Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

December 2004 - Posts

W32/Kipis.b@MM - 2005 Happy New Year's message

Please be careful with emails entitled "Happy New Year" and don't open any attachments, especially if they end in .SCR. Some variants of this virus also use offensive language.

http://vil.nai.com/vil/content/v_130668.htm

Cabir Phone Virus - Several new variants emerge

Several new variants emerged overnight, as the published source code is providing virus writers the capability to produce new variants quickly.

http://www.f-secure.com/v-descs/_new.shtml

--> 2004.12.30 Cabir.K
--> 2004.12.30 Cabir.L
--> 2004.12.30 Cabir.J
--> 2004.12.30 Cabir.G
--> 2004.12.30 Cabir.F
--> 2004.12.28 Cabir.I
--> 2004.12.27 Cabir.H

Cabir source code published
http://www.viruslist.com/en/weblog

Over the last few days we see several versions of Cabir. They are not very different from each other, just in unimportant ways. Today we found out that the source code that these different versions were compiled from was published on the Internet. This means it can be accessed by anyone.

As far as we know, until now the Cabir source code was accessible only to a limited number of people, including members of the international virus writing group 29A. It was a 29A member who wrote the original version of Cabir. We think it was planned to publish the source code in the next edition of the group's electronic journal.

However, it looks like someone has already got access to the code, and now it's public. This will lead to a lot of new versions of Cabir, which has already been detected in the wild in 7 countries.

Internet Explorer - Quick & Easy Method to improve security

  There are many ways to improve IE security and I found a few links.  I've shared some advice previously, but probably your easiest way of hardening security is:

TOOLS ... INTERNET OPTIONS ... SECURITY ... INTERNET ZONE ... CUSTOM LEVEL

Then change the signed ActiveX settings from AUTOMATIC to PROMPT (that change alone protects you from hijackers, dialers, CWS, etc.). All my settings here are PROMPT or DISABLED.

I stay on MEDIUM settings but you can try HIGH as well (you want to balance things so that IE doesn't become "promptware" but still saves you from a hijacking or a CoolWebSearch variant).

Finally "don't leave home without your Firewall, AV protection, and best practices"
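The Custom Level change above can also be verified from a script, which is handier than clicking through the dialog on every PC you look after. The following is an added example, not code from the original post: it reads the per-user Internet-zone values that IE keeps in the registry (the key and value names are the ones Microsoft documents for security zones) and reports every ActiveX or scripting setting that is still on Enable rather than Prompt or Disable. The two sample profiles are constructed so the audit logic can be exercised off Windows.

```python
"""Audit the Internet Explorer Internet-zone ActiveX and scripting settings.

Added example, not code from the original post. It implements the check
behind the post's advice (Tools > Internet Options > Security > Internet zone
> Custom Level: ActiveX from Enable to Prompt or Disable) as a script. The
registry key and value names are the ones Microsoft documents for IE
security zones; the sample profiles are constructed.
"""
import sys

# Per-user zone settings live here; zone 3 is the Internet zone.
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Value name -> setting as shown in the Custom Level dialog.
SETTINGS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1400": "Active scripting",
}

# DWORD encoding of the Enable / Prompt / Disable radio buttons.
ENABLE, PROMPT, DISABLE = 0, 1, 3
LABELS = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}


def audit_zone(values):
    """Return [(value name, description, state)] for every setting that is
    still Enable or is missing. `values` maps value name -> DWORD."""
    findings = []
    for name, desc in SETTINGS.items():
        state = values.get(name)
        if state is None:
            findings.append((name, desc, "not set (zone template default applies)"))
        elif state == ENABLE:
            findings.append((name, desc, LABELS[ENABLE]))
    return findings


def is_hardened(values):
    """True when every audited setting is Prompt or Disable."""
    return not audit_zone(values)


def read_zone_from_registry():
    """Read the current user's Internet-zone values (Windows only)."""
    import winreg  # only present on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values under the key
            if name in SETTINGS:
                values[name] = data
            index += 1
    return values


# Constructed sample profiles (not real exported registry data).
PERMISSIVE = {"1001": ENABLE, "1004": DISABLE, "1200": ENABLE, "1201": DISABLE, "1400": ENABLE}
HARDENED = {"1001": PROMPT, "1004": DISABLE, "1200": PROMPT, "1201": DISABLE, "1400": PROMPT}


def main():
    if sys.platform == "win32":
        values = read_zone_from_registry()
    else:
        values = PERMISSIVE  # off Windows, run the audit over the constructed sample
    for name, desc, state in audit_zone(values):
        print(f"{name} {desc}: {state} -> change to Prompt or Disable")
    print("hardened" if is_hardened(values) else "needs attention")


if __name__ == "__main__":
    main()
```

A value that is absent from the per-user key is reported too, because IE then falls back to the zone template default, which a hardening check should not silently trust.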

  SOME OTHER RELATED LINKS

http://www.google.com/search?q=internet+explorer+security

http://acd.ucar.edu/~fredrick/win2k/active_scripting/
http://www.jmu.edu/computing/info-security/engineering/issues/ie.shtml
http://netsecurity.about.com/cs/tutorials/ht/ht020203.htm
http://www.microsoft.com/windows/ie/security/default.mspx

Computer Viruses - Top 10 for 2004

Sophos has published their top 10 list for 2004 as follows:

http://news.bbc.co.uk/2/hi/technology/4105007.stm

TOP VIRUSES OF 2004
1) Netsky-P
2) Zafi-B
3) Sasser
4) Netsky-B
5) Netsky-D
6) Netsky-Z
7) MyDoom-A
8) Sober-I
9) Netsky-C
10) Bagle-AA

 

Downloader-TO (another Unpatched Help Zone Exploit)

Please continue to be careful with email and weblinks, as developments continue for these exploits:

http://secunia.com/virus_information/14173/downloader-to/
http://vil.nai.com/vil/content/v_130607.htm

This downloader trojan is itself downloaded via an HTA file (named Microsoft Office.hta and detected with the current DAT files as VBS/Psyme) that is believed to be used in conjunction with a recent Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass Vulnerability exploit.

The exploit is believed to save the file Microsoft Office.hta to the startup directory. Upon reboot, this file downloads a remote file named server.exe, saves it to the local system as c:\malware.exe, and executes the downloaded file. malware.exe is the Downloader-TO trojan.

Once run, this trojan adds itself to the Windows XP SP2 authorized applications firewall policy list (as cmsscs). It also adds an entry for the file that it downloads (C:\WINDOWS\tgbcde\module32.exe as module32).
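Because the trojan registers itself in the XP SP2 firewall exceptions list so that the firewall never prompts about its traffic, that list is worth auditing against a known-good baseline. The following is an added example, not code from the original post or from McAfee: it parses the entries the firewall stores under the AuthorizedApplications registry key (each value is a string of the form path:scope:Enabled|Disabled:display name) and reports entries that are not in the baseline, sit in the root of the drive, or live in an odd folder under the Windows directory. The baseline and the three sample entries are constructed; the two malicious paths and names are the ones quoted in the description above, and the folder heuristics are this example's own assumptions.

```python
"""Audit the Windows XP SP2 firewall application exceptions list.

Added example, not code from the original post or from McAfee. Downloader-TO
adds itself (and the file it fetches) to this list so the firewall never
prompts about their traffic, so a defender can compare the list against a
known-good baseline. Each value under the key below is a string of the form
    <path>:<scope>:<Enabled|Disabled>:<display name>
The baseline and sample entries are constructed; the two malicious paths
and names are the ones the McAfee description quotes.
"""
import ntpath
import sys

FW_LIST_KEY = ("SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters"
               "\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List")

# Folders under %WINDIR% that legitimately hold executables (heuristic, assumption).
WINDIR = "c:\\windows\\"
WINDIR_OK = ("c:\\windows\\system32\\", "c:\\windows\\system\\")


def parse_entry(data):
    """Split 'path:scope:mode:name'. The path itself contains a drive-letter
    colon, so split on the last three colons only."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"unexpected exception entry: {data!r}")
    path, scope, mode, name = parts
    return {"path": path, "scope": scope, "mode": mode, "name": name}


def reasons_for(entry, baseline):
    """Return the list of reasons an exception entry deserves a look."""
    reasons = []
    path = entry["path"].lower()
    folder = ntpath.dirname(path)
    if path not in baseline:
        reasons.append("not in the known-good baseline")
    if folder.rstrip("\\") == ntpath.splitdrive(path)[0]:
        reasons.append("executable sits in the root of the drive")
    if path.startswith(WINDIR) and not path.startswith(WINDIR_OK):
        reasons.append("lives in a non-standard folder under %WINDIR%")
    if reasons and entry["mode"].lower() == "enabled":
        reasons.append("exception is active")
    return reasons


def audit_exceptions(raw_values, baseline):
    """raw_values maps registry value name -> data string. Returns
    [(path, display name, reasons)] for every entry that is not clean."""
    findings = []
    for data in raw_values.values():
        entry = parse_entry(data)
        reasons = reasons_for(entry, baseline)
        if reasons:
            findings.append((entry["path"], entry["name"], reasons))
    return findings


def read_exceptions_from_registry():
    """Read the live exceptions list (Windows only)."""
    import winreg  # only present on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FW_LIST_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values under the key
            values[name] = data
            index += 1
    return values


# Constructed sample of the registry values: one legitimate entry plus the
# two the trojan writes according to the description above.
SAMPLE_LIST = {
    "C:\\Program Files\\Messenger\\msmsgs.exe":
        "C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger",
    "C:\\malware.exe": "C:\\malware.exe:*:Enabled:cmsscs",
    "C:\\WINDOWS\\tgbcde\\module32.exe": "C:\\WINDOWS\\tgbcde\\module32.exe:*:Enabled:module32",
}
# Known-good baseline, lower-cased paths (constructed).
BASELINE = {"c:\\program files\\messenger\\msmsgs.exe"}


def main():
    values = read_exceptions_from_registry() if sys.platform == "win32" else SAMPLE_LIST
    for path, name, reasons in audit_exceptions(values, BASELINE):
        print(f"{path} ({name}): " + "; ".join(reasons))


if __name__ == "__main__":
    main()
```

The baseline comparison is the part that scales; the folder heuristics only catch the sloppy cases (a binary dropped in C:\ or in a made-up folder under WINDOWS), so treat them as a hint and the baseline miss as the real signal.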

Trojan.Phel.A -- Exploits New Windows Help Vulnerability

Trojan.Phel.A is a Trojan horse program, which is distributed as an HTML file, and attempts to exploit the Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass Vulnerability (BID 11467).

http://www.symantec.com/avcenter/venc/data/trojan.phel.a.html

New Windows Security LoadImage & Help Vulnerabilities

PLEASE BE VERY CAREFUL WITH ALL WEB SITES AND EMAIL. There are already Proof-of-Concept (POC) exploits circulating in-the-wild related to brand new unpatched flaws in Microsoft Windows. With POC code circulating in the public, this provides the "bad guys" with tools to quickly build viruses, phishing attacks, and spyware around these Windows Security holes.

This is called a "Zero Day Attack", where the vendor has yet to patch the security hole and there are exploits circulating in the wild. Do not install HELP FILES and follow further breaking news on what to avoid. Finally, some AV Vendors are offering protection as noted in the McAfee examples below. Please update and protect your PC environment.

QUOTE: Because the flaws are in a library used by Windows programs, almost all browsers and e-mail clients are likely affected by the flaws, said Alfred Huger, senior director of engineering at Symantec.

New Windows Security LoadImage & Help Vulnerabilities
http://isc.sans.org//diary.php?date=2004-12-23

The holiday news continues to be bleak, with a pair of critical vulnerabilities for Windows NT/2000/2003/XP. First, unless you're running XP SP2, there is a buffer overflow in the LoadImage API, resulting in bitmaps, icons, and animated cursor data files (.bmp, .cur, .ico, and .ani) that can be exploited via HTML delivered either via email or a website. This vulnerability can be used to execute code. Secondly, there is a heap overflow in winhlp32.exe while processing help files on Windows, including XP SP2, apparently. Try not to install help files until some Tuesday in, we hope, January.

Exploits released for new Windows flaws
http://www.dozleng.com/updates/index.php?showtopic=3383

LoadImage API Integer Buffer overflow
http://vil.nai.com/vil/content/v_130605.htm

This detection covers code attempting to exploit a Microsoft Windows LoadImage API Integer Buffer overflow vulnerability that was announced on December 23, 2004. Reportedly, the vulnerability exists on the following operating systems:

* Windows NT4
* Windows 2000
* Windows XP (SP2 is not vulnerable)
* Windows 2003

Kernel ANI File Parsing Crash Vulnerability
http://vil.nai.com/vil/content/v_130604.htm

This detection covers code attempting to exploit a Microsoft Windows Kernel ANI File Parsing Crash Vulnerability that was announced on December 23, 2004. Reportedly, the vulnerability exists on the following operating systems:

* Windows NT4
* Windows 2000
* Windows XP (SP2 is not vulnerable)
* Windows 2003

PROOF-OF-CONCEPT TESTS & MORE DETAILED INFORMATION

I would encourage everyone to be VERY CAREFUL in selecting links to install or test on their PCs, as these POC tests may crash your PC, requiring a reboot, and you might even lose information you were working on at the time. Please just read the comments.

Windows Issues, original notification
http://www.xfocus.net/flashsky/icoExp/index.html

Bugtraq Discussion
http://www.securityfocus.com/archive/1/385...21/2004-12-27/0
http://www.securityfocus.com/archive/1/385...21/2004-12-27/0
http://www.securityfocus.com/archive/1/385...21/2004-12-27/0

Santy.B - New PHP Variant found in the wild
Santy.b was found "in the wild"
http://www.viruslist.com/en/weblog

December 22, 2004 - New variant of Santy was found some hours ago. We detect it as Net-Worm.Perl.Santy.b.

quote: What is worse, we have discovered a new version of Santy. It seems very likely that some 'script kiddies' have gotten hold of the source code. If this is true, they will create new versions with new features, just like Lovesan. The author of Lovesan is still free, but several co-authors have been arrested, even though they only changed some text strings in the worm's file.

Santy -- PHP BB Worm in-the-wild

The Internet Storm Center just issued this alert:

phpBB Worm (added Dec 21st 12 pm EST)
http://isc.sans.org//diary.php?date=2004-12-21

We just received a number of reports about a new worm that infects web servers running phpBB. Apparently, there is no patch at this point. However, according to viruslist.com, a workaround can be found here:

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

http://vil.nai.com/vil/content/v_130471.htm
http://secunia.com/virus_information/14040/santy.a/
http://www.f-secure.com/v-descs/santy_a.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SANTY.A
http://www.symantec.com/avcenter/venc/data/perl.santy.html

F-Secure's Annual Virus Report for 2004

  F-Secure has developed a comprehensive summary for 2004 virus activity.  The report describes a year of more sophisticated attacks, increased phishing scams, and major events during the past year.

F-Secure's Annual Virus Report for 2004
http://www.f-secure.com/2004/

New XP SP2 Firewall Patch in Windows Update

  Windows XP SP2 users should perform a Windows Update for December as a critical firewall vulnerability is patched by this update.

New XP SP2 Firewall Patch in Windows Update
http://isc.sans.org//diary.php?date=2004-12-15
http://support.microsoft.com/kb/886185

After you set up Microsoft Windows Firewall in Microsoft Windows XP Service Pack 2 (SP2), you may discover that your computer can be accessed by anyone on the Internet when you use a dial-up connection to connect to the Internet.

Microsoft at Home - AN EXCELLENT SECURITY SITE

Protect your computer

http://www.microsoft.com/athome/security/default.mspx

I recommend sharing Microsoft's at Home site with your family and friends. It is an EXCELLENT home user security site: it uses basic terminology and an educational format, and it promotes best practices.

Protect your family

While I've been working with PCs since 1981 and in the security field since 1996, the training I've received helps me stay secure both at home and at work. However, MOST computer users are not IT professionals, including many of our family and friends. This site might be a valuable point of reference and I plan to use it often in the future.

Phishing Scams - A comprehensive Guide from Message Labs

Message Labs provides a comprehensive virus and spam filtering service used by many companies to prevent unwanted documents from reaching corporate email systems. In their November 2004 newsletter, they offer one of the most comprehensive writeups on this subject I've seen. This provides excellent security awareness on this method of attack, which is now a common threat in email messages and hostile web sites.

Comprehensive Article on Phishing

TOPICS COVERED

 Introduction
 Basics of phishing technique
 Theme and variations
 Who falls for the scam?
 Some other telling statistics
 So who picks up the bill?
 From crude con to sophisticated scam
 Virus wars
 The brand profile
 More recent developments
 The money-laundering scam

Zafi.D Worm - Be careful with Holiday E-Cards (HIGH RISK)

The new "D" variant of the Zafi worm family is an advanced email attack using a well-designed social engineering approach. It disguises itself as an e-card, which might be accidentally opened by a lot of folks. McAfee, F-Secure, and other AV vendors have escalated this to HIGH RISK.

Zafi.D Worm - Be careful with Holiday E-Cards (HIGH RISK)
http://vil.nai.com/vil/content/v_130371.htm

This new variant contains the following characteristics:

* contains its own SMTP engine to construct outgoing messages
* spoofs the From: address
* harvests target email addresses from the victim machine
* outgoing email message body is either in Hungarian or English
* displays p2p worm behaviour
* shuts down security services 

http://secunia.com/virus_information/13872/
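Both the Kipis "Happy New Year" mail earlier in this archive and the Zafi.D e-card rely on the same two ingredients: a seasonal subject line and an attachment whose real type is a Windows executable (.SCR, .EXE and friends). The following is an added example, not code from the original post or from any AV vendor: a small mail filter that checks both, including the trick of padding a harmless-looking name with spaces before the real extension. The messages it scans are constructed inline; the extension and keyword lists are this example's own choices.

```python
"""Flag holiday-themed e-mail that carries an executable attachment.

Added example, not code from the original post or any AV vendor. It checks
for a seasonal subject (New Year greeting, e-card) and for attachments whose
real type is a Windows executable such as .SCR, including names padded with
whitespace to hide the extension. The messages are constructed here; the
extension and keyword lists are this example's own choices.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment types Windows runs on double-click (example's choice).
DANGEROUS_EXT = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".hta", ".vbs")
# Seasonal subject words used by e-card style lures (example's choice).
LURE_WORDS = ("happy new year", "e-card", "ecard", "postcard", "greeting", "christmas")


def real_extension(filename):
    """Return the dangerous extension hiding in `filename`, or None.
    Whitespace is removed first so 'card.jpg      .scr' is seen as .scr."""
    collapsed = re.sub(r"\s+", "", filename.lower())
    for ext in DANGEROUS_EXT:
        if collapsed.endswith(ext):
            return ext
    return None


def classify(raw_message):
    """Scan one RFC 822 message (bytes) and return a verdict dict."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", "") or "")
    lure = any(word in subject.lower() for word in LURE_WORDS)
    dangerous = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if real_extension(name):
            dangerous.append(name)
    if dangerous:
        verdict = "quarantine"   # executable attachment, lure or not
    elif lure:
        verdict = "suspicious"   # seasonal lure without an executable
    else:
        verdict = "pass"
    return {"subject": subject, "lure": lure, "dangerous": dangerous, "verdict": verdict}


def build_sample(subject, filename, body="Open the attached card!"):
    """Construct a test message with one attachment (sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "greetings@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ\x90\x00 not a real program", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples: a padded .scr behind a New Year subject, an e-card .exe,
# and a clean message with a text attachment.
NEW_YEAR_SCR = build_sample("Happy New Year!", "card.jpg      .scr")
ECARD_EXE = build_sample("You have received an e-card", "ecard.exe")
CLEAN = build_sample("Meeting notes", "notes.txt", body="See attached.")

if __name__ == "__main__":
    for raw in (NEW_YEAR_SCR, ECARD_EXE, CLEAN):
        print(classify(raw))
```

The attachment check decides on its own; the subject check only raises the verdict for mail that has no executable attached, so a greeting with a harmless attachment is flagged for a look rather than dropped.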

Opera posts a fix for the new injection vulnerabilities affecting most browsers

Opera Software Security Advisory 2004-12-10

Platform: All platforms

Opera security advisory

  • Named frames or windows can be hi-jacked by malicious frames or windows.
  • Periods in the file name and non-breaking spaces in the Content-Type header can make the save/open dialog misleading. A user may be convinced that an executable file is something else, for example a PDF document.
  • Applets have access to sun.* packages
  • Liveconnect: com.opera.EcmascriptObject constructor is accessible to Java
  • Liveconnect reveals the path to the user's home directory. This can make other vulnerabilities easier to exploit.

Severity: Moderate/high

Vulnerable versions of Opera

  • 7.54 and earlier

Opera's response

Security update 7.54u1. 7.54u1 has several security fixes. (Note: Please use the download link on the right hand side of the page.)

  • Tightened origin check for frames. A side effect of this is that documents not passing the origin check will open in a new page.
  • Fixed issue reported by Marc Schönefeld: intrusive JavaScript or Java applet could exploit Sun Java vulnerability to retrieve logged-in user's username and install directory.
  • Fixed LiveConnect class access security issue reported by Jouko Pynnonen.
  • Fixed Secunia issue SA12981, reported by Andreas Sandblad: periods in the file name and non-breaking spaces in content-type header type could obscure the file type.
  • Fixed Secunia issue SA13253: "hi-jacking" a named browser window.
  • Improved support for the "must-revalidate" cache directive.

Secunia: Multiple Browser Injection Vulnerabilities

In personally testing this, ALL 3 BROWSERS FAILED THE TEST (i.e., IE 6 SP1, Mozilla Firefox 1.0, and Opera 7.60 Beta). Hopefully all the vendors are working on this one, as the opportunities for phishing expeditions are certainly possible with this one.

BROWSERS IMPACTED: Netscape 7.x, Konqueror 3.x, Opera 7.x, Safari 1.x, Microsoft Internet Explorer 5.01/5.5/6, Mozilla 0.x, Mozilla 1.0, Mozilla 1.1, Mozilla 1.2, Mozilla 1.3, Mozilla 1.4, Mozilla 1.5, Mozilla 1.6, Mozilla 1.7.x, Mozilla Firefox 0.x, Mozilla Firefox 1.x

The problem is that a website can inject content into another site's window if the target name of the window is known. This can e.g. be exploited by a malicious website to spoof the content of a pop-up window opened on a trusted website.

Solution: Do not browse untrusted sites while browsing trusted sites.


RELATED PRODUCT SITES

Netscape: http://secunia.com/advisories/13402/
Opera:
http://secunia.com/advisories/13253/
Mozilla/Firefox:
http://secunia.com/advisories/13129/
IE: 
http://secunia.com/advisories/13251/
Konqueror:
http://secunia.com/advisories/13254/
Safari:
http://secunia.com/advisories/13252/

Secunia has constructed a test, which can be used to check if your browser is affected by this issue:

http://secunia.com/multiple_browsers_window_injection_vulnerability_test/


Dangerous EMAIL - DANGER there's a 300 foot tall Tsunami approaching

As I was reviewing some of the captured SPAM, this email message (cleaned up of potentially hostile links) caught my eye. Although it looked official, I was suspicious and avoided any temptation to click on the link. As I'm set up with breaking news alerts for viruses and other news events, I still went to cnn.com and usatoday.com just to be sure.

While I captured the text portion of this message, the URL could have posed issues with respect to home page hijackers, spyware, and even the new IFRAME based viruses.  While I was fully patched, I still did not analyze this beyond the initial email shown below.  

FROM:     Tsunami Prediction
EMAIL SUBJECT:  Danger - Tsunami

THIS IS AN OFFICIAL WARNING!

A huge 300 ft. high ocean wave is moving towards your continent.  Your and many other cities are in a real danger. Approximate wave moving speed is 700 km/h.

Please read more about this catastrophe here: 

We are strongly urging you to evacuate yourself and your family as soon as possible, even though you may live far away from your city. The tsunami will reach the continent in approximately FOUR hours.

YOU HAVE BEEN WARNED!  

Windows Server 2003 Active Directory security

  This was a good article - even starts off a little on the controversial side with the QUOTE below:

Windows Server 2003 Active Directory security
http://techrepublic.com.com/5100-6264_11-5437803.html

QUOTE:  If I were to tell you that Windows NT Server 4.0 was a lot more secure than Windows 2000 Server, you would probably think that I had lost my mind. Sometimes, though, truth is stranger than fiction. In some ways, Windows NT Server was more secure than Windows 2000 Server. However, Microsoft learned from their mistakes and implemented a Windows NT-like security structure into Windows Server 2003's Active Directory.

MS04-040: Internet Explorer Cumulative Update (IFRAME FIX)

MS04-040: Internet Explorer Cumulative Update (IFRAME FIX)
http://www.microsoft.com/technet/security/bulletin/MS04-040.mspx

Microsoft Security Bulletin MS04-040
Cumulative Security Update for Internet Explorer (889293)

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should install the update immediately.

Security Update Replacement: This update replaces the update that is included with Microsoft Security Bulletin MS04-038. That update is also a cumulative update.

Caveats: Microsoft Knowledge Base Article 889293 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues.

Technical Description:
----------------------
HTML Elements Vulnerability - CAN-2004-1050: A remote code execution vulnerability exists in Internet Explorer that could allow remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a malicious Web Page that could potentially allow remote code execution if a user visited a malicious Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Spyware Identification and Eradication Links

One of my friends, an outstanding security professional shared a number of excellent links related to identifying and eradicating spyware. 

Inside Spyware: A Guide to Finding, Removing and Preventing Online Pests
http://www.intranetjournal.com/spyware/spyintroprint.html

Symptoms of Spyware and Other Pests
http://www.intranetjournal.com/spyware/symptomspr.html

Pop-Up Advertisements: Ads or Adware?
http://www.intranetjournal.com/spyware/popupspr.html

Identifying Spyware
http://www.intranetjournal.com/spyware/identifypr.html

For a fairly complete list of BHOs and their file names
http://sysinfo.org/bhoinfo.html

Sites to Research Spyware
http://www.intranetjournal.com/spyware/researchpr.html

Spywareguide
http://www.spywareguide.com/

Kephyr
http://www.kephyr.com/spywarescanner/library/index.phtml?source=bassindex

PestPatrol
http://www.pestpatrol.com/pestinfo/#search
   
Spybot Search & Destroy
http://spybot.eon.net.au/en/index.html
   
Counter Exploitation
http://cexx.org/adware.htm
http://doxdesk.com/parasite/

Removing Spyware and Adware from Your Computer
http://www.intranetjournal.com/spyware/removalpr.html

Pestware Prevention
http://www.intranetjournal.com/spyware/preventionpr.html

File-Sharing Applications and Spyware
http://www.intranetjournal.com/spyware/filesharepr.html

Blocking Pop-Up Ads
http://www.intranetjournal.com/spyware/blockpoppr.html

ISPs and Spyware Prevention
http://www.intranetjournal.com/spyware/ispspypr.html

Spyware Prevention Software
http://www.intranetjournal.com/spyware/preventsoftpr.html

More Spyware, Adware and Trojan Resources
http://www.intranetjournal.com/spyware/resourcespr.html