January 2006 - Posts
Microsoft has released a preview of the IE 7 beta for public testing
http://news.zdnet.com/2100-3513_22-6033116.html
QUOTE: Microsoft took the wraps off Internet Explorer 7 Tuesday, releasing the new "preview" version of its Web browser to the general public for testing.
The program, still a work in progress, is available for download from the Internet Explorer section of Microsoft's corporate Web site, the company said. The company, which began limited testing in July, had promised to deliver a public beta by the end of March.
"The big update is that it's public," said Margaret Cobb, group product manager for Internet Explorer at Microsoft. "All previous releases were limited."
The latest version works only with Windows XP Service Pack 2 and includes many of the features Microsoft has been touting for months. Among them are new security and privacy protection capabilities such as mechanisms designed to combat phishing attacks, spyware and other threats.
http://www.f-secure.com/weblog/archives/archive-012006.html#00000797
QUOTE: When Nyxem activates, it will overwrite all of your DOC/XLS/PPT/ZIP/RAR/PDF/MDB files. This is nasty, as this is done on all mounted drives, ie. any drive that has a drive letter. So it might affect your USB thumb drives, external hard drives and network drives! Also, if you're taking daily automatic backups you might end up backing up the corrupted files over good files. The number of machines that have been hit by this worm is over 300,000. Many of those have been disinfected already, though. But thousands of computers will get their files overwritten on February 3rd - most of them in India, Turkey and Peru.
Please be careful if you use Winamp as your media player. A new exploit has surfaced for an unpatched vulnerability that security firms rate as critical. The vendor will most likely patch this soon, and the patch should be applied promptly.
Winamp Computer Name Handling Buffer Overflow Vulnerability
http://secunia.com/advisories/18649/
DESCRIPTION: The vulnerability is caused due to a boundary error during the handling of filenames including a computer name. This can be exploited to cause a buffer overflow via a specially crafted playlist containing a filename starting with an overly long computer name (about 1040 bytes). Successful exploitation allows execution of arbitrary code on a user's system when e.g. a malicious website is visited. The vulnerability has been confirmed in version 5.12. Other versions may also be affected.
Nullsoft Winamp Player PLS Handling Remote Buffer Overflow Vulnerability
http://www.frsirt.com/english/advisories/2006/0361
Advisory ID : FrSIRT/ADV-2006-0361
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-01-29
Technical Description: A vulnerability has been identified in Winamp, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a buffer overflow error when processing a specially crafted playlist (".pls" file) containing a malformed "File1" tag, which could be exploited by remote attackers to execute arbitrary commands and take complete control of an affected system without any user-interaction via a specially crafted web page.
Exploits: An exploit is publicly available. It can be found at the FrSIRT site for anyone who wants to review the source code.
Affected Products: Nullsoft Winamp version 5.12 and prior
Solution: The FrSIRT is not aware of any official supplied patch for this issue.
Recommendation: Use Winamp for offline media only or access only highly trusted sites until a patch is issued. It is likely that Nullsoft will quickly supply a patch, but until then use Winamp cautiously.
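Both advisories above describe the same trigger: a playlist entry whose file name begins with an overly long computer name. Until a patch ships, a practitioner can at least screen downloaded .pls files before opening them. The following Python is an added example written for this page (it is not Winamp code or part of either advisory); it assumes the "computer name" is the host component of a UNC path (\\computername\share\file) and uses 255 bytes, the DNS host-name maximum, as the threshold, since no real host name is longer than that while the advisory cites roughly 1040 bytes for the crash.

```python
import re

# Largest computer name a real Windows host can have: 15 bytes as a NetBIOS
# name, 255 bytes as a DNS host name.  The threshold is my assumption for this
# check; the advisory only states that about 1040 bytes triggers the overflow.
MAX_HOST_LEN = 255

# FileN=<path> entries of a PLS playlist; keys are case-insensitive in practice.
_FILE_RE = re.compile(r'^\s*File(\d+)\s*=(.*)$', re.IGNORECASE)
# UNC path: \\computername\share\... (forward slashes tolerated)
_UNC_RE = re.compile(r'^\s*(?:\\\\|//)([^\\/]*)')


def unc_host(path):
    """Return the computer-name component of a UNC path, or None if the path is not UNC."""
    m = _UNC_RE.match(path)
    return m.group(1) if m else None


def check_pls(text):
    """Scan PLS playlist text and return (entry_number, host_length) for every
    entry whose UNC computer name is longer than any legitimate host name."""
    findings = []
    for line in text.splitlines():
        m = _FILE_RE.match(line)
        if not m:
            continue
        entry, path = int(m.group(1)), m.group(2).strip()
        host = unc_host(path)
        if host is not None and len(host.encode("utf-8")) > MAX_HOST_LEN:
            findings.append((entry, len(host)))
    return findings


def is_safe_playlist(text):
    """True when no entry carries an oversized computer name."""
    return not check_pls(text)


# Constructed sample playlists (not real files and not exploit code).
BENIGN_PLS = (
    "[playlist]\n"
    "NumberOfEntries=2\n"
    "File1=\\\\fileserver\\music\\track01.mp3\n"
    "Title1=Track 1\n"
    "File2=http://radio.example.com/stream\n"
    "Title2=Radio\n"
    "Version=2\n"
)
# A 1040-byte computer name, the length the advisory cites, made of a filler character.
SUSPICIOUS_PLS = (
    "[playlist]\n"
    "NumberOfEntries=1\n"
    "File1=\\\\" + "A" * 1040 + "\\share\\song.mp3\n"
    "Version=2\n"
)

if __name__ == "__main__":
    for name, pls in (("benign", BENIGN_PLS), ("suspicious", SUSPICIOUS_PLS)):
        print(name, check_pls(pls) or "no findings")
```

The check is deliberately conservative: it flags on host-name length alone rather than on the exact crash length, so shorter oversized names that a later exploit variant might use are caught as well. Run it against any playlist fetched from an untrusted site before handing the file to the player.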
A new proof-of-concept exploit has been published which could be turned into a more harmful attack by malicious individuals.
Advisory ID : FrSIRT/ADV-2006-0243
CVE ID : CVE-2006-0272
Rated as : High Risk
The exploit code can be viewed at FrSIRT's site, as noted below. Please only review the source code if interested, and do not test with it:
http://www.frsirt.com/english/
2006-01-26 : Oracle Database Server 9i/10g XML Database Component Buffer Overflow Exploit
A critical vulnerability has been discovered that is currently unpatched. Oracle will most likely address this quickly and so far there are no reports of this being exploited in the wild.
Oracle Products PL/SQL Gateway Security Bypass Vulnerability
http://secunia.com/advisories/18621/
Critical: Highly critical
Impact: Security Bypass
Solution Status: Unpatched
Software:
Oracle Application Server 10g
Oracle Database 8.x
Oracle HTTP Server 8.x
Oracle HTTP Server 9.x
Oracle9i Application Server
Oracle9i Database Enterprise Edition
Oracle9i Database Standard Edition
DESCRIPTION: A vulnerability has been identified in various Oracle products, which could be exploited by remote attackers to bypass security restrictions and gain unauthorized access to a vulnerable system. This flaw is due to an input validation error in the PL/SQL Gateway component that does not properly handle malformed HTTP requests, which could be exploited by remote unauthenticated attackers to bypass the "PLSQLExclusion" list and gain access to "excluded" packages and procedures that will allow the compromise of the back-end database server.
Oracle PL/SQL Gateway Exclusion List Security Bypass Vulnerability
http://www.frsirt.com/english/advisories/2006/0338
Advisory ID : FrSIRT/ADV-2006-0338
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-01-25
Solution: The FrSIRT is not aware of any official supplied patch for this issue.
Workaround: Administrators can filter malicious characters and character sequences in a proxy or firewall with URL filtering capabilities.
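The workaround above only helps if the proxy matches the exclusion list against the request the way the database will see it, not against the raw bytes on the wire. The following Python is an added example written for this page (it is not Oracle's PL/SQL Gateway code or the actual bypass, which the advisory does not publish); it assumes the gateway request shape /pls/<DAD>/<package.procedure>, uses a constructed exclusion list in the glob style of PlsqlExclusionList entries rather than Oracle's real default list, and contrasts a raw-string match with a filter that canonicalises first and rejects any name containing characters a PL/SQL identifier never needs.

```python
import fnmatch
import re
from urllib.parse import unquote

# Constructed exclusion list in the glob style of PlsqlExclusionList entries
# (package or package.procedure patterns).  It is an illustration, not Oracle's
# actual default list.
EXCLUSION_LIST = ("sys.*", "dbms_*", "utl_*", "owa_util.*")

# Characters a legitimate PL/SQL package.procedure name can contain after
# lower-casing (assumption: identifier characters, '$', '#', and the '.' separator).
_NAME_OK = re.compile(r"^[a-z0-9_$#.]+$")
_GATEWAY_PREFIX = "/pls/"


def procedure_from_path(path):
    """Assumed request shape: /pls/<DAD>/<package.procedure>[?args].
    Returns the procedure part, or None when the path is not of that shape."""
    path = path.split("?", 1)[0]
    parts = path.split("/")          # ['', 'pls', dad, proc, ...]
    if len(parts) < 4 or parts[1].lower() != "pls" or not parts[3]:
        return None
    return parts[3]


def naive_excluded(path):
    """The weak check: match the exclusion list against the raw procedure text."""
    proc = procedure_from_path(path)
    return proc is not None and any(fnmatch.fnmatchcase(proc, g) for g in EXCLUSION_LIST)


def canonical(proc):
    """Percent-decode until the string stops changing (defeats double encoding),
    then lower-case, so the filter sees the name the way the database will."""
    prev = None
    while prev != proc:
        prev, proc = proc, unquote(proc)
    return proc.lower()


def proxy_decision(path):
    """Decision for a URL-filtering proxy in front of the gateway: 'allow' or 'deny'."""
    if not path.lower().startswith(_GATEWAY_PREFIX):
        return "allow"                       # not a gateway request
    proc = procedure_from_path(path)
    if proc is None:
        return "deny"                        # gateway path we cannot parse
    name = canonical(proc)
    if not _NAME_OK.match(name):
        return "deny"                        # control chars, spaces, quotes never belong in a name
    if any(fnmatch.fnmatchcase(name, g) for g in EXCLUSION_LIST):
        return "deny"                        # excluded package/procedure
    return "allow"


# Constructed requests.  The encoded ones illustrate generic evasion of a raw
# string match; they are not the sequences the advisory refers to.
SAMPLE_REQUESTS = [
    "/pls/portal/myapp.home",          # ordinary application procedure
    "/pls/portal/sys.dbms_x.proc",     # plainly excluded
    "/pls/portal/SYS.dbms_x.proc",     # case variation
    "/pls/portal/%73ys.dbms_x.proc",   # percent-encoded first byte
    "/pls/portal/%2573ys.dbms_x.proc", # double-encoded
    "/pls/portal/sys%0A.dbms_x.proc",  # embedded line feed
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req:35} naive_excluded={naive_excluded(req)!s:5} proxy={proxy_decision(req)}")
```

The point of the allowlist regex is that it makes the filter fail closed: rather than enumerating every character sequence that might confuse the gateway's parser, the proxy refuses anything that is not a plain identifier, which legitimate application URLs never need.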
Recently, Bagle celebrated its 2nd anniversary, and over 400 different variants have emerged. Another round of new variants appears to have been seeded in the wild, and we will most likely see both the email and the downloader versions.
Trend - Bagle.BU
Sophos Troj/BagleDl-BJ
Kaspersky
F-Secure
In January 1986 the first PC virus that could spread automatically from PC to PC was found in the wild. Today we encounter 20-30 new variants per day, with continuing innovation in their social engineering and overall sophistication. Users always need to employ the best technical defenses, stay up to date on all security patches, and "think before they click" any URL or email attachment.
PC viruses hit 20 year milestone
http://news.bbc.co.uk/2/hi/technology/4630910.stm
It was during the opening weeks of 1986 that the first PC virus, called Brain, was discovered in the wild. Though it achieved fame because it was the first of its type, the virus was not widespread as it could only travel by hitching a ride on floppy disks swapped between users. Brain was known as a "boot-sector" virus because of the area on a floppy disk it hid on. By concealing itself in this region, the virus could ensure that it would be installed every time that floppy disk was used on another computer.
There are now over 600,000 users who have been infected with this new virus. It contains a DESTRUCTIVE payload that will be executed on the 3rd day of the month.
Some of the email messages and attachments use inappropriate language, and simply not opening them avoids this new destructive threat; as a best practice, email and websites of this nature should always be avoided. Still, it is a "network walker" that can spread to PCs with openly shared folders or drives, so a single copy inside an organization could be dangerous.
Nyxem.E - Information Storm Center - Latest Information
Nyxem.E - Information Storm Center - Contains several AV Vendor links
Nyxem.E - Fortinet provides an EXCELLENT analysis
File Deletion Dangers -- On the 3rd of the month it will attempt to delete many documents from the user's disks, including Office documents (*.doc, *.xls, *.ppt, *.pps), PDF files, and .zip and .rar archives, among others.
HTT File Modification -- The virus modifies the Desktop.htt configuration file, which controls how Active Desktop is displayed. The change launches a copy of the virus as C:\WinZip_Tmp.exe whenever Windows loads the Active Desktop (at Windows start-up); the virus appends JavaScript code to Desktop.htt to do this.
ActiveX Dangers -- The code uses an ActiveX control to reference the file "WinZip_Tmp.exe". Additionally, the virus modifies the "desktop.ini" configuration file to point to an infectious "Temp.htt" HTML file that launches the virus. The virus registers the dropped ActiveX control through changes to the system registry; by creating the following registry entries, the control is considered "safe" and digitally signed. Techniques like this will make worms much more dangerous in the future: if a worm installs a fake CA certificate on an infected machine, man-in-the-middle attacks become extremely easy.
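The two files named above, Desktop.htt and desktop.ini, are small text files, so an incident responder can check a machine's Active Desktop configuration for the indicators the analyses list without running the worm's code. The following Python is an added example written for this page (it is not from the Fortinet or Storm Center analyses and contains none of the worm's code); the sample file contents are constructed stand-ins that only carry the indicator names, the PersistMoniker key is the desktop.ini setting that tells Explorer which HTML template to render, and no location for Temp.htt is assumed beyond the name.

```python
import re

# File names the analyses above attribute to the worm (the dropped copy and
# the hostile template that desktop.ini is redirected to).
DROPPED_EXE = "winzip_tmp.exe"
HOSTILE_HTT = "temp.htt"

_SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)
_OBJECT_RE = re.compile(r"<object\b[^>]*>", re.IGNORECASE)
# desktop.ini line that tells Explorer which HTML template to render for the folder
_MONIKER_RE = re.compile(r"^\s*PersistMoniker\s*=\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def scan_desktop_htt(text):
    """Indicators found in Desktop.htt content.  A stock Desktop.htt contains
    <script> blocks itself, so script alone is not an indicator; the dropped
    executable's name is."""
    hits = []
    low = text.lower()
    if DROPPED_EXE not in low:
        return hits
    hits.append("references " + DROPPED_EXE)
    if _SCRIPT_RE.search(text):
        hits.append("script block present alongside the reference")
    for m in _OBJECT_RE.finditer(text):
        hits.append("object tag present: " + m.group(0))
    return hits


def scan_desktop_ini(text):
    """Indicators found in desktop.ini content: a template redirected to Temp.htt."""
    return ["PersistMoniker -> " + m.group(1)
            for m in _MONIKER_RE.finditer(text)
            if HOSTILE_HTT in m.group(1).lower()]


def active_desktop_compromised(htt_text, ini_text):
    """True when either file carries one of the indicators."""
    return bool(scan_desktop_htt(htt_text) or scan_desktop_ini(ini_text))


# Constructed samples.  The "infected" ones are stand-ins that only carry the
# indicator names; they are not the worm's actual code.
CLEAN_HTT = (
    "<html><body>\n"
    "<script language=\"JavaScript\">\n"
    "/* stock Active Desktop script */\n"
    "</script>\n"
    "</body></html>\n"
)
INFECTED_HTT = CLEAN_HTT + (
    "<script language=\"JavaScript\">\n"
    "var dropped = \"C:\\\\WinZip_Tmp.exe\"; /* constructed stand-in */\n"
    "</script>\n"
)
CLEAN_INI = (
    "[.ShellClassInfo]\n"
    "ConfirmFileOp=0\n"
)
INFECTED_INI = CLEAN_INI + (
    "[{5984FFE0-28D4-11CF-AE66-08002B2E1262}]\n"
    "PersistMoniker=file://Temp.htt\n"
)

if __name__ == "__main__":
    print("clean:", active_desktop_compromised(CLEAN_HTT, CLEAN_INI))
    print("infected:", active_desktop_compromised(INFECTED_HTT, INFECTED_INI))
```

On a live system, read the files from the user's profile and Windows web directories and pass their contents to the two scan functions; the executable-name check keys on what the worm drops rather than on the presence of script, which a clean Desktop.htt has too, so it does not fire on stock installations.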
This entry below in December caused some recent confusion, with the official MSNM 8 beta, which has been released by Microsoft:
Virkel.F: Spoofed as an MSN Messenger beta 8 download
During December, virus writers used social engineering to trick users into loading a virus onto their PCs. Virkel.F offered a "leaked" MSNM version 8, which did not exist at the time. Users who clicked the URL in the message downloaded the virus rather than an MSNM 8 beta. Most likely this hostile website has been shut down and copies of the Virkel.F worm are no longer circulating in the wild.
Microsoft has now released MSNM beta 8. It is now safe to download and test MSNM 8, as long as you obtain this directly from Microsoft. As with any software update, users should confirm that their invitations are directly from Microsoft. Please be careful and ensure you are downloading from Microsoft's site, rather than the spoofed URL used by this virus. "Think before you click." Always be careful with URLs in email messages, as they can be just as dangerous as email attachments.
CERT maintains a list of TCP/IP ports with known vulnerabilities and exploits associated with them. A firewall blocks unsolicited inbound connections to these ports and makes a home PC far less visible to scans on the Internet.
All home users should employ this safeguard, and some of the free versions provide excellent protection. For example, I've been using the free version of Zone Alarm for several years. XP SP2's firewall also provides basic inbound protection and integrates very well with Windows.
http://www.us-cert.gov/current/services_ports.html
As noted in the following advisory, a third "new and improved" version of the WMF exploit was published on January 15, 2006. Thankfully, the MS06-001 patch that Microsoft released out-of-band in early January protects against it.
The link for exploit "C" can be found in the general FrSIRT advisory. The linked code could be harmful if loaded in a browser, so please be careful.
http://www.frsirt.com/english/advisories/2005/3086
Recently, a number of media articles have surfaced claiming that Symantec uses "rootkit" techniques by hiding a key control folder from the operating system. This approach might create install/uninstall issues when non-standard tools are used, and in the worst case it could be abused by virus writers to hide malware.
Symantec's intent is to lock down the SAV infrastructure so that there is less risk of users accidentally discovering and tampering with the installed AV environment.
While Symantec uses one element of a rootkit-like technique, hiding a control file from the operating system, the key reason this is NOT a rootkit is that Symantec does nothing malicious with it.
Symantec is taking steps to further protect this control area so that the dark side of the force cannot use it as a place to hide malware. The original findings were valid, and hopefully the media will report technical findings more realistically in the future.
eWeek: Symantec Caught in Norton 'Rootkit' Flap
http://www.eweek.com/article2/0,1895,1910077,00.asp
QUOTE: Symantec Corp. has admitted to using a rootkit-type feature in Norton SystemWorks that could provide the perfect hiding place for attackers to place malicious files on computers. The anti-virus vendor acknowledged that it was hiding a directory from Windows APIs as a feature to stop customers from accidentally deleting files but, prompted by warnings from security experts, the company shipped a SystemWorks update to eliminate the risk.
Kaspersky: No rootkit in Kaspersky Anti-Virus
http://www.viruslist.com/en/weblog?calendar=2006-01
QUOTE: We believe that this technology is not a rootkit and we do not believe hackers and/or malware can exploit it because:
1. If a KAV product is active, the streams are hidden and no processes (including system) have access to them.
2. If the product is disabled, the streams will be visible if viewed using the appropriate tools (standard for working with NTFS streams)
3. If a stream is re-written with some (possibly malicious) data or code (for example after rebooting in Safe Mode), when the system is next re-started, KAV will read the stream and not recognize the format. KAV will then begin to rebuild the checksum database - thus it will destroy the alien code/data.
To sum up: I think that the "rootkit" problem is being over hyped. It is up to all of us in the security industry and press to be careful about how we use terms. Ordinary users, who can't analyze the situation themselves, shouldn't be misinformed.
Other Links
F-Secure: Cloaking without malicious intent
F-Secure: The "Symantec rootkit"