Security Watch
A Virus by any Other Name
Just like their biological brethren, the computer kind mutate, too.
Hacking
Microsoft released the MS04-040 patch for the FRAME/IFRAME
buffer overflow that, among other things, provided the Bofra
worm (also known as MyDoom.ag and MyDoom.ah) its special sauce. Bofra comes
as a fairly benign-looking e-mail, simply a link to some unknown website. The
trick is that the link takes you to a previous victim, who now has a malicious
Web server serving up a page that invokes the overflow. Not good.
Bofra hasn't taken off or we'd have been hearing a whole lot more about this
one. This is what you call a "zero" day: technically speaking, there's
an exploit in the wild without a patch. The last time this happened was at the
beginning of October last year. It was called QHosts and it was another IE exploit
fixed by the off-cycle patch, ironically numbered MS03-040.
Actually, the biggest deal about all this is the naming of Bofra. When it was
first seen, the popular consensus among anti-virus vendors was that it was a
variant of the MyDoom worms. It was first named MyDoom.ag by most vendors, and
the next day another was called MyDoom.ah. Those who didn't think it was a MyDoom
variant named it Bofra instead.
Having the same malware named twice isn't unknown, but usually it's corrected
fairly quickly (there's no good reason to have common naming if it isn't common).
Those that named it Bofra then named new, real variants of MyDoom ".ag"
and ".ah". So now there are at least two distinctly different pieces
of malware known as MyDoom.ag, and two named MyDoom.ah. Great, eh?
The naming of malware is, at best, a dumb process. On the one hand, you've
got virus writers and exploit analysts trying to call it one thing, usually
something catchy for the press. On the other hand, you've got umpteen anti-virus
companies scrambling to figure out if it's a variant of something they've seen
before, and if not, providing a new name based, usually, on something unique
in the code or presentation of the malware. The most important thing seems to
be not to call it whatever the virus writer might have wanted it called.
Whatever else comes out of Bofra, there's one thing that's for sure: The anti-virus
industry needs to realize its approach to naming isn't working. Get it fixed,
folks!
A buffer overflow has been found in the Microsoft Windows
Internet Naming Service (WINS) server code. WINS was DNS for NetBIOS.
The ancient WINS was phased out during Windows 2000 and not available for Windows
Server 2003 -- you should double-check and make sure you've dropped it, or have
plans to.
Vulnerabilities continue to be found in IMAP servers,
and exploits continue to be released. If you're using IMAP, keep in touch with
your vendor.
Denial of Service
Lycos Europe released a piece of malware last week,
under the guise of a screen saver. The malware repeatedly causes clients to
make requests against Web sites listed in spam. According to Lycos, this is
to reduce the performance of those spam sites.
How dumb can a company be? Hmmm ... let's imagine a spammer putting up a site
that contained an exploit to which the Lycos malware was susceptible. Your next
bot, brought to you courtesy of Lycos Europe.
There's no shortage of stories about thousands of computers failing or being unusable
because of some IT problem. In England, it seems government
departments in their entirety have failed. There have been no definitive causes
reported yet, but "upgrades" is a common term being thrown around
in this case. Windows XP SP2 was quickly called into question, but we don't
even know if they're running XP.
A town in Arkansas managed to lose six years' worth
of data. First, it seems that backups weren't being done successfully. Then
it was overwriting its old backups with the new, unsuccessful versions. In six
years nobody thought to buy a new tape (thereby, even unintentionally, creating
an archival backup.)
Note to reader: back up your data. Do it now and put it in a safe place --
preferably somewhere other than your computer room. If you don't have a backup
device, buy a rewritable DVD.
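The Arkansas failure above is the case where a bad backup silently replaces a good one. As an added example (not code from this column), here is a small POSIX shell rotation that verifies each new archive by a test restore before it is allowed to displace the previous generation; the paths and the BACKUP_ROOT variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the column: a backup rotation that never lets an
# unverified archive replace the last good one. Paths are hypothetical;
# BACKUP_ROOT defaults to a fresh temp directory so this runs offline.
set -u
BACKUP_ROOT="${BACKUP_ROOT:-$(mktemp -d)}"

# verify_archive ARCHIVE SRC_DIR
#   A backup is only as good as its restore: extract into a scratch dir and
#   compare against the source. Returns 0 only if the restore matches.
verify_archive() {
  archive="$1"; src="$2"
  [ -s "$archive" ] || return 1                 # an empty file is not a backup
  scratch="$(mktemp -d)"
  if tar -xf "$archive" -C "$scratch" 2>/dev/null \
     && diff -r "$src" "$scratch/$(basename "$src")" >/dev/null 2>&1; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$scratch"
  return $rc
}

# backup_and_rotate SRC_DIR
#   Writes the new archive to a staging file, verifies it, and only then
#   rotates: current -> prev, new -> current. On any failure the staging file
#   is discarded and current/prev are left untouched, so a failed run can
#   never overwrite the previous good generation.
backup_and_rotate() {
  src="$1"
  new="$BACKUP_ROOT/new.tar"
  cur="$BACKUP_ROOT/current.tar"
  prev="$BACKUP_ROOT/prev.tar"

  [ -d "$src" ] || return 1
  if ! tar -cf "$new" -C "$(dirname "$src")" "$(basename "$src")" 2>/dev/null; then
    rm -f "$new"; return 1
  fi
  if ! verify_archive "$new" "$src"; then
    rm -f "$new"; return 2                      # keep the old generations
  fi
  [ -f "$cur" ] && mv -f "$cur" "$prev"         # one older generation kept
  mv -f "$new" "$cur"
}
```

Run `backup_and_rotate /path/to/data` from a scheduled job; a non-zero exit is the signal to investigate rather than a backup that quietly clobbered the last good tape.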
Malicious Code
Mugly.a scored a first: the first malware we've seen
that drops a bot and is distributed via spam techniques. This is something that
was bound to happen eventually, and we've been fairly lucky that it took this
long to happen. Spammers have lists with millions of addresses on them. While
most don't go anywhere, it's still a larger pool of initial potential victims
than Usenet. That said, e-mail protection against malware is far better than
protection for Usenet readers, so maybe this will work out for the best. Time
will tell.
New versions of Netsky and Sober
continue to be released. With the release of virus code, and the continuing
releases of new packer versions of things like Morphine,
there seems to be no end to the "me too" crowd.
Wildlist.org,
the list of viruses that all anti-virus vendors must catch, received more than
300 new virus samples this month. That was partly due to some late reporting
for October, but for the most part it was just a very busy month for new viruses.
Remember, however, "new" doesn't mean "different". If a
virus is re-packed then compressed using a new encryption scheme, it's considered
new. This is only going to get worse before it gets better.
Privacy/Governance
Queen Elizabeth II, in her speech before the U.K.
House of Lords, called for a national Identity Card system
and a new agency, similar to the U.S. FBI. The card is likely to include some
sort of biometric controls, be they retina, fingerprint, or facial identification.
This would be backed by a National ID Database. Similar discussions have occurred
in Canada.
Philadelphia, Pennsylvania, has signed an agreement
that allows it to provide wireless access to the Internet as a municipal service.
It's hard enough now to track attackers; this is only going to make it worse.
It'll be interesting to see how they set this up; for instance, what security
features are made mandatory.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.