Symantec Security Response Newsletter October 2003 Symantec Internet Security Threat Report, January - June 2003 Symantec reports that the increasing prevalence of blended threats remains one of the most significant security issues that companies face this year. Blended threats accounted for 60 percent of malicious code submissions in the first half of 2003, and the number of blended threats increased by 20 percent. These trends build on those of the previous six-month period, which concluded that blended threats also constituted the most frequently reported threats in the second half of 2002. The report now provides analysis of attacker vulnerability preferences and shows that 64 percent of all new attacks targeted vulnerabilities less than one year old. Moreover, of all new attacks documented in the first half of 2003, 66 percent targeted highly severe vulnerabilities, while 79 percent focused on those vulnerabilities that were severe, but which also either had an exploit or did not require one. Recent activities support Symantec's analysis that the time from discovery to outbreak continues to shorten significantly. The W32.Blaster blended threat occurred only 26 days after the vulnerability was announced. Cyber Attack Trends * The overall rate of attack activity rose by 19 percent. * Attacks are increasingly leveraging worms to carry exploits of known vulnerabilities to create exposures or security holes on a large number of systems. * The number of severe attacks continued to decline from 23 percent in the first half of 2002 to 11 percent in the first half of 2003. The 52 percent decline can be attributed in part to strengthening security postures among Symantec Managed Security Services customers. * The majority of the top 10 scans, which are a measurement of reconnaissance activity, targeted non-public services, such as Microsoft SQL and file sharing. By exploiting services common to home and internal corporate networks, the number of potential victims is substantially higher. This trend reinforces the importance of extending security policies and controls beyond public-facing systems. Malicious Code Trends * The speed of propagation of blended threats is increasing. For example, the Slammer worm impacted systems worldwide in less than a few hours. Moreover, for a time, the recent Blaster worm was infecting as many as 2,500 computers per hour. * More than 994 new Win32 viruses and worms were documented in the first half of 2003, more than double the 445 documented in the first half of 2002. * As the use of instant messaging clients and peer-to-peer networking increases, new worms and viruses use these mechanisms to spread. Of the top 50 malicious code submissions documented over the first half of 2003, 19 used peer-to-peer and instant messaging applications-an increase of almost 400 percent in only one year. * Submissions of malicious code with backdoors has risen nearly 50 percent, increasing from 11 submissions to 17 for the first half of 2003. The most visible attempt at stealing confidential data was the release of Bugbear.B in June 2003. The discovery of this variant raised serious concerns, as it specifically targeted banking institutions. Vulnerability Trends * Symantec documented 1,432 new vulnerabilities, a 12 percent increase over the number found in the same period the previous year. * The number of new moderate vulnerabilities increased 21 percent and high severity vulnerabilities increased six percent. This trend is driven by the fact that 80 percent of vulnerabilities discovered in the first half of 2003 could be remotely exploited. * Symantec reports that 70 percent of the vulnerabilities found in the first half of 2003 could be easily exploited, due to the fact that an exploit was not required, or that an exploit was readily available. This represents an increase of 10 percent over vulnerabilities discovered during the first half of 2002. Increase in SPAM Activity During the past few weeks, several Global Internet Service Providers have confirmed that a traffic slowdown occurred as a result of the generated activity, due to the "Mprox" backdoor and the "Swen" worm. These threats adversely affected networks due to excessive bandwidth consumption. The Mprox backdoor allows the unauthorized usage of a compromised host to act as a Simple Mail Transfer Protocol (SMTP) proxy server. The DeepSight Threat Analyst Team analyzed a compromised host that relayed spam email to various hosts at a significant rate. Upon investigation, it appeared that the system was infected with Mprox. Symantec has become aware that spammers are currently using this particular backdoor on a large scale to send mass amounts of unsolicited spam email. Mprox, initially discovered on September 24, 2003, is a backdoor that is not known to have any automated propagation methods of its own. However, the network-aware W32.Randex.P worm is being used to drop Mprox under the filename, Kp.exe. Randex.P propagates over systems with weak passwords on network file shares. When executed, Mprox will spawn an open proxy server on TCP port 57123, which can be used to relay spam, or for other purposes, such as masquerading the identity of a remote host. Substantial amounts of network bandwidth are being used to send these email messages. Also, it is possible that hackers are using Mprox as one part of a primitive Denial of Service (DoS) attack, by having infected systems forward mass amounts of garbage email to a specific target system. Monthly Security Round-up from Symantec DeepSight Threat Management System http://tms.symantec.com/ During the month of September, a number of vulnerabilities with significant consequences were revealed. One of the more severe was detailed in Microsoft's Security Bulletin MS03-039, which was released on September 10, 2003. This bulletin outlined further weaknesses in the Windows RPC DCOM implementation, including two vulnerabilities that could allow remote code execution and one DoS vulnerability. Vulnerabilities in OpenSSH, Wu-Ftpd, Sendmail, and Solaris Sadmind were publicized this month. All these vulnerabilities may have far reaching implications, including remote command execution. The media and security community highlighted both the Trojan.Qhosts and W32.Swen.A malware. Discussion on security-related mailing lists, regarding mysterious DNS server entries on Windows-based systems, prompted the discovery of Trojan.Qhosts. The propagation rate of W32.Swen reached substantial levels upon its release into the wild. W32.Swen depended heavily on social engineering, by masquerading as either a seemingly legitimate Microsoft security patch notice, or as a Qmail delivery failure notice. The DeepSight Threat Management System registered anomalous levels of attack and probing activity being directed at TCP ports 455 and 5308, which prompted the release of corresponding Threat Alerts. Multiple MS RPC DCOM SubSystem Vulnerabilities Alert https://tms.symantec.com/members/AnalystReports/030910-Alert-RPCSSVuln .pdf Microsoft has released Security Bulletin MS03-039 detailing remotely exploitable vulnerabilities in the RPC DCOM subsystem, which the Windows family of operating systems implemented. The RPC DCOM subsystem is vulnerable to two remotely exploitable buffer overflows and another overflow that may be exploited to launch a DoS against a vulnerable host. The Threat Analyst Team has obtained a functional exploit for the Microsoft RPCSS DCOM Interface Long Filename Heap Corruption Vulnerability, and an IDS signature has been released to detect the exploitation of this vulnerability. The Threat Analyst Team believes that a small modification to existing exploits, including the one that W32.Blaster.worm implemented, is sufficient to compromise the Microsoft Windows hosts, which are not patched against MS03-039. SHV4 Rootkit Analysis https://tms.symantec.com/members/AnalystReports/030929-Analysis-SHV4Ro otkit.pdf During the month of September, a Symantec DeepSight Honeypot running Red Hat Linux 9 was compromised with a successful attack targeting the Samba "call_trans2open" Remote Buffer Overflow Vulnerability (BID 7294). Subsequently, the hacker accessed the machine and installed a copy of the SHV4 Rootkit. The SHV4 Rootkit is a collection of modified system binaries, security-related utilities, and an installation shell script for Linux-based systems. A hacker can use this toolkit to hide his or her presence on a compromised system. In October several more vulnerabilites were announced, the most significant being the Microsoft Messenger Service Overrun Vulnerability, which was released on October 15th 2003 and is outlined later in this newsletter in the Security Advisories section. Viruses, Trojans & Worms W32.Swen.A@mm Aliases: Swen [F-Secure], W32/Swen@mm [McAfee], W32/Gibe-F [Sophos], I-Worm.Swen [KAV], Win32 Swen.A [CA], WORM_SWEN.A [Trend], Worm.Automat.AHB [Previous Symantec Detection] Risk: High [3] Date: 18th September 2003 Systems Affected: Windows 9.x, Windows 2000, Windows 2003, Windows XP CVE Reference: CVE-2001-0154 Overview W32.Swen.A@mm is a mass-mailing worm that uses its own SMTP engine to spread itself. It attempts to spread through file-sharing networks, such as KaZaA and IRC, and attempts to kill antivirus and personal firewall programs running on a computer. The worm can arrive as an email attachment. The subject, body, and From: address of the email may vary. Some examples claim to be patches for Microsoft Internet Explorer, or delivery failure notices from qmail. W32.Swen.A@mm is similar to W32.Gibe.B@mm in function, and is written in C++. This worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message. Information and a patch for the vulnerability can be found at: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp. This worm, like others, sends a fake email message that appears to have been sent from Microsoft when, in reality, it is not. For information on recognizing such an email, read the Microsoft article, "How to Tell If a Microsoft Security-Related Message Is Genuine." _________________________________________________________________ W32.Mimail.C@mm Aliases: W32/Mimail.c@mm [McAfee], Worm_Mimail.C [Trend], W32/Mimail-C [Sophos], Mimail.C [AVP] Risk: Medium [3] Date: 31st October 2003 Systems Affected: Windows 9.x, Windows ME, Windows 2000, Windows XP, Windows Server 2003 CVE Reference: N/A Overview W32.Mimail.C@mm is a mass-mailing worm that attempts to perform denial of service attacks against hard-coded sites. It also collects sensitive information and attempts to deliver it to pre-defined e-mail addresses.It is distributed as a .ZIP archive that may have the name PHOTOS.JPG.EXE. The worm spoofs the sender address by prefixing the string 'james@' with the recipient's domain.The message is also reported to have the following properties: Subject: Re[2]: our private photos [random sequence of letters] Message body: Hello Dear!, Finally i've found possibility to right u, my lovely girl :) All our photos which i've made at the beach (even when u're without ur bh:)) photos are great! This evening i'll come and we'll make the best SEX :) Right now enjoy the photos. Kiss, James. [random sequence of letters] Attachment: photos.zip It should be noted that photos.zip will contain PHOTOS.JPG.EXE, which uses a codebase exploit in Microsoft Windows. Unusual network activity may be detected, including unexplained outgoing e-mails. The worm will also attempt denial of service attacks against the following sites: darkprofits.com, darkprofits.net, www.darkprofits.com, www.darkprofits.net. Top Malicious Code Threats Risk Threat Discovered Protection 4 W32.Bugbear.B@mm 4 June 2003 5 June 2003 3 W32.Mimail.C@mm 31 Oct 2003 31 Oct 2003 3 W32.Swen.A@mm 18 Sep 2003 18 Sep 2003 3 W32.Welchia.Worm 18 Aug 2003 18 Aug 2003 3 W32.Blaster.Worm 11 Aug 2003 11 Aug 2003 Latest Malicious Code Threats Risk Threat Discovered Protection 1 Backdoor.Madfind 31 Oct 2003 31 Oct 2003 1 W32.HLLW.Gaobot.BV 31 Oct 2003 31 Oct 2003 3 W32.Mimail.C@mm 31 Oct 2003 31 Oct 2003 1 VBS.Noex.Trojan 30 Oct 2003 31 Oct 2003 1 W32.HLLW.Gaobot.BT 30 Oct 2003 31 Oct 2003 Security News Teen charged in cyber stock scam By Kevin Poulsen Oct 9 2003 Federal officials filed securities fraud and computer crime complaints on Oct 9th against a Pennsylvania teenager who allegedly used a Trojan horse and someone else's online brokerage account to sell thousands of worthless stock options to an unwilling buyer... >> Brits pound OpenSSL bugs By Kevin Poulsen Sep 30 2003 Research by the U.K. government into a once-overlooked class of software vulnerability has surfaced three new security holes in the ubiquitous OpenSSL software package, according to advisories released Tuesday Sep 30...>> Security Advisories Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability Risk: High Date: 16th July 2003 Components Affected: Many, listed here: http://securityresponse.symantec.com/avcenter/security/Content/8205.ht ml Overview A buffer overrun vulnerability has been reported in Microsoft Windows that can be remotely exploited, via a DCOM RPC interface, and which listens on TCP/UDP port 135. The issue is due to insufficient bounds checking of the client DCOM object activation requests. Exploiting this issue could result in executing malicious instructions, with Local System privileges, on an affected system. This issue may be exposed on other ports on which the RPC Endpoint Mapper listens, such as TCP ports 139, 135, 445, and 593. This has not been confirmed. Under some configurations, the Endpoint Mapper may receive traffic via port 80. Symantec Solutions: Symantec Manhunt, Enterprise Firewall, Symantec Vulnerability Assessment, Gateway Security. Credits Discovery of this vulnerability has been credited to The Last Stage of Delirium Research Group. References Source: Microsoft Security Bulletin MS03-026 URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/sec urity/bulletin/MS03-026.asp _________________________________________________________________ Multiple Oracle XDB FTP / HTTP Services Buffer Overflow Vulnerabilities Risk: High Date: 31st July 2003 Components Affected: Oracle Oracle9i Enterprise Edition 9.2 .0.1 Oracle Oracle9i Personal Edition 9.2 .0.1 Oracle Oracle9i Standard Edition 9.2 .0.1 Overview David Litchfield has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB) during a seminar on "Variations in exploit methods between Linux and Windows," presented at the Blackhat conference. Ultimately, exploiting these issues may provide for the remote execution of arbitrary code in the security context of the vulnerable service. Symantec Solutions: Symantec Manhunt, Gateway Security, Enterprise Firewall. Credits David Litchfield (david@ngssoftware.com) is credited for discovering these vulnerabilities. References Source: Oracle Homepage URL: http://www.oracle.com/index.html Source: Variations in Exploit methods between Linux and Windows URL: http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-pa per.pdf _________________________________________________________________ Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution Risk: High Date: October 15, 2003 Components Affected: Microsoft Windows 2000, Service Pack 2 Microsoft Windows 2000, Service Pack 3, Service Pack 4 Overview A security vulnerability exists in the Microsoft Local Troubleshooter ActiveX control. The vulnerability exists because the ActiveX control (Tshoot.ocx) contains a buffer overflow that could allow a hacker to run code of his/her choice on a user's system. Because this control is marked "safe for scripting," a hacker could exploit this vulnerability by convincing a user to view a specially crafted HTML page that references this ActiveX control. The Microsoft Local Troubleshooter ActiveX control is installed as a default part of the operating system on Windows 2000. To exploit this vulnerability, the hacker would need to create a specially formed HTML-based email and send it to the user. Alternatively, a hacker would need to host a malicious Web site that contains a Web page designed to exploit this vulnerability. In the worst case, this vulnerability could allow a hacker to load malicious code onto a user's system, and then execute the code. The code would run in the context of the user. Therefore, the code is limited to any action that the legitimate user could take on the system. Any limitations on the user's account would also limit the actions of any arbitrary code that the hacker could execute. The risk of attack from the HTML email vector can be significantly reduced if the following conditions are met: * You have applied the patch included with the Microsoft Security bulletin, MS03-040 * You are using Internet Explorer 6 or later * You are using the Microsoft Outlook Email Security Update or Microsoft Outlook Express 6.0 and higher, or Microsoft Outlook 2000 or higher, in their default configuration. Mitigating factors: A Web-based attack would only be successful if the hacker creates a Web site that contains a Web page that he/she uses to exploit this vulnerability. A hacker would have no way to force users to visit the malicious Web site. Instead, the hacker would need to lure users there, typically by getting them to click a link in an email message that would take them to the hacker's site. By default, Outlook Express 6.0 and Outlook 2002 open HTML mail in the Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mail in the Restricted Sites Zone if the Outlook Email Security Update has been installed. Customers who use any of these products would be at a reduced risk from an email-borne attack that attempted to exploit this vulnerability, unless the user clicked a malicious link in the email. A hacker's code could only run with the same permissions as the logged-on user. The specific privileges that the hacker could gain through this vulnerability would therefore depend on the privileges granted to the user. Any limitations on the user's account would also limit the actions of any arbitrary code executed by this vulnerability. Credits Discovery of these vulnerabilities has been credited to Greg Jones of KPMG UK and Cesar Cerrudo for reporting the issue. References Source: Microsoft. URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/sec urity/bulletin/MS03-042.asp _________________________________________________________________ Microsoft Messenger Service Buffer Overrun Vulnerability Risk: High Date: October 15, 2003 Components Affected: Microsoft Windows NT Workstation 4.0, Service Pack 6a Microsoft Windows NT Server 4.0, Service Pack 6a Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack Microsoft Windows 2000, Service Pack 2 Microsoft Windows 2000, Service Pack 3, Service Pack 4 Microsoft Windows XP Gold, Service Pack 1 Microsoft Windows XP 64-bit Edition Microsoft Windows XP 64-bit Edition Version 2003 Microsoft Windows Server 2003 Microsoft Windows Server 2003 64-bit Edition Overview A security vulnerability exists in the Messenger Service that could allow arbitrary code execution on an affected system. The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer. A hacker who successfully exploited this vulnerability could run the code with Local System privileges on an affected system, or could cause the Messenger Service to fail. Then, the hacker could take any action on the system, including installing programs, viewing, changing, or deleting data, or creating new accounts with full privileges. Mitigating factors: * Messages are delivered to the Messenger service, via NetBIOS or RPC. If users have blocked the NetBIOS ports (ports 137-139), and UDP broadcast packets using a firewall, others will not be able to send messages to them on those ports. Most firewalls, including the Internet Connection Firewall in Windows XP, block NetBIOS by default. * Disabling the Messenger Service will prevent the possibility of attack. * On Windows Server 2003 systems, the Messenger Service is disabled by default. Credits The Last Stage of Delirium Research Group has been credited for discovering these vulnerabilities. References Source: Microsoft Homepage URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/sec urity/bulletin/MS03-043.asp Common Vulnerabilities Vulnerability Bugtraq ID CVE Reference Exploited by Microsoft Windows ntdll.dll Buffer Overflow Vulnerability 7116 CAN-2003-0109 W32.HLLW.Goabot multiple variants, W32.Blaster.worm, W32.HLLW.Raleka, W32.Dinkdink.worm Microsoft Windows Locator Service Buffer Overflow Vulnerability 6666 CAN-2003-0003 W32.HLLW.Goabot.multiple variants Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability 8205 CAN-2003-0352 W32.HLLW.Goabot multiple variants, W32.Welchia.worm, Trojan.Kaht Microsoft IE MIME Header Attachment Execution Vulnerability 2524 CVE-2001-0154 W32.Klez, W32.Sobig, W32.BugbearW32.Yaha, W32.Nimda, W32.Lirva MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability 2708 CVE-2001-0333 W32.Nimda Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability 1806 CVE-2000-0884 W32.Nimda Microsoft Windows 9x / Me Share Level Password Bypass Vulnerability 1780 CVE-2000-0979 W32.Opaserv Microsoft SQL Server Resolution Service buffer overflows allow arbitrary code execution 5311 CAN-2002-0649 W32.SQLExp.Worm Security Events Calendar CSI 30th Annual Competitor Security Conference & Exhibition Date: November 2-4, 2003 Washington DC, USA _________________________________________________________________ RSA 2003 - Security Conference & Exhibition Date: November 3-5, 2003 Amsterdam, Netherlands _________________________________________________________________ SecureXchange 2003 - Symantec's Worldwide User's Conference Date: November 4-11, 2003 Washington DC, USA _________________________________________________________________ SecureXchange 2003 - Symantec's Worldwide User's Conference Date: November 11-12, 2003 Tokyo, Japan _________________________________________________________________ AVAR 2003 - Malicious Code Conference 2003 Date: November 6-7, 2003 Sydney, Australia http://www.aavar.org/ For more events go to our online Events Calendar: http://enterprisesecurity.symantec.com/content/globalevents.cfm Useful Links Use Symantec Security Alerts on Your Web Site http://securityresponse.symantec.com/avcenter/cgi-bin/syndicate.cgi Virus Removal Tools Fix tools for repairing threats. Virus Hoaxes There are many email virus hoaxes, so please check here before forwarding any email virus warnings. Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Windows, Windows NT, and the Windows logo are registered trademarks of Microsoft Corporation in the United States and other countries. All other brand and product names are trademarks of their respective holder(s). Copyright © 2003 Symantec Corporation. All rights reserved. Follow this link to subscribe or unsubscribe http://securityresponse.symantec.com/avcenter/newsletter_regions/en.ht ml