Computer Knowledge Newsletter – March 2002 Issue

In This Issue:

• SNMP Vulnerabilities
• PHP Vulnerability
• Gator Digital Wallet Vulnerability
• MS Security (Cumulative Patch for Internet Explorer; Incorrect VBScript Handling in IE can Allow Web Pages to Read Local Files; Java Applet Can Redirect Browser Traffic; Unchecked Buffer in SNMP Service Could Enable Arbitrary Code to be Run; Unchecked Buffer in Windows Shell Could Lead to Code Execution; XMLHTTP Control Can Allow Access to Local Files)
• NASDA Hacking
• Standing up to Microsoft
• Trojans (Troj/ICQBomb-A)
• File Infectors (W32/CTX-A)
• Macro Viruses (WM97/Ded-T; WM97/Ethan-EO; WM97/Marker-HW; WM97/Onex-G; WM97/Panggil-C; WM97/WMVG-C)
• Worms (JS/Coolnow-A; VBS/Britney-A; VBS/LoveLet-DO; VBS/Numgame-A; W32/Alcaul-E; W32/Bezilom-A; W32/FBound-C; W32/Gibe-A; W32/Maldal-I; W32/MyLife-A; W32/Sharp-A; W32/Yaha-A; W32/Yarner)

Administrivia

The world of the future will revolve around software. If you’ve wanted to write software but could not get started, consider this E-book: “Software Secrets Exposed!” — “The Ultimate How-To Guide for Building Your Own Software Empire” by Ben Prater. The book does not teach you a specific programming language but it does teach you program design and subsequent marketing techniques. Take the link here to get to the book’s site (you’ll be redirected). Be advised in advance, the writing style is pure hype but the techniques outlined in the book are valid and useful.

[No longer supported]

General Security

SNMP Vulnerabilities. There have been a number of known vulnerabilities in SNMP, version 1 that 12 February the Computer Emergency Response Team (CERT) decided to highlight in a bulletin. The vulnerabilities could result in denial of service attacks and/or unstable behavior. The CERT bulletin gave the standard “fixes” for the noted vulnerabilities. So, since everything is known and already generally fixable, what’s new and why did the CERT act now? The PROTOS test suite. Prior to the development of this test suite the vulnerabilities were theoretical and unexploited. The PROTOS test suite, developed at Oulu University (Oulu, Finland) made the theoretical real. This gives hackers the tools they need to exploit the vulnerabilities on a silver platter. So, CERT felt it was important to issue a notice to get everyone to test and fix their systems against any such exploits.

There are some tools available to help in this process should you need them.

• The SANS Institute has released SNMPing for checking port 161. Write to [email protected] for information.
• Foundstone has released SNScan for ports 160, 161, 391, and 1993. For more info… http://www.foundstone.com/knowledge/free_tools.html [link no longer active]
• Qualys has indicated they will perform free network scans for SNMP-enabled services and devices.

PHP Vulnerability. The end of February a PHP vulnerability was made known. The vulnerability would allow an attacker to use a POST request to allow remote access to the Web server. Under normal circumstances the attacker would then have access as user “nobody” which is the user level most scripts run at. However, if CGIWRAP was also being used the attacker would be running at the user’s security level.

If you have a Web site that uses PHP you would do well to make certain your Web provider has implemented the PHP security fixes and, in the meantime has disabled the file upload feature of PHP as a workaround fix.

Gator Digital Wallet Vulnerability. It is reported that an ActiveX plug-in in the Gator Digital Wallet can be used to create a remote access backdoor into a user’s computer. If you use this product you might contact them to confirm and see if an update is available.

MS Security. Microsoft has issued a a number of new security bulletins this past month. Please see all current alerts at:

http://www.microsoft.com/security/default.asp

• Cumulative Patch for Internet Explorer (11 February 2002 version) http://www.microsoft.com/technet/security/bulletin/MS02-005.mspx Now and again, for those who have not kept up, Microsoft issues a cumulative patch to fix vulnerabilities. This patch eliminates all prior vulnerabilities for IE 5.01, 5.5 and 6 along with six new vulnerabilities:
  • A buffer overrun associated with HTML code that incorporates a document within a Web page. This one could allow malicious code to run.
  • A GetObject scripting function vulnerability. This one could all local files to be read by a remote user.
  • A File Download dialog name display vulnerability. This one could misrepresent a file name about to be downloaded tricking you into running or saving an unsafe file.
  • A file open vulnerability. This one can trick IE into opening a potentially unsafe file type on your system.
  • Script running vulnerability. This one can allow a script to run even if scripting has been disabled on the system.
  • A variation of the previous Frame Domain Verification vulnerability. This one allows two browser windows to pass information between them so a remote site can read files on your local system.
• Incorrect VBScript Handling in IE can Allow Web Pages to Read Local Files. http://www.microsoft.com/technet/security/bulletin/MS02-009.mspx Through this vulnerability and under specific circumstances it would be possible for an intruder to view files on your local machine and even to view Web content from sites you’ve visited; including obtaining passwords and credit card info from forms. A patch is available.
• Java Applet Can Redirect Browser Traffic. http://www.microsoft.com/technet/security/bulletin/MS02-013.mspx There is a flaw in Microsoft VM which runs JAVA applets. The flaw could allow a malicious Java applet to re-direct Web traffic to a destination specified by an attacker; without your knowing traffic has been taken over. This could allow an attacker to obtain sensitive data from you. A patch is available.
• Unchecked Buffer in SNMP Service Could Enable Arbitrary Code to be Run. A patch is now available for this vulnerability listed last month… http://www.microsoft.com/technet/security/bulletin/MS02-006.mspx
• Unchecked Buffer in Windows Shell Could Lead to Code Execution. http://www.microsoft.com/technet/security/bulletin/MS02-014.mspx You know the Windows Shell as the Desktop; but the Shell does more than just display the Desktop. An unchecked buffer allows an attack to take place via the portion of the Shell which tracks application removal. An attack would be rare, but possible and might cause the Shell to crash or allow the attacker’s code to run. A patch is available.
• XMLHTTP Control Can Allow Access to Local Files. http://www.microsoft.com/technet/security/bulletin/MS02-008.mspx The XMLHTTP ActiveX control used by the Microsoft XML Core Services has a flaw which, under limited circumstances, can read files on your local computer. Only reading is possible and the attacker would need to know the full pathname to the file. A patch is available.

General Interest

NASDA Hacking. An employee of one of two firms working for the National Space Development Agency of Japan hacked into the NASDA computers to get information on the other company recently. As is often the case, he was found out when he bragged in public and NASDA heard about it. What did they do? Unfortunately, not much; the proverbial slap on the wrist. Moral: Protect your data as some government agencies won’t do it for you.

Standing up to Microsoft. Someone has finally decided to stand up to Microsoft on the issue of security. It’s reported that the Chief Information Officer of the U.S. Air Force (John Gilligan) has told Microsoft that the Air Force will stop using Microsoft software unless Microsoft improves security in its products. We can only hope that more large accounts take the same stand as this appears to be the only way Microsoft might take security seriously. If more customers demand security, vendors will provide it. Of course, be aware that means you will have to jump through more hoops to use your software — but that’s the tradeoff.

Virus News

There are a number of new viruses described this month. They are listed below.

Here’s what we might learn from these various attacks:

• Don’t forget our virus tutorial site.
• More complete descriptions of most of these viruses can be found at the Sophos or F-Secure web sites:
  • http://www.sophos.com/virusinfo/analyses/
  • http://www.datafellows.com/v-descs/

Trojans. These important new Trojans appeared recently:

• Troj/ICQBomb-A. As the name implies, this Trojan allows an ICQ account to be bombed with as many copies of a message as an attacker wants to send.

File Infectors. These important new file infectors have been reported recently:

• W32/CTX-A. A polymorphic Windows file virus. It sits and does nothing for six months and then, when the current day/hour are the same as the day/hour of infection the virus activates and changes the Desktop background color.

Macro Viruses. A number of macro viruses have been announced this past month. Below is a summary of the more important ones:

• WM97/Ded-T. A Ded variant. This polymorphic virus may delete the NORMAL.DOT file Word uses for its master document settings.
• WM97/Ethan-EO. Yet another in a long string of Ethan Word macro virus variants. It will typically change the document properties so the Title becomes Ethan Frome.
• WM97/Marker-HW. Yet another Marker variant. This one is of Marker-C but is corrupted (but will work).
• WM97/Onex-G. A Word macro virus that repeatedly changes the document window size one in eight times the virus is executed.
• WM97/Panggil-C. The Word macro virus resets user information to include Grunge-X as well as possibly setting the document password to GRUNGE. The Tools|Macro menu item is also disabled along with a message saying GRUNGE is blocking your system. You might also see (Monday and Friday) the message “The Sun Is Gone But I Have I Light (1967-1994)” when Word exits. The virus creates \WINDOWS\OSGRUNGE and keeps track of infections in GRUNGE1.INI in that folder. The file ENGINE.DLL is also created in your Word directory; this file is not the virus.
• WM97/WMVG-C. A Word macro virus created using the WMVG macro creation kit. It drops a VBScrip which re-infects word.

Worms. A number of worms have been announced this past month. Below is a summary of the more important ones:

• JS/Coolnow-A. A worm that takes advantage of an Internet Explorer vulnerability and copies itself via MSN Messenger. The worm is part of an HTML page that, when viewed by a vulnerable browser, will send a message to all MSN Messenger contacts asking them to view the infected page. There are no local changes made by the worm. The Microsoft security patch can be obtained from… http://www.microsoft.com/technet/security/bulletin/ms02-005.mspx
• VBS/Britney-A. An E-mail work that spreads via Outlook and IRC. It’s main file is \WINDOWS\BRITNEY.CHM. That file is attached to all outgoing messages which basically indicate the file contains pictures of the popular star. The worm required ActiveX and if it is not enabled, puts up a message asking you to “Enable ActiveX To See Britny Pictures”. Drives through E: are searched for the file MIRC.INI. If found, a SCRIPT.INI file is created. This file is used by IRC to send the worm to other IRC users.
• VBS/LoveLet-DO. A LoveLetter variant that arrives in an E-mail message with the subject indicating the message is about US Presidential and FBI secrets. The attachment is a file with a random name. If run, the worm attempts to download MACROMEDIA32.ZIP, LINUX321.ZIP, and LINUX322.ZIP which are (despite the names) a text file and two graphics. The first is copied to \WINDOWS\IMPORTANT_NOTE.TXT and the registry is changed to run this on system start. The worm also copies itself to \WINDOWS\RELOAD.VBS and LINUX32.VBS and sets the registry to run one on system start. The two graphic files are copied to \WINDOWS\LOGOS.SYS and LOGOW.SYS so they become the Windows opening and closing graphics. It also copies itself to a file with the extension of .GIF.VBS or .JPG.VBS in the System directory and this is the file that is mailed out. Finally, on 17 September the worm displays a message box with the message “Dedicated to my best brother=>Christiam Julian(C.J.G.S.) Att. TEGIF (M.H.M. Team)” (TEGIF is any random letter combination).
• VBS/Numgame-A. An E-mail worm that arrives in a message asking if you are the Valentine of the sender and suggesting that you play the attached guess-the-number game. The attached file is either GUESSGAME.HTML or GUESSGAME.VBE. The HTML file starts an ActiveX application that creates and runs GUESSGAME.VBE. The VBE file copies itself to the \WINDOWS\SYSTEM folder and then sends itself to the Outlook address book. The system date will then be reset to a date in either April or August of 1981 (or not changed in some cases). The registry is then changed to disable the checking of system files that Windows performs. Once that is done the worm tries to erase all files on all drives. As a precaution, it also creates an AUTOEXEC.BAT that deletes files with the extensions .SYS, .DLL, .OCX, .CPL, .DAT, .COM, .EXE, .CAB, .INI, .INF, .VXD, .DRV, .DOC, .XLS, .MDB, .PPT, .MP3, .JPG, .TXT, .HTM, .HTML, .HTA, .ASP, and .ASPX from a number of system folders. Finally, the worm actually plays a guess-the-number game (1 to 100) with you.
• W32/Alcaul-E. A complex combination worm and virus. The basic worm is created as \WINDOWS\SYSTEM\INET.EXE. But, it arrives as an E-mail offering “sex and other stuffs” and four attached files: SEXSOUND.EXE, WWW.ECSTASYRUS.COM, SYRA.SCR, and README.TXT. Each of the first three files are the worm and the last is a simple text file. If executed, the worm creates the above INET.EXE file and then tries mail itself to the Outlook address book. It also attempts to spread via IRC through a SCRIPT.INI file if IRC is found on the system. In yet another twist, the worm also can infect Word documents. It does this through an infected embedded object which replaces the original contents. If an infected document is then opened a macro copies the document to \WINDOWS\NORMAL.DOC, creates \WINDOWS\START MENU\PROGRAMS\STARTUP\WINWORD.REG, and WINWORD.BAT in the same folder. On the next system start, WINWORD.BAT will run WINWORD.REG which changes the Word registry security settings. The worm then overwrites .TXT, WRI, and .PDF files with itself and displays a message using Office Assistant: “Whew!! Wassup,doc? You have so many document files in your hard drive.. Better remove some..?”.
• W32/Bezilom-A. A worm that spreads via floppy disks (if present). The saved file is a scrap object with three embedded files: two executables and one JPG image. One of the EXE files is copied to \WINDOWS\MARIS.DOC.EXE as a hidden file and the registry is set to run that file on system start. The other EXE creates \PROGRAM FILES\MACROSOFTBL\MACROSOFTBL.EXE and sets the registry to run this file on system start. With both programs running Windows appears as if no programs can be started (MARIA.DOC.EXE does this). The worm also tries to copy itself to a floppy disk in drive A: and, failing that, copies itself to a randomly-named file in C:\ and changes AUTOEXEC.BAT so it runs that file on system start. The program MACROSOFTBL.EXE presents itself as an anti-virus program with messages telling you where to send money to buy a full version which will remove the worm.
• W32/FBound-C. An E-mail worm that arrives in a mail with “Important” as the subject and “PATCH.EXE” as an attachment. The body is blank. It sends itself to all addresses in the Outlook Address Book. (Mail addresses ending in .JP for Japan will have a different subject taken from a list in the worm.) There is no destructive payload and no files are dropped — it simply sends itself out each time you run it.
• W32/Gibe-A. An E-mail worm that arrives as the attached file Q216309.EXE in a message that advertises itself as a security update coming from Microsoft. The message is quite convincing unless you know that Microsoft does not send out such notices! If run, a number of files are created on your system: \WINDOWS\Q216309.EXE, \WINDOWS\SYSTEM\VTNMSCCD.DLL, \WINDOWS\BCTOOL.EXE, WINNETW.EXE, GFXACC.EXE, and 02_N803.DAT, all in \WINDOWS. The first is a direct copy of the worm. The .DAT file tracks E-mails sent. GFXACC.EXE opens port 12387 for remote access to your computer. The other two .EXE files try to send out the infected E-mail. A number of registry entries are made to track the worm and make certain it runs on system start.
• W32/Maldal-I. An E-mail work that has one of a number of subject lines programmed into the worm (most start with “Fwd:”). The attached file is usually PROGRAM.EXE. The worm, if run, harvests E-mail addresses from the Outlook address book and web pages found on the local hard drive. It tries to trick you the next time it runs by displaying the message: “Sorry you have not registered Please contact us”. The registry is changed to run the worm on system start (although not all copies referenced may have been created). As a payload, the worm displays a black screen with the text “ZaCker Is N YoUr MaChiNe” five minutes after first running.
• W32/MyLife-A. An E-mail worm with the attachment “MY LIFE.SCR” and a juvenile looking message indicating it’s a picture you should look at. If you do, the worm will copy itself to \WINDOWS\SYSTEM\MY LIFE.SCR and change the registry so it runs on system start. The worm mails itself to the Outlook address book and then displays a painting of a young girl.
• W32/Sharp-A. An E-mail worm that arrives as an EXE file attached to the message. The message implies the EXE file will make Windows both faster and more secure and that it’s a Windows update. The file name is MS02-010.EXE. If executed, the worm drops and executes SHARP.VBS in the current folder. In then sends itself to all Outlook addressees. Sharp-A also looks for the MS .NET runtime. If found it also drops WINDOWS\CS.EXE which then infects other .EXE files with Sharp-A. The worm tracks itself by entering the viral file name into the registry.
• W32/Yaha-A. An E-mail worm with its own SMTP server that arrives as the attachment VALENTIN.SCR to a message about melting your heart with the attached Valentine. If run, the worm is a screen saver but, in the background, it copies itself to \RECYCLED\MSMDM.EXE and MSSCRA.EXE. The registry is changed so MSMDM.EXE runs before any other .EXE file. The worm harvests E-mail addresses from the address book and all .HT* files found on the computer. These are stored in the files SCREENDBACK.DLL and SCREEND.DLL. The worm uses its own (or one of several listed in the worm) SMTP server to send itself to these addresses.
• W32/Yarner. A worm with its own SMTP routines to send E-mail itself to Outlook address book entries. The E-mail poses as a German Trojan newsletter update with the attached file YAWSETUP.EXE. If you run the file NOTEPAD.EXE gets renamed to NOTEDPAD.EXE and the worm then copies itself to NOTEPAD.EXE. It also copies itself to a randomly-named .EXE file in the Windows folder and creates a registry key to run that file on system start. Ultimately, the worm will attempt to delete all files from the hard drive.

In closing: We have only two things to worry about. One is that things will never get back to normal. The second is that they already have.