October 2005 - Posts

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

 Handler's Diary October 30th 2005

Microsoft attacks Zombi Masters. (NEW)

Published: 2005-10-30,
Last Updated: 2005-10-30 06:43:57 UTC by donald smith (Version: 1)

If you're an average user, something like 50% of the spam you get comes from an infected home computer that has been turned into a spam zombie. These spam zombies are used by spammers to send spam without revealing their actual network address. The spammers provide the spam content to the zombies and the zombies send the spam to the victims.
 
From http://spamkings.oreilly.com/archives/2005/10/microsofts_decoy_zombie.html

Microsoft said it has filed "John Doe" lawsuits against the operators of 13 spam organizations that use illegal "zombie" computers to send their spam. The company held a press conference today with officials from the Federal Trade Commission to announce the lawsuits, filed in Washington State's King County court on August 17.
From an interview with Tim Cranton http://spamkings.oreilly.com/cranton.mp3

Microsoft has taken a new approach to security, in particular on the enforcement side. They took a clean computer and infected it with common malicious code. That code turned the computer into a spam zombie. A spam zombie is a computer that is connected to the Internet, has been infected, and checks in with the zombie controllers to let them tell it what to do. Microsoft documented 5 million connections used to send over 18 million spam messages in less than 3 weeks. This was just one computer. There are reported to be thousands of spam zombies out there. Microsoft cordoned their spam zombie off the net so it could not be used to actually send the spam. Microsoft filed a lawsuit and contacted ISPs to try to discover who is really sending the spam.

The SANS news bites letter has additional information on this.
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=7&issue=48

First time I did this, it was a big fat 0.  But now I have something to show…

My blog is worth $6,774.48.
How much is your blog worth?

Removal tool link: http://securityresponse.symantec.com/avcenter/SymcMTRT.sis

This tool is designed to remove the infections of the following threats:

Note: This removal tool is designed to run on Nokia Series 60 mobile phones.

How to download and run the tool

Follow these steps to download and run the tool:

  1. Download the SymcMTRT.sis file from the following URL:

    http://securityresponse.symantec.com/avcenter/SymcMTRT.sis

    Note:
    • The current version of the tool is version 1.0.3.
    • The certificate details are as follows:

      Issuer:
      Symbain Limited
      Owner:
      Symantec Corporation
      Expires:
      10/25/2015
      Serial number:
      13B23FA037151AE9524B0F90C9ECBD
      Valid from:
      10/25/2005

  2. Save the file to a convenient location, such as your Windows desktop.
  3. Load the SymcMTRT.sis removal tool file onto the compromised device.
  4. In the Symbian OS Menu, open the Tools folder.
  5. Open the File Mngr. program.
  6. Locate the SymcMTRT.sis file and open it.
  7. Click Yes when you see the following message:

    Install Symantec Mobile Threats Removal Tool?

  8. Choose Continue and then click OK.
  9. Click Exit to exit the file manager.
  10. Click Back to exit the Tools folder.
  11. Open the SymcMTRT application.
  12. Click Options, select Quick Scan, and then click Select.
  13. Choose Yes or No when the following message appears:

    Would you like to create a log file as C:\Nokia\SymcMTRT.LOG?

  14. One of two messages will appear:

    Scanning Completed!
    The removal was successful.

    Directories deleted:[NUMBER OF DIRECTORIES]
    Files deleted:[NUMBER OF FILES]

    Scanning Complete!
    No threat has been found on your device

  15. Click Close to exit the removal tool.
  16. Restart the device.
  17. Run the removal tool again to ensure that the device is clean.


The log file
If you chose to create a log file, the tool saves it to the device's C:\Nokia directory when it has finished running. This log file contains the following results:

  • Start time
  • End time
  • Number of scanned processes
  • Total number of scanned directories
  • Number of deleted directories
  • Number of scanned files
  • Number of deleted files

You can download the tool here: Symantec Security Response - Symantec Mobile Threats Removal Tool

 

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: October 26, 2005
********************************************************************

Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS05-051
  * MS05-044

Bulletin Information:
=====================

* MS05-051

  - http://www.microsoft.com/technet/security/bulletin/ms05-051.mspx
  - Reason for Revision: Security update replacement revised for MS04-012 on Microsoft Windows 2000.  Additionally, mitigating
    factors for MSDTC Vulnerability (CAN-2005-2119) have been updated to advise customers that the Microsoft
    Distributed Transaction Coordinator is not started by default on Windows 2000 Professional.
  - Originally posted: October 11, 2005
  - Updated: October 25, 2005
  - Bulletin Severity Rating: Critical
  - Version: 1.2
       
* MS05-044

  - http://www.microsoft.com/technet/security/bulletin/ms05-044.mspx
  - Reason for Revision: Bulletin updated to revise the mitigating factors section. 
  - Originally posted: October 11, 2005
  - Updated: October 26, 2005
  - Bulletin Severity Rating: Moderate
  - Version: 1.1
       
********************************************************************

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Handler's Diary October 25th 2005

New Skype vulnerabilities (NEW)

Published: 2005-10-25,
Last Updated: 2005-10-25 14:05:20 UTC by Adrien de Beaupre (Version: 1)

Our avid reader and contributor Juha-Matti let us know that there are two new vulnerabilities in the free IP telephone software Skype.

http://www.skype.com/security/skype-sb-2005-02.html

and

http://www.skype.com/security/skype-sb-2005-03.html

CVE entries: CVE-2005-3265
CVE-2005-3267

Secunia advisory: http://secunia.com/advisories/17305/

Please upgrade to the new version ASAP; the vulnerabilities have been rated highly critical by Secunia and high by Skype.

Download here:
http://www.skype.com/download/

Cheers,
Adrien de Beaupre
http://www.cinnabar.ca

 TITLE:
Symantec Discovery Database Accounts Null Password

SECUNIA ADVISORY ID:
SA17302

RELEASE DATE:
2005-10-25

VERIFY ADVISORY:
http://secunia.com/advisories/17302/

CRITICAL:
Moderately critical

WHERE:
From local network

IMPACT:
Manipulation of data
Exposure of sensitive information

SOFTWARE:
Symantec Discovery 6.x
Symantec ON Command Discovery Standard Edition 4.x
Symantec ON Command Discovery Web Edition 4.x

DESCRIPTION:
A security issue has been reported in Symantec Discovery, which potentially can be exploited by malicious people to gain access to, or to manipulate certain information.

The security issue is caused due to two database accounts, "DiscoveryWeb" and "DiscoveryRO", being created with no passwords during installation. Assigning a password to the "DiscoveryWeb" account will affect the proper functioning of Symantec Discovery.

The security issue has been reported in the following products:
* ON Command Discovery Standard Edition version 4.5.x
* ON Command Discovery Web Edition version 4.5.x
* Symantec Discovery version 6.0


SOLUTION:
Apply updates.

The vendor recommends that the "DiscoveryRO" account be removed unless it is being used in conjunction with the heat interface.

ON Command Discovery Standard Edition:
http://www.symantec.com/techsupp...oncmd/cmd_dis_std_45x/files.html

ON Command Discovery Web Edition:
http://www.symantec.com/techsupp...oncmd/cmd_dis_web_45x/files.html

Symantec Discovery 6.0:
http://www.symantec.com/techsupp...products/sdis/sdis_6x/files.html


REPORTED BY CREDITS:
Reported by vendor.


ORIGINAL ADVISORY:
http://securityresponse.symantec...security/Content/2005.10.24.html


 TITLE:
Skype Multiple Buffer Overflow Vulnerabilities

SECUNIA ADVISORY ID:
SA17305

RELEASE DATE:
2005-10-25

VERIFY ADVISORY:
http://secunia.com/advisories/17305/

CRITICAL:
Highly critical

WHERE:
From remote

IMPACT:
DoS
System access

SOFTWARE:
Skype for Linux 0.x
Skype for Linux 1.x
Skype for Mac OS X 0.x
Skype for Mac OS X 1.x
Skype for Pocket PC 1.x
Skype for Windows 1.x

DESCRIPTION:
Some vulnerabilities have been reported in Skype, which can be exploited by malicious people to cause a DoS or to compromise a user's system.

1) A boundary error exists when handling Skype-specific URI types e.g. "callto://" and "skype://". This can be exploited to cause a buffer overflow and allows arbitrary code execution when the user clicks on a specially-crafted Skype-specific URL.

The vulnerability is related to:
SA13191

2) A boundary error exists in the handling of VCARD imports. This can be exploited to cause a buffer overflow and allows arbitrary code execution when the user imports a specially-crafted VCARD.

Vulnerabilities #1 and #2 have been reported in Skype for Windows Release 1.1.*.0 through 1.4.*.83.

3) A boundary error exists in the handling of certain unspecified Skype client network traffic. This can be exploited to cause a heap-based buffer overflow.

Successful exploitation crashes the Skype client.

The vulnerability has been reported in the following versions:
* Skype for Windows Release 1.4.*.83 and prior.
* Skype for Mac OS X Release 1.3.*.16 and prior.
* Skype for Linux Release 1.2.*.17 and prior.
* Skype for Pocket PC Release 1.1.*.6 and prior.


SOLUTION:
Update to the fixed version.
http://www.skype.com/download/

Skype for Windows:
Update to Release 1.4.*.84 or later.

Skype for Mac OS X:
Update to Release 1.3.*.17 or later.

Skype for Linux:
Update to Release 1.2.*.18 or later.

Skype for Pocket PC:
No patch is yet available.


REPORTED BY CREDITS:
1-2) Mark Rowe, Pentest Limited.
3) Imad Lahoud, EADS Corporate Research Center.


ORIGINAL ADVISORY:
http://www.skype.com/security/skype-sb-2005-02.html
http://www.skype.com/security/skype-sb-2005-03.html


OTHER REFERENCES:
SA13191:
http://secunia.com/advisories/13191/

Always glad to see an antivirus vendor be proactive.

 Bloodhound.Exploit.50 is a heuristic detection for the Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (as described in Microsoft Security Bulletin MS05-039).

Bloodhound.Exploit.51 is a heuristic detection for the Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege, as described in Microsoft Security Bulletin MS05-047.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

 Handler's Diary October 25th 2005

Exploit for Snort BO available! (NEW)

Published: 2005-10-25,
Last Updated: 2005-10-25 13:08:58 UTC by Pedro Bueno (Version: 1)

So, it looks like there is finally an exploit publicly available for the Snort BO preprocessor vulnerability.
Our good reader Juha-Matti sent a note about an exploit published by FrSIRT, formerly known as K-Otik.
On the good side, our Handler Kyle Haugsness created a tool and some Snort signatures that can detect them!
I just tested it against the exploit and it really works! ;-) You can find it here.

If you didn't patch yet or apply the workarounds, do you need more reasons?

F-Secure : News from the Lab

Cabir.AA and other mobile news

Today we got a sample of a new Cabir variant, SymbOS/Cabir.AA. Unlike most other Cabir variants, Cabir.AA is not a hex-edited minor variant of Cabir.A or Cabir.B. Instead, this variant has been recompiled from the source code of the original Cabir (which has been floating around in the underground). Otherwise Cabir.AA is very similar to other Cabir variants, with the exception that it shows a scary bitmap image when the worm starts.

We shot a video in our RF lab of a phone getting infected with Cabir.AA. The video shows two phones being infected, one infected over USB cable and another over Bluetooth from the infected phone. In this video we also have one phone that has F-Secure Mobile Anti-Virus installed, which shows the Anti-Virus detecting and blocking the Cabir, so that the user cannot get infected even if he accepts the Bluetooth file transfer from the infected phone.

Cabir_AA.wmv (30293k file)

We also have news on Commwarrior front.

In the past couple of weeks, we have seen an increasing number of stories in the media about people who have had their phones infected with Commwarrior.A or Commwarrior.B. In many cases a Commwarrior infection has caused large phone bills due to the number of MMS messages it sends.

Many new operators have posted warnings about the Commwarrior spreading among users, for example a recent warning from TDC mobile.

We also have updated our free F-Commwarrior tool so that it can now also handle Commwarrior.C. Commwarrior.C has quite efficient self-protection, and disinfecting it without a special tool is rather difficult for a normal user.


SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Handler's Diary October 24th 2005


Exploit circulating for newly patched Oracle bug

Published: 2005-10-24,
Last Updated: 2005-10-24 01:13:13 UTC by Deborah Hale (Version: 3)

We also received an email from our very own handler Koon Yaw Tan with a link to an article at Computer World regarding an exploit circulating for the Oracle Bug.

http://www.computerworld.com/securitytopics/security/story/0,10801,105615,00.html

Those of you who use Oracle may want to take a look at the article and consider getting your systems patched.

I first saw the report on a MS04–047 virus on Harry Waldron’s blog:

——————————————————————————————————————————————————————————————————————————

 MS05-047 -- Mocbot IRC Worm in the wild

  A new attack based on October's security bulletin MS05-047 surfaced overnight. This new threat remains at low risk currently.

MS05-047 -- Mocbot IRC Worm in the wild
http://secunia.com/virus_information/22746/irc-mocbot/
http://www.f-secure.com/v-descs/mocbot.shtml
http://vil.nai.com/vil/content/v_136637.htm

This botnet client was spread using the MS05-047 vulnerability in October 2005. This threat appears to be the first of its kind to exploit the recent MS05-047 Microsoft Windows vulnerability.

This trojan installs itself in the WINDOWS SYSTEM directory as wudpcom.exe. It creates a service called "wudpcom". Once instructed, the bot scans the class A subnet addresses, sending SYN packets via TCP 139 (netbios), and 445 (microsoft-ds).

SYMPTOMS
1. Heavy netbios and microsoft-ds network traffic
2. Presence of the file wudpcom.exe in the WINDOWS SYSTEM directory
3. TCP 18067 connections to hostile websites

FrSIRT has also published POC code for ms05-047 exploit

—————————————————————————————————————————————————————————————————————————

He has since then updated the info on this in the MyITforum message boards:

————————————————————————————————————————————————————————————————————————

 Thankfully, we have a little more time, but with at least 4 published exploits in the wild, it's critical to test and patch all PCs and Servers quickly.
quote:

-- AVERT/McAfee Update Oct 23, 2005 -- After further analysis, AVERT has confirmed that this threat does not exploit MS05-047, but rather MS05-039. Initial analysis suggested the MS05-047 was being exploited due to similarities between those exploits (including overlapping code between publicly available source code), field infection reports where administrators incorrectly stated that machines were patched from MS05-039, and similarities between an earlier MS05-039 exploiting bot, where the only significant change was the exploit code being used.

Additionally, AVERT has confirmed that automated propagation has/had been configured on remote IRC servers, such that infected systems that are able to connect to the remote IRC server are immediately instructed to seek out vulnerable systems to infect them. This threat exploits the MS05-039 Microsoft Windows vulnerability.

————————————————————————————————————————————————————————————————————————

Thanks for keeping on top of things this weekend Harry!!
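The symptom list in the quoted write-up above is easy to turn into a check. As an added example (not code from the Mocbot write-ups, from Harry Waldron, or from this blog), the following Python looks for the SYN sweeps to TCP 139/445 and the TCP 18067 connections in constructed firewall-style log lines, and checks a host inventory for wudpcom.exe in the Windows system directory and the "wudpcom" service. The log line format, the sweep threshold and every address below are assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption for this example):
#   "<time> SYN <src_ip> -> <dst_ip>:<dst_port>"
LOG_RE = re.compile(r"^\S+ SYN (\S+) -> (\S+):(\d+)$")

SCAN_PORTS = {139, 445}   # netbios-ssn / microsoft-ds, from the symptom list
C2_PORT = 18067           # the "TCP 18067 connections" symptom
SCAN_THRESHOLD = 20       # distinct targets before a source counts as sweeping (assumed)

def parse_line(line):
    """Return (src, dst, port) for a matching line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src, dst, port = m.groups()
    return src, dst, int(port)

def find_scanners(lines, threshold=SCAN_THRESHOLD):
    """Map each source sweeping TCP 139/445 to its count of distinct targets."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] in SCAN_PORTS:
            targets[rec[0]].add(rec[1])
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}

def find_c2_sources(lines):
    """Set of sources that opened a connection to TCP 18067."""
    return {rec[0] for rec in map(parse_line, lines) if rec and rec[2] == C2_PORT}

def check_host_artifacts(files, services, system_dir=r"C:\WINDOWS\system32"):
    """List the host-based symptoms present: the dropped file and/or the service."""
    hits = []
    dropped = (system_dir + r"\wudpcom.exe").lower()
    if any(f.lower() == dropped for f in files):
        hits.append("file:wudpcom.exe")
    if any(s.lower() == "wudpcom" for s in services):
        hits.append("service:wudpcom")
    return hits

# Constructed sample: 10.1.2.3 sweeps 25 hosts on 445 and connects to 18067;
# 10.1.2.9 makes two ordinary SMB connections; one line is noise.
SAMPLE_LOG = [f"12:00:{i:02d} SYN 10.1.2.3 -> 10.{i}.0.1:445" for i in range(25)]
SAMPLE_LOG += ["12:01:00 SYN 10.1.2.3 -> 203.0.113.7:18067",
               "12:01:01 SYN 10.1.2.9 -> 10.1.2.50:445",
               "12:01:02 SYN 10.1.2.9 -> 10.1.2.51:139",
               "12:01:03 not a log line"]

if __name__ == "__main__":
    print("sweeping 139/445:", find_scanners(SAMPLE_LOG))
    print("connected to 18067:", find_c2_sources(SAMPLE_LOG))
    print("host artifacts:", check_host_artifacts([r"C:\WINDOWS\system32\wudpcom.exe"], ["wudpcom"]))
```

Since AVERT later attributed the same bot to MS05-039 rather than MS05-047, the network and host symptoms checked here are unchanged by that correction.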

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Handler's Diary October 22nd 2005

Possible Problem with MS05-050 Patch (NEW)

Published: 2005-10-22,
Last Updated: 2005-10-22 17:25:56 UTC by Koon Tan (Version: 1)

If you have manually downloaded and installed the patch for MS05-050, you may want to check again to make sure you have the correct patch. Microsoft has recently released a Knowledge Base article on "The computer may not be updated after you install the "Security Update for DirectX 7.0 for Windows 2000 (KB904706)" on a Windows 2000-based computer that is running DirectX 8 or DirectX 9".

According to Microsoft, this only applies if:
• You are running Microsoft Windows 2000
• Microsoft DirectX 8.0 or DirectX 9.0 is installed on the computer

This is likely due to the incorrect patch that you have manually downloaded and installed. If you have installed using Microsoft Windows Update website, you should be protected and free from this problem.

To check whether your system is correctly updated, you can verify the version number of Quartz.dll. The steps are detailed in
Microsoft KB article 909596.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Handler's Diary October 22nd 2005

Exploit Code for MS05-047 (NEW)

Published: 2005-10-22,
Last Updated: 2005-10-22 17:22:21 UTC by Koon Tan (Version: 1)

We have received several emails from our readers on the exploit code for MS05-047 (Microsoft Windows Plug and Play "Umpnpmgr.dll" Remote Exploit). By now I hope you have gotten all your systems patched.