This month we have another collection of low-profile worms. Peer-to-peer (P2P) worms appear to
be on the increase, but nothing is a high risk at the moment. W32.Kitro.A.Worm targets MSN Messenger, and there are
a few worms targeting the KaZaA network, such as W32.Shermnar.Worm and W32.HLLW.Kazmor. W32.HLLW.Yoohoo, another
P2P worm, targets KaZaA, Bearshare, Morpheus, and eDonkey2000.
We would suggest extreme caution when using P2P networks: always make sure you have anti-virus software installed
(and up to date) and some sort of personal firewall to block any backdoor activity that may result from
infection by a Trojan or worm.
We have a great article this month, Securing the Enterprise: A New Integrated Approach. It is a must-read and
explains why you need an integrated security solution if you are running your company's enterprise security systems.
We now have, courtesy of one of our latest acquisitions (Riptech), two Internet Security Threat Reports; they can
be accessed from this link:
http://enterprisesecurity.symantec.com/content.cfm?articleid=1539&PID=12807550&EID=0
David Banes
Editor, securitynews@symantec.com
Symantec News
There have been a number of announcements about Symantec's new acquisitions over the last month or so. These are
significant enhancements to Symantec's existing products and services.
SecurityFocus. With this acquisition, Symantec will offer customers the most comprehensive, proactive early warning
system across the broadest range of threats.
http://www.symantec.com/press/2002/n020717.html
Recourse. This acquisition will bring to Symantec true gigabit speed network intrusion detection with next generation
hybrid technology and the industry's leading "honeypot" solution.
http://www.symantec.com/press/2002/n020819.html
Riptech. The combination of Symantec and Riptech will create the leading provider of managed security services
worldwide monitoring and managing the largest number of security devices across the broadest array of solutions.
http://www.symantec.com/press/2002/n020819.html
The Mountain Wave acquisition brings to Symantec the patent-pending CyberWolf technology designed to automate the
detection of security incidents by the intelligent analysis of security events and alerts in real-time.
http://www.symantec.com/press/2002/n020702.html
Viruses, Worms & Trojans
W32.Datom.Worm
Moderate Threat [3]
Win32
Global infection breakdown by geographic region (% of total):
  America (North & South)               34.0%
  EMEA (Europe, Middle East, Africa)    61.6%
  Japan                                  0.3%
  Asia Pacific                           4.2%

Reports by date (% of reports):
  6 Jul    0.1%
  8 Jul    4.3%
  9 Jul    6.8%
  10 Jul   6.6%
  14 Jul   2.0%
  18 Jul   4.6%
  27 Jul   1.1%
  1 Aug    3.5%
  4 Aug    0.6%
  6 Aug    3.4%
W32.Datom.Worm is a worm that spreads through open shares. This worm does not contain a damaging payload.
W32.Datom.Worm exists as three files:
Msvxd.exe
Msvxd16.dll
Msvxd32.dll
These files are located in the %Windir% folder.
NOTE: %Windir% is a variable. The worm locates the Windows main installation folder (by default this is C:\Windows
or C:\Winnt) and copies itself to that location.
The tasks in each file have likely been separated in an attempt to avoid heuristic detection:
Msvxd.exe simply runs Msvxd16.dll.
Msvxd16.dll adds a reference to Msvxd.exe to the registry and then runs Msvxd32.dll.
Msvxd32.dll enumerates network shares, copies all three files into the %Windir% folder on each of those shares,
and adds a reference to Msvxd.exe to the Run= line in Win.ini.
http://securityresponse.symantec.com/avcenter/venc/data/w32.datom.worm.html
Peter Ferrie
Symantec Security Response, APAC.
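The three dropped files and the Win.ini Run= entry described above are easy to check for on a suspect machine. The script below is an added, defender-side example (not code from the Symantec write-up): it parses a Win.ini text by hand, pulls the programs named on the run= line of the [windows] section, and reports which of the indicators are present. The directory listing and Win.ini fragment it runs against are constructed sample data, not a real infection.

```python
import re

# Files the W32.Datom.Worm write-up says are dropped into %Windir%
DATOM_FILES = {"msvxd.exe", "msvxd16.dll", "msvxd32.dll"}

def run_line_entries(win_ini_text):
    """Return the programs listed on the run= line of the [windows] section.

    Win.ini is parsed by hand rather than with configparser because real
    copies often carry duplicate keys and stray lines that configparser rejects."""
    section, entries = None, []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "windows" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "run":
                # several programs may share one run= line, separated by spaces or commas
                entries.extend(p for p in re.split(r"[\s,]+", value.strip()) if p)
    return entries

def datom_indicators(windir_listing, win_ini_text):
    """List the indicators from the write-up that are present: the three dropped
    files in the %Windir% listing and a run= entry pointing at Msvxd.exe."""
    present = DATOM_FILES & {name.lower() for name in windir_listing}
    findings = [f"dropped file present: {name}" for name in sorted(present)]
    for entry in run_line_entries(win_ini_text):
        if entry.lower().rsplit("\\", 1)[-1] == "msvxd.exe":
            findings.append(f"win.ini run= line references {entry}")
    return findings

# Constructed sample data standing in for a %Windir% directory listing and Win.ini
SAMPLE_LISTING = ["explorer.exe", "Msvxd.exe", "Msvxd16.dll", "Msvxd32.dll", "win.ini"]
SAMPLE_WIN_INI = """; constructed Win.ini fragment
[windows]
load=
run=C:\\WINDOWS\\Msvxd.exe
[fonts]
"""

if __name__ == "__main__":
    for finding in datom_indicators(SAMPLE_LISTING, SAMPLE_WIN_INI):
        print(finding)
```

On a live system, pass os.listdir of the Windows folder and the contents of its Win.ini in place of the constructed samples.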
W32.Chir.B@mm
Low Threat [2]
Win32
W32.Chir.B@mm is a network-aware, mass-mailing worm, as well as a file-infecting virus. It is a variant of
W32.Chir@mm. It uses its own SMTP engine to send itself to all email addresses that it finds in the Windows Address
Book (.wab) and in .adc, r.db, .doc, and .xls files.
The email message has the following characteristics:
From: <username>@yahoo.com or imissyou@btamail.net.cn
Subject: <username> is coming!
Attachments: PP.exe
W32.Chir.B@mm also searches all local and network drives, and infects files that have .htm, .html, .exe, and .scr
extensions. On the first day of each month, W32.Chir.B@mm attempts to overwrite the first 4660 bytes of the files
that have .adc, r.db, .doc, and .xls extensions in all folders and subfolders.
http://securityresponse.symantec.com/avcenter/venc/data/w32.chir.b@mm.html
Yana Liu and Peter Szor
Symantec Security Response, USA
W32.Manymize@mm
Low Threat [2]
Win32
W32.Manymize@mm is a mass mailing worm that sends itself and three other files to all email addresses in the Microsoft
Windows Address Book. The email message has the following characteristics:
Subject: The subject of the email will be one of the following:
Hi <recipient's user name>
Dear <recipient's user name>
Hello <recipient's user name>
My friend, <recipient's user name>
How are you !! <recipient's user name>
Attachments: The attachments are:
Mi2.htm
Mi2.chm
Mi2.wmv
Mi2.exe
http://securityresponse.symantec.com/avcenter/venc/data/w32.manymize@mm.html
Douglas Knowles
Symantec Security Response, USA
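Both the W32.Chir.B@mm and W32.Manymize@mm write-ups above give fixed sender, subject and attachment characteristics, which is enough to flag their mail at a gateway. The script below is an added example (not code from either write-up) that turns those characteristics into rules over a parsed message; the test messages it builds are constructed, with empty attachments carrying only the quoted filenames, and the example.com addresses are placeholders.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Message characteristics quoted in the W32.Chir.B@mm and W32.Manymize@mm write-ups
CHIR_FROM = re.compile(r"^(?:[^@\s]+@yahoo\.com|imissyou@btamail\.net\.cn)$", re.I)
CHIR_SUBJECT = re.compile(r"^\S+ is coming!$")
CHIR_ATTACHMENT = "pp.exe"
MANYMIZE_SUBJECT = re.compile(r"^(?:Hi|Dear|Hello|My friend,|How are you !!) .+$")
MANYMIZE_ATTACHMENTS = {"mi2.htm", "mi2.chm", "mi2.wmv", "mi2.exe"}

def attachment_names(msg):
    """Lower-cased filenames of every MIME part that carries one."""
    return {part.get_filename().lower() for part in msg.walk() if part.get_filename()}

def classify(raw_message):
    """Return the worm whose mail signature the message matches, or None.
    Each rule needs the attachment set AND the subject pattern (and for Chir.B the
    sender pattern too), so ordinary mail from yahoo.com users is not flagged."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    sender = parseaddr(msg.get("From") or "")[1]
    names = attachment_names(msg)
    if CHIR_ATTACHMENT in names and CHIR_FROM.match(sender) and CHIR_SUBJECT.match(subject):
        return "W32.Chir.B@mm"
    if MANYMIZE_ATTACHMENTS <= names and MANYMIZE_SUBJECT.match(subject):
        return "W32.Manymize@mm"
    return None

def build_sample(sender, subject, filenames):
    """Constructed test message: empty attachments with the given names (no worm code)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.com", subject
    msg.set_content("constructed sample body")
    for fn in filenames:
        msg.add_attachment(b"\x00", maintype="application", subtype="octet-stream", filename=fn)
    return msg.as_string()

if __name__ == "__main__":
    print(classify(build_sample("bob@yahoo.com", "bob is coming!", ["PP.exe"])))
    print(classify(build_sample("x@example.com", "Hi alice", ["Mi2.htm", "Mi2.chm", "Mi2.wmv", "Mi2.exe"])))
    print(classify(build_sample("x@example.com", "Quarterly report", ["report.pdf"])))
```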
Security Advisories
PHP multipart/form-data POST parsing error allows arbitrary code
High [4]
Multiple
A vulnerability exists in the PHP parsing code that handles file uploads (multipart/form-data). By sending a specially
crafted POST request to the Web server that corrupts the internal data structures used by PHP, a remote attacker
can run arbitrary code with privileges of the Web server and, potentially, gain privileged access.
PHP is a popular HTML-embedded scripting language used to create dynamically generated Web pages.
PHP versions starting with 4.2.0 contain updated multipart/form-data handler code to intelligently parse HTTP POST
request headers and differentiate variables and files sent by the user agent in a multipart/form-data request.
The parser, however, fails to provide sufficient input checking in the way the mime headers are processed. Anyone
who can send HTTP POST requests to an affected Web server can exploit the vulnerability to compromise the web server
and, under certain conditions, gain privileged access.
PHP running on x86 platforms is currently verified to be safe from the execution of arbitrary code. However, the
vulnerability can still be exploited against x86 platforms to crash PHP and, in most cases, the Web server.
Components Affected
Apache Software Foundation PHP 4.2.0, 4.2.1
References
Source: CERT CA-2002-21
URL: http://www.cert.org/advisories/CA-2002-21.html
Source: CERT CERT Vulnerability Note VU#929115
URL: http://www.kb.cert.org/vuls/id/929115
Source: Apache Software Foundation PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
URL: http://www.php.net/release_4_2_2.php
More details and Symantec's recommendations are here:
http://www.symantec.com/avcenter/security/Content/2208.html
Sun ONE (iPlanet) Web Server search buffer overflow
High [4]
Multiple
A buffer overflow vulnerability in the Sun ONE (iPlanet) Web Server may allow a remote attacker to run arbitrary
code.
Sun ONE Web Server is a software product for developers who build dynamic Web applications for e-commerce sites.
The iPlanet Web Server, which is owned and maintained by Sun Microsystems, has been rolled into the Sun product
line as the Sun ONE Web Server.
The search capability in iPlanet Web Server is vulnerable to a remotely exploitable stack overflow. By supplying
an overly long value for the NS-rel-doc-name parameter, which results in a saved return address being overwritten
on the stack, a remote attacker gains control over the vulnerable process. Any code supplied by the attacker will
run in the security context of the account running the Web Server. On Windows NT/2000 this account is the local
SYSTEM account which, by default, allows any code to run uninhibited.
Components Affected
Sun Microsystems Sun ONE Web Server (iPlanet) 4.1
Sun Microsystems Sun ONE Web Server (iPlanet) 6.0
References
Source: Security Focus.com NISR09072002
URL: http://online.securityfocus.com/archive/1/281199/2002-07-07/2002-07-13/2
Source: Security Focus.com 4851
URL: http://online.securityfocus.com/bid/4851
More details and Symantec's recommendations are here:
http://www.symantec.com/avcenter/security/Content/2126.html
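Because the advisory above pins the overflow to an overly long NS-rel-doc-name value, attempts against the search handler stand out in ordinary access logs. The script below is an added detection example (not from the advisory or from Sun): it parses Common Log Format lines, URL-decodes the query string and reports any request whose NS-rel-doc-name parameter exceeds a length threshold. The 256-byte threshold, the client addresses and the log lines are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed threshold: legitimate NS-rel-doc-name values are short document paths,
# so a value hundreds of bytes long is out of place whatever the response code was.
MAX_PARAM_LEN = 256

# Common Log Format: client, ident, user, [timestamp], "method target protocol", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def suspicious_search_requests(log_lines, max_len=MAX_PARAM_LEN):
    """Return (client, timestamp, status, length) for each request whose
    NS-rel-doc-name query parameter is longer than max_len after URL decoding.
    Malformed lines and requests without that parameter are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, stamp, _method, target, status = m.groups()
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        # parameter names are matched case-insensitively; take the longest value if repeated
        values = [v for k, vs in params.items() if k.lower() == "ns-rel-doc-name" for v in vs]
        if values:
            longest = max(len(v) for v in values)
            if longest > max_len:
                hits.append((client, stamp, int(status), longest))
    return hits

# Constructed sample log lines (the 10.0.0.0/8 clients and timestamps are invented)
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jul/2002:10:15:00 +0000] "GET /search?NS-query=report&NS-rel-doc-name=/docs/index.html HTTP/1.0" 200 1234',
    '10.0.0.9 - - [09/Jul/2002:10:15:07 +0000] "GET /search?NS-query=x&NS-rel-doc-name=' + "A" * 300 + ' HTTP/1.0" 500 0',
    '10.0.0.7 - - [09/Jul/2002:10:16:02 +0000] "GET /index.html HTTP/1.0" 200 512',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, stamp, status, length in suspicious_search_requests(SAMPLE_LOG):
        print("client %s at %s: NS-rel-doc-name length %d (status %d)" % (client, stamp, length, status))
```

A crash of the server process typically shows up as a 5xx or a truncated log entry, so a hit with status 500 deserves a look at the server's error log as well.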
Security News
Securing the Enterprise: A New Integrated Approach
As organizations become more dependent on networks for business transactions, data sharing, and everyday communications,
their networks have to be increasingly accessible to customers, employees, suppliers, partners, contractors, and
telecommuters. But as accessibility increases, so too does the exposure of critical data that is stored on the
network. The challenge, of course, is to ensure that only the right people gain access. The complexity of today's
networks and the emergence of new security threats make the challenge more difficult every day.
Evolving environments and new threats drive the need for integrated security.
The ability to use enterprise networks for commerce and collaboration is a key business enabler, leading to the
widespread emergence of "hyper-connected businesses." To meet the requirements of such businesses, the
gateway, server, and client levels of the network have to be interconnected, which means that business-critical
information must now reside at multiple levels of the internal network, each requiring its own protection. At the
same time, threats to the network have become more sophisticated, with attack techniques that employ multiple methods
to discover and exploit network vulnerabilities becoming more commonplace. For instance, the viruses, worms, and
Trojan horses that often hide within files or programming code are able to self-replicate and self-propagate, allowing
them to be spread easily by unknowing computer users. And, a new breed of threats like CodeRed and Nimda are taking
the worst characteristics of viruses, worms, and Trojan horses, and combining them with server and Internet vulnerabilities
in order to initiate, transmit, and spread an attack. Explicitly designed to exploit the vulnerabilities of security
technologies working independently from one another, these so-called blended threats utilize multiple methods of
attack and self-propagation, enabling them to spread rapidly and cause widespread damage.
What are the risks?
Given the multiple levels of network vulnerability and the ever-increasing number of attack techniques, the risks
to corporate well-being are also growing. The impact of network attacks on businesses can range from easy-to-quantify
consequences, such as interrupted business operations, to losses that are difficult to calculate, such as damaged
brand equity. Network attacks can also impact businesses in other ways, including:
- Interruption of Business Operations. Downtime due to an attack results in lost productivity
and revenues, and the costs associated with restoring a hacked network can increase the overall financial impact.
- Legal Liability and Potential Litigation. Organizations that have been hacked may find themselves
in court as a defendant or key witness.
- Reduced Ability to Compete. Information is often a company's most valuable asset. The loss
or theft of data can pose serious consequences, even rendering a company's market position untenable.
- Damage to Brand Equity. Damage to a brand can degrade a company's position in the marketplace.
For example, companies that have had credit card information stolen may have a hard time restoring customer confidence
in their brand.
The traditional approach to security is not efficient or sufficient
Current security solutions typically consist of multiple point products, each working independently. These products
must be purchased, installed, deployed, managed, and updated separately. With this approach, IT managers are faced
with labor-intensive configuration and implementation issues and need to address the problem of interoperability
between products. Because they are not integrated, multiple point products are difficult to manage, which increases
IT administration and support costs. Protection is usually not comprehensive because the lack of cross-vendor interoperability
often allows threats to slip through the cracks. What's more, when an outbreak occurs, the "fixes" that
each vendor provides must be tested and verified across the various technologies. This can slow response to attacks,
potentially augmenting the costs that are incurred. And, since they were not designed to work together, independent
point products can also degrade network performance.
The implications of current security solutions include inefficiencies, inadequate protection against blended threats,
and a higher cost of ownership. It all adds up to an under-performing security posture that is difficult to understand
and provides little insight into enterprise security planning.
Integration: A logical solution
The concept of integrated security has emerged to address the new challenges facing e-businesses. Integrated security
combines multiple security technologies with policy compliance, customer management, service and support, and advanced
research for complete protection. By adopting a comprehensive, holistic strategy that addresses network security
at the gateway, server, and client tiers, organizations may be able to reduce costs, improve manageability, enhance
performance, tighten security, and reduce the risk of exposure. An integrated security approach offers the most
effective security posture at the optimal cost-benefit ratio.
Integrated security uses the principles of defense in depth and employs complementary security functions at multiple
levels within the IT infrastructure. By combining multiple functions, integrated security can more efficiently
protect against a variety of threats at each tier to minimize the effects of network attacks. Key security technologies
that can be integrated include:
- Firewalls. Control all network traffic by screening the information entering and leaving
a network to help ensure that no unauthorized access occurs.
- Intrusion Detection. Detects unauthorized access and provides alerts and reports that can
be analyzed for patterns and planning.
- Content Filtering. Identifies and eliminates unwanted traffic.
- Virtual Private Networks (VPN). Secures connections beyond the perimeter, enabling organizations
to safely communicate across the Internet.
- Vulnerability Management. Uncovers security gaps and suggests improvements.
- Virus Protection. Protects against viruses, worms, and Trojan horses.
Why integrated security?
When integrated into a single solution, security technologies offer more comprehensive protection while helping
to reduce complexity and cost. An integrated solution eliminates the need to manage multiple products from multiple
vendors or address interoperability issues. And, since integrated security can be implemented at all network tiers,
it offers greater protection of proprietary assets and reduces risks to business continuity. What's more, an integrated
approach enables IT personnel to focus on other strategic initiatives while maximizing the productivity of often-overburdened
IT departments.
Today, organizations can improve efficiency of security functions, minimize the impact of attacks, and enhance
their overall security posture with an integrated security framework. It's an approach whose time has come.
To learn more about all of Symantec's security solutions, visit the Enterprise
Security Resource Center.
http://enterprisesecurity.symantec.com/Content/esrc.cfm?PID=12754467&EID=0
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com, no unsubscribe or support
emails please. Follow this link to subscribe or unsubscribe: http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html
Send virus samples to: avsubmit@symantec.com
Disclaimer- THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL
PURPOSES ONLY.
This message contains Symantec Corporation's current view of the topics discussed as of the date of this document.
The information contained in this message is provided "as is" without warranty of any kind, either expressed
or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose,
and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document.
This document may not be distributed for profit.
Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products
are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials
may not be published in other documents without the express, written permission of Symantec Corporation.