View Full Version : 2006 Alerts - Q2

2006-04-05, 22:33

- http://isc.sans.org/diary.php?storyid=1245
Last Updated: 2006-04-05 20:09:42 UTC
"Looks like our long-time* "friends" from the Coolwebsearch/Trafficadvance malware department have moved shop to a new hoster. If you've followed our earlier suggestions and zapped their old netblock (81.9.5.x), well, then you might want to consider banning their new sites as well. They all seem to reside under 85.249.23.x now, again in St.Petersburg, Russia. If you prefer to block their domains, here's a list. All of the indicated domain names end in .biz.

traffsale1 traffweb toolbarweb toolbarsale iframecash traffcool toolbarcool traffbucks toolbarbucks traffdollars toolbardollars traffbest toolbarbest traffnew toolbarnew traffmoney toolbarmoney vip01

Be advised that unwary surfing to these sites might make your DVD drive spit out pepperoni slices, cause your monitor to start flickering, and definitely will result in other side effects detrimental to the integrity of your beloved computing device. You have been warned."

* http://isc.sans.org/diary.php?storyid=868


2006-04-07, 16:32

- http://isc.sans.org/diary.php?storyid=1248
Last Updated: 2006-04-07 13:55:10 UTC
"Viruslist is reporting on a cross platform Proof of Concept (PoC) virus that works on both Linux and Windows machines. It is claimed to be capable of infecting both Linux ELF binaries and .exe's from Windows. The impact of the PoC at this point is very low in itself, but it is a sign the cross platform aspects are becoming important. As the developers of viruses continue to research this, we will see (more) cross platform malware come about in the future.
Even today websites sending exploits to their visitors tend to detect what browser/platform the visitor is using and send a matching exploit to install some malware and earn their quarter for each confirmed installation. Planning ahead and also protecting the Linux, UNIX and Mac OS X machines with anti-virus measures is a good thing to start on now if you haven't done so already.
For those thinking their "pet" computer is invulnerable to the virus threat: it's not. The vulnerability exploited by a virus is the ability of software to add or change other programs. All general purpose operating systems have that vulnerability to some degree.
Getting infrastructure that is fed signatures in an automated manner in place allows you to shorten the time needed to respond, even if the specific platform isn't targeted today. Since anti-virus measures are mostly reactive in nature, anything that makes your reactions faster is good."

:( :eek:

2006-04-14, 12:59

- http://isc.sans.org/diary.php?storyid=1261
Last Updated: 2006-04-14 01:56:17 UTC
"...Firefox has released version (and 1.0.8, for those who were not able to upgrade to 1.5) of its browser. This update fixes some undisclosed security issues..."

- http://www.mozilla.com/firefox/
Several security fixes:
- http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.2
Notable bug fixes:
- http://www.squarefree.com/burningedge/releases/

- http://secunia.com/advisories/19631/
Release Date: 2006-04-14
Critical: Highly critical ...
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Update to versions 1.0.8 or
>>> http://www.mozilla.com/firefox/


2006-04-18, 04:18

- http://www.us-cert.gov/cas/techalerts/TA06-107A.html
April 17, 2006
"...II. Impact
The most severe impact of these vulnerabilities could allow a remote attacker to execute arbitrary code with the privileges of the user running the affected application. Other effects include a denial of service or local information disclosure.
III. Solution...
Upgrade to Mozilla Firefox, Mozilla Thunderbird, or SeaMonkey 1.0.1. According to Mozilla.org, Thunderbird is to be released on April 18, 2006..."

>>> http://www.mozilla.org/download.html

Thunderbird v1.5.0.2 released
- http://www.mozilla.com/thunderbird/
Release notes/fixes:
- http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird1.5.0.2
Changes in (77)
- http://weblogs.mozillazine.org/rumblingedge/archives/2006/02/1-5-0-2.html


2006-04-19, 19:57

- http://news.com.com/2102-1002_3-6062766.html?tag=st.util.print
April 19, 2006
" Apple Computer has released a security update* for Mac OS to deal with a Java vulnerability that could allow malicious attackers to gain access to users' systems. Apple issued the J2SE 5.0 Release 4 update earlier this week, noting an attacker could use a vulnerability in Java Web Start to allow a malicious application to read and write local files on a user's system. Java Web Start is a technology to load Java applications over a network such as the Internet. The company advised people with computers running the Java Web Start application on Mac OS X v10.45, as well as Apple's server version, to download the J2SE version 1.5.0_06 update."

* http://docs.info.apple.com/article.html?artnum=303658

** http://sunsolve.sun.com/search/document.do?assetkey=1-26-102170-1
Security Vulnerability With Java Web Start
Date Released: 07-Feb-2006


2006-04-21, 21:58

- http://isc.sans.org/diary.php?storyid=1282
Last Updated: 2006-04-21 19:41:56 UTC
"Multiple vulnerabilities have been reported in Apple Mac OS X and applications. Proof of Concept code has already been posted along with the information regarding the vulnerabilities. At this time no patches or workarounds appear to be available for the majority of the vulnerabilities. The impact and severity of the exploits are not yet known.

Links to advisories:
> Apple OS X 10.4.5 .tiff "LZWDecodeVector ()" Heap Overflow
- http://www.security-protocols.com/sp-x24-advisory.php
> Apple OS X BOM ArchiveHelper .zip Heap Overflow
- http://www.security-protocols.com/sp-x25-advisory.php
> Apple OS X Safari 2.0.3 Multiple Vulnerabilities
- http://www.security-protocols.com/sp-x26-advisory.php
> Apple OS X 10.4.6 "ReadBMP ()" .bmp Heap Overflow
- http://www.security-protocols.com/sp-x27-advisory.php
> Apple OS X 10.4.6 "CFAllocatorAllocate ()" .gif Heap Overflow
- http://www.security-protocols.com/sp-x28-advisory.php
> Apple OS X 10.4.6 .tiff "_cg_TIFFSetField ()" DoS
- http://www.security-protocols.com/sp-x29-advisory.php
> Apple OS X 10.4.6 .tiff "PredictorVSetField ()" Heap Overflow
- http://www.security-protocols.com/sp-x30-advisory.php ..."

- http://secunia.com/advisories/19686/
Release Date: 2006-04-21
Critical: Highly critical
Impact: DoS, System access ...
Do not visit untrusted web sites, and do not open ZIP archives or images originating from untrusted sources..."


2006-04-24, 19:24

- http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=472
April 21, 2006
"Websense Security Labs is seeing large increases in drive-by installations of malicious code that is hosted on websites that are using the Web Attacker Toolkit. When a user visits one of the nearly 1000 sites that are being used to run code without user intervention, a Trojan Horse is downloaded and run. It can log keystrokes, download additional code, or open backdoors on the user's machine. The kit is being sold on the Internet for as little as $20 and can be purchased and downloaded from a website hosted in Russia (see http://www.theregister.co.uk/2006/03/27/spyware_diy/ ). The Web Attacker tool also includes a nice graphical interface and an instructional manual to assist in configuring your server for the exploit. Along with that are details about which anti-virus engines cannot detect it, and how it works. The kit has the ability to detect the visiting user's browser through the user agent and will serve one of seven different exploits based on the browser settings. It includes exploits for a number of different browsers and browser versions.
What is also interesting is that the websites that are hosting the malicious code also include a statistics page that shows the number of infected clients, percentage of clients that have been infected, and a breakdown by country, Operating System, and browser... the percentage of successful infections is quite high. On average we are seeing between 3% and 13% overall success rate. It is also interesting to notice the large number of machines that are not patched for older exploits. The statistics also show a column called "zero-day". These exploits are not zero-days anymore, because Microsoft has patched them; however, this remains the largest percentage of infections. Although we are still collecting statistics, our original research leads us to believe that there are more than 10,000 successful infections of users who have visited one of the malicious sites..."

(Screenshots available at the Websense URL above.)


2006-05-02, 22:06

- http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=478
"Websense® Security Labs (TM) has received several reports of a new worm, "Nugache", which is spreading on AOL/MSN Instant Messenger networks and as an e-mail attachment by exploiting several workstation vulnerabilities. The worm opens a back door on TCP port 8, and installs a bot to wait for commands from the attacker. The command & control channel that is used is unique, as the bot appears to connect to infected peers instead of a static list. A peer-to-peer command & control channel makes it more difficult to block commands issued to the bot. The traffic over this channel also uses obfuscation in an attempt to bypass intrusion detection systems."

- http://isc.sans.org/diary.php?compare=1&storyid=1300
Last Updated: 2006-05-01 21:00:50 UTC
"...A bot was seen spreading via AOL Instant Messenger (AIM) earlier today that appears to be using "encrypted"... peer-to-peer P2P... as the Command and Control (C&C) mechanism. The bots communicate with each other via port 8/TCP... I expect that this binary will be detected by most AV companies quickly (today I hope) and slow its spread tremendously..."

(Most... AV vendors have issued signature updates -today- that cover the worm. Have you updated yours?)
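Since the Nugache bots talk to each other on 8/TCP rather than to one fixed C&C host, the useful signal in a perimeter log is a workstation contacting several distinct peers on that port. Here is an added example (mine, not from Websense or the ISC) that runs that check over a constructed firewall log; the log format and the peer threshold are assumptions.

```python
"""Flag hosts whose outbound connections look like Nugache-style
peer-to-peer C&C on 8/TCP. Added example; the log format (constructed,
'<time> <src> <dst> <proto> <dport>' lines) and the min_peers threshold
are assumptions, not values from the advisory."""
from collections import defaultdict

# Constructed sample firewall connection log. 10.0.0.7 fans out to
# four peers on 8/TCP (the P2P pattern); 10.0.0.9 makes a single
# connection and 10.0.0.5 is ordinary web traffic.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 93.184.216.34 tcp 80
10:00:02 10.0.0.7 203.0.113.9 tcp 8
10:00:03 10.0.0.7 198.51.100.23 tcp 8
10:00:04 10.0.0.7 192.0.2.77 tcp 8
10:00:05 10.0.0.7 203.0.113.41 tcp 8
10:00:06 10.0.0.5 93.184.216.34 tcp 443
10:00:07 10.0.0.9 203.0.113.9 tcp 8
10:00:08 10.0.0.7 198.51.100.5 udp 8
"""

NUGACHE_PORT = 8  # back door / peer port named in the Websense alert

def parse_log(text):
    """Yield (src, dst, proto, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        _ts, src, dst, proto, dport = parts
        yield src, dst, proto.lower(), int(dport)

def find_p2p_suspects(text, port=NUGACHE_PORT, min_peers=3):
    """Return {src: sorted distinct peers} for hosts that contacted at
    least min_peers different destinations on tcp/<port>.

    One connection on 8/TCP may be a misconfiguration; a bot that
    connects to infected peers instead of a static list talks to many
    hosts, so the check keys on distinct peer count, not on volume."""
    peers = defaultdict(set)
    for src, dst, proto, dport in parse_log(text):
        if proto == "tcp" and dport == port:
            peers[src].add(dst)
    return {src: sorted(d) for src, d in peers.items() if len(d) >= min_peers}

if __name__ == "__main__":
    for host, plist in find_p2p_suspects(SAMPLE_LOG).items():
        print(f"{host}: {len(plist)} distinct peers on {NUGACHE_PORT}/tcp: {plist}")
```

Inbound connections to 8/TCP on a workstation are the other half of the picture (the open back door) and can be checked the same way with src and dst swapped.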


2006-05-03, 04:14

- http://www.mozilla.com/firefox/releases/
Release Date: May 2, 2006
Security fix for denial of service vuln.

- http://www.getfirefox.com/

Also, you can use "Help->Check For Updates" (XP Admin account).


2006-05-12, 03:41

Quicktime upgrade v7.1 available
- http://isc.sans.org/diary.php?storyid=1329
Last Updated: 2006-05-12 00:18:50 UTC
"Apple released a Quicktime upgrade to version 7.1 that fixes a number of vulnerabilities in the Quicktime viewer. Normally I'd suggest reading the release notes* for details, but they are typically thin in explaining what's been fixed and/or otherwise changed.
Basically viewing crafted images:
* JPEGs [CVE-2006-1458],
* Flashpix [CVE-2006-1249],
* PICT [CVE-2006-1453, CVE-2006-1454],
* BMP [CVE-2006-2238]
and movies:
* Quicktime [CVE-2006-1459, CVE-2006-1460]
* Flash [CVE-2006-1461]
* H.264 [CVE-2006-1462, CVE-2006-1463],
* MPEG-4 [CVE-2006-1464]
* AVI [CVE-2006-1465]
...can lead to arbitrary code execution.
The fixed version is available for both OS X and Windows. The best thing about it all is that at least we don't get the implicit insult that we should only visit trusted websites. Without more information the only option is not to use Quicktime or to upgrade..."
* http://docs.info.apple.com/article.html?artnum=303752

>>> http://www.apple.com/quicktime/download/standalone.html

- http://secunia.com/advisories/20069/
Release Date: 2006-05-12
Critical: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Apple Quicktime 4.x, Apple Quicktime 5.x, Apple Quicktime 6.x, Apple QuickTime 7.x
Multiple vulnerabilities have been reported in QuickTime, which can be exploited by malicious people to compromise a user's system...
Solution: Update to version 7.1..."

>>> http://www.apple.com/quicktime/download/standalone.html

:fear: :spider:

2006-05-23, 17:12

- http://www.theregister.com/2006/05/23/sony_rootkit_settlement/
23 May 2006
"Federal courts have decided the penalty Sony BMG must suffer for exposing thousands of music fans' computers to hackers with dodgy DRM software last year. District court judge Naomi Reice Buchwald granted final approval for a settlement yesterday. Consumers will receive new malware and vulnerability-free CDs, a patch to remove the offending XCP or MediaMax code, and Sony will be dishing out free downloads. Electronic Frontier Foundation legal director Cindy Cohn said: "This settlement gets music fans what they thought they were buying in the first place: music that will play on all their electronic devices without installing sneaky software." Sony's pages about the settlement, including how to claim, are here*. The list of popular platters covered by the ruling is here**."

* http://www.sonybmgcdtechsettlement.com/

** http://www.sonybmgcdtechsettlement.com/CDList.htm

>>> http://www.eff.org/sony/


2006-06-02, 16:26

- http://isc.sans.org/diary.php?storyid=1377
Last Updated: 2006-06-02 01:53:57 UTC
"Versions of both Thunderbird and Firefox were released by the Mozilla Corporation today. The release notes state that each contained "several security fixes"...
>>> http://www.mozilla.org/download.html


Fix lists...

- http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox

- http://www.mozilla.org/projects/security/known-vulnerabilities.html#Thunderbird

- http://secunia.com/advisories/20376/
Release Date: 2006-06-02
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, System access
Where: From remote
Solution Status: Vendor Patch
Solution: Update to version
http://www.mozilla.com/firefox/ ..."


2006-06-12, 21:56

- http://www.techweb.com/wire/security/189400183
June 12, 2006
"A new worm targeting Yahoo's Web-based e-mail service bent on collecting addresses for a spam database has been spotted in the wild, a security company warned Monday. The "Yamanner" worm* exploits a JavaScript vulnerability in Yahoo's Web mail, Cupertino, Calif. security specialist Symantec said in a Monday morning warning to customers of its DeepSight Threat Management System. Yamanner is spreading, added Symantec, which has assigned the threat a "2" in its 1 through 5 rating system. The worm targets addresses with the "yahoo.com" and "yahoogroups.com" domains, and arrives as an HTML message containing JavaScript. As soon as the recipient views the message, the script automatically runs to spread the worm to other users in the Yahoo address book. The message will have a "From" address of av3@yahoo.com and a Subject: of "New Graphic Site". "Harvested addresses from the address book are then submitted to a remote URL, which is likely to be used for a spam database," noted Symantec in its alert. Yamanner won't execute on the newest Yahoo Mail Beta. Until Yahoo patches the flaw, Symantec recommended users steer clear of the service or disable the browser's JavaScript capabilities before reading any Web mail."
* http://www.sarc.com/avcenter/venc/data/js.yamanner@m.html

- http://isc.sans.org/diary.php?compare=1&storyid=1398
Last Updated: 2006-06-12 19:40:36 UTC
"...It was first reported to the ISC at 12:32 UTC and now appears to be circulating in two slightly different variants... both variants are flawed therefore they spread very effectively but do not actually perform the intended action. The mass-mailer attempts to open a browser window... but a spelling mistake prevents this from working. The website appears to be dormant and rejecting accesses. The release of a new version barely two hours after we started our analysis which partially fixes the first version indicates that the code is very much under development and you should assume that the remaining bugs will be rapidly ironed out.
To activate the mass-mailer it is sufficient to open the mail message without clicking on the attachment and it will scour your address list and send itself as an attachment (forwarded message) to everyone on it. It searches for both @yahoo.com and @yahoogroups.com e-mail addresses. There is currently no trivial fix for Yahoo! mail as turning off Javascript on the browser will prevent you from reading your e-mail. For Yahoo! groups it is recommended that moderators/administrators turn off attachments for the time being to prevent this spreading further."
Update: http://isc.sans.org/diary.php?compare=1&storyid=1398
Last Updated: 2006-06-12 20:51:32 UTC ...(Version: 4)
"...Yahoo! mass-mailer is currently making the rounds with a subject of "[random word] New Graphic site"... The mass-mailer also submits data to a page on av3.net but basic timing analysis on the response time seems to indicate that there is no difference between an access to the page without parameters or with the slew of parameters which are generated by the mass-mailer. This does not necessarily mean that the data is not being pharmed there and it is being investigated further... Note that this is not a binary attachment but a set of nested forwarded messages which are sent as an attachment in RFC2822 format... A long-term fix is apparently to migrate your Yahoo! e-mail to the Yahoo! Mail beta service although those who have already migrated mention that it is not a painless task..."
Update v5: http://isc.sans.org/diary.php?storyid=1398
Last Updated: 2006-06-12 21:19:00 UTC ...(Version: 5)
"...Update: Yahoo! is aware of the issue and is working on a fix, in their words "Yahoo! Mail is blocking most of these messages, and is working on a fix."

:fear: :(

2006-07-08, 15:33

- http://www.techweb.com/wire/security/190300666
July 06, 2006
"..."It's remarkable that it took 18 years for our database to reach 100,000 malicious threats, and just under two years to double to 200,000," said Stuart McClure, senior vice president of research and threats, in a statement. "Hackers are releasing threats faster than ever before, with 200 percent more malicious threats per day than two years ago." McAfee added the 100,000th threat to its database in September 2004. At the current pace -- 2006 should see more than 60,000 new threats, up from the 56,000 during 2005 -- the 400,000 barrier should be broken in under two years, McAfee said."

:fear: :spider: :fear: