IDGNet Virus & Security Watch Friday 8th November 2002

This issue's topics:

Introduction:

* Braid worm, Roron hype?, IE scripting holes, cordless keyboards and cyberterror

Virus News:

* Braid worm weaves way through web

* Roron worth roaring about?

Security News:

* IE remote code execution exploit published

* Ever wondered about the range of cordless keyboards?

* Cyberterrorism threats debunked

Introduction:

It has been a slow week all round, although a couple of minor though interesting virus-related events cropped up at the end of the week. The first was the Braid worm which, apart from sending endless copies of itself to addresses in its victims' address lists, tries to infect their machines with the FunLove virus (which is anything but fun or lovable).

Mid-week, Russian antivirus giant Kaspersky Labs distributed a press release obviously written by someone with an overactive hyperbole gland. Full of scary scenarios all set in the wonderful (or is that wondrous?) world of 'what if', it would have been a superb parody of the atrocious AV press releases of yore had it not been intended to be taken seriously. Before the virus writers achieved enough 'success' with their 'creations' that they themselves scared most computer users into rushing out and buying antivirus software, snake-oil such as can be distilled by the barrel from this latest Kaspersky production was standard fare in press releases from many AV companies. Fortunately, most of those companies either chose to stop insulting our intelligence or were purchased by those that had. Perhaps Kaspersky Labs should take note...

Unbelievably, on the security front no major bugs were revealed nor major patches released, though there is some potential concern over a 'proof of concept' exploit of some existing serious IE security flaws. Sensible IE users will have to reconsider leaving scripting enabled for anything but the most trusted of web sites. There is also an argument that 'sensible IE users are ex-IE users', and adherents of that line of reasoning may take more heart from this latest exploit, which demonstrates how HTML that should be restricted to the Internet can run arbitrary code in IE's Local Computer zone, which by default has no meaningful security restrictions.

The other security links are a news article on the unexpected range of a cordless keyboard and an op-ed piece from The Washington Monthly. The latter analyses, and finds wanting, many of the assumptions behind the commonly repeated media soundbite descriptions of the cyberterrorism threat.

Virus News:

* Braid worm weaves way through web

Unlike our other virus story this week, the Braid (aka Brid, Bridex) worm has actually been seen more than a handful of times. Braid is nothing special in the worm department, being a typical executable mass-mailer, but it also deliberately drops a W32/FunLove infection. FunLove is known to be very troublesome for most companies to remove from their systems should their LANs get infested. However, as it is an old virus and has been well-known to all virus scanners for a long time now, should Braid get lucky and get past perimeter defences, desktop virus scanners should prevent FunLove getting established (but Braid will likely still run).

All major antivirus products have now been updated to detect Braid.

Computer Associates Virus Information Center - Braid worm

F-Secure Security Information Center - Braid worm

Kaspersky Lab Virus Encyclopedia - Braid worm

Network Associates Virus Information Library - Braid worm

Sophos Virus Info - Braid worm

Symantec Security Response - Braid worm

Trend Micro Virus Information Center - Braid worm

* Roron worth roaring about?

Russian antivirus developer Kaspersky Labs made a thundering press release this week proclaiming the imminent collapse of the Internet should Roron, the latest worm detected by the company's products, actually get a toehold. According to the press release Roron 'carries a very impressive armory of extremely dangerous payload and backdoor functions'. A cynic may be excused for smelling a hint of, well, if not envy, at least gratitude there.

Roron is potentially a nasty piece of work, but no more so than dozens of other go-nowhere malware seen by virus analysts in AV company labs around the globe every week.

Writing on Thursday morning, NZ time, Kaspersky Labs' dire warning claimed that Roron has already 'been credited with infecting computers in many regions including the U.S.A., Russia and a slew of European countries'. This does not gel with the fact that, as of this writing late Friday morning (NZ), only two instances of any of the several Roron variants are recorded on MessageLabs' Threatlist page. Roron's early spread seems likely to be centred in Europe, given its Bulgarian origins, and as regular readers will recall, MessageLabs' large corporate userbase is somewhat biased toward European companies, so the disparity between Kaspersky's claims and MessageLabs' statistics is telling. Other online prevalence statistics also show vanishingly small numbers of, or no, Roron detections.

Can our readers make a sentence from the words 'in', 'teacup', 'storm', 'a'?

Network Worm "Roron" - Red Alert! - kaspersky.com

MessageLabs Threatlist - Roron worm

Computer Associates Virus Information Center - Roron worm

F-Secure Security Information Center - Roron worm

Kaspersky Lab Virus Encyclopedia - Roron worm

Network Associates Virus Information Library - Roron worm

Sophos Virus Info - Roron worm

Symantec Security Response - Roron worm

Trend Micro Virus Information Center - Roron worm

Security News:

* IE remote code execution exploit published

Although there are no security patches from Microsoft this week, one of the Redmond giant's more notoriously buggy products, IE, may be about to come under greater attack. An exploit that runs arbitrary code in IE's local security zone was published this morning. Although this exploit 'only' combines several of the known vulnerabilities listed at the 'Unpatched IE security holes' page (linked below), it does so in a way that may conveniently supply virus and worm writers and script kiddies with an easily followed 'recipe'. Such malcontents could take the 'proof of concept' exploit and modify it slightly to wreak much more damage or mischief than that done by the example code. As the example, and thus any malicious code derived from it, depends on scripting to be able to do its work, IE users are again strongly advised to consider disabling scripting in the Internet zone and to be very choosy about which domains they trust enough to place in the Restricted Sites zone (assuming they leave scripting enabled in that zone).

For more on unpatched security holes in IE see the 'Unpatched IE security holes' page.

Unpatched IE security holes - pivx.com

* Ever wondered about the range of cordless keyboards?

Norwegian newspaper Aftenposten reports that two residents of Stavanger, in buildings approximately 150m apart, discovered that one of their Hewlett-Packard cordless keyboard receivers can receive what is being typed on the other's keyboard. The men, who coincidentally work together (which helped in discovering who the mystery typist was), were surprised at the discovery, as the keyboard is supposed to have a functional working range of about 20m. As one said, 'If HP can't find a decent explanation for this I don't dare use this keyboard'. The whole story, in English, is linked below.

Cordless keyboard wrote on neighbor's computer - aftenposten.no

* Cyberterrorism threats debunked

The Washington Monthly has published an excellent expose of the shallow thinking and empty catchphrases of the 'cyberterrorism' soundbites so often heard in post-September 11 political rhetoric. Written by Washington Monthly editor Joshua Green, the article takes a considered view of just how crucial infrastructure systems, often painted as a mere mouse-click away from total control by the world's elite hackers, are actually run.

The Myth of Cyberterrorism - washingtonmonthly.com
