IDGNet Virus & Security Watch Friday 22 August 2003

This issue's topics:

Introduction:

* Worms, anti-worms, IE cumulative patch and OS X realpath patch

Virus News:

* Anti-worm worm raises concern, causes problems

* Sobig.F fastest spreading mass-mail virus ever

Security News:

* Critical vulnerabilities fixed in new IE cumulative update

* Important patch for Microsoft Data Access Components

* MS02-040 revised

* MS03-030 revised

* Off-by-one realpath error afflicts Mac OS X too

Introduction:

A hugely busy week this week, so please excuse me if I rush a bit...

Again, the stories of the week are virus-related rather than security-centric. The ongoing saga of malware spreading via, or otherwise exploiting, the DCOM RPC hole that made the Blaster worm last week's story seemed likely to continue the theme this week. But by Tuesday afternoon the new Sobig variant discovered that morning was rapidly becoming a very big 'big thing', and by week's end it had eclipsed every record for the fastest-spreading mass-mailing virus ever.

Another self-spreading beast also caught brief attention earlier in the week - an 'anti-worm worm' was released onto the Internet in a vain and misguided attempt to track down and wipe out Blaster.

And it's not that the security scene has been entirely quiet... Two Microsoft security patches, one rated 'important' and one 'critical', have been released in the last few days, and the security bulletins associated with two others have been revised. Also, Apple has posted patches for its version of the 'off-by-one' flaw in the BSD 'realpath' function.

Virus News:

* Anti-worm worm raises concern, causes problems

It is widely held in the antivirus industry that an 'anti-virus virus' or 'anti-worm worm' is a fundamentally poor idea unless implemented with comprehensive controls guaranteed to prevent its 'escape' to places it should not be. It is further held that, in general, the controls necessary to ethically implement such a 'good' virus or worm would be so restrictive that the proposed viral or wormy functionality would be unnecessary, as the controls would effectively reduce the 'virus' or 'worm' to a controlled patch management system. Unfortunately, some others in the broader security industry have a rather more liberal view of such things and often suggest that it would be 'cool' or 'clever' or even 'desirable' to write and release such beasts in the wake of really widespread outbreaks so as to bring them under control more rapidly.

This week we saw again why the antivirus folks are right, and the IT industry's equivalent of the Wild West's vigilante gunslingers wrong, on this issue. Variously known as Nachi, Welchi, Welchia and as a variant of Blaster/LovSan/MsBlast, this worm was apparently designed to spread via the same DCOM RPC exploit to machines not patched against the vulnerability announced in MS03-026, then install that patch and reboot the machine (to finally install the updated files). Once it has gained access to a machine through the DCOM RPC exploit, it downloads a language-specific version of the patch installer and runs it. The worm also scans for more targets to spread to and sets itself to run at each startup. Nachi also tries to detect the Blaster worm and, if present, removes it from memory and deletes its startup entry from the registry. If the date is 1 January 2004 or later, Nachi removes itself from the system.

On the surface this probably seems like a good thing, but consider some issues that became apparent during this worm's rampage. First, the worm's own traffic adds to the network congestion caused partly by the worm it is hunting down and partly by others' legitimate attempts to track and kill that worm and patch the systems they are authorized to maintain. Second, as there is no control over, or coordination between, the copies of the anti-worm, local network segments hosting many vulnerable machines could easily become completely flooded with its scanning traffic (Nachi locates targets with ICMP echo sweeps before attempting the exploit, so a segment full of copies is a segment full of pings). In fact, precisely this happened to Air Canada, whose systems slowed to a crawl under Nachi's traffic, forcing manual issuing of tickets and delaying passenger processing.

Third, the patching worm may obscure coordinated attempts to clean up machines that had been vulnerable to the DCOM RPC attack. Blaster and Nachi were not the only things spreading via this vulnerability, but once Nachi had patched the machines it found, administrators looking for 'trouble spots' to deal with first may have overlooked Nachi'ed machines because they had the patch installed. Although Nachi should remove any Blaster infection from such machines, other nasties could have slipped onto them before Nachi closed the hole, and those machines may have continued their nefarious acts for longer because, when they were eventually checked (perhaps via remote network administration tools), they were found to be patched and were lowered on the priority list. For example, aside from a few other worms and viruses, several IRC bot net agents and at least one warez bot have been found modified to spread via the RPC DCOM exploit, and Nachi blissfully ignores these should they already be on one of its target machines. The practical lesson is that 'patched' is not 'clean': a machine that acquired MS03-026 from anything other than your own deployment process was exploited to get it, and should be inspected rather than deprioritised.
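To make the triage point concrete, here is an added example (not code from the newsletter or from any vendor) of how a host list should be ordered after an outbreak like this. The inventory records and field names are constructed for illustration; the rule they encode is that a host carrying the MS03-026 patch that was not patched by the organisation's own deployment is treated as exploited-then-patched (the Nachi case) and is inspected, rather than sinking to the bottom of the queue alongside genuinely clean machines.

```python
"""Post-outbreak host triage for the DCOM RPC (MS03-026) hole.

Added example for this article, not code from the newsletter or from any
vendor. Inventory records and field names are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    ms03_026_installed: bool   # patch present, as seen by a remote scan
    deployed_by_us: bool       # our patch-management system has a record for it
    blaster_seen: bool         # Blaster/LovSan artifacts found on the host
    nachi_seen: bool           # Nachi/Welchia artifacts found on the host


# Lower bucket number = handle first.
UNPATCHED, PATCHED_BY_EXPLOIT, PATCHED_BUT_WAS_INFECTED, CLEAN = range(4)

REASONS = {
    UNPATCHED: "unpatched: exploitable right now",
    PATCHED_BY_EXPLOIT: "patch not from our deployment: exploited to get it, "
                        "inspect for other DCOM-spread malware",
    PATCHED_BUT_WAS_INFECTED: "patched by us but infection indicators present: inspect",
    CLEAN: "patched by us, no indicators",
}


def bucket(h: Host) -> int:
    """Classify a host; 'patched' alone never earns the CLEAN bucket."""
    if not h.ms03_026_installed:
        return UNPATCHED
    if h.nachi_seen or not h.deployed_by_us:
        return PATCHED_BY_EXPLOIT
    if h.blaster_seen:
        return PATCHED_BUT_WAS_INFECTED
    return CLEAN


def naive_order(hosts):
    """The mistake described above: sort on 'patch installed' alone, so
    anything Nachi patched sinks to the bottom with the genuinely clean hosts."""
    return [h.name for h in sorted(hosts, key=lambda h: h.ms03_026_installed)]


def triage(hosts):
    """Return [(hostname, reason)] in the order the hosts should be worked."""
    ranked = sorted(hosts, key=lambda h: (bucket(h), h.name))
    return [(h.name, REASONS[bucket(h)]) for h in ranked]


# Constructed sample inventory (not real hosts).
SAMPLE = [
    Host("ws-01", True, True, False, False),    # patched by us, clean
    Host("ws-02", True, False, False, True),    # Nachi got here first
    Host("ws-03", False, False, True, False),   # still wide open, Blaster on board
    Host("ws-04", True, False, False, False),   # patched, but nobody here did it
    Host("ws-05", True, True, True, False),     # we patched it, but Blaster had been there
]

if __name__ == "__main__":
    print("naive:", naive_order(SAMPLE))
    for name, why in triage(SAMPLE):
        print(f"{name}: {why}")
```

With the sample inventory the naive ordering puts only ws-03 ahead of the pack and leaves the Nachi-patched ws-02 and the unexplained ws-04 mixed in with the clean ws-01; the triage ordering works ws-03, then ws-02 and ws-04, then ws-05, and only then ws-01.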

Worm clogs networks; Air Canada in chaos - canadait.com

Computer Associates Virus Information Center - 36372

F-Secure Security Information Center - welchi

Kaspersky Lab Virus Encyclopedia - 65727

Network Associates Virus Information Library - 100559

Sophos Virus Info - w32nachia

Symantec Security Response - w32.welchia.worm

Trend Micro Virus Information Center - worm_msblast.d

* Sobig.F fastest spreading mass-mail virus ever

At the height of its spread, MessageLabs was seeing one in seventeen messages processed through its e-mail servers carrying the latest variant of this largely 'successful' mass-mailing virus family, Win32/Sobig.F. In just three days the UK-based e-mail service provider has seen over three-quarters of a million messages infected with the virus, and in those three days Sobig.F has accounted for more than twice as many detections as Win32/Mimail, the next most common virus detected in August, which has been on the loose since the first day of the month.

Sobig.F is not particularly different from its recent predecessors apart from one twist: it runs its SMTP sending routine in multiple threads, so it can send many messages simultaneously rather than one by one. This appears to be a very successful technique, with many large e-mail servers groaning under the strain of the extra load from all of Sobig's 100KB messages, the overhead of virus scanning every one of them, and so on.

Further, the sheer number of messages Sobig sends has exacerbated some problems commonly seen on a much smaller scale with 'typical' mass-mailers. For example, the common practice of e-mail gateway virus scanners sending a warning message back to the sender of a virus-carrying message is quite anti-social for viruses such as Sobig (and most other recent mass-mailers) that forge all their sender information. Scanners responding to such messages inevitably send their 'helpful advice' to people whose e-mail addresses happened to be harvested from an infected machine, rather than to the real source of the infected message. Many recipients freak out on receiving one such message, but even the much hardier souls start calling their IT department, ISP, computer vendor and/or service contractors when they receive dozens or hundreds of them, plus similar numbers of messages carrying the virus accompanied by the usual warning from their local virus scanner. This mess is bound to continue through the weekend and into early next week.
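The fix on the gateway side is a policy, not a signature: stop 'warning the sender' when the detection is a mass-mailer known to forge its sender. The following is an added example (not code from the newsletter or from any gateway product) of such a policy. The detection names follow the vendor naming seen in this issue's links (Symantec's '@mm' suffix marks a mass-mailer); the family list, the per-address cap and the sample detection log are constructed assumptions.

```python
"""Gateway scanner notification policy for sender-forging mass-mailers.

Added example for this article, not code from the newsletter or from any
gateway product. Family list, cap and sample records are assumptions.
"""
from collections import Counter

# Families known to forge both the header From: and the envelope sender.
# Assumed list for illustration; a real deployment would maintain it.
SENDER_FORGING_FAMILIES = ("sobig", "mimail")


def forges_sender(detection_name: str) -> bool:
    """True if the detection is a known sender-forging mass-mailer."""
    n = detection_name.lower()
    return n.endswith("@mm") or any(fam in n for fam in SENDER_FORGING_FAMILIES)


def should_notify(detection_name: str, envelope_sender: str,
                  sent: Counter, cap: int = 3):
    """Decide whether to send a 'your message carried a virus' notice.

    Returns (decision, reason). `sent` counts notices already sent per
    address and is updated only when the decision is True.
    """
    if envelope_sender in ("", "<>"):
        # Null reverse path: the message is already a bounce or someone
        # else's notification. Replying would create a loop.
        return False, "null envelope sender: message is itself a bounce/notice"
    if forges_sender(detection_name):
        # The 'sender' is a harvested third party, not the infected machine.
        return False, "mass-mailer forges sender: notice would hit a third party"
    if sent[envelope_sender] >= cap:
        # Even for detections not on the list, do not bury one address.
        return False, "per-address cap reached"
    sent[envelope_sender] += 1
    return True, "notify"


# Constructed detection log: (detection name, envelope sender).
SAMPLE_DETECTIONS = [
    ("W32.Sobig.F@mm", "alice@example.com"),
    ("W32/Mimail.a@MM", "alice@example.com"),
    ("EICAR-Test-File", "carol@example.com"),
    ("EICAR-Test-File", "carol@example.com"),
    ("EICAR-Test-File", "carol@example.com"),
    ("EICAR-Test-File", "carol@example.com"),
    ("W32.Sobig.F@mm", "<>"),
]


def apply_policy(detections):
    """Run the policy over a detection log; return [(name, sender, decision, reason)]."""
    sent = Counter()
    return [(name, sender, *should_notify(name, sender, sent))
            for name, sender in detections]


if __name__ == "__main__":
    for row in apply_policy(SAMPLE_DETECTIONS):
        print(row)
```

Over the sample log, neither Sobig nor Mimail detection produces a notice to alice@example.com, the EICAR test file (which does not forge anything) is notified three times and then capped, and the null-sender record is dropped outright.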

MessageLabs Threat List - messagelabs.com

Computer Associates Virus Information Center - 36376

F-Secure Security Information Center - sobig_f

Kaspersky Lab Virus Encyclopedia - 65735

Network Associates Virus Information Library - v_100561

Sophos Virus Info - w32sobigf

Symantec Security Response - w32.sobig.f@mm

Trend Micro Virus Information Center - worm_sobig.f

Security News:

* Critical vulnerabilities fixed in new IE cumulative update

Microsoft's latest cumulative update for Internet Explorer contains patches for two newly disclosed security vulnerabilities, sets the 'kill bit' on an ActiveX control whose functionality is no longer supported and which has been found to suffer from a critical severity vulnerability, updates an earlier fix (from MS03-020) to ensure it works in all language versions, and fixes a denial of service (browser crash) bug in the handling of certain malformed HTML.

One of the vulnerabilities in IE is quite rightly rated as critical, as it provides much the same capability as an earlier vulnerability that has been very widely used by several 'successful' mass-mailing viruses. It is a flaw in IE's cross-domain security restrictions, and results in material supplied from the Internet being run as if it came from the My Computer security zone (which has almost no restrictions in default installations of IE on most OSes). It is highly likely that arbitrary code of an attacker's choosing could be delivered to the victim's machine and executed simply by browsing to a malicious web page, and probably also by viewing an HTML e-mail message. The other vulnerability directly in IE is rated by Microsoft as 'important'; however, it is unclear to this reporter from reading the description how this issue differs materially from the one just discussed. Regardless, as Microsoft rates the overall patch as 'critical', one would hope that all users of affected products will obtain and install it as soon as practicable (though the Blaster worm incident and its follow-ons suggest that may no longer be soon enough).

Installing the patch also sets the kill bit on the Windows Reporting Tool ActiveX control, BR549.DLL. The Windows Reporting Tool is no longer supported, and this control has been shown to suffer a critical severity vulnerability (about which no details have been released). The kill bit prevents the control from being loaded by IE and stops new copies being reintroduced through 'rogue' downloads. (The kill bit is simply a per-CLSID 'Compatibility Flags' value of 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility in the registry, so it can be verified after patching, and applied to other unwanted controls, independently of this update.) Two other important changes are also included in this patch: a revision to an earlier patch so that it works properly in some non-English language versions, and a fix for a trivially exploited denial of service caused by poor handling of a specific type of malformed HTML that has been circulating in the security research community for some time.

As with all other recent IE cumulative updates, note carefully the caveats in the security bulletin about HTML Help being disabled if this update is applied to systems that have not already installed the updated HTML Help controls.

Finally, security advisories and proof-of-concept exploits for these vulnerabilities have been posted in various places, and given that they allow remote execution of arbitrary code, expect to see them built into viruses and/or worms. As with the recent MS03-026 situation, now that PoC exploits showing how to exploit these holes are available, it is likely only a matter of time before something more serious based on them is released.

Microsoft Security Bulletin MS03-032

* Important patch for Microsoft Data Access Components

Microsoft has released a patch, rated 'important', for Microsoft Data Access Components (MDAC) versions 2.5, 2.6 and 2.7. MDAC 2.8, included with Windows Server 2003, does not contain this vulnerability. Although MDAC is not a standard OS component on earlier versions of Windows, it is installed as a necessary sub-component of many products, and it would be rare for a 'typical' Windows machine not to have it. A tool to help determine the version of MDAC on any given system is described in, and available from, a Knowledge Base article linked from the security bulletin below.

MDAC 2.8 is also supported on Windows 98, ME, 2000, XP and NT 4.0 and can be downloaded separately from Microsoft's web site, so upgrading to it is one way to close the hole. Alternatively, a patch for the other supported versions may be obtained from the links in the security bulletin linked below.

Microsoft Security Bulletin MS03-033

* MS02-040 revised

Microsoft has revised this security bulletin from last year, having realized that the supposed vulnerability in the SQL Server 'OpenRowSet' command was actually a flaw in an underlying Microsoft Data Access Components (MDAC) component. The bulletin has thus been revised to direct users not to bother with the patch associated with it, but to install the MS03-033 patch, described above, instead.

Microsoft Security Bulletin MS02-040

* MS03-030 revised

After releasing this DirectX security patch, Microsoft says it received many requests to support more versions of DirectX than those covered by the original patches. As stated in the revised bulletin, it 'has been updated to provide information about a new patch, which is intended for customers using Windows 98, Windows 98 SE, Windows Millennium Edition, or Windows 2000 who have upgraded to Microsoft DirectX 8.0, 8.0a, 8.1, 8.1a, or 8.1b'. If that is you, and you had issues with the original patches supplied with this bulletin, you should read the revised version.

Microsoft Security Bulletin MS03-030

* Off-by-one realpath error afflicts Mac OS X too

Apple has posted patches for Mac OS X 10.2.6 Server and Client to fix OS X's version of the off-by-one error in the BSD realpath() function announced a couple of weeks ago. Apple sits on the fence as to whether the vulnerability is actually exploitable on its platform, but the fact that it released patches suggests it probably is. Whether the root-privilege-gaining vulnerability is remotely exploitable on this platform is also unknown (in the original BSD advisories the remote attack path was through FTP daemons built on this code); the OS X function with the faulty code inherited from BSD is fb_realpath(), the copy of realpath() carried in the BSD FTP server sources.

Security Update 2003-08-14 v.1.0 (Server) - apple.com

Security Update 2003-08-14 v.1.0 (Client) - apple.com
