Outlook and IrDA patches for Windows, urgent OpenView/NetView patches, really fast worms

Offensive hype?; Beware e-mail bearing antivirus software; Fifteen minutes of fame...; Patch released for serious Outlook security hole; and more

Although not reported in any further details below, a couple of new CodeRed variants, both very closely similar to CodeRed.C (aka CodeRedII) have been identified in the last 48 hours. The first, CodeRed.D, is essentially a copy of CodeRed.C with its "Am I here?" test changed. This means CodeRed.D can infest machines already running CodeRed.C. There is some debate in technical circles whether the second 'variant' should be considered a real variant or not as the only changes in it are in areas that are part of the HTTP GET request that causes the buffer overflow, delivering the worm's code to the vulnerable server. The code that is actually run as a result of the overflow is just the CodeRed.C code. And a final note about CodeRed -- from network monitoring of CodeRed infestation attamepts, it seems that CodeRed.C and CodeRed.D, with their 'drop some file-based code and reboot' approach have all but entirely wiped out active CodeRed.A and CodeRed.B infestations.

Aside from those developments, Microsoft has released a patch for an ActiveX problem in Outlook that was initially reported a month ago. Even if you applied the 'administrative workaround' at the time MS01-038 was released, you should obtain the patch and install it. There is also a patch for a BSOD and system restart problem with IrDA under Windows 2000, and potentially serious remote code execution vulnerabilities in HP OpenView and Tivoli NetView.

On the virus front there is nothing especially significant, but watch for a self-mailing 'antivirus virus' and some hyped claims about a non-spreading JavaScript Trojan Horse. And, in the 'Fifteen minutes to fame...' item, we point you to a couple of interesting discussion papers discussing really fast spread worms -- ones that theoretically make CodeRed look decidedly tardy.

Virus News

Offensive hype?

A simple Trojan Horse that seriously messes up Windows configuration options has been given a rather higher than deserved threat rating on at least one antivirus developer's web page. Known as JS/Offensive (and Trojan.Offensive) this Trojan, apart from its configuration-changing damage, also contains and displays highly offensive comments about Japanese people. However, this JavaScript code, which is embedded in a web page or HTML e-mail message, is not self-spreading and thus not likely to affect many people.

Beware e-mail bearing antivirus software

Four weeks ago we warned you about a parrot screensaver, the following week it was a warning about a game with peaches, and then we pondered what would be next. Well, last week there was nothing of that kind to report, but this week several antivirus vendors have been warning about a self-mailing 'antivirus virus'.

Ignoring the ancient debate about whether an antivirus virus is a bad idea or not (the vast weight of informed opinion is that it is a bad idea), Win32/Allgro (aka Win32/Atrius) uses the common MAPI e-mail interface to send itself to others with a Subject: line of 'New antivirus tool' and a message that reads 'Hey, checkout this new antivirus tool which checks your system for viruses'. It attaches a copy of itself as 'antivirus.exe'. If run, the attachment copies itself to a file and sets that to run at each system start. When run at startup, it searches for various files associated with a few widespread viruses and Trojan Horses and deletes them. Unfortunately, it is rather liberal in its determination that a file is part of a virus or Trojan and may well delete important configuration files for some popular programs.

Several antivirus vendor descriptions: antivirus.com, sophos.com, sarc.com

Fifteen minutes to fame...

'In the future everyone will be famous for fifteen minutes', or so Andy Warhol is (in)famous for predicting. The CodeRed worm has certainly had more than its fifteen minute's worth, at least if fame is reliably measured in media airtime and column inches. A large part of this fame is due to the surprising speed with which it infested a substantial number of machines, variously claimed to be in the 200-400,000 range.

Reflecting on that speed Nicholas Weaver, a computer science student at Berkeley, proposed that infecting a similar number of machines should be fairly easily achieved in the range of eight to fifteen _minutes_, rather than the eighteen-plus hours the 'fixed' version of the original CodeRed took, or the twelve or so hours it took the 'improved' victim-finding approach used by CodeRed.C (aka CodeRedII). In light of Warhol's famous quote about fame, Weaver dubbed such fast spreaders 'Warhol Worms'. Weaver's analysis assumes a few things that are obviously in favour of the worm's distribution, such as the ability of its writer to map a reasonable number of hosts likely to be vulnerable before releasing the worm. However, part of the speed 'improvement' he describes is due to a 'divide and conquer' approach to finding new victims, rather than having each instance of the worm attack the entire Internet address space.

Building on the Warhol Worm analysis, Stuart Staniford and others from Silicon Defense, claim that some minor 'improvements' to Weaver's approach could, theoretically, see a similar number of machines infested in less than thirty _seconds_. Subsequent discussion has shown that some very heavily congested network segments may limit the effectivenmess of such a 'Flash Worm' to perhaps 'only' infesting 90-95% of the total population in such a short timeframe, but that is scarcely consoling.

More details of what we may see in the future are avilable from the full papers discussing these issues (but note the Warhol Worm paper was sporadically unavailable, with the Berkeley server reporting access permission problems, while testing URL availability prior to posting the newsletter this morning).

- Warhol and Flash worm papers

Security News

Patch released for serious Outlook security hole

Five issues back the newsletter reported on a very serious new vulnerability affecting Outlook 98, 2000 and 2002. At the time, Microsoft offered an 'administrative workaround' -- tightening the (pathetic) default security options in Outlook. Now patches for Outlook 2000 and 2002 have been released to address this issue. As Outlook 98 is no longer supported by Microsoft, there is no patch for that version so Outlook 98 users will have to make do with the so-called administrative workaround (which the newsletter compiler recommends as a minimum security measure for Outlook anyway, regardless of the existence of this security hole).

- Microsoft security bulletin

IrDA DoS against Windows 2000

Microsoft has released a patch fixing a newly discovered DoS against Windows 2000. It is possible to overflow a buffer in the code that handles certain packets of the IrDA (Infrared Data Association) protocols. This overflow is believed to not be exploitable for running arbitrary, attacker-supplied code, but it can easily cause an access violation resulting in a BSOD and a system reboot.

Aside from installing the patch from the location below, an effective workaround is to entirely disable the IrDA device(s) on a Windows 2000 machine via the Device Manager. Just disabling IrDA communication is insufficient, as that leaves the port active and 'listening' (or is that 'watching'?) and thus able to receive a packet that can cause the overflow and system crash. The severity of this vulnerability is lessened by the inherently short range and 'line of sight' requirements of infrared communications.

- Microsoft security bulletin

Remote command execution via HP OpenView and Tivoli NetView

These system and network management products have vulnerabilities that leave them open to running remotely specified commands. Either in their default, or commonly encountered user-, configurations OpenView and NetView can be vulnerable to running local commands at the behest of a remote user and doing so as the user under which the SMTP monitoring service runs. Depending on the product and host OS, this is often an administrative user, or at least a user with enhanced security rights.

CERT/CC has released an advisory on this issue, which links to vendor web pages with patches for these problems.

- CERT/CC advisory

Losses due to cybercrime

Further to some recent stories we have covered on the prosecution and sentencing of some 'cyber crimes', we thought you may be interested in the list of some such US convictions maintained by the Computer Crime and Intellectual Property Section (CCIPS) of the US Department of Justice. Note that this list is not presented as a comprehensive list of such cases, but it tallies claimed losses (where available) and the sentences handed out (for cases that are settled).

- CCIPS computer intrusion cases list

Don't believe all that you read

Sage, even boring, advice, but...

It seems that BBC 'technology correspondent' Mark Ward was taken in by the marketing guile of Symantec's UK managing director, Aled Miles. In the 'news' article linked below, Ward has filed what is essentially a thinly disguised advertisement for Symantec's personal firewall software, or for such software in general.

Read for yourselves and see how the FUD factor is laid on thick. For example, the implication that what are really just harmless probes for listening services (and ones that should not be there in the first place anyway) are a major threat is heavily emphasized. It is made to sound all the scarier with the inclusion of some statistics about how often such probes were detected in a survey. Of course, statistics never lie which is why journalists like them and why marketing folk are so keen to supply them... Further, note that harmless probes for the existence of SubSeven servers (at least, 'harmless' on machines that are not running SubSeven on a tested port) are described as attempts to install SubSeven which is quite a different thing and does not come in a form that personal (or any other) firewalls will normally detect or prevent.

The term 'edu-tainment' has already been coined, but what about 'news-vertisement'?

The reality is that personal firewalls are useful for some segments of the population, but not for the reasons expounded in the article.

- News article

Join the newsletter!

Error: Please check your email address.

More about BBC Worldwide AustralasiaCERT AustraliaDepartment of JusticeHPInfrared Data AssociationMicrosoftSageSilicon DefenseSymantecTivoliUS Department of Justice

Show Comments