New Worm Installs Sniffer
fmorgan writes "Netcraft just posted a note saying that a new worm installs a network sniffer on the infected computers." When I read these things it kind of makes me wonder why it took this long. Update: 09/13 22:47 GMT by T :
More innovation: Ant writes "The Register has a story about a piece of malware that 'talks' to victims. The Amus email worm uses the Windows Speech Engine (which is built into Windows XP) to deliver a curious message to infected users.
The message reads: "How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule." ("Gule. Gule" is Turkish for "Bye. Bye". "Hamsi" is a small fish, like an anchovy, found in the Black Sea).
F-Secure has a copy of the sound file generated by the message."
Then dust free computers for all!
Network Propagation and Exploits
This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability present on Windows XP systems, which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised. Read more on this vulnerability from the following link:
It also takes advantage of the Buffer Overflow in SQL Server 2000 vulnerability. Read more on this vulnerability from the following link:
This worm also exploits the IIS5/WEBDAV buffer overrun vulnerability affecting Windows NT platforms, which enables arbitrary code to execute on the server. The following link offers more information from Microsoft about this vulnerability:
It also exploits the Windows LSASS vulnerability. This is a buffer overrun vulnerability that allows remote code execution. Once successfully exploited, a remote attacker is able to gain full control of the affected system. For more information about this vulnerability, refer to the following Microsoft Web site:
This worm spreads via network shares, using NetBEUI functions to get available lists of user names and passwords. It then searches for and lists down the following shared folders, where it drops a copy of itself using the gathered information:
- Admin$\system32
- C$\windows\system32
- C$\winnt\system32
- Ipc$
Trend Micro reports that the worm runs on Windows 95, 98, ME, NT, 2000, and XP. But notice that they report the worm as not in the wild. So... where is it? Did they get a prerelease? How much longer before worms use their own TCP/IP stack? Wouldn't much surprise me, and might be beneficial for getting around firewalls. Might be a cool little project to make a zoo virus that does it.
Disconnect and self-destruct, one bullet at a time.
The newest MyDoom variant has the author asking for a job...
http://www.vnunet.com/news/1158043
The Amus worm speaks to infected users.
I don't know if I should laugh or cry. I just know I'm getting calls in the next few days because someone's computer says "How are you...".
As demonstrated at DEFCON with "The Wall of Sheep" (stupid name, cool idea) it seems that a lot of people who should know better still don't encrypt their password transmissions.
If you haven't already, it's time to get serious about encryption.
"With sufficient thrust, pigs fly just fine." -- RFC 1925
2. I love the fact that this worm drops itself as BLING.EXE
3. This worm uses carnivore network sniffer and checks for the following strings
As Taco said, I'm surprised it's taken this long. Considering it uses 5 patched vulnerabilities, I'd say you deserve what you get in this case.
4. This is particularly... clever? It does all kinds of things that I would put in as feature requests for the perfect worm
- It has 6 paths of infection: 5 vulnerabilities (as above) plus open shares
- It attempts to steal CD keys for some games.
- It installs a network sniffer
- It has an interface with 26 commands that the bad guys can use on an 0wned box
- It can log keystrokes
It doesn't destroy anything all by itself, although it probably crashes some boxen through the exploits (was that just Sasser, or is that part of the LSASS flaw?). It still sucks, but it's just an expected evolution. I'm still waiting for the really bad one...
for the "INDUCEd PATRIOT" worm that detects P2P traffic and then promptly shuts down the computer.
"Me fail English, that's unpossible." --Ralphie
my password to asianthumbs.org may have been jeopardized!
Oh no, I have said too much!
Damn you autopr0n, why, why did you have to die!!!
Monstar L
.. if your network smells bad.
This one talks to the infectee through Windows speech interface. Nice!
Life is the leading cause of death in America.
If you have a proper switch, then sniffing should not be a problem, as the traffic on the network will not reach the infected computer (unless it is also a server). Sadly, I fear that a lot of the consumer "switches" on the market do not do proper routing, and have insufficient MAC routing tables.
Feed the need: Digitaladdiction.net
"When I read these things it kind of makes me wonder why it took this long."
I often wonder the same thing. With all the different worms that infect unpatched Windows machines, why hasn't someone written one that effectively deletes everything on the machine just short of rendering itself unable to propagate?
...or does the term "packet sniffer" remind anyone of someones pet dog?
We need someone to go after these people with the intensity that the RIAA goes after 13 year old girls who don't want to pay for Hoobastank songs. If only the hackers would start going after people like the RIAA instead of trying to screw the everyday person out of their information so they can buy more mods for their Xbox. Then we could air it on MTV as Celebrity Geek Match!
..but I, for one, don't care about our network-sniffing overlords.
Personally, I find this scary as shit. I think virii like this are going to be the reasons to compel a lot of middle-ability users to switch to Linux. Hell, I might cast off Windows now once and for all...
Most networks are switched these days, making this pointless. Why not install a keylogger???
Then the evil person doesn't have to deal with all the encryption mumbo-jumbo.
Pluralitas non est ponenda sine necessitate (plurality should not be posited without necessity)
......ran Windows Update on all infected machines? Would people get pissed?
-Randy
...Afterwards it took me over an hour to unscrew the side of my case to get my nose out...
I've been telling my old 'customers' that I'm retired. I then tell them that I will give them support for free for life if they buy a Mac.
This is usually met with, 'Wha? Really?'
Yup. I'm enjoying the stories of crazy Windows happenings, virus mystery, and constant crashing (Yeah, XP is ok, but not when you have 127 viruses, trojans, spyware and keyloggers all vying for a clock cycle and outgoing port.)
And I'm especially loving not working on Windows boxes.
Seems like the uIP embedded TCP/IP stack would be ideal for this, as it is very small and portable. Also, it apparently already has been ported to and run on laptop keyboard microcontrollers. How about that kind of sniffer virus!
... a new worm installs a network sniffer ... it kind of makes me wonder why it took this long.
What's new about that?
Network sniffers installed on compromised machines are the ENTIRE REASON DMZs were invented - so the network sniffer can only sniff the DMZ, not the LAN behind the second packet-filtering router/bridge.
DMZs have been standard practice for over a decade. If there's anything new about this, it's just that it's the first time a worm in the wild has been identified as installing a sniffer.
But that's hardly surprising. The explosion of professionally-engineered worms is quite recent, as is consumer-level deployment of multi-machine LANs behind firewall+NAT appliances. (I'd expect packet-sniffing cracks aimed at businesses to be more targeted rather than worm-style scatterguns, if only to reduce their chances of discovery.) Seems to me the time became ripe JUST NOW for general deployment of a sniffer-installing Microsoft-exploiting worm.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
We could all be doooooooomed!
And regarding another thing, how come so many services require a certificate (such as SSL with email, imap, pop, etc) rather than auto-negotiating it like SSH does?
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
This is strange - I found a bling.exe on a Windows machine at work a while ago, as it was spewing out on 445, if I remember rightly - several weeks ago. I searched for info on it, and I didn't find anything, which I thought was strange.
I think I must have got hit by an early-adopter version.
Get your own free personal location tracker
And it's the same with worms. Rather than hand-coding them in assembly to get them in under 1000 bytes (or whatever) they can now be developed with good tools, useful libraries, and they can have all kinds of extra functionality built in. So expect worms with more features as we go along.
It's time to really start thinking about security-by-design. VM systems like Java, or capability-based systems like EROS are the way we are going to finally squish these worms. I'm so tired of helping relatives with anti-virus software. There shouldn't be anti-virus software. Operating systems shouldn't allow viruses and worms to exist. Security problems like this are not an inherent part of software.
Dear Worm Writers,
Please create a worm that will actually destroy the user's hard drive, so that when they call up at work I can tell them it's a hardware problem and we do not support that. Also, it will teach everyone a valuable lesson in running Windows Update and enabling their firewalls.
Thank you
Student worker @ University Helpdesk
Yeah, actually, a lot of the time the virus writers DO email them to the different antivirus companies. Having your virus added to the weekly virus definition files is part of their bragging rights.
Do you really think there are 55,000 viruses in the wild?
Yeah yeah, I worked for Symantec for a couple of years.
A lot of /.'ers have pointed out that most networks are switched nowadays; however, there are still plenty of networks out there that aren't.
Every mid-level enthusiast home network I've known was just running a dumb hub, and I'm also familiar with a university that ran hubs per floor in the dorms (you couldn't get floor 8's data on floor 9, but as for everyone on floor 9...). This worm still has a plenty big playground.
If other reasons we do lack, we swear no one will die when we attack
This reminds me, I'm in the process of building a new PC and want to get the opinion of the shack collective on what is the best antivirus software.
Take your pick: *BSD, SuSE, Red Hat...
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Especially if it gives warning messages, like:
"It is time to empty the litter box."
or
"Please do your laundry."
or
"Are you really sure you want to eat that leftover pizza?"
or
"For the love of god, please try deodorant. Any deodorant."
Of course, there are also downsides, like your stash of coke always vanishing.
paintball
I'm waiting for a virus that greps all your documents for each name in your address book.
If a document contains a person's name, email it to them.
I can see it now, salary spreadsheets and confidential memos flying around to the very people who are not allowed to see them...
How does it normally spread? Or its variants?
What Windows vulnerabilities is it using?
Is it an email attachment? What is the attachment called?
For Christ's sake...
Love, Zaq
Perhaps it took this long because the bad guys were busy installing keystroke recorders so that they could defeat encrypted network traffic. Also, switched networks help keep the impact of the sniffing to the infected computer -- unless the network terminates at an infected computer -- thus making this less of a threat to large organizations using 100% switched networks...
-- @rjamestaylor on Ello
Why your switched network isn't secure.
Um ... I THINK that was an attempt at humour ... HACKED BY CHINESE was the tagline appearing on web servers infected with Code Red ... IIRC, that is.
You can beat keystroke loggers by entering your password a few letters at a time in random order, using the mouse to place the cursor at the correct location in the half-finished password. I don't think there's a keystroke logger that is able to work out where you clicked in the password entry box.
Cumbersome, but it's something I do on untrusted computers like the ones in web cafés.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
nVIR on the early Macintoshes would use the Macintalk speech engine to say "Don't Panic". One source says nVIR got discovered in January 1987.
"How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule." ("Gule. Gule" is Turkish for "Bye. Bye"
AMAZING. The first virus that has the capacity to destroy not only the victim's computer, but his BRAIN as well. I swear, these guys need to start hiring professional comedians to do their dirty work, or we're all screwed.
You need a FREE iPod Nano
If you're using Linux, just run and look for the string "PROMISC".
If, however, you're using Windows, you need to get a utility called PromiscDetect. Run it from a command prompt. If it indicates the Directed, Multicast and Broadcast filters are active, then you're probably OK.
Source: Computerworld
This sig is umop apisdn.
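As an added example (not from the Computerworld note or from any poster in this thread): a small Linux script that does the PROMISC check the comment above describes, and also reads the per-interface promiscuity counter that `ip -d link show` prints. The second check matters because a sniffer that turns promiscuous mode on through a packet socket (the way libpcap-based tools do) bumps that counter without setting the IFF_PROMISC bit that ifconfig, `ip link` and /sys/class/net/<iface>/flags report, so the flag alone can miss it. Python 3 on Linux is assumed; the interface names, MAC addresses and the sample `ip` output embedded below are constructed for the demonstration.

```python
"""Detect promiscuous-mode interfaces on Linux two ways (added example).

1. The IFF_PROMISC bit (0x100) in /sys/class/net/<iface>/flags. The kernel only
   reports this bit for promiscuous mode set administratively (SIOCSIFFLAGS,
   i.e. `ifconfig eth0 promisc` / `ip link set eth0 promisc on`).
2. The per-device promiscuity counter printed by `ip -d link show`. Sniffers
   that use PACKET_ADD_MEMBERSHIP with PACKET_MR_PROMISC (libpcap/tcpdump)
   increment this counter but do NOT show up in the reported flags.
"""
import os
import re
import subprocess

IFF_PROMISC = 0x100  # from <linux/if.h>


def flags_promisc(flags_hex: str) -> bool:
    """True if IFF_PROMISC is set in a sysfs flags value such as '0x1103'."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def parse_ip_link(output: str) -> dict:
    """Parse `ip -d link show` text into {iface: {"flags": [...], "promiscuity": int}}."""
    result = {}
    current = None
    for line in output.splitlines():
        head = re.match(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>", line)
        if head:
            current = head.group(1)
            result[current] = {"flags": head.group(2).split(","), "promiscuity": 0}
            continue
        if current:
            count = re.search(r"\bpromiscuity\s+(\d+)", line)
            if count:
                result[current]["promiscuity"] = int(count.group(1))
    return result


def flag_promisc_interfaces(parsed: dict) -> list:
    """Interfaces the old ifconfig-style check would catch (PROMISC flag only)."""
    return sorted(name for name, info in parsed.items() if "PROMISC" in info["flags"])


def suspicious_interfaces(parsed: dict) -> list:
    """Interfaces with the flag set OR a non-zero promiscuity counter."""
    return sorted(name for name, info in parsed.items()
                  if "PROMISC" in info["flags"] or info["promiscuity"] > 0)


def sysfs_promisc_interfaces(root: str = "/sys/class/net") -> list:
    """Live flag check of the running host via sysfs (returns [] off Linux)."""
    found = []
    if not os.path.isdir(root):
        return found
    for iface in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, iface, "flags")) as fh:
                if flags_promisc(fh.read()):
                    found.append(iface)
        except OSError:
            pass  # interface vanished or flags not readable
    return found


# Constructed sample, shaped like `ip -d link show` on a host where eth0 was
# set promiscuous administratively (flag + counter) and eth1 is being sniffed
# by a libpcap tool (counter only, no PROMISC flag). lo is clean.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 1500
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 1500
"""

if __name__ == "__main__":
    sample = parse_ip_link(SAMPLE_IP_LINK)
    print("sample, flag only:", flag_promisc_interfaces(sample))  # misses eth1
    print("sample, flag or counter:", suspicious_interfaces(sample))
    try:
        live = subprocess.run(["ip", "-d", "link", "show"], capture_output=True,
                              text=True, check=True).stdout
        print("live (ip -d link):", suspicious_interfaces(parse_ip_link(live)))
    except (OSError, subprocess.CalledProcessError):
        print("live (ip -d link): `ip` not available")
    print("live (sysfs flags):", sysfs_promisc_interfaces())
```

Run it as root or not; reading the flags and the `ip` output needs no privileges. On the sample, the flag-only check reports just eth0 while the counter-aware check reports eth0 and eth1, which is exactly the gap a worm-installed libpcap sniffer would hide in.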