
Expert Comment

September 2003

August's child is a virus writer

Dr. E. Eugene Schultz, University of California-Berkeley Lab,
editor-in-chief Computers & Security

Blaster, Bugbear.B, Sobig.E, Sobig.F, and MiMail have already caused many problems for organizations around the world; more trouble is undoubtedly in store.

Infections by these worms are a particular concern in that they can lead to compromise of private and sensitive information, possibly resulting in violations of privacy protection and other laws.

Many organizations have, unfortunately, overlooked the threat of virus and worm-related privacy compromise, focusing instead on threats due to unauthorized access by insiders and outsiders.

These organizations would do well to reassess privacy-related risks and threats due to virus and worm infections and to adopt appropriate countermeasures.

Organizations that use “pushed updates” of anti-virus software and deploy virus walls will continue to fare considerably better against virus and worm infections than others. User education, too, does some good, but apparently not enough.

Strangely enough, about a year ago there was a significant lull in virus and worm activity. Many, myself included, hoped this lull was a trend, but we were in fact very, very wrong.

Blaster

On August 11, the long-awaited and much-predicted worm that exploited a critical vulnerability in the remote procedure call (RPC) protocol in Windows 2000 and XP systems started spreading rapidly on the Internet.

Among its many names are “MSBlaster”, “Blaster”, “LovSan”, “W32/Lovsan”, and “W32.Blaster”. This worm has caused many systems to crash; it slowed many others and filled networks with traffic to the point where they became unusable.

US Universities such as Stanford University and the University of North Carolina at Chapel Hill were particularly hard hit, with thousands of machines becoming infected.

Banks, hospitals, and government agencies also experienced outages and disruption.

Various Blaster variants, one of which attempts to clean Blaster infections and patch the RPC vulnerability that Blaster exploits, surfaced soon after Blaster was originally released.

Symantec estimates that one and a half million systems have become infected by this worm and its variants (such as MSBlaster.B).

Although different versions of Blaster work differently, they all write the Blaster code into a vulnerable machine's system folder, add a Registry entry that causes Blaster to start whenever the infected system reboots, and scan other systems to discover other vulnerable machines to attack.

Sobig

The Sobig.F worm emerged several days after Blaster. Sobig.F, a mail-borne worm that targets Windows systems, arrives as a mail attachment with a subject line such as “Re: details”, “Re: Re: My details”, “Re: Approved”, “Re: Your application”, “Re: Thank you!”, or “Thank you!”

The attachment is named “application.zip”, “details.zip”, “document_all.zip”, “document_9446.zip”, “movie0045.zip”, “thank_you.zip”, “wicked_scr.zip”, “your_details.zip”, or “your_document.zip”. If the recipient opens the attachment and that person's system is not running up-to-date anti-virus software, the system becomes infected.
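The subject lines and attachment names listed above are the only indicators the article gives for Sobig.F, and they are enough for a simple mail-gateway check. The following Python is an added example, not code from the article or from any product it mentions; the sample messages it builds are constructed, and the "quarantine / review / pass" verdict scheme is an assumption about how a site might want to act on one indicator versus both (a subject such as “Re: Approved” is plausible on legitimate mail by itself).

```python
"""Mail-gateway check for the Sobig.F lures described in the article.

Added example, not part of the original Compsec article. The subject lines
and attachment names are the ones the article lists; the sample messages
are constructed here for illustration.
"""
import email
from email import policy
from email.message import EmailMessage

# Subject lines the article reports Sobig.F using. Compared after trimming
# whitespace and lower-casing.
SOBIG_F_SUBJECTS = {
    "re: details", "re: re: my details", "re: approved",
    "re: your application", "re: thank you!", "thank you!",
}

# Attachment names the article reports Sobig.F using.
SOBIG_F_ATTACHMENTS = {
    "application.zip", "details.zip", "document_all.zip", "document_9446.zip",
    "movie0045.zip", "thank_you.zip", "wicked_scr.zip", "your_details.zip",
    "your_document.zip",
}


def attachment_names(msg):
    """Return the lower-cased file names of every MIME part that carries one."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name.strip().lower())
    return names


def classify(raw: bytes) -> dict:
    """Classify one raw RFC 822 message against the Sobig.F indicators.

    Verdict scheme (assumption, not from the article):
      both subject and attachment match -> "quarantine"
      only one of them matches          -> "review"
      neither                           -> "pass"
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip().lower()
    names = attachment_names(msg)
    subject_hit = subject in SOBIG_F_SUBJECTS
    attach_hits = [n for n in names if n in SOBIG_F_ATTACHMENTS]
    if subject_hit and attach_hits:
        verdict = "quarantine"
    elif subject_hit or attach_hits:
        verdict = "review"
    else:
        verdict = "pass"
    return {
        "verdict": verdict,
        "subject_hit": subject_hit,
        "attachment_hits": attach_hits,
    }


def build_sample(subject: str, attachment_name: str = None,
                 body: str = "Please see the attached file.") -> bytes:
    """Construct a test message (constructed data; addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"   # Sobig.F forges this field anyway
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # A few placeholder bytes stand in for the worm's ZIP payload.
        msg.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                           subtype="zip", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, att in [("Re: Details", "your_document.zip"),
                      ("Re: Approved", None),
                      ("Lunch tomorrow?", "agenda.zip")]:
        print(subj, att, "->", classify(build_sample(subj, att))["verdict"])
```

Exact-match lists like this catch only the variant the article describes; a gateway that also blocks or detonates ZIP attachments wholesale, combined with the pushed anti-virus updates the article recommends, is what actually closes the window for the next variant.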

Like Blaster, Sobig.F adds an entry to the infected system's Registry to cause an infected system to start the worm whenever the system boots.

Most significantly, however, Sobig.F creates its own mail engine that sends a plethora of mail with infected attachments to addresses it harvests from infected systems' address books and other files, and it uses those same harvested addresses to forge the apparent sender.

Sobig.F has created a huge spam problem because of all the messages it generates and has also confused the user community, which has had a difficult time understanding why messages that they did not create were apparently sent (and often returned for some reason) by them.

Its sibling, Sobig.E, has also been doing mischief.

Sending itself from a spoofed address (support@yahoo.com), Sobig.E entices Windows users to open infected attachments by subject lines that appear very credible, such as “Re. Submitted” and “movie.zip”. It also tries to connect to open (unprotected) shares.

Once inside a system, this worm modifies the Registry of each system it infects to cause it to start every time the system boots and also tries to download and run arbitrary files, making this worm able to capture sensitive system information and also to create spam relay servers on infected systems. Additionally, this version of Sobig has a self-update feature that informs Sobig.E’s author of each system that has been infected.
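Blaster, Sobig.F and Sobig.E all persist the same way, by adding a Registry entry that starts the worm at each boot, and Blaster in particular drops its code into the system folder. Comparing a fresh dump of the Run key against a known-good baseline is one inexpensive way to spot that pattern across a fleet. The following Python is an added example, not code from the article; the two `reg query` dumps are constructed, and the entry and file names in them are placeholders rather than the worms' real ones. The parser assumes the standard `reg query` layout (value name, REG_* type, data, separated by runs of spaces), and "system folder" is taken to mean a path containing `\system32\` or `\system\`.

```python
"""Baseline check of Windows Run-key autostart entries.

Added example, not from the article. It compares a fresh `reg query` dump
of the Run key against a previously saved baseline and flags (a) any entry
that is new or changed and (b) any new entry whose command launches a
program from the system folder, the persistence pattern the article
attributes to Blaster and Sobig. The dumps are constructed; the names are
placeholders.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# One value line of `reg query` output: name, REG_* type, data, each
# separated by at least two spaces. Value names may themselves contain
# single spaces, hence the non-greedy name group.
_VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*?)\s*$")

# Constructed baseline taken on a clean machine (placeholder entries).
BASELINE_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    AVAgent    REG_SZ    "C:\Program Files\ExampleAV\agent.exe" /tray
    SoundTray    REG_SZ    C:\WINDOWS\system32\soundtray.exe
"""

# Constructed dump from the same machine later; the third entry is the
# kind of addition a worm would make (placeholder file name).
CURRENT_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    AVAgent    REG_SZ    "C:\Program Files\ExampleAV\agent.exe" /tray
    SoundTray    REG_SZ    C:\WINDOWS\system32\soundtray.exe
    Example Updater    REG_SZ    C:\WINDOWS\system32\placeholder_worm.exe
"""


def parse_reg_query(text: str) -> dict:
    """Return {value_name: command} for every value line in a reg query dump."""
    entries = {}
    for line in text.splitlines():
        m = _VALUE_LINE.match(line)
        if m:
            name, _reg_type, data = m.groups()
            entries[name] = data
    return entries


def executable_path(command: str) -> str:
    """Extract the program path from a Run-key command string.

    Quoted paths are read up to the closing quote; unquoted ones up to the
    first space (an unquoted path containing spaces is therefore truncated,
    which is a known limitation of this simple parser).
    """
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def in_system_folder(command: str) -> bool:
    """True if the launched program lives under the Windows system folder."""
    path = executable_path(command).lower()
    return "\\system32\\" in path or "\\system\\" in path


def diff_autoruns(baseline_text: str, current_text: str) -> list:
    """Return (name, command, reason, severity) for entries that differ from baseline."""
    base = parse_reg_query(baseline_text)
    cur = parse_reg_query(current_text)
    findings = []
    for name, cmd in cur.items():
        if name not in base:
            severity = "high" if in_system_folder(cmd) else "medium"
            findings.append((name, cmd, "new entry", severity))
        elif base[name] != cmd:
            findings.append((name, cmd, "command changed", "medium"))
    return findings


if __name__ == "__main__":
    for name, cmd, reason, severity in diff_autoruns(BASELINE_DUMP, CURRENT_DUMP):
        print(f"[{severity}] {reason}: {name} -> {cmd}")
```

In practice the baseline would be captured per image at build time and the current dump collected with `reg query` over a management channel; the script also does not look at the HKEY_CURRENT_USER Run key or the RunOnce keys, which a fuller check would include.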