New worms talk and sniff their way through networks
Antivirus companies are warning of two unusual worms circulating in the wild: one that talks to its victims, and one that installs a network sniffer to monitor traffic on a LAN. The more serious of the two is the latest iteration of Sdbot, which installs a bot with a sniffer that watches NetBIOS Extended User Interface (NetBEUI) traffic and harvests usernames and passwords that cross the LAN in cleartext, particularly those used for system administration, e-mail, PayPal accounts and online banking applications. Though the worm is considered dangerous, Trend Micro, which discovered it, says infection rates have been low to date and that anyone with updated AV software should be shielded from infection.
Less dangerous but just as novel is Amus-A, a mass-mailer that plays an embedded audio message to its victims. The worm arrives with the subject line "Listen and smile" and the body text "Hey, I beg your pardon. You must listen." Those unlucky enough to open the masum.exe attachment are then treated to a female robotic voice that says, "How are you? I am back. My name is mister hamsi. I am seeing you. Haaaaaaa…." The worm also carries Turkish references: it tries to delete all .ini and .dll files from the Windows folder and changes Internet Explorer settings to display a Turkish message that translates as: "What difference does it make if you get connected or not. The local line quality is terrible anyway." Enterprises should update their AV software to prevent network infections.
Samba fixes denial-of-service vulnerabilities
Samba recommends that users download patches to fix two denial-of-service vulnerabilities in Samba 3.x. The first is a defect in smbd's ASN.1 parsing that could allow an unauthenticated user "to cause smbd to spawn new processes; each one entering an infinite loop," Samba's advisory said. "After sending a sufficient amount of packets it is possible to exhaust the memory resources on the server." The second is a defect in nmbd's processing of mailslot packets that could allow an attacker to remotely crash the nmbd daemon.
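Until the patches are on, the symptom the advisory describes is easy to hunt for: a pile of smbd children, each spinning in an infinite loop, that keeps growing until memory runs out. The following is an added example written for this page, not code from the Samba project. It parses the output of `ps -eo pid,pcpu,rss,comm`; the sample output and the thresholds (cpu_floor, max_spinning) are constructed for the illustration and should be tuned per host.

```python
"""Added example, not Samba project code: flag a host where many smbd
processes are pegged at full CPU, the symptom of the ASN.1 parsing DoS.
The ps output below is constructed for the demonstration."""

SAMPLE_PS = """\
  PID %CPU   RSS COMMAND
  812  0.0  4120 smbd
  813  0.0  2048 nmbd
 1201 99.1  4200 smbd
 1202 98.7  4196 smbd
 1203 99.3  4208 smbd
 1204 98.9  4212 smbd
 1330  2.1 15200 sshd
"""


def parse_ps(text):
    """Turn `ps -eo pid,pcpu,rss,comm` output into dicts, skipping the header
    line.  The command name is the remainder of the line, so names containing
    spaces survive."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue
        pid, cpu, rss, comm = parts
        rows.append({"pid": int(pid), "cpu": float(cpu),
                     "rss_kb": int(rss), "comm": comm})
    return rows


def assess_smbd(text, cpu_floor=90.0, max_spinning=3):
    """Report smbd process counts and raise `alert` when more than
    `max_spinning` smbd processes sit at or above `cpu_floor` percent CPU.
    Idle per-client smbd workers run near 0% and are not counted as spinning;
    thresholds are assumptions for this example."""
    smbd = [r for r in parse_ps(text) if r["comm"] == "smbd"]
    spinning = [r for r in smbd if r["cpu"] >= cpu_floor]
    return {
        "smbd_total": len(smbd),
        "spinning": len(spinning),
        "spinning_pids": [r["pid"] for r in spinning],
        "smbd_rss_kb": sum(r["rss_kb"] for r in smbd),
        "alert": len(spinning) > max_spinning,
    }


if __name__ == "__main__":
    # Feed real output with: ps -eo pid,pcpu,rss,comm | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PS
    print(assess_smbd(text))
```

Four spinning smbd processes out of five trip the alert on the sample; the RSS total is reported alongside because the advisory's end state is memory exhaustion, so a rising total with a rising spinning count is the signal to act on rather than a single snapshot.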
Gentoo Linux 1.x updated against Usermin flaws
Gentoo has released updated packages for Gentoo Linux 1.x to fix two vulnerabilities in Usermin's Webmail module. The first is an input validation bug in the Webmail feature; the second is a flaw in which the Webmin and Usermin installation scripts write to /tmp/.webmin without first checking whether that path already exists. "The first vulnerability allows a remote attacker to inject arbitrary shell code in a specially crafted e-mail," the advisory said. "This could lead to remote code execution with the privileges of the user running Webmin or Usermin." The second problem, the advisory said, "could allow local users who know Webmin or Usermin is going to be installed to have arbitrary files be overwritten by creating a symlink by the name /tmp/.webmin that points to some target file, e.g. /etc/passwd." There is no known workaround; Gentoo recommends that users install the updates.
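The /tmp/.webmin problem is the classic insecure temporary-file pattern: a privileged process opens a fixed, world-known name in a world-writable directory, and whoever gets there first decides where the write really lands. The following is an added example written for this page, not code from Webmin, Usermin or Gentoo. It reproduces the attack in a scratch directory that stands in for /tmp and /etc/passwd, so nothing on the real system is touched, runs it against a naive writer, and then shows the open flags that defeat it. The function names and the sample file contents are constructed for the illustration.

```python
"""Added example (not Webmin/Usermin/Gentoo code): the /tmp/.webmin symlink
attack and its fix, run in a scratch directory instead of the real /tmp."""
import errno
import os
import tempfile

# Constructed stand-in for the contents of /etc/passwd.
PASSWD_SAMPLE = b"root:x:0:0:root:/root:/bin/sh\n"


def naive_write(path, data):
    """The vulnerable pattern: plain open() follows a symlink already sitting
    at `path` and truncates whatever it points to, with the caller's
    privileges (root, for an installer)."""
    with open(path, "wb") as f:
        f.write(data)


def safe_write(path, data):
    """Create `path` only if nothing is there yet.  O_CREAT|O_EXCL makes the
    exists-check and the create a single atomic step and fails with EEXIST
    when the name is a symlink, even a dangling one, so there is no
    stat-then-open window for an attacker to plant a link in.  O_NOFOLLOW is
    added where the platform defines it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def run_attack(writer):
    """Plant a symlink where the installer will write, run `writer`, and
    return (write_succeeded, contents of the target file afterwards)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "passwd")   # stands in for /etc/passwd
        with open(target, "wb") as f:
            f.write(PASSWD_SAMPLE)
        link = os.path.join(tmp, ".webmin")    # stands in for /tmp/.webmin
        os.symlink(target, link)               # the local attacker gets here first
        try:
            writer(link, b"installer state\n")
            succeeded = True
        except OSError as e:
            # EEXIST from O_EXCL, ELOOP from O_NOFOLLOW, depending on platform
            if e.errno not in (errno.EEXIST, errno.ELOOP):
                raise
            succeeded = False
        with open(target, "rb") as f:
            return succeeded, f.read()


if __name__ == "__main__":
    print("naive:", run_attack(naive_write))   # (True, b'installer state\n')
    print("safe: ", run_attack(safe_write))    # (False, PASSWD_SAMPLE)
```

With the naive writer the stand-in passwd file ends up holding the installer's data; with the hardened writer the open fails and the target is untouched. For files that are genuinely temporary the simpler fix is tempfile.mkstemp, which picks an unpredictable name and uses the same exclusive create underneath; a fixed, well-known name such as /tmp/.webmin should not be used for privileged writes at all.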