ISSN 1444-9994

Symantec Security Response Newsletter

January/February 2004

 

Summary


Multiple medium-to-high risk worm outbreaks, based on the MyDoom, Netsky, and Beagle worm families, largely dominated the months of January and February. Both the MyDoom and Beagle worms contained backdoors that were the target of reasonably widespread activity soon after their release. The successor to one of last year's most prolific worms was also released: W32.Welchia.B was discovered on February 11, 2004. However, it eventually turned out to be not nearly as virulent as its predecessor.

Also in February, W32.Doomjuice was released. It is similar to Welchia in that it targets hosts already infected by another worm: W32.Doomjuice attempts to remove any instances of the W32.MyDoom.A and W32.MyDoom.B worms. It also launches a Denial of Service (DoS) attack against the Microsoft corporate Web site.

The most significant vulnerability released in January was the Multiple Vendor H.323 Protocol Implementation Vulnerabilities. In February, critical vulnerabilities in the Microsoft Windows operating system were announced. Two severe vulnerabilities were reported in the Microsoft Abstract Syntax Notation 1 (ASN.1) handling Library. A DoS exploit was released for one of the ASN.1 vulnerabilities. The exploit designed for the ASN.1 vulnerability also induced a DoS condition against Microsoft IIS.

A portion of the Microsoft Windows 2000 and NT 4.0 source code was leaked on the Internet and then freely circulated via various file-sharing networks. Security professionals speculate that the ultimate impact of the leak will be to help attackers locate vulnerabilities and develop exploits targeting Windows, since source code is easier to audit than compiled binaries.

 

Security News
http://www.securityfocus.com/


Exploit based on leaked Windows Code released
By Patrick Gray Feb 16 2004
The first new security vulnerability to emerge from last week's Microsoft source code leak crossed a security mailing list over the weekend, reigniting debate over the seriousness of the leak. The vulnerability affects Internet Explorer 5 and various versions of Outlook Express. It was unearthed in code the two programs use to process bitmap image files, and affects the software on several versions of Windows, including 98, 2000 and XP...

Software Bug Contributed to Blackout
By Kevin Poulsen Feb 16 2004
A previously-unknown software flaw in a widely-deployed General Electric energy management system contributed to the devastating scope of the August 14th northeastern U.S. blackout, industry officials revealed this week...

 

Monthly Security Round-up from Symantec DeepSight Threat Management System
http://tms.symantec.com/


The Multiple Vendor H.323 Protocol Implementation Vulnerabilities were the most significant vulnerabilities released in January. These vulnerabilities affected a broad range of products, with their impact ranging from Denial of Service (DoS) to remote code execution.

In February, critical vulnerabilities in the Microsoft Windows operating system were announced. Two severe vulnerabilities were reported in the Microsoft Abstract Syntax Notation 1 (ASN.1) handling Library. A DoS exploit was released for one of the ASN.1 vulnerabilities. The exploit designed for the ASN.1 vulnerability also induced a DoS condition against Microsoft IIS.

Microsoft ASN.1 Library Multiple Stack-Based Buffer Overflow Vulnerabilities
http://online.securityfocus.com/bid/9743
It has been reported that the Microsoft ASN.1 library may be prone to multiple stack-based buffer overflow vulnerabilities that could allow an attacker to execute arbitrary code, leading to unauthorized access to a vulnerable system. The issues have been identified in the ASN1BERDecDouble and ASN1PERDecDouble functions.

Sun Solaris conv_fix Unspecified File Overwrite Vulnerability
http://online.securityfocus.com/bid/9759
It has been reported that Sun Solaris may be prone to a vulnerability due to an unspecified erroneous condition resulting from the "conv_fix" command that the conv_lpd(1M) script invokes. This issue reportedly permits a local attacker to overwrite or create any file on the system. Successful exploitation of this issue may allow a local attacker to gain elevated privileges, leading to a full compromise of a vulnerable system. The attacker may also cause a denial of service condition on the system.

Microsoft Internet Explorer Bitmap Processing Integer Overflow Vulnerability
http://online.securityfocus.com/bid/9663
Microsoft Internet Explorer has been reported to be prone to an integer overflow vulnerability. The issue presents itself in the bitmap file processing procedures and is the result of a signed integer being used in a boundary-checking routine.

An attacker may reportedly create a malicious bitmap crafted so that the affected integer wraps to a negative value when the file is processed. When this integer is later used in a procedure that reads data into a 1024-byte buffer, the procedure may read excessive data into the buffer, resulting in a stack buffer overflow. Ultimately an attacker may exploit this condition to corrupt a saved instruction pointer or stack-frame base pointer and redirect the execution flow of the affected browser into attacker-supplied instructions.
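The signed-versus-unsigned bounds check described above, as an added illustration (not Internet Explorer's code; the record layout and the 4-byte little-endian length fields are constructed for the example): the flawed check lets a wrapped value through and hands a huge size to the copy, while the hardened reader keeps the value unsigned and bounds it against both the destination buffer and the bytes actually present.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CHUNK_BUF 1024   /* the fixed-size stack buffer the advisory describes */

/* Constructed 4-byte little-endian length fields (illustrative, not real bitmap data) */
const unsigned char LEN_OK[4]      = {0x00, 0x04, 0x00, 0x00};  /* 1024 */
const unsigned char LEN_TOO_BIG[4] = {0x01, 0x04, 0x00, 0x00};  /* 1025 */
const unsigned char LEN_WRAPPED[4] = {0xFF, 0xFF, 0xFF, 0xFF};  /* 0xFFFFFFFF, i.e. -1 as int32 */

/* Constructed records: 4-byte length field followed by payload bytes */
const unsigned char REC_SMALL[]   = {0x05, 0x00, 0x00, 0x00, 'p', 'i', 'x', 'e', 'l'};
const unsigned char REC_WRAPPED[] = {0xFF, 0xFF, 0xFF, 0xFF, 'x', 'y'};

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The flawed pattern: the field lands in a signed int and the only check is an
   upper bound, so a wrapped (negative) value sails through. Returns 1 when the
   check would let the copy proceed. (Check only; nothing is copied here.) */
int signed_check_accepts(const unsigned char *field)
{
    int32_t len = (int32_t)le32(field);
    return len > CHUNK_BUF ? 0 : 1;
}

/* The byte count a copy routine would actually receive after that check,
   once the negative int is converted to size_t: -1 becomes SIZE_MAX. */
size_t signed_check_copy_size(const unsigned char *field)
{
    int32_t len = (int32_t)le32(field);
    return (size_t)len;
}

/* Hardened reader: keep the value unsigned, bound it against both the
   destination buffer and the bytes actually present, then copy. Returns the
   number of bytes copied into the internal buffer, or -1 if the record is rejected. */
static unsigned char chunk[CHUNK_BUF];

long read_chunk_checked(const unsigned char *rec, size_t rec_len)
{
    if (rec_len < 4) return -1;                 /* no room for the length field */
    uint32_t len = le32(rec);                   /* unsigned: no negative values exist */
    if (len > CHUNK_BUF) return -1;             /* would overflow the fixed buffer */
    if (len > rec_len - 4) return -1;           /* claims more bytes than are present */
    memcpy(chunk, rec + 4, len);
    return (long)len;
}

int main(void)
{
    printf("wrapped field: signed check accepts=%d, copy size would be %zu\n",
           signed_check_accepts(LEN_WRAPPED), signed_check_copy_size(LEN_WRAPPED));
    printf("hardened: small record -> %ld, wrapped record -> %ld\n",
           read_chunk_checked(REC_SMALL, sizeof REC_SMALL),
           read_chunk_checked(REC_WRAPPED, sizeof REC_WRAPPED));
    return 0;
}
```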

Microsoft Internet Explorer Shell: IFrame Cross-Zone Scripting Vulnerability
http://online.securityfocus.com/bid/9628
It has been alleged that Microsoft Internet Explorer is prone to an issue that may allow hostile script code to access the properties of an IFrame that has been opened in the context of the My Computer Zone. Reportedly, if an IFrame opens a local resource using a "shell:" link, the page that spawns the IFrame may be able to access the properties of the My Computer Zone.

If this issue is exploitable, it could ultimately lead to the execution of malicious script code in the context of the My Computer Zone. This issue can also potentially allow for the remote compromise of the client system in the context of the client user. Symantec has not confirmed these reports, which are pending further investigation. This BID will be updated when further information becomes available and retired if the alleged issue is not exploitable.

Opera Web Browser CLSID File Extension Misrepresentation Vulnerability
http://online.securityfocus.com/bid/9640
A vulnerability has been reported in the Opera Web Browser that may allow files to be misrepresented to client users. This issue could be exploited to deceive users into opening seemingly harmless files, which may be malicious.

The browser presents the content to the user as the file name and type specified after the CLSID, whereas the CLSID (which specifies an HTML application) actually determines the content type. It is not known at this time where the security flaw lies; however, it has been demonstrated that such a file name may be used to misrepresent the file type.

The dot to separate the additional file extension may need to be URL-encoded (%2E) for exploitation to be successful, though this has not been confirmed. This issue could be exploited to disguise the executable content in the form of an HTML application (HTA) file as a file type that may appear to be innocuous to a victim user. The file will appear to be of an attacker-specified type in the file download dialog presented to the user. The user may then download/open that particular file assuming that it is safe, which could result in the execution of malicious code on the client system within the context of the victim user.

Note: The file name may be prepended by "..." in the download dialog to abbreviate the malicious file name and CLSID extension in the prefix. This issue could be exploited via a malicious Web page or possibly through email.

Multiple Vendor H.323 Protocol Implementation Vulnerabilities
http://online.securityfocus.com/bid/9406
It has been reported that multiple vendor implementations of the H.323 protocol contain various vulnerabilities. These vulnerabilities may range from a simple denial of service to potential arbitrary code execution. As a result of these vulnerabilities, a Multiple H.323 Vulnerabilities Alert was released on January 13, 2004.

Microsoft ISA Server 2000 H.323 Filter Remote Buffer Overflow Vulnerability
http://online.securityfocus.com/bid/9408
It has been reported that the H.323 filter, which Microsoft ISA Server 2000 uses, is prone to a remote buffer overflow vulnerability. The condition presents itself as a result of insufficient boundary checks that the Microsoft Firewall Service performs on specially crafted H.323 traffic. Successful exploitation of this vulnerability may allow a remote attacker to execute arbitrary code in the context of the Microsoft Firewall Service running on ISA Server 2000. This may lead to complete control of the vulnerable system. This vulnerability was one of the vulnerabilities covered in the Multiple H.323 Vulnerabilities Alert released on January 13, 2004.

 

Viruses, Trojans & Worms
http://securityresponse.symantec.com/


W32.Netsky.D@mm
Aliases: WORM_NETSKY.D [Trend], W32/Netsky.d@MM [McAfee], W32/Netsky.D.worm [Panda], W32/Netsky-D [Sophos], Win32.Netsky.D [Computer Associates], I-Worm.Netsky.d [Kaspersky]
Risk: High [4]
Date: March 1, 2004
Systems Affected: Windows 9.x, Windows 2000, Windows XP
CVE Reference: N/A
Overview
W32.Netsky.D@mm is a mass-mailing worm that sends itself to email addresses it gathers from files with extensions such as .dhtm, .cgi, .shtm, and .msg on drives C through Z of an infected system. The From address is spoofed.

Payload

  • Causes the PC speaker to beep on certain days at certain times
  • Creates a mass-mailing of itself that may block mail servers or degrade network performance
  • Creates a mass-mailing of itself that may impact system performance

Subject

  • Re: Your website
  • Re: Your product
  • Re: Your letter
  • Re: Your archive
  • Re: Your text
  • Re: Your bill
  • Re: Your details
  • Re: My details
  • Re: Word file
  • Re: Excel file
  • Etc.

Attachment

  • your_website.pif
  • your_product.pif
  • your_letter.pif
  • your_archive.pif
  • your_text.pif
  • your_bill.pif
  • your_details.pif
  • document_word.pif
  • document_excel.pif
  • my_details.pif
  • all_document.pif
  • application.pif
  • mp3music.pif
  • yours.pif
  • document_4351.pif
  • your_file.pif
  • message_details.pif
  • your_picture.pif
  • document_full.pif
  • message_part2.pif
  • document.pif
  • your_document.pif

Mitigating Strategies

  • Mass-mailing worms can often originate from people the user knows. Do not open or execute unexpected message attachments.
  • Filter attachments not on a list of approved types at the e-mail gateway.
  • Apply the Outlook E-mail Security Update (Q262631) to block user access to certain attachment types. This update will also notify the user of applications attempting to access the Outlook address book.

W32.Beagle.J@mm
Aliases: W32/Bagle.j@MM [McAfee], WORM_BAGLE.J [Trend], Win32.Bagle.J [Computer Associates], W32/Bagle-J [Sophos]
Risk: Medium [3]
Date: March 2, 2004
Systems Affected: Windows 9.x, Windows ME, Windows 2000, Windows 2003, Windows XP
CVE Reference: N/A
Overview
The W32.Beagle.J@mm worm:

  • Is a mass-mailing worm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through email.
  • Sends the attacker the port on which the backdoor listens, as well as the IP address.
  • Attempts to spread through file-sharing networks, such as Kazaa and iMesh, by dropping itself into the folders that contain "shar" in their names.

The email has the following characteristics:

From: (May be one of the following)

  • management@<recipient domain>
  • administration@<recipient domain>
  • staff@<recipient domain>
  • noreply@<recipient domain>
  • support@<recipient domain>

Subject: (One of the following)

  • E-mail account disabling warning.
  • E-mail account security warning.
  • Email account utilization warning.
  • Important notify about your e-mail account.
  • Notify about using the e-mail account.
  • Notify about your e-mail account utilization.
  • Warning about your e-mail account.

Message: (One of the following lines)

  • Dear user of <domain>,
  • Dear user of <domain> gateway e-mail server,
  • Dear user of e-mail server "<domain>",
  • Hello user of <domain> e-mail server,
  • Dear user of "<domain>" mailing system,
  • Dear user, the management of <domain> mailing system wants to let you know that,

Followed by one of the following paragraphs:

  • Your e-mail account has been temporary disabled because of unauthorized access.
  • Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.
  • Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.
  • We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.
  • Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.
  • Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

Followed by one of the following lines:

  • For more information see the attached file.
  • Further details can be obtained from attached file.
  • Advanced details can be found in attached file.
  • For details see the attach.
  • For details see the attached file.
  • For further details see the attach.
  • Please, read the attach for further details.
  • Pay attention on attached file.

Followed by one of the following lines:

  • The Management,
  • Sincerely,
  • Best wishes,
  • Have a good day,
  • Cheers,
  • Kind regards,

Followed by:

  • The <domain> team     http://www.<domain>

If the attachment is a zip file, the message will include one of the following lines:

  • For security reasons attached file is password protected. The password is "<password>".
  • For security purposes the attached file is password protected. Password is "<password>".
  • Attached file protected with the password for security reasons. Password is <password>.
  • In order to read the attach you have to use the following password: <password>.

Notes:

  • <domain> is the domain name part of the email address.
  • <password> is a five-digit, random number that the worm uses to encrypt the attached .zip file.

Attachment: <One of the following names>.zip or .pif:

  • Attach
  • Information
  • Readme
  • Document
  • Info
  • TextDocument
  • TextFile
  • MoreInfo
  • Message

The .zip file contains a randomly named .exe file, which is password-protected with the aforementioned password.

 

Top Malicious Code Threats


Risk  Threat               Discovered   Protection
4     W32.Netsky.D@mm      1 Mar 2004   1 Mar 2004
4     W32.Netsky.B@mm      18 Feb 2004  18 Feb 2004
3     W32.Beagle.J@mm      2 Mar 2004   2 Mar 2004
3     W32.Beagle.E@mm      28 Feb 2004  28 Feb 2004
3     W32.Netsky.C@mm      24 Feb 2004  25 Feb 2004
3     W32.Mydoom.F@mm      20 Feb 2004  23 Feb 2004
3     W32.Welchia.B.Worm   11 Feb 2004  11 Feb 2004
3     W32.Mydoom.A@mm      26 Jan 2004  26 Jan 2004

 

Common Vulnerabilities


Vulnerability: Microsoft IE MIME Header Attachment Execution Vulnerability
Bugtraq ID: 2524
CVE Reference: CVE-2001-0154
Exploited by: W32.Swen.A, W32.Klez, W32.Sobig, W32.Bugbear, W32.Yaha, W32.Nimda

Vulnerability: MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
Bugtraq ID: 2708
CVE Reference: CVE-2001-0333
Exploited by: W32.Nimda

Vulnerability: MS Buffer overflow in DCOM interface for RPC in Microsoft Windows
Bugtraq ID: 8205
CVE Reference: CAN-2003-0352
Exploited by: W32.Blaster.Worm, W32.Welchia.Worm

Vulnerability: Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
Bugtraq ID: 1806
CVE Reference: CVE-2000-0884
Exploited by: W32.Nimda

Vulnerability: Microsoft Windows 9x / Me Share Level Password Bypass Vulnerability
Bugtraq ID: 1780
CVE Reference: CVE-2000-0979
Exploited by: W32.Opaserv

Vulnerability: Microsoft SQL Server Resolution Service buffer overflows allow arbitrary code execution
Bugtraq ID: 5311
CVE Reference: CAN-2002-0649
Exploited by: W32.SQLExp.Worm

Vulnerability: Microsoft IE Virtual Machine (VM) allows an unsigned applet to create and use ActiveX controls
Bugtraq ID: 1754
CVE Reference: CVE-2000-1061
Exploited by: JS.Exception.Exploit

 

Security Advisories
http://securityresponse.symantec.com/


Microsoft Windows ASN.1 Library Integer Handling
Risk: High
Date: February 10, 2004
Components Affected: Many, which are listed here: http://securityresponse.symantec.com/avcenter/security/Content/9626.html
Overview
The Microsoft Windows ASN.1 parsing library has been reported to be prone to an integer-handling vulnerability. The issue is reported to exist because an integer value contained in ASN.1-based communications is interpreted as an unsigned integer.

Because this integer value is treated as trusted and unsigned, and is believed to be used in subsequent sensitive computations such as length and allocation arithmetic, memory corruption may result.
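To show where an ASN.1 decoder must check attacker-controlled lengths before using them in allocation or copy arithmetic, here is an added example of a bounds-checked BER length decoder. It is not Microsoft's library code, and the sample elements are constructed for the example rather than captured from any real protocol exchange.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Status codes returned by the hardened decoder */
enum {
    BER_OK         =  0,
    BER_TRUNCATED  = -1,   /* element claims more bytes than the input holds */
    BER_INDEFINITE = -2,   /* 0x80 indefinite length: rejected outright */
    BER_TOO_LONG   = -3,   /* more length octets than size_t can represent */
    BER_OVERFLOW   = -4    /* header + length would wrap around */
};

/* Decode the length octets of the BER TLV element whose tag is at p[0], with
   `avail` readable bytes. On success stores the content length and the header
   size (tag + length octets). Every value that a naive decoder would feed
   straight into an allocation or copy is bounds-checked first. */
int ber_decode_length(const unsigned char *p, size_t avail,
                      size_t *content_len, size_t *header_len)
{
    size_t len, hdr;
    if (avail < 2) return BER_TRUNCATED;              /* need tag + first length octet */
    unsigned char first = p[1];
    if ((first & 0x80) == 0) {                        /* short form: 0..127 */
        len = first;
        hdr = 2;
    } else {                                          /* long form: N further octets */
        size_t n = first & 0x7F;
        if (n == 0) return BER_INDEFINITE;
        if (n > sizeof(size_t)) return BER_TOO_LONG;
        if (avail - 2 < n) return BER_TRUNCATED;      /* length octets themselves cut off */
        len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | p[2 + i];
        hdr = 2 + n;
    }
    /* A naive "hdr + len" can wrap to a small number and pass a size check. */
    if (len > SIZE_MAX - hdr) return BER_OVERFLOW;
    if (hdr + len > avail) return BER_TRUNCATED;      /* content runs past the input */
    *content_len = len;
    *header_len = hdr;
    return BER_OK;
}

/* Convenience wrappers: status only, or content length (-1 on any error) */
int ber_status(const unsigned char *p, size_t avail)
{
    size_t c, h;
    return ber_decode_length(p, avail, &c, &h);
}

long ber_content_len(const unsigned char *p, size_t avail)
{
    size_t c, h;
    return ber_decode_length(p, avail, &c, &h) == BER_OK ? (long)c : -1;
}

/* Constructed sample elements (not captured from any real protocol exchange) */
const unsigned char BER_SHORT[] = {0x04, 0x03, 'a', 'b', 'c'};                 /* OCTET STRING, 3 bytes */
const unsigned char BER_LONG[]  = {0x04, 0x81, 0x05, 'h', 'e', 'l', 'l', 'o'}; /* long form, 5 bytes */
const unsigned char BER_CUT[]   = {0x04, 0x10, 'a', 'b'};                      /* claims 16, carries 2 */
const unsigned char BER_INDEF[] = {0x30, 0x80, 0x00, 0x00};                    /* indefinite SEQUENCE */
const unsigned char BER_HUGE[]  = {0x04, 0x84, 0xFF, 0xFF, 0xFF, 0xFF};        /* claims ~4 GiB */

int main(void)
{
    printf("short=%ld long=%ld cut=%d indef=%d huge=%d\n",
           ber_content_len(BER_SHORT, sizeof BER_SHORT),
           ber_content_len(BER_LONG, sizeof BER_LONG),
           ber_status(BER_CUT, sizeof BER_CUT),
           ber_status(BER_INDEF, sizeof BER_INDEF),
           ber_status(BER_HUGE, sizeof BER_HUGE));
    return 0;
}
```

On a 64-bit build the oversized element is rejected as truncated; on a 32-bit build the same element trips the wrap-around check instead, which is the failure mode a naive decoder misses.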

Symantec Solutions: Symantec Manhunt, Symantec Enterprise Firewall, Symantec Vulnerability Assessment, Symantec Gateway Security, Symantec AntiVirus Products.

Mitigating factors:

  • Block external access at the network boundary, unless external parties require service.
  • If possible, filter ASN.1-based communications at the network perimeter. Allow communications for trusted hosts and networks only.
  • Microsoft has released a security update (MS04-007) to address this issue in affected versions of Microsoft Windows. Users are strongly advised to obtain fixes as soon as possible.

Credits
Vulnerability discovery credited to eEye Digital Security.

References
Source: Microsoft ASN.1 Library Bit String Heap Corruption
URL: http://www.eeye.com/html/Research/Advisories/AD20040210-2.html

Source: Microsoft ASN.1 Library Length Overflow Heap Corruption
URL: http://www.eeye.com/html/Research/Advisories/AD20040210.html

Source: Microsoft Security Bulletin MS04-007
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS04-007.asp


Microsoft Windows Internet Naming Service Buffer Overflow Vulnerability
Risk: High
Date: February 10, 2004
Components Affected: Many, which are listed here: http://securityresponse.symantec.com/avcenter/security/Content/9624.html
Overview
The Microsoft Windows Internet Name Service (WINS) is prone to a remotely exploitable buffer overflow condition. Sending a series of specially crafted packets to the service could cause it to fail. On some Windows platforms, this could also lead to the execution of arbitrary code.

Symantec Solutions: Symantec Manhunt, Symantec Enterprise Firewall, Symantec Vulnerability Assessment, Symantec Gateway Security, Symantec Host IDS, Symantec Intruder Alert.

Mitigating factors:

  • Block external access at the network boundary, unless external parties require service.
  • Block access to the WINS service at the network boundary. This service listens on TCP port 42 by default.
  • Microsoft has released patches to fix this issue.

Credits
Discovery of this vulnerability has been credited to Qualys.

References
Source: Microsoft Security Bulletin MS04-006
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS04-006.asp


Linux Kernel do_mremap Function Boundary Condition Vulnerability
Risk: High
Date: January 5, 2004
Components Affected: Many, which are listed here: http://securityresponse.symantec.com/avcenter/security/Content/9356.html
Overview
A vulnerability involving the do_mremap system function has been reported in the Linux kernel, allowing for local privilege escalation. Due to a bounds-checking issue within the function, local attackers may disrupt kernel operation. Attack vectors also exist, which may permit a local attacker to gain root privileges.

This type of vulnerability permits a remote attacker who has already gained limited privileges on a host to fully compromise the system.

Mitigating factors:

  • Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.
  • Restrict local access to all but trustworthy users and those who explicitly require access to local services. This may limit an attacker's ability to successfully exploit this issue.
  • Block external access at the network boundary, unless external parties require service.
  • Due to the high likelihood that this issue will be used in conjunction with unrelated remote vulnerabilities, we advise administrators to ensure that network-based access controls are implemented to restrict access to remote services.
  • Implement multiple redundant layers of security.
  • An attacker's ability to exploit this condition to escalate privileges may be hampered through the use of memory-protection schemes. If possible, implement the use of non-executable and randomly mapped memory paging, especially memory protection implementations that operate in kernel space.

Red Hat has released advisory RHSA-2003:417-01 to address this issue. RHSA-2003:419-05 was also released to address Red Hat Enterprise distributions. See the referenced advisories for additional details.

Guardian Digital has released advisory ESA-20040105-001 for EnGarde Secure Linux. Fixes included in this advisory may be applied with the Guardian Digital WebTool.

Conectiva has released advisory CLA-2004:799 to address this issue. See the attached advisory for details on obtaining and applying fixes.

Trustix has released advisory TSLSA-2004-01 to address this issue. See the attached advisory for details on obtaining and applying fixes.

Astaro Security Linux has released kernel updates to address this issue in Up2Date 4.018.

SuSE has released security advisory SuSE-SA:2004:001 to address this issue.

Credits
Discovery credited to Paul Starzetz and Wojciech Purczynski.

References
Source: Conectiva CLA-2004:799 kernel
URL: http://online.securityfocus.com/advisories/6197

Source: EnGarde ESA-20040105-001 kernel
URL: http://online.securityfocus.com/advisories/6196

Source: RedHat RHSA-2003:417-01 Updated kernel resolves security vulnerability
URL: http://online.securityfocus.com/advisories/6195

Source: SuSE SuSE-SA:2004:001 Linux Kernel
URL: http://online.securityfocus.com/advisories/6200

Source: Trustix TSLSA-2004-01 kernel
URL: http://online.securityfocus.com/advisories/6198

Source: RHSA-2003:419-05 Updated kernel packages resolve security vulnerability
URL: http://rhn.redhat.com/errata/RHSA-2003-419.html

Source: Up2Date 4.018
URL: http://www.astaro.org/showflat.php?Cat=&Number=34176&page=0&view=collapsed&sb=5&o=&fpart=1

 

Security Events Calendar
http://enterprisesecurity.symantec.com/


InfoSec World Conference & Expo 2004
Date: March 22-23, 2004
Location: Orlando, FL USA


InfoSecurity 2004
Date: April 27-29, 2004
Location: London, United Kingdom


European Institute for Computer Anti-Virus Research (EICAR) 2004
Date: May 1-4, 2004
Location: Luxembourg


AusCERT 2004
Date: May 23-27, 2004
Location: The Gold Coast, Australia


For more events go to our online Events Calendar:
http://enterprisesecurity.symantec.com/content/globalevents.cfm

 

Useful Links


Use Symantec Security Alerts on Your Web Site
http://securityresponse.symantec.com/avcenter/cgi-bin/syndicate.cgi

Virus Removal Tools
Fix tools for repairing threats.

Virus Hoaxes
There are many email virus hoaxes, so please check here before forwarding any email virus warnings.

Virus Calendar
Monthly calendar showing viruses which trigger on each day.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Windows, Windows NT, and the Windows logo are registered trademarks of Microsoft Corporation in the United States and other countries. All other brand and product names are trademarks of their respective holder(s). Copyright © 2004 Symantec Corporation. All rights reserved.

Follow this link to subscribe or unsubscribe http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html