
SANS ISC InfoSec Handlers Diary Blog



McAfee Antivirus vulnerability; Java WebStart vulnerability; pwsteal.bank trojan clarification; 18905/tcp scanning

Published: 2005-03-18
Last Updated: 2005-03-19 13:51:22 UTC
by Erik Fichtner (Version: 1)
0 comment(s)

McAfee AntiVirus Library Stack Overflow




The ISS X-Force has another notch in their belt today, releasing information about
a flaw they have discovered in AntiVirus Library versions prior to 4400. To exploit
this vulnerability, an attacker is required to craft a custom LHA Archive file
which will allow the attacker to run arbitrary code on the McAfee protected system
when the file is scanned for viruses.



This makes the third antivirus package in recent memory to have a fatal flaw, and
when one includes the Witty worm, a definite trend of attacks against security
infrastructure software is emerging. This, of course, is a natural progression
in attack and defense; AntiVirus packages are, in a sense, becoming victims of
their own success. Fortunately, security practitioners already have a framework
for dealing with this type of threat, and that is to practice Defense-in-Depth.
Relying on only one vendor's security product or suite of security products is
a guaranteed disaster at some point in time. Use multiple Antivirus packages.
Get a screening router with AV gatewaying in addition to your host AV. Use other
technologies to protect your security infrastructure. Build a heterogeneous
environment. These aren't going to be "nice-to-have" characteristics of a secure
site for much longer. Soon, they will be as mandatory as a quality A/V package
and a firewall are today. Get ready early and it will hurt less later.



For more information, see the

or the


Java WebStart Cross Platform Vulnerability




Systems running Java J2SE 1.4.2_06 and earlier 1.4.2 releases have been determined
to be vulnerable to a malicious JNLP file, resulting in an untrusted application
being able to elevate its privileges and escape the restricted environment.
This affects browsers (and other applications using "javaws") on Windows, Linux,
and Solaris, and could lead to a cross-platform worm. Solutions are to upgrade
the J2SE environment, or disable "application/x-java-jnlp-file" JNLP handlers
within your web browsers. According to the discoverer, Jouko Pynnonen, versions
of J2SE prior to 1.4.2 (e.g., the 1.3 and earlier 1.4 series) are not vulnerable
to this attack. A proof of concept has been released, and the overall impact is
similar to the recent IFRAME attack, so it is likely that we'll see this one
in the wild.



See also the

and the
SunSolve Alert Notification

A minor clarification on the Pwsteal.Bankash.D trojan




A trusted third-party has reported to us that Symantec's analysis of the
PWSteal.Bankash.D trojan is slightly off. Their report lists a large number
of sites whose traffic is logged, when in reality only URLs matching these
seven URL substring patterns are logged: ba-ca.com, onba.zkb.ch, banking.bawag.com,
raiffeisendirect. , ebankas.vb.lt, and tatrabanka.sk. The remaining URLs are
used in an apparent blacklist routine, and are not logged. This is interesting
because it appears that the attacker has a very specific set of targets in mind
this time around, and an apparent fondness for European online banks.

18905/tcp scanning



One of our readers has spotted an interesting trend of scanning for

recently, but we're all at a loss as to what this scanning represents. If you've
got any ideas, please drop us a note!