Computer Knowledge Newsletter – March 2001 Issue

In This Issue:


Computer Knowledge now has a web store for T-shirts and mugs. Please take a look at our store at:

[Store taken down due to lack of interest.]

Thank you.

General Security

NT E-Banking and E-Commerce Attacks. The National Infrastructure Protection Center (NIPC) has been coordinating investigations into the largest criminal Internet attack so far. Apparently, Eastern European crackers have been systematically exploiting known Windows NT vulnerabilities for over a year. More than 40 sites have been exploited and over a million credit cards exposed. 40 victims in 20 states have been identified. Sadly, the vulnerabilities were discovered by Microsoft as early as 1998 with patches issued to fix them. This shows the importance of always finding out about and applying operating system patches! The NIPC has issued an updated Advisory 01-003 at [Link 404] regarding the vulnerabilities being exploited. Steve Gibson has also developed a small program that tests for the vulnerabilities. If you are running Windows NT or 2000 check out Link for details.

Top Ten. There are lots of threats out there; just what are the top ten Internet threats? The January 2001 issue of Info Security Magazine reports them as follows:

  • Super-user vulnerabilities: The holy grail of hackers is the super-user who has ultimate access to anything.
  • Disgruntled employees: As an “authorized” user an unhappy employee can wreck havoc.
  • Buffer overflows: Still the exploit of choice for hackers to get to that super-user level.
  • Kernel attacks/loadable kernel modules: An attack the involves replacing portions of the operating system with attack software.
  • Application security flaws: In a word–bugs. Sometimes bad bugs.
  • CGI-script exploits: Script programming languages can do lots of things and in the hands of poor programmers can leave lots of holes for exploitation.
  • Password sniffing: Getting a password is like finding gold.
  • Human error: Social engineering lets hackers pose as employees, maybe of the IT shop, and con info out of other employees.
  • Virus/Trojan horse: Programs that pose as valuable software but do damage or install themselves awaiting outside commands.
  • Denial of service: Use of zombie computers to flood a target in order to shut it down.

Now, be honest, how many of those did you think of before reading the article?

BiblioFind Hacked., owner of the BiblioFind site that looks for old books, has confirmed that hackers have stolen customer records for BiblioFind, including credit card information. Card issuers and authorities have been notified. If you’ve had any dealings with BiblioFind you might want to contact them and be certain to carefully watch your credit card bills (even consider asking for current card(s) to be replaced with new numbers.

Palm Passwords Don’t Protect. If you have a Palm PDA with password-protected data on it be advised that anyone with developer tools can enter the operating system via a trapdoor and browse through any data “protected” with a password. Since the developer tools are not hard to obtain that basically means that nothing on a Palm is presently protected should the Palm be stolen. (Note, also, that Handspring’s Visor and Sony’s Clie both use the Palm OS.) The newest version (4.0) is expected to close this loophole.

Satellite Control Hacked. Software able to control satellites was obtained from the Naval Research Laboratory in Washington. The penetration happened on last Christmas Eve and Federal officials are on the case. The system was not a classified system and the version obtained was an old version. The code was found on a Swedish computer and some believe it was obtained through a German source.

MS Security. Microsoft has issued a a number of new security bulletins this past month. Please see all current alerts at: Link

  • IE can Divulge Location of Cached Content. By obfuscating the location of cached contents, the IE security architecture can be used to restrict access to authorized users. This vulnerability allows HTML code to determine the cache physical location. Knowing this, the code could then run compiled HTML help (.CHM) files and, through them, links to executable code running in the Local Computer Zone. This, in turn, could make the local machine vulnerable to attacks. A patch is available. For further information see: Link
  • Outlook, Outlook Express Vcard Handler Contains Unchecked Buffer. Outlook has an unchecked buffer in its vCard processor. A malformed vCard could be used to attack the mail client on the receiving machine and cause it to fail or, potentially, cause undesired code to run on that machine. This cannot happen automatically; it only happens if the vCard is opened. A patch is available. For further information see: Link
  • Windows 2000 Event Viewer Contains Unchecked Buffer. Malformed event data could cause the viewer to fail or allow undesired code to run. While less serious than other buffer overrun vulnerabilities, it should be patched and a patch is available. For further information see: Link

General Interest

Home Page Hijacking. The latest bid to capture you and your shopping habits is the increasingly aggressive tactic of hijacking your browser’s home page (the page the shows up when you start the browser). More frequently new software you install, attachments to E-mail you open, or even Web pages you visit will reset your home page. At best, this is rude; at worst, it can cause security problems. Some companies have even been using a bug in IE5 (a patch is available, see the Microsoft patch site) to automatically reset the home page setting without your approval (the bug actually allows the remote site to install software into your startup folder!). Even with permission, the changes are often masked as come-on questions; e.g., “Do you like freebies?” with a “yes” answer resetting your home page without telling you that’s what happened.

Visa Guidelines. Visa USA has basically given its vendors until 1 May to comply with the security guidelines it issued last year. If you run a network you could take a lesson from their guidelines:

  • Maintain a properly configured network firewall
  • Keep security and virus patches up-to-date
  • Encrypt stored data and files sent across networks
  • Restrict data access on a “need-to-know” basis
  • Assign unique IDs to every person with access to data
  • Avoid using vendor-supplied defaults for passwords
  • Maintain a security policy for employees and contractors
  • Restrict physical access to cardholder information

UCITA Ready. It appears some license agreements are becoming UCITA-ready. That’s getting scary. (For those that don’t remember, UCITA is the new law being proposed at state level that would essentially validate most anything a company wants to put into a shrink-wrap agreement; effectively stripping your rights away to nothing.) Here are some examples being reported…see how you like them:

  • InstallShield 6 initial release: “You grant to InstallShield the right to, with or without notice, monitor your Internet-accessible activities for the purpose of verifying [software] performance and/or your compliance with the terms hereof, including, but not limited to the remote monitoring and verification of your implementation, use, and duplication of the [software].” (Since removed, I understand, after InstallShield was challenged about the wording. But, read it again and be very scared; they can watch you work.)
  • Cybernet Systems’ Netmax: “Cybernet may terminate this License at any time by delivering notice to you, and you may terminate this License at any time by destroying or erasing all copies of the Software.” (All this without any compensation; so, they’ve got your money and can then take the software back.)
  • Network Associates VirusScan 5.15: “The customer shall not disclose the results of any benchmark test to any third party without Network Associates’ prior written approval.”…and…”The customer will not publish reviews of the product without prior consent from Network Associates.” (There goes Freedom of Speech.)

UCITA is making the rounds in various states right now. Only two states have approved it so far (Maryland and Virginia), but others may follow if you don’t make your concerns known.

Virus News

There are a number of new viruses described this month.

Don’t forget our virus tutorial site.

More complete descriptions of most of these viruses can be found at the Sophos or F-Secure web sites: Link Link

Trojans. These important new Trojans appeared recently:

  • SubSeven2.2. A new version of this remote access Trojan. Through this program anyone on the net can control most anything on your system. This can include monitoring keystrokes and taking screen shots. It even advertises your computer as open to attack via chat systems or even via E-mail. The Trojan can sniff networks and participate in denial of service attacks. Plus, it has an open architecture through plug-ins.

Macro Viruses. A number of macro viruses have been announced this past month. Below is a summary of the more important ones:

  • Variants. The following variants have been observed but generally carry no payload: WM97/Ded-N, WM97/Myna-AI, WM97/Myna-AJ, WM97/Myna-AK
  • WM97/Cham-A. A Word macro virus that used Outlook to spread. The virus basically spreads. It saves a copy of itself to a DOC file with the rootname being your username to the My Documents folder. The document is attached to E-mails sent out to your entire address book. The subject of the E-mail is your username followed by “Curriculum Vitae”. The virus also changes its codes each time it infects the NORMAL.DOT template as an attempt to defeat scanners.
  • WM97/Ded-M. A Word macro virus created by combining WM97/Ded-B and WM97/Class.
  • WM97/E4. The virus creates the file C:\START.EXE on the 20th of any month and then runs it. That file is a copy of Joke/Win-Wobble.
  • WM97/Marker-GL. A minor Marker variant.
  • WM97/Metys-K. A minor Metys-D variant.
  • WM97/Metys-O. A new virus that is a combination of WM97/Class-D and WM97/Metys-I.
  • WM97/Pizdec-A. A Word macro virus with the obvious active function named “Virus”. A message box containing gibberish will appear on various Help, File, and Tools options. It also appears with any attempt to view the source code. A different message box appears after seven days.
  • WM97/WMVG-A. A “construction kit” virus that displays a dialog box on the 27th of any month. The box is titled “ERAP PARIN”. It also drops a Visual Basic script for reinfection purposes.
  • XM97/Barisada-O. A minor Barisada variant the stores it’s macros in RMC.XLS. The questions in the dialog box typical of this virus family pop up 24 April between 2pm and 3pm. This virus can clear all cells in the current worksheet.
  • XM97/Divi-AE. A Divi variant that infects spreadsheets as they are opened or closed through the file BASE5874.XLS in the Excel template folder. The flag variable IVID is used to determine is a spreadsheet is already infected.
  • XM97/Squared-A. A simple Excel virus that simply spreads via the file NT².XLS (NT<squared>.XLS) in XLSTART.

Worms. A number of worms have been announced this past month. Below is a summary of the more important ones:

  • VBS/Carnival-A. An E-mail worm that comes with the subject “Next Week: Brazilian Carnival” and the attachment BRAZILIAN_CARNIVAL.JPG.VBS. If run, it copies itself to the TEMP directory and then sends itself to the Outlook address book.
  • VBS/Cuartel-A. A network worm that copies itself to the Windows Temp folder as file NAV.EXE#.VBS (# represents 74 spaces). The registry is changed to run that file. The file itself displays a porno image and disables IE proxy settings. Associations are removed for .XLS, .DOC, and .MDB files. The worm also attempts to overwrite remote-machine files with extensions .BTR, .PST, .XLS, .MDB, .JPG, .PAB and .WAB.
  • VBS/Kakworm-Z. A Kakworm variant that arrives as a script in the signature of an incoming message. It will affect your system if you use Outlook Express and don’t have the security fixes from Microsoft installed. If not updated, and one of the Microsoft IE-based products is used to open or preview an infected message the worm drops BAP.HTA into the Windows Start-up folder so it runs at system start. This, in turn, causes the file BAP.HTM to be written to the Windows directory and set to be used as the default signature on messages sent. The IE home page is also changed to the advertising site WWW.IGNIFUGE.COM.
  • VBS/LoveLet-CG. A LoveLetter variant. The worm comes in the attachment IMPORTANT-COMPANY-NEWS.HTM.VBS. Should you execute it three files will drop into the drive’s root directory: MSKERNEL32.VBS, WIN32DLL.VBS, and IMPORTANT-COMPANY-NEWS.HTM.VBS. The worm will then forward itself to your Outlook address book. The subject will be “IMPORTANT CORPORATE NEWS” and the text talks about “vital company news released today.”
  • VBS/Malpoc-A. Arrives as the E-mail attachment READ_ME_LEGAL_NOTICE.PDF.VBS. If run, the worm will try to reply to all inbox messages using the original subject and body text. It also attaches itself to the outgoing message.
  • VBS/SST-B. An SST-A (Anna Kournikova) variant that will likely be restricted to the German-speaking community (the worm is in German). The worm spreads by copying itself to a file in the Windows folder (NEUE TARIFE.TXT.VBS). The worm tries to spread via Outlook, mIRC, and Pirch.
  • VBS/Vierika-A. An E-mail worm that arrives as the attachment VIERIKA.JPG.VBS. If run, the script changes the IE home page and alters security settings. On the redirected site is an HTML page that will create VIERIKA.JPG.VBS in the C-drive root and attempt to spread itself to your Outlook address book with that file as an attachment.
  • W32/GnutellaMan. The worm attacks users of the Gnutella file-sharing network. The worm announces itself as a useful EXE file when searches are made and reports itself using the name of the search with .EXE appended (e.g., a search for “top tunes” will be reported back as a success with the file “top tunes.exe”). When downloaded and run the receiving user is infected and has the file GSPOT.EXE added to the Windows Start-up directory. (This is purported to be the first peer-to-peer “virus”.)
  • W32/Magistr-A. A polymorphic beast that spreads via both E-mail and file infection. This one uses more than just the address book to find addresses to transmit itself to; it looks in mail boxes and other files. The worm sets the system to run it on every boot via both WIN.INI and the registry. The E-mail sent out is generated randomly and so has no definite subject or text to identify it.
  • W32/Myba-A. An E-mail worm that arrives in a message touting it to be an animated baby picture in the attached file MYBABYPIC.EXE. If run, the picture turns out to be a porno animation of a baby boy and the worm copies itself to the System folder under the names WINKERNEL32.EXE, WIN32DLL.EXE, COMMAND.EXE, CMD.EXE and MYBABYPIC.EXE. The registry is also changed so the worm runs at each system start. The worm also changes many files on your system. All files with extensions .C, .CPP, .CSS, .H, .HTA, .JS, .JSE, .PAS, .PBL, .SCT, and .WSH are overwritten and the name is changed so the extension is .EXE. Picture files with .JPG and .JPEG extensions are overwritten with .EXE added to the filename. Files with extensions .MP2, MP3, and M3U are copied with .EXE added to the filename and then the originals are marked hidden.
  • W32/Naked. The file NAKEDWIFE.EXE is sent as an attachment to your Outlook address book. The message has the subject “Fw:Naked Wife” and body “> My wife never look like that! ;-)”. If you were careless enough to run the attachment an image that looks like a video player is displayed while the worm is deleting important system files from the Windows folder and its subdirectories.

In closing: PLEASE, keep your operating system and programs up to date with all of the latest security patches.