Alerts - Q1-2007c

2007-03-01, 04:05

> http://www.us-cert.gov/current/#sunwrmexinet
updated March 1, 2007

- http://www.symantec.com/security_response/writeup.jsp?docid=2007-022810-0202-99&tabid=3
Updated: March 1, 2007
Also Known As: SunOS/Wanukdoor [McAfee]
Type: Trojan
"...Once the threat attacks a computer, it is difficult to determine what else the computer has been exposed to. In most cases, changes other than those made by the threat will not have occurred. However, the author of the threat may have been able to use the threat to access the computer to make changes to it. Unless you can be absolutely sure that malicious activity has not been performed on the computer, we recommend completely reinstalling the operating system."


- http://www.symantec.com/enterprise/security_response/weblog/2007/02/solaris_telnet_worm.html
February 28, 2007 ~ "Soon after information was released about a vulnerability in the in.telnetd daemon in Solaris 10, Symantec's Deepsight monitoring system began to see spikes in port 23 traffic. Most of this traffic was due to people scanning for vulnerable systems. However, yesterday we saw a renewed spike in traffic that has been correlated to a worm known as Wanuk, which uses the vulnerability to spread... Once Wanuk is on the system, it drops an executable that creates a /bin/sh back door, which listens on port 32982/TCP. In addition, Wanuk's payload includes sending out system broadcast messages of creatively designed shout-outs to a variety of security researchers... This will only happen one-third of the time at noon on the 13th of the month if the threat starts between 1 am and 5 am. Those affected should ensure they have patched or disabled telnet as a workaround..."

(Graphics available at the URL above.)

> http://isc.sans.org/port.html?port=23

:fear: :spider:

2007-03-03, 12:16

- http://www.f-secure.com/weblog/archives/archive-032007.html#00001130
March 3, 2007 ~ "New Warezov run has been going on for some hours now. The emails seem to be constant and look like this:

'Do not reply to this message

Dear Customer,

Our robot has fixed an abnormal activity from your IP address on sending e-mails. Probably it is connected with the last epidemic of a worm which does not have patches at the moment. We recommend you to install a firewall module and it will stop e-mail sending. Otherwise your account will be blocked until you do not eliminate malfunction.

Customer support center robot'

The attachment is a ZIP file which contains a static EXE file. The name varies, but it's always like Update-KB[random numbers]-x86.exe. MD5 is 2A9D6942D891F534E288830F6EA52615."


2007-03-10, 18:06

- http://isc.sans.org/diary.html?storyid=2397
Last Updated: 2007-03-10 16:25:08 UTC ...(Version: 3) ~ "...The airindia.com website contained a script-tag linking to a malicious Javascript hosted on a Chinese web server. We were able to confirm this and contacted Airindia to inform them their site had likely been compromised. At this point in time, the site is clean again. Initial verification shows that this malicious link has been introduced into a large number of sites, both through script injection in forms as well as ways that look very much like web server compromise to us.
If you have a large installed base of Windows machines with browsing access, you may wish to review your proxy logs for requests for the following files. We removed the actual domain as to not to link directly to the actual malware.
[xxx] .cn/images/163.js
[xxx] .cn/images/sina.htm
The file downloaded upon successful execution is called 'install.exe' and has an md5 checksum of f9fc3189d619462f6c939bfbf36c90ab. Once executed, it installs three files on the system, 'winboot.exe', 'winroot.bat' and '1.exe', of which the latter remains resident in memory. The software seems to be a keylogger at this point in time. Anti-virus detection for this malware was non-existent this morning.
Currently, virustotal shows successful detection by:
AntiVir 03.09.2007 TR/Crypt.FKM.Gen
CAT-QuickHeal 9.00 03.10.2007 (Suspicious) - DNAScan
eSafe 03.08.2007 Suspicious Trojan/Worm
Kaspersky 03.10.2007 Trojan-PSW.Win32.WOW.pu
Sunbelt 2.2.907.0 03.10.2007 VIPRE.Suspicious
Symantec 10 03.10.2007 Infostealer.Wowcraft
VBA32 3.11.2 03.10.2007 suspected of Downloader.Dadobra.10 (paranoid heuristics)
F-Secure, Fortinet and Sophos confirmed to us by e-mail they would be adding detection shortly..."

- http://isc.sans.org/diary.html?storyid=2397
Last Updated: 2007-03-10 18:28:19 UTC ...(Version: 4)
"...Using Google's cache we came to the conclusion this script was inserted in at least some pages on web sites in the following domains for a while:
* airindia.com
* acmt.net
* fireworks.com
* fci.org
* pbonline.com
* postbulletin.com
* post-bulletin.com
* k-1usa.net
* scsusports.com
* stariq.com
* erskinecollegesports.com
* installshield.com
* roundballclassic.com
* onebrick.org
* whozontop.com
* dove.org
* cvac.net
* honestreporting.com
* totallydrivers.com
* irinnews.org
* ...
Note that in all likelihood all of those sites are victims. The main purpose of listing them is to allow administrators to check if they got visited by their users and to make it clear that users can't help it with changing their surfing habits. Certainly not all -if any- of those sites qualify as part of the dark alleys on the Internet. Some would easily fit in a proper for business use category.
We contacted all those still sporting the bad link to the exploit earlier today. We're also asking those sites to verify how they got compromised and to share the results of that as far as possible so we can help others find and close the entry vector..."

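Reviewing proxy logs for the indicator paths the diary lists, as an added example that is not part of the ISC diary or the forum post: it parses constructed Squid-format access log lines, flags requests for `/images/163.js` and `/images/sina.htm`, rates a hit high confidence only when the host is under `.cn` (the diary redacted the domain as `[xxx] .cn`), reports clients that fetched both pieces of the chain, and compares a file's MD5 with the reported `install.exe` hash. The log lines, hostnames and addresses are constructed; `parse_squid_line` assumes Squid's native access.log field order.

```python
"""Scan proxy logs for the indicators quoted in the ISC diary (constructed example)."""
import hashlib
from urllib.parse import urlsplit

# Indicator paths from the diary; the serving domain was redacted there as "[xxx] .cn"
INDICATOR_PATHS = ("/images/163.js", "/images/sina.htm")
# MD5 of the dropped 'install.exe' as reported in the diary
INSTALL_EXE_MD5 = "f9fc3189d619462f6c939bfbf36c90ab"

# Constructed Squid native access.log lines; hosts and addresses are made up
SAMPLE_LOG = """\
1173542400.123    245 10.0.0.17 TCP_MISS/200 1834 GET http://www.example.com/index.html - DIRECT/198.51.100.4 text/html
1173542401.456     98 10.0.0.17 TCP_MISS/200 2210 GET http://redacted-host.cn/images/163.js - DIRECT/203.0.113.9 application/x-javascript
1173542402.789    130 10.0.0.17 TCP_MISS/200 1502 GET http://redacted-host.cn/images/sina.htm - DIRECT/203.0.113.9 text/html
1173542410.222     45 10.0.0.23 TCP_HIT/200 812 GET http://cdn.example.org/images/163.js - NONE/- application/x-javascript
"""


def parse_squid_line(line):
    """Return (client_ip, url) from a Squid native log line, or None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    # Squid native format: time elapsed client action/code size method url ident hierarchy type
    return fields[2], fields[6]


def scan_proxy_log(log_text):
    """Return one record per request whose path matches an indicator path."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        client, url = parsed
        parts = urlsplit(url)
        if parts.path not in INDICATOR_PATHS:
            continue
        host = parts.hostname or ""
        # The diary only names .cn hosts; the same path elsewhere is worth a look but weaker
        confidence = "high" if host.endswith(".cn") else "low"
        hits.append({"client": client, "url": url, "host": host,
                     "path": parts.path, "confidence": confidence})
    return hits


def clients_with_full_chain(hits):
    """Clients that fetched every indicator path from a .cn host (script plus exploit page)."""
    seen = {}
    for hit in hits:
        if hit["confidence"] == "high":
            seen.setdefault(hit["client"], set()).add(hit["path"])
    return {client for client, paths in seen.items() if paths == set(INDICATOR_PATHS)}


def md5_matches_indicator(data):
    """True if the given file contents hash to the reported install.exe MD5."""
    return hashlib.md5(data).hexdigest() == INSTALL_EXE_MD5


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['confidence']:4} {hit['client']:12} {hit['url']}")
    print("clients with full chain:", sorted(clients_with_full_chain(found)))
```

Run against a real access.log by reading the file into `scan_proxy_log`; clients in the full-chain set are the ones to check for the three dropped files the diary names.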

2007-03-14, 00:44

- http://www.us-cert.gov/current/#apsec07003
March 13, 2007 ~ "Apple has released Security Update 2007-003 to address multiple vulnerabilities in various products. The impacts of these vulnerabilities include arbitrary code execution, privilege escalation, SYSTEM level access, cross-site scripting, sensitive data exposure, file manipulation, and denial of service..."

- http://docs.info.apple.com/article.html?artnum=305214

- http://www.apple.com/support/downloads/
Security Update 2007-003 (10.3.9 Client)
Security Update 2007-003 is recommended for all users.
03/13/2007 36MB

Security Update 2007-003 (10.3.9 Server)
Security Update 2007-003 is recommended for all servers.
03/13/2007 49.5MB

> http://docs.info.apple.com/article.html?artnum=106704

- http://blog.washingtonpost.com/securityfix/2007/03/apple_patches_nearly_four_doze.html
March 13, 2007 ~ "...Turned out to be "Patch Tuesday" after all, only the security updates were released by Apple instead of Microsoft. Apple issued security updates to plug at least 46 separate security holes in its operating system and other software..."


2007-03-15, 11:34

- http://secunia.com/advisories/24492/
Release Date: 2007-03-14
Critical: Moderately critical
Impact: Security Bypass, DoS
Where: From remote
Solution Status: Vendor Patch
OS: Linux Kernel 2.6.x ...
Solution: Update to version
Provided and/or discovered by: Reported by the vendor.
Original Advisory:
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog- ..."


2007-03-15, 18:21

- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=751
March 15, 2007 ~ "Websense Security Labs™ has received reports of new, malicious Web sites which are designed to install Trojan horses. The Web sites are hosted in Korea and Hong Kong. The sites attempt to exploit the Microsoft AdoDB / XML HTTP (MS06-014) vulnerability to download and install a Trojan downloader without end-user interaction. Users receive an email, written in German, requesting that they visit a Web site to verify their order number. Upon visiting the site, the malicious code is automatically downloaded and run, assuming the user is not patched for the Microsoft vulnerability. The original site, which is hosted in Korea, appears to have been compromised. An IFRAME pointing to the exploit code site is contained at the bottom of the original site. The site contains encoded JavaScript which, when decoded, runs the exploit code and downloads an .exe file, update.exe, from a server in Hong Kong..."

(Screenshots available at the URL above.)

Viral Video...
> http://www.websense.com/securitylabs/blog/blog.php?BlogID=114
Mar 15 2007 ~ "This is a follow up post on our alert we added earlier today (see: http://www.websense.com/securitylabs/alerts/alert.php?AlertID=751 ). We have since discovered a different SPAM run that is using the same sites but with a different lure on a different compromised site. This version's lure is written in English, not German, and poses as a website that hosts video on the web. In particular it lures users to view something called the "Redneck Slingshot". One piece of irony is the subject of the SPAM lure is "must see viral video". Assuming users click on the link they are redirected to a site which is hosted in the United States, and was up at the time of this entry. The site appears to also have been compromised and is pointing to the same site that our previous alert outlined (see: http://www.websense.com/securitylabs/alerts/alert.php?AlertID=751 )."