FTC Adware/Spyware Conference - few solutions popup

I was glad to see this discussed, even though there were few actual solutions reached.

FTC Adware/Spyware Conference - few solutions popup
http://news.com.com/2100%2D1028%2D5195222.html

Quote:  Spyware, adware and other code that lurks on hard drives has become so pervasive it's bedeviling home users, driving corporate technology managers to distraction and has become the top complaint in customer service calls to computer makers.  

Quote:  Spyware and adware problems became the largest single customer service complaint late last year, Dell attorney Maureen Cushman told the FTC workshop. It's become "a huge technical support issue for us," Cushman said, resulting in "slow performance, inability to access the Internet, extra icons and pop-up ads. This damages our brand and, most importantly, impairs the customer experience."  

MORE INFORMATION ON THE FTC WORKSHOP
http://www.ftc.gov/bcp/workshops/spyware/index.htm

Microsoft April 2004 Updates - 3 minor issues

Microsoft did a quality job overall given the magnitude of the 20 bundled security changes in the April 2004 updates.  Below are some 3 minor issues reported so far in our 11,000 member My IT Forums.  Hopefully, the good quality and regression testing exterted by Microsoft will continue to hold up.

# 1 - ROAMING PROFILES & MAPPED DRIVE ISSUES

First issue encountered with MS04-011 - This from my colleague and administrator of our Citrix farm...  We've discovered that the -011 patch messes up roaming profiles and homedrive homepath mappings – Supposedly MS has quite few cases on this. I don’t think you use roaming profiles but hope there is nothing else mucked up – wanted to give you an FYI

# 2 - WINDOWS NT 4 - NTOSKRNL.EXE ISSUES

I've seen this on servers that were originally Uniprocessor HALs that were converted to Multiprocessor HALS later. When the patch runs, it replaces ntoskrnl.exe with the wrong HAL version.  I have seen an issue on some of my NT 4.0 Workstation PC's. I get a missing NTOSKRNL.EXE on reboot. To fix it I had to restore the NTOSKRNL.EXE from C:\WINNT\$KB835732$ Anyone else seen this?

# 3 - WINDOWS 2003 IE 6 ISSUE (after updates) - Cipher Strength = 0

NTBugtraq Mailing List

This is a functionality regression that has been around for some time. The weird part of the MS04-011 patch is that it only occurs on Windows 2003.

KB261328: Cipher Strength Appears as 0-Bit in Internet Explorer
http://support.microsoft.com/?kbid=261328

SYMPTOMS  - In Microsoft Internet Explorer, you may experience the following behaviors:  When you click About Internet Explorer on the Help menu, the Cipher Strength value is 0-bit. -and- You cannot connect to and view Web pages on secure Web sites.

CAUSE - This behavior can occur if the Schannel.dll, Rsabase.dll, or Rsaenh.dll files are missing, damaged, or of the incorrect version.

-----Original Message-----

Article: PCs are full of Spyware/Adware

I believe Spyware/Adware prevention is the next frontier in security where more work needs to be done by the AV vendors.  Personally, I like using SpyBot and AdAware for monthly checks, even though I rarely have any issues.  Staying on mainstream sites and using complementary browsers like Firefox or Opera for less trusted sites can help mitigate this risk somewhat.

Article: PCs are full of Spyware/Adware
http://news.bbc.co.uk/2/hi/technology/3633167.stm

The average computer is packed with hidden software that can secretly spy on online habits, a study has found.  The US net provider EarthLink said it uncovered an average of 28 spyware programs on each PC scanned during the first three months of the year.

Netsky.W - The Virus Wars Continue

Netsky.W Links

http://www.sarc.com/avcenter/venc/data/w32.netsky.w@mm.html
http://vil.nai.com/vil/content/v_104470.htm
http://www.techweb.com/wire/story/TWB20040416S0007
http://www.f-secure.com/v-descs/netsky_w.shtml
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=46390

NetSky.W worm variant was discovered on April 16th, 2004. This variant is very closely related to the "N" and "P" variants. It is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives.

The "sender" of the email is spoofed, and its subject, message body, and attachment vary. The attachment has .exe, .pif, .scr or .zip as extension types.

It deletes the entries belonging to several worms, including Mydoom.A, Mydoom.B, Mimail.T and several variants of Bagle (so the virus wars continue).  The bad news is that this will continue to escalate new variants among all these families.

W32.Gaobot.AAY - uses SEVEN Microsoft Security exploits

This new Gaobot variant is trying harder than any worm I've seen so far to get into your corporate network. 

This Blaster-like Internet worm attempts to find weak passwords, IRC vulnerabilities, Beagle/MyDoom backdoors and finally SEVEN different Microsoft security exploits.  Thankfully, these are older security holes that should be patched up for corporate users. 

Still SEVEN different exploits might be a record for the Blaster like series

W32.Gaobot.AAY Information:
http://www.symantec.com/avcenter/venc/data/w32.gaobot.aay.html

W32.Gaobot.AAY is a minor variant of W32.Gaobot.SY. This worm attempts to spread through network shares with weak passwords. It also allows attackers to access an infected computer using a predetermined IRC channel.

The worm uses multiple vulnerabilities to spread, including:

• The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
• The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
• The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
• The Microsoft Messenger Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-043).
• The Locator service vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445. The worm specifically targets Windows 2000 machines using this exploit.
• The UPnP vulnerability (described in Microsoft Security Bulletin MS01-059).
• The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061), using UDP port 1434.
• Sending itself to the backdoor ports that the Beagle and Mydoom families of worms open.

MS04-011 EXPLOITS Published - Please quickly patch up

This bulletin from the Internet Storm Center advises everyone to get patched quickly. Some of the patches have been reverse engineered into exploits and there is the potential for "Blaster-like" worms to emerge.

MS04-011 EXPLOITS Published - Internet Storm Center

Exploits Available For MS04-11 Vulnerbilities – **PATCH NOW**

Dave Aitel of Immunity Security has stated publicly that they have released working exploits of two vulnerabilities patched by MS04-011 to their CANVAS customers:

http://lists.immunitysec.com/pipermail/dailydave/2004-April/000500.html

The LSASS.EXE vulnerability can be exploited to run arbitrary code with “system” privileges on vulnerable servers. eEye Digital Security has more details and also confirms the ability to run arbitrary code with “system” privileges using this vulnerability:

http://www.eeye.com/html/Research/Advisories/AD20040413C.html

Immunity’s claim that they have a working ASN.1 exploit has not been directly confirmed, but we have several anonymous confirmations that working exploits exist.

IT IS IMPERATIVE THAT THE PATCHES PROVIDED BY MICROSOFT IN ITS APRIL SECURITY RELEASE BE APPLIED TO SYSTEMS AS SOON AS POSSIBLE. It is our belief that the likelihood of a worm being released SOON that exploits one of the vulnerabilities addressed by these patches is VERY HIGH.

NetSky.V - more innovation

Netsky.V is a new variant that uses HTML scripting and unpatched MS exploits to spread rather than email attachments.    

NETSKY.V Links and Information

http://vil.nai.com/vil/content/v_101175.htm
http://www.symantec.com/avcenter/venc/data/w32.netsky.v@mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.V

This variant of W32/Netsky is similar to previous variants of W32/Netsky, however the virus does not spread as an email attachment, but rather as a hyperlink pointing to an infected system. It bears the following characteristics:

• infects by spreading exploit script, which automatically downloads and executes the virus from a remote infected system constructs messages using its own SMTP engine
• harvests email addresses from the victim machine
• spoofs the To: and From: address of messages 
• opens a port on the victim machine (TCP 5556 & 5557) 
• delivers a DoS attack on certain web sites upon a specific date condition

EMAIL TO AVOID OR BLOCK (this does not use attachments)

From:  (spoofed email address)

To:  (spoofed email address)

Subject: (any of the following)

• Gateway Status Failure
• Mail delivery failed
• Mail Delivery Sytem failure
• Server Status failure

Message body: (any of the following)

• Converting message. Please wait....
• Please wait while converting the message...
• Please wait while loading failed message...
• The processing of this message can take a few minutes...  

MICROSOFT SECURITY BULLETINS - THAT HELP TO PREVENT INFECTION

Netsky.V relies on several unpatched vulnerablies as noted below:

http://www.microsoft.com/technet/security/bulletin/MS99-032.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-032.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-040.mspx

HOW NETSKY.V INFECTS UNPATCHED SYSTEMS

http://www.symantec.com/avcenter/graphics/w32.netsky.v@mm.1.gif

Step 1. W32.Netsky.V@mm constructs the message body using the Microsoft Internet Explorer XML Page Object Type Validation Vulnerability (CAN-2003-0809 / Microsoft Security Bulletin MS03-040). Successful exploitation of this vulnerability could allow a malicious object to be trusted and as such be installed and executed on the local system. The composed email body contains the object that points to the following source:

data=http://%INFECTED_COMPUTER_IP%:5557/index.html

Step 2. As a result, the victim computer will query the index.html page from the HTTP server, that is installed on the infected computer and listens on port 5557.

Step 3. Once the HTTP server accepts incoming connection, it will forge an HTML-page that exploits the Microsoft IE5 ActiveX "Object for constructing type libraries for scriptlets" Vulnerability (CVE-1999-0668 / Microsoft Security Bulletin MS99-032).

Step 4. The code contained in the viral index.html file will run the ftp.exe to connect to the FTP server, listening on port 5556 on the infected computer, and query the worm executable.

Step 5. The worm executable will be retrieved and executed locally.

Microsoft security patches for April 2004 are important.

This announcement in eEye's newsletter, highlights the importance of the critical the April security bulletins.  So far, this has worked well for W/98 and XP with zero issues so far.  I'm planning to plug in my W/2000 SP4 system to update it today also.     

eEye Digital Security Uncovers Dangerous Vulnerabilities in Microsoft Windows
Six new vulnerabilities related to Microsoft Windows were announced today. The discoveries include critical flaws in Windows Remote Procedure Call (RPC), Local Security Authority Subsystem Service (LSASS), and in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats. Of the six newly discovered, four are extremely critical since they allow for the remote execution of code on unpatched machines.

Systems Affected
Affected systems include all current versions of Microsoft Windows and Windows Server 2003.

Potential Impact
These vulnerabilities could potentially allow an attacker to take complete control of an affected system. An attacker could then take any action on the affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. eEye and Microsoft have released detailed advisories to alert Windows users of the need to immediately secure vulnerable machines on their networks.

Severity Rating and Vulnerability Identifiers*:

Protecting Against These Vulnerabilities
The most effective way to protect vulnerable systems is to apply the hotfixes released by Microsoft. The hotfixes will remediate these vulnerabilities, and can be found here:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

 Retina Network Security Scanner
Retina has been updated to check for all of the above vulnerabilities. These checks are included in Retina versions 4.9.194 and higher. Retina is the only scanner that is 100% non-intrusive and can scan remotely without administrative access. For a comprehensive list of Retina audits click here:
http://www.eeye.com/html/mkt/gen/AprilAdv.html

Additional Information: eEye Security Bulletins

Microsoft DCOM RPC Memory Leak
http://www.eeye.com/html/Research/Advisories/AD20040413A.html

Microsoft DCOM RPC Race Condition
http://www.eeye.com/html/Research/Advisories/AD20040413B.html

Windows Local Security Authority Service Remote Buffer Overflow
http://www.eeye.com/html/Research/Advisories/AD20040413C.html

Windows Expand-Down Data Segment Local Privilege Escalation
http://www.eeye.com/html/Research/Advisories/AD20040413D.html

Windows VDM TIB Local Privilege Escalation
http://www.eeye.com/h! tml/Rese arch/Advisories/AD20040413E.html

Windows Metafile Heap Overflow
http://www.eeye.com/html/Research/Advisories/AD20040413F.html