IDGNet Virus & Security Watch Friday 28 February 2003

This issue's topics:

Introduction:

* Windows ME, Webmin/Usermin, QT/Darwin and terminal emulator patches

Virus News:

* Beware self-mailing security updates...

* Spreading more love around

* Windows backdoor patches netstat to help hide presence

Security News:

* Another Help and Support Center patch for Windows ME

* Privilege escalation fixed in Webmin and Usermin

* Fixes for QuickTime and Darwin streaming media administration servers

* Terminal emulator security issues

* ATM PIN cracking

* Is mumbling the latest social engineering trick?

Introduction:

The major security patches are spread around the OSes this week. Windows ME users have a critical Help and Support Center patch to deal with, Unix and Linux admins may have Webmin, Usermin and terminal emulator patches, and Mac OS X Server administrators running streaming media services who have not already updated to OS X 10.2.4 should consider doing so for security reasons. Aside from those patches and updates, we have an interesting paper on ATM PIN hacking and a story on mumbling as a social engineering trick.

On the virus front, a couple of e-mail worms made a bit of a (media) splash this week though neither seems to have really 'taken off'. And, a new backdoor may be a forerunner to further Windows malware that tries to hide itself from common diagnostic tools.

Virus News:

* Beware self-mailing security updates...

A new variant of Gibe - a mass-mailer that garnered some attention when the first version was released - made a small splash early this week. It was mainly a media event though, showing some fascination with the fact that the virus' e-mail message purports to be a security update posted by Microsoft. However, as of this writing, data from MessageLabs shows that since it was released close to a week ago, about as many messages carrying Gibe.B have been seen by MessageLab's e-mail scanning service as it would see in a typical six hour period carrying Klez.H.

Computer Associates Virus Information Center - Gibe.B

F-Secure Security Information Center - Gibe.B

Network Associates Virus Information Library - Gibe.B

Sophos Virus Info - Gibe.B

Symantec Security Response - Gibe.B

Trend Micro Virus Information Center - Gibe.B

* Spreading more love around

Several variants of a new family of self-mailing viruses have been released in the last few days, with one - Win32/Lovgate.C - making a very sizable initial splash. Compared to Gibe.B (above), Lovgate.C was seen at about half the typical rate of Klez.H. As is increasingly common with recent new e-mail worms, Lovgate not only sends itself via e-mail from its victims' machines but arranges for itself to be distributed via IRC (if the victim machine runs mIRC) and also copies itself around a LAN via open or otherwise available network shares. Further, it installs a remote access Trojan (RAT) on victim machines, allowing the writer (and possibly others) to 'return' later and cause further trouble.

Computer Associates Virus Information Center - Win32/Lovgate.C

F-Secure Security Information Center - Win32/Lovgate.C

Kaspersky Lab Virus Encyclopedia - Win32/Lovgate.C

Network Associates Virus Information Library - Win32/Lovgate.C

Sophos Virus Info - Win32/Lovgate.C

Symantec Security Response - Win32/Lovgate.C

Trend Micro Virus Information Center - Win32/Lovgate.C

* Windows backdoor patches netstat to help hide presence

Although it should be of little real concern to anyone vaguely serious about security, a newly discovered remote access Trojan (RAT) or 'backdoor' for Windows systems introduces an interesting development. Win32/Redkod not only has the usual RAT functions of spying on its victims, sending them screen messages and so on, but adds the new twist of patching the standard TCP/IP networking utility netstat.exe so it will not display the state of the port used by the RAT. As the netstat utility is commonly used as a diagnostic tool to uncover precisely the types of network actions Redkod displays, it should not be surprising that netstat is targeted for this kind of treatment. Rootkits for various operating systems have, for years, taken similar approaches, installing additional software or modified versions of standard utilities so as to hide the presence of the rootkit, at least from casual inspection by a local system administrator.

Symantec Security Response - Redkod
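As an added illustration (not from the newsletter or any of the vendor write-ups linked here), the following Python script shows the cross-view check a defender would use against a netstat-hiding backdoor: compare the host's own netstat listing with an independently observed list of open ports, such as a port scan from another machine. Both inputs are constructed sample data, and the hidden port 31337 is an assumed placeholder, not the port Redkod actually uses.

```python
import re

# Constructed sample of Windows "netstat -an" output, as a patched netstat
# might print it: the listener on port 31337 has been suppressed.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      192.168.1.20:445       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed result of an independent view of the same host, e.g. a TCP
# port scan run from another machine. A patched netstat.exe on the victim
# cannot influence what the network itself shows.
EXTERNAL_SCAN_OPEN_TCP = {135, 139, 445, 31337}

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$")


def listening_tcp_ports(netstat_text):
    """Parse the local TCP ports that netstat reports as LISTENING."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def hidden_ports(netstat_text, external_open):
    """Ports open from outside but absent from the host's own netstat view.

    Any such port is either a benign discrepancy worth explaining (a firewall
    or NAT in between, a short-lived service) or a sign that the local view
    has been tampered with, which is exactly what Redkod does to netstat.
    """
    return sorted(external_open - listening_tcp_ports(netstat_text))


if __name__ == "__main__":
    for port in hidden_ports(NETSTAT_OUTPUT, EXTERNAL_SCAN_OPEN_TCP):
        print(f"port {port} is open externally but not shown by netstat")
```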

Security News:

* Another Help and Support Center patch for Windows ME

Already the source of a widely reported security flaw allowing the deletion of arbitrary local files from reading a malicious HTML e-mail message or browsing a malicious website, the Help and Support Center has been patched again. This newly reported vulnerability allows the execution of remotely supplied script code in the local ('My Computer') security zone (that is, with virtually no restrictions or user warnings).

The initial flaw affected only Windows XP versions of the Help and Support Center but this new flaw also affects the Windows ME version. However, the fix for the previous flaw (see MS02-060 and included in XPSP1) also corrects this new problem. Thus, sites that are up to date with service packs and security patches will only be affected if they have Windows ME users.

Microsoft rates the severity of this vulnerability as critical.

Microsoft Security Bulletin MS03-006

* Privilege escalation fixed in Webmin and Usermin

Webmin and Usermin provide web-based root- and user-level access to several Unix and Unix-like OSes. The web server underlying both has a serious security flaw in its user authentication procedures, such that any user who can authenticate can take over the main administrative user via session ID spoofing. In most cases this means any Webmin or Usermin user can gain system root privileges via the product.

Users should upgrade to Webmin v1.070 and/or Usermin v1.000. As an exploit has been published, this update should not be delayed. Both packages have been included in several popular Linux distributions and update packages have been made available in those cases.

Usermin homepage - usermin.com

Webmin homepage - webmin.com

* Fixes for QuickTime and Darwin streaming media administration servers

Security researchers at @stake have discovered multiple vulnerabilities in the administration services of Apple QuickTime v4.1.2 and Darwin streaming media servers. These flaws include pre-authentication remote code execution via buffer overflow, access to files outside the Web root, revelation of full file paths and local system configuration information, and cross-site scripting. The overall severity rating of these vulnerabilities should be considered 'severe'.

All issues are addressed in the latest server OS update from Apple. Two versions of the update are available - a smaller one if upgrading from Mac OS X Server 10.2.3 and a larger, 'combined' update, incorporating all fixes since 10.2.1 inclusive, if updating from any earlier 10.2.x version.

QuickTime/Darwin Streaming Server Multiple Vulnerabilities - atstake.com

Mac OS X Server Update 10.2.4 - apple.com

Mac OS X Server Update Combined 10.2.4 - apple.com

* Terminal emulator security issues

In what seems to the newsletter compiler like a blast from the past, H D Moore from Digital Offense has published a research paper investigating the security implications of the features of some common terminal emulators. For those not already familiar with the possibilities available through many of the documented features of their favourite Unix-ish terminal emulators (including xterm), this may be salutary reading. Even if you are familiar with these issues, you may wish to check how your preferred emulator stacks up against some of the issues if it is not among those specifically tested by Moore.

Updates for some of the vulnerable terminal emulators have either been prepared and shipped or will be soon (depending on the distributor, etc). If emulators you use are mentioned in the article or found wanting in your own testing, contact the developer or your distributor regarding availability of updates.

Terminal Emulator Security Issues - digitaloffense.net
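The practical defence against emulator features being driven by untrusted text (log files, remote hostnames, file names echoed to the screen) is to strip or neutralise escape sequences before the terminal sees them. The Python sanitiser below is an added example and is not from Moore's paper or any emulator project; the sequence grammar it recognises (CSI, OSC, two-character ESC sequences and 8-bit C1 controls) is the standard ECMA-48 layout, and the sample strings are constructed.

```python
import re

# Escape sequences a terminal may act on when they appear in untrusted text:
#   CSI: ESC [ parameters final-byte   (cursor movement, colours, reports)
#   OSC: ESC ] text BEL-or-ST          (window title and emulator commands)
#   Other two-character ESC sequences, e.g. ESC Z
#   8-bit C1 controls (0x80-0x9f), e.g. 0x9b is an 8-bit CSI
_CSI = r"\x1b\[[0-?]*[ -/]*[@-~]"
_OSC = r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
_ESC2 = r"\x1b[@-_]"
_C1 = r"[\x80-\x9f]"
_ESCAPES = re.compile(f"(?:{_CSI})|(?:{_OSC})|(?:{_ESC2})|(?:{_C1})")


def find_escapes(text):
    """Return the escape sequences present in text, useful for alerting on
    log lines or file names that try to drive the terminal."""
    return _ESCAPES.findall(text)


def sanitize_for_terminal(text, keep=("\n", "\t")):
    """Make untrusted text safe to print: drop recognised escape sequences,
    then show any remaining control character in visible caret form (^G)
    so nothing below 0x20 except the kept characters reaches the terminal."""
    text = _ESCAPES.sub("", text)
    out = []
    for ch in text:
        code = ord(ch)
        if ch in keep:
            out.append(ch)
        elif code < 0x20 or code == 0x7F:
            out.append("^" + chr((code + 0x40) & 0x7F))
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed log line carrying a title-setting OSC and a colour CSI.
    sample = "\x1b]0;evil title\x07user logged in \x1b[31mFAILED\x1b[0m"
    print(find_escapes(sample))
    print(sanitize_for_terminal(sample))
```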

* ATM PIN cracking

Rather than ensuring ATM PIN security as they are supposed to, the HSMs (Hardware Security Modules) studied by a couple of researchers at Cambridge University turn out to have systematic design weaknesses. These flaws significantly weaken HSMs, allowing an attacker with access to one to obtain the PIN associated with an account in an average of about 15 guesses rather than the average 5000 guesses expected from the specification of the system.

As the details are too complex to succinctly describe here, interested readers may wish to download and read the 220KB PDF linked below. The researchers claim that an untrustworthy programmer at a bank using the HSMs they investigated would be able to harvest about 7000 PINs during a 30-minute lunch break, rather than the 24 a brute force method would be expected to discover.

This is yet another case of a cryptosystem being broken through an unexpected use of a useful interface designed and intended for a different, legitimate purpose. It also seems that the legitimate interface abused in this attack is fundamentally problematic, but as it is also crucial to the working of such ATM PIN systems, it seems the mid-term prospects are that such systems will have to be entirely re-engineered (at significant cost) to obviate this problem. The paper's authors note that randomly generated PINs stored encrypted in an online database are immune from these problems. It is unknown if ATMs used in the New Zealand banking system are vulnerable to the HSM decimalization table attack or not. Finally, this result should not be terribly alarming, as its exploitation requires direct access to an HSM - such access should be limited to a bank's programming staff who (hopefully!) are closely monitored and specially chosen for their trustworthiness.

Decimalisation table attacks for PIN cracking - cam.ac.uk (PDF)

* Is mumbling the latest social engineering trick?

A teenager interviewed by Wired claims to have 'hacked' AOL simply by repeatedly phoning technical support and mumbling. Telling support staff on the phone that he had just had surgery on his jaw, the teenager identified by the nickname 'hakrobatik', claims he was able to elicit snippets of valid information about the accounts he was trying to take over with this tactic then he would phone again, repeat the story about surgery and armed with a little more about the real identity of the account holder, try again to get his 'forgotten' password reset. Eventually he would either persuade support staff he was the account owner or they would give in to his mumbling and just change the password.

The Wired article also includes claims from others that they have hacked AOL's new user database, Merlin. This was reputedly achieved by duping support staff into running remote access Trojans and more social engineering. An article in The Register questions this however, noting that the SecureID system involved in Merlin's user authentication should be beyond the kinds of tricks described in the Wired article.

Hackers Run Wild and Free on AOL - wired.com

AOL probes hacker "breach" - theregister.co.uk
