IDGNet Virus & Security Watch Monday 17 February 2003


This issue's topics:

Introduction:

* Valentines malware, MS02-071 & MS03-004 updated, OS X local root exploit

Virus News:

* Valentines Day massacre?

* Another viral marketing con...

* TK Worm writers arrested

Security News:

* MS02-071 updated (at least for NT 4.0 users)

* MS03-004 updated (at least for IE 6 users)

* Very weak encryption in CryptoBuddy; other flaws

* Local root exploit through TruBlueEnvironment on OS X

* Interesting paper on relative security of open and closed systems

Introduction:

** Note: Viruswatch was delayed in being sent out last Friday and was shifted to Monday instead. We apologise for the inconvenience. **

Another relatively quiet week despite Valentines Day often being the attractant of more than just romantic thoughts... There was one Valentines Day related malware issue, but it was more of interest than heavy-duty news value. On top of that, a new viral marketing scam, similar to last year's FriendsGreeting, using the address books and computers of the advertised product's users to run its mailouts was uncovered. And, adding to the slow but encouraging growth of success stories of law enforcement acting against malware writers and distributors, three men alleged to have been behind the TK Worm have been arrested and charged.

It was also quiet on the security front, with few items likely of much interest or concern to our readers. Two recent Microsoft security advisories were revised, one noting a re-release of the original patch to fix a bug introduced in the NT 4.0 version of the patch and one noting the availability of a non-security hotfix to address a problem that may affect some users of the IE 6.0 version of that patch. Other than that, any readers who use CryptoBuddy should read the advisory linked in that item, as its claims to provide effective encryption are apparently quite misleading. Macintosh administrators with OS X machines should also carefully consider the implications of the local root exploit described in the latest @stake security advisory, and we close this issue with a link to a very interesting new research paper considering the relative security strength of open and closed systems that concludes attackers and defenders are equally advantaged under either approach.

Virus News:

* Valentines Day massacre?

Put aside thoughts of surprise gifts of flowers, perfume, lingerie and jewellery, unexpected invitations to romantic dinners and candlelit dancing, and the other stereotypical trappings of the day. Valentines Day is one of the 'traditional' days targeted by lesser mortals with mayhem and destruction on their minds.

However, this year Valentines Day seems to have been let off lightly. As Valentines Day 'e-cards' start pouring into e-mail boxes, the first malware trying to take advantage of the expected lowering of the guard on such days was spotted.

Last Wednesday an HTML e-mail message exhorting the recipient to pick up a Valentines e-card from the website 'Valentines-ecard.com' was extensively spammed around the world. Visitors to the advertised pickup site were presented with a page that supposedly linked to their secret admirer's message, but which in fact was a download link for a Windows executable. Anyone unwary enough to download and run the program was not only subjected to the display of a cheesy Flash-animation Valentines Day card, but also had three .DLL files silently installed. These comprise an Internet Explorer 'add-on' that pipes advertisements straight to the user's desktop.

Although several antivirus vendors updated their products' definition files to detect the 'installer' component (classifying it as a Trojan or a 'dropper'), few have added descriptions to their web sites.

F-Secure Security Information Center

Network Associates Virus Information Library

Trend Micro Virus Information Center

* Another viral marketing con...

Following similar lines to the malware in the previous item, but adding a pinch of 'FriendsGreeting' bravado from late last year, is the newly discovered 'TellAFriend'.

E-mail messages advertising a 'popup blocker' named 'ZeroPopup' were being delivered late last week. Often apparently from someone known to the recipient, these messages were being delivered by the TellAFriend component of the ZeroPopup bundle. One of the terms of the end user agreement of this software is that the user will allow the software to 'email all your friends and contacts a short message with a link so they too can install [the software]'. Because the way the end user agreement is displayed (via a web page) is 'disconnected' from the 'confirm installation' process of the software installer, the TellAFriend component of this package has been deemed 'undesirable' and thus is likely to be detected in future antivirus updates. (This may be moot however, as the web site hosting the ActiveX control that is the TellAFriend installer has, of this writing, been taken down so the product is currently not available from its advertised location.) Apart from this, TellAFriend is of some minor technical interest, being one of the few e-mail aware malwares to date to use not only the common Windows address book, but also the Eudora address book (if present) for sourcing e-mail addresses to target.

As with the Valentines e-card item above, and the FriendsGreeting issue last year, the desirability of allowing end-users the choice of what ActiveX controls are installed and/or run on corporate systems has to be questioned. If you must stick with Internet Explorer (and its record is such that that must be a really hard sell to anyone who is vaguely security or privacy conscious) then later versions can be configured to only allow 'administrator approved' controls. Corporate users sticking with IE who have not already looked into enabling and supporting this feature should consider it again.

Network Associates Virus Information Library

* TK Worm writers arrested

Two men in County Durham, UK and another in Illinois, USA have been arrested on charges related to the TK Worm. The worm is a variation on the illicit IRC-controlled, FTP-based warez and pornography distribution chains that have become common over the last few years. Unlike most of these previous networks however, TK went a step further, adding auto-detection of potential new targets and auto-deployment of new network nodes to those targets, transforming a so-called 'bot' into a full-blown worm. The men were arrested after a combined investigation by the UK's relatively new National Hi-Tech Crimes Unit (NHTCU) and the US CATCH (Computer And Technology Crime Hi-tech Response) Team (both acronymed units are themselves collaborative efforts between various government departments and law enforcement units).

US and UK arrests in computer worm probe - theregister.co.uk

Network Associates Virus Information Library - IRC-Demfire

Sophos Virus Info - Troj/TKBot-A

Symantec Security Response - W32.Tkbot.Worm

Trend Micro Virus Information Center - BKDR_KTBOT.A

Security News:

* MS02-071 updated (at least for NT 4.0 users)

Perhaps the biggest surprise security bulletin of 2002 - that announcing the release of partial patches for the vulnerabilities behind the so-called 'shatter attack' against the core Windows system messaging component - has been updated. Under unspecified 'certain conditions' on NT 4.0, the original version of the patch has been found to cause system failures. Updated NT 4.0 versions of this patch that rectify those problems have been released and are linked from the updated security bulletin, itself linked below.

The MS02-071 patches for Windows 2000 and XP are unaffected by this problem, so users of those systems who have already installed the MS02-071 patches need not be concerned.

Microsoft Security Bulletin MS02-071

* MS03-004 updated (at least for IE 6 users)

Last week's cumulative update for IE has been updated, but not the patch itself, just the security bulletin. The bulletin now warns that subsequent to the release of the cumulative update, under certain conditions some users could be adversely affected. Specifically, IE 6.0 users may be unable to log in to MSN (some may say that is an advantage!) and possibly some other subscription-based sites after installing the cumulative update.

A non-security hotfix that addresses this issue (and which only installs on IE 6 SP1) has been released. You can read a little more about it in the revised security bulletin and/or on its specific IE updates page.

Microsoft Security Bulletin MS03-004

February 2003, Update for Internet Explorer 6 SP1 (813951)

* Very weak encryption in CryptoBuddy; other flaws

An advisory posted to the Bugtraq mailing list this week claims that the CryptoBuddy product from Research Triangle Software (RTS) suffers from grievous design and implementation errors in its cryptographic routines. The effect of these is that the product is essentially worthless for its stated purpose which is still overstated on the RTS web site as 'allow[ing] users to effectively protect and encrypt their files and data'. Version 1.2 and all earlier versions of the software are said to be vulnerable to multiple flaws and weaknesses in the cryptography implemented in the product.

The worst of these flaws renders the product worthless. CryptoBuddy uses the same encryption algorithm and key for all file encryption by all users and stores an encrypted version of the user-supplied passphrase (key) with the encrypted file. When decrypting, if the user supplies the right passphrase then CryptoBuddy decrypts the actual file. Thus, all an attacker needs to do to 'crack' a CryptoBuddy encrypted file is encrypt any file with whatever key suits them, copy this part of the resulting 'encrypted file plus encrypted key' to the 'encrypted key' part of the file to be 'cracked' (using a hex editor or similar) then ask CryptoBuddy to decrypt the file. CryptoBuddy will check the passphrase (which will now match the one the attacker has planted into the file) then happily decrypt the file.
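To make the design error concrete, here is an added toy model (not the product's code, and the cipher and key below are constructed placeholders) of the flawed scheme the advisory describes beside a corrected one in which the file key is derived from the passphrase, so a transplanted header cannot stand in for knowing it:

```python
import hashlib
import hmac
import secrets

def keystream_xor(key: bytes, data: bytes, label: bytes) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode) so the example runs on
    # the stdlib alone; the label keeps header and body keystreams distinct.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, label + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

# Flawed design as the advisory describes it: one fixed key shared by every
# user and every file, and the passphrase itself stored (encrypted) in a header.
FIXED_KEY = b"constructed-fixed-product-key"   # constructed placeholder value
HDR = 32                                        # zero-padded passphrase slot

def flawed_encrypt(passphrase: bytes, plaintext: bytes) -> bytes:
    header = keystream_xor(FIXED_KEY, passphrase.ljust(HDR, b"\0"), b"hdr")
    return header + keystream_xor(FIXED_KEY, plaintext, b"data")

def flawed_decrypt(passphrase: bytes, blob: bytes):
    stored = keystream_xor(FIXED_KEY, blob[:HDR], b"hdr").rstrip(b"\0")
    if stored != passphrase:
        return None                       # "wrong passphrase"
    return keystream_xor(FIXED_KEY, blob[HDR:], b"data")  # key never depended on it

def transplant_header(victim: bytes, own: bytes, hdr_len: int) -> bytes:
    # The header swap the advisory describes: header from a file we encrypted
    # ourselves, body from the file whose passphrase we do not know.
    return own[:hdr_len] + victim[hdr_len:]

# Corrected design: the file key is derived from the passphrase and a per-file
# salt, and a MAC binds salt and ciphertext, so nothing stored in the file can
# substitute for the passphrase.
def safe_encrypt(passphrase: bytes, plaintext: bytes) -> bytes:
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, 32)
    ct = keystream_xor(key, plaintext, b"data")
    tag = hmac.new(key, salt + ct, hashlib.sha256).digest()
    return salt + tag + ct                # 48-byte header, holds no secret

def safe_decrypt(passphrase: bytes, blob: bytes):
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    key = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, 32)
    if not hmac.compare_digest(tag, hmac.new(key, salt + ct, hashlib.sha256).digest()):
        return None                       # wrong passphrase or tampered file
    return keystream_xor(key, ct, b"data")
```

Against the flawed scheme the transplanted header makes the passphrase check pass and the body decrypts with the shared key; against the corrected scheme the same swap fails the MAC, and even without the MAC the derived key would not match.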

The other flaws are similarly basic cryptography errors, although none of them are quite the show-stopper of this. An archived copy of the full advisory can be read at the link below. RTS is reported to have acknowledged these flaws and claims they will be 'mitigated' in the next version of the product.

Archived Bugtraq list message - securityfocus.com

* Local root exploit through TruBlueEnvironment on OS X

Security researchers at @stake have released an advisory describing a trivial root privilege escalation under OS X 10.2.3 and earlier. The exploit is possible because the MacOS Classic emulator TruBlueEnvironment runs as root, uses some poorly chosen file permissions, and ordinary users are able to set an environment variable that the TruBlueEnvironment uses for its debug log file name. TruBlueEnvironment is included in the default installation of OS X.

This flaw has been fixed in OS X 10.2.4. If upgrading is not possible the @stake security advisory describes some partial workarounds.

TruBlueEnvironment Privilege Escalation Attack - atstake.com

* Interesting paper on relative security of open and closed systems

Acclaimed security researcher Ross Anderson has presented a paper on the relative security of open and closed systems, with some further commentary on the effect Trusted Computing Platform Alliance (TCPA) moves and the further development of Digital Rights Management (DRM) technology such as Microsoft's proposed Palladium might have on open systems development. The relative security part of the paper in particular struck your newsletter compiler as being sufficiently interesting to merit linking here. In it Anderson argues that 'under quite reasonable assumptions the security assurance problem scales in such a way that making it either easier, or harder, to find attacks, will help attackers and defendants equally'.

Security in Open versus Closed Systems - cam.ac.uk (PDF)
