
March, 2007:

NACATTACK Presentation

This is Cisco PSIRT’s response to the “NACATTACK” presentation by Dror-John Roecher and Michael Thumann, presented at Blackhat Europe on March 30th, 2007.

URL: http://www.cisco.com/en/US/products/products_security_response09186a00808110da.html

Cisco VTP Vulnerability

An issue has been reported to the Cisco PSIRT involving malformed VLAN Trunking Protocol (VTP) packets. This attack may cause the target device to reload, causing a Denial of Service (DoS).

URL: http://www.cisco.com/en/US/products/products_security_response09186a00807d1a81.html

Cisco IP Phone 7940/7960 SIP INVITE Denial of Service

This is Cisco PSIRT’s response to the statements made by Radu State in his message titled “CISCO Phone 7940 DOS vulnerability”, posted on 2007 March 20 0630 UTC (GMT). The original email is available at: http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/053070.html

Cisco has confirmed the findings of the statements made. Cisco IP Phone 7940/7960 SIP firmware version 7.4(0) is vulnerable to the denial of service. Firmware version 8.6(0) is not vulnerable to this issue. The latest firmware images for Cisco IP 7940/7960 phones can be obtained here: http://www.cisco.com/cgi-bin/tablebuild.pl/sip-ip-phone7960

We would like to thank Radu State, Humberto J. Abdelnur and Olivier Festor of the Madynes research team at INRIA for reporting these issues to Cisco Systems. We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports.

URL: http://www.cisco.com/en/US/products/products_security_response09186a00808075ad.html

Enterprise IT Survey Highlights Network Outages and High Operating Costs Caused by Under-Investment in Core Network Services Infrastructure

A new research report published by The Enterprise Strategy Group, “The Core Network Services Disconnect,” states that enterprise IT departments consider core network services critical.

URL: http://feedproxy.google.com/~r/InfobloxNewsFeed/~3/6MT8HXE8k_w/release.cfm

Viking.GT

This is a worm with file infecting capabilities. Standalone file size: 68303 bytes.

When it first executes on a machine it installs itself and creates registry entries to make sure it is run from bootup. It also installs a number of files.

File system changes:
- %WINDIR%\uninstall\rundl132.exe
- %WINDIR%\Logo_1.exe
- %WINDIR%\RichDll.dll
- %root%\_desktop.ini

Infects executable files. May leave temporary BAT files in various locations and with semi-random names.

The files rundl132.exe and Logo_1.exe are identical and contain the main worm, while the DLL file RichDll.dll is a backdoor/downloader trojan. _desktop.ini is a text file that contains the date of infection.

File infection procedure:
The virus looks for files to infect in two possible ways: first by enumerating mapped drives from C: to Z: and searching for executable files in these, and also by connecting to network shares it gets access to and searching these. If an eligible file is found, the virus makes a temporary copy of it using the original file name but with an extra “.exe” extension, and proceeds to infect this copy by prepending its own code. It then deletes the original file and renames the temporary copy (now infected) back to the original name. Sometimes, if for some reason it cannot remove the original file, the virus circumvents this problem by making a temporary looping batch file that will delete the original file and install the infected file once the file becomes deletable, e.g. when the application in question is closed.

The virus will not infect files that are over 16MB in size or files residing under the following folders:
- system
- system32
- windows
- Documents and Settings
- System Volume Information
- Recycled
- winnt
- Program Files
- Windows NT
- WindowsUpdate
- Windows Media Player
- Outlook Express
- Internet Explorer
- ComPlus Applications
- NetMeeting
- Common Files
- Messenger
- InstallShield Installation Information
- Microsoft Frontpage
- Movie Maker
- MSN Gaming Zone

Registry changes:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run load = %WINDIR%\uninstall\rundl132.exe
- HKLM\Software\Soft\DownloadWWW auto = 1

Network activity:
The worm pings the local subnet to establish whether machines are available, using the string “Hello,World!” as request data. It then attempts to log on to found machines using the WNetAddConnection API, with the following username/password combinations:
- administrator / no password
- administrator / default password
- default user / default password
- no user / no password

If it finds machines that it can connect to, it will attempt to copy itself over as a standalone file to the remote ADMIN$ share, using the file name it is currently running under (be it rundl132.exe or logo_1.exe). If it has been granted administrator rights on the remote machine it then proceeds to set the remote file up as a scheduled task on the remote machine using NetScheduleJobAdd. If it is unable to connect to the ADMIN$ share, or if it is running under Win9x/ME, it finds visible shares on the machine using Windows Networking and attempts to connect to these using the following credentials:
- default user / default password
- default user / no password

If connection is successful, it attempts to infect files remotely using the file infection procedure described above. This procedure also runs once the worm is done pinging the 255 lowest IPs on the local network: it then starts enumerating network resources looking for shares and files to infect in the same manner.

URL: http://www.norman.com/Virus/Virus_descriptions/45535
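As an added illustration (not part of the original description and not Norman's tooling), a small Python triage routine that checks a host's file inventory and registry values against the dropped files, the two registry values and the stranded ".exe.exe" temp copies described above, plus the fixed "Hello,World!" ping payload. The sample inventory is constructed, and the %WINDIR%/%root% mapping assumes C:\Windows and C: unless overridden.

```python
import re

# Host-side triage for the Viking.GT artefacts listed above (sample data is constructed).
DROPPED_FILES = {  # dropped files, on the %WINDIR%/%root% placeholders the description uses
    r"%windir%\uninstall\rundl132.exe",
    r"%windir%\logo_1.exe",
    r"%windir%\richdll.dll",
    r"%root%\_desktop.ini",
}
REGISTRY_IOCS = {  # (key, value name) -> suffix of the data the worm writes
    (r"hklm\software\microsoft\windows\currentversion\run", "load"): "rundl132.exe",
    (r"hklm\software\soft\downloadwww", "auto"): "1",
}
TEMP_COPY_RE = re.compile(r"\.exe\.exe$", re.I)  # stranded "<name>.exe.exe" infection temp copy

def normalize(path, windir=r"C:\Windows", root="C:"):
    """Lower-case a concrete path and map it onto the %windir%/%root% placeholders."""
    p = path.lower()
    if p.startswith(windir.lower() + "\\"):
        return "%windir%" + p[len(windir):]
    if p.startswith(root.lower() + "\\"):
        return "%root%" + p[len(root):]
    return p

def check_files(paths, **kw):
    """Return (dropped files present, stranded .exe.exe temp copies) for a path inventory."""
    dropped = [p for p in paths if normalize(p, **kw) in DROPPED_FILES]
    return dropped, [p for p in paths if TEMP_COPY_RE.search(p)]

def check_registry(values):
    """values: {(key, name): data}. Return the (key, name, data) triples that match an IoC."""
    hits = []
    for (key, name), data in values.items():
        expected = REGISTRY_IOCS.get((key.lower(), name.lower()))
        if expected is not None and str(data).lower().endswith(expected):
            hits.append((key, name, data))
    return hits

def is_sweep_probe(icmp_payload):  # network side: the worm's subnet ping carries a fixed string
    return b"Hello,World!" in icmp_payload

SAMPLE_FILES = [  # constructed inventory, not from a real host
    r"C:\Windows\uninstall\rundl132.exe", r"C:\Windows\Logo_1.exe", r"C:\_desktop.ini",
    r"C:\Windows\system32\notepad.exe", r"D:\tools\putty.exe.exe",
]
SAMPLE_REGISTRY = {  # constructed; the ctfmon entry is benign and must not be flagged
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "load"): r"C:\Windows\uninstall\rundl132.exe",
    (r"HKLM\Software\Soft\DownloadWWW", "auto"): "1",
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon"): r"C:\Windows\system32\ctfmon.exe",
}
```

On a live host the inventory would come from a directory walk of %WINDIR% and the drive roots and the registry values from a hive export; matching on the ".exe.exe" pattern catches hosts where the infection routine was interrupted before the rename.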