EDITOR'S DESK
Dear Friends,
As you may have noticed during the past weeks, we had serious problems reaching your mailboxes. It wasn't because of Internet disruptions or some security incident here; it was just an extended vacation for some members of our crew and too much work for the others. We tried to compensate with our virus alerts, and my personal advice is to subscribe to that list too: you never know when you will need it, so why not get informed about the newest dangers before they hit your machine? Believe me, they are not spamming you.
The button below is for those who don't like us anymore;
just click and let the message go:
OOPS!!! I almost forgot: there is a minor anti-virus producer that has put our security newsletter in the SPAM category, denying access to the message. We invite them to consult a definition of SPAM and reconsider their decision. And maybe the huge "Unsubscribe" button above will vouch for our intentions.
LAST WEEK IN BRIEF
The past period was one of our busiest. As far as we remember, we have never had such a start to a new year. Lots of topics to discuss, or just to flag here. We have decided not to bother you with older outbreaks but only to flag those that are still in the wild. It is a wise decision, as we have lots of information for you about the most impressive outbreak of 2003: Slammer. Enjoy your reading!
- Win32.Yahaa.J, K, E - common unwanted guests in your Inbox
- Win32.Lirva.A and B - malware dedicated to Avril Lavigne
- Win32.Sobig.A@mm - The Big Boss is watching you!
- 2003's most serious outbreak: Win32.Worm.SQLExp.Slammer.A
- Ethernet security leak - a very old story finally revealed
- Buffer overflow in WinRAR may lead to arbitrary code execution via network
- phpLinks flaw allows remote users to use your server to send e-mails
We don't know how it is for others, but our daily mail, among invitations to free casinos, free mortgages and other freebies, contains at least a dozen Yahaa samples. The virus is a classic one, easy to identify: it comes from a fake sender and the subject is randomly chosen from a long list of choices, a list that you can find on our web site (hint: at the end of this paragraph). The attachment is also randomly named, and the options are on a shorter list. Once you get infected (OOPS!) the virus modifies two registry keys in order to be executed every time you start Explorer and every time you start your session. Its second action is shutting down several anti-virus routines by stopping their services. After this, it starts its spreading routine, sending messages to your contacts. No other payload, no other action, except that it creates in the Windows directory a file named zEsT.txt with a very curious message. This describes the J version. The K version is a little more elaborate, with longer lists and different message bodies, and also has a new payload on May 22 and March 25, when it displays a message box with the title "You are my Best Friend" and the text "Happy Birthday Dear", and swaps the mouse buttons.
We invite you to get more information from:
http://www.bitdefender.com/virusi/virusi_descrieri.php?virus_id=116
and
http://www.bitdefender.com/virusi/virusi_descrieri.php?virus_id=117
We continue this virus section with another virus in the wild: Win32.Lirva.A and B. This is a new virus in the series dedicated to celebrities, this time using dedicated code (not a virus generator as before). It is an Internet worm that spreads through mail, mIRC, ICQ and the Kazaa network, but it arrives as a message with the subject randomly chosen from a list (such as Fw: or Re:); it uses several different message bodies, two pretending to be Microsoft patches and the third an invitation to apply to Avril Lavigne's fan clubs. The virus actions are extremely interesting: first it copies itself into the system folder, modifies registry keys in order to be run at restart, creates a temporary file "avril-ii.inf" beginning with: "2002 (c) Otto von Gutenberg/Made in .::]|KaZAkHstaN|[::...." and explaining that it is a dangerous virus and sending greetings to some known malware authors, and the action continues. The virus kills the processes belonging to known antivirus products and sends itself through e-mail using the victim's e-mail settings and the addresses harvested from all .DBX, .MBX, .WAB, .HTML, .EML, .HTM, .TBB, .SHTML, .NCH and .IDX files. If it finds KaZaA installed, it creates copies of its body under the names it used for attachments. It also tries to infect shares, so it is a hard creature to get rid of. The most important action is that it contains a password stealer, and the collected information is sent to otto_psws@smtp.ru. If the current day of the month is the 7th, 11th or 24th, the payload of the worm triggers. The payload consists of opening the internet page http://www.avril-lavigne.com and displaying an interesting graphic effect. Pretty tricky:
http://www.bitdefender.com/virusi/virusi_descrieri.php?virus_id=118
We come now to one of the most active viruses at this moment: Win32.Sobig.A, an executable mass-mailer worm that is really bugging people. It is very easy to identify, as it comes from big@boss.com. The attachments are .pif files and the body is either empty or contains the string "Attached file:". Once the infected attachment is executed, the worm copies itself into the Startup folders and modifies a registry key in order to be run at system start. After this, the malicious action begins: it searches all fixed drives for files with the extensions .TXT, .EML, .HTM, .HTML, .DBX and .WAB, collects e-mail addresses from them and sends itself as described above. It also tries to connect to network shares and copy itself into directories on the remote computer, and it downloads a file containing a link to an executable PE file, which it downloads into the Windows directory under the name dwn.dat and runs. For more information please visit:
http://www.bitdefender.com/virusi/virusi_descrieri.php?virus_id=120
Finally, we introduce you to our main attraction: Win32.Worm.SQLExp.Slammer.A. It is the major outbreak of 2003 so far, and lots of pages are already dedicated to this hot subject. We won't make too much noise here (because, as you might imagine, we dedicate an entire article to it a little further down) but only mention in brief what it is all about. Slammer is an Internet worm that spreads using a known (and patched) exploit of MS SQL Server. We hate to say it, but we remember telling you about the patch released by Microsoft some time last summer. We suspect that either we have very few readers or our readers enjoy our style but ignore the content. The worm spreads only over the Internet, exploiting the stack overflow we flagged at the time in order to get executed. After its code is executed, it generates random IP addresses seeded from the GetTickCount function and sends itself to those addresses using UDP port 1434. If it finds a vulnerable server, it takes it over; but also, because its 376-byte body is continuously sent over the Net, it causes a terrible traffic slowdown, generating a Denial of Service situation. According to our reports, the worm succeeded in taking down about 200,000 servers. BitDefender has, as usual, released a free antidote, even though the damage to the infected host is not very high, the primary effect being that of suffocating the Internet. More details are to be found at:
http://www.bitdefender.com/virusi/virusi_descrieri.php?virus_id=122
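As an added illustration (not part of the original newsletter and not BitDefender's antidote), the following Python script shows how a network defender could spot an infected server from flow or firewall logs using only the traffic characteristics given above: 376-byte UDP datagrams to port 1434, sprayed at many distinct addresses. The log line format, the sample traffic and the fan-out threshold are all constructed for this example; a single matching datagram is weak evidence, so the detector keys on the fan-out that a scanning worm produces.

```python
import re
from collections import defaultdict

# Traffic characteristics stated in the newsletter: the worm sends its
# 376-byte body as UDP datagrams to port 1434, to many random addresses.
SLAMMER_DPORT = 1434
SLAMMER_LEN = 376
# Assumed threshold: distinct destinations one source must hit before we
# call it infected rather than merely curious.
FANOUT_THRESHOLD = 20

# Constructed log format (hypothetical, not any real product's output):
# "<timestamp> <src> -> <dst> <proto> dport=<port> len=<payload bytes>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"(?P<proto>[a-zA-Z]+) dport=(?P<dport>\d+) len=(?P<len>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"].lower(),
        "dport": int(m["dport"]),
        "len": int(m["len"]),
    }


def is_slammer_like(rec):
    """A single datagram matching the worm's fixed size and port."""
    return (rec["proto"] == "udp"
            and rec["dport"] == SLAMMER_DPORT
            and rec["len"] == SLAMMER_LEN)


def find_infected_hosts(lines, threshold=FANOUT_THRESHOLD):
    """Return sources that sent Slammer-sized datagrams to at least
    `threshold` distinct destinations, sorted for stable output."""
    fanout = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_slammer_like(rec):
            fanout[rec["src"]].add(rec["dst"])
    return sorted(src for src, dsts in fanout.items() if len(dsts) >= threshold)


def _constructed_log():
    """Constructed sample traffic (not a real capture)."""
    lines = []
    # 10.0.0.5 behaves like an infected server: 376-byte UDP/1434 to 40 addresses
    for i in range(40):
        lines.append(f"2003-01-25T05:30:{i:02d}Z 10.0.0.5 -> 203.0.113.{i} udp dport=1434 len=376")
    # a legitimate short query to the SQL Server resolution port: wrong size
    lines.append("2003-01-25T05:31:00Z 10.0.0.9 -> 10.0.0.20 udp dport=1434 len=1")
    # a host that sent three matching datagrams: suspicious but below the threshold
    for i in range(3):
        lines.append(f"2003-01-25T05:31:1{i}Z 10.0.0.7 -> 10.0.0.{30 + i} udp dport=1434 len=376")
    # a 376-byte TCP segment to 1434 is not the worm's propagation traffic
    lines.append("2003-01-25T05:32:00Z 10.0.0.8 -> 10.0.0.20 tcp dport=1434 len=376")
    lines.append("this line is malformed and must be skipped")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    print("Slammer-like sources:", find_infected_hosts(SAMPLE_LOG))
```

Lowering the threshold trades false positives for earlier warning: with `threshold=3` the three-datagram host 10.0.0.7 is also reported, which is the kind of tuning a site would do against its own baseline of legitimate UDP/1434 traffic.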
Slammer has played the leading part in all the security news media. However, there are several rumors circulating about huge vulnerabilities at the basic networking level and some other flaws that could be dangerous; it is our duty to flag them. We know this won't bother you!
We start with what we consider the most important flaw reported this year: the Ethernet affair. It would be very unfair to our readers to hide the fact that many of the basic protocols and software this whole Internet relies on are vulnerable. At the time they were written, not so many security concerns were taken into consideration. We did our best to inform you every time we had enough reliable information, as we are doing now, in this case more extensively. Ethernet drivers are padding small Ethernet packets with previously transmitted and other sensitive data rather than the nulls called for by the Ethernet standard. This has been a rumor for more than nine years but has only now been confirmed by @stake. The standard size for Ethernet packets is between 46 and 1500 bytes, but some higher-level protocols call for shorter packets, and the IEEE 802.3 (Ethernet) standard says these should be padded with nulls to meet the minimum size requirement. The researchers revealed that some network interface card device drivers don't generate nulls, using old pieces of data to fill in instead, without regard to what kind of information those fragments contain. It seems that the easiest way to exploit this is to send ICMP echo requests to a machine running a vulnerable driver, which will then return bits of kernel memory as padding in the reply. These fragments could be reassembled using a packet sniffer; don't do this at home! CERT has released an advisory and has said that some other link-layer networking protocols may be affected in a similar way, without providing examples. Moreover, this flaw could be used in networked environments to escalate privileges and access sensitive information. One workaround that has been proposed is to use encrypted data; it is a possibility, but we are skeptical. The most annoying thing is that some vendors, even when notified, have something more urgent to do than test their products against this flaw and eventually fix it. We hope to hear soon that this has been solved.
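As an added example (not from the original newsletter and not from @stake's or CERT's material), the following Python code shows the defender's side of the padding check: given captured Ethernet II frames carrying IPv4, it locates the pad bytes after the end of the IP datagram and reports whether they are the nulls the standard requires. The two frames are constructed here, with checksums left at zero, to show a correct driver's output beside a leaky one; an administrator would run the same check over frames captured from their own hosts.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
MIN_FRAME_LEN = 60   # 64-byte minimum on the wire, minus the 4-byte FCS


def padding_of(frame):
    """Return the pad bytes of an Ethernet II frame carrying IPv4.

    The IPv4 total-length field tells us where the real datagram ends; anything
    after that point, up to the minimum frame size, is driver-added padding and
    must be all zeros according to IEEE 802.3."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short to hold an Ethernet + IPv4 header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("this example only inspects IPv4 frames")
    ip_total_len = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
    return frame[ETH_HDR_LEN + ip_total_len:]


def leaks_data(frame):
    """True if the frame's padding contains anything other than nulls."""
    return any(b != 0 for b in padding_of(frame))


def audit(frames):
    """Summarise a batch of captured frames as (index, pad length, leaky?)."""
    return [(i, len(padding_of(f)), leaks_data(f)) for i, f in enumerate(frames)]


def build_echo_reply_frame(pad):
    """Constructed ICMP echo reply frame (not a real capture). Checksums are
    left as zero; they are irrelevant to the padding check."""
    eth = (bytes.fromhex("001122334455")          # destination MAC (constructed)
           + bytes.fromhex("66778899aabb")        # source MAC (constructed)
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip_total_len = 20 + 8                          # IPv4 header + ICMP header, no data
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, ip_total_len, 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    icmp = struct.pack("!BBHHH", 0, 0, 0, 1, 1)   # type 0 = echo reply, id 1, seq 1
    frame = eth + ip + icmp + pad
    if len(frame) != MIN_FRAME_LEN:
        raise ValueError("a 42-byte datagram needs exactly 18 pad bytes")
    return frame


# What a correct driver emits: the 18 missing bytes are nulls.
CLEAN_FRAME = build_echo_reply_frame(b"\x00" * 18)
# What a vulnerable driver emits: stale buffer contents instead of nulls
# (the leaked text is constructed for illustration).
LEAKY_FRAME = build_echo_reply_frame(b"\x00" * 5 + b"root:x:0:0:ro")

if __name__ == "__main__":
    for idx, pad_len, leaky in audit([CLEAN_FRAME, LEAKY_FRAME]):
        print(f"frame {idx}: {pad_len} pad bytes, leaks={leaky}")
```

Frames at or above the minimum size carry no padding, so `padding_of` returns an empty byte string for them and `leaks_data` is False; only short frames can expose stale memory this way.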
The next issue is important, as it involves a product many people use very often: WinRAR. The popular archive extractor has been reported vulnerable to a buffer overflow that may allow remote code execution. In practice, if the archive contains a file with an extension longer than 256 bytes, a buffer overflow in winrar.exe will be triggered. The situation arises when the archive contents are listed in the ListView control window. The overflow could be used to crash the WinRAR application (bad joke!) but also to execute arbitrary code with the victim's level of rights. And so a new version of WinRAR (3.11) is available at:
http://www.rarlab.com/download.htm
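As an added example (not from the original newsletter and not RARLAB's code), the following Python snippet shows a check a mail gateway or file server could apply to an archive's entry list before the archive reaches an unpatched viewer: measure each entry's extension in bytes and flag anything over the 256-byte limit the newsletter gives. The sample listing and the UTF-8 encoding of entry names are assumptions of this example.

```python
import posixpath

# Threshold stated in the newsletter: an extension longer than 256 bytes
# triggers the overflow when the archive contents are listed.
MAX_EXTENSION_BYTES = 256


def extension_bytes(entry_name, encoding="utf-8"):
    """Length in bytes of the extension of an archive entry name.

    Only the final path component is examined (both '/' and '\\' separators
    are accepted), and only the part after its last dot counts as the
    extension. Names with no dot, or whose only dot is leading (".htaccess"),
    have no extension. The length is measured in bytes because the overflow
    is about bytes, not characters; the encoding is an assumption here."""
    base = posixpath.basename(entry_name.replace("\\", "/"))
    dot = base.rfind(".")
    if dot <= 0:
        return 0
    return len(base[dot + 1:].encode(encoding))


def overlong_entries(entry_names, limit=MAX_EXTENSION_BYTES):
    """Return the entry names whose extension exceeds `limit` bytes."""
    return [n for n in entry_names if extension_bytes(n) > limit]


# Constructed listing, as a gateway filter might obtain from an archive tool.
SAMPLE_LISTING = [
    "docs/readme.txt",
    ".htaccess",
    "photos/vacation",
    "setup." + "x" * 256,           # exactly at the limit: allowed
    "bad/trigger." + "A" * 300,     # 300-byte extension: flagged
    "unicode." + "\u00e9" * 150,    # 150 characters but 300 UTF-8 bytes: flagged
]

if __name__ == "__main__":
    for name in overlong_entries(SAMPLE_LISTING):
        print("would refuse to open:", name[:40] + "...")
```

The last sample entry is the reason to count bytes rather than characters: a name that looks short in a character-based check can still exceed the byte limit once encoded.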
Have you ever wondered how a new virus is released onto the Net? The author must be very careful to avoid leaving traces that could lead back to him. Usually virus authors, as well as spammers, use e-mail relaying through servers that are vulnerable to this kind of abuse. And, believe us, there are lots of them. This week a new vulnerability allowing such relaying caught our attention: phpLinks has an access control error that is easy to abuse in this direction. It seems that the "email_confirmation.php" script in the /include/ directory can be accessed directly by a remote user. Thus, a file used to send notifications to newly signed-up users could be exploited using just a maliciously constructed URL. Unfortunately the vendor couldn't provide a solution at this moment, but they are working on it. Meanwhile, a workaround would be (if you are using Apache) to create a ".htaccess" file containing a "Deny from all" statement in the '/include/' directory to prevent remote exploitation.
That would be the incredible news for this week. We should also mention that Sun has patched its iPlanet Web Server against two tough vulnerabilities that could lead to remote root access and arbitrary code execution; the patched version (4.1 SP 12) is available at:
http://wwws.sun.com/software/download/products/WebSvr4.1sp12.html
And don't forget: till next week, stay secure! See ya!
VERY IMPORTANT ANNOUNCEMENT !!!
Get rid of your doubts when facing a suspect file! Just send it to virus_submission@bitdefender.com and we'll analyze it for you! GUARANTEED 24-hour response!
OUR AD:
A new generation of our security products is about to come into the wild. What's so exciting about it? New technologies inside, reliability and speed, lower resource consumption and brand new features. We invite you to keep an eye on us and beta test them as hard as you like! Who knows, maybe a special price will be awaiting you! Monitor this URL daily:
http://www.bitdefender.com/html/beta_products.php
OPS AND COMMENTS
Slammer: The Virus - The Story - The Dark Side
It is my pleasure and honor to have your attention again. I have an important announcement regarding this column: as I am dealing with new, extended tasks this year, my signature will be seen only from time to time in this section. Thank you for a long and excellent collaboration; without your constant support many articles wouldn't have come out.
Back to virus business, I must confess that this Slammer explosion amazed me, even though there were some signs. Do you remember JS.Spida, the script that was looking for MS SQL Servers with default passwords? It succeeded in hitting more than 18,000 servers worldwide. It was a surprise to see how many people had left their servers with the basic default configuration. At that time the virus circulation was promptly restricted. However, many admins forgot to patch their servers, and this is how Slammer could come out.
As you have seen in the virus description, it uses a stack overflow in MS SQL Server in order to be executed, it uses the SQL port to spread and it has many "features" inspired by CodeRed and Slapper. The worm hit the Internet early Saturday morning and the infection developed faster than for any other virus. Because it succeeded in finding many vulnerable hosts and, inspired by Slapper, opened many connections at the same time, using a UDP port to spread, the effects were immediate and huge.
Let's talk about the effects: in crude numbers, over 200,000 servers were hit. Internet activity was paralyzed in some areas and ISPs had a very difficult weekend. I was informed that even on Monday some of them couldn't function properly. The immediate effects were to be seen in South Korea, where many people couldn't use not only the Internet but also the ATMs; large numbers of US citizens were in the same situation, American Express and Bank of America being the most affected. Moreover, the military.com family was incredibly hard hit, and during all of Sunday almost anyone could register a .mil domain or even modify existing .mil domains. This forced US Secretary of Defense Donald Rumsfeld to freeze the .mil database and military.com and to make the employees re-examine each and every record. As a "funny" aspect: Microsoft itself failed to apply its own patches and was vulnerable to Slammer; some of its servers were hit, but the infection was limited. To conclude, almost every admin, ISP employee and Internet maintenance person worked from Saturday till yesterday.
The source? There have been many speculations. I will present only the most interesting ones: it seems that the virus was launched using a server from North Korea or Hong Kong. The North Korean Ministry of Telecommunications has announced that this is not a surprise, since many virus authors or spammers are using their servers for their actions. The source code reveals that a group of hackers from Hong Kong could be at the origin (I won't mention their name here in order not to give them free publicity). However, there is no direct evidence, only speculation. The US people have linked the outbreak to some Al Qaeda announcements that if a war against Iraq or some other Arab country begins, in less than 24 hours they can take down 80% of the servers involved in military actions. However, there is no evidence of cyber terrorism whatsoever.
I am preoccupied with several hypotheses that have started to be confirmed: the theory of the "Warhol" worm that could paralyze the Net within 15 minutes seems not so much science fiction as highly probable. The only solution to such a threat would be proactive defense; we are working on such protection and we'll let you know when it's ready.
I end this column with good news: unlike CodeRed and Nimda, which are still active, Slammer's propagation has been drastically reduced. One advantage is the fact that MS SQL Server installations are much fewer than IIS ones. Slammer is teaching us a hard lesson: no matter how sophisticated the software you use, no matter how expensive your protection, human indolence and lack of knowledge make all this possible.
Remember!
You can express yourself anytime at:
authors@bitdefender.com.
My door is open to all your thoughts.
(Respectfully brought to you by Horatiu Bandoiu, always
your friend in the BitDefender Team)
To subscribe to this letter, visit
http://www.bitdefender.com/html/newsletter.php
or send a
message to newsletter-request@bitdefender.com,
with an empty body and the subject 'subscribe'.
To unsubscribe to this letter, visit
http://www.bitdefender.com/html/newsletter.php
or send a
message to newsletter-request@bitdefender.com,
with an empty body and the subject 'unsubscribe'.