Again, aside from a widespread virus outbreak, it has been a fairly quiet week. Your newsletter's compiler has been attending an antivirus conference in Hong Kong, and on Tuesday several speakers expressed the opinion that the days of the 'dumb' mass mailer were over, observing that although we still see many 'dumb' mailers, none of the recent ones have 'taken off', and the only mass mailers that have been at all 'successful' of late have exploited security vulnerabilities that allow them to run automatically when their messages are read (or even previewed in Outlook Express). However, on Wednesday many at the conference awoke (or were awoken) to the news that Goner was spreading rapidly, quickly reaching a rate close to that of LoveLetter according to the gatherers of some of the prevalence statistics.
On the security side, the first Microsoft security patch for a couple of weeks has been released, fixing a script-handling error in Outlook Web Access for Exchange 5.5. Administrators of web servers running Macromedia's JRun should also check the recent security bulletins covering several flaws in that product. Finally, as personal firewalls become more popular, even in corporate settings, their users should be aware that the security and hacker communities have been busy poking holes in such products. Although none of the problems with outbound filtering described in the story below are known to have been used in existing malware, it seems unlikely that they will not be used in future malware. Users of such products should read the details and reconsider the value of those products in their current deployments.
Going, going, Goner
Almost as if to prove recent optimism that 'dumb' e-mail worms were largely a thing of the past, Win32/Goner.A@mm struck with a vengeance on Wednesday. Goner is a dumb e-mail worm -- it uses none of the various tricks that recent e-mail worms have used to aid their success and it depends on Outlook to do its mailing. Nimda, BadTrans and others have used browser security holes to automatically run when an e-mail message carrying them is read and most vaguely 'successful' recent e-mail worms have done their own emailing, meaning they could run on networked machines regardless of the installed e-mail client.
Goner arrives at a potential new victim's machine as an attachment to an e-mail message with a Subject: line of 'Hi' and a brief, chatty message recommending the attached screen saver to the reader. The attachment is named 'Gone.scr' and is really a compiled Visual Basic executable. If run, this first displays a bogus error message then copies itself to the Windows system directory, makes registry entries to run that copy at subsequent system starts and deletes program files from several common antivirus and personal firewall applications. If this file deletion fails, methods appropriate to the host operating system are used to have the files deleted during the next startup. Should the host run ICQ, Goner can distribute itself across the ICQ network, and if mIRC is installed it is configured, via mIRC's scripting language, to act as an agent in a DDoS network (machines running DDoS agents are often referred to as 'zombies').
Despite the lack of sophistication of its approach, Goner quickly established itself during the latter half of last week, and by Friday it was being seen in numbers unprecedented since LoveLetter. Some details of the rise (and fall) of Goner can be seen in the report on the MessageLabs page linked below. Note when looking at the MessageLabs statistics that the users of their e-mail scanning service are predominantly mid-sized and larger corporate sites.
Should you have to clean machines infected by Goner, be very careful to check that any antivirus and personal firewall software thought to be installed on the machine is working properly.
As final, late-breaking news, note that the writers of Goner have confessed and are in custody. The Israeli police announced on Saturday afternoon that four 15 and 16 year-olds were being held and could face three to five years in prison if convicted.
MessageLabs report on Goner's prevalence
Israeli youths confess to Internet attack - SF Gate News
Outlook Web Access scripting bug
Outlook Web Access (OWA) in Exchange 5.5 has been found to be vulnerable to potential scripting attacks via scripts embedded in HTML messages read by Internet Explorer through the OWA service. This flaw does not affect OWA in Exchange 2000. The effect of exploiting this vulnerability is that an attacker would be able to perform some actions in the OWA server with the permissions and identity of the e-mail user. Fortunately, such a script would not have access to the user's address book nor to any resources on the local machine.
Microsoft rates this vulnerability as being of moderate severity for Internet and intranet servers and as not applicable to client systems.
Note: Since the original version was posted, Microsoft has updated the security bulletin to include the important information that the patch only installs properly if Internet Explorer 5.0 or later is installed on the server. As the affected version of OWA will be installed on NT 4.0 servers, and best practice prevents the use of corporate servers for client applications such as web browsing, it is quite likely that host servers affected by this OWA bug will only have IE 4.0x installed. In such cases, IE on the server must be upgraded to a recent version _first_, before the OWA patch is applied -- a process that will require more downtime and reboots than just applying the patch.
Multiple JRun flaws in Macromedia Allaire
Macromedia has published security bulletins describing three vulnerabilities in various versions of JRun. The bulletins describe workarounds and/or patches to avoid or remove these vulnerabilities, which affect all platforms. The effects of these vulnerabilities vary, ranging from the ability to break out of the web root to the exposure of .jsp file contents to the client rather than running the script on the server.
Macromedia security bulletin:
Inadequate outbound filtering in personal firewalls
One of the reasons commonly given for using personal firewalls is that they offer detection of network-aware malware that is not yet detected by known-virus and known-Trojan scanning -- the technology used by all popular virus and Trojan scanners. Of course, to do this, a personal firewall has to intercept all outbound network traffic from all applications and identify whether the application is one that is 'authorized' to talk on the network. A recent posting to the Bugtraq mailing list demonstrated yet another method of bypassing outbound filtering.
'Yet another' because a month or so back a couple of methods of beating outbound filtering were publicized. Links to all of these are provided below. As this type of information becomes more widely known, it is likely we will see malware writers incorporating such methods into their programs, as we have previously seen them add methods to disable on-access virus scanners and personal firewalls. If you employ personal firewalls because they can block otherwise unknown, network-aware malware, you should now be re-evaluating that decision, as it is only a matter of time before the value of personal firewalls for this purpose is significantly reduced.
Beating outbound filtering of personal firewalls: