July 31, 2008 - Current Activity

    This is an archived copy of current activity.

    • July 31 - Airline E-ticket Email Attack
    • July 31 - AVG Releases Update
    • July 29 - New Storm Worm Activity Spreading
    • July 29 - Oracle Releases Security Advisory for WebLogic Plug-in Vulnerability
    • July 28 - RealPlayer Releases Update
    • July 25 - U.S. Customs and Border Protection Email Attack
    • July 24 - DNS Cache Poisoning Public Exploit Code Available
    • July 23 - NAT/PAT Affects DNS Cache Poisoning Mitigation
    • July 22 - DNS Implementations Vulnerable to Cache Poisoning
    • July 18 - BlackBerry Security Advisory



    Airline E-ticket Email Attack

    added July 31, 2008 at 09:15 am

    US-CERT is aware of public reports indicating that a new email attack is circulating. This attack uses email messages that appear to be from legitimate airlines and contain information about a bogus e-ticket. These email messages instruct the user to open the attachment to obtain the e-ticket. If a user opens this attachment, a file may be executed to infect the user's system with malicious code.

    Reports, including a posting by Sophos, indicate that these messages have the following characteristics. Please note that these attributes may change at any time.

    • The subject line "E-Ticket#XXXXXXXXXX"
    • An attachment named "eTicket#XXXX.zip"

    US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:


    AVG Releases Update

    added July 31, 2008 at 08:06 am

    AVG has released version 8.0.156 to address multiple issues. Some of these issues could allow an attacker to cause a crash, resulting in a denial-of-service condition. This version also reduces the amount of incidental traffic generated by the program when searching on particular websites.

    US-CERT encourages users to review the AVG Program update and apply any necessary updates to help mitigate the risks.


    New Storm Worm Activity Spreading

    added July 29, 2008 at 09:41 am

    US-CERT is aware of public reports of a new Storm Worm campaign. The latest campaign is centered around messages related to the Federal Bureau of Investigation and Facebook. This Trojan horse is spread via an unsolicited email message that contains a link to a malicious website. This website contains a link that, when clicked, may run the executable file "fbi_facebook.exe" to infect the user's system with malicious code.

    Reports, including a posting by Sophos, indicate the following email subject lines are being used. Please note that subject lines can change at any time.

    • F.B.I. may strike Facebook
    • F.B.I. watching us
    • The FBI's plan to "profile" Facebook
    • The FBI has a new way of tracking Facebook
    • F.B.I. are spying on your Facebook profiles
    • F.B.I. busts alleged Facebook
    • Get Facebook's F.B.I. Files
    • Facebook's F.B.I. ties
    • F.B.I. watching you

    US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:


    Oracle Releases Security Advisory for WebLogic Plug-in Vulnerability

    added July 29, 2008 at 07:52 am

    Oracle has released a Security Advisory to address a vulnerability in the WebLogic plug-in for Apache. Exploitation of this vulnerability may allow a remote, unauthenticated attacker to compromise the confidentiality or integrity of WebLogic Server applications or cause a denial-of-service condition. The advisory indicates that exploit code for this vulnerability is publicly available.

    US-CERT encourages users to review the Oracle Security Advisory and implement the workarounds listed in the document to help mitigate the risks. At this time, a patch or update is not available.

    US-CERT will provide additional information as it becomes available.


    RealPlayer Releases Update

    added July 28, 2008 at 07:52 am

    RealNetworks has released an update to address multiple vulnerabilities in RealPlayer. These vulnerabilities may allow an attacker to execute arbitrary code or obtain sensitive information. RealNetworks identifies the vulnerabilities as the following:

    • RealPlayer ActiveX controls property heap memory corruption.
    • Local resource reference vulnerability in RealPlayer.
    • RealPlayer SWF file heap-based buffer overflow.
    • RealPlayer ActiveX import method buffer overflow.

    US-CERT encourages users to review the RealNetworks advisory and apply the appropriate updates to help mitigate the risk.


    U.S. Customs and Border Protection Email Attack

    added July 25, 2008 at 03:09 pm

    US-CERT is aware of public reports of an attack circulating via bogus email messages that claim to be from "US Customs Service." The messages may contain the subject line "Parcel requires declaration" and indicate that a parcel has been received addressed to the recipient of the email. These messages may also encourage users to open an attachment to the message that may contain malicious code.

    US-CERT encourages users to do the following to help mitigate the risks:

    • Review the alert posted by the U.S. Customs and Border Protection regarding this issue.
    • Do not open attachments contained in unsolicited email messages.
    • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
    • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.
    • Install anti-virus software and keep virus signature files up to date.

    US-CERT will provide additional information as it becomes available.
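The three email-borne campaigns on this page (the airline e-ticket lure, the Storm Worm FBI/Facebook lure, and the "US Customs Service" parcel lure) are each described by a few observable indicators: a subject line, an attachment name, a claimed sender, or a linked executable. The following is an added example, not code from US-CERT or from the reports it cites, of turning those indicators into a mail-triage check. The message representation, the reading of the "X" characters in the airline indicators as digits, the sample messages and every address and domain in them are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Subject lines quoted in the Storm Worm entry, lower-cased for comparison.
STORM_SUBJECTS = {
    "f.b.i. may strike facebook",
    "f.b.i. watching us",
    'the fbi\'s plan to "profile" facebook',
    "the fbi has a new way of tracking facebook",
    "f.b.i. are spying on your facebook profiles",
    "f.b.i. busts alleged facebook",
    "get facebook's f.b.i. files",
    "facebook's f.b.i. ties",
    "f.b.i. watching you",
}
# Airline indicators: the page writes the variable part as "X"; treating it as digits is an assumption.
ETICKET_SUBJECT = re.compile(r"^e-ticket#\d+$")
ETICKET_ATTACHMENT = re.compile(r"^eticket#\d+\.zip$")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def _norm(text):
    """Collapse whitespace and lower-case so spacing or case tricks do not evade the check."""
    return " ".join(text.split()).lower()


def match_campaigns(msg):
    """Return the names of the campaigns whose indicators match one message.

    msg is a dict with optional keys: subject, from, attachments (list of
    filenames), body. Any single indicator is enough to flag for triage;
    the page warns that subjects and attachment names may change, so treat
    a miss as "not matched by these indicators", not as "clean".
    """
    subject = _norm(msg.get("subject", ""))
    sender = _norm(msg.get("from", ""))
    attachments = [_norm(a) for a in msg.get("attachments", [])]
    body = msg.get("body", "")
    hits = []

    if ETICKET_SUBJECT.match(subject) or any(ETICKET_ATTACHMENT.match(a) for a in attachments):
        hits.append("airline-eticket")

    # Storm lures link to a site that serves fbi_facebook.exe, so check link targets too.
    linked_files = [urlparse(u).path.rsplit("/", 1)[-1].lower() for u in URL_RE.findall(body)]
    if subject in STORM_SUBJECTS or "fbi_facebook.exe" in linked_files:
        hits.append("storm-fbi-facebook")

    if subject == "parcel requires declaration" or ("us customs service" in sender and attachments):
        hits.append("customs-parcel")
    return hits


# Constructed sample messages (not real captures) exercising each rule plus a benign one.
SAMPLE_MESSAGES = [
    {"subject": "E-Ticket#4839201173", "from": "tickets@airline.invalid",
     "attachments": ["eTicket#4839.zip"], "body": "Your e-ticket is attached."},
    {"subject": "F.B.I.  watching us", "from": "news@social.invalid",
     "attachments": [], "body": "Read more: http://example.invalid/news/fbi_facebook.exe"},
    {"subject": "Parcel requires declaration", "from": "US Customs Service <noreply@cbp.invalid>",
     "attachments": ["declaration.zip"], "body": "A parcel addressed to you is being held."},
    {"subject": "Your itinerary", "from": "travel@example.invalid",
     "attachments": ["itinerary.pdf"], "body": "See attached."},
]


def triage(messages):
    """Map each message index to the campaigns it matched; an empty list means no indicator hit."""
    return {i: match_campaigns(m) for i, m in enumerate(messages)}


if __name__ == "__main__":
    for i, hits in triage(SAMPLE_MESSAGES).items():
        print(i, SAMPLE_MESSAGES[i]["subject"], "->", hits or "no indicator matched")
```

The rules deliberately match on more than the subject line: the airline lure is also caught by its attachment name alone, and the Storm lure by the executable name in a linked URL, so a changed subject does not silence the check entirely.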


    DNS Cache Poisoning Public Exploit Code Available

    added July 24, 2008 at 10:00 am

    US-CERT is aware of publicly available exploit code for a cache poisoning vulnerability in common DNS implementations. Exploitation of this vulnerability may allow an attacker to cause a nameserver's clients to contact the incorrect, and possibly malicious, hosts for particular services. As a result, web traffic, email and other important network data could be redirected to systems under the attacker's control.

    US-CERT strongly urges administrators to patch affected systems immediately. Please review the following US-CERT documents for further details:

    US-CERT will provide additional information as it becomes available.


    NAT/PAT Affects DNS Cache Poisoning Mitigation

    added July 23, 2008 at 02:13 pm

    US-CERT released a Current Activity entry and a Vulnerability Note on July 8, 2008 regarding deficiencies in DNS implementations. These deficiencies could leave an affected system vulnerable to cache poisoning. Technical details regarding this vulnerability have been posted to public websites. Attackers could use these details to construct exploit code. Users are encouraged to patch systems or apply workarounds immediately.

    A number of patches implement source port randomization in the name server as a way to reduce the practicality of cache poisoning attacks. Administrators should be aware that in infrastructures where nameservers sit behind Network Address Translation (NAT) and Port Address Translation (PAT) devices, the randomized source port chosen by the nameserver may be rewritten by the NAT/PAT device, which may allocate sequential port numbers instead. This may weaken the protection offered by source port randomization in the nameserver.

    US-CERT encourages users to consider one of the following workarounds:

    • Place the nameserver outside of the NAT/PAT device in the network infrastructure.
    • Configure the NAT/PAT device to perform source port randomization.
    • Configure the NAT/PAT device to preserve the source port assigned by the nameserver.

    Additional information can be found in US-CERT Vulnerability Note VU#800113.

    More information will be provided as it becomes available.
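Whether the NAT/PAT device is undoing the nameserver's port randomization can only be judged from traffic observed on the public side of that device. The following is an added example, not code from US-CERT or from any DNS vendor, that reads constructed capture-summary lines of the form "<time> <resolver>:<source port> -> <upstream>:53" and scores the outbound source ports. The line format, the three sample captures, the addresses in them (documentation ranges) and the thresholds are assumptions made for the example; the "fixed" sample models an unpatched resolver and the "sequential" sample models the NAT/PAT behaviour the entry above describes.

```python
import math
import re
from collections import Counter

LINE_RE = re.compile(r"^\S+\s+\S+:(\d+)\s+->\s+\S+:53$")


def _capture_lines(ports):
    """Build constructed capture-summary lines ("<time> <src>:<port> -> <dst>:53")."""
    return [f"12:00:{i:02d}.000 203.0.113.7:{p} -> 198.51.100.10:53" for i, p in enumerate(ports)]


# Constructed samples, as they would be seen on the public side of the NAT/PAT device.
SAMPLE_RANDOMIZED = _capture_lines([51234, 18922, 60417, 23111, 49876, 7023, 33980, 58210, 12450, 44101])
SAMPLE_SEQUENTIAL = _capture_lines(range(1025, 1035))   # NAT/PAT handing out consecutive ports
SAMPLE_FIXED = _capture_lines([53] * 10)                # unpatched resolver reusing one port


def parse_source_ports(lines):
    """Extract the outbound source port from each line; lines that do not parse are skipped."""
    ports = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ports.append(int(m.group(1)))
    return ports


def analyze_ports(ports, sequential_threshold=0.5):
    """Score a sequence of source ports in the order they were observed.

    Entropy alone is not enough: a NAT/PAT device handing out consecutive
    ports yields the same entropy as a random choice over the same number of
    queries, so the step between successive ports is checked as well.
    """
    if len(ports) < 2:
        raise ValueError("need at least two queries to judge randomization")
    n = len(ports)
    counts = Counter(ports)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    steps = [b - a for a, b in zip(ports, ports[1:])]
    # A small positive step between consecutive queries is the signature of sequential allocation.
    sequential_fraction = sum(1 for s in steps if 0 < s <= 2) / len(steps)
    if len(counts) == 1:
        verdict = "fixed"
    elif sequential_fraction >= sequential_threshold:
        verdict = "sequential"
    else:
        verdict = "randomized"
    return {
        "queries": n,
        "distinct_ports": len(counts),
        "entropy_bits": round(entropy, 2),
        "sequential_fraction": round(sequential_fraction, 2),
        "verdict": verdict,
    }


def check_capture(lines):
    """Parse and score one capture; the verdict says how the ports look from outside."""
    return analyze_ports(parse_source_ports(lines))


if __name__ == "__main__":
    for name, lines in [("randomized", SAMPLE_RANDOMIZED), ("sequential", SAMPLE_SEQUENTIAL), ("fixed", SAMPLE_FIXED)]:
        print(name, check_capture(lines))
```

A "sequential" verdict on traffic captured outside the NAT/PAT device, while the same queries captured inside it look randomized, is the condition the entry warns about, and the three workarounds listed above are the responses: move the nameserver outside the device, have the device randomize, or have it preserve the nameserver's port. Ten queries is enough to illustrate the scoring; a real check should sample many more before drawing a conclusion.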


    DNS Implementations Vulnerable to Cache Poisoning

    added July 8, 2008 at 03:37 pm | updated July 22, 2008 at 07:50 am

    US-CERT is aware of deficiencies in the DNS protocol. Implementations of this protocol may leave the affected system vulnerable to DNS cache poisoning attacks. If an attacker can successfully conduct a cache poisoning attack, they may be able to cause a nameserver's clients to contact the incorrect, and possibly malicious, hosts for particular services. This may allow an attacker to obtain sensitive information or mislead users into believing they are visiting a legitimate website.

    UPDATE: Technical details regarding this vulnerability have been posted to public websites. Attackers could use these details to construct exploit code. Users are encouraged to patch vulnerable systems immediately.

    US-CERT encourages users to review "VU#800113 - Multiple DNS implementations vulnerable to cache poisoning" and apply any necessary solutions listed in that document to help mitigate the risks.

    US-CERT will provide additional information as it becomes available.


    BlackBerry Security Advisory

    added July 16, 2008 at 10:46 am | updated July 18, 2008 at 10:06 am

    Research In Motion has released a Security Advisory to address a vulnerability in the BlackBerry Enterprise Server. This vulnerability is due to the improper processing of PDF files within the distiller component of the BlackBerry Attachment Service. By convincing a user to open a maliciously crafted PDF attachment on a BlackBerry smartphone, an attacker may be able to execute arbitrary code on the system running the BlackBerry Attachment Service.

    US-CERT encourages users to review BlackBerry Security Advisory KB15766 and apply the resolution or implement the workarounds listed in the document to help mitigate the risk.

    US-CERT will provide additional information as it becomes available.