Mydoom-M leaves more trouble in its wake
Antivirus companies reported Tuesday that Mydoom-M was winding down, but warned the damage it left behind could be used for more attacks. Symantec warned that a new worm, W32.Zindos-A, was in the wild taking advantage of doors Mydoom-M left open. The worm is designed to perform a denial-of-service attack against microsoft.com, Symantec said in its advisory. There is no indication the worm was successful, however. Zindos-A spreads through the backdoor opened on TCP port 1034 by a Trojan horse called Backdoor.Zincite. Mydoom-M dropped the Trojan as part of Monday's attack, antivirus experts said in reports Tuesday. Because of bugs in the worm's code, Symantec said, a system infected with Backdoor.Zincite-A that becomes infected with Zindos enters an infinite infection loop, with each Zindos infection re-infecting the system. This may cause the system to become slow and unresponsive, the advisory said. Dee Liebenstein, group product manager for Symantec's security and response team, told the Reuters news agency that Zindos was not spreading quickly and that Microsoft's Web site was not at risk of being toppled by a flood of "hits." "At this point, there's no evidence Microsoft.com is in trouble," she said. Symantec was receiving about 30 reports an hour from customers on Tuesday about Mydoom, down from about 100 an hour when the worm was at its peak on Monday.
Gentoo fixes flaw in Pavuk
Gentoo Linux has fixed bugs in its Pavuk Web spider and Web site mirroring tool that could allow an attacker to run arbitrary code. Gentoo's advisory said Pavuk contains several buffer-overflow vulnerabilities in the code handling digest authentication. An attacker could cause a buffer overflow, leading to arbitrary code execution with the rights of the user running Pavuk. Gentoo said there is no known workaround at this time, and encouraged users to upgrade to the latest available version of Pavuk.
Vulnerability in Opera browser
A vulnerability in the Opera browser could allow malicious people to conduct phishing attacks against a user, Copenhagen, Denmark-based IT security firm Secunia said in an advisory. "The problem is that Opera fails to update the address bar if a Web page is opened using the 'window.open' function and then 'replaced' using the 'location.replace' function," the advisory said. "This causes Opera to display the URL of the first Web site while loading the content of the second Web site." The flaw has been confirmed using Opera version 7.53. Secunia recommends users avoid links to untrusted Web sites.
Mandrake fixes flaws
Mandrake has fixed several vulnerabilities that an attacker could use to compromise susceptible systems. The first update is for Mandrake Corporate Server 2.x, Mandrake Linux 9.x and Mandrake Multi Network Firewall 8.x. It fixes a flaw in mod_ssl that malicious people could exploit to gain access to a vulnerable system. The second update fixes a flaw that affects Mandrake Corporate Server 2.x and Mandrake Linux 9.x. An unknown vulnerability in Webmin 1.140 allows a remote attacker to bypass access control rules and gain read access to configuration information for a module. The account lockout functionality does not parse certain character strings, which allows a remote attacker to conduct a brute-force attack to guess user IDs and passwords, the advisory said. The third update fixes a buffer-overflow vulnerability in the ODBC driver of PostgreSQL. It is possible to exploit this problem and crash the surrounding application. A PHP script using php4-odbc can be used to crash the surrounding Apache Web server, the advisory said, adding that other parts of PostgreSQL are not affected. The problem affects Mandrake Corporate Server 2.x.
A sophisticated attack wreaked havoc Tuesday on DoubleClick Inc., a New York company that provides online advertising services for some of the nation's most popular Web sites, according to the Bethesda, Md.-based Internet Storm Center. The trouble started at about 10:30 a.m. ET, when unknown attackers overwhelmed DoubleClick's Internet servers with a flood of bogus Web page requests, preventing many major sites from loading ad images, The Washington Post reported. The attack stymied Internet users trying to load pages at nearly all of the 40 Web sites affected. At the height of the assault, affected Web pages were available less than 25% of the time, according to Keynote Systems Inc., a Web performance monitoring company in San Mateo, Calif. In the report, DoubleClick spokeswoman Jennifer Blum said the attack targeted the company's domain name servers (DNS), causing "severe service disruptions" for all 900 of its customers. Blum said the outage was caused by a distributed denial-of-service attack. Nortel Networks, Gateway Inc., MCI Inc., CNN.com and Schwab.com were among the hardest hit, according to Keynote. Security experts said the DoubleClick attack was similar to the assault hackers waged last month against Cambridge-based Akamai Technologies, which distributes Web content for such companies as Google, Microsoft and Yahoo! In that attack, hackers used tens of thousands of enslaved machines to overwhelm Akamai's DNS servers, blocking access to many of the company's customers for nearly two hours.