New Worm Installs Sniffer
fmorgan writes "Netcraft just posted a note saying that a new worm installs a network sniffer in the infected computers." When I read these things it kind of makes me wonder why it took this long. Update: 09/13 22:47 GMT by T :
More innovation: Ant writes "The Register has a story about a piece of malware that 'talks' to victims. The Amus email worm uses Windows Speech Engine (which is built-in to Windows XP) to deliver a curious message to infected users.
The message reads: "How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule." ("Gule. Gule" is Turkish for "Bye. Bye". "Hamsi" is a small fish, like an anchovy, found in the Black Sea).
F-Secure has a copy of the sound file generated by the message."
If only the worm installed a Swiffer (Score:5, Funny)
A sniffer would still be helpful... (Score:5, Funny)
"It is time to empty the litter box."
or
"Please do your laundry."
or
"Are you really sure you want to eat that leftover pizza?"
or
"For the love of god, please try deodorant. Any deodorant."
Of course, there are also downsides, like your stash of coke always vanishing.
Re:A sniffer would still be helpful... (Score:5, Funny)
we could use this one at my work...
Re:A sniffer would still be helpful... (Score:3, Funny)
The tools are there, use them.
Re:A sniffer would still be helpful... (Score:3, Informative)
If I forget, Mrs. Underfoot lets me know by leaving a present in the middle of the floor. Believe me, I rarely forget.
"Please do your laundry."
Done on an as-needed basis. I'll run out, and live off the least-wrinkled shirts until the weekend.
"Are you really sure you want to eat that leftover pizza?"
Of-fricken-course! Pizza is the only food I've ever had that's even better microwaved than fresh.
"For the love of god, please try deodorant. Any deodorant."
Wh
Re:HACKED BY CHINESE (Score:5, Informative)
More technical details (Score:5, Informative)
Network Propagation and Exploits
This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability present on Windows XP systems, which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised. Read more on this vulnerability from the following link:
It also takes advantage of the Buffer Overflow in SQL Server 2000 vulnerability. Read more on this vulnerability from the following link:
This worm also exploits the IIS5/WEBDAV buffer overrun vulnerability affecting Windows NT platforms, which enables arbitrary codes to execute on the server. The following link offers more information from Microsoft about this vulnerability:
It also exploits the Windows LSASS vulnerability. This is a buffer overrun vulnerability that allows remote code execution. Once successfully exploited, a remote attacker is able to gain full control of the affected system. For more information about this vulnerability, refer to the following Microsoft Web site:
This worm spreads via network shares, using NetBEUI functions to get available lists of user names and passwords. It then searches for and lists down the following shared folders, where it drops a copy of itself using the gathered information:
Re:More technical details (Score:3, Funny)
Re:More technical details (Score:5, Funny)
yep! (Score:5, Informative)
Do you really think there are 55,000 viruses in the wild?
Yea yea, I worked for symantec for a couple of years.
Re:yep! (Score:5, Interesting)
Not that they'd need to do it at this point, but talk about your perpetual business model...
Re:yep! (Score:5, Interesting)
Imagine the publicity if an anti-virus software vendor were able to prove that a virus was produced by one of its competitors.
Re:yep! (Score:3, Interesting)
Re:yep! (Score:3, Insightful)
Re:More technical details (Score:3)
Re:More technical details (Score:3, Informative)
use the postal service's bandwidth
Re:More technical details (Score:3, Interesting)
Doing proactive fixes like this should be better than reactively fixing holes as they appear, so it would be interesting to know how well this latest feature works.
Also I never really understood why there are always so many buffer overrun problems in software, I know it's a bit more complex than
while(readdata() && bufferlimit--){}
but still...
DEP info (Score:3, Informative)
By default, software-enforced DEP only protects limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor.
--
I'm guessing MS runs its own software NX because it knows what memory these system binaries should and shouldn't be using. So even if it worked for DCOM/RPC it probably wouldn't work with the SQL server hole.
Hardware DEP is a whole different story.
Short and sweet thread on DEP here. [broadbandreports.com]
Actually, you can enable software DEP for all programs. There's a b
Re:More technical details (Score:3, Informative)
How much longer? (Score:5, Interesting)
Re:How much longer? (Score:4, Insightful)
uIP already exists... (Score:5, Informative)
New worms... (Score:5, Interesting)
http://www.vnunet.com/news/1158043 [vnunet.com]
The arnus worm speaks [zdnet.com] to infected users.
I don't know if I should laugh or cry. I just know I'm getting calls in the next few days because someone's computer says "How are you...".
Encrypt! (Score:5, Informative)
If you haven't already, it's time to get serious about encryption.
Re:Encrypt! (Score:5, Interesting)
Not that I'm against encryption or anything. But it won't necessarily stop your passwords from being stolen.
Re:Encrypt! (Score:3, Insightful)
The upshot is that all of those people who normally ignore virus alerts because they run Linux [Slashdot audience] need to confirm they encrypt everything and then go about ignoring these
Re:Encrypt! (Score:5, Interesting)
I stopped using it when I got my mac, because built in AES-128 is just easier than mucking about with encrypted disk drivers and suchlike. I don't have that much to keep secure anyway...just some receipts, beer recipes and incriminating photos
Beating keystroke loggers (Score:5, Informative)
Cumbersome, but it's something I do on untrusted computers like the ones in web cafés.
Re:Beating keystroke loggers (Score:4, Insightful)
Re:Encrypt! (Score:5, Informative)
> Sunday and it will still have been intercepted
> before it ever reaches your encryption software.
Indeed. But there's that nice Squirrelmail plugin that lets you use a virtual keyboard to enter your password
Rainer
A few points (Score:5, Interesting)
2. I love the fact that this worm drops itself as BLING.EXE
3. This worm uses carnivore network sniffer and checks for the following strings
As Taco said, I'm surprised it's taken this long. Considering it uses 5 patched vulnerabilities I'd say you deserve what you get in this case.
4. This is particularly... clever? It does all kinds of things that I would put in as feature requests for the perfect worm
I'm still waiting for the really bad one...
Re:A few points (Score:5, Interesting)
A really bad one would look for Excel/Word files and modify a couple of data entries in a huge list of numbers.
Kind of like someone breaking into the house, leaving something obnoxious under the fridge that starts smelling bad really gradually over a period of a few months.
Imagine the look on the PHB's face when 6 months down the line he realizes while doing some entries in the sheet that the p/e ratio is negative!
Re:A few points (Score:5, Funny)
the bad one (Score:5, Insightful)
If a document contains a person's name, email it to them.
I can see it now, salary spreadsheets and confidential memos flying around to the very people who are not allowed to see them...
Re:A few points (Score:5, Interesting)
They wait 'till you go to an HTTPS site and then they log your keystrokes. It's about cash money for the villains, and not doing anything to get caught.
Re:A few points (Score:4, Interesting)
Saw a graduate student reduced to sobbing over that last one...her teacher was a real prick and wouldn't take anything late for any reason and she had not been educated on the importance of multiple backups. It was 2 am the day before it was due and no amount of Norton Disk Doctor was going to save her (luckily, she'd been on a machine the day before and just shut it down, we had 13 of 20 pages autosaved). I had to call him the next day, and he didn't believe me. I wound up referring him to the head of academic computing, who essentially told the guy that this was the worst virus he'd ever seen and it would be utterly heartless not to give the girl an extension. Dr. Wolf was the MAN.
All of these spread via diskettes and public terminals. Be glad nobody's applied these concepts to an internet worm. We'd be fucked.
Re:A few points (Score:3, Interesting)
It attacked PC's via a hole in BlackICE firewall.
After reproducing for a little while, it began randomly overwriting sectors on the HD. Eventually your OS (and probably a lot of data) would be fubar.
URL: http://www.f-secure.com/v-descs/witty.shtml [f-secure.com]
Re:A few points (Score:4, Insightful)
Yeah, it would have been hell to type it all over again, but it would have beat having to rewrite it from scratch.
Re:A few points (Score:3, Interesting)
Re:A few points (Score:5, Funny)
Re:A few points (Score:3, Insightful)
This was part of my argument for the ridiculousness of a developer making an app delete a user's home directory when a pirated key is found.
1. user buys shareware. one of the honest 1%, if statistics can be believed.
2. user loses unique use of the shareware key to worm/keygen
3. shareware key spreads, and is labelled a pirate version
4. original user updates their shareware app, shareware app nukes their home folder.
Re:A few points (Score:4, Funny)
That's unpossible, isn't it?
I'm still waiting... (Score:3, Interesting)
Oh no (Score:4, Funny)
Oh no, I have said too much!
Damn you autopr0n, why, why did you have to die!!!
Re:Oh no (Score:4, Funny)
Thank you antifoidulus! I no longer feel so alone!
Easily avoided (Score:3, Funny)
Squawker (Score:5, Interesting)
Proper switches will defeat the sniffer (Score:5, Informative)
Re:Proper switches will defeat the sniffer (Score:3, Informative)
All home routers I've seen (dlink, linksys, smc, belkin) do route, but only between the outside and the inside. On the inside, the 4 ports are on a regular hub, so no routing. This is appropriate for the normal usage pattern, 4 computers connected through the router to the evil internet. The sniffer would work fine. If the thing can sniff bank-account passwords from victims' home computers, it should give the author more
Re:Proper switches will defeat the sniffer (Score:5, Informative)
Hubs are collapsed ethernet busses: Every attached device can see every ethernet frame sent by any other attached device.
Switches work on a higher layer: They inspect the frames and send only broadcast frames to all devices. For the rest of the frames, they maintain a table of MAC-layer addresses of all devices attached to the switch ports. Targeted frames only get sent to the port to which the target device is connected.
Routers work on an even higher level: They inspect IP packets and do with them about the same as what switches do with ethernet frames. Routers are generally more flexible about the rules regarding the packet flow than switches. It is not uncommon for routers to have the ability to perform switch-like ethernet level functions as well, but conceptually routing and switching are two different beasts.
At least cheap home switches can be tricked into passing frames to the "wrong" ports in several ways. One method is to flood the MAC-address-to-port table. Most switches then fall back into hub mode. Generally speaking, non-manageable switches and switches without clearly-defined reactions to MAC flooding are not security devices. You should assume that an attacker can read your packets on a switched network.
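The learning-table behaviour described above, as an added example that is not part of the original thread: a toy layer-2 switch model (made-up class, port numbers, table size and MAC addresses) that learns source MACs per port, evicts the oldest entry when its table is full, and floods unknown-destination frames like a hub. The second scenario adds a per-port MAC limit (the "port security" style reaction the comment says cheap switches lack) so the sprayed addresses are dropped and alerted on instead of evicting the legitimate entries.

```python
"""Toy switch model: why a full MAC table turns a switch into a hub.

Added example for illustration; the switch, its table size, the per-port
limit and all MAC addresses are constructed, not taken from any product.
"""
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class ToySwitch:
    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_size = table_size
        self.max_macs_per_port = max_macs_per_port  # None = no port security
        self.table = OrderedDict()                  # src MAC -> port, oldest first
        self.alerts = []                            # (port, mac) violations seen

    def forward(self, in_port, src, dst):
        """Learn src on in_port, then return the list of egress ports for dst."""
        if src in self.table:
            self.table[src] = in_port           # refresh an existing entry
            self.table.move_to_end(src)
        else:
            if self.max_macs_per_port is not None:
                learned_here = sum(1 for p in self.table.values() if p == in_port)
                if learned_here >= self.max_macs_per_port:
                    # Port-security violation: drop the frame and record it
                    self.alerts.append((in_port, src))
                    return []
            if len(self.table) >= self.table_size:
                self.table.popitem(last=False)  # evict the oldest entry
            self.table[src] = in_port
        # Broadcast or unknown destination: flood to every other port (hub behaviour)
        if dst == BROADCAST or dst not in self.table:
            return [p for p in self.ports if p != in_port]
        return [self.table[dst]]


def simulate_flood(port_security):
    """Two hosts plus one port spraying bogus source MACs; returns
    (ports that host A's unicast to host B is sent out of, violation count)."""
    sw = ToySwitch(ports=[1, 2, 3], table_size=4,
                   max_macs_per_port=2 if port_security else None)
    host_a, host_b = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    sw.forward(1, host_a, BROADCAST)   # A (port 1) announces itself
    sw.forward(2, host_b, BROADCAST)   # B (port 2) announces itself
    for i in range(20):                # port 3 sprays 20 constructed source MACs
        sw.forward(3, f"02:00:00:00:00:{i:02x}", BROADCAST)
    return sw.forward(1, host_a, host_b), len(sw.alerts)


if __name__ == "__main__":
    print("no port security :", simulate_flood(False))   # A->B also reaches port 3
    print("port security    :", simulate_flood(True))    # A->B stays on port 2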
Proper switches cannot always defeat a sniffer (Score:5, Informative)
Re:Proper switches will defeat the sniffer (Score:3, Informative)
Switches don't route, they switch: they're a layer 2 device.
I have an AU$25 switch that *is* a switch. I've tested it (not hard to test: I used tcpdump). No one seems to be building hubs anymore because it's become so damn cheap to build a switch.
Also the "switching" nature of a switch is more for performance reasons rather than security. A switch can store the packets in a small buffer the
Non-malicious worms (Score:5, Insightful)
I often wonder the same thing. With all the different worms that infect unpatched Windows machines, why hasn't someone written one that effectively deletes everything on the machine just short of rendering itself unable to propagate?
Re:Non-malicious worms (Score:4, Informative)
Is it just me.... (Score:5, Funny)
Re:Is it just me.... (Score:5, Funny)
Hackers Vs RIAA (Score:3, Funny)
Re:Hackers Vs RIAA (Score:3, Insightful)
I don't know about you.... (Score:4, Funny)
Re:I don't know about you.... (Score:3, Funny)
Scary (Score:4, Insightful)
Re:Scary (Score:3, Insightful)
The only thing that Linux has got going for itself right now is security through obscurity. If Linux ever becomes popular as a desktop platform, I'm willing to bet my life that we'll start seeing worms targeting it, too.
Re:Scary (Score:3, Insightful)
Compare this to windows, which has no easy way to disable dcom, rpc, and such.
Re:Scary (Score:4, Insightful)
In fact, the average user either got a copy of Windows with their computer and never upgraded it, or they pirated a version of Windows and are not able to download updates. They always say the same thing too. "Oh, I'm just one computer out on the net! They'd never notice my computer out there!"
That's why I think Internet usage should require a license. If you connect to it without knowing what you're doing, you're putting everyone in danger. Potentially at least as much danger as broadcasting on a ham radio without knowing what you're doing.
Re:Scary (Score:3, Funny)
You just participated in a living language. Screw the pedants and their rules.
I dont even get the purpose.... (Score:4, Interesting)
Then the evil person doesn't have to deal with all the encryption mumbo-jumbo.
Re:I dont even get the purpose.... (Score:3, Informative)
What if someone made a worm that just........ (Score:5, Interesting)
Re:What if someone made a worm that just........ (Score:5, Insightful)
Would people get pissed? HELL YES.
I recall one particularly annoying weekend when my computer DVD player stopped working. Something screwed up or something - whatever it was, the damn video was not being decoded properly.
Tried everything I could think of. New Drive, New Drivers, endless newsgroup searching, blah blah blah to no avail.
Then it occurred to me that between the time that my DVD player last worked and then did not, I had installed Win2k SP4.
So just as a test I went and uninstalled the bastard, everything worked FINE after that - with the original HW/SW configuration.
So now I'm not installing SP4 because it BREAKS MY SYSTEM - not because I'm unaware of it, or too stupid to install it.
I don't need nor want some dumbass "I'm smarter than you, and doing this for your own good" 1337 prick trying to install SP4 for me.
Re:What if someone made a worm that just........ (Score:3, Insightful)
A worm like this would only be able to get into computers that are unprotected, so assuming you're a security conscious fellow, you wouldn't have to worry about it. Now, if your computer was vulnerable, wouldn't it be better that your computer gets patched (and possibly screws up your dvd player) than having an unprotected machine waiting to get hosed by some hacker?
I'm actu
I installed my sniffer on a computer once... (Score:4, Funny)
Use of switches? (Score:3, Insightful)
Re:Use of switches? (Score:3, Interesting)
Packet sniffers are not a good thing to have just running, but an auto-propagating one is even worse, and should not be taken lightly.
One reason I quit fixing Windows (Score:4, Interesting)
I've been telling my old 'customers' that I'm retired. I then tell them that I will give them support for free for life if they buy a Mac.
This is usually met with, 'Wha? Really?"
Yup. I'm enjoying the stories of crazy Windows happenings, virus mystery, and constant crashing (Yeah, XP is ok, but not when you have 127 viruses, trojans, spyware and keyloggers all vying for a clock cycle and outgoing port.)
And I'm especially loving not working on Windows boxes.
Re:One reason I quit fixing Windows (Score:4, Insightful)
Your argument against OSX holds against linux/BSD/whatever open source OS. As soon as the number of users reaches critical mass, it becomes "profitable" for virus writers. More so as zombie machines are being used as bulk mailers. And you can bet the farm that in a few years, those zombies will be used for much more stuff than simple spamming. How about al-qaeda brute-forcing entry to a big bank by using 100.000 PCs to crack the password, and then simply start transferring tiny amounts of cash around. It would take days before someone noticed, and by then it would be practically impossible to restore from backup.
IMHO, the real evil on the net still has to rise. The virii and script kiddies you see today are just the scouts of the first reconnaissance divisions of the army of the black lord.
What's new about that? (Score:4, Informative)
What's new about that?
Network sniffers installed on compromised machines is the ENTIRE REASON DMZs were invented - so the network sniffer can only sniff the DMZ, not the LAN behind the second packet-filtering router/bridge.
DMZs have been standard practice for over a decade. If there's anything new about this, it's just that it's the first time a worm in the wild has been identified as installing a sniffer.
But that's hardly surprising. The explosion of professionally-engineered worms is quite recent, as is consumer-level deployment of multi-machine LANs behind firewall+NAT appliances. (I'd expect packet-sniffing cracks aimed at businesses to be more targeted rather than worm-style scatterguns, if only to reduce their chances of discovery.) Seems to me the time became ripe JUST NOW for general deployment of a sniffer-installing Microsoft-exploiting worm.
Re:What's new about that? (Score:3, Informative)
Servers on the DMZ provide services to the rest of the net, and thus are hosts that can be attacked through vulnerabilities in their service-providing protocols. This made such servers the likely points of compromise. Putting them on a DMZ that is isolated from
oh no (Score:4, Funny)
We could all be doooooooomed!
SSL for everything (Score:5, Interesting)
And regarding another thing, how come so many services require a certificate (such as SSL with email, imap, pop, etc) rather than auto-negotiating it like SSH does?
Re:SSL for everything (Score:3, Informative)
The idea is that you can verify the certificate belongs to who it says it belongs to (like www.yourbank.com), without exchanging any other communication (such as SSH's fingerprints) - you just verify the site's signature from Verisign (or whomever). SSH relies on you confirming the fingerprint the first time you connect.
You can generate your own SSL certs if you don't c
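The SSH side of the comparison above, as an added example that is not part of the original thread: a small trust-on-first-use store (made-up class and host names, constructed key bytes) that computes an OpenSSH-style SHA256 fingerprint of a server key, records it the first time a host is seen, and flags any later connection whose key no longer matches. That mismatch is the one signal the SSH model gives you, which is why the first-connection confirmation the comment mentions matters.

```python
"""Trust-on-first-use host key pinning, the way an SSH known_hosts file works.

Added example for illustration; KnownHosts, the host names and the key blobs
are constructed here and are not taken from any SSH implementation.
"""
import base64
import hashlib


def ssh_fingerprint(pubkey_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of the key hash."""
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class KnownHosts:
    """Pins the first key fingerprint seen for each host (no CA involved)."""

    def __init__(self):
        self.pins = {}  # host -> fingerprint

    def check(self, host: str, pubkey_blob: bytes, accept_new) -> str:
        """Return 'pinned' (first contact, user accepted), 'rejected'
        (first contact, user declined), 'ok' (key matches the pin) or
        'MISMATCH' (key changed since it was pinned: do not proceed)."""
        fp = ssh_fingerprint(pubkey_blob)
        if host not in self.pins:
            # First contact: the only check available is the user confirming fp
            if not accept_new(host, fp):
                return "rejected"
            self.pins[host] = fp
            return "pinned"
        return "ok" if self.pins[host] == fp else "MISMATCH"


def demo():
    kh = KnownHosts()
    always_yes = lambda host, fp: True          # stands in for the user's prompt
    key_a, key_b = b"constructed-key-A", b"constructed-key-B"
    first = kh.check("mail.example", key_a, always_yes)
    again = kh.check("mail.example", key_a, always_yes)
    changed = kh.check("mail.example", key_b, always_yes)  # new key: alert
    return first, again, changed


if __name__ == "__main__":
    print(demo())   # ('pinned', 'ok', 'MISMATCH')
```

A certificate-based client skips the first-contact prompt because it checks the server's identity against a CA it already trusts; the TOFU client above has nothing to compare to on first contact and relies entirely on the user reading the fingerprint.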
Re:SSL for everything (Score:3, Informative)
as for services--I don't believe any of the SSH clients can run as a service.. I'd be very surprised if there isn't some software out there that could do that though--would be a good project
Question (Score:3, Informative)
Seems like a fairly simple exploit.
A machine on one of our networks.... (Score:5, Interesting)
I think I must have got hit by an early-adopter version.
Re:A machine on one of our networks.... (Score:3, Funny)
*envy*
You got selected to be a beta tester of a virus! That is so 1337 man
Worms are just like any other software (Score:5, Interesting)
And it's the same with worms. Rather than hand-coding them in assembly to get them in under 1000 bytes (or whatever) they can now be developed with good tools, useful libraries, and they can have all kinds of extra functionality built in. So expect worms with more features as we go along.
It's time to really start thinking about security-by-design. VM systems like Java, or capability-based systems like EROS [eros-os.org] are the way we are going to finally squish these worms. I'm so tired of helping relatives with anti-virus software. There shouldn't be anti-virus software. Operating systems shouldn't allow viruses and worms to exist. Security problems like this are not an inherent part of software.
Re:Worms are just like any other software (Score:4, Funny)
So all I have to do is wait a couple more years! Then I will buy a naked machine, connect it to the internet, and in minutes a full OS will be installed by a worm! The best part is that it will probably be more up to date than the Windows machines spreading this garbage.
Maybe I should patch emacs to propagate itself and get the jump on the script kiddies ;)
Comment removed (Score:5, Funny)
Re:Need one that does some damage (Score:4, Funny)
Heck, I'm still waiting for the one that uses the infected PC's existing saved emails to attach itself to and forward itself with. It'll be "funny" when major corporate executives start having their private, confidential, Microsoft(r) Outlook(tm) corporate emails spewed out to random people on the internet along with the virus...corporate budget planning emails, deal negotiations...it's all there...
SSL wouldn't help with a key stroke logger (Score:3, Insightful)
Mmmm, cos that would prevent the key stroke logger from working. It's probably more dangerous if you are using SSL, as you will have that warm fuzzy feeling that all is well, and you'll tap away all your privatest things.
Bad encryption is worse than no encryption.
Many unswitched networks still exist (Score:3, Informative)
Every mid-level enthusiast home network I've known was just running a dumb hub, and I'm also familiar with a university that ran hubs per floor in the dorms (you couldn't get floor 8's data on floor 9, but as for everyone on floor 9...). This worm still has a plenty big playground.
As usual these useless virus alerts lack info. (Score:5, Insightful)
What windows vulnerabilities is it using?
Is it an email attachment? What is the attachment called?
For christ sake...
Love, Zaq
Re:As usual these useless virus alerts lack info. (Score:3, Informative)
Why did it take this long? (Score:5, Insightful)
Request for virus writers: (Score:3, Funny)
Propagation:
Scan random IP addresses, use multiple Windows exploits, etc. This part has been done a thousand times before, no need to reinvent the wheel.
Payload:
1. The worm itself
2. Grub for Dos [yginfo.net]
3. The contents of a network install disk [redhat.com]
Behavior:
1. Upon infection, the worm will install Grub for Dos, and copy the contents of the network boot disk into c:\boot, but will not modify the boot.ini file.
2. The worm process will run in the background, and attempt to propagate itself.
3. At a predefined interval, the worm will pop up a window that says: "Your computer has been infected by the so-and-so worm. To install Linux and prevent this from ever happening again, click OK." (This worm should be socially responsible. We don't want to force Linux on the masses, just gently persuade them using Windows lack of security as a tool.)
4. Continue to propagate as long as the user clicks "Cancel".
5. When the user clicks "OK":
5a. ping a mirror list [redhat.com] to find the fastest mirror
5b. write a kickstart [linuxdevcenter.com] to the boot directory to use that mirror.
5c. modify the boot.ini file to boot Grub.
5d. Reboot the machine, and it shall be cleansed!
Not the first talking virus (Score:4, Interesting)
The Lobotomy Virus! (Score:4, Funny)
AMAZING. The first virus that has the capacity to destroy not only the victim's computer, but his BRAIN as well. I swear, these guys need to start hiring professional comedians to do their dirty work, or we're all screwed.
PromiscDetect (Score:5, Informative)
If you're using Linux, just run and look for the string "PROMISC".
If, however, you're using Windows, you need to get a utility called PromiscDetect [ntsecurity.nu]. Run it from a command prompt. If it indicates the Directed, Multicast and Broadcast filters are active, then you're probably OK.
Source: Computerworld [computerworld.com]
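The Linux check described above, as an added example that is not part of the original post: instead of grepping interface output by eye, this script (made-up function names) reads each interface's flags word from sysfs and tests the IFF_PROMISC bit (0x100, from the kernel's if.h), which is the same flag the "PROMISC" string reflects. The sysfs path is the standard one, but the sample flag values in the usage are constructed.

```python
"""Report Linux interfaces that are in promiscuous mode via /sys/class/net.

Added example for illustration; promisc_interfaces() and is_promisc() are
made-up helper names. IFF_PROMISC is the kernel's flag value.
"""
import os

IFF_PROMISC = 0x100   # interface receives all frames, not just its own


def is_promisc(flags_text: str) -> bool:
    """Parse the hex flags word as printed by /sys/class/net/<if>/flags."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_interfaces(sysfs_net="/sys/class/net"):
    """Return the sorted names of interfaces whose IFF_PROMISC flag is set.
    An absent or unreadable sysfs tree yields an empty list rather than an error."""
    found = []
    try:
        names = sorted(os.listdir(sysfs_net))
    except OSError:
        return found
    for name in names:
        flags_path = os.path.join(sysfs_net, name, "flags")
        try:
            with open(flags_path) as fh:
                if is_promisc(fh.read()):
                    found.append(name)
        except (OSError, ValueError):
            continue   # virtual entries without a flags file, or odd contents
    return found


if __name__ == "__main__":
    # Constructed sample values: UP|BROADCAST|MULTICAST with and without PROMISC
    print(is_promisc("0x1003"), is_promisc("0x1103"))   # False True
    hits = promisc_interfaces()
    print("promiscuous interfaces:", hits or "none")
```

A hit is a reason to look, not proof of a sniffer: a packet capture tool or a bridge member legitimately sets the same flag, and the reverse caveat from the comment still applies (the flag only tells you what the kernel reports).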
Comment removed (Score:5, Informative)
Re:Best AntiVirus? Help... (Score:3, Informative)
Re:A question... (Score:3, Informative)