myITforum.com, Inc.


Harry Waldron - My IT Forums Blog

Sharing Security Developments, and Best Practices for corporate and home users

August 2006 - Posts

  • Spybot - New Variant includes MS06-040 Exploit plus Rootkit

    The Spybot family is one of the most popular and adaptable (i.e., easy to create new variants from) malware attack programs circulating in the wild. The latest adaptation includes the MS06-040 exploit along with the capability to download and install a rootkit.

    Spybot - New Variant includes MS06-040 Exploit plus Rootkit
    http://vil.mcafeesecurity.com/vil/content/v_135336.htm

    Quote: The worm opens a backdoor at TCP port 443 and tries to connect to an IRC server and waits for commands. One of the ways this worm can spread is by exploiting the MS06-040 vulnerability. TCP port 443 is normally used for the https protocol but this worm uses it for IRC. W32/Spybot.worm.gen.p is a worm that also drops a rootkit component to hide its files and processes. This rootkit component is detected as NTRootKit-J.

    Actions that the worm may perform on receiving appropriate commands include:

    * Enumerate active process and threads on infected computer
    * Start, stop and hide processes and threads
    * Modify Microsoft Internet Explorer's start page
    * Open a local web server
    * Port scan IP addresses in a specified subnet to identify possible targets for infection
    * Open backdoor at a specified port
    * Transfer files
    * Spread via MIRC
    * Update itself
    * Restart infected machine
    * Flush ARP and DNS caches
    * Sniff network traffic
    * Create, delete and try to spread via network shares
    * Spread via AOL Instant Messenger
    * Download files from a specified URL
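
    The quote above notes that this worm runs IRC over TCP 443, where a filter expects TLS. As an added example (not McAfee's or this blog's code), here is a small Python classifier that tells plaintext IRC on port 443 apart from a real TLS handshake; the flows, addresses and channel name are constructed.

```python
"""Flag plaintext IRC traffic on TCP port 443, the Spybot behaviour quoted above."""
import re

# IRC commands that begin a line (RFC 1459/2812), plus 3-digit numeric replies.
IRC_COMMANDS = {"NICK", "USER", "PASS", "JOIN", "PRIVMSG", "NOTICE", "PING", "PONG",
                "MODE", "PART", "QUIT", "TOPIC"}
# Optional ":prefix " then a command word or numeric, then a space or end of line.
IRC_LINE = re.compile(rb"^(?::[^ ]+ )?([A-Z]{3,8}|\d{3})(?: |$)")


def looks_like_tls(payload: bytes) -> bool:
    """True if the first bytes form a TLS record header (content type 0x16 =
    handshake, version 3.x, plausible length). Real HTTPS on 443 starts this way."""
    if len(payload) < 5:
        return False
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return ctype == 0x16 and major == 3 and minor <= 4 and 0 < length <= 16384 + 2048


def looks_like_irc(payload: bytes) -> bool:
    """True if at least two lines start with a known IRC command or a numeric
    reply. Requiring two matches avoids firing on a lone word in another protocol."""
    hits = 0
    for line in payload.split(b"\r\n"):
        m = IRC_LINE.match(line.strip(b"\n"))
        if not m:
            continue
        cmd = m.group(1).decode("ascii")
        if cmd in IRC_COMMANDS or cmd.isdigit():
            hits += 1
    return hits >= 2


def classify(payload: bytes) -> str:
    """'tls', 'irc' or 'other' for the first bytes a client sends on a connection."""
    if looks_like_tls(payload):
        return "tls"
    if looks_like_irc(payload):
        return "irc"
    return "other"


def find_irc_on_https_port(flows):
    """flows: iterable of (src, dst, dst_port, first_payload_bytes).
    Returns (src, dst) pairs whose port-443 payload is plaintext IRC."""
    return [(src, dst) for src, dst, dport, data in flows
            if dport == 443 and classify(data) == "irc"]


# Constructed sample flows (not real captures); TLS_HELLO is a ClientHello prefix.
TLS_HELLO = bytes.fromhex("16030100a5010000a10303") + b"\x00" * 20
IRC_JOIN = b"NICK bot-12ab\r\nUSER bot 0 * :bot\r\nJOIN #c0ntrol\r\n"
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, TLS_HELLO),   # normal HTTPS, ignored
    ("10.0.0.7", "198.51.100.23", 443, IRC_JOIN),   # IRC hidden on 443, flagged
    ("10.0.0.7", "198.51.100.23", 6667, IRC_JOIN),  # IRC on its usual port, out of scope here
]

if __name__ == "__main__":
    for src, dst in find_irc_on_https_port(SAMPLE_FLOWS):
        print(f"ALERT plaintext IRC on tcp/443: {src} -> {dst}")
```

    On a real sensor the first payload bytes would come from a packet capture; the port check is what keeps ordinary IRC on 6667 out of this alert.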
  • AVERT Labs - Security begins at home

    This blog entry discusses "little Johnnie and Susie" returning to school and the need to be careful with the PC environment (e.g., web searches, email, Instant Messaging, etc.) ... Indeed, parents have to teach their children well, and these good principles apply to everyone when it comes to Internet safety.

    AVERT Labs - Security begins at home
    http://www.avertlabs.com/research/blog/?p=76

    McAfee Security Tips
    http://www.mcafee.com/us/threat_center/tips.html

    AVERT Labs - Security and Children's Web Sites
    http://www.avertlabs.com/research/blog/?p=22

    QUOTE: There are two basic things which will have the biggest effect on the security of any desktop/laptop machine: 

    (1) Application/OS vulnerabilities

    No OS is completely immune from application or OS vulnerabilities. The response of the vendor is the biggest consideration and arguably at this point the major players aren’t leaving actively attacked holes open for extended periods of time. With a firewall and anti-virus software in place, the average user will be reasonably safe. (If your machine should be armored like Fort Knox, obviously “reasonably safe” won’t be sufficient, but that’s another story)

    (2) Social engineering

    So, what’s left at that point is social engineering. No amount of OS security or security products will prevent you from putting your home address, phone number, credit card information, etc. out on a website if you’re truly determined. Malware does not have to be prevalent to be dangerous - if you’re the only person in the world who got targeted and your machine is compromised in some way, it’s still a big deal to you personally. People still need to be aware and proceed carefully regardless of what kind of machine they’re using.

  • Panda Labs - 88% of New malware in 2nd quarter related to Cybercrime

    While this statistic seems high, there is a definite upward trend in keyloggers, password stealers, backdoors, phishing attacks, etc. Malware writers are now more inclined to steal from folks in a stealthy manner than to launch the destructive payloads we used to see in the past.

    Panda Labs - 88% of New malware in 2nd quarter related to Cybercrime
    http://www.pandasoftware.com/about/press/viewNews.htm?noticia=7719

    QUOTE: According to Luis Corrons, director of PandaLabs: “the results show how malware creators are concentrating on profiting from their efforts, creating increasing numbers of Trojans and bots. The greatest danger lies in the fact that they are installed and operate silently without users noticing any of the typical symptoms of infection and therefore victims are unaware that their computers are being used to steal from them or even from third-parties. This false sense of security works in favor of the attackers.”

  • Spammers use GIF animation to bypass content filtering

    Kaspersky Labs documents the usage of GIF animation in spam messages that are designed to bypass content filtering controls.

    See August 30th entry - "An animated August"
    http://www.viruslist.com/en/weblog?calendar=2006-08

    Example of "Hot Stocks" SPAM using GIF animation
    http://www.viruslist.com/en/imagesen/pictures/vlweblog-196822919.gif

    QUOTE: We've recently detected yet another new trick being used by spammers. Spam now isn’t just being sent as a static graphical image in an attachment, but as an animated image. Spammers are using GIF animation which will be recognized and displayed by all popular browsers.  Spammers are always developing new technologies in order to evade spam filters. Whether or not animation will make spam more difficult to detect isn't yet clear. It's true that a lot of spam filters don't analyze the actual graphics in spam.
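
    Since the trick above is simply that the image moves, a filter can at least tell animated GIF attachments from static ones. As an added example (not Kaspersky's code or this blog's), here is a Python walk over the GIF block structure that counts image frames; the two GIF blobs are constructed inline, not spam samples.

```python
"""Count the frames in a GIF attachment; more than one frame means it is animated."""
import struct


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of length-prefixed data sub-blocks ending in a 0x00 byte."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def gif_frame_count(data: bytes) -> int:
    """Walk the GIF block structure and return the number of image descriptors."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    # Logical Screen Descriptor: width, height, packed flags, background index, aspect.
    _w, _h, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    pos = 13
    if packed & 0x80:                       # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    frames = 0
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                   # trailer: end of file
            break
        if block == 0x21:                   # extension: one label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:                 # image descriptor: 9 bytes, packed flags last
            packed = data[pos + 8]
            pos += 9
            if packed & 0x80:               # local colour table
                pos += 3 * (2 << (packed & 0x07))
            pos += 1                        # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
            frames += 1
        else:
            raise ValueError(f"unknown block 0x{block:02x} at offset {pos - 1}")
    return frames


def is_animated_gif(data: bytes) -> bool:
    return gif_frame_count(data) > 1


# Constructed minimal GIFs: 1x1 pixel, 2-colour global table, placeholder image data.
def _frame(delay_cs: int) -> bytes:
    gce = b"\x21\xF9\x04\x00" + struct.pack("<H", delay_cs) + b"\x00\x00"   # graphic control ext
    desc = b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)                   # image descriptor
    image = b"\x02" + b"\x02\x44\x01" + b"\x00"   # min code size, one 2-byte sub-block, end
    return gce + desc + image

GIF_HEADER = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\x00\x00\x00\xff\xff\xff"
NETSCAPE_LOOP = b"\x21\xFF\x0BNETSCAPE2.0\x03\x01\x00\x00\x00"   # the usual looping extension
STATIC_GIF = GIF_HEADER + _frame(0) + b"\x3B"
ANIMATED_GIF = GIF_HEADER + NETSCAPE_LOOP + _frame(50) + _frame(50) + _frame(50) + b"\x3B"

if __name__ == "__main__":
    for name, blob in (("static", STATIC_GIF), ("animated", ANIMATED_GIF)):
        print(f"{name}: {gif_frame_count(blob)} frame(s), animated={is_animated_gif(blob)}")
```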

  • MS06-001: Womble Worm - WMF Exploit

    Most recent exploit attacks have been of the spammed trojan horse variety. This new MS06-001 WMF-exploit based attack is a true worm that can replicate among vulnerable PCs if the user clicks on the infected attachments.

    MS06-001: Womble Worm - WMF Exploit
    http://vil.nai.com/vil/content/v_140497.htm
    http://www.sophos.com/security/analyses/w32womblea.html

    W32/Womble@MM is a mass mailing worm which uses Exploit-WMF to spread. It may arrive as a ZIP archive or as a file using the following file extension: JPG.WMF. W32/Womble@MM uses its own SMTP engine to send out the messages.

    It generates the email as follows:

    ---- EMAIL TO BLOCK OR AVOID ----

    From: (Spoofed email sender)

    Subject: Uses any one of the following: info, Incredible!!, Hi, important, !!, Look at this!!!, FIFA, pic, private, Beauty, Re: Private, Olympus, Bush, Kiss, Paula, Miss Khan, etc.

    Attachment: firefox_update.pif.zip, congratulations.jpg.zip, your_friends.wmf.zip, some_info.wmf, your_friends.jpg

    Files with .ZIP extensions are just a copy of the worm itself. Those files with either .JPG or .WMF extensions contain the Exploit-WMF as well as the worm.

  • Clagger.E - New Realistic Paypal based scam

    This trojan horse provides an example of a well done social engineering approach, designed to deceive users into opening the ZIP based attachment. The appearance, message, and wording are realistic. Users should always be cautious and avoid taking action based on email messages alone.   

    Clagger.E - New Realistic Paypal based scam
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCLAGGER%2EE

    Clagger.E - Behavioral Diagram
    http://www.trendmicro.com/vinfo/images/TROJ_CLAGGER_E2_BD.gif

    EMAIL MESSAGE TO BLOCK OR AVOID
    http://www.trendmicro.com/vinfo/images/TROJ_CLAGGER_E2_img.gif

  • MS06-042 Re-release postponed to ensure Quality

    CERT has issued an advisory, and Microsoft has updated their advisory, regarding long URL strings that can cause a buffer overflow condition. The August 22nd re-release was postponed so that QA issues could be fully resolved.

    CERT - Microsoft Internet Explorer long URL buffer overflow
    http://www.kb.cert.org/vuls/id/821156

    QUOTE: Microsoft Internet Explorer 6 Service Pack 1 on Windows 2000 and Windows XP SP1 contains a vulnerability when viewing a web site using the HTTP 1.1 protocol. If the web site uses HTTP 1.1 compression and contains an overly long URL, a buffer overflow can occur. Note that this vulnerability was introduced with the first release of the MS06-042 updates on August 8, 2006.

    MS06-042 Re-release postponed to ensure Quality
    http://blogs.technet.com/msrc/archive/2006/08/22/448689.aspx

    QUOTE: On August 15, 2006 Microsoft announced that it would be re-releasing MS06-042 Tuesday, August 22, 2006 to address an issue affecting Internet Explorer 6 Service Pack 1 customers discussed in Microsoft Knowledge Base Article 923762. Due to an issue discovered in final testing, Microsoft will not be re-releasing MS06-042 today. This update will be re-released for Internet Explorer 6 Service Pack 1 when it meets an appropriate level of quality for broad distribution.

    Additional Links:

    Microsoft Security Advisory (923762)
    http://www.microsoft.com/technet/security/advisory/923762.mspx

    Secunia
    http://secunia.com/advisories/21557/

    FrSIRT
    http://www.frsirt.com/english/advisories/2006/3356

    Security Focus
    http://www.securityfocus.com/news/11408

  • Article: That won't fly - How new airplane rules could affect you

    This article from Network World was highlighted in the morning email and documents some of the key changes associated with the new airline restrictions. 

    Article:  That won't fly, how new airplane rules could affect you

    By: M. E. Kabay

    As readers will no doubt be aware, on Aug. 10, British police arrested 21 people suspected of plotting to blow up planes flying from the U.K. to the U.S.

    http://news.bbc.co.uk/2/hi/uk_news/4778575.stm 

    In the wake of these police actions, the U.K. Department of Transport issued new, stricter regulations limiting what passengers can take into aircraft cabins.

    The press release of Aug. 10

    http://news.bbc.co.uk/2/hi/uk_news/4778615.stm 

    This specifically allows only the following - and everything must be placed in a transparent plastic bag, not in pockets (quoting exactly):

    * Pocket-size wallets and pocket-size purses plus contents (for example money, credit cards, identity cards etc (not handbags)

    * Travel documents essential for the journey (for example passports and travel tickets)

    * Prescription medicines and medical items sufficient and essential for the flight (e.g., diabetic kit), except in liquid form unless verified as authentic

    * Spectacles and sunglasses, without cases

    * Contact lens holders, without bottles of solution

    * For those traveling with an infant: baby food, milk (the contents of each bottle must be tasted by the accompanying passenger) and sanitary items sufficient and essential for the flight (nappies, wipes, creams and nappy disposal bags)

    * Female sanitary items sufficient and essential for the flight, if unboxed (e.g. tampons, pads, towels and wipes)

    * Tissues (unboxed) and/or handkerchiefs

    * Keys (but no electrical key fobs).

    All other belongings must be stowed in checked luggage.

    As I read these rules, business travelers, such as the readers of this column, who may need to fly to the U.K. and back from the U.S. will have to consider some information security issues.

    First of all, nobody is going to be bringing laptop computers, cell phones, PDAs or even watches onto the aircraft. That restriction means that confidential information stored on such devices may now be exposed to greater threat than if the devices were kept with the passenger. Anyone planning to allow baggage handlers to have access to laptop computers and such would do well to act on security experts' repeated pleas to use disk encryption.

    On a personal note, my PDA uses strong encryption for confidential data, and my watch has a password on the "Note" section where I store such things as bank account numbers.

    Not having your computer with you on a transatlantic flight may change your perspective on the productivity costs of international travel. I recommend you bring a good book, because you sure aren't going to be answering e-mail, writing that management report you intended to finish, or even watching DVDs or listening to CDs or your iPod. And forget the sound suppressing earphones: I don't see those on the approved list, either.

    It is possible that we will see an increase in the relative value of electronic conferencing, perhaps including Web-camera feeds for videoconferencing in lieu of physical transatlantic meetings. If similar restrictions come to be applied in the U.S., the same cost/benefit calculations may reduce business air travel and increase virtual meetings. We will have to pay better attention to the security of such communications; VPNs will become standard operating procedures for any kind of confidential information interchange at such meetings.

  • Veterans Admin moves to encrypted workstations for everyone

    While the VA has had at least two major incidents, it is truly a wise move for any company to encrypt hard drives and other media for better levels of physical security.

    VA Secretary Unveils Data Security Encryption Program
    http://www1.va.gov/opa/pressrel/pressrelease.cfm?id=1169

  • Windows Vista - New Security Blog

    Microsoft has recently established a Blog for commentary regarding security topics for its new Windows Vista Operating System:

    http://blogs.msdn.com/windowsvistasecurity/

  • Haxdoor.KI - Rootkit attack spreading in Europe

    F-Secure has escalated this new variant of Haxdoor to MEDIUM RISK as it represents about 60% of their reported infections.

    Haxdoor.KI - Rootkit attack spreading in Europe
    http://www.f-secure.com/weblog/archives/archive-082006.html
    http://www.f-secure.com/weblog/archives/europe.jpg
    http://www.f-secure.com/v-descs/haxdoor_ki.shtml

    Haxdoor.KI - On the 17th of August 2006 we received numerous reports of a new Haxdoor backdoor variant being spammed as an e-mail attachment to a large amount of people. The backdoor was spammed inside an archive named rakningen.zip. The backdoor's file, located inside the archive, is named rakningen.exe. (Swedish) We also have a report that it was spammed inside an archive named rechnung.zip as rechnung.exe. (German)

    Haxdoor is a powerful backdoor with rootkit and spying capabilities. It can hide its presence, processes and files, on an infected system. So when it is active, it can only be detected by anti-virus programs that use kernel drivers and by rootkit detectors such as our F-Secure BlackLight. It can also be detected by F-Secure products that have a built-in anti-rootkit engine such as our F-Secure Internet Security 2006.

  • MS06-051: MoBB - Putting the fun in browser fun

    MS06-051 is an important one to have installed for protection.

    MS06-051: MoBB - Putting the fun in browser fun
    http://metasploit.blogspot.com/2006/08/putting-fun-in-browser-fun.html

    QUOTE: The important take away is that the use of this technique means that all of the otherwise non-exploitable issues reported in H D's postings can potentially be exploited in a reliable fashion through the use of this technique. However, it will only work on machines that are not patched with the latest critical updates since this issue has now been addressed by the patch that was created for MS06-051. At any rate, it would be interesting to know what other applications might be vulnerable to this type of attack as well as other interesting ways to achieve it in Internet Explorer.

    http://browserfun.blogspot.com/

    QUOTE: Matt Miller posted to the Metasploit Blog about a technique that allows arbitrary code execution in Internet Explorer using any fatal unhandled exception. Every Internet Explorer denial of service flaw is exploitable if MS06-051 has not been installed. More information can be found in the Uninformed Journal article.

    Exploiting the Otherwise Non-exploitable on Windows
    http://uninformed.org/index.cgi?v=4&a=5

  • Windows Vista - First security patch issued

    Even though Vista and IE 7 represent better security than XP SP2 or IE 6 SP1 respectively -- they will require patching, as no software product is perfect or bulletproof.

    Windows Vista - First security patch issued
    http://www.informationweek.com/news/showArticle.jhtml?articleID=192201435 

    QUOTE: Microsoft confirmed Tuesday that two of the 12 security bulletins issued last week affect Windows Vista Beta 2, the widely-used preview, and posted download instructions for the first security updates to its next-generation operating system.

    "We are committed to releasing Windows Vista updates for all MSRC critical class issues that may arise during the beta testing period," wrote Alex Heaton, product manager for the Windows Vista security team, on the group's blog.

    Out of the dozen bulletins released Aug. 8, two -- MS06-042 and MS06-051 -- impact Vista Beta 2. "Of the seven critical Windows updates released in August, only 2 also affect Windows Vista Beta 2 or later," said Heaton.

    MS06-042 is a cumulative security update for Internet Explorer that included patches for 8 different vulnerabilities; MS06-051 detailed a fix for a flaw in the Windows kernel that might let attackers hijack PCs by drawing users to malicious Web sites.

  • MS06-042 and IE 6.0 SP1 Issues - New Windows Update release by August 22nd

    On August 22, 2006, Microsoft will be releasing MS06-042 with the integrated Hot Fix, so it's available with Windows Update.  

    MS06-042 and IE 6.0 SP1 Issues - New Windows Update release by August 22nd 
    http://blogs.technet.com/msrc/archive/2006/08/16/447023.aspx
    http://www.incidents.org/diary.php?storyid=1604

    MS06-042 - Hot Fix information
    http://support.microsoft.com/kb/923762/

    QUOTE: A new version of security update 918899 is currently in development and will be released to all Microsoft Internet Explorer 6 Service Pack 1 customers by August 22, 2006. The new update will be available on the Microsoft Download Center and by using Windows Update. Customers who are using any version of Internet Explorer other than Internet Explorer 6 Service Pack 1 together with any Windows version are not affected by this release and do not have to take any action.

  • W32.Toyep.A - New EMAIL worm uses ZIP extensions

    W32.Toyep.A - New EMAIL worm uses ZIP extensions
    http://secunia.com/virus_information/31444/toyep/
    http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-081615-5719-99

    QUOTE: It gathers email addresses from the compromised computer and uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics. The main danger is a secondary EXE-based virus attack downloaded from a hostile website.

    EMAIL TO AVOID
    From: [Spoofed]
    Subject: [varies]
    Attachment: message.zip, data.zip, logfile.zip
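
    The attachment patterns listed for Womble (MS06-001 entry above) and for Toyep lend themselves to a mail-gateway check. Here is an added Python example, not vendor code or this blog's, that flags double extensions, files whose bytes are actually a WMF metafile despite a .JPG name, and ZIP archives carrying an executable; every sample file and name below is constructed.

```python
"""Check a mail attachment for the tricks Womble and Toyep rely on."""
import io
import zipfile

# Extensions that carry code, or (WMF) an exploitable parser per MS06-001.
DANGEROUS_EXT = {"exe", "pif", "scr", "com", "bat", "cmd", "wmf"}
# Extensions a user reads as harmless and that serve as the visible disguise.
DISGUISE_EXT = {"jpg", "jpeg", "gif", "txt"}
# Magic bytes: placeable WMF key 0x9AC6CDD7 (little-endian) and the standard WMF
# header (type=1, header size=9 words); JPEG files start with FF D8 FF.
WMF_MAGICS = (b"\xd7\xcd\xc6\x9a", b"\x01\x00\x09\x00")
JPEG_MAGIC = b"\xff\xd8\xff"


def _exts(name: str) -> list:
    """All extensions of a filename, lower-cased: 'a.jpg.zip' -> ['jpg', 'zip']."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def check_attachment(name: str, data: bytes) -> list:
    """Return the reasons this attachment should be blocked (empty list = clean)."""
    reasons = []
    exts = _exts(name)
    inner = set(exts[:-1])
    if inner & DANGEROUS_EXT:                       # firefox_update.pif.zip, your_friends.wmf.zip
        reasons.append("double extension hides ." + ", .".join(sorted(inner & DANGEROUS_EXT)))
    elif inner & DISGUISE_EXT:                      # congratulations.jpg.zip
        reasons.append("double extension " + ".".join(exts))
    if exts and exts[-1] in DANGEROUS_EXT:          # some_info.wmf
        reasons.append("executable or exploit extension ." + exts[-1])
    if exts and exts[-1] in {"jpg", "jpeg"} and not data.startswith(JPEG_MAGIC):
        reasons.append("claims JPEG but content is not JPEG")   # your_friends.jpg carrying WMF
    if data.startswith(WMF_MAGICS):
        reasons.append("content is a WMF metafile")
    if data.startswith(b"PK\x03\x04"):              # ZIP: look inside, do not trust the name
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    m_ext = _exts(member)
                    if m_ext and m_ext[-1] in DANGEROUS_EXT:
                        reasons.append(f"archive contains {member}")
        except zipfile.BadZipFile:
            reasons.append("corrupt or deceptive ZIP container")
    return reasons


def _zip_with(member: str, content: bytes) -> bytes:
    """Build an in-memory ZIP holding one member (for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, content)
    return buf.getvalue()


# Constructed samples; the "executables" are an MZ stub, not real programs.
FAKE_EXE = b"MZ" + b"\x00" * 62
JPEG_SAMPLE = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 16
WMF_SAMPLE = WMF_MAGICS[0] + b"\x00" * 28
SAMPLES = {
    "holiday.jpg": JPEG_SAMPLE,                                        # clean
    "your_friends.jpg": WMF_SAMPLE,                                    # Womble: WMF behind .jpg
    "some_info.wmf": WMF_SAMPLE,                                       # Womble
    "firefox_update.pif.zip": _zip_with("firefox_update.pif", FAKE_EXE),
    "message.zip": _zip_with("message.exe", FAKE_EXE),                 # Toyep
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", check_attachment(name, blob) or "clean")
```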

  • MS06-047: Trojan.Mdropper.N - Exploits Word vulnerability patched in August

    Microsoft Office had several security updates in July and August.  All users should be careful of suspicious documents, apply the latest service packs, and install all Office updates.

    MS06-047: Trojan.Mdropper.N - Exploits Word vulnerability patched in August
    http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-081616-2104-99

    QUOTE - Trojan.Mdropper.N is a Trojan horse that exploits the Microsoft Visual Basic for Applications Document Check Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS06-047) and attempts to drop a file on the compromised computer.  The Trojan is a Microsoft Word document reportedly named: syosetu.doc

  • Survey: 81% of U.S. firms lost laptops with sensitive data in the past year

    This article has some interesting stats; it captures results from a survey of Fortune 500 companies. Be sure to tab to page 2 also in this link.

    Survey: 81% of U.S. firms lost laptops with sensitive data in the past year
    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002493

  • MS06-040 -- New IRCBot attacks unpatched W/2000 systems

    A generic IRCbot, called MocBot by some AV vendors, has been adapted to use the Windows Server Service vulnerability patched by MS06-040 during August. This IRC-MocBot attack is now in the wild. It will automatically infect unpatched W/2000 systems (unless firewall controls to block ports 139 and 445 are in place).

    On infected systems, it hides as a Windows Genuine Advantage Registration service. Finally, Trend is reporting a 2nd variant, so this new malware may be adapted into further variants to bypass AV detection as it emerges. Please install all available Microsoft security updates (esp. MS06-040) for the best level of protection.

    SECURITY INFORMATION AND WARNINGS

    MSRC Blog Information
    http://blogs.technet.com/msrc/archive/2006/08/13/446268.aspx

    Internet Storm Center bulletin
    http://www.incidents.org/diary.php?storyid=1592

    FrSIRT - Current Threat Analysis
    http://www.frsirt.com/english/threats/

    Department of Homeland Security Warning
    http://www.dhs.gov/dhspublic/display?content=5789

    ANTI-VIRUS PROTECTION FOR NEW MS06-040 BASED IRC-BOT

    MS06-040 - McAfee IRC-MocBot 
    http://vil.nai.com/vil/content/v_140394.htm

    MS06-040 - McAfee generic information on IRC bot adapted to use exploit
    http://vil.nai.com/vil/content/v_136637.htm

    QUOTE: This is a detection for variants of IRC-Mocbot that exploit the Microsoft Windows Server Service Buffer Overflow MS06-040 against Windows 2000 machines. This worm spreads by exploiting the MS06-040 vulnerability. It registers itself as a "Windows Genuine Advantage Registration" Service. Stopping or disabling this service will result in system instability. (The "Windows Genuine Advantage" programs installed by Microsoft via Windows Update do not typically contain a wgareg.exe or wgavm.exe file in the WINDOWS SYSTEM directory.)

    MS06-040 - F-Secure Weblog and AV information
    http://www.f-secure.com/weblog/archives/archive-082006.html#00000946
    http://www.f-secure.com/v-descs/ircbot_st.shtml

    QUOTE: IRCBot.st is the first variant of this IRC backdoor-worm to use the recently discovered MS06-040 exploit to spread. After being run, the backdoor installs itself to the system, modifies several security settings, connects to a remote IRC server and starts listening for commands from a remote hacker.

    MS06-040 - Symantec MocBot.B
    http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-081315-2652-99

    MS06-040 - Trend WORM_IRCBOT.JK and WORM_IRCBOT.JL
    http://secunia.com/virus_information/31381/ircbot.jk/
    http://secunia.com/virus_information/31382/ircbot.jl/

    MS06-040 - Trend WORM_IRCBOT Behavioral Diagram
    http://www.trendmicro.com/vinfo/images/WORM_IRCBOT_JK.gif
    http://www.trendmicro.com/vinfo/images/WORM_IRCBOT_JL_BD_2.gif

    QUOTE: This worm propagates by dropping copies of itself in the default network-shared folder IPC$. It can also use the popular chat application AOL Instant Messenger (AIM) as another medium in spreading its copies to as many users as possible. Via AIM, this worm sends out instant messages containing a URL, where a copy of it can be downloaded, to all the contacts in an affected user's buddy list. It is important to note that this worm takes advantage of a known vulnerability in Windows' Server Service to do the mentioned propagation routines. More information on the said vulnerability can be found in the following Microsoft Web page: Microsoft Security Bulletin MS06-040. It opens random TCP ports to establish a connection with hostile IRC-based servers. Once connected, it then acts as a backdoor allowing a remote malicious user to issue commands and gain privileges on the affected machine, thus effectively compromising system security. This worm also either disables or restricts several system services to let its routines run without interference.

    MS06-040 - Computer Associates Cuebot.J
    http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=57639

    QUOTE: In order to spread, the worm attempts to exploit the Microsoft Windows Server service buffer overflow vulnerability. The worm searches IP addresses for potential targets, checking for vulnerable systems via port 445. It only does this if it is commanded to through its IRC controlled backdoor (see Payload section below for additional detail).

    For more information on this vulnerability, please visit:

    http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx

  • MS06-047: MDROPPER variants manipulate Office vulnerabilities patched in August

    Corporate and home users should install the latest service packs for Office and use Office Update, or better yet the new Microsoft Update facility, to stay protected. Also, never click on ANY attachment or URL in a spam email message.

    MS06-047: New MDROPPER.BI - Spammed as malformed Excel document 
    http://secunia.com/virus_information/31362/trojmdropper.bi/
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FMDROPPER%2EBI

    MS06-047: New MDROPPER.BI - Behavior Diagram
    http://www.trendmicro.com/vinfo/images/TROJ_MDROPPER_BI_BD_img2.gif

    QUOTE: This Trojan arrives on a system either downloaded from the Internet or dropped by other malware. It may also arrive as an attachment to a spammed email message. When executed, it exploits a vulnerability in MS Office 2000 and MS Office XP wherein a specially crafted .XLS file can cause the application to drop and execute an embedded .EXE file on the affected system. Once it successfully exploits the mentioned vulnerability, this Trojan executes a shell code which, in turn, runs an embedded .EXE file. This .EXE file is detected by Trend Micro as BKDR_AGENT.DNX.

    MS06-047: New MDROPPER.BJ - Spammed as malformed Word document
    http://secunia.com/virus_information/31363/trojmdropper.bj/
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FMDROPPER%2EBJ

    MS06-047: New MDROPPER.BJ - Behavior Diagram
    http://www.trendmicro.com/vinfo/images/TROJ_MDROPPER_BJ_BD_img2.gif

    QUOTE: This Trojan arrives on a system as a .DOC file dropped by other malware or downloaded by unsuspecting users when visiting malicious Web sites. It may also arrive as an attachment to a spammed email message. When executed, it exploits the Windows Visual Basic vulnerability, which affects MS Office 2000 and XP. Once it successfully exploits the mentioned vulnerability, this Trojan attempts to drop and execute a file which is detected by Trend Micro as BKDR_AGENT.DNX.

    The following links provide more information on the MS06-047 security patch:

    Microsoft Security Bulletin MS06-047 -- Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (921645)
    http://www.microsoft.com/technet/security/bulletin/MS06-047.mspx

    Microsoft Update - A more complete approach than Windows Update
    http://msmvps.com/blogs/harrywaldron/archive/2006/04/14/90966.aspx

  • W64.Bounds - New 64 bit EXE virus infector

    We are in an active cycle of security risks and malware development now. Below are links for the 32 and 64 bit versions of this new EXE-based infector, which I hope is proof-of-concept rather than in-the-wild. Symantec is still analyzing the 64 bit variant.

    W64.Bounds - New 64 bit EXE virus infector
    http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-081009-3153-99

    It's probably a cousin of the 32 bit version below:

    W32.Bounds - New 32 bit EXE virus infector
    http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-080913-5115-99

    Discovered: August 9, 2006
    Updated: August 10, 2006 09:58:41 AM ZE9
    Type: Virus
    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

    W32.Bounds is a proof of concept polymorphic entrypoint-obscuring infector of Windows executable files. When W32.Bounds is executed, it performs the following actions:

    1. Infects all suitable executable files in the current directory and all subdirectories, regardless of the file extension, whenever an infected file is executed.

    2. Uses a new type of entrypoint obscuring by hooking an entry in the Import Table that is referenced by the Bound Import Table.

  • MS06-040 - Department of Homeland Security Warning

    The Department of Homeland Security has issued a warning to apply the Microsoft security bulletins for August promptly to ensure the safest level of protection. 

    DHS Recommends Security Patch to Protect Against a Vulnerability Found In Windows Operating Systems
    http://www.dhs.gov/dhspublic/display?content=5789

    Quote: For Immediate Release
    Office of the Press Secretary
    Contact: 202-282-8010
    August 9, 2006

    The Department of Homeland Security (DHS) is recommending that Windows Operating Systems users apply Microsoft security patch MS06-040 as quickly as possible. This security patch is designed to protect against a vulnerability that, if exploited, could enable an attacker to remotely take control of an affected system and install programs, view, change, or delete data, and create new accounts with full user rights.

    Windows Operating Systems users are encouraged to avoid delay in applying this security patch. Attempts to exploit vulnerabilities in operating systems routinely occur within 24 hours of the release of a security patch. This vulnerability could impact government systems, private industry and critical infrastructure, as well as individual and home users.

  • MS06-040 Exploit - Now Publicly available

    Work continues by the malware writers in developing exploit code that could adversely impact unpatched Windows servers and workstations. 

    MS06-040 Exploit - Now Publicly available
    http://www.incidents.org/diary.php?storyid=1582

    QUOTE: The current exploit seems to be working on all Windows 2000 systems and Windows XP SP0 and SP1. The good thing is that it doesn't work against Windows XP SP2 or Windows 2003 SP1. The current version doesn't work against Windows 2003 SP0 either, but this doesn't mean that it's safe.

  • Microsoft has patched more critical items in 2006 than in 2004 and 2005 combined

    Microsoft's Security team has been very busy during 2006, as we're seeing significantly more attacks on Windows, IE, and Office.

    Microsoft has patched more critical vulnerabilities than 2004 and 2005 combined
    http://www.avertlabs.com/research/blog/?p=66

  • Blackberry - New Trojan Horse proof of concept attack

    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002284

    QUOTE: August 08, 2006 (IDG News Service) -- Security researcher Jesse D'Aguanno has developed what he bills as the first Trojan horse malware for Research in Motion Ltd.'s (RIM) BlackBerry e-mail device.

    The software, which was demonstrated at the Defcon hacker conference over the weekend, appears to be a free tick-tack-toe download. Once downloaded, however, it works with another piece of code, called BBProxy, that can be used to attack vulnerable machines within the corporate network.

    D'Aguanno plans to make the BBProxy software, but not the Trojan horse code, available on his company's site within the next few days.

    The BlackBerry hack was written to show that while these devices are often not treated with the same concern as PCs, they can be equally dangerous, said D'Aguanno, director of professional services and research at Praetorian Global LLC.

    When users think of the BlackBerry's security, they are too focused on protecting the device's data and tend to ignore its networking capabilities, D'Aguanno said. "It's a computer that has constant access to your internal network."

  • Microsoft Security Updates - August 2006

    Microsoft has released several important security updates related to Windows, IE, and Office. This month's update is large and it's working well so far on my corporate desktop and laptop plus home systems. I'd encourage everyone to update promptly to stay protected against some of the latest security threats.

    ===========================================
    New Security Bulletins for August 2006
    ===========================================

    Today, 08 August 2006, Microsoft is releasing the following security
    bulletins for newly discovered vulnerabilities:

    • Critical MS06-040 Microsoft Windows Remote Code Execution
    • Critical MS06-041 Microsoft Windows Remote Code Execution
    • Critical MS06-042 Microsoft Windows Remote Code Execution
    • Critical MS06-043 Microsoft Windows Remote Code Execution
    • Critical MS06-044 MS Windows 2000 Remote Code Execution
    • Important MS06-045 Microsoft Windows Remote Code Execution
    • Critical MS06-046 Microsoft Windows Remote Code Execution
    • Critical MS06-047 Microsoft Office Applications or Applications that use Visual Basic for Applications Remote Code Execution
    • Critical MS06-048 Microsoft PowerPoint Remote Code Execution
    • Important MS06-049 Microsoft Windows Elevation of Privilege
    • Important MS06-050 Microsoft Windows Remote Code Execution
    • Critical MS06-051 Microsoft Windows Remote Code Execution

    The Summary for these new bulletins may be found at the following page:

    http://www.microsoft.com/technet/security/bulletin/ms06-aug.mspx

     

  • TROJ_WMFCRASH.D - New DoS-based WMF Exploit

    Trend has published heuristic detection for the newly discovered DoS-based WMF exploit.

    TROJ_WMFCRASH.D - New DoS-based WMF Exploit
    http://secunia.com/virus_information/31228/trojwmfcrash.d/
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FWMFCRASH%2ED

    TROJ_WMFCRASH.D - Behavioral Diagram
    http://www.trendmicro.com/vinfo/images/TROJ_WMFCRASH_D_img2.gif

    QUOTE: This Trojan is Trend Micro's detection for a proof-of-concept Windows Metafile (WMF) that takes advantage of a vulnerability affecting systems running Windows XP and Server 2003. The said vulnerability is caused by a page fault in the Application Programming Interface (API) function CreateBrushIndirect, which occurs because of an invalid pointer access.

    It is a zero-day exploit that is capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This may pose a dangerous situation in which a lot of computers may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it.

    Once this malicious .WMF file is opened, it launches a denial of service (DoS) attack against the legitimate system process EXPLORER.EXE in order to restart or terminate it. The said action may leave an affected user unable to navigate through Windows. After performing the said routine, this Trojan eventually terminates itself.

  • Windows PowerShell and the PowerShell Worm

    On July 29, 2006, a new worm, MSH/Cibyz.A, surfaced that is written for Microsoft's new scripting environment for Windows XP SP2 and Vista, Windows PowerShell (the MSH prefix comes from PowerShell's pre-release name, Monad Shell).  Because a script is just a sequence of Windows command-line entries, malware authors can write destructive routines that delete every file of a given type, disable security software, copy themselves to network shares, and so on.

    I was pleased to discover that Microsoft is protecting this environment better: with the out-of-the-box settings no script runs at all, and a set of execution policies (trust levels for scripts) lets administrators and users decide what may run.

    Thus the PowerShell commands in this worm will run only if the user is logged on as an administrator, opens the attachment, and has changed the execution policy to Unrestricted (which allows any script to run and is a highly inadvisable setting).  Even then, the user must supply the correct path for the script to run from and so "infect themselves".

    More can be found in the links noted below:

    Windows PowerShell and the PowerShell Worm
    http://blogs.msdn.com/powershell/archive/2006/08/03/687838.aspx

    Worm:MSH/Cibyz.A - Proof-of-Concept P2P Worm
    http://www.microsoft.com/security/encyclopedia/details.aspx?name=Worm:MSH/Cibyz.A

    A “PowerShell Worm” has recently been reported by several antivirus companies and some news organizations. There has been some confusion and concern around the classification of this malicious script as a worm as well as questions about the risk. It is important to note that the PowerShell Worm will not work and cannot infect Windows PowerShell in its default configuration.

    This is a proof-of-concept virus whose “Worm” replication mode is just a simple file copy and could have been implemented in any language which supports copying files. The fact that the worm is written in PowerShell rather than another scripting language or even as an executable has actually made it even harder for this virus to spread since the additional security features around PowerShell scripts result in many additional steps for the user to perform before an infection can take place.
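    As an added example (not code from this post or from Microsoft's blog entry), the PowerShell below models the execution-policy gate that stops this worm on a default install and then audits a host for the Unrestricted setting. It assumes the four policies that shipped with PowerShell 1.0 plus Bypass from 2.0, treats a file as "from the Internet" when a mail client or browser has marked it with a Zone.Identifier stream (the marker RemoteSigned keys on), and uses only Get-ExecutionPolicy, Set-ExecutionPolicy and Get-AuthenticodeSignature.

```powershell
# Added example, not part of the original post or of Microsoft's PowerShell blog entry.
# Assumptions: policies Restricted, AllSigned, RemoteSigned, Unrestricted (1.0) and
# Bypass (2.0); "from the Internet" = file carries a Zone.Identifier stream, which is
# how a saved attachment or download is marked.

function Test-ScriptWouldRun {
    # Pure model of the gate: would this .ps1 execute under the given policy?
    param(
        [string]$Policy,        # value of Get-ExecutionPolicy
        [bool]$Signed,          # valid Authenticode signature on the script
        [bool]$FromInternet     # downloaded or saved from a mail client
    )
    switch ($Policy) {
        'Restricted'   { return $false }                              # default: no scripts at all
        'AllSigned'    { return $Signed }
        'RemoteSigned' { return ((-not $FromInternet) -or $Signed) }  # local unsigned scripts run
        'Unrestricted' { return $true }                               # prompts for remote files, then runs
        'Bypass'       { return $true }
        default        { return $false }                              # anything unknown is treated as Restricted
    }
}

function Test-ScriptFile {
    # Decide for a real file, using its signature and the effective policy on this host.
    param([string]$Path, [bool]$FromInternet)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    Test-ScriptWouldRun -Policy ([string](Get-ExecutionPolicy)) -Signed ($sig.Status -eq 'Valid') -FromInternet $FromInternet
}

function Get-ExecutionPolicyAudit {
    # Report the effective policy and whether an unsigned attachment would run under it.
    $policy = [string](Get-ExecutionPolicy)
    $weak   = ($policy -eq 'Unrestricted') -or ($policy -eq 'Bypass')
    $rec    = 'no change'
    if ($weak) { $rec = 'Set-ExecutionPolicy RemoteSigned (run as administrator)' }
    New-Object PSObject -Property @{
        Policy                 = $policy
        Weak                   = $weak
        UnsignedAttachmentRuns = Test-ScriptWouldRun -Policy $policy -Signed $false -FromInternet $true
        Recommendation         = $rec
    }
}

# The unsigned attachment from the post, under the default policy, the usual
# hardened setting, and the setting the post warns against:
Test-ScriptWouldRun -Policy 'Restricted'   -Signed $false -FromInternet $true
Test-ScriptWouldRun -Policy 'RemoteSigned' -Signed $false -FromInternet $true
Test-ScriptWouldRun -Policy 'Unrestricted' -Signed $false -FromInternet $true

# Audit of the local host:
Get-ExecutionPolicyAudit | Format-List
```

    Only the third call returns True, which is the condition in the post: the script reaches the interpreter only after someone has changed the policy to Unrestricted. RemoteSigned is the setting to recommend for administrators who need their own scripts to run, since it keeps the Zone.Identifier check for anything that arrived by mail or download.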

  • Windows Security - Unpatched WMF DoS vulnerability

    A new, unpatched vulnerability has been published that can be exploited for a denial-of-service (DoS) attack.  Links from Secunia and FrSIRT are noted below. 

    Microsoft Windows GDI Library WMF Image Handling Remote Denial of Service Vulnerability
    http://secunia.com/advisories/21377/
    http://www.frsirt.com/english/advisories/2006/3180

    Advisory ID : FrSIRT/ADV-2006-3180
    Rated as : Low Risk
    Remotely Exploitable : Yes
    Locally Exploitable : Yes
    Release Date : 2006-08-07

    Technical Description: A vulnerability has been identified in Microsoft Windows, which could be exploited by attackers to cause a denial of service. This flaw is due to a signedness error in the GDI library (gdi32.dll) when processing malformed WMF images, which could be exploited by attackers to crash an application linked against the vulnerable library (e.g. Internet Explorer) by tricking a user into visiting a malicious web page or opening a specially crafted image.
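    The two WMF items above (TROJ_WMFCRASH.D and this advisory) both come down to a malformed metafile whose record sizes a signed-integer parser mishandles. The PowerShell below is an added example, not code from the advisories or from this post: it walks the record list of a WMF file and flags size fields that are negative when read as a signed int32, smaller than the record header, beyond the end of the file, or larger than the header's MaxRecord, so a quarantined image can be triaged before a viewer linked against gdi32 opens it. It assumes the standard WMF layout (18-byte header whose HeaderSize field is 9 words, an optional 22-byte placeable header beginning with the bytes D7 CD C6 9A, records of a 32-bit size in words followed by a 16-bit function code, META_EOF = 0x0000, META_CREATEBRUSHINDIRECT = 0x02FC). The advisories do not say which field gdi32 reads with the wrong sign, so the two sample files are constructed here and are not the published proof of concept.

```powershell
# Added example, not part of the original post or of the Secunia/FrSIRT advisories.
# Walks the record list of a WMF file and flags size fields a parser would mishandle,
# including sizes that flip negative when read as a signed int32. The samples at the
# bottom are constructed for this example, not real proof-of-concept files.

$KnownFunctions = @{ 0x0000 = 'META_EOF'; 0x02FC = 'META_CREATEBRUSHINDIRECT' }

function ConvertFrom-HexString {
    # Turn a whitespace-separated hex dump into a byte array.
    param([string]$Hex)
    $clean = $Hex -replace '[^0-9A-Fa-f]', ''
    $bytes = New-Object byte[] ($clean.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($clean.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function Get-WmfRecordFindings {
    param([byte[]]$Bytes)
    $findings = @()
    $offset = 0
    # Optional placeable (Aldus) header: 22 bytes, key 0x9AC6CDD7 stored little-endian.
    if ($Bytes.Length -ge 4 -and $Bytes[0] -eq 0xD7 -and $Bytes[1] -eq 0xCD -and
        $Bytes[2] -eq 0xC6 -and $Bytes[3] -eq 0x9A) { $offset = 22 }
    if ($Bytes.Length -lt $offset + 18) { return ,@('TRUNCATED: standard header missing') }
    # Standard header: Type(2) HeaderSize(2) Version(2) FileSize(4) NumObjects(2) MaxRecord(4) Members(2)
    $headerWords = [BitConverter]::ToUInt16($Bytes, $offset + 2)
    $maxRecord   = [BitConverter]::ToUInt32($Bytes, $offset + 12)
    if ($headerWords -ne 9) { $findings += "HEADER: HeaderSize $headerWords words, expected 9" }
    $offset += 18

    while ($offset + 6 -le $Bytes.Length) {
        $sizeWords  = [BitConverter]::ToUInt32($Bytes, $offset)   # what the format defines
        $sizeSigned = [BitConverter]::ToInt32($Bytes, $offset)    # what a signed-int parser sees
        $func       = [BitConverter]::ToUInt16($Bytes, $offset + 4)
        $name = $KnownFunctions[[int]$func]
        if (-not $name) { $name = '0x{0:X4}' -f $func }
        $where = "$name at offset $($offset)"
        $stop = $false
        if ($sizeSigned -lt 0) {
            $findings += "$($where): size 0x$('{0:X8}' -f $sizeWords) words is negative as signed int32"; $stop = $true
        } elseif ($sizeWords -lt 3) {
            $findings += "$($where): size $sizeWords words is smaller than the record header"; $stop = $true
        } elseif ($offset + 2 * [long]$sizeWords -gt $Bytes.Length) {
            $findings += "$($where): size $sizeWords words runs past end of file"; $stop = $true
        } elseif ($sizeWords -gt $maxRecord) {
            $findings += "$($where): size $sizeWords words exceeds header MaxRecord $maxRecord"
        }
        if ($stop -or $func -eq 0) { break }    # cannot advance safely, or META_EOF reached
        $offset = [int]($offset + 2 * $sizeWords)
    }
    return ,$findings
}

# Constructed sample: header (19-word file, MaxRecord 7) + META_CREATEBRUSHINDIRECT (7 words) + META_EOF.
$BenignWmf = ConvertFrom-HexString -Hex @'
01 00 09 00 00 03 13 00 00 00 01 00 07 00 00 00 00 00
07 00 00 00 FC 02 00 00 00 00 FF 00 00 00
03 00 00 00 00 00
'@

# Same file with the brush record's size field set to 0xFFFFFFFF (-1 as a signed int32).
$MalformedWmf = ConvertFrom-HexString -Hex @'
01 00 09 00 00 03 13 00 00 00 01 00 07 00 00 00 00 00
FF FF FF FF FC 02 00 00 00 00 FF 00 00 00
03 00 00 00 00 00
'@

Get-WmfRecordFindings -Bytes $BenignWmf
Get-WmfRecordFindings -Bytes $MalformedWmf

# Triage a quarantine folder:
# Get-ChildItem C:\quarantine -Filter *.wmf | ForEach-Object {
#     Get-WmfRecordFindings -Bytes ([IO.File]::ReadAllBytes($_.FullName))
# }
```

    The first call returns nothing and the second returns one finding naming META_CREATEBRUSHINDIRECT, the function the Trend write-up mentions. The walker stops at the first size it cannot trust instead of advancing by it, which is exactly the step a parser that reads the field as a signed int skips; a clean pass says only that the size fields are consistent, not that the file is safe.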

  • MS Security - 12 Windows/Office patches on Aug 8th

    On Tuesday, August 8, 2006, Microsoft will release twelve security bulletins for Windows and Office; the updates should be applied promptly to ensure the best level of security protection.

    MS Security - 12 Windows/Office patches on 8/8/06
    http://www.microsoft.com/technet/security/bulletin/advance.mspx

    Microsoft released its Security Bulletin Advance Notification on Thursday afternoon.  Next Tuesday looks like a very active day: 12 security bulletins will be released, along with 2 High Priority (non-security) updates and the monthly update of the Malicious Software Removal Tool.

    * Ten Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. Some of these updates will require a restart.

    * Two Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.


     
