The first virus to take advantage of NTFS Additional Data Streams (ADMs) was reported this week. This, in turn, rekindled an older discussion of the ability to "hide" things in such streams, as many of the standard utilities and command shell internal commands do not handle ADMs at all (and those that do often only do so partially). There is, for example, no standard utility or feature in the GUI to locate ADMs or even to indicate whether there may be any on a disk. Despite some ill-considered commentary to the contrary, there is little of immediate concern from the discovery of the first virus to use ADMs.
Security patches abound in the Unix realm, particularly when something as near-universal as glibc is found to have a security hole. Other than that, we keep whittling away the recent backlog of Microsoft Windows and NT security updates.
First virus using NTFS file streams discovered
Kaspersky Lab, makers of the Anti-Virus Toolkit Pro (AVP) antivirus product, distributed a rather breathless press release earlier this week announcing the first "stream companion" virus. Variously known as W2K/Stream, WNT/Stream and W32/Stream by different antivirus developers, it is true that this virus is the first to explicitly use the "Additional Data Stream" (ADS) feature of NTFS.
Although ADS is available in earlier NTFS implementations, the Stream virus only works under Windows 2000 because of an OS version test in its code. When the virus infects a file, it copies the host file into an ADS it attaches to the host file, then overwrites the main body of the file with the virus' code. When an infected program is run, the virus attempts to find and infect further programs then launches the original host program from the ADS it was copied to.
Currently, no virus scanners check the contents of ADS as these cannot be directly loaded and executed and no viruses or other malware were using. Correct programmatic disinfection of the W2K/Stream virus will require updated antivirus engines, as current products have no way of retrieving the original executable code from the ADS. Detection of the virus itself is trivial, as the virus code is in the primary file stream. Fortunately, the Stream virus has not been reported from the wild.
NTFS stream virus hooey
Coincidence seems an unlikely explanation of the timing of the SANS "flash alert" describing "virus scanner inadequacies with NTFS". However, although the alert was released the day after the Kaspersky Lab press release describing the first stream virus (see previous item) and its authors admit to having sat on the alert for "over three months", the alert makes no mention of the W2K/Stream virus. It does go to extreme lengths to posit a situation whereby a current virus scanner that is not ADS aware may be tricked into causing problems for users of the scanner.
The combination of conditions the alert describes as required to render one's scanner "destructive" are very unlikely in the real world. In fact, it seems the authors of the alert are unaware of the typical use
of the products they implicitly criticize. For example, one of the required conditions is setting your scanner to delete or move (often called "quarantine" in the scanner) infected files. While such options
are available in most scanners, very few users normally run their systems with those options set. They do not use these options for precisely the reason that many viruses cannot be adequately disinfected,
and having your scanner delete or move files infected with such viruses is likely to result in a worse short-term situation than leaving the machine "functional but infected".
While a multitude of other errors and misinterpretations in the SANS report amused many antivirus developers, it is perhaps unfortunate that a group with the profile of SANS can get so much, so wrong.
More old Trojans hyped into news...
Further to the item about the Pokemon Trojan in the previous newsletter, last Friday some of the media and the FBI were all hot under the collar about what turned out to be two more old Trojans. Aside from some over-excited reporting from Asia earlier in the day, the FBI's crack "anti-cybercrime" National Infrastructure Protection Center (NIPC) saw fit to post a press release.
Despite the concern expressed by those reported in the media, samples of the alleged new and dangerous programs were not supplied to antivirus developers for analysis. Finnish security product developer F-Secure eventually obtained such samples, only to discover they were already known and detected by most current virus scanners.
Java VM update for IE/Windows OSes
A security flaw in the Windows Java VM that shipped with IE versions 4.x and 5.x (and thus as part of several Microsoft OSes) has been patched. This vulnerability allows an applet to establish network communication with a site other than that hosting the applet -- a serious breach of one of the fundamental tenets of the Java VM security sandbox.
In combination with an earlier IE exploit, this flaw allows an applet similar to BrownOrifice (reported in the 17 & 25 August newsletters) to be written for IE. The first two URLs below link to the update for that
earlier exploit, should you wish to check that specifically, but the update instructions for this most recent vulnerability explain how to update to make sure you have both patches (if you need them both).
Microsoft Security Bulletin and FAQ:
IPX network protocol update for Windows 9x
The Windows 9x NWLink implementation of the SPX/IPX network protocol has a flaw, in that it will respond to "IPX ping" packets with a broadcast address. This allows for a potential broadcast storm. Apart from possibly briefly consuming significant network bandwidth, such a storm may cause some affected machine to crash, potentially losing unsaved work and requiring a reboot.
As IPX is seldom routed over public networks, the risk of a remotely launched attack of this type having an effect is low. However, users on DSL networks may be vulnerable to such an attack from other, malicious, users on the same network. (Few ISPs have, or enable, dial-up IPX so this is nowhere near as great a risk as for DSL-style ISP connectivity.) Administrators who cannot trust their local users are advised to install this update on their Windows 9x client machines.
NT 4.0 update from Microsoft
Although tagged as fixing the "Invalid URL" vulnerability this update should be considered by all NT 4.0 users. The only situation Microsoft has identified where this bug can be exploited leads to a denial of
service attack against NT 4.0 Server if it is running IIS v4.0 and a specially crafted form of invalid URL is requested. IIS v5.0 handles these invalid URLs differently, so is not vulnerable to the attack.
It is important to note that the buggy code is actually in NT 4.0, not IIS. For that reason, Microsoft recommends all NT 4.0 users consider installing the patch. NT 4.0 Servers running IIS 4.0 should have the update installed.
Windows Media Service update
A specially created form of invalid request packet can induce a race condition in the Media Server Unicast Service. This race condition may mean a subsequent request packet (even a valid one) causes the server to fail, disrupting any existing sessions and preventing any new ones from being started. Should this happen, the restarting the Unicast Service corrects the problem.
This flaw is present in both v4.0 and v4.1 of Media Services. The update applies to v4.1 and Microsoft recommends users of Media Services v4.0 to upgrade to v4.1 then apply the patch.
Windows 2000 privilege escalation update
Microsoft has released an update for the "Named Pipe Impersonation" vulnerability on Windows 2000. A malicious person with interactive login access to any user (even Guest) can take advantage of the predictability of the names the Service Control Manager uses to create named pipes for system services. A user who can login interactively and run an arbitrary program would be able to impersonate the user the exploited service runs as. For most system services this means LocalSystem privileges become available -- enough to allow the user to add themselves to the local administrators group, say.
"locale" subsystem vulnerability in multiple Unixes
A local root exploit has been found involving the locale subsystem. Technically, the problem is in the glibc library and involves the use of format strings, user-specified environment variables and SUID programs. It affects most popular Unix and Unix-like OSes that implement the locale subsystem. Several Linux vendors have already posted patches or package updates, but their haste in doing so, and thus blindsiding an attempt to make a co-ordinated release of the vulnerability information
across all affected Unix vendors, has drawn some comment from the security community.
Unix/Linux system administrators are advised to check the vulnerability of their OS with their vendor.
RSA Security yields software patent early
Two weeks prior to the natural expiration of its patent on the RSA encryption algorithm, RSA Security has released the algorithm to the public domain. Capitalizing on growing interest in the patent's imminent expiration on 20 September, the company announced it was waiving its rights to enforce the patent for any developmental use of the RSA algorithm occurring after 6 September.