
SANS ISC InfoSec Handlers Diary Blog



Update 20:10 GMT 2004-1-28: New variant of Novarg/MyDoom found, Microsoft Changing IE's URL Handling, Solaris Local Privilege Escalation

Published: 2004-01-28
Last Updated: 2004-01-28 21:34:20 UTC
by Tom Liston (Version: 1)
New Variant of Novarg/MyDoom Found (18:20 GMT)



There are reports of a new variant of the Novarg/MyDoom worm being found. Initial reports indicate that the new worm adds www.microsoft.com as a DDoS target and also alters an infected machine's "hosts" file to block access to several "banner" sites, windowsupdate.microsoft.com, and many antivirus vendor websites. It appears that most AV software will require new signatures to flag this. Keep an eye on the diary and your antivirus vendor's website for additional details.



(News links added 18:40 GMT)



http://www.f-secure.com/v-descs/mydoom_b.shtml
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.b@mm.html
http://www.kasperski.com/news.html?id=3657414
http://vil.nai.com/vil/content/v_100988.htm




Microsoft To Change IE's URL Handling (Added 19:50 GMT)



In response to security issues, Microsoft will be releasing an update to IE that will change the web browser's default URL syntax handling. URLs like the following:



http(s)://username:password@server/resource.ext



will no longer be supported.



In Microsoft Knowledge Base Article 834489 ( http://support.microsoft.com/?kbid=834489 ), the software giant explains that the change in default behavior is necessary to protect users from being tricked into visiting spoofed or malicious websites.



According to the HTTP-specific section of RFC 1738 ( http://www.faqs.org/rfcs/rfc1738.html ) this behavior is appropriate, but it will still cause problems with many existing implementations. Microsoft offers workarounds in KB834489.



Microsoft has not specified a release date for the update.
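As an added example (not from the diary, the KB article, or Microsoft), the following check shows what a mail or proxy filter can do with the URL form above: split off any RFC 1738 "username:password@" userinfo and report the host the browser would really connect to, so that a URL whose userinfo merely looks like a familiar site name is flagged before a user is shown it. The sample URLs are constructed.

```python
# Added example: flag http(s) URLs carrying RFC 1738 userinfo and show the real host.
from urllib.parse import urlsplit


def check_url(url):
    """Describe where an http(s) URL actually connects and any embedded userinfo.

    Returns a dict with 'host' (the host a client connects to), 'userinfo'
    (text before the '@' in the authority, or None) and 'flag' (True when
    userinfo is present, i.e. the syntax the IE update stops supporting).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("not an http(s) URL: %r" % url)
    userinfo = None
    if "@" in parts.netloc:
        # The last '@' separates userinfo from host[:port].
        userinfo, _ = parts.netloc.rsplit("@", 1)
    return {
        "host": parts.hostname,  # lowercased; userinfo and port stripped
        "userinfo": userinfo,
        "flag": userinfo is not None,
    }


def looks_like_host(userinfo):
    """True when the username part could pass for a hostname at a glance."""
    label = userinfo.split(":", 1)[0]
    return "." in label and " " not in label


def scan_urls(urls):
    """Return the URLs that carry userinfo, each with its real host."""
    findings = []
    for url in urls:
        info = check_url(url)
        if info["flag"]:
            info["url"] = url
            info["hostlike_userinfo"] = looks_like_host(info["userinfo"])
            findings.append(info)
    return findings


# Constructed sample input (not real links); 192.0.2.10 is a documentation address.
SAMPLE_URLS = [
    "http://www.example.com/index.html",
    "https://user:secret@intranet.example/report.ext",
    "http://www.example.com@192.0.2.10/login",
]

if __name__ == "__main__":
    for f in scan_urls(SAMPLE_URLS):
        print("%s -> connects to %s (hostlike userinfo: %s)"
              % (f["url"], f["host"], f["hostlike_userinfo"]))
```

The third sample is the case KB834489 warns about: the text before the "@" is what a user reads, while the host after it is where the request goes.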





Solaris Local Privilege Escalation (Added 20:10 GMT)



A buffer overflow in the runtime linker ld.so.1 under versions of Solaris 2.6, 7, 8, and 9 on both the SPARC and x86 platforms can allow an unprivileged local user to gain unauthorized root privileges.



http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F55680
http://www.idefense.com/application/poi/display?id=1&type=vulnerabilities




Port 3127 Scanning



We're seeing an enormous surge in scanning for port 3127, as the race begins to find/exploit machines backdoored by Novarg/MyDoom.



http://isc.sans.org/port_details.html?port=3127&days=10



Yep... "surge" is appropriate.





Once more, with feeling...



Ok, we've said it and said it and said it, and we're going to keep saying it, so you might as well just do it, 'cause we're starting to get grumpy:



TURN OFF THE AUTO-RESPONDER ON YOUR AV SCANNER!



Way back in the 20th century, when your AV gateway received an email with a viral attachment, perhaps (!) it made sense to fire off a notice to the sender informing them that they were sending out infected email.



It doesn't anymore. Viruses routinely spoof the "From:" field on infected mail and the notifications sent by AV gateways are just plain wrong. They only add to the load on mailservers already under stress. They also give out far more information about your network configuration than you should be willing to freely give away.



If you're running an AV gateway, turn off the notices. If you receive a notice, find a polite way to suggest to the sender that they turn them off.



On a related note, why don't AV vendors take care of this? They know which viruses spoof headers. Why don't they simply flag those so that no auto-response is sent?



----------------------------------------------------------------

Handler on duty: Tom Liston - http://www.labreatechnologies.com