Security Manifest

Benjamin Johnstone-Anderson, Microsoft MVP - Windows Security

May 2004 - Posts

"Turta" Worm Swen-Like By Email

Watch Out For New Worm

A new worm bearing some similarities to Swen just hit my inbox. Kaspersky calls it I-Worm.Turta.a. Here is an image of the email it came in:

http://www.n00bshop.com/images/torta.jpg

I'm not yet sure if this is spreading significantly, but it was at least distributed partially via USENET. I will update this as more information becomes available.

Posted: May 31 2004, 07:57 PM by trafton | with 1 comment(s)
First 64-Bit Windows Virus Discovered

W64/Rugrat Represents New Turn in Viruses

Symantec and McAfee have both released write-ups for an interesting new file infector by the name of W64/Rugrat. The “W64” prefix indicates that, unlike the usual “W32” (32-bit Windows), this virus infects only 64-bit Windows PE (Portable Executable) files. Rugrat will only function on systems capable of running 64-bit code, either natively or via emulation.

Rugrat is a standard virus in every way other than being the first 64-bit virus and being written in IA64 (Itanium) assembly. Much of the code, in fact, was lifted from the interesting but dated W32/Chiton virus. It directly infects Windows programs, including .dll files, and is 3,344 bytes in length.
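To make the W32/W64 distinction concrete, here is an added example written for this page, not code from the Symantec or McAfee write-ups and not from the virus itself. It reads the DOS and COFF headers of a PE file and reports the target machine and whether the optional header is PE32 or PE32+, which is the check an infector (or a scanner) would make before deciding a file is a 64-bit target. The machine-type and Magic values are the documented PE/COFF constants; the images it is run on are minimal stubs constructed in the block, not real binaries.

```python
"""Tell 32-bit from 64-bit PE images by reading the COFF file header (added example)."""
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINE_NAMES = {
    0x014C: "I386",   # 32-bit x86: the usual W32 target
    0x0200: "IA64",   # Itanium: the W64/Rugrat target
    0x8664: "AMD64",  # x64
}
# IMAGE_OPTIONAL_HEADER.Magic: PE32 has 32-bit address fields, PE32+ 64-bit ones.
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def parse_pe_header(data):
    """Return (machine_name, optional_header_format) for a PE image.

    Raises ValueError for anything that is not a well-formed PE file, so a
    scanner can skip it instead of misclassifying it.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the signature (4), the COFF header (20) and the optional header Magic (2).
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, _nsections, _stamp, _symtab, _nsyms, opt_size, _flags = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    if opt_size < 2:
        raise ValueError("optional header missing")
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return (MACHINE_NAMES.get(machine, f"unknown(0x{machine:04x})"),
            OPTIONAL_MAGIC.get(magic, f"unknown(0x{magic:04x})"))


def is_pe_file(data):
    """True when parse_pe_header accepts the bytes."""
    try:
        parse_pe_header(data)
        return True
    except ValueError:
        return False


def is_64bit_pe(data):
    """True only when both the machine type and the optional header say 64-bit.

    A file whose two fields disagree is malformed or hand-edited; it is not
    treated as a 64-bit target on the strength of either field alone.
    """
    machine_name, magic_name = parse_pe_header(data)
    return machine_name in ("IA64", "AMD64") and magic_name == "PE32+"


def build_stub(machine, magic):
    """Construct a minimal, non-runnable PE image with the given header values.

    Constructed test data only: a DOS header whose e_lfanew points at 0x40, the
    PE signature, a COFF header, and a 24-byte optional header holding Magic.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = struct.pack("<H", magic) + b"\0" * 22
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(optional), 0x0002)
    return dos_header + b"PE\0\0" + coff + optional


if __name__ == "__main__":
    for mach, mag in ((0x014C, 0x10B), (0x0200, 0x20B), (0x8664, 0x20B), (0x0200, 0x10B)):
        stub = build_stub(mach, mag)
        print(parse_pe_header(stub), "64-bit target:", is_64bit_pe(stub))
```

The last stub in the demo has an IA64 machine type but a PE32 optional header; it is rejected as a 64-bit target because the two fields disagree, which is the sort of inconsistency a hand-patched header produces.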

W64/Rugrat is actually a member of a larger family of viruses, as indicated by the following text:

Shrug - roy g biv

This references a family of viruses known as W32/Shrug. Specifically, this virus is related to several variants of W32/Chiton, which is related to W32/Shrug. “roy g biv” (the colors of the rainbow, for trivia's sake) is the name of the virus writer who wrote all these viruses, and probably also W64/Rugrat.

“roy g biv” has in the past released his viruses as proofs of concept, never spreading them intentionally. This, along with the fact that 64-bit processors are far from commonplace, makes it unlikely that “Rugrat” will spread significantly in the wild. Still, it shows that virus writers are definitely starting to work on viruses for the new platform.

Posted: May 27 2004, 10:09 AM by trafton | with 47 comment(s)
New Virus Write-Up: W97M.Nobody

Word Macro/IRC Worm

A write-up for the IRC worm and Microsoft Word macro virus W97M.Nobody can now be found here.

Posted: May 24 2004, 04:09 PM by trafton | with 1 comment(s)
New Article: Finding Virus Information Online

Strategies for Virus Info Searching

I've posted a new article about finding information on viruses. You can access it by clicking on “Finding Virus Info“ under links or by clicking here.

Posted: May 22 2004, 12:42 PM by trafton | with 26 comment(s)
Routine from BugBear.A Found in Netsky.AD

Latest Netsky Variant Copies Password Stealer

Now here's an odd twist.

As anyone who has been paying much attention to the virus field for the past few months is well aware, three virus families are currently in a sparring match for some sort of pathogenic supremacy: Bagle, MyDoom, and Netsky. Despite arrests made in the Netsky case, new variants keep appearing, the latest of which is Netsky.AD.

Netsky.AD is a fairly typical Netsky variant with one odd inclusion that is worth a look. Although details are few and far between, it appears that Netsky.AD contains the password stealer (“Hooker”) from BugBear.A. The scarcity of information about this latest variant makes it hard to tell whether this is a modification or the exact original, but it could mean cooperation between the creators of the two worms.

The odd thing about the inclusion of this password stealer is that it may not be useful. BugBear.A sent the logged passwords out to a number of free email inboxes, all of which have obviously been shut down by this point. It is unknown whether Netsky.AD has any mechanism of its own to send the passwords out, but the file size of Hooker remains the same. The distribution mechanism was originally written into BugBear.A itself, so perhaps Netsky.AD's authors intend the passwords to remain on infected machines for retrieval at a later date.

Does this mean cooperation between the authors of the two worms? Maybe, although there is little evidence to support it. If the file is unchanged, the source code would not be required in order to use it in Netsky.AD. It is also possible that someone simply came across the code and wanted to use it, in which case it is unlikely that any other portion of BugBear will find its way into later Netsky versions.

Does it mean the authors are one and the same? Unlikely, but possible. Accusations that BugBear was created in Malaysia, prompted by a somewhat careless comment from MessageLabs that its first intercept originated from Malaysia (obviously not necessarily an indication that it was written there), were soon dropped, and no other similarities between the two families exist.

The million dollar question in this case would be: Does this mean a new breed of super-powerful Netsky/BugBear hybrid worms? Most definitely not. By this point, BugBear is not a huge threat and subsequent variants beyond .A and .B have not been elevated beyond low risk by most firms.

Still, the security world will most definitely be watching for more similarities if they develop.

Posted: May 22 2004, 11:36 AM by trafton | with 7 comment(s)
"AB" Variant of Lovgate Increases Prevalence

Breaking News: Lovgate.AB Spreading Quickly

McAfee has released an advisory upgrading W32/Lovgate.ab@MM to Medium risk. More information can be found here.

Fund to Save Sasser Author

Sasser Author May Also Be Tried as a Juvenile

Two bits of news relevant to the prosecution of suspected Sasser creator Sven Jaschan today. First of all, BBC News reports that a “Support Sasser” fund/scam has been started. At the time of this writing, the Paypal account that accepted donations was down. From the site:

Do you feel like you're a part of the security scene? Give the SASSER author a better time in jail then. Sven Jaschan really needs your support in a time like this, with multi-million dollar law suits ahead. After all, SASSER was just a harmless wake-up call to the world.

Although there are immediately visible flaws in any argument that Sasser was “harmless,” this did not stop a few people from donating small sums. A few days before the donation system was taken down, about $70 had been donated.

In other news, the author of Sasser will be tried as a juvenile defendant. The E-Commerce Times reports that Sven Jaschan was arrested only two days after his eighteenth birthday, and all the crimes he is accused of committing took place before he was legally an adult. This is likely to mean a lesser sentence. Various lawsuits have been mulled over the Sasser worm and the Netsky family of worms, which Jaschan is also believed to have been involved in authoring, but at this time no formal action has been taken.

Agent Trojan Horse Spammed in .BMP Form

February Vulnerability Used

Antivirus company Kaspersky Labs has posted a press release claiming that the Trojan Horse downloader Agent has been spammed to a moderate number of addresses as a malicious .BMP file, exploiting a vulnerability discovered after the Windows source code leak of February this year. More information about the vulnerability can be found here.

The Agent Trojan Horse is an occasional find in Russia, as it only affects the Russian version of Windows. Eugene Kaspersky predicts the inevitable: “It is very likely that malware [using this vulnerability] attacking other versions of Windows will soon appear.”

At this time, the spamming is considered a very low risk except in Russia, where it should be considered a mild threat. Microsoft has not yet released a patch.

Bits and Pieces

Commentary: The Antivirus Industry Reacts to Spyware, and Some Other Stuff, Too

In October 2002, an aggressive marketing scheme was hatched by a company known as FriendGreetings that would cause a mild uproar in the security field and force antivirus vendors to decide how they would handle the detection of spyware and other gray-area programs. FriendGreetings concocted a “greeting card” program that would mass-mail itself to everyone in the infected user's address book. There was a EULA, but the truth was that no one would ever read it. The question at the time was: should it be detected? And if so, as a worm, or as an “unwanted application” to avoid litigation?

The level of bravery in detection varied vendor by vendor. SOFTWIN was the most straightforward, detecting it as a plain mass-mailer. Computer Associates, H+BEDV, MKS, Panda, Symantec, and Trend Micro designated it a worm out of the box. ESET and Network Associates both originally called it an unwanted application, but later detected it as HideMinimized, saying that this particular part of the program was a Trojan Horse. Frisk Software, GeCAD, and Sophos detected it as an unwanted application and still do. Kaspersky Labs detects it as a “flooder” for some reason. To this day, it appears that Dialogue Science, Grisoft, IKARUS, and VirusBuster do not detect it at all. I found the reaction to this interesting.

Many years ago, in the early '90s, there was a large but fairly uninteresting family of kit-based viruses known as NuKE. One strain of NuKE even contained text stating that, as the virus was “copyrighted,” antivirus vendors could not legally add it to their detection lists. Every single antivirus vendor detected it anyway. NuKE's kit was mainly used by people we would now call “script kiddies.” There was no legal basis for these threats. And there was also little legal basis for any threat from FriendGreetings, a company so solid in its business practices that it used a Panamanian address, probably a fake one.

I am happy to say that antivirus companies now commonly detect all sorts of spyware. There was a good deal of discussion about this around the time FriendGreetings came out, and the consensus then was that such detection should be disabled by default or not present at all. Nowadays, the worst spyware offenders are detected by mainstream antivirus products. It is good to see that the developers of antivirus programs have realized that having a corporate logo on a malicious program does not make it any less malicious.

On a similar note, it has been interesting to watch the development of the anti-spyware industry. Small developers like PepiMK (Spybot Search & Destroy) and Lavasoft (Ad-Aware) remain the top names in the game, despite giving their software away for free (PepiMK doesn't even have an enhanced paid version of Spybot; all the money it receives is donations). Other small developers such as Webroot (Spy Sweeper), Bazooka (Adware and Spyware Scanner), and the Enigma Software Group (SpyHunter) also frequently grace the Download.com Top 50. Many major players have tried to enter the anti-spyware field with paid products, with mixed results; frequently, the “big guys” have received poor reviews. The delay before the major security companies entered the field puts them at a serious disadvantage, facing free programs that are better than their paid offerings. It will be interesting to see how this field develops over the next few years.

Posted: May 16 2004, 01:18 PM by trafton | with 1 comment(s)
Sober.G Slowly Increasing Spread

Still Not Going Fast Enough For Alarm

The highly successful worm family W32/Sober-mm has gained yet another member, W32/Sober.G-mm. It looked as though Sober.G, like .E, would be dead on arrival, but F-Secure has announced that it is upgrading it to Medium following increased spread. F-Secure's ratings are a good gauge for W32/Sober variants, since of all the major antivirus companies F-Secure is the most focused on the European market.

More information can be found here.

PepiMK Releases Spybot Search & Destroy 1.3

Award-Winning Spyware Killer Gets Better

PepiMK Software, maker of Spybot Search & Destroy, has posted the latest version on its web site at www.safer-networking.org. In case that is down, a direct download can be found here. The software is a must-have for anyone concerned about privacy on the Internet and the performance of their computer. Another excellent tool is Ad-Aware, which can be downloaded at www.lavasoftusa.com. Running these programs at least once a month should keep a computer safe and clean-running. Despite Spybot's message recommending uninstalling Ad-Aware, I personally have never had a conflict.

Changes in the latest version include enhanced immunization features, improved user interface, browser integration, a new hosts file feature, and a good deal of bug fixes. Download.com rates the software 5, its highest score. Full information can be found here, including Download.com's review.

There is a known bug in the Resident Shield that causes it to mishandle DoubleClick cookies when set to notify. To circumvent this, right click on the system tray icon and either uncheck “use Resident in IE sessions” or check “block all bad pages silently.”

Multi-Vulnerability "Kibuv" Worms Appear

Thus Far Little Threat; “B” Variant Also Known

A new family of worms that exploits the LSASS vulnerability recently used by W32/Sasser.worm has appeared, although neither of the two variants known at this time are believed to be spreading quickly.

The worm family has been named “Kibuv” by Symantec and was apparently discovered late yesterday. The .A variant is 11,776 bytes and UPX-packed. It uses both the LSASS (MS04-011) and DCOM RPC (MS03-026) vulnerabilities to spread. Activity on TCP ports 135, 420, 445, 5300, and 9604 is a potential sign of infection; bear in mind that 135 and 445 are the ports the RPC and LSASS exploits attack and are open on every Windows machine, so the ports that are actually out of the ordinary are 420, 5300, and 9604. W32/Kibuv.worm also adds itself to the registry under HKLM\Software\Microsoft\Windows\CurrentVersion\Run and RunServices as “Vote For Kerry”, pointing to KillBush.exe. This refers to John Kerry, the Democratic presidential nominee, and the Republican incumbent George W. Bush, who are both running for President of the United States. This suggests that W32/Kibuv.worm may have originated in the U.S., although it would not be surprising if it did not.

The second variant, W32/Kibuv.worm.B, or Kibuv.B, starts an FTP server on TCP port 7955. It accepts any username and password, and any attempt to download a file from the infected server returns the worm. The B variant uses more vulnerabilities than the original, adding exploits for the Messenger Service buffer overrun (MS03-043), IIS 5.0 WebDAV (MS03-007), Universal Plug and Play (UPnP), and the FTP server built into Sasser. Kibuv.B is 18,944 bytes; it is unknown whether this variant registers itself to run at startup. It connects to the IRC server irc.nugs.us on port 6667 to receive backdoor commands. At this time, nugs.us appears to be down. nugs.us is registered to a Mr. Eric Kerr of Bryan, Ohio, in the United States. It is unknown whether Mr. Kerr has any connection to this worm; there is a distinct possibility that his IRC server is simply being abused to control infected machines.

All users who have not done so recently are strongly encouraged to visit Windows Update at windowsupdate.microsoft.com and install the latest security patches as soon as possible to avoid infection. Symantec's write-up of the “A” variant can be found here, and their write-up of the “B” variant can be found here.

Posted: May 15 2004, 01:46 PM by trafton | with 1 comment(s)
New "Dabber" Worm Exploits Vulnerability in Sasser Worm

A Threat - But Just a Dab

PC World is reporting that a new worm, known as W32/Dabber.worm, has begun spreading using a vulnerability in the File Transfer Protocol (FTP) server code of the earlier “Sasser” worm. The Chicago-based internet security firm LURHQ reports that the number of W32/Dabber.worm infections is rising, but this may simply be marketing junk. Users who are infected with Sasser should consider themselves at risk and should remove the worm and install the latest patches as soon as possible. Everyone else, with an up-to-date patch set and no Sasser infection, is at essentially zero risk from Dabber. I mentioned the exploit used by Dabber in a previous post, available here.

Symptoms of Dabber infection include the presence of the file package.exe in the Windows directory, 29,696 bytes in size, with a compile date of Wed May 12 00:46:01 2004 and an MD5 hash of 149dd119425ec801fbca6237413db631. Another indication is the HKLM\Software\Microsoft\Windows\CurrentVersion\Run value “sassfix” pointing to the worm. Dabber also removes the registry keys for Sasser and a number of other worms. It is being described as yet another “good worm,” but there is no such thing: all worms are harmful, including Dabber, which (according to early reports) neither patches the machine nor removes itself.
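The Dabber indicators above and the Kibuv indicators from the earlier post (Run/RunServices value names, the package.exe size and MD5, the Kibuv ports and the IRC channel) can be checked mechanically. What follows is an added example written for this page, not code from Symantec, LURHQ or any of the write-ups: it puts the indicators into tables and runs them over a `reg export` dump, `netstat -an` output and file bytes. Every input it is shown running on is constructed; the only real data are the indicator values themselves. Ports 135 and 445 are deliberately not in the listener table, because every Windows machine has them open.

```python
"""Check a host for the Kibuv and Dabber indicators above (added example)."""
import hashlib
import re

# Run/RunServices value names the worms use for persistence (from the write-ups).
RUN_VALUE_IOCS = {
    "vote for kerry": "W32/Kibuv.worm.A (KillBush.exe)",
    "sassfix": "W32/Dabber.worm (package.exe)",
}
# MD5 -> (description, size in bytes) for Dabber's package.exe.
FILE_IOCS = {"149dd119425ec801fbca6237413db631": ("W32/Dabber.worm package.exe", 29696)}
# Listeners worth flagging.  135 and 445 are left out on purpose: they are the
# ports the RPC/LSASS exploits attack and are open on every Windows machine.
LISTEN_PORT_IOCS = {420: "W32/Kibuv.worm.A", 5300: "W32/Kibuv.worm.A",
                    9604: "W32/Kibuv.worm.A", 7955: "W32/Kibuv.worm.B FTP server"}
IRC_PORT = 6667  # Kibuv.B takes backdoor commands from irc.nugs.us on this port

_REG_KEY = re.compile(r"^\[(.+)\]$")
_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
_RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runservices")
_NETSTAT_TCP = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def scan_reg_export(text):
    """Return [(key, value_name, data, family)] for hits in a 'reg export' dump.

    Only values under ...\\CurrentVersion\\Run and \\RunServices count; the same
    value name under any other key is ignored.
    """
    hits, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        key_match = _REG_KEY.match(line)
        if key_match:
            key = key_match.group(1)
            continue
        value_match = _REG_VALUE.match(line)
        if not value_match or not key.lower().endswith(_RUN_KEY_SUFFIXES):
            continue
        name, data = value_match.groups()
        family = RUN_VALUE_IOCS.get(name.lower())
        if family:
            hits.append((key, name, data, family))
    return hits


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def check_file(data, iocs=FILE_IOCS):
    """Return the IOC description when size and MD5 both match, else None.

    Size is compared first: a directory listing gives it for free and it rules
    out almost every file before anything has to be hashed.
    """
    if len(data) not in {size for _, size in iocs.values()}:
        return None
    entry = iocs.get(md5_hex(data))
    return entry[0] if entry and entry[1] == len(data) else None


def scan_netstat(lines):
    """Flag Kibuv listeners and outbound IRC in 'netstat -an' style output."""
    hits = []
    for line in lines:
        m = _NETSTAT_TCP.match(line)
        if not m:
            continue
        laddr, lport, faddr, fport, state = m.groups()
        lport, fport = int(lport), int(fport)
        if state == "LISTENING" and lport in LISTEN_PORT_IOCS:
            hits.append((f"{laddr}:{lport}", LISTEN_PORT_IOCS[lport]))
        elif state == "ESTABLISHED" and fport == IRC_PORT:
            # netstat shows an address, not a name: resolve it before deciding.
            hits.append((f"{faddr}:{fport}", "outbound IRC; compare peer with irc.nugs.us"))
    return hits


# Constructed samples, not captures from an infected machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Vote For Kerry"="C:\\WINDOWS\\KillBush.exe"
"sassfix"="C:\\WINDOWS\\package.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Vote For Kerry"="C:\\WINDOWS\\KillBush.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"sassfix"="same name, but not a Run key, so not a hit"
"""
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7955           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1042       192.0.2.10:6667        ESTABLISHED
  TCP    192.168.1.5:1043       192.0.2.20:80          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for hit in scan_reg_export(SAMPLE_REG):
        print("registry:", hit)
    for hit in scan_netstat(SAMPLE_NETSTAT.splitlines()):
        print("network:", hit)
    print("file:", check_file(b"not package.exe"))
```

On a real machine the inputs would be a .reg export of the two Run keys, the output of `netstat -an`, and the bytes of any package.exe found in the Windows directory. An IRC hit is only a lead: netstat reports the peer's address, so it has to be resolved and compared with irc.nugs.us before anything is concluded, and the file check proves nothing about a repacked or recompiled copy with a different size and hash.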

Posted: May 13 2004, 05:15 PM by trafton | with 1 comment(s)
Bad Timing, Literally

Time Should Be (Sort Of) Correct Now

For some reason, probably the server configuration, the time was displaying as GMT -11 (my time zone is GMT -8, but it subtracts three hours for some reason.) It is now PST/-8 as it should be (which is GMT -5 in the configuration.) Sorry for any inconvenience.

Posted: May 11 2004, 06:31 PM by trafton | with 11 comment(s)
"Wallon" Correction and Additions

Follow-Up: Wallon Does NOT Spread Via LSASS Vulnerability

I had some information passed on earlier that W32/Wallon.worm spreads via the LSASS vulnerability. It does NOT. It does, however, use a number of Outlook Express exploits.

My opinion on W32/Wallon.worm is that several factors will contribute to a quick demise:

It relies heavily upon a single web site to facilitate its spread.
It is, by nature, a predictable mass-mailer.
It simply isn't a very advanced worm.
It does not install itself on infected machines.

The bad news is that as I write this Secunia has upgraded the risk to Medium and the web site with the worm is still up.

Secunia Site
http://secunia.com/virus_information/9320/wallon.a/

McAfee Write-Up (thanks to Sgt. Matthew Mitlyng):
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125096

A note on naming: this worm is being called W32/Wallon.worm rather than W32/Wallon.A-mm because it is not a true mass-mailer; instead of carrying its own payload, it links to an external site.

Posted: May 11 2004, 12:02 PM by trafton | with 1 comment(s)
May 2004 Security Bulletins Released

Users Should Patch Immediately; Nothing Critical, Though

From Jerry Bryant's blog:
May 11, 2004
Today Microsoft released the following Security Bulletins.

Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

Bulletin Summaries:

Windows: http://www.microsoft.com/technet/security/Bulletin/winmay04.mspx

Important Bulletins:
 
MS04-015 - Vulnerability in Help and Support Center Could Allow Remote Code Execution (840374)
http://www.microsoft.com/technet/security/Bulletin/MS04-015.mspx

Re-Released Bulletins:
The following bulletins have been re-released. Please see the bottom of each bulletin for revision information.

MS04-014 - Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001) - Important
http://www.microsoft.com/technet/security/Bulletin/MS04-014.mspx
Summary Bulletin:
http://www.microsoft.com/technet/security/Bulletin/winapr04.mspx

MS01-052 - Invalid RDP Data can Cause Terminal Service Failure - Moderate
http://www.microsoft.com/technet/security/bulletin/MS01-052.mspx 

This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.

"Wallon" Worm Spreads Via E-Mail, LSASS Vulnerability

Breaking News: W32/Wallon.worm LSASS/Mass-Mailer Spreading Rapidly

W32/Wallon.worm is a remote-reliant mass-mailing worm that also makes use of LSASS vulnerabilities. It relies on a web site to download its files for mass-mailing. It is notable that W32/Wallon.worm is the first mass-mailing/LSASS worm yet discovered. Full information can be found here, from the McAfeeHelp Forums. I will continue to monitor this breaking story for new information.

Bagle.AB Goes to Medium

Breaking News: Bagle #28 is Medium Risk at McAfee

Bagle is now just one variant “behind” Netsky with the appearance of W32/Bagle.AB-mm.

The latest variant is W32/Bagle.AB-mm, a mass-mailing worm which McAfee currently rates as Medium. Secunia has not yet started full coverage on it, so a risk consensus has not yet been reached. W32/Bagle.AB-mm is almost identical to W32/Bagle.AA-mm.

The worm was originally discovered last Thursday but was upgraded only a few hours ago.

McAfee Description
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125089

Sasser Exploit Appears

Little Threat, But Highly Ironic

There was a certain twisted, tongue-in-cheek humor to what is otherwise a standard exploit posted by the French hacker Mandragore on a gray hat site on Tuesday. The vulnerability itself was not unusual: it exploits a bug in the FTP server code of a program in order to break into the machine running it. No patch will be released. And with good reason.

That's because the program exploited is not a commercial piece of software, but rather the Sasser worm. Yes, an exploit has been publicly released for the Sasser worm. The code, complete with comments, was published, but it is unlikely to be much of a threat, considering that the target machines must already be infected with Sasser. To reiterate, this is not code that Sasser spreads with, but rather code that uses a bug in Sasser to push further threats onto already-infected machines.

Because the original post included the exploit code, it will not be republished in Security Manifest.

Posted: May 10 2004, 12:27 PM by trafton | with 4 comment(s)
Sasser.E Appears Despite Arrests

Various Explanations for Appearance of New Variant

The fact that this isn't getting much play in the security world yet is topping Google News' technology section suggests that it is somewhat overblown. Nonetheless, it is worthy of mention.

Even as Microsoft and law enforcement authorities celebrated the arrest of a German teenager believed to be the mastermind behind the malicious Sasser worm, anti-virus firms have quarantined yet another mutant attacking vulnerable Windows users.

Over the weekend, Microsoft announced the arrest of an unidentified 18-year-old in connection with the creation and distribution of the Sasser worm that exploits a flaw in the Local Security Authority Subsystem Service (LSASS), but the new development does not end the threat.

According to anti-virus specialist Symantec, a new variant (W32.Sasser.E.Worm) has appeared and is exploiting the LSASS vulnerability described in Microsoft's MS04-011 patch. Sasser.E, which is being widely distributed, spreads by scanning randomly selected IP addresses for vulnerable systems. “W32.Sasser.E.Worm can run on, but not infect, Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect vulnerable computers,” Symantec warned.

Possibilities abound: a pre-release of the worm, a release by other authors of the worm if they exist (the “Skynet” group signed Sasser and Netsky variants), or perhaps just the discovery of a worm that has been “out there” for a while.

Either way, I would like to thank the German authorities and Microsoft for their help in catching the person responsible for this, as well as for a similar, possibly related arrest. Virus writers are not typically hardened criminals, and I am also glad that the 18-year-old confessed, which will probably result in a lighter sentence. He has no reason to throw ten years of his life away on inverted principles, and I'm sure that this would scare a good lesson into any 18-year-old virus writer.

Posted: May 10 2004, 12:21 PM by trafton | with 2 comment(s)