<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://msmvps.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Security Manifest : DAILY UPDATES</title><link>http://msmvps.com/blogs/trafton/archive/tags/DAILY+UPDATES/default.aspx</link><description>Tags: DAILY UPDATES</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP2 (Build: 40407.4157)</generator><item><title>Daily Update -- Monday, November 7th, 2005</title><link>http://msmvps.com/blogs/trafton/archive/2005/11/07/74658.aspx</link><pubDate>Mon, 07 Nov 2005 22:06:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:74658</guid><dc:creator>trafton</dc:creator><slash:comments>1</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/trafton/rsscomments.aspx?PostID=74658</wfw:commentRss><comments>http://msmvps.com/blogs/trafton/archive/2005/11/07/74658.aspx#comments</comments><description>It's been a fairly slow week, but today we see a new Linux worm.  Lupper takes advantage of a PHP vulnerability.  
&lt;EM&gt;The Register &lt;/EM&gt;has details &lt;A href="http://www.channelregister.co.uk/2005/11/07/linux_worm/"&gt;here&lt;/A&gt;, and the Internet Storm Center has technical details &lt;A href="http://isc.sans.org/diary.php?storyid=823"&gt;here&lt;/A&gt;.&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=74658" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/DAILY+UPDATES/default.aspx">DAILY UPDATES</category><category domain="http://msmvps.com/blogs/trafton/archive/tags/VIRUSES/default.aspx">VIRUSES</category><category domain="http://msmvps.com/blogs/trafton/archive/tags/SECURITY/default.aspx">SECURITY</category></item><item><title>Daily Update -- Tuesday, November 1st, 2005</title><link>http://msmvps.com/blogs/trafton/archive/2005/11/01/73914.aspx</link><pubDate>Tue, 01 Nov 2005 22:59:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:73914</guid><dc:creator>trafton</dc:creator><slash:comments>14</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/trafton/rsscomments.aspx?PostID=73914</wfw:commentRss><comments>http://msmvps.com/blogs/trafton/archive/2005/11/01/73914.aspx#comments</comments><description>&lt;P&gt;&lt;FONT size=4&gt;&lt;FONT size=3&gt;Two new viruses worth mentioning today - one a mass-mailer that is spreading, one an interesting conceptual specimen.&lt;BR&gt;&lt;/FONT&gt;&lt;BR&gt;&lt;STRONG&gt;Bagle-Based &amp;#8220;Lodear&amp;#8221; Appears&lt;BR&gt;&lt;/STRONG&gt;&lt;/FONT&gt;A new worm family, Lodear, has appeared.&amp;nbsp; The first variant seems to be spreading some in the wild.&amp;nbsp; Information can be found &lt;A href="http://www.sarc.com/avcenter/venc/data/w32.lodear.a@mm.html"&gt;here&lt;/A&gt;.&amp;nbsp; Some antivirus companies consider this a variant of Bagle itself, and the family may be merged with the Bagle name.&amp;nbsp; Lodear is similar to past Bagle 
variants.&amp;nbsp; The primary symptom of infection is a file called hloader_exe.exe in the System folder.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;FONT size=4&gt;First KiXTart Virus Appears&lt;BR&gt;&lt;/FONT&gt;&lt;/STRONG&gt;A virus infecting .KIX (KiXTart Script File) files has appeared.&amp;nbsp; This is unlikely to affect most people, but it is the first example of such a virus.&amp;nbsp; Information is &lt;A href="http://www.sarc.com/avcenter/venc/data/kix.ixlam.a.html"&gt;here&lt;/A&gt;.&amp;nbsp; KiXTart is a batch processing script that runs at logon on some Windows computers.&amp;nbsp; For more information on KiXTart, see &lt;A href="http://www.kixtart.org/"&gt;here&lt;/A&gt;.&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=73914" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/DAILY+UPDATES/default.aspx">DAILY UPDATES</category><category domain="http://msmvps.com/blogs/trafton/archive/tags/VIRUSES/default.aspx">VIRUSES</category><category domain="http://msmvps.com/blogs/trafton/archive/tags/Viruses+_2800_Medium_2900_/default.aspx">Viruses (Medium)</category></item><item><title>Daily Update -- Wednesday, October 19th, 2005</title><link>http://msmvps.com/blogs/trafton/archive/2005/10/19/71669.aspx</link><pubDate>Wed, 19 Oct 2005 21:10:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:71669</guid><dc:creator>trafton</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/trafton/rsscomments.aspx?PostID=71669</wfw:commentRss><comments>http://msmvps.com/blogs/trafton/archive/2005/10/19/71669.aspx#comments</comments><description>&lt;P&gt;&lt;FONT size=4&gt;&lt;FONT size=3&gt;Not much is in the news today, although I am happy to announce that rumours regarding the discovery of a worm using the latest Windows vulnerabilities were a false alarm.&amp;nbsp; More details follow.&lt;BR&gt;&lt;/FONT&gt;&lt;BR&gt;&lt;STRONG&gt;Trend Announces Fanbot.C 
Error&lt;BR&gt;&lt;/STRONG&gt;&lt;/FONT&gt;From InformationWeek:&lt;/P&gt;
&lt;BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"&gt;
&lt;P&gt;A security firm on Monday mistakenly identified a new Trojan as the first to exploit one of last week's vulnerabilities in Windows, but corrected itself and labeled it as one which attacks the same bug as &lt;A href="http://www.techweb.com/wire/security/168601739"&gt;August's Zotob&lt;/A&gt; bot worm. &lt;/P&gt;
&lt;P&gt;Fanbot.c, said Trend Micro late Monday, included a proof-of-concept exploit against one of the vulnerabilities disclosed Tuesday, Oct. 11 in Microsoft's MS05-051 security bulletin. Trend also said that although the Trojan was written in Visual Basic -- which usually indicates low-level skills on the part of the attacker and often means it's a "script kiddy" copy-cat -- arming &lt;A href="http://www.techweb.com/encyclopedia/defineterm.jhtml;jsessionid=O0RBXQS4WAGJIQSNDBECKH0CJUMEKJVN?term=malware&amp;amp;x=12&amp;amp;y=7&amp;amp;_requestid=296521"&gt;malware&lt;/A&gt; with yet another exploit matched earlier hacker habits. &lt;/P&gt;
&lt;P&gt;By early Tuesday, however, Trend had modified its &lt;A href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FFANBOT%2EC" target=_blank&gt;technical description&lt;/A&gt; of Fanbot.c to say that the exploit was actually one directed toward the Plug and Play bug unveiled in August's MS05-039 bulletin. &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;The full article about the good news can be found &lt;A href="http://www.informationweek.com/story/showArticle.jhtml?articleID=172302055"&gt;here&lt;/A&gt;.&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=71669" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/DAILY+UPDATES/default.aspx">DAILY UPDATES</category><category domain="http://msmvps.com/blogs/trafton/archive/tags/VIRUSES/default.aspx">VIRUSES</category><category domain="http://msmvps.com/blogs/trafton/archive/tags/SECURITY/default.aspx">SECURITY</category></item><item><title>Daily Update -- Thursday, October 6th, 2005</title><link>http://msmvps.com/blogs/trafton/archive/2005/10/06/69458.aspx</link><pubDate>Fri, 07 Oct 2005 02:04:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:69458</guid><dc:creator>trafton</dc:creator><slash:comments>5</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/trafton/rsscomments.aspx?PostID=69458</wfw:commentRss><comments>http://msmvps.com/blogs/trafton/archive/2005/10/06/69458.aspx#comments</comments><description>&lt;P&gt;A quick daily update today.  Symantec has now rated Sober.Q (aka .R) a low-medium (2) risk, although McAfee maintains it at Medium.  It looks like this one is not going to be a huge outbreak.  More coverage of Sober.R should be available tomorrow as we start to see reports on spread rates coming in.  Symantec's write-up of Sober.R, which they call Sober.Q, can be found &lt;A href="http://www.sarc.com/avcenter/venc/data/w32.sober.q@mm.html"&gt;here&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;Also in the news today, a small percentage of the Internet was taken down.  This was not security-related as many feared, but instead due to a contract dispute between two major service providers.  Full details can be found &lt;A href="http://today.reuters.co.uk/news/newsArticle.aspx?type=internetNews&amp;storyID=2005-10-06T215536Z_01_KWA678919_RTRIDST_0_OUKIN-UK-BACKBONE.XML&amp;archived=False"&gt;here&lt;/A&gt;.&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=69458" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/DAILY+UPDATES/default.aspx">DAILY UPDATES</category><category domain="http://msmvps.com/blogs/trafton/archive/tags/VIRUSES/default.aspx">VIRUSES</category><category domain="http://msmvps.com/blogs/trafton/archive/tags/FOLLOW-UPS/default.aspx">FOLLOW-UPS</category></item><item><title>Daily Update -- Tuesday, October 4th, 2005</title><link>http://msmvps.com/blogs/trafton/archive/2005/10/04/68992.aspx</link><pubDate>Tue, 04 Oct 2005 23:57:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:68992</guid><dc:creator>trafton</dc:creator><slash:comments>5</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/trafton/rsscomments.aspx?PostID=68992</wfw:commentRss><comments>http://msmvps.com/blogs/trafton/archive/2005/10/04/68992.aspx#comments</comments><description>&lt;P&gt;&lt;FONT size=4&gt;&lt;STRONG&gt;Flaws Discovered in Kaspersky Antivirus&lt;BR&gt;&lt;/STRONG&gt;&lt;/FONT&gt;Techworld &lt;A href="http://informationweek.com/story/showArticle.jhtml?articleID=171202727"&gt;reports&lt;/A&gt; that Kaspersky, a Russian security company, is having security issues with its antivirus program due to an exploitable flaw:&lt;/P&gt;
&lt;P&gt;Kaspersky Lab has been hit by a security bug affecting a wide range of its anti-virus products.&amp;nbsp; The bug isn't limited to a&amp;nbsp;particular platform, and can be exploited through several common protocols to take over a protected system.&lt;/P&gt;
&lt;P&gt;The attack is apparently related to malicious .cab files.&amp;nbsp; When scanning a malicious .cab file, Kaspersky can experience a &lt;A href="http://en.wikipedia.org/wiki/Heap_overflow"&gt;heap overflow&lt;/A&gt; and allow a malicious attacker to control the affected&amp;nbsp;machine.&lt;/P&gt;
&lt;P dir=ltr&gt;&lt;STRONG&gt;&lt;FONT size=4&gt;Microsoft &lt;EM&gt;Office &lt;/EM&gt;Exploit Code Circulating&lt;BR&gt;&lt;/FONT&gt;&lt;/STRONG&gt;The same article goes on to talk about circulating code for a Microsoft &lt;EM&gt;Office &lt;/EM&gt;exploit:&lt;/P&gt;
&lt;BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"&gt;
&lt;P dir=ltr&gt;Separately, security vendors warned that exploit code has begun circulating publicly for an &lt;A href="http://www.techworld.com/security/news/index.cfm?NewsID=3480"&gt;unpatched flaw&lt;/A&gt; in Microsoft Office that was first disclosed in April. The exploit makes it easier for attackers to take advantage of the hole, which, like the Kaspersky flaw, could allow attackers to take over a system.&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P dir=ltr&gt;Note that just because code is circulating does not mean it is associated with a known threat at this point, and this one isn't.&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=68992" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/DAILY+UPDATES/default.aspx">DAILY UPDATES</category><category domain="http://msmvps.com/blogs/trafton/archive/tags/SECURITY/default.aspx">SECURITY</category></item><item><title>Daily Update -- Monday, October 3rd, 2005</title><link>http://msmvps.com/blogs/trafton/archive/2005/10/03/68839.aspx</link><pubDate>Mon, 03 Oct 2005 21:37:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:68839</guid><dc:creator>trafton</dc:creator><slash:comments>5</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/trafton/rsscomments.aspx?PostID=68839</wfw:commentRss><comments>http://msmvps.com/blogs/trafton/archive/2005/10/03/68839.aspx#comments</comments><description>&lt;P&gt;Yes, Daily Updates are back.  And permanently this time!&lt;/P&gt;
&lt;P&gt;&lt;FONT size=4&gt;&lt;STRONG&gt;Good News, Bad News:  Virus Attacks Down, but Attacks More Sophisticated&lt;BR&gt;&lt;/STRONG&gt;&lt;/FONT&gt;As anyone who follows viruses knows, this has been a rather quiet year for viruses of all types, especially mass-mailers.  This is partly thanks to better technology and enforcement, and partly thanks to luck.  In any case, though, &lt;A href="http://news.zdnet.co.uk/internet/security/0,39020375,39225761,00.htm"&gt;ZDNet&lt;/A&gt; is reporting that antivirus firm &lt;A href="http://www.sophos.com/"&gt;Sophos&lt;/A&gt; and email security company &lt;A href="http://www.blackspider.com/"&gt;BlackSpider Technologies&lt;/A&gt; both have reported a significant downturn in the quantity of viruses coming in.  This is hardly a surprise, especially when you consider that after nineteen months, the top worm still is &lt;A href="http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.p@mm.html"&gt;Netsky.P&lt;/A&gt;, which celebrated its eighteen-month birthday last month.  Worms rarely last longer than a few months on top.  A notable exception was &lt;A href="http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html"&gt;Klez.H&lt;/A&gt;'s two-year reign on the charts starting in early 2002, but unlike Klez, Netsky remains on the top primarily because it lacks any competition for the spot.&lt;/P&gt;
&lt;P&gt;Although mass-mailers have declined over the last few months, an even more damaging threat, especially on the corporate level, looms:&lt;/P&gt;
&lt;BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"&gt;
&lt;P&gt;"Smaller, targeted attacks are on the increase, with the emergence of a new breed of financially-motivated online criminal. The concern is that if users continue to combine unsafe computing practices with outdated threat protection, they'll be a soft target for this new form of attack," Theriault warned.&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P dir=ltr&gt;I tend to believe there is little, if any, correlation between the two.  Targeted attacks, especially of a financial nature, have been developing for a while, and even made national news when it was suggested that the Sobig.F worm was &lt;A href="http://www.geek.com/news/geeknews/2003Aug/gee20030825021447.htm"&gt;linked to organised crime&lt;/A&gt;.  The news about the reduced number of mass-mailer hits is promising, but not necessarily a trend that will last very long.  We can only keep our fingers crossed and our software secure.&lt;/P&gt;
&lt;P dir=ltr&gt;&lt;STRONG&gt;&lt;FONT size=4&gt;Bagle Naming Convention Split&lt;BR&gt;&lt;/FONT&gt;&lt;/STRONG&gt;Apparently, a number of antivirus companies have determined that recent variants of the prolific and previously successful Bagle worm family are not Bagle-y enough.  Computer Associates named a recent Bagle variant &lt;A href="http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=47379"&gt;Wreckage.A&lt;/A&gt;, while Trend Micro has coined a new &lt;A href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FYABE%2EB&amp;VSect=T"&gt;Yabe&lt;/A&gt; family of worms for two recent Bagle variants.  These splits have not been uncommon throughout Bagle's naming, and it is possible that the names will be reconciled if a breakout occurs.  However, should a major version of the &amp;#8220;Wreckage&amp;#8221; or &amp;#8220;Yabe&amp;#8221; worm families be reported in the news, it is fairly safe to assume that they are Bagle versions.&lt;/P&gt;
&lt;P dir=ltr&gt;&lt;STRONG&gt;&lt;FONT size=4&gt;Cool Link of the Day&lt;BR&gt;&lt;/FONT&gt;&lt;/STRONG&gt;The University of Virginia provides a Security Tip of the Day on their web site &lt;A href="http://www.itc.virginia.edu/pubs/ads/fightback/tipDisplay.phtml"&gt;here&lt;/A&gt;.  The messages are meant for University of Virginia students, and it's not &lt;EM&gt;exactly &lt;/EM&gt;a Tip of the Day (unless refreshing the page somehow has an effect on the space-time continuum, in which case I do not recommend that anyone above 30 use this web site), but it's certainly interesting.  The tips are pretty basic, but even the best of us need reminders sometimes.  And so do all of your friends and family members who think that &amp;#8220;.pif&amp;#8221; stands for &amp;#8220;picture information file.&amp;#8221;&lt;/P&gt;
&lt;P dir=ltr&gt;That's all for today.&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=68839" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/DAILY+UPDATES/default.aspx">DAILY UPDATES</category><category domain="http://msmvps.com/blogs/trafton/archive/tags/VIRUSES/default.aspx">VIRUSES</category></item><item><title>The Daily Update - Monday, April 26th, 2004</title><link>http://msmvps.com/blogs/trafton/archive/2004/04/26/5525.aspx</link><pubDate>Mon, 26 Apr 2004 17:41:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:5525</guid><dc:creator>trafton</dc:creator><slash:comments>5</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/trafton/rsscomments.aspx?PostID=5525</wfw:commentRss><comments>http://msmvps.com/blogs/trafton/archive/2004/04/26/5525.aspx#comments</comments><description>&lt;h3&gt;&lt;font color="#000000"&gt;&lt;font color="#ff0000"&gt;BREAKING NEWS:&lt;/font&gt; Bagle “Z“ Wants to Be Your Friend; Spreads Rapidly&lt;/font&gt;&lt;/h3&gt;
&lt;p&gt;W32/Bagle.Z-mm (or “W“) has been found spreading quickly throughout the field. Most antivirus companies rank this as a Medium threat.&lt;br /&gt;&lt;br /&gt;The worm spreads by using email messages that sound like requests for pen pals who don't exactly speak English that great. An example email is titled “Re: Msg reply“ and reads “I very much love productive leisure, to prepare for new exotic dishes, at leisure to leave with friends on the nature, to float, I like to go for a drive on mountain skiing, to visit excursions, travel. Very easy going. Read the attach. Have a good day, Christie.“&lt;br /&gt;&lt;br /&gt;Other emails are similarly humorous. Full information can be found &lt;a href="http://www.sarc.com/avcenter/venc/data/w32.beagle.w@mm.html"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;h3&gt;“E“ Variant of BugBear Appears Quietly Today&lt;/h3&gt;
&lt;p&gt;W32/BugBear.E-mm, which is unrelated to W32/BugBear.C-mm (accidentally named .E by a few antivirus companies), has appeared quietly. It is not believed to be in the Wild, although it does have some interesting features. First, the zero day exploit used in .C has been removed from .E. Next, it logs actions such as words typed, clipboard entries, cookies, and text from open windows and sends it to the writer, who is believed to be in Malaysia. More information about the latest variant can be found &lt;a href="http://www.sarc.com/avcenter/venc/data/w32.bugbear.e@mm.html"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;h3&gt;CIH Activation Today; More for Nostalgia than Anything&lt;/h3&gt;
&lt;p&gt;It's been five years since the W95/CIH, or Chernobyl, virus first activated. The virus, which became a pandemic, especially in Asia where it infected poorly protected, pirated software, has destroyed progressively fewer machines since its first payload, which was a major media event. Most experts agree that 2001 was the last time the W95/CIH activation caused any significant damage (the virus itself has nothing to do with the nuclear disaster - it just activates on that date.) However, the BIOS-flashing, which damaged some retro-era motherboards, is still a risk to some users. Infections are still somewhat common in the Asian countries, and outbreaks of W95/CIH due to pirated software are an occasional event.&lt;br /&gt;&lt;br /&gt;Chen Ing-Hau (whose initials lend the virus its name) was detained by Taiwanese authorities in 2000 following legal roadblocks that prevented his arrest. Sophos reflects on this and other parts of the history of W95/CIH &lt;a href="http://www.sophos.com/virusinfo/articles/cihfive.html"&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=5525" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/DAILY+UPDATES/default.aspx">DAILY UPDATES</category><category domain="http://msmvps.com/blogs/trafton/archive/tags/VIRUSES/default.aspx">VIRUSES</category><category domain="http://msmvps.com/blogs/trafton/archive/tags/Viruses+_2800_Medium_2900_/default.aspx">Viruses (Medium)</category><category domain="http://msmvps.com/blogs/trafton/archive/tags/Viruses+_2800_Urgent_2900_/default.aspx">Viruses (Urgent)</category></item><item><title>The Daily Update - Sunday, April 25th, 2004</title><link>http://msmvps.com/blogs/trafton/archive/2004/04/25/5473.aspx</link><pubDate>Sun, 25 Apr 2004 12:48:00 GMT</pubDate><guid 
isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:5473</guid><dc:creator>trafton</dc:creator><slash:comments>350</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/trafton/rsscomments.aspx?PostID=5473</wfw:commentRss><comments>http://msmvps.com/blogs/trafton/archive/2004/04/25/5473.aspx#comments</comments><description>&lt;h3&gt;&lt;font color="#000000"&gt;“Osama Capture“ Trojan Horse More Widespread Than Thought&lt;/font&gt;&lt;/h3&gt;
&lt;p&gt;A number of field reports have been received about an email with the subject “Osama bin Laden Captured“ that uses a recent vulnerability to drop a Trojan Horse onto infected computers. This was previously mentioned in a recent news post. The email message, it is important to note, does not spread on its own. It is believed that the Trojan Horse was mass-spammed to millions of addresses worldwide. Users who reported receiving emails usually received “several“ copies, with few reporting just one copy. Although this threat is still a low risk, it is out there, so be vigilant.&lt;/p&gt;
&lt;h3&gt;US Defends “Cybercrime Treaty“&lt;/h3&gt;
&lt;p&gt;&lt;em&gt;The Register&lt;/em&gt; &lt;a href="http://www.theregister.co.uk/2004/04/24/us_defends_cybercrime_treaty/"&gt;reports&lt;/a&gt; that the United States government is currently on the defensive in respect to the “Convention on Cybercrime,“ introduced by the Council of Europe. The measure, which the Senate has not ratified, seeks to globally outlaw computer intrusion (“hacking,“) child pornography, commercial copyright infringement, and online fraud.&lt;br /&gt;&lt;br /&gt;Some civil libertarians are worried about the scope of the treaty, potentially allowing countries with corrupt governments to utilize American surveillance power. Betty Shave, who heads the Department of Justice's international computer crime division, admits that the measure does not contain any dual criminality. “There is no requirement that the act that is being investigated be a crime both in a nation that is asking for assistance, and the nation that is providing assistance,“ says Barry Steinhardt of the left-leaning civil rights group the American Civil Liberties Union (ACLU).&lt;br /&gt;&lt;br /&gt;Although 34 European nations in addition to Canada, Japan, South Africa, and the U.S. have signed on to the treaty, only five have ratified it: Albania, Croatia, Estonia, Hungary, and Lithuania.&lt;/p&gt;
&lt;h3&gt;This Week's Top Viruses&lt;/h3&gt;
&lt;p&gt;Here are the counts of the most common viruses in my inbox this week:&lt;br /&gt;&lt;br /&gt;W32.Swen.A-mm (22)&lt;br /&gt;W32.NetSky.B-mm (14)&lt;br /&gt;W32.NetSky.S-mm (6)&lt;br /&gt;W32.NetSky.P-mm (5)&lt;br /&gt;W32.Klez.H-mm (5)&lt;br /&gt;W32.MyDoom.F-mm (4)&lt;br /&gt;W32.NetSky.D-mm (4)&lt;br /&gt;W32.NetSky.Q-mm (4)&lt;br /&gt;W32.Parite.B (3)&lt;br /&gt;W32.Dumaru.Z-mm (2)&lt;br /&gt;W32.MyDoom.A (2)&lt;br /&gt;W32.Bagle.J-mm (2)&lt;br /&gt;W32.HLLP.Hantaner.A (1)&lt;br /&gt;W32.HLLW.Upering.A-mm (1)&lt;br /&gt;W32.Parite.A (1)&lt;br /&gt;W32.SirCam.A-mm (1)&lt;br /&gt;W95.Hybris.B-mm (1)&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=5473" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/DAILY+UPDATES/default.aspx">DAILY UPDATES</category></item><item><title>The Daily Update - Thursday, April 22nd, 2004</title><link>http://msmvps.com/blogs/trafton/archive/2004/04/22/5346.aspx</link><pubDate>Thu, 22 Apr 2004 12:40:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:5346</guid><dc:creator>trafton</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/trafton/rsscomments.aspx?PostID=5346</wfw:commentRss><comments>http://msmvps.com/blogs/trafton/archive/2004/04/22/5346.aspx#comments</comments><description>&lt;h3&gt;&lt;font color="#000000"&gt;Britons to British Government: “We Want ID Cards, But You'll Mess Them Up“&lt;/font&gt;&lt;/h3&gt;
&lt;p&gt;&lt;em&gt;The Register &lt;/em&gt;reports that the British want ID cards, but believe even more strongly that there's a snowball's chance in a warm locale that the government will be able to maintain the high-tech gizmos properly.&lt;br /&gt;&lt;br /&gt;According to IT consultant company Datica, 80 per cent of Britons interviewed say that they would be either moderately or strongly in favor of the identification cards, with only 11 per cent moderately or strongly against. Civil liberties were not a major concern of those interviewed. The most major issue, in fact, is the public's distrust of the British government's ability to handle the cards. Sixty per cent of those interviewed don't believe the government could make a smooth rollout; 41 per cent of respondents just don't trust the government with the technology.&lt;br /&gt;&lt;br /&gt;Despite all of this, most experts agree that the public is misinformed about the benefits of ID cards. A spokesperson for Datica agreed that the results were somewhat disappointing, noting that the belief that the cards will stop illegal immigration in its tracks is largely a myth.&lt;br /&gt;&lt;br /&gt;And, of course, the perennial result of any survey involving anything costing more than $50: just shy of half of those surveyed think the ID cards should be absolutely free.&lt;/p&gt;
&lt;h3&gt;“Mercurycas“ Trojan Horse Reported in the Field&lt;/h3&gt;
&lt;p&gt;Symantec has posted a &lt;a href="http://www.sarc.com/avcenter/venc/data/trojan.mercurycas.a.html"&gt;write-up&lt;/a&gt; on their site for Trojan.Mercurycas, and reports that it is moderately in the Wild. As this is a Trojan Horse, and thus does not spread itself, email mass-spammings were probably the source of the infections.&lt;br /&gt;&lt;br /&gt;The Trojan Horse, which serves as a spamming proxy on infected machines, connects to www.mercuryloungecasino.com (hence its name) to upload a file. At the time of this writing, this site was unavailable. However, a quick bit of detective work reveals that a Mr. Jeroen Puttemans of Perk, Belgium operates the site, as well as sister site TurnKeyCasino.com, which also appears to be down. Additionally, the Trojan Horse contacts an IP address that resolves to a Mexican AOL service. The connection is for backdoor purposes and is on port 25.&lt;/p&gt;
&lt;h3&gt;“Blaster“ Variant Spotted in the Wild&lt;/h3&gt;
&lt;p&gt;W32/Blaster.T (aka .F, .G, .I, and .L to various companies) has been spotted in the field by &lt;a href="http://www.sarc.com/avcenter/venc/data/w32.blaster.t.worm.html"&gt;Symantec&lt;/a&gt;. The company reports that only 3-9 sites have been infected, which is a fairly trivial number. However, various companies are reporting higher statistics. The extent to which W32/Blaster.T is spreading is unknown, but it is out there. As it only uses the old W32/Blaster vulnerabilities, users are strongly urged to run Windows Update and get current with their patches. Most unpatched systems will probably end up experiencing infection every few minutes and constant reboots (stop this by going to the Start menu, then Run, and then typing “shutdown -a“ without the quotes.)&lt;/p&gt;
&lt;h3&gt;New “MyDoom“ Borrows from BugBear, But Seems Bust&lt;/h3&gt;
&lt;p&gt;&lt;a href="http://www.sarc.com/avcenter/venc/data/w32.mydoom.j@mm.html"&gt;W32/MyDoom.J-mm&lt;/a&gt; is yet another variant of the W32/MyDoom.A-mm worm, which appeared earlier this year and became the fastest-spreading email worm in history. The only other variant of the original to be very successful, W32/MyDoom.F-mm, was at most a medium-risk occurrence. The latest version, W32/MyDoom.J-mm, isn't even in the Wild. The only thing notable about it, in fact, is that it borrows a good degree of code from W32/BugBear-mm. Otherwise, it is the same old stuff to be expected, with similar message bodies to the original, W32/MyDoom.A-mm.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=5346" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/DAILY+UPDATES/default.aspx">DAILY UPDATES</category></item><item><title>The Daily Update - Wednesday, April 21st, 2004</title><link>http://msmvps.com/blogs/trafton/archive/2004/04/21/5298.aspx</link><pubDate>Wed, 21 Apr 2004 12:44:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:5298</guid><dc:creator>trafton</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/trafton/rsscomments.aspx?PostID=5298</wfw:commentRss><comments>http://msmvps.com/blogs/trafton/archive/2004/04/21/5298.aspx#comments</comments><description>&lt;h3&gt;&lt;font color="#ff0000"&gt;Breaking News:&lt;/font&gt; Fundamental Flaw in Internet Revealed&lt;/h3&gt;
&lt;p&gt;Many sources are reporting that officials from the United Kingdom and United States have disclosed a major flaw in the Transmission Control Protocol (TCP). The use of this vulnerability could bring down the entire Internet. According to the article:&lt;br /&gt;&lt;br /&gt;“The U.K. National Infrastructure Security Coordination (NISCC) said systems that rely on persistent TCP connections, for example routers using Border Gateway Protocol (BGP), are most at risk. The impact of this vulnerability varies by vendor and application, according to NISCC, but in some deployment scenarios it is rated critical.“&lt;br /&gt;&lt;br /&gt;Interested users should read the advisory at the NISCC site &lt;a href="http://www.uniras.gov.uk/vuls/"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;h3&gt;“Opasa“ Worm Spreading&lt;/h3&gt;
&lt;p&gt;Symantec &lt;a href="http://www.sarc.com/avcenter/venc/data/w32.opasa@mm.html"&gt;reports&lt;/a&gt; that a worm by the name of W32/Opasa-mm (there W32.Opasa@mm) is spreading a bit in the field. The worm, which uses either a .html file or a .zip file with a .html file within it, has been reported from a few locations, although not yet a significant enough number to warrant much worry.&lt;br /&gt;&lt;br /&gt;The worm spreads via P2P programs in addition to a highly polymorphic email. The worm is clever, so subsequent variants may be threats.&lt;/p&gt;
&lt;h3&gt;“Z” Variant of “NetSky” Appears&lt;/h3&gt;
&lt;p&gt;W32/NetSky.Z-mm, also known as NetSky.AA, has appeared. F-Secure says that it is currently a low risk. The only difference from previous variants is that W32/NetSky.Z-mm does not attempt to spread via P2P programs and does not uninstall W32/Bagle-mm variants. It listens on port 665.&lt;br /&gt;&lt;br /&gt;More information about this worm can be found &lt;a href="http://www.f-secure.com/v-descs/netsky_z.shtml"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;h3&gt;FTC: “No Need for Spyware Legislation”&lt;/h3&gt;
&lt;p&gt;&lt;em&gt;The Register &lt;/em&gt;&lt;a href="http://www.theregister.co.uk/2004/04/21/ftc_spyware_workshop/"&gt;reports&lt;/a&gt; that the Federal Trade Commission (FTC) does not currently believe that spyware constitutes a significant enough threat to warrant laws against its creation. The commission instead recommends industry self-regulation, which &lt;em&gt;Security Manifest &lt;/em&gt;would like to point out is nearly as likely as the spyware industry deciding to clean its programs off every affected machine and issue an apology message. The alternative, user education, is also not very viable. &lt;br /&gt;&lt;br /&gt;Commissioner Mozelle Thompson says that it is “too early” for laws banning spyware to be put in place. The question of what should be considered spyware and what should not is one to be mulled. Many advocates objected when the state of Utah declared spyware a crime on the grounds that the law was too wide, potentially also disallowing legitimate programs.&lt;br /&gt;&lt;br /&gt;This just shows how complex the issue of spyware is. The claim that it is “too early” for spyware legislation is interesting, because really there is no perfect time for it. Spyware has been around for many years now, and is fast emerging as more of a threat than viruses. 
Only time will tell whether we see legislation in this department anytime soon, but if the &lt;a href="http://www.theregister.co.uk/2004/04/16/spyware_audit/"&gt;average&lt;/a&gt; of 28 spyware programs on the average user's machine is any indication, end users are already being affected by this developing pandemic.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=5298" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/DAILY+UPDATES/default.aspx">DAILY UPDATES</category><category domain="http://msmvps.com/blogs/trafton/archive/tags/SECURITY/default.aspx">SECURITY</category></item><item><title>The Daily Update - Tuesday, April 20th, 2004</title><link>http://msmvps.com/blogs/trafton/archive/2004/04/20/5257.aspx</link><pubDate>Tue, 20 Apr 2004 12:30:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:5257</guid><dc:creator>trafton</dc:creator><slash:comments>2</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/trafton/rsscomments.aspx?PostID=5257</wfw:commentRss><comments>http://msmvps.com/blogs/trafton/archive/2004/04/20/5257.aspx#comments</comments><description>&lt;h3&gt;&lt;font color="#ff0000"&gt;Breaking News:&lt;/font&gt; W32/NetSky.X-mm Outbreak&lt;/h3&gt;
&lt;p&gt;A number of major security companies are reporting a medium-risk outbreak of the latest W32/NetSky-mm variant, W32/NetSky.X-mm. This variant sends itself in a number of languages, badly translated, including the obscure inclusion of a local dialect from the Turks and Caicos. Recent outbreaks such as W32/Sober and, to an extreme extent, W32/Zafi-mm (see below), have shown that even a locally-oriented worm can become a regional outbreak.&lt;br /&gt;&lt;br /&gt;There is little technical revelation in this worm: although much of the function has changed, 86 per cent of the code remains identical to W32/NetSky.U-mm. Between the 28th and 30th of this month, the worm performs a Denial of Service attack on two academic sites, one German and one Swiss, and a site for the medical department at the University of Florida in the United States.&lt;br /&gt;&lt;br /&gt;Descriptions of this worm are available at many antivirus vendor sites, including &lt;a href="http://www.f-secure.com/v-descs/netsky_x.shtml"&gt;F-Secure&lt;/a&gt; (Medium), &lt;a href="http://vil.nai.com/vil/content/v_104475.htm"&gt;McAfee&lt;/a&gt; (Low), &lt;a href="http://www.sarc.com/avcenter/venc/data/w32.erkez.a@mm.html"&gt;Symantec&lt;/a&gt; (Medium), and &lt;a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.X"&gt;Trend Micro&lt;/a&gt; (Low).&lt;br /&gt;&lt;br /&gt;&lt;em&gt;The Register &lt;/em&gt;has posted an article about the worm and its semi-humorous mangling of several major world languages &lt;a href="http://www.theregister.co.uk/2004/04/20/babel_fish_worm/"&gt;here&lt;/a&gt;. It cleverly refers to it as “The Babel Fish worm.” For those who do not know, Babel Fish is a translation engine that allows Internet users to translate text and web sites into a range of languages. The name “Babel Fish” comes from the book &lt;em&gt;The Hitchhiker's Guide to the Galaxy&lt;/em&gt;.&lt;/p&gt;
&lt;h3&gt;“Zafi” Worm at Outbreak Levels in Hungary&lt;/h3&gt;
&lt;p&gt;W32/Zafi-mm, variously also known as Erkaz and Erkez, has become a major problem in Hungary. The worm only sends itself using Hungarian messages to email addresses ending with the suffix .hu. One might consider this a limitation, along with the fact that Hungary does not have an exceptionally large Internet userbase. However, it has successfully spread quite well in the small region. Hungarian users are recommended to remain alert, although it is doubtful that there will even be a ripple of the worm in any other countries.&lt;br /&gt;&lt;br /&gt;Descriptions of this worm are available at the web sites of &lt;a href="http://www.f-secure.com/v-descs/zafi_a.shtml"&gt;F-Secure&lt;/a&gt; (Low), &lt;a href="http://vil.nai.com/vil/content/v_104471.htm"&gt;McAfee&lt;/a&gt; (Low), &lt;a href="http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=46434"&gt;Panda Software&lt;/a&gt; (Low), &lt;a href="http://www.sophos.com/virusinfo/analyses/w32zafia.html"&gt;Sophos&lt;/a&gt; (n/a), &lt;a href="http://www.sarc.com/avcenter/venc/data/w32.erkez.a@mm.html"&gt;Symantec&lt;/a&gt; (Low-Medium), and &lt;a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.A"&gt;Trend Micro&lt;/a&gt; (Low). &lt;em&gt;Security Manifest &lt;/em&gt;would put the risk to users worldwide at Low, with a special Medium-High risk exclusively for Hungary and Hungarian-speaking regions with .hu suffixes.&lt;br /&gt;&lt;br /&gt;The good news? We won't have to deal with W32/Zafi-mm for too long: it deactivates itself at the end of the month.&lt;/p&gt;
&lt;h3&gt;1-in-3 E-Mails Spam (Only That Much?)&lt;/h3&gt;
&lt;p&gt;Analysis company IDC says that 1-in-3 corporate emails are now spam, &lt;em&gt;The Register &lt;/em&gt;&lt;a href="http://www.theregister.co.uk/2004/04/20/idc_spam_survey/"&gt;reports&lt;/a&gt;. The company surveyed 1,000 IT managers representing various sectors of the business to reach this figure, which some may point out is a tad on the conservative side. Competing companies such as MessageLabs report that over half of e-mails received are bulk mail.&lt;/p&gt;
&lt;h3&gt;Password for a Chocolate Bar...Or Nothing?&lt;/h3&gt;
&lt;p&gt;&lt;em&gt;The Register &lt;/em&gt;is reporting &lt;a href="http://www.theregister.co.uk/2004/04/20/password_surveys/"&gt;here&lt;/a&gt; that the British apparently are a bit too friendly with information about their passwords. According to a survey that involved walking up to random people on the street, around 60 per cent of people approached would give hints regarding their password to e-commerce sites to a random person on the street. The information, which included what type of password it was (for instance, a pet's name), could easily be used by a resourceful black hat to invade the unsuspecting pedestrian's bank account, for instance.&lt;/p&gt;
&lt;p&gt;Another similar study &lt;a href="http://news.bbc.co.uk/2/hi/technology/3639679.stm"&gt;reveals&lt;/a&gt; that sweetening the pot with a chocolate egg increases the odds to about 70 per cent. This study was also conducted in Britain. To the credit of those interviewed, British candy is indeed rather strong, although it is doubtful that this will be any consolation after their bank account is drained.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=5257" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/DAILY+UPDATES/default.aspx">DAILY UPDATES</category><category domain="http://msmvps.com/blogs/trafton/archive/tags/VIRUSES/default.aspx">VIRUSES</category><category domain="http://msmvps.com/blogs/trafton/archive/tags/Viruses+_2800_Medium_2900_/default.aspx">Viruses (Medium)</category><category domain="http://msmvps.com/blogs/trafton/archive/tags/Viruses+_2800_Urgent_2900_/default.aspx">Viruses (Urgent)</category></item><item><title>The Daily Update - Sunday, April 18th, 2004</title><link>http://msmvps.com/blogs/trafton/archive/2004/04/18/5162.aspx</link><pubDate>Sun, 18 Apr 2004 14:29:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:5162</guid><dc:creator>trafton</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/trafton/rsscomments.aspx?PostID=5162</wfw:commentRss><comments>http://msmvps.com/blogs/trafton/archive/2004/04/18/5162.aspx#comments</comments><description>&lt;h3&gt;Weekly Virus List&lt;/h3&gt;
&lt;p&gt;Another look at which nasties were caught in my inbox this week:&lt;/p&gt;
&lt;p&gt;1. W32.Swen.A-mm (31)&lt;br /&gt;2. W32.NetSky.Q-mm (18)&lt;br /&gt;3. W32.NetSky.P-mm (16)&lt;br /&gt;3. W32.NetSky.S-mm (16)&lt;br /&gt;5. W32.NetSky.B-mm (15)&lt;br /&gt;6. W32.NetSky.D-mm (5)&lt;br /&gt;7. W32.Bagle.J-mm (4)&lt;br /&gt;7. W32.Klez.H-mm (4)&lt;br /&gt;9. W32.MyDoom.F-mm (2)&lt;br /&gt;9. W32.Parite.B (2)&lt;br /&gt;11. W32.BugBear.C-mm (1)&lt;br /&gt;11. W32.Dumaru.Y-mm (1)&lt;br /&gt;11. W32.Dumaru.Z-mm (1)&lt;br /&gt;11. W32.HLLP.Hantaner.A (1)&lt;br /&gt;11. W32.HLLW.Upering.A-mm (1)&lt;br /&gt;11. W32.Klez.E-mm (1)&lt;br /&gt;11. W32.Magistr.B-mm (1)&lt;br /&gt;11. W32.Mapson.A-mm (1)&lt;br /&gt;11. W32.MyDoom.A (1)&lt;br /&gt;11. W32.Parite.A (1)&lt;br /&gt;11. W32.SirCam.A-mm (1)&lt;br /&gt;&lt;br /&gt;For the past month:&lt;br /&gt;&lt;br /&gt;1. W32.Swen.A-mm (97)&lt;br /&gt;2. W32.NetSky.P-mm (56)&lt;br /&gt;3. W32.NetSky.S-mm (53)&lt;br /&gt;4. W32.NetSky.Q-mm (40)&lt;br /&gt;5. W32.Bagle.J-mm (34)&lt;br /&gt;6. W32.Klez.H-mm (18)&lt;br /&gt;6. W32.NetSky.B-mm (18)&lt;br /&gt;8. W32.MyDoom.F-mm (17)&lt;br /&gt;9. W32.MyDoom.A (15)&lt;br /&gt;10. W32.Dumaru.Z-mm (13)&lt;br /&gt;11. W32.Sobig.F-mm (10)&lt;br /&gt;12. W32.NetSky.D-mm (9)&lt;br /&gt;13. W32.SirCam.A-mm (7)&lt;br /&gt;14. W32.Bagle.C-mm (6)&lt;br /&gt;14. W32.Dumaru.Y-mm (6)&lt;br /&gt;16. W32.BugBear.B-mm (5)&lt;br /&gt;16. W32.Parite.B (5)&lt;br /&gt;18. W32.Lovgate.C-m (4)&lt;br /&gt;18. W32.Mimail.J-mm (4)&lt;br /&gt;18. W32.Valla.B (4)&lt;br /&gt;21. JS.Kak.A-m (3)&lt;br /&gt;21. W32.Bagle.B-mm (3)&lt;br /&gt;21. W32.BugBear.C-mm (3)&lt;br /&gt;21. W32.Klez.E-mm (3)&lt;br /&gt;21. W32.Yaha.R-mm (3)&lt;br /&gt;26. VBS.Redlof.A-m (2)&lt;br /&gt;26. VBS.VBSWG.X-mm (2)&lt;br /&gt;26. W32.Bagle.A-mm (2)&lt;br /&gt;26. W32.Ganda.A-mm (2)&lt;br /&gt;26. W32.HLLW.Fizzer.A-mm (2)&lt;br /&gt;26. W32.Parite.A (2)&lt;br /&gt;26. W32.Sober.F-mm (2)&lt;br /&gt;33. VBS.VBSWG.Z-mm (1)&lt;br /&gt;33. W32.BadTrans.B-mm (1)&lt;br /&gt;33. W32.BugBear.A-mm (1)&lt;br /&gt;33. 
W32.Dumaru.A-mm (1)&lt;br /&gt;33. W32.Elkern.C (1)&lt;br /&gt;33. W32.HLLP.Hantaner.A (1)&lt;br /&gt;33. W32.HLLW.Upering.A-mm (1)&lt;br /&gt;33. W32.Magistr.B-mm&lt;br /&gt;33. W32.Mapson.A-mm&lt;br /&gt;33. W32.Mimail.A-mm (1)&lt;br /&gt;33. W32.Yaha.J-mm (1)&lt;br /&gt;33. W32.NetSky.C-mm (1)&lt;br /&gt;33. W32.Nimda.A-mm (1)&lt;br /&gt;33. W32.Sober.D-mm (1)&lt;br /&gt;33. W32.Sober.F-mm (1)&lt;br /&gt;33. W32.Sobig.A-mm (1)&lt;br /&gt;33. W32.Sobig.E-mm (1)&lt;br /&gt;33. W32.Weird.A (1)&lt;br /&gt;33. W95.MTX.A-m (1)&lt;br /&gt;33. W95.Padania.1335 (1)&lt;br /&gt;33. W95.Spaces.1445 (1)&lt;br /&gt;33. W97M.Ethan.A (1)&lt;br /&gt;33. WM.CAP.A (1)&lt;/p&gt;
&lt;h3&gt;The Daily Virus Update&lt;/h3&gt;Nothing much to note today.&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=5162" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/DAILY+UPDATES/default.aspx">DAILY UPDATES</category></item><item><title>The Daily Update - Saturday, April 17th, 2004</title><link>http://msmvps.com/blogs/trafton/archive/2004/04/17/5136.aspx</link><pubDate>Sat, 17 Apr 2004 15:54:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:5136</guid><dc:creator>trafton</dc:creator><slash:comments>357</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/trafton/rsscomments.aspx?PostID=5136</wfw:commentRss><comments>http://msmvps.com/blogs/trafton/archive/2004/04/17/5136.aspx#comments</comments><description>&lt;h3&gt;Back Again&lt;/h3&gt;
&lt;p&gt;After an absence which I will falsely blame the IRS for, I'd like to apologize for not posting TDU in the form it should be: daily. ;)&lt;/p&gt;
&lt;h3&gt;Windows Update Slow; Get Patched Anyway&lt;/h3&gt;
&lt;p&gt;I would like to remind everyone to get patched if they have not yet. Although the Windows Update server is somewhat slow, it is absolutely necessary that everyone download the latest patches. Several sources report that there is quite a good chance that we will be seeing a W32/Blaster.worm-like exploit of these vulnerabilities. Although nothing has yet appeared, there is no reason not to get updated. The server is slow for a good reason, however: many people are downloading the patch at once. This should mean that a record number will be patched when and if the next Blaster-like worm strikes.&lt;/p&gt;
&lt;h3&gt;Sentencing Under CAN-SPAM Announced; Sexually Explicit Spam Has Special Clause&lt;/h3&gt;
&lt;p&gt;“News for Nerds” site &lt;em&gt;SlashDot&lt;/em&gt; is &lt;a href="http://slashdot.org/article.pl?sid=04/04/17/1422249"&gt;reporting&lt;/a&gt; (if you can call three sentences a report) that The United States Sentencing Commission has issued its Guidelines for Punishment. The recommended sentence for spam-sending is 1 to 3 years under the law, which passed last November. Additionally, &lt;em&gt;The Register &lt;/em&gt;&lt;a href="http://www.theregister.co.uk/2004/04/14/porn_spam_label/"&gt;reports&lt;/a&gt; that the Federal Trade Commission (FTC) is imposing a rule on spammers to take effect by May 19th, 2004, forcing them to label all pornographic spams with the prefix “SEXUALLY-EXPLICIT:”. This will make it easier for ISPs and home users to filter out such spams. The CAN-SPAM act has been in effect for months now, and no decrease in spamming traffic has yet been noted. Although the law is considered a step forward for prosecution of bulk e-mailers, most industry experts say it is doubtful the average user will see a decrease in spam traffic from it.&lt;/p&gt;
&lt;h3&gt;W32.NetSky Family Adds Two More Variants&lt;/h3&gt;
&lt;p&gt;The W32.NetSky worm family, which is currently in a near-tie race with the W32.Bagle worm family to use every single letter in the alphabet, adds two new variants to its repertoire, both considered low risks.&lt;br /&gt;&lt;br /&gt;W32.NetSky.V-mm is quite similar to W32.NetSky.U-mm, sharing (according to F-Secure) approximately 86 per cent of its code. It was discovered late on Wednesday, April 14th GMT. The presence of EastAV.exe in the Windows directory is an indication of infection, as is KasperskyAVEng.exe in the same folder. The email routine is basically identical to W32.NetSky.U-mm. This variant attacks a number of P2P sites; the list has mainly changed to reflect the web sites which relocated to avoid the onslaught of previous W32.NetSky versions. The attacked web sites still are P2P sites and illegal software portals.&lt;/p&gt;
&lt;p&gt;W32.NetSky.W-mm was discovered on Friday, April 16th. It seems to be more of a step back than anything, and is strikingly similar to W32.NetSky.P-mm. The only differences are that it will add itself to startup as VisualGuard.exe, drop a number of files into the Windows directory (base64.tmp, zip1.tmp, zip2.tmp, zip3.tmp, and zipped.tmp), and delete the registry keys of recent W32.Bagle variants. Like W32.NetSky.V-mm, the amount of spread is so far trivial.&lt;/p&gt;
&lt;h3&gt;Another W32.HLLW.Gaobot Variant&lt;/h3&gt;
&lt;p&gt;The huge W32.HLLW.Gaobot family has finally made it into triple-lettering. This means that the latest variant, &lt;a href="http://www.sarc.com/avcenter/venc/data/w32.gaobot.aay.html"&gt;W32.HLLW.Gaobot.AAY&lt;/a&gt; (there listed as W32.Gaobot.AAY), is the 727th variant of the family. The latest spring chicken uses no less than seven vulnerabilities in addition to spreading through backdoors left by W32.Bagle and W32.MyDoom versions. Although W32.HLLW.Gaobot.AAY does not appear to be significantly in the wild, it is another step for this ever-advancing family of pains-in-the-neck.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=5136" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/DAILY+UPDATES/default.aspx">DAILY UPDATES</category></item><item><title>The Daily Update - Tuesday, April 13th, 2004</title><link>http://msmvps.com/blogs/trafton/archive/2004/04/13/4960.aspx</link><pubDate>Tue, 13 Apr 2004 19:15:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:4960</guid><dc:creator>trafton</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/trafton/rsscomments.aspx?PostID=4960</wfw:commentRss><comments>http://msmvps.com/blogs/trafton/archive/2004/04/13/4960.aspx#comments</comments><description>&lt;h3&gt;Monthly Updates Released: 3 Critical, 1 Important&lt;/h3&gt;
&lt;p&gt;Microsoft has released the monthly updates, and this time around there are four, three of which are labeled critical and one important. Patch yourself up at &lt;a href="http://windowsupdate.microsoft.com/"&gt;Windows Update&lt;/a&gt; today. Here are descriptions of the patches (unless noted, all vulnerabilities affect &lt;em&gt;Windows NT Workstation 4.0&lt;/em&gt;, &lt;em&gt;Windows NT Server 4.0&lt;/em&gt;, &lt;em&gt;Windows NT Server 4.0 Terminal Server Edition&lt;/em&gt;, &lt;em&gt;Windows 2000&lt;/em&gt;, &lt;em&gt;Windows XP&lt;/em&gt;, and &lt;em&gt;Windows Server 2003&lt;/em&gt;):&lt;/p&gt;
&lt;p&gt;&lt;font size="2"&gt;&lt;strong&gt;MS04-011 &lt;br /&gt;&lt;/strong&gt;&lt;/font&gt;Rated critical, this vulnerability could allow an attacker to remotely execute code. Read more &lt;a href="http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;font size="2"&gt;&lt;strong&gt;MS04-012 &lt;br /&gt;&lt;/strong&gt;&lt;/font&gt;This critical patch replaces previous patches that fix a vulnerability that could allow an attacker to remotely execute code. Read more &lt;a href="http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;font size="2"&gt;&lt;strong&gt;MS04-013 &lt;br /&gt;&lt;/strong&gt;&lt;/font&gt;This critical patch is also rated critical under&lt;em&gt; Windows 98 &lt;/em&gt;and &lt;em&gt;Windows Millennium Edition &lt;/em&gt;(ME). Read more &lt;a href="http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;font size="2"&gt;&lt;strong&gt;MS04-014 &lt;br /&gt;&lt;/strong&gt;&lt;/font&gt;Rated important, which is slightly below critical, this patch fixes a vulnerability in &lt;em&gt;Jet Database Engine 4.0 &lt;/em&gt;that could allow remote execution of code. Read more &lt;a href="http://www.microsoft.com/technet/security/bulletin/MS04-014.mspx"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Of course, all users should apply these patches immediately, although MS04-014 is not as urgent as the others.&lt;/p&gt;
&lt;h3&gt;Most Ignored Security Problem of the Month&lt;/h3&gt;
&lt;p&gt;Too often the antivirus world is fixated on the evils that occur when a virus is executed from an email message. But what about the evils caused even when they aren't? Several users have recently brought up an interesting observation on the Microsoft Newsgroups: email viruses are increasingly becoming a spam-like problem. Even for those vigilant souls who resist the urge to play the latest EXCELLENT_GAME.scr or perhaps unlock the secrets behind IMPORTANT_DOCS.ZIP, viruses are still causing damage by flooding their inboxes. This has really been an issue for quite a while (some people had to switch email addresses after being spammed with enough copies of W32.Klez.H and W32.SirCam to choke a horse) and the bad thing is there is not all that much that can be done about it. Blocking emails detected with viruses attached instead of just removing the files is not extremely practical, but it may eventually come to that: after all, a few precious months ago, the idea of blocking .zip files at the gateway seemed an absurdity.  &lt;/p&gt;
&lt;h3&gt;ClearSwift: Stock Tip Scam Spams on the Rise&lt;/h3&gt;
&lt;p&gt;&lt;em&gt;The Register &lt;/em&gt;&lt;a href="http://www.theregister.co.uk/2004/04/13/stock_spam_scam/"&gt;reports&lt;/a&gt; that mail filtering company ClearSwift has announced a 10.8-26 per cent rise in financially-based spam mails in March, mostly due to bogus stock tips. It seems that, although it isn't new, the practice of flooding a small stock with many buy orders to artificially inflate it and then allowing it to crash is the latest hot tactic from the dark side. Gullible email readers who invest in UltraMegaInterCorp aren't likely to see any return on their investments, but the spammers certainly are. ClearSwift does note, however, that such spams have a ways to go to catch up with the &lt;em&gt;numero uno&lt;/em&gt; spam genre, healthcare, which makes up 57 per cent of bulk mails.&lt;/p&gt;
&lt;h3&gt;The Good News...&lt;/h3&gt;
&lt;p&gt;The Computer Technology Industry Association (CompTIA) reports that the number of virus attacks has fallen significantly since this time last year. Only 68.6 per cent of organizations reported a virus breach this time around, down from 80 per cent twelve months ago. Also, network intrusion attacks have fallen some, from 65.1 per cent to 39.9 per cent. VPN and dial-up remote access breaches fell slightly from 49.9 per cent to 41.7 per cent, while social engineering also tumbled from 21.9 per cent to 17.9 per cent. Can this all be attributed to increased security awareness? Maybe. A heartening 95.5 per cent of organizations say they use antivirus software, while a still-too-low but certainly decent 90.8 per cent use firewalls. Use of network penetration tests to verify security awareness also went on the rise, from 53 per cent to 61 per cent.&lt;/p&gt;
&lt;h3&gt;...And the Bad&lt;/h3&gt;
&lt;p&gt;The same report showed a sharp increase in browser-based attacks, especially in threats delivered via spam emails. The figure for these sorts of intrusions jumped from 25 per cent to 36.8 per cent. Although this is not an extreme jump, it is significant, especially considering that all other figures fell in the past year. This technique's increased use can be attributed to more vicious spam-spyware hybrid operations, among other things. Human error still remains the top reason for intrusions, going up from 63 per cent last year to a staggering 84 per cent today. Although an optimist could say that this reflects increasing security preparation among network administrators, the problem is getting worse no matter what way you slice it. This study, as well as the above, can be found &lt;a href="http://www.theregister.co.uk/2004/04/13/browser_security_woes/"&gt;here&lt;/a&gt;. &lt;/p&gt;
&lt;h3&gt;Real-Time &lt;em&gt;WildList&lt;/em&gt; Updated&lt;/h3&gt;
&lt;p&gt;The newest real-time &lt;em&gt;WildList&lt;/em&gt;, released seemingly randomly (much like the regular &lt;em&gt;WildList &lt;/em&gt;these days), has been updated and is now available at the &lt;em&gt;WildList &lt;/em&gt;site (&lt;a href="http://www.wildlist.org/"&gt;http://www.wildlist.org/&lt;/a&gt;). New additions are the .D, .G, .H, .I, .J, .N, .P, .Q, and .U versions of W32/Bagle and the .F, .J, .M, .O, .P, and .Q versions of W32/NetSky. The .D version of W32/Sober is the only other addition that is not contained within these two families. For those who do not know, the &lt;em&gt;WildList &lt;/em&gt;is a somewhat slow-to-respond but still insightful list of viruses encountered by a group of 76 “reporters” from across the globe. Since it is released only monthly, it is not a good source of outbreak information, but it is useful for finding viruses that may have slipped under the radar but are still spreading well in the field.&lt;/p&gt;
&lt;h3&gt;The Daily Virus Update&lt;/h3&gt;
&lt;p&gt;Antivirus vendors were busy getting their databases updated after the weekend, and some spent time catching up on previously un-posted descriptions of lesser evils. Symantec posted a number of descriptions, the only one of which that is worthwhile spending words on being W32.HLLW.Gaobot.ZX (here W32.Gaobot.ZX). This latest version of the gigantic W32.HLLW.Gaobot family, which should reach triple lettering very, very soon, exploits seven whole vulnerabilities plus backdoors left by the W32.Bagle and W32.MyDoom family of worms. This latest version, which is listed as being slightly in the wild with 3-9 sites, is yet another great reason to &lt;a href="http://windowsupdate.microsoft.com/"&gt;get patched&lt;/a&gt; and keep a good, updated antivirus program and firewall. More information about W32.HLLW.Gaobot.ZX can be found &lt;a href="http://www.sarc.com/avcenter/venc/data/w32.gaobot.zx.html"&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=4960" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/DAILY+UPDATES/default.aspx">DAILY UPDATES</category></item><item><title>The Daily Update - Monday, April 12th, 2004</title><link>http://msmvps.com/blogs/trafton/archive/2004/04/12/4915.aspx</link><pubDate>Mon, 12 Apr 2004 18:39:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:4915</guid><dc:creator>trafton</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/trafton/rsscomments.aspx?PostID=4915</wfw:commentRss><comments>http://msmvps.com/blogs/trafton/archive/2004/04/12/4915.aspx#comments</comments><description>&lt;h3&gt;A Quiet Weekend&lt;/h3&gt;
&lt;p&gt;I hope everyone out there had a good Easter Sunday, or weekend in general, whichever you happen to celebrate. In addition to the holiday festivities, there was little activity in the realm of viruses, with no new W32/Netsky or W32/Sober variants appearing. Sunday is a popular day to release worms because users oftentimes will open their emails for the first time in days more or less at the same time on Monday morning, increasing the likelihood that the worm will successfully replicate before protection is introduced.&lt;/p&gt;
&lt;h3&gt;Microsoft STILL Does Not Send Patches Via Email!&lt;/h3&gt;It truly should not be stressed enough: &lt;em&gt;no sane company emails out patches via email&lt;/em&gt;. Even after W32/Swen, among other worms, successfully spread by claiming to be patches for vulnerabilities, mostly in Microsoft &lt;em&gt;Windows&lt;/em&gt;, users are still falling for the same old tricks. And, as long as there is a user to trick, there will be a virus to exploit that misplaced trust. The latest worm to exploit this, an amoeba by nature (meaning it does nothing but spread), is W32.HLLW.Gearbug@mm. This is not nearly as clever as previous worms, sending itself in a grammatically-challenged email from the suspicious address of liveupdate@microsoft.com. Although it is doubtful W32.HLLW.Gearbug@mm will ever go anywhere, the existence of the files C:\Windows\System32\ElimB.exe and C:\Windows\ElimB.exe, in addition to an email with the attachment ElimB.exe, are all symptoms of infection. The worm assumes that C:\Windows\System32 is the System32 folder and C:\Windows is the Windows folder; if this is not true, it will not work. The pathogen is 32,768 bytes in size.
&lt;h3&gt;Particularly Clever Citibank Scam&lt;/h3&gt;
&lt;p&gt;This notification comes from Mr. Aaron Bertrand, so thanks go to him. Users have reported receiving a particularly clever and advanced scam to steal users' Citibank information. Although it appears to link to Citibank servers, the scam actually goes to a subpage at easysolutions24.net. The registration information for this site leads to a Mr. Ludwig Ritz of Muenchen, Germany, and a Mr. Eduard Mehrtens of Bremen, Germany. Hopefully, the host will bring Mr. Ritz and Mr. Mehrtens' site down as soon as possible, although it may have just been hacked.&lt;/p&gt;
&lt;h3&gt;The Daily Virus Update&lt;/h3&gt;
&lt;p&gt;There is nothing new today other than the .AI variant of W32/Dumaru, which does not have the mass-mailing function of its relatives. Information on this can be found &lt;a href="http://www.sarc.com/avcenter/venc/data/w32.dumaru.ai.html"&gt;here&lt;/a&gt;. Symantec also reports the appearance of the IRC backdoor Aladinz.P, and has a write-up posted &lt;a href="http://www.sarc.com/avcenter/venc/data/backdoor.irc.aladinz.p.html"&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=4915" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/DAILY+UPDATES/default.aspx">DAILY UPDATES</category></item><item><title>The Daily Update - Sunday, April 11th, 2004</title><link>http://msmvps.com/blogs/trafton/archive/2004/04/11/4883.aspx</link><pubDate>Sun, 11 Apr 2004 14:37:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:4883</guid><dc:creator>trafton</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/trafton/rsscomments.aspx?PostID=4883</wfw:commentRss><comments>http://msmvps.com/blogs/trafton/archive/2004/04/11/4883.aspx#comments</comments><description>&lt;h3&gt;Holiday Greetings&lt;/h3&gt;
&lt;p&gt;I'd like to wish all of those who celebrate it a very happy Easter. As expected on a Sunday, especially a holiday Sunday, there has been little activity today. However, it is worth being reminded of that there is the chance of a new variant of W32/Sober tonight, as the author of said worm seems to be releasing a new variant on and off on Sundays.&lt;/p&gt;
&lt;h3&gt;“Homeless Hacker” Faces Sentencing Delay&lt;/h3&gt;&lt;em&gt;The Register&lt;/em&gt; &lt;a href="http://www.theregister.co.uk/2004/04/10/nyt_sentence_delay/"&gt;reports&lt;/a&gt; that Adrian Lamo, a 22-year-old homeless, gray-hat hacker with a penchant for press coverage, faces a delay in his sentencing. Lamo is charged with a 2002 incident in which he hacked into the web site of &lt;em&gt;The New York Times&lt;/em&gt;, exposing personal information such as social security numbers, and listing himself as an op-ed contributor in the fields of “computer hacking, national security, [and] communications intelligence.” Lamo has received a cult following for his unusual history: he is completely uneducated in any programming language, and uses only &lt;em&gt;Internet Explorer &lt;/em&gt;to rummage for personal data. Per a deal cemented last January, Lamo will serve six to twelve months under house arrest or in a halfway house.&lt;br /&gt;&lt;br /&gt;
&lt;h3&gt;Germany Ponders Tougher Spam Punishments&lt;/h3&gt;
&lt;p&gt;An &lt;a href="http://www.theregister.co.uk/2004/04/10/germany_spam_jail/"&gt;article&lt;/a&gt; from &lt;em&gt;The Register&lt;/em&gt; reports that Germany's ruling Social Democratic Party is considering tough sanctions for spammers, such as large fines or, for the worst offenders, prison sentences. Although this is a good step toward reducing the amount of spam, it is unlikely to affect the amount of junk going through the average user's inbox. Previous acts such as CAN-SPAM have similarly been lauded, but ended up with somewhat predictably disappointing outcomes.&lt;/p&gt;
&lt;h3&gt;The Daily Virus Update&lt;/h3&gt;
&lt;p&gt;Symantec has posted a description for the utterly uninteresting &lt;a href="http://www.sarc.com/avcenter/venc/data/w32.hllw.donk.m.html"&gt;W32.HLLW.Donk.M&lt;/a&gt;, which attempts to get into vulnerable systems using the standard password-guessing methods. The worm then connects to a pre-defined IRC server to await backdoor commands. Finally, the worm listens on TCP port 4444. The existence of Keymgr.exe and Cool.exe is an indication of infection. This worm appears to be identical to Sophos's &lt;a href="http://www.sophos.com/virusinfo/analyses/w32sdbothk.html"&gt;W32/Sdbot-HK&lt;/a&gt;, of which Sophos claims to have received “several” reports.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=4883" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/DAILY+UPDATES/default.aspx">DAILY UPDATES</category></item><item><title>The Daily Update - Saturday, April 10th, 2004</title><link>http://msmvps.com/blogs/trafton/archive/2004/04/10/4864.aspx</link><pubDate>Sat, 10 Apr 2004 14:30:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:4864</guid><dc:creator>trafton</dc:creator><slash:comments>353</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/trafton/rsscomments.aspx?PostID=4864</wfw:commentRss><comments>http://msmvps.com/blogs/trafton/archive/2004/04/10/4864.aspx#comments</comments><description>&lt;h3&gt;Weekly Virus List&lt;/h3&gt;
&lt;p&gt;As weekends tend to be slow in the realm of virus news, I might as well post a list of the worms which have been invading my inbox this week:&lt;/p&gt;
&lt;p&gt;1. W32.Swen-mm (45)&lt;br /&gt;2. W32.Netsky-mm (31)&lt;br /&gt;3. W32.Bagle-mm (12)&lt;br /&gt;4. W32.Klez-mm (5)&lt;br /&gt;5. W32.MyDoom (3)&lt;br /&gt;5. W32.Dumaru-mm (3)&lt;br /&gt;7. W32.BugBear-mm (2)&lt;br /&gt;7. W32.Mimail-mm (2)&lt;br /&gt;9. VBS.Redlof-m (1)&lt;br /&gt;9. W95.Padania (1)&lt;br /&gt;&lt;br /&gt;For the past month:&lt;br /&gt;&lt;br /&gt;1. W32.Netsky-mm (106)&lt;br /&gt;2. W32.Swen-mm (66)&lt;br /&gt;3. W32.Bagle-mm (41)&lt;br /&gt;4. W32.MyDoom (29)&lt;br /&gt;5. W32.Dumaru-mm (18)&lt;br /&gt;6. W32.Klez-mm (16)&lt;br /&gt;7. W32.Sobig (12)&lt;br /&gt;8. W32.BugBear-mm (8)&lt;br /&gt;9. W32.SirCam-mm (6)&lt;br /&gt;10. W32.Mimail-mm (5)&lt;br /&gt;11. W32.Yaha-mm (4)&lt;br /&gt;11. W32.Sober-mm (4)&lt;br /&gt;11. W32.Lovgate-m (4)&lt;br /&gt;11. W32.Parite (4)&lt;br /&gt;11. W32.Valla (4)&lt;br /&gt;16. JS.Kak-m (3)&lt;br /&gt;16. VBS.VBSWG-mm (3)&lt;br /&gt;18. W32.Ganda-mm (2)&lt;br /&gt;18. W32.Fizzer-mm (2)&lt;br /&gt;18. VBS.Redlof-m (2)&lt;br /&gt;21. W32.Elkern (1)&lt;br /&gt;21. W32.Nimda-mm (1)&lt;br /&gt;21. W95.Spaces (1)&lt;br /&gt;21. W32.Weird (1)&lt;br /&gt;21. W32.BadTrans-mm (1)&lt;br /&gt;21. W95.Padania (1)&lt;br /&gt;21. W95.MTX-m (1)&lt;br /&gt;21. WM.CAP (1)&lt;br /&gt;21. W97M.Ethan (1)&lt;/p&gt;
&lt;h3&gt;F-Secure's Web Log&lt;/h3&gt;F-Secure's excellent “&lt;a href="http://www.f-secure.com/weblog/"&gt;blog&lt;/a&gt;” has posted some information about the MacOS/MP3Concept.A virus, in addition to a short history of various viruses. It is a good read, and I highly recommend that everyone who is interested in it have a read.&lt;br /&gt;&lt;br /&gt;
&lt;h3&gt;The Daily Virus Update&lt;/h3&gt;New write-ups today are as follows: Trojan.Mitglieder.H (&lt;a href="http://www.sarc.com/avcenter/venc/data/trojan.mitglieder.h.html"&gt;Symantec&lt;/a&gt;); VBS.Gaggle.D-mm (&lt;a href="http://www.sarc.com/avcenter/venc/data/vbs.gaggle.d.html"&gt;Symantec&lt;/a&gt;); various W32.Agobot.worm variants (&lt;a href="http://www.sophos.com/virusinfo/analyses/w32agobotga.html"&gt;Sophos&lt;/a&gt;, &lt;a href="http://www.sarc.com/avcenter/venc/data/w32.gaobot.yn.html"&gt;Symantec&lt;/a&gt;, &lt;a href="http://www.sarc.com/avcenter/venc/data/w32.gaobot.yn.html"&gt;Symantec again&lt;/a&gt;, &lt;a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.RD"&gt;Trend Micro&lt;/a&gt;); and W32.Lovgate.S-mm (&lt;a href="http://vil.nai.com/vil/content/v_101168.htm"&gt;McAfee&lt;/a&gt;).&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=4864" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/DAILY+UPDATES/default.aspx">DAILY UPDATES</category></item><item><title>The Daily Update - Friday, April 9th, 2004</title><link>http://msmvps.com/blogs/trafton/archive/2004/04/09/4829.aspx</link><pubDate>Fri, 09 Apr 2004 14:13:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:4829</guid><dc:creator>trafton</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/trafton/rsscomments.aspx?PostID=4829</wfw:commentRss><comments>http://msmvps.com/blogs/trafton/archive/2004/04/09/4829.aspx#comments</comments><description>&lt;h3&gt;Mac OS X? Say It Ain't So!&lt;/h3&gt;
&lt;p&gt;According to an &lt;a href="http://maccentral.macworld.com/news/2004/04/08/trojan/"&gt;article&lt;/a&gt; on &lt;em&gt;&lt;a href="http://maccentral.macworld.com/"&gt;MacCentral&lt;/a&gt;&lt;/em&gt;, Macintosh security company &lt;a href="http://www.intego.com/"&gt;Intego&lt;/a&gt; has announced the discovery of the first virus to affect the Mac OS X platform. The pathogen exploits a vulnerability in the handling of MP3 ID3 tags to perform its dirty deeds, which, according to the announcement, include “the potential to delete all of a user's personal files; send an e-mail message containing a copy of itself to other users; and infect other MP3, JPG, GIF, or QuickTime files.” An announcement from Symantec read “Symantec Security Response is aware of the MP3Virus.Gen Trojan. It is a proof of concept Trojan that does affect the Mac platform[;] however[,] it is currently not present in the wild...”&lt;/p&gt;
&lt;p&gt;There are a few things wrong with this picture. Perhaps the most obvious is the term “MP3Virus.Gen Trojan.” As many of you are probably aware, a Trojan cannot by its very nature be a virus; a virus, by definition, infects, while a Trojan horse does not spread itself automatically. This sort of confusing naming is a disappointment coming from Symantec. The next questionable item is the use of “the potential,” as opposed to “the ability.” The &lt;em&gt;MacCentral&lt;/em&gt; article goes on to say that “the technique could be used to infect .jpg or .gif files, although no such cases have been found.” This leaves in question whether the virus, worm - whatever it is - actually deletes a user's files, infects anything other than MP3s, or e-mails itself, or whether these are simply possibilities for future malware. For the purposes here, it will be referred to as MacOS/MP3Concept.A, since it remains unclear whether the ability to mail itself exists or not. Unfortunately, the Mac security world is not exactly active, not having seen a significant virus incident since W32/AutoStart.worm, over five years ago. Thus, all that has been seen so far is press releases, and nothing in the way of white papers to separate the current from the theoretical. It may remain this way for a good while, in fact.&lt;/p&gt;
&lt;p&gt;To add to the problem, users have started to report what appears to be an MP3Virus.gen false positive in Intego's product, although &lt;em&gt;Security Manifest&lt;/em&gt; would like to note that newsgroup chatter is not always true and should be taken with a grain of salt. The reports tell of what seems to be an incorrect detection when Adobe's &lt;em&gt;InDesign&lt;/em&gt; program is started, specifically in a number of plug-ins. According to the USENET posts, Intego's virus scanner is detecting MP3Virus.gen in plug-ins when &lt;em&gt;InDesign&lt;/em&gt; is started. These plug-ins appear to have a filename of random numbers. More information about all of this mess will be posted when available. A response from the company read “we are aware of the potential issue identified by Intego and are working proactively to investigate it.” Of course, Apple will likely use this opportunity to remind users of its “excellent security,” a good PR tool, although quite irrelevant to the current problem.&lt;/p&gt;
&lt;h3&gt;Netsky.Q - 4, P2P Sites - Barely 1&lt;/h3&gt;
&lt;p&gt;&lt;a href="http://www.cnet.com/"&gt;&lt;em&gt;CNET News&lt;/em&gt;&lt;/a&gt;&lt;em&gt; &lt;/em&gt;is&lt;em&gt; &lt;/em&gt;&lt;a href="http://news.com.com/2100-1009_3-5187211.html"&gt;reporting&lt;/a&gt; that four of the five P2P-related sites attacked by the W32/Netsky.Q-mm worm are down for the count as of 8 AM PDT yesterday. &lt;em&gt;Security Manifest&lt;/em&gt;'s informal tests showed that their reports remain true today. The only remaining site, KaZaA's, is used to a relatively high load and appears to be operating just a bit slower, but with full functionality. eDonkey reports that since the worm only targets one of its addresses, an alternative web site remains available. eMule has moved their main site to an alternative location, while one of the two attacked “Cracks“ domains remains OK. &lt;/p&gt;
&lt;p&gt;The attack is to continue until Sunday, April 11th, 2004, although incorrectly set clocks may prolong some of the slowness of the servers for a while. These attacks are similar to W32/Sobig.F-mm's attack on anti-spam sites that prompted several of their closings and suggested that, along with its opening of spam-relaying proxies, W32/Sobig.F-mm was probably created by the spam industry. The payload became popular after the not-so-successful attack on Microsoft's Windows Update site last August by W32/Blaster.worm. Although some may find NetSky.Q's attack on P2P sites admirable or even moral, &lt;em&gt;Security Manifest &lt;/em&gt;would like to note that they are still just as illegal.&lt;/p&gt;
&lt;h3&gt;The Daily Virus Update&lt;/h3&gt;
&lt;p&gt;Other than the aforementioned Macintosh virus, the only even slightly notable worm today was yet another W32/Agobot variant. This time around we have W32/Agobot.worm.mb (listed by Trend Micro as WORM_AGOBOT.MB), which appears strikingly similar to Sophos's W32/Agobot-EI. Trend labels it as in-the-wild, and Sophos does note that it has received one infection report, but this doesn't seem to be spreading like wildfire. The Trend Micro report can be found &lt;a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.MB"&gt;here&lt;/a&gt;. Users are strongly urged to patch the vulnerabilities it uses to avoid having their computers become a cesspool.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=4829" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/DAILY+UPDATES/default.aspx">DAILY UPDATES</category></item><item><title>The Daily Update - Thursday, April 8th, 2004</title><link>http://msmvps.com/blogs/trafton/archive/2004/04/09/4823.aspx</link><pubDate>Fri, 09 Apr 2004 12:35:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:4823</guid><dc:creator>trafton</dc:creator><slash:comments>5</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/trafton/rsscomments.aspx?PostID=4823</wfw:commentRss><comments>http://msmvps.com/blogs/trafton/archive/2004/04/09/4823.aspx#comments</comments><description>&lt;p&gt;&lt;em&gt;Originally posted: Thursday, April 8th, 2004 at 3:30 PM PDT&lt;/em&gt;&lt;/p&gt;
&lt;h3&gt;Vulnerability in Internet Explorer ITS Protocol Handler&lt;/h3&gt;
&lt;p&gt;A mildly slow news day today, but CERT has commented on the new Internet Explorer vulnerability associated with the W32/BugBear.C-mm worm (see yesterday's post). Their full comments on the situation can be found &lt;a href="http://www.us-cert.gov/cas/techalerts/TA04-099A.html"&gt;&lt;font color="#000088"&gt;here&lt;/font&gt;&lt;/a&gt;. Microsoft still has not released a patch, but the attention it is getting may cause an earlier release.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;
&lt;h3&gt;Brevity is the Soul of Witty&lt;/h3&gt;
&lt;p&gt;The oft-scathing British IT 'zine &lt;i&gt;&lt;a href="http://www.theregister.co.uk/"&gt;&lt;font color="#000088"&gt;The Register&lt;/font&gt;&lt;/a&gt;&lt;/i&gt;, which now has a new-and-improved layout, reports that the recent &lt;a href="http://www.sarc.com/avcenter/venc/data/w32.witty.worm.html"&gt;&lt;font color="#000088"&gt;W32/Witty.worm&lt;/font&gt;&lt;/a&gt; is now next to extinct. The hard drive-formatting, quick-burning worm appeared in early March and was never predicted to be around for long due to its destructive nature. Although this is good news for most, it will likely serve as little consolation for the unfortunate system administrators who fell prey to the wrath of an angry Witty.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;
&lt;h3&gt;Mea Culpa&lt;/h3&gt;
&lt;p&gt;Although I had exciting information on a new piece of spyware for the Mozilla browser, which would be the first of its kind, I have unfortunately misplaced it. I will attempt to post this information as soon as I can.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;
&lt;h3&gt;The Daily Virus Update&lt;/h3&gt;
&lt;p&gt;Thankfully, there is little activity in this realm. Symantec has reported the appearance of the nasty mass-mailer/Windows file infector combination W32/Tunk.A-mm (listed by Symantec as W32.Tunk.A). The virus, which trashes critical Windows files when started May 2004 or later, is not believed to be in the Wild. It is ranked a 2 (Low-Medium) because of its damaging payload. More information can be found &lt;a href="http://www.sarc.com/avcenter/venc/data/w32.tunk.a.html"&gt;&lt;font color="#000088"&gt;here&lt;/font&gt;&lt;/a&gt;.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=4823" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/DAILY+UPDATES/default.aspx">DAILY UPDATES</category></item><item><title>The Daily Update - Wednesday, April 7th, 2004</title><link>http://msmvps.com/blogs/trafton/archive/2004/04/09/4822.aspx</link><pubDate>Fri, 09 Apr 2004 12:34:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:4822</guid><dc:creator>trafton</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/trafton/rsscomments.aspx?PostID=4822</wfw:commentRss><comments>http://msmvps.com/blogs/trafton/archive/2004/04/09/4822.aspx#comments</comments><description>&lt;p&gt;&lt;em&gt;Originally posted: Wednesday, April 7th, 2004 at 11:23 PM PDT&lt;/em&gt;&lt;/p&gt;
&lt;h3&gt;The BugBear’s Out of the Bag&lt;/h3&gt;
&lt;p&gt;&lt;a href="http://www.sarc.com/avcenter/venc/data/w32.bugbear.c@mm.html"&gt;&lt;font color="#000088"&gt;W32.BugBear.E-mm&lt;/font&gt;&lt;/a&gt;, also known widely as W32.BugBear.C-mm, has been isolated. A moderately damaging zero day worm in that it uses a thus-unpatched exploit that allows it to execute whenever email with it is read. This threat is known as the Microsoft Internet Explorer Unspecified CHM File Processing Arbitrary Code Execution Vulnerability, which does not lend itself well to an acronym.&lt;br /&gt;&lt;br /&gt;Symantec mentions 3-9 sites as being infected, but it is questionable whether it actually is spreading even that much. If it is, though, W32.BugBear.C/E-mm could potentially become a major threat. Only time will tell.&lt;/p&gt;
&lt;h3&gt;.WOah...Get Patched!&lt;/h3&gt;
&lt;p&gt;Symantec has announced the appearance of &lt;a href="http://www.sarc.com/avcenter/venc/data/w32.gaobot.wo.html"&gt;&lt;font color="#000088"&gt;W32.HLLW.Gaobot.WO&lt;/font&gt;&lt;/a&gt; (their name being W32.Gaobot.WO), which (judging by the variant lettering) would make 639 variants of the Gaobot family alone. According to Symantec, the worm has already received a “medium” in the Wild category - this is actually similar to many medium-risk mass-mailers. Whether or not this is an overestimation remains unclear, but the worm, which uses four major vulnerabilities, including the one used by Blaster, is still a disturbing reminder of the number of unpatched systems.&lt;br /&gt;&lt;br /&gt;If you are not patched already (which I sincerely hope everyone is - especially those reading this), please do so immediately. You are not only affecting your own machine, but spreading the virus to others, too. Almost every updated antivirus program can detect the more common fiends out there.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;
&lt;h3&gt;Pie in the Netsky, and a Bit of Bagle, Too&lt;/h3&gt;
&lt;p&gt;And on your right, you’ll see a set of mostly non-notable variants of everyone’s least favorite dueling worm families, NetSky and Bagle. NetSky adds .S, .T, and .U. McAfee reports that W32.NetSky.S-mm constitutes a Medium risk. Expect to see this added to your usual assortment of junk within the next few weeks. The rest probably will not see much in the way of spread.&lt;br /&gt;&lt;br /&gt;Bagle, fairly inactive for a bit, adds a single apparently intended variant to its line-up, W32.Bagle.X. Because the mass-mailing does not work, some companies are calling this Trojan.Mitglieder.F, or in the case of Kaspersky, Trojan.Mitglieder.AG.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=4822" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/trafton/archive/tags/DAILY+UPDATES/default.aspx">DAILY UPDATES</category></item></channel></rss>