October 2004 VECTORBLOG
October 29, 2004 happy Halloween Anyone who watches "The Great Pumpkin Charlie Brown" special every year knows that Beagles and Halloween are a tradition. And like that Great Pumpkin, Beagle has risen up and into the lives (networks) of many admins today. Three new variants released (at least) today. Check out the updated report on the worm here.
October 27, 2004 train tracks There have been a few derisive articles written recently about security training for end users. infectionvectors.com is one of the biggest proponents of such training. As such, it is a good time to post some of the reports and presentations used to promote and execute virus awareness programs for the general user base. The Powerpoint presentations are meant to serve as a guide to how basic virus defense can be while still being an effective tool in your arsenal against malcode. The reports hope to convince you that such training can fit into your enterprise. As promised earlier this month, more to come. The awareness section now has its own page.
October 19, 2004 and a bag of Another entry that does it all: the second iteration of the worm known as Darby is in the wild. Darby writes 11 sets of Registry values, hooking everything from autostartup on login through ensuring it runs whenever an executable is launched. It may arrive as an email attachment, a shared folder file, or via IRC. Darby will email passwords it finds on the local machine, use the IFRAME OE exploit to download additional files automatically, and disable security software. Just for good measure, the worm adds its own classic routines (see October 18 and 8), modifying autoexec.bat and Win.ini. More details at Symantec's site: http://www.sarc.com/avcenter/venc/data/w32.darby.b.html.
October 18, 2004 old school 2 Following in the footsteps of Nemsi, another virus has gone back to classic tactics for replication. The virus copies itself to local file systems (i.e.: CDs and floppies become vectors). Another feature giving it the retro-style: it attempts to delete all the files on the hard disk. How sweet. Check it at F-Secure: http://www.f-secure.com/v-descs/bacros_a.shtml.
October 14, 2004 less for you to do If you've taken a look at the paper, Lessons from Virus Infections, then the idea of learning something about how your network really operates based on the success or failure of viral propagation routines is not new. The latest worm to spread solely by using crummy username/password pairs on default shares is called Nits by Symantec and was discovered today. Discovering that this worm reached network clients would indicate 3 things: users are not using strong passwords, clients are available as servers to other devices, and AV software is not running as well as it should. These may be obvious when discussed in a forum like this, but they are often overlooked during the cleanup stages of an infection.
October 13, 2004 decompression The list of advisories from Microsoft offered yesterday (check out the infectionvectors summary tables here) has been translated into a few early detection signatures by the AV companies. Reaching the top of the threat charts are the GRP flaw and the compressed file handling flaw in XP/2003. Both of these make for good targeted Trojan (phishing style) attacks, like we saw with the GDI+ exploits, or mass mailers (which we have not seen yet). Take a look at what some of the big guys have to say: Trend's report, Symantec, and McAfee.
October 12, 2004 i know you This month brings a big helping of Microsoft security advisories, 10 in all. They range from updates to the graphic rendering engine (deja vu) to patches for Excel. The vectors abound in this list of advisories, and it may take a few days to shake out a few contenders for worms, once a few pieces of sploit code can be examined. The updates to IE don't count; we've already seen Trojans sneak in through the vulnerabilities patched here. That said, the vectorblog is taking aim at a few of the newly announced holes and their candidacy for malcode:
- The Excel hole which allows code execution: the possibility of a Macro Rebound may be less likely if an attacker can just hook any piece of code with an XLS.
- Picking the graphics rendering engine vuln from MS04-032 seems a little played considering the massive hype over MS04-028.
- NNTP flaws: could be the scourge of Exchange boxes, which have not seen their share of specific attacks. Could there be that many machines that allow communications to TCP 119 inbound?
- The Windows Shell vuln will get some press, but didn't it get attention with MS04-024? Again, user interaction required.
The rundown is offered in 2 forms, one standard XLS doc and a CSV (seemed strange to only offer XLS considering this month's list warns you that an Excel doc may be carrying a sploit)
October 11, 2004 positive ID There has been a rash of new Trojans making the threat lists at major AV companies (check out http://www.sarc.com for an example today). The Trojan threat has become muddied up by the tremendous growth in spyware over the last few years. Muddied because sometimes AV software grabs it, sometimes it doesn't. Sometimes it is cleaned, sometimes identified and uncleaned (or is uncleanable by the software). Much of this has to do with the definition of malware, some because of legal wrangling over what is spyware/adware/virus/malware, and some because the spyware is too new or too hard to remove. If this represents the new frontier for attacks and malware, we are at a critical time for guarding network borders. In short, read the newest vector, the feature titled "Vector Defense" has been updated this month.
October 9, 2004 Sleepy Late to the party on this article that appeared last month on viruslist.com, but it makes good points in the debate of hiring virus coders to work for anti-virus/security outfits. http://www.viruslist.com/eng/index.html?tnews=461455&id=2255449
October 8, 2004 Old school Today Nemsi was added to the Malagents list for no other reason than the interest generated by a virus that brings back the MBR dump payload. This virus adds itself to the beginning of an EXE and attempts to overwrite the first hard disk's MBR; it has a code flaw and ends up causing Windows to crash instead, but it is an homage to earlier viruses nonetheless (that's how I see it anyway). The MalAgent report is here.
October 7, 2004 keeping up Bound to continue: two fresh worms target the Windows XP built-in firewall. The first, catalogued by the vendors as "Bagz" is a mass mailer that executes the following command: netsh firewall ipv4 set opmode | mode=disable
For anyone not familiar with the powerful net shell (netsh) check out all that an informed user/attacker could do by reviewing the Microsoft documentation (and here). Or look at your own box, a quick perusal of available commands may convince you to restrict user access or remove the shell:
C:\>netsh firewall set ?
The netsh commands extend to things like DNS and DHCP server, as most Windows admins likely know as they are awfully handy in scripting.
Last week, a backdoor app known as Surila.K (as identified by viruslist.com) inserted itself into the "allowed apps" list of a WinXP firewall, thereby making itself look OK to the OS and the new security console. The backdoor uses this status to reach out to an IRC channel and open proxies on the infected machine.
October 6, 2004 really no challenge Beagle.AS has been bombarding mail servers for about a week now. It is another variant that was widely seeded by the author, in what has proven to be a very successful tactic. The number of real infections still reported due to variants that use the same vectors is troubling (as companies continue to spend tremendous resources preparing for projected threats built upon the gdiplus.dll vulnerability). Speaking of which, the list of new apps that exploit MS04-028 is stalling out, while the phishing attempts are rolling in rather steadily. Keep patching/testing/monitoring, but don't go nuts (especially at the expense of defending the network against threats like Beagle).
October 5, 2004 the combo MyDoom hits the streets again (called AD by Symantec) today with a variant that combines its familiar routine with a laundry list of choices for P2P share names, process kills, subject lines (mostly about a new "patch" or update), a solid number of message bodies (18), and a few dozen attachment names. It carries the same "avoid" list (is gold-certs@hotmail already taken? at least it would dodge the MyDooms...). MyDoom and contemporaries like Beagle prove why security admins don't get much traction out of specific warnings about viruses anymore: there are so many variations built into a single version that a user couldn't possibly be expected to recognize each by subject line or message body alone. It's another reason for holistic awareness training, this month's theme at infectionvectors.com. Do you have training success stories? Something unique that worked for your organization? Share it with infectionvectors for public consumption through the contact address.
October 4, 2004 all aboard When the word "train" is uttered at your organization, is there usually some sarcastic line about not seeing any investment in the staff? This month will be dedicated to training materials and awareness sessions that are truly useful here at infectionvectors. Any submission ideas are welcome, but the current releases will include a sample Powerpoint presentation and a new Vector Space report, identifying what training makes sense for users and IA folks. With the hysteria about detecting and blocking unknown JPEG attacks and the general comments heard here at infectionvectors.com, it seems like an appropriate time. Stay tuned.
October 1, 2004 Out with a whimper The month closes without an explosive worm built on the JPEG vulnerability, as predicted by the vectorblog. There are a couple of public hack tool kits that allow anyone to build a JPEG file with the overflow, so keep up with the testing and patching. Of special note are any non-Microsoft products that may be installing gdiplus on your workstations. Search a few representative boxes for "gdiplus.dll" and then examine versions. It may be surprising where it turns up: lots of PCs are shipped with the manufacturers' or some test imaging software, especially digital photography packages.
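The gdiplus.dll hunt suggested above, as an added example that is not part of the vectorblog: a Python script that walks a directory tree for copies of gdiplus.dll, pulls each copy's file version out of the PE version resource, and flags anything below a minimum version you pass in. The minimum version, the root path and the script name are assumptions; the post gives no version number, so supply the patched one from the MS04-028 bulletin yourself.

```python
import os
import struct
import sys
from typing import Iterator, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# VS_FIXEDFILEINFO (fixed part of a PE version resource) starts with signature
# 0xFEEF04BD (little-endian) followed by dwStrucVersion, dwFileVersionMS, dwFileVersionLS.
_FIXEDFILEINFO_SIG = struct.pack("<I", 0xFEEF04BD)


def read_file_version(path: str) -> Optional[Version]:
    """Return (major, minor, build, revision) of a PE file, or None if not found.
    Heuristic: scans for the VS_FIXEDFILEINFO signature rather than walking the
    resource directory, so the scan runs from any OS against mounted drives.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    pos = data.find(_FIXEDFILEINFO_SIG)
    if pos < 0 or pos + 16 > len(data):
        return None
    _sig, _struc, ver_ms, ver_ls = struct.unpack_from("<4I", data, pos)
    return (ver_ms >> 16, ver_ms & 0xFFFF, ver_ls >> 16, ver_ls & 0xFFFF)


def find_copies(root: str, name: str = "gdiplus.dll") -> Iterator[str]:
    """Yield every file under root whose name matches, case-insensitively."""
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                yield os.path.join(dirpath, fn)


def audit(root: str, minimum: Version) -> List[Tuple[str, Optional[Version], bool]]:
    """Return (path, version, flagged) per copy; older than `minimum` or unreadable is flagged."""
    findings = []
    for path in find_copies(root):
        ver = read_file_version(path)
        findings.append((path, ver, ver is None or ver < minimum))
    return findings


if __name__ == "__main__":
    # Usage: python gdiplus_audit.py <root> <major.minor.build.revision>
    # The minimum is a placeholder argument: pass the patched gdiplus.dll version
    # from the MS04-028 bulletin for your platform (the post gives no number).
    min_ver = tuple(int(p) for p in sys.argv[2].split("."))
    for path, ver, flagged in audit(sys.argv[1], min_ver):  # type: ignore[arg-type]
        print("CHECK" if flagged else "ok   ", path, ".".join(map(str, ver)) if ver else "unknown")
```

Copies whose version cannot be read are flagged rather than skipped, since a stripped or renamed DLL is exactly the kind of thing worth a manual look.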
Copyright © 2004 infectionvectors.com. All rights reserved.