November 2005 - Posts

Handler's Diary November 30th 2005

Musings on the Internet Explorer 0-day vulnerability (NEW)

Published: 2005-11-30,
Last Updated: 2005-11-30 17:16:11 UTC by Scott Fendley (Version: 1)

So are any of you like me with regard to the Internet Explorer vulnerability mentioned last week http://isc.sans.org/diary.php?storyid=874? I know that I am watching and waiting to see if Microsoft is going to release an out of cycle patch, or wait for December 13th patch day.  If I were a gambler, I might actually bet on Microsoft releasing it early.

Why do I think this way?  Well.... Glad you asked.

Yesterday, Microsoft updated the advisory located at KB911302 with a couple of tidbits.  First, they made mention of both Proof of Concept and malicious software which appear to be targeting the reported vulnerability.  Second, they also mention the Windows Live Safety Center where end users can scan and remove any malicious software and variants that may be running around now.

Throwing in that Microsoft has on occasion released out-of-cycle patches (June 2004 is a case in point in my mind), then I think it is a safe bet that Microsoft will take appropriate steps to fix the problem as quickly as possible.  In the meantime there are 2 things I can continue to suggest.

1) Be vigilant.  Know that a patch will be forthcoming hopefully within the next 2 weeks and be ready to deploy quickly.

2) If your organization can operate with one of the workarounds Microsoft has mentioned in KB911302, then I recommend mitigating your risk as much as possible.  We all have at least one person who is a little too...uhm...liberal with browsing the Internet on company time.  Think about it, that very person is probably shopping for Christmas* presents right now on less-than-secure sites.  SO....I would suggest doing those workarounds to that computer first.  :-)


* For those that celebrate other holidays in December than Christmas, this statement is not meant to be offensive in any shape or form, or otherwise slight your holiday of choice.
 Handler's Diary November 30th 2005

Sun Java SDK and JRE Updates (NEW)

Published: 2005-11-30,
Last Updated: 2005-11-30 05:28:39 UTC by Scott Fendley (Version: 1)


Sun Microsystems announced Monday some updates to their Java Software Development Kit and Java Runtime Environment to address some security issues. These security vulnerabilities could allow malicious, untrusted code to compromise a user's computer.  Sun recommends that users update to the newest version of  the SDK and JRE available at http://java.sun.com .

For more information about the security issues please take a look at:
http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-102050-1
http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-102003-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102017-1
http://secunia.com/advisories/17748/

Thanks to all of the readers who have notified us of this issue this evening.


Scott Fendley
Handler on Duty

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: November 29, 2005

********************************************************************

Security Advisory Updated Today

==============================================

* Security Advisory (911302)

- Title: Vulnerability in the way Internet Explorer Handles Mismatched Document Object Model Objects Could Allow Remote Code Execution.

- Reason For Update: Added information regarding proof of concept code, malicious software, and reference to Windows Live Safety Center.

- Web site: http://go.microsoft.com/fwlink/?LinkId=56599

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

Handler's Diary November 29th 2005

DoS Exploit for MS05-053 released (NEW)

Published: 2005-11-29,
Last Updated: 2005-11-29 13:46:54 UTC by Pedro Bueno (Version: 1)

Today we received some alerts about exploits for MS05-053 that have been released and can be found on specialized websites.
This exploit claims to cause a DoS condition when viewing a special file on IE.

from the code:
"The crafted metafile from this code when viewed in internet explorer raises the CPU utilization to 100%. The code was tested on Windows 2000 server SP4. The issue does not occur with the hotfix for GDI (MS05-053) installed"

Did I say PATCH yet?
Go on...

---------------------------------------------
Pedro Bueno ( pbueno //&&// isc. sans. org)


Looks like we are up and running again…


Handler's Diary November 27th 2005

MS05-051 POC Exploit

Published: 2005-11-27,
Last Updated: 2005-11-27 23:25:58 UTC by Johannes Ullrich (Version: 1)

A proof of concept (PoC) exploit was released against systems vulnerable to MS05-051. MS05-051 was released in October. The vulnerability does allow for arbitrary code execution in systems with the Microsoft Distributed Transaction Coordinator (MSDTC) enabled.

In order to disable MSDTC, enter the following command:
sc stop MSDTC & sc config MSDTC start= disabled

By default, port 3372 is used by the exploit. The packet sent will cause a denial of service condition. At this point, we see very little activity at port 3372, likely due to the fact that this PoC exploit does not actually execute any "useful" code.

MS05-051 Advisory (read for more workarounds and list of vulnerable systems)

 Bloodhound.Exploit.54 is a heuristic detection for the Microsoft Internet Explorer JavaScript Window() Vulnerability, as described in CAN-2005-1790.

You can read the details here: Symantec Security Response - Bloodhound.Exploit.54

 

Symantec has updated their Lodear removal tool to cover the following:

 November 25, 2005: Updated removal tool to version 1.3.0 to support Trojan.Lodear.D and Trojan.Lodav.B.

To date, this tool covers the following:

You can download this tool here: Symantec Security Response - Trojan.Lodear Removal Tool

 

McAfee has updated their Stinger cleaner tool to cover the latest Sober.X threat (CME-681) as well as other Trojans\viruses

Stinger version 2.5.9 covers the following:

This version of Stinger includes detection for all known variants, as of November 22, 2005:

BackDoor-AQJ BackDoor-ALI BackDoor-CEB
BackDoor-JZ Bat/Mumu.worm Downloader-DN.a
Exploit-DcomRpc Exploit-LSASS Exploit-MS04-011
HideWindow IPCScan IRC/Flood.ap.dr
IRC/Flood.bi.dr IRC/Flood.cd NTServiceLoader
ProcKill PWS-Narod PWS-Sincom.dll
W32/Anig.worm W32/Bagle@MM W32/Blaster.worm (Lovsan)
W32/Bropia.worm W32/Bugbear@MM W32/Deborm.worm.gen
W32/Doomjuice.worm W32/Dumaru W32/Elkern.cav
W32/Fizzer.gen@MM W32/FunLove W32/IRCbot.worm
W32/Klez W32/Korgo.worm W32/Lirva
W32/Lovgate W32/Mimail W32/MoFei.worm
W32/Mumu.b.worm W32/MyDoom W32/Nachi.worm
W32/Netsky W32/Nimda W32/Pate
W32/Polybot W32/Sasser.worm W32/Sdbot.worm.gen
W32/SirCam@MM W32/Sober W32/Sobig
W32/SQLSlammer.worm W32/Swen@MM W32/Yaha@MM
W32/Zafi W32/Zindos.worm W32/Zotob.worm

You can download this tool here: McAfee AVERT Stinger

 



 Handler's Diary November 24th 2005

New Version of MYTOB is causing an escalation of Risk Alert

Published: 2005-11-24,
Last Updated: 2005-11-24 17:59:15 UTC by Deborah Hale (Version: 1)

We just received notification that Trend Micro has raised the Alert for the new MYTOB virus to medium.  Trend Micro has an excellent write up at:

Mytob.MX

The worm appears to be memory resident and spreads by sending a copy of itself as an attachment (account-password.zip) in an email message using its own Simple Mail Transfer Protocol (SMTP) engine. It also installs malware which Trend Micro is calling TROJ_MONURL.D. Trend Micro has removal instructions and more information about the malware at the link above.

Use extreme care when opening your email.  Do not open zip files or other attachments that you are not expecting to receive, or that arrive in suspicious emails.

Thanks to Scooter for notifying us of the Trend Micro Alert elevation.

Harry Waldron posts the following:

  F-Secure and McAfee report several new variants and this list could grow. Batten down the hatches.

F-Secure - 6 new variants
http://www.f-secure.com/v-descs/bagle_eo.shtml
http://www.f-secure.com/v-descs/bagle_ep.shtml
http://www.f-secure.com/v-descs/bagle_eq.shtml
http://www.f-secure.com/v-descs/bagle_er.shtml
http://www.f-secure.com/v-descs/bagle_es.shtml
http://www.f-secure.com/v-descs/bagle_et.shtml

McAfee detection information 
http://vil.nai.com/vil/content/v_137087.htm

Quote: Several new W32/Bagle downloader variants have been widely spammed to users (November 23, 2005). To date, they are detected as W32/Bagle.gen@MM with the 4635 DATs.

These are downloader trojans. However, like previous Bagle variants, it is likely that in the near future, the author(s) will post an accompanying EXE file on a remote server, which SPAMs new versions of Bagle (not to addresses harvested on the local system, but to addresses specified in spam lists also on remote web servers). This trojan was mass-spammed in a ZIP attachment and uses peoples names as the filenames, for example:

* Edmund.zip
* Elizabeth.zip
* Fraunces.zip
* Grace.zip
* Henrie.zip
* Jeames.zip

Thanks to Harry Waldron for catching this; looks like Symantec and Trend Micro have at least one variant as well:

Symantec Security Response - Trojan.Lodear.D

Trend Micro - TROJ_BAGLE.AH

Bagle/Beagle - Several pre-Thanksgiving variants

The Bagle author didn't want to be outdone by the latest Sober variant, so batten down the hatches

F-Secure reports at least 5 new variants
http://www.f-secure.com/weblog/archives/archive-112005.html#00000718


F-Secure - 5 new variants
http://www.f-secure.com/v-descs/bagle_eo.shtml
http://www.f-secure.com/v-descs/bagle_ep.shtml
http://www.f-secure.com/v-descs/bagle_eq.shtml
http://www.f-secure.com/v-descs/bagle_er.shtml
http://www.f-secure.com/v-descs/bagle_es.shtml

McAfee detection information
http://secunia.com/virus_information/23961/bagle.genmm9725/


Symantec has updated their Sober removal tool to cover W32.Sober.X@mm (CME-681)

 November 22, 2005: Version 1.7.1 released to add support for W32.Sober.X@mm.

To date, this tool now covers the following:

 W32.Sober@mm
W32.Sober.B@mm
W32.Sober.C@mm
W32.Sober.D@mm
W32.Sober@mm.enc
W32.Sober.gen
W32.Sober.E@mm
W32.Sober.F@mm
W32.Sober.G@mm
W32.Sober.I@mm
W32.Sober.L@mm
W32.Sober.N@mm
W32.Sober.O@mm
W32.Sober.Q@mm
W32.Sober.V@mm
W32.Sober.W@mm
W32.Sober.X@mm

You can download this tool at the following location: Symantec Security Response - W32.Sober Removal Tool

Symantec has updated their Mytob removal tool to cover a variant that just came out today.

 November 22, 2005: Published version 1.32.0, which supports removal of W32Mytob.MC@mm.

To date, this tool now covers the following:

 

You can get a copy of this tool here: Symantec Security Response - W32.Mytob@mm Removal Tool

Ex-Microsoft worker gets four years for software theft - Computerworld

Ex-Microsoft worker gets four years for software theft
He illegally sold software valued at $7.1M

News Story by Jeremy Kirk

NOVEMBER 22, 2005 (IDG NEWS SERVICE) - A former Microsoft Corp. employee was sentenced to four years in prison for illegally selling the company's software, netting him $2.3 million, court documents show.

Finn W. Contini, who worked for the company from September 1999 to February 2002, pleaded guilty in January to one count of conspiracy to commit mail fraud and four counts of money laundering. During the proceedings at the U.S. District Court in Seattle on Friday, he was also ordered to pay $7.1 million in restitution to Microsoft.

Prosecutors said Contini had access to the Microsoft Internal Product Ordering Program, which allowed employees access to an unlimited amount of software and hardware at no cost for internal use. Contini redirected e-mails that would have alerted his supervisors to the order to two accomplices who also worked for Microsoft, according to the court documents.

Three other former Microsoft employees were sentenced earlier this year for their part in the crime. Robert A. Howdeshell, indicted on the same charges as Contini, was sentenced to two years and three months in jail in August and was ordered to pay $3.3 million in restitution.

Alyson Clark and Christine Hendrickson, both charged with mail fraud, received five-month prison terms plus five months of home confinement.

Contini received at least 2,692 pieces of software valued at $7.1 million. As part of the plea agreement, Contini forfeited four properties, a 2003 Toyota Highlander and a 2002 Honda Civic, along with gold and silver coins, bars and nuggets, according to documents.

Security Advisory Updated Today
==============================================

* Security Advisory (911302)

  - Title:  Vulnerability in the way Internet Explorer Handles Mismatched Document Object Model Objects Could Allow Remote Code Execution.

  - Reason For Update: Updated the title, clarified affected software, and updated workaround "Set Internet and Local intranet security zone settings to 'High' to prompt before running Active Scripting in these zones".

  - Web site: http://go.microsoft.com/fwlink/?LinkId=56599


November 22, 2005 - 17:00 GMT/ 12:00 ET - MessageLabs has intercepted over 2.7-million copies of a new Sober virus, many of which are being spoofed to appear as though they are sent from the FBI or the CIA. The first copy was stopped at 19:00 GMT on 21st November. The size of the attack indicates that this is a major offensive, certainly one of the largest in the last few months.

Email Overview

These emails suggest to recipients that their Internet use has been monitored by the FBI or CIA and that they have accessed illegal Web sites. The email directs users to open the ZIP attachment containing the executable, which once opened delivers the Sober virus payload. It then spreads by searching the infected computer for other email addresses to send copies of itself to, but ignoring any domains for certain security organizations, including MessageLabs.

For full details on this virus and how to spot it, please click here

http://emails.messagelabs.com/go.asp?/bMES001/qKAG522/x0KO15


I wonder who that Chris M. guy is….  ;-)


Handler's Diary November 22nd 2005

More Sober Variants (NEW)

Published: 2005-11-22,
Last Updated: 2005-11-22 15:27:02 UTC by Johannes Ullrich (Version: 1)

We continue to receive reports about new Sober variants. Thanks to Chris M. for supplying a very comprehensive list of links (see below). The CME system assigned these variants the ID CME-681.


None of these does anything new or fancy. They all try to trick users into executing the attached ZIP file. The best defense at this point is probably to strip ZIP file attachments.

The subjects and the body text vary widely. Many of them suggest that the attachment was sent by some government authority (FBI, CIA) and request that you open it in order to verify some charges brought against you. A version in German refers to the 'BKA' (German equivalent of FBI). Other versions claim to be sent by banks and ask you to open an attachment to verify account details.

List of Links:

Symantec (Level 3 risk) W32.Sober.X@mm

http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.x@mm.html

McAfee (currently Low risk) W32/Sober@MM!M681
http://vil.nai.com/vil/content/v_137072.htm

Trend Micro (Medium risk) WORM_SOBER.AG
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EAG

F-Secure (Radar Level 2) Sober.Y
http://www.f-secure.com/v-descs/sober_y.shtml

Sophos (low risk) W32/Sober-{X, Z}
http://www.sophos.com/virusinfo/analyses/w32soberx.html
http://www.sophos.com/virusinfo/analyses/w32soberz.html

Computer Associates (Medium risk) Win32.Sober.W
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=49473

Panda Antivirus (Medium risk) Sober.Y
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=92673&sind=0
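Since the Mytob (account-password.zip), Bagle (Edmund.zip and friends) and Sober lures above all ride in on ZIP attachments, here is an added Python example (written for this page, not ISC's or any vendor's code) of the gateway-side stripping Johannes suggests. It recognises ZIP parts by declared type, by file name and by the PK signature bytes, so a renamed archive is caught too, and replaces each one with a plain-text notice. The sample message is constructed here and is not a real worm mail.

```python
import email
from email import policy
from email.message import EmailMessage

# Every ZIP archive starts with a local file header whose signature is "PK\x03\x04";
# a .zip renamed to .txt or declared as application/octet-stream still carries it.
ZIP_MAGIC = b"PK\x03\x04"
ZIP_CONTENT_TYPES = {"application/zip", "application/x-zip-compressed"}


def looks_like_zip(part: EmailMessage) -> bool:
    """Flag a leaf MIME part by declared type, by file name, or by the bytes themselves."""
    if part.is_multipart():
        return False
    if part.get_content_type() in ZIP_CONTENT_TYPES:
        return True
    if (part.get_filename() or "").lower().endswith(".zip"):
        return True
    payload = part.get_payload(decode=True) or b""
    return payload.startswith(ZIP_MAGIC)


def strip_zip_attachments(raw: bytes) -> tuple[EmailMessage, list[str]]:
    """Replace each ZIP part with a text notice; return the cleaned message and the names removed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in msg.walk():
        if looks_like_zip(part):
            name = part.get_filename() or "(unnamed)"
            removed.append(name)
            # set_content() clears the old Content-* headers (including the attachment
            # disposition) and turns the part into an inline text/plain notice.
            part.set_content(f"[gateway notice] ZIP attachment '{name}' was removed.\n")
    return msg, removed


def build_sample_message() -> bytes:
    """Constructed lure in the style described above (not a real sample): an 'account password'
    mail with a ZIP declared as octet-stream plus a second ZIP hidden under a .txt name."""
    msg = EmailMessage()
    msg["From"] = "admin@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Your account password"
    msg.set_content("Your new password is in the attached archive.")
    fake_zip = ZIP_MAGIC + b"\x00" * 26 + b"not a real archive"
    msg.add_attachment(fake_zip, maintype="application", subtype="octet-stream",
                       filename="account-password.zip")
    msg.add_attachment(fake_zip, maintype="text", subtype="plain", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_zip_attachments(build_sample_message())
    print("removed:", removed)
    print(cleaned.as_string())
```

What this deliberately does not do: it never opens the archive, so password-protected or nested ZIPs are stripped like any other (the point of a blanket policy while a wave is running), and executables wrapped in anything other than ZIP pass untouched.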

No big surprise here.

Secunia Virus Information has issued a MEDIUM RISK alert for:

Sober.X

Learn More About Sober.X Online At Secunia:

http://secunia.com/virus_information/23897/


 Handler's Diary November 22nd 2005

Infocon back to green (NEW)

Published: 2005-11-22,
Last Updated: 2005-11-22 15:33:08 UTC by Johannes Ullrich (Version: 1)

After elevating the Infocon to 'Yellow' 24 hours ago, we have now switched back to green as there is no new development regarding the Internet Explorer issue.

There is still no fix, and even on our site, which is mostly frequented by users interested in security, 50% of all visitors are likely vulnerable based on them using Internet Explorer with Javascript enabled.

We do not see any use of the exploit "in the wild", but the proof of concept version could trivially be modified, so the risk persists.

If you use Microsoft Internet Explorer, make sure that you have Javascript turned off. While Windows 2003 is not vulnerable in its default configuration, it may be vulnerable in a more relaxed configuration.

Personal preference: Use Firefox and the "noscript" extension. It will allow you to turn javascript on as needed.


From yesterday’s diary

F-Secure : News from the Lab - November of 2005

 

Another week, another Sober Posted by Katrin @ 21:43 GMT

A new Sober variant became widespread today. This variant is similar to Sober.K and some of the latest variants that were found in the middle of November 2005. The new Sober.Y variant is detected with the update published on November 16th - FSAV update version 2005-11-16_03.

Sober has been spammed in various different mails, including fake FBI warning like the one below:

[image: fake FBI warning e-mail used by Sober]

I received this info from a Symantec alert this morning:

Name: W32.Sober.X@mm
Category: 3

Virus Definitions: November 19,2005

Type: Worm

Due to increased number of submissions, Symantec Security Response has increased W32.Sober.X@mm to a category 3 threat.

Virus Definitions dated 11/19/2005 will detect this threat

This virus is the same as WORM_SOBER.AG that I posted about earlier today.

Looks like it is going to be a long week.

WORM_SOBER.AG - Description and solution

Description: 

As of November 21, 2005 2:20 pm (Pacific Standard Time, GMT -8:00) TrendLabs has declared a Medium risk alert in order to control this new SOBER variant that is currently spreading in USA, Canada, Brazil, New Zealand, Belgium, and Germany.

[Behavior Diagram omitted]

Malware Overview

This memory-resident worm propagates by attaching a copy of itself to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Since its email propagation does not require any user intervention, affected users are often unaware that this worm is sending out email messages from their machines.

The email messages it sends out may be written in English or in German. Below is a sample of the email message it sends:

 Like other mass-mailers, this worm utilizes social engineering techniques, such as promising users of celebrity pictures or alerting them for alleged illicit behavior, in order to entice users into opening the attached worm copy on the email messages it sends. Specifically, some versions of this worm email spoof the Federal Bureau of Investigation (FBI) or Central Intelligence Agency (CIA), notifying the user that the agency has found evidence of the user supposedly visiting illegal Web sites. Similarly, one of the German email messages spoofs Bundeskriminalamt, and threatens legal action against the user's alleged downloads of films, software, and MP3 files.

This worm also displays the following fake error message in order to trick a user into thinking that the file did not properly execute:

 It also displays the following message boxes:

 This worm is also capable of terminating processes that contain certain strings. Moreover, it searches the process list of the affected system for mrt.exe, the Microsoft Windows Malicious Software Removal Tool process. If found, it terminates the said process thus making the system more vulnerable to malicious attacks.

You can find more details on this virus here.

As Harry Waldron has reported in his blog as well

The clock is ticking again….


Handler's Diary November 22nd 2005

New I.E Exploit Security Advisory Released (NEW)

Published: 2005-11-22,
Last Updated: 2005-11-22 06:43:15 UTC by Kevin Hong (Version: 2)

We raised our Infocon to Yellow due to the new exploit for Internet Explorer.
Microsoft finally released a security advisory regarding this issue.

Based on the advisory, Windows Server 2003 and 2003 SP1 are not affected by this vulnerability. All other versions are vulnerable.
We recommend following Microsoft's security advisory for a temporary workaround.

You can read the MS security advisory here.
 
 
Internet Storm Center Infocon Status

Harry Waldron also has more information posted in the MyITforum boards

New Zero Day Internet Explorer Remote Code Execution Exploit
http://www.frsirt.com/english/advisories/2005/2509
http://www.frsirt.com/exploits/20051121.IEWindow0day.php
http://secunia.com/advisories/15546/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1790


Handler's Diary November 21st 2005

* Internet Explorer 0-day exploit (NEW)

Published: 2005-11-21,
Last Updated: 2005-11-21 15:54:56 UTC by Johannes Ullrich (Version: 1)

The UK group "Computer Terrorism" released a proof of concept exploit against patched versions of Internet Explorer. We verified that the code is working on a fully patched Windows XP system with default configuration.

The bug uses a problem in the javascript 'Window()' function, if run from 'onload'. 'onload' is an argument to the HTML <body> tag, and is used to execute javascript as the page loads.

Impact:
Arbitrary executables may be executed without user interaction. The PoC demo as tested by us will launch the calculator (calc.exe).

Mitigation:
Turn off javascript, or use an alternative browser (Opera, Firefox). If you happen to use Firefox: This bug is not affecting Firefox. But others may. For Firefox, the extension 'noscript' can be used to easily allow Javascript for selected sites only.

Open Questions:
We are not sure if parameters can be passed to the executable. If so, the issue would be much more severe.

Please monitor this diary for updates.
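For anyone who wants to triage proxy or web-cache captures while there is no patch, the following is an added Python heuristic (written for this page; it is not the Computer Terrorism PoC and not a vendor signature) that flags HTML where a window() call sits in an onload handler, or in an inline script that such a handler could reach. The only indicator it uses is the one described in this entry. The sample pages are constructed, the regex is deliberately case-insensitive, and it will not see obfuscated or dynamically built code, so treat hits as leads rather than verdicts.

```python
import re
from html.parser import HTMLParser

# Indicator taken from the diary text: the JavaScript "window()" call reached from onload.
# JavaScript identifiers are case-sensitive; IGNORECASE is a deliberate widening for triage.
WINDOW_CALL = re.compile(r"\bwindow\s*\(", re.IGNORECASE)


class HandlerAndScriptExtractor(HTMLParser):
    """Collect onload="..." attribute values (on any tag) and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.onload_handlers: list[str] = []
        self.scripts: list[str] = []
        self._script_buf: list[str] | None = None

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() == "onload" and value:
                self.onload_handlers.append(value)
        if tag.lower() == "script":
            self._script_buf = []

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._script_buf is not None:
            self.scripts.append("".join(self._script_buf))
            self._script_buf = None

    def handle_data(self, data):
        # HTMLParser hands <script> contents to handle_data as raw text.
        if self._script_buf is not None:
            self._script_buf.append(data)


def find_window_call_from_onload(html: str) -> list[tuple[str, str]]:
    """Return ('onload', handler) and ('script', body) pairs that contain a window() call."""
    p = HandlerAndScriptExtractor()
    p.feed(html)
    p.close()
    hits = [("onload", h.strip()) for h in p.onload_handlers if WINDOW_CALL.search(h)]
    hits += [("script", s.strip()) for s in p.scripts if WINDOW_CALL.search(s)]
    return hits


# Constructed pages (not the released PoC): a direct call from <body onload>, a call routed
# through a function defined in a script, and a benign page that only uses window.open().
SAMPLES = {
    "direct": '<html><body onload="window();"><p>loading...</p></body></html>',
    "indirect": '<html><head><script>function go() { window(); }</script></head>'
                '<body onload="go()"></body></html>',
    "benign": '<html><head><script>function init() { window.open("/help"); }</script></head>'
              '<body onload="init()"></body></html>',
}

if __name__ == "__main__":
    for label, page in SAMPLES.items():
        print(label, find_window_call_from_onload(page))
```

The benign sample shows why the pattern anchors on window followed by an opening parenthesis: ordinary pages call window.open(), window.setTimeout() and the like constantly, and those must not light up.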

Symantec has updated their Sober virus removal tool to cover the following:

November 17, 2005: Version 1.06 released to add support for W32.Sober.V@mm and W32.Sober.W@mm

To date, this tool covers the following viruses:

W32.Sober@mm
W32.Sober.B@mm
W32.Sober.C@mm
W32.Sober.D@mm
W32.Sober@mm.enc
W32.Sober.gen
W32.Sober.E@mm
W32.Sober.F@mm
W32.Sober.G@mm
W32.Sober.I@mm
W32.Sober.L@mm
W32.Sober.N@mm
W32.Sober.O@mm
W32.Sober.Q@mm
W32.Sober.V@mm
W32.Sober.W@mm

Note: W32.Sober.gen is a generic detection that detects variants of W32.Sober. If your computer is detected as infected with W32.Sober.gen, download and run the tool. In most cases, the tool will be able to remove the infection.

You can download this tool here: Symantec Security Response - W32.Sober Removal Tool

 


Handler's Diary November 17th 2005

Major Cogent outage (NEW)

Published: 2005-11-17,
Last Updated: 2005-11-17 16:54:16 UTC by Johannes Ullrich (Version: 1)

Thanks to Bill P. for calling in about a major outage at Cogent.
Looks like it affects all of their major peering points:
keynote internet status

Bill did mention a major fiber cut. The Cogent website is not reachable at
this point. Posts to the NANOG list suggest a cut in DC or NY.

 Cogent Network Status Page (currently not responding).

Brian Krebs (Washington Post) was able to confirm the dual cut with Cogent. See his
blog for details.

More details will be added as they become available.
 
