Computer Knowledge Newsletter – October 1999 Issue

In This Issue:

Virus News

Melissa Redo. Several variants of the original Melissa virus have started to circulate. Most scanners will catch them; some will require updating. The variants are not as benign as the original virus. In addition to sending itself to people in your address book the virus will now attempt to erase all files on what are typically network drive letters in one variant and some local critical files in another variant. Because of the past outbreak and the fact that many users have updated their scanners these variants are not getting particularly far but, as always, if you get an E-mail with an attachment you were not expecting, even from someone you know, be particularly careful.

Badass Worm. Sorry, I don’t name these things! This one is named after the file that one finds attached to the sending E-mail message (BADASS.EXE). If you are silly enough to run the attachment it sets up Outlook to send itself to your address book but before doing so pops up an offensive question on your computer and gives you yes/no buttons to answer. As you head toward the NO button, however, it moves out of the way and you can never get to it. When you get tired and click YES the worm sends itself out.

NT/Infis.4608 Virus. Yet another first here: a virus that emulates a Windows NT system driver. When an infected file is run under NT 4.0 the file INF.SYS is created in the …system32\drivers directory along with a registry entry that causes this file to be executed on each system start. Running in this form INF.SYS has the ability to then attach itself to every executable file subsequently run. It’s not a perfect virus (i.e., it’s somewhat buggy) and has no known destructive payload; but, like others before it, it can become a template for subsequent “better” attacks of this form.

FreeLinks. An encrypted VB Script virus that spreads via E-mail, network drives, and IRC client scripts. Via E-mail the virus spreads as an attachment that must be run. When run a .URL file is created that points to an adult website. Worse, however, the registry is changed so a VBS file runs on every boot. The VBS file checks for IRC activity and, if found, a script is created that sends the virus to other users on the IRC channel when they join. The virus also copies itself to shared network drives in an attempt to spread. (Another new virus, W2KM_IRCJACK.A, also attempts to hijack IRC and send itself to others.)

Word97/2000 Suppl.A Worm. Yet another E-mail attachment you have to run; in this case a Word document with a Trojan inside. When opened, the document macros copies the document to a file named anthrax.ini in the Windows directory. It then extracts 6712 bytes from that file. These bytes are really a compressed file that is then decompressed to dll.tmp. The worm then establishes a wininit.ini file in the Windows\System directory. This file will execute on the next reboot. It renames wsock32.dll to wsock33.dll and then dll.tmp to wsock32.dll. Suppl.A is now in a position to monitor outgoing E-mail and send itself to others. It is polite and keeps a record of the outgoing mail in anthrax.hst. Finally, about a week after the infection, Suppl.A searches drives for various document, text, database, and archive files and sets the file size of each to zero; effectively wiping out the data in any of those files.

General Security

Y2K Malicious Fixes. In the August issue of the newsletter I wrote about the possibility of back doors and other malicious code being placed into Y2K fixes and that you should monitor and audit this work carefully. Did not expect it to happen so quickly, but on October 1st Reuters reported that “malicious changes to computer code under the guide of Year 2000 software fixes have begun to surface in some U.S. work undertaken by foreign contractors.” The report is credited to Michael Vatis, the top cybercop at the Federal Bureau of Investigation. Subsequent reports credited to the Central Intelligence Agency (although they won’t confirm the information) implicate India and Israel as being the countries most likely to be involved. Work done by contractors in Ireland, Pakistan, and the Philippines is reported to be least likely affected; though all work should be considered suspect. (There have not been many such reports, but it’s early…)

Security Myths. The September 1999 issue of Info Security News Magazine reports the top ten common security myths (in no particular order):

  • If I have a firewall my network can’t be hacked. Truth: Nope. There are many ways into a network, including ways behind the firewall.
  • Passwords are a good way of protecting systems from misuse or attack. Truth: They are easily broken and often left out in the open.
  • Single sign-on is adequate security on my private network. Truth: Single sign-on is a convenience, not security.
  • Most security breaches are from outside the company. Truth: History shows internal breaches are most common.
  • Hackers are just geeks out to show that they can break into networks. Truth: Hackers hire themselves out–like by your competitor.
  • My home PC is safe from attach by hackers. Truth: Not if you are connected to a network–see related article this issue.
  • Servers on internal networks are safe from attack. Truth: Most are simply password-protected.
  • People on my private network can be trusted. Truth: Depends. Have you ever fired anyone?
  • Intrusion Detection Systems provide another layer of security. Truth: Actually, these systems “detect,” not protect.
  • Our company won’t get hacked–hackers don’t attack companies like ours. Truth: If you’re alive, someone out there wants info on you or your company.

Personal Internet Security. Many people don’t understand that no matter how you connect to the internet you can still be vulnerable; even if it’s a dial-up connection where the IP address changes on each connection. Steve Gibson, a software utility writer from the early Apple II days onward has taken an interest in computer security. He’s placed a very interesting tutorial and on-line test program onto his web site. It’s well worth a visit. Go to: Link

and navigate to ShieldsUP!. You might just be surprised how vulnerable you are.

More IE Holes. There were several Microsoft security alerts regarding IE issued in the past month or so. I’m frankly getting tired of repeating the fact that IE has security holes that need to be patch. So, for now, I’ll just give you a URL you can go to and read all about them:

[Link 404]

Each of the FAQ/bulletins listed there will have links to the appropriate fixes. You might even want to bookmark that URL and just return there now and again to see what new hole has been found.

Items of Interest

FSISAC. The Financial Services Information Sharing and Analysis Center has been established by the US Government and the financial services industry. It will be an information clearinghouse for computer security and computer system vulnerabilities. FSISAC will be managed by industry and will rely on voluntary reports of incidents; primarily from banks and other financial sources. Member companies will be able to submit alerts (anonymously) and receive real-time alerts in return. The system will also receive data from other sources and distribute alerts to those sources.

In closing: Keep your security software up to date. It keeps getting more and more important.