November 2004 VECTORBLOG
November 24, 2004 just not right Certainly vandals are attracted to virus writing, as are criminals of all varieties. And there's nothing new about destructive worms. Still, deleting DOCs and picture files from someone's hard disk seems especially evil. Tasin (aka Inzae) is spreading lightly and carries a file-erasing routine that targets many very popular formats (including JPG). The report is here.
November 23, 2004 unquestioned trust So, you've probably heard about the exploits over the weekend. A banner ad serving company had exploit code for the IE IFRAME vulnerability injected into its feed, delivering malicious code through well-known sites around the Internet (need some background? check out The Register's warning and Falk's explanation). The attack on Falk's load balancers allowed an outside group to redirect some banner requests to a site hosting Bofra code. The lesson is that even visiting "well-known" sites does not prevent exposure to virus vectors. Ad content is piped in from all corners of the Internet; abusing it is the latest innovation from virus coders, but certainly not the last.
November 21, 2004 just an update The Sober.I report update appears in Malagents now.
Also, PDF links appear in Vector Spaces, Hotzone, and Emergency Prep--links on the individual reports soon.
November 20, 2004 not you again Another IE vulnerability allows remote code to be executed on a machine. This exploit is reported to work on XP SP2, making it of great interest to the security and Microsoft community. Read Secunia's vulnerability report.
November 19, 2004 sobering The latest version of Sober appears to be in wide distribution, reaching Category 3 at Symantec upon release. Also check out Sophos' review of the worm, which has stuck to the same basic design, right here.
November 18, 2004 angel or devil Are all worms bad? Are some harmless, or even beneficial? Tagging an application as a virus certainly doesn't help its reputation for being useful (just look at the complaints from adware companies about AV/spyware removal vendors that strip out their products). The debate over a "good" virus has been around for a while; a new report in Vector Spaces adds the Netsky/Beagle war to the mix and reconsiders the beneficial worm again. Check the analysis here.
November 17, 2004 imagine that Golten spreads initially via mass mailing (relying upon a wide, but still manual, seeding process). Once the mail is opened, the user is presented with a few words on Arafat and two EMF files; one is a legitimate picture file, the other carries an exploit for the EMF-handling vulnerability described as part of MS04-032 (see the infectionvectors.com write-up on the October bulletins here). The exploit installs a backdoor and a proxy onto the infected machine. At that point, the worm takes on a file-sharing propagation routine (searching random addresses for default ADMIN$ shares with weak passwords). The write-up is available via Malagents here.
Golten relies upon the laziness of users who leave machines with crummy passwords. Auditing such visible shares has been advocated here before, especially since the word lists used by bots seem to be copied (for the most part) between variants. To check out the type of passwords that need to be banned, look at these three files: the Golten list, and two that are used in different bots, list 1 and list 2.
November 16, 2004 root of all evil The release of another Beagle variant (Symantec is up to AX if you're keeping score at home) has got to be leading you to the same question vectorblog is asking: is it really this easy? Maybe the Beagle author makes it seem that way just like Barry Bonds makes winning MVP awards seem easy. Even in the semi-pro world of virus coding there are stars that take the medium to new places, and Beagle's writers seem to be effortlessly turning thousands of machines every month into their own private nets. Is the money in spamming/relays that good?
In other seedy parts of the Internet, a new version of the Webber/Berbew/Qukart Trojan was released. This will likely add fuel to the "dump IE" fire... The new version works like the others, taking "spyware" and unquestionably crossing into Trojan territory. The code chooses an 8-character name for itself at random (so one can't look it up on Google or recognize the install), attempts to drop local security settings, steals keystrokes, hooks the Registry, and makes for a generally unpleasant time.
November 15, 2004 tight job market Anti-virus/security software developer Zoner recently hired virus writer Benny (of 29A fame) to work on an in-house anti-virus product. Combined with SecurePoint's hiring of Sven Jaschan (see the September 20 vectorblog entry here), this is a bit of a reversal of the Vx fortunes provided by security companies of late. Most every AV vendor will say that they will never hire a virus coder and that they don't want to promote the idea that being a good malware artist makes one a good candidate for a security job. After the SecurePoint hiring, the company found itself losing a partner over the deal; that story is reported by The Register and picked up by SecurityFocus.com.
November 9, 2004 spawned a monster Worms initially called MyDoom.AH and AI by Symantec (other sites are going with Bofra) are making the rounds. What is significant about these two is the propagation mechanism: they mass-mail links that point back to the infected machine itself. The link is a request for a file (via HTTP to TCP 1649 or 1650) that is actually the worm code. The code executes by exploiting a 7-day-old vulnerability in IE (the IFRAME vuln; see the Secunia advisory and the BID). This is a fairly interesting P2P worm, spreading like Blaster did, except over HTTP instead of TFTP. In initial analysis, the two versions seem to differ only in the file name used on the makeshift web server.
For Snort users, one quick way to detect this worm moving around inside your network (INTERNAL_NETS is assumed to be defined earlier in snort.conf; substitute $HOME_NET if you prefer):
# The worm's makeshift web server listens on TCP 1649 or 1650; written as a range since the two ports are adjacent
var BOFRA_PORTS 1649:1650
# Internal hosts requesting the worm's file from a worm port; sids are in the local (1000000+) range
alert tcp $INTERNAL_NETS any -> any $BOFRA_PORTS (msg:"possible bofra/mydoom.ah propagation"; content:"/index"; sid:1000001; rev:1;)
alert tcp $INTERNAL_NETS any -> any $BOFRA_PORTS (msg:"possible bofra/mydoom.ai propagation"; content:"/reactor"; sid:1000002; rev:1;)
Unfortunately, the November Security releases from Microsoft did not have a fix for the IFRAME issue. There is a single patch in the scheduled release, for ISA/Proxy Server boxes, to address the spoofed content issue. Read about the November bulletin here.
November 8, 2004 progress The attention that bot-nets have received recently often points to the demise of mass mailers and the rise of these zombie-producing Trojans as the next wave of Internet terror. Although bot-net development is significant and undoubtedly a problem, it seems interesting that while mass mailer code continues to evolve (see reports on Lovgate, MyDoom/Sykel, and Beagle/Mitglieder) with new exploits, Agobot development has halted with the arrest of the supposed author. Today marks the release of yet another Agobot variant, with simply another permutation of the same exploits (all from 2003) found in the publicly released "kit." Have a look at it on Symantec's site.
November 5, 2004 naming revisited Viruslist.com posted an interesting entry today in their new weblog (worth checking out if you have any interest in the virus world) describing a new malware naming convention they will be using. Naming is, of course, an issue that continues to be the bane of the virus research world and all of its fans/critics. Check out the viruslist entry here.
In related news, ISC posted an "open letter" describing the pain associated with the current naming "system." Check that out here.
November 4, 2004 all mine The discovery of another Proxy-FSBR/Ranky variant reminds us that many organizations still find themselves cleaning up Trojans that have allowed some anonymous attacker backdoor access to one or more systems. Keep AV, awareness, desktop settings, gateway filters, etc. tuned for security; asking the question, "I wonder how long that was on there?" will never result in a good night's sleep.
FYI, Ranky.L/FSBR attempts to get out and alert the author by connecting to one of the following:
gdvme.mine.nu
fvcqx.dynalias.net
vhdefag.homeip.net
www.ird-gmbh.com
Seeing any of these in firewall/IDS logs should be an immediate tip-off and will help answer the question above.
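Added here as an example (not code from the original post or from infectionvectors.com): the Bofra port/file-name check from the November 9 entry and the Ranky.L callback hosts above applied to connection logs. The key=value log format and the sample lines are constructed for the example; the worm ports, file names and hostnames are the ones quoted in the entries.

```python
import re

# Indicators quoted in the Nov 9 (Bofra) and Nov 4 (Ranky.L) entries above.
BOFRA_PORTS = {1649, 1650}                       # the worm's makeshift HTTP server
BOFRA_PATHS = {"/index": "mydoom.ah", "/reactor": "mydoom.ai"}
RANKY_HOSTS = {"gdvme.mine.nu", "fvcqx.dynalias.net",
               "vhdefag.homeip.net", "www.ird-gmbh.com"}

# Assumed log format (constructed for this example): one connection per line as
# key=value fields; 'host' is the name the client asked for, 'url' the path.
FIELD_RE = re.compile(r"(\w+)=(\S+)")

SAMPLE_LOG = """\
ts=2004-11-09T10:12:01 src=10.1.2.3 dst=192.0.2.44 dport=80 url=/news.html
ts=2004-11-09T10:12:05 src=10.1.2.3 dst=198.51.100.7 dport=1650 url=/reactor
ts=2004-11-09T10:13:11 src=10.1.2.9 dst=198.51.100.7 dport=1649 url=/index
ts=2004-11-09T10:14:02 src=10.1.2.9 dst=203.0.113.5 dport=80 host=fvcqx.dynalias.net url=/
ts=2004-11-09T10:15:30 src=10.1.2.20 dst=203.0.113.9 dport=1649 url=/favicon.ico
""".splitlines()

def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(FIELD_RE.findall(line))

def classify(rec):
    """Return (tag, detail) for a suspicious record, or None if it looks benign."""
    host = rec.get("host", "").lower().rstrip(".")
    if host in RANKY_HOSTS:            # Ranky.L phoning home: the name alone is a tip-off
        return ("ranky-callback", host)
    try:
        dport = int(rec.get("dport", "-1"))
    except ValueError:
        return None
    if dport not in BOFRA_PORTS:
        return None
    conn = "%s -> %s:%d%s" % (rec.get("src"), rec.get("dst"), dport, rec.get("url", ""))
    if rec.get("url") in BOFRA_PATHS:  # port and file name both match: high confidence
        return ("bofra-propagation", conn + " (" + BOFRA_PATHS[rec["url"]] + ")")
    return ("bofra-port", conn)        # worm port, unknown file name: lower confidence

def triage(lines):
    """Run classify() over every line; return the hits with their source address."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        result = classify(rec)
        if result:
            hits.append({"src": rec.get("src"), "tag": result[0], "detail": result[1]})
    return hits
```

The "bofra-port" tag deliberately stays separate from "bofra-propagation" so that a connection to one of the worm ports with an unrecognised file name is reviewed rather than either ignored or treated as a confirmed infection.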
November 2, 2004 paper or plastic The development of what some have called a dying viral medium, mass mailers, continues with two fresh versions of Bagz and a VBS-based mailer going by the name Yeno. Compiled VBS (VBE attachment) worms are tough to spread, since a lot of Windows users have relatively new or patched versions of Outlook/OE that prevent VBE files from being opened; however, Yeno seems to have received pretty good distribution thus far.
November 1, 2004 thinking cap The fake Red Hat update site, fedora-redhat.com (instead of fedora.redhat.com), has spawned a complementary mail-borne version of the enticement to download a Trojan, to go with the one that existed on the website (not reachable at present). This social engineering pointed at the Linux users of the world seems to have received a pretty good distribution, based on the number of reports, and goes to show that social engineering vectors will continue to cut across all OS users, not just Windows fans. Check out the Malagent report on this event here.
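A check for that kind of lookalike name, added here as an example and not part of the original entry. It generalises the fedora-redhat.com case to any host that imitates a trusted domain by swapping hyphens for dots or burying the trusted name inside a longer one; the TRUSTED_DOMAINS list and the URL inputs are assumptions for the example.

```python
import re

# Assumption for this example: the domains a mail or proxy filter treats as
# genuine update sources. fedora.redhat.com is the real site named above.
TRUSTED_DOMAINS = ("fedora.redhat.com", "redhat.com")

def _normalise(host):
    return host.lower().strip().rstrip(".")

def is_genuine(host, trusted=TRUSTED_DOMAINS):
    """True if host is one of the trusted domains or a subdomain of one."""
    host = _normalise(host)
    return any(host == t or host.endswith("." + t) for t in trusted)

def lookalike_of(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `host` imitates, or None.

    A host is a lookalike when the trusted domain's labels appear, in order,
    inside the host's labels once hyphens are treated like dots, yet the host
    is not actually under that domain. Catches fedora-redhat.com (hyphen for
    dot), www.fedora-redhat.com and fedora.redhat.com.example.net (trusted
    name buried as a prefix)."""
    if is_genuine(host, trusted):
        return None
    labels = re.split(r"[.-]", _normalise(host))
    for t in trusted:                  # longest/most specific trusted name first
        tl = t.split(".")
        for i in range(len(labels) - len(tl) + 1):
            if labels[i:i + len(tl)] == tl:
                return t
    return None

def suspicious_links(urls, trusted=TRUSTED_DOMAINS):
    """Map each URL whose host imitates a trusted domain to the domain imitated."""
    found = {}
    for url in urls:
        # scheme://[userinfo@]host; userinfo is skipped so 'trusted@evil' is not
        # mistaken for the host part
        m = re.match(r"^[a-z][a-z0-9+.-]*://(?:[^/@]*@)?([^/:?#]+)", url.strip(), re.I)
        if not m:
            continue
        imitated = lookalike_of(m.group(1), trusted)
        if imitated:
            found[url] = imitated
    return found
```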
Copyright © 2004 infectionvectors.com. All rights reserved.