Re: Ongoing Virus problem
From: John Bade (adds_at_NO.ADS)
Date: 09/01/04
- Next message: Tim: "Re: Installing SBS 2003 with RIS"
- Previous message: Tim: "Re: XP2 Windows Update V5"
- In reply to: susan: "Re: Ongoing Virus problem"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 01 Sep 2004 12:49:49 +1000
When you are looking to patch Windows 2000 to prevent 'buffer overflows' or some new vulnerability, we don't consider that the printer, print server, multifunction fax/photocopier, SAN devices, routers and firewalls are all running operating systems with possible vulnerabilities.
When we connect to the router through the convenient web interface, that router is running an operating system, e.g. Cisco IOS 11, and an application, e.g. a web server. Either the IOS (operating system) or the application can contain vulnerabilities.
Here is such an example:
http://www.cisco.com/en/US/products/products_security_advisory09186a00802a9d51.shtml
"Cisco Secure ACS provides a Web-based management interface, termed
CSAdmin, which listens on TCP port 2002. When flooded with TCP
connections the ACS Windows and ACS Solution Engine stops responding
to any new TCP connections destined for port 2002. Additionally,
services on the ACS that process authentication related requests may
become unstable and stop responding, which hampers the ability for ACS
to process any authentication related requests. A reboot of the device
is required to restore these services"
Another example:
Norman Firewall operates on HP-UX 10.16 CMW+ or Sun Solaris 2.5.1 x86 operating systems. If a vulnerability is discovered in these operating systems then they have to be patched, or they could be used by others to control your network.
Here is an example of a communications protocol that would introduce a vulnerability to a "Windows network" if a device ran one of the following affected operating systems and had SunRPC enabled.
From http://www.security-forums.com/forum/index.php
Mon Aug 12, 2002 8:38 pm Post subject: XDR library flaw puts
multiple operating systems at risk
"A security hole in software used by numerous operating systems could
allow attackers to run malicious programs or cause denial-of-service
problems on unprotected servers
Developers at the Massachusetts Institute of Technology have
identified a number of operating systems affected by the vulnerability.
These include the Unix operating systems from companies such as Sun
Microsystems and IBM, as well as Red Hat's versions of Linux and Apple
Computer's Mac OS X Server software.
Microsoft and Hewlett-Packard have said they are investigating whether
their operating systems are at risk.
Jeff Havrilla, a member of the CERT Coordination Center at Carnegie
Mellon University, said, "The problem is large enough that pretty much
every single major operating system vendor has reported being affected
by it."
The vulnerability involves a communication protocol that was developed
by Sun and is based on its SunRPC remote procedure call technology.
The flaw exists in a program function distributed as part of an
External Data Representation (XDR) library that's used by Sun and
other vendors to provide platform-independent methods for sending data
between disparate systems.
The problem was first publicised by Internet Security Systems (ISS),
an Atlanta-based security software vendor that posted an advisory on
its Web site late last month. ISS said it had found Sun Solaris and
the open-source FreeBSD and OpenBSD versions of Unix to be vulnerable
to the hole.
CERT followed with its advisory last week and broadened the warning to
include other vendors, as well as popular applications that are
compiled using the flawed library. Those include MIT's Kerberos 5
software, the DMI Service Provider daemon for remote desktop
management and the Common Desktop Environment's Calendar Manager
service.
According to the security research organisation, the vulnerability is
caused by an integer overflow in the XDR code that can result in
improper memory allocations. Attackers could take advantage of the
flaw to cause buffer overflows that would let them execute code on
systems, CERT said.
Until patches become available from vendors, Havrilla said, users
could reduce the risk of exposure by disabling the affected services
where possible."
Looks like Windows Update is only part of the solution. Security
administration will mean keeping up-to-date on all OS vulnerabilities.
Regards
John
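As an added example (not part of this message, and not code from any vendor's XDR library), here is the kind of length check that closes the hole CERT describes above. An element count taken from an untrusted message is multiplied by the element size to get an allocation size; in 32-bit arithmetic that product can wrap to a tiny number, so the decoder allocates far less than it later writes into. The hardened function refuses any header whose product would wrap or would exceed a per-array ceiling; MAX_ARRAY_BYTES is an assumed placeholder value and the array header is a constructed one.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration, not code from this thread or from any vendor's
 * XDR library. It models the bug class the quoted CERT text describes: an
 * element count taken from an untrusted message is multiplied by the element
 * size to get an allocation size, and the product wraps, so the decoder
 * allocates far less than it later writes. */

/* Assumed policy ceiling for one decoded array (placeholder value). */
#define MAX_ARRAY_BYTES (64u * 1024u * 1024u)

/* The unsafe computation: 32-bit multiply with no overflow check. */
uint32_t naive_array_bytes(uint32_t count, uint32_t elsize)
{
    return count * elsize;          /* wraps modulo 2^32 */
}

/* Hardened computation. Returns 1 and stores the byte count on success,
 * 0 when the product would wrap or would exceed MAX_ARRAY_BYTES. */
int checked_array_bytes(uint32_t count, uint32_t elsize, uint32_t *out)
{
    if (elsize == 0) {              /* zero-sized elements: nothing to store */
        *out = 0;
        return 1;
    }
    /* Compare in division form so the wrapped product is never relied on. */
    if (count > UINT32_MAX / elsize)
        return 0;
    uint32_t bytes = count * elsize;
    if (bytes > MAX_ARRAY_BYTES)
        return 0;
    *out = bytes;
    return 1;
}

/* Convenience wrapper: the byte count, or UINT32_MAX when the header is
 * rejected (UINT32_MAX exceeds MAX_ARRAY_BYTES, so it can never be a valid
 * accepted result). */
uint32_t array_bytes_or_reject(uint32_t count, uint32_t elsize)
{
    uint32_t bytes;
    return checked_array_bytes(count, elsize, &bytes) ? bytes : UINT32_MAX;
}

/* Allocate storage for an array header. NULL means "rejected", never a
 * silently undersized buffer. */
void *alloc_for_array(uint32_t count, uint32_t elsize)
{
    uint32_t bytes;
    if (!checked_array_bytes(count, elsize, &bytes))
        return NULL;
    return calloc(1, bytes ? bytes : 1);
}

int main(void)
{
    /* Constructed hostile header: 0x40000001 elements of 4 bytes each.
     * 0x40000001 * 4 = 0x100000004, which wraps to 4 in 32 bits. */
    uint32_t count = 0x40000001u, elsize = 4u;
    printf("naive size:   %u bytes (wrapped)\n", naive_array_bytes(count, elsize));
    printf("checked size: %s\n",
           array_bytes_or_reject(count, elsize) == UINT32_MAX ? "rejected" : "accepted");
    void *p = alloc_for_array(1000u, elsize);
    printf("benign header: %s\n", p ? "allocated 4000 bytes" : "rejected");
    free(p);
    return 0;
}
```

The same shape of check applies to any decoder that derives a buffer size from two untrusted numbers: test the bound in division form before multiplying, then apply a policy ceiling, and make rejection an explicit error rather than a smaller buffer.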
On Tue, 31 Aug 2004 10:04:58 -0500, "susan" <smcrey@mindspring.com>
wrote:
I'm not sure I understand what you're saying? It never occurred to me a "printer" could be a source of virus-laden emails...??
I'm using SBS Standard > No ISA.
Could you elaborate?
"John Bade" <no adds@NO.ADS> wrote in message
news:7p78j0th4rsff08kvqhgl5e0vjhcd7e60m@4ax.com...
> It may be that a Printer like the latest CANON running Windows NT4
> could be a source of infection.
> All those network devices run an operating system and they are all
> potential hosts for malware.
>
> At least if you have ISA those devices cannot send info out of the
> SBS company 'cos they should not be able to perform authentication to
> the ISA firewall.
>
>
> On Mon, 30 Aug 2004 19:32:15 -0500, "susan" <smcrey@mindspring.com>
> wrote:
>
> Forgot to mention: I bought and installed a new firewall that I HOPED would help me with this problem....
> It's a Netscreen NS-5GT-101-AV.
>
> I'm still trying to decipher how to configure it properly to reject these emails. Thought I had it, but then viruses came on in today feeling right at home, so I have more studying to do.
>
>
> "susan" <smcrey@mindspring.com> wrote in message
> news:O58Jo0ujEHA.2360@TK2MSFTNGP10.phx.gbl...
> > Yep, SP1 installed and the eTrust Mail Option is running...
> >
> > "Kevin Weilbacher [SBS-MVP]" <kweilbacMVP@gte.net> wrote in message
> > news:Ok$UkQujEHA.2236@TK2MSFTNGP12.phx.gbl...
> > > what do you mean when you say -- "except exchange of course"?
> > >
> > > If you are not running an Exchange based mail scanner, then you're not catching anything until it gets into the user's mailbox and they pick it up with Outlook. Not quite the optimal situation, in my view.
> > > --
> > > Kevin Weilbacher [SBS-MVP]
> > > "The days pass by so quickly now, the nights are seldom long"
> > >
> > >
> > > "susan" <smcrey@mindspring.com> wrote in message
> > > news:egpsmCujEHA.3348@TK2MSFTNGP12.phx.gbl...
> > > > I'm having a problem in that we receive 5-15 virus infected emails every day. Yes, I do have antivirus and sometimes it strips the attachment and sometimes it doesn't (eTrust antivirus by CA). Sometimes the virus identified is Netsky.P and sometimes Netsky.C and I've had a few id'd as Netsky.Z -- some say "trojan", some say "worm"!
> > > >
> > > > I have virus scanned (and online scanned using Symantec's online scanner) every workstation, laptop and the server (except exchange of course) and can find NOTHING! I've researched the viruses and know what to look for in the registry etc. and find nothing indicating infection at any station.
> > > >
> > > > These infected emails sometimes have a "sender" address that is familiar, but most often not.
> > > >
> > > > I check the headers and what's puzzling is that they read: sent from "mydomain.org" received by "mail.mydomain.org".... does this automatically mean that they are happening WITHIN the network??? The IP address of the supposed "sender" is not a valid internal address, but I realize all this stuff could be spoofed...
> > > >
> > > > I'm puzzled and don't know what else to do. I just have to find out what I can do about this as babysitting the mail is tiring.
> > > >
> > > > Any ideas, suggestions, advice??
> > > >
> > > >
> > >
> > >
> >
> >
>
>
> _ ;--:- __---------______________------ ____
> c--U---^--''__[__ooo__]---| |_!_||_!_||_!_||_!_||_! [_][++|--|]
> _--_ _|------------'_|,[______],|_________________|_|,|____|
> / \__ /__(@)(@)==(@)(@) (o)^(o) (o)(o)--(o)(o) (o)
> "/@@@ \~"""~"""~"""~"""~"""~"""~"""~"""~"""~"""~"""~"""~"""~"""
_ ;--:- __---------______________------ ____
c--U---^--''__[__ooo__]---| |_!_||_!_||_!_||_!_||_! [_][++|--|]
_--_ _|------------'_|,[______],|_________________|_|,|____|
/ \__ /__(@)(@)==(@)(@) (o)^(o) (o)(o)--(o)(o) (o)
"/@@@ \~"""~"""~"""~"""~"""~"""~"""~"""~"""~"""~"""~"""~"""~"""