Has your PC got the bot?

If recent trends in malware are as bad as some report, it would seem unlikely many could truthfully answer the title question with a 'no'.

This issue's topics:

Introduction:

* Bots galore; Firefox, Thunderbird, Winamp, zlib, AirPort & JRun fixes

Virus News:

* Has your PC got the bot?

Security News:

* Windows RDP weakness opens DoS opportunity

* Firefox/Thunderbird 1.0.6 update released

* Winamp 5.094 fixes remote code execution vulnerability

* zlib 1.2.3 includes critical security fix

* Apple AirPort 4.2 update includes important security fix

* JRun 4.0/ColdFusion MX token collision fix

Introduction:

No specific virus or other malware stories this past week seemed worthy of inclusion, so in the virus section we have an overview of the gathering "year of the bot". Remotely controlled and commanded "agent" software that works on its unknowing and unwilling host computer to perform at the whim of its "bot master" is increasingly the focus of both the bad guys writing and distributing malware, and antivirus and related computer security researchers charged with detecting and eliminating it.

On the security front, Microsoft has acknowledged reports of a remote DoS flaw in its Remote Desktop Protocol (RDP) implementations, and the Mozilla project has released "stability updates" for Firefox and Thunderbird to fix some side-effects of the previous week's security fixes. Apple has a fix for AirPort, Macromedia a fix for JRun 4.0-based products and Nullsoft a fix for Winamp. Finally, the very widely used zlib compression library has a fix for an exploitable flaw that may, depending on how the code is used within hosting applications, be remotely exploitable.

Virus News:

* Has your PC got the bot?

If recent trends in malware are as bad as some report, it would seem unlikely many could truthfully answer the title question with a "no".

To those working in the front lines of malware analysis and research, it certainly is noticeable that the nature of what they've been working on has changed over the last couple of years. Following the late-1990s fascination with VBA macro viruses, their evolution into "network aware" data stealers and mass-mailers around 1999, and the move to VBS mass-mailing and/or "share-crawling" worms within a year, binary (Windows executable) malware then assumed its place at the top of the malware prevalence heap a couple of years into the new millennium.

Since then, the rate of truly mass-outbreak Windows viruses has fallen, as more and better front-line content filtering, and other layers of scanning, detection and ameliorative techniques, have been implemented. In a sense the success of these defensive technologies (especially in large corporate environments) has increased the value of the remaining targets.

It should not, therefore, be surprising that with more effort necessary to compromise a significant number of machines, the uses these machines are put to are less "in your face", less "crash and burn", than simply using them as the senders of massive numbers of replicants of the next trivial mass-mailer. Indeed, such is the value of compromised machines that there is now a 'cottage industry' in the business of selling access to these machines, or at least to certain network services implemented on them (unbeknownst to their actual owners), such as spam address harvesting and testing, spam relays, DDoS agents, and rotating web proxies and DNS to hide the real hosts of spam-vertised products and other less salubrious internet activities.

In fact, there has been quite a trend toward this "commercialisation" of compromised machines for a couple of years now, perhaps beginning with the "ad clickers" and other automated bots that surreptitiously generated affiliate income through fraudulent pay-per-view and pay-per-click activity from compromised PCs.

For the last year or so things have been approaching the point that many security product vendors and "concerned" official bodies started taking note. The terms "bot" and "zombie" are being used more and more, and the warnings of what we may yet see, should the growth of the "zombie armies" continue unchecked, are gathering more attention than just being the somewhat disjoint prognostications of a few isolated anti-malware researchers.

The last few weeks have seen several threads of this gathering bot awareness come together, and 2005 may go down in history as "the year of the bot". We've collected a few of the hopefully more interesting bot-related stories of the last couple of weeks for your delight and delectation this week...

Operation Spam Zombies — ftc.gov

FTC, International Agencies Adopt Action Plan on Spam Enforcement — ftc.gov

Zombie bots fuel spyware boom — theregister.co.uk

Zombie makers turning to fake greeting cards — networkworld.com

Sophos Zombie Alert Service — sophos.com

New threats, dissolving perimeters — techtarget.com

Security News:

* Windows RDP weakness opens DoS opportunity

Microsoft has issued a security advisory confirming public reports of a remote denial of service flaw in its Remote Desktop Protocol (RDP). RDP is not enabled by default in any shipping Windows configuration other than XP Media Centre Edition. Microsoft and other security investigators who have studied the flaw claim it cannot be exploited for a remote code execution attack (as would be necessary for it to be useful as the basis of a network worm), and can "only" be used for a DoS attack that may require restarting the machine to recover.

Typical best-practice firewall policies would remove exposure from outside one's network. There was an apparent flurry of port-scanning for port 3389 (the default terminal services port that exposes RDP) in the days before the flaw was first reported about a week ago, but that activity has not continued.

Vulnerability in RDP Could Lead to Denial of Service — microsoft.com

* Firefox/Thunderbird 1.0.6 update released

Another week, another Mozilla update.

Last week we reported the 1.0.5 release of Firefox and Thunderbird to fix critical security vulnerabilities. This week the 1.0.6 releases of both fix API incompatibility issues introduced in the 1.0.5 release that prevented some extensions and web applications from working properly.

What's New Firefox 1.0.6 — mozilla.org

Thunderbird home page — mozilla.org

* Winamp 5.094 fixes remote code execution vulnerability

Nullsoft has released Winamp 5.094 to address a critical security vulnerability in the media player's handling of "ID3v2" tags in MP3 files.

Leon Juranic of the LSS Security Team discovered the buffer overflow vulnerability, which can be triggered by an overlong ID3v2 tag (ID3v2 tags carry artist, title and similar information in MP3 files). Although there are some sanity checks that have to be worked around, Juranic found the vulnerability to be exploitable in some system configurations, allowing the execution of arbitrary code on the target system. He has publicly reported the details of the buffer overflow and discussed many of the technical issues in exploiting it, as well as providing an example malformed MP3 file.

Nullsoft's website does not discuss the issue in detail, so it is unclear which versions of Winamp are vulnerable. However, as the technical details and a proof-of-concept MP3 have been publicly released, all Winamp 5.0 users, at least, would be advised to obtain the update.
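The defensive point of the Winamp item is that a tag's declared length must never be trusted over the bytes actually present. The following is an added example (not Nullsoft's or LSS's code, and not a description of Winamp's parser) of an ID3v2 header and first-frame reader that checks the synchsafe tag size against the buffer it was given, checks the frame size against the tag body, and copies frame text into a fixed-size destination with truncation instead of overrunning it. The sample tag bytes are constructed for the demonstration and omit the text-encoding byte a real text frame carries.

```c
/* Added example: bounds-checked ID3v2 header/frame parsing.
 * Assumes the caller supplies the file contents as a byte buffer of known length. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ID3V2_HEADER_LEN 10   /* "ID3", version(2), flags(1), synchsafe size(4) */
#define ID3V2_FRAME_HDR  10   /* frame id(4), size(4), flags(2) for v2.3/v2.4 */

typedef struct {
    uint8_t  version_major;
    uint8_t  flags;
    uint32_t tag_size;        /* body size, excluding the 10-byte header */
} id3v2_header;

/* Returns 0 on success, negative on a malformed or oversized tag header. */
int id3v2_parse_header(const uint8_t *buf, size_t len, id3v2_header *out)
{
    if (buf == NULL || out == NULL || len < ID3V2_HEADER_LEN)
        return -1;                             /* too short to hold a header */
    if (memcmp(buf, "ID3", 3) != 0)
        return -2;                             /* no ID3v2 tag present */
    if (buf[3] == 0xFF || buf[4] == 0xFF)
        return -3;                             /* spec forbids 0xFF version bytes */
    uint32_t size = 0;
    for (int i = 6; i < 10; i++) {
        if (buf[i] & 0x80)
            return -4;                         /* synchsafe bytes must have MSB clear */
        size = (size << 7) | (buf[i] & 0x7F);
    }
    if (size > len - ID3V2_HEADER_LEN)
        return -5;                             /* declared body exceeds bytes present */
    out->version_major = buf[3];
    out->flags = buf[5];
    out->tag_size = size;
    return 0;
}

/* Copies the first frame's payload into dst (always NUL-terminated, truncated to
 * dst_len - 1 bytes). Returns the number of payload bytes copied, or negative on error. */
int id3v2_first_frame(const uint8_t *buf, size_t len, char frame_id[5],
                      char *dst, size_t dst_len)
{
    id3v2_header h;
    int rc = id3v2_parse_header(buf, len, &h);
    if (rc != 0) return rc;
    if (dst == NULL || dst_len == 0) return -1;
    if (h.flags & 0x40) return -6;             /* extended header: not handled here */
    if (h.tag_size < ID3V2_FRAME_HDR) return -7;
    const uint8_t *p = buf + ID3V2_HEADER_LEN;
    memcpy(frame_id, p, 4);
    frame_id[4] = '\0';
    uint32_t fsize = 0;
    for (int i = 4; i < 8; i++) {
        if (h.version_major >= 4) {            /* v2.4 frame sizes are synchsafe */
            if (p[i] & 0x80) return -4;
            fsize = (fsize << 7) | (p[i] & 0x7F);
        } else {                               /* v2.3 frame sizes are plain big-endian */
            fsize = (fsize << 8) | p[i];
        }
    }
    if (fsize > h.tag_size - ID3V2_FRAME_HDR)
        return -8;                             /* frame claims more than the tag holds */
    size_t n = fsize < dst_len - 1 ? fsize : dst_len - 1;   /* truncate, never overrun */
    memcpy(dst, p + ID3V2_FRAME_HDR, n);
    dst[n] = '\0';
    return (int)n;
}

/* Constructed sample tags (v2.3): a well-formed one, one whose header size is absurd,
 * and one whose frame size exceeds the tag body. */
static const uint8_t SAMPLE_OK[26] = {
    'I','D','3', 0x03,0x00, 0x00, 0x00,0x00,0x00,0x10,      /* body = 16 bytes */
    'T','I','T','2', 0x00,0x00,0x00,0x06, 0x00,0x00,         /* 6-byte payload  */
    'H','e','l','l','o','!' };
static const uint8_t SAMPLE_OVERLONG_TAG[26] = {
    'I','D','3', 0x03,0x00, 0x00, 0x7F,0x7F,0x7F,0x7F,      /* claims ~256 MiB */
    'T','I','T','2', 0x00,0x00,0x00,0x06, 0x00,0x00,
    'H','e','l','l','o','!' };
static const uint8_t SAMPLE_OVERLONG_FRAME[26] = {
    'I','D','3', 0x03,0x00, 0x00, 0x00,0x00,0x00,0x10,
    'T','I','T','2', 0x7F,0xFF,0xFF,0xFF, 0x00,0x00,         /* frame size 2 GiB */
    'H','e','l','l','o','!' };

int main(void)
{
    char id[5], text[64];
    int n = id3v2_first_frame(SAMPLE_OK, sizeof SAMPLE_OK, id, text, sizeof text);
    printf("ok tag: frame %s, %d bytes: \"%s\"\n", id, n, text);
    printf("overlong tag header -> %d\n",
           id3v2_first_frame(SAMPLE_OVERLONG_TAG, sizeof SAMPLE_OVERLONG_TAG, id, text, sizeof text));
    printf("overlong frame size -> %d\n",
           id3v2_first_frame(SAMPLE_OVERLONG_FRAME, sizeof SAMPLE_OVERLONG_FRAME, id, text, sizeof text));
    return 0;
}
```

The two checks that matter are the comparisons of each declared size against what is actually available (`len - ID3V2_HEADER_LEN` and `h.tag_size - ID3V2_FRAME_HDR`), together with the copy length being capped by the destination rather than by the size field.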

Winamp remote buffer overflow vulnerability — lss.hr

Winamp Version History — winamp.com

* zlib 1.2.3 includes critical security fix

The zlib maintainers have released zlib 1.2.3, which fixes a few small bugs and a security vulnerability that could allow remote code execution. All users of zlib 1.2.1 and/or 1.2.2 are advised by the zlib maintainers to "upgrade immediately" (the security vulnerability is not present in earlier versions of zlib, though the other bugs may be).

zlib code is used very extensively in other applications, either through static or dynamic linking of the official zlib libraries for the appropriate platforms, or through inclusion of (modified forms of) the original code in an application's own code (zlib has liberal licensing terms). The popular Linux and UNIX-ish distributions have shipped suitable update packages (perhaps including back-ports of the patch rather than the new library version), and the official zlib distribution is now available from the zlib home page, linked below.

zlib home page — zlib.net

* Apple AirPort 4.2 update includes important security fix

In the "excitement" of the OS X 10.4.2 update last week, we missed noting that an update for AirPort for both OS X 10.3.x and 10.4.2 had also been released.

AirPort 4.2 fixes a serious flaw in the operation of machines fitted with the original AirPort Card, which could automatically associate with a random, un-trusted network. This flaw does not affect systems with only the AirPort Express cards.

About the security content of the AirPort 4.2 update — apple.com

* JRun 4.0/ColdFusion MX token collision fix

Macromedia has released a JRun 4.0 patch to address an issue whereby JRun can, under high load, produce identical session authentication tokens for two different sessions. This would allow the possible unintended sharing of session information between users. Macromedia claims this cannot be wilfully instigated, so it cannot be used as the basis of a deliberate attack.

All Macromedia products based on the JRun 4.0 server suffer from this flaw, and administrators of systems running these products should obtain and install the JRun 4.0 patch. The products are ColdFusion MX 7.0 Enterprise Multi-Server Edition, ColdFusion MX 6.1 Enterprise with JRun and, of course, JRun 4.0 itself.
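The JRun item is a reminder of the property a session token generator must have: two sessions must never receive the same token, however busy the server is. The following is an added example (my own illustration, not Macromedia's code, and it makes no claim about how JRun derived its tokens) contrasting a token built from the clock plus a per-process counter, which collides when two server processes issue tokens in the same second, with one drawn from the operating system's CSPRNG, and a collision counter to check either generator. It assumes a Unix-like system with /dev/urandom.

```c
/* Added example: clock-derived session tokens collide under concurrent load;
 * CSPRNG-derived tokens do not. Assumes /dev/urandom exists. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define TOKEN_BYTES 16
#define TOKEN_HEX   (2 * TOKEN_BYTES + 1)

/* Weak generator: current second and a counter that every server process starts
 * at zero. Two processes issuing their first token in the same second collide. */
void weak_token(uint32_t per_process_counter, char out[TOKEN_HEX])
{
    uint64_t t = (uint64_t)time(NULL);
    snprintf(out, TOKEN_HEX, "%016llx%016llx",
             (unsigned long long)t, (unsigned long long)per_process_counter);
}

/* Strong generator: TOKEN_BYTES of OS randomness, hex-encoded. Returns 0 or -1. */
int strong_token(char out[TOKEN_HEX])
{
    uint8_t raw[TOKEN_BYTES];
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t n = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (n != sizeof raw) return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    out[2 * TOKEN_BYTES] = '\0';
    return 0;
}

/* Issues n tokens (n <= 256) as if from n freshly started processes and returns how
 * many duplicate an earlier token. Quadratic scan is fine at this size. Returns -1
 * if the CSPRNG could not be read. */
int count_collisions(int use_strong, int n)
{
    enum { MAX_TOKENS = 256 };
    static char toks[MAX_TOKENS][TOKEN_HEX];
    if (n > MAX_TOKENS) n = MAX_TOKENS;
    int dup = 0;
    for (int i = 0; i < n; i++) {
        if (use_strong) {
            if (strong_token(toks[i]) != 0) return -1;
        } else {
            weak_token(0, toks[i]);            /* each "process" starts its counter at 0 */
        }
        for (int j = 0; j < i; j++) {
            if (strcmp(toks[i], toks[j]) == 0) { dup++; break; }
        }
    }
    return dup;
}

int main(void)
{
    printf("weak tokens, 3 concurrent processes: %d collisions\n", count_collisions(0, 3));
    printf("CSPRNG tokens, 200 processes:        %d collisions\n", count_collisions(1, 200));
    return 0;
}
```

The weak generator is not a bug that a later uniqueness check could repair cheaply; the fix is to derive tokens from a CSPRNG with enough entropy (128 bits here) that collisions are not a practical concern, and to keep the per-process state out of the token entirely.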

Security Patch available for JRun 4.0 token collision — macromedia.com
