Security Manifest

Benjamin Johnstone-Anderson, Microsoft MVP - Windows Security

September 2004 - Posts

SANS: GDI+ Worm Discovered For AOL Instant Messenger

Low-Risk Worm is a New Twist on Old Risk

The reliable SysAdmin Audit Network Security Institute (SANS) reports that a worm has appeared on AOL Instant Messenger that utilizes the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (MS04-028).

According to Johannes Ullrich, chief technical officer at SANS' Internet Storm Center, this sort of thing has been done in the past, except with HTML code instead of JPEG. “It is a virus, but it didn't spread very far. We've only had two reports of it,” Ullrich said. The worm, which has not been officially named, sent a message to the victim urging them to “Check out my profile, click GET INFO!”. When the profile site was visited, malicious code was downloaded to the computer, which then executed the worm.

“We haven't seen any damage reports of this worm,” F-Secure's Mikko Hypponen says. “I've seen some discussion, but our best estimate is that it hasn't got very far.”

Getting a user to visit an infected web page or download an infected file via instant messengers is not a new trick among virus makers, though. It has been around since the first instant messenger-based threat, the Fleming worm, was isolated in October 2002.

Posted: Sep 30 2004, 07:00 PM by trafton | with 6 comment(s)
A Look at New GDI+ Exploit Threats

Minor Trojans, Not Major Mass-Mailers, Appear

In addition to the Moo Trojan that I recently reported on, we now have four new threats based on the recent MS04-028 vulnerability.

Roxe
Roxe is a simple backdoor that also abuses the MS04-028 vulnerability. Note that it does not spread itself, and the vulnerability has only been used to drop it. When executed, Roxe connects to a predefined computer and gives it control of the target system. Roxe may also download various files onto the machine, perhaps more advanced backdoors.

Ducky
Ducky is a Trojan horse that downloads the file y.exe from maybeyes.biz, which is registered to what is likely a fake (based on the misspelled last name and email address) P.O. Box in New York City. Other things suggest that Ducky actually originates from France.

Ducky.B
Ducky.B is identical to the original Ducky, except y.exe is downloaded from a Russian web server.

Unnamed AIM Worm
This is the most interesting new GDI+ exploit threat. I am going to devote an entire post to this worm, which should be posted shortly.

Posted: Sep 30 2004, 06:50 PM by trafton | with 584 comment(s)
Bagle.AZ 24 Hours Later

Waters Apparently Calming

Ever since MessageLabs stopped updating its statistics frequently, it has become harder to judge how fast mass-mailing email-borne viruses spread. However, I am happy to report that 24 hours after it first appeared, Bagle.AZ looks like a Medium-risk worm that is not spreading especially widely.

Although there is currently a consensus over the risk in the lower part of the Medium range, many vendors do not even consider this a Medium risk. The current reports are:

F-Secure: Medium
Network Associates: Medium
Panda Software: Medium
Sophos: Low-Medium
Symantec: Low-Medium
Trend Micro: Low

(Note that Panda uses a slightly different scale than other vendors listed here, so their site lists as “High” what is really “Medium.”)

Also, Symantec uses the name “Beagle” instead of “Bagle.”

Despite the lower-than-initially-reported risk, it is important to remain vigilant for this version and subsequent variants. This shows that the Bagle family creator is still out there, still making new variants, and most notably still attempting to make those variants widespread.

Posted: Sep 29 2004, 08:05 PM by trafton | with 7 comment(s)
"Moo" Trojan First to Use "JPEG" Exploit

Thanks to Harry Waldron for the alert on this threat.

Recently I mentioned on this blog the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability described in Microsoft Security Bulletin MS04-028. Now we have the first example of a non-proof-of-concept use of this vulnerability: the Moo Trojan.

Moo is a simple Trojan horse which has no functionality other than to download the file m00.exe from a web server and run it. It is unknown what m00.exe is, although chances are it is a backdoor program that allows unauthorized access to infected computers.

This has been labeled as the first Trojan horse found “in the wild” using this method. While technically true, it must be understood that “in the wild” simply means that the threat was found after it was released, rather than being submitted directly to antivirus companies. This does not necessarily mean that the threat is spreading significantly and, in fact, there have been few if any reports of Moo so far.

It is unlikely Moo will become a major threat in the field, especially as it is unable to spread by itself. Incorporating methods used in Moo could later result in much more dangerous worms, so it is important to watch this threat and patch all systems that could be affected. Also important to note is that this is not a virus and does not infect files; rather, it is a Trojan horse that downloads a file from a web server.

More information about Moo from Symantec is available here.

Bagle.AZ Goes Medium at McAfee

Breaking News: New Bagle Variant Spreading Quickly Worldwide

The latest variant of the Bagle worm, Bagle.AZ, has now been declared a Medium risk at McAfee due to increasing spread. For more information, see this link from the McAfeeHelp forums:

http://forums.mcafeehelp.com/viewtopic.php?t=32387

This is notably the first time McAfee has declared a Medium risk alert since MyDoom.S on August 15th. I personally received a copy in my Yahoo! email box this morning, and reports continue to come in that spread is increasing, although it seems unlikely at least at this point to become a major outbreak.

I will continue to monitor this developing threat. More information will be posted as it is made available.

JPG Processing (GDI+) Bug In the Wild
The potentially very dangerous buffer overflow exploit that recently surfaced has already turned into a proof-of-concept, according to various sources. Symantec describes it thusly:

Hacktool.JPEGDownload is a program that can be used to generate .jpg files that exploit the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (described in the Microsoft Security Bulletin MS04-028). The .jpg files that this Trojan generates can download a URL hardcoded in the .jpg file, and are detected by Symantec products as Download.Trojan.

F-Secure's weblog has posted a picture of the program.


Although there are no known uses in any current malware other than this proof-of-concept program, once an exploit has been used as a proof-of-concept, it typically is not long before it is in the field, so patch up.
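As an added defensive illustration (not code from the original post or from any vendor named here): a small Python scanner that walks a JPEG's marker segments and flags any segment whose declared length is below 2, the malformed value behind the MS04-028 underflow. The sample byte strings are constructed, not real files.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA          # JPEG markers
STANDALONE = {0x01, *range(0xD0, 0xD8)}   # TEM, RST0-RST7: no length field

def scan_jpeg_segments(data: bytes):
    """Walk a JPEG's marker segments; return (offset, marker, length, reason).

    The 16-bit segment length counts its own two bytes, so a declared length
    below 2 makes a naive "length - 2" go negative. That is the integer
    underflow MS04-028 describes, so such segments are flagged here.
    """
    findings = []
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        return [(0, None, None, "missing SOI marker; not a JPEG")]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append((pos, None, None, "expected 0xFF marker prefix"))
            break
        marker = data[pos + 1]
        if marker == 0xFF:            # padding byte before a marker
            pos += 1
            continue
        if marker == EOI:
            break
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append((pos, marker, None, "truncated segment header"))
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            findings.append((pos, marker, length,
                             "segment length < 2 (MS04-028-style underflow)"))
            break                     # parsing cannot safely continue
        if marker == SOS:
            break                     # entropy-coded data follows; header done
        pos += 2 + length
    return findings

def is_suspicious(data: bytes) -> bool:
    return any(f[3].startswith("segment length < 2") for f in scan_jpeg_segments(data))

# Constructed samples (not real files): a COM segment (0xFFFE) declaring
# 7 bytes (2 for the length field plus "hello"), and the same declaring 0.
BENIGN = b"\xff\xd8\xff\xfe\x00\x07hello\xff\xd9"
MALFORMED = b"\xff\xd8\xff\xfe\x00\x00hello\xff\xd9"
```

Run `is_suspicious()` over files from an untrusted source (mail attachments, IM profile downloads) to triage them before an unpatched GDI+ ever parses them.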

It should also be noted that Kaspersky's Exploit.IE.Crashos detection is not related to this vulnerability, and does work in SP2. It can also be triggered by a .JPG file in Internet Explorer, which has generated some concern. When and if Kaspersky publishes information on this detection, it will be posted.