The Symantec web site has been re-launched with a bright new look, so we have taken the opportunity to tidy up the
newsletter and add some new features. The first is a breakdown by geographic region for threats we write up that
are in the wild (reported by customers). The same chart shows the distribution by percentage, over a date range,
of the number of reports from customers. This range highlights the peak in the number of reports; if the highlighted
date is at the end of the scale then we may not have reached the peak yet.
The second is a new virus listing in the sidebar, this month at the top, which will focus on a particular country.
We've started with Australia and will work our way down a list which is sorted by the number of subscribers per
country. Canada is next, followed by Great Britain, Germany, then the Netherlands. After that it'll be by request,
or we'll select countries that may be interesting because the types and numbers of viruses reported differ from
the global picture in some way. For example, a certain virus or worm may not work well on double-byte Windows (Chinese,
Japanese etc.).
W32.Myparty@mm has the dubious honor of being the first threat of note in 2002, being discovered late in January.
Thankfully it limited itself to a five-day period to replicate. This should be a mandatory feature for a worm,
a cut-off date; virus authors please take note.
David Banes.
Editor, securitynews@symantec.com
Viruses, Worms & Trojans

W32.Myparty@mm
Medium [3] Threat
Win32

Global Infection breakdown by geographic region | % of Total
America (North & South)                         | 65.0%
EMEA (Europe, Middle East, Africa)              | 27.1%
Japan                                           | 3.9%
Asia Pacific                                    | 4.0%

Date   | % Reports
26 Jan | 0.02%
27 Jan | 0.45%
28 Jan | 24.83%
29 Jan | 41.93%
30 Jan | 14.13%
31 Jan | 6.87%
1 Feb  | 4.79%
2 Feb  | 3.04%
3 Feb  | 2.06%
4 Feb  | 1.87%

W32.Myparty@mm is a mass-mailing email worm. This worm is capable of spreading itself only between January
25, 2002, and January 29, 2002. However, it remains active on infected computers after this period of time.
It has the following characteristics:
Subject: new photos from my party!
Message:
Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
Attachment: www.myparty.yahoo.com
The worm sends email to all contacts in the Windows address book and to email addresses that it finds in the Outlook
Express inboxes and folders. In addition, the worm sends a message to the author so that the author can track the
worm.
On Windows NT/2000/XP-based computers, the worm drops a backdoor Trojan that allows a hacker to control the system.
Norton AntiVirus detects this as Backdoor.Myparty.
Finally, if the file name of the worm is Access.<any extension>, it may launch the Web browser to
http://www.disney.com. However, the worm does not contain code which can generate a file with the name Access.<any
extension>, so it is highly unlikely that this will trigger.
http://securityresponse.symantec.com/avcenter/venc/data/w32.myparty@mm.html
Douglas Knowles and Eric Chien
Symantec Security Response, EMEA.
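As an added example (not part of the Symantec write-up), the following POSIX sh functions show how a mail gateway could screen incoming messages for the W32.Myparty@mm lure described above: the fixed Subject line and the attachment name www.myparty.yahoo.com. The sample messages are constructed, the MIME header layout used for the attachment is an assumption, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the Symantec newsletter. Screens one message
# (passed as a string) for the W32.Myparty@mm lure: Subject "new photos from
# my party!" and attachment "www.myparty.yahoo.com". Function names and the
# Content-Disposition layout below are assumptions for the demonstration.

# Returns 0 when the Subject header is the worm's fixed lure line.
myparty_subject() {
    printf '%s\n' "$1" | grep -Eiq '^Subject:[[:space:]]*new photos from my party!'
}

# Returns 0 when any header names the worm's attachment file.
myparty_attachment() {
    printf '%s\n' "$1" | grep -Eiq 'filename="?www\.myparty\.yahoo\.com"?'
}

# Verdict for one message: "quarantine" if either indicator matches, else
# "deliver". The attachment name alone is enough, so an edited or stripped
# subject line does not let the file through.
screen_message() {
    if myparty_attachment "$1" || myparty_subject "$1"; then
        echo "quarantine"
    else
        echo "deliver"
    fi
}

# Constructed sample messages (not real captures).
WORM_MSG='From: someone@example.invalid
Subject: new photos from my party!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
--b1
Content-Type: application/octet-stream; name="www.myparty.yahoo.com"
Content-Disposition: attachment; filename="www.myparty.yahoo.com"
--b1--'

CLEAN_MSG='From: colleague@example.invalid
Subject: minutes from the party planning meeting

Attached are the minutes from this morning.'

screen_message "$WORM_MSG"    # quarantine
screen_message "$CLEAN_MSG"   # deliver
```

On a real gateway the message text would come from the filter's stdin rather than a shell variable; the point of the two separate indicators is that the attachment name is the stronger signal, since the worm's subject line is fixed today but trivially changed in a variant.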
W32.Donut
Minimal [1] Threat
Win32

W32.Donut is a virus that targets .exe files that were created for the Microsoft .NET framework. W32.Donut
is a concept virus. It does not have any significant chance of becoming widespread. However, it shows that virus
writers are paying close attention to the new .NET architecture and are attempting to learn how to exploit it before
the .NET framework is available on most systems.
http://securityresponse.symantec.com/avcenter/venc/data/w32.donut.html
Peter Szor
Symantec Security Response, USA

W32.Klez.E@mm
Low [2] Threat
Win32

Global Infection breakdown by geographic region | % of Total
America (North & South)                         | 19.8%
EMEA (Europe, Middle East, Africa)              | 57.1%
Japan                                           | 3.7%
Asia Pacific                                    | 19.4%

Date   | % Reports
17 Jan | 1.71%
20 Jan | 2.33%
23 Jan | 12.89%
27 Jan | 13.82%
30 Jan | 16.30%
31 Jan | 11.96%
1 Feb  | 8.23%
2 Feb  | 5.28%
3 Feb  | 8.39%
4 Feb  | 11.34%

W32.Klez.E@mm is similar to W32.Klez.A@mm. It is a mass-mailing email worm that also attempts to copy itself to
network shares. The worm uses random subject lines, message bodies, and attachment file names.
The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when
you open or even preview the message in which it is contained. Information and a patch for the vulnerability can
be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
The worm overwrites files and creates hidden copies of the original. In addition, the worm drops the virus W32.Elkern.3587
which is similar to W32.ElKern.3326. The worm attempts to disable some common antivirus products and has a payload
which fills files with all zeroes.
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html
Atli Gudmundsson and Eric Chien
Symantec Security Response, EMEA.

Security Advisories

Common Desktop Environment (CDE) dtspcd Buffer Overflow
Symantec Corporation advises its customers to be aware of a remote root-access buffer overflow vulnerability in
the Common Desktop Environment's (CDE's) desktop subprocess control service (dtspcd). A remote intruder can cause
arbitrary code to be run with root-level privileges on the targeted system, potentially gaining root access to
the system.
The CDE is an integrated graphical user interface that runs on Unix and Linux operating systems. "dtspcd"
is a network daemon that accepts requests from clients to execute commands and launch applications remotely. On
systems running CDE, dtspcd is spawned by the Internet services daemon (typically inetd or xinetd) in response
to a CDE client request. The dtspcd is typically configured to run on port 6112/tcp with root privileges. dtspcd
makes a function call to a shared library that contains a buffer overflow condition in the client connection routine.
The buffer overflow can be exploited by a specially crafted CDE client request allowing a remote attacker to gain
administrative privileges on the affected host.
Although this vulnerability can potentially affect any operating system using CDE functionality, there is information
that an exploit has been specifically developed for and is being actively used against SunOS 5.51 through 8, both
SPARC and x86 releases. If your system(s) is/are not running the CDE Subprocess Control Service, you are not vulnerable
to this issue. To determine if you have CDE installed and enabled, check for the following entries:
In /etc/services check for "dtspc 6112/tcp"
In /etc/inetd.conf check for "dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd"
http://securityresponse.symantec.com/avcenter/security/Content/995desc.html
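As an added example (not part of the Symantec advisory), a small POSIX sh script that performs the two checks above against the contents of /etc/services and /etc/inetd.conf and reports whether the dtspcd service is actually enabled. It treats a commented-out inetd.conf line as disabled, which the advisory's wording implies but does not spell out. The file contents used below are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the Symantec advisory. Checks whether a host
# has the CDE Subprocess Control Service (dtspcd) registered and enabled,
# using the two entries the advisory names. File contents are passed as
# strings so the check can run against copies of the files; function names
# are assumptions for the demonstration.

# Returns 0 if an /etc/services-style text registers dtspc on 6112/tcp.
# Leading '#' lines do not match, so a commented entry counts as absent.
dtspc_in_services() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*dtspc[[:space:]]+6112/tcp'
}

# Returns 0 if an inetd.conf-style text has an active (uncommented) dtspc line
# invoking /usr/dt/bin/dtspcd as root, as in the advisory's entry.
dtspc_in_inetd() {
    printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*dtspc[[:space:]]+stream[[:space:]]+tcp[[:space:]]+nowait[[:space:]]+root[[:space:]]+/usr/dt/bin/dtspcd'
}

# Verdict: "exposed" only when both the port registration and the inetd entry
# are active; the advisory states that a host not running the service is not
# vulnerable to this issue.
dtspcd_status() {
    if dtspc_in_services "$1" && dtspc_in_inetd "$2"; then
        echo "exposed"
    else
        echo "not-enabled"
    fi
}

# Constructed sample file contents (not copied from any real host).
SERVICES_ENABLED='ftp     21/tcp
dtspc   6112/tcp'
SERVICES_CLEAN='ftp     21/tcp'
INETD_ENABLED='dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd'
INETD_COMMENTED='#dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd'

dtspcd_status "$SERVICES_ENABLED" "$INETD_ENABLED"     # exposed
dtspcd_status "$SERVICES_ENABLED" "$INETD_COMMENTED"   # not-enabled
dtspcd_status "$SERVICES_CLEAN"   "$INETD_ENABLED"     # not-enabled

# On a live host: dtspcd_status "$(cat /etc/services)" "$(cat /etc/inetd.conf)"
```

On systems using xinetd, as the advisory mentions, the service definition lives under /etc/xinetd.d instead of inetd.conf, so the second check would need to look there; the /etc/services check is the same on both.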

Enterprise Security News Clips

Vulnerability & Exploit News

Creating a Security Policy

You can enhance your small business security by establishing a company-wide policy on issues such as password usage,
remote connections, workstation security and downloads. Once you decide the security standards you want to maintain,
the security policy should be distributed to employees. Periodic meetings to review the policy, answer questions
and gain employee feedback can be helpful.
One of the most important first steps is deciding what you want to allow in your operation. Before you create your
policy, you should decide how restrictive or permissive you want the policy to be. If your company doesn't handle
sensitive data, your security policy won't need to be as strict as one dealing with confidential customer information
and credit card numbers. Once you have an idea of the security needs of your small business, consider the following
security issues and how you'd like to address them with your employees:
Password Usage. The issue of passwords is one that should definitely be included in your security policy. It can
be one of the biggest holes in your network security caused by employees. Establish rules about password choice
and recommend safe ways of creating them, such as:
- Don't use information easily obtained about you, including license plate numbers, telephone numbers, social security
numbers, the brand of your automobile, the name of the street you live on, etc.
- Use a combination of upper and lowercase letters, punctuation and numbers.
- Never write your password down.
- Change your password regularly.
To make it easier to remember to change your password, associate it with an event. For example, change your password
the first of each month or every other payday.
Instant Messaging. Unless your employees need instant-messaging clients such as IRC, ICQ or Netscape Instant Messenger
as business-related tools, you might consider disabling them in order to protect the safety of your network. Chat
programs use public networks that make it relatively easy for hackers to intercept information or files during
transfer. Security holes in chat-client software can be easily used by hackers to gain access to networks and steal
sensitive data and files. Users of chat programs might also be manipulated into communicating sensitive information
or downloading files containing malicious code. Trickery of this kind is facilitated by the theft of instant messenger
identities. Hackers may steal usernames and passwords and pose as a coworker or other trusted source fooling victims
into sending them files and information.
Remote Connections. If you have remote workers logging onto your network, let them know the security policy still
applies at home or on the road. Connecting to a network from an insecure workstation weakens your carefully constructed
in-house security. Protect remote workers with anti-virus software and a firewall so their computers don't become
a weak spot for hackers and malicious code. Norton Internet Security, which includes Norton Personal Firewall and
Norton AntiVirus, can protect your employees at home or on the road against viruses and malicious code – while
keeping the connection to your server secure.
Workstation Security. Your security policy should emphasize workstation security among employees. Passwords and
sensitive information should never be written down. Many workers tend to write their passwords on sticky notes
on computer monitors – this should be banned. It also might be a good idea to recommend employees "lock"
their desktop workstations when leaving them, using "control+alt+delete," which requires a password to
unlock the system.
Anti-virus Software. An important part of your small business security policy is to take a stand on attachments,
downloads and other risky behavior that can set your system up for a virus invasion. Make sure your employees know
the importance of scanning all attachments before opening them, and have them avoid downloading files from unfamiliar
or insecure sites.
Norton Internet Security. Norton Internet Security is your total small business security solution. Norton Internet
Security includes the award-winning Norton AntiVirus to protect your server and workstations against viruses, Trojan
horses, worms and malicious code. Norton Personal Firewall blocks out intruders and hackers and keeps your sensitive
data safe.
If you establish a written security policy, the guidelines for safe computing behavior in the workplace will be
clear to your employees. You may want to consider posting consequences for violating the security policy if you
feel that would help employees adhere to it. Examining the security needs of your business, organizing them into
a concise and easily understood security policy, and distributing this policy among your employees is a sure way
to bolster network security, protect proprietary information and reduce liability exposure -- soundly protecting
the future of your small business.

Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com, no unsubscribe or support emails please.
Follow this link to subscribe or unsubscribe: http://securityresponse.symantec.com/avcenter/newsletter.html
Send virus samples to: avsubmit@symantec.com

Disclaimer: THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.
This message contains Symantec Corporation's current view of the topics discussed as of the date of this document.
The information contained in this message is provided "as is" without warranty of any kind, either expressed
or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose,
and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document.
This document may not be distributed for profit.
Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products
are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials
may not be published in other documents without the express, written permission of Symantec Corporation.