--------------------------------------------------------------------------
Symantec Security Response
October 2002 Newsletter
--------------------------------------------------------------------------

Well, just when we all thought 2002 was going to be one of the slowest years for a long time, two worms were discovered in a matter of days; both W32.Bugbear@mm and W32.Opaserv.Worm surprised everyone by spreading very quickly. Yet again the quickest-spreading worm used a known exploit that Microsoft patched a while ago. Details are here; if you still have not installed this update I suggest you do:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

We have multiple OpenVMS vulnerabilities and an article on Mac OS X security from Kaoru Hayashi in Japan.

David Banes.
Editor, securitynews@symantec.com

--------------------------------------------------------------------------
To unsubscribe from this newsletter please go to:
http://securityresponse.symantec.com/avcenter/newsletter.html
--------------------------------------------------------------------------

Country Spotlight: New Zealand

W32.Bugbear@mm
W32.Klez.H@mm
W32.Opaserv.Worm
W32.HLLW.Qaz(gen)
Trojan Horse
JS.Trojan.WindowBomb
JS.Exception.Exploit
Backdoor.Trojan
W32.Yaha.F@mm
W95.Hybris.worm

--------------------------------------------------------------------------
These are the most reported Viruses, Trojans and Worms to the Symantec Security Response offices during the last month.
Top Threats

W32.Klez.H@mm - http://www.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
W32.Bugbear@mm - http://www.sarc.com/avcenter/venc/data/w32.bugbear@mm.html
W32.Opaserv.Worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.html
JS.Exception.Exploit - http://www.symantec.com/avcenter/venc/data/js.exception.exploit.html
Trojan.Horse - http://www.symantec.com/avcenter/venc/data/trojan.horse.html
W32.Datom.Worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.datom.worm.html
W95.Hybris - http://www.symantec.com/avcenter/venc/data/w95.hybris.gen.html
W32.Yaha.F@mm - http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.f@mm.html
W32.Klez.E@mm - http://www.symantec.com/avcenter/venc/data/w32.klez.e@mm.html
W95.CIH - http://securityresponse.symantec.com/avcenter/venc/data/cih.html

--------------------------------------------------------------------------
Viruses, Worms & Trojans
--------------------------------------------------------------------------

W32.Bugbear@mm
Date: 30th Sep 2002    Risk: High

Platforms Affected
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Components Affected
Email programs, network shares (Windows Networking), anti-virus and firewall programs.

Overview
W32.Bugbear@mm is a mass-mailing worm. It can also spread through network shares. It has keystroke-logging and backdoor capabilities. The worm also attempts to terminate the processes of various antivirus and firewall programs. Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupts their normal functionality. It is written in Microsoft Visual C++ 6 and is compressed with UPX v0.76.1-1.22.

Recommendations
The easiest way to remove this threat is to use the Symantec Security Response Removal Tool.
http://www.symantec.com/avcenter/venc/data/w32.bugbear@mm.removal.tool.html

Threat Metrics

Region                        % reports
The Americas                      24.4%
Europe, Middle East, Africa       67.7%
Japan                              0.5%
Asia Pacific                       7.4%

Date      % reports
29 Sep       0.01%
30 Sep        0.5%
1 Oct         3.3%
2 Oct         8.0%
3 Oct        10.6%
5 Oct         7.4%
7 Oct        12.0%
9 Oct         8.4%
11 Oct        6.0%
13 Oct        4.1%

Credit
Serghei Sevcenco, Symantec Security Response, APAC
Yana Liu, Symantec Security Response, USA

References
http://www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html
http://www.symantec.com/avcenter/venc/data/w32.bugbear@mm.removal.tool.html

--------------------------------------------------------------------------
W32.Opaserv.Worm
Date: 30th Sep 2002    Risk: Medium

Platforms Affected
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Components Affected
Network shares (Windows Networking)

Overview
W32.Opaserv.Worm is a network-aware worm that attempts to replicate across open network shares. It copies itself to the remote computer as a file named Scrsvr.exe. This worm also attempts to download updates from www.opasoft.com, although the site may have already been shut down.

Indicators of infection include:
- The existence of the files Scrsin.dat and Scrsout.dat in the root of drive C. This indicates a local infection (that is, the worm was executed on the local computer).
- The existence of the Tmp.ini file in the root of drive C. This indicates a remote infection (that is, the computer was infected by a remote host).
- The registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run contains the string value ScrSvr or ScrSvrOld, which is set to c:\tmp.ini.

Recommendations
The easiest way to remove this threat is to use the Symantec W32.Opaserv.Worm Removal Tool.
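The three indicators above translate directly into a host check. The Python script below is an added example written for this edit; it is not Symantec's removal tool or any code from the write-up. It takes the indicators exactly as listed (the two .dat files, Tmp.ini, the ScrSvr/ScrSvrOld Run values set to c:\tmp.ini) and separates the local-infection case from the remote-infection case. The write-up prints the key as "Current Version"; the actual key name is CurrentVersion, which the script uses. The collection helper only reads the registry when run on Windows; the scenarios are constructed evidence, not data from a real host.

```python
import os

# Indicators as listed in the write-up. The Run key is printed there with a
# space ("Current Version"); the real key name has none.
LOCAL_INDICATOR_FILES = (r"C:\Scrsin.dat", r"C:\Scrsout.dat")
REMOTE_INDICATOR_FILE = r"C:\Tmp.ini"
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAMES = ("ScrSvr", "ScrSvrOld")
RUN_VALUE_DATA = r"c:\tmp.ini"


def assess_opaserv(existing_files, run_values):
    """Classify a host from already-collected evidence.

    existing_files: iterable of absolute paths that exist on the host.
    run_values:     dict of HKLM\\...\\Run value name -> string data.
    Returns {'infected', 'origin', 'indicators'}; origin tells whether the
    worm ran here ('local'), arrived over a share ('remote'), or both.
    """
    present = {p.lower() for p in existing_files}
    hits = []

    local_files = [f for f in LOCAL_INDICATOR_FILES if f.lower() in present]
    for f in local_files:
        hits.append(("file", f, "local infection: worm was executed on this host"))

    remote_file = REMOTE_INDICATOR_FILE.lower() in present
    if remote_file:
        hits.append(("file", REMOTE_INDICATOR_FILE, "remote infection: infected by a remote host"))

    wanted = {n.lower() for n in RUN_VALUE_NAMES}
    run_hits = [(name, data) for name, data in run_values.items()
                if name.lower() in wanted
                and data.strip().strip('"').lower() == RUN_VALUE_DATA]
    for name, data in run_hits:
        hits.append(("registry", f"HKLM\\{RUN_KEY_PATH}\\{name} = {data}",
                     "persistence: Run value pointing at the dropped copy"))

    if local_files and (remote_file or run_hits):
        origin = "local and remote"
    elif local_files:
        origin = "local"
    elif remote_file or run_hits:
        origin = "remote"
    else:
        origin = None
    return {"infected": bool(hits), "origin": origin, "indicators": hits}


def collect_from_windows_host():
    """Gather the same evidence from the running machine (registry part is Windows only)."""
    files = [p for p in LOCAL_INDICATOR_FILES + (REMOTE_INDICATOR_FILE,) if os.path.exists(p)]
    run_values = {}
    try:
        import winreg  # standard library, present only on Windows
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
            index = 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(key, index)
                except OSError:   # raised when the values are exhausted
                    break
                run_values[name] = str(data)
                index += 1
    except ImportError:
        pass  # not Windows: file checks still ran, registry evidence unavailable
    return files, run_values


# Constructed scenarios (not real host data) for trying the classifier offline.
SCENARIO_CLEAN = ([r"C:\boot.ini"], {"Updater": r"C:\Program Files\Updater\upd.exe"})
SCENARIO_REMOTE = ([r"C:\Tmp.ini"], {"ScrSvr": r"c:\tmp.ini"})
SCENARIO_LOCAL = ([r"C:\Scrsin.dat", r"C:\Scrsout.dat"], {})

if __name__ == "__main__":
    for label, (files, values) in [("clean", SCENARIO_CLEAN), ("remote", SCENARIO_REMOTE),
                                   ("local", SCENARIO_LOCAL), ("this host", collect_from_windows_host())]:
        verdict = assess_opaserv(files, values)
        print(f"{label:9s} infected={verdict['infected']} origin={verdict['origin']}")
        for kind, where, meaning in verdict["indicators"]:
            print(f"    [{kind}] {where}: {meaning}")
```

Matching is case-insensitive and tolerant of a quoted value, since Windows paths and Run data are not case-sensitive and the worm's exact quoting is not stated in the write-up.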
http://www.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html

Threat Metrics

Region                        % reports
The Americas                      25.3%
Europe, Middle East, Africa       67.6%
Japan                              1.3%
Asia Pacific                       5.8%

Date      % reports
27 Oct       0.03%
29 Sep        0.2%
30 Sep        3.0%
1 Oct        13.1%
2 Oct        11.9%
4 Oct         8.7%
5 Oct         5.0%
10 Oct        6.9%
12 Sep        3.2%
13 Sep        2.7%

Credit
Douglas Knowles, Symantec Security Response, USA
Peter Ferrie, Symantec Security Response, APAC

References
http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.html
http://www.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html

--------------------------------------------------------------------------
Security Advisories
--------------------------------------------------------------------------

Multiple Microsoft SQL Server Vulnerabilities
Date: 2nd Oct 2002    Risk: High

Platforms Affected
Microsoft Access 2000, Microsoft BackOffice 4.5, Microsoft Project Central Server, Microsoft SQL Server 7.0, Microsoft SQL Server 2000, Microsoft Visual Studio 6.0, Microsoft Windows 2000 Workstation to SP2, Microsoft Windows NT 4.0 to SP6a

Components Affected
Microsoft Data Engine 1.0 and 2000
Microsoft SQL Server 7.0 to 7.0 SP4
Microsoft SQL Server 2000 to 2000 SP2

Overview
Microsoft has released a security bulletin reporting multiple vulnerabilities in Microsoft SQL Server.

Description
The first of these issues is a buffer overflow in SQL Server user authentication. It is possible to corrupt memory with a malformed login request. This may enable an attacker to execute arbitrary code with the privileges of the SQL Server process. Malformed login requests may also cause a denial of service. It is possible to trigger this condition prior to authenticating with the server. This issue affects Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000.

The second issue is a buffer overflow in one of the Database Console Commands (DBCCs) that ship with the vulnerable products.
This issue may be exploited to execute arbitrary code with the privileges of the SQL Server process. Authentication is required to exploit this vulnerability. The issue affects Microsoft SQL Server 7.0/2000 and Microsoft Data Engine (MSDE) 1.0/2000.

The third issue is related to how the affected products handle scheduled jobs. The SQL Server Agent may be instructed to create an output file during a job step. The output file is created with the privileges of the SQL Server Agent, instead of the privileges of the user who scheduled the job. As a result, a malicious authenticated user could schedule a job step which creates a malicious output file in an attacker-specified directory. This may potentially be exploited to allow for execution of operating system commands with elevated privileges. An attacker would also be able to cause sensitive files to be corrupted. This issue affects Microsoft SQL Server 7.0/2000 and Microsoft Data Engine (MSDE) 1.0/2000.

Recommendations
Block external access at the network boundary, unless the service is required by external parties. Blocking access to the SQL Server port (1433) at the network boundary may prevent exploitation of some of these issues.
Permit privileged access for trusted individuals only.
Ensure database access controls are in place. Permit access for trusted individuals only.

Microsoft has released fixes:
Microsoft Patch Q327068
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q327068&sd=tech
Microsoft Patch Q316333
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&sd=tech

References
Source: Microsoft Security Bulletin MS02-056
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-056.asp

Credit
Discovery of these issues is credited to , and Martin Rakhmanoff.
--------------------------------------------------------------------------
Multiple OpenVMS WASD HTTP Server Vulnerabilities
Date: 26th Sep 2002    Risk: High

Platforms Affected
OpenVMS

Components Affected
WASD HTTP Server 7.1 to 7.2.3 and 8.0

Description
Multiple vulnerabilities have been reported in WASD HTTP Server for OpenVMS. The consequences of successful exploitation of these issues may range from information disclosure to varying degrees of remote compromise.

Recommendations
Symantec's recommendation is to upgrade to at least 7.2 and then apply the relevant fixes listed here:
http://www.sarc.com/avcenter/security/Content/5811.html

References
Source: remote SYSTEM compromise in WASD OpenVMS http server
URL: msg://bugtraq/15763.29826.824331.958784@home.gailly.net
Source: WASD Package Security Advisory
URL: http://wasd.vsm.com.au/ht_root/doc/misc/wasd_advisory_020925.txt

Credit
Discovery of these issues is credited to Jean-loup Gailly.

--------------------------------------------------------------------------
Security News
--------------------------------------------------------------------------

UNIX malwares on Mac OS X
Kaoru Hayashi, Symantec Security Response, Japan

Introduction
On March 24, 2001, Apple Computer released their next generation operating system, Mac OS X. In stark contrast to their previous OS (Mac OS 9 or earlier), Mac OS X is a UNIX-based operating system. Consequently, customers and editors asked us how many malwares work on Mac OS X. We know that one of the most famous backdoor trojans on Windows, Sub7, has been ported to the OS (and NAV for Mac OS X can detect it). In this paper I will explain other existing UNIX malwares.

Introducing Mac OS X
The core of the system is called Darwin and it is based on an open source project. Darwin integrates the Mach 3.0 kernel and operating system services based on BSD UNIX. This document does not explain the Mac OS X system in detail. Please see the following site for more information.
http://developer.apple.com/macosx/architecture/index.html

I investigated Mac OS X 10.2 plus the Developer CD. This is a brief introduction of the environment:
- Mach 3.0 kernel
- BSD 4.4 Lite
- Java 2 Standard Edition 1.3.1
- gcc 3.1
- several BSD UNIX commands/development tools

UNIX malware overview
Symantec has currently detected over 100 malicious programs that work on UNIX. Almost all of these malwares are Zoo (that is, not reported from customers/end users). I have classified them into three categories: binary, script, and Java. In this document I will only explain binary and script malwares, because Java is "write once, run anywhere", even on Mac OS X :).

Binary malwares
In contrast to the Windows platform, not that many binary malwares work on UNIX. Most binary malwares only work on Linux on an Intel platform. Fortunately, they cannot work on Mac OS X for the following reasons.

First, the CPU for Macintosh is not the same as the Intel platform. Currently, Mac OS X only runs on Macintosh computers that use a Motorola/IBM PowerPC G3 or G4 processor. For the same reason, binary malwares do not work on Linux for PowerPC.

The second reason binary malwares do not work on Mac OS X is the executable format. Commonly, the "Executable and Linking Format" (ELF) is used on UNIX. Of course Linux for PowerPC uses it too, but the Mac OS X kernel can only understand the "Mach-O" binary format and does not support ELF. Mach-O is completely different from ELF. Its structure can be examined by using "otool" from the command line.

Possibilities of binary malwares
Malwares may work properly on Mac OS X if they are re-compiled for the OS. Apple has released the GNU C/C++ compiler and linker, GCC, for Mac OS X. If a user installs the developer tools from Apple, the user can compile numerous source codes such as GNU software. So, only three commands are required:
    configure
    make
    make install
This is the same as on other UNIX and, therefore, provides another possibility for binary malwares to work on Mac OS X.
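The two reasons given above (CPU and executable format) can both be read straight off a file header, which is how a responder triages a suspicious binary before reaching for otool. The Python below is an added example written for this edit, not code from the article or from Apple's tools. It reads only the first bytes of a file, reports the format and CPU from the ELF e_machine or Mach-O cputype fields, and then applies the article's two rules as a predicate: the Mac OS X 10.2 kernel loads Mach-O only, and PowerPC only. It also handles Mach-O fat (multi-architecture) files, which the article does not mention. The header fragments in SAMPLES are constructed for the demonstration and are not real binaries.

```python
import struct
import sys

# ELF e_machine values (ELF specification) and Mach-O cputype values
# (<mach/machine.h>); CPU_ARCH_ABI64 flags the 64-bit variants.
ELF_MACHINES = {3: "x86", 20: "PowerPC", 21: "PowerPC64", 40: "ARM",
                62: "x86-64", 183: "AArch64"}
CPU_ARCH_ABI64 = 0x01000000
MACHO_CPUTYPES = {7: "x86", 7 | CPU_ARCH_ABI64: "x86-64",
                  12: "ARM", 12 | CPU_ARCH_ABI64: "ARM64",
                  18: "PowerPC", 18 | CPU_ARCH_ABI64: "PowerPC64"}
# Mach-O magic as read big-endian from disk: MH_MAGIC/MH_MAGIC_64 mean a
# big-endian header (PowerPC), MH_CIGAM/MH_CIGAM_64 a little-endian one.
MH_MAGICS = {0xFEEDFACE: ">", 0xFEEDFACF: ">", 0xCEFAEDFE: "<", 0xCFFAEDFE: "<"}
FAT_MAGIC = 0xCAFEBABE


def identify_executable(data):
    """Classify a file from its first bytes: {'format', 'bits', 'archs'}."""
    unknown = {"format": "unknown", "bits": None, "archs": []}
    if len(data) >= 20 and data[:4] == b"\x7fELF":
        endian = "<" if data[5] == 1 else ">"              # EI_DATA: 1 = LSB, 2 = MSB
        (e_machine,) = struct.unpack(endian + "H", data[18:20])
        return {"format": "ELF", "bits": 32 if data[4] == 1 else 64,   # EI_CLASS
                "archs": [ELF_MACHINES.get(e_machine, "unknown(%d)" % e_machine)]}
    if len(data) < 8:
        return unknown
    (magic,) = struct.unpack(">I", data[:4])
    if magic == FAT_MAGIC:
        (nfat,) = struct.unpack(">I", data[4:8])
        # Heuristic: Java .class files share this magic; their version field
        # (bytes 4..8) is far larger than any plausible architecture count.
        if nfat > 30:
            return {"format": "Java class", "bits": None, "archs": []}
        archs = []
        for i in range(nfat):
            off = 8 + 20 * i   # struct fat_arch: cputype, cpusubtype, offset, size, align
            if off + 20 > len(data):
                break
            (cputype,) = struct.unpack(">I", data[off:off + 4])
            archs.append(MACHO_CPUTYPES.get(cputype, "unknown(0x%x)" % cputype))
        return {"format": "Mach-O fat", "bits": None, "archs": archs}
    if magic in MH_MAGICS:
        (cputype,) = struct.unpack(MH_MAGICS[magic] + "I", data[4:8])
        return {"format": "Mach-O", "bits": 64 if cputype & CPU_ARCH_ABI64 else 32,
                "archs": [MACHO_CPUTYPES.get(cputype, "unknown(0x%x)" % cputype)]}
    if data[:2] == b"MZ":
        return {"format": "PE/MZ", "bits": None, "archs": []}
    return unknown


def loadable_on_macosx_102(info):
    """The article's two rules as a predicate (assumed to be the only two):
    the Mac OS X 10.2 kernel loads Mach-O only, on PowerPC only. A fat file
    qualifies when it carries a PowerPC slice."""
    return info["format"] in ("Mach-O", "Mach-O fat") and "PowerPC" in info["archs"]


# Constructed header fragments (not real binaries): just enough bytes to classify.
SAMPLES = {
    "linux_x86_elf": b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8 + struct.pack("<HH", 2, 3),
    "linux_ppc_elf": b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8 + struct.pack(">HH", 2, 20),
    "macosx_ppc_macho": struct.pack(">IIII", 0xFEEDFACE, 18, 0, 2),
    "fat_ppc_x86": struct.pack(">II", FAT_MAGIC, 2)
                   + struct.pack(">IIIII", 18, 0, 4096, 100, 12)
                   + struct.pack(">IIIII", 7, 3, 8192, 100, 12),
}

if __name__ == "__main__":
    # With file arguments, classify real files; otherwise walk the constructed samples.
    items = [(p, open(p, "rb").read(4096)) for p in sys.argv[1:]] or list(SAMPLES.items())
    for name, blob in items:
        info = identify_executable(blob)
        print("%-18s %-10s %-4s %-16s loads on Mac OS X 10.2: %s" % (
            name, info["format"], info["bits"] or "-", ",".join(info["archs"]) or "-",
            loadable_on_macosx_102(info)))
```

Run it with no arguments to see the four constructed cases, or pass file paths to classify real files. The predicate is deliberately narrow: a PowerPC ELF from Linux fails on the format rule, an x86 Mach-O fails on the CPU rule, matching the article's argument that both conditions must hold.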
If someone inserts malicious code into the source and the user downloads and compiles it on Mac OS X, it is likely to work properly on the OS. We can remember the case when trojan code was inserted into OpenSSH (for more information on this, see http://www.cert.org/advisories/CA-2002-24.html).

Script
There are three types of script malwares: shell, Perl, and PHP script.

Shell script
The default shell on Mac OS X is tcsh and it is based on the C shell. As with other common UNIX tools, the Bourne shell is ported as /bin/sh. Therefore, common shell scripts can run on Mac OS X. As I mentioned above, many common UNIX tools are ported, even the "shutdown" command, but not all. If a shell script uses a command that is not ported to the OS, the script cannot run properly.

Perl script
Perl is also installed as /usr/bin/perl or /usr/bin/perl5.6.0. Perl scripts can work properly with the correct path and permissions.

PHP script
PHP is a widely used server-side scripting language and it is not enabled by default on the OS. However, the component is installed and only requires modifying the /etc/httpd.conf file.

Script malwares

Viruses
Simple viruses, such as UNIX.Gobleen and UNIX.Gift, work easily. Their logic is:
- search target
- open target
- insert virus or overwrite by virus
- write target
- close target
- search again
No special techniques or approaches are applied that are of interest to us.

The "mail" command
Some malwares use the "mail" command to spread or to send information from an infected system to a hacker, such as UNIX.Penguin, UNIX.LoveLetter, and UNIX.Psite. However, these do not work properly on Mac OS X. The "mail" command exists but it cannot be run by default. To use the mail command in Terminal, the Sendmail configuration needs to be modified (you know it is very difficult!). Therefore, we do not need to consider these malware types.

Malware for specific environments
UNIX.Abuser is an exploit of a game on Linux. UNIX.Bash drops an ELF for Linux.
UNIX.Capdrop drops C source code and compiles it on the infected system; the source code needs to be compiled on Linux. Many PHP malwares (but not all) contain fixed strings like "C:\Windows"; of course they only affect Windows. UNIX.Psite needs the X Window System, but Mac OS X does not have it by default. None of these malwares work on Mac OS X.

Trojans
Mac OS X uses NetInfo for managing user and group accounts, email configurations, NFS, printers, computers, and other resources. This is almost the same concept as Active Directory or NIS, and it is the one significant difference from other UNIX. Using some of these resources requires using NetInfo Manager or the NetInfo tools from the command line. Some trojans attempt to add new services for hackers. Some files must be modified in the same way as on other UNIX rather than through NetInfo:
- /etc/inetd.conf
- /etc/services
- /etc/hosts

Conclusion
Fortunately, almost all malwares for UNIX are Zoo and are rarely found, even if we want to find them. In addition, not many UNIX malwares can work on Mac OS X. The OS has inherited "Stability and Power" from UNIX, as Apple has said themselves. On the other hand, the OS has also taken over negative characteristics from UNIX. They are:
- Security is difficult for the user to manage
- The same malwares may work as on other UNIX
Obviously, we need to be more wary in terms of security issues on this OS than on Mac OS 9 or earlier.

Kaoru Hayashi, Symantec Security Response, Japan

--------------------------------------------------------------------------
Top Reported Viruses, Trojans and Worms
Following is a list of the top reported viruses to Symantec's regional offices.
- Asia Pacific
W32.Bugbear@mm
W32.Klez.H@mm
W32.Opaserv.Worm
JS.Exception.Exploit
HTML.Redlof.A
W32.Datom.Worm
W95.Hybris.worm
Trojan Horse
W32.Nimda.enc
Backdoor.Trojan

- Europe, Middle East & Africa
W32.Klez.H@mm
W32.Bugbear@mm
W32.Opaserv.Worm
JS.Exception.Exploit
W32.Klez.E@mm
W32.Yaha.F@mm
W32.Datom.Worm
Trojan Horse
W95.Hybris.worm
W95.CIH

- Japan
W32.Klez.H@mm
W32.Bugbear@mm
W32.Opaserv.Worm
Trojan Horse
W32.Klez.E@mm
VBS.LoveLetter.A
W95.Hybris.worm
JS.Exception.Exploit
W95.CIH
VBS.LoveLetter.Var

- The Americas
W32.Klez.H@mm
W32.Bugbear@mm
W32.Opaserv.Worm
JS.Exception.Exploit
Trojan Horse
W95.Hybris.worm
W32.Datom.Worm
W32.Nimda.enc
W32.Yaha.F@mm
Backdoor.Trojan

--------------------------------------------------------------------------
A list of Virus Hoaxes reported to Symantec
http://www.symantec.com/avcenter/hoax.html
--------------------------------------------------------------------------
No New Joke Programs reported to Symantec this month.
http://www.symantec.com/avcenter/jokes.html
--------------------------------------------------------------------------
Symantec Security Response now has Removal Tools for the following threats available on the web site at:
http://www.symantec.com/avcenter/tools.list.html
--------------------------------------------------------------------------
Symantec Glossary for definitions of viruses, Trojans and worms and more.
http://www.symantec.com/avcenter/refa.html
--------------------------------------------------------------------------
Contacts
--------------------------------------------------------------------------
Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails please).
Send virus samples to: avsubmit@symantec.com
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html
--------------------------------------------------------------------------
Subscribe and Unsubscribe
--------------------------------------------------------------------------
To be added or removed from the subscription mailing list, please fill out the form available on the Symantec website at:
http://www.symantec.com/help/subscribe.html

The Symantec Security Response Newsletter is published periodically by Symantec Corporation. No reprint without permission in writing, in advance.
--------------------------------------------------------------------------