Lock IT Down: New generation of attacks pose increasing security challenges

New worm, virus, and security vulnerabilities are analyzed for potential attacks on enterprise networks

Two of the latest virus threats have risen above the nuisance level: Swen/Gibe-f and the Qhosts Trojan. Swen can be well blocked using prudent business practices. Since it directs users to download an attachment claiming to be a security patch, Swen should be effective only against the most naive of users. But corporate networks are also becoming infected, indicating inadequate control over users and/or poor use training.

Also, according to a new Symantec report, the viruses in recent months are more sophisticated than the majority of earlier attacks. They also follow more closely on the heels of the disclosure of the vulnerability, which increases the pressure on administrators to get fixes in place quickly. If the number of virus reports you've seen lately seems high, you're right. Symantec confirms this by saying that it has recorded 994 unique new viruses and worms for Windows systems in just the first half of 2003, up from 445 for the same period last year (2002).

Details: Swen and Qhosts
The security firm, Sophos, suggests that Swen and similar virus attacks can be thwarted by using a program to block e-mail attachments at the server. Of course, Sophos just happens to sell such a product, MailMonitor for SMTP. Nevertheless, it is a good suggestion. Since Swen and some other new viruses spread mostly through KaaZa, businesses should remove any peer-to-peer file sharing software. This is good advice in general, since these P2P apps are often used to share pornography or illegal music files and have little legitimate business use. Computer Associates also has a detailed report on Swen.

The Qhosts Trojan, which infects systems through a malicious banner ad, takes advantage of a faulty security patch, or at least one that failed to plug all the holes. Microsoft Security Bulletin MS03-032 addressed a threat to Internet Explorer based on an Open Type vulnerability. Unfortunately, on September 8, Microsoft amended the August 20 bulletin to indicate that the included patch didn't fix all of the similar vulnerabilities found in Internet Explorer. On October 3, Microsoft released an updated patch (MS03-040) that should block the hole Qhosts is exploiting. Other malware is still actively penetrating systems that didn't get the patch provided in MS03-032.

The Qhosts Trojan redirects searches away from Google and other popular search engines to other servers. It also redirects all DNS requests to a new server, including those that might have been handled locally, causing significant problems on some systems. The apparent motive is to profit from the number of visits or click-throughs.

CERT Vulnerability Note VU#865940 details the Qhosts threat and says that it isn't aware of any complete workaround for this vulnerability. IE, Outlook, and Outlook Express, along with any other program using the WebBrowser ActiveX control or MSHTML (the HTML rendering engine in IE), are vulnerable. At least the newer versions of Outlook and Outlook Express open e-mail in the Restricted sites zone, which disables ActiveX by default.

The patch provided with MS03-032 prevents HTML applications from executing in some, but not all, instances. CERT says it has confirmed reports of HTML applications executing when the requisite HTML is generated by data binding. Although the cumulative patch in MS03-040 may fix this problem, this is the fifth patch this yearthat addresses similar problems in IE, following MS03-004, MS03-015, MS03-020, and MS03-032. So, although the patch is necessary, it probably shouldn't be viewed as the final word on this type of flaw in IE.

In addition, eEye Digital Security says this hole is actually a data tag vulnerability. eEye also discovered an Open Type vulnerability earlier, and similar vulnerabilities have existed in IE for several years. The only real workaround is either to disable versions of IE later than 5, along with Outlook and Outlook Express, or to disable support for Active Scripting.

New generation of threats
A hallmark of many of the latest generation of Trojans and viruses is that they actually have a commercial motive. Some direct users to pornographic or other sites hosting ads on a pay-per-visit basis. Obviously, redirecting users to these sites can result in increased income. The development and spread of these threats may be more than mere vandalism. Once the profit motive is added into the mixture, attacks are likely to become more serious—and, if the term is appropriate in this context, more professional.

Symantec released its semi-annual Internet Security Threat Reporton October 1. There's no good news for administrators in the report, which is based, in large part, on data from 20,000 sensors buried in the company's global DeepSight threat analysis system. The most important and worrisome part of the report is the analysis showing that most new virus attacks are targeting vulnerabilities known about for less than one year, and nearly 40 percent take advantage of software flaws that have been known for less than six months.

This is a major concern because it used to take a long time for virus and worm writers to develop and spread new attacks. Each year, the SANS/FBI analysis of the top most exploited vulnerabilities has been full of attacks on holes more than a year old, often taking advantage of exploits that have been known for as long as two years.

Shorter time periods between the announcement of a flaw and the launch of an exploit means that already overburdened administrators must react even more quickly to plug holes, either with workarounds or by applying patches.

Blended threats, which use a combination of vulnerabilities and new malicious code to exploit them, now account for 60 percent of all significant attacks, a 20-percent increase over last year.

Slammer and Blaster both spread around the world in a matter of a few hours, and Blaster hit servers less than 30 days after the vulnerability was announced.

So far this year, the overall attacks on corporate systems have increased by 19 percent, accounting for an average of 38 attacks per week per corporation for the subscribers to DeepSight.

Symantec also reports an overall increase of 12 percent in newly discovered vulnerabilities, 80 percent of which can be remotely exploited. The number of moderate threats increased by 21 percent, and high-risk vulnerabilities went up by 6 percent in 2003. Symantec considered about 70 percent of the new vulnerabilities to be easy to exploit, often because downloadable exploit code was readily available or not even needed.

Final word
Other than indicating that the general threat level is increasing and that administrators need to be proactive in blocking attacks, there is little practical application for the report from Symantec. It emphasizes only the standard advice about prompt patching, turning off unneeded services, carefully configuring your firewall, and not opening attachments.

Also watch out for…
Microsoft, which is constantly criticized for the number of patches required to maintain its software and for the fact that the patches are sometimes less than completely tested before release, is apparently changing its strategy for securing Windows systems. According to a report, Microsoft will focus instead on securing the perimeter with better firewall configurations and improved use of antivirus software. You may recall that Microsoft recently sent shockwaves through the antivirus industry when it announced the acquisition of a European antivirus software vendor. Although Microsoft will continue to try to produce better code and release patches on a timely basis, it seems to have recognized the fact that many managers are unwilling or simply unable to apply all the patches; hence, their systems remain vulnerable to known holes in applications and operating systems.

Editor's Picks