Tag Archives: Sasser

KL’s Airport Gets Infected

image

If there’s one place you hope you won’t get infected by a computer virus, it’s an airport.

It’s not just that the virus may fiddle with your departure times; it’s the wider possibility that the virus may have infected more sensitive parts of the airport: ticketing, say, or—heaven forbid—flight control.

Kuala Lumpur International Airport—Malaysia’s main international airport—was on Friday infected by the W32.Downadup worm, which exploits a vulnerability in Windows Microsoft patched back in October. The worm, according to Symantec, does a number of things, creating an http server on the compromised computer, deletes restore points, downloads other file and then starts spreading itself to other computers.

image

Enlargement of the photo above. The notification says Symantec Antivirus has found the worm, but has not been able to clean or quarantine the file.

KL airport clearly isn’t keeping a tight rein on its security. The virus alert pictured above is at least 12 hours old and the vulnerability it exploits had been patched up a month before. Says Graham Cluley of UK-based security software company Sophos: “What’s disturbing to me is that over a month later, the airport hasn’t applied what was declared to be an extremely critical patch, and one which is being exploited by malware in the wild.”

What’s more worrying is that this isn’t the first time. It’s the first time I’ve noticed an infection on their departures/arrivals board, but one traveller spotted something similar a year and a half ago, with a Symantec Antivirus message popping up on one of the monitors. I saw a Symantec Antivirus message on one monitor that said it had “encountered a problem and needs to close”, suggesting that the worm had succeeded in disabling the airport’s own antivirus defences:

image

So how serious is all this? Cluely says: “Well, it’s obviously a nuisance to many people, and maybe could cause some disruption.. but I think this is just the most “visible” sign of what may be a more widespread infection inside the airport.  I would be more concerned if ticketing and other computer systems were affected by the same attack.”

He points to computer viruses affecting other airports in recent years: In 2003, Continental Airlines checkin desks were knocked out by the Slammer worm. A year later, Sasser was blamed for leaving 300,000 Australian commuters stranded, and BA flights were also delayed.

For me, the bottom line about airports and air travel is confidence. As a traveler I need to feel confident that the people deciding which planes I fly and when are on top of basic security issues. And that doesn’t mean just frisking me at the gate. It also means keeping the computer systems that run the airport safe. This is probably just sloppy computer habits but what if it wasn’t? What if it was a worm preparing for a much more targeted threat, aimed specifically at air traffic?

(I’ve asked KL International Airport and Symantec for comment.)

More On Korgo

More on the phishing worm I mentioned in a previous post.

Mikko H. Hypponen of F-Secure has passed on a little more information. He says it’s “pretty big, but still far away from outbreaks like Sasser or Mydoom”. So far “at least 50,000 machines are infected worldwide, possibly more”. He says Korgo does “specifically target at least three online banking systems, but I don’t want to go into details”. But since it also “collects anything typed at the computer keyword, it basically targets any bank where users can access their account without a one-time password”. That would mean a lot of data to shovel back to scam HQ; I’m assuming it limits keylogging to when the user is browsing, but Mikko doesn’t say more on that.

He points out that while this is the first automatic — in other words, it doesn’t use email or other methods to get around — worm to do this bank website keylogging, it’s not the first virus. In fact, the same Russian hacker group he believes is responsible for this worm, the HangUP Team, were also believed to be behind Webber and Banker, two other bank-related viruses.

Mikko also reminds us of the history of bank-related viruses, including the Bugbear.B worm, which contained a long list of target banks, and collected cached passwords. Which I suppose raises the old question: Does a phisher have to involve some sort of social engineering to be a phisher? Given that the guys doing this kind of thing all seem to be members of the same gang, does it matter what name we give it?

Are The Worm Wars Over?

German police on Friday arrested two men: an 18-year old man in Rotenburg in connection with the Sasser worm, and a 21-year old who confessed to creating a bot called Agobot or Phatbot.

A lot of folk believe the gang responsible for the Sasser worm may also be responsible for the Netsky worms, which have been infecting computer users for most of this year. Sophos’ Graham Cluley, for example, says, “If you scrutinize the most recent Netsky worm, you can see that the author embedded a taunt to anti-virus companies, bragging that he also wrote the Sasser worm. If this is the case, this could be one of the most significant cybercrime arrests of all time.”

Cluely goes on to say: “All these worms have been highly disruptive and complex, suggesting that the author isn’t working alone. Seizing this man’s computers could provide the vital clues that will bring down the infamous ‘Skynet’ virus-writing gang. We would not be surprised if more arrests follow in due course.”

What I’m interested in are claims that the people behind these attacks were not just doing it for fun, but for money, by setting up chains of zombie computers and then selling the connections to spammers and fraudsters. Could this also shed light on the Russian and Eastern European underworld, or are the groups not connected?

How Bad Was Sasser?

Just how bad was Sasser? Here’s a list, courtesy of F-Secure, of places and companies affected by the worm:

  • County hospital in Lund, Sweden (5000 computers and X-ray equipment offline)
  • European Commission in Brussels (1200 machines offline)
  • Coastguard in UK (19 regional offices offline)
  • British Airways in UK (flights delayed)
  • Westpac Bank in Australia (offices and call centers closed)
  • Post Office systems in Taiwan (1600 machines offline, 400 offices affected)
  • Heathrow airport in UK (computers at one terminal offline)
  • Public courts in Cantabria, Spain
  • Hong Kong government systems
  • State hospital of Hong Kong
  • Suntrust Bank in USA
  • American Express in USA
  • Nova University in USA

In other words, quite a lot. Part of the problem is that it hit at the weekend — probably deliberately. Very few institutions keep their tech support at full levels then — some don’t have any at all. That, or they use weekends to perform upgrades, which leaves systems even more vulnerable.

The Australian Financial Review quoted David Morgan, chief executive of Westpac Bank, as saying that the bank was in the midst of installing the three-week old patch which would have protected it against Sasser when the worm hit. “The perpetrators of the virus moved more quickly than us . . . and caused that disruption to our network,” David Morgan was quoted as saying. Result: 800 computers knocked offline and staff forced back to pen and paper for nearly two days.

The Sasser Worm

Four years after LoveLetter, there’s a new worm out, and it looks bad.

Panda Software says Sasser “has positioned itself as one of the quickest-spreading and virulent ones”. Already two variants of the worm are out, according to F-Secure.

Panda says the worm uses a trick that “means practically all Microsoft systems will be affected, making millions of computers exposed to infection by this worm virus”. This is because the worm — or its variants, it’s not quite clear to me which — use the same computer port as Windows uses to share folders and printers over the Internet. So, “large companies which have remote users that go on line via virtual networks or which work with laptops without corporate firewall protection may go online on Monday and find themselves affected by the virus even though they have the patch installed and the antivirus upgraded”, Panda warns.

Sasser makes use of a vulnerability that is about 26 days old. It can spread and execute without the user doing anything. Panda sees the worm moving faster than Blaster: Blaster affected 2.5% of computers in the first few hours of its attack, while Sasser.B is nearing 3% in just 24 hours.

If infected, the computer will restart every time the user tries to go on line, change the registry and put a file, avserve.exe, in the Windows folder or, in some cases, put a warning in a Windows menu warning of problems with LSA Shell or errors in Isass.exe. It doesn’t seem to actually do any damage to computers, or to prep itself to download something worse. But who knows?

Solution? Install Microsoft updates as soon as possible and upgrade your antivirus protection. If you think you’re infected, use the Microsoft scanning tool to check. Then again, as F-Secure points out helpfully, if you are infected, you might not make it to that page before your machine is rebooted again. If you are infected, use F-Secure’s Free F-Sasser Tool to clean the worm from your machine. You also need to install the Windows patches to prevent you from getting reinfected.

Not everyone is worried about it: F-Secure believe many larger companies have already installed the updates necessary to be protected, and says the situation is still “relatively calm”. That said, eWeek has pointed out that an early version of the Microsoft patch for this vulnerability itself caused some Windows 2000 systems to lock up. Oh, and the Microsoft website about Sasser misspells ‘Bulletin’ making me wonder for a second whether it wasn’t itself a phishing site. Tsk, tsk.