Sharing Security Developments, and Best Practices for corporate and home users
September 2005 - Posts
Please be careful with all email messages containing Microsoft Access attachments. This new exploit capitalizes on an unpatched MS Jet Engine vulnerability, and the system remains compromised until the Trojan horse is removed.
While this new zero-day attack is very rare, it could surprise individuals if it were massively spammed in the wild, because Microsoft Access database email attachments are usually thought of as safe to open. We should therefore be cautious with ANY attachment type; the best practice is to never open attachments, regardless of whether they appear safe or not.
Backdoor.Hesive - Zero Day MS Jet Engine Exploit http://secunia.com/virus_information/21954/hesive/
Backdoor.Hesive is a Trojan horse that opens a back door on the compromised computer and allows a remote attacker unauthorized access. The Trojan may arrive as a Microsoft Access file that exploits the Microsoft Jet Database Engine Malformed Database File Buffer Overflow Vulnerability (described in Bugtraq ID 12960).
Microsoft Jet Database Engine Malformed Database File Buffer Overflow Vulnerability http://www.securityfocus.com/bid/12960/info
Solution: Currently we are not aware of any vendor-supplied patches for this issue.
The back door allows the remote attacker to perform the following actions:
- List active ports
- List processes, services, and threads
- Download and execute remote files
- Upload files
- Run a system shell
- Modify registry values
- End processes
- Get system information
- Get network information
- Post collected data to a hostile web site
A new virus resembling the social engineering approach of the Love Letter virus of May 2000 has emerged. This one is easy to block and is more of a threat to home users.
McAfee information http://vil.nai.com/vil/content/v_136187.htm
Trend and Symantec information http://secunia.com/virus_information/21881/suclove.a/
Payload: Opens a back door that allows a remote attacker to have unauthorized access to the compromised computer.
Large scale e-mailing: Uses MS Outlook to send a copy of the worm to all users in the Outlook address book.
Degrades performance: Creates a mass-mailing of itself, which may impact performance.
Releases confidential info: Attempts to steal confidential system information.
EMAIL TO AVOID
Subject: Love, for Forgiveness :->
Body: I love u please forgive me!...
Attachment: LoveLetter.doc.exe
Subject: Read my letter for you
Body: this was created from the deep inside my heart.
Attachment: LoveLetter.doc.exe
InfoWorld - Corporate Spyware Product Evaluations
F-Secure selected as top corporate Spyware product overall
QUOTE: F-Secure Anti-Virus Client Security has one of the best, most comprehensive security bundles available, although it suffers a bit from a disjointed administration user interface. One of three anti-spyware solutions in this review that includes anti-virus capabilities in the same package, Anti-Virus Client Security’s real-time protection stopped all attempts to infect my test clients. Reporting is browser-based and provides ample predefined templates. Because of its awesome real-time protection and overall performance, Anti-Virus Client Security 6 received the highest score of the ten products reviewed.

Opera 8.50 was recently improved to remove the adbar on the free version. So far the new version is working well and presents no conflicts with IE 6 SP2 or Mozilla Firefox 1.5.
Release Note
This release is a recommended security upgrade.
At a Glance
- Advertisement banner removed
- Registration options removed
- Updated end-user license agreement
- Browser JavaScript fixes broken Web sites on the fly
Changes since 8.02
User interface
- Removed advertising banners and all dialogs and menus related to advertising, registration, and license codes.
- Solved issue with Opera reverting explicit user setting to use program as handler rather than plug-in.
- Removed support for branded banners.
Security
- Fixed issue reported in Secunia Advisory 16645: Attachment URLs now used instead of cache URLs for viewing attachments.
- Fixed drag-and-drop vulnerability allowing unintentional file uploads. Issue reported by mikx.de.
- Improved handling of must-revalidate cache directive for HTTPS pages.
- Fixed display issue with cookie comment encoding.
Miscellaneous
- Included Browser JavaScript by default. On first run after install/upgrade, Opera will fetch a fresh browser.js file and start using it.
- Multiple stability fixes.
Download Link for version 8.50:

The folks at the Internet Storm Center have an interesting series that illustrates the dangers of advanced spyware threats. This one is dedicated to the James Bond fans and provides an interesting account of the dangers of using the Internet without proper safeguards or precautions.
Follow the Bouncing Malware IX: eGOLDFINGER
This new variant was massively spammed via email, and while the downloader component doesn't appear to be working, it can deactivate existing AV or firewall software installed on the PC. The CPL files are typically found inside a zipped archive. This modified variant evades detection in most AV products, so users should be cautious in handling email messages.
McAfee information on this massively spammed variant http://vil.nai.com/vil/content/v_129588.htm
Trend information http://secunia.com/virus_information/21411/trojbagle.cz/
Sophos information http://www.sophos.com/virusinfo/analyses/trojdropperbc.html
ISC information http://isc.sans.org/diary.php?storyid=665
Multiple new variants of this threat were recently mass spammed. Filenames include 1.cpl and price.cpl and may arrive in a ZIP file named newprice.zip , price_09.zip, price some number.zip , etc. The variants seen thus far are non functional, and deemed a low risk. The first such variant drops a corrupt file (ceeweewe.exe) to the %windir%. The corrupt file is detected as W32/Bagle.dam. Detection will be enhanced in the 4580 DAT release to detect and delete these newly discovered damaged variants. This is a generic detection covering many variants of the W32/Bagle@MM virus when sent in "CPL" format.
One day after public disclosure of the vulnerability, an XPI patch was provided that deactivates IDN processing. This tested out well for me.
Mozilla Firefox - IDN Patch corrects critical vulnerabilities https://addons.mozilla.org/messages/307259.html
On September 9, the Mozilla team released a configuration change which, as a temporary measure to work around this problem, disables IDN in the browser. IDN functionality will be restored in a future product update. The fix is either a manual configuration change or a small download which will make this configuration change for the user.
MANUAL APPROACH:
1. Type "about:config" as the URL in the address bar.
2. Search for or locate "network.enableIDN".
3. Double-click it to disable it (set it to "false").
4. Close and restart the browser (you can open about:config again to confirm it is now set to false).
Users should avoid links in unsolicited email messages and untrusted URLs regardless of which browser they use. Based on past experience, the Mozilla foundation has a priority on security, so I'm certain this will be addressed soon with a new release of Firefox.
Firefox/Deerpark all versions - Critical Security Warning
http://news.zdnet.com/2100-3513_22-5856201.html
http://techrepublic.com.com/2100-1009_11-5856201.html
http://secunia.com/advisories/16764/
http://security-protocols.com/advisory/sp-x17-advisory.txt
Tom Ferris has discovered a vulnerability in Firefox, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially to compromise a user's system. The vulnerability is caused due to an error in the handling of a URL that contains the 0xAD character in its domain name. This can be exploited to cause a heap-based buffer overflow.
Successful exploitation crashes Firefox and may potentially allow code execution, but requires that the user is tricked into visiting a malicious web site or opening a specially crafted HTML file. The vulnerability has been confirmed in version 1.0.6, and is reported to affect versions prior to 1.0.6, and version 1.5 Beta 1.
Here's hoping the bad guys can't reverse-engineer the critical bulletin that's forthcoming in September, as we need a break after MS05-039 in August.
Title: September 2005 Microsoft Security Response Center Bulletin Notification
Issued: September 8, 2005
On 13 September 2005 Microsoft is planning to release:
Security Updates - One Microsoft Security Bulletin affecting Microsoft Windows. The highest Maximum Severity rating for this is critical. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA).
Microsoft Windows Malicious Software Removal Tool - Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.
Non-security High Priority updates on MU, WU, WSUS and SUS - Microsoft will release one NON-SECURITY High-Priority Update for Windows on Microsoft Update (MU), Windows Update (WU), Windows Server Update Services (WSUS) and Software Update Services (SUS).
Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released.
Kaspersky Labs documents a freshly launched fraud attack where the scammers use low monetary values in an attempt to go unnoticed.
Are you $9.95 out of pocket? - September 7, 2005 weblog entry http://www.viruslist.com/en/weblog?calendar=2005-09
QUOTE: Next to the more or less daily scams mentioned in the previous post, we're seeing a resurgence in another scamming tactic. Over the last couple of weeks more people are reporting charges of $9.95 to their credit cards - for no reason whatsoever. About a year ago we saw a similar trend and now it has been picked up again.
The scammers hope that because the amount of money is so small, the charge will go unnoticed. They're also using names which closely resemble real company names to make the charges look (at first glance) more legitimate. So be sure to check your accounts for odd charges on a regular basis.
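The two tricks the Kaspersky entry describes, a charge small enough to be overlooked and a merchant name that is almost but not quite a real company, can both be checked mechanically when going over a statement. The following is an added example, not from the original post or from Kaspersky: it takes a list of transactions, keeps the small ones, and flags a merchant whose name is a near match (but not an exact match) for a known company, or a small amount that recurs from the same merchant. The known-merchant list, the similarity cutoff, the "small charge" threshold and the transactions are constructed assumptions.

```python
import difflib
from collections import Counter
from decimal import Decimal

# Assumption: companies you actually do business with; maintain this yourself.
KNOWN_MERCHANTS = ["PAYPAL", "AMAZON", "NETFLIX", "MICROSOFT"]
SMALL_CHARGE_LIMIT = Decimal("15.00")   # assumption: what "small enough to miss" means
SIMILARITY_CUTOFF = 0.8                 # difflib ratio needed to call a name a lookalike


def lookalike_of(merchant, known=KNOWN_MERCHANTS):
    """Known name that a merchant string resembles without matching exactly, else None.

    Compares each word of the merchant string separately so that extra words such as
    'SERVICES' do not dilute the similarity of the brand-like token.
    """
    tokens = merchant.upper().split()
    if any(tok in known for tok in tokens):
        return None                      # the real brand token is present: not a lookalike
    for tok in tokens:
        close = difflib.get_close_matches(tok, known, n=1, cutoff=SIMILARITY_CUTOFF)
        if close:
            return close[0]
    return None


def flag_transactions(transactions):
    """transactions: iterable of (date, merchant, amount_str).

    Returns [(date, merchant, amount_str, [reasons])] for small charges that either come
    from a lookalike merchant or repeat the same small amount from the same merchant.
    """
    rows = [(d, m, Decimal(a)) for d, m, a in transactions]
    small = [r for r in rows if r[2] <= SMALL_CHARGE_LIMIT]
    repeats = Counter((m.upper(), a) for _, m, a in small)
    flagged = []
    for date, merchant, amount in small:
        reasons = []
        brand = lookalike_of(merchant)
        if brand:
            reasons.append("merchant resembles %s but is not an exact match" % brand)
        count = repeats[(merchant.upper(), amount)]
        if count > 1:
            reasons.append("same small amount charged %d times" % count)
        if reasons:
            flagged.append((date, merchant, str(amount), reasons))
    return flagged


# Constructed sample statement lines; the $9.95 figure is the one from the post above.
SAMPLE_TRANSACTIONS = [
    ("2005-07-14", "PAYPAL", "49.99"),
    ("2005-07-20", "PAYPA1 SERVICES", "9.95"),
    ("2005-08-03", "NETFLIX", "9.95"),
    ("2005-08-11", "CORNER BAKERY", "6.40"),
    ("2005-08-20", "PAYPA1 SERVICES", "9.95"),
]

if __name__ == "__main__":
    for date, merchant, amount, reasons in flag_transactions(SAMPLE_TRANSACTIONS):
        print(date, merchant, amount, "; ".join(reasons))
```

Exact matches to a known name are never flagged, so the check does not drown a legitimate $9.95 subscription in noise; it is the near miss, or the quiet monthly repeat from an unfamiliar name, that gets surfaced.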
A new variant of Spybot has emerged that exploits four Microsoft vulnerabilities; the corresponding patches must be applied on all PCs to ensure the best level of protection.
W32.Spybot.WOE is a worm with back door capabilities that can be used to launch a distributed denial of service attack. The worm spreads by exploiting numerous vulnerabilities, including the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-039).
Firewall protection: The following are TCP ports that should be protected in the firewall for the PC or server: 139, 445, 1427, 4654, 65528, 65529.
Microsoft Security Exploits: Spreads by scanning TCP ports 139 and 445, and exploiting the following vulnerabilities:
Microsoft has released a new update. This update applies to Microsoft Windows XP Service Pack 2 (SP2) and Microsoft Windows Server 2003 Service Pack 1 (SP1). This patch fixes a condition where an exception may not show up in the Windows Firewall GUI if the exception was created by modifying the registry directly. Doing so requires administrative privileges on the box. The danger in this flaw is that a hacker could open a back door that would not be shown in the GUI firewall ruleset.
Windows XP SP2 - Windows Firewall update available
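Because the GUI could be silent about a registry-created exception, the defensive check is to read the exception lists straight from the registry and compare them with a baseline, flagging in particular any opening of the TCP ports the Spybot.WOE note above says should stay closed (139, 445, 1427, 4654, 65528, 65529). The following is an added example, not from the original post or from Microsoft: it parses the value format Windows XP SP2 uses under the StandardProfile GloballyOpenPorts\List and AuthorizedApplications\List keys ("port:protocol:scope:Enabled:name" and "path:scope:Enabled:name"), audits the values against an allowlist, and reads the live keys through winreg when run on Windows. The sample values, the baseline and the finding wording are constructed assumptions; only the registry path and value layout are taken from the XP SP2 firewall.

```python
# Registry location of the Windows XP SP2 / Server 2003 SP1 firewall exceptions
# (StandardProfile; DomainProfile sits beside it with the same layout).
FIREWALL_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                r"\FirewallPolicy\StandardProfile")
PORTS_SUBKEY = FIREWALL_KEY + r"\GloballyOpenPorts\List"
APPS_SUBKEY = FIREWALL_KEY + r"\AuthorizedApplications\List"

# TCP ports from the Spybot.WOE post above that should stay closed at the firewall.
WORM_TARGET_PORTS = {(p, "TCP") for p in (139, 445, 1427, 4654, 65528, 65529)}


def parse_port_exception(value):
    """'139:TCP:LocalSubNet:Enabled:name' -> dict (name may itself contain colons)."""
    port, proto, scope, state, name = value.split(":", 4)
    return {"port": int(port), "proto": proto.upper(), "scope": scope,
            "enabled": state.lower() == "enabled", "name": name}


def parse_app_exception(value):
    r"""'C:\dir\app.exe:*:Enabled:name' -> dict (rsplit because the path has a colon)."""
    path, scope, state, name = value.rsplit(":", 3)
    return {"path": path, "scope": scope,
            "enabled": state.lower() == "enabled", "name": name}


def audit_exceptions(port_values, app_values, allowed_ports, allowed_apps):
    """Compare registry exception values with a baseline; return a list of findings.

    allowed_ports: set of (port, "TCP"/"UDP"); allowed_apps: set of lower-cased paths.
    """
    findings = []
    for raw in port_values:
        ex = parse_port_exception(raw)
        if not ex["enabled"]:
            continue
        key = (ex["port"], ex["proto"])
        label = "%d/%s (%s)" % (ex["port"], ex["proto"], ex["name"])
        if key in WORM_TARGET_PORTS:
            findings.append("worm-targeted port opened: %s scope=%s" % (label, ex["scope"]))
        elif key not in allowed_ports:
            findings.append("port exception not in baseline: " + label)
        elif ex["scope"] == "*":
            findings.append("baseline port exposed to any address: " + label)
    for raw in app_values:
        ex = parse_app_exception(raw)
        if ex["enabled"] and ex["path"].lower() not in allowed_apps:
            findings.append("application exception not in baseline: %s (%s)"
                            % (ex["path"], ex["name"]))
    return findings


def read_live_values(subkey):
    """On Windows, return every value under HKLM\\<subkey>; elsewhere (or if absent) []."""
    try:
        import winreg
    except ImportError:
        return []
    values = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            index = 0
            while True:
                try:
                    _, data, _ = winreg.EnumValue(key, index)
                except OSError:          # no more values
                    break
                values.append(data)
                index += 1
    except OSError:                      # key not present on this Windows version
        return []
    return values


# Constructed sample values in the XP SP2 format; the names are made up.
SAMPLE_PORTS = [
    "139:TCP:LocalSubNet:Enabled:NetBIOS Session Service",
    "3389:TCP:*:Enabled:Remote Desktop",
    "4654:TCP:*:Enabled:svc",                    # added via the registry only
    "1900:UDP:LocalSubNet:Disabled:UPnP Framework",
    "5555:TCP:LocalSubNet:Enabled:helper",
]
SAMPLE_APPS = [
    r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\WINDOWS\system32\ceeweewe.exe:*:Enabled:update",   # name from the Bagle note
]
BASELINE_PORTS = {(3389, "TCP")}                              # assumption: site baseline
BASELINE_APPS = {r"c:\program files\messenger\msmsgs.exe"}

if __name__ == "__main__":
    ports = read_live_values(PORTS_SUBKEY) or SAMPLE_PORTS
    apps = read_live_values(APPS_SUBKEY) or SAMPLE_APPS
    for finding in audit_exceptions(ports, apps, BASELINE_PORTS, BASELINE_APPS):
        print(finding)
```

Reading the list keys directly is the point: it reports what the firewall service actually enforces rather than what the control panel chooses to display, which is exactly the gap the update closes.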
http://isc.sans.org/diary.php?date=2005-09-02
There is a hoax e-mail making the rounds about a gas shortage. Don't run out and create a shortage. And now, we have reports from one of our readers (thanx, Rikki) who is seeing e-mails about a gas shortage floating around. The facts are, yes, there have been gas stations that have run out of gasoline. That is mostly because people have flocked to them to fill up fearing a shortage (can you say self-fulfilling prophecy?). Yes, some refining capacity in the US has been impacted by the hurricane, but we won't know the impact of that for some time yet. In the meantime, there is gasoline available in the US, and stations are still getting deliveries. Yes, the prices have gone up and conserving would be a good idea, but there is no evidence of an imminent widespread shortage outside of the areas that suffered direct infrastructure damage earlier this week. Remain calm.
Corporate users of the DameWare remote control facility should patch their systems promptly, as a new vulnerability and proof-of-concept code were published at the end of August.
DameWare Remote Control - Buffer Overflow Exploit Warning
Dameware Remote Control - Proof of Concept Exploit (be careful as actual code for the exploit is published here)
Solution: Upgrade to DameWare Mini Remote Control version 4.9.2.4
QUOTE: A vulnerability was identified in DameWare Mini Remote Control Server, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a buffer overflow error in the authentication procedure that does not properly handle an overly long "username" parameter (port 6129), which could be exploited by unauthenticated remote attackers to compromise a vulnerable system.
By default, DWRCS (DameWare Remote Control Server) listens on port 6129 TCP. An attacker can construct a specially crafted packet and exploit this vulnerability. The vulnerability is caused by insecure calls to the lstrcpyA function when checking the username.
Be careful with website links in email messages. It's a best practice to never click on a URL even to opt out of spam unless you are sure it can be trusted. This breaking news story from an email message spammed to numerous individuals contains a hostile link that will download malware from the website to PCs that visit it.
Katrina Malware - Trojan-Downloader.JS.Small.bq is at this website
F-Secure - September 1st Weblog identifies this new downloader trojan horse
Subject: Re: Katrina killed as many as 80 people.
Just before daybreak Tuesday, Katrina, now a tropical storm, was 35 miles northeast of Tupelo, Miss., moving north-northeast with winds of 50 mph. Forecasters at the National Hurricane Center said the amount of rainfall has been adjusted downward Monday. Mississippi Gov. Haley Barbour said Tuesday that Hurricane Katrina killed as many as 80 people in his state and burst levees in Louisiana flooded New Orleans. Read More
The "Read More" link goes to “nextermest . com” [DO NOT VISIT THIS SITE, as Trojan-Downloader.JS.Small.bq is at this website]. It uses obfuscated JavaScript to download what looks like a .hta exploit.
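Both this Katrina message and the Firefox 0xAD advisory above come down to the same defensive question: where does a link in an email actually point? The following is an added example, not from the original post, F-Secure or Mozilla: it pulls every anchor out of an HTML mail body with the standard library parser and flags a link whose visible text names one host while the href goes to another, a host containing a soft hyphen (U+00AD) or any other non-ASCII character, a punycode (xn--) host, and a target path that ends in .hta or another executable type. The message body and the hostnames in it are constructed (the .example domains stand in for the real hostile site); only the .hta observation and the 0xAD character come from the posts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SOFT_HYPHEN = "\u00ad"                                   # the 0xAD character from the advisory
RISKY_SUFFIXES = (".hta", ".exe", ".cpl", ".scr", ".pif")   # assumption: extend to taste
# Visible link text that itself looks like a host name or URL.
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", "") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def host_findings(host):
    """Reasons a hostname deserves attention (IDN/lookalike tricks)."""
    reasons = []
    if SOFT_HYPHEN in host:
        reasons.append("soft hyphen (U+00AD) in host")
    if any(ord(c) > 127 for c in host):
        reasons.append("non-ASCII host")
    if any(label.startswith("xn--") for label in host.lower().split(".")):
        reasons.append("punycode (IDN) host")
    return reasons


def screen_links(html_body):
    """Return {href: [reasons]} for links in an HTML mail body that should be blocked or reviewed."""
    parser = LinkCollector()
    parser.feed(html_body)
    report = {}
    for href, text in parser.links:
        reasons = []
        try:
            parts = urlsplit(href)
            host = (parts.hostname or "")
        except ValueError:
            report[href] = ["unparseable URL"]
            continue
        if parts.scheme not in ("http", "https"):
            reasons.append("scheme %r" % parts.scheme)
        reasons += host_findings(host)
        if parts.path.lower().endswith(RISKY_SUFFIXES):
            reasons.append("link targets an executable or HTA file")
        shown = DOMAIN_RE.match(text)
        if shown and shown.group(1).lower() != host.lower():
            reasons.append("visible text names %s but link goes to %s" % (shown.group(1), host))
        if reasons:
            report[href] = reasons
    return report


# Constructed message body in the style of the Katrina spam; hosts are placeholders.
SAMPLE_BODY = (
    "<p>Mississippi Gov. Haley Barbour said Tuesday that Hurricane Katrina killed "
    "as many as 80 people in his state.</p>"
    '<a href="http://bad-host.example/news.hta">Read More</a> '
    '<a href="http://www.redcross.org/">www.redcross.org</a> '
    '<a href="http://katrina-donate.example/donate">www.redcross.org</a> '
    '<a href="http://xn--80ak6aa92e.example/">Read More</a> '
    '<a href="http://exa\u00admple.example/">link</a>'
)

if __name__ == "__main__":
    for href, reasons in screen_links(SAMPLE_BODY).items():
        print(repr(href), "->", "; ".join(reasons))
```

The text-versus-href comparison is the check that catches the donation scams in the next post as well: a link that reads www.redcross.org but resolves elsewhere is flagged even when the destination host is perfectly ordinary ASCII.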
Please donate carefully through trusted sources such as the Red Cross, church organizations, or other reputable agencies. A number of fake emails and websites have surfaced which capture your credit card information and transfer funds to criminals rather than to the intended victims. Additionally, information shared with these untrusted websites could be used for identity theft.
ISC Warning: Please give carefully to Hurricane Katrina relief funds
Google: Katrina Phishing Scam Warnings
QUOTE: We decided to start a new diary today, regarding the fake domains for donations to the Katrina Hurricane victims. We updated yesterday's diary with the information on fake emails and domains being used to get donations for the Katrina Hurricane, and Brian Krebs just updated the Security Fix blog with new information about these fake domains. Some that we strongly suspect so far are katrinahelp.com , katrinarelief.com and katrinacleanup.com.
Please donate only to trusted sites where you have assurances your contributions will go toward helping victims of this major tragedy. Below is a link to the American Red Cross.
http://www.redcross.org/
