Security Incidents: Re: New MSN Messenger Worm

[Bill Schalck <sf () schalck net>]

In-Reply-To: <1013605797.17116.27.camel () deck paradisepoker com>

We had a similar incident today but only one user.  
Could have been a lot more if that user had not gotten 
the same message at exactly the same time from 6 
of his contacts and knew something was wrong and 
did not click on the link.

The details at our office were different.  The message 
was “URGENT: Go to this web site 
www.rjdesigns.co.uk/cool/” (or something very close 
to that).  The strange thing is that this user SWEARS 
that he never clicked on the link but our logs show his 
computer attempted to access that web site.  Luckily 
the site was down, possibly couldn’t handle the load.  
Does anyone know of an exploit that combined with 
the MSN exploit could redirect to a web site without 
the users knowledge or action?

I'm concerned that eventually someone "smart" is 
going to build a nimda like cocktail of MSN, IE and 
other exploits that will spread faster than any virus 
we’ve seen yet.  Can anyone say ARIS ThreatCon 4?

There is some good information and a number of 
links at 
http://www.securityfocus.com/archive/1/255255, 
including a link to a web site at 
http://tom.me.uk/msn/demo.html that is a benign 
sample of how the exploit works.

Now for the good news (if there is ever good news 
with a security vulnerability).  The Microsoft patch 
available at 
http://www.microsoft.com/windows/ie/downloads/criti
cal/q316059/default.asp at least stops the sample 
posted on http://tom.me.uk/msn/demo.html from 
functioning.  Not sure if there are variations on the 
exploit that might still work.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com