ISSN 1444-9994

Symantec Security Response Newsletter

July 2003


Welsh virus writer loses appeal.

 

The Register has reported that a UK virus writer convicted of writing several viruses, including W32.GoKar.A@mm, lost his appeal to reduce his prison sentence.

It's interesting that the UK's Computer Misuse Act of 1990 is effective in the fight against virus authors at a time when many countries are still grappling with legislation to counter virus writing. At the same time, countries like Australia are working hard to pass legislation that will outlaw, at least in Australia, another Internet plague: spamming.

It occurs to me that as spammers change their techniques and start to use malicious code like trojans to send spam, it may actually make it easier for law enforcement agencies to prosecute them in places that have effective computer misuse law already in place.

A hot issue in Australia at the moment is credit card and other forms of financial fraud facilitated via trojans and key loggers; again, this would appear to fall under wider computer misuse law such as the Australian Federal Cybercrime Act of 2001. I'd be interested in feedback from anyone with information about computer misuse law in other countries.

Best Regards

David Banes


Links

http://www.theregister.co.uk/content/56/31901.html

http://securityresponse.symantec.com/avcenter/venc/data/w32.gokar.a@mm.html

 

Security Response is monitoring the following threat.

W32.Mimail.A@mm

http://www.sarc.com/avcenter/venc/data/w32.mimail.a@mm.html

 
Use Symantec Security Alerts on Your Web Site
http://securityresponse.symantec.com/avcenter/cgi-bin/syndicate.cgi

 

Monthly Security Round-up
from Symantec DeepSight Threat Management System
http://tms.symantec.com/


Microsoft released Service Pack 4 for Windows 2000, which addressed two new vulnerabilities affecting Microsoft NetMeeting and Active Directory while also encompassing all previous patches.

A Threat Report was released by the DeepSight Threat Analyst Team to highlight a critical vulnerability discovered in the widely deployed online credit card processing software CCBill. A remote vulnerability in a sample script, whereami.cgi, granted unauthorized users the ability to execute arbitrary commands on the host on which CCBill resided, in the security context of the whereami.cgi script.

Security updates were released for three widely distributed products: Microsoft Windows, Cisco IOS, and the Apache Web server. The impact of the vulnerabilities affecting these products ranged from denial of service to remote code execution.

Microsoft released three security bulletins. MS03-026 was assigned the security rating "Critical", disclosing a buffer overrun in the Microsoft Windows implementation of Remote Procedure Call (RPC), which may allow remote code execution on all Windows platforms except Windows ME. The remaining two Microsoft security bulletins, MS03-027 and MS03-028, were assigned a security rating of "Important".

Cisco released an advisory disclosing a Denial of Service vulnerability affecting Cisco devices running IOS and configured to process Internet Protocol version 4 (IPv4) packets. Exploitation of the vulnerability is trivial; an exploit was made public on Friday July 18. IDS signatures were created by the Threat Analyst Team and released in the associated Threat Alert on July 17, 2003.

Apache HTTP server 2.0.47 was released. The release was principally a security bug fix; the vulnerabilities fixed included a denial of service condition, a file descriptor leak, and logging failures.

The DeepSight Threat Analyst Team released a Threat Alert, detailing the release of publicly available exploits for the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability. Despite the impact of this vulnerability, and the availability of exploits to the public, widespread exploitation has not yet been seen by DeepSight TMS.

Several high impact vulnerabilities affected Microsoft products, including the Microsoft DirectShow MIDI Filetype Buffer Overflow Vulnerability and the Microsoft SQL Server LPC Port Request Buffer Overflow Vulnerability, which plagued users of DirectX and MS SQL Server, respectively. Additionally, another RPC-related vulnerability was disclosed in Microsoft's implementation of RPC, which could result in a crash of the vulnerable machine during successful exploitation.

DeepSight TMS continued to report heavy worm-related activity, with Code Red, Nimda, and SQLExp (aka Slammer) related traffic continuing their attacks on Internet-connected machines.

The DeepSight Threat Analyst Team released a Snort signature to detect attacks targeting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability. IDS administrators are encouraged to deploy this signature, which is available in the IDS Tips and Tricks section of this weekly, in order to assist in the detection of attacks targeting this vulnerability.

 

Viruses, Trojans & Worms


W32.Lofni.Worm

Aliases : W32.Lohack.B.Worm, W32/Noala@MM [McAfee]
Risk : Low[2]
Date : 14th July 2003
Systems Affected : Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
CVE Reference : CVE-2001-0154

Overview

W32.Lofni.Worm is a worm that attempts to spread itself through file-sharing networks. It also attempts to mass mail itself to all the contacts in the Windows Address Book. The email will have a variable subject and attachment name. The attachment will have a .exe or .scr file extension.

 

The worm uses an internal SMTP client engine. In addition, W32.Lofni.Worm is a network-aware worm. It is a Visual Basic application that is compiled to native code and is packed with UPX v1.23.

Definitions dated prior to July 25, 2003 detect this as W32.Lohack.B.Worm.

Credits

Write-up by: Sergei Shevchenko, Security Response APAC.

References
Symantec Security Response
http://www.sarc.com/avcenter/venc/data/w32.lofni.worm.html

 

W32.HLLW.Indor.E@mm

Aliases :
Risk : Low[2]
Date : 16th July 2003
Systems Affected : Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Overview

W32.HLLW.Indor.E@mm is a mass-mailing worm that uses Microsoft Outlook to send a zipped copy of itself to all the contacts in the Microsoft Outlook Address Book. When W32.HLLW.Indor.E@mm runs, it displays a fake message that states "Error in file #1: bad Zip file offset (Error local header signature not found): disk #1 offset: 68669733"


W32.HLLW.Indor.E@mm can also spread through network drives, floppy disks, the KaZaA file-sharing network, and mIRC.

The email has the following characteristics:

   
Subject: The subject line is one of the following:
  • Your verification is required Confirm FFA submission and receive 1000 Credit
  • Your Success Is Guranteed!
  • You are Losing Income
  • WHY NOT CHECK IT OUT? IT'S FREE!
  • Free Software, Download it now !!
  • Free MP3, OGG/VORBIS Hit Songs !!
  • Download DVD Movie Now !! Its Free..!
  • URGENT: Please Verify Your Submission Confirm FFA submission !!
  • The E.A.S.E System Can Make You Money At Home!!
  • Thank You !
  • Re: Your Daily Report
  • Re: Web Site Report
  • WE send the TRAFFIC, YOU make the SALES!
  • Thank You For Your Subscription - Confirmation
  • Need a quick $100 today?
  • Confirmation Email - Required !

Attachment: The attachment, which is a zipped copy of the worm, is one of the following:
  • SaveNow.zip
  • Report.zip
  • Bonus.zip
  • FFA.zip
  • FreeJoin.zip


This threat is written in the Microsoft Visual Basic programming language.
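The two write-ups above give a mail gateway something concrete to match on: W32.HLLW.Indor.E@mm uses a fixed list of subject lines and .zip attachment names, while W32.Lofni.Worm varies both but always ships a .exe or .scr attachment. The following is an added illustration of triage against those indicators; it is not Symantec code. The subject and attachment lists are copied verbatim from the write-ups, and the Message class, the triage and verdict helpers, and the sample messages are constructed assumptions.

```python
# Mail-gateway triage against the indicators in the W32.Lofni.Worm and
# W32.HLLW.Indor.E@mm write-ups above. Added illustration, not Symantec code:
# the subject and attachment lists are copied from the write-ups; the Message
# class, the triage/verdict helpers and the sample messages are assumptions.
import re
from dataclasses import dataclass, field

# Subject lines listed for W32.HLLW.Indor.E@mm (kept verbatim, typos included).
INDOR_SUBJECTS = {
    "Your verification is required Confirm FFA submission and receive 1000 Credit",
    "Your Success Is Guranteed!",
    "You are Losing Income",
    "WHY NOT CHECK IT OUT? IT'S FREE!",
    "Free Software, Download it now !!",
    "Free MP3, OGG/VORBIS Hit Songs !!",
    "Download DVD Movie Now !! Its Free..!",
    "URGENT: Please Verify Your Submission Confirm FFA submission !!",
    "The E.A.S.E System Can Make You Money At Home!!",
    "Thank You !",
    "Re: Your Daily Report",
    "Re: Web Site Report",
    "WE send the TRAFFIC, YOU make the SALES!",
    "Thank You For Your Subscription - Confirmation",
    "Need a quick $100 today?",
    "Confirmation Email - Required !",
}
# Attachment names listed for W32.HLLW.Indor.E@mm.
INDOR_ATTACHMENTS = {"SaveNow.zip", "Report.zip", "Bonus.zip", "FFA.zip", "FreeJoin.zip"}
# W32.Lofni.Worm varies subject and attachment name but always uses .exe or .scr.
EXECUTABLE_EXTENSIONS = (".exe", ".scr")


def _norm(text: str) -> str:
    """Collapse whitespace and case so trivial variations still match."""
    return re.sub(r"\s+", " ", text).strip().casefold()


_NORM_SUBJECTS = {_norm(s) for s in INDOR_SUBJECTS}
_NORM_ATTACHMENTS = {a.casefold() for a in INDOR_ATTACHMENTS}


@dataclass
class Message:
    """Minimal view of an inbound mail: subject plus attachment file names (assumed shape)."""
    subject: str
    attachments: list = field(default_factory=list)


def triage(msg: Message) -> list:
    """Return the list of indicator matches for one message (empty if none)."""
    findings = []
    if _norm(msg.subject) in _NORM_SUBJECTS:
        findings.append("subject matches W32.HLLW.Indor.E@mm subject list")
    for name in msg.attachments:
        lowered = name.casefold()
        if lowered in _NORM_ATTACHMENTS:
            findings.append(f"attachment {name} matches W32.HLLW.Indor.E@mm attachment list")
        if lowered.endswith(EXECUTABLE_EXTENSIONS):
            findings.append(f"executable attachment {name} (.exe/.scr, as used by W32.Lofni.Worm)")
    return findings


def verdict(msg: Message) -> str:
    """quarantine on a named-indicator hit, hold on a bare executable attachment, else deliver."""
    findings = triage(msg)
    if any("Indor.E" in f for f in findings):
        return "quarantine"
    if findings:
        return "hold"
    return "deliver"


# Constructed sample messages for a local run.
SAMPLES = [
    Message("Re: Your Daily Report", ["Report.zip"]),
    Message("Holiday photos", ["holiday.SCR"]),
    Message("Meeting notes", ["notes.txt"]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{verdict(m):10} {m.subject!r} {m.attachments}")
```

The named Indor.E indicators are specific enough to quarantine on, whereas a .exe or .scr attachment on its own only earns a hold for review, since Lofni's variable names give nothing more precise to match. Subject-only matches deserve a second look before release: several of the listed subjects are ordinary marketing phrasing.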

Credits

Write-up by: Yana Liu, Security Response USA.


References

Symantec Security Response
http://www.sarc.com/avcenter/venc/data/w32.hllw.indor.e@mm.html

 

Top Malicious Code Threats


Risk  Threat               Discovered    Protection
4     W32.Bugbear.B@mm     4 Jun 2003    5 Jun 2003
3     W32.HLLW.Fizzer@mm   8 May 2003    9 May 2003
3     W32.SQLExp.Worm      24 Jan 2003   24 Jan 2003
3     W32.Klez.H@mm        17 Apr 2002   17 Apr 2002
3     W32.Mimail.A@mm      1 Aug 2003    1 Aug 2003
 

 

Latest Malicious Code Threats


Risk  Threat                Discovered    Protection
2     Backdoor.IRC.Cirebot  2 Aug 2003    4 Aug 2003
1     Backdoor.Sumtax       1 Aug 2003    1 Aug 2003
3     W32.Mimail.A@mm       1 Aug 2003    1 Aug 2003
1     PWSteal.Bancos.B      31 Jul 2003   1 Aug 2003
1     Backdoor.FTPserver    31 Jul 2003   31 Jul 2003
 

 

Security News

Guilty Plea in Kinko's Keystroke Caper
By Kevin Poulsen, Jul 18 2003
A New York cyberthief bugged the public access machines at thirteen Manhattan Kinko's shops for nearly two years. His take: hundreds of online banking passwords.



 

Security Advisories

Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability

Risk : High

Date : 16th July 2003

Components Affected: Many, listed here;

http://securityresponse.symantec.com/avcenter/security/Content/8205.html

Overview

A buffer overrun vulnerability has been reported in Microsoft Windows that can be exploited remotely via a DCOM RPC interface that listens on TCP/UDP port 135. The issue is due to insufficient bounds checking of client DCOM object activation requests. Exploitation of this issue could result in execution of malicious instructions with Local System privileges on an affected system.

This issue may be exposed on other ports that the RPC Endpoint Mapper listens on, such as TCP ports 139, 135, 445 and 593.

This has not been confirmed. Under some configurations the Endpoint Mapper may receive traffic via port 80.
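The overview above is, for a defender, mostly a list of ports: 135 TCP/UDP for the DCOM interface itself, plus 139, 445 and 593 TCP where the RPC Endpoint Mapper may also listen, with port 80 an unconfirmed possibility. The following added example (not Symantec or DeepSight code) turns that list into a check over perimeter firewall logs, surfacing internal hosts that accepted Internet traffic on an endpoint-mapper port and therefore need MS03-026 applied, or the port filtered, first. The log line format, the internal address ranges and the sample lines are constructed assumptions; the port list is taken from the advisory.

```python
# Perimeter firewall log triage for exposure of the Windows RPC endpoint mapper
# described in the advisory above. Added example, not Symantec or DeepSight
# code: the port list is taken from the advisory; the log line format, the
# internal address ranges and the sample lines are constructed assumptions.
import ipaddress
from collections import Counter

# Ports on which the advisory says the endpoint mapper listens or may listen.
RPC_PORTS = {(135, "tcp"), (135, "udp"), (139, "tcp"), (445, "tcp"), (593, "tcp")}
# Port 80 is only an unconfirmed, configuration-dependent exposure per the
# advisory, so it is left out of the automatic match to avoid flagging all HTTP.

# Assumed internal address space (RFC 1918); adjust to the site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Parse the assumed format: '<ts> <ACCEPT|DROP> <proto> <src>:<port> -> <dst>:<port>'."""
    ts, action, proto, src, _arrow, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "action": action, "proto": proto.lower(),
            "src": src_ip, "dst": dst_ip, "dport": int(dst_port)}


def rpc_exposure(lines):
    """Count external->internal RPC-port connections, split by firewall action.

    Returns (allowed, denied): Counters keyed by (destination host, port).
    Allowed entries are hosts reachable on an endpoint-mapper port from the
    Internet and should be patched (MS03-026) or have the port filtered first.
    """
    allowed, denied = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if (rec["dport"], rec["proto"]) not in RPC_PORTS:
            continue
        if is_internal(rec["src"]) or not is_internal(rec["dst"]):
            continue  # only traffic crossing the perimeter inbound
        bucket = allowed if rec["action"] == "ACCEPT" else denied
        bucket[(rec["dst"], rec["dport"])] += 1
    return allowed, denied


def exposed_hosts(allowed: Counter) -> list:
    """Internal hosts that actually accepted Internet traffic on an RPC port."""
    return sorted({host for host, _port in allowed})


# Constructed sample log lines.
SAMPLE_LOG = """\
2003-07-16T10:01:02 ACCEPT tcp 203.0.113.7:4522 -> 10.0.0.5:135
2003-07-16T10:01:03 DROP tcp 203.0.113.7:4523 -> 10.0.0.6:135
2003-07-16T10:01:05 ACCEPT tcp 198.51.100.9:1033 -> 10.0.0.5:445
2003-07-16T10:01:07 ACCEPT tcp 10.0.0.8:3001 -> 10.0.0.5:135
2003-07-16T10:01:09 ACCEPT tcp 203.0.113.7:4530 -> 10.0.0.5:80
2003-07-16T10:01:10 ACCEPT tcp 203.0.113.7:4531 -> 10.0.0.9:593
2003-07-16T10:01:11 ACCEPT udp 203.0.113.7:4532 -> 10.0.0.5:135
""".splitlines()

if __name__ == "__main__":
    allowed, denied = rpc_exposure(SAMPLE_LOG)
    for (host, port), n in sorted(allowed.items()):
        print(f"ALLOWED  {host}:{port}  {n} connection(s)")
    for (host, port), n in sorted(denied.items()):
        print(f"DROPPED  {host}:{port}  {n} connection(s)")
    print("hosts needing attention:", exposed_hosts(allowed))
```

Dropped connections are worth keeping in the output as well: they show which external sources are already probing port 135 and so indicate how urgent the patching of the accepted hosts is. Internal-to-internal traffic is deliberately ignored here, since this check is about perimeter exposure rather than lateral movement.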

Symantec Solutions

Symantec Manhunt, Enterprise Firewall, Symantec Vulnerability Assessment, Gateway Security.

 

Credits

Discovery of this vulnerability has been credited to The Last Stage of Delirium Research Group.

References

Source: Microsoft Security Bulletin MS03-026
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp


Symantec Security Response

http://www.sarc.com/avcenter/security/Content/8205.html

 

Cisco IOS Malicious IPV4 Packet Sequence Denial Of Service Vulnerability

Risk : High

Date : 16th July 2003

Components Affected: Many, see list here;
http://www.sarc.com/avcenter/security/Content/8211.html

Overview

A denial of service vulnerability has been reported to exist in all hardware platforms that run Cisco IOS versions 11.x through 12.x.

This issue may be triggered by a sequence of specially crafted IPV4 packets. A power cycling of an affected device is required to regain normal functionality.

Symantec Solutions

Symantec Manhunt, Gateway Security, Enterprise Firewall

 

Credits
This vulnerability was announced by the vendor.

References
Source: Cisco Homepage
URL: http://www.cisco.com

Source: Cisco Product Security Advisories and Notices
URL: http://www.cisco.com/warp/public/707/advisory.html

Source: Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
URL: http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

 

 

Common Vulnerabilities


Microsoft IE MIME Header Attachment Execution Vulnerability
Bugtraq ID : 2524
CVE Reference : CVE-2001-0154
Exploited by : W32.Klez, W32.Sobig, W32.Bugbear, W32.Yaha, W32.Nimda, W32.Lirva

MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
Bugtraq ID : 2708
CVE Reference : CVE-2001-0333
Exploited by : W32.Nimda

Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
Bugtraq ID : 1806
CVE Reference : CVE-2000-0884
Exploited by : W32.Nimda

Microsoft Windows 9x / Me Share Level Password Bypass Vulnerability
Bugtraq ID : 1780
CVE Reference : CVE-2000-0979
Exploited by : W32.Opaserv

Microsoft SQL Server Resolution Service Buffer Overflows Allow Arbitrary Code Execution
Bugtraq ID : 5311
CVE Reference : CAN-2002-0649
Exploited by : W32.SQLExp.Worm
 

 

Security Events Calendar

HIPAA Security and Privacy Conference - Transactions and Compliance Strategies

Date: Aug 21, 2003

San Diego, CA, USA

http://www.dataconnectors.com/events/sd_hipaa_03/agenda.asp


SecureWorld Expo
Date: Sept 24-25, 2003
Seattle, WA, USA

http://www.secureworldexpo.com/seattle03.php


IDC Internet Security Conference
Date: Sept 25-26, 2003
Copenhagen, Denmark
http://nordic.idc.com/Events/Security/Denmark/default.htm


VB2003 - VB Conference 2003
Date: Sept 25-26, 2003
Toronto, Canada
http://www.virusbtn.com/conference/vb2003/index.xml


AVAR 2003 - Malicious Code Conference 2003

Date: November 6-7, 2003.
Sydney, Australia

http://www.aavar.org/

 

For more events go to our online Events Calendar;
http://enterprisesecurity.symantec.com/content/globalevents.cfm

 

Useful Links

 

Incorrect MIME Header Can Cause IE to Execute E-mail Attachment


Virus Removal Tools
Fix tools for threats such as W32.HLLW.Lovgate, W32.SQLExp.Worm, W32.Sobig.A@mm and W32.Bugbear@mm


Virus Hoaxes

There are many email virus hoaxes; please check here before forwarding email virus warnings.


Joke Programs

Joke programs are not malicious and can be safely deleted.

   

Symantec, the Symantec logo, [registered trademarks in alphabetical order] are U.S. registered trademarks of Symantec Corporation. [Common law trademarks in alphabetical order] are trademarks of Symantec Corporation. Windows, Windows NT, and the Windows logo are registered trademarks of Microsoft Corporation in the United States and other countries. All other brand and product names are trademarks of their respective holder(s). Copyright © 2003 Symantec Corporation. All rights reserved. Printed in Australia. March 2003.
Follow this link to subscribe or unsubscribe http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html


Last Updated: August 4, 2003