Another Computing Platform Gets Its First Virus

[InfoSec News <isn () c4i org>]

http://www.newsbytes.com/news/02/175855.html

By Brian McWilliams, Newsbytes
BARCELONA, SPAIN,
12 Apr 2002, 1:11 PM CST
 
SAPvir, the first virus to infect programs and reports used by the
high-end SAP R/3 business information system, was posted to an online
virus library this week.

Experts said the proof-of-concept code, which does not appear to be
present in the wild, is the latest effort by virus writers to target
"exotic" computing platforms.
 
The 24-line program, written in SAP's Advanced Business Application
Programming (ABAP) language, is designed to spread to other programs
on the local SAP system but does not appear to be destructive or
network-aware, according to a preliminary analysis of the code by
Jochen Hein, an independent SAP consultant based in Germany.

SAP R/3 is an integrated system used by many large corporations for
functions such as supply-chain management, business intelligence, and
financials, according to its developer, Germany-based SAP AG.

Bill Wall, a spokesman for SAP in the U.S., said the company does not
believe any customers have been infected by the code.

"What protects our customers is very deep security and very limited
access to these mission-critical systems. ABAP also requires a skill
set that goes beyond that of most hackers," said Wall.

According to its Web site, SAP is the third-largest software company
in the world.

The program was posted to VX Heavens, a large online library of
viruses, on Tuesday. According to the virus site's operator, he
received an email this week with a link to a Web page containing the
source code to SAPvir.

The page, which appears to be operated by Alex Bergonzini of
Barcelona, Spain, was last modified in October 2001, according to the
page's header. Bergonzini did not respond to interview requests.

A copyright notice in the code does not identify its author but
suggests SAPvir may have been written in 2000.

While SAPvir may contain bugs that prevent it from working on all SAP
platforms, according to Hein, the source code could easily be modified
by programmers who know ABAP to perform more malicious acts.

"An ABAP program can do anything in the SAP system, including
modifying data and leaving no trace," said Hein, who noted that a line
of programming comments in SAPvir states in Spanish, "Here the code of
destruction or effects of the virus goes."

While most computer viruses are written for Microsoft's Windows and
Word applications, in recent months, virus writers have created
programs that target Microsoft's new .NET platform, Macromedia's Flash
format, and Adobe's Acrobat software.

According to Patrick Hinojosa, chief technology officer for anti-virus
firm Panda Software, SAPvir is "academic" since an attacker would need
special authorization to plant the code on an SAP system.

"It looks like it would have to be an inside job," said Hinojosa, who
added that a person with such rights would already have the ability to
modify or destroy data without the need for a virus.

SAPvir is on the Web at
http://www.geocities.com/cbergalex/sap/sapvir.htm

SAP AG is at http://www.sap.com



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.