--------------------------------------------------------------------------
Symantec Security Response
January 2003 Newsletter
--------------------------------------------------------------------------

Welcome to the first Symantec Security Response Newsletter for 2003.

A new virus called W32.Lirva proves again that people just aren't patching
their operating systems or email programs quickly enough; this worm exploits
a vulnerability that Microsoft fixed in March 2001. If this patch (link
below) is applied then worms like W32.Lirva will be unable to auto-execute,
and this will go a long way towards stopping them from spreading.

Judging by the number of back door Trojans we are listing at the moment, it
appears that social engineering (the art of tricking people into doing
something you want them to do, for example opening an email attachment) is
alive and well, and that the average computer user still has trouble
controlling their double-click finger. Maybe it's the lure of popstars and
celebrities, or too-good-to-be-true offers for cheap merchandise and goods
of dubious origin.

Last month we carried a link to Symantec DeepSight Analyzer and a FREE
download page asking people to become a part of the global early-warning
system for cyber attacks. More than 75,200 of you visited the page and I
hope that we'll all benefit from the increased amount of data from any
Security Focus sensors that are set up.

We have an article by senior research fellow Sarah Gordon this month, 'What
goes on in the mind of a hacker?'.

I've added another new section this month, 'Useful Links'. There won't be
many, just topical links to encourage you to use them.

I hope 2003 brings good things to you. :)

Best Regards

David Banes.
Editor, Symantec Security Response Newsletter.
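The auto-execute problem the editorial refers to is an executable attachment whose MIME header declares a harmless content type, which is what the MS01-020 patch addresses and what W32.Lirva (described later in this issue) relies on; W32.ExploreZip.L, also covered below, simply arrives as Zipped_files.exe. Both can be screened for at a mail gateway before any client sees them. The following Python script is an added example and is not code from Symantec or from this newsletter; the sample message, the extension list, the "harmless type" list and the finding labels are constructed for illustration.

```python
"""Screen a raw RFC 822 message for executable attachments, including the
MS01-020 pattern: an executable body declared under a harmless MIME type.
Added example; not code from Symantec or this newsletter."""
import email
from email import policy

# Extensions Windows will run directly (assumed list for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}

# Declared types that should never carry an executable body. A mail client
# that trusts the header over the content can be tricked into running it.
HARMLESS_TYPES = {"audio/x-wav", "audio/x-midi", "image/gif", "image/jpeg",
                  "text/plain"}


def classify_attachment(content_type, filename, payload):
    """Return the findings for one MIME part (empty list when nothing is wrong)."""
    ext = ""
    if filename and "." in filename:
        ext = "." + filename.rsplit(".", 1)[1].lower()
    is_pe = payload[:2] == b"MZ"            # DOS/PE executable header
    executable = ext in EXECUTABLE_EXTENSIONS or is_pe
    findings = []
    if executable:
        findings.append("executable-attachment")
    if executable and content_type in HARMLESS_TYPES:
        findings.append("mime-type-mismatch")   # the MS01-020 auto-execute pattern
    return findings


def scan_message(raw_bytes):
    """Map attachment filename -> findings for every suspicious part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        findings = classify_attachment(part.get_content_type(), name, payload)
        if findings:
            report[name] = findings
    return report


# Constructed sample message: a fake PE stub declared as audio/x-wav (the
# Lirva/MS01-020 pattern), a plainly executable Zipped_files.exe, and a
# genuine JPEG header that should pass.
SAMPLE_MESSAGE = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

see attached
--XX
Content-Type: audio/x-wav; name="song.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="song.exe"

TVqQAAMAAAAEAAAA//8AAA==
--XX
Content-Type: application/octet-stream; name="Zipped_files.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Zipped_files.exe"

TVoAAAA=
--XX
Content-Type: image/jpeg; name="photo.jpg"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="photo.jpg"

/9j/4AAQSkZJRg==
--XX--
"""

if __name__ == "__main__":
    for name, findings in scan_message(SAMPLE_MESSAGE).items():
        print(name, "->", ", ".join(findings))
```

The content check on the first two bytes matters more than the extension or the declared type: both of those are under the sender's control, while a file that starts with the PE header will be run as a program whatever the header says.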
--------------------------------------------------------------------------
Useful Links
--------------------------------------------------------------------------

Microsoft Security Bulletin (MS01-020)
Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

--------------------------------------------------------------------------
To unsubscribe from this newsletter, please go to:
http://securityresponse.symantec.com/avcenter/newsletter.html
--------------------------------------------------------------------------
Country Spotlight
--------------------------------------------------------------------------

Sweden

W32.Klez.H@mm
W32.Opaserv.Worm
W32.Opaserv.E.Worm
W32.Opaserv.G.Worm
Trojan Horse
W32.Yaha.F@mm
W32.Bugbear@mm
JS.Exception.Exploit
Backdoor.Sdbot
W95.CIH

--------------------------------------------------------------------------
Top Threats
--------------------------------------------------------------------------

These are the most reported Viruses, Trojans and Worms to the Symantec
Security Response offices during the last month.

W32.Klez.H@mm
http://www.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
Trojan.Horse
http://www.symantec.com/avcenter/venc/data/trojan.horse.html
W32.Bugbear@mm
http://www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html
JS.Exception.Exploit
http://www.symantec.com/avcenter/venc/data/js.exception.exploit.html
W32.Yaha.K@mm
http://www.symantec.com/avcenter/venc/data/w32.yaha.k@mm.html
W95.Spaces.1445
http://www.symantec.com/avcenter/venc/data/w95.spaces.html
HTML.Redlof.A
http://www.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
W32.Funlove.4099
http://www.symantec.com/avcenter/venc/data/w32.funlove.4099.html
W95.Hybris.worm
http://www.symantec.com/avcenter/venc/data/w95.hybris.worm.html
W32.Nimda.E@mm
http://www.symantec.com/avcenter/venc/data/enc.detection.html

--------------------------------------------------------------------------
Viruses, Worms & Trojans
--------------------------------------------------------------------------

W32.Lirva.A@mm

Aliases: W32/Avril-A [Sophos], W32/Lirva.b@MM [McAfee], WORM_LIRVA.A [Trend],
         Win32.Lirva.A [CA]
Risk: Moderate
Date: 7th January 2003

Platforms Affected
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Overview
W32.Lirva.A is a mass-mailing worm that also spreads by IRC, ICQ, KaZaA, and
open network shares. This worm attempts to terminate antivirus and firewall
products. It also emails the cached Windows 95/98/Me dial-up networking
passwords to the virus writer.

When Microsoft Outlook receives the worm, the worm takes advantage of a
vulnerability that allows the attachment to auto-execute when you read or
preview the email. Information on this vulnerability and a patch can be
found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

If the day of the month is the 7th, 11th, or 24th, the worm will launch your
Web browser to www.avril-lavigne.com and display a graphic animation on the
Windows desktop.

Symantec has provided a tool to remove infections of W32.Lirva.A@mm. This is
the easiest way to remove this threat and should be tried first.
http://www.symantec.com/avcenter/venc/data/w32.lirva.removal.tool.html

References
http://www.symantec.com/avcenter/venc/data/w32.lirva.a@mm.html

Credit
Atli Gudmundsson, Security Response, EMEA

--------------------------------------------------------------------------

W32.ExploreZip.L.Worm

Aliases: W32/ExploreZip.worm@M [McAfee], I-Worm.ZippedFiles.h [KAV],
         WORM_EXPLORZIP.M [Trend], Win32/ExploreZip.Worm [CA],
         W32/ExploreZip.E [F-Prot], W32/ExploreZip.worm.210432 [F-Prot]
Risk: Medium
Date: 10th January 2003

Platforms Affected
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Overview
W32.ExploreZip.L.Worm is a variant of Worm.ExploreZip, a worm that contains
a malicious payload. The file has been repacked to make it more difficult to
detect with older, existing antivirus software. This worm is packed with the
UPX file format, version 0.76.1-1.24.

The worm uses Microsoft Outlook, Outlook Express, or Exchange to mail
itself, by replying to unread messages in the Inbox.
The email attachment is titled Zipped_files.exe.

W32.ExploreZip.L.Worm also searches the mapped drives and network computers
for Windows installations. If they are found, the worm copies itself to the
\Windows folder of the remote computer, and then modifies the Win.ini file
of the infected computer.

W32.ExploreZip.L.Worm has a different file size than that of the original
variant. However, the worm exhibits the same characteristics as the original
Worm.ExploreZip worm. See the writeup, Worm.ExploreZip, for information on
what this worm does.

Recommendations
Definitions dated from January 8, 2003 to January 10, 2003 will detect this
worm as Worm.ExploreZip.

Credit
Jari Kytojoki, Symantec Security Response, EMEA

References
http://www.symantec.com/avcenter/venc/data/w32.explorezip.l.worm.html

--------------------------------------------------------------------------
Security Advisories
--------------------------------------------------------------------------

Perl-HTTPd File Disclosure Vulnerability

Risk: High
Date: 31st December 2002

Components Affected
Perl-HTTPd 1.0
Perl-HTTPd 1.0.1

Description
It has been reported that Perl-HTTPd fails to properly sanitize some web
requests. By exploiting this issue, an attacker is able to traverse outside
of the established web root by using dot-dot-slash (../) directory traversal
sequences. An attacker may be able to obtain any web server readable files
from outside of the web root directory.

Recommendations
Block external access at the network boundary, unless service is required by
external parties. Allow access to Web services for trusted hosts and
networks only.

Webservers should ignore or modify requests that contain '../' or other
suspicious and most likely malicious strings. If possible, configure
Perl-HTTPd to ignore requests that contain suspicious strings.
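The advisory's recommendation that a web server ignore requests containing '../' is the narrow form of a more general check: map the requested path onto the document root and refuse anything that does not end up under it, so that percent-encoded variants of the same sequence are caught too. The Python function below is an added example written for this newsletter, not Perl-HTTPd's own code or its 1.0.2 fix; the WEB_ROOT value is an assumption.

```python
"""Map a requested URL path onto the web root, refusing directory traversal.
Added example; not Perl-HTTPd's code or its 1.0.2 fix."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/htdocs"   # assumed document root for this example


def resolve_request_path(request_path, web_root=WEB_ROOT, reject_dotdot=True):
    """Return the filesystem path to serve, or None if the request must be refused.

    Steps: drop the query string, percent-decode (so %2e%2e%2f is seen as ../),
    refuse NUL bytes and backslashes, optionally refuse any '..' segment
    outright (the advisory's "ignore requests that contain ../" advice), then
    normalise and confirm the result still lies under the web root.
    """
    path = unquote(request_path.split("?", 1)[0])
    if "\x00" in path or "\\" in path:
        return None
    if reject_dotdot and ".." in path.split("/"):
        return None
    root = web_root.rstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    # The prefix check (with the trailing slash) is what actually stops
    # traversal: "/var/www/htdocs/../../../etc/passwd" normalises to
    # "/etc/passwd", which is not under the root. The slash also keeps a
    # sibling such as "/var/www/htdocs2" from passing as a prefix match.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ["/index.html", "/../../../etc/passwd",
                "/%2e%2e/%2e%2e/%2e%2e/etc/passwd", "/docs/../index.html"]:
        print(f"{req!r:42} -> {resolve_request_path(req)}")
```

normpath is a purely lexical operation, so a production server should additionally resolve symbolic links (os.path.realpath) before the prefix comparison; otherwise a link inside the document root that points outside it would pass this check.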
Fixes available:
Perl-HTTPd 1.0: upgrade to perl-httpd-1.0.2.tar.gz
http://citrustech.net/~chrisj/perl-httpd/perl-httpd-1.0.2.tar.gz
Perl-HTTPd 1.0.1: upgrade to perl-httpd-1.0.2.tar.gz
http://citrustech.net/~chrisj/perl-httpd/perl-httpd-1.0.2.tar.gz

References
Source: Perl-HTTPd Home Page
URL: http://citrustech.net/~chrisj/perl-httpd/

Credits
This vulnerability was reported in the product changelog.

--------------------------------------------------------------------------

Microsoft Internet Explorer PNG Deflate Heap Corruption Vulnerability

Risk: High
Date: 12th December 2002

Platforms Affected
See list here: http://www.symantec.com/avcenter/security/Content/6366.html

Components Affected
Microsoft Internet Explorer 5.0.1 SP2
Microsoft Internet Explorer 5.0.1 SP1
Microsoft Internet Explorer 5.0.1
Microsoft Internet Explorer 5.5 SP2
Microsoft Internet Explorer 5.5 SP1
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0

Description
A heap corruption vulnerability has been reported for Microsoft Internet
Explorer. The vulnerability is related to the way that Microsoft Internet
Explorer interprets PNG image data. The function that handles the deflation
of PNG images does not properly handle some invalid data within PNG image
files.

An attacker can exploit this vulnerability by tricking a user into viewing a
maliciously constructed PNG image file. When the image file is rendered it
will trigger the heap corruption condition and overwrite critical areas in
memory. Any malicious attacker-supplied code will be executed with elevated
privileges.

It should be noted that applications which depend on MSIE to render PNG
files are also affected.

Recommendations
Run all client software as a non-privileged user with minimal access rights.
Browsing the web as a low-privileged user will limit the consequences of
malicious code being executed.

Do not follow links provided by unknown or untrusted sources.
Be extremely careful when following links sent by unknown individuals. If
possible, always ensure that any email that has been received is solicited
before reading the contents.

This vulnerability has been resolved in MSIE 6.0 SP 1. Users are advised to
obtain the latest version of MSIE.

References
Source: PNG (Portable Network Graphics) Deflate Heap Corruption Vulnerability
URL: msg://bugtraq/MKEAIJIPCGAHEFEJGDOCCEDMIBAA.marc@eeye.com
Source: Microsoft Security Bulletin MS02-066
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-066.asp

Credits
Vulnerability discovery credited to eEye Digital Security.

--------------------------------------------------------------------------
Security News
--------------------------------------------------------------------------

What goes on in the mind of a hacker?
By Sarah Gordon, Senior Research Fellow, Symantec

What is hacking?

By some definitions, hacking is breaking into computer systems without
consent of the system owner. This activity once required a genuine knowledge
of systems: it was once the domain of the computer geek, who pushed software
to the limits and beyond. These days, however, it doesn't take a computer
expert to become a hacker. There are tools available to help the wanna-be
hacker break into systems. These tools give people unprecedented access to
networks. For the more advanced hackers, tools aren't necessary; they
exploit configuration errors made by users when they configure their
software, or they take advantage of system vulnerabilities.

One of the most commonly exploited vulnerabilities is the buffer overflow -
an event that occurs when more data is placed into a storage buffer or
holding area in computer memory than the buffer can handle. This, in turn,
can crash the system or leave it in an unplanned state that can be
exploited. For example, a program is waiting for input and may expect a
small string like '123'.
Instead the hacker puts in a long string like
'irespectyourskillzandyourkungfu,' overflowing the space allocated for the
string in the memory. The result? The system crashes, potentially allowing a
hacker access that extends far beyond that of the original program.

Contrary to popular myth, hackers aren't necessarily underground loners and
nerds - they're not even necessarily all that smart - although there are
exceptions. In many cases, they simply don't extend their ethical and moral
codes from the real world to the virtual world.

Who is hacking?

The popular hacking demographic of young, middle-class and male reflects
those people who tend to be most technologically savvy in our society.
However, hackers come in all ages, sizes, nationalities and genders. The
average hacker is not necessarily some Goth-type teenaged male, dressed
entirely in black and sporting the latest in piercing fashion - he may very
well be the guy next door or a 50-year-old female. In fact, anecdotal
evidence does suggest that hacking by females is on the rise. As more and
more young women are exposed to the technology and the subculture that
glamorises the activity, we should expect to see more females taking part in
these types of activities. A visual check shows that there are more females
at hacker conferences than there were in the early days; and while some are
young girls who are part of the technically savvy counterculture, some are
certainly hackers.

Why do they do it?

Hacking is done for a variety of reasons - technical challenge, power, fun,
excitement, peer pressure, profit, and in some cases to do damage. For some
it's simply a mental challenge, for others it's money, for some it's the
thrill - there are many different motives and many different targets. For
many, though, it's the challenge and the exhilarating feeling of power and
control that comes from accessing and controlling a machine. It feels good.
Historically, society has tended to uplift hackers to the heights of
technical genius when in reality most of these break-ins are done using
simple tools that exploit known vulnerabilities, yet many people almost
admire them as techno-heroes in some ways. That is a much more serious
problem and one that can't be overcome by just technical solutions. Recently
public perception has shifted away from hacking being acceptable.

Catching hackers is of variable success - as in many ways, the Internet
knows no borders, a careful hacker can cover his or her tracks extremely
well, and so catching the skilled hacker can be very difficult. In other
words, it is possible, though time consuming, to catch hackers, but if the
hacker is well prepared it can be a long slow process, and one that might
bear little fruit in the long run.

What can I do?

One of the best defences against hacking is good computer security
practices. Install good antivirus software that combats the gamut of blended
threats. Buy a firewall, implement it and maintain it. Consider intrusion
detection software to provide an additional layer of security by
automatically blocking malicious attacks that spread quickly through
Internet traffic that a firewall alone cannot stop. Keep your systems up to
date, keep your data backed up, have a plan so that when something does go
wrong you know how to react. Security should be an ongoing practice - as
threats evolve so should your defences against them.

--------------------------------------------------------------------------
Top Reported Viruses, Trojans and Worms
--------------------------------------------------------------------------

Following is a list of the top reported viruses to Symantec's regional
offices.
- Asia Pacific
HTML.Redlof.A
W32.Klez.H@mm
JS.Exception.Exploit
W32.Funlove.4099
W32.Yaha.K@mm
W32.Bugbear@mm
Trojan Horse
W95.Spaces.1445
W32.Nimda.E@mm
W95.Hybris.worm

- Europe, Middle East & Africa
W32.Klez.H@mm
Trojan Horse
W32.Bugbear@mm
JS.Exception.Exploit
W95.Spaces.1445
W32.Funlove.4099
W32.Yaha.K@mm
W32.Nimda.E@mm
HTML.Redlof.A
W95.Hybris.worm

- Japan
W32.Klez.H@mm
HTML.Redlof.A
W32.Bugbear@mm
W32.Klez.E@mm
Trojan Horse
W95.Hybris.worm
W32.Funlove.4099
W95.Spaces.1445
VBS.LoveLetter.A
IRC Trojan

- The Americas
W32.Klez.H@mm
Trojan Horse
W32.Yaha.K@mm
W32.Bugbear@mm
JS.Exception.Exploit
W95.Hybris.worm
W95.Spaces.1445
IRC Trojan
W32.Funlove.4099
W32.Lirva.A@mm

--------------------------------------------------------------------------
A list of Virus Hoaxes reported to Symantec
http://www.symantec.com/avcenter/hoax.html
--------------------------------------------------------------------------
No New Joke Programs reported to Symantec this month.
http://www.symantec.com/avcenter/jokes.html
--------------------------------------------------------------------------
Symantec Security Response now has Removal Tools for the following threats
available on the web site at:
http://www.symantec.com/avcenter/tools.list.html
--------------------------------------------------------------------------
Symantec Glossary for definitions of viruses, Trojans and worms and more.
http://www.symantec.com/avcenter/refa.html
--------------------------------------------------------------------------
Contacts
--------------------------------------------------------------------------

Correspondence by email to: securitynews@symantec.com
(no unsubscribe or support emails please)
Send virus samples to: avsubmit@symantec.com

Newsletter Archive:
http://www.symantec.com/avcenter/sarcnewsletters.html

--------------------------------------------------------------------------
Subscribe and Unsubscribe
--------------------------------------------------------------------------

To be added or removed from the subscription mailing list, please fill out
the form available on the Symantec website at:
http://www.symantec.com/help/subscribe.html

The Symantec Security Response Newsletter is published periodically by
Symantec Corporation. No reprint without permission in writing, in advance.

--------------------------------------------------------------------------

This message contains Symantec Corporation's current view of the topics
discussed as of the date of this document. The information contained in
this message is provided "as is" without warranty of any kind, either
expressed or implied, including but not limited to the implied warranties
of merchantability, fitness for a particular purpose, and freedom from
infringement. The user assumes the entire risk as to the accuracy and the
use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec
Corporation. Other brands and products are trademarks of their respective
holder(s).

(c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may
not be published in other documents without the express, written permission
of Symantec Corporation.

ISSN 1444-9994
--------------------------------------------------------------------------