--------------------------------------------------------------------------
Symantec Security Response Newsletter
ISSN 1444-999
July 2003
--------------------------------------------------------------------------

- Welsh virus writer loses appeal.

The Register has reported that a UK virus writer convicted of writing several viruses, including W32.GoKar.A@mm, lost his appeal to reduce his prison sentence. It's interesting that the UK's Computer Misuse Act of 1990 is effective in the fight against virus authors at a time when many countries are still grappling with legislation to counter virus writing.

At the same time, countries like Australia are working hard to pass legislation that will outlaw, at least in Australia, another Internet plague, spamming. It occurs to me that as spammers change their techniques and start to use malicious code like trojans to send spam, it may actually make it easier for law enforcement agencies to prosecute them in places that have effective computer misuse law already in place.

A hot issue in Australia at the moment is credit card and other forms of financial fraud facilitated via trojans and key loggers; again, this would appear to fall under wider computer misuse law such as the Australian Federal Cybercrime Act of 2001.

I'd be interested in feedback from anyone with information about computer misuse law in other countries.

Best Regards
David Banes
Editor, Symantec Security Response Newsletter
Links
http://www.theregister.co.uk/content/56/31901.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.gokar.a@mm.html
--------------------------------------------------------------------------
Security Response is monitoring the following threat:
W32.Mimail.A@mm
http://www.sarc.com/avcenter/venc/data/w32.mimail.a@mm.html

Use Symantec Security Alerts on Your Web Site
http://securityresponse.symantec.com/avcenter/cgi-bin/syndicate.cgi
--------------------------------------------------------------------------
Top Malicious Code Threats

Risk  Threat                Discovered    Protection
4     W32.Bugbear.B@mm      4 Jun 2003    5 Jun 2003
4     W32.Klez.H@mm         17 Apr 2002   17 Apr 2002
3     W32.Sobig.E@mm        25 Jun 2003   25 Jun 2003
3     W32.HLLW.Fizzer@mm    8 May 2003    9 May 2003
3     W32.SQLExp.Worm       24 Jan 2003   24 Jan 2003
3     W32.Mimail.A@mm       1 Aug 2003    1 Aug 2003
--------------------------------------------------------------------------
Latest Malicious Code Threats

Risk  Threat                Discovered    Protection
2     Backdoor.IRC.Cirebot  2 Aug 2003    4 Aug 2003
1     Backdoor.Sumtax       1 Aug 2003    1 Aug 2003
3     W32.Mimail.A@mm       1 Aug 2003    1 Aug 2003
1     PWSteal.Bancos.B      31 Jul 2003   1 Aug 2003
1     Backdoor.FTPserver    31 Jul 2003   31 Jul 2003
--------------------------------------------------------------------------
Common Vulnerabilities

Microsoft IE MIME Header Attachment Execution Vulnerability
Bugtraq ID    : 2524
CVE Reference : CVE-2001-0154
Exploited by  : W32.Klez, W32.Sobig, W32.Bugbear, W32.Yaha, W32.Nimda, W32.Lirva

MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
Bugtraq ID    : 2708
CVE Reference : CVE-2001-0333
Exploited by  : W32.Nimda

Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
Bugtraq ID    : 1806
CVE Reference : CVE-2000-0884
Exploited by  : W32.Nimda

Microsoft Windows 9x / Me Share Level Password Bypass Vulnerability
Bugtraq ID    : 1780
CVE Reference : CVE-2000-0979
Exploited by  : W32.Opaserv

Microsoft SQL Server Resolution Service Buffer Overflows Allow Arbitrary Code Execution
Bugtraq ID    : 5311
CVE Reference : CAN-2002-0649
Exploited by  : W32.SQLExp.Worm
--------------------------------------------------------------------------
Monthly Security Round-up from Symantec DeepSight Threat Management System
http://tms.symantec.com/

Microsoft released Service Pack 4 for Windows 2000, which addressed two new vulnerabilities affecting Microsoft NetMeeting and Active Directory while also encompassing all previous patches.

A Threat Report was released by the DeepSight Threat Analyst Team to highlight a critical vulnerability discovered in the widely deployed online credit card processing software CCBill. A remote vulnerability involving a sample script, whereami.cgi, granted unauthorized users the ability to execute arbitrary commands on the host where CCBill resided, in the security context of the whereami.cgi script.

Security updates were released for three widely distributed products: Microsoft Windows, Cisco IOS, and the Apache Web server. The impact of the vulnerabilities affecting these products ranged from Denial of Service attacks to remote code execution.

Microsoft released three security bulletins. MS03-026 was assigned the security rating of "Critical", disclosing a buffer overrun in the Microsoft Windows implementation of Remote Procedure Call (RPC) which may allow remote code execution on all Windows platforms except Windows ME. The remaining two Microsoft security bulletins, MS03-027 and MS03-028, were assigned a security rating of "Important".

Cisco released an advisory disclosing a Denial of Service vulnerability affecting Cisco devices running IOS and configured to process Internet Protocol version 4 (IPv4) packets. Exploitation of the vulnerability is trivial; an exploit was made public on Friday, July 18. IDS signatures were created by the Threat Analyst Team and released in the associated Threat Alert on July 17, 2003.

Apache HTTP server 2.0.47 was released. The release was principally a security bug fix.
The vulnerabilities fixed included a Denial of Service condition, file descriptor leakage, and logging failure related vulnerabilities.

The DeepSight Threat Analyst Team released a Threat Alert detailing the release of publicly available exploits for the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability. Despite the impact of this vulnerability, and the availability of exploits to the public, widespread exploitation has not yet been seen by DeepSight TMS.

Several high impact vulnerabilities affected Microsoft products, including the Microsoft DirectShow MIDI Filetype Buffer Overflow Vulnerability and the Microsoft SQL Server LPC Port Request Buffer Overflow Vulnerability, which plagued users of DirectX and MS SQL Server, respectively. Additionally, another RPC-related vulnerability was disclosed in Microsoft's implementation of RPC, which could result in a crash of the vulnerable machine during successful exploitation.

DeepSight TMS continued to report heavy worm-related activity, with Code Red, Nimda, and SQLExp (aka Slammer) related traffic continuing their attacks on Internet-connected machines.

The DeepSight Threat Analyst Team released a Snort signature to detect attacks targeting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability. IDS administrators are encouraged to deploy this signature, which is available in the IDS Tips and Tricks section of this weekly, in order to assist in the detection of attacks targeting this vulnerability.
--------------------------------------------------------------------------
Viruses, Worms & Trojans
--------------------------------------------------------------------------
W32.Lofni.Worm

Aliases          : W32.Lohack.B.Worm, W32/Noala@MM [McAfee]
Risk             : Low [2]
Date             : 14th July 2003
Systems Affected : Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
CVE Reference    : CVE-2001-0154

Overview
W32.Lofni.Worm is a worm that attempts to spread itself through file-sharing networks.
It also attempts to mass-mail itself to all the contacts in the Windows Address Book. The email will have a variable subject and attachment name. The attachment will have a .exe or .scr file extension. The worm uses an internal SMTP client engine.

In addition, W32.Lofni.Worm is a network-aware worm. It is a Visual Basic application that is compiled to native code and is packed with UPX v1.23.

Definitions dated prior to July 25, 2003 detect this as W32.Lohack.B.Worm.

Credits
Write-up by: Sergei Shevchenko, Security Response APAC.

References
Symantec Security Response
http://www.sarc.com/avcenter/venc/data/w32.lofni.worm.html
--------------------------------------------------------------------------
W32.HLLW.Indor.E@mm

Aliases          :
Risk             : Low [2]
Date             : 16th July 2003
Systems Affected : Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Overview
W32.HLLW.Indor.E@mm is a mass-mailing worm that uses Microsoft Outlook to send a zipped copy of itself to all the contacts in the Microsoft Outlook Address Book.

When W32.HLLW.Indor.E@mm runs, it displays a fake message that states:
"Error in file #1: bad Zip file offset (Error local header signature not found): disk #1 offset: 68669733"

W32.HLLW.Indor.E@mm can also spread through network drives, floppy disks, the KaZaA file-sharing network, and mIRC.

The email has the following characteristics:

Subject: The subject line is one of the following:
- Your verification is required Confirm FFA submission and receive 1000 Credit
- Your Success Is Guranteed!
- You are Losing Income
- WHY NOT CHECK IT OUT? IT'S FREE!
- Free Software, Download it now !!
- Free MP3, OGG/VORBIS Hit Songs !!
- Download DVD Movie Now !! Its Free..!
- URGENT: Please Verify Your Submission Confirm FFA submission !!
- The E.A.S.E System Can Make You Money At Home!!
- Thank You !
- Re: Your Daily Report
- Re: Web Site Report
- WE send the TRAFFIC, YOU make the SALES!
- Thank You For Your Subscription
- Confirmation
- Need a quick $100 today?
- Confirmation Email - Required !

Attachment: The attachment, which is a zipped copy of the worm, is one of the following:
- SaveNow.zip
- Report.zip
- Bonus.zip
- FFA.zip
- FreeJoin.zip

This threat is written in the Microsoft Visual Basic programming language.

Credits
Write-up by: Yana Liu, Security Response USA.

References
Symantec Security Response
http://www.sarc.com/avcenter/venc/data/w32.hllw.indor.e@mm.html
--------------------------------------------------------------------------
Security News

Guilty Plea in Kinko's Keystroke Caper
By Kevin Poulsen, Jul 18 2003
A New York cyberthief bugged the public access machines at thirteen Manhattan Kinko's shops for nearly two years. His take: hundreds of online banking passwords. ...
http://www.securityfocus.com/news/6447
--------------------------------------------------------------------------
Security Advisories
--------------------------------------------------------------------------
Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability

Risk : High
Date : 16th July 2003
Components Affected: Many, listed here:
http://securityresponse.symantec.com/avcenter/security/Content/8205.html

Overview
A buffer overrun vulnerability has been reported in Microsoft Windows that can be exploited remotely via a DCOM RPC interface that listens on TCP/UDP port 135. The issue is due to insufficient bounds checking of client DCOM object activation requests. Exploitation of this issue could result in execution of malicious instructions with Local System privileges on an affected system.

This issue may be exposed on other ports that the RPC Endpoint Mapper listens on, such as TCP ports 139, 135, 445 and 593. This has not been confirmed.
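Two items in this issue lend themselves to checks at a mail gateway: the IE MIME header attachment issue listed under Common Vulnerabilities (CVE-2001-0154, also the CVE reference given in the W32.Lofni.Worm write-up) and the subject lines and zip attachment names quoted in the W32.HLLW.Indor.E@mm write-up. The following Python is an added example written for this newsletter, not Symantec's code or signatures. It flags an executable attachment that is declared with an inline media type (the header/extension mismatch behind CVE-2001-0154, implemented as a generic check rather than a signature for any specific sample), and it matches a message against the Indor.E subjects and attachment names, additionally looking inside a zip attachment for an executable member. The subject and attachment lists are copied from the write-up; the two sample messages, the example.invalid addresses and the executable extension list are constructed for the example.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Executable extensions and inline media types (both lists constructed for the example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}
INLINE_MEDIA_TYPES = {"audio", "image", "video"}

# Indicators copied from the W32.HLLW.Indor.E@mm write-up above.
INDOR_E_SUBJECTS = {
    "Your verification is required Confirm FFA submission and receive 1000 Credit",
    "Your Success Is Guranteed!",
    "You are Losing Income",
    "WHY NOT CHECK IT OUT? IT'S FREE!",
    "Free Software, Download it now !!",
    "Free MP3, OGG/VORBIS Hit Songs !!",
    "Download DVD Movie Now !! Its Free..!",
    "URGENT: Please Verify Your Submission Confirm FFA submission !!",
    "The E.A.S.E System Can Make You Money At Home!!",
    "Thank You !",
    "Re: Your Daily Report",
    "Re: Web Site Report",
    "WE send the TRAFFIC, YOU make the SALES!",
    "Thank You For Your Subscription",
    "Confirmation",
    "Need a quick $100 today?",
    "Confirmation Email - Required !",
}
INDOR_E_ATTACHMENTS = {"savenow.zip", "report.zip", "bonus.zip", "ffa.zip", "freejoin.zip"}


def _norm(text: str) -> str:
    # Collapse whitespace and lower-case so header spacing differences do not matter.
    return " ".join(text.split()).lower()

_INDOR_E_SUBJECTS_NORM = {_norm(s) for s in INDOR_E_SUBJECTS}


def mime_type_mismatch(raw: bytes) -> list[str]:
    """Flag parts whose file name is executable but whose declared type is inline media."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTENSIONS and part.get_content_maintype() in INLINE_MEDIA_TYPES:
            hits.append(f"{name} declared as {part.get_content_type()}")
    return hits


def indor_e_indicators(raw: bytes) -> list[str]:
    """Match the write-up's subjects and zip names, and look inside zips for executables."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg.get("Subject", ""))
    if _norm(subject) in _INDOR_E_SUBJECTS_NORM:
        hits.append(f"subject matches known Indor.E subject: {subject!r}")
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower() in INDOR_E_ATTACHMENTS:
            hits.append(f"attachment name matches: {name}")
        if name.lower().endswith(".zip"):
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if os.path.splitext(member)[1].lower() in EXECUTABLE_EXTENSIONS:
                            hits.append(f"{name} contains executable: {member}")
            except zipfile.BadZipFile:
                hits.append(f"{name} is not a valid zip archive")
    return hits


def build_sample_message() -> bytes:
    """Constructed message in the shape the Indor.E write-up describes (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SaveNow.exe", b"MZ placeholder bytes, not a program")
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = "Re: Web Site Report"
    msg.set_content("Please see the attached report.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="SaveNow.zip")
    return msg.as_bytes()


# Constructed message in the shape CVE-2001-0154 abused: an .exe declared as audio/x-wav.
MISMATCH_MESSAGE = b"""\
From: sender@example.invalid
Subject: Listen to this
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.exe"

TVoAAA==
"""
```

Calling mime_type_mismatch(MISMATCH_MESSAGE) returns one flag for readme.exe declared as audio/x-wav, and indor_e_indicators(build_sample_message()) returns three: the known subject, the known attachment name, and the executable inside the zip. Exact subject matching is deliberately narrow, so it catches the worm as described without flagging ordinary mail but would miss a variant that changes its subjects; the zip-contains-executable check is the more durable of the rules and is the one worth keeping once the specific indicators have aged.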
Under some configurations the Endpoint Mapper may also receive traffic via port 80.

Credits
Discovery of this vulnerability has been credited to The Last Stage of Delirium Research Group.

References
Source: Microsoft Security Bulletin MS03-026
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
Symantec Security Response
http://www.sarc.com/avcenter/security/Content/8205.html
--------------------------------------------------------------------------
Cisco IOS Malicious IPV4 Packet Sequence Denial Of Service Vulnerability

Risk : High
Date : 16th July 2003
Components Affected: Many, see list here:
http://www.sarc.com/avcenter/security/Content/8211.html

Overview
A denial of service vulnerability has been reported to exist in all hardware platforms that run Cisco IOS versions 11.x through 12.x. This issue may be triggered by a sequence of specially crafted IPv4 packets. A power cycle of an affected device is required to regain normal functionality.

Credits
This vulnerability was announced by the vendor.

References
Source: Cisco Homepage
URL: http://www.cisco.com
Source: Cisco Product Security Advisories and Notices
URL: http://www.cisco.com/warp/public/707/advisory.html
Source: Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
URL: http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
--------------------------------------------------------------------------
Useful Links
--------------------------------------------------------------------------
Use Symantec Security Alerts on Your Web Site
http://securityresponse.symantec.com/avcenter/cgi-bin/syndicate.cgi

To unsubscribe from this newsletter please go to:
http://securityresponse.symantec.com/avcenter/newsletter.html

Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

Virus Removal Tools
Fix tools for threats such as W32.HLLW.Lovgate, W32.SQLExp.Worm, W32.Sobig.A@mm and W32.Bugbear@mm
http://www.sarc.com/avcenter/tools.list.html

Virus Hoaxes
------------
There are many email virus hoaxes; please check here before forwarding email virus warnings.
http://securityresponse.symantec.com/avcenter/hoax.html

Joke Programs
-------------
Joke programs are not malicious and can be safely deleted.
http://securityresponse.symantec.com/avcenter/jokes.html
--------------------------------------------------------------------------
Security Events Calendar

HIPAA Security and Privacy Conference - Transactions and Compliance Strategies
Date: Aug 21, 2003
San Diego, CA, USA
http://www.dataconnectors.com/events/sd_hipaa_03/agenda.asp

SecureWorld Expo
Date: Sept 24-25, 2003
Seattle, WA, USA
http://www.secureworldexpo.com/seattle03.php

IDC Internet Security Conference
Date: Sept 25-26, 2003
Copenhagen, Denmark
http://nordic.idc.com/Events/Security/Denmark/default.htm

VB2003 - VB Conference 2003
Date: Sept 25-26, 2003
Toronto, Canada
http://www.virusbtn.com/conference/vb2003/index.xml

AVAR 2003 - Malicious Code Conference 2003
Date: November 6-7, 2003
Sydney, Australia
http://www.aavar.org/

For more events go to our online Events Calendar:
http://enterprisesecurity.symantec.com/content/globalevents.cfm
--------------------------------------------------------------------------
Symantec Glossary for definitions of viruses, Trojans, worms and more.
http://www.symantec.com/avcenter/refa.html
--------------------------------------------------------------------------
Contacts
--------------------------------------------------------------------------
Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails please).
Send virus samples to: avsubmit@symantec.com
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html
--------------------------------------------------------------------------
Subscribe and Unsubscribe
--------------------------------------------------------------------------
To be added or removed from the subscription mailing list, please fill out the form available on the Symantec website at:
http://www.symantec.com/help/subscribe.html

The Symantec Security Response Newsletter is published periodically by Symantec Corporation. No reprint without permission in writing, in advance.
--------------------------------------------------------------------------
This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s).

(c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.
--------------------------------------------------------------------------