IDGNet Virus & Security Watch Friday 24 May 2002

This issue's topics: Introduction: * Two worms, the ANZ and viruses, debploit and IMail patches Virus News: * At least two MS SQL worms on the rampage * First KaZaA worm * ANZ online banking virus policy causes stir Security News: * Patch for 'debploit' finally released * Update for IMail fixes remote code execution buffer overflow * Cross site scripting explained (again) * German computer magazine foils biometric security sensors

This issue's topics:


* Two worms, the ANZ and viruses, debploit and IMail patches

Virus News:

* At least two MS SQL worms on the rampage

* First KaZaA worm

* ANZ online banking virus policy causes stir

Security News:

* Patch for 'debploit' finally released

* Update for IMail fixes remote code execution buffer overflow

* Cross site scripting explained (again)

* German computer magazine foils biometric security sensors


Two worms have grabbed a deal of media attention this week, although for quite different reasons. One was the first designed specifically to work on the KaZaA peer-to-peer network, although was not the first peer-to-peer worm. The other was seen by some as possibly being 'the next CodeRed' but there are, apparently, not enough machines on the Internet vulnerable to its charms for it to live up to such expectations. And the ANZ's online banking policy and its coverage of virus made it into the local news...

On the security front, Microsoft has finally released a patch for the 'debploit' vulnerability first mentioned in this newsletter more than a month ago. Also, the popular Windows mail server IMail has been patched to fix a remotely exploitable buffer overflow. We round out the newsletter with more ways to defeat simple biometric security systems and some good resources on cross site scripting problems which. Because the latter are still far more common in production web sites than they should be, you may find these documents useful starting point for your own web developers.

Virus News:

* At least two MS SQL worms on the rampage

During the last few weeks there was a steady, but low, level of reports of NT and Windows 2000 web servers being defaced or of the machines being 'trashed' by having many files deleted. These reports all mentioned one or more of the appearance of a 'rochester.bat' file, popup messages on the attacked machines mentioning the University of Rochester and/or web page defacements also mentioning the University of Rochester. These reports coincided with a noticeable upswing of Port 1433 - traditionally associated with MS SQL Server - activity.

Then, from 20-21 May there was a huge leap in the number of Port 1433 scans detected around the world. Soon thereafter the code of two worms dependent on the weak (actually null) sa user password under a default MS SQL Server installation was captured. Known variously as SQLSpida, SQLsnake, SQLSpider, Digispid and probably others, these worms implement essentially the same functionality, but with one using an executable as the main driving program and the other a standalone JavaScript program.

In short, the main worm program scans the network for machines running MS SQL Server on its default port and with a blank (or null) SQL 'system administrator' (or 'sa') user password. If it successfully connects to such a machine, depending on the variant it either creates a new user or enables the Guest user and, either way, adds that user to the Administrators and Domain Admins groups. Then it attempts to map to the administrative share of the target host and, if successful, it copies itself and a host of 'helper' programs and files to the Windows system directory on the newly compromised machine and launches that copy of itself on the new host. Various system information and a dump of the local user database is e-mailed to an address presumably accessible to the person who wrote, or initially distributed, the worm.

Both versions set a non-null sa user password, preventing that host's re-infection and the JavaScript (.B) variant of the worm also sets itself to run at system startup. The analysts at are suggesting today that Port 1433 scans have levelled off, indicating that this worm has reached its saturation point. Antivirus and IDS developers have all updated their identification databases to detect various parts of this worm or its actions on the network.

Of course, properly firewalling SQL Servers from the Internet where possible and enforcing best practices regarding password selection entirely prevent this worm affecting your installation. Preventing Microsoft Networking (NetBIOS) connectivity to the Internet also limits your possible exposure.

The more astute of you will now be asking, so why did they lead with 'At least two MS SQL worms...'? Well, neither of the SQLSpida variants fits the description of the 'rochester' incidents described at the beginning of the article. It seems, in the cases those have

New worm targets Microsoft's SQL Server -

SQLsnake Code Analysis -

MSSQL Worm (sqlsnake) on the rise -

Computer Associates Virus Information Center - JScript/SQLSpida.B

F-Secure Security Information Center - SQLSpida

Kaspersky Lab Virus Encyclopedia - Worm.SQLSpida.a-b

Network Associates Virus Information Library - JS/SQLSpida.a.worm

Network Associates Virus Information Library - JS/SQLSpida.b.worm

Sophos Virus Info - w32sqlspidera

Sophos Virus Info - jssqlspiderb

Symantec Security Response

Trend Micro Virus Information Center - JS_SQLSPIDA.B

Trend Micro Virus Information Center - TROJ_SQLSPIDA.B

Trend Micro Virus Information Center - BAT_SQLSPIDA.B

* First KaZaA worm

Discovery of Benjamin, the first worm exploiting the KaZaA network, was announced a few hours after last week's newsletter was distributed. Despite the media attention earlier this week, peer-to-peer (P2P) networking worms are not an entirely new, with a couple that targeted Gnutella last year already in the bag. Unlike one of the Gnutella worms, Benjamin only works on machines with the P2P network software already installed and simply makes a large number of copies of itself in the KaZaA file sharing directory. These copies are padded to varying lengths and given names indicative of material the worm's writer presumably feels are high-probability search hits. One user infected by the worm reported over 3.6 GB of disk space consumed by the worm's copies.

As has been seen before, one of the miscreants who wrote the worm has tried to justify his actions. In a news report, linked below, Paul Komoszki is reported to have claimed it was an 'experiment' and that it was targeted at the illegal exchange of child pornography and copyrighted music on the KaZaA network. Someone should explain to Komoszki that two wrongs don't make a right...

Its Creator Says Kazaa Benjamin Worm Means Well -

Computer Associates Virus Information Center - Win32.Benjamin

F-Secure Security Information Center - Benjamin

Kaspersky Lab Virus Encyclopedia - Worm.Kazaa.Benjamin

Network Associates Virus Information Library - W32/Benjamin.worm

Sophos Virus Info - w32Benjamina

Symantec Security Response - w32.benjamin.worm

Trend Micro Virus Information Center - WORM_BENJAMIN.A

* ANZ online banking virus policy causes stir

Rival banks, banking specialists and some customers of the ANZ have all criticized the bank's inclusion of a clause placing liability for damage caused to the bank by viruses it contracts through customers of its online banking service. The ANZ says it is reviewing the policy.

ANZ stung by reaction to virus liability clause --

Security News:

* Patch for 'debploit' finally released

More than a month ago we warned our readers of the release of a tool exploiting a flaw in NT and Windows 2000 that allows any user to run any code under the system security context because of lack of proper authentication of use of the Windows debugger interface. That flaw, named 'debploit' by the writer of the published exploit, has now been patched and all users of affected systems should obtain and install the patch as soon as practicable.

This patch release has again raised questions over the timeliness of Microsoft's fixing and shipping of critical security patches. It seems that this flaw was, in fact, not reported to Microsoft in early April when the debploit utility was publicized, but back in early January this year by Auckland security researcher Zsolt Pardi. A news story alluding to that angle of the story, plus the usual link to the Microsoft security bulletin (and patches) is provided. Note that this vulnerability affects NT 4.0 and Windows 2000 but not Windows XP.

Microsoft Security Bulletin MS02-024

* Update for IMail fixes remote code execution buffer overflow

An update has been released to fix a remotely exploitable buffer overflow in the LDAP component of Ipswitch's popular IMail Server v7.x. The LDAP server component of IMail allows remote access to the IMail directory and overlong authentication data fed to the LDAP service as part of the associated user authentication process can overflow a buffer in the Ipswitch code.

Patches & Upgrades -

* Cross site scripting explained (again)

Although mainly not documented in this newsletter due to the low level of applicability of each alert, the last few months have seen huge numbers of cross site scripting (CSS, XSS) exploits discovered, published and patched. Despite being an 'old' issue, XSS seems to keep coming back to bite the developers of web applications and designers of web sites. In the last week or so a couple of useful resources describing XSS issues which should help application and web site designers become aware of and design around the problems have been released. The Cross Site Scripting FAQ by 'zeno' at and a white paper from iDEFENSE Labs on the development of XSS attacks to date and their likely future development are linked below. Both are advised reading for the security experts in your company and possibly for your web developers and designers (who are often completely overlooked from a security perspective despite usually being the only people in your company who directly expose their own code to the roug

h and tumble of the Internet).

The Cross Site Scripting FAQ -

The Evolution of Cross-Site Scripting Attacks - iDEFENSE Labs

* German computer magazine foils biometric security sensors

Further to last week's report of a fingerprint reader being beaten with a simple gelatine impression created from images of latent fingerprints, German computer magazine c't has published the results of a longer and more comprehensive series of tests it made on similar devices, face recognition and iris scanners.

Suffice it to say, the results were not at all encouraging. The magazine's English translation is linked below. For those without the time to read the full report, in short they found tricks as simple as breathing on capacitive fingerprint readers could 'reactivate' latent prints left on the readers' sensor surfaces, that latent prints from other surfaces could be lifted with adhesive tape and used to fool such device and simply replaying a short video clip on a laptop whose screen was held in front of the camera could fool some face recognition systems. Admittedly the systems tested were aimed at the (cheaper) home user market, but the ease with which so many different systems were fooled is quite disconcerting.

Biometric Access Protection Devices Put to the Test - c't online

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about ANZ Banking GroupCA TechnologiesCreatorF-SecureGnutellaIpswitchKasperskyKasperskyKaZaAMicrosoftSophosSymantecTrend Micro Australia

Show Comments