Chinese Web sites attack U.S. government networks
Chinese Web sites are doggedly targeting computer networks in the Defense Department and other U.S. agencies, compromising hundreds of unclassified networks, The Washington Post reported Thursday. The newspaper attributed this to several unnamed officials who said the attacks haven't compromised classified systems. But they remain concerned because, as one official said, even seemingly innocuous information, when pulled together from various sources, can paint a valuable picture of an adversary's strengths and weaknesses.
"The scope of this thing is surprisingly big," said one of four government officials quoted in the Post report. The sources spoke separately about the incidents, which stretch back as far as two or three years and have been code-named Titan Rain by U.S. investigators. U.S. analysts are divided on whether the attacks are a coordinated Chinese government campaign to penetrate U.S. networks or the handiwork of other hackers using Chinese networks to disguise the origins of the attacks. "It's not just the Defense Department but a wide variety of networks that have been hit," including the departments of State, Energy and Homeland Security as well as defense contractors, one official said. "This is an ongoing, organized attempt to siphon off information from our unclassified systems." But another official cautioned against exaggerating the severity of the intrusions. He said the attacks, while constituting "a large volume," were "not the biggest thing going on out there."
Kelvir-HI spreads through IM
The latest Kelvir variant is using IM to spread, dropping a second worm onto the machines it infects, according to Cupertino, Calif.-based Symantec. The antivirus giant said in an advisory that W32.Kelvir-HI drops a copy of W32.Spybot-Worm and spreads through MSN Messenger. Users of Windows 95, 98, NT, 2000, ME, XP and Server 2003 are affected. Symantec said the worm will periodically input messages like this into any active IM window: "haha i found your picture!" The messages can be sent in about 10 different languages. The message may also include the following URL, which contains a copy of the worm: [http://]images.rottentomatoes.us/[REMOVED]/search.php?data=. Waltham, Mass.-based IMlogic said in an advisory that the worm is low risk at this point.
Symantec addresses flaw in enterprise products
Users of Symantec's AntiVirus Corporate Edition and Client Security products should upgrade to MR3 or later through the Platinum Support Web Site or FileConnect to guard against a vulnerability attackers could exploit to get elevated privileges, the Cupertino, Calif.-based antivirus giant said in an advisory. "In the vulnerable product versions, the HTML help functionality assumes permissions from the Symantec AntiVirus Corporate Edition privileged access, rather than retaining the more restrictive user privileges assigned to a non-privileged logged-in user," Symantec said. "By manipulating the GUI interface the non-privileged local user gains the ability to browse all system files or execute local system applications and programs with local system privilege." Affected products are AntiVirus Corporate Edition versions 9.0, 9.0.1 and 9.0.2; and Client Security versions 2.0, 2.0.1 and 2.0.2.
Researchers weigh severity of new Windows flaw
Danish security firm Secunia says a new Windows flaw discovered by researcher Igor Franchuk is not critical. But some security experts worry it could be turned into a nasty exploit. Secunia released an advisory Wednesday about a weakness in Windows that attackers could use to hide certain information. "The weakness is caused due to an error in the Registry Editor Utility (regedt32.exe) when handling long string names," the firm said. "Successful exploitation makes it possible for malware to hide strings in the 'Run' registry key." Secunia confirmed the weakness in a fully updated Windows XP SP2 system and said it has also been reported in Windows 2000. The firm recommended users ensure their systems have updated antivirus and spyware detection software installed.
While Secunia doesn't consider the problem serious, experts at the Bethesda, Md.-based SANS Internet Storm Center [ISC] worry exploits could be nasty if successful. "On first sight [this] did not appear to be overly scary," ISC handler Daniel Wesemann wrote on the Storm Center's Web site. "Once we started to play with it, though, the nastiness became apparent… An overly long registry entry can be added, but won't be shown by regedit and regedt32. Even better, all registry entries added afterward under the same key, even if not overly long, will be hidden as well."
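Because the weakness described above is a display problem in regedit and regedt32, the practical check is to enumerate the autorun keys through the registry API rather than through the editor's GUI. The following audit script is an added example written for this page, not code from Secunia, Symantec or the ISC; it assumes that the .NET registry API exposed through PowerShell returns value names in full regardless of length, and the 255-character threshold and the list of Run/RunOnce paths are the example's own choices.

```powershell
# Added example (not from the article): list every value under the common
# autorun keys via the registry API and flag value names longer than a
# threshold, since regedit/regedt32 may not display such entries (and, per the
# ISC note, may also hide later entries under the same key).
# Assumptions: the .NET RegistryKey API enumerates names of any length;
# 255 characters is an arbitrary threshold chosen for this example.
$Threshold = 255
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyValueReport {
    param(
        [string[]]$Paths,
        [int]$MaxNameLength
    )
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # Get-Item on a registry path returns a Microsoft.Win32.RegistryKey,
        # so the names come from the API, not from the editor's list view.
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            # Keep REG_EXPAND_SZ data unexpanded so the raw stored string is shown.
            $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $flag = ''
            if ($name.Length -gt $MaxNameLength) { $flag = 'OVERLONG-NAME' }

            [pscustomobject]@{
                Key        = $path
                ValueName  = $name
                NameLength = $name.Length
                Data       = $data
                Flag       = $flag
            }
        }
    }
}

# Longest names first; anything flagged OVERLONG-NAME deserves a closer look,
# as do any entries that appear here but not in regedit's view of the same key.
Get-RunKeyValueReport -Paths $RunKeys -MaxNameLength $Threshold |
    Sort-Object NameLength -Descending |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt to cover the HKLM keys; comparing the API listing with what regedit shows for the same key is the quickest way to confirm whether anything is being hidden on a given machine.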