Security Watch
Open source viruses
Virus authors traditionally wrote their virus code, compiled it and released
the virus into the wild, where it went forth, multiplied and caused misery
to one and all. The source code of the virus usually remained a closely guarded
secret of the author. Not any more. The author of the mass-mailing worm Bagle
began distributing its source code on the Internet on Sunday, 4th July 2004.
Once infected with Bagle, a PC will download a Trojan that turns the infected
computer into one soldier in the worm author's army of zombie PCs, which can
be used to distribute malicious code and spam and to launch distributed denial-of-service
attacks. The first Bagle worm appeared in January 2004, and over 25 variants
appeared in the following months.
Now the task of copycat virus writers is simplified. The code is complete with
the author's comments explaining the purpose behind each part of the code. Modifying
the code to create newer variants is therefore much easier. In fact, the author
has released two variants of Bagle along with the source code, effectively demonstrating
how it can be done.
The author's motives for releasing the code are not difficult to decipher. In
the past, a few virus authors who were caught were convicted on the evidence
of the virus source code being present on their PCs: possession of the source
code was taken as proof of authorship. Unfortunately this argument will no longer
hold water. If anyone is now caught with the Bagle source code on his PC, the
fact that the code can be downloaded by anybody offers an escape route.
Another worrying development is that the virus source code is written entirely
in Assembler, a powerful low-level programming language that is difficult to
learn and master. With the availability of high-level languages such as C, few
people code entirely in Assembler any more. This means that the virus author
is a serious programmer, not just a teenage kid with extra time on his hands.
Further exploits can thus be expected from this source.
Courtesy: Peter Theobald, CEO, IT Secure
W32.Beagle.AB
Symantec Security Response has identified a new variant of the Beagle worm,
W32.Beagle.AB@mm. Symantec upgraded this threat to a Level 3 due to increased
submission rates from both corporate and consumer customers.
W32.Beagle.AB@mm is a mass-mailing worm that opens a backdoor on TCP port 1234
and uses its own SMTP engine to spread through e-mail. The source code is embedded
in the worm and may arrive in an e-mail or in an attached message. A machine
infected with W32.Beagle.AB@mm gives the attacker remote, unauthorized access
to it. Because the remote user can perform so many different actions on the
compromised system, including the installation of applications, Symantec recommends
that compromised systems be reinstalled. The worm also mass-mails itself, which
may clog mail servers and degrade system performance.
Symantec Security Response recommends that IT administrators filter, at the
e-mail gateway, any attachment whose type is not on a list of approved types,
and apply the Outlook E-mail Security Update (Q262631) in order to block user
access to certain attachment types. This update also notifies the user of applications
attempting to access the Outlook address book.
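The gateway-side allowlist filter recommended above, as an added example written for this page (it is not Symantec's code or any product's filter). It parses a MIME message with Python's standard email package and rejects every attachment whose final extension is not on an approved list. The approved-extension set is an assumed policy, and the sample messages are constructed here rather than captured worm samples.

```python
"""Allowlist attachment filter of the kind an e-mail gateway would apply.

Added example for this page, not Symantec's code. APPROVED_EXTENSIONS is an
assumed policy: executables and archives are deliberately absent from it."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import collapse_rfc2231_value
import posixpath

# Assumed policy: only these final extensions pass; everything else is rejected.
APPROVED_EXTENSIONS = {".txt", ".pdf", ".jpg", ".png", ".gif"}


def extension_chain(filename):
    """Every dotted suffix of a name: 'a.txt.exe' -> ['.txt', '.exe'].

    A trailing dot yields '.', which is not approved, so 'setup.exe.' is
    rejected rather than passing as an extension-less name."""
    base = posixpath.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def classify_attachment(part):
    """Return ('allow', name) or ('reject', reason) for one MIME part.

    Both the Content-Disposition filename and the Content-Type name parameter
    are checked, because a mail client may use either one when saving the
    file, and an attacker can set them to different values."""
    names = []
    if part.get_filename():
        names.append(part.get_filename())
    ct_name = part.get_param("name")
    if ct_name:
        names.append(collapse_rfc2231_value(ct_name))
    if not names:
        return ("reject", "attachment without a filename")
    for name in names:
        exts = extension_chain(name)
        if not exts or exts[-1] not in APPROVED_EXTENSIONS:
            return ("reject", "%s is not an approved attachment type" % name)
    return ("allow", names[0])


def check_message(raw):
    """Classify every attachment of an RFC 822 message given as text."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [classify_attachment(part) for part in msg.iter_attachments()]


def build_sample(filename, extra_params=None):
    """Constructed test message (not a captured worm sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"constructed payload", maintype="application",
                       subtype="octet-stream", filename=filename,
                       params=extra_params)
    return msg.as_string()


if __name__ == "__main__":
    for fn, params in (("notes.txt", None), ("photo.jpg.scr", None),
                       ("report.pdf", {"name": "report.exe"})):
        print(fn, check_message(build_sample(fn, params)))
```

The third sample shows why both name sources are checked: the Content-Disposition filename is an approved .pdf, but the Content-Type name parameter says .exe, and the part is rejected.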
Spyware - a hidden threat
Trend Micro has released a whitepaper on how spyware is increasingly becoming
a major threat to enterprise security. The major types of spyware identified
by Trend Micro are the following.
Adware
Adware is a type of spyware program that transmits a user's personal information
to advertisers who then use the data to send targeted ads to the user. Although
it is seemingly harmless, it gathers personal information for marketing purposes,
including the user's age, sex, location, buying preferences, and surfing habits.
In some cases, it even compromises the user's Web surfing experience by hijacking
Web pages and displaying other marketing content.
Dialers
These types of programs permanently change dial-up settings on a computer to
connect a modem to a remote location, resulting in expensive long-distance charges
and exposure to other spyware programs.
Joke programs
Joke programs are applications created and distributed for amusement reasons
only. In general, these programs are harmless. However, they can be annoying
and distracting. Worst case scenario: an offensive joke opens in a corporate
environment and leads to a liability lawsuit.
Remote access tools
These are tools created to enable remote administration for legitimate purposes.
Installed as spyware, they give no proper notification or visibility to inform
the user that a remote access tool is being installed, and they can be used
with malicious intent to obtain confidential corporate information from a remote
system without being tracked.
Hacking tools
These are tools commonly used by network administrators to test the weakness
of their corporate systems. However, if these tools fall into the wrong hands,
they could be used illegally to access confidential corporate systems and steal
data.
Password cracking applications
IT administrators use these applications to test the weakness of passwords within
their organization. They can also be used maliciously to obtain users' passwords
without their knowledge.
Other
There are a variety of other spyware programs that are not as common or widespread.
Nonetheless, they still present a serious threat, and Trend Micro anti-spyware
technology is designed to detect and clean these spyware-related programs.
The whitepaper can be found at http://www.trendmicro.com/en/security/white-papers/overview.htm
IIS 5 web server compromises
According to US-CERT (http://www.us-cert.gov/current/current_activity.html),
there is activity affecting compromised web sites running Microsoft's Internet
Information Server (IIS) 5 and end-user systems that visit these sites.
Compromised sites append JavaScript to the bottom of web pages. Web server administrators
running IIS 5 should verify that there is no unusual JavaScript appended to
the bottom of pages delivered by their web server.
The appended JavaScript attempts to load a file hosted on another server. That
file may contain malicious code that can affect the end user's system.
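One way to carry out the verification step above, as an added example written for this page (not a US-CERT or Microsoft tool): fetch a page as a browser would and flag any script block that sits after the document's closing tag or whose src points at a host other than the site's own. It assumes that legitimate pages end with </html> and load their own scripts from the site's host or from relative paths; the sample pages and the 198.51.100.23 address are constructed for the demonstration.

```python
"""Check served HTML for JavaScript appended after the document's own markup.

Added example, not part of the US-CERT note. Assumes legitimate pages end with
</html> and load their own scripts from the site's host or relative paths;
anything after </html>, or any <script src> on another host, is reported."""
import re
import urllib.request
from urllib.parse import urlparse

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def find_appended_scripts(html, site_host):
    """Return findings for <script> blocks that look injected.

    A block is reported when it sits after the final </html> tag (content the
    application itself did not emit) or when its src points at a host other
    than site_host. Relative src values are treated as same-host."""
    findings = []
    end_of_doc = html.lower().rfind("</html>")
    for match in SCRIPT_TAG.finditer(html):
        attrs, body = match.group(1), match.group(2)
        src_match = SRC_ATTR.search(attrs)
        src = src_match.group(1) if src_match else None
        reasons = []
        if end_of_doc != -1 and match.start() > end_of_doc:
            reasons.append("script after </html>")
        if src:
            host = urlparse(src).hostname
            if host and host.lower() != site_host.lower():
                reasons.append("src on external host %s" % host)
        if reasons:
            findings.append({
                "offset": match.start(),
                "src": src,
                "inline": body.strip()[:80],   # first part of any inline code
                "reasons": reasons,
            })
    return findings


def check_url(url, timeout=10):
    """Fetch a page as a browser would and run the check on it (needs network)."""
    host = urlparse(url).hostname
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "latin-1"
        html = resp.read().decode(charset, "replace")
    return find_appended_scripts(html, host)


# Constructed sample pages for the demonstration (not captured from any server).
CLEAN_PAGE = (
    "<html><head><title>Catalogue</title>\n"
    '<script src="/js/menu.js"></script></head>\n'
    "<body><p>Welcome</p></body></html>\n"
)
# Same page with an externally sourced script appended after </html>.
APPENDED_PAGE = CLEAN_PAGE + (
    '<script language="javascript" src="http://198.51.100.23/x.js"></script>\n'
)
# Same page with an inline script appended; caught by position alone.
INLINE_PAGE = CLEAN_PAGE + (
    "<script>document.write('<img src=http://198.51.100.23/c.gif>')</script>\n"
)

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("appended", APPENDED_PAGE),
                        ("inline", INLINE_PAGE)):
        print(label, find_appended_scripts(page, "www.example.com"))
```

Run it over every page type the server delivers, not only the home page, since a server-side footer is attached to all of them; a finding is a prompt to inspect the server, not proof of compromise on its own.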
This activity is another example of why end users must exercise caution when
JavaScript is enabled in their web browser. Disabling JavaScript will prevent
this activity from affecting an end-user's system, but may also degrade the
appearance and functionality of some web sites that rely upon JavaScript.
Microsoft has released an important security update for Internet Explorer (IE).
This update reduces the impact of attacks against several vulnerabilities
in IE.
For additional information, please refer to TA04-184A (http://www.us-cert.gov/cas/techalerts/TA04-184A.html)
and VU#713878 (http://www.kb.cert.org/vuls/id/713878).