When is a Mydoom variant not a Mydoom variant?

This issue's topics:

Introduction:

* Zero-day IE attack; ISA/Proxy Server, Samba, MBSA updates; Firefox released

Virus News:

* When is a Mydoom variant not a Mydoom variant?

* AV job for virus writer; H+BEDV distances itself from Securepoint

Security News:

* ISA Server 2000, Proxy Server 2.0 content spoofing flaw fixed

* Unpatched IE hole allows remote compromise

* MBSA update for XP SP2 available

* Advance notification of monthly Microsoft security bulletin releases

* Firefox 1.0 released

* Samba DoS fixed in 3.0.8 update

* Nine years in slammer for spammer

Introduction:

Spammers in the slammer but virus writers being given work to produce antivirus and security software... I guess you win some and you lose some, though there has been a fairly strong backlash against the security industry employing known virus writers (even if they do claim to have 'seen the light' and resumed the path of the ethically righteous). Also in the virus news the last week has been the appearance of a new family of viruses that are clearly closely related to the Mydoom family, but which employ an exploit of a recently announced, still unpatched, IE vulnerability to infect new victim machines.

Windows server admins running ISA Server 2000 and/or Proxy Server 2.0 have an 'important' update to consider applying to their kit, as do Samba users. Windows admins in particular may be looking for a web browser without legions of security flaws, or at least, without the legions of attacks that are so widely reported against IE. Firefox 1.0 has just been released and may just prove to be the ticket if a free, standards compliant, fast, modern browser is what you are looking for.

Virus News:

* When is a Mydoom variant not a Mydoom variant?

'When it's a Bofra' would seem to be one answer...

Several new, closely related mass-mailers were discovered last week.

Although initially classified as Mydoom variants by most antivirus researchers, those same folk now widely agree that this gaggle of new viruses should be classified as the first members of a new family, named Bofra, rather than be bracketed with the Mydoom variants.

To understand this change of heart about the family classification for these viruses, you have to look at the modus operandi of the Mydoom and Bofra families. The reason many researchers initially placed the new viruses in the Mydoom family is that the self-mailing code of the existing Mydoom variants and the mass-mailing code of the Bofra variants were very similar, suggesting that the same source is the base for both e-mail routines. As similarity of replication code is the most important determinant in virus family classification, and most virus analysts are now accustomed to dealing with new Mydoom variants, it was pretty much a no-brainer to classify these new viruses as Mydoom variants.

However, despite this similarity in e-mail generation code, there were also some significant differences in the process used by earlier Mydoom variants and these newer viruses. Members of the Mydoom family are self-mailers (meaning, they send copies of their own executable as attachments to their outgoing e-mail messages) while the Bofra variants simply send a small HTML e-mail message that includes a link back to a simple 'web server' that the virus also provides running on the machine sending the e-mail. In turn, if the recipient of a Bofra e-mail message accesses the linked material on the sending machine's 'web server', the server responds by sending a web page that exploits the recently announced, and still unpatched, buffer overflow in IE's handling of some attributes to certain HTML elements (see the 'Unpatched IE hole allows remote compromise' item in the security news section for more details of this vulnerability).

This difference is deemed a significant enough alteration in the main replication mechanism that, despite the similarities in the e-mail generation code, the two groups of viruses should be placed in different families. As one vendor's analysts had classified the 'new Mydoom variants' into a separate, new family from the outset, the name those analysts chose - Bofra - was adopted as the name for this new family.

In the few days since the first three Bofra variants were discovered, at least five more variants have been isolated and named by virus analysts. Aside from including a link to a description of one of the first Bofra variants below, in a few cases we have also included a link to some additional explanation of the replication method or discussion of the reasons for renaming from Mydoom to Bofra.

Computer Associates Virus Information Center

F-Secure Security Information Center

F-Secure Security Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* AV job for virus writer; H+BEDV distances itself from Securepoint

Online IT news site The Register has a twofer in its coverage of Czech ISP Zoner hiring well-known virus writer 'Benny', and German antivirus developers H+BEDV (the company behind the AntiVir range of scanners) publicly distancing themselves from Securepoint as a technology partner because of the latter's employment of Sven Jaschan, writer of the Sasser worm and Netsky viruses.

Zoner make much the same justifications for employing Benny as Securepoint did for employing Jaschan and they sound as tired and specious to members of the established antivirus community as they did when first wheeled out years earlier as justification for considering or acting this way.

Anti-virus outfit defends job for VXer - theregister.co.uk

H+BEDV distances itself from SecurePoint - antivir.de

Security News:

* ISA Server 2000, Proxy Server 2.0 content spoofing flaw fixed

Microsoft has released updates for Microsoft Internet Security and Acceleration (ISA) Server 2000 and Microsoft Proxy Server 2.0 that fix a flaw in both products' caching of the results of reverse DNS lookups. A malicious user could exploit this vulnerability to fool users behind ISA Server 2000 or Proxy Server 2.0 web proxies into thinking they were accessing trusted content. This vulnerability is rated as being of 'important' severity by Microsoft.

As Microsoft Small Business Server 2000 and 2003 Premium Edition both include ISA Server 2000, users of either of these products should obtain and install the ISA Server 2000 update. ISA Server 2004 does not suffer this vulnerability.

Note that MBSA does not support the affected products, so cannot be used to test the status of this update on these platforms.

Microsoft Security Bulletin MS04-039

* Unpatched IE hole allows remote compromise

IE has an unpatched vulnerability...

Nothing new there really, not even that exploiting the flaw allows a remote attacker to take full control of the victim machine. We do not normally cover such issues in this newsletter until a patch is available, but we are making an exception this time, not because of the potential seriousness of this vulnerability or even because there is a kit to generate attack code to automatically exploit the flaw, but because this critical, unpatched vulnerability is now being actively exploited.

As described in the 'When is a Mydoom variant not a Mydoom variant?' item in the virus news section, the Bofra family of viruses spreads by exploiting this as-yet unpatched vulnerability. The flaw is a buffer overflow in IE's handling of SRC and NAME attributes to FRAME, IFRAME and EMBED elements (although there are suggestions further elements may also provide vulnerable handlers for similar attributes). XP SP2 is immune to this vulnerability, as is IE 6.0 on Windows Server 2003. Disabling scripting in the browser makes it much more difficult for an attacker to successfully manipulate things on a victim machine so as to gain control through attacking this vulnerability, but does not entirely eliminate that possibility.

IE buffer overflow via FRAME, IFRAME, and EMBED elements - cert.org

Microsoft investigating reports of new IE hole - computerworld.com
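As an added illustration for defenders (this is not code from the newsletter, CERT or Microsoft), the following Python scanner runs over HTML and flags FRAME, IFRAME and EMBED elements whose SRC or NAME attributes are abnormally long, which is the element/attribute combination the item above names. It is a triage heuristic for a mail gateway or proxy, not a reconstruction of IE's parser: the 256-character threshold, the helper names (`scan_html`, `is_suspicious`) and the two sample documents are assumptions constructed for the example.

```python
"""Flag FRAME/IFRAME/EMBED elements with oversized SRC or NAME attributes.

Added example for content triage; the threshold and sample inputs are
assumptions, not values taken from the newsletter or the advisories it links.
"""
from html.parser import HTMLParser

# Elements and attributes named in the IE item above.
SUSPECT_ELEMENTS = {"frame", "iframe", "embed"}
SUSPECT_ATTRS = {"src", "name"}

# Assumed triage threshold: legitimate URLs and frame names are far shorter,
# so anything beyond this is worth quarantining for a closer look.
MAX_ATTR_LEN = 256


class OversizedAttrScanner(HTMLParser):
    """Collects (element, attribute, length, line) for every oversized hit.

    html.parser lowercases tag and attribute names for us and routes
    self-closing tags (<embed .../>) through handle_starttag as well, so
    case tricks and XHTML-style closing do not bypass the check.
    """

    def __init__(self, max_len=MAX_ATTR_LEN):
        super().__init__(convert_charrefs=True)
        self.max_len = max_len
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in SUSPECT_ELEMENTS:
            return
        for attr_name, value in attrs:
            # A bare attribute (<iframe src>) arrives with value None.
            if attr_name in SUSPECT_ATTRS and value is not None \
                    and len(value) > self.max_len:
                line, _offset = self.getpos()
                self.findings.append((tag, attr_name, len(value), line))


def scan_html(html, max_len=MAX_ATTR_LEN):
    """Return a list of (element, attribute, length, line) findings."""
    scanner = OversizedAttrScanner(max_len)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def is_suspicious(html, max_len=MAX_ATTR_LEN):
    """True if the document carries at least one oversized SRC/NAME value."""
    return bool(scan_html(html, max_len))


# Constructed sample documents: a normal page and one whose IFRAME SRC is
# padded far beyond any plausible URL length.
BENIGN_HTML = """<html><body>
<iframe src="http://intranet.example/status.html" name="status"></iframe>
<embed src="movie.swf" />
</body></html>"""

SUSPICIOUS_HTML = "<html><body>\n<iframe src=\"" + "A" * 600 + \
    "\" name=\"f\"></iframe>\n</body></html>"


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(label, scan_html(doc))
```

A gateway using this would quarantine rather than drop: the heuristic says nothing about whether the oversized value is actually an exploit attempt, only that no legitimate page needs a 600-character frame source.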

* MBSA update for XP SP2 available

Back in August we warned readers that XP SP2 required an updated version of MBSA and that those using MBSA and planning to, or who already had, rolled out XP SP2 should check for the MBSA 1.2.1 release. Recalling our own advice early last week, we checked and sure enough, MBSA 1.2.1 has been available for a while now.

If you use MBSA with XP and have not already obtained version 1.2.1, now may be the time to consider it.

MBSA home page - microsoft.com

* Advance notification of monthly Microsoft security bulletin releases

As regular readers should now be aware, the second Tuesday of the month is Microsoft's official 'Patch Tuesday'. Starting this month, Microsoft is now releasing very limited descriptions of the forthcoming patches on the Thursday before Patch Tuesday. These advance notification descriptions will be posted at the URL linked below. Following the posting of the security bulletins foreshadowed on the advance notification page, its content changes to a simple notification of the date the page will next be updated and the date of the next Patch Tuesday.

Microsoft Security Bulletin Advance Notification - microsoft.com

* Firefox 1.0 released

Firefox certainly has been gaining significant critical acclaim, of late, especially amongst technical writers and journalists increasingly sceptical about IE's security, speed and lack of modern browser features. With the availability of the first official, non-preview release, Firefox should now see even wider adoption and support.

Aucklander Ben Goodger is the lead engineer on the Firefox project and some of his experiences with the project are detailed in a recent Computerworld interview. Also linked below is Goodger's blog entry announcing the release of Firefox 1.0.

Firefox home page - mozilla.org

Firefox launches with a Kiwi boost - computerworld.co.nz

Firefox 1.0: Signed, Sealed, Delivered - mozillazine.org

* Samba DoS fixed in 3.0.8 update

A flaw in Samba 3.0's filename matching routines when processing requests that contain wildcard characters can cause very heavy CPU usage, leading to a denial of service. Samba 3.0.8 has been released, and as well as containing several other bug fixes and functionality enhancements, it addresses this flaw. Patches against 3.0.7 that specifically address this vulnerability have also been released.

Further, most distributors that include Samba have already shipped, or will soon, update packages of the new version, or backports of the patch to their preferred shipping version.

Potential Remote Denial of Service in Samba 3.0.x <= 3.0.7 - samba.org

Samba releases archive - samba.org

* Nine years in slammer for spammer

Although few, if any, are confident the spam tide is turning, the recent conviction of two spammers in Virginia may be a watershed moment if legal moves are to have any effect on the spam problem. Brother and sister Jeremy Jaynes and Jessica DeGroot were convicted on three felony spamming charges. Jaynes received a nine year prison sentence for his leading role in the spamming operation that, at one point, was rated as the eighth most prolific in the world. This is the first felony spamming conviction in the US and the hope is that the tough sentence, coupled with more expected when pending charges are heard against several more accused spammers, will act as a deterrent to others.

Convicted spammer gets nine years in slammer - computerworld.com