In This Issue:
- Form Spam
- Viruses Worse?
- Safe Computing Tips
- Morpheus Hole
- Secret Updates
- MS Security (Malformed Network Request Can Cause Office v. X for Mac to Fail; Unchecked Buffer in Telnet Server Could Lead to Arbitrary Code Execution; Unchecked Buffer in SNMP Service Could Enable Arbitrary Code to be Run)
- MS Support Cycle
- Opt Out
- Flash Memory Cards
- Keep Your Copying Right
- Trojans (Troj/Msstake-A)
- File Infectors (W32/ElKern-B)
- Macro Viruses (Variants; WM97/VBS/W32/Comical-A; WM97/Dig-C; WM97/Falcon-A; WM97/Fifteen-A; WM97/Jedi-P; WM97/Marker-KC)
- Worms (W32/Klez-E/F/G; W32/Maldal-F; W32/MyParty-A; W32/Rexli-A; W32/Tariprox-B)
The world of the future will revolve around software. If you’ve wanted to write software but could not get started, consider this E-book: “Software Secrets Exposed!” — “The Ultimate How-To Guide for Building Your Own Software Empire” by Ben Prater. The book does not teach you a specific programming language but it does teach you program design and subsequent marketing techniques. Take the link here to get to the book’s site (you’ll be redirected). Be advised in advance, the writing style is pure hype but the techniques outlined in the book are valid and useful.
[No longer supported]
New acronyms/definitions added to CKNOW.COM this past month.
- [Removed. CKnow no longer catalogs acronyms/definitions]
Examination of current listings is now complete through the letter “J”.
Below is the result of your feedback form. It was submitted by
(email@example.com) on Friday, January 18, 2002 at 23:10:01
…don’t despair; this is not something you asked for. It is, instead, an example of a form exploit that takes advantage of a widely-used form submission script that has a big hole in it. Form mail scripts usually accept input in the form of a URL structured as follows…
…where everything before the question mark is the URL and everything to the right of the question mark is input to the script. One of the variables fed to a mail script is the address to which the results of the form are mailed. An unsecured script allows any address in this field; a secure script will only allow one address or limit the sending to a specific domain. The exploit comes when someone finds an unsecured script and sets up a program that feeds the script’s URL with the addresses to spam and the message to send. The variable names can be easily determined by examining the source of a Web page that calls that script.
If you don’t fill in Web forms you can safely apply a filter to your incoming E-mail to send all mail with “Below is the result of your feedback form.” in the body of the message to the bit bucket and avoid all this spam.
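The recipient restriction described above, written out as an added example (it is not code from this newsletter or from any particular form-mail script). The script path, the field names recipient, subject and email, and the allowed address and domain are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed site policy: form results may go only to these mailboxes or to
# mailboxes in these exact domains. All values are constructed samples.
ALLOWED_RECIPIENTS = {"webmaster@example.com"}
ALLOWED_DOMAINS = {"example.com"}

# Deliberately strict shape: one mailbox, no spaces or separators.
ADDR = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def recipient_allowed(value):
    """True only if value is a single address the site owner approved."""
    if any(ch in value for ch in "\r\n,;"):
        return False  # extra recipients or injected mail headers
    match = ADDR.fullmatch(value.strip())
    if match is None:
        return False
    address = value.strip().lower()
    domain = match.group(1).lower()
    return address in ALLOWED_RECIPIENTS or domain in ALLOWED_DOMAINS

def check_request(url):
    """Validate one form-mail request URL; return (ok, reason)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    recipients = params.get("recipient", [])  # hypothetical field name
    if len(recipients) != 1:
        return False, "exactly one recipient field required"
    if not recipient_allowed(recipients[0]):
        return False, "recipient not on the allow list"
    # Values copied into mail headers must not contain line breaks.
    for field in ("subject", "email"):        # hypothetical field names
        for value in params.get(field, []):
            if "\r" in value or "\n" in value:
                return False, "line break in header field " + field
    return True, "ok"

# Constructed requests: the site's own form, then one naming an outside address.
BASE = "http://www.example.com/cgi-bin/mailform?"
OWN_FORM = BASE + "recipient=webmaster@example.com&subject=Feedback"
OUTSIDE = BASE + "recipient=someone@elsewhere.example&subject=Hello"

if __name__ == "__main__":
    for request in (OWN_FORM, OUTSIDE):
        print(check_request(request))
```

The domain comparison is an exact match, so an address such as a@example.com.elsewhere.example is rejected rather than accepted on a prefix.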
Viruses Worse? It’s reported that McAfee.com says viruses will be worse in 2002 than they were in 2001. We’ll have to see, but remember, this is the company that predicted what amounted to the end of the world of computing with the Michelangelo Virus some time back and told everyone that shareware was riddled with viruses while marketing its product using the shareware marketing method. Stay alert and don’t get scared; and, most certainly, don’t fall for hype. [And, in a related story, mi2g software reported that the number of new virus types (not virus variants) in 2001 was 245; down from the 413 they reported in 2000.]
- Passwords. Make them hard to guess and keep them private. Change them regularly. Include numbers in passwords in order to avoid dictionary attacks and, if the password is case-sensitive make use of that by changing case for part of the password.
- Don’t give your E-mail privileges to anyone else for any reason. If you do then you run the serious risk of having any control over your E-mail taken away from you. It’s bad enough that mail addresses can be forged; but, these can be proven to not come from you via log entries. If you give away your access then those “bad” E-mails just might be able to be traced directly to you via those same logs.
- Backup. Backup. Backup!
Morpheus Hole. Morpheus is the program that has taken over from Napster in the file swapping world. A hole has been discovered, however, that puts your personal information at risk. The odd thing is that while experts have found they can obtain random lists of users of the system nobody is quite certain how; they know there is a hole but not what the hole is! Stay tuned and use Morpheus at your own risk.
…(by the way, you might want to bookmark this URL as Microsoft sometimes changes the agreement and you’re bound by those changes). In particular, note the wording about XP Internet-Based Services Components:
You acknowledge and agree that Microsoft may automatically check the version of the Product and/or its components that you are utilizing and may provide upgrades or fixes to the Product that will be automatically downloaded to your Workstation Computer.
In other words, you agree to let Microsoft check your computer and automatically upload changes to it. As currently worded, this is without your permission or knowledge. Should this bother you? Perhaps, particularly if you closely control your computer’s configuration (most likely to happen in a corporate environment).
But, that’s not all. The EULA also allows Microsoft to upload changes to its own and other vendors’ Digital Rights Management technology software (read copy protection). That’s right, if Microsoft distributes DRM software for a vendor that vendor can request Microsoft to upload changes to it on their behalf. Should this bother you? Yes. DRM software has the ability to lock you out of items you might have purchased. It also has the ability to transmit information back to the vendor. Frankly, this opens up a rather large potential security hole.
Microsoft says systems for doing all this are still being worked out and they intend to give users control over the process. But, we’ll just have to believe them saying that for now. And, of course, they have this stellar security record…
- Malformed Network Request Can Cause Office v. X for Mac to Fail.
A patch is available. See…
An anti-piracy mechanism built into Office v. X for the Macintosh can be exploited in order to cause versions of Office on a network to shut down. Office periodically checks for multiple product identifiers (PID) running on the same network. If found, the product shuts down. It’s possible to fool this system and cause the PID Checker to fail and Office to shut down.
- Unchecked Buffer in Telnet Server Could Lead to Arbitrary Code Execution.
A patch is available. See…
The implementation of Telnet, which provides remote shell capabilities, in Windows 2000 and Interix 2.2 has unchecked buffers that could be exploited. The exploit could cause the Telnet Server to fail or allow unauthorized code to run on the computer.
- Unchecked Buffer in SNMP Service Could Enable Arbitrary Code to be Run.
A patch is under development. See…
Simple Network Management Protocol (SNMP) is a protocol for managing network devices over the Internet. While included with all versions of Windows, it is usually not installed or running in the default installation. A buffer overrun condition has been present in the system for a long time and was only recently discovered. As usual with a buffer overrun, the potential exists for an attacker to disable the attacked computer or cause hostile code to run on it. A patch is being developed; until it is available, if SNMP is running on your computer it would be a good idea to disable it. Blocking ports 161 and 162 will also help counter any external attacks. (Note: Cisco routers are also vulnerable and will need to be patched.)
Opt Out. Many ad serving sites have an opt out feature whereby you go to a particular URL and a cookie is set on your system that prevents some or all of the ads from that system from being shown and/or prevents tracking of you via those ads. Finding that link on all the sites has been a royal PITA…until now. One site has linked all the opt out pages onto one page! Go to…
…and have fun opting out. [I only checked out this page on the site; given the name you might (or might not) want to just stay on that page :-).]
Flash Memory Cards. If you have to mail flash memory cards you might just want to switch to a courier or some other method of sending the cards. Some mail is now going through electron beam sterilization because of the anthrax threat. The problem is that this procedure can, in some cases, damage flash memory cards (and credit “smart” cards that have the embedded chip). Those precious vacation pictures you want to send to someone on a flash card just might turn to garbage if you mail them.
Keep Your Copying Right. In the past, the Supreme Court gave you permission to make copies of TV programs and records onto tape for your own use. The Digital Millennium Copyright Act (DMCA) will take much of that away from you with regard to digital recordings. Representative Rick Boucher (D-Va.) is attempting to amend that act in order to protect rights you had before DMCA. Please consider giving him your support.
Spam. We’re getting closer to possibly controlling spam; at least some of it. Courts have now upheld spam control laws passed in both Washington State and California. While these are fairly toothless laws relative to the reality of the computer E-mail system, this is a step in the right direction.
FILExt. In a complete surprise to me I picked up the 26 Feb. issue of PC Magazine and discovered that they had selected my file extension site (http://filext.com/) as one of their “Best 100 Undiscovered Sites.” No notice or anything; just a big surprise! Now, it turns out you can help keep the site on the list. Go to the PC Magazine site and cast a vote in favor of FILExt (you do have to register with them)…
http://www.pcmag.com/article/0,2997,s=25087&a=22087,00.asp [No longer voting.]
There are a number of new viruses described this month. They are listed below.
Here’s what we might learn from these various attacks:
- Don’t open attachments out of curiosity. KNOW what’s in them.
- Keep your system security updates up to date.
- Watch your attachment names carefully; some attachments are now masquerading as Web addresses (notably with .COM extensions).
- Don’t forget our virus tutorial site.
- More complete descriptions of most of these viruses can be found at the Sophos or F-Secure web sites:
- Troj/Msstake-A. A backdoor dropped by W32/MyParty-A. It allows remote access to your computer by others.
- W32/ElKern-B. A file virus with the capability to store itself in file cavities. It changes its method of operation depending on the operating system. Windows 98 and Me users will find the file WQK.EXE in the \WINDOWS\SYSTEM folder and a registry entry to run that file on system start. Windows 2000 and XP users will find the file WQK.DLL in the \WINDOWS\SYSTEM folder and a registry entry to run that file on system start. This virus is dropped by the worm W32/Klez-E.
- Variants. The following variants have been observed but generally carry no payload: XM97/Divi-AQ, XM97/Laroux-OM
- WM97/VBS/W32/Comical-A. An E-mail virus/worm in three parts. The infected E-mail attachment is a Word DOC file: COMICAL_STORY.DOC. The message indicates you should view the document for a comical story. The macro virus in the DOC file displays a dialog box indicating the file has problems. Clicking OK will cause the virus to drop the script C:\TWIN.VBS which is then executed. The script will harvest E-mail addresses from the address book and write them to C:\BACKUP.WIN. The script also recreates the macro virus in the file \WINDOWS\NETINFO.DOC. Finally, the script drops the file \WINDOWS\AVW32.EXE and executes it. This EXE file will access both files, sending NETINFO.DOC to every address in BACKUP.WIN. The registry is also changed so this beast runs at system start.
- WM97/Dig-C. A Dig-A variant which uses the file ~WRR000^.TMP in the Temporary folder during replication. It displays a message in Russian characters.
- WM97/Falcon-A. A Word macro virus that replicates, but with errors. It disables the Visual Basic Editor and the File|Templates menu item. Access to the VB Editor will result in both an error box and a box that indicates macro editing has been disabled to protect against viruses.
- WM97/Fifteen-A. This Word macro virus password protects infected documents on the 15th or 30th of the month. The password is “>>xvx<<” (without the quotes). It also changes the Help|About menu item.
- WM97/Jedi-P. A Word macro virus which resets the Word user details to:
- UserName: O.B.1. Canobi
- UserInitials: OBC
- UserAddress: BOOGZI BARBERS … Food Buster!!!
- WM97/Marker-KC. Yet another Marker-C variant that tries to FTP user info to the Codebreakers site and tacks that info onto the end of the macro as well.
- W32/Klez-E. An E-mail worm that drops and runs the W32/ElKern-B virus. The worm also uses its own E-mail server to mail itself to entries in your address book. The subject will vary and could be random. There may or may not be message text and the attached file will have one of the following extensions: .PIF, .SCR, .EXE or .BAT. But, that’s not all it does. It also tries to disable some anti-virus programs and also tries to exploit the Outlook and Outlook Express MIME vulnerability that by now I hope everyone has fixed:
Klez-E also spreads via network shares. It resides in the \WINDOWS\SYSTEM folder in a randomly named file; the registry is set to run that file on system start.
- W32/Klez-F. See above for Klez-E. The variant will create .RAR archives on remote shares and add itself to them. The names are taken from a list in the worm.
- W32/Klez-G. See above for Klez-E. There are only minor differences.
- W32/Maldal-F. An Outlook E-mail worm that sends itself to the Outlook address book. The subject will wish you a Happy New Year and the attached file is CHRISTMAS.EXE. The body is a New Year greeting. The worm stores CHRISTMAS.EXE in the \WINDOWS folder and sets the registry to run that on system start. To prevent your interference with it, the worm disables the keyboard. It also renames the computer to Zacker and resets the browser’s start page.
- W32/MyParty-A. A sneaky worm in that it masquerades as a Web site. Its E-mail has the subject “new photos from my party!” and the message text indicates you should go to the “attached web page” to see amazing pictures of a party. The attached file is named WWW.MYPARTY.YAHOO.COM. Note that in this case this is NOT a URL but an actual file with the extension .COM; an executable extension. Click on it and MyParty will send itself to the Windows Address book using its own mailer. Don’t be fooled by the name of the file; it’s perfectly legal as a file name, and it is executable. This worm also drops a Trojan: Troj/Msstake-A.
- W32/Rexli-A. An E-mail worm that, if executed, will display an error message about loading the file LINKI.EXE (usually). In the meantime, the worm tries to mail itself to the Outlook address book. The E-mail will have the subject “Cool linki” and LINKI.EXE as an attachment. The message body is non-English. The worm also copies itself to \WINDOWS\SYSTEM\LINKI.EXE and REXEC.EXE. It then searches for .VBS files and replaces them with a script to run the worm. In addition to E-mail, the worm also attempts to spread via mIRC via the SCRIPT.INI file. The worm counts the number of times it runs and at 100 it deletes various system files that may make your system unstable.
- W32/Tariprox-B. A worm that uses a proxy connection to attach itself to out-going E-mail messages by monitoring traffic on port 25 (the port E-mail typically uses). The arriving infected attachment will appear to be personal as the file will be named [your E-mail name].DOC.PIF. If run, the worm drops \WINDOWS\MMOPLIB.EXE and changes the registry so the file is run at system start. It also changes and/or replaces the HOSTS file on the computer; the HOSTS file maps IP addresses to machine names and is used to more quickly connect (a DNS lookup is avoided if the HOSTS file is used). (The file HOSTS.SAM, if it exists, will be left and Windows will use the worm-created HOSTS instead.) The specific entry the worm makes is to map the SMTP mail server to the IP address 127.0.0.1, which is the local machine loop-back address. When the E-mail client (Outlook Express is what the worm is optimized for) attempts to use port 25 to send E-mail through an SMTP server, the IP address of that server is given back as 127.0.0.1, which is really the worm. The worm then connects to the real SMTP server and inserts its own data as needed to spread itself. A bug in the worm might prevent new E-mails from being downloaded if the same machine is used to serve both incoming and outgoing mail. Other programs that use the HOSTS file to map IP addresses may be affected by this worm. The worm may be sent in unpacked (about 40KB) or packed (about 21KB) form.
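A check for the HOSTS change described under W32/Tariprox-B, as an added example (it is not from this newsletter or from any anti-virus vendor). It flags any name other than the usual local ones that a HOSTS file maps to a loopback address. The sample file and hostnames are constructed, and the mail_servers parameter is an assumption: the SMTP server names your mail client is configured to use.

```python
import ipaddress

# Names that legitimately point at the loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain",
               "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (line_no, ip, names) for each mapping line of a HOSTS file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                          # blank or incomplete line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an address
        yield line_no, ip, [name.lower() for name in fields[1:]]

def loopback_redirects(text, mail_servers=()):
    """Return (line_no, name, severity) for non-local names sent to loopback."""
    watched = {name.lower() for name in mail_servers}
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if not ip.is_loopback:
            continue
        for name in names:
            if name in LOCAL_NAMES:
                continue
            # A mail server on loopback matches the worm's behaviour; other
            # names may be deliberate (ad blocking) and only need a look.
            severity = "high" if name in watched else "review"
            findings.append((line_no, name, severity))
    return findings

# Constructed sample, not taken from an infected machine.
SAMPLE_HOSTS = """\
# sample HOSTS file
127.0.0.1   localhost
127.0.0.1   smtp.example.net     # mail server sent to loopback
192.0.2.10  intranet.example.net
127.0.0.1   ads.example.org
"""

if __name__ == "__main__":
    for finding in loopback_redirects(SAMPLE_HOSTS, ["smtp.example.net"]):
        print(finding)
```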
In closing: If this newsletter or my sites help you, please tell others about them.