Search results matching tags 'Security', 'Security (Urgent)', and 'Security'

OUTBREAK: Zotob.E (IRCBot) worm hitting unpatched systems

trafton — Tue, 16 Aug 2005 05:00:00 GMT

A new worm utilizing the MS05-039 vulnerability has became a major outbreak. More coverage upcoming.

Details
IRCBot is a fast-spreading worm affecting systems not patched for the MS05-039 vulnerability. Infected machines will reboot frequently, as well as connect to an IRC server and await further instructions

Protection
Detection of this worm, as it is an outbreak, should be released very soon, if it is not already out.

The Gist
IRCBot is an urgent outbreak and all systems should be patched that have not already been.

Links
McAfee - Write-up.

Zero Day Attack - Windows Security Load Image & Help Vulnerabilities

trafton — Tue, 28 Dec 2004 06:00:00 GMT

We are currently carefully tracking developing threats centered around vulnerabilities in the Windows operating system.

As the Internet Storm Center (sans.org) puts it:

The holiday news continues to be bleak, with a pair of critical vulnerabilities for Windows NT/2000/2003/XP. First, unless you're running XP SP2, there is a buffer overflow in the LoadImage API, resulting in bitmaps, icons, and animated cursor data files (.bmp, .cur, .ico, and .ani) that can be exploited via HTML delivered either via email or a website. This vulnerability can be used to execute code. Secondly, there is a heap overflow in winhlp32.exe while processing help files on Windows, including XP SP2, apparently. Try not to install help files until some Tuesday in, we hope, January.

Zero day vulnerabilities are those that are released before a patch is available for the software that is affected. Some of them appear while the patch is being made (this is a long process - oftentimes several months). As always, I'm going to focus on the threats that have originated from this and how to protect against them as, at this time, there is no way to patch the vulnerabilities.

Phel Trojan
The first threat to emerge from this incident was Trojan.Phel, emerging yesterday morning. The Trojan horse, which comes as an HTML file, exploits the Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass Vulnerability. When executed, Phel downloads information from a domain located in New York City and saves a malicious file as My.hta to the Startup folder. It then adds itself to startup and downloads a backdoor program to the infected computer from a server in Madrid.

This worm is compatible with many languages of Windows: Danish, Dutch, English, Finnish, French, German, Italian, Norweigian, Polish, Portuguese, Spanish, Swedish, and Turkish. At this time, it is believed that Phel is has limited spread. Also, at the time of this writing, the New York City server was down, further limiting its spread. However, the server in Madrid was up, returning a “no web site configured at this address” error. Other than using the zero day exploit, Phel is an unremarkable Trojan and is incapable of spreading on its own.

More information can be found here, courtesy Symantec.

Downloader-TO
The other threat known at this time to use the Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass Vulnerability is Downloader-TO. Like Phel, it is a Trojan horse that downloads a file and has no other apparent purpose. It does not spread itself.

When the user visits an infected web site, Downloader-TO drops itself to the startup directory as Microsoft Office.hta. When the machine is rebooted, Microsoft Office.hta triggers and downloads a program named server.exe, which is saved as C:\malware.exe. This is the Downloader-TO trojan.

The Trojan horse will also add itself to the Windows XP SP2 authorized applications firewall policy list as cmsscs. It also features the ability to disable a limited number of firewall and antivirus programs. When this is finished, the Trojan horse downloads from a server owned by a hosting company in Houston, Texas. At this time, this file is believed to be a proxy server Trojan horse. This file is also added to firewall policy as module32 and saved to C:\Windows\tgbcde\module32.exe.

For more information, please consult the McAfee write-up.

LoadImage API Vulnerability
For users not running Windows XP Service Pack 2, there is another vulnerability in the LoadImage API while allows animated cursor data files (.bmp, .cur, .ico, and .ani all qualify) to be exploited via HTML. This can include email and web sites. Unlike the Help Control vulnerability, this one can be patched by upgrading to Service Pack 2, which I strongly recommend. So far, there have been no non-proof of concept threats using this vulnerability.

Protection
At this time, no patch is available for either of these vulnerabilities. However, it is important to note that the LoadImage API vulnerability can be fixed by upgrading to Service Pack 2. Those who have not should do so as soon as humanly possible. On the other hand, all systems are at this time vulnerable to the Help Control exploit. Users should wait to install help files that they cannot totally verify the integrity of until a patch is available. When it is, I will of course post the information.

Have a happy, safe New Years!

JPG Processing (GDI+) Bug In the Wild

trafton — Sun, 26 Sep 2004 05:00:00 GMT

The potentially very dangerous buffer overflow exploit that recently surfaced has already turned into a proof-of-concept, according to various sources. Symantec describes it thusly:

Hacktool.JPEGDownload is a program that can be used to generate .jpg files that exploit the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (described in the Microsoft Security Bulletin MS04-028). The .jpg files that this Trojan generates can download a URL hardcoded in the .jpg file, and are detected by Symantec products as Download.Trojan.

F-Secure's weblog has posted a picture of the program (click on the image for a larger view):

Although there are no known uses in any current malware other than this proof-of-concept program, once an exploit has been used as a proof-of-concept, it typically is not long before it is in the field, so patch up.

It should also be noted that Kaspersky's Exploit.IE.Crashos detection is not related to this vulnerability, and does work in SP2. This can also be activated by using a .JPG file in Internet Explorer and has generated some concern. When and if Kaspersky publishes information on this detection, it will be posted.

Disable ADODB.Stream Object in IE Immediately!

trafton — Fri, 02 Jul 2004 05:00:00 GMT

Breaking News: Security Holes Leave Hard Drive Read/Write Functions Open

Adodb.stream provides a method for reading and writing files on a hard drive. This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an internet web site to execute script from the Local Machine Zone (LMZ). This occurs because the ADODB.Stream object allows access to the hard drive when hosted within Internet Explorer.

More information and a download that should be applied on Windows NT/2000/2003 Server/XP machines is available here.

"Ject" Downloader Hits IIS Servers

trafton — Fri, 25 Jun 2004 05:00:00 GMT

Breaking News: "Ject" Downloader Exploits Unpatched Servers, IE

A downloader known as Ject has been isolated in the wild and is believed to currently be affecting IIS web servers and Windows 2000 servers that have not applied update 835732, which is fully addressed in Security Bulletin MS04-011, available here.

When an Internet Explorer user visits the compromised server, it will attempt to download a Trojan horse known as Downloader.Ject. Fortunately, at this time, the Russian site that houses Ject has been taken offline. However, follow-up attacks could and probably will occur on any system that is unpatched and administrators of vulnerable machines are urged to apply the 835732 update to avoid infection.

The Internet Storm Center reports that there are a number of indications that a web server is infected. This includes the presence of the files Kk32.dll and/or Surf.dat, all files being sent from the infected server including JavaScript - even text files like robot.txt, and the global footer of the machine being set to a new file.

Indications of possible infection from the user side includes a message about JavaScript on the active page (this may not display,) attempts to contact the server 217.107.218.147 (unassigned.m10-msk-ru.e-neverland.net) on port 80, and antivirus programs detecting one of a number of viruses. Ject has a number of names, including BackDoor-AXJ, JS.Scob.Trojan, Scob Trojan, JS.Toofer, and Downloader-Ject.

Systems running Windows XP SP2 or those with high security settings that disable features such as JavaScript are not affected. More information about this incident can be found here.

Major New IE Flaw

trafton — Thu, 10 Jun 2004 05:00:00 GMT

Not So Quiet

Secunia is reporting here (IMPORTANT: Users of McAfee VirusScan will receive a FALSE detection when going to this page) that there is a new major vulnerability in Internet Explorer.

Description: Two vulnerabilities have been reported in Internet Explorer, which in combination with other known issues can be exploited by malicious people to compromise a user's system. 1) A variant of the "Location:" local resource access vulnerability can be exploited via a specially crafted URL in the "Location:" HTTP header to open local files. 2) A cross-zone scripting error can be exploited to execute files in the "Local Machine" security zone. Secunia has confirmed the vulnerabilities in a fully patched system with Internet Explorer 6.0. It has been reported that the preliminary SP2 prevents exploitation by denying access. Successful exploitation requires that a user can be tricked into following a link or view a malicious HTML document. NOTE: The vulnerabilities are actively being exploited in the wild to install adware on users' systems. Solution: Disable Active Scripting support for all but trusted web sites. Filter "Location:" headers containing the "URL:" prefix in a proxy server. Use another browser. Provided and/or discovered by: Originally discovered in the wild. Detailed analysis of exploit by Jelmer. Changelog: 2004-06-08: Updated information in advisory. 2004-06-10: Updated information in advisory and added link to US-CERT vulnerability note. Other References: Jelmer's posting on Full-Disclosure: http://archives.neohapsis.com/ar...fulldisclosure/2004-06/0104.html US-CERT VU#713878: http://www.kb.cert.org/vuls/id/713878

Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

There have been reports of a pop up-producing toolbar already using this vulnerability to install itself.

W32/Sasser Spreading Quickly

trafton — Sat, 01 May 2004 05:00:00 GMT

BREAKING NEWS: Sasser Goes Medium

McAfee has just upgraded W32/Sasser.worm (which uses MS04-011) to Medium risk reflecting the amount it has spread. I personally have received a number of reports of this worm being in the wild. All users should upgrade immediately. A new Stinger detection is available that covers this. Also, the Internet Storm Center has declared Infocon Yellow to reflect the global spread.

McAfee Description
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125007

ISC: New Phatbot Variant Exploits Recent Vulnerability

trafton — Wed, 28 Apr 2004 05:00:00 GMT

BREAKING NEWS: Internet Storm Center Announces Troubling New Phatbot Variant

The Internet Storm Center has announced the discovery of yet another variant of the “Phatbot” family of worms. This variant appears to exploit a recent vulnerability. This would be the first worm to do so. From the diary of handler Tom Liston:

=====BEGIN QUOTE=====
PhatBot exploiting LSASS?
The ISC has come into possession of what appears to be a new version of PhatBot that contains code to exploit the LSASS (LSASS: Local Security Authority Subsystem Service) vulnerabilities patched under MS04-11. Reference these old diary entries:

http://isc.sans.org/diary.php?date=2004-04-26
http://isc.sans.org/diary.php?date=2004-04-25

We are currently focusing on some keywords found in the executable that indicate that an LSASS exploit has been added, specifically, the command string "CScannerLSASS".

We are currently investigating the code, and will update the diary as new information becomes available.

Traffic matching this bot was first observed yesterday evening (EDT) at multiple US .edu's.
The bot appears to inherit all other functions usually associated with 'phatbot'.
=====END QUOTE=====

It is unknown at this time whether the worm is spreading much, but this could become a Medium-risk event if the worm is seeded well enough.

Exploits Released - Apply April Security Patches NOW

trafton — Thu, 15 Apr 2004 05:00:00 GMT

Thanks to Susan Bradley for this breaking security news report from Incidents.org:

“Dave Aitel of Immunity Security has stated publicly that they have released working exploits of two vulnerabilities patched by MS04-011 to their CANVAS customers:

http://lists.immunitysec.com/pipermail/dailydave/2004-April/000500.html

The LSASS.EXE vulnerability can be exploited to run arbitrary code with “system” privileges on vulnerable servers. eEye Digital Security has more details and also confirms the ability to run arbitrary code with “system” privileges using this vulnerability:

http://www.eeye.com/html/Research/Advisories/AD20040413C.html

Immunity’s claim that they have a working ASN.1 exploit has not been directly confirmed, but we have several anonymous confirmations that working exploits exist.

IT IS IMPERATIVE THAT THE PATCHES PROVIDED BY MICROSOFT IN ITS APRIL SECURITY RELEASE BE APPLIED TO SYSTEMS AS SOON AS POSSIBLE. It is our belief that the likelihood of a worm being released SOON that exploits one of the vulnerabilities addressed by these patches is VERY HIGH.”

Again, it is very important to patch yourself for the latest security vulnerabilities. Judging by the scope of this, we could see a Blaster-like worm that exploits this. I do not mean to sound the horns too early, though: it is quite important to note that these remain proof-of-concept exploits and so far we have seen no worm that automatically abuses them. More updates will be available as needed.

A note: The Daily Updates will restart tomorrow. Tax season is hectic, even considering that I'm not the one paying/calculating the taxes.