Security Manifest : FOLLOW-UPS

Daily Update -- Thursday, October 6th, 2005

trafton — Fri, 07 Oct 2005 02:04:00 GMT

A quick daily update today. Symantec has now named Sober.Q (aka .R) to be a low-medium (2) risk, although McAfee maintains it at Medium. It looks like this one is not going to be a huge outbreak. More coverage of Sober.R should be available tomorrow as we start to see reports on spread rates coming in. Symantec's write-up of Sober.R, which they call Sober.Q, can be found here.

Also in news today, a small percentage of the Internet was taken down today. This was not security-related as many feared, but instead due to a contract dispute between two major service providers. Full details can be found here.

Zotob Authors Nabbed

trafton — Fri, 26 Aug 2005 23:35:00 GMT

The good news about the Zotob outbreak is that we're unlikely to see future versions after two men - one in Morroco and one in Turkey - were arrested Thursday.

From The Washington Post's article:

The FBI and Microsoft Corp. collaborated with law enforcement officials in Turkey and Morocco to secure the arrest on Thursday of two men thought to be responsible for creating computer worms that infected hundreds of thousands of computers worldwide this year.

Police in Morocco arrested Farid Essebar, 18, a Moroccan national born in Russia who used the online moniker "Diabl0." Authorities in Turkey arrested 21-year-old Atilla Ekici, known by the online alias "Coder."

Essebar and Ekici are suspected of releasing the "Zotob" and "Mytob" computer worms that were designed to take advantage of flaws in Microsoft's widely used Windows operating system. Both of the suspects' nicknames can be found in the original computer programming code for Zotob, according to the FBI and Microsoft.

In addition to Mytob and Zotob, vnunet.com reports that the pair are responsible for the Rbot worm family, too.

Here's to hoping for a fair trial and harsh punishment. The computer laws of Turkey and Morroco may both be put to test by this case.

Retrospective Zotob Articles

trafton — Thu, 25 Aug 2005 17:20:00 GMT

Here are a collection of recent articles on the Zotob worm, which is at this point no longer spreading very quickly:

Some XP machines vulnerable to Zotob worm (TechWorld) - A full news article about the (rare) registry modifications that can result in Windows XP being vulnerable to the Zotob worm. Not a new threat.

Zotob epidemic past its peak (SmoothWall.net) - A good summary of events, with links.

From Melissa to Zotob: 10 Years of Windows Worms (eWeek) - Although “From Melissa to Sasser: 6 Years of Windows Worms” would actually be a more exact title for this article, this is a decent, albeit compacted, summary of significant computer worms of the modern Internet age.

We can now officially say that the Zotob worm outbreak is, for all intents and purposes, over.

F-Secure looks at new threats we're dealing with at their Weblog, in an article entitled “More pnp related malware.”

Zotob - Slowing Down

trafton — Thu, 18 Aug 2005 03:55:00 GMT

Good news on the Zotob front. McAfee has lowered the risk to Medium. Correspondingly, it is now considered a moderate outbreak.

Looking more at Plug N' Play worms and Zotob

trafton — Wed, 17 Aug 2005 18:45:00 GMT

If you've been following the news about Zotob, IRCBot, Bozori, and the other families of worms to attack the recent Plug-and-Play vulnerability (MS05-039), you know that another worm war has begun between the latter two worm families and Zotob, which so far is not “fighting back” with a new variant that deletes the others. F-Secure's highly recommended weblog provides this “high-tech illustration” of who's killing who:

Also a good read is vnunet.com's article, W32/IRCBot worm beats Sasser record, which talks a bit about how quickly this worm appeared after its associated vulnerability was released relative to the more widely successful (especially among home users) Sasser worm.

I received an email about this worm's ability to affect Windows XP machines, and the answer to that appears to be that Windows XP machines are not natively able to be infected, but with registry modifications (that are rare but occasionally found) it can be, although I have not been able to specifically verify this.

Zotob.E (IRCBot) Outbreak News Round-Up

trafton — Tue, 16 Aug 2005 22:44:00 GMT

Early news reports indicate that the group most affected (or at least most publicly affected) by the IRCBot is the media. Brian Krebs at The Washington Post reports:

ABC News had an extensive outage today due to infections from Zotob or one of its variants [most probably IRCBot, which is also known as Zotob.E], which knocked out computers in the network's newsrooms on the East and West coasts today, said ABC News Vice President Jeffrey Schneider. The outage lasted two hours, he said.

“This was the first time I've ever seen writers at World News Tonight banging away on electric typewriters,” Schneider said.

Also affected by the worm is international news outfit CNN:

CNN's Wolf Blitzer is reporting that a computer worm has taken out many of their computer systems in Atlanta, New York and in other bureaus around the country, showing pictures of a computer constantly rebooting after being infected by the worm. CNN spokeswoman Edie Emery said the outage affected computers across the country, but that at no time did the outage affect the company's ability to report the news. A staffer I spoke with earlier from CNN's Washington bureau said many reporters in the company's New York and Atlanta bureaus relied on other bureaus to file their stories for them.

CNN International makes a quick mention of Washington, D.C. being affected, but information is sparse.

The Post's headline, A Media Worm?, is perhaps more telling than it means: so far, little information is available about how quick spreading the worms are, and two worms - Zotob.E and Esbot, which Symantec gives a medium risk rating, are spreading simultaneously. There is some possibility that this media coverage is less related to the rate of infection and more to the rate of media infection. Certainly, reports that this worm affects Windows 2000 more than Windows XP suggest that businesses are being affected even more than home users.

More information about the Zotob.E outbreak - as well as the Esbot incident - throughout the evening.

Ad-Aware Fixed!

trafton — Sun, 20 Mar 2005 18:13:00 GMT

Good news in that last week's problem with Lavasoft's Ad-Aware adversely affecting LANs seems to have been resolved.

http://www.lavasoftsupport.com/index.php?showtopic=60859

A link to the original post can be found here:

http://msmvps.com/trafton/archive/2005/03/11/38236.aspx

Anti-Santy: Near Death?

trafton — Sun, 02 Jan 2005 09:39:00 GMT

Before I head off to bed, I just want to give a very quick update on the “Anti-Santy” worm I have discussed previously in a post, as well as a follow-up. We now have a name to this worm - Asan - and information that its spread seems to be slowing from already limited levels. The good folks at F-Secure have more information in this weblog entry.

In addition, F-Secure reports Spyski.D, a new variant of the Spyski family (McAfee posts generic information for earlier versions here), which scans for 50 common phpBB vulnerabilities and coding mistakes to infect systems. There is little word on how much this worm, referred to as Spyki.D by F-Secure, is spreading, but I'd bet that checking for 50 phpBB vulnerabilities is going to put a lot of strain on already overloaded servers.

Of course, anyone who has not already upgraded should do so at the phpBB web site. And if you think that your install might have sloppy security, unless it is critical to keep PHP functions up, it might be worth going offline and patching up the holes - being infected is a lot worse. Then again, if it is critical, it would probably be wise to take a long, hard look at why those holes are there in the first place.

Remember, just not being on search engines isn't good enough. It isn't just worms that can use these vulnerabilities.

Follow-Up: Anti-Santy Worm

trafton — Sun, 02 Jan 2005 01:07:00 GMT

I'd like to give you all a quick-update on the phpBB worm that targets the vulnerability used by Santy and patches it I reported yesterday. Although it still lacks a name, and little is actually known about it, the media is beginning to report on it. From ZDNet (underlining for emphasis on new details mine):

F-Secure said on Friday that it was aware of seven sites that had been defaced by the worm, which appears designed to combat the Santy worm. The anti-Santy worm searches Google for sites that use the PHP Bulletin Board (phpBB) software exploited by the earlier worm, infects the sites and attempts to make the sites more secure by installing a patch.

Mikko Hyppönen, director of antivirus research at F-Secure, said that although the worm may seem beneficial, in fact it is likely to cause problems for administrators who will have to handle the increase in traffic.

"I can't comment how effective it is in fixing the sites," said Hyppönen. "If a site is infected, the worm causes a huge amount of traffic and slows down the site. I don't think it's possible to write a beneficial worm."

Sites that have been attacked by the anti-Santy worm are defaced with the words: "viewtopic.php secured by Anti-Santy-Worm V4. Your site is a bit safer, but upgrade to >= 2.0.11."

Hyppönen said he has seen two versions of the defacement page, which lead to two different IP addresses. Both IP addresses resolve to Argentina, which suggest that that is where the anti-Santy worm originated.

The Santy worm wreaked havoc in the weeks before Christmas, spreading to more than 40,000 Web sites by Dec. 21. On Dec. 22, Google started blocking queries that were generated by the worm, to stop the worm from replicating. But a few days later it was discovered that it was using America Online and Yahoo's search engines and was still targeting Google.

It is hard to estimate how quickly Anti-Santy is spreading, as the message that the worm drops is much more hidden. However, if F-Secure is only aware of seven sites, this worm likely is a small-scale threat.

To Google's credit, it is doing a good job of protecting against this worm. I was surprised to find this on page two of my search when using a string to search for infected sites. They may want to adjust this before pranksters take the opportunity to fool unsuspecting non-techies into thinking Google is telling them for certain that they are infected.

More on this when and if it is available.

Bagle.AZ 24 Hours Later

trafton — Thu, 30 Sep 2004 01:05:00 GMT

Waters Apparently Calming

Ever since MessageLabs stopped updating its statistics frequently, it has become harder to judge how fast mass-mailing email-borne viruses spread. However, I am happy to report that 24 hours after it first appeared, it seems that Bagle.AZ is not a significantly high-spreading Medium risk worm.

Although there is currently a consensus over the risk in the lower part of the Medium range, many vendors do not even consider this a Medium risk. The current reports are:

F-Secure: Medium
Network Associates: Medium
Panda Software: Medium
Sophos: Low-Medium
Symantec: Low-Medium
Trend Micro: Low

(Note that Panda uses a slightly different scale than other vendors listed here, so their site lists as “High” what is really “Medium.”)

Also, Symantec uses the name “Beagle“ instead of “Bagle.“

Despite the lower-than-initially-reported risk, it is important to remain vigilant for this version and subsequent variants. This shows that the Bagle family creator is still out there, still making new variants, and most notably still attempting to make those variants widespread.

Spread of Mydoom.M Slows

trafton — Sun, 01 Aug 2004 02:13:00 GMT

Follow-Up: Most High Ratings Downgraded to Medium

Despite interesting new techniques, such as using a search engine to find additional email addresses, it appears that the recent Mydoom variant (which goes by many different names, but for practical uses will here be called “Mydoom.M”) has lowered enough that various vendors have downgraded the worm.

Downgrades include Network Associates, which went from Medium-On-Watch to Medium; Symantec, which went from 4 (High) to 3 (Medium); and Panda Software, which went from 4 (Severe) to 3 (High). Other vendors, such as Trend Micro and F-Secure, that never went to High are remaining at Medium, signifying that the worm is still spreading some.

The worm, which debuted Monday afternoon in the United States, spread significantly, and its use of search engines eventually crashed several for a few hours, including the popular Google search engine. The interruption was resolved, but left the site down for some up to five hours.

Spread of New MyDoom Quite High; Google Hit

trafton — Tue, 27 Jul 2004 00:19:00 GMT

Follow-Up: Popular Search Engine Rendered 503 Error

A viewer of Portland, Ore. television station KATU was among the affected users and submitted this image. Courtesy KATU.com.

As reports of the latest MyDoom variant stream in, we're beginning to see the effects of its use of search engines to find email addresses. Specifically, google.com was temporary down, rendering a 503 error. Google has released a statement:

"The Google search engine experienced slowness for a short period of time early today because of the MyDoom virus, which flooded major search engines with automated searches. A small percentage of our users and networks that have the MyDoom virus have been affected for a longer period of time. At no point was the Google website significantly impaired, and service for all users and networks is expected to be restored shortly.”

Their server is made to withstand many searches, showing that this pandemic is quite significant.

Bagle.AI Spread More than First Estimated

trafton — Tue, 20 Jul 2004 02:32:00 GMT

Follow-Up: Panda Goes to High Risk; Most Remain Medium

Users are reporting higher spread of the latest Bagle variant, Bagle.AI, than originally it was estimated the worm was achieving. This is mainly heresay, but some web sites such as VirusTotal would back this statement up. While a high risk consensus is unlikely at this point, users should still keep an eye out for this variant, which appears to be spreading faster than Bagle.AG.

"Wallon" Correction and Additions

trafton — Tue, 11 May 2004 17:02:00 GMT

Follow-Up: Wallon Does NOT Spread Via LSASS Vulnerability

I had some information passed on earlier that W32/Wallon.worm spreads via the LSASS vulnerability. It does NOT. It does, however, use a number of Outlook Express exploits.

My opinion on W32/Wallon.worm is that several factors will contribute to a quick demise:

It relies heavily upon a single web site to facilitate its spread.
It is, by nature, a predictable mass-mailer.
It simply isn't a very advanced worm.
It does not install itself on infected machines.

The bad news is that as I write this Secunia has upgraded the risk to Medium and the web site with the worm is still up.

Secunia Site
http://secunia.com/virus_information/9320/wallon.a/

McAfee Write-Up (thanks to Sgt. Matthew Mitlyng):
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125096

A note as to the naming: This worm is not being called W32/Wallon.A-mm, but instead W32/Wallon.worm, because it is not a true mass-mailer in that it links to an external site.

Removed Outbreak Warning for Sasser.B

trafton — Sat, 08 May 2004 16:10:00 GMT

Follow-Up: Five Days Since Initial Outbreak, Downgrade Appropriate

I have just removed the outbreak warning for W32/Sassser.worm.B. Although Secunia still rates it as a High risk, at five days old, it is unlikely that it is any longer an outbreak as much as a very widespread worm. Speaking of Secunia, I have also added it to the Recommended Links area, which now can be scene in place of the Sasser.B outbreak warning.

Netsky.AC May Be Widespread

trafton — Sun, 02 May 2004 21:47:00 GMT

Follow-Up: Most Rate Low Risk; Sophos Rates High

W32/Netsky.AC-mm, the latest variant, is currently ranked low by most companies, except Sophos. They say they have received “many” infection reports, which is equivilant to a high risk from them. Monday will be a very interesting day, with four worms (W32/Sasser.worm, W32/Sasser.worm.b, W32/Sasser.worm.c, and W32/Netsky.AC-mm) up in the air as to how they will affect the corporate world. Of course, I'll keep an eye on all of this to see how it develops.

Sophos - W32/Netsky-AC
http://www.sophos.com/virusinfo/analyses/w32netskyac.html

Outbreak Warning Declared For Sasser.B

trafton — Sun, 02 May 2004 16:56:00 GMT

BREAKING NEWS: Added Outbreak Warning for Sasser.B

I have added an outbreak warning for W32/Sasser.worm.b. This reflects Symantec's upgrade to High a few minutes ago.

Symantec Goes High on Sasser.B

trafton — Sun, 02 May 2004 16:39:00 GMT

BREAKING NEWS: Symantec Upgrades Sasser.B to HIGH (4)

Symantec has just upgraded Sasser.B to a HIGH risk (4). This is due to increased spread. The worm, which appeared yesterday, has now achieved higher spread than the original, according to Symantec.

http://www.sarc.com/avcenter/venc/data/w32.sasser.b.worm.html

Sasser A/B Removal Tools Available

trafton — Sun, 02 May 2004 14:05:00 GMT

Follow-Up: Microsoft, McAfee, Symantec, F-Secure, and Trend Pitch In

This is from Harry Waldron's excellent blog, which I highly recommend. It can be found here.

===EDITED===
The full post from Harry's blog can now be found here:
http://forums.mcafeehelp.com/viewtopic.php?t=26143
===EDITED===

Sasser.B Goes Medium

trafton — Sun, 02 May 2004 13:18:00 GMT

BREAKING NEWS: Sasser.B Spreading Quickly

Most companies are now calling W32/Sasser.worm.b Medium risk. This reflects increased spread. The worm, which debuted yesterday, is not all that different from the original. The main indication of difference is the prescence of a “2“ at the end of the file name before the .exe.

Descriptions
F-Secure (Low): http://www.f-secure.com/v-descs/sasser_b.shtml
McAfee (Medium): http://vil.nai.com/vil/content/v_125008.htm
Symantec (Medium): http://www.sarc.com/avcenter/venc/data/w32.sasser.b.worm.html
Trend Micro (Low): http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.B