October 2004 - Posts
Friday was a busy day for all security administrators who provide AV protection as at least 3 new variants were discovered. In some cases multiple updates were applied corporately in the same day, as F-Secure declared Friday as “Bagle Day”
http://isc.sans.org//diary.php?date=2004-10-29
http://www.f-secure.com/weblog/
As we approach our national election, our area will be moving from the lever based voting machines to PC based touch screen voting. Technology can be beneficial a I hope security has been thought out properly. For example, every election PC should be standalone and not connected to the Internet or any network. It will need transactional shadowing to backup each vote in case of a technical malfunction. In other words, electronic voting issues needs Fort Knox security, 100% reliability, and best audit practices (e.g., separation of duties, autonomy levels, tight balancing controls, etc). I'm hoping the process will go well and with good accuracy this year.
This repackaged variant of the Korgo worm exploits the MS04-011 security vulnerability and has apparantly spread to a number of unpatched PCs. If you are up to date on Microsoft Windows security patches, you will be automatically protected from this new Internet worm 
MS04-011: Korgo.V - Medium Risk by Secunia http://secunia.com/virus_information/10254/korgo.v/
http://vil.nai.com/vil/content/v_126518.htm
http://www.f-secure.com/v-descs/korgo_u.shtml
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=49002&sind=0 Win32.Korgo.V is a worm that spreads by exploiting the Microsoft Windows LSASS buffer overflow vulnerability. It also opens a backdoor that allows unauthorized access to an affected machine. The worm is distributed as a 9,353-byte Win32 executable. When executed, Korgo.V creates a copy of itself in the %System% directory using a randomly-generated filename that is between 5 and 8 characters in length.
The worm generates random IP addresses and attempts to connect to port 445 of the target IP in order to exploit the LSASS buffer overflow vulnerability (MS04-011). The worm cycles through 0 - 255 of the last octet of the generated IP ranges and attempts connection. If the vulnerability exploit is successful, a copy of the worm is downloaded via a random port from the original machine. It creates up to 5 threads to scan through local IP addresses.
Please never update by email as it's likely to be virus infected. 
All vendors require downloads from their website to ensure safety and never distribute patches by email.
Fake Redhat Security Advisory Circulating
http://www.redhat.com/security/
http://isc.sans.org//diary.php?date=2004-10-24
23rd October 2004 -- Red Hat has been made aware that emails are circulating that pretend to come from the Red Hat Security Team. These emails tell users to download and run an update from a users home directory. This fake update appears to contain malicious code. Official messages from the Red Hat security team are never sent unsolicited, are always sent from the address secalert@redhat.com, and are digitally signed by GPG. All official updates for Red Hat products are digitally signed and should not be installed unless they are correctly signed and the signature is verified.
Analysis of the Attack
http://www.k-otik.com/news/FakeRedhatPatchAnalysis.txt
F-Secure's weblog entry shows the code design and structure for a virus with comparisons of similar and dissimilar designs. Intially, the Buchon virus was thought to be part of the Netsky family but after modeling the code it is now a brand new virus family.
http://www.f-secure.com/weblog/#00000321
This report provides in-depth technical and security information on each operating system. 
Security Report: Windows 
v. Linux 
Security Report: Windows v. Linux (33 pages)
An MS04-032 proof-of-concept exploit has become a real one. Thankfully, it is not widespread but it provides a new method of attack on unpatched systems. Everyone is encouraged to complete Windows Updates as soon as they can
MS04-032: Ecommander Backdoor
http://www.symantec.com/avcenter/venc/data/backdoor.emcommander.html
Backdoor.Emcommander is a Backdoor Trojan distributed as an EMF image file. It exploits the Microsoft Windows WMF/EMF Image Format Rendering Remote Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS04-032) and allows an attacker to control the compromised system.
Opens a backdoor on TCP port 31337 and listens for commands from an attacker. The port number may vary because Backdoor.Emcommander can be built with a Backdoor.ConstructKit tool, where the port number can be specified as a parameter. Executes the remote command sent by the attacker through the Internet. The remote command is executed through "cmd.exe" of the compromised system
This study provides excellent technical information related to Firewall protection and how to avoid configuration errors that might permit unauthorized access.
Quantitative Study of Firewall configuration errors
http://www.eng.tau.ac.il/~yash/computer2004.pdf
CWShredder Version 2.0 is now available as a free cleaning tool against the latest CoolWebSearch variants.
What's New With CWShredder?
Originally developed by Merijn Bellekom of the Netherlands, CWShredder is now owned and maintained by InterMute. CWShredder has been updated to include new CoolWebSearch variants. Use in conjunction with SpySubtract for the strongest defense against Spyware threats.
CWShredder Version 2.0
http://www.intermute.com/spysubtract/cwshredder_download.html
Symantec and Trend have just published information on this new variant which is beginning to spread 
W32.Mydoom.AF@mm - new variant
http://www.symantec.com/avcenter/venc/data/w32.mydoom.af@mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.AF W32.Mydoom.AF@mm is a mass-mailing worm that uses its
own SMTP engine to send itself to the email addresses that it finds from an infected system. The worm also contains
back door functionality which allows unauthorized remote access to the infected computer. The email will have a variable subject and attachment name. The attachment will have a
.cpl, .pif, or .scr file extension.
quote:FORMAT OF EMAIL MESSAGE:
From: (spoofed)
Subject: is one of the following:
Announcement
Details
Document
Fw:Document
Fw:Important
Fw:Information
Fw:Notification
Fw:Warning
Important
Information
Notification
Re:Details
Re:Document
Re:Important
Re:Information
Re:Notification
Re:Warning
Warning
readnow!
Message: is one of the following:
Check the attached document.
Daily Report.
Details are in the attached document.
Important Information.
Kill the writer of this document!
Monthly news report.
Please answer quickly!.
Please confirm!.
Please read the attached file!.
Please see the attached file for details
Please see the attached file for details.
Reply
See the attached file for details
Waiting for a Response. Please read the attachment.
here is the document.
your document.
followed by:
+++ Attachment: No Virus found
followed by one of the following:
+++ Bitdefender AntiVirus -
www.bitdefender.com +++ F-Secure AntiVirus -
www.f-secure.com +++ Kaspersky AntiVirus -
www.kaspersky.com +++ MC-Afee AntiVirus -
www.mcafee.com +++ MessageLabs AntiVirus -
www.messagelabs.com +++ Norman AntiVirus -
www.norman.com +++ Norton AntiVirus -
www.symantec.com +++ Panda AntiVirus -
www.pandasoftware.com Attachment: is one of the following:
archive.doc
attachment.doc
check.doc
data.doc
document.doc
error.doc
file.doc
information.doc
letter.doc
list.doc
message.doc
msg.doc
news.doc
note.doc
notes.doc
report.doc
text.doc
with a second file extension of .
cpl, .pif, or .scr.
Enterprise Update Scanning Tool for Bulletin MS04-028
http://www.microsoft.com/downloads/details.aspx?FamilyID=70e1c04d-47e2-4ea6-a638-11ab6ad9bd6e&DisplayLang=en
This tool is a command line scanning tool built for the sole purpose of helping customers determine systems that may need security updates provided with the MS04-028 bulletin http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx .
Users of this tool should have experience in deploying software to corporate environments and with using command line tools. More information on this tool can be found in the Knowledge Base article 886988 (KB886988)
How to obtain and use the MS04-028 Enterprise Update Scanning Tool in environments that do not use Systems Management Server http://support.microsoft.com/?id=886988
SMS MS04-028 Update Scan Tool
http://www.microsoft.com/downloads/details.aspx?FamilyID=c4745685-9521-4b63-a338-0b3e2dcbf2bb&DisplayLang=en
This tool is a scan tool built for the sole purpose of helping customers determine SMS client computers that may need security updates provided with the MS04-028 bulletin. Like MBSA, this tool also has the instructions for SMS to locate each applicable update and download it from Microsoft.
Please update Windows and Office products with the latest security updates to ensure the best levels of protection as active development of exploits continues.
MS04-036: NNTP Proof of Concept exploit developed
http://isc.sans.org//diary.php?date=2004-10-15
If you were wondering how quickly you needed to apply the patches that Microsoft released a couple of days ago, please keep in mind that proof-of-concept exploit code for the Windows NNTP vulnerability (MS04-036) is publicly available. The recent Core Security advisory includes the exploit code, and provides detailed technical information about the vulnerability, which they seem to have reported to Microsoft in mid-August.
The Core Security advisory was published just hours after the patches became publicly available--this is a good illustration of the rapidly shrinking time window in which you need to apply security patches.
http://www.coresecurity.com/common/showdoc.php?idx=420&idxseccion=10
Even though the author has been arrested, cloning of the virus continues on one of the worst email viruses since Klez.H
As noted, Secunia provides a good summary of all AV vendors (as many have differing suffixes). Thankfully, this new variant remains low-risk by most AV vendors currently.
Secunia Information
http://secunia.com/virus_information/12662/
McAfee - W32/Netsky.ag@MM
http://vil.nai.com/vil/content/v_128905.htm
Symantec - W32.Netsky.AD@mm (currently rated Level 2)
http://www.sarc.com/avcenter/venc/data/w32.netsky.ad@mm.html
This variant of W32/Netsky is similar to previous variants. It bears the following characteristics:
* constructs messages using its own SMTP engine
* harvests email addresses from the victim machine
* spoofs the From: address of messages
Avoid all EMAIL attachments that end as follows:
There are 10 updates for October (7 Critical and 3 Important)
OCTOBER 2004 - MICROSOFT SECURITY BULLETINS
http://www.microsoft.com/technet/security/Bulletin/ms04-oct.mspx
3 BULLETINS RATED AS IMPORTANT
MS04-029 -- Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service (873350)
Executive Summary: An information disclosure and denial of service vulnerability exists that could cause the affected system
to stop responding or could potentially read portions of active memory content.
MS04-030 -- Vulnerability in WebDav XML Message Handler Could Lead to a Denial of Service (824151)
Executive Summary: A Denial of Service vulnerability exists that could cause the affected system to stop responding to requests.
MS04-031 -- Vulnerability in NetDDE Could Allow Remote Code Execution (841533)
Executive Summary: A remote code execution vulnerability exists in the NetDDE services because of an unchecked buffer.
7 BULLETINS RATED AS CRITICAL
MS04-032 -- Security Update for Microsoft Windows (840987)
Executive Summary: A remote code execution vulnerability, two elevation of privilege vulnerabilities, and a denial of service
vulnerability exist in Windows. The most severe vulnerability could allow remote code execution on an affected system.
MS04-033 -- Vulnerability in Microsoft Excel Could Allow Remote Code Execution (886836)
Executive Summary: A vulnerability exists in Microsoft Excel that could allow remote code execution on an affected system.
MS04-034 -- Vulnerability in Compressed (zipped) Folders Could Allow Remote Code Execution (873376)
Executive Summary: A vulnerability exists in the way that Windows processes Compressed (zipped) Folders that could allow remote code execution on an affected system.
MS04-035 -- Vulnerability in SMTP Could Allow Remote Code Execution (885881)
Executive Summary: A vulnerability exists in the Windows SMTP component and Exchange Server Routing Engine component that could allow remote code execution on an affected system.
MS04-036 -- Vulnerability in NNTP Could Allow Remote Code Execution (883935)
Executive Summary: A vulnerability exists in the Windows NNTP Component that could allow remote code execution on an affected system.
MS04-037 -- Vulnerability in Windows Shell Could Allow Remote Code Execution (841356)
Executive Summary: A vulnerability exists in the way that the Windows Shell launches applications. A vulnerability exists in Program Group Converter because of the way that it handles specially crafted requests. Both could allow remote code execution on an affected system.
MS04-038 -- Cumulative Security Update for Internet Explorer (834707)
Executive Summary: Five remote code execution and three information disclosure vulnerabilities exist in Internet Explorer.
This new virus is spreading in the MSN Messenger environment and please avoid all Instant Messages that offer downloading of FUNNY.EXE
W32/Funner.worm (avoid FUNNY.EXE in MSN IM)
http://secunia.com/virus_information/12581/funner/
http://vil.nai.com/vil/content/v_128750.htm
http://www.sarc.com/avcenter/venc/data/w32.funner.html
W32.Funner is a worm that spreads using Microsoft's Windows Messenger instant message program and modifies the hosts file. It may download other components and files from another web site.
Unfortunately laptop and notebook theft is a TOP security exposure. The following are some ideas for improved corporate security:
1. The likelihood of laptop theft increases dramatically during travel. If the remote office has empty available workstations and the user doesn't need a laptop outside the office, they can place their documents & work files on the network and avoid traveling with it.
2. Make sure the user checks it in with hotel security when practical if they will be gone for a long period of time.
3. Data encryption should be used on sensitive and confidential files.
4. Tactifully emphasize to traveling professionals how prevelant laptop theft is (e.g., include articles on website or feature in company newsletter).
5. Label laptops with company identification tags (hopefully in a way that might be difficult for the theft to remove/alter).
6. Include "return information" on the label in case a laptop is lost and not stolen.
7. For laptops with highly confidential information, biometrics, BIOS passwords, SecureID, smart cards, and other 2 factor authentication methods can be used.
The ISC featured these links show the top 20 security threats for 2004 and 2003:
SANS Top 20 for 2004
http://www.sans.org/top20
SANS Top 20 for 2003
http://www.sans.org/top20/top20_oct03.php
F-Secure which provides excellent AV products shares a good update on the gdiplus.dll vulnerabilities associated with malformed JPEGs.
http://www.f-secure.com/weblog/
Renewed notice on the GDI+ JPG vulnerability - (Oct 5th)
We've posted another notice on the JPG vulnerability, trying to get people to patch before it's too late.
Couple of notices on this vulnerability:
- Filtering files with .JPG extension won't protect you much. Bad JPGs can be renamed to .BMP or even .ICO and they still work fine
- To update Word, Excel and other Office tools, most users need to visit officeupdate.microsoft.com - but keep your Office installation CD handy!
- In some cases, Internet Explorer will run into the vulnerability before it has saved the offending JPG file to the IE cache folder - which means most workstation antivirus products won't have a chance to scan it before it's too late. Gateway-based antivirus scanners (like F-Secure Internet Gatekeeper) take care of this problem
- However, exploiting Internet Explorer with this vulnerability seems to be particularily hard. Exploiting Windows XP's EXPLORER.EXE while viewing local JPG files is much easier and several toolkits to create JPGs like this exist. This reduces the likelyhood of appereance of a massmailer worm using this vulnerability
- Finally, if you scan JPGs with this exploit embedded in them, F-Secure Anti-virus will detect them
For more, see our description.
More Posts
Next page »