Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: McAfee Antivirus vulnerability; Java WebStart vulnerability; pwsteal.bank trojan clarification; 18905/tcp scanning - Internet Security | DShield

SANS Site Network

Current Site

Internet Storm Center

Other SANS Sites Help

Graduate Degree Programs

Security Training

Security Certification

Security Awareness Training

Penetration Testing

Industrial Control Systems

Cyber Defense Foundations

DFIR

Software Security

Government OnSite Training

SANS ISC InfoSec Forums

Log In or Sign Up for Free!

McAfee Antivirus vulnerability; Java WebStart vulnerability; pwsteal.bank trojan clarification; 18905/tcp scanning
McAfee AntiVirus Library Stack Overflow The ISS X-Force has another notch in their belt today, releasing information about a flaw they have discovered in AntiVirus Library versions prior to 4400. To exploit this vulnerability, an attacker is required to craft a custom LHA Archive file which will allow the attacker to run arbitrary code on the McAfee protected system when the file is scanned for viruses. This makes the third antivirus package in recent memory to have a fatal flaw, and when one includes the Witty worm; a definite trend of attacks against security infrastruture software is emerging. This, of course, is a natural progression in attack and defense; AntiVirus packages are, in a sense, becoming victims of their own success. Fortunately, security practitioners already have a framework for dealing with this type of threat, and that is to practice Defense-in-Depth. Relying on only one vendor's security product or suite of security products is a guaranteed disaster at some point in time. Use multiple Antivirus packages. Get a screening router with AV gatewaying in addition to your host AV. Use other technologies to protect your security infrastructure. Build a heterogeneous environment. These arn't going to be "nice-to-have" characteristics of a secure site for much longer. Soon, they will be as mandatory as a quality A/V package and a firewall is today. Get ready early and it will hurt less later. For more information; see the or the Java WebStart Cross Platform Vulnerability Systems running Java J2SE 1.4.2_06 and earlier 1.4.2 releases have been determined to be vulnerable to a malicious JNLP file, resulting in an untrusted application being able to elevate its privileges and escape the restricted environment. This affects browsers (and other applications using "javaws") on Windows, Linux, and Solaris, and could lead to a cross-platform worm. Solutions are to upgrade the J2SE environment, or disable "application/x-java-jnlp-file" JNLP handlers within your web browsers. According to the discoverer, Jouko Pynnonen, versions of J2SE prior to 1.4.2 (eg; the 1.3 and earlier 1.4 series) are not vulnerable to this attack. A proof of concept has been released, and overall impact is similar to the recent IFRAME attack, so it is likely that we'll see this one in the wild. See also the and the SunSolve Alert Notification A minor clarification on the Pwsteal.Bankash.D trojan A trusted third-party has reported to us that Symantec's analysis of the PWSteal.Bankash.D trojan is slightly off. Their report lists a large number of sites that traffic is logged to, when in reality, only URLs matching these seven URL substring patterns is logged: ba-ca.com, onba.zkb.ch, banking.bawag.com, raiffeisendirect. , ebankas.vb.lt, and tatrabanka.sk. The remaining URLs are used in an apparent blacklist routine, and are not logged. This is interesting because it appears that the attacker has a very specific set of targets in mind this time around, and an apparent fondness for european online banks. 18905/tcp scanning One of our readers has spotted an interesting trend of scanning for recently, but we're all at a loss as to what this scanning represents. If you've got any ideas, please drop us a note!	Erik 21 Posts
Subscribe	Mar 19th 2005 1 decade ago

Sign Up for Free or Log In to start participating in the conversation!