Santa IM Worm (bot) update
Further info: gift.com renames itself to c:\windows\winrpc.exe, and sets itself up as the service "Windows RPC Services". There is no rootkit built in, it is totally dependant on download instructions from the command and control site. Rather than calling it a "worm" as was reported in the press, a more accurate description is that it's a bot with replicating capabilities. Digging a bit deeper into the code, we found that it was also likely compiled/pushed to the distro point on 2005-12-18 18:09:11.000000000 -0500.
Exploits in the wild for several PHP-based web apps
Several days ago Secunia issued a bulletin discussing a new vulnerability in phpBB-2.0.18 (which is the latest one and which, unfortunately, has been a pretty popular target over the last year or so). Fortunately, the vulnerability can only be exploited if a couple of settings are changed from the default to values that will open your web server to a lot more problems than just this one. Having said that, the exploit is now in the wild, so if you are running phpBB, make sure that you follow the recommendations and that "Allow HTML" and register_globals are both disabled. On a sort of related note (in so far as it has to do with phpBB-2.0.18, too), one of our intrepid readers also noticed that an exploit has been posted in several places that will do brute force dictionary attacks to get the passwords of phpBB users. The disabling of those settings above will protect against the first issue, but not the second. There are a number of possible solutions to the second problem including temporary lockouts after several unsuccessful login attempts.
Also, a couple of days ago a worm started making the rounds exploiting a vulnerability in the genealogy application PhpGedView. The authors have posted patches here which users are encouraged to apply as soon as possible.
Update: Frank Knobbe pointed out to me that there is a snort signature available from BleedingSnort (here) to detect the PhpGedView exploit.
---------------------
Jim Clausing, jac /at/ isc.sans.org
Update on the SUS issues
-----------------------------
Jim Clausing, jclausing /at/ isc.sans.org
Help us out with a Christmas story
Santa IM Worm
One of our attentive readers sent us a note yesterday and we missed posting it in the diary. There's a nasty present waiting under your IM tree if you have been naughty this past year. Read on...
Techweb -
"A new worm posing as a come-on to a Santa Claus site is traveling across all the major instant messaging networks, a security firm warned Tuesday, and when recipients visit the bogus site, they're infected with a file hidden from sight by a rootkit. IMlogic said that the worm, dubbed "M.GiftCom.All," is circulating on the MSN, AOL, ICQ, and Yahoo instant messaging services, is a "Medium" threat, a relatively rare classification for the Waltham, Mass.-based company. Most IM worms and Trojans listed on its Threat Center receive only a "Low" classification. Like virtually all IM worms, M.GiftCom.All includes a URL in messages it spams out to contacts hijacked from previously-infected PCs. When users naively visit that site -- which is billed as a harmless Santa site -- a file is automatically downloaded to their computers. The file, usually named "gift.com" includes rootkit elements that cloaks it from security software. In addition, the downloaded executable tries to disable a number of anti-virus programs, adds a keylogger to the system to capture confidential information, and then spreads to others by snatching names from the user's IM client contact list..."
IM Logic -
"...Description: This worm broadcasts a URL out over IM clients which downloads an executable file, often named gift.com. When this file is executed, it hides itself and scans the registry, file system, and internet cache. By operating as a rootkit, the process is hidden from all tools and anti-virus software. It also attempts to shut down anti-virus software and makes several networking calls. Also it does keystroke logging and may attempt to propagate itself over IM clients..."
Comments