Were You Caught Out?
It didn't take long for the worms and exploits to begin circulating following Microsoft's monthly security patch release. One of the earliest vulnerabilities to be exploited was the Plug and Play vulnerability in Windows 2000, which was patched with MS05-039. By the weekend following the patch release (i.e. last weekend), early versions of a worm called Zotob were circulating. Bearing a strong naming similarity with the Mytob family of worms, analysis suggests that Zotob is a Mytob derivative, replacing the Mydoom code with code specific to the Plug and Play vulnerability. Rapid evolution has already seen the original Zotob worm pick up a mass emailing component, which provided it with two infection vectors, through email and through the Windows 2000 Plug and Play vulnerability. The email infection vector allows it to target all versions of Windows from Windows 98, onwards, which were otherwise invulnerable to the Plug and Play issue.
Zotob creates an IRC connection on the compromised system, effectively turning the computer into a remote-controlled 'bot', part of a hacker's network. Users might find that they are unable to view webpages, as they are being redirected to the local loopback address (127.0.0.1), and access to sites such as eBay, PayPal, Amazon, Anti-Virus vendors, and Microsoft Update might be blocked.
By mid last week, Zobot had also seen the arrival of a number of competing worms, including IRC bots (IRCBot-ES), which have a much easier infection mechanism once a network has been compromised.
Microsoft's patch for the Print Spooler vulnerability, a part of the recent security patch release, appears to have re-activated the service on machines that it has previously been disabled on. A number of reports from end users indicates that the spoolsv.exe file is trying to contact systems other than the one it is hosted on, and that this behaviour occurs following the application of the Microsoft patch.
Following the initial rush of blood, and claims that the sky was falling, which accompanied the release of Microsoft's security patches, it appears that the panic level has returned to normal, with the Zotob worm appearing to have infected the majority of naturally vulnerable Windows 2000 hosts, and no apparent forthcoming worms for the remaining vulnerabilities. Detailed exploit code has been distributed for a number of the other vulnerabilities, with Internet Explorer's vulnerabilities drawing special attention. In addition, other product suppliers are beginning to find that they are also vulnerable. A range of Cisco products which are based on the Windows Operating System have been announced to be vulnerable to at least a Denial of Service as a result of the current crop of worms. Operators of Cisco equipment should contact Cisco to ensure that the products being used are suitably protected.
Even though the infection rate appears to be stabilising, a number of companies have disclosed that they were compromised by the worms. This list includes Daimler-Chrysler and General Motors (Holden), where multiple plant infections cost tens of millions of dollars worth of lost productivity just within the vehicle manufacturers. At least a hundred million dollars worth of lost productivity would have resulted as these major manufacturers would have been unable to properly handle deliveries and incoming products from external suppliers. Media agencies such as the American networks ABC and CNN were also affected, with newspapers The New York Times, and The Financial Times also falling victim to infections. Other reports suggest that Disney, AMEX, Cingular, AOL, GE, Caterpillar, and UPS were also affected. Numerous other companies will have also been affected and would have lost significant productivity due to their internal Information Technology system downtime. Even more worryingly is the inappropriate action being taken by system administrators in their efforts to either mitigate or clean up the effects of the worms. Some organisations withheld the clean up process for 24 hours after the infections took hold, while others ignored the significant public reporting before recommending inappropriate actions (such as no Internet usage, when the primary worms spread independent of websites visited) prior to attempting mitigation procedures, three days after the initial mass infections.
Although IT is generally regarded as a cost centre for businesses, it is worms like this which can drive home the point that IT has become an essential part of most modern businesses. Again, Windows users are extremely lucky that the worm developers were generally incompetent in their development of this worm. In their rush to release first, the Turkish hackers who created Zotob took a number of shortcuts. If Zotob, and the related worms, had a more robust means of determining the next set of targets (it only infects the local subnet), then it could have spread much faster. If it had a properly developed payload, it would not have forced Windows 2000 machines to continually reboot, instead it would have destroyed data, or sent it out to the remote hackers. There was some evidence that they were monitoring the end infections, but they did not really capitalise on this information. If a worm could only send out 100 copies a second, but could potentially infect 1% of the total Internet address space, it would saturate the Internet in a matter of minutes, rather than the ongoing efforts that the current worms are engaged in, when the vulnerable targets are probably much more than 1% of the total Internet address space.
Some observers are likening this latest mass worm threat to Windows, and the continued usage of that plaftorm by most users, to the unfortunately named 'Battered Wife Syndrome'. The syndrome is characterised by a person who, subject to ongoing physical and mental abuse from a partner, becomes unable to take independent action to remove themselves from the situation. The victim tends not to seek advice or assistance from others, or even fight back against the abuser, and can even convince themselves that they are the problem. They also believe the statements from their abuser that they (the abuser) have changed, and will not do it again.
The observers that have drawn the parallel with this syndrome point out that Microsoft has abused its monopoly position, generally lied to users about security, and have a long record of security problems which have caused significant losses for end users. They point to the unethical business practices, responsibility-avoiding EULAs, accusations of piracy (and associated audits), and continued promises that 'things will be better, next time' as being ongoing examples of Microsoft's abuse of their situation, while still keeping most of their end users on the Windows Operating System.
Defenders of Microsoft have countered with pointing out the increased efforts being taken by Microsoft with respect to the security of their products.
The online crime of the moment, Identity theft and Internet fraud, has attracted some more attention from the mainstream media. The ABC Four Corners program, broadcast Monday 15 August 2005, briefly investigated the CardSystems 40 million credit card breach, and the disclosure of identity information by sub-contracted IT support staff in India. Regular readers of our online column would have already been aware of these breaches, a number of weeks (and months) ago, when they originally happened. The broadcast of the program has had some wide reaching effects. One of the firms which was identified for selling this information, Nasscom, has claimed that it was set up, and are stating that they will work with Australian law enforcement agencies. The damage control spin being applied by the company includes pointing to the fact that no formal complaints have been filed, and that India is not the only country which is responsible for identity theft breaches. Also following up on an Identity theft issue, an AOL employee who sold 90 million AOL screen names and email addresses and then sold them to spammers, has been jailed for 15 months, and fined $83,000 USD, which is three times what he earned from the sale of the information.
Identity thefts continue to be reported in the United States, with more than 30,000 USAF Officers being notified that they may have had their data compromised following a hacker breaching the Assignment Management System (AMS), which contained a significant amount of personal information. The USAF does not believe that there was any sensitive information stolen, but are notifying the personnel involved as a matter of course. According to the reporting, the breach was the result of a legitimate logon that had been copied. The breach was initially identified between May and June, and an exceedingly high level of activity was noticed in the account that had been compromised, which led to the investigation.
Following news from a couple of weeks ago, when the veracity of the MD5 signature on some speed camera images was called into question during a court case, a paper has been released at the Crypto 2005 conference which details an improved attack against the SHA-1 hashing algorithm implementation. One of the issues that faces hashing algorithms is a phenomenon known as a 'collision'. Because a hashing algorithm creates output of a fixed length (128 bits in the case of MD5), and there are only a finite number of options for each bit, it can be deduced that two different original inputs will exist that will output the same hash when passed through the algorithm. This is known as a collision. Cryptography researchers continually research for improved methods to break and improve existing cryptography functions, and a group of Chinese-led researchers has discovered a method which reduces the theoretical effort required to create a collision of SHA-1 hashes to slightly more than the sixty-third power of two operations. A brute force attack, which basically checks for each and every possible hash that could exist, should take around the eightieth power of two operations to discover. The reduction of almost twenty powers of two in terms of operations for discovering a collision means that an implementation is feasible with modern consumer personal computer power (most likely in a clustered configuration).
According to reporting from The Register, last week, the United Kingdom has brought its Information Technology procurement procedures in line with those in use by the European Union. This move will mean that government tenders can not mandate which processor platform is to be used by contractors in delivering a required outcome. The root of this issue can be taken back to the ongoing litigation between AMD and Intel, where AMD is claiming that Intel has abused its monopoly position to effectively suppress competition. The new acquisition procedures must now use generic technical terms to reference the requirements being sought in government contracts.
There was some crazy news from the United States of America last week. Following a decision to provide students with Dell Laptops, the Henrico Country Schools in Virginia, USA, offered the superseded Apple iBook laptops for sale at $50 USD each. Although they were fairly recent models (12" screen, 500MHz G3), 1,000 laptops were being sold at this price, when the approximate market price is $200 - $300 USD. News of the extreme bargain attracted several thousand interested people, who stampeded when it was quickly obvious that there were more bargain hunters than computers. In the ensuing melee, it was reported that one person was assaulting others with a fold up chair, a lady soiled herself (fear or excitement?), a stroller was crushed, an ankle was broken, people were pushed to the ground, and someone tried to drive through the crowd in a car. Police in riot gear were required to return some semblance of order to the large crowd.
22 August 2005
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.