New Worm Installs Sniffer
fmorgan writes "Netcraft just posted a note saying that a new worm installs a network sniffer in the infected computers." When I read these things it kind of makes me wonder why it took this long. Update: 09/13 22:47 GMT by T :
More innovation: Ant writes "The Register has a story about a piece of malware that 'talks' to victims. The Amus email worm uses Windows Speech Engine (which is built-in to Windows XP) to deliver a curious message to infected users.
The message reads: "How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule." ("Gule. Gule" is Turkish for "Bye. Bye". "Hamsi" is a small fish, like an anchovy, found in the Black Sea).
F-Secure has a copy of the sound file generated by the message."
Network Propagation and Exploits
This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability present on Windows XP systems, which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised. Read more on this vulnerability from the following link:
It also takes advantage of the Buffer Overflow in SQL Server 2000 vulnerability. Read more on this vulnerability from the following link:
This worm also exploits the IIS5/WEBDAV buffer overrun vulnerability affecting Windows NT platforms, which enables arbitrary code to execute on the server. The following link offers more information from Microsoft about this vulnerability:
It also exploits the Windows LSASS vulnerability. This is a buffer overrun vulnerability that allows remote code execution. Once successfully exploited, a remote attacker is able to gain full control of the affected system. For more information about this vulnerability, refer to the following Microsoft Web site:
This worm spreads via network shares, using NetBEUI functions to get available lists of user names and passwords. It then searches for and lists the following shared folders, where it drops a copy of itself using the gathered information:
- Admin$\system32
- C$\windows\system32
- C$\winnt\system32
- Ipc$
Trend Micro reports that the worm runs on Windows 95, 98, ME, NT, 2000, and XP. But notice that they report the worm as not in the wild. So... where is it? Did they get a prerelease?

As demonstrated at DEFCON with "The Wall of Sheep" (stupid name, cool idea), it seems that a lot of people who should know better still don't encrypt their password transmissions.
If you haven't already, it's time to get serious about encryption.
"With sufficient thrust, pigs fly just fine." -- RFC 1925
If you have a proper switch, then sniffing should not be a problem, as the traffic on the network will not reach the infected computer (unless it is also a server). Sadly, I fear that a lot of the consumer "switches" on the market do not do proper routing, and have insufficient MAC routing tables.
Feed the need: Digitaladdiction.net
If you delete everything on the machine, then the virus can't propagate. What would have to happen is the virus would have to have a delay, and then there is a risk that it will be discovered before the payload (deletion) takes place. Further, I think most of the virus writers think of it more as a game, and don't really want to destroy data so much as see what they can accomplish. Would you rather destroy Rome or own it?
The idea is to sniff the infected computer, not its connected network. Works wonders even on switched LANs. Once you're running local, the net infrastructure is meaningless.
nos laetus epulor qui would domito nos
Seems like the uIP embedded TCP/IP stack would be ideal for this, as it is very small and portable. Also, it apparently already has been ported to and run on laptop keyboard microcontrollers. How about that kind of sniffer virus!
... a new worm installs a network sniffer ... it kind of makes me wonder why it took this long.
What's new about that?
Network sniffers installed on compromised machines is the ENTIRE REASON DMZs were invented - so the network sniffer can only sniff the DMZ, not the LAN behind the second packet-filtering router/bridge.
DMZs have been standard practice for over a decade. If there's anything new about this, it's just that it's the first time a worm in the wild has been identified as installing a sniffer.
But that's hardly surprising. The explosion of professionally-engineered worms is quite recent, as is consumer-level deployment of multi-machine LANs behind firewall+NAT appliances. (I'd expect packet-sniffing cracks aimed at businesses to be more targeted rather than worm-style scatterguns, if only to reduce their chances of discovery.) Seems to me the time became ripe JUST NOW for general deployment of a sniffer-installing Microsoft-exploiting worm.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
That would be a good thing, IMO.
The problem with a sniffer virus like this is that it can sniff network data that comes from any OS, not just the infected one. So in this case this Windows only virus is a bad thing for Linux users as well (assuming the Linux users are sending plain-text passwords and the like).
Cannot check this right now, but wouldn't it be possible to write a Windows executable that writes to the HOSTS file? The file is at a known location, and couldn't you add a line to redirect msn.com and yahoo.com to your own site?
Seems like a fairly simple exploit.
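The HOSTS-file redirect the comment above asks about is trivial to write and just as easy to check for. Here is an added Python audit (not code from the thread or from any vendor) that parses a HOSTS file and flags well-known hostnames pinned to any static address, whether to an attacker's server (a redirect) or to loopback (which silently blocks update servers). The sample file contents, the watched-hostname list and the Windows path are constructed for illustration; the path is the standard `%SystemRoot%\System32\drivers\etc\hosts` location but is an assumption about the target machine.

```python
import ipaddress

# Constructed sample HOSTS contents (not taken from a real machine). The last
# three entries are the kind of tampering the comment describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      msn.com www.msn.com   # hijacked to an attacker-controlled host
192.0.2.10      yahoo.com
127.0.0.1       liveupdate.symantec.com
"""

# Illustrative assumption: public hosts that must never appear in a static
# HOSTS mapping on an end-user machine.
WATCHED = {
    "msn.com", "www.msn.com", "yahoo.com", "www.yahoo.com",
    "windowsupdate.microsoft.com", "liveupdate.symantec.com",
}

# Assumed default path on Windows; override for other platforms.
DEFAULT_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Yield (address, hostname) pairs, dropping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            yield address, name.lower()


def suspicious_entries(text, watched=WATCHED):
    """Return (address, hostname, reason) for every watched hostname in the file.

    Any static mapping for a watched public host is a finding: a non-loopback
    address means traffic is redirected, a loopback address means the host is
    being blocked (typically to stop AV or OS updates)."""
    findings = []
    for address, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((address, name, "unparseable address"))
            continue
        if name in watched:
            reason = "loopback (blocks access)" if addr.is_loopback else "redirected"
            findings.append((address, name, reason))
    return findings


def audit_file(path=DEFAULT_HOSTS_PATH):
    """Audit a HOSTS file on disk; returns the same findings as suspicious_entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for address, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name:30} -> {address:15} {reason}")
```

Note that a browser will happily follow such an entry to a look-alike login page; pairing this check with the promiscuous-mode and signature-based checks elsewhere in the thread is cheap.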
Yea, actually, a lot of the time the virus writers DO email them to the different antivirus companies. Having your virus added to the weekly virus definition files is part of their bragging rights.
Do you really think there are 55,000 viruses in the wild?
Yea yea, I worked for Symantec for a couple of years.
A lot of /.'ers have pointed out that most networks are switched nowadays; however, there are still plenty of networks out there that aren't.
Every mid-level enthusiast home network I've known was just running a dumb hub, and I'm also familiar with a university that ran hubs per floor in the dorms (you couldn't get floor 8's data on floor 9, but as for everyone on floor 9...). This worm still has a plenty big playground.
If other reasons we do lack, we swear no one will die when we attack
This reminds me, I'm in the process of building a new pc and want to get the opinion of the shack collective on what is the best antivirus software.
Take your pick: *BSD, SuSE, Red Hat...
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
I think you are forgetting OpenSSH and Cygwin.
[blue] - The Ministry of Information approved this message...
I vote for Norton, but that's probably because it's what I've used for a long time. McAfee tends to run background scans (at least in implementations I've seen) while Norton runs in the foreground. Obviously, both do realtime protection as well, but I prefer foreground virus scans that I can schedule when I'm not using my computer, like at 3:37 am.
CitrusTV (http://www.citrustv.net): the Nation's Oldest & Largest Entirely Student-Run Television Station
The idea is that you can verify the certificate belongs to who it says it belongs to (like www.yourbank.com), without exchanging any other communication (such as SSH's fingerprints) - you just verify the site's signature from Verisign (or whomever). SSH relies on you confirming the fingerprint the first time you connect.
You can generate your own SSL certs if you don't care about proving them to anyone. Check out the apache docs for examples. Then, once you've accepted it the first time, you'll have no more prompts on further connects - exactly like SSH.
See, for example, http://www.apache-ssl.org/#FAQ, "Now I've got my server installed, how do I create a test certificate?"
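The two trust models contrasted in the reply above (a CA vouching for the certificate versus accepting a fingerprint on first use, as SSH does) can be shown side by side. The following Python is an added example, not code from the thread, Apache or OpenSSH: a small known_hosts-style pin store that accepts a certificate the first time, then refuses any later change, next to a connect helper that uses it in place of CA verification. The certificate bytes in the test are constructed placeholders, not real DER; the store file format and the `tofu_connect` name are this example's own assumptions.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate, formatted the way
    `openssl x509 -noout -fingerprint -sha256` prints it."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """Trust-on-first-use store keyed by host:port (assumed JSON file layout)."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def check(self, host: str, port: int, cert_der: bytes) -> str:
        key = f"{host}:{port}"
        seen = fingerprint(cert_der)
        known = self.pins.get(key)
        if known is None:
            # Nothing vouches for this certificate: this is the moment a
            # client should show the fingerprint and ask, exactly like SSH.
            self.pins[key] = seen
            self._save()
            return "first-use"
        if known == seen:
            return "match"
        # Either a legitimate re-key or a man-in-the-middle; a client must
        # not proceed until a human confirms the new fingerprint out of band.
        return "MISMATCH"

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=1))


def ca_verified_context() -> ssl.SSLContext:
    """The CA model: the platform trust store decides, no prompt needed."""
    return ssl.create_default_context()


def tofu_connect(host: str, port: int, store: PinStore) -> str:
    """The SSH-style model: disable CA verification, fetch the peer's DER
    certificate and let the pin store decide. Requires network access."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # CA chain deliberately not checked
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    verdict = store.check(host, port, der)
    if verdict == "MISMATCH":
        raise ssl.SSLError(f"certificate for {host}:{port} changed since first use")
    return verdict
```

The design point is the one the reply makes: a self-signed certificate buys you the same protection as SSH only if the client actually refuses on mismatch rather than re-prompting, and the first connection is still exposed.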
Why your switched network isn't secure.
"It is time to empty the litter box."
If I forget, Mrs. Underfoot lets me know by leaving a present in the middle of the floor. Believe me, I rarely forget.
"Please do your laundry."
Done on an as-needed basis. I'll run out, and live off the least-wrinkled shirts until the weekend.
"Are you really sure you want to eat that leftover pizza?"
Of-fricken-course! Pizza is the only food I've ever had that's even better microwaved than fresh.
"For the love of god, please try deodorant. Any deodorant."
Why? It's not like anyone comes near me...
Grep has been ported to Windows. (And most GNU command-line tools too) Omni
Um ... I THINK that was an attempt at humour ... HACKED BY CHINESE was the tagline appearing on web servers infected with Code Red ... IIRC, that is.
I believe UltraVnc (what I use, mostly) has an encryption plugin?
:-p
As for services, I don't believe any of the SSH clients can run as a service. I'd be very surprised if there isn't some software out there that could do that though; would be a good project.
Trend Micro Analysis
DJ kRYPT's Free MP3s!
I'd have to recommend AVG. It's free for home use, and so are the (daily) virus definitions. You can set it up to download the latest definitions and do a full scan at any time of day. It comes with some more advanced stuff, like inbound/outbound email scanning, which I've disabled but some folks might like.
You can beat keystroke loggers by entering your password a few letters at a time in random order, using the mouse to place the cursor at the correct location in the half-finished password. I don't think there's a keystroke logger that is able to work out where you clicked in the password entry box.
Cumbersome, but it's something I do on untrusted computers like the ones in web cafés.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
If you're using Linux, just run and look for the string "PROMISC".
If, however, you're using Windows, you need to get a utility called PromiscDetect. Run it from a command prompt. If it indicates the Directed, Multicast and Broadcast filters are active, then you're probably OK.
Source: Computerworld
This sig is umop apisdn.
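The Linux check above (looking for PROMISC in the interface flags) can be scripted so it runs from cron or a monitoring agent. The following Python is an added example, not from the thread or Computerworld: it reads the flag word the kernel exposes for each interface under `/sys/class/net/<iface>/flags` and tests the `IFF_PROMISC` bit (0x100 in `<linux/if.h>`), and it also parses `ip -o link show` output for hosts where only that tool's output is available. The sample `ip` output is constructed for the test. Caveat: this only sees promiscuous mode that the sniffer enabled through the kernel, and a rootkit that patches the tools or the kernel can hide the flag, which is why the thread's advice to encrypt rather than rely on detection still stands.

```python
import re
from pathlib import Path

IFF_PROMISC = 0x100  # from <linux/if.h>

# Constructed sample of `ip -o link show` output (trimmed; not captured
# from a real host). eth0 has PROMISC set, the others do not.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
"""


def promisc_from_flags(flags_text: str) -> bool:
    """flags_text is the content of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_from_ip_link(output: str) -> list:
    """Return interface names whose flag list in `ip -o link show` contains PROMISC."""
    found = []
    for line in output.splitlines():
        m = re.match(r"\d+:\s+([^:@]+)[^<]*<([^>]*)>", line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


def scan_sysfs(root="/sys/class/net") -> dict:
    """Map every interface under sysfs to whether IFF_PROMISC is set.
    Returns an empty dict on non-Linux hosts where the path does not exist."""
    result = {}
    base = Path(root)
    if not base.is_dir():
        return result
    for iface in sorted(base.iterdir()):
        flags = iface / "flags"
        if flags.is_file():
            result[iface.name] = promisc_from_flags(flags.read_text())
    return result


if __name__ == "__main__":
    live = scan_sysfs()
    for name, promisc in live.items():
        print(f"{name:12} {'PROMISC' if promisc else 'ok'}")
    print("from sample ip output:", promisc_from_ip_link(SAMPLE_IP_LINK))
```

A sniffer that binds a raw socket without enabling promiscuous mode (on a hub, or simply sniffing the infected host's own traffic, as another comment points out) will not trip this check at all.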
From MS:
By default, software-enforced DEP only protects limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor.
--
I'm guessing MS runs its own software NX because it knows what memory these system binaries should and shouldn't be using. So even if it worked for DCOM/RPC it probably wouldn't work with the SQL server hole.
Hardware DEP is a whole different story.
Short and sweet thread on DEP here.
Actually, you can enable software DEP for all programs. There's a button you can click on in system properties under advanced. Might be fun playing with to see if it breaks anything. Might be good to leave on if it doesn't.
The Trend Micro link kindly provided in this comment says that it connects to an IRC server.