Aside from being another week with no Microsoft security bulletins, patches or revised patches, we saw a silly Trojan Horse program get its fifteen minutes of (undeserved) fame and some critical security patches for remotely exploitable bugs in the popular Unix System V-derived login, and in SSHD. Also, a couple of e-mail worms are bubbling under but showing signs they may just be viable enough to cause an outbreak...
As the 'holiday season' approaches, the newsletter goes into abatement for a few weeks. Next week's issue will be the last for the year and the first issue of 2002 will be on 7 January.
Gokar e-mail worm may be ramping up
While this issue was being written on Thursday evening, it looked as if Win32/Gokar.A@mm may be shaping up to be this week's Goner. A mass mailing worm, Gokar arrives in a message with a Subject: line randomly selected from a long-ish list in the virus' code and a short message body also randomly selected from a list in the code.
If the arrival of unexpected messages bearing executable attachments is not warning enough that something is amiss, the attachment names should be enough to put sane users off running them. The copy of the virus is included in an attachment with a 'nonsense' name created by repeating a short, randomly created string three times, adding a randomly generated eleven-digit number, repeating the random string once more and adding an extension of .exe, .scr, .pif, .com or .bat.
Apart from the usual links to antivirus developers' descriptions of the virus, links to MessageLabs' detection statistics and Gokar incident report are included so the curious can track Gokar's progress (or the lack thereof!). Not that geographical location really matters much with such (potentially) fast-spreading e-mail worms, but personal reports to the newsletter compiler from other antivirus researchers suggest that the early incidents of Gokar have mainly originated in the Asia/Pacific region, including New Zealand. Most virus scanners have been updated to detect Gokar.
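The repeated-string attachment name described above is a usable mail-gateway indicator. The following is an added example (not from the newsletter or any antivirus vendor) that matches that naming pattern; the length and character set of the random string (2 to 8 alphanumerics) are assumptions, since the text does not state them.

```python
import re

# Pattern from the description: a short string repeated three times, an
# eleven-digit number, the same string once more, then one of the listed
# extensions. The {2,8} alphanumeric bound on the string is an assumption.
GOKAR_NAME = re.compile(
    r"^(?P<s>[A-Za-z0-9]{2,8})(?P=s)(?P=s)\d{11}(?P=s)\.(?:exe|scr|pif|com|bat)$",
    re.IGNORECASE,
)


def looks_like_gokar_attachment(filename: str) -> bool:
    """True if the attachment name fits the repeated-string pattern."""
    return GOKAR_NAME.match(filename.strip()) is not None


def flag_attachments(names):
    """Return the attachment names that match, preserving input order."""
    return [n for n in names if looks_like_gokar_attachment(n)]


# Constructed sample names for demonstration, not real samples from the outbreak.
SAMPLE = [
    "abcabcabc12345678901abc.exe",   # matches: 'abc' x3, 11 digits, 'abc', .exe
    "report.doc",                    # ordinary attachment: no match
    "xyxyxy12345678901xy.scr",       # matches with a two-character string
    "abcabcabc1234567890abc.exe",    # only ten digits: no match
    "abcabcabd12345678901abc.pif",   # third repeat differs: no match
]

if __name__ == "__main__":
    for name in flag_attachments(SAMPLE):
        print(f"quarantine candidate: {name}")
```

A gateway rule built on this should still rely on scanner updates for detection; the name pattern only catches the variant as described here.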
Bogus lantern fails to light...
Earlier this week we saw a textbook attempt by a malware writer to cash in on recent media publicity about a rumoured or suspected virus or Trojan, or on a hoax. The Win32/Danschl.A Trojan Horse was the result -- a very simplistic Trojan that deletes several system files and directories, and creates some folders on the desktop. It also displays a series of vacuous messages claiming, among other things, that its writer is an Argentinean teenager. At least to those who do not see the achievement as being in any way 'cool' or 'clever', these messages also suggest its writer is rather juvenile for his alleged age.
Some of the messages displayed by Danschl also claim that it is the FBI's (probably mythical) 'Magic Lantern' spy program, mentioned a couple of weeks ago in this newsletter. Because of that, the Trojan was not, of course, named 'Magic Lantern' or anything like it, apart from by one antivirus developer that saw fit to attempt to make some publicity from it by calling it 'Malantern' and issuing a press release about it.
Zacker spreading slowly?
A few samples of another new e-mail worm, Win32/Zacker.A@mm, have been reported from the field in the last few days, but this one seems unlikely to get far. Like Gokar, described elsewhere in this newsletter, Zacker depends on Outlook and sends itself to all addresses in the victim's Outlook address book. However, before sending itself by e-mail, Zacker creates a huge number of copies of itself on the victim's hard drive, often depleting free space so much as to slow the machine to an unusable degree. This is likely to draw the victim's attention to Zacker's presence long before Zacker gets a chance to mail itself.
Possible privilege escalation via System V login in various Unixes
The CERT Coordination Center has warned of a buffer overflow vulnerability in the argument parsing of System V-derived login programs that can lead to privilege escalation in some circumstances. Normally, for system logins, login is called with the privileges of the user requesting the login, so exploitation of this buffer overflow should be 'harmless' in such cases.
However, several applications that are traditionally (or must be) run with greater privileges also call login to authenticate users. Two common examples are telnetd and rlogind, which usually run as root. As both are normally available for remote login across the network, they can be remotely exploited for root access by an attacker who has no prior access to the system. An exploit is known to exist for this vulnerability and it may be in circulation.
Administrators of Unix and Unix-like OSes should check the CERT/CC advisory for more details, and particularly the vendor information appendix for the availability of patches for vulnerable systems.
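Because the overflow only becomes a remote root problem through root-privileged services that hand remote users to login, a quick inventory of which such services a host still offers is a useful first step while waiting for vendor patches. The following is an added example (not from the CERT/CC advisory) that reads a classic seven-field inetd.conf and reports enabled telnet and rlogin entries running as root; the service names checked and the sample configuration are assumptions constructed for this illustration.

```python
# Services whose inetd daemons (in.telnetd, in.rlogind) invoke login for
# remote users. Assumption: these two names cover the cases named in the text.
LOGIN_CALLERS = {"telnet", "login"}


def audit_inetd(conf_text: str):
    """Return (service, user, server) for enabled login callers running as root.

    Classic inetd.conf fields: service socket proto wait user server args...
    Commented-out lines are disabled services and are skipped.
    """
    findings = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue                       # malformed or truncated entry
        service, user, server = fields[0], fields[4], fields[5]
        # The user field may carry a group suffix (e.g. root.wheel); compare the user part only.
        if service in LOGIN_CALLERS and user.split(".")[0] == "root":
            findings.append((service, user, server))
    return findings


# Constructed sample configuration, not taken from any real host.
SAMPLE_CONF = """\
# inetd.conf (constructed example)
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
#login  stream  tcp  nowait  root  /usr/sbin/in.rlogind  in.rlogind
login   stream  tcp  nowait  root  /usr/sbin/in.rlogind  in.rlogind
"""

if __name__ == "__main__":
    for service, user, server in audit_inetd(SAMPLE_CONF):
        print(f"{service}: {server} runs as {user} and calls login; patch or disable")
```

On a real host, pass the contents of its own /etc/inetd.conf (or the equivalent xinetd or SMF configuration, which this parser does not handle) to audit_inetd.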
More SSH bugs, exploits and scanning -- various Unixes, Linux
For the last several weeks, there has been much scanning for SSHD servers vulnerable to the CRC32 compensation attack. Further, several popular distributions have been found vulnerable to various additional exploitable vulnerabilities. Even if you have recently patched your SSHD, it is advisable to check with your vendor(s) in case they have further updates available for this package.