Invasion Of The Wrigglies

[Nancy McAleavey]

PSC Newsletter- Coming very soon...Invasion of the Wrigglies

On Tuesday, Microsoft released a "nine-pack" of patches for WindowsXP and components for other flavors of its OS, INCLUDING WIN98, WIN98SE, WINME, WIN2000 and other versions. While results of the "bandaid" has been mixed, and it's caused a number of problems, one component of the patch is so extremely critical that one absolutely needs to take their chances and install it as the exploits are about to appear full force as exploit code was reportedly published by "eEye security" and "cut and pastes" are already circulating on some "VX'er" sites.

This is PARTICULARLY critical for our customers who are using Windows 2000 and earlier! We've already seen signs of interest among numerous "hacker" sites anxious to complete code to make use of the particular exploit associated with "MS05-051" It is CRUCIAL that if you haven't already upgraded your Windows XP to SP2 that you do so immediately and that users of Win2000 and other versions of Windows install MS05-051 without delay to head the script kiddies off at the pass. We expect major outbreaks in the next few days for those who are unpatched and unprotected by fully up to date antivirus and antimalware software.

Information for the script kiddies was also provided by Microsoft in its narrative for this particular patch and it is perhaps one of the easiest exploitable security holes in unpatched machines we've seen in years. A number of security sites went into even further detail on how precisely the exploits can be used against unpatched machines. In addition to the ability to exploit DTC and COM+ as outlined in MS05-051, MS05-050 is another patch which mitigates a problem which would permit a properly crafted AVI file to "root" your machine. And again, Windows 2000 is fully exposed, as are Win98, Win98SE, WinME, Win2000, and WinXP (all versions). And while those still using Win95 are also exposed, there will be no patches for Win95.

SANS Institute has the following information including some workarounds on the MS05-051 security bulletin here that is worth reading and acting upon

http//isc.sans.org/diary.php?storyid=750

Details on the DirectShow flaw which allows certain AVI files to take over your system can be read on Microsoft's site - this is of particular interest to those who visit "adult" and "humor" sites which offer "clips" and are the primary vector for "CoolWebSearch" (CWS), "Integrated Search Technologies" (IST), "Virtumonde" (VUNDO) and other hijackers who are now offered a new mode to hijack your machine

http//www.microsoft.com/technet/security/Bulletin/MS05-050.mspx

And a vulnerability in IE resulted in MS05-052 which covers DDS and COM+ vulnerabilities and is described here

http//www.microsoft.com/technet/security/Bulletin/MS05-052.mspx

In total, NINE major patches for ALL versions of Windows are required, and despite a number of problems with some of them on machines whose configurations have been modified based on advice obtained from forums and newsgroups, these patches are the absolute highest level of critical even if they result in some instabilities for some people. A description of some of the observed instabilities appears down below near the bottom so you know what you might expect if things go sideways.

Over the past two days, our BOCLEAN antimalware software has been updated through our daily updates to monitor for suspicious behavior based on these exploits. However the security holes are very serious and require patching. And while we expect the "usual suspects" such as LOP, NAIL, IST, CWS, MYBOT, AGOBOT and VIRTUMONDE (a/k/a VUNDO to the AV's) to "zero hour" as quickly as possible, our greatest concern is new malware which has no prior variants which BOClean is already aware of until they're actually sighted. New variants of existing malware should be detected even if they're "new." This has usually been the pattern in the past as the script kiddies recycle old nasties with modifications to make use of newly discovered exploits.

Our laboratory crew is on full alert and will continue trolling the "hacker" sites in search of new items which might appear and our customers can expect frequent updates as they turn up before they spread. You may notice more activity in BOClean checking for updates multiple times a day, that's the reason why.

Some of the side effects reported from Tuesday's patches include

Instability of email client on AOL's service.

Failure of some web sites to load.

Scripting errors and access denied errors.

Perpetual rebooting, even in safe mode.

In addition, one of our associates reported the following on his "heavily adjusted XP box" ...

Following reboot, XP did come alive. But with problems aplenty

- Welcome screen now echoes loading of user profile (auto logonadmin).

- App requiring admin credentials won't launch (not authorized error).

- Policy editor won't open in snap-in.

- Networking icons no longer appear (b/band access working).

- TCP/IP Simple no longer in Win components.

- Search function not working.

- Dependencies tab in Services snap-in won't display (W32 error).

- etc.

So despite the possibilities of adventures requiring a rollback and taking the fixes one by one, the vast majority of people who don't routinely muck with settings should go smoothly. And for those who haven't already installed XP SP2, now is the time! No turning back. This situation is extremely serious and while "zero hour" hasn't happened yet, it WILL before the day is out or possibly even before this report is distributed.

For those with BOClean, once you've gotten today's update, any minor incompatibilities with Microsoft's changes have been ameliorated and BOClean has been adjusted so as to not be part of the problem. We STRONGLY urge you to apply the patches before doing anything else and to ensure that your BOClean has been updated and carries "today's" date. You can check by right clicking on the BOClean traybar icon - the date and time of the latest update will appear on the top of the button bar which pops up. This date and time can be compared with our update page here to ensure that you're current

http//www.nsclean.com/trolist.html

We have reprogrammed BOClean through today's update to check more often than usual, overriding any defaults you have if you left BOClean in full automatic update mode. If you update BOClean manually rather than using the built-in automatic update, you may want to check twice a day for the time being. Updates can occur at any time of the day or night, depending on the urgency.