August 28, 2007 - Current Activity

Several New Storm Worm Trojan Propagation Techniques

US-CERT is aware of several new propagation techniques being used by the Storm Worm Trojan to spread. The new variants arrive as an email message claiming to contain a link to adult pictures, an erroneous YouTube video link, or as credentials for a membership-based website, asking you to login to change your temporary ID and password. The messages contain links to malicious websites that when visited, install malware on the user's system.

The latest variations may contain some of the following subject lines:

• Dude, what if you wife finds this?
• lol, what are you doing?
• I can't believe you did this
• LOL, that is too cool....
• Sheesh man, what are you thinkin...
• LMAO, your crazy man
  

• Do not follow unsolicited links.
• Configure your web browser as described in the Securing Your Web Browser document.
  
• Install anti-virus software, and keep its virus signature files up-to-date.
• Refer to the Recognizing and Avoiding Email Scams document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.
  

MSN Messenger Web Camera Stream Vulnerability

MSN Messenger and Windows Live Messenger contain a heap overflow in the handling of malformed webcam streams. By convincing a user to accept a webcam invitation, a remote attacker may be able to execute arbitrary code with the privileges of the user on an affected system.

US-CERT is aware of publicly available exploit code for this vulnerability.

More information regarding this vulnerability can be found in Vulnerability Note VU#166521.

US-CERT recommends users upgrade to Windows Live Messenger 8.1 to mitigate the security risk.

Multiple Vulnerabilities in Trend Micro Products

Trend Micro has released updates to address several vulnerabilities in their ServerProtect, AntiSpyware, and PC-cillin Internet Security products. By sending a crafted RPC request or creating a file on the local file system with an overly long path, an attacker may be able to cause a denial-of-service condition or execute arbitrary code on an affected system.

US-CERT is aware of reports of activity that may indicate attempts to exploit one or more of these vulnerabilities.

More information regarding the vulnerabilities, affected products, and fixes can be found in the following:

• Technical Cyber Security Alert TA07-235A
• Vulnerability Notes Database
• ServerProtect Security Patch 4 - Build 1185 README
• Trend Micro Solution Detail 1035845
  

Yahoo! Messenger Web Camera Invitation Handling Vulnerability

US-CERT is aware of a publicly reported heap overflow vulnerability in Yahoo! Messenger. By enticing a user to accept a specially crafted web camera invitation, a remote attacker may be able to cause a a denial-of-service condition or execute arbitrary code on an affected system.

More information regarding this vulnerability can be found in Vulnerability Note VU#515968.

Until a fix is available, US-CERT recommends that users reject all web camera invitations and block outgoing network traffic on TCP port 5100.

Cisco Releases Security Advisory for Vulnerabilities in Cisco VPN Client

Cisco has issued a Security Advisory to address two vulnerabilities in their VPN Client for Microsoft Windows. These vulnerabilities may allow an attacker to elevate privileges on an affected system.

More information regarding these vulnerabilities can be found in the Cisco Security Advisory: Local Privilege Escalation Vulnerabilities in Cisco VPN Client.

US-CERT strongly recommends that administrators review the Cisco Security Advisory above and follow best-practice security policies to determine what updates or workarounds should be applied.

Microsoft Releases August Security Bulletins

Microsoft has released updates to address vulnerabilities in Windows, Windows Media Player, Windows Gadgets, Office, Excel, Internet Explorer, Visual Basic, Virtual Sever, and Virtual PC as part of the Microsoft Security Bulletin Summary for August 2007.

More information about these vulnerabilities is located in the Vulnerability Notes Database and Technical Cyber Security Alert TA07-226A.

US-CERT strongly encourages users to review the bulletins and follow best-practice security policies to determine what updates should be applied.

Storm Worm Variant Continues to Spread

US-CERT is aware of public reports that the Storm Worm variant, previously reported in the US-CERT Current Activity on 29-June-2007, is currently on the rise. This variant of the Storm Worm arrives as an email message and contains a link to a malicious website that, when visited, installs malware on the user's system. The subject line of the email message may contain one of the examples listed in these US-CERT Current Activity 16-April-2007 and 20-January-2007 documents.

US-CERT urges users and administrators to take the following preventative measures to mitigate the security risks:

• Install anti-virus software, and keep its virus signature files up-to-date.
• Block executable and unknown file types at the email gateway.
• Refer to the Recognizing and Avoiding Email Scams document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.