
Another Cisco vulnerability

Aug 30, 2004

* Patches from Gentoo, OpenPKG, others
* Beware latest Rbot and Bagle variants
* WilTel and VeriSign team on security services, and other interesting reading

Windows XP SP2 update: I mentioned last week that my wife’s laptop had prompted us to download the new service pack. Well, I had hit download before leaving for work on Thursday, but as of yet, I haven’t seen anything prompting me to install it or confirming it’s downloading at all. So we’re still in a holding pattern. Three other machines that various family members own have also gotten the download prompt, but I’m telling them to hold off until I see how it affects the laptop first.

Today’s bug patches and security alerts:

Cisco warns of IOS flaw

Cisco warned of another security vulnerability in its products this week, one that could allow an attacker to disable remote administration access to a Cisco device running IOS. Network World Fusion, 08/27/04.

Cisco advisory:


Flaw found in Winamp “skins”

A bug in the way Winamp “skins” are implemented could be exploited by an attacker to run their code of choice on the targeted machine. An exploit for this has been found and takes the form of a virus. Download version 5.05 to fix the problem:


ISS warns of flaws in LibKmp

A buffer overflow has been found in LibKmp, an ISAKMP library used by many VPN vendors. An attacker could exploit this to compromise VPN systems that use the library. For more, go to:


Gentoo, OpenPKG patch zlib

A denial-of-service vulnerability has been found in zlib, a compression library used by a number of popular applications including Apache. For more, go to:




Trustix releases a pseudo service pack

A new update from Trustix fixes flaws in courier-imap, samba and zlib. For more, go to:


Gentoo, Mandrake Linux and SGI release kernel updates

According to the Gentoo alert, “Multiple information leaks have been found in the Linux kernel, allowing an attacker to obtain sensitive data which may be used for further exploitation of the system.” For more, go to:


Mandrake Linux:



Today’s roundup of virus alerts:

W32/Rbot-HC – A typical Rbot variant that spreads via network shares (using the file “BLING.EXE”) and allows backdoor access via IRC. The virus tries to delete network shares and also logs keystrokes. (Sophos)

W32/Rbot-HE – Very similar to Rbot-HC, except that it infects the file “WUAMGRD.EXE” in the Windows System directory. (Sophos)

W32/Rbot-X – Another Rbot variant that spreads via network shares, infects the file “MSlti32.exe” in the Windows System directory and allows backdoor access via IRC. (Sophos)

W32/Forbot-E – A bot that attempts to exploit various Windows vulnerabilities, including LSASS, to spread between machines. It infects the “SVXHOST.EXE” file and terminates security-related applications. (Sophos)

W32/Forbot-L – Similar to Forbot-E above, except it uses the file “w32usb2.exe” as its infection point. (Sophos)

W32/Wukill-C – An e-mail pain-in-the-neck that spreads in a message titled “MS” with an attachment called “mshelp.exe”. It copies itself to a number of places, but no word on any permanent damage it may cause. (Sophos)

Troj/Agent-BX – A Trojan horse that runs as a DLL in the Windows System directory (msoleapi.dll) and is used to collect information from the infected system and send it to a remote site. (Sophos)

W32/Sdbot-OC – Guess what this virus does? Yes, it spreads via network shares and allows backdoor access via IRC. It installs itself as “NTSYSMGR.EXE” and as “COOL.EXE” and can be used to terminate security-related applications running on the infected machine. (Sophos)

W32/Bagle-AJ – Another Bagle variant that spreads via e-mail, peer-to-peer networks and network shares. When the virus infects a machine it displays the message “Can’t find a viewer associated with the file”. (Sophos)


From the interesting reading department:

States prepping cyberalert plan

Looking to gauge the risk of attacks against their networks, state officials this week will vote on new measures that would assess threats and dictate specific actions to take to protect key resources. Network World, 08/30/04.

Behind the perimeter

As more attacks penetrate traditional perimeter defenses, smart organizations adopt defense-in-depth strategies in which application-level security plays an increasingly critical role. Network World, 08/30/04.

Technical Update: Generic exploit blocking stops infections

A new security technology called generic exploit blocking shields systems from malicious threats before they appear. When incorporated into desktop and network firewalls, the technology prevents infections rather than responding to them. Network World, 08/30/04.

HP exec targets security priorities

Tony Redmond, vice president and CTO at HP Services and HP Security Program Office, explains HP’s priorities, including a new service called Active Countermeasures, now in beta. Network World, 08/30/04.

Cast Iron device gets security, file handling boost

Cast Iron Systems last week unveiled an updated version of its application integration appliance designed to provide simplified data-integration capabilities for corporate projects in which a full-blown enterprise application integration system would be overkill. Network World, 08/30/04.

Juniper tackles remote access security

Juniper this week is announcing technology that promises to give businesses more ways to guarantee computers making remote links to corporate networks have appropriate security software in place. Network World, 08/30/04.

FrontBridge service secures e-mail

FrontBridge Technologies this week will add secure e-mail and archiving to its lineup of hosted services to appease corporate users that seek tools to satisfy regulatory compliance issues. Network World, 08/30/04.

WilTel and VeriSign team on security services

WilTel Communications announced last week that it’s teaming with VeriSign to offer users managed firewall and intrusion-detection services. Network World, 08/30/04.

Mano a mono

One IT consultant’s battle against the Microsoft monoculture. Network World, 08/30/04.

Feds bust DDoS ‘Mafia’

A Massachusetts businessman allegedly paid members of the computer underground to launch organized, crippling distributed denial of service (DDoS) attacks against three of his competitors, in what federal officials are calling the first criminal case to arise from a DDoS-for-hire scheme. The Register, 08/27/04.

Nokia, Pointsec team on mobile data security

Enterprises seeking higher security for their growing number of mobile devices may be interested in new encryption technology that Nokia is deploying in its smart phone products. IDG News Service, 08/26/04.

Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector

The Secret Service National Threat Assessment Center (NTAC) and the CERT Coordination Center of Carnegie Mellon University’s Software Engineering Institute (CERT/CC) joined efforts to conduct a unique study of insider incidents, the Insider Threat Study (ITS), examining each case from a behavioral and a technical perspective. CERT, 08/2004. (PDF document)