[ISN] Another Computing Platform Gets Its First Virus

From: InfoSec News (isnat_private)
Date: Sat Apr 13 2002 - 01:03:10 PDT

  • Next message: InfoSec News: "[ISN] FC: Domain heist: Hoopla.com reportedly stolen via fax to Verisign"

    By Brian McWilliams, Newsbytes
    12 Apr 2002, 1:11 PM CST
    SAPvir, the first virus to infect programs and reports used by the
    high-end SAP R/3 business information system, was posted to an online
    virus library this week.
    Experts said the proof-of-concept code, which does not appear to be
    present in the wild, is the latest effort by virus writers to target
    "exotic" computing platforms.
    The 24-line program, written in SAP's Advanced Business Application
    Programming (ABAP) language, is designed to spread to other programs
    on the local SAP system but does not appear to be destructive or
    network-aware, according to a preliminary analysis of the code by
    Jochen Hein, an independent SAP consultant based in Germany.
    SAP R/3 is an integrated system used by many large corporations for
    functions such as supply-chain management, business intelligence, and
    financials, according to its developer, Germany-based SAP AG.
    Bill Wall, a spokesman for SAP in the U.S., said the company does not
    believe any customers have been infected by the code.
    "What protects our customers is very deep security and very limited
    access to these mission-critical systems. ABAP also requires a skill
    set that goes beyond that of most hackers," said Wall.
    According to its Web site, SAP is the third-largest software company
    in the world.
    The program was posted to VX Heavens, a large online library of
    viruses, on Tuesday. According to the virus site's operator, he
    received an email this week with a link to a Web page containing the
    source code to SAPvir.
    The page, which appears to be operated by Alex Bergonzini of
    Barcelona, Spain, was last modified in October 2001, according to the
    page's header. Bergonzini did not respond to interview requests.
    A copyright notice in the code does not identify its author but
    suggests SAPvir may have been written in 2000.
    While SAPvir may contain bugs that prevent it from working on all SAP
    platforms, according to Hein, the source code could easily be modified
    by programmers who know ABAP to perform more malicious acts.
    "An ABAP program can do anything in the SAP system, including
    modifying data and leaving no trace," said Hein, who noted that a line
    of programming comments in SAPvir states in Spanish, "Here the code of
    destruction or effects of the virus goes."
    While most computer viruses are written for Microsoft's Windows and
    Word applications, in recent months, virus writers have created
    programs that target Microsoft's new .NET platform, Macromedia's Flash
    format, and Adobe's Acrobat software.
    According to Patrick Hinojosa, chief technology officer for anti-virus
    firm Panda Software, SAPvir is "academic" since an attacker would need
    special authorization to plant the code on an SAP system.
    "It looks like it would have to be an inside job," said Hinojosa, who
    added that a person with such rights would already have the ability to
    modify or destroy data without the need for a virus.
    SAPvir is on the Web at
    SAP AG is at http://www.sap.com
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Sat Apr 13 2002 - 03:19:12 PDT