Clock ticking on worm attack code

Experts are warning that hackers have yet to activate the payload of the Conficker virus.

The worm is spreading through low security networks, memory sticks, and PCs without current security updates.

The malicious program – also known as Downadup or Kido – was first discovered in October 2008.

Although the spread of the worm appears to be levelling off, there are fears someone could easily take control of any and all of the 9.5m infected PCs.

Speaking to the BBC, F-Secure’s chief research officer, Mikko Hypponen, said there was still a real risk to users.

“Total infections appear to be peaking. That said, a full count is hard, because we also don’t know how many machines are being cleaned. But we estimate there are still more than 9m infected PCs world wide.

“It is scary thinking about how much control they [a hacker] could have over all these computers. They would have access to millions of machines with full administrator rights.

“But they haven’t done that yet, maybe they’re scared. That’s good news. But there is also the scenario that someone else figures out how to activate this worm. That is a worrying prospect.”

Experts say users should have up-to-date anti-virus software and install Microsoft’s MS08-067 patch. The patch is known as KB958644.

Speaking to the BBC, Graham Cluley, senior technology consultant with anti-virus firm Sophos, said the outbreak was of a scale they had not seen for some time.

“Microsoft did a good job of updating people’s home computers, but the virus continues to infect business who have ignored the patch update.

“A shortage of IT staff during the holiday break didn’t help and rolling out a patch over a large number of computers isn’t easy.

“What’s more, if your users are using weak passwords – 12345, QWERTY, etc – then the virus can crack them in short order,” he added.

“But as the virus can be spread with USB memory sticks, even having the Windows patch won’t keep you safe. You need anti-virus software for that.”

Method
According to Microsoft, the worm works by searching for a Windows executable file called “services.exe” and then becomes part of that code.

It then copies itself into the Windows system folder as a random file of a type known as a “dll”. It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service.

Once the worm is up and running, it creates an HTTP server, resets a machine’s System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker’s web site.

Most malware uses one of a handful of sites to download files from, making them fairly easy to locate, target, and shut down.

But Conficker does things differently.

Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers’ files. On the face of it, tracing this one site is almost impossible.

Variant
Speaking to the BBC, Kaspersky Lab’s security analyst Eddy Willems said that a new strain of the worm was complicating matters.

“There was a new variant released less than two weeks ago and that’s the one causing most of the problems,” said Mr Willems

“The replication methods are quite good. It’s using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creating new variants though this mechanism.

“Of course, the real problem is that people haven’t patched their software,” he added.

Microsoft says that the malware has infected computers in many different parts of the world, with machines in China, Brazil, Russia, and India having the highest number of victims.
Read more »

Microsoft warns of SQL attack

Just days after patching a critical flaw in its Internet Explorer browser, Microsoft is now warning users of a serious bug in its SQL Server database software.

Microsoft issued a security advisory late Monday, saying that the bug could be exploited to run unauthorized software on systems running versions of Microsoft SQL Server 2000 and SQL Server 2005.

Attack code that exploits the bug has been published, but Microsoft said that it has not yet seen this code used in online attacks. Database servers could be attacked using this flaw if the criminals somehow found a way to log onto the system, and Web applications that suffered from relatively common SQL injection bugs could be used as stepping stones to attack the back-end database, Microsoft said.

Desktop users running the Microsoft SQL Server 2000 Desktop Engine or SQL Server 2005 Express could be at risk in some circumstances, Microsoft said.

The bug lies in a stored procedure called “sp_replwritetovarbin,” which is used by Microsoft’s software when it replicates database transactions. It was publicly disclosed on December 9 by SEC Consult Vulnerability Lab, which said it had notified Microsoft of the issue in April.

“Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue,” Microsoft said in its advisory.

This is the third serious bug in Microsoft’s software to be disclosed in the past month, but it is unlikely to be used in widespread attacks, according to Marc Maiffret, director of professional services, with The DigiTrust Group, a security consulting firm. “It is rather low risk given other vulnerabilities that exist,” he said via instant message. “There are a lot of better ways to currently compromise windows systems.”

After seeing the Internet Explorer flaw used in a growing number of online attacks, Microsoft rushed out an emergency patch for the issue last Wednesday. The company says it has also seen “limited and targeted attacks” exploiting a serious bug in the WordPad Text Converter for Word 97 files. As with the SQL bug, this WordPad converter vulnerability has not been patched, but is a prime candidate to be fixed in Microsoft’s upcoming January 13 security updates.

Read more »

Experts accuse Bush Administration of foot-dragging on DNS security hole

Despite a recent high-profile vulnerability that showed the net could be hacked in minutes, the domain name system — a key internet infrastructure — continues to suffer from a serious security weakness, thanks to bureaucratic inertia at the U.S. government agency in charge, security experts say.

If the complicated politics of internet governance continue to get in the way of upgrading the security of the net’s core technology, the internet could turn into a carnival house of mirrors, where no URL or e-mail address could be trusted to be genuine, according to Bill Woodcock, research director at the nonprofit Packet Clearing House.

“The National Telecommunications and Information Administration, an agency of the Department of Commerce, is the show-stopper here,” Woodcock said.

At issue is the trustworthiness of the domain name system, or DNS, which serves as the internet’s phone book, translating queries such as wikipedia.org into the numeric IP address where the site’s server lives.

Just weeks ago, security researcher Dan Kaminsky announced he’d discovered a way for hackers to feed fake info into DNS listings, which would allow hackers to redirect web traffic at will — for example, routing every person attempting to log in to the Bank of America to a fake site controlled by the attacker.

Kaminsky quietly worked with large tech companies to build patches for the net’s name servers to make the attack more difficult. But security experts, and even the NTIA, say those patches are just temporary fixes; the only known complete fix is DNSSEC — a set of security extensions for name servers.

Those extensions cryptographically sign DNS records, ensuring their authenticity like a wax seal on an letter. The push for DNSSEC has been ramping up over the last few years, with four regions — including Sweden (.SE) and Puerto Rico (.PR) — already securing their own domains with DNSSEC. Four of the largest top-level domains — .org, .gov, .uk and .mil, are not far behind.

But because DNS servers work in a giant hierarchy, deploying DNSSEC successfully also requires having someone trustworthy sign the so-called “root file” with a public-private key. Otherwise, an attacker can undermine the entire system at the root level, like cutting down a tree at the trunk. That’s where the politics comes in. The DNS root is controlled by the Commerce Department’s NTIA, which thus far has refused to implement DNSSEC.

The NTIA brokers the contracts that divide the governance and top-level operations of the internet between the nonprofit ICANN and the for-profit VeriSign, which also runs the .com domain.

“They’re the only department of the government that isn’t on board with securing the Domain Name System, and unfortunately, they’re also the ones who Commerce deputized to oversee ICANN,” Woodcock said.

“The biggest difference is that once the root is signed and the public key is out, it will be put in every operating system and will be on all CDs from Apple, Microsoft, SUSE, Freebsd, etc,” says Russ Mundy, principal networking scientist at Sparta, Inc, which has been developing open-source DNSSEC tools for years with government funding, He says the top-level key is “the only one you have to have, to go down the tree.”

A European networking group known as RIPE called in June 2007 for the root to be signed, with Swedish and British representatives echoing the call in October. But NTIA is not moving quickly enough to sign the root, given the looming threat, even after the final technical problems have been resolved, according to Woodcock and others.

“A few years ago, there were still technical hurdles to actually signing and using DNSSEC, but in the past few years, a lot of software tools, both commercial and open-source, have come out, and now it’s a completely solved problem,” Woodcock said. “All that’s left is the far less tractable, purely political problem.”

“Arguing over who gets to hold the cryptographic keys in the long run [should] wait until we’re not facing a critical threat,” Woodcock said.

But the NTIA insists it is moving at just the right pace.

“We are committed to taking no action that would have the potential to adversely affect the operational stability of the DNS,” says spokesman Bart Forbes. “While there is increasing pressure to secure the DNS, NTIA must work with all stakeholders and consider all possible solutions.”

Olaf Kolkman, a Dutch networking export, says there’s no time to waste. The only way for DNSSEC to work is for the top-level zone file — which lists the specifics for top-level domains like .gov — to be signed by a trusted authority.

“Currently DNSSEC is the only mechanism known to protect against the Kaminsky attack,” Kolkman said. “It is not clear that other solutions will provide the same level of protection as DNSSEC.”

Without such extensions, a hacker eager for trade secrets could hijack the DNS listing for Apple’s e-mail server and insert the number for a server he controls instead. He could then keep a copy of every message sent to the company and forward them all. No one would likely to be any wiser until a human looked closely at the mail headers.

Still, even DNSSEC’s most fervent backers admit that signing the root won’t instantly secure the net. Installing the extensions internet-wide will be costly and time-intensive, but proponents say that getting the root signed will turbocharge the process.

The Internet Assigned Numbers Authority — which coordinates the internet — has been prototyping a system to sign the root-zone file for the last year, but they can’t do the same for the internet’s top servers without approval from the Department of Commerce.

That’s where the rub is, according to Kolkman.

“Then the issue becomes political because there seems to be the perception that the introduction of a key guardian changes the current policies,” Kolkman said

That could also simplify how top-level zone files are created, according to Richard Lamb, a technical expert at IANA. Currently companies that manage top-level domains like .com submit changes to ICANN, which then sends them to NTIA for approval, before they’re forwarded to VeriSign. VeriSign actually edits the root file and publishes it to the 13 root servers around the world.

“We would want to bring the editing, creation and signing of the root zone file here,” to IANA, Lamb said, noting that VeriSign would likely still control distribution of the file to the root servers, and there would be a public consultation process that the change was right for the net.

But changing that system could be perceived as reducing U.S. control over the net — a touchy geopolitical issue. ICANN is often considered by Washington politicians to be akin to the United Nations, and its push to control the root-zone file could push the U.S. to give more control to VeriSign, experts say.

VeriSign did not respond to a request for comment, but its CTO said earlier this year that it was creating its own root-zone file-signing test bed.

The root-zone file, which contains entries for the 300 or so top-level domains such as .gov and .com, changes almost every day, but the number of changes to the file will likely increase radically in the near future, since ICANN decided in June to allow an explosion of new top-level domain names.

Woodcock isn’t buying the assurances of NTIA that it is simply moving deliberatively.

“If the root isn’t signed, then no amount of work that responsible individuals and companies do to protect their domains will be effective,” Woodcock said. “You have to follow the chain of signatures down from the root to the top-level domain to the user’s domain. If all three pieces aren’t there, the user isn’t protected.”

Read more »

Yahoo search to ‘battle spyware’

Yahoo is introducing new technology to its search engine which will warn users if they are about to click on a website that hosts viruses, spyware and spam.

SearchScan uses security firm McAfee’s SiteAdvisor technology to warn users about “potentially risky sites”.

The service, which is switched on by default, produces an on-screen alert.

“Our goal is to protect users by allowing them to make a more informed decision about the sites they visit,” said Yahoo’s Priyank Garg.

Rival firm Google introduced similar technology in 2006.

Yahoo’s service will warn users about three types of risk:

• Browser exploits: Sites that can harm a user’s computer or install malware simply by visiting the site. Any such sites or pages included in McAfee’s data will be removed from search results automatically.
• Dangerous downloads: SearchScan will display warnings next to search results for sites that offer potentially dangerous software, such as viruses, spyware or adware.
• Unsolicited e-mail: SearchScan will alert users to scanned sites that send unsolicited e-mails or inappropriately share e-mail addresses with third parties.

Viruses, spyware and adware programs are often “hidden” inside innocuous-looking programs such as screensavers and toolbars.

Industry analysts IDC estimate that 67% of all computers have some form of spyware installed without a user’s knowledge.

Read more »

Nielsen to offer copyright protection system for the web

Nielsen, best-known for its rankings of TV programming, said Wednesday it is developing a system that would police Web sites for copyrighted material, and notify site owners and content providers when video has been posted without authorization.

Nielsen is developing the system with Digimarc, a provider of digital watermarking technology. The service, which the companies plan to start rolling out in the second quarter of next year, would tap into technology Nielson currently uses in the services it sells to advertisers and TV networks.

The system would first be used for policing the use of TV programs, clips of which are often posted on user-generated content sites, such as YouTube, which is owned by Google. Much of that content is uploaded without authorization or compensation to the content provider, which has led to tension between Internet companies and Hollywood studios. These tensions reached a peak in March whenViacom filed a $1 billion lawsuit against Google, accusing the company of massive copyright infringement.

The Nielsen/Digimarc system would be offered as a way to quickly discover unauthorized content on sites. To do that, the system would leverage Nielsen’s existing watermark technology, which is used on more than 95% of TV programming distributed today. The watermarks are used by the meters installed in people’s home to identify the programs they watch. Nielsen sells data from people’s viewing habits to TV networks and advertisers.

Besides watermarking, Nielsen also tags over-the-air TV programs intercepted by 700 installations across the nation. For those programs without watermarks, Nielsen creates a digital signature based on unique patterns in the audio signal.

Nielsen’s watermarks and digital signatures are stored in a database that would be used in the copyright-protection system. When a clip is posted on a Web site, the system would search for the watermark. If one doesn’t exist, then the system would create a digital signature. In either case, the identifier would be compared to what’s in the database to find a match. Once the program is identified, the Nielsen system could notify site operators and content providers when a clip is being shown without authorization.

While the system wouldn’t automatically delete unauthorized material, Web site owners could configure their systems to take that step. “The purpose of this system is not to be a policeman on the Internet, but to provide a system where the content provider can have confidence and knowledge of where their programming is being distributed,” Dave Harkness, senior VP of strategy and business development at Nielsen, told InformationWeek. “They also can develop a business relationship with the content distributor, which in this case is the Web site.”

Nielsen is confident it can convince many TV producers to buy into the system, since the company already has relationships with most of these businesses. Convincing Web sites may be more difficult, since many already have some kind of copyright-protection system in place or are developing one. Google, for example, is developing a system for YouTube. In general, most sites take down unauthorized content as soon as the owners notify them.

Nielsen believes it can turn many sites into customers by offering a system that’s ready to plug into their infrastructure, saving them the cost of building a copyright-protection system themselves, Harkness said. Besides generating revenue from the service, Nielson could also use it to track the use of video on the Web and sell the gathered data to advertisers.

If Nielsen launches its service it will have competitors, albeit smaller businesses. Those companies that provide services for policing the use of copyrighted content online include Audible Magic, Vobile, and BayTSP.

Read more »