December 2005 - Posts

Kaspersky has received information on a new IM worm hitting the Netherlands. Apparently the worm spreads over MSN using a malformed WMF file called xmas-2006 FUNNY.jpg

Kaspersky Lab Blogs
F-Secure Blogs: First WMF worm found
Please be careful when opening New Year's greeting links or other seasonal greetings.

There is a "new and improved" edition of the WMF exploit that does not use a WMF extension. It also varies in size randomly to better evade AV detection. A code Yellow alert has been issued by the Internet Storm Center. There is little or no AV protection available, so extra caution should be used.
New exploit released for the WMF vulnerability - YELLOW
http://isc.sans.org/diary.php?storyid=992
A copy of the actual exploit can be found at FrSIRT for anyone wanting to review the code, but please use caution. The exploit generates files with the following characteristics:
* with a random size;
* no .wmf extension, (.jpg), but could be any other image extension actually;
* a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
* a number of possible calls to run the exploit are listed in the source;
* a random trailer
A security firm from Belgium offers a testing facility for browsers. I tested IE 6 (XP SP2 version), Firefox 1.5, and Opera 8.51 and all three passed the test as follows:
The Browser Security Test is finished. Please find the results below:
High Risk Vulnerabilities 0
Medium Risk Vulnerabilities 0
Low Risk Vulnerabilities 0
QUOTE: Can someone hack into your computer via your browser? How vulnerable are you? Can websites install spyware through your browser? Scanit's Browser Security Test automatically checks your browser for various security problems. When the test is finished you get a complete report explaining the discovered vulnerabilities, their impact and how to eliminate them.

Microsoft has issued Security Advisory 912840 for a critical vulnerability in the Windows graphics rendering engine. As noted in the bulletin they have the highest priority in testing out and providing solutions for the WMF exploits that are currently circulating in-the-wild.
So far, most WMF attacks come from visiting unsafe websites, so follow best practices and "think before you click" when web surfing, and never click on links in email or Instant Messaging.
Current recommendations for Malicious WMF Exploits in-the-wild
1. Keep your Anti-Virus and Anti-Spyware software as up-to-date as possible. For example, McAfee users should install DAT 4661 or higher immediately
2. Stay away from all questionable websites. Do not open WMF files or links in any environment (e.g., IM, email, web surfing, explorer, etc.).
3. Filter and block WMF files in email or content filtering systems in the corporate environment.
4. Don't rely just on the WMF extension. Windows metafile processing can handle a disguised and renamed file. For example, the extension of a corrupted WMF file might be renamed to GIF; when Windows opens it, it may recognize that the file was a WMF file originally, and an infection could result.
5. As an extra safety precaution, you can turn off the vulnerable DLL. The Full Disclosure workaround has a downloadable *.REG file that allows toggling shimgvw.dll on and off. Another option is to disable shimgvw.dll completely. Turning it off results in a minor loss of functionality: thumbnail previews in Explorer and the Windows Picture and Fax Viewer can be affected. Still, it is easy to restore later, after better protective solutions emerge, as noted in the Full Disclosure link.
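Recommendations 3 and 4 above (filter WMF content at the mail gateway, and do not trust the extension) call for a content check rather than a filename check, especially since the newer exploit files carry a .jpg extension, a random size and a random trailer. The following Python sniffer is an added example, not code from the original post or from any of the linked advisories. It identifies WMF data by its header bytes: the Aldus placeable-metafile key 0x9AC6CDD7 (bytes D7 CD C6 9A) followed by the standard METAHEADER, or the METAHEADER alone (type 1 or 2, header size of 9 words, version 0x0100 or 0x0300). That header layout is the documented WMF format; the sample inputs below are constructed for the demonstration and are not real malware.

```python
import struct

# Aldus placeable metafile key, 0x9AC6CDD7 stored little-endian.
PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"
PLACEABLE_HEADER_LEN = 22   # key(4) + handle(2) + bbox(8) + inch(2) + reserved(4) + checksum(2)
METAHEADER_LEN = 18         # mtType, mtHeaderSize, mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters


def looks_like_wmf(data: bytes) -> bool:
    """Return True if the bytes begin with a WMF header, regardless of filename.

    Recognises both the placeable form (22-byte Aldus header, then METAHEADER)
    and the bare METAHEADER: mtType 1 (memory) or 2 (disk), mtHeaderSize always
    9 words, mtVersion 0x0100 or 0x0300.
    """
    if data.startswith(PLACEABLE_MAGIC):
        data = data[PLACEABLE_HEADER_LEN:]
    if len(data) < METAHEADER_LEN:
        return False
    mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", data, 0)
    return mt_type in (1, 2) and mt_header_size == 9 and mt_version in (0x0100, 0x0300)


def classify_attachment(filename: str, data: bytes) -> str:
    """Gateway policy decision: block WMF content whatever the extension says."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if looks_like_wmf(data):
        if ext != "wmf":
            return "block: WMF content disguised as ." + ext
        return "block: WMF file"
    return "allow"


# Constructed samples (not real files): a disk metafile header, version 3.0,
# mtSize 9 words, no objects, no records yet.
STANDARD_HEADER = struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)
# Bare WMF: header plus a single EOF record (size 3 words, function 0x0000).
STANDARD_SAMPLE = STANDARD_HEADER + b"\x03\x00\x00\x00\x00\x00"
# Placeable WMF renamed to .jpg: key, zeroed placeable fields, METAHEADER, padding.
PLACEABLE_SAMPLE = PLACEABLE_MAGIC + bytes(PLACEABLE_HEADER_LEN - 4) + STANDARD_HEADER + bytes(40)
# A genuine-looking JPEG prefix (SOI marker, APP0 JFIF segment) for contrast.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(40)

if __name__ == "__main__":
    for name, blob in [("xmas-2006 FUNNY.jpg", PLACEABLE_SAMPLE),
                       ("chart.wmf", STANDARD_SAMPLE),
                       ("photo.jpg", JPEG_SAMPLE)]:
        print(f"{name:22s} -> {classify_attachment(name, blob)}")
```

The check looks only at the first bytes, so the random junk, random size and random trailer described for the new exploit do not affect it; what it cannot do is tell a malicious metafile from a benign one, so it implements the blanket "block WMF content" policy of recommendation 3 rather than replacing updated AV signatures.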
Please click on this link for more information:
Malicious Zero Day Windows Media File Exploits are in-the-wild
Microsoft has issued a security advisory to share initial information on this new unpatched vulnerability which is being exploited in-the-wild. As Microsoft advises keep your AV and anti-spyware software updated to the latest definitions.
Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/912840.mspx

Please be careful with the sites you visit, as a major new security risk has developed. Be particularly careful downloading or viewing WMF (Windows Metafile) images until this issue is fully resolved. I believe Microsoft will prioritize and patch this new vulnerability expediently, so please look for upcoming security advisories, workarounds, and ultimately a patch. In the meantime, follow best practices by visiting only safe sites and avoiding all WMF files in emails or on untrusted websites. Keep your AV protection updated, as anti-virus vendors will also prioritize protection against this new in-the-wild exploit.
STATUS INFORMATION
INTERNET STORM CENTER - YELLOW ALERT
F-SECURE BLOG - GOOD STATUS INFORMATION
SUNBELT BLOG - GOOD STATUS INFORMATION
SECUNIA INFORMATION
Microsoft Windows WMF Handling Arbitrary Code Execution
http://secunia.com/advisories/18255/
Secunia Advisory: SA18255
Release Date: 2005-12-28
Rating: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
QUOTE: A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an error in the handling of corrupted Windows Metafile files (".wmf"). This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. selecting the file). This can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.
Solution: Do not open or preview untrusted ".wmf" files and set security level to "High" in Microsoft Internet Explorer.
TREND MICRO INFORMATION
TWO TROJAN HORSE VARIANTS SO FAR
TROJ_WMFXEXE.A
TROJ_WMFMSITS.A
QUOTE: The Windows Picture and Fax Viewer vulnerability is a zero-day exploit that is capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This may pose a dangerous situation in which a lot of systems may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it.
FRSIRT INFORMATION
Microsoft Windows WMF Handling Remote Code Execution Vulnerability
http://www.frsirt.com/english/advisories/2005/3086
FrSIRT Advisory: FrSIRT/ADV-2005-3086
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-12-28
WORKAROUNDS THAT ARE EMERGING
These workarounds appear to help some, although they will impact some functionality. For now the best advice is to be careful with all email and website links. Avoid all WMF files, especially from untrusted sites until more is known on this new threat.
EWeek Article: Provides more on shimgvw.dll workaround
Full Disclosure - Shimgvw.dll workaround with *.REG files that can toggle settings on/off
Update January 22, 2006: During December, virus writers used a social engineering trick to lure users into loading a virus onto their PCs. They were offered a new MSN version 8 which did not exist at the time.
Microsoft has now released MSN beta 8 and this update to the post is to confirm that invitations directly from Microsoft are legitimate. While the Virkel.F worm did not spread extensively, users should always verify they are downloading from Microsoft's website. Please be careful and ensure you are downloading from Microsoft's site, rather than the spoofed one used by this virus.
=========================================
A new MSN "beta" is being offered to lure folks into infecting their existing PCs and MSN environment. As a best practice, never accept software updates or products by email. As an example, Microsoft does not distribute any software by email.
Virkel.F: Spoofed as an MSN Messenger beta 8 download
QUOTE: There is no MSN Messenger 8. Not yet anyway. However, there's a new virus going around pretending to be "MSN Messenger 8 Working BETA". There's two ways to catch it. First, by downloading it from a fake site where it has been supposedly "leaked" ...

During the past week, several spam emails have been received labeled simply as "MERRY CHRISTMAS". However, the author was an unfamiliar name, so that is one method to quickly spot and avoid these types of messages.
As a person's name is spoofed in the author field, these messages could appear to be legitimate. On a couple of these, the author seemed to be a familiar name and I wasn't certain if it was spam until the message was opened.
Some of these messages were carefully evaluated from a security standpoint. While most were aggressive advertising messages, some pointed to websites. Visiting an unknown website can introduce spyware or other malware agents.
Most likely "HAPPY NEW YEAR" messages will be coming. In addition to spam, many viruses use themes and social engineering approaches centered around holiday greetings.
Please be careful with all email you encounter, as messages that appear to be safe could be designed to trick folks in infecting their PCs with spyware or viruses. Keep your AV software and Windows updated to the latest levels of protection. Finally, as an additional safety precaution, processing email in a plain text mode can help some.
VMware is a great management product for server consolidation as it creates logical partitions on large corporate servers to run multiple operating systems efficiently. A critical security update has been issued and system administrators are urged to apply this patch quickly.
VMware ESX Server - Critical update for Cross Site Scripting Issue
http://www.frsirt.com/english/advisories/2005/3084
Advisory ID : FrSIRT/ADV-2005-3084
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-12-24
Technical Description: A vulnerability has been identified in VMware ESX Server, which may be exploited by attackers to inject malicious HTML code. This flaw is due to an input validation error in the VMware Management Interface that does not properly validate certain parameters, which may be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.
Affected Products: VMware ESX Server 2.0.x, 2.1.x, 2.5.x
Solution: Apply latest VMware patches
http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=2001
Some of my friends sent a copy of this creative version of the 12 days of Christmas, developed by a talented member of the Spyware Information Forums. May everyone reading this have a wonderful Christmas, Hanukkah, and other special holidays being celebrated at this time.
Hopefully 2006 will be the best year ever, as we start a brand new year next week.


SpyWare Forums: The twelve e-mails of Christmas!
On the first day of Christmas my e-mail sent to me; A virus for my PC.
On the second day of Christmas my e-mail sent to me; Two Sasser Worms, and a virus for my PC.
On the third day of Christmas my e-mail sent to me; Three search bars, two Sasser Worms and a virus for my PC.
On the fourth day of Christmas my e-mail sent to me; Four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.
On the fifth day of Christmas my e-mail sent to me; Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.
On the sixth day of Christmas my e-mail sent to me; Six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.
On the seventh day of Christmas my e-mail sent to me; Seven rootkits, six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.
On the eighth day of Christmas my e-mail sent to me; Eight Smitfrauds, seven rootkits, six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.
On the ninth day of Christmas my e-mail sent to me; Nine Qoologics, eight Smitfrauds, seven rootkits, six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.
On the tenth day of Christmas my e-mail sent to me; Ten BHOs, nine Qoologics, eight Smitfrauds, seven rootkits, six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.
On the eleventh day of Christmas my e-mail sent to me; Eleven peper files, ten BHOs, nine Qoologics, eight Smitfrauds, seven rootkits, six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.
On the twelfth day of Christmas my e-mail sent to me; A link to http://forums.spywareinfo.com
A major new phpBB attack is circulating and site administrators should ensure they are on phpBB version 2.0.18 or higher.
phpBB Remote Command Execution and SQL Injection Vulnerabilities
http://www.frsirt.com/english/advisories/2005/2250
Technical Description: Multiple vulnerabilities were identified in phpBB, which could be exploited by remote attackers to execute arbitrary commands or conduct SQL injection and cross site scripting attacks.
Exploit Code example
Please be careful as actual exploit code is present here
http://www.frsirt.com/exploits/20051224.r57phpbb2017.pl.php
Affected Products: phpBB version 2.0.17 and prior
Solution - Upgrade to phpBB version 2.0.18
http://www.phpbb.com/downloads.php
Several new variants of the Bagle downloader trojan and its corresponding email worm have surfaced recently. These new variants use ZIP files named after individuals as a social engineering scheme, so the attachments appear possibly safe. Users should avoid opening any email attachment until it has been tested to ensure it is safe, even on legitimate email correspondence.
Bagle - McAfee Information
This is a downloader trojan. However, like previous Bagle variants, it is likely that in the near future, the author(s) will post an accompanying EXE file on a remote server, which SPAMs new versions of Bagle (not to addresses harvested on the local system, but to addresses specified in spam lists also on remote web servers). This trojan was mass-spammed in a ZIP attachment and uses people's names as the filenames:
- Edmund.zip
- Elizabeth.zip
- Fraunces.zip
- Grace.zip
- Henrie.zip
- Jeames.zip
Symantec information is noted below:
Several reports from Sophos are noted below:
A corporate attorney sent the following out to the employees in his company.
1. The next time you order checks have only your initials (instead of first name) and last name put on them. If someone takes your checkbook, they will not know if you sign your checks with just your initials or your first name, but your bank will know how you sign your checks.
2. Do not sign the back of your credit cards. Instead, put "PHOTO ID REQUIRED."
3. When you are writing checks to pay on your credit card accounts, DO NOT put the complete account number on the "For" line. Instead, just put the last four numbers. The credit card company knows the rest of the number, and anyone who might be handling your check as it passes through all the check-processing channels will not have access to it.
4. Put your work phone # on your checks instead of your home phone. If you have a PO Box, use that instead of your home address. If you do not have a PO Box, use your work address. Never have your Social Security printed on your checks, (DUH!). You can add it if it is necessary. However, if you have it printed, anyone can get it.
5. Place the contents of your wallet on a photocopy machine. Do both sides of each license, credit card, etc. You will know what you had in your wallet and all of the account numbers and phone numbers to call and cancel. Keep the photocopy in a safe place. Also carry a photocopy of your passport when traveling either here or abroad. We have all heard horror stories about fraud that is committed on us in stealing a name, address, Social Security number, credit cards.
6. When you check out of a hotel that uses cards for keys (and they all seem to do that now), do not turn the "keys" in. Take them with you and destroy them. Those little cards have on them all of the information you gave the hotel, including address and credit card numbers and expiration dates. Someone with a card reader, or employee of the hotel, can access all that information with no problem whatsoever.
* * *
Unfortunately, as an attorney, I have first hand knowledge because my wallet was stolen last month. Within a week, the thieve(s) ordered an expensive monthly cell phone package, applied for a VISA credit card, had a credit line approved to buy a Gateway computer and received a PIN number from DMV to change my driving record information online. Here is some critical information to limit the damage in case this happens to you or someone you know:
1. We have been told we should cancel our credit cards immediately. The key is having the toll free numbers and your card numbers handy so you know whom to call. Keep those where you can find them.
2. File a police report immediately in the jurisdiction where your credit cards, etc., were stolen. This proves to credit providers you were diligent, and this is a first step toward an investigation (if there ever is one). However, here is what is perhaps most important of all (I never even thought to do this.)
3. Call the three national credit reporting organizations immediately to place a fraud alert on your name and Social Security number. I had never heard of doing that until advised by a bank that called to tell me an application for credit was made over the Internet in my name. The alert means any company that checks your credit knows your information was stolen, and they have to contact you by phone to authorize new credit. By the time I was advised to do this, almost two weeks after the theft, all the damage had been done. There are records of all the credit checks initiated by the thieves' purchases, none of which I knew about before placing the alert. Since then, no additional damage has been done, and the thieves threw my wallet away this weekend (someone turned it in). It seems to have stopped them dead in their tracks.
Now, here are the numbers you always need to contact about your wallet and contents being stolen:
1.) Equifax: 1-800-525-6285
2.) Experian (formerly TRW): 1-888-397-3742
3.) TransUnion : 1-800-680-7289
4.) Social Security Administration (fraud line): 1-800-269-0271
Folks need to treat Instant Messages with the same care and suspicion they would email. Files or URLs found in Instant Messages can be malicious. This new IM worm installs a rootkit, which can be very difficult for AV software to detect and remove.
Links are noted below
Internet Storm Center Warning
Techweb
IM Logic
QUOTE: A new worm posing as a come-on to a Santa Claus site is traveling across all the major instant messaging networks, a security firm warned Tuesday, and when recipients visit the bogus site, they're infected with a file hidden from sight by a rootkit. IMlogic said that the worm, dubbed "M.GiftCom.All," is circulating on the MSN, AOL, ICQ, and Yahoo instant messaging services, is a "Medium" threat, a relatively rare classification for the Waltham, Mass.-based company. Most IM worms and Trojans listed on its Threat Center receive only a "Low" classification. Like virtually all IM worms, M.GiftCom.All includes a URL in messages it spams out to contacts hijacked from previously-infected PCs.
Computer Security involves a two-part process of protecting resources. The first component is adding security software and fortifying defenses so that most attacks from the outside can be blocked. The second step is making certain folks follow the best practices in security, so that they resist traps and social engineering schemes.
You can think of step one as placing a fence around the chicken coop to keep the fox out. But if the chicken opens the door and lets a disguised fox in, the battle is lost. Thus users should always protect their systems with anti-virus, anti-spyware, and firewall software. Secondly, they need to "think before they click" and suspect that any email or instant message could pose harm to their systems.
http://www.viruslist.com/en/analysis?pubid=176195190
Key Topics in the article
Computer security as a system
People are part of the system
Security vulnerabilities and some examples
Conclusion
Symantec will most likely quickly patch this newly discovered vulnerability and currently there are no known exploits in the wild.
Symantec AV products - Critical Buffer Overflow on RAR files
http://www.frsirt.com/english/advisories/2005/3003
Advisory ID : FrSIRT/ADV-2005-3003
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-12-20
Technical Description -- A critical vulnerability has been identified in various Symantec AntiVirus products, which may be exploited by remote attackers or malware to execute arbitrary code. This flaw is due to a heap overflow error in the "Dec2Rar.dll" library when processing certain length fields in the sub-block headers of RAR archives, which may be exploited by an unauthenticated remote attacker to execute arbitrary commands and take complete control of an affected system (e.g. by sending an email containing a specially crafted attachment).
Currently FrSIRT is unaware of any patches.
Malicious individuals are continuing to improve the capability for the new Dasher Internet worm to spread more actively to unpatched systems. We will most likely see more variants attempting to attack any unpatched systems.
MS05-051 - Dasher.D appears to be more potent than prior variants
http://securityresponse.symantec.com/avcenter/venc/data/w32.dasher.d.html
* The Microsoft Windows MSDTC Memory Corruption Vulnerability (as described in Microsoft Security Bulletin MS05-051), using TCP port 1025.
* The Microsoft Windows WINS Name Value Handling Remote Buffer Overflow Vulnerability(as described in the Microsoft Security Bulletin MS05-051), using TCP port 42.
* The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039)
* The Microsoft SQL Server User Authentication Remote Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS02-056).
Microsoft has greatly improved the security associated with IIS and this DoS exploit is specifically targeted for IIS 5.1 running on Windows XP based systems. This is most likely a platform used by web development rather than production Internet based servers.
Microsoft IIS 5.1 - DoS exploit released
http://isc.sans.org/diary.php?storyid=944
Microsoft IIS Malformed URL Potential Denial of Service Vulnerability
http://secunia.com/advisories/18106/
Microsoft IIS 5.1 - FrSIRT advisory
While this link is safe, please be careful with any exploit links you find at the FrSIRT site
http://www.frsirt.com/english/advisories/2005/2963
QUOTE: Inge Henriksen has discovered a vulnerability in Microsoft Internet Information Services (IIS), which potentially can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the handling of certain malformed URL. This can be exploited to cause the IIS service to crash.
Successful exploitation requires that "[dir]" is a virtual directory that is configured with "Scripts & Executables" execution permissions. Note: IIS will automatically restart after the crash. The vulnerability has been confirmed in IIS 5.1 on a fully patched version of Microsoft Windows XP SP2.
Solution: Filter potential malicious characters or character sequences with a HTTP proxy.
Special Note: IIS 5.0 and 6.0 are reportedly not affected.
While the early versions of Dasher are not working well, this new development should be watched as the code to spread this new Internet based worm could be improved in later variants.
Dasher.B: Sophos information
http://www.sophos.com/virusinfo/analyses/w32dasherb.html
Dasher.A: F-Secure:
http://www.f-secure.com/weblog/archives/archive-122005.html#00000735
Dasher.A: MS05-051 (MSDTC) Malware / Port 1025
http://isc.sans.org/diary.php?storyid=934
W32/Dasher-B spreads by exploiting the MSDTC (MS05-051) vulnerability.
When run the worm creates the following files :
<Windows system folder>\wins\sqlexp.exe
<Windows system folder>\wins\sqlscan.exe
<Windows system folder>\wins\svchost.exe
Sqlscan.exe is a port scanner, used to search networks for open ports.
Sqlexp.exe and svchost.exe are detected as W32/Dasher-B.
W32/Dasher-B searches a set of pre-defined networks for open ports and attempts to exploit any vulnerable computers it finds. The exploit opens a backdoor on the vulnerable computer and causes it to connect to a remote server for further instructions. At the time of writing the instructions supplied by the remote server cause the exploited computer to download and execute two further programs.
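Both Dasher write-ups above (the Symantec list of targeted vulnerabilities and the Sophos description of sqlscan.exe sweeping pre-defined networks) describe the same observable: one internal host opening connections to many different hosts on the MSDTC port (TCP 1025) and the WINS port (TCP 42). The Python below is an added example, not code from the original posts or the linked vendor pages, that flags such fan-out in firewall logs. The log line format and the addresses are constructed for the demonstration; the ports are the two that the Symantec summary names explicitly (MS05-039 and MS02-056 ports are not given on this page, so they are left out). The threshold of five distinct destinations is an assumption to tune for your own network.

```python
import re
from collections import defaultdict

# TCP ports named in the Symantec Dasher.D summary: MSDTC (MS05-051) and WINS (MS05-051).
DASHER_PORTS = {1025, 42}

# Constructed firewall log format (hypothetical): "<date> <time> <ACTION> TCP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: 10.0.0.5 sweeps six neighbours on 1025/42 (worm-like),
# 10.0.0.9 makes one ordinary MSDTC connection plus some web traffic.
SAMPLE_LOG = """\
2005-12-16 09:12:01 DENY TCP 10.0.0.5:2231 -> 10.0.1.10:1025
2005-12-16 09:12:01 DENY TCP 10.0.0.5:2232 -> 10.0.1.11:1025
2005-12-16 09:12:02 DENY TCP 10.0.0.5:2233 -> 10.0.1.12:1025
2005-12-16 09:12:02 ALLOW TCP 10.0.0.5:2234 -> 10.0.1.13:1025
2005-12-16 09:12:03 DENY TCP 10.0.0.5:2235 -> 10.0.1.14:42
2005-12-16 09:12:03 DENY TCP 10.0.0.5:2236 -> 10.0.1.15:42
2005-12-16 09:12:04 DENY TCP 10.0.0.5:2237 -> 10.0.1.10:42
2005-12-16 09:13:10 ALLOW TCP 10.0.0.9:3301 -> 10.0.1.20:1025
2005-12-16 09:13:11 ALLOW TCP 10.0.0.9:3302 -> 10.0.1.21:80
2005-12-16 09:13:12 ALLOW TCP 10.0.0.9:3303 -> 10.0.1.22:443
""".splitlines()


def count_fanout(lines, ports=DASHER_PORTS):
    """Map each source address to the number of distinct destination hosts it
    contacted on the watched ports. Both DENY and ALLOW count: a scan is a
    scan whether or not the firewall stopped it."""
    fanout = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines in other formats rather than failing the whole run
        if int(m["dport"]) in ports:
            fanout[m["src"]].add(m["dst"])
    return {src: len(dsts) for src, dsts in fanout.items()}


def suspected_scanners(lines, threshold=5, ports=DASHER_PORTS):
    """Sources whose fan-out on the watched ports reaches the threshold.
    A single host talking to one MSDTC or WINS server is normal; the same host
    touching many servers in seconds is the sqlscan.exe behaviour Sophos describes."""
    return sorted(src for src, n in count_fanout(lines, ports).items() if n >= threshold)


if __name__ == "__main__":
    print("fan-out per source:", count_fanout(SAMPLE_LOG))
    print("suspected Dasher scanners:", suspected_scanners(SAMPLE_LOG))
```

A host that trips this check is a candidate for isolation and for a look at the file locations Sophos lists (the wins subfolder of the Windows system folder); the check itself is deliberately port-based so it keeps working when a later variant changes its executable names.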