The IT world seems to have survived the arrival of the real new millennium without a hitch... And, after a suitable break we're back to cataloguing (and commenting upon) issues of interest and importance from the realms of computer virus and security. Due to the length of the break and the activity during it, the first couple of Virus & Security Watch newsletters this year will cover a small backlog of important
updates issued while we were away plus, of course, the most topical of the past week or so.
This week we note that while the newsletter was away, the Hybris worm seems to have become particularly widespread and briefly recap some of its most salient features. And while talking about viruses and worms, we mention the hype surrounding the recent Davinia non-event, clear up the
confusion and errors surrounding the recent reporting of a "new" Melissa variant and touch on the Ramen worm for Linux.
On the security front, Microsoft rounded out its Security Bulletin count for the year 2000 to exactly 100, releasing four bulletins between the issuance of our final newsletter of 2000 and New Year's Eve. We will focus on several NT/Windows 2000 server updates from that period.
Finally, there have been several issues surrounding other vendors' software, much of which is widely used in large web servers. Issues with InterBase and Oracle databases, and the popular PHP server scripting - to mention a few - will be in this and next week's issue.
Melissa rides again
Late last week, there was intense IT media coverage of a "new" Melissa macro virus variant. Fortunately, the interest -- like the outbreak itself -- was brief. Unfortunately, nearly everything written and said about the incident was wrong or seriously misleading.
The facts are simply that an approximately year-old variant (W97M/Melissa.W) had been seen at several sites (mainly in Europe and mainly in the UK at that). Being a year old means it is ancient history in antivirus terms. The "problem" was that the virus was in a document in Macintosh Word 2001 format and several popular virus scanners had not been updated to handle this file format. Many macro viruses do not work when infected documents are opened in the Macintosh versions of Word,
but Melissa.W does. Its mass-mailing payload does not, but the parasitic infection part of its code does work, so Melissa.W will infect a Mac Word 98 or 2001 installation and then infect most documents created or edited there.
However, the Word 2001 file format was subtly, and unintentionally, changed. Microsoft was apparently unaware of this until some antivirus researchers pointed this out, and Microsoft responded that it had
changed the compiler used to build the product between the Office 98 and 2001 versions. The file format was supposed to be the same but a field in one of the many data structures changed from a DWORD (four bytes) to a WORD (two bytes). Due to the nature of this field, the change did not affect interoperability between Word versions and it went undetected during pre-release testing.
Unfortunately, that field is crucial to several antivirus products for finding the compiled versions of any macros that may be present in a document file. Products dependent on that field were thus prevented from finding viruses in Word 2001 documents. It also seems Macintoshes are less likely than PCs to have antivirus software installed and kept up to date -- this is partly because of a naive belief on the part of system administrators that "viruses are a PC problem". That is a problem in itself, but with Melissa it is compounded.
When a Melissa-infected document is opened in a clean Word environment that supports its mass-mailing feature (a Windows 9x/ME/2000 or NT machine with Outlook 98 or later installed and configured for use), the document that is sent out as the e-mail attachment is that initially infective document. Thus, when a Melissa-infected Mac Word 2001 document arrived at a Windows machine it would have been missed by that machine's antivirus software if that software was one of the products affected by the change in the Word 2001 file format. If the user allowed the macros to run, copies of the Word 2001 document would be sent to the addresses selected from the user's address books and the whole cycle would be able to repeat so long as a copy of the document reached a user
without antivirus software or with antivirus software that was affected by the file format change.
There were many other errors in the reports of this virus. There was much confusion as to which variant it was, with Melissa.W and Melissa.X (or Melissa-X) being widely reported, and some reports even claimed it was one of the Assilem variants, which was most odd as the Assilem viruses are not mass-mailers. Also, to the extent that Macintosh issues were mentioned at all, many of the reports said (or strongly implied) that this was only an issue for users of Macintosh versions of Word, which was 180 degrees out of kilter. The facts that this was an old variant and that the real problem was a failure of virus scanners to properly handle the new Word 2001 format were buried in, but more commonly completely missing from, these reports.
Some interesting statistics on macro viruses in e-mailed Word 2001 documents are available from the MessageLabs site below.
-- MessageLabs report on Word 2001 viruses
Two weeks ago, Spanish antivirus vendor Panda Software made a press release describing a terrible new e-mail worm that spread from a web page. The reports glossed over the fact that in having the web site closed down (the responsible thing to do) the company had eliminated the threat, and went on to describe the ruination the file-deleting payload of the worm could do to affected systems.
Panda did not supply samples of the worm to other antivirus developers so they could issue updates to their own products. This did not happen despite Panda's membership in two semi-formal groups set up to engender just this kind of cross-vendor cooperation over perceived "crisis" events such as the outbreak of new mass-mailing viruses, which Davinia most definitely was. Panda's membership in both those groups was suspended for a one-week period as other members of the antivirus research
community expressed their dissatisfaction with Panda's handling of this issue.
Hybris infections on the rise
We reported back in mid-November that reports of infections of the Hybris worm were increasing. Well, they kept increasing after that and continued to do so right through the holiday period. Hybris is a very
complex program and with its ability to update its functionality and add new functions through several network-aware processes, it has proven too much for many people. For example, it is common to hear people talking about "the Snow White virus" and "the spiral virus". In reality, these are references to two features of Hybris -- some of the e-mail messages it sends itself out as feature a short story about Snow White (presented in English, French, Spanish or Portuguese depending on the language setting of the machine it sends the message from) and some copies of the virus have a plug-in that displays an annoying (and very difficult for naive users to stop) rotating spiral that "covers" much of the screen.
My tone probably suggests to regular readers that I see a problem in this. Well, I do. The problem is that both those features are ephemeral. Due to its updatable plugins, those features of the virus are
variable at best and neither is guaranteed to be part of any given infection. It is also not uncommon to see lists of the e-mail Subject: lines Hybris uses -- the bad news there is that plugins which send the
virus out with new Subject: lines can be (and are being) written all the time, and there is at least one plugin that will send the message with a blank Subject: line. There is nothing wrong with e-mail administrators filtering out messages arriving at their mail servers based on the known, identifiable Hybris Subject: lines, but if you do this please be aware that it is not protection per se -- it is just a simple method of preventing some instances of the virus reaching your users.
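To make the caveat above concrete, here is an added example (not from the newsletter or any vendor) of a mail-server Subject: filter run over three constructed messages; the Subject: lines in the list are placeholders, not the real Hybris catalogue, and the point is that a copy sent by a blank-Subject: plug-in passes straight through.

```python
import email
from email import policy

# Catalogued Hybris Subject: lines, normalised to lower case.
# Constructed placeholders for this example, not a real list.
KNOWN_HYBRIS_SUBJECTS = {
    "snowhite and the seven dwarfs - the real story!",
    "blanche-neige et les sept nains",
}

# Three constructed messages: a Hybris copy using a catalogued Subject:,
# a copy sent by a plug-in that leaves Subject: blank, and ordinary mail.
SAMPLES = {
    "catalogued": (
        "From: someone@example.net\nTo: user@example.com\n"
        "Subject: Snowhite and the Seven Dwarfs - The REAL story!\n\n"
        "Once upon a time...\n"
    ),
    "blank_subject": (
        "From: someone@example.net\nTo: user@example.com\n"
        "Subject:\n\n"
        "Once upon a time...\n"
    ),
    "legitimate": (
        "From: colleague@example.org\nTo: user@example.com\n"
        "Subject: Minutes of Monday's meeting\n\n"
        "Attached as discussed.\n"
    ),
}


def subject_of(raw):
    """Return the Subject: header of a raw RFC 822 message, normalised."""
    msg = email.message_from_string(raw, policy=policy.default)
    return (msg["Subject"] or "").strip().lower()


def is_known_hybris_subject(raw):
    """True only when the Subject: exactly matches a catalogued line."""
    return subject_of(raw) in KNOWN_HYBRIS_SUBJECTS


def filter_mail(samples):
    """Split messages into those the filter blocks and those it passes."""
    blocked = {n for n, raw in samples.items() if is_known_hybris_subject(raw)}
    return blocked, set(samples) - blocked


if __name__ == "__main__":
    blocked, passed = filter_mail(SAMPLES)
    print("blocked:", sorted(blocked))
    print("passed (desktop antivirus still required):", sorted(passed))
```

Only the message with a catalogued Subject: is stopped; the blank-Subject: copy reaches the user exactly as the text warns.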
Ramen worm strikes many Linux systems
And now for something completely different... The CERT Coordination Center announced last week that it had been informed that several Linux systems had been compromised by the Ramen worm. Analysis of recovered samples of the worm kit showed that it attempted to exploit three well-known (and long-since patched) vulnerabilities in services commonly installed in popular Linux distributions. More details and links can be found at CERT's web site.
Windows Media Server 4.01 & 4.1 update
Microsoft has released an update for Windows Media Server (WMS) versions 4.01 and 4.1 to patch the "Severed Windows Media Server Connection" vulnerability. This vulnerability is a resource leak, which means an attacker could send a specially crafted sequence of packets across the network to an unpatched WMS machine, eventually causing serious performance degradation. Details and patch availability information are available from the usual place.
Indexing Services ActiveX control allows file reading
An ActiveX control installed with Index Server 2.0 (from the NT 4.0 Option Pack) and with Indexing Services 3.0 (Windows 2000) is incorrectly marked safe for scripting. This means Internet Explorer 4.0
and later users surfing the web or reading HTML e-mail on a machine with the indexing services installed can have details (or even contents) of their local file systems divulged through a scripting attack involving use of the faulty ActiveX control. The last time I could check, patches had only been made available for Indexing Services 3.0 (most Microsoft sites have had sporadic connectivity due to DNS problems the last few days).
"Configure Your Server" wizard update
The "Configure Your Server" tool sets a blank password for the Directory Service Restore Mode if it is used to promote a newly installed server to domain controller status. An attacker with physical access to the server could boot it into Recovery Console or Directory Service Restore Mode and access the system without a password. More details are available from the usual place.
"Web Form Submission" DoS on IIS
Maintainers of IIS 4.0 and 5.0 systems with FrontPage Server Extensions should install the following updates as soon as practicable if they have not already. The IIS service can be crashed by a remote user submitting a suitably crafted form submission to the server. A simple script to repeatedly do this could create an effective DoS against a vulnerable server.
InterBase backdoor account
The CERT Coordination Center released an advisory on 10 January, pointing out the discovery of a hard-coded backdoor username and password in the popular InterBase database product. The former Inprise (Borland) product was recently released as an open-source project and this backdoor was found during code review of that project. All Borland/Inprise InterBase 4.x and 5.x, open source InterBase 6.0 and 6.01 and open source Firebird 0.9-3 and earlier versions of the database are affected by this.
This was not a bug but a "design feature", deliberately introduced by the original developers of the product.
The backdoor account and password cannot be modified through any user interfaces, so now that they are known, any accessible database should be considered compromisable. Users of affected software versions that are networked should ensure that remote access to the database port (the default is port 3050 but this is configurable) is blocked by appropriate firewalling. Patches are available -- see the CERT advisory for details.