A Virus by any Other Name
Just like their biological brethren, the computer kind mutate, too.
Microsoft released the MS04-040 patch for the FRAME/IFRAME
buffer overflow that, among other things, provided the Bofra
worm (also known as MyDoom.ag and MyDoom.ah) its special sauce. Bofra comes
as a fairly benign-looking e-mail, simply a link to some unknown website. The
trick is that the link takes you to a previous victim, who now has a malicious
Web server serving up a page that invokes the overflow. Not good.
Bofra hasn't taken off or we'd have been hearing a whole lot more about this
one. This is what you call a "zero" day: technically speaking, there's
an exploit in the wild without a patch. The last time this happened was in the
beginning of October last year. It was called QHosts and it was another IE exploit
fixed by the off-cycle patch, ironically numbered MS03-040.
Actually, the biggest deal about all this is the naming of Bofra. When it was
first seen, the popular consensus among anti-virus vendors was that it was a
variant of the MyDoom worms. It was first named MyDoom.ag by most vendors, and
the next day another was called MyDoom.ah. Those who didn't think it was a MyDoom
variant named it Bofra instead.
Having the same malware named twice isn't unknown, but usually it's corrected
fairly quickly (there's no good reason having common naming if it isn't common.)
Those that named it Bofra then named new, real variants of MyDoom ".ag"
and ".ah". So now there are at least two distinctly different pieces
of malware known as MyDoom.ag, and two named MyDoom.ah. Great, eh?
The naming of malware is, at best, a dumb process. On the one hand, you've
got virus writers and exploit analysts trying to call it one thing, usually
something catchy for the press. On the other hand, you've got umpteen anti-virus
companies scrambling to figure out if it's a variant of something they've seen
before, and if not, providing a new name based, usually, on something unique
in the code or presentation of the malware. The most important thing seems to
be not to call it whatever the virus writer might have wanted it called.
Whatever else comes out of Bofra, there's one thing that's for sure: The anti-virus
industry needs to realize its approach to naming isn't working. Get it fixed,
A buffer overflow has been found in the Microsoft Windows
Internet Naming Service (WINS) server code. WINS was DNS for NetBIOS.
The ancient WINS was phased out during Windows 2000 and not available for Windows
Server 2003 -- you should double-check and make sure you've dropped it, or have
Vulnerabilities continue to be found in IMAP servers,
and exploits continue to be released. If you're using IMAP, keep in touch with
Denial of Service
Lycos Europe released a piece of malware last week,
under the guise of a screen saver. The malware repeatedly causes clients to
make requests against Web sites listed in spam. According to Lycos, this is
to reduce the performance of those spam sites.
How dumb can a company be? Hmmm ... let's imagine a spammer putting up a site
that contained an exploit to which the Lycos malware was susceptible. Your next
bot, brought to you courtesy of Lycos Europe.
No shortage of stories about thousands of computers failing or being unusable
because of some IT problem. In England, it seems government
departments in their entirety have failed. There have been no definitive causes
reported yet, but "upgrades" is a common term being thrown around
in this case. Windows XP SP2 was quickly called into question, but we don't
even know if they're running XP.
A town in Arkansas managed to lose six years' worth
of data. First, it seems that backups weren't being done successfully. Then
it was overwriting its old backups with the new, unsuccessful versions. In six
years nobody thought to buy a new tape (thereby, even unintentionally, creating
an archival backup.)
Note to reader: back up your data. Do it now and put it in a safe place --
preferably somewhere other than your computer room. If you don't have a backup
device, buy a rewritable DVD.
Mugly.a scored a first: the first malware we've seen
that drops a bot and is distributed via spam techniques. This is something that
was bound to happen eventually, and we've been fairly lucky that it took this
long to happen. Spammers have lists with millions of addresses on them. While
most don't go anywhere, it's still a larger pool of initial potential victims
than Usenet. That said, e-mail protection against malware is far better than
protection for Usenet readers, so maybe this will work out for the best. Time
New versions of Netsky and Sober
continue to be released. With the release of virus code, and the continuing
releases of new packer versions of things like Morphine,
there seems to be no end to the "me too" crowd.
the list of viruses that all anti-virus vendors must catch, received more than
300 new virus samples this month. That was partly due to some late reporting
for October, but for the most part it was just a very busy month for new viruses.
Remember, however, "new" doesn't mean "different". If a
virus is re-packed then compressed using a new encryption scheme, it's considered
new. This is only going to get worse before it gets better.
Queen Elizabeth II, in her speech before the U.K.
House of Lords, called for a national Identity Card system
and a new agency, similar to the U.S. FBI. The card is likely to include some
sort of biometric controls, be they retina, fingerprint, or facial identification.
This would be backed by a National ID Database. Similar discussions have occurred
Philadelphia, Pennsylvania, has signed an agreement
that allows it to provide wireless access to the Internet as a municipal service.
It's hard enough now to track attackers; this is only going to make it worse.
It'll be interesting to see how they set this up; for instance, what security
features are made mandatory.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.