Issue of July 2004 


Security Watch

Worming into security infrastructure

According to Trend Micro, nearly half of the virus alerts it issued in May were Internet worms. This is not surprising, since present-day virus writers favour worms for their obvious advantages over traditional virus attack methods.

Trend Micro issued a total of 248 virus alerts in May. Nearly half (121, or 48.8 percent) were Internet worms. Trojans and backdoor programs took second and third place, accounting for a further 26.2 percent (65 alerts) and 10.9 percent (27 alerts) of the total. Trend Micro points out that worms no longer spread only via email: they are also being combined with backdoors, trojans and other black-hat tools to steal information.

Trend Micro has also noted several patterns in the evolution and behaviour of worms as attack mechanisms. They are the following.

Increased outbreak pace

The typical pace of worm outbreaks has jumped from roughly once a month to once a week. Trend Micro Senior Consultant Jamz Yaneza said, "Since the very first worm, Morris, appeared in 1988, worms have been wreaking havoc across the Internet. Over the last 18 months, worms have caused a major virus outbreak on average nearly once a month."

This trend took a sharp upturn at the beginning of this year. Yaneza said, "In the first quarter of 2004 alone, TrendLabs issued 12 virus alerts for major worm outbreaks. Largely the result of three new worms, MYDOOM, NETSKY and BAGLE, a new major outbreak has occurred nearly once a week on average so far this year."

According to TrendLabs, the worm outbreaks seen in May used newer, more advanced techniques. "The virus writers are learning from the behavior of previous malicious code, using alternative intrusion methods that are more difficult to detect and attacking the latest vulnerabilities."

Sasser is one of the best examples. However Sasser, which caused delays at British Airways, the cancellation of 40 Delta Air Lines flights and infections at 19 British Coast Guard control centres, did not make it into Symantec's top 10 list for May. Instead, it was the re-emergence of the two-year-old PE_ELKERN.D that took the number one position during May.

Virus cross-infection issues

The next trend is that virus cross-infection provides a route for old viruses to reappear. TrendLabs noted that cross-infection could pose an even more troublesome security problem as modern worms begin to cross-infect with older viruses. Yaneza observes: "Abnormal inter-virus alliances are emerging, as users infected with PE_FUNLOVE.4099 may also be simultaneously infected with PE_ELKERN.D, and PE_FUNLOVE.4099 in turn could be a side-effect of being infected with WORM_BRAID.A or WORM_WINEVAR.A."

This kind of tenacious outbreak clearly illustrates the importance of pre-emptive alerts and antivirus protection at every layer, rather than relying on desktop antivirus or gateway scanning alone.

According to a report published in April by the analyst firm Gartner, 25% of Internet attacks in 2003 exploited known vulnerabilities. This points to the growing danger of virus cross-infection. "Users who do not update their antivirus software can easily become high-risk groups for virus and worm cross-infection," said Yaneza. The latest example: just as the Sasser author was being apprehended, WORM_DABBER.A was spreading through computers already infected with Sasser. If a PC is infected with WORM_SASSER.A and nothing is done about it, the user may appear to have come through Sasser unscathed, but the back door Sasser leaves behind can then be used by Dabber to get into the system. A network administrator who finds Dabber inside the company network can be certain that the affected machines were also infected with Sasser.
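The inference in the last sentence (a Dabber detection implies a Sasser infection, a FunLove detection implies Elkern, and so on) is easy to automate as a triage step over antivirus alert logs. The script below is an added example, not code from the article or from Trend Micro: it encodes only the relationships the article itself describes, assumes a hypothetical one-line-per-alert log format, and uses constructed sample lines. Hosts where an implied infection was never reported are the ones that need a full rescan with current signatures, which is the practical form of Yaneza's warning about out-of-date antivirus.

```python
import re
from typing import Dict, Iterable, Set

# Cross-infection relationships as described in the article (Trend Micro names).
# Key: a detection; value: names the article says are likely to be present on the
# same host. The DABBER -> SASSER link is the back door left by Sasser; the others
# are the "inter-virus alliances" Yaneza describes.
IMPLIES: Dict[str, Set[str]] = {
    "WORM_DABBER.A": {"WORM_SASSER.A"},
    "WORM_BRAID.A": {"PE_FUNLOVE.4099"},
    "WORM_WINEVAR.A": {"PE_FUNLOVE.4099"},
    "PE_FUNLOVE.4099": {"PE_ELKERN.D"},
}

# Assumed (hypothetical) alert format for an AV log export:
#   <date> <time> host=<name> detect=<malware name> action=<what the scanner did>
ALERT_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+host=(?P<host>\S+)\s+detect=(?P<name>\S+)"
)

# Constructed sample log lines, not real data.
SAMPLE_LOG = """\
2004-05-17 09:12:01 host=acct-07 detect=WORM_DABBER.A action=quarantined
2004-05-17 09:12:44 host=acct-07 detect=WORM_SASSER.A action=cleaned
2004-05-17 10:03:19 host=dev-12 detect=WORM_DABBER.A action=quarantined
2004-05-18 14:40:02 host=hr-03 detect=WORM_BRAID.A action=deleted
2004-05-18 15:01:37 host=ops-01 detect=WORM_SASSER.A action=cleaned
2004-05-18 15:02:00 this line is not an alert and is skipped
"""


def parse_alerts(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Group detections by host; lines that do not match the format are ignored."""
    by_host: Dict[str, Set[str]] = {}
    for line in lines:
        m = ALERT_RE.match(line)
        if m:
            by_host.setdefault(m["host"], set()).add(m["name"])
    return by_host


def implied_infections(detected: Set[str]) -> Set[str]:
    """Transitive closure of IMPLIES over what the scanner actually reported."""
    result: Set[str] = set()
    stack = list(detected)
    while stack:
        for name in IMPLIES.get(stack.pop(), ()):
            if name not in result:
                result.add(name)
                stack.append(name)
    return result


def triage(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """For each host, the malware the article's relationships say should be there
    but the scanner did not report. Those hosts need a full scan with current
    signatures, not just cleanup of the one alert that fired."""
    report: Dict[str, Set[str]] = {}
    for host, detected in parse_alerts(lines).items():
        missing = implied_infections(detected) - detected
        if missing:
            report[host] = missing
    return report


if __name__ == "__main__":
    for host, missing in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(f"{host}: never reported {sorted(missing)}; rescan with current signatures")
```

In the constructed sample, acct-07 had both Dabber and Sasser reported and needs no extra action, while dev-12 (Dabber only) and hr-03 (Braid only, which implies FunLove and in turn Elkern) are flagged. The closure is deliberately one-directional: a Sasser detection on its own says nothing about Dabber.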

Worms do more than rapid spread

Trend Micro emphasises that today's worms do more damage than earlier generations. In addition to spreading across the Internet, worms have begun destroying files.

The number of worms announced by TrendLabs in May was lower than in April (121 compared to 161). However, this does not mean the threat has decreased. Earlier worms searched address books for targets, spread themselves across the Internet and did very little actual damage beyond clogging up bandwidth. The Wallon virus, which generated a medium-threat virus alert in May, not only achieves large-scale email proliferation through address lists but also downloads further virus files from a remote site and overwrites the original Media Player files, so that Media Player is unusable until it is reinstalled.

Trend Micro points out, "We cannot predict what kinds of attacks worms will use, but what we can be sure of is that email, shared folders and other network resources remain the breeding grounds for worms, and we can anticipate that more severe attacks including file damage will occur in the future."

Deadliness quotient

Security vendors are still divided (at the time of writing) over how dangerous the Zafi-B worm (W32.Erkez.B@mm at Symantec, W32/Zafi.b@MM at McAfee, W32/Zafi-B at Sophos, PE_ZAFI.B at Trend Micro) really is. They are united, however, in raising their threat levels for it.

The Zafi-B worm, which first appeared on Friday, 11 June 2004, spreads through peer-to-peer file-sharing systems and by email, using messages in a wide variety of languages.

The Zafi-B worm can display a message box on screen containing the following Hungarian text:

A hajlektalanok elhelyezeset, a bunteto torvenyek szigoritasat, es a HALALBUNTETES MEGSZAVAZASAT koveteljuk a kormanytol, a novekvo bunozes ellen! 2004, jun, Pécs,(SNAF Team).

The English translation is:

We demand that the government accommodates the homeless, tightens up the penal code and VOTES FOR THE DEATH PENALTY to cut down the increasing crime. Jun. 2004, Pécs (SNAF Team)

The Zafi-B worm is believed to have been written in Hungary, but it can send itself by email in a variety of languages. Its predecessor, Zafi-A, displayed a message calling for Hungarian patriotism. Antivirus updates for Zafi-B are available from most major vendors.

The first ever 64-bit virus

Symantec Security Response experts have analyzed the first known 64-bit malicious threat -- W64.Rugrat.3344. This proof-of-concept virus is not spreading in the wild, according to Symantec. However, it is the first known threat to attack 64-bit Windows executables successfully.

Rugrat does not infect 32-bit executables and will not run on 32-bit Windows platforms. It targets 64-bit Windows systems only.

W64.Rugrat.3344 exhibits the following characteristics:

  • It is a direct-action infector: it does its work and exits rather than staying resident in memory.
  • Written in IA-64 (Intel Itanium architecture) assembly code, it infects IA-64 executable files, excluding .dll files.
  • It infects files in the same folder as the virus as well as all files within the subfolders.

Symantec does not expect widespread infection, or copying of this virus's code by other authors, since 64-bit systems have little market penetration. Most home and business systems deployed today run on 32-bit platforms and are not affected by this threat.
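The three characteristics above amount to a file-selection rule: walk the current folder and its subfolders, and pick PE32+ images whose COFF machine type is IA-64 and which are not DLLs. The script below is an added example (not Symantec's analysis code or the virus itself) that applies that same rule from the defender's side, so an administrator can inventory which files on a share would be in scope. It parses only the PE header fields needed for the decision, using constants from the PE/COFF specification, and the test files are constructed header stubs rather than real executables; the IA-64 versus AMD64 distinction is included to show why x86-64 machines, like 32-bit ones, fall outside this virus's target set.

```python
import os
import struct
import tempfile
from typing import Dict, List, Optional

# Constants from the PE/COFF specification (IMAGE_FILE_HEADER / IMAGE_OPTIONAL_HEADER).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_IA64 = 0x0200   # Itanium, the architecture Rugrat targets
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # x86-64: also "64-bit Windows", but not Rugrat's target
IMAGE_FILE_DLL = 0x2000            # Characteristics flag: image is a DLL
PE32_MAGIC = 0x10B                 # 32-bit optional header
PE32PLUS_MAGIC = 0x20B             # 64-bit optional header
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes, little-endian)
COFF_HEADER = "<HHIIIHH"


def parse_pe(data: bytes) -> Optional[Dict[str, int]]:
    """Read the header fields the selection rule needs; None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _, _, _, _, opt_size, characteristics = struct.unpack_from(
        COFF_HEADER, data, e_lfanew + 4)
    if opt_size < 2:
        return None
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {"machine": machine, "magic": magic,
            "is_dll": int(bool(characteristics & IMAGE_FILE_DLL))}


def is_rugrat_target(data: bytes) -> bool:
    """IA-64 PE32+ executable that is not a DLL: the file population Symantec describes."""
    info = parse_pe(data)
    return (info is not None and info["machine"] == IMAGE_FILE_MACHINE_IA64
            and info["magic"] == PE32PLUS_MAGIC and not info["is_dll"])


def build_pe_stub(machine: int, magic: int, is_dll: bool) -> bytes:
    """Constructed minimal PE header (DOS header, PE signature, COFF header and the
    optional-header magic) for testing. It is not a loadable executable."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    characteristics = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224
    coff = struct.pack(COFF_HEADER, machine, 1, 0, 0, 0, opt_size, characteristics)
    return dos + b"PE\0\0" + coff + struct.pack("<H", magic) + b"\0" * 64


def scan_tree(root: str) -> List[str]:
    """Walk root and all its subfolders (the virus's search scope) and return the
    relative paths of files matching its target profile, sorted for stable output."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                head = f.read(4096)  # the headers sit at the front of the file
            if is_rugrat_target(head):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def demo_scan() -> List[str]:
    """Build a constructed folder tree of header stubs and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        samples = {
            "ia64_app.exe": build_pe_stub(IMAGE_FILE_MACHINE_IA64, PE32PLUS_MAGIC, False),
            "ia64_lib.dll": build_pe_stub(IMAGE_FILE_MACHINE_IA64, PE32PLUS_MAGIC, True),
            "x64_app.exe": build_pe_stub(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC, False),
            "x86_app.exe": build_pe_stub(IMAGE_FILE_MACHINE_I386, PE32_MAGIC, False),
            "sub/ia64_tool.exe": build_pe_stub(IMAGE_FILE_MACHINE_IA64, PE32PLUS_MAGIC, False),
            "readme.txt": b"not a PE file at all",
        }
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    print(demo_scan())  # ['ia64_app.exe', 'sub/ia64_tool.exe']
```

Note that the decision is made on the machine type and optional-header magic, not on the file extension: a renamed .dll is still excluded because IMAGE_FILE_DLL is set in its Characteristics, and a 32-bit PE is excluded by its machine type and PE32 magic regardless of what it is called.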

W64.Rugrat.3344 is a Level 1 threat (Level 5 being the most severe). Symantec Security Response recommends that users update their virus definitions to protect against this threat.

Source: F-Secure


Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.
This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Bombay) Limited. Site managed by BPD.