Security
Storm worm gains strength
Spam rates are rising rapidly, with much of the blame being placed on the "storm worm." The worm targets PCs in order to build an enormous botnet for purposes that can only be speculated upon. Estimates of the size of the botnet vary, but it is probably fair to say that millions of machines are infected. Interestingly, the techniques used to propagate the worm are evolving, and some defense mechanisms are emerging.
The storm worm has been with us since January; its name stems from the subject of the earliest emails that propagated it, and it has attacked in multiple waves of spam since then. It uses the simplest of all infection techniques: tricking recipients into running a program. Those programs, which, from all reports, only run on Windows, then install various kinds of malware, including programs that connect the machine to a massive botnet.
At its root, the storm worm uses various "social engineering" tactics to convince people either to open an executable attached to the email or to visit a website and download software from there. Several different messages have been tried recently: electronic greeting cards, welcome messages from various "groups" (Wine Lovers, Poker Players, etc.) and, most recently, one that claims to point to a YouTube video showing you or your family. These messages have been pumped out at enormous rates by the botnet as it tries to grow bigger.
Some defensive behavior has been noted as well. When infected machines are scanned for vulnerabilities or malware, they sometimes react by calling in a distributed denial-of-service (DDoS) attack on the scanning machine. The main concern is for academic networks that sit directly on the internet; machines behind firewalls are generally protected, unless a significant part of the botnet also lives there.
These evolving tactics and defensive measures are not being implemented for fun; the botnet herders probably have a plan for using such a huge botnet, and the only question is: for what? The most likely explanation is DDoS attacks on targeted sites, quite possibly with payment demanded to stop them, which is also known as extortion. They presumably also get paid to send spam – other than the spam used to increase the botnet's size – but extorting money from sites that depend on traffic is probably much more lucrative.
Unlike other botnets, storm's does not rely on a single central server that can be shut down, destroying the botnet. Instead, it uses peer-to-peer technology, distributing its command and control infrastructure throughout the network and making it much more difficult to combat. That, coupled with the furious spamming and the defensive responses, makes this the most robust botnet we have seen yet.
While this particular attack does not appear to affect Linux users directly, we should not be resting on our laurels. Linux users likely have a higher clue level, overall, than Windows users, but that level is dropping. As Ubuntu and other desktop, newbie-oriented distributions gain ground, the average computer literacy of the Linux community drops. There is no defense, other than educating users, against people who download random things and run them on their computers. If the storm botnet herders decide they need even more machines for their plan for total world domination, they might just turn to Linux.
New vulnerabilities
bugzilla: several vulnerabilities
Package(s): bugzilla
CVE #(s):
Created: August 28, 2007
Updated: August 29, 2007
Description: This Bugzilla security advisory covers several vulnerabilities in Bugzilla 2.20.4, 2.22.2, and 3.0.
Alerts:
id3lib: insecure tmpfile creation
Package(s): id3lib
CVE #(s): CVE-2007-4460
Created: August 27, 2007
Updated: October 2, 2007
Description: The RenderV2ToFile function in tag_file.cpp in id3lib (aka libid3) 3.8.3 allows local users to overwrite arbitrary files via a symlink attack on a temporary file whose name is constructed from the name of a file being tagged.
Alerts:
opera: multiple vulnerabilities
Package(s): opera
CVE #(s): CVE-2007-4367, CVE-2007-3929, CVE-2007-3142, CVE-2007-3819
Created: August 23, 2007
Updated: February 27, 2008
Description: The Opera browser has multiple vulnerabilities. The JavaScript engine is vulnerable to a virtual function call on an invalid pointer that can be triggered by specially crafted JavaScript. A freed pointer in the BitTorrent support may be accessed; this can be used for malicious code execution. The browser is vulnerable to several memory read protection errors. There are URI display errors that can be used to trick users into visiting arbitrary web sites.
Alerts:
pam_ssh: authentication restriction bypass
Package(s): pam_ssh
CVE #(s): CVE-2007-0844
Created: August 27, 2007
Updated: August 29, 2007
Description: The auth_via_key function in pam_ssh.c in pam_ssh before 1.92, when the allow_blank_passphrase option is disabled, allows remote attackers to bypass authentication restrictions and use private encryption keys requiring a blank passphrase by entering a non-blank passphrase.
Alerts:
po4a: information leak
Package(s): po4a
CVE #(s): CVE-2007-4462
Created: August 27, 2007
Updated: September 14, 2007
Description: This update fixes a potential security problem (information leak) due to the use of a predictable file name in /tmp.
Alerts:
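Both the id3lib entry above (a temporary file whose name is derived from the file being tagged) and the po4a entry (a predictable name in /tmp) are instances of the same defect, so one added example serves both. The code below is written for this page and is not taken from id3lib, po4a or any distribution fix: it places the predictable-name pattern beside the hardened form (mkstemp(), which opens with O_CREAT|O_EXCL and a random suffix), and includes two check functions that exercise each opener inside a private scratch directory constructed by the example. The file names "song.mp3" and "victim.txt" and the scratch directory prefix are assumptions of the demonstration.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern, as the id3lib description puts it: the temporary
 * file's name is derived from the name of the file being tagged, so anyone
 * who can guess it can plant a symlink there first.  fopen("w") follows
 * that symlink and truncates whatever it points at.  Kept only to contrast
 * with the fixed version below. */
FILE *open_temp_predictable(const char *tagged_path) {
    char tmp_name[1024];
    snprintf(tmp_name, sizeof tmp_name, "%s.tmp", tagged_path);
    return fopen(tmp_name, "w");
}

/* Fixed: mkstemp() picks a random suffix and opens with O_CREAT|O_EXCL and
 * mode 0600, so a pre-planted symlink at the chosen name makes the open
 * fail instead of being followed.  The template stays in the tagged file's
 * directory so the caller can later rename() it over tagged_path.
 * Returns the open fd (the chosen name is written to out_name) or -1. */
int open_temp_safe(const char *tagged_path, char *out_name, size_t n) {
    int len = snprintf(out_name, n, "%s.XXXXXX", tagged_path);
    if (len < 0 || (size_t)len >= n) return -1;
    return mkstemp(out_name);
}

/* Private scratch directory for the demonstration (constructed here). */
static int make_scratch(char *dir, size_t n) {
    snprintf(dir, n, "/tmp/tmpfile-demo.XXXXXX");
    return mkdtemp(dir) ? 0 : -1;
}

/* Plants a symlink at the predictable name pointing at a "victim" file,
 * then runs the vulnerable opener.  Returns 1 if the victim was truncated
 * through the symlink, 0 if it was left intact, -1 on setup failure. */
int predictable_opener_follows_symlink(void) {
    char dir[64], tagged[128], victim[128], link[160];
    if (make_scratch(dir, sizeof dir) < 0) return -1;
    snprintf(tagged, sizeof tagged, "%s/song.mp3", dir);
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s.tmp", tagged);

    FILE *v = fopen(victim, "w");
    if (!v) return -1;
    fputs("important data\n", v);
    fclose(v);
    if (symlink(victim, link) != 0) return -1;

    FILE *t = open_temp_predictable(tagged);
    if (t) fclose(t);

    struct stat st;
    int truncated = (stat(victim, &st) == 0 && st.st_size == 0);
    unlink(link); unlink(victim); rmdir(dir);
    return truncated;
}

/* Returns 1 if the safe opener produced an exclusively created 0600 file
 * (a second O_EXCL open of the same name fails with EEXIST), 0 otherwise,
 * -1 on setup failure. */
int safe_opener_is_exclusive(void) {
    char dir[64], tagged[128], name[160];
    if (make_scratch(dir, sizeof dir) < 0) return -1;
    snprintf(tagged, sizeof tagged, "%s/song.mp3", dir);

    int fd = open_temp_safe(tagged, name, sizeof name);
    if (fd < 0) { rmdir(dir); return -1; }
    int fd2 = open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int exclusive = (fd2 < 0 && errno == EEXIST);
    if (fd2 >= 0) close(fd2);

    struct stat st;
    int mode_ok = (fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600);
    close(fd); unlink(name); rmdir(dir);
    return exclusive && mode_ok;
}

int main(void) {
    printf("predictable name followed symlink: %d\n", predictable_opener_follows_symlink());
    printf("mkstemp name exclusive and 0600:   %d\n", safe_opener_is_exclusive());
    return 0;
}
```

The point of running both checks side by side is that the fix is not a longer or more random file name but the exclusive-create semantics: with O_EXCL, any pre-existing path (a symlink included) makes the open fail, which is exactly what a local attacker racing for the name must not be able to prevent.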
star: directory traversal vulnerability
Package(s): star
CVE #(s): CVE-2007-4134
Created: August 28, 2007
Updated: October 23, 2007
Description: Star saves many files together into a single tape or disk archive, and can restore individual files from the archive. Star supports ACL. Version 1.5a84 fixes a directory traversal vulnerability.
Alerts:
sylpheed: format string vulnerability
Package(s): sylpheed
CVE #(s): CVE-2007-2958
Created: August 28, 2007
Updated: October 26, 2007
Description: Ulf Harnhammar (Secunia Research) has discovered a format string vulnerability in sylpheed and claws-mail in the inc_put_error() function in src/inc.c when displaying a POP3 error reply. The problem can be exploited by a malicious POP3 server via specially crafted POP3 server replies containing format specifiers. See this Secunia advisory for more information.
Alerts:
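The sylpheed entry describes the classic format string defect: server-supplied text is handed to a printf-family function as the format argument. The example below is added here and is not the sylpheed or claws-mail code; it shows the vulnerable shape next to the fixed one (a literal format string with the reply passed as a "%s" argument) and a small helper for checking that a reply containing '%' directives is rendered verbatim. The "POP3 error:" prefix and the sample replies are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern, as the advisory describes it: the text of the POP3
 * server's error reply is used as the format string, so '%' directives
 * chosen by the server are interpreted against whatever happens to be on
 * the stack.  Kept only to contrast with the fixed version; never call it
 * on network data.  The pragma silences the compiler's own warning about
 * exactly this mistake, which is worth leaving enabled in real builds. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int render_pop3_error_vulnerable(char *out, size_t n, const char *reply) {
    return snprintf(out, n, reply);
}
#pragma GCC diagnostic pop

/* Fixed: the format string is a literal and the reply is passed as an
 * argument, so every '%' in it is copied through unchanged.  The CRLF that
 * terminates a POP3 reply line is dropped before display. */
int render_pop3_error(char *out, size_t n, const char *reply) {
    char clean[512];
    size_t len = strcspn(reply, "\r\n");        /* stop at the line end */
    if (len >= sizeof clean) len = sizeof clean - 1;
    memcpy(clean, reply, len);
    clean[len] = '\0';
    return snprintf(out, n, "POP3 error: %s", clean);
}

/* Check helper: renders 'reply' with the fixed function and reports whether
 * the result equals 'expected' (1) or not (0). */
int renders_as(const char *reply, const char *expected) {
    char out[600];
    render_pop3_error(out, sizeof out, reply);
    return strcmp(out, expected) == 0;
}

int main(void) {
    /* Constructed replies, the second one carrying format directives. */
    const char *replies[] = {
        "-ERR [AUTH] Invalid login\r\n",
        "-ERR %s%s%s%n\r\n",
    };
    char out[600];
    for (size_t i = 0; i < sizeof replies / sizeof replies[0]; i++) {
        render_pop3_error(out, sizeof out, replies[i]);
        printf("%s\n", out);
    }
    return 0;
}
```

The only difference between the two functions is where the untrusted string sits in the argument list, which is why this class of bug is easy to introduce and why -Wformat-security should stay on in builds of anything that talks to a network.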
tar: symlink path traversal vulnerability
Package(s): tar
CVE #(s): CVE-2007-4131
Created: August 23, 2007
Updated: December 28, 2007
Description: The tar utility has a symlink path traversal vulnerability involving extracted archives. Maliciously created tar archives can be used to write arbitrary data to files that the tar user has write access to.
Alerts:
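The star entry (directory traversal) and the tar entry (symlink path traversal) describe two ways an archive member can cause writes outside the extraction directory: a member path that climbs above the root, or a symlink member whose target points outside it so that later members extracted through the link land elsewhere. The check below is added for this page and is not the fix that went into tar or star; it normalizes each member's path, and for symlink members also resolves the link target from the directory containing the link, refusing anything that leaves the extraction root. The member listing is constructed for the example and does not come from any real archive.

```c
#include <stdio.h>
#include <string.h>

/* Walk a '/'-separated path starting 'depth' directories below the
 * extraction root.  "." and empty components are ignored, ".." goes up one
 * level.  Returns the final depth, or -1 if any step leaves the root
 * (an absolute path, or a ".." that climbs above the root). */
static int walk_components(const char *path, int depth) {
    if (path[0] == '/') return -1;
    const char *p = path;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0) return -1;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;
        }
        if (!slash) return depth;
        p = slash + 1;
    }
}

/* An archive member is safe to extract when its own path stays inside the
 * extraction root and, for a symlink member, when the link target (resolved
 * from the directory containing the link) also stays inside.  Pass NULL as
 * link_target for regular files and directories.  Returns 1 (safe) or 0. */
int member_is_safe(const char *name, const char *link_target) {
    int depth = walk_components(name, 0);
    if (depth < 0) return 0;
    if (link_target) {
        if (depth == 0) return 0;      /* a symlink named "." makes no sense */
        if (walk_components(link_target, depth - 1) < 0) return 0;
    }
    return 1;
}

/* Constructed member listing standing in for an archive's table of
 * contents (not taken from any actual archive). */
struct member { const char *name; const char *link_target; };
static const struct member sample[] = {
    { "./",                     NULL },
    { "pkg/README",             NULL },
    { "pkg/docs/../src/main.c", NULL },              /* normalizes inside      */
    { "../../outside.txt",      NULL },              /* climbs above the root  */
    { "/abs/path",              NULL },              /* absolute path          */
    { "pkg/lnk",                "../shared" },       /* resolves to ./shared   */
    { "pkg/lnk2",               "../../outside" },   /* escapes via the link   */
    { "pkg/abs",                "/etc" },            /* absolute link target   */
};

/* Scans the listing, prints a verdict per member, and returns how many
 * members an extractor using this check would refuse. */
int count_unsafe_members(void) {
    int unsafe = 0;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        int ok = member_is_safe(sample[i].name, sample[i].link_target);
        printf("%-8s %s%s%s\n", ok ? "extract" : "REFUSE", sample[i].name,
               sample[i].link_target ? " -> " : "",
               sample[i].link_target ? sample[i].link_target : "");
        if (!ok) unsafe++;
    }
    return unsafe;
}

int main(void) {
    printf("%d member(s) refused\n", count_unsafe_members());
    return 0;
}
```

Checking link targets is what distinguishes this from a plain ".." filter: "pkg/lnk2" on its own is a perfectly ordinary path, and only the target it carries makes it dangerous. A full extractor additionally has to refuse to write through any symlink that already exists on disk at a member's path, since the archive is not the only source of links.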
wordpress: cross-site scripting
Package(s): wordpress
CVE #(s): CVE-2007-4139
Created: August 29, 2007
Updated: August 29, 2007
Description: Cross-site scripting (XSS) vulnerability in the Temporary Uploads editing functionality (wp-admin/includes/upload.php) in WordPress 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the style parameter to wp-admin/upload.php.
Alerts:
xterm: local user unauthorized access
Package(s): xterm
CVE #(s): CVE-2007-2797
Created: August 27, 2007
Updated: November 15, 2007
Description: Previous versions of the xterm package assigned incorrect ownership and write permissions to pseudo-terminal devices, permitting local users to direct output to other users' xterm sessions.
Alerts:
Page editor: Jake Edge