Symantec AntiVirus Research Center
ISSN 1444-9994
July 2001 Newsletter
These are the viruses, Trojans and worms most frequently reported to SARC's offices during the last month.
Top Global Threats
W95.Hybris
W32.Magistr.24876@mm
W95.MTX
Backdoor.Sadmind
Wscript.KakWorm
VBS.Haptime.A@mm
W32.HLLW.Bymer
W32.Badtrans.13312@mm
JS.Seeker
W32.Choke.Worm
Asia Pacific
W95.Hybris
Backdoor.Sadmind
W32.Magistr.24876@mm
W95.MTX
VBS.Haptime.A@mm
Wscript.KakWorm
W32.HLLW.Bymer
W32.Badtrans.13312@mm
W32.Blebla.B
W32.FunLove.4099
Europe
W95.Hybris
W32.Magistr.24876@mm
W95.MTX
Wscript.KakWorm
W32.HLLW.Bymer
W32.Badtrans.13312@mm
JS.Seeker
VBS.Haptime.A@mm
VBS.Tam.A
W32.Choke.Worm
Japan
W95.Hybris
W95.MTX
W32.Magistr.24876@mm
Backdoor.Sadmind
W32.HLLW.Bymer
W97.Melissa.A
VBS.Haptime.A@mm
Happy99.Worm
VBS.Companion
W32.HLLW.Qaz
USA
W95.Hybris
Backdoor.Sadmind
W32.Magistr.24876@mm
Wscript.KakWorm
W32.Badtrans.13312@mm
W32.HLLW.Bymer
W95.MTX
W32.Choke.Worm
JS.Seeker
VBS.VBSWG2.X@mm
Top 20 Consolidated Global Threats
By SecurityPortal
VBS.LoveLetter Family
W32.Magistr@MM
W32.Funlove
W32.BadTrans.A@MM
W32.Hybris
W32.Ska aka Happy.99
VBS.Kakworm
W32.Navidad
VBS.Haptime@MM
VBS.VBSWG.X@mm (alias Homepage)
PWSteal.Trojan
W32.Choke.worm
W95.MTX
O97M.Tristate.C
W97M.Marker Family
W97M.Melissa.BG
W97M.Ethan Family
X97M.Divi
X97M.Laroux
VBS.Stages
Removal Tools for malicious code are on our web site.
A list of Virus Hoaxes reported to Symantec.
A list of Joke Programs reported to Symantec.
We continue to see many variations on VBScript worms, but this month I've tried to cover a few different and interesting threats, including one for the Mac, as it's rare that we see anything malicious of note targeting the Mac. W32.Leave has stirred a certain amount of interest and concern. There are reports that there may be many thousands of infections, predominantly on home or end-user machines, but the major anti-virus vendors have yet to report large numbers of infections.
The US National Infrastructure Protection Center (NIPC) has put out an advisory, which can be read here: http://www.nipc.gov/warnings/advisories/2001/01-014.htm
This month we have a very short version of Eric Chien's paper titled Malicious Threats of Peer-to-Peer Networking. Eric has also produced a good paper on Microsoft's .Net security issues; I'll carry that next month.
Anyone in Europe interested in attending the annual Virus Bulletin Conference should start thinking about booking travel and accommodation. The conference is being held at the Hilton Prague, Prague, Czech Republic this year. Details can be found on the web site at: http://www.virusbtn.com/vb2001/index.html
David Banes
Editor, sarc@symantec.com
Worms
W32.Leave.B.Worm
Threat rating: Moderate [2]
Platform: Win32
This worm downloads components from Web sites and contains code to accept commands over IRC. The only differences between this threat and W32.Leave.Worm are the Web sites from which the components are downloaded, and that this threat is crafted to appear as a security bulletin from Microsoft.
The threat arrives as an email message. The message is written so that it appears to come from Microsoft as a security bulletin, with the following subject:
Subject: Microsoft Security Bulletin MS01-037
http://www.sarc.com/avcenter/venc/data/w32.leave.b.worm.html
by: SARC, USA
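The lure described above is a spoofed bulletin subject with an attached "patch". As an added example (not code from the original newsletter or from SARC), the Python below parses a constructed message and flags it when the subject claims to be a Microsoft Security Bulletin and an executable attachment is present. The filtering rule rests on an assumption, namely that genuine Microsoft bulletins point readers to the web and never ship patches as mail attachments; the sender address, attachment name and body text of the sample are invented.

```python
"""Flag mail that poses as a Microsoft Security Bulletin and carries an
executable attachment (the W32.Leave.B lure)."""
import email
import re
from email import policy

# Bulletin IDs look like MS01-037: two-digit year, dash, three-digit serial.
BULLETIN_SUBJECT = re.compile(
    r"microsoft\s+security\s+bulletin\s+ms\d{2}-\d{3}", re.I)

# Attachment extensions that Windows will run directly when opened
# (assumption: the usual list for the era; extend for your environment).
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs", ".js")

# Constructed sample message, not from the original page. Sender address,
# attachment name and body text are invented for illustration.
SAMPLE = """From: Microsoft Security <secure@microsoft.com>
To: user@example.com
Subject: Microsoft Security Bulletin MS01-037
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please install the attached patch immediately.
--XYZ
Content-Type: application/octet-stream; name="ms01-037.exe"
Content-Disposition: attachment; filename="ms01-037.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ--
"""


def executable_attachments(msg):
    """Names of all attached files whose extension Windows would execute."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXEC_EXT):
            names.append(name)
    return names


def looks_like_leave_lure(raw_message):
    """Return a verdict dict. The rule (an assumption, see the lead-in): a
    message whose subject claims to be a Microsoft Security Bulletin and
    which carries an executable attachment is treated as a lure, because
    genuine bulletins point readers to the web rather than attaching code."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    attachments = executable_attachments(msg)
    flagged = bool(BULLETIN_SUBJECT.search(subject)) and bool(attachments)
    return {"subject": subject, "attachments": attachments, "flagged": flagged}


if __name__ == "__main__":
    print(looks_like_leave_lure(SAMPLE))
```

A subject match alone is deliberately not enough: a legitimate discussion of MS01-037 in plain text passes, while the same subject with an attached executable is held for review.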
Mac.Simpsons@mm
Threat rating: Low [2]
Platform: Mac
Mac.Simpsons@mm is an AppleScript worm that targets the Macintosh platform. It may open Microsoft Outlook Express or Entourage and send a copy of itself, with the original message, to everyone in your address book. The name of the script is "Simpsons Episodes." This worm does not appear to be particularly malicious, and is similar to other mass-mailing worms that affect Windows computers, such as VBS.LoveLetter. SARC has received very few submissions of this worm.
http://www.sarc.com/avcenter/venc/data/mac.simpsons@mm.html
by: Ralph Gutierrez
SARC, USA
Viruses
W95.BlueCorners.2049
Threat rating: Minimal [1]
Platform: Win95
This virus is a fairly simple fast infector. It infects only Windows 9x computers, and it fails if run on a Windows NT computer.
When executed, this virus performs the following actions:
1. It starts by running the host program in a separate process.
2. Next, it infects all .exe files on the same drive as the virus, and on the C drive (if the virus is located elsewhere).
NOTES: This virus does not become memory-resident, but it does use a memory location allocated to the operating system to indicate whether or not to infect the system. This simply means that the virus will only try to infect files once after the system has been rebooted.
Some systems may crash randomly, since this memory location is intended for use by the system. The virus also uses this memory location in such a fashion that if more than 4 logical drives are attached to the system, it will try to infect files every time it is activated.
3. When it has finished infecting files, the virus checks whether the date is one of the following:
January 1
February 14
April 1
May 4
October 1
December 25
If it is, it activates its payload routine, which animates a number of small blue balls in the four corners of the screen. The payload assumes that the screen resolution is 800x600, so that, depending on the actual resolution, the upper right, lower right and lower left corner balls may appear elsewhere.
http://www.sarc.com/avcenter/venc/data/w95.bluecorners.2049.html
by: Atli Gudmundsson
SARC, EMEA
Trojans
Backdoor.Bionet.318
Threat rating: Minimal [1]
Platform: Win32
Backdoor.Bionet.318 is a malicious backdoor Trojan that behaves similarly to SubSeven, NetBus, and Back Orifice.
The Trojan is the server application, which allows a remote user to control and retrieve information from your computer. Its capabilities include searching for, retrieving and sending files, stealing passwords, changing the screen colors and resolution, playing sounds, and changing the date and time.
When executed for the first time, this program installs itself into the \Windows\System folder using a configurable name. The following registry key is also added, with multiple entries:
HKEY_LOCAL_MACHINE\Software\GCI\BioNet 3
Once the server program is installed, the client program can access the server on a predefined, configurable port. The remote user can be notified that the server application has been installed on your computer: the server can send a page using ICQ, send a notification by IRC, or send an email message.
The default server program is packed with UPX, so its size may vary depending on the type and version of packer used.
The server is executed upon Windows startup. Either the Windows registry, Win.ini, or System.ini is modified to run the program automatically.
http://www.sarc.com/avcenter/venc/data/backdoor.bionet.318.html
by: Cary Ng
SARC, USA
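The last paragraph above names the three persistence hooks of the day: a registry auto-run value, the load=/run= lines of Win.ini, or the shell= line of System.ini. As an added example (not code from the original newsletter or from SARC), the Python below parses constructed copies of Win.ini and System.ini and lists every program they would launch beyond the stock baseline, which is the check an incident responder would run on a suspect Windows 9x machine. The program name bnet.exe and the file contents are invented, and the baseline itself (empty load=/run=, shell= naming Explorer.exe alone) is an assumption about a clean default install; the registry side is left out because it cannot be read offline in the same way.

```python
"""List programs auto-started via the legacy Win.ini / System.ini hooks."""
import configparser

# Constructed sample files, not from the original page. A hypothetical
# backdoor called bnet.exe has been appended to both legacy auto-start hooks.
WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\bnet.exe
NullPort=None
"""

SYSTEM_INI = r"""[boot]
shell=Explorer.exe C:\WINDOWS\SYSTEM\bnet.exe
drivers=mmsystem.dll
"""

# Clean baseline (assumption: stock Windows 9x defaults): nothing on
# load=/run=, and shell= names Explorer.exe with nothing appended.
DEFAULT_SHELL = "explorer.exe"


def _parse(text):
    # Real .ini files may contain '%' and duplicate keys; disable
    # interpolation and strict mode so neither aborts the parse.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def autostart_findings(win_ini_text, system_ini_text):
    """Return (file, key, program) for every program that would be started
    at boot and is not part of the clean baseline."""
    findings = []

    win = _parse(win_ini_text)
    for key in ("load", "run"):
        value = win.get("windows", key, fallback="").strip()
        # load= and run= accept several programs separated by spaces or commas.
        for prog in value.replace(",", " ").split():
            findings.append(("win.ini", key, prog))

    sys_ini = _parse(system_ini_text)
    shell = sys_ini.get("boot", "shell", fallback="").strip()
    tokens = shell.split()
    # The first token is the shell itself; anything appended after it is an
    # extra program launched at startup, which is how shell= gets abused.
    if tokens and tokens[0].lower() != DEFAULT_SHELL:
        findings.append(("system.ini", "shell", tokens[0]))
    for prog in tokens[1:]:
        findings.append(("system.ini", "shell", prog))
    return findings


if __name__ == "__main__":
    for fname, key, prog in autostart_findings(WIN_INI, SYSTEM_INI):
        print("unexpected auto-start in %s [%s]: %s" % (fname, key, prog))
```

On a live system the two strings would come from the real files in the Windows directory; anything the check reports should then be matched against the registry key the write-up names and submitted to avsubmit@symantec.com if unrecognised.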
Symantec Enterprise Security
VISIT THE SYMANTEC ENTERPRISE SECURITY WEB SITE
http://enterprisesecurity.symantec.com/
Recent Enterprise Security News headlines include:
Attack Program Exploits New Microsoft Bug; Newsbytes
http://enterprisesecurity.symantec.com/content.cfm?articleid=791
No Joke: Email Spoofing on the Rise; National Post
http://enterprisesecurity.symantec.com/content.cfm?articleid=784
Check out our latest feature articles: "Wireless Threats: Hype or Reality?"
http://enterprisesecurity.symantec.com/article.cfm?articleid=778
"The Importance of Layered Security"
http://enterprisesecurity.symantec.com/article.cfm?articleid=767
Get the latest enterprise security news delivered straight to your inbox. Register for Symantec's free Enterprise Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm
Malicious Threats of Peer-to-Peer Networking
Peer-to-peer networking allows communication between two systems where each system is considered equal. It is an alternative to the client-server model, in which each peer system is both a server and a client, commonly referred to as a servant.
Recently, peer-to-peer networks have gained momentum with searchable peer-to-peer network file databases, increased network connectivity, and content popularity.
The threats discussed here are how malicious code can harness such networks, and how peer-to-peer networking provides an additional (potentially unprotected) vector of delivery for malicious code.
New Vector of Delivery
In the past, the primary method of contracting a virus was via a floppy disk. Today, the primary vector of delivery is the email attachment.
Peer-to-peer networking provides yet another method of introducing malicious code onto a computer system. This simple additional vector of delivery is currently the greatest threat that malicious software poses to peer-to-peer networking.
Classic, peer-to-peer-unaware viruses can thus be transmitted inadvertently via a peer-to-peer network. In addition, viruses can take deliberate advantage of the regular use of a peer-to-peer network, for example by copying themselves to, or infecting files within, the shared peer-to-peer space.
The first discovered Gnutella worm, VBS.GWV.A, does this by copying itself to the Gnutella shared directory under popular filenames. For example, the worm may copy itself into the Gnutella shared directory as 'Pamela Anderson movie listing.vbs'. The goal is to trick someone into downloading and executing the file, believing it is actually a Pamela Anderson movie rather than a worm.
Furthermore, viruses can harness the existing peer-to-peer network infrastructure to propagate themselves. For example, a worm can set up a servant on an infected system, so the infected user does not even have to be part of the peer-to-peer network initially. This servant then returns exact matches for incoming search queries, and those who download and execute the file in turn become infected. An example of such a worm is W32.Gnuman.
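The VBS.GWV.A trick above, an executable script carrying a media-like name in the shared folder, is easy to hunt for on the sharing host. As an added example (not code from the original paper or from SARC), the Python below classifies the files of a peer-to-peer shared directory, flagging every executable and singling out those whose name advertises media content. The list of executable extensions and the media vocabulary are assumptions to be tuned locally; the sample share contents are constructed, apart from the decoy name the paper itself quotes.

```python
"""Scan a peer-to-peer shared directory for executables posing as media."""
import os
import re

# Extensions Windows or the Windows Scripting Host will execute when the
# file is opened (assumption: the usual list for the era; extend as needed).
EXEC_EXT = {".vbs", ".vbe", ".js", ".jse", ".exe", ".scr", ".pif", ".com", ".bat"}

# Words in a filename that advertise media content to a downloader.
MEDIA_WORDS = {"movie", "mpg", "mpeg", "avi", "mp3", "wav", "jpg", "jpeg", "gif", "clip"}


def classify_names(names):
    """Return sorted (name, reason) pairs for every executable filename.
    A bare executable in a share is worth a look; one whose name advertises
    media content is the classic decoy, e.g. 'something movie.vbs' or a
    double extension such as 'holiday.avi.scr'."""
    hits = []
    for name in names:
        stem, ext = os.path.splitext(name)
        if ext.lower() not in EXEC_EXT:
            continue
        # Tokenise the rest of the name (this keeps 'avi' out of 'x.avi.scr').
        words = {w for w in re.split(r"[^a-z0-9]+", stem.lower()) if w}
        if words & MEDIA_WORDS:
            hits.append((name, "executable posing as media"))
        else:
            hits.append((name, "executable in shared folder"))
    return sorted(hits)


def scan_share(root):
    """Walk a real shared directory tree and classify every file in it."""
    names = []
    for _dirpath, _dirs, files in os.walk(root):
        names.extend(files)
    return classify_names(names)


# Constructed sample share listing (not from the original page) except for
# the VBS.GWV.A decoy name, which the paper quotes.
SAMPLE_SHARE = [
    "Pamela Anderson movie listing.vbs",
    "holiday.avi.scr",
    "setup.exe",
    "song.mp3",
    "readme.txt",
]

if __name__ == "__main__":
    for name, reason in classify_names(SAMPLE_SHARE):
        print("%-40s %s" % (name, reason))
```

Point scan_share at the Gnutella or Napster shared folder on a host, or run it from a login script across an estate; a file-type check on content (rather than the extension) would be the next refinement, since the decoy relies on the user trusting the name.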
Malicious Uses of Peer-to-Peer Networks
Peer-to-peer software generally is not blocked by the firewall because it makes outgoing connections to centralized directory services or other servants, and outgoing connections generally are not blocked. Once an outgoing connection is made, the centralized directory service or other servant can pass information back to the client.
The majority of current backdoor Trojans do not make such outgoing connections, because they would need to connect to a defined, waiting server which, when discovered, may lead to the identification of the malicious hacker. Some backdoor Trojans avoid this scenario by making an outgoing connection to IRC or similar centralized services. W32.PrettyPark is an example of a worm that creates an outgoing connection to IRC. Once it has connected, hackers can join the same channel and send remote access commands.
Such methods could be conducted using a peer-to-peer network as well. For example, a malicious threat could register with the Napster centralized server and advertise a specific, unique list of files. A hacker would then perform a search for those specific files, and each match would identify an infected system. A request for a particular file would signal the infected machine to perform a particular task, such as taking a screenshot. Information could be retrieved from, and control exercised over, the system in this manner, bypassing the firewall and initially preserving the anonymity of the hacker.
Detection of Threats
Since peer-to-peer malicious threats still need to reside on the system, the current desktop scanning infrastructure can provide protection against infection.
However, just as gateway and email server scanners were adopted alongside desktop scanning, desktop protection alone may not prove the best method in the future.
Should peer-to-peer networking become standard in home and corporate computing infrastructures, network scanning may become more desirable. Such scanning is not trivial, since by design peer-to-peer transfers of data do not pass through a centralized server such as an email server.
Systems such as network-based IDS (Intrusion Detection Systems) may prove useful, as may gateway/proxy scanning, to prevent malicious threats from crossing peer-to-peer connections that pass between the inside and outside of an organization.
However, peer-to-peer networking models such as Freenet will render network scanning useless, since all data is encrypted. One will not even be able to scan data residing in the data store on one's own system. Threats passed via Freenet-type models can only be detected by scanning the decrypted file at the desktop, just prior to execution. The issue of encryption only reinforces the necessity of desktop-based anti-virus scanning.
Future
Threats such as W32.FunLove, which infect network shares, demonstrate the difficulty of containment in environments that utilize central file servers (along with personal shares). A peer-to-peer networking model that incorporates uploading as well as downloading will only increase the propagation, and the difficulty of containment, of network infectors.
Such a model will also allow simpler two-way communication for malicious threats. A virus writer may be able to update their threat via a peer-to-peer network: for example, an infected machine may send out an update to all other nearby nodes of the peer-to-peer network, and so forth.
Summary
Peer-to-peer networks obviously pose a danger as an additional vector of delivery. Their impact on security will depend significantly on the adoption of peer-to-peer networks in standard computing environments. If systems use peer-to-peer networks as email is used today, then they will be a significant method of delivery of malicious code.
In addition, two-way network communication exposes the system to potential remote control, can open a hole in a firewall, and can lead to the export of private and confidential information.
Thus, today administrators should begin analyzing their networks for peer-to-peer network usage and configure firewalls and systems accordingly to limit or prevent their usage.
Eric Chien
SARC, EMEA
SARC Glossary for definitions of viruses, Trojans and worms and more.
Contacts and Subscriptions
Correspondence by email to: sarc@symantec.com (no unsubscribe or support emails, please).
Follow this link to unsubscribe or change your subscription type.
Send virus samples to: avsubmit@symantec.com
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html
This is a Symantec Corporation publication; use of it requires permission in advance from Symantec.
All information contained in this newsletter is accurate and valid as of the date of issue.
Copyright © 1996-2001 Symantec Corporation. All rights reserved.