research the vector. close the door.         

 August 2005 VECTORBLOG

 

August 30, 2005

complaint department

Not really a complaint, but there is something that irritates me about the classification of malware as a "bot." Bot incorporation is indicative of what the author is attempting to do with the malware once it is on the device; it is not a type of malware. Bots are a payload, not a classification of worm. File infectors, mass mailers, and Internet worms can all carry destructive routines, but there is no class of malware known as "file deleting viruses." Incorporating remote control functions, reporting to a central location, and allowing one-to-many management are, however, popular features in malware. Just an extra 2 cents.

 

August 29, 2005

seizure

The Zotob arrest made for one of the biggest stories in the year of malware reports, to go along with the equally big story of the worm's release. A short write-up is available here and as a PDF.

 

August 28, 2005

busted

The big news of the weekend? Surely you've heard about the Zotob authors being caught. Write-up tomorrow. 

 

Best wishes to all US readers near Katrina.

 

August 25, 2005

cycle again

Latest Zotob samples appear to use not only the Plug & Play exploit, but also the Message Queuing vulnerability from this year (see the April summary for more), the Workstation Service flaw from 2003 (MS03-049), and the ASN.1 overflow (MS04-007) that it employed early on in its (so far) short life. 

 

And, although the worm has seen only a few weeks' worth of life, expect it to hang around for quite some time. The MyDoom authors appear to have been successful at giving their older code new life in the form of Mytob, and have now resuscitated it again in Zotob. This vehicle will be around as long as there are new "modules" to insert. This is the same plan that the Agobot author made popular with one of the greatest malware kits of all time (if you are expecting that link to take you to the source package for Agobot, you will be disappointed).

 

August 24, 2005

similarities in common

The relationship between Mytob and Zotob is unmistakable, with only the seeding left to examine as common strategies. The code is very much alike, and the speed with which it was adapted indicates someone was familiar with the source and its inner workings. That would tend to favor the theory that the same authors released both worms. In addition, the relationship to the "parent" code, MyDoom, is an interesting search as well.

 

The variants continue to roll out; however, the crisis seems to be over, if there ever was one. F-Secure posted a tremendous summary from the perspective of front-line analysts; definitely check that out if you have not already: http://www.f-secure.com/weblog

 

August 19, 2005

delivery

Well, maybe things are like they appear after all. The Zotob.C variant, which reportedly spreads by email as well as the PnP/ASN.1 exploits, did not send itself in controlled lab attempts to view the propagation. I thought maybe there was something very tricky that the worm checked for during infection and that it knew that the virtual machines were not real Internet hosts. However, the analysts at CA (who put together some great descriptions) have reported that the SMTP vector does not seem to work because of flaws in the routine - likely in the way the file is attached to the messages. That is probably why it only lasted for one version of the worm. Read the CA description here:

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=43369

 

In other Zotob news, a better explanation of the attack sequence is in order after requests for clarification: Early versions (by my estimates, through the 4th iteration) used only the first 2 octets of the host's IP address and randomized the last 2. Variants after that would switch to completely random combinations after a series of failures (Symantec reports the switch after 32 consecutive attempts with no success, or after 512 failures).

http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.e@mm.html 
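Detection logic for the target-selection pattern described above, as an added example that is not code from the original post: it groups SMB probes per source host and labels whether every target falls inside the source's own /16 (the fixed-first-two-octets scan) or whether targets have gone fully random. It assumes the scan traffic lands on TCP 445 (the SMB port carrying the PnP exploit); the flow log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow log (not from the original post): "src dst dport outcome".
# 10.20.3.4 probes random hosts inside its own /16 only (the early-Zotob pattern),
# 10.20.9.9 has switched to fully random targets, 10.20.5.5 is an ordinary client.
SAMPLE_FLOWS = """\
10.20.3.4 10.20.77.12 445 fail
10.20.3.4 10.20.201.3 445 fail
10.20.3.4 10.20.14.250 445 fail
10.20.3.4 10.20.8.66 445 fail
10.20.3.4 10.20.133.9 445 ok
10.20.9.9 203.0.113.7 445 fail
10.20.9.9 198.51.100.22 445 fail
10.20.9.9 10.20.44.1 445 fail
10.20.9.9 192.0.2.88 445 fail
10.20.5.5 10.20.1.10 445 ok
10.20.5.5 10.20.1.11 445 ok
"""

SMB_PORT = 445  # assumption: the PnP exploit travels over SMB, so scans land on 445

def parse_flows(text):
    """Yield (src, dst, dport, outcome) tuples from the space-separated log."""
    for line in text.splitlines():
        if line.strip():
            src, dst, dport, outcome = line.split()
            yield src, dst, int(dport), outcome

def classify_scanners(flows, min_targets=4, min_fail_ratio=0.5):
    """Return {src: (distinct_targets, fail_ratio, pattern)} for sources hitting at least
    min_targets distinct SMB hosts with mostly failed connects; pattern is "same-/16" or "random"."""
    targets, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for src, dst, dport, outcome in flows:
        if dport != SMB_PORT:
            continue
        targets[src].add(dst)
        total[src] += 1
        fails[src] += outcome != "ok"  # bool counts as 0/1
    report = {}
    for src, dsts in targets.items():
        fail_ratio = fails[src] / total[src]
        if len(dsts) < min_targets or fail_ratio < min_fail_ratio:
            continue
        net16 = ipaddress.ip_network(f"{src}/16", strict=False)  # source's first two octets
        in_net = sum(ipaddress.ip_address(d) in net16 for d in dsts)
        pattern = "same-/16" if in_net == len(dsts) else "random"
        report[src] = (len(dsts), round(fail_ratio, 2), pattern)
    return report
```

The "same-/16" label is the signature of the early variants; a source that flips to "random" matches the later fall-back behaviour the post describes.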

 

August 18, 2005

zzzzz

The Zotob reports continue to flood into every security site on the Internet, with high-profile attacks at CNN, etc. making for fairly exciting reading. The propagation of such a worm (one that is confined to the first 2 octets of each seeding) forces a fairly large release pattern, one that needs to be broad and well-planned. Only Zotob.C broke this requirement, by emailing itself to new targets. Although it is a slow process, the research on this worm's origins should make for some compelling reading as well. Be sure to check out the Zotob report in the meantime. 

 

August 17, 2005

benchmark

If you're running a shop full of W2K boxes, it is likely that you didn't have to read this when it was published - patching for MS05-039 became a super high priority with the release of Zotob. This worm highlights the issues with patching in a hurry, the state of the network perimeter (whether wandering laptops, firewall issues, host-based firewalls, etc.) and the speed with which a well-coordinated malware effort can hit the web. The initial report is available here and is PDF'd for your enjoyment.

 


 

August 16, 2005

obsolete

It's always nice to see something made to look ancient a day after it is released, especially when it's a report on this web site. The proof-of-concept code for MS05-039, the Plug and Play flaw, circulated late in the week, turned into the propagation mechanism for a very Mytob-like worm over the weekend, and then found its way into a few different pieces of malware by the time everyone was ready for work Monday. That makes the "Time to Exploit" report rather toothless, as it didn't have any of this in it - and it appears that the PnP malcode will be one of the biggest stories in malware this year. Of course, this will be wrapped into the year-end version of the report, and in the meantime, we're putting together initial analysis of the MS05-039 worm released a few days back.

 

August 11, 2005

timeout

The number of advisories is a little ahead of 2004, but overall, that has not translated into a more potent year for malware. There has been no Sasser this year, nor anything the size of MyDoom. Part 2 of the "Just in Time: Microsoft Time to Exploit" report is available here and as a PDF. Part 1 is still out there too.

 

August 10, 2005

dog days

The summer rolls on with this month's Microsoft bulletins.

August brings a familiar set of flaws, including one in RDP and new updates for Internet Explorer. Three have been marked Critical by Microsoft, with a single Important and even two Moderate entries this month. The bulletin is summarized below and is available in table XLS and CSV format.

 

MS05-038: As always, flaws in IE that allow code execution need special care and attention. This one, like July's, is the most likely to spawn a worm or two, especially as proof of concept code is already floating around.

 

MS05-039: The Plug and Play threat is a remote code execution/local escalation (bad combination) problem; however, a user must have valid logon credentials on XP/2003 boxes (and admin rights at that for remote execution) to execute the exploit. Nonetheless, the exploit doesn’t appear too complicated to engineer, and it received the Critical stamp.

 

MS05-040: Similar in credential requirements to MS05-039, the Telephony flaw allows remote execution on systems with the service running. Telephony can be turned on and off by applications that utilize it, such as caller ID programs, etc. If your machines utilize telephone services for remote assistance, communications backup, etc. invest time in the patch.

 

MS05-041: This Moderate warning does have proof of concept code available, making it at least more likely that exploits will occur – even if that exploit “only” results in a denial of service condition.

 

MS05-042: Another DoS is possible via a specially crafted RDP packet. In the past, these types of flaws have not been especially coveted by worm writers, although due to the simplicity of the attack, they are explored by vandals.

 

MS05-043: The Print Spooler vulnerability does not require logon credentials on XP SP1 and W2K systems, likely a big reason for the Critical rating. This buffer overflow allows remote code execution, making it a valuable flaw for attackers.

 

Of all the vulnerabilities disclosed this month, the IE flaws are certain to garner the most attention, and rightfully so. Due to the nature of the attack, the Plug and Play patch may be especially necessary on the broadband networks of the world.

 

August 9, 2005

hiatus

After a bit of a break, it is back to work at infectionvectors.com. It was a good time, as far as malware releases go, for some time away. The Beagle worm is back, a little later in the month than we have come to expect it, and in basically the same form. The inclusion of the Mitglieder code directly in the worm code is a little different, I suppose, but it is far from a major alteration of the business plan. As stated at the beginning of the summer, these few months are a great time to make a suggestion or submission - send them in to the vectorblog address above.

 

Copyright © 2005 infectionvectors.com. All rights reserved.