Death and taxes are said to be the two things you can count on in life, and presumably that applies to the life of security experts too. Unfortunately, a steady supply of major security vulnerabilities and fixes is evidently not on that list...

It has been a very quiet week, even by the standards of past quiet weeks. Some Linux vendors have (finally) shipped updates for problems we mentioned in previous issues, and there has been a great deal of debate (much of it misdirected, in my opinion) over Scott Culp's recent opinion piece, which labelled the practice often termed 'full disclosure' as 'information anarchy'. However, there have been very few major security issues, virus incidents or worm incidents worthy of mention.

So, it seems the system and security managers reading this may have an easy Friday afternoon (and weekend) ahead of them!

Virus News

Finaldo virus spreading slowly

Officially sporting the name Win32/Finaldo.B@mm, the latest self-mailing virus deemed worthy of mention on antivirus developers' web pages does not seem to have spread far. Finaldo is a parasitic PE (Portable Executable) infector that specifically targets .EXE (Windows applications), .SCR (screen savers) and .OCX (ActiveX controls) files, and that also e-mails itself via MAPI mail functions. The message it sends has a blank body, a variable Subject: line and a variably sized attachment always named '.EXE' (an extension with no base name). This file carries a Chinese flag as its icon.

Taking a leaf from Nimda's book, Finaldo's e-mail message is constructed so as to exploit the incorrect MIME header vulnerability in Internet Explorer (MS01-020): the executable attachment is declared with a harmless media type that IE opens automatically. This means the attachment will be extracted and run simply by viewing (or previewing) the message in an e-mail client that renders messages with an unpatched version of IE, such as Outlook or Outlook Express. Also borrowed from Nimda is Finaldo's search for .HTM, .HTML and .ASP files and the insertion of a short JavaScript snippet into such files so as to download and run a copy of the virus from a .EML file when the page is viewed.
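To make the two Nimda-style tricks above concrete, here is an added example (written for this issue, not code from the newsletter or from any antivirus vendor) of the kind of check a mail gateway or file scanner can apply: it parses a MIME message and flags attachments whose declared media type is one that an unpatched IE opens automatically while the filename or payload says 'executable', and it also flags HTML text carrying a script that opens a .eml file. The sample message, the list of auto-open media types and the window.open() pattern are constructed for the illustration and would need widening in a real filter.

```python
"""Gateway-style check for the MS01-020 'incorrect MIME header' trick.

Added example, not from the newsletter or any antivirus vendor: it parses
a MIME message and reports attachments that declare a harmless media type
while carrying an executable, plus HTML parts (or files) that contain the
Nimda/Finaldo-style script opening a .eml file.  The sample message and
the .eml-opening pattern are constructed for this illustration.
"""
import email
import re
from email import policy

# Extensions Windows will execute; Finaldo itself infects .EXE/.SCR/.OCX.
EXEC_EXTS = {".exe", ".scr", ".ocx", ".pif", ".com", ".bat"}

# Media types an unpatched IE opens automatically (MS01-020); an executable
# declared as one of these runs with no prompt when the mail is viewed.
AUTO_OPEN_TYPES = {"audio/x-wav", "audio/x-midi", "image/gif", "image/jpeg",
                   "video/x-msvideo"}

# Assumed signature for the dropper snippet: script that window.open()s a
# .eml file.  A production filter would be broader than this one regex.
EML_OPEN = re.compile(r"window\.open\s*\(\s*['\"][^'\"]*\.eml", re.I)


def scan_html(text: str) -> bool:
    """True if the HTML/ASP text carries a script that opens a .eml file."""
    return EML_OPEN.search(text) is not None


def suspicious_parts(raw: bytes) -> list:
    """Return (reason, content_type, filename) for every risky MIME part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        # '.EXE' with no base name still yields the extension '.exe'
        ext = fname[fname.rfind("."):] if "." in fname else ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        if ctype in AUTO_OPEN_TYPES and ext in EXEC_EXTS:
            reasons.append("executable name under auto-open media type")
        if data[:2] == b"MZ" and not ctype.startswith("application/"):
            # DOS/PE header; catches the case where the name is disguised too
            reasons.append("PE payload under non-executable content type")
        if ctype == "text/html" and scan_html(data.decode("latin-1")):
            reasons.append("script opening a .eml file")
        findings.extend((r, ctype, fname) for r in reasons)
    return findings


# Constructed sample in the shape the text describes: blank HTML body and a
# base64 attachment named '.EXE' declared as audio/x-wav.  The payload is
# only a PE header stub, not a real program.
SAMPLE = b"""From: sender@example.com
To: victim@example.com
Subject: hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="FINALDO-EXAMPLE"

--FINALDO-EXAMPLE
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body></body></html>
--FINALDO-EXAMPLE
Content-Type: audio/x-wav; name=".EXE"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--FINALDO-EXAMPLE--
"""

if __name__ == "__main__":
    for reason, ctype, fname in suspicious_parts(SAMPLE):
        print(f"{reason}: {ctype} {fname!r}")
```

Checking the payload's first bytes as well as the declared name matters because the name is attacker-controlled; a PE image served as audio/x-wav is suspicious whatever it is called.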

Various sites that track virus activity show very little evidence that Finaldo has been at all 'successful' to date.

Security News

Security zone flaw in ZoneAlarm

The popular personal firewall ZoneAlarm Pro is reported to ship with a potentially problematic default configuration. By default, ZoneAlarm Pro (and presumably also the free version, ZoneAlarm) places every machine whose IP address shares its first two octets with the local machine's address (that is, the whole enclosing /16 block) in the 'Local' rather than the 'Internet' zone, and such machines are given access to Windows networking shares, servers running on the local machine and so on.

Within a corporate LAN this is not an unreasonable default, but it is not entirely safe even for small corporate networks, and it is certainly not safe for laptops that connect (at least while out of the office) via public dial-up services, where any other customer of the same ISP whose address happens to fall in that /16 is treated as a trusted neighbour. Users of ZoneAlarm and ZoneAlarm Pro should read the referenced article and carefully consider how this may affect their use of the product.
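The following added example (written for this issue, not code from the newsletter or from Zone Labs) models the reported default against a stricter rule that trusts only the interface's real subnet, so that the difference for an office workstation and a dial-up laptop can be seen directly. All addresses and netmasks are made up for the illustration.

```python
"""Model the reported ZoneAlarm Pro 'Local' zone default.

Added example, not from the newsletter or from Zone Labs: it places peers
in the 'Local' or 'Internet' zone under the reported default (any address
sharing the local machine's first two octets, i.e. the enclosing /16) and
under a stricter rule that trusts only the interface's real subnet, then
compares how a LAN workstation and a dial-up laptop fare.  All addresses
and masks are made up for the illustration.
"""
import ipaddress


def default_zone(local_ip: str, peer_ip: str) -> str:
    """Reported default: first two octets match -> 'Local'."""
    block = ipaddress.ip_interface(f"{local_ip}/16").network
    return "Local" if ipaddress.ip_address(peer_ip) in block else "Internet"


def subnet_zone(local_ip: str, netmask: str, peer_ip: str) -> str:
    """Stricter rule: only the interface's configured subnet is 'Local'."""
    block = ipaddress.ip_interface(f"{local_ip}/{netmask}").network
    return "Local" if ipaddress.ip_address(peer_ip) in block else "Internet"


def trusted_counts(local_ip: str, netmask: str) -> tuple:
    """How many addresses each rule admits to the 'Local' zone."""
    wide = ipaddress.ip_interface(f"{local_ip}/16").network.num_addresses
    real = ipaddress.ip_interface(f"{local_ip}/{netmask}").network.num_addresses
    return wide, real


def compare(local_ip: str, netmask: str, peers: list) -> dict:
    """Map each peer to (zone under the default, zone under the subnet rule)."""
    return {p: (default_zone(local_ip, p), subnet_zone(local_ip, netmask, p))
            for p in peers}


if __name__ == "__main__":
    # Office workstation on a /24: the default also trusts sibling subnets.
    print(compare("192.168.10.5", "255.255.255.0",
                  ["192.168.10.77", "192.168.55.3", "203.0.113.9"]))
    # Dial-up laptop: the PPP link is a /32, yet the default trusts the ISP's
    # whole /16, i.e. every other customer drawing an address from it.
    print(compare("203.0.200.17", "255.255.255.255",
                  ["203.0.31.9", "203.0.200.18", "198.51.100.4"]))
    print(trusted_counts("203.0.200.17", "255.255.255.255"))  # (65536, 1)
```

The practical check is the last line: on a dial-up link the default admits 65,536 addresses to the trusted zone when the interface itself justifies trusting none of them.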

- Archived bugtraq message

