ISSN 1444-9994

Symantec Security Response Newsletter

August 2003


Blasted again.

 

The first couple of weeks of August have been busy, really busy. Some of our customer support call statistics defy belief; it seems half of Asia Pacific was infected with W32.Blaster.Worm and the threats that followed rapidly afterwards.

We are carrying the DCOM RPC piece again this month as it's still very relevant. W32.Blaster has been the subject of much analysis, and three of Symantec's Win32 experts (there are many more) have spent some time on it.

Peter Ferrie, Frederic Perriot and Peter Szor from Symantec Security Response, USA have a joint paper titled 'Blast Off!' that will be published in Virus Bulletin soon and is well worth a read.

Links
Virus Bulletin - http://www.virusbtn.com/

 
Use Symantec Security Alerts on Your Web Site
http://securityresponse.symantec.com/avcenter/cgi-bin/syndicate.cgi

 

NEW! Symantec DeepSight™ Analyzer support for Norton Personal Firewall and Norton Internet Security

Symantec DeepSight Analyzer now allows you to track and report on events that are being observed by your personal security products. Your security events are automatically submitted to Symantec by a software program called DeepSight Extractor. This information is used to identify patterns in attacks that help serve as a threat-gauging system for the Internet community. The entire process is automated and can be completely anonymous, protecting your identity at all times.

By joining the Symantec DeepSight Analyzer program at Symantec, you receive a number of benefits. Symantec DeepSight Analyzer gives you the following functionality, at absolutely no charge to you:

1. Automated Daily Summary Reports - A report summarizing all activity that your system has seen over the previous 24-hour period.

2. Secure Online Event Viewing - View a history, for the previous 30 days, of all events that your systems have submitted.

3. Secure Online Report Generation - Generate reports summarizing your event activity over a period of time.

For more information on Symantec DeepSight Analyzer for Norton Personal Firewall and Norton Internet Security and a FREE download:

http://analyzer.securityfocus.com/downloadnis.asp


 

Monthly Security Round-up
from Symantec DeepSight Threat Management System
http://tms.symantec.com/

During the week of July 27 - August 2, 2003, much anticipation surrounded the release of exploits and malicious code targeting the recently disclosed Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID 8205). Security professionals and media reports continued to speculate on the feasibility of a successful worm. Active exploitation of this vulnerability was reported, and malicious code has been written to allow trojan programs to use this vulnerability as an infection vector. Currently, no software has been seen which employs functioning code that may allow autonomous propagation in a worm-like fashion, but it is believed that such code may be deployed in the near future.

Another vulnerability has been reported in the popular Washington University FTP daemon. Wu-ftpd carries a history of significant security vulnerabilities. Other significant vulnerabilities disclosed this week included a local buffer overflow present in Solaris.

The DeepSight Threat Analyst Team has released a Threat Analysis of a malicious tool known as NiBu. In addition to typical backdoor functionality, NiBu also attempts to steal sensitive financial information. This activity, together with the discovery of an auto-rooter type rootkit that targets the Microsoft DCOM RPC Interface overflow, prompted the revision of an old Threat Alert and the release of a separate Threat Alert.

The week of August 3-9, 2003, continued to see widespread exploitation of the Windows DCOM RPC Interface Buffer Overrun Vulnerability. A functional worm proliferated on August 11, 2003, and numerous automated tools have been made available to the public to automate exploitation of this vulnerability in a fast and efficient manner. Various groups of attackers are known to be constructing large bot networks, many of which could be capable of conducting extremely powerful Distributed Denial of Service (DDoS) attacks. Network security specialists have speculated as to the potential impact of this vulnerability, and it has been generally agreed that a functional worm may be created relatively easily.

A vulnerability has been disclosed in the HTTP server in Cisco IOS, which is particularly interesting because it has demonstrated the possibility to execute shellcode on router devices. This domain of security has gone relatively unexplored, and as more information regarding this becomes available, administrators may be faced with having to implement protection against new attack vectors that have been previously overlooked.

Two Threat Analyses have been released this week, both relating to the Windows DCOM RPC Interface Buffer Overrun Vulnerability. An analysis of Cirebot, a bot used to compromise machines via this vulnerability, is available. In addition, a document outlining general exploitation patterns of the vulnerability is also available.

August 10 - 16, 2003, was dominated by discussion and attention directed at a new worm, W32.Blaster, and the Windows DCOM RPC Interface Buffer Overflow that it used in order to spread. As had been forecast for weeks, this worm began propagating and achieved significant success due to the large number of vulnerable hosts. In response to this issue, the Threat Analyst Team released a Threat Alert.

Another Threat Alert was issued in response to a sudden rise in traffic targeting TCP/3410. The rise in traffic has not yet been accounted for, but it is likely that it is related to a backdoor trojan that listens on this port.

W32.Blaster, and a backdoor sent through the mail attempting to capitalize on the press achieved by this worm, both figure prominently in the malicious code listings this week.

 

Viruses, Trojans & Worms


W32.Blaster.Worm

Aliases : W32/Lovsan.worm.a [McAfee], Win32.Poza.A [CA], Lovsan [F-Secure], WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda], Worm.Win32.Lovesan [KAV]
Risk : High [4]

Date : 11th August 2003

Systems Affected:
Windows 2000, Windows XP
CVE Reference : CAN-2003-0352

Overview

W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026 ) using TCP port 135. The worm targets only Windows 2000 and Windows XP machines. While Windows NT and Windows 2003 Server machines are vulnerable to the aforementioned exploit (if not properly patched), the worm is not coded to replicate to those systems. This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and then execute it. W32.Blaster.Worm does not have a mass-mailing functionality.

Additional information and an alternate site from which to download the Microsoft patch is available in the Microsoft article, "What You Should Know About the Blaster Worm and Its Variants."

 

We recommend that you block access to TCP port 4444 at the firewall level, and then block the following ports, if you do not use the following applications:

  • TCP Port 135, "DCOM RPC"
  • UDP Port 69, "TFTP"
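As an added example (not from the newsletter or from Symantec's products), the following Python script correlates constructed firewall log lines against the three ports listed above, flagging a host pair only when TCP/135, TCP/4444 and UDP/69 all appear in sequence rather than alerting on any single port; the log line format and the direction of the TFTP flow are assumptions.

```python
"""Correlate firewall log lines against the W32.Blaster propagation pattern
(TCP/135, then TCP/4444, then TFTP on UDP/69 between the same two hosts)."""
import re
from collections import defaultdict

# Ports the write-up above recommends blocking at the firewall.
BLOCK_RULES = {("TCP", 4444), ("TCP", 135), ("UDP", 69)}

# Constructed log lines, assumed format: HH:MM:SS src_ip -> dst_ip PROTO/dst_port
SAMPLE_LOG = """\
10:00:01 192.0.2.10 -> 192.0.2.20 TCP/135
10:00:02 192.0.2.10 -> 192.0.2.20 TCP/4444
10:00:03 192.0.2.20 -> 192.0.2.10 UDP/69
10:00:05 192.0.2.30 -> 192.0.2.40 TCP/135
10:00:06 192.0.2.30 -> 192.0.2.40 TCP/80
10:00:07 192.0.2.50 -> 192.0.2.60 TCP/4444
10:00:08 192.0.2.60 -> 192.0.2.50 UDP/69
"""
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (TCP|UDP)/(\d+)$")

# Stage order and direction relative to an (attacker, victim) pair; the TFTP
# fetch of msblast.exe is assumed to run victim -> attacker ("reverse").
STAGES = [("TCP", 135, "forward"), ("TCP", 4444, "forward"), ("UDP", 69, "reverse")]

def parse_line(line):
    """Return (time, src, dst, proto, port), or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    return (m[1], m[2], m[3], m[4], int(m[5])) if m else None

def is_blocked(proto, port):
    """True if the recommended firewall rules would drop this flow."""
    return (proto, port) in BLOCK_RULES

def find_blaster_pairs(log_text):
    """Return (attacker, victim) pairs that completed all three stages in order."""
    progress, hits = defaultdict(int), []  # pair -> index of next expected stage
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        _, src, dst, proto, port = rec
        for pair in ((src, dst), (dst, src)):  # either host may be the attacker
            stage = progress[pair]
            if stage == len(STAGES):
                continue  # pair already reported
            want_proto, want_port, direction = STAGES[stage]
            expected = pair if direction == "forward" else (pair[1], pair[0])
            if (proto, port) == (want_proto, want_port) and (src, dst) == expected:
                progress[pair] = stage + 1
                if progress[pair] == len(STAGES):
                    hits.append(pair)
    return hits
```

Only the first host pair in the sample completes all three stages; a lone RPC connection or a 4444/69 exchange without the preceding TCP/135 is not reported.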

Symantec Solutions

Symantec Client Security, Norton Internet Security, Intruder Alert, NetProwler, Gateway Security, Symantec Manhunt

The worm also attempts to perform a Denial of Service (DoS) on the Microsoft Windows Update Web server (windowsupdate.com). This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.

 

Credits

Write-up by: Douglas Knowles, Security Response, USA

References
Symantec Security Response
http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.html

 

W32.Welchia.Worm

Aliases :
Risk : High [4]

Date : 18th August 2003

Systems Affected:
Microsoft IIS, Windows 2000, Windows XP
CVE Reference : CAN-2003-0352, CAN-2003-0109

Overview

W32.Welchia.Worm is a worm that exploits multiple vulnerabilities, including:

  • The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
  • The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit. IIS 5.0 will most likely be found on Windows 2000 systems.

W32.Welchia.Worm does the following:

  • Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.
  • Checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic.
  • Attempts to remove W32.Blaster.Worm.

Credits

Write-up by: Benjamin Nahorney, Douglas Knowles and Frederic Perriot


References

Symantec Security Response
http://www.sarc.com/avcenter/venc/data/w32.welchia.worm.html

 

Top Malicious Code Threats


Risk  Threat              Discovered    Protection
4     W32.Sobig.F@mm      18 Aug 2003   19 Aug 2003
4     W32.Welchia.Worm    18 Aug 2003   18 Aug 2003
4     W32.Blaster.Worm    11 Aug 2003   11 Aug 2003
4     W32.Bugbear.B@mm    4 June 2003   5 June 2003
3     W32.Mimail.A@mm     1 Aug 2003    1 Aug 2003
 

 

Latest Malicious Code Threats


Risk  Threat              Discovered    Protection
1     W32.HLLW.Lemur      21 Aug 2003   22 Aug 2003
2     W32.HLLW.Cult.H@mm  21 Aug 2003   22 Aug 2003
3     Backdoor.Lorac      21 Aug 2003   22 Aug 2003
2     W32.HLLW.Gaobot.AA  21 Aug 2003   21 Aug 2003
2     W32.Dumaru.B@mm     20 Aug 2003   22 Aug 2003
 

 

Security News

Slammer worm crashed Ohio nuke plant network
By Kevin Poulsen, Aug 19 2003
A computerized safety monitoring system at the Davis-Besse nuclear plant was crippled after the worm entered through the business network of the plant's operator, FirstEnergy Corp. ...

The Bright Side of Blaster
By Kevin Poulsen, Aug 14 2003
Experts predict the worm will leave a more secure Internet in its wake ...

 

 

Security Advisories

Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability

Risk : High

Date : 16th July 2003

Components Affected: Many, listed here:

http://securityresponse.symantec.com/avcenter/security/Content/8205.html

Overview

A buffer overrun vulnerability has been reported in Microsoft Windows that can be exploited remotely via a DCOM RPC interface that listens on TCP/UDP port 135. The issue is due to insufficient bounds checking of client DCOM object activation requests. Exploitation of this issue could result in execution of malicious instructions with Local System privileges on an affected system.

This issue may be exposed on other ports that the RPC Endpoint Mapper listens on, such as TCP ports 139, 135, 445 and 593.

This has not been confirmed. Under some configurations the Endpoint Mapper may receive traffic via port 80.

Symantec Solutions

Symantec Manhunt, Enterprise Firewall, Symantec Vulnerability Assessment, Gateway Security.

 

Credits

Discovery of this vulnerability has been credited to The Last Stage of Delirium Research Group.

References

Source: Microsoft Security Bulletin MS03-026
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp


Symantec Security Response

http://www.sarc.com/avcenter/security/Content/8205.html

 

Multiple Oracle XDB FTP / HTTP Services Buffer Overflow Vulnerabilities

Risk : High

Date : 31st July 2003

Components Affected:
Oracle Oracle9i Enterprise Edition 9.2.0.1
Oracle Oracle9i Personal Edition 9.2.0.1
Oracle Oracle9i Standard Edition 9.2.0.1

Overview

David Litchfield has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB) during a seminar on "Variations in exploit methods between Linux and Windows" presented at the Black Hat conference.

Ultimately exploitation of these issues may provide for remote execution of arbitrary code in the security context of the vulnerable service.

Symantec Solutions

Symantec Manhunt, Gateway Security, Enterprise Firewall

 

Credits
Discovery of these vulnerabilities has been credited to David Litchfield (david@ngssoftware.com).

References
Source: Oracle Homepage
URL: http://www.oracle.com/index.html

Source: Variations in Exploit methods between Linux and Windows
URL: http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf

 

 

Common Vulnerabilities


Microsoft IE MIME Header Attachment Execution Vulnerability
Bugtraq ID: 2524   CVE Reference: CVE-2001-0154   Exploited by: W32.Klez, W32.Sobig, W32.Bugbear, W32.Yaha, W32.Nimda, W32.Lirva

MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
Bugtraq ID: 2708   CVE Reference: CVE-2001-0333   Exploited by: W32.Nimda

Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
Bugtraq ID: 1806   CVE Reference: CVE-2000-0884   Exploited by: W32.Nimda

Microsoft Windows 9x / Me Share Level Password Bypass Vulnerability
Bugtraq ID: 1780   CVE Reference: CVE-2000-0979   Exploited by: W32.Opaserv

Microsoft SQL Server Resolution Service buffer overflows allow arbitrary code execution
Bugtraq ID: 5311   CVE Reference: CAN-2002-0649   Exploited by: W32.SQLExp.Worm
 

 

Security Events Calendar

SecureWorld Expo
Date: Sept 24-25, 2003
Seattle, WA, USA

http://www.secureworldexpo.com/seattle03.php


IDC Internet Security Conference
Date: Sept 25-26, 2003
Copenhagen, Denmark
http://nordic.idc.com/Events/Security/Denmark/default.htm


VB2003 - VB Conference 2003
Date: Sept 25-26, 2003
Toronto, Canada
http://www.virusbtn.com/conference/vb2003/index.xml


AVAR 2003 - Malicious Code Conference 2003
Date: November 6-7, 2003
Sydney, Australia
http://www.aavar.org/

 

For more events go to our online Events Calendar:
http://enterprisesecurity.symantec.com/content/globalevents.cfm

 

Useful Links

 

Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
DCOM RPC vulnerability Microsoft Security Bulletin MS03-026

WebDav vulnerability Microsoft Security Bulletin MS03-007


Virus Removal Tools
Fix tools for threats such as W32.HLLW.Lovgate , W32.SQLExp.Worm , W32.Sobig.A@mm and W32.Bugbear@mm


Virus Hoaxes

There are many email virus hoaxes; please check here before forwarding email virus warnings.


Joke Programs

Joke programs are not malicious and can be safely deleted.

   

Symantec, the Symantec logo, [registered trademarks in alphabetical order] are U.S. registered trademarks of Symantec Corporation. [Common law trademarks in alphabetical order] are trademarks of Symantec Corporation. Windows, Windows NT, and the Windows logo are registered trademarks of Microsoft Corporation in the United States and other countries. All other brand and product names are trademarks of their respective holder(s). Copyright © 2003 Symantec Corporation. All rights reserved. Printed in Australia. March 2003.
Follow this link to subscribe or unsubscribe http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html


Last Updated: August 22, 2003