Security Watch

Dutch Hackers Get Tap On Wrists

Also: BrightStor backup flaw patched; selling security online; TomTom offroaded by virus.

According to the Dutch courts, two individuals commandeered millions of computers via their Toxbot worm and used them in a botnet to steal credit card details and conduct DDoS blackmail against e-businesses. Despite the conviction, one man received a two-year sentence and a fine of 9,000 euros, and the other an 18-month sentence and a fine of 4,000 euros.

Somehow, the prosecution says they are pleased with the outcome of the trial, despite the fact that Dutch courts prevent the disclosure of the names of the individuals. Both individuals will be released, having already served sufficient time, according to the courts.

What is ridiculous is that the fine barely comes close to the financial harm these two have caused. Furthermore, either or both could be out tomorrow trying to get jobs in places where they’d have immediate access to computers again. What is to reassure the rest of us that they’ve been stopped? For all you know, they could be doing your company's penetration testing next week!

Something far more serious has to happen to get the government's attention to properly address these criminal acts.

BrightStor Backup Vulnerability
A proof-of-concept exploit has been published in both Python and Perl to exploit the vulnerability in CA BrightStor's ARCserve backup server products. The exploit attempts to attack the server via port 6503 and, if successful, sets up a listening service on port 4444. CA released patches in January.

The exploit can target Windows 2000 SP4 English and Italian, as well as Windows XP Pro RTM and SP1. This indicates that the vulnerability is language- and service pack-specific, and while someone may try to determine the specific codes required to make it work on other languages, chances are such a modification will not be published.

Backup vulnerabilities are extremely popular, particularly in universities and colleges. Expect this to now become part of the Swiss Army knife kits used by bots.

Harnessing the Web To Sell Online Security
Through the use of a suite of products from Sana Security, EarthLink is enhancing its security offerings that it provides to customers. An additional $3 per month gives customers access to a suite of heuristic controls that Sana calls “behavior-based intrusion detection,” which detects malware without signatures or scanning. The services are said to not impact the performance of systems, require no user interaction, and offer 100 percent remediation from exploit attempts.

Sana’s claims are certainly broad and bold. It claims to be able to detect anything that tries to do harm, and then completely removes everything it’s done. Interestingly, Sana doesn't recommend you dump your AV product, stating that AV is good at detecting known things while Sana is there to detect the unknown. It's unclear why that should make a difference to Sana -- if a known piece of malware is doing harm, it should be able to detect it. It appears it may have something to do with the way the Sana products detect the “bad” -- seems it may profile a clean system to determine what is “good,” and then look for things that step outside that profile. After reading all of Sana's literature, I still came away not understanding what the product could do, beyond the company's claims.

Want More Security?

This column was originally published in our weekly Security Watch newsletter. To subscribe, click here.

TomTom Shipped Viruses on its Navigation Devices
According to a statement from a TomTom communication “a small, isolated number of TomTom GO 910s, produced between September and November 2006, may be infected with a virus."

You have to love this quote from TomTom: “Appropriate actions have been taken to make sure this is prevented from happening again in the future."

What possible appropriate actions could be taken that shouldn’t have been taken before? Presumably, the infections occurred during Q&A testing prior to boxing the new units. Either that or there was a failure in the image validation process and they were infected when they were manufactured, an even worse possibility. Either way, how could the company allow boxes used to test these devices to be connected to a network where a virus might enter?

The ZDNet story says that TomTom put a statement on its Web site and provided a link to that statement. Unfortunately, it seems TomTom has taken the statement down. Perhaps it realized how dumb it sounded by underplaying the issue. Trying to search TomTom's online help proved futile. Searching for "virus" or "copy.exe" turned up nothing.

This may be a sign of things to come as more and more vendors who have traditionally thought of their devices as independent become connectable. Any malware which enumerates drives and spreads to all files it finds will find TomTom’s drive, or any similarly connected device such as a camera or iPod.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq,, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.

comments powered by Disqus
Most   Popular