Re: [ISN] Hacker exploits make PC worms deadlier

From: InfoSec News (isnat_private)
Date: Mon Oct 22 2001 - 01:20:47 PDT

  • Next message: InfoSec News: "[ISN] [defaced-commentary] Defense Test and Evaluation Professional Institute"

    Forwarded from: Aj Effin Reznor <ajat_private>
    "InfoSec News was known to say....."
    > By Wendy McAuliffe
    > ZDNet (UK) 
    > October 18, 2001 5:20 AM PT
    With writing like this, it's no wonder that ZDNet doesn't have links
    to author's email addresses on their bylines.  At lease Wired has the
    decency to allow their writers to take responsbility for what they
    > Computer worms are set to become a more deadly combination of
    > virus writing and hacker exploits, according to security experts
    > at Symantec.
    This, as with the title, are FAR off base....  Worm writers are NOT
    becoming more deadly, they're merely catching up with exploit gaping
    holes embedded in shoddy operating systems...
    > Code Red and Nimda marked the demise of socially engineered worms,
    > by combining a blended threat of proven hacker exploits. Both
    > worms attacked the same buffer-overflow vulnerability in
    > Microsoft's IIS software, while Nimda additionally incorporated a
    > mass-mailing component enabling the virus to propagate on a
    > massive scale. Neither of the worms relied on the traditional need
    > for an infected computer user to double-click on a malicious
    > attachment.
    Again with the Counterpane school of thought... Nimda did *NOT* email
    itself... Sircam did, Nimda did not.  While it may have created bogus
    .eml files on infected machines, it did not utilize email to propegate
    itself without user intervention.  Either this is a user-less worm, or
    it isn't.  The author seems to be rather confused.
    > "Nimda and Code Red have eliminated the need for human
    > intervention, by virus writers using what hackers have already
    > provided," said Eric Chien, chief researcher at Symantec. "One
    > year ago email worms were the big threat, as they spread quickly
    > and far--but now a lot more virus writers will be looking at the
    > hacker worm."
    So a malicious coder is either hacker or virus writer... no crossover
    is allowed?
    > Chien predicts that by next year, the "blended" threat of computer
    > worms could be enough to cause a serious Internet slowdown.
    > Antivirus experts at Symantec have already developed an algorithm
    > to prove that by removing human interaction from the virus
    > equation, every PC connected to the Internet could be affected by
    > a single worm within 20 minutes.
    EVERY PC?  Or EVERY PC running a MS OS?  Personally, my machines are
    either behind firewalls, or hardened.  I know of at least a dozen that
    won't be infected.  Mr. Chien needs to put down the glass pipe lest he
    starts mentioning the dreaded "Digital Pearl Harbour"!!!
    > But the trend towards blended virus attacks is blurring the lines
    > of responsibility for computer worms. On Wednesday, Microsoft
    > launched a verbal attack on security firms and hackers who release
    > what it calls virus "blueprints". A study done by Microsoft on
    > recent attacks by worms such as Code Red and Nimda found that each
    > had been prefaced by the release of so-called exploit code--sample
    > programs created by security firms and hackers to exploit software
    > flaws.
    Yes, I have issue with this, also.  I have yet to see a study from MS,
    an actual study, to back this up.  This appears to be yet another slam
    against eEye, as they were pointed at for releasing data on the
    default.ida exploit.
    HOWEVER, it has been proven time and time again that CR (and by
    extention, Nimda) do NOT use an entry point remotely close to the one
    that eEye described.
    So, since they can be exonerated of any wrongdoing or blame
    whatsoever, then WHAT could MS be poooooooooossibly talking about?
    > "Responsibility lies with the people who release the worm, not
    > necessarily the people who wrote it," said Chein. The Anna
    > Kournikova
    Too bad it doesn't lie with journalists, also.
    > virus, for example, was written with the help of an existing virus
    > toolkit available on the Internet, but Chein argues that the
    > script kiddie who unleashed the virus is the person ultimately
    > responsible for any damage caused to the networks.
    So it's not the guy that shoots the gun, but the guy that loads it?
    Yeah, that's going to hold up in a court of law!
    To lob another volley, it's interest that Thomas C. "Full Disclosure
    is Bad" Greene of the Reg/UK has again posted a story about a newfound
    vulnerability (this time Microsoft's digital rights management
    implementation) AND linked to exploit code in his story!
    Bravo for journalistic integrity!
    On a side note, my apologies to ISN subscribers who may tire of my
    occasional rants.  Procmail me, it won't hurt my feelings.  While
    many security minded professionals subscribe, I know there are several
    CIO and CTO level types also on the list who may be inclined to
    believe a good portion of the fluff out there.  Regardless of wether
    or not "information should be free", the truth should be known....
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Mon Oct 22 2001 - 03:00:18 PDT