

 CURRENT ACTIVITIES


Exploitation of Microsoft Windows Animated Cursor Vulnerability
Date : March 30, 2007

It has been reported that the Microsoft Windows Animated Cursor vulnerability described in CERT-In Vulnerability Note CIVN-2007-39 and Microsoft Security Advisory ( 935423 ) is being exploited widely. The exploit codes are recognized as TROJ_ANICMOO.AX(Trend Micro) alias Exploit-ANIfile.c (McAfee).

The above-mentioned malware takes advantage of insufficient format validation while handling animated cursors (.ani files). It uses the vulnerability to download and execute other malware, e.g. TROJ_SMALL.DRF (Trend Micro).
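
The "insufficient format validation" referred to above concerns the RIFF chunk structure of .ani files, whose anih header chunk is a fixed 36-byte structure. The following Python script is an added triage check, not CERT-In's code or part of the advisory: it walks the chunks of an .ani file (including nested LIST chunks) and reports anih chunks of any other length, truncated chunks and duplicate headers. It assumes only the public RIFF/ACON layout, and the sample files it scans are constructed here. A clean result means only that these structural checks passed; patching and updated antivirus remain necessary.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine little-endian 32-bit fields


def iter_chunks(buf, start, end):
    """Yield (chunk_id, data_start, data_end, truncated) for the RIFF chunks
    laid out in buf[start:end]; stops after a chunk whose declared length
    runs past the end of the enclosing region."""
    pos = start
    while pos + 8 <= end:
        chunk_id = buf[pos:pos + 4]
        size = struct.unpack_from("<I", buf, pos + 4)[0]
        data_start = pos + 8
        data_end = data_start + size
        if data_end > end:
            yield chunk_id, data_start, end, True
            return
        yield chunk_id, data_start, data_end, False
        pos = data_end + (size & 1)  # chunk bodies are padded to an even length


def check_ani(buf):
    """Return a list of findings for an .ani file; [] means every check passed."""
    findings = []
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    riff_size = struct.unpack_from("<I", buf, 4)[0]
    if 8 + riff_size > len(buf):
        findings.append("RIFF size %d runs past end of file" % riff_size)
    end = min(8 + riff_size, len(buf))
    regions = [(12, end)]   # byte ranges still to walk (top level, then LISTs)
    anih_count = 0
    while regions:
        start, stop = regions.pop()
        for chunk_id, d_start, d_end, truncated in iter_chunks(buf, start, stop):
            if truncated:
                findings.append("chunk %r declares more data than is present" % chunk_id)
                continue
            if chunk_id == b"anih":
                anih_count += 1
                length = d_end - d_start
                if length != ANIH_SIZE:
                    findings.append("anih chunk length %d != %d" % (length, ANIH_SIZE))
                elif struct.unpack_from("<I", buf, d_start)[0] != ANIH_SIZE:
                    findings.append("anih cbSizeof field != %d" % ANIH_SIZE)
            elif chunk_id == b"LIST" and d_end - d_start >= 4:
                regions.append((d_start + 4, d_end))  # skip the 4-byte list type
    if anih_count == 0:
        findings.append("no anih chunk found")
    elif anih_count > 1:
        findings.append("%d anih chunks found; a cursor needs only one" % anih_count)
    return findings


def _chunk(chunk_id, payload):
    pad = b"\x00" if len(payload) & 1 else b""
    return chunk_id + struct.pack("<I", len(payload)) + payload + pad


def _ani_file(*chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples (not real malware): a minimal well-formed cursor header,
# and a file whose second anih chunk declares an 80-byte body.
GOOD_HEADER = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 0, 0, 10, 0)
SAMPLE_GOOD = _ani_file(_chunk(b"anih", GOOD_HEADER))
SAMPLE_BAD = _ani_file(_chunk(b"anih", GOOD_HEADER), _chunk(b"anih", b"\x41" * 80))

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name + ":", check_ani(sample) or "ok")
```

Run it against a directory of .ani files at the mail gateway and quarantine anything that produces a finding; the script deliberately never parses the icon data itself, so a malformed frame is out of scope for it.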

The following websites are hosting exploit code for this vulnerability:

  • c33577 .cn
  • ym52099.512j .com
  • 1.520sb .cn
  • newasp.com .cn
  • koreacms .co.kr
  • i5460 .net
  • www. 04080 .com
  • www. h3210 .com

In view of the rapid exploitation of the vulnerability users are advised to:

  • Install and maintain updated anti-virus software at gateway and desktop level
  • Keep up-to-date patches and fixes on the operating system and application software
  • Exercise caution while opening email attachments
  • Read e-mail messages in plain text format if using Outlook 2002 or a later version
  • Block access to malicious websites/Domains mentioned above at the perimeter.

CVE Name
CVE-2007-1765

References

http://www.microsoft.com/technet/security/advisory/935423.mspx
http://uk.trendmicro-europe.com/enterprise/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=3&VName=TROJ_ANICMOO.AX

http://vil.nai.com/vil/content/v_141860.htm
http://www.auscert.org.au/7431
http://isc.sans.org/diary.html?storyid=2534
http://isc.sans.org/diary.html?storyid=2539



Worm Exploiting Sun Solaris Telnet vulnerability
Date : March 02, 2007

It has been reported that the security issue in the Sun Solaris Telnet daemon (in.telnetd) described in CERT-In Vulnerability Note CIVN-2007-23 is being exploited by a worm. The worm uses the vulnerability to log in to a vulnerable system via telnet with elevated privileges, using the “lp” or “adm” accounts.

After logging in to the vulnerable machine, the worm changes the permissions of /var/adm/wtmpx to -rw-r--rw-, creates the directory .adm under /var/adm/sa/, adds .profile files to /var/adm and /var/spool/lp, installs an authenticated backdoor shell on TCP port 32982, modifies the crontab entries of the users adm and lp, and scans for hosts running telnet in order to infect them.
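
The artifacts listed above can be turned into a host check. The Python script below is an added example, not the Sun inoculation script or anything published by CERT-In: check_host() looks under a given root for the world-writable wtmpx, the .adm directory, the two .profile files and crontab entries of adm and lp that refer to those paths (the advisory does not say what the modified crontab entries contain, so that last test is an assumption), and backdoor_listening() parses the text of netstat -an for a listener on TCP port 32982. The netstat excerpt and the directory tree built by demo() are constructed test data.

```python
import os
import shutil
import stat
import tempfile

# Artifacts described in the advisory above; paths are relative to the root
# passed to check_host so the check can run against a mounted disk image or,
# as in demo(), a constructed test tree.
WTMPX_BAD_MODE = 0o646            # -rw-r--rw- : world-writable wtmpx
ARTIFACT_DIRS = ["var/adm/sa/.adm"]
ARTIFACT_FILES = ["var/adm/.profile", "var/spool/lp/.profile"]
CRONTAB_USERS = ["adm", "lp"]     # crontabs the advisory says the worm modifies
BACKDOOR_PORT = 32982


def check_host(root="/"):
    """Return a list of human-readable indicators found under root."""
    hits = []
    wtmpx = os.path.join(root, "var/adm/wtmpx")
    if os.path.exists(wtmpx):
        mode = stat.S_IMODE(os.stat(wtmpx).st_mode)
        if mode & stat.S_IWOTH:          # wtmpx should never be world-writable
            hits.append("%s is world-writable (mode %o)" % (wtmpx, mode))
    for rel in ARTIFACT_DIRS:
        path = os.path.join(root, rel)
        if os.path.isdir(path):
            hits.append("worm directory present: %s" % path)
    for rel in ARTIFACT_FILES:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            hits.append("unexpected .profile present: %s" % path)
    # Assumption (not stated in the advisory): the injected crontab entries
    # reference the worm's own files, so look for those paths in the
    # crontab spool files of the two accounts.
    for user in CRONTAB_USERS:
        path = os.path.join(root, "var/spool/cron/crontabs", user)
        if not os.path.isfile(path):
            continue
        with open(path) as fh:
            for line in fh:
                if "/var/adm/sa/.adm" in line or "/.profile" in line:
                    hits.append("crontab of %s references worm files: %s" % (user, line.strip()))
    return hits


def backdoor_listening(netstat_text, port=BACKDOOR_PORT):
    """Parse `netstat -an` output and report whether anything listens on port.
    Solaris prints local addresses as host.port, so the port is the suffix."""
    suffix = ".%d" % port
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].endswith(suffix) and fields[-1] == "LISTEN":
            return True
    return False


# Constructed `netstat -an` excerpt (not captured from a real host).
SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.32982              *.*                0      0 49152      0 LISTEN
10.0.0.5.23          10.0.0.9.40122   49640      0 49640      0 ESTABLISHED
"""


def make_infected_tree(root):
    """Lay out the advisory's artifacts under root (constructed test data only)."""
    os.makedirs(os.path.join(root, "var/adm/sa/.adm"))
    os.makedirs(os.path.join(root, "var/spool/lp"))
    os.makedirs(os.path.join(root, "var/spool/cron/crontabs"))
    wtmpx = os.path.join(root, "var/adm/wtmpx")
    open(wtmpx, "wb").close()
    os.chmod(wtmpx, WTMPX_BAD_MODE)
    for rel in ARTIFACT_FILES:
        open(os.path.join(root, rel), "w").close()
    with open(os.path.join(root, "var/spool/cron/crontabs/adm"), "w") as fh:
        fh.write("0 * * * * /var/adm/sa/.adm/.x\n")   # hypothetical entry


def demo():
    """Run check_host on a clean temporary tree and again after the
    artifacts have been planted; returns both result lists."""
    root = tempfile.mkdtemp()
    try:
        clean = check_host(root)
        make_infected_tree(root)
        infected = check_host(root)
    finally:
        shutil.rmtree(root)
    return clean, infected


if __name__ == "__main__":
    clean, infected = demo()
    print("clean tree:", clean or "no indicators")
    print("infected tree:")
    for hit in infected:
        print("  -", hit)
    print("backdoor port open in sample netstat:", backdoor_listening(SAMPLE_NETSTAT))
```

On a live Solaris host, call check_host("/") as root and feed the output of netstat -an to backdoor_listening(); a system that shows any of these indicators should be treated as compromised and rebuilt rather than merely cleaned, since the worm also installs a backdoor account path.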

In view of the wide propagation of the worm, users are advised to implement the following countermeasures:

  • Run the inoculation script provided by Sun locally on the infected system.
  • Disable Telnet.
  • Apply the appropriate patches referenced in Sun Alert Notification 102802.
  • Restrict access to tcp port 23 to trusted hosts only.

CVE Name
CVE-2007-0882


References

http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm/
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1
http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen
http://www.us-cert.gov/cas/techalerts/TA07-059A.html
http://www.cert-in.org.in/vulnerability/civn-2007-23.htm


DDoS attack on root DNS servers
Date : February 08, 2007

A DDoS attack on the Internet infrastructure has been reported that temporarily crippled, but did not take down, two of the Internet's 13 Domain Name System (DNS) root servers. The unusually powerful attack lasted as long as 12 hours on 6 February 2007 but passed largely unnoticed by most computer users.

DNS root servers basically answer queries in the DNS infrastructure, which translates a computer's "human-readable" domain name into its machine-readable IP address.

The attackers used an army of bots from around the globe to hammer the servers with bogus and abnormally large DNS requests. DNS servers run by the U.S. Department of Defense, the Internet Corporation for Assigned Names and Numbers (ICANN) and UltraNet, which manages the .org domain and some other suffixes, were affected by the attack.

References

http://isc.sans.org/diary.html?storyid=2184
http://www.securityfocus.com/brief/429
http://www.us-cert.gov/current/current_activity.html#dnsanom
http://www.internetnews.com/security/article.php/3658551
http://www.pcworld.com/article/id,128806-c,cybercrime/article.html
http://hosted.ap.org/dynamic/stories/I/INTERNET_ATTACKS?SITE=WIRE&SECTION=HOME&TEMPLATE=DEFAULT
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1242635,00.html


Security updates released for fetchmail, squirrelmail, and gtk2 packages
Date : February 2, 2007

Patches for multiple vulnerabilities have been released for several vendors' Linux products. Vulnerabilities have been reported in packages such as fetchmail, squirrelmail and gtk2; Red Hat and SUSE have released patches to address these vulnerabilities in the respective packages.

Multiple patches have also been released for Linux kernel vulnerabilities.

Wireshark has released version 0.99.5, which fixes multiple vulnerabilities. Users are advised to apply the required security updates from the concerned vendors.

Vendor Information

Suse
http://www.novell.com/linux/security/advisories/2007_02_sr.html

Redhat
https://rhn.redhat.com/errata/RHSA-2007-0014.html
https://rhn.redhat.com/errata/RHSA-2007-0022.html
https://rhn.redhat.com/errata/RHSA-2007-0018.html
https://rhn.redhat.com/errata/RHSA-2007-0019.html

Wireshark
http://www.wireshark.org/security/wnpa-sec-2007-01.html


Trojan Storm spreading through Spam mails
Date: January 25, 2007

It has been observed that the Trojan Storm Worm and its new variants are circulating in the wild via massive spamming. The trojan is also known to be downloaded by the NUWAR family of mass-mailing worms. It arrives as an attachment to spam e-mails with an empty body and frequently changing subject lines related to specific ongoing events, to make the seeding more successful.

The trojan builds botnets by forming a P2P network on UDP port 4000 with other infected systems for the purpose of further malicious activity.

Antivirus vendors detect the malware as TROJ_SMALL.EDW [Trend Micro], Trojan.Peacomm [Symantec], Win32/Nuwar.N@MM!CME-711 [Microsoft], Troj/DwnLdr-FYD, Troj/Small-DOR, W32/Stormy.AB, Trojan-Downloader.Win32.Agent.bet, Downloader-BAI!M711, Downloader-BAI, Trojan-Downloader.Win32.Small.dam and Small.DAM [F-Secure].

For further details please refer to the CERT-In Virus Alert on the Trojan Storm Worm.

Since the trojan variants are being spammed massively, users are advised to implement the following countermeasures:

  • Install and maintain updated anti-virus software at gateway and desktop level
  • Keep up to date on patches and fixes for the operating system and application software
  • Exercise caution while opening e-mail attachments
  • Filter e-mails at the gateway by the subject lines and attachment names the trojan is using

References:

http://news.bbc.co.uk/2/hi/technology/6278079.stm
http://www.informationweek.com/showArticle.jhtml?articleID=196902579&cid=RSSfeed_TechWeb
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSMALL%2EEDW&VSect=T
http://www.symantec.com/enterprise/security_response/weblog/2007/01/trojanpeacomm_building_a_peert.html
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-011917-1403-99&tabid=1
http://www.f-secure.com/v-descs/small_dam.shtml
http://www.f-secure.com/weblog/archives/archive-012007.html#00001088
http://www.f-secure.com/weblog/archives/archive-012007.html#00001089
http://www.f-secure.com/weblog/archives/archive-012007.html#00001087




Targeted malicious code attacks on Government Networks

Date: December 26, 2006

Recently it has been observed that targeted attacks are being launched on government networks through maliciously crafted e-mails and attachments. These malicious attachments contain Trojans that steal sensitive information using techniques such as key logging, screen capture and backdoors. A Trojan is malicious code concealed inside a seemingly legitimate program such as an application, screen saver or greeting.

Typically the e-mails sent by the attackers are spoofed with “From” addresses of trusted agencies and colleagues. Since this malicious code is not publicly known, antivirus and anti-spyware programs may not detect it. The malicious files are embedded in attachments such as Office documents (.doc, .ppt etc.).

Users are advised to take the following precautions to protect their systems against these attacks.

  • Exercise caution while opening email attachments
  • Do not visit untrusted websites or click URLs provided in emails.
  • Set the Security settings in the browser to prompt before executing active scripting such as Java applets/scripts, ActiveX controls etc.
  • Maintain updated Antivirus and Anti spyware programs
  • Apply patches and updates at the Operating System and Application level.
  • Use personal/desktop firewalls apart from perimeter firewalls
  • Use IDS/IPS at the gateway
  • Deploy antivirus at the gateway level
  • Monitor systems for any suspicious activities (such as unusual traffic, unknown processes, reduced system performance, abnormal memory usage etc.)
  • Report any suspicious activities to CERT-In Incident Response Help Desk

For further information refer to the following resources:

http://www.cert-in.org.in/knowledgebase/guidelines/cisg-2003-05.pdf
http://www.cert-in.org.in/virus/index.html
http://www.cert-in.org.in/antivirus.htm




Malware exploiting Christmas greetings
Date: December 26, 2006

It has been observed that malware exploiting Christmas greetings is circulating in the wild. The malware is embedded in attachments of type .exe and .ppt.

F-Secure detects the malware as Trojan-Spy.Win32.Ardamax.e and Exploit.MSPPoint.Agent.g. The reported malicious binaries arrive as e-mail attachments named Christmas_Puzzle.exe and Christmas +Blessing-4.ppt. The malware has rootkit components with hiding techniques and exploits vulnerabilities in Microsoft Office described in CIVN-2006-24.

Users are advised to implement the following countermeasures:

  • Keep updated Anti-Virus Signatures.
  • Apply appropriate security updates at the OS level and application level.
  • Exercise caution while visiting untrusted websites and opening email attachments.

References:

http://www.f-secure.com/weblog/archives/archive-122006.html#00001058
http://www.virus.org/news/computer-viruses/christmas-is-coming-the-malware-is-getting-fat..html



Rise in phishing attacks on Indian Banks
Date: December 06, 2006

In the past few weeks CERT-In has observed a rise in phishing attacks on Indian banks. Phishing is a technique used to gain personal information for purposes of identity theft, using fraudulent e-mail messages that appear to come from a legitimate business that the user is dealing with. The messages feature logos and formats similar to legitimate messages and appear to come from trusted sources (in this case banks) in order to obtain confidential user information such as bank account numbers, passwords and personal details. Some reputed national banks are the target of such attacks.
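
Most of the messages described above rely on a link whose visible text names the bank while its target points elsewhere. The Python script below is an added example, not a CERT-In tool: it extracts every link from an HTML message and flags links whose displayed hostname differs from the real target, or whose target is a bare IP address. The sample message is constructed; bank.example and attacker.example use the reserved .example top-level domain, and 203.0.113.10 lies in a documentation address block, so none of them is a real site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a hostname or URL, e.g.
# "https://www.bank.example/login" or "bank.example"
HOSTLIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?:[/:?#]\S*)?$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_site(shown, actual):
    """True when the displayed host and the real host are the same site
    (identical, or one is a subdomain of the other)."""
    return shown == actual or actual.endswith("." + shown) or shown.endswith("." + actual)


def suspicious_links(html):
    """Return [(href, text, reason)] for links whose target does not match
    what the reader is shown, or that point at a bare IP address."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue  # relative links, mailto: etc. are out of scope here
        if IPV4.match(host):
            findings.append((href, text, "link target is a bare IP address"))
        match = HOSTLIKE.match(text)
        if match:
            shown = match.group(1).lower()
            if not same_site(shown, host):
                findings.append((href, text, "text shows %s but link goes to %s" % (shown, host)))
    return findings


# Constructed sample message in the style the advisory describes.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended unless you verify it at
<a href="http://203.0.113.10/login">https://www.bank.example/login</a>.</p>
<p>You may also use <a href="http://bank.example.attacker.example/">bank.example</a>
or read <a href="https://www.bank.example/help">our help page</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print("%-45s shown as %-32s : %s" % (href, text, reason))
```

The second sample link shows why a plain substring test is not enough: bank.example.attacker.example contains the bank's name but is a different site, and same_site() only accepts a true parent/subdomain relationship. Links whose text is ordinary words ("our help page") cannot be judged this way and still need the usual advice of typing the bank's address by hand.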

Users are advised to take the following measures against phishing attacks.

  • Do not follow unsolicited web links received in email messages.
  • Apply appropriate security updates at the OS level and applications such as web browsers.
  • Keep updated Anti-Spyware and Anti-Virus software.
  • Use personal firewall.
  • Use anti-phishing toolbars.
  • Immediately contact your respective banks in case your financial information has been compromised.
  • Report phishing incidents to CERT-In and concerned Banks.

Users may further refer to the CERT-In Whitepaper “Phishing attacks and Countermeasures” (CIWP-2005-03) and the CERT-In Guideline “Securing Home computers” (CISG-2005-03).



Web IRC based bots (MEDBOT Family) spreading widely
Date: November 20, 2006

It has been observed that the activity of the MEDBOT botnet family in sending spam is increasing. MEDBOT was first detected in August 2006 as WORM_MEDBOT.AI (Trend Micro), W32/Medbot-B (Sophos) and Troj/Medbot-E (Sophos). Since August many other variants of MEDBOT and HORST have been detected.

Unlike other bots, MEDBOT uses Web IRC to connect to the IRC server and waits for commands sent as private messages from the remote attacker.

MEDBOT is a package of malware consisting of a Trojan downloader, a hidden copy of the Trojan, the HORST Trojan and a worm. After successfully executing on the affected system, the Trojan downloader connects to several URLs to download updated copies of the malware package; one such domain, medbot.com, was found to be active. The worm included in the package drops a copy of the downloader into shared folders. The hidden copy of the Trojan executes in case the main Trojan copy is removed from the affected system.

MEDBOT uses the HORST family of Trojans, which converts the affected system into a proxy server that the remote attacker uses to hide his actual location. For details regarding the HORST family of Trojans refer to the CERT-In Virus Alert on Trojan HORST.

References

http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=The+MEDBOT+Menace
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMEDBOT%2EAI&VSect=P
http://www.sophos.com/security/analyses/w32medbotb.html
http://www.sophos.com/security/analyses/trojmedbote.html
http://cert-in.org.in/virus/trojan_horst.htm



Exploitation of Microsoft XML Core Services XMLHTTP ActiveX Control Code Execution Vulnerability
Date: November 08, 2006
Updated: November 15, 2006

It has been observed that the unpatched Microsoft XML Core Services XMLHTTP ActiveX Control Code Execution Vulnerability described in CERT-In Vulnerability Note CIVN-2006-112 is being exploited widely.

This is a vulnerability related to ActiveX objects and is not web browser specific. It works on IE 6 as well as on IE 7.

Some exploit codes have been detected spreading in the wild such as Exploit-XMLCoreSrvcs(McAfee), Bloodhound.Exploit.96(Symantec), Exploit:HTML/Xmlreq.A(Microsoft).

When executed, the exploit creates an MSXML 4.0 ActiveX object and then makes multiple calls to the vulnerable method (setRequestHeader()) to execute shellcode included in the exploit code.

Once running, the shellcode fetches a first-stage downloader, which in turn downloads subsequent files.

Users are advised to take the following precautions until a patch is available to address this vulnerability:

  • Prevent the XMLHTTP 4.0 ActiveX Control from running in Internet Explorer.
  • Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone.
  • Configure Internet Explorer to prompt before running ActiveX Controls or disable ActiveX Controls in the Internet and Local intranet security zone.
  • Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones.

Microsoft has released patches on 14th Nov 2006 to address this security issue vide Security Bulletin MS06-071. Users are advised to apply the appropriate patches as mentioned in this bulletin.

References

Microsoft
http://www.microsoft.com/technet/security/advisory/927892.mspx
http://www.microsoft.com/technet/security/Bulletin/MS06-071.mspx

USCERT
http://www.kb.cert.org/vuls/id/585137

FrSIRT
http://www.frsirt.com/english/advisories/2006/4334

Secunia
http://secunia.com/advisories/22687/

SANS
http://isc.sans.org/diary.php?storyid=1823
http://isc.incidents.org/diary.php?storyid=1833&isc=0497be909837920f7e8ba70cf6e1687b



Exploitation of unpatched Microsoft Visual Studio WMI Object Broker ActiveX Code Execution Vulnerability
Date: November 06, 2006

It has been observed that the unpatched Microsoft Visual Studio WMI Object Broker ActiveX Code Execution Vulnerability described in CERT-In Vulnerability Note CIVN-2006-109 is being exploited widely.

This vulnerability allows a malicious file hosted on a website to be downloaded and executed on the vulnerable system when the website is visited with Microsoft Internet Explorer.

The downloaded files are identified as Trojans and information stealers, which in turn execute and download other malware on the infected system.

Users are advised to take the following precautions until a patch is available to address this vulnerability:

  • Prevent the WMI Scripting control from running in Internet Explorer
  • Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and Local Intranet security zone.
  • Configure Internet Explorer to prompt before running ActiveX Controls or disable ActiveX Controls in the Internet and Local Intranet security zone.
  • Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones.

References:
http://www.symantec.com/enterprise/security_response/weblog/2006/11/visual_confirmation_vulnerabil.html
http://secunia.com/advisories/22603/
http://www.microsoft.com/technet/security/advisory/927709.mspx
http://www.frsirt.com/english/advisories/2006/4282
http://www.securityfocus.com/bid/20797/info



Internet Explorer 7 Window Injection Vulnerability
Date: October 31, 2006

A security issue has been reported in Microsoft Internet Explorer 7.x which could be exploited by a malicious user to spoof the contents of a website.

The flaw is caused by the possibility that a website can inject content into another site's window if the target name of that window is known.

It is noted that the same flaw is present in previous versions of Microsoft Internet Explorer (IE 5.x, IE 6.x).

CVE Name
CVE-2004-1155

References:
http://secunia.com/advisories/22628/



Exploitation of unpatched Microsoft Internet Explorer Vector Markup Language Code Execution Vulnerability
Date: September 26, 2006
Updated: September 28,2006

It has been observed that the unpatched Microsoft Internet Explorer Vector Markup Language Code Execution Vulnerability described in CERT-In Vulnerability Note CIVN-2006-92 is being exploited widely.

Various antivirus vendors have alerted about the Trojans and exploits, recognizing them as Trojan.Vimalov [Symantec], EXPL_EXECOD.A (Trend Micro), HTML/Levem.C (Microsoft), Exploit-VMLFill [McAfee], Troj/Dloadr-ANO, Troj/Goldun-EC and Troj/Goldun-EE [Sophos].

Users are advised to take the following precautions until a patch is available to address this vulnerability:

  • Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1
  • Modify the Access Control List on Vgx.dll to be more restrictive
  • Configure Internet Explorer 6 for Microsoft Windows XP Service Pack 2 to disable Binary and Script Behaviors in the Internet and Local Intranet security zone.
  • Read e-mail messages in plain text format to help protect yourself from the HTML e-mail attack vector

Microsoft has released patches on 26th Sep 2006 to address this security issue vide Security Bulletin MS06-055. Users are advised to apply the appropriate patches as mentioned in this bulletin.

References:

http://www.cert-in.org.in/vulnerability/civn-2006-92.htm
http://www.microsoft.com/technet/security/advisory/925568.mspx
http://vil.nai.com/vil/content/v_140629.htm
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-091914-1801-99&tabid=2
http://www.sophos.com/pressoffice/news/articles/2006/09/vml-exploit.html
http://www.isc.sans.org/diary.php?storyid=1735&isc=e88bf2ac3009eacfa2484a4ab7aaa431



IRCbots targeting unpatched Windows Systems
Date: September 04, 2006

It has been observed that IRCbots in the wild are targeting unpatched Microsoft Windows systems through the buffer overflow vulnerabilities described in MS03-049 (Workstation Service), CIAD-2004-05 (ASN.1 Vulnerability Could Allow Code Execution), CIVN-2005-38 (Vulnerability in Message Queuing Could Allow Code Execution), CIVN-2005-73 (Microsoft Plug and Play Service Buffer Overflow Vulnerability) and, most recently, CIVN-2006-75 (Microsoft Windows Server Service Buffer Overrun Vulnerability). The bot also spreads via instant messaging services and network shares and contains a rootkit component to hide its files and processes. These bots listen for the attacker's commands after connecting to the following IRC servers on the TCP ports specified below:

  • tc.danknugs.be (216.18.229.159, 216.18.229.161, 216.18.229.160) TCP port 9568
  • aboutus.hottest.es (195.205.20.180) TCP port 4915
  • contacts.hottest.es (63.138.101.136) TCP port 4915
  • forum.ednet.es (195.205.20.180) TCP port 4915
  • new.cheapdf.com (84.244.13.100) TCP port 4545
  • fbi32.cheapdf.com (84.244.13.100) TCP port 9568
  • 95.205.20.180 TCP port 4915
  • 61.252.151.703 TCP port 4915
  • mak.smokedro.com TCP port 8080
  • fat.hack010.gy.net TCP port 5411
  • c.suicidegaming.com TCP port 9568
  • bla.girlsontheblock.com TCP port 443

Various antivirus vendors have alerted about these bots, recognizing them as WORM_RANDEX.AM [Trend Micro], W32/Sdbot.worm!MS06-040 [McAfee], W32/Kassbot-V [Sophos], W32/Vanebot-A [Sophos], W32/Rbot-FKR [Sophos], Backdoor.Win32.Rbot.ayg (Kaspersky), WORM_RBOT.AEY (Trend Micro), W32/Opanki.worm!MS06-040 [McAfee] and W32.Spybot.AKNO [Symantec].

The malicious binary analyzed adds the registry value

"JavaNet" = "rBot v2 a.k.a. the next generation (working on winXP SP2)"

under the registry subkey HKEY_CURRENT_USER\Software\Microsoft\Windows, indicating that more variants may follow.

In view of the high damage potential of these IRCbots, Windows users are advised to implement the following countermeasures:

  • Keep your antivirus signatures updated.
  • Apply the appropriate patches for the above vulnerabilities.
  • Block TCP ports 139 and 445 at the firewall.
  • Enable advanced TCP/IP filtering on systems.
  • Block the affected ports by using IPSec on the affected systems.
  • Monitor outgoing traffic to the specified TCP ports of the IRC command and control (C&C) servers mentioned above.
  • Monitor outgoing traffic for scanning of other hosts on port 445/TCP.

References:

http://www.isc.sans.org/diary.php?storyid=1660&isc=64e7bb16590c8efaa48544e0b4c73c7a
http://www.symantec.com/security_response/writeup.jsp?docid=2006-081910-4849-99&tabid=2
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-083015-4912-99
http://www.sophos.com/security/analyses/w32rbotfkr.html?_log_from=rss
http://www.sophos.com/virusinfo/analyses/w32vanebota.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RANDEX.AM
http://vil.nai.com/vil/content/v_140440.htm
http://news.zdnet.com/2100-1009_22-6108409.html



Exploitation of Microsoft Windows Server Service Buffer Overrun Vulnerability
Date: August 14, 2006

It has been observed that the exploit code for Microsoft Windows Server Service Buffer Overrun Vulnerability described in CERT-In Vulnerability Note CIVN-2006-75 is circulating in the wild.

This vulnerability is caused by an unchecked buffer in the Server service while handling malformed requests. A remote attacker could exploit the vulnerability by sending a specially crafted message to an affected system to execute arbitrary code with system privileges.

Antivirus vendors detect these exploit codes as worms/backdoors/IRCbots such as W32.Wargbot [Symantec], WORM_IRCBOT.JK and WORM_IRCBOT.JL [Trend Micro], IRC.Mocbot [McAfee] and IRCBOT-ST [F-Secure]. It has been reported that the backdoors created on compromised systems after exploitation of this vulnerability contact or listen on the following IRC servers:

bniu.househot.com: 61.189.243.240, 202.121.199.200, 210.75.211.111, 211.154.135.30, 218.61.146.86, 58.81.137.157, 61.163.231.115

ypgw.wallloan.com: 58.81.137.157, 61.163.231.115, 61.189.243.240, 202.121.199.200, 211.154.135.30, 218.61.146.86

In view of the wide exploitation and high damage potential of this worm/backdoor, users are advised to implement the following countermeasures:

  • Update anti-virus signatures
  • Apply the appropriate patches as mentioned in Microsoft Security Bulletin MS06-040
  • Block TCP ports 139 and 445 at the firewall.
  • Monitor outgoing traffic to port 18067/TCP of the IRC command and control (C&C) servers mentioned above.
  • Monitor outgoing traffic for scanning of other hosts on port 445/TCP.
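
The monitoring advice given here, in the IRCbot advisory of September 2006 and in the Trojan Storm advisory of January 2007 can be applied to flow or firewall logs. The Python script below is an added example, not CERT-In's code: it matches outbound flows against the C&C addresses and ports listed on this page (the IRCbot servers, the Mocbot IRC servers on 18067/TCP and Storm's UDP port 4000) and separately reports internal hosts that contact many different machines on 445/TCP, the pattern of a host scanning for others to infect. The one-flow-per-line log format and the sample flows are constructed, and the address-to-name pairings are assumed to be as printed in the advisories at the time.

```python
from collections import defaultdict

# Indicators taken from the advisories on this page: IRC C&C servers and
# ports from the IRCbot list, the IRC servers that Mocbot backdoors contact
# on 18067/TCP, and the UDP port Storm uses for its P2P network.
IRCBOT_CNC = {
    ("216.18.229.159", "tcp", 9568): "tc.danknugs.be",
    ("216.18.229.160", "tcp", 9568): "tc.danknugs.be",
    ("216.18.229.161", "tcp", 9568): "tc.danknugs.be",
    ("195.205.20.180", "tcp", 4915): "aboutus.hottest.es / forum.ednet.es",
    ("63.138.101.136", "tcp", 4915): "contacts.hottest.es",
    ("84.244.13.100", "tcp", 4545): "new.cheapdf.com",
    ("84.244.13.100", "tcp", 9568): "fbi32.cheapdf.com",
}
MOCBOT_SERVERS = {"61.189.243.240", "202.121.199.200", "210.75.211.111",
                  "211.154.135.30", "218.61.146.86", "58.81.137.157", "61.163.231.115"}
MOCBOT_PORT = 18067
STORM_P2P_PORT = 4000
SMB_PORT = 445


def parse_flow(line):
    """Constructed flow format: '<time> <src_ip> <dst_ip> <proto> <dst_port>'."""
    ts, src, dst, proto, port = line.split()
    return ts, src, dst, proto.lower(), int(port)


def classify(flow):
    """Return a reason string if the flow matches a C&C indicator, else None."""
    _ts, _src, dst, proto, port = flow
    key = (dst, proto, port)
    if key in IRCBOT_CNC:
        return "IRCbot C&C %s" % IRCBOT_CNC[key]
    if proto == "tcp" and port == MOCBOT_PORT and dst in MOCBOT_SERVERS:
        return "Mocbot IRC C&C on 18067/TCP"
    if proto == "udp" and port == STORM_P2P_PORT:
        # Port-only rule: a legitimate UDP/4000 service would also match,
        # so this is a lead for investigation rather than a verdict.
        return "possible Storm P2P traffic on UDP/4000"
    return None


def find_cnc_contacts(lines):
    """[(src, dst, port, reason)] for every flow matching an indicator."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            hits.append((flow[1], flow[2], flow[4], reason))
    return hits


def find_smb_scanners(lines, min_targets=5):
    """Sources that contacted at least min_targets distinct hosts on 445/TCP,
    the propagation pattern the advisories ask administrators to watch."""
    targets = defaultdict(set)
    for line in lines:
        _ts, src, dst, proto, port = parse_flow(line)
        if proto == "tcp" and port == SMB_PORT:
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = """\
2006-08-14T10:00:01 10.0.0.5 216.18.229.159 tcp 9568
2006-08-14T10:00:02 10.0.0.5 61.189.243.240 tcp 18067
2006-08-14T10:00:03 10.0.0.8 10.0.0.200 udp 4000
2006-08-14T10:00:04 10.0.0.9 198.51.100.7 tcp 443
2006-08-14T10:00:05 10.0.0.5 10.0.0.11 tcp 445
2006-08-14T10:00:05 10.0.0.5 10.0.0.12 tcp 445
2006-08-14T10:00:05 10.0.0.5 10.0.0.13 tcp 445
2006-08-14T10:00:06 10.0.0.5 10.0.0.14 tcp 445
2006-08-14T10:00:06 10.0.0.5 10.0.0.15 tcp 445
2006-08-14T10:00:07 10.0.0.9 10.0.0.20 tcp 445
""".splitlines()

if __name__ == "__main__":
    for src, dst, port, reason in find_cnc_contacts(SAMPLE_FLOWS):
        print("%s -> %s:%d  %s" % (src, dst, port, reason))
    for src, n in find_smb_scanners(SAMPLE_FLOWS).items():
        print("%s scanned %d hosts on 445/tcp" % (src, n))
```

In the sample, 10.0.0.5 both contacts a listed C&C server and fans out to five hosts on 445/TCP, which is exactly the combination that distinguishes an infected machine from a file server with many clients; the scan threshold should be tuned to the size of the local network before the rule is used for alerting.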

References:

http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx
http://www.microsoft.com/technet/security/advisory/922437.mspx
http://blogs.technet.com/msrc/archive/2006/08/11/446078.aspx
http://www.symantec.com/security_response/writeup.jsp?docid=2006-081312-3302-99&tabid=1
http://www.f-secure.com/v-descs/ircbot_st.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_IRCBOT.JK
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_IRCBOT.JL
http://vil.nai.com/vil/Content/v_140394.htm
http://www.isc.sans.org/diary.php?storyid=1597
http://news.com.com/Microsoft+on+worm+watch/2100-1002_3-6104825.html?tag=nefd.top



Zero-Day exploit code for mso.dll vulnerability in Microsoft PowerPoint
Date: July 14, 2006
Updated: August 09,2006

It has been reported that zero-day exploit code for the mso.dll vulnerability in Microsoft PowerPoint described in CERT-In Vulnerability Note CIVN-2006-73 is circulating widely. Antivirus vendors detect the exploit codes as Trojans such as Exploit-PPT.b [McAfee], Trojan.PPDropper.B [Symantec], TROJ_MDROPPER.AS [Trend Micro] and TROJ_MDROPPER.AK [Trend Micro], which drop backdoors and other malicious code such as BKDR_BIFROSE.KN [Trend Micro], TROJ_RILER.B [Trend Micro], Backdoor.Win32.Bifrose.a [Kaspersky], Bck/Bifrose.AP [Panda], Troj/Bckdr-CEP [Sophos] and W32/Bifrose.A [Norman].

Users are advised to implement the following workarounds:

  • Do not open PowerPoint attachment from untrusted sources.
  • Do not grant administrative privileges to users.
  • Maintain updated Antivirus.

Solution

Apply the appropriate patch as mentioned in Microsoft Security Bulletin MS06-048.

References:

http://news.com.com/New+PowerPoint+hole+used+in+cyberattacks/2100-1002_3-6094059.html?tag=nefd.top

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-048.mspx
http://www.microsoft.com/technet/security/advisory/922970.mspx

CERT-In
http://www.cert-in.org.in/vulnerability/civn-2006-73.htm

US-CERT
http://www.us-cert.gov/current/current_activity.html#exppwrptvul

ISC-SANS
http://www.isc.sans.org/diary.php?storyid=1484

Symantec
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-071212-4413-99&tabid=2

McAfee
http://vil.nai.com/vil/content/v_140157.htm

Trend Micro
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_MDROPPER.AS
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_RILER.B





Zero-Day Buffer Overflow Vulnerability in Microsoft Hyperlink Object Library
Date: July 01, 2006
Updated: August 09,2006

It has been reported that the zero-day Buffer Overflow vulnerability in Microsoft Hyperlink Object Library (HLINK.DLL) described in CERT-In Vulnerability Note CIVN-2006-57 is being exploited using malicious Excel files.

The vulnerability could be exploited by a remote attacker to execute arbitrary code by enticing a user to click on a specially crafted, overly long hyperlink sent via e-mail or embedded in Office documents. Successful exploitation could lead to a complete takeover of the affected system.

Antivirus vendors detect these exploit codes as Trojans such as Trojan.Hlinic [Symantec] and TROJ_URXCEL.A [Trend Micro].

Users are advised to take the following precautions until a patch is available to address this vulnerability:

  • Do not click on unsolicited links received in email or embedded in Office documents.
  • Do not open Excel documents from untrusted sources.
  • Do not grant administrative privileges to users.
  • Maintain updated Antivirus.

Solution

Apply the appropriate patch as mentioned in Microsoft Security Bulletin MS06-050.

References:

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-050.mspx
http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx

US-CERT
http://www.us-cert.gov/current/current_activity.html#exp4msexcl2

CERT-In
http://cert-in.org.in/vulnerability/civn-2006-57.htm




Microsoft Excel Zero-day Vulnerability
Date: June 20, 2006
Updated: July 12,2006

A vulnerability has been reported in Microsoft Excel due to an unspecified error while processing malformed Excel files, described in CERT-In Vulnerability Notes CIVN-2006-61 and CIVN-2006-67. The vulnerability could be exploited by convincing a user to open a specially crafted Excel file, sent through e-mail, hosted on a malicious website or delivered otherwise. Successful exploitation could allow a remote attacker to execute arbitrary code with the privileges of the logged-in user on the affected system.

The versions affected are Microsoft Excel 2003, Excel Viewer 2003, Excel 2002, Excel 2000, Microsoft Excel 2004 for Mac, and Microsoft Excel v. X for Mac.

It has been observed that certain exploit codes are available in the wild to exploit the vulnerability. Antivirus vendors detect these exploit codes as Trojans such as Downloader.Booli.A [Symantec], Trojan.Mdropper.J [Symantec], Downloader-AWV [McAfee], EXPLOIT-MSEXCEL.GEN, TROJ_SMALL.AWC [Trend Micro], X97M_EMBED.AN [Trend Micro], Troj/DwnLdr-DEL and Trojan-Downloader.Win32.Agent.alq [Sophos].

Users are advised to take the following precautions until a patch is available to address this vulnerability.

  • Do not open untrusted Excel files.
  • Do not rely on filename extension filtering.
  • Do not grant administrative privileges to users.
  • Maintain updated antivirus.

For any further details regarding the vulnerability please refer to the Microsoft Security Advisory.

Microsoft has released patches to address this security issue vide Microsoft Security Bulletin MS06-037.

References:

Microsoft
http://www.microsoft.com/technet/security/advisory/921365.mspx
http://blogs.technet.com/msrc/archive/2006/06/16/436174.aspx

US-CERT
http://www.kb.cert.org/vuls/id/802324
http://www.us-cert.gov/cas/alerts/SA06-167A.html

SANS
http://www.isc.sans.org/diary.php?storyid=1426

Securiteam
http://blogs.securiteam.com/?p=451

Secunia
http://secunia.com/advisories/20686/


Exploitation of Microsoft Word Unspecified Code Execution Vulnerability
Date : May 23, 2006
Updated: June 14,2006

It has been reported that the Microsoft Word Unspecified Code Execution Vulnerability described in CERT-In Vulnerability Note CIVN-2006-40 is being exploited through malicious word documents.

This vulnerability is caused by a buffer overflow while processing malformed documents. It could be exploited by attackers by convincing a user to open a specially crafted Word document, sent through e-mail or hosted on a malicious website, allowing execution of arbitrary code with the privileges of the user running Microsoft Word. Successful exploitation requires the user to be running Microsoft Word with administrator privileges.

Antivirus vendors detect these exploit codes as Trojans such as W97M_MDROPPER.AB (Trend Micro), W97M_MDROPPER.AC (Trend Micro), Exploit-OleData.gen (McAfee) and Trojan.Mdropper.H (Symantec). This malware is reported to drop other malicious files such as BKDR_GINWUI.A and BKDR_GINWUI.B (Trend Micro), Backdoor-CKB!cfaae1e6 (McAfee) and Backdoor.Ginwui.B (Symantec), as well as bots such as Rbot. The backdoors are distributed inside a document file containing shellcode that drops the backdoor's file to the hard drive and activates it.

Users are advised to take following precautions untill a patch is available to address this vulnerability.

  • Do not open untrusted Word documents.
  • Do not rely on filename extension filtering.
  • Do not grant administrative privileges to user.
  • Maintain updated Antivirus.
  • Microsoft has suggested the following workarounds in Security Advisory 919637:
    • Disable the Outlook feature that uses Word as the e-mail editor
    • Append /safe to the WINWORD.EXE command line

Microsoft has released patches to address this security issue vide bulletin MS06-027

References

SANS
http://isc.incidents.org/diary.php?storyid=1351
http://isc.incidents.org/diary.php?storyid=1346
http://isc.incidents.org/diary.php?storyid=1347
http://isc.incidents.org/diary.php?storyid=1345

Microsoft
http://www.microsoft.com/technet/security/advisory/919637.mspx

eEye Digital Security

http://www.eeye.com/html/resources/newsletters/alert/pub/AL20060523.html?sb=kwkbmvamunbmvambckmn


Multiple patches released for Linux
Date : April 28, 2006

Patches for multiple vulnerabilities have been released by different Linux vendors. Many vulnerabilities have been reported in PHP which could be exploited by remote attackers to conduct cross-site scripting attacks or gain control of vulnerable systems. Patches have also been released for ipsec-tools, Mozilla, Firefox and Thunderbird. Red Hat, Gentoo, SUSE and Mandrake have released patches to address these vulnerabilities. Some of the vulnerabilities reported are highly critical.

Users are advised to apply the required updates from the concerned vendors.

Vendor Information

Suse
http://www.novell.com/linux/download/updates/

Redhat
http://www.redhat.com/security/updates/

Mandrakesoft
http://www.mandrakesoft.com/security/advisories

Gentoo
http://www.gentoo.org/security/en/glsa/


Bots targeting Forums running phpBB and other open source software
Date : April 25, 2006

It has been observed that in recent days bot/worm writers are targeting open source software. Many targeted attacks have been reported against open source software such as phpBB, Mambo, PHP-Nuke etc.

It has been reported that phpBB installations running bulletin boards and online forums are being exploited by bots. These bots exploit vulnerabilities in the open source phpBB forum software; details regarding the exact vulnerabilities being exploited are unknown. The compromised systems could be used to host phishing scams, launch “Distributed Denial of Service” attacks, execute local system commands or infect other vulnerable phpBB systems.

Recently a bot named FuntKlakow was seen registering user accounts and posting simplistic messages on many phpBB forums around the world. The bot has exploited thousands of hosts running phpBB software.

Normally these bots are capable of searching Google for vulnerable phpBB-based hosts. They can download and execute malicious Perl scripts and may join certain IRC channels to listen for commands from the attackers.

As these kinds of attacks are on the rise, concerned administrators are advised to implement the following countermeasures to mitigate the attack vectors:

  • Upgrade phpBB software to the latest version.
  • Apply appropriate patches to the systems with phpBB web applications running.
  • Make /tmp a non-executable partition (and link /usr/tmp and /var/tmp to it).
  • Block outbound FTP/web traffic from your web server.
  • If possible, run Apache in a chroot.
  • Use mod_security.

References:

http://www.eweek.com/article2/0,1895,1918295,00.asp
http://www.isc.sans.org/diary.php?storyid=1275
http://news.netcraft.com/archives/2006/03/20/bot_authors_targeting_phpbb_forums.html



Exploit codes for Microsoft Internet Explorer "createTextRange()" Code Execution Vulnerability
Date : March 28, 2006
Updated: April 15, 2006

It has been observed that exploit codes for the Microsoft Internet Explorer "createTextRange()" Code Execution Vulnerability described in CERT-In Vulnerability Note CIVN-2006-28 are circulating widely.

This vulnerability is caused by a memory corruption error when Internet Explorer calls the "createTextRange()" method on certain HTML/DHTML objects. It could be exploited by attackers hosting specially crafted web pages and enticing users to visit them. Links to malicious web pages may also be sent to users through e-mail.

It has been reported that some malicious/compromised websites are being used to exploit this vulnerability and then download malware such as bots, trojan downloaders, spyware and backdoors to the compromised systems.

Certain antivirus products detect these exploit codes as trojans, such as EXPL_TXTRANGE.A (Trend Micro), CreatetxtRange (Panda Software) and Bloodhound.Exploit.61 (Symantec).

Successful exploitation requires that Active Scripting is enabled in Internet Explorer.

Users are advised to take the following precautions until a patch is available to address this vulnerability.

  • Disable active scripting or configure Internet Explorer to prompt before running Active Scripting. For details refer to Microsoft Security Advisory 917077.
  • Exercise caution while visiting untrusted websites and opening email attachments.
  • Maintain updated Anti Virus software and Anti Spyware.

Microsoft released patches on 11th April 2006 to address this security issue vide Security Bulletin MS06-013. Users are advised to apply the appropriate patches as mentioned in this bulletin.

References:

http://www.isc.sans.org/diary.php?storyid=1222
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=451
http://www.eweek.com/article2/0,1895,1942570,00.asp
http://blogs.technet.com/msrc/archive/2006/03/27/423176.aspx
http://www.microsoft.com/technet/security/advisory/917077.mspx
http://www.us-cert.gov/current/current_activity.html#iememfail
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=EXPL%5FTXTRANGE%2EA
http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.61.html
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=112746&sind=0


Multiple patches released for Linux
Date : March 20, 2006

Patches for multiple vulnerabilities have been released by multiple vendors for their Linux products. Multiple vulnerabilities have been reported in packages such as Apache Log4net, Libpcre3, GnuPG, ypserv, kdegraphics, OpenOffice, iputils, gnome-pilot, evolution, kernel-utils, sysstat, file, udev, chkconfig, shadow-utils, metamail, kpdf, squid, psacct and rpm. Red Hat, Gentoo, SUSE and Mandrake have released patches to address these vulnerabilities in the respective packages. Some of the vulnerabilities reported are highly critical.

Multiple patches have also been released for Linux kernel vulnerabilities.

Users are advised to apply the required updates from the concerned vendors.

Vendor Information

Suse
http://www.novell.com/linux/download/updates/

Redhat
http://www.redhat.com/security/updates/

Mandrakesoft
http://www.mandrakesoft.com/security/advisories

Gentoo
http://www.gentoo.org/security/en/glsa/


Exploit codes for the Windows Media Player vulnerabilities available on Internet
Date : February 24, 2006

It has been observed that exploit codes for Microsoft Windows Media Player BMP file handling vulnerability described in CERT-In Vulnerability Note CIVN-2006-12 and Buffer Overflow Vulnerability in Windows Media Player Plug-in for non-Microsoft browsers described in CERT-In Vulnerability Note CIVN-2006-13 are available on the internet.

The Microsoft Windows Media Player BMP file handling vulnerability could be exploited if a user opens a specially crafted .bmp file in Windows Media Player or opens a Windows Media Metafile that references a .bmp file. It could also be exploited if a user visits a specially crafted web page.

The buffer overflow vulnerability in the Windows Media Player plug-in could be exploited by constructing a malicious EMBED element. An attacker could entice a user to visit a specially crafted HTML document and execute arbitrary code with the user's privileges.

Microsoft has released security bulletins MS06-005 and MS06-006 to address these security issues.

Users are suggested to apply appropriate patches and implement the workarounds mentioned in the above bulletins.

References:

http://www.cert-in.org.in/vulnerability/civn-2006-12.htm
http://www.cert-in.org.in/vulnerability/civn-2006-13.htm
http://www.microsoft.com/technet/security/Bulletin/MS06-006.mspx
http://www.microsoft.com/technet/security/Bulletin/MS06-005.mspx
http://www.us-cert.gov/current/current_activity.html#medplyrplugin
http://www.us-cert.gov/current/current_activity.html#buffbmp
http://www.frsirt.com/english/advisories/2006/0575
http://www.frsirt.com/english/advisories/2006/0574


Worm Nyxem_e/Blackmal/GREW/MyWife spreading very fast
Date : February 2, 2006

It has been observed that the mass-mailing worm called Nyxem, with aliases such as Blackmal, MyWife and Grew, and its variants are spreading very fast, infecting a large number of computers running Microsoft Windows.

The worm propagates by attaching a copy of itself to e-mail messages that it sends to harvested target addresses using its own SMTP engine. Attachments may be an executable file or a MIME file containing an executable file; the worm spreads via e-mail and network shares.

The e-mails sent by this worm contain obscene subject lines, message content and attachments. For further details refer to the Virus Alert issued by CERT-In on 23rd January.

It may be noted that the destructive payload of this worm activates on the third day of every month (the first time on 3rd February 2006) and replaces the content of the user's files with the text string "DATA Error [47 0F 94 93 F4 K5]". The targeted file types are DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP. It may also be noted that the payload activates according to the clock of the infected system.
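To help incident responders locate files already damaged by this payload, the following Python script (an added example; it is not part of this CERT-In alert) walks a directory tree, selects the file types listed above and reports those whose content begins with the "DATA Error" string. The assumption that a damaged file starts with that exact string, the function names and the sample files built by demo() are constructed for this example.

```python
"""Locate files overwritten by the Nyxem payload marker (added example, not from the alert)."""

import tempfile
from pathlib import Path
from typing import List

# Text string the alert reports the payload writes over user files.
MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# File types named in the alert as targets of the payload.
TARGET_EXTENSIONS = {
    ".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
    ".zip", ".rar", ".pdf", ".psd", ".dmp",
}


def is_overwritten(path: Path) -> bool:
    """Assumption for this example: a damaged file begins with MARKER.

    Only the first len(MARKER) bytes are read, so the check also works when the
    marker is repeated to fill the file's original size.
    """
    try:
        with path.open("rb") as fh:
            head = fh.read(len(MARKER))
    except OSError:
        return False
    return head == MARKER


def scan(root: Path) -> List[Path]:
    """Walk root and return targeted files whose content starts with the marker."""
    hits = []
    for path in sorted(root.rglob("*")):
        if (path.is_file()
                and path.suffix.lower() in TARGET_EXTENSIONS
                and is_overwritten(path)):
            hits.append(path)
    return hits


def demo() -> List[str]:
    """Build a constructed directory tree and return the relative paths flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        # clean spreadsheet: OLE compound-file header followed by padding
        (root / "finance" / "budget.xls").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 64)
        # overwritten document: marker repeated to fill the file
        (root / "finance" / "report.doc").write_bytes(MARKER * 8)
        # marker present, but .txt is not one of the targeted types
        (root / "notes.txt").write_bytes(MARKER)
        # overwritten PDF
        (root / "scan.pdf").write_bytes(MARKER)
        return [p.relative_to(root).as_posix() for p in scan(root)]


if __name__ == "__main__":
    for hit in demo():
        print("overwritten:", hit)
```

Run it against a user's document folders with scan(Path("...")) to produce the list of files that need to be restored from backup; files of non-targeted types are ignored even if they happen to contain the string.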

In view of the higher damage potential of this worm, users are advised to take following precautions to mitigate the risk.

  • Update Anti Virus software regularly
  • Block emails with the subjects and attachments mentioned above at the email gateway level
  • Exercise caution while opening email attachments
  • Block executable and unknown file types at the email gateway
  • Backup all important data files
  • Apply appropriate security updates at OS and application level

For further queries and help contact the CERT-In Incident Response Help Desk:
Tel: 91-1600-11-4949
Fax: 91-1600-11-6969




Exploit codes for Zero-day Vulnerability in Windows systems circulating
Date : December 29, 2005
Updated on: January 06, 2006

It has been reported that a zero-day vulnerability discovered on December 27, 2005 affects Microsoft Windows systems running Internet Explorer or Mozilla Firefox browsers.

The vulnerability lies in the way the Windows Picture and Fax Viewer handles corrupted .wmf (Windows Metafile) files. Microsoft Windows Metafile images are graphics files that can contain both vector and bitmap picture information. For further details regarding this vulnerability refer to CERT-In Vulnerability Note CIVN-2006-02.

It has been observed that exploit codes that could cause a buffer overflow through maliciously crafted WMF files are available on the internet. Further, some malicious sites are hosting malicious WMF files. An attacker who exploits this vulnerability could get complete access to a system or cause a denial of service.

This vulnerability may be similar to the one described in Microsoft Security Bulletin MS05-053, but it has been reported that even systems with the patches mentioned in that bulletin are susceptible to these exploits.

Some antivirus programs detect these exploit codes as Trojan Exploit-WMF.

Microsoft has released Security Advisory 912840 describing this vulnerability in the Graphics Rendering Engine.

Users are advised to implement following workarounds:

  • Exercise caution while opening email and links in emails from untrusted sources
  • Don’t view ".wmf" files received from untrusted sources
  • Block ".wmf" files at the HTTP proxy and the SMTP level
  • If not explicitly required, unregister the Windows Picture and Fax Viewer (Shimgvw.dll)
  • Maintain up-to-date antivirus software
  • Apply latest updates to the OS and applications

Microsoft released updates to address this vulnerability on 5th January 2006. Users are advised to apply the appropriate update as mentioned in Microsoft Security Bulletin MS06-001.

 References:


Update Functionality in SOBER.AG
Date : December 13, 2005
Updated on: January 04, 2006

CERT-In is monitoring the widespread propagation of Sober worm variants. It has been observed that the SOBER.AG worm (also known as "SOBER.Y" and "W32/SOBER.X") has mass-mailing capability and can also update itself automatically. It is a bilingual (English and German) worm that uses its own SMTP engine to propagate. The worm is able to update itself to the latest Sober variant on or after January 5, 2006 through pseudorandom URLs. These URLs point to free public web hosting websites predetermined by the virus author. On receiving the updates, the worm may execute code which could reduce the security protection of affected systems.

The users and systems administrators are advised to apply following countermeasures:

  • Install and maintain updated anti-virus software
  • Keep up-to-date patches and fixes on the operating systems
  • Do not visit un-trusted websites
  • Refer to CERT-In Anti Virus Policy & Best Practices

For further information refer to the following links.


Oracle worm proof-of-concept code
Date : November 03, 2005

It has been observed that proof-of-concept PL/SQL code for an Oracle worm is publicly available on the web. The worm sends a command via UTL_TCP to the listener and identifies Oracle databases within the same subnet. After identifying a database server it creates a private database link and connects using default username/password combinations. The default username/password list includes:

  • system/manager
  • scott/tiger
  • sys/change_on_install
  • dbsnmp/dbsnmp
  • mdsys/mdsys
  • outln/outln
  • ordcommon/ordcommon

Users are advised to implement the following workarounds:

  • Change default user credentials for Oracle installations
  • Revoke CREATE DATABASE LINK privileges from the CONNECT role
  • Change the default port for the TNS listener
  • Restrict Oracle network access to trusted hosts only
  • Protect your TNS listener with a strong password.

For further information refer to the following links.


 

Multiple Vulnerabilities in Oracle Products
Date : October 20, 2005

It has been observed that multiple vulnerabilities exist in Oracle products, which could be exploited by local/remote attackers to cause a denial of service, conduct SQL injection attacks, execute arbitrary commands, conduct cross-site scripting attacks, disclose information, and potentially compromise a vulnerable system. The following supported products are affected:

  • Oracle Application Server 10g
  • Oracle Collaboration Suite Release 1
  • Oracle Collaboration Suite Release 2
  • Oracle Database 8.x
  • Oracle Database Server 10g
  • Oracle Developer Suite 10g
  • JD Edwards EnterpriseOne 8.x
  • JD Edwards OneWorld 8.x
  • Oracle E-Business Suite 11i
  • Oracle Enterprise Manager 10.x
  • Oracle Enterprise Manager 9.x
  • Oracle9i Application Server
  • Oracle9i Database Enterprise Edition
  • Oracle9i Database Standard Edition
  • PeopleSoft Enterprise Customer Relationship Management (CRM) 8.x
  • PeopleSoft EnterpriseOne Applications 8.x

Oracle has released patches to address these vulnerabilities. Users may refer to Oracle Critical Patch Update for October 2005 and apply appropriate patches as mentioned.

For further information refer to the following links.


Unexpected Behavior in Windows Firewall User Interface
Date : September 01, 2005

Microsoft has confirmed reports of unexpected behavior in the Windows Firewall user interface: it does not show malformed entries in the Windows registry. The behavior occurs if an exception is created by modifying the registry directly. For example, to open TCP port 12345, a port is added to the registry and the registry value is set to “12345:TCP:*:Enabled”. But the correct value for this exception is “12345:TCP:*:Enabled:Exception Name”. Since the exception does not contain a name, the Windows Firewall user interface may not show this entry. Microsoft Security Advisory (897663) confirms that systems running Microsoft Windows XP Service Pack 2 and Microsoft Windows 2003 Service Pack 1 are affected by this issue. As an immediate workaround, use the command line utility 'netsh firewall' to view the open ports. Microsoft has also issued an update for Windows XP Service Pack 2 (KB897663) to fix this flaw.
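As a complement to checking with 'netsh firewall', the following Python script (an added example, not from this advisory or from Microsoft) parses port-exception strings in the format quoted above and reports entries that lack the name field or are otherwise malformed. The PORTS_KEY registry path is the location assumed for this example and is read only when the script runs on Windows; the function names and the sample list are constructed.

```python
"""Audit Windows Firewall port-exception strings for entries the XP SP2 / 2003 SP1
user interface would hide (added example, not from the advisory or Microsoft)."""

from typing import Dict, List, Tuple

# Location of the globally opened ports, assumed for this example; it is only
# read when running on Windows, otherwise the constructed sample below is used.
PORTS_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
             r"\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")

FIELDS = ("port", "protocol", "scope", "state", "name")


def parse_exception(value: str) -> Dict[str, str]:
    """Split 'port:proto:scope:state:name' into fields.

    The name may itself contain colons, so split at most four times and keep
    the remainder as the name; missing trailing fields become empty strings.
    """
    parts = value.split(":", 4)
    return {field: (parts[i] if i < len(parts) else "") for i, field in enumerate(FIELDS)}


def problems(value: str) -> List[str]:
    """List why an exception string is malformed; an empty list means well-formed."""
    entry = parse_exception(value)
    issues = []
    if not entry["port"].isdigit() or not 0 < int(entry["port"]) <= 65535:
        issues.append("port is not a valid number")
    if entry["protocol"].upper() not in ("TCP", "UDP"):
        issues.append("protocol is not TCP or UDP")
    if entry["state"] not in ("Enabled", "Disabled"):
        issues.append("state is not Enabled or Disabled")
    if not entry["name"].strip():
        issues.append("missing exception name (the firewall UI may not show it)")
    return issues


def audit(values) -> List[Tuple[str, List[str]]]:
    """Return only the malformed entries, each paired with its list of reasons."""
    return [(v, problems(v)) for v in values if problems(v)]


def read_live_values() -> List[str]:
    """Enumerate the live key with winreg; returns [] when not running on Windows."""
    try:
        import winreg
    except ImportError:
        return []
    values = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PORTS_KEY) as key:
        index = 0
        while True:
            try:
                _name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # raised when there are no more values
                break
            values.append(str(data))
            index += 1
    return values


# Constructed sample: three well-formed entries plus the nameless one from the advisory.
SAMPLE_VALUES = [
    "80:TCP:*:Enabled:Web Server (HTTP)",
    "3389:TCP:LocalSubnet:Enabled:Remote Desktop",
    "12345:TCP:*:Enabled",
    "53:UDP:*:Disabled:DNS",
]


if __name__ == "__main__":
    for value, reasons in audit(read_live_values() or SAMPLE_VALUES):
        print(f"{value!r}: {'; '.join(reasons)}")
```

Because the script reads the registry values directly rather than asking the firewall UI, an exception that the UI omits still appears in its report, which is the same property that makes the 'netsh firewall' workaround effective.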

http://support.microsoft.com/kb/897663
http://www.microsoft.com/technet/security/advisory/897663.mspx


 

Windows Registry Utilities String Concealment flaw
Date : August 30, 2005

It has been observed that applications such as Microsoft Windows Registry Editor, Windows AntiSpyware and HijackThis do not properly display registry keys containing long registry values. This flaw could be exploited to hide malicious software on a Microsoft Windows machine by using long registry keys. It is possible to hide registry entries under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, making them invisible when viewed with vulnerable applications and allowing malicious applications to run invisibly during system startup. An updated list of vulnerable and non-vulnerable applications is available on the SANS website.
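As a defensive check for this flaw, the following Python script (an added example, not part of this advisory or of the SANS listing) enumerates the Run key named above and flags any value whose name or data is longer than a display limit. The 254-character limit is an assumption chosen for this example, the function names are constructed, the sample dictionary is constructed, and the live enumeration with winreg runs only on Windows.

```python
"""Flag Run-key entries long enough to be concealed from length-limited registry
viewers (added example, not from the advisory)."""

from typing import Dict, List, Tuple

# Autostart key named in the advisory, relative to HKEY_LOCAL_MACHINE.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Display limit assumed for this example: a viewer that stops rendering at
# roughly this many characters will not show a longer name. Tune to your tools.
MAX_VISIBLE_LENGTH = 254


def find_concealed(values: Dict[str, str],
                   limit: int = MAX_VISIBLE_LENGTH) -> List[Tuple[str, str]]:
    """Return (value name, reason) pairs for entries a length-limited viewer could hide."""
    findings = []
    for name, data in values.items():
        if len(name) > limit:
            findings.append((name, f"value name exceeds {limit} characters"))
        elif len(str(data)) > limit:
            findings.append((name, f"value data exceeds {limit} characters"))
    return findings


def read_run_key() -> Dict[str, str]:
    """Enumerate the live Run key with winreg; returns {} when not running on Windows."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # raised when there are no more values
                break
            values[name] = str(data)
            index += 1
    return values


# Constructed sample: one ordinary entry, one with an over-long name and one
# with over-long data. The paths are placeholders, not real programs.
SAMPLE_RUN_VALUES = {
    "SecurityAgent": r"C:\Program Files\Vendor\agent.exe",
    "A" * 300: r"C:\Windows\system32\constructed_hidden.exe",
    "Updater": r"C:\Windows\system32\constructed_updater.exe " + "x" * 400,
}


if __name__ == "__main__":
    entries = read_run_key() or SAMPLE_RUN_VALUES
    for name, reason in find_concealed(entries):
        print(f"{reason}: {name[:40]}{'...' if len(name) > 40 else ''}")
```

The script relies on winreg returning every value regardless of length, so its report can be compared against what the graphical viewer shows; any entry present here but absent from the viewer deserves a closer look.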

http://isc.sans.org/diary.php?date=2005-08-24
http://secunia.com/advisories/16560/
http://www.pcwelt.de/news/sicherheit/118750/index.html
http://news.com.com/Flaw+may+hide+malicious+software/2100-1002_3-5843863.html?tag=nefd.top


Exploit for Microsoft Internet Explorer msdds.dll COM object Vulnerability
Date : August 19, 2005
Updated on: October 12, 2005

It has been observed that a zero-day exploit is available for Microsoft Internet Explorer. The exploit makes use of a vulnerability in the Microsoft DDS Library Shape Control (msdds.dll) COM object which, when called from a malicious web page using Internet Explorer, causes the browser to exit unexpectedly. The msdds.dll COM object is installed as part of Microsoft Visual Studio .NET, Microsoft Office XP and Microsoft Office 2003. Details regarding this security issue can be found in Microsoft Security Advisory (906267) and CERT-In Vulnerability Note CIVN-2005-79. Microsoft is investigating this vulnerability and has suggested workarounds in the Advisory (906267). Microsoft has released a patch to address this vulnerability vide security bulletin MS05-052.

http://www.microsoft.com/technet/security/advisory/906267.mspx
http://isc.sans.org/diary.php?date=2005-08-18
http://www.frsirt.com/english/advisories/2005/1450
http://secunia.com/advisories/16480/

 


Exploits for Microsoft Windows Vulnerabilities available on internet
Date : August 12, 2005

It has been observed that exploits for the Microsoft Windows vulnerabilities published in Microsoft Security Bulletins MS05-038, MS05-039 and MS05-041 for August 2005 are available on the internet. Details regarding these vulnerabilities can be found in CERT-In Advisory (CIAD-2005-19). According to Microsoft Security Advisory (899588) released on August 11, 2005, the vulnerability in the Microsoft Windows Plug and Play service is critical and could be exploited to compromise Windows 2000 systems. Users are advised to apply the appropriate patches as mentioned in the Microsoft Security Bulletins released on Aug 9, 2005.

CERT-In Advisory CIAD-2005-19
http://cert-in.org.in/advisory/ciad-2005-19.htm

CERT-In Vulnerability Note CIVN-2005-73
http://www.cert-in.org.in/vulnerability/civn-2005-73.htm

Microsoft Security Advisory (899588)
http://www.microsoft.com/technet/security/advisory/899588.mspx

Microsoft Security Bulletins for August
http://www.microsoft.com/technet/security/bulletin/ms05-aug.mspx

Internet Storm Center
http://isc.sans.org/diary.php?date=2005-08-11

 


Cisco IOS Vulnerabilities
Date : July 29, 2005

At a recent Black Hat conference a proof-of-concept exploit targeting previously disclosed Cisco IOS vulnerabilities was demonstrated. It has been reported that the demonstrated exploit could allow attackers to launch large-scale attacks against Cisco routers, hampering the functioning of the Internet. A US Federal District Court has issued an injunction against Black Hat Inc. and the researcher restraining further disclosure of the code. All users are advised to upgrade to the latest Cisco IOS firmware. For further details refer to:


Un-patched IE vulnerabilities
Date : July 23, 2005
Updated on: August 11, 2005

Two vulnerabilities are reported in Microsoft Internet Explorer's JPEG image rendering capabilities, which may allow a remote attacker to execute arbitrary code.

Successful exploitation of these vulnerabilities could allow execution of arbitrary code in the user's context or crash IE. Microsoft Internet Explorer 6 SP2 and previous versions are prone to a buffer overflow vulnerability in the JPEG image rendering library used by the browser. The vulnerability is due to a failure of the application to properly bounds-check input data prior to copying it to a fixed-size memory buffer. No patches are available from the vendor.

Microsoft has released patches to address these vulnerabilities on 9th August, 2005. Users may refer to CERT-In Vulnerability Note CIVN-2005-72 and apply the appropriate patches as mentioned in Microsoft Security Bulletin MS05-038.

For further information refer to the following links.

Security Focus BID: 14282
http://www.securityfocus.com/bid/14282
Security Focus BID: 14284
http://www.securityfocus.com/bid/14284
News.com
http://news.com.com/Unpatched+IE+flaws+reported/2100-1002_3-5798893.html?tag=nefd.top


Kirvo worm spreads via MSN Messenger or Windows Messenger
Date : July 23, 2005

It has been observed that a new worm called Kirvo is spreading in the wild. The worm is identified as W32/Kelvir.worm.ea by McAfee and Trojan.Kirvo.B by Symantec. It spreads via Windows Messenger or MSN Messenger by sending a message containing a link to a malicious website and tricking users into visiting it. The malicious website hosts an IRC bot (Backdoor.Sdbot) which gets downloaded to the user's system. The compromised system is used for further propagation of the worm and other malicious activities.

Users are advised to update their antivirus software to mitigate the risk. For further details refer to the following URLs:


Trojan horse spreading by posing as London attack news
Date : July 17, 2005

An e-mail claiming to contain a video news clip of the aftermath of the London attacks is spreading in the wild. The mail carries a Trojan horse program and is used to compromise computer systems. The e-mail arrives with an attached file named ‘Terror Movie.avi <124 spaces> checked By Norton Antivirus.exe’. When clicked, instead of a movie file the Trojan horse program is executed; it copies itself to the Windows directory and modifies registry entries so that it starts automatically at system startup. The Trojan then attempts to find the list of SMTP servers configured for the system and uses these servers to send a large volume of unsolicited e-mails.
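The attachment name above combines an executable extension with whitespace padding that pushes the real extension out of view in a mail client. The following Python check (an added example, not part of this alert or of the Nyxem alert above) shows an e-mail gateway rule that flags such names and also implements the earlier advice to block executable and unknown file types at the gateway. The allow list, the function names and the sample names are constructed for this example.

```python
"""Mail-gateway attachment name policy (added example, not from the alert)."""

import re
from typing import Dict, List

# Extensions Windows will execute directly when the attachment is opened.
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "hta"}

# Constructed allow list for a gateway that only passes known document types.
ALLOWED_EXTENSIONS = {"pdf", "doc", "xls", "ppt", "txt", "jpg", "png", "gif", "zip"}

PADDING_RE = re.compile(r"\s{2,}")                         # runs of whitespace inside the name
PSEUDO_EXT_RE = re.compile(r"\.([a-z]{2,4})(?![a-z0-9])")  # every '.avi', '.exe' style suffix


def attachment_findings(filename: str) -> List[str]:
    """Return the policy violations found in an attachment file name."""
    name = filename.strip()
    lower = name.lower()
    ext = lower.rsplit(".", 1)[1] if "." in lower else ""
    findings = []
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension .{ext}")
    elif not ext:
        findings.append("no file extension")
    elif ext not in ALLOWED_EXTENSIONS:
        findings.append(f"file type .{ext} not on the allow list")
    # 'movie.avi ... .exe' or 'invoice.pdf.exe': more than one extension-like suffix
    if len(PSEUDO_EXT_RE.findall(lower)) >= 2:
        findings.append("multiple extensions")
    # long whitespace runs hide the real extension past the edge of the client's display
    if PADDING_RE.search(name):
        findings.append("whitespace padding inside the name")
    return findings


def should_block(filename: str) -> bool:
    """Gateway decision: any finding blocks the attachment."""
    return bool(attachment_findings(filename))


# Constructed sample names, including the padded name reported in the alert.
CONSTRUCTED_SAMPLES = [
    "budget.xls",
    "Terror Movie.avi" + " " * 124 + "checked By Norton Antivirus.exe",
    "invoice.pdf.exe",
    "archive.7z",
]


def demo() -> Dict[str, List[str]]:
    """Evaluate every constructed sample and return its findings."""
    return {name: attachment_findings(name) for name in CONSTRUCTED_SAMPLES}


if __name__ == "__main__":
    for name, findings in demo().items():
        verdict = "BLOCK" if findings else "pass"
        print(f"{verdict:5} {name[:32]!r:36} {'; '.join(findings)}")
```

The check works on the name only, so it belongs alongside, not instead of, content scanning at the gateway; its value is that it catches the social-engineering tricks (padding, stacked extensions) that a signature for one particular Trojan would miss.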

References

http://www.f-secure.com/weblog/

http://www.spamfo.co.uk/component/option,com_content/task,view/id,347/Itemid,2/


Microsoft releases Update Rollup for Windows 2000 SP4
Date : June 30, 2005

Microsoft has released a package consisting of numerous patches to Windows 2000 Service Pack 4. The Update Rollup cont