November 2005 - Posts

Security Advisory Updated Today

* Security Advisory (911302)

  - Title:  Vulnerability in the way Internet Explorer Handles Mismatched Document Object Model Objects Could Allow Remote Code Execution.

  - Reason For Update: Updated the title, clarified affected software, and updated workaround "Set Internet and Local intranet security zone settings to 'High' to prompt before running Active Scripting in these zones".

  - Web site:

Symantec has updated their Mytob removal tool to cover a variant that just came out today.

 November 22, 2005: Published version 1.32.0, which supports removal of W32Mytob.MC@mm.

To date, this tool now covers the following:


You can get a copy of this tool here: Symantec Security Response - W32.Mytob@mm Removal Tool

November 22, 2005 - 17:00 GMT/ 12:00 ET - MessageLabs has intercepted over 2.7-million copies of a new Sober virus, many of which are being spoofed to appear as though they are sent from the FBI or the CIA. The first copy was stopped at 19:00 GMT on 21st November. The size of the attack indicates that this is a major offensive, certainly one of the largest in the last few months.

Email Overview

These emails suggest to recipients that their Internet use has been monitored by the FBI or CIA and that they have accessed illegal Web sites. The email directs users to open the ZIP attachment containing the executable, which once opened delivers the Sober virus payload. It then spreads by searching the infected computer for other email addresses to send copies of itself to, but ignoring any domains for certain security organizations, including MessageLabs.

For full details on this virus and how to spot it, please click here

Ex-Microsoft worker gets four years for software theft - Computerworld

Ex-Microsoft worker gets four years for software theft
He illegally sold software valued at $7.1M

News Story by Jeremy Kirk

NOVEMBER 22, 2005 (IDG NEWS SERVICE) - A former Microsoft Corp. employee was sentenced to four years in prison for illegally selling the company's software, netting him $2.3 million, court documents show.

Finn W. Contini, who worked for the company from September 1999 to February 2002, pleaded guilty in January to one count of conspiracy to commit mail fraud and four counts of money laundering. During the proceedings at the U.S. District Court in Seattle on Friday, he was also ordered to pay $7.1 million in restitution to Microsoft.

Prosecutors said Contini had access to the Microsoft Internal Product Ordering Program, which allowed employees access to an unlimited amount of software and hardware at no cost for internal use. Contini redirected e-mails that would have alerted his supervisors to the order to two accomplices who also worked for Microsoft, according to the court documents.

Three other former Microsoft employees were sentenced earlier this year for their part in the crime. Robert A. Howdeshell, indicted on the same charges as Contini, was sentenced to two years and three months in jail in August and was ordered to pay $3.3 million in restitution.

Alyson Clark and Christine Hendrickson, both charged with mail fraud, received five-month prison terms plus five months of home confinement.

Contini received at least 2,692 pieces of software valued at $7.1 million. As part of the plea agreement, Contini forfeited four properties, a 2003 Toyota Highlander and a 2002 Honda Civic, along with gold and silver coins, bars and nuggets, according to documents.

I wonder who that Chris M. guy is….  ;-)

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

Handler's Diary November 22nd 2005

More Sober Variants (NEW)

Published: 2005-11-22,
Last Updated: 2005-11-22 15:27:02 UTC by Johannes Ullrich (Version: 1)

We continue to receive reports about new Sober variants. Thanks to Chris M. for supplying a very comprehensive list of links (see below). The CME system assigned these variants the ID CME-681.

None of these does anything new or fancy. They all try to trick users into executing the attached ZIP file. The best defense at this point is probably to strip ZIP file attachments.

The subjects and the body text vary widely. Many of them suggest that the attachment was sent by some government authority (FBI, CIA) and request that you open it in order to verify some charges brought against you. A version in German refers to the 'BKA' (German equivalent of the FBI). Other versions claim to be sent by banks and ask you to open an attachment to verify account details.

List of Links:

Symantec (Level 3 risk) W32.Sober.X@mm

McAfee (currently Low risk) W32/Sober@MM!M681

Trend Micro (Medium risk) WORM_SOBER.AG

F-Secure (Radar Level 2) Sober.Y

Sophos (low risk) W32/Sober-{X, Z}

Computer Associates (Medium risk) Win32.Sober.W

Panda Antivirus (Medium risk) Sober.Y

No big surprise here.
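The diary's one concrete recommendation is to strip ZIP attachments at the gateway. The following is an added example (not ISC's or Symantec's code) of the narrower check a mail filter can apply instead: open each ZIP attachment, look for members with executable extensions, and also flag the law-enforcement bait subjects these variants use. The extension list, the bait keywords and the sample message are all constructed for the example; the "attachment" is a tiny ZIP wrapping a text file named like an executable, so it runs offline.

```python
"""Gateway-side check for mail-borne worms of the Sober pattern:
a ZIP attachment wrapping an executable, sent under a law-enforcement
bait subject. Added example; all lists and sample data are constructed."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Member extensions that have no business arriving inside a mailed ZIP (assumed policy list)
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Bait themes seen in the Sober mails described above (constructed keyword list)
BAIT_KEYWORDS = ("fbi", "cia", "bka", "illegal")


def zip_members(data: bytes) -> list:
    """Return the member names of a ZIP blob, or [] if it is not a readable ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def inspect_message(raw: bytes) -> dict:
    """Classify one raw RFC 5322 message; 'reasons' lists why it should be quarantined."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    subject = str(msg["subject"] or "").lower()
    if any(k in subject for k in BAIT_KEYWORDS):
        reasons.append(f"bait subject: {subject!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Check by name and by magic bytes, so a renamed ZIP is still inspected
        if name.endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            members = zip_members(payload)
            bad = [m for m in members
                   if any(m.lower().endswith(e) for e in EXECUTABLE_EXTS)]
            if bad:
                reasons.append(f"zip {name!r} contains executable(s): {bad}")
            elif not members:
                reasons.append(f"attachment {name!r} is not a readable ZIP")
    return {"quarantine": bool(reasons), "reasons": reasons}


def build_sample(subject: str, inner_name: str) -> bytes:
    """Construct a test message carrying a ZIP with one harmless text member (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "harmless placeholder text")
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Open the attached document to review the charges.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(inspect_message(build_sample("You visit illegal websites - FBI", "list.exe")))
    print(inspect_message(build_sample("Meeting notes", "notes.txt")))
```

Checking the ZIP's members rather than dropping every ZIP keeps legitimate archives flowing while still catching the executable-in-a-ZIP lure; password-protected archives fail the member check only if their directory is unreadable, so a site that wants the blanket policy from the diary can simply quarantine on any ZIP part instead.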

Secunia Virus Information has issued a MEDIUM RISK alert for:


Learn More About Sober.X Online At Secunia:

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

Handler's Diary November 22nd 2005

Infocon back to green (NEW)

Published: 2005-11-22,
Last Updated: 2005-11-22 15:33:08 UTC by Johannes Ullrich (Version: 1)

After elevating the Infocon to 'Yellow' 24 hours ago, we now switched back to green as there is no new development regarding the Internet Explorer issue.

There is still no fix, and even on our site, which is mostly frequented by users interested in security, 50% of all visitors are likely vulnerable based on them using Internet Explorer with Javascript enabled.

We do not see any use of the exploit "in the wild", but the proof of concept version could trivially be modified, so the risk persists.

If you use Microsoft Internet Explorer, make sure that you have Javascript turned off. While Windows 2003 is not vulnerable in its default configuration, it may be vulnerable in a more relaxed configuration.

Personal preference: Use Firefox and the "noscript" extension. It will allow you to turn javascript on as needed.

Anti-Virus vendors are now using the CME identifier CME 681 to label this new Sober variant.  Here is a list of descriptions that I have been able to find so far:

Symantec (Level 3 risk) W32.Sober.X@mm

McAfee (currently Low risk) W32/Sober@MM!M681

Trend Micro (Medium risk) WORM_SOBER.AG

F-Secure (Radar Level 2) Sober.Y

Sophos (low risk) W32/Sober-{X, Z}

Computer Associates (Medium risk) Win32.Sober.W

Panda Antivirus (Medium risk) Sober.Y

Blogger’s note: All threat levels are current at this writing; please check your AV vendor for the latest information.

From yesterday’s diary

F-Secure : News from the Lab - November of 2005


Another week, another Sober

Posted by Katrin @ 21:43 GMT

A new Sober variant became widespread today. This variant is similar to Sober.K and some of the latest variants that were found in the middle of November 2005. The new Sober.Y variant is detected with the update published on November 16th - FSAV update version 2005-11-16_03.

Sober has been spammed in various different mails, including fake FBI warning like the one below:


I received this info from a Symantec alert this morning:

Name: W32.Sober.X@mm
Category: 3

Virus Definitions: November 19, 2005

Type: Worm

Due to increased number of submissions, Symantec Security Response has increased W32.Sober.X@mm to a category 3 threat.

Virus Definitions dated 11/19/2005 will detect this threat

This virus is the same as WORM_SOBER.AG that I posted about earlier today.

Looks like it is going to be a long week.

WORM_SOBER.AG - Description and solution


As of November 21, 2005 2:20 pm (Pacific Standard Time, GMT -8:00) TrendLabs has declared a Medium risk alert in order to control this new SOBER variant that is currently spreading in USA, Canada, Brazil, New Zealand, Belgium, and Germany.

To get a one glance comprehensive view of the behavior of this worm, refer to the Behavior Diagram shown below.


We would like to know what you think about the Behavior Diagram, our latest Virus Encyclopedia feature. Please click here to send us your comments, suggestions, or feedback.

Malware Overview

This memory-resident worm propagates by attaching a copy of itself to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Since its email propagation does not require any user intervention, affected users are often unaware that this worm is sending out email messages from their machines.

The email messages it sends out may be written in English or in German. Below is a sample of the email message it sends:

Like other mass-mailers, this worm utilizes social engineering techniques, such as promising users celebrity pictures or alerting them to alleged illicit behavior, in order to entice users into opening the attached worm copy in the email messages it sends. Specifically, some versions of this worm's email spoof the Federal Bureau of Investigation (FBI) or Central Intelligence Agency (CIA), notifying the user that the agency has found evidence of the user supposedly visiting illegal Web sites. Similarly, one of the German email messages spoofs the Bundeskriminalamt, and threatens legal action against the user's alleged downloads of films, software, and MP3 files.

This worm also displays the following fake error message in order to trick a user into thinking that the file did not properly execute:

It also displays the following message boxes:

This worm is also capable of terminating processes that contain certain strings. Moreover, it searches the process list of the affected system for mrt.exe, the Microsoft Windows Malicious Software Removal Tool process. If found, it terminates that process, making the system more vulnerable to malicious attacks.

You can find more details on this virus here.
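The overview above says the worm mails itself with its own SMTP engine, so the infected workstation, not the site's mail relay, starts opening TCP/25 connections to many different mail servers. That is visible at the egress firewall without any signature. The following is an added example (not Trend Micro's code) of that detection run over constructed firewall log lines; the log format, the relay address and the threshold are assumptions for the example.

```python
"""Flag hosts behaving like a mass-mailer with its own SMTP engine:
a workstation that is not a sanctioned relay connecting to many distinct
destinations on TCP/25. Added example; log format and sample lines are constructed."""
import re
from collections import defaultdict

# Hosts permitted to speak SMTP outbound (assumed: the site's real relay)
ALLOWED_RELAYS = {"10.0.0.25"}
# A workstation legitimately talks to one or two relays, never dozens of MX hosts (assumed threshold)
DISTINCT_DST_THRESHOLD = 5

# Constructed key=value firewall format; real firewalls differ, adjust the regex
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample: the relay .25 sending normally, workstation .77 spraying
# TCP/25 to six different servers, workstation .9 using the relay as intended,
# one HTTP line and one malformed line that the parser must skip.
SAMPLE_LOG = """\
2005-11-22T12:00:01Z src=10.0.0.25 dst=198.51.100.1 dport=25 proto=tcp
2005-11-22T12:00:02Z src=10.0.0.25 dst=198.51.100.2 dport=25 proto=tcp
2005-11-22T12:00:03Z src=10.0.0.25 dst=198.51.100.3 dport=25 proto=tcp
2005-11-22T12:00:04Z src=10.0.0.25 dst=198.51.100.4 dport=25 proto=tcp
2005-11-22T12:00:05Z src=10.0.0.25 dst=198.51.100.5 dport=25 proto=tcp
2005-11-22T12:00:06Z src=10.0.0.77 dst=203.0.113.1 dport=25 proto=tcp
2005-11-22T12:00:06Z src=10.0.0.77 dst=203.0.113.2 dport=25 proto=tcp
2005-11-22T12:00:07Z src=10.0.0.77 dst=203.0.113.3 dport=25 proto=tcp
2005-11-22T12:00:07Z src=10.0.0.77 dst=203.0.113.4 dport=25 proto=tcp
2005-11-22T12:00:08Z src=10.0.0.77 dst=203.0.113.5 dport=25 proto=tcp
2005-11-22T12:00:08Z src=10.0.0.77 dst=203.0.113.6 dport=25 proto=tcp
2005-11-22T12:00:08Z src=10.0.0.77 dst=203.0.113.1 dport=25 proto=tcp
2005-11-22T12:00:09Z src=10.0.0.77 dst=203.0.113.9 dport=80 proto=tcp
2005-11-22T12:00:10Z src=10.0.0.9 dst=10.0.0.25 dport=25 proto=tcp
this line is garbage and must be skipped
"""


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_mass_mailers(log_text: str) -> dict:
    """Map each suspect source host to the sorted list of distinct TCP/25 destinations it hit."""
    dsts = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["proto"] != "tcp" or rec["dport"] != "25":
            continue
        dsts[rec["src"]].add(rec["dst"])
    return {src: sorted(d) for src, d in dsts.items()
            if src not in ALLOWED_RELAYS and len(d) >= DISTINCT_DST_THRESHOLD}


if __name__ == "__main__":
    for host, targets in find_mass_mailers(SAMPLE_LOG).items():
        print(f"{host}: direct SMTP to {len(targets)} distinct hosts, e.g. {targets[:3]}")
```

Counting distinct destinations rather than raw connections is what separates a worm from a chatty user, and excluding the sanctioned relay keeps the real mail path out of the alert. The same rule expressed as a firewall policy (block TCP/25 egress from everything except the relay) stops the worm's mailing outright, which is why many sites adopted it after this generation of mass-mailers.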

As Harry Waldron has reported in his blog as well.

The clock is ticking again….

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

Handler's Diary November 22nd 2005

New I.E Exploit Security Advisory Released (NEW)

Published: 2005-11-22,
Last Updated: 2005-11-22 06:43:15 UTC by Kevin Hong (Version: 2)

We raised our Infocon to Yellow due to the new exploit for Internet Explorer.
Microsoft finally released a security advisory regarding this issue.

Based on the advisory, Windows Server 2003 and 2003 SP1 are not affected by this vulnerability. All other versions are vulnerable.
We recommend following Microsoft's security advisory for a temporary workaround.

You can read MS security advisory
Internet Storm Center Infocon Status

Harry Waldron also has more information posted in the MyITforum boards

New Zero Day Internet Explorer Remote Code Execution Exploit

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

Handler's Diary November 21st 2005

* Internet Explorer 0-day exploit (NEW)

Published: 2005-11-21,
Last Updated: 2005-11-21 15:54:56 UTC by Johannes Ullrich (Version: 1)

The UK group "Computer Terrorism" released a proof of concept exploit against patched versions of Internet Explorer. We verified that the code is working on a fully patched Windows XP system with default configuration.

The bug uses a problem in the javascript 'Window()' function, if run from 'onload'. 'onload' is an argument to the HTML <body> tag, and is used to execute javascript as the page loads.

Arbitrary executables may be executed without user interaction. The PoC demo as tested by us will launch the calculator (calc.exe).

Turn off javascript, or use an alternative browser (Opera, Firefox). If you happen to use Firefox: This bug is not affecting Firefox. But others may. For Firefox, the extension 'noscript' can be used to easily allow Javascript for selected sites only.

Open Questions:
We are not sure if parameters can be passed to the executable. If so, the issue would be much more severe.

Please monitor this diary for updates.

Symantec has updated their Sober virus removal tool to cover the following:

November 17, 2005: Version 1.06 released to add support for W32.Sober.V@mm and W32.Sober.W@mm

To date, this tool covers the following viruses:


Note: W32.Sober.gen is a generic detection that detects variants of W32.Sober. If your computer is detected as infected with W32.Sober.gen, download and run the tool. In most cases, the tool will be able to remove the infection.

You can download this tool here: Symantec Security Response - W32.Sober Removal Tool


SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

Handler's Diary November 17th 2005

Major Cogent outage (NEW)

Published: 2005-11-17,
Last Updated: 2005-11-17 16:54:16 UTC by Johannes Ullrich (Version: 1)

Thanks to Bill P. for calling in about a major outage at Cogent.
Looks like it affects all of their major peering points:
keynote internet status

Bill did mention a major fiber cut. The Cogent website is not reachable at
this point. Posts to the NANOG list suggest a cut in DC or NY.

 Cogent Network Status Page (currently not responding).

Brian Krebs (Washington Post) was able to confirm the dual cut with Cogent. See his
blog for details.

More details will be added as they become available.
