In case you haven't already heard, the big IT security news this week has been the explosive outbreak and spread of the e-mail worm BadTrans.B. This is a variant of a worm that made no significant impact earlier this year, and as is usually the way with these things, some measure of 'luck' was necessary for it to take off. Other than BadTrans though, things have been very quiet on both the virus and security fronts, with the only other issue of note worth reporting here being the serious flaw discovered in WU-FTPD -- the FTP server that is very widely used across most Linux distributions. Since it has otherwise been a quiet week (unless you were dealing with BadTrans!), some light reading around the FBI's reputed new spy tool, Magic Lantern, is included.
BadTrans on the rampage
In the 20 April, 2001 issue of this newsletter, we mentioned in passing an e-mail worm named Win32/BadTrans. It made so little impact that we did not even mention anything about how it worked or what it did. This week a second variant has not only been discovered, but managed to strike a lucky break and has become extremely widespread.
Despite not employing any fundamentally 'superior' code or spread mechanisms relative to its forebear, Win32/BadTrans.B has really exploded, starting last weekend when it infected the helpdesk of the very large UK ISP, BTopenworld. Because BadTrans monitors its victim's e-mail in-box, running on an ISP's helpdesk during a weekend gave it the e-mail addresses of a significant number of potential new victims. Further, the virus sends copies of itself as apparent replies to messages in its victims' in-boxes, normally using the current victim's e-mail address as the From: address in its messages. This potentially exacerbates things at the intended new victim's end, because if they are 'expecting' a reply to their message, they will be less suspicious, and this would normally be the case with e-mail sent to a helpdesk.
Aside from the e-mail trickery of monitoring in-boxes and replying to unread messages therein, BadTrans.B also exploits the old 'incorrect MIME header' vulnerability in Internet Explorer (originally warned of in the issue of this newsletter the week before we mentioned BadTrans.B's progenitor). That vulnerability causes specially formed HTML e-mail messages to have attachments automatically decoded and executed by the simple act of reading a message in Outlook and Outlook Express (and in the latter e-mail client, even just previewing such a message causes such attachments to be executed). Because home and small business users are less likely to use mail servers that strip arbitrary attachments (as so many large corporate e-mail servers are now configured to do) and because such users are less likely to keep their applications and systems patched (despite the inclusion of Windows Update in Windows 98 and later versions), these users have been especially badly hit by BadTrans.B.
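Added here as an illustration, not code from the newsletter or from any product it mentions: a Python check in the spirit of the gateway attachment-stripping the paragraph describes. It flags MIME parts whose filename has an executable extension, and separately calls out the case where the declared Content-Type claims the part is something innocuous. The sample message, its addresses and the audio/x-wav label are constructed for the demo.

```python
import email
from email import policy

# Illustrative (not exhaustive) extensions a gateway should treat as executable
# whatever Content-Type the sender declared for the part.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")
# Content-Types a well-behaved mailer would use for an executable attachment.
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}

def classify_part(part):
    """Return a reason to strip this MIME part, or None if it looks safe."""
    filename = part.get_filename()
    if not filename or not filename.lower().endswith(EXECUTABLE_EXTENSIONS):
        return None
    declared = part.get_content_type()
    if declared in EXECUTABLE_TYPES:
        return f"executable attachment {filename!r}"
    # The mismatch the vulnerability depends on: executable content labelled
    # with an innocuous type so a vulnerable client decodes and runs it.
    return f"executable {filename!r} declared as {declared}"

def find_dangerous_attachments(raw_message):
    """Parse a raw message and list every part a gateway should strip."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if not part.is_multipart():
            reason = classify_part(part)
            if reason:
                findings.append(reason)
    return findings

# Constructed sample: an HTML body plus an executable attachment whose MIME
# part claims to be audio. The attachment content is a harmless dummy string.
SAMPLE = b"""From: helpdesk@example.invalid
Subject: Re: your support request
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>Please see the attached file.</body></html>
--b1
Content-Type: audio/x-wav; name="README.DOC.pif"
Content-Disposition: attachment; filename="README.DOC.pif"

not an executable, just sample bytes for the demo
--b1--
"""
```

Running find_dangerous_attachments(SAMPLE) reports the .pif part as executable content declared as audio/x-wav; a gateway would strip or quarantine it rather than rely on every client being patched.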
To get some feel for the severity of this outbreak, look at the MessageLabs virus statistics linked below. The first URL takes you to the 'last 24 hour' chart and the second link to the 'whole of November' chart. Note that SirCam has regularly been the highest featuring virus of late, and in just over 4 days (when this was written), BadTrans.B has eclipsed the number of SirCam detections for the whole of the month. You should note when looking at MessageLabs' statistics that although it has customers all round the world, MessageLabs' clientele is quite heavily UK and European biased, so its statistics may be more 'spectacular' than those from other online monitoring points that have different biases. This is not to say that BadTrans.B is only a UK or European problem though -- many, many cases have been reported outside of the UK and Europe, including many in New Zealand, but the 'eye of the storm' has been somewhat centred in Europe.
Note that if you are yet to apply the security patch that fixes the vulnerability BadTrans uses, you have to be very careful about the options you use, depending on the installation of IE you have and the patch/upgrade path you take. This is described in the Microsoft security bulletin. In general, you will be better off upgrading to at least IE 5.5 or 6.0 and applying all subsequent service packs and/or patches.
Although some earlier versions of IE can be patched to avoid this vulnerability, there are several newer, serious vulnerabilities that have been uncovered since IE 6.0 was released, so Microsoft has only provided patches for IE 5.5 and 6.0 under its usual 'current and previous version' rule.
Finally, regardless of your IE version, you really should put Outlook and Outlook Express in the 'Restricted Sites' security zone _and_ tighten the settings on that zone so as to disable all scripting, ActiveX and file download activity. Well-behaved e-mail messages should never need to do any of those things, so disable them so 'badly behaved' e-mail cannot!
Various antivirus vendor descriptions:
BTopenwoe emails virus to customers - The Register
Magic Lantern hocus pocus
Several media reports this week have mentioned that the FBI is developing something called Magic Lantern -- a 'virus' that installs a key-logger on suspects' computers so the FBI can capture passwords to encrypted files and the like. What has been described does not, in fact, sound at all virus-like (no self-replication) but may fall into the realm of Trojan Horses. Some reports suggest that Magic Lantern may be installed via remotely exploitable security vulnerabilities, or by having acquaintances of the suspect who are cooperating with the FBI e-mail Magic Lantern to the suspect, and so on. Many complex legal issues surround these ideas, and the question of whether or not antivirus developers would cooperate with the FBI by deliberately not detecting Magic Lantern has been raised. Links to some news articles touching on these issues are included for your further reading.
FBI snoop tool old hat for hackers - CNET.com
FBI software cracks encryption wall - MSNBC.com
AV vendors split over FBI Trojan snoops - The Register
WU-FTPD updates for multiple platforms
The popular Unix and Linux FTP daemon from Washington University, WU-FTPD, has been found vulnerable to a remotely exploitable bug that may allow running of arbitrary code. Such code would run with the privileges of the daemon process, usually root. This vulnerability is the result of an unfortunate combination of bugs and failures to handle unexpected (or 'exceptional') conditions. Researchers who uncovered the vulnerability were working with the WU-FTPD developers and multiple system vendors to ensure that all affected versions were properly patched, updated RPMs ready and the like, but Red Hat Linux prematurely released an announcement of the availability of its fix for the problem earlier this week, prompting the public disclosure of the vulnerability by CORE Security Technologies.
Several vendors other than Red Hat have already posted RPMs, and source code patches against the official v2.6.1 source tree are available from the WU-FTPD site (link below).