I hope you all had a restful holiday season. My first job in 2002 is to apologize for sending out a draft copy of the Newsletter in December which was full of spelling and grammatical errors. As there are now more than a quarter of a million subscribers, I thought it best not to resend the corrected version. It's posted on our web site if anyone would like a copy.

We have the usual rash of Win32 viruses and worms this month, but there's nothing of significance to report; overall it was a quiet holiday season for anti-virus researchers. We do have a great article that explains what denial of service (DoS) attacks are, how to protect your PC from them and how to avoid being an unwilling participant in an attack. There is a summary of the Plug and Play buffer overflow and a list of the latest vulnerabilities, all with links to more detailed information.

David Banes.
Editor, securitynews@symantec.com
Viruses, Worms & Trojans
W32.Maldal.D@mm | Risk: Medium [3] | Platform: Win32
W32.Maldal.D@mm is an extremely damaging worm. It was written and distributed on December 28, 2001. The worm is written in Visual Basic, is about 27 KB in size and is packed with ASPack. It uses Microsoft Outlook to send itself to all contacts in the Outlook address book.
It attempts to delete anti-virus software and files with the following extensions: .ini, .php, .exe, .com, .mpeg, .dat, .zip, .txt, .xls, .doc and .jpg.
http://securityresponse.symantec.com/avcenter/venc/data/w32.maldal.d@mm.html
W32.Zoher@mm | Risk: Low [2] | Platform: Win32
W32.Shoho@mm | Risk: Low [2] | Platform: Win32
JS.Coolsite@mm | Risk: Low [2] | Platform: Script
JS.Coolsite@mm is a JavaScript worm. If you are using Norton AntiVirus with definitions dated August 16, 2001 or later, you are already protected from this worm, which those definitions detect as JS.Exception.Exploit. Symantec Security Response has created a separate detection for this variant, and definitions dated December 19, 2001 or later detect it as JS.Coolsite@mm.
The worm arrives as an email with the subject "Hi!!" and the message "Hi. I found cool site!..."
http://securityresponse.symantec.com/avcenter/venc/data/js.coolsite@mm.html
JP Duan,
Symantec Security Response, USA
Security Advisories
Microsoft UPnP Buffer Overflow and DoS vulnerabilities | Risk: Medium [3] | Platform: Win32
Reference:
Microsoft Security Bulletin MS01-059, 20 December 2001: Unchecked Buffer in Universal Plug and Play can lead to System Compromise
eEye Digital Security Advisory AD20011220, 20 December 2001: Multiple Remote Windows XP/ME/98 Vulnerabilities

Symantec Corporation advises its customers to be aware of multiple vulnerabilities in the Universal Plug and Play (UPnP) service that have recently been discovered in Microsoft Windows XP and ME, and in Microsoft Windows 98 and 98SE running the XP Internet Connection Sharing client. The more critical of the vulnerabilities is a buffer overflow in the UPnP service that can allow a remote attacker to run arbitrary code on the targeted system with SYSTEM-level privileges, potentially gaining complete control of it. The remaining vulnerabilities can result in a Denial of Service (DoS) against the targeted system, or can be used to mount a Distributed Denial of Service (DDoS) attack against another network. These vulnerabilities were discovered by the eEye Digital Security team and acknowledged by Microsoft.
http://securityresponse.symantec.com/avcenter/security/Content/2001.12.20a.html
Buffer Overflow in System V Derived Login | Risk: Medium [3] | Platform: Unix
Reference:
Symantec Security Response

A remotely exploitable buffer overflow exists in the login program derived from System V. Successful exploitation yields the privileges of whatever program invoked login; when that is telnetd, rlogind or another program running as root, the attacker gains root access to the server. An exploit may exist, but Symantec has received no reports of it circulating in the wild or being actively exploited.
Affected:
IBM AIX versions 4.3 and 5.1
Hewlett-Packard HP-UX
SCO OpenServer 5.0.6 and earlier
SGI IRIX 3.x
Sun Solaris 8 and earlier
http://securityresponse.symantec.com/avcenter/security/Content/2001.12.14b.html
Various Buffer Overflow and DoS vulnerabilities | Risk: Various | Platform: Various
This month we have six other new items: the SSH CRC32 attack, a PHP-Nuke attack, a new version of the Whisker CGI scanner, and three other buffer overflow and denial of service vulnerabilities.

HTTP ActivePerl Overflow
Some older versions of ActivePerl for Windows web servers may allow an attacker to execute arbitrary code at the privilege level of the web server process.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0815

ISA Fragmented UDP
By sending a flood of malformed and fragmented UDP packets to a Microsoft Internet Security and Acceleration (ISA) Server, an attacker can cause a denial of service by consuming all CPU cycles on the server.

Media Player NSC Unchecked Buffer
Some versions of Microsoft Windows Media Player contain an unchecked buffer in the code that processes NetShow Channel (.nsc) descriptors. A sufficiently long string in the IP Address field overflows the buffer.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0541

PHP-Nuke Remote File Copy
Older versions of PHP-Nuke fail to check the credentials of the connecting user before performing file manipulation operations such as copying files.

SSH1 CRC32 Boundary Overflow
Some older versions of SSH and OpenSSH contain an integer overflow in the CRC32 compensation attack detection code. This may allow remote attackers to write values to arbitrary locations in memory.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0144

Whisker2
Whisker is an automated CGI scanner with sophisticated evasion techniques. A CGI scanner makes several requests to a web server to determine whether known vulnerable CGI programs are present and available for attack.
Enterprise Security News Clips
VISIT THE SYMANTEC ENTERPRISE SECURITY WEB SITE
http://enterprisesecurity.symantec.com/
Recent Enterprise Security News headlines include:
AOL Quickly Patches Software Glitch;
San Jose Mercury News
http://enterprisesecurity.symantec.com/content.cfm?articleid=1115
U.S. and Canada to Meet on Cross-Border Cybercrime;
Washington Internet Daily
http://enterprisesecurity.symantec.com/content.cfm?articleid=1110
Get the latest Enterprise Security News delivered straight to your inbox. Register for Symantec's free Enterprise Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm
Vulnerability & Exploit News
Denial of Service (DoS) attacks have been widely publicized in the news lately. These network assaults are staged
by hackers who hijack other people's computers in order to overwhelm a network or Web server with requests. The
network or server becomes overloaded, denying anyone else access to the system. The most publicized attacks involve
Internet giants like Yahoo and Microsoft. But businesses of all sizes are vulnerable to attack. The hackers who
took down the major corporations had to practice somewhere.
How DoS Attacks Work
Attackers usually hide the identity of the machines used to carry out an attack by "spoofing": forging the source address on the packets they send. This makes the hacker difficult to trace, and the owner of the forged address appears guilty.
A common way for hackers to launch a DoS attack is with a flood of authentication requests. This was the case in the Yahoo! attack, in which computers from all over the Internet assaulted the web site with fake sign-in attempts. False logons and passwords were generated, and the web server was bombarded with requests until there was no capacity left for legitimate users to log on.
Another way hackers wreak havoc is by using "back door" remote administration software. Installing this software on a computer without the owner's knowledge lets the hacker send data packets from that computer to the target of the attack. Enough such packets clog the target's connection and block traffic in both directions. Hackers coordinate whole fleets of compromised computers against a common target, and rarely get caught because the attack is traced back to the exploited machines, not to the hacker's own.
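The sign-in flood described above is easy to spot for a single noisy source and easy to miss when it comes from a fleet of hijacked machines. The following is an added example, not code from Symantec or from the newsletter, showing both checks over a constructed web server log. The log format ("timestamp, source IP, HTTP status, path") and the thresholds are assumptions; a 401 on /login stands for a failed sign-in attempt.

```python
# Added example (not Symantec's code): spotting a flood of failed sign-in
# attempts in web server logs. The log format is assumed to be
# "<ISO timestamp> <source IP> <HTTP status> <path>", and every log line
# here is constructed for the example.
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2002, 1, 15, 10, 0, 0)


def _line(offset_s, ip, status, path="/login"):
    """Build one constructed log line `offset_s` seconds after BASE."""
    ts = (BASE + timedelta(seconds=offset_s)).isoformat()
    return f"{ts} {ip} {status} {path}"


SAMPLE_LOG = (
    # one noisy source: six failures in five seconds
    [_line(i, "10.0.0.5", 401) for i in range(6)]
    # a legitimate user: one mistyped password, then success
    + [_line(2, "10.0.0.9", 401), _line(4, "10.0.0.9", 200)]
    # a distributed flood: twenty hijacked hosts, one failure each, two per second
    + [_line(10 + i // 2, f"192.168.1.{i}", 401) for i in range(20)]
)


def parse_line(line):
    """Split a log line into (timestamp, source IP, status, path)."""
    ts, ip, status, path = line.split()
    return datetime.fromisoformat(ts), ip, int(status), path


def failed_logins(lines):
    """Time-ordered (timestamp, source IP) pairs for failed sign-ins: 401 on /login."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e[0])
    return [(ts, ip) for ts, ip, status, path in events
            if status == 401 and path == "/login"]


def noisy_sources(lines, window=timedelta(seconds=10), threshold=5):
    """Per-source check: IPs with `threshold` or more failures inside any `window`."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip in failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # slide this source's window forward
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged


def aggregate_flood(lines, window=timedelta(seconds=10), threshold=15):
    """Site-wide check: True if failures from all sources reach `threshold` in any `window`.

    A fleet of hijacked machines can each stay under the per-source threshold,
    so the per-IP check alone misses a distributed flood; counting across
    sources does not.
    """
    q = deque()
    for ts, _ip in failed_logins(lines):
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            return True
    return False


if __name__ == "__main__":
    print("noisy sources:", noisy_sources(SAMPLE_LOG))       # {'10.0.0.5'}
    print("distributed flood:", aggregate_flood(SAMPLE_LOG))  # True
```

On the sample, only 10.0.0.5 trips the per-source threshold; the twenty 192.168.1.x hosts each fail once and are invisible to it, yet the site-wide counter reaches fifteen failures within ten seconds and raises the alarm. In practice the per-source list is what you block, and the aggregate signal is what tells you a coordinated attack is under way.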
How to Protect Yourself Against a DoS Attack
DoS attacks can be difficult to protect against, but taking these steps to secure your network can help you defend against them.
- Secure mobile workers. While your network may be well protected against hackers, the connections used by remote workers may not be. Make sure that anyone connecting to your network from the road adheres to the same strict security standards.
- Check the source. Internet service providers can check that the source address on traffic entering or leaving a customer's site actually belongs to that site's address range, and drop traffic that does not (ingress filtering). This stops spoofed packets at the edge and allows attack traffic to be traced to its originating site.
- Use a firewall and intrusion detection software. A firewall controls the traffic traveling in and out of your network and blocks unwanted connections; intrusion detection software continuously monitors the network for attack patterns. Together these tools reduce your exposure to DoS attacks and give early warning when one starts. Symantec Personal Firewall offers protection against hackers and port scanning, while also monitoring for suspicious activity on your network that could signal a DoS attack.
How to Avoid Becoming Part of a DoS Attack
In addition to securing your machines against a denial of service attack, you want to prevent your own systems from being used in one. It can be difficult to stop an attack aimed at you, but it is comparatively easy to keep your own site from being used by a hacker to stage one.
- Assess your risk. Symantec's Security Analyzer, which can be accessed free of charge, assesses a PC's Internet security in four key areas: susceptibility to hackers, risk of infection by a computer virus, loss of personal information and inadvertent access to inappropriate materials. Running a security assessment tool on a computer can help you determine whether you are at risk for a variety of threats, including being used as a launch point for malicious hacking.
- Prevent spoofing. Packets, or bundles of data, carry a return (source) address. Hackers put fake source addresses on their packets to remain anonymous during a DoS attack. Apply filters to your router so that packets whose source address does not belong to your network are never sent out onto the Net (egress filtering). This does not stop a compromised machine on your network from flooding a target, but it does ensure the traffic carries its true source address and so leads back to the machine that needs cleaning.
- Use a firewall. The firewall works on both incoming and outgoing traffic, making it useful both to defend your computer against a DoS attack and to stop it unwittingly participating in one.
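The source-address checks behind "Check the source" and "Prevent spoofing" come down to one rule applied in both directions at the border: nothing leaves with a source address that is not ours, and nothing arrives claiming a source address that is. The following is an added example, not Symantec's code or any router vendor's, expressing that rule over constructed packets. The site prefixes are assumptions drawn from the RFC 5737 documentation ranges and stand in for whatever block a site has actually been assigned; the bogon list and the Packet type are likewise constructed for the example.

```python
# Added example (not Symantec's or any router vendor's code): the anti-spoofing
# source-address filter a border router or firewall applies, covering both the
# ISP-side "check the source" step and the site-side "prevent spoofing" step.
# SITE_PREFIXES, BOGONS and the sample packets are constructed for the example.
import ipaddress
from dataclasses import dataclass

# Assumed: the address blocks routed to this site (RFC 5737 documentation ranges).
SITE_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/25")]

# Sources that must never appear on the Internet-facing interface in either direction.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "out": leaving the site; "in": arriving from the Internet


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(pkt):
    """Decide one packet at the border (after any NAT). Returns "pass" or a drop reason."""
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, BOGONS):
        return "drop: bogon source"
    ours = _in_any(src, SITE_PREFIXES)
    if pkt.direction == "out" and not ours:
        # egress filtering: our hosts may only send with our addresses
        return "drop: egress with foreign source (spoofed)"
    if pkt.direction == "in" and ours:
        # ingress filtering: nobody outside may claim to be inside
        return "drop: ingress claiming our source (spoofed)"
    return "pass"


def apply_filter(packets):
    """Return (passed, dropped); each dropped entry pairs the packet with its reason.

    The dropped list is the tracing aid the article mentions: a forged packet
    stopped here can only have come from the network behind this interface.
    """
    passed, dropped = [], []
    for pkt in packets:
        verdict = filter_packet(pkt)
        if verdict == "pass":
            passed.append(pkt)
        else:
            dropped.append((pkt, verdict))
    return passed, dropped


# Constructed traffic seen at the border.
SAMPLE_PACKETS = [
    Packet("198.51.100.20", "192.0.2.7", "out"),     # legitimate outbound request
    Packet("192.0.2.7", "198.51.100.20", "in"),      # legitimate inbound reply
    Packet("192.0.2.7", "203.0.113.200", "out"),     # inside host forging an outside source
    Packet("198.51.100.20", "198.51.100.30", "in"),  # outside host forging one of ours
    Packet("10.1.2.3", "192.0.2.7", "out"),          # private source leaking past NAT
]

if __name__ == "__main__":
    for pkt, reason in apply_filter(SAMPLE_PACKETS)[1]:
        print(f"{pkt.direction:>3} {pkt.src:>15} -> {pkt.dst:<15} {reason}")
```

Of the five sample packets, the two legitimate ones pass and the three forged or misrouted ones are dropped with a reason that names the rule. The filter never needs to know who the attacker is: because it only trusts what it can verify about the source address, a machine on your network that has been taken over can still send traffic, but not anonymously.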
Denial of service attacks can cause serious damage and cripple your business, whether they target you or use your computer to target another system. Protect yourself against a DoS attack and you will also prevent your network from becoming a helping hand to hackers.
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails please).
Follow this link to subscribe or unsubscribe: http://securityresponse.symantec.com/avcenter/newsletter.html
Send virus samples to: avsubmit@symantec.com
Disclaimer: THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.
This message contains Symantec Corporation's current view of the topics discussed as of the date of this document.
The information contained in this message is provided "as is" without warranty of any kind, either expressed
or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose,
and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document.
This document may not be distributed for profit.
Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.