Security firms are tracking a new worm that is attacking Linux-based Web servers running the OpenSSL software.
The worm appears to be exploiting one of the vulnerabilities in OpenSSL that were discovered in late July. A preliminary analysis by experts at Symantec Corp. has found that the worm picks targets based on the "server:" response field and is communicating with other infected machines via a peer-to-peer network.
Upon infecting a Web server, the worm compiles itself and then connects back to the server from which it was sent. The infected machines appear to communicate with each other over UDP port 2002.
There is no report yet on whether the worm does any damage to the machines it infects, but it does scan the local network for e-mail addresses, according to Oliver Friedrichs, a senior manager with Symantec's Security Response Center in Cupertino, Calif.
"It's unique in that it communicates using a peer-to-peer network. There's been some talk about a worm eventually doing that, but this is the first one we've actually seen," Friedrichs said.
On July 30, the OpenSSL Project issued a security bulletin warning of four separate vulnerabilities in all versions of the software up to release 0.96d. All four flaws are buffer overruns, and all are remotely exploitable.
Version 0.96e, which was released the same day as the security bulletin, fixes all four vulnerabilities.
Many machines running the popular Apache Web server also run OpenSSL, Friedrichs said, which means there is a large pool of potentially vulnerable machines on the Internet.
Symantec first began receiving reports of the worm on Friday morning, and although there has been a steady stream of reports since, the infection rate does not appear to be anywhere near that of the Code Red or Nimda worms of last year.
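The article reports that infected hosts talk to each other over UDP port 2002. A defender can look for that peer mesh in firewall records: one UDP/2002 flow proves little, but a host exchanging UDP/2002 traffic with several distinct hosts is worth review. This is an added example, not code from the article or from Symantec; the log format and the sample lines are constructed for illustration.

```python
"""Flag hosts whose UDP/2002 traffic forms a peer-to-peer mesh.
Log format is an assumed generic 'PROTO src:port > dst:port' record;
the sample lines below are constructed, not captured traffic."""
import re
from collections import defaultdict

P2P_PORT = 2002  # UDP port the article reports for inter-infection traffic

LINE_RE = re.compile(
    r"(?P<proto>UDP|TCP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample firewall log lines (not real traffic).
SAMPLE_LOG = """\
UDP 10.0.0.5:2002 > 10.0.0.9:2002
UDP 10.0.0.5:2002 > 10.0.0.12:2002
UDP 10.0.0.9:2002 > 10.0.0.5:2002
UDP 10.0.0.21:2002 > 10.0.0.5:2002
TCP 10.0.0.7:34211 > 10.0.0.8:443
UDP 10.0.0.30:53412 > 10.0.0.1:53
"""


def parse(line):
    """Return (proto, src, sport, dst, dport) or None for unparseable lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def p2p_peers(log_text):
    """Map each host to the set of distinct hosts it exchanges UDP/2002 with."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        proto, src, sport, dst, dport = rec
        if proto != "UDP" or P2P_PORT not in (sport, dport):
            continue  # ignore TCP and unrelated UDP such as DNS
        peers[src].add(dst)
        peers[dst].add(src)
    return peers


def suspect_hosts(log_text, min_peers=2):
    """Hosts talking UDP/2002 with at least min_peers distinct hosts."""
    return sorted(h for h, s in p2p_peers(log_text).items() if len(s) >= min_peers)


if __name__ == "__main__":
    for host in suspect_hosts(SAMPLE_LOG):
        print("review:", host)
```

Raise `min_peers` on networks where some legitimate service happens to use UDP/2002, and confirm a flagged host by checking its Apache and OpenSSL versions before treating it as infected.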
MS02-044 (Q328130): Unsafe Functions in Office Web Components
The Office Web Components (OWC) contain several ActiveX controls that give users limited functionality of Microsoft Office in a web browser without requiring that the user install the full Microsoft Office application. This allows users to utilize Microsoft Office applications in situations where installation of the full application is infeasible or undesirable.
The control contains three security vulnerabilities, each of which could be exploited either via a web site or an HTML mail.
MS02-045 (Q326830): Unchecked Buffer in Network Share Provider Can Lead to Denial of Service
SMB (Server Message Block) is the protocol Microsoft uses to share files, printers, and serial ports, and also to communicate between computers using named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources and servers make SMB responses in what is described as a client-server, request-response protocol.
By sending a specially crafted packet request, an attacker can mount a denial of service attack on the target server machine and crash the system. The attacker could use both a user account and anonymous access to accomplish this. Though not confirmed, it may be possible to execute arbitrary code.
MS02-046 (Q327521): Buffer Overrun in TSAC ActiveX Control Could Allow Code Execution
A security vulnerability results because the control contains an unchecked buffer in the code that processes one of the input parameters. By calling the control on a client system and overrunning the buffer, an attacker could gain the ability to run code in the security context of the currently logged on user. This would enable the attacker to take any desired action on the user's system. The attacker could mount an attack by either hosting a web page that exploits the vulnerability against any user who visits it, or by sending an HTML mail to another user.