Digital Choke Daynotes

What's a Daynote?

"Daynotes" are daily (usually) journal entries of interesting happenings and discussions. They are not 'blogs', which are often just a collection of links to other information (although we do include links occasionally). Daynotes are much more interesting (we hope).

These "Digital Choke Daynotes" were inspired by the collection of daily journals of the "Daynotes Gang" (see sites at .com, .org, .net), a collection of daily technical and personal observations from the famous and others. That group started on September 29, 1999, and has grown to an interesting collection of individuals. Readers are invited and encouraged to visit those sites for other interesting daily journals.

If you have comments, send us an email. A bit more about me is here. You might also enjoy our little story about the death of the 'net.

Tuesday morning, November 9, 2004

Important Virus Alert (with more updates below): You should be aware of the prevalence of emails that will infect your (unpatched) computer when you just click on a link in the email. Some anti-virus vendors are calling it a MyDoom variant, others are calling it "Bofra". The exploit used was publicized late last week; it started becoming widespread yesterday (Monday). One alert about this problem is here: http://www.sophos.com/virusinfo/articles/bofra.html .

One version will purport to be a purchase verification from PayPal, another will tempt you with an "adult" link. Note that the infection is not from an email attachment, but via a link in the email.

If you click on the link in the email message, it will connect to the infected computer that sent you the email, which tries the "IFRAME" exploit to install the worm on your computer. Your computer will then send out email to addresses harvested from your computer. Anyone who clicks on the link in your email will become similarly infected.

Anti-virus companies have new updates available today. Although today is "Microsoft Patch Tuesday", initial reports don't indicate an included fix from Microsoft yet. If you are using Windows XP with SP2, you are not vulnerable to this exploit. If you are using any other version of Windows, the vulnerable component (Internet Explorer's HTML rendering engine, which Outlook and Outlook Express also use to display mail) is still installed, so do not assume that using an alternate browser or email client makes you safe.

So, protection is:

- keep your computer patched (in particular, install Service Pack 2 if you run Windows XP)

- keep your anti-virus current

- be very wary of any email message with a link in it. If the message was unsolicited, even if it came from someone you know, be careful about clicking on links.

Tuesday evening, November 9, 2004

More info on the MyDoom/Bofra virus -- my understanding of how it works.

Someone asked if your firewall or NAT (Network Address Translation) would block this problem:

When you click on the link in the bad email, you initiate a 'session' to that web page (on the infected computer). It's just an ordinary HTTP request, except that the web server on the infected computer listens on port 1639 instead of the usual port 80. Your firewall will not block that request -- you started the request.

The request will then be passed to the infected computer. That computer will attempt to give you a web page (via its port 1639 web server) and send you the virus through the IFRAME vulnerability. Your computer will accept the reply, since the session was initiated by you. (Same process: when you click on any link, you get the data back because you requested it.)

If your computer is vulnerable to the IFRAME exploit, the virus/worm will be installed on your computer. That will start up several processes; among them is the port 1639 web server that the virus uses, along with an SMTP (mail) engine that is used to send out copies to any email address found on your computer. You (if you are paying attention) will start to notice increased activity on your Internet connection.

Even with a firewall, you will be able to click on the link and connect to the infected computer. The resultant reply (and infection) will come back on the connection you opened: from the infected computer's port 1639 to the port your browser used when it made the request.

If you become infected, you could block sending out further infections (people clicking on the link in the emails you send out) by blocking TCP port 1639 at your firewall: inbound, so that nobody can reach the worm's web server on your machine, and outbound, so that your own users can't reach someone else's infected copy. That is something that the corporate folks are doing, but the home user will not have that blocked. Unless they watch the lights on their modem (dialup or broadband), they won't know they are sending out that data.

NAT just does a translation of your local/private address to the public one. Any request for data that you initiate (with a link click) will be seen at the receiving computer as your public address, and the sender will send it back to your public address. Your NAT will translate that back to your private address, so your computer on your private network will get it. The NAT keeps track of who requested the info, so the returned info doesn't go to someone else on your private network.

So, firewall blocking will not protect you, unless you specifically go in and block port 1639. That might give you some initial protection, but it would be easy for a variant to pick another port. NAT will not protect you, since you initiated the request by clicking on the link.
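To make the firewall/NAT point above concrete, here is a small model of a stateful home gateway, added as an illustration and not code from the original page or from any worm analysis. It tracks which connections the inside host opened and only forwards inbound packets that match one of them, exactly as described above. The infected sender's address, the victim's private address, and the gateway's public address are constructed for the example; the port number 1639 is the one the page reports. A third scenario, which follows from the same session table, shows that an unsolicited connection to port 1639 on the gateway is dropped, so a NAT does stop others from reaching a worm web server running on a machine behind it, even though it does nothing to stop that machine from being infected by clicking.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

INFECTED_IP = "203.0.113.5"   # constructed: the infected computer that sent the mail
WORM_PORT = 1639              # the port the worm's web server listens on (from the page)
VICTIM_IP = "192.168.1.20"    # constructed: private address behind the gateway
VICTIM_PORT = 51234           # constructed: ephemeral port the browser picks


@dataclass
class StatefulGateway:
    """Toy model of a home NAT/firewall: default-deny inbound, allow replies
    to sessions the inside host opened, optional outbound port blocking."""
    public_ip: str
    blocked_dst_ports: Set[int] = field(default_factory=set)
    next_public_port: int = 40000
    # (public_ip, public_port) -> (private_ip, private_port) for open sessions
    sessions: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside host opens a connection. Returns ("ALLOW", translated source)
        or ("DROP", reason). Allowed sessions are recorded so replies get back."""
        if dst_port in self.blocked_dst_ports:
            return "DROP", f"policy blocks outbound connections to port {dst_port}"
        public = (self.public_ip, self.next_public_port)
        self.next_public_port += 1
        self.sessions[public] = (src_ip, src_port)   # NAT remembers who asked
        return "ALLOW", public

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving from the Internet. A reply to a tracked session is
        forwarded to the private host that opened it; anything else is dropped."""
        key = (dst_ip, dst_port)
        if key in self.sessions:
            return "FORWARD", self.sessions[key]
        return "DROP", "no matching session"


def click_link(gateway: StatefulGateway) -> dict:
    """Victim clicks http://<infected ip>:1639/index.htm from behind the gateway.
    Returns what happened to the request and to the worm server's reply."""
    verdict, info = gateway.outbound(VICTIM_IP, VICTIM_PORT, INFECTED_IP, WORM_PORT)
    if verdict == "DROP":
        return {"request": verdict, "reply": None, "reason": info}
    public_ip, public_port = info
    # The worm's web server answers the translated (public) source address.
    reply, delivered_to = gateway.inbound(INFECTED_IP, WORM_PORT, public_ip, public_port)
    return {"request": verdict, "reply": reply, "delivered_to": delivered_to}


def unsolicited_probe(gateway: StatefulGateway):
    """Someone on the Internet tries to reach port 1639 on the gateway's public
    address without the inside host having opened anything."""
    return gateway.inbound("198.51.100.9", 4321, gateway.public_ip, WORM_PORT)


if __name__ == "__main__":
    plain = StatefulGateway(public_ip="198.51.100.77")
    print("default gateway, click link :", click_link(plain))
    print("unsolicited inbound to 1639 :", unsolicited_probe(plain))
    hardened = StatefulGateway(public_ip="198.51.100.77", blocked_dst_ports={WORM_PORT})
    print("outbound 1639 blocked, click:", click_link(hardened))
```

With the default policy the click is allowed, the session is recorded, and the exploit page is forwarded straight to the victim's browser. Only the explicit block on destination port 1639 stops it, and, as the text says, a variant that picks another port walks around that rule.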

Notice that the link you get in the email is of the form http://<ip address of infected computer>:1639/index.htm . The ":1639" in the link points to the web server listening on that port (normally you would go to port 80, so www.yoursitename.com:80 is the same as www.yoursitename.com).

The code run through the buffer overflow downloads the worm and executes it, which in turn runs additional commands to get more parts of the worm. This is a common technique for buffer overflows: once you can force a download/install of a program (or any other command), you "0wn" the computer.

This "email malware" is a harder one to catch with the mail/spam scanners, since it doesn't have an executable attachment. (Here at our "major local government agency", we block all incoming executables.) Other sensing techniques (message 'word' analysis) may not find this one either. And the home users are the likely targets.
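One thing a mail gateway can still key on, given the link format described above (a literal IP address plus an explicit ":1639"), is the shape of the URL itself. The scanner below is an added example, not code from the page or from any mail filter product: it pulls URLs out of message text and flags any that point at a literal public IP address on a non-standard port, rather than matching the one port this worm happens to use. The sample messages are constructed for the example and use documentation address ranges; the RFC 1918 check is done explicitly because `ipaddress.is_private` also classes those documentation ranges as private, which would hide the samples.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Absolute http(s) URLs in free text; stops at whitespace or a quote/angle bracket.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Raw IPs are normal for intranet links, so exempt RFC 1918 and loopback space
# (explicit list: ipaddress.is_private would also swallow the doc ranges used below).
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
NORMAL_PORTS = {80, 443}

# Constructed sample messages; not real Bofra mails.
SAMPLE_MESSAGES = {
    "paypal_lure": ("Thank you for your PayPal purchase. To confirm the transaction, "
                    "please visit http://192.0.2.10:1639/index.htm within 24 hours."),
    "adult_lure": "Free pics here!!! http://198.51.100.7:1639/index.htm",
    "legit_newsletter": ("This week's articles are at https://www.example.com/news/2004/11/09 "
                         "and the archive at http://www.example.com:80/archive."),
    "intranet_link": "Build results: http://10.1.2.3:8080/job/42/console",
}


def classify_url(url: str):
    """Return a reason string if the URL looks like a worm lure, else None.
    Rule: host is a literal address outside internal space AND the URL names
    a port other than 80/443."""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        return None
    try:
        ip = ip_address(host)
    except ValueError:
        return None                     # a hostname, not a literal address
    if any(ip in net for net in INTERNAL_NETS):
        return None                     # intranet link; policy choice to skip
    try:
        port = parts.port               # None when no explicit port
    except ValueError:
        return f"literal IP {ip} with malformed port spec"
    if port is None or port in NORMAL_PORTS:
        return None
    return f"literal public IP {ip} with non-standard port {port}"


def scan_message(text: str):
    """Return [(url, reason), ...] for every suspicious URL in one message."""
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,);")        # trailing sentence punctuation is not part of the link
        reason = classify_url(url)
        if reason:
            hits.append((url, reason))
    return hits


def scan_all(messages=SAMPLE_MESSAGES):
    """Scan a mapping of message name -> body; returns name -> list of hits."""
    return {name: scan_message(body) for name, body in messages.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:16s} {'FLAG' if hits else 'ok  '} {hits}")
```

The same heuristic carries over to later variants that move to a different port, which a rule written as "contains :1639" would miss; the cost is that legitimate mail linking to a public host by raw IP and odd port gets quarantined, so it belongs in a scoring filter rather than a hard block.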

As mentioned before, I believe that the purpose of most viruses is to let spammers use an infected computer as a mail relay. They just need to do port scans of IP addresses looking for viral ports. The resultant list will be used by the mail spammers for mail relaying, making it harder to catch/block known spamming servers.

There are some viruses whose purpose is to send back captured (financial/passwords) information, but the destination (collection) site is usually shut down in a few days. Mail relays are harder to get shut down, since they are usually on user's computers.


Other items on the spam/virus front:

Good News: Convicted spammer Jeremy Jaynes must post $1 million bail; he was convicted for sending as many as 15 million junk e-mails a day and bilking recipients of millions of dollars. The prosecutors say that he has been moving a lot of his proceeds (which they estimate at US$24 million) offshore, so they claim he is a 'flight risk'. He's currently in custody; he has not made bail yet.

Bad News: The "Troj/Delf-HA" trojan horse will use an infected computer to send out cell phone (SMS messaging) spam via a Russian text messaging service. Now you can get spam on your cell phone ... and pay for it!

Links to these stories can be found on your favorite news sites (Google News, etc).

Thursday, November 11, 2004

Today we (in the United States) honor our military forces, present and past -- it is Veterans Day.

(thanks to fellow Daynoter Dan Bowman for the picture.)

Friday, November 12, 2004

Ah...the day after a holiday. Commute traffic was light, things were quiet at the office, and I was able to get out a bit early to beat most of the Friday night traffic.

Spent most of the day working with BindView, which is an auditing program for network stuff. I just installed the new version a few days ago, and am building up the complement of auditing reports I need.

There was a report at the Internet Storm Center site that a security firm (Finjan Software) is claiming to have found some vulnerabilities in XP SP2. They didn't offer much proof, and Microsoft (to whom Finjan did give the details) doesn't think the problems are as serious as Finjan claims. Although the computer press is reporting this, some are saying that Finjan is doing more promoting of their security products than finding problems. We'll see how that one turns out.

Been "Home Alone" for a few days. Pam went off to Idaho to help Stacy through a spinal tap. The doctors are still trying to figure out her problems with dizziness and other symptoms. During the tap, they found that the pressure of the spinal fluid was higher than normal, which is a side effect of the Metacycline that she was taking. She has been off of that for about 1 1/2 weeks, and the symptoms are reduced. The drug takes a bit of time to work itself out of the body. We won't know the results of the tap for about a week, but the current theory is that the Metacycline was probably causing the problem.

So, home alone for a couple of days while Pam helps out in Idaho. She'll be back tomorrow night. So it's a bit quieter than usual around here. Watched "Oceans 11" tonight on TBS; it was enjoyable to see that one again.

The plan for tomorrow is a bit of cleaning up (the usual stuff; it's not that messy here with Pam gone). I bought some bulbs (flower, not light) at Lowe's tonight; so will try planting those tomorrow if the weather holds. That will be a first for me, so the results might be interesting. Actually, I bought some light bulbs too, so will have to make sure that I plant the right ones. I suspect that planting the light bulbs would not be a bright idea.

Heh.

... more later ...