January 2005 - Posts
As noted in the article, only patches certified by Microsoft should be installed; a third-party patch could create issues and conflicts later with future security updates.
Russian Security Firm finds XP SP2 Vulnerable & issues patch
http://www.techweb.com/wire/security/59200229
A little-known Russian security firm claimed Monday that it's spotted vulnerabilities in Microsoft Windows XP SP2, and has taken the unusual step of producing its own patch for the bug.
Researchers at Moscow-based Positive Technologies said that they uncovered the flaws in Windows XP SP2's DEP (Data Execution Mechanism) back in early October, and reported it to Microsoft more than a month ago. When it didn't receive a response, Positive released details of the vulnerability on its Web site, and posted a patch that supposedly temporarily fixes the problem.
http://vil.nai.com/vil/content/v_131355.htm
-- Update January 31st 2005 -- Due to increased prevalence, the risk assessment of this threat has been increased to medium. The 4424 DAT files will be released early to address this threat. In the meantime, the following EXTRA.DAT packages are available.

This is EXCELLENT advice on how to donate to relief and charity organizations online.
Microsoft At-home Security: "Give with Care" and safely
http://www.microsoft.com/athome/security/email/donations.mspx
QUOTE: In times of crisis, people increasingly use the Internet to contribute money quickly to aid organizations such as Red Cross/Red Crescent, Mercy Corps, UNICEF, and many others that provide relief to victims worldwide.
Unfortunately, while it has made donating easier, the Web has also led to an increase in online donation scams that play on our conscience. In our effort to lend aid quickly, many of us set aside our cynicism and become more susceptible to these false solicitations. In addition to conning givers out of their money, donation fraud also takes its toll on legitimate groups, denying them funds for relief efforts and cheating real disaster victims.
TIPS ON HOW TO AVOID ONLINE SCAMS
• Improve your computer's security and use current technology to help block spam.
• Be on guard if you receive an unsolicited e-mail from a charitable organization asking for money. Don't be too quick to click any links or enter any personal information.
• Instead of responding to solicitations, proactively contact well-known and established charity agencies that you or people you trust have used before.
• If you do receive an e-mail request from a charity you'd like to support, go to their Web site or call them personally for verification and to find out how to contribute.
• While online, manually type in the aid organization's address into your Internet browser.
• Double-check the spelling of the organization's Web site, and get in the habit of always looking at the actual Internet address, for example, "http://www.redcross.org" before you continue browsing a Web site. Spoofed Web sites often use deliberate, easily overlooked misspellings to deceive users.
• Be wary of e-mails from strangers or unknown sources, especially those claiming to have attached photos of disaster victims or areas—these attachments could be infected with computer viruses or worse.
• If you provide your credit card number or personal information to a charity-related Web site, make sure current encryption technology is used and that there is a written policy about protecting personal information.
• Keep up to date on the latest online scams through trusted technology news providers, government agencies, and other professional sources.
Almost every variant of the Sober worm has gone to medium risk, so we should watch developments carefully, as it's a highly advanced virus. The social engineering approach used here could cause this virus to spread.
Sober.J - New variant for the watchlist
http://secunia.com/virus_information/15006/sober-j/
http://www.f-secure.com/v-descs/sober_j.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EJ
http://www.sophos.com/virusinfo/analyses/w32soberj.html
FORMAT OF INFECTED EMAIL MESSAGES
Subject: I've got YOUR email on my account!!
Body: Hello, First, Sorry for my very bad English! Someone send your private mails on my email account! I think it's an Mail-Provider or SMTP error. Normally, I delete such emails immediately, but in the mail-text is a name & adress. I think it's your name and adress. The sender of this mails is in the text file, too. In the last 8 days i've got 7 mails in my mail-box, but the recipient are you, not me. lol OK, I've copied all email text in the Windows Text-Editor and i've zipped the text file with WinZip.
Attachment: email_text.zip
http://www.symantec.com/avcenter/venc/data/vbs.gormlez@mm.html
VBS.Gormlez@mm is a mass-mailing worm that sends a copy of itself to all email addresses in the Windows Address Book and attempts to spread through file-sharing networks. The worm deletes files with a .dll, .vbs, .exe, or .wsh extension.
EMAIL FORMAT:
Subject: Re: Hello
Message Body: Hey There :-)
Attachment: Hello.vbs
Message after infection:
Shutdown.vbs, Version 1.00
VBS.G0mez Is here :-p
Usage: CSCRIPT SHUTDOWN.VBS [ computer_name ]
!!!"!!!" SHUTDOWN!
G0mez will now shutdown the computer! :-)
hehehe

A highly critical proof-of-concept (POC) exploit has been released that can compromise Windows security through a malicious media file. Please update to Winamp 5.08c. This process worked well for me in upgrading from 5.07.
Winamp 5.08c - Security Update for New Critical Exploit
http://secunia.com/advisories/13781/
Winamp 5.08c - Security Update
http://www.winamp.com/player/
Apple OS X Security Update 2005-001 is now available:
http://docs.info.apple.com/article.html?artnum=300770
http://docs.info.apple.com/article.html?artnum=106704
Security Update 2005-001
* at commands - local privilege escalation
* ColorSync - heap overflow through malformed input files fixed
* libxml2 - potentially exploitable buffer overflows
* Mail - strange one: CAN-2005-0127: Message-ID info leak
* PHP - multiple known vulnerabilities
* Safari - pop-ups (when not blocked) can mislead users
* SquirrelMail - cross-site scripting vulnerability fixed
Three new Bagle variants are circulating in the wild and they are all very closely related. They are in essence the same virus repackaged with different compression algorithms to bypass AV scanners. Avoid all attachments in email, especially suspicious ones.
http://secunia.com/virus_information/12174/beagle.ba/
http://vil.nai.com/vil/content/v_131353.htm
http://www.sarc.com/avcenter/venc/data/w32.beagle.ba@mm.html
http://www.f-secure.com/v-descs/bagle_ba.shtml
This variant is a repacked version of the W32/Bagle.bk@MM variant. It arrives in emails with variable subjects and attachments, has peer-to-peer spreading capabilities and contains a backdoor that listens on TCP port 81.
This is a mass-mailing worm with the following characteristics:
* contains its own SMTP engine to construct outgoing messages
* harvests email addresses from the victim machine
* the From: address of messages is spoofed
* contains a remote access component (notification is sent to hacker)
* copies itself to folders that have the phrase "shar" in the name (such as the shared folders of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)
EMAIL FORMAT BELOW:
From : (address is spoofed)
Subject :
* Delivery service mail
* Delivery by mail
* Registration is accepted
* Is delivered mail
* You are made active
Body Text:
* Thanks for use of our software.
* Before use read the help
Attachment: (may be one of the following, with an extension of .exe, .scr, .com, or .cpl)
* wsd01
* viupd02
* siupd02
* guupd02
* zupd02
* upd02
* Jol03
http://www.f-secure.com/weblog/
Today we published a new disinfection tool for Symbian Series 60 phones that is capable of disinfecting SymbOS/Skulls trojan variants from a phone, even if the user has rebooted the phone.
Previously, disinfecting a Skulls-infected phone was difficult if not impossible, especially with later variants that killed popular file managers. Basically the only way to disinfect the phone was to use the Epocware PC file manager, which unfortunately did not work with most phones, or to reformat the phone, which of course destroyed all data on the phone.
F-Skulls FTP Link to Download Free Phone Cleaning Tool
This tool is able to disinfect a phone even if Skulls has locked the phone completely. The disinfection is done by installing F-Skulls onto a memory card using a clean phone, then inserting the card with F-Skulls into the infected phone and booting; during boot-up, F-Skulls frees the critical system files so that the user can access the menu again and install an anti-virus for full disinfection.
So the disinfection still requires the help of a clean phone, but it is much preferable to having to reformat the phone.
Charter: The SpywareManagement forum provides an area dedicated to the discussion of spyware management topics. This forum discusses the how-to's and why's of security spyware management across a broad spectrum of Operating Systems, Applications, and Network Devices. This forum is meant as an aid to network and systems administrators and security professionals who are responsible for maintaining the security posture of their hosts and applications.
SpywareManagement.org is hosted by Shavlik Technologies, LLC.
An update of the new MySQL Bot attack:
http://isc.sans.org//diary.php?date=2005-01-27
MySQL Bot
A "bot", exploiting vulnerable MySQL installs on Windows systems, has been spotted. It has infected a few thousand systems so far. As is typical for bots, infected systems will connect to an IRC server. The IRC server will instruct them to scan various networks for other vulnerable MySQL servers.
http://forums.mcafeehelp.com/viewtopic.php?t=40098
Secunia and McAfee have escalated this to MEDIUM RISK
-- Update 27th January 2005 12:50 PST -- Due to increased prevalence the risk assessment of this threat has been raised to medium. The 4423 DATs have been released early to address this threat.
Analysis is underway by security and AV firms, as this is early information. The key protective measure is to lock down port 3306:
New MySQL Internet Worm - Spoolcll.exe
http://isc.sans.org//diary.php?date=2005-01-26
http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=3
We have reports about a possible MySQL worm. Right now, it appears to be hunting for Windows systems running MySQL. We have no details so far, and would greatly appreciate input (in particular code samples). We do observe a significant rise in port 3306 scanning, which is likely caused by infected systems. The worm creates a file called 'Spoolcll.exe' and has so far been named 'MySpooler'.
You should not expose any MySQL servers to unsolicited connections. If you run MySQL, make sure you block port 3306. MySQL can run without networking enabled, as long as you only connect to it from the local host (e.g. if a web server and MySQL run on the same system, which is common for small websites). In order to turn off networking, start MySQL with the --skip-networking option. You will however need networking if you use replication.
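Two checks that follow from the advice above, written as an added example (not code from the ISC diary, McAfee, or this blog): the first counts how many distinct hosts each source probes on TCP/3306 in constructed iptables-style log lines, which separates a sweeping worm from a legitimate client, and the second verifies that a my.cnf fragment actually carries skip-networking under [mysqld]. The log lines, addresses, config fragments and the LINE_RE pattern are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed iptables-style log lines (not real data): one host sweeps four
# addresses on TCP/3306 while two other hosts make single ordinary connections.
SAMPLE_LOG = """\
Jan 26 10:01:02 gw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=4411 DPT=3306 SYN
Jan 26 10:01:02 gw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.11 PROTO=TCP SPT=4412 DPT=3306 SYN
Jan 26 10:01:03 gw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.12 PROTO=TCP SPT=4413 DPT=3306 SYN
Jan 26 10:01:03 gw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.13 PROTO=TCP SPT=4414 DPT=3306 SYN
Jan 26 10:01:04 gw kernel: IN=eth0 SRC=192.0.2.5 DST=203.0.113.10 PROTO=TCP SPT=50123 DPT=80 SYN
Jan 26 10:01:05 gw kernel: IN=eth0 SRC=192.0.2.9 DST=203.0.113.10 PROTO=TCP SPT=50124 DPT=3306 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def mysql_scanners(log_text, port=3306, min_targets=3):
    """Map each source to the distinct hosts it probed on `port`, and keep only
    sources that touched at least `min_targets` of them: a single client talks
    to one database, a worm sweeps a range."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dpt")) == port:
            seen[m.group("src")].add(m.group("dst"))
    return {src: sorted(dsts) for src, dsts in seen.items() if len(dsts) >= min_targets}

# Constructed my.cnf fragments: the first still listens on 3306, the second
# applies the advisory's skip-networking option under [mysqld].
CNF_EXPOSED = "[mysqld]\ndatadir=/var/lib/mysql\n[client]\nport=3306\n"
CNF_LOCKED = "[mysqld]\ndatadir=/var/lib/mysql\nskip-networking   # local socket only\n"

def networking_disabled(my_cnf_text):
    """True when the [mysqld] section sets skip-networking (or skip_networking),
    meaning the server never opens TCP/3306 and needs no firewall rule for it."""
    in_mysqld = False
    for raw in my_cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if line.startswith("[") and line.endswith("]"):
            in_mysqld = line.lower() == "[mysqld]"
            continue
        key = line.split("=", 1)[0].strip().lower().replace("_", "-")
        if in_mysqld and key == "skip-networking":
            return True
    return False
```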
This new variant is beginning to spread in the wild
W32/Bagle.BJ - New variant in the wild
http://vil.nai.com/vil/content/v_131351.htm
http://www.f-secure.com/weblog/#00000450
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2EAY
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.ay@mm.html
Virus Characteristics:
* contains its own SMTP engine to construct outgoing messages
* harvests email addresses from the victim machine
* the From: address of messages is spoofed
* contains a remote access component (notification is sent to hacker)
* copies itself to folders that have the phrase "shar" in the name (such as the shared folders of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)
EMAIL MESSAGE FORMAT
From : (address is spoofed)
Subject :
* Delivery service mail
* Delivery by mail
* Registration is accepted
* Is delivered mail
* You are made active
Body Text:
* Thanks for use of our software.
* Before use read the help
Attachment: (may be one of the following, with an extension of .exe, .scr, .com, or .cpl)
* wsd01
* viupd02
* siupd02
* guupd02
* zupd02
* upd02
* Jol03
Juniper Routers -- Critical Vulnerability needs patching ASAP
http://isc.sans.org//diary.php?date=2005-01-26
There's a new vulnerability against Juniper routers that needs patching RIGHT NOW. Patrick Nolan has compiled some feedback and advice on managing X Windows security issues. Also, work has started on creating the 2005 Critical Threats list. If you are interested in participating in that work, see the details below. New Juniper Vulnerability: We've got a new vulnerability that has been rumored for a while but is now public.
CERT Security Advisory
http://www.kb.cert.org/vuls/id/409555
"This vulnerability could be exploited either by a directly attached neighboring device or by a remote attacker that can deliver certain packets to the router. Routers running vulnerable JUNOS software are susceptible regardless of the router's configuration. It is not possible to use firewall filters to protect vulnerable routers. This vulnerability is specific to Juniper Networks routers running JUNOS software. Routers that do not run JUNOS software are not susceptible to this vulnerability."
Steve Friedl, Microsoft MVP, developed an awesome and highly detailed article on how SQL injection attacks work. DBAs and system administrators need to be on the latest and greatest service packs and security updates for SQL Server and other RDBMSs.
Excellent Article: SQL Injection Attacks by Example
http://www.unixwiz.net/techtips/sql-injection.html
SQL Injection is caused by unverified/unsanitized user input, and its main idea is to convince the application to run SQL code that it was not intended to run. If the application is creating SQL strings natively, i.e. on the fly, and then running them, it's straightforward to create some real surprises. There have been other papers on SQL injection, including some that are much more detailed, but this one shows the rationale of discovery as much as the process of exploitation.
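To make the article's point concrete, here is an added example (not from the article, its author, or this blog) that runs the same lookup twice against a constructed in-memory SQLite table: once building the SQL string on the fly, as the vulnerable application does, and once with input validation plus a bound parameter. The members table, its rows and the EMAIL_RE allow-list are assumptions for the example.

```python
import re
import sqlite3

def make_db():
    """In-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (email TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)",
                     [("alice@example.com", "s3cret"), ("bob@example.com", "hunter2")])
    return conn

def lookup_vulnerable(conn, email):
    """Builds the statement 'on the fly' from raw user input, the pattern the
    article describes: a quote inside `email` ends the literal early and the
    rest is parsed as SQL, so a tautology such as x' OR 'a'='a returns every row."""
    sql = "SELECT email FROM members WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]

# Allow-list for the one input this lookup accepts (assumed shape for the example).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$")

def lookup_hardened(conn, email):
    """Rejects input that is not shaped like an address, then passes it as a
    bound parameter so the database compares it literally instead of parsing it.
    The parameter alone closes the injection; the allow-list is defence in depth."""
    if not EMAIL_RE.match(email):
        return []
    rows = conn.execute("SELECT email FROM members WHERE email = ?", (email,))
    return [row[0] for row in rows]
```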
Any new variant of MyDoom is worth watching as it's one of the most advanced viruses out there:
New MyDoom.AM - new variant
http://secunia.com/virus_information/14818/mydoom.av/
http://vil.nai.com/vil/content/v_131207.htm
http://www.sarc.com/avcenter/venc/data/w32.mydoom.am@mm.html
http://www.f-secure.com/v-descs/mydoom_am.shtml
http://www.sophos.com/virusinfo/analyses/w32mydoomam.html
W32.Mydoom.AM@mm is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses it finds on the compromised computer. The worm also propagates through file-sharing networks. W32.Mydoom.AM@mm is a minor variant of W32.Mydoom.AG@mm. It disables antivirus and firewall applications, and blocks access to security-related Web sites.
This variant bears the following characteristics:
* mails itself to target email addresses harvested from the victim machine
* constructs outgoing messages using its own SMTP engine
* spoofs the From: address on outgoing messages
* attempts to propagate through popular P2P networks by copying itself with enticing filenames
* terminates various processes (AV and security related)
* modifies the local HOSTS file to disable the updating of security products
Symptoms
* Existence of the files and Registry keys detailed here.
* Copies of the worm with the enticing filenames used for P2P propagation.
* Local HOSTS file overwritten as detailed here.
* When run, a garbage text file is opened and displayed in Notepad
* the worm will remove Registry key data for other worms from the Registry
Subject of email: Varies (see below)
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip file extension.
Size of attachment: 32,768 bytes
Possible EMAIL Subject Lines
* Good day
* Do not reply to this email
* hello
* Mail Delivery System
* Attention!!!
* Mail Transaction Failed
* Server Report
* Status
* Error