Security Manifest : Viruses (Urgent)

OUTBREAK: Zotob.E (IRCBot) worm hitting unpatched systems

trafton — Tue, 16 Aug 2005 22:18:00 GMT

A new worm utilizing the MS05-039 vulnerability has became a major outbreak. More coverage upcoming.

Details
IRCBot is a fast-spreading worm affecting systems not patched for the MS05-039 vulnerability. Infected machines will reboot frequently, as well as connect to an IRC server and await further instructions

Protection
Detection of this worm, as it is an outbreak, should be released very soon, if it is not already out.

The Gist
IRCBot is an urgent outbreak and all systems should be patched that have not already been.

Links
McAfee - Write-up.

Zafi.D - High Risk at Secunia

trafton — Thu, 16 Dec 2004 22:59:00 GMT

The new Zafi.D worm is spreading rapidly and has earned a high risk at security company Secunia, which combines write-ups from various vendors and assigns them a risk.

Zafi.D was discovered on Tuesday, and has since then maintained a relatively steady spread rate, which has since declined slightly. Antivirus company Sophos, according to BBC News (WARNING: mildly offensive smilies within), estimates that at its peak spread Tuesday evening, the worm was in 10% of all emails sent.

One of the most notable features of Zafi.D is its multilingual abilities. This has allowed other worms to spread more significantly. Language is one of the more interesting aspects of virus spread: it allowed the Japanese worm FBound.C to become a worldwide outbreak with huge spread in western Europe, Canada, and the United States in March 2002 after curious people opened the attachment to the worm, which appeared as junk text to them. This also allowed the Mexican worm Mapson to become prevalent in the summer of 2003 among Hotmail users, especially in communities with both Spanish and English speakers.

Perhaps more likely to facilitate in the spread is the image of two smiley faces copulating between the words “Happy Hollydays [sic].” Contrary to what it should do (be a red flag that something is up), childishly semi-offensive imagery like this simply increases the chances that the worm will spread more. The Christmas theme only adds to this.

Once it gets onto your machine, Zafi.D is a fairly standard, not incredibly damaging worm. Like most worms of this day, it contains its own mailing server to spread itself and harvests email addresses from the host machine in the usual way (searching through files on the machine). Also featured are the now-standard P2P spreading capabilities and the equally common ability to shut down security programs.

I have received conflicting reports about the language abilities of Zafi.D; one report says that “outgoing email message bodies are either in English or Hungarian“ while another gives an example of the outgoing message body being in German. Despite the minor successes of local Hungarian worms like Magold, it is doubtful that adding Hungarian message bodies to the worm would increase its spread all that significantly from just using English.

The December month is typically breeding ground for holiday-related worms, such as Navidad, which appeared in November 2000 and became a major problem the month after, and the Ska (Happy99) worm, which offered a greeting for the 1999 New Years, and inexplicably remained one of the most common worms through 2001.

The moral of the story is, as usual, avoid opening Christmas cards from friends you never knew you had, or for that matter friends who probably would not be sending you Christmas cards in some weird sort of sub-English. And, of course, that any attachment, no matter who it is from, should be regarded with extreme suspicion.

Happy holidays, everyone, and please do be safe. :)

Resources for Zafi.D
McAfeeHelp.com - My fellow MVPs Harry Waldron and Jurren Bouman have here compiled a list of many known write-ups for Zafi.D, as well as news stories. An excellent portal to information for this threat.

Bagle.AZ Goes Medium at McAfee

trafton — Tue, 28 Sep 2004 23:23:00 GMT

Breaking News: New Bagle Variant Spreading Quickly Worldwide

The latest variant of the Bagle worm, Bagle.AZ, has now been declared a Medium risk at McAfee due to increasing spread. For more information, see this link from the McAfeeHelp forums:

http://forums.mcafeehelp.com/viewtopic.php?t=32387

This is notably the first time McAfee has declared a Medium risk alert since MyDoom.S on August 15th. I personally received a copy in my Yahoo! email box this morning, and reports continue to come in that spread is increasing, although it seems unlikely at least at this point to become a major outbreak.

I will continue to monitor this developing threat. More information will be posted as it is made available.

Outbreak Alert for New MyDoom Variant

trafton — Tue, 27 Jul 2004 00:01:00 GMT

BREAKING NEWS: Mydoom Variant Medium-High Risk

At 9:25 AM Pacific Time, security company Secunia released a Medium risk alert for the latest variant of the Mydoom family, which is known by various names, including MyDoom.L, MyDoom.M, MyDoom.N, MyDoom.O, and MyDoom.R. The following are various vendor's aliases for this worm:

Computer Associates: Win32.Mydoom.O
F-Secure: Mydoom.M
Network Associates: W32/Mydoom.o@MM
Panda Software: Mydoom.N
Sophos: W32/MyDoom-O
Symantec: W32.Mydoom.M@mm
Trend Micro: WORM_MYDOOM.M

Contrary to the Secunia bulletin, Panada Software's Mydoom.M is an unrelated worm.

The following are vendor risks:

Computer Associates: High (4/5)
F-Secure: Medium (2/3)
Network Associates: Medium-On-Watch (2.5/3.5)
Panda Software: High (3/4)
Sophos: Unassigned
Symantec: High (4/5)
Trend Micro: Medium (2/3)
OVERALL: Medium-High (7.3/10)

Worldwide Spread
Trend Micro reports significant spread from Germany, Singapore, and the United States, indicating that it is likely this worm has already became common in all continents.

Recognition
Email messages appear similar to the following, although may be variable:

More Information
McAfeeHelp Forums (thanks to CD)
NAI Description
Symantec Description
Trend Micro Description
Panda Software Description
F-Secure Description
Computer Associates Description
Sophos Description

Bagle Variants Keep on Coming

trafton — Mon, 19 Jul 2004 22:51:00 GMT

BREAKING NEWS: 3 New Bagle Variants Appear; 2 Medium Risk

I reported in the last post here that Bagle.AF has been assigned Medium-On-Watch risk at McAfee (it remains there.) However, since that, three new variants (.AG, .AH, and .AI) have appeared, and .AG and .AI are listed as Medium risk.

They are extensions on the standard Bagle theme, not varying too much from earlier variants. Typical modifications can be found here, with .AF and .AI seeming to have shifted toward an animal-related theme in the subject messages with which they mass-mail.

We're beginning to get some naming confusion here (which actually started in around .J but vendors are now trying to correct unsuccessfully), so to sort things up:

Variant “One”
Computer Associates: Win32.Bagle.AC
Kaspersky: I-Worm.Bagle.ah
Network Associates: W32/Bagle.ag@MM
Symantec: W32.Beagle.AC@mm

Variant “Two”
Computer Associates: Win32.Bagle.AD
F-Secure: Bagle.AH
Network Associates: W32/Bagle.ah@MM

Variant “Three”
Network Associates: W32/Bagle.ai@MM
Sophos: W32/Bagle-AI
Symantec: W32.Beagle.AG@mm

Although little is known about Variant “Two” (which is low risk at McAfee), variants “One” and “Three” appear to mass-mail with messages containing animal themes, such as “Dog,” “Fish,” “Lovely animals,“ or “Predator.” However, some unrelated subject lines exist too, such as “Cool_MP3” and “Garry.”

The remote access function remains in this version, relying on .php scripts hosted on a large number of sites, all with .de suffixes (Germany.) This suggests that, like Netsky, the Bagle worm was created in Germany. However, this may be a smokescreen, especially considering that .com and .net suffixes are also frequently used for German sites, and it is statistically unlikely that a random pool of German sites would all have the suffix .de. This indicates that there is a good chance the virus author intentionally chose only German sites.

More information about individual variants can be found under their various topics here:

http://forums.mcafeehelp.com/viewforum.php?f=23

Bagle.AF Outbreak Alert

trafton — Fri, 16 Jul 2004 05:38:00 GMT

BREAKING NEWS: Medium-On-Watch Warning for Bagle.AF

It's been a while since we've had a Medium-On-Watch worm (the last Medium-On-Watch was Bagle.AA in April; the last High risk Mydoom in January), but this drought has been broken by the latest version of the Bagle family, Bagle.AF. The worm, which appeared earlier today, has been spreading at a very rapid speed, earning it Medium-On-Watch from McAfee, which signifies that there is a significant chance that a High risk upgrade will occur within the next 72 hours.

The following risks have been applied:

Trend Micro - MEDIUM
NAI - MEDIUM-ON-WATCH
Symantec - MEDIUM
F-Secure - LOW/NO ALERT RELEASED
Sophos - “MANY REPORTS”
Computer Associates - LOW-MEDIUM/NOT ASSESSED

The Secunia information file is available here. More information is also available from Harry Waldron at the McAfeeHelp Forums.

Symantec Goes High on Sasser.B

trafton — Sun, 02 May 2004 16:39:00 GMT

BREAKING NEWS: Symantec Upgrades Sasser.B to HIGH (4)

Symantec has just upgraded Sasser.B to a HIGH risk (4). This is due to increased spread. The worm, which appeared yesterday, has now achieved higher spread than the original, according to Symantec.

http://www.sarc.com/avcenter/venc/data/w32.sasser.b.worm.html

Sasser.B Goes Medium

trafton — Sun, 02 May 2004 13:18:00 GMT

BREAKING NEWS: Sasser.B Spreading Quickly

Most companies are now calling W32/Sasser.worm.b Medium risk. This reflects increased spread. The worm, which debuted yesterday, is not all that different from the original. The main indication of difference is the prescence of a “2“ at the end of the file name before the .exe.

Descriptions
F-Secure (Low): http://www.f-secure.com/v-descs/sasser_b.shtml
McAfee (Medium): http://vil.nai.com/vil/content/v_125008.htm
Symantec (Medium): http://www.sarc.com/avcenter/venc/data/w32.sasser.b.worm.html
Trend Micro (Low): http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.B

W32/Sasser Spreading Quickly

trafton — Sat, 01 May 2004 13:48:00 GMT

BREAKING NEWS: Sasser Goes Medium

McAfee has just upgraded W32/Sasser.worm (which uses MS04-011) to Medium risk reflecting the amount it has spread. I personally have received a number of reports of this worm being in the wild. All users should upgrade immediately. A new Stinger detection is available that covers this. Also, the Internet Storm Center has declared Infocon Yellow to reflect the global spread.

McAfee Description
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125007

Bagle.AA Pre-Outbreak Warning

trafton — Wed, 28 Apr 2004 10:46:00 GMT

BREAKING NEWS: Bagle.AA is Approaching Outbreak Levels

W32/Bagle.AA-mm has been assigned a Medium-on-Watch risk by McAfee, meaning a HIGH risk assessment is a possibility. Users should upgrade their antiviruses as soon as detection is available. A pandemic (high risk from most vendors) is not immediately likely, as Bagle.AA is narrowly an outbreak at this time.

More info is available here and a description can be found here.

The Daily Update - Monday, April 26th, 2004

trafton — Mon, 26 Apr 2004 17:41:00 GMT

BREAKING NEWS: Bagle “Z“ Wants to Be Your Friend; Spreads Rapidly

W32/Bagle.Z-mm (or “W) has been found spreading quickly throughout the field. Most antivirus companies rank this as a Medium threat.

The worm spreads by using email messages that sound like requests for pen pals who don't exactly speak English that great. An example email is titled “Re: Msg reply“ and reads “I very much love productive leisure, to prepare for new exotic dishes, at leisure to leave with friends on the nature, to float, I like to go for a drive on mountain skiing, to visit excursions, travel. Very easy going. Read the attach. Have a good day, Christie.“

Other emails are similarly humorous. Full information can be found here.

“E“ Variant of BugBear Appears Quietly Today

W32/BugBear.E-mm, which is unrelated to W32/BugBear.C-mm (accidentally named .E by a few antivirus companies), has appeared quietly. It is not believed to be in the Wild, although it does have some interesting features. First, the zero day exploit used in .C has been removed from .E. Next, it logs actions such as words typed, clipboard entries, cookies, and text from open windows and sends it to the writer, who is believed to be in Malaysia. More information about the latest variant can be found here.

CIH Activation Today; More for Nostalgia than Anything

It's been five years since the W95/CIH, or Chernobyl, virus first activated. The virus, which became a pandemic, especially in Asia where it infected poorly protected, pirated software, has destroyed progressively fewer machines since its first payload, which was a major media event. Most experts agree that 2001 was the last time the W95/CIH activation caused any significant damage (the virus itself has nothing to do with the nuclear disaster - it just activates on that date.) However, the BIOS-flashing, which damaged some retro-era motherboards, is still a risk to some users. Infections are still somewhat common in the Asian countries, and outbreaks of W95/CIH due to pirated software is an occasional event.

Chen Ing-Hau (whose abbreviations lend the virus its name) was detained by Taiwanese authorities in 2000 following legal roadblocks that prevented his arrest. Sophos reflects on this and other parts of the history of W95/CIH here.

The Daily Update - Tuesday, April 20th, 2004

trafton — Tue, 20 Apr 2004 12:30:00 GMT

Breaking News: W32/NetSky.X-mm Outbreak

A number of major security companies are reporting a medium-risk outbreak of the latest W32/NetSky-mm variant, W32/NetSky.X-mm. This variant sends itself in a number of languages, badly translated, including the obscure inclusion of a local dialect from the Turks and Caicos. Recent outbreaks such as W32/Sober and, to an extreme extent, W32/Zafi-mm (see below), have shown that even a locally-oriented worm can become a regional outbreak.

Little technical revelation in this worm: although much of the function has changed, 86 per cent of the code remains identical to W32/NetSky.U-mm. Between the 28th and 30th of this month, the worm performs a Denial of Service attack on two academic sites, one German and one Swiss, and a site for the medical department at the University of Florida in the United States.

Descriptions of this worm are available at many antivirus vendor sites, including F-Secure (Medium), McAfee (Low), Symantec (Medium), and Trend Micro (Low).

The Register has posted an article about the worm and its semi-humorous mangling of several major world languages here. It cleverly referrs to it as “The Babel Fish worm.“ For those who do not know, Babel Fish is a translation engine that allows Internet users to translate text and web sites into a range of languages. The name “Babel Fish“ comes from the book The Hitchhiker's Guide to the Galaxy.

“Zafi“ Worm at Outbreak Levels in Hungary

W32/Zafi-mm, variously also known as Erkaz and Erkez, has become a major problem in Hungary. The worm only sends itself using a Hungarian messages to emails ending with the suffix .hu. One might consider this a limitation, along with the fact that Hungary does not have an exceptionally large Internet userbase. However, it has successfully spread quite well in the small region. Hungarians users are recommended to remain alert, although it is doubtful that there will even be a ripple of the worm in any other countries.

Descriptions of this worm are available at the web sites of F-Secure (Low), McAfee (Low), Panda Software (Low), Sophos (n/a), Symantec (Low-Medium), and Trend Micro (Low). Security Manifest would put the risk to users worldwide at Low, with a special Medium-High risk exclusively for Hungary and Hungarian speaking regions with .hu suffixes.

The good news? We won't have to deal with W32/Zafi-mm for too long: it deactivates itself at the end of the month.

1-in-3 E-Mails Spam (Only That Much?)

Analysis company IDC says that 1-in-3 corporate emails are now spam, The Register reports. The company surveyed 1,000 IT managers representing various sectors of the business to reach this figure, which some may point out is a tad on the conservative side. Competing companies such as MessageLabs report that over half of e-mails received are bulk mail.

Password for a Chocolate Bar...Or Nothing?

The Register is reporting here that the British apparently are a bit too friendly with information about their passwords. According to a survey that involved walking up to random people on the street, around 60 per cent of people approached would give hints regarding their password to e-commerce sites to a random person on the street. The information, which included what type of password it was (for instance, a pet's name), could easily be used by a resourceful black hat to invade the unsuspecting pedestrian's bank account, for instance.

Another similar study reveals that sweetening the pot with a chocolate egg increases the odds to about 70 per cent. This study was also conducted in Britain. To the credit of those interviewed, British candy is indeed rather strong, although it is doubtful that this will be any consolation after their bank account is drained.