| Best
viewed at 1024x768 resolution
Blasted
again. |
|
The first couple of weeks
have August have been busy, really busy, some of our customer support
call statistics defy belief, it seems half of Asia Pacific was infected
with W32.Blaster.Worm and the threats that followed rapidly aftwerwards.
We are carrying the DCOM
RPC piece again this month as it's still very relevant. W32.Blaster
has been the subject of much analysis and three of Symantec Win32
experts (there are many more:) have spent some time on it.
Peter Ferrie, Frederic
Perriot, Peter Szor from Symantec Security Response, USA have a
joint paper titled 'Blast Off!' that will be published in Virus
Bulletin soon and is well worth a read.
Links
Virus Bulletin - http://www.virusbtn.com/
|
| |
Use Symantec Security Alerts on Your Web
Site
http://securityresponse.symantec.com/avcenter/cgi-bin/syndicate.cgi
|
NEW! Symantec DeepSight™
Analyzer support for Norton Personal Firewall and Norton Internet
Security |
| Symantec DeepSight Analyzer
now allows you to track and report on events that are being observed
by your personal security products. Your security events are automatically
submitted to Symantec by a software program called DeepSight Extractor.
This information is used to identify patterns in attacks that help
serve as a threat-gauging system for the Internet community. The
entire process is automated and can be completely anonymous, protecting
your identity at all times.
By joining the Symantec DeepSight
Analyzer program at Symantec, you receive a number of benefits.
Symantec DeepSight Analyzer gives you the following functionality,
at absolutely no charge to you:
1. Automated Daily Summary Reports
– Report summarizing all activity that your system has seen over
the previous 24-hour period.
2. Secure Online Event Viewing - View
a history, for previous 30 days, of all events that your systems
have submitted.
3. Secure Online Report Generation
– Generate reports, summarizing your event activity over a period
of time.
For more information on
Symantec DeepSight Analyzer for Norton Personal Firewall and Norton
Internet Security and a FREE download:
http://analyzer.securityfocus.com/downloadnis.asp
|
Monthly Security Round-up
from Symantec DeepSight Threat Management System
http://tms.symantec.com/
|
| During the week of July
27 – August 2, 2003, much anticipation surrounded the release of
exploits and malicious code targeting the recently disclosed Microsoft
Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID 8205).
Security professionals and media reports continued to speculate
the feasibility of a successful worm. Active exploitation of this
vulnerability was reported, and malicious code has been written
to allow trojan programs to use this vulnerability as an infection
vector. Currently, no software has been seen which employs functioning
code that may allow autonomous propagation in a worm-like fashion,
but it is believed that such code may be deployed in the near future.
Another vulnerability
has been reported in the popular Washington University FTP daemon.
Wu-ftpd carries a history of significant security vulnerabilities.
Other significant vulnerabilities disclosed this week included a
local buffer overflow present in Solaris.
The DeepSight Threat Analyst
Team has released a Threat Analysis of a malicious tool known as
NiBu. In addition to typical backdoor functionality, NiBu also attempts
to steal sensitive financial information. Activity, and the discovery
of an auto-rooter type rootkit that targets the Microsoft DCOM RPC
Interface overflow prompted the revision of an old Threat Alert
and the release of a separate Threat Alert.
The week of August 3-9,
2003, continued to see widespread exploitation of the Windows DCOM
RPC Interface Buffer Overrun Vulnerability. A functional worm proliferated
on August 11, 2003, and numerous automated tools have been made
available to the public to automate exploitation of this vulnerability
in a fast and efficient manner. Various groups of attackers are
known to be constructing large bot networks, many of which could
be capable of conducting extremely powerful Distributed Denial of
Service (DDoS) attacks. Network security specialists have speculated
as to the potential impact of this vulnerability, and it has been
generally agreed that a functional worm may be created relatively
easily.
A vulnerability has been disclosed
in the HTTP server in Cisco IOS, which is particularly interesting
because it has demonstrated the possibility to execute shellcode
on router devices. This domain of security has gone relatively unexplored,
and as more information regarding this becomes available, administrators
may be faced with having to
implement protection against new attack vectors that have been previously
overlooked.
Two Threat Analyses have
been released this week, both relating the Windows DCOM RPC Interface
Buffer Overrun Vulnerability. An analysis of Cirebot, a bot used
to compromise machines via this vulnerability is available. In addition,
a document outlining general exploitation patterns of the vulnerability
is also available.
August 10 - 16, 2003,
was dominated by discussion and attention directed at a new worm,
W32.Blaster, and the Windows DCOM RPC Interface Buffer Overflow
that it used in order to spread. As has been forecasted for weeks,
this worm began propagating, and achieved significant success
due to the large number of vulnerable hosts. In response to this
issue, the Threat Analyst Team released a Threat Alert.
Another Threat Alert was
issued in response to a sudden rise in traffic targeting TCP/3410.
The rise in traffic has not yet been accounted for, but it is likely
that it is related to a
backdoor trojan that listens on this port.
W32.Blaster, and a backdoor
sent through the mail attempting to capitalize on the press achieved
by this worm, both figure prominently in the malicious code listings
this week.
|
| |
Viruses,
Trojans & Worms |
|
W32.Blaster.Worm
Aliases
: W32/Lovsan.worm.a [McAfee],
Win32.Poza.A [CA], Lovsan [F-Secure], WORM_MSBLAST.A [Trend], W32/Blaster-A
[Sophos], W32/Blaster [Panda], Worm.Win32.Lovesan [KAV]
Risk : High [4]
Date : 11th
August 2003
Systems Affected:
Windows 2000, Windows XP
CVE Reference : CAN-2003-0352
Overview
W32.Blaster.Worm
is a worm that exploits the DCOM RPC vulnerability (described in
Microsoft
Security Bulletin MS03-026 ) using TCP port 135. The worm targets
only Windows 2000 and Windows XP machines. While Windows NT and
Windows 2003 Server machines are vulnerable to the aforementioned
exploit (if not properly patched), the worm is not coded to replicate
to those systems. This worm attempts to download the msblast.exe
file to the %WinDir%\system32 directory and then execute it. W32.Blaster.Worm
does not have a mass-mailing functionality.
Additional information and an alternate site from which to download
the Microsoft patch is available in the Microsoft article, "
What
You Should Know About the Blaster Worm and Its Variants ."
|
We
recommend that you block access to TCP port 4444 at the firewall
level, and then block the following ports, if you do not use the
following applications:
- TCP Port 135, "DCOM RPC"
- UDP Port 69, "TFTP"
|
|
The worm also
attempts to perform a Denial of Service (DoS) on the Microsoft Windows
Update Web server (windowsupdate.com). This is an attempt to prevent
you from applying a patch on your computer against the DCOM RPC
vulnerability
Credits
Write-up by:
Douglas Knowles, Security Response, USA
References
Symantec Security Response
http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.html
|
| |
|
W32.Welchia.Worm
Aliases
Risk High [4]
Date : 18th August 2003
Systems Affected
Microsoft IIS, Windows 2000, Windows
XP
CVE Reference : CAN-2003-0352,
CAN-2003-0109
Overview
W32.Welchia.Worm is a worm
that exploits multiple vulnerabilities, including:
- The DCOM RPC vulnerability (described in Microsoft Security
Bulletin MS03-026) using TCP port 135. The worm specifically targets
Windows XP machines using this exploit.
- The WebDav vulnerability (described in Microsoft Security Bulletin
MS03-007) using TCP port 80. The worm specifically targets machines
running Microsoft IIS 5.0 using this exploit. IIS 5.0 will most
likely be found on Windows 2000 systems.
W32.Welchia.Worm does
the following:
- Attempts to download the DCOM RPC patch from Microsoft's Windows
Update Web site, install it, and then reboot the computer.
|
- Checks for active machines to infect by sending an ICMP echo
request, or PING, which will result in increased ICMP traffic.
- Attempts to remove W32.Blaster.Worm
|
|
| |
|
|
Credits
Write-up by: Benjamin Nahorney
and Douglas Knowles, Frederic Perriot
References
Symantec Security Response
http://www.sarc.com/avcenter/venc/data/w32.welchia.worm.html
|
|
Security News |
| Slammer
worm crashed Ohio nuke plant network
By Kevin Poulsen Aug 19 2003
A computerized safety monitoring system at the Davis-Besse nuclear
plant was crippled after the worm entered through the business network
of the plant's operator, FirstEnergy Corp. ... >>
The
Bright Side of Blaster
By Kevin Poulsen Aug 14 2003
Experts predict the worm will leave a more secure Internet in its
wake ... >>
|
| |
Security
Advisories |
| Microsoft
Windows DCOM RPC Interface Buffer Overrun Vulnerability
Risk :High
Date :16th
July2003
Components Affected:
Many, listed here;
http://securityresponse.symantec.com/avcenter/security/Content/8205.html
Overview
A buffer overrun vulnerability has been
reported in Microsoft Windows that can be exploited remotely via
a DCOM RPC interface that listens on TCP/UDP port 135. The issue
is due to insufficient bounds checking of client DCOM object activation
requests. Exploitation of this issue could result in execution of
malicious instructions with Local System privileges on an affected
system. |
This
issue may be exposed on other ports that the RPC Endpoint Mapper
listens on, such as TCP ports 139, 135, 445 and 593.
This has not been confirmed.
Under some configurations the Endpoint Mapper may receive traffic
via port 80. |
|
Credits
Discovery of this vulnerability
has been credited to The Last Stage of Delirium Research Group.
References
Source: Microsoft Security
Bulletin MS03-026
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS03-026.asp
Symantec Security Response
http://www.sarc.com/avcenter/security/Content/8205.html |
| |
|
Multiple
Oracle XDB FTP / HTTP Services Buffer Overflow Vulnerabilities
Risk :High
Date :31st
July 2003
Components Affected:
Oracle Oracle9i Enterprise Edition 9.2 .0.1
Oracle Oracle9i Personal Edition 9.2 .0.1
Oracle Oracle9i Standard Edition 9.2 .0.1
Overview
David Litchfield, has
illustrated multiple vulnerabilities in the Oracle 9i XML Database
(XDB), during a seminar on "Variations in exploit methods between
Linux and Windows" presented at the Blackhat conference.
|
Ultimately exploitation of
these issues may provide for remote execution of arbitrary code
in the security context of the vulnerable service.
|
|
Credits
Discovery of these vulnerabilities has been credited to David Litchfield
(david@ngssoftware.com).
References
Source: Oracle Homepage
URL: http://www.oracle.com/index.html
Source: Variations in Exploit methods between Linux and Windows
URL: http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf
|
| |
Common
Vulnerabilities |
|
|
| Microsoft
IE MIME Header Attachment Execution Vulnerability |
| Bugtraq
ID |
CVE
Reference |
Exploited
by |
| 2524 |
CVE-2001-0154
|
W32.Klez,
W32.Sobig, W32.BugbearW32.Yaha, W32.Nimda, W32.Lirva |
|
| MS
IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
|
| 2708 |
CVE-2001-0333
|
W32.Nimda
|
|
| Microsoft
IIS and PWS Extended Unicode Directory Traversal Vulnerability |
| 1806 |
CVE-2000-0884
|
W32.Nimda
|
|
| Microsoft
Windows 9x / Me Share Level Password Bypass Vulnerability |
| 1780 |
CVE-2000-0979
|
W32.Opaserv |
|
| Microsoft
SQL Server Resolution Service buffer overflows allow arbitrary code
execution |
| 5311 |
CAN-2002-0649
|
W32.SQLExp.Worm
|
| |
|