Zotob, Mytob authors arrested

This issue's topics:

Introduction:

* Zotob arrest; Adobe Reader and Acrobat, CA CAM/CAFT, Novell iMonitor, Elm updates

Virus News:

* Zotob, Mytob authors arrested

* Lock up your files

Security News:

* Just when you thought MS05-039 issues couldn't get more complex

* MS security advisory 906267 updated

* Adobe Reader and Acrobat patched against arbitrary code execution vulnerabilities

* CA Message Queuing software updated; multiple products and platforms

* Critical Novell eDirectory iMonitor update

* Elm remote arbitrary code vulnerability fixed

* Mutt buffer overflow may be exploitable

* Targeted attacks given cutesy name

Introduction:

The big news over the weekend was the arrest of two men, one in Turkey and the other in Morocco, for their alleged part in the writing and distribution of the Zotob worm.

In more general security news, there are further developments in the ongoing saga of what configurations are open to possible exploitation of the PnP vulnerability used by Zotob and other worms and more changes in the msdds.dll COM object vulnerability story, both covered in Microsoft security advisories.

Adobe Reader and Acrobat users should get the latest updates to these products, Computer Associates releases patches for serious vulnerabilities in the Message Queuing component included in many of its products, Novell eDirectory users should get the latest update to the iMonitor component and Elm users should check whether their version of this venerable Unix email client is vulnerable to a publicly disclosed, remotely exploitable buffer overflow. Mutt users face a similar issue, but there is no official update and only a user-contributed patch available at the moment.

Virus News:

* Zotob, Mytob authors arrested

Over the weekend the Moroccan and Turkish police each arrested a local man for his alleged role in writing and releasing the Zotob worm. Variants of Zotob infected Windows 2000 computers in the systems of many high-profile companies and organizations. Not least of these was CNN, thus pretty much guaranteeing an explosion of media interest in both Zotob and other worms spreading via exploitation of the MS05-039 PnP vulnerability.

Atilla Ekici (21) from Turkey and his Moroccan accomplice Farid Essebar (18) were arrested in their home countries by local police, following a collaborative investigation between the Moroccan and Turkish authorities, Microsoft’s Internet Crime Investigations Team and the FBI.

Essebar, using the handle "Diabl0", is said to have written the worm (which is also suggested by various comments and strings in the worm) and Ekici (using the handle "Coder") is said to have "financed" the effort; that is, Ekici paid Essebar to write the worm. No motive has yet been publicly attributed to Ekici.

As pointed out in the F-Secure virus analysts' weblog (linked below), and elsewhere, the handle Diabl0 is also associated with the Mytob worm family, and there are further similarities between Mytob and Zotob.

Moroccan, Turk arrested over worm outbreak — computerworld.com

F-Secure weblog entry

* Lock up your files

The Myfip worm never gained much media attention. However, this recently published analysis of the Myfip family by malware researchers at LURHQ suggests this data-stealer may be more interesting (and potentially worrying) than its lack of media celebrity suggests.

Myfip Intellectual Property Theft Worm Analysis — lurhq.com

Security News:

* Just when you thought MS05-039 issues couldn't get more complex

Microsoft has issued a security advisory to "clarify information of the issue addressed in Security Bulletin MS05-039 for non-default configurations of Windows XP Service Pack 1". In short, a (probably not uncommon non-default) XP configuration is vulnerable to MS05-039 if the system has not had the MS05-039 patch applied and is pre-SP2.

The issue here is the so-called "ForceGuest" policy — the grisly details can be had from the security advisory, linked below.

Although this configuration is not known to be actively being exploited, Microsoft has released the advisory as a warning "don't leave systems unpatched; if they are thought to be immune from a problem but a patch exists, install it".

Clarification of Simple File Sharing and ForceGuest — microsoft.com

* MS security advisory 906267 updated

Further to the ongoing saga of COM Objects being inappropriately callable as ActiveX controls in web pages (if viewed in IE), Microsoft has again revised the security advisory on the latest such control, msdds.dll.

Specifically, the known vulnerable versions list has been updated to include a further vulnerable version than when we first reported on this last week. Also, the mitigating factors section of the advisory has been revised.

Msdds.dll could cause Internet Explorer to unexpectedly exit — microsoft.com

* Adobe Reader and Acrobat patched against arbitrary code execution vulnerability

Adobe has released updates for its Reader and Acrobat products to correct a buffer overflow that may be exploitable to allow the execution of arbitrary, remotely supplied code. Adobe Reader 5.1, 6.0-6.0.3, 7.0-7.0.2 and Adobe Acrobat 5.0-5.0.5, 6.0-6.0.3, 7.0-7.0.2 are the affected versions, on Linux, Mac OS, Solaris and Windows.

Recommended updates and links to them are available from the Adobe security advisory, linked below, that describes this issue.

Acrobat and Adobe Reader plug-in buffer overflow - adobe.com

* CA Message Queuing software updated; multiple products and platforms

Computer Associates has released updates to its CA Message Queuing (CAM/CAFT) software, which is supplied as a component in many potentially critical products, including various elements of Unicenter, BrightStor, AdviseIT and eTrust Admin. These vulnerabilities affect versions of the software across all supported OS platforms.

The updates fix denial of service and potential remote arbitrary code execution vulnerabilities, discovered by CA's staff during an internal code audit that was itself prompted by the disclosure of several critical vulnerabilities in related products earlier in the year. The CA security notice linked below lists all affected products and contains links to patches and update instructions.

Patches Available To Address CA Message Queuing Vulnerabilities — ca.com

* Critical Novell eDirectory iMonitor update

Novell has released a patch to address a critical severity buffer overflow in the iMonitor server component of its eDirectory product. Version 8.7.3 of this component is susceptible to a buffer overflow while processing a non-authenticated URL request, meaning that any openly accessible iMonitor system can have arbitrary code run with Windows "system" privileges. Example exploit code is publicly available.

Buffer overflow vulnerability in eDirectory 8.7.3 iMonitor — novell.com

* Elm remote arbitrary code vulnerability fixed

Ulf Harnhammar has described a remotely exploitable arbitrary code execution vulnerability in the widely-used Unix e-mail client, Elm. Harnhammar claims that at least the 2.5 PL5, PL6 and PL7 releases are vulnerable, but the newly released 2.5 PL8, and the Elm ME+ release, are not affected.

The vulnerability occurs in a badly handled buffer copy while parsing "Expires:" headers and Harnhammar publicly released an example message to demonstrate the vulnerability.
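The report above describes the flaw only in outline: a header value copied into a buffer without regard to its length. The following C block is an added illustration of that bug class and is not Elm's code or Harnhammar's demonstration message. The "Expires:" header name comes from the report; the 64-byte buffer size, the function names and the sample lines are constructed for the example. It places the unsafe copy pattern beside a bounded version that checks the value length before copying and rejects oversized values.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 64 /* constructed buffer size for the illustration */

/* If the line starts with "Expires:" (case-insensitive), return a pointer to
 * the value after the header name and leading blanks; otherwise return NULL. */
static const char *expires_value(const char *line)
{
    static const char name[] = "expires:";
    size_t n = strlen(name);
    for (size_t i = 0; i < n; i++) {
        /* Stop at end of line before comparing, so we never read past it. */
        if (line[i] == '\0' || tolower((unsigned char)line[i]) != name[i])
            return NULL;
    }
    const char *v = line + n;
    while (*v == ' ' || *v == '\t')
        v++;
    return v;
}

/* UNSAFE pattern (hypothetical, shown for contrast only): the header value is
 * copied with strcpy, so a value longer than VALUE_MAX-1 bytes writes past the
 * end of `out`. This function is never called below. */
int copy_expires_unsafe(const char *line, char out[VALUE_MAX])
{
    const char *v = expires_value(line);
    if (!v)
        return -1;
    strcpy(out, v); /* no length check: overflow on a long header value */
    return 0;
}

/* Hardened version: measure the value first, refuse anything that would not
 * fit with its terminator, and copy exactly that many bytes.
 * Returns 0 on success, -1 if the line is not an Expires header,
 * -2 if the value is too long for the destination buffer. */
int copy_expires_bounded(const char *line, char *out, size_t outsz)
{
    const char *v = expires_value(line);
    if (!v)
        return -1;
    size_t len = strcspn(v, "\r\n"); /* value ends at CR/LF or end of string */
    if (len >= outsz)
        return -2;
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* Constructed oversized input: a 200-byte value, well beyond VALUE_MAX.
 * Returns the bounded parser's result code (expected -2). */
int demo_oversized(void)
{
    char line[256];
    char out[VALUE_MAX];
    memset(line, 'A', sizeof line);
    memcpy(line, "Expires: ", 9);
    line[sizeof line - 1] = '\0';
    return copy_expires_bounded(line, out, sizeof out);
}

int main(void)
{
    char out[VALUE_MAX];
    const char *ok = "Expires: Tue, 23 Aug 2005 10:00:00 +0000\r\n"; /* constructed */
    if (copy_expires_bounded(ok, out, sizeof out) == 0)
        printf("accepted value: \"%s\"\n", out);
    printf("oversized value result: %d\n", demo_oversized());
    printf("non-Expires header result: %d\n",
           copy_expires_bounded("Subject: hello\r\n", out, sizeof out));
    return 0;
}
```

The point for a reviewer is the order of operations in `copy_expires_bounded`: the length is known and checked before a single byte is written, and the reject case returns a distinct code so a caller can log the malformed header rather than silently truncate it.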

Archived Full-Disclosure list message — grok.org.uk

* Mutt buffer overflow may be exploitable

Peter Valchev has described a possibly exploitable buffer overflow in the popular (or at least, "less sucky") Mutt e-mail client. Valchev suggested, in his Full-Disclosure posting, that this flaw may have been reported before 'but ignored as unimportant'.

He has supplied a mailbox file demonstrating the vulnerability and suggests that all recent versions are vulnerable. There is no official patch from mutt.org yet, but Valchev has supplied a suggested source patch for those not averse to rolling their own...

Archived Full-Disclosure list message — grok.org.uk

* Targeted attacks given cutesy name

"Targeted attack" is a long-established security term. It is typically used to characterise a potentially wide class of social engineering and other attempts to breach security in which the attackers carefully choose a small group of targets — possibly even just a single target — in the hopes of obtaining the necessary information to further their attack. Targeted attacks are the logical opposite of "the shotgun approach", where little or no pre-selection of possible targets occurs.

Traditional phishing attacks are clearly of the shotgun variety, with vast numbers of email (or other) messages being indiscriminately distributed to pretty much all and sundry in the hopes that a few recipients will be taken in by the message's subterfuge or, as is more typically the case in modern pyramid schemes, simply that enough suitably gullible folk will be among the recipients.

As we reported earlier in the year, there has been a noticeable upswing in targeted phishing attacks of late, with many instances of UK and US government and related defence contractors bearing the brunt of the known attacks.

These attacks were recently reported on again, but with the twist of the addition of the term "spear phishing" apparently being coined specifically for such targeted phishing attacks.

Online scammers pose as execs in "spear-phishing" — computerworld.com

Training Needed to Halt "Spear-Phishing" Attacks — computerworld.com
