This is a variant of W32/Sdbot.worm which bears strong resemblance to the many other members of this rapidly growing family. It is detected as W32/Sdbot.worm.gen.j with the specified engine and DATs, and bears the following characteristics:
- propagates to machines vulnerable to the following exploits:
- propagates to machines with poorly secured network shares (weak username/password combinations)
- propagates to MySQL and Microsoft SQL servers that are poorly secured (again weak username/password combinations)
- propagates to remote machines (it generates random IPs) by attempting to copy itself to a number of shares
- provides a backdoor to the victim machine, thereby compromising data on that machine (significant remote access functionality is available to the hacker)
The ISC has some good commentary on protecting your networks. I for one agree with him totally.
SANS - Internet Storm Center - Handlers Diary January 28th 2005 Updated January 28th 2005 14:55 UTC (Handler: Matt Fearnow)
Corporations at large:
For most reading this, I’m preaching to the choir. The Beagle/Bagle variant, patches and mysql bot are all just examples of even if we don’t know what we are protecting, we should be doing better. With the addition of IPS devices, application filtering firewalls, etc.. etc.. there really should be no excuse of why some of this stuff continues to spread around the networks at large. You can’t continue to use just one piece of the technology, you have to
Defense in Depth
With that said, there are various things that companies can do, and very soon will be required to do to further protect these assets. VISA and MasterCard have both released requirements that companies will have to follow in order to process credit cards in the future. I think that we are finally on to something. It doesn’t matter how many times I’ve said to “x” company in the past that they need to do “y” now maybe they will start taking this advice more seriously than they would have previously done.
For some of us, protecting these networks is our day job, and allows us to continue to still be employed. So you might say that it is job security. But in the end we also get held responsible for what may or may not happen to these networks.
In the end I love what I do, and I can say that the work I do I take with pride. I often view the networks that I’m employed to protect, as my own, and treat them as such. And when something happens to them, I take a look back and learn from the mistakes I’ve made to better protect them.
Visa CISP information: http://tinyurl.com/4ph6h
MasterCard SDP information: https://sdp.mastercardintl.com/
The views expressed here are those of the handler on duty, and do not necessarily reflect the views of the ISC.
This one almost slipped under the radar with all the Bagles running around. Taking a look at the description, let’s hope that it stays that way. It looks a lot more advanced than past variants, but is currently rated at Low risk and so far this has not been seen in the wild.
http://secunia.com/virus_information/14934/mydoom.an/
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYDOOM%2EAN
http://www.f-secure.com/v-descs/mydoom_an.shtml
Info from Trend Micro’s site:
Upon execution, this mass-mailing worm drops a copy of itself in the Windows folder as SERVICES.EXE. This worm propagates via email. It looks for target email addresses from the Local Settings\Temporary Internet Files subfolders. Users are advised to be wary of email messages containing the following details. A sample email of this worm looks like this:
From: "Evan Gomez"
Subject: Christmas Greeting Card Waiting For You
Body: New Year Postcard from Chris
Attachment: Clyde_nude.pif
It prevents the user from accessing antivirus and security-related Web sites. It terminates certain antivirus processes.
This covers the three new variants that have come out the last few days.
Symantec Security Response - W32.Beagle@mm Removal Tool
http://securityresponse.symantec.com
Discovered on: January 19, 2004 Last Updated on: January 28, 2005 11:45:33 AM GMT
Removal tool link: http://securityresponse.symantec.com/avcenter/FxBeagle.exe
Symantec Security Response has developed a removal tool to clean infections of the following Beagle variants:
* W32.Beagle.A@mm * W32.Beagle.B@mm * W32.Beagle.C@mm * W32.Beagle.E@mm * W32.Beagle.F@mm * W32.Beagle.G@mm * W32.Beagle.H@mm * W32.Beagle.I@mm * W32.Beagle.J@mm * W32.Beagle.K@mm * W32.Beagle.U@mm * W32.Beagle.W@mm * W32.Beagle.X@mm * W32.Beagle.Y@mm * W32.Beagle.Z@mm * W32.Beagle.AB@mm * W32.Beagle.AC@mm * W32.Beagle.AG@mm * W32.Beagle.AO@mm * W32.Beagle.AR@mm * W32.Beagle.AU@mm * W32.Beagle.AV@mm * W32.Beagle.AW@mm * W32.Beagle.AY@mm * W32.Beagle.AZ@mm * W32.Beagle.BA@mm

If you have happened to see the main page of my blog, you may have noticed the picture of the superhero on the front, The Incomparable Hanford Man. Until now, the true origin of this courageous force against Evil was unknown. Now the City of Heroes archives have been opened and we can catch a glimpse of what really drives Hanford Man on his never-ending quest for justice. The answers can be found here: The Origin of Hanford Man 
Secunia Virus Information has issued a MEDIUM RISK alert for: Bagle.BA
Learn More About Bagle.BA Online At Secunia: http://secunia.com/virus_information/14931/
Starting with this morning’s edition, I will have a column called “Over the Horizon” that will be published in the Windows Secrets.com paid newsletter, which comes out twice a month. The newsletter itself is geared more towards home users, CIOs, and beginning IT admins: the kind of people that need to know what is going on in the world of Windows, but don’t necessarily need the level of detail that you see in other IT publications. My new column will focus on unpatched exploits and vulnerabilities, and how to protect yourself against them until a patch is available. I have included the introduction to my first post below, in case you wanted to check it out.
OVER THE HORIZON — protect yourself against unpatched exploits
Prevent yourself from becoming an Internet statistic
By Chris Mosby
The Internet can be a dangerous place in this day and age. It reminds me of the Old West, with bandits and highwaymen ready to rob your stagecoach at any moment. If you were lucky, the Marshal would come along in the nick of time and save you. At least that was how it worked in the movies.
Today, navigating the Internet isn't any different. There are hackers and spammers waiting around every virtual corner of the Web. You might have a "Marshal" to help you, in the form of anti-virus or firewall software. But this won't help you if there are unpatched holes in your browser or operating system, which allow hackers to quietly take over your PC.
This column is designed to minimize your risk to unpatched vulnerabilities. In each issue, I'll show you simple steps you can take to plug holes we're tracking until an official fix becomes available.
A big thanks to Rod Trent for recommending me to write the column; it is greatly appreciated!
Email me with any comments or suggestions about my blog.
Just more evidence that this variant is spreading as the day goes on.
Discovered on: January 26, 2005
Last Updated on: January 27, 2005 04:38:32 PM
W32.Beagle.AZ@mm is a mass-mailing worm that also spreads through file-sharing networks. The email will have a variable subject and attachment name. The attachment will have a .com, .cpl, .exe, or .scr file extension. Note: Virus definitions version 70126ax (extended version: 20050126.050) or greater are required to detect this threat.
SANS - Internet Storm Center - Another MySQL Bot update Handlers Diary January 27th 2005 Updated January 27th 2005 15:49 UTC (Handler: Deb Hale)
MySQL Bot
A "bot", exploiting vulnerable MySQL installs on Windows systems, has been spotted. It has infected a few thousand systems so far. As is typical for bots, infected systems will connect to an IRC server. The IRC server will instruct them to scan various /8 networks for other vulnerable mysql servers.
Infection Method
The bot uses the "MySQL UDF Dynamic Library Exploit". In order to launch the exploit, the bot first has to authenticate to mysql as 'root' user. A long list of passwords is included with the bot, and the bot will brute force the password.
Once connected, the bot will create a table called 'bla' using the database 'mysql'. The 'mysql' database is typically used to store administrative information like passwords, and is part of every mysql install. The only field in this database is a BLOB named 'line'.
Once the table is created, the executable is written into the table using an insert statement. Then, the content of the table is written to a file called 'app_result.dll' using 'select * from bla into dumpfile "app_result.dll"'. The 'bla' table is dropped once the file is created.
In order to execute the 'app_result.dll', the bot creates a mysql function called 'app_result' which uses the 'app_result.dll' file saved earlier. This function is executed, and as a result the bot is loaded and run.
Post Infection Behavior
The bot will now try to connect to one out of a number of IRC servers:
dummylandingzone.dyndns.org -> no such name
landingzone.dynamic-ip.us -> 212.105.105.214
dummylandingzone.dns2go.com -> 63.64.164.91
dummylandingzone.hn.org -> 212.105.105.214
dummylandingzone.dynu.com -> 212.105.105.214
zmoker.dns2go.com -> 63.64.164.91
landingzone.dynu.com -> 212.105.105.214
landingzone.ath.cx -> 212.105.105.214
dummylandingzone.ipupdater.com -> 212.105.105.214
The bot will connect to the IRC server on port 5002 or 5003. At this point, the IRC servers appear busy and unable to accept new connections. Note that dynamic DNS services are used. The IP addresses will likely change. Last time we were able to connect, about 8,500 hosts were connected to the IRC server.
The bot will connect to a channel called '#rampenstampen' using the key 'gratisporn'. The topic of the channel is set to '!adv.start mysql 80 10 0 132.x.x.x -a -r -s'. This will instruct the bot to scan random ips in '132.0.0.0/8' for mysql server. Throughout our observation, the topic was changed regularly. To be scanned networks included 10.0.0.0/8, likely an attempt to infect other mysql servers within a local network that is otherwise protected by a firewall.
So far, the bot has been identified as a version of 'Wootbot'. It appears to include the usual set of bot features like a DDOS engine, various scanners, commands to solicit information from infected systems (e.g. system stats, software registration keys and such).
Mitigation
This bot does not use any vulnerability in mysql. The fundamental weakness it uses is a weak 'root' account. The following mitigation methods will prevent exploitation:
Strong Password: Select a strong password, in particular for the 'root' account.
Restricted root account: Connections for any account can be limited to certain hosts in MySQL. This is in particular important for 'root'. If possible, 'root' should only be allowed to connect from the local host. MySQL will also allow you to force connections to use mysql's own SSL connection option.
Apply firewall rules: MySQL servers should not be exposed to the "wild outside". Block port 3306 and only allow access from selected hosts that require such access. Again, the use of ssh forwarding or SSL is highly recommended.
Detection
The port 3306 scanning should be quite obvious. If an infected host is not able to connect to the IRC server, you will still see port 5002 and 5003 connection attempts to the hosts shown above. If you have query logging configured on your DNS server, you will see lookups for the hostnames shown above. Note that the IPs will likely change over time.
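The three detection signals the diary names (a single source touching many hosts on 3306, connection attempts to the rendezvous IPs on 5002/5003, and DNS lookups for the dynamic-DNS names) can be pulled out of ordinary firewall and DNS logs. The script below is an added example, not ISC code: the log line formats and the scan threshold are assumptions, and the sample log lines are constructed; only the hostnames, IPs and ports come from the diary.

```python
import re
from collections import defaultdict

# Indicators copied from the diary above (dynamic DNS names; the IPs will change).
C2_HOSTNAMES = {
    "dummylandingzone.dyndns.org", "landingzone.dynamic-ip.us",
    "dummylandingzone.dns2go.com", "dummylandingzone.hn.org",
    "dummylandingzone.dynu.com", "zmoker.dns2go.com",
    "landingzone.dynu.com", "landingzone.ath.cx",
    "dummylandingzone.ipupdater.com",
}
C2_IPS = {"212.105.105.214", "63.64.164.91"}
C2_PORTS = {5002, 5003}
MYSQL_PORT = 3306
# Assumed tuning: one source touching this many distinct hosts on 3306 is a scanner.
SCAN_THRESHOLD = 20

# Assumed firewall log format: "<timestamp> <action> <src>:<sport> -> <dst>:<dport>"
FW_RE = re.compile(r"^\S+ \S+ (\S+?):(\d+) -> (\S+?):(\d+)$")
# Assumed DNS query log format: "<timestamp> query <client> <qname>"
DNS_RE = re.compile(r"^\S+ query (\S+) (\S+)$")


def analyze_firewall(lines):
    """Return 3306 scanners and attempts to reach the bot's IRC servers."""
    dests_on_3306 = defaultdict(set)
    c2_attempts = []
    for line in lines:
        m = FW_RE.match(line.strip())
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(3), int(m.group(4))
        if dport == MYSQL_PORT:
            dests_on_3306[src].add(dst)   # count distinct targets, not packets
        if dport in C2_PORTS and dst in C2_IPS:
            c2_attempts.append((src, dst, dport))
    scanners = sorted(s for s, d in dests_on_3306.items() if len(d) >= SCAN_THRESHOLD)
    return {"scanners": scanners, "c2_attempts": c2_attempts}


def analyze_dns(lines):
    """Return (client, qname) pairs for lookups of the bot's rendezvous names."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        qname = m.group(2).rstrip(".").lower()
        if qname in C2_HOSTNAMES:
            hits.append((m.group(1), qname))
    return hits


def sample_firewall_lines():
    """Constructed sample: one infected host sweeping 132.0.0.0/8 (the channel
    topic's target) and phoning home, plus one legitimate client that hits the
    same internal MySQL server 25 times and must not be flagged."""
    lines = []
    for i in range(25):
        lines.append(f"2005-01-27T15:00:{i:02d} DENY 10.1.2.3:3{i:04d} -> 132.10.{i}.7:3306")
    for i in range(25):
        lines.append(f"2005-01-27T15:01:{i:02d} ALLOW 10.1.5.9:4{i:04d} -> 10.1.5.10:3306")
    lines.append("2005-01-27T15:02:00 DENY 10.1.2.3:40001 -> 212.105.105.214:5002")
    lines.append("2005-01-27T15:02:01 DENY 10.1.2.3:40002 -> 63.64.164.91:5003")
    lines.append("2005-01-27T15:02:02 ALLOW 10.1.2.3:40003 -> 10.1.1.1:53")
    return lines


SAMPLE_DNS_LINES = [  # constructed
    "2005-01-27T15:02:02 query 10.1.2.3 landingzone.dynamic-ip.us.",
    "2005-01-27T15:02:03 query 10.1.7.7 www.example.com.",
]

if __name__ == "__main__":
    print(analyze_firewall(sample_firewall_lines()))
    print(analyze_dns(SAMPLE_DNS_LINES))
```

Counting distinct destinations per source rather than raw hit counts is what separates the infected host from a busy legitimate client; the DNS check is the more durable of the three, since the diary warns that the IPs behind the dynamic-DNS names will move.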
Credits
Thanks to Evan for providing the sample of Spoolcll.exe (md5sum 18d3fe6ebabc4bed7008a9d3cb3713b9), our malware list, in particular Joe Stewart of LURHQ (http://www.lurhq.com ), our handlers, and the members of the Whirlpool forum (http://forums.whirlpool.net.au/forum-replies.cfm?t=291921 ).
-------- Johannes Ullrich (filling in for Deb Hale)
With two new Bagle variants in as many days, and one of them rated Medium risk by Secunia, it looks like we need to sort out virus names again.
This is what I have gathered so far, if anyone sees something different, let me know. Threat level ratings are for the antivirus vendor’s website, unless otherwise noted, and can change at any time.
Symantec
W32.Beagle.AY@mm (level 2)
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.ay@mm.html
W32.Beagle.AZ@mm (level 2, part of Secunia’s Medium alert)
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.az@mm.html
McAfee
W32/Bagle.bj@MM (Medium, part of Secunia’s Medium alert)
http://vil.nai.com/vil/content/v_131351.htm
W32/Bagle.bk@MM (Low)
http://vil.nai.com/vil/content/v_131352.htm
Trend Micro
WORM_BAGLE.AY (Low)
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2EAY
WORM_BAGLE.AZ (Medium, part of Secunia’s Medium alert)
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2EAZ
F-Secure
Bagle.AY (Level 2, part of Secunia’s Medium Alert)
http://www.f-secure.com/v-descs/bagle_ay.shtml
Bagle.AX (None)
http://www.f-secure.com/v-descs/bagle_ax.shtml
Computer Associates
Win32.Bagle.AT (Low)
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41539
Win32.Bagle.AU (Low, part of Secunia’s Medium Alert)
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41543
Panda Software
Bagle.BK (Low, part of Secunia’s Medium Alert)
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=58283&sind=0
Bagle.BL (Low)
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=58299&sind=0
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis UPDATE: Possible MySQL Bot
We called this a worm earlier. However, after running a sample, it turns out that this is actually a bot. It will not start to scan until instructed to do so via IRC. The control server is at landingzone.dynamic-ip.us, which currently resolves to 212.105.105.214.
The bot is looking for mysql servers, and infecting Windows systems. The exact infection mechanism is not clear right now.
I am not sure which variant this is for, looks like Secunia has a mixture of the two in this alert.
Secunia Virus Information has issued a MEDIUM RISK alert for: Bagle.BK
Learn More About Bagle.BK Online At Secunia: http://secunia.com/virus_information/14901/
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis: Possible MySQL Worm
UPDATE: Possible MySQL Worm
We have reports about a possible MySQL worm. Right now, it appears to be hunting for Windows systems running MySQL. We have no details so far, and would greatly appreciate input (in particular code samples). Some discussion about this worm can be found here: http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=3
We do observe a significant rise in port 3306 scanning, which is likely caused by infected systems. http://isc.sans.org/port_details.php?port=3306&tarax=1 (at the time of this writing, about 4,000 distinct source IPs scanning were observed, up from about 500 during the prior days)
The worm creates a file called 'Spoolcll.exe' and has so far been named 'MySpooler'.
You should not expose any MySQL servers to unsolicited connections. If you run MySQL, make sure you block port 3306. MySQL can run without networking enabled, as long as you only connect to it from the local host (e.g. if a web server and mysql run on the same system, which is common for small websites). In order to turn off networking, start mysql with the --skip-networking option. You will however need networking if you use replication.
Like always: If you have to connect from remote systems to your mysql server, tunnel via ssh if possible. Other mitigation options are to enforce SSL encrypted connections (available in mysql 4.0 and later), limit access to certain hosts via firewall rules, and restrict access via mysql's access controls. And as always: Defense in depth. Implement as many of these options as possible, don't rely on one option by itself. If possible, run mysql in a chroot jail (this may require some adjustments to your applications).
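The mitigation advice in both ISC diaries above (a strong root password, root restricted to localhost, no network listener unless needed) and the infection method (a UDF registered against a DLL written with SELECT ... INTO DUMPFILE) can be turned into a quick audit of a server's account table, function table and my.cnf. This is an added example, not ISC or MySQL code: it works on constructed dumps so it runs offline, the sample hashes are placeholders, and the column names follow the 4.x-era mysql.user (user, host, Password); newer servers keep the hash in authentication_string.

```python
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def audit_users(rows):
    """rows: (user, host, password_hash) tuples, as returned by
    SELECT user, host, password FROM mysql.user on a 4.x server."""
    findings = []
    for user, host, pw in rows:
        if user == "root" and host not in LOCAL_HOSTS:
            findings.append(f"root may connect from '{host}': restrict it to localhost")
        if pw == "":
            findings.append(f"account '{user}'@'{host}' has an empty password")
        if user == "":
            findings.append(f"anonymous account reachable from '{host}': drop it")
    return findings


def audit_udfs(rows, approved=()):
    """rows: (name, dl) tuples from SELECT name, dl FROM mysql.func. The bot
    registers a function backed by a DLL it wrote with SELECT ... INTO DUMPFILE,
    so any library not on your approved list deserves a DROP FUNCTION review."""
    return [f"UDF '{name}' loads '{dl}': verify or DROP FUNCTION"
            for name, dl in rows if dl not in set(approved)]


def audit_config(my_cnf_text):
    """Flag a [mysqld] section that neither disables networking nor binds to a
    specific address; pair this with a firewall rule on 3306 either way."""
    opts, section = set(), None
    for raw in my_cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "mysqld":
            # my.cnf accepts skip_networking and skip-networking alike
            opts.add(line.split("=", 1)[0].strip().replace("_", "-"))
    findings = []
    if "skip-networking" not in opts and "bind-address" not in opts:
        findings.append("mysqld accepts TCP connections on every interface: "
                        "add skip-networking (or bind-address) and firewall port 3306")
    return findings


def audit(users, funcs, my_cnf_text):
    return audit_users(users) + audit_udfs(funcs) + audit_config(my_cnf_text)


# Constructed samples: a server the bot would walk into, and a hardened one.
WEAK_USERS = [("root", "%", ""), ("root", "localhost", "*CONSTRUCTED_HASH"), ("", "localhost", "")]
WEAK_FUNCS = [("app_result", "app_result.dll")]   # the names the diary reports
WEAK_CNF = "[mysqld]\nport=3306\n"
HARDENED_USERS = [("root", "localhost", "*CONSTRUCTED_HASH"),
                  ("webapp", "localhost", "*CONSTRUCTED_HASH")]
HARDENED_FUNCS = []
HARDENED_CNF = "[mysqld]\nport=3306\nskip-networking  # local clients only\n"

if __name__ == "__main__":
    for f in audit(WEAK_USERS, WEAK_FUNCS, WEAK_CNF):
        print("WEAK:", f)
    print("hardened findings:", audit(HARDENED_USERS, HARDENED_FUNCS, HARDENED_CNF))
```

The point of the mysql.func check is that the bot leaves a durable artifact in the catalogue even after it drops its staging table, so the same audit doubles as a post-infection check; the brute-force itself is defeated by the first two findings, not by any patch.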
While we are still waiting to see what kind of threat yesterday’s Bagle variant is going to shape up to be, another new Bagle variant has been reported by several antivirus vendors this morning.
Though very similar to the last variant, it is already being rated at Medium risk by Trend Micro. Looks like it is going to be an interesting day.
AV links so far:
http://www.sarc.com/avcenter/venc/data/w32.beagle.az@mm.html
http://vil.nai.com/vil/content/v_131352.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2EAZ (Medium risk)
http://www.f-secure.com/v-descs/bagle_ay.shtml
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=58283&sind=0
Quote from Trend Micro’s website:
As of January 27, 2005 1:42 AM PST (Pacific Standard Time/GMT -8:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_BAGLE.AZ. TrendLabs has received several infection reports indicating that this malware is spreading in US, China, and Japan.
This WORM_BAGLE variant arrives on a system as an email attachment. It sends copies of itself to all email addresses it gathers from files with certain extensions but skips those addresses that contain particular strings.
McAfee has raised the threat level of the Bagle variant that came out yesterday to Medium risk.
-- Update 27th January 2005 12:50 PST --
Due to increased prevalence the risk assessment of this threat has been raised to medium. The 4423 DATs will be released early to address this threat. In the meantime, the following EXTRA.DAT packages are available.
EXTRA.DAT
SUPER EXTRA.DAT
Now Symantec has a description of the new Bagle variant, looks like this is spreading.
Symantec Security Response - W32.Beagle.AY@mm
W32.Beagle.AY@mm Category 2
Discovered on: January 26, 2005
Last Updated on: January 26, 2005 01:24:44 PM
W32.Beagle.AY@mm is a mass-mailing worm that also spreads through file-sharing networks. The email will have a variable subject and attachment name. The attachment will have a .com, .cpl, .exe, or .scr file extension.
I wonder if the new Bagle is a sign of something bad
F-Secure : News from the Lab
One particular outbreak a year ago
Posted by Sami @ 08:25 GMT
Today is the anniversary of the Mydoom.A outbreak - the worst email outbreak in history.
This incident, which started on January 26th 2004, bypassed even the Sobig.F epidemic of 2003. At its worst, a major part of all email traffic globally was caused by Mydoom.A. The worm generated over 100 million emails just during the first day of the outbreak.
Mydoom performed a denial-of-service attack on www.sco.com between February 1st and 12th, 2004. This attack, which was arguably the largest DDoS case in history, kept the target website down for weeks.
We first warned about the Mydoom worm on January 26th, at 23:05 GMT by issuing a Radar Level 2 Alert. About four minutes later we shipped detection for the worm. The Radar Level was raised to Radar Level 1 three hours later. This is the highest level we have.
Following Mydoom.A there was the infamous virus war between Mydoom, Bagle and Netsky.

Looks like F-Secure has joined the party
F-Secure : News from the Lab
New Bagle found
Posted by Katrin @ 18:58 GMT
We received a new polymorphic Bagle variant - Bagle.AX. We are currently working on it. More information will follow.

The description for this network-aware worm just showed up on Symantec’s website and is currently at level 2, but there are two things that disturb me about it.
1. There already is a fix tool for it (someone out there must have already been hit by it).
2. The amount of Windows and application vulnerabilities that it uses to propagate.
I have included most of the description below, go to the link below for the full description.
Symantec Security Response - W32.Gaobot.CEZ
W32.Gaobot Removal Tool
Description from Symantec’s site
W32.Gaobot.CEZ is a network-aware worm that has back door capabilities and can be controlled through IRC channels. It attempts to lower security settings by blocking access to security-related Web sites and terminating processes. It spreads by exploiting vulnerabilities.
Note: Virus definitions released January 25, 2005 detect this threat as W32.HLLW.Gaobot.
When W32.Gaobot.CEZ is executed, it performs the following actions:
- Copies itself as %system%\ethernet.exe.
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Adds the value:
"Ethernet Drivers" = "ethernet.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
so that it is executed every time Windows starts.
- The back door component connects to a remote IRC server using TCP port 8000 on the following domain:
ultimate.rizzla.net
- Awaits commands from a remote attacker.
- Allows the attacker to perform the following actions on the compromised computer:
- Overwrites %System%\drivers\etc\hosts with the following lines:
- Attempts to spread to other computers by exploiting the following vulnerabilities:
- Attempts to spread by authenticating to MSSQL Servers and network shares using a predetermined list of usernames and passwords.
- Attempts to terminate processes with the following names: Check full description on Symantec’s site…
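The two host-side artifacts the Symantec description spells out, the "Ethernet Drivers" = "ethernet.exe" value under the Run and RunServices keys and a rewritten %System%\drivers\etc\hosts, are easy to check for on a machine snapshot. The script below is an added example, not Symantec's removal tool: it takes the Run-key values as a dict and the HOSTS file as text (how you collect those is up to your inventory tooling), and the sample hosts entries use placeholder vendor names because the description above elides the actual lines.

```python
import re

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
# Indicators from the Symantec description quoted above.
IOC_VALUE_NAME = "Ethernet Drivers"
IOC_BINARY = "ethernet.exe"

# Addresses worms use to pin security sites to nowhere.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}
HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def check_run_keys(registry):
    """registry: {key_path: {value_name: data}} snapshot of the two Run keys.
    Returns (key, value_name, data) for the worm's persistence entry, matching
    on either the value name or the executable name so a renamed value still hits."""
    hits = []
    for key in RUN_KEYS:
        for name, data in registry.get(key, {}).items():
            if name == IOC_VALUE_NAME or data.lower().endswith(IOC_BINARY):
                hits.append((key, name, data))
    return hits


def hijacked_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that map a non-local name to a loopback or
    null address: the trick used to block antivirus update and vendor sites."""
    hijacked = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        ip, names = m.group(1), m.group(2).split()
        if ip in SINKHOLE_IPS:
            hijacked.extend((ip, n) for n in names if n.lower() not in LOCAL_NAMES)
    return hijacked


# Constructed snapshot of an infected host; vendor names are placeholders.
SAMPLE_REGISTRY = {
    RUN_KEYS[0]: {"Ethernet Drivers": "ethernet.exe", "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe"},
    RUN_KEYS[1]: {},
}
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.av-vendor.example
0.0.0.0         update.av-vendor.example   # planted by the worm
10.0.0.5        intranet
"""

if __name__ == "__main__":
    print(check_run_keys(SAMPLE_REGISTRY))
    print(hijacked_hosts_entries(SAMPLE_HOSTS))
```

Both checks are cheap enough to run fleet-wide from a login script or inventory job; the HOSTS check in particular catches the whole family of worms on this page that edit that file, not just this Gaobot variant.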

More information on new Bagle variant from McAfee Virus Characteristics:
This is a mass-mailing worm with the following characteristics:
* contains its own SMTP engine to construct outgoing messages * harvests email addresses from the victim machine * the From: address of messages is spoofed * contains a remote access component (notification is sent to hacker) * copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
Mail Propagation
The details are as follows:
From : (address is spoofed) Subject :
* Delivery service mail * Delivery by mail * Registration is accepted * Is delivered mail * You are made active
Body Text:
* Thanks for use of our software. * Before use read the help
Attachment: (may be one of the following, with an extension of .exe, .scr, .com, or .cpl)
* wsd01 * viupd02 * siupd02 * guupd02 * zupd02 * upd02 * Jol03
For more details, see the full description: W32/Bagle.bj@MM
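The McAfee characteristics above (a fixed set of subject lines, two short body strings, seven attachment base names with an .exe/.scr/.com/.cpl extension) are exactly what a mail-gateway content rule keys on while waiting for DATs. The classifier below is an added example, not McAfee's detection: the message is a constructed dict, and the rule that a listed attachment name alone, or subject plus body together, is enough to block is my own scoring choice.

```python
import re

# Strings taken from the McAfee description above, lower-cased for comparison.
SUBJECTS = {"delivery service mail", "delivery by mail", "registration is accepted",
            "is delivered mail", "you are made active"}
BODIES = {"thanks for use of our software.", "before use read the help"}
ATTACH_NAMES = {"wsd01", "viupd02", "siupd02", "guupd02", "zupd02", "upd02", "jol03"}
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".cpl"}
ATTACH_RE = re.compile(r"^(?P<base>[^.]+)(?P<ext>\.[A-Za-z]+)$")


def classify(msg):
    """msg: {'subject': str, 'body': str, 'attachments': [filename, ...]}.
    Returns (verdict, reasons): 'block' when a listed attachment name carries an
    executable extension, or when subject and body both match; 'suspect' on a
    single weaker signal (e.g. any executable attachment); otherwise 'allow'."""
    reasons = []
    subj = msg.get("subject", "").strip().lower()
    body = msg.get("body", "").strip().lower()
    if subj in SUBJECTS:
        reasons.append("subject matches list")
    if body in BODIES:
        reasons.append("body matches list")
    attach_hit = False
    for fn in msg.get("attachments", []):
        m = ATTACH_RE.match(fn.strip())
        if not m:
            continue
        base, ext = m.group("base").lower(), m.group("ext").lower()
        if ext in EXECUTABLE_EXT:
            reasons.append(f"executable attachment {fn}")
            if base in ATTACH_NAMES:
                reasons.append(f"attachment name {base} matches list")
                attach_hit = True
    if attach_hit or ("subject matches list" in reasons and "body matches list" in reasons):
        return "block", reasons
    if reasons:
        return "suspect", reasons
    return "allow", reasons


# Constructed messages: one that matches the worm, one ordinary, one borderline.
WORM_MSG = {"subject": "Delivery by mail", "body": "Before use read the help",
            "attachments": ["guupd02.scr"]}
CLEAN_MSG = {"subject": "Meeting notes", "body": "See attached.", "attachments": ["notes.pdf"]}
BORDERLINE_MSG = {"subject": "Invoice", "body": "hi", "attachments": ["setup.exe"]}

if __name__ == "__main__":
    for m in (WORM_MSG, CLEAN_MSG, BORDERLINE_MSG):
        print(classify(m))
```

Matching the base name and extension separately matters because the description lists them as independent pools; a rule that only looks for "guupd02.exe" would miss "guupd02.cpl".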
I just caught new Bagle descriptions on McAfee and Trend Micro’s sites, but they have no info as of yet on threat level, so be on the lookout. I will post more information as it becomes available.
W32/Bagle.bj@MM (McAfee)
WORM_BAGLE.AY (Trend Micro)
TechWeb | Broadband provider bundles Mozilla Firefox
Speakeasy ISP Bundles Mozilla Firefox
By TechWeb News
Broadband services provider Speakeasy is bundling a customized version of Mozilla Firefox 1.0 in its self-install kits for residential customers, the ISP said Tuesday.
Dubbed the Mozilla Firefox: Speakeasy Edition, the browser downloads quickly and imports subscribers' existing favorites, passwords and other settings, the company said. The ISP plans to offer updates in the future, it said.
Future features will include VoIP and business utilities as well as improved network performance, Speakeasy said. The Firefox browser, which embeds Google search engine capability, features increased security and easy file downloading.
Speakeasy said it provides service in most metropolitan areas in the United States.
McAfee has W32/Mydoom.av@MM rated at Low risk, as well as just about every other AV vendor. Hopefully things will stay that way. Here is some information from McAfee’s description:
Virus Characteristics:
A new variant of W32/Mydoom has been discovered. This variant is proactively detected as W32/Mydoom.gen@MM by McAfee products running the 4390 DATs or greater (release date: Sep 8th 2004). This variant bears the following characteristics:
- mails itself to target email addresses harvested from the victim machine
- constructs outgoing messages using its own SMTP engine
- spoofs the From: address on outgoing messages
- attempts to propagate through popular P2P networks by copying itself with enticing filenames
- terminates various processes (AV and security related)
- modifies the local HOSTS file to disable the updating of security products
