November 2005 - Posts
Apple has issued a security update for Mac OS X, which fixes 13 vulnerabilities.
Mac OS X Security Update Fixes Multiple Vulnerabilities
http://secunia.com/advisories/17813/
http://www.frsirt.com/english/advisories/2005/2659
Reverse engineering for the security patch offered by Microsoft during November continues. Please ensure all of your Windows servers and PCs are properly patched, as these proof-of-concept test exploits could be changed to a harmful attack for unpatched systems in the near future.
Microsoft Windows Metafile (WMF) "mtNoObjects" Header Remote Exploit (MS05-053)
Please only view this POC exploit code present here
http://www.frsirt.com/exploits/20051130.MS05-053.c.php
* The crafted metafile (WMF) from this code when viewed in explorer crashes it.
* The issue is seen when the field 'mtNoObjects' in the Metafile header is set to 0x0000.
* The code was tested on Windows 2000 server SP4. The issue does not occur with the hotfix for GDI (MS05-053) installed.
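The crash condition above is a single header field, which makes it a natural thing to check at a mail gateway or file scanner before an unpatched workstation ever renders the file. The following is an added example, not code from the original post or from the FrSIRT proof of concept: it parses the 18-byte standard WMF METAHEADER (skipping the 22-byte Aldus placeable header when present), reports a zero mtNoObjects along with a few other sanity checks, and builds its own constructed sample files (a header plus one META_EOF record) so it runs offline.

```python
import struct

# Aldus "placeable" WMF header: key DWORD, handle WORD, bounding box (4 x INT16),
# inch WORD, reserved DWORD, checksum WORD = 22 bytes; it precedes the standard header.
PLACEABLE_KEY = 0x9AC6CDD7
PLACEABLE_LEN = 22

# Standard METAHEADER (little-endian): mtType, mtHeaderSize, mtVersion, mtSize,
# mtNoObjects, mtMaxRecord, mtNoParameters = 18 bytes.
METAHEADER_FMT = "<HHHIHIH"
METAHEADER_LEN = struct.calcsize(METAHEADER_FMT)
METAHEADER_FIELDS = ("mtType", "mtHeaderSize", "mtVersion", "mtSize",
                     "mtNoObjects", "mtMaxRecord", "mtNoParameters")


def parse_metaheader(data):
    """Return the METAHEADER fields as a dict, skipping a placeable header if one is present."""
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        offset = PLACEABLE_LEN
    if len(data) < offset + METAHEADER_LEN:
        raise ValueError("data too short to hold a WMF header")
    hdr = dict(zip(METAHEADER_FIELDS, struct.unpack_from(METAHEADER_FMT, data, offset)))
    hdr["placeable"] = offset != 0
    return hdr


def inspect_wmf(data):
    """Return a list of header anomalies; an empty list means every check passed."""
    hdr = parse_metaheader(data)
    findings = []
    if hdr["mtType"] not in (1, 2):
        findings.append("mtType %d is neither memory (1) nor disk (2)" % hdr["mtType"])
    if hdr["mtHeaderSize"] != 9:
        findings.append("mtHeaderSize %d words, expected 9" % hdr["mtHeaderSize"])
    if hdr["mtVersion"] not in (0x0100, 0x0300):
        findings.append("mtVersion 0x%04x is not 0x0100 or 0x0300" % hdr["mtVersion"])
    if hdr["mtNoObjects"] == 0:
        # The field value the MS05-053 proof of concept relies on.
        findings.append("mtNoObjects is 0x0000 (MS05-053 crash trigger on unpatched GDI)")
    actual_words = (len(data) - (PLACEABLE_LEN if hdr["placeable"] else 0)) // 2
    if hdr["mtSize"] != actual_words:
        findings.append("mtSize claims %d words but %d are present" % (hdr["mtSize"], actual_words))
    return findings


def build_sample(no_objects):
    """Constructed sample: a METAHEADER followed by a single META_EOF record (3 words)."""
    eof_record = struct.pack("<IH", 3, 0x0000)             # record size in words, function META_EOF
    total_words = (METAHEADER_LEN + len(eof_record)) // 2  # 12 words in total
    return struct.pack(METAHEADER_FMT, 1, 9, 0x0300, total_words, no_objects, 3, 0) + eof_record


def with_placeable_header(body):
    """Constructed sample: prepend an Aldus placeable header (100x100 units at 96 per inch)."""
    return struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + body


if __name__ == "__main__":
    for label, sample in (("benign", build_sample(1)), ("zero objects", build_sample(0))):
        print(label, "->", inspect_wmf(sample) or "no findings")
```

A zero object count is what the published proof of concept uses, so the check is a reasonable quarantine rule for a gateway feeding unpatched Windows 2000 hosts; after MS05-053 is applied it remains a useful malformed-file indicator rather than a crash risk.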
The Mozilla Foundation has released their long-awaited "Deer Park" technology as Firefox 1.5. The improved management and autoupdate capabilities are definite improvements over 1.0.x versions. I've been beta testing the various builds of Deer Park, and if you use 1.0.x, it's definitely worth updating to the latest and greatest. New Mozilla dot com website: you can download version 1.5 from here.
Brand new POC exploits have been reverse engineered from critical October & November Microsoft security updates. These have been formally published, and these POC exploits could be further crafted by the bad guys out there. Please perform a Windows Update if you haven't recently, to ensure you are up-to-date on all changes.
Microsoft Windows Metafile (WMF) Image Handling Remote Exploit (MS05-053)
Please only view this POC exploit code present here
http://www.frsirt.com/exploits/20051129.MS05-053.c.php
* The crafted metafile from this code when viewed in internet explorer raises the CPU
* utilization to 100%. The code was tested on Windows 2000 server SP4. The issue does
* not occur with the hotfix for GDI (MS05-053) installed
Microsoft Windows Distributed Transaction Coordinator Remote Exploit (MS05-051)
Please only view this POC exploit code present here
http://www.frsirt.com/exploits/20051127.55k7-msdtc.c.php
This proof-of-concept DTC exploit appears to be reverse engineered from the October updates. As this critical vulnerability impacts communications security, it could be potentially crafted into a new Internet worm, based on some reports I've read. Please be sure you are up-to-date on all Microsoft Windows updates (esp. through October 2005).
Microsoft Windows Distributed Transaction Coordinator Remote Exploit (MS05-051)
Please be careful as this link contains actual exploit code below:
http://www.frsirt.com/exploits/20051127.55k7-msdtc.c.php

During early morning research, I discovered a good security site. It provides one day, one week, and one month Top 10 virus statistical counts. Below are some key resources, and the 1st link is a good one to bookmark for monitoring current Internet activities:
FortiNet Security Site - Good Statistics on viruses & spyware
Top Ten viruses
http://www.fortinet.com/FortiGuardCenter/global_threat_stats.html
Current Major Viruses & Spyware Overview
http://www.fortinet.com/FortiGuardCenter/av.html
Current Major Vulnerabilities
http://www.fortinet.com/FortiGuardCenter/idp.html
Web URL Lookup and testing facility
http://www.fortinet.com/FortiGuardCenter/webfiltering.html
In addition to forums and blogs, below is a partial list of some free resources to monitor current developments
Microsoft sites (Security, Technet, At Home, MSRC, Live)
http://www.microsoft.com/security/default.mspx
http://www.microsoft.com/technet/security/default.mspx
http://www.microsoft.com/athome/security/community/default.mspx
http://blogs.technet.com/msrc/
http://safety.live.com/
AVERT - McAfee Security and AV developments
http://myavert.avertlabs.com/myavert/default.aspx
Secunia - New virus and security advisories
http://secunia.com/virus_information/
Internet Storm Center - Major security advisories
http://isc.sans.org/
FrSIRT - New Security Vulnerabilities & Exploits
http://www.frsirt.com/english/
CERT - Major security advisories
http://www.us-cert.gov/current/current_activity.html
Virus Total - Top 10 realtime & great testing site
http://www.virustotal.com/flash/index_en.html
F-Secure - Top 10 & WebLog
http://www.f-secure.com/virus-info/statistics/
http://www.f-secure.com/weblog/
Kaspersky Weblog
http://www.viruslist.com/en/weblog
InfoSys Security
http://www.infosyssec.net/
VirusIntel Portal
http://www.virusintel.com/tiki-index.php
This new mass-mailing worm combines Mydoom functionality with Sdbot functionality. It can launch an IRC bot and install a downloader component that may install other malware from hostile web sites.
McAfee - Mytob.HE (DAT 4636 provides protection)
F-Secure - MyTob.DO Information
Trend - Mytob.MX information - rated as MEDIUM RISK
Trend - Mytob.MX behavioral chart (excellent analysis)
Trend - Mytob.MX example of email
EMAIL TO BLOCK OR AVOID
Subject: (avoid all of the following)
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification Members Support
Security measures
Email Account Suspension
Notice of account limitation
Attachment: (avoid all of the following)
• {Random file name}.zip
• account-details.zip
• account-info.zip
• account-password.zip
• account-report.zip
• approved-password.zip
• document.zip
• email-details.zip
• email-password.zip
• important-details.zip
• new-password.zip
• password.zip
• updated-password.zip
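A block list like the one above only helps if it is actually applied at the mail server before the user sees the message. The following is an added example, not code from the original post or from any of the vendors linked above: it parses a raw RFC 822 message with Python's standard email package, compares the Subject and every attachment filename against the Mytob indicators case-insensitively, and treats the "{Random file name}.zip" entry as "any .zip riding on a known lure subject". The sample messages it builds are constructed for the demonstration; the attachment is an empty ZIP end-of-central-directory record, not a real payload.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators from the Mytob write-up, compared case-insensitively.
MYTOB_SUBJECTS = {s.lower() for s in (
    "Your Account is Suspended",
    "*DETECTED* Online User Violation",
    "Your Account is Suspended For Security Reasons",
    "Warning Message: Your services near to be closed.",
    "Important Notification Members Support",
    "Security measures",
    "Email Account Suspension",
    "Notice of account limitation",
)}
MYTOB_ATTACHMENTS = {
    "account-details.zip", "account-info.zip", "account-password.zip",
    "account-report.zip", "approved-password.zip", "document.zip",
    "email-details.zip", "email-password.zip", "important-details.zip",
    "new-password.zip", "password.zip", "updated-password.zip",
}


def attachment_names(msg):
    """Filenames of all attachment parts in a parsed message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def classify(raw_bytes):
    """Return the reasons the message matches the Mytob lure; an empty list means no match."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    subject_hit = subject.lower() in MYTOB_SUBJECTS
    reasons = []
    if subject_hit:
        reasons.append("subject matches Mytob lure: %r" % subject)
    for name in attachment_names(msg):
        lowered = name.lower()
        if lowered in MYTOB_ATTACHMENTS:
            reasons.append("attachment name on Mytob list: %r" % name)
        elif lowered.endswith(".zip") and subject_hit:
            # Covers the "{Random file name}.zip" entry: any ZIP on a known lure subject.
            reasons.append("unlisted .zip attachment with Mytob subject: %r" % name)
    return reasons


def build_sample(subject, filename):
    """Constructed sample message carrying one ZIP attachment (an empty archive, not malware)."""
    msg = EmailMessage()
    msg["From"] = "support@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please open the attached file to review your account.")
    empty_zip = b"PK\x05\x06" + b"\x00" * 18   # end-of-central-directory record only
    msg.add_attachment(empty_zip, maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, fname in (("Your Account is Suspended", "account-details.zip"),
                        ("Security measures", "k3x9.zip"),
                        ("Lunch tomorrow?", "agenda.zip")):
        print(subj, fname, "->", classify(build_sample(subj, fname)) or "clean")
```

The subject-plus-ZIP rule is deliberately conjunctive: blocking every ZIP attachment outright would be noisy, while blocking only the listed filenames misses the randomised variant the vendors describe.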
The following link is an EXCELLENT analysis of the leading security exposures related to the Internet.
http://www.sans.org/top20/
QUOTE: Washington, D.C. - The FBI is warning the public to avoid falling victim to an on-going mass e-mail scheme wherein computer users received unsolicited e-mails purportedly sent by the FBI. These scam e-mails tell the recipients that their Internet use has been monitored by the FBI and that they have accessed illegal web sites. The e-mails then direct recipients to open an attachment and answer questions.
More links for Sober.X information
CHARACTERISTICS OF A ROOTKIT:
1. A rootkit substitutes malicious code in place of legitimate Operating System routines. It does so in a highly stealth-like manner by turning off certain security routines.
2. They are difficult to detect. Anti-virus (AV) software must be programmed in a special, complex way to even detect this software. AV products can't interrogate protected operating system files as well as they can other files.
3. Rootkits are difficult to clean, as they embed themselves deeply within the Registry and system files. Unless you have a proven rootkit cleaning tool, you should rebuild the PC completely from the ground up, so that there are assurances that all rootkit components are gone.
QUOTE: The Sony BMG copy protection debacle has pulled "rootkit" out of the hacker underground and into the wider world of regular computer users. But while those PC owners may now recognize the term, that doesn't necessarily mean they know what kind of threat it describes. And in the Sony case, not even the experts can agree on whether the record label's antipiracy technology meets the technical definition of a rootkit.
CNET Article: What makes a rootkit?
F-Secure and McAfee report several new variants and this list could grow. Batten down the hatches.
F-Secure - 6 new variants
http://www.f-secure.com/v-descs/bagle_eo.shtml
http://www.f-secure.com/v-descs/bagle_ep.shtml
http://www.f-secure.com/v-descs/bagle_eq.shtml
http://www.f-secure.com/v-descs/bagle_er.shtml
http://www.f-secure.com/v-descs/bagle_es.shtml
http://www.f-secure.com/v-descs/bagle_et.shtml
McAfee detection information
http://vil.nai.com/vil/content/v_137087.htm
Quote: Several new W32/Bagle downloader variants have been widely spammed to users (November 23, 2005). To date, they are detected as W32/Bagle.gen@MM with the 4635 DATs.
These are downloader trojans. However, like previous Bagle variants, it is likely that in the near future, the author(s) will post an accompanying EXE file on a remote server, which SPAMs new versions of Bagle (not to addresses harvested on the local system, but to addresses specified in spam lists also on remote web servers). This trojan was mass-spammed in a ZIP attachment and uses peoples names as the filenames, for example:
* Edmund.zip
* Elizabeth.zip
* Fraunces.zip
* Grace.zip
* Henrie.zip
* Jeames.zip
Opera 8.51 has been released to address critical security issues. I use this as a complementary browser in addition to IE 6 (XP SP2) and the Mozilla Deerpark beta (Firefox 1.5 RC3). After a couple of days of testing, this new version is working well on my work and home PCs. All Opera users should move to the latest version to ensure they enjoy the best protection possible.
Opera 8.51 for Windows is available for download.
Changes since 8.50
User interface
Added Answers.com search option, with 'a' as keyword to search from address field. The version number of search.ini has not been increased; the change will only be visible in fresh installs.
Security and plug-ins
- Macromedia Flash version shipped with Opera is now 7r61. Addresses issue reported in Secunia Advisory 17437.
- Solved severe stability issue when using the Acrobat Reader 7.0.5 plug-in.
Miscellaneous
- Fixed multiple stability issues.
FrSIRT Critical Advisory Information - Key Security Changes
http://www.frsirt.com/english/advisories/2005/2519
Multiple vulnerabilities were identified in Opera, which could be exploited by attackers to execute arbitrary commands.
The first issue is due to a memory corruption error in Macromedia Flash Player, a third party application redistributed with Opera, which could be exploited by remote attackers to compromise a vulnerable system by convincing a user to visit a specially crafted Web page or open a malicious Flash file. For additional information, see : FrSIRT/ADV-2005-2317
The second vulnerability is due to an error where the shell script used in Unix / Linux based environments to launch Opera parses shell commands enclosed within backticks in the URL provided via the command line, which could be exploited by remote attackers to compromise a vulnerable system by convincing a user to follow a malicious link in an external program (e.g. Thunderbird or Evolution). This issue is similar to FrSIRT/ADV-2005-1794
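The second Opera issue is a general bug class, not something specific to browsers: an untrusted string (here a URL handed over by a mail client) gets spliced into a command line that a shell re-parses, so backticks inside it are executed as a command. The Opera launcher script itself is not reproduced on this page, so the following is an added example that emulates the bug class in Python rather than Opera's own code: launch_unsafe builds a command string and lets sh re-parse it, launch_safe passes the URL as a positional parameter so "$1" expands it without re-parsing, and has_shell_metachars is a defence-in-depth pre-check. The URL and the harmless "echo injected" marker are constructed for the demonstration; both functions just echo the URL instead of starting a browser.

```python
import subprocess

# Characters a POSIX shell treats specially if it re-parses the URL.
SHELL_META = set("`$;|&<>(){}\"'\\\n")


def launch_unsafe(url):
    """Constructed illustration of the bug class: the URL is spliced into a command
    string that sh re-parses, so a backtick sequence inside the URL gets executed."""
    command = 'echo "Opening: %s"' % url
    result = subprocess.run(["sh", "-c", command], capture_output=True, text=True, check=True)
    return result.stdout.strip()


def launch_safe(url):
    """Hardened form: the URL travels as positional parameter $1 and is expanded inside
    double quotes, which substitutes the value without interpreting backticks or $()."""
    result = subprocess.run(["sh", "-c", 'echo "Opening: $1"', "sh", url],
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


def has_shell_metachars(url):
    """Defence in depth for any launcher that still builds a command string:
    refuse URLs containing shell metacharacters before they reach a shell at all."""
    return any(c in SHELL_META for c in url)


if __name__ == "__main__":
    sample = "http://example.invalid/`echo injected`"   # constructed test URL
    print("unsafe:", launch_unsafe(sample))
    print("safe:  ", launch_safe(sample))
    print("metachars present:", has_shell_metachars(sample))
```

In a real launcher script the equivalent of launch_safe is quoting the arguments ("$@") and never passing them through eval; the pre-check is worth keeping regardless, because a browser has no legitimate reason to receive a URL containing backticks.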
The link below shares a press release of the Sober.Y which continues to generate large quantities of infected email messages. I personally got 00's of copies and they are still streaming in.
Please be careful with all suspicious emails and never open attachments unless you are absolutely certain they are safe.
MessageLabs Stops Over 2.7 million Copies of New Sober Virus That Spoofs FBI and CIA
November 22, 2005 - 17:00 GMT/ 12:00 ET - MessageLabs has intercepted over 2.7-million copies of a new Sober virus, many of which are being spoofed to appear as though they are sent from the FBI or the CIA.
The first copy was stopped at 19:00 GMT on 21st November. The size of the attack indicates that this is a major offensive, certainly one of the largest in the last few months.
Email Overview
These emails suggest to recipients that their Internet use has been monitored by the FBI or CIA and that they have accessed illegal Web sites. The email directs users to open the ZIP attachment containing the executable, which once opened delivers the Sober virus payload.
It then spreads by searching the infected computer for other email addresses to send copies of itself to, but ignoring any domains for certain security organizations, including MessageLabs.
Additional Forum Links
My IT Forums: More information on Sober.X
McAfee Forums: More information on Sober.X
Calendar of Updates: More information on Sober.X
Microsoft is addressing this new security exposure which has recently emerged as a new zero day proof-of-concept exploit. They offer workarounds and technical information on the exposures in the link below:
Microsoft Security Advisory (911302) - New IE vulnerability with temporary Workarounds
QUOTE: This issue was originally publicly reported in May as being a stability issue that caused the browser to close. Since then, new information has been posted that indicates remote code execution could be possible. Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.
More information and links can be found for a new zero day proof-of-concept exploit that has been published by selecting this link:
Internet Storm Center moves to Yellow Alert Status on zero day IE exploit
A new proof-of-concept (POC) exploit has been published for a critical unpatched IE vulnerability. Please be careful of any websites you visit; so far there are no reports of the POC being found in the wild.
New Zero Day Internet Explorer Remote Code Execution Exploit
http://www.frsirt.com/english/advisories/2005/2509
http://www.frsirt.com/exploits/20051121.IEWindow0day.php
http://secunia.com/advisories/15546/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1790
QUOTE: A critical vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a memory corruption error when processing malformed HTML pages containing specially crafted calls to the JavaScript "window()" object and the "body onload" tag, which could be exploited by remote attackers to take complete control of an affected system by convincing a user to visit a malicious Web page.
This vulnerability has been confirmed on Windows XP SP2 with Internet Explorer 6 (fully patched)
Both articles were published by Security Focus and they provide excellent technical information on how this emerging threat works in detail.
Windows Rootkits in 2005 - Part I
http://www.securityfocus.com/infocus/1850
Windows Rootkits in 2005 - Part II
http://online.securityfocus.com/infocus/1851
One of my friends in the security field shared an excellent summary of the failed attempt by Sony BMG to better protect their music from Copyright violations. As an ethical individual, I respect the intellectual property rights of those in the music industry. The approach Sony used created harm and potential security issues for innocent loyal customers, who purchased their CDs in good faith.
The rootkit may have appeared to be a good technical solution on the drawing board for better protecting digital rights. However, they didn't exercise risk management and plan well for things that could go wrong, including opening up the customer's PC to emerging security risks based on new malware that takes advantage of the rootkit architecture.
The following provides an update for this issue with several related links:
QUOTE: Sony/BMG has just recalled 52 music CDs, all of which came with software which will install "rootkit" spyware programs on your Windows computer. If you have any of these CDs and have played them on your Windows PCs, your computers may be infected with some truly nasty software. This problem does NOT affect Macs or Linux computers and may not have affected you if you run a secure Windows setup. More than 500,000 computers are known to be infected worldwide.
List of 52 infected Sony CDs being recalled
http://cp.sonybmg.com/xcp/english/titles.html
More on Sony's recall notice to replace these CDs at no charge to the owner
The Sony/BMG website has an uninstall program that is supposed to clean up the infection. HOWEVER, as of today, their uninstall program leaves your computer MORE VULNERABLE than before! Check with your anti-virus vendor to see if your AV can clean up this problem.
Microsoft is upgrading their Malicious Software Removal Tool, which is updated once a month. It will soon be updated to remove the XCP modifications that Sony/BMG put on your computer, but it's not available currently. More information can be found at these sites:
Sony BMG's copy-protection problems grow
http://securityfocus.com/news/11357
Mark's Sysinternals Blog Victory!
http://www.sysinternals.com/blog/2005/11/victory.html
Sony's DRM Rootkit: The Real Story
http://www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html
Secunia Advisory
http://secunia.com/advisories/17408/
US CERT Advisory
http://www.us-cert.gov/current/current_activity.html#xcpdrm
http://www.kb.cert.org/vuls/id/312073
Security issues may surface using Sony's XCP uninstall tools
http://secunia.com/advisories/17610/
http://www.frsirt.com/english/advisories/2005/2454
http://www.freedom-to-tinker.com/?p=927
Security issues may surface using Sony's uninstall for SunnComm MediaMax (another DRM)
http://secunia.com/advisories/17639/
http://www.frsirt.com/english/advisories/2005/2493
http://www.freedom-to-tinker.com/?p=931
Rootkits could mean a complete rebuild for your PC
http://insight.zdnet.co.uk/0,39020415,39237277-4,00.htm
QUOTE: How do we remove rootkits? -- There is only one guaranteed way to remove a rootkit. You destroy the system and then rebuild it. There is no other way to reliably remove a rootkit — no other way whatsoever. You can't delete the file or even reinstall the operating system over the top of the existing OS — which is a horrible practice anyway. It is super important to nuke the system because a rootkit's primary function is stealth — what is it hiding? Do you know? Usually not. How can you reliably know what it was hiding, what it was compromising or what it was removing?
Key Advice for now: Please do not play CDs using your PC until this issue is fully addressed (or if you do play CDs not on the list, still be vigilant and cautious). It could require rebuilding your PC.
Ideas for Infected Users: If you are currently infected with the XCP software, some standalone tools and removers are available. Do not try to remove this manually unless you have complete directions and you are highly skilled as a computer technician. Your CD-ROM or PC may no longer work properly if you fail to remove the rootkit properly. I believe further "help is on the way" and infected users might be better served to wait a little while longer until better tools are published.
Macromedia has performed a security update for its Flash Player to improve security, including a critical vulnerability that can be exploited by visiting a malicious web page or opening a specially crafted email attachment. Everyone using this software should update as quickly as possible.
Advisory ID : FrSIRT/ADV-2005-2317
CVE ID : CVE-2005-2628
Rated as : Critical 
Note : This proof-of-concept exploit generates a flash file that will cause a DoS
More Information and update links can be found in this blog entry
This new risk is rated as "Moderately Critical" and it can impact system performance. So far there are no published exploits in-the-wild on this newly discovered vulnerability, which Microsoft will most likely patch soon.
Microsoft - New unpatched RPC memory allocation vulnerability
http://www.frsirt.com/english/advisories/2005/2468
Microsoft RPC memory allocation POC Exploit
note - actual POC code is published here - please be careful
http://www.frsirt.com/exploits/20051117.Win_upnp_getdevicelist.c.php
Microsoft Security Advisory (911052)
http://www.microsoft.com/technet/security/advisory/911052.mspx
Secunia - Microsoft Windows UPnP GetDeviceList Denial of Service
http://secunia.com/advisories/17595/
Technical Description: A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to cause a denial of service. This flaw is due to a memory allocation error when processing specially crafted RPC (Remote procedure call) requests, which could be exploited by attackers to crash a vulnerable system or cause the "services.exe" process to consume a large amount of system resources.
Affected Products
Microsoft Windows 2000 Service Pack 4
Microsoft Windows 2000 Service Pack 3
Microsoft Windows 2000 Service Pack 2
Microsoft Windows 2000 Service Pack 1
Microsoft Windows 2000
Microsoft Windows XP Service Pack 1 (for Windows XP Service Pack 1 an attacker must have valid logon credentials to exploit this vulnerability).
Solution: FrSIRT is not aware of any official supplied patch for this issue.
Status: Microsoft is not aware of active attacks that use this vulnerability or of customer impact at this time.