ISSN 1444-9994

Symantec Security Response Newsletter

March/April 2004



As in previous months, multiple medium- to high-risk worm outbreaks, based on the MyDoom, Netsky, and Beagle worm families, dominated March and April. However, the DeepSight Threat Analyst Team released a Threat Alert in March on W32.Witty.Worm. This worm exploits the Internet Security Systems Protocol Analysis Module ICQ Parsing Overflow vulnerability, which was also disclosed that month. W32.Witty.Worm is entirely memory resident - no files are created or dropped. Its payload is especially destructive, since it writes random data to physical disks, causing data corruption on the hard drives of the infected computer.

On April 13th, Microsoft released three Security Bulletins, which address 18 new vulnerabilities and include updates for three existing vulnerabilities:

  • MS04-011 provides a Security Update for Windows that rectifies 14 new vulnerabilities, many of which are highly critical.
  • MS04-012 is a Cumulative Update for Microsoft RPC/DCOM Security and details 3 new vulnerabilities and 1 previously known vulnerability.
  • MS04-013 provides a cumulative patch for Microsoft Outlook Express that addresses two new vulnerabilities.

April 30th saw the release of the first version of the Sasser worm. W32.Sasser.Worm is a blended threat that attempts to exploit the LSASS vulnerability, described in Microsoft Security Bulletin MS04-011. It spreads by scanning randomly selected IP addresses for vulnerable systems. This worm and its variants are estimated to have infected millions of PCs worldwide. See later in the Newsletter for more details on the worm and the LSASS vulnerability.


Security News

New Flaw takes WiFi off the air
By Patrick Gray May 13th 2004
A newly discovered vulnerability in the 802.11 wireless standard allows attackers to jam wireless networks within a radius of one kilometer, using off-the-shelf equipment...

Prison Time for Cyber Stock Swindler
By Kevin Poulsen May 6th 2004
A young investor, with more wiles than trading luck, was sentenced to 13 months in prison Wednesday for using a Trojan horse program and someone else's online brokerage account to sell thousands of worthless stock options to an unwilling buyer...


Symantec Internet Security Threat Report

In March, Symantec published the latest edition of the Symantec Internet Security Threat Report, which provides a six-month update of Internet threat activity. This issue included an analysis of network-based attacks, known vulnerabilities, and malicious code for the period of July 1 to December 31, 2003. It also examines how and why attacks have affected some organizations more severely than others and how current trends are expected to shape future Internet security threats. One of the most significant events of the second half of 2003 occurred in August when the Internet experienced three new Category 4 worms in only 12 days. Blaster, Welchia, and Sobig.F infected millions of computers worldwide. These threats alone may have resulted in as much as $2 billion in damages.

Attack Trend Highlights

  • In the first half of 2003, only one sixth of the companies analyzed reported a serious breach. In the second half of the year, half of the companies reported a serious breach.
  • Worms remained the most common source of attack activity.
  • Almost one third of all attacking systems targeted the vulnerability exploited by Blaster.
  • Attackers increasingly targeted backdoors left by other attackers and worms.
  • Companies detecting severe attacks rose from 17% to 45%.
  • Financial services, healthcare, and power and energy were among the industries hardest hit by severe events.
  • Increased client tenure continues to result in a decrease of severe events. Over 70% of clients with tenure of more than six months successfully avoided a severe event.

Vulnerability Trend Highlights

  • Symantec documented 2,636 new vulnerabilities in 2003, an average of seven per day.
  • Symantec data indicates that the rate of vulnerability disclosure has leveled off.
  • Newly discovered vulnerabilities are increasingly severe and easy to exploit.
  • 70% of vulnerabilities in 2003 were classified as easy to exploit.
  • The percentage of vulnerabilities for which exploit code was publicly available increased by 5%.
  • The percentage of vulnerabilities that do not require specialized tools to exploit them increased by 6% in 2003.

Malicious Code Trend Highlights

  • Blended threats make up 54% of the top ten submissions over the past six months.
  • Two and a half times the number of WIN32 viruses and worms were submitted to Symantec than over the same period in 2002.
  • Within the top ten malicious code submissions, the number of mass-mailer worms with their own mail engine increased by 61% over first half of 2003.
  • Threats to privacy and confidentiality were the fastest growing threat, with 519% growth in volume of submissions within the top ten.


Monthly Security Round-up from Symantec DeepSight Threat Management System

In March, two DeepSight Threat Analyses were released: the W32.Mockbot.A.Worm Threat Analysis and the DameWare Auto-Exploitation Networks Threat Analysis. The discovery of W32.Mockbot.A.Worm on a DeepSight Honeypot prompted the release of a Threat Analysis. This worm employs both TCP port 6127 (DameWare) and TCP port 3410 (Backdoor.OptixPro) as propagation vectors. The DameWare Auto-Exploitation Networks Threat Analysis discusses various code exploiting the DameWare remote administration tool. Both of these Analyses conclude a series of abnormal scanning activities reported by DeepSight firewall sensors.

In April, the Threat Analyst team released an analysis of the peer-to-peer intercommunication structure of the Gaobot-based Phatbot. Unlike traditional IRC-based bots, Phatbot permits its operator to obscure the location of its communication nodes in order to create multiple levels of fault tolerance. The protocol utilized by Phatbot is based on WASTE, an open source peer-to-peer sharing protocol that has been augmented with Phatbot-specific extensions. Phatbot, like other variants of Gaobot, provides full access to compromised hosts, the ability to gather information from these hosts, and the ability to launch Denial of Service attacks against targets selected by the owner of the botnet. Phatbot also permits its controller to sniff for authentication tokens and determine if the infected computers are able to use AOL as a gateway for spam.

The following are some of the significant vulnerability alerts Symantec released in the past two months.

Multiple Vendor HTTP Response Splitting Vulnerability
A paper (Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics) was released to describe various attacks that target Web users through Web applications, browsers, Web or application servers, and proxy implementations. These attacks are described under the general category of HTTP Response Splitting and involve abusing various input validation flaws in these implementations to split HTTP responses into multiple parts in such a way that response data may be misrepresented to client users. Exploitation would occur by injecting variations of CR/LF sequences into parts of HTTP response headers, which the attacker may control or influence. The general consequences of exploitation are that an attacker may misrepresent web content to the client, potentially enticing the user to trust the content, and then take actions based on this false trust. While the various implementations listed in the paper contribute to these attacks, this issue will most likely be exposed through web applications that do not properly account for CR/LF sequences when accepting user-supplied input that may be returned in server responses. This vulnerability could also aid in exploitation of cross-site scripting vulnerabilities.
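
The flaw class described above, shown from the application side as an added example (not code from the paper or from Symantec): a redirect handler that copies user input into a response header, next to a version that rejects CR/LF. The handler names, the `lang` parameter and the sample input are constructed for illustration.

```python
import re
from urllib.parse import quote

# CR, LF and every other control character must never reach a header value.
_CTL = re.compile(r"[\x00-\x1f\x7f]")

def redirect_naive(lang):
    """Vulnerable: user input is copied into the Location header as-is."""
    head = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: /home?lang={lang}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return head.encode("latin-1")

def redirect_strict(lang):
    """Hardened: reject control characters, then percent-encode the rest."""
    if _CTL.search(lang):
        raise ValueError("control character in header value")
    head = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: /home?lang={quote(lang, safe='')}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return head.encode("latin-1")

def header_names(raw):
    """Header names a client or cache parses from the first header block."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]

# Constructed input: a CR/LF pair followed by a header the application never set.
SAMPLE = "en\r\nX-Injected: 1"

def demo():
    """Compare what each handler emits for the constructed input."""
    try:
        redirect_strict(SAMPLE)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "naive": header_names(redirect_naive(SAMPLE)),
        "strict_rejected": rejected,
        "benign": header_names(redirect_strict("en")),
    }

if __name__ == "__main__":
    print(demo())
```

The naive handler emits a header line the application never wrote, which is the primitive the splitting attacks build on; the strict handler refuses the request before any bytes are sent.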

Microsoft MSN Messenger Information Disclosure Vulnerability
MSN Messenger has been reported to be prone to an information disclosure vulnerability. This could allow a remote user to view the contents of files on the vulnerable user's computer. The issue presents itself when a remote user initiates a malformed file transfer request to an MSN user. This malformed request could allow the remote user to view the contents of a file on the computer, provided they already know the location and name of the file. The vulnerable MSN user would also have to have permission to access the file. The attacker would also have to know the MSN Messenger sign-on name of the user in order to send the malformed request.

Apache Mod_Access Access Control Rule Bypass Vulnerability
Apache mod_access has been reported to be prone to an access rule bypass vulnerability. The issue is reported to occur only when the affected service is run on big-endian 64-bit platforms. When an Allow or Deny rule is specified and an IP address is used in the rule without a corresponding netmask, the affected module may fail to match the rule. As a result of this vulnerability, access controls may not be enforced correctly. This could lead a system administrator into a false sense of security where it is believed that the server is not exposed to malicious traffic. A remote attacker may exploit this issue to bypass access controls on the affected server.
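
An audit check for the condition described above, as an added example (not Apache or Symantec code): it lists Allow/Deny rules that name a full IPv4 address with no netmask and reports whether the host it runs on is a big-endian 64-bit platform. Limiting the check to full dotted-quad addresses is an assumption, and the configuration sample is constructed.

```python
import ipaddress
import re
import struct
import sys

# "Allow from ..." / "Deny from ..." with one or more arguments on the line.
# Comment lines start with "#" and therefore never match.
RULE = re.compile(r"^\s*(allow|deny)\s+from\s+(.+)$", re.IGNORECASE)

def bare_ip_rules(conf_text):
    """Return (line number, directive, address) for IPs given without a netmask."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = RULE.match(line)
        if not m:
            continue
        for token in m.group(2).split():
            if "/" in token:
                continue  # a netmask or prefix length is present
            try:
                ipaddress.IPv4Address(token)
            except ValueError:
                continue  # host name, "all", env=..., partial address
            findings.append((lineno, m.group(1).capitalize(), token))
    return findings

def affected_platform():
    """True when this interpreter runs on a big-endian 64-bit platform."""
    return sys.byteorder == "big" and struct.calcsize("P") == 8

# Constructed sample configuration (documentation address ranges).
SAMPLE_CONF = """\
<Directory /var/www/admin>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10
    Allow from 198.51.100.0/255.255.255.0 203.0.113.7
    # Allow from 192.0.2.99
    Deny from 192.0.2.0/24
    Allow from intranet.example.org
</Directory>
"""

if __name__ == "__main__":
    print("big-endian 64-bit host:", affected_platform())
    for lineno, directive, addr in bare_ip_rules(SAMPLE_CONF):
        print(f"line {lineno}: {directive} from {addr} has no netmask")
```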

Yahoo! Messenger YInsthelper.DLL Multiple Buffer Overflow Vulnerabilities
Yahoo! Messenger is a freely available chat client distributed and maintained by Yahoo! It is available for the Microsoft Windows platform. When Yahoo! Messenger is installed it registers "yinsthelper.dll." This library adds the following COM objects:

  • YInstHelper.YInstStarter.1
  • YInstHelper.YAcs1
  • YInstHelper.YSearchSetting2

It has been reported that the COM objects YInstHelper.YInstStarter.1 and YInstHelper.YSearchSetting2 are prone to remote memory corruption vulnerabilities, most likely due to buffer overflow conditions. The condition occurs in YInstHelper.YInstStarter.1 when the properties "DesktopIcon", "AppId", and "Test" are given values that are 255 bytes or longer. By crafting a HTML page that invokes this COM object, and passing data to one of these properties, an attacker may overwrite values that are crucial to controlling program execution flow. Ultimately an attacker may exploit these issues and then execute arbitrary instructions in the context of the user who is running an instance of Internet Explorer used to view the malicious Web page.


Viruses, Trojans & Worms

Aliases: WORM_SASSER.B [Trend], W32/Sasser.worm.b [McAfee], Worm.Win32.Sasser.b [Kaspersky], W32/Sasser-B [Sophos], Win32.Sasser.B [Computer Associates], Sasser.B [F-Secure], W32/Sasser.B.worm [Panda], Win32/Sasser.B.worm [RAV], W32/Sasser.B [F-Prot]
Risk: High [4]
Date: May 1, 2004
Systems Affected: Windows 2000, Windows XP
CVE Reference: CAN-2003-0533
W32.Sasser.B.Worm is a variant of W32.Sasser.Worm. The main thread of execution will spawn a total of 128 instances of the propagation thread, which is designed to locate and exploit computers vulnerable to the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108), described in Microsoft Security Bulletin MS04-011. Each instance of this thread will operate indefinitely, as the entire body of execution is encapsulated within an infinite loop. This worm spreads by scanning randomly selected IP addresses for vulnerable systems. Successful exploitation of this vulnerability by W32.Sasser.Worm will result in the execution of the shellcode contained in the payload of the exploit and transfer of the worm to the compromised host. Upon execution, the worm creates a system registry key to ensure its survival across reboots and begins to search for further hosts to infect.


  • Causes significant performance degradation.

Attack Vectors

  • TCP 445
  • TCP 5554
    Utilized by the built-in FTP server thread.
  • TCP 9996
    The victim binds a command shell to this port and awaits a connection from the attacker.

Mitigating Strategies

  • Apply updated AntiVirus Definitions.
  • Apply patches available from Microsoft Security Bulletin MS04-011.
  • Filter out traffic targeting UDP ports 135, 137, 138, and 445 as well as TCP ports 135, 139, 445 and 593 and any ports above 1024.
  • Monitor incoming traffic for packets targeting TCP port 9996 and outgoing traffic destined for TCP port 5554.
  • Additionally, the following two processes are believed to prevent exploitation, but are as yet untested by the Threat Analyst Team.
    • Create a file named "dcpromo.log" in the %systemroot%\debug directory. This file must be marked read-only.
    • Stop the server service (net stop server /y).
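
The monitoring step above, as an added example (not a Symantec tool): it flags connections to TCP 9996 on internal hosts, connections from internal hosts to TCP 5554, and sources that contact many distinct hosts on TCP 445. The log format, the internal network range, the threshold and the sample records are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the monitored network
SCAN_THRESHOLD = 5  # assumption: distinct TCP 445 targets before a source is flagged

# Assumed record format: "<timestamp> TCP <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"^(\S+) TCP ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

def detect(lines):
    """Return (rule, host) alerts for the Sasser indicators named in the newsletter."""
    alerts = []
    targets_445 = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore records in any other format
        _ts, src, _sport, dst, dport = m.groups()
        dport = int(dport)
        if dport == 9996 and ipaddress.ip_address(dst) in INTERNAL:
            # Something is reaching for the command-shell port on one of our hosts.
            alerts.append(("inbound-9996", dst))
        elif dport == 5554 and ipaddress.ip_address(src) in INTERNAL:
            # One of our hosts is fetching from the worm's FTP server thread.
            alerts.append(("outbound-5554", src))
        elif dport == 445:
            targets_445[src].add(dst)
    # Propagation threads scan random addresses, so one source hits many targets.
    for src in sorted(targets_445):
        if len(targets_445[src]) >= SCAN_THRESHOLD:
            alerts.append(("scan-445", src))
    return alerts

# Constructed sample records (documentation address ranges for external hosts).
SAMPLE_LOG = [
    "2004-05-02T10:00:01 TCP 203.0.113.9:4021 -> 10.0.0.5:445",
    "2004-05-02T10:00:02 TCP 203.0.113.9:4022 -> 10.0.0.5:9996",
    "2004-05-02T10:00:03 TCP 10.0.0.5:1034 -> 203.0.113.9:5554",
    "2004-05-02T10:00:20 TCP 10.0.0.7:1100 -> 10.0.0.2:445",
] + [
    f"2004-05-02T10:01:0{i} TCP 10.0.0.5:{1040 + i} -> 198.51.100.{i}:445"
    for i in range(1, 6)
]

if __name__ == "__main__":
    for rule, host in detect(SAMPLE_LOG):
        print(rule, host)
```

In the sample, 10.0.0.5 raises all three alerts in sequence, while the single file-share connection from 10.0.0.7 stays below the threshold.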


Top Malicious Code Threats

Risk | Threat            | Discovered  | Protection
-----|-------------------|-------------|------------
4    | W32.Sasser.B.worm | 1 May 2004  | 1 May 2004
3    | W32.Beagle.X@mm   | 28 Apr 2004 | 28 Apr 2004
3    | W32.Netsky.Y@mm   | 20 Apr 2004 | 20 Apr 2004
3    | W32.Netsky.P@mm   | 21 Mar 2004 | 22 Mar 2004
3    | W32.Beagle.M@mm   | 13 Mar 2004 | 13 Mar 2004


Common Vulnerabilities

Vulnerability | Bugtraq ID | CVE Reference | Exploited by
--------------|------------|---------------|-------------
Microsoft Windows LSASS Buffer Overrun Vulnerability | 10108 | CAN-2003-0533 | W32.Sasser
Microsoft IE MIME Header Attachment Execution Vulnerability | 2524 | CVE-2001-0154 | W32.Swen.A, W32.Klez, W32.Sobig, W32.Bugbear, W32.Yaha, W32.Nimda
MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability | 2708 | CVE-2001-0333 | W32.Nimda
MS Buffer overflow in DCOM interface for RPC in Microsoft Windows | 8205 | CAN-2003-0352 | W32.Blaster.Worm, W32.Welchia.Worm
Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability | 1806 | CVE-2000-0884 | W32.Nimda
Microsoft Windows 9x / Me Share Level Password Bypass Vulnerability | 1780 | CVE-2000-0979 | W32.Opaserv
Microsoft SQL Server Resolution Service buffer overflows allow arbitrary code execution | 5311 | CAN-2002-0649 | W32.SQLExp.Worm
Microsoft IE Virtual Machine (VM) allows an unsigned applet to create and use ActiveX controls | 1754 | CVE-2000-1061 | JS.Exception.Exploit


Security Advisories

Microsoft Windows LSASS Buffer Overrun Vulnerability
Risk: High
Date: April 13, 2004
Components Affected: Many, listed here:
Microsoft Windows LSASS (Local Security Authority Subsystem Service) is prone to a remotely exploitable buffer overrun vulnerability. Successful exploitation of this issue could allow a remote attacker to execute malicious code on a vulnerable system, resulting in full system compromise. An anonymous user could exploit this issue on Microsoft Windows 2000 and XP operating systems. The issue may reportedly only be exploited by local, authenticated users on Microsoft Windows Server 2003 and Microsoft Windows XP 64-Bit Edition 2003.

Symantec Solutions: Symantec Vulnerability Assessment, Symantec Enterprise Security Manager.

Mitigating factors

  • Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.
  • Local attack vectors are reported to exist for this vulnerability. Do not permit untrusted individuals to have interactive access to the system. This will reduce exposure to privilege escalation attacks via this or other latent vulnerabilities.
  • Block external access at the network boundary, unless external parties require the service.
  • Regulate external or untrusted network traffic by using multiple network access control layers. This will help to limit exposure to exploitation of this and other latent vulnerabilities. This includes blocking RPC ports such as UDP ports 135-139 and 445 and TCP ports 138-139, 445, and 593.
  • Deploy network intrusion detection systems to monitor network traffic for malicious, anomalous, or suspicious activity. This may help in detecting attack attempts or activity that is the result of successful exploitation of this or other latent vulnerabilities.
  • Microsoft has released fixes to address this issue.

Vulnerability discovery credited to eEye Digital Security.

Source: Microsoft Security Bulletin MS04-011

Source: Windows Local Security Authority Service Remote Buffer Overflow

Multiple Vendor TCP Sequence Number Approximation Vulnerability
Risk: High
Date: April 20, 2004
Components Affected: Many, listed here:
A vulnerability in TCP implementations has been reported that may permit unauthorized remote users to reset TCP sessions. This issue affects products released by multiple vendors. This vulnerability may permit TCP sequence numbers to be more easily approximated by remote attackers.

The cause of the vulnerability is that affected implementations will accept TCP sequence numbers within a certain range of the expected sequence number for a packet in the session. This will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing for denial of service attacks. An attacker would exploit this issue by sending a packet to a receiving implementation with an approximated sequence number and a forged source IP and TCP port.

There are a few factors that may present viable target implementations, such as those which depend on long-lived TCP connections, those which have known or easily guessed IP address endpoints and those implementations with known or easily guessed TCP source ports. It has been noted that Border Gateway Protocol (BGP) is reported to be particularly vulnerable to this type of attack. As a result, this issue is likely to affect a number of routing platforms.


  • Block external access at the network boundary, unless external parties require the service.
  • Employ ingress and egress filtering to verify source IP addresses at the network gateway.
  • Communicate sensitive information over encrypted channels.
  • Implementing IP Security (IPSEC) to encrypt TCP traffic can help against an attack. Authenticated BGP may also be deployed to mitigate attacks versus BGP implementations.
  • Review and adjust according to policy any default configuration settings.
  • Limiting TCP source port information may conceal sensitive information from an attacker that may be useful in carrying out an attack.
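
An exposure estimate for the issue described above, as an added example (not from any of the listed advisories): it models the in-window acceptance test with 32-bit wraparound and shows how the receive window and the number of plausible source ports change the count of spoofed segments that must be sent before one is accepted. The window sizes and port counts are constructed values.

```python
SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

def in_window(seq, rcv_nxt, rcv_wnd):
    """Acceptance test: is seq within rcv_wnd of the next expected number?

    The subtraction is done modulo 2^32 so the check still works when the
    window straddles the wraparound point.
    """
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd

def segments_to_cover(rcv_wnd, candidate_ports=1):
    """Upper bound on spoofed segments needed to land one inside the window.

    One segment per window-sized step covers the sequence space; the total
    is multiplied by the number of source ports that are still plausible.
    """
    per_port = -(-SEQ_SPACE // rcv_wnd)  # ceiling division
    return per_port * candidate_ports

def exposure_table(windows, port_counts):
    """Segments required for each (window, plausible ports) combination."""
    return {(w, p): segments_to_cover(w, p) for w in windows for p in port_counts}

if __name__ == "__main__":
    # Constructed values: three window sizes, known port versus 1000 candidates.
    table = exposure_table([8192, 16384, 32768], [1, 1000])
    for (wnd, ports), count in sorted(table.items()):
        print(f"window={wnd:5d} ports={ports:4d} segments<={count}")
```

Larger windows shrink the number of segments needed, and a predictable source port removes the multiplier entirely, which is why long-lived sessions with guessable endpoints, such as BGP peerings, are singled out.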

Discovery of this vulnerability has been credited to Paul A. Watson.

Source: NetBSD 2004-006 TCP protocol and implementation vulnerability

Source: SGI 20040403-01-A Vulnerabilities in long-lived TCP connections

Source: Cisco cisco-sa-20040420-tcp-ios Cisco Security Advisory: TCP Vulnerabilities in Multiple IOS-Based Cisco Products

Source: Cisco cisco-sa-20040420-tcp-nonios Cisco Security Advisory: TCP Vulnerabilities in Multiple Non-IOS Cisco Products

Source: announce_en_20040421_01: TCP protocol vulnerability in SEIL series products

Source: Cisco Security Advisory: TCP Vulnerabilities in Multiple IOS-Based Cisco Product

Source: Multiple Vendor TCP Denial of Service Vulnerability

Source: NISCC Vulnerability Advisory 236929

Source: Security Advisory: TCP Vulnerability CAN-2004-0230

Source: TA04-111A Vulnerabilities in TCP

Source: TCP RFC Alert


Security Events Calendar

AusCERT 2004
Date: May 23-27th, 2004
Location: The Gold Coast, Australia

ACNS 2004: 2nd Conference of Applied Cryptography & Network Security
Date: June 8-11th, 2004
Location: Yellow Mountain, China

Blackhat USA 2004 Briefings and Training
Date: July 26-29th, 2004
Location: Las Vegas, United States

13th Usenix Security Conference
Date: Aug 9-13th, 2004
Location: San Diego, United States


Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Windows, Windows NT, and the Windows logo are registered trademarks of Microsoft Corporation in the United States and other countries. All other brand and product names are trademarks of their respective holder(s). Copyright © 2004 Symantec Corporation. All rights reserved.
