SANS ISC: Redhat Kernel Packages (one AMD64 CVE security item), Bagel AV Vendor Summary - SANS Internet Storm Center

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

"Updated kernel packages available for Red Hat Enterprise Linux 3"

Advisory: RHSA-2004:017-06
"On AMD64 systems, a fix was made to the eflags checking in 32-bit ptrace emulation that could have allowed local users to elevate their privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0001 to this issue."
http://rhn.redhat.com/errata/RHSA-2004-017.html

Affected Products:
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)

CVEs (cve.mitre.org): CAN-2004-0001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0001

Bagel AV Vendor Summary

Reports to the ISC indicate that AV gateways intercepting this worm and configured to "Autoreply" to the spoofed "From:" source are once again causing needless congestion (see SOBIG issues). Offenders should consider changing this configuration.

Three write-ups specify the worm's email will have an attachment "Length: 15,872 bytes" and one write-up says it is "an .exe file extension and consists of 3 - 11 randomly-generated lowercase characters."

After infection and initiation of it's email routine AV write-ups state that Bagel "will initialize and open a TCP socket in listening mode on port 6777."

The Trojan Retrieval Routine consists of:

"[HTTP connection]
HTTP GET REQUEST
GET /1.php?p=6777&id=[uid value, same value as used in the registry key]
User-Agent: beagle_beagle"

In AV Vendor write-ups so far the worm has hardcoded URLS which have not had 1.php available.

One Vendor (TrendMicro) cryptically reports "This worm may perform port scanning to connect to a remote system."

http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html
http://vil.nai.com/vil/content/v_100965.htm
http://www3.ca.com/virusinfo/virus.aspx?ID=38019
http://www.sophos.com/virusinfo/analyses/w32baglea.html
http://www.f-prot.com/virusinfo/descriptions/bagle_a.html
http://www.messagelabs.com/viruseye/threats/list/default.asp
http://wtc.trendmicro.com/wtc/summary.asp

Patrick Nolan