July 2004 - Posts
Bagle.AG - new variant
TrendLabs HQ has received several infection reports from the US of this BAGLE worm spreading via email and network shares.
http://secunia.com/virus_information/10711/bagle.ag/
http://vil.nai.com/vil/content/v_126795.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AG
This is a mass-mailing worm with the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- harvests email addresses from the victim machine
- the From: address of messages is spoofed
- attachment can be a password-protected zip file, with the password included in the message body.
- contains a remote access component (notification is sent to hacker)
- copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
- shuts down security programs
Mail Propagation
The details are as follows:
From : (address is spoofed)
Subject :
- Password: %s
- Pass - %s
- Key - %s
- Re:
- Re:
- foto3
- fotogalary
- fotoinfo
- Lovely animals
- Animals
- Predators
- The snake
- Screen
Body Text: (blank)
Attachment: (.EXE, .SCR, .COM, .ZIP, .CPL)
- foto3
- foto2
- foto1
- Secret
- Doll
- Garry
- Cat
- Dog
- Fish
Password-protected ZIP files may also contain a second, randomly-named file with one of the following extensions:
- .ini
- .cfg
- .txt
- .vxd
- .def
- .dll
Please do not click on the URL for any emails claiming they are from a bank. I've been seeing this exploit being spammed to my own personal email account and it could download a trojan from the website (if it's active) and infect your PC.
Delete all these messages and please avoid the URL as it manipulates an unpatched IE vulnerability.
Email Subject Line: CITI_CARDS_ONLINE E-MAIL Verification
This is a proof-of-concept virus that currently is not in the wild, but yet another platform to be now concerned with. 
First Pocket PC Virus - "Win CE4 Dust"
http://secunia.com/virus_information/10706/winceduts.a/
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WINCE_DUTS.A
http://vil.nai.com/vil/content/v_126794.htm
http://www.sophos.com/virusinfo/analyses/wcedutsa.html
This detection is for a proof of concept file virus written for the PocketPC platform. The virus bears the following characteristics:
* it is coded for ARM CPUs.
* it is a parsitic file infector, appending itself to host files upon infection.
* This is a proof of concept, and is not expected to pose any threat in the wild.
* Infected files increase in size 1,520 bytes.
* Upon infecting a machine, the virus prompts the user as follows, before infection of other files occurs:
Dear User, am I allowed to spread?
The virus also contains other messages in its body:
This code arose from the dust of Permutation City
This is proof of concept code. Also i wanted to make avers happy.The situation when Pocket PC antiviruses detect only EICAR had to end ...
http://neowin.net/comments.php?id=22323&category=main
Called WinCE4.Dust, "it infects pocket pc's PE files (ARM) in root (My Device) directory", as the virus author himself noted in a message addressed, probably, to most antivirus laboratories. The virus author, by his nickname Ratter, is part of the famous 29A VX group and created this virus "not meant to spread", just as "a proof of concept code". In order to run, the virus needs a mobile compatible device running Microsoft Windows CE operating system. The virus displays a message box, asking for user's permission to spread to other files. Since Microsoft do not offer hotfixes for Pocket PC and only offer Service Packs through OEM channels, how will this effect end users in the next coming months/years?
Thankfully, this isn't a remote access exploit that a Blaster or Sasser like worm could exploit, but it could be triggered by an email or IM if POSIX services are enabled.
This is probably low-risk, but all Windows users should patch, patch, patch ... This new exploit code mainly illustrates "reverse engineering" is in process. The one's I'm most concerned about are MS04-022 and MS04-024, so it's important to "patch the roof before it rains" and perform a Windows update now
MS04-020 - POSIX Exploit developed
http://www.incidents.org/diary.php?date=2004-07-16
The ISC was notified earlier today that there was a public release of a Windows POSIX local privilege escalation exploit (MS04-020). Time to patch was last Tuesday. This is not a remote access issue, but one that still needs to be addressed and corrected.
Bagle.AF - MEDIUM RISK
http://secunia.com/virus_information/10683/bagle.af/
http://vil.nai.com/vil/content/v_126792.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AF
http://www.symantec.com/avcenter/venc/data/w32.beagle.ab@mm.html
This one is spreading significantly.
This is a mass-mailing worm with the following characteristics:
* contains its own SMTP engine to construct outgoing messages
* harvests email addresses from the victim machine
* the From: address of messages is spoofed
* attachment can be a password-protected zip file, with the password included in the message body.
* contains a remote access component (notification is sent to hacker)
* copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
* uses various mutex names selected from those W32/Netsky variants have used, in order to prevent those W32/Netsky variants running on infected machines.
McAfee issued an alert for a new BHO based adware trojan that redirects Internet Explorer to potentially malicious web sites.
http://vil.nai.com/vil/content/v_126791.htm
This detection is for a Win32 trojan written in Borland Delphi that bears the following characteristics:
- installs itself using multiple, misleading filenames on the victim machine. Various Registry keys are modified to run at system startup.
- drops a DLL component, installing it as a Browser Helper Object (BHO).
- overwrites the local hosts file in order to redirect queries for various remote web servers to localhost (127.0.0.1)
Once installed, the BHO will be loaded by Internet Explorer when it is run.
COMMENTARY: A few months ago, I purchased a USB based SanDisk 128MB Flash drive and it is a great tool for transferring data between Windows XP and 2000 systems at home. It's inexpensive and if you plug it in, you've instantly got drive D: as this plug-and-play device has built-in support from the Operating System for both Windows 2000 and XP.
While I wouldn't want this functionality to be restricted or difficult to use at home, I've had concerns on how these could impact the corporate environment if this great technology was misused. As these articles reflect, viruses can be brought in from home, employees could make a “home copy” of a corporate software package, or in the worst case these could be used in corporate espionage (e.g., where sensitive data like trade secrets or customer lists are stolen).
While the majority of employees can be trusted and will use this technology responsibly, corporate policies and technical safeguards must still be established for the few employees who may not use this wonderful technology responsibly.
USB Flash Memory Drives - Corporate Security Risks
http://www.vnunet.com/news/1156645
http://www.vnunet.com/news/1156481
UK businesses failing to monitor removable media usage on corporate networks are leaving themselves open to viruses and loss of corporate data by failing to deal with the security threat from the introduction to their networks of removable media devices such as portable hard drives and MP3 players.
The poll of 100 IT managers in UK organisations revealed that:
* 84 per cent of businesses do not have security policies to prevent employees using removable media on their networks
* Almost half of respondents believe employees take unnecessary risks with critical corporate data.
* Two in five admitted to having 'no idea' whether removable media had been used to steal sensitive corporate information.
* And 85 per cent of firms said that their employees use removable data devices throughout the company, transporting data between the office and home.
This ZDNET article encourages ADMINS to patch as quickly as possible. It anticipates a blended threat will most likely surface. The security implications of compromising the Windows Shell are very serious. It might be the Linux equivalent of "you've got root".
The caption for selecting this article read: "One of the seven Windows vulnerabilities patched by Microsoft on Tuesday is the most likely to be exploited by a worm according to experts. Patch now, worms predicted in five to seven days."
MS04-024 Article - This "important" patch may be the "most critical" of all
http://zdnet.com.com/2100-1105-5268989.html
---- included text below -----
Security experts are bracing themselves for a spate of new worms and viruses designed to exploit of the seven new vulnerabilities announced by Microsoft on Tuesday as part of its monthly patch cycle. Of the new vulnerabilities, Windows Shell (MS04-024)--has been picked out by security experts as a potential target for future worms and viruses.
Ben Nagy, senior security engineer at security researcher firm eEye, said he expects the Windows Shell bug to be the most serious threat--despite Microsoft rating the problem as 'important' rather than 'critical'.
According to Microsoft, if a user is vulnerable to MS04-024 and has administrator privileges, an attacker could "take complete control of the affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges."
However, the flaw is not rated as critical because it would require "significant user interaction" to work. This means that a user would need to open an e-mail attachment, or download a file from a malicious Web site.
Atak.A worm information
http://www.symantec.com/avcenter/venc/data/w32.atak@mm.html
http://secunia.com/virus_information/10649/atak-a/
http://vil.nai.com/vil/content/v_126679.htm
This is a new mass-mailing worm that launches notepad.exe when executed. This is a mass-mailing worm bearing the following characteristics:
* harvests email addresses from the victim machine
* spoofs the From: address
* constructs messages using its own SMTP engine
Subject: Read the Result! or Important Data!
Message: Authorized Researcher Only.
Attachment: *.zip, *.com, *.exe
The Internet Storm Center has an excellent description of the protection offered with each of the updates. While an individual Windows update patch may be rated as Important, Moderate, or Critical, every security patch should be considered “critical” for protecting your system. An Important or Moderate ratings just means that a security hole may require significant user action or may be very complex for malicious individuals to develop. New critical/important/moderate patches from Microsoft http://www.incidents.org/diary.php?date=2004-07-13 As expected, Microsoft issued its monthly security bulletin today. There are several patches designated as "critical" and "important." You can read the technical bulletin at the following URL:
http://www.microsoft.com/technet/security/bulletin/ms04-jul.mspx
There is also a non-technical version of the alerts at the following URL:
http://www.microsoft.com/security/bulletins/200407_windows.mspx Swa Frantzen, a fellow ISC handler, wrote up the following summary of issues addressed by Microsoft's security bulletin:
MS04-018: References CAN-2004-0215 Users of Outlook Express should look into this one. For now it's a DoS only, so it can probably be last on your priorities. As always with this kind of software, the preview pane aggravates the problem. Turning preview panes off is a good idea.
MS04-19: References CAN-2004-0213 Local users can escalate to system privilege levels. If you don't trust all your local users this is probably somewhat more than important to deal with soon. This can probably be exploited later in a compounded attack, so best to take care of it even if you trust your local users.
MS04-20: References CAN-2004-0210 A buffer overflow in the POSIX code causes local users to be able to completely control the system. For now Windows XP and 2003 are exempt form this. If you don't trust all your local users this is probably somewhat more than important to deal with soon. This can probably be exploited later in a compounded attack, so best to take care of it even if you trust your local users.
MS04-21: References CAN-2004-0205 IIS 4.0 remote buffer overflow - full remote control. If you still use IIS 4.0 this is probably yet another reason to upgrade.
MS04-22: References CAN-2004-0212 REMOTE code execution in the task scheduler with the privileges of the logged in user. Windows 2003 is for now exempt from the problem. Interesting workaround: block access to files ending in ".job" in the perimeter
MS04-23: References CAN-2004-0201 and CAN-2003-1041 Remote code execution in the help system with the privileges of logged in user. Outlook is a transport vector for this vulnerability--easy worm potential!
MS04-24: References CAN-2004-0420 Remote code execution via Windows shell with the privileges of logged in user. Exploit uses the COM subsystem to trigger execution that's supposed to be blocked based on extensions. Although Microsoft considers this patch "important," public availability of the exploit raises our assessment the vulnerability's severity.
McAfee information - BackDoor-CGT
http://vil.nai.com/vil/content/v_126681.htm
During 13th July 2004, MessageLabs, the leading provider of managed email security services to businesses worldwide, has intercepted a significant number of emails which can lead to the download and installation of a new Trojan on affected machines. The email contains an IFRAME link to a website, which if activated will then redirect the user via a different link. At this point VBS/Inor is activated, and will download ss.exe – the new Trojan.
Name: Unknown
Number of copies intercepted so far: 3669
Time & Date first Captured: 08.38 GMT, 13th July, 2004.
As with other similar pieces of malware, this Trojan relays information back to remote attackers who are then able to access the infected machine.
Email Characteristics
Subject: Various, including:
Are you lonely?
Are you looking for companionship?
Are you looking for love?
Are you looking for romance?
Become a friend
Become a intruder
Lovgate.AI - The daily variants and attacks continue http://vil.nai.com/vil/content/v_126680.htm The development of new Lovgate variants continues on a daily basis. The "AI" version of W32/Lovgate is packed multiple times to require new signature files from AV vendors. 
The main characteristics are:
* attempts to copy itself to accessible or poorly secured remote shares, scanning contiguous IP ranges, seeking accessible IPC$ or ADMIN$ shares.
* creates a share on the victim machine (share name "MEDIA").
* mails itself, constructing message uses its own SMTP engine. Email attachment may be a ZIP archive. Additionally, mails may be sent in reply to email messages found on the victim machine (MAPI).
* terminates processes associated with various AV and security products.
* performs companion virus infection of EXE files (replacing original file with a copy of itself, and renaming original with a .~EX extension).
EXAMPLE:
http://www.symantec.com/avcenter/venc/data/w32.lemoor.a.html
W32.Lemoor.A is a worm that spreads by exploiting a vulnerability in the FTP server component of the W32.Sasser family of worms. The worm is written in Assembler and packed with FSG.
This article warns regarding the increased complexity and destructivity of the most recent variants of the Lovgate worm.
http://zdnet.com.com/2100%2D1105_2%2D5260304.html
The latest variant of the Lovgate worm scans PCs for executable files and then renames them, a tactic used by viruses from a much older generation, according to antivirus companies. The Lovgate worm first appeared in February 2003 and has since mutated many times. The most recent versions of the worm--Lovgate.AE and Lovgate.AH--were discovered on Sunday.
They spread by e-mailing themselves to addresses found on an infected machine and then open a "back door" to give control of the infected system to an attacker. Finally, the worms scan for vulnerable PCs connected to the infected system's local network--using the same Windows vulnerability exploited by the MSBlast worm almost a year ago.
The most important difference is the worm's destructive nature. Although the latest Lovgate worm does not delete any user data--such as documents or spreadsheets--it replaces executable files (with the .exe extension) on the local hard drive with further copies of itself. This process can leave an infected computer effectively useless because it is unable to run any applications.
MOST RECENT LOVGATE EXAMPLES:
http://www.symantec.com/avcenter/venc/data/w32.lovgate.ab@mm.html
http://www.symantec.com/avcenter/venc/data/w32.lovgate.y@mm.html
http://vil.nai.com/vil/content/v_126669.htm
LOVGATE REMOVAL TOOL
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.lovgate.removal.tool.html
The latest versions propagate through open network shares. It allows an attacker to access your computer. The email will have a variable subject and a file attachment with a .bat, .cmd, .exe, .pif, .scr, or .zip file extension. It spreads through the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
AVOID ALL ATTACHMENTS ENDING WITH: bat, cmd, exe, scr, pif, rar, zip
New versions of Korgo continue to emerge and this variant is highlighted as it uses Internet Explorer injection attacks as noted by Symantec.
http://secunia.com/virus_information/10561
http://www.sarc.com/avcenter/venc/data/w32.korgo.x.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KORGO.X
W32.Korgo.X is a worm that attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. This variant also attempts to download and execute a file from a remote Web site. It opens a RANDOM TCP port providing backdoor functionality that may compromise security settings.
It attempts to inject a function into Explorer.exe as a thread. If successful, this threat will continue to run in the Explorer.exe process. All the actions described in the next step will appear to be done by Explorer.exe, and the worm will not show when viewing the process list in the Windows Task Manager. If unsuccessful, the worm will continue to run as its own process.
Antivirus products only detect this "after the fact" and you must apply the MS04-011 security patch to be protected:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
New versions of Mozilla's three prominent products have just been released to address an important security concern. This update will prevent your browser from playing "shell games" as Mozilla has promptly addressed a widespread vulnerability affecting most browsers. So far, Firefox 0.9.2 is working great for me. Firefox 0.9.2 -- FTP Site for downloading ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/0.9.2/ Thunderbird 0.7.2 -- FTP Site for downloading ftp://ftp.mozilla.org/pub/mozilla.org/thunderbird/releases/0.7.2/ Mozilla 1.7.1 -- FTP Site for downloading
ftp://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.7.1/
Below is more information from the Internet Storm Center: Mozilla issues security update for "shell" exploit http://www.incidents.org/diary.php?date=2004-07-08
Mozilla and Firefox Update Fixes Vulnerability
It's time to update your browser, though this time the problem is not with Internet Explorer, but with Mozilla and Firefox running on Windows. As described in the eWeek article at
http://www.eweek.com/article2/0,1759,1621463,00.asp A flaw in the way Mozilla and Firefox handled links containing the shell: suffix could allow a malicious web site to run arbitrary code on the visitor's system. We advise you to upgrade to Mozilla 1.7.1 or Firefox 0.9.2 to patch this vulnerability.
For more information about this vulnerability and ways of addressing it, please see
http://mozilla.org/security/shell.html . This URL also points out that Thunderbird, an email client that's part of the Mozilla suite, is vulnerable, and explains how you can address the Thunderbird vulnerability as well.
Port 1433 represents an important port to watch for signs of SQL-Injection attacks or worms.
MS SQL Server Scanning
Paul Asadoorian, GCIH and GCIA wrote in identifying several Windows systems that were discovered compromised on his network with the following characteristics:
+ They are all scanning the Internet for hosts listening on port 1433
+ They are all listening on port 26101 TCP (suspected backdoor)
+ They are all listening on TCP/35894 with a FTP banner message "220 Microsoft FTP Server"
These systems appear to be used for attacking MS SQL Servers, as reported in the 7/4 incident handlers report. Paul was able to identify these systems by parsing the output of TCPDump capture files. Organizations can benefit from from monitoring egress TCP/1433 traffic as a sign of infected systems.
This article shares tips on repairing IE if the browser has been hijacked (a term meaning that the user can no longer control the home page or aggressive pop-up activity).
http://techrepublic.com.com/5100-6270_11-5034307.html
The key recommended steps are in this order (where you would take the “next step“ if a cleaning process still doesn't correct the underlying issues).
1. AntiVirus Cleaning -- Update your AV product to the latest scanning engine and virus definitions. Scan your entire hard drive and remove items with your AV product or free cleaning tools available at many sites.
2. AdAware and SpyBot Search & Destroy -- Both of these free cleaning tools are excellent. Use Google to find sites where you can download each product and update them to the latest available definitions each time you run.
3. CWS Shredder, HijackThis, and Filemon/Regmon Analysis -- This next step requires a lot of technical expertise as Windows file and registry activity must be carefully analyzed.
Dutch security expert Merjin has developed some great tools
http://www.spywareinfo.com/~merijn/
http://www.google.com/search?&q=merjin
I'm impressed with the security expertise of several moderators who analyze and share findings on how to correct IE hijacking issues.
Bleeping Comuters - see HighjackThis Log Analysis forum
http://www.bleepingcomputer.com/forums/index.php
Sysinternals - Regmon / Filemon (monitors registry/file activity)
http://www.sysinternals.com/
4. Reinstallation of Internet Explorer -- As a last resort sometimes IE or even Windows itself will require reinstallation. Always remember to apply critical patches before reconnecting to the Internet. Then immediately perform a Windows Update to better protect your newly reinstalled environment.
How to repair or reinstall Internet Explorer if needed
http://support.microsoft.com/default.aspx?scid=kb;en-us;318378
Microsoft issued the following press release noting server and workstation configuration changes that are beneficial to better protect against current unpatched exploits.
Microsoft Statement Regarding Configuration Change to Windows in Response to Download.Ject Security Issue
http://www.microsoft.com/presspass/press/2004/jul04/07-02configchange.asp
Microsoft recommends that customers immediately install this configuration change to the Windows XP, Windows Server 2003 and Windows 2000 operating systems in order to improve system resiliency to protect against the Download.Ject attack.
REDMOND, Wash., July 2, 2004 (Updated 10:30 a.m. PDT) - On Thursday, June 24, 2004, Microsoft responded to reports that some customers running IIS 5.0 (Internet Information Services), a component of Windows 2000 Server, were being targeted by malicious code, known as "Download.Ject." Internet service providers and law enforcement, working together with Microsoft, identified the origination point of the attack -- a Web server located in Russia -- and shut it down on Thursday, June 24, 2004. (Additional information about Download.Ject is available at http://www.microsoft.com/security/incident/download_ject.mspx
Later this summer, Microsoft will release Windows XP Service Pack 2, which includes the most up-to-date network, Web browsing and e-mail features designed to help protect against malicious attacks and reduce unwanted content and downloads. A comprehensive update for all supported versions of Internet Explorer will be released once it has been thoroughly tested and found to be effective across a wide variety of supported versions and configurations of Internet Explorer.
More Posts
« Previous page -
Next page »