January 2005 - Posts
McAfee has gone Medium risk on the latest version of the Sober worm family, Sober.K. Due to illness, my coverage of this worm will be limited. I highly recommend checking out the McAfeeHelp topic here where they will be tracking this developing threat:
http://forums.mcafeehelp.com/viewtopic.php?t=40406
McAfee upgraded the worm to Medium at 9:37 AM Eastern this morning.
F-Secure calls this worm Sober.I, but otherwise names seem standardized. McAfee is the only company to rate this anything but low at this point.
Microsoft has announced that it will release three patches for its Windows operating system next week.
The fixes, which will carry a maximum threat rating of "critical," will be issued Tuesday, the company said. Under its two-month-old advance notification program, Microsoft typically gives the public early notice of the number of updates it plans to deliver and of the severity of the vulnerabilities the updates fix.
Click here for more.
I got a welcome surprise in the mail today - a notification that I have been awarded as an MVP for the second year, which I suppose makes me a sophomore member of the program. I am honored to continue to be in this wonderful program with such great people.
To Microsoft and my fellow MVPs, a *huge* thank you - you rock! :)
Before I head off to bed, I just want to give a very quick update on the “Anti-Santy” worm I have discussed previously in a post, as well as a follow-up. We now have a name to this worm - Asan - and information that its spread seems to be slowing from already limited levels. The good folks at F-Secure have more information in this weblog entry.
In addition, F-Secure reports Spyski.D, a new variant of the Spyski family (McAfee posts generic information for earlier versions here), which scans for 50 common phpBB vulnerabilities and coding mistakes to infect systems. There is little word on how much this worm, referred to as Spyki.D by F-Secure, is spreading, but I'd bet that checking for 50 phpBB vulnerabilities is going to put a lot of strain on already overloaded servers.
Of course, anyone who has not already upgraded should do so at the phpBB web site. And if you think that your install might have sloppy security, unless it is critical to keep PHP functions up, it might be worth going offline and patching up the holes - being infected is a lot worse. Then again, if it is critical, it would probably be wise to take a long, hard look at why those holes are there in the first place.
Remember, just not being on search engines isn't good enough. It isn't just worms that can use these vulnerabilities.
I'd like to give you all a quick update on the phpBB worm I reported yesterday, which targets the vulnerability used by Santy and patches it. Although it still lacks a name, and little is actually known about it, the media is beginning to report on it. From ZDNet (underlining for emphasis on new details mine):
F-Secure said on Friday that it was aware of seven sites that had been defaced by the worm, which appears designed to combat the Santy worm. The anti-Santy worm searches Google for sites that use the PHP Bulletin Board (phpBB) software exploited by the earlier worm, infects the sites and attempts to make the sites more secure by installing a patch.
Mikko Hyppönen, director of antivirus research at F-Secure, said that although the worm may seem beneficial, in fact it is likely to cause problems for administrators who will have to handle the increase in traffic.
"I can't comment how effective it is in fixing the sites," said Hyppönen. "If a site is infected, the worm causes a huge amount of traffic and slows down the site. I don't think it's possible to write a beneficial worm."
Sites that have been attacked by the anti-Santy worm are defaced with the words: "viewtopic.php secured by Anti-Santy-Worm V4. Your site is a bit safer, but upgrade to >= 2.0.11."
Hyppönen said he has seen two versions of the defacement page, which lead to two different IP addresses. Both IP addresses resolve to Argentina, which suggests that that is where the anti-Santy worm originated.
The Santy worm wreaked havoc in the weeks before Christmas, spreading to more than 40,000 Web sites by Dec. 21. On Dec. 22, Google started blocking queries that were generated by the worm, to stop the worm from replicating. But a few days later it was discovered that it was using America Online and Yahoo's search engines and was still targeting Google.
It is hard to estimate how quickly Anti-Santy is spreading, as the message that the worm drops is much more hidden. However, if F-Secure is only aware of seven sites, this worm likely is a small-scale threat.
To Google's credit, it is doing a good job of protecting against this worm. I was surprised to find this on page two of my search when using a string to search for infected sites. They may want to adjust this before pranksters take the opportunity to fool unsuspecting non-techies into thinking Google is telling them for certain that they are infected.
More on this when and if it is available.
The fireworks just ended over the Seattle Space Needle and I just wanted to drop in to wish everyone a happy and safe new year!
I thought this picture might be especially appropriate given the season (hopefully one that no one reading this will ever get to see first-person):

Being that this is the new year, I also put up a new theme for the blog as well as added a blogroll, which I will hopefully have many entries to add to in the future. Enjoy everyone, and do have a good 2005!