Mydooms want work; Sasser writer indicted


This issue's topics:

Introduction:

* Mydooms want work; Sasser writer indicted; Mac OS X, imlib, DB2 fixes

Virus News:

* Mydoom spawns quadruplets; seeks antivirus employment

* Botnet takedown...

* German teenager indicted over Sasser worm

Security News:

* XP SP2 PC World cover CD this month

* Multiple Mac OS X security patches

* Critical imlib 1.9.14 update

* Fixes available for critical IBM DB2 flaws

* Hackers, spam and your PC...

Introduction:

A really brief intro so this gets to you no later than it already is...

Several new Mydoom variants were released at the end of last week, with the interesting (if pointless) twist that their writer included a request for employment within the antivirus industry within the virus' code. Also, Sven Jaschan has now been formally indicted on computer sabotage charges in Germany for his alleged role in writing and releasing the Sasser worm.

Mac OS X administrators, admins of systems that use the imlib library and DB2 database system administrators should all be polishing up their patching test and rollout skills this week. Also, SOHO users of Windows XP, especially those without broadband connections, may consider an alternative to downloading SP2, and we have links to some interesting coverage of the links between spammers, malware and organized crime.

Virus News:

* Mydoom spawns quadruplets; seeks antivirus employment

At the end of last week four new Mydoom variants were discovered in quick succession, over what was roughly a 24-hour period spanning the 9th and 10th of September. These variants are all very similar: each installs itself to run at every system startup using the same basic method (but a different filename), and mass-mails itself to all e-mail addresses found by searching the Windows Address Book and all files with an extension drawn from a large list of file types. These new variants also download and install a backdoor which allows remote access to their victims' machines.

However, perhaps the most intriguing aspect of this rash of new Mydoom variants is hidden inside them, and never normally exposed. Analysis of the viruses uncovers a message that the code contains no instructions to actually display. 'We searching 4 work in AV industry' may seem plaintive to some, but if the desire is genuine it is sadly ironic that the person or people behind these variants can never use that fact on their résumés. It is widely accepted within the antivirus industry that known virus writers will never be employed in antivirus research or product development. A brief commentary on this is included in the second link to UK-based antivirus developer Sophos, below.

Typical naming confusion means that almost no two antivirus vendors call the same variants by the same names, as should be evident from reading a few of the linked descriptions below...

Computer Associates Virus Information Center

Computer Associates Virus Information Center

Computer Associates Virus Information Center

Computer Associates Virus Information Center

F-Secure Security Information Center

F-Secure Security Information Center

F-Secure Security Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Network Associates Virus Information Library

Network Associates Virus Information Library

Sophos Virus Info

Sophos Virus Info

Symantec Security Response

Symantec Security Response

Symantec Security Response

Symantec Security Response

Symantec Security Response

Trend Micro Virus Information Center

* Botnet takedown...

Telenor, a Norwegian telco, has shut down the central controlling node of a network of 'bots' - computers whose security has been compromised and a botnet agent installed. This botnet reputedly had more than 10,000 member bots, potentially available at the botnet controller's whim to run distributed denial of service (DDoS) attacks or pretty much anything else by uploading further software to the bots.

For more information on the general topic of botnets, please read the 'Hackers, spam and your PC...' item in the security section, and the links provided there.

Telenor takes down 'massive' botnet - theregister.co.uk

* German teenager indicted over Sasser worm

In mid-May we reported that German teenager Sven Jaschan had admitted to writing the Sasser and Netsky worms. Last week prosecutors in Verden, Germany, formally indicted the 18-year-old student on computer sabotage charges related to his alleged involvement in creating the Sasser worm.

German teenager indicted over Sasser worm

Security News:

* XP SP2 PC World cover CD this month

Not to plug one of our own publications [well, not to plug it much], but New Zealand PC World was one of the first computer magazines to carry Microsoft's official "Windows XP Service Pack 2 (with Advanced Security Technologies)" CDs as a cover CD. Other magazines were probably beaten by longer lead-times and the CD is likely to show up all over the place eventually, but why wait? The September issue of New Zealand PC World should be available from discerning bookstores and newsstands.

* Multiple Mac OS X security patches

Apple has released more security updates for Mac OS X 10.2.8, 10.3.4 and 10.3.5. These include patches that address security issues in such components as Apache, OpenSSH, Kerberos, IPSec and the Safari web browser.

Apple Security Updates - apple.com

* Critical imlib 1.9.14 update

Internet Security Systems (ISS) reports an exploitable buffer overflow vulnerability in imlib 1.9.14's BMP handling when specially malformed BMP format graphics files are processed. Successful exploitation of this vulnerability may allow remote execution of arbitrary code with the privileges of the process calling the vulnerable imlib code. imlib is heavily used in several popular Unix and Linux graphics handling applications.

Most distributors have shipped update packages already and the ISS advisory has links to the more popular of these.

imlib BMP image buffer overflow - iss.net
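As an added example (not imlib's code, and not the specific flaw in the ISS advisory, whose details the item does not give), this is the kind of header validation a BMP loader should perform before sizing any buffer from file-supplied dimensions: every size is computed in 64-bit arithmetic and checked against the bytes actually present. `make_bmp` builds constructed sample files for the checks, and `BMP_MAX_DIM` is an illustrative cap, not a value from any standard.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* BMP headers are little-endian regardless of host; read and write them byte-wise. */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
enum { BMP_OK = 0, BMP_SHORT = -1, BMP_BADMAGIC = -2, BMP_BADDIMS = -3, BMP_BADBPP = -4, BMP_TRUNCATED = -5 };
#define BMP_MAX_DIM 32767  /* illustrative cap: keeps stride * rows far below UINT64_MAX */
/* Validate an in-memory BMP before any pixel buffer is sized from its header; on success
 * *pixel_bytes is the number of pixel bytes the file must actually carry. */
int bmp_validate(const uint8_t *buf, size_t len, uint64_t *pixel_bytes)
{
    if (len < 54) return BMP_SHORT;                    /* 14-byte file header + 40-byte info header */
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_BADMAGIC;
    uint32_t data_off = rd32(buf + 10), hdr_size = rd32(buf + 14);
    int32_t  width = (int32_t)rd32(buf + 18), height = (int32_t)rd32(buf + 22);
    uint16_t bpp = rd16(buf + 28);
    if (hdr_size < 40) return BMP_SHORT;
    /* Width must be positive; height may be negative (top-down image) but never zero. */
    if (width <= 0 || width > BMP_MAX_DIM || height == 0 || height > BMP_MAX_DIM || height < -BMP_MAX_DIM)
        return BMP_BADDIMS;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32) return BMP_BADBPP;
    /* Row stride is padded to 4 bytes; 64-bit arithmetic so width * bpp cannot wrap. */
    uint64_t stride = (((uint64_t)width * bpp + 31) / 32) * 4;
    uint64_t rows   = (uint64_t)(height < 0 ? -height : height);
    uint64_t need   = stride * rows;
    /* The declared pixel offset must sit inside the file and leave room for every row. */
    if (data_off < 14 + hdr_size || data_off > len) return BMP_TRUNCATED;
    if (need > (uint64_t)(len - data_off)) return BMP_TRUNCATED;
    *pixel_bytes = need;
    return BMP_OK;
}
/* Build a constructed test BMP (not taken from any real file) with a 54-byte header. */
size_t make_bmp(uint8_t *out, size_t cap, int32_t w, int32_t h, uint16_t bpp, size_t pixel_len)
{
    size_t total = 54 + pixel_len; if (total > cap) return 0;
    memset(out, 0, total); out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, (uint32_t)total); wr32(out + 10, 54); wr32(out + 14, 40);
    wr32(out + 18, (uint32_t)w); wr32(out + 22, (uint32_t)h); wr16(out + 26, 1); wr16(out + 28, bpp);
    return total;
}
/* Constructed cases: a sane 2x2 24-bit image, a header claiming 1000x1000 over only 16 pixel
 * bytes (what a naive loader would allocate and overrun), and a negative width. */
int demo_valid(void)     { uint8_t b[80]; uint64_t n = 0; size_t l = make_bmp(b, sizeof b, 2, 2, 24, 16);       return bmp_validate(b, l, &n) == BMP_OK && n == 16; }
int demo_truncated(void) { uint8_t b[80]; uint64_t n = 0; size_t l = make_bmp(b, sizeof b, 1000, 1000, 24, 16); return bmp_validate(b, l, &n); }
int demo_baddims(void)   { uint8_t b[80]; uint64_t n = 0; size_t l = make_bmp(b, sizeof b, -5, 2, 24, 16);      return bmp_validate(b, l, &n); }
```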

* Fixes available for critical IBM DB2 flaws

Among other vulnerabilities, security researchers at NGS (Next Generation Security) Software report that IBM DB2 8.1 (with FixPak 6 or earlier) and 7.x (with FixPak 11 or earlier) are vulnerable to remotely exploitable buffer overflows. Successful exploitation of these overflows could lead to execution of arbitrary code with the privileges of the DB2 process. NGS Software has released a very brief advisory (linked below), which includes URLs to the relevant IBM download pages for the latest FixPaks that address these vulnerabilities.

Critical vulnerabilities in IBM's DB2 Universal Database - nextgenss.com

* Hackers, spam and your PC...

Two reporters from USA Today have filed a series of stories providing perhaps the most detailed coverage yet of the dynamics and economics, among other things, of botnets, spamming and the infiltration of the traditionally nerdy/geeky malware scene by organized crime. We have linked to the head story, but don't miss following the links in the 'Related Stories' sidebar.

Are hackers using your PC to spew spam and steal? - usatoday.com
