In This Issue:
- Some Security Considerations
- Microsoft Hacked Big Time
- Wireless Tracking
- MS Security (ActiveX Parameter Validation Vulnerability; HyperTerminal Buffer Overflow Vulnerability; VM File Reading Vulnerability)
- New Mouse
- Macro Viruses (WM97/Angel2000; WM97/Bablas-AS; WM97/Blaster-D; WM97/Class-FB; WM97/Killdll-B; WM97/Marker-BR; WM97/Marker-FQ; WM97/Myna-Z; WM97/Story-Y; WM97/Thus-BP; WM97/Vesn-A; WM97/Wrench-F; XM97/Barisada-G; XM97/Divi-W)
- Worms (W32/Hybris-B; W32/Navidad; W32/Sonic; VBS/Scary; VBS/777-B; VBS/LoveLet-BT)
Some Security Considerations. Do you run a web site or control any security assets? If so, you should periodically run a basic security check on these assets. Some of the things to look for are actually basic issues from physical security. Consider:
- Human risks are probably still the most significant challenge a security manager has to consider. When you consider that threats can come from the inside or outside you should also consider that insiders have a head start.
- Further consider security training. Social engineering threats are common. You’d be surprised how many password are given out by employees just by someone saying they are from the computer shop and asking for the password over the phone.
- Web sites can provide information for attacks or social engineering. Contact information is often posted and sometimes system information is put into the headers on web pages; and, these headers can be read as part of the page source code.
- Make certain all software is properly installed and all security patches obtained and installed. Even with this, there are common errors that are often not caught. Look in copies of this newsletter for “buffer overflow” for the most obvious example.
- Completely test, particularly for security problems, all software written in-house. Make certain you understand everything it does; particularly when data is input in the wrong locations and/or in the wrong form. For example, if you truncate long IDs you might allow the wrong user to access data (SmithJohn might also be allowed for SmithJohnathan).
- If you update underlying software, consider retesting everything. It’s not uncommon for operating system changes to introduce new holes that might now become available for exploitation.
- Know what others are doing with your site. There are many services the exchange links and/or place ads on your site. While not necessarily a direct threat you might not want some of the advertisers your site is being served. Check to see if you can limit the type of advertising fed to your web site.
- Consider having backup sites customers can use if you have a business-intensive site. Down time is noticed and customers don’t care if it’s caused by systems being down or denial-of-service attacks. On a similar line make certain your provider has the bandwidth and machine capability to serve your needs; particularly directly after an advertising campaign.
- Privacy is important to users. Keep that in mind. Consider not just having an enforced policy but helping the users by not allowing them to have easy-to-guess passwords, as one example. This will also help stem the tide of identity theft.
- Be aware of who is looking at your web site(s). Get a good log analysis program and use it. Maybe you can spot trends before they become problems.
Microsoft Hacked Big Time. During October (14-25 Oct by the latest estimate) hackers were able to access Microsoft’s computer network and gain access to product and operating system source code (Microsoft confirms source code access but indicates they know none was changed). The hacking was noticed when security at Microsoft noticed passwords being sent from Redmond to St. Petersburg, Russia. First indications are that the hackers were able to gain entrance through use of the E-mail Trojan QAZ which attacked an employee’s home computer that was also, at times, connected to the Microsoft network. This Trojan opened a back door through which the hackers could enter and move around the network.
Wireless Tracking. You may not realize it but the US government has dictated that within the next few years all cell phones must have some form of location signal so that 911 calls can be traced to the caller’s location just as they presently are with landline phones. Not a bad thing, obviously. But, think of the side effects because the phone vendors already are (they’re not going to invest all that money without thinking about some of the paybacks).
So, what can they do? Well, maybe you frequent a particular store. If so, that store might arrange to obtain your location and when you are within a short distance of the store give you a call with a special offer relating to the product(s) you purchase there most often. Or, consider the case where you are ill. You might wear a biomedical monitoring device that immediately calls your doctor when certain conditions occur; your doctor knows where you are and can summon an ambulance if needed (this one is actually fairly close to being real).
But, all this data can also be stored. Think about a court case (maybe a divorce) where the opposing lawyer can get his/her hands on data about exactly where you were when you called your spouse with that excuse…
As in all things, there are good and bad applications of technology. Take advantage of the former and watch out for the latter.
MS Security. Microsoft has issued a few new security bulletins this past month. Below is a summary (this is only a summary for Windows 95/98/2000; it does not always include NT–see the Microsoft web site for a complete listing):
- ActiveX Parameter Validation Vulnerability. This is a Windows 2000 vulnerability which could allow a malicious users to run code on your computer due to an unchecked buffer problem. A patch is available.
- HyperTerminal Buffer Overflow Vulnerability. The HyperTerminal program that ships with Win98, 98SE, ME, NT, and Windows 2000 has a flaw that could allow a malicious user to execute code on another user’s system via an unchecked buffer. A patch is available.
- VM File Reading Vulnerability. A new vulnerability has been found in the Microsoft Virtual Machine (subject of a previous report). The vulnerability could allow a Java applet to operate outside the sandbox. A patch is available (if you have not applied the previous patch this one will cure both vulnerabilities).
For all of these items and more please take a look at:
New Mouse. I don’t often gush over new toys but really have to in this case. My original Microsoft mouse was getting fairly dirty and I had to clean the mouse ball fairly often. While easy enough to do it still was a pain. Visiting Costco one day I spotted one of the newer Microsoft IntelliMouse Optical mice and decided to try it. I’ve been delighted. (There are several versions of this mouse; this one is one of the smaller versions with four buttons and a scroll wheel.) First, the mouse works on most any surface; I can even run it on my leg if I want to. This is because it requires no physical contact; the mouse determines changes in position by “watching” changes in the surface it’s moving over (so there is no mouse ball to clean!). Running the IntelliMouse software I’ve set the left and right side buttons to cut and paste respectively. Did not know if this would work well, but after a short time I can’t even think about Control-C or Control-V any longer. If you need a new mouse (or just a new toy to play with) you might want to consider an optical mouse. (It even shuts down the LED when you turn the mouse over so you don’t have to worry about your eyes.)
Static. We’ve had some 30-degree nights lately which means the heater has been on more often than usual. That means dry air with the resulting static buildup as one moves around. The problem? Static can be death to sensitive computer equipment. The quick discharge of static can cause transient currents that, under certain circumstances, can fry digital circuits. What to do? Before you handle any digital circuits (chips, boards, etc.) be absolutely certain you are grounded. At a minimum, before touching circuit components first touch bare metal on the computer’s case. For better safety, obtain a grounding strap. One part of this will have a clip you clip to the case; the other part is a strap that goes around your wrist. This keeps static from building up as you move around in the dry air. In areas where static is very bad, consider a grounding pad that sits next to the computer; you tap it before touching the computer in order to drain off any static charge before handling the keyboard or mouse.
Don’t forget our virus tutorial site.
More complete descriptions of most of these viruses can be found at the Sophos or F-Secure web sites:
- WM97/Angel2000. A Word macro virus that overwrites procedures in the Normal template with its own procedures. The virus also disables macro security settings and permanently removes the Macro and Customize Menu items from the Tool menu, preventing other users from attempting to modify macro security settings. Word will shut down during December if infected with this virus. Three registry entries are set to point to (presumably) the author of the virus (Avenging Angel at www.sti.edu.ph) in the Philippines.
- WM97/Bablas-AS. A Word macro virus. Attempts to access Tools|Macros or Tools|Templates will result in a message box containing “You are my dream.” The Help|About menu item will display a message box containing “Qun katawon walataqun kalaler. I MISS YOU!”
- WM97/Blaster-D. A Word macro virus that, on the 27th of any month, will try to hide desktop icons and the taskbar.
- WM97/Class-FB. A Word macro virus that is actually a combination of Class-B and Panther.
- WM97/Killdll-B. A Word macro virus that deletes the first *.DLL file in the System subdirectory. Depending on the file deleted this might cause Windows to behave badly immediately or prevent restarting later. (You do have a backup of critical files don’t you?)
- WM97/Marker-BR. A Marker variant that drops PHIE.HTML in the Windows folder and sets it as your wallpaper. The file is a poem on yellow background.
- WM97/Marker-FQ. A Marker variant that roughly 33% of the time will try to change file properties to: Title=Ethan Frome, Author=EW/KN/CB, and Keywords=Ethan.
- WM97/Myna-Z. A Myna variant. It is buggy and displays error messages when it attempts to copy itself.
- WM97/Story-Y. This is a merger of two Word macro viruses: WM97/Story-A and WM97/Pri.
- WM97/Thus-BP. A Thus variant that on the 13th and 26th of the month might display several dialog boxes. One will caution you to not take any action until “…your computer tells you!” and then asks you for your name. When you answer the virus will chide you: “Do you know, you’re the greatest stupid lamer? If no please call WWW.MICROSOFT.COM”. September and December the virus also attempts to close Windows.
- WM97/Vesn-A. A Word macro virus. It changes the directory into which templates and NORMAL.DOT are stored. Directory name “\normal” is added to the existing path name.
- WM97/Wrench-F. A Word macro virus that affects the Visual Basic Editor. When you run the VBE the virus activates the Office Assistant with a message entitled “Skyline MV” and text that says: “You thought you got rid of me, but I’m Still here, better and stronger!”.
- XM97/Barisada-G. A Barisada Excel macro virus variant. Between 2pm and 3pm on 24 April the virus presents a series of dialog boxes with questions. If you answer incorrectly the virus will delete data from all infected worksheets. (Answer “Barisada” and “No” to be OK.)
- XM97/Divi-W. A Divi variant that resides in the file ODR.XLS in the XLSTART directory.
- W32/Hybris-B. An E-mail worm that modifies WSOCK32.DLL such that outgoing messages contain the worm as an attachment.
- W32/Navidad. An E-mail worm contained in the attachment NAVIDAD.EXE. If you run NAVIDAD a dialog containing “UL” will display and new E-mail messages will be read and the worm sent to the senders. The worm copies itself as WINSVRC.VXD and WINSVRC.EXE and sets the system so these run on system boot. The worm also installs itself into the system tray and displays non-English greetings when clicked.
- W32/Sonic. An E-mail worm that updates itself via web downloads. The carrying E-mail has the subject “Choose Your Poison” and the mail has the attachment GIRLS.EXE (a variant uses LOVERS.EXE). GIRLS.EXE displays “GIRLS.EXE est pas une application Win32 valide.” then copies itself into the System directory as GDI32.EXE. This file is set to run at system start. After ten minutes the worm contacts a Geocities site looking for LASTVERSION.TXT which, if found, controls the subsequent download of an updated version of the worm. It also downloads and installs EMSMTP.DLL which helps it send E-mail. Finally, the worm listens on port 1973 for commands that allow certain uploading/downloading and monitoring tasks.
- VBS/Scary. An E-mail worm that uses Outlook. The E-mail subject is “The Secret of Life” and the attachment (with the worm) is the file SECRET.HTM. The HTML page contains a VBS script that will start if your browser security is set improperly or if you say OK to the dialog that pops up asking if ActiveX should be activated for the embedded script (if you say no the worm does not work properly). If allowed to operate the worm sends copies of itself to your Outlook address book. The worm drops itself into the Startup directory so it runs on each system boot. The worm then displays a message box with the text “Hello user, I am a cyber-genie who will give you the answer to the secret of life” and an input box asking for your name (default is “Bozo”). Whatever entered is saved to the file GODZILLA in the System directory. This is followed by a number of non-functional messages. Finally, the worm attempts to fill all floppy and hard drives with garbage files. The file WINGEN.DLL in the System directory indicates the worm has already run on the system.
- VBS/777-B. A 777 worm variant with the LoveLetter code as a payload. The transmitting E-mail has the subject “I HATE YOU” and the attachment with the worm is MY-FAREWELL-2-NEWSGROUPS.TXT.VBS (note the double extension trick). An HTML file and mIRC script is dropped as the mechanism to spread the worm from your system. The rest of the worm acts like LoveLetter because of the attached code. See LoveLetter in the Virus Tutorial.
- VBS/LoveLet-BT. A corrupted variant of LoveLet-AS. The worm continues to replicate none-the-less.
In closing: Computer Knowledge wishes you and yours the very best during the upcoming holiday season!