Drew Smith <drewat_private> wrote:

> Ok, let's try this again, with a little more time spent on my side. ;)
> Tried to submit this earlier today, but got bounced for attaching the
> worm source to the message. So, this time, I'm attaching a URL instead,
> where you can go get the source if you want to see it.

Still dubious, at best...

Viruses tend to be self-spreading and they are not security exploits but
failures to suitably verify integrity. If you cannot work out the
fundamental differences between such and security flaws, and thus
comprehend why making virus code publicly available is a very bad idea,
then maybe you should not be handling them at all?

> This worm *ripped* through our office today - it's one part flaw in
> Microsoft's security model and one part social engineering; it is a
> NON-MALICIOUS worm, but it effectively proves the concept, and I don't
> foresee more than a week or two before there's a nasty version.

Well, the fact it "deliberately" does something it ought not is
sufficient for most people to consider it "malicious". It may not be
"seriously damaging" but that is another issue.

> We've been calling it the "cool worm", after the original filename,
> "cool.html".

It is (will be) officially called JS/CoolNow.

NAI (McAfee) has added generic detection of code attempting the exploit:

   http://vil.nai.com/vil/content/v_99356.htm

Symantec (NAV) has picked the, IMNSHO, silly name JS.Menger.worm:

   http://www.sarc.com/avcenter/venc/data/js.menger.worm.html

CA has added detection of various variants as JS/CoolNow:

   http://www3.ca.com/virus/virus.asp?ID=10949

and as it was the first company to send samples to various places it
gets to pick/set the "official" name.

Trend has (for now) followed Symantec's name:

   http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=JS_MENGER.GEN

> I said *ripped*. I meant it. 40 people affected/infected in under 30
> seconds. That's the dangerous part, I didn't even have time to go to
> the other room to let coworkers know what was up.
>
> The worm shows up as an MSN Messenger message that says "Go To
> http://www.masenko-media.net/cool.html NoW !!!". The user, obviously,

There are several minor variants, at least insofar as the web site
mentioned in the message. As it depends on centrally hosting its code,
it is easily stopped by getting on the phone and talking with the abuse
folk at the affected web sites/hosting services. (Flushing any caching
proxies you have would help too...)

> clicks the URL, which takes them to the site, where the malicious code
> sits. The code opens the MSN Contacts list, then messages every contact
> with the message "Go To http://www.masenko-media.net/cool.html NoW
> !!!".
>
> Think about that for a second.

It's an Internet Explorer scripting bug whose true significance was
displayed with an example of exactly this exploit a few days ago. The
fix is to install the latest IE security patches -- MS01-005. Given MS's
appalling record for such nasty scripting(-related) flaws in IE, surely
any security-concerned admin would have installed them the moment they
were made available...

Better yet, get rid of IE! It is impossible to use with scripting
disabled and enabling its scripting opens you to far too many far too
serious security flaws.

> Anyhow - the worm does nothing nasty, but the source to the (now down)
> masenko-media.net site also mails the hostname and user agent of the
> connecting host to "mmargaeat_private".

...and different variants are based on different pages, thus sending
suitably different messages and posting "acknowledgements" to different
Email addresses (or is it attempting an Email DoS of different
targets??).

(BTW, from a *very* quick look at a couple of these things, I think this
mailing mechanism takes advantage of vulnerable formmail.pl
implementations to do the actual mailing.)

> Looks to me like an experiment that got loose from the lab, but it

Nope -- given the variants showing up at the same time, it was almost
certainly a deliberately malicious attempt to be the first person to get
a worm or virus "out there" that used this latest exploit of an IE
vulnerability.

> demonstrates a *dangerous* flaw.

Unnecessary -- a sample exploit was published several days ago.

> ... Why can a webpage open the contacts
> list in the first place? What other hooks does MSN Messenger provide?
> Can you harvest email addresses from a contact list?

This is the standard MS/scripting/ActiveX shit that goes wrong when the
klutz-brains that pass as programmers in Redmond mess up yet another
security-sensitive interface.

If you are really concerned about such things, why is your site even
using IE?? Seriously! IE has a truly grievous record of similarly
gobsmackingly bad holes. Sane people should not only not be using it
**but also** demanding MS supply details of how to remove all of IE's
tentacles from their machines. (Of course, MS will not do this.
Remember the "DoJ defense" -- "IE *is part of* the OS".)

Oh well, perhaps consider another OS??

> Too many scary implications.

Nah -- run of the mill for MS since they added scripting to IE and HTML
to their mail (and other) clients. This is why Billy Boy plied us with
platitudes about "trustworthy computing" a few days before appointing a
*lawyer* to run the effort to convince Microsoft's big corporate
customers, *and especially the US government* (therefore keeping its
lucrative DoD contracts intact), that Microsoft could finally make its
2-bit OS worthy of big-time computing needs. However, it will fail until
it fundamentally changes its internal culture and realizes that a real
OS is not just an OS for a *personal* computer with a few security
doo-dads screwed on as an afterthought.

> Worm source (with a few important lines removed, so that it doesn't
> start popping up *everywhere*), available at:

Please -- anyone who sees any different URLs referenced by variants of
this thing, safely snarf the pages with wget or the view-source: trick
in IE and send copies of the pages to your preferred antivirus
developers. A list of the sample submission addresses for the better
known developers is included here to assist you:

   Command Software               <virusat_private>
   Computer Associates (US)       <virusat_private>
   Computer Associates (Vet/IPE)  <ipevirusat_private>
   DialogueScience (Dr.Web)       <Antivirat_private>
   Eset (NOD32)                   <trnkaat_private>
   F-Secure Corp.                 <samples@f-secure.com>
   Frisk Software                 <viruslab@f-prot.com>
   Kaspersky Labs                 <newvirusat_private>
   Network Associates (US)        <virus_researchat_private>
   Norman (NVC)                   <analysisat_private>
   Sophos Plc.                    <supportat_private>
   Symantec                       <avsubmitat_private>
   Trend Micro                    <virus_doctorat_private>

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
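Added example (editor's note): the post's response plan is to find every hosting URL the variants use, report them to the hosts' abuse desks, block them, and flush caching proxies. The script below is not from either poster and is not the worm source; it is triage code written for this archive page. It takes the lure text exactly as quoted above ("Go To <URL> NoW !!!") and assumes, beyond what the post states, that every variant keeps that sentence frame and changes only the URL. The messenger messages, the proxy log lines (Squid native access.log format), the client addresses and the host mirror.example are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Lure text as quoted in the post. Assumption: variants differ only in the
# hosted URL, so the pattern accepts any http(s) URL in that sentence frame.
LURE_RE = re.compile(r"\bGo To\s+(https?://\S+)\s+NoW\s*!+", re.IGNORECASE)

# Constructed sample: MSN Messenger messages as a helpdesk might paste them
# into a ticket. mirror.example is a made-up variant host.
SAMPLE_MESSAGES = [
    "Go To http://www.masenko-media.net/cool.html NoW !!!",
    "lunch at 12?",
    "go to http://mirror.example/cool.html NoW !!",
    "Go To http://www.masenko-media.net/cool.html NoW !!!",
]

# Constructed Squid-style access.log lines (native format: timestamp,
# elapsed ms, client, result-code/status, bytes, method, URL, ident,
# hierarchy/peer, content type). Addresses are made up.
SAMPLE_LOG = """\
1013676543.123    210 192.168.1.17 TCP_MISS/200 2310 GET http://www.masenko-media.net/cool.html - DIRECT/10.0.0.1 text/html
1013676544.501     12 192.168.1.17 TCP_HIT/200 2310 GET http://www.masenko-media.net/cool.html - NONE/- text/html
1013676545.002    180 192.168.1.42 TCP_MISS/200 1900 GET http://mirror.example/cool.html - DIRECT/10.0.0.2 text/html
1013676546.770    300 192.168.1.42 TCP_MISS/200 510 POST http://mirror.example/cgi-bin/formmail.pl - DIRECT/10.0.0.2 text/html
1013676547.000     90 192.168.1.99 TCP_MISS/200 9000 GET http://www.example.com/index.html - DIRECT/10.0.0.3 text/html
"""


def extract_lure_urls(messages):
    """Distinct hosting URLs found in lure messages, in first-seen order."""
    seen = []
    for text in messages:
        for url in LURE_RE.findall(text):
            if url not in seen:
                seen.append(url)
    return seen


def hosts_to_block(urls):
    """Hostnames to block at the proxy and to report to the hosts' abuse desks."""
    hosts = set()
    for u in urls:
        host = urlparse(u).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def _parse_squid(line):
    """Return (client, result_code, method, url), or None for a malformed line."""
    parts = line.split()
    if len(parts) < 7:
        return None
    return parts[2], parts[3], parts[5], parts[6]


def lure_fetches(log_text, blocked_hosts):
    """Map each lure host to the sorted list of internal clients that touched it.

    Every client listed here followed the lure, so it is a candidate for
    having run the script and messaged its own contact list.
    """
    hits = {}
    for line in log_text.splitlines():
        rec = _parse_squid(line)
        if rec is None:
            continue
        client, _code, _method, url = rec
        host = (urlparse(url).hostname or "").lower()
        if host in blocked_hosts:
            hits.setdefault(host, set()).add(client)
    return {h: sorted(c) for h, c in hits.items()}


def cached_lure_objects(log_text, blocked_hosts):
    """URLs on lure hosts that the proxy has served from its cache.

    A non-empty result means the page keeps being served locally even after
    the hosting site takes it down, which is why the cache needs flushing too.
    """
    cached = set()
    for line in log_text.splitlines():
        rec = _parse_squid(line)
        if rec is None:
            continue
        _client, code, _method, url = rec
        host = (urlparse(url).hostname or "").lower()
        if host in blocked_hosts and "HIT" in code.split("/")[0]:
            cached.add(url)
    return sorted(cached)


if __name__ == "__main__":
    hosts = hosts_to_block(extract_lure_urls(SAMPLE_MESSAGES))
    print("lure hosts to block / report:", hosts)
    for host, clients in lure_fetches(SAMPLE_LOG, hosts).items():
        print(f"{host}: fetched by {', '.join(clients)}")
    print("still in proxy cache:", cached_lure_objects(SAMPLE_LOG, hosts))
```

Run it against a real access.log and a file of pasted lure messages and the three results map directly onto the post's advice: the host list goes to the abuse desks and the proxy blocklist, the client list tells you which desks to visit, and a non-empty cache list means the proxy still needs purging after the site is down.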
This archive was generated by hypermail 2b30 : Thu Feb 14 2002 - 09:10:51 PST