Security Bytes: New malware targets Skype users |
 |
By SearchSecurity.com Staff
18 Oct 2005 | SearchSecurity.com |
|
|
New malware targets Skype users
A new variant of the IRCbot Trojan horse is taking aim at users of Skype Technologies S.A.'s VoIP software, according to New York-based e-mail security firm MessageLabs Ltd. As of Monday, the firm said it had blocked more than 150 copies of the Trojan, also known as Fanbot. The malware is being distributed by e-mail disguised as the newest release of the popular Skype software client -- version 1.4, which was released Oct. 10.
"When executed, the attached malware program displays a fake 'installation error' box while, in fact, it is installing itself as %sysdir%remote.exe, altering the registry and shutting down shared access and Windows update services," MessageLabs said. "It then tries to connect to either an IRC server named 'jojogirl.3322.org' or 'smallphantom.meibu.com,' but fails." According to Skype's Web site, its Internet voice-calling software has been downloaded more than 184 million times.
Malicious e-mails include the following characteristics:
Subject lines: Hello. We're Skype and we've got something we would like to share with...; Share Skype.; Skype for Windows 1.4; Skype for Windows 1.4 - Have you got the new Skype?; What is Skype?
Body text: "Dear user, Skype is a little piece of software that lets you talk over the Internet to anyone, anywhere for free. And it just got even better -- download the latest version of Skype: Our call quality is the best ever for talking, laughing and sharing stories. You can forward calls on to mobiles, landlines and other Skype Names. Make calls instantly from Outlook email or Internet Explorer with our new toolbars. Personalize your Skype -- play around with sounds, ring tones and pictures to show the world who you are."
Microsoft patch causes problems
Microsoft has acknowledged problems with one of the patches it issued last week. The problem could, among other things, block users from logging on to Windows, block certain applications from running or installing; keep the Windows firewall from starting; and empty the network connections folder. "Microsoft is aware of reports of isolated issues after deployment with Microsoft Security Bulletin MS05-051," the software giant said in an advisory. "We are working with a limited number of affected customers to help resolve these issues."
Microsoft said the problem appears limited to instances when default permission settings on a Windows directory are changed. The advisory outlines steps users can take to correct the problem. MS05-051 patches vulnerabilities with the Microsoft Distributed Transaction Coordinator (MSDTC) and COM+ service to prevent remote control and privilege escalation by attackers. In addition, the same patch seals important, but not critical, holes in the TIP. Among the affected OS versions are Windows XP with SP1 and SP2, and multiple flavors of Windows Server 2003.
Lynx flaw affects Red Hat, Ubuntu Linux
Attackers could exploit a security hole in Lynx -- a text-based Web browser -- to cause a stack-based buffer overflow and launch malicious code, Danish security firm Secunia said in an advisory. The glitch affects Linux distributions from Red Hat, Ubuntu and possibly others.
"The vulnerability is caused due to a boundary error in the 'HTrjis()' function in the handling of article headers sent from NNTP (Network News Transfer Protocol) servers," Secunia said. "This can be exploited to cause a stack-based buffer overflow by tricking a user into visiting a malicious Web site which redirects to a malicious NNTP server via the 'nntp:' URI handler. Successful exploitation allows execution of arbitrary code."
Secunia said the "highly critical" vulnerability has been reported in Lynx versions 2.8.3, 2.8.4, 2.8.5, and 2.8.6dev.13. Other versions may also be affected. "The vulnerability has been fixed in version 2.8.6dev.14," the advisory said.
|
