CodeRed F will probably be working its way through the Internet for a while as, unlike CodeRed II, it does not have a built-in self-termination date. This is bad news, because someone has to pay for the bandwidth it's using, engineers need to patch systems and it creates security systems management issues.

The sendmail vulnerability is fairly serious as it is obvious that many organizations use sendmail as their MTA (Message Transfer Agent). We can't stress enough how important it is to have a program in place to ensure all of your software programs are patched up to the latest level.

There are two IT Security related conferences running in May this year, one in the northern and one in the southern hemisphere; they are:

AusCERT Asia Pacific - Information Technology Security Conference 2003
May 11 - 15 2003 - Brisbane, Australia

EICAR - Annual Conference on IT Security
May 10 - 13 2003 - Copenhagen, Denmark

There are details of these events at the end of the newsletter.

Best Regards
David Banes.
Editor, Symantec Security Response Newsletter.
Useful Links

Microsoft Security Bulletin MS02-061
Elevation of Privilege in SQL Server Web Tasks (Q316333)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-061.asp

Viruses, Worms & Trojans
CodeRed.F
Aliases: CodeRed.v3, CodeRed.C, CodeRed III, W32.Bady.C, W32/CodeRed.a.worm [McAfee]
Risk: Medium [3]
Date: March 11th 2003
Platforms Affected: Microsoft IIS
Overview
As of March 11, 2003, Symantec Security Response has confirmed that a new minor variant of CodeRed II has been found in the wild. CodeRed.F differs in only two bytes from the original CodeRed II. CodeRed II will restart the system if the year is greater than 2001; this is no longer the case for this variant.

Symantec antivirus products detect CodeRed.F as CodeRed Worm if it is saved to a file. The worm also drops a Trojan, which will be detected as Trojan.VirtualRoot. The existing CodeRed Removal Tool will correctly detect and remove this new variant.

CodeRed.F scans IP addresses for vulnerable Microsoft IIS 4.0 and 5.0 Web servers and uses a buffer overflow vulnerability to infect the remote computers. The worm injects itself directly into memory, rather than copying itself as a file on the system. In addition, CodeRed.F creates a file detected as Trojan.VirtualRoot. Trojan.VirtualRoot gives the hacker full remote access to the Web server.

If you are running the Microsoft IIS Server, we recommend that you apply the latest Microsoft patch to protect yourself from this worm. The patch can be found at http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

A cumulative patch for IIS, including the four patches released to date, is available at http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

In addition, Trojan.VirtualRoot takes advantage of a vulnerability in Windows 2000. Download and install the following Microsoft security patch to address this problem and stop the Trojan from re-infecting the computer: http://www.microsoft.com/technet/security/bulletin/MS00-052.asp
References
http://www.sarc.com/avcenter/venc/data/codered.f.html
W32.HLLW.Oror.AI@mm
Aliases: W32.HLLW.Oror.AD@mm, W32/Roro.AD@mm [F-Prot], I-Worm.Roron.gen [KAV]
Risk: Low [2]
Date: March 14th 2003
Platforms Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Overview
W32.HLLW.Oror.AI@mm is a variant of the W32.HLLW.Oror@mm mass-mailing worm. This worm attempts to spread using email, mIRC, KaZaA, network shares, and mapped drives. The email attachment arrives with a .exe or .scr file extension. W32.HLLW.Oror.AI@mm also attempts to terminate and remove various security products from the infected computer.

This threat is written in the C++ language. Some of the files are compressed with UPX.
References
http://www.sarc.com/avcenter/venc/data/w32.hllw.oror.ai@mm.html

Credit
Jari Kytojoki, Symantec Security Response EMEA
Security Advisories

Sendmail Header Processing Buffer Overflow Vulnerability
Risk: High
Date: 3rd March 2003
Components Affected: Many, listed here: http://www.sarc.com/avcenter/security/Content/3.3.2003.html
Description
Sendmail is a widely used MTA for Unix and Microsoft Windows systems.

A remotely exploitable vulnerability has been discovered in Sendmail. The vulnerability is due to a buffer overflow condition in the SMTP header parsing component. Remote attackers may exploit this vulnerability by connecting to target SMTP servers and transmitting malformed SMTP data to them.

The overflow condition occurs when Sendmail processes incoming e-mail messages with multiple addresses in a field such as "From:" or "CC:". One of the checks to ensure that the addresses are valid is flawed, resulting in a buffer overflow condition. Successful attackers may exploit this vulnerability to gain root privileges on affected servers remotely.

Versions 5.2 to 8.12.7 are affected. Administrators are advised to upgrade to 8.12.8 or apply available patches to prior versions of the 8.x tree.
References
http://www.sarc.com/avcenter/security/Content/3.3.2003.html

Credits
Discovered by Mark Dowd of ISS X-Force.
Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability
Risk: High
Date: 17th March 2003
Components Affected: IIS 5.0 on Microsoft Windows 2000
Description
Microsoft has released Security Bulletin MS03-007, outlining a previously unreported vulnerability present in the Microsoft Windows 2000 IIS WebDAV component. The vulnerability is a buffer overflow condition, which requires Microsoft IIS to be enabled in order to be exploitable.

WebDAV (World Wide Web Distributed Authoring and Versioning) is implemented by IIS, if installed, in the Microsoft Windows 2000 operating system. IIS is installed by default on Windows 2000 Server and Advanced Server, but is not installed by default on Windows 2000 Professional.

The WebDAV protocol is documented in RFC 2518 (ftp://ftp.rfc-editor.org/in-notes/rfc2518.txt), and provides a standard for Web-based editing and file management. A buffer overflow vulnerability is present in a Microsoft Windows 2000 component used by WebDAV. WebDAV does not perform sufficient bounds checking on data passed to a particular system component. When unusually long data is supplied to the vulnerable WebDAV component, it is in turn passed to the ntdll.dll system component. WebDAV fails to perform sufficient bounds checking on this data, allowing a buffer to be overrun. This could result in the execution of arbitrary code in the context of the IIS service, which by default is LocalSystem.
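As a defender-side illustration of the condition described above (an unusually long request reaching the WebDAV component), here is an added Python example, not Symantec's or Microsoft's code, that scans IIS W3C extended log lines for WebDAV methods with oversized URI stems. The 1024-character threshold and the sample log lines are assumed and constructed; the field names follow the IIS W3C extended log header.

```python
"""Flag IIS W3C extended log entries that look like oversized WebDAV requests.

Added example for this advisory, not Symantec's or Microsoft's code. Assumes IIS
W3C extended logging with a "#Fields:" header naming at least c-ip, cs-method
and cs-uri-stem; the sample log lines below are constructed.
"""
from typing import Dict, Iterable, List

# WebDAV methods from RFC 2518, plus SEARCH, which IIS 5.0 also hands to WebDAV.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
# Longer than any legitimate DAV path; an assumed threshold, tune per site.
MAX_URI_STEM = 1024

def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by the #Fields: names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header defines the column order
        elif line.startswith("#") or not line.strip():
            continue                       # other directives and blank lines
        elif fields:
            records.append(dict(zip(fields, line.split(" "))))
    return records

def find_suspicious_webdav(records: List[Dict[str, str]],
                           max_len: int = MAX_URI_STEM) -> List[Dict[str, str]]:
    """Return WebDAV requests whose URI stem exceeds max_len characters."""
    hits = []
    for rec in records:
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "")
        if method in WEBDAV_METHODS and len(stem) > max_len:
            hits.append({"client": rec.get("c-ip", "?"), "method": method,
                         "uri_len": str(len(stem)),
                         "status": rec.get("sc-status", "?")})
    return hits

# Constructed sample: two benign requests and one oversized SEARCH request.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2003-03-17 10:01:55 192.0.2.10 GET /default.htm - 200",
    "2003-03-17 10:02:03 192.0.2.11 PROPFIND /docs/ - 207",
    "2003-03-17 10:02:11 203.0.113.7 SEARCH /" + "A" * 65000 + " - 500",
]
```

Run `find_suspicious_webdav(parse_w3c(SAMPLE_LOG))` to get the single flagged SEARCH record; a patched server still logs such requests, so the hits are a signal to check patch status rather than proof of compromise.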
Recommendations
Administrators are highly encouraged to apply the vendor-supplied fixes provided below. Patches may be installed on Windows 2000 systems running either Service Pack 2 or Service Pack 3.

All versions of Windows 2000 except Japanese NEC - Patch
http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en

Windows 2000 Japanese NEC version - Patch
http://microsoft.com/downloads/details.aspx?FamilyId=FBCF9847-D3D6-4493-8DCF-9BA29263C49F&displaylang=ja

References
http://www.microsoft.com/

Credits
Microsoft
Security News

EICAR - Annual Conference on IT Security
May 10 - 13 2003 - Copenhagen, Denmark
The 12th annual EICAR conference promises again to be an exciting event welcoming vendors, researchers, and users from business, government and universities to discuss new developments in:
- Pervasive computing
- Forensics
- Intrusion detection
- Cybercrime, privacy and security
- Anti-virus and malware
- IT law

More information can be found here: http://conference.EICAR.org

Take advantage of the online registration at: http://conference.eicar.org/frame/registration/other/registration.html

There are Student Awards for best research proposal, paper, etc., and the Graduate workshop promises a lot of excitement: http://conference.eicar.org/frame/students/students.html

As well as these events, a professional clinic allows attendees to acquire new or freshen their IT Security skills.

(Please quote reference AU2003 if enquiring about this conference via this publication)
AusCERT Asia Pacific - Information Technology Security Conference 2003
May 11 - 15 2003 - Brisbane, Australia
An international conference focussing on IT security for CFOs, CIOs, CTOs and technical staff from government agencies, universities and industry.

At AusCERT 2003, you will learn from world class experts about the latest strategies to make your information systems secure and how to address computer security breaches:
- Discover the key security issues your organization should be addressing.
- Understand the strategic and tactical implications of IT security for your organization.
- Get up-to-date on the latest threats and mitigation strategies.
- Understand computer security threats and trends.

This is an IT security conference with a difference: it includes business and technical streams and a day and a half of tutorials. World class IT security speakers will be present from Asia, Australia, Europe and the USA.

Over 400 delegates attended AusCERT2002. On their feedback form, 90% of respondents said the content was excellent or very good. Delegates said this was the best IT Security conference they had ever been to!

(Please quote reference AU2003 if enquiring about this conference via this publication)
Contacts and Subscriptions:
Follow this link to subscribe or unsubscribe: http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html
Send virus samples to: avsubmit@symantec.com
Symantec, the Symantec logo, [registered trademarks in alphabetical order] are U.S. registered trademarks of Symantec Corporation. [Common law trademarks in alphabetical order] are trademarks of Symantec Corporation.

Windows, Windows NT, and the Windows logo are registered trademarks of Microsoft Corporation in the United States and other countries. All other brand and product names are trademarks of their respective holder(s).

Copyright © 2003 Symantec Corporation. All rights reserved. Printed in Australia. March 2003.