Slashdot Mirror


New Worm Installs Sniffer

fmorgan writes "Netcraft just posted a note saying that a new worm installs a network sniffer in the infected computers." When I read these things it kind of makes me wonder why it took this long. Update: 09/13 22:47 GMT by T : More innovation: Ant writes "The Register has a story about a piece of malware that 'talks' to victims. The Amus email worm uses Windows Speech Engine (which is built-in to Windows XP) to deliver a curious message to infected users. The message reads: "How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule." ("Gule. Gule" is Turkish for "Bye. Bye". "Hamsi" is a small fish, like an anchovy, found in the Black Sea). F-Secure has a copy of the sound file generated by the message."

13 of 491 comments

  1. More technical details by Lord Grey · · Score: 5, Informative
    Here is propagation information on the worm WORM_SDBOT.UH from Trend Micro (link pulled from the article):

    Network Propagation and Exploits

    This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability present on Windows XP systems, which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised. Read more on this vulnerability from the following link:

    Microsoft Security Bulletin MS03-026

    It also takes advantage of the Buffer Overflow in SQL Server 2000 vulnerability. Read more on this vulnerability from the following link:

    Microsoft Security Bulletin MS02-061

    This worm also exploits the IIS5/WEBDAV buffer overrun vulnerability affecting Windows NT platforms, which enables arbitrary code to execute on the server. The following link offers more information from Microsoft about this vulnerability:

    Microsoft Security Bulletin MS03-007

    It also exploits the Windows LSASS vulnerability. This is a buffer overrun vulnerability that allows remote code execution. Once successfully exploited, a remote attacker is able to gain full control of the affected system. For more information about this vulnerability, refer to the following Microsoft Web site:

    Microsoft Security Bulletin MS04-011
    This worm spreads via network shares, using NetBEUI functions to get available lists of user names and passwords. It then searches for and lists down the following shared folders, where it drops a copy of itself using the gathered information:
    • Admin$\system32
    • C$\windows\system32
    • C$\winnt\system32
    • Ipc$
    Trend Micro reports that the worm runs on Windows 95, 98, ME, NT, 2000, and XP. But notice that they report the worm as not in the wild. So... where is it? Did they get a prerelease?
    --
    // Beyond Here Lie Dragons
  2. Encrypt! by WD_40 · · Score: 5, Informative

    As demonstrated at DEFCON with "The Wall of Sheep" (stupid name, cool idea) it seems that a lot of people who should know better still don't encrypt their password transmissions.

    If you haven't already, it's time to get serious about encryption.

    --

    "With sufficient thrust, pigs fly just fine." -- RFC 1925

    1. Re:Encrypt! by rainer_d · · Score: 4, Informative

      > You can encrypt your password six ways from
      > Sunday and it will still have been intercepted
      > before it ever reaches your encryption software.

      Indeed. But there's that nice Squirrelmail plugin that lets you use a virtual keyboard to enter your password ;-)

      Rainer

      --
      Windows 2000 - from the guys who brought us edlin
  3. Proper switches will defeat the sniffer by Jailbrekr · · Score: 5, Informative

    If you have a proper switch, then sniffing should not be a problem, as the traffic on the network will not reach the infected computer (unless it is also a server). Sadly, I fear that a lot of the consumer "switches" on the market do not do proper routing, and have insufficient mac routing tables.

    --
    Feed the need: Digitaladdiction.net
    1. Re:Proper switches will defeat the sniffer by Anonymous Coward · · Score: 5, Informative

      Hubs, switches and routers are three different pieces of network equipment.

      Hubs are collapsed ethernet busses: Every attached device can see every ethernet frame sent by any other attached device.

      Switches work on a higher layer: They inspect the frames and send only broadcast frames to all devices. For the rest of the frames, they maintain a table of MAC-layer addresses of all devices attached to the switch ports. Targeted frames only get sent to the port to which the target device is connected.

      Routers work on an even higher level: They inspect IP packets and do with them about the same as what switches do with ethernet frames. Routers are generally more flexible about the rules regarding the packet flow than switches. It is not uncommon for routers to have the ability to perform switch-like ethernet level functions as well, but conceptually routing and switching are two different beasts.

      At least cheap home switches can be tricked into passing frames to the "wrong" ports in several ways. One method is to flood the MAC-address-to-port table. Most switches then fall back into hub mode. Generally speaking, non-manageable switches and switches without clearly-defined reactions to MAC flooding are not security devices. You should assume that an attacker can read your packets on a switched network.
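
    Added example (not part of the thread): a model of the MAC-flooding trick described in the reply above, showing why a switch with a small forwarding table stops protecting a victim's traffic from a sniffer on another port. The switch model is an assumption: a learning switch whose table evicts its oldest entry when full and floods any frame whose destination MAC it has not learned. The hosts, MAC addresses and the "USER/PASS" payload are constructed for the demonstration.

```python
"""Learning-switch model: MAC flooding turns unicast into flooded frames."""
from collections import OrderedDict
from typing import Dict, List, Tuple

Frame = Tuple[str, str, bytes]  # (src_mac, dst_mac, payload)
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Switch with a bounded MAC table (assumed LRU eviction, unknown-unicast flooding)."""

    def __init__(self, ports: int, table_size: int) -> None:
        self.ports = ports
        self.table_size = table_size
        self.table: "OrderedDict[str, int]" = OrderedDict()  # mac -> port
        # Every frame each port has received, so we can check what a sniffer would see.
        self.delivered: Dict[int, List[Frame]] = {p: [] for p in range(ports)}

    def learn(self, mac: str, port: int) -> None:
        if mac in self.table:
            self.table.move_to_end(mac)
        elif len(self.table) >= self.table_size:
            # Assumption: a full table evicts its oldest entry, so victims'
            # entries are pushed out by a stream of never-seen source MACs.
            self.table.popitem(last=False)
        self.table[mac] = port

    def forward(self, in_port: int, frame: Frame) -> List[int]:
        src, dst, _ = frame
        self.learn(src, in_port)
        if dst == BROADCAST or dst not in self.table:
            # Unknown destination: flood out of every port except the ingress
            # port. This is exactly the "hub mode" the reply talks about.
            out_ports = [p for p in range(self.ports) if p != in_port]
        else:
            out_ports = [self.table[dst]]
        for p in out_ports:
            self.delivered[p].append(frame)
        return out_ports


SERVER, CLIENT, ATTACKER = 0, 1, 2          # switch port numbers (constructed)
SERVER_MAC = "00:11:22:33:44:01"
CLIENT_MAC = "00:11:22:33:44:02"
SECRET = b"USER alice\r\nPASS hunter2\r\n"  # constructed cleartext login


def attacker_saw_secret(sw: LearningSwitch) -> bool:
    return any(f[2] == SECRET for f in sw.delivered[ATTACKER])


def demo(table_size: int = 64, flood_frames: int = 200) -> Tuple[bool, bool]:
    """Return (attacker saw login before flooding, attacker saw login after)."""
    sw = LearningSwitch(ports=3, table_size=table_size)
    # Normal operation. Note the very first frame to an unlearned destination
    # is flooded too; only once both MACs are learned does traffic go unicast.
    sw.forward(CLIENT, (CLIENT_MAC, SERVER_MAC, b"hello"))
    sw.forward(SERVER, (SERVER_MAC, CLIENT_MAC, b"hi"))
    sw.forward(CLIENT, (CLIENT_MAC, SERVER_MAC, SECRET))
    before = attacker_saw_secret(sw)

    # MAC flooding from the attacker's port: more fresh source addresses than
    # the table can hold evict the server's and client's entries.
    for i in range(flood_frames):
        fake_src = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)
        sw.forward(ATTACKER, (fake_src, "02:ff:ff:ff:ff:ff", b"junk"))

    # The client logs in again; SERVER_MAC is no longer in the table, so the
    # frame is flooded and the attacker's port receives a copy.
    sw.forward(CLIENT, (CLIENT_MAC, SERVER_MAC, SECRET))
    after = attacker_saw_secret(sw)
    return before, after


if __name__ == "__main__":
    print("attacker saw login before/after flooding:", demo())
```

    Two practical caveats follow from the model: the attacker has to keep flooding, because the victims' next frames re-learn their MACs and the switch goes back to unicast, and a managed switch with port security (a per-port limit on learned MACs) simply shuts the offending port instead of degrading to flooding.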

  4. Re:Non-malicious worms by newend · · Score: 4, Informative

    If you delete everything on the machine, then the virus can't propagate. What would have to happen is the virus would have to have a delay, and then there is a risk that it will be discovered before the payload (deletion) takes place. Further, I think most of the virus writers think of it more as a game, and don't really want to destroy data so much as see what they can accomplish. Would you rather destroy Rome or own it?

  5. uIP already exists... by Anonymous Coward · · Score: 5, Informative

    Seems like the uIP embedded TCP/IP stack would be ideal for this, as it is very small and portable. Also, it apparently already has been ported to and run on laptop keyboard microcontrollers. How about that kind of sniffer virus!

  6. yep! by Zilfondel2 · · Score: 5, Informative

    Yea, actually, a lot of the time the virus writers DO email them to the different antivirus companies. Having your virus added to the weekly virus definition files is part of their bragging rights.

    Do you really think there are 55,000 viruses in the wild?

    Yea yea, I worked for symantec for a couple of years.

  7. Re:Best AntiVirus? Help... by jcr · · Score: 5, Informative

    This reminds me, I'm in the process of building a new pc and want to get the opinion of the shack collective on what is the best antivirus software.

    Take your pick: *BSD, SuSE, Red Hat...

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  8. Proper switches cannot always defeat a sniffer by thanasakis · · Score: 4, Informative
  9. Re:HACKED BY CHINESE by Cheffo Jeffo · · Score: 4, Informative

    Um ... I THINK that was an attempt at humour ... HACKED BY CHINESE was the tagline appearing on web servers infected with Code Red ... IIRC, that is.

  10. Beating keystroke loggers by JaredOfEuropa · · Score: 4, Informative

    You can beat keystroke loggers by entering your password a few letters at a time in random order, using the mouse to place the cursor at the correct location in the half-finished password. I don't think there's a keystroke logger that is able to work out where you clicked in the password entry box.

    Cumbersome, but it's something I do on untrusted computers like the ones in web cafés.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  11. PromiscDetect by rsteele19 · · Score: 4, Informative
    The Netcraft article noted that checking to see if your network adapter is in promiscuous mode is a good way to tell if your machine has a sniffer running on it. Unfortunately, they did not mention how one can go about doing this.

    If you're using Linux, just run
    ifconfig -a
    and look for the string "PROMISC".

    If, however, you're using Windows, you need to get a utility called PromiscDetect. Run it from a command prompt. If it indicates the Directed, Multicast and Broadcast filters are active, then you're probably OK.

    Source: Computerworld
    --

    This sig is umop apisdn.
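
    Added example (not part of the thread, and not the PromiscDetect tool): the Linux side of the check above, done three ways. The sysfs reader tests the IFF_PROMISC bit (0x100 in the kernel's interface flags) directly; the two parsers handle the `ifconfig -a` output the comment refers to and the `ip -o link show` output that replaces it on current distributions. The sample outputs are constructed; the interface names in them are assumptions.

```python
"""Find network interfaces in promiscuous mode on Linux."""
import os
import re
from typing import List

IFF_PROMISC = 0x100  # interface flag bit from <linux/if.h>

# Constructed sample of `ip -o link show` output (one interface per line).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: veth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
"""

# Constructed sample of classic net-tools `ifconfig -a` output.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""


def flags_indicate_promisc(flags_text: str) -> bool:
    """flags_text is the content of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_from_ip_link(output: str) -> List[str]:
    """Return interface names whose <...> flag list contains PROMISC."""
    found = []
    for line in output.splitlines():
        m = re.match(r"\d+:\s*([^:@]+)(?:@\S+)?:\s*<([^>]*)>", line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


def promisc_from_ifconfig(output: str) -> List[str]:
    """Return interface names whose ifconfig block mentions PROMISC.

    Works for both the old 'UP BROADCAST PROMISC' line and the newer
    'flags=...<UP,BROADCAST,PROMISC>' style, since PROMISC is a whole word.
    """
    found = []
    current = None
    for line in output.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0].rstrip(":")  # block header names the interface
        if current and re.search(r"\bPROMISC\b", line) and current not in found:
            found.append(current)
    return found


def promisc_interfaces_sysfs(root: str = "/sys/class/net") -> List[str]:
    """Live check of the running host via sysfs; [] when sysfs is unavailable."""
    result = []
    if not os.path.isdir(root):
        return result
    for iface in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, iface, "flags")) as fh:
                if flags_indicate_promisc(fh.read()):
                    result.append(iface)
        except OSError:
            continue  # interface vanished or flags not readable; skip it
    return result


if __name__ == "__main__":
    print("promiscuous (sysfs):", promisc_interfaces_sysfs())
    print("promiscuous (ip link sample):", promisc_from_ip_link(SAMPLE_IP_LINK))
    print("promiscuous (ifconfig sample):", promisc_from_ifconfig(SAMPLE_IFCONFIG))
```

    The caveat a practitioner wants here: this only catches sniffers that capture other hosts' traffic. A sniffer that reads the infected machine's own sessions does not need promiscuous mode, and a rootkit that hooks the tools or the flag can hide the bit, so a positive result is useful and a negative one is not proof of a clean machine.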