June 2005 - Posts

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Potential Internet Explorer COM Vulnerability

SEC Consult reported a condition in Internet Explorer that may lead to an exploitable vulnerability. The advisory points out that Internet Explorer does not properly handle the instantiation of non-ActiveX COM objects from web pages. According to the write-up, "loading HTML documents with certain embedded CLSIDs results in null-pointer exceptions or memory corruption. in one case, we could leverage this bug to overwrite a function pointer in the data segment. it *may* be possible to exploit this issue to execute arbitrary code in the context of IE."

The published proof-of-concept code demonstrates the issue by invoking the javaprxy.dll COM object and crashing Internet Explorer, as tested in Internet Explorer 6 on Windows XP Service Pack 2. Although there are no patches to address the issue, a work-around is to disable ActiveX support in the browser. For more information about this issue, see the SEC Consult advisory.

This is an interesting bit of news, I wonder if this has anything to do with the new Microsoft Update site?

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Microsoft Updates the Package Installer for Windows XP

Several readers wrote to us with questions about an unexpected notification they received yesterday from Automatic Update, asking them to install update 898461 for Windows XP. According to Microsoft, this update "installs a permanent copy of the Package Installer for Windows version 6.1.22.4 on the computer so that subsequent software updates can have a significantly smaller download size." Before this update, all Package Installer files were downloaded every time you used "the Windows Update site or Automatic Updates to update the computer. This redundant download can be avoided if the installer files are made resident on the computer, because subsequent updates can use the resident files."

ISC reader Jeff pointed out that although this update is currently marked critical, it will shortly become mandatory. As Microsoft states in the Knowledge Base Article, as soon as this update "becomes mandatory, no future updates that are available from the Windows Update Web site or through Automatic Updates will include the Package Installer for Windows."

For more information about this update, see Microsoft Knowledge Base Article 898461. Please note that this package is only applicable to Windows XP.


Lenny Zeltser
ISC Handler of the Day
http://www.zeltser.com

Microsoft has released the Windows 2000 SP4 rollup as a Security Advisory.  Thanks to Amy Banford for making me aware of this in her post on the forums!

Microsoft Security Advisory (891861): Release of Update Rollup 1 for Windows 2000 Service Pack 4 (SP4)

Published: June 28, 2005

Today we are announcing the availability of the Update Rollup 1 for Windows 2000 Service Pack 4 (SP4). The Update Rollup will make it easier for customers to improve security of Windows 2000 systems, keep them up to date, and to build new deployment images.

The Update Rollup contains all security updates produced for Windows 2000 between the time SP4 was released and April 30, 2005, the time when the contents of the Update Rollup were locked down for final testing by Microsoft and by external beta & customer sites. The Update Rollup also contains a number of updates that increase system security, reliability, reduce support costs, and support the current generation of PC hardware.

We encourage Windows 2000 SP4 customers to install this update. For more information about this release, see
Microsoft Knowledge Base Article 891861

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Port 10000

Scans for port 10000/tcp have been increasing ever since the release of the Veritas Backup Exec exploit. This exploit is now available in various easy to use forms, including a Metasploit plug-in.

At this point, we are recommending:

(1) Block traffic to/from port 10000/tcp (note: this may be a bit tricky if you don't have a stateful firewall, as port 10000/tcp may be used by various clients as an ephemeral port)
(2) Verify that all your Veritas servers are patched.
(3) Scan your network for overlooked or already exploited Veritas servers.

One reader noted that after a system has been hit with the exploit, it will no longer listen on port 10000, as the service will die. However, it will still listen on port 6101.

Snort Signatures for the exploit as used by Metasploit (from Paul Dokas. Thanks!):

alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg: "Possible BackupExec Exploit (inbound)"; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; classtype: attempted-admin;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 10000 (msg: "Possible BackupExec Exploit (outbound)"; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; classtype: attempted-admin;)

Related URLs:
Veritas Announcement:
http://seer.support.veritas.com/docs/276604.htm

Metasploit:
http://www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm

Throw this info in with the news of the Outlook and Veritas exploits that were discovered this weekend, and it is going to be a loooong week… 
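The two Snort signatures in the ISC diary above only fire when the ten-byte Metasploit marker sits inside a 20-byte window starting at payload offset 24. The following is an added example, not ISC's or Paul Dokas's code, that re-implements that content/offset/depth test in Python and runs it over constructed packets (the addresses, the 10.0.0.0/8 $HOME_NET and the payloads are all assumptions built for the example, not captures).

```python
"""Added example: re-implementation of the content/offset/depth check from the
two BackupExec Snort rules, run over constructed TCP payloads.  Not ISC's or
Paul Dokas's code; the packets and $HOME_NET below are constructed."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The |hex| content from the rules, plus Snort's offset/depth modifiers:
# start at byte 24 of the payload and search only the next 20 bytes.
BACKUPEXEC_CONTENT = bytes.fromhex("00 00 03 00 00 02 00 58 58 58")
RULE_OFFSET = 24
RULE_DEPTH = 20
BACKUPEXEC_PORT = 10000

# $HOME_NET is an assumption for the example; substitute your own range.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def content_in_window(payload: bytes, content: bytes, offset: int, depth: int) -> bool:
    """Snort semantics: the whole content must sit inside payload[offset:offset+depth]."""
    return content in payload[offset:offset + depth]


def classify(pkt: Packet) -> Optional[str]:
    """Return the msg of the rule that would fire for this packet, or None."""
    if pkt.dport != BACKUPEXEC_PORT:
        return None
    if not content_in_window(pkt.payload, BACKUPEXEC_CONTENT, RULE_OFFSET, RULE_DEPTH):
        return None
    src_home = ipaddress.ip_address(pkt.src) in HOME_NET
    dst_home = ipaddress.ip_address(pkt.dst) in HOME_NET
    if dst_home and not src_home:
        return "Possible BackupExec Exploit (inbound)"
    if src_home and not dst_home:
        return "Possible BackupExec Exploit (outbound)"
    return None  # home-to-home or external-to-external: neither rule matches


def sample_packets() -> List[Packet]:
    """Constructed traffic: one inbound hit, one outbound hit, two misses."""
    hit = b"\x00" * RULE_OFFSET + BACKUPEXEC_CONTENT + b"A" * 40
    # Same marker bytes, but pushed past the 20-byte search window: Snort stays silent.
    shifted = b"\x00" * (RULE_OFFSET + RULE_DEPTH) + BACKUPEXEC_CONTENT
    return [
        Packet("198.51.100.7", "10.1.2.3", 10000, hit),      # inbound exploit attempt
        Packet("10.1.2.3", "198.51.100.7", 10000, hit),      # compromised host attacking out
        Packet("198.51.100.7", "10.1.2.3", 10000, shifted),  # marker outside the window
        Packet("198.51.100.7", "10.1.2.3", 6101, hit),       # right bytes, wrong port
    ]


def run_sample() -> List[Optional[str]]:
    return [classify(p) for p in sample_packets()]


if __name__ == "__main__":
    for pkt, alert in zip(sample_packets(), run_sample()):
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}  {alert or 'no alert'}")
```

The third packet is the caveat worth remembering: the rules key on the Metasploit module's fixed padding at a fixed offset, so a hand-modified exploit or a different tool that places its request differently will not trip them. Treat a hit as high-confidence and a miss as no information, and keep the scan-and-patch steps from the diary as the real control.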

The SANS - Internet Storm Center has a report about a new Bagle variant going around in the wild.

New Bagle Variant

We're receiving early reports of a new Bagle variant making the rounds. At the time of writing, many Antivirus products are not detecting this most recent mutation of the mass mailer. Identifying characteristics include a reference to SMS in the subject line, and ZIP attachments with various names containing an EXE named f22-013.exe with an md5 checksum of 3f123980866092fedd6bc75e9b273087. Our thanks go out to the numerous ISC readers who alerted us to this.

This new variant may or may not be related to the new Bagle variant that was listed on Symantec, McAfee, Trend Micro, and F-Secure's sites late last night/early this morning.  Considering how viruses can use random attachments these days, it is too early to tell.

Here is a list of information from the various websites. Virus Name Game rules do apply.  Threat level information may change on these as the day goes on, so check back often.

Symantec (Trojan.Tooso.J, Level 2)
http://securityresponse.symantec.com/avcenter/venc/data/trojan.tooso.j.html

McAfee (W32/Bagle.dldr, Low-Profiled)
http://vil.nai.com/vil/content/v_129512.htm

Trend Micro (TROJ_BAGLE.BB, Low)
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FBAGLE%2EBB

F-Secure (Mitglieder.CN)
http://www.f-secure.com/weblog/#00000580

http://www.f-secure.com/v-descs/mitglieder_cn.shtml
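The ISC diary above gives two indicators for this variant: an EXE named f22-013.exe inside ZIP attachments, and its MD5 of 3f123980866092fedd6bc75e9b273087. The following is an added example, not ISC's or any vendor's code, that checks a ZIP attachment against those indicators. The archives it builds are constructed test data with a stand-in EXE, so they do not contain the real sample and only the hash-set lookup and the name check are exercised.

```python
"""Added example: check a ZIP e-mail attachment for the Bagle indicators from
the ISC diary (EXE name f22-013.exe, MD5 3f123980866092fedd6bc75e9b273087).
Not ISC's code; the archives built here are constructed, not the real sample."""

import hashlib
import io
import zipfile
from typing import Dict, List, Set

BAGLE_EXE_NAME = "f22-013.exe"
BAGLE_MD5 = "3f123980866092fedd6bc75e9b273087"
MAX_MEMBER_BYTES = 16 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def scan_zip(zip_bytes: bytes, ioc_md5s: Set[str], ioc_names: Set[str]) -> List[dict]:
    """Return one finding per .exe member: its name, hash, and which indicators hit."""
    findings: List[dict] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [{"member": None, "md5": None, "md5_hit": False,
                 "name_hit": False, "error": "not a zip"}]
    with archive:
        for info in archive.infolist():
            base = info.filename.rsplit("/", 1)[-1].lower()
            if info.is_dir() or not base.endswith(".exe"):
                continue
            name_hit = base in ioc_names
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"member": info.filename, "md5": None, "md5_hit": False,
                                 "name_hit": name_hit, "error": "oversized"})
                continue
            digest = md5_hex(archive.read(info))
            findings.append({"member": info.filename, "md5": digest,
                             "md5_hit": digest in ioc_md5s,
                             "name_hit": name_hit, "error": None})
    return findings


def verdict(findings: List[dict]) -> str:
    """A hash match is definitive; a name match alone is only a hint, since variants rename."""
    if any(f["md5_hit"] for f in findings):
        return "quarantine"
    if any(f["name_hit"] or f["error"] for f in findings):
        return "suspicious"
    return "clean"


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Constructed test archive (member name -> content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    fake_exe = b"MZ" + b"\x90" * 64  # constructed stand-in, not the real sample
    attachment = build_zip({"f22-013.exe": fake_exe})
    print(verdict(scan_zip(attachment, {BAGLE_MD5}, {BAGLE_EXE_NAME})))
    print(verdict(scan_zip(attachment, {md5_hex(fake_exe)}, {BAGLE_EXE_NAME})))
```

Two design points: the hash set, not the file name, drives the quarantine decision, because the diary itself notes the ZIP names vary and the next variant will change the EXE name as well; and the member is hashed only after a size check, because an unauthenticated attachment is exactly where a decompression bomb would arrive.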

I guess I must be doing something right, looks like my blog just passed the 15,000 mark for unique visitors today.  :-)

As long as you readers keep coming by, I’ll keep blogging.  Thanks for coming by!

Just in case you haven’t seen these already…

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Veritas Advisories

Veritas Backup Exec/NetBackup Request Packet Denial Of Service Vulnerability

Veritas Backup Exec Server Remote Registry Access Vulnerability

Veritas Backup Exec Remote Agent Null Pointer Dereference Denial Of Service Vulnerability

Veritas Backup Exec Remote Agent for Windows Servers Authentication Buffer Overflow Vulnerability

Veritas Backup Exec Admin Plus Pack Option Remote Heap Overflow Vulnerability

VERITAS Backup Exec Web Administration Console Remote Buffer Overflow Vulnerability


With new variants of the Mytob virus continuing to flow in every day, Symantec is trying to keep up by once again updating their Mytob Removal Tool, this time to include the W32.Mytob.EC@mm, W32.Mytob.ED@mm, and W32.Mytob.EE@mm variants.

Once again, here is the tally of Mytob variants covered by this tool to date: 

Download the tool here: http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob@mm.removal.tool.html



Microsoft has released a Security Advisory that is related to the Dialog Origin Spoofing Vulnerability that was reported by Secunia yesterday.

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: June 21, 2005

********************************************************************

Security Advisory Updated or Released Today
==============================================

* Security Advisory (902333)

- Title: Browser Windows Without Indications of Their Origins may be Used in Phishing Attempts

- Web site: http://go.microsoft.com/fwlink/?LinkId=49437

Support:

========

Technical support resources can be found at: http://go.microsoft.com/fwlink/?LinkId=21131

International customers can get support from their local Microsoft subsidiaries. Phone numbers for international support can be found at: http://support.microsoft.com/common/international.aspx

False alarm folks, you can put away the Tums now….

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

MS05-026 exploits in the field?
The first incident of my shift involved an active exploit of MS05-026 (ED: no, Kevin, it’s actually MS05-001 as we see below.) A spam message was blasted out to potential “customers,” including the link to the poisoned website. It leveraged the MS05-026 (MS05-001, see above) (http://www.microsoft.com/technet/security/bulletin/MS05-001.mspx) HTML Help remote code execution (no, Security zone bypass) vulnerability to install a Haxdoor variant on the visitor (well, I got one part right.)

Update: The following AV tools detect the initial Help Control Exploit

Antivirus Version Update Result
ClamAV devel-20050501 06.20.2005 Exploit.Helpcontrol
eTrust-Iris 7.1.194.0 06.19.2005 HTML/HelpControl!Exploit!Trojan
eTrust-Vet 11.9.1.0 06.20.2005 HTML.HelpControl!exploit
Fortinet 2.35.0.0 06.20.2005 VBS/Phel.A-trM
Sybari 7.5.1314 06.20.2005 HTML/HelpControl!Exploit!Trojan

The following AV tools detect the Trojan dropped:

Antivirus Version Update Result
AntiVir 6.31.0.7 06.20.2005 BDS/Haxdoor.CW
Avira 6.31.0.7 06.20.2005 BDS/Haxdoor.CW
Fortinet 2.35.0.0 06.20.2005 W32/Haxdor.3048-tr
Kaspersky 4.0.2.24 06.20.2005 Backdoor.Win32.Haxdoor.cw
McAfee 4517 06.20.2005 BackDoor-BAC.gen.b
NOD32v2 1.1146 06.20.2005 a variant of Win32/Haxdoor
Sybari 7.5.1314 06.20.2005 Backdoor.Win32.Haxdoor.cw
Symantec 8.0 06.20.2005 Backdoor.Haxdoor.D
TheHacker 5.8.2.056 06.20.2005 Backdoor/Haxdoor.cw
VBA32 3.10.3 06.20.2005 Backdoor.Win32.Haxdoor.cw

I’d prefer to not post further details at this time to avoid false-positives or expose the readers to a real danger.

Update: If one were to do one’s job and follow-up on what Exploit.Helpcontrol really triggered on, a few minutes of effort would finally turn up a link to:http://www.microsoft.com/technet/security/bulletin/ms05-001.mspx Ahh, such is the dangerous life of a volunteer incident handler, living on the edge of exposing your stupidity and suffering the wrath of readers. :-)

Fun for the whole family….

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

MS05-026 exploits in the field
The first incident of my shift involved an active exploit of MS05-026. A spam message was blasted out to potential “customers,” including the link to the poisoned website. It leveraged the MS05-026 (http://www.microsoft.com/technet/security/bulletin/MS05-026.mspx) HTML Help remote code execution vulnerability to install a Haxdoor variant on the visitor.

Update: The following AV tools detect the initial Help Control Exploit

Antivirus Version Update Result
ClamAV devel-20050501 06.20.2005 Exploit.Helpcontrol
eTrust-Iris 7.1.194.0 06.19.2005 HTML/HelpControl!Exploit!Trojan
eTrust-Vet 11.9.1.0 06.20.2005 HTML.HelpControl!exploit
Fortinet 2.35.0.0 06.20.2005 VBS/Phel.A-trM
Sybari 7.5.1314 06.20.2005 HTML/HelpControl!Exploit!Trojan

The following AV tools detect the Trojan dropped:

Antivirus Version Update Result
AntiVir 6.31.0.7 06.20.2005 BDS/Haxdoor.CW
Avira 6.31.0.7 06.20.2005 BDS/Haxdoor.CW
Fortinet 2.35.0.0 06.20.2005 W32/Haxdor.3048-tr
Kaspersky 4.0.2.24 06.20.2005 Backdoor.Win32.Haxdoor.cw
McAfee 4517 06.20.2005 BackDoor-BAC.gen.b
NOD32v2 1.1146 06.20.2005 a variant of Win32/Haxdoor
Sybari 7.5.1314 06.20.2005 Backdoor.Win32.Haxdoor.cw
Symantec 8.0 06.20.2005 Backdoor.Haxdoor.D
TheHacker 5.8.2.056 06.20.2005 Backdoor/Haxdoor.cw
VBA32 3.10.3 06.20.2005 Backdoor.Win32.Haxdoor.cw

I was one of the people that signed this petition, maybe now we can get some answers.

Forum focuses on 'Downing St. memo'
Democrats urge inquiry into whether Bush misled nation on war

Thursday, June 16, 2005 Posted: 11:08 PM EDT (0308 GMT)

WASHINGTON (AP) -- Amid new questions about President Bush's drive to topple Saddam Hussein, several House Democrats urged lawmakers on Thursday to conduct an official inquiry to determine whether the president intentionally misled Congress.

Rep. John Conyers of Michigan and a half-dozen other members of Congress were stopped at the White House gate when they hand-delivered petitions signed by 560,000 Americans who want Bush to provide a detailed response to the so-called Downing Street memo.

Read the full story here: CNN.com - Forum focuses on 'Downing St. memo' - Jun 16, 2005

More news on this story from Google News

The news wires all over are talking about the report from the UK on targeted Trojan attacks that I posted about yesterday…

Here is a search url from Google News: http://news.google.com/nwshp?hl=en&gl=us&ncl=http://uk.sys-con.com/read/101469.htm

This doesn’t look good…

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

UK Critical Infrastructure and Business Trojan Attacks

Britain's NISCC has issued "Breaking News" and is "warning that vital computer networks are at risk of attack." "The attackers' aim appears to be covert gathering and transmitting of commercially or economically valuable information." "To learn more see the NISCC briefing Targeted Trojan Email Attacks"
http://www.uniras.gov.uk/niscc/index-en.html

http://www.uniras.gov.uk/niscc/docs/ttea.pdf


UPDATE: Other Governments issue warnings. A principal concern is:

"The subject line and text of the e-mails appear relevant to the recipient’s work, or may be copied from a previous legitimate e-mail;

"The attachment name and type appear relevant to the text and to the recipient’s work."(1)

(1) Canadian Cyber Incident Response Centre (CCIRC)
http://www.ocipep.gc.ca/opsprods/info_notes/IN05-001_e.asp


Australian Department of Defence DSD Advisory DA-2005-01
http://www.dsd.gov.au/_lib/pdf_doc/advisories/DA-2005-01.pdf


I went and saw Batman Begins last night and it was AWESOME!! 

Those that know me know that I am an avid comic book collector and have been a huge Batman fan since I was a kid.  I have thousands of comics in my collection and have read more Batman stories than you can imagine.

With that in mind, believe me when I tell you that Batman Begins has FINALLY captured the true essence of what the Batman character was meant to be when Batman was created by Bob Kane, all those years ago (1939 to be exact). 

In my opinion, Batman Begins is a must see movie.  With news out that they are already making plans for the sequel, Batman is hopefully back for good!

This month just might be a sticky one for getting patches deployed.  What MBSA will and will not detect is all over the board this month.  Here is what I have:

MS05-025 (Critical) MBSA will detect this IE patch, but keep in mind the SMS install will use the old “/q:a /r:n” switches just like MS05-020 did, because of the new Update.exe used with Windows 2000 and XP.

MS05-026 (Critical) Detected by MBSA and “regular” SMS scanning tools. 

MS05-027 (Critical) Detected by MBSA and “regular” SMS scanning tools.

MS05-028 (Important) Detected by MBSA and “regular” SMS scanning tools.

MS05-029 (Important) This patch will require the updated Extended Security Update Inventory Tool to be detected by SMS.  You can upgrade the last version, or uninstall the old version and install this new version.

MS05-030 (Important) Requires the updated Extended Security Update Inventory Tool.

MS05-031 (Important) Requires the updated Extended Security Update Inventory Tool.

MS05-032 (Moderate) Detected by MBSA and “regular” SMS scanning tools.

MS05-033 (Moderate) This one is my favorite. You will have to use BOTH scanners to detect and deploy this patch, depending on what you have installed in your environment.  Here is an excerpt from the FAQ:

Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine whether this update is required?
Yes. MBSA will determine whether this update is required, but only for programs that MBSA supports. For example, MBSA does not support Windows Services for UNIX and will not detect whether the update is required for that program. However, Microsoft has developed a version of the Enterprise Update Scanning Tool (EST) that will help customers determine if the Windows Services for UNIX security update is required. For detailed information about the programs that MBSA currently does not detect, see Microsoft Knowledge Base Article 306460. For more information about MBSA, visit the MBSA Web site.

What is the Enterprise Update Scanning Tool (EST)?
As part of an ongoing commitment to provide detection tools for bulletin-class security updates, Microsoft delivers a stand-alone detection tool whenever the Microsoft Baseline Security Analyzer (MBSA) and the Office Detection Tool (ODT) cannot detect whether the update is required for an MSRC release cycle. This stand-alone tool is called the Enterprise Update Scanning Tool (EST) and is designed for enterprise administrators. When a version of the Enterprise Update Scanning Tool is created for a specific bulletin, customers can run the tool from a command line interface (CLI) and view the results of the XML output file. To help customers better utilize the tool, detailed documentation will be provided with the tool. There is also a version of the tool that offers an integrated experience for SMS administrators.

Can I use a version of the Enterprise Update Scanning Tool (EST) to determine whether this update is required?
Yes. Microsoft has created a version of the EST that will determine if you have to apply the Windows Services for UNIX updates. For more information about the version of the EST that is being released this month, see the following Microsoft Web site. For more detailed deployment information about the version of the EST that is being released this month, see the following Microsoft Web site. There is also a version of this tool that SMS customers can obtain by visiting the following Microsoft Web site. This tool may also be available for SMS customers from the SMS Web site.

Can I use Systems Management Server (SMS) to determine whether this update is required?
Yes. SMS can help detect and deploy this security update. SMS uses MBSA for detection; therefore, SMS has the same limitation listed earlier in this bulletin related to programs that MBSA does not detect. However, there is a version of the EST that SMS customers can obtain that offers an integrated experience for SMS administrators. To download this version of the EST, visit the following Microsoft Web site. The Security Update Inventory Tool is required for detecting Microsoft Windows and other affected Microsoft products. For more information about the limitations of the Security Update Inventory Tool, see Microsoft Knowledge Base Article 306460.

MS05-034 (Moderate) Detected by MBSA and “regular” SMS scanning tools.



Secunia - Advisories - Java Web Start / Sun JRE Sandbox Security Bypass Vulnerability

Java Web Start / Sun JRE Sandbox Security Bypass Vulnerability

Description:
Two vulnerabilities have been reported in Java Web Start and Sun Java Runtime Environment (JRE), which can be exploited by malicious people to compromise a user's system.

1) An unspecified error may be exploited by a malicious, untrusted application to execute arbitrary code.

The vulnerability affects Java Web Start included in J2SE releases 5.0 and 5.0 Update 1 for Windows, Solaris and Linux.

2) An unspecified error may be exploited by a malicious, untrusted applet to execute arbitrary code.

The vulnerability affects J2SE releases 5.0 and 5.0 Update 1 for Windows, Solaris and Linux, and J2SE 1.4.2_07 and prior 1.4.2 releases for Windows, Solaris and Linux.

Like it says in Harry Waldron's post on Mytob today, new variants of the Mytob virus are coming out every day.  In some cases, more than one variant comes out a day depending on which AV vendor's website you frequent.

Symantec is trying to keep up with this and has made another update to their Mytob virus cleaner. This time protection for the W32.Mytob.EB@mm variant has been added.

As far as I know, this is the only cleaning tool out there for this virus family.  McAfee’s Stinger has not been updated since 5/02/2005.

Once again, here is the tally of Mytob variants covered by this tool to date:

Download the tool here: http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob@mm.removal.tool.html

Here is a follow up to an earlier post on iframeDOLLARS.biz

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

iframeDOLLARS.biz redux

Holy smokes, the iframeDOLLARS business practice is back up and running at (www.iframedollars.biz) 195.95.218.170 and (bestcounter.biz) 195.95.218.171. We've also received reports of malicious hosting at 195.95.218.172. I personally (NOT SANS!!!) highly recommend these domains and IPs for blackholing on your networks. While you're at it, if you manage large proxies and find new hits for iframeDOLLARS exploits, we'd like to hear about them.

This time around the update was to add detection of W32.Mytob.BE@mm, W32.Mytob.DP@mm and W32.Mytob.EG@mm.

Here is a list of what this tool covers to date:

Download the tool here: http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob@mm.removal.tool.html

********************************************************************

Title: Microsoft Advanced Notification

Issued: June 09, 2005

********************************************************************

Summary

=======

As part of the monthly security bulletin release cycle, Microsoft provides advance notification to our customers on the number of new security updates being released, the products affected, the aggregate maximum severity and information about detection tools relevant to the update.

On 14 June 2005 the Microsoft Security Response Center is planning to release:

Security Updates

- 7 Microsoft Security Bulletins affecting Microsoft Windows. The greatest aggregate, maximum severity rating for these security updates is Critical. Some of these updates will require a restart. 5 of these updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA), 2 of these updates will be detectable using the Enterprise Scanning Tool (EST).

- 1 Microsoft Security Bulletin affecting Microsoft Windows and Microsoft Services for UNIX. The greatest aggregate, maximum severity rating for these security updates is Moderate. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA) and using the Enterprise Scanning Tool (EST).

- 1 Microsoft Security Bulletin affecting Microsoft Exchange. The greatest aggregate, maximum severity rating for this security update is Important. This update will not require a restart. This update will be detectable using the Microsoft Baseline Security Analyzer (MBSA) and using the Enterprise Scanning Tool (EST).

- 1 Microsoft Security Bulletin affecting Microsoft Internet Security and Acceleration (ISA) Server and Small Business Server. The greatest aggregate, maximum severity rating for these security updates is Moderate. These updates may require a restart. This update will be detectable using the Enterprise Scanning Tool (EST).

Microsoft Windows Malicious Software Removal Tool

- Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.

Note that this tool will NOT be distributed using Software Update Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS

- Microsoft will NOT release any NON-SECURITY High-Priority Updates for Windows on Microsoft Update (MU), Windows Update (WU), Windows Server Update Services (WSUS) and Software Update Services (SUS).

Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released.

Microsoft will host a webcast next week to address customer questions on these bulletins. For more information on this webcast please see below:

- TechNet Webcast: Information about Microsoft's June Security Bulletins (Level 100)
- Wednesday, June 15, 2005 11:00 AM (GMT-08:00) Pacific Time (US & Canada)
- http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032275405&EventCategory=4

This time around the update was to provide detection for W32.Mytob.DV@mm, that was discovered yesterday.

Here is a list of what this tool covers so far:

Download the tool here: http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob@mm.removal.tool.html

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

More reports of RBOT using ASN.1 vuln

We are getting more and more reports of the use of the ASN.1 vuln in an rbot variant. This is using one of the ASN.1 vulns patched by MS04-007. The exploit is borrowed from an existing proof of concept. For more discussion see this article on the vuln: http://netsecurity.about.com/cs/windowsxp/a/aa021204.htm (thanks Dave)
This was previously mentioned in the diary on the 3rd of June as possibly rbot attacking IIS' authentication methods.
This is the report from VirusTotal for the samples we've seen:

Antivirus Version Update Result
AntiVir 6.30.0.15 06.05.2005 no virus found
AVG 718 06.04.2005 no virus found
Avira 6.30.0.15 06.05.2005 no virus found
BitDefender 7.0 06.05.2005 Backdoor.SDBot.0B1CDAF0
ClamAV devel-20050501 06.05.2005 no virus found
DrWeb 4.32b 06.05.2005 no virus found
eTrust-Iris 7.1.194.0 06.05.2005 Win32/RBot.121504!Worm
eTrust-Vet 11.9.1.0 06.03.2005 no virus found
Fortinet 2.27.0.0 06.04.2005 suspicious
Ikarus 2.32 06.03.2005 IM-Worm.Win32.Sumom.C
Kaspersky 4.0.2.24 06.06.2005 Backdoor.Win32.Rbot.gen
McAfee 4506 06.03.2005 no virus found
NOD32v2 1.1129 06.05.2005 Win32/Rbot
Norman 5.70.10 06.04.2005 W32/MEWpacked.gen
Panda 8.02.00 06.05.2005 W32/Gaobot.HEG.worm
Sybari 7.5.1314 06.06.2005 Worm.RBot.BGM
Symantec 8.0 06.05.2005 W32.Spybot.Worm
TheHacker 5.8-3.0 06.06.2005 no virus found
VBA32 3.10.3 06.05.2005 Backdoor.Win32.Rbot.gen

Thanks to Joe Law for forwarding this link to the AntiVirus List

Symantec Strikes Back at 'Adware' Vendor
By Ryan Naraine
June 8, 2005

Internet security specialist Symantec Corp. has turned the tables on browser toolbar startup Hotbar.com Inc., filing a lawsuit to retain the right to flag Hotbar products as a potential security risk for PC users.

Symantec's suit, filed in the U.S. District Court for the Northern District of California, does not seek monetary damages. Instead, it is asking for a legal judgment supporting Symantec's position that Hotbar program files "are indeed adware and can be treated as computer security risks."

Ziff Davis Internet News has learned that the suit was a direct response to a cease-and-desist letter sent to Symantec demanding that the company stop classifying Hotbar programs as adware.

Read the full article here: Symantec Strikes Back at 'Adware' Vendor

Symantec has updated their Mytob Removal Tool to cover the recently discovered W32.Mytob.DL@mm and W32.Mytob.DJ@mm variants.

Download the tool here: http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob@mm.removal.tool.html

8 days and counting, I can’t wait!!

Batman's Bale Knows His Comics

Christian Bale, who stars in the upcoming Batman Begins movie, revealed a deep knowledge of the movie's source comic books to SCI FI Wire and said they informed his performance of the Caped Crusader. "I liked the artwork of Alex Ross, but my favorites were the Jeph Loeb and Tim Sale stories," Bale said in an interview.

Read the full article here: Sci Fi Wire -- The News Service of the Sci Fi Channel

I caught a post over at Donna's SecurityFlash about a Fox News report on a Microsoft site over in Korea getting hacked.

Microsoft's Korean Web Site Hacked

Thursday, June 02, 2005

WASHINGTON — Microsoft (MSFT) acknowledged Thursday that hackers booby-trapped its popular MSN Web site in Korea to try to steal passwords from visitors. The company said it was unclear how many Internet users might have been victimized.

Microsoft (search) said it cleaned the Web site, www.msn.co.kr, and removed the dangerous software code that unknown hackers had added earlier this week. A spokesman, Adam Sohn, said Microsoft was confident its English-language Web sites were not vulnerable to the same type of attack.

Read the full article here: http://www.foxnews.com/story/0,2933,158463,00.html

Harry Waldron has a post with new info on the latest Bagle variant that I posted about yesterday

Looks like it is going to be a busy week!

F-Secure : News from the Lab

May-June portion of Bagles Posted by Ceco @ 00:33 GMT

The number of new Bagle-related downloader variants (aka: Mitglieder ) that we monitor has grown up to 8 in the past few hours. The downloaders are very similar. When run, they all drop a DLL (named WIWSHOST.EXE, more information here: Bagle.BO ) and inject it into Explorer.EXE address space. The dropped DLLs can be grouped into two groups. The difference between the two groups is the slightly changed set of URLs that they use to additionally download malware. Currently some variants are under analysis and updates will be provided shortly.

We continue to monitor this development and updates will be provided promptly. Thus, do not be surprised if you see databases ending _08.