Important Solaris patches, IIS LockDown Tool and a plethora of worms

Mass-mailer masquerades as 'readme' file; 'Lara Croft' desktop theme worm; 'Invalid' worm aptly named? It was 'invalidly' hyped anyway...; New Magistr variant discovered; and more

We detail two patches for Solaris systems this week which fix some fairly long-standing remote root exploit vulnerabilities in the OS. Also, as mentioned last week, Microsoft has released its IIS LockDown Tool for securing IIS servers -- if interested in the tool, read the associated commentary from an experienced IIS security expert.

After a few rather quiet weeks on the virus front, it felt a bit more like 'business as usual' this last week and there are four rather important virus-related developments featured this week. Three involve e-mail worms and the other is an IRC worm. The latter is likely of little direct significance to business system administrators, but it raises the interesting point that '.theme' files are effectively a form of script file and can be carriers of malicious code.

Virus News

Mass-mailer masquerades as 'readme' file

A new twist in the tricks used by virus writers in their attempts to entice unsuspecting computer users into opening attachments that they shouldn't appeared this week. As with most mass-mailers, Win32/Apost usually arrives in its victims' mailboxes apparently from someone known to the victim. Borrowing from the apparently very successful tactic used by SirCam, the message part of Apost's e-mail attempts to convince the recipient that the attachment was genuinely sent and requires the recipient's attention.

It does this with a Subject: line of 'As per your request!' and a message that reads 'Please find attached file for your review. I look forward to hear from you again very soon. Thank you.' The polite and conversational, yet also quite neutral tone may well be enough to lure sufficient recipients of such messages to open the attached 'readme.exe' file and thus become victims of the virus.

As with promises of pictures of scantily clad pop stars, parrot screen savers and other such apparently unlikely stuff, 'readme.exe' files may be very tempting to the less-experienced and the perennially optimistic. However, unbidden attachments should still be treated as such and their legitimacy checked with the sender via some other communication channel than e-mail, regardless of how plausible the covering letter seems.

Various antivirus developer descriptions: ca.com, vil.nai.com, sophos.com, sarc.com, antivirus.com

'Lara Croft' desktop theme worm

Aside from the increasingly devious 'social engineering' tricks described in the surrounding items, virus writers have discovered yet another mechanism for distributing viruses. Desktop themes, as initially used by Microsoft Plus! and now included in the desktop features of some Windows OSes, have been found to be exploitable. A virus that distributes itself through IRC channels via the scripting capabilities of the popular Windows IRC client mIRC was discovered this week.

Describing itself as a theme based on the popular Lara Croft character from the Tomb Raider games, VBS/Forca (aka IRC/Theme) encourages its victims to use the Theme viewer to preview the screen saver included in the theme file. In reality there is no screen saver, but the victim's action of trying to preview the screen saver causes the theme file to be copied elsewhere on the machine and subsequently run as a batch file. A cycle of file copying and script creation then ensues, resulting in the victim eventually distributing the viral theme file via IRC if they use mIRC client software.

Various antivirus developer descriptions: vil.nai.com, sarc.com

'Invalid' worm aptly named? It was 'invalidly' hyped anyway...

Yet another e-mail worm has been distributed under the guise of a Microsoft security warning with an attached 'security patch'. Win32/InvalidSSL (aka Invalid, Qint, Support) sends copies of itself with e-mail messages claiming there is an invalid SSL certificate that requires users to install the attached patch. Of course, Microsoft does not mass-mail patches to randomly selected users, nor does it e-mail security warnings to people who have not specifically signed up to its security advisory mailing list. Aside from these, hopefully obvious, signs that the warning is a fake, the message is not cryptographically signed by Microsoft's security centre, unlike real security bulletins from Microsoft.

Although Win32/InvalidSSL was apparently posted to a web site by its author late last week, it gained some undeserved media attention through a rather histrionic press release by a US-based antivirus software distributor. What should have been a clear indication to the media that this distributor's 'warning' was pure hype was the claim in the press release (which was widely repeated in the media coverage) that 'At this time, we've received one report of this new worm, but [vendor] is monitoring this worms [sic] activity very closely.' If the antivirus industry 'closely monitored' every mass-mailer it received one sample of, it would have to employ thousands more people...

Various antivirus developer descriptions: ca.com, viruslist.com, vil.nai.com, sarc.com, antivirus.com
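As an added illustration that is not part of the newsletter, the following Python mail-gateway check applies the two lures described above (Apost's 'As per your request!' message with its 'readme.exe', and InvalidSSL's 'install the attached patch' story) as quarantine rules. The sample messages are constructed here; the InvalidSSL subject line is invented, since the item does not quote it.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Attachment types the items above show being used as carriers (.theme: see VBS/Forca).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".theme"}
# Subject line quoted in the Win32/Apost item.
LURE_SUBJECTS = {"as per your request!"}


def assess(raw: str) -> dict:
    """Inspect one raw RFC 822 message and report why a gateway would quarantine it, if at all."""
    msg = email.message_from_string(raw, policy=policy.default)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    reasons = [f"executable attachment: {n}" for n in names
               if os.path.splitext(n.lower())[1] in EXECUTABLE_EXTS]
    if (msg.get("Subject") or "").strip().lower() in LURE_SUBJECTS:
        reasons.append(f"known lure subject: {msg['Subject']}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    # InvalidSSL-style lure: vendors do not mass-mail patches, so a 'patch' for a certificate problem is a red flag.
    if names and "certificate" in text and "patch" in text:
        reasons.append("unsolicited 'patch' for a certificate problem")
    return {"attachments": names, "reasons": reasons, "quarantine": bool(reasons)}


def build_sample(subject: str, body: str, filename: str = "") -> str:
    """Construct a test message (not a real capture) with an optional placeholder attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "colleague@example.com", "you@example.com", subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"placeholder, not a real binary", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()


# Constructed samples shaped like the two lures described above.
APOST_SAMPLE = build_sample("As per your request!",
                            "Please find attached file for your review. Thank you.", "readme.exe")
INVALIDSSL_SAMPLE = build_sample("Security warning",  # subject is invented; the item does not quote it
                                 "Your SSL certificate is invalid. Install the attached patch.", "sslfix.exe")
CLEAN_SAMPLE = build_sample("Re: minutes", "Minutes attached as PDF.", "minutes.pdf")

if __name__ == "__main__":
    for label, raw in [("apost", APOST_SAMPLE), ("invalidssl", INVALIDSSL_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        print(label, assess(raw))
```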

New Magistr variant discovered

Win32/Magistr has become quite widespread, which is worrying given the potential damage its several payloads can inflict. This week a new variant that increases the likelihood of some of the nasty payloads and adds a new, drive-trashing payload was discovered. This variant was discovered in the wild and in the first few days following its discovery it has been reported from several countries and is clearly spreading. Newsletter readers not in the habit of very regularly updating their virus scanners would be well-advised to do so now to ensure they have detection of this very damaging virus.

Various antivirus developer descriptions: ca.com, f-secure.com, vil.nai.com, sophos.com, sarc.com, antivirus.com

Security News

Sun finally releases snmpXdmid patch

CERT/CC posted its original advisory about a locally and remotely exploitable buffer overflow in Solaris' snmpXdmid on 30 March this year. By that date heightened scanning for related ports had already been noted and CERT warned it had 'received numerous reports indicating that a vulnerability in snmpXdmid is being actively exploited'.

Sun has just released patches. See the Sun security bulletin below for the details of patch location and installation.

CERT/CC advisory

Sun security bulletin

Solaris patch for in.lpd

Sun has also just posted patches for another buffer overflow in Solaris -- this one in the BSD print protocol daemon in.lpd. This is remotely exploitable and is believed to allow execution of arbitrary code. Again, as with the snmpXdmid issue above, there is recent evidence of heightened scanning for the ports this vulnerable service listens on.

CERT/CC advisory

Sun security bulletin

IIS LockDown tool

Last week we mentioned, in passing, the release of the IIS LockDown Tool from Microsoft. The tool sounds like a good thing for inexperienced web server administrators to obtain and use, providing protection from many of the worst problems to have hit IIS servers even if they are not patched to current service pack and hotfix levels. That may seem an odd, even bold, statement, but the reality is that a default IIS install has just about every bell and whistle imaginable installed and enabled, despite the fact that very few sites need any of them. Further, most of IIS's problems have been in these additional, mainly unused, features. Good system administration practice is to disable everything you do not need, and that is the general approach of the LockDown Tool: removing or disabling the seldom-used features.

If you are thinking of using the LockDown Tool, there are a few shortcomings you should be aware of. The moderator of the NTBugtraq mailing list, Russ Cooper, has written a rather detailed commentary on this, so as well as the LockDown Tool download link, we include a link to Russ' commentary on the tool in the NTBugtraq archives.

Microsoft IIS LockDown Tool page

Russ Cooper's commentary in NTBugtraq archive
