May 2006 - Posts
This new macro virus is not a true threat to the Open Office environment yet, as it's not in the wild currently. Still, all environments must be carefully watched to ensure the best safety practices are in place.
Stardust - New POC macro virus designed to infect Open Office documents
http://secunia.com/virus_information/29582/xmldustar.a/
Stardust is a new proof-of-concept macro virus that affects StarOffice and OpenOffice (OO) Suites. This macro virus then proceeds to infect OO based document files. It is written in Star Basic. It affects systems running on Windows 98, ME, NT, 2000, XP, and Server 2003 with StarOffice/OpenOffice Suites installed.
This new virus spreads through non-secure network shares in a similar manner to the LovGate series. It also includes a backdoor to further compromise security, along with rootkit techniques to better hide its presence from AV software.
Lecna.A -- Network Walker uses Rootkit approach
http://secunia.com/virus_information/29583/lecna.a/
http://www.sarc.com/avcenter/venc/data/w32.lecna.a.html
W32.Lecna.A is a worm that spreads through network shares by exploiting vulnerabilities. The worm opens a back door to allow a remote attacker to have unauthorized access to the compromised computer. It uses rootkit technology to hide its presence and may attempt to download malicious files from the Internet.
A new email threat has surfaced which contains a hostile URL that will download a password stealer agent. The email is spoofed to appear like it comes from Microsoft, however the company does not distribute updates in this manner. To stay safe, users should delete all copies of this without clicking on the URL in the email.
PWS-WinPatch - Fake MS Patch being Spammed
http://www.incidents.org/diary.php?storyid=1370
http://www.sophos.com/virusinfo/analyses/trojbeastpwsc.html
http://vil.mcafeesecurity.com/vil/content/v_139619.htm
COPY OF THE NEW TROJAN HORSE ATTACK BEING SPAMMED
From: Microsoft
Sent: Monday, 29 May 2006 7:16 AM
To: Victim
Subject: Microsoft WinLogon Service - Vulnerability Issue
Microsoft Coorporation
A new vulnerability has been discovered in the Microsoft WinLogon Service , that would allow an attacker to gain access to an unpached computer. Since your email is part of our private mail lists and your have succesfully registered your Microsoft Windows , you can download the patch to fix this vulnerability before others do.
Please click the link below to download the patch and protect your computer against WinLogon attacks :
<<URL REMOVED>>
You are free to share this with all your friends and relatives that are using Microsoft Windows Operating System
Thank you
Microsoft Coorp.
Symantec is working on a solution for an elevation of privileges that could occur with corporate clients. The retail versions (e.g., NAV 2006) are not impacted by this issue. Users should be cautious in email and website visitations until this issue is resolved.
Corporate Symantec Anti-Virus Client vulnerability
http://www.symantec.com/avcenter/security/Content/2006.05.25.html
Internet Storm Center Information
http://www.incidents.org/diary.php?storyid=1364
PRODUCTS IMPACTED
Symantec Client Security 3.1 a
Symantec Antivirus Corporate Edition 10.1
As best practice, Symantec strongly recommends the following:
* Restrict access to administration or management systems to privileged users only, with additional restricted access to the physical host system(s) if possible.
* Keep all operating systems and applications updated with the latest vendor patches.
* Follow a multi-layered approach to security. Run both firewall and antivirus applications, at a minimum to provide multiple points of detection and protection to both inbound and outbound threats.
* Be cautious visiting unknown or untrusted websites or following unknown URL links.
* Do not open attachments or executables from unknown sources or that you didn't request or were unaware of. Always err on the side of caution. Even if the sender is known, the source address may be spoofed.
There are no free lunches or World Cup tickets available by email offers of this type. The text of the message is in German and this new worm exploits vulnerabilities in MS04-007. Users should be cautious with all email messages.
Banwarum Worm - Offers Tickets for the WORLD CUP?
http://www.f-secure.com/weblog/archives/archive-052006.html#00000885
http://secunia.com/virus_information/29439/banwarum/
http://secunia.com/virus_information/29440/banwarum.dll/
http://secunia.com/virus_information/29438/ranchneg.a/
Diagram of worm behavior
http://www.trendmicro.com/vinfo/images/WORM_RANCHNEG_A_BD.gif
W32.Banwarum@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer. The worm also spreads through the network by exploiting the Microsoft Windows ASN.1 Library Bit String Processing Variant Heap Corruption Vulnerability (as described in Microsoft Security Bulletin MS04-007). The worm also opens a back door via HTTP access.
http://www.microsoft.com/technet/windowsvista/evaluate/hardware/vistarpc.mspx
Computers with the Windows Vista Capable PC logo will meet or exceed the requirements to deliver the core Windows Vista experiences such as innovations in security, reliability, organizing and finding information. They can also deliver key business features found in the Windows Vista Business and Windows Vista Enterprise versions, such as domain join.
Some recent updates related to the new Word vulnerabilities and the very limited Zero Day exploit that has been crafted. Here's hoping things stay quiet on the malware side until Microsoft develops a patch for this new vulnerability.
MSRC Blog entry
http://blogs.technet.com/msrc/archive/2006/05/23/429904.aspx
Critical Advisory on new Word Vulnerability
http://secunia.com/advisories/20153/
Microsoft Advisory
http://www.microsoft.com/technet/security/advisory/919637.mspx
A serious lapse in security has led to the theft of sensitive and confidential information for over 26.5 million Veterans.
Identity Theft impacts 26.5 million Veterans
http://seattletimes.nwsource.com/html/nationworld/2003012577_datatheft23.html
The burglary occurred May 3 in Wheaton, Md., according to a source with knowledge of the incident who requested anonymity because the matter is under investigation. A career data analyst, who was not authorized to take the information home, has been put on administrative leave pending the outcome of investigations by the FBI, local police and inspector general of the VA, Nicholson said. He would not identify the employee by name or title.
"They believe this was a random burglary and not targeted at this data," Nicholson said. "There have been a series of burglaries in that community. ... There is no indication at all that any use is being made of this data or even that they know that they have it."
Guarding against identity theft
The Veterans Affairs Department says it is not necessary for veterans to contact financial institutions or cancel credit cards and bank accounts in case of identity theft. Here is what veterans can do to protect themselves:
Be vigilant. Carefully monitor bank and credit-card statements. Report unusual activity immediately to the financial institution involved and contact the Federal Trade Commission.
If you detect suspicious or unusual activity, do the following:
• Contact the fraud department of one of the three major credit bureaus:
• Close any account that has been tampered with or opened fraudulently.
• File a report with your local police department or the police department in the community where the identity theft took place.
• File a complaint with the Federal Trade Commission by using its identity-theft hotline at 877-438-4338, online at www.consumer.gov/idtheft, or by mail at Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Ave. NW, Washington, D.C. 20580.
Source: Veterans Affairs
Users should be careful with any spam email containing Word documents, as the exploit also triggers an automatic download of the GINWUI backdoor onto the system. A brand new variant of the backdoor component has just emerged and other variants may follow.
GINWUI.B - New payload variant from MDropper based on 0Day Word Exploit
http://secunia.com/virus_information/29302/ginwui.b/
http://secunia.com/virus_information/29299/bkdrginwui.b/
http://secunia.com/virus_information/29290/w97mmdropper.ab/
QUOTE: This backdoor arrives on a system as a file dropped by another malware that Trend Micro detects as W97M_MDROPPER.AC. When executed, it drops the files ZSYHIDE.DLL and ZSYDLL.DLL in the Windows system folder. This backdoor injects the said .DLL files, which are also detected as BKDR_GINWUI.B, into running processes to ensure memory residency and to hide its process, hence avoiding easy detection. Notably, it injects ZSYDLL.DLL into the Internet Explorer process. The said action causes the Internet Explorer to crash. Using TCP port 80, this backdoor attempts to access a remote server in scfzf.{BLOCKED}cp.net via Hyper Text Transfer Protocol (HTTP). It then listens for commands coming from a remote malicious user. It executes these commands locally on an infected system, providing the remote user virtual control over the system. The said routine compromises system security. This backdoor employs its rootkit capability in order to hide its files, process, and registry entry from an affected user, thus avoiding easy detection. In addition, it attempts to access a certain Web site.
This is rated low-risk everywhere and it's not widespread -- still folks should be careful with suspicious Word documents.
MDropper Trojan - Exploits Zero Day vulnerability in MS Word
http://vil.mcafeesecurity.com/vil/content/v_139539.htm
http://www.sarc.com/avcenter/venc/data/trojan.mdropper.h.html
http://secunia.com/virus_information/29277/mdropper.h/
Trojan.Mdropper.H is a Trojan horse that downloads other risks onto the compromised computer. This Trojan exploits a 0 day Microsoft Word vulnerability to drop Backdoor.Ginwui.
Summary of key recommendations offered in the article:
1. Never click on URLs found in email
2. Call the bank directly if you are unsure of an email message
3. Keep AV and Firewall protection as up-to-date as possible
4. Go directly to your bank's site through your web browser
5. Notify the bank ASAP if you become a victim of phishing and follow all procedures
Article: If you bank online -- you and your money are targets
http://www.marketwatch.com/News/Story/4dpBNJKhD0VdlTbl2QT7Hwb
QUOTE: There could be a hyperlink in the body of an e-mail that you think is your bank's. An e-mail could contain a malicious program that follows your key strokes until you key in your bank password. Or, a weak system link may let a similar bug take advantage of your computer's ability to store Web addresses you frequently visit. When a familiar Web address automatically appears in the URL box, you're redirected to an imposter site seeking personal information.
An estimated $940 million was lost by consumers through phishing in 2005, says Gartner Inc., Stamford, Conn. Average loss per phishing case: $7,294, says Javelin Strategy & Research, Pleasanton, Calif.
F-Secure has documented a new risk for online poker players, where a rootkit could potentially have been distributed to users.
Internet Poker -- New Rootkit Dangers
http://www.f-secure.com/weblog/archives/archive-052006.html#00000881
http://www.f-secure.com/weblog/archives/archive-052006.html#00000878
http://www.f-secure.com/v-descs/small_la.shtml
http://securityresponse.symantec.com/avcenter/venc/data/trojan.checkraise.html
RBCalc.exe was a malicious software program present on the "Check Raised" website for a period of time. This site provides tools, articles and other various applications to online poker players. As a result, many online poker players could have been affected by this targeted attack. Trojan.Checkraise is a Trojan horse that steals passwords for popular online poker Web sites. It also opens a back door on the compromised computer and logs keystrokes. It sends confidential information to a remote attacker.
Question: So a question for all you poker fanatics; when is this not a winning hand?
Answer: When your online poker login credentials have been stolen and your account drained. We have received no reports of this happening, but the possibility is definitely there.
All users of Apple's Quicktime video facility should update to 7.1
Apple QuickTime Vulnerabilities - Update to v7.1
http://www.us-cert.gov/cas/techalerts/TA06-132B.html
Apple QuickTime contains multiple vulnerabilities. Exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. An attacker may be able to exploit this vulnerability by persuading a user to access a specially crafted file with a web browser. Disabling QuickTime in your web browser will defend against this attack vector.
This new virus is low-risk so far and spreads via unsecured network shares. It also prints a graphical image on network printers, which could impact paper and bandwidth consumption.
Hoots - Network worm that could impact printing
http://vil.mcafeesecurity.com/vil/content/v_139471.htm
http://secunia.com/virus_information/29007/hoots/
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FHOOTS%2EA
It's important to always stay up-to-date on the latest security patches and Operating System versions.
Florida theater chain hit by virus attack
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000400
QUOTE: Attackers may have had an easier time cracking the Muvico.com Web server because it is running Windows 2000, said Rich Miller, an analyst at Web tracking company Netcraft Ltd. Windows 2000 is an older version of Microsoft Corp.'s operating system, and it has been the subject of frequent widespread attacks, including last year's Zotob virus. "Microsoft still supports Windows 2000 to the extent that if you're current, you should be well-protected. But it is less secure than Windows Server 2003," Miller said. Still, there remain a "substantial number of Web sites that continue to run on Windows 2000," he said.
All environments must be properly protected, as security is a "process" of staying up-to-date, monitoring risks, and following best protective practices.
The illusion of invulnerability (see May 9th)
http://www.viruslist.com/en/weblog?calendar=2006-05
QUOTE: On Saturday "Linuxtag 2006" closed in Wiesbaden (Germany). According to the organisers, it's Europe's biggest Linux Expo. At the Kaspersky stand we talked to a lot of visitors. Pretty soon, it dawned on us exactly what the biggest threat to Linux systems is: the almost overwhelming belief in the invulnerability of Linux.
Nearly every visitor accepts the need to protect Windows against malicious code (although even at a Linux fair you find people believing that a firewall is all you need to keep viruses and worms away). But many people we spoke to were unable to think of Linux as potentially vulnerable; after all, they argued, a Linux user would never go online with root rights as typical Windows XP home users do. But such thinking overlooks some important facts:
- You don't need to have root privileges to delete a user's home directory or access his personal data - you only need to run malicious code with user privileges. (And not every user makes daily backups which could mitigate the potential damage.)
- The number of new malicious programs for an operating system isn't related to the number of known security flaws, but to the number of installations. In Germany, the number of Linux distributions installed is growing rapidly, and overall, the number of malicious programs for Linux more than doubled between 2004 and 2005.
*Nix Malware Doubles
http://www.viruslist.com/en/analysis?pubid=184625030
- To access a system, a virus writer doesn’t need 300 vulnerabilities - one is enough.
- Vulnerabilities exist prior to their being identified by the developers who report them. Virus writers actively search for vulnerabilities, but keep their discoveries to themselves.
- Only a perfect system can offer perfect security. In his "Areas for Improvement in the 2.6 Kernel Development Process" Andrew Morton (lead maintainer of the Linux production kernel) pointed out that the number of new bugs in the current 2.6 kernel are causing concern, and might lead to the development process being halted until existing problems are fixed.
Critical vulnerability in Sophos Anti-Virus products
http://www.incidents.org/diary.php?storyid=1325
Advisory: Crafted Microsoft CAB file can allow arbitrary code to be run
http://www.sophos.com/support/knowledgebase/article/4934.html
QUOTE: A vulnerability has been discovered in Sophos's unpacking of Microsoft Cabinet files, whereby a Microsoft Cabinet (CAB) file could be deliberately crafted to allow an attacker to execute arbitrary code on a vulnerable installation of Sophos Anti-Virus. Although theoretically a risk, Sophos has not seen any examples of malware attempting to employ this vulnerability.
All Windows users should apply these updates promptly to ensure their PCs are properly protected.
Microsoft Security bulletins - May 2006
http://www.microsoft.com/technet/security/Bulletin/ms06-May.mspx
Critical -- Vulnerability in Microsoft Exchange Could Allow Remote Code Execution (916803)
http://www.microsoft.com/technet/security/Bulletin/ms06-019.mspx
Critical -- Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (913433)
http://www.microsoft.com/technet/security/Bulletin/ms06-020.mspx
Moderate -- Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580)
http://www.microsoft.com/technet/security/Bulletin/ms06-018.mspx
Users should be cautious with all RAR files processed in email or shared by other sources.
Kittykat - New RAR virus threat
http://secunia.com/virus_information/28958/kittykat/
http://www.sarc.com/avcenter/venc/data/w32.kittykat.html
W32.Kittykat is a virus that splits itself into many parts, and adds these parts to all RAR archive files in the current directory and the parent directory. The virus may arrive as an archive file. The virus requires that the archive is extracted with the full directory structure, and that the file start.bat is then executed.
When W32.Kittykat is executed, it performs the following actions:
1. Reconstructs itself as the following file: [RANDOM FILENAME].exe
2. Displays a message to announce its presence.
3. Searches for files to infect. The virus has no infection marker, so an already infected RAR archive file in the current or parent directory will be infected repeatedly.
All Oracle IT professionals and DBAs should be careful with export functions and file extensions in processing files, as noted by the CERT advisory below:
Oracle Export Extensions - Public Exploit Code for Unpatched Vulnerability
http://www.us-cert.gov/current/current_activity.html#unpatorcle
QUOTE: US-CERT is aware of publicly available, working exploit code for an unpatched vulnerability in Oracle Export Extensions. Successful exploitation may allow a remote attacker with some authentication credentials to execute arbitrary SQL statements with elevated privileges. This may allow an attacker to access and modify sensitive information within an Oracle database.
More information about this vulnerability can be found in the following:
US-CERT recommends the following actions to mitigate the security risks:
- Restrict access to Oracle:
Only known and trusted users should be granted access to Oracle. Additionally, user accounts should be granted only those privileges needed to perform necessary tasks.
- Change login credentials for default Oracle accounts:
Oracle creates numerous default accounts when it is installed. Upon installation, accounts that are not needed should be disabled and the login credentials for needed accounts should be changed.
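As an added example (not taken from the US-CERT advisory or from Oracle), the following SQL and PL/SQL carries out the two mitigations above on an Oracle database: it lists accounts that are still open and accounts holding the DBA role, locks a list of sample schemas that are assumed to be unused, and shows the least-privilege pattern for an application account. The schema names, the app_reader account and the password placeholders are assumptions to be adjusted for the database in question.

```sql
-- Added example: hardening checks for the US-CERT Oracle mitigations above.
-- Run as a DBA; DBA_USERS and DBA_ROLE_PRIVS are standard dictionary views.

-- 1. Review: which accounts can still log in, and who holds DBA?
SELECT username, account_status, created, profile
  FROM dba_users
 WHERE account_status = 'OPEN'
 ORDER BY username;

SELECT grantee
  FROM dba_role_privs
 WHERE granted_role = 'DBA';

-- 2. Disable unused default accounts. The list below is a constructed
--    example of Oracle sample schemas (assumption: none are in use here).
--    Locking instead of dropping keeps the schema intact and is reversible.
DECLARE
  TYPE name_list IS TABLE OF VARCHAR2(30);
  v_defaults name_list := name_list('SCOTT', 'HR', 'OE', 'SH');
  v_status   dba_users.account_status%TYPE;
BEGIN
  FOR i IN 1 .. v_defaults.COUNT LOOP
    BEGIN
      SELECT account_status INTO v_status
        FROM dba_users
       WHERE username = v_defaults(i);
      IF v_status = 'OPEN' THEN
        -- expire the password as well, so a re-enabled account cannot
        -- be used with its old (possibly default) credential
        EXECUTE IMMEDIATE 'ALTER USER ' || v_defaults(i)
                       || ' PASSWORD EXPIRE ACCOUNT LOCK';
        DBMS_OUTPUT.PUT_LINE('Locked and expired: ' || v_defaults(i));
      END IF;
    EXCEPTION
      WHEN NO_DATA_FOUND THEN
        NULL;  -- schema not installed in this database, nothing to do
    END;
  END LOOP;
END;
/

-- 3. Default accounts that must stay open (e.g. DBSNMP when Enterprise
--    Manager monitoring is used) get a new credential instead of a lock.
--    Replace the placeholder before running.
ALTER USER dbsnmp IDENTIFIED BY "PLACEHOLDER_strong_password_1";

-- 4. Least privilege for an application account (hypothetical app_reader):
--    session access plus the specific object grants it needs, and nothing
--    broader such as DBA or the legacy CONNECT/RESOURCE roles.
CREATE USER app_reader IDENTIFIED BY "PLACEHOLDER_strong_password_2";
GRANT CREATE SESSION TO app_reader;
GRANT SELECT ON hr.employees TO app_reader;
```

Re-run the two review queries afterwards; the locked schemas should no longer appear as OPEN, and the DBA grantee list should contain only the administrators you expect.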