LovSan Clone Let Loose

JMullins writes "According to Kaspersky Labs the LovSan virus has been re-released in a new form that has changed the appearance of the worm. It looks like the outbreak continues to get worse and worse, with no real end in sight until people can patch their systems. Net slowdowns are expected over the weekend when both versions of the virus start their attack."

Cloning..

[Stalus]

Don't let the legislature get wind of this story.. They'll try to use it as justification to ban cloning.

Re: Cloning..

[Black+Parrot]

> Don't let the legislature get wind of this story.. They'll try to use it as justification to ban cloning.

The scary part is that if they mutate and interbreed we could end up with a virus with four asses.

Re: Cloning..

[couch_potato]

I think we all agree that outside or a research environment, virus/worm writing is the lowest form of geekery.

Wrong. It's still a step above Star Trek conventions.

Re: Cloning..

[Henry+V+.009]

Is there some reason that virus writers don't create their viruses to modify themselves automatically? It would be easy to defeat a checksum automatically. If you wanted to get really fancy, you could have it completely rewrite the code randomly by substituting different assembly sequences that are mathematically equivalent.

Re: Cloning..

[Black+Parrot]

> Is there some reason that virus writers don't create their viruses to modify themselves automatically? It would be easy to defeat a checksum automatically.

Maybe some of them do do that, and the A-V firms haven't caught on yet.

Seriously, IMO the kind of worms we've seen so far are child's play compared to what we can expect when someone wants to do some serious damage. In the future we'll have stealth worms that just flip a few bits on your system and then erase themselves after propagating to another computer or two, worms that work as a genetic algorithm to optimize effectiveness and continually feed new variants into new "ecological niches" of the internet, worms that are mathematically optimized for the fastest spread, or conversely for the broadest under-the-radar spread, etc.

The future is bleak, IMO.

Re: Cloning..

[NanoGator]

"Wrong. It's still a step above Star Trek conventions."

Off-topic? By Grabthar's Hammer, I shall avenge you.

Re: Cloning..

[DeadMeat+(TM)]

Self-mutating viruses have been around for over a decade. They're called polymorphic viruses, and they usually work by reordering instructions, randomly inserting useless instructions (like NOP or OR AX, AX), or encrypting the virus against a varying table of keys and then decrypting the virus at runtime.

Re: Cloning..

[Satan's+Librarian]

Uhm - they've been doing that for years. Early types were called polymorphism, an idea pioneered by the 'Dark Avenger'. Search for "MtE Dark Avenger" on the net. Old stuff.

Basically, the concept is that an encryptor is built up in memory randomly, while the inverted code (e.g. add vs. sub, rol vs. ror) is built up in reverse. The virus is encrypted with the encryptor, and the decryptor is prepended.

There were a ton of them in the early 90's. There are polymorphic Word viruses that use different techniques - running their script through a randomizer for variable names and such. Some viruses have also mutated their own opcodes as you suggest, although it's less common - but its been done.

Detecting such viruses is challanging, but usually there are static bytes with known (although possibly variable) distances between them. One can also run an interpreter over a file and pseudo-execute it until it can be proven that it is or is not a virus, or just blast any existing crypto around the body and look to see what's there. If the virus just flips between equivalent opcodes, then just scan with a regular expression that includes each equivalent as an alternative. Another method is analysing the opcodes - if an exe's entry point is at the end of the file where you have a 1k decryptor right before 2k of garbage, and all the decryptor's opcodes fall within what one virus can produce, chances are....

There are a lot more complex and hybrid techniques for it -those are just a few that can be described quickly.

Re: Cloning..

[J.J.]

In my opinion, you have three classes of people that are capable of writing a worm:

The curious amateur

This guy has a couple clever ideas, few scruples, and a lot of spare time. All the wide-spread (and well-covered) worms, to date, have come from this kind of guy.

The white-hat professional

These are your security researchers other security professionals. these are the guys that get paid to work in this field every day. They're smart, the understand the details of the security business, and they're fully aware of the extreme vulnerability of the Internet. Like you, the know how bad a "real worm" could be.

The black-hat professional

These are your security researchers and security professionals. These are the guys who's job is security. They're smart, they understand the details of the security business, and they develop tools (including worms, trojans and viruses) to take advantage of these vulnerabilities. These tools are developed for a specific purpose: to further the objectives of their employer. You don't hear about them, because their tools are low-n-slow and their impact is very targeted and controlled.

The difference between a white-hat and a black-hat is a matter of perspective. The world is a big place. Certain governments do not have the same morals as others. Read The Economist. The French intelligence services work very closely with French businesses. The Chinese have equally questionable practices.

The future is not that bleak. The worms that are designed and released for wide-spread, global impact are the modern-day equivalent of graffiti on billboards. It's an ego trip, nothing more. The ones to worry about are the ones who don't have an ego, and have a specific purpose.

Hope you're checking your logs, and I hope you notice when he hacks your systems.

J.J.

Re: Cloning..

[Doomdark]

The French intelligence services work very closely with French businesses.

And, to be fair, US intelligence service works occasionally closely with US corporations (there were some cases related to airplane industry where EU was investigating how come US company had found out what some european company was bidding).

Point being that perspective certainly matters, like you say, but also that few government agencies if any are completely above using illegal and/or immoral practices to help "their" companies, anywhere in the world.

Open democracies, and especially free press lessen likelihood of such stunts (by retroactively uncovering them, usually leading to scandals... which act as deterrent in the long run). Unfortunately those 'antidotes' are being threatened especially in US, by latest legislations (from "Patriot" act to DMCA).

That's media reporting for ya

[NanoGator]

"It looks like the outbreak continues to get worse and worse, with no real end in sight until people can patch their systems."

To be fair, the media's not going to be interested in reporting that it's not as bad as it seems.

(Note: I'm not saying it's not that bad, I'm saying don't trust the media to tell is its dying.)

Re:That's media reporting for ya

[Pharmboy]

Well, to be honest, if it didn't sell, the media wouldn't report it that way. People LOVE catastrophe and doomsday predictions, for some odd reason.

On a similar not, I am witnessing tv hype disaster now. All the power is out in NY, and people have been calmly walking down the street to leave town. Others are "volunteering" to direct traffic, and people are obeying. People are out together in the street with candles, checking on neighbors, almost everyone is calm, even tho with the power out, getting news in was slow and difficult (like 9-11, but much milder). Sure, some will take advantage of the situation, but burglaries happen every night. On the whole, I am pleasantly surprised at how well organized it is, and how well its going so far. Its a success story on dealing, again.

Yet the news channels are TRYING to make it out to be worse than it is. They are saying how people are mad and want to know why this happened, but they can't SHOW someone saying that, they just report that its true. fox/cnn all the same.

The real irony is how calm everyone is, how they are seem to have a "oh well, can't help it, no reason to freak out" attitude even while the news reporters are almost trying to get them to.

It's a little fishy

[Exiler]

that an antivirus lab announced that a new clone was on the way, not spreading but on the way.

Re:It's a little fishy

[WHudson]

I always wondered if the anti-virus companies have some programmers in their payroll who work on developing viruses -- either to predict things before they hit, or to keep product updates coming and profitable.

Re:It's a little fishy

[heli0]

The same warning about the new clone has been released by dozens of other groups including...

http://www.f-secure.com/v-descs/msblast.shtml

http://securityresponse.symantec.com/

http://us.mcafee.com/virusInfo/default.asp

Feeling left out

[cesman]

I'm starting to feel left out.. Maybe I'll install Windows on a box and join the fun.

Re:Feeling left out

[alonsoac]

No seriously, I once was regarded by friends and family as the guy who could fix their computers. Now they call like crazy saying their PC is rebooting and I don't know what the hell they are talking about. Then I read about the virus and tell them what to do but of course I wouldn't know if it will work (or why it didn't work) since I dont have an infected machine to try it. This has made me look like an idiot plus I'm here working all day while my friends enjoy a couple days of forced vacations while someone has time to fix their machines. Grrrr..

Re:Feeling left out

[anubi]

Oooh man, tell me about it. I don't know what I'm missing, I suppose.

I had been working on my CAD system on my home machine running WIN95 and DOS. I wasn't even aware anything was amiss until I logged onto Slashdot to see whats new. I was wondering why it was so slow. My firewall responded in a bit and told me I was getting a helluva lot of connect attempts on port135. So, I go look up the log file and it looked like SQL slammer all over again. Almost a megabyte of infection attempts. I wondered at first if I had made an enemy on a dialup??? In 4 hours??? Why did the whole world seem determined to wax me off the web? Damm, it seemed like everyone in the world was wanting my port135.

Ok.. so I continue to read Slashdot and the story finally loads about this new LoveSan virus making the rounds. Hmmm. When I think of how much work would have been lost had something came in and messed up my machine, I shudder. But then, I don't run my machine wide open to the net. I try to practice secure techniques - such as never allowing any programs to run that I have not verified their intentions, and don't run anything that allows embedded executables ( read: javascript and later things post DMCA that haven't been "cleared" by what I consider trusted groups - which are mostly the groups the DMCA was aimed at in the first place. )

Sure, there are a lot of websites that I can no longer see. I can not even access the Southern California Edison site, nor many business sites - as they require these embedded-executable technologies as a requisite to viewing their content.

So, I sit here, with a pretty fast system, as its pretty simple. I have no virus scanning going on, as I am not running just anything I get in. I do have an integrity monitor running, which does a quickie on startup to see if any critical files are amiss ( it just calculates an MD5 on my key executables and compares to what they should be. ).. if so, booting to GUI is aborted and I drop to DOS to straighten it out - but its never happened outside a test situation.

I keep getting all these people telling me I should upgrade and be current with the times. I would gladly upgrade if the later stuff was actually better and more robust than the earlier stuff - but thats not what I see.

Oh yes, the "presentation skills" are definitely better on the new stuff, but I see the new systems much like a stunningly beautiful secretary that I can't trust, and spends a helluva lot of time doing her makeup.

I try to tell these business people what they are getting into by running software that hasn't been verified for trustworthiness, but they seem happy to go ahead and do it anyway as long as there is someone else to blame if things go amiss. I hoot till I'm blue in the face about these businessmen who put content on the web that can only be viewed with proprietary readers, whose underlying trojan motives, if any, can no longer be legally ascertained as a result of the DMCA.

I am especially puzzled by business's perception of proper etiquette. Would they hire a sales rep that constantly interrupted a customer in mid-question with comments on his grammar or spelling? Or worse yet, rudely hangs up on customers if they don't understand something? Is not a corporate web-site their sales-rep in cyberspace? Why would a business hire such rude representatives that coin their own protocols and chide the customers relentlessly for not adhering to their latest incarnations of the communications protocol "standard"?

At the risk of redundancy, I'll say it again. I do not like these proprietary unverifiable protocols. I consider them very risky - to me. I really don't care if YOU get hit with a virus, but I don't want any part of it.

Ok.. I just had to get this off my chest. It might cost me a bit of karma, but I had to say it in public in the hopes that someone in management that makes the decisions will hear my plea.

Re:Feeling left out

[Nucleon500]

I'm told it works in Wine.

Re:Feeling left out

[Steve+G+Swine]

People who store pornography on their computers deserve to get their data wiped.

And in some cases, their keyboards.

Ugh, lazy patchings

[AEton]

The RPC vulnerability this worm exploits was patched at least three weeks ago. Maybe if people would get it through their skulls that Windows ships with a BIG WINDOWS UPDATE LINK in the Start Menu for a REASON, and maybe if people would at least check for new, fun things weekly, these viruses wouldn't spread quite so far. The news outlets that focus on the "horrific" damage instead of the easy fix are doing their subscribers a disservice.

Besides, even if you don't care about security, you must at least admit it's fun to see a new "This vulnerability could allow an attacker to execute malicious code"-patch every week. I wonder what'll happen when Microsoft's numbering system overflows...

Re:Ugh, lazy patchings

[Doppler00]

Actually, I'm wondered why the heck RPC service is allowed to be exposed to the internet interface in the first place. There is absolutely no good reason for Microsoft to design it this way. Sure, I could understand it being useful for corporate networks, but to leave it on and not allow you to turn it off is ridiculous.

This isn't so much about security as it is poor design on the part of microsoft leaving so many useless services exposed to the internet.

Re:Ugh, lazy patchings

[Pompatus]

I agree that everyone should at least check out windowsupdate.com every once in awhile, but I am always hesitant to update my windows box. Windows Media Player 9??? Don't need it, don't want DRM. What about SP1 deactivating xp installs with pirate serial numbers? I've had DirectX updates that actually crashed previously working games (not lately though, gotta say that's getting better).

I like to wait to update my box for about a week or so to see if there is any outcry about some nasty thing Microsoft slips into the update. I'll bet I am not alone. As far as Blaster is concerned, I rely on independant firewall and antivirus applications to deal with these threats. IMHO it works better than relying on MS to secure their OS.

Re:Ugh, lazy patchings

[wfberg]

Today I noticed that every morning our couple XP computers at work send out a few uPnP related packets to 239.255.255.250:1900. They're going beyond our lan and out through our gateway to the internet. It's probably not worth the effort to investigate further and correct, but it bugs me a little.

Your network is misconfigure. 239.255.0.0/16 is a local scope multicast address. (RFC2365) The message sent is to let other uPNP devices know your computer is there.

Re:And while you all get easy 5, funnies.

[NanoGator]

"Linux has its own problems. But you mod them -1 under the rug until the fsf site gets hax0red. troll but true. "

That was true like a year or two ago, but since this has come up I've been amazed at how things have changed here. It's not that it's turning pro-Microsoft, but the "Everything Linux does is perfect" attitude has settled back down to realistic levels.

I agree with you, though, Linux is a root password away from being ssh'd to hell.

Phew

[tarquin_fim_bim]

"All Kaspersky Labs products effectively detect both modifications of "Lovesan", without requiring an update."

Guess they were just damned lucky there.

If we're lucky...

[Black+Parrot]

If we're lucky the power will be out and the worms won't be able to carry out their attack.

Re:If we're lucky...

[LordLucless]

That's right, Microsoft nuked the power station to offset the bad worm publicity.

Damn, Slashdot needs a "+1 Paranoid" mod

Well some are safe from it...

[3seas]

Those in the US north east and south east Canada.....

MS Worm & Power Cuts

OK you'd have to be a cyber terrorism nut to believe the power blackouts were caused by the virus but some friends at Con-Ed have told me the virus isn't totally innocent, apparently the trouble ticketing / work management system some of the affected power companies are using is running on a load of windows servers and not all of them managed to get patched in time. So the recovery operation is being hampered a bit by the worm.
And I thought those guys were just exagerrating things.

News Flash

[ReyTFox]

SCO declares that it holds the copyrights to LoveSan and demands that all clones pay a $1500 licensing fee.

Blaster.B and Blaster.C

[SimplexO]

This post is about what Symantec calls W32.Blaster.C.Worm. Don't forget that there is also a W32.Blaster.B.Worm.

B:

Adds the value: "windows auto update"="penis32.exe" to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run so that the worm runs when you start Windows.

C:

Adds the value: "Microsoft Inet Xp.."="teekids.exe" to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run so that the worm runs when you start Windows.

The new C means that the scan that we use to get the original out of the registry has to be modified so we can find this C variant.

MS Releases Network Scanning Tool

[MacrosTheBlack]

Microsoft have released a tool to scan your local network (or the whole net if u really wanted to).
Download
Network admins have fun.

Re:And while you all get easy 5, funnies.

Point taken, but badly stated. The FSF cracking incident was due to an application that runs on Linux, and does not ship with most Linux distributions--it has to be intentionally downloaded and installed.

So are we going to start adding all securities in third-party apps that run on Windows to the "Windows vulnerability" list? That's crazy.

Linux is a kernel, yes. But the fact that it's available in that form if that's all you want is an advantage, not a technicality. Try getting Windows without a GUI, or SMB.

a deep dark thought....

[ecalkin]

i was wondering about the motivations of the person(s) that wrote this. they seemed to have a mad-on against microsoft. what seemed weird was that if this had been a 'quiet' worm that spread, there would have been a lot more machines that were infected on dday. ms being hit by a large number of zombies and having to *beg* people to clean up their systems would have been pretty funny.

i saw the news about the second (and third) versions and i just wondered if these (all three) we just a distraction. i wonder how many people looked for an awfully obvious process and if they did't see it, well, that was the end of the story?

somethings smells here.

eric

Re: a deep dark thought....

[Black+Parrot]

> i saw the news about the second (and third) versions and i just wondered if these (all three) we just a distraction. i wonder how many people looked for an awfully obvious process and if they did't see it, well, that was the end of the story? somethings smells here.

I've always wondered whether someone planning a criminal break-in somewhere might not release a virus as a cover, so that the victim would shrug off any anomalies on their system as side effects of the virus, and think the virus fix was end-of-story.

Benevolent Virii

[pavon]

You know here's an cool idea, seeing as the biggest problem with virii is that people don't keep their systems up-to-date.

When someone finds out about an exploit, they tell the company about it (aka MS) and give them time to come up with a patch. Then after sufficient time has passed for security concience people to patch their systems, a virus is released that takes advantage of the exploit to either inform the user that their system is vulnerable and that they should install the patch, or simply install the patch for them.

Alot of times it seems to take a big attack for busy system admins to roll out a system wide update. I have talked to people whose work computers have been hit pretty hard by virii and I just wonder what would have happened had they been hit by a truely malicious virus, not just these annoying but easily recoverable ones. It scares me.

culpability

[negacao]

This is getting extremely annoying - I'm still getting hits daily from Code Red & Nimda. I'd like to personally line up each person who hasn't patched thier system and slap them.

Along with the idiots at microsoft who don't make updates for IIS available though windowsupdate. (in my experience, ymmv.) C'mon, it's shipped with the OS, you've got automatic updates on by default, so make them patch the goddamn webserver.

Re:I hope this new version runs under WINE

[ihummel]

We at CodeWeavers are proud to announce our new product: Crossover Blaster. This new piece of software for the Linux operating system will provide the same quality that you've come to expect from Crossover Office, but this time with the very popular Blaster worm (known to some as LovSan). It will even work with clones of the worm.

Finally, all the Linux users who have felt left out can participate in the reboot fun. It is a bargain for $50. See www.crossoverblaster.devnull for more details.


Disclaimer: I do not work for CodeWeaver. My views are purely my own.

Re:the average user reaction...

[Un+pobre+guey]

I'm sure many people here have done voluntary tech support for friends and family. What do you find to be the most frequent problems?

Most common "problem" I have seen is that people do the following:

1)Get a computer, with OS and some software installed

2)Use the computer

3)If buy commercial software, install it, hitting OK every time it appears

4)If download arbitrary software from the net, install it, hitting OK every time it appears

5) If computer seems sluggish or something seems wrong, do one or more of the following:

• Go to the Program Files directory (of course it's Windows) and delete one or more directories containing programs you recall having installed recently
• Hunt around the hard disk and delete things that don't look right
• Buy software that supposedly fixes your system, and run it several times consecutively, choosing different options each time
• Reboot
• Re-install the operating system

6) Go to 2)

This algorithm is run continuously for several years.

Oh, it's not that bad!

[jprupp]

Hey AV experts, just wait till the 17th to post a fix, please?, in the meantime, have fun, enjoy the beach, watch windowsupdate.com as it goes DoSed, what a wonderful life!. At last a virus that goes to the source of the problem. hehehe I think I'll get some Karma for saying this, well, some Karma is not too bad!.

Intranets being infected.

[bruthasj]

One major manufacturing facility in Taiwan that I work with had its internal network hit including control devices running on Windows NT. It probably caused between 1 to 2 million dollars in damage because of production delays.

I had to stay up till 12am trying to figure what the crap was going on with my equipment when it was communicating with those stupid NT servers. We're running Redhat and I was sitting there using tcpdump trying to figure out what was wrong with the packets.

It looks normal from the Redhat side, but you'll get no responses from the Application layer on the NT side. It must flood the send pipe in the TCP/IP socket layer on the NT side.

WARNING: If you're running Linux in the Enterprise and you're interfacing NT, you'll be blamed first. Just know it ain't your fault.

I am so sick of these amatures...

[codepunk]

Damn if you are going to write a worm make it do some damage. You back hats are really starting to bore the shit out of me.

For instance take this worm and add the ability for it to seek the network for every single excel spread sheet it can find and randomly mix up a couple of cell values. Then have it set the access time back to the original.

Hell just write a few bytes to a random location in any file you can access.

Come on black hats, quit boring me!

I used to work at an antivirus company.

[morven2]

While some companies in the AV industry have shown (ahem) questionable ethics in the past, I think it's stretching to say they WRITE the viruses, rather than just hype them.

For one thing, there are plenty of idiots out there quite willing to write a virus for free.

For another, if the viruses/worms/trojans were written by the AV firms, they'd be MUCH better. My co-workers and I would regularly discuss how one could, hypothetically, write the ultimate virus ... some of our ideas would have been quite evil indeed. And most of us were pretty good programmers.

Contrast that with the true nature of most successful 'in the wild' viruses -- most of which aren't that well written ...

Is *nix that much more secure?

[sanx]

OK - maybe this is a -5 Flamebait here, but here's a couple of my thoughts.

The desktop world is ruled (by numbers, anyway) by Microsoft. Any potential malware s'kiddie can knock together some malware in a few hours, dump it into some unsuspecting newsgroup somewhere or email it to his Outlook-using mates and start an epidemic relatively easily. The sheer number of vulnerable machines makes that easy.

The installed base of Windows boxes also means that, despite MS not opening up their code to anyone (except governments and universities willing to sign away their first-born as insurance against breaking the NDA), large numbers of people spend vast tracts of time throwing McValue Meal-sized URLs at web-servers and mutant packets at RPC interfaces.

Lots of people x Lots of time x Lots of machines = lots of vulnerabilities found...

Now consider *nix. It has a number of advantages straight off the block:

1. It's open source. Code that finds its way into the kernel goes through the best peer-review system available; public scrutiny.
2. Generally, the people who run *nix are more tech-savvy than an average Joe Blow.
3. Any vulnerabilities that are found get acknowledged and fixed very quickly.

But what would happen if *nix had the sort of desktop penetration that Windows does? How quickly would the kind of person that thinks a computer case is called a 'hard drive' apply a *nix security patch? If *nix was that popular, how many more people would devote vast tracts of time to finding obscure security holes and vulnerabilities?

Just a thought. Now flame away ;)

Massive Legal Ramifications in here

[steveoc]

There are massive legal rammifications to this.

Firstly, the second strain of the virus is clearly derived from
the first strain. This is blatant piracy, and a violation of the
cherished IP of the original authors.

The original author of the virus is now in a position to reap a windfall, by :
- Suing the second author to the tune of $3Bn for having blatantly stolen their code.
- Suing the thousands of owners of infected machines because they may be running pirated code in violation of the DMCA.
- Offering infected users a $699 licence fee for running the derived virus, which will protect them from any further legal action.

What the authors of the second, derived virus have done is abominable, and shows a callous disregard for the IP rights of the original authors. They are nothing but pirates, and a threat to the wholesome values of benign free-trade capitalism.

-----------------------