Sprechen Sie Deutsches? Symbian skulduggery

Although not making much of a splash here, the latest variant in the Sober family, discovered shortly after last week's newsletter was posted out, garnered a deal of attention for its relative success in German-speaking parts of Europe. And, although not self-spreading, and thus not of great concern, the latest Symbian OS malware targeting mobile phones cannot bode well for the future of these devices.

This issue's topics:

Introduction:

* Sober virus, Symbian Trojan; Sun Java, CSA, TWiki critical fixes

Virus News:

* Sprechen Sie Deutsches?

* Symbian skulduggery

Security News:

* Windows 'drop my rights' utility

* Highly critical Sun Java Plugin vulnerability fixed

* Critical Cisco Security Agent update

* Highly critical TWiki patch fixes remote code execution vulnerability

* Oracle default account and password list posted

* Phishing/identity theft

Introduction:

A very brief intro this week...


On the security front, a possibly handy utility was released by Microsoft's top security guru this week. Elsewhere, Sun Java, Cisco CSA and TWiki have critical vulnerabilities that need fairly urgent attention, and Oracle database admins should be carefully checking that a recently released compilation of default Oracle account names and passwords does not open their own installations up to unwanted mischief (or worse). We close the security section with a trio of interesting articles covering the effects of successful phishing operations - perhaps these links may be handy for your in-house security awareness and/or training sessions.

Virus News:

* Sprechen Sie Deutsches?

Of course, a few hours after posting last week's newsletter, a new mass-mailer struck with a vengeance. Win32/Sober.I (or Sober.J to at least one major antivirus developer) was widely distributed, especially in German-speaking parts of Europe. The latter effect is probably due to the relative novelty of 'deutschsprechenden' mass-mailers.

After collecting e-mail addresses for its mass-mailing run, Sober.I checks the last part of the domain name, looking for a match with the country domains of Austria, Germany, Liechtenstein and Switzerland, and also checks the whole address for the sub-string 'gmx'. If any of those checks succeed, the virus sends a message with a German language Subject: line and message body, otherwise it sends English messages.

Beyond this Anglo/Saxon language duality, Sober.I is a fairly typical modern mass-mailer, producing messages in several forms, including the popular apparent e-mail bounce and using many, quasi-randomly generated filenames for its attachments.

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Symbian skulduggery

In case anyone needed more evidence that the increasingly sophisticated and powerful computing capabilities built into newer mobile phones are an attractive target for malware writers, the recent discovery of the SymbOS/Skulls Trojan may do the trick.

Skulls was briefly distributed as an extended theme manager for Nokia 7610 smart phones, in the inventively named 'Extended theme.sis' software installer package. Built to run under the Symbian OS used on many popular phones, Skulls is fairly specific to the Nokia 7610, although there are unconfirmed reports of Skulls working on a few other Nokia phone models.

Skulls is a Trojan, designed to 'kill' most of the extended functionality of its victim phones. It achieves this by installing corrupted, non-working programs as replacements for the standard applications built into the phone's ROM. The original programs are left intact, but Symbian OS will always try to use the 'updated' programs copied to the phone through running the Skulls installer (SIS) file. The Skulls-installed files all have a skull-and-crossbones icon and manual removal of this Trojan can be quite tricky.

As it is not self-distributing, and especially as it does not try to spread from phone to phone, Skulls poses a very low risk.

F-Secure Security Information Center

Network Associates Virus Information Library

Symantec Security Response

Trend Micro Virus Information Center

Security News:

* Windows 'drop my rights' utility

Although it is far from ideal and still a practice that is very strongly recommended against, many system administrators often claim they find themselves in situations where they 'must' log in as administrator (or to an account with similarly elevated privileges) and then run applications that should never be run with such privileges, such as an e-mail client or web browser. To address this 'need', Microsoft security supremo Michael Howard has released a 'drop my rights' utility that allows its user to shed all the elevated privileges an administrator account normally has over and above a 'normal user' account.

Running under DropMyRights, an e-mail program or web browser is somewhat safer: many of the security vulnerabilities in these programs that are exploited to nefarious ends rely on the elevated rights of a typical 'Power User' (or of the administrator-equivalent user that XP Home sets up by default), and by default DropMyRights removes all such elevated rights.

DropMyRights is really a professional system administrator's tool for use on those extremely rare occasions where the benefits of such a tool outweigh the risks. If you do choose to use DropMyRights, don't let it lull you into a false sense of security that it somehow makes it safe to normally run as Administrator and execute your 'user level' applications via DropMyRights. Being logged in as Administrator you still have many administrator-privileged processes running and accessible to whatever code may still inveigle its way onto your machine through those user level applications, thus there are still many routes of exploitation open to a cunning and dedicated potential attacker.

Browsing the Web, Reading E-mail Safely as Administrator - microsoft.com

* Highly critical Sun Java Plugin vulnerability fixed

Sun has released updated Java Plugin packages to address a highly critical flaw that allows JavaScript components of a web page to access private Java packages that are supposed to only be accessible to the JVM internally. Normal Java applets cannot access these packages and among the functions that are exposed by this flaw is the ability to disable the Java Security manager, effectively removing all security limitations that normally comprise the Java sandbox.

All users of Sun Java as a plugin technology in a web browser or the Java SDK should update as soon as possible to remove their potential exposure to this vulnerability. All SDK and JRE releases for Solaris, Linux and Windows in versions 1.3.1_12 and earlier, 1.4.0 and 1.4.1 (all releases), and 1.4.2_05 and all earlier 1.4.2 releases are affected. Sun recommends updating to 1.3.1_13 or 1.4.2_06, both of which fix this vulnerability.

There are currently no known active exploits of this vulnerability, but now the flaw is publicly divulged, it may not be long before such exploits are seen in the wild.

Sun Java Plugin Arbitrary Package Access Vulnerability - idefense.com

Security Vulnerability With Java Plug-in in JRE/SDK - sun.com

* Critical Cisco Security Agent update

Cisco Security Agent (CSA) versions prior to 4.0.3.728 are vulnerable to a specially timed buffer overflow attack, whereby second, and later, buffer overflow attempts will not be handled by CSA's buffer overflow detection and handling code within a five minute time window of the first detected buffer overflow attempt. Remote arbitrary code execution may be possible as a result of suitably timed, multiple buffer overflow attempts.
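To show why the timing matters, here is an added, hypothetical Python model of the failure mode described (it is not CSA's code and makes no claim about CSA's internals): a detection handler whose protective action shares a five-minute de-duplication timer with its alert, beside one that de-duplicates only the alert and blocks every attempt.

```python
from dataclasses import dataclass, field
from typing import List, Optional

WINDOW_SECONDS = 300  # the five-minute window mentioned in the advisory


@dataclass
class SuppressingAgent:
    """Hypothetical flawed design: one timestamp gates both the alert and the
    protective action, so any further overflow attempt inside the window is
    not handled at all."""
    last_seen: Optional[float] = None
    blocked: List[int] = field(default_factory=list)

    def on_overflow(self, pid: int, now: float) -> str:
        if self.last_seen is not None and now - self.last_seen < WINDOW_SECONDS:
            return "ignored"  # the defect: neither blocked nor alerted
        self.last_seen = now
        self.blocked.append(pid)
        return "blocked+alerted"


@dataclass
class CorrectAgent:
    """Hardened design: enforcement never depends on the timer; only the
    noisy alert is rate-limited to one per window."""
    last_alert: Optional[float] = None
    blocked: List[int] = field(default_factory=list)

    def on_overflow(self, pid: int, now: float) -> str:
        self.blocked.append(pid)  # every attempt is stopped
        if self.last_alert is None or now - self.last_alert >= WINDOW_SECONDS:
            self.last_alert = now
            return "blocked+alerted"
        return "blocked"


def replay(agent, events):
    """Feed constructed (pid, seconds) overflow events and return each outcome."""
    return [agent.on_overflow(pid, t) for pid, t in events]


# Constructed timeline: three attempts inside five minutes, a fourth after it.
EVENTS = [(101, 0.0), (102, 60.0), (103, 120.0), (104, 400.0)]

if __name__ == "__main__":
    print(replay(SuppressingAgent(), EVENTS))
    print(replay(CorrectAgent(), EVENTS))
```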

Crafted Timed Attack Evades Cisco Security Agent Protections - cisco.com

* Highly critical TWiki patch fixes remote code execution vulnerability

TWiki is a popular user-managed content management system for collaborative intranet and Internet web projects such as a knowledgebase. Improper quoting of shell metacharacters supplied by a user request in TWiki's search function means that unauthenticated remote users can execute arbitrary shell commands on a server hosting TWiki with the privilege of the web server process.

Patches that apply to all official releases of TWiki are available from the TWiki Security Alert page linked below.
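As an added illustration (not TWiki's code; the wiki files and search terms are constructed), the Python below contrasts the vulnerable pattern the advisory describes, a user-supplied search term interpolated into a shell command line, with a version that hands the term to grep as a separate argument and never invokes a shell.

```python
import os
import subprocess
import tempfile

# Constructed sample wiki topics so the example runs offline.
SAMPLE_PAGES = {
    "WebHome.txt": "Welcome to the intranet wiki.\n",
    "Howto.txt": "How to reset a password.\nHow to request VPN access.\n",
}

# Characters the shell treats specially; a term containing any of these
# can change what the shell executes when the vulnerable pattern is used.
SHELL_META = set(";&|`$<>(){}[]*?!\\\"'\n")


def has_shell_metachars(term: str) -> bool:
    return any(c in SHELL_META for c in term)


def build_shell_command(term: str, topic_dir: str) -> str:
    """Vulnerable pattern: the raw term lands inside a shell string, so a
    quote followed by ';' ends the grep command and starts another one."""
    return f"grep -il '{term}' {topic_dir}/*.txt"


def build_argv(term: str, topic_dir: str) -> list:
    """Hardened pattern: an argv list with no shell. '--' ends option parsing
    so a term beginning with '-' cannot be read as a grep flag."""
    files = sorted(os.path.join(topic_dir, f) for f in os.listdir(topic_dir) if f.endswith(".txt"))
    return ["grep", "-il", "--", term] + files


def search(term: str, topic_dir: str) -> list:
    """Run the hardened search and return matching topic names."""
    proc = subprocess.run(build_argv(term, topic_dir), capture_output=True, text=True)
    return sorted(os.path.basename(p)[:-4] for p in proc.stdout.split())


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE_PAGES.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
        hostile = "x' ; echo INJECTED ; echo '"  # constructed metacharacter term
        return {
            "benign": search("password", d),
            "hostile_literal": search(hostile, d),  # searched as plain text
            "vulnerable_cmd": build_shell_command(hostile, d),
        }
```

The vulnerable command string is only built, never executed, so the reader can see the quote breakout without running it.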

Archived Bugtraq list message - securityfocus.com

TWiki search allows arbitrary shell command execution - twiki.org

* Oracle default account and password list posted

Oracle security specialist Pete Finnigan has collated a list of close to 600 default account names and their respective passwords created during installation and use of various Oracle database products. As this list is now publicly available, anyone running Oracle products included in the list should check that they have changed these default passwords, removed the accounts if they are actually unnecessary for the current installation or use, or taken other suitable measures.

Oracle Default Password List - petefinnigan.com

* Phishing/identity theft

The Washington Post has just run an interesting trio of articles about phishing scams and the associated hassles for victims of the resultant identity theft. Linked below (site requires free registration), these articles are especially interesting because of the included interviews of several victims of such identity theft.

Phishing 'attacks' are growing rapidly, with the Anti-Phishing Working Group reporting that between January and June this year it saw an 800% increase in unique, monthly-reported scams, and a 1200% increase between January and October.

Phishing Feeds Internet Black Markets - washingtonpost.com

Phishing Schemes Scar Victims - washingtonpost.com

Companies Forced to Fight Phishing - washingtonpost.com

Anti-Phishing Working Group home page - antiphishing.org
