Threat Level: green Handler on Duty: Kevin Liston

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-11-22 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

More Sober Variants

Published: 2005-11-22
Last Updated: 2005-11-22 23:33:21 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

We continue to receive reports about new Sober variants. Thanks to Chris M. for supplying a very comprehensive list of links (see below). the CME system assigned these variants the ID CME-681.

IMPORTANT: Antivirus software does not provide any reliable protection against current threats. Viruses like Sober tend to change every few hours well in advance of AV signature updates. The fact that an attachment did not get marked is no indication that it is harmless. We do receive reports of up to date versions of AV software missing some of the recent Sober variants.

Sober is now considered the "largest virus outbreak of the year" according to F-Secure (thanks Matthias J. for pointing this out). It looks like the fake FBI e-mails are working for them.

Note from reader Marc R: Please do not have your AV software reply to viruses. All commonly seen viruses use fake 'From:' headers. Rumor has it that fbi.gov is having a hrad time keeping up with all the bounces in the first place.

One not of interested: We had another Sober outbreak last year in June, around the same time we had the "Download.ject". Download.Ject (aka Berbew) used a Internet Explorer 0-day exploit to download and install a trojan. A number of well known, trusted, web sites had been compromissed and spread the trojan.

None of these does anything new or fancy. They all try to trick users into executing the attached ZIP file. The best defense at this point is probably to strip ZIP file attachments.

The subjects and the body text vary widely. Many of them suggest that the attachment was sent by some government authority (FBI, CIA) and requests that you open it in order to verify some charges brought against you. A version in German refers to the 'BKA' (German equivalent of FBI). Other versions claim to be sent by banks and ask you to open  an attachment to verify account details.

List of Links:

Symantec (Level 3 risk) W32.Sober.X@mm

http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.x@mm.html

McAfee (currently Low risk) W32/Sober@MM!M681
http://vil.nai.com/vil/content/v_137072.htm

Trend Micro (Medium risk) WORM_SOBER.AG
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EAG

F-Secure (Radar Level 2) Sober.Y
http://www.f-secure.com/v-descs/sober_y.shtml

Sophos (low risk) W32/Sober-{X, Z}
http://www.sophos.com/virusinfo/analyses/w32soberx.html
http://www.sophos.com/virusinfo/analyses/w32soberz.html

Computer Associates (Medium risk) Win32.Sober.W
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=49473

Panda Antivirus (Medium risk) Sober.Y
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=92673&sind=0




Keywords:
0 comment(s)

Infocon back to green

Published: 2005-11-22
Last Updated: 2005-11-22 19:44:11 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
After elevating the Infocon to 'Yellow' 24 hours ago, we now switched back to green as there is no new development regarding the Internet Explorer issue.

There is still no fix, and even on our site, which is mostly frequented by users interested in security, 50% of all visitors are likely  vulnerable based on them using Internet Explorer with Javascript enabled.

We do not see any use of the exploit "in the wild", but the proof of concept version could trivially be modfied, so the risk persists.

If you use Microsoft Internet Explorer, make sure that you have Javascript turned off. While Windows 2003 is not vulnerable in its default configuration, it may be vulnerable in a more relaxed configuration.

Personal preference: Use Firefox and the "noscript" extension. It will allow you to turn javascript on as needed.

In MSIE, you have the option to have MSIE prompt you whenever a site contains Javascript. This is not only a bit annoying, but the warning that pops up may not get the message across to your users:



Keywords:
0 comment(s)

2005 SANS Top 20

Published: 2005-11-22
Last Updated: 2005-11-22 16:51:57 UTC
by Marcus Sachs (Version: 1)
0 comment(s)
Keywords:
0 comment(s)

New I.E Exploit Security Advisory Released

Published: 2005-11-22
Last Updated: 2005-11-22 06:43:15 UTC
by Kevin Hong (Version: 2)
0 comment(s)
We raised our Infocon to Yellow due to the new exploit for Internet Explorer.
Microsoft finally research a security advisory regarding this issue. 

Based on the advisory, Windows server 2003 and 2003 SP1 are not affected by this vulnerability. All other versions are vulnerable.
We recommend follow Microsofts security advisory for a temporary workaround.

You can read MS security advisory here

Keywords:
0 comment(s)
Diary Archives