April 2005 - Posts

• Netscape 6/7 - Critical Vulnerability in handling GIF files

  A new vulnerability was discovered in Netscape this week.  Netscape incorrectly handles GIF files, that could lead to a buffer overflow which is remotely exploitable through a specially generated GIF file. http://secunia.com/advisories/15103/ Secunia Advisory: SA15103    Release Date: 2005-04-26 Critical: Highly critical Impact: System access Where: From remote Solution Status: Unpatched Software: Netscape 6.x   Netscape 7.x Posted Apr 30 2005, 08:56 PM by harry with no comments

• Darwin Award goes to a young Hacker

  I heard this interesting account on Paul Harvey's news summary a couple of days ago SUMMARY: A hacker was trying to get back at a forum moderator after being kicked out for misbehaving. He needed the IP address to enter into his hack-tool, so the forum moderator cooperated and gave him an IP# -- the hacker's own IP address ... He entered the IP# in his hacking software ... He then disappeared off the Internet and hasn't been heard from since ... Darwin Award goes to a young Hacker http://isc.sans.org/diary.php?date=2005-04-29 Darwin Was Right. For those who don't hang out on Slashdot, there is a very amusing story going around about a young hacker who tried to raid an opponent's computer after being kicked out of a chat channel. Even Paul Harvey mentioned it today in his radio show. Note -- Due to inappropriate language, the actual detailed account wasn't shared. It can be found in the ISC link above. Posted Apr 30 2005, 08:41 AM by harry with no comments

• MS04-011: Banish.A - damages Windows repair files

  This new virus is also destructive as it will damage Windows Repair files MS04-011 Banish.A Worm This worm may propagate by taking advantage of the LSASS vulnerability. Information on this exploit can be found from the following link:  Microsoft Security Bulletin MS04-011 It also propagates via email using the following details: Subject: (Any of the following) • Here are the details. • Ok. Read the attached instructions to solve the problem. • Re: Thank you for your choice. • Thank you for shopping. This mail contains your invoice. • Thank you. Your credit card was processed successfully. Attachment: ZIP extension {File name taken from files found in the Windows recent documents folder} It deletes files found in the Windows repair folder. Posted Apr 29 2005, 09:00 AM by harry with 1 comment(s)

• Dangerous website -- Please don't mispell Google

  Hopefully, this malicious website will be shutdown by authorities soon Dangerous website -- Please don't mispell Google http://www.f-secure.com/v-descs/googkle.shtml F-Secure staff has found a malicious website that utilizes a spelling error when typing the name of the popular search engine - 'Google.com'. If a user opens a malicious website, his/her computer gets hijacked - a lot of different malware gets automatically downloaded and installed: trojan droppers, trojan downloaders, backdoors, a proxy trojan and a spying trojan. Also a few adware-related files are installed. The name of the malicious website is 'Googkle.com'. PLEASE DO NOT GO TO THIS WEBSITE! Otherwise your computer will get infected! We have reported the case to the authorities. Posted Apr 26 2005, 02:19 PM by harry with 1 comment(s)

• Windows XP Professional x64 Edition - now available (free upgrade)

  Windows XP x64 debuted on April 25, 2005.  There is still much work ahead before the Windows 64 bit environment becomes mainstream, but it's now a product available for x64 PCs.  Hardware vendors will need to write 64 bit APIs and applications must be reengineered to take advantage of the native architecture.  Still, this is a noteworthy advancement by Microsoft and provides a promise for the future for PCs built around AMD x64 and Intel x64 technologies.  Microsoft is also offering a free upgrade to existing XP users on the x64 PC platforms, which is good through July 2005.    Windows XP x64 - Home Page http://www.microsoft.com/windowsxp/64bit/default.mspx    Free Upgrade for x64 PCs http://www.microsoft.com/windowsxp/64bit/upgrade/default.mspx   Top 5 Reasons to get XP 64 http://www.microsoft.com/windowsxp/64bit/evaluation/top5.mspx High performance platform for the next generation of applications Windows XP Professional x64 Edition is a rich platform that enables the next generation of high-performance computing. 64-bit native applications can deliver more data per clock cycle, making them run faster and more efficiently. Large memory support Windows XP Professional x64 Edition supports up to 128 gigabytes (GB) of RAM and 16 terabytes of virtual memory, enabling applications to run faster when working with large data sets. Applications can preload substantially more data into virtual memory, allowing rapid access by the 64-bit processor. Flexibility Windows XP Professional x64 Edition provides a rich platform to integrate 64-bit applications and existing 32-bit applications using the Windows on Windows 64 (WOW64) x86 emulation layer, providing customers with the ability to move to 64-bit computing without having to sacrifice their existing investment in 32-bit software and Windows expertise. Multiprocessing and multicore Windows XP Professional x64 Edition is designed to support up to two single or multicore x64 processors for maximum performance and scalability. Same programming model Developers with 32-bit skills will be comfortable and quickly productive in the 64-bit Windows environment, finding it virtually identical to the development environment for 32-bit Windows.   WEBCAST:  Windows XP 64 Thursday, April 28, 2005: 10:00 AM Pacific time http://support.microsoft.com/kb/896031 In this WebCast, Microsoft MVP Charlie Russel describes Microsoft Windows XP Professional x64 Edition and the hardware that supports it. Microsoft experts will participate in the WebCast to help answer questions. Charlie will also tell you where to turn in the online community when you need help and have more questions about Windows XP Professional x64 Edition. Posted Apr 26 2005, 07:31 AM by harry with 2 comment(s)

• Symantec's revised security link for monitoring new threats.

  http://securityresponse.symantec.com/ W32.Spybot.OBZ W32.Kelvir.AN W32.Velkbot.A W32.Kelvir.AL Trojan.Goldun.E Trojan.Zhopa Posted Apr 24 2005, 05:14 PM by harry with no comments

• Backdoor.Ryejet.B - Exploits an unpatched Jet DB vulnerability

  This BHO based trojan horse is not wide spread, but does exploit an unpatched vulnerability. Backdoor.Ryejet.B - Exploits an unpatched Jet DB vulnerability Backdoor.Ryejet.B is a back door Trojan horse that allows unauthorized remote access to a compromised computer. The Trojan is installed as a Browser Helper Object, and may be distributed embedded in a malformed .mdb file that exploits the Microsoft Jet Database Engine Malformed Database File Buffer Overflow Vulnerability (BID 12960). Microsoft Jet Database Engine Malformed Database File Buffer Overflow Vulnerability Posted Apr 22 2005, 09:23 AM by harry with no comments

• Poisoning the Internet - Good Article by New Scientist Magazine

  This article and particularly the diagram provide more good insight into DSN cache posioning Poisoning the Internet - Article Poisoning the Internet - Diagram Posted Apr 21 2005, 12:35 PM by harry with no comments

• Sober.N - New Variant to Watch

  Most Sober variants can spread quickly, as the social engineering plus technical characteristics are advanced for this family of viruses http://secunia.com/virus_information/17277/sober.n/ http://secunia.com/virus_information/16824/win32.sober.m/ W32.Sober.N@mm is a mass-mailing worm that uses its own SMTP engine to spread. It sends itself as an email attachment to addresses gathered from the compromised computer. The email may be in either English or German. Subject of email: FwD: Ich bin's nochmal or I've_got your EMail on my_account! Name of attachment: Private-Texte.zip or your_text.zip Size of attachment: 73,541 bytes Ports: TCP port 21 Compromises security settings: Attempts to terminate security-related processes. Quote: EMAIL Format -- German version From: <Spoofed> Subject: FwD: Ich bin's nochmal Message: Verdammt,,,,ich hatte vergessen Dir meinen Text mitzuschicken.Aber bitte nicht woanders darueber Reden, ich wuerde mich dann zu Tode blamieren! Ich melde mich. Bis bald Attachment: Private-Texte.zip Quote: EMAIL Format -- English version From: <Spoofed> Subject: I've_got your EMail on my_account! Message: Hello, First, Very Sorry for my bad English. Someone is sending your private e-mails on my address. It's probably an e-mail provider error! At time, I've got over 10 mails on my account, but the recipient are you. I have copied all the mail text in the windows text-editor for you & zipped then. Make sure, that this mails don't come in my mail-box again. bye Attachment: your_text.zip Posted Apr 19 2005, 09:03 AM by harry with no comments

• Mozilla - Move to latest versions to protect against new Exploits

  http://www.f-secure.com/weblog/ Proof-of-concept exploits for the popular Mozilla and Firefox web browsers have been posted on public mailing lists. They target the following vulnerabilities: - Code execution through favicons link - Arbitrary code execution from Firefox sidebar panel These exploits allow the attacker to run arbitrary commands on Firefox before version 1.0.3 and Mozilla before version 1.7.7. We advice all Mozilla and Firefox users to immediately patch their browsers. Otherwise you might get nasty stuff happen on your computer just by surfing to the wrong site. Click here: Update instructions for Firefox 1.0.3 Posted Apr 18 2005, 07:03 AM by harry with no comments

• Mozilla Firefox 1.0.3 released for several security issues

  Mozilla has released new versions of Firefox and the Suite to fix several security vulnerabilies, including the Java Script engine flaw. Mozilla Firefox 1.0.3 released for several security issues http://www.eweek.com/article2/0,1759,1787270,00.asp Users who are upgrading from prior versions of Firefox or the Mozilla Suite should uninstall and reload according to the “Clean Installation“ instructions link below.  This will ensure existing bookmarks and settings are preseved in the Mozilla profile folders.   Mozilla Home Page - Download Links for new versions  http://www.mozilla.org/ Instructions for the "Clean Installation" process to remove older versions http://forums.mozillazine.org/viewtopic.php?t=251238 Posted Apr 16 2005, 10:59 PM by harry with 2 comment(s)

• Bagle/Beagle/Tooso - New BN Variant emerges

  This new variant emerged over the weekend and the Tooso trojan that is dropped will block AV and other security repairs making this virus even more difficult to clean.   Beagle.BN Description Tooso - Security Blocking Trojan dropped by Beagle.BN EMAIL TO AVOID/BLOCK Attempts to email a copy of Trojan.Tooso.G to the email addresses contained in the downloaded file. The email has the following characteristics: From: <Spoofed> Subject: <Blank> Message: The password is; Password: Attachment: Make.zip Price.zip Forest.zip Verses.zip Fairy_tale.zip It_about_you.zip I_know_you.zip Additional attachment: An *.rar file contains an executable file named 123456.exe which is a copy of Trojan.Tooso.G. This is the executable that is responsible for downloading the mailer component. Posted Apr 16 2005, 10:18 PM by harry with no comments

• Microsoft April Security Updates - MS05-016 & MS05-017 Exploits Developed

  It is important to quickly patch corporate and home systems as three "proof of concept" exploits have been quickly developed following the April 12th security updates from Microsoft. http://isc.sans.org/diary.php?date=2005-04-13 MS05-016 - Windows Shell Vulnerability http://www.milw0rm.com/id.php?id=938 http://www.securityfocus.com/bid/13132/exploit/ MS05-017 - Message Queueing Vulnerability https://www.immunitysec.com/pipermail/dailydave/2005-April/001719.html MS05-020: DHTML Proof of Concept Exploit Developed http://msmvps.com/harrywaldron/archive/2005/04/13/41970.aspx Posted Apr 14 2005, 07:18 AM by harry with no comments

• MS05-020: DHTML Proof of Concept Exploit Developed

  MS05-020: DHTML Proof of Concept Exploit Developed http://isc.sans.org/diary.php?date=2005-04-12 MS05-020 - Cumulative Security Update for Internet Explorer. This aggregate patch addresses several vulnerabilities in Internet Explorer that could lead to remote code execution: * DHTML Object Memory Corruption Vulnerability (CAN-2005-0553) * URL Parsing Memory Corruption Vulnerability (CAN-2005-0554) * Content Advisor Memory Corruption Vulnerability (CAN-2005-0555) Special note: A proof-of-concept exploit for this vulnerability is already publicly available from FrSIRT. The availability of the exploit is likely to increase the severity of this patch for most organizations. French Security Incident Response Team http://www.frsirt.com/english/ Microsoft Internet Explorer DHTML Object handling Exploit (MS05-020) - Please be careful as actual POC code is present in this link  http://www.frsirt.com/exploits/20050412.InternetExploiter2.php Posted Apr 13 2005, 09:46 PM by harry with 2 comment(s)

• MS04-011: Mytob - six more new variants emerge today

  This virus family continues to be actively developed.  This advanced virus can spread by email or through unpatched Windows systems.  It is spoofed to appear to be an undeliverable message issue.  - MYTOB.BH Reported by Trend Micro - MYTOB.BG Reported by Trend Micro - MYTOB.BD Reported by Trend Micro - MYTOB.AT Reported by Trend Micro - MYTOB.AY Reported by Trend Micro - MYTOB.BF Reported by Trend Micro Posted Apr 12 2005, 09:56 PM by harry with no comments

• Microsoft Security Updates - available for Windows 98 & other older OS's

  Microsoft has promptly rolled out protective security updates for Windows 98, ME, and other older Operating Systems.  This includes protection for security exposures found in both Windows and Internet Explorer.  I successfully updated our older W/98 family PC and this process worked well.   Microsoft Security Bulletins - April 2005 http://www.microsoft.com/technet/security/Bulletin/ms05-apr.mspx Posted Apr 12 2005, 09:48 PM by harry with no comments

• Microsoft Security Bulletins - April 2005

  Microsoft Security Bulletins - April 2005 http://www.microsoft.com/technet/security/Bulletin/ms05-apr.mspx Vulnerability in Windows Shell that Could Allow Remote Code Execution (893086) IMPORTANT http://www.microsoft.com/technet/security/Bulletin/ms05-016.mspx Vulnerability in Message Queuing Could Allow Code Execution (892944) IMPORTANT http://www.microsoft.com/technet/security/Bulletin/ms05-017.mspx Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service (890859) IMPORTANT http://www.microsoft.com/technet/security/Bulletin/ms05-018.mspx Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066) CRITICAL http://www.microsoft.com/technet/security/Bulletin/ms05-019.mspx Cumulative Security Update for Internet Explorer (890923) CRITICAL http://www.microsoft.com/technet/security/Bulletin/ms05-020.mspx Vulnerability in Exchange Server Could Allow Remote Code Execution (894549) CRITICAL http://www.microsoft.com/technet/security/Bulletin/ms05-021.mspx Vulnerability in MSN Messenger Could Lead to Remote Code Execution (896597) CRITICAL http://www.microsoft.com/technet/security/Bulletin/ms05-022.mspx Vulnerabilities in Microsoft Word May Lead to Remote Code Execution (890169) CRITICAL http://www.microsoft.com/technet/security/Bulletin/ms05-023.mspx Posted Apr 12 2005, 04:28 PM by harry with no comments

• MS04-011: Dozen new Mytob variants emerge over the weekend

  About one dozen new variants of Mytob emerged over the past weekend.  This virus spreads by email and exploitation of unpatched Windows systems (MS03-026 and MS04-011).  This family of viruses is apparently easy to clone and it may become the next Spybot or Agobot when it comes to active development of new variants.  http://www.trendmicro.com/vinfo/  http://www.symantec.com/avcenter/vinfodb.html Six of the Latest Variants W32.Mytob.AM@mm W32.Mytob.AL@mm W32.Mytob.AJ@mm W32.Mytob.AK@mm W32.Mytob.AI@mm W32.Mytob.AH@mm This worm also takes advantage of the following Windows vulnerabilities to propagate: RPC/DCOM vulnerability LSASS vulnerability For more information about these vulnerabilities, please refer to the following Microsoft Web pages: Microsoft Security Bulletin MS03-026 Microsoft Security Bulletin MS04-011 Modifies files: Modifies the Hosts file. Compromises security settings: Blocks access to several security-related web sites. Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip file extension. Ports: 10087 FORMAT OF EMAIL MESSAGE Subject: (One of the following) Good day hello Mail Delivery System Mail Transaction Failed Server Report Status Error Message:  (One of the following) * Here are your banks documents. * The original message was included as an attachment. * The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment. * The message contains Unicode characters and has been sent as a binary attachment. * Mail transaction failed. Partial message is available. Attachment: (One of the following) document readme doc text file data test message body Extensions: pif, scr, exe, bat, cmd, zip Posted Apr 11 2005, 06:45 AM by harry with no comments

• Windows XP SP2 - Tech Republic's Resource Center

  Tech Republic provides an excellent site for IT professionals containing a number of links for improving security and troubleshooting any potential issues http://techrepublic.com.com/1200-22-5303956.html Posted Apr 09 2005, 10:12 PM by harry with no comments

• Microsoft - Important security updates to be released on April 12

  Microsoft has released advanced warning about the bulletins it will be releasing next Tuesday. http://www.microsoft.com/technet/security/bulletin/advance.mspx * 5 Security Bulletins for Windows, maximum level Critical * 1 Security Bulletin for Office, level Critical * 1 Security Bulletin for MSN Messenger, level Critical * 1 Security Bulletin for Exchange, level Critical Posted Apr 09 2005, 10:02 PM by harry with no comments