Security Watch
Cracker: Real or virtual?
The fine line separating a real cracker from completely automated
attack tools is blurring rapidly. Today's worms can spread and break open networks
in a manner similar to a human intruder. This is evident from the attack
mechanisms of the Gaobot (W32.Gaobot.AZT) worm. This worm is a variant of the
earlier W32.Gaobot.WO (Symantec).
W32.Gaobot.AZT uses the same attack strategy as an attacker on the network armed
with a tool for cracking weak passwords. This worm exploits weak passwords on shared
folders in the network. Multiple vulnerabilities like the DCOM RPC vulnerability
are used by the worm to spread. The worm allows black hat hackers to utilize
a predetermined IRC channel for accessing the infected PC. The worm affects
only Windows 2000/NT/XP operating systems. Other Windows versions are unaffected.
Although W32.Gaobot.AZT has not been accorded a top threat
rating by any anti-virus vendor or security advisory, it is still a pointer
towards future threats that might arise. Worms are increasing in complexity
and the amount of damage they can inflict. With capabilities like password crackers
in-built, these worms can do damage of magnitudes much larger than other automated
cracking tools like auto-rooters. Another threat is the free availability of
worm code and tool writing kits that allow even non-programmers to increase
damage levels by making easy alterations. This makes possible threats of a scale
that would have been unimaginable earlier.
McAfee's list of top 10 malicious threats
McAfee has announced the top 10 malicious threats identified by McAfee AVERT,
the company's anti-virus and vulnerability emergency response team. This covers
threats affecting both enterprise and home users worldwide in the first half
of 2004.
According to the report, mass mailers are still the predominant
method by which virus writers impact enterprises, whereas Potentially Unwanted
Programs (PUPs) like spyware/adware related malware account for 60 percent of
the malicious threats tracked, significantly impacting consumer and home users.
Based on reports, McAfee AVERT also anticipates phishing schemes will continue
to increase throughout the remainder of 2004 due to general lack of consumer
awareness.
Overall, McAfee says that computer virus attacks reaching
a medium risk assessment or higher have dramatically increased in the first
half of 2004, compared to all of last year. By the end of the first quarter
of 2004 alone, there were more viruses reaching a medium assessment or higher
than in all of 2003 with over 21 medium or higher viruses in the first quarter
of 2004 compared to 20 medium or higher viruses in all of 2003. In the first
half of 2004, 50 new computer viruses were unleashed every day.
The top 10 threats in the first half of 2004 all fall into
one of the following three key areas: email-borne virus threats, malware threats
delivered by spam, and spyware/adware threats. Listed in order of significance,
the top threats are:
- Exploit-MhtRedir.gen
- VBS/Psyme
- Adware-Gator
- Adware-180Solutions
- Adware-Cydoor
- Adware-BetterInet
- W32/Netsky.d@MM
- W32/Netsky.p@MM
- W32/Netsky.q@MM
- W32/Mydoom.a@MM
The recent war between the Bagle and Netsky authors caused a tremendous increase
in the number of virus attacks seen this year. In the first six months of this
year, the Bagle and Netsky viruses have been reported in 215 countries. Today,
there are still three Bagle variants and three Netsky variants that are rated
as a medium threat by McAfee AVERT. Let's take a closer look at the major threats.
Mass Mailers still lead: Mass mailers consist of standalone programs that send
themselves out in the form of an e-mail attachment to e-mail addresses that
are harvested from infected computers. This results in a large number of machines
getting infected within a short period. In addition, worms that carry viruses
and backdoors inside them, or which have additional features such as local network
spreading, or password or data stealing, have become more popular. Overall,
enterprises tend to be more affected than consumers by e-mail-borne viruses,
because corporate employees are less likely to use free software applications
that happen to also deliver spyware or adware.
Spyware/adware threats continue to climb: Today's adware is more often categorized
as surveillance-driven spyware, programs that are dropped onto a user's system
and installed without their knowledge. In addition, spam that is encoded with
exploit capabilities to also install spyware has become an increasing issue
among consumers. McAfee AVERT's top two listed threats, MhtRedir and Psyme,
are of this class. Overall, consumers are more affected by spyware/adware threats
and less by e-mail-borne threats because most consumers use Internet Service
Providers that proactively scan and clean e-mail viruses before messages are delivered
to the consumer.
Phishing and identity theft become an increasing concern: Phishing attacks use
spoofed e-mails and fraudulent websites designed to fool recipients into divulging
personal financial data such as credit card numbers and social security numbers.
According to Gartner, 92 percent of phishing attacks occurred just within the
last year. McAfee says that phishing schemes and identity theft will continue
to be a problem among the consumer community until further education and widespread
acceptance of proactive protection occurs.
PDA virus
The first Trojan for PDAs has been reported by Sophos. Christened
Brador (Troj/Brador-A), the virus installs backdoors on PDAs running the PocketPC
operating system.
This comes in the wake of Cabir, a worm affecting Symbian OS, and Duts, a PocketPC
virus, both of the proof-of-concept variety. Brador's differing factor is that
it contains a deadly payload. This virus affects only PocketPC based PDAs that
use the ARM processor. The virus spreads through Web downloads. When the Trojan
is run, it copies itself in the folder \windows\startup on the infected computer
(to which the PDA is connected) as svchost.exe. It then continually tries to
send an e-mail to the virus author with the infected PDA's IP address. After
this Brador opens TCP port 2989, making the infected PDA open for access to
attackers.
Brador virus is also known as Backdoor.WinCE.Brador.a, Backdoor.Brador.A, Brador,
WINCE_BRADOR.A, and WinCE/BackDoor-CHK. The good news is that major anti-virus
vendors have reported only low spread of the virus.
The latest Beagle flavor
W32.Beagle.AO@mm, the latest variant
of the Beagle worm, combines the mass mailing functions with backdoor capabilities.
This just serves to illustrate how deadly viruses can be when their code is
freely available for others to modify them into deadlier versions.
According to Symantec, the W32.Beagle.AO@mm is a mass mailing worm that uses
its own SMTP engine to spread. The email attachment is a Mitglieder-like downloader
that brings the worm from external sources. The worm also has a backdoor functionality,
opening UDP and TCP port 80. This worm affects Windows 2000, Windows 95, Windows
98, Windows Me, Windows NT, and Windows XP. Other systems are not affected by
the virus. Symantec has accorded a threat rating of three to the worm, five
being the most severe.
The worm is also known as W32/Bagle.aq@MM (McAfee), WORM_BAGLE.AC (Trend) and
Win32.Bagle.AG (Computer Associates). Most of the major anti-virus vendors have
issued updates for the latest Beagle mutant.
CA raises Mydoom.O worm to high threat
Computer Associates
has raised the threat level for the Mydoom.O worm to high, based on extremely
intensive activity levels and exponential growth.
Mydoom.O uniquely uses search engines and websites as it seeks to find new targets,
and the sheer volume of such traffic effectively causes denial of service attacks.
CA reports more than 1,000 samples from enterprise customers on Mydoom.O, which
is abusing the following sites with intense search activity:
search.lycos.com; altavista.com; search.yahoo.com; google.com
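A detection sketch for the Mydoom.O behaviour described above, added here as an example and not taken from CA or the original column: it counts each client's requests to the four listed search sites in a sliding window over proxy log lines. The log layout, the 60-second window, the threshold of 30 and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The four search sites named in the report above.
SEARCH_SITES = ("search.lycos.com", "altavista.com", "search.yahoo.com", "google.com")

def is_search_host(host):
    """True if host is a listed site or a subdomain of one (not a lookalike)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in SEARCH_SITES)

def parse_line(line):
    """Parse 'ISO-timestamp client-ip host path' (assumed layout); None if malformed."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2]
    except ValueError:
        return None

def flag_search_floods(lines, window_s=60, threshold=30):
    """Return {client: peak count} for clients whose search requests exceed
    threshold inside any sliding window. Lines must be in time order."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_search_host(rec[2]):
            continue
        ts, client, _ = rec
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[client] = max(peaks.get(client, 0), len(q))
    return peaks

def constructed_sample():
    """Constructed log: one flooding client, one ordinary user, one bad line."""
    base = datetime(2004, 7, 26, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.23 "
             f"{SEARCH_SITES[i % 4]} /search?q=x" for i in range(120)]
    lines += [f"{(base + timedelta(minutes=2 * i)).isoformat()} 10.0.0.40 "
              f"www.google.com /search?q=y" for i in range(5)]
    return sorted(lines) + ["malformed entry"]

if __name__ == "__main__":
    print(flag_search_floods(constructed_sample()))
```

A flagged client is a lead for host triage rather than a verdict, since crawlers and shared NAT addresses can also exceed the threshold.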