* Patches from Gentoo, OpenPKG * Trojan e-mails suggest trend toward targeted attacks
Last week (http://www.networkworld.com/newsletters/bug/2005/0613bug2.html) we mentioned that a reader was having a potential problem with Symantec’s Norton Internet Security suite and the way it interacted with HTTPS sites. Some sites were rendered inaccessible, including Amazon.com, unless Norton was completely shut down. We asked you for suggestions and the responses flowed in:
* Reader G. Peterson says he’s encountered the similar problems with some of his client’s PCs, to the point he couldn’t even reach the Symantec Web site to download the fix as recommended by the company’s tech support staff. Peterson writes, “Symantec corporate support could not resolve the problem. Hey guys, you need both the canoe and a paddle when you go up a creek.”
* Reader P. McConnell dumped the Symantec suite all together, going with a “best of breed” approach, including Kerio firewall and Avast anti-virus.
* Chris wrote in saying a neighbor was running into a similar sounding problem in the past week or so. The good news: The most recent Symantec update seemed to have fixed the problem.
Hopefully Chris is right and Symantec has fixed the problem.
Today’s bug patches and security alerts:
Gentoo patches libextractor
Libextractor, a code library used for extracting meta data from files, is vulnerable to a number of buffer overflows. An attacker could exploit this to run malicious code on the affected machine. For more, go to:
https://security.gentoo.org/glsa/glsa-200506-06.xml
Gentoo issues fix for LutelWall
LutelWall, a firewall configuration tool, is vulnerable to symlink attacks. A malicious user could exploit this to overwrite files on the affected machine. For more, go to:
https://security.gentoo.org/glsa/glsa-200506-10.xml
Gentoo releases patch for Ettercap
Ettercap, a suite of tools that could be used for network monitoring, contains a format string vulnerability. It could be exploited to run malicious application on the affected machine. For more, go to:
https://security.gentoo.org/glsa/glsa-200506-07.xml
**********
OpenPKG patches bzip2
A race condition in bzip2, a file compressor and decompressor, could be exploited by an attacker to change permissions of a file being decompressed. For more, go to:
https://www.openpkg.org/security/OpenPKG-SA-2005.008-bzip2.html
OpenPKG releases update for cvs
A denial-of-service vulnerability has been found and fixed in cvs, a version control system. For more, go to:
https://www.openpkg.org/security/OpenPKG-SA-2005.010-openpkg.html
OpenPKG patches gzip
Two vulnerabilities in gzip, an open source compression/decompression utility, could be exploited by an attacker to overwrite arbitrary files on the affected machine. For more, go to:
https://www.openpkg.org/security/OpenPKG-SA-2005.009-gzip.html
**********
Today’s roundup of virus alerts:
Trojan e-mails suggest trend toward targeted attacks
A report on Trojan e-mail attacks against critical infrastructure systems in the U.K. highlights an emerging trend away from mass-mailing worms and viruses to far more targeted ones, analysts said. The U.K.’s National Infrastructure Security Co-Ordination Center Thursday released a report disclosing that more than 300 government departments and businesses were targeted by a continuing series of e-mail attacks designed to covertly gather sensitive and economically valuable. Computerworld, 06/17/05.
http://www.networkworld.com/news/2005/061705-trojan.html?nl
W32/Rbot-AGA – An Rbot network worm variant that spreads by exploiting a number of known Windows vulnerabilities. It installs itself as “taskemngr.exe” and can be used for a number of malicious purposes, including providing backdoor access via IRC. (Sophos)
W32/Rbot-AFP – This Rbot variant installs itself as “wintnask32.exe” after spreading through a network share. It too can provide backdoor access via IRC. (Sophos)
W32/Sdbot-ZH – This bot too spreads through network shares, exploitiung a number of known Windows flaws. It drops “SP00ISS.exe” on the infected machine and can be used to run arbitrary files on the infected machine. (Sophos)
W32/Sdbot-ZM – Another Sdbot variant. This version uses “nawdll32.exe” as its infection point. It too can be used to steal passwords and other local system information. (Sophos)
Troj/Istbar-BE – A Trojan download that attempts to grab code from a pre-configured Web site. It enters “BandRest” in the system registry. (Sophos)
Troj/Banker-DV – A password stealing Trojan that targets Brazilian banking Web sites. It drops “winlogin.exe” in the infected machine’s Windows System folder. (Sophos)
W32/Codbot-L – An IRC backdoor worm that spreads by exploiting the Windows RPC-DCOM vulnerability. This variant drops “rpcclient.exe” on the infected machine. It can be used to steal passwords and download additional code. (Sophos)
Troj/Spyre-E – A Trojan that drops “hookdump.exe” on the infected machine and displays a message claiming the user’s system is infected. It attempts to direct the user to a remote Web site. (Sophos)
W32/Mytob-BL – A new Mytob variant that spreads through e-mail and network shares. It drops “h3.exe” on the infected machine and modifies the Windows HOSTS file to limit access to security related Web sites. (Sophos)
Troj/Chum-C – A Trojan that provides backdoor access through IRC. It drops “iexpIore.exe” on the infected machine. (Sophos)
Troj/Subzero-B – Another Trojan that tries to connect to a remote server via HTTP. It installs itself as “svhosts.exe” in the Windows System folder. (Sophos)
Dial/DialCar-I – A dialer application that tries to connect to remote sites. It installs as “MAPPE.EXE” in the Windows folder. (Sophos)




