The rapid spread and equally rapid reengineering of some recent worms may be explained in large part by a raging war of words among the creators of the Bagle, MyDoom, and NetSky worms. At the end of February and beginning of March, there was a brief period when new versions of these worms were appearing every few hours.
It turns out that hidden in the Bagle’s worm code is a nasty message attacking NetSky’s creator. According to a brief report in IT Vibe, MyDoom also contains text attacking the person or people behind NetSky. News.com also has a report on this battle among the worm authors.
If this war continues or even starts a trend, this could be a bad year for IT professionals facing feuding malware coders battling each other to see who can produce the fastest-spreading and most destructive worms and viruses. At least one variant of NetSky already attempts to remove any Bagle version it finds on an infected computer, so this is more than just a war of words.
Antivirus software can provide false security
A guest author on United Kingdom-based Vnunet.com has looked at the recent surge of warnings from antivirus companies concerning the spate of NetSky and Bagle versions, and calls most of the warnings “total rubbish.” Nick Scales, chief executive of Avecho, says that all the blame assigned to users for the spread of malware is misplaced because, instead of pushing more powerful antivirus software, companies should focus on reminding users to never open any attachments they aren’t expecting.
That may seem like a pretty obvious idea but, judging by the rapid spread of simple worms such as NetSky, Bagle, and MyDoom, which don’t take advantage of any new “holes” in operating systems or browsers, it's advice that a lot of people are ignoring.
Scales blames antivirus companies for a great deal of the current wave of malware, saying that they give users a false sense of security by making it seem that they don't have to worry about the attachments they open as long as they keep antivirus software up to date.
Expecting antivirus software to completely protect users is, of course, silly. These days, many viruses and worms appear, spread to thousands or even millions of machines, and die a natural death in a few hours, far faster than antivirus software updates can be distributed (except maybe some automated corporate antivirus systems). While huge online mail services such as Yahoo probably get some antivirus updates before a piece of malware becomes really widespread, most businesses and home users update their antivirus software only on a weekly or even monthly basis.
You can hardly blame antivirus companies if they fail to teach users how easy it really is to stop the spread of most malware. After all, they don’t make money because people are careful; rather, they profit from carelessness (and helping users overcome their carelessness). But, at some point, people will have to wise up and stop opening attachments they aren’t expecting in order to curb the spread of viruses and worms. And antivirus vendors who want to be known as “security” firms should bear some responsibility to start reinforcing that message.
I tell my clients to merely avoid the use of attachments as much as possible and not to open any attachments that they aren't expecting (even if they come from trusted sources). It's amazing how much these simple steps can keep systems free from a very large percentage of viruses and worms.
Also watch for…
- Mandrake Corporate Server 2.x and Linux 9.x have moderately severe libxml2 vulnerabilities (CAN-2004-0110). Updates are available.
- Mandrake Linux 9.x has a moderately severe pwlib vulnerability (CAN-2004-0097), which can result in a denial of service event. An update is available.
- Debian has released a fix for libxml and libxml2 vulnerabilities found in Debian GNU/Linux 3.0.
- OpenLinux Server 3.x and Workstation 3.x have a vulnerability in gnugp that can lead to ID spoofing and possible disclosure of confidential files (CAN-2003-0971). Users should update to version 3.1.1 for both the server and workstation versions. SCO has also issued an update addressing three tcpdump DoS vulnerabilities, namely CAN-2003-0989, CAN-2004-0055, and CAN-2004-0057.
- According to TheInquirer.net, eEye Digital Security reports finding a serious vulnerability in Apple’s QuickTime Player. The company apparently notified Apple of the threat on Feb. 18. As of this writing, no fix was available from Apple for the vulnerability, which can allow an attacker to run arbitrary code on any machine running QuickTime Player.
- eEye also recently published a report about some serious vulnerabilities in several versions of the ISS RealSecure/BlackICE Server Message Block packet handling. If you run BlackICE, RealSecure, or Preventa, you should look over the report to see if you're running a vulnerable version.
- Adobe’s Acrobat Reader, which few people seem to update very often even though it's free, has an XML Forms Data Buffer Overrun vulnerability in an older version (5.1) that can give a remote attacker access to the system. This vulnerability isn’t found in the current version, so users should consider updating.
- As part of the company’s move to harden its software, Microsoft reports that it will release a major upgrade to Windows XP. The Internet Connection Firewall (ICF) is being renamed "Windows Firewall." Service Pack 2 will turn on the firewall by default, and there will be a number of changes to the way the firewall works.
One big change will be in the way Windows XP manages the opening and closing of ports, an action previously handled by applications (or at least should have been, but it often wasn’t done properly).
Once installed, SP2 will enable administrators (and only those with administrator-level privileges) to create a white list for approved applications to automate port management. Any application that doesn’t use stateful filtering but does need to open firewall ports should be placed on the white list.
Some other important changes will reduce the impact of buffer overruns and other common vulnerabilities without any increased management chores. Many of the changes in Windows XP SP2 will also affect developers, so Microsoft has already released some details about the upcoming upgrade. (See MSDN Security Developer Center for more details.)
- Watch out for F-Secure! According to TerraNet, the Finland-based security firm’s London office inadvertently sent a virus to thousands of the firm’s British clients. Fortunately, it was NetSky.B, a version already old enough at the time of the mistake that F-Secure’s clients were mostly protected against it. Again, remember to open only those attachments you are expecting—no matter who they come from!