X-Force Threat Insight Quarterly

Wireless Technology

April 2006

X-Force Threat Insight Quarterly 2

Contents

Introduction .......... 2
Wireless Technology – A Constant Evolution .......... 3
Mobilization of the Work Force – Fueling the Wireless Threat .......... 3
Wireless Threats .......... 4
Protecting a Wireless Network .......... 7
Conclusion .......... 8
Prolific and Impacting Issues of Q1 2006 .......... 8
Significant Disclosures .......... 8
Mac OS X: The Impenetrable OS? .......... 10
Malicious Code: Exploits and Proof-of-Concept Publications .......... 11
Reactivating Worms .......... 11
Malicious Payloads .......... 12
X-Force Catastrophic Risk Index .......... 13
Future X-Force Threat Insight Quarterly Topics .......... 14
References .......... 14
Additional References .......... 16
About Internet Security Systems .......... 17

Introduction

Most corporations now realize the importance of employing security on their wired networks. However, addressing the security concerns of a wireless network and associated mobile devices may seem less consequential than addressing their wired network needs, despite the severity of the threats. A number of the cyber-threats observed in a wired network, such as malware, phishing and hacking, also thrive in a wireless environment. Attacks have also surfaced which specifically target wireless networks and devices, such as worms that spread via mobile phones that are Bluetooth-enabled.

The malicious exploitation of wireless technology is in its infancy, and X-Force expects targeted attacks to grow more sophisticated over the next several years. The steady rise in the mobilization of the work force has intensified the problem of securing wireless devices. This report discusses wireless technology today, the threats that target it and the steps corporations can take to establish a secure wireless environment.

Additionally, this report will recap some other significant challenges faced by security professionals during Q1 2006.

About this report

The X-Force Threat Insight Quarterly (Threat IQ) is designed to highlight some of the most significant threats and challenges facing security professionals today. This report is a product of Internet Security Systems Managed Security Services and is compiled by the Internet Security Systems (ISS) X-Force® security intelligence team. Each issue focuses on a specific challenge and provides a recap of the most significant recent online threats.

ISS X-Force is a primary security research organization that discovers vulnerabilities and security flaws in computer networks and tracks emerging Internet threats. The ISS X-Force serves as trusted security advisor to the U.S. Department of Homeland Security as well as many other federal, state and local government organizations, helping create governmental security standards and initiatives.

X-Force research forms the basis for the ISS protection platform. By researching vulnerabilities, ISS is able to update its products and services to prevent attacks before they negatively impact an organization. All ISS products and services rely on X-Force research to preempt threats.

Questions or comments regarding the content of this report should be addressed to X-ForceThreatIQ@iss.net

Internet Security Systems X-Force® Threat Insight Quarterly – April 2006

©2006 Internet Security Systems. All rights reserved worldwide. All contents of this document are the property of Internet Security Systems, Inc. Any third party logos or names are the trademarks or registered trademarks of their respective companies. This document is intended for the development of internal and external marketing tools and materials only, and should be published or distributed internally or to third party marketing firms or agencies.
Wireless Technology – A Constant Evolution

The meaning of the term “wireless,” which has been evolving since the turn of the twentieth century, depends on the context in which it is used. At one point, “wireless” and radio receiver were synonymous, as it was used to conduct wireless telegraphy. In modern vernacular, wireless is a method of cordless communication between two devices using radio waves. Telephone or computer networks that use this means of communication are known as wireless networks.

Notebooks, personal digital assistants (PDAs) and mobile phones are all examples of mobile computing devices that can be used to connect to a wireless network. Wireless is also used to connect stationary devices where wiring is impractical. These devices can run on a number of different platforms and often integrate services such as e-mail, instant messaging, Internet and voice telephony. The global demand for mobile devices has been strengthening for several years. This is clearly evident within the mobile phone industry. The IDC's “Worldwide Quarterly Mobile Phone Tracker” reports that the fourth quarter of 2005 saw a new record of shipments, and over 825 million mobile phones were sold worldwide last year. Devices that integrate mobile phone and PDA functionalities, Smartphones, are also becoming more prevalent among working professionals.

A wireless network is frequently referred to as a wireless local area network (WLAN) or wireless fidelity (WiFi) network. The term WiFi actually refers to a set of wireless networking standards for a WLAN based on the IEEE 802.11 specifications. WiFi allows users in the proximity of an access point to connect to a wireless network and/or the Internet via a wireless-enabled device. Areas that provide publicly available wireless access points (WAPs) are known as hotspots – most commonly found on college campuses and in coffee shops, hotels and airports. According to JiWire, worldwide hotspots grew 87 percent in 2005 – surpassing the 100,000 mark. Some analysts expect this number to double by 2008.

Other standards-based wireless technologies that are growing in popularity include Bluetooth and Worldwide Interoperability for Microwave Access (WiMAX). Bluetooth technology allows for short-range wireless connections between various devices. Two key features of this technology are that it is robust and low cost. On the downside, there are several concerns regarding the security of Bluetooth devices. For instance, a paper published last year, “Cracking the Bluetooth PIN,” demonstrated different methods for obtaining an individual's Personal Identification Number (PIN).

Since its initial development by Ericsson, Bluetooth has been implemented in a number of vendors' products such as Apple Computer, Hewlett-Packard and Motorola. This technology also expands across several markets ranging from automotive to computing. In May of last year, the Bluetooth Special Interest Group (SIG) announced plans to make Bluetooth interoperable with Ultra-wideband (UWB) technology. According to SIG, this technology will benefit Bluetooth users by meeting “the high-speed demands of synchronizing and transferring large amounts of data as well as enabling high quality video applications for portable devices.” Many analysts predict that by combining the functionality of these two technologies, Bluetooth has secured a place for itself in the wireless market for years to come.

However, WiMAX or WirelessMAN (Metropolitan Area Network) is seen as the next evolution in wireless technology, due to its enhanced performance over more substantial distances. Though similar to WiFi, it is based on IEEE 802.16 specifications. The WiMAX Forum and a number of other vendors are lobbying for adoption of this technology. There are over 150 service providers worldwide that are already deploying and operating WiMAX networks. This industry will continue to expand, with Mobile WiMAX or IEEE 802.16 products expected in mid-to-late 2006.

Third-generation (3G) cellular technologies also bring improved capability and broad bandwidth data services to 3G-capable mobile phones. Some examples of these networks include Enhanced Data GSM Environment (EDGE), General Packet Radio Service (GPRS) and Evolution-Data Optimized (EV-DO). The exponential growth of new innovation and consumer demand continually fuels the underground's interest in the exploitation of wireless technology.

Mobilization of the Work Force – Fueling the Wireless Threat

The demand for mobile devices is in part fueled by the expanding mobile landscape. As of December 2005, a little over 68 percent of the United States' population were using the Internet, according to statistics listed on the Internet World Stats Web site. Contributing to this growing percentage is the number of adolescents and seniors who increasingly turn to the Internet for various reasons. A study published by the Pew Internet & American Life Project reports that between 2000 and 2004, there was a 47 percent increase in the number of Americans 65 and older who became Internet users. The availability of free or low cost WiFi hotspots in restaurants, airports, hotels and other public areas has made it possible to connect from just about anywhere.

According to an IDC study, the global mobile population is expected to increase by more than 200 million users between 2004 and 2009. A significant contributing factor is the increasing desire for individuals to
telecommute, or work from remote or mobile locations. Other factors that may be influencing this trend include government efforts to reduce congested transportation routes and corporations' revised compensation policies or their need for global positioning.

This need for mobility has made the possession of a cell phone, laptop and/or PDA essential for today's working professional. Gartner, Inc. reported that worldwide PDA shipments in 2005 increased by 19 percent over the previous year – a record 14.9 million units sold. Gartner analysts also forecast that by the end of 2009, 2.6 billion mobile devices will be in regular use worldwide.

Today's IT departments and system administrators are already tasked with supporting their company's wired network. The introduction of wireless networks and devices adds a whole set of new problems, which may not be present in traditional wired networks. For one thing, mobile devices compound the issue of ensuring effective support over a wireless network – especially when system administrators must be aware of devices that have not received corporate approval.

Almost half of the IT managers interviewed in a global survey conducted by research agency Dynamic Markets reported that security settings for mobile devices can be enforced only when they are physically in the corporate environment. A third of the respondents cited the connection of unauthorized mobile devices to their organization's network as a common cause of security breaches.

“More than 28 million, or 1 in 5 U.S. employees, participate in some form of teleworking - at home, on the road, in telework centers or in satellite offices. Most work on the road (24.1 percent) or from home (21.7 percent), while a smaller percentage work at telework centers (7.5 percent) or at satellite offices (4.2 percent).”
– Telecommute Connecticut

Wireless Threats

The growth in popularity of a new networking technology has historically ignited the interest of the Internet underground. Highly publicized issues often receive the most pointed focus. A similar trend has begun to emerge with wireless technology.

An attacker's motivation for targeting wireless networks and devices is essentially the same as in the wired world – to gain profitable information and resources. Previously, a hacker's main incentive for engaging in malicious activity included the fame and bragging rights associated with gaining unauthorized access to a system. Today's hackers are entrepreneurs looking for the next “investment” through which they may obtain serious financial gain. The new “investment” turns out to be the latest technology's security flaws, by which means the hacker can connect to sensitive information or turn a corporation's servers into resource cows – i.e., phishing or spam relays.

The growth of available hotspots throughout the world aids users and intruders alike. It is a matter of convenience versus security as many individuals use unsecured laptops. Many locations that offer free WiFi do not require authentication or the display of credentials prior to accessing the Internet. Attackers not only take advantage of unsuspecting users by sniffing their unsecured traffic, but also utilize such locations to perform criminal activities without fear of association. Tracking offenders can prove difficult for law enforcement agencies. Assailants only need to be close enough to connect to the wireless network, but do not have to physically enter the location hosting the unsecured network. High-gain directional antennas, obtained directly off the shelf, make it even easier for the attackers to work anonymously from a distance.

Laws to prevent this type of activity have been slow in coming, in large part because of the confusion surrounding whom to prosecute. It is difficult to prove whether a user is deliberately or accidentally accessing a wireless network. Some believe the service provider should be held accountable if there is lack of security. For instance, last year, a law was proposed in a New York county that would require any business or home office with a wireless network to also run a firewall. If passed, this law would be the first of its kind in the United States. Though this proposal is not without merit, it may prove impractical to enforce the law from a technical and financial standpoint. It could also inadvertently create a situation in which users believe they are secure, even though the individual deploying the firewall has limited experience – essentially providing little to no protection.

As the threats utilizing wireless technology grow more sophisticated, securing critical infrastructure will become more important. There are a number of ways attackers could accomplish their goal – through “Wardriving” or “WiPhishing,” or the distribution of malware. Many of the same security threats that plague networked devices, including denial of service (DoS) attacks and malware, also affect mobile phones and PDAs.
Wardriving

Individuals who drive around searching for and logging wireless access points are wardriving. They need only a WiFi-equipped machine, such as a laptop or a PDA, and wardriving software to accomplish this. External WiFi antennas, including off-the-shelf directional antennas, assist in providing broader range to wardriving setups and adding direction-finding capabilities. A Global Positioning System (GPS) is often used to aid in mapping the wireless networks on geographical maps.

It is disturbing to note that one does not have to be skilled in order to attempt this activity. With an abundance of freely available resources on the Internet, even a novice computer user can learn how to wardrive. Popular Web sites such as WiGLE.net and WiFiMaps.com have made it simple to find and log wireless networks. Furthermore, wardriving software is just as easy to obtain. The most commonly used wireless network discovery tools are NetStumbler for Microsoft Windows, KisMac for Macintosh and Kismet for Linux.

“Data from wardrivers in cities around the world shows that approximately 70% of wireless networks do not encrypt data in any way.”
– Wardriving in China

There has been much debate surrounding the ethics of wardriving. Some assert that wardriving can be beneficial when conducted by legitimate network security professionals for academic or research purposes. The act of wardriving is not illegal; however, additional actions such as obtaining unauthorized access to a network may be punishable by law. For instance, in 2004, an individual was convicted under the Can-Spam Act of 2003 for gaining unauthorized access to hotspots (discovered while wardriving) which were used to send spam.

Organizations should keep in mind that wardriving can be used as a launching pad for malicious activities such as denial of service attacks or unauthorized access attempts. Businesses with unsecured wireless networks run the risk of undergoing these attacks, which could prove devastating. Besides suffering significant financial losses, corporations could face serious legal complications as a result of a cyber-attack. This further impacts a company's financial stability as additional resources and money are depleted to address the incident.

WiPhishing

“Phishing” is commonplace in today's society. Many users have either received a spoofed e-mail or been lured out to a fraudulent Web site. The phisher's hope is that the user will be tricked into divulging financial and personal information. Phishing in the wireless arena is known as “WiPhishing” and the attacker's goal is the same – to obtain information.

To conduct WiPhishing, an attacker sets up a wireless-enabled laptop or access point using a service set identifier (SSID), also referred to as a network name, in use for an existing network. Much like a basic phishing e-mail, the SSID – which is case-sensitive – attempts to trick users into thinking they are connecting to a legitimate network or hotspot. Once a connection is made, the attacker can intercept the victim's traffic to obtain and record personal as well as corporate data. This is also commonly referred to as an “evil twin” attack.

“An estimated one in five access points uses default SSIDs (such as linksys).”
– The Register

Not only is the information streaming across a wireless network at risk, but data on a company's wired network could also be accessed. If a laptop's wireless networking is enabled and it is connected to a wired network, an attacker could use the laptop as a portal to the wired network. Many mobile devices are configured to connect to “any” access point by default. Hence, an individual may not be aware that a connection has been made to an unauthorized access point.

Another attack technique involves sniffing for laptops that are attempting to reconnect to previously connected access points. WiFi software commonly remembers one or more previously connected access points. When starting up, the software will attempt to connect to those previous access points preferentially. An attacker can detect these probes and respond with a form of “evil twin” whereby it acts as the access point from a remote location. A laptop user at an office can then be attacked by an evil twin that responds as if it is the user's home access point, without even having that access point or twin within range. This can import the insecurity of home networks into corporate networks indirectly.

Mobile Malware

Over the past couple of years, the threat of mobile malware has become a growing concern. For years analysts have been theorizing about this threat. Now the danger of a wireless virus or Trojan has become a reality for many corporations. Mobile phones' standardization has made it more attractive to attackers to develop malware targeting these devices. The feasibility of spreading malware across these platforms also appeals to malicious individuals.

Several security issues affecting Symbian OS-based devices have surfaced over the past year. Symbian OS is an operating system for data-enabled mobile phones. There are other mobile operating systems available for mobile phones including Palm OS, Windows Mobile, BREW and Linux. However, in much the same way attackers have focused on Windows desktop OS because of its popularity, hackers have been drawn
to Symbian OS devices. “Cabir” and “CommWarrior,” two worms that target the Symbian Series 60 Platform, garnered a great deal of media attention in 2005. At the same time, the Windows Mobile platform is steadily receiving more focus as its integration with handheld devices grows. Another commonality of these worms is that they spread over Bluetooth connections, sending infected SIS files to phones they encounter.

“The number of malicious software programs created for mobile devices is expected to reach 726 by the end of 2006, up from an estimated 226 at the end of 2005, according to McAfee.”
– CNET

BlackBerry Devices

The BlackBerry wireless handheld device, developed by Research in Motion Ltd. (RIM), was introduced in 1999. Since then, the popularity of this device has ballooned, with subscribers to the BlackBerry service soaring to over 3 million as of last May. Businesses depend so greatly on these devices that the recent threat of a service shutdown had some analysts predicting a resultant crippling of the U.S. economy. The situation was resolved once RIM agreed to pay NTP Inc., which had sued RIM for infringing on its wireless e-mail patents, $612.5 million to settle the patent dispute.

This case demonstrates our economy's reliance on these types of devices. Cyber-threats could result in similar consequences for BlackBerry users. A number of remote code execution and denial of service vulnerabilities affecting BlackBerry products surfaced in December of last year.

The “first” Trojan affecting mobile phones capable of running Java 2 Mobile Edition (J2ME) software appeared this quarter. This software is included in a number of BlackBerry devices as well as many other vendors' products. Known as “RedBrowser,” this program purports to access Wireless Application Protocol (WAP) Web pages via Short Message Service (SMS) messaging. However, the malicious program actually sends SMS messages to premium rate numbers and the victim incurs the cost.

While there is cause for concern, there are several best practices that BlackBerry users can follow to mitigate cyber-threats including:
• Enable password protection on the device, ensuring it meets the standard criteria used to create a strong complex password (longer than 8 characters).
• Periodically reset the password.
• Encrypt the information transmitted between the BlackBerry device and another device.
• Disable options and applications such as Bluetooth when not in use.
• Use an antivirus solution compatible with the BlackBerry platform.

Bluetooth

Bluetooth technology allows different devices to talk to each other. Bluetooth-enabled wireless devices open users up to a whole new realm of attacks which have been coined “Bluejacking,” “Bluesnarfing” and “Bluebugging.” Sending unsolicited messages to Bluetooth-enabled devices is called bluejacking. Though this activity is not necessarily malicious in nature, it can be irritating. An unsuspecting user who receives these messages may assume the device is malfunctioning in some way. A message stating “You've been owned” may cause the user, unfamiliar with bluejacking, to waste time and resources trying to determine if the messages are the result of data compromise or merely a prank. There are a number of Web sites and forums dedicated to bluejacking. Some sites encourage bluejackers to follow a code of ethics including limiting the number of messages sent and excluding certain content. Inevitably, however, there are those that will not adhere to such a code.

Bluesnarfing is a more serious type of attack. It involves the theft of information from a Bluetooth-enabled wireless device. An attacker could obtain or modify the sensitive information stored in the victim's calendar, contact list, e-mails and text messages. Even more disconcerting, these attacks often go unnoticed and are untraceable. An attacker conducts a bluesnarf attack by exploiting the OBEX Push Profile (OPP) service, which is used for exchanging business cards and other objects.

Any device with its Bluetooth connection enabled and set to “discoverable” mode may be vulnerable to attack. When a device is in discoverable mode, it is visible to other devices and therefore may be vulnerable to unauthorized connections. Devices that are discoverable
are not necessarily vulnerable; they may be perfectly secure if set up properly. Additionally, non-discoverable devices are still “visible” to other devices; they just cannot be enumerated for the purpose of pairing. There are tools available that can break the pairing between devices and force them to re-pair, which is how some non-discoverable devices are attacked. Users should watch for unexpected requests for a pairing password – often “0000” on Bluetooth headsets.

When a malicious individual accesses a targeted phone's commands, it is called bluebugging. This hacking technique allows the hacker to perform operations on the phone such as initiate calls, modify contact information, eavesdrop on conversations and connect to the Internet. As with bluesnarfing, bluebugging allows the attacker to perform these actions without the user's knowledge. The Bluetooth SIG is aware of these threats and has provided users with general guidelines to follow at the Official Bluetooth Web site. Users of Bluetooth wireless technology are encouraged to review this information, which can assist in protecting their Bluetooth devices.

“In-Stat reported mobile Bluetooth shipments to reach 316 million units in 2005 and rise to 866 million units in 2009.”

One might compare the ubiquity of mobile devices to that of household appliances such as microwaves – almost everyone has one and would feel lost without it. Mobile devices can be used as an attacker's doorway into an organization, allowing him or her to generate revenue and possibly destroy a company's reputation. The damaging effects to an enterprise in the event of a security breach could be considerable. Still, many organizations do not allocate as many resources to securing their mobile devices as they do their wired security. Attackers are fully aware of this and will increasingly take advantage of these circumstances to carry out malicious acts.

Protecting a Wireless Network

As the wireless movement advances, corporations will need to have the necessary protection solutions in place to address the problems associated with this technology. A large number of companies still lack the crucial security checks needed to prevent unauthorized laptops and other devices from accessing their network. Fortunately, many wireless security issues can be addressed by the same security solutions used to secure an organization's wired network – the only difference may be the method of implementation.

What things should I keep in mind to mitigate risk?

Develop a Plan: One of the biggest challenges for an organization can be implementing and managing a wireless network if the proper planning has not been conducted prior to deployment. Items that should be addressed during the planning stage include the type of wireless security protocol needed as well as what usage and security policies should be put into place. Organizations that approach wireless security defensively rather than proactively may find themselves incurring higher costs in the long term, especially if a security breach were to occur.

Use a Wireless Security Protocol: Encryption and authentication technologies like Virtual Private Networks (VPNs) and wireless security protocols (WEP, WPA and WPA2) assist in securing a wireless network.

Wired Equivalent Privacy (WEP) was designed to provide wireless LAN security; however, serious limitations have been discovered with this protocol. WiFi Protected Access (WPA) is in compliance with the majority of the IEEE 802.11i standard. WPA2, released shortly after WPA, is in full compliance with the standard. Both WPA and WPA2 are capable of providing enhanced wireless security and address the limitations and vulnerabilities in WEP. However, WPA PreShared Key (PSK) is less secure than WEP, requiring less effort to crack it with tools readily available. Many modern cards support WEP as well as WPA and WPA2. Companies should examine the level of protection needed to determine which technology is appropriate to adopt.

Establish a Management Strategy: Proper management of remote devices is another key factor in establishing a secure wireless environment. Enterprises need to establish a strategy that will allow IT departments to troubleshoot devices remotely and identify and prevent network threats. This includes making sure that the appropriate patches are applied on a regular basis. Prior to being connected to the wireless network, mobile devices should be tested and certified by the corporation. This process should involve changing default settings. Wireless-enabled applications should also adhere to the company's security and performance requirements prior to being deployed.

Enforce a Wireless Usage Policy: Establishing a clear wireless usage policy and briefing users on this policy is also important. The main purpose of this policy would be to inform employees that access to the company's network via unsecured wireless communication devices is prohibited.

Access to a company's wireless network should be conducted solely through company-approved products and security configurations. The appropriate personnel should first approve the purchase or installation of access points. Finally, there should be a method in place that will allow the organization to effectively disseminate the security policy to its employees.
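
The planning, protocol and approved-configuration items above amount to an inventory of sanctioned access points and a minimum security protocol; the following added example (not code from the report or from ISS) checks a site survey against such an inventory and flags the “evil twin” SSIDs, case-variant look-alikes, default SSIDs and client probes for non-corporate networks discussed under WiPhishing. The inventory, the WPA2 minimum and the record formats are assumptions constructed for the example, not any discovery tool's real output.

```python
"""Audit a wireless site survey against a corporate access-point inventory.
Added example, not code from the X-Force report or from ISS. It assumes a
defender has walked the site with a discovery tool (the report names
NetStumbler, KisMac and Kismet) and exported what was seen; the record
formats below are constructed for this example, not any tool's real output.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Hypothetical inventory: company SSIDs and the BSSIDs (radio MAC addresses)
# approved to advertise each of them.
APPROVED_APS: Dict[str, Set[str]] = {
    "CorpNet": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
    "CorpGuest": {"00:11:22:aa:bb:03"},
}
# Hypothetical policy: only WPA2 (full 802.11i) is acceptable on company radios.
ACCEPTED_PROTOCOLS = {"WPA2"}
# The report cites an estimate that one in five APs still uses a default SSID.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}


@dataclass(frozen=True)
class Beacon:
    ssid: str      # network name; case-sensitive, so never folded for matching
    bssid: str     # MAC address of the radio that sent the beacon, lower-cased
    channel: int
    protocol: str  # OPEN, WEP, WPA or WPA2, as reported by the survey tool


def parse_survey(text: str) -> List[Beacon]:
    """Parse 'ssid,bssid,channel,protocol' lines; blank and '#' lines are skipped."""
    beacons = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, channel, protocol = (f.strip() for f in line.split(","))
        beacons.append(Beacon(ssid, bssid.lower(), int(channel), protocol.upper()))
    return beacons


def audit_access_points(beacons: List[Beacon]) -> List[str]:
    """Return one finding per access point that needs a closer look."""
    findings = []
    owned_by_lower = {s.lower(): s for s in APPROVED_APS}
    for b in beacons:
        if b.ssid in APPROVED_APS:
            if b.bssid not in APPROVED_APS[b.ssid]:
                # Our SSID sent by a radio we do not own: the "evil twin" case.
                findings.append(f"EVIL_TWIN {b.ssid} from unknown BSSID {b.bssid} on channel {b.channel}")
            elif b.protocol not in ACCEPTED_PROTOCOLS:
                # Approved radio, but configured below policy (e.g. left on WEP).
                findings.append(f"WEAK_PROTOCOL {b.ssid} {b.bssid} uses {b.protocol}")
        elif b.ssid.lower() in owned_by_lower:
            # Same letters, different case: SSIDs are case-sensitive, users are not.
            findings.append(f"LOOKALIKE_SSID {b.ssid!r} resembles {owned_by_lower[b.ssid.lower()]!r}")
        elif b.ssid.lower() in DEFAULT_SSIDS:
            # An unmanaged access point with a factory name within range of the office.
            findings.append(f"DEFAULT_SSID {b.ssid} {b.bssid}")
    return findings


def audit_client_probes(text: str) -> List[str]:
    """Flag company clients probing for networks that are not ours.
    Each line is 'client_mac,probed_ssid' (constructed format). A laptop that
    probes for its owner's home network can be answered by an evil twin even
    when the real home access point is nowhere near the office.
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, ssid = (f.strip() for f in line.split(",", 1))
        if ssid and ssid not in APPROVED_APS:
            findings.append(f"FOREIGN_PROBE client {mac.lower()} probes for {ssid!r}")
    return findings


# Constructed sample data so the audit runs without a real capture.
SAMPLE_SURVEY = """\
# ssid,bssid,channel,protocol
CorpNet,00:11:22:AA:BB:01,6,WPA2
CorpNet,00:11:22:AA:BB:02,11,WEP
CorpNet,DE:AD:BE:EF:00:01,6,OPEN
corpnet,DE:AD:BE:EF:00:02,1,OPEN
CorpGuest,00:11:22:AA:BB:03,1,WPA2
linksys,00:14:BF:12:34:56,6,OPEN
Cafe-Free,00:0C:41:99:88:77,11,OPEN
"""
SAMPLE_PROBES = """\
# client_mac,probed_ssid
00:16:CB:11:22:33,CorpNet
00:16:CB:11:22:33,HomeWifi
00:16:CB:44:55:66,CorpGuest
"""

if __name__ == "__main__":
    for finding in audit_access_points(parse_survey(SAMPLE_SURVEY)) + audit_client_probes(SAMPLE_PROBES):
        print(finding)
```

The sample survey yields four access-point findings (a WEP radio, an evil twin, a case-variant look-alike and a default-named AP) and one client probing for a home network.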
Deploy a Mobile Enterprise Server Solution: An organization may want to consider deploying a mobile enterprise server solution. The solution chosen should integrate existing systems and mobile users with secure access to corporate data. It should be installed behind the company's firewall and support all corporate-sanctioned mobile devices and networks. Some mobile server solution products include BlackBerry Enterprise Server, Visto Mobile Enterprise Server and iAnywhere.

End User Recommendations: The issues associated with maintaining a corporation's wireless network and associated devices fall on the administrators; however, the end user must take some responsibility. End users should be cautious when using their mobile devices to launch or download applications via the Internet, avoiding those from unknown origins. A corporation should also ensure that its general use policies are readily accessible to all personnel.

Conclusion

The wireless technology arena continues to make progress as its convenience and profitability drive innovation. For example, Voice over Internet Protocol (VoIP) and WiFi services have been combined, layering newer technology over older technology to allow users to make mobile calls from hotspots. As these products become more mainstream, however, X-Force expects to see attackers focusing their efforts more and more on the exploitation of these devices.

A number of companies still lack the necessary security measures to protect their wireless networks and mobile devices from attack. A survey of attendees at the Cellular Telecommunications Industry Association (CTIA) Wireless IT and Entertainment conference found that only 40 percent currently use mobile security tools.

Wireless technology creates a competitive advantage and is an integral part of an enterprise's network. The challenge comes when attempting to integrate a wireless network seamlessly into the existing infrastructure while also addressing security. It is important to implement a wireless protection solution that facilitates the detection, prevention and assessment of wireless attacks. Policies should give employees a clear understanding of the organization's guidelines on wireless usage so that they can comply with them. By implementing this strategy, an enterprise can reap the benefits of a secure wireless network.

Prolific and Impacting Issues of Q1 2006

Significant Disclosures

In the first quarter of 2006, Internet Security Systems X-Force analysts researched and assessed 1,655 security-related threats. A significant percentage of the vulnerabilities featured within the X-Force research database became the focal point of malicious code writers, whose productions included viruses, worms and/or targeted exploits. This section of the report features the noteworthy cyber-security-related issues that arose during the first quarter.

Total vulnerabilities Q1 2006: 1,655

Critical vulnerabilities:     5
High vulnerabilities:       270
Medium vulnerabilities:     973
Low vulnerabilities:        407

The chart below categorizes the vulnerabilities researched by X-Force analysts by the most severe consequence that could occur as a result of exploitation of the vulnerability. The categories are: Bypass Security, Data Manipulation, Denial of Service, File Manipulation, Gain Access, Gain Privileges and Obtain Information. During this quarter, vulnerabilities allowing attackers to Gain Access had the highest number of disclosures, whereas those leading to File Manipulation had the lowest.

Gain Access          43.25 %
Data Manipulation    16.55 %
Denial of Service    14.25 %
Obtain Information   12.69 %
Gain Privileges       6.10 %
Bypass Security       5.04 %
File Manipulation     2.12 %

In March, independent research by ISS X-Force Research and Development (R&D) led to the discovery of a critical issue within Sendmail. X-Force analysts discovered a vulnerability in Sendmail that could allow a remote attacker to execute arbitrary code on a targeted system with the privileges of the Sendmail server daemon. Shortly following the disclosure, a submission was posted to a popular open Web forum by an individual working on exploiting this issue. The vulnerability is remediated by upgrading to Sendmail version 8.13.6.

• ISS Protection Advisory: Sendmail Remote Signal Handling Vulnerability
- Sendmail Security Advisory: Sendmail MTA Security Vulnerability

Two days after the release of the Protection Advisory for the Sendmail issue, ISS published a Protection Alert to highlight a remote code execution vulnerability in Microsoft Internet Explorer. The vulnerability is triggered when Internet Explorer displays a Web page that contains unexpected createTextRange() method calls to HTML objects. Exploits, malicious Web sites and Trojans have surfaced which attempt to capitalize on this vulnerability. The threat associated with the issue prompted Microsoft to release an advisory. The disclosure of these critical vulnerabilities subsequently led to X-Force's elevation of the Internet threat level to AlertCon 2.

• ISS Protection Alert: Microsoft IE createTextRange() Remote Command Execution
- Microsoft Security Advisory 917077: Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution

An additional five ISS Protection Alerts were published within the first quarter as a result of ISS X-Force R&D analysts' research. This analysis led to the discovery of underlying threats in previously disclosed security issues.

The timeline in the X-Force Threat Insight Quarterly Q4 2005 report highlighted a zero-day vulnerability affecting the Microsoft Windows Meta File (WMF) graphics rendering engine. This issue led to the elevation of the threat level throughout the first week of the new year. The vulnerability lies in GDI32.DLL, which is commonly used by several applications to render WMF formatted image files. On January 5th, Microsoft published an out-of-cycle Security Bulletin to address this issue.

• ISS Protection Alert: Microsoft Shared DLL WMF graphics Rendering Code Execution
- Microsoft Security Bulletin MS06-001: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)

X-Force later conducted additional research which produced new information regarding the GDI32.DLL vulnerability, triggered by the flaw in the code that handles WMF file parsing, including additional attack vectors.
• ISS Protection Alert: Additional Vectors for GDI32.DLL WMF Image Rendering Vulnerability

Applying the MS06-001 patch effectively mitigates the Microsoft vectors. However, in addition to the applications noted in this Protection Alert, other third-party applications may also be vulnerable.

On January 10th, Microsoft published two “critical” Security Bulletins during its scheduled release. One of them, the TNEF issue, could allow a remote attacker to cause heap corruption on Microsoft Exchange Servers as well as Microsoft Outlook clients, resulting in a denial of service or arbitrary code execution. X-Force warns that compromise of networks and machines using these products may lead to exposure of confidential information, loss of productivity and further network compromise.

• ISS Protection Alert: Malformed TNEF Processing Vulnerability
- Microsoft Security Bulletin MS06-003: Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution (902412)

On Tuesday, February 14th, the AlertCon was elevated in response to the remote code execution issue affecting Windows Media Player, which Microsoft rated “Critical” in the February release. X-Force analysts predicted that this vulnerability would be easily exploitable. Within 24 hours, proof-of-concept (PoC) code was made publicly available. A second PoC targeting this issue was published that same week.

• ISS Protection Alert: Windows Media Player Malformed Bitmap Processing Vulnerability
- Microsoft Security Bulletin MS06-005: Vulnerability in Windows Media Player Could Allow Remote Code Execution (911565)

X-Force analysts were also concerned with the potential damaging impact of another Windows Media Player vulnerability disclosed in Microsoft's February publication cycle. Three pieces of malicious code utilizing this issue were posted shortly following its disclosure. While the PoCs result in a denial of service, X-Force verified that simple modifications to one PoC could lead to a robust exploit resulting in consistent remote compromise of vulnerable systems. To date, X-Force analysts are not aware of a robust exploit for this issue in the wild. However, there is still a potential for future development. Older vulnerabilities are often targeted at a later date, sometimes being incorporated into a phishing scam or malware.

• ISS Protection Alert: Windows Media Player Plugin EMBED Buffer Overflow
- Microsoft Security Bulletin MS06-006: Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution (911564)

The last ISS Protection Alert published this quarter highlights a chunked transfer-encoding buffer overflow vulnerability affecting RealNetworks' RealPlayer and RealOne Player. X-Force analysts feel that this issue may be a choice vector for malicious Web sites to install spyware, adware or other code on end users' systems. Keep in mind that having the latest version of the software installed does not guarantee that it is the latest build available. It is also important to note that, though not all builds of the latest software are vulnerable, users do not always upgrade this type of application. This, combined with the popularity of this software, prompted X-Force to release preemptive protection prior to exploitation.

• ISS Protection Alert: RealNetworks RealPlayer chunked Transfer-Encoding buffer overflow
- RealNetworks Security Update: RealNetworks, Inc. Releases Update to Address Security Vulnerabilities

Mac OS X: The Impenetrable OS?

Many people hold the perception that Apple's Mac OS X is relatively “safe” or contains fewer vulnerabilities. Though the percentage of threats affecting Mac OS X is smaller than for other popular platforms, it is not invulnerable to threats and malware. This perception has started to shift as an increasing number of threats targeting this platform have been brought to light.

Two pieces of malware which surfaced in February, Leap.A and Inqtana.A, illustrate this point. Apple describes Leap.A, also known as Oompa Loompa, as a piece of malicious software, but many antivirus vendors classified it as a virus. This malware uses the iChat instant messaging software to spread – forwarding itself to contacts on the victim's buddy list as a file called latestpics.tgz. Though the majority of antivirus vendors rate this malware “low,” it is seen as a proof of concept that may be developed further to produce something more destructive. Fortunately, Apple published Security Update 2006-001, which addresses this issue.
The same week a proof-of-concept Bluetooth worm also surfaced: Inqtana.A. This worm uses a previously disclosed directory traversal issue within the Bluetooth file and object exchange services in Mac OS X. While this worm was also rated “low,” it received a significant amount of media attention because it emerged on the heels of Leap.A.

In addition to malware, a number of critical vulnerabilities and exploits affecting Mac OS X were announced this quarter. One of the critical issues involves tricking a user into opening a specially crafted file, which could allow a remote attacker to compromise the user's system. This vulnerability can be exploited via the Safari Web browser without user interaction when the “Open Safe Files after downloading” option is enabled, which is the default setting. The Metasploit Project included an exploit module which used this attack vector. Additionally, a report surfaced indicating that Apple Mail could be used as an exploitation vector for this vulnerability. Apple released Security Update 2006-001 to protect consumers against this attack.

Malicious Code: Exploits and Proof-of-Concept Publications

An exploit is a piece of code that takes advantage of a bug, glitch or vulnerability, leading to privilege escalation, code execution and/or denial of service on a system. The term proof-of-concept (PoC) code is often used synonymously with exploit, though a PoC is generally considered less reliable than an exploit. Proof-of-concepts and exploits are frequently incorporated in malware, allowing an attacker to create a blended attack.

Today, individuals who want to cause harm to an organization's infrastructure do not need to be skilled. A number of exploit tools available on the Internet provide the inexpert attacker with the means to do damage. The Metasploit Framework, for instance, is just one of many tools used by both system administrators and hackers to determine which systems are affected by certain vulnerabilities. The Metasploit Project updated the Metasploit Framework to include fifteen new modules in Q1 2006.

There is often an increase in activity on the ports associated with exploit code when it is first released. In January, X-Force analysts observed some scanning associated with a vulnerability in Symantec's NetBackup Enterprise Server/Client. This scanning occurred just two days following the release of exploit code targeting the issue on port 13701. Similarly, activity on UDP port 5060 was observed about two weeks after an exploit was posted targeting a vulnerability in eStara SoftPhone. Analysis of these issues, as well as the majority of vulnerabilities targeted by Metasploit modules, is highlighted in the threat assessments provided with the X-Force Threat Analysis Service.

The ethics of releasing exploits has been a constant source of debate among researchers and vendors. This quarter, a researcher was fined for breaching French copyright laws after publishing information about security vulnerabilities in an antivirus application. One wonders what effect this may have on similar legal battles in other parts of the globe.

Many in the security industry favor a form of disclosure whereby the discoverer notifies the vendor of exploits prior to public disclosure, to allow sufficient time to produce and deploy a fix. Yet there are a number of individuals who not only publish vulnerabilities without first informing the affected vendor, but also include code with their disclosure. There is also a growing market for undisclosed vulnerabilities and exploit code that is sold to the highest bidder. Even some security vendors are now among the bidders, wrapping press releases around purchased research.

Reactivating Worms

A reactivating worm is one whose payload activates at a later point after the initial activation cycle. Worms can also contain additional payloads which may activate at different times. A worm's lifecycle may include “hibernation” and reactivation stages. If a worm enters a “hibernation” phase, it lies dormant in an infected system until it either reactivates or enters the “death” stage. It is also important to note that worm reactivation cycles vary. For instance, the Nyxem variant CME-24 was coded to reactivate on the third day of every month, whereas Nimda (2001) was expected to reactivate every ten or eleven days from the start of its reactivation cycle.

The method used to determine when the worm should reactivate also varies. For instance, Sober.Z (CME-681) polls a fixed list of NTP servers to synchronize its reactivation time, which also makes that NTP traffic a usable network indicator of infection, whereas the Nyxem.E (CME-24) reactivation time is based on the infected system's clock. Hence, files may be overwritten at any point if the clock has been prematurely set to the third of the month. Similarly, worms coded to reactivate via this method may continue to propagate after the deactivation date if the system clock is not set correctly.

A worm's functionality after reactivation may vary as well. It may attempt to disable or remove antivirus or file-sharing software on the system. Some worm variants delete files with certain file extensions, as is the case with Nyxem.E. Another function of the worm could be to search the infected machine for e-mail addresses and then attempt to mail itself to those addresses.

During this past quarter, a great deal of media focus surrounded the expected resurgence of the CME-24 and CME-681 variants. Many antivirus vendors considered the initial propagation of Sober.Z to be one of the biggest outbreaks of 2005, contributing to the concern surrounding its potential resurgence. In February, media attention turned to the reactivation of a different worm, Nyxem.E. With all the attention, it may have appeared as though this type of worm behavior is a new phenomenon, when it is actually an older technique.

Media Attention – Hype or Warranted?

As the reactivation deadline for these worms passed, no significant activity was observed. The resurgence of Sober.Z, associated with the Federal Bureau of Investigation (FBI) phishing alert published last November, did not occur. Reportedly, infected machines attempted to download malicious code from five different sites; however, those sites did not have the malicious file. Similarly, X-Force analysts, as well as other forums, noted a lack of activity regarding the reactivation of Nyxem.E – expected to delete certain files from infected systems on the third day of each month, starting February 3rd.

One might conclude that the amount of media exposure given to the resurgence of reactivating worms is without warrant. One concern is that this type of publicity may lead to a “crying wolf” scenario. Users eventually become accustomed to these warnings and begin to view them as less serious in nature – then fail to take action when it is needed.

It is important to note that the attention given these worms certainly aids in preventing serious damage from occurring, as consumers heed the warnings. A survey conducted by America Online and the National Cyber Security Alliance found that a little over 80 percent of home computers still lack “core protections,” which they listed as recently updated antivirus software, a properly configured firewall and/or spyware protection. Additionally, Consumer Reports' 2005 “State of the Net” determined that American consumers spent more than $9 billion on computer repairs and replacements over a two-year period due to issues with malware. Hence, a significant number of Internet users benefit from the media's warnings.

CME – Minimizing the Confusion

Last October, the MITRE Corporation announced the availability of the Common Malware Enumeration (CME) initiative, which is similar to the Common Vulnerabilities and Exposures (CVE) initiative. CME provides a shared numerical identifier for malware threats and aims to help minimize the confusion surrounding the multitude of differing naming conventions often assigned to such threats.

The CME initiative was put to the test as antivirus vendors began publishing their write-ups for the well-publicized Nyxem variant. The names given to this worm were so varied that initially it seemed as though completely separate issues were being reported. Few of the top antivirus vendors had naming conventions that resembled each other. The ambiguity surrounding the issue for many users and researchers dissipated once CME-24 was published.

Though the CME is a good source for vendor name comparisons and obtaining additional information, consumers should review the publication provided by their antivirus vendor. For those interested in learning more about how antivirus names are formed, the About.com article titled “Understanding virus names” provides additional information.

Remain Vigilant via a Multi-layered Approach

No matter what type of reactivation routine a worm uses, it is important to remain vigilant throughout its lifecycle – applying appropriate protection as it is made available. If a worm attempts to capitalize on a vulnerability and a patch is available, the patch should be applied in addition to antivirus updates. This is important to ensure that the worm does not re-infect machines (new and reinstalled) at a later point. However, if a machine has already been infected, the worm must be completely removed to defuse its activation routine. X-Force suggests referring to one's antivirus vendor for appropriate removal instructions for each worm.

There should also be a balance between accepting every threat as serious and considering most publicized threats as only media hype. X-Force encourages its customers to maintain a consistent multi-layered approach at the gateway, network and host level to address today's cyber-security threats.

Malicious Payloads

Malware infection techniques have gone through a number of transformations since the release of the first generally accepted MS-DOS virus, Brain, over twenty years ago. In today's era of hybrid threats, the motivation is profit. The malicious payload delivered by today's malware ranges in severity from the spread of propaganda to the gross financial loss of individuals and corporations. Infected systems experience distributed denial of service (DDoS), spam forwarding, extortion and spyware installation. Performing all of these unwanted functions are bot-network agents, which have become hackers' favored way to cause widespread damage.

As a result, security professionals are prioritizing efforts to unlock information such as the URL links hidden within malware and used to command and control the installation of malicious programs. Recent Win32.Sober variants, for instance, have been identified featuring encrypted URL control links that are only decrypted when they are meant to be used. Because this is not exactly a new technique, it indicates that advances in obscuring malware payloads have been largely stagnant. It is also a limited technique: the binary must carry, or be able to derive on the infected host, the key with which it decrypts those links, so an analyst who steps through the decryption routine or tries candidate keys can recover them. In the case of Sober.Z, there was sufficient time for security experts to decrypt the URL links, distribute the information and respond accordingly. Security vendors were able to block the URLs, shut down the content hosts and block the related accounts. Had the intended URLs been better obfuscated, this Sober variant would have successfully downloaded a supplementary Trojan that could have caused a higher degree of damage and financial loss. However, the outcome will not always be so fortunate, and we will have to contend with malware that features hidden payloads.

Another worm that demonstrates the advancement in techniques used by malicious code writers is the recent Oracle Voyager worm beta. While lacking a propagation mechanism, this worm features an interesting way to add additional functionality. Voyager makes a Google query to search for code updates that are posted to the Full-Disclosure mailing list. Since neither Google nor Full-Disclosure is likely to take itself offline, this is a fairly robust method – capable of thwarting non-proactive protection technologies.

A future Windows worm may use a similar mechanism to obtain a zero-day posting of new download URLs or payload scripts. Unlike the encrypted URLs in binaries like Sober.Z or easily identifiable bot-network Internet Relay Chat (IRC) channels, worms using postings to online message boards are more problematic. The reason is that Usenet (news) has no filter, and many security-related Web forums have no filtering mechanism either. In fact, even with a filter available, it may not be possible to reliably create a signature for the communication without the potential for high false positives. This problem only increases with malcode innovation. Consider the threat of a worm with a decentralized peer-to-peer (P2P) communication channel. One has at best a moving target, and at worst a situation in which bot-network control becomes sufficiently anonymous.

X-Force analysts predict continued advancement in malware infection techniques and delivery mechanisms. Those providing threat protection need to be concerned not only with protecting against the exploit, but also against the malicious payloads delivered. The best defense against hidden malware payloads is proactive security solutions that remain Ahead of the threat.

X-Force Catastrophic Risk Index

Many of the threats addressed in this and previous X-Force Threat IQ reports are contained in the X-Force Catastrophic Risk Index (CRI). Encompassing the most recent critical threats facing organizations, the CRI is a consolidated list of the most serious, high-risk vulnerabilities and attacks. Developed by ISS X-Force, the CRI enables cost-effective and proactive protection around threats and vulnerabilities that pose the greatest risk to the confidentiality, integrity and availability of critical business systems and applications.

The following chart shows that the signatures associated with the X-Force Catastrophic Risk Index (CRI) represented 14.64 percent of the accumulated events tracked across the ISS Managed Security Services global network of customer sensors for the first quarter.

Over the quarter, 3,634,099,060 IPS/IDS log events were collected and analyzed each day from devices located across the globe. Internet Security Systems Managed Security Services provides 24/7/365 global analysis and correlation of events, with data coming from five Security Operations Centers via customers in over 72 countries.

[Chart: share of all tracked Q1 2006 events matching X-Force CRI signatures – 14.64%]
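Two observations in the sections above reduce to simple checks over perimeter logs: the Malicious Code section notes that deny counts on a port (13701/tcp for the NetBackup exploit, udp/5060 for eStara SoftPhone) jump within days of exploit code being published, and the Reactivating Worms section notes that Sober.Z synchronizes against a fixed list of NTP servers, so an infected host talks NTP to servers the organization never configured. The following is an added example written for this edit, not code from the report or from any ISS product. It parses a small, constructed firewall deny log (the line format is hypothetical and the addresses are drawn from documentation ranges), flags any destination port whose daily deny count rises well above its own earlier average, and lists internal hosts sending NTP to servers outside a sanctioned list. The surge thresholds are illustrative; a production rule would use a longer baseline window and a larger minimum count.

```python
import re
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample in a hypothetical firewall deny format; not data from the report.
SAMPLE_LOG = """\
2006-01-09T08:01:10 fw1 deny src=10.0.0.5 dst=192.0.2.10 proto=tcp dport=13701
2006-01-09T08:02:41 fw1 deny src=10.0.0.9 dst=192.0.2.11 proto=tcp dport=80
2006-01-09T08:03:05 fw1 deny src=10.0.0.12 dst=192.0.2.11 proto=tcp dport=80
2006-01-09T08:07:19 fw1 deny src=10.0.0.5 dst=198.51.100.7 proto=udp dport=123
2006-01-10T09:11:02 fw1 deny src=10.0.0.7 dst=192.0.2.10 proto=tcp dport=13701
2006-01-10T09:12:33 fw1 deny src=10.0.0.9 dst=192.0.2.11 proto=tcp dport=80
2006-01-10T09:15:48 fw1 deny src=10.0.0.12 dst=192.0.2.11 proto=tcp dport=80
2006-01-11T07:40:11 fw1 deny src=10.0.0.9 dst=192.0.2.11 proto=tcp dport=80
2006-01-11T07:41:57 fw1 deny src=10.0.0.12 dst=192.0.2.11 proto=tcp dport=80
2006-01-11T13:22:09 fw1 deny src=10.0.0.21 dst=203.0.113.44 proto=udp dport=123
2006-01-12T02:10:01 fw1 deny src=10.0.0.30 dst=192.0.2.10 proto=tcp dport=13701
2006-01-12T02:10:02 fw1 deny src=10.0.0.30 dst=192.0.2.12 proto=tcp dport=13701
2006-01-12T02:10:03 fw1 deny src=10.0.0.30 dst=192.0.2.13 proto=tcp dport=13701
2006-01-12T02:10:04 fw1 deny src=10.0.0.30 dst=192.0.2.14 proto=tcp dport=13701
2006-01-12T02:10:05 fw1 deny src=10.0.0.30 dst=192.0.2.15 proto=tcp dport=13701
2006-01-12T02:10:06 fw1 deny src=10.0.0.30 dst=192.0.2.16 proto=tcp dport=13701
2006-01-12T10:05:44 fw1 deny src=10.0.0.9 dst=192.0.2.11 proto=tcp dport=80
2006-01-12T10:06:12 fw1 deny src=10.0.0.12 dst=192.0.2.11 proto=tcp dport=80
2006-01-12T10:09:30 fw1 deny src=10.0.0.14 dst=192.0.2.11 proto=tcp dport=80
2006-01-12T11:30:00 fw1 deny src=10.0.0.18 dst=192.0.2.20 proto=udp dport=5060
2006-01-12T12:00:00 fw1 deny src=10.0.0.21 dst=203.0.113.45 proto=udp dport=123
2006-01-12T12:00:10 fw1 deny src=10.0.0.21 dst=203.0.113.44 proto=udp dport=123
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ \S+ deny "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse deny lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "day": date.fromisoformat(m["day"]),
                "src": m["src"], "dst": m["dst"],
                "proto": m["proto"].lower(), "dport": int(m["dport"]),
            })
    return events


def port_surges(events, factor=3.0, min_count=3):
    """Return (proto, dport, day, count, baseline) for each day on which a port's
    deny count is at least min_count and exceeds factor times its mean daily count
    over the earlier days in the log. Days with no denies count as zero, so a port
    that was quiet and suddenly lights up is flagged; min_count keeps 0-to-1 jumps
    from firing."""
    days = sorted({e["day"] for e in events})
    per_port = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_port[(e["proto"], e["dport"])][e["day"]] += 1
    hits = []
    for (proto, dport), counts in sorted(per_port.items()):
        for i in range(1, len(days)):
            baseline = mean([counts.get(d, 0) for d in days[:i]])
            count = counts.get(days[i], 0)
            if count >= min_count and count > factor * baseline:
                hits.append((proto, dport, days[i], count, baseline))
    return hits


def unsanctioned_ntp(events, allowed):
    """(src, dst) pairs where an internal host sent NTP (udp/123) to a server
    that is not in the organization's sanctioned list."""
    return sorted({(e["src"], e["dst"]) for e in events
                   if e["proto"] == "udp" and e["dport"] == 123
                   and e["dst"] not in allowed})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in port_surges(evs):
        print("surge: %s/%d on %s: %d denies vs baseline %.2f" % hit)
    # 198.51.100.7 plays the role of the sanctioned corporate NTP server.
    for src, dst in unsanctioned_ntp(evs, {"198.51.100.7"}):
        print("ntp to unsanctioned server: %s -> %s" % (src, dst))
```

On the constructed log, tcp/13701 is flagged on the fourth day (six denies against an earlier average of two thirds of one per day), tcp/80 is not (its count grows from two to three against a baseline of two), and the single udp/5060 deny stays below the minimum count; the NTP check reports 10.0.0.21 talking to two servers outside the sanctioned list.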
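The Malicious Payloads section above explains why Sober.Z's encrypted control URLs were recoverable: the sample had to contain the means to decrypt them. The following added example, written for this edit and not code from the report, shows the simplest form of that recovery as an analyst would script it. It assumes the obfuscation is a single-byte XOR, a stand-in chosen because it is the most common light obfuscation in commodity malware and not a description of the cipher Sober actually used; it brute-forces all 256 keys over a constructed binary blob and returns whatever decodes to a URL under each key. The blob, the two URLs in it, the decoy string and the key 0x5A are all constructed for the example, with hosts from documentation and reserved example ranges.

```python
import re

# Characters allowed in a URL; a match stops at the first byte outside this set
# (a NUL terminator, for instance), which is what delimits the hidden strings.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def xor_bytes(data, key):
    """XOR every byte of data with the single-byte key (its own inverse)."""
    return bytes(b ^ key for b in data)


def plaintext_urls(blob, min_len=12):
    """What a plain strings-style search sees: URLs present in the clear."""
    return [m for m in URL_RE.findall(blob) if len(m) >= min_len]


def find_xor_urls(blob, min_len=12):
    """Try every single-byte XOR key and return {key: [urls]} for the keys under
    which URL-shaped strings appear. min_len drops short chance matches, which
    matter when 256 candidate decodings of arbitrary bytes are being searched."""
    found = {}
    for key in range(256):
        urls = plaintext_urls(xor_bytes(blob, key), min_len)
        if urls:
            found[key] = urls
    return found


def build_sample(key=0x5A):
    """Constructed stand-in for a section of a malware binary (not a real sample):
    filler bytes, two XOR-obfuscated NUL-terminated download URLs, a cleartext
    decoy string such as a User-Agent, then more filler. The key 0x5A is an
    assumption made for the example."""
    filler = bytes(range(0, 200, 7))
    hidden = (b"http://203.0.113.10/update/a.exe\x00"
              b"http://update.example.net/b.php\x00")
    decoy = b"Mozilla/4.0 (compatible; MSIE 6.0)\x00"
    return filler + xor_bytes(hidden, key) + decoy + filler[::-1]


if __name__ == "__main__":
    blob = build_sample()
    print("cleartext URLs:", plaintext_urls(blob))       # nothing: strings would miss them
    for key, urls in find_xor_urls(blob).items():
        for url in urls:
            print("key 0x%02x: %s" % (key, url.decode()))
```

A cleartext search over the blob finds nothing, which is exactly the point of the obfuscation; the key sweep recovers both URLs under the one key that was used. Against a real sample the same loop is the first thing to try before reaching for a debugger, and a scheme that survives it (a rolling key, a real cipher) is what the section means by "better obfuscated".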
Future X-Force Threat Insight Quarterly Topics

The threats described in this report are but a sample of the challenges facing corporate security teams. Because education is a key defensive element, ISS is committed to producing reports like this one on a quarterly basis. Future topics will include:

• Vulnerability Management
• Regulatory Compliance
• New Security Technology
• Botnets
• Rootkits

References

Focus Topic

Statistics

Worldwide Mobile Phone Market Breaks 200 Million Unit Mark in 3Q05, According to IDC
http://www.idc.com/getdoc.jsp?containerId=pr2005_10_13_112836

Worldwide Wi-Fi Hotspots Hits the 100,000 Mark
http://www.jiwire.com/press-100k-hotspots.htm

TOP 20 COUNTRIES WITH THE HIGHEST NUMBER OF INTERNET USERS
http://www.internetworldstats.com/top20.htm

Pew Internet & American Life Project Report: Older Americans and the Internet
http://www.pewinternet.org/PPF/r/117/report_display.asp

IDC Finds Global Mobile Worker Population Will Increase By More Than 200 Million Users Between 2004-2009
http://www.idc.com/getdoc.jsp?containerId=prUS00254405

Number of Teleworkers Increases By 17 Percent
http://www.telecommutect.com/content/itacsurvey01.htm

Gartner Says Worldwide PDA Shipments Reach Record Level in 2005
http://www.gartner.com/press_releases/asset_145348_11.html

Gartner Says Mobile Phone Sales Will Exceed One Billion in 2009
http://www.gartner.com/press_releases/asset_132473_11.html

Survey Finds that More than 65 percent Experience Security Breaches; Most Report No Way to Scan Devices and Ensure Security Policy Compliance
http://www.landesk.com/Preview/Press.aspx?pressid=541

Wardriving in China
http://www.viruslist.com/en/analysis?pubid=175676429

WiPhishing hack risk warning
http://www.theregister.co.uk/2005/04/20/wiphishing/

BlackBerry Subscribers Surge to Over Three Million
http://www.blackberry.com/news/press/2005/pr-09_05_2005-01.shtml

2006: Year of the mobile malware
http://news.com.com/2006+Year+of+the+mobile+malware/2100-7349_3-6001651.html

Bluetooth shipments to hit 316 million units in 2005
http://www.telecom.globalsources.com/gsol/I/Bluetooth-headset/a/9000000067685.htm

Mobile Users Are Lax On Security: Survey
http://www.networkingpipeline.com/171200908

Educational Material

Wireless
http://en.wikipedia.org/wiki/Wireless

Wireless network
http://en.wikipedia.org/wiki/Wireless_network

Mobile phone
http://en.wikipedia.org/wiki/Mobile_phone

Wi-Fi
http://en.wikipedia.org/wiki/WiFi

WAP
http://en.wikipedia.org/wiki/Wap

WiMAX
http://en.wikipedia.org/wiki/Wimax

Wireless Networking Standards
http://www.webopedia.com/quick_ref/WLANStandards.asp

Understanding Wireless LAN Routers
http://www.wi-fiplanet.com/tutorials/article.php/1586861

Cracking the Bluetooth PIN
http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/

CTIA – The Wireless Association
http://www.ctia.org/

Wi-Fi Alliance
http://www.wi-fi.org/
Prolific and Impacting Issues of Q1 2006

Internet Security Systems Protection Advisory: Sendmail Remote Signal Handling Vulnerability
http://xforce.iss.net/xforce/alerts/id/216

Sendmail Security Advisory: Sendmail MTA Security Vulnerability
http://www.sendmail.com/company/advisory/index.shtml

Full-disclosure Mailing List: sendmail stuff
http://archives.neohapsis.com/archives/fulldisclosure/2006-03/1511.html

Internet Security Systems Protection Alert: Microsoft IE createTextRange() Remote Command Execution
http://xforce.iss.net/xforce/alerts/id/217

MS Internet Explorer (checkbox) Remote Code Execution Exploit (0day)
http://www.milw0rm.com/exploits/1606

MS Internet Explorer 6.0 (mshtml.dll checkbox) Crash
http://www.milw0rm.com/exploits/1604

MS Internet Explorer (createTextRang) Download Shellcoded Exploit
http://www.milw0rm.com/exploits/1607

MS Internet Explorer (createTextRang) Remote Exploit (metasploit)
http://www.milw0rm.com/exploits/1620

Microsoft Security Advisory (917077)
http://www.microsoft.com/technet/security/advisory/917077.mspx

X-Force Threat Insight Quarterly – January 2006
http://documents.iss.net/ThreatIQ/ISS_XFTIQ_Q405.pdf

Microsoft Security Bulletin MS06-001
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

Internet Security Systems Protection Alert: Additional Vectors for GDI32.DLL WMF Image Rendering Vulnerability
http://xforce.iss.net/xforce/alerts/id/212

Microsoft Security Bulletin MS06-002
http://www.microsoft.com/technet/security/Bulletin/MS06-002.mspx

Microsoft Security Bulletin MS06-003
http://www.microsoft.com/technet/security/Bulletin/MS06-003.mspx

Internet Security Systems Protection Alert: Malformed TNEF Processing Vulnerability
http://xforce.iss.net/xforce/alerts/id/213

Microsoft Security Bulletin MS06-005
http://www.microsoft.com/technet/security/Bulletin/MS06-005.mspx

Internet Security Systems Protection Alert: Windows Media Player Malformed Bitmap Processing Vulnerability
http://xforce.iss.net/xforce/alerts/id/214

Microsoft Security Bulletin MS05-053
http://www.microsoft.com/technet/security/Bulletin/MS05-053.mspx

Microsoft Windows Media Player BMP Handling Buffer Overflow Exploit (MS06-005)
http://www.frsirt.com/exploits/20060215.wmp-ms06-005.cpp.php

Microsoft Windows Media Player BMP Handling Buffer Overflow Exploit (MS06-005) #2
http://www.frsirt.com/exploits/20060216.redms06-005.py.php

Internet Security Systems Protection Alert: Windows Media Player Plugin EMBED Buffer Overflow
http://xforce.iss.net/xforce/alerts/id/215

Microsoft Security Bulletin MS06-006
http://www.microsoft.com/technet/security/Bulletin/MS06-006.mspx

Internet Security Systems Protection Alert: RealNetworks RealPlayer chunked Transfer-Encoding buffer overflow
http://xforce.iss.net/xforce/alerts/id/218

RealNetworks, Inc. Releases Update to Address Security Vulnerabilities
http://service.real.com/realplayer/security/03162006_player/en/

Mac OS X: The Impenetrable OS?

Apple: “Leap-A is Not a Virus”
http://www.macobserver.com/article/2006/02/16.15.shtml

Apple Security Update 2006-001
http://docs.info.apple.com/article.html?artnum=303382

F-Secure Worm Information Pages: Inqtana.A
http://www.f-secure.com/v-descs/inqtana_a.shtml

Apple Security Update 2005-006
http://lists.apple.com/archives/security-announce/2005/Jun/msg00000.html

Apple Safari Browser Automatically Executes Shell Scripts
http://www.heise.de/english/newsticker/news/69862

Safari Archive Metadata Command Execution
http://metasploit.com/projects/Framework/exploits.html#safari_safefiles_exec
Malicious Code: Exploits and Proof-of-Concept Publications

The Metasploit Project
http://www.metasploit.net/projects/Framework/

Harvard University researcher punished for finding bugs
http://www.zdnet.com.au/news/security/soa/Harvard_University_researcher_punished_for_finding_bugs/0,2000061744,39240570,00.htm

Reactivating Worms

Common Malware Enumeration
http://cme.mitre.org/data/list.html

Nimda worm propagation
http://xforce.iss.net/xforce/xfdb/7130

Sophos – W32/Sober-Z
http://www.sophos.com/virusinfo/analyses/w32soberz.html

F-Secure Virus Information Pages: Nyxem.E
http://www.f-secure.com/v-descs/nyxem_e.shtml

Media Attention – Hype or Warranted?

FBI ALERTS PUBLIC TO RECENT E-MAIL SCHEME
http://www.fbi.gov/pressrel/pressrel05/emailscheme112205.htm

Situation calm. For a change.
http://www.f-secure.com/weblog/archives/archive-012006.html#00000773

Nyxem: nothing happened?
http://www.f-secure.com/weblog/archives/archive-022006.html#00000802

AOL/NCSA Online Safety Study
http://www.staysafeonline.info/pdf/safety_study_2005.pdf

State of the Net – Online Security 2005
http://www.consumerreports.org/cro/electronics-computers/laptop-desktop-computers/protect-yourself-online-905/cr-state-of-the-net.htm

CME – Minimizing the Confusion

Common Malware Enumeration Initiative Now Available
http://www.mitre.org/news/releases/05/cme_10_05_2005.html

Computer Associates: Win32/Blackmal.F!CME24
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=50198

McAfee: Virus Profile: W32/MyWife.d@MM!M24
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=138027

Symantec: W32.Blackmal.E@mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html

Trend Micro: WORM_GREW.A
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_GREW.A

Trend Micro: WORM_NYXEM.E
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NYXEM.E

ISS X-Force Research

X-Force Catastrophic Risk Index
http://xforce.iss.net/xforce/riskindex/index.php

ISS X-Force Security Alerts
http://xforce.iss.net/xforce/alerts/alerts

ISS X-Force Security Advisories
http://xforce.iss.net/xforce/alerts/advisories

Additional References

X-Force Threat Insight Quarterly (Threat IQ)
http://xforce.iss.net/xforce/threat_insight_quarterly/index.php

X-Press Update™ service
http://www.iss.net/xpu/

Internet Security Systems Managed Security Services
http://www.iss.net/products_services/managed_services/

Managed Security Services Customer Portal
http://www.iss.net/products_services/managed_services/customer_portal.php

Choose an Effective Desktop Protection System
http://www.iss.net/find_products/desktop.php

X-Force Research: The AlertCon
http://xforce.iss.net/
X - F O R C E T H R E AT I N S I G H T Q U A R T E R LY 17

About Internet Security Systems


Internet Security Systems is the trusted expert to global enterprises and world governments, providing products and services that protect against Internet threats. An established world leader in security since 1994, ISS delivers proven cost efficiencies and reduces regulatory and business risk across the enterprise. ISS products and services are based on the proactive security intelligence conducted by the ISS X-Force research and development team, the unequivocal world authority in vulnerability and threat research. With headquarters in Atlanta, Internet Security Systems has additional operations throughout the Americas, Asia, Australia, Europe and the Middle East. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.

Copyright ©2006 Internet Security Systems. All rights reserved worldwide.

Internet Security Systems, ADDME, AlertCon, the AlertCon logos, SecurityFusion, SecurePartner, SiteProtector, System Scanner, Virtual Patch and X-Press Update are trademarks and service marks of Internet Security Systems,
Inc. The Internet Security Systems logo, Proventia, Internet Scanner, RealSecure and X-Force are registered trademarks of Internet Security Systems, Inc. Other marks and trade names mentioned are the property of their
owners as indicated. All marks are the property of their respective owners and used in an editorial context without intent of infringement. Specifications and content are subject to change without notice.

Distribution: General

XF-Q1XFTIQ-0406
