[ISN] Are you the Klez monster?

From: InfoSec News (isnat_private)
Date: Mon May 20 2002 - 03:21:38 PDT


    http://news.com.com/2100-1001-916945.html?tag=fd_top
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    May 17, 2002, 1:05 PM PT
    
    It may only be a matter of time before you're accused of spreading the 
    Klez virus. 
    
    A month after it started spreading, the Klez.h worm isn't slowing 
    down, said antivirus experts on Friday. Moreover, the worm's technique 
    of forging the address of the sender on each infected e-mail message 
    is creating a flood of warnings from gateway antivirus software 
    informing the wrong people that they are infected. 
    
    "A lot of traffic is being multiplied by the response mechanisms and 
    refusal mechanisms," said Fred Cohen, security practitioner in 
    residence at the University of New Haven. 
    
    In many cases, antivirus software protecting a company's e-mail 
    gateways is sending out a response to each infected e-mail 
    inadvertently sent out by a victim--but that warning is going to the 
    wrong person. "So, in effect, you're getting twice the fun you would 
    normally get," Cohen said. 
    
    Apart from magnifying the amount of spam produced by the virus, the 
    incorrect identification of those who are infected is also responsible 
    for hindering efforts to fight the spread of the worm, said Cohen. 
    
    Faked addresses
    
    The Klez.h variant, which appeared in mid-April, infects PCs whose 
    users open the attachment to an infected e-mail. Confusing matters, 
    the e-mail will have a random "from" address, selected from various 
    sources on the original victim's hard drive. And it pairs this bogus 
    sender's address with one of more than 120 different subject lines. 
    
    When a user opens the attachment, the virus starts up its own e-mail 
    engine and mass mails itself to e-mail addresses found in various 
    files on the PC, using a source address culled from those addresses. 
    Klez.h can also send out a random file from the PC as an attachment, 
    along with the e-mail that carries the worm, potentially passing 
    confidential information. 
    
    In some instances, the worm also drops one of several other viruses, 
    including the destructive CIH, and tries to remove any active 
    antivirus software from the system. 
    
    Overall, the Klez.h variant has been extremely successful. 
    
    "The spread has been really steady," said John Harrington, director of 
    U.S. marketing for e-mail service provider MessageLabs. "We've seen 
    20,000 again today (Friday), and there's no indication that this is 
    dying down." 
    
    While the worm has not spread as quickly as, say, the LoveLetter 
    virus--of which MessageLabs received one copy for every 23 legitimate 
    e-mails during the virus' peak in May 2000--it does make up one out of 
    nearly every 170 e-mails, Harrington said. 
    
    In fact, the steady spread--rather than a firestorm of e-mails--may 
    actually be part of the reason for the worm's success, said 
    Harrington. The Klez.h variant did manage to top the charts of 
    computer viruses in April. 
    
    "It kind of cruises below the radar screen," Harrington said. 
    "Everyone had heard of LoveLetter. But if you go into a computer shop 
    and ask people if they've heard of Klez, they'll shake their heads." 
    
    Hard to track
    
    The Klez variant's ability to spoof the source of infected e-mail 
    makes it nearly impossible to track down the infected users who sent 
    the virus. 
    
    "The whole spoofing thing adds a dimension to it that is a little 
    different," said Vincent Gullotto, vice president of Network 
    Associates' antivirus emergency response team. "It's definitely 
    possible that the false addresses are slowing response." 
    
    Network Associates still receives more than 50 reports a day of the 
    worm from customers, and some corporate clients are seeing more than 
    20,000 messages carrying the virus at their e-mail gateways. 
    
    The response to Klez--that uninfected users are being told they sent a 
    virus--shows the holes in the system, added Gullotto. 
    
    In addition, some out-of-the-office auto-reply mechanisms may be going 
    haywire as a result of an infected user sending an e-mail with a 
    random source and receiver who are both away. 
    
    "I am sure there are some auto-reply wars that have been going on," 
    Gullotto said. "There has been a lot of mail that is going around that 
    is caused by this." 
    
    Until system administrators disable antivirus notification on the 
    e-mail gateway servers, the confusion will only continue. 
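    The notification backscatter described in the article, modelled as an
    added example (not code from the article or from any antivirus vendor):
    a gateway that warns the "sender" of each blocked Klez message reaches
    only the forged address and doubles the traffic, while a policy that
    suppresses sender notifications for sender-forging worms does not. The
    message records and the family label are constructed for illustration.

```python
"""Constructed model of AV-gateway notification backscatter (example only)."""
from dataclasses import dataclass


@dataclass
class Message:
    envelope_from: str   # address the worm harvested from the victim's disk
    rcpt_to: str
    infected: bool
    true_origin: str     # the actually infected host; the gateway cannot see this


# Families known to forge the sender: a warning to the From address can
# only reach an uninvolved third party, never the infected machine.
SENDER_FORGING_FAMILIES = {"Klez.h"}


def should_notify_sender(family: str) -> bool:
    """Notify the sender only when the notification could reach the originator."""
    return family not in SENDER_FORGING_FAMILIES


def gateway(messages, notify_sender: bool):
    """Block infected mail; optionally warn the envelope sender.

    Returns (blocked, misdirected_warnings, total_messages_generated).
    """
    blocked = misdirected = 0
    for m in messages:
        if not m.infected:
            continue
        blocked += 1
        # With a forged From, every warning lands on the wrong person.
        if notify_sender and m.envelope_from != m.true_origin:
            misdirected += 1
    return blocked, misdirected, blocked + misdirected


# Constructed sample: one infected PC sends four worm copies with forged
# senders; a fifth message is clean mail from an unrelated user.
SAMPLE = [
    Message("alice@example.org", "carol@example.net", True, "victim-pc"),
    Message("bob@example.org", "dave@example.net", True, "victim-pc"),
    Message("alice@example.org", "erin@example.net", True, "victim-pc"),
    Message("frank@example.org", "grace@example.net", True, "victim-pc"),
    Message("grace@example.net", "carol@example.net", False, "grace-pc"),
]

if __name__ == "__main__":
    print("naive policy:", gateway(SAMPLE, notify_sender=True))
    print("Klez-aware policy:", gateway(SAMPLE, should_notify_sender("Klez.h")))
```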
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon May 20 2002 - 06:09:53 PDT