IDGNet Virus & Security Watch Friday 22 February 2002

Virus News: * A yarn you don't want to receive * Inactive virus shipped in IBM memory keys no threat Security News: * Patch fixes SQL Server 7.0/2000 buffer overflows * More privacy invasion concerns with Windows Media Player * SANS releases SNMP scanning tool * Cisco router security evaluation tool * Review of 802.1x wireless security extensions sceptical...

This issue's topics:

Virus News:

* A yarn you don't want to receive

* Inactive virus shipped in IBM memory keys no threat

Security News:

* Patch fixes SQL Server 7.0/2000 buffer overflows

* More privacy invasion concerns with Windows Media Player

* SANS releases SNMP scanning tool

* Cisco router security evaluation tool

* Review of 802.1x wireless security extensions sceptical...

Virus News:

* A yarn you don't want to receive

Several variants of Win32/Yarner caused a brief flurry of activity earlier this week. This new family of mass-mailing worms debuted with seven variants and although it initially spread quite rapidly, its effects seem to have been quite muted. This is probably because the message the worm attached itself to was a German language announcement of a German language program and hopefully that raises enough of a red flag for most non-German speakers to be wary of running the attachment.

If this story has a familiar ring, it is probably because you remember the Anset worm story from late October 2001. That worm's e-mail message was a bogus announcement of the German language anti-Trojan program ANTS v3.0. Yarner takes the same approach, 'attacking' another anti-Trojan product from the author of ANTS, YAW v2.0. YAW is a legitimate anti-Trojan product that detects attempts to call '0190' phone numbers from a computer's modem. '0190' numbers are the German (and some other European countries') equivalent of premium-rate 0900 numbers and are often used by so-called 'porn dialler' software promising 'free' access to 'premium' web content (the web access is free, but the victim ends up with staggering phone charges).

Unlike Anset however, Yarner's e-mail message does not include both English and German text. This probably accounts for Yarner's reduced impact, relative to Anset.

YAW author and distributor statement (German)

Various antivirus developer descriptions:

Computer Associates Virus Information Center

F-Secure Security Information Center

McAfee Security

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Inactive virus shipped in IBM memory keys no threat

In the last couple of months, several antivirus researchers have been puzzled by a small, but noticeable, increase in reports of the rather old boot sector virus WYX. Perhaps the fact that IBM inadvertently shipped an inactive copy of the virus in some of its 32MB Memory Keys may account for this. The Memory Key is a small USB device stuffed with persistent memory that looks to the system like a small removable hard drive. The affected devices have IBM part number 22P5296 and should not be confused with other Memory Keys of differing capacities which apparently were not affected.

As no currently shipped computer systems are known to be configurable to boot from a USB storage device, there should be no possibility of a system becoming infected from an infected Memory Key. This is because the WYX virus is solely a master boot record (MBR) and boot sector infector and under normal operation a PC only ever executes the code in MBRs and boot sectors during the boot process.

According to IBM's advisory, Memory Keys with 'a manufacturing date (found on the label on the packaging box) after 12/21/01 or a serial number above 2320000 (found on the white label on the side of the key)' are not affected. A utility that will clear the virus from the Memory Key is available from the IBM advisory page and can be run, as a precaution, against any Memory Key.

IBM memory gadgets infected with computer virus - Computer Buyer

32 MB USB Memory Key - "Wyx" Boot Sector Virus - IBM Advisory

Security News:

* Patch fixes SQL Server 7.0/2000 buffer overflows

Microsoft has released patches for SQL Server 7.0 and 2000 that correct several buffer overflow flaws in the servers code handling 'ad hoc' database connections. Such connections utilize OLE DB providers and the attack is possible because inputs to queries using these providers are not properly checked.

There are a couple of mitigating factors that lessen the severity of this flaw. First, by default SQL Server does not run as an especially privileged user, so successful exploitation of one of these overflows should normally not yield special privileges to an attacker. This should limit an attacker to doing whatever damage the SQL Server user could do (deleting files within that user's security context, etc). The second mitigating factor is that to exploit the vulnerability the attacker must have access to a stored query using a vulnerable provider on the server. If best practice has been followed, untrusted users should not be able to store their own queries on the server. Of course, if existing queries using vulnerable providers are available, these could be used without the attacker needing to create and store their own query.

Overall, Microsoft rates the severity of these flaws as moderate for all systems and for both tested versions of the software. Users of earlier releases of SQL Server may be vulnerable, but Microsoft has not tested and no longer supports those products.

If you are an SQL Server administrator, regardless of the version, you should read the full details in the security bulletin. As generally accepted guidelines for best practice can nullify the risks of these flaws, checking that your SQL Server implementations meet the best practice outlined in the bulletin may remove the urgency of updating or even allow you to ensure earlier SQL Server versions cannot be exploited should they also be vulnerable to these flaws.

Microsoft Security Bulletin MS02-006

* More privacy invasion concerns with Windows Media Player

Privacy and security researcher, Richard Smith, has discovered that the latest version of WMP, Windows Media Player for XP (MPXP), contains potential privacy invasion (or 'spyware') capabilities. Smith points out that certain potentially identifying information about an MPXP user is uploaded to a Microsoft web site each time a DVD is played if the user is online at the time. Ostensibly this is to allow enhanced DVD chapter title navigation. Smith's full analysis of the possible privacy concerns the implementaiton of this feature raises is linked below. Toward the end of Smith's analysis, he has a link to Microsoft's response to his analysis - in short, Microsoft assures that it is not doing anything untoward with the data it receives from MPXP and will revise its privacy statement so it is clearer what is sent to Microsoft. The official Microsoft response also explains some workarounds that can prevent the information being sent.

Smith's analysis of XPMP privacy problems -

* SANS releases SNMP scanning tool

Following last week's news of multiple SNMP weaknesses in a huge range and number of products, concerns have been raised that many network and system administrators do not know where all the equipment is in their network that may be running SNMP. For example, many network printers and print servers (and other devices) have SNMP enabled by default and may even have SNMP enabled when the device's configuration apparently has TCP/IP disabled (and this is often poorly, or not, documented). Further, many devices have been found to not properly disable SNMP, leaving them vulnerable to some SNMP problems even though their administrators think they have 'done the right thing' by disabling unnecessary SNMP.

To address these concerns, SANS has released an SNMP scanning tool named SNMPing. Because SANS foresees updating this tool, you are asked to send a blank e-mail message to the address and an automated reply message will direct you to a URL from which the tool can be downloaded. As this seems entirely reasonable, we will not publish the direct URL to the tool, but a little more information is available from the SANS page linked below.

Note that this tool is supplied in executable form suitable for NT, Windows 2000 and XP and not for Unix and other OSes. The source code is also provided, should you be interested in compiling the tool yourself or perhaps in modifying it.

SNMPing download instructions - SANS Institute

* Cisco router security evaluation tool

Another initiative sponsored by SANS is the just released Router Audit Tool. Currently targeted specifically at Cisco routers, this tool checks router configurations against the recommendations of the NSA Security Recommendation Guide for routers. The tool produces a report of tested settings, an overall rating and a listing of Cisco IOS commands that will correct any problems the tests identify. A PDF of the NSA Security Recommendation Guide is downloaded with the tool.

Router Auditing Tool was released earlier this week, accompanied by a webcast from the tool's author. An archived copy of the 45 minute webcast can be played from, and a PDF file of the accompanying presentation slides can be downloaded from, one of the links at the end of this article. (Do not be fooled by the first eight pages of the PDF _not_ being anything about the Router Audit Tool but rather promotional material for the GIAC (Global Information Assurance Certification) program and the related SANS security training courses.) Please note that the Router Auditing Tool is designed for Unix systems and requires Perl to be installed, so will not be useful to Windows-only shops.

Archived webcast and presentation slides - SANS Institute Events

Cisco Router Audit Tool - the Center for Internet Security

* Review of 802.1x wireless security extensions sceptical...

Two academic security researchers have reviewed various aspects of the proposed Robust Security Network (RSN). RSN, which uses IEEE 802.1X protocols, coupled with 802.11 (Wireless LAN) protocols, is the big hope for improving the security and data integrity of WLAN traffic and was intended to improve the current widespread view that WLANs are hopelessly insecure and can only safely be used if all traffic across them is in a VPN tunnel or part of a similar additional security layer. The researchers, one of whom (William (Bill) Arbaugh) has quite a track record researching and uncovering security holes in wireless networking issues. They conclude that the current combination of 802.11 and 802.1X protocol standards are insufficient without significant modification. Their report, in PDF format, is available from the link below.

Mishra & Arbaugh report on 802.1X (PDF format - Acrobat Reader required)

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about BillCA TechnologiesCiscoF-SecureIBM AustraliaIEEELANMcAfee AustraliaMcAfee SecurityMicrosoftNSASANS InstituteSNMPSophosSymantecTrend Micro Australia

Show Comments