Security Manifest

Benjamin Johnstone-Anderson, Microsoft MVP - Windows Security

March 2005 - Posts

Worm Infects Washington State Tax Network

Locally, this is a fairly large story, which I thought I'd share as a case study of how even the smallest crack in security can become a major problem on a large network. From the Tacoma News Tribune:

The FBI and the Washington State Patrol are investigating the source of an Internet worm that crippled the state Department of Revenue’s computer network this week and double-billed 1,400 businesses for tax payments.

The worm, a variant of a computer program that infected state government networks a few months ago, most likely entered the system over the weekend, according to Ralph Osgood, the Revenue Department’s deputy director.

As employees logged onto their computers Monday morning, Osgood said “it multiplied very rapidly and took the system down.”

The department, which collects state business and sales taxes, began rebooting its computers Wednesday afternoon and planned to be fully operational today.

As of Wednesday evening, department officials said they had not found any lasting damage. No confidential taxpayer information was lost or compromised. The agency issued credits to the businesses that were charged twice and planned to contact each to explain what happened.

Osgood said the worm “doesn’t appear to scramble data or retrieve data and send it different places.” The goal, he said, seemed to be “to cause chaos.”

FBI Special Agent Roberta Burroughs wouldn’t say if the bureau’s Northwest cyber crimes task force had any leads. “Just trying to figure out what happened,” she said.

The 2½-day system shutdown made the crash among the most debilitating to strike a state government agency, according to interviews with state agency technology officers.

Worms are independent programs that replicate themselves, spreading from computer to computer on a network.

This particular worm is a variation of a program known as Rbot that has periodically infected the state network over the last few years, said Nancy Jackson, the Department of Information Services’ spokeswoman.

This last paragraph is especially worrisome: apparently the worm has been infecting the system “over the last few years.” Even though this statement is somewhat overdone, considering Rbot was discovered in September 2004, it does show how large institutions should focus on closing the holes that allow reinfection, something which has obviously not been done here.

Despite Revenue Department deputy director Ralph Osgood's assertion that the worm “doesn't appear to scramble data or retrieve data and send it different places,” it should be noted that Rbot opens a backdoor on the infected system, making infection of machines handling tax returns an even more disturbing prospect.

Posted: Mar 24 2005, 05:01 PM by trafton | with 8 comment(s)
Ad-Aware Fixed!

Good news in that last week's problem with Lavasoft's Ad-Aware adversely affecting LANs seems to have been resolved.

http://www.lavasoftsupport.com/index.php?showtopic=60859

A link to the original post can be found here:

http://msmvps.com/trafton/archive/2005/03/11/38236.aspx

Ad-Aware Signature Files May Crash LAN

CD from the McAfeeHelp.com Forums has graciously highlighted here an issue that should be considered before running Lavasoft's popular anti-spyware program Ad-Aware this week:

Please don't run AdAware (seems limited to the free version) without extreme caution this week. It's killing internet connection, running system restore isn't fixing it for all.

More information can be found at the Lavasoft Support site here. As far as I know, the company has not released information on the problem, but users may want to consider waiting before they update their definitions just in case.

The folks at Lavasoft produce Ad-Aware for free, and it is among the programs that I recommend most frequently. It is an excellent program from a small company. There is no evidence that these problems are part of any continuing pattern that I can see, so I will still feel confident in recommending Ad-Aware after these problems are resolved.

Posted: Mar 11 2005, 04:53 PM by trafton | with 11 comment(s)
Highly Recommended Book

To anyone with an intermediate or better knowledge of computers who is interested in computer viruses, their origins, and their functioning, I would highly recommend legendary virus analyst Peter Szor's The Art of Computer Virus Research and Defense. You can find it at Amazon.com for a scant $32.99, which is well worth it for this in-depth, 744-page book. From the cover:

Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools. Unlike most books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware. Peter Szor systematically covers everything you need to know, including virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, and much more.

Szor presents the state-of-the-art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. Along the way, he provides extensive information on code metamorphism and other emerging techniques, so you can anticipate and prepare for future threats.

Szor also offers the most thorough and practical primer on virus analysis ever published—addressing everything from creating your own personal laboratory to automating the analysis process.

Posted: Mar 07 2005, 04:04 PM by trafton | with 20 comment(s)
Sober.L - New Sober Variant Going Around

Sober.L is a mass-mailing worm that appeared this morning around 10 AM PST. It is believed to be spreading rapidly in Germany and is beginning to appear in several other countries. Like previous Sober variants, the worm sends messages written in either English or German, depending on the language of the installed copy of Windows.

Messages containing Sober.L typically pretend to be from an administrator and concern the victim's password. The emails are written with poor capitalization and broken English. Hopefully this will be a warning flag that limits spread outside of Germany (although the German message also suffers from poor punctuation and capitalization).

Sober.L has been declared a Medium risk at Trend Micro.

Details
Sober.L was discovered on March 8, 2005, with details first published around noon PST. It is a worm that spreads via email. It also terminates a small handful of security programs. The attachment containing Sober.L is named either MailTexte.zip (German) or acc_text.zip (English).

Protection
Updated detections for most antivirus programs should appear within the next 24 hours or so. It is unlikely that emergency detection will be published, as the worm remains a Low risk threat on all descriptions at this time. In the meantime, users should practice common sense and avoid opening suspicious emails, and, when in doubt, contact the alleged sender to see if they really sent them.

Infected users should wait for detection files and/or more detailed information and removal information to be published before attempting to remove the worm. Until then, infected users should avoid connecting to the Internet or any open network.

Links
McAfeeHelp Forums - Excellent resource for latest information and updates.
Secunia - Compiles latest descriptions and links.
Trend Micro - Detailed write-up with good removal instructions.
Symantec - Detailed write-up with limited removal instructions.

Crog aka Fatso - MSN Messenger Outbreak

Crog (also known by several other names, such as Sumom, Serflog, and Fatso; the last of these is likely to become the media name) is an MSN Messenger worm that appeared today and is spreading quickly, earning a Medium risk rating from some antivirus companies. The worm sends itself to victims via MSN Messenger from the infected computer. File names are likely to end in a .pif extension, but there is a 1-in-12 chance that the extension will instead be .scr. Most of the file names suggest a photograph, either humorous or pornographic in nature.

Crog has been declared a Medium Risk threat at Sophos, Trend Micro, and Secunia.

Details
Crog was discovered on March 7, 2005, with details first published shortly after midnight GMT. It is a worm that spreads via MSN Messenger and the eMule P2P network. Additionally, machines infected with Crog have their security settings lowered. Access to security-related web sites is blocked on Crog-infected computers, and a range of security programs is also disabled by the worm. The worm also intercepts CD writes and adds itself to them, an uncommon feature in worms.

Protection
Updated detections for most antivirus programs should appear within the next 24 hours or so. It is unlikely that emergency detection will be published, as the worm remains a Low risk threat on all descriptions at this time. In the meantime, MSN Messenger users should exercise common sense and not open any executable file format that is sent to them randomly, including .pif and .scr, which this worm uses.

Infected users should wait for detection files and/or more detailed information and removal information to be published before attempting to remove the worm. Until then, infected users should avoid connecting to the Internet or any open network.

Links
McAfeeHelp Forums - Excellent resource for latest information and updates.
Secunia - Compiles latest descriptions and links. Refers to worm as “Fatso.”
Trend Micro - Excellent, highly detailed write-up with pictures. Refers to worm as “Fatso.”
Symantec - Fairly detailed write-up without some additional details. Uncluttered. Refers to worm as “Serflog.”
Panda - Fairly detailed write-up. Excellent removal instructions. Refers to worm as “Fatso.”
F-Secure - Fairly detailed write-up. No removal instructions. Refers to worm as “Sumom.”
McAfee - Fairly detailed write-up. No removal instructions.
Sophos - Fairly detailed write-up. No removal instructions. Refers to worm as “Sumom.”

Kelvir.B Worm - Developing Minor MSN Messenger Outbreak

Kelvir.B (Kelvir.A at Symantec) is an MSN Messenger worm that appeared yesterday and has now been characterized by Symantec as spreading in the field. The worm arrives as a link to the file cute.pif on a web site on the home.att.net domain. It also downloads a variant of W32/SDBot, a backdoor and open-share worm, as patch.exe from a web site on the home.comcast.net domain.

Details
Kelvir.B was discovered on March 6, 2005, with details first published shortly after midnight GMT. So far, details are limited, other than that the web sites involved appear to still be up (I am unable to verify this, as no description that includes the URL uncensored has yet been published).

So far it is unknown how quickly Kelvir.B is spreading, but Symantec's characterization of the worm as Medium on their Wild scale and their publishing of a temporary description while they were investigating the threat suggests that it may be spreading somewhat quickly in the MSN Messenger community.

The format for messages is “omg this is funny! (Link to worm)”.

Protection
Updated detections for most antivirus programs should appear within the next 24 hours or so. It is unlikely that emergency detection will be published, as the worm remains a Low risk threat on all descriptions at this time. In the meantime, MSN Messenger users should exercise common sense and not open any executable file format that is sent to them randomly, including .pif, which this worm uses.

Infected users should wait for detection files and/or more detailed information and removal information to be published before attempting to remove the worm. Until then, infected users should avoid connecting to the Internet or any open network.

Links
Secunia - Compiles latest descriptions and links.
Sophos - Basic description with some details. No removal instructions. “More detailed information to follow shortly.”
McAfee - Basic description with some details. No removal instructions.
Symantec - Very basic description with no details. No removal instructions. “More information [will be posted] as it becomes available.” Refers to worm as “Kelvir.A.”

Worms and Instant Messaging

It has been nearly four years since the first worm to spread via an instant messaging program, the Hello worm, appeared on the AOL Instant Messenger network. At that time, IM program worms were more of a curiosity. Despite a significant number of doomsday predictions from the media, few of these worms actually ended up becoming common. Those that made it in the field were typically quick burners, dropping off the radar in a few days when most worms last weeks. However, recent worms have proven that IM programs are a significant potential distribution area for new worms.

Instant Messengers vs. Email
One thing to consider when assessing the risk of instant messaging worms is that the target audience is different from that of email worms. Users of instant messaging programs are typically younger and much less likely to be corporate users. As IMing is generally more fast-paced than emails, it is also more likely that users will accept files without much discretion. However, it is also easier to ask about a suspicious file via instant messenger than it is in email.

With only a small range of major instant messengers out there, there is opportunity to solve many of the problems that have plagued email as an open standard. Together, AOL Instant Messenger, MSN Messenger, Yahoo Messenger, and ICQ make up the lion's share of the US IM market, with similar programs popular throughout the world (Asia is the home to many alternative IM programs). Three companies thus control almost all of the IM market (AIM and ICQ are both owned by AOL). These companies can, and have, enforced security standards and provided warnings. However, it has been demonstrated that, despite warnings, users will gladly accept files if they do not understand what they are. Education is a major problem on the IM front.

Case study
On the morning of March 6, 2005, I received a report from one of the infected users, who resides in Ohio, of a small outbreak of an undocumented AOL Instant Messenger worm among roughly a dozen users belonging to a group interested in climatology and Internet broadcasting. The worm (which I will refer to as Ostow here for the sake of simplicity) appeared to randomly set away mode. The away message contained a link to a .pif file on a remote Internet server (at this time, the file remains up) and a promise that the file contained “beach photos.”

The user explained that he had opened the file, assuming that the .pif extension stood for “something like Picture Image Format.” Since the file was hosted offsite, not sent via AOL Instant Messenger, there was no warning that the file could be harmful other than the download prompt in Internet Explorer. He opened the file and became infected with Ostow; subsequently, a number of other members of the community clicked on his away message and became infected. None realized that anything was wrong until the Ohioan user observed that his status was changing to away randomly.

Eventually, HijackThis was installed on an infected machine in Louisiana, and a suspicious file masquerading as the BitDefender antivirus program was discovered to contain what was detected as a “variant W32/Spybot” and a dropper from the web site, detected as a “variant W32/SDBot.” Despite several hits on Google that mentioned the AIM away message, it appeared that all detections were generic and Ostow was not recognized specifically by antivirus programs (neither W32/Spybot nor W32/SDBot are described as AOL Instant Messenger worms). Manual removal instructions were created and followed by all infected users, and no infections have since been reported.

This case is not exceptional, other than that it shows the confusion that can result from unknown worms spreading via AOL Instant Messenger. Without assistance from knowledgeable users, the average person infected by a worm like Ostow could do nothing to fix the problem and would likely ignore it, allowing the worm to spread further. It also shows how a worm can spread among members of a group linked through their AOL Instant Messenger contacts.
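The warning signs the Crog, Kelvir.B and Ostow write-ups share (a link or attachment whose name ends in a program extension such as .pif or .scr while the message promises a picture, plus the Sober.L attachment names) can be turned into a simple triage check for an IM or mail gateway. The Python below is an added example, not code from the original post; the sample messages and the example.invalid host are constructed and are not the real distribution sites.

```python
import re
from urllib.parse import urlparse

# Windows file types that run as programs but are easily mistaken for pictures
# (the Ohio user in the case study read .pif as "Picture Image Format").
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}
# Bait words the worms above use to pass a program off as a photo.
PHOTO_BAIT = ("photo", "pic", "beach", "funny", "cute")
# Attachment names reported for Sober.L in the post above.
SOBER_L_ATTACHMENTS = {"mailtexte.zip", "acc_text.zip"}
URL_RE = re.compile(r"https?://\S+")

def extension(name):
    """Lower-cased final extension of a file name or URL path ('' if none)."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""

def triage(message, attachments=()):
    """Return (severity, reason) findings for one IM or e-mail message:
    'high' for an executable dressed up as a picture or a known Sober.L
    attachment name, 'medium' for any other linked or attached executable."""
    findings = []
    text = message.lower()
    for url in URL_RE.findall(message):
        path = urlparse(url).path
        ext = extension(path)
        if ext in EXECUTABLE_EXTS:
            baited = any(w in text or w in path.lower() for w in PHOTO_BAIT)
            name = path.rsplit("/", 1)[-1]
            findings.append(("high" if baited else "medium",
                             f"link to executable {name} ({ext})"))
    for att in attachments:
        if att.lower() in SOBER_L_ATTACHMENTS:
            findings.append(("high", f"attachment name matches Sober.L: {att}"))
        elif extension(att) in EXECUTABLE_EXTS:
            findings.append(("medium", f"executable attachment {att}"))
    return findings

# Constructed sample traffic modelled on the messages described in the post;
# the host is a placeholder, not a real distribution site.
SAMPLES = [
    ("omg this is funny! http://example.invalid/cute.pif", ()),
    ("my beach photos http://example.invalid/pics/beach.pif", ()),
    ("Your password has been changed, see attached", ("acc_text.zip",)),
    ("lunch at 12?", ("agenda.pdf",)),
]

if __name__ == "__main__":
    for text, atts in SAMPLES:
        print(f"{text[:40]!r:45} -> {triage(text, atts)}")
```

Only the first three samples produce findings; a plain PDF attachment passes, which is the point of keying on program extensions rather than on attachments in general.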

Conclusion
With an increasing number of IM worms, and the recent Medium risk rating received by Bropia.P, increasing attention is deservedly being given to this growing threat area. With detection often spotty, and users who are less tech-savvy and less likely to submit discovered worms to antivirus companies, IM worms may become a top-tier vector for new threats in the upcoming months.