Common Tasks

Recent Posts

Community

Email Notifications

Personal Links

Archives

Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

July 2004 - Posts

MS04-025 - More details on vulnerabilities

This update from the Internet Storm Center provides more details on the vulnerabilities corrected by the MS04-025 security udpate.    

http://www.incidents.org/diary.php?date=2004-07-30

Microsoft Releases a Critical Patch for Internet Explorer

Today Microsoft released a patch to Internet Explorer that addresses critical vulnerabilities that may allow malicious sites to run arbitrary code on unpatched systems. These vulnerabilities have been known for some time. One of them was being actively exploited by the Scob/Ject attack that we described in:

http://www.incidents.org/diary.php?date=2004-06-25

Considering the severity of these vulnerabilities, we recommend installing this patch as soon as possible, and hope that you have a chance to consider this security bulletin before heading home for the weekend:

http://www.microsoft.com/technet/security/bulletin/ms04-025.mspx

The following break-down of the vulnerabilities addressed by this security update is based on CVE database entries 

http://www.cve.mitre.org

CAN-2004-0549: The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object.

CAN-2004-0566: Integer signedness error in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value.

CAN-2003-1048: mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code due to a malformed GIF image that triggers a buffer overflow.

MS04-025: IE Rollup patch available as alternative to Windows Update

  Using Windows Update (WU) is recommended and this is only needed if there are WU issues.  So far for me, WU and the MS03-025 patch itself works great under on all work and home PCs.

MS04-025: IE Rollup patch available as alternative to Windows Update

http://support.microsoft.com/default.aspx?kbid=871260

I'm glad the IE team patched up 3 critical vulnerabiliites and while they've got further to go, at least IE is a little safer where you have to use it, like I do at my work:

http://www.pcworld.com/news/article/0,aid,117197,00.asp

A new update is available for Internet Explorer 5.x and 6. Update rollup 871260 includes security update 867801 and all Internet Explorer hotfixes that were released after security update 832894. This update is available from the Microsoft Download Center.

MS04-025 Bulletin IE Cummulative Update - Critical
http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx
http://msmvps.com/harrywaldron/archive/2004/07/30/10984.aspx

MyDoom.N - new repackaged version of MyDoom.M

The “N” variant of MyDoom is a repackaged version of “M”, which is currently rated as high risk by Secunia and Symantec.  It appears to be as an email administrators message many times to trick users into opening ZIP and other attachment types. 

MyDoom.N - new version of MyDoom.M
http://secunia.com/virus_information/10975/mydoom.n/
http://www.sarc.com/avcenter/venc/data/w32.mydoom.n@mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.N

MS04-011 Korgo.Z: Exploits Windows PCT instead of LSASS

  This new variant represents a new avenue of attack for unpatched Windows systems.

MS04-011 Korgo.Z: Exploits Windows PCT instead of LSASS
http://securityresponse.symantec.com/avcenter/venc/data/w32.korgoz.html

W32.Korgo.Z is a worm that attempts to propagate by exploiting the Microsoft Windows PCT Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 113. Previous Korgo variants used a different vulnerability, the LSASS Buffer Overrun Vulnerability.

Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx

MS04-025 Internet Explorer Critical Update (CRITICAL)

http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx

Impact of Vulnerability:  Remote Code Execution
Maximum Severity Rating: Critical
Download size: 2.8 MB

   Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB867801)
A security issue has been identified that could allow an attacker to compromise a computer running Internet Explorer and gain control over it. You can help protect your computer by installing this update from Microsoft.

  Resolves these key vulnerabilities
Navigation Method Cross-Domain Vulnerability - CAN-2004-0549
Malformed BMP File Buffer Overrun Vulnerability - CAN-2004-0566
Malformed GIF File Double Free Vulnerability - CAN-2003-1048

Please click on the Windows Update button below to install:


Windows Server 2003 - Free Security Guide

  The Windows Server 2003 Security Guide focuses on providing a set of easy to understand guidance, tools, and templates to help secure Windows Server 2003 in many environments. While the product is extremely secure from the default installation, there are a number of security options that can be further configured based on specific requirements. This guidance not only provides recommendations, but also the background information on the risk that the setting is used to mitigate as well as the impact to an environment when the option is configured.

http://www.microsoft.com/downloads/details.aspx?familyid=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en

Click Links Below to Download:

Windows_Server_2003_Security_Guide_v1_3.exe

MyDoom.M -- DDos Attack against Microsoft by Zindos worm

  I'm guessing that this is most likely an added attack feature the author of the MyDoom.M worm has implemented as a "second wave"

MyDoom.M -- DDos Attack against Microsoft by Zindos worm 
http://secunia.com/virus_information/10909/zindos/
http://www.sarc.com/avcenter/venc/data/w32.zindos.a.html
http://vil.nai.com/vil/content/v_127038.htm

W32.Zindos.A is a worm that performs a Denial of Service (DoS) attack against the domain, microsoft.com. The worm spreads through the backdoor that Backdoor.Zincite.A opens on TCP port 1034.

Due to bugs in the code, when a system that is infected with Backdoor.Zincite.A becomes infected with Backdoor.Zindos.A, an infinite infection loop is entered, with each infection of Backdoor.Zindos.A re-infecting the system. This may cause the system to become slow and unresponsive.

Note: Backdoor.Zincite.A is a backdoor Trojan horse that W32.Mydoom.M@mm drops.

New MyDoom variant impacts Google & escalates to HIGH RISK
 Latest variant is also impacting Search engines
http://www.incidents.org/diary.php?date=2004-07-26

  MyDoom also just went HIGH RISK by Secunia, Message Labs, and Symantec
http://secunia.com/virus_information/10755/mydoom.m/
New MyDoom Variant - MEDIUM-ON-WATCH

New MyDoom Variant - MEDIUM-ON-WATCH
http://secunia.com/virus_information/10755/
http://secunia.com/virus_information/10879
http://vil.nai.com/vil/content/v_127033.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.M
http://www.sarc.com/avcenter/venc/data/w32.mydoom.m@mm.html

Attachments: EXE, COM, SCR, PIF, BAT, CMD, ZIP (may be doubly ZIPped)

Best Practices in using a Credit Card for Internet Purchases

  A few best practices in using a Credit Card online include:

1. Always use a true credit card and never use a debit card for online purchases (you have have better fraud protection with the Fair Credit Reporting Act) and vandals can have unlimited access to your checking or savings account.

2. Make certain you are purchasing from a mainstream secure site and using secure server technology where you see a “lock“ icon in your browser including your information will be encrypted.

3. As shared by the Internet Storm Center, use a special credit card with low limits for any online purchases.

4. Monitor credit card statements carefully for every credit card you have. 

5. Contact your credit card customer service center immediately by phone and in writing if you detect a fraudulent transaction.  Usually only 30 days are allowed to dispute charges.  

http://www.incidents.org/diary.php?date=2004-07-25

Many people use credit cards for online purchases. One thing you can do to help protect yourself is to get a credit card that you only use for online purchases and have the limit set low, say for $500. This way if your information is stolen, you have a lower limit for which someone can take advantage. Always make sure to keep an eye on that credit card statement.

Some banks will allow you to setup a one-time use only card number online, or a temporary number that is only valid for a couple of months and has a smaller limit then your main card. For more information on what you can be held liable for and steps you can take if you believe that your credit card information has been stolen see

http://www.ftc.gov/bcp/conline/pubs/credit/atmcard.htm

 

Opera 7.53 - Security Update to prevent URL Spoofing

Opera Software  Opera 7.53 now available

All users of Opera should upgrade to v7.53 to avoid a URL spoofing vulnerabilities.  The new version is working without issues in my early testing.

Security - Fixed a JavaScript problem that made it possible to show one URL in the address bar, but load a different URL in the page (Secunia Advisory SA12028)

Opera version 7.53 now available for download.

 

More Hackers are arrested

http://www.f-secure.com/weblog/

One of the hot topics over the last months has been the continuing DDoS & extortion attacks against mostly UK-based gambling sites.  According to a recent article in The Financial Times (titled "Internet gambling extortion racket broken up"), three men in their early 20s were arrested in raids in Russia. Apparently they were launching big DDoS attacks from botnets against gambling sites, then emailing them and asking $50,000 for not doing it again. The extortion money was rerouted to Russia via Caribbean and Latvia, but nevertheless the UK police was able to trace it, leading eventually to the arrests.

So...so far, the year looks pretty good:

Month  Country
July   Russia: Three DDoS hackers arrested
June  Hungary: Magold virus author sentenced
June  Finland: VBS/Lasku virus author arrested
May   Taiwan: Peep backdoor author arrested
May   Canada: Randex variant author arrested
May   Germany: Agobot variant author arrested
May   Germany: Sasser & Netsky author arrested

SANS mentoring class on network attacks and defense

This group of young people came up with excellent ideas  on how a network is attacked and countermeasures on how to defend it.  This was impressive and they'd get an A+ from me.

SANS mentoring class on network attacks and defense

http://www.incidents.org/diary.php?date=2004-07-24

  Scott Weil, the director of the SANS Local Mentor Program, had an opportunity to meet with about 40 students from a Midwest math and science academy on Friday to discuss network security. The students ranged in age from 10 to 15 years old.  Prior to beginning his talk on ways that kids can surf safely online, Scott divided the room into two groups. One group was told to design an attack on the school's network, the other group was told to defend against an attack. After discussing it for a few moments, each group was asked to explain to Scott and the rest of the students what they decided.

The level of understanding at this age is shocking. Briefly, here is what each group said they would do.

  Attacking group:

- Map the network to find the computers
- Map the connections
- Understand the details of the OS--they all said they hoped the OS was Windows; they were going to research all known vulnerabilities of Windows to plan the attack
- Attack the network by installing a virus via a memory stick onto a node of the network and then engineer a denial of service attack via spam emails
- Disable antivirus software on the network, although they didn't say how


  Defending group:

- Use Macs as the operating system because its Unix operating system was more secure than Windows
- Make sure their anti-virus software was well tuned and current
- Monitor the firewall for any unusual activity
- Install a network tracker to document any illegal activities and then call in the local law enforcement
- Make sure that they had applied the latest patches to every piece of software and hardware on their network

Each group appointed a spokesperson for the group. The leader for the defense of the network and perimeter was a 10 year old.

Article: The weakest security link? It's you


http://zdnet.com.com/2100%2D1105_2%2D5278576.html

  Regulations around privacy, such as the Health Insurance Portability and Accountability Act, and financial reporting measures, such as the Sarbanes-Oxley Act, are also raising the stakes for corporations. As a result of these regulations, companies need to keep their customers' information, as well as their financial reporting material, under tight security.

John Thompson, chief executive of security software provider Symantec, has been a longtime advocate of companies developing corporate policies on security issues. He notes that technology alone can't keep companies secure. "Security is a process, and while technologies are important to facilitate the process, the technology itself does not ensure that you are secure,"

Thompson said. "A case in point: There is a technology, a simple technology associated with securing your house, it's called a lock. But if you, a user, do not facilitate the process, or lock the door when you walk out of your house, having the technology installed is of no value. And so the process starts with first having you be aware of how you secure your home, what threats you need to protect yourself from."

Historically, companies have viewed the issue of security and antivirus protection as a problem for their IT departments. And employees at these companies have held a similar view, said IT managers and security officers.

Message Labs - Top 10 Viruses of ALL TIME

In looking at updated statistics, I found that the all time top 10 worms intercepted in email had changed substantially, as half of these are now Netsky variants.  

Message Labs - Top 10 Viruses of ALL TIME
http://www.messagelabs.com/viruseye/threats/default.asp?toptenduration=all
 
1. W32/MyDoom.A-mm  (62M)
2. W32/Sobig.F-mm  (35M)
3. W32/Netsky.B-mm  (9M)
4. W32/NetSky.D-mm  (9M)
5. W32/Klez.H-mm   (8M)
6. W32/Swen.A-mm   (5M)
7. W32/Netsky.P-mm  (4M)
8. W32/Netsky.C-mm  (3M)
9. W32/Yaha.E-mm  (2M)
10. W32/Dumaru.A-mm   (2M)

MyDoom.N - new variant to watch

   Every new version of MyDoom should be carefully watched as the "A" variant did $38 billion in estimated damages.  Extensive volumes of email and spamming have resulted from some variants appearing to be email transmission error.s 

MyDoom.N - new variant to watch
http://vil.nai.com/vil/content/v_126797.htm
http://secunia.com/virus_information/10738/
http://secunia.com/virus_information/10749/
http://www.sarc.com/avcenter/venc/data/w32.mydoom.l@mm.html

Attachment Extensions: .cmd, .bat, .pif, .com, .scr, .exe, zip

Bagle.AI - Medium Risk

  Bagle.AI - Medium Risk (McAfee)

http://vil.nai.com/vil/content/v_126798.htm
http://www.f-secure.com/v-descs/bagle_ai.shtml
http://secunia.com/virus_information/10740/bagle.ai/

  Beagle.AG - Medium Risk (Symantec) 

http://www.symantec.com/avcenter/venc/data/w32.beagle.ag@mm.html

  VirusTotal reports significant infections

http://www.virustotal.com/flash/index_en.html

This is a mass-mailing worm with the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • harvests email addresses from the victim machine
  • the From: address of messages is spoofed
  • attachment can be a password-protected zip file, with the password included in the message body.
  • contains a remote access component (notification is sent to hacker)
  • copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
  • uses various mutex names selected from those W32/Netsky variants have used, in order to prevent those W32/Netsky variants running on infected machines
  • terminates processes of security programs and other worms
  • deletes registry entries of security programs and other worms

From : (address is spoofed)
Subject :  Re:

Body Text:

  • >foto3 and MP3
  • >fotogalary and Music
  • >fotoinfo
  • >Lovely animals
  • >Animals
  • >Predators
  • >The snake
  • >Screen and Music

The worm will add the following body text if the attachment is sent as a password-protected ZIP file. 

  • Password: (random number)
  • Pass - (random number)
  • Key - (random number)

Attachment: (with extension .EXE, .SCR, .COM, .CPL or .ZIP)

  • MP3
  • Music_MP3
  • New_MP3_Player
  • Cool_MP3
  • Doll
  • Garry
  • Cat
  • Dog
  • Fish
MS04-011: Korgo.U - Secunia issued a MEDIUM RISK

  This new Korgo variant poses a significant threat for unpatched Windows systems.  

MS04-011: Korgo.U - Secunia issued a MEDIUM RISK
http://secunia.com/virus_information/10254/korgo.u/

The Korgo.U variant was found on June 24th, 2004. It is very similar to the previous Korgo variants, discovered since June 17th. Korgo.U worm spreads throughout the Internet using a vulnerability in Microsoft Windows LSASS. A description of the vulnerability can be found in Microsoft Security Bulletin MS04-011.  It also opens a backdoor that allows unauthorized access to an affected machine. The worm is distributed as a 9,353-byte Win32 executable. When executed, Korgo.V creates a copy of itself in the %System% directory using a randomly-generated filename that is between 5 and 8 characters in length.

Aliases: Korgo.U
W32.Korgo.Q
W32/Korgo.U
W32/Korgo.U.worm
W32/Korgo.worm.v
Win32.Korgo.V
Win32.Korgo.X
Win32/Korgo.X.Worm
Worm.Win32.Padobot.m

Exploits for MS04-022 have been developed

  MS04-022 is noteworthy as it has remote exploitability and could result in Sasser or Blaster like worms ... If you haven't performed a Windows update I'd recommend doing so as soon as you can

Exploits for MS04-022 have been developed
http://isc.incidents.org/diary.php?date=2004-07-17

Exploits for MS04-022 (Vulnerability in Task Scheduler Could Allow Code Execution) are known. By creating a specially crafted ".job" file, it is possible to cause a remote code execution using a number of common place applications as the attack vectors.  Do remember to update your system asap if you have not done so.

http://www.microsoft.com/technet/security/Bulletin/MS04-022.mspx http://www.nextgenss.com/advisories/mstaskjob.txt http://www.securityfocus.com/archive/1/368857/2004-07-11/2004-07-17/0

AGIST Worm - uses random "garbage" text for messages

AGIST Worm - uses random "garbage" text for messages

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGIST.A

TrendLabs has received several infection reports regarding this new worm spreading via email. It uses its own SMTP engine to propagate across machines. It arrives as a randomly-named .ZIP attachemnt via email. The details of the email message it sends out are as follows:

Subject: <none>
Body of message: (the message body is pure garbage)
Attachment: <random file name>.
zip

The following is a sample email message that this worm sends out

Sample message

It runs on Windows 95, 98, NT, ME, 2000, and XP.

More Posts Next page »