Unidentified E-mail worm, PHP server vulnerabilities, MS SMS Client DoS
Unidentified E-mail Worm
Update: AV Vendors are now getting signatures out that identify this as Bagel.AF (TL)
Handler Tom Liston captured what appears to be a new hybrid network/email worm that is not currently detected by any of 12 popular anti-virus tools. The worm included a Control Panel Applet (.cpl) attachment that, when executed, drops an EXE file and scans other systems on the local network for Windows networking services, including TCP/1033, TCP/1034, UDP/1027, UDP/137 and UDP/138.
Early analysis indicates the malware may try to avoid detection by stopping popular anti-virus and personal firewall tools, and may try to spread over peer-to-peer networks by posing as key generation and crack software for Microsoft Office, Windows XP and other popular software. Strings in the executable code include the filenames "sysxp.exe" and "re_file.exe" in the C:\WINDOWS\System32 folder, as well as several website URLs that include the filename "o.php" in the root directory. One potentially telling string is "DesignedAsTheFollowerOfSkynet".
While this worm resembles a variant of the NetSky worm, the alleged author of NetSky, Sven Jaschan, was arrested 10 weeks ago today as reported by F-Secure. This may be the work of a copycat author. Yay.
Potential subject lines for this worm include:
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document
More information will be posted as warranted.
http://www.f-secure.com/weblog/
PHP Server Vulnerabilities
Two vulnerabilities have been reported that affect PHP versions 4.3.7 and earlier, and 5.0.0RC3 and earlier. The first vulnerability allows a remote attacker to overwrite portions of memory by exceeding the memory_limit directive in the PHP configuration, allowing them to execute arbitrary code on vulnerable systems. The second vulnerability is a weakness in the PHP strip_tags() function, commonly used to sanitize input fields in a web form by eliminating HTML tags. A weakness in the filtering mechanism allows an attacker to bypass this check by embedding a NULL byte in the HTML tags.
While an exploit for the first vulnerability has not been released to the public, the second vulnerability was announced with sufficient detail that it can be abused by an attacker to exploit Opera and Internet Explorer browsers in cross-site scripting attacks in conjunction with sites that run PHP. Administrators of PHP websites (PHP is included by default in many Apache installations) are encouraged to upgrade their version of PHP to 4.3.8 or the released 5.0.0 version.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0594
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0595
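Added example (not from the diary and not PHP's own code) of the defensive lesson behind the strip_tags() issue: normalize input by removing NUL bytes before any tag filter runs, and flag NUL bytes inside tags for logging. The sample inputs and the small allowlist tag stripper are constructed for this illustration; the browser model simply drops NUL bytes, which is the behaviour the advisory relies on.

```python
import re

# Constructed sample form-field values (not captured data); the third carries
# the NUL-byte-inside-a-tag pattern described for CAN-2004-0595.
SAMPLES = {
    "clean": "Hello <b>world</b>",
    "script": "<script>alert(1)</script>",
    "nul_split": "<scr\x00ipt>alert(1)</scr\x00ipt>",
}

TAG_RE = re.compile(r"<[^>]*>")
NAME_RE = re.compile(r"</?\s*([A-Za-z0-9]+)")


def has_nul_in_tag(value: str) -> bool:
    """Detection: flag any <...> token containing a NUL byte. Legitimate HTML
    never needs one, so this is a cheap signal to log at the app or WAF layer."""
    return any("\x00" in m.group(0) for m in TAG_RE.finditer(value))


def strip_control_bytes(value: str) -> str:
    """Hardening step 1: drop NUL and other C0 control bytes (tab, LF, CR kept)
    BEFORE tag filtering, so the filter sees the same text the browser will."""
    return "".join(c for c in value if c in "\t\n\r" or ord(c) >= 0x20)


def strip_tags(value: str, allowed=("b", "i")) -> str:
    """Hardening step 2: a constructed allowlist tag stripper (not PHP's
    strip_tags). A tag survives only if its name is in `allowed`."""
    def keep_or_drop(m):
        name = NAME_RE.match(m.group(0))
        return m.group(0) if name and name.group(1).lower() in allowed else ""
    return TAG_RE.sub(keep_or_drop, value)


def sanitize(value: str) -> str:
    """Full pipeline: normalize first, then filter tags."""
    return strip_tags(strip_control_bytes(value))


def as_browser_renders(value: str) -> str:
    """Model of the lenient parsers the advisory names: NUL bytes inside tag
    names are ignored, so the raw input <scr\\x00ipt> renders as <script>."""
    return value.replace("\x00", "")


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10} nul_in_tag={has_nul_in_tag(raw)!s:5} "
              f"sanitized={sanitize(raw)!r}")
```

Without the normalization step, a filter that compares the raw tag name against an allowlist and a browser that silently drops the NUL byte disagree about what the tag is; doing the normalization first removes that disagreement.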
Microsoft SMS Client DoS Vulnerability
A post on the BUGTRAQ mailing list indicates that the Microsoft Systems Management Server client software is vulnerable to a denial of service attack from an attacker who can reach the client software on TCP port 2702. Sufficient details have been posted to reproduce this attack - Microsoft was not notified of this flaw before the public release of this vulnerability.
We have not had the opportunity to confirm this vulnerability at this time. If anyone can confirm or deny this issue, please send the details of your analysis to http://isc.sans.org/contact.php.
--Joshua Wright/Handler du jour