Security watch
Attack program makes surfing in IE improbable
A malicious program, dubbed QHosts, infects PCs using
a recent flaw in Microsoft's Internet Explorer to take control of how computers
look up Internet addresses. The program takes advantage of a critical flaw in
the Internet Explorer Web browser, which Microsoft has made an integral part
of its Windows OS. The flaw, which Microsoft has labeled an 'object type' vulnerability,
can cause Website visitors to unknowingly run malicious code on their computers
when surfing a compromised site. Such an attack is referred to as a Trojan horse.
How it works
The QHosts program changes the Internet addresses of
the computers at which the infected PC looks to resolve unknown Websites and
domain names. Known as the domain name service (DNS) servers, such computers
are generally operated by a trusted organization, like an ISP. However, QHosts
will send the requests to other servers, which are likely to be owned by the
originator of the Trojan horse.
Such hostile servers could reroute an infected computer's
request for a Website to an entirely different page.
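The resolver redirection described above leaves a visible trace: the DNS servers configured on the infected machine no longer match the resolvers the organisation actually operates. The following Python script is an added example written for this column, not code from the original article or from any vendor tool. It parses the "DNS Servers" entries from the output of `ipconfig /all` on Windows and reports any resolver that is not on an allowlist; the allowlist, the sample output, and the documentation-range addresses standing in for the attacker's servers are all constructed assumptions.

```python
import ipaddress
import re
import subprocess

# Resolvers this organisation actually runs (assumed placeholder values;
# replace with the addresses of your own ISP or internal DNS servers).
TRUSTED_RESOLVERS = {"192.168.1.1", "192.168.1.2"}

# Constructed sample of `ipconfig /all` output from a host whose DNS settings
# have been redirected. The 198.51.100.x addresses are documentation-range
# placeholders, not real attacker infrastructure.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : workstation-07
        Primary Dns Suffix  . . . . . . . : corp.example

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example
        IP Address. . . . . . . . . . . . : 192.168.1.57
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 198.51.100.23
                                            198.51.100.24
"""

# Matches the "DNS Servers . . . : <addr>" line; the dotted leader varies in length.
_DNS_LINE = re.compile(r"^\s*DNS Servers[\s.]*:\s*(\S*)\s*$")


def _is_address(token):
    """True if token is an IPv4/IPv6 literal (IPv6 zone suffix such as %1 ignored)."""
    try:
        ipaddress.ip_address(token.split("%")[0])
        return True
    except ValueError:
        return False


def parse_dns_servers(ipconfig_text):
    """Return every DNS server address listed in `ipconfig /all` output.

    The first address is on the 'DNS Servers' line itself; additional ones
    follow on continuation lines that contain nothing but an address.
    """
    servers = []
    collecting = False
    for line in ipconfig_text.splitlines():
        m = _DNS_LINE.match(line)
        if m:
            collecting = True
            if m.group(1):
                servers.append(m.group(1))
            continue
        if collecting:
            token = line.strip()
            if _is_address(token):
                servers.append(token)
            else:
                collecting = False  # back to ordinary adapter lines
    return servers


def untrusted_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Return the configured resolvers that are not on the allowlist."""
    return [s for s in servers if s not in trusted]


def check_live_host():
    """Run ipconfig on the local Windows host and return unexpected resolvers."""
    out = subprocess.run(["ipconfig", "/all"], capture_output=True,
                         text=True, check=True).stdout
    return untrusted_resolvers(parse_dns_servers(out))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print("unexpected resolvers:",
          untrusted_resolvers(parse_dns_servers(SAMPLE_IPCONFIG)))
```

Run on the constructed sample the script reports both 198.51.100.x addresses; on a live host call `check_live_host()` instead. A resolver outside the allowlist is not proof of infection (laptops that roam between networks pick up other ISPs' servers), so treat the result as a triage signal to compare against the adapter's expected configuration.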
Impact
The Trojan horse uses a banner ad that the attacker
places on the Web hosting provider's site to infect PCs running Windows. When
a page containing the booby-trapped ad is displayed in Internet Explorer, the
malicious code automatically installs the Trojan horse on the user's PC.
The banner ad displays another pop-up, and that pop-up
loads the content. Viewing that page would allow the Trojan to execute.
While the QHosts program does not seek out new computers
to infect (it is not considered a worm or virus), its ability to automatically
infect PCs, combined with the lack of an immediate fix for the vulnerability, makes
it an issue to worry about.
Solution/patches
While the release of a fix for this variation is shortly
expected, users can help protect against this newly reported issue by changing
their IE Internet security zone settings to prompt them before running ActiveX
components, according to a company statement.
Microsoft had originally patched the flaw in late August,
but later discovered that the fix didn't solve the problem.
A Microsoft representative said that the company was
working to solve the problem, but had no timeframe for a fix.
More information is available in the advisory on Microsoft's
Web site.
Backdoor Trojan
Backdoor.Hacarmy is a Backdoor Trojan horse that gives
its creator access and complete control over a compromised system.
Also known as Backdoor.Hackerarmy [KAV], BackDoor-AZV [McAfee]
Systems Affected
Windows 2000, Windows 95, Windows 98, Windows Me, Windows
NT, Windows Server 2003, Windows XP
Backdoor.Hacarmy is spammed to some newsgroups.
Impact
When Backdoor.Hacarmy runs, it does the following:
Copies itself as %System%\Win32server.scr.
%System% is a variable. The Trojan locates the System
folder and copies itself to that location. By default, this is C:\Windows\System
(Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32
(Windows XP).
Adds a value: "Winsock32driver"="win32server.scr"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the Trojan runs when you start Windows.
Creates the mutex "botsmutex." This mutex
allows only one instance of the Trojan to execute in memory.
Opens randomly changed TCP and UDP ports to connect
to the Trojan's creator.
Attempts to connect to an IRC server at port 6666.
If it connects, it allows the following actions:
- Downloads and executes files
- Terminates processes
- Steals system information, like OS information, system
uptime, current user name, IP address, and hostname
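The persistence mechanism listed above (a value under the HKLM Run key pointing at a .scr file dropped in the System folder) is the most reliable host-side indicator an administrator can check for. The Python script below is an added example for this column, not code from the original article or from any anti-virus vendor. It parses a .reg export of the Run key, flags the exact value named in the description and, more generally, any autorun entry that launches a bare .scr file, and checks the default %System% paths for the dropped copy. The sample export is constructed; the live registry read assumes a Windows host.

```python
import os
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Indicator from the description: value name and data the Trojan adds.
HACARMY_VALUE = ("Winsock32driver", "win32server.scr")

# Default %System% locations named in the description, plus the live SystemRoot.
DROPPED_FILE_CANDIDATES = [
    r"C:\Windows\System\win32server.scr",      # Windows 95/98/Me
    r"C:\Winnt\System32\win32server.scr",      # Windows NT/2000
    r"C:\Windows\System32\win32server.scr",    # Windows XP
]

# Constructed .reg export, in the format regedit / `reg export` writes,
# containing one legitimate autorun entry and the Trojan's entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Winsock32driver"="win32server.scr"
"""

_VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_values(reg_text):
    """Return {value name: data} for string values under RUN_KEY in a .reg export."""
    values = {}
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # A bracketed line opens a new key; only collect inside the Run key.
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        if in_run_key:
            m = _VALUE_LINE.match(line)
            if m:
                # .reg files escape backslashes as \\ ; undo that.
                values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def suspicious_run_entries(values):
    """Return (name, data, reason) for entries matching the indicators."""
    findings = []
    for name, data in values.items():
        tokens = data.lower().split()
        program = tokens[0] if tokens else ""
        if (name, data.lower()) == HACARMY_VALUE:
            findings.append((name, data, "Backdoor.Hacarmy autorun value"))
        elif program.endswith(".scr"):
            # Screen savers have no business being launched at logon.
            findings.append((name, data, ".scr launched at logon"))
    return findings


def dropped_file_present():
    """Return the candidate paths at which the dropped copy actually exists."""
    candidates = list(DROPPED_FILE_CANDIDATES)
    root = os.environ.get("SystemRoot")
    if root:
        candidates.append(os.path.join(root, "System32", "win32server.scr"))
    return [p for p in candidates if os.path.exists(p)]


def live_run_values():
    """Read the Run key on the local host (Windows only; needs the winreg module)."""
    import winreg
    values = {}
    sub_key = RUN_KEY.split("\\", 1)[1]
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub_key) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    for finding in suspicious_run_entries(parse_run_values(SAMPLE_REG_EXPORT)):
        print("suspicious autorun:", finding)
    print("dropped file found at:", dropped_file_present())
```

Feed `parse_run_values` the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` from a suspect machine, or call `live_run_values()` on the host itself. Because the Trojan's mutex ("botsmutex") and port choice are not visible from the registry, the Run value and the dropped file are the indicators worth scripting; confirm with an up-to-date scanner before cleaning.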
Solutions/patches
Encourage users and administrators to adhere to the
following basic security 'best practices'.
Turn off and remove unneeded services. By default,
many OSs install auxiliary services that are not critical, like an FTP server,
telnet, and a Web server.
If a blended threat exploits one or more network services,
disable, or block access to, those services until a patch is applied. Always
keep your patch levels updated, especially on computers that host public services
and are accessible through the firewall, like HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it
difficult to crack password files on compromised computers. This helps to prevent
or limit damage when a computer is compromised.
Configure your e-mail server to block or remove e-mail
that contains file attachments that are commonly used to spread viruses, like
.vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further
compromising your organization. Perform a forensic analysis
and restore the computers using trusted media.
Train employees not to open attachments unless they
are expecting them. Also, do not execute software that is downloaded from the
Internet unless it has been scanned for viruses. Simply visiting a compromised
Website can cause infection if certain browser vulnerabilities are not patched.
To remove Backdoor.Hacarmy from an infected computer:
- Disable System Restore (Windows Me/XP)
- Update the virus definitions
- Run a full system scan and delete all the files
detected as Backdoor.Hacarmy
- Delete the value that was added to the registry
W32/Swen.A Worm
There's a new mass mailing worm, referred to as 'W32/Swen.A' or 'W32/Gibe.F'.
This worm is similar to the W32/Gibe.B in function. The worm has been
reported to propagate through e-mail, network shares, and file-sharing
networks like KaZaA and IRC. It arrives as an attachment.
The subject, body, and from: address may vary, but often claim to be
a Microsoft Internet Explorer Update or a delivery failure notice from
qmail. Upon opening the attachment, the worm attempts to mail itself to
all e-mail addresses it finds on the system. Additionally, this worm attempts
to terminate numerous security product processes on the system. Encourage
users to install anti-virus software, and keep its virus signature files
up-to-date.
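Both the best-practice advice above (block attachments with the .vbs, .bat, .exe, .pif and .scr extensions at the mail server) and the Swen/Gibe lure (an executable attachment dressed up as a Microsoft update or a delivery failure) can be illustrated with one gateway-side filter. The following Python code is an added example for this column, not code from the original article or any mail product. It uses only the standard-library email package; the sample message, sender and subject are constructed, and the lure word list is an assumed heuristic rather than anything the worm is known to match.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the advice above recommends blocking or stripping at the mail server.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}

# Subject words seen in the lures described above (assumed heuristic).
LURE_WORDS = ("update", "patch", "security", "delivery failure", "undeliverable")


def is_blocked_name(filename):
    """True when the final extension of an attachment name is on the block list.

    The name is lower-cased and trailing spaces and dots are stripped, so
    'Notes.PIF', 'photo.jpg.scr' and 'readme.txt        .exe' are all caught.
    """
    name = filename.strip().rstrip(".").lower()
    if "." not in name:
        return False
    return "." + name.rsplit(".", 1)[1] in BLOCKED_EXTENSIONS


def risky_attachment_names(raw_message):
    """Return the file names of blocked-type attachments in an RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [part.get_filename() for part in msg.iter_attachments()
            if is_blocked_name(part.get_filename() or "")]


def looks_like_update_lure(raw_message):
    """True when a blocked attachment is paired with update/failure wording."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    return bool(risky_attachment_names(raw_message)) and any(
        word in subject for word in LURE_WORDS)


def build_sample_message():
    """Construct a message in the style of the lure described above.

    This is a constructed sample, not a captured copy of the worm; the
    'attachment' is a few harmless bytes with an executable file name.
    """
    msg = EmailMessage()
    msg["From"] = "MS Technical Assistance <support@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Latest Internet Security Update"
    msg.set_content("Install this cumulative patch to protect your computer.")
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                       subtype="octet-stream", filename="IE_Update.exe")
    msg.add_attachment("Meeting notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    print("blocked attachments:", risky_attachment_names(raw))
    print("update lure:", looks_like_update_lure(raw))
```

The extension check deliberately looks only at the final extension after trimming padding, which is what defeats the "harmless.txt        .exe" trick; a gateway that honours this list would have stopped the attachment regardless of the subject line, and the lure heuristic is only there to prioritise what gets quarantined for review.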
Top ten viruses reported to Sophos in September 2003

Position  Last month  Virus           Share
1         New         W32/Gibe-F      23.50%
2         9           W32/Dumaru-A    18.10%
3         4           W32/Mimail-A    15.00%
4         1           W32/Sobig-F      5.60%
5         3           W32/Nachi-A      5.50%
6         10          W32/Sobig-A      4.40%
7         7           W32/Bugbear-B    2.90%
8=        6           W32/Klez-H       2.70%
8=        2           W32/Blaster-A    2.70%
10        Re-entry    W32/Parite-B     1.30%
                      Others          18.30%

Gibe-F reaches top spot by playing on security fears