Security Watch

New Malware Threat Emerging

BOFRA! Excuse me, but that was my Internet Explorer.

Malicious Code
More MyDoom and Bagle variants were released last week. The worst of these got a new name -- BOFRA -- although it appears to be just another MyDoom variant. This one has the potential to change the face of malware. It includes its own Web server, which serves up a page that exploits the IE IFRAME buffer overflow described in the "Hacking" section below.

The e-mail received by a victim has some simple social engineering and a link to the last victim's system. Luckily, these variants haven't yet "gotten legs," or taken off in any significant numbers.

The importance is this: Browser vulnerabilities may be plentiful, but exploiting them typically requires a Web site. Any time malware attempted to use a Web site to propagate, the site was quickly identified and taken down. If every infected computer becomes another malicious Web site, it won't be possible to take them all down. This definitely changes the landscape of browser vulnerabilities.

Take note that these MyDoom variants have been using port 1639, not the standard HTTP port 80, for their Web servers. That at least makes it easier to distinguish malicious links. Don't expect that to last, however.
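A mail-gateway check that flags links of the kind described above: an added example, not code from the column, using constructed sample messages and the port 1639 the column mentions as the only page-specific value.

```python
import re
from urllib.parse import urlparse

# Constructed sample e-mail bodies; the addresses are documentation ranges, not real hosts.
SAMPLE_MESSAGES = [
    "Hi, check this out: http://203.0.113.7:1639/ see you",
    "Our site moved to http://www.example.com/news",
    "Photos here http://198.51.100.23/photos/index.html",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
WORM_PORTS = {1639}            # port used by the MyDoom/BOFRA variants in the column
NORMAL_PORTS = {None, 80, 443}  # None means the URL carries no explicit port


def find_suspect_links(body):
    """Return (url, reason) pairs for links in a message body worth quarantining."""
    hits = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        port = parsed.port
        reasons = []
        if port in WORM_PORTS:
            reasons.append("known worm port %d" % port)
        elif port not in NORMAL_PORTS:
            reasons.append("non-standard port %d" % port)
        if IPV4_RE.match(host):
            # Worm lures point at the previous victim's IP, not a registered name.
            reasons.append("bare IP address host")
        if reasons:
            hits.append((url, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for url, why in find_suspect_links(msg):
            print("SUSPECT %s (%s)" % (url, why))
```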

It looks as if bot writers are taking things to another level. Bots are malicious code that, when executed, look somewhere to get their instructions, typically an Internet Relay Chat (IRC) server. Like any protocol, IRC has rules about how to function. It appears now that bot developers are deploying their own custom-written IRC servers to give instructions to their bot-herds. It's believed this is being done to make it more difficult for others to eavesdrop on the bot instruction channel.

Hacking
On Nov. 3, a vulnerability in the way Internet Explorer handles IFRAME information was published, together with exploit code. On Nov. 8, variants of the MyDoom worm began to be released that exploit this vulnerability. See the Malicious Code section for more information. Patches are still unavailable, although Windows XP SP2 isn't vulnerable.

A buffer overflow was found in XChat, a graphical IRC client for Linux. Anyone using it to connect to a malicious SOCKS 5 proxy could be made to run code of the attacker's choice. A new version has been released.

Microsoft's "Patch Tuesday" was rather quiet this month, with only a single patch being released for ISA Server and Proxy Server (MS04-039). The vulnerability patched involved an interesting design choice. These proxies, when asked for a Web page for the first time, would do a forward DNS lookup -- for example, find the domain name record for the site, obtain from that its IP address (, then perform an inverse DNS lookup based on the IP address (e.g., look up 11 in

Subsequent lookups would be based on the inverse record. The inverse record should provide, but can actually provide any value it wants. As such, it's possible to convince ISA/Proxy Server that actually points to If exploited, the visitor would believe they were at, when in fact they were at
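The design flaw above, modelled on constructed zone data: an added example, not code from the column or from Microsoft, with the naive inverse-record caching beside a forward-confirmed version that only trusts a PTR name if it resolves back to the same address. The names and addresses are invented.

```python
# Constructed DNS data (documentation ranges); stands in for real lookups so this runs offline.
FORWARD = {                       # A records, controlled by each name's owner
    "bank.example.com": "192.0.2.10",
    "evil.example.net": "203.0.113.5",
}
REVERSE = {                       # PTR records, controlled by whoever owns the address
    "192.0.2.10": "bank.example.com",
    "203.0.113.5": "bank.example.com",   # the attacker's inverse record claims to be the bank
}


def resolve_a(name):
    return FORWARD.get(name)


def resolve_ptr(ip):
    return REVERSE.get(ip)


def naive_proxy_lookup(name, cache):
    """Behaviour the column describes: cache the address under the inverse record's name."""
    if name in cache:
        return cache[name]
    ip = resolve_a(name)
    if ip is None:
        return None
    key = resolve_ptr(ip) or name       # trusts the PTR outright
    cache[key] = ip
    return ip


def confirmed_proxy_lookup(name, cache):
    """Forward-confirmed reverse DNS: accept the PTR name only if it resolves back to the same IP."""
    if name in cache:
        return cache[name]
    ip = resolve_a(name)
    if ip is None:
        return None
    ptr = resolve_ptr(ip)
    key = ptr if ptr and resolve_a(ptr) == ip else name
    cache[key] = ip
    return ip
```

Visiting the attacker's site first through the naive proxy leaves the bank's name cached with the attacker's address; the confirmed version keys the entry by the requested name instead.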

Denial of Service
The U.K.'s National Infrastructure Security Co-ordination Center announced two vulnerabilities in DNS implementations by numerous vendors. The vulnerability could result in a Denial of Service attack.

Basically, a DNS client could request information from a DNS server, resulting in the client sending a second request. The second request would actually be a response, and so a response loop would be created. The two vulnerabilities are variations on this same theme. Curiously, Microsoft's DNS is not listed as being affected one way or another.
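The check that breaks such a loop, as an added example rather than the advisory's text: a DNS endpoint inspects the QR bit in the 12-byte header and never answers a packet that is itself a response, and a client accepts a response only for a query it actually sent. The packets are constructed here with only the header fields that matter.

```python
import struct

HEADER_FMT = "!HHHHHH"   # id, flags, qdcount, ancount, nscount, arcount
QR_BIT = 0x8000          # top bit of the flags word: 0 = query, 1 = response
RD_BIT = 0x0100


def build_header(txid, is_response, qdcount=1, ancount=0):
    """Constructed DNS header (no question/answer sections) for the demonstration."""
    flags = (QR_BIT if is_response else 0) | RD_BIT
    return struct.pack(HEADER_FMT, txid, flags, qdcount, ancount, 0, 0)


def parse_header(data):
    if len(data) < 12:
        raise ValueError("short DNS packet")
    txid, flags, qd, an, ns, ar = struct.unpack(HEADER_FMT, data[:12])
    return {"id": txid, "qr": 1 if flags & QR_BIT else 0, "qdcount": qd, "ancount": an}


def server_should_answer(data):
    """A server answers queries only; a packet with QR=1 is dropped, never replied to."""
    return parse_header(data)["qr"] == 0


def client_should_accept(data, pending_ids):
    """A client processes a response only when it matches an outstanding query ID,
    and treats nothing it receives as a fresh request to answer."""
    hdr = parse_header(data)
    return hdr["qr"] == 1 and hdr["id"] in pending_ids
```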

Human Factors
AOL announced Nov. 1 that it will be providing full anti-virus protection (from McAfee) for all its customers. They're doing this for free; they had previously been offering the service for a premium.

Let's hope this becomes the norm for ISPs. AOL and the National Cyber Security Alliance released a survey, just three days prior to the AOL announcement, describing a dismal state of affairs among home users and their systems. It may be easy to discount the survey as being self-serving, but we all know that attacks are being launched from unsuspecting home users. If comprehensive security becomes part of standard ISP offerings, we may finally begin to get a handle on many of our security woes.

The Department of Homeland Security finally dropped the Threat Advisory level to Yellow, or "Elevated," for New York City, northern New Jersey and Washington, DC. It had been at "High" since Aug. 1.

More university hacking announcements. It never ceases to amaze me how some institutions continue to believe they must have open, largely unprotected networks. The cesspools of the Internet are getting worse, and attacks are both more brazen and more profit-oriented. Among other effects, teachers and students lose their study work and course materials. One of these days that will cause enough grief to force admins at those schools to say "Enough!"

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
