Bagle outbreak, MBSA and Honeyd updates


This issue's topics:

Introduction:

* Bagle outbreak, MBSA and Honeyd updates

Virus News:

* Hot cross Bagle

* A horse ate my homework!

Security News:

* New Microsoft Baseline Security Analyzer released

* Fix for unintended remote Honeyd detection

Introduction:

It has been a very quiet week this week -- well, apart from the year's first notable virus outbreak! There have been no major security updates, and really only the Bagle virus story to report. Although few of our readers are likely to be running the Honeyd honeypot, any that are should pay special attention to the item announcing an updated version, and Windows security admins should also be interested in the latest release of MBSA.

Virus News:

* Hot cross Bagle

Unless you have just crawled out from under a rock, or are freshly returned from holiday in one of the more remote areas, you must have heard that the first widespread computer virus 'epidemic' of 2004 struck earlier this week. Although most anti-virus vendors called it Bagle, at least one of the large vendors dubbed it Beagle, but this is nowhere near as bad a name divergence as we have seen recently.

Aside from its 'successful' distribution, the only notable thing about Bagle is that it does not seem to have any especially notable features. It does not send cunningly crafted HTML e-mails that look as if they came from Microsoft security and that claim the attachment is a necessary, critical security update for Windows, nor does it make any other sophisticated social engineering attempts. In fact, 'banal' would probably be the best description of its e-mail, consisting simply of a Subject: line of 'Hi' and a very short message that effectively, but not literally, says 'This is a test'.

Levels of the virus being mailed around seem to have dropped significantly in the last 24 to 36 hours, suggesting the epidemic has all but burned out. The virus has a built-in drop-dead date of 28 January, which has prompted many to suggest that it is 'similar to' the biggest virus news story of 2003 - Sobig. However, apart from the drop-dead date (which is not that uncommon a feature), Bagle has little in common with Sobig, although it too was coded to download a possible updated version or further malware. The targets of these downloads were either removed or never uploaded to the URLs coded into the virus before its release, and the administrators of the (intended) hosts have cooperated in making sure the file(s) the virus expected on their servers were not made available.

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center
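As an added illustration (not from the newsletter or any vendor), a small mail triage filter that flags messages matching the characteristics the item describes: a Subject: line of exactly 'Hi', a very short body, and a file attachment. The sample messages, the 40-character 'very short' threshold and the attachment names are constructed assumptions.

```python
"""Triage filter for mail matching the Bagle description above (added example)."""
import email
from email import policy
from email.message import EmailMessage

MAX_BODY_CHARS = 40  # assumed threshold for "very short message"

# Constructed sample messages, not real captured mail.
SAMPLE_MAIL = [
    # 0: Subject 'Hi', one-line body, executable attachment -> should be flagged
    "From: someone@example.test\nTo: you@example.test\nSubject: Hi\n"
    "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"B1\"\n\n"
    "--B1\nContent-Type: text/plain\n\nTest, yep.\n"
    "--B1\nContent-Type: application/octet-stream; name=\"note.exe\"\n"
    "Content-Disposition: attachment; filename=\"note.exe\"\n"
    "Content-Transfer-Encoding: base64\n\nTVqQAAMAAAAEAAAA\n--B1--\n",
    # 1: Subject 'Hi' but a normal, longer message with no attachment
    "From: friend@example.test\nTo: you@example.test\nSubject: Hi\n"
    "Content-Type: text/plain\n\n"
    "Are we still meeting at ten tomorrow? Let me know if it moved.\n",
    # 2: short body with attachment but a different subject
    "From: hr@example.test\nTo: you@example.test\nSubject: Timesheet\n"
    "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"B2\"\n\n"
    "--B2\nContent-Type: text/plain\n\nAttached.\n"
    "--B2\nContent-Type: text/csv; name=\"ts.csv\"\n"
    "Content-Disposition: attachment; filename=\"ts.csv\"\n\na,b\n--B2--\n",
]

def parse(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)

def body_text(msg: EmailMessage) -> str:
    """Plain-text body, or empty string if the message has none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content().strip() if part is not None else ""

def attachment_names(msg: EmailMessage) -> list:
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]

def looks_like_bagle(raw: str) -> bool:
    """True when all three described traits are present together."""
    msg = parse(raw)
    if str(msg["Subject"] or "").strip() != "Hi":
        return False
    if len(body_text(msg)) > MAX_BODY_CHARS:
        return False
    return bool(attachment_names(msg))

def triage(raw_messages) -> list:
    """Indexes of messages worth quarantining for a human look."""
    return [i for i, raw in enumerate(raw_messages) if looks_like_bagle(raw)]
```

The check deliberately requires all three traits together, so an ordinary 'Hi' note or a short message with a spreadsheet attached is left alone.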

* A horse ate my homework!

Could this be the trendy new excuse offered by computer-savvy kids attempting to avoid trouble at school?

Perhaps...

At least, it could if the "Trojan defense" we have mentioned in previous issues of the newsletter becomes better known or more widely practised in the IT legal scene. Although not considering its extension to school homework scenarios, a recent column at the SecurityFocus site provides interesting reading around the issues raised by the Trojan defense. The column is by Mark Rasch, a US lawyer specializing in IT security issues and author of a regular column on such matters for SecurityFocus.

The Giant Wooden Horse Did It! - securityfocus.com

Security News:

* New Microsoft Baseline Security Analyzer released

Microsoft Baseline Security Analyzer (MBSA) v1.2 has just been released. Aside from adding support for three further languages (that is, MBSA now 'speaks' French, German and Japanese), v1.2 adds support for several further products including Microsoft Office, Exchange Server 2003 and supported versions of MDAC (2.5, 2.6, 3.0 and 4.0).

MBSA v1.2 is approximately a 1.5 MB download from the MBSA home page, linked below.

MBSA Home Page - microsoft.com

* Fix for unintended remote Honeyd detection

All versions of Honeyd prior to 0.8 are vulnerable to an unintended remote detection flaw. Honeyd is a virtual honeypot daemon, used to simulate computers occupying unused IP addresses. Because it has a unique response to a specific nmap probe, hosts simulated by Honeyd can be detected. Although there are currently no known remotely exploitable vulnerabilities in Honeyd, it is advisable to update any affected Honeyd installations to the 0.8 (or any subsequent) release, as this unintended giveaway may be used to detect and avoid Honeyd-simulated hosts, thus reducing its usefulness.

Remote Detection Via Simple Probe Packet - honeyd.org
