Domain: sarc.com
Stories and comments across the archive that link to sarc.com.
Comments · 64
-
Backdoor.Ghostnet
Symantec Security Response has an excellent video about Backdoor.Ghostnet on their youtube channel.
I think the message here is that if you don't practice safe computing, the tools exist that empower just about anyone to pwn you -
instead..
There are still plenty of chat-based worms such as the recent W32.Serflog.C worm, which is quite unpleasant.
-
Re:Immediately patch? Really?
It's more than a patch you download; it's an entire new CD. It was 218 MB for me.
You don't have to do it "manually" unless your network is completely unmanaged. If you can't run login scripts, push via Active Directory, or use the client install utility with an administrative username and password, what were you networking these computers for exactly? :)
According to the advisory, 9.0.2.1000 is safe from this, so you don't have to upgrade ASAP. -
Re:Immediately patch? Really?
Here is the list:
http://www.sarc.com/avcenter/security/Content/2005.02.08.html -
Actual Vulnerability Link
Got this link from Platinum support. UPX Parsing Engine Heap Overflow
It provides a bit more information on the specific builds that are a problem. Affects a great deal of their software. -
Re:Is this true?
I'm not doubting the fact that eXeem installed Cydoor into their client, but I checked out the details that Symantec offers regarding Cydoor, and neither of the .dll files, nor registry entries occur on my computer. So, either this is a different version of Cydoor, or eXeem has not installed it on my box yet.
I most certainly installed eXeem from the eXeem website. I don't know what's going on. -
Effective Anti Spam and Anti Virus Solution
At the enterprise level we are using a Barracuda spam firewall, which since we installed it in Oct of 2004 has caught 789,000 infected emails. In addition we are running Symantec Antivirus on our domino servers. In addition we just rolled out Webroot Spysweeper Enterprise, and it all works great!
No more headaches due to virus and spyware! -
Look2Me Installed as event processor?
One of the nastier ones I've dealt with lodged itself as a subkey in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. Of course you couldn't delete the file because it was in use. You couldn't kill it because it was a DLL loaded by the winlogon process, which you can't kill. Attempting to remove it from the registry just triggered it to put it right back.
Ended up booting to recovery console and deleting the file there so it wouldn't load, then was able to remove the entry from the registry.
A quick Google search reveals it as "Look2Me". More info here. -
Hype
The article says, "The security firm, Symantec, has given this worm a critical warning and states that this worm could be as dangerous as the MyDoom virus." Funny, Symantec's description isn't nearly so dire: "Threat containment: Easy; Removal: Moderate."
-
Details: According to Symantec, the F variant of this seems to be the worst, or most prominent. Currently a level 3, here's the SARC page for it: Korgo.F. There is a removal tool available as well.
Main details from top of SARC page: W32.Korgo.F is a minor variant of W32.Korgo.E. It is a worm that attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108) on TCP port 445. It also listens on TCP ports 113, 3067, and other random ports.
Happy cleaning. -
Get yer...
...64-bit windows viruses here!
-
Re:Germany eh?
All Sasser-infected boxes (at least the original variant) have an FTP server running on port 5554 (see Symantec's information on Sasser for the full details). This might explain it...
-
Re:Sven hit Windows at questionable sweetspot
According to Symantec, the worm code can run on Windows 95/98/ME machines, but not be infected. As far as I'm aware LSASS isn't included with these versions of Windows, but the code used to spread the worm would still work.
It's logical for virus/worm writers to target the most popular vulnerable systems, and Windows 2000 and XP are now in use more than earlier versions.
-
Re:Wrong
-
Re:Spyware on my grandmother's computer
-
Ironic the Intego released a solution fast enough
In six years, Intego has made a name for itself in the Internet security and privacy market for Macintosh.
I always wonder where the sources are for the majority of viruses. It is quite ironic that a company selling you a fix happens to find the problem and releases the solution for the low price of 59.95. Yet a Google and Symantec Security search didn't yield anything about MP3Virus.Gen. Hmmm - it's awfully nice they fixed this virus so fast. -
Norton Antivirus / BlackICE patches
According to Symantec's Witty information page, Norton Antivirus can't detect it because it is memory resident only, and never written to disk.
As the story summary states, it "attempts to overwrite 128 sectors in a random location of one of the first eight physical hard drives with data from memory. If the randomly picked physical hard disk does not exist, the worm simply continues." Devastating.
BlackICE patches are available. -
What good are the top 10 lists?
TechTV's The Screen Savers last night suggested that one of the motivations of competitive virus writers is because the anti-virus companies put out rank-order lists such as the one shown on SARC's homepage. Maybe those lists should be discontinued to at least knock down some of the motivation?
-
I would like to point out...
MyDoom.F does destroy word, excel, access, jpg, and other files.
SARC
This was a major headache for me the past few weeks. Backup tapes suck. Worms suck harder. -
Re:It shouldn't have happened yet(from the article)
The MyDoom Internet worm claimed its first scalp Sunday, paralyzing the Web site of American software firm SCO Group (SCOX.O: Quote, Profile, Research) with a massive data blitz.
Now, according to the parent post (and here), this virus shouldn't start attacking for another hour. Yet SCO is down. Why?
In a statement issued Sunday morning, the Utah-based company confirmed MyDoom knocked its site, http://www.sco.com, out of commission.
"Internet traffic began building momentum Saturday evening and by midnight Eastern Time the SCO Web site was flooded with requests beyond its capacity," the statement read.
On one hand, SCO would be perfectly justified in taking their own server down to avoid the costs associated with the attack. But is it really fair, then, to say that the virus knocked their website out of commission, when the virus shouldn't even be attacking anything yet? It doesn't take a great imagination to think of what the media would do with this ("SCO attacks own website"). -
It shouldn't have happened yet
I think SCO have taken their site down themselves, as the attack shouldn't have happened yet.
From this page:
The DoS attack will start at 16:09:18 UTC (08:09:18 PST) on February 1, 2004. The worm checks the local system time and date to determine if it should initiate the DoS attack.
I'm typing this and the time is currently 14:30 UTC.
For those who are interested, it does appear to work in Wine. Before the news of it reached Slashdot, I ran a copy of it in controlled conditions under Wine to see what it would do. It appears to be mainly a spam relay with SCO DoS'ing added as an afterthought. -
Picking Nits...
FWIW, one of the examples the author gives as an AV spam -- the one with the content "Mail Transaction Failed" -- is one of the mails MyDoom/Novarg sends out.
But, in a way, the virus is spamming, too. -
One thing that doesn't jibe ...
According to the Symantec Security Response site, MyDoom, or Novarg.A's DDoS payload isn't supposed to trigger until February 1st, at which point it runs until February 12th.
So how is it that SCO is supposedly already feeling the effects of the DDoS from the virus?
-
Re:change in spamcop reporting
The fact that they are listing on the DDOS list for the MiMail.L Virus might have taken their servers offline.
-
Re:Conspiracy.
That would make sense... if Spamcop wasn't one of the targets. Check Symantec's advisory; SpamCop is on the list. The only reason SpamCop isn't being fazed too badly is because they've been Akamai-ized, thanks to IronPort paying for it. Now, this isn't to say that IronPort did all of that to cover their tracks, but by no means is SpamCop being spared by the spammers.
-
Targeting Disney?
Reading Symantec's Advisory, they list disney.go.com as one of the 8 random targets for the DDoS attacks. I'm sorry, but have the spammers lost their marbles here?! I mean, if you're going to attack someone at least do something you can accomplish; attacking Disney is going to be like trying to attack a tank with a butterknife, it's just not going to work. I swear, these spammers are getting sleazier and stupider at the same time.
-
Re:Sue the software companies
Re-reading the article won't help, as the article isn't correct on that point. If you check a technical write-up, e.g. Symantec's, you can see that this worm actually arrives as a .zip file.
So, users need to do something like click on the attachment, wait for Winzip to appear, and then double-click on the executable file (the type will be displayed) in the Winzip interface to run it (and if they're using a version of Winzip that's not ancient, they'll get a Winzip pop-up pointing out that the file is executable and asking for confirmation that they want to run it).
The problem isn't the software, it's the users. -
Virus filtering is not just antivirus software
From the Symantec report, the file extensions are just .pif and .scr. Filtering "executable" extensions at the mail server (i.e. renaming normal executables like exe to _exe.renamed and removing/putting in quarantine not-normal executable extensions like pif, scr, sys, etc.) in addition to scanning with antivirus (with a combination like Anomy Sanitizer and a good antivirus) spared me all of the trouble with this one. -
Blaster.B and Blaster.C
This post is about what Symantec calls W32.Blaster.C.Worm. Don't forget that there is also a W32.Blaster.B.Worm.
B: Adds the value: "windows auto update"="penis32.exe" to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that the worm runs when you start Windows.
C: Adds the value: "Microsoft Inet Xp.."="teekids.exe" to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that the worm runs when you start Windows.
The new C means that the scan that we use to get the original out of the registry has to be modified so we can find this C variant. -
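An added example, not code from the thread, of the kind of registry scan this comment says had to be modified: it parses a regedit export, reports the two Run values quoted above, flags bare-filename Run entries for review, and lists every Winlogon\Notify package, the persistence spot the Look2Me comment above describes. The parse_reg/scan names, the heuristics and the sample export are assumptions, and the second Notify entry is a placeholder.

```python
import re

# Autostart values quoted in the thread for Blaster.B and Blaster.C (value name -> file).
KNOWN_RUN_VALUES = {"windows auto update": "penis32.exe",
                    "microsoft inet xp..": "teekids.exe"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")

_SECTION = re.compile(r"^\[(.+)\]$")
_STRING = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # "name"="REG_SZ"

def parse_reg(text):
    # Parse a regedit export into {key: {name: value}}; only REG_SZ lines are kept.
    # A real export is UTF-16 with a BOM: open it with encoding="utf-16".
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        sec = _SECTION.match(line)
        if sec:
            current = sec.group(1)
            keys.setdefault(current, {})
            continue
        val = _STRING.match(line)
        if val and current is not None:
            name, value = (re.sub(r"\\(.)", r"\1", g) for g in val.groups())
            keys[current][name] = value
    return keys

def scan(keys):
    # Return (key, name, value, reason) tuples an admin should look at.
    findings = []
    for name, value in keys.get(RUN_KEY, {}).items():
        exe = value.strip('"').rsplit("\\", 1)[-1].lower()
        if KNOWN_RUN_VALUES.get(name.lower()) == exe:
            findings.append((RUN_KEY, name, value, "known worm autostart"))
        elif "\\" not in value:
            # bare file name resolved via the search path, typical of dropped worms
            findings.append((RUN_KEY, name, value, "unqualified path, review"))
    for key, values in keys.items():
        if key.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            # each Notify package is loaded into winlogon.exe, so list every one
            findings.append((key, "DLLName", values.get("DLLName", "?"),
                             "winlogon notification package, review"))
    return findings

# Constructed sample export: the two Blaster values from the thread, one
# legitimate-looking Symantec entry, and two Notify packages (the second is a placeholder).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"="penis32.exe"
"Microsoft Inet Xp.."="teekids.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\placeholder_pkg]
"DLLName"="C:\\WINDOWS\\system32\\placeholder.dll"
"""
```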
I think it's funny...
Quote from Symantec's Security Response about the worm:
The worm contains the following text, which is never displayed:
I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!
Now, it may just be me, but putting an easter egg in a virus is just kind of cute.
-
I GOT WORMS...AND IT IS GOOD!
So, it's been about 5 days since my computer started crashing. Actually, it didn't totally crash, but DCOM kept crashing, and occasionally RPC would crash and I'd be forced to reboot. No biggie, it only happened once that I noticed. A more common problem was Mozilla staying memory resident after I closed it out, and sucking up 50 MB of RAM (not Windows's fault). So I got used to CTRL+ALT+DEL'ing, and closing it manually. But suddenly, one day last week, Program Manager kept crashing - but not...it was closing. I did a series of rapid CAD's, and saw a program that was obviously bull. A quick trip through the registry turned up the "WindowsSuckz 4 Driver - gloaub.exe". Turned out I had a worm which was installing a backdoor. My computer could have been used as a DOS zombie, or they could have installed keylogging software! I felt....DIRTY.
So I said "screw Microsoft". I've been a good boy. I apply an endless march of patches, service packs, hotfixes, and upgrades - more often than necessary IMHO. Well, Microsoft didn't post a fix for this until nearly two weeks after it was discovered in the wild! By contrast, I remember the last Linux server I ran, a vulnerability was discovered in Apache+SQL that allowed backdoor access to a Linux system. Before my sweaty hands had finished an executive summary for da boss, a fix was issued. Literally...TWO HOURS for OpenSource to fix a bug vs Microsoft taking TWO WEEKS!
Well I had dabbled in Linux for a while, I felt confident, and I was impressed by the latest round of offerings from RedHat, Suse, Mandrake, and Knoppix. So, I switched. I now run KDE, I use XawTV for my tuner card, Xine for playing DVD and video files, CUPS lets me print even over a network, SAMBA lets me share files....hell, you get the idea. The only thing I can't do is play windows games. I left a clean WinXP install for playing games until Wine gets that little "reentrant libc" issue fixed, and I'm sure the /dev/ team over at America's Army will get my v1.9 for Linux edition out soon enough.
Microsoft might have to learn about free market competition the hard way - by competing with an OS that is not only free, but better. -
Re:Taking matters into our own hands....
Or, simply put, we need the companies like Symantec to consider any program that is distributed by tag-along means to be a trojan horse virus (even if it does technically click a "Yes" somewhere in the sequence) and then wipes it out.
Actually, Symantec has a class of viruses called Adware.* that covers just this sort of thing. Unfortunately, they don't consider them "malicious," so don't take any action against them. Go here and search for "Adware" to see some examples... -
Re:A (very) nice virus again
Actually it does have a payload, the users will be emailed a zip file which will either contain a .pif or .scr. If the user executes this, it will attempt to search .wab, .dbx, .htm, .html, .eml and .txt files to harvest email addresses and re-propagate.
Taken from SARC -
SARC writeup here....
Symantec AntiVirus Research Center has a write-up on 55808 (they're calling it "Trojan.Linux.Typot") at http://www.sarc.com/avcenter/venc/data/trojan.linux.typot.html. -
Re:Devious
I always thought Slashdot should have a boss button.
I don't need one.
Remember that article about the Worm with the EULA? Well, today, my company got that. Mailstorm. It spread like a regular e-mail virus would. 10,000 users x an average of 100 e-mails per user = a lot of mail to our poor servers. I had someone read me the link in the e-mail (people called in saying "I just got 15 e-mails about a greeting card") and I remembered it from Slashdot. So I looked up the article and found the link to Symantec's website about the worm and figured out what was going on. They ended up adding the installed executable to the virus definitions(not my dept, thank you), and all the users had to do was reboot, and their machines would be cleaned.
Thanks Slashdot. Proud to spend my time at work with you. :) -
EULA worm
It may be a good test case to largely ditch EULAs.
How seriously can the courts take EULAs? Clickthroughs are already a joke. People will click on anything, including a worm with an EULA.
-
The port 137 probes are a different virus...
Those are from the W32.Opaserv.Worm. Read more about it here.
-
Read up
SARC Analysis
Sophos' Write-Up
If over 1,000 boxen are already compromised, I have to wonder about SARC's statement that this is 'unlikely to spread.' -
Re:Klez virus analysis
Um.....No.
This is the W32/Badtrans-B virus. You can find out about it here.
We are actually talking about the different variants of the W32.Klez.gen@mm virus.
If you are really an "engineer" at a small security firm, you might want to try looking at the correct virus next time.
-
Re:certainly does...
Exim probably accepted them because it comes not as an .exe. From Symantec's web site, "The attachment will have one of the following extensions: .bat, .exe, .pif or .scr" -
Re:Not sure I'd call this a .NET virus
This *additional* behavior that affects .NET enabled computers is the part that could possibly be written in C#, and it looks like it's not responsible for any of the bulk emailing...
You are correct, this is the only part that is written in .NET compiled down to MSIL. Here's a cut from the Symantec writeup: The replication code of the virus is written in C# and compiled to MSIL...
The emailing routine is done by dropping a VBS file that enumerates the outlook addressbook sending an email to everyone in there.
This is said to be the second virus that infects .NET files. The first one was W32.Donut (even though W32.Donut doesn't actually infect the MSIL part of the executable, but the one containing the normal X86 code).
In my opinion, we still haven't seen the first *true* .NET virus. When there is a virus that infects the MSIL (Microsoft Intermediate Language) code, then I think it qualifies as a .NET virus. All the .NET viruses we have seen so far appear to be attempts by virus writers to get media attention, and as we can see, it worked :-/ -
Norton Antivirus
Norton Antivirus, here, has proven itself to me over and over. I've never used or administered a system that was affected by a virus that NAV didn't catch, unless I hadn't updated the virus definitions. One other trick that many miss, is that you need to keep your "symevent" files updated. You can get the updates from ftp.symantec.com.
If you use Windows, you have to spend money to get some basic software products. One of these is a good antivirus utility. It sucks, but that's life for the Windows user.
-
Re:As a newbie, I still think you deserve it
Go one step further, disable the Windows Scripting Host. It's easy to do, and we do it for all of our users at my shop, with a simple command in the login scripts. Symantec makes a free tool, which you can find here.
This renders those nasty .vbs files as harmless as .txt files, very handy for when a hot virus/worm sneaks past Norton before the new definitions are out. Of course, if you block attachments with executable extensions, you're fine, but, you can never be too paranoid. :) -
Re:Virus making the rounds.
That'd be Sircam.
I recently came across a program that'd let you strip the payload off of the attachment, allowing you to read the "confidential information" therein, but I doubt an article from Foreign Policy magazine would really be that juicy.
If you really want to read it, just open it up as text. The document should still be in there somewhere.