Tag Archives: Computer worms

Korgo Clarified

More on Korgo; I wish I could say it was the last. But the good news is that it does not seem to be the all-in-one ‘phishing worm’ F-Secure said it was.

F-Secure has clarified the situation over the Internet worm Korgo, which seems to answer some of the questions in my earlier posting. Korgo does not include a keylogger, nor any code to steal banking info. But, F-Secure says, “it seems that the Hangup Team (virus group behind the worm) is actively installing a keylogging trojan known as Padodor to the infected computers.” This is done via a backdoor left by Korgo.

Padodor collects anything typed to any web forms, and specifically logs bank logins for users of some international banks. Padodor is not the same as Padobot, which is one of the aliases of Korgo. Bottom line, according to F-Secure: “Not all machines infected by Korgo have Padobot, and Padobot can be found on machines which are not infected by Korgo.” (In fact, I may be wrong but I think F-Secure mean Padodor here: “Not all machines infected by Korgo have Padodor, and Padodor can be found on machines which are not infected by Korgo.” No?)

The thing here is that a worm does the distribution work, infecting computers. Then there’s the bot, or trojan, that is the payload. This is the bit that does the money-generating work. That can either be loaded onto computers as part of the original worm, or else it can be loaded later via the backdoor left by the original worm. So here F-Secure has mistakenly assumed the keylogging bit was part of Korgo, which it wasn’t.

The Sasser Worm

Four years after LoveLetter, there’s a new worm out, and it looks bad.

Panda Software says Sasser “has positioned itself as one of the quickest-spreading and virulent ones”. Already two variants of the worm are out, according to F-Secure.

Panda says the worm uses a trick that “means practically all Microsoft systems will be affected, making millions of computers exposed to infection by this worm virus”. This is because the worm — or its variants, it’s not quite clear to me which — uses the same computer port as Windows uses to share folders and printers over the Internet. So, “large companies which have remote users that go on line via virtual networks or which work with laptops without corporate firewall protection may go online on Monday and find themselves affected by the virus even though they have the patch installed and the antivirus upgraded”, Panda warns.

Sasser makes use of a vulnerability that is about 26 days old. It can spread and execute without the user doing anything. Panda sees the worm moving faster than Blaster: Blaster affected 2.5% of computers in the first few hours of its attack, while Sasser.B is nearing 3% in just 24 hours.

If infected, the computer will restart every time the user tries to go on line; the worm changes the registry and puts a file, avserve.exe, in the Windows folder or, in some cases, puts a warning in a Windows menu about problems with LSA Shell or errors in lsass.exe. It doesn’t seem to actually do any damage to computers, or to prep itself to download something worse. But who knows?

Solution? Install Microsoft updates as soon as possible and upgrade your antivirus protection. If you think you’re infected, use the Microsoft scanning tool to check. Then again, as F-Secure points out helpfully, if you are infected, you might not make it to that page before your machine is rebooted again. If you are infected, use F-Secure’s Free F-Sasser Tool to clean the worm from your machine. You also need to install the Windows patches to prevent you from getting reinfected.

Not everyone is worried about it: F-Secure believe many larger companies have already installed the updates necessary to be protected, and says the situation is still “relatively calm”. That said, eWeek has pointed out that an early version of the Microsoft patch for this vulnerability itself caused some Windows 2000 systems to lock up. Oh, and the Microsoft website about Sasser misspells ‘Bulletin’ making me wonder for a second whether it wasn’t itself a phishing site. Tsk, tsk.

Keeping Out The Worms

Can we really keep out worms?

An interesting piece from Information Security Magazine takes a look at a range of “antiworm” products which promise to contain worms by weeding out bad traffic. Among them: Mirage Networks, ForeScout, Check Point Software Technologies, Silicon Defense and IBM.

They use different approaches, the article says: some look for unfulfilled Address Resolution Protocol requests, some rely on anomaly detection, and others automatically isolate compromised hosts. Others redirect worm traffic to a quarantined area to buy time to isolate the worm while keeping systems available. Still others try to limit the spread of a virus by ‘throttling’ it, i.e. limiting the number of Internet connections an infected computer can have.
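As an added illustration (not from the article or any of the vendors it names), here is a toy Python version of two of these heuristics: flagging hosts whose ARP requests mostly go unanswered, the way a worm probing non-existent neighbours does, and a simple connection throttle. The ARP trace, addresses and thresholds are all constructed.

```python
"""Added illustration of two 'antiworm' heuristics the article mentions:
unfulfilled ARP requests and connection throttling. All data is constructed."""
from collections import defaultdict
import re
# Constructed trace: 10.0.0.5 probes neighbours that do not exist (worm-like).
ARP_LOG = """\
arp who-has 10.0.0.7 tell 10.0.0.2
arp reply 10.0.0.7 is-at aa:bb:cc:00:00:07
arp who-has 10.0.0.31 tell 10.0.0.5
arp who-has 10.0.0.32 tell 10.0.0.5
arp who-has 10.0.0.33 tell 10.0.0.5
arp who-has 10.0.0.34 tell 10.0.0.5
arp who-has 10.0.0.7 tell 10.0.0.5
arp reply 10.0.0.7 is-at aa:bb:cc:00:00:07
"""
REQ = re.compile(r"arp who-has (\S+) tell (\S+)")
REP = re.compile(r"arp reply (\S+) is-at")

def unfulfilled_arp(log, min_requests=4, min_ratio=0.75):
    """Requester -> fraction of its distinct ARP targets that never replied."""
    asked = defaultdict(set)   # requester -> distinct targets queried
    answered = set()           # targets that replied at least once
    for line in log.splitlines():
        req, rep = REQ.search(line), REP.search(line)
        if req:
            asked[req.group(2)].add(req.group(1))
        elif rep:
            answered.add(rep.group(1))
    flagged = {}
    for host, targets in asked.items():
        ratio = len(targets - answered) / len(targets)
        if len(targets) >= min_requests and ratio >= min_ratio:
            flagged[host] = ratio   # mostly-unanswered scanner
    return flagged

def throttle(events, per_second=5):
    """Let each host reach at most per_second *new* destinations per second;
    return the (host, dest) pairs that would be held back."""
    allowed = defaultdict(set)   # (host, second) -> destinations let through
    delayed = []
    for ts, host, dest in events:   # (timestamp_seconds, src_host, dest)
        bucket = allowed[(host, int(ts))]
        if dest in bucket:          # repeat contact, not a new destination
            continue
        if len(bucket) >= per_second:
            delayed.append((host, dest))
        else:
            bucket.add(dest)
    return delayed
```

The ARP check is blind to a worm that only probes addresses that exist, and the throttle only slows spread rather than stopping it, which is the article's point that none of these is a complete answer.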

Interesting article, but in the end we don’t know exactly what the next worm will do, so aren’t we back at square one, of always being wise after the event, like all anti-virus software? Or am I missing something?

The Lingering Damage Of Worms

Worms cause a lot of problems, long after we’ve forgotten about them.

Sandvine Incorporated, a network hardware provider, says that worm attacks are hitting internet service provider networks, “degrading the broadband experience for home Internet users and imposing anywhere from thousands to millions (of dollars) in unplanned network and customer support costs directly related to thwarting attacks”. This includes “the cost of specialised tactical response teams, swamping of customer support resources, inflated transit costs and perhaps most damaging over the long term, a loss of brand equity that aggravates the industry-wide problem of customer churn.”

Interestingly, Sandvine also point to another type of expensive worm activity: “persistent, low-level attack traffic caused by remnants of previous worms that tenaciously cling-on to residential subscriber PCs”. The bottom line: On any given day, approximately 5 per cent of home users are “infected by some kind of worm and either actively propagating it or generating malicious traffic”.

This lingering damage doesn’t surprise me. My understanding out here in dial-up land is that many users don’t have the bandwidth to download patches or updates, and don’t have the money to subscribe to anti-virus services, but they still stay online unless their ISP cracks down on them. That’s a lot of people connecting their infected computers to the Internet and pumping out viruses and worms we thought we’d seen the last of.

Happy Birthday, SoBig

A press release from email security folks MessageLabs points out that tomorrow is the first anniversary of the SoBig.A worm’s debut. SoBig.A (the A bit means it was the first of a stream of worms that were somehow based on the SoBig worm) wasn’t just any kind of worm, MessageLabs point out. SoBig.A was unique in being the first virus to use convergence techniques to create maximum havoc.

Basically this means SoBig.A didn’t just do one thing. It incorporated both spamming and virus writing techniques — infecting hundreds of thousands of computers worldwide, installing open proxies on compromised machines, which were then used to disseminate spam — unknown to the users. To date, MessageLabs has intercepted 727,102 copies of the worm in 183 countries, and it continues to spread.

SoBig was so successful it’s now into version F, the most prolific virus to date. The SoBig family, MessageLabs say, has also served as the model for other viruses using convergence techniques, such as the Fizzer worm. MessageLabs predicts that this style of virus writing will be extensive during 2004.

Needless to say, this all helps blur the boundary between spammers, scammers, virus writers (and, probably, the Mob). Says David Banes, MessageLabs’ Technical Director Asia Pacific: “The success of SoBig has served as an inspiration to cyber criminals, and demonstrates what can be achieved when they work together.”

News: Wanted, Dead Or Alive: Virus Writers

Microsoft is a mite upset, and is offering a $500,000 reward to anyone who informs on the virus writers responsible for the Blaster and Sobig worms. (In August, if you recall, the Blaster-A worm infected many unprotected home and business computers, attempted to launch a denial of service attack against a critical Microsoft security update website, and, most importantly, mocked Microsoft chairman Bill Gates. The worm exploited a critical security hole in versions of Microsoft Windows. Just days later the Sobig-F worm, which spread on the Windows platform, bombarded email users around the world, clogging up email servers.)
 
Sophos, the anti-virus people, had this to say: “It’s no surprise to hear that they are fed up with this situation and prepared to offer a reward for the capture of these virus writers,” said Graham Cluley, senior technology consultant for Sophos. “There must be people out there in the computer underground who know who is responsible for the creation of these malicious worms. Offering a total of $500,000 will be a great temptation for someone to break their silence – and do all legitimate users of the Internet a favour.”

Update: Another Blaster Suspect Arrested

Another Blaster suspect has been arrested. Prosecutors refused to release any information about the suspect, not even the youth’s gender or home state, AP reported. The variant the juvenile allegedly created was known as “RPCSDBOT.”
 
No one yet knows who created the main version. Collectively, different versions of the virus-like worm, alternately called “LovSan” or “Blaster,” hit more than a million computers. It’s interesting the two detainees both appear to be Americans. But it doesn’t mean the author of the original was, nor does it mean their motives were the same.
 

Update: It Isn’t Over Until The Fat Lady Starts Writing Viruses

Fridrik Skulason’s open letter draws attention to another point: that while Sobig.F was scheduled to die out on Sept. 10, we might just have been lucky this time. He compares the two recent attacks — Sobig and Blaster — and concludes that if the guy or guys who write the next version of Sobig look closely, they may combine the two and create a real monster:
 
“With Sobig.F scheduled to die out today, Sept. 10th, the problem might go away for a while – until the next similar worm appears. And this is the scary part. Sobig.F didn’t really infect that many machines world-wide, maybe only 200.000 or so. This is only a fraction of the number of machines infected by Msblaster (Lovsan). Now imagine a worm combining the distribution method of Msblaster with the mass-mailing feature of Sobig.F. The flood of traffic might practically render the Internet unusable.
 
“Eventually, some virus author will create a virus like this, maybe this month, maybe in a few years, but it will happen.”

News: Two Young Fellas Nabbed For The TK Worm

Two young Brits have been charged in connection with the TK Worm (also known as Troj/TKBot-A), which appeared last year and caused an estimated £5.5 million worth of damage. Jordan Bradley, 20, of Bates Avenue, Darlington, and Andrew Harvey, 22, of Scardale Way, Durham, are believed by the National High Tech Crime Unit (NHTCU) to be members of a hacking group known as the “Thr34t-Krew” which launched the Trojan horse designed to break into internet-connected computers.
 
It’s something of a roll for law enforcement folks. Recently, two other young men were named in connection with variants of the Blaster internet worm. Jeffrey Lee Parson was arrested by the FBI in late August, and a Romanian man is believed to be assisting police with their enquiries. Meanwhile Simon Vallor, who served nine months in prison for creating three viruses, was released yesterday.

Update: Blaster B Suspect Is About To Be Arrested

There must be at least one frightened teenager out there today. AP reports that U.S. investigators have identified a teenager as one author of a version of the Blaster worm and plan to arrest him early Friday (U.S. time). A witness reportedly saw the teen testing the infection and called authorities, an official said. The worm and its variants infected more than 500,000 computers worldwide.
 
The “Blaster.B” version of the infection, which began spreading Aug. 13, was remarkably similar to the original Blaster worm that first struck two days earlier; experts said the author made few changes, renaming the infecting file from “msblast” to an anatomical reference. Can’t help feeling sorry for the kid. He is going down.