Security Manifest

Benjamin Johnstone-Anderson, Microsoft MVP - Windows Security

December 2004 - Posts

F-Secure Reports "Anti-Santy" Worm

A new worm that attacks the same phpBB vulnerability exploited by Santy has appeared, according to F-Secure's excellent blog, which I cannot recommend enough. Apparently this worm patches the hole that Santy uses to get in. It then drops a file named secure.php, which looks like this:

Like most "good worms," this one has a major side effect: it hammers the sites it attempts to infect with a flood of requests, which can knock over sites that are already patched, and the patch it applies may very well not work properly.

More on this threat once it has been given a name.

Posted: Dec 31 2004, 05:57 PM by trafton | with 5 comment(s)
Kipis.B - Unhappy New Years

Recently I wrote about two worms (here and here) that promised to make Christmas a little less merry for the unlucky souls who fell for their festive email-based tricks. For New Year's, a worm by the name of Kipis.B appeared a week ago, and McAfee has only just posted a description of it. That McAfee waited a week before publishing is a good indication that so far Kipis.B is not much of an issue. It is still worth a look, though, as a good example of a bare-bones holiday email worm.

Kipis.B, like most recent email worms, contains its own mailing engine and sends itself with forged sender addresses. These may include addresses such as madonna@madonna.com and others suggesting female pop artists. The subject is either a swear word, "Happy New Year," or "Hello." The body varies as well: a fake server error message, a somewhat offensive phrase, or "Hello! baby :)". The attachment name varies, but always ends in .scr.

It should be noted that the worm does not always send itself with a New Year's message; only one of the subjects mentions the New Year, and two of the attachment names contain "03" or "04". The worm can also spread via P2P shared folders, usually under filenames suggesting pornographic content or pirated software ("warez").

The worm will not email itself to certain addresses: mainly those at antivirus vendors, strings that look like addresses but are really filenames (it skips anything containing ".txt", for instance), various technology web sites, and a number of minor sites for which the reason for exclusion is unclear. Skipping antivirus addresses is standard practice for mass mailers, presumably to delay samples reaching the vendors. Most of the minor sites are located in Russia or associated with the Russian language, suggesting that this worm may originate from there.

At this time, I haven't heard of any reports of this worm spreading significantly. However, since many of its messages are not New Year's themed, there is a small possibility of it continuing to circulate after New Year's.

Posted: Dec 31 2004, 05:39 PM by trafton | with 2 comment(s)
Zero Day Attack - Windows Security Load Image & Help Vulnerabilities

We are currently carefully tracking developing threats centered around vulnerabilities in the Windows operating system.

As the Internet Storm Center (sans.org) puts it:

The holiday news continues to be bleak, with a pair of critical vulnerabilities for Windows NT/2000/2003/XP. First, unless you're running XP SP2, there is a buffer overflow in the LoadImage API, resulting in bitmaps, icons, and animated cursor data files (.bmp, .cur, .ico, and .ani) that can be exploited via HTML delivered either via email or a website. This vulnerability can be used to execute code. Secondly, there is a heap overflow in winhlp32.exe while processing help files on Windows, including XP SP2, apparently. Try not to install help files until some Tuesday in, we hope, January.

Zero-day vulnerabilities are those that become public (or are actively exploited) before a patch is available for the affected software. Some appear while the patch is still being developed, which is a long process, oftentimes several months. As always, I'm going to focus on the threats that have originated from this and on how to protect against them, since at this time there is no way to patch the vulnerabilities.

Phel Trojan
The first threat to emerge from this incident was Trojan.Phel, which appeared yesterday morning. The Trojan horse, which arrives as an HTML file, exploits the Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass Vulnerability. When opened, Phel downloads content from a domain hosted in New York City and saves a malicious file as My.hta in the Startup folder, so that it runs at the next logon. It then downloads a backdoor program to the infected computer from a server in Madrid.

This Trojan runs on many language versions of Windows: Danish, Dutch, English, Finnish, French, German, Italian, Norwegian, Polish, Portuguese, Spanish, Swedish, and Turkish. At this time, Phel is believed to have limited spread. Also, at the time of this writing, the New York City server was down, further limiting it. The server in Madrid was up, but returned a "no web site configured at this address" error. Other than using the zero-day exploit, Phel is an unremarkable Trojan and is incapable of spreading on its own.

More information can be found here, courtesy Symantec.

Downloader-TO
The other threat known at this time to use the Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass Vulnerability is Downloader-TO. Like Phel, it is a Trojan horse whose only apparent purpose is to download a further file. It does not spread itself.

When the user visits a web site hosting the exploit, Downloader-TO drops itself into the Startup directory as Microsoft Office.hta. When the machine is rebooted, Microsoft Office.hta runs and downloads a program named server.exe, saving it as C:\malware.exe. This is the Downloader-TO Trojan proper.

The Trojan then adds itself to the Windows XP SP2 firewall's authorized applications list under the name cmsscs. It can also disable a limited number of firewall and antivirus programs. When this is done, it downloads a further file from a server owned by a hosting company in Houston, Texas; at this time that file is believed to be a proxy server Trojan. It is likewise added to the firewall policy as module32 and saved to C:\Windows\tgbcde\module32.exe. Note that once malware has written its own firewall exception, the host firewall offers no protection at all against that component, so checking the exceptions list is a quick and worthwhile triage step.
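The two artifacts described above, the .hta dropped into a Startup folder and the entries added to the XP SP2 firewall's authorized-applications list, are easy to check for. The following is an added example (mine, not from the McAfee write-up or this post) that applies a simple path-based heuristic to constructed sample data: a Startup folder listing and four values in the "path:scope:Enabled:name" format that Windows XP SP2 stores under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List. The sample entries, the list of trusted directories and the script-host extension list are my assumptions; the two malicious entries are modelled on the write-up.

```python
import ntpath
import re

# Constructed sample: values from the XP SP2 key
#   HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
#     FirewallPolicy\StandardProfile\AuthorizedApplications\List
# Each value is "path:scope:Enabled|Disabled:display name".
SAMPLE_AUTHORIZED_APPS = [
    r"%windir%\system32\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019",
    r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\malware.exe:*:Enabled:cmsscs",                    # Downloader-TO
    r"C:\Windows\tgbcde\module32.exe:*:Enabled:module32",  # second stage
]

# Constructed sample: (folder, filename) pairs from the Startup folders.
SAMPLE_STARTUP = [
    (r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup", "desktop.ini"),
    (r"C:\Documents and Settings\alice\Start Menu\Programs\Startup", "Microsoft Office.hta"),
    (r"C:\Documents and Settings\alice\Start Menu\Programs\Startup", "My.hta"),
]

# Assumption: legitimate firewall exceptions live under these directories.
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\program files")
# Script-host files that have no business sitting in a Startup folder.
SCRIPT_HOST_EXTS = {".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def expand_windir(path):
    """Expand %windir% the way the firewall service does (assumed C:\\Windows)."""
    return re.sub(r"%windir%", lambda m: r"C:\Windows", path, flags=re.IGNORECASE)


def parse_authorized_app(value):
    """Split 'path:scope:state:name'; rsplit keeps the drive-letter colon in the path."""
    path, scope, state, name = value.rsplit(":", 3)
    return {"path": path, "scope": scope, "state": state, "name": name}


def reasons_to_flag(value):
    """Return a list of reasons this firewall exception looks suspicious."""
    entry = parse_authorized_app(value)
    path = expand_windir(entry["path"]).lower()
    reasons = []
    if not path.startswith(TRUSTED_PREFIXES):
        reasons.append("executable outside system or program directories")
    rest = ntpath.splitdrive(path)[1].lstrip("\\")
    if "\\" not in rest:
        reasons.append("executable sits in the drive root")
    return reasons


def triage_authorized_apps(values):
    """Map each suspicious value to its reasons; clean entries are omitted."""
    flagged = {}
    for value in values:
        reasons = reasons_to_flag(value)
        if reasons:
            flagged[value] = reasons
    return flagged


def triage_startup(listing):
    """Return full paths of script-host files found in Startup folders."""
    hits = []
    for folder, filename in listing:
        if ntpath.splitext(filename)[1].lower() in SCRIPT_HOST_EXTS:
            hits.append(ntpath.join(folder, filename))
    return hits


if __name__ == "__main__":
    for value, reasons in triage_authorized_apps(SAMPLE_AUTHORIZED_APPS).items():
        print("firewall exception:", value, "->", "; ".join(reasons))
    for hit in triage_startup(SAMPLE_STARTUP):
        print("startup script:", hit)
```

On a live XP SP2 machine the same two functions can be fed the output of `reg query` on the key above and a directory listing of each user's Startup folder; the heuristic is deliberately crude (anything outside system32 or Program Files is flagged), so expect to whitelist legitimate third-party exceptions.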

For more information, please consult the McAfee write-up.

LoadImage API Vulnerability
For users not running Windows XP Service Pack 2, there is a separate vulnerability in the LoadImage API which allows malformed bitmap, cursor, icon, and animated cursor files (.bmp, .cur, .ico, and .ani all qualify) to be exploited via HTML, whether delivered by email or on a web site. Unlike the Help Control vulnerability, this one is already fixed in Service Pack 2, which I strongly recommend upgrading to. So far, there have been no threats beyond proof-of-concept code using this vulnerability.

Protection
At this time, no patch is available for either of these vulnerabilities. However, it is important to note that the LoadImage API vulnerability is fixed by upgrading to Service Pack 2. Those who have not done so should as soon as humanly possible. On the other hand, all systems are at this time vulnerable to the Help Control exploit. Users should wait to install help files whose integrity they cannot fully verify until a patch is available. Since both Phel and Downloader-TO arrive as web pages rather than as help files, untrusted HTML, in email or on the web, deserves the same suspicion. When a patch arrives, I will of course post the information.

Have a happy, safe New Year!

Santy Worm - Upgrade to phpBB 2.0.11

PERL.Santy is a worm that uses the Google search engine to find vulnerable web sites running phpBB software. phpBB 2.0.10 is affected; 2.0.11 is not. Vulnerable sites will typically show this in their page footer:

Powered by phpBB 2.0.10 © 2001 phpBB Group

Yet again, F-Secure's weblog did an excellent job of covering a major event like this, and I highly recommend it. Defaced sites typically display the following text, in red, in varying fonts:

This site is defaced!!!
NeverEverNoSanity WebWorm generation x.

x here is a generation counter: the number of hops the worm has taken from the original infection to reach that site, much like generations in the spread of a human disease. It does not tell us the total number of infections, since each generation can produce many infections. So far the highest generation that both Google and MSN show is 24.
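As an added example (my code, not the worm's or F-Secure's), here is how an administrator could scan a set of saved pages for the two indicators mentioned above: the phpBB version string in the footer and the Santy defacement text with its generation counter. The HTML snippets are constructed; the version check assumes, as the post says, that 2.0.11 is the fixed release and treats anything older as unpatched.

```python
import re

# Constructed sample pages: an unpatched forum, a patched one, a defaced one,
# and an unrelated page.
SAMPLE_PAGES = {
    "forum-a": "<html><body>...<div class=\"copyright\">Powered by phpBB 2.0.10 "
               "&copy; 2001 phpBB Group</div></body></html>",
    "forum-b": "<html><body>...Powered by phpBB 2.0.11 &copy; 2001, 2002 phpBB Group"
               "</body></html>",
    "forum-c": "<html><body><font color=\"red\" size=\"7\">This site is defaced!!!<br>"
               "NeverEverNoSanity WebWorm generation 17.</font></body></html>",
    "blog": "<html><body>Nothing to see here</body></html>",
}

FIXED_VERSION = (2, 0, 11)   # first release without the hole, per the post

VERSION_RE = re.compile(r"Powered by phpBB\s+(\d+(?:\.\d+)+)", re.IGNORECASE)
DEFACE_RE = re.compile(r"NeverEverNoSanity WebWorm generation\s+(\d+)", re.IGNORECASE)


def phpbb_version(html):
    """Return the advertised phpBB version as a tuple of ints, or None."""
    m = VERSION_RE.search(html)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_phpbb(version):
    """Assumption: every release older than 2.0.11 is treated as unpatched."""
    return version is not None and version < FIXED_VERSION


def santy_generation(html):
    """Return the worm's generation counter if the page carries the defacement."""
    m = DEFACE_RE.search(html)
    return int(m.group(1)) if m else None


def scan_page(html):
    """Summarise one page: version, vulnerable?, defacement generation (or None)."""
    version = phpbb_version(html)
    return {
        "version": version,
        "vulnerable": is_vulnerable_phpbb(version),
        "generation": santy_generation(html),
    }


def scan_site_list(pages):
    """Scan many pages; return those needing attention and the highest generation seen."""
    report = {}
    highest = None
    for name, html in pages.items():
        result = scan_page(html)
        if result["vulnerable"] or result["generation"] is not None:
            report[name] = result
        if result["generation"] is not None:
            highest = max(highest or 0, result["generation"])
    return report, highest


if __name__ == "__main__":
    report, highest = scan_site_list(SAMPLE_PAGES)
    for name, result in report.items():
        print(name, result)
    print("highest generation seen:", highest)
```

The footer string is only advertising, so a site that has removed or edited it will pass the version check; the defacement check is the reliable one, since the worm writes that text over the pages it hits.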

Fortunately, Google has blocked the search string that Santy uses to spread, so further infections are unlikely. This was done around midnight GMT. Google sent F-Secure this reply:

While a seven hour response for something like this is not outrageous, we think we can and should do better. We will be reviewing our procedures to improve our response time in the future to similar problems.

This is a good response in my eyes and hopefully the .B variant, which has appeared, will do little.

However, all users running phpBB 2.0.10 should IMMEDIATELY upgrade to phpBB 2.0.11, as this vulnerability allows anyone to compromise outdated sites, not just the Santy worm. Blocking one search string slows the worm down, but it does nothing for a site that is still running vulnerable code.

ZDNet: 'Second Christmas card virus Ataks users' - Atak.H

'Tis the season when the Christmas lights go up and the virus writers go into high gear trying to ride the latest wave of viral festivity with a theme-related worm or two. Zafi.D appeared on Tuesday and spread quickly with its provocative email message and Christmas cheer (and subsequent misery for those who managed to open it), and now ZDNet has highlighted yet another worm, Atak.H (.I to other vendors), that could make the egg nog taste a tad sour this year.

The ZDNet article is not very specific or technically in-depth, but it does provide some interesting information. It states that F-Secure characterized the reports as "rolling in," which is not a great measure of how fast a worm is spreading; from what I have heard from various sources, whatever rolling in is happening is happening quite slowly. This worm has not made much of a splash yet.

F-Secure's Mikko Hypponen offers a simple, but relevant suggestion for emailing Christmas cards on the Internet - don't do it:

“There are different levels of risk with these email Christmas cards,” said Mikko Hypponen, director of antivirus research for F-Secure. “It's very similar to past ones we've seen. There's little risk in sending Christmas cards, but there is in opening them. We recommend people to send old-school Christmas cards because there's no security risk in that.”

It's not common to see a recommendation like this, but I have to concur, at least to an extent: it is just a bad idea to send Christmas cards as email attachments. With many online card services making at least some of their money through mailing lists, it might be easier (and more personal) to splurge on postage and drop a card in the mail, at least to family and friends. Otherwise, I would recommend that everyone examine closely the privacy policy of any web site they enter their email address into, especially if they are also entering the addresses of others who may not appreciate the spam (which I would hope is pretty much everyone).

On a technical and social engineering level, Atak.I is a fairly uninteresting prospect. It harvests email addresses from files on the hard drive and emails itself with one of two subject lines and one of two message bodies. The subject lines are "Merry X-Mas!" and "Happy New Year!" The body texts are "Happy New year and wish you good luck on next year! [sic]" and "Merry Christmas! Happy New Year! 2005 will be the beginning!" The attachment name is built by combining two of the following extensions: .pif, .com, .bat, or .scr, giving names like pif.scr, com.bat, and scr.scr. The worm sometimes sends itself as a .zip instead. The message body is formatted as large red text, like this image (courtesy of F-Secure):
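Both Kipis.B (above, attachments always ending in .scr) and Atak.H/I (attachments named pif.scr, com.bat and so on, or sent as a .zip) rely on the recipient running an executable attachment. The following added example (mine, not from either write-up) is the kind of check a mail gateway can apply: it looks at the final extension, notes a second extension hiding behind it, and opens .zip attachments in memory to classify their members. The messages, the zip contents and the extensions beyond the four named in the post are constructed assumptions.

```python
import io
import ntpath
import zipfile

# The four extensions named in the post (.pif, .com, .bat, .scr) plus other
# directly executable or script types; everything after .scr is my addition.
EXECUTABLE_EXTS = {".pif", ".com", ".bat", ".scr", ".exe", ".cmd", ".hta", ".vbs", ".js"}
CONTAINER_EXTS = {".zip"}


def extensions_of(name):
    """All extensions in a filename, e.g. 'card.jpg.scr' -> ['.jpg', '.scr']."""
    base = ntpath.basename(name.strip().lower())
    parts = base.split(".")
    return ["." + p for p in parts[1:] if p]


def classify_attachment(name, data=None):
    """Return ('block', reason) or ('allow', reason) for one attachment."""
    exts = extensions_of(name)
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXTS:
        reason = "executable extension " + final
        if len(exts) > 1:
            reason += " behind decoy extension " + exts[-2]
        return "block", reason
    if final in CONTAINER_EXTS and data is not None:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            return "block", "unreadable zip archive"
        for member in members:
            verdict, reason = classify_attachment(member)
            if verdict == "block":
                return "block", "archive member %s: %s" % (member, reason)
    return "allow", "no executable content found"


def build_zip(member_name, payload):
    """Construct a small zip in memory (stands in for a captured attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed sample messages: (subject, attachment name, attachment bytes).
SAMPLE_MESSAGES = [
    ("Merry X-Mas!", "pif.scr", b"MZ\x90\x00fake"),
    ("Happy New Year!", "com.bat", b"@echo off\r\n"),
    ("Happy New Year!", "card.zip", build_zip("scr.scr", b"MZ\x90\x00fake")),
    ("Hello", "newyear04.scr", b"MZ\x90\x00fake"),
    ("Photos", "holiday.zip", build_zip("tree.jpg", b"\xff\xd8\xff\xe0")),
    ("Minutes", "notes.txt", b"see you in January"),
]


def scan_messages(messages):
    """Classify every attachment; returns [(subject, name, verdict, reason), ...]."""
    results = []
    for subject, name, data in messages:
        verdict, reason = classify_attachment(name, data)
        results.append((subject, name, verdict, reason))
    return results


if __name__ == "__main__":
    for subject, name, verdict, reason in scan_messages(SAMPLE_MESSAGES):
        print("%-5s %-16s %-18s %s" % (verdict, subject, name, reason))
```

The check is name-based only: it catches the naming tricks these two worms use, but a password-protected or nested archive, or an executable renamed to an innocuous extension, needs content inspection on top of it.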

http://www.f-secure.com/virus-info/v-pics/atak_h_email.gif

Atak.H is not very destructive and does nothing but spread, which it has not done significantly. A good indicator of the outbreak potential of a new worm variant is how well previous versions of the same worm have done. McAfee lists 9 versions of the Atak worm, five of which were interesting enough to warrant write-ups. Of these, three received media attention and a Low-Profiled risk rating, but none received a Medium rating. The WildList, interim edition of December 1st, indicates that Atak.A and Atak.B have both spread a small amount.

At this point, it is fairly safe to say that Atak.H/I will not become a major outbreak incident, but may very well be out there. So keep safe during the holiday season, and use common sense when dealing with any email - even if it's a Christmas card from your aunt.

Posted: Dec 16 2004, 05:23 PM by trafton | with 1 comment(s)
Zafi.D - High Risk at Secunia

The new Zafi.D worm is spreading rapidly and has been rated High Risk by the security company Secunia, which aggregates write-ups from various antivirus vendors and assigns its own risk rating.

Zafi.D was discovered on Tuesday and has since maintained a relatively steady spread rate, which has lately declined slightly. Antivirus company Sophos, according to BBC News (WARNING: mildly offensive smilies within), estimates that at its peak on Tuesday evening the worm was in 10% of all emails sent.

One of the most notable features of Zafi.D is its multilingual messages, something that has helped other worms spread more widely. Language is one of the more interesting aspects of virus spread: it allowed the Japanese worm FBound.C to become a worldwide outbreak, with huge spread in western Europe, Canada, and the United States in March 2002, after curious people opened the attachment of a worm whose message appeared to them as junk text. It also allowed the Mexican worm Mapson to become prevalent among Hotmail users in the summer of 2003, especially in communities with both Spanish and English speakers.

Perhaps more likely to help it spread is the image of two smiley faces copulating between the words "Happy Hollydays [sic]." Contrary to what it should do (be a red flag that something is up), childishly semi-offensive imagery like this simply increases the chance that the worm spreads further. The Christmas theme only adds to this.

Once on a machine, Zafi.D is a fairly standard, not incredibly damaging worm. Like most worms of its day, it contains its own SMTP engine to send itself and harvests email addresses from the host machine in the usual way (searching through files on disk). Also featured are the now-standard P2P spreading capability and the equally common ability to shut down security programs.

I have received conflicting reports about Zafi.D's language abilities; one report says that "outgoing email message bodies are either in English or Hungarian," while another gives an example of an outgoing body in German. Despite the minor successes of local Hungarian worms like Magold, it is doubtful that adding Hungarian message bodies increases its spread all that significantly over English alone.

December is typically a breeding ground for holiday-related worms, such as Navidad, which appeared in November 2000 and became a major problem the month after, and the Ska (Happy99) worm, which offered a greeting for New Year 1999 and inexplicably remained one of the most common worms through 2001.

The moral of the story is, as usual: avoid opening Christmas cards from friends you never knew you had, or for that matter from friends who would probably not be sending you Christmas cards in some weird sort of sub-English. And, of course, any attachment, no matter who it is from, should be regarded with extreme suspicion.

Happy holidays, everyone, and please do be safe. :)

Resources for Zafi.D
McAfeeHelp.com - My fellow MVPs Harry Waldron and Jurren Bouman have here compiled a list of many known write-ups for Zafi.D, as well as news stories. An excellent portal to information for this threat.