A trio of Bagles; Sobig writer named?


This issue's topics:

Introduction:

* Sun Web & App Server, MIME-tools, Archive::Zip patches; Sobig writer named?

Virus News:

* A trio of Bagles...

* Possible Sobig writer named; denies allegations

Security News:

* Patch fixes DoS in Sun Java System Web, and Application, servers

* MIME-tools module updated to fix boundary-handling flaws

* Archive::Zip updated to fix zero-size bypass

* Dozens arrested on identity theft charges

Introduction:

Generally a pretty quiet week, perhaps in preparation for another huge Windows patch-fest following November's 'patch Tuesday' next week?

Sun has released updates for its Java System Web Server and Java System Application Server products to address a denial of service vulnerability, and a couple of Perl modules commonly used in e-mail content-scanning gateways have been updated to fix bugs in their handling of some unusual border cases. We close the security section with news of the arrests of dozens of people on identity theft and related fraud charges, following a US Secret Service investigation that ran for more than a year...

On the virus front, three new Bagles erupted on the scene last week, two of them much more 'successful' than usual. The week also saw the unusual step of an anonymous person or group posting a very detailed account of their reasons for suspecting an individual, named in the report, of writing a high-profile virus from last year: Sobig.

Virus News:

* A trio of Bagles...

Late last Friday, shortly after the previous issue of the newsletter was posted, a new Bagle variant was isolated. As Friday evening unfolded into the small hours of Saturday morning, it transpired that this variant - Bagle.AP, also known by a bunch of other names (need we remind you of the huge mess that is virus naming?) - was in fact the first of three released in quick succession...

Bagle.AP is possibly a 'test release', as it searches only one very limited location (the 'C:\Emails' directory) for further victim e-mail addresses. As this directory is not part of any default Windows installation, it is unlikely that many machines on which this variant ran would have sent any further copies of the virus out.

Bagle.AQ and Bagle.AR, however, have been very successful, becoming two of the most widely seen viruses of the last week. There is nothing particularly notable or different in their modus operandi compared with earlier variants or other recent, but generally unsuccessful, mass-mailing viruses. Normal e-mail safety procedures (chiefly, not running unexpected executable attachments) should have protected anyone from these viruses, so although huge numbers of samples are clearly being posted, it is unlikely that many folk have actually fallen victim to them.

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Possible Sobig writer named; denies allegations

An anonymous person or group has posted a .PDF file outlining their suspicions as to the identity of the writer of the Sobig virus. The Sobig family has six variants, released sequentially from Sobig.A in late January 2003 through to Sobig.F in mid-August 2003. It has been widely believed for some time that Sobig was written by a spammer, or by someone providing a network of e-mail proxies and relays to one or more spammers.

The anonymous report fingers Ruslan Ibragimov, owner of the Russia-based bulk e-mail software vendor Send-Safe. Ibragimov has strongly denied all claims that he or his company were involved in Sobig's development and release. His anonymous accusers point to large amounts of identical binary code in versions of Send-Safe and Sobig. They also document that surprisingly many new versions of Send-Safe were released 'coincidentally' with new Sobig variants, and that techniques first introduced in one program soon turned up in the next release of the other. Shared code and matching release timing are circumstantial evidence of authorship rather than proof of it.

Who Wrote Sobig - geocities.com (~300 KB PDF)

Russian Denies Authoring "SoBig" Worm - oreillynet.com

Security News:

* Patch fixes DoS in Sun Java System Web, and Application, servers

Sun has announced that malformed client certificates can be used to mount a remote denial of service attack against its Java System Web Server 6.0 and 6.1, and Java System Application Server 7 products.

Various service packs and updates have been made available to correct this in the affected products; full details and links to the appropriate downloads are in Sun's security advisory, linked below.

DoS in Sun Java System Web and Application Server Products - sun.com

* MIME-tools module updated to fix boundary-handling flaws

MIME-tools is a Perl module for handling MIME-encoded messages. It is used by some popular content-scanning gateways and in many 'roll your own' e-mail content filters. MIME-tools 5.414 and earlier mishandle empty boundary strings (a multipart Content-Type header with boundary=""), and some self-mailing viruses have been seen using such a boundary separator, which makes this exactly the case a content filter must get right.

MIME-tools 5.415 has been released to address this; a brief explanation of the update (and a diff to patch against 5.414) is included in a message to the MIME-tools mailing list, archived at roaringpenguin.com. Several Linux distributions that include MIME-tools have also already released update packages.
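As an added illustration (Python, not MIME-tools' own code, and a different approach from the 5.415 fix: a check performed before the message reaches the multipart parser rather than a correction inside it), here is a gateway-side validator that refuses to trust the parser when the boundary parameter is empty or otherwise breaks the RFC 2046 grammar, and fails closed instead. The message samples, header names and verdict strings are constructed for the example.

```python
"""Added example (not MIME-tools code): validate a multipart boundary
before a message reaches the MIME parser, and fail closed when it is
malformed, so an empty boundary cannot leave the filter with no parts to scan."""
import email
import re

# RFC 2046 section 5.1.1: a boundary is 1 to 70 characters drawn from
# this alphabet (plus space), and its last character must not be a space.
_BCHARS_NOSPACE = r"0-9A-Za-z'()+_,\-./:=?"
_BOUNDARY_RE = re.compile(
    r"^[" + _BCHARS_NOSPACE + r" ]{0,69}[" + _BCHARS_NOSPACE + r"]$")


def is_valid_boundary(boundary):
    """True only for a boundary that satisfies the RFC 2046 grammar."""
    return bool(_BOUNDARY_RE.match(boundary))


def classify(raw_message):
    """Return (verdict, reason). 'pass' hands the message to the multipart
    parser; 'quarantine' means the gateway should treat the whole body as one
    opaque blob to scan (or reject the message) rather than trust the parser."""
    msg = email.message_from_string(raw_message)
    if msg.get_content_maintype() != "multipart":
        return "pass", "not multipart"
    boundary = msg.get_boundary()  # None when the parameter is absent
    if boundary is None:
        return "quarantine", "multipart without a boundary parameter"
    if not is_valid_boundary(boundary):
        return "quarantine", "boundary %r violates RFC 2046" % boundary
    return "pass", "boundary well formed"


# Constructed messages, not real samples.
PLAIN = "Content-Type: text/plain\n\nhello\n"
GOOD = ("Content-Type: multipart/mixed; boundary=\"=_Part_001\"\n\n"
        "--=_Part_001\nContent-Type: text/plain\n\nhello\n--=_Part_001--\n")
# The shape a self-mailing virus with an empty boundary takes: bare '--' lines.
EMPTY = ("Content-Type: multipart/mixed; boundary=\"\"\n\n"
         "--\nContent-Type: application/octet-stream\n\nQ29uc3RydWN0ZWQ=\n----\n")
NO_PARAM = "Content-Type: multipart/mixed\n\n--x\n\nbody\n--x--\n"
LONG = "Content-Type: multipart/mixed; boundary=\"%s\"\n\nbody\n" % ("a" * 71)

if __name__ == "__main__":
    for label, sample in [("plain", PLAIN), ("good", GOOD), ("empty", EMPTY),
                          ("no-param", NO_PARAM), ("long", LONG)]:
        print(label, classify(sample))
```

The point of the 'quarantine' verdict is that the decision does not depend on how any particular parser reacts to the odd boundary: whatever MIME-tools, Python's email package or a commercial scanner would make of it, the gateway scans the raw body as a whole or rejects the message, rather than scanning only the parts a confused parser happens to produce.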

MIME-tools home page - cpan.org

Patch for MIME-tools - roaringpenguin.com

* Archive::Zip updated to fix zero-size bypass

Last week we reported that several commercial antivirus products could be tricked into skipping the contents of a ZIP archive whose internal directory structures declare (some) contained files' lengths as zero bytes: a scanner that trusts those declared lengths finds nothing to scan. This prompted checks of several other ZIP-handling programs, including the Perl module Archive::Zip, which was found to have the same vulnerability.

As Archive::Zip is used in several popular e-mail content and virus scanners (e.g. Amavisd) and in many custom ones, this flaw could also lead to such systems skipping the scanning of specially malformed ZIP archives. Several popular distributions ship Amavisd and have already produced update packages, and of course an updated module is available from CPAN.
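An added example (Python, not Archive::Zip's code nor the original advisory's proof of concept) showing the bypass mechanically: build a deflated archive in memory, zero the size fields the way the malformed archives did, then compare a reader that trusts the directory with one that inflates the stream itself and reports the mismatch. The member name and payload are constructed; the example zeroes both the compressed and uncompressed size in both the local header and the central directory entry.

```python
"""Added example (not Archive::Zip code): a ZIP whose headers claim
zero-length members. A reader that trusts the size fields sees empty
files; one that inflates the stream itself sees the real payload."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"

# Constructed stand-in for an executable a gateway must not miss.
PAYLOAD = b"MZ constructed test payload - a scanner should see this " * 3


def build_zip(name, data):
    """Build a well-formed, deflated single-member archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def zero_sizes(blob):
    """Mimic the malformed archives: set compressed and uncompressed sizes
    to 0 in the local header (offset 18) and the central directory entry
    (offset 20), leaving the deflate stream itself untouched. Signature
    search is adequate for this single-member archive."""
    b = bytearray(blob)
    struct.pack_into("<II", b, b.find(LOCAL_SIG) + 18, 0, 0)
    struct.pack_into("<II", b, b.find(CENTRAL_SIG) + 20, 0, 0)
    return bytes(b)


def _cd_offset(blob):
    """Central directory offset, taken from the end-of-central-directory record."""
    eocd = blob.rfind(EOCD_SIG)
    return struct.unpack_from("<I", blob, eocd + 16)[0]


def _central_entries(blob):
    """Yield (name, method, csize, usize, data_start) for each member."""
    pos = _cd_offset(blob)
    while blob[pos:pos + 4] == CENTRAL_SIG:
        method, = struct.unpack_from("<H", blob, pos + 10)
        csize, usize, nlen, xlen, clen = struct.unpack_from("<IIHHH", blob, pos + 20)
        lhoff, = struct.unpack_from("<I", blob, pos + 42)
        name = blob[pos + 46:pos + 46 + nlen].decode("utf-8")
        lnlen, lxlen = struct.unpack_from("<HH", blob, lhoff + 26)
        yield name, method, csize, usize, lhoff + 30 + lnlen + lxlen
        pos += 46 + nlen + xlen + clen


def naive_members(blob):
    """The vulnerable pattern: read exactly the csize bytes the directory
    declares. With both sizes zeroed there is nothing to scan."""
    out = {}
    for name, method, csize, usize, start in _central_entries(blob):
        raw = blob[start:start + csize]
        out[name] = zlib.decompress(raw, -15) if method == 8 and raw else raw
    return out


def hardened_members(blob):
    """Ignore the claimed sizes: inflate from the data start until the deflate
    stream's own end marker, then compare with the directory and report every
    mismatch so the gateway can fail closed on the whole archive."""
    out, findings = {}, []
    cd_off = _cd_offset(blob)
    for name, method, csize, usize, start in _central_entries(blob):
        if method != 8:  # only deflate is handled here; anything else is suspect
            findings.append("%s: compression method %d not handled" % (name, method))
            continue
        d = zlib.decompressobj(-15)
        data = d.decompress(blob[start:cd_off])
        actual_csize = (cd_off - start) - len(d.unused_data)
        if not d.eof:
            findings.append("%s: truncated deflate stream" % name)
        if (csize, usize) != (actual_csize, len(data)):
            findings.append("%s: header claims %d/%d bytes, stream holds %d/%d"
                            % (name, csize, usize, actual_csize, len(data)))
        out[name] = data
    return out, findings


if __name__ == "__main__":
    evil = zero_sizes(build_zip("invoice.exe", PAYLOAD))
    print("naive reader sees:", naive_members(evil))
    print("hardened reader sees:", hardened_members(evil))
```

The design choice worth copying into a real gateway is the last one: any disagreement between what the headers declare and what the stream actually yields is a finding in its own right, and an archive with findings is quarantined or rejected rather than passed on with whatever members happened to decode.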

Archive::Zip home page - cpan.org

* Dozens arrested on identity theft charges

The US Secret Service has arrested dozens of people on identity theft and related charges following an investigation of several underground groups accused of running web sites that traded in counterfeit and stolen credit card details. The stolen identity information, and the tools to commit fraud with it, were traded through various web sites by individuals not just from the United States but also from Bulgaria, Belarus, Poland and other European countries.

Secret Service busts online organized crime ring - computerworld.com
