Symantec Update: State of Internet Security -- May 2, 2004
- 03 May, 2004 11:22
<p>Within recent weeks, several critical vulnerabilities have been disclosed and, in some cases, worms and other automated tools have been launched exploiting these vulnerabilities. Exploit code has been made publicly available for all of these vulnerabilities. Most notably, W32.Sasser.B.Worm, which attempts to exploit the LSASS vulnerability, has been impacting systems worldwide. W32.Sasser.B.Worm, rated today by Symantec as a Level 4 threat, spreads by scanning randomly chosen IP addresses for vulnerable systems. Currently Symantec Security Response is seeing approximately 150 submissions per hour (see below for more information regarding this threat).</p>
<p>"Over the last several weeks Symantec Security Response has monitored a shift in malicious threat propagation," said Alfred Huger, senior director, Symantec Security Response. "During the first several months of the year, most of the threats we tracked spread through e-mail. However, now we are tracking more threats that are exploiting vulnerabilities to spread. Users need to be diligent in patching systems, updating virus definitions and implementing best practice solutions."</p>
<p>To provide clarity on some of the most recent and significant cyber threat activities, below you'll find a brief update outlining the top three recent vulnerabilities and the malicious threats associated with them.</p>
<p>1. Microsoft Windows LSASS Buffer Overrun Vulnerability/W32.Sasser.B.Worm
The Microsoft Windows LSASS Buffer Overrun Vulnerability was originally announced on April 13, 2004 in Microsoft Security Bulletin MS04-011. A buffer overflow vulnerability exists in the LSASS service that could allow remote code execution on an affected system. LSASS provides an interface for managing local security, domain authentication, and Active Directory processes. If the system were compromised, an attacker could gain complete control of the machine and perform actions on it with the privileges of a user or administrator, such as erasing files or stealing information. Exploitation may occur over TCP ports 135, 139, 445, 593 and ports greater than 1024, as well as UDP ports 135, 137, 138 and 445. More information about the LSASS vulnerability can be found at http://securityresponse.symantec.com/avcenter/security/Content/10108.html</p>
<p>Symantec recommends that users update their virus definitions to protect against W32.Sasser.Worm and its variant. Symantec Security Response has developed removal tools to clean infections of W32.Sasser.Worm and W32.Sasser.B.Worm. Additionally, Symantec recommends blocking TCP ports 5554, 9996 and 445 at the perimeter firewall and installing the appropriate Microsoft patch (MS04-011) to prevent remote exploitation of the vulnerability.</p>
<p>On May 1, 2004, Symantec Security Response identified a variant of the Sasser worm as a Level 3 threat -- W32.Sasser.B.Worm. On May 2, W32.Sasser.B.Worm was upgraded to a Level 4 threat due to the increased submission rate. Symantec Security Response has tracked 2,234 worldwide submissions, including 23 corporate submissions. Unlike the original Sasser worm, W32.Sasser.B.Worm is predominantly infecting consumer systems. The worm also attempts to exploit the LSASS vulnerability and spreads by scanning randomly chosen IP addresses for vulnerable systems. Additional information on W32.Sasser.B.Worm can be found at http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html.</p>
<p>On April 30, 2004, Symantec Security Response identified W32.Sasser.Worm as a Level 3 threat. W32.Sasser.Worm attempts to exploit the MS04-011 vulnerability and spreads by scanning randomly chosen IP addresses for vulnerable systems. Symantec Security Response tracked 301 worldwide submissions, including 113 corporate submissions. For additional information on W32.Sasser.Worm, visit http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html.</p>
<p>Symantec has also identified malicious code based on a Gaobot variant that has been modified to propagate through the Microsoft Windows LSASS vulnerability. Gaobot is a type of Trojan that uses IRC. While not as epidemic as a worm, Gaobot still presents an immediate threat due to its ability to compromise a wide range of computers. W32.Gaobot.AFW is a Level 1 threat that spreads through open network shares and several Windows vulnerabilities including LSASS. W32.Gaobot.AFW can also spread through backdoors installed by the Beagle and Mydoom worms, and the Optix family of backdoors. W32.Gaobot.AFJ is another variant that leverages the Microsoft Windows LSASS vulnerability.</p>
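<p>The advisory above recommends blocking TCP 5554, 9996 and 445 at the perimeter and describes Sasser as sweeping randomly chosen addresses. The following is an added example, not Symantec's code, of how a defender might triage perimeter firewall logs for both signals: it counts the distinct hosts each source reaches on tcp/445 (a sweep indicator) and notes any contact on the other two ports. The log layout, the scan threshold of five hosts and the sample lines (RFC 5737 documentation addresses) are all constructed for this illustration.</p>

```python
# Added example (not Symantec's code): triage of constructed perimeter firewall
# log lines for the ports named in the advisory (TCP 445, 5554 and 9996) and for
# the random-address scanning behaviour described for Sasser.
import re
from collections import defaultdict

# Ports the advisory recommends blocking at the perimeter.
SASSER_PORTS = {445, 5554, 9996}
# Assumption: a source that reaches this many distinct hosts on tcp/445 is sweeping.
SCAN_THRESHOLD = 5

# Assumed log layout (constructed for this example, not a real product's format).
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)

# Constructed sample lines using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2004-05-02 10:01:03 src=192.0.2.10 dst=198.51.100.1 proto=TCP dport=445 action=ALLOW
2004-05-02 10:01:03 src=192.0.2.10 dst=198.51.100.2 proto=TCP dport=445 action=ALLOW
2004-05-02 10:01:04 src=192.0.2.10 dst=198.51.100.3 proto=TCP dport=445 action=ALLOW
2004-05-02 10:01:04 src=192.0.2.10 dst=198.51.100.4 proto=TCP dport=445 action=ALLOW
2004-05-02 10:01:05 src=192.0.2.10 dst=198.51.100.5 proto=TCP dport=445 action=ALLOW
2004-05-02 10:01:05 src=192.0.2.10 dst=198.51.100.6 proto=TCP dport=445 action=ALLOW
2004-05-02 10:01:06 src=192.0.2.10 dst=198.51.100.1 proto=TCP dport=445 action=ALLOW
2004-05-02 10:01:10 src=192.0.2.20 dst=198.51.100.7 proto=TCP dport=445 action=ALLOW
2004-05-02 10:01:11 src=192.0.2.20 dst=198.51.100.7 proto=TCP dport=5554 action=ALLOW
2004-05-02 10:01:12 src=192.0.2.30 dst=198.51.100.8 proto=TCP dport=80 action=ALLOW
2004-05-02 10:01:13 src=192.0.2.40 dst=198.51.100.9 proto=UDP dport=445 action=ALLOW
"""


def parse(lines):
    """Yield (src, dst, proto, dport) for each line matching the assumed layout."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"].upper(), int(m["dport"])


def triage(lines, threshold=SCAN_THRESHOLD):
    """Return {src: [finding, ...]} for sources showing Sasser-like activity."""
    hosts_on_445 = defaultdict(set)  # src -> distinct destinations on tcp/445
    other_ports = defaultdict(set)   # src -> other advisory ports contacted
    for src, dst, proto, dport in parse(lines):
        if proto != "TCP" or dport not in SASSER_PORTS:
            continue  # only TCP on the advisory's ports is of interest here
        if dport == 445:
            hosts_on_445[src].add(dst)
        else:
            other_ports[src].add(dport)
    findings = {}
    # A single tcp/445 connection is normal file sharing; only a sweep is flagged.
    for src, dsts in hosts_on_445.items():
        if len(dsts) >= threshold:
            findings.setdefault(src, []).append(f"sweep: {len(dsts)} hosts on tcp/445")
    # Any contact on 5554 or 9996 is noted regardless of volume.
    for src, ports in sorted(other_ports.items()):
        joined = ", ".join(f"tcp/{p}" for p in sorted(ports))
        findings.setdefault(src, []).append(f"contact on {joined}")
    return findings


if __name__ == "__main__":
    for src, notes in triage(SAMPLE_LOG.splitlines()).items():
        print(src, "->", "; ".join(notes))
```

<p>On the sample, 192.0.2.10 is reported for a sweep of six hosts (the repeat to 198.51.100.1 is not double-counted), 192.0.2.20 is reported only for its tcp/5554 contact since one tcp/445 connection is below the threshold, and the UDP and tcp/80 lines are ignored.</p>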
<p>2. Microsoft Private Communications Transport (PCT) Protocol Buffer Overrun Vulnerability/backdoor.mipsiv
The Microsoft PCT Vulnerability was originally announced on April 13, 2004 in Microsoft Security Bulletin MS04-011. The Microsoft PCT vulnerability affects all IIS Web servers running Microsoft IIS with SSL enabled. Windows 2003 servers are not vulnerable unless the PCT protocol has been enabled by the administrator. Symantec recommends that users install the PCT patch immediately. If that is not possible, IT administrators can disable the PCT protocol in the registry. Additionally, vulnerability assessment and intrusion detection systems can be deployed to detect the presence of the vulnerability and/or the presence of the exploit. For more information about this vulnerability: http://securityresponse.symantec.com/avcenter/security/Content/10116.html.</p>
<p>On April 28, Symantec identified a new Trojan called Backdoor.Mipsiv. Backdoor.Mipsiv is a Trojan that performs different backdoor-type functions by connecting to an IRC server and joining a specific channel to listen for instructions. Additionally, the Trojan contains keylogging and network scanning functionalities. Backdoor.Mipsiv uses the same port as the PCT vulnerability.</p>
<p>On April 21, exploit code was made public.</p>
<p>3. Multiple Vendor Transmission Control Protocol (TCP) Sequence Number Approximation Vulnerability
A vulnerability in TCP implementations was reported on April 20, 2004, that may permit unauthorized remote users to reset TCP sessions. This issue affects products released by multiple vendors. This issue may permit TCP sequence numbers to be more easily approximated by remote attackers. This vulnerability is possible because affected implementations will accept TCP sequence numbers within a certain range of the expected sequence number for a packet in the session. This will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing for denial-of-service attacks. An attacker could exploit this issue by sending a packet with an approximated sequence number and forged source IP address and TCP port. The end result would be a disruption of normal Internet traffic.</p>
<p>Internet Service Providers are aware of the TCP flaw and there are a number of mitigation strategies. Among others, IT administrators should turn on IP security (IPSEC) which will allow for sensitive TCP protocol data to be encrypted when transmitted over the wire. While there are serious risks if systems are left unpatched, Symantec feels the majority of the systems should be safe. Additional information can be found at http://securityresponse.symantec.com/avcenter/security/Content/10183.html</p>
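<p>The advisory above explains that affected TCP implementations accept a sequence number anywhere within a range of the expected value, so a spoofed RST or SYN need only land inside the window to reset the session. The following added example, not Symantec's code, models that receiver-side decision: the permissive in-window check the advisory describes beside a strict rule that honours a RST only when its sequence number exactly matches the next expected byte, plus a helper that expresses how much of the 32-bit sequence space each rule exposes. Session state and probe values are constructed for the illustration; the functions are hypothetical and not taken from any real TCP stack.</p>

```python
# Added example (not Symantec's code): how a TCP receiver decides whether a
# segment's sequence number is acceptable, modelling the permissive in-window
# check the advisory describes beside a strict exact-match check for RST.
SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap modulo 2^32


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), computed modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_accepted_permissive(seq, rcv_nxt, rcv_wnd):
    """Affected implementations (per the advisory): any RST whose sequence
    number falls anywhere inside the receive window tears the session down.
    The same window test is what lets an in-window spoofed SYN reset it."""
    return in_window(seq, rcv_nxt, rcv_wnd)


def rst_accepted_strict(seq, rcv_nxt, rcv_wnd):
    """Hardened rule (hypothetical, for contrast): honour a RST only when its
    sequence number equals the exact next expected value; an in-window but
    inexact RST is not acted on."""
    return in_window(seq, rcv_nxt, rcv_wnd) and seq == rcv_nxt


def accepted_fraction(rcv_wnd, strict=False):
    """Share of the 2^32-value sequence space in which a single spoofed segment
    would be honoured. Under the permissive rule it grows with the receive
    window; under the strict rule exactly one value out of 2^32 works."""
    return (1 if strict else rcv_wnd) / SEQ_SPACE


def simulate(rcv_nxt, rcv_wnd, candidate_seqs):
    """Count how many of the given sequence numbers each rule would honour."""
    permissive = sum(rst_accepted_permissive(s, rcv_nxt, rcv_wnd) for s in candidate_seqs)
    strict = sum(rst_accepted_strict(s, rcv_nxt, rcv_wnd) for s in candidate_seqs)
    return {"permissive": permissive, "strict": strict}


if __name__ == "__main__":
    # Constructed session state: next expected byte and a 64 KiB window.
    nxt, wnd = 0x12345678, 65535
    # Constructed probe values: exact match, inside the window, just past its
    # upper edge (rejected by both rules), and the last in-window value.
    probes = [nxt, nxt + 1000, nxt + wnd, nxt + wnd - 1]
    print(simulate(nxt, wnd, probes))
    for w in (4096, 65535, 1 << 20):
        print(f"window {w}: permissive {accepted_fraction(w):.2e}, "
              f"strict {accepted_fraction(w, strict=True):.2e}")
```

<p>The window comparison is done modulo 2^32 so that a session whose sequence numbers wrap around is handled correctly, which is the edge case a naive <code>rcv_nxt &lt;= seq &lt; rcv_nxt + rcv_wnd</code> comparison gets wrong. Larger advertised windows, common on high-bandwidth links, widen the permissive rule's exposure proportionally, which is the reason the advisory describes sequence numbers as becoming easier to approximate.</p>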
<p>On April 22, 2004, Symantec Security Response confirmed that an exploit has been publicly released for the Transmission Control Protocol (TCP) vulnerability. At this time, there is no evidence of a widespread threat.</p>