July 2004 - Posts
Similar to Monday's Mydoom; Low Risk
McAfee is reporting a new variant of the Mydoom worm that appeared on Monday, referred to here as Mydoom.M and at McAfee as Mydoom.O. From the description:
This new variant of W32/Mydoom is packed with ASPack.
The dropped SERVICES.EXE is the same binary W32/Mydoom.o@MM uses. Detection for this file has been included since the 4381 DATs (07/26/2004).
The behaviour is similar to W32/Mydoom.o@MM and bears the following characteristics:
mass-mailing worm constructing messages using its own SMTP engine
harvests email addresses from the victim machine
spoofs the From: address
contains a peer to peer propagation routine
More information can be found here.
News From 12th Annual Hacker Convention
F-Secure's Mikko Hyppönen writes from Las Vegas, Nevada:
This is a short conference report from the DEFCON 12 conference in Las Vegas. DEFCON is the largest underground hacking event in the world with thousands of black, grey and white hat hackers gathering for a weekend in extreme heat (41 C today) in Las Vegas.
This year's program is especially interesting from an antivirus point of view, as several conference speakers focus on the issue. Today we've heard two presentations on mobile phone and PDA security, with direct implications for future mobile viruses. It seems perfectly possible that we will see totally automated Bluetooth worms in the future. Such worms would spread airborne among the mobile phone population, and really would spread much like flu - to get infected, it's enough to be close enough.
There has also been lots of discussion on Windows XP Service Pack 2, which should be out in August. This service pack includes a firewall which monitors traffic in both directions and which will be on by default. SP2 will also have generic protection against overflows. Consensus is that once SP2 becomes commonplace, it will make it much harder to create automatic network worms like Blaster or Sasser.
Also, I've seen three Feds spotted so far...
Signing off, Mikko
For those who do not know, DEFCON is an annual meeting of hackers of all types, malicious and otherwise, to see the newest developments in the world of hacking and computer security. For $80, anyone can enter and learn, from speakers, presentations, and direct contact, about the latest methods used by hackers, what is being done to prevent those methods from being used, what is being done to bypass that prevention, what is being done to prevent that bypass, and so on. Oh, and, of course, Capture the Flag.
The event may produce some malicious results, but it still remains one of the most honest looks at the security field today. After all, what could be a more honest look at the hacker world than a discussion about security among hackers themselves?
Post-event, I will try to post a look at some of the things that were discussed and comments on them. More information about the event, including pictures, can be found at the always excellent F-Secure Weblog.
Low Risk So Far
The second version of the Mobatu, or Mota, worm family has appeared, in the form of Mobatu.B. So far, most antivirus programs have added detection and the worm is rated as low risk. Thus, it is unlikely that there will be any significant spread. However, subsequent variants could be more troublesome.
Mobatu.B is a moderately complex mass-mailer, using multiple possible subject lines, many of which suggest pornographic content. The worm is also capable of packaging its attachment in a .zip file (it does not always do so). Sender spoofing is also used to disguise the origin. This suggests that additional, more complex functionality could later be added to this family.
The only payload of this low-damage worm is to connect to one of many servers on the IRC network undernet.org, probably to allow for backdoor commands. The worm's file size is always 32,786 bytes.
Worm Performs Denial of Service on Microsoft.com
It has become increasingly popular among virus writers to release worms that exploit backdoors left by successful worms such as Sasser and the original Mydoom worm. The purposes of these worms vary, but usually fall into one of three categories: inoculations against the worm whose backdoor is exploited, simple piggyback worms unrelated to the originals, and worms meant to add functionality to the original.
The Zindos worm, which spreads through the backdoor dropped by the recently discovered Mydoom.M worm, falls in between the second and third categories. Although it does not directly affect Mydoom.M or the backdoor it drops (known as Zincite), it does perform a Denial of Service against Microsoft.com, suggesting that this worm may have been written by the author to add a payload to an otherwise semi-harmless worm.
Fortunately, the Denial of Service attack is fairly disorganized: it does not activate on a specific date, but rather a few minutes after infection. This means that the “blast” effect which has managed to take down even large web sites in the past does not come into play here. In addition, most antivirus vendors indicate that spread has so far not been very high. However, infected users will notice a slowdown in both machine and Internet access speed.
Anyone who receives a detection of Zindos is very likely also infected with Mydoom.M and Zincite. Zindos has no other spread method than the backdoor left by Mydoom.M. TCP port 1034 is used for connection.
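Since the post notes that Zindos has no spread method other than the Mydoom.M backdoor on TCP port 1034, a network-side check for hosts that have accepted connections on that port is a useful complement to antivirus detection. The following is an added example, not part of the original post; the firewall log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the post). Assumed format:
# "<time> <ACTION> <PROTO> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2004-07-27T09:58:01 ALLOW TCP 10.0.0.12:40123 -> 192.0.2.80:80
2004-07-27T10:02:17 ALLOW TCP 198.51.100.9:3522 -> 10.0.0.12:1034
2004-07-27T10:02:19 ALLOW TCP 198.51.100.9:3523 -> 10.0.0.12:1034
2004-07-27T10:05:44 ALLOW UDP 10.0.0.12:1034 -> 10.0.0.1:53
2004-07-27T10:07:03 DENY  TCP 203.0.113.4:4410 -> 10.0.0.31:1034
2004-07-27T10:09:30 ALLOW TCP 10.0.0.44:50000 -> 192.0.2.80:443
"""

LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

BACKDOOR_PORT = 1034  # TCP port the post says Zindos uses to reach the Zincite backdoor


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None


def find_backdoor_contacts(log_text, port=BACKDOOR_PORT):
    """Return (accepted, denied): each maps an internal destination host to the set
    of sources that tried TCP connections to `port`. Accepted connections mean the
    host is listening there (a live backdoor candidate); denied ones only show
    that something is scanning for it. Source-port matches (e.g. UDP 1034 -> 53)
    are deliberately ignored."""
    accepted, denied = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["proto"] != "TCP" or int(rec["dport"]) != port:
            continue
        bucket = accepted if rec["action"] == "ALLOW" else denied
        bucket[rec["dst"]].add(rec["src"])
    return dict(accepted), dict(denied)


if __name__ == "__main__":
    live, scanned = find_backdoor_contacts(SAMPLE_LOG)
    for host, sources in live.items():
        print(f"{host} accepted TCP/{BACKDOOR_PORT} from {sorted(sources)}; check for Mydoom.M/Zincite")
    for host, sources in scanned.items():
        print(f"{host} was probed on TCP/{BACKDOOR_PORT} from {sorted(sources)} (blocked)")
```

Hosts listed as accepting connections are the ones to isolate and scan; the probing sources are worth blocking at the perimeter.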
Follow-Up: Most High Ratings Downgraded to Medium
Despite interesting new techniques, such as using a search engine to find additional email addresses, it appears that spread of the recent Mydoom variant (which goes by many different names, but for practical purposes will here be called “Mydoom.M”) has slowed enough that various vendors have downgraded the worm.
Downgrades include Network Associates, which went from Medium-On-Watch to Medium; Symantec, which went from 4 (High) to 3 (Medium); and Panda Software, which went from 4 (Severe) to 3 (High). Other vendors, such as Trend Micro and F-Secure, that never went to High are remaining at Medium, signifying that the worm is still spreading some.
The worm, which debuted Monday afternoon in the United States, spread significantly, and its use of search engines eventually crashed several of them for a few hours, including the popular Google search engine. The interruption was resolved, but left the site down for some users for up to five hours.
Follow-Up: Popular Search Engine Rendered 503 Error

A viewer of Portland, Ore. television station KATU was among the affected users and submitted this image. Courtesy KATU.com.
As reports of the latest MyDoom variant stream in, we're beginning to see the effects of its use of search engines to find email addresses. Specifically, google.com was temporarily down, returning a 503 error. Google has released a statement:
“The Google search engine experienced slowness for a short period of time early today because of the MyDoom virus, which flooded major search engines with automated searches. A small percentage of our users and networks that have the MyDoom virus have been affected for a longer period of time. At no point was the Google website significantly impaired, and service for all users and networks is expected to be restored shortly.”
Google's servers are built to withstand very large numbers of searches, which shows that this outbreak is quite significant.
BREAKING NEWS: Mydoom Variant Medium-High Risk
At 9:25 AM Pacific Time, security company Secunia released a Medium risk alert for the latest variant of the Mydoom family, which is known by various names, including MyDoom.L, MyDoom.M, MyDoom.N, MyDoom.O, and MyDoom.R. The following are the various vendors' aliases for this worm:
Computer Associates: Win32.Mydoom.O
F-Secure: Mydoom.M
Network Associates: W32/Mydoom.o@MM
Panda Software: Mydoom.N
Sophos: W32/MyDoom-O
Symantec: W32.Mydoom.M@mm
Trend Micro: WORM_MYDOOM.M
Contrary to the Secunia bulletin, Panda Software's Mydoom.M is an unrelated worm.
The following are vendor risks:
Computer Associates: High (4/5)
F-Secure: Medium (2/3)
Network Associates: Medium-On-Watch (2.5/3.5)
Panda Software: High (3/4)
Sophos: Unassigned
Symantec: High (4/5)
Trend Micro: Medium (2/3)
OVERALL: Medium-High (7.3/10)
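The vendors above rate on different scales (4/5, 2/3, 2.5/3.5, 3/4), so the OVERALL line only makes sense once each rating is normalized to its own scale. The following is an added example, not part of the original post, that does that normalization, averages the vendors that assigned a rating (Sophos is skipped), and rescales to 10; the Low/Medium/Medium-High/High bands are my own assumption, not something the post defines.

```python
import re

# Vendor ratings exactly as printed in the post for this Mydoom variant.
VENDOR_RISKS = {
    "Computer Associates": "High (4/5)",
    "F-Secure": "Medium (2/3)",
    "Network Associates": "Medium-On-Watch (2.5/3.5)",
    "Panda Software": "High (3/4)",
    "Sophos": "Unassigned",
    "Symantec": "High (4/5)",
    "Trend Micro": "Medium (2/3)",
}

_RATING = re.compile(r"\((?P<level>\d+(?:\.\d+)?)/(?P<scale>\d+(?:\.\d+)?)\)")


def normalize(rating):
    """Return the rating as a fraction of its own scale (0.0-1.0),
    or None when the vendor has not assigned one."""
    m = _RATING.search(rating)
    if not m:
        return None
    level, scale = float(m["level"]), float(m["scale"])
    if scale <= 0 or not 0 <= level <= scale:
        raise ValueError(f"malformed rating: {rating!r}")
    return level / scale


def overall_score(risks, out_of=10):
    """Average the normalized ratings of vendors that gave one, rescaled to out_of."""
    values = [v for v in map(normalize, risks.values()) if v is not None]
    if not values:
        return None
    return round(sum(values) / len(values) * out_of, 1)


def band(score):
    """Textual band for a 0-10 score. Thresholds are an assumption for illustration."""
    if score is None:
        return "Unassigned"
    for limit, name in ((4, "Low"), (6, "Medium"), (8, "Medium-High")):
        if score < limit:
            return name
    return "High"


if __name__ == "__main__":
    score = overall_score(VENDOR_RISKS)
    print(f"OVERALL: {band(score)} ({score}/10)")  # matches the post's 7.3/10
```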
Worldwide Spread
Trend Micro reports significant spread from Germany, Singapore, and the United States, indicating that this worm has likely already become common on all continents.
Recognition
Email messages appear similar to the following, although they may vary:

More Information
McAfeeHelp Forums (thanks to CD)
NAI Description
Symantec Description
Trend Micro Description
Panda Software Description
F-Secure Description
Computer Associates Description
Sophos Description
L/N Variant in Wild Say Sophos and Symantec
Symantec is reporting W32.Mydoom.L@mm, which is the same virus as McAfee's W32/Mydoom.n@MM. They both currently call it a low risk, although Symantec also notes it is spreading in the field. Sophos also notes receiving "several" reports from the wild, indicating spread, although not an outbreak.
This worm can be considered low risk, although I am putting it on sticky because two companies have confirmed noticeable spread in the field.
More information is available at this topic.
Follow-Up: Panda Goes to High Risk; Most Remain Medium
Users are reporting higher spread of the latest Bagle variant, Bagle.AI, than was originally estimated. This is mainly hearsay, but some web sites, such as VirusTotal, would back this statement up. While a high-risk consensus is unlikely at this point, users should still keep an eye out for this variant, which appears to be spreading faster than Bagle.AG.
BREAKING NEWS: 3 New Bagle Variants Appear; 2 Medium Risk
I reported in the last post here that Bagle.AF had been assigned Medium-On-Watch risk at McAfee (it remains there). However, since then, three new variants (.AG, .AH, and .AI) have appeared, and .AG and .AI are listed as Medium risk.
They are extensions on the standard Bagle theme, not varying too much from earlier variants. Typical modifications can be found here, with .AF and .AI seeming to have shifted toward an animal-related theme in the subject messages with which they mass-mail.
We're beginning to get some naming confusion here (which actually started around .J and which vendors are now trying, unsuccessfully, to correct), so to sort things out:
Variant “One”
Computer Associates: Win32.Bagle.AC
Kaspersky: I-Worm.Bagle.ah
Network Associates: W32/Bagle.ag@MM
Symantec: W32.Beagle.AC@mm
Variant “Two”
Computer Associates: Win32.Bagle.AD
F-Secure: Bagle.AH
Network Associates: W32/Bagle.ah@MM
Variant “Three”
Network Associates: W32/Bagle.ai@MM
Sophos: W32/Bagle-AI
Symantec: W32.Beagle.AG@mm
Although little is known about Variant “Two” (which is low risk at McAfee), variants “One” and “Three” appear to mass-mail with messages containing animal themes, such as “Dog,” “Fish,” “Lovely animals,” or “Predator.” However, some unrelated subject lines exist too, such as “Cool_MP3” and “Garry.”
The remote access function remains in this version, relying on .php scripts hosted on a large number of sites, all with .de suffixes (Germany). This suggests that, like Netsky, the Bagle worm was created in Germany. However, this may be a smokescreen: .com and .net suffixes are also frequently used for German sites, and it is statistically unlikely that a random pool of German sites would all have the .de suffix. There is therefore a good chance the virus author intentionally chose only German sites.
More information about individual variants can be found under their various topics here:
http://forums.mcafeehelp.com/viewforum.php?f=23
BREAKING NEWS: Medium-On-Watch Warning for Bagle.AF
It's been a while since we've had a Medium-On-Watch worm (the last Medium-On-Watch was Bagle.AA in April; the last High risk Mydoom in January), but this drought has been broken by the latest version of the Bagle family, Bagle.AF. The worm, which appeared earlier today, has been spreading at a very rapid speed, earning it Medium-On-Watch from McAfee, which signifies that there is a significant chance that a High risk upgrade will occur within the next 72 hours.
The following risks have been applied:
Trend Micro - MEDIUM
NAI - MEDIUM-ON-WATCH
Symantec - MEDIUM
F-Secure - LOW/NO ALERT RELEASED
Sophos - “MANY REPORTS”
Computer Associates - LOW-MEDIUM/NOT ASSESSED
The Secunia information file is available here. More information is also available from Harry Waldron at the McAfeeHelp Forums.
Anti-Debugging Methods Not Really New
Various sources, including InformationWeek, are reporting about a new worm by the name of Atak. There is nothing all that interesting about Atak, which has only been reported by Panda Software and F-Secure, other than a property that will have little relevance to anyone who isn't an antivirus researcher: it disables debugging programs.
Debugging programs are used by virus researchers to analyze virus samples. The average user is unlikely to have them, as for anyone but experts they are not really viable for virus detection. As Panda Software's Patrick Hinojosa puts it:
“It's really just a lame attempt to stop people who are trying to research it. But any researcher worth his salt will blow right past it.”
This more or less summarizes the threat of Atak: amateur virus analysts may be fooled, but none of the professionals will be. In fact, a write-up has been posted on Panda's web site. The only other interesting aspect of the worm is that it contains text which suggests it is an attack against various other worms.
This isn't even the first worm to terminate debugging programs, although it spends more code on the futile effort than almost all of them. In other words, Atak isn't a threat, but rather more of a minor curiosity.
Breaking News: Security Holes Leave Hard Drive Read/Write Functions Open
Adodb.stream provides a method for reading and writing files on a hard drive. This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an internet web site to execute script from the Local Machine Zone (LMZ). This occurs because the ADODB.Stream object allows access to the hard drive when hosted within Internet Explorer.
More information and a download that should be applied on Windows NT/2000/2003 Server/XP machines is available here.
Breaking News: Lovgate.AD Goes Medium at McAfee
The virus that McAfee calls Lovgate.AD has now been upgraded to Medium following significant spread, mostly in the business world, where Lovgate has in the past been most prevalent. More information is available from Harry Waldron and the McAfeeHelp Forums here:
http://forums.mcafeehelp.com/viewtopic.php?t=28644
Symantec calls this virus Lovgate.Y.
NOTE: An earlier post referred to this worm mistakenly as Lovgate.AB. That is an unrelated worm.
Secunia Virus Bulletin for Bagle.x!proxy Appears to Be Bug
Trend Micro's upgrade of WORM_BAGLE.X to a Medium risk has prompted a somewhat questionable automated security bulletin release from Secunia. Their system, which is machine-processed, attempts to sort all descriptions of a virus into one file. In this case, the processing system seems to have sorted a legitimate mass-mailing variant of the Bagle family with a version that does not mass-mail, prompting a bulletin for Bagle.x!proxy, a version of Bagle released in April.
Although what Trend Micro considers to be WORM_BAGLE.X is now listed as Medium at Trend Micro, it is not a new virus. Users who have kept their antivirus programs up to date are already protected against this worm.
“VirusTotal” Excellent Tool For Virus Submission
A few months ago, I wrote an article on submitting viruses which is available on this site. Now, however, it seems pointless; Harry Waldron has discovered an excellent up-and-coming web site called VirusTotal (http://www.virustotal.com/), which offers automatic submission to almost a dozen of the largest antivirus vendors. It also offers a number of other services, like automatic signature upgrading. If you've discovered what you think is a new virus but your antivirus program doesn't detect it, VirusTotal offers an excellent resource if the most important thing to you is not necessarily detection from your specific vendor but also information from various ones.
Statistics on the web site are also available, but at this point the use rate is so low that they do not show much other than outbreaks. News is also provided, collected from a handful of resources. However, the best thing about this service is the simplicity of the process, which requires little more than entering an email address, selecting a file to submit, and clicking go.
The site requires Macromedia Flash for its visual effects, which are mostly just for show. Although I have not been able to test it personally, I will report back when I get a sample to submit with my experiences. If anyone has used this service and has anything to say about it, feel free to post it as a comment!