April 2005 - Posts

  A new vulnerability was discovered in Netscape this week.  Netscape incorrectly handles GIF files, which could lead to a buffer overflow that is remotely exploitable through a specially crafted GIF file.

http://secunia.com/advisories/15103/

Secunia Advisory: SA15103   
Release Date: 2005-04-26
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Netscape 6.x   Netscape 7.x

  I heard this interesting account on Paul Harvey's news summary a couple of days ago

SUMMARY: A hacker was trying to get back at a forum moderator after being kicked out for misbehaving. He needed the IP address to enter into his hack-tool, so the forum moderator cooperated and gave him an IP# -- the hacker's own IP address ... He entered the IP# in his hacking software ... He then disappeared off the Internet and hasn't been heard from since ...

Darwin Award goes to a young Hacker
http://isc.sans.org/diary.php?date=2005-04-29

Darwin Was Right. For those who don't hang out on Slashdot, there is a very amusing story going around about a young hacker who tried to raid an opponent's computer after being kicked out of a chat channel. Even Paul Harvey mentioned it today in his radio show.

Note -- Due to inappropriate language, the actual detailed account wasn't shared. It can be found in the ISC link above.

  This new virus is also destructive, as it will damage Windows Repair files

MS04-011 Banish.A Worm

This worm may propagate by taking advantage of the LSASS vulnerability. Information on this exploit can be found from the following link:  Microsoft Security Bulletin MS04-011

It also propagates via email using the following details:

Subject: (Any of the following)
• Here are the details.
• Ok. Read the attached instructions to solve the problem.
• Re: Thank you for your choice.
• Thank you for shopping. This mail contains your invoice.
• Thank you. Your credit card was processed successfully.
Attachment: ZIP extension {File name taken from files found in the Windows recent documents folder}

It deletes files found in the Windows repair folder.

   Hopefully, this malicious website will be shut down by the authorities soon

Dangerous website -- Please don't misspell Google
http://www.f-secure.com/v-descs/googkle.shtml

F-Secure staff has found a malicious website that utilizes a spelling error when typing the name of the popular search engine - 'Google.com'. If a user opens a malicious website, his/her computer gets hijacked - a lot of different malware gets automatically downloaded and installed: trojan droppers, trojan downloaders, backdoors, a proxy trojan and a spying trojan. Also a few adware-related files are installed.

The name of the malicious website is 'Googkle.com'. PLEASE DO NOT GO TO THIS WEBSITE! Otherwise your computer will get infected! We have reported the case to the authorities.
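The Googkle.com case works because a one-letter typing slip lands on a domain the attacker registered. The following is an added example, not from the original post or from F-Secure: it scores observed domain names against a brand watch list with Damerau-Levenshtein distance (insert, delete, substitute, adjacent swap), the kind of check a DNS log review or domain-monitoring job can run to surface look-alikes before users reach them. The brand list and the domains other than google.com and googkle.com are constructed samples.

```python
"""Flag domains that are a small edit away from a protected brand name.

Added example (not from the original post). Scores candidate domains against
a brand list with Damerau-Levenshtein distance so that typo-squats such as
'googkle.com' (from the F-Secure report above) are surfaced. All other domain
names below are constructed samples.
"""


def damerau_levenshtein(a: str, b: str) -> int:
    # Optimal string alignment distance: the classic edit-distance table with
    # an extra case for two adjacent characters swapped (a common typo).
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,         # deletion
                d[i][j - 1] + 1,         # insertion
                d[i - 1][j - 1] + cost,  # substitution
            )
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def registrable_label(domain: str) -> str:
    # Compare only the second-level label: 'www.googkle.com' -> 'googkle'.
    # Assumes a one-part public suffix such as '.com'; production tooling
    # would consult a public-suffix list instead.
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def find_lookalikes(domains, brands, max_distance=2):
    """Return (domain, brand, distance) for every domain whose label is within
    max_distance edits of a brand label but is not the brand itself."""
    hits = []
    for domain in domains:
        label = registrable_label(domain)
        for brand in brands:
            dist = damerau_levenshtein(label, brand)
            if 0 < dist <= max_distance:
                hits.append((domain, brand, dist))
    return hits


# Constructed sample: a brand watch list and a handful of observed domains.
PROTECTED_BRANDS = ["google", "mozilla"]
OBSERVED_DOMAINS = [
    "google.com",       # legitimate, distance 0 -> not flagged
    "googkle.com",      # the typo-squat named in the F-Secure report
    "www.mozila.org",   # constructed: one deleted letter
    "example.com",      # constructed: unrelated, far from every brand
]

if __name__ == "__main__":
    for domain, brand, dist in find_lookalikes(OBSERVED_DOMAINS, PROTECTED_BRANDS):
        print(f"{domain}: looks like '{brand}' (distance {dist})")
```

A distance threshold of 2 catches single slips and swapped letters; raising it quickly produces noise on short brand names, so in practice the threshold is tuned per brand length.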

Windows XP

Windows XP x64 debuted on April 25, 2005.  There is still much work ahead before the Windows 64-bit environment becomes mainstream, but it's now a product available for x64 PCs.  Hardware vendors will need to write 64-bit APIs, and applications must be reengineered to take advantage of the native architecture.  Still, this is a noteworthy advancement by Microsoft and provides a promise for the future for PCs built around AMD 64 and Intel 64 technologies.  Microsoft is also offering a free upgrade to existing XP users on the x64 PC platforms, which is good through July 2005.

Windows XP x64 - Home Page
http://www.microsoft.com/windowsxp/64bit/default.mspx

Free Upgrade for x64 PCs
http://www.microsoft.com/windowsxp/64bit/upgrade/default.mspx

Top 5 Reasons to get XP 64

http://www.microsoft.com/windowsxp/64bit/evaluation/top5.mspx

High performance platform for the next generation of applications

Windows XP Professional x64 Edition is a rich platform that enables the next generation of high-performance computing. 64-bit native applications can deliver more data per clock cycle, making them run faster and more efficiently.

Large memory support

Windows XP Professional x64 Edition supports up to 128 gigabytes (GB) of RAM and 16 terabytes of virtual memory, enabling applications to run faster when working with large data sets. Applications can preload substantially more data into virtual memory, allowing rapid access by the 64-bit processor.

Flexibility

Windows XP Professional x64 Edition provides a rich platform to integrate 64-bit applications and existing 32-bit applications using the Windows on Windows 64 (WOW64) x86 emulation layer, providing customers with the ability to move to 64-bit computing without having to sacrifice their existing investment in 32-bit software and Windows expertise.

Multiprocessing and multicore

Windows XP Professional x64 Edition is designed to support up to two single or multicore x64 processors for maximum performance and scalability.

Same programming model

Developers with 32-bit skills will be comfortable and quickly productive in the 64-bit Windows environment, finding it virtually identical to the development environment for 32-bit Windows.

WEBCAST:  Windows XP 64

Thursday, April 28, 2005: 10:00 AM Pacific time
http://support.microsoft.com/kb/896031

In this WebCast, Microsoft MVP Charlie Russel describes Microsoft Windows XP Professional x64 Edition and the hardware that supports it. Microsoft experts will participate in the WebCast to help answer questions. Charlie will also tell you where to turn in the online community when you need help and have more questions about Windows XP Professional x64 Edition.

Symantec United States

http://securityresponse.symantec.com/

latest virus threats

W32.Spybot.OBZ

W32.Kelvir.AN

W32.Velkbot.A

W32.Kelvir.AL

Trojan.Goldun.E

Trojan.Zhopa

  This BHO-based trojan horse is not widespread, but it does exploit an unpatched vulnerability.

Backdoor.Ryejet.B - Exploits an unpatched Jet DB vulnerability

Backdoor.Ryejet.B is a back door Trojan horse that allows unauthorized remote access to a compromised computer. The Trojan is installed as a Browser Helper Object, and may be distributed embedded in a malformed .mdb file that exploits the Microsoft Jet Database Engine Malformed Database File Buffer Overflow Vulnerability (BID 12960).

Microsoft Jet Database Engine Malformed Database File Buffer Overflow Vulnerability

 This article, and particularly the diagram, provide good insight into DNS cache poisoning

Poisoning the Internet - Article

Poisoning the Internet - Diagram

  Most Sober variants can spread quickly, as both the social engineering and the technical characteristics are advanced for this family of viruses

http://secunia.com/virus_information/17277/sober.n/
http://secunia.com/virus_information/16824/win32.sober.m/

W32.Sober.N@mm is a mass-mailing worm that uses its own SMTP engine to spread. It sends itself as an email attachment to addresses gathered from the compromised computer. The email may be in either English or German.

Subject of email: FwD: Ich bin's nochmal or I've_got your EMail on my_account!
Name of attachment: Private-Texte.zip or your_text.zip
Size of attachment: 73,541 bytes
Ports: TCP port 21
Compromises security settings: Attempts to terminate security-related processes.


Quote:
EMAIL Format -- German version

From: <Spoofed>

Subject: FwD: Ich bin's nochmal

Message: Verdammt,,,,ich hatte vergessen Dir meinen Text mitzuschicken.Aber bitte nicht woanders darueber Reden, ich wuerde mich dann zu Tode blamieren! Ich melde mich. Bis bald Wink

Attachment: Private-Texte.zip


Quote:
EMAIL Format -- English version

From: <Spoofed>

Subject: I've_got your EMail on my_account!

Message: Hello, First, Very Sorry for my bad English. Someone is sending your private e-mails on my address. It's probably an e-mail provider error! At time, I've got over 10 mails on my account, but the recipient are you. I have copied all the mail text in the windows text-editor for you & zipped then. Make sure, that this mails don't come in my mail-box again. bye

Attachment: your_text.zip

  http://www.f-secure.com/weblog/

Proof-of-concept exploits for the popular Mozilla and Firefox web browsers have been posted on public mailing lists. They target the following vulnerabilities:

- Code execution through favicons link
- Arbitrary code execution from Firefox sidebar panel

These exploits allow the attacker to run arbitrary commands on Firefox before version 1.0.3 and Mozilla before version 1.7.7.

We advise all Mozilla and Firefox users to immediately patch their browsers. Otherwise you might get nasty stuff happening on your computer just by surfing to the wrong site.

Click here: Update instructions for Firefox 1.0.3


Mozilla has released new versions of Firefox and the Suite to fix several security vulnerabilities, including the JavaScript engine flaw.

Mozilla Firefox 1.0.3 released for several security issues
http://www.eweek.com/article2/0,1759,1787270,00.asp

Users who are upgrading from prior versions of Firefox or the Mozilla Suite should uninstall and reinstall according to the "Clean Installation" instructions link below.  This will ensure existing bookmarks and settings are preserved in the Mozilla profile folders.  

Mozilla Home Page - Download Links for new versions 
http://www.mozilla.org/

Instructions for the "Clean Installation" process to remove older versions
http://forums.mozillazine.org/viewtopic.php?t=251238


This new variant emerged over the weekend, and the Tooso trojan that it drops blocks AV and other security repairs, making this virus even more difficult to clean.  

Beagle.BN Description

Tooso - Security Blocking Trojan dropped by Beagle.BN

EMAIL TO AVOID/BLOCK

The mailer component attempts to email a copy of Trojan.Tooso.G to the email addresses contained in the downloaded file. The email has the following characteristics:

From: <Spoofed>

Subject: <Blank>

Message: The password is; Password:

Attachment:
Make.zip
Price.zip
Forest.zip
Verses.zip
Fairy_tale.zip
It_about_you.zip
I_know_you.zip


Additional attachment: An *.rar file contains an executable file named 123456.exe which is a copy of Trojan.Tooso.G. This is the executable that is responsible for downloading the mailer component.
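Both the Sober.N description earlier on this page and the Beagle.BN/Tooso.G description above give enough detail (subject lines, attachment names, attachment size, body text) to write gateway rules. The block below is an added example, not from the original post or from Symantec: it encodes those quoted indicators as rules and runs them over constructed sample messages built with Python's standard email package, requiring an attachment-name hit plus a second indicator before it reports a family, so that a lone blank subject or a lone zip name does not trigger on its own. The sender addresses, message bodies and the non-Sober attachment sizes in the samples are constructed.

```python
"""Match inbound mail against the worm e-mail indicators quoted on this page.

Added example, not part of the original post or of the Symantec advisories.
Subjects and attachment names come from the Sober.N and Beagle.BN/Tooso.G
descriptions above; sample senders, bodies and the non-Sober sizes are
constructed.
"""
from email import message_from_string
from email.message import EmailMessage

# Indicators quoted from the page. Subject and filename matching is
# case-insensitive; the Sober.N size is the exact attachment length given there.
RULES = {
    "Sober.N": {
        "subjects": {"fwd: ich bin's nochmal", "i've_got your email on my_account!"},
        "attachments": {"private-texte.zip", "your_text.zip"},
        "size": 73541,
    },
    "Beagle.BN/Tooso.G": {
        "subjects": {""},  # the advisory lists the subject as blank
        "attachments": {"make.zip", "price.zip", "forest.zip", "verses.zip",
                        "fairy_tale.zip", "it_about_you.zip", "i_know_you.zip"},
        "body_marker": "the password is",
    },
}


def extract_features(raw: str):
    """Pull the subject, plain-text body and (filename, size) pairs from a raw message."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    body, attachments = "", []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            payload = part.get_payload(decode=True) or b""
            attachments.append((filename.lower(), len(payload)))
        elif part.get_content_type() == "text/plain":
            body += (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    return subject, body.lower(), attachments


def classify(raw: str):
    """Return [(family, reasons)] for every family whose rules the message matches.

    A family is reported only when an attachment name is on its list AND at
    least one more indicator (subject, size or body text) agrees.
    """
    subject, body, attachments = extract_features(raw)
    names = {name for name, _ in attachments}
    verdicts = []
    for family, rule in RULES.items():
        reasons = []
        if subject in rule["subjects"]:
            reasons.append("subject")
        if names & rule["attachments"]:
            reasons.append("attachment-name")
        if "size" in rule and any(size == rule["size"] for _, size in attachments):
            reasons.append("attachment-size")
        if "body_marker" in rule and rule["body_marker"] in body:
            reasons.append("body")
        if "attachment-name" in reasons and len(reasons) >= 2:
            verdicts.append((family, reasons))
    return verdicts


def build_sample(subject: str, body: str, filename: str, size: int) -> str:
    """Construct a multipart message carrying a zip attachment of the given size."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"   # constructed sender
    msg["To"] = "user@example.invalid"        # constructed recipient
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"\0" * size, maintype="application", subtype="zip",
                       filename=filename)
    return msg.as_string()


# Constructed samples modelled on the two advisories quoted above.
SOBER_SAMPLE = build_sample("FwD: Ich bin's nochmal", "constructed body text",
                            "Private-Texte.zip", 73541)
BEAGLE_SAMPLE = build_sample("", "The password is; Password: 1234",
                             "Forest.zip", 2048)
BENIGN_SAMPLE = build_sample("Quarterly figures", "See attached.",
                             "report.zip", 4096)

if __name__ == "__main__":
    for label, raw in [("sober", SOBER_SAMPLE), ("beagle", BEAGLE_SAMPLE),
                       ("benign", BENIGN_SAMPLE)]:
        print(label, classify(raw) or "no match")
```

The two-indicator requirement is the important design choice: attachment names such as Price.zip or Forest.zip are plausible in ordinary mail, so a rule that blocks on the name alone would quarantine legitimate traffic, whereas pairing the name with the blank subject or the quoted body text keeps the rule specific to the campaign described.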

  It is important to quickly patch corporate and home systems as three "proof of concept" exploits have been quickly developed following the April 12th security updates from Microsoft.

http://isc.sans.org/diary.php?date=2005-04-13

MS05-016 - Windows Shell Vulnerability
http://www.milw0rm.com/id.php?id=938
http://www.securityfocus.com/bid/13132/exploit/

MS05-017 - Message Queueing Vulnerability
https://www.immunitysec.com/pipermail/dailydave/2005-April/001719.html

MS05-020: DHTML Proof of Concept Exploit Developed
http://msmvps.com/harrywaldron/archive/2005/04/13/41970.aspx

MS05-020: DHTML Proof of Concept Exploit Developed
http://isc.sans.org/diary.php?date=2005-04-12

MS05-020 - Cumulative Security Update for Internet Explorer. This aggregate patch addresses several vulnerabilities in Internet Explorer that could lead to remote code execution:

* DHTML Object Memory Corruption Vulnerability (CAN-2005-0553)
* URL Parsing Memory Corruption Vulnerability (CAN-2005-0554)
* Content Advisor Memory Corruption Vulnerability (CAN-2005-0555)

Special note: A proof-of-concept exploit for this vulnerability is already publicly available from FrSIRT. The availability of the exploit is likely to increase the severity of this patch for most organizations.

French Security Incident Response Team
http://www.frsirt.com/english/

Microsoft Internet Explorer DHTML Object handling Exploit (MS05-020) - Please be careful as actual POC code is present in this link 
http://www.frsirt.com/exploits/20050412.InternetExploiter2.php

This virus family continues to be actively developed.  This advanced virus can spread by email or through unpatched Windows systems.  It is spoofed to appear to be an undeliverable message issue. 

- MYTOB.BH Reported by Trend Micro
- MYTOB.BG Reported by Trend Micro
- MYTOB.BD Reported by Trend Micro
- MYTOB.AT Reported by Trend Micro
- MYTOB.AY Reported by Trend Micro
- MYTOB.BF Reported by Trend Micro
