
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


BlackWorm Attacks!

The BlackWorm / Nyxem infections that have attracted so much recent attention were set to activate their malicious payload on the third of February (last Friday), and then on the third of every subsequent month. The early indications are that the impact is not as great as was initially feared, with isolated incidents where large numbers of systems were affected. Although the issue attracted little mainstream media attention until after the payload was scheduled to launch, the widespread technical coverage has been slammed as sensationalism by observers who noted the distinct lack of widespread outages.

The massive notification efforts which followed cooperation by numerous industry and government groups is likely to have been responsible for limiting the rate of spread from the worm. More information about infection / payload activation is expected to come to light this week, and it may take some time before the full impact is understood.

Already, the city of Milan has had to prevent the use of almost 150 servers and 10,000 end user systems due to an infection by BlackWorm which could not be removed in time. At the same time as BlackWorm was scheduled to activate, it was announced that a Russian stock exchange was forced offline for a few hours due to a computer virus / worm infection of unspecified type. This incident has led some to claim that the increased focus on BlackWorm has led to a loss of attention on more critical infections and threats.

Prior to February third, F-Secure, via the ISC, reported that some systems infected with the BlackWorm email worm had already started activating their malicious payloads, resulting in the mass deletion of critical data files. The problem appeared to be infected systems that had their system time set incorrectly. This suggests that preventing a system's date from rolling over to the third of any month is a possible defence mechanism against the infection, if no other tools are at hand. It also indicates that the payload will be activating at various times over the next few weeks, as systems with different time settings reach the third of February.
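Because the worm fires on the third of the month by the infected host's own clock, a fleet with mis-set clocks reaches the trigger at different real moments, which is what the early activations above reflect. The following is an added triage helper, not code from the original article or from the ISC or F-Secure: given a snapshot of each host's reported clock, it computes when each host will cross the trigger day in real time so that the hosts with the least slack are cleaned first. Hostnames and clock values are constructed for illustration.

```python
"""Triage helper for a date-triggered payload (added example; not from the article).

BlackWorm/Nyxem is reported to fire on the 3rd of each month by the infected
host's own clock, so a host whose clock is wrong reaches the trigger date at a
different real moment than a correctly set host. Given a snapshot of each
host's reported clock, compute when each host will cross the trigger day in
real time and order them by remaining slack.
"""
from datetime import datetime, timedelta

TRIGGER_DAY = 3  # day-of-month on which the payload activates (from the article)


def next_trigger_date(host_clock):
    """First instant, by the host's own clock, at or after host_clock that falls on TRIGGER_DAY.

    If the host clock already shows the trigger day, the payload condition is met right now.
    """
    if host_clock.day == TRIGGER_DAY:
        return host_clock
    if host_clock.day < TRIGGER_DAY:
        return host_clock.replace(day=TRIGGER_DAY, hour=0, minute=0, second=0, microsecond=0)
    # Past the 3rd: the next activation is the 3rd of the following month.
    year, month = host_clock.year, host_clock.month + 1
    if month > 12:
        year, month = year + 1, 1
    return datetime(year, month, TRIGGER_DAY)


def triage(inventory, observed_at):
    """Order hosts by remaining real time before their clock reaches the trigger day.

    inventory:   list of (hostname, host_clock) pairs captured at the same real instant
    observed_at: the real (reference) time of that snapshot
    Returns a list of (hostname, real_deadline, status) sorted by deadline, then hostname.
    """
    rows = []
    for hostname, host_clock in inventory:
        # Host clock and real time advance at the same rate, so the real moment
        # the host reaches the trigger day is offset from now by the same delta.
        delta = next_trigger_date(host_clock) - host_clock
        deadline = observed_at + delta
        status = "TRIGGERED" if delta == timedelta(0) else "PENDING"
        rows.append((hostname, deadline, status))
    return sorted(rows, key=lambda r: (r[1], r[0]))


# Constructed sample snapshot (hypothetical hostnames and clocks), taken on 1 Feb 2006 09:00.
OBSERVED_AT = datetime(2006, 2, 1, 9, 0)
SAMPLE_INVENTORY = [
    ("ws-01", datetime(2006, 2, 1, 9, 0)),    # clock correct
    ("ws-02", datetime(2006, 2, 3, 9, 0)),    # clock two days fast: already on the 3rd
    ("ws-03", datetime(2006, 1, 20, 9, 0)),   # clock twelve days slow
    ("ws-04", datetime(2006, 2, 5, 9, 0)),    # clock four days fast: next hit is 3 March
]

if __name__ == "__main__":
    for hostname, deadline, status in triage(SAMPLE_INVENTORY, OBSERVED_AT):
        slack = deadline - OBSERVED_AT
        print(f"{hostname:6} {status:9} reaches trigger day at {deadline:%Y-%m-%d %H:%M} (in {slack})")
```

The host whose clock is already on the third sorts first with no slack, which matches the early activations F-Secure observed; a host whose clock is past the third is not safe, it merely gets until the next month's rollover. The snapshot must be taken against a single reference time, otherwise the computed deadlines drift by the collection interval.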

The ISC ran an analysis of the malicious payload, which suggests that the destruction of data on networked drives is not necessarily a given, despite the initial claims by Information Security vendors. Their test showed that while networked systems became infected, it required pre-infection across all systems before data destruction became a problem for the networked devices. This suggests that if networked storage devices are not being used to boot from, then it is possible that data on those devices will be safe from the destructive payload BlackWorm brings. Other system administrators have reported that the ISC's findings offer only a temporary reprieve: the worm will eventually propagate to the remaining systems and the destructive payload will be activated.

Moving away from BlackWorm, Netcraft have released their Internet server statistics for February, which show the leading web server applications, Apache and IIS, continuing to add to their market share at the cost of lesser known server technologies. Microsoft's IIS has crept up to just over 25% of the market share, while the market-leading Apache continues with more than 66% of the market share.

Netcraft have also noted that US registrar and hosting provider GoDaddy has taken the lead in terms of the largest number of sites hosted globally, taking over from Germany-based provider 1 & 1 Internet AG. This represents the first time that 1 & 1 have been displaced from their top position, and it caps an impressive 12 month growth for GoDaddy, which it has been suggested is the result of their Superbowl ads from January 2005. Already, their 2006 Superbowl ad has drawn negative attention, even though it is unlikely to be shown during the game.

One of the leading news stories of the moment is about a Danish newspaper that published a dozen caricatures of the Islamic prophet Mohammed, which is considered offensive to followers of the Islamic faith. Amongst the outcry and replication of the images, a number of websites which are hosting copies have been attacked via distributed Denial of Service attacks, or straightforward website defacement, such as the site of the Danish paper that originally published the images.

Observation of Brazilian hacker / website defacement networks has shown a number of hackers who are advocating defacement not only of Danish sites, but an extension to US and Israeli sites as well (although those countries have no involvement in the caricature fracas). The majority of attacks are believed to have originated from Pakistan, Turkey and other Muslim majority countries with an active website defacement community. Although the issue is now a couple of months old, it has gained significant mindshare recently, and is spreading rapidly through community channels and networks online.

Computer Security vendor, Symantec, have announced an all-in-one security product, dubbed Genesis, which is designed to integrate Anti-Virus, Internet Security and new security products to provide a single point solution (and thus single point of failure) for end user security.

Initial response to the announcement has been muted, with a fair number of vocal opponents claiming that it will be a terrible implementation, even if the idea is reasonable. They base this argument off previous experience with Symantec software, and the resource usage / update slowness / introduced vulnerabilities that have been encountered. Privacy advocates are concerned about the idea that the software will report back to Symantec regularly about the condition and nature of threats the system is facing, and have voiced concerns about the level of trust in Symantec software, following the recent disclosure that some Symantec software installed and used a 'rootkit' as part of normal operation.

The features of Genesis are reported to include: anti-virus, anti-spam, anti-spyware, intrusion prevention, firewall, PC optimization and maintenance elements, transaction security tools and online/offline backup capabilities. Some of these tools are integrated from previous company acquisitions, and bring their own security concerns - particularly the backup capabilities, which are based on Veritas software that has had some very serious security issues recently.

It was reported that the website forums on the AMD Internet site were recently infected with a variant of the WMF vulnerability that was causing trouble earlier in the year. The issue appears to have been resolved, and it is not known for how long the vulnerability was present on the site. Readers who have visited the AMD forums in the last month and who have not applied MS06-001 should consider that they may have been infected. Some security commentators have taken this opportunity to remind people that web forum vulnerabilities are an ongoing problem, and the WMF vulnerability is just the latest exploit to be spread through this vector.

The recently disclosed vulnerability affecting Oracle database servers is still attracting attention, with the security researcher who disclosed the issue releasing a modified advisory to address reported problems with his original workaround. With the continued silence from Oracle on the issue, except for claims that the workaround is damaging to their clients, the researcher was prompted to explain the history of the vulnerability, claiming that it was originally reported to Oracle in 2001 but was never properly patched in subsequent patch releases.

It has been less than a month since Steve Jobs announced the release of the first Macintosh machines with Intel chips, and already hackers are hard at work getting the latest version of OS X to run on generic Intel hardware. Software images of the OS X 10.4.4 backup disks supplied with the machines have already appeared on software distribution sites, and it is estimated that it will be less than a month before the goal of running it on commodity hardware will be achieved.

More details about the recent FBI and law enforcement raids on a high level piracy group have been reported via Reuters. The group, known as RISCISO, was apparently led by a 26-year-old Perth man who is now facing extradition to the United States and up to 5 years in prison, a $250,000 USD fine and restitution if found guilty. With sixty members, nineteen of whom have been arrested, the group is alleged to have pirated software worth over $6 million USD, using servers spread globally. It was reported that the copyright-breaching activities were mainly for the 'thrill', rather than any commercial gain, and the eventual compromise of the group was due to an informant.

Staying with law enforcement related news, two new cases have been reported of suspected private data theft and inadvertent credit card exposure. Honeywell International disclosed that Social Security and financial records for 19,000 people who were company employees in 2003 had been leaked onto at least one website, which was quickly taken down. As the company is currently unsure as to the source of the leak, it is possible that the data will reappear in other locations. In the second case, a number of newspapers in the American North East were shipped to distributors with numbers for nearly 250,000 credit cards of subscribers. The numbers were printed on the routing slips, which had been made from paper sources earmarked for recycling. It appears that waste paper from the financial department had been incorrectly set aside for recycling.

Finally, in what appears to be a very fortuitous piece of timing, the White House claims that key email messages sent and received by the Vice President and the Executive Office of the President during 2003 cannot be found, although they are meant to have been archived. The AP (via Yahoo!) article which reports this also claims that the messages never made it to the archiving system in the first place. The messages are being sought as key evidence in the trial of Lewis Libby over the disclosure of the identity of the CIA agent Valerie Plame, and are being sought to aid Libby's defence.

6 February 2006
