Security Watch
The spamtroves
Ever wondered where all that spam (which often brings down mail servers)
comes from? Security vendor Sophos has come out with a report that tracks the
countries from which spam mail originates.
Sophos researchers used a global network of honeypots for this study. The results
indicate that the United States leads the world when it comes to spamming: Sophos
says that approximately 42.53 percent of the Internet's spam traffic is of US
origin. Next in line comes South Korea, which contributes around 15.42 percent
of worldwide spam traffic. The study notes that South Korea's large-scale broadband
usage has helped almost triple the spam traffic originating from the country
since February 2004.
A major worry which studies like these bring up is the extent to which spammers
exploit ordinary users and organizations. A major chunk of spam traffic over
the Internet is sent by blackhat hackers (crackers) using compromised computers
and mail servers. These 'zombie machines' usually have broadband connections,
which make them very lucrative spam-relaying tools for crackers.
This can be very harmful for organizations, as it can unknowingly get them into
major legal hassles. Regular audits of mail servers are essential to avoid getting
into such issues.
Cisco IOS telnet vulnerabilities
US-CERT (www.us-cert.gov) has reported a denial-of-service vulnerability in
Cisco's Internetwork Operating System (IOS). This vulnerability could allow
remote attackers to prevent new connections to remote management services on
a vulnerable device.
An unauthenticated, remote attacker with the ability to send TCP packets to
ports used by the telnet (23/tcp) or reverse telnet (2001-2999/tcp, 3001-3099/tcp,
6001-6999/tcp, 7001-7099/tcp) service could cause a vulnerable device to refuse
subsequent connections to the SSH, SCP, RSH, telnet, reverse telnet, and HTTP
remote management services. Exploitation of this vulnerability could deny remote
access to the device. Existing connections to these services are not affected.
CERT notes that version 1.0 of the Cisco HTTP server, which is included in IOS
versions prior to 12.2(15), is affected by this vulnerability. Version 1.1 of
the Cisco HTTP server, included in IOS versions 12.2(15) and later, is not
affected. In order to regain functionality, the problematic TCP connection must
be cleared, or the device may need to be reloaded.
Patches for this vulnerability were not available from Cisco at the time of reporting.
However, Cisco's security advisory gives the following workarounds:
- Enabling SSH and disabling telnet
- Configuring a VTY access class
- Configuring Interface Access Lists (ACLs)
- Configuring Infrastructure Access Lists (iACLs)
- Configuring Receive Access Lists (rACLs)
- Clearing TCP connections using the IOS CLI
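As an added illustration of the first three workarounds (this fragment is not taken from the Cisco advisory or the US-CERT note), the following IOS configuration restricts VTY access to a management subnet, replaces telnet with SSH, and filters the telnet and reverse-telnet ports listed above at an ingress interface. The hostname, domain, addresses, interface name and account are all constructed; the password is a placeholder.

```cisco
! Added example, not from the Cisco advisory; all names and addresses constructed.
! 1. Replace telnet with SSH version 2 and authenticate administrators locally.
hostname edge-router
ip domain-name example.net
username netadmin privilege 15 secret <strong-password-here>
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! 2. VTY access class: only the management subnet 192.0.2.0/24 (constructed)
!    may open a session; everything else is dropped and logged.
ip access-list standard VTY-MGMT
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 4
 login local
 access-class VTY-MGMT in
 transport input ssh
!
! 3. Interface ACL on the upstream link: drop telnet (23) and the reverse-telnet
!    ranges named in the advisory when they are aimed at the device's own
!    address (203.0.113.1, constructed); transit traffic is still permitted.
ip access-list extended EDGE-IN
 deny   tcp any host 203.0.113.1 eq 23
 deny   tcp any host 203.0.113.1 range 2001 2999
 deny   tcp any host 203.0.113.1 range 3001 3099
 deny   tcp any host 203.0.113.1 range 6001 6999
 deny   tcp any host 203.0.113.1 range 7001 7099
 permit ip any any
!
interface FastEthernet0/0
 ip access-group EDGE-IN in
!
! If the device is already refusing new sessions, the stuck connection is
! listed and cleared from the console in exec mode (not configuration mode):
!   show tcp brief
!   clear tcp tcb <TCB address shown by the previous command>
```

The VTY access class protects the management lines themselves, while the interface ACL keeps the offending packets from ever reaching the listening service; the advisory's infrastructure and receive ACL workarounds generalise the same filtering to all interfaces and to the route processor respectively.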
Oracle app vulnerabilities
US-CERT has sounded a high alert on multiple vulnerabilities affecting several
Oracle applications. Vulnerabilities existing in the Oracle Database Server,
Application Server, Enterprise Manager software, and Collaboration Suite &
E-Business Suite 11i can allow remote attackers to execute arbitrary code on
an affected system.
The affected Oracle applications are:
- Oracle Database 10g Release 1, version 10.1.0.2
- Oracle9i Database Server Release 2, versions 9.2.0.4 and 9.2.0.5
- Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4
- Oracle8i Database Server Release 3, version 8.1.7.4
- Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2
- Oracle Enterprise Manager Database Control 10g, version 10.1.0.2
- Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
- Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
- Oracle9i Application Server Release 1, version 1.0.2.2
US-CERT has not yet fully established the impact of these vulnerabilities. Reported
exploits range from remote, unauthenticated execution of arbitrary code to
data corruption or leakage, and make use of buffer overflow, format
string, SQL injection and other types of flaws. Oracle's security
alert on these vulnerabilities can be found at
http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
The security alert provides upgrade or patching instructions. In the case of
Oracle Collaboration Suite or E-Business Suite 11i, remediation instructions
can be found in the same alert.
According to Oracle's statement as provided by US-CERT, the following product
releases and versions, and all future releases and versions, are not affected:
- Oracle Database 10g Release 1, version 10.1.0.3
- Oracle Enterprise Manager Grid Control 10g, version 10.1.0.3 (not yet available)
- Oracle Application Server 10g (9.0.4), version 9.0.4.2 (not yet available)
AMD64 proof of concept virus
Shruggle (W64.Shruggle.1318), the first proof-of-concept virus infecting 64-bit
Windows executables on the AMD64 platform, has been detected by Symantec. The
point to note is that AMD64 CPUs are expected to ship only in the latter
half of 2004.
Written in AMD64 assembly code and based on the W32.Shrug virus, W64.Shruggle.1318
is a direct-action file infector, similar to W64.Rugrat.3344, that infects AMD64
Windows Portable Executable (PE) files. Symantec says that the execution method
is similar to W64.Rugrat (the IA64 virus). W64.Shruggle.1318 searches for 64-bit
executable files in the folder from which the virus was executed, and in all its
subfolders. When it finds a 64-bit executable file, the virus appends itself to
the file, unless it is a .dll file (.dll files are not affected).
The virus does not infect 32-bit portable executable files, and will not run
natively on 32-bit Windows platforms. However, it can be run on a 32-bit computer
using 64-bit simulation software.
Top ten virus threats in Asia in August 2004

| Position | Threat              |
| 1        | W32.HLLW.Gaobot.gen |
| 2        | W32.Spybot.Worm     |
| 3        | VBS.Redlof.A        |
| 4        | PWSteal.Lemir.Gen   |
| 5        | W32.Netsky.P@mm     |
| 6        | W32.Randex.gen      |
| 7        | W32.Mydoom.Q@mm     |
| 8        | W32.Lovgate.Z@mm    |
| 9        | W32.Sasser.B.Worm   |
| 10       | W32.Mota.B@mm       |

Source: www.symantec.com