Mydoom-related viruses everywhere; critical Linux kernel


This issue's topics:

Introduction:

* Mydoom-related viruses everywhere; critical Linux kernel, metamail updates

Virus News:

* Netsky is falling taking Mydoom with it...

* New Nachi variants also add a Mydoom twist

* And a new Mydoom...

* ICQ worm on lookout for sensitive information

* Virus accidentally distributed via antivirus vendor mailing list

Security News:

* Microsoft releases 'Windows Security Update CD'

* metamail update fixes multiple remote code execution flaws

* Another critical Linux kernel vulnerability in mremap

* Microsoft mouthpiece says releasing patches bad for security

Introduction:

I am very sorry for the non-appearance of the newsletter last week, but sudden deaths and illness in the family more than slightly messed up the tail-end of my week and the weekend. As a result of not covering a couple of items last week and the boom in mass-mailing viruses we have seen continuing from last year into this, we have something of a bumper issue of virus news for you this week...

The big news is that Mydoom's impact on the virus scene continues. Several pieces of malware have already tried to take advantage of Mydoom's backdoor to spread themselves to machines Mydoom had successfully infected and in the last couple of weeks we have seen more of this kind of activity. For a virus writer, knowing you can get on a machine through another virus' or Trojan's backdoor means that the likelihood of detection is very low - if the victim was running antivirus or other software that could detect your new creation, it should have detected the older malware you are exploiting to gain entry. If you can gain entry then such 'protective' software is unlikely to be present.

On the security front, two critical Linux-centred vulnerabilities - one in the kernel and one in a very widely used mail and Usenet news handling component - have been patched and should be considered high severity flaws for fixing. The availability of a Windows Security Update CD should be especially good news, particularly for SOHO users facing (re-)building a Windows machine and the subsequent many-hour Windows Update session over slow modem connections.

Virus News:

* Netsky is falling taking Mydoom with it...

Three variants of this new family of mass-mailers have been released in the last 10 days or so. Netsky.A has not been at all successful - it appears that most of the copies of the original member of this family that have been seen were part of an initial 'seeding run'; a deliberate spamming of the virus in an attempt to get it established in the wild so it can start spreading itself. The .B and .C variants seem to have been much more successful. As of this writing, MessageLabs claims to have stopped around three and a half million Netsky.B e-mails in the last six days (these being the first six days of its run) and early yesterday the UK e-mail ASP issued a 'high-level' advisory for the spread of Netsky.C after stopping more than ten thousand copies in the first seven hours after detecting their first sample of this new variant.

There are minor variations in the behaviour of the three variants, but all act much the same, typically arriving as an attachment to an e-mail message with a spoofed From: address and with a short message randomly selected from among a large list of such messages carried around in the virus' code. The Netsky executable also copies itself to all folders whose names contain the string 'shar' (or similar - this varies among the family members) it finds on all local and network-mapped (but not CD) drives. This should see it spread through P2P networks whose client software commonly uses a folder with 'share' or 'sharing' in its name as the default folder to share over those networks.

All three variants to date also include an 'antivirus' function, albeit a very limited one. All remove the registry entries that Mydoom.A and Mydoom.B create to have themselves run at system startup, and a few other configuration changes that are known to be the work of several common viruses are also reversed, but the details vary slightly among the Netsky variants. Netsky may attach itself to its outgoing e-mail messages either in a ZIP'ed form or as an executable file, possibly with an obfuscated extension (.PIF, .SCR, .CMD, etc).
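The attachment behaviour just described is what a mail gateway filter has to catch: an executable hiding behind a decoy extension, or the same executable inside a ZIP. The following is an added example, not code from the newsletter or from any vendor named in it; it runs over three constructed sample messages (a bare .PIF, a zipped .SCR and a benign PDF) and returns which attachments would be blocked and why.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage

# Netsky attachment extensions from the write-up (.PIF/.SCR/.CMD) plus common executable types.
RISKY_EXTENSIONS = (".exe", ".pif", ".scr", ".cmd", ".com", ".bat")

def risky_name(filename):
    """True for a risky extension, even behind a decoy one ('details.txt.pif')."""
    return (filename or "").lower().endswith(RISKY_EXTENSIONS)

def inspect_message(raw_bytes):
    """Return (attachment name, reason) findings for one raw RFC 822 message;
    ZIP attachments are opened so a zipped executable is caught as well."""
    findings = []
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if risky_name(name):
            findings.append((name, "executable attachment"))
        elif payload.startswith(b"PK\x03\x04"):  # ZIP local-file-header magic
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    findings += [(name, "archive contains " + m)
                                 for m in zf.namelist() if risky_name(m)]
            except zipfile.BadZipFile:
                findings.append((name, "corrupt or truncated archive"))
    return findings

def _build(attachment_name, data):
    """Constructed sample message carrying one attachment (test data only)."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = "someone@example.invalid", "hello"
    msg.set_content("please read the attached file")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()

def sample_messages():
    """Three constructed messages: bare executable, zipped executable, benign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.txt.scr", b"MZ placeholder, not a real binary")
    return {"executable": _build("details.txt.pif", b"MZ placeholder"),
            "zipped": _build("message.zip", buf.getvalue()),
            "benign": _build("report.pdf", b"%PDF-1.4 placeholder")}

def demo():
    """Run the filter over the samples; returns {label: findings}."""
    return {k: inspect_message(v) for k, v in sample_messages().items()}
```

Extension matching alone will not catch a renamed executable, so a production filter would also check the MZ header of any attachment and of every archive member.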

MessageLabs Netsky.B virus details - messagelabs.com

Computer Associates Virus Information Center (38395)

Computer Associates Virus Information Center (38332)

Computer Associates Virus Information Center (38406)

F-Secure Security Information Center (moodown)

F-Secure Security Information Center (netsky_b)

F-Secure Security Information Center (netsky_c)

Kaspersky Lab Virus Encyclopedia (991404)

Network Associates Virus Information Library (101027)

Network Associates Virus Information Library (101034)

Network Associates Virus Information Library (101048)

Sophos Virus Info (netsky_a)

Sophos Virus Info (netsky_b)

Sophos Virus Info (netsky_c)

Symantec Security Response (netsky)

Symantec Security Response (netsky.b)

Symantec Security Response (netsky.c)

Trend Micro Virus Information Center (netsky.a)

Trend Micro Virus Information Center (netsky.b)

Trend Micro Virus Information Center (netsky.c)

* New Nachi variants also add a Mydoom twist

Two new Nachi variants have been discovered. As well as exhibiting all of the 'standard' Nachi functions (spreading via the RPC DCOM vulnerability used by Blaster and via a WebDAV vulnerability, installing the RPC DCOM patches, etc), Nachi.C and Nachi.D add trying to spread to new victim machines via the Mydoom backdoor on TCP port 3127 and removing the Mydoom.A, Mydoom.B, Doomjuice.A and Doomjuice.B worms.

Computer Associates Virus Information Center (38383)

F-Secure Security Information Center (welchi_b)

Kaspersky Lab Virus Encyclopedia (949424)

Network Associates Virus Information Library (101025)

Sophos Virus Info (nachic)

Symantec Security Response (welchia.c)

Symantec Security Response (welchia.d)

Trend Micro Virus Information Center

* And a new Mydoom...

As if all the Mydoom news of late were not enough, a new variant has been released. Mydoom.F extends the length of the DDoS attack and randomly selects either www.microsoft.com or an RIAA (Recording Industry Association of America) site as the target of the attack. Another variation from the earlier Mydoom variants is that the backdoor listens on just one port (TCP 1080) rather than on one of a range of higher numbered ports. Like its forebears, Mydoom.F is a prolific mass-mailer.
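Both backdoor ports named in the stories above (TCP 3127 in the Nachi item, TCP 1080 here) are worth watching at the perimeter. The following is an added example, not from the newsletter or any vendor, that runs over constructed iptables-LOG-style lines (documentation addresses, not real traffic) and flags inbound connection attempts to those ports plus any single source sweeping several hosts on 3127, the Nachi.C/D-style hunt for Mydoom victims. Port 1080 is also the SOCKS proxy port, so a hit there is a lead to check, not a verdict.

```python
import re
from collections import defaultdict

# TCP ports the stories above tie to Mydoom backdoors (constructed mapping for this example).
BACKDOOR_PORTS = {
    3127: "Mydoom.A/B backdoor (Nachi.C/D and Doomjuice spread through it)",
    1080: "Mydoom.F backdoor (also the SOCKS port, so a hit is a lead only)",
}
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Turn an iptables-LOG-style line into a dict of its KEY=VALUE fields."""
    return dict(FIELD.findall(line))

def flag_backdoor_traffic(lines, sweep_threshold=3):
    """Return (hits, sweepers): hits are new inbound TCP connections to a listed
    backdoor port; sweepers are sources probing >= sweep_threshold distinct
    hosts on port 3127."""
    hits, targets = [], defaultdict(set)
    for line in lines:
        f, flags = parse_line(line), set(line.split())
        if f.get("PROTO") != "TCP" or "SYN" not in flags or "ACK" in flags:
            continue  # only new connection attempts, not replies or established flows
        try:
            dport = int(f["DPT"])
        except (KeyError, ValueError):
            continue
        if dport in BACKDOOR_PORTS:
            hits.append((f.get("SRC"), f.get("DST"), dport, BACKDOOR_PORTS[dport]))
            if dport == 3127:
                targets[f.get("SRC")].add(f.get("DST"))
    sweepers = sorted(s for s, d in targets.items() if len(d) >= sweep_threshold)
    return hits, sweepers

# Constructed sample log lines (not real captures); 192.0.2.0/24 is documentation space.
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=4011 DPT=3127 SYN
kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.11 PROTO=TCP SPT=4012 DPT=3127 SYN
kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.12 PROTO=TCP SPT=4013 DPT=3127 SYN
kernel: IN=eth0 OUT= SRC=192.0.2.5 DST=192.0.2.20 PROTO=TCP SPT=3322 DPT=1080 SYN
kernel: IN=eth0 OUT= SRC=192.0.2.5 DST=192.0.2.20 PROTO=TCP SPT=3322 DPT=1080 ACK
kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=192.0.2.20 PROTO=TCP SPT=2000 DPT=80 SYN
kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=192.0.2.20 PROTO=UDP SPT=2001 DPT=3127
""".splitlines()

def demo():
    return flag_backdoor_traffic(SAMPLE_LOG)
```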

Computer Associates Virus Information Center (38355)

F-Secure Security Information Center (mydoom_f)

Network Associates Virus Information Library (101038)

Sophos Virus Info (mydoom_f)

Symantec Security Response (mydoom.f)

Trend Micro Virus Information Center (mydoom.f)

* ICQ worm on lookout for sensitive information

Bizex spread briefly via ICQ messages directing their recipients to a web page that in turn included code to exploit two Windows vulnerabilities (one in Internet Explorer and one in the handling of compiled HTML help, or .CHM, files). As well as further replicating by spamming ICQ messages directing the victim's ICQ contacts to the booby-trapped web pages, Bizex installs a keylogger that watches for processes (such as web browser windows) whose names include various financial institutions and certain VeriSign services. Keystrokes directed to such windows are recorded and FTP'ed to a remote server.

Computer Associates Virus Information Center (38393)

F-Secure Security Information Center (bizex)

Kaspersky Lab Virus Encyclopedia (1029528)

Network Associates Virus Information Library (101044)

Sophos Virus Info (bizexa)

Symantec Security Response (bizex)

Trend Micro Virus Information Center (bizex.a)

* Virus accidentally distributed via antivirus vendor mailing list

F-Secure, makers of antivirus and other security software, has apologized to members of one of the company's UK mailing lists who accidentally received a copy of the Netsky.B virus (see virus story above) via the list. vnunet reported the gaffe and the apology. It seems that misconfiguration of the mailing list, which is said to be 'external' to F-Secure's normal virus scanning checks, allowed someone other than approved F-Secure staff to post a message to the list server and have it distributed to the mailing list.

Security vendor mass-mails worm to clients - vnunet.com

Security News:

* Microsoft releases 'Windows Security Update CD'

Acknowledging that, especially for dial-up Internet users, getting a freshly installed Windows machine 'safe' to put on the Internet is no mean feat these days, Microsoft has released the 'Windows Security Update CD'. The CD is available entirely free of charge (there is not even a shipping fee!) but of course you do have to provide a mailing address. The Windows Security Update CD includes Microsoft Windows 98, 98SE, ME, 2000 and XP critical updates released up to October 2003, plus information to help you protect your PC. Free trial versions of antivirus and personal firewall software are also included.

Microsoft says to allow 2-4 weeks for delivery, but also notes it will not start shipping the CD (at least in the Asia/Pacific region) until early March 2004.

Order the Windows Security Update CD (Asia/Pacific) - microsoft.com

* metamail update fixes multiple remote code execution flaws

metamail, an implementation of MIME (Multipurpose Internet Mail Extensions) functionality commonly used in Linux distributions and several popular message handling applications (including content and virus scanning e-mail gateways), has been shown to suffer from many format string and buffer overflow vulnerabilities. The worst of these can be remotely exploited to execute arbitrary code of an attacker's choosing, and proof of concept messages that trigger these flaws are now publicly available.

These vulnerabilities were discovered by Ulf Harnhammar, who has provided unofficial patches (it appears that metamail was no longer officially maintained, despite being widely used). The major Linux distributions that include metamail have coordinated a patch release and most have now shipped update packages to fix these problems.

Archived Bugtraq list message - securityfocus.com

* Another critical Linux kernel vulnerability in mremap

Paul Starzetz from the Polish iSEC Security Research group recently announced the discovery of another exploitable memory management flaw in the Linux kernel mremap(2) system call code. As with the earlier vulnerability, careful exploitation of this could result in local privilege escalation, even to full superuser privileges. Most Linux distributors have already shipped update packages - check with the usual suspects depending on your versions and builds...

Linux kernel do_mremap VMA limit local privilege escalation - isec.pl

* Microsoft mouthpiece says releasing patches bad for security

Although surely not the intended message of his presentation, Microsoft's David Aucsmith, Security Architect and Chief Technology Officer of its Security Business Unit, effectively said that releasing patches was bad for security in a speech to the e-Crime Congress in London. Aucsmith also claimed (to much subsequent derision in the security community) that Microsoft's software has only once suffered a zero-day attack - that is, an attack involving the exploitation of a previously unknown vulnerability.

Aucsmith also claimed (again, to some derision in the security research community) that most vulnerability exploits are developed by reverse-engineering the patches. Critical commentary has pointed out that often 'underground' or 'black hat' hackers have, and use, exploits for unpatched vulnerabilities months, and in some cases even years, before the vendors become aware of the vulnerabilities and issue patches. In such cases, once a patch is released the exploit's value to the hard-core black-hat hackers is greatly diminished and many of them release their previously secret exploits, either to gain kudos or to increase the use of that exploit and so provide a higher noise level under which they hope to slip with their next unknown exploits.

We have linked to a news report of Aucsmith's comments which has been widely discussed in the security community.

Businesses are under attack, says MS security head - infoworld.com
