Since I am pressed for time and am presently unable to completely digest
what the vulnerability is and how to stop it, how can we configure our
Declude installs to protect/find/stop these messages?

John T
eServices For You


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Andy Schmidt
> Sent: Tuesday, May 31, 2005 11:30 AM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] MS05-16 Exploit
> 
> Hi,
> 
> Enclosed a notice for the MS05-16 Exploit.
> 
> For the record:
> I'm actually in favor of using STRICT interpretation of vulnerabilities - no
> matter how seldom one might actually occur.  Whether a violation of
> standards is due to an actual virus - or just a poor mass-mailer
> application, I gladly use the reason of "vulnerability" of a potential virus
> to reject these messages early.
> 
> As far as some features suggested here:
> 
> - I do agree that it might be helpful for some people not to scan for
> viruses, if a vulnerability is found (to conserve CPU).
> 
> - I do agree that there is little reason (other than statistics) to run the
> second scanner after the first scanner already found a virus.
> 
> - I do agree that it is desirable for some people, if there was an option
> that would delete vulnerabilities rather than "isolate" them in the Virus
> folder.
> 
> - I do NOT agree that Declude should NOT detect certain vulnerabilities, just
> because they only occur very rarely.
> 
> 
> Best Regards
> Andy Schmidt
> 
> Phone:  +1 201 934-3414 x20 (Business)
> Fax:    +1 201 934-9206
> 
> 
> > -----Original Message-----
> > From: Nick FitzGerald [mailto:[EMAIL PROTECTED]
> > Sent: Sunday, May 29, 2005 9:31 AM
> > To: Bugtraq@securityfocus.com
> > Subject: Spam exploiting MS05-016
> >
> 
> Yesterday at least two of my spam-traps received the following message
> (I've elided the MIME boundary values just in case...):
> 
>    Subject: We make a business offer to you
>    MIME-Version: 1.0
>    Content-type: multipart/mixed;
>            boundary="[...]"
> 
>    [...]
>    Content-Type: text/plain;
>            charset="Windows-1252"
>    Content-Transfer-Encoding: 8bit
> 
>    Hello!  It is not spam, so don't delete this message.
>    We have a business offer to you.
>    Read our offer.
>    You can increase the business in 1,5 times.
>    We hope you do not miss this information.
> 
> 
>    Best regards, Keith
> 
>    [...]
>    Content-type: application/octet-stream;
>            name="agreement.zip"
>    Content-Transfer-Encoding: base64
>    Content-Disposition: attachment;
>            filename="agreement.zip"
> 
>    <<encoded ZIP file data>>
> 
> There are a few trivial differences between the messages to the
> different addresses I checked, so don't anyone try to turn the above
> into a totally literal filtering rule...
> 
> Anyway, the "agreement.zip" attachment held only one file, apparently
> called "agreement.txt", but on closer inspection it turned out the file
> was called "agreement.txt " where the apparent trailing space was
> actually a 0xFF character.  This "pseudo-TXT" file was, in fact, an
> OLE2 format file (originally a Word document file) with the OLE2 Root
> Entry CLSID set to that of the Microsoft HTML Application Host (MSHTA).
> This was all done as per the description in the iDEFENSE advisory
> announcing this vulnerability:
> 
>    http://www.idefense.com/application/poi/display?id=231&type=vulns
> 
> This "pseudo-TXT" file is an example of what is produced by the PoC
> generator posted to Bugtraq.  Oddly, that message is not archived in
> SecurityFocus' own mailing list archives, but its PoC code is listed
> with the vulnerability's BID entry:
> 
>    http://www.securityfocus.com/bid/13132/info/
> 
> That PoC may be identified from the comment at the top of its code:
> 
>    MS05-016 POC
>    Made By ZwelL
>    [EMAIL PROTECTED]
>    2005.4.13
> 
> Anyway, the "agreement.txt " file contained a script to write a text
> file with commands and responses for use with the Windows ftp client
> via its "-s" option and further commands to run ftp with those scripted
> commands and then to run the executable that ftp script would cause to
> be downloaded from a Russian web site.  At the time of writing, that
> site is still up and the executable that is downloaded (a backdoor) is
> the same one that was there when the spam was first seen.
> 
> If you haven't installed the MS05-016 Windows Shell patch yet:
> 
>    http://www.microsoft.com/technet/security/bulletin/ms05-016.mspx
> 
> or at least taken reasonable precautions to defang possible
> exploitation of this vulnerability (particularly through MSHTA), it
> would be advisable to do so now.  When initially discovered, only two
> of more than 20 tested virus scanning engines detected the exploit in
> "agreement.txt ".  Since alerting the antivirus developer community of
> the field discovery of this exploit, a couple more "big name" scanners
> have added a degree of detection for this exploit, and I expect that
> number to grow as the new week dawns and new updates are pushed to
> customers.
> 
> 
> --
> Nick FitzGerald
> Computer Virus Consulting Ltd.
> Ph/FAX: +64 3 3267092
> 
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".    The archives can be found
> at http://www.mail-archive.com.

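A small triage script, added here as an illustration and not part of the thread or of Declude, for the attachment pattern Nick describes: a ZIP member named "agreement.txt" plus a hidden trailing byte whose content is really an OLE2 compound file with the MSHTA CLSID in its Root Entry. The MSHTA CLSID value and the sample archive the script builds are my own assumptions and constructions, not taken from the post.

```python
import io
import struct
import uuid
import zipfile
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# CLSID of the HTML Application host (MSHTA): an assumed value, the post does not quote it.
MSHTA_CLSID = uuid.UUID("3050f4d8-98b5-11cf-bb82-00aa00bdce0b")


def ole2_root_clsid(data):
    """Return the Root Entry CLSID of an OLE2 compound file, or None if not OLE2."""
    if len(data) < 512 or not data.startswith(OLE2_MAGIC):
        return None
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    first_dir_sector = struct.unpack_from("<I", data, 0x30)[0]
    root = (first_dir_sector + 1) * sector_size  # the 512-byte header is "sector -1"
    if root + 128 > len(data):
        return None
    return uuid.UUID(bytes_le=data[root + 0x50:root + 0x60])  # CLSID field of the entry


def assess_member(name, data):
    """List why a ZIP member matches the pattern Nick describes; empty means clean."""
    reasons = []
    ext = name.rpartition(".")[2]
    # cp437 ZIP names decode a raw 0xFF to U+00A0, which renders as a trailing space.
    if ext != ext.strip() or not ext.isascii():
        reasons.append("hidden trailing byte after extension %r" % ext)
    clsid = ole2_root_clsid(data)
    if clsid is not None and ext.strip().lower() not in ("doc", "xls", "ppt", "msi"):
        reasons.append("OLE2 content behind a non-Office file name")
    if clsid == MSHTA_CLSID:
        reasons.append("Root Entry CLSID is MSHTA (MS05-016 pattern)")
    return reasons


def scan_zip(zip_bytes):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: assess_member(i.filename, zf.read(i)) for i in zf.infolist()}


def sample_agreement_zip(clsid=MSHTA_CLSID):
    """Constructed look-alike: a 1 KiB OLE2 stub (header + one directory sector, not a real document)."""
    header = bytearray(512)
    header[0:8] = OLE2_MAGIC
    struct.pack_into("<H", header, 0x1E, 9)  # 512-byte sectors
    struct.pack_into("<I", header, 0x30, 0)  # directory chain starts at sector 0
    root = bytearray(512)
    root[0x50:0x60] = clsid.bytes_le
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agreement.txt\xa0", bytes(header + root))  # "agreement.txt" + hidden byte
    return buf.getvalue()
```

Run `scan_zip()` over the decoded attachment body; three findings on one member is the full MS05-016 pattern, while a lone OLE2-under-.txt finding still deserves a look.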