Home page logo

isn logo Information Security News mailing list archives

Re: Hacker exploits make PC worms deadlier
From: InfoSec News <isn () c4i org>
Date: Mon, 22 Oct 2001 03:20:47 -0500 (CDT)

Forwarded from: Aj Effin Reznor <aj () reznor com>

"InfoSec News was known to say....."

By Wendy McAuliffe
ZDNet (UK) 
October 18, 2001 5:20 AM PT

With writing like this, it's no wonder that ZDNet doesn't have links
to author's email addresses on their bylines.  At lease Wired has the
decency to allow their writers to take responsbility for what they
Computer worms are set to become a more deadly combination of
virus writing and hacker exploits, according to security experts
at Symantec.

This, as with the title, are FAR off base....  Worm writers are NOT
becoming more deadly, they're merely catching up with exploit gaping
holes embedded in shoddy operating systems...
Code Red and Nimda marked the demise of socially engineered worms,
by combining a blended threat of proven hacker exploits. Both
worms attacked the same buffer-overflow vulnerability in
Microsoft's IIS software, while Nimda additionally incorporated a
mass-mailing component enabling the virus to propagate on a
massive scale. Neither of the worms relied on the traditional need
for an infected computer user to double-click on a malicious

Again with the Counterpane school of thought... Nimda did *NOT* email
itself... Sircam did, Nimda did not.  While it may have created bogus
.eml files on infected machines, it did not utilize email to propegate
itself without user intervention.  Either this is a user-less worm, or
it isn't.  The author seems to be rather confused.

"Nimda and Code Red have eliminated the need for human
intervention, by virus writers using what hackers have already
provided," said Eric Chien, chief researcher at Symantec. "One
year ago email worms were the big threat, as they spread quickly
and far--but now a lot more virus writers will be looking at the
hacker worm."

So a malicious coder is either hacker or virus writer... no crossover
is allowed?

Chien predicts that by next year, the "blended" threat of computer
worms could be enough to cause a serious Internet slowdown.
Antivirus experts at Symantec have already developed an algorithm
to prove that by removing human interaction from the virus
equation, every PC connected to the Internet could be affected by
a single worm within 20 minutes.

EVERY PC?  Or EVERY PC running a MS OS?  Personally, my machines are
either behind firewalls, or hardened.  I know of at least a dozen that
won't be infected.  Mr. Chien needs to put down the glass pipe lest he
starts mentioning the dreaded "Digital Pearl Harbour"!!!
But the trend towards blended virus attacks is blurring the lines
of responsibility for computer worms. On Wednesday, Microsoft
launched a verbal attack on security firms and hackers who release
what it calls virus "blueprints". A study done by Microsoft on
recent attacks by worms such as Code Red and Nimda found that each
had been prefaced by the release of so-called exploit code--sample
programs created by security firms and hackers to exploit software

Yes, I have issue with this, also.  I have yet to see a study from MS,
an actual study, to back this up.  This appears to be yet another slam
against eEye, as they were pointed at for releasing data on the
default.ida exploit.

HOWEVER, it has been proven time and time again that CR (and by
extention, Nimda) do NOT use an entry point remotely close to the one
that eEye described.

So, since they can be exonerated of any wrongdoing or blame
whatsoever, then WHAT could MS be poooooooooossibly talking about?
"Responsibility lies with the people who release the worm, not
necessarily the people who wrote it," said Chein. The Anna

Too bad it doesn't lie with journalists, also.

virus, for example, was written with the help of an existing virus
toolkit available on the Internet, but Chein argues that the
script kiddie who unleashed the virus is the person ultimately
responsible for any damage caused to the networks.

So it's not the guy that shoots the gun, but the guy that loads it?
Yeah, that's going to hold up in a court of law!

To lob another volley, it's interest that Thomas C. "Full Disclosure
is Bad" Greene of the Reg/UK has again posted a story about a newfound
vulnerability (this time Microsoft's digital rights management
implementation) AND linked to exploit code in his story!

Bravo for journalistic integrity!


On a side note, my apologies to ISN subscribers who may tire of my
occasional rants.  Procmail me, it won't hurt my feelings.  While
many security minded professionals subscribe, I know there are several
CIO and CTO level types also on the list who may be inclined to
believe a good portion of the fluff out there.  Regardless of wether
or not "information should be free", the truth should be known....


ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]