Ever wondered where all that spam (which often brings down the mail servers)
comes from? Security vendor Sophos has come out with a report that tracks the
countries from where spam mail originates.
Sophos researchers used a global network of honeypots for this study. The results
indicate that United States leads the world when it comes to spamming. Sophos
says that approximately 42.53 percent of the Internet's spam traffic is of US
origin. Next in line comes South Korea which contributes around 15.42 percent
of worldwide spam traffic. The study notes that South Korea's large scale broadband
usage has helped it almost triple the spam traffic originating from the country
since February 2004.
A major worry which studies like these bring up is the extent to which spammers
exploit ordinary users and organizations. A major chunk of spam traffic over
the internet is sent by blackhat hackers (crackers) using exploited computers
and mail servers. These 'Zombie machines' usually have broadband connections
that make it very lucrative spam relaying tools for crackers.
This can be very harmful for organizations as it can unknowingly get them into
major legal hassles. Regular audits of mail servers are essential to avoid getting
into such issues.
Cisco IOS telnet vulnerabilities
US-CERT (www.us-cert.gov) has reported a denial-of-service vulnerability in
Cisco's Internetwork Operating System (IOS). This vulnerability could allow
remote attackers to prevent new connections to remote management services on
a vulnerable device.
An unauthenticated, remote attacker with the ability to send TCP packets to
ports used by the telnet (23/tcp) or reverse telnet (2001-2999/tcp, 3001-3099/tcp,
6001-6999/tcp, 7001-7099/tcp) service could cause a vulnerable device to refuse
subsequent connections to the SSH, SCP, RSH, telnet, reverse telnet, and HTTP
remote management services. Exploitation of this vulnerability could deny remote
access to the device. Existing connections to these services are not affected.
CERT notes that Version 1.0 of the Cisco HTTP server, which is included in IOS
versions prior to 12.2(15) is affected by this vulnerability. Version 1.1 of
the Cisco HTTP server, which is included in IOS versions after and including
12.2(15) is not affected by this vulnerability. In order to regain functionality,
the problematic TCP connection must be cleared, or the device may need to be
Patches for this vulnerability are not available from Cisco at the time of reporting.
However, Cisco's security advisory gives the following workarounds, namely:
- Enabling SSH and disabling telnet
- Configuring a VTY access class
- Configuring Interface Access Lists (ACLs)
- Configuring Infrastructure Access Lists (iACLs)
- Configuring Receive Access Lists (rACLs)
- Clearing TCP connections using the IOS CLI
Oracle app vulnerabilities
US-CERT has sounded a high alert on multiple vulnerabilities affecting several
Oracle applications. Vulnerabilities existing in the Oracle Database Server,
Application Server, Enterprise Manager software, and Collaboration Suite &
E-Business Suite 11i can allow remote attackers to execute arbitrary code on
an affected system.
The affected Oracle applications are:
- Oracle Database 10g Release 1, version 10.1.0.2
- Oracle9i Database Server Release 2, versions 188.8.131.52 and 184.108.40.206
- Oracle9i Database Server Release 1, versions 220.127.116.11, 18.104.22.168 and 9.0.4
- Oracle8i Database Server Release 3, version 22.214.171.124
- Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2
- Oracle Enterprise Manager Database Control 10g, version 10.1.0.2
- Oracle Application Server 10g (9.0.4), versions 126.96.36.199 and 188.8.131.52
- Oracle9i Application Server Release 2, versions 184.108.40.206 and 220.127.116.11
- Oracle9i Application Server Release 1, version 18.104.22.168
US-CERT is as yet not clear about the impact of these vulnerabilities. Reported
exploits ranged from remote, unauthenticated execution of arbitrary code to
data corruption or leakage. The exploits used several buffer overflow, format
string, SQL injection and other types of vulnerabilities. Oracle's security
alert on these vulnerabilities can be found at,
The security alert provides upgrade of patching instructions. In the case of
Oracle Collaboration Suite or E-Business Suite 11i, remediation instructions
can be found in the same alert.
According to Oracle's statement as provided by US-CERT, the following product
releases and versions, and all future releases and versions are not affected:
- Oracle Database 10g Release 1, version 10.1.0.3
- Oracle Enterprise Manager Grid Control 10g, version 10.1.0.3 (not yet available)
- Oracle Application Server 10g (9.0.4), version 22.214.171.124 (not yet available)
AMD64 proof of concept virus
Shruggle (W64.Shruggle.1318), the first proof of concept virus infecting 64-bit
Windows executables on the AMD64 platform has been detected by Symantec. The
point to note is that the AMD64 CPUs are expected to ship only in the latter
half of 2004.
Written in AMD64 assembly code and based on the W32.Shrug virus, W64.Shruggle.1318
is a direct-action file infector, similar to W64.Rugrat.3344, that infects AMD64
Windows Portable Executable (PE) files. Symantec says that the execution method
is similar to W64.Rugrat (the IA64 virus). W64.Shruggle.1318 searches 64-bit
executable files in the same folder, and all subfolders, that the virus was
executed. When it finds a 64-bit executable file, the virus appends itself to
the file, unless it is a .dll file (.dll files are not affected).
The virus does not infect 32-bit portable executable files, and will not run
natively on 32-bit Windows platforms. However, it can be run on a 32-bit computer
using 64-bit simulation software.
| Top ten virus threats in asia in