Of Killbits and BlackWorm
Sûnnet Beskerming security researchers have achieved another notable success in the last few days. Over the weekend, news started appearing via US-CERT, the SANS Internet Storm Center (ISC) and SecurityFocus of a problem with Internet Explorer's method for deactivating vulnerable ActiveX components. In short, the 'kill bit' mechanism that Microsoft uses to stop Internet Explorer from instantiating particular ActiveX controls could be bypassed through a malicious web page. Sûnnet Beskerming supplied this information to Sûnnet Alert mailing list subscribers in mid-September 2005, with updated releases as more information came to hand, more than four months before it was picked up by other agencies.
ActiveX controls are native code that runs with the privileges of the user who is browsing, and their methods can be driven by script on a web page. A vulnerable or malicious control therefore gives a remote attacker a way to run arbitrary code on the system without downloading a separate executable, which is why the ability to stop Internet Explorer from loading a control at all, rather than patching each one, matters so much. A kill bit that can be bypassed leaves every control that was 'retired' rather than removed exposed again.
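The kill bit is simply the 0x400 bit of the REG_DWORD "Compatibility Flags" under the control's CLSID subkey of HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility. The following is an added example, not code from the original article or from Sûnnet Beskerming: it parses a `.reg` export of that key (as produced by `reg export` on the host) and reports which CLSIDs of interest actually have the bit set. The CLSIDs and the export text are constructed for the demonstration and do not correspond to real controls. Given the bypass described above, a kill bit being set is necessary but not sufficient; a control that is still installed can still be reached.

```python
r"""Report which ActiveX CLSIDs carry Internet Explorer's kill bit.

Added example (not code from the original article). It parses a .reg
export of the ActiveX Compatibility key, e.g. produced on the host with:

    reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" ax.reg

The kill bit is bit 0x400 of the REG_DWORD "Compatibility Flags" under the
per-CLSID subkey (Microsoft KB 240797).  The CLSIDs and export text below
are constructed for the example; they are not real controls.
"""
import re

KILL_BIT = 0x400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample export: one control with the kill bit, one with an
# unrelated compatibility flag, and (implicitly) controls with no subkey.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-1111-2222-3333-444444444444}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}]
"Compatibility Flags"=dword:00000002
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_export(text):
    """Map each CLSID subkey to its Compatibility Flags value (0 if no value)."""
    flags = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            clsid = _CLSID_RE.search(key)
            # Only subkeys directly under the ActiveX Compatibility key count.
            if key.lower().startswith(COMPAT_KEY.lower() + "\\") and clsid:
                current = clsid.group(0).upper()
                flags.setdefault(current, 0)
            else:
                current = None
            continue
        m = _FLAGS_RE.match(line)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)
    return flags


def kill_bit_set(flags_value):
    """True when the 0x400 kill bit is present in a Compatibility Flags value."""
    return bool(flags_value & KILL_BIT)


def audit(reg_text, clsids):
    """For each CLSID of interest, report whether IE will refuse to load it.

    A CLSID with no subkey at all has no kill bit and is reported False.
    """
    flags = parse_reg_export(reg_text)
    return {c.upper(): kill_bit_set(flags.get(c.upper(), 0)) for c in clsids}


def load_reg_file(path):
    """Read a real export; reg.exe writes UTF-16LE with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    wanted = ["{00000000-1111-2222-3333-444444444444}",
              "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}",
              "{99999999-9999-9999-9999-999999999999}"]
    for clsid, killed in audit(SAMPLE_REG, wanted).items():
        print(clsid, "kill bit SET" if killed else "kill bit NOT set")
```

To audit a real host, replace `SAMPLE_REG` with `load_reg_file("ax.reg")` and feed `audit()` the CLSIDs from the relevant advisories.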
An 'average' worm infection typically leaves the victim's computer under the control of an IRC-based botnet, sending spam and running assorted malware that captures logins and passwords, and that is probably the most significant threat facing Windows PC users. Recently a new worm has emerged, originally dubbed 'Nyxem' but now commonly known as 'BlackWorm', which spreads through standard mechanisms (mass mailing and open network shares) but carries a payload that will cause major problems for infected users.
The worm is designed to delete or overwrite DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP files on every accessible drive, mapped network drives included, and this routine fires on the third of February and again on the third of every subsequent month. For a standalone home system that is distressing; for a business it can be catastrophic, because a single infected workstation with write access to file shares can destroy the shared documents of the whole company. Backups that are not kept off-line, or that are taken after the files have already been overwritten, will not help.
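After the trigger date the practical question is which of the targeted files are no longer what their extension says they are. The script below is an added example, not code from the original article or from any vendor: it checks the leading bytes of each file with one of the listed extensions against the well-known signature for that format (OLE2 for the binary Office formats, `PK` for ZIP, `Rar!` for RAR, `%PDF`, `8BPS` for Photoshop, `MDMP`/`PAGEDUMP` for crash dumps, the Jet header for MDB/MDE), and flags anything that fails as a candidate for restore from backup. It goes a little beyond the text by also accepting ZIP-based Office documents, so newer files are not reported as damaged. The sample tree it scans is constructed in a temporary directory for the demonstration.

```python
"""Flag document files whose contents no longer match their extension.

Added example, not code from the original article.  BlackWorm's payload
deletes or overwrites files by extension on every reachable drive, so
after the trigger date the useful question is "which of my .doc/.pdf/.zip
files are no longer what they claim to be?".  Each file's leading bytes
are compared with the well-known signature for its extension; a mismatch
or an empty file is a candidate for restore.  The sample files are
constructed in a temp directory for the demonstration.
"""
import os
import shutil
import tempfile

# 2006-era binary Office formats are OLE2 compound files; the ZIP-based
# Office formats are accepted too so newer documents are not flagged.
OLE2 = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP = (b"PK\x03\x04", b"PK\x05\x06")
JET = (b"\x00\x01\x00\x00Standard Jet DB",)
SIGNATURES = {
    ".doc": (OLE2,) + ZIP,
    ".xls": (OLE2,) + ZIP,
    ".ppt": (OLE2,) + ZIP,
    ".pps": (OLE2,) + ZIP,
    ".mdb": JET,
    ".mde": JET,
    ".zip": ZIP,
    ".rar": (b"Rar!\x1A\x07",),
    ".pdf": (b"%PDF",),
    ".psd": (b"8BPS",),
    ".dmp": (b"MDMP", b"PAGEDUMP", b"PAGEDU64"),
}
HEADER_BYTES = 1024  # the PDF spec allows junk before %PDF within the first 1 KiB


def classify(ext, header):
    """Return 'ok', 'empty', 'mismatch' or 'untracked' for one file header."""
    ext = ext.lower()
    sigs = SIGNATURES.get(ext)
    if sigs is None:
        return "untracked"
    if not header:
        return "empty"
    if ext == ".pdf":
        return "ok" if b"%PDF" in header[:HEADER_BYTES] else "mismatch"
    return "ok" if any(header.startswith(s) for s in sigs) else "mismatch"


def scan(root):
    """Walk root and return {path: verdict} for every file with a tracked extension."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1]
            if ext.lower() not in SIGNATURES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(HEADER_BYTES)
            except OSError:
                results[path] = "unreadable"
                continue
            results[path] = classify(ext, header)
    return results


def build_sample_tree():
    """Constructed sample: intact files, one overwritten file, one truncated file."""
    root = tempfile.mkdtemp(prefix="blackworm-scan-")
    samples = {
        "report.pdf": b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF\n",
        "budget.xls": OLE2 + b"\x00" * 120,
        "archive.zip": b"PK\x05\x06" + b"\x00" * 18,
        "contract.doc": b"junk text written over the original document\r\n",
        "photos.rar": b"",
        "notes.txt": b"not a tracked extension",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


def scan_sample():
    """Build the sample tree, scan it, clean up, and return {file name: verdict}."""
    root = build_sample_tree()
    try:
        return {os.path.basename(p): v for p, v in scan(root).items()}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # On a real host, call scan() once per local and mapped drive root instead.
    for name, verdict in sorted(scan_sample().items()):
        print(f"{verdict:9s} {name}")
```

Anything reported as `mismatch` or `empty` after the third of the month should be treated as lost and restored from a backup taken before the trigger date; files reported `ok` may still need a fuller integrity check, since only the header is examined.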
The destructive payload has prompted a large coordination effort among security companies, malware researchers and ISPs to identify and notify infected clients. For such a destructive worm the global infection count is still in the low hundreds of thousands (at the time of writing), although the web counter used to track infections shows over 4 million, the excess attributed to a suspected denial-of-service attempt by one or more individuals.
The ISP that hosts the counter has been supplying logs to the coordination effort, which has provided a unique view of how the infection spread. Fewer than a thousand Australian systems have been infected, while Malaysia (over 7,000), Mexico (over 2,000), China (over 2,000), Greece (over 4,000), Turkey (over 15,000) and the United States (over 15,000) have been hit harder. Italy, Peru and India appear to have been hit worst, with over 22,000, 54,000 and 80,000 infections respectively. It is reasonable to surmise that some countries with small online populations but high infection counts were involved in the original outbreak, and that others contain a number of large infection clusters (such as government departments infected uniformly across an internal network).
With increased reporting on the worm, active effort from anti-malware providers, and the coordinated push to identify, notify and quarantine infected systems, the spread of BlackWorm is expected to slow significantly. Should the coordinated notification effort cease, there is a fair chance that infection rates will rise again, and it is an open question how well this model scales should several new worms with similar payloads arrive at once, or should they not report to a single central location that can be logged as conveniently.
BlackWorm isn't the only new oddity to arrive by email over the last couple of weeks; there have been numerous reports of empty emails. These land in inboxes with no sender, no subject and no body. Because there is no content to match against, some spam filtering software lets these empty messages through, and they have been a curious addition to many inboxes. The first of them started appearing in late 2005, and they are believed to be the product of misconfigured, or otherwise poorly written, automated spamming software.
It has been another bad week for identity theft and loss of private data, with several moderately sized data losses. The University of Notre Dame discovered that a system used to manage fundraising had been compromised, exposing the credit card details and Social Security Numbers of numerous donors. The compromise alone is a problem, but worse, the system may have been under an attacker's control since November without anyone noticing.
A three-month window of undetected compromise almost looks reasonable next to what Kansas State University found recently: a system used to handle applications for student housing had been actively compromised for more than four years, exposing Social Security Numbers and other sensitive information about applicants.
Identity theft cases didn't only affect American universities. More than 350,000 people in the states of Oregon and Washington had their medical histories stolen following a car break-in. The records were on backup tapes and disks that were being kept in the vehicle as part of the affected company's disaster recovery arrangements. While the tape data was encrypted, the far easier to read disk data was not. Beyond patient personal data, the records included specific medical and insurance details; almost 250,000 of them also carried Social Security Numbers, and some held financial information. Taking media off-site is a legitimate part of disaster recovery, but the off-site copy is exactly the one most likely to be lost or stolen, and it needs to be encrypted regardless of the medium it is on.
Sick people and students can take comfort in knowing that almost 250,000 customers and financial advisors linked to Ameriprise Financial (a financial services company spun off from American Express) had their records taken when a laptop containing the data was stolen from an Ameriprise employee's car in December 2005. Ameriprise considers it unlikely that the theft targeted the information and rates the subsequent risk of exposure as low. The US state of Rhode Island is also facing difficulties after more than 50,000 credit card details, stolen from an online government services gateway, were discovered on a Russian site.
As part of plans to improve the laws relating to computer and electronic data security in the United Kingdom, the proposed revised Police and Justice Bill seems to have erred too far on the side of caution. In what is believed to be an attempt to make possession of certain software tools equivalent to possessing a safecracking kit, the proposal includes provisions intended to stop the development, distribution and possession of 'hacker tools'. What constitutes a 'hacker tool' is not explained, and should the relevant section make it into law it will leave a lot of system administrators, network administrators and security researchers very worried.
Complaints are being heard from UK researchers who say this will prevent them from understanding how attackers are getting into their systems and what capabilities the tools give the attacker. Network and system defences would become reactive, forced to respond to attacks rather than being informed by researched vulnerabilities. Many of the tools used by attackers and by legitimate users are the same; what differs is whether the person running them has permission and owns the systems they are run against.
A number of countries, including the UK and Australia, are currently evaluating national ID card systems. Supporters on both sides of the argument have been vocal in publicising their opinions, and an interesting voice has been added to the debate over the UK's proposed card. The Register reports that the UK's IT trade association, Intellect, has issued a fairly pointed press release calling on the Government to pay more attention to parts of the IT services and product delivery chain that have routinely suffered in the past.
One reading of the release is that it is a damning accusation: the Government is to blame for the recent spate of public IT expenditure failures and risks the same happening with the ID card implementation. It also comes after the industry has borne most of the public condemnation for those earlier failures.
What was surprising about Apple's recent announcement that Intel-based Macintosh systems are available for purchase now was the timing: less than 12 months since the initial announcement of the shift to Intel (although the rumoured 'Marklar' Intel build of OS X was confirmed to have existed for several years), and a lot earlier than anyone expected, given that the original announcement only promised systems in 2006. A number of review sites have already received their systems and have been putting them through their paces.
Early results suggest that the initial round of deliveries are not production machines, given an internal hardware layout that compares poorly with pretty much any production Macintosh since the original Mac. Reviewers who attempted to install Microsoft Windows for dual booting reported that the Windows boot media does not respond to any of the boot methods available on these machines, which is consistent with the new systems booting via EFI rather than a traditional BIOS, something the Windows XP installer of the day does not support.
30 January 2006