Hiatus and paradigms

I had a bit of a hiatus from the blog this weekend. My first vacation in a while. Shame, really, as I have about a dozen stories to post now, all of which I expect should show up sometime this week. Meanwhile, someone was kind enough to send me a link to some real eye-candy advertisements posted on Dark Roasted Blend that exemplify the paradigm shift of flyingpenguin. For example:

x-ing

Insect

Very cool. I had to look twice to find the car in the second ad. I wish more advertising had this kind of balance.

dangerous (lokkest) worm on the loose

2007 is really starting with a bang, eh? The latest outbreak seems to be defined so far by a Windows Mutex Object service. Mutexes are meant to provide mutual exclusion over contended resources so that threads and processes can synchronize. Here’s what seems to happen to affected systems:

  1. mutex.exe starts and runs in task manager, and can restart itself if you terminate it
  2. attempts to contact link.hottest.es over random high ports
  3. kills the RPC service
  4. prevents regedit from running
  5. disables services

The first symptom appears to be loss of network connectivity.
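As an added example, not from the original post or from Symantec, the indicators listed above turned into a small triage script run over a constructed, simplified event log. The log format, its field names, and the mapping of “the RPC service” to the RpcSs service name are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the post: process name, callback host, RPC service killed.
PROCESS_NAME = "mutex.exe"
CALLBACK_HOST = "link.hottest.es"

# Constructed sample log in an assumed, simplified "date time EVENT k=v ..." format.
SAMPLE_LOG = """\
2007-01-03 09:12:01 PROCESS_START image=C:\\WINDOWS\\system32\\mutex.exe pid=1432 parent=explorer.exe
2007-01-03 09:12:02 NET_CONNECT pid=1432 dst=link.hottest.es:49152 proto=tcp
2007-01-03 09:12:02 NET_CONNECT pid=1432 dst=link.hottest.es:51003 proto=tcp
2007-01-03 09:12:03 SERVICE_STOP name=RpcSs by_pid=1432
2007-01-03 09:12:05 PROCESS_START image=C:\\WINDOWS\\system32\\notepad.exe pid=1500 parent=explorer.exe
2007-01-03 09:12:09 PROCESS_END pid=1432
2007-01-03 09:12:10 PROCESS_START image=C:\\WINDOWS\\system32\\mutex.exe pid=1611 parent=mutex.exe
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line: str) -> Tuple[str, Dict[str, str]]:
    """Split one log line into its event type and a dict of key=value fields."""
    _date, _time, event, rest = line.split(" ", 3)
    return event, dict(KV.findall(rest))

def triage(log_text: str) -> Dict[str, List[str]]:
    """Return each indicator category with the log lines that matched it."""
    hits: Dict[str, List[str]] = {k: [] for k in ("process", "respawn", "callback", "rpc_killed")}
    for line in log_text.splitlines():
        event, f = parse_line(line)
        if event == "PROCESS_START" and f.get("image", "").lower().endswith("\\" + PROCESS_NAME):
            hits["process"].append(line)
            if f.get("parent", "").lower() == PROCESS_NAME:  # the "restarts itself" symptom
                hits["respawn"].append(line)
        elif event == "NET_CONNECT":
            host, _, port = f.get("dst", "").rpartition(":")
            # The post reports random high ports, so any port in the ephemeral range counts.
            if host == CALLBACK_HOST and port.isdigit() and int(port) >= 1024:
                hits["callback"].append(line)
        elif event == "SERVICE_STOP" and f.get("name") == "RpcSs":  # assumed service name
            hits["rpc_killed"].append(line)
    return hits

def is_infected(log_text: str) -> bool:
    """Flag only when the process appears together with at least one behavioural symptom."""
    h = triage(log_text)
    return bool(h["process"]) and any(h[k] for k in ("respawn", "callback", "rpc_killed"))
```

Requiring a behavioural symptom alongside the file name keeps a legitimately named mutex.exe from being flagged on its own.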

Symantec is calling this lokkest and warns of backdoors and keyloggers. They also suggest a large number of attack vectors:

  1. Spreads through Yahoo! Messenger, AOL Instant Messenger, MSN Messenger, and ICQ.

  2. Spreads to SQL server and to network shares protected by weak passwords, and by exploiting the following vulnerabilities:

     * Symantec Client Security and Symantec AntiVirus Elevation of Privilege (as described in Symantec Advisory SYM06-010)
     * The RealVNC Remote Authentication Bypass Vulnerability (as described in Bugtraq ID 17978)
     * The Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS06-040)
     * The Microsoft ASN.1 Library Multiple Stack-Based Buffer Overflow vulnerabilities (as described in Microsoft Security Bulletin MS04-007)

Patch, patch, patch…

Reflective XSS Worm

The SecuriTeam site reports on a new GaiaOnline (web-based game) worm:

Kyran ran the worm for 3-4 hours (with a central .js file it’s easy to stop the worm) and logged 1500 unique usernames, but not much more can be deduced in terms of growth over time due to the lack of timestamps. Since the passwords weren’t logged we cannot check statistics on those, but I would hazard a guess at the statistic being similar to those of sites like MySpace. Furthermore, the point of this exercise was to see how well a reflective XSS worm can spread on a large site.

Very effectively, they argue. And even more to the point:

Reflective XSS can viably be used to spread an effective worm, and sending variables via POST does not make people any safer. Considering how very common reflective XSS is (34 pages of reflective XSS flaws), this is something web masters really need to start getting to grips with. Furthermore, it’s clear that Gaiaonline aren’t ready for users reporting flaws: they don’t know what to do when a flaw is reported, and they aren’t too quick at fixing them (at the time of writing the flaw is still up).

Reputation risk?

Bush authorizes search of snail mail

CNN reports on yet another bizarre statement by Bush:

A signing statement attached to postal legislation by President Bush last month may have opened the way for the government to open mail without a warrant.

The White House denies any change in policy.

The law requires government agents to get warrants to open first-class letters.

But when he signed the postal reform act, Bush added a statement saying that his administration would construe that provision “in a manner consistent, to the maximum extent permissible, with the need to conduct searches in exigent circumstances. …”

“The signing statement raises serious questions whether he is authorizing opening of mail contrary to the Constitution and to laws enacted by Congress,” said Ann Beeson, an attorney with the American Civil Liberties Union.

“What is the purpose of the signing statement if it isn’t that?”

And we worry so much about digital information in transit; I guess the question will soon be how to encrypt and sign mail sent via the US Post Office.

Typically, presidents have used signing statements for such purposes as instructing executive agencies how to carry out new laws.

Bush’s statements often reserve the right to revise, interpret or disregard laws on national security and constitutional grounds.

“That non-veto hamstrings Congress because Congress cannot respond to a signing statement,” ABA president Michael Greco has said.

The practice, he added, “is harming the separation of powers.”

And that’s from the president of the ABA!