IIS attacks and bugs and the worms that turned

Worm generator kit 'enhanced'; Magistr worm a fizzer?; Widespread hacker attacks against vulnerable IIS systems and a patch against IIS 5.0 denial of service

Of course the big security news of the last week had to be the FBI's NIPC releasing an advisory that Russian and Ukrainian hackers had been systematically hacking IIS e-commerce and e-banking web sites for months, stealing credit card data stored on those sites then attempting to extort payment from the site owners or administrators. Some of this credit card data was apparently sold or used by the hackers themselves for fraudulent purchase of goods from other sites. Of course, as anyone with a modest history in this area knows, such large-scale attacks are seldom due to the hackers exploiting previously unknown security vulnerabilities and this was the case in these attacks. The vulnerabilities the FBI found being exploited in the attacks they have documented are all "old", well-known, and well-publicized. In short, there is no excuse for sites to be vulnerable to such attacks and laziness or incompetence would be the main explanations for these sites being exposed to the possibility of such attacks.

Fortunately, the only Microsoft security vulnerability covered in this week's newsletter is not one that allows a remote compromise of the sort necessary for the kinds of attacks the NIPC reported. We also report on a couple more Windows worm developments.

Finally, please note that due to serious routing problems in parts of North America this morning, the newsletter compiler has not able to run the usual last-minute checks on the validity of many of the URLs included in this issue of the newsletter. We apologize in advance should any of them have mysteriously moved in the last day or two.

Virus News

Worm generator kit "enhanced"

There as been quite a deal of media attention paid to the Argentinian virus writer "[K]" (formerly known as "Kalamar") and his release last weekend of an "enhanced" version of his "VBS Worm Generator" kit. The previous release of this kit was used by a Dutch non-programmer going by the handle "OnTheFly" to create the VBS/SVBWG.J (or "Anna Kournikova") e-mail worm that made such a splash a few weeks back.

Unfortunately, much of this reporting has been rather sensationalized, reporting [K]'s own evaluation of the "improvements" he has made to this dubious "tool". Antivirus researchers were long-aware of the stream of VBSWG kits over the last few months -- it is very buggy and Kalamar (and more recently [K]) has been releasing updates that try to iron out some of the problems it has.

For example, after VBSWG.J was widely reported as being created with v1.50b of the VBSWG kit, about a dozen "new" VBSWG-generated "worms" showed up in antivirus researchers' mailboxes. Most were submitted by customers who received or found them in various places (many were posted to Usenet newsgroups in attempts to have them spread far and wide). However, ost of those "new worms" do not actually work, failing to even run because of VBS compiler errors. These errors are entirely die to the poor quality of code the VBSWG generator produces.

It was also widely reported that no antivirus software detected any of the worms generated with the new version of the kit. That was simply false from the get-go. Although several of the more popular scanners did not detect the "creations" of the new kit (as you would expect from known-virus scanners -- thy seldom detect "unknown" viruses), most had updates out within a day or two that did.

Aside from the general attention this development garnered, some of the online media outlets not only described the updated worm generator in rather glowing terms (again, often largely repeating [K]'s own opinion of his handiwork from the help file or his web page), but included hot-links to the kit from their articles. This deplorble behaviour should not be tolerated and you are commended to complain vigorously to any sites you notice engaging in such activities. Alan Paller from SANS said in the introduction to a recent SANS newsletter:

By announcing the Russian and Ukrainian extortion attacks the FBI has caused an extraordinary change in the opinions held by journalists and business folks. One journalist from a major business publication told me that he used to think of web attackers like the human spiders who climb up the sides of buildings. Now he thinks of them as criminals who need to be stopped. Similar conclusions have been voiced by other journalists. As they make the transition, they are likely to bring their readers with them and give improved security a boost.

Is it too much to hope that these same journalist may simlilarly be encouraged to stop lionizing the efforts of miscreants such as [K] and other recent "high profile" virus writers?

Instead of reporting that the Mayor of Sneek was talking of offerring OnTheFly an IT position, they should have reported that OnTheFly himself admitted he was not an IT expert and had no programming ability. Instead of lauding [K] for the "enhancements" to his worm generator, focus on the additional misery that its use can so easily inflict on others or remind readers that OnTheFly is awaiting trial because he chose to use [K]'s tool.

- News article

Magistr worm a fizzer?

Although not hyped as much as some, it seems some antivirus companies were trying to wind up the pressure on journalists to report the Win32/Magistr worm (also variously known as I-Worm.Magistr, W32.Magistr and PE_MAGISTR). Although this is a complex beast compared to most of the recent worms to make the news, it was also clearly not going anywhere. By the time the newsletter compiler saw or heard the first media reports of this "terrible new threat", he had long-since decided it was almost certainly a non-event.

Sure the virus was polymorphic, and the really geeky could maybe get excited about a new mechanism it used to generate its random numbers for seeding the polymorphic generator. And yes, it had some "really nasty" payloads -- just like the BIOS-trashing one from CIH and Kriz. But the bottom line was, despite being detected very early in its life and detection updates being distributed quickly, the real-time reporting statistics available from some of the large e-mail ASPs that provide e-mail virus scanning clearly showed that Magistr was not spreading.

Despite all this, the NZ representatives of at least one major antivirus vendor warned the media that Magistr was "spreading across Europe and expected to hit New Zealand today". Hello! Earth calling whacked-out PR zombies at [removed to protect the idiotic]. E-mail worms travel at "Internet speed". If the Internet ran on soggy bits of string with lots of knots in them, it might just take half a day for a mass-mailing worm to make it from Europe to NZ. However, with those nice pure copper cables and flash glass-fibres everywhere, it takes a few seconds.

Now, it takes the antivirus developers several hours to analyse a virus as complex as Magistr and to add reliable detection of it to their scanner (and I know for a fact the researchers at the developer whose NZ PR generated the above report worked on it for substantially longer than that). It also takes several more hours for the details of a new virus to make it from the researchers to the marketing and PR departments and be written up into a sufficiently scary sounding but not too inaccurate warning. And, it takes several more hours for the press release to be widely distributed (even if done so via e-mail) then on-reported.

Given these timing considerations, does anyone else see a small problem in the aforementioned warning?

(Or is your newsletter compiler getting too old and cynical?)

Next time you see or hear a news report that warns a mass-mailing virus is due to hit NZ "at some point in the future" ask yourself who will attain what benefit from this news story. Wonder whether the cogs and wheels that eventually brought that warning to your attention were really the best mechanism to get such a warning to whowever really needs to know that information (sometimes, just very occasionally, such a warning may be justifiable and useful, but that will be a lot rarer than than you see and hear now). If the likely answer to the foregoing is that a mass media news story is not a good or efficient way to get that information to those who need it, wonder what its real intention is.

- News article: [removed to protect the gullible]

Security News

Widespread hacker attacks against vulnerable IIS systems

The FBI's National Infrastructure Protection Center (NIPC) released an update to an earlier advisory, warning that it has investigated many cases of hacker break-ins to e-commerce sites running IIS. The attackers are exploiting old, well-known and long-patched security holes in IIS. Of course, that doesn't help any given server if the patches are not applied -- as Scott Culp, Security Program Manager of Microsoft's Security Response Center said in a recent e-mail message to a security community mailing list "If you haven't applied the patches for these vulnerabilities, please take the time to do it immediately."

One of the vulnerabilities reportedly being exploited is the veritably geriatric (in security terms) "ODBC Data Access with RDS" vulnerability, originally reported and fixed in July 1998. As the Microsoft security

bulletin MS99-025 says "This vulnerability originally was reported in Microsoft Security Bulletin MS98-004, issued July 17, 1998. It was re-released on July 19, 1999, to remind customers of the need to address the vulnerability." It seems some folk just never learn...

Finally, in an effort to ease testing of systems for the installation of the proper patches and updates, the non-profit Center for Internet Security (CIS) has released PatchWork -- a tool that tests IIS servers

for the holes known to be used in this apparently ongoing spate of attacks. It can be downloaded for free from the CIS web page below.

- NIPC advisory

- Microsoft "companion article"

- CIS "PatchWork" tool

Patch against IIS 5.0 denial of service

The WebDAV extensions to the HTTP protocol, installed by default with IIS 5.0, render their hosting server vulnerable to a trvial denial of service attack. The attack is due to the incorrect handling of specially malformed WebDAV URLs. A deliberately crafted stream of such malformed URL requests could easily be submitted to a vulnerable server, causing a CPU exhaustion denial of service. When such URLs stopped being submitted the machine would recover and return to normal service.

This attack was publicly disclosed just after the previous newsletter was put to bed (Isn't that alays the way? What is it with Fridays and the release of security vulnerabilities and viruses?) and Microsoft

quckly released a security bulletin advising of a workaround to prevent an IIS server being vulnerable (disable WebDAV!). For those sites that need WebDAV, the Microsoft security bulletin has been updated and a patch is now available to remove this vulnerability.

As the exploit was publicized, it is advisable that all IIS servers running WebDAV be patched. Microsoft also advises its customers that IIS 5.0 (and hence WebDAV) may be installed on machines they do not consider to be IIS servers, such as Exchange 2000 servers -- check your machines carefully...

- Microsoft Security Bulletin

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about FBIMicrosoftNIPCScott Corporation

Show Comments