Security Manifest : SECURITY

A Smattering of Sobers

trafton — Tue, 15 Nov 2005 20:52:00 GMT

It's not often we get prior warning of worms spreading. But yesterday, German officials warned that we would see a new Sober variant using the attachment names “Word Text.zip” or “registration.zip” and, sure enough, we have Sober.V. Unfortunately, on the same day, we also have Sober.S, Sober.T, and a fairly minor variant, Sober.U. Although none are spreading extremely rapidly, both have been reported in the United States, Germany, and several other countries.

An article from About.com is available here. Amusingly, as the article points out, antivirus vendor Trend Micro published a description for the worm (as WORM_SOBER.AD) before it was released - and dubbed it as in the wild! Impressive forethought, indeed.

Users should be careful with any executables or files that can contain executables (like .zips), of course. Conventional common sense is the key to avoid infection with worms like Sober. Filenames associated with these threats are reg_text.zip (Sober.S), excel_table.zip (Sober.T), tabelle.zip (Sober.T), registration.zip (Sober.V), and Word-Text.zip (Sober.V).

Trend Micro Reports MS05-053 Worm in the Wild - But is it?

trafton — Fri, 11 Nov 2005 21:54:00 GMT

Trend Micro has reported that they have found a worm in the wild that abuses the recently-discovered MS05-053 vulnerability, according to their analysis here. The vulnerability, published three days ago, was rated as critical. The discovery of a worm in the field this quickly could make for one of the fastest turn-arounds from patch publishing to discovery in the wild. But, Trend Micro says, upon further review, it's unclear whether the detection is accurate. CNET News's Joris Evers reports:

Trend Micro on Wednesday reported the discovery of a Trojan horse that it said attacked Windows users through an image rendering flaw in Windows, a day after Microsoft provided a fix for the bug. But it isn't so sure anymore.

The Trojan is referred to as "emfsploit.a" by the Tokyo-based antivirus company. Initially the antivirus software maker reported that the malicious code would crash "explorer.exe" on unpatched Windows machines. Explorer runs key parts of the Windows graphical user interface, including the Start menu, taskbar, desktop and file manager.

But late Thursday Trend Micro said its initial analysis of the Trojan might be incorrect.

"We asked another team to start the disassembly process again," said Raimund Genes, chief technologist for Trend Micro in Europe. That means researchers will reinvestigate the Trojan code to see what it does.

The full article is available here, and a brief mention at the Internet Storm Center is available here.

Daily Update -- Monday, November 7th, 2005

trafton — Mon, 07 Nov 2005 22:06:00 GMT

It's been a fairly slow week, but today we see a new Linux worm. Lupper takes advantage in a PHP vulnerability. The Register has details here, and the Internet Storm Center has technical details here.

Daily Update -- Wednesday, October 19th, 2005

trafton — Wed, 19 Oct 2005 21:10:00 GMT

Not much is in the news today, although I am happy to announce that rumours regarding the discovery of a worm using the latest Windows vulnerabilities was a false alarm. More details follow

Trend Announces Fanbot.C Error
From InformationWeek:

A security firm on Monday mistakenly identified a new Trojan as the first to exploit one of last week's vulnerabilities in Windows, but corrected itself and labeled it as one which attacks the same bug as August's Zotob bot worm.

Fanbot.c, said Trend Micro late Monday, included a proof-of-concept exploit against one of the vulnerabilities disclosed Tuesday, Oct. 11 in Microsoft's MS05-051 security bulletin. Trend also said that although the Trojan was written in Visual Basic -- which usually indicates low-level skills on the part of the attacker and often means it's a "script kiddy" copy-cat -- arming malware with yet another exploit matched earlier hacker habits.

By early Tuesday, however, Trend had modified its technical description of Fanbot.c to say that the exploit was actually one directed toward the Plug and Play bug unveiled in August's MS05-039 bulletin.

The full article about the good news can be found here.

Daily Update -- Tuesday, October 4th, 2005

trafton — Tue, 04 Oct 2005 23:57:00 GMT

Flaws Discovered in Kaspersky Antivirus
Techworld reports that Kaspersky, a Russian security program, is having security issues with its Antivirus program due to an exploit:

Kaspersky Lab has been hit by a security bug affecting a wide range of its anti-virus products. The bug isn't limited to a particular platform, and can be exploited through several common protocols to take over a protected system.

The attack is apparently related to malicious .cab files. When scabbing an infected .cab file, Kaspersky can experience a heap overflow and allow a malicious attacker to control the infected machine.

Microsoft Office Exploit Code Circulating
The same article goes on to talk about circulating code for a Microsoft Office exploit:

Separately, security vendors warned that exploit code has begun circulating publicly for an unpatched flaw in Microsoft Office that was first disclosed in April. The exploit makes it easier for attackers to take advantage of the hole, which, like the Kaspersky flaw, could allow attackers to take over a system.

Note that just because code is circulating does not mean it is associated with a known threat at this point, and this one isn't.

Zotob - Slowing Down

trafton — Thu, 18 Aug 2005 03:55:00 GMT

Good news on the Zotob front. McAfee has lowered the risk to Medium. Correspondingly, it is now considered a moderate outbreak.

Looking more at Plug N' Play worms and Zotob

trafton — Wed, 17 Aug 2005 18:45:00 GMT

If you've been following the news about Zotob, IRCBot, Bozori, and the other families of worms to attack the recent Plug-and-Play vulnerability (MS05-039), you know that another worm war has begun between the latter two worm families and Zotob, which so far is not “fighting back” with a new variant that deletes the others. F-Secure's highly recommended weblog provides this “high-tech illustration” of who's killing who:

Also a good read is vnunet.com's article, W32/IRCBot worm beats Sasser record, which talks a bit about how quickly this worm appeared after its associated vulnerability was released relative to the more widely successful (especially among home users) Sasser worm.

I received an email about this worm's ability to affect Windows XP machines, and the answer to that appears to be that Windows XP machines are not natively able to be infected, but with registry modifications (that are rare but occasionally found) it can be, although I have not been able to specifically verify this.

Zotob.E (IRCBot) Outbreak News Round-Up

trafton — Tue, 16 Aug 2005 22:44:00 GMT

Early news reports indicate that the group most affected (or at least most publicly affected) by the IRCBot is the media. Brian Krebs at The Washington Post reports:

ABC News had an extensive outage today due to infections from Zotob or one of its variants [most probably IRCBot, which is also known as Zotob.E], which knocked out computers in the network's newsrooms on the East and West coasts today, said ABC News Vice President Jeffrey Schneider. The outage lasted two hours, he said.

“This was the first time I've ever seen writers at World News Tonight banging away on electric typewriters,” Schneider said.

Also affected by the worm is international news outfit CNN:

CNN's Wolf Blitzer is reporting that a computer worm has taken out many of their computer systems in Atlanta, New York and in other bureaus around the country, showing pictures of a computer constantly rebooting after being infected by the worm. CNN spokeswoman Edie Emery said the outage affected computers across the country, but that at no time did the outage affect the company's ability to report the news. A staffer I spoke with earlier from CNN's Washington bureau said many reporters in the company's New York and Atlanta bureaus relied on other bureaus to file their stories for them.

CNN International makes a quick mention of Washington, D.C. being affected, but information is sparse.

The Post's headline, A Media Worm?, is perhaps more telling than it means: so far, little information is available about how quick spreading the worms are, and two worms - Zotob.E and Esbot, which Symantec gives a medium risk rating, are spreading simultaneously. There is some possibility that this media coverage is less related to the rate of infection and more to the rate of media infection. Certainly, reports that this worm affects Windows 2000 more than Windows XP suggest that businesses are being affected even more than home users.

More information about the Zotob.E outbreak - as well as the Esbot incident - throughout the evening.

OUTBREAK: Zotob.E (IRCBot) worm hitting unpatched systems

trafton — Tue, 16 Aug 2005 22:18:00 GMT

A new worm utilizing the MS05-039 vulnerability has became a major outbreak. More coverage upcoming.

Details
IRCBot is a fast-spreading worm affecting systems not patched for the MS05-039 vulnerability. Infected machines will reboot frequently, as well as connect to an IRC server and await further instructions

Protection
Detection of this worm, as it is an outbreak, should be released very soon, if it is not already out.

The Gist
IRCBot is an urgent outbreak and all systems should be patched that have not already been.

Links
McAfee - Write-up.

Zotob - New worm hitting unpatched machines

trafton — Mon, 15 Aug 2005 00:57:00 GMT

A new version of the extensive and successful MyDoom worm family has appeared. Fortunately, like many recent variants, this version has got off to a slow start and is unlikely to become a major threat.

Details
MyDoom.CF was discovered Tuesday, June 28th, 2005. It is a standard MyDoom family member, faking the email address it is sent from. Messages MyDoom.CF use typically make a relatively unsuceesful attempt at seeming either personal (“Is it your name listed here? It seems this is the Pentagon listing“) or official (“Your file hasn't passedour security check and thus was returned“) and are typically caught by spam filters, if they are present. MyDoom.CF is not a very damaging virus, and exists only to spread. Attachments associated with MyDoom.CF are 32,256 bites in size, although if in the .zip format, they can vary.

Protection
Detection for this worm may be covered generically under some current DAT files, as it is an unremarkable variant of a well-known worm family. Updates will likely start appearing within the next 24 hours. As this is a low-risk threat, emergency detection releases are unlikely. MS05-039 can be downloaded at windowsupdate.microsoft.com.

The Gist
MyDoom.CF, although it may spread some, is an unremarkable MyDoom variant and does not pose a significant risk at this time.

Links
F-Secure - Write-up.

July Microsoft Updates Released

trafton — Wed, 13 Jul 2005 17:58:00 GMT

Microsoft has released three critical updates, one affecting Microsoft Word 2000 and 2002 and Microsoft Works Suite, and the others affecting Windows. In addition, a Moderate security bulletin affecting the Microsoft Telnet client has been re-released. Everyone running affected software should update as soon as possible.

Links
Click Here - All Bulletins
Click Here - Vulnerability in Microsoft Word Could Allow Remote Code Execution (MS05-035)
Click Here - Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution (MS05-036)
Click Here - Vulnerability in JView Profiler Could Allow Remote Code Execution (MS05-037)
Click Here - Moderate re-release: Vulnerability in Telnet Client Could Allow Information Disclosure (MS05-033)

Microsoft Security Advisory 903144 - IE Crash Vulnerability

trafton — Sat, 02 Jul 2005 20:16:00 GMT

Microsoft reported yesterday that a bug in Internet Explorer may allow a malicious or malformed COM object (Javaprxy.dll) to terminate the program. From the notice:

Microsoft is investigating a new public report of a vulnerability affecting Internet Explorer. We have not been made aware of any attacks attempting to use the reported vulnerability or customer impact at this time, but we are aggressively investigating the public report.

At the completion of this investigation, Microsoft will take the appropriate action to help protect our customers, which may include providing additional mitigation guidance through this Security Advisory, and if appropriate, a security update through our monthly release process or an out-of-cycle security update, depending on the results of the investigation and customer needs.

To help protect your system from this issue Microsoft encourages users to exercise caution when opening links in e-mail. For more information about Safe Browsing, visit the Trustworthy Computing Web site.

We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, applying software updates and installing antivirus software. Customers can learn more about these steps at the Protect Your PC Web site.

Customers who believe they may have been affected by this issue can contact Product Support Services. You can contact Product Support Services in North America at no charge using the PC Safety line (1866-PCSAFETY). International customers can contact Product Support Services by using one of the available methods found at the Microsoft Security Help and Support for Home Users Web site.

The full notice, as well as a Frequently Asked Questions section, workarounds, and more, has been published here. It is important to note that so far, no reported incidents of this bug being made use of in a malicious way have surfaced.

MyDoom.CF - New Minor Variant

trafton — Wed, 29 Jun 2005 18:44:00 GMT

The Gist
MyDoom.CF, although it may spread some, is an unremarkable MyDoom variant and does not pose a significant risk at this time.

Links
Symantec - Write-up.

Worm Infects Washington State Tax Network

trafton — Thu, 24 Mar 2005 22:01:00 GMT

This is locally a fairly large story which I thought I'd share as a case study of how even the smallest crack in security can become a major problem on a large network. From the Tacoma News Tribune:

The FBI and the Washington State Patrol are investigating the source of an Internet worm that crippled the state Department of Revenue’s computer network this week and double-billed 1,400 businesses for tax payments.

The worm, a variant of a computer program that infected state government networks a few months ago, most likely entered the system over the weekend, according to Ralph Osgood, the Revenue Department’s deputy director.

As employees logged onto their computers Monday morning, Osgood said “it multiplied very rapidly and took the system down.”

The department, which collects state business and sales taxes, began rebooting its computers Wednesday afternoon and planned to be fully operational today.

As of Wednesday evening, department officials said they had not found any lasting damage. No confidential taxpayer information was lost or compromised. The agency issued credits to the businesses that were charged twice and planned to contact each to explain what happened.

Osgood said the worm “doesn’t appear to scramble data or retrieve data and send it different places.” The goal, he said, seemed to be “to cause chaos.”

FBI Special Agent Roberta Burroughs wouldn’t say if the bureau’s Northwest cyber crimes task force had any leads. “Just trying to figure out what happened,” she said.

The 21/2-day system shutdown made the crash among the most debilitating to strike a state government agency, according to interviews with state agency technology officers.

Worms are independent programs that replicate themselves, spreading from computer to computer on a network.

This particular worm is a variation of a program known as Rbot that has periodically infected the state network over the last few years, said Nancy Jackson, the Department of Information Services’ spokeswoman.

This last paragraph is especially worrisome - apparently the worm has been infecting the system “over the last few years.” Even though this statement is somewhat overdone, considering Rbot was discovered in September 2004, it does show how large institutions should focus on repairing holes that can allow reinfection, something which has obviously failed to be done here.

Despite Revenue Department deputy director Ralph Osgood's assertion that the worm “doesn't appear to scramble data or retrieve data and send it different places,” it should be noted that Rbot opens a backdoor on the infected system, making infection of machines handling tax returns an even more disturbing prospect.

Ad-Aware Fixed!

trafton — Sun, 20 Mar 2005 18:13:00 GMT

Good news in that last week's problem with Lavasoft's Ad-Aware adversely affecting LANs seems to have been resolved.

http://www.lavasoftsupport.com/index.php?showtopic=60859

A link to the original post can be found here:

http://msmvps.com/trafton/archive/2005/03/11/38236.aspx

Ad-Aware Signature Files May Crash LAN

trafton — Fri, 11 Mar 2005 22:53:00 GMT

CD from the McAfeeHelp.com Forums has graciously highlighted here an issue that should be considered before running Lavasoft's popular anti-spyware program Ad-Aware this week:

Please don't run AdAware (seems limited to the free version) without extreme caution this week. It's killing internet connection, running system restore isn't fixing it for all.

More information can be found at the Lavasoft Support site here. As far as I know, the company has not released information on the problem, but users may want to consider waiting before they update their definitions just in case.

The folks at Lavasoft produce Ad-Aware for free and it is among the problems that I recommend most frequently. It is an excellent program, and comes from a small company. There is no evidence that these problems are part of any continuing pattern that I can see, so I will still feel confident in recommending Ad-Aware after these problems are resolved.

Sober.L - New Sober Variant Going Around

trafton — Mon, 07 Mar 2005 21:52:00 GMT

Sober.L is mass-mailing worm that appeared this morning around 10 AM PST and is believed to be spreading rapidly in Germany, and is beginning to appear in several other countries. The worm, like previous Sober variants, spreads in both English and German email addresses, depending on the language of the installed copy of Windows.

Messages containing Sober.L typically pretend to be from an administrator in regards to the victim's password. The emails are written with poor capitalization and broken English. Hopefully, this will be a warning flag that will limit spread outside of Germany (although the German message also suffers from poor punctuation and capitalization.)

Sober.L has been declared a Medium risk at Trend Micro.

Details
Sober.L was discovered on March 8, 2005, with details first published around noon PST. It is a worm that spreads via email. It also terminates a small handful of security programs. The attachment containing Sober.L is named either MailTexte.zip (German) or acc_text.zip (English).

Protection
Updated detections for most antivirus programs should appear within the next 24 hours or so. It is unlikely emergency detection will be published, as the worm reminds a Low risk threat on all descriptions at this time. In the meantime, users should practice common sense and avoid opening suspicious emails, and, when in doubt, contact the alleged recipient to see if they really sent them.

Infected users should wait for detection files and/or more detailed information and removal information to be published before attempting to remove the worm. Until then, infected users should avoid connecting to the Internet or any open network.

Links
McAfeeHelp Forums - Excellent resource for latest information and updates.
Secunia - Compiles latest descriptions and links.
Trend Micro - Detailed write-up with good removal instructions.
Symantec - Detailed write-up with limited removal instructions.

Crog aka Fatso - MSN Messenger Outbreak

trafton — Mon, 07 Mar 2005 21:38:00 GMT

Crog (also known by several other names, such as Sumom, Serflog, and Fatso - the last name which is likely to become the media name) is an MSN Messenger worm that appeared today and is spreading quickly, earning Medium risk from some antivirus companies. The worm sends itself to victims via MSN Messenger from the infected computer. File names are likely to end in a .pif extension, but there is a 1-in-12 chance that the extension will instead be .scr. Most of the file names infer a photograph, either humorous or pornographic in nature.

Crog has been declared a Medium Risk threat at Sophos, Trend Micro, and Secunia.

Details
Crog was discovered on March 7, 2005, with details first published shortly after midnight GMT. It is a worm that spreads via MSN Messenger and the eMule P2P network. Additionally, machines infected with Crog will have their security settings adjusted to lower levels. Access to security related web sites is blocked on Crog-infected computers, and a range of security programs also is disabled by the worm. The worm also intercepts CD writes and adds itself to them - this is an uncommon feature in worms.

Protection
Updated detections for most antivirus programs should appear within the next 24 hours or so. It is unlikely emergency detection will be published, as the worm reminds a Low risk threat on all descriptions at this time. In the meantime, MSN Messenger users should exercise common sense and not open any executable file format that is sent to them randomly, including .pif and .scr, which this worm uses.

Links
McAfeeHelp Forums - Excellent resource for latest information and updates.
Secunia - Compiles latest descriptions and links. Refers to worm as “Fatso.“
Trend Micro - Excellent, highly detailed write-up with pictures. Refers to worm as “Fatso.”
Symantec - Fairly detailed write-up without some additional details. Uncluttered. Refers to worm as “Serflog.”
Panda - Fairly detailed write-up. Excellent removal instructions. Refers to worm as “Fatso.“
F-Secure - Fairly detailed write-up. No removal instructions. Refers to worm as “Sumom.“
McAfee - Fairly detailed write-up. No removal instructions.
Sophos - Fairly detailed write-up. No removal instructions. Refers to worm as “Sumom.”

Kelvir.B Worm - Developing Minor MSN Messenger Outbreak

trafton — Sun, 06 Mar 2005 23:49:00 GMT

Kelvir.B (Kelvir.A at Symantec) is an MSN Messenger worm that appeared yesterday, has now been characterized by Symantec as spreading in the field. The worm arrives as a link to the file cute.pif on a web site on the home.att.net domain. It also downloads a variant of W32/SDBot, a backdoor and open share worm, as patch.exe from a web site on the home.comcast.net domain.

Details
Kelvir.B was discovered on March 6, 2005, with details first published shortly after midnight GMT. So far, details are limited, other than that at this time it appears that the targeted web sites are still up (I am unable to verify this as no description that includes the URL uncensored has yet been published).

So far it is unknown how quickly Kelvir.B is spreading, but Symantec's characterization of the worm as Medium on their Wild scale and their publishing of a temporary description while they were investigating the threat suggests that it may be spreading somewhat quickly in the MSN Messenger community.

The format for messages is “omg this is funny! (Link to worm)“.

Protection
Updated detections for most antivirus programs should appear within the next 24 hours or so. It is unlikely emergency detection will be published, as the worm reminds a Low risk threat on all descriptions at this time. In the meantime, MSN Messenger users should exercise common sense and not open any executable file format that is sent to them randomly, including .pif, which this worm uses.

Links
Secunia - Compiles latest descriptions and links.
Sophos - Basic description with some details. No removal instructions. “More detailed information to follow shortly.“
McAfee - Basic description with some details. No removal instructions.
Symantec - Very basic description with no details. No removal instructions. “More information [will be posted] as it becomes available.” Refers to worm as “Kelvir.A.”

Worms and Instant Messaging

trafton — Sun, 06 Mar 2005 23:32:00 GMT

It has been nearly four years since the first worm to spread via an instant messaging program, the Hello worm, appeared on the AOL Instant Messenger network. At that time, IM program worms were more of a curiosity. Despite a significant number of doomsday predictions from the media, few of these worms actually ended up becoming common. Those that made it in the field were typically quick burners, dropping off the radar in a few days when most worms last weeks. However, recent worms have proven that IM programs are a significant potential distribution area for new worms.

Instant Messengers vs. Email
One thing to consider when assessing the risk of instant messaging worms is that the target audience is different from that of email worms. Users of instant messaging programs are typically younger and much less likely to be corporate users. As IMing is generally more fast-paced than emails, it is also more likely that users will accept files without much discretion. However, it is also easier to ask about a suspicious file via instant messenger than it is in email.

With only a small range of major instant messengers out there, there is opportunity to solve many of the problems that have plagued email as an open standard. Together, AOL Instant Messenger, MSN Messenger, Yahoo Messenger, and ICQ make up the lion's share of the US IM market, with similar programs popular throughout the world (Asia is the home to many alternative IM programs). Three companies thus control almost all of the IM market (AIM and ICQ are both owned by AOL). These companies can, and have, enforced security standards and provided warnings. However, it has been demonstrated that, despite warnings, users will gladly accept files if they do not understand what they are. Education is a major problem on the IM front.

Case study
On the morning of March 6, 2005, I received a report of a small outbreak of an undocumented AOL Instant Messenger worm among roughly a dozen users belonging to a group interested in climatology and Internet broadcasting from one of the infected users, who resides in Ohio. The worm (which I will refer to Ostow here for the sake of simplicity) appeared to randomly set away mode. In the away message was a link to a .pif file on a remote Internet server (at this time, the file remains up) and a promise that the file contained “beach photos.”

The user explained that he had opened the file, assuming that the .pif extension stood for “something like Picture Image Format.” Since the file was offsite, not send via AOL Instant Messenger, there was no notification that the file opened could be damaging other than the download notification in Internet Explorer. He opened the file and became infected with Ostow; subsequently, a number of other members of the community clicked on his away message and became infected. None realized that anything was wrong until the Ohioan user observed that his status was changing to away randomly.

Eventually, HijackThis was installed on an infected machine in Louisiana and a suspicious file masquerading as the BitDefender antivirus program was discovered to contain what was detected as a “variant W32/Spybot“ and a dropper from the web site, detected as a “variant W32/SDBot.“ Despite several hits on Google that mentioned the AIM away message, it appeared that all detections were generic and Ostow was not recognized specifically by antivirus programs (neither W32/Spybot nor W32/SDBot are described as AOL Instant Messenger worms). Manual removal instructions were created and followed by all infected users, and no infections have been since reported.

This case is not exceptional other than that it shows the confusion that can result from unknown worms spreading via AOL Instant Messenger. Without assistance from knowledgeable users, the average person infected by a worm like Ostow could do nothing to fix their problem and likely would ignore the problem, allowing the worm to spread further. It also shows how a worm can spread among members with linked AOL Instant Messenger relations.

Conclusion
With an increasing number of IM worms, and the recent medium risk rating received by Bropia.P, increasing attention is being, deservedly, given to this growing threat area. With detection often here-and-there, and users who are less tech-savvy and less likely to submit discovered worms to antivirus companies, IM worms may soon become a top-tier vector for new threats in the upcoming months.