Sunday, November 28, 2004

Open Letter To Anti-Virus Software Companies - A Response

The wife and I just got back from Thanksgiving Vacation with my folks a little bit ago, so I was checking out what I missed since Wednesday (yes, almost five days with no internet!!). Take a look at what I found on the Internet Storm Center’s diary for the 23rd…

http://isc.sans.org/diary.php?date=2004-11-23


quote:

Open Letter To Anti-Virus Software Companies - A Response

On November 5, 2004, Chris Mosby, SMS Administrator and MyITforum Security Message Board Moderator, sent us an "Open Letter To Anti-Virus Software Companies" that we thought was interesting enough to publish:

http://isc.sans.org/diary.php?date=2004-11-05

Our favorite CTO, Johannes Ullrich, stepped into the fray in the November 8th diary:

http://isc.sans.org/diary.php?date=2004-11-08

Yesterday, we received the following response from members of US-CERT's CME (Common Malware Enumeration) initiative. While we don't have any policy about providing "equal time", we thought that their response was also interesting enough to publish:

------------------begin letter------------------

As members of US-CERT’s Common Malware Enumeration (CME) initiative, we would like to respond to Mr. Chris Mosby’s “Open Letter to the Anti-Virus Software Companies” and let Mr. Mosby and the rest of your readers know that we recognize that there are challenges surrounding the “Virus Name Game.” US-CERT and leading security vendors are working together to solve these challenges.

As you may be aware, US-CERT sponsors the Common Vulnerabilities and Exposures list (CVE), which has addressed similar challenges in the vulnerability space (http://www.us-cert.gov/cve/). By building upon the success of CVE and applying the lessons learned, US-CERT, along with industry participants mentioned below, hopes to address many of the challenges that the anti-malware community currently faces with respect to identifying malware through the CME initiative.

As a “neutral third party” in the marketplace, US-CERT will coordinate with security vendors to implement a CME malware identification scheme. Limited operational capability is expected 1Q05; this phase will concentrate on the most important threats, including the recent Beagle/Bagle variants. The role of US-CERT will be to assign a CME identifier (e.g., CME-1234567) to each new, unique threat and to include additional incident response information when available. As our experience with CVE shows, once all parties adopt a neutral, shared identification method, effective information sharing can happen faster and with more accuracy, making it easier to distinguish between very similar threats. In this manner, US-CERT believes that an effective structure can be built to improve what is currently the chaotic world of malware identification.

As mentioned both in Mr. Mosby’s letter and the response posted on November 8th, there are significant obstacles to effective malware enumeration, including the large volume of malware and the fact that deconfliction can be difficult and time-consuming. The CVE experience confirms that strong industry support and involvement is required to meet these challenges. To this end, US-CERT is working with some of the key industry players, including McAfee, Symantec, TrendMicro, and Microsoft. In addition, US-CERT plans to meet with other stakeholders to explore how they can contribute and participate. To date, all parties have shown a strong willingness to work together toward the goal of improving the malware information resources available to AV software users, first responders, and malware analysts – anyone who depends on accurate, concise information about malware. Solving the virus naming problem is a challenging process, but a goal shared across the industry.

We certainly welcome observations such as Mr. Mosby’s. From our point of view, the question is not “why should we have CME IDs” but “how do we make CME IDs work?”

Desiree Beck, CME Technical Leader
US-CERT

Andy Purdy, Acting Director NCSD
Department of Homeland Security

Larry Hale, Deputy Director NCSD
Department of Homeland Security

Jimmy Kuo
McAfee Fellow - McAfee, Inc.

Matthew Braverman, Program Manager
Microsoft Corporation
Security Business and Technology Unit – Antivirus Team

Mady Marinescu, Development Lead
Microsoft Corporation
Security Business and Technology Unit – Antivirus Team

Randy Treit, Program Manager
Microsoft Corporation
Security Business and Technology Unit - Antivirus Team

Vincent Weafer, Senior Director, Symantec Security Response
Symantec Corporation

Oscar Chang, Executive Vice President
Trend Micro, Incorporated

Joe Hartmann, Director North American
Anti-virus Research Group
Trend Micro, Incorporated

-------------------end letter-------------------


All I can say is….WOW!!

Friday, November 19, 2004

Sober.I Worm - MEDIUM RISK by Secunia

Looks like Friday is virus day again. Keep an eye on your antivirus vendor's website; this has already reached Medium risk at Trend Micro and McAfee, and it looks like it is spreading fast.

Sober.I Worm - MEDIUM RISK by Secunia: "The Sober worm family is prolific in email generation and this new variant has been declared as MEDIUM RISK by Secunia, and it is reported to be spreading in France, Germany, and Australia.

Sober.I Worm - MEDIUM RISK by Secunia
http://secunia.com/virus_information/13463/win32.sober.i/
http://vil.nai.com/vil/content/v_130130.htm
http://www.sarc.com/avcenter/venc/data/w32.sober.i@mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBER.I
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=40797
http://www.f-secure.com/v-descs/sober_i.shtml
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=54761&sind=0 "
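The Sober.I links above show the same worm under four different vendor names, which is exactly the "Virus Name Game" the CME letter proposes to fix with one neutral identifier per unique threat. The following is an added illustration (not code from the original post, US-CERT, or any vendor) of how such a cross-reference works: specimens are keyed on an agreed sample identity (placeholder strings here, not real hashes), each gets one neutral ID, and any vendor name resolves to the ID plus every other vendor's alias. It also shows why matching on the variant letter alone fails once the letters drift out of synch. The CME-style counter is illustrative; real numbers are assigned by US-CERT.

```python
# Constructed sample reports: (vendor, vendor's name for it, identity of the specimen).
# The specimen id stands for whatever the parties agree identifies one unique
# sample (e.g. a file hash); the values here are placeholders, not real hashes.
REPORTS = [
    ("Symantec",    "W32.Sober.I@mm",   "specimen-0001"),
    ("Trend Micro", "WORM_SOBER.I",     "specimen-0001"),
    ("McAfee",      "W32/Sober.i@MM",   "specimen-0001"),
    ("Secunia",     "win32.sober.i",    "specimen-0001"),
    ("Symantec",    "W32.Beagle.AF@mm", "specimen-0002"),
    ("Trend Micro", "WORM_BAGLE.AF",    "specimen-0002"),
    # Same variant letter at a third vendor, but attached to a different specimen:
    ("McAfee",      "W32/Bagle.af@MM",  "specimen-0003"),
]

def assign_ids(reports, prefix="CME-", start=1):
    """Give every distinct specimen one neutral ID, in first-seen order.
    Returns {neutral_id: {"specimen": sid, "names": {vendor: name}}}.
    (Real CME numbers are assigned by US-CERT; the counter here is illustrative.)"""
    ids, by_specimen = {}, {}
    for vendor, name, sid in reports:
        nid = by_specimen.get(sid)
        if nid is None:
            nid = f"{prefix}{start + len(by_specimen)}"
            by_specimen[sid] = nid
            ids[nid] = {"specimen": sid, "names": {}}
        ids[nid]["names"][vendor] = name
    return ids

def lookup(ids, vendor_name):
    """Resolve any vendor's name to (neutral_id, {vendor: name}), or None."""
    wanted = vendor_name.strip().lower()
    for nid, rec in ids.items():
        if wanted in (n.lower() for n in rec["names"].values()):
            return nid, rec["names"]
    return None

def variant_key(name):
    """Crude family.variant extraction: drop vendor prefixes and @mm suffixes,
    e.g. 'W32/Bagle.af@MM' -> 'bagle.af'. Good enough to show the problem."""
    n = name.lower()
    for pfx in ("win32.", "w32.", "w32/", "worm_"):
        if n.startswith(pfx):
            n = n[len(pfx):]
    return n.split("@")[0]

def name_collisions(ids):
    """family.variant keys that point at more than one neutral ID: the
    'out of synch' variant names the open letter complains about."""
    seen = {}
    for nid, rec in ids.items():
        for name in rec["names"].values():
            seen.setdefault(variant_key(name), set()).add(nid)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    table = assign_ids(REPORTS)
    print(lookup(table, "WORM_SOBER.I"))   # ('CME-1', names from all four vendors)
    print(name_collisions(table))         # {'bagle.af': ['CME-2', 'CME-3']}
```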

Tuesday, November 16, 2004

Boycott Marvel Comics and all of its subsidiaries. Sign the Petition

From The Pulse:

Marvel Comics filed suit against NCSoft and Cryptic Studios concerning their creation, gaming sensation City of Heroes, on November 10th. The suit alleged COH allowed "players to design characters that are virtual copies of its own superheroes, including 'The Incredible Hulk.'" Wired.com is now reporting Marvel's complaint also singled out City of Heroes' icon Statesman as "strikingly similar to Captain America" and that "... defendants have created, marketed, distributed and provided a host environment for a game that 'brings the world of comic books alive,' not by the creation of new or original characters but, instead, by directly, contributorily and vicariously infringing upon Marvel copyrights and trademarks."


Wired.com also has information from Marvel lawyers taken from the lawsuit. Wired.com reports:

"Considering that defendants own no comic characters themselves, it stands to reason that the comic books to which they refer are those that depict the characters of Marvel and others," wrote Marvel's attorneys in the complaint. "Defendants' Creation Engine facilitates and, indeed, encourages players to create and utilize heroes that are nearly identical in name, appearance and characteristics to characters belonging to Marvel."


"'Statesman,' a character strikingly similar to Marvel's Captain America (right down to the trademark large white star on his chest and shield), prominently appears on the front of the City of Heroes box and guides the user through the 'creation' process," argues Marvel's complaint. "Defendants' infringement is so brazen that their only attempt to disguise 'Statesman' is to give him a helmet that is nearly identical to the trademark helmet worn by 'Magneto,' another of Marvel's X-Men characters."

Read more details at Wired.com.


Shame on you Marvel!!

Boycott Marvel Comics and all of its subsidiaries. Sign the Petition


Friday, November 05, 2004

Open Letter to Anti-Virus Software Companies

As we are all aware, it was exactly one week ago today that there was an unusual outbreak of not just one; but three globally spreading variants of the Bagle virus.

Now that the smoke has cleared, and security professionals around the world have all had time to reflect on the events of the last seven days; I wanted to write to you on behalf of your customers to let you in on a little secret that we already know.

The “Virus Name Game” has gotten out of hand. If you are unaware of what I refer to, I will attempt to explain.

Sometime during the Bagle\Netsky war of earlier this year, your virus variant names got out of synch with other anti-virus software companies. We can understand how that could have happened. There were multiple versions of those viruses coming out every day, with virus writers trying to outdo each other in some childish game of hacker supremacy; and you were dealing with the waves of malware as fast as you could. When the "virus war" slowed down with the arrest of the author of Netsky, your virus variant names stayed out of synch. Your customers were able to "deal with it" as the new viruses trickled in at their normal pace by working together as a community with resources like the Internet Storm Center, Secunia's Virus Information page, VGrep Online, MyITforum's Security message boards, and the AntiVirus e-mail list.

This last Bagle virus outbreak reminded us all what a mess we are in. Since your respective companies have adopted an isolationist attitude and don’t usually share information with other anti-virus software companies, your customers were left with a lot of confusion as to exactly what they were dealing with.

While the new Bagle variants were spreading like wildfire, some companies acknowledged the variants existed; but had no details of what these variants did or what to look for. This did not change even after they raised the threat level of these viruses.

Others provided more detail, but did not match the threat level of other companies since the number of submissions they received from their customers were lower. Their virus variant names were different than other companies, so your customers were left in the dark.

Still other companies had only one or two of these variants listed, with various degrees of detail; and again completely different variant names than other companies, since that was all their customers had submitted to them. This left your customers in the dark again. For those of your customers that use more than one company's anti-virus product, and I know there are plenty out there; that left them with an even bigger mess than just the virus outbreak.

With all of this going on your customers "dealt with it" as they usually do, working together as a community. We sorted through all the information that trickled down to us, or when you felt like letting us know. As usual, we got through it, with some of us showing a few more gray hairs.

I think I can speak for everyone in the security community when I say; "dealing with it" is not acceptable anymore. As the customers that spend money for your products, we should not have to work so hard to figure out if your products are keeping us protected.

We know you can do better, and we challenge you to do so. With the increasing problem of spyware, spam, and patch management, we have enough to deal with.

However things are fixed might not matter, as long as something is done before things get worse. Work together as a community of security professionals and help out your customers at the same time. With Microsoft soon to be entering the anti-virus software business, we believe it is in your best interest to figure out how to accomplish this and keep your customers better informed about how they are protected.

Thank you for your time and attention,
Chris Mosby
SMS Administrator
MyITforum Security Message Board Moderator.

Friday, July 16, 2004

Secunia - Virus Information - BAGLE.AF

Secunia - Virus Information - BAGLE.AF

This one is spreading significantly.

This is a mass-mailing worm with the following characteristics:

* contains its own SMTP engine to construct outgoing messages
* harvests email addresses from the victim machine
* the From: address of messages is spoofed
* attachment can be a password-protected zip file, with the password included in the message body.
* contains a remote access component (notification is sent to hacker)
* copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
* uses various mutex names selected from those W32/Netsky variants have used, in order to prevent those W32/Netsky variants running on infected machines.

Tuesday, July 13, 2004

Microsoft Security Bulletin Summary for July, 2004

Of these, two are Critical.

Microsoft Security Bulletin Summary for July, 2004

MS04-024: Vulnerability in Windows Shell Could Allow Remote Code Execution (839645)
rated as: IMPORTANT
http://www.microsoft.com/technet/security/bulletin/MS04-024.mspx

MS04-023: Vulnerability in HTML Help Could Allow Code Execution (840315)
rated as: CRITICAL
http://www.microsoft.com/technet/security/bulletin/MS04-023.mspx

MS04-022: Vulnerability in Task Scheduler Could Allow Code Execution (841873)
rated as: CRITICAL
http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx

MS04-021: Security Update for IIS 4.0 (841373)
rated as: IMPORTANT
http://www.microsoft.com/technet/security/bulletin/MS04-021.mspx

MS04-020: Vulnerability in POSIX Could Allow Code Execution (841872)
rated as: IMPORTANT
http://www.microsoft.com/technet/security/bulletin/MS04-020.mspx

MS04-019: Vulnerability in Utility Manager Could Allow Code Execution (842526)
rated as: IMPORTANT
http://www.microsoft.com/technet/security/bulletin/MS04-019.mspx

MS04-018: Cumulative Security Update for Outlook Express (823353)
rated as: MODERATE
http://www.microsoft.com/technet/security/bulletin/MS04-018.mspx

Saturday, May 15, 2004

The Origin of Hanford Man

I finally got time to write this up, hopefully you enjoy it.

The Origin of Hanford Man

Friday, May 14, 2004

Mental Drippings

This has got to be one of the funniest things I have ever read. Not for the faint of heart... ;)

Tuesday, May 11, 2004

The Mosby name has finally made the web!! Look for updates soon....

http://www.mosby.org

Monday, May 03, 2004

For those of you that have not heard, a network scanning virus came out this weekend that exploits MS04-011. There are several variants of this virus now (A-D so far) and almost all of them are of medium to high risk and are spreading heavily in the wild. Rumors are saying that this was written by the writer(s) of Netsky.

Cleaning tools can be found here:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720 (A and B only)
http://www.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html (A-C)
http://vil.nai.com/vil/stinger/ (A-C, plus a bunch of other viruses)

Here is what we have so far:

Information from Microsoft (covers A and B):
http://www.microsoft.com/security/incident/sasser.asp

Sasser.A

Summary (from McAfee’s website)

Virus Characteristics:

This self-executing worm spreads by exploiting a Microsoft Windows vulnerability [MS04-011 vulnerability (CAN-2003-0533)].
The worm spreads with the file name avserve.exe. Unlike many recent worms, this virus does not spread via email. No user intervention is required to become infected or propagate the virus further. The worm works by instructing vulnerable systems to download and execute the viral code.

Symptoms

The virus copies itself to the Windows directory as avserve.exe and creates a registry run key to load itself at startup:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe
As the worm scans random IP addresses it listens on successive TCP ports starting at 1068. It also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.
A file named win.log is created on the root of the C: drive. This file contains the IP address of the localhost.
Copies of the worm are created in the Windows System directory as #_up.exe. Examples:
• c:\WINDOWS\system32\11583_up.exe
• c:\WINDOWS\system32\16913_up.exe
• c:\WINDOWS\system32\29739_up.exe
A side-effect of the worm is for LSASS.EXE to crash; by default such systems will reboot after the crash occurs. The following window may be displayed [screenshot not reproduced here]:

Method Of Infection

This worm spreads by exploiting a recent Microsoft vulnerability, spreading from machine to machine with no user intervention required.
This worm scans random IP addresses for exploitable systems. When one is found, the worm exploits the vulnerable system by overflowing a buffer in LSASS.EXE. It creates a remote shell on TCP port 9996. Next it creates an FTP script named cmd.ftp on the remote host and executes it. This FTP script instructs the target victim to download and execute the worm (with the filename #_up.exe as aforementioned) from the infected host. The infected host accepts this FTP traffic on TCP port 5554.
The worm spawns multiple threads, some of which scan the local class A subnet, others the class B subnet, and others completely random subnets. The destination port is TCP 445.

Thorough analysis of the Sasser worm by eEye Digital Security
http://www.eeye.com/html/Research/Advisories/AD20040501.html

Symantec-Level 3
http://www.sarc.com/avcenter/venc/data/w32.sasser.worm.html


McAfee-Medium Risk
http://vil.nai.com/vil/content/v_125007.htm


Trend Micro-Medium Risk
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A


Sasser.B

Symantec-Level 4
http://www.sarc.com/avcenter/venc/data/w32.sasser.b.worm.html


McAfee-Medium Risk
http://vil.nai.com/vil/content/v_125008.htm

Trend Micro-High Risk
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.B


Sasser.C
W32.Sasser.C.Worm is a minor variant of W32.Sasser.B.Worm. It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011, and spreads by scanning randomly chosen IP addresses for vulnerable systems. This particular variant spawns 1024 threads for the infection routine, whereas the previous variant, W32.Sasser.B.Worm, uses 128 threads.

Symantec-Level 2
http://www.sarc.com/avcenter/venc/data/w32.sasser.c.worm.html

McAfee-Low Risk
http://vil.nai.com/vil/content/v_125009.htm

Trend Micro-Low Risk
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.C


Sasser.D (This one is pretty new)

Summary from McAfee's website:
AVERT has received a new variant of W32/Sasser.worm. Analysis is currently ongoing; the description will be updated once complete.
The previous variants of this self-executing worm spread by exploiting a Microsoft Windows vulnerability [MS04-011 vulnerability (CAN-2003-0533)].
This variant of the worm is intended to spread with the following file name:
• SKYNETAVE.EXE
Unlike many recent worms, this virus does not spread via email. No user intervention is required to become infected or propagate the virus further. The worm works by instructing vulnerable systems to download and execute the viral code.

McAfee-Low Risk
http://vil.nai.com/vil/content/v_125012.htm

Trend Micro-Low Risk
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.D
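The vendor write-ups above give a handful of host-side indicators for Sasser A through D: the run key and worm file names (avserve.exe, SKYNETAVE.EXE), the numbered #_up.exe copies under the System directory, C:\win.log, and listeners on TCP 5554 and 9996. The following is an added triage helper, not code from the original post or from any vendor, that checks those indicators against data an administrator would already have collected (a dump of the Run key, a file listing, and `netstat -an` output). All sample data below is constructed for the example.

```python
import re

# Host indicators from the Sasser descriptions quoted in this post (variants A-D).
WORM_EXES = {"avserve.exe", "skynetave.exe"}      # A-C use avserve.exe, D uses SKYNETAVE.EXE
UP_EXE = re.compile(r"^\d+_up\.exe$", re.I)        # #_up.exe copies in the System directory
LISTEN_PORTS = {5554: "FTP server used to serve the worm", 9996: "remote shell"}
NETSTAT_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)

def check_run_key(entries):
    """entries: {value name: data} read from HKLM\\...\\CurrentVersion\\Run."""
    hits = []
    for value, data in entries.items():
        exe = data.replace("/", "\\").lower().rsplit("\\", 1)[-1]
        if value.lower() in WORM_EXES or exe in WORM_EXES:
            hits.append(f"Run value {value!r} launches {data}")
    return hits

def check_files(paths):
    """Flag the worm binary, #_up.exe copies under system32, and win.log at a drive root."""
    hits = []
    for p in paths:
        parts = p.replace("/", "\\").lower().split("\\")
        name = parts[-1]
        if name in WORM_EXES:
            hits.append(f"worm binary {p}")
        elif UP_EXE.match(name) and "system32" in parts:
            hits.append(f"worm copy {p}")
        elif name == "win.log" and len(parts) == 2:   # e.g. ['c:', 'win.log']
            hits.append(f"marker file {p}")
    return hits

def check_netstat(lines):
    """Parse 'netstat -an' output; return (port, description) for worm listeners."""
    hits = []
    for line in lines:
        m = NETSTAT_LISTEN.match(line)
        if m and int(m.group(1)) in LISTEN_PORTS:
            port = int(m.group(1))
            hits.append((port, LISTEN_PORTS[port]))
    return hits

def triage(run_entries, paths, netstat_lines):
    """Combine all three checks into one list of findings (empty means no indicator seen)."""
    findings = check_run_key(run_entries) + check_files(paths)
    findings += [f"TCP {p} listening: {d}" for p, d in check_netstat(netstat_lines)]
    return findings

# Constructed sample data, not taken from a real host.
SAMPLE_RUN = {"avserve.exe": r"C:\WINDOWS\avserve.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_FILES = [r"c:\WINDOWS\system32\11583_up.exe", r"c:\WINDOWS\system32\notepad.exe",
                r"c:\win.log", r"c:\WINDOWS\avserve.exe", r"c:\temp\backup_up.exe"]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.5:1068       10.0.0.7:445           SYN_SENT",
]
```

Running `triage(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_NETSTAT)` on the constructed data yields six findings; `backup_up.exe` and a win.log outside the drive root are correctly left alone.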

Friday, April 23, 2004

Star Trek and Kirk fans, must see site for today:

Khaaan.com

:)

Monday, March 01, 2004

Ok boys and girls, there are two new viruses that came out early this morning, so make sure your anti-virus software is up to date! Below is a link about info on one of them.

New Virus-W32.Netsky.D@mm-Medium Risk

Sunday, February 29, 2004

I have become increasingly concerned with jobs going overseas. A friend of mine recently set up this website to address this issue.

Consumers Against OffShoring

Welcome to my new blog! Look for more updates in the future.