Computer Knowledge Newsletter – August 1998 Issue

In This Issue:

Virus News

Macintosh Viruses Coming Back. Proving that even virus writers are “market driven” it’s interesting to note that with the Macintosh taking another stab at generating market share, all of a sudden we see a number of new Macintosh viruses.

The old standby MDEF has shown up again in a new variant that is supposed to be able to change itself to evade detection. Also, new variants of the AutoStart Worm are being reported.

As with PC viruses, if you run a computer you should have anti-virus software; AND, you should keep it up to date.

Back Orifice. Much has been made of a network administration utility called Back Orifice (a play on Microsoft’s Back Office) published by the group Cult of the Dead Cow (cDc). After discussion, most anti-virus companies have classified this program as a Trojan and have added detection of it to their AV programs. Technically, Back Orifice is not a Trojan, as it does exactly what it says it does; however, because it installs silently, can’t be easily detected once run, and potentially allows a remote user to take complete control of your computer without your permission, the AV companies felt users should be able to be warned when it is on their system.

BO is distributed as several programs and documentation. It was released early August 1998. The programs run on Win95/98 only right now (an NT version is promised). Indications are BO can be attached to other executables in the same style as viruses. When run, BO silently installs itself (you can’t even see it in the task list) and, when the computer is connected to a TCP/IP network (e.g., the internet) it sits in the background and just listens. What it’s listening for are commands starting with *!*QWTY? from a remote computer. The commands themselves are encrypted. When a command is received BO is capable of many things; some benign, others quite destructive and/or intrusive. A short list includes: computer info, list disk contents, file manipulation (including updating itself!), compressing & decompressing files, get and send cached passwords, terminate processes, display messages, access the registry, plus store and send keyboard input while users are logging into other services. BO even supports HTTP protocols and emulates a web server so others can access the user’s computer using a web browser. If that’s not enough, BO can expand its abilities using plug-ins (which, of course, it can be commanded to download to itself).

As evil as I’ve made Back Orifice sound, it has legitimate uses for network maintenance and even functions in a manner similar, although much more extensively, to various remote control utilities (e.g., Carbon Copy). The main difference is that they make themselves known while BO completely hides itself.

You probably want to know if Back Orifice is on your system so keep your AV software up to date and make certain detection of programs like it is turned on (e.g., Dr. Solomon’s, as one example, does not detect such programs out of the box; you have to turn detection on if you want it). cDc claims 35,000 downloads in the first week of release.

Microsoft has released a security bulletin on BO that fairly well dismisses the program. The cDc have released a point-by-point rebuttal of Microsoft’s bulletin. For a bit of entertainment, take a look at: Link

General Security

Human Security. You’ve got your firewalls in place. You have set up web proxies. Everything is regularly backed up. Your security is set and you can relax, right? Not really. There is still the human factor.

Consider this approach reported in PC Week and summarized here.

A bank had three firewalls and hired a security consultant to break in. The consultant first located general info about the bank on the internet (address, officers, etc.). Next he convinced an executive’s secretary to give out the executive’s ID number by posing as a human resources employee. Using that ID, he next talked human resources into reading him a list of new employees and their IDs. Finally, he called the new employees posing as an IS employee and bluffed several of them into giving him their log-on and password. Bingo, instant access; firewalls notwithstanding.

The human factor cannot be ignored in security; it’s often the weak link. Yet, often managers only concentrate on the technology. And, unfortunately, there is no checklist one can follow; a certain amount of common sense needs to be followed. In the example above, no employee should have given out their log-on ID or password to someone calling them. Also, the secretary should not have given out the executive’s employee number; particularly to someone from human resources since they issued it!

E-mail Security Concerns. This was the month for E-mail security concerns. Netscape and Microsoft led off with Eudora bringing up a fast third. All of the problems revolved around much the same thing: an old ploy where someone can overrun a buffer and, in so doing, possibly insert a pointer and then executable code into the computer.

In simple terms, think of memory as a long line of little boxes, each containing an instruction, some data, or a pointer to either instructions or data. Further understand that the computer’s brain, as powerful as it is, usually only does one thing at a time. Because of this it has to switch between tasks when running a program. When it makes this switch, certain information (including the pointer to where the original task left off) gets pushed onto a stack (a line of those boxes); a portion of the other task is performed, with its own information pushed onto the stack and popped off again, and then the saved information is used to continue the original task. This switching takes place constantly. Now, consider the possibility of interrupting this process, inserting rogue code into the computer, and replacing pointers to real code on one of the stacks with pointers to the rogue code. That’s effectively what these E-mail attacks could, in theory, do. The programs allowed a long string to be used for attachment names; too long a string. Properly formatted, the string could overlay the memory boxes that held the attachment name and a stack of pointers. The new pointers would then point back into the string where, instead of an attachment name, there would be executable code that the computer would run. It’s an old problem.

Please note the theoretical nature of the above discussion. It is very difficult to actually perform the actions described above and, outside of a laboratory demonstration, nobody can come up with examples of it ever happening with any of the E-mail programs affected. It’s also relatively easy to counter this threat and all affected programs have issued updates or update patches. If you’re worried, please update your program(s).
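The bug class described above comes down to a fixed-size buffer filled by a copy that never checks the size. The following C program is an added illustration, not code from any of the affected mail clients: it parses the filename out of a constructed Content-Disposition header into a small stack buffer, shows the unbounded copy that causes the overrun next to a bounded copy that rejects over-long names, and feeds it one ordinary header and one with a name far longer than the buffer. The buffer size, header samples and function names are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Largest attachment name this demo keeps, including the terminating NUL.
 * Hypothetical size chosen for the example. */
#define NAME_MAX 32

/* The pattern behind the overruns: a fixed-size buffer filled by a copy with
 * no bound. A name longer than NAME_MAX-1 bytes runs past the end of `dst`
 * into whatever the caller keeps next on its stack (saved pointers included).
 * Shown for contrast only; this demo never calls it with untrusted input. */
void copy_name_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: the copy is limited by the destination size, and an
 * over-long name is rejected rather than silently truncated, so the caller
 * can drop or quarantine the message. Returns 0 on success, -1 if it fits
 * only by overrunning. */
static int copy_name_bounded(char *dst, size_t dstlen, const char *src, size_t srclen)
{
    if (dstlen == 0 || srclen >= dstlen) {
        if (dstlen)
            dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* Pull the quoted filename out of a header line such as
 *   Content-Disposition: attachment; filename="report.txt"
 * Returns 0 on success, -1 if no quoted filename is present,
 * -2 if the name is too long for `out`. */
int extract_attachment_name(const char *header, char *out, size_t outlen)
{
    const char *start = strstr(header, "filename=\"");
    if (start == NULL)
        return -1;
    start += strlen("filename=\"");
    const char *end = strchr(start, '"');
    if (end == NULL)
        return -1;
    return copy_name_bounded(out, outlen, start, (size_t)(end - start)) == 0 ? 0 : -2;
}

/* Constructed sample headers: an ordinary one, one whose name is far longer
 * than NAME_MAX (the shape of input that triggered the overruns), and one
 * with no filename at all. */
static const char SAMPLE_OK[] =
    "Content-Disposition: attachment; filename=\"report.txt\"";
static const char SAMPLE_LONG[] =
    "Content-Disposition: attachment; filename=\""
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.txt\"";
static const char SAMPLE_NONE[] = "Content-Disposition: inline";

/* Returns 1 if the ordinary header parses to "report.txt". */
int demo_ordinary_name(void)
{
    char name[NAME_MAX];
    return extract_attachment_name(SAMPLE_OK, name, sizeof name) == 0
        && strcmp(name, "report.txt") == 0;
}

/* Returns 1 if the over-long header is rejected with the buffer left empty. */
int demo_overlong_name_rejected(void)
{
    char name[NAME_MAX];
    int rc = extract_attachment_name(SAMPLE_LONG, name, sizeof name);
    return rc == -2 && name[0] == '\0';
}

/* Returns 1 if a header without a filename is reported as missing. */
int demo_missing_name(void)
{
    char name[NAME_MAX];
    return extract_attachment_name(SAMPLE_NONE, name, sizeof name) == -1;
}

int main(void)
{
    printf("ordinary name parsed: %s\n", demo_ordinary_name() ? "yes" : "no");
    printf("over-long name rejected: %s\n", demo_overlong_name_rejected() ? "yes" : "no");
    printf("missing name reported: %s\n", demo_missing_name() ? "yes" : "no");
    return 0;
}
```

The point of rejecting rather than truncating is that a mail client can then refuse the message outright; a silently shortened name would hide the fact that something malformed arrived.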

JScript Vulnerability in IE4. Microsoft has issued a bulletin and patch for a security vulnerability in their IE browser. The security problem is similar to others described in this issue: an abnormally long string overrunning a buffer and causing problems. This problem affects the JScript Scripting Engine version 3.1 which handles JScripts on web pages. A malicious person could, in theory, use a long string to either kill the browser or run arbitrary code in the string.

A patch and more information is available from Microsoft at: Link

Information of Interest

GPS Week Number Rollover (WNRO). If Y2K didn’t have you searching for software bugs, 22 Aug 1999 presents another opportunity for GPS users. The Global Positioning System is a series of satellites that users on the Earth can use to determine their accurate location through triangulation. The system broadcasts time as a GPS week number along with a time offset into each GPS week. In order to save money, the US Government used a 10-bit number for the GPS week number so week numbers range from 0 to 1023. Week zero started on 6 Jan 1980, and week 1023 will end on 21 Aug 1999. The following week will reset back to 0; the Week Number Rollover event (WNRO). This event takes place every 20 years; just long enough for one generation of programmers to be replaced with another who may not have heard of the WNRO.

WNRO creates two basic types of problems: A GPS receiver may be confused during the event and produce gross position errors when pre- and post-WNRO dates are used in calculations. Also, receivers that calculate on a “weeks since 1980” basis may generate date calculation errors. The first problem should be transient as the entire constellation updates (although some reports indicate it could take a week or so for everything to become synchronized). The second problem is corrected by a hardware/software update.

Contact your vendor if you use GPS-based equipment.
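To make the “weeks since 1980” failure concrete, here is an added C example (not from the newsletter or any GPS vendor) that computes the full GPS week for a calendar date, masks it to the 10 bits the satellites broadcast, and contrasts a naive receiver that trusts the 10-bit field with a rollover-aware one that resolves the field against a week it knows it cannot be earlier than (a firmware build week, a hypothetical value here). The date-to-days routine is Howard Hinnant’s days_from_civil algorithm.

```c
#include <stdio.h>

/* Days since 1970-01-01 for a proleptic Gregorian date
 * (Howard Hinnant's days_from_civil algorithm). */
static long days_from_civil(int y, unsigned m, unsigned d)
{
    y -= m <= 2;
    long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (long)doe - 719468;
}

/* Full (unwrapped) GPS week: weeks elapsed since the epoch, 6 Jan 1980. */
long gps_week_full(int y, unsigned m, unsigned d)
{
    return (days_from_civil(y, m, d) - days_from_civil(1980, 1, 6)) / 7;
}

/* What the satellites actually broadcast: the low 10 bits (0..1023). */
unsigned gps_week_broadcast(long week_full)
{
    return (unsigned)(week_full & 1023);
}

/* Naive receiver logic: treat the 10-bit field as the full week. Correct
 * until week 1023 ends on 21 Aug 1999, then snaps back to the 1980 epoch. */
long naive_week(unsigned week10)
{
    return (long)week10;
}

/* Rollover-aware receiver logic: given a week the receiver knows it cannot
 * be earlier than (e.g., its firmware build week), pick the first full week
 * at or after it whose low 10 bits match the broadcast. */
long resolve_week(unsigned week10, long not_before)
{
    long epoch_start = not_before - (not_before & 1023);
    long candidate = epoch_start + (long)week10;
    if (candidate < not_before)
        candidate += 1024;
    return candidate;
}

int main(void)
{
    const long build_week = 1000;            /* hypothetical firmware build, spring 1999 */
    long w = gps_week_full(1999, 8, 22);     /* first day after the rollover */
    unsigned b = gps_week_broadcast(w);
    printf("22 Aug 1999: full week %ld, broadcast field %u\n", w, b);
    printf("naive receiver: week %ld; rollover-aware receiver: week %ld\n",
           naive_week(b), resolve_week(b, build_week));
    return 0;
}
```

The same resolution step works for every later rollover as long as the “not before” week is refreshed when firmware is built or updated; a receiver whose reference week is more than 1024 weeks old is back to guessing.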

New Spammer Ploy. Have you started seeing spam that claims to be legal, citing references such as: “This message is sent in compliance of the new E-mail bill: SECTION 301 Paragraph (a)(2)(c) of s. 1618”? The problem is that while the referenced law is proposed, it has not yet passed Congress or been signed by the President.

Indeed, there is even some possibility the law may not make it out of Congress (at least not in its present form). Antispam forces dislike the bill because it effectively makes spam legal, stating that there are only certain cases where it is not legal. Antispammers fear the law will have the opposite effect of the one intended.

FY2000. When you’re planning your Y2K tests don’t forget that in some countries and states you may have to test earlier because while the date changes on January first their fiscal years may start earlier.

As an example, Afghanistan starts fiscal year 2000 on 20 March 1999. Further, on 1 April 1999 Canada, Japan, Britain, Qatar, South Africa, and New York state (and maybe others) all start FY2000. Again, not a crisis; just something to take into account if your software uses fiscal years.

Euro Font. With the Euro coming into the world, you not only have to make certain your software supports it, you have to be able to display the Euro symbol on your screen. You can get full information on the Euro display in Microsoft operating systems from: Link

In closing: The world got a little bit more dangerous this month. Watch your back!