In This Issue:
- Anti-Nimda Software
- Symantec Flaw
- Top Vulnerabilities
- MS Security (Malformed Excel or PowerPoint Document Can Bypass Macro Security)
- Tracking Competitors
- Macro Viruses (WM97/Blowup-A; WM97/Wrench-R; WM97/Marker-GM)
- Worms (VBS/Haptime-C; W32/Nimda; W32/Vote-A/B/C)
Everything associated with the Computer Knowledge Web site and newsletter is free for your education; but bandwidth costs money. If you need Web hosting services, computer tutorials or just want to send a gift please take a look at…
[Ad page taken down, please see if any of the sponsors have something you might need.]
A special welcome to our newest affiliate: CBT, International. They have tutorials on Access 97, Access 2000, Excel 97, Excel 2000, Lotus, PowerPoint 97, PowerPoint 2000, Outlook 97, Outlook 2000, QuickBooks, Quattro Pro, Windows 95, Windows 98, Word 97, Word 2000, WordPerfect, and WordPro. Learn at your computer while you work and slash your computer training costs!
[No longer affiliated.]
Anti-Nimda Software. Because Nimda is so active now there have been reported instances of E-mails from the Security Focus Aris mailing list that claim to have anti-Nimda software from Trend Micro attached. Beware! The attachment is really a remote access Trojan. Do not fall for this. Anti-virus software companies do not send out unsolicited E-mails with program attachments!
Symantec Flaw. Symantec has confirmed a flaw in the LiveUpdate component of its anti-virus software. Version 1.4 of LiveUpdate is the seriously affected one; version 1.6 has a minor flaw that is not nearly as serious. Because of the way it looks for updates, LiveUpdate 1.4 can be hijacked using DNS attacks and could be forced to download hostile software. This would only be possible if the attacker knew the exact structure of Symantec’s site, but it could be a problem. Version 1.6 does not have this vulnerability, but it can be prevented from receiving any updates, even when they are available, by means of a network performance degradation attack. Bottom line: Update LiveUpdate to version 1.6 if you are still using version 1.4.
Top Vulnerabilities.
1. Default installs of operating systems and applications
2. Accounts with no passwords or weak passwords
3. Non-existent or incomplete backups
4. Large number of open ports
5. Not filtering packets for correct incoming and outgoing addresses
6. Non-existent or incomplete logging
7. Vulnerable CGI programs
8. Unicode vulnerability (Web Server Folder Traversal)
9. ISAPI extension buffer overflows
10. IIS RDS exploit (Microsoft Remote Data Services)
11. NETBIOS — unprotected Windows networking shares
12. Information leakage via null session connections
13. Weak hashing in SAM (LM hash)
14. Buffer overflows in RPC services
15. Sendmail vulnerabilities
16. Bind weaknesses
17. R Commands
18. LPD (remote print protocol daemon)
19. sadmind and mountd
20. Default SNMP strings
- Malformed Excel or PowerPoint Document Can Bypass Macro Security. It is possible to create an Excel or PowerPoint document that bypasses the normal security checks for macros when the document is opened. Using this bypass, someone could potentially create a document that would automatically carry out hostile code. A patch is available. For more info: http://www.microsoft.com/technet/security/bulletin/ms01-050.mspx
Tracking Competitors. Most in business would love to know what their competitor(s) plan to do. It’s a difficult thing to do, but there are some ways to obtain information you might not have thought of. I’ll list a few of them here for your consideration; and, don’t forget that your competitor(s) may also be watching you via these methods.
- Your competitor’s Web site. It’s actually amazing how much useful information a company will put on their Web site on the theory that it will help their customers. While it likely will, it can also help competitors. Even the support section could help tell a competitor where the problems are.
- Public filings. Public companies must make public filings with the U.S. Securities and Exchange Commission. These are placed into their EDGAR database and, once there, can be searched over the Internet: http://www.sec.gov/edaux/searches.htm
- Usenet postings. It’s amazing what gets posted in the Usenet newsgroups. There you can find facts, gossip, and just plain wrong information. But, by collecting all you can relative to a particular company, you just might get some idea about what direction they are going. The old Dejanews database is now at http://groups.google.com/
- Local information. If your competitor is in another city, subscribe to that city’s newspaper and scan it for local reporting about that competitor. Don’t forget to check the want ads to see what positions they are trying to fill. Further, the ad sections of these papers will often be where public notices are published. These public notices may give information about building permit applications and other matters relating to your competitor.
- Government. Check the EPA and OSHA for reports and inspections. Check the U.S. Patent and Trademark office for patents.
- Literature. What are your competitor’s employees working on? You might be able to find out if they are giving talks at conventions and/or publishing papers in scientific journals. The same information might be gathered at trade shows.
Warranty. It used to be that you didn’t have to read the warranty information too closely; a company would just stand by its product(s). Then warranties became more complicated and more specific in what they covered. With computers they mutated yet again into shrink-wrapped agreements and agreements that could be changed at whim by product-makers. Even in these, “lifetime” at least meant either your lifetime or the lifetime of the company, and that was understood. No more. Now the word “lifetime” in a warranty is being defined as “…the period of time during which the product is an active [company] product” [emphasis added]. In short, if you buy a product and the company decides to discontinue it, the product may also fall out of warranty, forcing you to upgrade if you want any support at all. Bottom line: Actually read all warranties.
Steganography. All sorts of speculation has taken place about secret communications since September 11th. One of the methods of communications speculated about is steganography: the science of placing information within information. Hiding text within an image is the most common example cited. It’s done by changing a few of the least significant bit color values in a pattern that represents the text to be transmitted. Changing these color values would result in an image essentially unchanged since the changes could not be seen by the naked eye; but the information is still there. The speculation was that images on eBay were being used to transmit instructions. While certainly possible, a study done by the University of Michigan did not turn up a single instance of encoded information in the two million images examined by them.
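To make the least-significant-bit method concrete, here is an added example (written for this page, not code from the newsletter or from the Michigan study) that hides a short string in the low bit of each value of a constructed grayscale pixel array, recovers it, and measures how little each pixel moved; the pixel values and message are made up here.

```python
# Added example: least-significant-bit (LSB) text hiding in a toy 8-bit
# grayscale "image" (a constructed list of pixel values, not a real picture
# file), with the matching extractor and a check of how little the pixels move.

COVER = [(i * 37) % 256 for i in range(512)]   # constructed cover pixels


def embed_lsb(pixels, message):
    """Return a copy of pixels whose lowest bits carry a 16-bit length + message."""
    data = message.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("message too long for the 16-bit length header")
    payload = len(data).to_bytes(2, "big") + data
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover too small: need %d pixels, have %d" % (len(bits), len(pixels)))
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit    # touch only the least significant bit
    return out


def extract_lsb(pixels):
    """Reverse of embed_lsb: read the 16-bit length, then that many bytes."""
    def read_bytes(start, count):
        result = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (pixels[start + b * 8 + i] & 1)
            result.append(value)
        return bytes(result)
    length = int.from_bytes(read_bytes(0, 2), "big")
    return read_bytes(16, length).decode("utf-8")


def max_pixel_change(original, stego):
    """Largest per-pixel difference; for LSB embedding it is never more than 1."""
    return max(abs(a - b) for a, b in zip(original, stego))


if __name__ == "__main__":
    stego = embed_lsb(COVER, "stego test")
    print(extract_lsb(stego), max_pixel_change(COVER, stego))
```

A change of at most one level out of 256 per pixel is why the naked eye cannot see the difference, and also why detection has to rely on statistics of the bit plane rather than on looking at the picture.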
There are a number of new viruses described this month. They are listed below.
Don’t forget our virus tutorial site (recently updated!).
More complete descriptions of most of these viruses can be found at the Sophos or F-Secure web sites:
- WM97/Blowup-A. A Word macro virus. It drops INFO.UUE into C:\. This file is an encoded version of a file named INFO.ZIP which, itself, contains INFO.HTM. This HTM file attacks the government of Cuba. Blowup changes the user name, initials and address within Word. It also displays an error message if the Alt+F11 keychord is pressed.
- WM97/Wrench-R. A Word macro virus dropper. The file ASCII.VXD is dropped into the root directory but is only a text version of the virus text and not active.
- WM97/Marker-GM. A corrupted version of Marker-C. As with all Marker viruses it attempts to FTP your user info to the Codebreakers site and also adds this information to the bottom of the macro so it is sent to the next person infected.
- VBS/Haptime-C. A script worm that uses Outlook Express 5.0 to spread. It infects VBS, HTML, HTM, HTT, and ASP files and tries to delete EXE and DLL files when day+month=13 (e.g., 1 Dec).
- W32/Nimda. This beast has several methods of spreading and a number of different attributes that make it interesting (as well as dangerous). Rather than take up the room to fully describe Nimda here I’ve added it to the Virus Tutorial. B and C variants of Nimda exist. These make small changes in attempts to avoid detection.
- W32/Vote-A and Troj/Barrio. The Vote worm attempts to suck you in with references to the 11 Sept attacks and an attachment called WTC.EXE. It arrives with the subject “Fwd:Peace BeTweeN AmeriCa And IsLaM !”. If you happen to have a lapse and actually run the WTC.EXE file, the worm will send itself to your Outlook address book. It will also drop MIXDALAL.VBS into the Windows directory. This file searches all drives (local or network) for HTM and HTML files and overwrites them. The browser home page is also set to “us.f1.yahoofs.com”, and when you go there it will download the file TIMEUPDATE.EXE, which is a password-stealing Trojan. The worm also tries to remove anti-virus software. Finally, the worm drops ZACKER.VBS into the Windows System directory and sets the registry so it runs on system start. This script tries to delete all files in the Windows folder and adds a line to the AUTOEXEC.BAT file that formats the hard drive on the next system start. It finally shows a message box and tries to shut Windows down.
- W32/Vote-B. A worm similar to Vote-A but looking less like the work of a hacker (e.g., fewer mixed case words in the E-mail message). The attached file is ANTI_TERRORISM.EXE. The worm functions much like Vote-A except that the script names are different.
- W32/Vote-C. A combination of Vote-A and Vote-B.
In closing: Be careful in today’s world. Being a skeptic is healthy.