Every year I try to summarize the previous twelve months and speculate about the coming twelve.
I'm usually right about the previous year. It's difficult to predict new types of threat. For example Code Red,
which rewrote the rules for modern worms, took everyone by surprise. It is reasonable to look at the previous
year's virus activities, the changes and adoption of new technology, and then make some educated guesses about the
next twelve months' virus activity.
Having just attended the annual AVAR Conference (see report below) and spent a lot of time listening and talking
to many people in the industry, I think it's safe to say that we'll see more of the same types of threats. This
means many more Win32 worms and viruses using traditional virus-like techniques integrated with vulnerability exploits
and DoS 'features'.
There may well be a rapid adoption of wireless networking, and if there is, we will see vulnerabilities exposed and
exploited. I'll repeat what I've said many times: if you want to use wireless, run a VPN (Virtual Private
Network) over it to secure the data, or use applications that have data encryption built in.
One other prediction I have is that Microsoft will, by the end of the year, have made substantial moves towards
securing many of their operating systems and software application platforms. Products like Windows, Internet Information
Server (IIS), Internet Explorer (IE), Outlook and Outlook Express will all be more secure, either in anticipation
of or as a result of new vulnerabilities being discovered.
We usually list the year's most common, or top ten, threats. This year we have some worldwide statistics on some
of the more prevalent threats that appeared, and then a look at those threats in the Asia Pacific region. Finally
we'll focus on one particular country, Australia. We will be posting a global and regional top ten list for 2001
on our web site soon.
For those celebrating Christmas and the New Year, we wish you happy holidays and season's greetings until the next
newsletter, January 2002. Finally I'd like to thank the editorial team here in Sydney, Australia, the web publishing
team in California, the localization teams in South America, Asia Pacific and Europe, and all those who contributed
to the Symantec Security Response Newsletter in 2001.
Best Regards
David Banes.
Editor, securitynews@symantec.com
Reported Numbers* of Some of the Common Threats in 2001

Threat                                    | Worldwide | APAC | Australia
------------------------------------------|-----------|------|----------
W32.Goner.A@mm                            |      1352 |   40 |        12

W32.Sircam.Worm@mm                        |     42946 | 3143 |       568

W32.Magistr.39921@mm                      |     20530 | 1180 |       370
W32.Magistr.24876@mm                      |     13791 | 1520 |       265
W32.Magistr.corrupt                       |      7126 |  548 |       125
Total (Magistr)                           |     41447 | 3248 |       760

W32.Nimda.enc                             |      7285 |  693 |        48
W32.Nimda.A@mm (html)                     |      5606 |  193 |        36
W32.Nimda.A@mm (dr)                       |      5280 |  420 |        26
W32.Nimda.A@mm (dll)                      |      4917 |  532 |        32
W32.Nimda.enc (dr)                        |      3977 |   56 |        12
W32.Nimda.A@mm                            |      1328 |   66 |        22
W32.Nimda.E@mm (dr)                       |      1184 |  145 |         9
W32.Nimda.E@mm                            |      1082 |   84 |         5
Total (Nimda)                             |     30659 | 2189 |       190

W32.Badtrans.B@mm                         |     24791 | 1220 |       499
W32.Badtrans.13312@mm                     |      3482 |  548 |        48
W32.Badtrans@mm.enc                       |       838 |   32 |        23
Total (Badtrans)                          |     29111 | 1800 |       570

Trojan.VirtualRoot (dropped by CodeRedII) |      3011 |  362 |        25
CodeRed Worm                              |       709 |   43 |         3
Total (CodeRed)                           |      3720 |  405 |        28

W32.Aliz.Worm                             |      3693 |   77 |        17
VBS.SST@mm                                |      2312 |   89 |         0
Backdoor.Sadmind.Dr                       |      1419 |  156 |         7
W32.Naked@mm                              |        17 |    0 |         0

*Reported to Symantec Security Response via the Digital Immune System during 2001
Association of anti Virus Asia Researchers (AVAR) 2001 Conference Report
There were about 120 delegates for this year's conference held in Hong Kong. That was fewer than last year in Japan, but a good number
considering the difference in market sizes. There was a noticeable presence from Chinese and Japanese Police and
government security organizations, as well as interest from vendors and journalists from all parts of the globe.
The opening keynote speech from Bontchev was very interesting. He advocated more anti-virus researcher training
and greater cooperation between researchers. AVAR's theme for the conference was education, and the organization
took the opportunity to announce the intention to launch a global anti-virus certification scheme called AVI -
Anti-Virus Institute. AVAR plan to offer several levels of certification from Engineer to Researcher. If you would
like more information please contact an AVAR member in your region; a members list is available at http://www.aavar.org/.
Trend Micro's Eva Chen gave the Day 2 keynote speech, which was very candid about the current and new threats and the industry's ability
to maintain levels of protection and rapid response times. She was stating very publicly what many of us inside
the industry have been saying to each other: we are all concerned about a worrying trend of more complicated,
more frequent attacks to deal with.
Jan Hruska covered the controversial topic of creating viruses using virus construction toolkits for the sole purpose
of testing that your anti-virus product does actually detect samples generated by these toolkits. Of course you
then delete the samples. There are very good arguments for both sides of this discussion, and they will no doubt
be continuing until next year's conference, to be held in Seoul, South Korea.
David Banes
Vice President, AVAR.
Viruses, Worms & Trojans

W32.Goner.A@mm | High [4] | Win32
W32.Goner.A@mm is a mass-mailing worm written in Visual Basic. The worm has been compressed
using a known Portable Executable (PE) file compressor. It can spread using the ICQ network
as well as by email using Microsoft Outlook. If IRC is installed, this worm can also insert mIRC scripts that
enable the computer to be used in Denial of Service (DoS) attacks. The IRC channel used for controlling the worm
is currently blocked, preventing this functionality.
Removal Tool
Symantec Security Response has posted a removal tool to assist in eradicating this worm. Please go to the page
below to read the instructions and download the removal tool.
http://securityresponse.symantec.com/avcenter/venc/data/w32.goner.a@mm.html
Neal Hindocha
Symantec Security Response, EMEA
W32.Badtrans.B@mm | Medium [3] | Win32
W32.Badtrans.B@mm is a MAPI worm that emails itself out using different file names. It also
creates the file \Windows\System\Kdll.dll. It uses functions from this file to log keystrokes.
http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html
Peter Ferrie
Symantec Security Response, APAC
W32.Updater.gen@mm | Low [2] | Win32
W32.Updater.gen@mm is a simple mass-mailing worm. It sends itself to all recipients in an affected
user's Microsoft Outlook address book. It also creates a script that propagates itself to all local and network
mapped drives.
http://securityresponse.symantec.com/avcenter/venc/data/w32.updater.gen@mm.html
Douglas Knowles
Symantec Security Response, USA
W32.Zacker@mm | Low [2] | Win32
W32.Zacker@mm is a mass-mailing worm. When executed, it mails itself to all recipients in your address book
as the attachment LucKey.exe, and copies itself to the hard drive as \Windows\Luckey.exe and
\Windows\System\Dallah.exe. Finally, it creates many copies of itself under the following file names:
Sharoon ####.exe
Bush ####.exe
ZA-Union ####.exe
BinLadin ####.exe
where #### is a number from 1 to 9999.
http://www.sarc.com/avcenter/venc/data/w32.zacker@mm.html
Douglas Knowles
Symantec Security Response, USA
Security Advisories
Enterprise Security News Clips
VISIT THE SYMANTEC ENTERPRISE SECURITY WEB SITE
http://enterprisesecurity.symantec.com/
Recent Enterprise Security News headlines include:
Arrested 'Goner' Creators Left Obvious Online Trail;
Newsbytes
http://enterprisesecurity.symantec.com/content.cfm?articleid=968
Record-Breaking Year for Security Incidents Expected;
Computerworld
http://enterprisesecurity.symantec.com/content.cfm?articleid=954
Cybercrime Pact to Target Terrorists;
Agence France Presse
http://enterprisesecurity.symantec.com/content.cfm?articleid=953
Get the latest Enterprise Security News delivered straight to your inbox. Register for Symantec's free Enterprise
Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm
Vulnerability & Exploit News

Living with Intrusion Detection Systems (IDS).
Intrusion Detection systems have a widespread impact on an organization. If ever there was a
technology where the cost of ownership ought to be calculated before purchase, it is Intrusion Detection.
The options available to organizations have defaulted into two methodologies: detection at the host and detection on the
network. Both types of technology have their own strengths and weaknesses; on paper, network based would seem to
be a good option.
One agent is able to monitor multiple devices, it is invisible to users, it can respond in real time, and it captures
events unbeknown to the instigators of the unauthorized action. Even in a demonstration environment, network based
intrusion detection looks great: the customer is invited to use the latest and greatest vulnerability scanner
to launch attacks, only to see the network based IDS raise the alarms with pagers, SNMP alerts, emails and TCP
resets.
In reality, network based intrusion detection is quite a different proposition. Firstly, its effectiveness
relies on a number of things beyond the ability to see and respond to a packet, which
in today's encrypted and switched networks is not always easy to do. It is then bound by four criteria:
1. The speed of the network,
2. The utilization of that network,
3. The number of devices protected on that network,
4. The number of symptoms of intrusion scanned for.
All of these impact one another, so the higher one criterion is, the lower the others need to be. The other unfortunate
problem here is that network based intrusion detection doesn't help you calculate these criteria. It doesn't
tell you when it's too busy to cope with the amount of traffic and is letting unchecked packets through, and it doesn't help
you choose which signatures are relevant to the devices it is protecting. In fact, you might as well have left your own
and everyone else's heads firmly in the sand if, after the purchase of IDS, you are still not able to guarantee that
all packets are scanned for all relevant symptoms of intrusion. Surely this was the justification for purchasing
IDS in the first place. The other issue that plagues the majority of network based intrusion detection is that
the alarms which so impressed everyone during the demonstration continue, wrongly so, in the production environment.
False positives are one of the main issues with static signature based Intrusion Detection Systems.
Host based has different attributes. Firstly, the host agent has to support the host on which it will reside;
many companies have sensitive information on Netware, Unix, Linux and Windows platforms, and host based IDS needs to support
each platform to be useful. Secondly, there is the process of installing the agent software on each device, which
can take time if the environment does not support remote installation. After installation the agent is able to
monitor user activity, file changes, and application, registry and operating system logs, again for symptoms of intrusion.
Host based offers a scalable financial investment, as you only pay for the hosts you want to monitor. As it resides
on the host, it is unaffected by encrypted traffic or network topology, and it is also able to verify attacks before alerting,
which supports a scaled incident response. For example, your organization would respond differently if a response
of the 200 type rather than the 400 type were returned by your web server following a request for cmd.exe/c+dir arriving at it.
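The 200-type versus 400-type distinction is exactly what a host agent can act on, because it reads the web server's own log and sees what the server actually answered. The script below is an added example, not code from the newsletter or from Symantec, that runs that triage over a few constructed IIS-style (W3C extended format) log lines: requests naming cmd.exe or default.ida (assumed here to be the symptoms the agent is configured with) are flagged, and the HTTP status decides the response tier. The log layout, field names, sample addresses and the two patterns are assumptions for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample of IIS W3C extended log lines (assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status). Not real data.
SAMPLE_LOG = """\
2001-12-10 09:15:02 192.0.2.10 GET /scripts/cmd.exe /c+dir 200
2001-12-10 09:15:03 192.0.2.10 GET /msadc/cmd.exe /c+dir 404
2001-12-10 09:15:05 192.0.2.11 GET /default.ida NNNNNNNN 400
2001-12-10 09:16:00 198.51.100.7 GET /index.html - 200
2001-12-10 09:16:30 192.0.2.12 GET /scripts/cmd%2Eexe /c+dir 403
"""

# Assumed symptoms of intrusion the agent looks for in web requests:
# the cmd.exe request from the article and the default.ida request
# associated with Code Red. Case-insensitive, matched after URL decoding.
SUSPICIOUS_PATTERNS = [
    re.compile(r"cmd\.exe", re.I),
    re.compile(r"default\.ida", re.I),
]

LOG_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)


def classify_status(status):
    """Map the HTTP status to a response tier, following the article's
    200-type versus 400-type distinction."""
    if 200 <= status < 300:
        return "served"    # the server answered the request: treat as a probable compromise
    if 400 <= status < 600:
        return "rejected"  # the server refused or failed: an attempt, confirm the patch level
    return "other"


def scan_log(text):
    """Return one finding per log line whose request matches a suspicious pattern."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skipped here, a real agent would count these
        raw = m["stem"] + "?" + m["query"]
        # Decode percent-encoding once so cmd%2Eexe is seen as cmd.exe.
        if not any(p.search(unquote(raw)) for p in SUSPICIOUS_PATTERNS):
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "request": raw,
            "status": status,
            "tier": classify_status(status),
        })
    return findings


def summarize(findings):
    """Count findings per tier so the 'served' ones can be escalated first."""
    counts = {"served": 0, "rejected": 0, "other": 0}
    for f in findings:
        counts[f["tier"]] += 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['tier']:8} {f['status']} {f['ip']:14} {f['request']}")
    print(summarize(hits))
```

Only the first sample line lands in the "served" tier, which is the one that warrants the full incident response; the 404, 400 and 403 lines record attempts the server turned away, and are worth confirming against patch level rather than paging anyone. A network sensor that only sees the request, or only sees ciphertext, cannot make this split.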
Host based or network based is not a choice you need to make when selecting IDS; unfortunately, security incidents
are almost always caused by methods that are not solely detected by one or the other form of Intrusion Detection.
Effective intrusion detection requires the use of both technologies.
The critical success factors in achieving effective intrusion detection are:
1. Have an incident management and response policy and capability. Intrusion detection will alert you to symptoms
of intrusion; it is up to you to investigate and restore. Costing a 3rd party specialist for incident management
and response will give you a much better understanding of the cost of ownership.
2. Plan the deployment carefully: select network monitoring points, and share the load between network agents and between
network and host agents.
3. Select countermeasures and an escalation procedure. Decide how and when the IDS technology will integrate with the
incident management and response plan, keep the agents optimized with the latest updates, and monitor effectiveness
against policy, making changes as required.
Andy Norton
Product Manager, Symantec Asia Pacific
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails please).
Follow this link to subscribe or unsubscribe: http://securityresponse.symantec.com/avcenter/newsletter.html
Send virus samples to: avsubmit@symantec.com
Disclaimer - THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.
This message contains Symantec Corporation's current view of the topics discussed as of the date of this document.
The information contained in this message is provided "as is" without warranty of any kind, either expressed
or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose,
and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document.
This document may not be distributed for profit.
Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products
are trademarks of their respective holder(s). (c) Copyright 2001 Symantec Corporation. All rights reserved. Materials
may not be published in other documents without the express, written permission of Symantec Corporation.