Mutant son of MyDoom plans three-pronged attack

By John Leyden

Published Thursday 3rd June 2004 14:27 GMT

Virus writers have used code from the infamous Mydoom worm to create a potentially dangerous new Internet worm which uses multiple methods to spread.

Plexus-A spreads using three different methods: infected email attachments, file-sharing networks and Windows vulnerabilities (the LSASS vulnerability used by Sasser and the RPC DCOM flaw used by Blaster). The as yet unknown virus authors used MyDoom source code as the basis for creating Plexus, according to an analysis of the worm by Russian AV firm Kaspersky Labs.

David Emm, senior technology consultant at Kaspersky Labs, said that the multiple spreading methods is helping Plexus to infect more machines. No worm since Nimda has used as many methods to spread, according to Emm. Kaspersky rates Plexus as a moderate risk. It is spreading - but nothing like as fast as Sasser or Blaster - and the main concern about the worm stems from the fact it creates a backdoor for hackers on infected machines. These compromised machines could be used for spam runs or as a platform for DDoS attacks. However the motives of the virus authors behind the worm remain unclear.

Plexus-A chooses from five different email message headers in an attempt to bamboozle users. Each message has a different header, body and attachment name. The only characteristic which does not change is the file size: 16208 bytes when compressed with FSG and 57856 when uncompressed. Mac and Linux users are - as usual - immune but Plexus is a menace for Windows users.

Upon execution Plexus-A copies itself to the Windows system registry under the name upu.exe, which runs every time a machine is rebooted after infection. Plexus sends copies of itself to email addresses harvested from the hard drives of infected machines.

The worm is among the first to specifically target users of Kaspersky Labs' AV software. Plexus' payload includes attempts to prevent downloads of Kaspersky Anti-Virus database updates. Plexus also scans the Net for systems vulnerable to the flaws it exploits. The worm opens a backdoor onto infected machines on port 1250, making it possible for files to be remotely uploaded to and from the victim machine. The open port leaves the victim machine vulnerable to further attacks, Kaspersky Labs warns.

Users are advised patch Windows boxes, update anti-virus signature files and use firewalls to shelter against Plexus and similar irritants that are doubtless just around the corner. Is there no end to this viral madness? ®

 New Worm Exploits Multiple Windows Flaws

A new worm that may be double the trouble was spotted in the wild Thursday by several anti-virus firms.

Dubbed Plexus, by Moscow-based Kaspersky Labs, and Explet.a, by Symantec, the worm uses multiple methods to infect PCs, including exploiting a pair of vulnerabilities in Windows.

"The worm's payload threatens systems worldwide," said Kaspersky Labs in an e-mailed statement.

Although its payload can arrive in the more traditional manner as an executable file attachment to an e-mail message, Plexus/Explet can also infect systems without any human intervention by exploiting 2003's RPC DCOM vulnerability--the one that MSBlast used last August--and this year's LSASS vulnerability, the route that Sasser took in late April and early May.

Both vulnerabilities can be exploited by attackers without requiring any user action. Like its MSBlast and Sasser predecessors, Plexus/Explet scans for unpatched systems--fixes for both vulnerabilities are available via Microsoft's Windows Update service Web site--and inserts its code unseen.

"The interesting thing about this worm is that it combines multiple vulnerabilities," said Vincent Gullotto, the vice president of Network Associates' AVERT research team. Network Associates has trapped a sample of the worm, but has not yet assigned it a name.

"We're only going to see more of this as we go forward," said Gullotto. "Hackers are trying to use multiple opportunities to infect systems, use as many different avenues as possible."

"This is a perfect example of a blended threat," added Brian Dunphy, the director of Symantec's managed securities services group. "It's primarily a mass-mailer from what we've seen so far, but like worms such as Nimda, it exploits multiple vulnerabilities within Windows."

Nimda, a worm that debuted in 2001, exploited multiple vulnerabilities simultaneously, as well as backdoors left by the even older Code Red. It was "the mother of all proof-of-concept viruses," according to Network Associates' Gullotto. But malicious code that tries to take advantage of more than one vulnerability in Windows is still "relatively uncommon," he added.

Plexus/Explet can also arrive as one of five different .exe file attachments in messages using one of five different subject lines, and uses a third method to spread through shared network folders and the KaZaa file-sharing network. When using that tactic, the worm may be tucked into a file named "Shrek_2.exe," an attempt to entice users to open the file thinking it's a digital copy of the popular animated film that opened recently.

The worm also specifically targets Kaspersky Labs' anti-virus software by disabling its automatic update capabilities. "Plexus replaces the contents of a folder in the system registry: until this folder is deleted from infected machines, users will need to download updates manually," warned Alexey Zernov of Kaspersky.

Although Symantec wasn't able to confirm, Kaspersky Labs claimed that its analysis revealed that some of the code in Plexus/Explet is re-used source code from the destructive MyDoom worm of earlier this year.

"But I wouldn't be surprised if that's the case," said Dunphy. "It's very common for viruses to share code these days."

Currently, Plexus/Explet is rated as a "moderate" threat by Kaspersky and a "2" by Symantec, using its 1 through 5 scale. But because the worm opens a backdoor via TCP port 1250, then reports back when it infects a system, both security firms are watching the worm closely.

"If it does go wide scale," said Dunphy, "the backdoor could be used to plant additional code, to essentially upgrade the worm."

In other security news, Symantec upped its threat level for the Korgo.f worm on Wednesday from a 2 to a 3, citing a dramatic spike in submissions yesterday from both corporate and consumer customers.

The Korgo family, which also exploits the LSASS vulnerability within Windows, first appeared last week, when three variations debuted. Since then, four new copy-cats, including Korgo.f and, the most recent, Korgo.g, have been detected.

"The changes between the variations are very, very subtle," said Symantec's Dunphy.

Although the number of Korgo.f submissions Symantec received began to plateau late Wednesday, the security firm is keeping the threat level at "3" for the time being.

Korgo.g, which first appeared Wednesday, is also on the radar of several anti-virus firms. Symantec rated this version as a 2, but Gullotto of Network Associates said "we're watching this one closely."

The success of worms such as Plexus/Explet and Korgo are additional proof--as if it's needed--that not everyone is patching vulnerabilities in Microsoft's Windows.

"Clearly, not everyone's patched," said Gullotto. "And with next Tuesday being the scheduled day for Microsoft to release June's [security bulletins], there will undoubtedly be more things that people will have to patch."

 First 64-bit Windows Virus Hits

Security firms on Thursday reported that they had discovered the first virus that targets PCs running 64-bit versions of Microsoft's Windows operating system.

Both Symantec and Network Associates have captured samples of Rugrat.3344, a virus that uses Thread Local Storage structures within the operating system to execute itself, "an unusual method of executing code," according to Symantec.

Anti-virus firms were quick to point out that Rugrat is not spreading, but is actually what's called a "proof-of-concept virus," malware designed to demonstrate vulnerabilities and the ability to mount an attack. It doesn't spread from machine to machine, like a true worm.

Rugrat infects IA64 (Intel Architecture 64) executables, and also infects files in the same folder that contain the virus, as well as that folder's associated subfolders.

Both Symantec and Network Associates suspect that the author of Rugrat is the same individual who crafted other proof-of-concept viruses in the Chiton family. Six variations of Chiton have been discovered so far, each which demonstrates a new vulnerability within Windows.

The Chiton series includes groundbreaking viruses such as Gemini, which was the first to run two instances of itself simultaneously to prevent elimination, and OU812, the first to use the language .dll support in Microsoft Visual Basic files to execute the code.

Because 64-bit Windows is relatively scarce, both Symantec and Network Associates ranked Rugrat as a low-level threat. Symantec, for instance, pegged it as a "1" in its 1 through 5 scale, while Network Associates labeled it as "Low."

Rugrat cannot infect 32-bit versions of Windows, such as XP, 2000, NT, or 9x, but Symantec did warn that it could infect 32-bit systems using 64-bit simulation software.

 Not just free software under threat

By Team Register

Published Tuesday 1st June 2004 14:13 GMT

Letter

Dear Editor,

In my speech about the danger of software idea patents, I explained how these patents obstruct all software developers, restrict all computer users, retard software progress, and tie up e-commerce in unnecessary bureaucracy.

Your article describes a very different speech from the one I gave, one that emphasizes primarily how patents would hurt free software. They would indeed, but in persuading a public that mostly doesn't advocate free software, I cannot pin much hope on that argument. I therefore mentioned free software only briefly in the speech.

During that brief mention I refuted a claim that politicians that favor patents say about software idea patents and free software: "They can't be that damaging for free software, since there is still plenty of free software in the US." I explained the fallacy by applying the same argument to AIDS in Africa--"AIDS can't be that damaging for humans, since there are still plenty of people in Africa". That example, clearly wrong, makes the flaw visible. Whether there is any similarity between AIDS and patents is irrelevant to this exercise in logic, and I never said there was one.

Preventing software idea patents in Europe is of tremendous importance to anyone that hopes to develop or use software there. I hope to call the public's attention to how these patents would affect their work.

You can serve your readers best by doing likewise.

Sincerely,

Richard Stallman President, Free Software Foundation

 Comparison of Linux code with MINIX code

A message I received from Alexey Toptygin

"Around the middle of April, I was contacted by a friend of mine who asked me if I wanted to do some code analysis on a consultancy basis for his boss, Ken Brown. I ended up doing about 10 hours of work, comparing early versions of Linux and Minix, looking for copied code.

My results are here. To summarize, my analysis found no evidence whatsoever that any code was copied one way or the other. (I realize that Minix predates Linux, but I did the comparison bidirectionally for the sake of objectivity).

While I was working on this in my spare time, Ken kept pestering me to hurry up and finish. He told me he had a paper awaiting publication, and that my analysis was the last bit of data he needed. I sent the final results (which are, exactly as given to Ken Brown, at the above URL) to him on May 17th.

When I called him to ask if he had any questions about the analysis methods or results, and to ask if he would like to have it repeated with other source comparison tools, I was in for a bit of a shock. Apparently, Ken was expecting me to find gobs of copied source code. He spent most of the conversation trying to convince me that I must have made a mistake, since it was clearly impossible for one person to write an OS and 'code theft' had to have occured.

So, I guess what I want to say is, pay no attention to this man; to the best of my knowledge he is talking out of his ass. I apologise for any inconvenience I may have caused you by participating (however indirectly) in Ken's pet project.

Please feel free to reproduce this email and the contents of my analysis webpage."

--Alexey Toptygin

 Zimbabwe blocks emails

By John Oates

Published Tuesday 1st June 2004 12:55 GMT

Robert Mugabe's government is trying to force Zimbabwean ISPs to block politically sensitive emails. So far ISPs claim to be resisting such moves.

The move is important because the Web has become the only uncensored source of information now that opposition newspapers and other media have been closed down.

The Zimbabwean government wants ISPs to block emails considered "politically sensitive, objectionable, unauthorised or obscene". The law also mentions "anti-national activities". ISPs must also provide government officials with information to help track down the authors.

Internet providers say it is impossible for them to police all traffic they carry and don't have the storage capacity to keep all emails sent. Even Mugabe's security staff are unlikely to have time to read all of everyone's email.

But some subscribers have already received messages explaining that an email was blocked for containing "sensitive information".

An anomymous source from a Zimbabwean ISP told the BBC it believed the proposal was illegal. He said ISPs would happily cooperate in cases of crimes such as terrorism but that is was not their job to police the Internet.

Mugabe railed against the Internet as a tool of imperialist oppressors at the end of last year. He accused Britain, Canada and the US of using the Net to: "challenge our sovereignty through hostile and malicious broadcasts calculated to foment instability and destroy the state through divisions".

Late last year the government arrested 14 people accused of forwarding or circulating an email deemed to be offensive to Mugabe.

Reporters without Borders regards Zimbabwe as by far the worst threat to press freedom in southern Africa.

Zimbabwe's phone system, once one of Africa's finest, has suffered with the rest of the country but Internet use is high. In 2002 the CIA estimated it had 100,000 Internet users.®

 Federal agency faulted for weak security

By Kevin Poulsen, SecurityFocus

Published Monday 31st May 2004 21:04 GMT

The federal agency that insures US bank deposits suffers from network security holes that make it vulnerable to cyber thieves and saboteurs, a report by congressional investigators concluded Friday (May 28).

Though the Federal Deposit Insurance Corporation (FDIC) has made significant progress in shoring up cybersecurity in recent years, broad vulnerabilities were found in an audit conducted late last year, according to the report by the General Accounting Office, Congress's investigative arm.

The FDIC was formed in the 1930s in an effort to restore confidence in the US banking system during the Great Depression. Today it insures $3.3tn in deposits at over 9,000 financial institutions, and last year processed more than 2.6m financial transactions.

According to the GAO, access control lists on the FDIC's network could be modified by anyone with access to the network - some 6,300 people, including contractors. "With the ability to read, copy, or modify these files, an intruder could disable or disrupt network operations by taking control of sensitive and critical network resources."

Other lapses include inadequate controls on network connections to off-site locations, failures to secure known software vulnerabilities, and intrusion detection systems that were not fully implemented. "As a result, there are weaknesses in FDIC's monitoring program that could result in significant breaches to its computer security environment," the report reads. Additionally, some employees were inadvertently granted access to systems that house sensitive financial management information without any need for that access.

As a result of the vulnerabilities, "critical FDIC financial and sensitive personnel and bank examination information was at risk of unauthorized disclosure, disruption of operations, or loss of assets - possibly without detection," the GAO found.

In a written response, FDIC deputy chair Steven App acknowledged the security issues, and vowed to bolster cyber security at the agency. "[T]he FDIC remains committed to improving every aspect of our corporate-wide security program."

Copyright © 2004,

 Though AMD's choice to market an Athlon 64 3800+ is questionable, it's certainly a very good CPU albeit at a "very high end" price. But in many ways, the 3800+ seems almost an orphan. Speaking of the FX-53, it would have been good if AMD had named the new version FX-53a or something similar, to more clearly separate the socket 939 variant from the 940. The company has served no real purpose but to make their CPU lineup more confusing and needlessly stratify an industry that already offers too many only-slightly-different variants for its own good.

 At the Sagebrush Saloon 02.06.04

Hosted by Henrietta Bowman

Lower the flag to half-mast. Bugler, sound taps...do I hear the haunting strains of the Navy Hymn? America, shed a tear...for you have lost a hero this day, one of a dying breed and one we can sore afford to loose.

The Associated Press reports, "Adm. Thomas H. Moorer, a Pearl Harbor veteran who became chairman of the Joint Chiefs of Staff during the Vietnam War, died Thursday. He was 91."

Moorer was controversial, but he always spoke the truth. He was well-known for his outspoken critisism of the Carter/Clinton Panama Canal giveaway to the Chinese and its inherent dangers. He was a foremost critic of the official story of TWA Flight 800, calling it a missile shoot-down.

But the thing I will always respect the admiral for was his unceasing support and belief in the crew of the USS Liberty when Israel attacked her because she was in the wrong place at the wrong time and possibly, the top-of-the-line intelligence ship saw the cold blooded massacre of Egyptian POWs by the Israelis at El Arish.

--Henrietta

 Seven years jail, $150,000 fine if you don’t tell the world your email and home address

By Kieren McCarthy

Posted: 05/02/2004 at 22:13 GMT

Stay up to date wherever you are, with The Register Mobile

If you don’t tell the world your email, home address and telephone number you could face a seven-year jail sentence and a $150,000 fine under new legislation that the US Congress is trying to push past today.

Senator Lamar Smith of Texas - chairman of the Courts, the Internet and Intellectual Property Subcommittee of the House Judiciary Committee - yesterday produced from nowhere extensions to the 1946 Trademark Act that would make giving false contact information for a domain name a civil and criminal offence.

His bill (HR 3754) was discussed today at 10am Washington time in his Subcommittee. It was live here.

No you’re not dreaming, this is what the Bill proposes. Mr Smith’s attempt to “provide additional civil and criminal remedies for domain name fraud” may be laudable, but his approach is as unthinking and blinkered as the Intellectual Property lobbyists that have his ear.

The extensions to the Trademark Act would make the provision of misleading contact details when registering a domain an offence. Not only that but a “willful” offence - which in American law means three-times normal payout. Also, anyone “acting in concert with the violator” or “maintaining or renewing such registration” would also be guilty. In the case of a trademark infringement on the domain “the maximum imprisonment otherwise provided by law for a felony offense shall be increased by 7 years”.

The intention for this legislation is clearly peer-to-peer sharing networks, but by making the provision so wide, it is pulling in millions of normal Internet users and businesses. Not to mention registrars.

While the provision of nonsense registration details has proved an irritation - particularly to IP lawyers - many millions of people do not provide their full details because it is freely available to anyone on the Internet and so intrudes on their privacy. Domain name details are also regularly farmed by spammers.

Minding the farm

In fact, the entire WHOIS issue has been controversial for years; and only recently have new systems been introduced to make Internet domains fully functional yet not wide open to abuse. One example is the extra password people have to type in to get at WHOIS information, which cuts down automated email farming.

However, Mr Smith - who can be neatly summed up by pointing to the fact that he introduced the Clean Airwaves Act banning eight profanities from being broadcast, and that he proudly describes himself as a fifth-generation Texan - sees everything from the IP lawyers' point of view.

In fact, invited to speak at the American Intellectual Property Law Association in November last year, he told the assembled: “The gravity of intellectual property crimes are too often dismissed by those who believe they have a right to work created and owned by others. We’re going to do our best to bring IP crime to the forefront of the Congressional agenda and focus attention on it in a new way.”

He went on: “There are billions of illegal file downloads every week on peer-to-peer networks. The result is lost jobs, lost sales to businesses and lost royalties to artists and copyright owners. One way to reduce this illegal activity is through the court system. Most people agree that stealing is wrong. We can all agree that it is wrong to walk into a record store, put a CD in your pocket, and walk out. It’s just as wrong to illegally download a song from the Internet. But many people do not recognize that these actions are one and the same.”

There is much more along this vein, but you get the idea. Smith also introduced the cybercrime legislation that was whisked through with the “Patriot” Act, which hugely expanded the authorities’ ability to wire and electronic tap individuals. He also boasts that he was given the “Cyber Champion Award” by the Business Software Alliance - a concept of such ridiculousness that it is hard not to smile.

Congressman Smith is however an influential man in Washington and his attempts to introduce such legislation and provide IP lawyers with exactly what they want should be taken seriously.

Hogging the conversation

The arguments for and against accurate and accessible WHOIS information were concisely covered by Milton Mueller in his book on ICANN “Ruling the Root” back in 2002. This quote from it (p.237) should provide food for thought.

“Just how radical a shift in the balance of power the intellectual property agenda for WHOIS represents was illustrated by an amusing exchange on a public email list between Judy Henslee, the US trademark manager for Harley-Davidson motorcycles, and an intellectual property lawyer, John Berryhill. Ms. Henslee was complaining about the limitations of the current WHOIS protocol on the INTA email list, and she concluded, ‘The ability to produce (or at the very least, purchase) accurate lists of all domains owned by a single person or entity would be extremely helpful to the trademark owner.’

“Mr Berryhill replied: “Dear Ms. Henslee, I was sitting on my back porch this evening, and someone drove by riding a Harley Davidson motorcycle with a defective exhaust system. My community has strictly enforced noise and smog ordnances, and this person was clearly in violation of the law. I shouted at the rider, whereupon he rode across and damaged my lawn. I would like to bring a trespass against him, but I could not identify him. However, I can identify the make, model, year and colour of the hog. I went to your Web site, and I noticed that Harley Davidson does not include a readily accessible database of warranty registrations or, indeed, any other information that will assist me to identify the violator.

"As you surely can appreciate based on your comments concerning the WHOIS database, your provision of this information would certainly help in bringing this lawbreaker to justice, as well as anyone who uses a Harley Davidson product to violate the law. As I’m sure you’re aware, despite the fine reputation enjoyed by Harley, and my own admiration for your machines, there is an element of the subculture associated with your company’s product which has been known to demonstrate a pattern of unlawful behaviour such as gang activity and drug transportation. Many of them may own more than one motorcycle. So, I’m sure there is considerable demand for this data.

"Since there doesn’t appear to be a convenient database, is there some way that I can arrange to purchase the names, postal addresses, email addresses, and telephone and fax numbers of people who own Harley Davidson motorcycles? If I send the description to you, will you help me identify the owner?" ®

 Got a ticket? Get a record. EU-US data handover deal leaks

By John Lettice

Posted: 03/02/2004 at 16:19 GMT

Stay up to date wherever you are, with The Register Mobile

Statewatch has obtained a copy of the draft agreement on the transfer of EU airlines' passenger records to the US Department of Homeland Security. The text gives full details of the deal struck between the European Commission and the DHS, and leaves the strong impression that the Commission, rather than protecting (the ostensible purpose of the EU-US discussions) the personal data of its citizens, is an accomplice in its export.

Statewatch also notes that the Commission's intention to make a statement of "adequacy" for the agreement under the 1995 Data Protection Directive leaves the European Parliament with limited scope for intervention. It can only do so if it takes the view that the draft implementing measure "would exceed the implementing powers provided for in the basic instrument." Which would seem a fairly reasonable view to take, but the point is that the default is that the deal will go ahead, unless Parliament stands up and shouts.

The draft agreement (text here) gives a full list of the PNR (Passenger Name Record) fields required, and is (perhaps unintentionally) revealing regarding the DHS' pursuit of broader personal data. "Additional personal information sought as a direct result of PNR data will be obtained from sources outside the government only through lawful channels [well that's good to know...], and only for legitimate counter-terrorism or law enforcement purposes." The simple statement of "law enforcement purposes" here flags potential mission-creep; the rider specifying international crime only which the Commission had inserted seems to have fallen off already.

The document goes on to give credit card transaction information and email records as examples of the kinds of further information that might be sought on the basis of a PNR. This information will, it tells us, be obtained via US "lawful process", following "US statutory requirement" or "other processes as authorized by law." Us law, we presume.

So the data you have to give the airline in order to fly will be passed to the US authorities, and may be used as a trigger for further research by the US authorities into your habits. The deal makes reference to the possibility of the EU adopting a similar system, and as and when that happens we expect the two sides to resist the notion of pooling their databanks for, oh, a couple of minutes? Note also that the current enthusiasm for profiling, the idea being to identify possible threats from people who aren't known, and have no record, absolutely requires broad data capture, use and retention. Course we've got to compile records on people who're innocent - otherwise, how could we confirm they're innocent?

And anyway, innocent people have nothing to hide. Or they soon won't have... ®