Welsh virus writer loses appeal.
The Register has reported that a UK virus writer convicted of writing several viruses, including W32.GoKar.A@mm, lost his appeal to reduce his prison sentence.

It's interesting that the UK's Computer Misuse Act of 1990 is effective in the fight against virus authors at a time when many countries are still grappling with legislation to counter virus writing. At the same time, countries like Australia are working hard to pass legislation that will outlaw, at least in Australia, another Internet plague: spamming.

It occurs to me that as spammers change their techniques and start to use malicious code like trojans to send spam, it may actually make it easier for law enforcement agencies to prosecute them in places that already have effective computer misuse law in place.

A hot issue in Australia at the moment is credit card and other forms of financial fraud facilitated via trojans and key loggers; again, this would appear to fall under wider computer misuse law such as the Australian Federal Cybercrime Act of 2001. I'd be interested in feedback from anyone with information about computer misuse law in other countries.
Best Regards
David Banes

Links
http://www.theregister.co.uk/content/56/31901.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.gokar.a@mm.html
Security Response is monitoring the following threat.
W32.Mimail.A@mm
http://www.sarc.com/avcenter/venc/data/w32.mimail.a@mm.html

Use Symantec Security Alerts on Your Web Site
http://securityresponse.symantec.com/avcenter/cgi-bin/syndicate.cgi

Monthly Security Round-up from Symantec DeepSight Threat Management System
http://tms.symantec.com/
Microsoft released Service Pack 4 for Windows 2000, which addressed two new vulnerabilities affecting Microsoft NetMeeting and Active Directory while also encompassing all previous patches.

A Threat Report was released by the DeepSight Threat Analyst Team to highlight a critical vulnerability discovered in the widely deployed online credit card processing software CCBill. A remote vulnerability in a sample script, whereami.cgi, granted unauthorized users the ability to execute arbitrary commands on the host on which CCBill resided, in the security context of the whereami.cgi script.

Security updates were released for three widely distributed products: Microsoft Windows, Cisco IOS, and the Apache Web server. The impact of the vulnerabilities affecting these products ranged from Denial of Service attacks to remote code execution.

Microsoft released three security bulletins. MS03-026 was assigned the security rating of "Critical", disclosing a buffer overrun in the Microsoft Windows implementation of Remote Procedure Call (RPC), which may allow remote code execution on all Windows platforms except Windows ME. The remaining two Microsoft security bulletins, MS03-027 and MS03-028, were assigned a security rating of "Important".

Cisco released an advisory disclosing a Denial of Service vulnerability affecting Cisco devices running IOS and configured to process Internet Protocol version 4 (IPv4) packets. Exploitation of the vulnerability is trivial; an exploit was made public on Friday, July 18. IDS signatures were created by the Threat Analyst Team and released in the associated Threat Alert on July 17, 2003.

Apache HTTP server 2.0.47 was released. The release was principally a security bug fix. The vulnerabilities fixed included a Denial of Service condition, file descriptor leakage, and logging failure related vulnerabilities.

The DeepSight Threat Analyst Team released a Threat Alert detailing the release of publicly available exploits for the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability. Despite the impact of this vulnerability and the availability of exploits to the public, widespread exploitation has not yet been seen by DeepSight TMS.

Several high impact vulnerabilities affected Microsoft products, including the Microsoft DirectShow MIDI Filetype Buffer Overflow Vulnerability and the Microsoft SQL Server LPC Port Request Buffer Overflow Vulnerability, which plagued users of DirectX and MS SQL Server, respectively. Additionally, another RPC-related vulnerability was disclosed in Microsoft's implementation of RPC, which could result in a crash of the vulnerable machine during successful exploitation.

DeepSight TMS continued to report heavy worm-related activity, with Code Red, Nimda, and SQLExp (aka Slammer) related traffic continuing their attacks on Internet-connected machines.

The DeepSight Threat Analyst Team released a Snort signature to detect attacks targeting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability. IDS administrators are encouraged to deploy this signature, which is available in the IDS Tips and Tricks section of this weekly, in order to assist in the detection of attacks targeting this vulnerability.
Viruses, Trojans & Worms

W32.Lofni.Worm
Aliases: W32.Lohack.B.Worm, W32/Noala@MM [McAfee]
Risk: Low [2]
Date: 14th July 2003
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
CVE Reference: CVE-2001-0154

Overview
W32.Lofni.Worm is a worm that attempts to spread itself through file-sharing networks. It also attempts to mass mail itself to all the contacts in the Windows Address Book. The email will have a variable subject and attachment name. The attachment will have a .exe or .scr file extension.

The worm uses an internal SMTP client engine. In addition, W32.Lofni.Worm is a network-aware worm. It is a Visual Basic application that is compiled to native code and is packed with UPX v1.23.

Definitions dated prior to July 25, 2003 detect this as W32.Lohack.B.Worm.

Credits
Write-up by: Sergei Shevchenko, Security Response APAC.

References
Symantec Security Response
http://www.sarc.com/avcenter/venc/data/w32.lofni.worm.html
W32.HLLW.Indor.E@mm
Aliases:
Risk: Low [2]
Date: 16th July 2003
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Overview
W32.HLLW.Indor.E@mm is a mass-mailing worm that uses Microsoft Outlook to send a zipped copy of itself to all the contacts in the Microsoft Outlook Address Book. When W32.HLLW.Indor.E@mm runs, it displays a fake message that states "Error in file #1: bad Zip file offset (Error local header signature not found): disk #1 offset: 68669733".

W32.HLLW.Indor.E@mm can also spread through network drives, floppy disks, the KaZaA file-sharing network, and mIRC.

The email has the following characteristics:

Subject:
The subject line is one of the following:
- Your verification is required Confirm FFA submission and receive 1000 Credit
- Your Success Is Guranteed!
- You are Losing Income
- WHY NOT CHECK IT OUT? IT'S FREE!
- Free Software, Download it now !!
- Free MP3, OGG/VORBIS Hit Songs !!
- Download DVD Movie Now !! Its Free..!
- URGENT: Please Verify Your Submission Confirm FFA submission !!
- The E.A.S.E System Can Make You Money At Home!!
- Thank You !
- Re: Your Daily Report
- Re: Web Site Report
- WE send the TRAFFIC, YOU make the SALES!
- Thank You For Your Subscription
- Confirmation
- Need a quick $100 today?
- Confirmation Email - Required !

Attachment:
The attachment, which is a zipped copy of the worm, is one of the following:
- SaveNow.zip
- Report.zip
- Bonus.zip
- FFA.zip
- FreeJoin.zip

This threat is written in the Microsoft Visual Basic programming language.

Credits
Write-up by: Yana Liu, Security Response USA.

References
Symantec Security Response
http://www.sarc.com/avcenter/venc/data/w32.hllw.indor.e@mm.html
Security News

Guilty Plea in Kinko's Keystroke Caper
By Kevin Poulsen, Jul 18 2003
A New York cyberthief bugged the public access machines at thirteen Manhattan Kinko's shops for nearly two years. His take: hundreds of online banking passwords. ...
Common Vulnerabilities

| Vulnerability | Bugtraq ID | CVE Reference | Exploited by |
| Microsoft IE MIME Header Attachment Execution Vulnerability | 2524 | CVE-2001-0154 | W32.Klez, W32.Sobig, W32.Bugbear, W32.Yaha, W32.Nimda, W32.Lirva |
| MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability | 2708 | CVE-2001-0333 | W32.Nimda |
| Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability | 1806 | CVE-2000-0884 | W32.Nimda |
| Microsoft Windows 9x / Me Share Level Password Bypass Vulnerability | 1780 | CVE-2000-0979 | W32.Opaserv |
| Microsoft SQL Server Resolution Service buffer overflows allow arbitrary code execution | 5311 | CAN-2002-0649 | W32.SQLExp.Worm |
Events

HIPAA Security and Privacy Conference - Transactions and Compliance Strategies
Date: Aug 21, 2003
San Diego, CA, USA
http://www.dataconnectors.com/events/sd_hipaa_03/agenda.asp

SecureWorld Expo
Date: Sept 24-25, 2003
Seattle, WA, USA
http://www.secureworldexpo.com/seattle03.php

IDC Internet Security Conference
Date: Sept 25-26, 2003
Copenhagen, Denmark
http://nordic.idc.com/Events/Security/Denmark/default.htm

VB2003 - VB Conference 2003
Date: Sept 25-26, 2003
Toronto, Canada
http://www.virusbtn.com/conference/vb2003/index.xml

AVAR 2003 - Malicious Code Conference 2003
Date: November 6-7, 2003
Sydney, Australia
http://www.aavar.org/

For more events go to our online Events Calendar:
http://enterprisesecurity.symantec.com/content/globalevents.cfm