Svchost, Microsoft Updates, and 99% CPU Usage

Published: 2007-04-12
Last Updated: 2007-04-13 16:58:04 UTC
by Joel Esler (Version: 3)
0 comment(s)
Update (Kyle Haugsness):  I think we've received enough email on this...  Looks like lots of folks are seeing this in small percentages going back several months (on average it seems like a small handful of machines at any particular site).  Some people are having luck with the 927891 hotfix below.  Other people have had luck just waiting 30 minutes, rebooting 5 times, or going backwards from Microsoft Update to Windows Update.  Your mileage may vary.  (Note that due to the large volume of e-mail we received on this, you might not get a response from us but your message has been read and your contribution is appreciated.)

We received a couple emails today talking about the latest Microsoft Updates and the svchost service taking up 99% of CPU Utilization after applying them.

Is this isolated to a couple people, or is this more widespread?  Then, if it is widespread, and you fixed it, how did you do it?  Share your insight!

One of the other handlers pointed me to this KB article: http://support.microsoft.com/kb/916089/.  Take a look at that if you are affected.

(Thank you Noah, and other readers who wished not to be named for your submission!)

Alot of people wrote in with a patch that takes precedence over the one above.  http://support.microsoft.com/kb/927891/

(Not being a Microsoft guy myself....)

Joel Esler
Handler o' the Day
http://handlers.sans.org/jesler
Keywords:
0 comment(s)

EXE/ZIP e-mail viruses (editorial)

Published: 2007-04-12
Last Updated: 2007-04-13 03:29:38 UTC
by Johannes Ullrich (Version: 2)
0 comment(s)
A quick (technical) update to this otherwise more "philosophical" diary: Its not that hard to figure out if the content of an encrypted ZIP file is a .exe file. The file names are not encrypted! So just run:
$unzip -l patch-58214.zip 
Archive: patch-58214.zip
Length Date Time Name
-------- ---- ---- ----
40649 04-12-07 18:21 patch-58214.exe
-------- -------
40649 1 file

Or, a quick one lines shell script using 'zipinfo' to figure out if the zip file
contains an encrypted .exe:

if zipinfo patch-58214.zip | grep -q 'BX.*\.exe' ; then echo 'encryped executable'; fi


anyway back to the editorial ;-)...
--------------------------------------------------------------------------------------


I label this diary "Editorial", as I would like to go beyond the plain facts of the resent set of "Storm"/"nuwar"/"zhelatin" viruses.

Remember Bagel? It was just a couple years ago when a very similar set of viruses was making the round. Bagel arrived as a plain .exe, waiting for a gullible user to double click and execute it. It later, very much like the new "Storm" virus, used an encrypted ZIP file.

Back with Bagel, we managed to get a hold of some of the web logs from sites Bagel used to "call home". In analyzing these logs we found a large overlap in users infected by various Bagel variants. In short: The same users are getting infected over and over again by the "malware of the day".

I think these viruses offer a sad glimpse into the current state of Internet security. Not only have users still not learned to "never click on an executable". Neither have network administrators learned to filter executables. When was the last time you received a legitimate executable as an attachment? (NO! IE7.exe was not one of them!).

Lastly, "Storm" is yet another hint that current AV software is no longer an adequate means to protect yourself from current and relevant threats. Subscription based business models direct mainstream consumer anti-virus systems into a dead end of signature updates, which haven't work at least since Zotob showed up.

As a reader of this post, you are unlikely to be able to do anything about the current sad state of anti-virus. But you may be able to block .exe files on your mail server. Don't ask me for subject or file names. Block executables!
Keywords:
0 comment(s)

New Storm Worm Going around

Published: 2007-04-12
Last Updated: 2007-04-12 20:54:39 UTC
by Joel Esler (Version: 10)
0 comment(s)
We've received a bunch of emails in the past few minutes indicating the possible presence of a new Worm.

We are being told that it is a "Nuwar/Zhelatin" virus with Virtual Machine detection capabilities.  Basically looks like a rehash of the same ol' Storm worm.

Apparently it indicates itself as a "Patch" for the "New worm" that is going around (whatever that may be, there are just so many I could choose from!)

The Subject of the email (that we have seen so far) say:
"Worm Alert!"
"Worm Detected"
"Virus Alert"
"ATTN!"
"Trojan Detected!"
"Worm Activity Detected!"
"Spyware Detected!"
"Dream of You"
"Virus Activity Detected!"

It has two attachments, one being an image with 'panic-worded text', and the other is a password protected zip file, whose password is revealed in the image.

The zip file appears to be named:
"patch-<random 4 or 5 digit number>.zip"
"bugfix-<random 4 or 5 digit number>.zip"
"hotfix-<random 4 or 5 digit number>.zip"
"removal-<random 4 or 5 digit number>.zip"

(Thanks Jesper for the updates!)

Thanks everyone for writing in!


Joel Esler
Handler of the Day
http://handlers.sans.org/jesler
Keywords:
0 comment(s)

Cisco wireless equipment vulnerabilities

Published: 2007-04-12
Last Updated: 2007-04-12 20:15:44 UTC
by Maarten Van Horenbeeck (Version: 1)
0 comment(s)
Cisco released an advisory regarding three weaknesses in the Cisco Wireless Control System. This is Cisco’s central platform for the management of their WLAN equipment.

  • WCS apparently uses fixed and unchangeable authentication credentials on the FTP service used by the Wireless Location Appliances for backup purposes. Fixed in WCS 4.0.96.0. This is regular FTP, so these passwords can be sniffed off the network and re-used by an attacker.
  • WCS suffers from a privilege escalation vulnerability that allows valid users to access information from any WCS configuration page (fixed in 4.0.81.0) or to become a member of the SuperUsers group (fixed in 4.0.87.0).
  • Certain WCS directories are not password protected. This may lead to disclosure of private information such as access point location. Fixed in 4.0.66.0.
They also released a second advisory on vulnerabilities in the Cisco Wireless LAN controller and their Lightweight Access Points. A number of fixed versions are pending release, so check the advisory for up-to-date information.

Applicable to the WLC are:
  • Use of default community strings (public/private);
  • The device may be crashed by sending malformed ethernet traffic;
  • Some or all of the Network Processing Units within the WLC may be locked up by sending malformed traffic, including some SNAP packets, malformed 802.11 traffic or packets with unexpected length values in headers;
  • WLAN ACLs could in some cases not survive a reboot.

The Cisco Aironet 1000 and 1500 lightweight access points are reported to contain a hard-coded service password. This is only available over a physical console connection, though.

--
Maarten Van Horenbeeck

Keywords:
0 comment(s)

whois.internic.net outage?

Published: 2007-04-12
Last Updated: 2007-04-12 18:22:46 UTC
by Joel Esler (Version: 1)
0 comment(s)
We are also receiving reports from users (and other handlers), not being able to reach whois.internic.net.  One of our handlers tells us that a traceroute to the host expires in the DC area in alter.net.

Joel Esler
Handler on Duty
http://handlers.sans.org/jesler
Keywords:
0 comment(s)

Oracle Critical Patch Update Pre-Release Announcement

Published: 2007-04-12
Last Updated: 2007-04-12 12:08:37 UTC
by Joel Esler (Version: 1)
0 comment(s)
This was also a notification from one of our readers (thanks Juha-Matti!), as well as all the email blasts we received this morning from the big Oracle in the sky.  Oracle has released their announcements for April.

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html

"This Critical Patch Update contains 37 security fixes across all products."

So, if you are running Oracle, it's that time of the month again!

Joel Esler
Handler of the Day
http://handlers.sans.org/jesler
Keywords:
0 comment(s)

Opera 9.20

Published: 2007-04-12
Last Updated: 2007-04-12 12:04:05 UTC
by Joel Esler (Version: 1)
0 comment(s)
Thanks to a couple readers that wrote in this morning, we were notified about Opera 9.20 for all platforms.

A cut and paste of the "Security" section says:

Security

  • Fix for character encoding inheritance issue with frames, which could enable cross-site scripting. See the advisory.
  • Fixed an issue regarding handling of FTP PASV response, as reported by Mark at bindshell.net
  • XMLHttpRequest now treats separate ports on the same server as a different server. Issue reported by Egmont Koblinger.
  • Fixed an issue where scripts could continue to run after leaving the page, as reported by Herrmann Manuel.
  • Skandiabanken.no's message about successful certificate installation is now shown.
So, if you are out there running Opera.  Time to upgrade!  /me goes off to upgrade my own.


Joel Esler
Handler of the Day
http://handlers.sans.org/jesler
Keywords:
0 comment(s)

Comments


Diary Archives