IDGNet Virus & Security Watch Friday 19 July 2002

This issue's topics:

Introduction:

* Patches for VirusWall & Norton Personal Firewall, scene news and a worm

Virus News:

* Cry Frethem!

* Patch for attachment scanning bypass in Trend Micro VirusWall

* A serious interview about antivirus comedy

Security News:

* Old Exchange bug rediscovered in IIS 4.0 & 5.0

* More serious problems in IE

* Remote buffer overflow in Norton Personal Internet Firewall 2001

* Lessons from USA Today defacement

* Hacker 'sell out' claims stir the pot...

* Do you need a honeypot? - Humour from El Reg...

Introduction:

Although not yet seen in anything like the numbers Klez still is, several new variants of the Frethem e-mail worm were discovered in the wild over the past weekend (your newsletter compiler had a rather late night last Friday because of this). Most antivirus products were quickly updated, as usually happens in these cases nowadays, but one of these variants has been seen in modest numbers and has become quite widespread, particularly in Europe. Other antivirus news is that a critical update for Trend Micro's VirusWall e-mail gateway scanner has been released to stop it missing some 'malformed' e-mail attachments that are, nonetheless, still seen as attachments by popular e-mail client software. And, as a long-time reader of the VMyths web site, I have included a link to an interview with the maintainer of that site, whose cynicism and humour are near-legendary.

On the security side of things, it was quite a quiet week in terms of the discovery of gnarly exploits and the release of critical patches, but the 'people side' of the industry got a bit agitated. Aside from the articles linked in the item below on claims of a 'hacker sell out', the timing of the announcement that antivirus giant Symantec (makers of the Norton range of products, among others) is taking over mainstream computer security companies Security Focus, Recourse and Riptech could hardly have been more ironic.

Aside from that, we have news of more remote arbitrary code execution flaws in Internet Explorer, the resurfacing of an old Exchange bug in the IIS SMTP service and a remote buffer overflow in Norton Personal Internet Firewall. We also cover the defacement of the USA Today web site and a humorous look at the buying decisions affecting state-of-the-art security products.

Virus News:

* Cry Frethem!

Several new variants of the Frethem e-mail worm were released very late last week and over the weekend. Frethem is a fairly typical binary (executable program) mass mailer, collecting addresses from the various places on a typical Windows PC where such addresses are likely to be found and sending copies of itself out via its own SMTP mail code. This approach improves its chances of 'success', as it means the mass distribution function does not depend on the victim having a particular e-mail client installed, and even if the user does have a richly populated Windows address book, addresses for further potential victims may be gathered from other files on the victim's machine.

Frethem also incorporates another feature commonly seen in recent successful e-mail worms. It sends itself as an 'inline attachment' in HTML e-mail messages that exploit the 'Incorrect MIME Header' vulnerability in Internet Explorer. This means that the copy of the virus runs automatically on viewing (or 'reading'), and even previewing, of the virus' e-mail messages in several popular e-mail client programs.

Aside from its mass-mailing routines, Frethem is interesting because it also has a potentially nasty backdoor feature. The virus tries to contact various machines around the Internet and can either run arbitrary code sent back to it or download and execute program files from the web. Either mechanism could be used to 'update' the virus or to install further malicious code on the infected machine - perhaps a DDoS agent, a more complex backdoor allowing remote control of the victim machine, or damaging payload code to delete files or worse.

Of course, the usual issue of naming conflicts arises. Although this time all the major vendors are using the same family name for these viruses, there is some confusion over the variant ascriptions with, for example, different vendors calling the same actual virus Frethem.J and Frethem.K. Note that while many of the following links are to descriptions of a specific Frethem variant, most of these sources also have descriptions of the other recently discovered Frethem variants.

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Patch for attachment scanning bypass in Trend Micro VirusWall

Users of Trend Micro's VirusWall e-mail gateway scanner should update to recent patch releases, according to SecuriTeam researchers. Older versions of VirusWall do not see certain 'improperly formed' MIME headers as valid and presumably ignore them, thereby failing to see that messages with such headers may, in fact, have attachments that should be scanned for viruses. Unfortunately, Outlook Express and some other e-mail client software accept some of these non-standard MIME headers and thus have no trouble seeing the attachments or allowing users to access them. The SecuriTeam advisory links to the Trend Micro download locations from which the necessary updates can be obtained.

TrendMicro's VirusWall Space Gap - securiteam.com
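The two MIME points raised in this issue (Frethem's reliance on the Internet Explorer 'Incorrect MIME Header' flaw in the item above, and VirusWall skipping attachments whose headers it considers malformed in this one) share a single defensive lesson: a gateway scanner should examine every part that a tolerant parser can find, the way the mail client will, and should not trust the declared Content-Type. The Python script below is an added example, not Trend Micro's or any other vendor's code. It uses the standard library's lenient email parser over a constructed sample message whose 'audio' attachment has an executable filename and begins with an MZ header (a short harmless fragment, not a program); the extension list and the MZ check are assumptions chosen for the example.

```python
import email
import os
from email import policy

# Constructed sample message (not a real Frethem sample). Part 2 is declared
# as audio/x-wav but carries an executable filename and an MZ header, the
# type/content mismatch the 'Incorrect MIME Header' problem relies on. The
# base64 decodes to a 32-byte fragment, not a runnable program.
SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/html

<html><body>hello</body></html>
--bnd
Content-Type: audio/x-wav; name="decrypt-password.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA=
--bnd
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just some notes
--bnd--
"""

# Extensions treated as executable for this example (an assumption; a real
# gateway policy would be longer and configurable).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}


def suspicious_reasons(part):
    """Return the reasons one leaf MIME part looks like a disguised
    executable; an empty list means nothing was flagged."""
    reasons = []
    filename = part.get_filename() or ""            # honours name= and filename=
    declared = part.get_content_type()
    payload = part.get_payload(decode=True) or b""  # decoded whatever the CTE

    if os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTENSIONS:
        reasons.append(f"filename {filename!r} has an executable extension")
    if payload.startswith(b"MZ"):
        reasons.append("payload begins with an MZ (DOS/Windows executable) header")
    if reasons and not declared.startswith("application/"):
        reasons.append(f"declared type {declared} does not match executable content")
    return reasons


def scan_message(raw):
    """Walk every leaf part the lenient parser yields, exactly as a client
    would see them, and collect (filename, declared_type, reasons) tuples."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        reasons = suspicious_reasons(part)
        if reasons:
            findings.append((part.get_filename(), part.get_content_type(), reasons))
    return findings


if __name__ == "__main__":
    for filename, ctype, reasons in scan_message(SAMPLE_MESSAGE):
        print(f"{filename} ({ctype}):")
        for reason in reasons:
            print("  -", reason)
```

The design choice worth noting is that the scanner decides from the decoded payload and the filename, not from the declared type, and that it iterates over whatever the tolerant parser produces rather than refusing parts whose headers are non-standard; that is the behaviour a gateway needs to match the clients it protects.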

* A serious interview about antivirus comedy

Rob Rosenberger, maintainer of the Virus Myths ('VMyths') web site, is a long-time observer and critic of the antivirus industry. He is well known for taking a humorous approach to expressing his often skeptical views of the antics of the purveyors of antivirus technology, and that was the focus of an interview he gave to staff from about.com's antivirus page recently. The interview can be read at the link below. (Note - we borrowed the sub-title of the interview for our item title.)

Is Antivirus a Joke? - about.com

Security News:

* Old Exchange bug rediscovered in IIS 4.0 & 5.0

Researchers at Portcullis Computer Security have discovered that a vulnerability originally announced as affecting just Exchange Server 5.5 is also present in the Microsoft SMTP Service component of IIS 4.0 and 5.0. Known as the 'encapsulated SMTP address vulnerability', this flaw allows e-mail to be relayed through a vulnerable server despite the administrator having properly configured the anti-relaying features provided in the server. Exploitation of this vulnerability allows unauthorized e-mail relaying, so that e-mail can be sent on to foreign domains through the affected server. This type of flaw is most attractive to spammers, who prefer to obscure their tracks as much as possible and have made widespread use of open SMTP relays in the past.

Microsoft has not released a patch yet, but hopefully the fact that apparently much the same problem has been fixed before means a patch should not be too long in the making and testing.

IIS SMTP Service Encapsulated SMTP Address Vulnerability - portcullis-security.com

Microsoft Security Bulletin MS99-027

Microsoft Security Bulletin FAQ MS99-027
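As an added illustration of the class of flaw this item describes, and not Microsoft's or Portcullis's code, the Python below contrasts an anti-relay test that only inspects the text after the final '@' with a stricter parse that refuses any recipient whose local part encapsulates a second address, unless the client has authenticated. The local domain and the address forms are constructed for the example, and the conservative local-part syntax is an assumption; the specific encapsulation affecting the Microsoft SMTP Service is not given in the newsletter and is not reproduced here.

```python
import re

# Constructed local domain list for the example; a real MTA reads this from
# its configuration.
LOCAL_DOMAINS = {"example.invalid"}

# Conservative local-part syntax for this example: plain dot-atom characters,
# deliberately excluding '%', '!', ':', '@' and quotes, which have historically
# been used to route mail onward from inside the local part.
LOCAL_PART_RE = re.compile(r"[A-Za-z0-9._+=-]+")


def naive_is_local(rcpt):
    """The weak test: trust whatever follows the last '@'."""
    return rcpt.strip("<>").rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def parse_rcpt(raw):
    """Split an SMTP RCPT TO path into (local_part, domain, source_routed)."""
    addr = raw.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    source_routed = addr.startswith("@")
    if source_routed:
        # RFC 2821 source route '@relay1,@relay2:user@final': keep the final address
        if ":" not in addr:
            raise ValueError("malformed source route")
        addr = addr.split(":", 1)[1]
    if "@" not in addr:
        raise ValueError("missing domain")
    local, domain = addr.rsplit("@", 1)
    return local, domain.lower(), source_routed


def should_accept_rcpt(raw, authenticated=False, local_domains=LOCAL_DOMAINS):
    """Return (accept, reason) for one recipient under a no-open-relay policy."""
    try:
        local, domain, source_routed = parse_rcpt(raw)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if authenticated:
        return True, "accepted: authenticated client may relay"
    if source_routed:
        return False, "rejected: source-routed path"
    if domain not in local_domains:
        return False, "rejected: relay to non-local domain"
    if not LOCAL_PART_RE.fullmatch(local):
        return False, "rejected: local part encapsulates another address"
    return True, "accepted: local delivery"


if __name__ == "__main__":
    for rcpt in ("<alice@example.invalid>",
                 "<bob@other.example>",
                 '<"bob@other.example"@example.invalid>',
                 "<bob%other.example@example.invalid>",
                 "<@example.invalid:bob@other.example>"):
        print(f"{rcpt:45} naive_local={naive_is_local(rcpt)!s:5} "
              f"strict={should_accept_rcpt(rcpt)[1]}")
```

The point of the contrast is that the domain-only test reports the quoted and percent-encoded forms as local, which is exactly the situation in which an administrator believes relaying is disabled while the server still forwards mail elsewhere; the stricter check parses the whole path and treats anything that could be re-routed as a relay attempt.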

* More serious problems in IE

Often several 'small' or apparently not very serious vulnerabilities can be exploited together to make for a much worse exposure. Developments in the last few days have exposed another such case regarding Internet Explorer. First, it should be noted that in general it is a very bad idea for active content in web browsers to be able to directly access other files that have been downloaded at the behest of either that web page or others that an 'evil attacker' may have control over.

This is one of the reasons why Internet Explorer sets up a series of randomly named (and slowly changing) sub-directories under the 'top level' of the 'Temporary Internet Files' (TIF) tree and has its own file management mechanism for keeping track of which file in the TIF maps to which web resource. Netscape and Mozilla handle this slightly differently, using a single directory name that is random but fixed for each user profile and storing all cached files under randomly generated names. This is also why some old security patches for IE involved 'fixing' code that copied browser-directed downloads to the system's temporary files folder rather than into the TIF (the location of the system temporary folder is much more readily guessed than the random sub-directory names IE places under the root of the TIF).

Unfortunately, many popular network client programs other than the major web browsers are not so careful about such matters, making it easy to create content directed at those products that 'plants' a file with a known name in a known, or readily guessable, location. This is the first kind of 'minor' security flaw that this latest problem with IE depends on: files and content associated with (at least) ICQ, WinAmp and the v1.4 Java Runtime Environment are all readily saved, with remotely supplied arbitrary content, into known (that is, 'statically named') locations in the file system. Further, all of these products either use the system's web browser, or have protocol extensions for use 'inside' the browser, that allow the ready mingling of content supplied to these applications with HTML content to be interpreted by the browser.

The second 'problem behaviour' that has been glued onto these applications' proclivities for saving arbitrary files in known places is that IE can be guided to execute local files from remote HTML without necessarily performing the appropriate security zone checks. Three examples of these types of problems, disclosed in the last few days on the Bugtraq mailing list, are linked below.

Archived Bugtraq list messages - securityfocus.com (282631)

Archived Bugtraq list messages - securityfocus.com (282993)

Archived Bugtraq list messages - securityfocus.com (283018)
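To make the design point about the Temporary Internet Files tree concrete, here is an added Python sketch, not Internet Explorer's or Mozilla's code, that contrasts a download path which is a pure function of the URL (the pattern the other client programs above exhibit) with a small cache that stores each resource under a random name inside a random per-profile directory and keeps the URL-to-path mapping in a private index, so nothing outside the application can derive where a given resource landed. The directory layout, name lengths and the use of a temporary directory as the profile root are assumptions made for the example.

```python
import os
import secrets
import tempfile


def predictable_path(download_dir, url):
    """The pattern the newsletter warns about: the on-disk name is derived
    directly from the URL, so any remote content that knows the URL also
    knows where the file was written."""
    name = url.rsplit("/", 1)[-1] or "index"
    return os.path.join(download_dir, name)


class OpaqueCache:
    """Modelled loosely on the TIF/Mozilla behaviour described in the text:
    a random per-profile directory, random file names, and a private index
    mapping URLs to paths. The mapping is the only way to find a file."""

    def __init__(self, profile_root=None):
        root = profile_root or tempfile.mkdtemp(prefix="profile-")  # assumption
        self.cache_dir = os.path.join(root, secrets.token_hex(8))   # random dir
        os.makedirs(self.cache_dir, exist_ok=True)
        self._index = {}

    def store(self, url, data):
        """Write data under a fresh random name and remember it in the index."""
        path = os.path.join(self.cache_dir, secrets.token_hex(16))
        with open(path, "wb") as fh:
            fh.write(data)
        self._index[url] = path
        return path

    def path_for(self, url):
        """Only the holder of the index can map a URL back to its file."""
        return self._index.get(url)

    def lookup(self, url):
        path = self.path_for(url)
        if path is None:
            return None
        with open(path, "rb") as fh:
            return fh.read()


if __name__ == "__main__":
    url = "http://example.invalid/downloads/tool.bin"  # constructed URL
    print("predictable:", predictable_path("downloads", url))
    cache = OpaqueCache()
    print("opaque:     ", cache.store(url, b"constructed content"))
    print("lookup:     ", cache.lookup(url))
```

Two independent caches, or two runs of the same browser, place the same URL at unrelated paths, which is what denies a remote page the 'known location' that the second half of this combined problem needs; the predictable variant gives the same answer every time.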

* Remote buffer overflow in Norton Personal Internet Firewall 2001

Security researchers at @stake have announced that a remotely exploitable buffer overflow in Norton Personal Internet Firewall (NPIF) 2001 v3.0.4.91 (and probably earlier versions) has been fixed. Normally Norton LiveUpdate will fetch and install the necessary upgrade to fix this vulnerability. However, whether that has happened or not is unclear - the update was, according to @stake, posted by Symantec on 18 April this year although Symantec's own advisory implies the update is still under development. The @stake advisory also mentions AtGuard v3.2 - the product that NPIF was originally based on. AtGuard users may have to upgrade to NPIF, or an alternative product, to remove this vulnerability, which although present in the HTTP proxy component of NPIF, affects all NPIF users whether HTTP proxying is enabled in their browsers or not.

Norton Personal Internet Firewall HTTP Proxy Vulnerability - atstake.com

Symantec Norton Internet Security 2001 Denial of Service - symantec.com

* Lessons from USA Today defacement

The USA Today web site was defaced early this week, with several bogus stories being added to the online news portal's site. Despite the embarrassment this caused and a short period of downtime for the whole site, the consensus among some security experts and hackers is that USA Today actually got off lightly, as reported in the linked news article.

Hackers to corporate America: You're lazy - computerworld.com

* Hacker 'sell out' claims stir the pot...

As reported by The Register, the H2K2 hacker conference in New York last weekend was stirred up by the claims of 'hacker activist' Gweeds. If you are at all interested in the types of in-fighting and competition between hacker groups, then The Register's coverage of Gweeds' claims and the reactions to them make interesting reading.

Security industry's hacker-pimping slammed - theregister.com

Gweeds gets killed - theregister.com

'Hacker' security biz built on FBI snitches - theregister.com

* Do you need a honeypot? - Humour from El Reg...

Perhaps the previous item on the commercialization of hacker groups did not appeal. If not, perhaps the light-hearted treatment of a related issue - corporate IT managers struggling to come to grips with swathes of new security technologies they are unsure whether they really need - may tickle your fancy instead. This piece is also from The Register (which has surpassed itself this last week) and reminiscent of the style of the BOFH series (which The Register also hosts at the moment - honestly, this issue is not an unpaid advertisement for El Reg...).

Snouts in the honeypot - theregister.com
