October 2005 - Posts

Looks like I passed the 25,000 mark for unique hits today. 

Thanks Google!!

********************************************************************

Title: Microsoft Security Bulletin Minor Revisions

Issued: October 21, 2005

********************************************************************

Summary
=======

The following bulletins have undergone a minor revision increment.

Please see the appropriate bulletin for more details.

* MS05-050

* MS05-045

Bulletin Information:
=====================

* MS05-050

- http://www.microsoft.com/technet/security/bulletin/ms05-050.mspx

- Reason for Revision: Bulletin updated to revise file version under the "Frequently asked questions (FAQ) related to this security update" section for "I've installed the DirectX (KB904706) security update, what version of quartz.dll should I have installed?" DirectX Windows 2000 Service Pack 4 versions 7.0 and 9.0.

- Originally posted: October 11, 2005

- Updated: October 21, 2005

- Bulletin Severity Rating: Critical

- Version: 1.3

* MS05-045

- http://www.microsoft.com/technet/security/bulletin/ms05-045.mspx

- Reason for Revision: Bulletin updated to revise the install registry key name for the Windows Server 2003 security update.

- Originally posted: October 11, 2005

- Updated: October 21, 2005

- Bulletin Severity Rating: Moderate

- Version: 1.1

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Handler's Diary October 21st 2005


parishilton.scr (NEW)

Published: 2005-10-21,
Last Updated: 2005-10-21 15:27:53 UTC by Daniel Wesemann (Version: 1)

There's a new variant of SDBOT making the rounds, arriving via IM as a link to a file called parishilton.scr. Those few AV that already detect it seem to call it Sdbot.XD. Maybe a good moment to check your proxy logs to see which of your IM users clicked on it.

I get e-mails from people from time to time who need help getting this nasty little Trojan off of their computer.  This tool is the first thing I point them to.

I also have them run spyware scans on their computer after that, as this is usually how this Trojan gets installed on a computer, and provide them with links to three free spyware scanning tools.

Symantec has updated their Trojan.Vundo removal tool to include the following:

  • October 20, 2005: Published version 1.4 to support removal of minor variants.
  • October 13, 2005: Published version 1.3.1 to support removal of minor variants.

To date this cleaner now covers the following major variants of this Trojan:

You can download a copy of this tool here: Symantec Security Response - Trojan.Vundo Removal Tool


Symantec has updated their Mytob removal tool to include the following:

  • October 20, 2005: Published version 1.29.0, which supports removal of W32.Mytob.LE@mm

To date this cleaner now covers the following: 

You can download this tool here: Symantec Security Response - W32.Mytob@mm Removal Tool



Handler's Diary October 21st 2005

Outage on Verio and Level3 (NEW)

Published: 2005-10-21,
Last Updated: 2005-10-21 07:40:23 UTC by Daniel Wesemann (Version: 1)

We are getting reports that Level3 and Verio networks are flaky or down at the moment. We'll update this entry if we get any news. 07:40 UTC: Things are slowly going back to normal. Rumour has it that a software upgrade at Level3 went awry.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Sploits Du Jour: Veritas NetBackup & Ethereal. Watch Oracle and Snort! (NEW)

Published: 2005-10-20,
Last Updated: 2005-10-20 21:04:21 UTC by Ed Skoudis (Version: 1)

Lots of new exploits today in the wild, so patch away, patch away, patch away all. 

In particular, patch Veritas NetBackup (more info here). Working exploits have been released.

Also, patch Ethereal (more info here). Again, working exploits are available.

Also, as we said the other day, don't forget to check out the crucial Oracle patches.

And, for goodness sakes, patch Snort or shut off the Back Orifice preprocessor!  A fully working exploit is likely very near.

Also, a kind reader emphasized the importance of hardening systems today, in light of this Snort vulnerability, mentioning the great Grsecurity package for Linux, as well as the importance of chroot environments. Also, this reader requesting anonymity points out that the Stack-Smash-Protector (SSP) extensions for gcc from IBM make it harder to exploit buffer overflows, and can be compiled into various executables. It's essentially an update of the venerable StackGuard tool, but more carefully integrated with the compiler itself. As we say in Jersey... "Noice".

Caught this on Donna’s SecurityFlash

Those guys must have hacked somebody off…  ;-)

F-Secure News: F-Secure was under denial of service attack

F-Secure was under denial of service attack

Helsinki, Finland - October 19, 2005

On October 18, F-Secure's external web site www.f-secure.com experienced a denial of service attack. There were no intrusions into F-Secure's systems but the company's servers experienced heavy traffic.

To some extent, the attack also affected other Internet services at the company headquarters. The attack lasted for a few hours but F-Secure was successfully able to control it.

For more information, please contact

Ari Hyppönen, CTO, tel. +358 (0)40 517 4511

F-Secure : News from the Lab

Playstation Portable Trojan...the demo Posted by Dan @ 12:04 GMT

We blogged a story a couple weeks ago about the PSP trojan disguised as firmware for modified PSPs. A good story in its own right, but we wanted to see it in action. So what happens when a group of geeks gets an itch to destroy an expensive toy but nobody in the AVR lab is willing to pony up their own personal PSP? You make a call, get someone to donate a PSP, fire up the video camera & record it for posterity.

The result looks like this: bricking_psp.wmv (14427k file)

bricking_psp (31k image)

F-Secure : News from the Lab

Link-based RXBot seeding

Somebody has lately been seeding emails like the one pictured below.

www.thefive.us

Obviously, they are not from Symantec. And when you click the link, you end up getting redirected to a web page which will initiate an autodownload of a file called "rxBot.exe", which is - you guessed it - a variant of the RXBot family.

A mail like this will pass most corporate email filters. There's no attachment. There's no masked link either, so phishing filters probably won't detect it.

It all goes down to whether the end user can be tricked to click on the link and accept the download or not.

If you're a sysadmin, you might want to block access to www.thefive.us at your firewall right about now (abuse messages have been sent).

...and a trojan called W32om3/1.bbc? Oh come on, give me a break!
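As an added example (not code from either diary entry, from F-Secure, or from this blog), here is the kind of proxy-log check Daniel suggests for parishilton.scr, applied as well to the rxBot.exe / www.thefive.us indicators from the post above. It parses Squid native access.log lines (the sample lines are constructed, not real traffic) and reports which internal clients requested a listed file or host, keeping the HTTP status so that completed downloads can be told apart from requests the proxy denied.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators taken from the posts above; hosts and file names compared case-insensitively.
SUSPECT_FILENAMES = {"parishilton.scr", "rxbot.exe"}
SUSPECT_HOSTS = {"www.thefive.us"}

# Squid native format: time elapsed client code/status bytes method URL ident hierarchy type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

def parse_squid_line(line):
    """Return the fields of one access.log line as a dict, or None if it does not parse."""
    m = SQUID_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Return the indicator a parsed entry matched ('host:...' or 'file:...'), else None."""
    parts = urlsplit(entry["url"])
    host = (parts.hostname or "").lower()
    fname = parts.path.rsplit("/", 1)[-1].lower()
    if host in SUSPECT_HOSTS:
        return "host:" + host
    if fname in SUSPECT_FILENAMES:
        return "file:" + fname
    return None

def find_clickers(lines):
    """Map client IP -> list of (status, url, indicator) for every matching request."""
    hits = defaultdict(list)
    for line in lines:
        entry = parse_squid_line(line)
        if entry is None:
            continue          # unparsable line: skip rather than abort the whole scan
        ind = classify(entry)
        if ind:
            hits[entry["client"]].append((entry["status"], entry["url"], ind))
    return dict(hits)

# Constructed sample log lines (not real traffic); status 403 shows a proxy-denied request.
SAMPLE_LOG = """\
1129881234.567    234 10.1.2.3 TCP_MISS/200 51234 GET http://example.net/files/parishilton.scr - DIRECT/192.0.2.10 application/octet-stream
1129881240.001     12 10.1.2.4 TCP_MISS/200 8812 GET http://www.example.com/index.html - DIRECT/192.0.2.11 text/html
1129881301.442    180 10.1.2.5 TCP_MISS/302 412 GET http://www.thefive.us/ - DIRECT/192.0.2.12 text/html
1129881302.120    455 10.1.2.5 TCP_MISS/200 73402 GET http://www.thefive.us/dl/rxBot.exe - DIRECT/192.0.2.12 application/octet-stream
1129881310.000     30 10.1.2.6 TCP_DENIED/403 1450 GET http://www.thefive.us/dl/rxBot.exe - NONE/- text/html
this is not a squid line
""".splitlines()

if __name__ == "__main__":
    for client, reqs in sorted(find_clickers(SAMPLE_LOG).items()):
        for status, url, ind in reqs:
            print(f"{client} {status} {url} ({ind})")
```

A status of 200 on a listed file means the download completed and that host should be looked at; a 403 from the proxy means the user clicked but the download was blocked.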


Handler's Diary October 20th 2005

Back to Green on the Snort BO Buffer Overflow (NEW)

Published: 2005-10-20,
Last Updated: 2005-10-20 12:47:35 UTC by Ed Skoudis (Version: 1)

We've decided to go back to green on the Snort Back Orifice pre-processor buffer overflow vulnerability. The reason for ratcheting down to green is primarily this: if you haven't shut off the Back Orifice preprocessor by now or come up with another workaround, you probably aren't going to in the near future. This is still a hugely important issue, but our infocon status is designed to reflect changes in the threat level. So, we're back at green, but reserve the right to go to Yellow or higher if a worm starts to spread using this vulnerability. From our internal deliberations, such a worm would be highly problematic. BTW, as Kyle Haugsness pointed out last night in this article, HD Moore has recently released some piece-parts of a sploit for this flaw in Metasploit. We're very close to full exploitation, so shut off that darn preprocessor ASAP. Also, check with your vendors if you suspect your commercial product may have Snort code in it. Several IDS and IPS tools do, so watch out!

In case you haven’t noticed already, I have included a new “Virus Removal Tools” category so you can go right to the latest info on them if you want to.

Enjoy.

I was looking at the CME site today and noticed that they now have a RSS feed for new CME identifiers.

http://cme.mitre.org/data/xml/cme.xml

Symantec has updated their Mytob removal tool to include the following:

  • October 19, 2005: Published version 1.28.0, which supports an additional W32.Mytob.KU@mm variant

To date this cleaner now covers the following:


Handler's Diary October 20th 2005

Snort BO status update (NEW)

Published: 2005-10-20,
Last Updated: 2005-10-20 05:27:33 UTC by Kyle Haugsness (Version: 1)

Here is an update regarding the Snort Back Orifice pre-processor vulnerability...(Kyle Haugsness Oct. 20 05:30 UTC)

When this vulnerability was announced yesterday, I was curious to see how difficult this would be to exploit due to the widespread nature of Snort.  After doing a little research on the encryption method in Back Orifice, I was able to develop working exploit code in 2 hours.  Bad news!!  Of course, we aren't in the business of releasing exploits, so this code is staying private.  Now, it appears that HD Moore is very close to having exploit code working as a plugin to metasploit.  If we haven't said it loudly enough already, PLEASE UPGRADE your Snort sensors or disable the BO pre-processor if running the vulnerable versions of Snort 2.4 series.  I checked the 2.3.2 source tree today and it is not vulnerable.

How about defensive measures?  If you are running Snort and are able to upgrade, then the new version should detect the exploit attempt.  But I am working on two additional defensive tools.  The first is a Snort signature that should catch the exploit attempt.  This should be available real soon now (tm).

The second tool may prove to be much more valuable.  This tool is necessary because of the fact that the exploit can be triggered on any UDP port (except 31337) and that all Back Orifice traffic is encrypted.  I don't want to give away more information at this point, since it will help the exploit writers.  The tool is a standalone program that utilizes libpcap to sniff traffic and decode UDP traffic looking for the exploit.  It will be useful to folks that can't upgrade their Snort daemon to get the new detection it provides, but still want to see if they are being attacked.  Secondly, this will be useful to people running a different IDS system that can't decode the Back Orifice encryption.  Third, it will probably be very useful in identifying a global worm outbreak. 

Since time is of the essence here, I am hoping to have this tool available very shortly.  It will require libpcap and is being developed on Debian Linux.  It will not require Snort to be running.  Since code portability isn't my strong suit, we may be looking for people to test and port the code to FreeBSD, Solaris, etc.  Please drop us an e-mail if you would be willing to help in this area.  The source code is currently about 800 lines.