How to troubleshoot a suspected Malware infection

Please follow the steps below if you suspect you are infected with a threat that your Symantec product is not detecting:

–    Ensure you have the latest virus definitions by running LiveUpdate.
–    Run a full system scan, removing any malicious files which are detected.

If, after following the above steps, no threat is found, check for any recently created or suspicious files in the following locations:

–  C:\Documents and Settings\All Users\Start Menu\Programs\Startup
–  C:\Documents and Settings\[user name]\Start Menu\Programs\Startup
–  C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
–  C:\Documents and Settings\Default User\Start Menu\Programs\Startup
–  C:\WinNT\Profiles\All Users\Start Menu\Programs\Startup
–  C:\WinNT\Profiles\[user name]\Start Menu\Programs\Startup
–  C:\WinNT\Profiles\Administrator\Start Menu\Programs\Startup
–  C:\WinNT\Profiles\Default User\Start Menu\Programs\Startup
–  C:\Windows\Start Menu\Programs\Startup
–  C:\Windows\All Users\Start Menu\Programs\Startup

Check the common loading points for any suspicious files using the msconfig utility:

For Windows 98/Me
–  Click Start, and click Run. The Run window appears.
–  In the Open box, type msconfig and click OK. The System Configuration Utility appears.
–  Click the Startup tab.
–  Scroll through the list of files.
–  If you see a suspicious file, then note the name.
–  Click the Win.ini tab and then clear the checkbox in front of [windows]. Look for any entries in the Load= or Run= lines. Note any files that you see.
–  Click the System.ini tab and then clear the checkbox in front of [boot]. You should see an entry Shell=Explorer.exe. Check to see if there is another file name to the right of Explorer.exe. If there is, then note the file name.
–  Click Cancel to close the System Configuration Utility.

For Windows XP
–  Click Start, and click Run. The Run window appears.
–  In the Open box, type msconfig and then click OK. The System Configuration Utility appears.
–  Click the General tab.
–  Click Selective Startup.
–  Click the Startup tab.
–  Scroll through the list of files.
–  If you see a suspicious file, then note the name.
–  When you are finished, click Cancel to close the System Configuration Utility.

Check registry load points:

–  Click Start, and click Run. The Run window appears.
–  In the Open box, type regedit and then click OK. The Registry Editor appears.
–  Browse to the following registry keys and note any suspicious file names in the right-hand pane.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSConfig\startupfolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSConfig\startupreg

Check for any suspicious processes running in task manager:

–  Press Ctrl+Shift+Esc to open the Task Manager.
–  Click the Processes tab.
–  Click “Image Name” twice to sort the processes.
–  Look through the list for possible threats and take a note of the file name.
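The script below is an added example, not part of the Symantec guidance above. It automates the checks just described: on a Windows host it reads the Startup folders and the registry Run-key load points listed above (through the standard-library winreg module) and applies a few practitioner heuristics to each entry, such as a binary running from Temp or Application Data, a system-process name outside the Windows directory, or a double extension. The heuristics produce leads for the submission step, not verdicts. The sample entries at the bottom are constructed so the scoring can be exercised on any platform.

```python
"""Autorun triage helper (added example; not Symantec's tooling)."""
import os
import sys

# (hive, subkey) pairs taken from the registry list above.
RUN_KEYS = [
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\RunOnceEx"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows NT\CurrentVersion\Windows"),   # AppInit_DLLs value
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"),  # Shell / Userinit values
]
# Startup folders, relative to environment variables present on XP and later.
STARTUP_FOLDERS = [
    ("USERPROFILE", r"Start Menu\Programs\Startup"),
    ("ALLUSERSPROFILE", r"Start Menu\Programs\Startup"),
    ("APPDATA", r"Microsoft\Windows\Start Menu\Programs\Startup"),
    ("PROGRAMDATA", r"Microsoft\Windows\Start Menu\Programs\StartUp"),
]
# User-writable locations that legitimate autoruns rarely execute from.
SUSPECT_DIRS = ("\\temp\\", "\\tmp\\", "\\appdata\\", "\\application data\\",
                "\\local settings\\", "\\recycler\\", "\\users\\public\\",
                "%temp%", "%tmp%", "%appdata%")
# Core system binaries whose names malware borrows; genuine copies live under the Windows directory.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "smss.exe", "explorer.exe"}
SYSTEM_DIRS = ("\\windows\\system32", "\\winnt\\system32", "\\windows", "\\winnt")
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".pif")


def extract_exe(command):
    """Return the program path from an autorun value such as '"C:\\x\\a.exe" /s' or 'C:\\x y\\a.exe -q'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted paths with spaces: accumulate tokens until one ends in an executable extension.
    tokens = command.split()
    path = ""
    for token in tokens:
        path = token if not path else path + " " + token
        if path.lower().endswith(EXECUTABLE_EXTS):
            return path
    return tokens[0] if tokens else ""


def assess(command):
    """Return the reasons an autorun command looks suspicious; an empty list means nothing was flagged."""
    reasons = []
    exe = extract_exe(command).lower().replace("/", "\\")
    directory, _, base = exe.rpartition("\\")
    if any(marker in exe for marker in SUSPECT_DIRS):
        reasons.append("runs from a user-writable temp/profile directory")
    if base in SYSTEM_NAMES and not directory.endswith(SYSTEM_DIRS):
        reasons.append("system binary name outside the Windows directory (possible impersonation)")
    parts = base.split(".")
    if len(parts) >= 3 and parts[-2] in ("jpg", "gif", "pdf", "doc", "txt", "mp3"):
        reasons.append("double extension disguised as a document or image")
    if not directory and base.endswith(EXECUTABLE_EXTS):
        reasons.append("no directory given; resolved through the search path")
    return reasons


def triage(entries):
    """Return only the flagged (location, command) pairs, each with its list of reasons."""
    flagged = []
    for location, command in entries:
        reasons = assess(command)
        if reasons:
            flagged.append((location, command, reasons))
    return flagged


def collect_windows():
    """Gather (location, command) pairs from the live registry and Startup folders. Windows only."""
    import winreg  # standard library, available only on Windows
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    found = []
    for hive, subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:        # no more values under this key
                        break
                    found.append((hive + "\\" + subkey + "\\" + name, str(data)))
                    index += 1
        except OSError:                    # key absent on this Windows version
            continue
    for var, rel in STARTUP_FOLDERS:
        folder = os.path.join(os.environ.get(var, ""), rel)
        if os.environ.get(var) and os.path.isdir(folder):
            for entry in os.listdir(folder):
                if entry.lower() != "desktop.ini":
                    found.append((folder, os.path.join(folder, entry)))
    return found


# Constructed sample entries (not taken from any real system) so the scoring runs anywhere.
SAMPLE_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     r"C:\Documents and Settings\bob\Local Settings\Temp\svchost.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     '"C:\\Program Files\\Vendor\\updater.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\photo",
     r"C:\Documents and Settings\bob\Application Data\holiday.jpg.exe"),
]

if __name__ == "__main__":
    entries = collect_windows() if sys.platform == "win32" else SAMPLE_ENTRIES
    for location, command, reasons in triage(entries):
        print(location)
        print("    " + command)
        for reason in reasons:
            print("        - " + reason)
```

Run it with administrator rights on the suspect machine so that the Startup folders of other profiles are readable. Treat the output as a list of files to examine and submit, not as a verdict: a legitimate installer can trip the temp-directory rule, and malware placed in Program Files trips none of them.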

Submit suspicious files for analysis:

Any suspicious files identified in the above steps should be submitted to Symantec Security Response for analysis:

–  There are two locations to which you can submit malware:

http://www.threatexpert.com/submit.aspx – use this submission page if you would like a quicker response on your submitted malware. It also provides a place to track your past submissions.

https://submit.symantec.com/retail – use this submission page if you would like to pass malware information to Symantec without an immediate follow-up.

–  Locate the files identified above and submit them for analysis, following the instructions provided.

–  An email with a tracking number will be sent once the submission has been received.
–  A closing email will be sent once the submission has been processed, with the results of the analysis.
–  For files which are determined to be malicious, details of the definition versions which provide detection will be included in the email.

CVE-2008-6373

Unspecified vulnerability in Nagios before 3.0.6 has unspecified impact and remote attack vectors related to CGI programs, “adaptive external commands,” and “writing newlines and submitting service comments.” (CVSS:5.0) (Last Update:2009-07-22)

SA-CORE-2009-004 – Local file inclusion on Windows

  • Advisory ID: DRUPAL-SA-CORE-2009-004
  • Project: Drupal core
  • Versions: 5.x
  • Date: 2009-February-25
  • Security risk: Highly Critical
  • Exploitable from: Remote
  • Vulnerability: Local file inclusion on Windows
  • Reference: SA-CORE-2009-003 (6.x)

Description

This vulnerability exists on Windows, regardless of the type of webserver (Apache, IIS) used.

The Drupal theme system takes URL arguments into account when selecting a template file to use for page rendering. While doing so, it doesn’t take into account how Windows arrives at a canonicalized path. This enables malicious users to include files, readable by the webserver and located on the same volume as Drupal, and to execute PHP contained within those files. For example: If a site has uploads enabled, an attacker may upload a file containing PHP code and cause it to be included on a subsequent request by manipulating the URL used to access the site.

Important note: An attacker may also be able to inject PHP code into webserver logs and subsequently include the log file, leading to code execution even if no upload functionality is enabled on the site.

Versions Affected

  • Drupal 5.x before version 5.16

Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.16.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patch fixes the security vulnerability, but does not contain other fixes which were released in Drupal 5.16.

Reported by

Bogdan Calin (www.acunetix.com)

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.


SA-CORE-2009-003 – Local file inclusion on Windows

  • Advisory ID: DRUPAL-SA-CORE-2009-003
  • Project: Drupal core
  • Versions: 6.x
  • Date: 2009-February-25
  • Security risk: Highly Critical
  • Exploitable from: Remote
  • Vulnerability: Local file inclusion on Windows

Description

This vulnerability exists on Windows, regardless of the type of webserver (Apache, IIS) used.

The Drupal theme system takes URL arguments into account when selecting a template file to use for page rendering. While doing so, it doesn’t take into account how Windows arrives at a canonicalized path. This enables malicious users to include files, readable by the webserver and located on the same volume as Drupal, and to execute PHP contained within those files. For example: If a site has uploads enabled, an attacker may upload a file containing PHP code and cause it to be included on a subsequent request by manipulating the URL used to access the site.

Important note: An attacker may also be able to inject PHP code into webserver logs and subsequently include the log file, leading to code execution even if no upload functionality is enabled on the site.
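As an added illustration of the canonicalization problem described in both SA-CORE-2009-004 and SA-CORE-2009-003 (this is example code, not Drupal's theme system), the script below builds a page template suggestion path from a request argument behind a forward-slash-only check, then canonicalizes the result under Windows rules with Python's ntpath module, which applies those rules on any host. The theme directory, the attacker-supplied argument and the target file name are all constructed for the example. The hardened variant strips both slash characters and NUL bytes, allow-lists what remains, and confirms the final path under both POSIX and Windows rules.

```python
"""Template-suggestion path check (added example; not Drupal's code)."""
import ntpath
import posixpath
import re

THEME_DIR = r"C:\inetpub\drupal\themes\garland"        # assumed theme directory
# Constructed attacker-controlled path component; the target file is hypothetical.
ATTACK_ARG = r"..\..\..\..\sites\default\files\upload"
SAFE_ARG = re.compile(r"[A-Za-z0-9_-]+\Z")               # characters a suggestion may contain


def naive_candidate(arg):
    """Pre-fix style: build the template path after a check that knows only POSIX separators."""
    if "/" in arg or arg in (".", ".."):
        raise ValueError("rejected: contains a path separator")
    return THEME_DIR + "/page-" + arg + ".tpl.php"


def resolves_inside(candidate, base, pathmod):
    """Canonicalise candidate under pathmod's rules and test that it stays below base."""
    root = pathmod.normpath(base).lower().rstrip(pathmod.sep) + pathmod.sep
    return pathmod.normpath(candidate).lower().startswith(root)


def check_both(candidate):
    """Return (inside_under_posix_rules, inside_under_windows_rules) for a candidate path."""
    return (resolves_inside(candidate, THEME_DIR, posixpath),
            resolves_inside(candidate, THEME_DIR, ntpath))


def windows_resolution(candidate):
    """The path Windows would actually open for the candidate."""
    return ntpath.normpath(candidate)


def hardened_candidate(arg):
    """Strip '/', '\\' and NUL, allow-list the rest, then confirm the path under both rule sets.
    Returns None when the argument is rejected."""
    cleaned = arg.replace("/", "").replace("\\", "").replace("\0", "")
    if not SAFE_ARG.match(cleaned):
        return None
    candidate = THEME_DIR + "/page-" + cleaned + ".tpl.php"
    if not all(check_both(candidate)):
        return None
    return candidate


if __name__ == "__main__":
    unsafe = naive_candidate(ATTACK_ARG)      # passes the forward-slash-only check
    posix_ok, windows_ok = check_both(unsafe)
    print("inside theme dir under POSIX rules:  ", posix_ok)
    print("inside theme dir under Windows rules:", windows_ok)
    print("Windows opens:", windows_resolution(unsafe))
    print("hardened(attack):  ", hardened_candidate(ATTACK_ARG))
    print("hardened(node-123):", hardened_candidate("node-123"))
```

The first two lines of output disagree: under POSIX rules the backslashes are ordinary file-name characters and the path appears to stay under the theme directory, while under Windows rules each `..` walks up a level and the path lands outside it. That disagreement is the whole bug, and it applies to any server-side code that validates a request-supplied file name with forward-slash rules alone.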

Versions Affected

  • Drupal 6.x before version 6.10

Solution

Install the latest version:

  • If you are running Drupal 6.x then upgrade to Drupal 6.10.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patch fixes the security vulnerability, but does not contain other fixes which were released in Drupal 6.10.

Reported by

Bogdan Calin (www.acunetix.com)

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.


SA-CORE-2009-001 Drupal core – Multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-CORE-2009-001
  • Project: Drupal core
  • Versions: 5.x and 6.x
  • Date: 2009-January-14
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Multiple vulnerabilities and weaknesses were discovered in Drupal.

Access Bypass

The Content Translation module for Drupal 6.x enables users to make a translation of an existing item of content (a node). In that process the existing node’s content is copied into the new node’s submission form.

The module contains a flaw that allows a user with the ‘translate content’ permission to potentially bypass normal viewing access restrictions, for example allowing the user to see the content of unpublished nodes even if they do not have permission to view unpublished nodes.

This issue only affects Drupal 6.x.

Validation Bypass

When user profile pictures are enabled, the default user profile validation function will be bypassed, possibly allowing invalid user names or e-mail addresses to be submitted.

This issue only affects Drupal 6.x.

Hardening against SQL injection

A parameter passed into the node access API was not properly escaped or validated before being used in SQL queries. While there is no direct risk of SQL injection from Drupal core, it’s possible that this could have presented a risk in combination with a contributed module. Additional validation has been added to eliminate this risk.

This issue affects both Drupal 5.x and Drupal 6.x.

Versions Affected

  • Drupal 5.x before version 5.15.
  • Drupal 6.x before version 6.9.

Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.15.
  • If you are running Drupal 6.x then upgrade to Drupal 6.9.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by

The access bypass issue for translations was reported by Wolfgang Ziegler.

The validation bypass was reported by v1nce, supersmashbrothers, Tejus Pratap, and Limiting Factor.

The need for SQL hardening was reported by Derek Wright of the Drupal Security Team.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.


CVE-2009-0070

Integer signedness error in Apple Safari allows remote attackers to read the contents of arbitrary memory locations, cause a denial of service (application crash), and probably have unspecified other impact via the array index of the arguments array in a JavaScript function, possibly a related issue to CVE-2008-2307. (CVSS:9.3) (Last Update:2009-01-29)

CVE-2008-5821

Memory leak in WebKit.dll in WebKit, as used by Apple Safari 3.2 on Windows Vista SP1, allows remote attackers to cause a denial of service (memory consumption and browser crash) via a long ALINK attribute in a BODY element in an HTML document. (CVSS:5.0) (Last Update:2009-01-10)

[ANNOUNCEMENT] Apache HTTP Server 2.2.11 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.11 of the Apache HTTP
   Server ("Apache").  This version of Apache is principally a bug fix
   release.

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.2.11 is available for download from:

     http://httpd.apache.org/download.cgi

   Apache 2.2 offers numerous enhancements, improvements, and performance
   boosts over the 2.0 codebase.  For an overview of new features
   introduced since 2.0 please see:

     http://httpd.apache.org/docs/2.2/new_features_2_2.html

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes.  A condensed list, CHANGES_2.2.11 provides the
   complete list of changes since 2.2.10. A summary of security
   vulnerabilities which were addressed in the previous 2.2.10 and earlier
   releases is available:

     http://httpd.apache.org/security/vulnerabilities_22.html

   Apache HTTP Server 1.3.41 and 2.0.63 legacy releases are also currently
   available.  See the corresponding CHANGES files linked from the download
   page.  The Apache HTTP Project developers strongly encourage all users to
   migrate to Apache 2.2, as only limited maintenance is performed on these
   legacy versions.

   This release includes the Apache Portable Runtime (APR) version 1.3.3
   bundled with the tar and zip distributions.  The APR libraries libapr
   and libaprutil (and on Win32, libapriconv) must all be updated to ensure
   binary compatibility and address many known platform bugs.

   This release builds on and extends the Apache 2.0 API.  Modules written
   for Apache 2.0 will need to be recompiled in order to run with Apache
   2.2, and require minimal or no source code changes.

     http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

   When upgrading or installing this version of Apache, please bear in mind
   that if you intend to use Apache with one of the threaded MPMs (other
   than the Prefork MPM), you must ensure that any modules you will be
   using (and the libraries they depend on) are thread-safe.

SA-2008-073 – Drupal core – Multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-2008-073
  • Project: Drupal core
  • Versions: 5.x and 6.x
  • Date: 2008-December-10
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

Cross site request forgery

The update system is vulnerable to Cross site request forgeries. Malicious users may cause the superuser (user 1) to execute old updates that may damage the database.

Cross site scripting

When an input format is deleted, not all existing content on a site is updated to reflect this deletion. Such content is then displayed unfiltered. This may lead to cross site scripting attacks when harmful tags are no longer stripped from ‘malicious’ content that was posted earlier.

Versions Affected

  • Drupal 5.x before version 5.13
  • Drupal 6.x before version 6.7

Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.13.
  • If you are running Drupal 6.x then upgrade to Drupal 6.7.

Note: the robots.txt and .htaccess files have changed and need to be replaced. The settings.php file has not been changed and can be left as it was if upgrading from the current version of Drupal.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by

Both issues were reported by David Rothstein (David_Rothstein).

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.


CVE-2008-5406

Stack-based buffer overflow in Apple QuickTime Player 7.5.5 and iTunes 8.0.2.20 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a MOV file with “long arguments,” related to an “off by one overflow.” (CVSS:9.3) (Last Update:2009-01-29)
