March 2005 - Posts
This worm uses email and P2P techniques to spread. It also has backdoor capabilities, allowing remote users to access and perform malicious tasks on affected machines. It can also prevent affected users from accessing certain antivirus and security Web sites by modifying the HOSTS file. Microsoft never distributes security updates by email.
KRYNOS.B worm - appears as a Microsoft Security update - Select Links Below:
Secunia Information on Krynos B
EMAIL FORMAT USED
Subject: Microsoft Security Update
* "Vulnerability in Windows Explorer Could Allow Remote Code Execution (612827)"
* Impact of Vulnerability: Remote Code Execution
* Importance: High
* Maximum Severity Rating: Critical
* Recommendation: Customers should apply the attached update at the earliest opportunity
* Who should read this document: Customers who use Microsoft Windows
* X-Mailer: Secure Microsoft Client, Build 2.1
* X-MimeOLE: Produced By Secure Microsoft Client V2.1
* X-MSMail-Priority: High
* X-Priority: 1 (Highest)
This worm has the following backdoor capabilities:
* Get, upload, download, or delete a file
* List files in a folder
* Disconnect current user
* Restart the system
* Run a program
* Create or delete a folder
Here's a brand new virus variant that disguises itself as an SP2 update. Reading over the technical description, this one will give someone good training in the use of REGEDIT, if they have to clean an infected PC.
Subject of email: Microsoft SP2 Update Urgent Download It
Name of attachment: SP2 UPDATE.EXE
Click Here for Latest HIPAA Guidelines
Special Publication 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, March 2005
Adobe .pdf (1,725 KB)
Zipped .pdf file (1,378 KB)
W32.Mytob.M@mm is a mass-mailing worm with back door capabilities. The worm uses its own SMTP engine to send email to addresses that it gathers from the compromised computer. The worm also spreads by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow, as described in Microsoft Security Bulletin MS04-011
EMAIL MESSAGES TO BLOCK OR AVOID
Subject: One of the following:
Mail Delivery System
Mail Transaction Failed
Message: One of the following:
Here are your banks documents.
The original message was included as an attachments.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
Attachment: One of the following:
with one of the following extensions:
Users should upgrade to the latest version. I use Firfox 1.0.2 as a complementary browser on all my Windows systems. For the 1st time I experimented with the new upgrade feature and it worked in an accurate manner (although I don't have special themes or extensions installed). The clean installation technique is also noted in the link at the bottom.
Mozilla releases security updates for browser & email products
Mark Dowd of the ISS X-Force discovered a GIF library overflow condition that could be used to execute arbitrary code with the rights of the browser or mail client process. Mozilla Foundation software makes use of a common image library to render GIF images. This library contains a buffer overflow vulnerability when processing a Netscape-specific extension block in GIF images.
Exploitation of this buffer overflow can lead to remote compromise of affected machines with minimal user-interaction. In order to exploit this vulnerability, an attacker would be required to induce the victim to view a web page or email message containing a maliciously-crafted GIF image." Firefox 1.0.2, Thunderbird 1.0.2, and Mozilla Suite 1.7.6 address this and two other less serious bugs.
Downloads Available at:
More details and installation techniques for Firefox 1.0.2
The ISC suggests that companies fomulate policies on log files retention to meet various legal requirements like Sarbanes-Oxley, HIPAA, and other needs. This could require storing seven years of detailed log file history (but hopefully using a compressed format and DLT tape backups in an organized manner.).
Its a good idea to develop a log retention policy for your site. This should include what type of information is stored; for how long; online vs offline; and whether the data is confidential. A good starting point would be to store compressed copies of your audit logs (syslog or event logs), firewall logs (network or host), and IDS logs (alert logs at a minimum. full packet trace retention would depend on the needs and requirements of your site) for at least 60 days.
A few of the legal requirements highlighted:
The Health Insurance Portability and Accountability Act (HIPAA) - Affects healthcare industry. Logs should be retained up to 6 years.
National Industrial Security Program Operating Manual (NISPOM) - Specifies log retention of at least one year.
The Sarbanes-Oxley Act (SOX) - Affects US Corporations. Specifies retaining audit logs for up to seven years.
VISA Cardholder Information Security Program (CISP) - Specifies retaining audit logs for at least six months.
"McAfee urges all customers to verify that they have installed and deployed the 4436 DAT [or higher] and/or the 4400 Scan Engine." While DAT file 4436 will detect the vulnerability if it occurs in-the-wild, it is better to permanently patch this security exposure by moving to Scan engine 4400.
McAfee AV LHA Vulnerability - Upgrade to Engine 4400 & latest DATs
McAfee Virus Scan vulnerability for archievd files
A vulnerability for McAfee's Virus has been discovered when can be triggered by scanning a specially crafted archieved file. This can be corrected by using the latest DAT files and engine.
McAfee AntiVirus Library Stack Overflow
The ISS X-Force has another notch in their belt today, releasing information about a flaw they have discovered in AntiVirus Library versions prior to 4400. To exploit this vulnerability, an attacker is required to craft a custom LHA Archive file which will allow the attacker to run arbitrary code on the McAfee protected system when the file is scanned for viruses.
Boston College did the responsible thing of warning all graduates on their data base even though they are not certain on the extent of accounts accessed.
BOSTON - Boston College officials have warned 120,000 alumni that their personal information may have been stolen when an intruder hacked into a school computer containing the addresses and Social Security numbers of BC graduates.
Officials don't believe the hacker accessed the personal information, but instead planted a program that could be used to launch attacks on other machines. Still, amid rising concerns about identity theft, the school sent letters to its alumni. "As a precaution we have chosen to alert the entire database," Dunn said of the letters sent last Friday.
A web beacon is typically a hidden image (usually 1x1 pixels) placed on a website to capture customer data. It allows the site to capture the actions of the user, as they process pages on a site containing the beacon. Most sites use beacons responsibly to capture general marketing or site visitation statistics. Still, on a questionable site there is always the opportunity for someone to misue this information.
What are Web Beacons?
Why are they invisible images?
How do Web Beacons work?
Why do websites use Web Beacons?
Can I opt out of Web Beacons?
The Internet Storm center reports that a highly automated home page hijacking attack is occurring on vulnerable servers and workstations using MS05-001 and MS05-002 exploits. A Google search this morning notes that the 7sir7 hacker site is shutdown but affected PCs would still attempt to go there.
Entire web farms hacked to serve up the 7sir7 redirect http://isc.sans.org//diary.php?date=2005-03-13
We have received reports and evidence that a number of companies that provide shared hosting web servers have had their servers exploited and all of the customer homepages modified so that visitors are attacked. In one case, a Perl script was used to modify each customers homepage with the additional IFRAME snippet that fellow handler Lorna had already reported in the diary two days ago. The Perl script reads in the web server configuration (httpd.conf) on a compromised server, and then appends the malicious iframe code to all the index.html pages of all the virtual hosts available on this server. The same reader who managed to isolate this script has also contributed a script written by himself to clean up the affected pages. If you shout loud enough, we might include it in tomorrow's diary :-)
The page at 7sir7 is making use of several recent vulnerabilities in order to download and install malware on the PC of whoever visits the site.
- Exploits the .ANI cursor vulnerability (MS05-002)
- Exploits the HTML Help Cross Domain Vulnerability (MS05-001)
If successful, the exploits drop either of two files "mhh.exe" or "sr.exe", both of which so far are only recognized by Kaspersky and called (not-a-virus: AdWare.ToolBar.SearchIt.h). The files have been submitted to the other AV vendors
The following were the most widely used AV products based on Frost & Sullivan's research from 2004
Top 10 Anti-Virus products in 2004:
1. Symantec 38.1%
2. NAI 21.2%
3. Trend Micro 15.2%
4. Sophos 3.6
5. Computer Associates 3.4%
6. Sybari 2.1%
7. Panda 1.9%
8. F-Secure 1.4%
9. Kaspersky 1.0%
Trend shares a preliminary report of a new email worm designed to trick users by pretending to be a non-delivery error message of an earlier email that they may have sent out. Users should always be careful with these types of attachments.
CHOD.A email worm - uses non-delivery text to trick users
FORMAT OF EMAIL TO BLOCK OR AVOID
Subject: (any of the following)
• Your computer may have been infected
• Warning - you have been infected!
Message Body: (any of the following)
• Your computer may have been infected Warning - you have been infected!
• Your message was undeliverable due to the following reason(s):
Your message could not be delivered because the destination server was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.
Your original message has been attached.
Attachment: (any of the following)
Similar to the Choicepoint.com data theft last month, Lexis Nexis is an information management company that experienced a recent security breach. This second major incident impacts 32,000 US citizens, as highly sensitive and entrusted personal information was obtained by hackers.
Quotes: NEW YORK — Using misappropriated passwords and identifications from legitimate customers, intruders got access to personal information on as many as 32,000 U.S. citizens in a database owned by Lexis-Nexis, the company's corporate parent said today.
U.S. federal and company investigators were looking into the breach at Seisint, which was recently acquired by Lexis Nexis and includes millions of personal files for use by such customers as police and legal professionals. And the FBI and the Secret Service are both investigating the breach.
Information accessed included names, addresses, Social Security and driver's licence numbers, but not credit history, medical records or financial information, corporate parent Reed Elsevier Group PLC said in a statement.
Windows 98 and ME are legacy Operating Systems which are being maintained on extended support by Microsoft Security. Security releases for 98 and ME will generally follow the security updates made for XP and 2000.
Several critical updates for calendar year 2005 are now available through the Windows Update process for 98 and ME. In updating one of our home PCs, six critical updates were applied and everything is working well so far.
Windows 98 and ME Security updates available under Windows Update
Windows Update Link for 98 and ME
This article by Roberta Bragg is excellent and creates an awareness of the need to protect these devices and the information that is stored within them.
Protect Your PDAs, PDQ!
February 2003 • by Roberta Bragg
You know about security for networks and laptops. But what about security for hand-helds? What? You don't have a plan?
Quote: Sometimes you want people to look at your stuff; sometimes you don’t. When you’re trying to sell something, you want people to read about your wares. If you have secrets, though, you want to keep them. But there are also times you might allow strangers a closer look—for instance, allowing bag inspection at the airport or financial inspection by the IRS. Even though you may not want to expose things considered private, the law may force your hand.
Topics covered include:
* Physical Protection
* Access Control
* Protection from Malicious Code
* On-board Data Protection
* Data Transfer/Connection Protection
* Synching, Wireless Data Connections
* External Connections and Protecting Data in Flight
* Usage Definitions and Data Decisions
* Awareness Training
Below is a recent discovery that can further improve your Internet privacy if you use Yahoo's free email services.
LINKS on how web beacons work
quote: Yahoo is using something called "Web beacons" or a "super cookie" that tracks not only where its users go on the Yahoo network but also tracks where they go outside of the Yahoo network using a persistent file on the hard drive. Note that you have to have a Yahoo account to be tracked. If you want to opt-out of this tracking, log in to your Yahoo account, then go to privacy yahoo.com/privacy.
STEPS TO OPT-OUT OF THE "WEB BEACONS" TRACKING FACILITY
1. Make sure you are signed on to your Yahoo account.
2. Go to this site to start this process
3. Find the "Cookies" Information section on Yahoo's Privacy Page and then locate this specific bullet point that discusses web beacons:
* Yahoo! uses web beacons to access Yahoo! cookies inside and outside our network of web sites and in connection with Yahoo! products and services.
4. Click on the web beacons link (as noted in bold above):
5. On the web beacons information page, find this paragraph:
When conducting research Yahoo!'s practice is to require our partners to disclose the presence of these web beacons on their pages in their privacy policies and state what choices are available to users regarding the collection and use of this information. You may choose to opt-out of Yahoo! using this information for this research. Please click here to opt-out.
6. Click on the Opt-out link (as noted in bold above)
7. After clicking on the link, you are done. You'll see the following confirmation for the opt-out process:.
quote: You have opted out successfully. If you would like to cancel your opt-out request, you may do so by clicking the button below
8. Please do not click on the button shown on this page or you'll opt back into using web beacons.
9. I would then suggest deleting all cookies, or at least signing off and signing back on again with your Yahoo email account. If you use multiple browsers, clear the cookies out in each one.
10. If you have more than one Yahoo account, repeat this process for each specific account.
Yesterday was a busy day for virus and system administrators in applying protection to their servers and desktops. Please continue to be careful with email and Instant Messaging. The escalation of 4 different new viruses to Medium risk in a single day is unusual and hopefully today things will settle down.
Below are links for all of the Medium Risk worms from yesterday:
Kelvir.B -- New Messenger worm
SpyBot.AUK - dropped by Kelvir and can spread in an unpatched network
Crog/Fatso - Another MEDIUM RISK IM worm (contains inappropriate content)
Sober.L - New EMAIL worm (zip attachments)
Secunia has just declared MEDIUM RISK on Kelvir.B and Symantec also shows a high prevelance of this worm. The Spybot version dropped as a part of a "two-in-one" virus is more damaging than the Kelvir worm in an unpatched corporate network. KELVIR.B -- MSN Messenger worm MEDIUM RISK http://secunia.com/virus_information/16006/
Other AV Vendors may use http://secunia.com/virus_information/15994/ http://secunia.com/virus_information/16014/
W32.Kelvir.B is a worm that spreads through Windows Messenger and MSN Messenger and attempts to download and execute a variant of W32.Spybot.Worm.
This is good news for administrators, as they get a well deserved rest, after the extensive round of updates applied during February. While there are no security updates scheduled in March, it is important to be completely up-to-date on Microsoft security patches; due to several important critical bulletins issued in February.
"On March 8th, 2005 the Microsoft Security Response Center is planning to release no new security bulletins"
Microsoft Security Bulletins - No Updates for March 2005
More Posts Next page »