Security Manifest

A Smattering of Sobers

2005-11-15T20:52:00Z

It's not often we get prior warning of worms spreading. But yesterday, German officials warned that we would see a new Sober variant using the attachment names “Word Text.zip” or “registration.zip” and, sure enough, we have Sober.V. Unfortunately, on the same day, we also have Sober.S, Sober.T, and a fairly minor variant, Sober.U. Although none are spreading extremely rapidly, both have been reported in the United States, Germany, and several other countries.

An article from About.com is available here. Amusingly, as the article points out, antivirus vendor Trend Micro published a description for the worm (as WORM_SOBER.AD) before it was released - and dubbed it as in the wild! Impressive forethought, indeed.

Users should be careful with any executables or files that can contain executables (like .zips), of course. Conventional common sense is the key to avoid infection with worms like Sober. Filenames associated with these threats are reg_text.zip (Sober.S), excel_table.zip (Sober.T), tabelle.zip (Sober.T), registration.zip (Sober.V), and Word-Text.zip (Sober.V).

Trend Micro Reports MS05-053 Worm in the Wild - But is it?

2005-11-11T21:54:00Z

Trend Micro has reported that they have found a worm in the wild that abuses the recently-discovered MS05-053 vulnerability, according to their analysis here. The vulnerability, published three days ago, was rated as critical. The discovery of a worm in the field this quickly could make for one of the fastest turn-arounds from patch publishing to discovery in the wild. But, Trend Micro says, upon further review, it's unclear whether the detection is accurate. CNET News's Joris Evers reports:

Trend Micro on Wednesday reported the discovery of a Trojan horse that it said attacked Windows users through an image rendering flaw in Windows, a day after Microsoft provided a fix for the bug. But it isn't so sure anymore.

The Trojan is referred to as "emfsploit.a" by the Tokyo-based antivirus company. Initially the antivirus software maker reported that the malicious code would crash "explorer.exe" on unpatched Windows machines. Explorer runs key parts of the Windows graphical user interface, including the Start menu, taskbar, desktop and file manager.

But late Thursday Trend Micro said its initial analysis of the Trojan might be incorrect.

"We asked another team to start the disassembly process again," said Raimund Genes, chief technologist for Trend Micro in Europe. That means researchers will reinvestigate the Trojan code to see what it does.

The full article is available here, and a brief mention at the Internet Storm Center is available here.

Daily Update -- Monday, November 7th, 2005

2005-11-07T22:06:00Z

It's been a fairly slow week, but today we see a new Linux worm. Lupper takes advantage in a PHP vulnerability. The Register has details here, and the Internet Storm Center has technical details here.

Daily Update -- Tuesday, November 1st, 2005

2005-11-01T22:59:00Z

Two new viruses worth mentioning today - one a mass-mailer spreading, one an interesting conceptual specimen.

Bagle-Based “Lodear“ Appears
A new worm family, Lodear, has appeared. The first variant seems to be spreading some in the wild. Information can be found here. Some antivirus companies consider this a variant of Bagle itself, and the family may be merged with the Bagle name. Lodear is similar to past Bagle variants. The primaray symptom of infection is a file called hloader_exe.exe in the Sytem folder.

First KiXTart Virus Appears
A virus infecting .KIX (KiXTart Script File) files has appeared. This is unlikely to effect most people, but it is the first example of such a virus. Information is here. KiXTart is a batch processing script that runs at logon on some Windows computers. For more information on KiXTart, see here.

Daily Update -- Wednesday, October 19th, 2005

2005-10-19T21:10:00Z

Not much is in the news today, although I am happy to announce that rumours regarding the discovery of a worm using the latest Windows vulnerabilities was a false alarm. More details follow

Trend Announces Fanbot.C Error
From InformationWeek:

A security firm on Monday mistakenly identified a new Trojan as the first to exploit one of last week's vulnerabilities in Windows, but corrected itself and labeled it as one which attacks the same bug as August's Zotob bot worm.

Fanbot.c, said Trend Micro late Monday, included a proof-of-concept exploit against one of the vulnerabilities disclosed Tuesday, Oct. 11 in Microsoft's MS05-051 security bulletin. Trend also said that although the Trojan was written in Visual Basic -- which usually indicates low-level skills on the part of the attacker and often means it's a "script kiddy" copy-cat -- arming malware with yet another exploit matched earlier hacker habits.

By early Tuesday, however, Trend had modified its technical description of Fanbot.c to say that the exploit was actually one directed toward the Plug and Play bug unveiled in August's MS05-039 bulletin.

The full article about the good news can be found here.

Daily Update -- Tuesday, October 18th, 2005

2005-10-18T22:09:00Z

The Daily Update returns after a small hiatus for testing week...

October 2005 Security Release
Three critical updates, five important updates, and one moderate update have been released to address issues in Windows. You can view the bulletin here. And make sure to update!

Mytob Over 300 Variants
Mytob.LE has been released, making it the 317th variant of the prolific Mytob family. The latest variant offers more of the same, with new passwords and emails.

Daily Update -- Thursday, October 6th, 2005

2005-10-07T02:04:00Z

A quick daily update today. Symantec has now named Sober.Q (aka .R) to be a low-medium (2) risk, although McAfee maintains it at Medium. It looks like this one is not going to be a huge outbreak. More coverage of Sober.R should be available tomorrow as we start to see reports on spread rates coming in. Symantec's write-up of Sober.R, which they call Sober.Q, can be found here.

Also in news today, a small percentage of the Internet was taken down today. This was not security-related as many feared, but instead due to a contract dispute between two major service providers. Full details can be found here.

Sober.R - Developing Outbreak

2005-10-06T01:27:00Z

A new worm, Sober.R, is spreading moderately in the field. More details about this when they are available, and can be found here in the meantime: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=136390

Daily Update -- Tuesday, October 4th, 2005

2005-10-04T23:57:00Z

Flaws Discovered in Kaspersky Antivirus
Techworld reports that Kaspersky, a Russian security program, is having security issues with its Antivirus program due to an exploit:

Kaspersky Lab has been hit by a security bug affecting a wide range of its anti-virus products. The bug isn't limited to a particular platform, and can be exploited through several common protocols to take over a protected system.

The attack is apparently related to malicious .cab files. When scabbing an infected .cab file, Kaspersky can experience a heap overflow and allow a malicious attacker to control the infected machine.

Microsoft Office Exploit Code Circulating
The same article goes on to talk about circulating code for a Microsoft Office exploit:

Separately, security vendors warned that exploit code has begun circulating publicly for an unpatched flaw in Microsoft Office that was first disclosed in April. The exploit makes it easier for attackers to take advantage of the hole, which, like the Kaspersky flaw, could allow attackers to take over a system.

Note that just because code is circulating does not mean it is associated with a known threat at this point, and this one isn't.

Daily Update -- Monday, October 3rd, 2005

2005-10-03T21:37:00Z

Yes, Daily Updates are back. And permanently this time!

Good News, Bad News: Virus Attacks Down, but Attacks More Sophisticated
As anyone who follows viruses knows, this has been a rather quiet year for viruses of all types, especially mass-mailers. This is part in thanks to better technology and enforcement, and part in thanks to luck. In any case, though, ZDNet is reporting that antivirus firm Sophos and email security company BlackSpider Technologies both have reported a significant downturn in the quantity of viruses coming in. This is hardly a surprise, especially when you consider that after nineteen months, the top worm still is Netsky.P, which celebrated its eighteen month birthday last month. Worms rarely last longer than a few months on top. A notable exception being Klez.H's two-year reign on the charts starting in early 2002, but unlike Klez, Netsky remains on the top primarily because it lacks any competition for the spot.

Although mass-mailers have downturned over the last few months, an even more damaging threat, especially on the corporate level, looms:

"Smaller, targeted attacks are on the increase, with the emergence of a new breed of financially-motivated online criminal. The concern is that if users continue to combine unsafe computing practices with outdated threat protection, they'll be a soft target for this new form of attack," Theriault warned.

I tend to believe there is little, if any, correlation between the two. Targeted attacks, especially of a financial nature, have been developing for a while, and even made national news when it was suggested that the Sobig.F worm was linked to organised crime. The news about the reduced number of mass-mailer hits is promising, but not necessarily a trend that will last very long. We can only keep our fingers crossed and our software secure.

Bagle Naming Convention Split
Apparently, a number of antivirus companies have determined that recent variants of the prolific and previously successful Bagle worm family are not Bagle-y enough. Computer Associates named a recent Bagle variant Wreckage.A, while Trend Micro has donned a new Yabe family of worms for two recent Bagle variants. These splits have not been uncommon throughout Bagle's naming, and it is possible that the names will be reconciled if a breakout occurs. However, should a major version of the “Wreckage” or “Yabe” worm families be reported in the news, it is fairly safe to assume that they are Bagle versions.

Cool Link of the Day
The University of Virginia provides a Security Tip of the Day on their web site here. The messages are meant for University of Virginia students, and it's not exactly a Tip of the Day (unless refreshing the page somehow has an effect on the space-time continuum, in which case I do not recommend that anyone above 30 use this web site), but it's certainly interesting. The tips are pretty basic, but even the best of us need reminders sometimes. And so do all of your friends and family members who think that “.pif“ stands for “picture information file.“

That's all for today.

MVP Conference Retrospective

2005-10-03T21:13:00Z

I returned from the MVP conference and slept in yesterday. It was a wonderful three days, although certainly tiring! I learned some, got to see what Microsoft has up their sleeve, and I am indeed quite impressed. I didn't manage to take any photos, but fellow Security MVP Steve Friedl over at BroadbandReports.com logged the public parts of the session. His write-up and commentary can be found here. It comes highly recommended, although it's definitely for techies.

It wasn't a big trip for me, as I live just about 40 miles to the south of Bellevue, but it's always nice to go up to the east side of Lake Washington. If you happen to find yourself in the area and are looking for some food, I recommend Byblos Deli in downtown Bellevue. Delicious! :)

Microsoft MVP Conference!

2005-09-28T03:08:00Z

I'm currently in Bellevue, Wash., a suburb of Seattle about 50 miles north of my hometown, for the MVP conference. It is quite a cultural difference (it's an entire county away!), but hopefully I'll get used to it. :) I'll try to post pictures of interesting things when I get back.

Zotob Authors Nabbed

2005-08-26T23:35:00Z

The good news about the Zotob outbreak is that we're unlikely to see future versions after two men - one in Morroco and one in Turkey - were arrested Thursday.

From The Washington Post's article:

The FBI and Microsoft Corp. collaborated with law enforcement officials in Turkey and Morocco to secure the arrest on Thursday of two men thought to be responsible for creating computer worms that infected hundreds of thousands of computers worldwide this year.

Police in Morocco arrested Farid Essebar, 18, a Moroccan national born in Russia who used the online moniker "Diabl0." Authorities in Turkey arrested 21-year-old Atilla Ekici, known by the online alias "Coder."

Essebar and Ekici are suspected of releasing the "Zotob" and "Mytob" computer worms that were designed to take advantage of flaws in Microsoft's widely used Windows operating system. Both of the suspects' nicknames can be found in the original computer programming code for Zotob, according to the FBI and Microsoft.

In addition to Mytob and Zotob, vnunet.com reports that the pair are responsible for the Rbot worm family, too.

Here's to hoping for a fair trial and harsh punishment. The computer laws of Turkey and Morroco may both be put to test by this case.

Retrospective Zotob Articles

2005-08-25T17:20:00Z

Here are a collection of recent articles on the Zotob worm, which is at this point no longer spreading very quickly:

Some XP machines vulnerable to Zotob worm (TechWorld) - A full news article about the (rare) registry modifications that can result in Windows XP being vulnerable to the Zotob worm. Not a new threat.

Zotob epidemic past its peak (SmoothWall.net) - A good summary of events, with links.

From Melissa to Zotob: 10 Years of Windows Worms (eWeek) - Although “From Melissa to Sasser: 6 Years of Windows Worms” would actually be a more exact title for this article, this is a decent, albeit compacted, summary of significant computer worms of the modern Internet age.

We can now officially say that the Zotob worm outbreak is, for all intents and purposes, over.

F-Secure looks at new threats we're dealing with at their Weblog, in an article entitled “More pnp related malware.”

Zotob - Slowing Down

2005-08-18T03:55:00Z

Good news on the Zotob front. McAfee has lowered the risk to Medium. Correspondingly, it is now considered a moderate outbreak.

Looking more at Plug N' Play worms and Zotob

2005-08-17T18:45:00Z

If you've been following the news about Zotob, IRCBot, Bozori, and the other families of worms to attack the recent Plug-and-Play vulnerability (MS05-039), you know that another worm war has begun between the latter two worm families and Zotob, which so far is not “fighting back” with a new variant that deletes the others. F-Secure's highly recommended weblog provides this “high-tech illustration” of who's killing who:

Also a good read is vnunet.com's article, W32/IRCBot worm beats Sasser record, which talks a bit about how quickly this worm appeared after its associated vulnerability was released relative to the more widely successful (especially among home users) Sasser worm.

I received an email about this worm's ability to affect Windows XP machines, and the answer to that appears to be that Windows XP machines are not natively able to be infected, but with registry modifications (that are rare but occasionally found) it can be, although I have not been able to specifically verify this.

Zotob.E (IRCBot) Outbreak News Round-Up

2005-08-16T22:44:00Z

Early news reports indicate that the group most affected (or at least most publicly affected) by the IRCBot is the media. Brian Krebs at The Washington Post reports:

ABC News had an extensive outage today due to infections from Zotob or one of its variants [most probably IRCBot, which is also known as Zotob.E], which knocked out computers in the network's newsrooms on the East and West coasts today, said ABC News Vice President Jeffrey Schneider. The outage lasted two hours, he said.

“This was the first time I've ever seen writers at World News Tonight banging away on electric typewriters,” Schneider said.

Also affected by the worm is international news outfit CNN:

CNN's Wolf Blitzer is reporting that a computer worm has taken out many of their computer systems in Atlanta, New York and in other bureaus around the country, showing pictures of a computer constantly rebooting after being infected by the worm. CNN spokeswoman Edie Emery said the outage affected computers across the country, but that at no time did the outage affect the company's ability to report the news. A staffer I spoke with earlier from CNN's Washington bureau said many reporters in the company's New York and Atlanta bureaus relied on other bureaus to file their stories for them.

CNN International makes a quick mention of Washington, D.C. being affected, but information is sparse.

The Post's headline, A Media Worm?, is perhaps more telling than it means: so far, little information is available about how quick spreading the worms are, and two worms - Zotob.E and Esbot, which Symantec gives a medium risk rating, are spreading simultaneously. There is some possibility that this media coverage is less related to the rate of infection and more to the rate of media infection. Certainly, reports that this worm affects Windows 2000 more than Windows XP suggest that businesses are being affected even more than home users.

More information about the Zotob.E outbreak - as well as the Esbot incident - throughout the evening.

OUTBREAK: Zotob.E (IRCBot) worm hitting unpatched systems

2005-08-16T22:18:00Z

A new worm utilizing the MS05-039 vulnerability has became a major outbreak. More coverage upcoming.

Details
IRCBot is a fast-spreading worm affecting systems not patched for the MS05-039 vulnerability. Infected machines will reboot frequently, as well as connect to an IRC server and await further instructions

Protection
Detection of this worm, as it is an outbreak, should be released very soon, if it is not already out.

The Gist
IRCBot is an urgent outbreak and all systems should be patched that have not already been.

Links
McAfee - Write-up.

Zotob - New worm hitting unpatched machines

2005-08-15T00:57:00Z

A new version of the extensive and successful MyDoom worm family has appeared. Fortunately, like many recent variants, this version has got off to a slow start and is unlikely to become a major threat.

Details
MyDoom.CF was discovered Tuesday, June 28th, 2005. It is a standard MyDoom family member, faking the email address it is sent from. Messages MyDoom.CF use typically make a relatively unsuceesful attempt at seeming either personal (“Is it your name listed here? It seems this is the Pentagon listing“) or official (“Your file hasn't passedour security check and thus was returned“) and are typically caught by spam filters, if they are present. MyDoom.CF is not a very damaging virus, and exists only to spread. Attachments associated with MyDoom.CF are 32,256 bites in size, although if in the .zip format, they can vary.

Protection
Detection for this worm may be covered generically under some current DAT files, as it is an unremarkable variant of a well-known worm family. Updates will likely start appearing within the next 24 hours. As this is a low-risk threat, emergency detection releases are unlikely. MS05-039 can be downloaded at windowsupdate.microsoft.com.

The Gist
MyDoom.CF, although it may spread some, is an unremarkable MyDoom variant and does not pose a significant risk at this time.

Links
F-Secure - Write-up.

Return

2005-08-15T00:47:00Z

I have returned from my vacation, which bled into yet another vacation to beautiful Toronto, a rich and diverse city. I was simply astounded by the number of languages that I couldn't even recognize! I hope everyone is having a good summer and tolerating the heat.