Brian Krebs on Computer Security

Posted at 12:48 PM ET, 08/18/2005

Workaround for Unpatched IE Flaw

A few news outlets have called attention to an unpatched, critical flaw tied to Microsoft's Internet Explorer Web browser that could let bad guys take over vulnerable Windows machines if they browse a site controlled by potential attackers.
The stories note that Microsoft is investigating the reported vulnerability. Meanwhile, computer code showing exactly how to take advantage of the flaw was published online today. The problem resides in a file installed by Microsoft's Visual Studio .Net, but the vulnerable component is also installed by other applications, such as Microsoft Office 2000, and certain software drivers for the latest ATI computer graphics cards.
The easiest way to avoid falling victim to this flaw is simply to use another browser, like Firefox, Netscape or Opera. If you absolutely must use IE, the folks over at the SANS Internet Storm Center have a (non-Microsoft approved) "patch" that will effectively disable the vulnerable portion of the code.
UPDATE, 4 p.m. ET: The SANS Internet Storm Center has moved to "code yellow" over this latest flaw, explaining their rationale this way: "We moved to Yellow as we feel widespread malicious use of this vulnerability is imminent, and the workarounds shown here provide sufficient countermeasures to be applied quickly." It's worth noting that it's a fairly big deal when these guys move to yellow; their chief tech guy Johannes Ullrich says the Storm Center does in fact have a "code red" icon but has never used it. Ullrich says it's mainly just for giggles really, because their definition of "code red" is a condition in which the Internet would be in such a sorry state that you probably wouldn't be able to get to their site to check it anyway (think widespread exploitation of a certain Cisco vulnerability, for example).
UPDATE, 4:50 p.m. ET: Microsoft has put out an advisory on this problem, with its own, somewhat more technical suggestions on how affected users could fix IE until an official patch is available. Microsoft said it is working on a fix for the problem, which it said it may issue outside of its regular, second-Tuesday-of-the-month patch release cycle, as it did last month to fix another IE problem.
The company also used the advisory to scold the security researchers who today posted instructions showing everyone how to exploit the flaw:
"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests."
By Brian Krebs
Posted at 11:00 AM ET, 08/18/2005

SoBig.F's Second Anniversary

Two years ago today, Internet users felt the brunt of a leap forward in virus-spreading technology as e-mail inboxes around the world were flooded with copies of "Sobig.F."
At the time it was the single fastest-spreading virus ever -- Sobig.F infected more than a million PCs in the first days and accounted for one of every 17 e-mails sent at its peak. The virus was especially overwhelming for Web users still reeling from the Blaster worm, which had begun clobbering Microsoft Windows systems just one week earlier.
While Sobig.F was the sixth iteration of the virus, its author(s) had tweaked each successive variant, incorporating lessons learned from prior attacks. The "F" version proved itself far more efficient at scraping e-mail addresses from infected machines, and it fixed a bug that limited the spread of Sobig.D and Sobig.E by including a mechanism that allowed it to send seven e-mail copies of itself at once. Sobig also broke new ground in "spoofing" itself, or exploiting a victim's e-mail address so that virus-laden e-mails appeared to have come from someone the recipient knew.
Like previous versions, Sobig.F was a "multi-stage" virus that would later update infected computers with software that allowed attackers to use them to forward spam. Security experts worked around the clock to decrypt how Sobig.F told infected machines where to download virus updates, timed to take effect just three days after the variant emerged on the Internet. Investigators were able to unscramble the code and shut down all but one of the update servers before that time, with the final remaining server shuttered a short while later, all but killing further spread of the worm.
Still, estimates of the damage caused by Sobig.F quickly soared into the tens of millions of dollars, and Microsoft later would offer a $250,000 bounty for information leading to the arrest and conviction of those behind Sobig. An anonymous author took a stab at figuring out who wrote Sobig, but the Russian spam artist fingered in the report vehemently denied responsibility, and no one has ever been formally charged.
Sobig.F laid the foundation for a flurry of similar e-mail attacks that would borrow from its techniques, including the highly successful Mydoom, NetSky and Bagle e-mail worms. While security software's ability to filter out and detect such threats has improved somewhat, too many computer users neglect to keep their software updated with the latest virus and worm definitions. Too many others unnecessarily fall prey to phishing scams and e-mail viruses.
The Sobigs of the Internet can only be defeated if everyone takes responsibility for computer security.
Posted at 05:55 PM ET, 08/17/2005

Latest Worms Duke It Out

It appears that the numerous variants of the Zotob worm that have emerged over the past couple of days may have been salvos in a new worm war between rival online crime groups, according to analysis by Finnish antivirus company F-Secure Corp.
The three worm variants -- dubbed "Bozori," "Zotob," and "IRCBot" -- all exploit a security flaw in Windows that Microsoft issued a patch for last week, and each tries to supplant the other on infected machines, said Mikko Hypponen, chief research officer at F-Secure. Hypponen said it appears that three different virus-writing groups are behind the 11 different versions the company has detected since Sunday.
"This is the worm war of spring 2004 all over again," Hypponen said. "Only now it's king of the bot hill."
Hypponen is referring to the battle between the author(s) of the Bagle, Mydoom and Netsky worms, which contained within their code plain-text messages insulting rival virus-gang members. The worms also tried to uninstall each other from victimized machines, which rival groups used to relay spam, attack other machines and host phishing scams.
The battle between the Bagle and Mydoom worms continues to this day, with several new variants of each released nearly every month, and their authors remain at large. The Netsky worm also tried to uninstall Bagle and Mydoom, but its original author -- a German teen named Sven Jaschan -- recently pleaded guilty to creating Netsky and the Sasser worm. Jaschan was sentenced to a mere 22 months' probation, even though the effects of his activities are still being felt around the world: Netsky variants accounted for 25 percent of all virus reports in the first half of 2005, according to Internet security firm Sophos. The company said Netsky and Sasser combined were responsible for 70 percent of virus infections in 2004.
blogs.washingtonpost.com