    January 10, 2006 - Current Activity

    This is an archived copy of Current Activity.

    Exploit for Vulnerability in Microsoft Windows Metafile Handling (updated)
    Automatic Update Functionality in Latest Sober Worm Variant
    RIM BlackBerry Vulnerabilities
    Multiple Heap Buffer Overflow Vulnerabilities in Symantec Antivirus Library
    Malware Exploiting Microsoft Distributed Transaction Coordinator Vulnerability (MS05-051)
    Exploit for Vulnerability in Microsoft Internet Explorer window() object
    Cross Domain Vulnerability in Internet Explorer
    Reports of IRS Phishing Emails
    Vulnerability in Cisco PIX
    W32/Sober Revisited
    First 4 Internet XCP (Sony DRM) Vulnerabilities



    Exploit for Vulnerability in Microsoft Windows Metafile Handling
    added December 28, 2005 | updated January 5, 2006

    US-CERT is aware of active exploitation of a vulnerability in how Microsoft Windows handles Windows Metafiles (".wmf"). Several variations of the WMF exploit file have been released that attempt to avoid detection by anti-virus software and intrusion detection and intrusion prevention systems.

    A Windows system may be compromised through several methods including:

    • Opening a specially crafted WMF file which may be masquerading as an MS Word or MS Office document.
    • Opening a specially crafted WMF file which may be masquerading as a JPEG or other type of image file.
    • Visiting a specially crafted web site.
    • Placing a malicious WMF file in a location that is indexed by Google Desktop Search or other content indexing software.
    • Viewing a folder that contains a malicious WMF file with Windows Explorer.

    Once the vulnerability is exploited, a remote attacker may be able to perform any of the following malicious activities:

    • Execute arbitrary code
    • Cause a denial-of-service condition
    • Take complete control of a vulnerable system

    More information about this vulnerability can be found in the following:

    • US-CERT Vulnerability Note: VU#181038 - Microsoft Windows Metafile handler SETABORTPROC GDI Escape vulnerability
    • Technical Cyber Security Alert: TA06-005A - Update for Microsoft Windows Metafile Vulnerability
    • Cyber Security Alert: SA06-005A - Microsoft Windows Metafile Vulnerability

    Microsoft has released an update to address this vulnerability in Microsoft Security Bulletin MS06-001. US-CERT strongly encourages users and administrators to apply the appropriate updates as soon as possible.
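    As an added illustration of the SETABORTPROC escape named in VU#181038, the following Python (an example written for this page, not US-CERT's or Microsoft's code) walks the WMF record stream and flags META_ESCAPE records whose escape code is SETABORTPROC. The record layout and codes are from the public WMF format; the sample file is constructed inline and carries no payload.

```python
"""Flag WMF files containing a META_ESCAPE record with escape code SETABORTPROC."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte Aldus placeable header
META_ESCAPE = 0x0626         # WMF record function for GDI escapes
SETABORTPROC = 9             # escape subfunction referenced by VU#181038


def wmf_records(data: bytes):
    """Yield (offset, function, params) for each record in a WMF blob."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                  # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mt_type, header_words = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or header_words != 9:
        raise ValueError("not a standard WMF header")
    off += header_words * 2                       # standard header is 9 words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        rec_len = size_words * 2                  # rdSize is counted in 16-bit words
        if size_words < 3 or off + rec_len > len(data):
            raise ValueError(f"malformed record at offset {off}")
        yield off, func, data[off + 6:off + rec_len]
        if func == 0:                             # META_EOF ends the stream
            return
        off += rec_len


def find_setabortproc(data: bytes):
    """Return offsets of META_ESCAPE records whose first parameter is SETABORTPROC."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


def build_sample(include_escape: bool) -> bytes:
    """Constructed test input (not a real sample): header, SETMAPMODE, optional escape, EOF."""
    records = [struct.pack("<IHH", 4, 0x0103, 8)]          # META_SETMAPMODE, 4 words
    if include_escape:
        # META_ESCAPE(SETABORTPROC) with a zero-length data block, 5 words
        records.append(struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0))
    records.append(struct.pack("<IH", 3, 0))               # META_EOF, 3 words
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 5, 0)
    return header + body
```

    The page notes that exploit variants were released to evade detection, so a hit from this parser is a strong signal, but a clean result is not proof that a file is safe.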


    Automatic Update Functionality in Latest Sober Worm Variant
    added December 7, 2005 | updated January 4, 2006

    US-CERT is aware of functionality that could allow the latest Sober mass-mailing worm variants known as "W32/Sober.X", "W32/Sober.Y", and "W32/Sober.Z" to automatically update themselves. These Sober worm variants are dual-language (English and German) mass-mailing worms that utilize a built-in SMTP engine to propagate. There have been over 20 Sober worm variants since October 2003. The latest Sober worm variant has been propagating since November 15, 2005 and will attempt to update itself on January 6, 2006.

    The latest Sober worm variant may have a global impact due to its use of pseudorandom URLs that are hosted on servers in European countries, such as Germany and Austria. Systems that have already been compromised by the W32/Sober.X, W32/Sober.Y or W32/Sober.Z worm are expected to receive this update. Once the update is received, the Sober worm variant may execute code that reduces the security protection of infected systems.

    US-CERT strongly recommends that users and administrators implement the following general protection measures:

    • Install anti-virus software, and keep its virus signature files up-to-date
    • Do not follow unsolicited web links or execute attachments received in email messages, even if sent by a known and trusted source
    • Keep up-to-date on patches and fixes for your operating system
    • Refer to Microsoft's Security Advisory for some suggested actions to protect your system
    • Visit the US-CERT Computer Virus Resources for additional information

    RIM BlackBerry Vulnerabilities
    added December 30, 2005

    Information about multiple vulnerabilities in RIM BlackBerry products has been presented at the 22nd Chaos Communication Congress.

    The vulnerabilities could allow an attacker to execute arbitrary code on or cause a denial of service to the BlackBerry Attachment Service. An attacker could also cause a denial of service to the BlackBerry Router or the web browser on BlackBerry Handheld devices. To exploit these vulnerabilities, an attacker would need to supply a crafted file that is viewed or downloaded by a BlackBerry Handheld, or the attacker would need to redirect a network connection directed to the BlackBerry Infrastructure.

    US-CERT recommends that BlackBerry sites upgrade BlackBerry Enterprise Server to the latest version and consult the BlackBerry Technical Knowledge Center for remediation information.

    For further details please see the related US-CERT Vulnerability Notes.


    Multiple Heap Buffer Overflow Vulnerabilities in Symantec Antivirus Library
    added December 21, 2005

    US-CERT is aware of a third-party report of multiple heap buffer overflows in the Symantec RAR decompression library (Dec2RAR.dll). Using a specially crafted RAR archive, a remote attacker may be able to perform any of the following malicious activities:

    • Execute arbitrary code, possibly with SYSTEM privileges
    • Cause a denial-of-service condition, possibly disabling antivirus capabilities
    • Take complete control of a vulnerable system

    More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

    • VU#305272 - Symantec RAR decompression library contains multiple heap overflows

    Although there is limited information concerning this reported vulnerability, US-CERT encourages users and system administrators to consider filtering or disabling the scanning of RAR archives at email or proxy gateways. However, disabling RAR scanning may compromise the effectiveness of the security product. In addition, blocking RAR archives may prevent legitimate information from entering the network.


    Malware Exploiting Microsoft Distributed Transaction Coordinator Vulnerability (MS05-051)
    added October 13, 2005 | updated December 15, 2005

    US-CERT is aware of malicious software exploiting a vulnerability in the Microsoft Distributed Transaction Coordinator (MSDTC). Successful exploitation could allow a remote, unauthenticated attacker to execute arbitrary code on the system. US-CERT is also aware of increased scanning activity on port 1025/tcp, a port commonly used by this service.

    More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

    • VU#180868 - Microsoft Distributed Transaction Coordinator vulnerable to buffer overflow via specially crafted network message

    Microsoft has released an update to address this vulnerability in Microsoft Security Bulletin MS05-051. US-CERT encourages administrators to apply the appropriate updates as soon as possible.


    Exploit for Vulnerability in Microsoft Internet Explorer window() object
    added November 21, 2005 | updated December 14, 2005

    US-CERT is aware of a vulnerability in the way Microsoft Internet Explorer handles requests to the window() object. If exploited, the vulnerability could allow a remote attacker to execute arbitrary code with the privileges of the user. Additionally, the attacker could also cause IE (or the program using the WebBrowser control) to crash.

    According to Microsoft, malicious software is targeting this vulnerability. We have confirmed that the proof-of-concept code is successful on Windows 2000 and Windows XP systems that are fully patched as of November 30, 2005.

    More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

    • VU#887861 - Microsoft Internet Explorer vulnerable to code execution via mismatched DOM objects

    Microsoft has released an update to address this vulnerability in Microsoft Security Bulletin MS05-054. US-CERT encourages administrators to apply the appropriate updates, patches, or fixes as soon as possible.


    Cross Domain Vulnerability in Internet Explorer
    added December 8, 2005

    US-CERT is aware of a cross domain violation in Internet Explorer. This may allow a script in one domain to access web content in a different domain.

    Web browsers should adhere to the "Same Origin Policy", which prevents documents or scripts loaded from one origin from getting or setting properties of a document from a different origin. Internet Explorer does not follow this policy when importing CSS documents.

    If the cross-domain violation in Internet Explorer occurs on a system that has Google Desktop Search (GDS) installed, then an attacker may be able to search for private data, execute programs, or execute arbitrary code on this vulnerable system.

    Note: Google has modified its web pages to prevent exploitation of GDS through this particular vulnerability in Internet Explorer. The cross-domain violation vulnerability in Internet Explorer is still present, however.

    Although there is limited information concerning this vulnerability, US-CERT encourages users to disable Active scripting to prevent exploitation. Users can also refer to the Microsoft Security Response Center Blog for some additional information on this vulnerability affecting Internet Explorer.


    Reports of IRS Phishing Emails
    added November 30, 2005

    US-CERT has received reports of a phishing email scam that attempts to convince the user that it is from the Internal Revenue Service (IRS) by using a spoofed "From" address of "tax-refunds@irs.gov".

    Upon clicking on the link provided in the email, the user is taken to a fraudulent site that looks like a legitimate U.S. government site. The user is then asked to provide personal information, such as their social security, credit card and bank pin numbers.

    Users are encouraged to take the following measures to protect themselves from this type of phishing attack:

    1. Do not follow unsolicited web links received in email messages.
    2. Contact your financial institution immediately if you believe your account and/or financial information has been compromised.

    For additional information on ways to avoid phishing email attacks, US-CERT recommends that all users reference the following:


    Vulnerability in Cisco PIX
    added November 23, 2005 | updated November 28, 2005

    US-CERT is aware of a publicly-reported vulnerability in the way Cisco PIX firewalls process legitimate TCP connection attempts. A remote attacker may be able to send spoofed, malformed TCP packets with incorrect checksum values through affected PIX firewalls. As a result, legitimate network traffic to the destination may be blocked until the invalid PIX connection-attempt entry times out (around two minutes by default).

    Public exploit code for this reported vulnerability may be useful for automating a sustained attack. More information about the reported vulnerability can be found in the following US-CERT Vulnerability Note:

    • VU#853540 - Cisco PIX TCP checksum verification failure report

    Until a patch or more information becomes available, US-CERT recommends that system administrators who may be affected consider reconfiguring certain connection timers on Cisco PIX systems. More workaround information is also available in the solution section of VU#853540.


    W32/Sober Revisited
    added November 22, 2005 | updated November 22, 2005

    US-CERT is aware of several new variants of the W32/Sober virus that propagate via email. As with many viruses, these variants rely on social engineering to propagate. Specifically, the user must click on a link or open an attached file.

    A recent variant sends messages that appear to be from the CIA or FBI, while a German version appears to be coming from the Bundeskriminalamt (BKA), the German Federal police service. US-CERT encourages users to review the appropriate alert below:

    The new variants of the W32/Sober virus identified above share the common characteristics listed below. Once infected, the malicious code may:

    • Attempt to harvest email addresses from a configurable list of file extensions
    • Utilize its own SMTP engine to send itself to the harvested email addresses

    Although each variant has different functionality, the list below contains a subset of the common characteristics found in previous variants. Once a system is infected, the malicious code may:

    • Modify the system registry to prevent Windows XP's built-in firewall from starting
    • Attempt to harvest email addresses from a configurable list of file extensions
    • Utilize its own SMTP engine to send itself to the harvested email addresses
    • Modify the HOSTS file to prevent the computer from accessing certain security and commercial web sites
    • Attempt to terminate a number of running processes, some of which are security related
    • Open a backdoor on the system that allows the attacker to communicate remotely with the system via IRC. This may allow the attacker to upload and execute arbitrary code on the infected machine.

    US-CERT strongly encourages users to install anti-virus software, and keep its virus signature files up-to-date.

    Additionally, US-CERT strongly encourages users not to follow unknown links, even if sent by a known and trusted source. You may also wish to visit the US-CERT Computer Virus Resources.


    First 4 Internet XCP (Sony DRM) Vulnerabilities
    added November 15, 2005 | updated November 18, 2005

    US-CERT is aware of several vulnerabilities regarding the XCP Digital Rights Management (DRM) software by First 4 Internet, which is distributed by some Sony BMG audio CDs. The XCP copy protection software uses "rootkit" technology to hide certain files from the user. This technique can pose a security threat, as malware can take advantage of the ability to hide files. We are aware of malware that is currently using this technique to hide.

    One of the uninstallation options provided by Sony also introduces vulnerabilities to a system. Upon submitting a request to uninstall the DRM software, the user will receive via email a link to a Sony BMG web page. This page will attempt to install an ActiveX control when it is displayed in Internet Explorer. This ActiveX control is marked "Safe for scripting," which means that any web page can utilize the control and its methods. Some of the methods provided by this control are dangerous, as they may allow an attacker to download and execute arbitrary code.

    More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

    • VU#312073 - First 4 Internet XCP "Software Updater Control" ActiveX control incorrectly marked "safe for scripting"

    US-CERT recommends the following ways to help prevent the installation of this type of rootkit:

    • Do not run your system with administrative privileges. Without administrative privileges, the XCP DRM software will not install.
    • Use caution when installing software. Do not install software from sources that you do not expect to contain software, such as an audio CD.
    • Read the EULA (End User License Agreement) if you do decide to install software. This document can contain information about what the software may do.
    • Disable automatically running CD-ROMs by editing the registry to change the Autorun value to 0 (zero) as described in Microsoft Article 155217.