OpenOffice.org has additional security notes on their site that address the three specific issues:

• Java Applets
  
  It is possible for some Java applets to break out of the secure "sandbox" in which they are normally constrained.  The  applet code could potentially have access to the entire system with whatever privileges the current user has.
  
  A workaround is provided to temporarily disable support for Java applets.  Instructions are provided for both 1.1.x and 2.0.x.
  

• Macros
  
  A flaw with the macro mechanism could allow an attacker to include certain macros that would be executed even if the user has disabled document macros.  Such macros could potentially have access to the entire system with whatever privileges the current user has.
  
  There is no workaround for this issue
  

• File Format
  
  A flaw in the parsing of the XML file formats allows for possible buffer overflows in specially malformed documents.  The buffer overflow can crash the OpenOffice.org application and might be exploitable for arbitrary code-execution.
  
  There is no workaround for this issue.
  

Cisco has released a vulnerability disclosure for their Wireless Access Points:

http://www.cisco.com/warp/public/707/cisco-sa-20060628-ap.shtml

The vuln is in the web interface for the APs and could allow wiping of the security config and access to the administrative interface without authentication.

To quote Cisco:

A vulnerability exists in the access point web-browser interface when Security > Admin Access is changed from Default Authentication (Global Password) to Local User List Only (Individual Passwords). This results in the access point being re-configured with no security, either Global Password or Individual Passwords, enabled. This allows for open access to the access point via the web-browser interface or via the console port with no validation of user credentials.

The following access points are affected if running Cisco IOS® Software Release 12.3(8)JA or 12.3(8)JA1 and are configured for web-interface management:

• 350 Wireless Access Point and Wireless Bridge
  
• 1100 Wireless Access Point
  
• 1130 Wireless Access Point
  
• 1200 Wireless Access Point
  
• 1240 Wireless Access Point
  
• 1310 Wireless Bridge
  
• 1410 Wireless Access Point

Apple announced yesterday that a new version of OSX (10.4.7) is available and recommended for all users:

To quote the announcement:

It includes fixes for:
- preventing AFP deadlocks and dropped connections
- saving Adobe and Quark documents to AFP mounted volumes
- Bluetooth file transfers, pairing and connecting to a Bluetooth mouse, and syncing to mobile phones
- audio playback in QuickTime, iTunes, Final Cut Pro, and Soundtrack Pro applications
- ensuring icons are spaced correctly when viewed on desktop
- determining the space required to burn folders
- iChat audio and video connectivity, creating chat rooms when using AIM
- importing files into Keynote 3
- PDF workflows when using iCal and iPhoto
- reliable use of Automator actions within workflows
- importing and removing fonts in Font Book
- syncing addresses, bookmarks, calendar events and files to .Mac
- compatibility with third party applications and devices
- previous standalone security updates

SHA1: MacOSXUpd10.4.7Intel.dmg = 2a25ed61d586b71ba7282fb896b2c910785ff358

SHA1: MacOSXUpd10.4.7PPC.dmg= 223d1fc9197a6a96c9d2f2a9110d37abc219c3a6

We've seen a lot of new malware being spammed in last couple of hours.

First malware exploits an old vulnerability in Microsoft Word, MS01-034 (http://www.microsoft.com/technet/security/Bulletin/MS01-034.mspx). This vulnerability allows an attacker to execute embedded macros no matter what the user set his Microsoft Word to. Of course, as this is a pretty old vulnerability, only terribly outdated installations will be affected. If you are running any newer version of Microsoft Word, macro settings are on High by default so only macros signed by trusted sources are executed - all other macros are disabled. A user would have to change this setting to Medium (so they get asked) or Low in order to run this macro.The Word document comes in a ZIP file and, once executed, installs a Trojan. Detection on the Word document is pretty good at the moment.
The document pretends to list computer prices:



The other malware is a plain old (and boring?) downloader, but we've seen a large number of e-mails being spammed with it. The downloader uses typical social engineering to trick user into opening the archive. Besides the e-mail telling user there's a nice photo in the attachment, the executable name will be like DC0019.JPG__[lots of _]__JPG.exe.
The executable always seems to be in a ZIP archive, but sometimes it is encrypted (and in this case the password is in the e-mail body) and sometimes it's not.

Once executed, the downloader will install on the system and try to download two files:

http:// 206.204.52.54  /img/util/logo_nav.jpg

which is a Symantec logo (more social engineering) and

http:// 218.239.223.224 /flash/menu.swf

this is a site in Korea and the last time we checked the file was not there.

AV detection is pretty low at the moment and only couple of AV products detected this: Symantec, NOD32, Norman, Trend Micro, Sophos. They either detect it as a downloader or generically (Bloodhound.W32.EP in Symantec's case).

The original patch from Microsoft caused issues with dialup.  A new patch was released June 21 (or thereabouts) that addressed this issue.  Exploit code is available that leverages this issue.  This allows an authenticated attacker to execute arbitrary code on Windows 2000 and XP SP2 systems.  Previous versions allow unauthenticated attackers to execute arbitrary code, this you garden-variety "bad-thing(tm)."

Over this weekend, ham radio operators (who aren't at the World Cup) are participating in an annual emergency communications preparations exercise known as Field Day (http://en.wikipedia.org/wiki/Field_day).  It emphasizes the use of emergency and alternative power sources.  In the spirit of this exercise I'm running on backup power today to determine how long my setup will last and work out the bugs.

It has not been going smoothly today, but that's the point of the exercise I suppose.

How long can your critical systems operate without grid power?

Microsoft recently released a report on the statistics they are collecting via MSRT.

If you need to know what kinds of malware is being detected and removed by the Malicious software removal tool this is a great report. It only covers windows of course but that makes sense.

There is a nice executive summary but please read beyond that. One security trade publication clearly misread the summary and posted a misquote (62% of computers infected with backdoor). That is not what the report states. The 62% number is the percentage of machines that had malware removed from them by MSRT AND had a backdoor installed on them. Restated more then ½ of the machines where an infection was detected and removed also had remote control backdoors on them. No surprise there really. Although there are ways for the hackers to use a system without a backdoor tool installed for the most part the hackers want to be able to remotely upgrade and control systems they have compromised.

The actual report comes from the Rapid Response Team Waggener Edstrom Worldwide.

Overall the report is very good. There are lots of nice charts and graphs. The author did a good job normalizing statistics but also provided the unnormalized view. They don't really mention false negatives until nearly the end of the document. I do not completely agree with their malware categories however since those are well defined up front I had no problem understanding what they meant by email worm, p2p worm, im worm exploit worm, backdoor Trojan, rootkit or virus. They also claim that MSRT is part of a defense in depth even when you have another antivirus package installed. Due to its lack of realtime protection I would say its not defense at all. Its reactive and only comes into play after the fact of infection. Since it is also fairly limited in the malware it detects and the signatures are usually only updated once a month I don't know of any current antivirus package that would miss a virus that MSRT would detect. So I do not agree this provides defense in depth. I do however see serious benifit to running MSRT. It certainally has contributed to the effort of getting infected systems cleaned.

Some other fun facts I gleaned from this report:
MSRT only removes live malware or malware that will be autorun during a reboot.
1 computer in 355 had malware that was recognized and removed.
5% of the root kits removed were WinNT/F4IRootkit (aka the sony root kit) with about 420k removals from 250k machines.
35% of the computer infected were infected via the end user clicking or opening something.
20% of the computers cleaned had been infected sometime in the past. 

So if you have a little time and you are interested in malware propagation I recommend reading this report.

A new version of BIND 9.3.3b1 was recently released. The changes file had one security fix listed. That fix addresses a ddos reflection issue.

ISSUE:
Some services respond to potentially spoofed udp packets. 

MITIGATION:
Upgrade to bind 9.3.3b1.

Drop udp packets from standard services ports 7,13,19, 37 and 464 (echo, daytime, chargen, time, and kpasswd) towards your DNS server(s). You will probably never see any valid queries from such a low port. In general dns queries should be sourced from ports > 1024.

Disable or restrict access to UDP services that don't need to be open to the internet.

Detailed Description:
The basic issue here is very old. It was originally reported in 1999. The CVE number for it is CVE-1999-0103. http://nvd.nist.gov/nvd.cfm?cvename=CVE-1999-0103
"Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm."  

If you consider DNS to be one side of an "other combination" of UDP services this is not new. What is new is that this version of bind will not send FORMERR packets if the original packet came from the set of well known UDP ports listed above. ISC.ORG has added some code to mitigate attacks with well known spoofed source ports. I do not know of any other DNS software vendor that has added this capability.

7 years ago CERT and others warned us not to leave things like echo and chargen open.
However some OSes and network equipment vendors still ship products with those types of services enabled by default and open to the world. Those services haven't not been in common usage since the 1990's.

From the CHANGES file from 9.3.3b1 source code directory.
--- 9.3.3b1 released ---
<SNIP>
1951.    [security]           Drop queries from particular well known ports.
<SNIP>

• Don't go with the lowest bidder. You still rely on the hosting company to maintain the server and there is not much maintenance that can be done for $1/month.
• Check references. Look at sites like zone-h.org for defacement history and netcraft.com for stats like uptime.
• Keep solid backups of your files on a local system!
• Avoid files and directories that are writeable by anybody but yourself. In particular, avoid files writable by the web server.
• Do not rely on any access control provided by php/perl/cgi scripts. Other users may bypass it with their own scripts.

• know your customers. Avoid handing out accounts before billing details are validated. Try to verify credit card payments by phone.
• consider virtual systems (xen, vmware...). While not perfect, its a lot better then housing all users on the same system.
• chrooted user accounts can be almost as good as virtual hosts. But they can be hard to maintain, and they still use the same web server process which may cross over chrooted users.
• monitor user activity carefully.
• use a host based IDS to detect intrusions quickly.
• got backups?
  

Downloader.Booli.A may arrive on the compromised computer, dropped by Trojan.Mdropper.J, with the following name:

%System%\svc.exe

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

When Downloader.Booli.A is executed, it performs the following actions:

1. Attempts to run Internet Explorer and inject its code into Internet Explorer to potentially bypass firewalls.
   
2. Attempts to download a file from the following location:
   [http://]210.6.90.153:7890/svcho[REMOVED]
   Note: At the time of writing the remote file was not available.
   
3. Saves the file as the following and if the download was successful, executes the file:
   c:\temp.exe
   
4. Creates an empty file before exiting:
   c:\bool.ini

http://www.sendmail.org/releases/8.13.7.html
http://www.kb.cert.org/vuls/id/146718

• Microsoft Exchange 2000 Server Pack 3 with the August 2004 Exchange 2000 Server Post-Service Pack 3 Update Rollup
• Microsoft Exchange Server 2003 Service Pack 1
• Microsoft Exchange Server 2003 Service Pack 2

• http://isc.sans.org/diary.php?storyid=1398
• http://isc.sans.org/diary.php?storyid=1399

• Block packets with source routing options in the firewall. According to Microsoft "IP source route options 131 and 137" are the dangerous ones, but why would you allow source routing through your firewall anyway?
• Personal firewall might help as well
• Disable source routing in windows by setting a registry key (see the Microsoft bulletin for details) [highly recommended action, even if you patched already]
  

• MS06-021 Cumulative patch for Internet Explorer - Critical
  
• MS06-022 ART image library buffer overflow - Critical
  
• MS06-023 Microsoft JScript memory corruption - Critical
  
• MS06-024 Windows media player - Critical
  
• MS06-025 RRAS - Critical
  
• MS06-026 Graphics rendering engine remote code execution - Critical
• MS06-027 Word remote code execution - Critical
• MS06-028 Powerpoint remote code execution -Critical
  
• MS06-029 Exchange - Important
  
• MS06-030 SMB privilege escalation - Important
  
• MS06-031 RPC mutual authentication spoofing - Moderate
  
• MS06-032 IP source routing allows remote code execution - Important

• MS06-011

• Do not login as administrator or with an account with administative rights, it's dangerous.
• Consider switching to an alternative browser, they work really well and it makes the lives of the hackers harder is not all of us use the same browser with the same vulnerabilities.
  

Detection

Analysis

Lessons?

As always learning lessons is the most important part of handling incidents. Anti-virus doesn't do much for you when the malware is not detected obviously. So we should learn not to place all our trust in that channel for detecting malware. Robert detected this piece of malware through an IDS and correlation of logs. Monitoring your outgoing traffic, even in the absense of an IDS could do this trick. Looking for spikes in outgoing email is a good way to detect unexpected spam bots such as these. The blocking of the traditional sites using a hosts file is also a good thing to build monitoring for. If it gets used you know there's something going on and a second look wil be well spent effort.

Removal? Well once you deal with dozens of pieces of malware embedding itself left and right your luck in getting it off painlessly ran out.

Finding all that went wrong is very hard as you might be looking at malware being pulled in that changes in between the machine got it and you go and get it again, potentially changing (thus invalidating) much of the results.

Proactively keeping all systems up to date is good and helps, but making sure the really secret stuff cannot reside or even be consulted from a machine connected somehow to the Internet is a good step as well. A good place to build this is in a data classification (actually handling) policy. Define the most critical information assets and isolate them.

At this point we have not identified the intial infection vector yet.

--
Bojan Zdrnja
Swa Frantzen

• Tcp stream properly reassembled after failed sequence check, which may lead to possible detection evasion.
• Added configurable stream flushpoints.
• Improved rpc processing.
• Improved portscan detection.
• Improved http request processing and handling of possible evasion cases.
• Improved performance monitoring.

• Initialize and script ActiveX controls not marked as safe for scripting
• Access data sources across domains