
SANS ISC: GAO Report on DHS; ezSTUB; Worm.Gibe.F; BlueTooth Security? ClamAv MACosX


Bluetooth security


Juha-Matti Laurio sent in a link about Bluetooth security.
A new SecurityFocus Infocus article, "Bluetooth Security Review" (Part 2),
has been published; it includes "Easy Bluetooth security tips".



GAO report on DHS


GAO published a report on the challenges DHS faces in fulfilling its cybersecurity responsibilities.
In brief, they state:
"DHS has Initiated Efforts that begin to address its responsibilities but more work remains."




In my personal opinion DHS is facing some tough challenges.
The bureaucracy required to organize such a large group of independently funded and semi-autonomous
departments will nearly always cause such an effort to proceed slowly and potentially never reach its goals.



You might want to add "The Mythical Man-Month" by Frederick P. Brooks, Jr. to your summer reading list.
It's a short book of essays on software engineering, and some of its
management principles can be applied outside of software development.

ClamAV local privilege escalation vulnerability for Mac OS X.


The advisory can be found here:

Here is their summary:
"Under the Mac OS file system (HFS) files are saved as two parts, data and
resource fork.  In ClamAV version 0.80rc4, support was added to copy
both the data and the resource fork when moving a virus-infected file.
The mechanism they used was the Mac local system utility ditto.  While
there isn't a security issue with using the "ditto" command itself, the
system() call they use to execute it is insecure."
An update can be found here:
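The advisory summary does not say what made that system() call insecure. The following is an added example, not ClamAV's code; it assumes the usual weakness of system(), that the command line is handed to /bin/sh, and shows the fork/execv form that avoids it, with /bin/cp standing in for ditto so it also runs on Linux.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Weak pattern, assumed to resemble the reported bug, shown for contrast and
 * never called: the command line goes through /bin/sh, so a quarantined file
 * named with ';' or '$(' is parsed as extra commands, and PATH picks the tool. */
int unsafe_copy(const char *tool, const char *src, const char *dst)
{
    char cmd[4096];
    snprintf(cmd, sizeof cmd, "%s %s %s", tool, src, dst);
    return system(cmd);
}

/* Hardened form: fork/execv passes each argument verbatim with no shell, and
 * the tool is named by absolute path. "--" stops a name beginning with '-'
 * from being read as an option (assumed fine for cp; verify for ditto). */
int safe_copy(const char *tool, const char *src, const char *dst)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)tool, "--", (char *)src, (char *)dst, NULL };
        execv(tool, argv);
        _exit(127);                      /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed check: copy a file whose name carries shell metacharacters and
 * confirm the destination exists under exactly that name; 1 = success. */
int demo(void)
{
    const char *src = "/tmp/clamav_demo_src;echo oops";
    const char *dst = "/tmp/clamav_demo_dst;echo oops";
    FILE *f = fopen(src, "w");
    if (!f) return 0;
    fputs("placeholder quarantine content\n", f);   /* constructed, not a sample */
    fclose(f);
    unlink(dst);
    int rc = safe_copy("/bin/cp", src, dst);
    struct stat sb;
    int ok = (rc == 0 && stat(dst, &sb) == 0 && sb.st_size > 0);
    unlink(src); unlink(dst);
    return ok;
}
```

With the system() version the same filename would have been split by the shell; with execv the metacharacters are just bytes in a path.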




Worm.Gibe.F being reported


Viatcheslav Fedorov received a bit of malware from a Microsoft "Partner".
He stated it "smelled like a trojan".
A few minutes later he wrote back stating:
"Yep, that's Worm.Gibe.F"
Information on Gibe.F from:

"Gibe is a mass-mailing worm written in Visual Basic.
It disguises itself as a Microsoft security update"



ezStub3.dll


A user wrote in asking about ezStub3.dll.
Fellow handler Tony Carothers answered:
This file is typically linked with the "Adware.Ezula" strain of
spyware/adware.  From Symantec: "Adware.Ezula alters Web pages viewed
in Internet Explorer and can add extra links to certain keywords that
advertisers target. This adware runs under the name TopText."  As with
any other adware, there are several ways to remove this:
spyware/adware removal tools, such as SpyBot S&D; some antivirus
applications, which have the ability to prevent, detect, and remove these; or
manually, which is the most difficult and typically not the preferred method.
My research discovered this information.
It was "discovered" as one of the many "nice" malware additions
that were scheduled to be installed later during Tom Liston's "Follow the Bouncing Malware II".
If you missed Tom's malware forensics humor, it is here:

Information and removal instructions for ezStub3.dll:
CA SecurityAdvisor
Symantec
SpyBot S&D
I hope everyone has a good weekend.
Those of you celebrating Memorial Day, enjoy yourselves, but
PLEASE drive safely, both on the roads and on the internet.
Donald.Smith hex_to_ascii(40 base16)qwest.com
donald

May 28th 2005
