--------------------------------------------------------------------------
Symantec Security Response
August 2002 Newsletter
--------------------------------------------------------------------------

We have another collection of low-profile worms this month. Peer-to-peer (P2P) worms appear to be on the increase, but nothing is a high risk at the moment. W32.Kitro.A.Worm targets MSN Messenger, and there are a few worms targeting the KaZaA network, such as W32.Shermnar.Worm and W32.HLLW.Kazmor. W32.HLLW.Yoohoo targets KaZaA, BearShare, Morpheus, and eDonkey2000. We suggest extreme caution when using P2P networks: always make sure you have anti-virus software installed (and up to date) and some sort of personal firewall to block any backdoor activity that may result from infection by a Trojan or worm.

We have a great article this month, "Securing the Enterprise: A New Integrated Approach". It is a must-read and explains why you need an integrated security solution if you are running your company's enterprise security systems.

Courtesy of one of our latest acquisitions (Riptech), we now have two Internet Security Threat Reports. They can be accessed from this link:
http://enterprisesecurity.symantec.com/content.cfm?articleid=1539&PID=12807550&EID=0

David Banes.
Editor, securitynews@symantec.com

--------------------------------------------------------------------------
Symantec News
--------------------------------------------------------------------------

There have been a few announcements about new acquisitions over the last month or so. These are significant enhancements to Symantec's existing products and services.

SecurityFocus. With this acquisition, Symantec will offer customers the most comprehensive, proactive early warning system across the broadest range of threats.
http://www.symantec.com/press/2002/n020819.html

Recourse.
This acquisition will bring to Symantec true gigabit-speed network intrusion detection with next-generation hybrid technology and the industry's leading "honeypot" solution.
http://www.symantec.com/press/2002/n020819.html

Riptech. The combination of Symantec and Riptech will create the leading provider of managed security services worldwide, monitoring and managing the largest number of security devices across the broadest array of solutions.
http://www.symantec.com/press/2002/n020819.html

Mountain Wave. The Mountain Wave acquisition brings to Symantec the patent-pending CyberWolf technology, designed to automate the detection of security incidents by the intelligent analysis of security events and alerts in real time.
http://www.symantec.com/press/2002/n020702.html

--------------------------------------------------------------------------
Country Spotlight - Singapore
--------------------------------------------------------------------------

These are the most reported viruses, Trojans and worms to the Symantec Security Response offices during the last month.

W32.Klez.H@mm
JS.Exception.Exploit
Backdoor.DSNX
W95.Hybris.worm
W32.Kwbot.Worm
W32.Klez.E@mm
W32.Frethem.L@mm
Backdoor.Trojan
W32.Nimda.enc
Trojan Horse
--------------------------------------------------------------------------
Top Threats
--------------------------------------------------------------------------

W32.Klez.H@mm - http://www.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
JS.Exception.Exploit - http://www.symantec.com/avcenter/venc/data/js.exception.exploit.html
W32.Frethem.L@mm - http://securityresponse.symantec.com/avcenter/venc/data/w32.frethem.l@mm.html
W32.Datom.Worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.datom.worm.html
Trojan.Horse - http://www.symantec.com/avcenter/venc/data/trojan.horse.html
W32.Yaha.F@mm - http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.f@mm.html
W95.Hybris - http://www.symantec.com/avcenter/venc/data/w95.hybris.gen.html
W32.Klez.E@mm - http://www.symantec.com/avcenter/venc/data/w32.klez.e@mm.html
W32.Kitro.D.Worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.kitro.d.worm.html
W32.Kitro.C.Worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.kitro.c.worm.html

--------------------------------------------------------------------------
Viruses, Worms & Trojans
--------------------------------------------------------------------------

W32.Datom.Worm
Medium Threat [3]    Platform: Win32

Global infection breakdown by geographic region (% of total):
  America (North & South)              34.0%
  EMEA (Europe, Middle East, Africa)   61.6%
  Japan                                 0.3%
  Asia Pacific                          4.2%

Reports by date (% of reports):
  6 Jul    0.1%
  8 Jul    4.3%
  9 Jul    6.8%
  10 Jul   6.6%
  14 Jul   2.0%
  18 Jul   4.6%
  27 Jul   1.1%
  1 Aug    3.5%
  4 Aug    0.6%
  6 Aug    3.4%

W32.Datom.Worm is a worm that spreads through open shares. This worm does not contain a damaging payload.

W32.Datom.Worm exists as three files:
  Msvxd.exe
  Msvxd16.dll
  Msvxd32.dll

These files are located in the %Windir% folder.

NOTE: %Windir% is a variable. The worm locates the Windows main installation folder (by default this is C:\Windows or C:\Winnt) and copies itself to that location.

The tasks in each file have likely been separated in an attempt to avoid heuristic detection:
  Msvxd.exe simply runs Msvxd16.dll.
  Msvxd16.dll adds a reference to Msvxd.exe to the registry and then runs Msvxd32.dll.
  Msvxd32.dll enumerates network shares, copies all three files into the %Windir% folder on those shares, and adds a reference to Msvxd.exe in the Run= line in Win.ini.

http://securityresponse.symantec.com/avcenter/venc/data/w32.datom.worm.html

Peter Ferrie
Symantec Security Response, APAC.

--------------------------------------------------------------------------

W32.Chir.B@mm
Low Threat [2]    Platform: Win32

W32.Chir.B@mm is a network-aware, mass-mailing worm, as well as being a file-infector virus. It is a variant of W32.Chir@mm. It uses its own SMTP engine to send itself to all email addresses that it finds in the Windows Address Book (.wab), and in .adc, r.db, .doc, and .xls files.

The email message has the following characteristics:
  From: @yahoo.com or imissyou@btamail.net.cn
  Subject: is coming!
  Attachments: PP.exe

W32.Chir.B@mm also searches all local and network drives, and infects files that have .htm, .html, .exe, and .scr extensions. On the first day of each month, W32.Chir.B@mm attempts to overwrite the first 4660 bytes of the files that have .adc, r.db, .doc, and .xls extensions in all folders and subfolders.

http://securityresponse.symantec.com/avcenter/venc/data/w32.chir.b@mm.html

Yana Liu and Peter Szor
Symantec Security Response, USA

--------------------------------------------------------------------------

W32.Manymize@mm
Low Threat [2]    Platform: Win32

W32.Manymize@mm is a mass-mailing worm that sends itself and three other files to all email addresses in the Microsoft Windows Address Book.

The email message has the following characteristics:

Subject: The subject of the email will be one of the following:
  Hi Dear
  Hello My friend, How are you !!
Attachments: The attachments are:
  Mi2.htm
  Mi2.chm
  Mi2.wmv
  Mi2.exe

http://securityresponse.symantec.com/avcenter/venc/data/w32.manymize@mm.html

Douglas Knowles
Symantec Security Response, USA

--------------------------------------------------------------------------
Security Advisories
--------------------------------------------------------------------------

PHP multipart/form-data POST parsing
High Threat [4]    Platform: Multiple    Error allows arbitrary code

A vulnerability exists in the PHP parsing code that handles file uploads (multipart/form-data). By sending a specially crafted POST request to the Web server that corrupts the internal data structures used by PHP, a remote attacker can run arbitrary code with the privileges of the Web server and, potentially, gain privileged access.

PHP is a popular HTML-embedded scripting language used to create dynamically generated Web pages. PHP versions starting with 4.2.0 contain updated multipart/form-data handler code to intelligently parse HTTP POST request headers and differentiate variables and files sent by the user agent in a multipart/form-data request. The parser, however, fails to provide sufficient input checking in the way the MIME headers are processed. Anyone who can send HTTP POST requests to an affected Web server can exploit the vulnerability to compromise the Web server and, under certain conditions, gain privileged access.

PHP running on x86 platforms is currently verified to be safe from the execution of arbitrary code. However, the vulnerability can still be exploited against x86 platforms to crash PHP and, in most cases, the Web server.
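The advisory above comes down to a multipart/form-data parser that acted on each part's MIME headers without sufficient checking. The Python parser below is an added example, not PHP's code and not Symantec's; it shows the bounds and shape checks a defensive implementation applies before a header value is interpreted: a capped number of parts and headers, a capped header line length, a well-formed Content-Disposition with a bounded field name, and a filename that cannot escape the upload directory. The limits, the sample request body and the rule that disposition parameters must be double-quoted are assumptions chosen for illustration.

```python
"""Defensive multipart/form-data parser.

Added example, not PHP's or Symantec's code. Every limit below is an
assumed value chosen for illustration; a real server would tune them.
"""
import re

MAX_PARTS = 64              # assumption
MAX_HEADER_LINE = 1024      # assumption
MAX_HEADERS_PER_PART = 8    # assumption
MAX_FIELD_NAME = 256        # assumption
MAX_FILENAME = 256          # assumption

_DISPOSITION_RE = re.compile(r'^form-data(?:;\s*(.*))?$', re.IGNORECASE)
# Assumption: parameters must be double-quoted; an unquoted name is ignored
# and the part then fails the "missing field name" check below.
_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


class MultipartError(ValueError):
    """Raised for any part that fails validation; the whole request is rejected."""


def parse_headers(raw):
    """Parse one part's header block into a dict, enforcing size and count limits."""
    headers = {}
    for line in raw.split(b"\r\n"):
        if len(headers) >= MAX_HEADERS_PER_PART:
            raise MultipartError("too many headers in part")
        if len(line) > MAX_HEADER_LINE:
            raise MultipartError("header line too long")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise MultipartError("malformed header line")
        try:
            key = name.strip().decode("ascii").lower()
            val = value.strip().decode("ascii")
        except UnicodeDecodeError:
            raise MultipartError("non-ASCII bytes in header") from None
        headers[key] = val
    return headers


def parse_disposition(value):
    """Validate a Content-Disposition value; return (field name, filename or None)."""
    m = _DISPOSITION_RE.match(value)
    if not m:
        raise MultipartError("Content-Disposition is not form-data")
    params = dict(_PARAM_RE.findall(m.group(1) or ""))
    name = params.get("name")
    if not name or len(name) > MAX_FIELD_NAME:
        raise MultipartError("missing or oversized field name")
    filename = params.get("filename")
    if filename is not None and (
        len(filename) > MAX_FILENAME or "/" in filename or "\\" in filename or ".." in filename
    ):
        raise MultipartError("unsafe filename")
    return name, filename


def parse_multipart(body, boundary):
    """Split body on the boundary and return a list of (name, filename, data) tuples."""
    if not boundary or len(boundary) > 70:  # RFC 2046 caps boundaries at 70 characters
        raise MultipartError("bad boundary")
    chunks = body.split(b"--" + boundary)
    # chunks[0] is the preamble; the closing delimiter leaves a final chunk starting with "--"
    if len(chunks) < 2 or not chunks[-1].startswith(b"--"):
        raise MultipartError("missing closing delimiter")
    parts = []
    for chunk in chunks[1:-1]:
        if len(parts) >= MAX_PARTS:
            raise MultipartError("too many parts")
        if not chunk.startswith(b"\r\n"):
            raise MultipartError("delimiter not followed by CRLF")
        head, sep, data = chunk[2:].partition(b"\r\n\r\n")
        if not sep:
            raise MultipartError("part has no blank line after headers")
        headers = parse_headers(head)
        if "content-disposition" not in headers:
            raise MultipartError("part lacks Content-Disposition")
        name, filename = parse_disposition(headers["content-disposition"])
        if data.endswith(b"\r\n"):  # drop the CRLF that precedes the next delimiter
            data = data[:-2]
        parts.append((name, filename, data))
    return parts


# Constructed sample request body (not captured traffic)
SAMPLE_BODY = (
    b"--XYZ\r\n"
    b'Content-Disposition: form-data; name="field"\r\n\r\n'
    b"hello\r\n"
    b"--XYZ\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="a.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"data\r\n"
    b"--XYZ--\r\n"
)


def rejection_reason(body, boundary=b"XYZ"):
    """Return the validation error for a body, or None if it parses cleanly."""
    try:
        parse_multipart(body, boundary)
    except MultipartError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for part in parse_multipart(SAMPLE_BODY, b"XYZ"):
        print(part)
    oversized = SAMPLE_BODY.replace(b'name="field"', b'name="' + b"A" * 300 + b'"')
    print(rejection_reason(oversized))
```

The design point is that every limit is checked before the offending bytes are copied or interpreted, and any failure rejects the whole request rather than the single part, so a malformed part can never leave the parser in a half-built state.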
Components Affected
  Apache Software Foundation PHP 4.2.0, 4.2.1

References
  Source: CERT CA-2002-21
  URL: http://www.cert.org/advisories/CA-2002-21.html
  Source: CERT Vulnerability Note VU#929115
  URL: http://www.kb.cert.org/vuls/id/929115
  Source: Apache Software Foundation, PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
  URL: http://www.php.net/release_4_2_2.php

More details and Symantec's recommendations are here:
http://www.symantec.com/avcenter/security/Content/2208.html

--------------------------------------------------------------------------

Sun ONE (iPlanet) Web Server search
High Risk [4]    Platform: Multiple    Buffer overflow

A buffer overflow vulnerability in the Sun ONE (iPlanet) Web Server may allow a remote attacker to run arbitrary code.

Sun ONE Web Server is a software product for developers who build dynamic Web applications for e-commerce sites. The iPlanet Web Server, which is owned and maintained by Sun Microsystems, has been rolled into the Sun product line as the Sun ONE Web Server.

The search capability in iPlanet Web Server is vulnerable to a remotely exploitable stack overflow. By supplying an overly long value for the NS-rel-doc-name parameter, which results in a saved return address being overwritten on the stack, a remote attacker gains control over the vulnerable process. Any code supplied by the attacker will run in the security context of the account running the Web Server. On Windows NT/2000 this account is the local SYSTEM account which, by default, allows any code to run uninhibited.
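Since the trigger described above is an overly long NS-rel-doc-name value, the simplest defender-side check is to look through the Web server's access log for search requests whose value is far longer than any legitimate document name. The script below is an added example, not part of the advisory and not Sun's software: it parses Common Log Format lines and flags any request where the decoded NS-rel-doc-name value exceeds a threshold. The 512-character threshold, the /search path and the sample log lines are constructed assumptions; one caveat the code makes explicit is that only query-string requests are visible this way, because CLF logs do not record POST bodies.

```python
"""Access-log check for oversized NS-rel-doc-name values.

Added example, not Sun's or Symantec's code. Threshold and sample lines are
assumptions. Only GET query strings are visible in Common Log Format; a
request that carries the parameter in a POST body would not be logged here.
"""
import re
from urllib.parse import urlsplit, parse_qsl

MAX_PARAM_LEN = 512          # assumed threshold; real document names are far shorter
PARAM = "NS-rel-doc-name"

# Common Log Format: host ident user [time] "method target protocol" status size
_CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)$')

# Constructed sample lines (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jul/2002:10:12:01 +0000] "GET /search?NS-search-page=results'
    '&NS-rel-doc-name=/docs/index.html HTTP/1.0" 200 5120',
    '10.0.0.7 - - [09/Jul/2002:10:12:30 +0000] "GET /index.html HTTP/1.0" 200 1024',
    '10.0.0.9 - - [09/Jul/2002:10:13:44 +0000] "GET /search?NS-rel-doc-name='
    + "A" * 900 + ' HTTP/1.0" 500 0',
    # percent-encoded value: the check must measure the decoded length
    '10.0.0.12 - - [09/Jul/2002:10:14:02 +0000] "GET /search?NS-rel-doc-name='
    + "%41" * 600 + '&x=1 HTTP/1.0" 200 0',
    'garbage line that does not parse',
]


def parse_clf(line):
    """Return a dict for a well-formed CLF line, or None for anything else."""
    m = _CLF_RE.match(line)
    if not m:
        return None
    host, ts, method, target, status, _size = m.groups()
    return {"host": host, "time": ts, "method": method,
            "target": target, "status": int(status)}


def longest_param(target, name):
    """Length of the longest decoded value of `name` in the request target's query string."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes values, so encoded padding is measured correctly;
    # a repeated parameter is reported by its longest instance
    lengths = [len(v) for k, v in parse_qsl(query, keep_blank_values=True) if k == name]
    return max(lengths, default=0)


def scan(lines, threshold=MAX_PARAM_LEN):
    """Return (host, time, value length, status) for every request over the threshold."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        n = longest_param(rec["target"], PARAM)
        if n > threshold:
            hits.append((rec["host"], rec["time"], n, rec["status"]))
    return hits


if __name__ == "__main__":
    for host, ts, n, status in scan(SAMPLE_LOG):
        print(f"{ts} {host} {PARAM} length={n} status={status}")
```

A 500 status next to an oversized value is the pattern to expect when the process was merely crashed; a 200 with the same oversized value tells a defender nothing about outcome and still deserves a look, which is why the script reports both.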
Components Affected
  Sun Microsystems Sun ONE Web Server (iPlanet) 4.1
  Sun Microsystems Sun ONE Web Server (iPlanet) 6.0

References
  Source: SecurityFocus.com NISR09072002
  URL: http://online.securityfocus.com/archive/1/281199/2002-07-07/2002-07-13/2
  Source: SecurityFocus.com 4851
  URL: http://online.securityfocus.com/bid/4851

More details and Symantec's recommendations are here:
http://www.symantec.com/avcenter/security/Content/2126.html

--------------------------------------------------------------------------
Security News
--------------------------------------------------------------------------

Securing the Enterprise: A New Integrated Approach

As organizations become more dependent on networks for business transactions, data sharing, and everyday communications, their networks have to be increasingly accessible to customers, employees, suppliers, partners, contractors, and telecommuters. But as accessibility increases, so too does the exposure of critical data that is stored on the network. The challenge, of course, is to ensure that only the right people gain access. The complexity of today's networks and the emergence of new security threats make the challenge more difficult every day.

Evolving environments and new threats drive the need for integrated security

The ability to use enterprise networks for commerce and collaboration is a key business enabler, leading to the widespread emergence of "hyper-connected businesses." To meet the requirements of such businesses, the gateway, server, and client levels of the network have to be interconnected, which means that business-critical information must now reside at multiple levels of the internal network, each requiring its own protection. At the same time, threats to the network have become more sophisticated, with attack techniques that employ multiple methods to discover and exploit network vulnerabilities becoming more commonplace.
For instance, the viruses, worms, and Trojan horses that often hide within files or programming code are able to self-replicate and self-propagate, allowing them to be spread easily by unknowing computer users. And a new breed of threats like CodeRed and Nimda are taking the worst characteristics of viruses, worms, and Trojan horses, and combining them with server and Internet vulnerabilities in order to initiate, transmit, and spread an attack. Explicitly designed to exploit the vulnerabilities of security technologies working independently from one another, these so-called blended threats utilize multiple methods of attack and self-propagation, enabling them to spread rapidly and cause widespread damage.

What are the risks?

Given the multiple levels of network vulnerability and the ever-increasing number of attack techniques, the risks to corporate well-being are also growing. The impact of network attacks on businesses can range from easy-to-quantify consequences, such as interrupted business operations, to losses that are difficult to calculate, such as damaged brand equity. Network attacks can also impact businesses in other ways, including:

Interruption of Business Operations. Downtime due to an attack results in lost productivity and revenues, and the costs associated with restoring a hacked network can increase the overall financial impact.

Legal Liability and Potential Litigation. Organizations that have been hacked may find themselves in court as a defendant or key witness.

Reduced Ability to Compete. Information is often a company's most valuable asset. The loss or theft of data can pose serious consequences, even rendering a company's market position untenable.

Damage to Brand Equity. Damage to a brand can degrade a company's position in the marketplace. For example, companies that have had credit card information stolen may have a hard time restoring customer confidence in their brand.
The traditional approach to security is not efficient or sufficient

Current security solutions typically consist of multiple point products, each working independently. These products must be purchased, installed, deployed, managed, and updated separately. With this approach, IT managers are faced with labor-intensive configuration and implementation issues and need to address the problem of interoperability between products.

Because they are not integrated, multiple point products are difficult to manage, which increases IT administration and support costs. Protection is usually not comprehensive because the lack of cross-vendor interoperability often allows threats to slip through the cracks. What's more, when an outbreak occurs, the "fixes" that each vendor provides must be tested and verified across the various technologies. This can slow response to attacks, potentially augmenting the costs that are incurred. And, since they were not designed to work together, independent point products can also degrade network performance.

The implications of current security solutions include inefficiencies, inadequate protection against blended threats, and a higher cost of ownership. It all adds up to an under-performing security posture that is difficult to understand and provides little insight into enterprise security planning.

Integration: A logical solution

The concept of integrated security has emerged to address the new challenges facing e-businesses. Integrated security combines multiple security technologies with policy compliance, customer management, service and support, and advanced research for complete protection. By adopting a comprehensive, holistic strategy that addresses network security at the gateway, server, and client tiers, organizations may be able to reduce costs, improve manageability, enhance performance, tighten security, and reduce the risk of exposure.
An integrated security approach offers the most effective security posture at the optimal cost-benefit ratio. Integrated security uses the principles of defense in depth and employs complementary security functions at multiple levels within the IT infrastructure. By combining multiple functions, integrated security can more efficiently protect against a variety of threats at each tier to minimize the effects of network attacks. Key security technologies that can be integrated include:

Firewalls. Control all network traffic by screening the information entering and leaving a network to help ensure that no unauthorized access occurs.

Intrusion Detection. Detects unauthorized access and provides alerts and reports that can be analyzed for patterns and planning.

Content Filtering. Identifies and eliminates unwanted traffic.

Virtual Private Networks (VPN). Secures connections beyond the perimeter, enabling organizations to safely communicate across the Internet.

Vulnerability Management. Uncovers security gaps and suggests improvements.

Virus Protection. Protects against viruses, worms, and Trojan horses.

Why integrated security?

When integrated into a single solution, security technologies offer more comprehensive protection while helping to reduce complexity and cost. An integrated solution eliminates the need to manage multiple products from multiple vendors or address interoperability issues. And, since integrated security can be implemented at all network tiers, it offers greater protection of proprietary assets and reduces risks to business continuity. What's more, an integrated approach enables IT personnel to focus on other strategic initiatives while maximizing the productivity of often-overburdened IT departments.

Today, organizations can improve the efficiency of security functions, minimize the impact of attacks, and enhance their overall security posture with an integrated security framework. It's an approach whose time has come.
To learn more about all of Symantec's security solutions, visit the Enterprise Security Resource Center.
http://enterprisesecurity.symantec.com/Content/esrc.cfm?PID=12754467&EID=0

--------------------------------------------------------------------------
Top Reported Viruses, Trojans and Worms
--------------------------------------------------------------------------

Following is a list of the top reported viruses to Symantec's regional offices.

- Asia Pacific
  W32.Klez.H@mm
  JS.Exception.Exploit
  W32.Datom.Worm
  Trojan Horse
  HTML.Redlof.A
  W95.Hybris.worm
  W32.Frethem.L@mm
  Backdoor.Trojan
  W32.Yaha.F@mm
  W32.HLLW.Acebo

- Europe, Middle East & Africa
  W32.Klez.H@mm
  JS.Exception.Exploit
  W32.Frethem.L@mm
  W32.Datom.Worm
  W32.Yaha.F@mm
  W32.Kitro.D.Worm
  W32.Kitro.C.Worm
  W32.Klez.E@mm
  Trojan Horse
  W95.Hybris.worm

- Japan
  W32.Klez.H@mm
  W32.Frethem.L@mm
  W32.Klez.E@mm
  VBS.LoveLetter.A
  VBS.LoveLetter.Var
  VBS.Network.E
  W95.Hybris.worm
  W32.Badtrans.B@mm
  Trojan Horse
  JS.Exception.Exploit

- The Americas
  W32.Klez.H@mm
  JS.Exception.Exploit
  Trojan Horse
  W32.Datom.Worm
  W95.Hybris.worm
  W32.Frethem.L@mm
  VBS.LoveLetter.AS
  Backdoor.Trojan
  W32.Magistr.39921@mm
  JS.Seeker

--------------------------------------------------------------------------

A list of Virus Hoaxes reported to Symantec:
http://www.symantec.com/avcenter/hoax.html

--------------------------------------------------------------------------

No new Joke Programs were reported to Symantec this month.
http://www.symantec.com/avcenter/jokes.html

--------------------------------------------------------------------------

Symantec Security Response now has Removal Tools for the following threats available on the web site at:
http://www.symantec.com/avcenter/tools.list.html

--------------------------------------------------------------------------

Symantec Glossary for definitions of viruses, Trojans, worms and more:
http://www.symantec.com/avcenter/refa.html

--------------------------------------------------------------------------
Contacts
--------------------------------------------------------------------------

Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails, please).

Send virus samples to: avsubmit@symantec.com

Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html

--------------------------------------------------------------------------
Subscribe and Unsubscribe
--------------------------------------------------------------------------

To be added or removed from the subscription mailing list, please fill out the form available on the Symantec website at:
http://www.symantec.com/help/subscribe.html

The Symantec Security Response Newsletter is published periodically by Symantec Corporation. No reprint without permission in writing, in advance.

--------------------------------------------------------------------------

This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s).

(c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.

ISSN 1444-9994
--------------------------------------------------------------------------