Symantec Security Response

ISSN 1444-9994

December 2001 Newsletter

These are the most common viruses, Trojans and worms reported to Symantec Security Response during the last month.

Top Global Threats
W32.Badtrans.B@mm
JS.Exception.Exploit
W95.Hybris.worm
W32.Magistr.39921@mm
W32.Sircam.Worm@mm
W32.Nimda.A@mm
W32.Aliz.Worm
VBS.Haptime.A@mm
Trojan Horse
W32.Magistr.24876@mm


Asia Pacific
JS.Exception.Exploit
W32.Badtrans.B@mm
W32.Magistr.39921@mm
W95.Hybris.worm
W32.Sircam.Worm@mm
W32.Nimda.A@mm
VBS.Haptime.A@mm
W32.Klez.A@mm
W95.MTX
Trojan Horse

Europe, Middle East & Africa
W32.Badtrans.B@mm
JS.Exception.Exploit
W95.Hybris
W32.Magistr.39921@mm
W32.Nimda.A@mm
W32.Sircam.Worm@mm
W32.Aliz.Worm
VBS.Haptime.A@mm
Trojan Horse
W95.MTX


Japan
W32.Badtrans.B@mm
W32.Aliz.Worm
W95.Hybris
JS.Exception.Exploit
W32.Sircam.Worm@mm
W32.Nimda.A@mm
W32.Klez.A@mm
W95.MTX
Trojan Horse
W32.HLLW.Bymer


The Americas
W95.Hybris
JS.Exception.Exploit
W32.Sircam.Worm@mm
W32.Magistr.39921@mm
Backdoor.Trojan
W32.Magistr.24876@mm
VBS.Haptime.A@mm
W32.Annoying.Worm
W32.HLLW.Hai
W32.Nimda.A@mm




Every year I try and summarize the previous twelve months and speculate about the coming twelve. I'm usually right about the previous year. It's difficult to predict new types of threat. For example, Code Red, which re-wrote the rules about modern worms, took everyone by surprise. It is reasonable to look at the previous year's virus activities, the changes and adoption of new technology, and then make some educated guesses about the next twelve months' virus activity.

Having just attended the annual AVAR Conference (see report below) and spent a lot of time listening and talking to many people in the industry, I think it's safe to say that we'll see more of the same types of threats. This means many more Win32 worms and viruses using traditional virus-like techniques integrated with vulnerability exploits and DoS 'features'.

There may well be a rapid adoption of wireless networking and, if there is, we will see vulnerabilities exposed and exploited. I'll repeat what I've said many times, that is, if you want to use wireless, run a VPN (Virtual Private Network) over it to secure the data or use applications that have data encryption built in.

One other prediction I have is that Microsoft will, by the end of the year, have made substantial moves towards securing many of their operating systems and software application platforms. Products like Windows, Internet Information Server (IIS), Internet Explorer (IE), Outlook and Outlook Express will all be more secure, either in anticipation of or as a result of new vulnerabilities being discovered.

We usually list the year's most common, or top ten, threats. This year we have some worldwide statistics on some of the more prevalent threats that appeared and then a look at those threats in the Asia Pacific region. Finally, we'll focus on one particular country, Australia. We will be posting a global and regional top ten list for 2001 on our web site soon.

For those celebrating Christmas and the New Year, we wish you happy holidays and season's greetings until the next newsletter, in January 2002. Finally, I'd like to thank the editorial team here in Sydney, Australia, the web publishing team in California, the localization teams in South America, Asia Pacific and Europe, and all those who contributed to the Symantec Security Response Newsletter in 2001.

Best Regards

David Banes.
Editor, securitynews@symantec.com

Reported Numbers* of Some of the Common Threats in 2001

Threat                                     Worldwide    APAC  Australia
-----------------------------------------------------------------------
W32.Goner.A@mm                                  1352      40         12

W32.Sircam.Worm@mm                             42946    3143        568

W32.Magistr.39921@mm                           20530    1180        370
W32.Magistr.24876@mm                           13791    1520        265
W32.Magistr.corrupt                             7126     548        125
  Total (Magistr)                              41447    3248        760

W32.Nimda.enc                                   7285     693         48
W32.Nimda.A@mm (html)                           5606     193         36
W32.Nimda.A@mm (dr)                             5280     420         26
W32.Nimda.A@mm (dll)                            4917     532         32
W32.Nimda.enc (dr)                              3977      56         12
W32.Nimda.A@mm                                  1328      66         22
W32.Nimda.E@mm (dr)                             1184     145          9
W32.Nimda.E@mm                                  1082      84          5
  Total (Nimda)                                30659    2189        190

W32.Badtrans.B@mm                              24791    1220        499
W32.Badtrans.13312@mm                           3482     548         48
W32.Badtrans@mm.enc                              838      32         23
  Total (Badtrans)                             29111    1800        570

Trojan.VirtualRoot (dropped by CodeRedII)       3011     362         25
CodeRed Worm                                     709      43          3
  Total (CodeRed)                               3720     405         28

W32.Aliz.Worm                                   3693      77         17
VBS.SST@mm                                      2312      89          0
Backdoor.Sadmind.Dr                             1419     156          7
W32.Naked@mm                                      17       0          0

*Reported to Symantec Security Response via the Digital Immune System during 2001

 

Association of anti-Virus Asia Researchers (AVAR)
2001 Conference Report

There were about 120 delegates for this year's conference, held in Hong Kong. That was fewer than last year in Japan but a good number considering the difference in market sizes. There was a noticeable presence from Chinese and Japanese police and government security organizations, as well as interest from vendors and journalists from all parts of the globe.

The opening keynote speech from Bontchev was very interesting. He advocated more anti-virus researcher training and greater cooperation between researchers. AVAR's theme for the conference was education, and the organization took the opportunity to announce its intention to launch a global anti-virus certification scheme called AVI (Anti-Virus Institute). AVAR plans to offer several levels of certification, from Engineer to Researcher. If you would like more information please contact an AVAR member in your region; a members' list is available at http://www.aavar.org/ .

Trend's Eva Chen gave a Day 2 keynote speech that was very candid about the current and new threats and the industry's ability to maintain levels of protection and rapid response times. She was stating very publicly what many of us inside the industry have been saying to each other, that is, we are all concerned about a worrying trend of more complicated, more frequent attacks to deal with.

Jan Hruska covered the controversial topic of creating viruses using virus construction toolkits for the sole purpose of testing that your anti-virus product does actually detect samples generated by these toolkits. Of course, you then delete the samples. There are very good arguments on both sides of this discussion, and they will no doubt continue until next year's conference, to be held in Seoul, South Korea.

David Banes
Vice President, AVAR.

 
Viruses, Worms & Trojans
W32.Goner.A@mm

Threat level: High [4]    Platform: Win32

W32.Goner.A@mm is a mass-mailing worm written in Visual Basic. The worm has been compressed using a known Portable Executable (PE) file compressor. It can spread using the ICQ network as well as by email using Microsoft Outlook. If mIRC is installed, the worm can also insert mIRC scripts that enable the computer to be used in Denial of Service (DoS) attacks. The IRC channel used for controlling the worm is currently blocked, preventing this functionality.

Removal Tool
Symantec Security Response has posted a removal tool to assist in eradicating this worm. Please go here to read the instructions and download the removal tool.
http://securityresponse.symantec.com/avcenter/venc/data/w32.goner.a@mm.html

Neal Hindocha
Symantec Security Response, EMEA
 
W32.Badtrans.B@mm

Threat level: Medium [3]    Platform: Win32

W32.Badtrans.B@mm is a MAPI worm that emails itself out using different file names. It also creates the file \Windows\System\Kdll.dll. It uses functions from this file to log keystrokes.
http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html

Peter Ferrie
Symantec Security Response, APAC
 
W32.Updater.gen@mm

Threat level: Low [2]    Platform: Win32

W32.Updater.gen@mm is a simple mass-mailing worm. It sends itself to all recipients in an affected user's Microsoft Outlook address book. It also creates a script that propagates itself to all local and network mapped drives.
http://securityresponse.symantec.com/avcenter/venc/data/w32.updater.gen@mm.html

Douglas Knowles
Symantec Security Response, USA
 
W32.Zacker@mm

Threat level: Low [2]    Platform: Win32

W32.Zacker@mm is a mass-mailing worm. When executed, it copies itself to the \Windows folder as Luckey.exe and to the \Windows\System folder as Dallah.exe, then mails itself to all recipients in your address book as the attachment LucKey.exe. Finally, it creates many copies of itself under the following file names:

Sharoon ####.exe
Bush ####.exe
ZA-Union ####.exe
BinLadin ####.exe

where #### is a number from 1 to 9999.
http://www.sarc.com/avcenter/venc/data/w32.zacker@mm.html

Douglas Knowles
Symantec Security Response, USA
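The following Python check is an added example, not part of the newsletter or of any Symantec tool: it turns the W32.Zacker@mm file-name pattern described above into a host-side indicator check, treating the #### field as a number from 1 to 9999 and matching case-insensitively because Windows file names are. The fixed-path list and the directory listing it scans are constructed for the demonstration.

```python
"""Added example (not from the newsletter): hunt a directory listing for the
W32.Zacker@mm drop-file names and fixed copy locations described in the text.
The sample listing below is constructed, not taken from an infected machine."""
import re

# Base names given in the description; #### is a number from 1 to 9999.
# Windows file names are case-insensitive, so the match is too.
ZACKER_NAME_RE = re.compile(
    r'^(?:Sharoon|Bush|ZA-Union|BinLadin) (?P<num>\d{1,4})\.exe$',
    re.IGNORECASE,
)

# Fixed locations the worm copies itself to (from the description), lower-cased
# for case-insensitive comparison.
ZACKER_FIXED_PATHS = {r"\windows\luckey.exe", r"\windows\system\dallah.exe"}


def is_zacker_dropfile(filename: str) -> bool:
    """True if the bare file name matches '<base> <1..9999>.exe'."""
    m = ZACKER_NAME_RE.match(filename)
    if not m:
        return False
    # The regex allows up to four digits; the text says 1 to 9999, so 0 is out.
    return 1 <= int(m.group("num")) <= 9999


def is_zacker_fixed_path(path: str) -> bool:
    """True if the full path is one of the worm's two fixed copy locations."""
    return path.lower() in ZACKER_FIXED_PATHS


def scan_listing(paths):
    """Return the paths that match either indicator, in input order."""
    hits = []
    for p in paths:
        name = p.rsplit("\\", 1)[-1]          # bare file name after last backslash
        if is_zacker_fixed_path(p) or is_zacker_dropfile(name):
            hits.append(p)
    return hits


# Constructed directory listing for the demonstration.
SAMPLE_LISTING = [
    r"\Windows\notepad.exe",
    r"\Windows\Luckey.exe",
    r"\Windows\System\Dallah.exe",
    r"\Windows\Bush 42.exe",
    r"\Windows\binladin 9999.exe",      # lower case still matches on Windows
    r"\Windows\Sharoon 0.exe",          # 0 is outside the 1..9999 range
    r"\Windows\ZA-Union 10000.exe",     # five digits, outside the range
    r"\Windows\Bushel 7.exe",           # different base name
]

if __name__ == "__main__":
    for hit in scan_listing(SAMPLE_LISTING):
        print("indicator match:", hit)
```

Run stand-alone it prints the four matching paths; in practice you would feed it the output of a directory walk of %WINDIR% rather than the constructed list.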
 
Security Advisories
 
 
Enterprise Security News Clips
VISIT THE SYMANTEC ENTERPRISE SECURITY WEB SITE
http://enterprisesecurity.symantec.com/

Recent Enterprise Security News headlines include:

Arrested 'Goner' Creators Left Obvious Online Trail;
Newsbytes
http://enterprisesecurity.symantec.com/content.cfm?articleid=968

Record-Breaking Year for Security Incidents Expected;
Computerworld
http://enterprisesecurity.symantec.com/content.cfm?articleid=954

Cybercrime Pact to Target Terrorists;
Agence France Presse
http://enterprisesecurity.symantec.com/content.cfm?articleid=953

Get the latest Enterprise Security News delivered straight to your inbox. Register for Symantec's free Enterprise Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm
 
Vulnerability & Exploit News
Living with Intrusion Detection Systems (IDS)
Intrusion detection systems have a widespread impact on an organization. If ever there was a technology where the cost of ownership ought to be calculated before purchase, it is intrusion detection.

The options available to organizations have settled into two methodologies: detection on the host and detection on the network. Both types of technology have their own strengths and weaknesses; on paper, network-based detection would seem to be the better option.

One agent can monitor multiple devices, it is invisible to users, it can respond in real time, and it captures events unbeknown to the instigators of the unauthorized action. Network-based intrusion detection also looks great in a demonstration environment, where the customer is invited to launch attacks with the latest and greatest vulnerability scanner, only to see the network-based IDS raise the alarm with pagers, SNMP alerts, emails and TCP resets.

In reality, network-based intrusion detection is quite a different proposition. Firstly, its effectiveness relies on a number of things beyond the ability to see and respond to a packet, which in today's encrypted and switched networks is not always easy to do. Beyond that, it is bound by four criteria:

1. The speed of the network,
2. The utilization of that network,
3. The number of devices protected on that network, and
4. The number of symptoms of intrusion scanned for.

All of these impact one another: the higher one criterion is, the lower the others need to be. The other unfortunate problem is that network-based intrusion detection doesn't help you calculate these criteria. It doesn't tell you when it is too busy to cope with the amount of traffic and is letting unchecked packets through, and it doesn't help you choose which signatures are relevant to the devices it is protecting. In fact, you might as well have left your own and everyone else's heads firmly in the sand if, after purchasing an IDS, you are still not able to guarantee that all packets are scanned for all relevant symptoms of intrusion; surely this was the justification for purchasing the IDS in the first place. The other issue that plagues the majority of network-based intrusion detection is that the alarms which so impressed everyone during the demonstration continue, wrongly, in the production environment. False positives are one of the main issues with static signature-based intrusion detection systems.

Host-based IDS has different attributes. Firstly, the host agent has to support the host on which it will reside; many companies have sensitive information on NetWare, Unix, Linux and Windows platforms, and a host-based IDS needs to support each platform to be useful. Secondly, there is the process of installing the agent software on each device, which can take time if the environment does not support remote installation. After installation, the agent is able to monitor user activity, file changes, and application, registry and operating system logs, again for symptoms of intrusion. Host-based IDS offers a scalable financial investment, as you only pay for the hosts you want to monitor; because it resides on the host, it is unaffected by encrypted traffic or network topology; it is able to verify attacks before alerting; and it supports a scaled incident response. For example, your organization would respond differently depending on whether your web server returned a 200-type or a 400-type response to a request for cmd.exe/c+dir.
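As an added example (not part of the newsletter and not Symantec's product code), the following Python script applies the point made above to a handful of constructed web-server log lines: it picks out cmd.exe/c+dir style requests and grades each one by the status code the server returned, so a 200-type response (the server acted on the request, which needs investigation on the host) is separated from a 400-type response (a probe the server rejected). The log format, the sample lines, the root.exe variant of the probe and the grade labels are my assumptions.

```python
"""Added example (not from the newsletter): grade cmd.exe/c+dir style web
requests by the server's response code, the way a host agent reading the web
server's own log can. Log lines below are constructed for the demonstration."""
import re
from collections import Counter

# Constructed sample log lines in a common-log-like format (synthetic data).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2001:10:01:02 +1000] "GET /index.html HTTP/1.1" 200 1043
10.0.0.9 - - [12/Dec/2001:10:01:07 +1000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
10.0.0.9 - - [12/Dec/2001:10:01:08 +1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 512
10.0.0.9 - - [12/Dec/2001:10:01:09 +1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 87
10.0.0.7 - - [12/Dec/2001:10:02:00 +1000] "GET /default.ida?XXXX HTTP/1.0" 200 0
"""

# One common-log-format line: client, identity, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Request paths that try to run a command through the web server: the cmd.exe/c+dir
# pattern named in the article, plus root.exe (assumed variant). Case-insensitive
# because the target file system is.
PROBE_RE = re.compile(r'(cmd\.exe|root\.exe)\?/c\+', re.IGNORECASE)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def grade_probe(entry):
    """Return None for an ordinary request; otherwise 'succeeded' when the server
    answered a command probe with a 2xx code (escalate: verify the host), or
    'rejected' for any other code (log it as an attempt)."""
    if not PROBE_RE.search(entry["path"]):
        return None
    return "succeeded" if 200 <= entry["status"] < 300 else "rejected"


def triage(log_text):
    """Return (findings, per_source): one tuple per probe request, and a Counter
    of grades per source address so repeated probing from one host stands out."""
    findings = []
    per_source = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        grade = grade_probe(entry)
        if grade is None:
            continue
        findings.append((entry["ip"], entry["path"], entry["status"], grade))
        per_source.setdefault(entry["ip"], Counter())[grade] += 1
    return findings, per_source


if __name__ == "__main__":
    found, by_ip = triage(SAMPLE_LOG)
    for ip, path, status, grade in found:
        print(f"{grade:9s} {status} {ip} {path}")
    for ip, counts in by_ip.items():
        print(ip, dict(counts))
```

Only the request with a 200 response is graded as succeeded; the two probes answered with 404 and 400 are recorded as rejected, which is the distinction the article says should drive a different response. The default.ida request is left alone here because it is not a command-execution probe, though a production rule set would carry its own signature for it.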

Host-based or network-based is not a choice you need to make when selecting an IDS; unfortunately, security incidents are almost always caused by methods that are not solely detected by one or the other form of intrusion detection. Effective intrusion detection requires the use of both technologies.

The critical success factors in achieving effective intrusion detection are:

1. Have an incident management and response policy and capability. Intrusion detection will alert you to symptoms of intrusion; it is up to you to investigate and restore. Costing a third-party specialist for incident management and response will give you a much better understanding of the cost of ownership.

2. Plan the deployment carefully: select network monitoring points and share the load between network agents, and between network and host agents.

3. Select countermeasures and an escalation procedure. Decide how and when the IDS technology will integrate with the incident management and response plan, keep the agents optimized with the latest updates, and monitor effectiveness against policy, making changes as required.

Andy Norton
Product Manager, Symantec Asia Pacific
 
 
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com (no unsubscribe or support emails please).
Follow this link to subscribe or unsubscribe: http://securityresponse.symantec.com/avcenter/newsletter.html
Send virus samples to: avsubmit@symantec.com

Disclaimer- THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.

This message contains Symantec Corporation's current view of the topics discussed as of the date of this document. The information contained in this message is provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder(s). (c) Copyright 2001 Symantec Corporation. All rights reserved. Materials may not be published in other documents without the express, written permission of Symantec Corporation.