Security Manifest : Security (Medium)

Trend Micro Reports MS05-053 Worm in the Wild - But is it?

trafton — Fri, 11 Nov 2005 21:54:00 GMT

Trend Micro has reported that they have found a worm in the wild that abuses the recently-discovered MS05-053 vulnerability, according to their analysis here. The vulnerability, published three days ago, was rated as critical. The discovery of a worm in the field this quickly could make for one of the fastest turn-arounds from patch publishing to discovery in the wild. But, Trend Micro says, upon further review, it's unclear whether the detection is accurate. CNET News's Joris Evers reports:

Trend Micro on Wednesday reported the discovery of a Trojan horse that it said attacked Windows users through an image rendering flaw in Windows, a day after Microsoft provided a fix for the bug. But it isn't so sure anymore.

The Trojan is referred to as "emfsploit.a" by the Tokyo-based antivirus company. Initially the antivirus software maker reported that the malicious code would crash "explorer.exe" on unpatched Windows machines. Explorer runs key parts of the Windows graphical user interface, including the Start menu, taskbar, desktop and file manager.

But late Thursday Trend Micro said its initial analysis of the Trojan might be incorrect.

"We asked another team to start the disassembly process again," said Raimund Genes, chief technologist for Trend Micro in Europe. That means researchers will reinvestigate the Trojan code to see what it does.

The full article is available here, and a brief mention at the Internet Storm Center is available here.

OUTBREAK: Zotob.E (IRCBot) worm hitting unpatched systems

trafton — Tue, 16 Aug 2005 22:18:00 GMT

A new worm utilizing the MS05-039 vulnerability has became a major outbreak. More coverage upcoming.

Details
IRCBot is a fast-spreading worm affecting systems not patched for the MS05-039 vulnerability. Infected machines will reboot frequently, as well as connect to an IRC server and await further instructions

Protection
Detection of this worm, as it is an outbreak, should be released very soon, if it is not already out.

The Gist
IRCBot is an urgent outbreak and all systems should be patched that have not already been.

Links
McAfee - Write-up.

Zotob - New worm hitting unpatched machines

trafton — Mon, 15 Aug 2005 00:57:00 GMT

A new version of the extensive and successful MyDoom worm family has appeared. Fortunately, like many recent variants, this version has got off to a slow start and is unlikely to become a major threat.

Details
MyDoom.CF was discovered Tuesday, June 28th, 2005. It is a standard MyDoom family member, faking the email address it is sent from. Messages MyDoom.CF use typically make a relatively unsuceesful attempt at seeming either personal (“Is it your name listed here? It seems this is the Pentagon listing“) or official (“Your file hasn't passedour security check and thus was returned“) and are typically caught by spam filters, if they are present. MyDoom.CF is not a very damaging virus, and exists only to spread. Attachments associated with MyDoom.CF are 32,256 bites in size, although if in the .zip format, they can vary.

Protection
Detection for this worm may be covered generically under some current DAT files, as it is an unremarkable variant of a well-known worm family. Updates will likely start appearing within the next 24 hours. As this is a low-risk threat, emergency detection releases are unlikely. MS05-039 can be downloaded at windowsupdate.microsoft.com.

The Gist
MyDoom.CF, although it may spread some, is an unremarkable MyDoom variant and does not pose a significant risk at this time.

Links
F-Secure - Write-up.

July Microsoft Updates Released

trafton — Wed, 13 Jul 2005 17:58:00 GMT

Microsoft has released three critical updates, one affecting Microsoft Word 2000 and 2002 and Microsoft Works Suite, and the others affecting Windows. In addition, a Moderate security bulletin affecting the Microsoft Telnet client has been re-released. Everyone running affected software should update as soon as possible.

Links
Click Here - All Bulletins
Click Here - Vulnerability in Microsoft Word Could Allow Remote Code Execution (MS05-035)
Click Here - Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution (MS05-036)
Click Here - Vulnerability in JView Profiler Could Allow Remote Code Execution (MS05-037)
Click Here - Moderate re-release: Vulnerability in Telnet Client Could Allow Information Disclosure (MS05-033)

Zero Day Attack - Windows Security Load Image & Help Vulnerabilities

trafton — Wed, 29 Dec 2004 01:04:00 GMT

We are currently carefully tracking developing threats centered around vulnerabilities in the Windows operating system.

As the Internet Storm Center (sans.org) puts it:

The holiday news continues to be bleak, with a pair of critical vulnerabilities for Windows NT/2000/2003/XP. First, unless you're running XP SP2, there is a buffer overflow in the LoadImage API, resulting in bitmaps, icons, and animated cursor data files (.bmp, .cur, .ico, and .ani) that can be exploited via HTML delivered either via email or a website. This vulnerability can be used to execute code. Secondly, there is a heap overflow in winhlp32.exe while processing help files on Windows, including XP SP2, apparently. Try not to install help files until some Tuesday in, we hope, January.

Zero day vulnerabilities are those that are released before a patch is available for the software that is affected. Some of them appear while the patch is being made (this is a long process - oftentimes several months). As always, I'm going to focus on the threats that have originated from this and how to protect against them as, at this time, there is no way to patch the vulnerabilities.

Phel Trojan
The first threat to emerge from this incident was Trojan.Phel, emerging yesterday morning. The Trojan horse, which comes as an HTML file, exploits the Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass Vulnerability. When executed, Phel downloads information from a domain located in New York City and saves a malicious file as My.hta to the Startup folder. It then adds itself to startup and downloads a backdoor program to the infected computer from a server in Madrid.

This worm is compatible with many languages of Windows: Danish, Dutch, English, Finnish, French, German, Italian, Norweigian, Polish, Portuguese, Spanish, Swedish, and Turkish. At this time, it is believed that Phel is has limited spread. Also, at the time of this writing, the New York City server was down, further limiting its spread. However, the server in Madrid was up, returning a “no web site configured at this address” error. Other than using the zero day exploit, Phel is an unremarkable Trojan and is incapable of spreading on its own.

More information can be found here, courtesy Symantec.

Downloader-TO
The other threat known at this time to use the Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass Vulnerability is Downloader-TO. Like Phel, it is a Trojan horse that downloads a file and has no other apparent purpose. It does not spread itself.

When the user visits an infected web site, Downloader-TO drops itself to the startup directory as Microsoft Office.hta. When the machine is rebooted, Microsoft Office.hta triggers and downloads a program named server.exe, which is saved as C:\malware.exe. This is the Downloader-TO trojan.

The Trojan horse will also add itself to the Windows XP SP2 authorized applications firewall policy list as cmsscs. It also features the ability to disable a limited number of firewall and antivirus programs. When this is finished, the Trojan horse downloads from a server owned by a hosting company in Houston, Texas. At this time, this file is believed to be a proxy server Trojan horse. This file is also added to firewall policy as module32 and saved to C:\Windows\tgbcde\module32.exe.

For more information, please consult the McAfee write-up.

LoadImage API Vulnerability
For users not running Windows XP Service Pack 2, there is another vulnerability in the LoadImage API while allows animated cursor data files (.bmp, .cur, .ico, and .ani all qualify) to be exploited via HTML. This can include email and web sites. Unlike the Help Control vulnerability, this one can be patched by upgrading to Service Pack 2, which I strongly recommend. So far, there have been no non-proof of concept threats using this vulnerability.

Protection
At this time, no patch is available for either of these vulnerabilities. However, it is important to note that the LoadImage API vulnerability can be fixed by upgrading to Service Pack 2. Those who have not should do so as soon as humanly possible. On the other hand, all systems are at this time vulnerable to the Help Control exploit. Users should wait to install help files that they cannot totally verify the integrity of until a patch is available. When it is, I will of course post the information.

Have a happy, safe New Years!

Santy Worm - Upgrade to phpBB 2.0.11

trafton — Wed, 22 Dec 2004 23:11:00 GMT

PERL.Santy is a worm that utilized the search engine Google in order to search for vulnerable web sites running phpBB software. phpBB 2.0.10 is affected; 2.0.11 is not. Vulnerable web sites will have this at the footer:

Yet again, F-Secure's weblog did an excellent job of covering a major event:like this and I highly recommend it. Defaced sites typically display the text, in red, with varying fonts:

This site is defaced!!!
NeverEverNoSanity WebWorm generation x.

x here represents the number of infections that this worm has made before, similar to the generations in any human disease (thus not allowing us to know exactly the number of infections, since there can be multiple infections for each generation.) So far the highest generation that both Google and MSN show is 24.

Fortunately, Google has blocked the search string that Santy uses to spread, so further infections are unlikely. This was done around midnight GMT. Google sent F-Secure this reply:

While a seven hour response for something like this is not outrageous, we think we can and should do better. We will be reviewing our procedures to improve our response time in the future to similar problems.

This is a good response in my eyes and hopefully the .B variant, which has appeared, will do little.

However, all users running phpBB 2.0.10 should IMMEDIATELY upgrade to phpBB 2.0.11 as this exploit allows anyone to hack outdated sites, not just the Santy worm.

"Moo" Trojan First to Use "JPEG" Exploit

trafton — Wed, 29 Sep 2004 02:04:00 GMT

Thanks to Harry Waldron for the alert on this threat.

Recently I mentioned on this blog that the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability described in Microsoft Security Bulletin MS04-028. Now we have the first example of a non-proof of concept use of this vulnerability with the Moo Trojan.

Moo is a simple Trojan horse which has no functionality other than to download the file m00.exe from a web server and run it. It is unknown what m00.exe is, although chances are it is a backdoor program that allows unauthorized access to infected computers.

This has been labeled as the first Trojan horse to be found “in the wild” using this method. While technically true, it must be understood that “in the wild” simply means that the threat was found after it was released, and was not just directly submitted to antivirus companies. This does not necessarily mean that this threat is spreading significantly and, in fact, there have been no or few reports of Moo so far.

It is unlikely Moo will become a major threat in the field, especially as it is unable to spread by itself. Incorporating methods used in Moo could later result in much more dangerous worms, so it is important to watch this threat and patch all systems that could be affected. Also important to note is that this is not a virus and does not infect files; rather, it is a Trojan horse that downloads a file from a web server.

More information about Moo from Symantec is available here.

JPG Processing (GDI+) Bug In the Wild

trafton — Sun, 26 Sep 2004 22:13:00 GMT

The potentially very dangerous buffer overflow exploit that recently surfaced has already turned into a proof-of-concept, according to various sources. Symantec describes it thusly:

Hacktool.JPEGDownload is a program that can be used to generate .jpg files that exploit the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (described in the Microsoft Security Bulletin MS04-028). The .jpg files that this Trojan generates can download a URL hardcoded in the .jpg file, and are detected by Symantec products as Download.Trojan.

F-Secure's weblog has posted a picture of the program (click on the image for a larger view):

Although there are no known uses in any current malware other than this proof-of-concept program, once an exploit has been used as a proof-of-concept, it typically is not long before it is in the field, so patch up.

It should also be noted that Kaspersky's Exploit.IE.Crashos detection is not related to this vulnerability, and does work in SP2. This can also be activated by using a .JPG file in Internet Explorer and has generated some concern. When and if Kaspersky publishes information on this detection, it will be posted.

Disable ADODB.Stream Object in IE Immediately!

trafton — Fri, 02 Jul 2004 20:54:00 GMT

Breaking News: Security Holes Leave Hard Drive Read/Write Functions Open

Adodb.stream provides a method for reading and writing files on a hard drive. This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an internet web site to execute script from the Local Machine Zone (LMZ). This occurs because the ADODB.Stream object allows access to the hard drive when hosted within Internet Explorer.

More information and a download that should be applied on Windows NT/2000/2003 Server/XP machines is available here.

"Ject" Downloader Hits IIS Servers

trafton — Sat, 26 Jun 2004 00:19:00 GMT

Breaking News: "Ject" Downloader Exploits Unpatched Servers, IE

A downloader known as Ject has been isolated in the wild and is believed to currently be affecting IIS web servers and Windows 2000 servers that have not applied update 835732, which is fully addressed in Security Bulletin MS04-011, available here.

When an Internet Explorer user visits the compromised server, it will attempt to download a Trojan horse known as Downloader.Ject. Fortunately, at this time, the Russian site that houses Ject has been taken offline. However, follow-up attacks could and probably will occur on any system that is unpatched and administrators of vulnerable machines are urged to apply the 835732 update to avoid infection.

The Internet Storm Center reports that there are a number of indications that a web server is infected. This includes the presence of the files Kk32.dll and/or Surf.dat, all files being sent from the infected server including JavaScript - even text files like robot.txt, and the global footer of the machine being set to a new file.

Indications of possible infection from the user side includes a message about JavaScript on the active page (this may not display,) attempts to contact the server 217.107.218.147 (unassigned.m10-msk-ru.e-neverland.net) on port 80, and antivirus programs detecting one of a number of viruses. Ject has a number of names, including BackDoor-AXJ, JS.Scob.Trojan, Scob Trojan, JS.Toofer, and Downloader-Ject.

Systems running Windows XP SP2 or those with high security settings that disable features such as JavaScript are not affected. More information about this incident can be found here.

Major New IE Flaw

trafton — Thu, 10 Jun 2004 12:31:00 GMT

Not So Quiet

Secunia is reporting here (IMPORTANT: Users of McAfee VirusScan will receive a FALSE detection when going to this page) that there is a new major vulnerability in Internet Explorer.

Description: Two vulnerabilities have been reported in Internet Explorer, which in combination with other known issues can be exploited by malicious people to compromise a user's system. 1) A variant of the "Location:" local resource access vulnerability can be exploited via a specially crafted URL in the "Location:" HTTP header to open local files. 2) A cross-zone scripting error can be exploited to execute files in the "Local Machine" security zone. Secunia has confirmed the vulnerabilities in a fully patched system with Internet Explorer 6.0. It has been reported that the preliminary SP2 prevents exploitation by denying access. Successful exploitation requires that a user can be tricked into following a link or view a malicious HTML document. NOTE: The vulnerabilities are actively being exploited in the wild to install adware on users' systems. Solution: Disable Active Scripting support for all but trusted web sites. Filter "Location:" headers containing the "URL:" prefix in a proxy server. Use another browser. Provided and/or discovered by: Originally discovered in the wild. Detailed analysis of exploit by Jelmer. Changelog: 2004-06-08: Updated information in advisory. 2004-06-10: Updated information in advisory and added link to US-CERT vulnerability note. Other References: Jelmer's posting on Full-Disclosure: http://archives.neohapsis.com/ar...fulldisclosure/2004-06/0104.html US-CERT VU#713878: http://www.kb.cert.org/vuls/id/713878

Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

There have been reports of a pop up-producing toolbar already using this vulnerability to install itself.

Agent Trojan Horse Spammed in .BMP Form

trafton — Tue, 18 May 2004 13:30:00 GMT

February Vulnerability Used

Antivirus company Kaspersky Labs has posted a press release claiming that the Trojan Horse downloader Agent has been spammed to a moderate number of addresses using an infective .BMP form and a vulnerability discovered after a Windows source code leak in February of this year. More information about the vulnerability can be found here.

The Agent Trojan Horse is an occasional find in Russia, as it only affects the Russian version of Windows. Eugene Kaspersky predicts the inevitable: “It is very likely that malware [using this vulnerability] attacking other versions of Windows will soon appear.”

At this time, the spamming is considered a very low risk except in Russia, where it should be considered a mild threat. Microsoft has not yet released a patch.

May 2004 Security Bulletins Released

trafton — Tue, 11 May 2004 12:29:00 GMT

Users Should Patch Immediately; Nothing Critical, Though

From Jerry Bryant's blog:
May 11, 2004
Today Microsoft released the following Security Bulletins.

Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

Bulletin Summaries:

Windows: http://www.microsoft.com/technet/security/Bulletin/winmay04.mspx

Important Bulletins:

MS04-015 - Vulnerability in Help and Support Center Could Allow Remote Code Execution (840374)
http://www.microsoft.com/technet/security/Bulletin/MS04-015.mspx

Re-Released Bulletins:
The following bulletins have been re-released. Please see the bottom of each bulletin for revision information.

MS04-014 - Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001) - Important
http://www.microsoft.com/technet/security/Bulletin/MS04-014.mspx
Summary Bulletin:
http://www.microsoft.com/technet/security/Bulletin/winapr04.mspx

MS01-052 - Invalid RDP Data can Cause Terminal Service Failure - Moderate
http://www.microsoft.com/technet/security/bulletin/MS01-052.mspx

This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins out side of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.

W32/Sasser Spreading Quickly

trafton — Sat, 01 May 2004 13:48:00 GMT

BREAKING NEWS: Sasser Goes Medium

McAfee has just upgraded W32/Sasser.worm (which uses MS04-011) to Medium risk reflecting the amount it has spread. I personally have received a number of reports of this worm being in the wild. All users should upgrade immediately. A new Stinger detection is available that covers this. Also, the Internet Storm Center has declared Infocon Yellow to reflect the global spread.

McAfee Description
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125007

ISC: New Phatbot Variant Exploits Recent Vulnerability

trafton — Wed, 28 Apr 2004 12:02:00 GMT

BREAKING NEWS: Internet Storm Center Announces Troubling New Phatbot Variant

The Internet Storm Center has announced the discovery of yet another variant of the “Phatbot” family of worms. This variant appears to exploit a recent vulnerability. This would be the first worm to do so. From the diary of handler Tom Liston:

=====BEGIN QUOTE=====
PhatBot exploiting LSASS?
The ISC has come into possession of what appears to be a new version of PhatBot that contains code to exploit the LSASS (LSASS: Local Security Authority Subsystem Service) vulnerabilities patched under MS04-11. Reference these old diary entries:

http://isc.sans.org/diary.php?date=2004-04-26
http://isc.sans.org/diary.php?date=2004-04-25

We are currently focusing on some keywords found in the executable that indicate that an LSASS exploit has been added, specifically, the command string "CScannerLSASS".

We are currently investigating the code, and will update the diary as new information becomes available.

Traffic matching this bot was first observed yesterday evening (EDT) at multiple US .edu's.
The bot appears to inherit all other functions usually associated with 'phatbot'.
=====END QUOTE=====

It is unknown at this time whether the worm is spreading much, but this could become a Medium-risk event if the worm is seeded well enough.

Exploits Released - Apply April Security Patches NOW

trafton — Thu, 15 Apr 2004 18:10:00 GMT

Thanks to Susan Bradley for this breaking security news report from Incidents.org:

“Dave Aitel of Immunity Security has stated publicly that they have released working exploits of two vulnerabilities patched by MS04-011 to their CANVAS customers:

http://lists.immunitysec.com/pipermail/dailydave/2004-April/000500.html

The LSASS.EXE vulnerability can be exploited to run arbitrary code with “system” privileges on vulnerable servers. eEye Digital Security has more details and also confirms the ability to run arbitrary code with “system” privileges using this vulnerability:

http://www.eeye.com/html/Research/Advisories/AD20040413C.html

Immunity’s claim that they have a working ASN.1 exploit has not been directly confirmed, but we have several anonymous confirmations that working exploits exist.

IT IS IMPERATIVE THAT THE PATCHES PROVIDED BY MICROSOFT IN ITS APRIL SECURITY RELEASE BE APPLIED TO SYSTEMS AS SOON AS POSSIBLE. It is our belief that the likelihood of a worm being released SOON that exploits one of the vulnerabilities addressed by these patches is VERY HIGH.”

Again, it is very important to patch yourself for the latest security vulnerabilities. Judging by the scope of this, we could see a Blaster-like worm that exploits this. I do not mean to sound the horns too early, though: it is quite important to note that these remain proof-of-concept exploits and so far we have seen no worm that automatically abuses them. More updates will be available as needed.

A note: The Daily Updates will restart tomorrow. Tax season is hectic, even considering that I'm not the one paying/calculating the taxes.