December 2004 - Posts

Well this year is just about at an end.  It is hard to believe that it passed this fast.

I hope you all have a safe and Happy New Year!!

I was just looking at this on Secunia; F-Secure has a listing for this too. Hopefully that will be the end of it...

http://secunia.com/virus_information/14158/kipis.b/

http://www.f-secure.com/v-descs/kipis_b.shtml

=====================================

Please be careful with emails entitled "Happy New Year" and don't open any attachments, esp. if they end in SCR. Some variants of this virus also use offensive language.

W32/Kipis.b@MM - 2005 Happy New Year's message http://vil.nai.com/vil/content/v_130668.htm

Harry Waldron - Harry's Security Blog

=====================================

The full thread can be found here:

http://www.myitforum.com/forums/fb.asp?m=90533


Here is another attempt by hackers to make a “beneficial” virus.  As far as I am concerned, anything installed without an administrator's knowledge is never beneficial in the long run.

F-Secure : News from the Lab

Anti-Santy-Worm going around? Posted by Mikko @ 09:34 GMT

There seems to be a new phpBB worm going around.

We don't have all the details yet, but this one seems to be using search engines to find vulnerable discussion forum sites and infects them via the phpBB highlight vulnerability. Then the worm tries to patch the system so Santy variants won't be able to infect it any more.

Finally, the worm drops a file called secure.php which contains this text and continues spreading further.


This is not a beneficial worm. We have no idea how safe the patch the worm applies really is. We also have reports from phpBB administrators, whose sites are already perfectly safe, of being under a denial-of-service attack caused by the multiple requests this worm creates.

Information this morning from the ISC about traffic targeting MS SQL servers.  There are some very good questions to ask yourself about your SQL security here.

SANS - Internet Storm Center -Handler's Diary December 30th 2004

Brute force scanning against MS SQL server accounts

This isn't necessarily new, but the Bad Guys (tm) are still trying to break into Microsoft SQL servers using brute force techniques. We received a packet capture from one site that had 96 password attempts in 4 seconds. We believe that the tool being used is called SQLck.exe. When running on a compromised server, it will likely consume 100% CPU. If you have a compromised server with this binary, please send it to us.

Maybe now would be a good time to validate the following security practices with regard to ALL database platforms:

1. Do you really need to have the SQL server ports open to the outside world? You should have a firewall in front of your database filtering the inbound traffic. If you need the ports open to the Internet, consider restricting the source IP addresses that can connect.

2. Are you sure that you have a strong password for the SQL admin accounts? The Bad Guys (tm) are using very large dictionary lists (60,000+ words) to break into your server.

3. Do you have your IDS system alerting on failed login attempts? The Snort signature ID is 688: MS-SQL sa login failed.
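As an added illustration of item 3 (not code from the diary or from the ISC), the following Python scans SQL Server errorlog lines for bursts of failed logins from a single client address; the log line layout, client addresses and threshold are constructed assumptions, and the 96-failures-in-4-seconds burst mirrors the rate the diary reports.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Shape of the failed-login line SQL Server writes to its errorlog; the exact
# layout is constructed for this example, so adjust the pattern to your build.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\. \[CLIENT: (?P<client>[^\]]+)\]"
)

def brute_force_sources(lines, threshold=20, window_secs=4):
    """Return {client: peak failures} for clients with more than `threshold`
    failed logins inside any sliding window of `window_secs` seconds.
    (Threshold and window are assumed values; tune them to your environment.)"""
    recent = defaultdict(deque)          # client -> timestamps of recent failures
    window = timedelta(seconds=window_secs)
    peak = {}
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        q = recent[m["client"]]
        q.append(ts)
        while q and ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) > threshold:
            peak[m["client"]] = max(peak.get(m["client"], 0), len(q))
    return peak

def constructed_log():
    """Constructed errorlog: 96 'sa' failures in 4 seconds from one client (the
    rate the diary reports) plus two isolated failures from another client."""
    base = datetime(2004, 12, 30, 6, 19, 0)
    fmt = "%Y-%m-%d %H:%M:%S.%f"
    lines = []
    for i in range(96):
        ts = base + timedelta(milliseconds=41 * i)
        lines.append(f"{ts.strftime(fmt)[:-4]} Logon  Login failed for user 'sa'. "
                     "[CLIENT: 203.0.113.7]")
    for secs in (5, 300):
        ts = base + timedelta(seconds=secs)
        lines.append(f"{ts.strftime(fmt)[:-4]} Logon  Login failed for user 'appuser'. "
                     "[CLIENT: 198.51.100.9]")
    return lines

if __name__ == "__main__":
    for client, n in brute_force_sources(constructed_log()).items():
        print(f"ALERT: {client} made {n} failed logins within 4 seconds")
```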

A discussion going on about reports for patched machines on the SMS list revealed this information from the SMS 2003 SP1 Operations Release Notes that you might have missed:

Custom Software Update Management Reports Should Not Query v_GS_PATCHSTATE Class

When writing custom software update management reports, you should not query the v_GS_PATCHSTATE class because it no longer contains information for all patches.

WORKAROUND: Instead of using the v_GS_PATCHSTATE class in your custom reports, use v_GS_PatchStatus because it contains all data from the v_GS_PATCHSTATE and v_GS_PATCHSTATEEX classes.

Note: This information applies to SMS 2003 SP1 only.

The Internet Storm Center has been seeing some reports of a new virus spreading.  Early reports suggest that it might be an older version of the Beagle, but the ISC is looking for samples.  We should all be on the lookout for this, just in case.  I will report more details if they become available.

SANS - Internet Storm Center - Updated December 30th 2004 06:19 UTC (Handler: John Bambenek)

Another Virus, ISC Poll Results, Port 1433 scans

Update to the virus report below

Looks like the virus below is an old version of Bagle, specifically W32/Bagle.j@MM or W32/Bagle.n@MM which appeared in March of 2004. We are still trying to validate the binary attachment is the same. If anyone has an e-mail attachment that is not detected by existing anti-virus signatures, please send them to us.

http://vil.mcafeesecurity.com/vil/content/v_101071.htm
http://vil.mcafeesecurity.com/vil/content/v_101095.htm

Another Virus (update to the original diary)

We just got a report about a new virus spreading. Like other viruses in the past, it claims to come from the user's ISP. Pretty well done, so you may want to try and filter it, or at least remind your users not to click.

Sample (the 'ISP.NET' parts will be replaced with the recipient's domain name):
(if you can, just block e-mail from 'administrator@yourdomain' at your external email gateway. Typically, if you use such an account, your gateway will not receive email from the outside with that 'From' address)

From: administration@ISP.NET [mailto:administration@ISP.NET]
Sent: Wednesday, December 29, 2004 10:28 PM
To: user@ISP.NET
Subject: E-mail account disabling warning.

Hello user of ISP.NET e-mail server,

Our main mailing server will be temporary unavaible for next two days,
to continue receiving mail in these days you have to configure our free
auto-forwarding service.

For details see the attach.

Have a good day,
The ISP.NET team http://www.ISP.NET

(spelling of the e-mail is left in its original state. We don't have the attached binary right now. If you have it, send it to us via our contact page http://isc.sans.org/contact.php.)
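The Kipis warning earlier on this page (attachments ending in SCR) and the ISC's suggestion above to block outside mail that claims to come from your own administrator account can both be expressed as one check at the external gateway. The following Python is an added example, not ISC or F-Secure code; the local domain, the admin account names, the extension list and the sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr

LOCAL_DOMAIN = "isp.net"                                   # assumed: domain this gateway serves
LOCAL_ADMIN_NAMES = {"administrator", "administration", "postmaster"}   # assumed
RISKY_EXTENSIONS = (".scr", ".exe", ".pif", ".bat", ".com", ".cmd")     # assumed set

def gateway_findings(raw_message, local_domain=LOCAL_DOMAIN):
    """Check a message arriving from OUTSIDE at the external mail gateway.
    Returns a list of (code, detail) findings; an empty list means it passes."""
    msg = message_from_string(raw_message)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    local_part, _, domain = sender.rpartition("@")
    # The diary's advice: outside mail must never claim to come from our own
    # administrator account, because the gateway never receives that legitimately.
    if domain.lower() == local_domain and local_part.lower() in LOCAL_ADMIN_NAMES:
        findings.append(("spoofed-local-sender", sender))
    # Kipis-style lure: a "Happy New Year" mail carrying a .SCR attachment.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(("executable-attachment", name))
    return findings

def constructed_sample(sender, subject, attachment_name):
    """Build a constructed test message (not a real sample) with one attachment."""
    msg = MIMEMultipart()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@ISP.NET", subject
    msg.attach(MIMEText("For details see the attach.\n"))
    part = MIMEApplication(b"MZ...constructed, not a real binary...", Name=attachment_name)
    part["Content-Disposition"] = f'attachment; filename="{attachment_name}"'
    msg.attach(part)
    return msg.as_string()

if __name__ == "__main__":
    samples = {
        "ISP lure": constructed_sample("administration@ISP.NET",
                                       "E-mail account disabling warning.", "details.txt"),
        "Kipis lure": constructed_sample("friend@example.org", "Happy New Year", "newyear.SCR"),
        "benign": constructed_sample("friend@example.org", "Photos", "photo.jpg"),
    }
    for label, raw in samples.items():
        print(label, "->", gateway_findings(raw) or "pass")
```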

SANS - Internet Storm Center - Daily Diary

Does Your Search Engine Need A Tune-up?

We’ve had some reports over the past several days from folks about some odd search results. It appears that some searches at Google have been "seeded" with malicious sites that, when examined, have only a passing connection to the search terms entered. These sites are appearing near the top of the result listings and attempt to exploit various browser vulnerabilities to deliver malware to unwary (and unpatched) surfers. Most of the sites are new (with domain names having been only recently registered) and don’t appear to have been cached by Google. If you come across sites meeting this description, let us know the search terms that led you there.

McAfee has a new listing for a Trojan that is suspected to exploit the Windows vulnerabilities reported last week.  This is a completely different Trojan than the one listed on Symantec’s website.  Details and links are below.  Take note of the information in bold.  This Trojan also appears to register itself with the Windows XP SP2 firewall.

Downloader-TO

Trojan Characteristics:

This downloader trojan is itself downloaded via an HTA file (named Microsoft Office.hta and detected with the current DAT files as VBS/Psyme) that is believed to be used in conjunction with a recent Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass Vulnerability exploit.

The exploit is believed to save the file Microsoft Office.hta to the startup directory. Upon reboot, this file downloads a remote file named server.exe, saves it to the local system as c:\malware.exe, and executes the downloaded file. malware.exe is the Downloader-TO trojan.

Once run, this trojan adds itself to the Windows XP SP2 authorized applications firewall policy list (as cmsscs). It also adds an entry for the file that it downloads (C:\WINDOWS\tgbcde\module32.exe as module32).

The trojan attempts to terminate firewall processes that may prevent it from functioning:

* ccapp.exe
* zapro.exe
* armor2net.exe
* ZAPRO.EXE
* amon.exe
* MpfService.exe
* zonealarm.exe
* outpost.exe
* firewall.exe
* atguard.exe
* tpfw.exe
* kpf4ss.exe
* NPROTECT.EXE

Finally the trojan downloads a file, via HTTP, from 67.15.113.23 and executes it. At the time of this writing, the downloaded file contained a proxy server trojan.

From F-Secure’s Weblog: F-Secure : News from the Lab

Evolution in Cabir variants Posted by Jarno @ 12:48 GMT

We've found two new Cabir variants (Cabir.H and Cabir.I, respectively). As mentioned before, we've found several examples of phone malware over the last weeks, especially Cabir and Skulls variants, affecting Symbian Series 60 phones.

However, this time there are two important differences.

First of all, these new variants seem to be recompiled versions based on original Cabir source code, which means that the Cabir source code is floating around in the underground, which is bad news. We didn't know the sources were out there, and we've never seen them.

The second important difference is that these new Cabir variants fix a flaw that was slowing down original Cabir's spreading speed. Cabir originally would only spread to one new phone per reboot. This explains why it so far has only managed to spread to eight countries (as far as we know), despite being in the wild for months already.

Cabir.H and Cabir.I can spread to an unlimited number of phones per reboot. As soon as a suitable target phone is seen, the worm sends itself there as a Bluetooth file transmission and keeps sending itself to that phone while it is still in range. Once the target phone leaves the area, Cabir.H will find a new target and continue spreading. This means that in conditions where people move around and new phones come in contact with each other, Cabir.H and Cabir.I can spread quite rapidly.

Apart from spreading, these new Cabirs don't do anything directly destructive or malicious. However, they do block all normal Bluetooth connectivity and they also drain the infected phone's battery very fast.

We have no reports of Cabir.H and Cabir.I in the wild yet. However, this is probably only a matter of time, as the virus writer behind these variants has publicly posted them on his web page.

Both new Cabir variants are detected by F-Secure Mobile Anti-Virus.

Symbian Series 60 worm / trojan history so far:

2004:
June 15th: Cabir.A is found
June 16th: Cabir.B is found
November 19th: Skulls.A trojan is found
November 29th: Skulls.B is found
December 9th: Cabir.C is found
December 9th: Cabir.D is found
December 9th: Cabir.E is found
December 21st: Skulls.C is found
December 21st: Cabir.F is found
December 21st: Cabir.G is found
December 26th: Cabir.H is found
December 26th: Cabir.I is found

It has only been four days since a Chinese security group released sample exploit code for two new unpatched Windows vulnerabilities, and we already have a Trojan out in the wild that is using it.

Symantec has the listing for Trojan.Phel.A on its website this morning, and it is rated a Level 1 risk.

Trojan.Phel.A is a Trojan horse program, which is distributed as an HTML file, and attempts to exploit the Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass Vulnerability (BID 11467).

Trojan.Phel.A attempts to infect computers running Microsoft Windows XP with service pack 2.

Symantec and Trend Micro have also added proactive virus detections for the new exploits to their anti-virus arsenal.

Bloodhound.Exploit.20

Bloodhound.Exploit.21

TROJ_LOADIMG.A

HLP_EXPLOIT.A


As has already been reported on Rod’s Blog, the Internet Storm Center, and various other sources, a Chinese security group has released sample code to exploit two new unpatched security vulnerabilities in Windows.

Symantec and McAfee have already released generic detections for these exploits, in an effort to hold off any virus that may come out of the release of the exploit code.  If you start to see these new detections in your environment, it would be a good idea to submit a sample to your anti-virus vendor.

I have to say that I am glad to see these companies being more proactive with this sort of thing, and I hope it continues.  Details on the detection descriptions can be found here:

Bloodhound.Exploit.19

Exploit-ANIfile

Exploit-LoadImgAPI

I sure hope that next week is better than this week, because it's been a rough one.  I started this week (late Sunday night\early Monday morning) in the emergency room wondering if my advertisement had expired.

I’ll spare you the gory details, but I ended up with a sudden case of bronchitis that had me in bed until today.  I wouldn’t have made it without my wife, Debbie, there by my side, that is for sure.  She truly is a wonderful person and I am damn lucky to have her in my life.  If you have met her, you know what I mean.

Anyway, I just wanted to take the time to say this in front of the entire Internet:

I LOVE YOU DEB!!!

Now that I have that out of my system, I hope you all have a very safe and Merry Christmas!!

Take care,

Chris

Oh my…

Legal questions dog Microsoft buy
Just what the world needs, another row on code ownership

By Paul Roberts, IDG news service

A legal row over software ownership could hinder Microsoft's ability to offer products based on technology from its latest acquisition, anti-spyware company Giant Company Software. Sunbelt Software claims that its share of Giant will limit Microsoft's ability to exploit its new software fully.

For its part, Microsoft acknowledged that Sunbelt Software is part owner of Giant's AntiSpyware software. That agreement between Giant and Sunbelt does not prevent Microsoft from further developing new products based on the Giant code, according to Microsoft. However, Sunbelt President Alex Eckelberry said that his company has exclusive rights over elements of the technology, including the ability to offer SDKs (software developer's kits) for Giant AntiSpyware technology. That could make it difficult for Microsoft to integrate Giant technology with other products.

Microsoft issued a short statement regarding Sunbelt's claims Thursday saying, "We understand that Giant granted a co-ownership right to Sunbelt concerning an earlier version of Giant’s antispyware software product. However, the granting of that right to Sunbelt does not constrain either party from innovating and developing new products that are based on that earlier version."

A Microsoft spokeswoman declined to comment specifically on Sunbelt's other claims.

For the rest of the article, go here: Techworld.com - Legal questions dog Microsoft buy


Very interesting times are ahead…

Microsoft Moves On Spyware To Stymie Firefox

By Gregg Keizer, TechWeb News

Microsoft bought anti-spyware technology this week to protect its Internet Explorer browser from surging rivals like Mozilla's Firefox, a group of Gartner analysts said Friday.

Thursday, Microsoft announced that it was purchasing the New York-based Giant Company Software, and would release a beta edition of a spyware-fighting program for Windows 2000 and XP within 30 days.

Spyware is the broad term that defines software installed without users' knowledge or permission, and covers everything from relatively benign adware that tracks Web sites visited to malicious key loggers that record every keystroke in the hope of stealing passwords and financial account info. Spyware has been blamed for slowing down PCs, making them unusable on the Web due to incessant pop-ups, and for causing large fractions -- 25 to 50 percent -- of all help desk calls to the likes of Dell and Microsoft.

"The real reason for the acquisition," said John Pescatore, vice president at Gartner and the leader of a four-analyst team that published a brief on Microsoft's spyware motivations, "is that spyware problems have been making people defect from Internet Explorer. Microsoft has to protect IE until a new version comes out, which won't be until Longhorn. It has to protect IE now, since any anti-spyware improvements to IE won't show until Windows XP SP3 is released, which won't be until the second half of 2005."

Read the entire article here: TechWeb | Microsoft Internet browser spyware | Microsoft Moves On Spyware To Stymie Firefox

"TechNet Webcast: Understanding SMS 2003 SP1 Security Enhancements (Level 200)."

This webcast is about to begin. Please click on the following link to attend:

http://msevents.microsoft.com/cui/r.aspx?t=4&c=en-us&r=4911195

Event Name: TechNet Webcast: Understanding SMS 2003 SP1 Security Enhancements (Level 200) Start Date: 12/16/2004 Start Time: 01:00 PM PST
