--------------------------------------------------------------------------
Symantec Security Response
November 2002 Newsletter
--------------------------------------------------------------------------

This month the Friendgreet 'worm' caused many anti-virus vendors to scratch their heads and wonder if they should add detection for an application that asks the user who is installing it if it can spam their address book. Could users be this stupid? Yes, of course we can; who really reads end user licence agreements when installing software? Most of us just hit the 'Next' button to get through the pain of installing software as fast as we can, and it's this impatience that triggers mass mailings to everyone in your address book. If you have an email program configured to automatically add new email addresses to the address book then you'll have a lot of addresses. Most vendors have added detection of this program to their anti-virus products at the request of customers; they want to be able to block this behaviour before a mass mail-out occurs. No doubt we'll see more of this type of activity in the future; I'll be reading these agreements before installing.

W95.Spaces was first discovered at the end of 1999 but seems to have re-appeared. This may be because it has piggybacked another fast-spreading worm, in a similar way to that which I described in the editorial of the May issue of the newsletter; you can find that issue here:
http://sarc-au.symantec.com/published/english/may02inews-en.html

A common topic for discussion at the moment is instant messaging (IM) and the security issues around it. This month we have an introduction to Neal Hindocha's article titled 'Threats to Instant Messaging' and a link to an article on the Symantec web site titled 'Secure Instant Messaging'. Both are very informative and paint a clear picture of the security issues around many instant messaging platforms in use today.
There are secure IM products which also encrypt the messages they send; as with any software selection process, they should be considered if security is a concern. Norton AntiVirus 2003 now includes virus scanning for some of the common IM products.

David Banes
Editor, securitynews@symantec.com
--------------------------------------------------------------------------
To unsubscribe from this newsletter please go to:
http://securityresponse.symantec.com/avcenter/newsletter.html
--------------------------------------------------------------------------
Country Spotlight: France

W32.Bugbear@mm
W32.Opaserv.Worm
W32.Klez.H@mm
W32.Klez.E@mm
W95.Spaces.1445
W32.Yaha.F@mm
W32.Opaserv.E.Worm
W95.Hybris.worm
W32.Funlove.4099
JS.Exception.Exploit
--------------------------------------------------------------------------
These are the most reported viruses, Trojans and worms to the Symantec Security Response offices during the last month.

Top Threats

W32.Bugbear@mm - http://www.sarc.com/avcenter/venc/data/w32.bugbear@mm.html
W32.Klez.H@mm - http://www.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
W32.Opaserv.Worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.html
JS.Exception.Exploit - http://www.symantec.com/avcenter/venc/data/js.exception.exploit.html
W95.Spaces.1445 - http://securityresponse.symantec.com/avcenter/venc/data/w95.spaces.html
W32.Opaserv.E.Worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.e.worm.html
W95.Hybris - http://www.symantec.com/avcenter/venc/data/w95.hybris.gen.html
W32.Funlove.4099 - http://securityresponse.symantec.com/avcenter/venc/data/w32.funlove.4099.html
Trojan.Horse - http://www.symantec.com/avcenter/venc/data/trojan.horse.html
W32.Nimda.E@mm - http://securityresponse.symantec.com/avcenter/venc/data/enc.detection.html
--------------------------------------------------------------------------
Viruses, Worms & Trojans
--------------------------------------------------------------------------
W32.Friendgreet.Worm

Aliases: Friendgreetings, WORM_FRIENDGRT.A [Trend], WORM_FRIENDGRT.B [Trend], Friend Greeting application [McAfee], Friend Greeting application (II) [McAfee]
Risk: Very Low
Date: 25th October 2002

Platforms Affected
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Overview
Symantec Security Response is aware of a widespread e-card (electronic greeting card) that appears to have the characteristics of a worm. Based on a number of requests from Symantec's corporate customers, Security Response has provided definitions that detect and block this program. The installation of software that is associated with the e-card requires your permission for it to perform its mass-mailing functions. If you cancel the installation of the software, no worm-like activities are performed.

NOTE: At this time, the Web site to which the e-card is linked appears to be unavailable. This means that the software can no longer be downloaded and installed from the site www.friendgreetings.com.

Symantec Security Response now provides detection for an updated version of W32.Friendgreet.worm. The new installer is approximately 300 KB in size. It was discovered that this new installer modifies the taskbar in such a way that during installation you cannot switch to another program. This also results in icons disappearing from the taskbar. This does not result in any permanent loss of information; upon rebooting the system the taskbar will function normally.

Additionally, the following URLs may host the installation package for W32.Friendgreet.worm. This has not been confirmed by Security Response at this time.
www.friend-card.com
www.friend-card.net
www.friend-cards.com

Recommendations
Symantec Security Response offers the suggestions detailed on the page linked here on how to configure Symantec products in order to minimize your exposure to this threat.
http://www.sarc.com/avcenter/venc/data/w32.friendgreet.worm.html#recommendations

References
Symantec URL: http://www.sarc.com/avcenter/venc/data/w32.friendgreet.worm.html
--------------------------------------------------------------------------
W95.Spaces.1445

Aliases: W95.Spaces.1633, W95.Spaces.1245, W95.Spaces.1445, W95/Busm.1445, W95/Busm99.1445
Risk: Low
Date: 28th December 1999

Platforms Affected
Windows 95, Windows 98

Overview
W95.Spaces is a dangerous Windows 9x virus. On June 1 of every year, the virus manipulates the Master Boot Record (MBR) of an AT hard disk by using port commands. The virus modifies the MBR data area so that the first partition will point to itself. This prevents the system from booting if running certain MS-DOS versions that contain a bug and are unable to boot the system correctly.

Recommendations
Norton AntiVirus will not remove the 0x2020 ID from the Reserved1 field of the PE header. As a benefit, this acts as inoculation from the virus, since the W95.Spaces virus will assume the file is already infected.

Credit
Peter Szor, Symantec Security Response, USA

References
Symantec URL: http://securityresponse.symantec.com/avcenter/venc/data/w95.spaces.html
--------------------------------------------------------------------------
Security Advisories
--------------------------------------------------------------------------
Linux-HA Heartbeat remote buffer overflow vulnerability

Risk: High
Date: 14th October 2002

Platforms Affected
Linux-HA

Components Affected
Linux-HA heartbeat 0.4.9a, b, c, d and 0.4.9.1

Description
The Linux-HA heartbeat utility is vulnerable to a remotely exploitable buffer overflow condition. Attackers may exploit the vulnerability to execute arbitrary code. It has been reported that the condition is related to the handling of TCP packets.
Recommendations
Block external access at the network boundary, unless the service is required by external parties. Access to interfaces/ports used by heartbeat should be blocked. The vulnerability is eliminated in versions 0.4.9.2 and 0.4.9e. Debian has released patches which are linked to here:
http://www.sarc.com/avcenter/security/Content/5955.html

References
Source: Debian DSA 174-1 New heartbeat packages fix buffer overflows
URL: http://online.securityfocus.com/advisories/4552
Symantec URL: http://www.sarc.com/avcenter/security/Content/5955.html

Credits
Discovered by Nathan Wallwork
--------------------------------------------------------------------------
Macromedia JRun Oversized URI buffer overflow vulnerability

Risk: High
Date: 7th November 2002

Platforms Affected
IBM AIX 4.2 and 4.3
Microsoft IIS 4.0, 5.0 and 5.1
Microsoft Windows 2000 Workstation, SP1, SP2
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows NT 4.0, SP1 through SP6a
RedHat Linux 6.0, alpha and sparc
RedHat Linux 6.1 alpha, i386 and sparc
SGI IRIX 6.5
Sun Solaris 2.6, 7.0 and 8.0

Components Affected
Macromedia JRun 3.0, 3.1 and 4.0

Description
Macromedia JRun is prone to a remotely exploitable buffer overflow condition. This issue is due to insufficient bounds checking of URIs in incoming web requests. Exploitation may allow a remote attacker to execute arbitrary code with the privileges of the JRun server process. This issue is specific to JRun running on Microsoft Windows platforms.

Recommendations
Block external access at the network boundary, unless the service is required by external parties. Filter untrusted or malicious network traffic at border routers and network firewalls.

Deploy network intrusion detection systems (NIDS) to monitor network traffic for malicious activity, and audit NIDS and web server logs for signs of malicious network activity.
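The log audit recommended above can be automated. The script below is an added example, not code from the advisory or from Macromedia: it parses web server access log lines in Common Log Format (an assumed layout) and flags any request whose URI is longer than an assumed threshold, which is how an oversized-URI request against a server such as JRun would show up in the logs. The sample log lines, the addresses and the 1024-byte threshold are constructed for this example.

```python
import re

# Assumed threshold: the advisory gives no figure, so this is a tunable value,
# not one taken from the page. Legitimate request URIs are rarely this long.
MAX_URI_LEN = 1024

# Common Log Format (assumed log layout):
# host ident user [time] "method uri protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_oversized_uris(lines, max_len=MAX_URI_LEN):
    """Return (hits, unparsed): hits lists requests whose URI is longer than
    max_len; unparsed lists 1-based numbers of lines that do not match the
    format, since a request that breaks the log layout is itself worth a look."""
    hits, unparsed = [], []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            unparsed.append(n)
            continue
        uri_len = len(rec["uri"])
        if uri_len > max_len:
            hits.append({"line": n, "host": rec["host"], "method": rec["method"],
                         "uri_len": uri_len, "status": rec["status"]})
    return hits, unparsed

# Constructed sample log: four ordinary requests, one with a 1500-byte padded
# path, and one line that does not parse. Addresses are RFC 5737 ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Nov/2002:10:12:01 +0000] "GET /index.jsp HTTP/1.0" 200 2043',
    '192.0.2.11 - - [07/Nov/2002:10:12:05 +0000] "POST /servlet/login HTTP/1.1" 302 0',
    '198.51.100.7 - - [07/Nov/2002:10:13:40 +0000] "GET /' + "A" * 1500 + ' HTTP/1.0" 500 0',
    '192.0.2.12 - - [07/Nov/2002:10:14:02 +0000] "GET /images/logo.gif HTTP/1.1" 304 -',
    'not a log line at all',
]

if __name__ == "__main__":
    for h in find_oversized_uris(SAMPLE_LOG)[0]:
        print(f"line {h['line']}: {h['host']} {h['method']} uri_len={h['uri_len']} status={h['status']}")
```

A 5xx status on the flagged line is worth correlating with server restarts, since a crashed process often leaves no log entry at all for the request that killed it.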
Run all server processes as non-privileged users with minimal access rights. Running the server with the least privileges required will reduce the consequences of successful exploitation.

Macromedia has released patches which are linked to here:
http://www.symantec.com/avcenter/security/Content/6122.html

References
Symantec URL: http://www.symantec.com/avcenter/security/Content/6122.html

Credits
This issue was reported in a Macromedia security alert. Discovery of this issue appears to be credited to Marc Maiffret of eEye Digital Security.
--------------------------------------------------------------------------
Security News
--------------------------------------------------------------------------
Threats to Instant Messaging

Instant messaging is an up-and-coming threat as a carrier for malware. More and more people are using instant messaging, both for personal and business reasons. Instant messaging networks provide the ability to not only transfer text messages, but also transfer files. Consequently, instant messengers can transfer worms and other malware.

Instant messaging can also provide an access point for backdoor Trojan horses. Hackers can use instant messaging to gain backdoor access to computers without opening a listening port, effectively bypassing desktop and perimeter firewall implementations. Furthermore, finding victims doesn't require scanning unknown IP addresses, but rather simply selecting from an updated directory of buddy lists.

As more functionality is added to instant messaging, such as peer-to-peer file sharing, instant messaging will also become more prone to carrying malware. Furthermore, instant messaging is very difficult to block in a company using conventional security methods such as firewalls. In addition, there are generally no antivirus applications monitoring instant messaging network communications on the server level. This means an instant messaging worm can be caught only at the desktop level.
Fortunately, antivirus vendors have realized the dangers of instant messaging, and have begun to create plug-ins for the various instant messaging clients in their desktop products. Norton AntiVirus 2003 is an example of an antivirus product that will plug in to the various clients and scan any incoming files.

When email became a part of our daily lives, it also became a large carrier of worms. Even after many email worm outbreaks, people are still not educated about the potential dangers of email usage. Hopefully, the same story will not be repeated with instant messengers.

The full article is here:
http://sarc.com/avcenter/reference/threats.to.instant.messaging.pdf

Neal Hindocha
Symantec Security Response

Editor's Note: A second article is also available on the Symantec web site:
http://www.sarc.com/avcenter/reference/secure.instant.messaging.pdf
--------------------------------------------------------------------------
Top Reported Viruses, Trojans and Worms

Following is a list of the top reported viruses to Symantec's regional offices.
- Asia Pacific
W32.Bugbear@mm
W32.Klez.H@mm
W32.Opaserv.Worm
HTML.Redlof.A
JS.Exception.Exploit
W95.Spaces.1445
W32.Opaserv.E.Worm
W32.Funlove.4099
W32.Datom.Worm
W95.Hybris.worm

- Europe, Middle East & Africa
W32.Bugbear@mm
W32.Klez.H@mm
W32.Opaserv.Worm
W95.Spaces.1445
JS.Exception.Exploit
W32.Opaserv.E.Worm
W32.Funlove.4099
W32.Nimda.E@mm
Trojan Horse
W95.Hybris.worm

- Japan
W32.Klez.H@mm
W32.Bugbear@mm
W32.Opaserv.Worm
W32.Klez.E@mm
Trojan Horse
JS.Exception.Exploit
W32.Nimda.E@mm
W95.Spaces.1445
W95.Hybris.worm
HTML.Redlof.A

- The Americas
W32.Klez.H@mm
W32.Bugbear@mm
W32.Opaserv.Worm
JS.Exception.Exploit
W95.Spaces.1445
W32.Opaserv.E.Worm
W95.Hybris.worm
Trojan Horse
IRC Trojan
W32.Aplore@mm
--------------------------------------------------------------------------
A list of Virus Hoaxes reported to Symantec:
http://www.symantec.com/avcenter/hoax.html
--------------------------------------------------------------------------
No new Joke Programs reported to Symantec this month.
http://www.symantec.com/avcenter/jokes.html
--------------------------------------------------------------------------
Symantec Security Response now has Removal Tools for the following threats available on the web site at:
http://www.symantec.com/avcenter/tools.list.html
--------------------------------------------------------------------------
Symantec Glossary for definitions of viruses, Trojans, worms and more:
http://www.symantec.com/avcenter/refa.html
--------------------------------------------------------------------------
Contacts
--------------------------------------------------------------------------
Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails please).
Send virus samples to: avsubmit@symantec.com

Newsletter Archive:
http://www.symantec.com/avcenter/sarcnewsletters.html
--------------------------------------------------------------------------
Subscribe and Unsubscribe
--------------------------------------------------------------------------
To be added or removed from the subscription mailing list, please fill out the form available on the Symantec website at:
http://www.symantec.com/help/subscribe.html

The Symantec Security Response Newsletter is published periodically by Symantec Corporation. No reprint without permission in writing, in advance.
--------------------------------------------------------------------------
This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s).

(c) Copyright 2002 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.

ISSN 1444-9994
--------------------------------------------------------------------------