In This Issue:
- Cisco Bug
- Protect Assets During a Layoff
- MS Security (Malformed Word Document Could Enable Macro to Run Automatically; NetMeeting Desktop Sharing Vulnerability; Outlook View Control Exposes Unsafe Functionality)
- Record High Virus Attacks
- Form W8888
- Identity Theft
- Trojans (Troj/Newsflood; Troj/PsychwardB; Troj/Slack)
- Macro Viruses (Variants; WM97/Ded-P; WM97/Gogaru; WM97/Marker-CS; WM97/Marker-GO/P/R; WM97/Myna-AS; WM97/Proverb-S; WM97/Ramz-A; WM97/Twopey-A; WM97/Wrench-P; XM97/Laroux-OD)
- Worms (VBS/Niloj-A; W32/Leave-A; W32/Linong; W32/Marijuana)
Administrivia
The Listbot service is moving to a paid format. Since I don’t want to institute mandatory subscription fees I’ve moved the newsletter to a list server maintained by my web hosting company: pair.com. The list name is “CKnews” from the service “pairlist.net.”
Note: The signup mail talks about this being a mailing list you can post to and contains instructions for doing so. Ignore them. I’m setting up the list as an announcement list (i.e., newsletter) only, so you will not be able to post to the list. It also says a password will be periodically mailed. It won’t. I just can’t seem to suppress all the verbiage. 🙁
Thank you for your patience.
General Security
Cisco Bug. At the end of June the Computer Emergency Response Team (CERT) warned of a bug in Cisco routers. This bug is fairly serious and could allow hackers to disrupt or intercept Internet traffic. The bug affects Cisco routers/switches running IOS, the company’s operating software. It is part of the Web-server portion of the software, a server which allows remote control by administrators. Visit the Cisco Web site for more information, a software upgrade, and a workaround. There are no reports of an exploit.
Protect Assets During a Layoff. OK, your company has to lay some people off; some of these are even in the computer department and might hold the “keys to the kingdom” for your network and systems. What to do? Here are some things to consider (some obvious, some not):
- Change passwords.
- Delete sensitive accounts.
- Review all access controls.
- Change phone numbers in the modem pool (or at least reassign them so those that attached to sensitive computers no longer do).
- Say what you are going to do, but don’t give too much notice. Too much notice gives people time to plant time bombs and do other damage.
- NEVER tell people there will be a layoff and then leave systems unattended.
- Consider changing access controls before the layoff (to prevent the planting of hostile code) and then again after since the people might have learned the new access controls and be able to exploit them.
Keep in mind that in 90% of the cases you should have no problems at all. Be honest and people will be honest back. You take the actions above to protect yourself from the 10% who will try to retaliate. And, you have to ask yourself if you can really know who they are…
MS Security. Microsoft has issued a number of new security bulletins this past month. Please see all current alerts at:
http://www.microsoft.com/security/default.asp
- Malformed Word Document Could Enable Macro to Run Automatically. Normally, Word scans a document for macros and either asks you if you want to run them or, if you’ve chosen to allow trusted macros, runs them automatically. The vulnerability allows an untrusted macro to run without that check. This macro could perform any actions, including changing the security settings in Word. A patch is available. For more info see: http://www.microsoft.com/technet/security/bulletin/ms01-034.mspx
- NetMeeting Desktop Sharing Vulnerability. This is a variation of a previously-reported vulnerability. For more info see: http://www.microsoft.com/technet/security/bulletin/ms00-077.mspx
- Outlook View Control Exposes Unsafe Functionality. There is a security problem with the ActiveX control in Outlook which lets Outlook mail folders be viewed via web pages. Designed to simply passively display information, the control actually has a function that could enable an attacker to manipulate Outlook data (i.e., change your calendar, etc.) or, through a script, run arbitrary code on your computer. This could even be done through a hostile web page. A patch is being developed but, in the meantime, disable ActiveX controls in the Internet Zone. For more info:
http://www.microsoft.com/technet/security/bulletin/MS01-038.mspx
General Interest
Record High Virus Attacks. A Japanese study has determined that virus infection there during January through May of 2001 was three times higher than during the same period in 2000. The three main offenders were Hybris, MTX, and Magistr.
Form W8888. Yet another social engineering trick has popped up. This time you are sent a form supposedly from the U.S. Government. You are to fill it out and send it back by fax to a number given (supposedly the government office). A careful look at the document, however, reveals it’s simply trying to collect important information with which to steal your identity! For example, the form asks for your mother’s maiden name. Why would any government agency need to know that? More importantly (and this would be the clear giveaway) the form asks for your father’s maiden name! Don’t fall for such schemes. After someone steals your identity you must be on the alert for the rest of your life.
In a related scam, you are sent a notice that a particular company will process your tax refund for you (the one that the government is going to send you this year without your doing anything!). Just send them $12.95 for this service.
Please don’t fall for these sorts of things.
Identity Theft. One of the basic security measures you can take to help identify and fight identity theft is to periodically check your credit report(s). This is cheap insurance and should be done about once a year. Details on how to do this are at the Web site for each of the three large credit-reporting bureaus:
- Experian (http://www.experian.com/) or (800) 311-4769
- Equifax (http://www.equifax.com/) or (800) 685-1111
- Transunion (http://www.transunion.com/) or (800) 916-8800
Virus News
There are a number of new viruses described this month. They are listed below.
Don’t forget our virus tutorial site.
More complete descriptions of most of these viruses can be found at the Sophos or F-Secure web sites:
http://www.sophos.com/virusinfo/analyses/
http://www.datafellows.com/v-descs/
Trojans. These important new Trojans appeared recently:
- Troj/Newsflood. A Trojan that connects to news.hispeed.ch and posts child porn messages to one or more of a variety of newsgroups. There is no common “From” or “Subject” header.
- Troj/PsychwardB. A backdoor Trojan that allows others to access your computer when the Trojan is active. It stores a copy of itself in the Windows directory and sets the registry so it runs on system start.
- Troj/Slack. A Trojan that, when active, establishes a connection with a specific IRC (chat) channel and accepts commands from that channel. These commands allow the Trojan to be used in distributed denial-of-service attacks. The Trojan resides in the Windows directory and runs on system start via a registry setting. The Trojan also periodically attempts to update itself over the Internet from a specific Web site.
Macro Viruses. A number of macro viruses have been announced this past month. Below is a summary of the more important ones:
- Variants. The following variants have been observed but generally carry no payload: WM97/Myna-AT, WM97/Thus-EQ
- WM97/Ded-P. A polymorphic virus infecting Word documents.
- WM97/Gogaru. A beast that actually resides on a remote server and is called by a template embedded into an RTF file. This takes advantage of a Word bug that allows such access without question. A patch is available to fix this bug and should be applied. For more info see: http://www.microsoft.com/technet/security/bulletin/MS01-028.mspx
- WM97/Marker-CS. A Marker variant. Its payload tries to fill the Windows directory with up to 999999991 files named AA?AA.DOC (? = a number from 1 to 999999991).
- WM97/Marker-GO/P/R. Marker-C variants that, while corrupted, still try to FTP user info to the Codebreakers Web site. This info is also added to the macro.
- WM97/Myna-AS. A Myna variant which activates when the computer’s clock shows the number of minutes past the hour to be the same as the date (e.g., 5 minutes past on the 5th of the month). When activated the virus adds 10 pentagons in random colors/sizes to the document.
- WM97/Proverb-S. A Proverb variant that displays messages in Russian either via a message box or the Office Assistant.
- WM97/Ramz-A. A minor Word macro virus. It contains Portuguese text (AntiMacro – By Pacheco) which is not displayed.
- WM97/Twopey-A. A Word macro virus. It modifies the Summary Information and disables the Visual Basic Editor.
- WM97/Wrench-P. A Word macro virus that interferes with your ability to change fonts or print a document (the Office Assistant displays instead). Attempts to look at viral code bring a VBA error. One text copy of the code is in the file ASCII.VXD in the root directory.
- XM97/Laroux-OD. A Laroux variant. This one uses PERSONAL.XLS in XLSTART to replicate.
Worms. A number of worms have been announced this past month. Below is a summary of the more important ones:
- VBS/Niloj-A. A VBScript worm. It copies itself to the file !!JOLIN_CAUGHT_NAKED!!!!.JPG.VBS in both the Windows and System directories. The worm tries to distribute itself via mIRC (chat) or Outlook.
- W32/Leave-A. A worm which depends on the SubSeven Trojan already being established and running on the affected computer. The worm installs itself as the file REGSV.EXE in the Windows System directory and sets the registry to cause it to run at system start. When run, the worm checks to see if the computer is logged into the Internet. If so, the file BIN.DLL will be requested from remote servers (since disabled).
- W32/Linong. A worm that uses Outlook to spread. It is found in the files PCPOWER.EXE in the Windows directory and MYLINONG.EXE in the Windows System directory. The System directory is also loaded with MYLINONG.VBS, another copy of the worm. A third copy is also loaded into the System directory, this one with a name chosen from a list in the worm itself. When activated, the worm sends itself to all addresses in the Outlook address book. The attachment has a random name. The worm also creates hundreds of empty directories and sets the registry so it runs on system start.
- W32/Marijuana. An E-mail worm that sends itself to your Outlook address book. It resides in the file SYSTEM32.EXE in the Windows directory and sets the registry to run on system start. In addition, the worm puts a marijuana leaf icon in the system tray (which displays a legalize marijuana statement) and sets your home page to “http://my.marijuana.com”. Additionally, the Windows registered owner becomes “Im A Pot Head!” from the organization “Stoner’s Pot Palace”. At 4:20pm each day the worm causes your computer to remind you “It’s 4:20, Time to toke up :)”.
In closing: DON’T FORGET that we’re changing from the Listbot service to Pairlist to manage the mailing list for the newsletter.