research the vector. close the door.         

 February 2005 VECTORBLOG

 

 

February 26, 2005

peanut butter in my chocolate

Blended threats are not new; years ago Nimda ensured that everyone in charge of malware defense in any fashion realized that there is no reason a mass mailer cannot travel with Internet worm propagation routines. Recently released is a worm called Mytob: a mass mailer that also spreads by exploiting last year's LSASS (MS04-011) vulnerability. The worm delivers a few special functions as well, such as an IRC client, the capability to download and execute "updates," and a system uptime monitor. This worm looks very much like early MyDoom variants (and is identified as a MyDoom iteration by McAfee) with the addition of the SDbot portions (MyDoom + SDbot reversed = Mytob, credit F-Secure). The IRC connection is to irc.blackcarder.net on the traditional TCP 6667, if you're interested in checking firewall logs or creating an IDS signature for the duration of the outbreak (something akin to: alert tcp $INT_NET any -> 62.193.224.155 6667 (msg:"Mytob Worm IRC Connection"; reference:url,www.infectionvectors.com/malagents/mytob.htm;)). This worm is a good model for what was mentioned last month in "Demise of the Mass Mailer": email is too good a propagation mechanism to go away any time soon, and it is easy to bring a bot to thousands of desktops in a short period of time. More to the point, check out the last part of the Beagle worm history, "Year of the Beagle," for coverage of the Beagle-built bot net that is often overlooked. This MyDoom-based bot net delivery agent is a much more overt example of how the mass mailer/bot net blanket can be sewn together. The malagent report is here.
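For anyone taking the firewall-log suggestion above literally, here is an added example (not code from infectionvectors.com) that scans constructed, simplified firewall log lines for the Mytob IRC indicator from this entry: destination 62.193.224.155 on TCP 6667. Any other outbound TCP 6667 is flagged separately as worth a look while the outbreak lasts; the log line format is an assumption for the example.

```python
"""Flag Mytob IRC beaconing in firewall logs (added example, not the blog's code).
Indicator taken from the February 26 entry: 62.193.224.155, TCP 6667.
The 'src= dst= proto= dport=' log format below is a constructed simplification."""
import re
from collections import Counter

MYTOB_IRC_HOST = "62.193.224.155"   # IRC server named in the entry
IRC_PORT = 6667                     # "the traditional TCP 6667"

LINE_RE = re.compile(
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+)\s+dst=(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)

def classify(line):
    """'c2' for a TCP hit on the known IRC host, 'irc' for any other outbound
    TCP 6667 (suspicious during the outbreak), None for everything else."""
    m = LINE_RE.search(line)
    if not m or m["proto"].upper() != "TCP":
        return None
    dport = int(m["dport"])
    if m["dst"] == MYTOB_IRC_HOST and dport == IRC_PORT:
        return "c2"
    if dport == IRC_PORT:
        return "irc"
    return None

def scan(lines):
    """Group verdicts by internal source IP so hosts with 'c2' hits
    (likely infected) can be isolated first."""
    per_host = {}
    for line in lines:
        verdict = classify(line)
        if verdict is None:
            continue
        src = LINE_RE.search(line)["src"]
        per_host.setdefault(src, Counter())[verdict] += 1
    return per_host

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "Feb 26 10:01:02 fw ACCEPT src=10.1.2.3 dst=62.193.224.155 proto=TCP dport=6667",
    "Feb 26 10:01:05 fw ACCEPT src=10.1.2.3 dst=62.193.224.155 proto=TCP dport=6667",
    "Feb 26 10:02:11 fw ACCEPT src=10.1.2.9 dst=198.51.100.7 proto=TCP dport=6667",
    "Feb 26 10:02:30 fw ACCEPT src=10.1.2.9 dst=198.51.100.20 proto=TCP dport=80",
    "Feb 26 10:03:00 fw ACCEPT src=10.1.2.4 dst=62.193.224.155 proto=UDP dport=6667",
]

if __name__ == "__main__":
    for host, counts in scan(SAMPLE_LOG).items():
        print(host, dict(counts))
```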

 

February 24, 2005

hi again

Interestingly, each time a new Sober variant hits the Internet, it seems to gather a lot of attention, even though they do little damage outside of resource consumption. Sober.K has been around for 4 days now. vectorblog is the first to give the author credit for a well-written worm: the fact that its email message states "new Sober variant released, run attachment to protect your computer" is kind of funny, and the dedication to carrying a German and English version is worth some applause. However, the repeated news reports about this worm because of its fake FBI message version seem overdone. How many reports have you heard about any of the Beagle releases in the last year? Not as many. A quick update on the worm is here.

 

February 22, 2005

animation

Another Trojan built on the animated cursor/icon vulnerability from last month was released today, Anicmoo.B. The details are available at Symantec's site. This one reaches out to sweetbar.com to retrieve additional goodies for the infected machine. This follows the original version of this malware as well as Hebolani, all of which exploit the flaw reported in MS05-002. 

 

The release of a new worm comes in the midst of releases from MyDoom (additional details for AX added recently) and Sober, two established mass mailers that have been the most successful at their craft at some point in their respective lifecycles. The continued production of these worms is additional evidence that mail relays continue to require improved filtering tools to combat the SMTP-based malware applications of the Internet.

 

February 21, 2005

that was last monday

A new mass mailer hit the streets today (currently only catalogued at Sophos) with a subject line of "LOV YA" much like the ILOVEYOU worm of 1999. This might have been a little more effective on Valentine's Day, but it will probably snag a few curious romantics nonetheless. It drops an interesting poem; interesting in the sense that it would appear to have been written by someone familiar with the verse hidden in some variants of the Beagle worm. See this report for details. 

 

Secondly today, a new review of the Netsky worm was posted. This report examines why Netsky (approaching the anniversary of its release) was so immensely successful for so long. See the article for the not-so-secret reasons.

 

February 17, 2005

warmed over

MyDoom made headlines again (in the AV world anyway) with a repackaged version of MyDoom.M from last summer. This variant appears identical; the only noticeable difference at this point is the use of MEW to pack the code (the original used UPX). Check out the updated report here.

 

February 16, 2005

triumvirate

"Year of the Beagle" marks the last part of the Beagle History trilogy. It is available today as a special infectionvectors.com feature in the vector spaces section. Check it out there, along with parts 1 and 2 (80+ pages of Beagle goodness), all available as PDFs for your reading and printing pleasure. As always, send feedback to the author or the contact address.

 

February 15, 2005

coming soon

No flood of "Valentine"-inspired mass mailers yesterday, which is just as well. 

 

Bill Gates announced that Microsoft would deliver an anti-virus tool to customers by year's end. Fans of the spyware tool and previous malware-removers from Microsoft are undoubtedly looking forward to getting all updates from one source. The new tool will be based on RAV, which was purchased by the company in 2003.

 

February 10, 2005

cut bait

Part 2 of the "Phishing Trip" series has been released, "Phishing Defense." This report examines a few of the strategies available to organizations to defeat phishing attacks. This growing issue requires companies to support all users, internal and external, in order to keep the Internet safe for online business.

 

Also, the widely reported (maybe too widely) Symantec AV vulnerability involving the DEC2EXE code is discussed as a means of presenting heap overflows. This is a complex topic that is given a brief overview in the SAV Vulnerability Report just to introduce the background of a subject that is tangentially discussed with a lot of worm reports.

 

February 9, 2005

the target demographic

As a sociological study, it is often very interesting to examine the filenames that virus writers use when coming up with enticing titles for file share copies of worms, the ones that rely on a user attempting to open them in order to propagate. This was studied as an aside in the Beagle papers; the author used the same set for a year, presumably finding the success he/she wanted. The latest MyDoom (AR at Symantec) has an interesting set of titles too; see if you fit the demo: of the 10 filenames, 9 are hard core pornographic in nature, the other is "Windows Longhorn Screen.scr." Nerds of the world unite.

 

Also of note: anti-virus vendors are reporting samples of malware that employ exploit code based on the PNG vulnerability released yesterday. If you are a WMP or Messenger user, test and patch asap. And, check the full list of advisories here.

 

February 8, 2005

comin' back around again

Haven’t patched IE since last year’s cumulative update? Good news, you can scrap the roll out plan you have in your head and work on the latest, released with 11 other updates today. These 12 bulletins translate into 8 Critical alerts, 3 Importants, and a Moderate.

 

Some of these even apply to Win98 devices, which are still supported under Critical Support (no matter how you feel about Microsoft, at least give them credit for turning out patches for 98 in 2005). There are a few complicated ones, so as always, be sure to check the versions and product details before rolling out into production.

 

The interesting thing this month is the proportion of vulnerabilities that allow for unattended remote code execution (by which I mean an Internet worm like Sasser) versus those that require some type of user interaction (client-side attacks, like malicious web pages, mass mailed Trojan delivery, etc.). There are 3 that fit into the first group, but 7 that fit into the second. Check the rundown here. Get the infectionvectors.com breakdown in Excel format here and CSV right here.

 

February 5, 2005

aaaa-choo

The "Virolution" feature examined malware as evolving, how it acts like biological viruses. The "Demise of the Mass Mailer" report takes a shot at prognosticating the life of mail-borne worms. A really good article on Security Focus this week analyzes the threat of mobile device malware, such as Cabir, Lasco, etc. Kelly Martin writes a compelling argument against the fearful predictions of a mobile device virus outbreak. The article is available here.

 

February 4, 2005

spy vs. anti-spy

We do hold the belief that Microsoft gets a lot of criticism that they don't deserve, but the vectorblog is no MS disciple. That being said, today's entry is a review of the spyware tool that doesn't seem to fit as a report all its own, so the truncated version appears here.

 

Whether you love Microsoft or hate the company, the AntiSpyware beta release, free until July of 2005, is hard to bash. Not to say it doesn't take a beating; there are plenty of negative articles out there. Most of these seem influenced by political problems: if you already hate all things Redmond, you likely hate the latest offering. However, the AntiSpyware application is remarkably powerful, incorporating all the best parts of tools like HijackThis! (still the vectorblog's favorite spyware tool) and spyware busters like Lavasoft's Adaware and Spybot Search & Destroy, and packaging them in the attractive GUI created originally by Giant Software (purchased by Microsoft in 2004).

 

 

The scanner seems adequate for most users, although there have been a few false positives raised during the beta stage, especially where foreign language versions of applications are concerned. The overall strength of the scanner seems average at this point, based on basic tests conducted against common spy applications. True, controlled bench tests will likely appear in the technical media during the coming weeks.

 

Beyond the general spyware scanning and removal functions (which allow for quick scans, full system scans, and scheduled scanning), the tool allows a user to view all the BHO (browser helper objects), plugins, and startup entries currently set on their machine.

 

 

AntiSpyware also helps remove stored data that reveals what a user had viewed on their machine, from local documents to cached web data.

 

The downside? Well, depending on the way one looks at it, the future charges for this software are unattractive. There are still a number of free tools that will help identify spyware (although removal is not always available) that advanced users will undoubtedly prefer over the Microsoft product. And, Microsoft has not announced a definitive pricing structure for the software as of yet, or whether there will be one at all. If there is a charge, getting program updates right alongside other Windows patches is very convenient and makes it worth a nominal fee.

 

February 3, 2005

it was this big

Online fraud is a big money-maker. Is that a surprise? The compilation of FTC complaints may shock you. According to "The Register," the FTC reports that $548 million US was reported lost to scammers last year. As always with these statistics, remember that this can only include the people who admitted to being taken and actually filed a federal complaint. Internet-related cases account for a big percentage: 53% of the complaints and about $265 million US.

 

The information from "The Register's" John Leyden is reprinted at Security Focus. Check out infectionvectors.com reports on phishing here (continued in an Appendix, an Addendum, and a final shot), with the first part of the "Phishing Trip" series, to be continued next week. The second part of the story will involve defense mechanisms.

 

February 2, 2005

and rising

After the January posting of the "Demise of the Mass Mailer" report (available here), there are questions about the actual state of email worms so far in 2005. The answer is: as expected, there are quite a few new mailers running around and established worms have not backed off. For example, Beagle resurged in late January, as did MyDoom and Mugly. We've also seen new guys Crowt, Nodmin, Zar, Ahker, Salga, and Gormelez. These worms look very different in composition (from the VBS Gormelez through the professional Beagle) and tactics, but they all use the most effective means of blanketing network assets: email. Info on each of these worms can be found at Symantec's site.

 

February 1, 2005

groundhog shadow

It has been just a month since the release of the January Microsoft advisories and of the 3 vulnerabilities mentioned, 2 have widely-distributed malware. Just in case you forgot about the patching required for the animated cursor/icon vulnerability (you thought that MS05-002 was a joke?), a Trojan known as Hebolani is making the rounds. MS05-001 (HTML Help/ActiveX) was beaten to the punch as malware known as Phel was around weeks in advance of the patch release. A report on Hebolani is available here.

 

If you're curious, MS05-003 (Indexing Service) has public exploits available, but no automated attack code as of yet. Enjoy.

 

 

Copyright © 2005 infectionvectors.com. All rights reserved.