It appears that everyone has received Klez infected email during the last few weeks. Many of
us who know how Klez works would have spent a while explaining why we are not infected. Because of the way Klez
spoofs (impersonates) the sender by modifying the From: address of email the average user is led to believe that
their best friends and work colleagues are sending them infected emails.
Klez has however spread very widely and here at Symantec we are still seeing a large number of reports from customers,
mainly of Klez.H. Interestingly we are still discovering new 'features' in Elkern, the virus that Klez drops, some
of which make it very difficult to clean up. It does appear however that we have passed the peak and Klez is now
fading into the background noise of other malicious code running around the net.
Anti-virus researchers, security engineers and savvy corporate support staff will have come across piggy back or
multiple infections many times in the past but this is a topic we don't often cover and needs some clarification.
Often a program file (.exe, .dll etc) will become infected with a virus. If the virus is well written and the file
is still functional it will appear to the Operating System and any other process as a normal executable file.
Now imagine that another file infector finds its way onto the infected PC and starts infecting your programs.
It's easy to see how we may end up with a program file, for example notepad.exe, infected with W32.Klez and then
re-infected with this second virus. This is exactly what we are seeing now: a new CIH variant, W95.CIH.1049, infecting
files that are already infected with Klez. This is not a new scenario; Magistr and Funlove spring to mind (Peter
Ferrie's mind, that is :) and Trojans (BackOrifice) infected with CIH.
One other interesting comparison we made was to look at the number of submissions of Love Letter and Melissa, we
had to double check, as they appeared very low compared to Sircam, Badtrans and Klez. I think this tells us that
we are all (the anti-virus industry) getting much better at handling high volume virus and worm breakouts through
a combination of experience and systems automation.
Think about this: LoveLetter and Melissa would probably rate as level threes now, and then only for a short period
of time. As the net grows, bandwidth utilization and speed increase and the level of malicious code and rate of
infection increase, but the security vendors' products and support services do keep pace. We will never have a 'clean'
internet, if we can relegate the levels of malicious code and network intrusions to mere background noise and create
an environment where businesses can operate safely and securely then we have done our job.
David Banes.
Editor, securitynews@symantec.com
Viruses, Worms & Trojans

W32.Klez (Moderate Threat [3], Win32)
Global infection breakdown by geographic region (% of total):
  America (North & South)              39.5%
  EMEA (Europe, Middle East, Africa)   46.5%
  Japan                                 5.7%
  Asia Pacific                          8.6%
[Chart: % of reports by date, 8 Mar to 17 Mar; only the 25.2% data label survives extraction]
W32.Klez.gen@mm is a mass-mailing worm that searches the Windows address book for email addresses and sends messages
to all recipients that it finds. The worm uses its own SMTP engine to send the messages.
The subject and attachment name of incoming emails is randomly chosen. The attachment will have one of the following
extensions: .bat, .exe, .pif or .scr.
The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when
you open or even preview the message. Information and a patch for the vulnerability can be found at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.
W32.Klez.gen@mm attempts to copy itself to all network shared drives that it finds.
Depending on the variant, the worm drops one of the following viruses, which then infects the system:
W32.Elkern.3326
W32.Elkern.3587
W32.Elkern.4926
Email spoofing
Some variants of this worm use a technique known as "spoofing." If it does this, it chooses at random
an address that it finds on an infected computer as the "From:" address that it uses when it performs
its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers receive complaints
that they have sent an infected message to someone else.
For example, Linda Anderson is using a computer that is infected with W32.Klez.E@mm; Linda is not using an antivirus
program or does not have current virus definitions. When W32.Klez.gen@mm performs its emailing routine, it finds
the email address of Harold Logan. It inserts Harold's email address into the "From:" line of an infected
email that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her infected email,
but when Harold scans his computer, Norton AntiVirus does not find anything--as would be expected--because his
computer is not infected.
If you are using a current version of Norton AntiVirus, have the most recent virus definitions, and a full system
scan with Norton AntiVirus set to scan all files does not find anything, you can be confident that your computer
is not infected with this worm.
W95.CIH.1049 (Low Threat [2], Win95)
CIH is a virus that infects 32-bit Windows 95/98/NT executable files, but it can function only under Windows 95/98/Me.
It does not function under Windows NT/2000/XP. When an infected program is run under Windows 95/98/Me, the virus
becomes resident in memory.
Although Windows NT system files can be infected, the virus cannot become resident or infect files on a computer
running Windows NT/2000/XP. The virus does not function under DOS, Windows 3.1, or on Macintosh computers. Once
the virus is resident, the CIH virus infects other files when they are accessed.
Files infected by CIH may have the same size as the original files because of CIH's unique mode of infection. The
virus searches for empty, unused spaces in the file. Next it breaks itself up into smaller pieces and inserts its
code into these unused spaces. When Norton AntiVirus repairs a file that is infected by CIH, it looks for these
small viral pieces and removes them from the file.
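Because a cavity infector leaves the file length unchanged, a baseline comparison that only looks at file size will not notice the modification. The script below is an added example (not Symantec's code) that shows this on a constructed sample file: an in-place patch keeps the size identical, and only a whole-file checksum (POSIX cksum here) reveals the change. The file contents and offsets are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not Symantec's code): a file patched in place keeps its size,
# so comparing sizes against a baseline is not an integrity check; a checksum
# over the whole file is. The sample file is constructed, not a real executable,
# and patch_in_place only simulates "same size, different bytes".

size_of() { wc -c < "$1" | tr -d ' '; }
crc_of()  { cksum "$1" | cut -d' ' -f1; }

# Print "same" or "different" for the two files' sizes.
compare_size() {
  if [ "$(size_of "$1")" = "$(size_of "$2")" ]; then echo same; else echo different; fi
}

# Print "same" or "different" for the two files' CRC checksums.
compare_crc() {
  if [ "$(crc_of "$1")" = "$(crc_of "$2")" ]; then echo same; else echo different; fi
}

# Overwrite bytes at an offset without changing the file length.
# Usage: patch_in_place FILE OFFSET STRING
patch_in_place() {
  printf '%s' "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# Build a baseline and a patched copy in a scratch directory and run both checks.
# Prints "size=same crc=different".
demo() {
  dir=$(mktemp -d)
  printf 'ORIGINAL-PROGRAM-BYTES..........PADDING..........' > "$dir/baseline"
  cp "$dir/baseline" "$dir/suspect"
  patch_in_place "$dir/suspect" 32 'PATCH'
  echo "size=$(compare_size "$dir/baseline" "$dir/suspect") crc=$(compare_crc "$dir/baseline" "$dir/suspect")"
  rm -rf "$dir"
}

demo
```

The takeaway for an integrity-monitoring setup is to record a checksum (or a cryptographic hash) of each protected file at baseline time, not just its size and timestamp.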
Payload
The payload for W95.CIH.1049 executes on August 2nd.
The first payload overwrites the hard disk with random data, starting at the beginning of the disk (sector 0).
The overwriting of the sectors does not stop until the system has crashed. As a result, the computer will not boot
from the hard disk or a floppy disk. Also, the data that has been overwritten on the hard disk will be very difficult
or impossible to recover. You must restore the data from backups.
The second payload tries to cause permanent damage to the computer. This payload attacks the Flash BIOS (a part
of your computer that initializes and manages the relationships and data flow between the system devices, including
the hard drive, serial and parallel ports, and the keyboard) and tries to corrupt the data that is stored there.
As a result, nothing may be displayed when you start the computer. To fix this requires the services of a computer
technician.
W95.CIH.1049 has been known to infect the worm W32.Klez.gen@mm.
http://securityresponse.symantec.com/avcenter/venc/data/w95.cih.1049.html
Douglas Knowles
Symantec Security Response, USA
Security Advisories

Sun Solaris admintool buffer overflow in PRODVERS argument allows root access (High Risk [4], Various)
The Sun Solaris admintool is vulnerable to a buffer overflow that allows a local attacker to gain root privileges.
Using the Sun Solaris admintool, system administrators add users, create and manage user accounts, as well as view,
add, and remove software packages.
The admintool vulnerability results from insufficient bounds checking of the PRODVERS argument in a .cdtoc file,
which specifies variables for software distribution media. To exploit the vulnerability, a local attacker can specify
a directory that contains a .cdtoc file through the admintool add or modify software feature. If this .cdtoc file
includes a specially crafted string for the PRODVERS argument, a crash may result or the attacker may gain root
privileges.
Although this admintool vulnerability was originally detected in 2000, it has only been publicized recently.
Platforms Affected
Sun Microsystems Solaris 2.5, 2.6, 7, and 8 SPARC and x86
Recommendations
Sun Solaris admintool buffer overflow patches
Sun Solaris admintool buffer overflow - workaround
As a temporary solution to the buffer overflow vulnerabilities associated with the admintool -d command line option
as well as the PRODVERS argument in the .cdtoc file, system administrators should remove the setuid permissions
with the following:
As root: chmod -s /usr/bin/admintool
See the following document for more complete information;
http://securityresponse.symantec.com/avcenter/security/Content/1920.html
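The workaround above only helps if the setuid bit is actually gone afterwards, so it is worth verifying rather than assuming. The following added example (not Sun's or Symantec's procedure) checks a binary's setuid state before and after applying chmod -s and lists any remaining setuid files under a directory; it runs against a constructed temporary file instead of /usr/bin/admintool so it can be tried anywhere, and the real path would be substituted on an affected Solaris host.

```shell
#!/bin/sh
# Added example (not Sun's or Symantec's procedure): confirm whether a binary
# carries the setuid bit before and after the "chmod -s" workaround. The file
# used here is a constructed stand-in for /usr/bin/admintool.

# Print "setuid" or "clear" for the given file (POSIX test -u checks the bit).
setuid_state() {
  if [ -u "$1" ]; then echo setuid; else echo clear; fi
}

# Apply the advisory's workaround to FILE and report the resulting state.
apply_workaround() {
  chmod -s "$1" && setuid_state "$1"
}

# List setuid files under a directory, one path per line (-perm -4000: setuid bit set).
list_setuid() {
  find "$1" -type f -perm -4000 2>/dev/null
}

demo() {
  dir=$(mktemp -d)
  f="$dir/admintool-stand-in"
  : > "$f"
  chmod 4755 "$f"            # simulate a setuid-root style mode on the stand-in
  echo "before: $(setuid_state "$f")"
  echo "after:  $(apply_workaround "$f")"
  rm -rf "$dir"
}

demo
```

Running list_setuid over /usr/bin and /usr/sbin periodically, and diffing the output against a known baseline, is a simple way to catch a setuid bit that has been restored by a package reinstall or patch.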
----
References
Source: eSecurity Online
URL: http://www.esecurityonline.com/advisories/eSO2397.asp
Source: CAN-2002-0089
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0089
Source: Security Focus.com
URL: http://www.securityfocus.com/bid/4624
Various Buffer Overflows and vulnerabilities (various risk, various platforms)
wu-ftpd format string debug set allows remote command execution
NetRecon can discover versions of wu-ftp running on network resources, which allow unauthorized users to create
and run unauthorized commands on those resources.
Sendmail mail.local allows unauthorized LMTP commands to be executed
NetRecon can discover a Sendmail service that could allow unauthorized execution of LMTP (local mail transfer protocol)
commands. This vulnerability is the result of a problem with mail.local, a program included with Sendmail, which
was intended as a delivery agent for local mail using LMTP. In LMTP mode, mail.local checks user input for an end
of message indicator. Should an unauthorized user synthesize a false end of message indicator, mail.local would
treat any text after the synthesized indicator as LMTP commands.
OpenSSH UseLogin directive can allow remote access as root
NetRecon can discover any network resource with an OpenSSH server vulnerability that allows an intruder to execute
arbitrary code. If an intruder can authenticate to the system using public key authentication, and the UseLogin
directive is enabled, the intruder can set environment variables that are used by login. Anyone exploiting this
vulnerability can execute commands with the privileges of OpenSSH, which is usually root. UseLogin is not enabled
by default; however, it is a common configuration.
Lotus Domino Password Bypass
Vulnerabilities exist in Lotus Domino Server allowing malicious users to bypass administrative authentication resulting
in complete administrative control of the server. Lotus Domino Server versions 5.0.9 and prior are vulnerable.
http://online.securityfocus.com/bid/4022
mIRC Nickname Buffer Overflow
Khaled Mardam-Bay mIRC, a popular Internet Relay Chat client, conducts improper bounds checking of nicknames sent
by the server. A malicious user can exploit this unchecked buffer with a long nickname and overwrite stack variables
ultimately allowing the user to gain control of the host computer running the client software. This bug is corrected
in version 6.0.
http://online.securityfocus.com/bid/4027
Quicktime Content Type Overflow
Vulnerabilities exist in Apple QuickTime Player 5.01 and 5.02 for Windows. When an HTTP response containing a long
"Content-Type" is received from a malicious web server, a local buffer is overwritten and then executed
on the client host. If exploited, this vulnerability allows a web server to execute malicious code on the client
computer.
http://online.securityfocus.com/bid/4064
SNMP Community Name Root Access
Vulnerabilities exist in many vendors' implementations of Simple Network Management Protocol, Version 1. If exploited,
this vulnerability could lead to a denial of service for managed network devices using SNMP, or in extreme cases,
administrator-level remote access by unauthorized users. This signature identifies an exploit that includes malicious
shell code that is designed to permit the malicious user to gain privileged remote access to the system under attack.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013
SNMP Set Sysname Overflow
Vulnerabilities exist in many vendors' implementations of Simple Network Management Protocol, Version 1. The system
name of the managed device may be overflowed, as the protocol does improper bounds checking on the sysname buffer
to limit the number of characters it will accept. If exploited, this vulnerability could lead to a denial of service
for managed network devices using SNMP. In extreme cases, this vulnerability may lead to unauthorized users gaining
administrator-level remote access.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013
Enterprise Security News Clips

Security News
Win32.Simile is the latest 'product' of the developments in metamorphic virus code. The virus was released in the
most recent 29A #6 issue in early March 2002. It was written by the virus writer who calls himself 'The Mental
Driller'. Some of his previous viruses, such as Win95/Drill (which used the Tuareg polymorphic engine), have proved
very challenging to detect.
Win32/Simile moves yet another step up the scale of complexity. The source code of the virus is approximately 14,000
lines of assembly code. About 90% of the virus code is taken up by the metamorphic engine itself, which is extremely
powerful.
The virus was named 'MetaPHOR' by its author, which stands for 'Metamorphic Permutating High-Obfuscating Reassembler'.
The first generation virus code is about 32KB and there are three known variants of the virus in circulation. Samples
of the original variant which was released in the 29A issue have been received by certain AV companies from some
major corporations in Spain, indicating a minor outbreak.
Win32/Simile is highly obfuscated and challenging to understand. The virus attacks disassembling, debugging and
emulation techniques, as well as standard evaluation-based techniques for virus analysis. As with many other complex
viruses, Simile uses EPO techniques.
The full article is posted on the Symantec Security Response web site at;
http://securityresponse.symantec.com/avcenter/reference/simile.pdf
Frédéric Perriot and Péter Ször, Symantec Security Response, USA
Peter Ferrie, Symantec Security Response, APAC
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com, no unsubscribe or support emails please.
Follow this link to subscribe or unsubscribe: http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html
Send virus samples to: avsubmit@symantec.com
Disclaimer - THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.
This message contains Symantec Corporation's current view of the topics discussed as of the date of this document.
The information contained in this message is provided "as is" without warranty of any kind, either expressed
or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose,
and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document.
This document may not be distributed for profit.
Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products
are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials
may not be published in other documents without the express, written permission of Symantec Corporation.