Vesser, Doomjuice, DoomHunter - What next?


This issue's topics:

Introduction:

* Three Windows updates; Sophos AV & Mutt updates; marching on Mydoom

Virus News:

* Vesser, Doomjuice, DoomHunter - What next?

* PayPal 'phisher' pleads guilty

Security News:

* Virtual PC for Mac updated to fix privilege elevation

* WINS server patch fixes remote code execution vulnerability

* Remote code execution flaw in Microsoft ASN.1 parser fixed

* Sophos antivirus security fix

* Mutt update fixes exploitable buffer overflow

Introduction:

Following Microsoft's out-of-sync critical update for IE last week, Redmond resumed normal transmission as soon as possible. As this week included the second Tuesday of the month, that meant more patches this week - in fact, three Windows security patches. Some commentators have suggested that the ASN.1 patch, which is rated 'critical' on all affected OSes (all NT-based OSes), is 'the next RPC DCOM', referring to the large number of potentially vulnerable machines and the fact that the vulnerability is a buffer overflow that is remotely exploitable to run arbitrary code with full system privileges. (For those with short memories, the RPC DCOM patch of MS03-026 was the palliative that too many administrators did not get installed in the six weeks between the patch's release and the initial distribution of the Blaster worm.)

Microsoft's other two patches are of lower criticality, but the local privilege escalation in Virtual PC for Mac may be of greater concern to Mac administrators than Microsoft has suggested.

Elsewhere, UK antivirus developer Sophos (Who? Not heard of them? They focus on the corporate and institutional market.) has advised its users of flaws in the handling of e-mail messages with certain malformed MIME headers, which can cause its virus scanner to miss attachments to messages, and the popular Unix-ish e-mail client Mutt has been updated to fix a critical security flaw that could result in execution of arbitrary code.

On the virus front, the veritable army of Mydoom-infected machines, all sitting there waiting for 'upgrade with this' orders, was too much temptation for some other malware writers, and we have seen several worms that depend for their spread on Mydoom's 'private militia'. There's also some heartening news on the legal crackdown against those running phishing scams.

Virus News:

* Vesser, Doomjuice, DoomHunter - What next?

Following the huge 'success' of Mydoom (whose 12 February 'drop-dead' date should, about now, be putting quite a hole in the level of Mydoom viruses stopped by e-mail gateway scanners around the world), it should not be surprising that other malware has been developed to take advantage of the virtual army of Mydoom 'drones' out there.

For, aside from its now infamous mass-mailing routine, Mydoom had another interesting feature - it installed a simple backdoor that would act as a network traffic proxy or, if probed with just the right 'magic words', it would accept a program from the 'sending end' of the network communication, write to a file and execute it. When initially discovered it was assumed this was included as a path to allow direct, network-borne updating of the initial Mydoom variant when its writer had an 'improved' version to release. And, in fact, Mydoom.B did try to use just this mechanism to supplement its e-mail based spread.

Over the course of this last week we have seen several things spread through this Mydoom backdoor. First was Vesser (also known as Deadhat) which spread both through 'normal' P2P distribution methods using Soulseek and through the Mydoom backdoor. Next was Doomjuice, which may have been the most successful to date, and was interesting for its practice of dropping archived, compressed copies of the full source code to Mydoom.A. Doomjuice.A was followed by a second, much smaller variant that did not drop the Mydoom source code and that refined its DoS attack against www.microsoft.com to make it harder for server-side filtering at Microsoft to simply ignore Doomjuice URL requests.

Most recently, overnight we saw DoomHunter start to spread. DoomHunter is interesting as it is an 'anti-worm', spreading only to machines susceptible to accepting its advances through the Mydoom upload mechanism. When run on a Mydoom-infected machine (which happens after the download completes, as a standard part of the Mydoom update mechanism), it kills Mydoom processes in memory, deletes Mydoom files and registry entries, then installs itself to listen on Mydoom's primary port and to run at every system startup. If anything probes it on that port, it tries to spread to the probing machine on the same port by sending a copy of itself, on the assumption that the probe most likely came from a Mydoom-infected machine. This sets DoomHunter apart from most other anti-worms we have seen in that it does not actively scan the network for potential targets but waits, much as a honeypot machine does, to be 'attacked'. It is still an automated mechanism that makes changes to a system without the user's authorization, so detection of it will likely be added to most virus scanners in their next regular update.

We have linked to descriptions of Doomjuice, as perhaps the most 'successful' of these Mydoom piggybackers, and where available the second link per AV developer is to their DoomHunter description.

Computer Associates Virus Information Center - Doomjuice.A

Computer Associates Virus Information Center - DoomHunter.A

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center - Doomjuice.A

Trend Micro Virus Information Center - DoomHunter.A

* PayPal 'phisher' pleads guilty

The Register has reported the case of twenty year old Minnesotan, Scott Papierniak, who pleaded guilty to wire fraud charges. The charges arose from Papierniak's involvement in a 'phishing scam' that attempted to obtain PayPal user credentials via bogus 'security alerts' that directed the victims to a web site run by Papierniak.

Speculation in The Register article about links between these scams and various Mimail virus variants is likely a red herring. Antivirus researchers quizzed about such links suggested that the common misuse of the word 'virus' for 'something bad related to a computer' may have contributed to a misunderstanding. Further, The Register's claim that Papierniak 'ran the scams for nearly two years until he was caught in September 2003' is also rather counter-indicative of Mimail involvement, as the first Mimail variant (Mimail.A) was released in early August last year and the first Mimail variant to incorporate a PayPal phishing scam component was Mimail.I, released in mid-November, by which time Papierniak had been arrested and was presumably incarcerated or, if released on bail, unlikely to be up to his old tricks.

PayPal virus writing scammer scumbag pleads guilty - theregister.co.uk

Security News:

* Virtual PC for Mac updated to fix privilege elevation

A vulnerability in the handling of temporary files by Microsoft's Virtual PC for Mac emulator provides a privilege elevation opportunity to a Mac user with local logon privileges. Appropriate exploitation of this vulnerability could give an attacker full system privileges. Because of the need for local logon privileges for an attacker to exploit this flaw, Microsoft rates the vulnerability as being of 'important' severity. Updates for Virtual PC for Mac versions 6.0, 6.01, 6.02 and 6.1 have been released and links to their download locations are available from the Microsoft security bulletin linked below.

Microsoft Security Bulletin MS04-005

* WINS server patch fixes remote code execution vulnerability

Microsoft has released a patch for its Windows Internet Naming Service (WINS) server products. Specifically, NT Server & Terminal Server, Windows 2000 Server and Windows Server 2003 are affected. 'Workstation' versions of NT and Windows 2000, and Windows XP, are not affected. The vulnerability is due to a buffer overflow and is rated of low severity on all affected platforms apart from Windows Server 2003, where it gets a rating of 'important'. Patches for all affected OSes are available and Microsoft recommends their installation. The security bulletin also describes some workarounds and firewalling considerations that can greatly reduce an enterprise's exposure to this vulnerability.

Microsoft Security Bulletin MS04-006

* Remote code execution flaw in Microsoft ASN.1 parser fixed

All NT-based versions of Windows are potentially vulnerable to a buffer overflow in Microsoft's ASN.1 (Abstract Syntax Notation 1) library, 'msasn1.dll'. Microsoft rates the vulnerability as 'critical' on all affected platforms (NT, Windows 2000, XP and Server 2003) and further suggests that servers may be more likely vulnerable as they are more likely to be running the kinds of processes that require ASN.1 support and to have network listeners with such dependencies open.

Although there are no currently known exploits of this vulnerability, the potential for a successful exploit to run arbitrary code with full system privileges and the huge number of potentially vulnerable machines must make this a very attractive target for 'the hacker underground'.

A similar vulnerability was at the heart of the Blaster worm outbreak. In Blaster's case, within approximately six weeks of the patch being released several 'proof of concept' exploits had been released and successively refined to the point where the code could easily be incorporated into the core distribution mechanism of a network worm and such a worm was written and released. In retrospect, at that point in time clearly far too many machines had not been patched. Hopefully, should a worm exploiting this latest hole also be developed and released, this time enough folk will have updated...
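The eEye advisory titles linked below describe the ASN.1 bug class as a length overflow. As an added illustration (not code from the newsletter, from eEye, or from Microsoft's msasn1.dll), here is a bounds-checked reader for one BER/DER tag-length-value header: the declared length is validated against the bytes actually present before any caller can use it to size or fill a buffer. The sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* Added example, not the newsletter's or msasn1.dll's code: decode one
 * BER/DER tag-length-value header.  The bug class is a length field
 * trusted before it is compared with the input actually available, so
 * every step here checks the declared length against what remains. */
typedef struct {
    uint8_t tag;      /* single-octet tag (high tag numbers rejected) */
    size_t hdr_len;   /* octets consumed by tag + length encoding */
    size_t len;       /* declared content length, already validated */
} tlv_t;

/* Returns 1 on success; 0 if the header is truncated, non-DER, or
 * claims more content than remains in the buffer. */
int ber_read_tlv(const uint8_t *buf, size_t avail, tlv_t *out)
{
    if (buf == NULL || out == NULL || avail < 2)
        return 0;
    if ((buf[0] & 0x1f) == 0x1f)      /* multi-octet tag: unsupported */
        return 0;
    size_t pos = 2, len = 0;
    uint8_t first = buf[1];
    if (first == 0x80)                /* indefinite length: not DER */
        return 0;
    if (first < 0x80) {
        len = first;                  /* short form */
    } else {
        size_t n = first & 0x7f;      /* long form: n length octets follow */
        if (n == 0 || n > sizeof(size_t) || n > avail - pos)
            return 0;                 /* would overflow size_t or run off buffer */
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[pos++];
        if (len < 0x80)
            return 0;                 /* DER: should have used short form */
    }
    if (len > avail - pos)            /* the check a trusting parser skips */
        return 0;
    out->tag = buf[0];
    out->hdr_len = pos;
    out->len = len;
    return 1;
}
/* Constructed samples: a SEQUENCE claiming 0xFFFFFFFF content octets with
 * only one octet present, and a well-formed INTEGER 5. */
static const uint8_t hostile[] = {0x30, 0x84, 0xff, 0xff, 0xff, 0xff, 0x05};
static const uint8_t benign[] = {0x02, 0x01, 0x05};
int hostile_rejected(void) { tlv_t t; return !ber_read_tlv(hostile, sizeof hostile, &t); }
size_t benign_content_len(void) { tlv_t t; return ber_read_tlv(benign, sizeof benign, &t) ? t.len : 0; }
```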

Security researchers at eEye Digital Security discovered part of this flaw about six months ago and a related flaw a couple of months later. Their advisories describing some of the technical details of those discoveries are linked below, along with the usual Microsoft security bulletin.

Microsoft ASN.1 Library Length Overflow Heap Corruption - eeye.com

Microsoft ASN.1 Library Bit String Heap Corruption - eeye.com

Microsoft Security Bulletin MS04-007

* Sophos antivirus security fix

UK-based antivirus developer Sophos is warning users that Sophos Anti-Virus version 3.78 has a MIME parsing bug that can drop the scanner into an infinite loop while scanning certain 'malformed' MIME message structures. A fix to remove this potential denial of service has been released. Another problem, due to a combination of events related to an option in the qmail SMTP server affecting how it generates Delivery Status Notification messages ('bounces' and the like), means that copies of some virus-carrying e-mails bounced by qmail will be missed by Sophos Anti-Virus if it is used to scan such e-mail messages (decoded copies of the virus extracted from such messages are still detected by the scanner).

Sophos Anti-Virus version 3.78d has been released to address both issues and links to the released versions for the various OS platforms Sophos supports are available in the company's advisory linked below.

Advisory: Sophos Anti-Virus 3.78 MIME handling - sophos.com

* Mutt update fixes exploitable buffer overflow

Mutt, the popular Unix-ish e-mail client, has been updated to version 1.4.2 to fix a buffer overflow that can be triggered while processing incoming messages. The overflow is known to be exploitable to crash Mutt and may allow execution of arbitrary code. Users of previous versions are advised to upgrade as soon as practicable, as spam triggering the overflow has been reported.

Many Linux distributions that include Mutt have already shipped update packages and the rest should be expected to follow suit. Hard-core users may prefer downloading the source distribution and building from scratch.

Mutt home page - mutt.org
