|
Declude Virus will *not* detect abuse of MS05-16 with the Declude CLSID
vulnerability detector.
They
are entirely different animals, which happen to have CLSID at their
heart.
The
only way to attack MS05-16 abuse with Declude Virus is with a) keep your virus
scanner up to date, and/or b) to watch for virus news and ban extensions that
are deliberately crafted as bogus, e.g. .d0c or .doc_ instead of
.doc
The
only way to attack MS05-16 abuse with Declude JunkMail is to dream up ways to
tell apart MIME filename lines that are valid from the ones that are
bogus. Given that Macintoshes will send files to PC users without a file
extenstion, and given the lack of regular expressions and fine control over
substring matching, I think this is a fool's errand. Leave it up to your
antivirus scanner.
Ok,
John, get back to fixing that mirrored drive set.
Andrew
8)
This is the one that Andy pointed out:
Microsoft Windows Shell Remote Code Execution
Vulnerability
http://www.securityfocus.com/bid/13132/discussion/
Microsoft
Windows is prone to a vulnerability that may allow remote attackers to
execute code through the Windows Shell. The cause of the vulnerability is
related to how the operating system handles unregistered file types. The
specific issue is that files with an unknown extension may be opened with
the application specified in the embedded CLSID.
The victim of the
attack would be required to open a malicious file, possibly hosted on a Web
site or sent through email. Social engineering would generally be required
to entice the victim into opening the file.
I can't say
whether or not it is a broad enough threat to be exploited in a mass-mailing
virus. Declude defaults to BANCSLID ON which may or may not protect from
such an attack. Some CSLID calls are entire valid and normal for
Outlook/Office generated E-mails, and I'm not totally sure what Declude
considers to be good to ban with this switch. Andrew previously
indicated that he had never seen it triggered.
Anyway, these things pop
up about once a month and most are never exploited in E-mail viruses, so there
is probably no reason to not treat all of them the same. I see no reason
why virus scanners wouldn't detect the infected attachments once they were
updated with definitions for known
threats.
Matt
John Tolmachoff (Lists) wrote:
Since I am pressed for time and am presently unable to completely digest
what the vulnerability is and how to stop it, how can we configure our
Declude installs to protect/find/stop these messages?
John T
eServices For You
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Andy Schmidt
Sent: Tuesday, May 31, 2005 11:30 AM
To: [email protected]
Subject: [Declude.Virus] MS05-16 Exploit
Hi,
Enclosed a notice for the MS05-16 Exploit.
For the record:
I'm actually in favor of using STRICT interpretation of vulnerabilities -
no
matter how seldom one might actually occur. Whether a violation of
standards is due to an actual virus - or just a poor mass-mailer
application, I gladly use the reason of "vulnerability" of a potential
virus
to reject these messages early.
As far as some features suggested here:
- I do agree that it might be helpful for some people not to scan for
viruses, if a vulnerability is found (to conserve CPU).
- I do agree that there is little reason (other than statistics) to run
the
second scanner after the first scanner already found a virus.
- I do agree that it is desirable for some people, if there was an option
that would delete vulnerabilities rather than "isolate" them in the Virus
folder.
- I do NOT agree that Declude should NOT detect certain vulerabilities,
just
because they only occur very rarely.
Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
-----Original Message-----
From: Nick FitzGerald [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 29, 2005 9:31 AM
To: [email protected]
Subject: Spam exploiting MS05-016
Yesterday at least two of my spam-traps received the following message
(I've elided the MIME boundary values just in case...):
Subject: We make a business offer to you
MIME-Version: 1.0
Content-type: multipart/mixed;
boundary="[...]"
[...]
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 8bit
Hello! It is not spam, so don't delete this message.
We have a business offer to you.
Read our offer.
You can increase the business in 1,5 times.
We hope you do not miss this information.
Best regards, Keith
[...]
Content-type: application/octet-stream;
name="agreement.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="agreement.zip"
<<encoded ZIP file data>>
There are a few trivial differences between the messages to the
different addresses I checked, so don't anyone try to turn the above
into a totally literal filtering rule...
Anyway, the "agreement.zip" attachment held only one file, apparently
called "agreement.txt", but on closer inspection it turned out the file
was called "agreement.txt " where the apparent trailing space was
actually a 0xFF character. This "pseudo-TXT" file was, in fact, an
OLE2 format file (originally a Word document file) with the OLE2 Root
Entry CLSID set to that of the Microsoft HTML Application Host (MSHTA).
This was all done as per the description in the iDEFENSE advisory
announcing this vulnerability:
http://www.idefense.com/application/poi/display?id=231&type=vulns
This "pseudo-TXT" file is an example of what is produced by the PoC
generator posted to Bugtraq. Oddly, that message is not archived in
SecurityFocus' own mailing list archives, but its PoC code is listed
with the vulnerability's BID entry:
http://www.securityfocus.com/bid/13132/info/
That PoC may be identified from the comment at the top of its code:
MS05-016 POC
Made By ZwelL
[EMAIL PROTECTED]
2005.4.13
Anyway, the "agreement.txt " file contained a script to write a text
file with commands and responses for use with the Windows ftp client
via its "-s" option and further commands to run ftp with those scripted
commands and then to run the executable that ftp script would cause to
be downloaded from a Russian web site. At the time of writing, that
site is still up and the executable that is downloaded (a backdoor) is
the same one that was there when the spam was first seen.
If you haven't installed the MS05-016 Windows Shell patch yet:
http://www.microsoft.com/technet/security/bulletin/ms05-016.mspx
or at least taken reasonable precautions to defang possible
exploitation of this vulnerability (particularly through MSHTA), it
would be advisable to do so now. When initially discovered, only two
of more than 20 tested virus scanning engines detected the exploit in
"agreement.txt ". Since alerting the antivirus developer community of
the field discovery of this exploit, a couple more "big name" scanners
have added a degree of detection for this exploit, and I expect that
number to grow as the new week dawns and new updates are pushed to
customers.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
|
