News
Security Roundup
- By Scott Bekker
- 03/09/2001
The National Infrastructure Protection Center (NIPC) and the FBI have
been investigating the activities of organized hackers they believe originated
in Eastern Europe and Russia. The hackers have been able to obtain American
credit card numbers through e-commerce sites, then attempt to ransom the
numbers back to their owners or credit card companies or threaten to publish
the numbers on the Internet.
The hackers exploited holes in Microsoft Windows NT
systems; the vulnerabilities have been known since as early as 1998. Many
users, however, did not patch their systems and thus became victims.
The virus of the week is the W32/Naked@MM, or Naked Wife
virus. The Naked Wife virus consists of a file attached to an e-mail message
with the subject “Fw: Naked Wife” and the message “My wife never look like
that! ;-)”. When run, NakedWife.exe copies itself to a Temp directory and
displays a window entitled “Flash” that purports to be a property of JibJab
Media. After attempting to delete all .BMP, .COM, .DLL, .EXE, .INI, and .LOG
files in the Windows and Windows\System directories, the “Flash” window informs
the user that they’ve been the victim of a ruse.
It would seem obvious that this is a virus – after all, how
many strangers send pictures of their naked wives to their entire address
books?
Another recent virus uses an open mail relay to deliver an
.EXE file. CERT, Carnegie Mellon University’s network security clearinghouse,
reports on the Hybris Worm. The worm is a piece of malicious code that
propagates through e-mail messages and newsgroup postings and targets Windows
machines. The user must execute an attachment in order to become infected.
The worm infects the Windows networking library WSOCK32.DLL
file, subverting normal e-mail behavior, and sends a copy of itself any time an
infected user sends an e-mail message. The e-mail message containing the virus
masquerades as a pornographic story.
As Sophos Anti-Virus’ Graham Cluley said, “Think with your
head, not your groin.”
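As an added illustration (not part of the original article), the Naked Wife subject line and attachment name given above, and the executable attachments that both Naked Wife and Hybris need the user to run, can be screened for at a mail gateway. The extension list, function names and sample messages are assumptions constructed for this example.

```python
import os
from email import message_from_string
from email.header import decode_header, make_header
from email.message import EmailMessage

# Extensions treated as directly executable on Windows (assumed policy list).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat"}

# Indicators taken from the article's description of W32/Naked@MM.
NAKED_WIFE_SUBJECT = "fw: naked wife"
NAKED_WIFE_ATTACHMENT = "nakedwife.exe"


def _decoded(value):
    """Decode RFC 2047 encoded words so an encoded header cannot hide a match."""
    return str(make_header(decode_header(value or ""))).strip()


def screen_message(raw):
    """Return a list of findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    if _decoded(msg.get("Subject")).lower() == NAKED_WIFE_SUBJECT:
        findings.append("subject matches W32/Naked@MM")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so "x.exe." still runs.
        name = _decoded(name).lower().rstrip(". ")
        if name == NAKED_WIFE_ATTACHMENT:
            findings.append("attachment matches W32/Naked@MM")
        if os.path.splitext(name)[1] in EXECUTABLE_EXTS:
            findings.append("executable attachment: " + name)
    return findings


def build_sample(subject, filename):
    """Build a constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("constructed body")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    print(screen_message(build_sample("Fw: Naked Wife", "NakedWife.exe")))
```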
Finally, a bug in Microsoft Internet Explorer. A newly
divulged IE vulnerability could allow a hacker to run code of his choice, if a
user visits the hacker’s Web site or opens an HTML e-mail from the hacker.
The IE security architecture provides a caching mechanism
that is used to store content that needs to be downloaded and processed on the
user’s local machine. A vulnerability exists because it is possible for a Web
page or HTML e-mail to learn the physical location of cached content. With this
information, a hacker could cause the cached content to be opened in the Local
Computer Zone. This would enable him to launch compiled HTML help (.CHM) files
that contain shortcuts to executables, thereby enabling him to run the
executables.
A patch for IE 5.01 SP1 is available at www.microsoft.com/windows/ie/download/critical/q279328/default.asp,
and for IE 5.5 SP1 at www.microsoft.com/windows/ie/download/critical/q286045/default.asp.
- Isaac Slepner
About the Author
Scott Bekker is editor in chief of Redmond Channel Partner magazine.