Advisories, Vulnerabilties and Virus Alerts

[ferrarif50]

Hi Guys,

I am starting this thread to issue regular security advisories, vulnerabilites discovered and new virus threats.

I am putting this in Tutorials, since I will be posting HOWTOs to protect urself from these threats and how to patch up the vulnerabilities.

Starting with,
Yahoo toolbar makes false spyware links [ADVISORY]

Yahoo has confirmed that its recently released toolbar has mistakenly linked an alleged spyware program with a product that has nothing to do with the application in question.

A company representative said on Friday that its toolbar's Anti-Spy feature incorrectly identified alleged 'hijacker' software known as SearchCentrix as being bundled with Claria's Gator eWallet product, which is designed to manage usernames and passwords. Hijacking programs redirect search results or tamper with browser settings, according to Yahoo.

"The SearchCentrix hijacker was incorrectly identified by our application" as a component of Claria's eWallet software, a Yahoo representative said. "We have no evidence to believe that Claria's eWallet installs that software. We believe that the misidentification was due to a bug in code from our partner, PestPatrol, and are currently working with them to fix it."

A Claria representative said the company has no relationship with SearchCentrix and that the listing was a mistake.

PestPatrol could not immediately be reached for comment.

[ferrarif50]

Microsoft issues seven security bulletins, two 'critical'

Microsoft issues seven security bulletins, two 'critical'
By Bill Brenner, News Writer
13 Jul 2004 | SearchSecurity.com


An attacker could gain remote control of machines and cause trouble using a variety of security holes Microsoft outlined in seven bulletins yesterday. The software giant said two of them are "critical" and affect several popular products. Information security experts urge people to install the patches immediately.

"My advice to users is to install all the patches and do it early," said David Perry, global director of education for Cupertino, Calif.-based IT security firm Trend Micro Inc. "The critical updates look to be the most serious. But there are a lot of deep security issues in these bulletins and you can never tell which vulnerability someone will choose to exploit. You could patch the critical ones and then the attack could come through the vulnerabilities considered the least serious."

MS04-022 fixes a "critical" vulnerability in Windows Task Scheduler caused by an unchecked buffer.

"If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges," the advisory said. "However, user interaction is required to exploit this vulnerability. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges." Affected components are Internet Explorer 6 Service Pack 1 when installed on Windows NT 4.0 SP6a (Workstation, Server, or Terminal Server Edition). The following software is affected:

* Windows 2000 Service Packs 2 through 4
* Windows XP and XP Service Pack 1
* Windows XP 64-Bit Edition Service Pack 1

MS04-023 fixes a vulnerability in HTML Help that occurs because the program does not completely validate input data. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take control of affected machines. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges, the advisory said. Affected components are the same as the threat in MS04-022. The following software and server programs are affected:

+ Windows 2000 Service Packs 2 through 4
+ Windows XP and XP Service Pack 1
+ Windows XP 64-Bit Edition Service Pack 1
+ Windows XP 64-Bit Edition Version 2003
+ Windows Server 2003
+ Windows Server 2003 64-Bit Edition
+ Windows 98, 98 Second Edition (SE), and Millennium Edition

"These are very critical vulnerabilities and users should install the updates as soon as possible," said Oliver Friedrichs, senior manager of security response for Symantec. "We've seen widespread attacks within weeks of past bulletins for similar flaws. It took only 17 days for Sasser to follow a bulletin. These updates are easy, and there's really no reason to put them off."

Of the five remaining bulletins, four were rated as important and one as moderate.

MS04-019 is rated "important" and resolves a privilege elevation vulnerability that exists in the way Utility Manager launches applications. A logged-on user could force Utility Manager to start an application with system privileges and could take complete control of the system.

MS04-020 describes an "important" privilege elevation vulnerability in the POSIX operating system component an attacker could use to take over a machine.

MS04-021 addresses an "important" a buffer overrun vulnerability in Internet Information Server 4.0 that could allow remote code execution on an affected system.

MS04-024 fixes an "important" remote code execution vulnerability in how the Windows Shell launches applications.

MS04-018 fixes a "moderate" denial-of-service vulnerability in Outlook Express caused by a lack of robust verification for malformed e-mail headers. If a user running Outlook Express receives a specially crafted e-mail message, the program fails. If the preview pane is enabled, the user must manually remove the message, and then restart Outlook Express to resume functionality. This update also changes the default security settings for Outlook Express 5.5 Service Pack 2.

http://searchsecurity.techtarget.com

[ferrarif50]

A new version of the Mozilla Firefox browser fixes a flaw that made users vulnerable to online fraud. The flaw allowed fraudsters to set up fake Web sites with names indistinguishable from legitimate companies.

More info can be found at :
http://story.news.yahoo.com/news?tmp...y&sid=95573501

[ferrarif50]

Apple has released a security update to Mac OS X Panther that patches a vulnerability in the Safari browser.

Security Update 2005-003 includes the following components: AFP Server; Bluetooth Setup Assistant; CoreFoundation; Cyrus SASL; Folder permissions; Safari and Samba; but most importantly, it includes a script for preventing phishers from fooling users of its Safari browser.

More info can be found at :
http://www.macworld.co.uk/news/index...S&NewsID=11134

[ferrarif50]

Several antivirus firms have spotted a new variant of the Sober worm in the wild, hiding in e-mails with English and German text.

According to Cupertino, Calif.-based Symantec, W32.Sober-J is a mass-mailer that uses its own SMTP engine to send itself to e-mail addresses it gathers from the computers it infects. "The subject of the e-mail varies and is in either English or German," the company said in its advisory. "The e-mail sender address is spoofed. The name of the e-mail attachment varies, and it has a .bat, .com, .pif, .scr or .zip file extension. The attachment may also have a double extension. This threat is written in the Microsoft Visual Basic programming language and is compressed with UPX."

Finnish security firm F-Secure Corp. said Sober-J was seeded in e-mails Jan. 31 and is "quite similar to the previous variants." While most AV companies consider it a low risk, Santa Clara, Calif.-based McAfee said it has seen enough activity to issue a medium-threat alert.

What it looks like
If the worm sends infected messages to domains with suffixes ".de," ".ch," or ".at," it composes a message in German. Otherwise, an English message is made.

In English, the subject line is: I've got YOUR email on my account!!

The body of the e-mail reads: "Hello, First, Sorry for my very bad English! Someone send your private mails on my email account! I think it's an Mail-Provider or SMTP error. Normally, I delete such emails immediately, but in the mail-text is a name & address. I think it's your name and address. The sender of this mails is in the text file, too. In the last 8 days i've got 7 mails in my mail-box, but the recipient are you, not me. Lol. OK, I've copied all email text in the Windows Text-Editor and i've zipped the text file with WinZip. Bye." The attached file is either "email_text.zip" or "text.zip."

E-mail addresses are harvested from files with the following extensions on the victim's machines: abc; abd; abx; adb; ade; adp; adr; asp; bak; bas; cfg; cgi; cls; cms; csv; ctl; dbx; dhtm; doc; dsp; dsw; eml; fdb; frm; hlp; imb; imh; imh; imm; inbox; ini; jsp; ldb; ldif; log; mbx; mda; mdb; mde; mdw; mdx; mht; mmf; msg; nab; nch; nfo; nsf; nws; ods; oft; php; phtm; pl; pmr; pp; ppt; pst; rtf; shtml; slk; sln; stm; tbb; txt; uin; vap; vbs; vcf; wab; wsh; xhtml; xls; and xml.

source: searchsecurity.com

[ferrarif50]

Attackers could exploit security holes in the Linux kernel to cause a denial of service, corrupt memory and launch malicious code. But users can update to a newer version in which the flaws are fixed.

Danish security firm Secunia described three "moderately critical" vulnerabilities in an advisory:

An error in ROSE due to missing verification of the ndigis argument of new routes;
A user with permission to access a SCSI tape device can send certain commands that could render the device unusable for other users; and
Unspecified glitches in the ISO9660 file system handler, including the Rock Ridge and Juliet extensions, could be exploited by a specially crafted file system to cause a denial of service or memory corruption, which could then allow the attacker to launch malicious code.

Secunia said these issues specifically affect Linux Kernel 2.6 and that the vulnerabilities are fixed in version 2.6.12-rc1.

More information is available at Kernel.org

[ferrarif50]

Microsoft issued patches to close 18 security holes in Internet Explorer, Windows, MSN Messenger, Exchange and Office. But this month's batch doesn't address recently discovered problems in the software giant's popular browser, e-mail and database programs.

"None of the recent vulnerabilities are fixed this month, but I didn't expect them to be fixed, either," said Mike Murray, director of vulnerability and exposure research for San Francisco-based security firm nCircle.

One of those vulnerabilities, discovered by the security research organization HexView, is in Microsoft's Jet Database Engine. Attackers could use a memory handling error in the program to launch malicious code. Danish security firm Secunia said the flaw is "highly critical" because exploit code has been posted to a public mailing list. Secunia confirmed the vulnerability on a fully patched system with Microsoft Access 2003 and Windows XP SP1/SP2.

Also unaddressed this month are two vulnerabilities in Internet Explorer and Outlook brought to light by Aliso Viejo, Calif.-based eEye Digital Security. The first "allows malicious code to be executed, contingent upon minimal user interaction," eEye said, adding that the problem affects Internet Explorer, Outlook and "additional miscellaneous titles." The second vulnerability has the same damage potential and also affects IE and Outlook.

Attackers could use "important" Windows shell and "moderate" message queuing vulnerabilities to launch malicious code, Microsoft said. They could also exploit "important" vulnerabilities in the Windows kernel as well as "critical" Transmission Control Protocol/Internet Protocol (TCP/IP) validation and reset flaws to gain escalated privileges, launch code and cause a denial of service.

A cumulative update for Internet Explorer closes "critical" security holes attackers could use to take over machines and install programs; view, change or delete data; and create new accounts with full user rights, Microsoft said.

"A lot of people use Internet Explorer, and exploits could occur just by browsing," Sutton said. "It's not difficult to exploit. And the TCP/IP flaws are something to pay attention to, because supposedly you can take a malformed IP packet and execute code. This puts a lot of [Windows] boxes in danger, especially in an enterprise setting."

Murray said code execution in the IP stack has the potential to be "super serious."

"All Windows boxes have an IP stack, so you're talking about something that's widely deployed," he said. "This is something that could be easily exploited."

Other fixes

Microsoft fixed another "critical" flaw that could let an attacker connect to the Simple Mail Transfer Protocol (SMTP) port on an Exchange server. A specially-crafted command could then be used to cause a denial of service or allow the attacker "to run malicious programs of their choice in the security context of the SMTP service," the company said.

A "critical" update for MSN Messenger fixes a security hole attackers could exploit to take over affected machines.

Finally, a "critical" update for Microsoft Word and Office fixes buffer overrun vulnerabilities an attacker could exploit to launch malicious code.

Microsoft also re-released two earlier bulletins. The first, originally issued in January, addresses two critical flaws in how cursor, animated cursor and icon formats are handled.

The second re-release, originally from February, fixes a glitch in Media Player, Windows Messenger and MSN Messenger an attacker could also use to take control of vulnerable machines.

The patch release came on a day when the blocker to Microsoft's SP2 download program expired. As the Bethesda, Md.-based SANS Internet Storm Center put it in a Tuesday-morning Web site message, "The Automatic-Download of Microsoft XP Service Pack 2 may soon happen on your network if your organization has opted out of the original update and does not maintain [its] own SMS or SUS servers."


source: searchsecurity.techtarget

[ravimevcha]

gr8 going ............carry on.........

[ferrarif50]

Anti-virus vendor Symantec has released patches for a security vulnerability in several enterprise and consumer products that can be exploited to bypass scanning functionality.

In a public advisory posted last Wednesday, the company said an error in the Symantec Antivirus component that is responsible for processing encoded or archived content has the potential to be exploited through the use of a specially crafted .rar file.

Read the rest of this eWEEK story here:
http://www.eweek.com/article2/0,1759,1790796,00.asp

[ferrarif50]

AOL on Wednesday urged users of its Netscape Web browser to upgrade immediately to the latest beta version to protect against a potentially dangerous security vulnerability.
The flaw, which carries a "highly critical" rating from Secunia, has been confirmed in Netscape versions 6.x through 7.x.

Secunia did not release details on the vulnerability, but it appears to be the same GIF processing error that affected the Mozilla Foundation's Firefox browser

According to a previously released Mozilla advisory, the flaw exists in the way the obsolete Netscape Extension 2 parses GIF images, and can lead to an exploitable heap overrun.

In extreme cases, an attacker can use a specially crafted GIF image to exploit the bug and run arbitrary code on the victim's machine.


source : eweek.com

[ferrarif50]

Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

Release Date: 2005-05-08
Critical: Extremely critical
Impact: Cross Site Scripting,System access.
Where: From remote
Solution Status: Unpatched
Software: Mozilla Firefox 1.x

Description:
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.
The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.

Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").

A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.

NOTE: Exploit code is publicly available.

The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.

Solution: Disable JavaScript.

source: http://secunia.com/advisories/15292/

[Choto Cheeta]

maybe...... not to open this months digit DVD without updated KAV or updated NAV05.....

http://www.thinkdigit.com/forum/viewtopic.php?t=20025

[ferrarif50]

---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-367
2005-05-11
---------------------------------------------------------------------

Product : Fedora Core 3
Name : pygtk2
Version : 2.4.1
Release : fc3.1
Summary : Python bindings for the GTK+ widget set.
Description :
PyGTK is an extension module for python that gives you access to the
GTK+
widget set. Just about anything you can write in C with GTK+ you can
write
in python with PyGTK (within reason), but with all the benefits of
python.

---------------------------------------------------------------------

* Fri May 6 2005 John (J5) Palmieri - 2.4.1-fc3.1

- Update to fix bug #14423


---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pu...ore/updates/3/

http://www.redhat.com/mailman/listin...-announce-list

For more:
http://www.linuxsecurity.com/content/view/119106/102/

[ferrarif50]

Vulnerability in Web View Could Allow Remote Code Execution (894320)

A script injection vulnerability exists in Web View while handling file attributes, which allows remote code exceution.

Affected Software:

• Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
• Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for details about these operating systems.

Executive Summary:

This update resolves a newly-discovered, public vulnerability. A remote code execution vulnerability exists in the way that Web View in Windows Explorer handles certain HTML characters in preview fields. By persuading a user to preview a malicious file, an attacker could execute arbitrary code in the context of the logged on user. The vulnerability is documented in the “Vulnerability Details� section of this bulletin.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. However, user interaction is required to exploit this vulnerability

http://www.microsoft.com/technet/security/bulletin/MS05-024.mspx

[ferrarif50]

The Firefox Web browser has two unpatched security holes that could
allow an attacker to take control of a user's computer system, security
researchers have warned.

Firefox has two unpatched security holes that could allow an attacker to take control of a user's computer system, and exploit code is already circulating on the Internet, security researchers have warned.
A patch is expected shortly, but users can protect themselves in the meantime by switching off JavaScript. In addition, the Mozilla Foundation said it has now made the flaws effectively impossible to exploit by changes to the server-side download mechanism on the update.mozilla.org and addons.mozilla.org sites, according to security experts.

The flaws were confidentially reported to the Foundation on May 2. But by Saturday details had been leaked and were reported by several security organizations, including the French Security Incident Response Team (FrSIRT).

Danish security firm Secunia marked the exploit as "extremely critical", its most serious rating, the first time it has given a Firefox flaw this rating.

In recent months, Firefox has picked up market share from Microsoft's Internet Explorer, partly because it is considered less vulnerable to attacks. However, industry observers have long warned that part of the reason the browser is more secure is because it has a relatively small user base. As Firefox's profile grows, attackers will increasingly target the browser.

The exploit, discovered by Paul of Greyhats Security Group and Michael "mikx" Krax, makes use of two separate vulnerabilities. An attacker could create a malicious page using frames and a JavaScript history flaw to make software installations appear to be coming from a "trusted" site. By default, Firefox allows software installations from update.mozilla.org and addons.mozilla.org, but users can add their own sites to this whitelist.

The second part of the exploit triggers software installation using an input verification bug in the "IconURL" parameter in the install mechanism. The effect is that a user could click on an icon and trigger the execution of malicious JavaScript code. Because the code is executed from the browser's user interface, it has the same privileges as the user running Firefox, according to researchers.

The Mozilla Foundation said it has protected most users from the exploit by altering the software installation mechanism on its two whitelisted sites. However, it warned that users may be vulnerable if they have added other sites to the whitelist.

"We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk," the Mozilla Foundation said in a statement published on Mozillazine.org.

Source: http://www.computerworld.com/securit...S_B&nid=101624

[ferrarif50]

Versions of Windows XP and Server 2003 contain a flaw attackers could use to cause a denial of service, French security firm FrSIRT said in an advisory.

The vulnerability is in the Windows IPv6 TCP/IP stack when processing a specially crafted packet in which the SYN flag is set and the source address and port are the same as the destination address and port. A remote user could exploit this vulnerability to launch a LAND attack, which would cause a vulnerable system to crash.

Microsoft patched a variant of this flaw in April, FrSIRT said. The problem specifically affects Windows XP, XP SP1, XP SP2, Server 2003 and Server 2003 SP1. FrSIRT recommends users filter all traffic with a firewall. The organization said it is "not aware of any official supplied patch for this issue."

Src: searchsecurity.techtarget.com

[ferrarif50]

French security firm FrSIRT reports in a new advisory that the Linux kernel contains "multiple vulnerabilities" attackers could use to cause a denial of service and launch malicious commands.

"These flaws are due to input validation errors in the raw device and pktcdvd block device ioctl handlers when processing specially crafted arguments passed to the 'raw_ioctl(),' 'pkt_ioctl()' and 'ioctl_by_bdev()' functions, which may be exploited by malicious users to execute arbitrary commands with kernel privileges," the advisory said. Linux Kernel version 2.6.11.9 and prior are affected. Users are advised to switch to version 2.6.11.10 via the Linux kernel Web site.

[ferrarif50]

An attacker could use a glitch in Intel Corp.'s hyperthreading technology to steal security keys from a compromised server using a sophisticated timing attack, a researcher said Friday in a paper presented at the BSDCan 2005 conference. According to a report from the IDG News Service, hyperthreading allows software to take advantage of unused execution units in a processor. It essentially allows two separate processes, or software threads, to execute on a single processor at the same time, improving performance on software written to take advantage of the technology. By taking advantage of the fact that the processes share access to a chip's cache memory, an attacker can determine the security keys to a particular computer by monitoring the cache for those keys, said Colin Percival, an independent researcher. Intel and several software companies are working to fix for the problem, but they don't consider it critical, an Intel spokesman told the news service.

Src: searchsecurity.techtarget.com

[ferrarif50]

Linux users who patched their systems for a serious security vulnerability in K Desktop Environment last month will have to patch once again, because of errors in the original patch, according to the KDE project.

The vulnerability affects kdelibs, specifically an error in the kimgio component when processing PCX image files. Kimgio is used in KHTML-based Web browsers as well as KDE imaging applications such as kpresenter and ksnapshot, meaning that if an image crafted to exploit the flaw were viewed in any of these applications, they could allow an attacker to execute malicious code and take over a system. The flaw affects KDE Versions 3.2 to 3.4, according to KDE.


The patches issued last month fixed most of the problems but still allowed local users to exploit the bug by serving files from the /tmp directory, KDE said in an advisory. They also introduced a new bug, breaking kimgio's compatibility with .rgb images.


The problems will mean a fresh round of patching for Unix-derived systems using KDE, one of the two most popular desktop environments for Unix and Linux. KDE released a new patch fixing the problems with the original patch, and operating system vendors such as Red Hat and SUSE have followed suit this week.


Software vendors are under pressure to deliver timely patches, but faulty updates are not unknown as a result, say security experts. This week, for instance, Microsoft re-released a critical security update after it caused networking problems for many users.


Such problems can mean a major headache for system administrators, but they seem to be on the wane, according to Thomas Kristensen, chief technology officer at Danish security firm Secunia. "Generally speaking, I'd say that most vendors have improved significantly over the last two years when it comes to quality testing of their security fixes," he said.

Source: http://www.computerworld.com/softwar...LIN&nid=101858

[ferrarif50]

E-mail users perplexed by the barrage of German-language spam waiting in their in-boxes this morning can blame the latest version of the Sober mass-mailing worm, which began rapidly spreading over the weekend.
Sober.q uses both German- and English-language messages to direct recipients to Web sites with right-wing German nationalistic content, according to an advisory from e-mail security company MX Logic Inc. in Englewood, Colo. One of the URLs points to the Web site of the right-wing German National Democratic Party, the security firm said.

MX Logic said that it had seen over 125,000 instances of Sober.q overnight Saturday and into Sunday and labeled it as a high-severity threat. The variant is downloaded by computers already infected by the Sober.p worm, which began circulating earlier this month, MX Logic said. The virus writers appear to have remote control over the Sober.p-infected machines , giving them a network from which to launch future spam and denial-of-service attacks.

The latest Sober variant is one of a relatively new type of "propaganda spam," meant to spread political messages rather than sell a product or service, MX Logic said. Circulation of the worm coincides with ceremonies marking the 60th anniversary of the end of World War II in Europe and examples of subject lines it sends include "Dresden 1945" and "Du wirst zum Sklaven gemacht!!!" ("You are made slaves!!!").

"We are certainly seeing more propaganda spam," said Graham Cluley, a senior technology consultant at Sophos PLC. Security researchers began detecting religious spam selling a particular view of life last year, Cluley said.

Although Sophos is seeing a lot of German-language spam sent by the new Sober variant, the worm itself doesn't appear to be spreading anymore, Cluley said.

E-mail users are advised to update their spam filters to guard against the new Sober spam.

Source: http://www.computerworld.com/securit...VVR&nid=101760

[ferrarif50]

Users of AOL's instant messaging software should be on the lookout for
an innovative new worm, variously named "Oscarbot-B" and "Doyorg" by
antivirus companies.

Whole story:
http://www.computerworld.com/newslet....html?nlid=VVR

[ferrarif50]

Security researchers warn that a one-letter typo in Google's domain name could lead to a massive virus- and spyware-infection attack.

A simple misspelling of Google's domain name could lead to a Web surfer's worst nightmare.

In a new twist to the old practice of "typosquatting," virus writers have registered a slight variation of Google Inc.'s popular search-engine site to take advantage of any users who botch the spelling of the google.com URL.

The malicious site, googkle.com, is infested with Trojan droppers, downloaders, backdoors and spyware, and an unsuspecting user only has to visit the page to be at risk of computer hijack attacks, according to a warning from Finnish anti-virus vendor F-Secure Corp.

When googkle.com is opened in a browser, two pop-up windows are immediately launched with redirects to third-party sites loaded with scripts. One of the sites, ntsearch.com, downloads and runs a "pop.chm" file, and the other, toolbarpartner.com, downloads and runs a "ddfs.chm" file, F-Secure said.

"Both files are downloaded using exploits and they contain exploits themselves to run embedded executable files. One of the Web pages of the 'toolbarpartner.com' website downloads a file named 'pic10.jpg' using an exploit. This JPG file is actually an executable that replaces [the] Windows Media Player application," the warning reads.
The typosquatters also launch a steady stream of pop-up Web pages with different .exe files.

One batch of exploits loads a malware package that includes two backdoors, two Trojan droppers, a proxy Trojan, a spying Trojan and a Trojan downloader.
The exploits appear to be targeting users of Microsoft Corp.'s Internet Explorer browser. A spokeswoman for Microsoft told Ziff Davis Internet News that the rogue site was attempting to exploit some vulnerabilities that were fixed in past security updates.

"[Users running] Windows XP SP2 are protected from this. Also, users who are up to date on supported platforms are protected," the spokeswoman said.

According to F-Secure's alert, the attack scenario also includes a separate Trojan dropper that copies itself to the Windows System folder with a random name and drops a DLL that modifies the HOSTS file to block connection to several anti-virus Web sites.

Another executable also drops a DLL file into the Windows System folder and prompts a fake virus alert on a desktop. The fake alert warns the user about a computer infection and prompts the user to yet another malicious site promising virus protection.

The Web site offers links to several different sites offering anti-virus and spyware cleaners for download. Those downloads all turn out to be a "toolbar.exe" file that is actually an adware installer, which installs a spyware toolbar known as "Perez," F-Secure said.

The practice of typosquatting was first spotted in the late 1990s and was a common tactic for ****ography sites, used to generate traffic from misspelled Internet addresses.

[ferrarif50]

New Bagle variants spreading
At least three versions of the e-mail worm have been found

At least three new versions of the Bagle e-mail worm were spreading quickly on the Internet today, according to several Internet security firms.
MessageLabs Ltd., which monitors 110 million pieces of e-mail sent per day, found about 145,000 copies of just one of the new Bagle downloader variants, said Maksym Schipka, a senior antivirus researcher at the company. MessageLabs tracked about 4,000 copies of the variant between 7 a.m. and 8 a.m. EDT. That number jumped to nearly 42,000 copies in the next hour and rose to 56,000 copies between 9 a.m. and 10 a.m., the company reported.

About 80 variants of the original Bagle worm, which first appeared in January 2004, have been released on the Internet. The first Bagle downloader variant MessageLabs tracked today drops a Trojan horse program that attempts to download Bagle from a list of about 130 Web sites worldwide. Computer users who activate the file attached in the e-mail activate the virus, which harvests e-mail addresses it finds on the computer's hard drive. The virus then forwards itself onto the list of e-mail addresses found on the infected computer.

In the first variant, the e-mail carrying the Bagle worm had an empty subject line and body text, MessageLabs said.

The variant appeared to start on a Yahoo Inc. Web mail account, Schipka said. "Somebody wanted to refresh his botnets or e-mail addresses," Schipka said. "They want to keep up to date with the things they sell." Botnets are groups of compromised computers that are controlled by hackers and often used in cyberattacks.

Antivirus vendor Symantec Corp. also reported seeing at least one new Bagle variant but found the worm to be spreading slower than MessageLabs reported. Symantec found only about 50 Bagle copies on computers with its virus-protection software installed, said Alfred Huger, senior director of engineering at Symantec Security Response.

Huger said he expected little damage from this Bagle attack.

Damage from the new Bagle variants should be minor as antivirus vendors react quickly to the attacks, said Ken Dunham, director of malicious code at iDefense Inc., another cybersecurity vendor. The first two variants seen today were tentatively dubbed Bagle.CA and Bagle.CB, which would make them the 79th and 80th Bagle variants.

"We're a long way down the line of Bagle worms," Dunham said. "It's very similar to former Bagle attacks."

Dunham encouraged computer users to update their antivirus software, use firewalls and avoid opening suspicious files attached to e-mail. "Just because it looks like it was from your billing department, or it was from your friend, or it was porno doesn't mean it is," he said. "Be careful on e-mail -- don't trust anything."

[ferrarif50]

New Mytob worm poses as IT administrator
It warns recipients that their e-mail accounts are about to be suspended

Another variant of the Mytob worm began wiggling its way into in-boxes this week, enticing recipients to open an e-mail attachment that could allow a remote hacker to access and perform commands on an infected machine.
The variant, dubbed "Mytob.bi" by some security researchers, scans the hard drive of an infected machine and sends copies of itself to e-mail addresses it finds in the Windows Address Book, antivirus firm Trend Micro Inc. said yesterday. The worm poses as a message from an IT administrator, warning recipients that their e-mail accounts are about to be suspended, Trend Micro said.

Possible subject headers for the worm include "*IMPORTANT* Please Validate Your Email Account" and "Notice: **Last Warning**."

The latest variant is the fourth iteration of the Mytob family of worms that were first detected in late February, Cupertino, Calif.-based Trend Micro said. It has backdoor capabilities and can open a random port, allowing a hacker to remotely access an infected machine.

The variant also prevents the infected machine from accessing several antivirus and security Web sites by redirecting the connection to a local machine, the security company added.

While prevalence of the worm is still low, the damage potential is high, Trend Micro said. U.K.-based antivirus company Sophos PLC also rated the worm as a concern, due to the severe damage it could cause.

Researchers speculated that the Mytob worm family is popular with hackers because its code base is relatively easy to manipulate to create a new variant. Another version, Mytob.ar, was detected earlier this week, containing added spyware and adware elements.

Future Mytob variants could take advantage of the .ar version to reap monetary benefits from spyware, Trend Micro warned.

Internet users are advised to update their antivirus software to protect themselves from the new threats.

[ferrarif50]

A trio of malicious programs is working together to hijack as many machines as they can in a short period, antivirus experts warned Thursday. Their apparent mission -- grow an army of zombie machines that can be sold on the black market and used to steal identities, lift bank account numbers and launch other attacks.

"This is all about money," said Roger Thompson, director of malicious content research for New York-based Computer Associates [CA]. "It's about the simple theft of credit card and bank account numbers, and there's probably a nexus with adware."

In the last 24 hours, CA has discovered coordination between three Trojan horse programs -- Glieder, Fantibag and Mitglieder.

Trio of trouble
According to CA, here's how the Trojans operate:

Glieder goes out and "seeds" cyberspace. On June 1, CA watched eight variants spread in quick succession. The whole point is to get to as many victims as fast as possible with a lightweight piece of malware, CA said.
Fantibag then creates a "shields down" on compromised systems, exploiting the infected machines' networking features to prevent them from communicating with antivirus companies or with Microsoft's update site. This means the security software can't call for updates.
Mitglieder then turns the compromised machine into a zombie that can be used to generate future attacks and act in concert with countless other zombie PCs. Machines infected with Mitglieder act as a proxy to force traffic to malicious sites, track user behavior, record keystrokes and set up spam relays.
Glendale, Calif.-based PandaLabs has also been tracking Mitglieder, saying it has been spammed to thousands of users around the world.

"Malware creators try to distribute their creations rapidly to prevent users from having time to update their antivirus solutions. They're trying to exploit the vulnerability window, i.e. the time that it takes between new malware appearing and users installing the updates on their computers," PandaLabs director Luis Corrons said in a statement. "New techniques are frequently being used in order to spread malware as rapidly as possible. So for example, as in this case, thousands of infected mails could be sent simultaneously as spam, or numerous variations can be launched at the same time."

The Bagle connection
Thompson said there's also a connection between the Trojans and this week's outbreak of new Bagle worm variants. "It's hard to tell the difference between Bagle and Mitglieder," he said. "Most of these share common code and they get mixed together."

Which points to a much larger problem, he said: "The bad guys have figured out that if they make a minor variation in their worms, viruses and Trojans and perhaps pack them a bit differently, these things can spread more rapidly and infect more computers before antivirus software has a chance to catch up."

With the first two Trojans spreading too quickly for AV to keep up, Fantibag arrives and cuts access to the security updates, Thompson said. "The attackers are being very cunning," he said. "They could launch one big program but instead they use smaller pieces that can easily be replaced. It's easier to change the smaller bits than fix the big part. It's a very sophisticated approach."

All about the botnets
For now, attackers don't seem to be aiming directly at enterprise networks, Thompson said. "I don't think this is about targeting a large corporation," he said. "I think it's about these guys trying to build botnets out of home systems."

But he said these botnets can eventually be used to hack into corporate databases to steal sensitive data or to launch other attacks.

In recent days security experts have also expressed alarm that hackers are successfully using zombie machines to launch brute force attacks against Secure Shell [SSH] servers that are accessible via the Internet.

Since there's no limit to what the bad guys can do with a zombie army, Thompson said there's growing demand on the black market for compromised machines. "The world is getting exceptionally scary," he said.

Source: searchsecurity.techtarget

[ferrarif50]

The vulnerabilities could give allow back-door access to victims' computers

Sun Microsystems Inc. issued alerts this week about vulnerabilities in its Java platform that security researchers have described as critical and that could allow attackers to execute malicious code on targeted computers.
The affected software is Sun's Java Web Start and Java Runtime Environment. Weaknesses in the programs could allow applications to grant themselves permissions to write local files or execute other applications, allowing an attacker to gain backdoor access to victims' computers. Such an attack could be carried out without any visible symptoms, Sun said.

The vendor recommends that users replace earlier versions of Java 2 Platform Standard Edition with a more recent version. J2SE 5.0 Update 2, released in March, repairs the flaw; Sun's most recent J2SE 5.0 release is Update 3. J2SE updates are available for download on Sun's Web site.

Danish security firm Secunia rates the vulnerabilities "highly critical," its second-highest classification, while the French Security Incident Response Team gave it a "critical" rating, that organization's highest advisory rank. Those rankings are reserved for remotely exploitable vulnerabilities that can be executed without a user's knowledge.

[banned2wise]

There is no point in running a thread like this , becoz all softwares are stupid/vulnerable and can be exploited somehow or the other.

I would suggest ppl to check www.frsirt.com, www.securityfocus.com and www.secunia.com for most of the exploits.