Security Watch
Malware Not Taking Hold
Heads shake as to why but nod to the results.
Malicious Code
W32.Maslan.A@mm is a new mass-mailing malware
that also happens to use RPC. It may account for the spike in RPC
traffic I saw, although most seem to believe it hasn't developed legs.
It's interesting to see how many new pieces of malware are not getting anywhere.
It's difficult to figure out why, as no single thing seems to account for it.
It would be nice to believe that home users are getting more savvy about suspicious
e-mails, but there's no reason—other than hope—to believe this is
the case.
The use of more and improved heuristics could explain the situation, as most
anti-virus products certainly are doing a better job of catching suspect stuff
via heuristics.
Heuristics, which vary by anti-virus
vendor, are intended to use artificial intelligence to look for
signs that something may be malware. Generally they're not simple
tests—for example, does a reference to the Filesystem Scripting
Object exist?—but instead elaborate test sequences that result in
an object being deemed unsafe. Once suspected, the object is then
treated like known malware. Most installations, however, don't turn
on heuristics by default.
ISPs are another possible contributor
to the trend. Numerous large ISPs, like AOL, EarthLink, Cablevision
and NetZero, have implemented more stringent security offerings for
their customers. As large segments of the home user market become
more protected, it stands to reason that malware won't spread as
much.
On the other hand, the significant increase in the volume of unique pieces
of malware should have made it more likely for some of it to make serious inroads.
This hasn't happened, and we're scratching our heads to figure out why. Let's
hope it lasts, whatever the reason.
Two new versions of cell-phone virus Cabir
were announced. Expect to see these become a more significant issue
next year, as there are significantly more cell-phones than PCs.
So far the limiter has been the fact that these viruses only spread
to one other phone each time the phone is turned on.
Hacking
Due to the way Apple has implemented Bash,
a shell used in Mac OS X, it's possible to create a local root exploit
if practically any Adobe product is installed. The Adobe products
install with scripts that are suid (Set User ID to) root, and don't
verify what they are processing, so you can use them to do pretty
much anything you want.
A rather annoying vulnerability has been found in the new Windows
XP SP2 popup blocker, which would allow a site to bypass
its capabilities. If popups continue to be a popular mechanism,
it wouldn't surprise me if we see sites switch to this new method.
It's not so much that the popup blocker is vulnerable, as it doesn't
attempt to prevent this new method from being used.
Denial of Service
Both Savvis and Level 3, two of the larger Internet Service Providers in the U.S.,
were cited as having some problems last Wednesday, with between
40 percent and 80 percent packet loss. There was some speculation
that it may have had something to do with a fire in Chicago.
I experienced a significant increase in TCP135
traffic around the same time. The spike I saw was about three times
higher than normal, with a corresponding drop in TCP139 and 445
traffic. TCP135 is the RPC End Point Mapper port, a historically
common port for worms. What I saw were attacks against random IP
addresses. The spike was seen by other monitor points also, but
no explanation has yet been made. We're watching for something new
using that port.
Privacy/Governance
The Peer-to-Peer program Imesh installs
a Web proxy from a company called Marketscore.
The Marketscore caching Web proxy is touted as being an Internet
accelerator. They also state "that we receive and gather additional
data about you to develop anonymous market research reports that
help Internet companies and others understand consumer preferences
and purchase dynamics." They say they strip all personal information.
The thing I'm troubled by is the fact that they install their own Trusted Root
Certificate. As such, they're able to monitor your SSL traffic. When you establish
a connection with an SSL site, such as your bank, with the Marketscore tool
installed, you actually trust the certificate of Marketscore, and not your bank.
They establish the SSL session to the bank between the Marketscore proxy and
the bank. This makes them privy to all the communications you believe are encrypted
between you and your choice of SSL sites.
In my opinion, this is a practice which shouldn't be tolerated by a piece of
software which is installed as part of another product's installation.
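The check below is an added example, not part of the original column or of any vendor's tooling. It shows how a defender could spot this kind of proxy: compare the root CA each SSL site's chain anchors to on the audited machine with what a clean machine sees, and flag a non-baseline root that replaces the real root for several unrelated sites. All host names, CA names and the two observation sets are constructed for illustration.

```python
from collections import defaultdict

# Roots shipped with the OS/browser (constructed names standing in for a real baseline).
BASELINE_ROOTS = {"Example Public Root A", "Example Public Root B"}

# Constructed observations: host -> root CA the presented chain anchors to.
# REFERENCE was taken from a clean machine, LOCAL from the machine being audited.
REFERENCE = {
    "bank.example": "Example Public Root A",
    "mail.example": "Example Public Root B",
    "shop.example": "Example Public Root A",
    "intranet.example": "Example Corp Internal Root",
}
LOCAL = {
    "bank.example": "Example Proxy Root",
    "mail.example": "Example Proxy Root",
    "shop.example": "Example Proxy Root",
    "intranet.example": "Example Corp Internal Root",
}

def audit_roots(local, reference, baseline, min_hosts=2):
    """Return {root: {"hosts": [...], "verdict": str}} for roots outside the baseline."""
    by_root = defaultdict(list)
    for host, root in local.items():
        if root not in baseline:
            by_root[root].append(host)
    report = {}
    for root, hosts in by_root.items():
        # Hosts whose chain anchors to a different root when seen from the clean machine.
        replaced = sorted(h for h in hosts if reference.get(h) not in (None, root))
        if len(replaced) >= min_hosts:
            verdict = "interception"   # one added root re-signing unrelated sites
        elif replaced:
            verdict = "mismatch"       # a single substituted chain, needs a closer look
        else:
            verdict = "unknown-root"   # same root from both vantage points, e.g. a private CA
        report[root] = {"hosts": replaced or sorted(hosts), "verdict": verdict}
    return report

if __name__ == "__main__":
    for root, info in audit_roots(LOCAL, REFERENCE, BASELINE_ROOTS).items():
        print(root, info["verdict"], ", ".join(info["hosts"]))
```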
Last week the U.S. Congress approved the Intelligence
Reform Bill. It now awaits approval by the president, although
there may be additional changes to it when the House reconvenes
next Jan. 4.
Among the potential outcomes from the bill is the possibility of
a National ID card for U.S. citizens.
If that happens, designating someone a terrorist becomes easier.
Once designated as a terrorist, there is no need for probable cause
or a warrant, and wire-tapping becomes easier. Some organizations,
like the ACLU, believe there are insufficient counter-checks to
ensure abuses don't occur. Under the Patriot Act, some ISPs and
companies have been forced to turn over computer equipment and backups
without being able to consult a lawyer. This bill is seen by some
as extending the powers of the Patriot Act, and making it more powerful.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.