SANS ISC: InfoSec Handlers Diary Blog

RealPlayer Patches, DejaVu & some Mailbag Contributions

Published: 2005-04-20
Last Updated: 2005-04-20 21:56:46 UTC
by Patrick Nolan (Version: 1)
News you prolly read already ( ; ^ )

Realplayer/RealOne RAM File Processing Buffer Overflow Vulnerability
Secunia Advisory: SA15023
Release Date: 2005-04-20

http://secunia.com/advisories/15023/

Affected Software - most of it;
Security Patch Update For Realplayer Enterprise


http://www.service.real.com/help/faq/security/security041905.html

Stand alone versions;

http://service.real.com/help/faq/security/050419_player/EN/

Stand alone patches for RealOne and RealPlayer for Windows and Macintosh are available if you use the player's "Check for Update".

DejaVu

Trojan.Riler.B
"Discovered on: April 19, 2005
Last Updated on: April 20, 2005 01:26:27 PM
LSPs aren't new, but still sorta notable, ymmv;
Trojan.Riler.B is a back door Trojan horse program that installs itself as a layered service provider (LSP), and allows a remote attacker to have unauthorized access to the compromised system."

http://securityresponse.symantec.com/avcenter/venc/data/trojan.riler.b.html

A "Database" that has an embedded Trojan
"Backdoor.Ryejet is a back door Trojan horse that allows unauthorized remote access to a compromised computer. The Trojan also contains rootkit functionality to hide the presence of its files on the compromised computer. The threat may be distributed embedded in a Microsoft Jet Database".

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ryejet.html

Slashdot referenced news about Bastille from Jay Beale.

http://software.newsforge.com/software/05/04/19/1256244.shtml?tid=78&tid=2&tid=79
"You can take a look at a Web-only demo of this through this link."

http://www.bastille-linux.org/Reporting/audit-report.html
Bastille folks, thanks for the continuing work!

Bastille;

http://www.bastille-linux.org/

http://www.bastille-linux.org/credits.html

A nice read/analysis from Kaspersky is "Malware Evolution: January - March 2005", by Alexander Gostev, Senior Virus Analyst, Kaspersky Lab. (thanks Swa!)


http://www.viruslist.com/en/analysis?pubid=162454316

Speaking of malware evolution, and DejaVu .....

As resources permit, I surf the Norman Sandbox regularly to try and keep up on trends etcetera.

A trend I'm writing about is deletion of shares by unidentified malware. I seem to have seen it regularly lately, or I am noticing it more over the last 6 weeks or so.

I assume I'm seeing only a snippet of the malware's complete behavior in the posted Sandbox analysis.

So I read up on related malware and can only come to the conclusion that the deletion of the shares is a part of a total protection package that probably has other usual components like disabling AV etcetera.

So if the shares are disabled, and not re-enabled later, the exploited system would just disappear from the network ..... unless discovered by a user reporting a problem, or if its traffic was noticed by some network defenses, or some admin noticed that the system wasn't updating any one of a number of updates it should have been receiving, etcetera. And the system would receive protection from other malware attacking through shares.

I guess my point is that I don't see much if any related information in searching Norman's kb (or anyone's, see below) about this behavior as much as the presence of it in Sandbox analysis shows it to exist (in many pieces of "unknown malware"). fwiw, I can think of network security applications and non-security related applications that can point to a system that used to be "visible" but is no longer visible without shares, it's a simple task. "Your task, should you undertake it", is to determine who that person is that should be checking this type of system disappearance .... and who does the follow-up. ( ; ^ )/(apologies to Mission Impossible fans ..).
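To make the "simple task" above concrete, here is a small Python script added to this diary entry as an illustration; it is not Norman Sandbox, Symantec or ISC code. It assumes you already run some inventory sweep that records which shares each host exposes, diffs the previous sweep against the current one, and reports hosts whose administrative shares were removed, hosts that re-gained them (the Gaobot behavior quoted further down), and hosts that simply stopped answering. The host names, share inventories and the `net share` sample text are constructed for the example.

```python
"""Flag hosts whose administrative shares (C$, ADMIN$, IPC$, ...) vanished or
reappeared between two inventory sweeps.

Added example for this diary; not Norman Sandbox, Symantec or ISC code.
Host names, share inventories and the 'net share' sample are constructed."""

# Constructed sample of the text Windows 'net share' prints on one host.
SAMPLE_NET_SHARE = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\\WINDOWS                      Remote Admin
The command completed successfully.
"""

# Constructed inventory snapshots: host -> set of share names seen by a sweep.
BASELINE = {
    "ws-101": {"C$", "D$", "ADMIN$", "IPC$", "public"},
    "ws-102": {"C$", "ADMIN$", "IPC$"},
    "ws-103": {"C$", "ADMIN$", "IPC$"},
    "srv-01": {"C$", "ADMIN$", "IPC$", "backup"},
}
CURRENT = {
    "ws-101": {"public"},                       # every admin share deleted
    "ws-102": {"C$", "ADMIN$", "IPC$"},         # unchanged
    "ws-103": {"C$", "ADMIN$", "IPC$", "D$"},   # D$ (re-)enabled
    # srv-01 did not answer the sweep at all
}


def is_admin_share(name):
    """Administrative shares end in '$' (C$, ADMIN$, IPC$, ...)."""
    return name.endswith("$")


def parse_net_share(output):
    """Return the share names from 'net share' output: the first column of
    every row between the dashed header rule and the trailing status line."""
    shares = set()
    in_table = False
    for line in output.splitlines():
        if not in_table:
            in_table = line.startswith("---")
            continue
        if not line.strip() or line.startswith("The command"):
            break
        shares.add(line.split()[0])
    return shares


def diff_shares(baseline, current):
    """Compare two host->shares snapshots and return (host, finding, shares)
    tuples. A host that answered before but not now is reported too, since
    'disappeared from the network' is exactly the symptom being described."""
    findings = []
    for host, before in sorted(baseline.items()):
        if host not in current:
            findings.append((host, "not_reachable",
                             sorted(filter(is_admin_share, before))))
            continue
        after = current[host]
        removed = sorted(filter(is_admin_share, before - after))
        added = sorted(filter(is_admin_share, after - before))
        if removed:
            findings.append((host, "admin_shares_removed", removed))
        if added:
            findings.append((host, "admin_shares_added", added))
    return findings


if __name__ == "__main__":
    print("shares on sample host:", sorted(parse_net_share(SAMPLE_NET_SHARE)))
    for host, finding, shares in diff_shares(BASELINE, CURRENT):
        print(f"{host}: {finding} {shares}")
```

Whoever owns the follow-up only needs the `diff_shares` output; `parse_net_share` is there so the per-host snapshots can be built from plain `net share` text collected by whatever agent or login script you already have.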

Fwiw, some of the research I did;


http://sandbox.norman.no/live_2.html?logfile=105241

http://sandbox.norman.no/live_2.html?logfile=105182

A few other share deletion malware references;

W32.Randex.ATX

http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.atx.html
"Drops and executes the file, %Temp%\secure.bat, which deletes the C$, D$, IPC$ and ADMIN$ shares."

BAT.NetStop.Trojan

http://securityresponse.symantec.com/avcenter/venc/data/bat.netstop.trojan.html

Trojan.Delsha

http://securityresponse.symantec.com/avcenter/venc/data/trojan.delsha.html

Backdoor.IRC.Flood.E

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.flood.e.html

Graps
ALIAS: Worm.Win32.Graps, W32/Graps.worm, W32.HLLW.Graps

http://www.f-secure.com/v-descs/graps.shtml

Fwiw, a piece of typical malware that takes the opposite action...... just to illustrate one reason for the behavior I'm describing;
HLLW.Gaobot

"This is a generic description intended to cover common functionality found in the Gaobot series of worms."

http://www.norman.com/Virus/Virus_descriptions/14822/14823/en-us?show=destructivity

"The worm may also re-enable the following administrative shares on the system:
C$
D$
E$
IPC$
ADMIN$"

Other;

The Art of Computer Virus Research and Defense
by Peter Szor

ISBN: 0321304543; Published: Feb 3, 2005; Copyright 2005
Published by Addison Wesley in collaboration with Symantec Press (c) 2005.

Updates added;
Contributions from the shift MailBag;


Windows 2000 has a "File Selection May Lead to Command Execution" issue with POC out for it.
The POC recommends that "Until a patch becomes available, disable the Web View by going to: Tools -> Folder Options -> Select 'Use Windows classic folders'".
Thanks for the pointer, "anonymous"!


APPLE-SA-2005-04-19 Security Update 2005-004 is available for: iSync 1.5
CVE-ID: CAN-2005-0193
"Impact: A buffer overflow in iSync could lead to local privilege escalation". "Security Update 2005-004 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/ "
Thanks Jim!

POC was released for "ICMP Vulnerability Issues in ICMP packets with TCP payloads".
Get patches from your Vendor, read the original/updated Advisory here:
NISCC Vulnerability Advisory 532967/NISCC/ICMP Vulnerability Issues in ICMP packets with TCP payloads

http://www.uniras.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en

Patrick Nolan with assists from everyone! Thanks!