Manager's Briefing for Microsoft Security Bulletins, MS04-036 Exploit Code, VERITAS Security Patch, Comxt Alternate Data Stream Trojan

Published: 2004-10-15
Last Updated: 2004-10-16 14:09:32 UTC
by Lenny Zeltser (Version: 1)
0 comment(s)
Senior IT manager's briefing for this month's Microsoft Security Bulletins


Hot off the press: Marcus Sachs put together a set of PowerPoint slides that provide an overview of this month's Microsoft Security Bulletins from the perspective of senior IT managers. The briefing provides high-level descriptions of the vulnerabilities, explains their relevance, and suggests corrective actions.

Power Point File: http://isc.sans.org/presentations/MS04Oct.ppt
Proof-of-concept exploit for the Windows NNTP vulnerability (MS04-036)


If you were wondering how quickly you needed to apply the patches that Microsoft released a couple of days ago, please keep in mind that proof-of-concept exploit code for the Windows NNTP vulnerability (MS04-036) is publicly available. The recent Core Security advisory includes the exploit code, and provides detailed technical information about the vulnerability, which they seem to have reported to Microsoft in mid-August. The Core Security advisory was published just hours after the patches became publicly available--this is a good illustration of the rapidly shrinking time window in which you need to apply security patches. ( http://www.coresecurity.com/common/showdoc.php?idx=420&idxseccion=10 )


A "serious" security vulnerability in VERITAS Cluster Server


VERITAS issued patches to address the "potential for a serious system security breach" in VERITAS Cluster Server for all UNIX platforms. According to the company's advisory, the recently-discovered flaw may provide the attacker with unauthorized root access to the server. ( http://seer.support.veritas.com/docs/271040.htm )


It's tough to assess the severity of this vulnerability, because the advisory doesn't provide any details regarding the issue. Is the problem exploitable over the network, or is local access to the server required? How difficult is it for the attacker to exploit the vulnerability? The generic advice is often to apply the patch as soon as possible; however, real-world system administrators need additional information to prioritize the issue, weighing its risk against other technical and business concerns.


A note at the bottom of the VERITAS advisory suggests that its customers may be able to obtain additional information about the patches by contacting VERITAS Technical Support.


The Comxt trojan and the use of NTFS Alternate Data Streams


The Comxt trojan is somewhat unusual in that it uses NTFS Alternate Data Streams (ADS) to hide its presence in a directory. Although this is not the first such malware specimen, the use of ADS for hiding malicious executable code is not yet widespread. More information about the Comxt trojan is available at:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.comxt.html


If you have a copy of Comxt, and don't mind sharing it with us, please send it our way. To learn about ADS take a look at the Hidden Threat: Alternate Data Streams article at:

http://www.windowsecurity.com/articles/Alternate_Data_Streams.html


The article mentions several tools that can detect the presence of ADS on your system. In addition, you may want to check out the Stream Shell Extensions utility that Ryan Means created as part of his GCWN practical write-up on the topic. Ryan's utility adds a "Streams" tab to Windows Explorer when you look at a file's properties; the tab allows you to view and delete streams hidden in the file. You can access the utility and the paper at the following URLs:

http://www.giac.org/practical/GCWN/Ryan_Means_GCWN.zip

http://www.giac.org/practical/GCWN/Ryan_Means_GCWN.pdf


Note that anti-virus software varies in its ability to detect malware in ADS. When fellow handler Ed Skoudis tested anti-virus products for his June 2004 Information Security article, he found that only "Network Associates detected malware in ADSes during both on-demand and real-time scans with its default configuration... Default real-time protection against ADS-borne malware is also provided by Computer Associates (CA), F-Secure, Grisoft, Panda Software and Sophos." ( http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss407_art803,00.html )



Lenny Zeltser

ISC Handler of the Day

http://www.zeltser.com
Keywords:
0 comment(s)

Comments


Diary Archives