Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

October 2005 - Posts

phpBB 2.0.18 - Special Halloween release has security improvements

Forum administrators should move to the latest version of phpBB, as security improvements continue to be made to this highly flexible and functional environment.

http://www.phpbb.com/phpBB/viewtopic.php?t=336756

The phpBB Group is pleased to announce the release of phpBB 2.0.18, "The Halloween Special" release.  This is a major update to the 2.0.x codebase and includes fixes for numerous bugs reported by users to our Bug Tracker, as well as updates to those issues identified by the recent security audit of the code and a couple of security issues reported to us. In addition we have backported a further feature from our "Olympus" codebase to change the way automatic logins are handled.

New AIM worm carries Windows Rootkit

I don't think this one is widespread, but based on the stealth-like nature of rootkits, it's probably both difficult to detect and remove.

http://news.zdnet.com/2100-1009_22-5920403.html

A worm found spreading via America Online's Instant Messenger is carrying a nastier punch than usual, a security company has warned.  The unnamed worm delivers a cocktail of unwanted software, including a so-called rootkit, security experts at FaceTime Communications said Friday. A rootkit is a tool designed to go undetected by the security software used to lock down control of a computer after an initial hack.

Article: Oracle password system comes under fire

Database administrators should watch for further developments, as this weakness will most likely be corrected in the future.

Article: Oracle password system comes under fire

QUOTE: Attackers could easily uncover Oracle database users' passwords because of a weak protection mechanism, putting corporate data at risk of exposure, experts have warned.

The technique Oracle uses to store and encrypt user passwords doesn't provide sufficient security, said Joshua Wright of the SANS Institute and Carlos Sid of Royal Holloway college, University of London.

Microsoft documents security improvements planned for IE 7

As noted in this Tech Republic Article, Internet Explorer version 7 will support a more robust protocol for encrypting user data and securing online transactions.

http://blogs.msdn.com/ie/archive/2005/10/22/483795.aspx

QUOTE:  In a posting on the Microsoft Internet Explorer blog, IE program manager Eric Lawrence said that IE7 would support the Transport Layer Security (TLS) protocol by default. 

Lawrence also explained how IE7 will behave differently from earlier versions when it encounters potential security problems.

"Whenever IE6 encountered a problem with a HTTPS-delivered Web page, the user was informed via a modal dialog box and was asked to make a security decision. IE7 follows the XPSP2 'secure by default' paradigm by defaulting to the secure behavior," said Lawrence.

IE7 will not give users the option of seeing both secure and insecure items within an HTTPS page. With IE6, this option appears when the browser encounters an HTTPS page that includes some HTTP content. But in IE7, only the secure content will be rendered by default, forcing the user to choose to access the rest via the information bar.

"This is an important change because very few users (or web developers) fully understand the security risks of rendering HTTP-delivered content within a HTTPS page," Lawrence claimed.

Virkel.A - New sophisticated Instant Messaging virus

This new Instant Messenger (IM) threat should be closely watched, as it contains a security backdoor and other sophisticated capabilities.

http://secunia.com/virus_information/22890/virkel.a/

Virkel is a backdoor with IM (Instant Messenger) spreading capabilities. It was first found on October 26th, 2005. The backdoor can provide a hacker with information about a system, work as a proxy, update itself, perform a Denial of Service (DoS) attack, open remote shell, download files. It also kills processes of anti-virus and security software and blocks access to many different sites that belong to anti-virus and security software vendors.

Windows XP Security Guide - New 2.1 version released

Microsoft TechNet

Microsoft has just updated the Windows XP security guide and this free resource can be found through the following link:

Windows XP Security Guide

Any IT environment is only as secure as its weakest link. Unfortunately, client operating systems are often overlooked during security projects. As your organization plans to implement Microsoft® Windows® XP Professional with Service Pack 2 (SP2), ensure that security is an integral part of your deployment plans.

Although the default installation of Windows XP is quite secure, it is important to remember the trade-offs that exist between security, usability, and functionality of the client computers in your environment. A thorough understanding of these trade-offs places your organization in a position to maximize the security of your Windows XP deployment.

The guide provides specific recommendations about how to harden computers that run Windows XP with SP2 in three distinct environments:

Enterprise Client (EC). Client computers in this environment are located in an Active Directory® directory service domain and only need to communicate with systems that run Windows 2000 or later versions of the Windows operating system.

Stand-Alone (SA). Client computers in this environment are not members of an Active Directory domain and may need to communicate with systems that run Windows NT® 4.0.

Specialized Security – Limited Functionality (SSLF). Concern for security in this environment is so great that a significant loss of functionality and manageability is acceptable. For example, military and intelligence agency computers operate in this type of environment.

MS05-047: Two new exploits developed from MS October security bulletins

Two more exploits have been developed as malicious individuals reverse engineer the patch changes and discover code weaknesses in unpatched systems. These new potential attacks are based on the MS05-047 Microsoft Security Bulletin issued in October. It's always a best practice to patch as soon as Microsoft performs a release, which is usually the second Tuesday of each month.

2005-10-24 : Microsoft Windows Plug and Play "Umpnpmgr.dll" DoS Exploit (MS05-047)

2005-10-21 : Microsoft Windows Plug and Play "Umpnpmgr.dll" Remote Exploit (MS05-047)

MS05-039 -- Mocbot IRC Worm in the wild

A new attack based on August's security bulletin MS05-039 surfaced overnight. This new threat remains at low risk currently. This was initially reported as an MS05-047 exploit, but after further analysis McAfee has confirmed that while MS05-047 code was present, the MS05-039 exploit was used as the key method to infect unpatched PCs.

MS05-039 -- Mocbot IRC Worm in the wild
http://secunia.com/virus_information/22746/irc-mocbot/
http://www.f-secure.com/v-descs/mocbot.shtml
http://vil.nai.com/vil/content/v_136637.htm

This botnet client was spread using the MS05-039 vulnerability in October 2005. This trojan installs itself in the WINDOWS SYSTEM directory as wudpcom.exe. It creates a service called "wudpcom". Once instructed, the bot scans the class A subnet addresses, sending SYN packets via TCP 139 (netbios), and 445 (microsoft-ds).

SYMPTOMS
1. Heavy netbios and microsoft-ds network traffic
2. Presence of the file wudpcom.exe in the WINDOWS SYSTEM directory
3. TCP 18067 connections to hostile websites


-- AVERT / McAfee Update Oct 23, 2005 -- After further analysis, AVERT has confirmed that this threat does not exploit MS05-047, but rather MS05-039. Initial analysis suggested the MS05-047 was being exploited due to similarities between those exploits (including overlapping code between publicly available source code), field infection reports where administrators incorrectly stated that machines were patched from MS05-039, and similarities between an earlier MS05-039 exploiting bot, where the only significant change was the exploit code being used.

Additionally, AVERT has confirmed that automated propagation has/had been configured on remote IRC servers, such that infected systems that are able to connect to the remote IRC server are immediately instructed to seek out vulnerable systems to infect them. This threat exploits the MS05-039 Microsoft Windows vulnerability.
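The three symptoms listed above can be turned into a simple triage script. The following is an added example (not code from the blog or from McAfee) that scores constructed firewall log lines for the 139/445 SYN sweep and the outbound TCP 18067 connections, and checks a host's system-directory listing and service list for wudpcom.exe and the "wudpcom" service; the log line format is an assumption.

```python
import re
from collections import defaultdict

# Indicators taken from the Mocbot description above.
SCAN_PORTS = {139, 445}   # netbios-ssn / microsoft-ds SYN sweep
C2_PORT = 18067           # outbound connections to hostile sites
BOT_FILE, BOT_SERVICE = "wudpcom.exe", "wudpcom"

# Assumed (hypothetical) firewall log format, one connection attempt per line:
#   SRC=<ip> DST=<ip> PROTO=TCP DPT=<port> FLAGS=<tcp flags>
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+) FLAGS=(\S+)")


def build_sample_log():
    """Constructed log lines (not a real capture): one host sweeping a /24 on
    445 and phoning home on 18067, plus a clean workstation using a file server."""
    lines = [f"SRC=10.1.1.5 DST=10.0.0.{i} PROTO=TCP DPT=445 FLAGS=SYN"
             for i in range(1, 31)]
    lines.append("SRC=10.1.1.5 DST=203.0.113.7 PROTO=TCP DPT=18067 FLAGS=SYN")
    lines.append("SRC=10.1.1.9 DST=10.0.0.20 PROTO=TCP DPT=445 FLAGS=SYN")
    lines.append("SRC=10.1.1.9 DST=10.0.0.20 PROTO=TCP DPT=445 FLAGS=ACK")
    return "\n".join(lines)


def parse_log(log):
    """Yield (src, dst, dport, flags) for every line matching the format."""
    for m in (LINE_RE.search(line) for line in log.splitlines()):
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), m.group(4)


def triage_network(log, sweep_threshold=20):
    """Map each source IP to the Mocbot-like behaviours seen in the log.
    One SYN to a file server is normal; SYNs to many distinct hosts on
    139/445 is a sweep, so a threshold separates the two."""
    sweep_targets, c2_targets = defaultdict(set), defaultdict(set)
    for src, dst, dport, flags in parse_log(log):
        if dport in SCAN_PORTS and flags == "SYN":
            sweep_targets[src].add(dst)
        elif dport == C2_PORT:
            c2_targets[src].add(dst)
    findings = defaultdict(list)
    for src, targets in sweep_targets.items():
        if len(targets) >= sweep_threshold:
            findings[src].append(f"SYN sweep of {len(targets)} hosts on TCP 139/445")
    for src, targets in c2_targets.items():
        findings[src].append(f"outbound TCP {C2_PORT} to {', '.join(sorted(targets))}")
    return dict(findings)


def triage_host(system_dir_files, service_names):
    """Check a host's system-directory listing and service list (constructed
    inputs, case-insensitive) for the dropped file and service named above."""
    hits = []
    if BOT_FILE in {f.lower() for f in system_dir_files}:
        hits.append(f"{BOT_FILE} present in system directory")
    if BOT_SERVICE in {s.lower() for s in service_names}:
        hits.append(f'service "{BOT_SERVICE}" registered')
    return hits
```

Running `triage_network(build_sample_log())` flags only 10.1.1.5, for both the sweep and the 18067 connection, while the workstation talking to a single file server is left alone.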

Oracle RDBMS - Critical security patches released in October

Oracle Technology Network

During October, Oracle released several critical security patches that companies should quickly test and apply to safeguard the information in these database repositories.

2005-10-19 : Oracle Products Buffer Overflow and SQL Injection Vulnerabilities

Multiple vulnerabilities were identified in various Oracle products, which may be exploited by remote or local attackers to cause a denial of service, execute arbitrary commands, conduct SQL injection attacks and cross site scripting attacks, or bypass certain security restrictions. These flaws are due to unspecified errors in Oracle Database Server, Application Server, Collaboration Suite, E-Business Suite, Applications, Enterprise Manager, PeopleSoft Enterprise, and JD Edwards EnterpriseOne. No further details have been disclosed.

Netscape 8.04 released to address critical security issues

Security Center

All Netscape 8.0x users should update to the latest version to stay protected, as recent security improvements have been released.

http://browser.netscape.com/ns8/security/alerts.jsp

Fixed in Netscape Browser 8.0.4

• MFSA 2005-58 Firefox 1.0.7 / Mozilla Suite 1.7.12 Vulnerability Fixes
• MFSA 2005-57 IDN heap overrun using soft-hyphens

Microsoft October Security Bulletins - Exploits in-the-wild

So far, there are no published reports for MS05-051, which some security firms feel has the potential to be crafted into an Internet worm that could especially impact Windows 2000 based PCs and servers. At least 3 proof-of-concept exploits were developed within a couple of days of the October 11th updates, so companies should carefully test their applications and patch expediently. All users should stay as up-to-date as possible on any security patches that are released.

   » 2005-10-13 : Microsoft Collaboration Data Objects Buffer Overflow PoC Exploit (MS05-048)

   » 2005-10-13 : Microsoft Windows Network Connection Manager Local DoS Exploit (MS05-045)

   » 2005-10-13 : Microsoft Windows FTP Client File Location Tampering Exploit (MS05-044)

PC World - Evaluation of 11 Anti-Spyware products

PCWorld.com

In the November 2005 issue of PC World magazine, 11 different products are evaluated. Webroot Spysweeper continues to score near the top in all evaluations. The MSAS beta release also had a positive review and scored as one of the best free products. It's always best to look at more than one evaluation, as the review team can rank categories differently.

PC World - Evaluation of 11 Anti-Spyware

PC World - Evaluation of 11 Anti-Spyware Product Grid

Microsoft TechNet Security: New Learning Paths Training Facility

Microsoft TechNet

Microsoft's TechNet Security team is introducing a new Learning Paths website that features resources on security threats and appropriate controls. Each month new articles and training materials will be featured to provide on-going training for security professionals.

http://www.microsoft.com/technet/security/learning/default.mspx

Featured This Month:

Internal Threats: Mitigate the Risks in Your Environment

Today's IT professionals work in a challenging environment where there's a constant effort to protect resources and vital information from internal misuse. Attend this series and learn about the risks, business challenges and recommendations for protecting your network from internal threats. We will cover topics such as security risk management, assessment, and implementation, as well as steps for meeting your business needs of operating in a more secure environment.

October Microsoft Security Bulletins - more in-depth information

Microsoft Security Release - October 2005

The following provides an overview of several important updates.

Microsoft Security Release - October 2005
http://www.microsoft.com/technet/security/Bulletin/ms05-Oct.mspx

Internet Storm Center - Excellent Technical Analysis
http://isc.sans.org/diary.php?date=2005-10-11  

Vulnerability in DirectShow Could Allow Remote Code Execution (904706) - Critical
http://www.microsoft.com/technet/security/Bulletin/ms05-050.mspx

Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400) - Critical
http://www.microsoft.com/technet/security/Bulletin/ms05-051.mspx

Cumulative Security Update for Internet Explorer (896688) - Critical
http://www.microsoft.com/technet/security/Bulletin/ms05-052.mspx

Vulnerability in the Client Services for Netware Could Allow Remote Code Execution (899589) - Important
http://www.microsoft.com/technet/security/Bulletin/ms05-046.mspx

Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (905749) - Important
http://www.microsoft.com/technet/security/Bulletin/ms05-047.mspx

Vulnerability in the Microsoft Collaboration Objects Could Allow Remote Code Execution (907245) - Important
http://www.microsoft.com/technet/security/Bulletin/ms05-048.mspx

Vulnerabilities in Windows Shell Could Allow Remote Code Execution (900725) - Important
http://www.microsoft.com/technet/security/Bulletin/ms05-049.mspx

Vulnerability in the Windows FTP Client Could Allow File Transfer Location and Tampering (905495) - Moderate
http://www.microsoft.com/technet/security/Bulletin/ms05-044.mspx

Vulnerability in Network Connection Manager Could Allow Denial of Service (905414) - Important
http://www.microsoft.com/technet/security/Bulletin/ms05-045.mspx

Microsoft Security Bulletins - October 2005

 2005-10-11 : Microsoft Internet Explorer Multiple Remote Vulnerabilities (MS05-052)

 2005-10-11 : Microsoft Windows MSDTC and COM+ Multiple Vulnerabilities (MS05-051)

 2005-10-11 : Microsoft Windows DirectShow Remote Code Execution (MS05-050)

 2005-10-11 : Microsoft Windows Shell and Web View Vulnerabilities (MS05-049)

 2005-10-11 : Microsoft Collaboration Data Objects Code Execution (MS05-048)

 2005-10-11 : Microsoft Windows Plug and Play Remote Code Execution (MS05-047)

 2005-10-11 : Microsoft Client Service for NetWare Remote Code Execution (MS05-046)

 2005-10-11 : Microsoft Windows Network Connection Manager DoS (MS05-045)

 2005-10-11 : Microsoft Windows FTP Client Directory Traversal Issue (MS05-044)

Zafi.F - Spoofed to appear as MSN photo email message

Zafi.F is spreading via email in English, Italian, Spanish, Russian, Swedish and several other languages. This new HTML based variant is authentic in appearance, from a social engineering perspective.

SECUNIA
http://secunia.com/virus_information/22349/zafi.f/

F-SECURE
http://www.f-secure.com/v-descs/zafi_f.shtml

McAfee
http://vil.nai.com/vil/content/v_136426.htm

DO NOT OPEN ATTACHMENTS ENDING WITH: pif, cmd, bat, com or zip file.

Common Malware Enumeration - New CME standard for AV vendors

Department of Homeland Security CERT provides one of the best websites related to computer security. They have recently addressed a major issue among anti-virus companies: common naming conventions don't exist, largely because of the competitive pressure to be first with a detection. Also, some AV products can handle several variants with a single definition, whereas other AV vendors must specifically define a new variant each time a new compression or packing technique is used on the executable.

Chris Mosby, a very talented security moderator in My IT Forums, commented on this need in an Open Letter to Anti-Virus Software Companies in November 2004. This new system won't be perfect, but it's a step in the right direction. It'll help companies like the one I work for, which uses corporate McAfee VS 8.0i on the desktop and SAV for email filtering.

Common Malware Enumeration (CME) - Home Page
http://cme.mitre.org/

Common Malware Enumeration (CME) - FAQ
http://cme.mitre.org/about/faqs.html

Common Malware Enumeration (CME) - Current List
http://cme.mitre.org/data/list.html

Common Malware Enumeration (CME) - How it Works
http://cme.mitre.org/cme/process.html

Common Malware Enumeration (CME) - Press Release
http://cme.mitre.org/about/docs.html

Windows Vista - Review of Beta 1 by Tech Republic

The following 3-part review was featured by Tech Republic on the enhancements that will be forthcoming in Windows Vista, which is Microsoft's next generation operating system for client workstations.

http://www.winsupersite.com/reviews/winvista_beta1_01.asp

http://www.winsupersite.com/reviews/winvista_beta1_02.asp

http://www.winsupersite.com/reviews/winvista_beta1_02.asp

Sober.R - MEDIUM RISK by McAfee and difficult to remove

The Sober virus family is always one to watch. This one is spreading rapidly and McAfee has declared Medium Risk. It is also very difficult to clean until enhanced cleaning capabilities are provided by AV companies.

Sober.R - MEDIUM RISK by McAfee
http://vil.nai.com/vil/content/v_136390.htm

Other AV companies
http://secunia.com/virus_information/22225/sober.s/

EMAIL TO AVOID - English & German variants
Subject: Your new Password
Body:  Your password was successfully changed! Please see the attached file for detailed information.

This mass-mailing email virus arrives in an email message with one of the following attachment names: KlassenFoto.zip, pword_change.zip

SPECIAL INSTRUCTIONS FOR INFECTED PCs

Cleaning this new variant is difficult because the virus writer uses new techniques to lock down access to infected files (blocking access through special registry settings), so you have to clean in Safe Mode until McAfee releases its next DAT file, which will reset the file access permissions in the registry to allow direct cleaning.

Quote:

Due to the nature in which this virus operates once a machine is successfully infected, read-access to its file may be denied. The AV scanner will not be able to detect the file in this case. Because of this, if a machine is suspected to be infected, users are recommended to follow the procedure below:

1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, then choose Safe Mode).
2. Run a system scan using the specified engine/DATs.
3. Delete files flagged as infected.
4. Restart the machine in default mode.
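The email indicators in the Sober.R post above (the "Your new Password" subject and the KlassenFoto.zip / pword_change.zip attachment names) and the extension list in the Zafi.F post (pif, cmd, bat, com, zip) are the kind of rules a mail gateway applies before a DAT update exists. The following is an added example (not code from the blog, McAfee or Secunia) that builds a constructed MIME message with Python's standard email library and reports why it would be quarantined; sender and recipient addresses are placeholders.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators from the posts above: the extensions the Zafi.F post says not to
# open, and the subject line and attachment names used by Sober.R.
BLOCKED_EXTS = {"pif", "cmd", "bat", "com", "zip"}
SOBER_SUBJECT = "your new password"
SOBER_ATTACHMENTS = {"klassenfoto.zip", "pword_change.zip"}


def build_sample_message(subject, attachment_name):
    """Constructed MIME message (not a real sample) with one attachment whose
    payload is placeholder bytes; only the headers and filename matter here."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"      # placeholder address
    msg["To"] = "user@example.com"          # placeholder address
    msg["Subject"] = subject
    msg.set_content("Please see the attached file for detailed information.")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def classify_message(raw_bytes):
    """Return the list of reasons a mail gateway would quarantine this message
    (an empty list means nothing matched). The extension check uses the last
    extension, so a double extension such as photo.jpg.pif is still caught."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject == SOBER_SUBJECT:
        reasons.append("subject matches the Sober.R lure")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if name in SOBER_ATTACHMENTS:
            reasons.append(f"attachment {name} is a known Sober.R name")
        elif ext in BLOCKED_EXTS:
            reasons.append(f"attachment {name} has blocked extension .{ext}")
    return reasons
```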

Spybot.YCL - Attacks 7 major unpatched vulnerabilities or other weak security vulnerabilities

This new version of Spybot has to be one of the most comprehensive attacks I've seen today for this large family of viruses. It attacks weak passwords, uses existing backdoor infections, plus attacks through some of the most prominent security vulnerabilities if a system is unpatched.

Spybot.YCL - Attacks 7 major unpatched vulnerabilities or other weak security vulnerabilities

1. Attacks several major security vulnerabilities in unpatched Microsoft, DameWare, and VERITAS software:

  • The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026).
  • The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
  • The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039).
  • The Microsoft Windows ntdll.dll Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS03-007).
  • The Microsoft Windows SSL Library Denial of Service Vulnerability (described in Microsoft Security Bulletin MS04-011).
  • The Microsoft Windows ASN.1 Vulnerability (as described in Microsoft Security Bulletin MS04-007).
  • The DameWare Mini Remote Control Server Pre-Authentication Buffer Overflow vulnerability (as described in Bugtraq ID 9213).
  • The VERITAS Backup Exec Agent Browser Remote Buffer Overflow Vulnerability (as described here).

2. Spreads over network shares and Microsoft SQL Server using weak usernames and passwords.

3. Spreads to compromised computers by using back doors left behind by other malware such as:

  • W32.Mydoom@mm
  • W32.Beagle@mm
  • Backdoor.Netdevil
  • Backdoor.Optix
  • Backdoor.Subseven