Security Manifest

Benjamin Johnstone-Anderson, Microsoft MVP - Windows Security

June 2004 - Posts

"Ject" Downloader Hits IIS Servers

Breaking News: "Ject" Downloader Exploits Unpatched Servers, IE

A downloader known as Ject has been isolated in the wild and is believed to currently be affecting IIS web servers and Windows 2000 servers that have not applied update 835732, which is fully addressed in Security Bulletin MS04-011, available here.

When an Internet Explorer user visits a compromised server, it will attempt to download a Trojan horse known as Downloader.Ject. Fortunately, at this time, the Russian site that houses Ject has been taken offline. However, follow-up attacks could and probably will occur on any system that remains unpatched, and administrators of vulnerable machines are urged to apply the 835732 update to avoid infection.

The Internet Storm Center reports a number of indications that a web server is infected. These include the presence of the files Kk32.dll and/or Surf.dat, JavaScript being appended to every file the server sends (even text files such as robots.txt), and the machine's global document footer being set to a new file.

Indications of possible infection from the user side include a message about JavaScript on the active page (this may not display), attempts to contact the server 217.107.218.147 (unassigned.m10-msk-ru.e-neverland.net) on port 80, and antivirus programs detecting one of a number of viruses. Ject has a number of names, including BackDoor-AXJ, JS.Scob.Trojan, Scob Trojan, JS.Toofer, and Downloader-Ject.

Systems running Windows XP SP2 or those with high security settings that disable features such as JavaScript are not affected. More information about this incident can be found here.
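As an added illustration (not from the original post or the ISC report), the following Python checks a set of HTTP responses from a web server for the two server-side symptoms described above: a script block inside non-HTML files such as robots.txt, and a script block appended after the closing </html> tag as a document footer. It also matches a file listing against the two indicator filenames the ISC reported. The sample responses and listing are constructed, not captured from a real server.

```python
import re

# Constructed sample responses (path, Content-Type, body); not real captured traffic.
SAMPLE_RESPONSES = [
    ("/robots.txt", "text/plain",
     "User-agent: *\nDisallow: /private\n<script>/* appended */</script>\n"),
    ("/index.html", "text/html; charset=iso-8859-1",
     "<html><body>Welcome</body></html>\n<script>/* appended */</script>"),
    ("/about.html", "text/html",
     "<html><body><script>var menu = 1;</script></body></html>"),
    ("/readme.txt", "text/plain", "Nothing unusual here.\n"),
]

# Filenames the Internet Storm Center associated with infected servers.
INDICATOR_FILES = {"kk32.dll", "surf.dat"}

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
FOOTER_SCRIPT = re.compile(r"</html>\s*<script\b", re.IGNORECASE)


def suspicious_response(path, content_type, body):
    """Return a reason if the response shows footer-style script injection, else None."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "text/html" and SCRIPT_TAG.search(body):
        return f"{path}: <script> in a non-HTML response ({media_type})"
    if media_type == "text/html" and FOOTER_SCRIPT.search(body):
        return f"{path}: script appended after </html> (global footer symptom)"
    return None


def scan_responses(responses):
    """Return one reason string for every response that looks tampered with."""
    return [r for r in (suspicious_response(*x) for x in responses) if r]


def indicator_files_present(filenames):
    """Return which ISC-reported indicator filenames appear in a file listing."""
    return sorted({f.lower() for f in filenames if f.lower() in INDICATOR_FILES})


if __name__ == "__main__":
    for finding in scan_responses(SAMPLE_RESPONSES):
        print(finding)
    print(indicator_files_present(["Kk32.dll", "default.asp", "Surf.dat"]))
```

A legitimate page that uses script inside its body (about.html above) is not flagged; only script outside the document or in a non-HTML file is.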

False Positive Problem Probably Solved

Exploit-MhtRedir.gen Detection Should Be Fixed

I've discovered what I'm pretty sure is the root problem of the detections of Exploit-MhtRedir.gen on this blog. The detection was limited to McAfee VirusScan and was due to the program misinterpreting quoted text as malicious code. There was no infection in the page, and at no time did this quoted content (which was from a Secunia alert) present any security risk to visitors of the blog.

I'm trying to work out why VirusScan detected the code but not other antivirus programs, and it appears to be a case of VirusScan using a more general detection string. If you receive any detection from this page, please feel free to tell me about it.

Posted: Jun 18 2004, 12:01 PM by trafton | with 7 comment(s)
Probable False Positive on this Blog

McAfee Detects Exploit-MhtRedir.gen

For some reason, it appears that a single antivirus product - McAfee VirusScan - has been detecting the virus Exploit-MhtRedir.gen in this blog. It looks like this is an incorrect detection so far, but I am working on trying to figure out what exactly is causing the problem. If you are using any other antivirus program and are getting a detection for this page, I'd love it if you could inform me. So far, no other program I've tested has triggered this detection.

Thank you and sorry for any inconvenience.

Posted: Jun 18 2004, 11:53 AM by trafton | with 32 comment(s)
Zafi.B Goes Medium at Secunia

Breaking News: Multi-Lingual Mass-Mailer Outbreak

Secunia has declared a Medium risk alert for the Zafi.B worm, reflecting Medium risk ratings from F-Secure, Network Associates, and Panda Software. W32/Zafi.B-mm (its technical name) sends email messages in the following languages: Chinese, Czech, Danish, Dutch, English, Finnish, French, German, Hungarian, Italian, Norwegian, Polish, Portuguese, Romanian, Russian, Spanish, and Swedish. Aliases include Erkez.B and Hazafi.

Is it a real world threat?
Zafi.B is known to be spreading at a significant rate in the wild. Although the spread speed is enough to deserve a Medium rating, Zafi.B is not yet considered a pandemic and is unlikely to become one.

I am infected. What actions should I take?
Fortunately, Zafi.B is not extremely damaging. However, it does overwrite antivirus-related files. Thus, if Zafi.B is activated, any antivirus programs installed on the machine may need to be reinstalled. Tools are available to clean Zafi.B infections. Both Symantec (specific to this worm; 155K) and Network Associates (cleans other common viruses as well; 784K) provide removal utilities.

What can be done to prevent this threat?
Zafi.B only spreads via email and P2P programs. Keep an updated antivirus program and use common sense when opening emails. Zafi.B can be recognized fairly easily in email form because it always sends itself "To" a female's name (e.g., Eva, Maricia, Anna) and carries an attachment with a fairly long name made up of many extensions. One of the English messages is the sole exception to the first rule, sending itself to "David." The attachment's final extension is .pif (almost always) or .com or .exe (much rarer).
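The attachment rule above can be turned into a simple mail-gateway check. The following Python is an added example, not code from the original post or from any antivirus vendor: it parses a raw message with the standard library and flags any attachment whose name has two or more extensions ending in .pif, .com or .exe. The recipient-name rule is left out because a list of first names is site-specific; the sample message is constructed.

```python
import email
from email import policy

# Constructed sample message in the shape the post describes; not a real worm sample.
SAMPLE_EML = """\
From: sender@example.invalid
To: Anna <anna@example.invalid>
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

see attachment
--B1
Content-Type: application/octet-stream; name="our_summer_photos.jpg.zip.pif"
Content-Disposition: attachment; filename="our_summer_photos.jpg.zip.pif"
Content-Transfer-Encoding: base64

QUJD
--B1--
"""

# Final extensions the post names for the worm's attachment.
EXECUTABLE_EXTENSIONS = {"pif", "com", "exe"}


def suspicious_attachment(filename):
    """True for names with two or more extensions whose last one is executable."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTENSIONS


def flagged_attachments(raw_message):
    """Return the attachment filenames in a raw RFC 822 message that match the rule."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    return [name for name in names if suspicious_attachment(name)]


if __name__ == "__main__":
    print(flagged_attachments(SAMPLE_EML))
```

A single-extension executable such as setup.exe is deliberately not flagged by this rule; it targets the "many extensions" pattern the post describes.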

Are any user groups more likely to become infected?
Of course, people who open email attachments without scanning them with an updated antivirus program are more likely to become infected with this virus. Its P2P spread is limited to a few file names, and thus P2P users are not at a much higher risk of infection. As demonstrated by worms such as Sober, users are more likely to open a virus if it sends itself in their own language. This might increase infection rates in other countries. The virus does not send itself to any email address on the domains of several antivirus companies and webmail sites, including Yahoo! Mail and Hotmail.

Other Notes
Zafi.B performs Denial of Service attacks on the Hungarian parliament site and the sites of the Hungarian antivirus companies VirusBuster, VirusHirado, and 2F. Informal testing revealed that as of 4:55 PM PDT on Monday, June 14th, 2004, all of these sites appeared to be offline.

Major New IE Flaw

Not So Quiet

Secunia is reporting here (IMPORTANT: Users of McAfee VirusScan will receive a FALSE detection when going to this page) that there is a new major vulnerability in Internet Explorer.

Description:
Two vulnerabilities have been reported in Internet Explorer, which in combination with other known issues can be exploited by malicious people to compromise a user's system.

1) A variant of the "Location:" local resource access vulnerability can be exploited via a specially crafted URL in the "Location:" HTTP header to open local files.

2) A cross-zone scripting error can be exploited to execute files in the "Local Machine" security zone.

Secunia has confirmed the vulnerabilities in a fully patched system with Internet Explorer 6.0. It has been reported that the preliminary SP2 prevents exploitation by denying access.

Successful exploitation requires that a user can be tricked into following a link or viewing a malicious HTML document.

NOTE: The vulnerabilities are actively being exploited in the wild to install adware on users' systems.

Solution:
Disable Active Scripting support for all but trusted web sites.

Filter "Location:" headers containing the "URL:" prefix in a proxy server.

Use another browser.

Provided and/or discovered by:
Originally discovered in the wild.
Detailed analysis of exploit by Jelmer.

Changelog:
2004-06-08: Updated information in advisory.
2004-06-10: Updated information in advisory and added link to US-CERT vulnerability note.

Other References:
Jelmer's posting on Full-Disclosure:
http://archives.neohapsis.com/ar...fulldisclosure/2004-06/0104.html

US-CERT VU#713878:
http://www.kb.cert.org/vuls/id/713878


Please note: The information which this Secunia Advisory is based upon comes from a third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

There have been reports of a pop-up-producing toolbar already using this vulnerability to install itself.

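The second of Secunia's workarounds, filtering "Location:" headers that carry the "URL:" prefix at a proxy, can be expressed as a small response filter. The following Python is an added example, not code from Secunia, the post, or any proxy product: it takes a raw HTTP response header block, drops any Location header whose value begins with "URL:" (ignoring case and leading whitespace), and reports what it removed. The sample header blocks are constructed.

```python
# Constructed sample: a redirect whose Location value carries the "URL:" prefix.
SAMPLE_BAD_HEADERS = (
    "HTTP/1.1 302 Found\r\n"
    "Server: example\r\n"
    "Location: URL:http://example.invalid/landing\r\n"
    "Content-Length: 0\r\n"
)
# Constructed sample: an ordinary redirect that must pass through unchanged.
SAMPLE_GOOD_HEADERS = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://example.invalid/landing\r\n"
    "Content-Length: 0\r\n"
)


def filter_location_headers(raw_headers):
    """Drop every Location header whose value starts with the 'URL:' prefix.

    Returns (filtered_header_block, dropped_values). The comparison ignores
    case and leading whitespace so that "location:  url:..." is also caught.
    """
    kept, dropped = [], []
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if (sep and name.strip().lower() == "location"
                and value.strip().lower().startswith("url:")):
            dropped.append(value.strip())
            continue
        kept.append(line)
    return "\r\n".join(kept), dropped


if __name__ == "__main__":
    headers, dropped = filter_location_headers(SAMPLE_BAD_HEADERS)
    print(headers)
    print("dropped:", dropped)
```

A production proxy would more likely replace the whole response with an error page than forward a 302 with no Location, but the matching rule is the same.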
Quiet Days

New MS Patches Moderate Risks Only

Here in the northwestern United States, temperatures are getting warmer, but the virus season so far remains lukewarm. Korgo.F has turned out to be a very weak Medium risk virus. With the exception of a few Trojan horse spammings here and there, no new threat has obtained major spread. The Netskys and Sassers of the world are still out there, and users should stay on their toes even for these older worms. Also, everyone should update their computer using Windows Update as soon as possible. However, none of the vulnerabilities patched this month is very high risk.

The first, MS04-016 (DirectPlay), affects systems using DirectX 7, 8, and 9. It could allow a Denial of Service attack. More information can be found here. The second, MS04-017 (Crystal Reports), affects Visual Studio .NET 2003, Outlook 2003 with Business Contact Manager, and Microsoft Business Solutions CRM 1.2. The full details about this update can be found here.

Posted: Jun 08 2004, 07:42 PM by trafton | with 2 comment(s)
Vacation Miscellanea

No Updates this Weekend, Part of Summer

This weekend, I will be in Portland, Ore., visiting some family friends, so I'm afraid I probably won't be able to update Security Manifest unless there is a seriously major outbreak. In addition, part of the summer I will be staying in Blyn, Wash., near Sequim, where I will have no Internet connection. Updates will be limited to a few times per week. Of course, there are many other great resources which you can access from the random links which appear on the left of the page.

Have a good weekend! Hopefully the nice summer weather most people are having will stick around...

Posted: Jun 04 2004, 10:04 AM by trafton | with 11 comment(s)
A Look at Plexus

Commentary on a Potential Major Problem

It is generally true that if a virus family does not produce a variant that spreads quickly within its first five manifestations, it will be a proverbial damp squib. Obviously, this isn't foolproof, but many don't realize how often it is only a later variant that truly takes off. The first incarnation of Netsky was a minor event which took several months to even get a single report on the industry-standard WildList. At first, it was believed to be confined, for the most part, to the labs of virus researchers. It wasn't until Netsky.B that the family took off - and did it ever.

What we have now is the first manifestation of a virus based on the successful MyDoom (which needs no introduction), going by the name Plexus. There are a huge number of interesting things to note here, any one of which would probably have earned it a mention here. The first is that the code is almost certainly based on MyDoom. Despite the recent rounding up of suspects in the Netsky case, the author(s) of MyDoom still remain at large. Could this be their latest incarnation? Perhaps. But that's definitely not the most interesting thing here.

The most interesting thing would probably be that mass-mailing isn't all Plexus can do. It also spreads via the LSASS vulnerability exploited by Sasser. It certainly isn't the first, second, or even twentieth virus to do this, but it is the first (as far as I know) to also include mass-mailing ability. This could be a potential headache if the worm were released in the wild, as it would allow it to spread through two major cesspools of the Internet world: users who open every attachment they receive and users who never patch their systems. For users who still have not patched that one, the worm also makes use of the RPC vulnerability from the Blaster days.

Plexus also targets Kaspersky Antivirus, which the Register article makes sound like a big deal. Retroviral abilities in viruses are nothing new (in fact, they've been around since the '80s) and are considered nearly standard issue in today's mass-mailers. In fact, Plexus has a fairly simplistic mass-mailing capability for these days (Netsky has a huge number of message variations), although MyDoom only had a small handful of formats too. These days, it's a near impossibility to get an outbreak virus using just a single message; that more or less went out with the VBScript mass-mailers about three years ago.

Is Plexus a threat? Probably not the “A” version, although an outbreak is still a possibility for the next 24 hours or so, and a minor outbreak could remain a possibility for at least a week. But so far nothing much has been reported of this in the field. Of course, if it starts spreading rapidly or a new variant appears, it'll definitely be reported here.

Posted: Jun 03 2004, 04:07 PM by trafton | with 1 comment(s)
Top Three Developing Virus Families

New Entry to List: Plexus

It seems viruses are becoming more and more “family-oriented,” so to speak. It's been a while since we've had a “one-off” family when only one version spread significantly or there was only one version. The last such case probably was Swen, and before that perhaps Fizzer. It seems like at this point Netsky variants have finally stopped. So, what virus family might take its place?

3. Plexus
I put Plexus at number three even though it only has one version. It is a mass-mailing worm that appeared only yesterday, and hasn't spread much. However, subsequent versions could pack quite a punch. After all, the first version of Netsky went nowhere - .B spread like wildfire. More information here.

2. Agobot
Agobot has more or less been on my list for several months, but still remains among the fastest-growing virus families. Statistics on spread are hard to find, but at least 30 variants are common by this point. The only reason I put this at number two instead of one is because it is not really a new family; it has been around since 2002.

1. Korgo
This LSASS worm family seemed minor until about .D, when it was discovered spreading - slowly but steadily - in the field. .F is currently in outbreak.

Posted: Jun 03 2004, 03:37 PM by trafton | with 1 comment(s)
First Medium Virus of June - Korgo "F"

Breaking News: Korgo.F Goes Medium at Secunia

Based solely on Symantec's rating of 3 (Medium), Secunia has upgraded W32/Korgo.worm.F to Medium, making it the first Medium risk virus of June. It is a standard LSASS-based worm, similar to Sasser.

More info can be found here.