Quick ISC Update: New e-mail virus, default password in Cisco MARS, and Quicktime

  1. #1 genXer (Senior Member, Join Date Jun 2005, Posts 252)

    Quick ISC Update: New e-mail virus, default password in Cisco MARS, and Quicktime

    Hello-

    Nothing really huge right now, but some interesting advisories that I listed in the title from ISC:

    Link: http://isc.sans.org/

    Stories so far:
    New email virus making the rounds
    Published: 2006-01-11,
    Last Updated: 2006-01-11 22:28:25 UTC by Daniel Wesemann (Version: 1)

    We are currently analyzing a copy of .. something. Attachment name "message.zip", detection by AV is still thin to nonexistent. When run, the code tries to pull additional files from web servers in Russia, so if you have a chance, you might consider blocking the following TLDs on your proxy / perimeter:

    1gb.ru / t35.com / hzs.nm.ru / users.cjb.net / h16.ru

    UPDATE 2200 UTC: message.zip contains a file named "Secure E-mail File.hta", which according to current Virustotal output is only detected by Panda and Kaspersky; the latter calls it Worm.Win32.Feebs.k. Samples we've seen come in an email with subject "Secure Message from HotMail.com user". The HTA file is nicely obfuscated; it has 2 obfuscation functions, one being an easy unescape, while the other one is a bit more complex. Once it is executed by a user, it will run in the local zone, so it can use various ActiveXObjects. It will try to download executables from 5 web sites (domains listed above), all of which are up and working at this moment.

    MD5 sums for the original exploit file and the two variants of EXEs it downloads when run:
    7eb24b4c7b7933b6a0157e80be74383c Secure E-mail File.hta
    9cbd9710087bff6f372b1e3f652d8f7c feebs1.exe
    983bf330aae51535c7382dc82429364b feebs2.exe

    Analysis and write-up by fellow handler Bojan Zdrnja. Thanks!


    Default Password in Cisco MARS
    Published: 2006-01-11,
    Last Updated: 2006-01-11 19:04:23 UTC by Daniel Wesemann (Version: 1)

    Cisco MARS (Cisco Security Monitoring Analysis and Response System) seems to contain an undocumented "make me root" command. If you are using CS-MARS, Cisco have just published an advisory.


    Quicktime patches for Mac and Windows
    Published: 2006-01-11,
    Last Updated: 2006-01-11 05:39:21 UTC by Kyle Haugsness (Version: 2)

    Is Apple hiding behind Microsoft's advisories? Seems like Apple has been conveniently releasing security advisories on the same day as Microsoft's. Conspiracy theory? You be the judge.

    Anyway, Apple released a security update to Quicktime. http://docs.info.apple.com/article.html?artnum=303101 There are multiple vulnerabilities patched. To summarize the advisory: A maliciously-crafted GIF/TIFF/TGA/QTIF image or multimedia file may result in arbitrary code execution. Well that pretty much covers the whole web browsing thing.

    Given the week we've had, I suppose that everyone should go back to using netcat for surfing the web.

    Update (from Scott):

    For those using Quicktime on Windows, a quick note about the versions of Quicktime available to download at http://www.apple.com/quicktime/ . As of 5:30 UTC, the default installer you download includes iTunes. The version of Quicktime included is 7.0.3, which is vulnerable per the advisory above. However, if you download the standalone installer located at http://www.apple.com/quicktime/download/standalone.html , then you get the updated version of Quicktime 7.0.4.

    Additionally, if you try to update the software using the "Update existing software..." item under the Help menu, then you receive a message about not being able to make an Internet connection to the software server. I receive the same message if I use the update message under the Quicktime settings window. Not sure if this is an odd configuration problem on my end, or if their update server is having problems.
    I'll check from time to time today to see if there are any updates on the new e-mail virus.
    "We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.
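As an added example (not from the ISC diary or the poster), a small Python triage routine that applies the indicators in the first story to a mail message: the quoted subject line, a message.zip attachment carrying an .hta member, and the three published MD5 sums. The sample message is constructed with a harmless placeholder HTA, so only the heuristic indicators fire and the hash list does not match.

```python
import email
import hashlib
import io
import zipfile
from email.message import EmailMessage

# Indicators quoted in the ISC diary above.
KNOWN_SUBJECT = "Secure Message from HotMail.com user"
KNOWN_MD5 = {
    "7eb24b4c7b7933b6a0157e80be74383c": "Secure E-mail File.hta",
    "9cbd9710087bff6f372b1e3f652d8f7c": "feebs1.exe",
    "983bf330aae51535c7382dc82429364b": "feebs2.exe",
}

def triage_message(raw: bytes) -> dict:
    """Flag one raw RFC 822 message on the diary's indicators; nothing is executed."""
    msg = email.message_from_bytes(raw)
    f = {"subject_match": (msg.get("Subject") or "").strip() == KNOWN_SUBJECT,
         "hta_in_zip": [], "md5_hits": []}
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        digest = hashlib.md5(payload).hexdigest()
        if digest in KNOWN_MD5:          # attachment itself is a known file
            f["md5_hits"].append((name, digest))
        if not name.lower().endswith(".zip"):
            continue
        try:                             # peek inside the zip for an .hta member
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.filename.lower().endswith(".hta"):
                        inner = hashlib.md5(zf.read(info)).hexdigest()
                        f["hta_in_zip"].append((info.filename, inner))
                        if inner in KNOWN_MD5:
                            f["md5_hits"].append((info.filename, inner))
        except zipfile.BadZipFile:       # truncated or corrupt archive: still worth a look
            f["hta_in_zip"].append((name + " (corrupt zip)", ""))
    f["suspicious"] = bool(f["md5_hits"]) or (f["subject_match"] and bool(f["hta_in_zip"]))
    return f

def build_sample() -> bytes:
    """Constructed sample: same subject and attachment names, harmless placeholder HTA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Secure E-mail File.hta", "<html><!-- placeholder, not the real sample --></html>")
    m = EmailMessage()
    m["Subject"] = KNOWN_SUBJECT
    m.set_content("See attached.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="message.zip")
    return m.as_bytes()
```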
