Messenger Vulnerability - Any Recon?


thehorse13
November 17th, 2003, 09:22 PM
Well the new MS patches have been out for a few weeks now so I'm sure that we will be seeing a new run of worms before long. Has anyone heard about any possible new worms related to the Messenger service vulnerability or the Workstation vulnerability? Things are quiet at my usual haunts so I figured I'd throw out a line here and see what I get.

TIA.


--Th13
:p

NullDevice
November 17th, 2003, 09:35 PM
Well, we had MSBLASTER after quite some time, about a month... I expected it earlier though... I think it would take about a month to show up... just a guess, then who knows who's cooking what.

Fatphantom
November 18th, 2003, 03:48 AM
Hi,
There's some people being attacked while on some sort of messenger service -

http://www.antionline.com/showthread.php?s=&threadid=251029

I haven't heard of any worms/trojans that use any instant messaging service, but I heard of some AIM exploits - I'm trusting that this is all for educational purposes :

http://cert.uni-stuttgart.de/archive/bugtraq/2001/10/msg00045.html

This one lets you change a user's e-mail address that AIM uses so the person doesn't know about it (pretty much, you just need him/her to sign on and once he/she uses the bathroom, he/she is screwed) -

http://aimlabs.net/UpEmail.htm

This one lets you warn someone without having them talk to you -

http://aimlabs.net/IconEx.htm

Hope this helps.

thehorse13
November 18th, 2003, 11:44 AM
Fat, thanks for the info. I was referring to the Messenger service, not the IM client. Below you will find links to the vulnerabilities which I believe will be leveraged in upcoming worms.

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-049.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS03-043.asp

SDK
November 18th, 2003, 03:18 PM
I know the BugTraq mailing list has released a proof of concept for the Windows Workstation Service overflow..

http://www.securityfocus.com/archive/1/344212

Maestr0
November 18th, 2003, 03:42 PM
Just a piece of info from Securityfocus I thought I'd share about the MS03-049 vuln:

"...a buffer overflow happens on the specified host if the debug file is
writeable."

"Generally, the "debug" subdirectory in the Windows directory is not
writeable by everyone if the drive is formatted as NTFS, which means that we
cannot append to the log using a null session. The WsImpersonateClient() API
is called before opening the log file, and if the connected client does not
have the privilege to write to the log file, then CreateFile() will fail,
and the vulnerable call to vsprintf() is not performed. So, in this case, we
can exploit FAT32 systems (which do not support ACLs on directories), or
systems where the "%SYSTEMROOT%\debug" directory is writeable by everyone.
However, there are some extended RPC functions implemented in Windows XP
which open the logfile before calling WsImpersonateClient()... "

"So my guess is that if this gets to be a worm, it probably will affect
mostly XP systems and not Windows 2000 systems (given that NTFS is a default
file type for W2k and that by default this is not writeable by a NULL
session). So that reduces the number of potential worm candidates and along
with this needs to use the same ports as Blaster the list of targets grows
smaller (because of the XP firewall), in itself it does not look to have the
same level of potential impact as Blaster."



So even though this may make it to worm form, I don't see it propagating anywhere near as well as Blaster did.

-Maestr0

http://www.securityfocus.com/archive/1/344247
http://www.securityfocus.com/archive/1/344137
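The quoted analysis makes the exposure conditional on two things: the system drive being FAT32 (no directory ACLs) or `%SYSTEMROOT%\debug` being writable by everyone. The script below is an added example, not code from the thread or from the Securityfocus post, for checking those two conditions on a host you administer. It assumes PowerShell 3.0 or later and rights to read the directory ACL; the list of "broad" principals is this example's own choice and can be extended.

```powershell
# Added example (not from the thread or the quoted Securityfocus analysis).
# Reports the two exposure conditions the quoted text names for MS03-049:
#   1. the system drive is not NTFS, so directory ACLs cannot protect the log, or
#   2. %SYSTEMROOT%\debug grants write/append access to broad principals.
# Assumptions: PowerShell 3.0+, run with rights to read the ACL; the principal
# list below is this example's definition of "writeable by everyone".

function Get-WorkstationLogExposure {
    param(
        [string]$DebugDir = (Join-Path $env:SystemRoot 'debug'),
        [string[]]$BroadPrincipals = @('Everyone',
                                       'NT AUTHORITY\ANONYMOUS LOGON',
                                       'NT AUTHORITY\Authenticated Users',
                                       'BUILTIN\Users')
    )

    # Rights that let a caller append to an existing log or create a new file here.
    $writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'

    $drive  = $env:SystemDrive   # e.g. "C:"
    $volume = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
    $fsType = $volume.FileSystem

    $findings = @()
    if ($fsType -ne 'NTFS') {
        $findings += "System drive $drive is $fsType; directory ACLs cannot protect $DebugDir"
    }

    if (Test-Path -LiteralPath $DebugDir) {
        $acl = Get-Acl -LiteralPath $DebugDir
        foreach ($ace in $acl.Access) {
            $principal  = $ace.IdentityReference.Value
            $isAllow    = $ace.AccessControlType -eq 'Allow'
            # Cast to int: FileSystemRights may carry generic bits outside the enum.
            $hasWrite   = (([int]$ace.FileSystemRights) -band ([int]$writeBits)) -ne 0
            if ($isAllow -and $hasWrite -and ($BroadPrincipals -contains $principal)) {
                $findings += "$principal can write to $DebugDir ($($ace.FileSystemRights))"
            }
        }
    } else {
        $findings += "$DebugDir does not exist; nothing to audit yet"
    }

    [pscustomobject]@{
        DebugDir   = $DebugDir
        FileSystem = $fsType
        Exposed    = ($findings.Count -gt 0)
        Findings   = $findings
    }
}

Get-WorkstationLogExposure | Format-List
```

`Exposed` being `$true` only means one of the preconditions the post describes is present; whether the host is actually vulnerable still depends on whether the MS03-049 update is installed, which this check does not look at.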

Tedob1
November 18th, 2003, 04:59 PM
Exploit code's been out for a couple of weeks, pre-compiled EXEs are being distributed....worm should be any time now but the answer is no. I haven't heard anything yet.

ommy
November 18th, 2003, 07:03 PM
well...what more could be said..Hail to Bill Gates..

tsunami
November 19th, 2003, 09:48 AM
Hi guys

I actually work for an anti-virus company, and the biggest threat at the moment is viruses that use ADS (Alternate Data Streams). These viruses hide in the ADS, and so the viral file may only be 4Kb but the file's ADS can be hundreds of Megabytes without you knowing about it.
For an example check out http://www.sophos.com/virusinfo/analyses/trojcoreflooc.html , nasty little thing. Once some writer gets this functionality into a free-spreading worm, such as Blaster and Nachi were, then we are all going to have some serious fun getting rid of it.
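The pattern tsunami describes (a small file whose alternate stream is enormous) can be spotted by enumerating streams on NTFS. The script below is an added example, not code from the thread or from Sophos, that walks a directory tree and reports files whose non-default streams are much larger than the primary content. It assumes PowerShell 3.0 or later (for `Get-Item -Stream`) on an NTFS volume; the size and ratio thresholds are this example's own choices.

```powershell
# Added example (not from the thread or from Sophos): find files whose alternate
# data streams dwarf the primary file, the hiding pattern described above.
# Assumptions: PowerShell 3.0+ for -Stream, NTFS volume; thresholds are illustrative.

function Find-LargeAlternateStreams {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int64]$MinStreamBytes = 1MB,   # skips small benign streams such as Zone.Identifier
        [double]$RatioThreshold = 10    # stream must be at least N times the main file's size
    )

    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # Get-Item -Stream * yields one object per stream; ':$DATA' is the normal file content.
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $streams) {
            $mainLen = [math]::Max($file.Length, 1)   # avoid division by zero on empty files
            if ($s.Length -ge $MinStreamBytes -and ($s.Length / $mainLen) -ge $RatioThreshold) {
                [pscustomobject]@{
                    File        = $file.FullName
                    FileBytes   = $file.Length
                    Stream      = $s.Stream
                    StreamBytes = $s.Length
                }
            }
        }
    }
}

# Usage: scan the current user's temp directory, largest hidden streams first.
Find-LargeAlternateStreams -Path $env:TEMP |
    Sort-Object StreamBytes -Descending |
    Format-Table -AutoSize
```

Lowering `-MinStreamBytes` to 0 and `-RatioThreshold` to 0 turns this into a plain inventory of every alternate stream under the path, which is useful as a baseline before hunting for outliers.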