Witty worm not so funny; Bagle writer alters recipe

This issue's topics:

Introduction:

* Unfunny worm; ISS, OpenSSL, Apache, Oracle, Macromedia critical updates

Virus News:

* Bagle writer alters recipe

* Witty worm not so funny; exploits firewall vulnerability

Security News:

* Critical remote code execution flaw in ISS firewall products fixed

* Two possible DoS attacks fixed in OpenSSL updates

* Three security flaws fixed in latest Apache 2.0 release

* Remote code execution vulnerability fixed in ModSecurity update

* Oracle fixes critical severity bug in Application Server Web Cache

* Macromedia E-Licensing Client Activation privilege elevation; OS X

* ColdFusion MX and JRun 4.0 Web Services update fixes DoS

* Fixing security is slowing development of future MS products, OSes

Introduction:

If last week was Microsoft patch week, this week sees many other major software vendors shipping important through critical patches and updates.

Of most concern though is the so-called Witty worm. With a nasty 'creeping data death' payload overwriting random disk sectors with random garbage, the effects of having this worm nibbling away at your machines are anything but funny. Most worrying, of course, is that the vulnerability this worm wiggles through to enter machines is in software specifically designed to protect against just these kinds of things.

Anyway, I'm very late with this (really last week's) issue of this newsletter, so I'll just shut up now and let you get on with the reading and patching...

Virus News:

* Bagle writer alters recipe

Last week a rash of new Bagle variants was discovered. Earlier in the week three new Bagle variants were discovered over the course of several hours in one day, including the first Bagle variants that added polymorphism and parasitic infection to the family's repertoire. Then, in a similarly short period of time a couple of days later, another four variants were discovered, with much the same functionality as the polymorphic parasitic infecting variant, but adding one further twist.

Bagle.Q and the other variants discovered that day do not include copies of themselves in the e-mails they send, but rather send HTML e-mail messages that exploit a security vulnerability in some e-mail client programs to download a (possibly changed or updated) copy of the virus from a web server. The 'web servers' in fact appear to be machines previously infected with other Bagle variants (or other malware with readily accessible backdoors) that the writer of Bagle.Q had prepared, probably by remotely infecting the machines with the new variants via those backdoors. The new Bagle variants have a trivial HTTP server function that listens on port 81, but the e-mails these variants send do not refer back to the sending machine, but rather to port 81 on a randomly selected IP address from a large list of such addresses carried around in the virus' code.

Most of the machines in the virus' list of IP addresses were fairly quickly isolated from the Internet by their ISPs. They were mostly small business and home user machines with DSL and cable connections.

As is common when a rash of related viruses is discovered in a short period of time, the first of these incidents resulted in much naming confusion and disagreement between vendors. When the first of the second batch was discovered, a concerted effort was made to get the vendors' names back into line. Most antivirus products call the first of that batch of four variants Bagle.Q; a few had already named it before the effort to synchronize names began, but most of those vendors did get Bagle.R, .S and .T in agreement.
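The delivery pattern described above (an HTML message that fetches the virus from port 81 on a bare IP address instead of carrying it as an attachment) lends itself to a simple mail-gateway heuristic. The following is an added example, not code from the newsletter or any antivirus vendor; the sample message body and the 192.0.2.x address are constructed placeholders.

```python
# Added example: flag HTML mail bodies whose tags reference port 81 on a
# literal IPv4 host, the Bagle.Q delivery pattern described in the text.
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag attributes that can make a mail client fetch a remote resource.
URL_ATTRS = {"src", "href", "data", "codebase", "background"}
SUSPECT_PORT = 81  # the listener port the newsletter reports for the new variants


class _UrlCollector(HTMLParser):
    """Collects every URL-bearing attribute value from an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: list[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append(value.strip())


def extract_urls(html: str) -> list[str]:
    parser = _UrlCollector()
    parser.feed(html)
    return parser.urls


def is_bagle_style_url(url: str) -> bool:
    """True when the URL points at port 81 on a literal IPv4 address."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or parts.port != SUSPECT_PORT:
            return False
        ipaddress.IPv4Address(parts.hostname)  # raises ValueError for names
        return True
    except ValueError:  # bad port, no host, or host is not a dotted quad
        return False


def flag_message(html: str) -> list[str]:
    """Return the offending URLs found in an HTML mail body (empty if clean)."""
    return [u for u in extract_urls(html) if is_bagle_style_url(u)]


# Constructed sample body; 192.0.2.45 is a documentation-range placeholder.
SAMPLE_BODY = ('<html><body><iframe src="http://192.0.2.45:81/x.php" '
               'width=1 height=1></iframe></body></html>')
```

A gateway would quarantine or tag messages for which flag_message() returns a non-empty list; named hosts and port-80 image links are deliberately left alone to keep false positives down.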

Computer Associates Virus Information Center (38599)

F-Secure Security Information Center (bagle_q)

Kaspersky Lab Virus Encyclopedia (1174186)

Network Associates Virus Information Library (101108)

Sophos Virus Info (w32bagleq)

Symantec Security Response (w32.beagle.o)

Trend Micro Virus Information Center (bagle.q)

* Witty worm not so funny; exploits firewall vulnerability

Named Witty by most antivirus and security vendors, a new worm has been on the prowl since late Saturday afternoon (New Zealand time). What is perhaps most interesting about Witty is that it was released within 48 hours of the public disclosure of the ICQ protocol parsing vulnerability in ISS' Protocol Analysis Module (PAM; see item in the Security section, below). Witty shares several features of the tremendously successful Slammer from January 2003 - it spreads via UDP (so is fast, not having to initiate the three-way handshake needed for TCP connections and not caring about successful or reliable delivery to the target machine), is small (fitting within a single packet) and has been written using very similar techniques (prompting some analysts to speculate it may have been written by the same person).

Unlike Slammer, however, Witty also has a damaging payload. After sending 20,000 copies of itself to randomly selected IP addresses, it writes 64KB of data to a randomly selected location on a hard drive randomly selected from among the first eight such devices in the victim machine. Such low-level disk access is possible because the worm runs with the 'local system' privileges of the compromised BlackICE service. This payload will lead to creeping corruption of the drive contents of victim machines and is the reason that many security analysts are recommending that machines vulnerable to the PAM ICQ parsing vulnerability be removed from the network entirely until they are patched.

Witty is very specifically targeted, perhaps depending on a single version of the vulnerable PAM code - it has been reported to work against v3.6.16 of the iss-pam1.dll file found in BlackICE PC Protection v3.6 ccf in several technical analyses. That file is known to have shipped with version 3.6 of BlackICE products (PC Protection, Agent for Server and Server Protection) that have build levels ending in 'f' (ISS use a three-letter string to denote sub-version build levels). However, ISS has released a security alert that lists several other BlackICE 3.6 build levels it claims the worm can infect, along with the versions and build levels of the RealSecure products that are also vulnerable to the worm. It would thus be prudent of BlackICE and RealSecure administrators to work from the ISS alert in determining their likely exposure to this worm. Although Proventia products suffer from the vulnerability Witty exploits, ISS claims that no Proventia product versions are actually vulnerable to Witty. Despite that, administrators of any ISS products vulnerable to the PAM ICQ parsing flaw would be well-advised to update those products with urgency, as Witty may be used as a model from which further exploits of other vulnerable ISS products are fashioned.

Note that as traditional (file system-based) antivirus techniques are irrelevant against memory and network only worms such as this (sometimes referred to as 'pure worms' or 'pure network worms'), many of the usual antivirus sources we cite have little, or nothing, about Witty on their web sites.

BlackICE Witty Worm Propagation - iss.net

F-Secure Security Information Center

Witty Worm Analysis - lurhq.com

Network Associates Virus Information Library (101118)

Symantec Security Response (w32.witty.worm)

Trend Micro Virus Information Center (worm_witty.a)

Security News:

* Critical remote code execution flaw in ISS firewall products fixed

Internet Security Systems (ISS) has released updates to several of its products to correct a remotely exploitable vulnerability in its RealSecure, Proventia and BlackICE firewall and related products. Discovered by security researchers at eEye Digital Security, the flaw is in the Protocol Analysis Module (PAM) of the affected products and results from insufficient checks on values assumed to be part of ICQ server responses.

eEye's researchers claimed to have successfully exploited the flaw against BlackICE whereas ISS simply stated 'After examining the nature of this vulnerability, ISS X-Force(TM) believes that exploitation of this issue is possible'. Given this is the flaw being successfully exploited by the Witty worm (see item in Virus section, above), it seems rather beyond doubt now. The warning from eEye's researchers that the flaw could be exploited with a single packet was suggestive of targeting for a fast, Slammer-like worm.

As the current worm outbreak is specifically targeted at BlackICE, systems running vulnerable versions of the BlackICE software should have the latest updates installed as soon as possible. Given the destructive payload of the Witty worm, it is also probably advisable to remove all non-updated BlackICE machines from the network until the affected machines can be updated, preferably via removable media. This includes all machines 'inside' typical corporate LAN style networks that are, themselves, firewalled from the Internet because of the classic situation of infected laptops introducing the infection as staff return to the office after the weekend.

A full list of affected ISS products and the location of updates is available in the ISS alert, linked below.

ISS PAM ICQ Server Response Processing Vulnerability - eeye.com

Vulnerability in ICQ Parsing in ISS Products - iss.net

* Two possible DoS attacks fixed in OpenSSL updates

The OpenSSL developers have reported fixing two possible denial of service (DoS) vulnerabilities in the latest OpenSSL releases. A null-pointer assignment during the SSL handshake has been found, which could possibly be exploited to crash the OpenSSL service, resulting in a DoS. The second vulnerability can only be exposed in rare cases where Kerberos ciphersuites are used. Versions 0.9.6c through 0.9.6l inclusive are vulnerable to the first vulnerability, and versions 0.9.7a through 0.9.7c inclusive are vulnerable to both flaws.

Depending on the version currently in use, upgrading to OpenSSL 0.9.6m or 0.9.7d is recommended. Obtain the source updates from openssl.org or an official mirror, then recompile any OpenSSL applications statically linked to the OpenSSL libraries. Download locations for the official distributions are available in the OpenSSL Security Advisory, linked below, and as most Unix, Linux and BSD distributions ship OpenSSL-derived components, update packages for most of these OSes are available from their respective distributors.

OpenSSL Security Advisory [17 March 2004] - openssl.org

* Three security flaws fixed in latest Apache 2.0 release

Aside from the usual minor feature bug fixes and enhancements, the 2.0.49 release of the Apache HTTP Server fixes three security vulnerabilities. Apache HTTP Server 2.0.49 fixes a possible denial of service attack on some platforms due to a race condition in handling short-lived connections, a memory leak in mod_ssl that could produce a denial of service, and an issue whereby arbitrary client-supplied strings could be included, unescaped, in error log files, allowing subsequent exploitation of certain terminal emulators when the logs were viewed.

As usual, obtaining the source (or patches) and building from scratch is an option, as is, for most popular Unix and Linux distributions, obtaining an update from your vendor or distributor. Further, binary distributions for the more popular OSes are also available from the Apache Software Foundation.
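The third Apache flaw above is a log-injection problem: anything the client controls (a request line, a header, a hostname) must have its control bytes neutralised before it is written to a file an administrator will later view in a terminal. The following is an added example, not the Apache project's own code: escape_logitem() applies the usual C-style escaping (an assumed convention, modelled loosely on how httpd escapes log items), and find_raw_control_chars() audits a log written before such escaping was in place. The sample request line is constructed.

```python
# Added example: escape client-supplied strings before logging them, and
# audit existing log lines for raw control bytes that escaping would have
# caught. Not Apache code; the escaping convention is an assumption.
from typing import Iterable

# Constructed sample: a request path carrying ANSI 'clear screen' / 'home'
# sequences (ESC [2J, ESC [H) that a terminal would act on if logged raw.
SAMPLE_REQUEST = b"GET /index.html\x1b[2J\x1b[H HTTP/1.0"

# Bytes that get a short C-style escape; everything else non-printable
# falls through to \xHH.
_SIMPLE = {0x0A: b"\\n", 0x0D: b"\\r", 0x09: b"\\t", 0x0B: b"\\v",
           0x08: b"\\b", 0x5C: b"\\\\", 0x22: b'\\"'}


def escape_logitem(raw: bytes) -> str:
    """Return a log-safe ASCII string.

    Printable ASCII (0x20..0x7E) passes through, a few whitespace and quote
    bytes get C-style escapes, and everything else, including ESC (0x1b),
    DEL (0x7f) and all bytes >= 0x80, becomes \\xHH.
    """
    out = bytearray()
    for b in raw:
        if b in _SIMPLE:
            out += _SIMPLE[b]
        elif 0x20 <= b < 0x7F:
            out.append(b)
        else:
            out += b"\\x%02x" % b
    return out.decode("ascii")


def find_raw_control_chars(lines: Iterable[bytes]) -> list[int]:
    """Return 1-based numbers of log lines containing raw control bytes.

    Use this to review logs produced by an unpatched server before opening
    them in a terminal emulator; the trailing newline is ignored.
    """
    hits = []
    for number, line in enumerate(lines, 1):
        body = line.rstrip(b"\r\n")
        if any(b < 0x20 or b == 0x7F for b in body):
            hits.append(number)
    return hits
```

Viewing flagged lines through a pager that shows control characters literally (or after passing them through escape_logitem()) is the safe way to inspect them.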

Apache HTTP Server 2.0.49 Released - apache.org

* Remote code execution vulnerability fixed in ModSecurity update

ModSecurity 1.7.5 fixes a remotely exploitable off-by-one buffer overflow in the Apache 2.x version of this intrusion detection module for Apache web servers. According to the discoverer of this vulnerability, Evgeny Legerov from S-Quadra, if the SecFilterScanPost option of ModSecurity is enabled, an exploitable buffer overflow condition exists in the code that scans incoming POST commands.

ModSecurity 1.7.4 remote off-by-one overflow - s-quadra.com

ModSecurity home page

* Oracle fixes critical severity bug in Application Server Web Cache

Oracle has advised of unspecified critical security vulnerabilities in multiple versions and all supported platforms of Application Server Web Cache. Installations of the affected products are said to be vulnerable if Web Cache is running and listening on the Oracle Application Server Web Cache listener port. The vulnerability is said to be independent of the Web server in use. Details of the vulnerable versions and of updates addressing it are available in the Oracle Security Alert linked below.

Vulnerabilities in Oracle Application Server Web Cache - oracle.com (PDF)

* Macromedia E-Licensing Client Activation privilege elevation; OS X

Macromedia has released an update to address a possible privilege elevation flaw in Mac OS X versions of Macromedia MX 2004 products, and Contribute 2. The flaw is due to improper file permissions. A patch has been supplied and a possible workaround is described in the Macromedia Security Bulletin, linked below.

Macromedia security bulletin MPSB04-03

* ColdFusion MX and JRun 4.0 Web Services update fixes DoS

A denial of service (DoS) vulnerability in Macromedia's ColdFusion MX and JRun 4.0 Web Services is fixed in the latest update for these products shipped by Macromedia. The potential DoS is due to improper handling of malformed SOAP requests and exists in all editions of JRun 4.0, ColdFusionMX 6.0, 6.1 and all editions of ColdFusionMX 6.0, 6.1 J2EE.

Macromedia rate the vulnerability as critical to exposed servers. The update is available from the Macromedia Security Bulletin linked below.

Macromedia security bulletin MPSB04-04

* Fixing security is slowing development of future MS products, OSes

Senior Microsoft Vice President, Bob Muglia, has admitted that ongoing work to improve the security of existing Windows OSes and major Microsoft applications that run on them has slowed development of not only the next major OS versions, but of updates for SQL Server and its development tools.

Security concerns hit Microsoft roadmap - silicon.com
