IDGNet Virus & Security Watch Friday 3 October 2003


Introduction:

* MS03-032 Trojans, et al.; another arrest; critical OpenSSL patches

Virus News:

* QHosts messes with DNS, IE Search entries

* MS03-032 widely exploited to install Trojans, spyware, etc

* Another Blaster-related arrest

Security News:

* Computer security negatively affected by Windows monoculture - report

* Multiple OpenSSL DoS and possible arbitrary code execution bugs fixed

Introduction:

Administrators of Windows desktop systems should pay special consideration to the variants of the Object Data Type vulnerability not fixed in the recent MS03-032 cumulative patch. Microsoft is expected to release a new IE patch, or to re-release MS03-032 with further fixes, as unpatched variants of this vulnerability are now being actively exploited, as described in two items in the virus section of today's newsletter.

On the security front, users of OpenSSL and related products should be on the lookout for patches or updated packages from their vendors, as three serious flaws have been uncovered in the OpenSSL code through extensive programmatic testing performed by the UK NISCC. Also, an independent report from some of the security industry's best-respected researchers has been released, questioning whether computing monocultures - such as we tend to have on desktop systems, where Windows dominates almost entirely - are potentially unhealthy for computer security in general.

Virus News:

* QHosts messes with DNS, IE Search entries

Several variants of a Trojan that modifies its victims' DNS configuration options and Internet Explorer search options have been seen during the previous couple of days. Most antivirus vendors have named this family 'QHosts', but a couple refer to it as 'Delude'. The Trojan itself is a very simple beast and cannot spread by itself. QHosts is primarily of interest because it has been successfully delivered to many victim machines through exploitation of one of the variants of the 'Object Data Type' vulnerability _not_ patched by MS03-032, the most recent cumulative patch for Internet Explorer (see the following item for more details on this).

Computer Associates Virus Information Center - 37191

F-Secure Security Information Center - delude

Network Associates Virus Information Library - v_100719

Sophos Virus Info - trojqhosts1

Symantec Security Response - trojan.qhosts

Trend Micro Virus Information Center - troj_qhosts.a

* MS03-032 widely exploited to install Trojans, spyware, etc

Several weeks ago, when we discussed the release of the MS03-032 security bulletin, we pointed out that 'proof of concept' (PoC) exploits of the so-called 'Object Tag' (more accurately the 'Object Data Type') vulnerability fixed in the associated cumulative update were available, and that it was likely only a matter of time before real-world exploits of that vulnerability were seen. Well, that time has arrived; however, it is worse than we predicted. The MS03-032 fix for the Object Data Type vulnerability has been shown to be far from complete, missing at least two obvious forms of attack that the patch's authors clearly did not foresee, but that had been used in previous exploits of conceptually similar vulnerabilities. Microsoft has still not updated the MS03-032 cumulative patch (nor released a new cumulative patch) to address these weaknesses, yet over the last week or so several active exploits of the original and unfixed variants of the vulnerability have been seen in the wild.

As a variant of the Object Data Type vulnerability that is not fixed by the MS03-032 patch is being actively exploited - the QHosts example described above is just one of many cases; probably the best known, but far from an isolated incident - even if you have installed the MS03-032 cumulative patch you should re-check the associated security bulletin (linked below) and apply as many of the workarounds as possible so as to reduce your exposure to the unpatched variants of this vulnerability. The CERT Coordination Center has also released an Incident Note warning of the noticeable increase in Object Data Type exploitation and describes some mitigating configuration options to reduce one's risk (simply binning IE and installing a browser that is not targeted for attacks every other week must be an increasingly attractive option too).

Microsoft Security Bulletin MS03-032

CERT Incident Note IN-2003-04 Exploitation of IE Vulnerability - cert.org

* Another Blaster-related arrest

A US juvenile has been arrested on charges relating to his writing and release of an IRC bot net agent that automatically spread by exploiting the same Windows security hole as Blaster exploited. Although most press reports associate this case directly with Blaster, the code involved is quite different, being referred to in the press as RPCSDbot (which is also known as a variant of the Randex family by several antivirus products). As the suspect is a juvenile very few of the details of the case or of the suspect's identity are available. It is, nonetheless, encouraging to those in the antivirus industry to see active pursuit and arrest, where possible, of the miscreants responsible for writing and/or releasing malicious code.

Juvenile arrested for creating Blaster variant

Computer Associates Virus Information Center - 36298

F-Secure Security Information Center - sdbot_rpc_a

Network Associates Virus Information Library - v_100549

Sophos Virus Info - w32rpcsdbota

Symantec Security Response - w32.randex.e

Trend Micro Virus Information Center - worm_rpcsdbot.a

Security News:

* Computer security negatively affected by Windows monoculture - report

Seven computer security researchers, generally seen as authorities in their various specialist sub-fields, have written a report considering the effect of the increasing dominance of a 'Windows monoculture' on the security of computing in general. Their findings should be predictable to regular readers of this newsletter - the Windows monoculture is a bad thing, both for all Windows users and the wider computing community.

Although inspired independently, the resulting report has been published in PDF format and made available for download from the Computer & Communications Industry Association (CCIA) web site. The CCIA has previously testified as to what it sees as the dangers posed by software monopolies, including at the infamous antitrust proceedings against Microsoft (which were largely ineffectual in changing the computing landscape by breaking up the perceived 'Microsoft monopoly').

The report's publication has raised as much interest in the security community for the subsequent sacking of one of its authors as it has for its analysis of the effects of computing monocultures on security. Dan Geer, formerly Chief Technology Officer at @stake, a security consultancy and services company that lists Microsoft as a major client, was fired for his involvement in the report, or at least for associating himself with @stake in his authorship credit in the report.

CyberInsecurity: The Cost of Monopoly - ccianet.org (PDF)

Former @stake CTO Dan Geer on Microsoft report, firing - computerworld.com

* Multiple OpenSSL DoS and possible arbitrary code execution bugs fixed

Multiple flaws in the parsing of ASN.1 data in OpenSSL 0.9.6j and 0.9.7b (and all prior versions) have been disclosed and patched. Left unfixed, these versions of OpenSSL are open to denial of service (DoS) style attacks, and the possibility that these bugs allow arbitrary code execution has not been excluded.

Aside from the many Linux and Unix distributions shipping OpenSSL versions, or equivalent code based closely on OpenSSL code, many third-party applications are also potentially affected - the SSLeay library, many applications including SSL and/or TLS connectivity options, etc. The large Linux and Unix vendors have already released, or are known to be working on, updates for affected components. The CERT Coordination Center has released an advisory covering this situation and it lists many (but almost certainly not all) affected OSes and applications with vendor responses as to their vulnerability and availability of fixes.

As well as linking to the CERT/CC advisory, we have linked to the original advisory from the UK's National Infrastructure Security Co-ordination Centre (NISCC), published on the UNIRAS (Unified Incident Reporting and Alert Scheme) web site. This advisory describes the results of research into OpenSSL performed and commissioned by NISCC, similar to the work conducted by the University of Oulu which uncovered the horde of SNMP flaws reported last year.

CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS - cert.org

NISCC Advisory 006489 Vulnerability Issues in OpenSSL - uniras.gov.uk
