CastleCops, Internet Crime Fighters
ISC - "Infocon: Yellow" - MS05-039 - 9 exploits

 
AplusWebMaster
General
Joined: Mar 14, 2004
Posts: 4637
Location: USA

Posted: Sun Aug 14, 2005 12:10 am    Post subject: ISC - "Infocon: Yellow" - MS05-039 - 9 exploits

FYI...

- http://isc.sans.org/diary.php?date=2005-08-12
Updated August 13th 2005 01:51 UTC
Infocon Yellow; Windows and Backup Exec exploits are out, where are the exploits...
Infocon: Yellow
Due to a number of very well working Windows exploits for this week's patch set, and the zero-day Veritas exploit, we decided to turn the infocon to yellow.
>>> Advice: Use the weekend to patch ALL WINDOWS SYSTEMS. It may be worthwhile to consider accelerated deployment of the patches even to critical systems if the weekend is slow anyway. Backup Exec should be firewalled or disabled at this point.
Note: Consider unprotected internet facing machines infected at this point if they do not have this weeks patches applied. Patch and handle them with extra care.

Windows and Backup Exec exploits are out
In case you're waiting to see whether it's worth updating either Windows or Veritas' Backup Exec, now's the time to do so. Live exploits are out for both.
Specifically, MS05-039 appears to have 3 live exploits out for it already, and Backup Exec has at least one exploit out.
We've said it already, but it's worth repeating - get those patches in soon...

Which exploits are really out?
We've gotten a number of questions from readers about the exploits we've mentioned over the past few days in the diary. Some of them are publicly known and easily Google-able. Others are ones that we've found out about from trusted sources that have asked us to not share the exploit itself.
Because our goal is to provide timely alerts to the security community, we generally don't provide the exploit code itself. If it truly is publicly visible, you'll find it in a few minutes without our help. And if the exploit is still generally private, we don't want to be the conduit that accelerates attacks - people with lots of hat colors read this diary. *smile*
Thanks for understanding..."



_________________
AplusWebMaster
~ Are you up to date or vulnerable to Hackers? ...or both?
.


Last edited by AplusWebMaster on Wed Aug 17, 2005 12:14 pm, edited 1 time in total
Prince_Serendip
Site Moderator
Joined: Sep 07, 2002
Posts: 17403

Posted: Sun Aug 14, 2005 6:33 am

Where you can get the patches: http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

Sometimes older is better.

Quote:
Non-Affected Software:

Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)


_________________
Microsoft MVP Consumer Security 2006, 2007 & 2008
AplusWebMaster
Posted: Sun Aug 14, 2005 4:05 pm

FYI...

MS05-039 Worm in the wild
- http://isc.sans.org/diary.php?date=2005-08-14
Updated August 14th 2005 15:23 UTC
"Starting around 11:30 UTC, we've received several reports on a new worm variant that makes use of MS05-039 to spread. If you're not patched yet, this is your last call.

F-Secure named the critter "Zotob.A", http://www.f-secure.com/weblog/
We've also received a submission of a binary called "pnpsrv.exe", which is recognized by ClamAV as Trojan.Spybot-123. Another reader has contributed evidence that a successful exploit by Zotob.A (or variant)
The worm will download the main payload from the infecting machine. Once a machine is infected, it will become an ftp server itself. It will scan for open port 445/tcp. Once it finds a system with port 445 listening, it will try to use the PnP exploit to download and execute the main payload via ftp.
Important facts so far:
- Patch MS05-039 will protect you
- Windows XP SP2 and Windows 2003 cannot be exploited by this worm, as the worm does not use a valid logon.
- Blocking port 445 will protect you (but watch for internal infected systems)
- The FTP server does not run on port 21. It appears to pick a random high port..."



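The propagation pattern the ISC diary describes (scan for 445/tcp, exploit, then the victim fetches the payload back from the infecting host's FTP server on a random high port) is something a responder can hunt for in connection logs. The following is an added example, not code from the post or from ISC: it runs over a constructed, whitespace-separated log (an assumed format with the fields timestamp, src, dst, dport, proto, not any vendor's) and flags sources that open 445/tcp to many distinct hosts, then flags any scanned host that connects back to that source on a high port shortly afterwards, which is the shape of the payload download.

```python
"""Hunt for Zotob-style propagation in a connection log (added example).

Assumed log format (constructed, not a vendor format):
    <ISO timestamp> <src> <dst> <dport> <proto>
Two behaviours from the ISC description are flagged:
  1. one source opening 445/tcp to many distinct destinations (the scanner);
  2. a scanned host connecting back to the scanner on a high port within a
     short window (the payload fetch from the worm's ad hoc FTP server).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 scans, 10.0.0.7 gets exploited and fetches the
# payload back on a random high port; 10.0.0.20/21 is ordinary SMB traffic.
SAMPLE_LOG = """\
2005-08-14T11:30:01 10.0.0.5 10.0.0.6 445 tcp
2005-08-14T11:30:01 10.0.0.5 10.0.0.7 445 tcp
2005-08-14T11:30:02 10.0.0.5 10.0.0.8 445 tcp
2005-08-14T11:30:02 10.0.0.5 10.0.0.9 445 tcp
2005-08-14T11:30:03 10.0.0.5 10.0.0.10 445 tcp
2005-08-14T11:30:03 10.0.0.5 10.0.0.11 445 tcp
2005-08-14T11:30:04 10.0.0.5 10.0.0.12 445 tcp
2005-08-14T11:30:04 10.0.0.5 10.0.0.13 445 tcp
2005-08-14T11:30:05 10.0.0.5 10.0.0.14 445 tcp
2005-08-14T11:30:05 10.0.0.5 10.0.0.15 445 tcp
2005-08-14T11:30:09 10.0.0.7 10.0.0.5 33123 tcp
2005-08-14T11:31:00 10.0.0.20 10.0.0.21 445 tcp
2005-08-14T11:31:05 10.0.0.21 10.0.0.20 139 tcp
"""

SCAN_THRESHOLD = 8                      # distinct 445/tcp targets from one source
CALLBACK_WINDOW = timedelta(seconds=60) # how soon after the hit the fetch must follow
HIGH_PORT = 1024                        # the worm's FTP server is not on 21


def parse_log(text):
    """Parse the assumed format into (timestamp, src, dst, dport, proto) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return records


def find_scanners(records, threshold=SCAN_THRESHOLD):
    """Map each source that hit >= threshold distinct hosts on 445/tcp to its target count."""
    targets = defaultdict(set)
    for _, src, dst, dport, proto in records:
        if proto == "tcp" and dport == 445:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


def find_payload_fetches(records, scanners, window=CALLBACK_WINDOW):
    """(victim, scanner, port) for victims that call a scanner back on a high port."""
    first_hit = {}  # (scanner, victim) -> time of the scanner's first 445 connection
    for ts, src, dst, dport, proto in records:
        if src in scanners and dport == 445 and proto == "tcp":
            first_hit.setdefault((src, dst), ts)
    fetches = []
    for ts, src, dst, dport, proto in records:
        key = (dst, src)  # reversed: the victim is now the client
        if key in first_hit and dport >= HIGH_PORT and proto == "tcp":
            if timedelta(0) <= ts - first_hit[key] <= window:
                fetches.append((src, dst, dport))
    return fetches


def analyze(text):
    """Scanners plus hosts that look freshly infected (they fetched the payload)."""
    records = parse_log(text)
    scanners = find_scanners(records)
    return {"scanners": scanners,
            "likely_infected": find_payload_fetches(records, scanners)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The threshold and window are tuning knobs: on a network where a legitimate host (a backup server, a vulnerability scanner) talks SMB to many machines, whitelist it rather than raising the threshold, and remember that the diary's point about blocking 445 at the perimeter means this log has to come from inside the perimeter to see the infected laptops.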
AplusWebMaster
Posted: Mon Aug 15, 2005 12:39 pm

Although the recently released MS Advisory ( http://www.microsoft.com/technet/security/advisory/899588.mspx - Published: August 11, 2005 | Updated: August 14, 2005) claims "...This issue does not affect Windows 98, Windows 98 SE, or Windows Millennium Edition...", there appears to be some disagreement:

- http://today.reuters.com/news/newsArticle.aspx?type=internetNews&storyID=2005-08-15T104029Z_01_DIT538409_RTRIDST_0_NET-SINGAPORE-VIRUS-DC.XML
Aug 15, 2005
"SINGAPORE (Reuters) - A new Internet virus has been detected that can infect Microsoft's Windows platforms faster than previous computer worms, said an anti-virus computer software maker. The ZOTOB virus appeared shortly after the world's largest software maker warned of three newly found "critical" security flaws in its software, including one that could allow attackers to take complete control of a computer.
The latest worm exploits security holes in Microsoft's Windows 95, 98, ME, NE, 2000 and XP platforms and can give computer attackers remote access to affected systems, said Trend Micro Inc...
The latest virus drops a copy of itself into the Windows system folder as BOTZOR.EXE and modifies the system's host file in the infected user's computer to prevent the user getting online assistance from antivirus web sites, Trend Micro added..."

- http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZOTOB.A

- http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZOTOB.B



AplusWebMaster
Posted: Mon Aug 15, 2005 9:29 pm

FYI...

- http://isc.sans.org/diary.php?date=2005-08-15
Updated August 15th 2005 20:51 UTC
"...There appears to be some confusion with AV vendors as to the vulnerability of Windows 95/98/ME/NT4 systems. Symantec claims that while these legacy operating systems cannot be infected (likely due to the fact that they aren't vulnerable to the PnP bug), they can be used as propogation vectors if the Zotob code is executed on the system. Trend Micro briefly mentions that Zotob runs on all of these Windows platforms, but does not provide additional information..."

- http://www.sarc.com/avcenter/venc/data/w32.zotob.a.html
"...W32.Zotob.A can run on, but not infect, computers running Windows 95/98/Me/NT4. Although computers running these operating systems cannot be infected, they can still be used to infect vulnerable computers that they can connect to..."
- http://www.sarc.com/avcenter/venc/data/w32.zotob.b.html
"...W32.Zotob.B can run on, but not infect, computers running Windows 95/98/Me/NT4. Although computers running these operating systems cannot be infected, they can still be used to infect vulnerable computers that they can connect to..."

...but M$ says:
- http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
"...Frequently asked questions (FAQ) related to this security update:
...It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities..."



AplusWebMaster
Posted: Tue Aug 16, 2005 2:21 am

FYI...

Back to InfoCon Green
- http://isc.sans.org/diary.php?date=2005-08-15
"As of Tuesday, 1:45 AM GMT (Monday 20:45 EDT), we moved back to infocon green.
We moved to 'Yellow' on Friday, after we did see a number of exploits released for last week's Microsoft Windows vulnerabilities, in particular MS05-039 (PnP) which is exploitable remotely.
As expected, we did see various bots, in particular 'Zotob' take advantage of this vulnerability. At this point, the situation is however static. New bot variations keep getting developed, but they do not add any fundamental new variation of the exploit. We expect that most exploitable systems have been compromised at this point.
The last week showed once more that there is no more patch window. Defense in depth is your only chance to survive the early release of malware. In this particular case, three distinct best practices can mitigate the vulnerability:
- close port 445 at least at the perimeter.
- patch systems quickly.
- eliminate NULL sessions.

None of these measures is perfect, and some may not be applicable to your network (e.g. you may require NULL sessions in some circumstances).
Another development brought to conclusion in this event is the lesser importance of 'worms' with respect to more sophisticated 'bots'. We received a number of bots using the PnP vulnerability. Antivirus scanners did not identify most of them. In many cases, the same bot was packed differently or some functions were added to evade detection.
Malware can only develop as fast as it is developing in this case because of extensive code sharing in the underground. The only way we can keep up with this development is by sharing information just as efficiently. Being able to do so openly will make it only easier to do this sharing. Please join our effort, and share future observations with us. We will continue to turn them over quickly and make them available via our diaries for everybody to read and to learn from..."


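The three mitigations ISC lists above (close 445 at the perimeter, patch quickly, eliminate NULL sessions) interact with the platform facts quoted earlier in this thread: XP SP2 and 2003 are not reachable by a worm with no valid logon, 95/98/ME/NT4 are not vulnerable but can carry the worm, and a patch that has not been followed by a reboot does not count. The following is an added example, not from ISC or the posts, that turns those rules into a triage function over a constructed host inventory. Every field name in the host records is an assumption, KB899588 is the hotfix number the Microsoft advisory URL above refers to, and the reading of "eliminate NULL sessions" as the Windows 2000 RestrictAnonymous=2 setting in the Lsa registry key is the author's assumption, not something the diary states.

```python
"""Triage Windows hosts against the MS05-039 mitigations (added example).

Host records are constructed dicts; field names are assumptions. Rules:
  - MS05-039 (hotfix KB899588) only counts once the host has rebooted;
  - 445/tcp reachable from untrusted networks leaves the unauthenticated
    remote vector open; blocking it at the perimeter still leaves inside hosts;
  - RestrictAnonymous=2 (Windows 2000, Lsa key) refuses NULL sessions; it is
    assumed here to be what "eliminate NULL sessions" means;
  - Windows XP SP2 / Server 2003 cannot be hit by a worm with no valid logon;
  - Windows 95/98/ME/NT4 are not vulnerable but can carry the worm.
"""

MS05_039_KB = "KB899588"
NOT_AFFECTED = {"Windows 95", "Windows 98", "Windows ME", "Windows NT 4.0"}
LOGON_REQUIRED = {"Windows XP SP2", "Windows Server 2003"}


def classify(host):
    """Return one verdict token for a host record, most decisive condition first."""
    if host["os"] in NOT_AFFECTED:
        return "NOT_AFFECTED"            # can still carry the worm if Zotob is run on it
    patched = MS05_039_KB in host.get("hotfixes", ())
    if patched and host.get("rebooted_since_patch", False):
        return "PATCHED"
    if host["os"] in LOGON_REQUIRED:
        return "NEEDS_LOGON"             # unpatched, but the worm's anonymous path fails
    if patched:
        return "PENDING_REBOOT"          # old code still running; exploitable until reboot
    if not host.get("port_445_reachable_from_untrusted", True):
        return "PERIMETER_BLOCKED"       # still exploitable from inside (infected laptops)
    if host.get("restrict_anonymous", 0) == 2:
        return "NULL_SESSIONS_REFUSED"   # reduced exposure, not a substitute for the patch
    return "EXPLOITABLE"


# Verdicts that still need an action, in the order a responder would work them.
ACTION_ORDER = ["EXPLOITABLE", "PENDING_REBOOT", "NULL_SESSIONS_REFUSED",
                "PERIMETER_BLOCKED", "NEEDS_LOGON"]


def worklist(hosts):
    """Host names needing action, most exposed first; PATCHED/NOT_AFFECTED omitted."""
    verdicts = {h["name"]: classify(h) for h in hosts}
    rank = {v: i for i, v in enumerate(ACTION_ORDER)}
    return sorted((n for n, v in verdicts.items() if v in rank),
                  key=lambda n: (rank[verdicts[n]], n))


# Constructed inventory (not real hosts).
INVENTORY = [
    {"name": "w2k-file01", "os": "Windows 2000", "hotfixes": [],
     "port_445_reachable_from_untrusted": True, "restrict_anonymous": 0},
    {"name": "w2k-app02", "os": "Windows 2000", "hotfixes": ["KB899588"],
     "rebooted_since_patch": False},
    {"name": "w2k-db03", "os": "Windows 2000", "hotfixes": ["KB899588"],
     "rebooted_since_patch": True},
    {"name": "w2k-dc04", "os": "Windows 2000", "hotfixes": [],
     "port_445_reachable_from_untrusted": False},
    {"name": "xp-lt05", "os": "Windows XP SP2", "hotfixes": []},
    {"name": "w98-kiosk", "os": "Windows 98", "hotfixes": []},
]

if __name__ == "__main__":
    for h in INVENTORY:
        print(f"{h['name']:12} {h['os']:20} {classify(h)}")
    print("work on:", worklist(INVENTORY))
```

The ordering is the point: a host with the patch installed but no reboot sits next to the unpatched ones, because the diary's "no more patch window" observation applies to it just the same, while a perimeter block or a RestrictAnonymous setting only lowers the host in the queue rather than removing it.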
AplusWebMaster
Posted: Tue Aug 16, 2005 2:55 am

FYI...

W32.Zotob Removal Tool - (MS05-039 exploits)
- http://www.sarc.com/avcenter/venc/data/w32.zotob.removal.tool.html





AplusWebMaster
Posted: Wed Aug 17, 2005 1:43 am

More (up to "Zotob.E" now, with other differently named variants/mutants), this one rated Category 3 by Symantec:

- http://www.sarc.com/avcenter/venc/data/w32.zotob.e.html
Discovered on: August 16, 2005
Last Updated on: August 16, 2005 06:07:48 PM
"W32.Zotob.E is a worm that opens a back door and exploits the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039) on TCP port 445.
W32.Zotob.E can run on, but not infect, computers running Windows 95/98/Me/NT4/XP. Although computers running these operating systems cannot be infected, they can still be used to infect vulnerable computers that they can connect to..."

- http://isc.sans.org/diary.php?date=2005-08-16
Updated August 17th 2005 01:12 UTC
"...Another PnP Worm: W32.Zotob.E
CNN is reporting a worm outbreak which is affecting their network, ABCNews, NYTimes, as well as Capitol Hill. All statements so far make this look like a Zotob variant...
Symantec just released info on the W32.Zotob.E worm...
Trend Micro also released information under WORM_RBOT.CBQ..."



AplusWebMaster
Posted: Wed Aug 17, 2005 10:58 am

FYI...

The global PnP problems
- http://www.f-secure.com/weblog/
Wednesday, August 17, 2005
"There's now nine different worms or bots using the week-old Plug-and-Play vulnerability. Most of the recent problems are caused by a worm we call Zotob.D and a two bots we call Ircbot.es and Ircbot.et.
The main scenario remains the same: these things will only infect you via the MS05-039 vulnerability if you're running Windows 2000 with port 445/TCP open - and you haven't installed last weeks patches. Or you have installed the patches but haven't rebooted.
The big organizations that are getting hit right now have most likely introduced the infection to the internal network via infected laptops..."



AplusWebMaster
Posted: Wed Aug 17, 2005 12:31 pm

FYI...

- http://www.cnn.com/2005/TECH/internet/08/16/computer.worm/index.html
Wednesday, August 17, 2005; Posted: 4:26 a.m. EDT (08:26 GMT)
"...The director of Microsoft's security response center, Debbie Fry Wilson, said the computer giant was in an "emergency response" mode. "Right now, we're mobilizing our two war rooms," she told CNN.
"The key thing I want to stress for customers is making sure that they install security updates as quickly as possible," Wilson said.
Although she said that the number of affected computers is unclear, most Windows 2000 customers are business users. And automatic security updates would have protected most home users, she said. Wilson added that "at least 200 million computer users worldwide" have downloaded the patch..."


