Popp goes the story

Nothing terribly serious on the security front this week, but Mac OS X 10.4 users may be interested in the security content in the 10.4.1 update and anyone running significant routing infrastructure exposed to the internet should look at the TCP timestamp issue to see if their products are affected. Multi-platform products Gaim and LISTSERV also have fixes for possible remote code execution vulnerabilities, which are better fixed sooner than later (after exploits are being widely exercised).

This issue's topics:

Introduction:

* Extortion Trojan; TCP timestamp, OS X 10.4, Gaim, LISTSERV updates

Virus News:

* Popp goes the story

Security News:

* MS05-016 exploited in spammed Trojan

* MS05-019 revised - previous snafus to be fixed

* TCP timestamp handling vulnerability in multiple vendors' products

* Apple updates Tiger

* Gaim update fixes remote code execution vulnerabilities

* L-Soft LISTSERV remote code execution fixed

Introduction:


On the virus front the usual flood of bots continues, but few of these reach the level of newsworthiness usually deemed sufficient for inclusion here. What did catch my eye this week — mainly for its sheer annoyance value at the lack of historical perspective shown in all the coverage it managed to gain — was the story about a trivial data-encrypting, extortion-heralding Trojan. As no major news sources I am aware of made the link, I've taken the liberty of setting the story straight.

Virus News:

* Popp goes the story

Dubbed PGPCoder by the media and the security vendors busily talking it up, and variously known as that, GPcoder, GPcode, Gopper and Racketeer by the AV industry, you could be excused for thinking this was the malicious code story of the week.

The real story here was the loss of plot.

You see, although the damp squib of PGPCoder was almost universally touted as the first malware to encrypt a victim's files and then demand a ransom payment be sent to its author in return for a program that would decrypt the files, it was far from that, at least in terms of time, anyway. In reality, it may be only the second such case, and there are good reasons for that.

Close to fifteen years ago — assuming we can trust the Royal Mail's date stamps, 11 December 1989 to be precise — US citizen Dr Joseph Lewis Popp mailed (yes, as in envelopes and stamps, not email) what quickly became known as the 'AIDS Information diskette' or the 'AIDS Trojan diskette'. Initially this raised a few eyebrows because of what many saw as the 'preposterous' licensing conditions and/or price asked for the software on the diskette. Analysis of the disk's contents soon showed that the program not only quizzed users about their knowledge of AIDS, but installed a counter and time-bomb logic that would, after ninety system restarts, scramble the contents of the system boot drive's root directory. About 20,000 such diskettes were posted to European (and a few other non-US) addresses and police later estimated that approximately 1% of recipients ran the program on the disk.

The 'licence agreement' included with the AIDS Information diskette demanded payment of US$189 or US$378, respectively for 365 uses or lifetime usage rights for the program. The licence also indicated the program's owner reserved the right to 'use program mechanisms to ensure termination of the use of the program' and ominously threatened that this mechanism might 'adversely affect other program applications'. The licence fee was supposed to be posted to 'PC Cyborg Corporation' at an address in Panama.

Popp was traced as a likely suspect, arrested in the US, extradited to the UK for trial and eventually declared unfit for trial on the grounds of insanity. He was deemed by the UK courts to be a 'public disgrace' and deported back to the US. Popp was also tried in absentia in Italy, found guilty and sentenced to two years in prison.

Interested readers should search for some of the key names and phrases above for a wealth of additional details about this case, which suggest (among others) that Popp was far from the fruit loop he convinced the UK court-appointed psychiatrists he was, that the up-front costs he sustained in launching the mail-out were well in excess of GBP10,000, and that he planned to use the hoped-for proceeds from this initial run to fund a much larger second mail-out.

Anyway, the main lesson for a would-be mass-distributed file-encrypting Trojan perpetrator to learn from the AIDS Trojan case is that the requirement of getting paid means you are much more easily traceable. Whether modern policing methods and skills are up to the reputedly stiffer technological demands of 'e-crime' or not, old-school skills such as 'follow the money' are typically all that is needed when actual financial fraud or monetary transactions are involved.

None of Popp's estimated thousand or so victims are known to have ever paid up, though there are many well-confirmed cases of scrambled disks as a result of some of the victims running the AIDS Information Disk program and not having run one of the 'antidote' programs subsequently made available by various antivirus researchers in time. PGPCoder is only known to have affected a very small number of folk and has not, as far as can be determined, been widely disseminated.

Yes, there are some differences in the modus operandi of the PGPCoder and Popp cases, but they are largely insignificant and mainly reflect the differences in time-scale that almost instant internet distribution affords (or even requires) compared to the pace of postal distribution. All the 'experts' pronouncing this a 'first' or 'major new threat' or some kind of 'evil development' are clearly out of touch with the history of malware, and more importantly still, its mechanics.

As we have not mentioned the details of PGPCoder, and have done Popp to death, all the following links describe the more recent of the two cases and, as suggested above, anyone wanting even more detail on the Popp case should check with their favourite search engine.

Websense warns of cyber attack that holds files hostage - Computerworld.com

Computer Associates Virus Information Center

F-Secure Security Information Centre

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

Security News:

* MS05-016 exploited in spammed Trojan

Why is this in the 'security' section and not the 'virus' section I hear you ask.

Well, we're not really interested in the associated trojan but mainly concerned that an exploit of MS05-016 that was initially only detected by two virus scanners is apparently now in increasingly widespread use. Linked below is an archived mailing list message, posted by your newsletter compiler, describing the event.

Archived Full-Disclosure list message - grok.org.uk

* MS05-019 revised - previous snafus to be fixed

Microsoft has revised the MS05-019 security bulletin. Redmond has disclosed that it will re-issue the bulletin and patches, as appropriate, on June's 'Patch Tuesday'.

The update will address problems introduced by the MS05-019 patches and Windows Server 2003 SP1 which can cause connections across diversely-routed (typically WAN) networks to fail. The specific problem is described in Knowledge Base article 898060 — the second item linked below. That article also describes a workaround for users suffering those problems in the meantime.

Finally, a recently released Security Advisory, the third of these new initiatives from Microsoft, explains that the MS05-019 update also fixes the TCP timestamp vulnerabilities described in the US-CERT Vulnerability Note. The security advisory is the third item linked below.

Microsoft Security Bulletin MS05-019

MS05-019 or Windows Server 2003 SP1 may disrupt network connectivity - microsoft.com

Vulnerability in TCP Could Allow Connection Reset - microsoft.com

* TCP timestamp handling vulnerability in multiple vendors' products

US-CERT has posted a Vulnerability Note describing a flaw in the handling of TCP timestamp values in multiple vendors' implementations of this core Internet protocol. Of special concern is that long-lasting connections, such as those used by the key Border Gateway Protocol (BGP) routing protocol, are vulnerable to denial of service attacks via exploitation of this vulnerability.

The Vulnerability Note should be checked for details of affected vendors and products, but of particular note are the inclusion of the major BSD-based distributions (Apple is listed as 'Unknown' but it seems likely OS X would be vulnerable), Cisco and Microsoft (though note the item above about MS05-019).

TCP does not validate segments before updating timestamp value - cert.org
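The Vulnerability Note's title says it all: the flawed stacks update the connection's remembered timestamp (TS.Recent in RFC 1323 terms) from a segment before checking that the segment actually belongs in the receive window, after which the peer's genuine segments fail the PAWS check and the long-lived session stalls. The toy receiver below is an added illustration written for this newsletter, not code from US-CERT or from any vendor's TCP stack; it models only the ordering of the two checks (PAWS comparison, then window validation, then TS.Recent update) with constructed sequence numbers, window sizes and timestamp values, and ignores 32-bit wrap-around for clarity. The `validate_first` flag switches between the flawed ordering and the corrected one that the vendor patches implement.

```python
"""Toy model of a TCP receiver's timestamp (PAWS) bookkeeping, RFC 1323 style.

Added illustration only: not code from the newsletter, US-CERT or any vendor.
It models a single question: is TS.Recent updated before or after the incoming
segment is checked against the receive window?  All segment fields, window
sizes and timestamp values below are constructed for the demonstration and
sequence-number / timestamp wrap-around is deliberately ignored.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Segment:
    seq: int      # sequence number of the first byte of the segment
    length: int   # payload length in bytes (0 for a pure ACK)
    tsval: int    # TSval carried in the segment's timestamp option


@dataclass
class Receiver:
    rcv_nxt: int                 # next sequence number we expect
    rcv_wnd: int                 # current receive window size
    ts_recent: int = 0           # last timestamp accepted from the peer (TS.Recent)
    validate_first: bool = True  # False reproduces the flawed ordering

    def in_window(self, seg: Segment) -> bool:
        """RFC 793 acceptability test: does the segment overlap the receive window?"""
        lo, hi = self.rcv_nxt, self.rcv_nxt + self.rcv_wnd
        if seg.length == 0:
            # a zero-length segment is acceptable if its SEQ is inside the window,
            # or equals RCV.NXT when the window is closed
            return lo <= seg.seq < hi or (self.rcv_wnd == 0 and seg.seq == lo)
        last = seg.seq + seg.length - 1
        return lo <= seg.seq < hi or lo <= last < hi

    def receive(self, seg: Segment) -> str:
        """Process one segment; return 'accepted', 'paws_drop' or 'window_drop'."""
        # PAWS: a segment whose timestamp is older than TS.Recent is discarded
        if seg.tsval < self.ts_recent:
            return "paws_drop"
        if not self.validate_first:
            # flawed ordering: trust the timestamp before checking sequence space,
            # so any stray segment with a large TSval poisons TS.Recent
            self.ts_recent = seg.tsval
        if not self.in_window(seg):
            return "window_drop"
        if self.validate_first:
            # corrected ordering: only an in-window segment may advance TS.Recent
            self.ts_recent = seg.tsval
        self.rcv_nxt += seg.length
        return "accepted"


def run_scenario(validate_first: bool) -> List[str]:
    """Feed three constructed segments to a receiver and report each outcome."""
    rx = Receiver(rcv_nxt=1000, rcv_wnd=4096, validate_first=validate_first)
    results = []
    # 1. a genuine in-window segment from the peer, peer clock at 50
    results.append(rx.receive(Segment(seq=1000, length=100, tsval=50)))
    # 2. a stray segment far outside the window carrying an absurdly high TSval
    results.append(rx.receive(Segment(seq=9_000_000, length=0, tsval=2_000_000_000)))
    # 3. the peer's next genuine segment, peer clock now at 51
    results.append(rx.receive(Segment(seq=1100, length=100, tsval=51)))
    return results


if __name__ == "__main__":
    print("flawed ordering:   ", run_scenario(validate_first=False))
    print("corrected ordering:", run_scenario(validate_first=True))
```

With the flawed ordering the out-of-window segment is still dropped, but it has already raised TS.Recent, so the peer's next real segment fails PAWS and every subsequent one will too: that is the stalled BGP session the note warns about. With the corrected ordering the stray segment leaves TS.Recent untouched and the connection carries on, which is the behaviour to confirm on a patched router or host.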

* Apple updates Tiger

OS X 10.4.1 includes several security updates, the most serious of which could see a malicious website silently download and install widgets in Safari without triggering the expected Safe Download Validation warning. Brief details of this, and the other security fixes included in the 10.4.1 update, are available from the link below.

About the security content of the Mac OS X 10.4.1 Update - apple.com

* Gaim update fixes remote code execution vulnerabilities

Gaim 1.3.0 was released recently, primarily to fix a couple of buffer overflows that could lead to remote code execution exploits. Popular Linux distributions should have updated packages available now, and the code is available from Gaim's home page.

Gaim Vulnerability pages - gaim.sourceforge.net


* L-Soft LISTSERV remote code execution fixed

Popular mailing list management software LISTSERV has a vulnerability in its standard web interface that can allow remote code execution. L-SOFT says there is no viable workaround, short of disabling the web interface, so applying the recommended updates is the only realistic solution for most LISTSERV users.

Further details of which versions are affected, availability of updates and installation advice are all available from the L-SOFT security advisory linked below.

L-SOFT Security Advisory 2005-05 - lsoft.com
