This month the Friendgreet 'worm' caused many anti-virus vendors to scratch their heads and
wonder if they should add detection for an application that asks the user who is installing it if it can spam their
address book. Could users be this stupid? Yes, of course we can; who really reads end user licence agreements when
installing software?
Most of us just hit the 'Next' button to get through the pain of installing software as fast as we can, and it's
this impatience that triggers mass mailings to everyone in your address book. If you have an email program configured
to automatically add new email addresses to the address book then you'll have a lot of addresses.
Most vendors have added detection of this program to their anti-virus products at the request of customers; they
want to be able to block this behaviour before a mass mail-out occurs. No doubt we'll see more of this type of
activity in the future. I'll be reading these agreements before installing.
W95.Spaces was first discovered at the end of 1999 but seems to have re-appeared. This may be because it has
piggybacked another fast-spreading worm in a similar way to that which I described in the editorial of the May issue
of the newsletter; you can find that issue here: http://sarc-au.symantec.com/published/english/may02inews-en.html.
A common topic for discussion at the moment is instant messaging (IM) and the security issues around it. This month
we have an introduction to Neal Hindocha's article titled 'Threats to Instant Messaging' and a link to an article
on the Symantec web site titled 'Secure Instant Messaging'. Both are very informative and paint a clear picture
of the security issues around many instant messaging platforms in use today. There are secure IM products which
also encrypt the messages they send; as with any software selection process, they should be considered if security
is a concern. Norton AntiVirus 2003 now includes virus scanning for some of the common IM products.
David Banes
Editor, securitynews@symantec.com
Viruses, Worms & Trojans
W32.Friendgreet.Worm
Aliases:
Friendgreetings, WORM_FRIENDGRT.A [Trend], WORM_FRIENDGRT.B [Trend], Friend Greeting application [McAfee], Friend
Greeting application (II) [McAfee]
Risk: Very Low
Date: 25th October 2002
Platforms Affected
Windows 95
Windows 98
Windows NT
Windows 2000
Windows XP
Windows Me
Overview
Symantec Security Response is aware of a widespread e-card (electronic greeting card)
that appears to have the characteristics of a worm. Based on a number of requests from Symantec's corporate customers,
Security Response has provided definitions that detect and block this program.
The installation of software that is associated with the e-card requires your permission for it to perform its
mass-mailing functions. If you cancel the installation of the software, no worm-like activities are performed.
NOTE: At this time, the Web site to which the e-card is linked appears to be unavailable. This means that the software
can no longer be downloaded and installed from the site www.friendgreetings.com.
Symantec Security Response now provides detection for an updated version of W32.Friendgreet.worm.
The new installer is approximately 300 KB in size. It was discovered that this new installer modifies the taskbar
in such a way that during installation you cannot switch to another program. This also results in icons disappearing
from the taskbar. This does not result in any permanent loss of information. Upon rebooting the system the taskbar
will function normally.
Additionally, the following URLs may host the installation package for W32.Friendgreet.worm. This has not been
confirmed by Security Response at this time.
www.friend-card.com
www.friend-card.net
www.friend-cards.com
Recommendations
Symantec Security Response offers suggestions, detailed on the page linked here, on how to configure Symantec
products in order to minimize your exposure to this threat:
http://www.sarc.com/avcenter/venc/data/w32.friendgreet.worm.html#recommendations
References
Symantec URL: http://www.sarc.com/avcenter/venc/data/w32.friendgreet.worm.html
W95.Spaces.1445
Aliases:
W95.Spaces.1633, W95.Spaces.1245, W95.Spaces.1445, W95/Busm.1445, W95/Busm99.1445
Risk: Low
Date: 28th December 1999
Platforms Affected
Windows 95, Windows 98
Overview
W95.Spaces is a dangerous Windows 9x virus. On June 1 of every year, the virus manipulates
the Master Boot Record (MBR) of an AT hard disk by using port commands. The virus modifies the MBR data area so
that the first partition will point to itself. This prevents the system from booting if it is running certain MS-DOS
versions that contain a bug and are therefore unable to boot the system correctly.
Recommendations
To remove this virus:
1. If you have a current Rescue disk set that you created prior to the infection, skip to the next step. Otherwise,
on another, uninfected computer on which NAV is installed, run LiveUpdate and create a Rescue disk set. For instructions
on how to do this, see the document 'How to create or update a Norton AntiVirus rescue disk set when Norton AntiVirus
is already installed'.
2. Insert Rescue disk 1 into the floppy disk drive of the infected computer, and restart the computer.
3. Follow the prompts to run a virus scan.
4. Remove the Rescue disk, and then restart the computer.
Norton AntiVirus will not remove the 0x2020 ID from the Reserved1 field of the PE header. As a benefit, this acts
as an inoculation against the virus, since W95.Spaces will assume the file is already infected.
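As an added example (not Symantec's code and not part of the newsletter) of the inoculation marker described above: a Python reader that locates the PE optional header and reports whether its Reserved1 DWORD holds the 0x2020 value that W95.Spaces takes to mean 'already infected'. It assumes that Reserved1 is the DWORD at offset 52 of the PE32 optional header (the field now documented as Win32VersionValue); the header it checks is constructed inline and is not a real executable.

```python
# Added example: read the Reserved1 DWORD of a PE32 optional header and check
# for the 0x2020 marker W95.Spaces uses to recognise already-infected files.
# Assumption: Reserved1 is the DWORD at optional-header offset 52 (now named
# Win32VersionValue). The sample header below is constructed, not a real binary.
import struct

SPACES_MARKER = 0x2020
RESERVED1_OFFSET = 52   # Reserved1/Win32VersionValue within IMAGE_OPTIONAL_HEADER32

def read_reserved1(image: bytes) -> int:
    """Return the Reserved1 DWORD of a PE32 image; raise ValueError if it is not one."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20      # skip signature and the 20-byte IMAGE_FILE_HEADER
    if len(image) < opt + 2:
        raise ValueError("PE headers truncated")
    opt_size = struct.unpack_from("<H", image, e_lfanew + 4 + 16)[0]
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) optional headers are handled here")
    if opt_size < RESERVED1_OFFSET + 4 or len(image) < opt + RESERVED1_OFFSET + 4:
        raise ValueError("optional header truncated")
    return struct.unpack_from("<I", image, opt + RESERVED1_OFFSET)[0]

def has_spaces_marker(image: bytes) -> bool:
    """True when the file carries the 0x2020 marker (inoculated or already infected)."""
    return read_reserved1(image) == SPACES_MARKER

def build_sample(reserved1: int) -> bytes:
    """Constructed minimal PE32 header: DOS stub, signature, file header, optional header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                             # e_lfanew -> 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, RESERVED1_OFFSET, reserved1)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

if __name__ == "__main__":
    for label, sample in (("clean", build_sample(0)), ("marked", build_sample(SPACES_MARKER))):
        print(f"{label}: marker present = {has_spaces_marker(sample)}")
```

A marker hit on its own does not distinguish an inoculated file from an infected one; it only tells you which files the virus would skip.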
Threat Metrics
Global infection breakdown by geographic region and timeline.

Region                        % of Total
The Americas                  21.1%
Europe, Middle East, Africa   72.8%
Japan                          5.2%
Asia Pacific                   1.0%

Date      % reports
13 Oct    0.7%
15 Oct    1.2%
18 Oct    1.15%
21 Oct    1.3%
24 Oct    7.2%
29 Oct    5.5%
4 Nov     4.9%
6 Nov     5.0%
9 Nov     3.3%
11 Nov    2.7%
Credit
Peter Szor, Symantec Security Response, USA
References
Symantec URL: http://securityresponse.symantec.com/avcenter/venc/data/w95.spaces.html
Security Advisories

Linux-HA Heartbeat remote buffer overflow vulnerability
Risk: High
Date: 14th October 2002
Platforms Affected
Linux-HA
Components Affected
Linux-HA heartbeat 0.4.9a, b, c, d and 0.4.9.1
Description
The Linux-HA heartbeat utility is vulnerable to a remotely exploitable buffer overflow
condition. Attackers may exploit the vulnerability to execute arbitrary code. It has been reported that the condition
is related to the handling of TCP packets.
Recommendations
Block external access at the network boundary, unless service is required by external parties.
Access to the interfaces and ports used by heartbeat should be blocked.
The vulnerability is eliminated in versions 0.4.9.2 and 0.4.9e.
Debian has released patches, which are linked here:
http://www.sarc.com/avcenter/security/Content/5955.html
References
Source: Debian DSA 174-1 New heartbeat packages fix buffer overflows
URL: http://online.securityfocus.com/advisories/4552
Symantec URL: http://www.sarc.com/avcenter/security/Content/5955.html
Credits
Discovered by Nathan Wallwork
Macromedia JRun Oversized URI buffer overflow vulnerability
Risk: High
Date: 7th November 2002
Platforms Affected
IBM AIX 4.2 and 4.3
Microsoft IIS 4.0, 5.0 and 5.1
Microsoft Windows 2000 Workstation, SP1, SP2
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows NT 4.0, SP1 through SP6a
RedHat Linux 6.0, alpha and sparc
RedHat Linux 6.1 alpha, i386 and sparc
SGI IRIX 6.5
Sun Solaris 2.6, 7.0 and 8.0
Components Affected
Macromedia JRun 3.0, 3.1 and 4.0
Description
Macromedia JRun is prone to a remotely exploitable buffer overflow condition. This
issue is due to insufficient bounds checking of URIs in incoming web requests.
Exploitation may allow a remote attacker to execute arbitrary code with the privileges of the JRun server process.
This issue is specific to JRun running on Microsoft Windows platforms.
Recommendations
Block external access at the network boundary, unless service is required by external parties. If appropriate,
block external access to the server at the network boundary, and filter untrusted or malicious network traffic at
border routers and network firewalls.
Deploy network intrusion detection systems (NIDS) to monitor network traffic for malicious activity, and audit NIDS
and webserver logs for signs of malicious network activity.
Run all server processes as non-privileged users with minimal access rights. Running the server with the least
privileges required will reduce the consequences of successful exploitation.
Macromedia has released patches, which are linked here:
http://www.symantec.com/avcenter/security/Content/6122.html
References
Symantec URL: http://www.symantec.com/avcenter/security/Content/6122.html
Credits
This issue was reported in a Macromedia security alert. Discovery of this issue appears to be credited to Marc
Maiffret of eEye Digital Security.
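As an added example (not part of this newsletter or of Macromedia's advisory) of the webserver log auditing recommended for this issue: a Python script that parses Common Log Format lines and flags requests whose URI length exceeds a chosen limit, the trace an oversized-URI request leaves behind. The log lines, the limit and the function names are constructed for illustration.

```python
# Added example: audit Common Log Format (CLF) web server lines for request
# URIs longer than a chosen limit. Sample lines and the limit are constructed.
import re
from typing import Iterable, List, Optional, Tuple

# One CLF line: host ident user [time] "METHOD URI PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/\d\.\d)" (?P<status>\d{3}) \S+$'
)

URI_LIMIT = 1024  # constructed threshold; set it above the longest legitimate URI you serve

def parse_clf(line: str) -> Optional[dict]:
    """Return the fields of one CLF line, or None if the line does not parse."""
    m = CLF.match(line)
    return m.groupdict() if m else None

def audit(lines: Iterable[str], limit: int = URI_LIMIT) -> List[Tuple[int, str, Optional[int]]]:
    """Return (line_no, reason, uri_length) findings.

    'oversized-uri' flags a parsed request whose URI exceeds limit;
    'unparsable' flags lines the CLF pattern rejects, which deserve a look
    because a malformed or truncated request line can also indicate abuse.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_clf(line.rstrip("\n"))
        if rec is None:
            findings.append((n, "unparsable", None))
        elif len(rec["uri"]) > limit:
            findings.append((n, "oversized-uri", len(rec["uri"])))
    return findings

# Constructed sample log: one normal request, one oversized URI, one broken line.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Nov/2002:10:12:01 +0000] "GET /index.jsp HTTP/1.0" 200 512',
    '10.0.0.9 - - [07/Nov/2002:10:12:07 +0000] "GET /' + "A" * 2000 + ' HTTP/1.0" 414 256',
    'this line is not in Common Log Format',
]

if __name__ == "__main__":
    for line_no, reason, length in audit(SAMPLE_LOG):
        print(f"line {line_no}: {reason}" + (f" ({length} chars)" if length else ""))
```

Run it over the server's real access log with a limit derived from the longest URI the application legitimately serves, and review every finding alongside the NIDS alerts for the same time window.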
Security News

Threats to Instant Messaging
Instant messaging is an up and coming threat as a carrier for malware. More and more people
are using instant messaging, both for personal and business reasons. Instant messaging networks provide the ability
to not only transfer text messages, but also transfer files. Consequently, instant messengers can transfer worms
and other malware.
Instant messaging can also provide an access point for backdoor Trojan horses. Hackers can use instant messaging
to gain backdoor access to computers without opening a listening port, effectively bypassing desktop and perimeter
firewall implementations. Furthermore, finding victims doesn’t require scanning unknown IP addresses, but rather
simply selecting from an updated directory of buddy lists. As more functionality is added to instant messaging,
such as peer-to-peer file sharing, instant messaging will also
become more prone to carrying malware.
Furthermore, instant messaging is very difficult to block in a company using conventional security methods such
as firewalls. In addition, there are generally no antivirus applications monitoring instant messaging network communications
on the server level. This means an instant messaging worm can be caught only at the desktop level.
Fortunately, antivirus vendors have realized the dangers of instant messaging, and have begun to create plug-ins
for the various instant messaging clients in their desktop products. Norton AntiVirus 2003 is an example of an
antivirus product that will plug in to the various clients and scan any incoming files.
When email became a part of our daily lives, it also became a large carrier of worms. Even after many email worm
outbreaks, people are still not educated about the potential dangers of email usage. Hopefully, the same story
will not be repeated with instant messengers.
The full article is here:
http://sarc.com/avcenter/reference/threats.to.instant.messaging.pdf
Neal Hindocha
Symantec Security Response
Editor's Note: A second article is also available on the Symantec web site:
http://www.sarc.com/avcenter/reference/secure.instant.messaging.pdf
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com; no unsubscribe or support
emails please. Follow this link to subscribe or unsubscribe: http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html
Send virus samples to: avsubmit@symantec.com
Disclaimer: THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.
This message contains Symantec Corporation's current view of the topics discussed as of the date of this document.
The information contained in this message is provided "as is" without warranty of any kind, either expressed
or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose,
and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document.
This document may not be distributed for profit.
Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products
are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials
may not be published in other documents without the express, written permission of Symantec Corporation.