This is Not an Email From the FBI
With a number of anti-virus companies and IT news sites calling it the biggest email based threat of 2005, new variants of the Sober email worm started hitting email inboxes in the last several days. Although the worm has employed various social engineering methods in an attempt to get victims to execute the email attachments, the current versions appear to have been fairly well thought out. With infected emails claiming to be from the FBI, CIA or the German BKA, and related to investigations into the victim's Internet usage habits, the Sober creators appear to have identified a method which is likely to result in a greater number of compromised systems.
The effectiveness of the worm was so great that the FBI was prompted to place information on their website to deny that the emails were originating from them. As per previous variants of the Sober worm, the included malware attempts to install a spam-engine, collect email addresses stored on the system, disable the firewall and any other protective software, modify the local HOSTS file to prevent access to Windows and other security update sites, and open network ports to allow remote control of the system via IRC.
As anti-virus companies scrambled to catch up with the emerging variants, some security commentators were warning that the worms were evolving too quickly for anti-virus vendors to keep up with. Basic user education to consider .zip file attachments to be malicious and not to be opened, would prevent a significant number of infection cases.
With the spread of the worm being so rapid, it has been considered by some that the creators have used existing botnets to increase the rate of spread of the worm, in addition to the improved social engineering efforts. The attempt to play on people's fear of authority, especially with various Homeland Security agencies, laws and increased tensions, is considered to be the key to the increased spread of this particular Sober variant.
The past week also saw the release of the SANS Top 20 vulnerabilities list for 2005. A new feature of this year's listing was a major focus on cross platform threats and application vulnerabilities, as compared to Operating System vulnerabilities. With a breakdown of five Windows, two Unix, ten cross platform application, and three networking hardware vulnerabilities, the list seems to cover most of the significant Information threats to surface in 2005.
Some of the inclusions have been a little contentious, such as inclusion of a generic warning for OS X, but no specific breakdown of any applicable direct threat. In subsequent discussion, a SANS representative indicated that the inclusion was based on the increasing number of poorly administered OS X systems that they are observing.
The other vulnerabilities covered included issues with Windows Services that were exploited by worms such as Zotob, and issues with Cisco networking hardware that related to Mike Lynn's presentation at the Black Hat / Defcon 2005 Briefings and Conference. Recent threats to the ISAKMP implementations by a number of networking vendors also rated a mention, along with SANS' personal bugbear, the Domain Name System (DNS) also made the list.
Emerging too late to make the Top 20 list is a vulnerability which affects Internet Explorer on most versions of Windows (except Windows 2003 Server in Enhanced Security mode). Derived from an earlier Denial of Service bug that would cause the browser to crash upon trying to open a new window via a JavaScript call in the body tag for a web page, the new vulnerability has been designed to allow for execution of code by a remote hacker.
In a move which upset Microsoft, the security researcher who discovered the extended vulnerability released the code publicly, including complete source code to a working exploit, and did not notify Microsoft ahead of time. While the developed proof of concept code only launched calc.exe, it was reported that variants of the code were in circulation which could provide a reverse shell, which allows the attacker to gain access to the command line. It is possible that these later reports were based on a misunderstanding of the comments in exploit code, which mentioned establishing a shell.
Microsoft is yet to issue a patch, but has acknowledged the presence of the vulnerability and has provided suggestions to users who would like to protect their online activities (basically, disable JavaScript). The root cause is believed by many to be a design error in Internet Explorer, which would require significant overhaul of the codebase in order to fix the issue. It is more likely, however, that an incremental patch will be developed which will disable that particular instance of calling a new window using JavaScript.
This latest Internet Explorer vulnerability was joined by reports of an issue which can see Internet Explorer opening unexpected applications to handle various tasks. While more correctly a Windows 'pathing' issue which has been known about for some time, the discovery that Internet Explorer will open a folder / file / application on the Desktop named notepad.exe as a priority over the Windows default Notepad application has seen some increased attention to the filetypes and applications that can be abused in this manner. Several Registry modifications were soon provided, along with links to the MSDN reference on the issue, which forces Internet Explorer to look in specific locations if it needs to open Notepad, or equivalent.
While the discussion surrounding the discovery quickly returned a working solution along with a reference to Microsoft documents, it prompted discussion on the behaviour of Internet Explorer and Windows in those situations, along with an explanation of why some core System applications sometimes appear to magically reappear after their manual deletion (dllcache).
A practical example of finding applications which have pathing problems was provided by a contributor who suggested making a copy of the calculator (calc.exe), renaming it to 'program.exe', and placing it in the root level of the Windows partition (C:\program.exe). This would then allow users to identify applications that are potentially vulnerable to abuse by having appropriately named files placed at higher levels of the Directory structure. The symptom encountered would be unexpected copies of calc.exe opening up on the screen.
28 November 2005
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.
Subscribe to our feed.