Bugbear Makes a Comeback!
Bugbear made a comeback this month in the form of W32.Bugbear.b@mm. This variant has some significant differences from the original version; of most concern is the key logging and data export. Of course, users wouldn't be infected if their systems were patched up to date. It's the same problem: an old vulnerability, first discovered in March 2001, still giving viruses and worms like Bugbear a way onto your PC.
We are late publishing the June edition; I've been busy with the next version of Symantec's Internet Threat Report, due out in September, analysing the Newsletter survey results and working on the new HTML format.
In response to the survey conducted on this newsletter, we have added a couple of new sections, changed a few sections and taken note of your comments. Later editions will be further enhanced, but in this edition you'll find a calendar of selected security events and IT Security news links that may be of interest.
One of the more controversial additions is the 'Symantec Solution' boxes embedded in the articles. These are a compromise: we didn't want to carry advertising, but many subscribers want to know what products we have to combat security issues, so these boxes are, I think, a reasonable way of covering these issues.
AVAR (Association of anti-Virus Asia Researchers) have just issued their call for papers for the conference that will be held in Sydney, Australia later this year. As an AVAR VP I'm proud to be the conference chair on behalf of AVAR for this year. Details of the event are in the calendar.
I've recently had the pleasure of working with Syngress to write the Foreword to a new book, Configuring Symantec AntiVirus Corporate Edition (ISBN: 1-931836-81-7). You can get a copy from Amazon here, and no, I won't make any money from promoting this link. :)
Best Regards
David Banes

Viruses, Trojans & Worms
W32.Bugbear.B@mm

Aliases: Win32.Bugbear.B [CA], W32/Bugbear.b@MM [McAfee], PE_BUGBEAR.B [Trend], W32/Bugbear-B [Sophos], I-Worm.Tanatos.b [KAV], W32/Bugbear.B [Panda], Win32/Bugbear.B@mm [RAV]
Risk: High [4]
Date: 4th June 2003
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Overview

The W32.Bugbear.B@mm worm is:
- A variant of W32.Bugbear@mm.
- A mass-mailing worm that also spreads through network shares.
- Polymorphic, and it also infects a select list of executable files.
- Equipped with keystroke-logging and backdoor capabilities.
- Designed to terminate the processes of various antivirus and firewall programs.
The worm uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to cause unpatched systems to auto-execute the worm when reading or previewing an infected message.

In addition, the worm contains routines that specifically affect financial institutions. This functionality causes the worm to send sensitive data to one of ten hard-coded public Internet e-mail addresses. The information sent includes cached passwords and key-logging data.

Because the worm does not properly handle the network resource types, it may flood shared printer resources, causing them to print garbage or disrupting their normal functionality.
NOTE: If you believe your computer may already be infected with W32.Bugbear.B@mm because your antivirus software does not work, scan your system over the Internet with Symantec Security Check. Symantec Security Response has created a tool to remove W32.Bugbear.B@mm, which is the easiest way to remove this threat.
Credits
Write-up by: Eric Chien, Security Response EMEA.

References
Symantec Security Response
http://www.sarc.com/avcenter/venc/data/w32.bugbear.b@mm.html
W32.Sobig.E@mm

Aliases: Win32.Sobig.E [CA], W32/Sobig-E [Sophos], W32/Sobig.e@MM [McAfee], WORM_SOBIG.E [Trend]
Risk: Medium [3]
Date: 25th June 2003
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Overview

W32.Sobig.E@mm is a mass-mailing worm that sends itself to all the email addresses that it finds in files with the following extensions:
.wab
.dbx
.htm
.html
.eml
.txt

The email falsely purports that Yahoo sent it (support@yahoo.com).
Email Routine Details

The email message has the following characteristics:

From: support@yahoo.com
(NOTE: W32.Sobig.E@mm spoofs this field. It could be any address.)

Subject: The subject line will be one of the following:
Re: Application
Re: Movie
Re: Movies
Re: Submitted
Re: ScRe:ensaver
Re: Documents
Re: Re: Application ref 003644
Re: Re: Document
Your application
Application.pif
Applications.pif
movie.pif
Screensaver.scr
submited.pif
new document.pif
Re: document.pif
004448554.pif
Referer.pif
Attachment: The attachment name will be one of the following:
Your_details.zip (contains Details.pif)
Application.zip (contains Application.pif)
Document.zip (contains Document.pif)
Screensaver.zip (contains Sky.world.scr)
Movie.zip (contains Movie.pif)

NOTE: The worm de-activates on July 14, 2003; therefore, the last day on which the worm will spread is July 13, 2003.

Symantec Security Response has created a tool to remove W32.Sobig.E@mm.

References
Symantec Security Response
http://www.sarc.com/avcenter/venc/data/w32.sobig.e@mm.html
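As an added example (not Symantec's code or any product's detection logic), the Python script below runs the indicators listed in the Sobig.E write-up over constructed sample messages: it matches the subject lines and attachment names quoted above, and it also flags an attachment with an executable file name whose Content-Type claims a harmless media type. That mismatch is what the Incorrect MIME Header vulnerability used by Bugbear and Sobig depends on: an unpatched Internet Explorer trusted the Content-Type and ran the attachment on preview. The sample messages, the executable-extension list and the finding labels are assumptions made for the example; the spoofed sender is treated only as a weak indicator, since the write-up notes that the From field could be any address.

```python
"""Mail triage for the W32.Sobig.E@mm indicators listed above, plus a check
for the Content-Type / file-extension mismatch that the IE MIME header
vulnerability (CVE-2001-0154, used by Bugbear and Sobig) depends on.
Added example, not Symantec code; the sample messages are constructed."""
import email
from email import policy
from email.message import EmailMessage

# Subject lines and attachment names quoted in the W32.Sobig.E@mm write-up.
SOBIG_E_SUBJECTS = {
    "Re: Application", "Re: Movie", "Re: Movies", "Re: Submitted",
    "Re: ScRe:ensaver", "Re: Documents", "Re: Re: Application ref 003644",
    "Re: Re: Document", "Your application", "Application.pif",
    "Applications.pif", "movie.pif", "Screensaver.scr", "submited.pif",
    "new document.pif", "Re: document.pif", "004448554.pif", "Referer.pif",
}
SOBIG_E_ATTACHMENTS = {
    "Your_details.zip", "Application.zip", "Document.zip",
    "Screensaver.zip", "Movie.zip",
}
# Extensions Windows executes directly (assumed list). One of these names
# under a benign Content-Type such as audio/x-wav is the mismatch that an
# unpatched IE/Outlook rendered, and therefore executed, on preview.
EXECUTABLE_EXTS = (".pif", ".scr", ".exe", ".com", ".bat")
HONEST_EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}


def triage_message(raw: bytes) -> dict:
    """Classify one RFC 822 message; returns its findings and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").strip()
    sender = str(msg["From"] or "").lower()
    if subject in SOBIG_E_SUBJECTS:
        findings.append("sobig-e-subject")
    if "support@yahoo.com" in sender:
        findings.append("weak:sender-claims-support@yahoo.com")  # field is spoofed
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        if name in SOBIG_E_ATTACHMENTS:
            findings.append("sobig-e-attachment:" + name)
        if name.lower().endswith(EXECUTABLE_EXTS) and ctype not in HONEST_EXECUTABLE_TYPES:
            findings.append("mime-mismatch:%s:%s" % (ctype, name))
    strong = [f for f in findings if not f.startswith("weak:")]
    return {"subject": subject, "findings": findings,
            "verdict": "quarantine" if strong else "deliver"}


def build_sample(subject, filename, content_type, sender="support@yahoo.com") -> bytes:
    """Construct a sample message (constructed test data, not a captured mail)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.net"
    m["Subject"] = subject
    m.set_content("Please see the attached file.")
    maintype, subtype = content_type.split("/", 1)
    # A stub PE-style header stands in for the attachment body.
    m.add_attachment(b"MZ" + b"\x00" * 14, maintype=maintype, subtype=subtype,
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for args in [("Re: Movie", "Movie.zip", "application/zip"),
                 ("Monthly report", "report.pif", "audio/x-wav", "alice@example.org"),
                 ("Monthly report", "report.pdf", "application/pdf", "alice@example.org")]:
        print(triage_message(build_sample(*args)))
```

The subject and attachment lists catch this particular worm; the mismatch check is the more durable rule, because it targets the condition the vulnerability needs rather than one worm's strings.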
Featured Analyses from Symantec DeepSight Threat Management System
http://tms.symantec.com/

Fu Rootkit Analysis
Fu is a kernel rootkit created for Microsoft Windows NT4, Microsoft Windows 2000, and Microsoft Windows XP. By directly accessing Windows kernel data structures, Fu creates an effective avenue of clandestine access, which attackers may use to conceal their presence and perform operations with elevated privileges on a compromised system.

Manifesting itself in the form of a device driver, Fu is especially dangerous because it modifies the behaviour of the underlying operating system at the lowest possible level. Once deployed, operations performed via this utility may be extremely difficult to detect.
Spybot version 3 Analysis
Spybot, also known as Milkit, is an open source trojan that contains several mechanisms of propagation. Spybot can spread using file sharing applications and vulnerabilities in other trojans as propagation vectors. Spybot will attempt to take control of systems that were previously compromised and are running the Sub-Seven or Kuang2 trojan. An infected system will connect to an Internet Relay Chat (IRC) channel and wait for the attacker to issue instructions. Once a system has been infected, the attacker will have complete control of the system via IRC.

An attacker can modify the Spybot source code to create a trojan that will meet the attacker's needs. The customizable nature of Spybot can result in dynamic behaviour and unique binaries, which can make detection and removal a complex task.
W32.Illpatient IRC-based RAT Analysis
W32.Illpatient is an IRC-based Remote Access Tool (RAT), written in C, which runs on the Win32 family of operating systems. It was obtained from a compromised Symantec DeepSight Honeypot and was found compressed with UPX.

This utility was loaded onto a compromised Symantec DeepSight Honeypot, with what may have been a scripted installation routine, as this utility does not appear to be capable of propagating automatically.

W32.Illpatient receives commands from its owner through Internet Relay Chat (IRC). During startup, it connects to a hard-coded IRC server and joins a private, keyed channel. Although W32.Illpatient contains several features, including a Denial of Service (DoS) routine, testing has indicated that it is not very stable.
Common Vulnerabilities

Microsoft IE MIME Header Attachment Execution Vulnerability
Bugtraq ID: 2524
CVE Reference: CVE-2001-0154
Exploited by: W32.Klez, W32.Sobig, W32.Bugbear, W32.Yaha, W32.Nimda, W32.Lirva

MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
Bugtraq ID: 2708
CVE Reference: CVE-2001-0333
Exploited by: W32.Nimda

Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
Bugtraq ID: 1806
CVE Reference: CVE-2000-0884
Exploited by: W32.Nimda

Microsoft Windows 9x / Me Share Level Password Bypass Vulnerability
Bugtraq ID: 1780
CVE Reference: CVE-2000-0979
Exploited by: W32.Opaserv

Microsoft SQL Server Resolution Service buffer overflows allow arbitrary code execution
Bugtraq ID: 5311
CVE Reference: CAN-2002-0649
Exploited by: W32.SQLExp.Worm
Calendar of Selected Security Events

SANSFIRE 2003
July 14-19, 2003
Washington, DC, USA
http://www.sans.org/sansfire03/

Department of Homeland Security IT Security Conference
July 9-10, 2003
Baltimore, MD, USA

VB2003 - VB Conference 2003
Sept 25-26, 2003
Toronto, Canada
http://www.virusbtn.com/conference/vb2003/index.xml

AVAR 2003 - Malicious Code Conference 2003
November 6-7, 2003
Sydney, Australia
http://www.aavar.org/
Security Advisories

FastTrack P2P Supernode Packet Handler Buffer Overflow Vulnerability

Risk: High
Date: 26th May 2003
Components Affected: Many; listed at
http://securityresponse.symantec.com/avcenter/security/Content/7680.html

Overview

The FastTrack P2P Supernode Packet Handler has been reported prone to a buffer overflow vulnerability. The issue presents itself in the FastTrack Supernode packet handler, which does not perform sufficient bounds checking on supernode entries received before they are copied into a reserved buffer in internal memory.
An attacker may exploit this vulnerability to trigger a denial of service condition or ultimately have arbitrary attacker-supplied code executed. Code execution would occur in the context of the user running an application that incorporates the vulnerable FastTrack P2P Packet Handler.

It should be noted that this vulnerability has been tested on KaZaA version 2.0.2. Other versions of KaZaA and similar file-sharing clients based on FastTrack P2P technology may also be affected.
Recommendations
Block external access at the network boundary, unless service is required by external parties.
If applicable, block all incoming FastTrack P2P based traffic at the network boundary.

Credits
Discovery of this vulnerability has been credited to random nut <random_nut@yahoo.com>.

References
Source: Grokster Homepage
URL: http://www.grokster.com/
Source: iMesh Product Homepage
URL: http://www.imesh.com
Source: KaZaA Homepage
URL: http://www.kazaa.com/
Source: Morpheus Homepage
URL: http://www.musiccity.com
Symantec Security Response
http://securityresponse.symantec.com/avcenter/security/Content/7680.html
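To show the check the advisory says is missing, here is an added example (not FastTrack, KaZaA or Symantec code) of a parser for length-prefixed entries that refuses any entry larger than its reserved buffer or longer than the packet that carries it, before a single byte is copied. The record layout (a one-byte entry count, then a two-byte big-endian length and body per entry) and the 64-byte buffer size are assumptions made for illustration; the real FastTrack wire format is not described on this page.

```python
"""Bounds-checked parsing of length-prefixed supernode entries: the check
the advisory above says the FastTrack packet handler lacks.
Added example, not FastTrack or KaZaA code. The record layout and the
64-byte reserved buffer are assumptions for illustration only."""
import struct

ENTRY_BUFFER_SIZE = 64  # assumed size of the handler's reserved buffer


class MalformedPacket(ValueError):
    """Raised for any entry that would overrun the buffer or the packet."""


def parse_supernode_entries(packet: bytes) -> list:
    """Parse a 1-byte entry count followed by, per entry, a 2-byte
    big-endian length and that many bytes (assumed layout). Every
    peer-controlled length is validated before any copy happens."""
    if not packet:
        raise MalformedPacket("empty packet")
    count, offset, entries = packet[0], 1, []
    for i in range(count):
        if offset + 2 > len(packet):               # length field inside packet?
            raise MalformedPacket(f"entry {i}: truncated length field")
        (length,) = struct.unpack_from(">H", packet, offset)
        offset += 2
        if length > ENTRY_BUFFER_SIZE:             # would overrun the buffer?
            raise MalformedPacket(
                f"entry {i}: {length} bytes exceeds {ENTRY_BUFFER_SIZE}-byte buffer")
        if offset + length > len(packet):          # body inside packet?
            raise MalformedPacket(f"entry {i}: truncated body")
        reserved = bytearray(ENTRY_BUFFER_SIZE)    # stands in for the fixed buffer
        reserved[:length] = packet[offset:offset + length]
        entries.append(bytes(reserved[:length]))
        offset += length
    return entries


def build_packet(entries) -> bytes:
    """Construct a packet in the assumed layout (test data, not a capture)."""
    body = bytes([len(entries)])
    for entry in entries:
        body += struct.pack(">H", len(entry)) + entry
    return body


if __name__ == "__main__":
    print(parse_supernode_entries(build_packet([b"node-a", b"node-b"])))
    try:
        parse_supernode_entries(build_packet([b"A" * 65]))
    except MalformedPacket as exc:
        print("rejected:", exc)
```

The three checks are ordered so that each read is validated against the data actually received: the length field must fit in the packet, the declared length must fit in the buffer, and the body must fit in the packet. A handler that copies first and checks later, or trusts the count and length fields alone, has the defect the advisory describes.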
PMachine Lib.Inc.PHP Remote Include Command Execution Vulnerability

Risk: High
Date: 15th June 2003
Components Affected: PMachine PMachine 2.2.1

Overview

It has been reported that PMachine does not properly handle include files under some circumstances. Because of this, an attacker may be able to remotely execute commands.
Recommendations
Block external access at the network boundary, unless service is required by external parties.
Filter untrusted network traffic at border routers and network firewalls.
Running the server in a closed or restricted environment may limit the consequences of successful exploitation. Execute server processes with the least privileges required, and place processes in a restrictive environment.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

Credits
Discovery credited to "Frog Man" <leseulfrog@hotmail.com>.

References
Source: SecurityFocus
URL: http://www.securityfocus.com/bid/7919/info/
Source: PMachine Homepage
URL: http://www.pmachine.com
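The recommendations above limit the consequences of exploitation; the code-level fix for this class of bug is to never let request data choose where an include is loaded from. As an added example (not PMachine code, and not a description of PMachine's own include logic), this Python resolver confines a request-supplied include name to a fixed directory and refuses URLs, protocol-relative paths, absolute paths, directory traversal and NUL bytes. The include root, the .inc.php naming rule and the request strings used for testing are assumptions.

```python
"""Confined include resolution, the code-level mitigation for the remote
include bug class described in the PMachine advisory above.
Added example, not PMachine code. The include root, the .inc.php naming
rule and the request strings used for testing are assumptions."""
from pathlib import PurePosixPath
from urllib.parse import urlsplit

INCLUDE_ROOT = PurePosixPath("/var/www/pmachine/inc")  # assumed location


def resolve_include(requested: str):
    """Map a request-supplied include name to a path under INCLUDE_ROOT.

    Returns the path as a string, or None when the request must be
    refused. Passing request data straight into include() without such
    filtering is the bug class: a remote URL or an arbitrary local file
    gets included and any PHP in it runs as the web server.
    """
    if "\x00" in requested:
        return None  # a NUL would truncate the name in C-level file APIs
    parts = urlsplit(requested)
    if parts.scheme or parts.netloc:
        return None  # http://, ftp://, php:// and //host/ forms are remote includes
    path = PurePosixPath(requested)
    if path.is_absolute() or ".." in path.parts:
        return None  # absolute paths and traversal escape the include root
    if not path.name.endswith(".inc.php"):
        return None  # only library files are legitimate include targets
    resolved = INCLUDE_ROOT.joinpath(path)
    if INCLUDE_ROOT not in resolved.parents:
        return None  # belt and braces: the result must sit under the root
    return str(resolved)


if __name__ == "__main__":
    for req in ("lib.inc.php", "plugins/x.inc.php", "http://attacker.example/evil.txt",
                "//attacker.example/evil.inc.php", "../../../etc/passwd",
                "/etc/passwd", "lib.inc.php\x00.txt"):
        print(repr(req), "->", resolve_include(req))
```

In PHP itself the equivalent belt-and-braces settings are allow_url_include=Off (or allow_url_fopen=Off on older releases) and an open_basedir restriction, so that even a missed check cannot reach a remote file; the resolver above is the application-level half of that defence.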