Peer-to-peer (P2P) networks look like the next target for worms. We've already seen worms exploit this type of
architecture, and we had more than 900 samples of W32.Benjamin.Worm in 7 days. This is a lot for a worm that
does not replicate itself but requires users to manually retrieve it. Does this tell us that the average user of
a consumer-based P2P network will grab any file they can, with little consideration for security and privacy?
Oddly, W32.Benjamin.Worm is number two in the Netherlands this month, just when we feature this country, whilst
Benjamin doesn't show up at all in the Asia top ten.
An SQL worm (Digispid.B.Worm) has reminded us all to change standard, 'out of the box' passwords as soon as we
install software that uses user accounts and passwords. This is one of the easiest exploits for a cracker or automated
worm to use.
I just got back from the AusCERT 2002 Conference at the Gold Coast in Australia. I highly recommend this conference;
take a look at the web site (http://conference.auscert.org.au/) and, if you can, schedule it in for next year. The
quality of speakers, attendees and topics covered was excellent.
David Banes.
Editor, securitynews@symantec.com
Viruses, Worms & Trojans

W32.Benjamin.Worm
Threat: Low Threat [2]
Platform: Win32

Global infection breakdown by geographic region (% of total):
America (North & South): 45.5%
EMEA (Europe, Middle East, Africa): 52.7%
Japan: 0.0%
Asia Pacific: 1.8%

Reports by date (% of reports):
19 May: 0.1%
20 May: 3.0%
21 May: 11.6%
22 May: 31.3%
23 May: 18.3%
24 May: 21.2%
25 May: 10.3%
26 May: 4.2%
W32.Benjamin.Worm comes disguised as popular music, movie, or software files. It spreads across KaZaA file-sharing
networks by tricking KaZaA users into downloading the program and opening it.
The size of the worm can vary because the worm pads copies of itself with garbage bytes. The worm creates the C:\%Windows%\Temp\Sys32
folder. It then changes the KaZaA download folder settings so that this new folder is accessible to other KaZaA
network users. This allows other KaZaA users to download files from that location.
The worm then copies itself into this folder using many different names that are chosen randomly from a list that
the worm carries. Here are some examples:
Chterbahn Designer -full-downloader
Acrobat Capture 3.0 -full-downloader
Age of Empires-Games-full-downloader
American Pie 2 -divx-full-downloader
Baseball 2001-Games-full-downloader
Metallica - Blackened
ac dc - Fight For Your Right
The worm then displays a fake error message. Finally, it waits in the background for other KaZaA users to download
the worm file.
http://www.symantec.com/avcenter/venc/data/w32.benjamin.worm.html
Yana Liu and Douglas Knowles
Symantec Security Response, USA.
Digispid.B.Worm
Threat: Low Threat [2]
Platform: Script
Digispid.B.Worm is a worm that spreads to computers running Microsoft SQL Server that have a blank SQL administrator
password. It copies files to the infected computer and changes the SQL administrator password to a string of four
random characters.
The worm is unlikely to propagate in a production environment using SQL Server because it relies upon the following
assumptions to spread:
- The "sa" SQL Server account has no password.
- SQL Server is running with administrative access. By default, SQL Server runs in the security context of a domain
  user.
An infected computer can be identified by the presence of the following characteristics:
- The presence of some or all of these files:
  %System32%\Drivers\Services.exe
  %System32%\Sqlexec.js
  %System32%\Clemail.exe
  %System32%\Sqlprocess.js
  %System32%\Sqlinstall.bat
  %System32%\Sqldir.js
  %System32%\Run.js
  %System32%\Timer.dll
  %System32%\Samdump.dll
  %System32%\Pwdump2.exe
- Many outgoing port 1433 requests
For a more detailed description, please see the Technical Description.
Users can protect themselves by doing the following:
- Firewall filtering of incoming/outgoing port 1433 requests.
- Filter outgoing email messages to "ixltd@postone.com".
- Filter outgoing email messages that have subjects beginning with "SystemData-".
- Verify that all SQL Server "sa" accounts have passwords.
For systems that have been infected, you will notice the following symptoms:
- Increased internet traffic
- Many outgoing port 1433 requests
- Emails the operating system user password and SQL Server data information to "ixltd@postone.com"
- SQL Server "sa" password will be changed
When systems have been infected, you should do the following:
Update Norton AntiVirus definitions and perform a full system scan. Reset all operating system and SQL Server passwords.
http://www.symantec.com/avcenter/venc/data/digispid.b.worm.html
Douglas Knowles
Symantec Security Response, USA.
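The indicators above (the file list, the burst of outgoing port 1433 connections, and the two mail-filter rules) translate directly into host and network checks. The following Python is an added example written for this newsletter, not Symantec's tooling: it takes a listing of %System32%, a handful of constructed firewall log lines in a hypothetical "date time action proto src:port -> dst:port" format, and outgoing mail headers, and reports what matches. The scan threshold (five distinct SQL targets from one source) is an assumption chosen for the demonstration.

```python
import re
from collections import defaultdict

# File indicators from the write-up, as paths relative to %System32%.
DIGISPID_FILES = (
    r"Drivers\Services.exe", "Sqlexec.js", "Clemail.exe", "Sqlprocess.js",
    "Sqlinstall.bat", "Sqldir.js", "Run.js", "Timer.dll",
    "Samdump.dll", "Pwdump2.exe",
)


def _norm(path):
    """Case-fold and unify separators so Windows listings compare reliably."""
    return path.replace("/", "\\").strip("\\").lower()


def file_indicators(system32_listing):
    """Return the IoC paths that are present in a listing of %System32% (paths relative to it)."""
    present = {_norm(p) for p in system32_listing}
    return [f for f in DIGISPID_FILES if _norm(f) in present]


# Hypothetical firewall log format used only for this example.
LOG_RE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def sql_scanners(log_lines, min_targets=5):
    """Map source IP -> number of distinct hosts it contacted on TCP/1433, for sources at or above min_targets."""
    targets = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and m.group("dport") == "1433":
            targets[m.group("src")].add(m.group("dst"))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def mail_matches_worm(recipient, subject):
    """True if an outgoing message matches either filter rule given in the write-up."""
    return recipient.strip().lower() == "ixltd@postone.com" or subject.startswith("SystemData-")


# Constructed sample data: a partial %System32% listing and nine log lines.
SAMPLE_LISTING = [r"Drivers\Services.exe", "SQLEXEC.JS", "kernel32.dll", "pwdump2.exe", "drivers/etc/hosts"]
SAMPLE_LOG = [
    f"2002-05-22 10:01:{i:02d} ALLOW TCP 10.0.0.5:{3200 + i} -> 192.0.2.{i}:1433"
    for i in range(1, 7)
] + [
    "2002-05-22 10:02:00 ALLOW TCP 10.0.0.5:3300 -> 192.0.2.80:80",
    "2002-05-22 10:02:05 ALLOW TCP 10.0.0.9:4000 -> 192.0.2.50:1433",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    print("files present:", file_indicators(SAMPLE_LISTING))
    print("1433 scanners:", sql_scanners(SAMPLE_LOG))
    print("mail blocked:", mail_matches_worm("bob@example.com", "SystemData-host1"))
```

The file check is deliberately case-insensitive and separator-agnostic because Windows listings arrive in both forms; the 1433 counter keys on distinct destinations rather than raw connection count so a single legitimate client hammering one database does not trip it.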
Security Advisories

RedHat sharutils package uudecode flaw allows elevated privileges
Severity: Medium [3]
Platform: Linux
The uudecode utility included with the Red Hat Linux sharutils package creates files in an insecure fashion that
could lead to files being overwritten or exploited to elevate local user privileges.
The sharutils package provides utilities to encode and decode files to and from various formats. The uuencode utility
converts binary files to ASCII (text) format, which can be sent safely through email. The uudecode utility converts
these files back to their binary format.
The Red Hat sharutils flaw occurs because uudecode creates an output file without verifying if it is about to write
to a symbolic link (a file pointer that links to another file) or a pipe (a technique for passing information from
one process to another). If the output file is created in an open share directory (for example, /tmp), a local
attacker could exploit this vulnerability to overwrite existing files or elevate user privileges. Depending on
the permissions of the program using uudecode, the attack could, potentially, result in root access.
Recommendations
Red Hat sharutils patch
Install the appropriate version and platform RPM of the Red Hat sharutils update package, which contains a version
of uudecode patched to check for an existing symbolic link or pipe.
Before applying this update, ensure that all previously released updates relevant to your system have been applied.
To update all RPMs for your particular version, run the following command:
  rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you want to update. Only currently installed RPMs in the list will be updated.
You can also use wildcards (*.rpm) if your current directory contains only the desired RPMs.
The sharutils update is also available on the Red Hat Network. To use Red Hat Network, launch the Red Hat Update
Agent with the following command:
  up2date
The up2date command starts an interactive process to upgrade appropriate RPMs on your system.
References
Source: CVE CAN-2002-0178
URL: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0178
Source: Red Hat RHSA-2002-065
URL: http://rhn.redhat.com/errata/RHSA-2002-065.html
Source: Security Focus.com
URL: http://online.securityfocus.com/advisories/4120
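To make the flaw concrete, the Python below is an added example (not sharutils code and not the Red Hat patch) of a small uudecoder that applies the class of check the advisory describes: before writing the output file it refuses a path that is already a symbolic link or a FIFO, opens with O_NOFOLLOW, and re-verifies on the open descriptor that it holds a regular file. The encoder, the temporary directory and the planted link are constructed for the demonstration; the refusal of names containing path components is an extra hardening step beyond what the advisory mentions.

```python
import binascii
import os
import stat
import tempfile


def uuencode(data, name, mode=0o644):
    """Produce a classic uuencode text block (used here only to build sample input)."""
    lines = [f"begin {mode:o} {name}"]
    for i in range(0, len(data), 45):  # uuencode lines carry at most 45 raw bytes
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines.append("`")  # zero-length terminator line
    lines.append("end")
    return "\n".join(lines) + "\n"


def uudecode_text(text):
    """Parse 'begin <mode> <name>' ... 'end' and return (name, mode, payload)."""
    lines = iter(text.splitlines())
    for line in lines:
        if line.startswith("begin "):
            _, mode, name = line.split(" ", 2)
            break
    else:
        raise ValueError("no 'begin' line found")
    payload = bytearray()
    for line in lines:
        if line == "end":
            break
        if line:
            payload += binascii.a2b_uu(line)
    return name, int(mode, 8), bytes(payload)


def open_output_safely(path):
    """Create the decode target without following a symlink or writing into a pipe."""
    try:
        st = os.lstat(path)          # lstat: look at the name itself, not what it points to
    except FileNotFoundError:
        st = None
    if st is not None and (stat.S_ISLNK(st.st_mode) or stat.S_ISFIFO(st.st_mode)):
        raise PermissionError(f"refusing to write through symlink or pipe: {path}")
    flags = (os.O_WRONLY | os.O_CREAT | os.O_TRUNC
             | getattr(os, "O_NOFOLLOW", 0)   # kernel-side symlink refusal on POSIX
             | getattr(os, "O_NONBLOCK", 0))  # never block on a FIFO that slipped past lstat
    fd = os.open(path, flags, 0o600)
    if not stat.S_ISREG(os.fstat(fd).st_mode):  # re-check on the descriptor we actually hold
        os.close(fd)
        raise PermissionError(f"target is not a regular file: {path}")
    return fd


def uudecode_to_dir(text, directory):
    """Decode into directory and return the output path; raises if the target is unsafe."""
    name, mode, payload = uudecode_text(text)
    if os.path.basename(name) != name:  # added hardening: no path components from the input
        raise ValueError("refusing a name with path components")
    out = os.path.join(directory, name)
    fd = open_output_safely(out)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    os.chmod(out, mode & 0o777)
    return out


def demo_symlink_refused():
    """Constructed /tmp-style scenario: a victim file and a link named like the decode target."""
    work = tempfile.mkdtemp()
    victim = os.path.join(work, "victim.txt")
    with open(victim, "w") as f:
        f.write("original\n")
    os.symlink(victim, os.path.join(work, "out.bin"))
    encoded = uuencode(b"bytes that must not land in victim.txt", "out.bin")
    try:
        uudecode_to_dir(encoded, work)
        refused = False
    except PermissionError:
        refused = True
    with open(victim) as f:
        intact = f.read() == "original\n"
    return refused, intact


def demo_clean_decode():
    """Normal case: decoding into a clean directory round-trips the payload."""
    work = tempfile.mkdtemp()
    path = uudecode_to_dir(uuencode(b"abc", "ok.bin", 0o600), work)
    with open(path, "rb") as f:
        return f.read()


if __name__ == "__main__":
    print("symlink refused, victim intact:", demo_symlink_refused())
    print("clean decode:", demo_clean_decode())
```

The lstat check alone is the part the advisory text describes; the O_NOFOLLOW flag and the fstat after open are what close the window between checking the name and using it, which is the usual weakness of a check-then-create sequence in a shared directory.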
AltaVista Traversal
The AltaVista search engine includes a CGI that accepts "../" in standard queries. This allows an attacker
to access sensitive files in the HTTP directory which is one level above the search engine. Sensitive files in
this directory include the trivially encrypted password for the remote administration utility. The CGI in question
also processes additional "../" strings if they are encoded in Hex (%2e%2e%2f). This would allow an attacker
to access files throughout the host system. This signature detects an attempt to exploit this vulnerability.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0039
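The traversal described above works because the CGI uses the request path without normalising it and without noticing hex-encoded "../". As an added example (not the AltaVista code, whose internals the entry does not describe), the Python below shows the check a file-serving handler should make: percent-decode until the value is stable, resolve the result against the document root, and reject anything that lands outside it. The document root and the request strings are constructed for the demonstration.

```python
import os
from urllib.parse import unquote

DOC_ROOT = "/srv/www/htdocs"  # constructed document root for the demonstration


def fully_unquote(value, max_rounds=4):
    """Percent-decode until stable so hex-encoded traversal (%2e%2e%2f, or doubly encoded) reads as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_request(doc_root, requested):
    """Map a requested path onto disk; return the absolute path, or None if it escapes doc_root."""
    decoded = fully_unquote(requested).replace("\\", "/")
    root = os.path.realpath(doc_root)
    # realpath collapses '..' lexically and follows any symlinks that exist, so the
    # containment test below is made on the path that would actually be opened.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


# Constructed requests: two benign, three traversal attempts in plain, hex and double-hex form.
SAMPLE_REQUESTS = [
    "index.html",
    "search/results.html",
    "../admin/passwd",
    "%2e%2e%2fadmin/passwd",
    "%252e%252e%252fadmin/passwd",
]


def triage(doc_root, requests):
    """Return {request: allowed?} for a batch of request paths."""
    return {r: resolve_request(doc_root, r) is not None for r in requests}


if __name__ == "__main__":
    for req, ok in triage(DOC_ROOT, SAMPLE_REQUESTS).items():
        print(f"{'allow' if ok else 'DENY '}  {req}")
```

Decoding once is not enough: a single unquote turns %252e into %2e, which still looks harmless to a naive check, so the loop runs until the string stops changing before the containment test.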
Login Buffer Overflow
On some System V versions of /bin/login, the exploit attempts to overflow a register and bind to a shell in
order to allow an attacker to place a new user account in the /etc/passwd or /etc/shadow file. The attack occurs
via a telnet or rlogin session. The filter looks at the connection and alerts when an attempt to overflow the buffer
occurs.
http://www.cert.org/advisories/CA-2001-34.html
MStream
This signature provides an early warning to the administrator that traffic resembling MStream control communication
has been detected. Specifically, the following:
a) MStream Client Login signature watches for TCP packets of a particular length that contain character strings
that are unique to MStream.
b) MStream Flood signature watches for a TCP ACK packet that has both a particular total size and a particular
window size.
c) MStream Master Login signature watches for TCP packets of specific lengths that contain character strings unique
to MStream.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0138
Security News

Wireless LAN Security: Enabling and Protecting the Enterprise
Motivated by the need to reduce IT costs while increasing employee productivity, enterprise-wide wireless local
area network (LAN) solutions are becoming increasingly viable. Proliferation of mobile computing devices has boosted
employee demand for access to their organization’s network beyond the tether of their office workstation. Meanwhile,
accelerated wireless transmission rates and increasing vendor adherence to standards-based interoperability are
enhancing the practicality of wireless LANs.
Yet the same wireless technologies that can erase the physical limitations of wired communications to increase
user flexibility, boost employee productivity, and lower cost of network ownership also expose network-based assets
to considerable risks.
The security embedded in wireless LAN technologies falls short of providing adequate protection. Early-adopting
organizations have found that evaluating, and where possible, mitigating these risks before deploying a wireless
LAN is beneficial.
This white paper summarizes wireless network security planning by providing an
overview of the security risks and technical challenges in this area, as well as summarizing key recommendations
for secure wireless LANs.
http://www.symantec.com/avcenter/reference/symantec.wlan.security.pdf
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com, no unsubscribe or support emails please.
Follow this link to subscribe or unsubscribe: http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html
Send virus samples to: avsubmit@symantec.com
Disclaimer - THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.
This message contains Symantec Corporation's current view of the topics discussed as of the date of this document.
The information contained in this message is provided "as is" without warranty of any kind, either expressed
or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose,
and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document.
This document may not be distributed for profit.
Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products
are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials
may not be published in other documents without the express, written permission of Symantec Corporation.