Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

November 2004 - Posts

Lock IT Down: Conduct an internal and external security audit

This is a great article on the topic of network security auditing. The process of network vulnerability testing is a never-ending process of continuous improvement. It is recommended that an organization test the strengths and weaknesses of its network infrastructure on a weekly basis.

Lock IT Down: Conduct an internal and external security audit
http://techrepublic.com.com/5100-6264_11-1058963.html

Conducting a thorough network security audit has never been more critical. Almost every organization is connected to the Internet in some way, the number of interconnections between organizations is growing, and the ranks of telecommuters are increasing. Of course, for an audit to be effective, you need to know where and how to look for vulnerabilities. A formal security audit consists of four phases:

1. Assessment—During this phase, information is gathered and problems are identified and analyzed.

2. Critical fixes—Problems that are extremely serious or that require only simple, quick fixes are addressed during this phase.

3. Update other fixes—During this phase, fixes with low to intermediate priority are addressed.

4. Continuing work—This phase never ends. The information from the prior three phases is used to continually maintain the environment and keep it secure. Of course, this process should be undertaken on a regular basis in order to keep things secure.

WinAmp - Critical vulnerability with CDA and M3U extensions

If you use any version of WinAmp, you should take these precautions, as exploits have been developed that could compromise security. This is rated as "Extremely Critical" by Secunia.

WinAmp - Critical vulnerability with CDA and M3U extensions
http://secunia.com/advisories/13269/
http://www.security-assessment.com/Papers/Winamp_IN_CDDA_Buffer_Overflow.pdf

A new critical vulnerability has been reported in Winamp which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by a boundary error in the "IN_CDDA.dll" file. This can be exploited in various ways to cause a stack-based buffer overflow, e.g. by tricking a user into visiting a malicious web site containing a specially crafted ".m3u" playlist.

Successful exploitation allows execution of arbitrary code.  The vulnerability has been reported in version 5.05 and confirmed in version 5.06. Prior versions may also be affected.

Solution:  Disassociate ".cda" and ".m3u" extensions from Winamp.

Give me a patch and you protect me for a day - Teach me security ....

The Security Awareness Blogspot provides an excellent resource that can help teach users best practices and the principles of safe computing. 

http://www.securityawareness.blogspot.com/

To me, security awareness training is just as important as automated protection safeguards in an organization's security program. As an example, how will users react to a new virus attack when the AV vendors don't have signatures out yet, but infected email attachments are already waiting in their in-boxes?

If you make security awareness informative, fun, and provide value to the user that helps protect them at home, they will adopt best practices in the workplace.  The Intranet is a great resource for publishing security policies, best practices, and educating users in security awareness.  I've seen night and day differences at our company as users have learned to question suspicious email and follow best practices. 

To borrow from CARE's great theme, you can sum up security awareness in this manner.  "Give me a patch and you protect me for a day -- but teach me security and you help protect me for a lifetime". 

Best Practices in Security Protection

http://www.geoapps.com/harry_waldron_best_practices.htm
http://www.cert.org/homeusers/HomeComputerSecurity/
http://www.cert.org/tech_tips/home_networks.html
http://www.learnthenet.com/english/section/protect.html
http://www.jmu.edu/computing/runsafe/

UPDATE YOUR BROWSER - If you have installed Sun's Java VM engine

If IE users haven't loaded Sun's Java plug-in, they should be safe from this particular vulnerability. One of the bulletins mentioned that the native MS Java VM environment is not vulnerable.

Sun Java plug-in Vulnerabilities - Patch Available
http://news.com.com/Java+flaw+could+lead+to+Windows%2C+Linux+attacks/2100-1002_3-5464872.html
http://www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1029
http://jouko.iki.fi/adv/javaplugin.html


A flaw in Sun Microsystems' plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread through Microsoft Windows and Linux PCs.  The vulnerability, found by Finnish security researcher Jouko Pynnonen in April, was patched last month by Sun, but its details were not made public until Tuesday. Security information provider Secunia posted information about the flaw in an advisory that rated it a "highly critical" threat.

The Java plug-in enables small Web programs, known as applets, to run safely on a user's computer. But the security flaw allows a malicious Web site accessed through a victim's browser to bypass those protections. "It allows execution of attacker-supplied code without user interaction (apart from viewing a Web page) which usually means a 'critical' classification," Pynnonen stated in an e-mail interview with CNET News.com.

PATCH AVAILABLE HERE (if you have Sun's Java plug-in installed)
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1
http://java.sun.com/j2se/1.4.2/download.html

Sober.I worm escalated to HIGH RISK by Secunia

This new email worm is out there, as I'm deleting these regularly along with Netsky.P.

Secunia Virus Information has issued a HIGH RISK alert for Sober.I

Secunia Virus Alert: Sober.I
Risk Rating: HIGH RISK
Confirmed By: 7 Vendors
==============================

Secunia - High Risk Virus Alert: Sober.I
http://secunia.com/virus_information/13467/

McAfee Forums
http://forums.mcafeehelp.com/viewtopic.php?t=35594


----- EXAMPLE OF ONE FROM THE INBOX ----------


From: info @ hockeycanada.ca
Date: Mon, 22 Nov 2004 22:52:04 GMT
Subject: Registration confirmation <KEY:8459>

Your password was changed successfully!
++++++ User-Service: http://www.hockeycanada.ca
++++++ MailTo: postmaster @ hockeycanada.ca
*-*-* Attachment: No Virus found
*-*-* YAHOO- Anti_Virus Service
*-*-* http://www.yahoo.com

Virus Scan Results
File name: hockeycanada.com
File size: 55kb
File type: application/octet-stream
Scan result: Virus "W32.Sober.I@mm" found.

Sober.I Worm - MEDIUM RISK by Secunia

The Sober worm family is prolific in email generation, and this new variant has been declared MEDIUM RISK by Secunia. It is reported to be spreading in France, Germany, and Australia.

Sober.I Worm - MEDIUM RISK by Secunia
http://secunia.com/virus_information/13463/win32.sober.i/
http://vil.nai.com/vil/content/v_130130.htm
http://www.sarc.com/avcenter/venc/data/w32.sober.i@mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBER.I
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=40797
http://www.f-secure.com/v-descs/sober_i.shtml
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=54761&sind=0


As of November 11, 2004 at 1:31 AM (GMT -8:00 Pacific Standard Time), TrendLabs has declared a MEDIUM risk virus alert in order to control the spread of this new SOBER variant. TrendLabs has received numerous infection reports indicating that this malware is spreading in France, Germany, and Australia.

The message it sends out has the following details:

Subject: (any of the following)

· Confirmation
· Delivery_failure_notice
· Details
· Faulty_mail delivery
· illegal signs in your mail
· invalid mail
· mail delivery system
· Mail delivery_failed
· Mail Error
· Mail_Delivery_failure
· Registration confirmation
· Your mail password
· Your Password

Message body: (any of the following)

· I was surprised, too!
*-*-* Mail_Scanner: No Virus
*-*-* SKYNET- Anti_Virus Service
*-*-* http://www.skynet.be

· Your password was changed successfully!
· Protected message is attached!

· ++++++ User-Service: http://www.
++++++ MailTo: postmaster

Message attachment:

FILE NAME
· im_shocked
· oh_nono

FILE EXTENSIONS
*.bat, *.com, *.exe, *.pif, and *.scr
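
The subject lines, fake "Anti_Virus Service" footers and attachment extensions listed above are exactly the kind of indicators a mail gateway or help desk can triage on while the AV vendors are still shipping signatures. The following is an added example written for this page, not code from Secunia, TrendLabs or McAfee: it parses one RFC 822 message with Python's standard `email` library and reports which Sober.I indicators it carries. The indicator lists are copied from the descriptions above; the two sample messages (a Sober-shaped one using the `im_shocked.com` attachment name from the list, and a benign one) are constructed here for the demonstration, with `example.invalid` addresses standing in for real ones.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines taken from the Sober.I descriptions above (compared case-insensitively,
# after the worm's "<KEY:nnnn>" suffix is removed).
SOBER_SUBJECTS = {
    "confirmation", "delivery_failure_notice", "details",
    "faulty_mail delivery", "illegal signs in your mail", "invalid mail",
    "mail delivery system", "mail delivery_failed", "mail error",
    "mail_delivery_failure", "registration confirmation",
    "your mail password", "your password",
}
# Attachment extensions the worm uses.
SOBER_EXTENSIONS = {".bat", ".com", ".exe", ".pif", ".scr"}
# Fragments of the fake "scanned, no virus" footer the worm appends to its bodies.
FAKE_SCAN_MARKERS = ("*-*-*", "++++++ User-Service:", "++++++ MailTo:")


def sober_indicators(raw: bytes) -> list:
    """Return a list of human-readable Sober.I indicators found in one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    subject = (msg["Subject"] or "").strip()
    base_subject = subject.split("<")[0].strip().lower()   # drop "<KEY:8459>"
    if base_subject in SOBER_SUBJECTS:
        hits.append(f"subject: {subject}")

    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue                                        # container, not content
        filename = part.get_filename()
        if filename:
            ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in SOBER_EXTENSIONS:
                hits.append(f"attachment: {filename}")
        elif part.get_content_type() == "text/plain":
            body = part.get_content()
            for marker in FAKE_SCAN_MARKERS:
                if marker in body:
                    hits.append(f"body marker: {marker}")
                    break                                   # one body hit is enough
    return hits


def build_sample(subject: str, body: str, attachment_name: str = None) -> bytes:
    """Construct a sample message (not a real capture) in the shape described above."""
    m = EmailMessage()
    m["From"] = "info@example.invalid"        # constructed sender
    m["To"] = "user@example.invalid"          # constructed recipient
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        # Dummy 64-byte payload; only the file name matters to the check.
        m.add_attachment(b"\x00" * 64, maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


# Constructed Sober-shaped message, modelled on the inbox example above.
SOBER_SAMPLE = build_sample(
    "Registration confirmation <KEY:8459>",
    "Your password was changed successfully!\n"
    "++++++ User-Service: http://www.example.invalid\n"
    "++++++ MailTo: postmaster@example.invalid\n"
    "*-*-* Attachment: No Virus found\n"
    "*-*-* YAHOO- Anti_Virus Service\n",
    attachment_name="im_shocked.com",
)
# Constructed benign message for comparison.
BENIGN_SAMPLE = build_sample("Lunch on Thursday?", "Same place as last time?\n")

if __name__ == "__main__":
    for label, sample in (("sober", SOBER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, sober_indicators(sample))
```

Any single indicator is weak on its own (plenty of legitimate mail has the subject "Details"), so a gateway rule would normally act on two or more; the function returns the full list so that policy can be applied on top of it.
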

Personal Identity Theft - A true story

PERSONAL IDENTITY THEFT STORY

Each month, I attend a training luncheon offered by a professional organization. As we were eating lunch, one of the ladies present told me about her 25-year-old daughter who had been victimized by either a phishing scam (or one of the keylogger backdoors designed to capture sensitive personal information).

Her daughter discovered this when three checks bounced, as her checking account had been cleaned out (by using her debit card). Her mom said that the bank had analyzed this and at least $800 was stolen via a debit card (which is NOT subject to the Fair Credit Reporting Act limitations).

Her daughter was barely making it with a low-paying job and her mom said that she cried all night after being scammed in this manner.  Indeed, to the victim, this form of electronic fraud would leave someone with a hopeless feeling. 

I shared as much as I could with her mom (e.g., change account #'s, meet with the banking folks, document in writing, don't use debit cards, don't reply to stuff via email, virus/spyware removal, etc).  Of course, her mom (who also wasn't rich) helped her through this crisis.  Still for me, this discussion really brought home the need to go after and lock up these vandals.

I didn't see the mom at this month's meeting, but I'm hoping to learn as Paul Harvey says "the rest of the story" on this incident.

Information Workers Security Handbook (42 pages)

This 42-page document is comprehensive and excellent.

Information Workers Security Handbook
http://go.microsoft.com/fwlink/?LinkId=38060

The Security Business and Technology Unit (SBTU), with the assistance of the Microsoft Solutions for Security (MSS) team, has put together an Information Workers Security Handbook.

IT professionals have requested guidance for their end users. This document provides, in plain language, the needed background information on how computer networks work and the specific security risks they face. It also provides real-world actions you can take to better secure your own computer and help preserve the security of the network as a whole.

New Security Awareness Site for Inexperienced Users

http://securityawareness.blogspot.com/

Security Awareness for Ma, Pa and the Corporate Clueless

The Security Awareness Blog caters to government, corporations and home users everywhere. We focus on the people - not the technology. Our brand of Awareness programs is sponsored by Winn Schwartau's Interpact, Inc., The Security Awareness Company. We will bring you the latest news and views on Security Awareness and the Information Security Industry and we promise to offer you free Security Awareness Materials each month.

MS04-032: Golten Internet worm

http://vil.nai.com/vil/content/v_129974.htm

This worm may be installed via MS04-032 exploit code that was recently mass-mailed to many email addresses.  That message appears as follows:

Subject: Latest News about Arafat !!!
Body: Hello Guys, Latest News about Arafat! Unimaginable!!!!!!

The message contains an attachment, arafat_1.emf, which is simply an image, but the other attachment, arafat_2.emf, is a specially crafted EMF file that installs this worm on vulnerable systems. This attachment is detected as Exploit-MS04-032!gdi with the current DAT release.

The worm attempts to spread via the ADMIN$ share, connecting to accessible remote systems via existing credentials or attempting to use weak administrator passwords to gain access.

Vundo.downloader - New IFRAME Trojan Horse

Please be careful with HTML-based spam email.

Vundo.downloader - New IFRAME Trojan Horse
http://vil.nai.com/vil/content/v_129972.htm

This trojan was recently installed via an HTML page that contained the Exploit-IframBO trojan. It is believed that the exploit code may have been mailed to a large number of email addresses. Accessing the exploit file results in vulnerable Internet Explorer web browsers executing download code, which downloads and executes Vundo.dldr. Vundo.dldr is a small trojan that simply connects to a specific IP address to download and execute another file. The trojan author has built this trojan to download and execute the Vundo trojan.

Symantec NAV 2005 - Security Update available (prevents DoS attack)


Symantec NAV 2005 - Security Update available (prevents DoS attack)
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2004111013091839

This update addresses a very small risk that an attacker could cause the product's icon to be temporarily removed from the system tray.

CERT: Cisco IOS fails to properly handle malformed DHCP packets

CERT: Cisco IOS fails to properly handle malformed DHCP packets
http://www.kb.cert.org/vuls/id/630104

By sending a specially crafted DHCP packet to an affected device, a remote, unauthenticated attacker could cause the device to stop processing incoming network traffic. Repeated exploitation of this vulnerability could lead to a sustained denial-of-service condition. In order to regain functionality, the device must be rebooted to clear the input queue on the interface.

PATCH INFORMATION
http://www.cisco.com/warp/public/707/cisco-sa-20041110-dhcp.shtml

Mozilla releases Firefox 1.0

I've been using Opera and Firefox as additional browsers alongside IE 6 to test newly developed web pages; they can also complement Internet Explorer to offer users improved safety against some current unpatched security exploits.

Microsoft has substantially improved security in XP SP2's version of Internet Explorer. If you have older Windows 98 or 2000 PCs, both Firefox and Opera can co-exist as additional browsing tools.

I would recommend that if anyone wants to install Firefox as an additional browser, that they leave Internet Explorer installed on their PC for the following reasons:

1. Some sites will only work with Internet Explorer

2. Uninstalling Internet Explorer will impact the Windows Update and Office Update facilities

3. Some Antivirus and 3rd party updates rely on Internet Explorer's engine for updating.

4. Internet Explorer is still an excellent browser for trusted sites and it handles file extensions and associations better.

Mozilla releases Firefox 1.0
http://news.zdnet.com/2100-9588_22-5443931.html

After 19 months of development, two name changes and more than 8 million downloads of its preview release, the Firefox browser is finally turning 1.0. Firefox, a browser based on the Mozilla Foundation's open-source development work, was made available for free download at 1 a.m. PST Tuesday.

MyDoom AG/AH might be a brand new virus family

An interesting analysis on MyDoom AG/AH from F-Secure's weblog:

http://www.f-secure.com/weblog/

Turns out these new Mydoom.AG and Mydoom.AH variants might not be Mydooms at all. Our comparison tools show only around 49% correlation between these and the last Mydooms. So that would explain why the technique is so different.

These viruses are also one of the fastest ever to take advantage of a new security vulnerability. The exploit was only posted publicly on Friday, and the viruses were out by Tuesday.

So the virus spreads in four steps:

1. Infected machine ("predator") sends out tons of emails with a link
2. Recipient on target machine ("prey") follows the link back to a website on the infected machine
3. Exploit on the web page downloads and runs the virus, turning the prey into another predator
4. Repeat

STEPS 1-4 ILLUSTRATED
http://www.f-secure.com/weblog/archives/agillustration.jpg


W32/Mydoom.AH - MEDIUM risk for IFRAME exploit

Overnight, a new AH version was released which is similar to the AG variant. This brand new version of MyDoom is HTML-based and does not contain attachments. It exploits a critical IE vulnerability when you click on a URL found in the email message. Please always avoid clicking on links in spam or unwanted email messages. There may be more variants coming, as this one is easy to copy.


W32/Mydoom.AH - MEDIUM risk for IFRAME exploit
http://secunia.com/virus_information/13223/mydoom.ah/
http://vil.nai.com/vil/content/v_129631.htm
http://www.sarc.com/avcenter/venc/data/w32.mydoom.ah@mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.AH

Internet Storm Report
http://isc.sans.org//diary.php?date=2004-11-08

This W32/Mydoom@MM variant makes use of a zero day attack targeting a Microsoft Internet Explorer IFRAME buffer overflow vulnerability. The virus spreads by sending email messages to addresses found on the local system. The message appears as follows:

From: Spoofed address (may be exchange-robot@paypal.com when sending paypal message body below)

Subject: (case may vary)

hi!
hey!
Confirmation
blank

There is no attachment to the message. The homepage hyperlink points to the infected system which sent the email message. Clicking on the link accesses a web server running on the compromised system. The web server serves HTML that contains IFRAME buffer overflow code to automatically execute the virus. Infected systems will show Internet Explorer listening on TCP Port 1639, the port the web server runs on. Information on the IFRAME vulnerability can be found here:

Internet Explorer IFRAME Buffer Overflow Vulnerability
http://secunia.com/advisories/12959/


EXAMPLE of PAYPAL message that's spreading

quote:

Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days. To see details please click this link DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received. Thank you for using PayPal

AVERT STINGER - can remove this new variant
http://vil.nai.com/vil/stinger

W32/Mydoom.ag@MM - Zero Day IE I-FRAME Attack

This brand new version of MyDoom is HTML-based and does not contain attachments. It also exploits a critical IE vulnerability, so AV protection plus best practices are needed -- as this one has some potential.

W32/Mydoom.ag@MM - Zero Day IE I-FRAME Attack
http://secunia.com/virus_information/13213/mydoom.ag/
http://vil.nai.com/vil/content/v_129630.htm

This W32/Mydoom@MM variant makes use of a zero day attack targeting a Microsoft Internet Explorer IFRAME buffer overflow vulnerability. The virus spreads by sending email messages to addresses found on the local system. The message appears as follows:

From: Spoofed address
Subject: may vary

* funny photos :)
* hello
* hey!
* blank

There is no attachment to the message. The homepage hyperlink points to the infected system which sent the email message. Clicking on the link accesses a web server running on the compromised system. The web server serves HTML that contains IFRAME buffer overflow code to automatically execute the virus. Infected systems will show Internet Explorer listening on TCP Port 1639, the port the web server runs on. Information on the IFRAME vulnerability can be found here:

Internet Explorer IFRAME Buffer Overflow Vulnerability
http://secunia.com/advisories/12959/
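
Both the Mydoom.AG and Mydoom.AH write-ups above give the same host-level tell: Internet Explorer holding a listening socket on TCP 1639. That is easy to sweep for on a fleet of Windows PCs, because `netstat -ano` lists every listener with its owning PID and `tasklist` maps PIDs to image names. The following is an added example written for this page, not McAfee's, Secunia's or the ISC's code. It parses `netstat -ano` style output and flags a listener either because the port is the one named in the advisories or, going slightly beyond the page, because the owning process is a browser at all (a browser is a client and has no business accepting inbound connections, whatever the port). The netstat text and the PID-to-image dictionary are constructed samples, not output from a real infected host.

```python
# Port the Mydoom.AG/AH web server listens on, per the advisories above.
MYDOOM_PORTS = {1639}
# Browser images that should never hold a listening socket (assumption made here:
# a browser is a client, so an inbound listener inside one is an anomaly on any port).
BROWSER_IMAGES = {"iexplore.exe"}


def parse_listeners(netstat_text: str):
    """Yield (port, pid) for every TCP socket in LISTENING state in netstat -ano output."""
    for line in netstat_text.splitlines():
        fields = line.split()
        # A listening TCP row has exactly: Proto, Local, Foreign, State, PID.
        if len(fields) < 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        # rpartition copes with IPv6 local addresses such as [::]:445.
        _host, _sep, port = fields[1].rpartition(":")
        yield int(port), int(fields[4])


def suspicious_listeners(netstat_text: str, pid_to_image: dict) -> list:
    """Return one finding per listener that matches a Mydoom indicator."""
    findings = []
    for port, pid in parse_listeners(netstat_text):
        image = pid_to_image.get(pid, "<unknown>")
        reasons = []
        if port in MYDOOM_PORTS:
            reasons.append(f"TCP {port} is the port the Mydoom.AG/AH web server runs on")
        if image.lower() in BROWSER_IMAGES:
            reasons.append(f"{image} is a browser and should not accept inbound connections")
        if reasons:
            findings.append({"port": port, "pid": pid, "image": image, "reasons": reasons})
    return findings


# Constructed sample in the shape of `netstat -ano` on Windows; not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1639           0.0.0.0:0              LISTENING       1804
  TCP    192.168.1.20:1052      10.0.0.7:80            ESTABLISHED     1804
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       2240
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    688
"""
# Constructed PID-to-image map, as `tasklist` would provide it.
SAMPLE_TASKLIST = {912: "svchost.exe", 1804: "iexplore.exe", 2240: "iexplore.exe",
                   4: "System", 688: "lsass.exe"}

if __name__ == "__main__":
    for f in suspicious_listeners(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"PID {f['pid']} ({f['image']}) listening on TCP {f['port']}:")
        for reason in f["reasons"]:
            print("   -", reason)
```

On the sample, PID 1804 is reported for both reasons (the advisory port and a browser image), while PID 2240 is reported only because a browser is listening; the RPC and SMB listeners owned by svchost.exe and System are left alone.
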

Microsoft Security Bulletins - Advanced Notifications

Microsoft is providing a preliminary overview of the monthly security bulletins that will be issued on the second Tuesday of each month (usually around 1:00 pm PST). To help security and network administrators with planning, Microsoft will announce the patches that are going to be released a few days ahead of time. This general overview will provide the number of security bulletins that will be released, the anticipated security ratings, and the products that will be affected.

Microsoft Security Bulletins - Advanced Notifications
http://www.microsoft.com/technet/security/news/bulletinadvance.mspx
http://www.microsoft.com/technet/security/bulletin/advance.mspx

Virus Naming Standards: Open Letter to AV Companies


Open Letter to Anti-Virus Software Companies

http://isc.sans.org//diary.php?date=2004-11-05

The following letter was provided to us by Chris Mosby, SMS Administrator and MyITforum Security Message Board Moderator. I think many of us can relate to the grief caused by the virus name game described in his letter. Note that the thoughts and opinions in this letter are those of the author and not necessarily those of the Internet Storm Center or the SANS Institute. Thanks Chris.

As we are all aware, it was exactly one week ago today that there was an unusual outbreak of not just one, but three globally spreading variants of the Bagle virus. Now that the smoke has cleared, and security professionals around the world have all had time to reflect on the events of the last seven days, I wanted to write to you on behalf of your customers to let you in on a little secret that we already know. The "Virus Name Game" has gotten out of hand. If you are unaware of what I refer to, I will attempt to explain.

Sometime during the Bagle\Netsky war of earlier this year, your virus variant names got out of synch with other anti-virus software companies. We can understand how that could have happened. There were multiple versions of those viruses coming out every day, with virus writers trying to outdo each other in some childish game of hacker supremacy, and you were dealing with the waves of malware as fast as you could.

When the "virus war" slowed down with the arrest of the author of Netsky, your virus variant names stayed out of synch. Your customers were able to "deal with it" as the new viruses trickled in at their normal pace by working together as a community with resources like the Internet Storm Center (http://isc.sans.org/index.php), Secunia's Virus Information page (http://secunia.com/virus_information/), VGrep Online (http://www.virusbtn.com/resources/vgrep/index.xml), MyITforum's Security message boards (http://myitforum.techtarget.com/forums/default.asp?catApp=2), and AntiVirus e-mail list (http://myitforum.techtarget.com/articles/14/view.asp?id=1301).

This last Bagle virus outbreak reminded us all what a mess we are in. Since your respective companies have adopted an isolationist attitude and don’t usually share information with other anti-virus software companies, your customers were left with a lot of confusion as to exactly what they were dealing with.

While the new Bagle variants were spreading like wildfire, some companies acknowledged the variants existed, but had no details of what these variants did or what to look for. This did not change even after they raised the threat level of these viruses.

Others provided more detail, but did not match the threat level of other companies since the number of submissions they received from their customers was lower. Their virus variant names were different than other companies', so your customers were left in the dark.

Still other companies had only one or two of these variants listed, with various degrees of detail, and again completely different variant names than other companies, since that was all their customers had submitted to them. This left your customers in the dark again.

For those of your customers that use more than one company's anti-virus product, and I know there are plenty out there, that left them with an even bigger mess than just the virus outbreak. With all of this going on your customers "dealt with it" as they usually do, working together as a community. We sorted through all the information that trickled down to us, or when you felt like letting us know. As usual, we got through it, with some of us showing a few more gray hairs.

I think I can speak for everyone in the security community when I say, "dealing with it" is not acceptable anymore. As the customers that spend money for your products, we should not have to work so hard to figure out if your products are keeping us protected. We know you can do better, and we challenge you to do so. With the increasing problem of spyware, spam, and patch management, we have enough to deal with.

Along those lines, I have a suggestion. Since your business thrives on competition with the other companies out there, then maybe picking a name for a virus should be played as a competition by anti-virus software companies. First we would need a neutral third party you can send virus information to, like the Internet Storm Center or the United States Computer Emergency Readiness Team (US-CERT, http://www.us-cert.gov/).

The competition would be that the first company to send the neutral party detailed and accurate information on a virus before any other would be the one to name the virus. This would be what all other companies would have to use in their descriptions from that point on.

However things are fixed might not matter, as long as something is done before things get worse. Work together as a community of security professionals and help out your customers at the same time. With Microsoft soon to be entering the anti-virus software business, we believe it is in your best interest to figure out how to accomplish this and keep your customers better informed about how they are protected.

Thank you for your time and attention,

Chris Mosby
SMS Administrator
MyITforum Security Message Board Moderator

Virus Bulletin: AntiVirus products tested for Windows 2003 Server

AntiVirus products were tested by Virus Bulletin in November for the Windows 2003 Server environment.

November 2004 - Windows Server 2003
http://www.virusbtn.com/vb100_award/archives/tests.xml?200411
