August 2006 - Posts

botnet submitted (NEW)

Published: 2006-08-31,
Last Updated: 2006-08-31 15:11:08 UTC by Swa Frantzen (Version: 2)

Please note: this was submitted as an NT worm/botnet; it does not, however, appear to affect NT only.

We received copies of malware found by Geo on an NT system; the samples are being discussed in public forums and appear to be (variants of) known botnets. Here is what Norman's sandbox and virustotal.com had to say about them [sanitized]:

eraseme:

[ General information ]
   * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
   * Anti debug/emulation code present.
   * **Locates window "NULL [class mIRC]" on desktop.
   * File length:        86016 bytes.
   * MD5 hash: 5d8e6f1fc0d5b8e34947241d77c2311c.
[ Changes to filesystem ]
   * Creates file C:\WINDOWS\csrsc.exe.
   * Deletes file c:\sample.exe.
[ Changes to registry ]
   * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "MeltMe"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Creates key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "ImagePath"=""C:\WINDOWS\csrsc.exe"" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "DisplayName"="Network Gateway Manager" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Deletes value "MeltMe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "Installed Time"="3/6/2006, 1:20 PM" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "WaitToKillServiceTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control".
[ Network services ]
   * Looks for an Internet connection.
   * Connects to "[deleted]" on port 1863 (TCP).
   * Sends data stream (30 bytes) to remote address "[deleted]", port 1863.
   * Connects to IRC Server.
[ Process/window information ]
   * Creates service "npx (Network Gateway Manager)" as ""C:\WINDOWS\csrsc.exe"".
   * Attempts to access service "npx".
   * Creates a mutex LOLFOB.
[ Signature Scanning ]
   * C:\WINDOWS\csrsc.exe (86016 bytes) : no signature detection.

Virustotal:
 AntiVir 6.35.1.11     08.31.2006 Worm/Sdbot.86016.43
 Authentium 4.93.8     08.30.2006 no virus found
 Avast 4.7.844.0       08.31.2006 no virus found
 AVG 386               08.30.2006 IRC/BackDoor.SdBot2.HLZ
 BitDefender 7.2       08.31.2006 GenPack: Generic.Sdbot.4F0C4C47
 CAT-QuickHeal 8.00    08.30.2006 no virus found
 ClamAV devel-20060426 08.31.2006 no virus found
 DrWeb 4.33            08.31.2006 Win32.HLLW.MyBot
 eTrust-InoculateIT 23.72.111 08.31.2006 no virus found
 eTrust-Vet 30.3.3052  08.31.2006 no virus found
 Ewido 4.0             08.31.2006 Backdoor.SdBot.anp
 Fortinet 2.77.0.0     08.31.2006 W32/SDBot.AKI!worm
 F-Prot 3.16f          08.30.2006 no virus found
 F-Prot4 4.2.1.29      08.31.2006 no virus found
 Ikarus 0.2.65.0       08.31.2006 no virus found
 Kaspersky 4.0.2.24    08.31.2006 Backdoor.Win32.SdBot.anp
 McAfee 4841           08.30.2006 no virus found
 Microsoft 1.1560      08.31.2006 no virus found
 NOD32 v21.1733        08.31.2006 a variant of IRC/SdBot
 Norman 5.90.23        08.31.2006 W32/Malware
 Panda 9.0.0.4         08.30.2006 no virus found
 Sophos 4.09.0         08.31.2006 no virus found
 Symantec 8.0          08.31.2006 W32.Spybot.Worm
... 

csrsc:

Norman:
[ General information ]
   * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
   * Anti debug/emulation code present.
   * **Locates window "NULL [class mIRC]" on desktop.
   * File length:        86016 bytes.
   * MD5 hash: 5d8e6f1fc0d5b8e34947241d77c2311c.

[ Changes to filesystem ]
   * Creates file C:\WINDOWS\csrsc.exe.
   * Deletes file c:\sample.exe.

[ Changes to registry ]
   * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "MeltMe"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Creates key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "ImagePath"=""C:\WINDOWS\csrsc.exe"" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "DisplayName"="Network Gateway Manager" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Deletes value "MeltMe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "Installed Time"="3/6/2006, 1:20 PM" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "WaitToKillServiceTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control".
   * Modifies value "UpdatesDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "AntiVirusDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "FirewallDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "AntiVirusOverride"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "FirewallOverride"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update".
   * Sets value "AUOptions"="^A" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update".
   * Creates key "HKLM\System\CurrentControlSet\Services\wscsvc".
   * Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\wscsvc".
   * Creates key "HKLM\System\CurrentControlSet\Services\TlntSvr".
   * Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\TlntSvr".
   * Creates key "HKLM\System\CurrentControlSet\Services\RemoteRegistry".
   * Creates key "HKLM\System\CurrentControlSet\Services\Messenger".
   * Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\Messenger".
   * Sets value "restrictanonymous"="^A" in key "HKLM\System\CurrentControlSet\Control\Lsa".
   * Creates key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
   * Sets value "AutoShareWks"="" in key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
   * Sets value "AutoShareServer"="" in key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
   * Creates key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
   * Sets value "AutoShareWks"="" in key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
   * Sets value "AutoShareServer"="" in key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
   * Creates key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate".
   * Sets value "DoNotAllowXPSP2"="^A" in key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate".
   * Creates key "HKLM\Software\Microsoft\OLE".
   * Sets value "EnableDCOM"="N" in key "HKLM\Software\Microsoft\OLE".
   * Sets value "Record"="??^N" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".

[ Network services ]
   * Looks for an Internet connection.
   * Connects to "[DELETED]" on port 1863 (TCP).
   * Sends data stream (30 bytes) to remote address "[DELETED]" port 1863.
   * Connects to IRC Server.
   * IRC: Uses nickname [XP||N|677795].
   * IRC: Uses username XP88038.
   * Opens URL: http://[DELETED]/prxjdg.cgi.
   * Opens URL: http://[DELETED]/x/maxwell/cgi-bin/prxjdg.cgi.
   * Opens URL: http://[DELETED]/mute/c/prxjdg.cgi.
   * Opens URL: http://[DELETED]/tomocrus/cgi-bin/check/prxjdg.cgi.
   * Opens URL: http://[DELETED]/cgi-bin/proxy.cgi.
   * Opens URL: http://[DELETED]/little_w/prxjdg.cgi.
   * IRC: Sets the usermode for user [XP||N|677795] to .
   * IRC: Joins channel #NGEN with password [DELETED].

[ Process/window information ]
   * Creates service "npx (Network Gateway Manager)" as ""C:\WINDOWS\csrsc.exe"".
   * Attempts to access service "npx".
   * Creates a mutex LOLFOB.
   * Attempts to access service "Tlntsvr".
   * Attempts to access service "RemoteRegistry".
   * Attempts to access service "Messenger".
   * Attempts to access service "SharedAccess".
   * Attempts to access service "wscsvc".

[ Signature Scanning ]
   * C:\WINDOWS\csrsc.exe (86016 bytes) : no signature detection.


Virustotal:
 Authentium 4.93.8     08.30.2006 no virus found
 Avast 4.7.844.0       08.31.2006 no virus found
 AVG 386               08.30.2006 IRC/BackDoor.SdBot2.HLZ
 BitDefender 7.2       08.31.2006 GenPack: Generic.Sdbot.4F0C4C47
 CAT-QuickHeal 8.00    08.30.2006 no virus found
 ClamAV devel-20060426 08.31.2006 no virus found
 DrWeb 4.33            08.31.2006 Win32.HLLW.MyBot
 eTrust-InoculateIT 23.72.111 08.31.2006 no virus found
 eTrust-Vet 30.3.3052  08.31.2006 no virus found
 Ewido 4.0             08.31.2006 Backdoor.SdBot.anp
 Fortinet 2.77.0.0     08.31.2006 W32/SDBot.AKI!worm
 F-Prot 3.16f          08.30.2006 no virus found
 F-Prot4 4.2.1.29      08.31.2006 no virus found
 Ikarus 0.2.65.0       08.31.2006 no virus found
 Kaspersky 4.0.2.24    08.31.2006 Backdoor.Win32.SdBot.anp
 McAfee 4841           08.30.2006 no virus found
 Microsoft 1.1560      08.31.2006 no virus found
 NOD32 v21.1733        08.31.2006 a variant of IRC/SdBot
 Norman 5.90.23        08.31.2006 W32/Malware
 Panda 9.0.0.4         08.30.2006 no virus found
 Sophos 4.09.0         08.31.2006 no virus found
 Symantec 8.0          08.31.2006 W32.Spybot.Worm
 TheHacker 5.9.8.202   08.31.2006 no virus found
 UNA 1.83              08.31.2006 no virus found
 VBA32 3.11.1          08.30.2006 Win32.HLLW.MyBot
 VirusBuster 4.3.7:9   08.30.2006 no virus found

i.exe:

Virustotal:
 AntiVir 6.35.1.11     08.31.2006 Worm/Spybot.1093632
 Authentium 4.93.8     08.30.2006 no virus found
 Avast 4.7.844.0       08.31.2006 no virus found
 AVG 386               08.30.2006 IRC/BackDoor.SdBot2.HLY
 BitDefender 7.2       08.31.2006 Win32.Worm.Tilebot.GM
 CAT-QuickHeal 8.00    08.30.2006 no virus found
 ClamAV devel-20060426 08.31.2006 no virus found
 DrWeb 4.33            08.31.2006 Win32.HLLW.MyBot
 eTrust-InoculateIT 23.72.111 08.31.2006 Win32/SDBOT.AQJ!Worm
 eTrust-Vet 30.3.3052  08.31.2006 Win32/Petribot.XM
 Ewido 4.0             08.31.2006 Backdoor.SdBot.aqj
 Fortinet 2.77.0.0     08.31.2006 W32/Tilebot.AQJ!worm
 F-Prot 3.16f          08.30.2006 no virus found
 F-Prot4 4.2.1.29      08.31.2006 no virus found
 Ikarus 0.2.65.0       08.31.2006 Backdoor.Win32.SdBot.aqi
 Kaspersky 4.0.2.24    08.31.2006 Backdoor.Win32.SdBot.aqj
 McAfee 4841           08.30.2006 W32/Spybot.worm.gen.p
 Microsoft 1.1560      08.31.2006 Backdoor:Win32/Rbot!02A6
 NOD32 v21.1733        08.31.2006 IRC/SdBot
 Norman 5.90.23        08.31.2006 W32/Spybot.AXGM
 Panda 9.0.0.4         08.30.2006 W32/Sdbot.IAZ.worm
 Sophos 4.09.0         08.31.2006 W32/Tilebot-GM
 Symantec 8.0          08.31.2006 W32.Spybot.AKNO
 TheHacker 5.9.8.202   08.31.2006 no virus found
 UNA 1.83              08.31.2006 Backdoor.SdBot.8
 VBA32 3.11.1          08.30.2006 Win32.HLLW.MyBot
 VirusBuster 4.3.7:9   08.30.2006 no virus found

Reading what the antivirus community has written about these, they appear to spread through so many vectors that they are likely to affect any poorly patched system (and NT, or any other legacy Windows version, would make a prime target).
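Two things in the sandbox output above are worth spelling out. First, the "eraseme" and "csrsc" reports carry the same MD5 and file length, so they are the same sample, with the second run simply showing more of what it does once installed as the "npx" service. Second, the "^A" and "^D" in the registry lines are the sandbox's rendering of the byte values 1 and 4: a service Start value of 4 is SERVICE_DISABLED, so the bot switches off the Security Center service (wscsvc) while also setting the Security Center *DisableNotify and *Override values, disabling Automatic Updates, blocking XP SP2 via the DoNotAllowXPSP2 policy, and removing the administrative shares. The following is an added example, not code from ISC or Norman: a small Python parser that turns a Norman sandbox report into structured indicators, flags the registry writes that weaken host defenses, and emits the cmd.exe checks an administrator could run on a suspect host. The report excerpt embedded in it is constructed from the lines quoted above, and the tamper-classification table is the editor's own grouping.

```python
import re

# Constructed excerpt of the Norman SandBox report quoted above for csrsc.exe
# (added example data; the page's report is longer, only the lines this
# demonstration needs are kept).
SAMPLE_REPORT = r"""
[ General information ]
   * MD5 hash: 5d8e6f1fc0d5b8e34947241d77c2311c.
[ Changes to filesystem ]
   * Creates file C:\WINDOWS\csrsc.exe.
   * Deletes file c:\sample.exe.
[ Changes to registry ]
   * Sets value "ImagePath"=""C:\WINDOWS\csrsc.exe"" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "DisplayName"="Network Gateway Manager" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Modifies value "AntiVirusDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\wscsvc".
   * Sets value "DoNotAllowXPSP2"="^A" in key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate".
[ Network services ]
   * Connects to "[DELETED]" on port 1863 (TCP).
   * IRC: Joins channel #NGEN with password [DELETED].
[ Process/window information ]
   * Creates service "npx (Network Gateway Manager)" as ""C:\WINDOWS\csrsc.exe"".
   * Creates a mutex LOLFOB.
"""

SECTION_RE = re.compile(r"^\[\s*.+?\s*\]$")
ITEM_RE = re.compile(r"^\s*\*\s*(.*?)\.?\s*$")        # drop the bullet and trailing period
MD5_RE = re.compile(r"^MD5 hash:\s*([0-9a-fA-F]{32})$")
FILE_RE = re.compile(r"^(Creates|Deletes) file (.+)$")
REG_RE = re.compile(r'^(Sets|Modifies|Deletes) value "([^"]+)"(?:=(.*?))? in key\s*"([^"]+)"$')
NET_RE = re.compile(r'^Connects to "([^"]+)" on port (\d+) \((TCP|UDP)\)$')
SVC_RE = re.compile(r'^Creates service "(\S+) \(([^)]+)\)" as "+(.+?)"+$')
MUTEX_RE = re.compile(r"^Creates a mutex (\S+)$")
IRC_RE = re.compile(r"^IRC: Joins channel (#\S+)")

# Registry locations where a write weakens host defenses; the grouping is the
# editor's, drawn from the keys the report above shows the bot touching.
DEFENSE_TAMPER = [
    (re.compile(r"\\Security Center$", re.I), "Security Center notifications/overrides"),
    (re.compile(r"\\Services\\(wscsvc|SharedAccess)$", re.I), "security service start type"),
    (re.compile(r"\\WindowsUpdate", re.I), "Windows Update policy"),
    (re.compile(r"\\lanman(server|workstation)\\parameters$", re.I), "administrative shares"),
    (re.compile(r"\\Control\\Lsa$", re.I), "LSA anonymous-access restriction"),
    (re.compile(r"\\Microsoft\\OLE$", re.I), "DCOM enablement"),
]

def tamper_label(key):
    for pattern, label in DEFENSE_TAMPER:
        if pattern.search(key):
            return label
    return None

def parse_report(text):
    """Turn a Norman SandBox text report into a dict of indicators."""
    iocs = {"md5": None, "files": [], "registry": [], "network": [],
            "services": [], "mutexes": [], "irc_channels": []}
    for raw in text.splitlines():
        if SECTION_RE.match(raw.strip()):
            continue                                     # headers carry no indicator
        bullet = ITEM_RE.match(raw)
        if not bullet:
            continue
        item = bullet.group(1)
        if (m := MD5_RE.match(item)):
            iocs["md5"] = m.group(1).lower()
        elif (m := FILE_RE.match(item)):
            iocs["files"].append({"action": m.group(1).lower(), "path": m.group(2)})
        elif (m := REG_RE.match(item)):
            key = m.group(4)                             # doubled quotes around ImagePath are stripped
            iocs["registry"].append({"action": m.group(1).lower(), "key": key,
                                     "name": m.group(2),
                                     "value": (m.group(3) or "").strip('"'),
                                     "tamper": tamper_label(key)})
        elif (m := NET_RE.match(item)):
            iocs["network"].append((m.group(1), int(m.group(2)), m.group(3)))
        elif (m := SVC_RE.match(item)):
            iocs["services"].append({"name": m.group(1), "display": m.group(2),
                                     "image": m.group(3)})
        elif (m := MUTEX_RE.match(item)):
            iocs["mutexes"].append(m.group(1))
        elif (m := IRC_RE.match(item)):
            iocs["irc_channels"].append(m.group(1))
    return iocs

def triage_checklist(iocs):
    """cmd.exe commands to look for the indicators on a suspect host."""
    cmds = [f'dir "{f["path"]}"' for f in iocs["files"] if f["action"] == "creates"]
    cmds += [f'sc query {s["name"]}' for s in iocs["services"]]
    seen = set()
    for r in iocs["registry"]:
        if r["action"] != "deletes" and (r["key"], r["name"]) not in seen:
            seen.add((r["key"], r["name"]))
            cmds.append(f'reg query "{r["key"]}" /v "{r["name"]}"')
    return cmds

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print([(r["name"], r["tamper"]) for r in found["registry"] if r["tamper"]])
    print("\n".join(triage_checklist(found)))
```

Run on a complete report with `parse_report(open(path).read())`; the mutex name and the service name are the cheapest host-side checks, since neither changes between the two runs above, while the IRC server and the port 1863 peer were redacted and cannot be turned into network indicators from this page.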

--
Swa Frantzen -- Section66.com

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Mass-mailers are dead! Long live mass-mailers!

Currently, exploits are the flavor of the month as far as malicious code authors are concerned. However, in recent days we have seen a few variants of a new mass-mailing worm called W32.Stration@mm successfully spreading on a moderate scale over the Internet. For some time now we have observed fewer and fewer new instances of mass-mailing worms, so it has now become a bit of a novelty to see that somebody is still willing to invest time and effort into creating a worm that uses this method as the primary means of propagation.

Mass-mailing worms have been around for a long time and people have, by and large, learnt to defend themselves more effectively against them. In the fight back, many administrators now block certain attachments on the gateway; some may apply email filtering such as Symantec Brightmail, provide user education, and use various other methods to help curtail the spread of mass-mailing worms. During the period from 2003 to 2005, it was not uncommon to see new variants of mass-mailing worms such as Netsky, Beagle and Mydoom appear nearly on a daily basis. The last truly effective mass-mailing worm we have seen was W32.Mydoom.AX@mm, which burst onto the scene back in February of 2005; in this case it managed to reach a category rating of 3. Since then, no other mass-mailing worm has achieved anywhere near the same level of success in propagation.

Despite all of the advances in technology and controls over the years, one of the soft spots in the defenses against mass-mailing threats is still the user. Most mass-mailing worms employ some form of social engineering to trick recipients into opening and running the attachments. As sure as the sun will rise every day, there will always be new, inexperienced users to take the bait. For this reason we can expect that the mass-mailing technique will continue to be used in the arsenal of the threat authors and will remain effective, but not spectacularly so; W32.Stration.C@mm is a case in point. For those of you affected by W32.Stration.C@mm, you'll be glad to know that a full system scan using the latest definitions will clean the threat from your computer, malicious files and registry keys included.

Symantec Security Response Weblog: Mass-mailers are dead! Long live mass-mailers!.

Wednesday, August 30, 2006

Jump Around Posted by MikaT @ 10:13 GMT

This week we've encountered a cross-platform worm that's capable (at least theoretically) of spreading from a PC to a mobile device and back. To be more specific, the "Mobler" worm moves between Symbian and Windows platforms. Although it's quite nasty on the Windows side, it doesn't cause much harm on the Symbian device. It just copies itself to the memory card and tries to trick the user into infecting his PC.


Technically there isn't any automatic spreading mechanism for Mobler to copy itself from one platform to another. It just creates a Symbian installation package that inserts a Windows executable on the mobile device's memory card. This executable is visible as a system folder in Windows Explorer - so it's possible for the user to accidentally open it and infect their PC while browsing the memory card's files.

Mobler poses no immediate risk to mobile device users in its present form. However, it's possible that virus writers might use it as a basis for more malicious malware. But then again, that could be said of previous cross-platform viruses and thus far a heavy hitter has failed to materialise.

For more information, see the descriptions for Mobler and Cardtrap.AK.

F-Secure : News from the Lab - August of 2006.

Sendmail DoS Vulnerability (NEW)

Published: 2006-08-29,
Last Updated: 2006-08-29 19:30:40 UTC by Scott Fendley (Version: 1)

For some of the Unix types out there, this may be old news by now. However, we do have a couple of reports in the mailbag about the Sendmail Denial of Service issue.

On August 9, 2006, Sendmail.org released version 8.13.8, which addressed a few bugs discovered in 8.13.7 and fixed a few others. One of those fixes addresses an issue where sendmail would crash after referencing a variable that had already been freed. The flaw can be triggered by crafting a message with very long header lines. I did not see much media attention when it was released (in fact I personally missed the note that it had been updated). However, in the past 24 hours a number of organizations have posted information about it. Oh well, looks like I wasn't the only one that missed it at the time.

As this appears to be only a DoS issue, our recommendation is that if you are using Sendmail-based products you upgrade to 8.13.8, available at Sendmail.org, or contact your vendor for appropriate updates. Also, make sure you are on the appropriate announcement list for any software vendors you use. Sometimes little security issues can get past even the best of us if we don't visit the CVS repository or website on a daily/weekly basis.

I am looking around for appropriate Snort rules that might detect this.


For More Information:
http://secunia.com/advisories/21637/
http://www.openbsd.org/errata.html (August 25 sendmail patch)
http://www.frsirt.com/english/advisories/2006/3393


---
Scott Fendley
ISC Handler On Duty
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
Google unveils 'Apps for Your Domain'

Adds online calendar, IM and web authoring tools
Clement James, vnunet.com 29 Aug 2006

Back in February, internet giant Google started making noises about a version of Gmail which website administrators could roll out for their own domain.

Over the past few days it has emerged that Google has been adding new functionality to the project, this week releasing Google Apps for Your Domain.

The new software suite, which is available free, includes customizable versions of Gmail, Google Talk and Google Calendar along with tools to brand them for a particular organization.

The service also includes Google Page Creator for designing and publishing a website.

"There is no hardware or software required, and you can customize the user interfaces with your branding and colour scheme so they look and feel like your own," Google said.

The company added that it is still working on the service: "If you are from a larger business or university with more advanced needs for communications and sharing, please get in touch regarding premium versions of the service due out later this year."

Google unveils 'Apps for Your Domain' - vnunet.com.

I just got news that my Sister just delivered her second child this morning! 

His name is Brandon and he is 21 inches long and weighed 8lbs.  Both Brandon and his mother are doing fine, and it has already been confirmed that Brandon has a good set of lungs on him. ;-)

I wish could have been there, but we will be visiting at Christmas so I can spoil him then!


********************************************************************
Title: Microsoft Security Advisory Notification
Issued: August 24, 2006
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (923762)

  - Title: Microsoft Security Advisory (923762): Long URLs to sites using HTTP 1.1 and compression Could Cause Internet Explorer 6 Service Pack 1 to Unexpectedly Exit
  - http://www.microsoft.com/technet/security/advisory/923762.mspx
  - Revision Note: Advisory updated to direct customers to the revised version of Microsoft Security Bulletin MS06-042 that includes new updates for Internet Explorer 6 Service Pack 1.

********************************************************************

MS06-042 reissue (NEW)

Published: 2006-08-24,
Last Updated: 2006-08-24 17:23:04 UTC by Jim Clausing (Version: 1)

The anxiously awaited reissue of the patch from bulletin MS06-042 is now live. Time to re-apply the patch for Internet Explorer 6 Service Pack 1 on Windows XP Service Pack 1 (all versions) and Windows 2000 (all versions).

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

********************************************************************
Title: Microsoft Security Bulletin Minor Revision
Issued: August 22, 2006
********************************************************************

Summary
=======
The following bulletin has undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS06-042

Bulletin Information:
=====================

* MS06-042

  - http://www.microsoft.com/technet/security/bulletin/ms06-042.mspx
  - Reason for Revision: Bulletin caveats updated with additional information regarding the release status of revised Internet Explorer 6 Service Pack 1 updates, as well as the release of Security Advisory 923762.
  - Originally posted: August 8, 2006
  - Updated: August 22, 2006
  - Bulletin Severity Rating: Critical
  - Version: 1.2

********************************************************************

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: August 22, 2006
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (923762)

  - Title: Microsoft Security Advisory (923762): Long URLs to sites using HTTP 1.1 and compression Could Cause Internet Explorer 6 Service Pack 1 to Unexpectedly Exit
  - http://www.microsoft.com/technet/security/advisory/923762.mspx
  - Revision Note: Advisory Published

********************************************************************

More MS06-042 woes (NEW)

Published: 2006-08-22,
Last Updated: 2006-08-22 21:22:31 UTC by Johannes Ullrich (Version: 1)

The hotfix for MS06-042, which was supposed to be released today, has been delayed. Worse: It turns out that MS06-042 introduced a new security problem. The crashes everyone is having so much fun with are just the tip of the iceberg. The issue can also be used to execute arbitrary code.

At this point, we recommend:
  • Keep MS06-042 applied if you can. It fixes more bugs than it creates.
  • If you are having problems with internal web sites that can no longer be used: Restrict MSIE to be used internally only.
  • Use Firefox/Opera or other browsers for now.
  • Sandboxie can be used to protect your system from damage caused via MSIE.
  • If you establish a "No MSIE" policy, you can use the snort rule below to detect accidental policy violations.
Snort Rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
(msg:"POLICY MSIE 6.0 User-Agent to external web site"; \
content:"|0D 0A|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0"; \
classtype:policy-violation; sid:1000001; rev:1;)
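The rule above matches one exact byte string, so it fires only for User-Agent headers that begin `Mozilla/4.0 (compatible; MSIE 6.0` in that exact case, and only toward `$EXTERNAL_NET`. To see what a blanket "No MSIE" policy check catches beyond that, here is an added example (not ISC's code): Python that parses outbound HTTP requests, models the rule's content match, and compares it against a check that extracts the User-Agent header properly and flags any MSIE version sent to a non-internal host. The request samples are constructed, and the `.example.local` suffix standing in for internal destinations is an assumption.

```python
import re

# Constructed sample of outbound HTTP requests as a proxy or sensor would see
# them (added example data, not from the diary; host names are examples).
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: intranet.example.local\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Opera/9.01 (Windows NT 5.1; U; en)\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\nuser-agent: mozilla/4.0 (COMPATIBLE; msie 6.0; windows nt 5.1)\r\n\r\n",
]

INTERNAL_SUFFIX = ".example.local"   # assumption: stands in for $HOME_NET destinations

# The exact bytes the diary's rule looks for: |0D 0A| followed by the header,
# with the escaped ':' and ';' resolved.
SNORT_CONTENT = b"\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0"
MSIE_RE = re.compile(r"\bMSIE (\d+)\.(\d+)", re.IGNORECASE)


def parse_headers(request: bytes) -> dict:
    """Return the request headers with lower-cased names; the body is ignored."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:           # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_internal(request: bytes) -> bool:
    return parse_headers(request).get("host", "").lower().endswith(INTERNAL_SUFFIX)


def snort_rule_fires(request: bytes) -> bool:
    """Model of the diary's rule: case-sensitive content match, external destinations only."""
    return not is_internal(request) and SNORT_CONTENT in request


def msie_version(request: bytes):
    """(major, minor) from the User-Agent header, or None if it is not MSIE."""
    m = MSIE_RE.search(parse_headers(request).get("user-agent", ""))
    return (int(m.group(1)), int(m.group(2))) if m else None


def policy_violation(request: bytes):
    """'No MSIE' policy: any MSIE version toward a non-internal host is a violation."""
    if is_internal(request):
        return None
    return msie_version(request)


def audit(requests):
    """Per request: (index, rule fired?, MSIE version violating policy or None)."""
    return [(i, snort_rule_fires(r), policy_violation(r)) for i, r in enumerate(requests)]


def missed_by_rule(requests):
    """Indices of policy violations the content-match rule would not alert on."""
    return [i for i, fired, violation in audit(requests) if violation and not fired]


if __name__ == "__main__":
    for i, fired, violation in audit(SAMPLE_REQUESTS):
        print(f"request {i}: rule fired={fired}, policy violation={violation}")
    print("missed by rule:", missed_by_rule(SAMPLE_REQUESTS))
```

Of the six samples the rule fires only on the first; the IE 7.0 agent and the altered-case IE 6.0 agent are reported by the policy check alone. If the policy really is "no MSIE at all", the content match should drop the version and carry `nocase;`, and the internal-site exception the diary describes is already expressed by the `$EXTERNAL_NET` destination in the rule header rather than by anything in the payload.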
Links:
http://isc.sans.org/diary.php?storyid=1611 (updated patch matrix)
http://research.eeye.com/html/alerts/AL20060822.html (EEye Alert regarding the code execution)
http://www.microsoft.com/technet/security/advisory/923762.mspx
http://blogs.technet.com/msrc/archive/2006/08/16/447023.aspx (latest MSRC blog article regarding this issue, dated Aug. 16th).
Sandboxie

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

FAQ on PowerPoint 0-day

Published: 2006-08-20,
Last Updated: 2006-08-20 21:14:31 UTC by Marcus Sachs (Version: 1)


As was reported yesterday, there seems to be a new issue with PowerPoint. Reader Juha-Matti has put together a comprehensive FAQ about the situation. He is soliciting comments via his FAQ page; see the links at the bottom. More details coming as this develops.

Marcus H. Sachs
Director, SANS Internet Storm Center

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Trojan dropper in Power Point - a new issue?

Published: 2006-08-19,
Last Updated: 2006-08-19 22:39:43 UTC by Brian Granier (Version: 1)

As pointed out by one of our readers, Juha-Matti, Trend Micro has recently released information about some Trojan droppers in Microsoft PowerPoint. The two links are TROJ_MDROPPER.BH and TROJ_SMALL.CMZ.

These articles are a little light on detail with respect to the inner mechanics of the vulnerability, but they sound very similar to issues reported last July, as you can see in our previous diary. It is possible that these issues are related to MS06-048 and are just a variant of the attack described by Microsoft here. The question remains whether this is truly a new vulnerability, whether Microsoft failed to fix the root cause with MS06-048, or whether MS06-048 already addresses these issues. Trend Micro's claim is that there is no current patch for this issue.

--
T. Brian Granier

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: August 15, 2006
********************************************************************

Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS06-051
  * MS06-047
  * MS06-042
  * MS06-038

Bulletin Information:
=====================

* MS06-051

  - http://www.microsoft.com/technet/security/bulletin/ms06-051.mspx
  - Reason for Revision: File Information updated for Windows 2003 in the "Security Update Section".
  
  - Originally posted: August 8, 2006
  - Updated: August 15, 2006
  - Bulletin Severity Rating: Critical
  - Version: 1.1
    
* MS06-047

  - http://www.microsoft.com/technet/security/bulletin/ms06-047.mspx
  - Reason for Revision: Bulletin updated the "Deployment Information" for "Microsoft Visual Basic for Applications"
    under "Security Update Information" Section.  
  - Originally posted: August 8, 2006
  - Updated: August 15, 2006
  - Bulletin Severity Rating: Critical
  - Version: 1.1
    
* MS06-042

  - http://www.microsoft.com/technet/security/bulletin/ms06-042.mspx
  - Reason for Revision: Bulletin caveats updated with additional information affecting some Internet Explorer 6 Service Pack 1
    customers.  See Knowledge Base Article 923762 for more information.  
  - Originally posted: August 8, 2006
  - Updated: August 15, 2006
  - Bulletin Severity Rating: Critical
  - Version: 1.1
    
* MS06-038

  - http://www.microsoft.com/technet/security/bulletin/ms06-038.mspx
  - Reason for Revision: Bulletin updated "Client Installation File Information" and "Administrative Installation File
    Information" for Office 2003 and Office XP in the "Security Update Section". Provided additional clarity around "What
    updates does this release replace?" regarding MS05-005 for Office XP.
  - Originally posted: July 11, 2006
  - Updated: August 15, 2006
  - Bulletin Severity Rating: Critical
  - Version: 1.3
        
********************************************************************

Analysis of Mocbot Goals (NEW)

Published: 2006-08-15,
Last Updated: 2006-08-15 20:06:26 UTC by Kyle Haugsness (Version: 1)

The folks at LURHQ have done some excellent analysis of the latter stages of Mocbot. Exactly what is the final goal of this bot? Find out here: http://www.lurhq.com/mocbot-spam.html

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: August 14, 2006
********************************************************************

Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS06-040

Bulletin Information:
=====================

* MS06-040

  - http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
  - Reason for Revision: Updated Caveats to reflect publication of KB921883. Revised the impact in "Workarounds" section for blocking identified ports.
  - Originally posted: August 8, 2006
  - Updated: August 14, 2006
  - Bulletin Severity Rating: Critical
  - Version: 1.1

********************************************************************

Dell to recall 4.1 million laptop batteries
But founder says Sony will continue as battery supplier even though it made batteries that could overheat and catch fire.

SAN FRANCISCO (Reuters) -- Dell Inc. said Monday it will recall 4.1 million notebook computer batteries because they could overheat and catch fire, in the biggest recall in its 22-year history.

The world's largest personal computer maker blamed the voluntary recall on lithium-ion batteries made by Sony Corp., which Dell said could in rare cases produce smoke and catch fire.

Dell, which expected no financial impact from the recall, said it would keep Sony as a supplier of notebook batteries.

"We have confidence that they have taken the right countermeasures and the process is now secure. We expect that Sony will continue to be a good supplier of batteries for us," Chairman Michael Dell told reporters in Singapore.

The batteries are also used by other computer makers, including Apple Computer Inc., which said it was looking into the issue. Hewlett-Packard Co. said its notebooks were not affected by the Dell recall, which was issued with the U.S. Consumer Product Safety Commission.

No injuries have been tied to the defect involving the Dell-branded batteries, Dell said. The company has received six reports of batteries overheating, causing damage to furniture and personal belongings, the safety commission said.

Dell spokesman Jess Blackburn said a battery of the type involved in the recall was in a Dell laptop that erupted in flames in Osaka, Japan, recently. The incident was captured in photographs sent across the Internet.

About 2.7 million of the recalled notebooks are in the United States, Blackburn said.

Rick Clancy, a spokesman for Sony Electronics Inc. in the United States, said the financial impact of the recall on Sony "is still not fully determined" and partly depends on how many people participate in the recall.

Shares of Dell were down in extended trading and HP shares rose less than 1 percent.

Masahiro Ono, a Tokyo-based analyst for Morgan Stanley, said Sony would have to at least bear part of the recall cost, but he expected the cost would be limited because only six cases had been reported and the recall rate would likely be fairly low.

"Dell is an important customer for Sony's battery business for personal computers, so there would be some sort of impact on the operations," Ono said. "But realistically speaking, it would be hard for Dell to find another supplier that can provide a large volume of batteries as stably as Sony."

He said Sony's battery business has higher profitability than the average of its other operations but estimated the business generates only about ¥10 billion in annual operating profit, or 5 percent of the group's operating profit of ¥191.3 billion ($1.64 billion) last business year.

Corporate image at stake

The recall comes as Dell tries to refresh its image with a marketing campaign to demonstrate improvements in customer service after the company was hit with complaints of inferior after-sales service. Dell is investing about $100 million this year and hiring 2,000 people in the improvement efforts.

The company also has taken a beating on Wall Street, with its shares falling 47 percent over the past 12 months while rival Hewlett-Packard surged 37 percent. Dell's growth has slowed amid tougher competition.

Dell's image now hinges on how the company manages the recall, said Roger Kay, president of market researcher Endpoint Technologies Associates.

"It could cut either way, depending on how they handle it," Kay said. "The circumstance of failure is an opportunity to touch customers. If they touch them well and kindly, then customers will touch them well, too."

The recall of batteries in machines sold from April 2004 to last month spans Dell's notebook lines, including the Latitude, Inspiron and Precision models, Blackburn said. They ranged in price from $500 to $2,850, Dell said.

Sony and Dell cooperated in investigating and presenting the matter to the consumer safety commission. Neither party has resorted to litigation, Clancy said.

Sony has addressed the safety problem in its lithium-ion battery cells, Clancy said. "Further modifications have been made that provide a greater level of security."

A Sony spokesman in Tokyo said the overheating problem is believed to be specific to batteries supplied to Dell, but recall decisions are up to each PC maker.

Although the battery cells involved -- a key component of battery packs -- are used in packs supplied to other PC makers, the combination of the cells in question and the recharge system embedded in the packs provided to Dell is likely to have caused the problem, he said.

He declined to identify other PC makers that have bought the batteries in question.

The recall involves 18 percent of Dell's 22 million notebook computers sold between April 2004 and July 2006. It also comes three days before Dell is scheduled to report its fiscal second-quarter earnings.

Dell to recall 4.1 million notebook PC batteries - Aug. 14, 2006.

TITLE:
ArcSoft MMS Composer Buffer Overflow Vulnerabilities

SECUNIA ADVISORY ID:
SA21426

RELEASE DATE:
2006-08-11

VERIFY ADVISORY:
http://secunia.com/advisories/21426/

CRITICAL:
Moderately critical

WHERE:
From remote

IMPACT:
DoS
System access

SOFTWARE:
ArcSoft MMS Composer 1.x
ArcSoft MMS Composer 2.x

DESCRIPTION:
Collin Mulliner and Prof. Giovanni Vigna have reported some vulnerabilities in ArcSoft MMS Composer, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

The vulnerabilities are caused due to various boundary errors in the processing of MMS (Multimedia Messaging Service) messages in the M-Notification.ind, M-Retrieve.conf, and SMIL parsers. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into viewing a specially crafted MMS message or by sending a malicious message through a wireless connection via port 2948/udp.

Successful exploitation causes a crash or allows execution of arbitrary code.

It has also been reported that it is possible to send multiple messages to an affected device through a wireless connection via WAPPush via port 2948/udp.

The vulnerabilities have been reported in versions 1.5.5.6 and 2.0.0.13. Other versions may also be affected.


SOLUTION:
Do not open MMS messages from untrusted sources and connect to trusted wireless networks only.


REPORTED BY CREDITS:
Collin Mulliner and Prof. Giovanni Vigna.


ORIGINAL ADVISORY:
http://lists.grok.org.uk/piperma...sclosure/2006-August/048614.html

ArcSoft MMS Composer Buffer Overflow Vulnerabilities.
August 10, 2006
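The "boundary errors" the advisory above names in the M-Notification.ind parser are the familiar pattern of copying a variable-length header field into a fixed-size stack buffer without checking its length. The following is an added example, not ArcSoft's code and not from the advisory: a hypothetical bounds-checked reader for a subset of M-Notification.ind header fields, where the field codes follow the OMA MMS encapsulation (WSP) encoding and the sample PDU is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical hardened reader (added example). Reads one WSP text-string field
 * (optional 0x7F quote prefix, then bytes up to a NUL) into a fixed buffer.
 * Returns bytes consumed including the NUL, or 0 if the field would overrun
 * either the PDU or the destination buffer. */
static size_t read_text_string(const uint8_t *pdu, size_t pdu_len, size_t pos,
                               char *out, size_t out_len)
{
    size_t start = pos, n = 0;
    if (pos < pdu_len && pdu[pos] == 0x7F) pos++;   /* quoted-string marker */
    while (pos < pdu_len && pdu[pos] != 0) {
        if (n + 1 >= out_len)                 /* keep room for the terminator */
            return 0;                         /* oversized field: reject, never copy */
        out[n++] = (char)pdu[pos++];
    }
    if (pos >= pdu_len) return 0;             /* PDU ended before the NUL */
    out[n] = '\0';
    return pos + 1 - start;
}

struct mms_notification { char transaction_id[16]; char content_location[64]; };

/* Parse a subset of M-Notification.ind headers: 0x8C X-Mms-Message-Type (must be
 * 0x82 = m-notification-ind), 0x8D X-Mms-MMS-Version (short integer, high bit set),
 * 0x98 X-Mms-Transaction-Id and 0x83 X-Mms-Content-Location (text-strings).
 * Returns 1 on success, 0 on any truncated, oversized or unknown field. */
int parse_notification(const uint8_t *pdu, size_t len, struct mms_notification *n)
{
    size_t pos = 0, used;
    int have_type = 0;
    while (pos < len) {
        switch (pdu[pos++]) {
        case 0x8C: if (pos >= len || pdu[pos++] != 0x82) return 0; have_type = 1; break;
        case 0x8D: if (pos >= len || !(pdu[pos++] & 0x80)) return 0; break;
        case 0x98: used = read_text_string(pdu, len, pos, n->transaction_id, sizeof n->transaction_id);
                   if (!used) return 0; pos += used; break;
        case 0x83: used = read_text_string(pdu, len, pos, n->content_location, sizeof n->content_location);
                   if (!used) return 0; pos += used; break;
        default:   return 0;                  /* unknown field: refuse rather than guess its length */
        }
    }
    return have_type;
}

/* Constructed sample PDU: message type, transaction id "t1", version 1.0, content location. */
const uint8_t sample_notification[] = {
    0x8C, 0x82, 0x98, 't', '1', 0, 0x8D, 0x90,
    0x83, 'h', 't', 't', 'p', ':', '/', '/', 'm', 'm', 's', 'c', '/', '1', 0 };
```

The reject-on-oversize choice is deliberate: a parser that silently truncates a field still has to agree with every other consumer of that field, whereas dropping the malformed message removes the crash and code-execution path the advisory describes.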

Phishing Alert: Yahoo! Flickr

Websense® Security Labs™ has observed another change in the technique used in Yahoo! phishing attacks. These phishing attacks attempt to capture a user's Yahoo! ID and password by displaying a fake Yahoo! Sign In page. This variant of attack has been on-going for over a year. After the Yahoo! acquisition of Flickr, these attacks have started to shift from targeting Yahoo! Photos to targeting Yahoo! Flickr.

Users receive an email or instant message that claims to be from a friend wanting to show off photos that have been posted to Flickr. The message contains a link to a phishing site, which captures the user's Yahoo! ID and password.

Previous Alert discussing these attacks:
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=296

These phishing sites are primarily hosted in the United States on the free web space provided by the Yahoo! Geocities service.

Phishing site screenshot sample: (screenshot not reproduced)

Websense® - Security Labs Alert: Yahoo! Flickr.

Backdoor.Ranky.X

Risk Level 1: Very Low

Discovered: August 14, 2006
Updated: August 14, 2006 03:46:33 PM GDT
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

SUMMARY

Backdoor.Ranky.X is a back door Trojan horse that allows the compromised computer to be used as a covert proxy. The threat is downloaded by the W32.Wargbot (Blogger's note: the worm that exploits the MS06-040 vulnerability) worm. The threat opens a back door on a randomly chosen TCP port.

Symantec Security Response is currently investigating this threat and will post more information as it becomes available.


Protection

  • Virus Definitions (LiveUpdate™ Daily) August 15, 2006
  • Virus Definitions (LiveUpdate™ Weekly) August 16, 2006
  • Virus Definitions (Intelligent Updater) August 15, 2006
  • Virus Definitions (LiveUpdate™ Plus) August 15, 2006

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Low
  • Payload: Opens a back door on a randomly chosen TCP port.

Distribution

  • Distribution Level: Low

Backdoor.Ranky.X - Symantec.com.

Symantec Backup Exec for Windows Server: RPC Interface Heap Overflow, Authorized User Potential Elevation of Privilege
13 Aug. 2006

Summary:
The Backup Exec for Windows Server and Remote Agents for Windows Server, also used by the Continuous Protection Server and Backup Exec for Netware Server, are vulnerable to heap overflows from specifically formatted internal network calls to RPC interfaces.

Credit:
The information has been provided by Nicolas Pouvesle.
The original article can be found at: http://www.symantec.com/avcenter/security/Content/2006.08.11.html

Details:
Vulnerable Systems:
 * Backup Exec for Windows Server and Remote Agent version 9.1 (9.1.4691)
 * Backup Exec for Windows Server and Remote Agent version 10.0 (10.0.5484)
 * Backup Exec for Windows Server and Remote Agent version 10.0 (10.0.5520)
 * Backup Exec for Windows Server and Remote Agent version 10.1 (10.1.5629)
 * Backup Exec Continuous Protection Server Remote Agent for Windows Server version 10.1 (10.1.325.6301)
 * Backup Exec Continuous Protection Server Remote Agent for Windows Server version 10.1 (10.1.326.1401)
 * Backup Exec Continuous Protection Server Remote Agent for Windows Server version 10.1 (10.1.326.2501)
 * Backup Exec Continuous Protection Server Remote Agent for Windows Server version 10.1 (10.1.326.3301)
 * Backup Exec Continuous Protection Server Remote Agent for Windows Server version 10.1 (10.1.327.401)
 * Backup Exec for Netware Server Remote Agent for Windows Server version 9.1 (All)
 * Backup Exec for Netware Server Remote Agent for Windows Server version 9.2 (All)

Tenable Network Security notified Symantec of heap overflow issues they identified in the RPC interfaces of the Backup Exec for Windows Server and Remote Agents. The Remote Agent for Windows Server (RAWS) is also used by the Continuous Protection Server as well as Backup Exec for Netware Server depending on the customer's network environment. The overflows occur due to improper validation and subsequent handling of user input. Successful exploitation would require the attacker to have authorized but non-privileged access to the network on which the target system resides. A malicious user who attempted such an attack may cause the targeted application to crash but, if successfully exploited, could potentially execute arbitrary code and gain elevated privilege on the targeted system.

Symantec Response:
Symantec engineers did an in-depth review of the reported issues and related file functionality to further enhance the overall security of Symantec Backup Exec for Windows Server and the Remote Agent for Windows Server and to resolve any additional potential concerns. Symantec engineers have addressed these issues in all currently supported versions of the products identified above. Security updates are available for all supported products.

Symantec strongly recommends all customers apply the latest security update as indicated for their supported product versions to protect against threats of this nature.

Symantec knows of no exploitation of or adverse customer impact from these issues.

The patches listed above for affected products are available from the following location:
http://support.veritas.com/docs/284343 for Symantec Backup Exec for Windows Server and Continuous Protection Server and http://support.veritas.com/docs/284623 for Backup Exec for Netware Server.

Best Practices:
As part of normal best practices, Symantec recommends:

 * Restrict access to administration or management systems to authorized privileged users
 * Block remote access to all ports not essential for efficient operation
 * Restrict remote access, if required, to trusted/authorized systems only
 * Remove/disable unnecessary accounts or restrict access according to security policy as required
 * Run under the principle of least privilege where possible
 * Keep all operating systems and applications updated with the latest vendor patches
 * Follow a multi-layered approach to security. Run both firewall and antivirus applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats
 * Deploy network intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latest vulnerabilities

SecuriTeam.

PocketPC MMS Code Injection/Execution Vulnerability
13 Aug. 2006

Summary:
Multiple buffer overflows in MMS parsing code allow denial-of-service and remote code injection/execution via MMS.

Credit:
The information has been provided by Collin Mulliner.
The original article can be found at: http://www.mulliner.org/pocketpc/

Details:
Vulnerable Systems:
 * MMS Composer version 1.5.5.6
 * MMS Composer version 2.0.0.13

1.0) UDP port 2948 open on all interfaces
Devices accept WAPPush via UDP port 2948 on the wireless LAN (Wi-Fi) interface. This is unnecessary and can be used for Denial-of-Service attac