Release of new Apache httpd versions
Date : September 20, 2007
Apache httpd versions 2.2.6, 2.0.61 and 1.3.39 have been released fixing six vulnerabilities viz. CVE-2007-3304, CVE-2007-5752, CVE-2007-1863, CISB-Aug07, CVE-2007-1862, CIVN-2007-124. These vulnerabilities could be exploited by remote unauthenticated attacker to cause denial of service, cross-site scripting attacks on the vulnerable systems.
Users are advised to update to Apache httpd versions 2.2.6, 2.0.61 and 1.3.39 to mitigate the security risks associated with the above vulnerabilities.
Note: System administrators/users are advised to test these released versions before applying to their production servers.
References:
Apache
http://httpd.apache.org
http://www.apache.org/dist/httpd/CHANGES_2.2.6
Rapid propagation of Storm worm using various social engineering techniques
Date : August 23, 2007
Updated : September 12, 2007
It has been observed that variants of ‘Storm Worm' are
circulating widely using various social engineering techniques.
Storm worm, also known as Zhelatin started spreading in
January 2007 through email attachments with subject lines related
to European storm video.
Currently Storm worm is spreading through malicious link in the
emails. Email contents and subjects are changing rapidly. Sample
email is shown here:
Clicking on the link takes the user to a web page containing a link.
The web page attempts to exploit certain vulnerabilities and uses
social engineering technique to persuade users to click on the link
to download malicious file as shown here:
The source code of a malicious web page is shown here:
The malicious file is a bot program and relies on deception to
infect target system. Storm Worm has created a large botnet
since January 2007 which is still growing. This botnet uses
Fast-Flux Domain Name Service hosting which make it harder
to take down the botnet.
Storm worm has already been used for Denial of Service attack
and seems to be developing its attacking techniques.
In view of rapid propagation of the Storm worm, users are
advised to implement following countermeasures.
- Do not click on the link provided in any unsolicited emails.
- Keep up-to-date on patches and fixes on the operating
system and application software.
- Install and maintain updated anti-virus software
at gateway and desktop level.
- It has been observed that storm worm is using nginx/0.5.17
web server. Consider blocking packets from the nginx/0.5.17
web server through Proxy or set an appropriate alert/rule
at IDS/IPS.
References:
http://isc.sans.org/diary.html?storyid=3286
http://isc.sans.org/diary.html?storyid=3298 http://isc.incidents.org/diary.html?storyid=3321 http://www.informationweek.com/shared/printable
Article.jhtml?articleID=201800635 http://www.securityfocus.com/news/11482 http://www.securityfocus.com/news/11473 http://isc.sans.org/diary.html?storyid=2071
http://www.cert-in.org.in/currentacts/currentact.htm#SW http://www.cert-in.org.in/virus/Trojan_strom_worm.htm
Propagation of “Storm Worm” variants through Emails
Date : July 11, 2007
It has been observed that new variants of ‘Storm Worm' are circulating in the wild. The malware propagation is reported via E-mail. The email lures user to install a patch from the embedded link contained in the body. On clicking the link, the malicious executable gets downloaded on the system to make the infection.
The website hosting malware has JavaScript in an attempt to exploit the browser and compromise the system. Once the browser is successfully exploited subsequently system is also compromised and afterwards malicious payload downloaded.
The Subject lines of the circulating email messages are:
Virus Detected!
Trojan Alert!
Worm Alert!
Worm Activity Detected!
Spyware Alert!
Warning!
The email body contains:
Dear customer ,
Our robot has detected an abnormal activity from your IP address on sending e-mails.Probably it is connected with last epidemic of a worm which does not have official patches at the moment.
We recommend you to install this patch to remove worm files and stop email sending,otherwise your account will be blocked.
Postmaster.
In view of rapid propagation of the trojan variants, users are advised to implement following countermeasures.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Filter emails with abovementioned subject lines at the gateway.
- Do not click on the link provided in any unsolicited emails.
- Keep up-to-date on patches and fixes on the operating system and application software.
- Monitor traffic for surge on unusual ports.
References:
http://isc.sans.org/diary.html?storyid=3117
http://www.cert-in.org.in/virus/Trojan_strom_worm.htm
Malicious tool Mpack Compromises Computers on massive scale
Date : June 22, 2007
It has been reported that the large number of computers has been compromised using a malware distribution and attack kit known as MPack . Mpack is detected as Trojan.Mpkit!html (Symantec).
MPack was discovered in Dec 2006 and has reportedly compromised thousands of systems in last six months. Major attacks were noticed on Italian websites during the last week.
MPack is a collection of components written in PHP. It runs alongwith a PHP server and a database backend. It has been reported that MPack kit is being sold commercially through underground channels with the name FTP-Toolz Pack.
A typical attack scenario is as follows:
- Attacker hacks into a legitimate web site and adds the IFRAME snippet into webpage to redirect innocent user to the malicious MPack server. Attackers are also using the typo-squatting techniques to redirect the user to malicious server.
- MPack server uses the HTTP request headers to know about the operating system and web browser of the user's system. After determining the operating system and web browser, it uses this information to select the appropriate exploit codes to compromise the target system. MPack stores information about the user's computer, exploit code used and country of user.
- After the compromise, arbitrary (shell) code directs the compromised computer to download malicious files from the MPack server. Once executed on the compromised system this malicious file further downloads other malicious files from different locations.
In view of the rapid exploitation of the vulnerabilities by MPack users are advised to:
- Deploy appropriate security measures to protect web servers. Users may refer to CERT-In Web Server Security Guidelines CISG-2006-01 , CISG-2004-04 , CISG-2004-01
- Install and maintain a updated anti-virus software at gateway and desktop level
- Keep up-to-date patches and fixes on the operating system and application software
- Exercise caution while visiting trusted/untrusted websites.
- Disable active scripting in the browser.
References
http://blogs.pandasoftware.com/blogs/pandalabs/archive/2007/05/11/
MPack-uncovered_2100_.aspx
http://blogs.pandasoftware.com/blogs/pandalabs/archive/2007/06/19/
More-about-Mpack.aspx
http://www.symantec.com/enterprise/security_response/weblog/2007
/05/mpack_packed_full_of_badness.html
http://isc.incidents.org/diary.html?storyid=3015
http://isc.sans.org/diary.html?storyid=2991
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=782
http://www.securityfocus.com/brief/529
Circulation of malware through MSIE7 Spam
Date : May 07, 2007
Updated: May 10, 2007
It has been observed that large number of spam mails pretending to be from Microsoft are being sent to users persuading them to download malware embedded in a file claiming as update to Internet Explorer. Similar spam mails were in circulation in the last month as reported in CERT-In Current Activity Trojan Grum/IE7.0.exe [Date : April 02, 2007]
These spam mails are appearing to come from admin@microsoft.com or admin@windows.com and have the subject line “ 'Internet Explorer 7.0 Beta ”. These mails contain an image similar to genuine image related to IE7 beta 2 download shown below. The image links to remote website to download the executable file update.exe
Certain antivirus have detected the update.exe as trojan downloader Win32/Grum.b
[ McAfee], Trojan-Downloader.Win32.Agent.bjo [Kaspersky], W32/Grum-B [Sophos], TR/Proxy.Agent.CL [AntiVir], Win32:Agent-GJR , Trojan.Downloader-4640, Trojan.Downloader.18993
Malicious executable file update.exe is hosted on the different locations. Some of the identified locations are:
http:// goldenmexico.com/images/ update DOT exe
http:// goalmastery.net/images/ update DOT exe
http:// goldenmexico.com/images/ update DOT exe
http:// gmasinc.com/images/ update DOT exe
http:// gojenola.com/images/ update DOT exe
http:// gojenola.com/images/ update DOT exe
http:// dzwebsolutions.net/images/ update DOT exe
http:// accentstaffing.com/images/ update DOTexe
http:// women-ru.org/images/ update DOT exe
http://adaptationband.net/images/ update DOT exe
http://alimov.net/images/ update DOT exe
http://xoozee.cd/update DOT exe
http://merzingo.cd/update DOT exe
http://endfriends.cd/update DOT exe
http://netdesks.cd/update DOT exe
http://pleasedostock.hk/update DOT exe
http//wordcasts.cd/update DOT exe
http://abyssrecycling.co.uk/images/update DOT exe
http://accentstaffing.com/images/update DOT exe
http://bcweblist.com/images/update DOT exe
http://actorsandactresses.co.uk/images/update DOT exe
http://mikelike.cd/update DOT exe
Once executed on the system trojan tries to download other malwares from remote websites. Further update.exe is having rootkit capabilities to hide itself on the infected system.
After execution update.exe drops 0.exe and 1.exe in the current folder. 1.exe creates malicious file svchots.exe at the location C:\Document and Settings\current user\Local settings\TEMP. Other malware file dropped at this location are 3327.exe , 3763.exe, winlogon.exe, wnset.exe. wnset.exe creates the outbound connection with IP 72.232.195.26
In view of the rapid propagation of the malware via spam mails users are advised to:
- Install and maintain a updated anti-virus software at gateway and desktop level
- Keep up-to-date patches and fixes on the operating system and application software
- Do not open email messages with the above mentioned From field and Subject lines .
- Do not click on images related to IE7 beta 2 download embedded in the body of email messages.
- Disable active scripting even while visiting trusted web sites.
- Set security level to Internet zone in Microsoft Internet explorer to high.
- Block access to the malicious websites/domains at the perimeter level.
References
http://msmvps.com/blogs/spywaresucks/archive/2007/05/05/
891095.aspx
http://www.cisrt.org/enblog/read.php?93
Phishing attacks related to Virginia Tech Tragedy
Date : April 19, 2007
It has been reported that malicious users are taking advantage of the recent Virginia Tech incident and have launched phishing attacks. They have created fraudulent domains for the purpose of phishing attacks. The phishers are using these domains to set up the phishing websites and further circulating phishing email asking the user for personal and financial information to collect donation for the virginia tragedy sufferers. They may also spread malicious programs through these domains.
A number of fraudulent domains looks alike a legitimate charity related to Virginia Tech Tragedy have been reported to be registered over the internet. These domains are
vatechshooting.com,vatechshooting.net, vatechshooting.org vatechshooting.info,vatechshooting.us,vatechshooting.biz,
vtshooting.com
vtshooting.info,vatechmassacre.com,vatechmassacre.net, vatechmassacre.info,vatechmassacre.biz,vtmassacre.com
vtmassacre.net,vtmassacre.org
,vtmassacre.info,
virginiatechrampage.com
vatechrampage.com,vtrampage.com,
virginiatechmurders.com,
virginiatechmurders.net,virginiatechmurders.org,
virginiatechmurders.info,virginiatechmurders.us
,vatechmurders.com,vtmurders.com,hokieshootings.com,
hokiemassacre.com
Users are advised to implement the following countermeasues to protect themselves from any phishing attacks:
- Keep up-to-date patches and fixes on the operating system
and application software.
- Keep up-to-date Antivirus and Antispyware signatures.
- Do not visit untrusted websites.
- Exercise caution while opening unsolicited emails and do
not click on a link embedded within
- Do not disclose any financial or personal information
being asked in unsolicited email.
- Contact your financial institution/ Bank for the authentication
of received e-mail.
- In case your financial or personal information is compromised,
immediately contact your financial institution/ Bank and report
the same.
References
http://www.isc.sans.org/diary.html?storyid=2652
http://www.us-cert.gov/current/current_activity.html#phish
Exploitation of Microsoft Windows DNS RPC vulnerability
Date : April 18, 2007
It has been reported that the Microsoft Windows DNS server RPC vulnerability described in CERT-In Vulnerability Note CIVN-2007-49 is being exploited widely.
MS DNS servers on Windows 2000 SP4 or Win 2003 SP1 or SP2 are more prone to the attack if they are accessible through Internet and have ports above 1024 open.
In a typical attack method the scans on the TCP ports 1024-1028 were noticed then TCP connection were established on the port running RPC service. Exploit shellcode binds to TCP port 1100. Malicious script files are uploaded on this port and executed to download malicious executable file from the location specified by the attacker.
Malware exploiting this vulnerability are identified as W32/Nirbot.worm!RpcDns (McAfee), WORM_VANBOT.GC(Trend Micro), W32.Rinbot.BC(Symantec)
In view of the rapid exploitation of the vulnerability users are advised to implement the following countermeasues:
- Disable remote management over RPC capability for DNS Servers through registry key setting.
- Disable the RPC interface used by the Microsoft Windows DNS service
- Block or Restrict access to RPC at the network perimeter
- Block TCP and UDP port 445
- Block unsolicited inbound traffic on ports 1024-5000 using IPsec or other firewall.
- Enable advanced TCP/IP filtering on systems
References
http://www.cert-in.org.in/vulnerability/civn-2007-49.htm http://www.cert-in.org.in/virus/Rinbot.htm
http://www.microsoft.com/technet/security/advisory/935964.mspx
http://www.us-cert.gov/current/current_activity.html#rinbot
http://isc.sans.org/diary.html?storyid=2627
http://isc.sans.org/diary.html?storyid=2633
http://vil.mcafeesecurity.com/vil/content/v_142027.htm
http://www.symantec.com/enterprise/security_response/writeup.jsp?
docid=2007-041701-3720-99
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?
VName=WORM%5FVANBOT%2EGC
Trojan Grum/IE7.0.exe
Date : April 02, 2007
It has been observed that spam mails pretending to be from Microsoft are being sent to users persuading them to download malware embedded in file claiming as Internet Explorer 7 installer.
These spam mails are appearing to come from admin@microsoft. com and have the subject line “ Internet Explorer 7 Downloads”. These mails contain an image similar to genuine image related to IE7 beta 2 download. The image links to the file IE7.0.exe .
Different versions of the malicious files IE7.0.exe are hosted on the different locations. Some of the identified locations are:
Jpcommunications . net/images/IE7.0. exe
66. 98. 149. 237/IE7.0. exe .
The file IE7.0.exe is detected as TR/Proxy.Agent.CL(AntiVir), Trojan.Spy-3301(ClamAV), Win32/Grum (AVG, BitDefender, DrWeb, eSafe, eTrust-Vet, Fsecure, Kaspersky, Norman, Symantec, VirusBuster).
W32/Grum.a has been identified as a kernel malware that hooks several ntdll APIs to hide its files and processes. The malware also serves as a proxy server that communicates to certain IP addresses.
In view of the rapid
propagation of the malware
users are advised to:
- Install and maintain a updated anti-virus software at gateway and desktop level
- Keep up-to-date patches and fixes on the operating system and application software
- Exercise caution while opening email attachments
References
http://www.us-cert.gov/current/current_activity.html#ie7spam
http://isc.incidents.org/diary.html?storyid=2537 http://www.computerworld.com/action/article.do?command=viewArticle
Basic&articleId=9015142
http://www.f-secure.com/v-descs/trojan-proxy_w32_grum_a.shtml
Exploitation of Microsoft Windows Animated Cursor Vulnerability
Date : March 30, 2007
Updated : April 03, 2007
It has been reported that the Microsoft Windows Animated Cursor vulnerability described in CERT-In Vulnerability Note CIVN-2007-39 and Microsoft Security Advisory ( 935423 ) is being exploited widely. The exploit codes are recognized as TROJ_ANICMOO.AX (Trend Micro) alias Exploit-ANIfile.c (McAfee).
The above mentioned malware take advantage of the insufficient format validation while handling animated cursors (.ani files). The malware uses the vulnerability to download and execute other malware e.g.TROJ_SMALL.DRF (Trend Micro).
The Animated Cursor feature is often designated by the .ani suffix, but attacks for this vulnerability are not constrained by this file type so simply blocking .ani files won't necessarily protect a PC. Successful exploitation can result in memory corruption when processing cursors (.cur), animated cursors (.ani), and icons (.ico).
In addition to the above-mentioned malwares, a new kind of worm is also spreading out; it has the same behavior as Worm.Win32.Fujacks. It also can infect .HTML .ASPX .HTM .PHP .JSP .ASP and .EXE files, and inserts the malicious links which contained Windows Animated Cursor Handling zero-day vulnerability into .HTML .ASPX .HTM .PHP .JSP .ASP files. It also can send out Chinese spams which are included in the same zero-day vulnerability link. This malware is detected as, W32/Fujacks.aa (MacAfee), Trojan-Downloader.Win32.Agent.bkp (Kaspersky), W32.Fubalca (Symantec), Agent.bky (F-Secure)
The following websites are hosting related exploit code to exploit this vulnerability
- c33577 DOT cn
- ym52099 DOT 512j DOT com
- 1 DOT 520sb DOT cn
- newasp DOT com DOT cn
- koreacms DOT co DOT kr
- i5460 DOT net
- www DOT 04080 DOT com
- www DOT h3210 DOT com
- Wsfgfdgrtyhgfd DOT net
- 85 DOT 255 DOT 113 DOT 4
- uniq-soft DOT com
- fdghewrtewrtyrew DOT biz
- 2007ip DOT com
- microfsot DOT com
In view of the rapid exploitation of the vulnerability users are advised to:
- Block access to malicious websites/Domains mentioned above at the perimeter.
- Do not follow unsolicited links
- Disable email preview pane in mail client
- Read e-mail messages in plain text format if using Outlook 2002 or a later version
- Exercise caution while opening email attachments
- Install and maintain a updated anti-virus software at gateway and desktop level
- Keep up-to-date patches and fixes on the operating system and application software
Microsoft has reported that users of Internet Explorer 7 with Protection Mode are protected from active exploitation, but shellcode execution is still possible. Users of Outlook 2007 are protected (as it uses Word to display HTML messages); users of Windows Mail on Vista are protected if they do not forward or reply to malicious e-mails.
References
http://www.cert-in.org.in/vulnerability/civn-2007-39.htm http://www.microsoft.com/technet/security/advisory/935423.mspx
http://uk.trendmicro-europe.com/enterprise/vinfo/encyclopedia.
php?LYstr=VMAINDATA&vNav=3&VName=TROJ_ANICMOO.AX
http://vil.nai.com/vil/content/v_141860.htm
http://www.auscert.org.au/7431
http://isc.sans.org/diary.html?storyid=2534
http://isc.sans.org/diary.html?storyid=2539 http://www.cisrt.org/enblog/read.php?68 http://asert.arbornetworks.com/2007/03/any-ani-file-could-infect-you/
Worm Exploiting Sun Solaris Telnet vulnerability
Date : March 02, 2007
It has been reported that the security issue reported in Sun Solaris Telnet Daemon (in.telnetd) described in CERT-In Vulnerability Note CIVN-2007-23 is being exploited by a worm. This worm takes advantage of the vulnerability for log in on a vulnerable system via telnet with elevated privileges using the “lp” or “adm” accounts.
After logging in to the vulnerable machine worm changes the permissions of /var/adm/wtmpx to –rw-r—rw-. Creates directory .adm at the location /var/adm/sa/. Adds .profile files to /var/adm and /var/spool/lp. Installs an authenticated backdoor shell on tcp port 32982. modifies crontab entries for the users adm and lp and scan for the hosts running telnet for further infection.
In view of the wide propagation of the worm, users are advised to implement following countermeasures:
- Run inoculation script provided by Sun locally on the infected system.
- Disable Telnet.
- Apply appropriate patches referenced in Sun Alert Notification 102802 .
- Restrict access to tcp port 23 to trusted hosts only.
CVE Name
CVE-2007-0882
References
http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-
possible-worm/
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1
http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen
http://www.us-cert.gov/cas/techalerts/TA07-059A.html
http://www.cert-in.org.in/vulnerability/civn-2007-23.htm
DDoS attack on root DNS servers
Date : February 08, 2007
A besieged DDoS attack has been reported on the Internet Infrastructure that temporarily crippled - but didn't take down - two of the Internet's 13 Domain Name System (DNS) root servers. This unusually powerful attack lasted as long as 12 hours on 6 th Feb, 2007 but passed largely unnoticed by most computer users.
DNS root servers basically answer queries in the DNS infrastructure, which translates a computer's "human-readable" domain name into its machine-readable IP address.
The attackers used an army of bots from around the globe to hammer the servers with bogus and abnormally large DNS requests. DNS servers run by the U.S. Department of Defense, the Internet Corporation of Assigned Names and Numbers (ICANN) and UltraNet, which manages the .org domain and some other suffixes, were affected by the attack.
http://isc.sans.org/diary.html?storyid=2184 http://www.securityfocus.com/brief/429
http://www.us-cert.gov/current/current_activity.html#dnsanom
http://www.internetnews.com/security/article.php/3658551
http://www.pcworld.com/article/id,128806-c,cybercrime/article.html
http://hosted.ap.org/dynamic/stories/I/INTERNET_ATTACKS?SITE
=WIRE&SECTION=HOME&TEMPLATE=DEFAULT
http://searchsecurity.techtarget.com/originalContent/0,289142
,sid14_gci1242635,00.html
Security updates released for fetchmail, squirrelmail, and gtk2 packages
Date : February 2, 2007
Patches for multiple vulnerabilities have been released for multiple vendors Linux products. Vulnerabilities have been reported in packages such as fetchmail, squirrelmail, gtk2.Redhat and SUSE have released patches to address these vulnerabilities in respective packages.
Multiple patches also have been releases for linux kernel vulnerabilities.
Wireshark has released new version of Wireshark 0.99.5 which fixes multiple vulnerabilities.
Users are advised to apply the required security updates from concerned vendors.
Vendor Information
Suse
http://www.novell.com/linux/security/advisories/2007_02_sr.html
Redhat
https://rhn.redhat.com/errata/RHSA-2007-0014.html https://rhn.redhat.com/errata/RHSA-2007-0022.html https://rhn.redhat.com/errata/RHSA-2007-0018.html https://rhn.redhat.com/errata/RHSA-2007-0019.html
Wireshark
http://www.wireshark.org/security/wnpa-sec-2007-01.html
Trojan Storm spreading through Spam mails
Date: January 25, 2007
It has been observed that Trojan Storm Worm and its new variants are circulating in the wild via massive spamming. The trojan is also known
to be downloaded by NUWAR family mass mailing worm. It comes as an attachment in spam e-mails with empty body and frequently changing subject lines related to some ongoing specific events to make the
seeding more successful.
The trojan is formulating botnets by creating a P2P network on UDP
port 4000 with other infected systems for the purpose of further
malicious activity.
Certain Antivirus has detected the malware as
Trojan TROJ_SMALL.EDW [Trend Micro], Trojan.Peacomm [Symantec], Win32/Nuwar.N@MM!CME-711 [Microsoft] ,Troj/DwnLdr-FYD,
Troj/Small-DOR, W32/Stormy.AB, Trojan-Downloader.
Win32.Agent.bet, Downloader-BAI!M711, Downloader-BAI,
Trojan-Downloader.Win32.Small.dam, Small.DAM[F-Secure]
For further details please refer to the CERT-In Virus Alert Trojan Storm Worm
Since the trojan variants are being spammed massively users are advised to implement the following countermeasures:
- Install and maintain a updated anti-virus software at gateway
and desktop level
- Keep up-to-date on patches and fixes on the operating
system and application software
- Exercise caution while opening email attachments
- Filter emails with subject lines and attachments the
trojan
is using at the gateway
References:
http://news.bbc.co.uk/2/hi/technology/6278079.stm
http://www.informationweek.com/showArticle.jhtml?articleID=
196902579&cid=RSSfeed_TechWeb
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=
TROJ%5FSMALL%2EEDW&VSect=T
http://www.symantec.com/enterprise/security_response/weblog/2007/
01/trojanpeacomm_building_a_peert.html
http://www.symantec.com/enterprise/security_response/writeup.jsp?
docid=2007-011917-1403-99&tabid=1
http://www.f-secure.com/v-descs/small_dam.shtml
http://www.f-secure.com/weblog/archives/archive-
012007.html#00001088
http://www.f-secure.com/weblog/archives/archive-
012007.html#00001089
http://www.f-secure.com/weblog/archives/archive-
012007.html#00001087
< Previous - - Next >
| 
