Archive for April 2005
Symantec Site Redesign
I learned this morning from Chris Mosby’s blog that Symantec had performed a site redesign. This was news to me because everything was normal last night at 1am.
Normally I’d say hopefully this is a sign Symantec is migrating from Lotus Notes and we won’t have to deal with slow site updates (replication) and incredibly long URLs anymore. Unfortunately what has replaced it is worse.
Normally my entrance page to Symantec’s antivirus information is www.symantec.com/avcenter. This now redirects me out to the main page.
Virus page URLs used to be somewhat predictable. This made it possible to find a writeup before it was posted to the main page and before it was searchable. Now virus links look like http://www.symantec.com/enterprise/security_response/risks/advisories/virus.jsp?id=32736 and you can’t tell at a glance what that link is for. Once you are at the writeup page, instead of having everything you need on one page, there are now four links: Overview, Removal, Technical Details and Recommendations. I’m so glad that Symantec already sends me these writeups through the DeepSight Subscription service. I’d hate to have to load 4 pages when one would do.
I’m getting 404s from the site, so hopefully they are still in the process of working out the kinks.
Feedback related to the Symantec website can be posted here
W32.Velkbot.a – IM Virus
W32.Velkbot.a when executed sends a message to all MSN Messenger, Yahoo Messenger, and AIM contacts on the compromised computer. The message is as follows:
“rofl
http://albound.com/pictures.php /r[email_address]”
The recipient must click on the link and download/execute the file to become infected.
Once infected you’ll have %system%\winmsg.exe along with the usual Run registry keys.
Additional bits of fun:
Disables Task Manager and regedit.
Connects to an IRC server at afil.canadiangov.info and waits for commands.
They can do pretty much whatever they want at that point.
Links:
http://www.symantec.com/avcenter/venc/data/w32.velkbot.a.html
I can see how this is listed as high severity and high impact. But the contagion potential doesn’t seem that high. It relies on one website that is likely shut down by now. If you are going to rely on a distribution mechanism that can be shut down, hit your targets Monday morning, not Saturday night. During the week you’ll get the office workers.
This virus is of concern because it is sending IMs to all buddy lists on the top three networks instead of just targeting MSN. Also the message likely comes from someone you know (strangers generally don’t have me on their buddy list, and people can only contact me if they are already on my list).
SANS Conference
I mentioned a few posts back that I was going to a local SANS conference.
We’re two-thirds of the way through the SANS – CISSP + S conference and it’s been a great experience. Because it is a prep course, by nature it avoids two of my main annoyances in training. No one is signed up for the class who doesn’t have a clue. (ISC)^2 has experience requirements associated with the CISSP so there is a lower threshold on the type of people who will be in the course.
Also because the course is about prepping for a test, there isn’t a lot of debate and side issues. People recognize that there is the (ISC)^2 world and then everything else.
It’s a long day with a lot of tough material, but thus far it’s been very enjoyable. We return for the final two days next Thursday and Friday.
Hijacked 404, Last Word, no really
I thought I’d said all I was going to say on the hijacked 404 web page, but there was a little bit of news today.
1. A moderator reports that the problem is resolved. So at least that is progress if they are admitting there was a problem. I’d prefer to know what was wrong and how they made sure it doesn’t happen again. That’s how we treat users where I work, and I’d expect the same when I’m the customer.
2. POWWeb support did get back to me Sunday morning (1.5 days after the ticket was entered). All they really said was there was no problem, and they closed the ticket.
3. POWWeb locked a thread on their bulletin board discussing this issue. I don’t think the thread was at all out of line. I’m a bit annoyed at their ham-handedness in closing the thread as well as their unresponsiveness in general.
Over the past 6 months I’ve really started to doubt POWWeb’s commitment to security. Certainly users installing Content Management Systems like PHP-Nuke doesn’t help things. People picking dumb passwords doesn’t help things. But when I do everything I can to run a secure site, and the host fouls things up, that pisses me off.
Hacked 404 – Final Chapter
I got a note back from Websense today that they’ve added the link I sent them to the block list, so Websense customers with the Premium Spyware Group will be protected from that little baddie.
I also finally added in the custom 404 redirect. I didn’t take the time to add in a redirect for 401, 403 or 500. I really should do that, just to protect myself from further ISP incompetence. I haven’t noticed any 404 hijacking for the past day or two, so we may be out of the woods.
Proof of Concept for MS05-019 available
There is now proof of concept code available for ms05-019 (Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066)).
http://www.frsirt.com/exploits/20050417.ecl-winipdos.c.php
This one is actually interesting, an off-by-one:
“When processing an IP packet with an option size (2nd byte after the option) of 39, it will crash, since the maximum available size is 40 for the whole IP options field, and two are already used:
[ OPT ] [ SIZE ] [ 38 more bytes ]
Checks are done to validate that the option-size field is less than 40, where a value less than !39! should be checked for validation.
Note that this doesn’t affect ALL options, and is also dependent upon the underlying protocol.”
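As an added illustration, not code from this post or from the PoC linked above, here is a small C model of the bound-checking pattern the quoted note describes: an option parser that validates the option’s length byte only against the fixed 40-byte ceiling of the IP options field, beside the corrected check that validates it against the bytes remaining from where the option starts. Per RFC 791 the length byte counts the type and length bytes too, so a 39-byte option fits only if it begins at offset 0 or 1; an absolute “less than 40” check lets it through anywhere. The function names, the two sample option fields and the simulated walk are constructed for this example and do not reproduce the Windows TCP/IP code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* An IPv4 header is at most 15 words (60 bytes); 20 are fixed, so the
 * options field is at most 40 bytes. Each non-trivial option is
 * [type][length][data...] and, per RFC 791, the length byte counts the
 * type and length bytes as well as the data. */
#define IP_MAX_OPTIONS_LEN 40
#define IPOPT_EOL 0   /* end of option list */
#define IPOPT_NOP 1   /* single-byte no-op, used for padding */

/* Result of walking an options field. */
struct optwalk {
    int    count;    /* options accepted before the walk stopped */
    size_t max_end;  /* one past the highest offset a real parser would read */
    bool   overrun;  /* max_end went beyond the buffer that was supplied */
};

/* Flawed walker: the only bound applied to the length byte is the fixed
 * 40-byte ceiling, ignoring where the option starts. This is the pattern
 * the quoted note describes. A real parser dereferences the bytes; here
 * we only compute the offsets it would touch so the example cannot crash. */
static struct optwalk walk_options_flawed(const uint8_t *opts, size_t opts_len)
{
    struct optwalk r = {0, 0, false};
    size_t i = 0;

    while (i < opts_len) {
        uint8_t type = opts[i];
        if (type == IPOPT_EOL) { r.max_end = i + 1; break; }
        if (type == IPOPT_NOP) { i++; r.count++; r.max_end = i; continue; }
        if (i + 1 >= opts_len) { r.max_end = i + 2; r.overrun = true; break; }

        uint8_t len = opts[i + 1];
        if (len < 2 || len >= IP_MAX_OPTIONS_LEN)   /* absolute check only */
            break;
        r.max_end = i + len;                         /* where a copy would end */
        if (r.max_end > opts_len) { r.overrun = true; break; }
        r.count++;
        i += len;
    }
    return r;
}

/* Corrected parser: an option must fit in the bytes remaining from its
 * own start, so the bound is relative to the cursor and checked before
 * any data byte is read. Returns the option count, or -1 if malformed. */
static int parse_options_safe(const uint8_t *opts, size_t opts_len)
{
    if (opts_len > IP_MAX_OPTIONS_LEN || opts_len % 4 != 0)
        return -1;                              /* IHL is in 4-byte words */

    int count = 0;
    size_t i = 0;
    while (i < opts_len) {
        uint8_t type = opts[i];
        if (type == IPOPT_EOL) break;
        if (type == IPOPT_NOP) { i++; count++; continue; }
        if (i + 1 >= opts_len) return -1;       /* length byte itself missing */

        uint8_t len = opts[i + 1];
        if (len < 2 || len > opts_len - i)      /* relative bound, no off-by-one */
            return -1;
        count++;
        i += len;
    }
    return count;
}

/* Constructed samples, not captured traffic. 0x89 is strict source route.
 * MALFORMED: two NOPs, then an option claiming 39 bytes. 39 passes a
 * "< 40" check, but 2 + 39 = 41 reaches one byte past the 40-byte field. */
static const uint8_t MALFORMED_OPTS[IP_MAX_OPTIONS_LEN] = { IPOPT_NOP, IPOPT_NOP, 0x89, 39 };

/* BENIGN: two NOPs, a 7-byte strict source route (pointer 4, one hop
 * 10.0.0.1), then EOL and padding to a 4-byte multiple. */
static const uint8_t BENIGN_OPTS[12] = {
    IPOPT_NOP, IPOPT_NOP, 0x89, 7, 4, 10, 0, 0, 1, IPOPT_EOL, 0, 0
};

int main(void)
{
    struct optwalk w = walk_options_flawed(MALFORMED_OPTS, sizeof MALFORMED_OPTS);
    printf("flawed walk:  %d options, would read up to offset %zu, overrun=%d\n",
           w.count, w.max_end, w.overrun);
    printf("safe parse:   %d (-1 means rejected)\n",
           parse_options_safe(MALFORMED_OPTS, sizeof MALFORMED_OPTS));
    printf("benign field: flawed count %d, safe count %d\n",
           walk_options_flawed(BENIGN_OPTS, sizeof BENIGN_OPTS).count,
           parse_options_safe(BENIGN_OPTS, sizeof BENIGN_OPTS));
    return 0;
}
```

The point of the two functions is the shape of the check, not the constant: a bound compared against the field’s maximum size instead of against the bytes actually left at the cursor is off by however far into the field the option starts, and the two leading NOPs in the malformed sample are enough to push a “valid” 39 one byte past the end.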
There is now PoC code for MS05-016, MS05-017, MS05-019, and MS05-020. The time for patching is now.
Hacked 404 Part 3
I took the files that the fake 404 error page was attempting to install and sent them to Symantec. As I mentioned in my last post, VirusTotal showed several other vendors detecting it as a virus, but not Symantec. I should mention that virustotal.com does not use version 9 of Symantec and would be unable to detect adware, so I checked it myself before submitting with SAV 9.0.2.
Symantec’s Antivirus Response Center reports that the chm file is a trojan downloader and the exe file is a trojan adclicker. The 4/17 Intelligent Updater files should contain defs for this.
Another user on the web server cluster I am on reported that users of his website are reporting virus detections. Sure enough, with McAfee, when I go to his site I get a virus detection immediately. I can see in the source for the page I get that there is an iframe loading something from a .la TLD. This is like what happened to me. I suspect that he has a bad link on his page.
Just like my problem, it comes and goes. Three hours later, I now can’t reproduce the problem on his site.
New Mitglieder variants
F-Secure posted today that more Mitglieder variants have been sent out as spam. Not sure if that is what I’m seeing. Sounds like it though.
http://www.f-secure.com/weblog/#00000533
At my company I began seeing heuristic detections in our inbound email at 1:30pm Eastern, lasting until 4:30pm. There were about 250 virus emails in that time period.
The file is 1.exe. Usually the message I get is about the actual viral code, so that file is probably inside another file. There was not a single source IP address for the messages.

