July 01, 2005 - Current Activity


      • Exploit for Vulnerability in phpBB
      • Fake Microsoft Security Bulletin Email
      • Scanning Activity on Port 445/tcp
      • Exploit for Vulnerability in VERITAS Backup Exec Remote Agent
      • Exploit for Vulnerability in Outlook Express
      • Users at Continued Risk from Phishing Attempts
      • Exploitation of ASN.1 Vulnerabilities
      • W32/Mytob Virus
      • Michael Jackson Spam



    Exploit for Vulnerability in phpBB
    added July 1, 2005

    US-CERT is aware of a public exploit for a vulnerability in phpBB's "viewtopic.php" script. We have seen reports of attempts at exploitation, but we have no confirmed evidence of successful system compromises. More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

        VU#497400 - phpBB viewtopic.php fails to properly sanitize input passed to the "highlight" parameter

    A fix for this vulnerability was included in version 2.0.11, but it did not adequately resolve the issue. In 2004, this vulnerability led to the propagation of the Santy worm.

    The phpBB Development Team has released phpBB version 2.0.16 to fully correct this issue. US-CERT encourages administrators to apply the appropriate fixes as soon as possible.


    Fake Microsoft Security Bulletin Email
    added June 29, 2005 | updated June 30, 2005

    US-CERT has received reports of a circulating email message purporting to be a Microsoft Security Bulletin. The email directs the user to download and install an executable that is supposed to be a cumulative patch. Through social engineering, the attacker hopes to trick the user into thinking they are installing a cumulative patch when in fact they are installing a version of SDBot, a commonly used Trojan horse.

    This variant of SDBot is part of a family of backdoor Trojan horse programs commonly controlled remotely by an attacker via Internet Relay Chat (IRC). Some variants of SDBot may not be detected by anti-virus applications.

    In 2003, a similar email message masquerading as a Microsoft Security Bulletin was circulated via email. Users that clicked on the link in this email message were infected with the Swen mass-mailing worm.

    US-CERT recommends:

      • Users should not follow unsolicited web links received in email messages.
      • Users should manually type in the URL when attempting to go to the web sites recommended in an email.
      • Users should install anti-virus software and keep its virus signature files up-to-date.

    Scanning Activity on Port 445/tcp
    added June 28, 2005

    US-CERT has seen reports indicating an increase in scanning activity of port 445/tcp. This port is used by Server Message Block (SMB) to share files, printers, serial ports and communicate between computers in a Microsoft Windows environment. Scanning for port 445/tcp has been active for a number of years.

    In 2004, Microsoft released a bulletin (MS04-011) describing a vulnerability in the Local Security Authority Subsystem Service (LSASS). Since this time a number of exploits have been published that take advantage of this vulnerability. More recently, Microsoft published two security bulletins (MS05-011 and MS05-027) that describe vulnerabilities in the Server Message Block (SMB). More information about these vulnerabilities can be found in the following US-CERT Vulnerability Notes:

        VU#753212 - Microsoft LSA Service contains buffer overflow in DsRolepInitializeLog() function (MS04-011)

    The LSASS and SMB services utilize RPC for communications. Ports configured to support RPC (i.e., port 445/tcp) may be scanned to locate vulnerable hosts. Scanning for port 445/tcp could be a result of attempts to exploit any of the vulnerabilities referenced above or attempts to authenticate to Microsoft Windows systems through brute force password attacks.

    More recently, an exploit was released that attempts to take advantage of the vulnerability described in MS05-011. While reports of successful system compromises using this vulnerability have not been confirmed, US-CERT strongly recommends that users patch their systems as soon as possible.


    Exploit for Vulnerability in VERITAS Backup Exec Remote Agent
    added June 26, 2005

    US-CERT has received reports of increased scanning activity on port 10000/tcp. This increase is believed to be related to the public release of a new exploit for a recently published vulnerability in VERITAS Backup Exec Remote Agent. More information about the vulnerability can be found in US-CERT Vulnerability Note:

        VU#492105 - VERITAS Backup Exec Remote Agent fails to properly validate authentication requests

    Normally the VERITAS Backup Exec Remote Agent listens on network ports 6101/tcp and 10000/tcp. Reports indicate that once the vulnerability has been exploited, port 6101/tcp will still be listening but the service on port 10000/tcp will have crashed.

    Possible workarounds include using a firewall to restrict incoming connections to trusted workstations running the Backup Exec client software which uses port 10000/tcp.

    VERITAS has issued patches for each vulnerable version of Backup Exec Remote Agent. Information about this patch and other recent critical patches can be found in the VERITAS Patch summary for Security Advisories VX05-001, VX05-002, VX05-003, VX05-005, VX05-006, VX05-007. Administrators are strongly encouraged to apply the appropriate fixes as soon as possible.
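    Both the port 445/tcp and the port 10000/tcp entries above describe the same defensive signal: one source touching many internal hosts on a single service port. The script below is an added example, not code from US-CERT or either vendor. It parses constructed iptables-style firewall log lines (the sample traffic, addresses and the log format are assumptions for the example) and flags any source that probed at least three distinct destination hosts on a watched port, so it covers scans for either service and can be pointed at other ports by changing `WATCHED_PORTS`.

```python
import re
from collections import defaultdict

# Ports called out in the two entries above: 445/tcp (SMB/LSASS) and
# 10000/tcp (VERITAS Backup Exec Remote Agent). Extend as needed.
WATCHED_PORTS = {445, 10000}

# Constructed sample of iptables-style log lines (not real traffic).
SAMPLE_LOG = """\
Jun 28 10:01:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4455 DPT=445 SYN
Jun 28 10:01:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=4456 DPT=445 SYN
Jun 28 10:01:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=4457 DPT=445 SYN
Jun 28 10:01:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP SPT=4458 DPT=445 SYN
Jun 28 10:01:05 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP SPT=1025 DPT=10000 SYN
Jun 28 10:01:05 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.21 PROTO=TCP SPT=1026 DPT=10000 SYN
Jun 28 10:01:06 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.22 PROTO=TCP SPT=1027 DPT=10000 SYN
Jun 28 10:01:07 fw kernel: IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=3000 DPT=445 SYN
Jun 28 10:01:08 fw kernel: IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=3001 DPT=80 SYN
"""

# Assumed log layout: SRC=, DST= and DPT= fields as written by iptables LOG.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dport>\d+)"
)


def parse_connections(log_text):
    """Yield (src, dst, dport) for every TCP log line that matches the layout."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def find_scanners(log_text, ports=WATCHED_PORTS, min_targets=3):
    """Return {src: {port: distinct_destination_count}} for every source that
    touched at least min_targets distinct destination hosts on a watched port.
    A single host hammering one destination is not a sweep and is left out."""
    targets = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in parse_connections(log_text):
        if dport in ports:
            targets[src][dport].add(dst)
    hits = {}
    for src, per_port in targets.items():
        flagged = {p: len(d) for p, d in per_port.items() if len(d) >= min_targets}
        if flagged:
            hits[src] = flagged
    return hits


if __name__ == "__main__":
    for src, per_port in sorted(find_scanners(SAMPLE_LOG).items()):
        for port, count in sorted(per_port.items()):
            print(f"{src} probed {count} hosts on {port}/tcp")
```

    The threshold of three distinct destinations is deliberately low for the tiny sample; on a real perimeter log it should be raised and combined with a time window so that a legitimate backup server contacting many agents on 10000/tcp is not reported.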


    Exploit for Vulnerability in Outlook Express
    added June 25, 2005

    US-CERT has received reports of the existence of a working exploit for a recently published vulnerability in Microsoft Outlook Express. While reports of successful system compromise using this vulnerability have not yet been confirmed, US-CERT urges users to review the information in US-CERT Vulnerability Note:

        VU#130614 - Microsoft Outlook Express vulnerable to remote code execution

    Microsoft has released a patch to address this vulnerability in Microsoft Security Bulletin MS05-030. Administrators are encouraged to apply the appropriate fixes as soon as possible.


    Users at Continued Risk from Phishing Attempts
    added June 23, 2005

    US-CERT continues to receive reports of phishing attempts. Because of recent media reports regarding attacks against financial institutions, users may see an increase in targeted phishing emails. Phishing emails may appear as requests from a financial institution asking the user to click on a link that takes them to a fraudulent site that looks like the legitimate one. The user is then asked to provide personal information that can further expose them to future compromises.

    US-CERT warns users to expect media reports about financial institution breaches to be leveraged in future phishing attempts. Users are encouraged to take the following measures to protect themselves from this type of phishing attack:

    1. Don’t follow unsolicited web links received in email messages
    2. Contact your financial institution immediately if
      • you believe your account has been compromised.
      • you are unsure whether an email you received purporting to come from them is legitimate.

    Exploitation of ASN.1 Vulnerabilities
    added June 10, 2005 | updated June 10, 2005

    US-CERT has received reports indicating an increase in the scanning for and exploitation of systems affected by one or more vulnerabilities in the Microsoft ASN.1 Library (MSASN1.DLL). These vulnerabilities are caused by the way that certain ASN.1 length values and bit strings are decoded. By sending specially crafted ASN.1 data, an attacker may be able to execute arbitrary code with SYSTEM privileges and gain complete control of a vulnerable system.

    MS04-007 explains how an attacker could exploit these vulnerabilities:

    "Because ASN.1 is a standard for many applications and devices, there are many potential attack vectors. To successfully exploit this vulnerability, an attacker must force a computer to decode malformed ASN.1 data. For example, when using authentication protocols based on ASN.1 it could be possible to construct a malformed authentication request that could expose this vulnerability."

    It is possible that these attacks target Secure Sockets Layer (SSL) or other cryptographic authentication capabilities in Microsoft Internet Information Server (IIS). In addition, a number of exploit tools now include functionality to take advantage of these vulnerabilities.

    More information about these vulnerabilities is available in the following US-CERT Vulnerability Notes:

        VU#216324 - Microsoft ASN.1 Library improperly decodes malformed ASN.1 length values
        VU#583108 - Microsoft ASN.1 Library improperly decodes constructed bit strings

    Microsoft has released a patch to address these vulnerabilities in Microsoft Security Bulletin MS04-007.
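    The vulnerability notes above describe mis-decoded ASN.1 length values: a decoder that trusts a declared length before checking it against the bytes it actually holds. As an added example (not Microsoft's or US-CERT's code), the decoder below shows the checks a correct BER/DER length parser performs: truncated input, the indefinite form, oversized length-of-length fields, non-minimal DER encodings, and, most importantly, a declared length larger than the remaining buffer. The byte strings are constructed test vectors.

```python
class ASN1Error(ValueError):
    """Raised for any malformed or unsafe length encoding."""


def decode_length(buf, offset):
    """Decode a BER/DER length field starting at buf[offset].

    Returns (length, offset_after_length_field). Every check below runs before
    the caller allocates or copies anything based on the declared length.
    """
    if offset >= len(buf):
        raise ASN1Error("truncated: no length byte")
    first = buf[offset]
    offset += 1
    if first < 0x80:
        length = first                       # short form: the byte is the length
    else:
        n = first & 0x7F                     # long form: n following length bytes
        if n == 0:
            raise ASN1Error("indefinite length is not allowed in DER")
        if n > 4:
            raise ASN1Error(f"length-of-length {n} is too large")
        if offset + n > len(buf):
            raise ASN1Error("truncated: length bytes missing")
        raw = buf[offset:offset + n]
        offset += n
        length = int.from_bytes(raw, "big")
        # DER requires the shortest encoding: no leading zero bytes, and no
        # long form for values that fit in the short form.
        if raw[0] == 0 or length < 0x80:
            raise ASN1Error("non-minimal length encoding")
    # The check the advisory is about: the value must fit in what is left.
    remaining = len(buf) - offset
    if length > remaining:
        raise ASN1Error(f"declared length {length} exceeds remaining {remaining} bytes")
    return length, offset


def decode_tlv(buf, offset=0):
    """Decode one tag-length-value triple; returns (tag, value, next_offset)."""
    if offset >= len(buf):
        raise ASN1Error("truncated: no tag byte")
    tag = buf[offset]
    length, start = decode_length(buf, offset + 1)
    return tag, bytes(buf[start:start + length]), start + length


def rejects(buf):
    """True if decode_tlv refuses the buffer, so callers can test safely."""
    try:
        decode_tlv(buf)
    except ASN1Error:
        return True
    return False


# Constructed vectors (OCTET STRING tag 0x04, SEQUENCE tag 0x30).
GOOD_SHORT = bytes.fromhex("04 03 41 42 43")            # length 3, "ABC"
GOOD_LONG = bytes([0x04, 0x81, 0x85]) + b"x" * 0x85     # long form, 133 bytes
OVERSIZED = bytes.fromhex("04 84 ff ff ff ff 41")       # claims 4 GiB, has 1 byte
INDEFINITE = bytes.fromhex("30 80 00 00")               # indefinite form
NON_MINIMAL = bytes.fromhex("04 81 03 41 42 43")        # long form for 3
TRUNCATED = bytes.fromhex("04 82 01")                   # length bytes cut off

if __name__ == "__main__":
    print(decode_tlv(GOOD_SHORT))
    for name, vec in [("oversized", OVERSIZED), ("indefinite", INDEFINITE),
                      ("non-minimal", NON_MINIMAL), ("truncated", TRUNCATED)]:
        print(name, "rejected" if rejects(vec) else "ACCEPTED")
```

    The decoder returns slices of the input rather than allocating from the declared length, so even if a check were missed the worst outcome would be a short slice, not an out-of-bounds copy; that is the structural difference between this design and the one the vulnerability notes describe.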


    W32/Mytob Virus
    added June 10, 2005 | updated June 10, 2005

    US-CERT has received reports of three new variants of the W32/Mytob virus. These variants, 'W32/Mytob.DP', 'W32/Mytob.DV', and 'W32/Mytob.DY', propagate via email and contain backdoor functionality. As with many viruses, these variants rely on social engineering to propagate. Specifically, the user must click on a link or execute an attachment. In the case of W32/Mytob.DY, once a system is infected, it may continue to propagate by exploiting several vulnerabilities in Microsoft Windows. More information about these vulnerabilities is available in the following US-CERT Vulnerability Notes:

        VU#753212 - Microsoft Windows 2000 LSASS fails to properly handle certain LDAP messages
        VU#568148 - Microsoft Windows RPC vulnerable to buffer overflow

    Microsoft has released patches to address these vulnerabilities in Microsoft Security Bulletin MS03-026 and Microsoft Security Bulletin MS04-011.

    Although each variant has different functionality, the list below contains a subset of the common characteristics of these variants. Once a system is infected, the malicious code may:

    • Modify the system registry to prevent the Windows XP built-in firewall from starting
    • Attempt to harvest email addresses from a configurable list of file extensions
    • Utilize its own SMTP engine to send itself to the harvested email addresses
    • Modify the HOSTS file to prevent the computer from accessing certain security and commercial web sites.
    • Attempt to terminate a number of running processes, some of which are security related
    • Open a backdoor on the system that allows the attacker to communicate remotely with the system via IRC. This may allow the attacker to upload and execute arbitrary code on the infected machine.
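    One of the listed behaviours, rewriting the HOSTS file so security and update sites resolve to the local machine, leaves an artifact an administrator can check for directly. The script below is an added example, not US-CERT code or an anti-virus product's logic: it parses a HOSTS file and reports watched hostnames mapped to a loopback or unspecified address. The watch-list and the tampered file contents are constructed assumptions for the example; a real check would read the live file (on Windows, under the system32\drivers\etc directory) and use a longer list.

```python
import ipaddress

# Assumed watch-list of hosts whose redirection to the local machine is a
# typical symptom of this kind of infection; extend with your own vendors.
WATCHED_HOSTS = {
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "www.symantec.com",
    "securityresponse.symantec.com",
    "www.mcafee.com",
}

# Constructed sample of a tampered HOSTS file (not a real capture).
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       www.symantec.com   # appended by malware
0.0.0.0         www.mcafee.com
192.0.2.44      intranet.example.test
"""


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping, ignoring comments and blanks.
    A line may list several hostnames after the address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_blackhole(ip):
    """True for addresses that silently swallow traffic: loopback or 0.0.0.0/::."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def tampered_entries(text, watched=WATCHED_HOSTS):
    """Return sorted (hostname, ip) pairs for watched hosts that are black-holed."""
    return sorted(
        (name, ip)
        for ip, name in parse_hosts(text)
        if name in watched and is_blackhole(ip)
    )


if __name__ == "__main__":
    for name, ip in tampered_entries(SAMPLE_HOSTS):
        print(f"{name} is redirected to {ip}")
```

    The check deliberately treats `0.0.0.0` and `::1` the same as `127.0.0.1`; all three stop the machine from reaching the vendor, which is what blocks signature updates. Entries for `localhost` itself are the file's normal contents and are not reported.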

    US-CERT strongly encourages users to install anti-virus software, and keep its virus signature files up-to-date.

    Additionally, US-CERT strongly encourages users not to follow unknown links, even if sent by a known and trusted source.

    You may also wish to visit US-CERT's computer virus resources page.


    Michael Jackson Spam
    added June 10, 2005

    US-CERT has received reports of an email message that purports to be news of a Michael Jackson suicide attempt.

    The email message has the following characteristics:

    • A Subject line of:
        Re: Suicidal aattempt
    • Body text containing the following:
        Last night, while in his Neverland Ranch, Michael Jackson has made a suicidal attempt.
        They suggest this attempt follows the last claim was made against the king of pop.
        46 years old Michael has left pre-suicid note which describes and interpretes some of his sins.
        Read more...

    The "Read more..." text in the body of the message is a hyperlink. Upon clicking this hyperlink, the user is taken to a web site that attempts to load malicious code onto the user's computer. A web page is then displayed to the user indicating that the web site is unable to service the user's request.

    US-CERT strongly encourages users to install anti-virus software, and keep its virus signature files up-to-date.

    Additionally, US-CERT strongly encourages users not to follow unknown links, even if sent by a known and trusted source.

    You may also wish to visit US-CERT's computer virus resources page.