ISSN 1353-4858 September 2003
Incorporating E-Commerce, Internet and Telecommunications Security
Coming next month: Detailed MS Blaster & Nachi Analysis; Sobig Virus Analysis
Editor: Sarah Hilley. Senior Editor: Sarah Gordon. International Editorial Advisory Board: Dario Forte; Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, California University, Berkeley Lab; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact.
Editorial Office: Elsevier Advanced Technology, PO Box 150, Kidlington, Oxford OX5 1AS, UK. Tel: +44-(0)1865-843645. Fax: +44-(0)1865-843971. E-mail: [email protected]
News Analysis

Sobig family set to get bigger and badder

Sobig.g, the likely successor to Sobig.f, will not be as easily foiled as the last variant, experts warn. The Sobig.f virus was stopped in its tracks from delivering its traditional family virus payload, but Sobig.g will probably have a new, improved technique to get around any blocking measures. Sobig.f's attempts to download a Trojan on 22 August from a number of IP addresses, which were encrypted in the virus code, were cut short: the master servers at the specified IP addresses were shut down by ISPs before the date programmed for download by the infected Sobig.f machines. To wriggle out of this safety net in the future, "There will likely be more hacked 'master' servers in the next version, spread across many countries, and not enough time to have them all shut down," said Joe Stewart, a security researcher at Lurhq, who has written research papers on the Sobig family. The successive releases of Sobig show how the author seems to learn from his/her mistakes.
Continued on page 2...

Blaster variant writers busted

Authorities have closed in on two script kiddies for releasing variants of MS Blaster. A US teenager and a 24-year-old Romanian are accused of sending out versions B and F respectively. The virus authors who spawned the most serious worms, the original MS Blaster and Nachi, from the critical MS RPC DCOM flaw have yet to be caught. 18-year-old Jeffrey Lee Parson from Minnesota, US, barely touched the original worm code to allegedly infect 7000 computers with his variant. 7000 computers is a drop in the ocean compared to the hundreds of thousands hit by the original Blaster. Dan Dumitri Ciobanu is suspected of unleashing MS Blaster.F on a Romanian university, according to security vendor Bitdefender. As yet, no one has been brought to justice for the most damaging viruses. Microsoft and the US Department of Homeland Security warned about the imminent dangers of the RPC DCOM flaw, but big companies still got caught out by Blaster and Nachi.
Continued on page 3...

Contents

News Analysis
  Sobig family set to get bigger and badder ............ 1
  Blaster variant writers busted ....................... 2
  News In Brief ........................................ 2,3
Wireless Security
  Next Generation Wireless Security Tools .............. 4
Black Hat Report
  Black Hat Conference: Not just Hackers ............... 5
Cryptography Advances
  Unravelling Crypto Developments ...................... 7
Web Services
  Threats & Solutions to Web Services Security ......... 8
Spyware
  Spyware & Adware: the Risks Facing Businesses ........ 12
Spam
  Industry sinks teeth into spam ....................... 15
Incident Response
  Incident Response .................................... 17
Vulnerability Analysis
  The Big Picture on Big Flaws ......................... 19
Events ................................................. 20

Subscription Enquiries
Orders and Payments:
For customers residing in the Americas (North, South and Central America): Elsevier Customer Support Department, PO Box 945, New York NY 10010, USA. Tel: (+1) 212-633-3730 [Toll free number for North American customers: 1-888-4ES-INFO (437-4636)]. Fax: (+1) 212-633-3680. E-mail: [email protected]
For customers in the rest of the World: Elsevier Customer Support Department, PO Box 211, 1000 AE Amsterdam, The Netherlands. Tel: (+31) 20-3853757. Fax: (+31) 20-4853432. E-mail: [email protected]
To order from our website: www.compseconline.com
Subscription price for one year (12 issues): US$736/657 including first class airmail delivery, subject to our prevailing exchange rate. Price valid to end of 2003.
News ...Continued from page 1 (bottom)

MS Blaster

MS Blaster hit computers on 11 August and spread via the Internet instead of email. Although MS Blaster was bad, it could have been much worse. It basically installs the msblast.exe file and causes machines to reboot on their own. "Clean-up is easy," said Dr. Gene Schultz at University of California Berkeley Lab. "The impact is similar to either CodeRed or Nimda in that it doesn't really damage the machines, although Code Red and Nimda left a backdoor. This isn't leaving a backdoor," said Russ Cooper, Chief Scientist at security vendor TruSecure. Instead of hurting machine users, Blaster focused on targeting Microsoft with a denial-of-service attack on the Windows Update site on August 15. Microsoft was ready and waiting and had removed the DNS record for windowsupdate.com. So far there have been five Blaster variants.
Various factors contributed to letting the worm inside firewalls including roving laptops brought into the corporate network, patches not working and failure to install patches. See page 19 for a further analysis on the RPC DCOM vulnerability and why companies got infected.
Nachi

The wannabe, pacifist worm Nachi, or Welchia, went to work on Monday 18 August. Nachi, bizarrely, tries to clean MS Blaster from machines and install the Microsoft patch for the vulnerability. But instead of helping, Nachi only exacerbated the situation, clogging up networks with extra traffic and inflicting denial of service. As well as exploiting the RPC DCOM flaw, Nachi also targeted a WebDAV flaw (MS03-007) on machines running Microsoft IIS 5.0. Nachi came third in the August viral chart according to Sophos logged calls.
Virus Victims: Tip of the Iceberg
MS Blaster
 • Bank of Nordea, Norway
 • Houston Fire Department, US
Nachi
 • UK, Sussex Police
 • US Navy
 • Yorkhill Hospital, Glasgow, Scotland
 • Air Canada

Others

Autorooter, the first RPC DCOM worm to arrive, focused on Russia and barely caused a ruffle. Released in early August before MS Blaster, Autorooter can't self-replicate and is spammed in Russia and other ex-USSR countries. Autorooter installs a Trojan allowing the attacker to manipulate the victim machine. Raleka is another worm that exploits the DCOM RPC vulnerability, discovered on 26 August.
In Brief

SCO DOSED BY OPEN SOURCE ADVOCATE
The second denial-of-service (DoS) attack against SCO only stopped after protests from the Open Source Initiative (OSI) President, Eric S. Raymond. The attacker is reportedly an open source advocate. Raymond said: "he is one of us", reported Linux Today. SCO is claiming that some companies running certain Linux versions are breaching copyright and is now selling licences to protect organizations from running unauthorized Linux.

AMAZON CRACKS DOWN ON SPOOFING
Amazon is suing 11 online marketers for sending emails appearing to come from Amazon.com. David Zapolsky, VP and Amazon Associate General Counsel, said: "Spoofing is a problem faced by any company with a trusted domain name that uses email to communicate with its customers. It's not just spam; it's consumer fraud". So far Amazon has reached a settlement with Cyebye.com, banning it from sending emails using the Amazon brand without authorization. Cyebye.com also agreed to pay $10,000 in damages to New York state and keep records of all emails for the next two years.

SYMANTEC BUNDLES SPYWARE DETECTION
Symantec's latest anti-virus product, Norton Antivirus 2004, will scan for keystroke logging programs and spyware.

MS MAY TRY TO AUTOMATE PATCHING
Reports say that in the wake of MS Blaster, Microsoft is considering automating patching. Mike Nash, corporate VP of Microsoft's security business, said the company is "looking very seriously" at automatic patch downloads, as reported in the Washington Post.

GIANTS JOIN TO FIGHT ID THEFT
Microsoft, eBay, Amazon and Visa, among others, have set up the Coalition on Online Identity Theft. The plans include the release of education programmes for the general public and the promotion of technical guidelines for combating ID theft.

GOOGLE CAN'T LINK TO COPYCAT KAZAA SITES
Google has been ordered to remove links to sites offering unofficial copies of the peer-to-peer program Kazaa. Ironically, Kazaa used the copyright law, the Digital Millennium Copyright Act, to get other imitator P2P sites removed from the search engine.
3