**********************************************************************************
 |
Review current activity of attacks atUS-CERT at the U.S. Department of Homeland Security. |
In the News
Reports Also see Stop Badware dot org & Shadow Server dot org **********************************************************************************
5-22-2006 Microsoft Investigating Phony Patch eMail
Microsoft is investigating email messages with spoofed "from" fields that appear to come from patch@microsoft.com and purport to be a patch for a flaw in the WinLogon Service. The email is suspected to be coming from bots. According to a Microsoft spokesperson, there is no such vulnerability and users should ignore the email.http://isc.sans.org/diary.php?storyid=1370
http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39257447-2000061744t-10000005c
5-22-06 Microsoft Word Zero Day Vulnerability
Microsoft Security Advisory (919637) Vulnerability in Word Could Allow Remote Code Execution Published: May 22, 20065-16-06 Apple
Apple Mac OS X Security Update 2006-003Affected: Apple Mac OS X versions 10.4.6 and prior.
Description: Apple announced fixes for thirty one vulnerabilities in Mac OS X version 10.4.6 and prior. These vulnerabilities include local and remote code execution, information disclosure, denial-of-service and local privilege escalation. The update fixes the 0-day vulnerabilities in OS X's handling of multiple image file formats.
Apple Security Update 2006-003
http://docs.info.apple.com/article.html?artnum=303737
************************************************************************
Apple QuickTime Multiple Buffer Overflows
Affected: Apple QuickTime version prior to 7.1.
Description: Apple's QuickTime, a popular digital media framework for Windows and Mac platforms, contains multiple buffer overflow vulnerabilities. The problems lie in the QuickTime's processing of various file/media formats, and may be exploited to execute arbitrary code on a client system. A webpage serving a malicious QuickTime media file may leverage these flaws to compromise a client. Note that users who have QuickTime as their default media player may be compromised via any of the media file formats. The technical details for some of the vulnerabilities have been publicly posted.
Apple Advisory
http://docs.info.apple.com/article.html?artnum=303752
*************************************************************************
3-15-06 Apple
Mac OS X Safari Remote Code ExecutionAffected:
Safari current and possibly all prior versions
Description: Safari, the default browser on Mac OS X systems, contains a vulnerability that allows an attacker to execute arbitrary code on a user's system. The problem arises because Safari opens "Safe" files automatically after downloading and also trusts the user-supplied metadata associated with a file. For instance, an attacker can create a shell script, rename the shell script with a safe extension like ".mov" and store the metadata for the shell script in the "__MacOSX" folder. The attacker can then create a zip archive that contains the shell script and the metadata, and post this crafted zip archive on a webserver. When a user visits the attacker's site, the zip file will be automatically downloaded and the shell script executed by the program indicated by the metafile. Note that no user interaction is required to leverage this flaw other than browsing a malicious webpage. Exploit code has been publicly posted.
CERT Advisory
http://www.kb.cert.org/vuls/id/999708
****************************************************************
Winamp M3U Playlist File Handling Overflow
Affected:
Winamp version 5.13 and prior
Description: Last week another buffer overflow vulnerability was reported in Winamp. This overflow is triggered by a playlist file (m3u format) that contains a specially crafted playlist file (m3u or pls format). Note that several buffer overflows have been reported in Winamp during this month. Exploit code has not been posted for this flaw yet.
References:
Posting by IRM Security
http://www.securityfocus.com/archive/1/425984
****************************************************************
Adobe Macromedia Shockwave Player ActiveX Buffer Overflow
Affected:
Shockwave player 10.1.0.11 and prior
Description: According to Macromedia, the Shockwave player has been installed on more than 390 million systems. The Shockwave installer ActiveX control contains a stack-based buffer overflow that can be triggered by passing overlong parameters. A malicious webpage can exploit this flaw to execute arbitrary code on a user's system. The technical details required to craft an exploit have not been posted.
References:
Macromedia Advisory
http://www.macromedia.com/devnet/security/security_zone/apsb06-02.html
Product Homepage
http://www.macromedia.com/software/shockwaveplayer/
****************************************************************
4-05-05 Postcard Trojans
Updated April 3rd 2005 09:19 UTC
Postcard Trojans We're receiving more reports of email messages coming in posing as "postcard pickup" notifications that wind up delivering a trojan payload. One example we were forwarded is an email message claiming "You have just received a virtual postcard from a family member!" which apparently sends you to a "pickup" site that gives you an mIRC-based trojan. While it's sad that we have to say this, the amount of cruft that's being delivered via email continues to encourage us to take a "default deny" posture; without knowing the true source of an email, one has to be cautious on accepting just about everything these days.
2-08-05 - 13 New Microsoft Windows Vulnerabilities - 8 Critical
Listing of Security Releases
http://isc.sans.org/diary.php?date=2005-02-08
Ho Ho Ho - 12-25-04 - 4 New Windows Vulnerabilities
(1) Microsoft Windows HTML Help ActiveX Control Vulnerability
Affected: Internet Explorer version 6.0 Windows XP SP2
Description: This vulnerability in the HTML Help ActiveX Control can be used to completely compromise a Windows client. An attacker can exploit the flaw by constructing a malicious webpage or an HTML email. Browsing the webpage or opening the email is sufficient for the client compromise i.e. no further user interaction is required. The problem occurs because it is possible to inject JavaScript code in the HTML Help ActiveX control's parameters. By forcing the control to open a local file, it is then possible to execute the JavaScript code in the context of the "Local Computer" zone. Technical details and a proof-of-concept exploit have been publicly posted. The PoC exploit, when run on Windows XP SP2, creates "Microsoft Office.hta" file in the "Documents and Settings\All Users\Start Menu\Programs\Startup" directory.
Status: Microsoft not confirmed, no patches available. A workaround is to disable "Active Scripting" in Internet Explorer.
References: Posting by Paul http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm PoC Exploit (Warning: Clicking the following link will launch the PoC Exploit) http://freehost07.websamba.com/greyhats/sp2rc.htm SecurityFocus BID Not yet available.
***********************************************************************
(2) Microsoft Windows USER32 Library LoadImage Buffer Overflow
Affected: Windows NT/2000/XP SP0 and SP1/2003
Description: USER32 library contains Windows API functions for user interface handling. The "LoadImage" function is responsible for handling files such as icons, cursors, animated cursors and bitmaps. The "LoadImage" function reportedly contains a heap-based buffer overflow that can be triggered by a specially crafted icon, cursor or a bitmap file. The problem occurs because the declared image size is not checked prior to opening the image. The flaw may be able to be exploited to execute arbitrary code on the client. To exploit the flaw, an attacker can take any of the following actions: (a) Create a webpage containing a malicious .ico, .bmp, .ani or .cur file, and entice an attacker to visit his webpage. (b) Send an HTML email containing the malicious .ico, .bmp, .ani or .cur file. (c) Create a shared folder containing the malicious .ico, .bmp, .ani or .cur file, and entice a user to browse his shared folder. The technical details and exploit code have been publicly posted. Status: Microsoft not confirmed, no patches available. XP SP2 is reportedly not vulnerable.
References: Posting by flashsky fangxing http://www.securityfocus.com/archive/1/385342/2004-12-21/2004-12-27/0 Exploit Code http://www.xfocus.net/flashsky/icoExp/index.html LoadImage Function Reference http://msdn.microsoft.com/library/en-us/winui/winui/windowsuserinterface/resources/introductiontoresources/resourcereference/resourcefunctions/loadimage.asp SecurityFocus BID Not yet available.
***********************************************************************
(3) Microsoft Windows Winhlp32.exe Buffer Overflows
Affected: Windows NT/2000/XP/2003
Description: Winhlp32.exe application is responsible for handling Windows Help (".hlp") files. This application reportedly contains a heap-based buffer overflow and integer overflow vulnerability. A specially crafted ".hlp" file may exploit these flaws to execute arbitrary code on the client system with the privileges of the logged-on user. Note that Windows prompts a user before downloading and opening a ".hlp" file. Hence, to exploit the flaw via a hyperlink or frame pointing to the malicious .hlp file will require user interaction. However, it may also be possible to invoke Winhlp32.exe via the HTML Help ActiveX Control, and exploit the flaw without any user interaction (not confirmed). The technical details and proof-of-concept exploits have been publicly posted.
Status: Microsoft not confirmed, no patches available. Users should not open .hlp files downloaded from untrusted sources.
References: Posting by flashsky fangxing http://www.securityfocus.com/archive/1/385332/2004-12-21/2004-12-27/0 PoC Exploits http://www.xfocus.net/flashsky/icoExp/search.hlp http://www.xfocus.net/flashsky/icoExp/search1.hlp SecurityFocus BID Not yet available.
*************************************************************************
(4) Internet Explorer DHTML Edit ActiveX Control Spoofing
Affected: Internet Explorer version 6.0 and possibly prior
Description: This Internet Explorer (IE) vulnerability allows an attacker to trick a victim into visiting a malicious site. The attack occurs when a victim clicks a link supplied by the attacker in an email or on a webpage, which according to IE's address bar points to a trusted site. However, the attacker can manipulate all the contents of the trusted site's webpage. Hence, any information entered by the user on such a page can be stolen by the attacker (phishing attacks). The problem occurs due to a flaw in IE's DHTML Edit ActiveX control. The control's "execScript" function does not sufficiently validate a window's domain prior to executing a script. The attacker can leverage the flaw in the execScript function to re-write the contents of a trusted site's webpage. Note that the attacker can also spoof the content for secure sites by exploiting this vulnerability as IE shows a "Lock" icon on the bottom right-hand corner on a spoofed webpage.
Status: Microsoft not confirmed, no updates available. An option is to disable ActiveX controls. However, that may downgrade the users' web browsing experience. The users should be advised to type the web addresses of sensitive sites such as banks etc. and not to open links to secure sites embedded in another page or an email.
Council Site Actions: All council sites are awaiting confirmation from the vendor and a patch. They plan to patch during the regular system update process. One site commented that they consider IE vulnerabilities a level 4 on a scale from 1 to 5 for servers and a level 5 on a workstation. Thus, this is not a priority to patch for them. Another site is still investigating replacing IE with Firefox as a long term strategy move.
References: Posting by Paul http://freehost07.websamba.com/greyhats/abusiveparent-discussion.htm PoC Code http://freehost07.websamba.com/greyhats/abusiveparent.htm http://secunia.com/internet_explorer_cross-site_scripting_vulnerability_test/ DHTML ActiveX Control http://msdn.microsoft.com/archive/en-us/dnaredcom/html/edcomdownload.asp http://msdn.microsoft.com/archive/en-us/dnaredcom/html/edcomfaq.asp Secunia Advisory http://secunia.com/advisories/13482/ SecurityFocus BIDs Not available yet. *********************************************************************** To subscribe to @RISK: The Consensus Security Vulnerability Alert, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.
11-08-04
UPDATE: Internet Explorer FRAME Processing OverflowDescription: It has been confirmed that the Internet Explorer buffer overflow in processing a malformed "FRAME/IFRAME" element discussed in the last week's @RISK newsletter can be exploited to execute arbitrary code. The exploit code has been publicly posted. Note that a Windows user faces the risk of getting compromised by merely visiting a malicious webpage.
Council Site Actions: All of the reporting council sites are waiting on official release of the patch. Several of the sites have notified their appropriate support groups so they can be prepared once a patch is released.
References: Exploit Code http://www.securiteam.com/exploits/6B0020KBPM.html CERT Advisory http://www.kb.cert.org/vuls/id/842160 Previous @RISK Newsletter Posting http://www.sans.org/newsletters/risk/vol3_43.php (Item #2)
11-03-04
RealOne Player/RealPlayer Skin File Remote Buffer OverflowRealNetworks RealPlayer and RealOne Player are media players. Both are vulnerable to a remote stack-based buffer overflow due to a failure to handle a skin filename of 32768 bytes. The following versions are known to be vulnerable: RealPlayer versions 10.5 prior to build 6.0.12.1056, RealPlayer version 10, RealOne Player versions 2 and 1. Ref: http://www.eeye.com/html/research/advisories/AD20041027.html
Apple QuickTime Integer Overflow
Affected: QuickTime version 6.5.1 and earlier on Windows platforms Description: Apple's QuickTime media player for Windows contains an integer overflow vulnerability. The overflow can be exploited by a malicious webpage or an HTML email to execute arbitrary code on a client machine. The discoverers of the flaw have not released any technical details yet but have rated the flaw as a "High Risk". Judging by the similar rating for other advisories from the discoverers, the flaw is likely to be easy to exploit. Status: Apple has confirmed the flaw and released a security update on October 27, 2004. Council Site Actions: Most of the reporting council sites are responding to this vulnerability. Several sites already have updates in progress and others will deploy during the next regularly scheduled system update process. References: Apple Advisory http://docs.info.apple.com/article.html?artnum=61798 NGSSoftware Advisory http://www.nextgenss.com/advisories/qt1.txt SecurityFocus BID http://www.securityfocus.com/bid/11553
10-10-04
Microsoft Word Buffer Overflow Affected: Microsoft Word 2002 and possibly all earlier versions Description: Microsoft Word reportedly contains an overflow that can be triggered by a specially crafted Word document header. The flaw may be exploited to overwrite large amount of memory; hence, it may be possible to exploit the flaw to execute arbitrary code (not confirmed). A webpage serving a malicious Word document, or an email with a malicious Word attachment, may leverage the flaw to compromise a client. The technical details regarding the flaw have been publicly posted. Note that Internet Explorer automatically opens a Word document, which makes it easy to exploit the vulnerability via HTTP.10-10-04
Apple QuickTime BMP Decoding Vulnerability Affected: Mac OS X version 10.3.5, 10.2.8 Description: Apple's QuickTime, a popular digital media player for Windows and Mac platforms, contains a heap-based buffer overflow. The problem lies in the QuickTime's BMP image processing, and may be exploited to execute arbitrary code on a client system. A webpage serving a malicious QuickTime media file may leverage this flaw to compromise a client. Note that users who have QuickTime as their default media player may be compromised via any of the media file formats. No technical details have been posted. The overflow may be similar to other BMP decoding overflows discovered earlier in the Qt package. Status: Apple released a cumulative security update on Sept 30, 2004 that fixes this and other vulnerabilities.10-04-04
Windows XP SP2 Firewall Configuration Error Affected: Windows XP SP2 Description: Under certain conditions, the firewall configuration of a Windows XP system after the XP SP2 upgrade, contains a flaw. The flaw may be exploited by any remote attacker to access the shared folders and printers on the system. An attacker can also leverage the flaw to launch a brute force password guessing attack for the "Administrator" account, which may result in a complete compromise of the system. The flaw affects a number of broadband users who rely on the Windows firewall feature to keep the hackers at bay. Status: Microsoft has not confirmed the flaw. Please refer to the posted advisories for the steps to correct the firewall configuration. A workaround for the enterprises is to block ports 139 and 445 at the network perimeter. References: PC.Welt Advisory http://www.pcwelt.de/know-how/extras/103039/ SecurityTracker Advisory http://www.securitytracker.com/alerts/2004/Sep/1011374.html10-04-04
(2) UPDATE: Microsoft JPEG Image Processing Overflow (MS04-028) Description: Multiple exploits and a toolkit (posted on the th-research mailing list) that create specially crafted JPEG files are now available. Viewing such JPEG files using Internet Explorer, Outlook, Word etc., results in the execution of arbitrary code. Some security analysts predict the outbreak of an email virus exploiting the JPEG vulnerability by the end of this month. Council Site Actions: All of the council sites have either patched the systems, are in the process of patching the systems (or testing the patches) or plan to patch in the near future. In addition, one site is working with their network staff to enable appropriate IPS-like filters at the network perimeter. Another site reported they were hit with this attack and have taken steps to block it (details not provided). References: Various Exploits http://www.securiteam.com/exploits/5EP0M0KE0W.html (Opens a command shell) http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0819.html (Adds an administrator) http://www.securityfocus.com/archive/1/376320/2004-09-23/2004-09-29/0 (Binds a remote command shell or opens a reverse command shell) SANS GDI Detection Tool http://isc.sans.org/gdiscan.php Previous @RISK Newsletter Posting http://www.sans.org/newsletters/risk/vol3_37.php (Item #1)9-11-04
(4) MODERATE: WinZip Buffer Overflow Vulnerabilities Affected: WinZip version 9.0 and prior Description: WinZip, the most popular archiving software on Windows platform, has been downloaded over a 100 million times. The software contains buffer overflow vulnerabilities that may be triggered by a specially crafted zip file. The flaws may be exploited by an email or a webpage that entices a user to open a malicious zip file. No technical details regarding the flaws have been posted. Note that many viruses like Beagle have globally spread via emails with a malicious zip attachment. Status: WinZip has released version 9.0-SR1 to fix the flaws. An additional benefit this version offers is - if a user double clicks an executable file in a zip archive, the user is prompted before the file is executed. This feature can help to limit the spread of viruses.Courtesy:
**********************************************************************
@RISK: The Consensus Security Vulnerability Alert
To subscribe, at no cost, go to https://portal.sans.org where you may
also request subscriptions to any of SANS other free newsletters.
**********************************************************************
8-22-04
See new hole in XP SP1&2 - Here and hereInternet Explorer Drag and Drop Vulnerability - Affected: Internet Explorer version 5.01, 5.5, 6.0
08/17/04
Unprotected PCs can expect infection in minutesBy William Jackson
GCN Staff
The average survival time for an unprotected networked computer dropped from 40 minutes to 20 minutes over the last year, according to the SANS Institute of Bethesda, Md.
That means that an unprotected PC can expect to become infected by a worm within 20 minutes of being connected to an unprotected network.
“The actual time it will take for a specific computer to be compromised will vary widely depending on any filters applied by the Internet Service Provider and the configuration of the operating system,” the institute said.
But the trend reflects the narrowing window of opportunity for users to adequately protect networked computers from known vulnerabilities.
Survival time is figured from daily reports submitted to SANS’ Internet Storm Center by volunteers in 70 countries. ISC receives more than 1 billion reports of probes each month from organizations that manage more than 500,000 Internet addresses. The 20-minute figure represents the overall average time between probes on a targeted PC.
Actual probe activity varies over time and according to the level of protection a network provides its users. For instance, users with ISPs that block ports commonly used by worms will have longer survival times.
Monthly averages reported by ISC over the past year ranged from a high of 65 minutes in December 2003 to a low of 15 minutes in April and May. Over the last month, average survival time bottomed out at less than 14 minutes on July 19 and 26, and peaked at about 22 minutes Aug. 1.
To help users protect themselves from online attacks, SANS has published a free survival guide for users of Windows XP. It is available at the SANS Reading Room; click here.
The guide, “Windows XP: Surviving the first day,” leads users through safe procedures for configuring hardware and software on a new PC and connecting with a network.
**********************************************************************************
OUCH: The Report On Identity Theft and Attacks On Computer Users
August 2, 2004
Every day, thousands of people are fooled by emails from criminals
trying to steal their identities or infect and take over their
computers. This update is our attempt to help you avoid being one of
the victims.
Part 1. Subject Lines You May See In Emails That Are Trying To Hurt You
I. Emails from people trying to infect your system and steal your
friends' email addresses for spam
I.1 Pictures of Osama Bin Laden hanging or Arnold Schwarzenegger's
suicide note
I.2. Email from your system administrator or other familiar sender
that says your email could not be delivered, or some similar
statement.
I.3. Email with subject "Against!" or "Revenge"
I.4. Email with subject Re_ and body with animals or foto or other
subjects
II. Emails from people trying to steal your identity (and your money)
II.1. Update Your Billing Information (from eBay)
II.2. Your account at eBay has been suspended
II.3. Your account at Wells Fargo has been suspended
II.4. Notification of US Bank Internet Banking
II.5. Attn: Citibank Update
III. Emails from people trying to fool you into hurting yourself or
your friends and coworkers
III.1 Subject: "jdbg" Virus: how to detect and remove.
Part 2. More Details About Each Attack
Part I: Emails from people trying to infect your system and steal your
friends' names for spam
I.1. Name: Hackarmy
The bait: An email or news article claiming to offer you copies of
pictures of Osama Bin Laden being hanged. A second form comes
claiming to have a suicide note from Arnold Shwarzenegger.
How it infects your system: You click on a link that downloads a zip
file. You execute the file thinking you will see the pictures.
What it does to you: Gives attackers remote control of your computer so
they can use it in attacks on other people, or harvest email names for
spam.
Where to find detailed information:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hacarmy.d.html
I.2. Name: Mydoom-O
The bait: An email from your mail or system administrator or other
familiar sender with any one of the following subjects: (1) say helo to
my litl friend, (2) click me baby, (3) one more time, (4) hello, (5)
error, (6) status, (7) test, (8) report, delivery failed, (9) Message
could not be delivered, (10) Mail System Error - Returned Mail, (11)
Delivery reports about your e-mail, (12) Returned mail: see transcript
for details, (13) Returned mail: Data format error. Each has an
attachment.
How it infects your system: you download and open the attachment.
What it does to you: steals all email addresses from you to be sold to
spammers, spreads to other sites from your machine. It also uses your
system to send requests to search engines like Google to look for more
email addresses.
Where to find more detailed information:
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html
I.3. Name: Atak-C
The bait: An email that arrives with the subject "Attack!" or "Revenge"
and a zipped attachment
How it infects your system: you download and open the attachment.
What it does to you: steals all email addresses from you to be sold to
spammers.
Where to find more detailed information:
http://www.sophos.com/virusinfo/analyses/w32atakc.html
I.4. Name: Beagle
The bait: An email that arrives subject Re_ and with an attachment.
How it infects your system: you download and open the attachment.
What it does to you: disables antivirus and other important software,
mass mails itself to others, steals email addresses from throughout your
files, gives attacker remote control of your computer to use to attack
other systems.
Where to find more detailed information:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39641
II. Emails from people trying to steal your identity (and your money)
II.1 Update Your Billing Information (from eBay)
The bait: An email coming from eBay saying the company has "detected a
slight error in your billing information" and saying that you must fix
it within 48 hours to continue to buy or sell on eBay.
What it tries to make you do: click on a link and tell them your eBay
and paypal username and password, and your credit/debit card information
Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/07-27-04%20Ebay%20(Update%20Your%20Billing%20Informations).html
II.2 Your account at eBay has been suspended
The bait: An email coming from eBay saying your account has been
suspended and "We had to block your eBay account"
What it tries to make you do: click on a link and tell them your eBay
and paypal username and password, and your credit/debit card information
Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/07-26-04_Ebay_(your_account_at_ebay_has_been_suspended).html
II.3 Your account at Wells Fargo has been suspended
The bait: An email coming from eBay saying your account has been
suspended and "Your account has been compromised by outside parties."
What it tries to make you do: click on a link and tell them your
username, password, and credit card information
Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/06-29-04_Wells_Fargo_(Your_account_at_Wells_Fargo_has_been_suspended).html
II.4. Notification of US Bank Internet Banking
The bait: An email coming from US Bank saying, "as a preventative
measure, we have temporarily limited access to some features"
What it tries to make you do: click on a link and tell them username,
password, credit card data or debit card data.
Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/07-23-04_US_Bank_(Notification_of_US_Bank_Internet_Banking).html
II.5. Attn: Citibank Update
The bait: "Click here" link in an email that seems to come from
Citibank.
What it tries to make you do: click on a link and tell them personal
information and credit card or debit card data.
Where you can see how it actually appears:
http://www.fraudwatchinternational.com/fraud_alerts/040721_1046_citibank.htm
http://www.antiphishing.org/phishing_archive/07-21-04_Citibank_(Attn_Citibank_Update).html
II.6 Confirm AOL Billing Info
The bait: An email coming from AOL saying your billing information is
out of date and asking you to "spend several minutes and update your
billing records"
What it tries to make you do: click on a link and tell them personal
information and credit card or debit card data.
Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/07-20-04_AOL_(Confirm_AOL_billing_info).html
III. Emails from people trying to fool you into hurting yourself or
your friends and coworkers
III. 1. jdbg Hoax
The bait: An email telling you about a virus and how to remove it.
Example: "Subject: "jdbg" Virus: how to detect and remove." May also
talk about finding a teddy bear on the machine - because the file has a
bear as a symbol.
What it is trying to make you do: remove a file that is not harmful
Where to find more information:
http://www.symantec.com/avcenter/venc/data/jdbgmgr.exe.file.hoax.html
****************************************************************************************
6-30-2004
==== 1. In Focus: Combined Attack Methods ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net
The June 16 Security UPDATE includes a link to the news story "New IE
Flaws Might Allow Code Injection," which describes a relatively new
attack method being used by both intruders and purveyors of suspicious
or malicious software to infest systems that use Microsoft Internet
Explorer (IE). Jelmer Kuperus said that the attack uses Javascript,
iframes, PHP, and timing techniques to gain access to the trusted
intranet zone on a user's system. According to Kuperus, the exploit
also "uses several known vulnerabilities and two previously unknown
vulnerabilities." One of the vulnerabilities, for which no patch
exists, involves ActiveX Data Objects (ADO).
http://www.winnetmag.com/article/articleid/42959/42959.html
Through this attack method that uses multiple vulnerabilities, many
people's systems (possibly even the systems of some of you readers)
have become infected with various sorts of software, most of which is
annoying, if not outright dangerous. For example, nefarious entities
have installed adware that generates an endless stream of pop-up
windows on users' systems. That's the lighter side of the problem
though.
As you can learn by reading the news story "Vulnerable IIS Sites and
IE Users Under Attack" below, yet another factor was added to the mix
last week, this time involving Microsoft IIS. Using the IIS
vulnerability described in Microsoft Security Bulletin MS04-011
(Security Update for Microsoft Windows) on systems that haven't yet
been updated with a patch that's been available since mid-April,
intruders can inject Javascript into a server's Web pages. The
Javascript then uses a technique similar to the one I described above
to get IE to download Trojan horse software onto an unsuspecting
user's systems. The Trojan horse program then gathers ("phishes")
log-on and financial information.
So now instead of intruders having to establish their own Web sites to
host malicious Javascript code, they're penetrating unpatched IIS
systems around the Internet that host legitimate Web sites. As Bugtraq
mailing list moderator David Amhad points out in a June 25 posting,
these combined vulnerabilities have "no dependence on version or
memory layout or any other such messy factors, firewalls are totally
irrelevant and VPNs become basically a free ride in, [and] the browser
doesn't end up crashing (i.e., the victim remains blissfully unaware
that they've been owned)." These combined vulnerabilities have the
potential to become devastating.
http://www.securityfocus.com/archive/1/367120/2004-06-25/2004-07-01/0
Some preventive steps are obvious, and some aren't so obvious,
depending on the user or administrator. Obviously, loading the IIS
patch MS04-011 on your servers will stop intruders from manipulating
the servers' Web pages into hosting malicious code. Turning off
scripting in the IE security zones will also protect users to a
certain extent. But in countless scenarios, turning scripting off just
isn't possible. And sometimes scripting is essential to a Web site's
usability. Many of you probably already know how to improve security
in IE, but in case you don't, Microsoft has some recommendations that
you can read at the following URL:
http://www.microsoft.com/security/incident/settings.mspx
One workaround if you can't turn off scripting is to disable ADO
databases (ADODB) in IE. Drew Copley of eEye Digital Security wrote a
simple registry script that does this very thing and one that undoes
the changes. He also wrote an executable program that disables and
re-enables ADODB. You can download the scripts and executable program
at the eEye Web site.
http://www.eeye.com/html/research/alerts/al20040610.html
Another way of protecting IE systems against ADODB attacks is to use
PivX Solutions' Qwik-Fix, which protects IE against a variety of
intrusion methods. Recently, the company made available a version of
Qwik-Fix for enterprise environments. I don't know of any other tool
that provides the same sort of functionality.
http://www.pivx.com
====================
--Internet Explorer Vulnerabilities
(11/10/9 June 2004)
The security flaws could allow an attacker run code on vulnerable
systems. Due to the critical nature of the vulnerabilities, users are
encouraged to disable Active Scripting support on all but trusted web
sites. A Microsoft spokesperson said the company is considering what
steps to take, including the possibility of releasing a patch outside
of their regular monthly update. Someone has apparently exploited the
flaws to install adware on vulnerable computers.
http://www.computerworld.com.au/index.php?id=117316298&eid=-255
http://www.computerworld.com/printthis/2004/0,4814,93802,00.html
http://asia.cnet.com/newstech/security/printfriendly.htm?AT=39182874-39001150t-39000005c
http://www.kb.cert.org/vuls/id/713878
6/25/2004
IIS Sites and IE Users Under Attack
A new form of attack is spreading around the Internet, but to what
extent remains unknown at the time of this writing. The attack affects
unpatched Microsoft IIS systems, which, when compromised, then attack
unprotected Microsoft Internet Explorer (IE) systems.
Malicious users use an overflow condition in IIS to compromise an
unpatched system. The vulnerability is related to the Private
Communications Transport (PCT) in Microsoft's SSL library. Malicious
Javascript code is inserted into a Web page, and when unprotected IE
users visit the compromised Web page, IE might run the Javascript code
on the user's system. The code then injects the system with the
attacker's code of choice.
If possible, administrators should install Microsoft patch MS04-011
to protect IIS. According to iDEFENSE, IE users are being compromised
with a combination of two vulnerabilities: One of these
vulnerabilities is related to a problem in MIME Encapsulated Aggregate
HTML (MHTML), and the other is related to ADO databases (ADODB).
Microsoft has made the MS04-013 patch available for the MHTML problem,
but no patch is yet available for the ADODB vulnerability. IE users
should consider disabling active scripting in IE to protect their
systems against these attacks.
http://secadministrator.com/articles/index.cfm?articleid=43088
Compromised Web Sites Infect Web Surfers
(for more details, also see yesterday's diary: http://isc.sans.org/diary.php?date=2004-06-24 )
Updates will be posted here.
UPDATE 17:26 UTC Jan 25 2004
LURHQ published a detailed analysis of the "Berbew" trojan downloaded by this
exploit. According to this analysis, the trojan will capture passwords as use
log into given e-commerce, bank or auction web sites.