Security Watch

Everyone Is Fair Game in Storm Worm Attacks

Plus: A worm solution in search of a problem; spotty Sun Telnet; more

• By Russ Cooper
• 03/19/2007

• http://www.secureworks.com/research/threats/storm-worm
• http://blog.trendmicro.com/worm-war-ii3a-nuwar-vs-stration3f/

Interesting write-up and worth the read. Joe Stewart, the analysis' author, points out that spammers are getting bolder. They've no scruples about attacking anyone who seems to be interfering with their crimes, going after legitimate companies as well as criminals like themselves. Unless some action is taken, this will become a standard component in all malware, and networks will begin to feel constant pain.

Penn State Researchers Develop New Worm-Stopping Technology
Researchers at Penn State have developed what they call Proactive Worm Containment (PWC) as a signature-less way of quarantining systems which have been infected with certain types of worms. The concept is based on looking for high packet-rate processes and determining whether they are legitimate or the effects of a worm. They say they can dramatically reduce the time it takes to mitigate against a given worm outbreak.

This would have been an interesting idea if it had been developed four years ago, back when worms were massively exploiting the world at large. Unfortunately, today, such attacks are extremely rare and counterproductive for the criminals perpetrating them.

Furthermore, the researchers claim they can detect such a worm and stop it so quickly "that only a few dozen infected packets may be sent out to other networks before PWC can quarantine the attack." This would be wonderful if those few dozen packets each carry the potential to cause another system to do the same. SQL Slammer, for example, only needed a few dozen packets to be able to infect a few dozen systems, whereupon each would do the same, exponentially increasing the worm's effect. Even if PWC were in place on all systems, Slammer would still have had as significant an impact as it did in terms of the number of systems it affected. It may not have had the bandwidth consumption characteristics it did, but if it were installing a rootkit instead of merely trying to spread, millions of systems would still have gotten the rootkit.

Unfortunately, the researchers have come up with a solution to a problem we no longer have.

Sun Spots Solaris Vulnerability in Telnetd
Sun Solaris 10 Telnetd can have its authentication bypassed completely, allowing a remote unauthorized criminal to connect as any user recognized by Telnetd as being able to log on. In the default configuration, this does not include root, but root may have been added after the default installation. Patches are available.

Clearly a critical vulnerability if you haven't removed Telnetd. If you must have Telnet, then make sure that you've minimized which accounts can connect, and then apply this patch within the next 30 days.

Cisco IOS: SIP Opens Up to DoS Problems
If a Cisco device is listening on either TCP or UDP 5060, the Session Initiated Protocol (SIP) port, it could be subjected to a DoS due to a vulnerability. Typically, SIP is enabled when the device handles voice traffic, but it may also be enabled even if the device is not. That's because some versions of IOS incorrectly open the SIP ports with a listening service by default. Here are the relevant link details:

• http://www.cisco.com/en/US/products/
  products_security_advisory09186a00807d3715.shtml
• http://www.cisco.com/en/US/products/
  products_security_advisory09186a00807e2484.shtml
• http://www.kb.cert.org/vuls/id/438176

Verify that these ports are not opened if they are not required. Ideally, specifically ACL them to reject connection attempts, in addition to ensuring there is no listening service. If SIP is required, then apply the patch. Note that Cisco Firewall Services Module, PIX Appliances and ASA Appliances are also vulnerable to this SIP issue.