Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-11-01



New Bagle variants

Published: 2005-11-01
Last Updated: 2005-11-01 23:04:43 UTC
by Bojan Zdrnja (Version: 2)

We have received numerous reports of new Bagle variants being spammed. They look typical for this family of worms: an empty message body with a ZIP file attached.
Some of them have no subject at all, and the sender name is the same as the recipient name, sometimes with a random domain appended.

Some names that have been used are:

Max.zip
Business_dealing.zip
Text_sms.zip
Health_and_Knowledge.zip
The_new_prices.zip
Info_prices.zip

MD5 sums of some variants are:

8275444ac2caac4b90bfd07d0b2b17be    t_535475.exe
18ae7a2fa4dbbf703c3ae157f224186a    text.exe

The archive contains an executable which, when run, copies itself to %sysdir%\hloader_exe.exe and drops a DLL, header_dll.dll. It also creates an entry named auto__hloader__key under the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

Thanks to Mike S, Sean K and others for submitting samples and information about these worms.

Mark Tombaugh sent us Snort sigs which can help protect from these new Bagle variants:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle.dk SMTP Inbound"; flow:to_server,established; content:"UEsDBBQA"; content:"YT"; distance:8; within:11; content:"AAAA"; distance:8; within:13; reference:url,vil.nai.com/vil/content/v_136751.htm; sid:2002665; rev:1;)

# Outbound: the local host is the SMTP client connecting to a remote port 25, so the
# header must be $HOME_NET any -> $EXTERNAL_NET 25 for flow:to_server to ever match.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle.dk SMTP Outbound"; flow:to_server,established; content:"UEsDBBQA"; content:"YT"; distance:8; within:11; content:"AAAA"; distance:8; within:13; reference:url,vil.nai.com/vil/content/v_136751.htm; sid:2002666; rev:1;)
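As an added example (not from the diary or the Bleeding Edge rule set), the Python below shows why the rule's first content match is "UEsDBBQA" and re-implements Snort's content/distance/within chaining so the rule's byte pattern can be checked against sample SMTP data offline. The SMTP fragments, the helper names and the ZIP built in memory are all constructed for the example.

```python
"""Added example, not from the diary or the Bleeding Edge rule set: why the
Bagle.dk rule anchors on "UEsDBBQA", plus a re-implementation of Snort's
content/distance/within chaining so the rule can be tried on sample data."""
import base64
import io
import zipfile

# Content chain from the diary's inbound rule as (pattern, distance, within).
# The first content is searched anywhere; each later one is relative to the
# end of the previous match, as in Snort.
BAGLE_DK_CHAIN = [("UEsDBBQA", None, None), ("YT", 8, 11), ("AAAA", 8, 13)]


def base64_of_minimal_zip() -> str:
    """Base64 of a one-entry ZIP built in memory, as a MIME attachment would
    carry it. The first 8 characters encode the local file header bytes
    'PK\\x03\\x04\\x14\\x00', which is where the rule's "UEsDBBQA" comes from."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("text.exe", b"constructed placeholder, not a real sample")
    return base64.b64encode(buf.getvalue()).decode("ascii")


def match_chain(payload: bytes, chain, cursor: int = 0) -> bool:
    """Snort-style content chain: `distance` is the minimum gap after the
    previous match, `within` the window in which the pattern must end. On
    failure, backtrack to later occurrences of the earlier pattern."""
    if not chain:
        return True
    pattern, distance, within = chain[0]
    pat = pattern.encode("ascii")
    start = cursor if distance is None else cursor + distance
    end = None if within is None else start + within
    idx = payload.find(pat, start, end)
    while idx >= 0:
        if match_chain(payload, chain[1:], idx + len(pat)):
            return True
        idx = payload.find(pat, idx + 1, end)
    return False


def bagle_dk_rule_matches(smtp_data: bytes) -> bool:
    """Content part of the diary's Bagle.dk SMTP rule (port/flow checks omitted)."""
    return match_chain(smtp_data, BAGLE_DK_CHAIN)


# Constructed SMTP DATA fragments (not real captures). In the first, "YT" and
# "AAAA" fall in the header fields after the ZIP signature exactly where the
# rule's offsets expect them; in the second, "YT" sits past its 11-byte window.
MATCHING = (b"Content-Transfer-Encoding: base64\r\n\r\n"
            b"UEsDBBQAAAAIAHWCYTB3bXBEQmAAAAH4sICAAAAAAAAA\r\n")
NOT_MATCHING = (b"Content-Transfer-Encoding: base64\r\n\r\n"
                b"UEsDBBQAAAAIAHWCB3bXBEQmAAAAYTH4sICAAAAA\r\n")
```

Note that the second and third contents depend on header fields (date, CRC, sizes) that are specific to the Bagle.dk samples, so an arbitrary ZIP attachment such as the one built above only satisfies the first content, not the whole chain.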


Oracle Worm Proof-of-concept

Published: 2005-11-01
Last Updated: 2005-11-01 17:25:01 UTC
by Joshua Wright (Version: 1)
0 comment(s)
On Monday (31-OCT-2005), an anonymous developer on the Full-Disclosure mailing list contributed a post titled "Trick or Treat Larry", disclosing a proof-of-concept worm that targets Oracle databases with default user accounts and passwords.

The worm uses the UTL_TCP package to scan for remote Oracle databases on the same local network.  Upon finding another database, it retrieves the SID and tries several default username and password combinations to log in to the remote database.  Currently, the default username/password list includes:
  • system/manager
  • sys/change_on_install
  • dbsnmp/dbsnmp
  • outln/outln
  • scott/tiger
  • mdsys/mdsys
  • ordcommon/ordcommon
When the worm discovers a default username and password, it creates a table "X" in the current user's schema with a date column called "Y".  This could easily be changed to a more dramatic payload.

In its current state, the worm isn't a terribly significant threat.  However, it can be treated as an early warning sign for future variants of the worm that include additional propagation methods.  Oracle DBAs can take several actions to mitigate the effect of this worm and possible future variants:
  • Change the Oracle listener from the default port of TCP/1521 (and set a listener password while you are at it)
  • Drop or lock default user accounts if possible.  Ensure all default accounts do not use default passwords.
  • Revoke the privileges granted to PUBLIC on the UTL_TCP and UTL_INADDR packages.
  • Revoke CREATE DATABASE LINK privileges granted to users who do not need to link to remote databases, including the CONNECT role.
More information is available at the following resources:

http://www.red-database-security.com/advisory/oracle_worm_voyager.html
http://www.petefinnigan.com/weblog/archives/00000606.htm

If you are concerned about or interested in Oracle security issues, a wonderful resource for keeping current is Pete Finnigan's blog at www.petefinnigan.com/weblog/.  I make it a point to check Pete's blog every day and I'm never disappointed.

Mac OS X security updates

Published: 2005-11-01
Last Updated: 2005-11-01 01:54:53 UTC
by Jason Lam (Version: 2)
0 comment(s)
Apple has released security updates for OS X. The new version, 10.4.3, addresses issues in Finder, Software Update, memberd, Keychain and Kernel. It's time for the Mac folks to patch their boxes.

OS X 10.4.3 can be downloaded from http://www.apple.com/support/downloads/