================================
Virus & Security Watch
from IDGNet NZ



Friday, 05 November 2004

================================

This issue's topics:

Introduction:
* Sun Web & App Server, MIME-tools, Archive::Zip patches; 
Sobig writer named?

Virus News:
* A trio of Bagles...
* Possible Sobig writer named; denies allegations

Security News:
* Patch fixes DoS in Sun Java System Web and Application servers
* MIME-tools module updated to fix boundary-handling flaws
* Archive::Zip updated to fix zero-size bypass
* Dozens arrested on identity theft charges


Introduction:

Generally a pretty quiet week, perhaps in preparation for another 
huge Windows patch-fest following November's 'patch Tuesday' 
next week?

Sun has released updates for its Java System Web Server and 
Java System Application Server products to address a denial of 
service vulnerability, and a couple of Perl modules commonly used 
in e-mail content scanning gateways have been updated to fix 
bugs in their handling of some unusual edge cases. We close 
the security section with news of the arrests of dozens on identity 
theft and related fraud charges following a US Secret Service 
investigation that ran for longer than a year...

On the virus front, three new Bagles erupted on the scene last week, 
with two of them being much more 'successful' than usual. The last 
week also saw the unusual step of an anonymous person or group 
posting a very detailed description of their reasons for suspecting 
an individual, named in the report, of writing a high-profile 
virus from last year: Sobig.


Virus News:

* A trio of Bagles...

Late last Friday, shortly after the previous issue of the newsletter 
was posted, a new Bagle variant was isolated. As Friday evening 
unfolded into the small hours of Saturday morning, it transpired 
that this variant - Bagle.AP, but also known as a bunch of other 
things (need we remind you of the huge mess there is in virus 
naming?) - was, in fact, the first of three released in quick succession...

Bagle.AP is possibly a 'test release', as it only searches a very limited 
location (the 'C:\Emails' directory) for further victim e-mail addresses. 
As this directory is not part of any default Windows installation, it is 
unlikely that many machines on which this variant ran would have 
sent out any further copies of the virus.

Bagle.AQ and Bagle.AR, however, have been very successful, becoming 
two of the most widely seen viruses during the last week. There is 
nothing particularly notable or different in their modus operandi, 
compared with earlier variants or other recent, but generally 
unsuccessful, mass-mailing viruses. Of course, normal e-mail safety 
procedures should have protected anyone from these viruses, so 
although huge numbers of samples are clearly being posted, it is 
unlikely that many folk have actually fallen victim to these viruses.

Computer Associates Virus Information Center
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=40588

Computer Associates Virus Information Center
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=40589

Computer Associates Virus Information Center
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=40602

F-Secure Security Information Center
http://www.f-secure.com/v-descs/bagle_at.shtml

F-Secure Security Information Center
http://www.f-secure.com/v-descs/bagle_au.shtml

Kaspersky Lab Virus Encyclopedia
http://www.viruslist.com/en/viruses/encyclopedia?virusid=64658

Kaspersky Lab Virus Encyclopedia
http://www.viruslist.com/en/viruses/encyclopedia?virusid=64659

Network Associates Virus Information Library
http://vil.nai.com/vil/content/v_129509.htm

Network Associates Virus Information Library
http://vil.nai.com/vil/content/v_129510.htm

Sophos Virus Info
http://www.sophos.com/virusinfo/analyses/w32bagleau.html

Sophos Virus Info
http://www.sophos.com/virusinfo/analyses/w32bagleav.html

Symantec Security Response
http://www.sarc.com/avcenter/venc/data/w32.beagle.au@mm.html

Symantec Security Response
http://www.sarc.com/avcenter/venc/data/w32.beagle.av@mm.html

Symantec Security Response
http://www.sarc.com/avcenter/venc/data/w32.beagle.aw@mm.html

Trend Micro Virus Information Center
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AT&VSect=T

Trend Micro Virus Information Center
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AU&VSect=T


* Possible Sobig writer named; denies allegations

An anonymous person or group has posted a .PDF file outlining their 
suspicions as to the identity of the writer of the Sobig virus. The 
Sobig family has six variants that were released sequentially from 
Sobig.A in late January 2003 through to Sobig.F in mid-August. It has 
been widely believed for some time that Sobig was likely to have 
been written by a spammer, or by someone providing a network of 
e-mail proxies and relays to a spammer, or to several spammers.

The anonymous report fingers Ruslan Ibragimov, owner of Russia-based 
Send-Safe. Ibragimov has strongly denied all claims that he or his 
company have been involved in Sobig's development and release. His 
anonymous accusers point to large amounts of identical binary code in 
versions of Send-Safe and Sobig. They also document that surprisingly 
many new versions of Send-Safe were released 'coincidentally' with new 
Sobig variants, and that techniques introduced in new versions of 
Send-Safe were matched by the same techniques appearing in new Sobig 
variants, and vice versa.

Who Wrote Sobig - geocities.com (~300 KB PDF)
http://www.geocities.com/author_travis/WhoWroteSobig.pdf

Russian Denies Authoring "SoBig" Worm - oreillynet.com
http://www.oreillynet.com/pub/a/network/2004/11/02/sobig.html


Security News:

* Patch fixes DoS in Sun Java System Web and Application servers

Sun has announced that malformed client certificates may be used to 
execute a remote denial of service attack against its Java System Web 
Server 6.0 and 6.1, and Sun Java System Application Server 7 products.

Various service packs and updates have been made available to correct 
this in the affected products, and full details and links to the appropriate 
downloads are available from Sun's security advisory, linked below.

DoS in Sun Java System Web and Application Server Products - sun.com
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57669-1


* MIME-tools module updated to fix boundary-handling flaws

MIME-tools is a Perl module for handling MIME-encoded messages. It is 
used by some popular content-scanning gateways and in many 'roll your 
own' e-mail content filters. MIME-tools 5.414 and earlier have a flaw in 
their handling of empty boundary strings, and some self-mailing viruses 
have been seen using such a boundary separator.

MIME-tools 5.415 has been released to address this, and a brief 
explanation of the update (and a diff to patch against 5.414) is included 
in a message to the MIME-tools mailing list, archived at roaringpenguin.com. 
Further, several Linux distributions that include MIME-tools have already 
released update packages.
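The following is an added illustration, not code from this newsletter or from the MIME-tools project, and written in Python rather than Perl: a front-end check that a content-scanning gateway could run before handing a message to its MIME parser. It pulls the boundary parameter out of Content-Type, validates it against the RFC 2046 grammar (1 to 70 permitted characters, not ending in a space), and counts how often a naive "--" + boundary delimiter occurs in the body, which for an empty boundary is every "--" in the message. The two messages are constructed samples; the rejection verdict is one policy choice, not MIME-tools' behaviour.

```python
import re
from email.parser import BytesHeaderParser

# RFC 2046 section 5.1.1: a boundary is 1 to 70 characters drawn from bcharsnospace
# (letters, digits, '()+_,-./:=?) plus space, and must not end with a space.
_BCHARS_NOSPACE = r"0-9A-Za-z'()+_,\-./:=?"
_BOUNDARY_RE = re.compile(r"^[%s ]{0,69}[%s]$" % (_BCHARS_NOSPACE, _BCHARS_NOSPACE))
_BOUNDARY_PARAM_RE = re.compile(r'boundary\s*=\s*(?:"([^"]*)"|([^;\s]*))', re.IGNORECASE)


def extract_boundary(content_type: str):
    """Return the boundary parameter's raw value ("" if present but empty) or None if absent."""
    m = _BOUNDARY_PARAM_RE.search(content_type)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def boundary_is_valid(boundary) -> bool:
    """True only for a boundary that satisfies the RFC 2046 grammar."""
    return boundary is not None and _BOUNDARY_RE.match(boundary) is not None


def scan_message(raw: bytes) -> dict:
    """Inspect a raw message's Content-Type before any MIME parsing and decide whether
    the declared boundary is safe to hand to a parser."""
    msg = BytesHeaderParser().parsebytes(raw)
    ctype_header = " ".join((msg.get("Content-Type") or "").split())  # unfold the header
    boundary = extract_boundary(ctype_header)
    body = raw.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in raw else b""
    if boundary is not None:
        # Number of places a parser that simply searches for "--" + boundary would treat
        # as a part delimiter; with an empty boundary that is every "--" in the body.
        hits = body.count(b"--" + boundary.encode("ascii", "replace"))
    else:
        hits = 0
    result = {
        "content_type": msg.get_content_type(),
        "boundary": boundary,
        "boundary_valid": boundary_is_valid(boundary),
        "delimiter_hits": hits,
    }
    if not result["content_type"].startswith("multipart/"):
        result["verdict"] = "not-multipart"
    elif result["boundary_valid"]:
        result["verdict"] = "accept"
    else:
        result["verdict"] = "reject-invalid-boundary"
    return result


# Constructed sample: a well-formed two-part message.
GOOD_MESSAGE = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: report\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="abc123"\r\n'
    b"\r\n"
    b"This is a multi-part message in MIME format.\r\n"
    b"--abc123\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Hello -- see attached.\r\n"
    b"--abc123\r\n"
    b'Content-Type: text/plain; name="notes.txt"\r\n'
    b"\r\n"
    b"some notes\r\n"
    b"--abc123--\r\n"
)

# Constructed sample: the same message declaring an empty boundary string.
BAD_MESSAGE = GOOD_MESSAGE.replace(b'boundary="abc123"', b'boundary=""').replace(b"abc123", b"")

if __name__ == "__main__":
    for label, raw in (("good", GOOD_MESSAGE), ("bad", BAD_MESSAGE)):
        print(label, scan_message(raw))
```

The check is deliberately independent of whichever MIME library sits behind it, so a gateway can quarantine a message with an empty or malformed boundary before the parser and the recipient's mail client get a chance to disagree about where the parts begin.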

MIME-tools home page - cpan.org
http://search.cpan.org/dist/MIME-tools/

Patch for MIME-tools - roaringpenguin.com
http://lists.roaringpenguin.com/pipermail/mimedefang/2004-October/024959.html


* Archive::Zip updated to fix zero-size bypass

Last week we reported that several commercial antivirus products could be 
made to skip the contents of a ZIP archive whose internal directory structures 
had been specially manipulated to record (some) contained files' lengths as 
zero bytes. This prompted checks of several other ZIP archive handling programs, 
including the Perl module Archive::Zip, which was found to have the same 
vulnerability.

As Archive::Zip is used in several popular (e.g. Amavisd) and custom e-mail 
content and virus scanners, this flaw could also lead to such systems 
bypassing scanning of specially malformed ZIP archives. Several popular 
distributions ship Amavisd and so have already produced update packages, 
and of course, an updated module is available from CPAN.
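A defensive check of the kind this bug calls for, as an added example in Python (not code from this newsletter or from the Archive::Zip project, which is Perl): it builds a small constructed archive, tampers with the central directory so that both size fields of every member read zero, and then shows that a scanner which trusts the central directory (as Python's zipfile infolist does) sees every member as empty, while a cross-check of the central directory against the local file headers and the bytes actually present between headers flags the inconsistency. File names and contents are constructed; the exact manipulation the original bypass used is not detailed on this page, so the tampering here stands for the general class.

```python
import io
import struct
import zipfile

# Fixed-size parts of the three ZIP structures involved (little-endian, per PKWARE APPNOTE).
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"          # 30 bytes: ..., crc, csize, usize, name_len, extra_len
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"  # 46 bytes: ..., csize, usize, name/extra/comment lens, ..., local offset
EOCD_FMT = "<4sHHHHIIH"              # 22 bytes: ..., total entries, cd size, cd offset, comment len
FLAG_DATA_DESCRIPTOR = 0x0008        # sizes trail the payload; local header sizes are legitimately 0

README = "constructed sample content, not a real attachment\n"


def audit_zip(data: bytes) -> list:
    """Cross-check each central-directory entry against its local header and against the
    bytes actually present between headers. Returns anomaly strings; [] means consistent."""
    anomalies = []
    eocd_pos = data.rfind(EOCD_SIG)
    if eocd_pos < 0 or eocd_pos + 22 > len(data):
        return ["no end-of-central-directory record"]
    eocd = struct.unpack(EOCD_FMT, data[eocd_pos:eocd_pos + 22])
    entries, cd_offset = eocd[4], eocd[6]

    # First pass: (name, csize, usize, flags, local offset) for every central entry.
    members, pos = [], cd_offset
    for idx in range(entries):
        if data[pos:pos + 4] != CENTRAL_SIG:
            anomalies.append(f"entry {idx}: bad central header signature at offset {pos}")
            return anomalies
        hdr = struct.unpack(CENTRAL_FMT, data[pos:pos + 46])
        name = data[pos + 46:pos + 46 + hdr[10]].decode("utf-8", "replace")
        members.append((name, hdr[8], hdr[9], hdr[3], hdr[16]))
        pos += 46 + hdr[10] + hdr[11] + hdr[12]

    # A member's payload runs from the end of its local header to the next local header
    # (or to the central directory), so its real extent is known without trusting any size field.
    boundaries = sorted(m[4] for m in members) + [cd_offset]
    for name, cd_csize, cd_usize, flags, off in members:
        if data[off:off + 4] != LOCAL_SIG:
            anomalies.append(f"{name}: no local header at offset {off}")
            continue
        loc = struct.unpack(LOCAL_FMT, data[off:off + 30])
        payload_start = off + 30 + loc[9] + loc[10]
        span = min(b for b in boundaries if b > off) - payload_start
        if flags & FLAG_DATA_DESCRIPTOR:
            allowed_slack = range(12, 25)  # 12/16-byte descriptor, 20/24 with zip64 sizes
        else:
            allowed_slack = range(0, 1)
            if (loc[7], loc[8]) != (cd_csize, cd_usize):
                anomalies.append(f"{name}: local header sizes {loc[7]}/{loc[8]} disagree "
                                 f"with central directory {cd_csize}/{cd_usize}")
        if span - cd_csize not in allowed_slack:
            anomalies.append(f"{name}: central directory claims {cd_csize} compressed "
                             f"bytes but {span} bytes are present")
    return anomalies


def naive_member_sizes(data: bytes) -> dict:
    """What a scanner that trusts the central directory believes each member's size to be."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: info.file_size for info in zf.infolist()}


def build_sample_zip() -> bytes:
    """Constructed two-member archive, stored (uncompressed) so the byte counts are obvious."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", README)
        zf.writestr("data.bin", b"\x00" * 64)
    return buf.getvalue()


def zero_central_sizes(data: bytes) -> bytes:
    """Constructed test input: rewrite every central-directory entry to claim 0 compressed
    and 0 uncompressed bytes, leaving local headers and payloads untouched."""
    buf = bytearray(data)
    eocd = struct.unpack(EOCD_FMT, data[data.rfind(EOCD_SIG):][:22])
    pos = eocd[6]
    for _ in range(eocd[4]):
        hdr = struct.unpack(CENTRAL_FMT, data[pos:pos + 46])
        struct.pack_into("<II", buf, pos + 20, 0, 0)  # csize and usize fields
        pos += 46 + hdr[10] + hdr[11] + hdr[12]
    return bytes(buf)


if __name__ == "__main__":
    clean = build_sample_zip()
    tampered = zero_central_sizes(clean)
    print("clean archive anomalies:", audit_zip(clean))
    print("sizes a trusting scanner sees after tampering:", naive_member_sizes(tampered))
    for line in audit_zip(tampered):
        print("ANOMALY:", line)
```

A gateway that treats any anomaly as grounds to quarantine the message, rather than to skip the member, closes the gap regardless of which archive library it uses underneath.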

Archive::Zip home page - cpan.org
http://search.cpan.org/dist/Archive-Zip/


* Dozens arrested on identity theft charges

The US Secret Service has arrested dozens on identity theft and related 
charges following an investigation of several underground groups 
accused of running web sites trading in counterfeit and stolen credit card 
details. This stolen identity information and the tools to commit fraud 
using such data were traded through various web sites and involved 
individuals not just from the United States, but also Bulgaria, Belarus, 
Poland and other European countries.

Secret Service busts online organized crime ring - computerworld.com
http://www.computerworld.com/securitytopics/security/story/0,10801,97017,00.html





(C) IDG Communications 2004

================================
ARCHIVED NEWSLETTERS
================================

Archive of Virus & Security Watch newsletters:
http://www.idg.co.nz/cw.nsf/WebArchiveByColumn?OpenView&Category=Virus


