January 2006 - Posts

Tuesday, January 31, 2006

First reports of Nyxem damage Posted by Mikko @ 16:24 GMT

The destructive deadline of the Nyxem.E worm is based on the clock of the infected machine. So if you're infected and your clock is not set right, things could start to happen at any time - even though the official activation time is the 3rd of the month. We've already received first reports from users who've had files on their system overwritten by the worm.


When Nyxem activates, it will overwrite all of your DOC/XLS/PPT/ZIP/RAR/PDF/MDB files. This is nasty, as this is done on all mounted drives, i.e. any drive that has a drive letter. So it might affect your USB thumb drives, external hard drives and network drives! Also, if you're taking daily automatic backups you might end up backing up the corrupted files over good files.

The number of machines that have been hit by this worm is over 300,000. Many of those have been disinfected already, though. But thousands of computers will get their files overwritten on February 3rd - most of them in India, Turkey and Peru.

This worm family has been around since March 2004. The worm is named "Nyxem" because the original Nyxem.A variant launched a DDoS attack against the New York Mercantile Exchange website (www.nymex.com). We don't know why.

We have a free tool available to help disinfect machines before the deadline passes.

F-Secure : News from the Lab - January of 2006.

Thanks to Ron adding some more skins, my blog has a new look.  Let me know what you think!

For even more comprehensive information on this virus go here: http://www.isc.sans.org/blackworm

Microsoft Security Advisory (904420)

Win32/Mywife.E@mm

Published: January 30, 2006

Microsoft wants to make customers aware of the Mywife mass mailing malware variant named Win32/Mywife.E@mm. The mass mailing malware tries to entice users through social engineering efforts into opening an attached file in an e-mail message. If the recipient opens the file, the malware sends itself to all the contacts that are contained in the system’s address book. The malware may also spread over writeable network shares on systems that have blank administrator passwords.

Customers who are using the most recent and updated antivirus software could be at a reduced risk of infection from the Win32/Mywife.E@mm malware. Customers should verify this with their antivirus vendor. Antivirus vendors have assigned different names to this malware but the Common Malware Enumeration (CME) group has assigned it ID CME-24.

On systems that are infected by Win32/Mywife.E@mm, the malware is intended to permanently corrupt a number of common document format files on the third day of every month. February 3, 2006 is the first time this malware is expected to permanently corrupt the content of specific document format files. The malware also modifies or deletes files and registry keys associated with certain computer security-related applications. This prevents these applications from running when Windows starts. For more information, see the Microsoft Virus Encyclopedia.

As with all currently known variants of the Mywife malware, this variant does not make use of a security vulnerability, but is dependent on the user opening an infected file attachment. The malware also attempts to scan the network looking for systems it can connect to and infect. It does this in the context of the user. If it fails to connect to one of these systems, it tries again by logging on with "Administrator" as the user name together with a blank password.

Read the rest of this advisory here: Microsoft Security Advisory (904420): Win32/Mywife.E@mm.

BlackWorm Summary

Published: 2006-01-26,
Last Updated: 2006-01-27 02:01:42 UTC by Johannes Ullrich (Version: 3)

About BlackWorm

Over the last week, "Blackworm" infected about 300,000 systems based on analysis of logs from the counter web site used by the worm to track itself. This worm is different and more serious than other worms for a number of reasons. In particular, it will overwrite a user's files on February 3rd.

At this point, the worm will be detected by up to date anti virus signatures. In order to protect yourself from data loss on February 3rd, you should use current (Jan 23rd or later) anti virus signatures.  Note, however, that the malware attempts to disable/remove any anti-virus software on the system (and does this every hour while the system is up), so if the machine was infected before signatures were deployed, obviously, that anti-virus software can't be expected to clean up the infection for you.

The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message ('DATA Error [47 0F 94 93 F4 K5]').

We will try to post more detailed cleanup instructions later. However, it is likely that you will have to rebuild the system from scratch. Obtaining good backups is critical as a first step.

The first thing you should do is to update your anti virus signatures.

This page will be updated as new information becomes available. Please see the end of the page for references to other sites. Use only this url to link to this page: http://isc.sans.org/blackworm

Naming

As usual, this worm/virus has collected a number of names from various vendors. It is so far known as: Blackmal, Nyxem, MyWife, Tearec among other names. Update: we have been informed that the CME number will be 'CME-24'. cme.mitre.org should shortly list this number.

How would I get infected?

The worm spreads via e-mail attachments or file shares. Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new "zip file" icon on your desktop.

What will BlackWorm do to my system?

It will disable most anti virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will add itself to the list of auto-start programs in your registry.

Removal

Anti virus vendors offer removal tools. Microsoft provides detailed instructions for manual removal. However, there are two important reasons to rebuild "from scratch":
  1. BlackWorm uses the same tricks to install itself as other viruses/worms. It may not be the only one on your system. Antivirus will not detect all viruses, and the removal tool will only remove this specific worm.
  2. BlackWorm will allow remote access to your system, and additional malware may have been installed via this backdoor.

To read the rest of this post, go here: SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
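An added example (my own, not from the ISC diary) of the triage step the summary above implies: walk a directory tree and separate documents that now carry the 'DATA Error [47 0F 94 93 F4 K5]' marker from intact ones, before a nightly backup copies the damaged files over good copies. The file magics and the sample tree are assumptions built into the code.

```python
"""Constructed example (not from the ISC diary): triage a directory tree for
documents BlackWorm has overwritten. An overwritten file holds only the text
'DATA Error [47 0F 94 93 F4 K5]', so a file beginning with that marker, or
whose leading bytes no longer match its extension, is flagged for restore."""
import os
import tempfile
from pathlib import Path

MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# Extensions the diary lists as targets of the payload.
TARGET_EXT = {".doc", ".xls", ".mde", ".mdb", ".ppt", ".pps",
              ".rar", ".pdf", ".psd", ".dmp", ".zip"}

# Leading bytes normally found in these formats (assumed standard magics;
# legacy Office files are OLE compound documents). Extensions without an
# entry are only checked for the marker.
OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAGIC = {
    ".doc": (OLE,), ".xls": (OLE,), ".ppt": (OLE,), ".pps": (OLE,),
    ".pdf": (b"%PDF",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".rar": (b"Rar!",),
    ".psd": (b"8BPS",),
}


def classify_file(path) -> str:
    """'overwritten' if the payload marker is present, 'suspect' if the magic
    bytes do not match the extension, 'ok' otherwise, and 'ignored' for
    extensions the worm does not touch."""
    path = Path(path)
    ext = path.suffix.lower()
    if ext not in TARGET_EXT:
        return "ignored"
    with open(path, "rb") as fh:
        head = fh.read(64)
    if head.startswith(MARKER):
        return "overwritten"
    expected = MAGIC.get(ext)
    if expected and not any(head.startswith(m) for m in expected):
        return "suspect"  # e.g. RTF or plain text saved as .doc; verify by hand
    return "ok"


def triage(root) -> dict:
    """Walk root and group file names (relative to root) by verdict."""
    root = Path(root)
    results = {"overwritten": [], "suspect": [], "ok": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            verdict = classify_file(full)
            if verdict != "ignored":
                results[verdict].append(str(full.relative_to(root)))
    for names in results.values():
        names.sort()
    return results


def demo() -> dict:
    """Build a constructed sample tree in a temp directory and triage it."""
    root = Path(tempfile.mkdtemp(prefix="blackworm_triage_"))
    (root / "report.doc").write_bytes(OLE + b"\x00" * 56)       # intact
    (root / "budget.xls").write_bytes(MARKER)                    # overwritten by the payload
    (root / "archive.zip").write_bytes(b"not a zip archive")     # wrong magic
    (root / "readme.txt").write_bytes(b"untouched text file")    # not a targeted type
    (root / "backups").mkdir()
    (root / "backups" / "manual.pdf").write_bytes(b"%PDF-1.4\n%...")
    return triage(root)


if __name__ == "__main__":
    for verdict, names in demo().items():
        print(verdict, names)
```

Run it against a restored backup set before the 3rd of the month; anything in "overwritten" must be restored from an older copy, and "suspect" entries deserve a manual look.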

Blackworm Notifications (NEW)
Published: 2006-01-25,
Last Updated: 2006-01-26 17:56:37 UTC by Johannes Ullrich (Version: 1)

Blackworm infected machines reported to a 'counter' site the fact that they got infected. The TISF BlackWorm task force obtained the logs from this counter, and is notifying networks represented in the logs. These notifications will use a from address of "handlers@sans.org" or "Randy_Vaughn@Baylor.edu". Please e-mail jullrich\at/sans.org if you would like to obtain a list for your network, and have not received an automated e-mail.

Please include information to support that your e-mail address is associated with administering the respective networks, or a phone number to validate the information.

Update: We are getting A LOT of requests. Please do not forget to include the IP space you are interested in. Quite a number of people responded that these logs helped them identify infected systems and it likely prevented major data loss to these organizations. BIG THANKS to RCN for providing the counter logs in a timely manner. We could not provide this service without their help.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.


BlackWorm Summary (NEW)

Published: 2006-01-24,
Last Updated: 2006-01-24 17:04:18 UTC by Johannes Ullrich (Version: 1)

About BlackWorm

Over the last week, "Blackworm" infected more than 700,000 systems as measured using a counter web site used by the worm to track itself. This worm is different and more serious than other worms for a number of reasons. In particular, it will delete a user's files on February 3rd.

At this point, the worm will be detected by up to date anti virus signatures. In order to protect yourself from data loss on February 3rd, you should use current (Jan 23rd or later) anti virus signatures.

We will try to post more detailed cleanup instructions later. However, it is likely that you will have to rebuild the system from scratch. Obtaining good backups is critical as a first step.

The first thing you should do is to update your anti virus signatures.

This page will be updated as new information becomes available. Please see the end of the page for references to other sites.

Naming

As usual, this worm/virus has collected a number of names from various vendors. It is so far known as: Blackmal, Nyxem, MyWife, Tearec among other names. At this time, a CME ID number is not yet available.

Snort Signatures

Joe Stewart (Lurhq.com) provided the following snort signatures based on his analysis of the worm:

This sig alerts if someone visits any counter at webstats.web.rcn.net without a Referer: header in their request. Could be an infected user, could be one of us checking out the counter stats:

alert tcp any any -> any 80 \
    (msg:"webstats.web.rcn.net count.cgi request without referrer (possible BlackWorm infection)"; \
    content:"GET /cgi-bin/Count.cgi|3f|"; depth:23; content:"df|3d|"; \
    content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|"; \
    classtype:misc-activity; sid:1000376; rev:1;)

This sig alerts on the specific pattern BlackWorm uses to test connectivity to www.microsoft.com. It's unique in that the request doesn't have a User-agent: header. So this will catch BlackWorm and possibly other automated requests to microsoft (which could happen if someone codes a sloppy app that uses the exact same pattern - but they should probably be flogged anyway)

alert tcp any any -> any 80 \
    (msg:"Agentless HTTP request to www.microsoft.com (possible BlackWorm infection)"; dsize:92; \
    content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|Connection|3a20|Keep-Alive|0d0a|Cache-Control|3a20|no-cache|0d0a0d0a|"; \
    classtype:misc-activity; sid:1000377; rev:1;)



Credits

We would like to thank the members of the BlackWorm task force for analysis and coordination. This task force involves many in the security (anti spam, CERTs, anti virus, academia, ISP's, etc.) community and industry, working together to combat threats to the security of the Internet in cooperation with law enforcement globally.

Links


http://blogs.securityteam.com
Symantec
Trend Micro
Note: some of these links will offer removal tools. We have not tested any of these tools thoroughly enough to recommend them. They should be used as a "first try" tool, but do not substitute for a full analysis and possible rebuild of the infected system. BlackWorm includes the ability to install additional components. These additional components, if installed, will likely be missed. In addition, a virus like BlackWorm is likely an indication of a more fundamental problem in your security posture and multiple infections are likely.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
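An added example, not from the ISC diary or LURHQ: the logic of the two Snort signatures in the summary above, written as plain Python checks over raw HTTP request bytes so the same two indicators can be applied to a proxy capture where no sensor runs. The sample requests are constructed.

```python
"""Constructed example: the two BlackWorm HTTP indicators from the Snort
signatures above (sid 1000376 and 1000377), re-implemented as checks over
raw HTTP request bytes, e.g. from a proxy capture. Not from the ISC diary."""

COUNTER_HOST = b"webstats.web.rcn.net"

# The exact 92-byte agentless probe that sid 1000377 matches with dsize:92.
MS_PROBE = (b"GET / HTTP/1.1\r\n"
            b"Host: www.microsoft.com\r\n"
            b"Connection: Keep-Alive\r\n"
            b"Cache-Control: no-cache\r\n"
            b"\r\n")


def parse_request(raw: bytes):
    """Split a raw request into (request line, {lower-cased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_counter_hit(raw: bytes) -> bool:
    """sid 1000376: GET /cgi-bin/Count.cgi?...df=... to the counter host with
    no Referer header. A browser reaching the counter through a page sends a
    Referer; the worm's direct request does not. (The rule matches df= anywhere
    in the packet; here it is checked in the request line.)"""
    reqline, headers = parse_request(raw)
    return (reqline.startswith(b"GET /cgi-bin/Count.cgi?")  # depth:23 in the rule
            and b"df=" in reqline
            and headers.get(b"host") == COUNTER_HOST
            and b"referer" not in headers)


def is_agentless_ms_probe(raw: bytes) -> bool:
    """sid 1000377: the worm's connectivity check, identified by the exact
    92-byte request carrying no User-Agent header."""
    return len(raw) == 92 and raw == MS_PROBE


def classify(raw: bytes) -> str:
    if is_counter_hit(raw):
        return "blackworm-counter"
    if is_agentless_ms_probe(raw):
        return "blackworm-ms-probe"
    return "clean"


# Constructed sample requests (not captured traffic). The df value is the
# one the diary below quotes for the worm's counter.
SAMPLES = {
    "worm_counter": (b"GET /cgi-bin/Count.cgi?df=765247 HTTP/1.1\r\n"
                     b"Host: webstats.web.rcn.net\r\n\r\n"),
    "browser_counter": (b"GET /cgi-bin/Count.cgi?df=765247 HTTP/1.1\r\n"
                        b"Host: webstats.web.rcn.net\r\n"
                        b"Referer: http://example.invalid/page.html\r\n"
                        b"User-Agent: Mozilla/5.0\r\n\r\n"),
    "worm_probe": MS_PROBE,
    "browser_probe": (b"GET / HTTP/1.1\r\nHost: www.microsoft.com\r\n"
                      b"User-Agent: Mozilla/5.0\r\n\r\n"),
}


def classify_samples() -> dict:
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:16s} {verdict}")
```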


More on Nyxem

Published: 2006-01-23,
Last Updated: 2006-01-23 22:13:35 UTC by Bojan Zdrnja (Version: 1)

Although Nyxem is comparatively less widespread than worms like Sober or Netsky, it's still doing a fair number of rounds.

The graph below is from one of the e-mail gateways with a decent number of e-mails processed daily (around 500.000+). You can see that Nyxem.E is the top malware instance detected in the last 24 hours, with more than double the occurrences of the next highest occurring worm (Netsky).




This is not strange as the Web counter that the worm visits upon infecting the machine currently shows around 630,000 infections (we can't be sure that this number is correct). Bert Rapp e-mailed us asking about the URL that the worm visits. This can help you in determining if a machine is infected, as it will visit the URL with the counter.

The counter is at:

h tt p:// webstats.web.rcn.net/ [REMOVED] / Count.cgi?df=765247

You can search your web logs for this host name (which looks like a legitimate site).

Other than that, Fortinet released their in-depth analysis of the Nyxem worm with some pretty interesting details (you can find the original analysis here).
The most interesting part, which I haven't seen in other analyses of the worm, says:

"Additional Registry Changes
  • The virus is coded to register the dropped ActiveX control through changes to the system registry. By creating the following registry entries, the control is considered "safe" and digitally signed."
The threat of worms like this will make them much more dangerous in the future. If a worm puts a fake CA certificate on an infected machine, MITM attacks become extremely easy. Of course, we all know that once the machine is infected you can't trust it, but this looks like another (big) problem for the average user out there.
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

What's the threat? And who is noticing it? Nyxem_e versus CME 508

Published: 2006-01-22,
Last Updated: 2006-01-22 20:00:45 UTC by Patrick Nolan (Version: 4)

CME 508 does not threaten like Nyxem_e. On February 3rd, and on the third day of each month thereafter, Nyxem.E will destroy users' work (see F-Secure's blog) when the worm activates and replaces "the content of user's files with a text string 'DATA Error [47 0F 94 93 F4 K5]'. Among these files are: DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP" "on all available drives", and yes, available = shared drives.

fwiw, I look at published email malware statistics daily; both Nyxem_e and CME 508 are approximately the same in volume reports, and nowhere near what Sober was last year as far as raw numbers go. But Nyxem.E has legs, it's more like a centipede than a worm, and it's not likely to drop off the radar soon, certainly not before the 3rd of February.

The Handlers diary previously referenced Nyxem.E in More on Blackmal/Grew/Nyxem (file deletion payload).
Source info - see the F-Secure Virus Information Pages: Nyxem.E

The vendors below do not mention the destruction of user work, as of the checking I just did, ymmv.
Also Known As:

WORM_GREW.{A,B} [Trend Micro]: "It gathers email addresses from files with the following extension names: DMP, DOC, MDB, MDE, PDF, PPS, PPT, PSD, RAR, XLS, ZIP".
W32.Blackmal.E@mm [Symantec]
W32/Nyxem-D [Sophos]
W32/MyWife.d@MM [McAfee]
W32/Grew.A!wm [Fortinet]
W32/Small.KI@mm [Norman]
Win32/Blackmal.F [Computer Associates]
Tearec.A [Panda]


UPDATE
The CME reference is difficult but not impossible to follow. I'm reading CME links which show "Latest CME Identifiers CME-508"; however, that last 508 link has English that says the newest CME-ID is "CME-503 - Date Assigned 2006-01-20". In any event, I base my comment that "CME-508" is not a threat on my interpretation of vendor malware write-ups mentioning CME 503 as the "new" threat called CME-508 at cme.mitre.org. The vendors are listing 503; none are using 508.
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

If you grew up in Missouri like I did, some of this just might hit home.  :-)

Growing up in Missouri

1. You've never met any celebrities.

2. Everyone you know has been on a "Float Trip,"

3. "Vacation" means driving to Silver Dollar City, Worlds of Fun or Six Flags.

4. You've seen all the biggest bands ten years AFTER they were popular.

5. You measure distance in minutes rather than miles. For example, "Well, Webb City's only 20 minutes away."

6. Down south to you means Arkansas.

7. The phrase "I'm going to the Lake this weekend" only means one thing.

8. You know several people who have hit a deer.

9. You think Missouri is spelled with an "ah" at the end.

10. Your school classes were canceled because of cold.

11. You know what "Party Cove" is.

12. Your school classes were canceled because of heat.

13. You instinctively ask someone you've just met, "What High School did you go to?"

14. You've had to switch from "heat" to "A/C" in the same day.

15. You think ethanol makes your truck "run a lot better."

16. You know what's knee-high by the Fourth of July.

17. You see people wear bib overalls at funerals.

18. You see a car running in the parking lot at the store with no one in it, no matter what time of day.

19. You know in your heart that Mizzou can beat Nebraska in football.

20. You end your sentences with an unnecessary preposition. Example: "Where's my coat at?"

21. All the festivals across the state are named after a fruit, vegetable, or grain.

22. You install security lights on your house and garage and leave both unlocked.

23. You think of the major four food groups as beef, pork, beer, and Jell-O salad with marshmallows.

24. You carry jumper cables in your car and know that everyone else should.

25. You went to skating parties as a kid.

26. You only own three spices: salt, pepper, and ketchup.

27. You design your kid's Halloween costume to fit over a snowsuit.

28. You think sexy lingerie is tube socks and a flannel nightie.

29. The local paper covers national and international headlines on one page, but requires six pages for sports.

30. You think I-44 is spelled and pronounced "farty-far." (St. Louis only.)

31. You'll pay for your kids to go to college unless they want to go to KU.

32. You think that "deer season" is a National Holiday.

33. You know that Concordia is halfway between Kansas City and Columbia, and Columbia is halfway between St. Louis and Kansas City, and the Warrenton Outlet Mall is halfway between Columbia and St. Louis.

34. You can't think of anything better than sitting on the porch in the middle of the summer during a thunderstorm.

35. You know which leaves make good toilet paper.

36. You've said, "it's not the heat, it's the humidity."

37. You know all four seasons: Almost Summer, Summer, Still Summer and Football.

38. You know if another Missourian is from the Boot-heel, Ozarks, Eastern, Middle or Western Missouri as soon as they open their mouth.

39. You know that Harry S Truman, Walt Disney and Mark Twain are all from Missouri.

40. You failed World Geography in school because you thought Cuba, Versailles, California, Nevada, Houston, Cabool, Louisiana, Springfield, and Mexico were cities in Missouri. (And they are!)

41. You think a traffic jam is ten cars waiting to pass a tractor.

42. You know what "HOME OF THE THROWED ROLL" means.

43. You actually get this and forward it to all your Missouri friends.

More on Blackmal/Grew/Nyxem (file deletion payload) (NEW)

Published: 2006-01-20,
Last Updated: 2006-01-20 17:40:06 UTC by Jim Clausing (Version: 1)

Following up on Bojan's story from Wednesday, F-Secure posted a bulletin today with their analysis of the current variant.  The interesting (or is it scary?) part of this analysis is the revelation that on the 3rd of the month it will attempt to delete a lot of documents off the user's disks, including Office documents (*.doc, *.xls, *.ppt, *.pps), PDF files, .zip and .rar archives among others.  They also report that based on a counter on a web page that the worm updates, there are in excess of 400,000 machines infected at this time.

-----------------
Jim Clausing, jclausing /at/ isc.sans.org
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

F-Secure Security Bulletin
Published: 2006-01-19,
Last Updated: 2006-01-19 21:18:40 UTC by Deborah Hale (Version: 1)

F-Secure has issued a critical security bulletin regarding a Code Execution vulnerability that affects all F-Secure products. The bulletin states that if you have the 2004 to 2006 versions with the Automatic Delivery System, you will be patched automatically.

For older versions or systems that are not automatically updated - the patches are available at:
http://www.f-secure.com/security/fsc-2006-1.shtml

http://secunia.com/advisories/18529/

Good work Thierry for discovery of this vulnerability. 

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Symbian operating system - Nokia series 60 mobile phones - 3 new Trojans
Published: 2006-01-19,
Last Updated: 2006-01-19 20:53:20 UTC by Deborah Hale (Version: 1)

For those of you with the Nokia Series 60 phones I have some bad news.  Symantec today has posted 3 new trojans identified that impact your operating system. 

SymbOS.Sendtool.A -  The Trojan horse drops a hacktool that can be used to send malicious programs, such as variants of the SymbOS.PBStealer family of Trojans, to other mobile devices via Bluetooth.

SymbOS.Pbstealer.D - The Trojan sends the user's contact information database, Notepad, and Calendar To Do list to other Bluetooth-enabled devices.

SymbOS.Bootton.E - A Trojan horse that restarts the mobile device when executed. However, as it also drops corrupted components, the device is unable to restart.

While looking at this information, I discovered that this particular phone OS has been hit several times in the last 2 years by trojan-like programs. I can't find anything on the Nokia site that indicates that a patch is available. I wonder if it isn't time for Nokia to take a serious look at fixing the problem? Especially since one of these new ones allows someone with another Bluetooth device to steal the user's information.

What about it Nokia?  For those of you that own these devices, what are you doing to protect your phone?
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Port 13701 spikes (NEW)

Published: 2006-01-18,
Last Updated: 2006-01-18 21:19:38 UTC by Swa Frantzen (Version: 1)

Immediately after the FrSIRT public release of the exploit against Veritas NetBackup scanning for TCP/13701 started to increase dramatically.



Date        Sources  Targets  Records
2006-01-18      156    47350    96176
2006-01-17      319    64840   202750
2006-01-16      173    19805    56116
2006-01-15        8       18       39
2006-01-14        4        3       10
2006-01-13        7        7       24
For a more detailed view:

http://isc.sans.org/specialport.php?port=13701

We also provide per autonomous system reports for those managing an AS:
http://isc.sans.org/specialport.php?port=13701&as=[ASN]


SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Worldnic outage (NEW)

Published: 2006-01-18,
Last Updated: 2006-01-18 19:20:33 UTC by Swa Frantzen (Version: 1)

We got reports that worldnic DNS servers were not responding and in our preliminary search we found that all the ns?.worldnic.com DNS servers were indeed not responding to requests.

For a while we had trouble reaching the network solutions website (redirection loop), next their website spoke of "a widespread outage" without more detailed information. Now it says "At 10:45 a.m. this morning, we experienced a hardware problem that impeded traffic to our hosting and e-mail servers.  We experienced technical difficulties with an auto recovery system.  At 11:50 a.m. the system was restored. " which would seem to indicate the problems are over.
To the more technical reader it might be clear that the problem that was reported had nothing to do with their email nor their web hosting servers, but with their DNS servers. Or perhaps these servers had issues as well, but that hardly matters to the average user when DNS isn't working as it should.

Also remember this diary about a very similar incident.

--
Swa Frantzen
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

There are bullies even in cyberspace. It is sad, really.

DDoS and the Million Dollar homepage

Posted by Mikko @ 18:09 GMT

The Million Dollar homepage gained lots of publicity during new year for making Alex Tew, the 21-year-old student behind it, a millionaire - by selling pixels! Unfortunately it also gained the attention of a botnet gang, who have launched several DDoS attacks as well as defaced the site at least once.

According to The Times, the attackers (calling themselves the "The Dark Group") sent an extortion e-mail to Mr. Tew on January 7th, demanding $5000. When the ransom was not paid, the site was attacked, as documented on Netcraft.

A week later, Tew received another mail from the attackers, asking for $50000. And this morning, after the ransom was not paid, the whole site was defaced with a note saying "don't come back you sly dog!".

This is an interesting case, as the target is quite unusual. Instead of the usual targets (online shops, credit card merchants, gambling sites), this time the attackers are targeting a private person because they know he has the money.

Alex Tew comments on the developments in his own blog.

F-Secure : News from the Lab - January of 2006.

Cisco sgbp DoS (NEW)

Published: 2006-01-18,
Last Updated: 2006-01-18 17:39:18 UTC by Swa Frantzen (Version: 1)

Cisco published a report about a DoS condition on some of their routers.

It is situated in the Stack Group Bidding Protocol (sgbp), which is used to enable bandwidth on demand using Multilink PPP (MLP).

Full details at cisco

To summarize:

  • Not vulnerable if the router does not support sgbp or if it is not configured (so #show sgbp should give no output or a syntax error message).
  • Workarounds are listed with ACLs to protect UDP/9900 on the affected routers.
  • Upgrade to fix it
  • Traffic to UDP/9900 might now be DoS attempts.
--
Swa Frantzen

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.


Worldnic ? (NEW)

Published: 2006-01-18,
Last Updated: 2006-01-18 16:43:39 UTC by Swa Frantzen (Version: 1)

We got reports that worldnic was not responding and in our preliminary search we found that all the ns?.worldnic.com DNS servers are indeed not responding to requests at this moment.

Similarly we have trouble reaching the network solutions website (redirection loop).

Observations are welcome. We'll post updates here as we know of them.

--
Swa Frantzen

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

I have been watching this one since yesterday with the bunch on the AntiVirus list.  Hopefully the information out there will be clearer now that the AV companies have had time to analyze the virus.

Symantec now has a cleaner for this virus, which can be found here: http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal@mm.removal.tool.html

McAfee and F-Secure also have descriptions for this virus, with completely different names.

McAfee: W32/MyWife.d@MM

F-Secure: Email-Worm.Win32.VB.bi

Trend Micro is also tracking a WORM_NYXEM.E, that may be another variant of this worm, but no details are available of this writing.

Published: 2006-01-18,
Last Updated: 2006-01-18 03:15:12 UTC by Bojan Zdrnja (Version: 1)

We got several submissions of new mass mailer worm spreading around. Besides the usual stuff that worms do these days (disable AV programs, scan the local system to find new e-mail addresses) this one is a bit more interesting as the attachment can be either an executable file or a MIME file that contains an executable file.

The sample we received had an attachment named Attachments00.HQX, which is actually just a uuencoded file:

begin 664 Attachments,zip                                      .SCR
M35J0``,````$````__\``+@`````````0```````````````````````````
M````````````````````H`````X?N@X`M`G-(;@!3,TA5&AI

You can also see a typical "insert a lot of spaces before the real extension" trick.

Detection of the worm is decent with various AV programs and they remain inconsistent for naming as always (Symantec calls this worm W32.Blackmal.E@mm, Trend Micro calls it WORM_GREW.A, while Sophos calls it W32/Nyxem-D - go figure!).
Seems like we'll have to wait more for CME.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
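An added example (not from the ISC diary) that takes apart an attachment shaped like the Attachments00.HQX sample above: it reads the name from the uuencode 'begin' line, exposes the run of spaces that hides the real .SCR extension, and decodes the first body line to confirm an MZ executable header. The sample attachment is constructed, not the diary's.

```python
"""Constructed example (not from the ISC diary): inspect a uuencoded mail
attachment like the Attachments00.HQX sample above. It reads the name from
the 'begin' line, flags the spaces-before-the-real-extension trick, and
decodes the first body line to check for an MZ executable header."""
import binascii
import os
import re

EXECUTABLE_EXT = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}


def parse_begin(line: str):
    """Return (mode, name) from 'begin 664 name', or None if it is not a
    begin line. Everything after the mode is the name, spaces included."""
    m = re.match(r"^begin\s+([0-7]{3,4})\s(.*)$", line.rstrip("\r\n"))
    return (m.group(1), m.group(2)) if m else None


def analyze_name(name: str) -> dict:
    """What the recipient sees versus what Windows will actually run."""
    displayed = re.split(r"\s{2,}", name)[0]          # text before the padding
    real_ext = os.path.splitext(name.rstrip())[1].lower()
    return {
        "displayed": displayed,
        "real_ext": real_ext,
        "padded": re.search(r"\s{2,}", name) is not None,
        "executable": real_ext in EXECUTABLE_EXT,
    }


def first_chunk(lines) -> bytes:
    """Decode the first uuencoded body line (at most 45 bytes of payload)."""
    for line in lines[1:]:
        if line.strip() and not line.startswith("end"):
            return binascii.a2b_uu(line)
    return b""


def inspect_uu(text: str) -> dict:
    """Summarise a uuencoded attachment: name analysis, mode and MZ check."""
    lines = text.splitlines()
    parsed = parse_begin(lines[0])
    if parsed is None:
        raise ValueError("not a uuencoded attachment")
    mode, name = parsed
    report = analyze_name(name)
    report["mode"] = mode
    report["mz_header"] = first_chunk(lines)[:2] == b"MZ"
    return report


def constructed_sample() -> str:
    """A constructed attachment in the shape of the diary's sample: the name
    'Attachments,zip' padded with spaces before '.SCR', wrapping a DOS stub."""
    stub = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    stub += b"\xb8" + b"\x00" * (45 - len(stub) - 1)   # exactly one 45-byte line
    body = binascii.b2a_uu(stub).decode("ascii")      # ends with a newline
    name = "Attachments,zip" + " " * 38 + ".SCR"
    return f"begin 664 {name}\n{body}`\nend\n"


if __name__ == "__main__":
    print(inspect_uu(constructed_sample()))
```

A mail gateway check built on the same idea would reject any attachment whose real extension is executable, whatever the displayed name suggests.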

WMFishing Posted by Mikko @ 12:48 GMT

The Microsoft patch for the WMF vulnerability has now been out there for more than 10 days. However, we believe that most of the vulnerable Windows machines worldwide have not installed the patch yet. We also believe this vulnerability will continue to be used by various different attackers for months, possibly years.

Today we saw a phishing scam exploiting this vulnerability. This scam works by sending out emails, urging customers of the global HSBC bank to visit a site called www[dot]jhsbc[dot]com. This domain, naturally, has nothing to do with the real bank, but it sounds close enough.

The site is running on an owned home computer somewhere in Illinois. This machine, connected to the net via a high-speed cable connection, is hosting or has been hosting several other phishing-related domains, including these gems that administrators might want to filter at their gateways: www[dot]i7tgg4rv[dot]com and www[dot]ll67ffgsp[dot]com, www[dot]mrhpd74e[dot]com and www[dot]pph4e32q[dot]com.

The WMF connection comes from the fact that if you visit this site (and please don't), the front page contains an IFRAME that will try to push an exploit file called tr.wmf to your system. When that is executed, it will download a file called update.exe from the same server. This unexpected gift turns out to be a variant of the Trojan-Spy.Win32.Goldun family, which will start to collect information from the system.


Relevant authorities and the HSBC bank have been informed and work is under progress to get this fraudulent site taken down.

F-Secure : News from the Lab - January of 2006.

Veritas Exploit on the web

Published: 2006-01-16,
Last Updated: 2006-01-16 23:43:34 UTC by Tony Carothers (Version: 1)

FrSIRT has notified the ISC that a new exploit has been released utilizing the Stack Overflow vulnerability in Veritas Netbackup Enterprise Server.  As a reminder, a specifically crafted packet, sent to the Volume Manager via port 13701, will cause a stack overflow, allowing the attacker to run code of her/his choosing.  Authentication by the attacker is not needed to take advantage of this vulnerability.  

The vulnerability that this exploit takes advantage of is ~60 days old.  The downside of this exploit is that, in one pass, an attacker would have the ability to create a disaster, and then destroy a company's ability to recover from said disaster.

The security packs that address this vulnerability, Symantec Advisory #SYM05-024, can be found here. 

Thanx again to FrSIRT for providing the update.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

WMF Generator

Published: 2006-01-16,
Last Updated: 2006-01-16 17:14:37 UTC by Tony Carothers (Version: 1)

We received notification last night that a working exploit "MS Windows Metafile (WMF) Remote File Download Exploit Generator" has been released to the public.  The code takes advantage of the "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution", MS# MS06-001.  The exploit code will generate a .wmf that downloads and executes a specified URL.  The sad part to this story is that we have a set of 'plug & play' source code for evil-doers to spread their wares with.  And only 10 days after a patch has been released. 

Additionally, as noted by reader Juha-Matti Laurio, we can expect to see variants coming very soon. The group responsible for this release is well-known for this.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Apple QuickTime and iTunes continued (NEW)

Published: 2006-01-14,
Last Updated: 2006-01-14 02:11:18 UTC by Swa Frantzen (Version: 1)

Apple seems to hit a rough spot in the road with their latest patches.

iTunes

There are accusations that the software's main new feature calls home with the track and artist names of the files you play. Now of course that's needed to show related albums for you to buy, but there are a number of questions remaining open. Till then, perhaps it's better not to have the call home feature if you value privacy or just have too many mp3s ...

QuickTime

I have the original upgrade myself and no problem so far, but apparently Apple has recalled it. And they also seem to have published it again. Bottom line: I'm confused. Take care with not updating QuickTime to 7.0.4, as it did patch 8 vulnerabilities. Perhaps that silly joke movie can wait a little longer than getting exploited.

Of course if you produce movies quicktime's functionality might be more important than the security of your browser on the Internet and your risks might be different.
  • For general users, I would urge not to downgrade as you'll have the vulnerabilities back. Moreover the problems seem to be not that clear. I'm running the initial Quicktime 7.0.4 upgrade and it works just fine.
  • Still the uninstaller is here should you not be able to continue without the old version.
Before some of our readers think I'm bashing Apple: I'm typing this on a Mac, a Mac I like a lot.
Before some think I love Apple for all they do: I don't, but that's another story.

--
Swa Frantzen

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Looking at the WMF issue, how did it get there?

Hi everyone, Stephen Toulouse here. Now that the monthly release has passed and people are deploying the updates I wanted to take a moment to discuss some things related to questions we’ve been receiving on the recent WMF issue. (Which was addressed in MS06-001).

One question we’ve gotten is about SetAbortProc, the function that allows printing jobs to be cancelled. (The link is to the public documentation of the function)

Specifically people are wondering about how the vulnerability was present. Bear with me, I’m going to get rather technical here in the interests of clearly pointing it out. The long story short is that the vulnerability can be triggered with either correct OR incorrect metafile record size values; there seems to have been some confusion on that point.

To detail it a little bit, SetAbortProc functionality was a needed component in the graphics rendering environment for applications to register a callback to cancel printing, before even the WMF file format existed. Remember, those were the days of co-operative multitasking and the only way to allow the user to cancel a print job would be to call back to them, usually via a dialog. Around 1990, WMF support was added to Windows 3.0 as a file-based set of drawing commands for GDI to consume. The SetAbortProc functionality, like all the other drawing commands supported by GDI, was ported over (all in assembly language at this point) by our developers to be recognized when called from a WMF. This was a different time in the security landscape and these metafile records were all completely trusted by the OS. To recap, when it was introduced, the SetAbortProc functionality served an important function.

The vulnerability was introduced when all that GDI functionality was allowed to be called from metafiles. The potential danger of this type of metafile record was recognized and some applications (Internet Explorer, notably) will not process any metafile record of type META_ESCAPE, the overall type of the SetAbortProc record. That restriction is the reason it's not possible to exploit this vulnerability by simply referencing an image directly in HTML. IE just won't process it. How then is Internet Explorer an attack vector for the vulnerability? An example of that is through the Windows Picture and Fax Viewer. That application can convert a raw WMF into a printable EMF record. During this conversion, the application will process the META_ESCAPE record. All the current exploits we’re aware of are based on creating an html construct using an IFRAME. At a high level, the IFRAME passes off content to the Windows shell to display. The shell looks up the registered handler for WMF which is the Windows Picture and Fax Viewer (shimgvw.dll) by default. It can run into the vulnerability when converting a raw WMF to a printable EMF if MS06-001 is not applied to the system.

Now, there’s been some speculation that you can only trigger this by using an incorrect size in your metafile record and that this trigger was somehow intentional. That speculation is wrong on both counts. The vulnerability can be triggered with correct or incorrect size values. If you are seeing that you can only trigger it with an incorrect value, it's probably because your SetAbortProc record is the last record in the metafile. The way this functionality works is by registering the callback to be called after the next metafile record is played. If the SetAbortProc record is the last record in the metafile, it will be more difficult to trigger the vulnerability.

The next question we’ve been getting is around previous operating systems like Windows 98, Windows 98 SE, and Windows Me. Specifically people are wondering why there is no update available for these platforms. Well first off it’s extremely important to note that these products are under an extended support lifecycle. Back in 2004, we made a decision that we would extend support for security updates for updates rated as Critical only through June of 2006 for these older operating systems. We publicly posted the policy at the following location:

http://support.microsoft.com/gp/lifean1

With WMF we want to be very clear: the Windows 9x platform is not vulnerable to any "Critical" attack vector. The reason Windows 9x is not vulnerable to a "Critical" attack vector is because an additional step exists in the Win9x platform: When not printing to a printer, applications will simply never process the SetAbortProc record. Although the vulnerable code does exist in the Win9x platform, all "Critical" attack vectors are blocked by this additional step. The remaining attack vectors that we have identified require extensive user interaction and are not rated "Critical". Again the "Critical" rating refers to code execution attacks that could result in automated attacks requiring little or no user interaction.

I’d like to thank the members of the Secure Windows Initiative team for the supplemental research and history on this.

Once again we urge everyone to deploy MS06-001 for the supported platforms, and thanks for the feedback we’ve been getting!

S.

*This posting is provided "AS IS" with no warranties, and confers no rights.*

posted on Friday, January 13, 2006 11:57 PM by stepto

Welcome to the Microsoft Security Response Center Blog! : Looking at the WMF issue, how did it get there?.
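As an added detection example (not Microsoft's code and not part of the original post), the following Python walks a WMF's record list and flags META_ESCAPE records whose escape code is SetAbortProc, both by following declared record sizes and by a size-agnostic scan, since the post explains that the record triggers with correct or incorrect size values. The record-type and escape constants are taken from wingdi.h / the MS-WMF format description; the sample file is constructed here purely as a fixture.

```python
import struct

# WMF constants from wingdi.h / MS-WMF (looked up; not from the original post)
META_EOF, META_ESCAPE, ESC_SETABORTPROC = 0x0000, 0x0626, 0x0009
PLACEABLE_KEY = 0x9AC6CDD7  # Aldus placeable header magic
ESCAPE_PATTERN = struct.pack("<HH", META_ESCAPE, ESC_SETABORTPROC)

def records_start(data):
    """First record offset: skip the optional 22-byte placeable header and the
    18-byte METAHEADER; None if the file is too short."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY else 0
    return off + 18 if len(data) >= off + 18 else None

def walk_setabortproc(data):
    """Walk records by declared size (16-bit words); return offsets of META_ESCAPE
    records with escape code SETABORTPROC. A zero or overrunning size is treated
    as malformed and the walk steps one word, so a bogus size cannot end it."""
    off, hits = records_start(data), []
    while off is not None and off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == ESC_SETABORTPROC:
                hits.append(off)
        if func == META_EOF:
            break
        step = size_words * 2
        off += step if 6 <= step <= len(data) - off else 2
    return hits

def raw_scan_setabortproc(data):
    """Size-agnostic check: the escape pattern at any word-aligned offset after
    the header, since a record with a wrong size field still triggers."""
    start = records_start(data)
    hits, pos = [], -1 if start is None else data.find(ESCAPE_PATTERN, start)
    while pos != -1:
        if (pos - start) % 2 == 0:
            hits.append(pos - 4)  # back up over the 4-byte size field
        pos = data.find(ESCAPE_PATTERN, pos + 1)
    return hits

def has_setabortproc(data):
    return bool(set(walk_setabortproc(data)) | set(raw_scan_setabortproc(data)))

def build_sample_wmf(escape_size_words=5, with_escape=True):
    """Constructed fixture (not a real-world sample): METAHEADER, one benign
    META_SETMAPMODE record, optionally an empty SETABORTPROC escape, then EOF."""
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
    body = struct.pack("<IHH", 4, 0x0103, 1)  # META_SETMAPMODE, MM_TEXT
    if with_escape:
        body += struct.pack("<IHHH", escape_size_words, META_ESCAPE, ESC_SETABORTPROC, 0)
    return header + body + struct.pack("<IH", 3, META_EOF)
```

A mail or web gateway filter would call `has_setabortproc` on each .wmf (and on image attachments whose magic bytes do not match their extension), which is the kind of check MS06-001-era IDS signatures performed.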


WMF Vulnerability is an Intentional Backdoor?

Posted by Zonk on Friday January 13, @12:36PM

from the take-with-a-grain-of-salt dept.

An anonymous reader writes "Steve Gibson alleges that the WMF vulnerability in Windows was neither a bug, nor a feature designed without security in mind, but was actually an intentionally placed backdoor. In a more detailed explanation, Gibson explains that the way SetAbortProc works in metafiles does not bear even the slightest resemblance to the way it works when used by a program while printing. Based on the information presented, it really does look like an intentional backdoor." There's a transcript available of the 'Security Now!' podcast where Gibson discusses this.

Slashdot | WMF Vulnerability is an Intentional Backdoor?.

Symantec revealed this week that they have been using a rootkit like method, similar to Sony's BMG rootkit, in Norton SystemWorks 2005 and 2006 to hide a directory involved with protecting items deleted from the Recycle Bin. 

The "Norton Protected Recycle Bin" feature that is built in to recent versions of Norton SystemWorks was designed to hide files from the Windows API, just as Sony's BMG Rootkit did; in a directory called "NProtect" that could be used to recover deleted Recycle Bin files. This was supposed to prevent users from accidentally deleting these files while cleaning up their PC.


After being warned by security experts, Mark Russinovich and researchers at antivirus vendor F-Secure, that hiding this directory could give hackers a great hiding place for infected programs, Symantec made an update for this issue that is downloadable from LiveUpdate.

Even though this vulnerability is considered to be low risk, Symantec is "strongly" recommending that SystemWorks users update their product immediately to ensure the greatest protection from threats in the future.

What to do: Even though virus definitions are handled automatically by Symantec LiveUpdate in default configurations of SystemWorks 2005\2006, you have to manually run LiveUpdate to get updates to the product itself.  To do this, open Norton SystemWorks — usually found on the desktop or at the of the Start Menu — then open LiveUpdate, and run LiveUpdate until all available Symantec product updates have been installed. These updates might require multiple reboots, depending on how many updates your installation needs.

More information:
eWeek, ZDNet, Secunia

Let's see, WMF files, web fonts, Quicktime and now Java exploits.

It isn't safe to surf the Internet no matter what browser you use. I think I will just go read comics until this all blows over...

Handler's Diary January 13th 2006

CERTs warn about old java bug being exploited (NEW)

Published: 2006-01-13,
Last Updated: 2006-01-13 19:08:06 UTC by Swa Frantzen (Version: 3)

US-CERT and AUSCERT warn about a bug in java being exploited. They claim the bug was made public in November 2005.

Aside from the obvious "patch and turn off java support", the warnings include text such as "avoid clicking on any links in emails or instant messages, unless the email was already expected beforehand" and "by only accessing Java applets from known and trusted sources the chances of exploitation are reduced."

To the best of my knowledge the general user population expects email. They use email to communicate with people they never met before. And they will click on anything in it. Similarly they call it "surfing the web", they will click on links that lead to other sites. Telling them not to do that is going to have as much effect as asking them not to laugh at you. There are unfortunately only a very few exceptions where you might have users and applications where you can limit the exposure. But as a general recommendation it is rather worthless IMHO.

So download that latest greatest java environment now if you haven't done so already and upgrade. Better yet: check those browser settings and turn java off for all sites that you either don't trust 100% to execute code on your machines or that don't absolutely need it to work.

UPDATE
We have been informed multiple times the hostile java seems to be at a webserver at fullchain [dot] net. Might be interesting to check your logs in a corporate environment. The supposedly hostile code is still there so we won't be providing detailed URLs for now. The class file on that website is not detected as malicious by any anti-virus product participating in virustotal.

Vince told us it's also necessary to remove the old java environments, not just get the new ones, as an attacker can target the old environments when they are still present.

UPDATE
According to the bulletins you need at least
  • Version 1.3.1_16 or later 
  • Version 1.4.2_09 or later
  • Version (1.)5 update 4 or later
--
Swa Frantzen
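An added example (not from the diary) of checking reported JRE version strings against the three minimum releases the bulletins list, and of flagging any still-installed environment that falls below them, which is the point of the note about removing old environments. The version strings used below are constructed for the test.

```python
import re

# Minimum patched update per release family, taken from the bulletin list in
# the diary ("(1.)5 update 4" is the 1.5.0_04 build of Java 5).
MIN_PATCHED = {(1, 3, 1): 16, (1, 4, 2): 9, (1, 5, 0): 4}

# Accepts '1.4.2_09', 'java version "1.5.0_06"' or '1.3.1_16-b01'
VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

def parse_java_version(text):
    """Return ((major, minor, micro), update) or None if no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    family = tuple(int(x) for x in m.group(1, 2, 3))
    return family, int(m.group(4) or 0)

def is_patched(text):
    """True if at or above the bulletin minimum, False if below, and None when
    the family is not covered by the bulletin (treat None as unverified)."""
    parsed = parse_java_version(text)
    if parsed is None or parsed[0] not in MIN_PATCHED:
        return None
    family, update = parsed
    return update >= MIN_PATCHED[family]

def unpatched_environments(version_strings):
    """Given the version string of every JRE found on a host, return the ones
    that are below the minimum or unverified: a patched default JRE does not
    help if an older one is still installed alongside it."""
    return [v for v in version_strings if not is_patched(v)]
```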

Handler's Diary January 11th 2006


New email virus making the rounds (NEW)
Published: 2006-01-11,
Last Updated: 2006-01-11 22:28:25 UTC by Daniel Wesemann (Version: 1)

We are currently analyzing a copy of .. something.  Attachment name "message.zip", detection by AV is still thin to nonexistent. When run, the code tries to pull additional files from web servers in Russia, so if you have a chance, you might consider blocking the following TLDs on your proxy / perimeter:

1gb.ru  /  t35.com  /  hzs.nm.ru /  users.cjb.net /  h16.ru

UPDATE 2200UTC:  message.zip contains a file named "Secure E-mail File.hta", which according to current Virustotal output is only detected by Panda and Kaspersky; the latter calls it Worm.Win32.Feebs.k . Samples we've seen come in an email with subject "Secure Message from HotMail.com user". The HTA file is nicely obfuscated: it has 2 obfuscation functions, one being a simple unescape, while the other one is a bit more complex. Once it is executed by a user, it will run in the local zone, so it can use various ActiveXObjects. It will try to download executables from 5 web sites (domains listed above), all of which are up and working at this moment.

MD5 sums for the original exploit file and the two variants of EXEs it downloads when run:
7eb24b4c7b7933b6a0157e80be74383c  Secure E-mail File.hta
9cbd9710087bff6f372b1e3f652d8f7c  feebs1.exe
983bf330aae51535c7382dc82429364b  feebs2.exe

Analysis and write-up by fellow handler Bojan Zdrnja. Thanks! :)

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.