Security Incidents mailing list archives

Re: New MSN Messenger Worm


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 14 Feb 2002 20:30:21 +1200

Drew Smith <drew () eastvan bc ca> wrote:

      Ok, let's try this again, with a little more time spent on my side. ;) 
Tried to submit this earlier today, but got bounced for attaching the
worm source to the message.  So, this time, I'm attaching a URL instead,
where you can go get the source if you want to see it.

Still dubious, at best...

Viruses tend to be self-spreading and they are not security exploits 
but failures to suitably verify integrity.  If you cannot work out 
the fundamental differences between such and security flaws, and thus 
comprehend why making virus code publicly available is a very bad 
idea, then maybe you should not be handling them at all?

      This worm *ripped* through our office today - it's one part flaw in
Microsoft's security model and one part social engineering; it is a
NON-MALICIOUS worm, but it effectively proves the concept, and I don't
foresee more than a week or two before there's a nasty version.  

Well, the fact it "deliberately" does something it ought not is 
sufficient for most people to consider it "malicious".  It may not 
be "seriously damaging" but that is another issue.

      We've been calling it the "cool worm", after the original filename,
"cool.html".

It is (will be) officially called JS/CoolNow.  NAI (McAfee) has added 
generic detection of code attempting the exploit:

   http://vil.nai.com/vil/content/v_99356.htm

Symantec (NAV) has picked the, IMNSHO, silly name JS.Menger.worm:

   http://www.sarc.com/avcenter/venc/data/js.menger.worm.html

CA has added detection of various variants as JS/CoolNow:

   http://www3.ca.com/virus/virus.asp?ID=10949

and as it was the first company to send samples to various places it 
gets to pick/set the "official" name.  Trend has (for now) followed 
Symantec's name:

   http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=JS_MENGER.GEN

      I said *ripped*.  I meant it.  40 people affected/infected in under 30
seconds.  That's the dangerous part, I didn't even have time to go to
the other room to let coworkers know what was up.

      The worm shows up as an MSN Messenger message that says "Go To
http://www.masenko-media.net/cool.html NoW !!!".  The user, obviously,

There are several minor variants at least insofar as the web site 
mentioned in the message.  As it depends on centrally hosting its 
code, it is easily stopped by getting on the phone and talking with 
the abuse folk at the affected web sites/hosting services.  (Flushing 
any caching proxies you have would help too...)

clicks the URL, which takes them to the site, where the malicious code
sits.  The code opens the MSN Contacts list, then messages every contact
with the message "Go To http://www.masenko-media.net/cool.html NoW
!!!".  

      Think about that for a second.

It's an Internet Explorer scripting bug whose true significance was 
displayed with an example of exactly this exploit a few days ago.

The fix is to install the latest IE security patches -- MS01-005.  
Given MS's appalling record for such nasty scripting(-related) flaws 
in IE, surely any security-concerned admin would have installed them 
the moment they were made available...  Better yet, get rid of IE!
It is impossible to use with scripting disabled and enabling its 
scripting opens you to far too many far too serious security flaws.

      Anyhow - the worm does nothing nasty, but the source to the (now down)
masenko-media.net site also mails the hostname and user agent of the
connecting host to "mmargae () wanadoo nl".

...and different variants are based on different pages thus sending
suitably different messages and posting "acknowledgements" to
different Email addresses (or is it attempting an Email DoS of 
different targets??).

(BTW, from a *very* quick look at a couple of these things, I 
think this mailing mechanism takes advantage of vulnerable 
formmail.pl implementations to do the actual mailing.)

      Looks to me like an experiment that got loose from the lab, but it

Nope -- given the variants showing up at the same time, it was almost 
certainly a deliberately malicious attempt to be the first person to 
get a worm or virus "out there" that used this latest exploit of an 
IE vulnerability.

demonstrates a *dangerous* flaw.  

Unnecessary -- a sample exploit was published several days ago.

...  Why can a webpage open the contacts
list in the first place?  What other hooks does MSN Messenger provide? 
Can you harvest email addresses from a contact list? 

This is the standard MS/scripting/ActiveX shit that goes wrong when 
the klutz-brains that pass as programmers in Redmond mess up yet 
another security-sensitive interface.  If you are really concerned 
about such things, why is your site even using IE??

Seriously!

IE has a truly grievous record of similarly gobsmackingly bad holes.
Sane people should not only not be using it **but also** demanding MS
supply details of how to remove all of IE's tentacles from their
machines.  (Of course, MS will not do this.  Remember the "DoJ 
defense" -- "IE *is part of* the OS".)  Oh well, perhaps consider 
another OS??

      Too many scary implications.

Nah -- run of the mill for MS since they added scripting to IE and HTML 
to their mail (and other) clients.

This is why Billy Boy plied us with platitudes about "trustworthy 
computing" a few days before appointing a *lawyer* to run the effort 
to convince Microsoft's big corporate customers, *and especially the 
US government* (therefore keeping its lucrative DoD contracts 
intact), that Microsoft could finally make its 2-bit OS worthy of 
big-time computing needs.

However, it will fail until it fundamentally changes its internal 
culture and realizes that a real OS is not just an OS for a 
*personal* computer with a few security doo-dads screwed on as an 
afterthought.

      Worm source (with a few important lines removed, so that it doesn't
start popping up *everywhere*), available at:

Please -- anyone who sees any different URLs referenced by variants 
of this thing, safely snarf the pages with wget or the view-source: 
trick in IE and send copies of the pages to your preferred antivirus 
developers.  A list of the sample submission addresses for the better 
known developers is included here to assist you:

   Command Software               <virus () commandcom com>
   Computer Associates (US)       <virus () ca com>
   Computer Associates (Vet/IPE)  <ipevirus () vet com au>
   DialogueScience (Dr.Web)       <Antivir () dials ru>
   Eset (NOD32)                   <trnka () eset sk>
   F-Secure Corp.                 <samples () f-secure com>
   Frisk Software                 <viruslab () f-prot com>
   Kaspersky Labs                 <newvirus () kaspersky com>
   Network Associates (US)        <virus_research () nai com>
   Norman (NVC)                   <analysis () norman no>
   Sophos Plc.                    <support () sophos com>
   Symantec                       <avsubmit () symantec com>
   Trend Micro                    <virus_doctor () trendmicro com>


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

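Editor's added example (not part of the original post or Nick's reply): the message points out that the worm depends on a centrally hosted page, so the fastest incident-response check is to find out who on your network actually fetched it, and whether your caching proxy is still re-serving it. The script below does that over Squid-native access.log lines. It assumes the Squid native log layout (timestamp, elapsed, client, code/status, bytes, method, URL, ...), uses only the hosting URL named in the post, and the log lines embedded in it are constructed for illustration.

```python
"""Find clients that fetched the worm's hosting page from proxy logs.

Assumption (not from the post): Squid native access.log format, i.e.
  <epoch.ms> <elapsed> <client> <code>/<status> <bytes> <method> <url> ...
Only the host and filename quoted in the post are known; variants used
other sites, so WORM_HOSTS is meant to be extended as they are reported.
"""
import re
from collections import defaultdict

# Hosting site named in the post; add others as abuse desks report them.
WORM_HOSTS = {"www.masenko-media.net"}
WORM_PAGE = "cool.html"

LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?#]*)?")

# Constructed sample log, not real data. Note the third line is an
# unrelated fetch and the last line carries a query string.
SAMPLE_LOG = [
    "1013679001.123    412 10.1.2.15 TCP_MISS/200 5123 GET "
    "http://www.masenko-media.net/cool.html - DIRECT/203.0.113.7 text/html",
    "1013679003.456     20 10.1.2.22 TCP_HIT/200 5123 GET "
    "http://www.masenko-media.net/cool.html - NONE/- text/html",
    "1013679004.000    300 10.1.2.22 TCP_MISS/200 812 GET "
    "http://www.example.org/index.html - DIRECT/198.51.100.9 text/html",
    "1013679010.789     18 10.1.2.31 TCP_HIT/200 5123 GET "
    "http://www.masenko-media.net/cool.html?x=1 - NONE/- text/html",
    "this line is not a squid record",
]


def parse_line(line):
    """Return a dict with client, result, host, path and url, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = URL_RE.match(m.group("url"))
    if not u:
        return None
    return {
        "client": m.group("client"),
        "result": m.group("result"),       # e.g. TCP_HIT/200
        "host": u.group("host").lower(),
        "path": u.group("path") or "/",    # query string already stripped
        "url": m.group("url"),
    }


def find_exposed_clients(lines, hosts=WORM_HOSTS, page=WORM_PAGE):
    """Map client -> list of worm-page URLs it requested.

    Also counts how many of those requests were served from the proxy
    cache (TCP_HIT etc.): if that number is non-zero, the proxy keeps
    handing out the page even after the hosting site is taken down,
    which is why the post says to flush caching proxies.
    """
    hits = defaultdict(list)
    served_from_cache = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["host"] in hosts and rec["path"].rsplit("/", 1)[-1] == page:
            hits[rec["client"]].append(rec["url"])
            if "HIT" in rec["result"].split("/")[0]:
                served_from_cache += 1
    return dict(hits), served_from_cache


def squid_block_acl(hosts=WORM_HOSTS):
    """Squid config lines that refuse the hosting sites while you
    chase the abuse desks; the ACL name is an assumption."""
    lines = ["acl coolworm_hosts dstdomain " + " ".join(sorted(hosts)),
             "http_access deny coolworm_hosts"]
    return "\n".join(lines)


if __name__ == "__main__":
    exposed, cached = find_exposed_clients(SAMPLE_LOG)
    for client, urls in sorted(exposed.items()):
        print(f"{client}: {len(urls)} fetch(es) of the worm page")
    print(f"served from proxy cache: {cached}")
    print(squid_block_acl())
```

Run it against your own access.log by replacing SAMPLE_LOG with the file's lines; every client it lists is a workstation whose user clicked the link and therefore whose contact list has already been messaged, so those are the people to reach first.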
