Security Watch
HP's new virus warfare initiatives
According to a recent report by Cnet News.com, Hewlett-Packard plans to launch
two services aimed at slowing down fast spreading viruses and immunizing networks
against threats.
The first service, known as virus throttling, will limit the speed at which
viruses and worms can spread by reducing the number of connections an infected
computer can make to the Internet. This approach is claimed to be more effective
than traditional signature-based anti-virus solutions. A signature-based solution
can only protect against a virus once that virus's signature is available, and
today's fast-spreading viruses and worms can cause massive damage by the time
the signatures are obtained. HP's approach rests on the principle that while
complete prevention of virus infection is not possible, the spread of virus
damage can be minimized.
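To make the throttling idea concrete, here is an added simulation (not HP's code, and with constructed parameters and traffic) of a per-host connection throttle: connections to recently contacted destinations pass immediately, connections to new destinations are released at a fixed rate, and a growing backlog of unreleased destinations is the signal that the host is behaving like a worm. The working-set size, release rate and alarm threshold are assumed values chosen for the example.

```python
from collections import deque

# Parameters of the throttle (constructed values for this example, not HP's).
WORKING_SET_SIZE = 5   # recently contacted destinations that pass without delay
NEW_PER_TICK = 1       # new destinations admitted per time slot
QUEUE_ALARM = 10       # backlog above which the host is flagged as probably infected


class ConnectionThrottle:
    """Per-host throttle: connections to familiar destinations pass at once,
    connections to new destinations are released at a fixed rate."""

    def __init__(self):
        self.working_set = deque(maxlen=WORKING_SET_SIZE)
        self.queue = deque()       # new destinations waiting for release
        self.passed = 0
        self.delayed = 0
        self.max_queue = 0
        self.alarm = False

    def request(self, dst):
        """Register a connection attempt to dst; return 'pass' or 'queued'."""
        if dst in self.working_set:
            self.passed += 1
            return "pass"
        self.delayed += 1
        if dst not in self.queue:          # a repeat request does not grow the backlog
            self.queue.append(dst)
        self.max_queue = max(self.max_queue, len(self.queue))
        if len(self.queue) > QUEUE_ALARM:
            self.alarm = True
        return "queued"

    def tick(self):
        """Advance one time slot: release NEW_PER_TICK queued destinations."""
        released = []
        for _ in range(NEW_PER_TICK):
            if not self.queue:
                break
            dst = self.queue.popleft()
            self.working_set.append(dst)   # now a familiar destination
            released.append(dst)
        return released


def simulate(ticks):
    """ticks: list of per-slot lists of destinations a host tries to reach."""
    t = ConnectionThrottle()
    for attempts in ticks:
        for dst in attempts:
            t.request(dst)
        t.tick()
    return {"passed": t.passed, "delayed": t.delayed,
            "max_queue": t.max_queue, "alarm": t.alarm}


# Constructed traffic: a normal host talking to its mail server, file server
# and proxy each slot, and a worm-like host spraying ten fresh addresses per slot.
NORMAL = [["mail", "files", "proxy"]] * 20
WORMLIKE = [[f"10.0.{slot}.{i}" for i in range(10)] for slot in range(5)]

if __name__ == "__main__":
    print("normal  :", simulate(NORMAL))
    print("wormlike:", simulate(WORMLIKE))
```

The normal host is delayed only during its first few slots and then runs unhindered, while the worm-like host never gets more than one new connection per slot and trips the alarm in its second slot. That is the point of the approach: the infection is not prevented, but its outbound spread is capped and becomes visible.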
The second service mimics medical vaccinations by placing devices within a network
that will continually attack a company's computers with the digital equivalent
of dead germs. Running on one or more network devices, the service will constantly
probe the network for vulnerable computers. On discovering vulnerabilities,
the service will notify the system administrator about it for necessary action.
According to HP, this service also helps lock down the estimated 10 percent
of devices on corporate networks that the company does not know about.
It is expected that the services will be launched by the end of this year, after
trials.
MS ASN.1 library vulnerabilities
According to CERT, multiple integer overflow vulnerabilities
in the Microsoft Windows ASN.1 parser library could allow an unauthenticated,
remote attacker to execute arbitrary code with SYSTEM privileges.
Abstract Syntax Notation number One (ASN.1) is an international standard used
to describe and transmit data packets between applications and across networks.
According to information from eEye Digital Security, the vulnerabilities involve
integer overflows and other flaws in integer arithmetic.
Any application that loads the ASN.1 library could serve as an attack vector.
In particular, ASN.1 is used by a number of cryptographic and authentication
services such as X.509 certificates (SSL/TLS, S/MIME, IKE), Kerberos, and NTLMv2.
The Local Security Authority Subsystem (lsass.exe) and a component of the CryptoAPI
(crypt32.dll) use the vulnerable ASN.1 library. Both client and server systems
are affected.
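The vulnerability class named here, integer overflow in length handling, is easiest to see in a DER parser. The following is an added example (not Microsoft's code and not derived from the patched library): a small tag-length-value parser that validates each DER length against the bytes actually remaining, placed beside the arithmetic pattern that goes wrong when a bounds check is computed in fixed-width integers. The inputs are constructed.

```python
MASK32 = 0xFFFFFFFF


def unsafe_bounds_ok(pos, length, size):
    """The bug pattern: 'pos + length <= size' evaluated in 32-bit arithmetic.
    A length near 2**32 wraps the sum to a small number and the check passes."""
    return ((pos + length) & MASK32) <= size


def safe_bounds_ok(pos, length, size):
    """Overflow-free form: compare the length against the bytes that remain."""
    return 0 <= pos <= size and length <= size - pos


def parse_der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it).
    Rejects indefinite, non-minimal, oversized and out-of-buffer lengths."""
    if pos >= len(buf):
        raise ValueError("truncated: no length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:                     # short form, single byte
        length = first
    else:
        n = first & 0x7F                 # long form: number of length bytes
        if n == 0:
            raise ValueError("indefinite length is not valid DER")
        if n > 4:
            raise ValueError("length-of-length %d exceeds 4-byte limit" % n)
        if pos + n > len(buf):
            raise ValueError("truncated: length bytes missing")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
            raise ValueError("non-minimal length encoding")
    if not safe_bounds_ok(pos, length, len(buf)):
        raise ValueError("length %d exceeds remaining %d bytes" % (length, len(buf) - pos))
    return length, pos


def parse_tlv(buf, pos=0):
    """Parse one tag-length-value element; return (tag, value, next position)."""
    if pos >= len(buf):
        raise ValueError("truncated: no tag byte")
    tag = buf[pos]
    length, start = parse_der_length(buf, pos + 1)
    return tag, bytes(buf[start:start + length]), start + length


def parse_all(buf):
    """Parse every top-level element in buf; any malformed length aborts."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = parse_tlv(buf, pos)
        out.append((tag, value))
    return out


def is_rejected(buf):
    """True if the parser refuses buf with a ValueError."""
    try:
        parse_all(buf)
        return False
    except ValueError:
        return True


# Constructed inputs: a well-formed OCTET STRING followed by an INTEGER, a
# non-minimal length, and a SEQUENCE whose 4-byte length is near 2**32.
GOOD = b"\x04\x03abc\x02\x01\x07"
NON_MINIMAL = b"\x04\x82\x00\x03abc"
HUGE = b"\x30\x84\xff\xff\xff\xfe" + b"A" * 94

if __name__ == "__main__":
    print(parse_all(GOOD))
    print("32-bit check accepts huge length:", unsafe_bounds_ok(6, 0xFFFFFFFE, 100))
    print("remaining-bytes check accepts it:", safe_bounds_ok(6, 0xFFFFFFFE, 100))
    print("parser rejects HUGE:", is_rejected(HUGE))
```

The useful habit is the one in safe_bounds_ok: never add an attacker-supplied length to an offset and compare the sum; subtract the offset from the buffer size first, so no intermediate value can exceed the buffer size. Capping the length-of-length is a second, independent guard.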
Systems affected are Microsoft Windows NT 4.0, NT 4.0 TSE, 2000, Windows XP and
Windows Server 2003. The solution is to apply the appropriate patch as specified
by Microsoft Security Bulletin MS04-007.
W32.Netsky.D
W32.Netsky.D@mm is a mass-mailing worm that is a variant of W32.Netsky.C@mm.
The worm scans drives C through Z for email addresses and sends itself to those
that are found.
The Subject, Body, and Attachment names vary. The attachment will have a .pif
file extension. This virus affects systems running Windows XP/2000/98/Me/95.
Most anti-virus vendors have released anti-virus updates and removal tools to
tackle W32.Netsky.D.
W32.Beagle.E@mm
W32.Beagle.E@mm is a mass-mailing worm. This primarily spreads through e-mail
and is independent of the victim's e-mail client. W32.Beagle.E@mm will also
create a security hole on the victim's machine. This backdoor component will
allow a remote attacker to penetrate the victim's machine. To create the backdoor
functionality, the worm opens TCP port 2745.
The e-mail that the worm constructs has these characteristics:
- The From field will contain a spoofed e-mail address.
- The Subject field is selected from a list of different phrases available
to the worm itself. Thus, the subject line of the e-mail varies from one e-mail
to another.
- The Attachment file name field, which is the file name of the worm attached
to the e-mail, contains a set of random characters, followed by the file extension
".zip."
The worm is similar in functionality to W32.Beagle.C@mm. This worm affects systems
running Windows XP/2000/98/Me/95. Major anti-virus vendors have released
removal tools and updates.
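The two worm descriptions above each give an administrator something concrete to check for: Netsky.D arrives as a .pif attachment, and Beagle.E arrives as a randomly named .zip attachment and leaves a listener on TCP port 2745. The following added example (not vendor code) turns both into simple checks: an attachment triage rule for a mail gateway and a scan of Windows netstat output for the backdoor port. The netstat text is constructed, and the "random-looking name" rule is a deliberately coarse heuristic that only routes archives for closer inspection.

```python
import re

BEAGLE_BACKDOOR_PORT = 2745      # port opened by W32.Beagle.E@mm, per the description
BLOCKED_EXTENSIONS = {".pif"}    # W32.Netsky.D@mm attachments use this extension

# Coarse heuristic for Beagle.E-style names: a run of letters/digits plus ".zip".
# It will also catch ordinary names like "report.zip", so treat it as a hold-for-review rule.
RANDOM_ZIP = re.compile(r"^[A-Za-z0-9]{4,}\.zip$", re.IGNORECASE)


def classify_attachment(filename):
    """Return a reason to hold the attachment for review, or None to let it through."""
    name = filename.strip()
    lower = name.lower()
    for ext in BLOCKED_EXTENSIONS:
        if lower.endswith(ext):
            return "executable-type attachment (%s)" % ext
    if RANDOM_ZIP.match(name):
        return "zip archive with random-looking name"
    return None


def backdoor_listeners(netstat_text, port=BEAGLE_BACKDOOR_PORT):
    """Scan Windows 'netstat -an' output for TCP sockets listening on the given port."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        local = parts[1]
        try:
            local_port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if local_port == port:
            hits.append(local)
    return hits


# Constructed netstat output (not captured from a real infected machine).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2745           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:2745           *:*
"""

if __name__ == "__main__":
    for f in ("invoice.pdf", "photo.PIF", "xk4h2qz9.zip"):
        print(f, "->", classify_attachment(f))
    print("listeners on %d:" % BEAGLE_BACKDOOR_PORT, backdoor_listeners(NETSTAT_SAMPLE))
```

A listener on 2745 is a strong indicator worth an immediate look; the attachment rule is a screening aid and does not replace the vendor updates mentioned above.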
Security Genesis: The pre mass-viral age
In November 1987, the Lehigh Virus was discovered at Lehigh University in the
United States. The virus only infected Command.com. Since Command.com remains
resident, this was technically the first memory resident file infector.
In December 1987, the Jerusalem virus appeared at the Hebrew University of
Israel. It was the first file infector designed to go memory-resident. Jerusalem
was also the first virus discovered that infected programs with either .COM
or .EXE extensions (and the first to contain a bug which causes it to re-infect
already infected programs).
Reportedly, around this time, Stoned (the first MBR infector) was written by
a student at the University of Wellington in New Zealand, and the Vienna Virus
was written by an Austrian high school student.
Source: www.research.ibm.com
Lighter side: Hacker/cracker?
The typical movie stereotype of a cracker has been evolving over time. These
days a hacker can be an academic, an IT security professional, a
bored housewife, a political activist intent on using technology to spread their
message or even a spotty teenage boy with too much attitude hell bent on defacing
websites just as graffiti artists target trains with spray cans. Their motives
will vary, their methods will vary, their favorite food and operating systems
will vary, but the end results for the corporations and individuals who are
hacked are still the same: a compromised computer system that costs time
and money to put back online.
| Position | Virus | Percentage of reports |
| 1 | W32/Sober-C | 35.3% |
| 2 | W32/MyDoom-A | 25.3% |
| 3 | W32/Netsky-B | 7.8% |
| 4 | W32/Bagle-B | 5.3% |
| 5 | W32/Dumaru-A | 2.6% |
| 6 | W32/Mimail-J | 2.4% |
| 7 | W32/Mimail-C | 1.8% |
| 8 | W32/Mimail-Q | 1.1% |
| 9 | W32/Bagle-A | 1.1% |
| 10 | W32/Gibe-F | 1.0% |
| Others | | 16.3% |
Source: Sophos

Top ten hoaxes in February 2004
| Position | Hoax |
| 1 | JDBGMGR |
| 2 | Hotmail hoax |
| 3 | Meninas da Playboy |
| 4 | WTC Survivor |
| 5 | Bonsai kitten |
| 6 | Budweiser frogs screensaver |
| 7 | A virtual card for you |
| 8 | Elf Bowling |
| 9 | Bill Gates fortune |
| 10 | 0 Applebees Gift Certificate |
Source: Sophos