Harry Waldron - Corporate IT Security

  Please be careful with all email messages containing Microsoft Access attachments. This new exploit capitalizes on an unpatched MS Jet Engine vulnerability that creates a compromise to system security until the Trojan Horse is removed. 

While this new zero day attack is very rare, it could could surprise individuals if we were massively spammed in the wild, Microsoft Access data base email attachments are usually thought of as being safe to open.  Thus we should always be cautious on ANY attachment type and the best practice is to never open attachments regardless of whether they appear safe or not. 

Backdoor.Hesive - Zero Day MS Jet Engine Exploit
http://secunia.com/virus_information/21954/hesive/

Backdoor.Hesive is a Trojan horse that opens a back door on the compromised computer and allows a remote attacker unauthorized access. The Trojan may arrive as a Microsoft Access file that exploits the Microsoft Jet Database Engine Malformed Database File Buffer Overflow Vulnerability (described in Bugtraq ID 12960).


Microsoft Jet Database Engine Malformed Database File Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/12960/info

Solution: Currently we are not aware of any vendor-supplied patches for this issue

Allows the remote attacker the ability to perform the following actions:

List active ports
List processes, services, and threads
Download and execute remote files
Upload files
Run a system shell
Modify registry values
End processes
Get system information
Get network information
Post collected data to hostile web site

  F-Secure was the top corporate choice, based on it's real-time effectiveness in stopping a broad range of spyware and adware infections.

InfoWorld - Corporate Spyware Product Evaluations

F-Secure selected as top corporate Spyware product overall

QUOTE:   F-Secure Anti-Virus Client Security has one of the best, most comprehensive security bundles available, although it suffers a bit from a disjointed administration user interface. One of three anti-spyware solutions in this review that includes anti-virus capabilities in the same package, Anti-Virus Client Security’s real-time protection stopped all attempts to infect my test clients. Reporting is browser-based and provides ample predefined templates.  Because of its awesome real-time protection and overall performance, Anti-Virus Client Security 6 received the highest score of the ten products reviewed.

 Opera 8.50 was recently improved to remove the adbar on the free version.  So far the new version is working well and presents no conflicts with IE 6 SP2 or Mozilla Firefox 1.5. 

Release Note

This release is a recommended security upgrade.

At a Glance

• Advertisement banner removed
• Registration options removed
• Updated end-user license agreement
• Browser JavaScript fixes broken Web sites on the fly

Changes since 8.02

User interface

• Removed advertising banners and all dialogs and menus related to advertising, registration, and license codes.
• Solved issue with Opera reverting explicit user setting to use program as handler rather than plug-in.
• Removed support for branded banners.

Security

• Fixed issue reported in Secunia Advisory 16645: Attachment URLs now used instead of cache URLs for viewing attachments.
• Fixed drag-and-drop vulnerability allowing unintentional file uploads. Issue reported by mikx.de.
• Improved handling of must-revalidate cache directive for HTTPS pages.
• Fixed display issue with cookie comment encoding.

Miscellaneous

• Included Browser JavaScript by default. On first run after install/upgrade, Opera will fetch a fresh browser.js file and start using it.
• Multiple stability fixes.

Download Link for version 8.50:

The folks at the Internet Storm Center have an interesting series that illustrates the dangerous of advanced spyware threats.  This one is dedicated to the James Bond fans and provides an interesting account of the dangers in using the Internet without proper safeguards or precautions.

Follow the Bouncing Malware IX: eGOLDFINGER

Earlier this week, the Bagle malware authors used an approach of creating a number of new viruses and spamming them massively in the wild.  Each new wave of infected emails contained a different variation of the virus which was designed to elude detection by AV vendors.  F-Secure set an all-time record will 11 releases in one day 

Excellent Writeup by F-Secure on September 20th

 Email-Worm.Win32.Bagle.cy (aka Bagle.BI)
 Email-Worm.Win32.Bagle.cz
 Email-Worm.Win32.Bagle.da
 Email-Worm.Win32.Bagle.db
 Email-Worm.Win32.Bagle.dc
 Email-Worm.Win32.Bagle.dd
 Email-Worm.Win32.Bagle.de
 Email-Worm.Win32.Bagle.df

W32.Iberio is a worm with back door capabilities that spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability -- as described in Microsoft Security Bulletin MS05-039

  This new variant was massively spammed via email and while the downloader component doesn't appear to be working, this new variant can deactivate existing AV or FW software installed on the PC.  The CPL extensions are typically found inside of a zipped archieve. This modified variant bypasses detectability in most AV products and users should be cautious in handling email messages.

McAfee information on this massively spammed variant
http://vil.nai.com/vil/content/v_129588.htm

Trend information
http://secunia.com/virus_information/21411/trojbagle.cz/

Sophos information
http://www.sophos.com/virusinfo/analyses/trojdropperbc.html

ISC information
http://isc.sans.org/diary.php?storyid=665

Multiple new variants of this threat were recently mass spammed. Filenames include 1.cpl and price.cpl and may arrive in a ZIP file named newprice.zip , price_09.zip, price some number.zip , etc.  The variants seen thus far are non functional, and deemed a low risk. The first such variant drops a corrupt file (ceeweewe.exe) to the %windir%. The corrupt file is detected as W32/Bagle.dam. Detection will be enhanced in the 4580 DAT release to detect and delete these newly discovered damaged variants. This is a generic detection covering many variants of the W32/Bagle@MM virus when sent in "CPL" format.

  One day after public disclosure of the vulnerability, an XPI patch was provided that deactivates IDN processing. This tested out well for me 

Mozilla Firefox - IDN Patch corrects critical vulnerabilities
https://addons.mozilla.org/messages/307259.html

On September 9, the Mozilla team released a configuration change which, as a temporary measure to work around this problem, disables IDN in the browser. IDN functionality will be restored in a future product update. The fix is either a manual configuration change or a small download which will make this configuration change for the user.

MANUAL APPROACH:
1. You can type "about:config" as a "URL" in the address bar
2. Then key or locate "network:enableIDN"
3. Double click it to disable it (set it to "false")
4. Close and restart browser (you can do another about:config to confirm this is now set as false)

   Users should avoid links in unsolicited email messages and untrusted URLs regardless of which browser they use.  Based on past experience, the Mozilla foundation has a priority on security, so I'm certain this will be addressed soon with a new release of Firefox.

Firefox/Deerpark all versions - Critical Security Warning
http://news.zdnet.com/2100-3513_22-5856201.html
http://techrepublic.com.com/2100-1009_11-5856201.html
http://secunia.com/advisories/16764/
http://security-protocols.com/advisory/sp-x17-advisory.txt

Tom Ferris has discovered a vulnerability in Firefox, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially to compromise a user's system. The vulnerability is caused due to an error in the handling of an URL that contains the 0xAD character in its domain name. This can be exploited to cause a heap-based buffer overflow.

Successful exploitation crashes Firefox and may potentially allow code execution but requires that the user is tricked into visiting a malicious web site or open a specially crafted HTML file.  The vulnerability has been confirmed in version 1.0.6, and is reported to affect versions prior to 1.0.6, and version 1.5 Beta 1.

  Kaspersky Labs documents a freshly launched fraud attack where the scammers use low monetary values in an attempt to go unnoticed. 

Are you $9.95 out of pocket?  - September 7, 2005 weblog entry
http://www.viruslist.com/en/weblog?calendar=2005-09

QUOTE:  Next to the more or less daily scams mentioned in the previous post, we're seeing a resurgence in another scamming tactic. Over the last couple of weeks more people are reporting charges of $9.95 to their credit cards - for no reason whatsoever. About a year ago we saw a similar trend and now it has been picked up again.

The scammers hope that because the amount of money is so small, the charge will go unnoticed. They're also using names which closely resemble real company names to make the charges look (at first glance) more legitimate. So be sure to check your accounts for odd charges on a regular basis.

  A new variant of Spybot has emerged which exploits four unpatched Microsoft vulnerabilities which must be patched on all PCs to ensure the best levels of protection.

W32.Spybot.WOE is a worm with back door capabilities that can be used to launch a distributed denial of service attack. The worm spreads by exploiting numerous vulnerabilities, including the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-039).

Firewall protection:  The following are TCP ports that should be protected in the firewall for the PC or server:  139, 445, 1427, 4654, 65528, 65529.

Microsoft Security Exploits: Spreads by scanning TCP ports 139 and 445, and exploiting the following vulnerabilities:

• The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-039).
• The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (as described in Microsoft Security Bulletin MS03-026).
• The Microsoft Windows Local Security Authority Service Remote Buffer Overflow(as described in Microsoft Security Bulletin MS04-011).
• The Microsoft Windows ASN.1 Library Bit String Processing Variant Heap Corruption Vulnerability (as described in Microsoft Security Bulletin MS04-007).