March 2005 - Posts

  This worm uses email and P2P techniques to spread.  It also has backdoor capabilities, allowing remote users to access and perform malicious tasks on affected machines. It can also prevent affected users from accessing certain antivirus and security Web sites by modifying the HOSTS file.  Microsoft never distributes security updates by email.

KRYNOS.B worm - appears as a Microsoft Security update - Select Links Below:

Secunia Information on Krynos B

Trend Micro

Sophos


EMAIL FORMAT USED

From: security@microsoft.com

Subject: Microsoft Security Update

Message body:
* "Vulnerability in Windows Explorer Could Allow Remote Code Execution (612827)"
Affected Software:
* Impact of Vulnerability: Remote Code Execution
* Importance: High
* Maximum Severity Rating: Critical
* Recommendation: Customers should apply the attached update at the earliest opportunity
* Summary:
* Who should read this document: Customers who use Microsoft Windows
* X-Mailer: Secure Microsoft Client, Build 2.1
* X-MimeOLE: Produced By Secure Microsoft Client V2.1
* X-MSMail-Priority: High
* X-Priority: 1 (Highest)

Attachment: UPDATE.ZIP


This worm has the following backdoor capabilities:

* Get, upload, download, or delete a file
* List files in a folder
* Disconnect current user
* Restart the system
* Run a program
* Create or delete a folder
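The HOSTS-file tampering mentioned above (mapping antivirus and security sites to a dead address so the victim cannot download updates or removal tools) is easy to check for. The script below is an added example for this post, not code from the post or from any of the linked vendors: it parses a hosts file, ignores comments, and reports any entry at all for a watched security-vendor domain, since a legitimate hosts file should never need to define those names. The watch list and the sample file content are constructed for the example.

```python
"""Check a hosts file for entries that hijack security-vendor domains.

Added example, not from the original post. A worm that wants to keep its
host from reaching antivirus or update sites typically appends lines such as
"127.0.0.1 www.vendor.com" to the HOSTS file. Any mapping for one of the
watched domains, loopback or otherwise, is therefore reported for review.
"""
import ipaddress

# Constructed watch list: domains a worm is likely to block (an assumption
# for this example, not a list taken from the post or from a vendor).
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "symantec.com", "mcafee.com",
    "trendmicro.com", "sophos.com", "kaspersky.com", "f-secure.com",
)

# Well-known location of the file on Windows NT-family systems.
DEFAULT_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each active mapping.

    Everything after '#' is a comment; blank and malformed lines are skipped.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no hostname maps nothing
        yield line_no, parts[0], [h.lower() for h in parts[1:]]


def is_watched(host):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Return [(line_no, address, host)] for every watched host that is mapped.

    Mapping to 127.0.0.1 or 0.0.0.0 is the classic blocking trick, and mapping
    to any other address is a redirect, so every mapping is reported.
    """
    findings = []
    for line_no, address, hosts in parse_hosts(text):
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # not an address at all; leave it for a human to read
        for host in hosts:
            if is_watched(host):
                findings.append((line_no, address, host))
    return findings


def check_file(path=DEFAULT_HOSTS_PATH):
    """Read a hosts file from disk and return its findings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read())


# Constructed sample of a tampered hosts file (not a real capture).
SAMPLE_HOSTS = """# constructed sample of a tampered hosts file (not a real capture)
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
0.0.0.0         update.microsoft.com   # silently blocks Windows Update
192.168.1.10    intranet.example       # legitimate local entry
"""

if __name__ == "__main__":
    for line_no, address, host in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {address}  (watched domain, review)")
```

Run it against the live file with `check_file()`; an empty result means no watched domain is defined in the file, which is the expected state on a clean machine.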

  Here's a brand new virus variant that disguises itself as an SP2 update.  Reading over the technical description, this one will give someone good training in the use of REGEDIT, if they have to clean an infected PC.

W32.Elitper.E@mm

Subject of email: Microsoft SP2 Update Urgent Download It
Name of attachment: SP2 UPDATE.EXE

Click Here for Latest HIPAA Guidelines

Special Publication 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, March 2005

Adobe .pdf (1,725 KB)
Zipped .pdf file (1,378 KB)

W32.Mytob.M@mm

W32.Mytob.O@mm

W32.Mytob.K@mm

W32.Mytob.L@mm

W32.Mytob.M@mm is a mass-mailing worm with back door capabilities. The worm uses its own SMTP engine to send email to addresses that it gathers from the compromised computer. The worm also spreads by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow, as described in Microsoft Security Bulletin MS04-011.

EMAIL MESSAGES TO BLOCK OR AVOID

Subject: One of the following:

  • Good day
  • hello
  • Mail Delivery System
  • Mail Transaction Failed
  • Server Report
  • Status
  • Error
  • [No Subject]
  • [random letters]

Message: One of the following:
  • Here are your banks documents.
  • The original message was included as an attachments.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.
  • [Random data]

Attachment: One of the following:
  • document
  • readme
  • doc
  • text
  • file
  • data
  • test
  • message
  • body
  • [random letters]

with one of the following extensions:
  • .bat
  • .cmd
  • .exe
  • .pif
  • .scr
  • .zip
Users should upgrade to the latest version.  I use Firefox 1.0.2 as a complementary browser on all my Windows systems.  For the first time I experimented with the new upgrade feature and it worked in an accurate manner (although I don't have special themes or extensions installed).  The clean installation technique is also noted in the link at the bottom.

    Mozilla releases security updates for browser & email products
    http://isc.sans.org/diary.php?date=2005-03-23

"Mark Dowd of the ISS X-Force discovered a GIF library overflow condition that could be used to execute arbitrary code with the rights of the browser or mail client process. Mozilla Foundation software makes use of a common image library to render GIF images. This library contains a buffer overflow vulnerability when processing a Netscape-specific extension block in GIF images.

Exploitation of this buffer overflow can lead to remote compromise of affected machines with minimal user-interaction. In order to exploit this vulnerability, an attacker would be required to induce the victim to view a web page or email message containing a maliciously-crafted GIF image."  Firefox 1.0.2, Thunderbird 1.0.2, and Mozilla Suite 1.7.6 address this and two other less serious bugs.

    Mozilla advisories:
    http://www.mozilla.org/security/announce/mfsa2005-32.html
    http://www.mozilla.org/security/announce/mfsa2005-31.html
    http://www.mozilla.org/security/announce/mfsa2005-30.html

    Downloads Available at:
    http://www.mozilla.org/

    More details and installation techniques for Firefox 1.0.2
    http://forums.mozillazine.org/viewtopic.php?t=240048

The ISC suggests that companies formulate policies on log file retention to meet various legal requirements like Sarbanes-Oxley, HIPAA, and other needs.  This could require storing seven years of detailed log file history (but hopefully using a compressed format and DLT tape backups in an organized manner).

    http://isc.sans.org/diary.php?date=2005-03-22

It's a good idea to develop a log retention policy for your site. This should include what type of information is stored; for how long; online vs offline; and whether the data is confidential.  A good starting point would be to store compressed copies of your audit logs (syslog or event logs), firewall logs (network or host), and IDS logs (alert logs at a minimum; full packet trace retention would depend on the needs and requirements of your site) for at least 60 days.

    A few of the legal requirements highlighted:

    The Health Insurance Portability and Accountability Act (HIPAA) - Affects healthcare industry. Logs should be retained up to 6 years.

    National Industrial Security Program Operating Manual (NISPOM) - Specifies log retention of at least one year.

    The Sarbanes-Oxley Act (SOX) - Affects US Corporations. Specifies retaining audit logs for up to seven years.

    VISA Cardholder Information Security Program (CISP) - Specifies retaining audit logs for at least six months.

    "McAfee urges all customers to verify that they have installed and deployed the 4436 DAT [or higher] and/or the 4400 Scan Engine." While DAT file 4436 will detect the vulnerability if it occurs in-the-wild, it is better to permanently patch this security exposure by moving to Scan engine 4400.

    McAfee AV LHA Vulnerability - Upgrade to Engine 4400 & latest DATs
    http://us.mcafee.com/root/support.asp?id=4320_faqs

McAfee VirusScan vulnerability for archived files
    http://msmvps.com/harrywaldron/archive/2005/03/19/39041.aspx

A vulnerability in McAfee's VirusScan has been discovered which can be triggered by scanning a specially crafted archived file.  This can be corrected by using the latest DAT files and engine.

    http://isc.sans.org/diary.php?date=2005-03-18

    http://xforce.iss.net/xforce/alerts/id/190

    http://www.auscert.org.au/render.html?it=4908

    McAfee AntiVirus Library Stack Overflow

    The ISS X-Force has another notch in their belt today, releasing information about a flaw they have discovered in AntiVirus Library versions prior to 4400. To exploit this vulnerability, an attacker is required to craft a custom LHA Archive file which will allow the attacker to run arbitrary code on the McAfee protected system when the file is scanned for viruses.

Boston College did the responsible thing by warning all graduates in their database even though they are not certain of the extent of accounts accessed.

    http://www.msnbc.msn.com/id/7221456/

    BOSTON - Boston College officials have warned 120,000 alumni that their personal information may have been stolen when an intruder hacked into a school computer containing the addresses and Social Security numbers of BC graduates.

    Officials don't believe the hacker accessed the personal information, but instead planted a program that could be used to launch attacks on other machines. Still, amid rising concerns about identity theft, the school sent letters to its alumni. "As a precaution we have chosen to alert the entire database," Dunn said of the letters sent last Friday.

The Internet Storm Center reports that a highly automated home page hijacking attack is occurring on vulnerable servers and workstations using MS05-001 and MS05-002 exploits.  A Google search this morning notes that the 7sir7 hacker site is shut down, but affected PCs would still attempt to go there.

    Entire web farms hacked to serve up the 7sir7 redirect
    http://isc.sans.org//diary.php?date=2005-03-13
    http://www.google.com/search?&q=7sir7

    quote:

We have received reports and evidence that a number of companies that provide shared hosting web servers have had their servers exploited and all of the customer homepages modified so that visitors are attacked. In one case, a Perl script was used to modify each customer's homepage with the additional IFRAME snippet that fellow handler Lorna had already reported in the diary two days ago. The Perl script reads in the web server configuration (httpd.conf) on a compromised server, and then appends the malicious iframe code to all the index.html pages of all the virtual hosts available on this server. The same reader who managed to isolate this script has also contributed a script written by himself to clean up the affected pages. If you shout loud enough, we might include it in tomorrow's diary :-)

    The page at 7sir7 is making use of several recent vulnerabilities in order to download and install malware on the PC of whoever visits the site.

    - Exploits the .ANI cursor vulnerability (MS05-002)
    - Exploits the HTML Help Cross Domain Vulnerability (MS05-001)


If successful, the exploits drop either of two files "mhh.exe" or "sr.exe", both of which so far are only recognized by Kaspersky and called (not-a-virus: AdWare.ToolBar.SearchIt.h). The files have been submitted to the other AV vendors.

The following were the most widely used AV products based on Frost & Sullivan's research from 2004.

    Top 10 Anti-Virus products in 2004:
    1. Symantec 38.1%
    2. NAI 21.2%
    3. Trend Micro 15.2%
4. Sophos 3.6%
    5. Computer Associates 3.4%
    6. Sybari 2.1%
    7. Panda 1.9%
    8. F-Secure 1.4%
    9. Kaspersky 1.0%
10. Norman 0.9%

      Trend shares a preliminary report of a new email worm designed to trick users by pretending to be a non-delivery error message of an earlier email that they may have sent out.  Users should always be careful with these types of attachments.

    CHOD.A email worm - uses non-delivery text to trick users
    http://secunia.com/virus_information/16212/chod.a/
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FCHOD%2EA

    FORMAT OF EMAIL TO BLOCK OR AVOID

    Subject: (any of the following)

    • Your computer may have been infected
    • Warning - you have been infected!

    Message Body: (any of the following)

    • Your computer may have been infected Warning - you have been infected!

    • Your message was undeliverable due to the following reason(s):

    Your message could not be delivered because the destination server was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.

    Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.

    Your original message has been attached.

    Attachment: (any of the following)
    • netsky_removal.exe
    • removal_tool.exe
    • message.pif
    • message.scr
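A gateway-side triage rule that covers both the Mytob lists earlier on this page and this CHOD.A mailing, added here as an example; it is not code from the original post, Trend Micro, Secunia or Symantec. The subject, body and attachment strings come straight from the two lists above. Everything else (the point scoring, the quarantine threshold and the sample messages) is an assumption constructed for the example. The point of scoring rather than matching single strings is that a subject such as "Status" or "hello" is far too common to block on its own; it is the combination of a generic subject, bounce-style or scare-style body text and an executable attachment that marks these worms.

```python
"""Score inbound mail against the Mytob and CHOD.A lure patterns listed above.

Added example, not from the original post or from the antivirus vendors.
Lure strings are taken from the lists on the page; thresholds and samples
are constructed for this example.
"""
from dataclasses import dataclass, field

# Subjects from the Mytob list (generic bounce-style) and the CHOD.A list
MYTOB_SUBJECTS = {"good day", "hello", "mail delivery system",
                  "mail transaction failed", "server report", "status", "error"}
CHOD_SUBJECTS = {"your computer may have been infected",
                 "warning - you have been infected!"}

# Body phrases from both lists, lower-cased for matching
LURE_PHRASES = (
    "here are your banks documents",
    "original message was included as an attachment",
    "sent as a binary attachment",
    "partial message is available",
    "your computer may have been infected",
    "your message was undeliverable",
    "your original message has been attached",
)

# Attachment base names from both lists; random-letter names are not matched
# by name, but still score on extension and body text.
MYTOB_NAMES = {"document", "readme", "doc", "text", "file", "data",
               "test", "message", "body"}
CHOD_NAMES = {"netsky_removal", "removal_tool", "message"}
EXEC_EXT = {".bat", ".cmd", ".exe", ".pif", ".scr", ".zip"}


@dataclass
class Message:
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def split_name(filename):
    """'message.pif' -> ('message', '.pif'); last extension wins for 'doc.txt.exe'."""
    name = filename.lower().rsplit("/", 1)[-1]
    if "." not in name:
        return name, ""
    base, ext = name.rsplit(".", 1)
    return base, "." + ext


def score(msg):
    """Return (points, reasons). Thresholds (an assumption): 3+ quarantine, 2 review."""
    points, reasons = 0, []
    subj = msg.subject.strip().lower()
    if subj in CHOD_SUBJECTS:
        points += 2
        reasons.append("CHOD.A scare subject")
    elif subj in MYTOB_SUBJECTS or subj == "":
        points += 1
        reasons.append("generic or empty subject (Mytob list)")
    body = msg.body.lower()
    if any(phrase in body for phrase in LURE_PHRASES):
        points += 1
        reasons.append("fake bounce or scare text in body")
    for att in msg.attachments:
        base, ext = split_name(att)
        if ext in EXEC_EXT:
            points += 1
            reasons.append(f"executable or archive attachment {att}")
            if base in MYTOB_NAMES or base in CHOD_NAMES:
                points += 1
                reasons.append(f"worm-style attachment name {att}")
            break  # one risky attachment is enough to score the message
    return points, reasons


def verdict(msg):
    points, _ = score(msg)
    if points >= 3:
        return "quarantine"
    if points == 2:
        return "review"
    return "deliver"


# Constructed sample messages (not real captures)
SAMPLES = {
    "mytob": Message("Mail Transaction Failed",
                     "Mail transaction failed. Partial message is available.",
                     ["message.scr"]),
    "chod": Message("Warning - you have been infected!",
                    "Your message was undeliverable due to the following reason(s):\n"
                    "Your original message has been attached.",
                    ["netsky_removal.exe"]),
    "legit": Message("Status", "Hi, the Q1 status report is attached.",
                     ["q1_status.pdf"]),
    "borderline": Message("hello", "see attached", ["photos.zip"]),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        points, reasons = score(msg)
        print(f"{name:10s} {verdict(msg):10s} {points} {reasons}")
```

The "legit" sample shows why the generic subject alone must not block: it scores one point and is delivered, while the zipped attachment with a one-word subject lands in review rather than quarantine because nothing else about it matches.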

A web beacon is typically a hidden image (usually 1x1 pixels) placed on a website to capture customer data. It allows the site to capture the actions of the user as they move through pages on a site containing the beacon. Most sites use beacons responsibly to capture general marketing or site visitation statistics.  Still, on a questionable site there is always the opportunity for someone to misuse this information.

    What are Web Beacons?

    Why are they invisible images?

    How do Web Beacons work?

    Why do websites use Web Beacons?

    Can I opt out of Web Beacons?
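Two of the items on this page come down to the same inspection: the 7sir7 incident above, where an injected IFRAME on every virtual host's index.html pulled attack content from another site, and the 1x1 tracking images described here. The scanner below is an added example (not the ISC reader's clean-up script, and not from the original post) that walks the tags of an HTML page and reports off-site iframes, hidden frames, and tiny or hidden off-site images. It assumes you know the site's own hostname; the sample page is constructed for the example and its hostnames are placeholders.

```python
"""Flag injected off-site IFRAMEs and 1x1 beacon images in HTML.

Added example, not from the original post. Relative URLs are treated as
same-site; only an absolute src on a different host counts as off-site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class SuspectElementScanner(HTMLParser):
    """Collect (kind, src, reason) for elements a site owner should look at."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def _offsite(self, src):
        host = urlparse(src).hostname
        return host is not None and host.lower() != self.site_host

    @staticmethod
    def _hidden(attrs):
        style = attrs.get("style", "").replace(" ", "").lower()
        return "display:none" in style or "visibility:hidden" in style

    @staticmethod
    def _tiny(attrs):
        w, h = attrs.get("width", "").strip(), attrs.get("height", "").strip()
        return w in ("0", "1") and h in ("0", "1")

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not src:
            return
        if tag == "iframe":
            reasons = []
            if self._offsite(src):
                reasons.append("off-site source")
            if self._tiny(a) or self._hidden(a):
                reasons.append("hidden frame")
            if reasons:
                self.findings.append(("iframe", src, ", ".join(reasons)))
        elif tag == "img" and self._offsite(src):
            if self._tiny(a):
                self.findings.append(("img", src, "off-site 1x1 beacon"))
            elif self._hidden(a):
                self.findings.append(("img", src, "off-site hidden image"))


def scan_html(html, site_host):
    """Return the list of suspect elements found in one page."""
    scanner = SuspectElementScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def scan_files(paths, site_host):
    """Scan several files (for instance every vhost's index.html); return {path: findings}."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = scan_html(fh.read(), site_host)
        if findings:
            results[path] = findings
    return results


# Constructed sample page; hostnames are placeholders, not real sites.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<img src="/images/logo.gif" width="200" height="80">
<img src="http://stats.tracker.example/pixel.gif" width="1" height="1">
<iframe src="http://attacker-placeholder.example/x.html" width="0" height="0"></iframe>
<iframe src="/help/embed.html" width="300" height="200"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for kind, src, reason in scan_html(SAMPLE_PAGE, "www.example.test"):
        print(f"{kind:6s} {reason:30s} {src}")
```

On a shared host the useful call is `scan_files(...)` over every virtual host's index page, since the injection described above touched all of them at once; a frame reported as both "off-site source" and "hidden frame" is the shape of that injection, while a lone off-site 1x1 image is the ordinary beacon this post describes.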

       

Similar to the ChoicePoint.com data theft last month, Lexis Nexis, an information management company, experienced a recent security breach.  This second major incident impacts 32,000 US citizens, as highly sensitive and entrusted personal information was obtained by hackers.

    Fox news
    CBS news
    WISTV

    Quotes:  NEW YORK — Using misappropriated passwords and identifications from legitimate customers, intruders got access to personal information on as many as 32,000 U.S. citizens in a database owned by Lexis-Nexis, the company's corporate parent said today.

    U.S. federal and company investigators were looking into the breach at Seisint, which was recently acquired by Lexis Nexis and includes millions of personal files for use by such customers as police and legal professionals. And the FBI and the Secret Service are both investigating the breach.

    Information accessed included names, addresses, Social Security and driver's licence numbers, but not credit history, medical records or financial information, corporate parent Reed Elsevier Group PLC said in a statement.

      Windows 98 and ME are legacy Operating Systems which are being maintained on extended support by Microsoft Security.  Security releases for 98 and ME will generally follow the security updates made for XP and 2000. 

    Several critical updates for calendar year 2005 are now available through the Windows Update process for 98 and ME. In updating one of our home PCs, six critical updates were applied and everything is working well so far.  

    Windows 98 and ME Security updates available under Windows Update
    http://www.techweb.com/wire/security/159400240

Windows Update Link for 98 and ME
    http://www.microsoft.com/windowsupdate
