Symantec Security Response Newsletter

Guest_AcidMan_*


ISSN 1444-999 June 2003 Newsletter
--------------------------------------------------------------------------
Bugbear made a comeback this month in the form of W32.Bugbear.b@mm. This
variant has some significant differences to the original version. Of most
concern is the key logging and data export. Of course users wouldn't be
infected if their systems were patched up to date. It's the same problem,
an old vulnerability, first discovered in March 2001, still giving viruses
and worms like Bugbear a way onto your PC.

We are late publishing the June edition, I've been busy with the next
version of Symantec's Internet Threat Report, due out in September,
analysing the Newsletter survey results and working on the new HTML format.

In response to the survey conducted on this newsletter we have added a
couple of new sections, changed a few sections and taken note of your
comments. Later editions will be further enhanced but in this edition
you'll find a calendar of selected security events and IT Security news
links that may be of interest.

One of the more controversial additions are the 'Symantec Solution' boxes
embedded in the articles. These are a compromise, we didn't want to carry
advertising but many subscribers want to know what products we have to
combat security issues, so these boxes are, I think, a reasonable way of
covering these issues.

AVAR (Association of anti Virus Asia Researchers) have just issued their
call for papers for the conference that will be held in Sydney, Australia
later this year. As an AVAR VP I'm proud to be the conference chair on
behalf of AVAR for this year. Details of the event are in the calendar.

I've recently had the pleasure of working with Syngress to write the
Foreword to a new book; Configuring Symantec AntiVirus Corporate Edition
(ISBN: 1-931836-81-7). You can get a copy from Amazon here, and no I
won't make any money from promoting this link. :)

Best Regards

David Banes.
Editor, Symantec Security Response Newsletter.

--------------------------------------------------------------------------
Useful Links
--------------------------------------------------------------------------
Note: Participate in the Online Subscriber Survey.
http://survey.confir...161533899/i.asp

Use Symantec Security Alerts on Your Web Site
http://securityrespo...n/syndicate.cgi

To unsubscribe to this newsletter please go to;
http://securityrespo...newsletter.html

Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
http://www.microsoft...in/MS01-020.asp

Virus Removal Tools
Fix tools for threats such as W32.HLLW.Lovgate, W32.SQLExp.Worm,
W32.Sobig.A@mm and W32.Bugbear@mm
http://www.sarc.com/...tools.list.html

Virus Hoaxes
------------
There are many email virus hoaxes, please check here before forwarding email
virus warnings.
http://securityrespo...enter/hoax.html

Joke Programs
------------
Joke programs are not malicious and can be safely deleted.
http://securityrespo...nter/jokes.html

--------------------------------------------------------------------------
Top Malicious Code Threats

Risk  Threat                 Discovered    Protection
4     W32.Bugbear.B@mm       4 Jun 2003    5 Jun 2003
4     W32.Klez.H@mm          17 Apr 2002   17 Apr 2002
3     W32.Sobig.E@mm         25 Jun 2003   25 Jun 2003
3     W32.HLLW.Fizzer@mm     8 May 2003    9 May 2003
3     W32.SQLExp.Worm        24 Jan 2003   24 Jan 2003

--------------------------------------------------------------------------
Latest Malicious Code Threats

Risk  Threat                 Discovered    Protection
2     W32.Vivael@mm          28 Jun 2003   28 Jun 2003
2     W32.Klexe.Worm         27 Jun 2003   28 Jun 2003
2     W32.Mumu.B.Worm        26 Jun 2003   26 Jun 2003
1     W32.HLLW.Lovgate.L@mm  25 Jun 2003   25 Jun 2003
1     W32.Yaha.T@mm          24 Jun 2003   25 Jun 2003

--------------------------------------------------------------------------
Common Vulnerabilities

Microsoft IE MIME Header Attachment Execution Vulnerability
Bugtraq ID 2524
CVE Reference CVE-2001-0154
Exploited by W32.Klez, W32.Sobig, W32.Bugbear, W32.Yaha,
W32.Nimda, W32.Lirva

MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
Bugtraq ID 2708
CVE Reference CVE-2001-0333
Exploited by W32.Nimda

Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
Bugtraq ID 1806
CVE Reference CVE-2000-0884
Exploited by W32.Nimda

Microsoft Windows 9x / Me Share Level Password Bypass Vulnerability
Bugtraq ID 1780
CVE Reference CVE-2000-0979
Exploited by W32.Opaserv

Microsoft SQL Server Resolution Service buffer overflows allow arbitrary
code execution
Bugtraq ID 5311
CVE Reference CAN-2002-0649
Exploited by W32.SQLExp.Worm

--------------------------------------------------------------------------
Viruses, Worms & Trojans
--------------------------------------------------------------------------
W32.Bugbear.B@mm

Aliases :
Win32.Bugbear.B [CA], W32/Bugbear.b@MM [McAfee], PE_BUGBEAR.B [Trend],
W32/Bugbear-B [Sophos], I-Worm.Tanatos.b [KAV], W32/Bugbear.B [Panda],
Win32/Bugbear.B@mm [RAV]

Risk : High [4]

Date : 4th June 2003

Systems Affected:
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Overview
W32.Bugbear.B@mm worm is:

- A variant of W32.Bugbear@mm.
- A mass-mailing worm that also spreads through network shares.
- Polymorphic and also infects a select list of executable files.
- Possesses keystroke-logging and Backdoor capabilities.
- Attempts to terminate the processes of various antivirus and firewall
programs.

The worm uses the Incorrect MIME Header Can Cause IE to Execute E-mail
Attachment vulnerability to cause unpatched systems to auto-execute the
worm when reading or previewing an infected message.

In addition, the worm contains routines that specifically affect financial
institutions. This functionality will cause the worm to send sensitive
data to one of ten hard-coded public Internet e-mail addresses.

The information sent includes cached passwords and key-logging data.

Because the worm does not properly handle the network resource types, it
may flood shared printer resources, which causes them to print garbage or
disrupt their normal functionality.

NOTE : If you believe your computer may already be infected with
W32.Bugbear.B@mm because your antivirus software does not work, scan your
system over the Internet with Symantec Security Check.

Symantec Security Response has created a tool to remove W32.Bugbear.B@mm,
which is the easiest way to remove this threat.

Credits

Write-up by: Eric Chien, Security Response EMEA.

References
Symantec Security Response
http://www.sarc.com/[email protected]

--------------------------------------------------------------------------
W32.Sobig.E@mm

Aliases
Win32.Sobig.E [CA], W32/Sobig-E [Sophos], W32/Sobig.e@MM [McAfee],
WORM_SOBIG.E [Trend]

Risk : Medium [3]

Date : 25th June 2003

Systems Affected
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Overview

W32.Sobig.E@mm is a mass-mailing worm that sends itself to all the email
addresses that it finds in the files with the following extensions:

.wab
.dbx
.htm
.html
.eml
.txt

The email falsely purports that Yahoo sent it ([email protected]).

Email Routine Details
The email message has the following characteristics:

From: [email protected]
( NOTE : W32.Sobig.E@mm spoofs this field. It could be any address.)

Subject: The subject line will be one of the following:

Re: Application
Re: Movie
Re: Movies
Re: Submitted
Re: ScRe:ensaver
Re: Documents
Re: Re: Application ref 003644
Re: Re: Document
Your application
Application.pif
Applications.pif
movie.pif
Screensaver.scr
submited.pif
new document.pif
Re: document.pif
004448554.pif
Referer.pif

Attachment: The attachment name will be one of the following:

Your_details.zip (contains Details.pif)
Application.zip (contains Application.pif)
document.zip (contains document.pif)
Screensaver.zip (contains Sky.world.scr)
Movie.zip (contains Movie.pif)

NOTE: The worm de-activates on July 14, 2003, and therefore, the last day
on which the worm will spread is July 13, 2003.

Symantec Security Response has created a tool to remove W32.Sobig.E@mm.

References
Symantec Security Response
http://www.sarc.com/[email protected]

--------------------------------------------------------------------------
Featured Analyses
from Symantec DeepSight Threat Management System
http://tms.symantec.com/

Fu Rootkit Analysis
-------------------
Fu is a kernel rootkit created for Microsoft Windows NT4, Microsoft Windows
2000, and Microsoft Windows XP. By directly accessing Windows kernel data
structures, Fu creates an effective avenue of clandestine access, which
attackers may use to conceal their presence and perform operations with
elevated privileges on a compromised system.

Manifesting itself in the form of a device driver, Fu is especially
dangerous because it modifies the behaviour of the underlying operating
system at the lowest possible level. Once deployed, operations performed
via this utility may be extremely difficult to detect.


Spybot version 3 Analysis
-------------------------
Spybot, also known as Milkit, is an open source trojan that contains
several mechanisms of propagation. Spybot can spread using file sharing
applications and vulnerabilities in other trojans as propagation vectors.

Spybot will attempt to take control of systems that were previously
compromised and are running the Sub-Seven or Kuang2 trojan. An infected
system will connect to an Internet Relay Chat (IRC) channel and wait for
the attacker to issue instructions. Once a system has been infected, that
attacker will have complete control of the system via IRC.

An attacker can modify the Spybot source code to create a trojan that will
meet the attacker's needs. The customisable nature of Spybot can result in
dynamic behaviour and unique binaries, which can make detection and removal
a complex task.


W32.Illpatient IRC-based RAT Analysis
-------------------------------------
W32.Illpatient is an IRC-based Remote Access Tool (RAT), written in C,
which runs on the Win32 family of operating systems. It was obtained from
a compromised Symantec DeepSight Honeypot and was found compressed with
UPX.

This utility was loaded onto a compromised Symantec DeepSight Honeypot,
with what may have been a scripted installation routine, as this utility
does not appear to be capable of propagating automatically.

W32.Illpatient receives commands from its owner through Internet Relay Chat
(IRC). During startup, it connects to a hard-coded IRC server, and joins a
private, keyed channel. Although W32.Illpatient contains several features,
including a Denial of Service (DoS) routine, testing has indicated that it
is not very stable.

--------------------------------------------------------------------------
Security News

PetCo Plugs Credit Card Leak
By Kevin Poulsen Jun 30 2003
Pet supply site offered more than kitty litter and flea collars. ... >>
http://www.securityfocus.com/news/6194

AT&T lets phone fraud victims off the hook
By Kevin Poulsen Jun 25 2003
The company will abandon its efforts to collect on four-figure phone bills
left by a voice-mail cracking scheme. ... >>
http://www.securityfocus.com/news/6158

-------------------------------------------------------------------------
Security Advisories

FastTrack P2P Supernode Packet Handler Buffer Overflow Vulnerability

Risk : High
Date : 26th May 2003
Components Affected: Many, listed here;
http://securityrespo...ntent/7680.html

Overview
FastTrack P2P Supernode Packet Handler has been reported prone to a buffer
overflow vulnerability. The issue presents itself in the FastTrack
Supernode packet handler. The handler does not perform sufficient bounds
checking on supernode entries received before they are copied into a
reserved buffer in internal memory.

An attacker may exploit this vulnerability to trigger a denial of service
condition or ultimately have arbitrary attacker supplied code executed.
Code execution would occur in the context of the user running an
application that incorporates the vulnerable FastTrack P2P Packet Handler.

It should be noted that this vulnerability has been tested on KaZaA version
2.0.2. Other versions of KaZaA and similar file-sharing clients based on
FastTrack P2P technology may also be affected.

Recommendations
Block external access at the network boundary, unless service is required
by external parties. If applicable, block all incoming FastTrack P2P based
traffic at the network boundary.

Credits
Discovery of this vulnerability has been credited to random nut.

References
Source: Grokster Homepage
URL: http://www.grokster.com/

Source: iMesh Product Homepage
URL: http://www.imesh.com

Source: KaZaA Homepage
URL: http://www.kazaa.com/

Source: Morpheus Homepage
URL: http://www.musiccity.com

Symantec Security Response

http://securityrespo...ntent/7680.html

--------------------------------------------------------------------------
PMachine Lib.Inc.PHP Remote Include Command Execution Vulnerability

Risk : High
Date : 15th June 2003
Components Affected
PMachine PMachine 2.2.1

Overview
It has been reported that PMachine does not properly handle include files
under some circumstances. Because of this, an attacker may be able to
remotely execute commands.

Recommendations
Block external access at the network boundary, unless service is required
by external parties.

Filter untrusted network traffic at border routers and network firewalls.

Running the server in a closed or restricted environment may limit the
consequences of successful exploitation. Execute server processes with
the least privileges required, and place processes in a restrictive
environment.

Currently we are not aware of any vendor-supplied patches for this issue.
If you feel we are in error or are aware of more recent information,
please mail us at: [email protected] .
PMachine PMachine 2.2.1:

Credits
Discovery credited to "Frog Man".

References
Source: SecurityFocus
URL: http://www.securityf.../bid/7919/info/
Source: PMachine Homepage
URL: http://www.pmachine.com

--------------------------------------------------------------------------
Security Events Calendar

SANSFIRE 2003
July 14-19, 2003
Washington, DC, USA.

http://www.sans.org/sansfire03/
--------------------------------------------------------------------------
Department of Homeland Security IT Security Conference
July 9-10, 2003
Baltimore, MD, USA
--------------------------------------------------------------------------
VB2003 - VB Conference 2003
Sept 25-26, 2003
Toronto, Canada
http://www.virusbtn....b2003/index.xml
--------------------------------------------------------------------------
AVAR 2003 - Malicious Code Conference 2003
November 6-7, 2003.
Sydney, Australia
http://www.aavar.org/

--------------------------------------------------------------------------
Symantec Glossary for definitions of viruses, Trojans and worms and more.
http://www.symantec....enter/refa.html
--------------------------------------------------------------------------
Contacts
--------------------------------------------------------------------------
Correspondence by email to: [email protected] no unsubscribe or
support emails please.
Send virus samples to: [email protected]
Newsletter Archive: http://www.symantec....ewsletters.html
--------------------------------------------------------------------------
Subscribe and Unsubscribe
--------------------------------------------------------------------------
To be added or removed from the subscription mailing list, please fill out
the form available on the Symantec website at:
http://www.symantec..../subscribe.html
The Symantec Security Response Newsletter is published periodically by
Symantec Corporation. No reprint without permission in writing, in advance.
--------------------------------------------------------------------------
This message contains Symantec Corporation's current view of the topics
discussed as of the date of this document. The information contained in
this message is provided "as is" without warranty of any kind, either
expressed or implied, including but not limited to the implied warranties
of merchantability, fitness for a particular purpose, and freedom from
infringement. The user assumes the entire risk as to the accuracy and the
use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec
Corporation. Other brands and products are trademarks of their respective
holder(s). © Copyright 2002 Symantec Corporation. All rights reserved.
Materials may not be published in other documents without the express,
written permission of Symantec Corporation.
--------------------------------------------------------------------------

--------------------------------------------------------------------------------
ISSN 1444-9994

Symantec Security Response Newsletter
June 2003

Bugbear Makes a Comeback!



Bugbear made a comeback this month in the form of W32.Bugbear.b@mm. This variant has some significant differences to the original version. Of most concern is the key logging and data export. Of course users wouldn't be infected if their systems were patched up to date. It's the same problem, an old vulnerability, first discovered in March 2001, still giving viruses and worms like Bugbear a way onto your PC.

We are late publishing the June edition, I've been busy with the next version of Symantec's Internet Threat Report, due out in September, analysing the Newsletter survey results and working on the new HTML format.

In response to the survey conducted on this newsletter we have added a couple of new sections, changed a few sections and taken note of your comments. Later editions will be further enhanced but in this edition you'll find a calendar of selected security events and IT Security news links that may be of interest.

One of the more controversial additions are the 'Symantec Solution' boxes embedded in the articles. These are a compromise, we didn't want to carry advertising but many subscribers want to know what products we have to combat security issues, so these boxes are, I think, a reasonable way of covering these issues.

AVAR (Association of anti Virus Asia Researchers) have just issued their call for papers for the conference that will be held in Sydney, Australia later this year. As an AVAR VP I'm proud to be the conference chair on behalf of AVAR for this year. Details of the event are in the calendar.

I've recently had the pleasure of working with Syngress to write the Foreword to a new book; Configuring Symantec AntiVirus Corporate Edition (ISBN: 1-931836-81-7). You can get a copy from Amazon here, and no I won't make any money from promoting this link. :)

Best Regards

David Banes




Viruses, Trojans & Worms


W32.Bugbear.B@mm

Aliases :
Win32.Bugbear.B [CA], W32/Bugbear.b@MM [McAfee], PE_BUGBEAR.B [Trend], W32/Bugbear-B [Sophos], I-Worm.Tanatos.b [KAV], W32/Bugbear.B [Panda], Win32/Bugbear.B@mm [RAV]

Risk : High [4]

Date : 4th June 2003

Systems Affected:
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me


Overview
W32.Bugbear.B@mm worm is:

- A variant of W32.Bugbear@mm.
- A mass-mailing worm that also spreads through network shares.
- Polymorphic and also infects a select list of executable files.
- Possesses keystroke-logging and Backdoor capabilities.
- Attempts to terminate the processes of various antivirus and firewall programs.

The worm uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to cause unpatched systems to auto-execute the worm when reading or previewing an infected message.

In addition, the worm contains routines that specifically affect financial institutions. This functionality will cause the worm to send sensitive data to one of ten hard-coded public Internet e-mail addresses.



The information sent includes cached passwords and key-logging data.   


Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality.

Symantec Solutions
Symantec AntiVirus for SMTP Gateways, Intruder Alert, NetProwler, Gateway Security, Symantec Manhunt

NOTE : If you believe your computer may already be infected with W32.Bugbear.B@mm because your antivirus software does not work, scan your system over the Internet with Symantec Security Check.

Symantec Security Response has created a tool to remove W32.Bugbear.B@mm, which is the easiest way to remove this threat.


Credits

Write-up by: Eric Chien, Security Response EMEA.


References
Symantec Security Response
http://www.sarc.com/[email protected]


--------------------------------------------------------------------------------

W32.Sobig.E@mm
Aliases
Win32.Sobig.E [CA], W32/Sobig-E [Sophos], W32/Sobig.e@MM [McAfee], WORM_SOBIG.E [Trend]
Risk : Medium [3]
Date : 25th June 2003
Systems Affected
Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Overview

W32.Sobig.E@mm is a mass-mailing worm that sends itself to all the email addresses that it finds in the files with the following extensions:

.wab
.dbx
.htm
.html
.eml
.txt

The email falsely purports that Yahoo sent it ([email protected]).

Email Routine Details
The email message has the following characteristics:


From: [email protected]
( NOTE : W32.Sobig.E@mm spoofs this field. It could be any address.)

Subject: The subject line will be one of the following:

Re: Application
Re: Movie
Re: Movies
Re: Submitted
Re: ScRe:ensaver
Re: Documents
Re: Re: Application ref 003644
Re: Re: Document
Your application
Application.pif
Applications.pif
movie.pif
Screensaver.scr
submited.pif
new document.pif
Re: document.pif
004448554.pif
Referer.pif

Symantec Solutions
Symantec AntiVirus for SMTP Gateways, Intruder Alert, NetProwler, Gateway Security, Symantec Manhunt

Attachment: The attachment name will be one of the following:

Your_details.zip (contains Details.pif)
Application.zip (contains Application.pif)
document.zip (contains document.pif)
Screensaver.zip (contains Sky.world.scr)
Movie.zip (contains Movie.pif)

NOTE: The worm de-activates on July 14, 2003, and therefore, the last day on which the worm will spread is July 13, 2003.

Symantec Security Response has created a tool to remove W32.Sobig.E@mm.


References
Symantec Security Response
http://www.sarc.com/[email protected]




Featured Analyses
from Symantec DeepSight Threat Management System
http://tms.symantec.com/  
Fu Rootkit Analysis

Fu is a kernel rootkit created for Microsoft Windows NT4, Microsoft Windows 2000, and Microsoft Windows XP. By directly accessing Windows kernel data structures, Fu creates an effective avenue of clandestine access, which attackers may use to conceal their presence and perform operations with elevated privileges on a compromised system.

Manifesting itself in the form of a device driver, Fu is especially dangerous because it modifies the behaviour of the underlying operating system at the lowest possible level. Once deployed, operations performed via this utility may be extremely difficult to detect.


--------------------------------------------------------------------------------

Spybot version 3 Analysis
Spybot, also known as Milkit, is an open source trojan that contains several mechanisms of propagation. Spybot can spread using file sharing applications and vulnerabilities in other trojans as propagation vectors. Spybot will attempt to take control of systems that were previously compromised and are running the Sub-Seven or Kuang2 trojan. An infected system will connect to an Internet Relay Chat (IRC) channel and wait for the attacker to issue instructions. Once a system has been infected, that attacker will have complete control of the system via IRC.
An attacker can modify the Spybot source code to create a trojan that will meet the attacker's needs. The customisable nature of Spybot can result in dynamic behaviour and unique binaries, which can make detection and removal a complex task.


--------------------------------------------------------------------------------

W32.Illpatient IRC-based RAT Analysis
W32.Illpatient is an IRC-based Remote Access Tool (RAT), written in C, which runs on the Win32 family of operating systems. It was obtained from a compromised Symantec DeepSight Honeypot and was found compressed with UPX.
This utility was loaded onto a compromised Symantec DeepSight Honeypot, with what may have been a scripted installation routine, as this utility does not appear to be capable of propagating automatically.

W32.Illpatient receives commands from its owner through Internet Relay Chat (IRC). During startup, it connects to a hard-coded IRC server, and joins a private, keyed channel. Although W32.Illpatient contains several features, including a Denial of Service (DoS) routine, testing has indicated that it is not very stable.

  

Top Malicious Code Threats




Risk  Threat                 Discovered    Protection
4     W32.Bugbear.B@mm       4 Jun 2003    5 Jun 2003
4     W32.Klez.H@mm          17 Apr 2002   17 Apr 2002
3     W32.Sobig.E@mm         25 Jun 2003   25 Jun 2003
3     W32.HLLW.Fizzer@mm     8 May 2003    9 May 2003
3     W32.SQLExp.Worm        24 Jan 2003   24 Jan 2003
  



Latest Malicious Code Threats




Risk  Threat                 Discovered    Protection
2     W32.Vivael@mm          28 Jun 2003   28 Jun 2003
2     W32.Klexe.Worm         27 Jun 2003   28 Jun 2003
2     W32.Mumu.B.Worm        26 Jun 2003   26 Jun 2003
1     W32.HLLW.Lovgate.L@mm  25 Jun 2003   25 Jun 2003
1     W32.Yaha.T@mm          24 Jun 2003   25 Jun 2003
  



Common Vulnerabilities




Microsoft IE MIME Header Attachment Execution Vulnerability
Bugtraq ID 2524
CVE Reference CVE-2001-0154
Exploited by W32.Klez, W32.Sobig, W32.Bugbear, W32.Yaha, W32.Nimda, W32.Lirva

MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
Bugtraq ID 2708
CVE Reference CVE-2001-0333
Exploited by W32.Nimda

Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
Bugtraq ID 1806
CVE Reference CVE-2000-0884
Exploited by W32.Nimda

Microsoft Windows 9x / Me Share Level Password Bypass Vulnerability
Bugtraq ID 1780
CVE Reference CVE-2000-0979
Exploited by W32.Opaserv

Microsoft SQL Server Resolution Service buffer overflows allow arbitrary code execution
Bugtraq ID 5311
CVE Reference CAN-2002-0649
Exploited by W32.SQLExp.Worm
  



Security News
PetCo Plugs Credit Card Leak
By Kevin Poulsen Jun 30 2003
Pet supply site offered more than kitty litter and flea collars. ... >>


AT&T lets phone fraud victims off the hook
By  Kevin Poulsen Jun 25 2003
The company will abandon its efforts to collect on four-figure phone bills left by a voice-mail cracking scheme. ... >>







Useful Links  
  

Incorrect MIME Header Can Cause IE to Execute E-mail Attachment


--------------------------------------------------------------------------------

Virus Removal Tools
Fix tools for threats such as W32.HLLW.Lovgate, W32.SQLExp.Worm, W32.Sobig.A@mm and W32.Bugbear@mm


--------------------------------------------------------------------------------

Virus Hoaxes

There are many email virus hoaxes, please check here before forwarding email virus warnings.


--------------------------------------------------------------------------------

Joke Programs

Joke programs are not malicious and can be safely deleted.




Security Events Calendar

SANSFIRE 2003
July 14-19, 2003
Washington, DC, USA.

http://www.sans.org/sansfire03/


--------------------------------------------------------------------------------
Department of Homeland Security IT Security Conference
July 9-10, 2003
Baltimore, MD, USA
--------------------------------------------------------------------------------
VB2003 - VB Conference 2003
Sept 25-26, 2003
Toronto, Canada
http://www.virusbtn....b2003/index.xml
--------------------------------------------------------------------------------
AVAR 2003 - Malicious Code Conference 2003
November 6-7, 2003.
Sydney, Australia

http://www.aavar.org/



Security Advisories

FastTrack P2P Supernode Packet Handler Buffer Overflow Vulnerability

Risk : High

Date : 26th May 2003

Components Affected: Many, listed here;

http://securityrespo...ntent/7680.html

Overview

FastTrack P2P Supernode Packet Handler has been reported prone to a buffer overflow vulnerability. The issue presents itself in the FastTrack Supernode packet handler. The handler does not perform sufficient bounds checking on supernode entries received before they are copied into a reserved buffer in internal memory.




An attacker may exploit this vulnerability to trigger a denial of service condition or ultimately have arbitrary attacker supplied code executed. Code execution would occur in the context of the user running an application that incorporates the vulnerable FastTrack P2P Packet Handler.

Symantec Solutions
Intruder Alert, Symantec Manhunt, Enterprise Firewall

It should be noted that this vulnerability has been tested on KaZaA version 2.0.2. Other versions of KaZaA and similar file-sharing clients based on FastTrack P2P technology may also be affected.

Recommendations
Block external access at the network boundary, unless service is required by external parties.
If applicable, block all incoming FastTrack P2P based traffic at the network boundary.


Credits

Discovery of this vulnerability has been credited to random nut.

References
Source: Grokster Homepage
URL: http://www.grokster.com/

Source: iMesh Product Homepage
URL: http://www.imesh.com

Source: KaZaA Homepage
URL: http://www.kazaa.com/

Source: Morpheus Homepage
URL: http://www.musiccity.com

Symantec Security Response

http://securityrespo...ntent/7680.html


--------------------------------------------------------------------------------

PMachine Lib.Inc.PHP Remote Include Command Execution Vulnerability

Risk : High

Date : 15th June 2003

Components Affected
PMachine PMachine 2.2.1

Overview

It has been reported that PMachine does not properly handle include files under some circumstances. Because of this, an attacker may be able to remotely execute commands.




Recommendations

Block external access at the network boundary, unless service is required by external parties.


Filter untrusted network traffic at border routers and network firewalls.

Symantec Solutions
Intruder Alert, Symantec Manhunt, Enterprise Firewall

Running the server in a closed or restricted environment may limit the consequences of successful exploitation. Execute server processes with the least privileges required, and place processes in a restrictive environment.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] .
PMachine PMachine 2.2.1:

Credits
Discovery credited to "Frog Man".


References
Source: SecurityFocus
URL: http://www.securityf.../bid/7919/info/

Source: PMachine Homepage
URL: http://www.pmachine.com

  




Symantec, the Symantec logo, [registered trademarks in alphabetical order] are U.S. registered trademarks of Symantec Corporation. [Common law trademarks in alphabetical order] are trademarks of Symantec Corporation. Windows, Windows NT, and the Windows logo are registered trademarks of Microsoft Corporation in the United States and other countries. All other brand and product names are trademarks of their respective holder(s).  Copyright © 2003 Symantec Corporation. All rights reserved. Printed in Australia.March 2003.
Follow this link to subscribe or unsubscribe http://securityrespo...regions/en.html


--------------------------------------------------------------------------------

Last Updated: July 9, 2003
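
Added example, not part of the newsletter and not a Symantec tool: a Python mail-gateway check for the two delivery patterns described above, a zip attachment that carries a .pif or .scr file (W32.Sobig.E@mm) and an attachment whose declared MIME type disagrees with an executable file name (the MIME header issue used by W32.Bugbear.B@mm). The function names, the extensions beyond .pif and .scr, the reading of the MIME header issue as a type/name mismatch, and the sample messages are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# .pif and .scr are the extensions named in the newsletter; the rest are an
# assumed, non-exhaustive list of other directly executable Windows types.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}
# Main types a mail client renders or plays inline instead of offering to save.
INLINE_MAIN_TYPES = {"audio", "image", "video", "text"}


def _ext(name):
    """Return the final extension, lower-cased, ignoring trailing dots/spaces."""
    name = (name or "").lower().rstrip(". ")
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def _scan_zip(filename, data):
    """List executable members of a zip attachment without extracting them."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [("executable-in-zip", filename, info.filename)
                    for info in zf.infolist()
                    if _ext(info.filename) in EXECUTABLE_EXTS]
    except zipfile.BadZipFile:
        # An archive the gateway cannot read cannot be cleared either.
        return [("unreadable-zip", filename, "")]


def scan_message(raw):
    """Return (rule, attachment name, detail) tuples for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.is_multipart() or not filename:
            continue
        ext = _ext(filename)
        data = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXTS:
            # Declared as inline media but named as a program: the header and
            # the file name disagree about what the client should do with it.
            inline = part.get_content_maintype() in INLINE_MAIN_TYPES
            rule = "type-mismatch" if inline else "executable-attachment"
            findings.append((rule, filename, part.get_content_type()))
        elif ext == ".zip" or data.startswith(b"PK\x03\x04"):
            findings.extend(_scan_zip(filename, data))
    return findings


def _zip_bytes(members):
    """Build an in-memory zip from a {member name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _message(subject, attachments):
    """Build a raw message with the given (name, maintype, subtype, data) parts."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("constructed test body")
    for filename, maintype, subtype, data in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype,
                           filename=filename)
    return msg.as_bytes()


def constructed_samples():
    """Constructed messages; every payload is inert placeholder bytes."""
    inert = b"placeholder bytes, not a program"
    return {
        "zip_with_pif": _message("Re: Application", [
            ("Application.zip", "application", "zip",
             _zip_bytes({"Application.pif": inert}))]),
        "zip_with_scr": _message("Re: Movies", [
            ("Screensaver.zip", "application", "zip",
             _zip_bytes({"Sky.world.scr": inert}))]),
        "mismatched_type": _message("constructed subject", [
            ("sample.scr", "audio", "x-wav", inert)]),
        "benign": _message("meeting notes", [
            ("notes.zip", "application", "zip",
             _zip_bytes({"notes.txt": b"hello"})),
            ("logo.png", "image", "png", b"\x89PNG placeholder")]),
        "truncated_zip": _message("constructed subject", [
            ("broken.zip", "application", "zip", b"PK\x03\x04 cut short")]),
    }


if __name__ == "__main__":
    for name, raw in constructed_samples().items():
        print(name, scan_message(raw))
```

The check looks only at the declared type, the file name and the archive listing, so it does not depend on the spoofed From field or on the subject line, both of which the newsletter notes can vary.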
