Security Bytes: Mytob variants on the march

By SearchSecurity.com Staff 14 Apr 2005 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

Mytob worm keeps multiplying
Antivirus firms say the Mytob worm is multiplying at a dizzying pace with no end in sight. By Wednesday morning Symantec was reporting the appearance of Mytob-AV@mm and Mytob-AU@mm and its ThreatCon was at level 2.

Russian-based Kaspersky Lab had its threat level at yellow -- indicating a medium threat -- partly because of Mytob's spread. The original worm was first detected Feb. 26, Kaspersky said on its Web site, adding, "According to our detections, there are now 25 versions of the worm, with six new versions being detected between [April 9 and 11]." The lab said the worm has been at the top of its virus stats, accounting for about 30% of all mail traffic. "Additionally, six or seven other variants from the Mytob family are present in our Virus Top 20, showing that these worms have [been] propagating steadily, intensifying the outbreak," the firm said.

Kaspersky said the outbreak could be made worse by Microsoft's latest security update, which listed several new critical vulnerabilities. Eugene Kaspersky, head of AV research at the lab, said in a statement, "We're certain that the computer underground is working actively on creating new and even more dangerous malicious code [that] will exploit these loopholes. To keep your data safe, we strongly recommend that you download and install the latest Microsoft patches now."

Kaspersky said Mytob is a modification of the Mydoom source code, but the author has added network worm functionality. This means the worm can propagate via Microsoft's LSASS vulnerability. It also has a bot function that lets a remote malicious user control infected computers through Internet Relay Chat [IRC] channels and freely access files on affected machines.

IBM fixes Lotus Notes/Domino flaws
IBM has fixed several flaws in its Lotus Notes and Domino products. Danish security firm Secunia said the security holes are "highly critical" and that users should update to the 6.5.4 or 6.0.5 releases of Lotus Notes and Domino. The firm said the specific problems are:

• A boundary error within the Domino server during the processing of certain time and date fields that can be updated from the Internet. Attackers can use this to cause a buffer overflow by passing a specially crafted POST request. IBM said this could crash the Domino server.
• A format string error in the Domino server when handling authentication using the NRPC Notes protocol. IBM said this could also be exploited to crash the Domino server.
• An unspecified boundary error in notes.ini on a Lotus Notes client attackers can exploit to cause a buffer overflow.
• An error in the @SetHTTPHeader function attackers can exploit to inject malicious content into the header and potentially conduct HTTP response splitting attacks or proxy cache poisoning.

The first problem was reported by Mark Litchfield of NGSSoftware. The second and third flaws were discovered by Ollie Whitehouse at Symantec. Researcher Juan Calderon reported the fourth issue. The Secunia advisory links to the various bulletins from IBM and NGS Software.

COAST collapses
The COAST antispyware consortium died this week after a member exodus left it on life support. According to the Register, Computer Associates, Alluria and Webroot left in February, saying COAST appeared unable to develop effective antispyware standards. The icing on the cake came when a controversial member, 180solutions, joined the group. CA and McAfee both described 180solutions as adware, though the company claimed to be "a provider of search marketing solutions," the Register said. Either way, that point is now moot for the consortium.

Veritas patches flaw
Surrey, U.K.-based NGSSoftware reported a critical flaw in the Veritas i3 Focalpoint Server, which is bundled with other servers such as Indepth for Oracle. Versions 7.1 and earlier are vulnerable to the flaw. Veritas has released a patch and describes it as "enhancing the i3 Listener agent to support the installation of the Siebel AppTier with Interpoint/Oracle on the i3 server." The company recommends patching the servers that have Indepth for Oracle Collector agents installed.

Sun fixes flaws in Java servers
Sun Microsystems has fixed flaws in the Java System Web Server and Java System Directory Server attackers could exploit to cause a denial of service.

The first problem is an unspecified vulnerability affecting Sun Java System Web Server 6.0 Service Pack 7 and earlier on Windows platforms. Sun said the issue has been fixed in version 6.0 Service Pack 8 and later. The second problem is that a local or remote unprivileged user could launch malicious commands and cause a denial of service by exploiting a vulnerability in Java System Directory Server 5.0.

At issue is a lack of bounds checking in some implementations of the Lightweight Directory Access Protocol (LDAP) -- used to access network-based directories -- may allow a buffer used to generate error messages to overflow. "If a remote unauthenticated attacker supplies a LDAP server with a specially crafted request, they may be able to trigger the buffer overflow to compromise the vulnerable server," Sun said.

The advisory outlines steps for patching this problem.

PHP updated to fix flaws
PHP has released updated versions of its software to correct multiple medium-risk vulnerabilities reported by David Litchfield of NGSSoftware in Surrey, U.K. Versions affected include PHP 5.0.3 and PHP 4.3.10. NGSSoftware is withholding details of the flaws for three months to allow users to apply the patches.

Digg This!     StumbleUpon     Del.icio.us

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary