New Malware Threat Emerging
BOFRA! Excuse me, but that was my Internet Explorer.
Several new MyDoom variants were released last week. The worst of these got a new name -- BOFRA
-- although it appears to be just another MyDoom variant. This one has the potential
to change the face of malware. It includes its own Web server, which serves
up a page that exploits the IE IFRAME buffer overflow described in the "Hacking" section.
The e-mail received by a victim contains some simple social engineering and a link
to the previous victim's system. Luckily, these variants haven't yet "gotten
legs," or taken off in any significant numbers.
The importance is this: Browser vulnerabilities may be plentiful, but exploiting
them typically requires a Web site. Any time malware has tried to use a Web
site to propagate, the site was quickly identified and taken down. If every
infected computer becomes another malicious Web site, it won't be possible to
take them all down. This definitely changes the landscape of browser vulnerabilities.
Take note that these MyDoom variants have been using port 1639, not the standard
HTTP port 80, for their Web server. That at least makes malicious links easier
to distinguish. Don't expect that to last, however.
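The non-standard port is the one cheap tell the column points out, and the other is that a link to the "last victim's system" points at a bare address rather than a hostname. The following is an added example, not code from the column or from any vendor: a small scanner that pulls URLs out of a message body and flags links on port 1639, on any other non-standard port, or to a literal IP. The sample message bodies are constructed and the addresses come from the reserved documentation ranges.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Port the column reports for the MyDoom/BOFRA built-in Web server.
WORM_PORTS = {1639}
STANDARD_PORTS = {80, 443}

URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)

# Constructed sample message bodies (not real mail); addresses are from the
# reserved documentation ranges 192.0.2.0/24 and 198.51.100.0/24.
SAMPLES = {
    "worm_like": "Hi, check this out: http://192.0.2.45:1639/ it is funny",
    "benign": "The advisory is on http://www.ntbugtraq.com/ for everyone.",
    "ip_nonstd": "see http://198.51.100.7:8080/index.html now",
}


def classify_url(url):
    """Return the reasons a URL looks like a page served by an infected host.

    An empty list means nothing suspicious was found.
    """
    reasons = []
    try:
        parts = urlsplit(url)
        host = parts.hostname
        port = parts.port  # None when the URL carries no explicit port
    except ValueError:  # e.g. a port outside 0-65535
        return ["unparseable-url"]
    if host is None:
        return ["no-host"]
    if port in WORM_PORTS:
        reasons.append("port-%d" % port)
    elif port is not None and port not in STANDARD_PORTS:
        reasons.append("non-standard-port")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a DNS name, not a literal address
    else:
        # A worm links straight to the previous victim's address; real sites
        # almost always have a name.
        reasons.append("ip-literal-host")
    return reasons


def suspicious_links(text):
    """Scan one message body; return (url, reasons) for every flagged link."""
    hits = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!)\"'")
        reasons = classify_url(url)
        if reasons:
            hits.append((url, reasons))
    return hits


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, suspicious_links(body))
```

The port check is the brittle part, exactly as the column warns: once a variant moves its server to port 80 the only remaining signal here is the IP-literal host, so treat the two reasons as independent rather than requiring both.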
It looks as if bot writers are taking things to another level. A bot
is malicious code that, when executed, looks somewhere for its instructions,
typically an Internet Relay Chat (IRC) server. Like
any protocol, IRC has rules about how it functions. It now appears that bot developers
are deploying their own custom-written IRC servers to give instructions to their
bot herds. It's believed this is being done to make it more difficult for others
to eavesdrop on the bot's command channel.
On Nov. 3, a vulnerability in the way Internet Explorer
handles IFRAME information was published, together
with exploit code. On Nov. 8, variants of the MyDoom
worm that exploit this vulnerability began appearing. See the Malicious
Code section for more information. Patches are still unavailable, although
Windows XP SP2 isn't vulnerable.
A buffer overflow was found in XChat, a graphical IRC client
for Linux. Anyone who connects to a malicious SOCKS-5 proxy with it
could be made to run code of the attacker's choice. A new version has been released.
Microsoft's "Patch Tuesday" was rather
quiet this month, with only a single patch being released, for ISA
Server and Proxy Server (MS04-039). The vulnerability
patched involved an interesting design choice. These proxies, when asked for
a Web page for the first time, would do a forward DNS lookup -- for example,
resolve www.ntbugtraq.com to its IP address (207.176.151.11) -- and then perform
an inverse DNS lookup on that address (that is, look up 11 in 151.176.207.in-addr.arpa).
Subsequent lookups would be based on the inverse record. The inverse record
should give back www.ntbugtraq.com, but
whoever controls the reverse zone can put any value there. As such, it's possible to convince
ISA/Proxy Server that 207.176.151.11 actually points to www.microsoft.com.
If exploited, the visitor would believe they were at www.microsoft.com
when in fact they were at www.ntbugtraq.com.
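The flaw is trusting a record that the target of the lookup controls. The following is an added illustration, not Microsoft's code or a description of what the MS04-039 patch actually changed: an offline model of a proxy that keys its name cache on the PTR record, next to one that applies forward-confirmed reverse DNS (accept the PTR name only if it resolves back to the same address). The zone data is constructed; 207.176.151.11 is the address behind the column's in-addr.arpa name, and 203.0.113.10 is an assumed documentation-range address standing in for www.microsoft.com.

```python
# Constructed, offline stand-in for the forward (A) and reverse (PTR) zones.
# 207.176.151.11 is the address the column's in-addr.arpa name corresponds to;
# 203.0.113.10 is an assumed documentation-range address for www.microsoft.com.
FORWARD = {
    "www.ntbugtraq.com.": "207.176.151.11",
    "www.microsoft.com.": "203.0.113.10",
}
REVERSE = {
    # Honest PTR record for Microsoft's (assumed) address.
    "10.113.0.203.in-addr.arpa.": "www.microsoft.com.",
    # Lying PTR record: the owner of the reverse zone claims its host is Microsoft.
    "11.151.176.207.in-addr.arpa.": "www.microsoft.com.",
}


def reverse_name(ip):
    """207.176.151.11 -> 11.151.176.207.in-addr.arpa. (the name queried for PTR)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def lookup_a(name):
    return FORWARD.get(name)


def lookup_ptr(ip):
    return REVERSE.get(reverse_name(ip))


class NaiveProxy:
    """Models the behaviour the column describes: the name in the PTR record
    becomes the cache key, so later requests for that name reuse the address."""

    def __init__(self):
        self.name_cache = {}

    def resolve(self, name):
        if name in self.name_cache:
            return self.name_cache[name]
        ip = lookup_a(name)
        if ip is None:
            return None
        ptr = lookup_ptr(ip) or name
        self.name_cache[ptr] = ip  # keyed on the inverse record, not the request
        return ip


class ConfirmedProxy(NaiveProxy):
    """Forward-confirmed reverse DNS: the PTR name is trusted only if it
    resolves back to the same address; otherwise the requested name is used."""

    def resolve(self, name):
        if name in self.name_cache:
            return self.name_cache[name]
        ip = lookup_a(name)
        if ip is None:
            return None
        ptr = lookup_ptr(ip)
        key = ptr if ptr is not None and lookup_a(ptr) == ip else name
        self.name_cache[key] = ip
        return ip


def where_does_microsoft_go(proxy_cls):
    """A user first visits www.ntbugtraq.com, then asks for www.microsoft.com."""
    proxy = proxy_cls()
    proxy.resolve("www.ntbugtraq.com.")
    return proxy.resolve("www.microsoft.com.")


if __name__ == "__main__":
    print("naive:    ", where_does_microsoft_go(NaiveProxy))
    print("confirmed:", where_does_microsoft_go(ConfirmedProxy))
```

With the naive cache the second user is sent to 207.176.151.11 while believing they reached www.microsoft.com; with forward confirmation the lying PTR record is ignored because www.microsoft.com does not resolve to that address.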
Denial of Service
The U.K.'s National Infrastructure Security Co-ordination
Centre (NISCC) announced two vulnerabilities in DNS
implementations from numerous vendors. Either could be used to mount a denial
of service attack.
Basically, a DNS message could be crafted so that a server answers it with a
message the recipient in turn answers. That second message is really a response,
not a request, but a vulnerable implementation replies to it anyway, and so a
response loop between the two servers is created. The two vulnerabilities
are variations on this same theme. Curiously, Microsoft's DNS is not listed
as being affected one way or the other.
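One concrete shape that loop can take, as an added illustration that is not taken from the NISCC advisory or from the column: the DNS header carries a QR bit that is clear on a query and set on a response, and a server that answers a packet without checking it can be paired with a second such server by one spoofed packet. The packets below are constructed; the two handlers are toy models, not any vendor's implementation.

```python
import struct

QR_BIT = 0x8000  # header flag: set when the message is a response, clear for a query


def build_header(msg_id, flags, qdcount=1, ancount=0):
    """12-byte DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT."""
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, ancount, 0, 0)


def build_question(name, qtype=1, qclass=1):
    """Wire-format question section for NAME, type A, class IN by default."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, qclass)


def is_response(packet):
    return bool(struct.unpack("!H", packet[2:4])[0] & QR_BIT)


def answer_anything(packet):
    """Vulnerable server: replies to every packet it receives, responses
    included, echoing the question back with QR set."""
    msg_id, flags = struct.unpack("!HH", packet[:4])
    return build_header(msg_id, flags | QR_BIT) + packet[12:]


def answer_queries_only(packet):
    """Fixed server: a message that is already a response gets no reply."""
    if is_response(packet):
        return None
    return answer_anything(packet)


def exchange(server_a, server_b, first_packet, max_hops=50):
    """Deliver FIRST_PACKET to server A, A's reply to B, B's reply to A, ...
    Stops when a server stays silent. Returns the number of deliveries made;
    reaching MAX_HOPS means the two servers would bounce packets forever."""
    servers = (server_a, server_b)
    packet, hops = first_packet, 0
    while packet is not None and hops < max_hops:
        packet = servers[hops % 2](packet)
        hops += 1
    return hops


# Constructed packets. The spoofed one is what an attacker would send to
# server A with server B's address forged as the UDP source.
QUERY = build_header(0x1234, 0x0100) + build_question("www.ntbugtraq.com")
SPOOFED_RESPONSE = build_header(0x1234, 0x8180) + build_question("www.ntbugtraq.com")


if __name__ == "__main__":
    print("vulnerable pair:", exchange(answer_anything, answer_anything, SPOOFED_RESPONSE))
    print("fixed pair:     ", exchange(answer_queries_only, answer_queries_only, SPOOFED_RESPONSE))
    print("normal query:   ", exchange(answer_queries_only, answer_queries_only, QUERY))
```

A single forged packet is enough to start the exchange between two vulnerable servers, and because DNS runs over UDP there is no handshake to stop it; the fixed handler drops the loop at the first hop while still answering an ordinary query.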
AOL announced Nov. 1 that it will be providing full
anti-virus protection (from McAfee) for all its customers.
They're doing this for free; they had previously been offering the service for
Let's hope this becomes the norm for ISPs. AOL and the National Cyber Security
Alliance released a survey, just three days prior to the AOL announcement, describing
a dismal state of affairs among home users and their systems. It may be easy
to discount the survey as being self-serving, but we all know that attacks are
being launched from unsuspecting home users. If comprehensive security becomes
part of standard ISP offerings, we may finally begin to get a handle on many
of our security woes.
The Department of Homeland Security finally dropped
the Threat Advisory level
to Yellow, or "Elevated," for New York City, northern New Jersey and
Washington, DC. It had been at "High" since Aug. 1.
More university hacking announcements. It never ceases
to amaze me how some institutions continue to believe they must have open, largely
unprotected networks. The cesspools of the Internet are getting worse, and attacks
are both more brazen and profit-oriented. Among other effects, teachers and
students lose the study work and course materials. One of these days that will
cause enough grief to force admins at those schools to say "Enough!"
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.