Mydoom virus; IE fix on the way


This issue's topics:

Introduction:

* Mydoom virus; IE fix on the way; Gaim, MAILsweeper, OS X updates

Virus News:

* (My)doom and gloom settles over PC users

Security News:

* MS to fix IE URL obfuscation issue - sometime...

* Multiple buffer overflows fixed in Gaim, Ultramagnetic

* MAILsweeper for SMTP DoS fixed

* Multiple security fixes for Mac OS X

Introduction:

Mydoom, the latest Windows mass-mailer, had a massive effect on computer systems around the world, even those not running Windows. The sheer volume of e-mail traffic generated by the worm itself, by the torrent of bounces as it tried to deliver to innumerable bad or broken addresses, and by the rejection messages from legions of e-mail virus scanners had a noticeable impact on general Internet traffic in many places.

Although we say in the item below that Mydoom has no apparently new features (which is quite true from a technical perspective), an aspect of its social engineering may provide an interesting commentary on computing in general. You see, it has been suggested that the virus' success is due to the fact that many of its messages are crafted as if, or to give the impression that, something broke during the message's transmission. Perhaps it is a commentary on the fragility of contemporary computer systems that folk are more prepared to believe a dodgy e-mail message is evidence that something broke than that they may be being scammed?

Other than Mydoom, it has been a fairly quiet week again. Users of Gaim, MAILsweeper for SMTP and/or Mac OS X should check the relevant items describing security updates for those products, and Windows users may be interested to hear that Microsoft is looking into URL obfuscation issues in IE that help identity thieves in their 'phishing' scams...

Virus News:

* (My)doom and gloom settles over PC users

Perhaps last week's effort from Bagle was just a softener...

For the early part of this week, the mass-mailer Mydoom was on the rampage, and some rampage it was! Although not strictly comparable from event to event because of the continually increasing size of its userbase, detection figures from UK e-mail ASP MessageLabs show their e-mail virus scanning service stopped more e-mail messages carrying Mydoom in the first 24 hours of the outbreak than for the same period in any previous outbreak.

In the first 24 hours of the Sobig.F outbreak - the previous holder of this dubious title - MessageLabs stopped around one million Sobig.F messages. On 26 January and overnight through the early morning of 27 January, they stopped 1.2 million copies of Mydoom and at the height of the Mydoom traffic surge one in twelve messages processed by MessageLabs carried a copy of Mydoom.

Mydoom itself is actually pretty ordinary. It doesn't contain any new or apparently devious or otherwise useful tricks, and technically is a fairly standard mass-mailer. It collects possible e-mail addresses from a wide range of file types on its victims' machines, uses its own SMTP code rather than relying on Outlook or some other e-mail client on the user's machine, and forges the sender information.

A less common feature, perhaps responsible for pushing up the number of Mydoom e-mail messages recorded, is its inclusion of a short list of common 'user' parts of e-mail addresses (i.e. the name to the left of the '@' character in an e-mail address). Mydoom uses this list to 'brute force' additional possible target addresses at each domain it finds in its e-mail address search. Most e-mail relays have to accept all such e-mail messages as they have no idea of the list of users acceptable to the server on whose behalf they are accepting e-mail. Services such as that provided by MessageLabs are inevitably set up as such relays, so they can 'intercept' all e-mail intended for their clients' e-mail servers.

Mydoom also includes a 'spread via the Kazaa P2P network' feature, but again, this is not unusual these days. For more technical details on the virus' operation, read the various technical descriptions from the antivirus developer pages linked below.

Aside from spreading via e-mail, which it did very effectively, the first variant of the family, Mydoom.A, targets the SCO Group's www.sco.com web site for a distributed denial of service (DDoS) attack. This is set to run from 1 through 12 February with all still active and online copies of the virus firing repeated requests to that server for its home page. Because of the potential of this attack, SCO has offered a bounty of US$250,000 for information leading to the arrest and prosecution of the person or people responsible for writing and releasing the virus.

Following the rapid and massive spread of Mydoom.A, a second variant named Mydoom.B was discovered. Despite early reports of it starting to spread by e-mail, there have been very few confirmed reports of this variant 'in the wild'. Mydoom.B changes the focus of its DDoS attack to Microsoft and adds some further wrinkles, such as blocking access to many security and antivirus web sites, but again, there is nothing new or technically interesting in this variant.

Of course, the antivirus industry would not be what it is if it did not use a few different names for the same thing. So, although we have presented this report using the 'official' name (i.e. the name most widely agreed upon among professional antivirus researchers), the virus has also been referred to as SCO, Novarg and Mimail.R. It is clearly not a Mimail variant, and the Mimail.R name (originally used by Trend Micro for Mydoom.A) should not be confused with Symantec's use yesterday of Mimail.R for the next real Mimail variant; it has been agreed to call the latter Mimail.S.

Mydoom passes Sobig.F to become fastest spreading virus - messagelabs.com

SCO Offers Reward For Arrest And Conviction Of Mydoom Author - sco.com

Computer Associates Virus Information Center (mydoom_a)

Computer Associates Virus Information Center (mydoom_b)

F-Secure Security Information Center (mydoom_a)

F-Secure Security Information Center (mydoom_b)

Kaspersky Lab Virus Encyclopedia (mydoom_a)

Kaspersky Lab Virus Encyclopedia (mydoom_b)

Network Associates Virus Information Library (mydoom_a)

Network Associates Virus Information Library (mydoom_b)

Sophos Virus Info (mydoom_a)

Sophos Virus Info (mydoom_b)

Symantec Security Response (mydoom_a)

Symantec Security Response (mydoom_b)

Trend Micro Virus Information Center (mydoom_a)

Trend Micro Virus Information Center (mydoom_b)

Security News:

* MS to fix IE URL obfuscation issue - sometime...

Diligent readers will recall that late last year we warned of the use of URLs that include 'user information' fields (normally used for user authentication to 'sensitive' URLs) in so-called 'phishing' scams. In particular, we were concerned at a new twist on that trick which depended on a bug in IE and Mozilla whereby the full URL would not be displayed in the browser's address and/or status bars.

Since then several industry commentators have been quite critical of Microsoft's apparent lack of action on these issues, especially as several large phishing scams over the Christmas period utilized the first and, increasingly, the second trick. Microsoft is aware of and working on at least the user information approach to URL obfuscation as indicated in a just-released KnowledgeBase article.

This KB article (linked below) is clearly aimed at developers who may have functionality dependent on the previously documented behaviour of the APIs Microsoft is now altering. The article is oddly silent on the fact this change will actually bring IE into line with the RFC that defines HTTP URL syntax (RFC 2616, section 3.2.2, also linked below). Specifically, that syntax denies a role for user information data in HTTP URLs whereas, since version 3.0, IE has taken the more liberal but non-compliant approach of accepting HTTP URLs that fit the generic URI syntax which does allow for a user information field.

Anyway, there is no mention of whether Microsoft is also working on fixing the other issue (the display truncation of URLs containing certain non-printable characters), which is an outright bug. There is also no indication of when Microsoft plans to release an IE update or patch that includes fixes for these URL obfuscation issues.
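As an added illustration (not from the original newsletter, Microsoft or the RFC), the following Python check applies the rule discussed above to a few constructed URLs: for http and https, an '@' in the authority part means everything before it is user information rather than the site name, and percent-decoded control characters in the authority are the second warning sign. The hostnames are made up.

```python
from urllib.parse import urlsplit, unquote


def audit_http_url(url: str) -> dict:
    """Report whether an http/https URL carries a user-information field
    or control characters in its authority part, the two URL obfuscation
    tricks discussed above. Returns the host a client would really connect
    to, the user-information text (if any) and the reasons for suspicion."""
    parts = urlsplit(url)
    reasons = []
    if parts.scheme.lower() not in ("http", "https"):
        # Other schemes (ftp, for instance) may legitimately use userinfo,
        # so only HTTP URLs are judged against RFC 2616 here.
        return {"actual_host": parts.hostname, "userinfo": None,
                "reasons": reasons, "suspicious": False}
    userinfo = None
    if "@" in parts.netloc:
        # Text left of the last '@' is user information, not the site name,
        # but it is what a reader skimming the address bar tends to see.
        userinfo = parts.netloc.rsplit("@", 1)[0]
        reasons.append("user information present; RFC 2616 section 3.2.2 "
                       "gives it no role in HTTP URLs")
    decoded = unquote(parts.netloc)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        reasons.append("control character(s) in authority part; can "
                       "truncate the displayed URL in affected browsers")
    return {"actual_host": parts.hostname, "userinfo": userinfo,
            "reasons": reasons, "suspicious": bool(reasons)}


# Constructed sample URLs (hostnames invented for this example).
SAMPLE_URLS = [
    "https://www.example-bank.com/login",
    "http://www.example-bank.com@evil.example/login",
    "http://www.example-bank.com%01@evil.example/login",
    "ftp://anonymous@ftp.example.org/pub/",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        report = audit_http_url(sample)
        flag = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(f"{flag:10} host={report['actual_host']!s:20} {sample}")
        for reason in report["reasons"]:
            print(f"{'':10}   - {reason}")
```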

MS to fix IE's handling of user information in URLs - microsoft.com

RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1 - ietf.org

* MAILsweeper DoS fixed

A flaw in its handling of certain RAR archive files can cause a denial of service in ClearSwift's MAILsweeper for SMTP. Registered users can obtain the necessary 'Technology Update' from a link at the URL below.

MAILsweeper for SMTP RAR Attachment DoS Vulnerability - clearswift.com

* Multiple security fixes for Mac OS X

Apple has released a raft of security fixes for Mac OS X and Mac OS X Server. Brief descriptions of the fixes and the OS versions affected are available in Apple's security update document linked below. Security researchers at @stake have also described a local root privilege escalation flaw in OS X that is claimed to be fixed in the same bundle of security updates (but a quick skim through the Apple document did not reveal specific mention of this to your newsletter compiler). According to @stake, the TruBlueEnvironment component of the MacOS Classic emulator runs as root and is susceptible to a locally exploitable buffer overflow that can allow any user to run arbitrary code as the root user. The @stake advisory (also linked below) provides a permissions-based workaround should installing the security update not be immediately feasible.

TruBlueEnvironment Buffer Overflow - atstake.com

Apple Security Updates - apple.com

* Multiple buffer overflows fixed in Gaim, Ultramagnetic

Stefan Esser, a security researcher at the German web developers e-matters, has discovered multiple buffer overflows in Gaim, many of which are remotely exploitable to run arbitrary code of an attacker's choice. Gaim is a popular cross-platform, multi-protocol instant messaging client. Ultramagnetic is a development fork from the Gaim codebase and also suffers these same vulnerabilities.

Although the fixes for these overflows are known, the Gaim CVS has not been updated due to pressing bug fixes for a recent Yahoo! messaging service change. Several Linux and other Unix-like distributions have shipped updated Gaim packages for their platforms. An alternative approach would be to apply source code diffs from the FreeBSD security team to your Gaim source and rebuild. Links to the FreeBSD patch are available in the e-matters security advisory and from Gaim's home page (both linked below).

Gaim client versions 0.75 and earlier, and Ultramagnetic versions prior to 0.82 are affected and should be updated or the code patched and recompiled as soon as practicable.

12 x Gaim remote overflows - e-matters.de

Gaim home page - sourceforge.net

Ultramagnetic home page - sourceforge.net
