ISSN 1444-9994

Symantec Security Response Newsletter

June 2003


Bugbear Makes a Comeback!

 

Bugbear made a comeback this month in the form of W32.Bugbear.B@mm. This variant has some significant differences from the original version. Of most concern is the key logging and data export. Of course users wouldn't be infected if their systems were patched up to date. It's the same problem: an old vulnerability, first discovered in March 2001, still giving viruses and worms like Bugbear a way onto your PC.

We are late publishing the June edition, I've been busy with the next version of Symantec's Internet Threat Report, due out in September, analysing the Newsletter survey results and working on the new HTML format.

In response to the survey conducted on this newsletter we have added a couple of new sections, changed a few sections and taken note of your comments. Later editions will be further enhanced but in this edition you'll find a calendar of selected security events and IT Security news links that may be of interest.

One of the more controversial additions is the 'Symantec Solution' boxes embedded in the articles. These are a compromise: we didn't want to carry advertising, but many subscribers want to know what products we have to combat security issues, so these boxes are, I think, a reasonable way of covering these issues.

AVAR (Association of anti Virus Asia Researchers) have just issued their call for papers for the conference that will be held in Sydney, Australia later this year. As an AVAR VP I'm proud to be the conference chair on behalf of AVAR for this year. Details of the event are in the calendar.

I've recently had the pleasure of working with Syngress to write the Foreword to a new book, Configuring Symantec AntiVirus Corporate Edition (ISBN: 1-931836-81-7). You can get a copy from Amazon here, and no, I won't make any money from promoting this link. :)

Best Regards

David Banes

 

Viruses, Trojans & Worms


W32.Bugbear.B@mm

Aliases :
Win32.Bugbear.B [CA], W32/Bugbear.b@MM [McAfee], PE_BUGBEAR.B [Trend], W32/Bugbear-B [Sophos], I-Worm.Tanatos.b [KAV], W32/Bugbear.B [Panda], Win32/Bugbear.B@mm [RAV]

Risk : High [4]

Date : 4th June 2003

Systems Affected:
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Overview
The W32.Bugbear.B@mm worm is:

- A variant of W32.Bugbear@mm.
- A mass-mailing worm that also spreads through network shares.
- Polymorphic and also infects a select list of executable files.
- Possesses keystroke-logging and Backdoor capabilities.
- Attempts to terminate the processes of various antivirus and firewall programs.

The worm uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to cause unpatched systems to auto-execute the worm when reading or previewing an infected message.

In addition, the worm contains routines that specifically target financial institutions. This functionality causes the worm to send sensitive data, including cached passwords and key-logging data, to one of ten hard-coded public Internet e-mail addresses.


Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality.

 

NOTE: If you believe your computer may already be infected with W32.Bugbear.B@mm because your antivirus software does not work, scan your system over the Internet with Symantec Security Check.

Symantec Security Response has created a tool to remove W32.Bugbear.B@mm, which is the easiest way to remove this threat.

Credits

Write-up by: Eric Chien, Security Response EMEA.

References
Symantec Security Response
http://www.sarc.com/avcenter/venc/data/w32.bugbear.b@mm.html


W32.Sobig.E@mm

Aliases :
Win32.Sobig.E [CA], W32/Sobig-E [Sophos], W32/Sobig.e@MM [McAfee], WORM_SOBIG.E [Trend]

Risk : Medium [3]

Date : 25th June 2003

Systems Affected:
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Overview

W32.Sobig.E@mm is a mass-mailing worm that sends itself to all the email addresses that it finds in files with the following extensions:

.wab
.dbx
.htm
.html
.eml
.txt

The email falsely purports that Yahoo sent it (support@yahoo.com).

Email Routine Details
The email message has the following characteristics:

From: support@yahoo.com
(NOTE: W32.Sobig.E@mm spoofs this field. It could be any address.)

Subject: The subject line will be one of the following:

Re: Application
Re: Movie
Re: Movies
Re: Submitted
Re: ScRe:ensaver
Re: Documents
Re: Re: Application ref 003644
Re: Re: Document
Your application
Application.pif
Applications.pif
movie.pif
Screensaver.scr
submited.pif
new document.pif
Re: document.pif
004448554.pif
Referer.pif

   

Attachment: The attachment name will be one of the following:

Your_details.zip (contains Details.pif)
Application.zip (contains Application.pif)
Document.zip (contains Document.pif)
Screensaver.zip (contains Sky.world.scr)
Movie.zip (contains Movie.pif)

NOTE: The worm de-activates on July 14, 2003, and therefore, the last day on which the worm will spread is July 13, 2003.
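The two mail-borne threats in this issue share a detection surface at the mail gateway: the W32.Sobig.E@mm indicators listed above (subject lines, archive names and the .pif/.scr files inside them), and the CVE-2001-0154 MIME-header trick that the Bugbear write-up mentions, in which an executable attachment is declared under a harmless Content-Type so that an unpatched Internet Explorer opens it automatically. The following Python is an added example written for this newsletter, not Symantec code and not worm code: it parses a message, applies both sets of checks and lists archive members without extracting them. The sample messages, the audio/x-wav declared type, the extension list beyond .pif and .scr, and the set of "honest" binary types are constructed assumptions, not values from the write-ups.

```python
"""Mail-gateway style checks for W32.Sobig.E@mm indicators and for executable
attachments whose declared MIME type does not match their name (the
CVE-2001-0154 pattern).  Added example; all sample messages are constructed."""
import email
import io
import posixpath
import zipfile
from email import policy
from email.message import EmailMessage

# Subject lines and attachment names from the Symantec W32.Sobig.E@mm write-up.
SOBIG_E_SUBJECTS = frozenset({
    "Re: Application", "Re: Movie", "Re: Movies", "Re: Submitted",
    "Re: ScRe:ensaver", "Re: Documents", "Re: Re: Application ref 003644",
    "Re: Re: Document", "Your application", "Application.pif",
    "Applications.pif", "movie.pif", "Screensaver.scr", "submited.pif",
    "new document.pif", "Re: document.pif", "004448554.pif", "Referer.pif",
})
SOBIG_E_ATTACHMENTS = {
    "Your_details.zip": "Details.pif",
    "Application.zip": "Application.pif",
    "Document.zip": "Document.pif",
    "Screensaver.zip": "Sky.world.scr",
    "Movie.zip": "Movie.pif",
}
# Extensions Windows runs when opened (assumption: a gateway block list; the
# write-ups themselves only name .pif and .scr).
EXECUTABLE_EXTENSIONS = frozenset({".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js"})
# Declared types under which an executable attachment is at least labelled as binary (assumption).
BINARY_TYPES = frozenset({"application/octet-stream", "application/x-msdownload"})


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (finding_code, detail) pairs for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = (msg["Subject"] or "").strip()
    if subject in SOBIG_E_SUBJECTS:
        findings.append(("sobig_e_subject", subject))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = posixpath.splitext(name)[1].lower()
        ctype = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        if name in SOBIG_E_ATTACHMENTS:
            findings.append(("sobig_e_attachment", name))
        # Unpatched IE chose how to open a part from its declared Content-Type,
        # so an executable labelled as something benign could run on preview.
        if ext in EXECUTABLE_EXTENSIONS and ctype not in BINARY_TYPES:
            findings.append(("mime_type_mismatch", f"{name} declared as {ctype}"))
        if ext == ".zip":
            findings.extend(_scan_zip_names(name, data))
    return findings


def _scan_zip_names(container: str, data: bytes) -> list[tuple[str, str]]:
    """List (never extract) archive members and flag executable ones."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return [("corrupt_zip", container)]
    return [("executable_in_zip", f"{container}:{m}") for m in members
            if posixpath.splitext(m)[1].lower() in EXECUTABLE_EXTENSIONS]


def build_sample(subject: str, filename: str, ctype: str, payload: bytes) -> bytes:
    """Construct a test message; the From: header is spoofed, as the worm does."""
    msg = EmailMessage()
    msg["From"] = "support@yahoo.com"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("See attached.")
    maintype, subtype = ctype.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def zip_with_member(member: str) -> bytes:
    """Constructed archive holding one placeholder member (not an executable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"MZ constructed placeholder, not a real program")
    return buf.getvalue()


# Constructed samples: a Sobig.E look-alike, a MIME-type trick, and a clean mail.
SAMPLES = {
    "sobig_like": build_sample("Re: Movie", "Movie.zip", "application/zip", zip_with_member("Movie.pif")),
    "mime_trick": build_sample("Holiday photos", "photo.pif", "audio/x-wav", b"MZ constructed"),
    "clean": build_sample("Meeting notes", "notes.pdf", "application/pdf", b"%PDF-1.4 constructed"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, scan_message(raw))
```

The subject and filename lists are literal matches, which is all a signature built from a write-up can be; the type-mismatch and archive-member checks are the durable part, since they catch the delivery technique rather than one worm's strings.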

Symantec Security Response has created a tool to remove W32.Sobig.E@mm.


References

Symantec Security Response
http://www.sarc.com/avcenter/venc/data/w32.sobig.e@mm.html

 

Featured Analyses
from Symantec DeepSight Threat Management System
http://tms.symantec.com/

Fu Rootkit Analysis

Fu is a kernel rootkit created for Microsoft Windows NT4, Microsoft Windows 2000, and Microsoft Windows XP. By directly accessing Windows kernel data structures, Fu creates an effective avenue of clandestine access, which attackers may use to conceal their presence and perform operations with elevated privileges on a compromised system.

Manifesting itself in the form of a device driver, Fu is especially dangerous because it modifies the behaviour of the underlying operating system at the lowest possible level. Once deployed, operations performed via this utility may be extremely difficult to detect.
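The analysis above says Fu works by directly editing kernel data structures. The following Python is an added simulation, not code from the Fu rootkit or from Symantec, of the one consequence that matters to a defender: once a process block is spliced out of the kernel's linked list, any enumeration that walks that list no longer sees it, while the block itself is still in memory. The block layout, offsets, process names and the "Proc" tag are constructed for the illustration. It shows the cross-view check that rootkit detectors use: compare the list walk against a signature scan of memory and report anything only the scan finds.

```python
"""Cross-view detection of a list-unlinking (DKOM-style) hidden process.
Pure simulation over a constructed memory image; nothing touches a real kernel."""
import struct

# Constructed block layout: tag, pid, flink offset, blink offset, 16-byte name.
BLOCK = struct.Struct("<4sIII16s")
TAG = b"Proc"
FLINK, BLINK = 8, 12          # byte offsets of the link fields inside a block

# Constructed process table and the offsets their blocks occupy in the image.
PROCS = [(4, "System"), (620, "lsass.exe"), (1040, "explorer.exe"), (1337, "hidden.exe")]
OFFSETS = [0x40, 0x80, 0x100, 0x180]


def build_memory(procs, offsets, size=0x200):
    """Write circularly doubly linked process blocks into a fake memory image."""
    mem = bytearray(size)
    n = len(procs)
    for i, ((pid, name), off) in enumerate(zip(procs, offsets)):
        flink, blink = offsets[(i + 1) % n], offsets[(i - 1) % n]
        BLOCK.pack_into(mem, off, TAG, pid, flink, blink, name.encode())
    return mem


def read_block(mem, off):
    tag, pid, flink, blink, name = BLOCK.unpack_from(mem, off)
    return {"tag": tag, "pid": pid, "flink": flink, "blink": blink,
            "name": name.rstrip(b"\0").decode()}


def dkom_unlink(mem, off):
    """What a kernel-structure-editing rootkit does: point the neighbours past
    this block.  The block's own bytes stay in memory and the process keeps
    running; it simply stops appearing in list-based enumeration."""
    flink = struct.unpack_from("<I", mem, off + FLINK)[0]
    blink = struct.unpack_from("<I", mem, off + BLINK)[0]
    struct.pack_into("<I", mem, blink + FLINK, flink)   # prev.flink = me.flink
    struct.pack_into("<I", mem, flink + BLINK, blink)   # next.blink = me.blink


def walk_list(mem, head):
    """View 1: follow flink pointers from the head, as an API-based process
    list does.  Bounded so a corrupted list cannot loop forever."""
    pids, cur = [], head
    for _ in range(len(mem) // BLOCK.size):
        pids.append(read_block(mem, cur)["pid"])
        cur = read_block(mem, cur)["flink"]
        if cur == head:
            break
    return pids


def scan_pool(mem):
    """View 2: find blocks by their signature wherever they sit in memory,
    ignoring the link pointers entirely."""
    return [read_block(mem, off)["pid"]
            for off in range(0, len(mem) - BLOCK.size + 1, 4)
            if mem[off:off + 4] == TAG]


def hidden_processes(mem, head):
    """Cross-view diff: present in memory but absent from the list walk."""
    return sorted(set(scan_pool(mem)) - set(walk_list(mem, head)))


def demo():
    """Returns (list before unlink, list after, scan after, hidden pids)."""
    mem = build_memory(PROCS, OFFSETS)
    before = walk_list(mem, OFFSETS[0])
    dkom_unlink(mem, OFFSETS[3])          # hide the last constructed process
    return before, walk_list(mem, OFFSETS[0]), scan_pool(mem), hidden_processes(mem, OFFSETS[0])


if __name__ == "__main__":
    before, after, scanned, hidden = demo()
    print("list walk before:", before)
    print("list walk after: ", after)
    print("pool scan:       ", scanned)
    print("hidden:          ", hidden)
```

On a real system the two views come from different sources (a user-mode enumeration API versus a memory image or a kernel-side scan), which is why the comparison has to be made from outside the possibly subverted API; the same principle applies to hidden drivers and hidden ports.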


Spybot version 3 Analysis
Spybot, also known as Milkit, is an open source trojan that contains several mechanisms of propagation. Spybot can spread using file sharing applications and vulnerabilities in other trojans as propagation vectors. Spybot will attempt to take control of systems that were previously compromised and are running the Sub-Seven or Kuang2 trojan. An infected system will connect to an Internet Relay Chat (IRC) channel and wait for the attacker to issue instructions. Once a system has been infected, the attacker will have complete control of the system via IRC.

An attacker can modify the Spybot source code to create a trojan that will meet the attacker's needs. The customizable nature of Spybot can result in dynamic behaviour and unique binaries, which can make detection and removal a complex task.


W32.Illpatient IRC-based RAT Analysis
W32.Illpatient is an IRC-based Remote Access Tool (RAT), written in C, which runs on the Win32 family of operating systems. It was obtained from a compromised Symantec DeepSight Honeypot and was found compressed with UPX.

This utility was loaded onto a compromised Symantec DeepSight Honeypot, with what may have been a scripted installation routine, as this utility does not appear to be capable of propagating automatically.

W32.Illpatient receives commands from its owner through Internet Relay Chat (IRC). During startup, it connects to a hard-coded IRC server, and joins a private, keyed channel. Although W32.Illpatient contains several features, including a Denial of Service (DoS) routine, testing has indicated that it is not very stable.

 

Top Malicious Code Threats


Risk  Threat                 Discovered    Protection
4     W32.Bugbear.B@mm       4 Jun 2003    5 Jun 2003
4     W32.Klez.H@mm          17 Apr 2002   17 Apr 2002
3     W32.Sobig.E@mm         25 Jun 2003   25 Jun 2003
3     W32.HLLW.Fizzer@mm     8 May 2003    9 May 2003
3     W32.SQLExp.Worm        24 Jan 2003   24 Jan 2003

 

Latest Malicious Code Threats


Risk  Threat                   Discovered    Protection
2     W32.Vivael@mm            28 Jun 2003   28 Jun 2003
2     W32.Klexe.Worm           27 Jun 2003   28 Jun 2003
2     W32.Mumu.B.Worm          26 Jun 2003   26 Jun 2003
1     W32.HLLW.Lovgate.L@mm    25 Jun 2003   25 Jun 2003
1     W32.Yaha.T@mm            24 Jun 2003   25 Jun 2003

 

Common Vulnerabilities


Microsoft IE MIME Header Attachment Execution Vulnerability
  Bugtraq ID: 2524   CVE Reference: CVE-2001-0154
  Exploited by: W32.Klez, W32.Sobig, W32.Bugbear, W32.Yaha, W32.Nimda, W32.Lirva

MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
  Bugtraq ID: 2708   CVE Reference: CVE-2001-0333
  Exploited by: W32.Nimda

Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
  Bugtraq ID: 1806   CVE Reference: CVE-2000-0884
  Exploited by: W32.Nimda

Microsoft Windows 9x / Me Share Level Password Bypass Vulnerability
  Bugtraq ID: 1780   CVE Reference: CVE-2000-0979
  Exploited by: W32.Opaserv

Microsoft SQL Server Resolution Service buffer overflows allow arbitrary code execution
  Bugtraq ID: 5311   CVE Reference: CAN-2002-0649
  Exploited by: W32.SQLExp.Worm

 

Security News

PetCo Plugs Credit Card Leak
By Kevin Poulsen Jun 30 2003
Pet supply site offered more than kitty litter and flea collars.


AT&T lets phone fraud victims off the hook
By Kevin Poulsen Jun 25 2003
The company will abandon its efforts to collect on four-figure phone bills left by a voice-mail cracking scheme.


 

Useful Links

 

Incorrect MIME Header Can Cause IE to Execute E-mail Attachment


Virus Removal Tools
Fix tools for threats such as W32.HLLW.Lovgate, W32.SQLExp.Worm, W32.Sobig.A@mm and W32.Bugbear@mm


Virus Hoaxes

There are many email virus hoaxes; please check here before forwarding email virus warnings.


Joke Programs

Joke programs are not malicious and can be safely deleted.

 

Security Events Calendar

SANSFIRE 2003
July 14-19, 2003
Washington, DC, USA
http://www.sans.org/sansfire03/

Department of Homeland Security IT Security Conference
July 9-10, 2003
Baltimore, MD, USA

VB2003 - VB Conference 2003
Sept 25-26, 2003
Toronto, Canada
http://www.virusbtn.com/conference/vb2003/index.xml

AVAR 2003 - Malicious Code Conference 2003
November 6-7, 2003
Sydney, Australia
http://www.aavar.org/

 

Security Advisories

FastTrack P2P Supernode Packet Handler Buffer Overflow Vulnerability

Risk : High

Date : 26th May 2003

Components Affected: many; listed at:

http://securityresponse.symantec.com/avcenter/security/Content/7680.html

Overview

FastTrack P2P Supernode Packet Handler has been reported prone to a buffer overflow vulnerability. The issue presents itself in the FastTrack Supernode packet handler. The handler does not perform sufficient bounds checking on supernode entries received before they are copied into a reserved buffer in internal memory.


An attacker may exploit this vulnerability to trigger a denial of service condition or, ultimately, to execute arbitrary attacker-supplied code. Code execution would occur in the context of the user running an application that incorporates the vulnerable FastTrack P2P Packet Handler.

 

It should be noted that this vulnerability has been tested on KaZaA version 2.0.2. Other versions of KaZaA and similar file-sharing clients based on FastTrack P2P technology may also be affected.

Recommendations
Block external access at the network boundary, unless service is required by external parties.
If applicable, block all incoming FastTrack P2P based traffic at the network boundary.

Credits

Discovery of this vulnerability has been credited to random nut <random_nut@yahoo.com>.

References
Source: Grokster Homepage
URL: http://www.grokster.com/

Source: iMesh Product Homepage
URL: http://www.imesh.com

Source: KaZaA Homepage
URL: http://www.kazaa.com/

Source: Morpheus Homepage
URL: http://www.musiccity.com

Symantec Security Response

http://securityresponse.symantec.com/avcenter/security/Content/7680.html


PMachine Lib.Inc.PHP Remote Include Command Execution Vulnerability

Risk : High

Date : 15th June 2003

Components Affected
PMachine PMachine 2.2.1

Overview

It has been reported that PMachine does not properly handle include files under some circumstances. Because of this, an attacker may be able to remotely execute commands.


Recommendations

Block external access at the network boundary, unless service is required by external parties.


Filter untrusted network traffic at border routers and network firewalls.

Running the server in a closed or restricted environment may limit the consequences of successful exploitation. Execute server processes with the least privileges required, and place processes in a restrictive environment.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .
PMachine PMachine 2.2.1:

Credits
Discovery credited to "Frog Man" <leseulfrog@hotmail.com>.

References
Source: SecurityFocus
URL: http://www.securityfocus.com/bid/7919/info/

Source: PMachine Homepage
URL: http://www.pmachine.com

 

 

Symantec, the Symantec logo, [registered trademarks in alphabetical order] are U.S. registered trademarks of Symantec Corporation. [Common law trademarks in alphabetical order] are trademarks of Symantec Corporation. Windows, Windows NT, and the Windows logo are registered trademarks of Microsoft Corporation in the United States and other countries. All other brand and product names are trademarks of their respective holder(s). Copyright © 2003 Symantec Corporation. All rights reserved. Printed in Australia. March 2003.
Follow this link to subscribe or unsubscribe http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html


Last Updated: July 9, 2003