IDGNet Virus & Security Watch Friday 10 May 2002


This issue's topics:

Introduction:

* MSN Chat/Messenger, Winamp, DHCPD & BSD kernel patches, Solaris workarounds

Virus News:

* Melissa man gets another 10 years jail

* New SubSeven variant adds mass-mailing capability

* 'JDBGMGR.EXE is a virus' is a hoax

* Nimda strikes new Hitachi computer security offshoot

Security News:

* Patch for remotely exploitable buffer overflow in MSN Chat control

* CIS updates NT and Windows 2000 security configuration benchmarks

* Update fixes Winamp arbitrary code execution vulnerability

* Workarounds for two Solaris remote code execution vulnerabilities

* Critical update for ISC DHCPD fixes remote code execution bug

* Root privilege escalation through stdio file handle tricks

Introduction:

David L. Smith, writer of the Melissa virus, received what looks like another 10 years in jail, but isn't, and despite that, the writer of a widespread Trojan Horse program seems undaunted, having just added a mass-mailing function to their program. We also report on a new and rapidly spreading hoax, akin to last year's SULFNBK.EXE hoax and the unfortunate events surrounding the launch of a computer security site.

On the patch and update front, we have a critical update for MSN Chat, MSN Messenger and Exchange Messenger users and another for Winamp users under Windows. There are workarounds for a couple of serious Solaris security holes, kernel patches for local root exploits for a couple of BSD-derived OSes and a critical DHCP server update for several Unix-ish OSes. We also mention recent updates to the Center for Internet Security's benchmarks for NT and Windows 2000 systems.

Virus News:

* Melissa man gets another 10 years jail

Further to last week's coverage of David L. Smith's sentencing on federal charges, his sentencing on State of New Jersey charges also related to the Melissa incident was announced after last week's newsletter was posted. Monmouth County, New Jersey, Superior Court Judge Lawrence Lawson imposed the maximum 10-year sentence for the charges that Smith had pleaded guilty to. However, this is only an apparently harsher prison term than the federal one imposed earlier in the week. The 10-year term is to 'run concurrently and co-terminously to the federal sentence', meaning that his state sentence is completed at the end of his federal jail time.

Melissa Creator Sentenced On State Charges - NewsBytes

* New SubSeven variant adds mass-mailing capability

What is believed to be a new variant of the SubSeven remote access Trojan (RAT) has had mass-mailing functionality added. The new variant of this RAT accepts a 'spread' command that instigates a fairly typical mass-mailing routine, sending copies of itself to further potential victims whose addresses are found on the current victim's machine. As is common for several widespread RATs, this one can advise its 'owner' of a victim's online status and network address via IRC messaging and other means. As seems to be becoming increasingly popular, if this malware is run it will attempt to kill any other running processes with names matching those on a long list of antivirus and personal firewall products. The final classification of this variant remains uncertain, which, of course, means that more than one name is being used for it...

Handler's Diary - incidents.org

'Cute' Trojan Horse Spreading by E-Mail - pcworld.com

Computer Associates Virus Information Center - SubSeven

Network Associates Virus Information Library - SubSeven

Symantec Security Response - SubSeven

Trend Micro Virus Information Center - SubSeven

* 'JDBGMGR.EXE is a virus' is a hoax

Remember the SULFNBK.EXE hoax from the middle of last year? Well, very much along the same lines, recent reports suggest similarly bogus warnings against the completely innocuous Windows JDBGMGR.EXE program are circulating and apparently leading gullible computer users to delete this harmless (and largely unused) program. JDBGMGR.EXE is the Windows Java virtual machine debugger registrar. Various reports suggest translations of the bogus warning into several languages other than English have also been spotted.

David Chess is one of the longest standing members of the antivirus research community, and by dint of being in the right place at the right time (working for IBM when the original PC was released and started being used inside the company) arguably _the_ original PC support guru. Although IBM is now out of the antivirus research business, having sold or licensed its technology, and transferred its own virus scanner product and users to Symantec, Dave still keeps an interested eye on malware matters. He is also known for a rather dry sense of humour and it does not surprise those who know him that he used humour to cover the 'JDBGMGR.EXE is a virus' hoax in his web log this week.

David Chess' web log - www.davidchess.com

Computer Associates Virus Information Center - JDBGMGR.EXE

F-Secure Security Information Center - JDBGMGR.EXE

Kaspersky Lab Virus Encyclopedia - JDBGMGR.EXE

Symantec Security Response - JDBGMGR.EXE

Trend Micro Virus Information Center - JDBGMGR.EXE

* Nimda strikes new Hitachi computer security offshoot

Imagine having to explain to the boss that your newly unveiled computer security website had become infected with, and then started distributing, the Nimda worm within hours of being brought online? Well, maybe you don't have to, but someone at Hitachi or its computer security subsidiary, Quadrasis, presumably had that task late last month.

Security Firm's Site Preview Marred By Nimda Worm - NewsBytes

Security News:

* Patch for remotely exploitable buffer overflow in MSN Chat control

Users of the MSN Chat control, which is part of MSN Chat, MSN Messenger v4.5 and v4.6, and Exchange Messenger v4.5 and v4.6, are vulnerable to a remote buffer overflow that can allow execution of arbitrary code in the security context of the user running the Chat control. Microsoft rates this vulnerability as critical for all affected products on client systems. As best practice use of intranet and Internet servers includes _not_ running applications such as chat and e-mail clients, and web browsers, this should be a non-issue for Windows servers.

Microsoft Security Bulletin MS02-022

* CIS updates NT and Windows 2000 security configuration benchmarks

The Center for Internet Security (CIS) has released updated drafts of its NT and Windows 2000 security benchmarks, and updated scoring tools for assessing a system's conformity to the standards outlined in the benchmarks. The benchmarks represent the consensus of many hundreds of security experts for 'hardening' a default installation of the product(s) each benchmark applies to.

Center for Internet Security Website

* Update fixes Winamp arbitrary code execution vulnerability

Nullsoft's Winamp v2.79 (and probably earlier) contains a buffer overflow in the minibrowser. Playing specially crafted MP3 files could overflow a buffer in Winamp's code handling the ID3v2 tag and run arbitrary code. Disabling the minibrowser or updating to Winamp v2.80 or later is advised.

Archived Bugtraq list message - securityfocus.com

Winamp home page

* Workarounds for two Solaris remote code execution vulnerabilities

Sun has confirmed two possible remote root vulnerabilities - one in rpc.rwalld and the other in the NFS/RPC file system cachefs daemon (cachefsd). Solaris v2.5.1, v2.6, v7, and v8 are vulnerable to both. No patches have been released yet, and in the meantime Sun recommends disabling rwalld and cachefsd - details of doing this are provided in the Solaris Alert Notifications linked below. If disabling rwalld is not possible, judicious firewalling of rpc.rwalld (typically UDP port 32777) can alleviate, but not entirely remove, the threat. A few more details about the vulnerabilities are provided in the CERT Advisories CA-2002-10 and CA-2002-11, also linked below.

CERT Advisory CA-2002-10 Format String Vulnerability in rpc.rwalld

Security Vulnerability in the rpc.rwalld(1M) Daemon - Sun Alert ID: 44502

CERT Advisory CA-2002-11 Heap Overflow in Cachefs Daemon (cachefsd)

Buffer Overflow in cachefsd in Solaris - Sun Alert ID: 44309

* Critical update for ISC DHCPD fixes remote code execution bug

A format string bug in the Internet Software Consortium (ISC) DHCP daemon software has been patched. The bug, which may allow a remote attacker to run arbitrary code with the privileges of the DHCPD user (usually root), is present in all DHCPD releases v3.0 through 3.0.1rc8 inclusive. Updates to v3.0p1 and v3.0.1rc9 fix this vulnerability and users of any vulnerable version are strongly advised to update to the appropriate patched version as soon as practicable.

ISC DHCPD code ships in several non-ISC products or packages. For example, several Linux and BSD-derived OSes include or ship ports of this code. Updated packages should be available from the appropriate distributors soon.

ISC DHCP products page

CERT Advisory CA-2002-12 Format String Vulnerability in ISC DHCPD

* Root privilege escalation through stdio file handle tricks

A couple of weeks ago Joost Pol of Pine Internet Services discovered that local root privileges could be obtained on FreeBSD by closing one or more of the stdin, stdout and stderr file handles and then running a suid application that 'expects' those handles to be available. A variation on this, but under OpenBSD, has just been described by the self-described 'FozZy from Hackademy and Hackerz Voice newspaper'.

FreeBSD kernel patches have been released to fix this (they are linked from the Pine security advisory linked below). Patches for this issue (named 'fdalloc2') have been committed to the CVS for OpenBSD 2.9, 3.0 and 3.1.
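The application-side defence against this class of bug, as an added illustration that is not taken from the advisories above: a setuid program should confirm that descriptors 0, 1 and 2 are open before it opens anything else, and point any closed ones at /dev/null, which is what the kernel patches now enforce centrally. The helper names are my own, and the second function only shows why the check matters (with stderr closed, the next open() lands on descriptor 2, so later error output would be written into that file).

```c
#include <fcntl.h>
#include <unistd.h>

/* 1 if fd refers to an open file description, 0 otherwise. */
int fd_is_open(int fd) { return fcntl(fd, F_GETFD) != -1; }

/* Make sure fds 0, 1 and 2 are open, attaching /dev/null to any that
 * are not. Returns how many descriptors were repaired, or -1 on error.
 * Hypothetical helper; a privileged program would call this first. */
int sanitise_stdfd(void) {
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd)) continue;
        int nullfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nullfd < 0) return -1;
        /* open() returns the lowest free fd, which should be fd itself
         * since everything below it is already open; dup2 as a fallback. */
        if (nullfd != fd) {
            if (dup2(nullfd, fd) < 0) { close(nullfd); return -1; }
            close(nullfd);
        }
        repaired++;
    }
    return repaired;
}

/* Demonstrates the hazard: close stderr, optionally sanitise, then open a
 * file and report which descriptor it received. Without sanitising it
 * lands on fd 2, so any later write to stderr goes into that file. The
 * real stderr is saved and restored so the calling process is unharmed. */
int next_open_fd_with_stderr_closed(int sanitise_first) {
    sanitise_stdfd();            /* baseline: make sure 0-2 are open */
    int saved = dup(2);
    if (saved < 0) return -1;
    close(2);
    if (sanitise_first) sanitise_stdfd();
    int got = open("/dev/null", O_WRONLY);
    if (got > 2) close(got);
    dup2(saved, 2);              /* restore the real stderr */
    close(saved);
    return got;
}
```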

Pine Advisory: Setuid application may give local root in FreeBSD

Archived Bugtraq list message - securityfocus.com

OpenBSD security
