SCI/TECH: Emerging Internet Threats 4/26/2004

posted on Apr, 26 2004 @ 06:41 PM
It looks like another busy week for IT professionals and more worries for home users. There have been new variants of the widely distributed “Netsky,” “Bagle,” and “Phatbot/Agobot/Gaobot” worms detected in the wild, code to exploit some recently revealed flaws in Microsoft products has been released, and internet monitoring systems hint at a possible new variant of the destructive “Witty” worm.

Exploit Targets Windows SSL Vulnerability

Microsoft SSL Vulnerability
About a week after Microsoft acknowledged and released patches for multiple vulnerabilities in its operating systems, code to exploit the security flaws has been released onto the Internet. It is only a matter of time before there is an automated tool or worm that attacks un-patched systems.

Working exploits have been released for a Windows SSL vulnerability which leaves servers open to a denial of service (DoS). Code for the exploit, known as SSL Bomb, was released last Wednesday, just a day after the vulnerability was described in Microsoft's recent security updates. Malformed SSL packets can force Windows 2000 and Windows XP machines to stop accepting SSL connections, and cause Windows Server 2003 to reboot.

New Worm Variants
This version harvests email addresses off local and network drives when the computer is infected and sends copies of itself to those addresses. The sender, subject line, and attachment name can vary, but it is always a .ZIP attachment.

Bagle (a.k.a Beagle)
Mass mailing worm that harvests email addresses from an infected host and also attempts to spread by placing infected files with tempting names in the folders used by peer-to-peer file sharing programs. This worm also opens TCP port 2535 to allow unauthorized access to the infected machine across the Internet.

The latest in this family of worms spreads through open network shares, by exploiting multiple Windows vulnerabilities, and backdoors opened by other worms such as Bagle and Mydoom. Once installed it serves as a “zombie” computer which the worm’s author can use to send spam or launch attacks. This worm can also disable many antivirus, firewall, and security programs.

Possible new version of “Witty” worm
Organizations which monitor port scanning activity on the Internet have noted increased scanning on TCP port 4000 which may indicate experiments on a new variant of this worm. “Witty” was released March 2004 and was unique in several respects. It was targeted at security software by Internet Security Systems. It was destructive, eventually trashing the computers it infected, thus limiting its ability to spread. And, it set records for rapid dispersal, probably because it was originally distributed using a system of “zombie” computers that had been previously infected by other worms.
ATSNN – Witty

More Information

The Register
Microsoft SSL Vulnerability
Symantec Security Response
Internet Storm Center

[Edited on 4-26-2004 by Valhall]

posted on Apr, 26 2004 @ 06:44 PM
With all these attacks of worms and so forth it makes me wonder if the real worm we should be worrying about lies in the hands of the updates! DUN DUN DUN!

posted on Apr, 26 2004 @ 07:37 PM
I actually got an infected email today. Our IT scoured it clean, but it was infected. It was from a hotmail account.

posted on Apr, 27 2004 @ 06:35 AM
Viruses make the internet less fun. I am sick of these viruses attacking our system. I say we should double our efforts to find these garage hackers then kill them.

I think making a virus designed to infect thousands of systems should be punishable by death. I mean this seriously.
These viruses just boil my kettle.

posted on Apr, 27 2004 @ 09:11 AM
My co-workers suspect that the worms and viruses are all sponsored by anti-virus companies to drum up business or the US government to foster paranoia. Those are interesting ideas which I cannot prove wrong. Personally, I think that the authors of this type of code are just sociopaths who have not progressed to torturing animals, etc.

posted on Apr, 27 2004 @ 09:16 AM

Originally posted by Spectre
My co-workers suspect that the worms and viruses are all sponsored by anti-virus companies to drum up business or the US government to foster paranoia.

The trouble with this scenario is that the virus companies aren't the only source of geeks/information specialists. If they were doing it, the sysadmins around the world would know about it already.

It's not THAT hard for any of us with the skills to backtrack email/viruses and see where it came from.

Most were from unemployed Russian programmers/former Communist bloc programmers who were following on the Kevin Mitnick/Cult of the Dead Cow model: Get known as a virus coder and then reform and go "legit" and get jobs with lots of money thrown at you.

... at least, this was the logic they were going by a few years ago. There are currently virus toolkits and just about any 8 year old can create one.

posted on Apr, 27 2004 @ 11:31 AM
I work in IT and I personally get around 3 to 400 emails a day. I probably get sent at the least 8 viruses of 4 different types every day.

Here's a sneaky one to look out for:
Mail Delivery (failure "your Email")
If the message will not displayed automatically,
follow the link to read the delivered message.

Received message is available at:

Now it links to a SRC Attachment so even if you just click the link you're $%#^@. Just a heads up for ya

posted on Apr, 27 2004 @ 01:32 PM

Originally posted by Byrd
The trouble with this scenario is that the virus companies aren't the only source of geeks/information specialists. If they were doing it, the sysadmins around the world would know about it already.

They may not be directly involved in creating the viri, but they sure as heck work hard to generate an unnecessary amount of fear in order to sell their wares. It is in their interest to have everyone ultra afraid. Fear drives consumption in many areas of western economies.

posted on Apr, 28 2004 @ 02:06 AM
Earlier than I expected, a new Phatbot worm that makes use of the LSASS vulnerability was released into the wild. Infections are few thus far, under 50. More information below-

PhatBot exploiting LSASS?
The ISC has come into possession of what appears to be a new version of PhatBot that contains code to exploit the LSASS (LSASS: Local Security Authority Subsystem Service) vulnerabilities patched under MS04-11.
Internet Storm Center

I will post more details as they come to light.

[edit] Symantec has discovered an executable tool to take control of servers running MS IIS using the same vulnerability.
Hacktool LsasSBA

The patch to protect Windows servers is described here: Microsoft Security Bulletin MS04-011

[Edited on 28-4-2004 by Spectre]

posted on Apr, 28 2004 @ 10:10 AM
Another incident reported

IT staff at the University of Mississippi have shut down their network due to excessive traffic generated by a new worm.

"We've been preparing for the big one for a while," Senior Helpdesk Consultant Robby Seitz said. "This may be it." Seitz is a microcomputer consultant for the IT helpdesk in Weir Hall.


posted on May, 1 2004 @ 10:33 AM
Someone has made use of the SSL exploit code released this past week and created a worm that infects Microsoft operating systems that have not been patched. The worm exploits the vulnerability designated by Microsoft as MS04-011. It scans random Internet addresses for computers running Windows XP or Windows 2000 with the flaw in an attempt to spread. The worm's operation is so CPU intensive that an infected computer is almost unusable and can, under some circumstances, even crash.

Sasser Worm
ISC is aware of the LSASS Sasser worm. This worm is spreading through the MS04-011 (LSASS) vulnerability. According to AV companies, this worm will generate traffic on ports 445, 5554 and 9996.
Internet Storm Center - Sasser Worm

F-Secure on 'Sasser'
Sophos - Sasser
Symantec - W32.Sasser.worm

posted on May, 1 2004 @ 10:38 AM

Originally posted by Qraz A.K.A. MIlfort
Viruses make the internet less fun. I am sick of these viruses attacking our system. I say we should double our efforts to find these garage hackers then kill them.

I think making a virus designed to infect thousands of systems should be punishable by death. I mean this seriously.
These viruses just boil my kettle.

garage hackers ???

Hardly ... most of this stuff either comes from the government or from groups like the mafia and other underground organized crime to hide and distract from the fact that they're using the internet for criminal activities.

posted on May, 1 2004 @ 04:49 PM
Here are a few more sources and updates.

Since 00:10 (GMT -5) May 1st, we have recorded hundreds of scans that seem to originate from computers infected with "Sasser." My home computer has recorded 28 scans via my cable connection! The infections appear evenly distributed from Europe, Asia, and the Americas. My favorite is the computer from "" If your server is going to be infected, that sounds like a nice place to be!

Secunia - Sasser

LURHQ Threat Intelligence Group

ISC - Sasser Worm Update

posted on May, 3 2004 @ 05:39 AM
New Worms Hit Hard
It seems more authors of malicious software are jumping on the bandwagon and exploiting the recently revealed flaw in three Microsoft operating systems.

The "Sasser" worm, in its A, B, & C versions, grows more troublesome as it evolves. Some antivirus vendors have raised its threat level as it rapidly spreads around the globe. Infection rates may actually increase as machines that were switched off over the weekend are brought online, and laptops that were taken home are reconnected to corporate LANs, behind Internet firewalls.

Apparently many machines have gone unprotected even though the patch to prevent infection can be downloaded free from Microsoft. Microsoft has also opened a toll-free number to assist users of their software who might be infected. The major antivirus companies are offering free worm removal tools as well.

The "Gaobot" worm variants have added the new attack to their bag of tricks and are actively exploiting systems.

Microsoft Security Support

Internet Storm Center Incident Tracking

posted on May, 3 2004 @ 07:41 AM
First, if you've kept up with your MS Windows updates, there isn't much to worry about.

Second, if you have a firewall, block port 445 to incoming traffic (although this port is usually closed by default). This will protect your network connected to the internet.

Third, keep your AV products up to date.

Following these three simple rules should keep most PC's safe.

Here's more information from WatchGuard's Live Security service:

About the Virus
Beginning Friday evening a new worm called Sasser (technically known as W32/Sasser.worm) began spreading on the Internet. Like previous worms (such as Slammer, and to some extent, CodeRed and Nimda), Sasser relies on exploiting a recent flaw in Microsoft Windows to spread. If the worm finds a computer vulnerable to the specific Windows flaw, it infects that PC without any user interaction. Worms like Sasser that require no user interaction tend to spread wildly.

What It Does
Unlike most worms, Sasser does not rely on email to spread. Instead, the worm attempts to connect to random victims on TCP port 445 and exploits a Microsoft Windows vulnerability we described in an April 13 alert (specifically MS04-011). Its name arises from the fact that it exploits a buffer overflow in LSASS (Local Security Authority Server Service).

If the exploit is successful, the worm downloads a copy of itself to your machine and adds the file "avserve.exe" to the default Windows directory. The worm also adjusts the registry to ensure that it can restart the next time you reboot. In fact, using a special Windows API, AbortSystemShutdown, Sasser makes it difficult to restart or shut down your PC.

Finally, Sasser installs an FTP server on your computer, running on TCP port 5554 so that your machine can deliver the worm to others.

Once installed on a victim machine, Sasser repeats the entire process by randomly scanning IP addresses on port 445, searching for exploitable machines. Out of the randomly scanned IPs, 50% are totally random, 25% have the same first octet as your IP address and the last 25% have the same first two octets as your IP address. This helps Sasser to spread efficiently both on the Internet and within your local network.

What you can do
Make sure you've installed all of the Microsoft patches that we recommended in our April 13 alert! With these patches installed, Sasser cannot find a direct path into your network. Take extra precautions to protect your network from your mobile users or visiting customers. If this worm can sneak its way onto an unpatched Microsoft network, it will be difficult to contain.
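
As an added example (not part of the original post or the WatchGuard alert), this is one way a defender could look for the behaviour described above in flow records: a host fanning out to many distinct addresses on TCP 445, with the split between local and remote targets and any activity on ports 5554 or 9996 as corroboration. The `src dst dport` line format, the threshold of 20, the function names and the sample addresses are all assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address

SCAN_PORT = 445            # port the worm scans, per the alert quoted above
WORM_PORTS = {5554, 9996}  # other ports this thread attributes to Sasser
FANOUT_THRESHOLD = 20      # assumed cut-off: distinct port-445 targets per window

def find_suspects(lines, threshold=FANOUT_THRESHOLD):
    """Flag sources that contact many distinct hosts on TCP 445.

    Each line is 'src dst dport', a simplified flow format assumed for this example.
    """
    targets = defaultdict(set)   # src -> distinct destinations on 445
    extra = defaultdict(set)     # host -> worm ports seen on either end of a flow
    for line in lines:
        src, dst, dport = line.split()
        src, dst, dport = ip_address(src), ip_address(dst), int(dport)
        if dport == SCAN_PORT:
            targets[src].add(dst)
        elif dport in WORM_PORTS:
            extra[src].add(dport)
            extra[dst].add(dport)
    report = {}
    for src, dsts in targets.items():
        if len(dsts) < threshold:
            continue  # ordinary file-share clients talk to a handful of servers
        same_two = sum(d.packed[:2] == src.packed[:2] for d in dsts)
        same_one = sum(d.packed[:1] == src.packed[:1] for d in dsts) - same_two
        report[str(src)] = {
            "targets": len(dsts),
            "same_first_two_octets": same_two,
            "same_first_octet_only": same_one,
            "elsewhere": len(dsts) - same_two - same_one,
            "worm_ports": sorted(extra[src]),
        }
    return report

def sample_flows():
    """Constructed flows: one scanning host and one ordinary file-share client."""
    flows = [f"10.1.2.3 10.1.{i}.8 445" for i in range(10, 20)]
    flows += [f"10.1.2.3 10.{i}.0.8 445" for i in range(50, 60)]
    flows += [f"10.1.2.3 {i}.0.2.8 445" for i in range(100, 120)]
    flows += ["10.1.4.7 10.1.2.3 5554"]     # a peer reaching the FTP port on 10.1.2.3
    flows += ["10.1.2.9 10.1.0.5 445"] * 3  # normal SMB use, below the threshold
    return flows

if __name__ == "__main__":
    for host, info in find_suspects(sample_flows()).items():
        print(host, info)
```

A host that shows both the port 445 fan-out and a listener on 5554 is a stronger candidate for isolation and patching than one that shows either signal alone.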

posted on May, 4 2004 @ 08:52 AM
There are still quite a few unpatched and unprotected computers on the Internet because the "Sasser" worm (A/B/C/D models) and other worms that exploit the Microsoft flaw discovered in April are still spreading, causing network congestion and knocking some sites down completely. Companies that rely on SSL (the feature vulnerable to the attack) for secure web transactions cannot block the port on which the worms spread, and often, corporate IT policies prevent staff from quickly applying the software fixes that patch the security hole.

Some important updated information can be found at The Internet Storm Center

The Sasser worm outbreak that began early Saturday morning continues. There have been at least 4 distinct variants noted so far. The primary difference between the first 3 was in the name of the file installed and increasing the number of scanning threads from 100 to 1000. The fourth variant, Sasser.d, which started appearing this morning also added a component to use pings (ICMP echo requests)

"Sasser.D" adds a new ability to scan for systems to infect using Internet "pings." It generates this ICMP traffic so rapidly that having a network with multiple infected machines attached can bring the LAN's performance to its knees.
Symantec - Sasser.D

posted on May, 4 2004 @ 08:57 AM
Many won't bother with the security measures available

Either, they think they are immune or they aren't aware security problems exist. Or, they don't think they need to bother.
The sad thing is, with Microsoft, you can sign up for email alerts as fixes and updates become available. Anti-virus software, the same.

posted on May, 4 2004 @ 09:03 AM

Originally posted by DontTreadOnMe
The sad thing is, with Microsoft, you can sign up for email alerts as fixes and updates become available. Anti-virus software, the same.

Another sad point of this is that the new versions of the Microsoft OSes offer the Automatic Windows Update Service. You can set it to check for updates once a day or once a month. It will even download and install them for you.

If you want to know the honest truth, there is no logical reason not to keep your system patched. That's why they have the W.U.S. built in, to do it for you.

Maybe it's an education thing, maybe it should be mandatory that the service be configured when you install the OS. I don't know. All I know is there is no reason not to keep updated on the patches.

posted on May, 4 2004 @ 09:12 AM
I'm fortunate that my company allows us to very rapidly test and implement hotfixes, patches, and service packs, but large companies with really tight policies on modifying server platforms aren't so fortunate. Their IT staff get bogged down with quality assurance procedures and paperwork and can't get vulnerable machines patched quickly enough so the servers get infected with viruses and worms. How's that for logic?
I'm all for having good, established company policies and procedures, but this "corporate inertia" slowing down vital fixes has to be addressed. One of these days someone is going to get around to the idea that companies must exercise some "due diligence" or be held liable for helping worms to spread.

[edit] There isn't a lot of new information in this article in The Register, I just love their style of reporting.

[Edited on 4-5-2004 by Spectre]

posted on May, 6 2004 @ 11:50 PM
Patches (or patch du jour lately, it seems).

What are your favorite Programs for Patch Deployment
over a network?

Right now we're using something called GFI LANguard.
Some of the guys are having a bit of a time with its idiosyncrasies, but it's working pretty well for us.

We DO have a mix of Win OS's, NT4, W2K, XP. That was part of the problem of getting up to speed.
