Security Manifest : VIRUSES

A Smattering of Sobers

trafton — Tue, 15 Nov 2005 20:52:00 GMT

It's not often we get prior warning of worms spreading. But yesterday, German officials warned that we would see a new Sober variant using the attachment names “Word Text.zip” or “registration.zip” and, sure enough, we have Sober.V. Unfortunately, on the same day, we also have Sober.S, Sober.T, and a fairly minor variant, Sober.U. Although none are spreading extremely rapidly, both have been reported in the United States, Germany, and several other countries.

An article from About.com is available here. Amusingly, as the article points out, antivirus vendor Trend Micro published a description for the worm (as WORM_SOBER.AD) before it was released - and dubbed it as in the wild! Impressive forethought, indeed.

Users should be careful with any executables or files that can contain executables (like .zips), of course. Conventional common sense is the key to avoid infection with worms like Sober. Filenames associated with these threats are reg_text.zip (Sober.S), excel_table.zip (Sober.T), tabelle.zip (Sober.T), registration.zip (Sober.V), and Word-Text.zip (Sober.V).

Daily Update -- Monday, November 7th, 2005

trafton — Mon, 07 Nov 2005 22:06:00 GMT

It's been a fairly slow week, but today we see a new Linux worm. Lupper takes advantage in a PHP vulnerability. The Register has details here, and the Internet Storm Center has technical details here.

Daily Update -- Tuesday, November 1st, 2005

trafton — Tue, 01 Nov 2005 22:59:00 GMT

Two new viruses worth mentioning today - one a mass-mailer spreading, one an interesting conceptual specimen.

Bagle-Based “Lodear“ Appears
A new worm family, Lodear, has appeared. The first variant seems to be spreading some in the wild. Information can be found here. Some antivirus companies consider this a variant of Bagle itself, and the family may be merged with the Bagle name. Lodear is similar to past Bagle variants. The primaray symptom of infection is a file called hloader_exe.exe in the Sytem folder.

First KiXTart Virus Appears
A virus infecting .KIX (KiXTart Script File) files has appeared. This is unlikely to effect most people, but it is the first example of such a virus. Information is here. KiXTart is a batch processing script that runs at logon on some Windows computers. For more information on KiXTart, see here.

Daily Update -- Wednesday, October 19th, 2005

trafton — Wed, 19 Oct 2005 21:10:00 GMT

Not much is in the news today, although I am happy to announce that rumours regarding the discovery of a worm using the latest Windows vulnerabilities was a false alarm. More details follow

Trend Announces Fanbot.C Error
From InformationWeek:

A security firm on Monday mistakenly identified a new Trojan as the first to exploit one of last week's vulnerabilities in Windows, but corrected itself and labeled it as one which attacks the same bug as August's Zotob bot worm.

Fanbot.c, said Trend Micro late Monday, included a proof-of-concept exploit against one of the vulnerabilities disclosed Tuesday, Oct. 11 in Microsoft's MS05-051 security bulletin. Trend also said that although the Trojan was written in Visual Basic -- which usually indicates low-level skills on the part of the attacker and often means it's a "script kiddy" copy-cat -- arming malware with yet another exploit matched earlier hacker habits.

By early Tuesday, however, Trend had modified its technical description of Fanbot.c to say that the exploit was actually one directed toward the Plug and Play bug unveiled in August's MS05-039 bulletin.

The full article about the good news can be found here.

Daily Update -- Tuesday, October 18th, 2005

trafton — Tue, 18 Oct 2005 22:09:00 GMT

The Daily Update returns after a small hiatus for testing week...

October 2005 Security Release
Three critical updates, five important updates, and one moderate update have been released to address issues in Windows. You can view the bulletin here. And make sure to update!

Mytob Over 300 Variants
Mytob.LE has been released, making it the 317th variant of the prolific Mytob family. The latest variant offers more of the same, with new passwords and emails.

Daily Update -- Thursday, October 6th, 2005

trafton — Fri, 07 Oct 2005 02:04:00 GMT

A quick daily update today. Symantec has now named Sober.Q (aka .R) to be a low-medium (2) risk, although McAfee maintains it at Medium. It looks like this one is not going to be a huge outbreak. More coverage of Sober.R should be available tomorrow as we start to see reports on spread rates coming in. Symantec's write-up of Sober.R, which they call Sober.Q, can be found here.

Also in news today, a small percentage of the Internet was taken down today. This was not security-related as many feared, but instead due to a contract dispute between two major service providers. Full details can be found here.

Sober.R - Developing Outbreak

trafton — Thu, 06 Oct 2005 01:27:00 GMT

A new worm, Sober.R, is spreading moderately in the field. More details about this when they are available, and can be found here in the meantime: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=136390

Daily Update -- Monday, October 3rd, 2005

trafton — Mon, 03 Oct 2005 21:37:00 GMT

Yes, Daily Updates are back. And permanently this time!

Good News, Bad News: Virus Attacks Down, but Attacks More Sophisticated
As anyone who follows viruses knows, this has been a rather quiet year for viruses of all types, especially mass-mailers. This is part in thanks to better technology and enforcement, and part in thanks to luck. In any case, though, ZDNet is reporting that antivirus firm Sophos and email security company BlackSpider Technologies both have reported a significant downturn in the quantity of viruses coming in. This is hardly a surprise, especially when you consider that after nineteen months, the top worm still is Netsky.P, which celebrated its eighteen month birthday last month. Worms rarely last longer than a few months on top. A notable exception being Klez.H's two-year reign on the charts starting in early 2002, but unlike Klez, Netsky remains on the top primarily because it lacks any competition for the spot.

Although mass-mailers have downturned over the last few months, an even more damaging threat, especially on the corporate level, looms:

"Smaller, targeted attacks are on the increase, with the emergence of a new breed of financially-motivated online criminal. The concern is that if users continue to combine unsafe computing practices with outdated threat protection, they'll be a soft target for this new form of attack," Theriault warned.

I tend to believe there is little, if any, correlation between the two. Targeted attacks, especially of a financial nature, have been developing for a while, and even made national news when it was suggested that the Sobig.F worm was linked to organised crime. The news about the reduced number of mass-mailer hits is promising, but not necessarily a trend that will last very long. We can only keep our fingers crossed and our software secure.

Bagle Naming Convention Split
Apparently, a number of antivirus companies have determined that recent variants of the prolific and previously successful Bagle worm family are not Bagle-y enough. Computer Associates named a recent Bagle variant Wreckage.A, while Trend Micro has donned a new Yabe family of worms for two recent Bagle variants. These splits have not been uncommon throughout Bagle's naming, and it is possible that the names will be reconciled if a breakout occurs. However, should a major version of the “Wreckage” or “Yabe” worm families be reported in the news, it is fairly safe to assume that they are Bagle versions.

Cool Link of the Day
The University of Virginia provides a Security Tip of the Day on their web site here. The messages are meant for University of Virginia students, and it's not exactly a Tip of the Day (unless refreshing the page somehow has an effect on the space-time continuum, in which case I do not recommend that anyone above 30 use this web site), but it's certainly interesting. The tips are pretty basic, but even the best of us need reminders sometimes. And so do all of your friends and family members who think that “.pif“ stands for “picture information file.“

That's all for today.

Zotob Authors Nabbed

trafton — Fri, 26 Aug 2005 23:35:00 GMT

The good news about the Zotob outbreak is that we're unlikely to see future versions after two men - one in Morroco and one in Turkey - were arrested Thursday.

From The Washington Post's article:

The FBI and Microsoft Corp. collaborated with law enforcement officials in Turkey and Morocco to secure the arrest on Thursday of two men thought to be responsible for creating computer worms that infected hundreds of thousands of computers worldwide this year.

Police in Morocco arrested Farid Essebar, 18, a Moroccan national born in Russia who used the online moniker "Diabl0." Authorities in Turkey arrested 21-year-old Atilla Ekici, known by the online alias "Coder."

Essebar and Ekici are suspected of releasing the "Zotob" and "Mytob" computer worms that were designed to take advantage of flaws in Microsoft's widely used Windows operating system. Both of the suspects' nicknames can be found in the original computer programming code for Zotob, according to the FBI and Microsoft.

In addition to Mytob and Zotob, vnunet.com reports that the pair are responsible for the Rbot worm family, too.

Here's to hoping for a fair trial and harsh punishment. The computer laws of Turkey and Morroco may both be put to test by this case.

Retrospective Zotob Articles

trafton — Thu, 25 Aug 2005 17:20:00 GMT

Here are a collection of recent articles on the Zotob worm, which is at this point no longer spreading very quickly:

Some XP machines vulnerable to Zotob worm (TechWorld) - A full news article about the (rare) registry modifications that can result in Windows XP being vulnerable to the Zotob worm. Not a new threat.

Zotob epidemic past its peak (SmoothWall.net) - A good summary of events, with links.

From Melissa to Zotob: 10 Years of Windows Worms (eWeek) - Although “From Melissa to Sasser: 6 Years of Windows Worms” would actually be a more exact title for this article, this is a decent, albeit compacted, summary of significant computer worms of the modern Internet age.

We can now officially say that the Zotob worm outbreak is, for all intents and purposes, over.

F-Secure looks at new threats we're dealing with at their Weblog, in an article entitled “More pnp related malware.”

Zotob - Slowing Down

trafton — Thu, 18 Aug 2005 03:55:00 GMT

Good news on the Zotob front. McAfee has lowered the risk to Medium. Correspondingly, it is now considered a moderate outbreak.

Looking more at Plug N' Play worms and Zotob

trafton — Wed, 17 Aug 2005 18:45:00 GMT

If you've been following the news about Zotob, IRCBot, Bozori, and the other families of worms to attack the recent Plug-and-Play vulnerability (MS05-039), you know that another worm war has begun between the latter two worm families and Zotob, which so far is not “fighting back” with a new variant that deletes the others. F-Secure's highly recommended weblog provides this “high-tech illustration” of who's killing who:

Also a good read is vnunet.com's article, W32/IRCBot worm beats Sasser record, which talks a bit about how quickly this worm appeared after its associated vulnerability was released relative to the more widely successful (especially among home users) Sasser worm.

I received an email about this worm's ability to affect Windows XP machines, and the answer to that appears to be that Windows XP machines are not natively able to be infected, but with registry modifications (that are rare but occasionally found) it can be, although I have not been able to specifically verify this.

Zotob.E (IRCBot) Outbreak News Round-Up

trafton — Tue, 16 Aug 2005 22:44:00 GMT

Early news reports indicate that the group most affected (or at least most publicly affected) by the IRCBot is the media. Brian Krebs at The Washington Post reports:

ABC News had an extensive outage today due to infections from Zotob or one of its variants [most probably IRCBot, which is also known as Zotob.E], which knocked out computers in the network's newsrooms on the East and West coasts today, said ABC News Vice President Jeffrey Schneider. The outage lasted two hours, he said.

“This was the first time I've ever seen writers at World News Tonight banging away on electric typewriters,” Schneider said.

Also affected by the worm is international news outfit CNN:

CNN's Wolf Blitzer is reporting that a computer worm has taken out many of their computer systems in Atlanta, New York and in other bureaus around the country, showing pictures of a computer constantly rebooting after being infected by the worm. CNN spokeswoman Edie Emery said the outage affected computers across the country, but that at no time did the outage affect the company's ability to report the news. A staffer I spoke with earlier from CNN's Washington bureau said many reporters in the company's New York and Atlanta bureaus relied on other bureaus to file their stories for them.

CNN International makes a quick mention of Washington, D.C. being affected, but information is sparse.

The Post's headline, A Media Worm?, is perhaps more telling than it means: so far, little information is available about how quick spreading the worms are, and two worms - Zotob.E and Esbot, which Symantec gives a medium risk rating, are spreading simultaneously. There is some possibility that this media coverage is less related to the rate of infection and more to the rate of media infection. Certainly, reports that this worm affects Windows 2000 more than Windows XP suggest that businesses are being affected even more than home users.

More information about the Zotob.E outbreak - as well as the Esbot incident - throughout the evening.

OUTBREAK: Zotob.E (IRCBot) worm hitting unpatched systems

trafton — Tue, 16 Aug 2005 22:18:00 GMT

A new worm utilizing the MS05-039 vulnerability has became a major outbreak. More coverage upcoming.

Details
IRCBot is a fast-spreading worm affecting systems not patched for the MS05-039 vulnerability. Infected machines will reboot frequently, as well as connect to an IRC server and await further instructions

Protection
Detection of this worm, as it is an outbreak, should be released very soon, if it is not already out.

The Gist
IRCBot is an urgent outbreak and all systems should be patched that have not already been.

Links
McAfee - Write-up.

Zotob - New worm hitting unpatched machines

trafton — Mon, 15 Aug 2005 00:57:00 GMT

A new version of the extensive and successful MyDoom worm family has appeared. Fortunately, like many recent variants, this version has got off to a slow start and is unlikely to become a major threat.

Details
MyDoom.CF was discovered Tuesday, June 28th, 2005. It is a standard MyDoom family member, faking the email address it is sent from. Messages MyDoom.CF use typically make a relatively unsuceesful attempt at seeming either personal (“Is it your name listed here? It seems this is the Pentagon listing“) or official (“Your file hasn't passedour security check and thus was returned“) and are typically caught by spam filters, if they are present. MyDoom.CF is not a very damaging virus, and exists only to spread. Attachments associated with MyDoom.CF are 32,256 bites in size, although if in the .zip format, they can vary.

Protection
Detection for this worm may be covered generically under some current DAT files, as it is an unremarkable variant of a well-known worm family. Updates will likely start appearing within the next 24 hours. As this is a low-risk threat, emergency detection releases are unlikely. MS05-039 can be downloaded at windowsupdate.microsoft.com.

The Gist
MyDoom.CF, although it may spread some, is an unremarkable MyDoom variant and does not pose a significant risk at this time.

Links
F-Secure - Write-up.

Trend Micro: "Massive hike" in computer virus infections

trafton — Sun, 17 Jul 2005 21:02:00 GMT

Although we have not seen many outbreaks today, antivirus vendor Trend Micro still reports a 22 percent increase in infections since last quarter:

During the second quarter (April-June) of this year, more than 10 million virus infections have happened worldwide, according to Trend Micro, a leading anti virus and internet content security software services provider.

Trend Micro's World Tracking Centre recorded 10,248,989 infections worldwide during the April-June quarter of this year.
This number is huge hike (22 per cent) from last quarters 8,279,477, a company statement said.

The full article, published in the Hindu, is here. No statistics were provided on whether Trend Micro had substantially increased the number of computers which they cover, which could account for the spike in reported infections.

ZDNET: Anti Gypsy-Music Virus Welcomed By Victims

trafton — Sun, 17 Jul 2005 20:58:00 GMT

I thought I had read it all, but ZNET reports that some Romanians welcome the “socially useful” Antiman.A worm, which certainly brings an entirely new facet to the “good worm“ debate:

Romanian security firm BitDefender has revealed that after releasing signatures to protect its customers from a virus that deleted files from their computers containing gypsy music, it was inundated with letters of complaint from customers who wanted the virus to spread.

The virus, dubbed Antiman.A, was discovered at the end of April and duped users into executing its payload by pretending to contain news about three Romanian journalists that had been kidnapped. When run, the virus searched the victim's computer for files containing the names of Romanian gypsy music singers.

The last paragraph is truly priceless:

Last word went to a BitDefender customer that offered to keep the antivirus labs staff busy to try give the virus more time to spread: "I would have gotten all of you drunk just to make sure you didn't get the [detection] tool out… god bless the guy who created this virus."

The full article is here.

Three Minor New Mytob Variants

trafton — Thu, 30 Jun 2005 20:18:00 GMT

Symantec reports that three new low-risk versions of the Mytob family, which has gained some success in part thanks to the sheer number of different versions in existence, have appeared. The variants are Mytob.GM, Mytob.GN, Mytob.GP. Going soley by the naming conventions of Symantec, this makes the 195th, 196th, and 198th versions of Mytob discovered, respectively. At this time, all three variants are considered low-risk and it is unclear if they are spreading in the field at all.

Details
Mytob.GM and Mytob.GN were discovered Wednesday, June 29th, 2005; Mytob.GP was discovered Thursday, June 30th, 2005. Like past Mytob versions, these worms are mass-mailers. They also share several characteristics: all three disable shared network access, contact an IRC (Internet Relay Chat) server to open a backdoor on the infected system that hackers can enter through, block access to security web sites, and terminate antivirus programs and various types of security-related software programs. There are a number of important differences between the variants, though. The file names vary, though: Mytob.GM uses Lien Van de Kelder.exe, Mytob.GN uses Lien Vande Kelder.exe, and Mytob.GP uses deneme.exe. Additionally, Mytob.GP downloads a program known as Ranky.U that turns the infected computer into an unauthorized proxy server. The email subjects vary, although most of them suggest important information is enclosed, such as email account or password information, as does the email body.

Unlike many mass-mailers of international original (it is probable that the worm originates from Belgium), the grammar in the emails sent out is mostly realistic. The emails sound realistically professional enough (despite awkward lines such as “Thank you for your attention to this question“) as to not raise red flags, even among native English speakers. In the case of Mytob.GM, there is no attachment to the email, but rather a link. At the time of writing, the domain hosting the file still remained up, although I could not verify whether or not the specific account on the free hosting site had been disabled, which would effectively kill the worm's spread mechanism. The final detail that varies between the three is the IRC server used for the backdoor, which is either diablowashere.blackcarder.net on port 12000 (Mytob.GM and Mytob.GN) or hack3rz.turanduygu.com on port 3344 (Mytob.GP).

It is worth noting that because of the number of different variants, cases are often reported generically as “Mytob.“ Because of this, underreporting occurs, and occasionally Mytob versions that are spreading in the wild are listed as very low risks. Nonetheless, any significant spread by a Mytob variant would be noticed quickly. Just because an antivirus company lists a Mytob version as not spreading does not necessarily mean it is not. However, it does mean that spread is probably relatively limited. At this point, this appears to be the case for all three of these versions.

Protection
As these are fairly minor modifications of a large worm family, it is possible that a generic detection may already be in place for some antivirus programs. If not, detection should be available at the next regular update. No emergency detection files will probably be published due to the low-risk nature of these worms.

The Gist
Mytob variants GM, GN, and GP have the potential to spread, but so far appear to be very limited and pose a low-risk. However, users should remain vigilant and be wary of any email that purports to be a notification from their ISP, especially if it requests personal information or offers a file.

Links
Symantec - Mytob.GM write-up.
Symantec - Mytob.GN write-up.
Symantec - Mytob.GP write-up.
Symantec - Ranky.U write-up.

MyDoom.CF - New Minor Variant

trafton — Wed, 29 Jun 2005 18:44:00 GMT

The Gist
MyDoom.CF, although it may spread some, is an unremarkable MyDoom variant and does not pose a significant risk at this time.

Links
Symantec - Write-up.

Sober.P - New Medium Risk Worm

trafton — Tue, 03 May 2005 00:42:00 GMT

Sober.P is a mass-mailing worm that was discovered earlier this afternoon and, as with all Sober worm variants that have previously became common, is spreading quickly, especially in Germany, where the family originates. Unlike previous variants, it is spreading much more quickly among home users than it is corporate users. McAfee, for instance, has upgraded it to Medium risk for home users only. In the past, we've seen Sober spread pretty equally between both classes, heavily relying on international business between the United States and Germany.

Messages containing Sober.P typically follow the usual Sober profile: the message body is in poor English or decent German, with the attachment either suggesting that it originates from the system administrator of the email service or is a friendly joke. The message body, on the other hand, can be one of two things: in German, it involves the apparent suggestion of tickets to a soccer game. The English version promises that “account and password information are attached!“ [sic].

Details
Sober.P was discovered on May 2nd, 2005, with details first published around noon PST. It is a worm that spreads via email. It also terminates a small handful of security programs. The attachment containing Sober.P varies, but is always one of the following: account_info.zip, autoemail-text.zip, LOL.zip, Fifa-Info_Text.zip, mail_info.zip, okTicket-info.zip, our_secret.zip, or _PassWort-Info.zip.

Protection
Updated detections for most antivirus programs should appear within the next 24 hours or so when they have not already. Although some antivirus companies rate this worm as a Medium risk, others do not; this may mean that emergency detections will be issued by some companies, but not others. Infected users should wait for detection files and/or more detailed information and removal information to be published before attempting to remove the worm. Until then, infected users should avoid connecting to the Internet or any open network.

The Gist
Like previous Sober variants, Sober.P is written in poor English and will probably raise red flags among users more experienced with worms. However, since this variant is especially common among home users, unlike previous versions, the infected usergroup may be less likely to know where to look for these red flags. Although it is not an outbreak, Sober.P is still spreading quite rapidly and warning precautions should be taken and antivirus programs updated. Germany and the United States, as well as possibly Australia and Great Britain (if the worm follows previous Sober family members' track) may be hardest hit.

Links
McAfeeHelp Forums - Excellent resource for latest information and updates.
Secunia - Compiles latest descriptions and links.
Trend Micro - An excellent and detailed description with generic removal instructions. Refers to worm as Sober.S.
McAfee - Detailed description with excellent, specific removal instructions.
Symantec - Detialed description, but with no specific removal instructions. Refers to worm as Sober.O.
F-Secure - Detailed description with no removal information.
Sophos - At this time, no information posted.