Open source viruses
Virus authors traditionally wrote their virus code, compiled it and released
the virus into the wild, where they went forth, multiplied and caused misery
to one and all. The source code of the virus usually remained a closely guarded
secret with the author. Not any more. The author of mass-mailing worm Bagle
began distributing its source code on he Internet on Sunday, 4th of July 2004.
Once infected with Bagle, a PC will download a Trojan that turns the infected
computer into one soldier in the worm author's army of zombie PCs, which can
be used to distribute malicious code, spam and to launch distributed denial-of-service
attacks. The first Bagle worm appeared in January 2004, and over 25 variants
appeared in the following months.
Now the task of copycat virus writers is simplified. The code is complete with
the author's comments explaining the purpose behind each part of the code. Modifying
the code to create newer variants is therefore much easier. In fact, the author
has released two variants of Bagle along with the source code, effectively demonstrating
how it can be done.
The author's motives for releasing the code are not difficult to decipher. In
the past, a few virus authors who were caught were convicted based on the evidence
of the virus source code being present on their PCs. Possession of source code
was used as proof of authoriship. Unfortunately this argument will no longer
hold water. Now if anyone is caught with the Bagle source code on his PC, the
codes downloadability is an escape root.
Another worrying development is that the virus source code is entirely written
in Assembler--a powerful low level programming language that is difficult to
learn and master. With the availability of high level languages such as C, few
people code entirely in Assembler any more. This means that the virus author
is a serious programmer, not just a teenage kid with extra time on his hands.
Further exploits can thus be expected from this source.
Courtesy: Peter Theobald, CEO, IT Secure
Symantec Security Response has identified a new variant of the Beagle worm --
W32.Beagle.AB@mm. Symantec upgraded this threat to a Level 3 due to increased
submission rates from both corporate and consumer customers.
W32.Beagle.AB@mm is a mass-mailing worm that opens a backdoor on TCP port 1234
and uses its own SMTP engine to spread through e-mail. The source code is embedded
in the worm and may arrive in an e-mail or in an attached message. If a machine
becomes infected with W32.Beagle.AB@mm, it will allow the attacker to have remote,
unauthorized access to the machine. Due to the ability of the remote user to
perform so many different actions on the server system, including installation
of applications. Due to this threat, Symantec recommends that compromised systems
be reinstalled. The threat also creates a mass mailing of itself, which may
clog mail servers and downgrade system performance.
Symantec Security Response recommends that IT administrators filter attachments
not on a list of approved types at the e-mail gateway and apply the Outlook
e-mail Security Update (Q262631) in order to block user access to certain attachment
types. This update also notifies the user of applications attempting to access
the Outlook address book.
Spyware - a hidden threat
Trend Micro has released a whitepaper on how spyware is increasingly becoming
a major threat to enterprise security.The major types of spyware as identified
by Trend Micro are the following.
Adware is a type of spyware program that transmits a user's personal information
to advertisers who then use the data to send targeted ads to the user. Although
it is seemingly harmless, it gathers personal information for marketing purposes,
including the user's age, sex, location, buying preferences, and surfing habits.
In some cases, it even compromises the user's Web surfing experience by hijacking
Web pages and displaying other marketing content.
These types of programs permanently change dial-up settings on a computer to
connect a modem to a remote location, resulting in expensive long-distance charges
and exposure to other spyware programs.
Joke programs are applications created and distributed for amusement reasons
only. In general, these programs are harmless. However, they can be annoying
and distracting. Worst case scenario: an offensive joke opens in a corporate
environment and leads to a liability lawsuit.
Remote access tools
These are tools created to enable remote administration for legitimate purposes.
There is no proper notification or visibility to inform the user that the remote
access tools are being installed. It can be used for malicious intent to obtain
confidential corporate information from a remote system-without being tracked.
These are tools commonly used by network administrators to test the weakness
of their corporate systems. However, if these tools fall into the wrong hands,
they could be used illegally to access confidential corporate systems and steal
Password cracking applications
IT administrators use these applications to test the weakness of passwords within
their organization. They can also be used for the malicious purpose to get users'
passwords without their knowledge.
There are a variety of other spyware programs that are not as common or widespread.
Nonetheless, they still present a serious threat, and Trend MicroTM anti-spyware
technology is designed to detect and clean these spyware-related programs.
The whitepaper can be found at,http://www.trendmicro.com/en/security/white-papers/overview.htm
IIS 5 web server compromises
According to US-CERT (http://www.us-cert.gov/current/current_activity.html),
there is activity affecting compromised web sites running Microsoft's Internet
Information Server (IIS) 5 and end-user systems that visit these sites.
the bottom of pages delivered by their web server.
may contain malicious code that can affect the end-user's system.
This activity is another example of why end users must exercise caution when
this activity from affecting an end-user's system, but may also degrade the
Microsoft has released an important security update for Internet
Explorer (IE). This update reduces the impact of attacks against several vulnerabilities
For additional information,
please refer to TA04-184A (http://www.us-cert.gov/cas/
techalerts/TA04-184A.html) and VU#713878 (http://www. kb.cert.org/vuls/id/713878).