_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
RE: [ok] [Full-Disclosure] Possible Virus/Trojan

From: Edward Ray (supportmmicman.com)
Date: Mon Jul 26 2004 - 13:53:11 CDT


Got something similar to that a few days ago on another mailing list,
informing me Arnold Schwarzenegger hung himself last night. The file was a
*.exe.html, or *.html.exe

  _____

From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Todd Towles
Sent: Sunday, July 25, 2004 8:03 PM
To: 'Curt Purdy'; 'Mailing List - Full-Disclosure'
Subject: RE: [ok] [Full-Disclosure] Possible Virus/Trojan

I would say that the latter is the more likely, but the message came from a
Hotmail account. Doesn't Hotmail check attachments? I didn't look at the
headers really so spoofing is possible. I am getting a copy to a research
company so I can get some more answers maybe.

 

-----Original Message-----
From: Curt Purdy [mailto:purdytecman.com]
Sent: Sunday, July 25, 2004 2:07 PM
To: 'Todd Towles'; 'Mailing List - Full-Disclosure'
Subject: RE: [ok] [Full-Disclosure] Possible Virus/Trojan

 

Todd Towles wrote:

> I received an e-mail today that looked very much like a virus. Here is the
> message
>
> Attachment - erupts.avi.exe
>
> Subject - New Southern California wildfire erupts

<snip>

> Either this is a new Trojan that changes its body and subject based on the
> current AP news or someone used a very lame trick against me. =)

 

I'm guessing the latter. Although story scraping would be possible,
intelligent naming of the .exe would not be. Most likely a friend... or
enemy.

 

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity adviser Richard Clarke

 



 
RE: [ok] [Full-Disclosure] Possible Virus/Trojan

From: Todd Towles (toddtowlesbrookshires.com)
Date: Mon Jul 26 2004 - 14:03:38 CDT


I heard about a small thing going around about Bin Laden hanging himself and
some CNN reporters had pictures. But it was a virus. I didn't hear much
about it, maybe it is a small time thing and they are just picking people to
spread the virus around.

 

-----Original Message-----
From: Edward Ray [mailto:supportmmicman.com]
Sent: Monday, July 26, 2004 1:53 PM
To: 'Todd Towles'; 'Curt Purdy'; 'Mailing List - Full-Disclosure'
Subject: RE: [ok] [Full-Disclosure] Possible Virus/Trojan

 

Got something similar to that a few days ago on another mailing list,
informing me Arnold Schwarzenegger hung himself last night. The file was a
*.exe.html, or *.html.exe

 

  _____

From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Todd Towles
Sent: Sunday, July 25, 2004 8:03 PM
To: 'Curt Purdy'; 'Mailing List - Full-Disclosure'
Subject: RE: [ok] [Full-Disclosure] Possible Virus/Trojan

I would say that the latter is the more likely, but the message came from a
Hotmail account. Doesn't Hotmail check attachments? I didn't look at the
headers really so spoofing is possible. I am getting a copy to a research
company so I can get some more answers maybe.

 

-----Original Message-----
From: Curt Purdy [mailto:purdytecman.com]
Sent: Sunday, July 25, 2004 2:07 PM
To: 'Todd Towles'; 'Mailing List - Full-Disclosure'
Subject: RE: [ok] [Full-Disclosure] Possible Virus/Trojan

 

Todd Towles wrote:

> I received an e-mail today that looked very much like a virus. Here is the
> message
>
> Attachment - erupts.avi.exe
>
> Subject - New Southern California wildfire erupts

<snip>

> Either this is a new Trojan that changes its body and subject based on the
> current AP news or someone used a very lame trick against me. =)

 

I'm guessing the latter. Although story scraping would be possible,
intelligent naming of the .exe would not be. Most likely a friend... or
enemy.

 

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity adviser Richard Clarke

 



 
[Full-Disclosure] [ GLSA 200407-20 ] Subversion: Vulnerability in mod_authz_svn

From: Joshua J. Berry (condordesgentoo.org)
Date: Mon Jul 26 2004 - 13:26:37 CDT


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200407-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Subversion: Vulnerability in mod_authz_svn
      Date: July 26, 2004
      Bugs: #57747
        ID: 200407-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Users with write access to parts of a Subversion repository may bypass
read restrictions in mod_authz_svn and read any part of the repository
they wish.

Background
==========

Subversion is an advanced version control system, similar to CVS, which
supports additional functionality such as the ability to move, copy and
delete files and directories. A Subversion server may be run as an
Apache module, a standalone server (svnserve), or on-demand over ssh (a
la CVS' ":ext:" protocol). The mod_authz_svn Apache module works with
Subversion in Apache to limit access to parts of Subversion
repositories based on policy set by the administrator.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /  Unaffected
    -------------------------------------------------------------------
  1  dev-util/subversion     <= 1.0.4-r1     >= 1.0.6

Description
===========

Users with write access to part of a Subversion repository may bypass
read restrictions on any part of that repository. This can be done
using an "svn copy" command to copy the portion of a repository the
user wishes to read into an area where they have write access.

Since copies are versioned, any such copy attempts will be readily
apparent.
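Because copies are versioned, the bypass described above leaves a trace in the repository history. The following is an added example, not part of the advisory or of the Subversion project, that scans constructed `svn log -v` output for copies whose source lies under an assumed read-restricted prefix and whose destination does not:

```python
import re

# Constructed sample of `svn log -v` output (not from the advisory). In r12
# alice copies a read-restricted subtree into an area where she may write.
SAMPLE_LOG = """\
------------------------------------------------------------------------
r11 | bob | 2004-07-26 09:00:00 +0000 (Mon, 26 Jul 2004) | 1 line
Changed paths:
   M /secret/plans.txt

update plans
------------------------------------------------------------------------
r12 | alice | 2004-07-26 10:00:00 +0000 (Mon, 26 Jul 2004) | 1 line
Changed paths:
   A /public/mirror (from /secret:11)

sync
------------------------------------------------------------------------
r13 | alice | 2004-07-26 11:00:00 +0000 (Mon, 26 Jul 2004) | 1 line
Changed paths:
   A /public/tools/build.sh (from /public/old/build.sh:10)

move script
------------------------------------------------------------------------
"""

# Assumed: path prefixes the mod_authz_svn access file marks read-restricted.
RESTRICTED = ["/secret"]

REV_RE = re.compile(r"^r(\d+) \| (\S+) \|")
# Changed-path line, e.g. "   A /dst (from /src:11)"; the "(from ...)" part
# is present only for copies, which is the operation the advisory describes.
PATH_RE = re.compile(r"^\s+[AMDR] (\S+)(?: \(from (\S+):(\d+)\))?$")

def _under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def find_restricted_copies(log_text: str, restricted: list) -> list:
    """Return (revision, author, destination, source) for every copy whose
    source is under a restricted prefix and whose destination is not."""
    hits, rev, author = [], 0, ""
    for line in log_text.splitlines():
        m = REV_RE.match(line)
        if m:
            rev, author = int(m.group(1)), m.group(2)
            continue
        m = PATH_RE.match(line)
        if not m or m.group(2) is None:
            continue  # not a changed-path line, or not a copy
        dest, src = m.group(1), m.group(2)
        if any(_under(src, p) for p in restricted) and not any(_under(dest, p) for p in restricted):
            hits.append((rev, author, dest, src))
    return hits
```

Running it over a real repository means feeding it the output of `svn log -v` for the revision range you want to audit.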

Impact
======

This is a low-risk vulnerability. It affects only users of Subversion
who are running servers inside Apache and using mod_authz_svn.
Additionally, this vulnerability may be exploited only by users with
write access to some portion of a repository.

Workaround
==========

Keep sensitive content separated into different Subversion
repositories, or disable the Apache Subversion server and use svnserve
instead.

Resolution
==========

All Subversion users should upgrade to the latest available version:

    # emerge sync

    # emerge -pv ">=dev-util/subversion-1.0.6"
    # emerge ">=dev-util/subversion-1.0.6"

References
==========

  [ 1 ] ChangeLog for Subversion 1.0.6
        http://svn.collab.net/repos/svn/tags/1.0.6/CHANGES

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

    http://security.gentoo.org/glsa/glsa-200407-20.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0




 
Re: [ok] [Full-Disclosure] Possible Virus/Trojan

Valdis.Kletnieksvt.edu
Date: Mon Jul 26 2004 - 15:18:48 CDT


On Sun, 25 Jul 2004 14:06:55 CDT, Curt Purdy <purdytecman.com> said:

> I'm guessing the latter. Although story scraping would be possible,
> intelligent naming of the .exe would not be. Most likely a friend... or
> enemy.

http://www.cnn.com/2004/WEATHER/07/26/new.mexico.flooding.ap/index.html
"Rain floods New Mexico".

http://www.cnn.com/2004/SHOWBIZ/Movies/07/26/halle.berry.ap/index.html
"Halle Berry falls for feline co-star"

Looks pretty easy to scrape the URL for a useful name... and if you've already
scraped the story, you probably HAVE the URL you scraped it from... ;)




 
Re: [Full-Disclosure] Cry For help

Valdis.Kletnieksvt.edu
Date: Mon Jul 26 2004 - 15:21:05 CDT


On Sun, 25 Jul 2004 00:28:40 PDT, g0bb13s <g0bb13syahoo.com> said:
> Good sirs and madames,
>
> Please. Fifty dollar.
>
> My name is G0ibbles Bugtrack,16 years from the mall of
> some stupid

I thought it was amusing, but it could probably do better. SpamAssassin said:

X-spam-status: No, score=1.6 required=5.5 tests=CASHCASHCASH,
        FROM_HAS_MIXED_NUMS,FROM_HAS_MIXED_NUMS3

Lots of room for improvement there.....




 
[Full-Disclosure] Google recovers after virus hits

leeseethrusec.co.uk
Date: Mon Jul 26 2004 - 17:56:43 CDT


Net search engine Google appeared to resume normal service in the UK around
2000BST after a virus crippled its search engine.
Net security firms reported that the havoc seemed to have been caused by a
new variant of the MyDoom virus.

Google confirmed a number of users in the UK and some US and French users
were experiencing problems.

The search engine is one of the most popular on the net, dealing with 200
million global queries a day.

Huge index

First reports of the problems with the UK service started emerging at around
1530 GMT (1630 BST).

Instead of getting a page of results, some users in the UK, US and France
were confronted with a server error instead. Other net users have reported
no problems.

In a statement Google said on Monday night: "The Google search engine
experienced slowness for a short period of time earlier today because of the
MyDoom virus, which flooded major search engines with automated searches.

"A small number of users and networks that have the MyDoom virus have been
affected for a longer period of time.

"At no point was the Google website significantly impaired."

Google is one of several search engines used by MyDoom to find valid e-mail
addresses on the net. Past versions of the virus only searched a user's own
computer or address list.

The MyDoom-O variant spreads in the form of an e-mail attachment.

The attached message pretends to be from the user's net provider's or
company's support team saying that their PC has been used by hackers to send
spam.

Previous versions of MyDoom have launched distributed denial of service
attacks (DDoS) on websites like Microsoft and software firm SCO.

Infected computers are used to bombard target websites with bogus data
packages that utterly paralyse the sites.

"It does not appear to launch a traditional DDoS attack," said Graham
Cluley, senior technology consultant for anti-virus firm Sophos, "and it is
not just Google, but Altavista, Yahoo and Lycos."

"MyDoom uses a revolutionary new technique - I don't think we have seen this
before," he added.

The new MyDoom variant searches infected machines for e-mail addresses, like
other viruses before it.

But it also uses search engines to look for even more addresses in online
forums and webpages.

High price

Google, based in Mountain View, California, announced its plans to float on
the stock market in April.

On Monday it announced it hoped its initial public offering (IPO) could
raise as much as $3.3bn (£1.8bn), although no date for the IPO has been set.

This would give the California-based firm an initial market capitalisation
as high as $36.25bn.

Google's web index is huge, carrying more than six billion items.

The phrase "to google" has entered popular parlance as a verb to describe an
internet search.

But it faces growing competition from MSN and Yahoo, which are investing in
search technology to try to win back web surfers.

Source http://news.bbc.co.uk/1/hi/technology/3927963.stm

"The saddest aspect of life right now is that science gathers knowledge
faster than society gathers wisdom."
-Isaac Asimov (1920-1992)

Lee STS
http://www.seethrusec.co.uk
Building Knowledge and Security..



 
RE: [ok] [Full-Disclosure] Possible Virus/Trojan

From: Todd Towles (toddtowlesbrookshires.com)
Date: Mon Jul 26 2004 - 15:29:23 CDT


It is a good idea but if it was a new version of an e-mail virus, we would be
seeing it all over the place by now.

I don't have a copy of the exe, it was deleted off the server before I could
get someone to save it. I have it on my client but Outlook is blocking it.
There may be a way of getting it out of Outlook but I am not sure if it is
worth the effort. Therefore I don't have the ability to disassemble it.

I was the only person in the company to get this type of e-mail which is
very odd, but I did get the very cool MyDoom.O today as well.

-Todd

-----Original Message-----
From: Valdis.Kletnieksvt.edu [mailto:Valdis.Kletnieksvt.edu]
Sent: Monday, July 26, 2004 3:19 PM
To: Curt Purdy
Cc: 'Todd Towles'; 'Mailing List - Full-Disclosure'
Subject: Re: [ok] [Full-Disclosure] Possible Virus/Trojan

On Sun, 25 Jul 2004 14:06:55 CDT, Curt Purdy <purdytecman.com> said:

> I'm guessing the latter. Although story scraping would be possible,
> intelligent naming of the .exe would not be. Most likely a friend... or
> enemy.

http://www.cnn.com/2004/WEATHER/07/26/new.mexico.flooding.ap/index.html
"Rain floods New Mexico".

http://www.cnn.com/2004/SHOWBIZ/Movies/07/26/halle.berry.ap/index.html
"Halle Berry falls for feline co-star"

Looks pretty easy to scrape the URL for a useful name... and if you've already
scraped the story, you probably HAVE the URL you scraped it from... ;)



 
Re: [ok] [Full-Disclosure] Possible Virus/Trojan

From: Charles Heselton (charles.heseltongmail.com)
Date: Mon Jul 26 2004 - 21:21:02 CDT


On Mon, 26 Jul 2004 08:08:27 -0500, Todd Towles
<toddtowlesbrookshires.com> wrote:
> Sorry guys, I just noticed in my Outlook that the attachment name was really
> "New Southern California wildfire erupts.avi (spaces) .exe"
>
> It was released to me after being blocked, but Outlook blocks access to exe
> files. Therefore I don't have a direct copy of it to look into. I am trying
> to find another copy somewhere.
>
> That means the file name was the same as the header. If I was going to
> custom make a fake e-mail to send to one person, it wouldn't be so
> automatically looking.
>
>
>
>
> -----Original Message-----
> From: Andrew Farmer [mailto:andfarmteknovis.com]
> Sent: Sunday, July 25, 2004 6:06 PM
> To: Curt Purdy
> Cc: 'Mailing List - Full-Disclosure'; 'Todd Towles'
> Subject: Re: [ok] [Full-Disclosure] Possible Virus/Trojan
>
> On 25 Jul 2004, at 12:06, Curt Purdy wrote:
> > Todd Towles wrote:
> >> I received an e-mail today that looked very much like a virus. Here
> >> is the message
> >>
> >> Attachment - erupts.avi.exe
> >
> >> Subject - New Southern California wildfire erupts
> >
> > <snip>
> >
> >> Either this is a new Trojan that changes its body and subject based on
> >> the current AP news or someone used a very lame trick against me.
> >> =)
> >
> > I'm guessing the latter. Although story scraping would be possible,
> > intelligent naming of the .exe would not be. Most likely a friend...
> > or
> > enemy.
>
> Sure it would be. In this case, at least, the executable is just named
> based on the last word of the headline plus ".avi.exe".
>
Sounds like a variant of the new MyDoom. MyDoom.M (as named by
Symantec) grabs email domains, then does a Google search for other
email addy's in the same domain. It would be more or less trivial to
craft the filename/subject from something pulled off of a "current
event search".

--
Charlie Heselton
Network Security Engineer

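As an added example (not from any poster in this thread), a Python check for the attachment-naming tricks discussed above: a media-looking double extension such as erupts.avi.exe, the run of spaces that pushes ".exe" out of view in a mail client, and an executable extension buried inside the name as in *.exe.html. The extension lists are assumptions, and the sample names are constructed from the thread's descriptions.

```python
import re

# Assumed lists: extensions Windows runs as code, and "decoy" extensions a
# user would take for harmless media or documents.
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
DECOY_EXTS = {"avi", "mpg", "jpg", "gif", "txt", "doc", "pdf", "html", "htm"}


def attachment_flags(name: str) -> list:
    """Return the reasons an attachment name looks like a disguised executable
    (an empty list when nothing suspicious is found)."""
    flags = []
    # Runs of spaces push the real extension past what the mail client shows.
    if re.search(r"\s{2,}", name):
        flags.append("whitespace_padding")
    # Strip all whitespace so 'erupts.avi     .exe' splits like 'erupts.avi.exe'.
    exts = re.sub(r"\s+", "", name).lower().split(".")[1:]
    if not exts:
        return flags
    if exts[-1] in EXEC_EXTS:
        flags.append("executable_extension")
        if any(e in DECOY_EXTS for e in exts[:-1]):
            flags.append("decoy_double_extension")
    elif any(e in EXEC_EXTS for e in exts[:-1]):
        # e.g. story.exe.html: the final extension masks an executable one.
        flags.append("executable_inside_name")
    return flags


# Constructed names modelled on the attachments described in this thread.
SAMPLES = [
    "erupts.avi.exe",
    "New Southern California wildfire erupts.avi" + " " * 40 + ".exe",
    "story.exe.html",
    "report.pdf",
]

if __name__ == "__main__":
    for n in SAMPLES:
        print(repr(n[:50]), "->", attachment_flags(n) or "clean")
```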


 
[Full-Disclosure] Re:

From: Thor (thorpivx.com)
Date: Mon Jul 26 2004 - 16:58:24 CDT