--------------------------------------------------------------------------
Symantec Security Response
ISSN 1444-999
August 2003 Newsletter
--------------------------------------------------------------------------

- Blasted Again

The first couple of weeks of August have been busy, really busy; some of our customer support call statistics defy belief. It seems half of Asia Pacific was infected with W32.Blaster.Worm and the threats that followed rapidly afterwards. We are carrying the DCOM RPC piece again this month as it is still very relevant.

W32.Blaster has been the subject of much analysis, and three of Symantec's Win32 experts (there are many more :) have spent some time on it. Peter Ferrie, Frederic Perriot and Peter Szor from Symantec Security Response, USA have a joint paper titled 'Blast Off!' that will be published in Virus Bulletin soon and is well worth a read.

Links
Virus Bulletin - http://www.virusbtn.com

--------------------------------------------------------------------------
Use Symantec Security Alerts on Your Web Site
http://securityresponse.symantec.com/avcenter/cgi-bin/syndicate.cgi
--------------------------------------------------------------------------

Top Malicious Code Threats

Risk  Threat              Discovered    Protection
4     W32.Sobig.F@mm      18 Aug 2003   19 Aug 2003
4     W32.Welchia.Worm    18 Aug 2003   18 Aug 2003
4     W32.Blaster.Worm    11 Aug 2003   11 Aug 2003
4     W32.Bugbear.B@mm    4 June 2003   5 June 2003
3     W32.Mimail.A@mm     1 Aug 2003    1 Aug 2003

--------------------------------------------------------------------------

Latest Malicious Code Threats

Risk  Threat              Discovered    Protection
1     W32.HLLW.Lemur      21 Aug 2003   22 Aug 2003
2     W32.HLLW.Cult.H@mm  21 Aug 2003   22 Aug 2003
3     Backdoor.Lorac      21 Aug 2003   22 Aug 2003
2     W32.HLLW.Gaobot.AA  21 Aug 2003   21 Aug 2003
2     W32.Dumaru.B@mm     20 Aug 2003   22 Aug 2003

--------------------------------------------------------------------------

Common Vulnerabilities

Microsoft IE MIME Header Attachment Execution Vulnerability
Bugtraq ID     2524
CVE Reference  CVE-2001-0154
Exploited by   W32.Klez, W32.Sobig, W32.Bugbear, W32.Yaha, W32.Nimda, W32.Lirva

MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
Bugtraq ID     2708
CVE Reference  CVE-2001-0333
Exploited by   W32.Nimda

Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
Bugtraq ID     1806
CVE Reference  CVE-2000-0884
Exploited by   W32.Nimda

Microsoft Windows 9x / Me Share Level Password Bypass Vulnerability
Bugtraq ID     1780
CVE Reference  CVE-2000-0979
Exploited by   W32.Opaserv

Microsoft SQL Server Resolution Service buffer overflows allow arbitrary code execution
Bugtraq ID     5311
CVE Reference  CAN-2002-0649
Exploited by   W32.SQLExp.Worm

--------------------------------------------------------------------------

Monthly Security Round-up from Symantec DeepSight Threat Management System
http://tms.symantec.com/

During the week of July 27 – August 2, 2003, much anticipation surrounded the release of exploits and malicious code targeting the recently disclosed Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID 8205). Security professionals and media reports continued to speculate on the feasibility of a successful worm. Active exploitation of this vulnerability was reported, and malicious code has been written that allows trojan programs to use this vulnerability as an infection vector. Currently, no software has been seen that employs functioning code allowing autonomous, worm-like propagation, but it is believed that such code may be deployed in the near future.

Another vulnerability has been reported in the popular Washington University FTP daemon; wu-ftpd carries a history of significant security vulnerabilities. Other significant vulnerabilities disclosed this week included a local buffer overflow present in Solaris.

The DeepSight Threat Analyst Team has released a Threat Analysis of a malicious tool known as NiBu.
In addition to typical backdoor functionality, NiBu also attempts to steal sensitive financial information. Exploitation activity, and the discovery of an auto-rooter (an automated exploitation tool) that targets the Microsoft DCOM RPC Interface overflow, prompted the revision of an existing Threat Alert and the release of a separate Threat Alert.

The week of August 3-9, 2003, continued to see widespread exploitation of the Windows DCOM RPC Interface Buffer Overrun Vulnerability. A functional worm proliferated on August 11, 2003, and numerous automated tools have been made available to the public that exploit this vulnerability quickly and efficiently. Various groups of attackers are known to be constructing large bot networks, many of which could be capable of conducting extremely powerful Distributed Denial of Service (DDoS) attacks. Network security specialists have speculated as to the potential impact of this vulnerability, and it is generally agreed that a functional worm can be created relatively easily.

A vulnerability has been disclosed in the HTTP server in Cisco IOS, which is particularly interesting because it demonstrates that shellcode can be executed on router devices. This area of security has gone relatively unexplored, and as more information becomes available, administrators may be faced with having to implement protection against attack vectors that have previously been overlooked.

Two Threat Analyses have been released this week, both relating to the Windows DCOM RPC Interface Buffer Overrun Vulnerability: an analysis of Cirebot, a bot used to compromise machines via this vulnerability, and a document outlining general exploitation patterns of the vulnerability.

The week of August 10-16, 2003, was dominated by discussion and attention directed at a new worm, W32.Blaster, and the Windows DCOM RPC Interface Buffer Overflow that it used in order to spread.
As had been forecast for weeks, this worm began propagating and achieved significant success due to the large number of vulnerable hosts. In response to this issue, the Threat Analyst Team released a Threat Alert. Another Threat Alert was issued in response to a sudden rise in traffic targeting TCP/3410. The rise in traffic has not yet been accounted for, but it is likely that it is related to a backdoor trojan that listens on this port. W32.Blaster, and a backdoor sent through the mail attempting to capitalize on the press achieved by this worm, both figure prominently in the malicious code listings this week.

--------------------------------------------------------------------------
NEW! Symantec DeepSight™ Analyzer support for Norton Personal Firewall and Norton Internet Security

Symantec DeepSight Analyzer now allows you to track and report on events that are being observed by your personal security products. Your security events are automatically submitted to Symantec by a software program called DeepSight Extractor. This information is used to identify patterns in attacks that help serve as a threat-gauging system for the Internet community. The entire process is automated and can be completely anonymous, protecting your identity at all times.

By joining the Symantec DeepSight Analyzer program, you receive a number of benefits. Symantec DeepSight Analyzer gives you the following functionality, at absolutely no charge to you:

1. Automated Daily Summary Reports - a report summarizing all activity that your system has seen over the previous 24-hour period.
2. Secure Online Event Viewing - view a history, for the previous 30 days, of all events that your systems have submitted.
3. Secure Online Report Generation - generate reports summarizing your event activity over a period of time.
For more information on Symantec DeepSight Analyzer for Norton Personal Firewall and Norton Internet Security, and a FREE download:
http://analyzer.securityfocus.com/downloadnis.asp

--------------------------------------------------------------------------
Viruses, Worms & Trojans
--------------------------------------------------------------------------

W32.Lofni.Worm

Aliases          : W32.Lohack.B.Worm, W32/Noala@MM [McAfee]
Risk             : Low [2]
Date             : 14th July 2003
Systems Affected : Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
CVE Reference    : CVE-2001-0154

Overview
W32.Lofni.Worm is a worm that attempts to spread itself through file-sharing networks. It also attempts to mass mail itself to all the contacts in the Windows Address Book. The email will have a variable subject and attachment name; the attachment will have a .exe or .scr file extension. The worm uses an internal SMTP client engine. In addition, W32.Lofni.Worm is a network-aware worm. It is a Visual Basic application that is compiled to native code and is packed with UPX v1.23.

Definitions dated prior to July 25, 2003 detect this as W32.Lohack.B.Worm.

Credits
Write-up by: Sergei Shevchenko, Security Response APAC.

References
Symantec Security Response
http://www.sarc.com/avcenter/venc/data/w32.lofni.worm.html

--------------------------------------------------------------------------

W32.Blaster.Worm

Aliases          : W32/Lovsan.worm.a [McAfee], Win32.Poza.A [CA], Lovsan [F-Secure], WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda], Worm.Win32.Lovesan [KAV]
Risk             : High [4]
Date             : 11th August 2003
Systems Affected : Windows 2000, Windows XP
CVE Reference    : CAN-2003-0352

Overview
W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm targets only Windows 2000 and Windows XP machines.
While Windows NT and Windows Server 2003 machines are vulnerable to the aforementioned exploit (if not properly patched), the worm is not coded to replicate to those systems.

This worm attempts to download the msblast.exe file (over TFTP) to the %WinDir%\system32 directory and then execute it. W32.Blaster.Worm does not have a mass-mailing functionality.

Additional information and an alternate site from which to download the Microsoft patch are available in the Microsoft article "What You Should Know About the Blaster Worm and Its Variants."

We recommend that you block access to TCP port 4444 (the port on which the worm opens a remote shell on a compromised host) at the firewall level, and then block the following ports if you do not use the corresponding applications:

TCP Port 135, "DCOM RPC"
UDP Port 69,  "TFTP"

The worm also attempts to perform a Denial of Service (DoS) on the Microsoft Windows Update Web server (windowsupdate.com). This is an attempt to prevent you from applying the patch for the DCOM RPC vulnerability to your computer.

Credits
Write-up by: Douglas Knowles, Security Response, USA

References
Symantec Security Response
http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.html

--------------------------------------------------------------------------

W32.Welchia.Worm

Aliases          :
Risk             : High [4]
Date             : 18th August 2003
Systems Affected : Microsoft IIS, Windows 2000, Windows XP
CVE Reference    : CAN-2003-0352, CAN-2003-0109

Overview
W32.Welchia.Worm is a worm that exploits multiple vulnerabilities, including:

- The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
- The WebDAV vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit. IIS 5.0 will most likely be found on Windows 2000 systems.
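The port guidance in the W32.Blaster.Worm write-up above (TCP 135 for the exploit, TCP 4444 for the remote shell, UDP 69 for the TFTP fetch of msblast.exe) and the ICMP echo scanning that the W32.Welchia.Worm write-up describes both translate directly into detection logic a firewall administrator can run over connection logs. The following Python script is an added example written for this newsletter; it is not Symantec code and not part of either worm write-up. It assumes a constructed, simplified one-line-per-event log format (timestamp, protocol, source, destination, action) and embeds a few constructed sample lines; the 120-second chain window, the 60-second sweep window and the five-host threshold are assumptions chosen for the example, not values taken from the write-ups.

```python
"""Correlate firewall events into Blaster infection chains and Welchia ICMP
echo sweeps. Added example for this newsletter, not Symantec code; the log
format is a constructed, simplified one (an assumption), not a real product's."""
import re
from collections import defaultdict, namedtuple

# Ports named in the W32.Blaster.Worm write-up: DCOM RPC exploit over TCP/135,
# remote shell on TCP/4444, msblast.exe fetched back over TFTP (UDP/69).
BLASTER_EXPLOIT_PORT = ("tcp", 135)
BLASTER_SHELL_PORT = ("tcp", 4444)
BLASTER_TFTP_PORT = ("udp", 69)

# Assumed log format (constructed for this example):
#   <epoch> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <allow|deny>
# For icmp the "port" fields carry <type>:<code>; 8:0 is an echo request.
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<proto>tcp|udp|icmp) (?P<src>[\d.]+):(?P<sport>[\d:]+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>[\d:]+) (?P<action>allow|deny)$"
)
Event = namedtuple("Event", "ts proto src sport dst dport action")

# Constructed sample: a completed Blaster chain (10.0.0.5 -> 10.0.0.20), a chain
# broken by a TCP/4444 block (10.0.0.9 -> 10.0.0.21), an ICMP sweep from
# 10.0.0.30 and one harmless ping from 10.0.0.50.
SAMPLE_LOG = """
1060600001 tcp 10.0.0.5:1500 -> 10.0.0.20:135 allow
1060600003 tcp 10.0.0.5:1501 -> 10.0.0.20:4444 allow
1060600004 udp 10.0.0.20:1025 -> 10.0.0.5:69 allow
1060600010 tcp 10.0.0.9:2000 -> 10.0.0.21:135 allow
1060600012 tcp 10.0.0.9:2001 -> 10.0.0.21:4444 deny
1060600100 icmp 10.0.0.30:8:0 -> 10.0.0.40:0:0 allow
1060600100 icmp 10.0.0.30:8:0 -> 10.0.0.41:0:0 allow
1060600101 icmp 10.0.0.30:8:0 -> 10.0.0.42:0:0 allow
1060600101 icmp 10.0.0.30:8:0 -> 10.0.0.43:0:0 allow
1060600102 icmp 10.0.0.30:8:0 -> 10.0.0.44:0:0 allow
1060600200 icmp 10.0.0.50:8:0 -> 10.0.0.40:0:0 allow
"""


def parse_log(text):
    """Parse log text into Event records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            events.append(Event(int(d["ts"]), d["proto"], d["src"], d["sport"],
                                d["dst"], d["dport"], d["action"]))
    return events


def find_blaster_chains(events, window=120):
    """Return sorted (attacker, victim) pairs where attacker->victim TCP/135 was
    followed by attacker->victim TCP/4444 and then victim->attacker UDP/69
    within `window` seconds. Denied events never count: a blocked stage means
    the chain did not complete."""
    stages = defaultdict(lambda: ([], [], []))
    for e in events:
        if e.proto == "icmp" or e.action != "allow":
            continue
        key = (e.proto, int(e.dport))
        if key == BLASTER_EXPLOIT_PORT:
            stages[(e.src, e.dst)][0].append(e.ts)
        elif key == BLASTER_SHELL_PORT:
            stages[(e.src, e.dst)][1].append(e.ts)
        elif key == BLASTER_TFTP_PORT:
            # The victim pulls msblast.exe from the attacker's TFTP server, so
            # this flow runs opposite to the exploit and shell connections.
            stages[(e.dst, e.src)][2].append(e.ts)
    return sorted(pair for pair, (t1, t2, t3) in stages.items()
                  if any(a <= b <= c <= a + window
                         for a in t1 for b in t2 for c in t3))


def find_icmp_sweeps(events, window=60, min_hosts=5):
    """Return {source: distinct_targets} for sources that sent ICMP echo requests
    (type 8) to at least `min_hosts` distinct hosts within any `window`-second
    span: the scanning pattern the Welchia write-up describes."""
    probes = defaultdict(list)
    for e in events:
        if e.proto == "icmp" and e.sport.split(":")[0] == "8":
            probes[e.src].append((e.ts, e.dst))
    sweeps = {}
    for src, plist in probes.items():
        plist.sort()
        best, j = 0, 0
        for i in range(len(plist)):
            # Advance the right edge of the window; it never moves backwards
            # because plist is sorted by timestamp.
            while j < len(plist) and plist[j][0] - plist[i][0] <= window:
                j += 1
            best = max(best, len({dst for _, dst in plist[i:j]}))
        if best >= min_hosts:
            sweeps[src] = best
    return sweeps


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("Blaster chains:", find_blaster_chains(events))
    print("ICMP sweeps:", find_icmp_sweeps(events))
```

Denied events are deliberately excluded from the Blaster chain: a firewall that blocks TCP 4444 as the write-up recommends breaks the sequence even when the TCP 135 exploit itself reaches the host, which is why the 10.0.0.9 attempt in the sample is not reported as a completed infection (it is still worth alerting on separately). The ICMP detector counts only echo requests and distinct destinations, so a host that pings one peer repeatedly is not flagged, while a Welchia-style sweep across many addresses is.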
W32.Welchia.Worm does the following:

- Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.
- Checks for active machines to infect by sending an ICMP echo request (PING), which results in increased ICMP traffic.
- Attempts to remove W32.Blaster.Worm.

Credits
Write-up by: Benjamin Nahorney, Douglas Knowles and Frederic Perriot

References
Symantec Security Response
http://www.sarc.com/avcenter/venc/data/w32.welchia.worm.html

--------------------------------------------------------------------------
Security News
--------------------------------------------------------------------------

Slammer worm crashed Ohio nuke plant network
By Kevin Poulsen, Aug 19 2003
A computerized safety monitoring system at the Davis-Besse nuclear plant was crippled after the worm entered through the business network of the plant's operator, FirstEnergy Corp. ...
>> http://www.securityfocus.com/news/6767

The Bright Side of Blaster
By Kevin Poulsen, Aug 14 2003
Experts predict the worm will leave a more secure Internet in its wake ...
>> http://www.securityfocus.com/news/6728

-------------------------------------------------------------------------
Security Advisories
-------------------------------------------------------------------------

Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability

Risk                : High
Date                : 16th July 2003
Components Affected : Many, listed here: http://securityresponse.symantec.com/avcenter/security/Content/8205.html

Overview
A buffer overrun vulnerability has been reported in Microsoft Windows that can be exploited remotely via a DCOM RPC interface that listens on TCP/UDP port 135. The issue is due to insufficient bounds checking of client DCOM object activation requests. Exploitation of this issue could result in execution of malicious instructions with Local System privileges on an affected system.

This issue may also be exposed on the other ports that the RPC Endpoint Mapper listens on, such as TCP ports 139, 445 and 593. This has not been confirmed.
Under some configurations the Endpoint Mapper may receive traffic via port 80.

Credits
Discovery of this vulnerability has been credited to The Last Stage of Delirium Research Group.

References
Source: Microsoft Security Bulletin MS03-026
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
Symantec Security Response
http://www.sarc.com/avcenter/security/Content/8205.html

--------------------------------------------------------------------------

Multiple Oracle XDB FTP / HTTP Services Buffer Overflow Vulnerabilities

Risk                : High
Date                : 31st July 2003
Components Affected : Oracle Oracle9i Enterprise Edition 9.2.0.1
                      Oracle Oracle9i Personal Edition 9.2.0.1
                      Oracle Oracle9i Standard Edition 9.2.0.1

Overview
David Litchfield has demonstrated multiple vulnerabilities in the Oracle 9i XML Database (XDB) during a seminar on "Variations in exploit methods between Linux and Windows" presented at the Black Hat conference. Ultimately, exploitation of these issues may allow remote execution of arbitrary code in the security context of the vulnerable service.

Credits
Discovery of these vulnerabilities has been credited to David Litchfield (david@ngssoftware.com).
References
Source: Oracle Homepage
URL: http://www.oracle.com/index.html
Source: Variations in Exploit Methods between Linux and Windows
URL: http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf

--------------------------------------------------------------------------
Useful Links
--------------------------------------------------------------------------

Use Symantec Security Alerts on Your Web Site
http://securityresponse.symantec.com/avcenter/cgi-bin/syndicate.cgi

To unsubscribe from this newsletter please go to:
http://securityresponse.symantec.com/avcenter/newsletter.html

Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

Virus Removal Tools
Fix tools for threats such as W32.HLLW.Lovgate, W32.SQLExp.Worm, W32.Sobig.A@mm and W32.Bugbear@mm
http://www.sarc.com/avcenter/tools.list.html

Virus Hoaxes
------------
There are many email virus hoaxes; please check here before forwarding email virus warnings.
http://securityresponse.symantec.com/avcenter/hoax.html

Joke Programs
-------------
Joke programs are not malicious and can be safely deleted.
http://securityresponse.symantec.com/avcenter/jokes.html

--------------------------------------------------------------------------
Security Events Calendar

SecureWorld Expo
Date: Sept 24-25, 2003
Seattle, WA, USA
http://www.secureworldexpo.com/seattle03.php

IDC Internet Security Conference
Date: Sept 25-26, 2003
Copenhagen, Denmark
http://nordic.idc.com/Events/Security/Denmark/default.htm

VB2003 - VB Conference 2003
Date: Sept 25-26, 2003
Toronto, Canada
http://www.virusbtn.com/conference/vb2003/index.xml

AVAR 2003 - Malicious Code Conference 2003
Date: November 6-7, 2003
Sydney, Australia
http://www.aavar.org/

For more events go to our online Events Calendar:
http://enterprisesecurity.symantec.com/content/globalevents.cfm

--------------------------------------------------------------------------
Symantec Glossary for definitions of viruses, Trojans, worms and more.
http://www.symantec.com/avcenter/refa.html
--------------------------------------------------------------------------
Contacts
--------------------------------------------------------------------------

Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails please)
Send virus samples to: avsubmit@symantec.com
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html

--------------------------------------------------------------------------
Subscribe and Unsubscribe
--------------------------------------------------------------------------

To be added to or removed from the subscription mailing list, please fill out the form available on the Symantec website at:
http://www.symantec.com/help/subscribe.html

The Symantec Security Response Newsletter is published periodically by Symantec Corporation. No reprint without permission in writing, in advance.

--------------------------------------------------------------------------

This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit. Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation.
All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.

--------------------------------------------------------------------------