In Brief

CA Antivirus Vulnerabilities; AOL Patches New Netscape; Beware Phishing E-mails Bearing Keylogging Software; New Trojan Encrypts PCs

CA Antivirus Vulnerabilities

Multiple Computer Associates (CA) antivirus products are vulnerable to a buffer overflow, due to a flaw in a virus-scanning engine. Security information provider Secunia rates the threat as “highly critical.”

“The vulnerability is caused due to an integer overflow in the Vet Antivirus Engine (VetE.dll) when analyzing OLE streams,” says Secunia. “This can be exploited to cause a heap-based buffer overflow via a specially crafted Microsoft Office document.” Using the vulnerability, an attacker could access and compromise a user’s system remotely.

According to security researcher Alex Wheeler, who discovered the problem, the specific flaw is that “within decompressed VBA directories, project name records have a 32-bit length value, which is incremented for a null byte. It is then used as an allocation length.” In other words, if an attacker supplies a false length value for the name record, the resulting integer overflow leads to a heap buffer overflow.
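The length-plus-one pattern Wheeler describes, shown here as an added illustration (not CA's code, and not the real VBA record layout): a naive parser computes `len + 1` in 32-bit arithmetic, which wraps to zero for a maximal length, while the hardened parser checks for the wrap and for the length exceeding the bytes actually present before allocating. The 4-byte little-endian length followed by name bytes is an assumed, simplified record format.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The flawed arithmetic as described in the advisory: a 32-bit length is
 * incremented for a terminating null byte. For UINT32_MAX the result wraps
 * to 0, so a zero-length buffer would be allocated for a huge copy. */
uint32_t naive_alloc_len(uint32_t name_len) {
    return name_len + 1;   /* wraps to 0 when name_len == UINT32_MAX */
}

/* Hardened version: refuse any length for which +1 would wrap, and refuse a
 * length that claims more bytes than the record actually contains. */
int checked_alloc_len(uint32_t name_len, size_t avail, size_t *out) {
    if (name_len == UINT32_MAX) return -1;      /* +1 would overflow */
    if ((size_t)name_len > avail) return -1;    /* truncated / lying record */
    *out = (size_t)name_len + 1;                /* room for the null byte */
    return 0;
}

/* Parse a simplified, hypothetical name record: 4-byte LE length, then the
 * name bytes. Returns a malloc'd NUL-terminated copy, or NULL if malformed. */
char *parse_name_record(const uint8_t *buf, size_t len) {
    if (len < 4) return NULL;
    uint32_t name_len = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                        ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    size_t alloc;
    if (checked_alloc_len(name_len, len - 4, &alloc) != 0) return NULL;
    char *name = malloc(alloc);
    if (name == NULL) return NULL;
    memcpy(name, buf + 4, name_len);   /* bounded: name_len <= len - 4 */
    name[name_len] = '\0';
    return name;
}
```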

Vulnerable software includes CA InoculateIT 6.0; eTrust Antivirus r6.0, r7.0, and r7.1; eTrust Antivirus for the Gateway r7.0 and r7.1; eTrust Secure Content Manager; and eTrust Intrusion Detection. Also vulnerable are BrightStor ARCserve Backup r11.1 for Windows; eTrust EZ Antivirus r6.2 - r7.0.5; eTrust EZ Armor r1.0 - r2.4.4, and versions r2.0 - r3.0.0.14 of the LE edition; and Vet Antivirus, for versions up to and including r10.66.

To fix the problem, CA advises upgrading the Vet engine to version 11.9.1 or newer.

AOL Patches New Netscape

After releasing a new version of its Netscape browser, 8.0, based on Mozilla’s Firefox, America Online moved quickly to patch two known vulnerabilities rated “highly critical” by Secunia.

The vulnerabilities include the ability to bypass URL security checks by using JavaScript, the ability to execute code via JavaScript, and the potential to elevate the privileges—beyond those of the context that created them—of JavaScript and script objects.

A newer version of Netscape, 8.0.1, fixes the problems. Netscape says the new version also “includes all Firefox security patches up to 1.0.4.”

Notably, Netscape 8 includes security enhancements over Firefox, including an anti-spyware site feature. According to the Netscape download site, “Netscape 8.0 warns you if you come across possible spyware sites, and automatically configures its settings to help protect you.” To do that, the browser regularly receives updates of trusted or potentially untrusted Web sites, adjusting security warnings and settings as needed.

Phishing Attacks Using Keyloggers Grow

The Anti-Phishing Working Group (APWG) reports that the incidence of keystroke-logging software used in phishing attacks is on the increase. According to APWG, “this code is designed to run on a machine and log keystrokes when connection is made to predetermined Web sites. The keylogger sends that information to a remote location for the purpose of identity theft.” Purloined data can include passwords and bank account numbers.

“From November 2004 through December 2004, Websense Security Labs researched and identified an average of one to two new phishing keylogger variants and 10 to 15 new malicious Web sites hosting this code per week,” reports APWG. By comparison, in February and March 2005, the number of new keystroke loggers appearing per week had increased to eight to 10, and there were more than 100 malicious Web sites hosting the code.

Two recent attacks have included a fake Brazilian music site, as well as a spoofed e-mail from Symantec purporting that the user’s computer is infected with Bugbear. The first was hosted in California; the second in Brazil. Both attacks include a link—to either listen to music or fix the Bugbear infection—that launches an executable that includes a keystroke logger.

Attackers Turn to Trojan Extortion

A recent type of Trojan attack called Trojan.Pgpcoder takes a different approach than the typical keystroke-logging attack, using extortion instead of eavesdropping. The Trojan searches for certain file types, then password-encrypts them. The attacker requires a payment to decrypt the files.

According to Symantec Security Response, the Trojan is neither a serious threat nor spreading quickly, yet “it does signify the growing trend of malicious writers converging with the ‘for-profit’ criminal community.”

“This attack is yet another indicator of the growing trend of criminals using technology for financial gain,” says Oliver Friedrichs, a senior manager with Symantec Security Response. “The good news is that this threat is not self-propagating, which limits its ability to spread in the wild. However, this Trojan horse is certainly an example of using cryptography for malicious purposes. It is the equivalent of someone coming into your home, locking your valuables in a safe, and refusing to give you the combination.”


About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.