[ISN] Feds warn of rogue code

From: InfoSec News (isnat_private)
Date: Tue Jun 26 2001 - 01:42:44 PDT

  • Next message: William Knowles: "[ISN] WWW.huh?: You Are the First Line of Defense"

    http://news.cnet.com/news/0-1003-200-6374839.html?tag=mn_hd
    
    By Robert Lemos
    Special to CNET News.com 
    June 25, 2001, 3:30 p.m. PT 
    
    A government Internet watchdog warned companies this past weekend of a
    new malicious program that spreads to previously compromised PCs and
    seemingly prepares the infected machines to launch a denial-of-service
    attack, sources said Monday.
    
    The program, known as W32-Leaves.worm, places additional code on the
    compromised machines and synchronizes the PCs' internal clocks with
    the one at the U.S. Naval Observatory, said Vincent Gullotto, director
    of the antivirus research team at security company Network Associates.
    
    "That may indicate that (the worm) is preparing to do something," he
    said, but he added that Network Associates has had only three reports
    of the infection in the past 48 hours. "The government was primarily
    worried that it could be a denial-of-service attack. Based on their
    numbers, we decided to give it a medium risk."
    
    On Saturday, the National Infrastructure Protection Center posted an
    advisory to its Web site warning companies of the worm. "Leaves" takes
    advantage of computers that have been compromised by the illicit
    installation of the SubSeven system-administration tool, the NIPC
    stated in the advisory. SubSeven is the program most commonly used by
    network intruders to control Windows PCs remotely.
    
    "The full impact of this new Leaves infection and appropriate fixes
    are currently under investigation," stated the advisory.
    
    Worms--a way to crack the security of thousands of servers at a
    time--have become the tool of choice for many online vandals. A worm
    is a self-propagating program that will scan until it finds a
    vulnerable computer, which it will infect and then start the process
    all over.
    
    This year several Linux worms, including Ramen, 1i0n, and Adore have
    hit the Net, along with a worm that infects Solaris systems.
    
    While the NIPC did not expand on the Leaves worm's capabilities,
    Gullotto said the pesky program was uploading information about
    compromised PCs to a central Web site. The site has since been taken
    down.
    
    He added that the worm is unlikely to amount to much.
    
    "If we don't hear anything in the next few days, we will downgrade the
    threat," Gullotto said, speaking from a conference where antivirus
    experts gathered to talk about issues to the industry. "No one here is
    very concerned about this."
    
    Rather than warn against impending attack--a tactic that garners
    public-relations points for the NIPC--the agency should be telling
    security administrators what to do to prevent attacks in the first
    place, said Greg Shipley, director of consulting services for security
    company Neohapsis.
    
    "Everyone is kind of thinking practical and not thinking strategic,"
    he said.
    
    "The first step is to patch their servers and patch in a timely
    manner, but that's a tactical problem. The strategic move is to get
    these vendors taking some liability for the bugs in their servers."
    
    
    
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email isn-unsubscribeat_private
    



    This archive was generated by hypermail 2b30 : Tue Jun 26 2001 - 02:16:39 PDT