month we return to the regular-format newsletter covering threats for all platforms, although as usual they are
mostly Windows threats. W32.Nimda is covered in detail as this worm appeared after we posted last month's newsletter
and is still on a high threat rating. W32.Klez has a payload that 'empties' files by setting their size to zero
bytes, and we are seeing an increase in the number of reports of Klez in the US and EMEA.
We have a great article on firewalls from Andy Norton, a Symantec Senior Regional Product Manager, and finally a
reminder that AVAR (Association of anti-Virus Asia Researchers) has its anti-virus conference on 4th-5th December
in Hong Kong. There are speakers from many well-known anti-virus vendors as well as from the private and government sectors.
Details are available on the AVAR web site at http://www.aavar.org/.
As a Vice President of AVAR I'll be there and welcome the opportunity to have a chat about current and emerging
IT threats with you.
Viruses, Worms & Trojans
W32.Nimda.A@mm is a mass-mailing worm that utilizes multiple methods to spread itself. The name
of the virus came from the reversed spelling of "admin". The worm sends itself out by email, searches
for open network shares, attempts to copy itself to unpatched or already vulnerable Microsoft IIS web servers,
and is a virus infecting both local files and files on remote network shares.
The worm uses the Unicode Web Traversal exploit. A patch for computers running Windows NT 4.0 Service Packs 5 and
6a or Windows 2000 Gold or Service Pack 1 and information regarding this exploit can be found at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.
When the worm arrives by email, the worm uses a MIME exploit allowing the virus to be executed just by reading
or previewing the file. Information and a patch for this exploit can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
If you visit a compromised Web server, you will be prompted to download an .eml (Outlook Express) email file, which
contains the worm as an attachment. You can disable "File Download" in your Internet Explorer internet
security zones to prevent this compromise.
Also, the worm will create open network shares on the infected computer, allowing access to the system. During
this process the worm creates the guest account with Administrator privileges. Symantec Security Response has posted
a tool to remove infections caused by W32.Nimda.A@mm. Please
go here to download the tool.
NOTE: Microsoft has released a cumulative roll-up for IIS 4.0 on NT 4.0 SP5 and later, as well as all security patches
released to date for IIS 5.0. This can be found at http://www.microsoft.com/technet/security/bulletin/MS01-044.asp.
Microsoft has provided information regarding this virus at the following website: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/nimda.asp
Symantec Security Response, EMEA
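The Unicode Web Traversal flaw the Nimda write-up above points to (MS00-078) is an ordering bug: the server checked a request path for '..' segments before it decoded overlong UTF-8 sequences such as %c0%af, which decode to a path separator. The following Python is an added example, not code from the newsletter or from Symantec; it shows the vulnerable check order beside the safe one and runs both over a few constructed IIS-style log lines (the addresses and log lines are made up for the example).

```python
"""
Added example (not from the newsletter): detecting the encoded directory
traversal that MS00-078 describes and that Nimda used against IIS.

The root cause was an ordering bug: the server checked a request path for
'..' segments *before* it percent-decoded and UTF-8-decoded it. An overlong
two-byte UTF-8 encoding of '/' (%c0%af) or '\\' (%c1%9c) therefore slipped
past the check and only became a path separator afterwards. The safe order
is: percent-decode, reject overlong or invalid UTF-8, then look for traversal.
"""
import re
from urllib.parse import unquote_to_bytes

# Any two-byte sequence whose lead byte is 0xC0 or 0xC1 encodes a code point
# below 0x80 and is therefore an overlong form that valid UTF-8 never contains.
OVERLONG_RE = re.compile(rb"[\xc0\xc1][\x80-\xbf]")


def has_traversal_segment(path: str) -> bool:
    """True if any '/'- or '\\'-delimited segment is exactly '..'."""
    return any(seg == ".." for seg in re.split(r"[/\\]", path))


def naive_check(path: str) -> str:
    """The vulnerable order: traversal check on the still-encoded path."""
    return "traversal" if has_traversal_segment(path) else "ok"


def decode_leniently(raw: bytes) -> str:
    """Mimic a decoder that accepts overlong two-byte forms, to show what
    path the server actually ended up using."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def classify_path(path: str) -> str:
    """The safe order: decode first, reject overlong UTF-8, then check."""
    raw = unquote_to_bytes(path)
    if OVERLONG_RE.search(raw):
        return "overlong-utf8"
    decoded = raw.decode("utf-8", errors="replace")
    return "traversal" if has_traversal_segment(decoded) else "ok"


# Constructed IIS-style log lines (date time client method uri-stem uri-query status).
SAMPLE_LOG = """\
2001-09-18 10:01:02 10.0.0.5 GET /index.htm - 200
2001-09-18 10:01:03 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:01:04 10.0.0.9 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:01:05 10.0.0.7 GET /images/..%2f..%2fsecret.txt - 404
2001-09-18 10:01:06 10.0.0.5 GET /docs/a..b/report.htm - 200
"""


def scan_log(text: str) -> list:
    """Return (client, verdict, uri-stem) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or line.startswith("#"):
            continue
        client, stem = fields[2], fields[4]
        verdict = classify_path(stem)
        if verdict != "ok":
            hits.append((client, verdict, stem))
    return hits


if __name__ == "__main__":
    for client, verdict, stem in scan_log(SAMPLE_LOG):
        print(f"{client} {verdict:14} {stem}  (naive check says: {naive_check(stem)})")
```

Running it shows the point of the bulletin: the naive check passes both overlong requests because `..%c0%af..` is a single segment until it is decoded, while the decode-first check flags them, and the plain `%2f` case shows the same ordering problem with ordinary percent-encoding.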
W32.Nimda.E@mm is a new version of W32.Nimda.A@mm that contains bug fixes and other modifications,
which are designed to prevent detection of this variant by antivirus programs.
This worm is similar in functionality to W32.Nimda.A@mm. Differences include the modification of file names used
by the worm.
The attachment received has been changed to: Sample.exe
The dropped .dll file is now: Httpodbc.dll
The worm now copies itself to the Windows folder as Csrss.exe instead of Mmc.exe
In addition, the author has introduced new bugs in the code. Specifically, the worm may reinfect files, causing
multiply-infected files. Such files can become corrupted and may need to be deleted instead of repaired.
NOTE: Norton AntiVirus already detects infected HTML files as W32.Nimda.A@mm (html).
Symantec Security Response, EMEA
W32.Klez.A@mm and W32.Klez.D@mm
W32.Klez.A@mm is a mass-mailing email worm. It attempts to copy itself into folders on both
local and network drives.
The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when
you open or even preview the message. Information and a patch for the vulnerability can be found at
The worm also inserts the virus W32.ElKern.3326. W32.ElKern.3326 can also infect W32.Klez.A@mm.
Every other month starting in January (January, March, May, and so on), if the date is the 13th of the month, the
payload is executed. This causes files on local and mapped drives to become zero bytes in length.
W32.Klez.D@mm is a modified variant of W32.Klez.A@mm. Most of the functionality remains the same. The virus that
W32.Klez.A@mm carried, W32.Elkern.3326, is also carried and inserted on the system by this variant. The payload
of the D variant is by far more destructive than that of the A variant. After 5 hours there is almost a 100% chance
that it will be activated.
Atli Gudmundsson, Eric Chien and Neal Hindocha (.D variant)
Symantec Security Response, EMEA
W32.Finaldo.B@mm is a simple Win32 polymorphic virus that infects Portable Executable (PE) files.
It searches for files that have the extensions .scr, .ocx, or .exe, and it inserts itself at the end of the file.
It drops a file into the Windows temporary files folder named Finaldoom.exe or Finaldoom.dll. This file is compressed
using the UPX compression utility.
This virus is written in C++. Because the virus is polymorphic, each file that it infects produces a different file,
which it attempts to send using MAPI. The virus waits 30 minutes before it sends itself. The file is encoded within
a MIME email message that will have an attachment named ".exe". This email message makes use of the preview
feature to allow it to run the executable when the email message is viewed.
Symantec Security Response, USA
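The MIME-handling flaw (MS01-020) that Nimda, Klez and Finaldo all rely on to run an attachment when a message is previewed comes down to the client trusting a part's declared Content-Type over what the part actually carries. The Python below is an added example, not code from the newsletter or from any Symantec product: a mail-gateway style check that flags attachments whose declared type, filename and payload disagree. The sample message is constructed for the example; its attachment names echo the Sample.exe and bare ".exe" names from the Nimda.E and Finaldo write-ups, and the base64 payload is only a PE 'MZ' header stub.

```python
"""
Added example (not from the newsletter): a mail-gateway style check for the
attachment trick behind MS01-020, which Nimda, Klez and Finaldo all used.

The client decided how to handle a MIME part from its declared Content-Type
rather than from the attachment itself, so an executable labelled as an
audio or image type was run when the message was previewed. The check below
compares what each part claims with what it carries.
"""
import email
from email import policy

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".dll"}


def attachment_ext(filename: str) -> str:
    """Extension including the dot; handles bare names such as '.exe'
    (os.path.splitext would treat that as a dotfile with no extension)."""
    return "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def attachment_findings(raw_message: str) -> list:
    """Return one finding per suspicious attachment: filename, declared
    content type and the list of reasons it was flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue  # inline body text, not an attachment
        ctype = part.get_content_type()
        ext = attachment_ext(filename)
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable-extension")
            # An executable declared as anything but application/* is the MS01-020 pattern.
            if not ctype.startswith("application/"):
                reasons.append("type-mismatch")
        if payload.startswith(b"MZ"):
            reasons.append("pe-magic")  # PE/DOS header, whatever the declared type
        if filename.startswith("."):
            reasons.append("bare-extension-name")  # e.g. Finaldo's ".exe"
        if reasons:
            findings.append({"filename": filename, "content_type": ctype, "reasons": reasons})
    return findings


# Constructed sample message; the base64 payload is just a PE 'MZ' header stub.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: recipient@example.com
Subject: hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: audio/x-wav; name="Sample.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Sample.exe"

TVqQAAMAAAAEAAAA
--b1
Content-Type: application/octet-stream; name=".exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=".exe"

TVqQAAMAAAAEAAAA
--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

plain notes
--b1--
"""

if __name__ == "__main__":
    for f in attachment_findings(SAMPLE_MESSAGE):
        print(f["filename"], f["content_type"], ", ".join(f["reasons"]))
```

The three checks are independent on purpose: the declared type catches the audio/x-wav trick even if the payload were obfuscated, the MZ check catches an executable whatever it is called, and the bare-name check catches the ".exe" attachment that a user might not even recognise as a file.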
Enterprise Security News Clips & Exploit News
Whenever the subject of Internet security arises, one word is sure to come up - 'firewall'.
Just mentioning a firewall can make a computer network sound like a fortress, as if there was an impregnable barrier
to every kind of threat. The truth is, most firewalls are not foolproof. In fact, firewalls need to be permeable
to enable organizations to conduct business so how can organizations allow this access and still remain secure?
It's a complex problem, but thankfully the solutions are relatively straightforward. There are four key points for
organizations to consider:
1. Organizations mistakenly believe firewalls protect them from ALL security threats, which they do not. Ten
years ago a firewall was the only solution for managing risk for many organizations. This has created an inaccurate
perception that firewalls are the answer to internet-based security risks, which is not in line with reality. The
types of threats are now more sophisticated and integrated, beyond the scope of firewall security. Technology has
also moved on, making other forms of security a wise investment.
2. Often firewall configuration does not reflect the business requirements of an organization. If little thought
has gone into how a firewall will act, then rules can be added to the firewall which may allow unsafe services and
traffic to pass through, creating unnecessary security risks for the organization.
3. Older, circuit-level firewalls lack the power to enable organizations to protect networks from some of the
newer security threats.
The primary function of a circuit-level firewall is to police the type of traffic travelling from one network to
another and decide whether to pass or deny the traffic based on the rules it has as a reference point. For example,
if a firewall was a traffic policeman it would pull over and stop (deny) a car travelling above a certain speed
or in the wrong direction. It won't, however, natively look for and stop (deny) a car filled with illegal weapons
if the vehicle is obeying the speed limit and travelling in the right direction, as the car would be complying with
the rules (i.e. allowed). Executives should look closely at their current security technologies in the light of
the latest integrated threats, which pose more of an 'illegal weapons' style of threat that would not be stopped
by these older-style firewalls.
4. Many companies are so confident about their firewalls that they ignore other weak points within their network.
This is a symptom of building security based on trust. Semi-trusted or trusted networks by definition have fewer
or no security measures.
Executives need to consider an element of accountability as well as trust when reviewing their security policies
in order to prevent an attack on their system through a back door exploitation or social engineering. Unfortunately,
new vulnerabilities in software applications and operating systems are discovered every day. The new hacking techniques
and integrated viruses such as Nimda and Code Red, not only evade a network's front door - the firewall - but also
the back door, window and catflap.
There are six common problems organizations face today when deploying firewalls:
a. They don't analyse enough data. Although firewalls mostly use circuit-level routing state information
that comes over the network, it is far more effective to use a technology called an Application Proxy Firewall,
which checks the actual payload contained within each packet of data. As per the earlier car example, it will look
inside the car to see if it is carrying illegal weapons. Products that are built from the ground up to be an Application
Proxy Firewall are proven to be far more secure, faster, and easier to manage and integrate with a company's network.
b. They don't monitor the operating system closely enough. An effective firewall must keep a continuous
scheduled check on the operating system and any application software. This would include a mechanism to turn off
services that are running on the machine and/or are started up by an unauthorized person. Most operating systems
have a variety of protocol ports open which are not necessarily needed for communications from a firewall perspective;
these in turn would also be disabled by this mechanism.
c. They don't enable remote management. Any security manager with more than a handful of firewalls installed
in remote offices knows that centralized management is almost essential. This is an important shift in the current
generation of firewall technology, giving administrators a bird's eye view of outlying security barriers.
d. They don't scale smoothly. Because older firewalls were often developed for smaller networks, they
may not be appropriate for complex systems. It's vital that firewall infrastructure scales well, allowing remote
offices to use smaller firewall appliances while head office uses a large server. It should also be integrated
together and managed from a single console.
e. Some are simply too slow. The addition of greater processing power in the latest firewalls makes a
big contribution to security. This is partly because Application Proxy Firewall technology requires more processing
power, and also because security is more thorough when firewalls use 'best fit' rules to monitor data packets rather
than the older approach of using 'first fit' rules which may not be as accurate or secure.
f. They don't integrate with other security technologies. Advanced Application Gateways like Symantec Enterprise
Firewall offer the ability to integrate content management, strong authentication, command filtering, application
payload defences, intrusion detection, mail scanning, virus protection, active content scanning, vulnerability
management, and virtual private networks. A firewall can bring powerful benefits as the control point for all of
these complementary technologies.
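Points 2 (rules added without regard to the rest of the policy) and e ('best fit' versus 'first fit' rule matching) are easiest to see with a small rule evaluator. The Python below is an added example and not code from the article or from Symantec Enterprise Firewall; it evaluates one constructed rule set both ways and lists the rules that an earlier, broader rule with the opposite action makes unreachable under first-fit matching. The rule names, networks and packets are made up for the example, and the specificity score is one reasonable definition of 'best fit', not the product's.

```python
"""
Added example (not from the article or any Symantec product): a toy packet
filter that evaluates the same rule set two ways, 'first fit' (first matching
rule wins) and 'best fit' (most specific matching rule wins), plus a check
for rules that an earlier, broader rule makes unreachable under first fit.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # source CIDR; 0.0.0.0/0 means any
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # destination port; None means any
    action: str          # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.port in (None, pkt.port))


def specificity(rule: Rule) -> int:
    """Longer prefixes and a named protocol/port make a rule more specific."""
    return (ip_network(rule.src).prefixlen + ip_network(rule.dst).prefixlen
            + (8 if rule.proto != "any" else 0)
            + (16 if rule.port is not None else 0))


def first_fit(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, str]:
    """Older style: the first rule in list order that matches decides."""
    for r in rules:
        if matches(r, pkt):
            return r.action, r.name
    return default, "default"


def best_fit(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, str]:
    """The most specific matching rule decides; ties go to the earliest rule."""
    hits = [r for r in rules if matches(r, pkt)]
    if not hits:
        return default, "default"
    best = max(hits, key=specificity)
    return best.action, best.name


def covers(broad: Rule, narrow: Rule) -> bool:
    """True if everything 'narrow' matches, 'broad' matches too."""
    return (ip_network(narrow.src).subnet_of(ip_network(broad.src))
            and ip_network(narrow.dst).subnet_of(ip_network(broad.dst))
            and broad.proto in ("any", narrow.proto)
            and broad.port in (None, narrow.port))


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire under first fit because an earlier
    rule with the opposite action already covers all of their traffic."""
    shadowed = []
    for i, later in enumerate(rules):
        if any(covers(earlier, later) and earlier.action != later.action
               for earlier in rules[:i]):
            shadowed.append(later.name)
    return shadowed


# Constructed rule set: a broad web allow was written first, and a block for a
# known-bad network was added afterwards without thinking about ordering.
RULES = [
    Rule("allow-web",      "0.0.0.0/0",    "10.0.0.0/24",  "tcp", 80,   "allow"),
    Rule("block-bad-host", "192.0.2.0/24", "10.0.0.0/24",  "tcp", 80,   "deny"),
    Rule("allow-dns",      "0.0.0.0/0",    "10.0.0.53/32", "udp", 53,   "allow"),
    Rule("deny-all",       "0.0.0.0/0",    "0.0.0.0/0",    "any", None, "deny"),
]

if __name__ == "__main__":
    pkt = Packet("192.0.2.10", "10.0.0.80", "tcp", 80)
    print("first fit:", first_fit(RULES, pkt))   # ('allow', 'allow-web')
    print("best fit: ", best_fit(RULES, pkt))    # ('deny', 'block-bad-host')
    print("shadowed: ", shadowed_rules(RULES))   # ['block-bad-host']
```

The same rule set gives opposite answers for the same packet: under first fit the later, deliberately added block never fires, which is exactly the "rules added without thought" problem of point 2, and the shadowed-rule check is the kind of test worth running whenever a policy is changed.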
Even if all these issues were addressed, a firewall would still not be enough on its own. It's important for managers
to be aware of the weak points in their system by using security management software and 'reconnaissance' programs
to check the network for vulnerabilities. Symantec provides these solutions through products such as: Enterprise
Security Manager, NetRecon, Intruder Alert, Netprowler, Vulnerability Assessment and Intrusion Detection.
Perhaps most important of all, and often the most neglected, is the simple challenge of risk management. Senior
executives - preferably those at the very top - need to appoint one of their own to take charge of security issues
and lead a vulnerability assessment of the organization's systems. This supports the next step - a clear information
technology security policy that defines the responsibilities of each employee. This should also include policies
and processes, which evaluate the entire network, including assets and vulnerabilities. The plan should be reconsidered
as the network and business changes - whether to take advantage of e- or m-commerce (m-commerce using mobile, hand-held
computers) or simply to enhance the use of the network for sales, service and marketing. Companies that offer comprehensive
Internet Security Services such as Symantec's can also provide valuable assistance in these areas.
Although it all seems a little daunting, internet security can be simplified to four important steps:
Assess. Secure your infrastructure through vulnerability assessment and a good security policy.
Protect. Keep unauthorized users and hackers out by using firewalls effectively plus keep malicious code
out with up-to-date anti-virus on all levels of the network (gateway, server and client).
Enable. Make sure you have secure Internet communications with mobile employees, remote operations, suppliers,
customers and other businesses.
Manage. Manage and administer security easily and effectively for users by implementing file encryption,
server administration tools and single sign-on solutions.
Senior Product Manager, Symantec APAC