Welcome to the first Symantec Security Response Newsletter for 2003. A new virus called W32.Lirva
proves again that people just aren't patching their operating systems or email programs quickly enough: this worm
exploits a vulnerability that Microsoft fixed in March 2001. If this patch (link below) is applied then worms like
W32.Lirva will be unable to auto-execute and this will go a long way towards stopping them from spreading.
Judging by the number of back door Trojans we are listing at the moment it appears that social engineering (the
art of tricking people into doing something you want them to do, for example opening an email attachment) is alive
and well and that the average computer user still has trouble controlling their double-click finger. Maybe it's
the lure of pop stars and celebrities or too-good-to-be-true offers for cheap merchandise and goods of dubious origin.
Last month we carried a link to Symantec DeepSight Analyzer and a FREE download page asking people to become a
part of the global early-warning system for cyber attacks. More than 75,200 of you visited the page and I hope
that we'll all benefit from the increased amount of data from any SecurityFocus sensors that are set up.
We have an article by senior research fellow Sarah Gordon this month, 'What goes on in the mind of a hacker?'.
I've added another new section this month, 'Useful Links'. There won't be many, just topical links to encourage
you to use them. I hope 2003 brings good things to you. :)
Best Regards,
David Banes
Editor, Symantec Security Response Newsletter
Useful Links
Microsoft Security Bulletin (MS01-020): Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
Viruses, Worms & Trojans

W32.Lirva.A@mm
Aliases: W32/Avril-A [Sophos], W32/Lirva.b@MM [McAfee], WORM_LIRVA.A [Trend], Win32.Lirva.A [CA]
Risk: Moderate
Date: 7th January 2003
Platforms Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Overview
W32.Lirva.A is a mass-mailing worm that also spreads by IRC, ICQ, KaZaA, and open
network shares. This worm attempts to terminate antivirus and firewall products. It also emails the cached Windows
95/98/Me dial-up networking passwords to the virus writer.
When Microsoft Outlook receives the worm, the worm takes advantage of a vulnerability that allows the attachment
to auto-execute when you read or preview the email. Information on this vulnerability and a patch can be found
at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.
If the day of the month is the 7th, 11th, or 24th, the worm will launch your Web browser to www.avril-lavigne.com
and display a graphic animation on the Windows desktop.
Symantec has provided a tool to remove infections of W32.Lirva.A@mm. This is the easiest way to remove this threat
and should be tried first.
http://securityresponse.symantec.com/avcenter/venc/data/w32.lirva.removal.tool.html
References
http://www.symantec.com/avcenter/venc/data/w32.lirva.a@mm.html
Credit
Atli Gudmundsson, Security Response, EMEA
W32.ExploreZip.L.Worm
Aliases: W32/ExploreZip.worm@M [McAfee], I-Worm.ZippedFiles.h [KAV], WORM_EXPLORZIP.M [Trend], Win32/ExploreZip.Worm [CA], W32/ExploreZip.E [F-Prot], W32/ExploreZip.worm.210432 [F-Prot]
Risk: Medium
Date: 10th January 2003
Platforms Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Overview
W32.ExploreZip.L.Worm is a variant of Worm.ExploreZip, a worm that contains a malicious
payload. The file has been repacked to make it more difficult to detect with older, existing antivirus software.
This worm is packed with UPX, version 0.76.1-1.24.
The worm uses Microsoft Outlook, Outlook Express, or Exchange to mail itself, by replying to unread messages in
the Inbox. The email attachment is titled Zipped_files.exe.
W32.ExploreZip.L.Worm also searches the mapped drives and network computers for Windows installations. If they
are found, the worm copies itself to the \Windows folder of the remote computer, and then modifies the Win.ini
file of the infected computer.
W32.ExploreZip.L.Worm has a different file size than that of the original variant. However, the worm exhibits the
same characteristics as the original Worm.ExploreZip worm. See the writeup, Worm.ExploreZip, for information on
what this worm does.
Recommendations
Definitions dated from January 8, 2003 to January 10, 2003 will detect this worm as Worm.ExploreZip.
Credit
Jari Kytojoki, Symantec Security Response, EMEA
References
http://www.symantec.com/avcenter/venc/data/w32.explorezip.l.worm.html
Security Advisories

Perl-HTTPd File Disclosure Vulnerability
Risk: High
Date: 31st December 2002
Components Affected
Perl-HTTPd 1.0
Perl-HTTPd 1.0.1
Description
It has been reported that Perl-HTTPd fails to properly sanitize some web requests. By exploiting this issue,
an attacker is able to traverse outside of the established web root by using dot-dot-slash (../) directory traversal
sequences. An attacker may be able to obtain any web-server-readable file from outside of the web root directory.
Recommendations
Block external access at the network boundary, unless the service is required by external parties.
Allow access to Web services for trusted hosts and networks only.
Web servers should ignore or modify requests that contain '../' or other suspicious and most likely malicious strings.
If possible, configure Perl-HTTPd to ignore requests that contain suspicious strings.
Fixes available:
Perl-HTTPd 1.0: upgrade to perl-httpd-1.0.2.tar.gz
http://citrustech.net/~chrisj/perl-httpd/perl-httpd-1.0.2.tar.gz
Perl-HTTPd 1.0.1: upgrade to perl-httpd-1.0.2.tar.gz
http://citrustech.net/~chrisj/perl-httpd/perl-httpd-1.0.2.tar.gz
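The check the recommendations above call for, as an added example that is not Perl-HTTPd's own code: a lexical web-root confinement routine that percent-decodes the requested path (repeatedly, so a double-encoded '%252e%252e' cannot slip through), refuses any '..' segment that would climb above the document root, and then applies the same test to a few constructed access-log lines to flag traversal attempts after the fact. The web root path, the function names and the log lines are assumptions made for this example.

```python
"""Added example (not Perl-HTTPd's own code): confine a requested URL path to the
web root and flag the '../' traversal attempts the advisory describes."""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

WEB_ROOT = "/var/www/htdocs"   # assumed document root for the example


def fully_unquote(path: str, rounds: int = 3) -> str:
    """Percent-decode until a fixed point, so '%252e%252e' cannot smuggle a '..'.
    The bound keeps a pathological input from looping; anything still encoded
    after `rounds` passes is left as-is and will simply fail to match a file."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def confine_to_root(web_root: str, request_path: str) -> Optional[str]:
    """Map a URL path onto a file under web_root, or None if it would escape.

    The walk is purely lexical: every '..' must pop a segment that the same
    request pushed, so '/docs/../index.html' is allowed while '/../etc/passwd'
    and its encoded forms are rejected before any file I/O happens."""
    decoded = fully_unquote(request_path)
    if "\x00" in decoded or "\\" in decoded:     # never valid in a URL path here
        return None
    segments: List[str] = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None                      # would climb above the web root
            segments.pop()
        else:
            segments.append(seg)
    return posixpath.join(web_root, *segments)


# Constructed access-log lines in Common Log Format (not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [31/Dec/2002:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 512
10.0.0.9 - - [31/Dec/2002:10:01:07 +0000] "GET /../../etc/passwd HTTP/1.0" 200 1042
10.0.0.9 - - [31/Dec/2002:10:01:09 +0000] "GET /%2e%2e/%2e%2e/etc/shadow HTTP/1.0" 404 0
10.0.0.7 - - [31/Dec/2002:10:02:00 +0000] "GET /docs/../index.html HTTP/1.0" 200 512
"""

LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')


def find_traversal_attempts(log_text: str, web_root: str = WEB_ROOT) -> List[Tuple[str, str]]:
    """Return (client, path) for each logged request that would have escaped the web root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path = m.groups()
        if confine_to_root(web_root, path) is None:
            hits.append((client, path))
    return hits


if __name__ == "__main__":
    for client, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {path}")
```

The lexical walk is deliberately stricter than a plain substring match for '../': it also catches percent-encoded and double-encoded forms, and it still allows the harmless '/docs/../index.html' that a blanket filter would refuse. A server should apply the same confinement before opening any file, not only when scanning logs afterwards.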
References
Source: Perl-HTTPd Home Page
URL: http://citrustech.net/~chrisj/perl-httpd/
Credits
This vulnerability was reported in the product changelog.
Microsoft Internet Explorer PNG Deflate Heap Corruption Vulnerability
Risk: High
Date: 12th December 2002
Platforms Affected
See list here: http://www.symantec.com/avcenter/security/Content/6366.html
Components Affected
Microsoft Internet Explorer 5.0.1 SP2
Microsoft Internet Explorer 5.0.1 SP1
Microsoft Internet Explorer 5.0.1
Microsoft Internet Explorer 5.5 SP2
Microsoft Internet Explorer 5.5 SP1
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
Description
A heap corruption vulnerability has been reported for Microsoft Internet Explorer.
The vulnerability is related to the way that Microsoft Internet Explorer interprets PNG image data. The function
that handles the deflation of PNG images does not properly handle some invalid data within PNG image files.
An attacker can exploit this vulnerability by tricking a user into viewing a maliciously constructed PNG image
file. When the image file is rendered it will trigger the heap corruption condition and overwrite critical areas
in memory. Any malicious attacker-supplied code will be executed with elevated privileges.
It should be noted that applications which depend on MSIE to render PNG files are also affected.
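An added example, not Microsoft's or eEye's code, of the checks a defensive PNG reader makes before trusting a file, the kind of validation the description above says the browser's deflate handling lacked: it walks the chunk list, bounds-checking every declared chunk length against the buffer and verifying each CRC, derives the expected scanline size from IHDR, and inflates the IDAT stream under a hard output cap so an image whose compressed data expands past its declared dimensions is rejected instead of being written past the end of a buffer. The sample images are constructed inline; the chunk-size cap, the function names and the restriction to non-interlaced images are assumptions made for this example.

```python
"""Added example (not Microsoft's or Symantec's code): a PNG reader that validates
chunk lengths, CRCs and the inflated IDAT size before trusting any of them."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}   # PNG colour type -> samples per pixel


def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, payload, CRC32(type + payload)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png(width: int = 2, height: int = 2, raw: bytes = None) -> bytes:
    """Constructed 8-bit RGB, non-interlaced PNG; 'raw' lets a caller mismatch IDAT and IHDR."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    if raw is None:  # per row: one filter byte (0 = None) followed by `width` red pixels
        raw = b"".join(b"\x00" + bytes([255, 0, 0]) * width for _ in range(height))
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(raw)) + make_chunk(b"IEND", b""))


def read_chunks(data: bytes, max_chunk_len: int = 8 * 1024 * 1024) -> list:
    """Walk the chunk list, refusing any declared length that exceeds the buffer or the cap."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos < len(data):
        if len(data) - pos < 12:                 # length + type + CRC at minimum
            raise ValueError(f"truncated chunk header at offset {pos}")
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        if length > max_chunk_len:
            raise ValueError(f"chunk {ctype!r} declares {length} bytes, above cap")
        end = pos + 8 + length                   # bounds-check before touching the payload
        if end + 4 > len(data):
            raise ValueError(f"chunk {ctype!r} length {length} runs past end of data")
        payload = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in chunk {ctype!r}")
        chunks.append((ctype, payload))
        pos = end + 4
        if ctype == b"IEND":
            break
    return chunks


def expected_raw_size(ihdr: bytes) -> tuple:
    """Bytes the filtered scanlines must occupy, computed from IHDR for a non-interlaced image."""
    width, height, depth, ctype, _, _, interlace = struct.unpack(">IIBBBBB", ihdr)
    if interlace != 0 or ctype not in CHANNELS or width == 0 or height == 0:
        raise ValueError("unsupported or invalid IHDR")
    row_bytes = 1 + (width * depth * CHANNELS[ctype] + 7) // 8   # filter byte + pixel data
    return width, height, height * row_bytes


def inflate_capped(compressed: bytes, max_out: int) -> bytes:
    """Inflate with a hard output ceiling rather than trusting the stream to stop itself."""
    d = zlib.decompressobj()
    out = d.decompress(compressed, max_out + 1)  # ask for one byte more than allowed
    if len(out) > max_out:
        raise ValueError("inflated IDAT exceeds the size implied by IHDR")
    if not d.eof or len(out) != max_out:
        raise ValueError("IDAT stream is truncated or short")
    return out


def validate_png(data: bytes) -> tuple:
    """Return (True, (width, height, raw_len)) for a consistent file, else (False, reason)."""
    try:
        chunks = read_chunks(data)
        if not chunks or chunks[0][0] != b"IHDR" or len(chunks[0][1]) != 13:
            raise ValueError("first chunk is not a well-formed IHDR")
        width, height, raw_len = expected_raw_size(chunks[0][1])
        idat = b"".join(p for t, p in chunks if t == b"IDAT")
        inflate_capped(idat, raw_len)
        return True, (width, height, raw_len)
    except (ValueError, zlib.error) as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(validate_png(build_sample_png()))                       # consistent image
    print(validate_png(build_sample_png(raw=b"\x00" * 100)))      # IDAT larger than IHDR allows
```

The important design point is that the output buffer size comes from IHDR and is enforced during inflation; a reader that instead sizes its buffer from the compressed stream, or lets the decompressor run until the stream says it is finished, is exactly the kind of code that a crafted file can push past the end of a heap allocation.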
Recommendations
Run all client software as a non-privileged user with minimal access rights. Browsing the web as a low-privileged
user will limit the consequences of malicious code being executed.
Do not follow links provided by unknown or untrusted sources. Be extremely careful when following links sent by
unknown individuals. If possible, always ensure that any email that has been received is solicited before reading
the contents.
This vulnerability has been resolved in MSIE 6.0 SP1. Users are advised to obtain the latest version of MSIE.
References
Source: PNG (Portable Network Graphics) Deflate Heap Corruption Vulnerability
URL: msg://bugtraq/MKEAIJIPCGAHEFEJGDOCCEDMIBAA.marc@eeye.com
Source: Microsoft Security Bulletin MS02-066
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-066.asp
Credits
Vulnerability discovery credited to eEye Digital Security.
Security News

What goes on in the mind of a hacker?
By Sarah Gordon, Senior Research Fellow, Symantec
What is hacking?
By some definitions, hacking is breaking into computer systems without consent of the system owner. This activity
once required a genuine knowledge of systems: it was once the domain of the computer geek, who pushed software
to the limits and beyond. These days, however, it doesn't take a computer expert to become a hacker.
There are tools available to help the wanna-be hacker break into systems. These tools give people unprecedented
access to networks. For the more advanced hackers, tools aren't necessary; they exploit configuration errors made
by users when they configure their software, or they take advantage of system vulnerabilities. One of the most
commonly exploited vulnerabilities is the buffer overflow - an event that occurs when more data is placed into
a storage buffer or holding area in computer memory than the buffer can handle. This, in turn, can crash the system
or leave it in an unplanned state that can be exploited.
For example, a program is waiting for input and may expect a small string like '123'. Instead the hacker puts in
a long string like 'irespectyourskillzandyourkungfu,' overflowing the space allocated for the string in the memory.
The result? The system crashes, potentially allowing a hacker access that extends far beyond that of the original
program.
Contrary to popular myth, hackers aren't necessarily underground loners and nerds - they're not even necessarily
all that smart - although there are exceptions. In many cases, they simply don't extend their ethical and moral
codes from the real world to the virtual world.
Who is hacking?
The popular hacking demographic of young, middle-class and male reflects those people who tend to be most technologically
savvy in our society. However, hackers come in all ages, sizes, nationalities and genders. The average hacker is
not necessarily some Goth-type teenaged male, dressed entirely in black and sporting the latest in piercing fashion
- he may very well be the guy next door or a 50-year-old female.
In fact, anecdotal evidence does suggest that hacking by females is on the rise. As more and more young women are
exposed to the technology and the subculture that glamorizes the activity, we should expect to see more females
taking part in these types of activities.
A visual check shows that there are more females at hacker conferences than there were in the early days; and while
some are young girls who are part of the technically savvy counterculture, some are certainly hackers.
Why do they do it?
Hacking is done for a variety of reasons - technical challenge, power, fun, excitement, peer pressure, profit,
and in some cases to do damage. For some it's simply a mental challenge, for others it's money, for some it's the
thrill - there are many different motives and many different targets. For many, though, it's the challenge and
the exhilarating feeling of power and control that comes from accessing and controlling a machine. It feels good.
Historically, society has tended to uplift hackers to the heights of technical genius when in reality most of these
break-ins are done using simple tools that exploit known vulnerabilities, yet many people almost admire them as
techno-heroes in some ways. That is a much more serious problem and one that can't be overcome by just technical
solutions. Recently public perception has shifted away from hacking being acceptable.
Catching hackers is of variable success - as in many ways, the Internet knows no borders, a careful hacker can
cover his or her tracks extremely well, and so catching the skilled hacker can be very difficult. In other words,
it is possible, though time consuming, to catch hackers, but if the hacker is well prepared it can be a long slow
process, and one that might bear little fruit in the long run.
What can I do?
One of the best defences against hacking is good computer security practices. Install good antivirus software that
combats the gamut of blended threats. Buy a firewall, implement it and maintain it. Consider intrusion detection
software to provide an additional layer of security by automatically blocking malicious attacks that spread quickly
through Internet traffic that a firewall alone cannot stop. Keep your systems up to date, keep your data backed
up, have a plan so that when something does go wrong you know how to react. Security should be an ongoing practice
- as threats evolve so should your defences against them.
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails please).
Follow this link to subscribe or unsubscribe: http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html
Send virus samples to: avsubmit@symantec.com
Disclaimer: THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.
This message contains Symantec Corporation's current view of the topics discussed as of the date of this document.
The information contained in this message is provided "as is" without warranty of any kind, either expressed
or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose,
and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document.
This document may not be distributed for profit.
Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products
are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials
may not be published in other documents without the express, written permission of Symantec Corporation.