Feb 8
Bulletin 00001 – 24/01/2005
Category: Security
1.- Search Engines Increase Web Site Security
2.- The Scoop on Microsoft’s Malicious Software Removal Tool
3.- Low-Profiled Threat Notice: W32/Zar@MM UPDATE
4.- Microsoft security report
5.- Trend Micro Weekly Virus Report – January 21, 2005
==== 1.- Search Engines Increase Web Site Security ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
Back in July 2004, I mentioned a whitepaper, “Demystifying Google Hacks,” by Debasis Mohanty. The paper outlines several ways in which someone can use a particular search syntax in Google to query for sites that might have known vulnerabilities. The paper is at the first URL below. The Security UPDATE in which I wrote about it is at the second URL below.
http://www.infosecwriters.com/texts.php?op=display&id=191
http://www.windowsitpro.com/Article/ArticleID/43376/43376.html
For example, Google supports query syntax that uses the commands intitle:, inurl:, allinurl:, filetype:, intext:, and more. Google isn’t the only search engine that supports this sort of query syntax. MSN Search, AlltheWeb, Yahoo! Search, and others support a similar syntax to varying degrees.
As you know, the Santy worm, which takes advantage of search engine queries to find vulnerable sites, was released around the Christmas holidays. Recently, someone posted a message to a popular techno-gadget-related blog site stating that he’d found a search query that can locate vulnerable Webcams.
If worm writers and other people are using search engines to find vulnerabilities, you might want to try the same techniques to check your own Web sites for vulnerabilities. Instead of typing or pasting query after query into search engines, you can use scripts to store queries and automate the actual querying and result-gathering process.
Another solution is to use a tool specifically designed for the task.
Foundstone (now a division of McAfee) recently released a new version of its SiteDigger tool (2.0) that automates the process of using Google to scan for vulnerabilities in a given site.
http://www.foundstone.com/resources/proddesc/sitedigger.htm
SiteDigger 2.0 has several added capabilities. Foundstone boasts that it now provides “10 times more results.” The tool also has an improved user interface, an expanded Help file, an improved results page, and improvements for signature updates. The company also said that SiteDigger 2.0 produces fewer false positives, which means it’s less prone to alert you to problems that don’t really exist. The new tool can also perform raw searches, and as you might expect, it can detect some of the latest vulnerabilities, such as overly exposed Webcams.
SiteDigger requires the Microsoft .NET Framework and also relies on the Google API, so you’ll need to obtain the API license key, which is a simple process. More information about how to get the license key can be found at Foundstone’s SiteDigger Web page.
I wonder why Foundstone limits SiteDigger to Google queries. I think the tool would be even more useful if the company added support for other major search engines. Nevertheless, it’s a useful tool as it stands. Get yourself a copy and check it out.
==== 2.- The Scoop on Microsoft’s Malicious Software Removal Tool ====
Microsoft’s Malicious Software Removal Tool (MSRT) is now available and will be updated on the second Tuesday of each month, according to Microsoft. The tool is essentially a consolidation of the company’s other malware cleaning tools. The new all-in-one tool is currently designed to remove the Blaster, MyDoom, Sasser, Zindos, Nachi, Gaobot, Doomjuice, and Berbew forms of malware.
http://www.windowsitpro.com/Article/ArticleID/45064
==== 3.- Low-Profiled Threat Notice: W32/Zar@MM UPDATE ====
From: AVERT_Notice@avertlabs.com, Jan 18
Notice
This is a Low-Profiled Threat Notice Update for W32/Zar@MM.
Justification
W32/Zar@MM has been updated from Low to Low-Profiled due to Media Attention
http://www.itweb.co.za/sections/internet/2005/0501181134.asp?O=FPQQ
W32/Zar@MM is referred to as WORM_ZAR.A within the article.
Read About It
Information about W32/Zar@MM is located on VIL at:
http://vil.mcafeesecurity.com/vil/content/v_130860.htm
Detection
W32/Zar@MM was first discovered on 01/17/2005 but has been proactively detected as W32/Generic.a@MM since 01/16/2004 (approximately one year)
To stay updated and protected download the latest dat files from
http://www.mcafeesecurity.com/us/downloads/default.asp
If you suspect you have W32/Zar@MM, please submit a sample to
http://www.webimmune.net
Risk Assessment Definition
For further information on the Risk Assessment and AVERT Recommended Actions please see:
http://www.mcafeesecurity.com/us/security/resources/risk_assessment.htm
Best Regards,
McAfee AVERT – Anti Virus and Vulnerability Research, Analysis, and Solutions
Visit us at www.avertlabs.com
==== 4.- Microsoft security report ====
Security Update
Microsoft Security Bulletin Summary for January 2005. This advisory includes updates for recently discovered vulnerabilities. This vulnerability is rated Important in severity.
http://www.microsoft.com/latam/technet/seguridad/boletines/ms05-jan.mspx
==== 5.- Trend Micro Weekly Virus Report – January 21, 2005 ====
* Tsunami Worm – WORM_ZAR.A (Low Risk)
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAR.A
WORM_ZAR.A is a mass-mailing worm that uses its own Messaging Application Programming Interface (MAPI) engine to propagate. It gathers email addresses from Microsoft Outlook, and sends itself as an attachment. It runs on all Windows platforms (95, 98, ME, NT, 2000, and XP), and is currently spreading in-the-wild.
This mass-mailing worm drops the following files in the Windows folder:
crssr.exe
raz32.exe
tsunami.exe
It then creates a registry entry to ensure that it automatically executes at every Windows startup.
The worm propagates via email using MAPI. It gathers recipient addresses from Microsoft Outlook, and sends a copy of itself as an attachment. The email it sends contains the following details:
Subject:
Tsunami Donation! Please help!
Body:
Please help us with your donation and view the attachment below! We need you!
Attachment:
tsunami.exe
This worm also attempts to perform a distributed denial of service attack (DDoS).
If you would like to scan your computer for WORM_ZAR.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro’s free, online virus scanner at:
http://housecall.trendmicro.com/
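The Trend Micro report above gives concrete indicators for WORM_ZAR.A: the lure subject, the attachment name, and the three files dropped into the Windows folder. The following Python script is an added example, not code from the bulletin or from Trend Micro, showing how a mail gateway or host check could use those indicators. It walks the MIME parts of a message with the standard library `email` package, flags the exact WORM_ZAR.A lure, and more generally quarantines any message carrying an attachment with an executable extension (the extension list is an assumed gateway policy, not something the report states). The sample message it builds is constructed test input, not a real capture of the worm.

```python
"""Added example: flag inbound mail and Windows-folder listings that match the
WORM_ZAR.A indicators published in the Trend Micro report. Not the report's
or any vendor's own code; indicator strings are copied from the report."""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the report. Everything else in this file is illustrative.
ZAR_SUBJECT = "Tsunami Donation! Please help!"
ZAR_ATTACHMENT = "tsunami.exe"
ZAR_DROPPED_FILES = {"crssr.exe", "raz32.exe", "tsunami.exe"}

# Assumed gateway policy: attachments with these extensions are never delivered.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def attachment_names(msg):
    """Collect the filenames of every non-container MIME part."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container part, no payload of its own
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify_message(raw_bytes):
    """Return (verdict, reasons) for a raw RFC 822 message.

    verdict is "block" for the exact WORM_ZAR.A lure, "quarantine" when only
    some indicators or an executable attachment are present, else "deliver".
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    names = attachment_names(msg)
    lowered = [n.lower() for n in names]
    reasons = []
    if subject == ZAR_SUBJECT:
        reasons.append("subject matches the WORM_ZAR.A lure")
    for name, low in zip(names, lowered):
        if low == ZAR_ATTACHMENT:
            reasons.append(f"attachment {name} is the WORM_ZAR.A payload name")
        elif any(low.endswith(ext) for ext in EXECUTABLE_EXTS):
            reasons.append(f"attachment {name} has an executable extension")
    if subject == ZAR_SUBJECT and ZAR_ATTACHMENT in lowered:
        verdict = "block"
    elif reasons:
        verdict = "quarantine"
    else:
        verdict = "deliver"
    return verdict, reasons


def build_sample(subject, attachment_name=None):
    """Construct a sample message for testing (constructed input, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = subject
    # Body text is the lure quoted in the report.
    msg.set_content("Please help us with your donation and view the attachment below! We need you!")
    if attachment_name:
        # Placeholder bytes standing in for the attachment; not a real binary.
        msg.add_attachment(b"MZ placeholder, not a real executable",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


def suspicious_dropped_files(windows_dir_listing):
    """Host-side check: which of the worm's dropped file names appear in a
    Windows-folder listing (case-insensitive, returned lowercased and sorted)."""
    return sorted({n.lower() for n in windows_dir_listing
                   if n.lower() in ZAR_DROPPED_FILES})


if __name__ == "__main__":
    for subj, att in [(ZAR_SUBJECT, ZAR_ATTACHMENT),
                      ("Quarterly report", "report.exe"),
                      ("Lunch?", None)]:
        print(subj, att, "->", classify_message(build_sample(subj, att)))
    print(suspicious_dropped_files(["notepad.exe", "RAZ32.EXE", "tsunami.exe"]))
```

Matching only the exact subject and filename would miss trivially re-spun variants, which is why the executable-extension rule is there as the broader control; the exact indicators mainly serve to label the alert so responders know which write-up to read.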
