--------------------------------------------------------------------------
Symantec Security Response
April 2003 Newsletter
--------------------------------------------------------------------------

This month we have a very interesting article, 'Convenient, Useful and Insecure – Wireless Enablement', by Jason Conyard, Symantec's Director, Wireless Product Management. Jason has spent many years researching wireless security issues and their solutions and has an in-depth understanding of the issues in this area.

Symantec Security Response is making its Security Alerts available to other web sites. To include these alerts on your web site, go to the following page to configure a script that you can copy and paste directly into your own HTML page:
http://securityresponse.symantec.com/avcenter/cgi-bin/syndicate.cgi

On May 1, 2003, revised standards for use of the EICAR test file will go into effect. The test file is not malicious and does not replicate; it is often used to test anti-virus installations. The first 68 characters will be the string to scan for in the file. It may be appended by any combination of white space characters, with the total file length not exceeding 128 characters. The only white space characters allowed are the space character, tab, LF, CR and CTRL-Z. The EICAR web site will be updated with the new standard on May 1st.
http://www.eicar.org/

I expect it will be a while before all anti-virus products enable detection for the new standard; there is no cause for alarm if a particular product does not detect the new test file(s).

The May edition of the newsletter will contain a link to a web-based questionnaire about this publication. There are only 10-12 questions and I would encourage you to spend 5 minutes to participate so that we can ensure future editions of the Symantec Security Response Newsletter continue to be relevant and of interest to you.

Best Regards
David Banes.
Editor, Symantec Security Response Newsletter.
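The revised layout rules above (68-character signature, optional trailer of space/TAB/LF/CR/CTRL-Z only, 128 bytes maximum) as a small checker you can run against files before handing them to a scanner. This is an added example, not Symantec's or EICAR's code; the 68-byte signature it uses is a constructed placeholder, not the real EICAR string, which is published at eicar.org.

```python
# Checker for the revised EICAR test-file layout described above:
# a fixed 68-byte signature, optionally followed by white space drawn
# from {space, TAB, LF, CR, CTRL-Z}, with a total length of at most 128 bytes.
# Added example; not Symantec or EICAR code.

SIGNATURE_LEN = 68
MAX_FILE_LEN = 128
ALLOWED_TRAILER = frozenset(b" \t\n\r\x1a")  # space, TAB, LF, CR, CTRL-Z

# Constructed 68-byte placeholder standing in for the real signature
# (the real string is published at http://www.eicar.org/ and is NOT used here).
PLACEHOLDER_SIGNATURE = b"PLACEHOLDER-EICAR-LAYOUT-TEST-SIGNATURE-" + b"X" * 28
assert len(PLACEHOLDER_SIGNATURE) == SIGNATURE_LEN


def check_test_file_layout(data: bytes, signature: bytes = PLACEHOLDER_SIGNATURE) -> tuple:
    """Return (ok, reason): does `data` follow the May 2003 layout rules?"""
    if len(signature) != SIGNATURE_LEN:
        return False, "signature must be exactly 68 bytes"
    if len(data) > MAX_FILE_LEN:
        return False, f"file is {len(data)} bytes, limit is {MAX_FILE_LEN}"
    if not data.startswith(signature):
        return False, "first 68 bytes do not match the signature"
    # Everything after the signature must be one of the five permitted bytes.
    bad = [b for b in data[SIGNATURE_LEN:] if b not in ALLOWED_TRAILER]
    if bad:
        return False, f"disallowed trailing byte 0x{bad[0]:02x}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs covering the accept and reject cases.
    samples = {
        "bare signature": PLACEHOLDER_SIGNATURE,
        "signature + CRLF + CTRL-Z": PLACEHOLDER_SIGNATURE + b"\r\n\x1a",
        "signature + 60 spaces (128 bytes)": PLACEHOLDER_SIGNATURE + b" " * 60,
        "signature + 61 spaces (129 bytes)": PLACEHOLDER_SIGNATURE + b" " * 61,
        "non-whitespace trailer": PLACEHOLDER_SIGNATURE + b"\n#",
        "leading newline": b"\n" + PLACEHOLDER_SIGNATURE,
    }
    for name, blob in samples.items():
        print(f"{name:36} -> {check_test_file_layout(blob)}")
```

Substitute the real 68-character string from eicar.org for the placeholder to check files against the published standard.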
--------------------------------------------------------------------------
Useful Links
--------------------------------------------------------------------------

Microsoft Windows 2000 WebDAV / ntdll.dll Buffer Overflow Vulnerability
http://securityresponse.symantec.com/avcenter/security/Content/3.17.2003.html

Patch for all versions of Windows 2000 except the Japanese NEC version:
http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en

Patch for the Windows 2000 Japanese NEC version:
http://microsoft.com/downloads/details.aspx?FamilyId=FBCF9847-D3D6-4493-8DCF-9BA29263C49F&displaylang=ja

--------------------------------------------------------------------------
To unsubscribe from this newsletter, please go to:
http://securityresponse.symantec.com/avcenter/newsletter.html
--------------------------------------------------------------------------
Country Spotlight: Belgium
--------------------------------------------------------------------------
W32.Klez.H@mm
Trojan Horse
IRC Trojan
Swporta.Trojan
W32.Lirva.A@mm
W95.Hybris.worm
Backdoor.Dvldr
W32.Kwbot.C.Worm
W32.Bugbear@mm
Backdoor.Sdbot

--------------------------------------------------------------------------
Top Threats
--------------------------------------------------------------------------
These are the viruses, Trojans and worms most reported to the Symantec Security Response offices during the last month.

W32.Klez.H@mm
Trojan Horse
HTML.Redlof.A
Backdoor.Dvldr
IRC Trojan
JS.Exception.Exploit
W95.Hybris.worm
W95.Spaces.1445
W32.Funlove.4099

--------------------------------------------------------------------------
Viruses, Worms & Trojans
--------------------------------------------------------------------------

Trojan.Linux.JBellz
Aliases:
Risk: Low [1]
Date: January 14th 2003
Platforms Affected: Windows 3.x, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me, Microsoft IIS, Macintosh, OS/2, UNIX.

Overview
The Trojan.Linux.JBellz Trojan horse arrives as a malformed .mp3 file. When the .mp3 file is played with a specific version of the mpg123 player under Linux, the code of the Trojan horse is executed, deleting all the files in the home directory of the current user.
References
http://securityresponse.symantec.com/avcenter/venc/data/trojan.linux.jbellz.html

--------------------------------------------------------------------------

W32.Hawawi.Worm
Aliases:
Risk: Low [2]
Date: March 19th 2003
Platforms Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Overview
W32.Hawawi.Worm is a worm that spreads through email using its own SMTP server, ICQ, Yahoo Messenger, PalTalk, and KaZaA. The email message has one of many different Subject lines, such as:

  '''*< Love Speaks it all >*'''
  Co0o0o0o0oL
  Fw: Heeeeeeeeeeeeeeeey
  Wussaaaaaaaap?
  WoW But not for NoW

The messages have an attachment with a .pif extension, usually Hawawi.pif. W32.Hawawi.Worm has a payload of overwriting all files that have the following extensions with zero-byte files: mpeg, rm, wav, sql, mde, php, cpp, swf, ram, mp3, frm, dpr, rar, mpg, jpg, pdf, pps, ppt, txt, htm, html, zip, doc, mdb, xls.

References
http://securityresponse.symantec.com/avcenter/venc/data/w32.hawawi.worm.html

Credit by: Douglas Knowles

--------------------------------------------------------------------------
Security Advisories
--------------------------------------------------------------------------

Oracle E-Business Suite RRA/FNDFS Arbitrary File Disclosure Vulnerability
Risk: High
Date: 11th April 2003

Components Affected
Oracle Applications 10.7, 11.0
Oracle E-Business Suite 10.7, 11.0, 11.1 to 11.8

Description
The Oracle E-Business Suite RRA/FNDFS server has been reported prone to an arbitrary file disclosure vulnerability. Under normal circumstances the Oracle FNDFS server is used by Oracle utilities to retrieve and extract report data from the Concurrent Manager server. It has been reported that FNDFS may be used by an attacker to reveal the contents of arbitrary files located on the vulnerable system that are readable by the 'oracle' or 'applmgr' user accounts.
Sensitive information obtained in this manner may be used in further attacks launched against the vulnerable system.

References
Source: Integrigy OracleDB Listener Security
URL: http://www.integrigy.com/info/Integrigy_OracleDB_Listener_Security.pdf
Source: Oracle E-Business Suite FNDFS Vulnerability
URL: http://www.integrigy.com/alerts/FNDFS_Vulnerability.htm
Source: Oracle Homepage
URL: http://www.oracle.com/index.html
Source: Oracle Security Alert #53
URL: http://otn.oracle.com/deploy/security/pdf/2003alert53.pdf
http://www.sarc.com/avcenter/security/Content/7325.html

Credits
Discovery of this vulnerability has been credited to Stephen Kost of Integrigy Corporation.

--------------------------------------------------------------------------

Snort TCP Packet Reassembly Integer Overflow Vulnerability
Risk: High
Date: 15th April 2003

Platforms Affected
Conectiva Linux 8.0
Gentoo Linux 1.4 _rc2
Gentoo Linux 1.4 _rc3

Components Affected
SmoothWall SmoothWall 2.0 beta 4
Snort Project Snort 1.8 - 1.8.7
Snort Project Snort 1.9 - 1.9.1

Description
A vulnerability has been discovered in Snort. The problem occurs during the reassembly of TCP packets by the stream4 preprocessor. By sending specially crafted fragmented packets across a network monitored by Snort, it may be possible to trigger an integer overflow. As a result, a buffer overflow may occur, effectively allowing a remote attacker to corrupt heap memory. Successful exploitation of this issue could allow a remote attacker to execute arbitrary code on a target system. This issue affects Snort releases prior to Snort 2.0 RC1.

Recommendations
Run all server processes as non-privileged users with minimal access rights.
Configure Snort to run with the least privileges necessary whenever possible. This may limit the consequences of an attacker executing arbitrary code on a target system.

Implement multiple redundant layers of security.
The exploitability of this issue to execute arbitrary code may be hindered through the use of various memory protection schemes. Where permissible, implement the use of non-executable and randomly mapped memory pages.

Implement multiple redundant layers of security.
Where possible, implement multiple layers of network security. This may limit the consequences of a network sensor or firewall being made unavailable.

While NetBSD does not include Snort by default, Snort is available through pkgsrc. NetBSD users who have installed Snort packages should use pkgsrc/security/audit-packages to apply upgrades.

This issue is addressed in Snort 2.0. Users are advised to upgrade.

References
Source: CERT CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors
URL: http://online.securityfocus.com/advisories/5302
Source: CORE CORE-2003-0307 Snort TCP Stream Reassembly Integer Overflow Vulnerability
URL: http://online.securityfocus.com/advisories/5294
Source: Bug 2.0b4-mallard 005
URL: http://smoothwall.org/beta/bugs/mallard-006.html
Source: Snort Homepage
URL: http://www.snort.org/

Credits
Discovery of this issue is credited to Bruce Leidl, Juan Pablo Martinez Kuhn and Alejandro David Weil from Core Security Technologies.

--------------------------------------------------------------------------
Security News
--------------------------------------------------------------------------

Convenient, Useful and Insecure – Wireless Enablement
by Jason R. Conyard, Director, Wireless Product Management.

Last month's announcement from Intel regarding their investment in 802.11 is just the latest press release in what has become one of the hottest technologies to be seen, and more importantly adopted, for some time. Handhelds (PDAs) have become common both at home and increasingly in the office. With devices of just about every conceivable size, shape, function and price available, it appears these once high-end gadgets are here to stay.
As people become more comfortable with creating, storing and sharing information on handhelds, their value and dependability increase in importance. Being able to maintain the integrity of the device, its data and the access it potentially has to other systems becomes critical.

It is estimated that in 2002 alone more than 25 million wireless LAN (802.11) chipsets were sold (1), despite significant publicity about inherent weaknesses in the standard's security. Even when basic methods are available to secure wireless LANs, they are rarely employed, often leaving the wireless network available to anyone and everyone.

Bluetooth, the Personal Area Networking (PAN) radio technology allowing desktop wires to be replaced with wireless connections, is finally seeing adoption. In fact, Bluetooth chip sales of an estimated 35 million outpaced those of 802.11 for 2002 (2), which likely indicates a significant increase in embedded connectivity in consumer electronics in mid-2003.

The convergence of mobile computing with wireless communication is providing opportunities that have for the longest time been the sole domain of science fiction. They also present significant security challenges to both individuals and organisations.

There has been much debate about security threats to ‘wireless’ and there are, as noted above, certainly reasons to pause before jumping in with both feet and committing financially. It is, however, extremely important to remember that the largest area of concern continues to come from the traditional wired infrastructure. Whether for a home PC or a global IT enterprise, servers, gateways and desktops need to be maintained and updated to run the latest patches and security solutions. Firewall and antivirus software should run the latest definitions to ensure maximum protection.
This is not to suggest that wireless LANs cannot be deployed or that handhelds should not be used, but before they are, a total view must be given to how these technologies will be used, what systems they will interact with, what risks exist and how they will be secured.

(1) Source: Gartner.
(2) Source: IN-Stat/MDR.

--------------------------------------------------------------------------
Top Reported Viruses, Trojans and Worms
--------------------------------------------------------------------------
Following is a list of the top reported viruses to Symantec's regional offices.

- Asia Pacific
HTML.Redlof.A
W32.Klez.H@mm
JS.Exception.Exploit
W32.HLLW.Lovgate.G@mm
Trojan Horse
Backdoor.Dvldr
W95.Hybris.worm
IRC Trojan
W32.Funlove.4099

- Europe, Middle East & Africa
W32.Klez.H@mm
Trojan Horse
HTML.Redlof.A
JS.Exception.Exploit
Backdoor.Dvldr
IRC Trojan
W95.Spaces.1445
W95.Hybris.worm
W32.Nimda.E@mm

- Japan
W32.Klez.H@mm
Backdoor.Dvldr
HTML.Redlof.A
W32.Weird
Trojan Horse
IRC Trojan
W32.HLLW.Deloder
W95.Hybris.worm
W32.Klez.E@mm
W32.Nimda.E@mm

- The Americas
W32.Klez.H@mm
Trojan Horse
IRC Trojan
Backdoor.Dvldr
W95.Hybris.worm
JS.Exception.Exploit
W32.HLLP.Handy
W95.Spaces.1445
W32.Pinfi

--------------------------------------------------------------------------
A list of Virus Hoaxes reported to Symantec:
http://www.symantec.com/avcenter/hoax.html
--------------------------------------------------------------------------
No new Joke Programs were reported to Symantec this month.
http://www.symantec.com/avcenter/jokes.html
--------------------------------------------------------------------------
Symantec Security Response now has Removal Tools for the following threats available on the web site at:
http://www.symantec.com/avcenter/tools.list.html
--------------------------------------------------------------------------
Symantec Glossary for definitions of viruses, Trojans, worms and more:
http://www.symantec.com/avcenter/refa.html
--------------------------------------------------------------------------
Contacts
--------------------------------------------------------------------------
Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails please).
Send virus samples to: avsubmit@symantec.com
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html
--------------------------------------------------------------------------
Subscribe and Unsubscribe
--------------------------------------------------------------------------
To be added to or removed from the subscription mailing list, please fill out the form available on the Symantec website at:
http://www.symantec.com/help/subscribe.html

The Symantec Security Response Newsletter is published periodically by Symantec Corporation. No reprint without permission in writing, in advance.
--------------------------------------------------------------------------
This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s).

(c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.

ISSN 1444-9994
--------------------------------------------------------------------------