Poised to Attack .NET


Post on 19-Sep-2016


Page 1: Poised to Attack .NET

ISSN 1361-3723

February 2002

Microsoft’s .NET is not available yet but the first virus has already been activated. .NET is Microsoft’s platform for building and deploying Web services. The virus is called W32/Donut and it was created in the Czech Republic. W32/Donut is a ‘proof-of-concept virus’ that was sent to various anti-virus vendors, as confirmed by a Sophos spokesman. The Czech author Benny has also created Lindose, the first virus to target Linux and I-Worm.Universe which managed to penetrate FBI and Microsoft computer systems.

Windows XP Professional is Microsoft’s first operating system release that will include support for the .NET Framework. It is also the main feature of Microsoft’s Visual Studio, the .NET developer toolkit. The Donut virus has an impact if a user is running .NET software on Windows 2000 or XP. But according to anti-virus expert McAfee.com Corp., even users running .NET applications are in minimal danger of infection.

Donut is incapable of automatic distribution and the virus must be mailed to a user or downloaded from a website. The 8K file must be saved to the hard drive, which then enables the virus to check for .NET executables to attack.

The program does not have a detrimental effect on an infected PC; it merely spreads to other .NET files and a dialogue box appears with the message, “This cell has been infected by dotNETvirus”, said Craig Schmugar from McAfee’s Anti-virus Emergency Response Team (AVERT) Labs.

The virus is a ‘proof-of-concept’ type of program, letting Microsoft know that attackers are awaiting its new set of software and Web services, according to Schmugar. “It does not do a whole lot right now, but we will see a different type of virus down the road because of this,” Schmugar said. “This is forward looking, but it lets people know there will be attacks.”

ECMA International, a European standards body, approved two main constituents of the .NET Framework.

Win32 assembly language and some Microsoft Intermediate Language were used to write the Donut virus, as reported on AVERT’s website. Donut attacks other .NET executables using the .exe extension but doesn’t reside in memory.

Microsoft didn’t instantly respond to calls for comment on the virus.

Virus News
• Poised to attack .NET 1
• Macromedia Shockwave - a new victim 2
• New virus tactics 2
• PCs hit by ‘high risk’ virus 2
• UK Alliance to combat viruses, hackers and product vulnerabilities 2
• 2001 closes with double security incidents 3

E-Commerce News
• Risky games 3

Internet News
• Hacker identity hidden by ISP 3
• Root server security questioned 3

Hacking News
• Solaris under attack 4
• Teenage DVD hacker indicted 4
• World of Hell issues warning to Internet community 4
• Italian police arrest hacker group 4

Product News
• Should software vendors be responsible for security vulnerabilities? 4
• Is Oracle’s security ‘unbreakable’ 5

Government News
• U.S. Government sets up cybercrime unit in Washington 5
• Cyber-security needs attention now and not later 5
• UK government scheme axed due to security crisis 5

Reports
• Windows XP security under study 6
• Web attacks 6
• E-shoppers still concerned about security 7
• Security a priority 7
• After 2001, where are we now in Anti-Virus Safety 8
• U.S. First Amendment on Europe’s bargaining table 9

Web Review
• Counterfeit and Fraud 11

Feature
• Information Security - The Great Balancing Act 12
• DRM: Whose Rights are They Anyway? 14
• Is the Game Finally Up For Cyber-Criminals? 15

ShockwaveWriter
• What Company Managers should Know about InfoSec 18

Stop Press 20

VIRUS NEWS

Poised to Attack .NET

Publishers of:
• Network Security
• Computers & Security
• Computer Fraud & Security
• Computer Law & Security Report
• Information Security Technical Report

Editor: Sarah Hilley

American Editor: CHARLES CRESSON WOOD, Baseline Software, Sausalito, California, USA
Australasian Editor: BILL J. CAELLI, Queensland University of Technology, Australia
European Editor: KEN WONG, Insight Consulting, London, UK

Editorial Advisors: Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Silvano Ongetta, Italy; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand.

Correspondents: Frank Rees, Melbourne, Australia; John Sterlicchi, California, USA; Paul Gannon, Brussels, Belgium.

Editorial Office: Elsevier Advanced Technology, PO Box 150 Kidlington, Oxford OX5 1AS, UK
Tel: +44-(0)1865-843645
Fax: +44-(0)1865-843971
E-mail: [email protected]


"I have witnessed the defacing scene become more and more ignorant over the years. In the end no one cares that you rooted their system but, if you make them think and wonder, then they won't forget you" See page 4.

Page 2: Poised to Attack .NET

news

Macromedia Shockwave – a new victim?

SWScript.LFM is the name of the first virus that can strike the multimedia format Macromedia Shockwave. Kaspersky Labs, a data-security developer, has reported the malignant program.

Fortunately, it has been concluded that the virus LFM (in its current form) is not a major threat to Internet users. But, the fact that it is possible is worth noting as more effective malicious programs infecting SMF files may arise in the future. LFM requires important conditions in order to spread:

• A computer must be installed with a full program version that executes Macromedia Shockwave files.

• The SMF files must be manually downloaded to start it up.

• SMF files must be located in the same directory as the virus-carrying file.

New Virus Tactics

There will be new virus types this year, warn anti-virus experts. Firms are advised that the new viruses will target applications and devices that have not been affected to date.

Attacks that exploit security holes and carry a viral payload will pose the major threat for 2002, predicts Eric Chien, head of Symantec Security Response for Europe. This technique enables viruses to infect many machines rapidly and was employed by Code Red and Nimda, according to Chien. Regularly updating security policies and speedily using software patches can reduce the likelihood of attack, he advised.

Chien also added that viruses will target new angles such as:

• Instant messaging technologies

• New operating systems such as Windows XP

• Mobile devices

• P2P applications

But mass mailing viruses will still pose the most aggressive threat, as they have done for the past three years, according to Alex Shipp from MessageLabs.

PCs hit by ‘high risk’ virus

A JavaScript virus distributed by mass mailing has been attacking Windows PCs. The virus, named Gigger, is able to spread via Microsoft Outlook and Internet Relay Chat programs.

Gigger has been allocated a ‘high risk’ rating. Gigger arrives as an email with the innocent subject title ‘Outlook Express Update’. The attachment with the email is ‘Mmsn_offline.htm’ and if this is opened, Gigger proceeds to infect all .HTML files on the local drive. Subsequently the virus scans any network drives and spreads into the start menu of these drives as ‘Msoe.hta’.

Gigger will then try to delete all files on the local drive and adds a line to the Autoexec.bat file causing the C: drive to be reformatted if the computer is restarted.

Gigger has been classified with a ‘high risk rating’ because of its danger to systems and its infection spreading mechanisms.

Most anti-virus firms already have a patch and antidote available.
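The indicators named in the Gigger report above (mail subject, attachment name, dropped file name and the Autoexec.bat change) can be checked mechanically during triage. The following Python is an added example, not part of the original article; the sample message, paths and batch file are constructed, and the `format c:` pattern is an assumption because the article does not quote the inserted line.

```python
import re
from email import message_from_string
from pathlib import PureWindowsPath

# Indicators named in the article.
SUBJECT = "outlook express update"
ATTACHMENT = "mmsn_offline.htm"
DROPPED = "msoe.hta"
# Assumption: the article does not quote the Autoexec.bat line, so any
# active (not REM/:: commented) format of drive C: is flagged.
FORMAT_RE = re.compile(r"^(?!\s*(?:rem\b|::)).*\bformat\s+c:", re.I | re.M)

def check_mail(raw):
    """Return which mail indicators ('subject', 'attachment') are present."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == SUBJECT:
        hits.append("subject")
    names = [(p.get_filename() or "").lower() for p in msg.walk()]
    if ATTACHMENT in names:
        hits.append("attachment")
    return hits

def check_paths(paths):
    """Return the paths whose file name is the dropped .hta."""
    return [p for p in paths if PureWindowsPath(p).name.lower() == DROPPED]

def check_autoexec(text):
    """True if the batch file holds an active 'format c:' command."""
    return bool(FORMAT_RE.search(text))

# Constructed sample data (not taken from a real infection).
SAMPLE_MAIL = """\
From: sender@example.invalid
Subject: Outlook Express Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attachment
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="Mmsn_offline.htm"

<html></html>
--b1--
"""
SAMPLE_PATHS = [r"Z:\WINDOWS\Start Menu\Programs\Msoe.hta", r"Z:\docs\notes.txt"]
SAMPLE_AUTOEXEC = "@echo off\nREM format c: /q\necho y|format c:\n"

if __name__ == "__main__":
    print(check_mail(SAMPLE_MAIL))
    print(check_paths(SAMPLE_PATHS))
    print(check_autoexec(SAMPLE_AUTOEXEC))
```

A hit on the Autoexec.bat check matters most before the next restart, since the article states the reformat is triggered when the computer is restarted.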

INDUSTRY NEWS

UK Alliance to combat viruses, hackers and product vulnerabilities

The Security Alliance for Internet and New Technologies (Saint) aims to distribute the latest information on hacker attacks and resolve issues.

“Our objective is to build a secure environment where the industry can talk about security issues”, said Tim Conway, policy director at the CSSA. “We want an environment where we can address these matters, remedy them and ensure the user community can implement fixes”. Saint is also keen to lead in devising IT security


Compiled below is a virus summary for the year 2001 (September - December) (percentage by occurrence)

I-Worm.BadtransII 40.8
I-Worm.Sircam 15.6
I-Worm.Hybris 6.4
I-Worm.Aliz 3.1
I-Worm.Nimda 2.7
I-Worm.Magistr 2.3
Trojan.PSW.Gip 2.0
I-Worm.HappyTime 0.5
JS.Trojan.Seeker 0.4
I-Worm.Klez 0.3