Skip to main content

Posts

Showing posts from 2004

If it's on your image, you must patch it

Patches were released and risk assessment on Microsoft Internet Explorer vulnerabilities was requested. I'm sorry to report that risk assessment of this particular type is rather simple. I can describe it in three steps. (1) The risk of the vulnerability being exploited is real, and high. The nature of the vulnerability itself doesn't much factor into the assessment. What matters most is how many systems do you have running the software with the vulnerability, and how important are those systems. If history is any guide, these vulnerabilities will be exploited by dozens, hundreds, or even thousands of variants of malware, over the next days, weeks, and months. Recently announced vulnerabilities affecting the Microsoft Internet Explorer can be used to install and execute software on the system, when that system has accessed a malicious or benevolent-but-compromised web site. Vulnerabilities like this one have been exploited by literally hundreds of bits of malware i...

Slow Scanners & Sniffer worms

The discovery of the W32/Sdbot-UJ worm, which employed the technique of network sniffing, has shone a bit of light on a dark corner of the worm universe. W32/Sdbot-UJ has sometimes been reported as the first worm to perform network sniffing, but almost certainly it was not. It may have been the first such to be captured and analyzed by an AntiVirus vendor, I don't know. This worm employs a technique thought for years by some security professionals to be used by "slow scanners". I say "thought to be used" because it turns out this particular class of worms is difficult to study and not perceived universally as much of a threat. Some professionals even dispute whether Slow Scanners exist, yet. (Everyone seems to agree that if they don't, they will soon enough.) Slow Scanner worms are not widely reported in the media, partly because they are not as flashy as the worms that hit millions of machines in a day and whose propagation efforts are so aggressiv...

Exploit Chaining: Virus, Worm, and Malware Evolution

All y'all might be interested in these articles. I've slogged through hundreds in the last week of evenings, and these are some of the most interesting. The first few regard using Internet Explorer features and defects for installation of trojans. With last Tuesday's release of several new Windows and IE vulnerabilities, it became clear that it was possible to chain together remote-non-root exploits and local-root-exploits, to gain Administrator access on a Windows system remotely, though indirectly. It seemed to me at the time that this would be somewhat complicated and we probably wouldn't see these types of exploits until the universe had harvested the low-hanging-fruit of remote-root exploits. After reading up a bunch this week (someday there will be pop music bemoaning the lonely nights spent with google...) I'm revising that opinion. There already exist documented examples of complex MSIE-exploit-chaining malware in the world, so we can expect to see mo...

Virus naming & The Public Good

This appears to be a case where publicity about a particularly nasty worm has suffered because it was named something different by all the major antivirus vendors. Gaobot, which appears to be the Symantec name for this family of worms, isn't even in the title of this document. Microsoft machines and NDemon/Phatbot/Agobot Worms -- 19 Apr 2004 [Updated: 2004.04.27] It would be helpful to their customers if the AntiVirus vendors would agree to a common naming convention, and certain other standards related to identity of malware threats. A checksum should be provided with all descriptions, as well as standardized means to reference the known capabilities of threats. This probably won't happen unless an open source project, perhaps related to ClamAV finds itself so strong that the weaker AntiVirus companies suddenly find it to their advantage to play along. It's more likely that Microsoft will kill off the weaker AntiVirus vendors before that happens. The stronger An...