IDGNet Virus & Security Watch Friday 10 October 2003

This issue's topics:

Introduction:

* IE patch, Swen variants on loose, hacking stories galore

Virus News:

* Minor Swen variants allude to Italian ISP

* AVAR 2003 Conference in Sydney

* Are virus writers the cyber-terrorists of the future?

Security News:

* Yet another cumulative patch for IE

* Script security update for Windows Media player

* Source code of Half-Life 2 stolen through unpatched IE flaws?

* Hacker blocks (shipping) port court told...

* ViewSonic ex-employee faces hacking charges

* US courts to hand down tougher sentences for hacking, computer crime

Introduction:

Microsoft has released the long-awaited (well, in the security world, being exposed to a well-publicized remote arbitrary code execution bug for three weeks is a long time) updated patch for the Object Data Type bug that was only partly fixed in MS03-032. This is an absolutely critical patch for all IE users, as this bug has been actively exploited since, if not before, MS03-032 was released. Also, Microsoft has sneakily shipped a critical Windows Media Player patch without releasing a matching security bulletin - is this the behaviour we should expect of the new (well, self-appointed!) doyen of 'trusted computing'?

In virus news, a couple of new Swen variants hit the net yesterday, but so far don't seem to have travelled far (though your newsletter compiler has received several samples apparently from naturally infected machines). Anyway, several scanners need to be updated to detect these variants, and others are issuing updates to identify the variants correctly by name, even though their current Swen detection code already reliably detects the new variants as well as the original.

Aside from these news items, we make another mention of the AVAR conference in Sydney in early November - the conference keynote speaker has been announced; see the item for details. The rest of this issue is taken up with a plethora of hacking stories and court cases or news relating to hacking and virus writing (well, five - does that make a plethora?).

Virus News:

* Minor Swen variants allude to Italian ISP

Two trivial variants of Swen were discovered yesterday (Thursday, 9 October), apparently spreading in the wild. Both variants were created by simply editing some of the sub-strings in the virus's code that are randomly selected when Swen builds the various parts of its e-mail messages, and then compressing the modified executable with the popular runtime executable compressor UPX. As the text changes are in 'non-code' parts of the virus and many virus scanners have UPX unpacking routines, the Swen.B and Swen.C variants appear no different from Swen.A to several widely used virus scanners. Specific identification of these variants is nonetheless being added to some scanners that already detect them generically, and the scanners that do not detect these variants are being updated to do so.

The text changes alter some of the message parts that, in Swen.A, refer to Microsoft and its activities, and replace them with references to the large Italian ISP Tiscali. (We have only included links to vendor pages that have been updated to mention these variants - non-inclusion does not necessarily mean that product does not detect these variants.)
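As an added illustration (not from the original newsletter or any vendor's code), the toy scanner below shows the three outcomes described above: a whole-file hash misses a variant whose strings were edited and which was then repacked; a code-only signature taken without an unpacking routine also misses it; and a code-only signature applied after unpacking catches it, because the edited strings sit outside the code section. The image layout, the 'UPX!' stub marker (zlib stands in for the real UPX format, which this code does not parse), the code bytes and the strings are all constructed stand-ins, not Swen's actual content.

```python
"""Toy scanner showing generic vs. exact detection of a repacked, re-strung variant.

Everything here is constructed for illustration: the image layout, the
'UPX!' stub marker (zlib stands in for the real UPX format, which is not
parsed), the code bytes and the strings. None of it is Swen's real content.
"""
import hashlib
import struct
import zlib

PACKER_MAGIC = b"UPX!"  # assumed stand-in marker for a runtime-packer stub


def build_image(code, strings):
    """Lay out a fake executable: 4-byte code length, code, NUL-terminated strings."""
    return struct.pack("<I", len(code)) + code + b"".join(s + b"\x00" for s in strings)


def pack(image):
    """Simulated runtime packing: stub marker followed by the compressed image."""
    return PACKER_MAGIC + zlib.compress(image)


def unpack_if_packed(blob):
    """What a scanner's unpacking routine does: strip the stub, restore the image."""
    if blob.startswith(PACKER_MAGIC):
        return zlib.decompress(blob[len(PACKER_MAGIC):])
    return blob


def code_section(image):
    """Return only the code bytes; the string table after them is ignored."""
    (length,) = struct.unpack_from("<I", image, 0)
    return image[4:4 + length]


def exact_signature(blob):
    """Whole-file hash: breaks on any byte change, including repacking."""
    return hashlib.sha256(blob).hexdigest()


def generic_signature(blob, unpacker=True):
    """Hash of the code section only, optionally after unpacking.

    unpacker=True models a scanner with UPX support; unpacker=False models a
    scanner that hashes the packed file's bytes as if they were the image,
    which is why it misses the repacked variant.
    """
    image = unpack_if_packed(blob) if unpacker else blob
    return hashlib.sha256(code_section(image)).hexdigest()


# Constructed stand-ins: an arbitrary byte pattern, not Swen's code, and
# strings that mimic only the kind of edit the variants made (Microsoft -> Tiscali).
CODE = bytes((i * 37 + 11) & 0xFF for i in range(256))
STRINGS_A = [b"Microsoft Security Update", b"Install this patch now"]
STRINGS_B = [b"Tiscali Security Update", b"Install this patch now"]


def scan(blob, known_exact, known_generic):
    """Run the three detection strategies against one file."""
    return {
        "exact": exact_signature(blob) in known_exact,
        "generic": generic_signature(blob) in known_generic,
        "generic_no_unpacker": generic_signature(blob, unpacker=False) in known_generic,
    }


def demo():
    """Signatures are taken from the original; the variant is re-strung and packed."""
    original = build_image(CODE, STRINGS_A)
    variant = pack(build_image(CODE, STRINGS_B))
    known_exact = {exact_signature(original)}
    known_generic = {generic_signature(original)}
    return {
        "original": scan(original, known_exact, known_generic),
        "variant": scan(variant, known_exact, known_generic),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the script prints one result line per file; the variant is flagged only under the unpack-then-hash-code strategy. A real scanner would locate the code section from the PE section table and drive the unpacker from UPX's own header rather than a fixed marker, but the reason the re-strung, repacked variants fall out as 'generic' detections is the same.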

Computer Associates Virus Information Center -37268

Computer Associates Virus Information Center -37271

F-Secure Security Information Center

Network Associates Virus Information Library

* AVAR 2003 Conference in Sydney

As already announced in this newsletter, AVAR (the Association of AntiVirus Asia Researchers) is holding its 2003 conference in Sydney from 5 - 7 November. Aside from possibly offering a good excuse for a business trip to Sydney during The Rugby World Cup (although the post-pool knock-out games that weekend are in Melbourne and Brisbane), this may be the best opportunity ever to meet the top researchers, and the senior product managers, from all the antivirus developers with significant market interests in the Asia/Pacific region.

And, if that is not enough to entice you, the venue is one of Australasia's top hotels, the Westin Hotel, Sydney, and the opening keynote will be presented by Richard Clarke, former White House Advisor to three US Presidents and, most recently, Special Advisor to the President for Cyber Security.

AVAR 2003 Conference home page - aavar.org

* Are virus writers the cyber-terrorists of the future?

For a little lighter reading, a gushing Reuters report of the comments of the chief wonk at the UK's National Hi-Tech Crime Unit (NHTCU) on the links between virus writers and international cyber-terror is suitably debunked in an op-ed piece from famously tongue-in-cheek The Register...

Virus writers probed for terror ties - reuters.com

Warning: virus terrorism stories may contain nuts - theregister.co.uk

Security News:

* Yet another cumulative patch for IE

Last week our first two virus-section items related to active exploitation of variants of the Object Data Type vulnerability not covered by the MS03-032 cumulative IE patch. Despite the MS03-032 security bulletin describing the Object Data Type flaw, the patch only fixed one of several methods known to allow its exploitation. This latest cumulative IE patch addresses two other methods of exploiting this vulnerability.

Microsoft quite rightly rates this a critical severity patch, allowing, as it does, the remote execution of arbitrary code. Aside from this, and as we have already said, this vulnerability is being actively exploited on the Internet as we write and has been for several weeks now. All users of machines with affected versions of IE installed should install this patch immediately, even if they do not use IE for their web browsing, since many other applications, e-mail clients included, render HTML through IE's components.

Microsoft Security Bulletin MS03-040

* Script security update for Windows Media player

Although _not_ covered in a security bulletin, a serious security flaw in Windows Media Player's (WMP) handling of script commands in URLs has been fixed. Updates for the various supported versions of WMP are available from the Microsoft Knowledge Base article linked below, as is a description of the altered behaviour and the enhanced security controls available in the updated versions of WMP. In short, Microsoft has, by default, disabled scripting support in one of three areas of possible concern; the other two can be specifically disabled through new registry values described in the KB article.

Demonstration exploits of the original WMP URL script command behaviour have already been published. As is the case with so many apparently 'minor' IE vulnerabilities, this one can be combined with other 'trivial, so as yet unpatched' flaws to yield a much higher-value compromise (consider the Half-Life 2 item below!). Users of WMP (and recall that WMP is likely to be the default media player in a typical Internet Explorer configuration) should obtain the appropriate update and install it.

Update for WMP URL Script Command Behavior - microsoft.com

* Source code of Half-Life 2 stolen through unpatched IE flaws?

Valve Corp, the software developer behind the highly popular Half-Life and the much anticipated Half-Life 2, has admitted, apparently through its founder Gabe Newell, that a copy of the source code of the as yet unfinished Half-Life 2 has been stolen from the company's servers.

Although the details are sketchy, Newell's admission suggests that a deliberate series of steps was followed, starting with compromising his own machine via an (at the time) unknown vulnerability in Internet Explorer to plant a keylogger. With the information gained from the keylogger, and possibly by using a backdoor installed on his machine, the attackers eventually managed to obtain remote access to the unreleased game's source code and related tools, such as level editors, on or shortly before 19 September. The code has been widely traded on IRC since then, and Newell's statement confirms that it is the stolen Half-Life 2 source.

Others have speculated that the initial compromise may be yet another case of exploitation of the Object Data Type vulnerability, one variant of which was patched in MS03-032, but two other forms were left unpatched until the release of MS03-040 a few days ago. Exploits of the Object Data Type bug were certainly seen in use for installing keyloggers and remote access Trojans.

Popular computer game code stolen by hackers - computerworld.com

* Hacker blocks (shipping) port court told...

Hackers attacking network ports are to be expected, but in a recent UK case one of the victims is a shipping port. British teenager Aaron Caffrey, 19, has been charged under the UK's Computer Misuse Act for his alleged role in downing the Internet systems of the Port of Houston, Texas.

Caffrey is said to have been seeking revenge against what he saw as disrespectful comments about his American girlfriend's home country, made in an IRC chat session. In retaliation, he started a ping flood DoS attack against the South African who made those comments, using the Port of Houston's servers as an intermediary to hide his real location.

The trial is ongoing, but more details can be read in The Register's article, linked below.

Teenager accused of 'electronic sabotage' against port - theregister.co.uk

* ViewSonic ex-employee faces hacking charges

As if another reminder were needed, the case of a disgruntled former employee breaking into his former employer's network and wreaking havoc shows that not only should dismissed employees' accounts be locked or removed (or, at the very least, their passwords changed), but the passwords of those they worked with should also be changed.

This is especially so for privileged users, as seen in the case of Andrew Garcia, a former network administrator for monitor manufacturer ViewSonic. Garcia had reputedly acquired the passwords of other privileged users, so after his employment was terminated and his own accounts were locked, he logged into ViewSonic's network through those other accounts and deleted files, causing a system outage and data loss.

Former ViewSonic admin faces five years inside for hack - silicon.com

* US courts to hand down tougher sentences for hacking, computer crime

On the back of all this recent news of apparently successful hack attacks, perhaps some small solace can be derived from news that US federal judges have been issued tougher sentencing guidelines for computer crime offences. The US Congress ordered the changes last year following increasing concern that the sentences handed down under earlier sentencing guides did not reflect the seriousness of recent computer crimes. New guidelines developed by the US Sentencing Commission are to come into effect from 1 November. The linked Washington Post article carries further details and commentary on the perceived likelihood that stiffer sentencing guidelines will have any effect on those committing such crimes.

Hackers to Face Tougher Sentences - washingtonpost.com
