Re: Hacker exploits make PC worms deadlier

[InfoSec News <isn () c4i org>]

Forwarded from: Aj Effin Reznor <aj () reznor com>

"InfoSec News was known to say....."
 
> http://www.zdnet.com/zdnn/stories/news/0,4586,2818419,00.html?chkpt=zdnn_nbs_hl
>
> By Wendy McAuliffe
> ZDNet (UK) 
> October 18, 2001 5:20 AM PT

With writing like this, it's no wonder that ZDNet doesn't have links
to author's email addresses on their bylines.  At lease Wired has the
decency to allow their writers to take responsbility for what they
write....
  
> Computer worms are set to become a more deadly combination of
> virus writing and hacker exploits, according to security experts
> at Symantec.

This, as with the title, are FAR off base....  Worm writers are NOT
becoming more deadly, they're merely catching up with exploit gaping
holes embedded in shoddy operating systems...
 
> Code Red and Nimda marked the demise of socially engineered worms,
> by combining a blended threat of proven hacker exploits. Both
> worms attacked the same buffer-overflow vulnerability in
> Microsoft's IIS software, while Nimda additionally incorporated a
> mass-mailing component enabling the virus to propagate on a
> massive scale. Neither of the worms relied on the traditional need
> for an infected computer user to double-click on a malicious
> attachment.

Again with the Counterpane school of thought... Nimda did *NOT* email
itself... Sircam did, Nimda did not.  While it may have created bogus
.eml files on infected machines, it did not utilize email to propegate
itself without user intervention.  Either this is a user-less worm, or
it isn't.  The author seems to be rather confused.

> "Nimda and Code Red have eliminated the need for human
> intervention, by virus writers using what hackers have already
> provided," said Eric Chien, chief researcher at Symantec. "One
> year ago email worms were the big threat, as they spread quickly
> and far--but now a lot more virus writers will be looking at the
> hacker worm."

So a malicious coder is either hacker or virus writer... no crossover
is allowed?

> Chien predicts that by next year, the "blended" threat of computer
> worms could be enough to cause a serious Internet slowdown.
> Antivirus experts at Symantec have already developed an algorithm
> to prove that by removing human interaction from the virus
> equation, every PC connected to the Internet could be affected by
> a single worm within 20 minutes.

EVERY PC?  Or EVERY PC running a MS OS?  Personally, my machines are
either behind firewalls, or hardened.  I know of at least a dozen that
won't be infected.  Mr. Chien needs to put down the glass pipe lest he
starts mentioning the dreaded "Digital Pearl Harbour"!!!
 
> But the trend towards blended virus attacks is blurring the lines
> of responsibility for computer worms. On Wednesday, Microsoft
> launched a verbal attack on security firms and hackers who release
> what it calls virus "blueprints". A study done by Microsoft on
> recent attacks by worms such as Code Red and Nimda found that each
> had been prefaced by the release of so-called exploit code--sample
> programs created by security firms and hackers to exploit software
> flaws.

Yes, I have issue with this, also.  I have yet to see a study from MS,
an actual study, to back this up.  This appears to be yet another slam
against eEye, as they were pointed at for releasing data on the
default.ida exploit.

HOWEVER, it has been proven time and time again that CR (and by
extention, Nimda) do NOT use an entry point remotely close to the one
that eEye described.

So, since they can be exonerated of any wrongdoing or blame
whatsoever, then WHAT could MS be poooooooooossibly talking about?
 
> "Responsibility lies with the people who release the worm, not
> necessarily the people who wrote it," said Chein. The Anna
> Kournikova

Too bad it doesn't lie with journalists, also.

> virus, for example, was written with the help of an existing virus
> toolkit available on the Internet, but Chein argues that the
> script kiddie who unleashed the virus is the person ultimately
> responsible for any damage caused to the networks.

So it's not the guy that shoots the gun, but the guy that loads it?
Yeah, that's going to hold up in a court of law!


To lob another volley, it's interest that Thomas C. "Full Disclosure
is Bad" Greene of the Reg/UK has again posted a story about a newfound
vulnerability (this time Microsoft's digital rights management
implementation) AND linked to exploit code in his story!

Bravo for journalistic integrity!

---

On a side note, my apologies to ISN subscribers who may tire of my
occasional rants.  Procmail me, it won't hurt my feelings.  While
many security minded professionals subscribe, I know there are several
CIO and CTO level types also on the list who may be inclined to
believe a good portion of the fluff out there.  Regardless of wether
or not "information should be free", the truth should be known....


-aj.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.