SANS NewsBites - Volume: V, Issue: 33

*************************************************************************
SANS NewsBites                     August 20, 2003                    Volume: V, Issue: 33
*************************************************************************
NEWS ABOUT BLASTER

  "Good" Worm Gets Rid of Blaster
  Blaster Worm Code Flawed
  Blaster Variants and the RpcSpybot Trojan are Spreading
  Worm's Publicity May Raise Security Awareness
  Blaster Hits Scandinavian Bank
  Blaster Infected Unprotected PC Within Minutes
  Blaster Emphasizes Patching Problems

TOP OF THE NEWS

  Sobig.F Rears its Ugly Head
  Microsoft to Beta Test Automated Patch System
  Cyber Incident Reporting Guidelines for Financial Institutions
  Disaster Recovery Plans Serve NY Companies Well in Blackout

THE REST OF THE WEEK'S NEWS

  Microsoft Denies Flaw In Windows Update Patch Management
  Woman Kidnapped, Forced to Cooperate in Computer Equipment Theft
  Microsoft.com Hit with DDoS
  GNU Project FTP Server Breached
  NIST Releases Security Metrics Guide
  Graduate Student Expelled for Computer Intrusions
  Team Defeats Fingerprint Scanner, Says Biometric Identifiers Should Not be Used Alone
  Canadian ATMs Rigged for Debit Card Info Theft
  Acxiom Hacker Charged
  Energy IT Leaders to Discuss Real-Time Process Control System Security


*************** Sponsored by VeriSign - The Value of Trust ************
Get the strongest server security-128-bit SSL encryption! Download
VeriSign's FREE guide, "Securing Your Web Site for Business" and learn
everything you need to know about using SSL to encrypt your e-commerce
transactions for serious online security.
Click here! http://www.verisign.com/cgi-bin/go.cgi?a=n20400138280057000
***********************************************************************


NEWS ABOUT BLASTER

"Good" Worm Gets Rid of Blaster (18 August 2003)
A "good" worm designed to fix computers infected with the Blaster worm is spreading across the Internet. The worm, alternately called Blast.D, Welchia and Nachi, deletes Blaster and then applies an appropriate patch to each infected computer it finds. Each repaired machine then scans for further infected machines to fix, consuming network resources in the process. The worm is designed to retire on January 1, 2004. Conventional wisdom holds that "good" worms are not a good idea because they are illegal under current computer crime law.
-http://www.washingtonpost.com/ac2/wp-dyn/A9531-2003Aug18?language=printer
-http://www.computerworld.com/printthis/2003/0,4814,84126,00.html
-http://news.com.com/2102-1002_3-5065117.html?tag=ni_print
[Editor's Note (Schneier): "Good" worms aren't just a bad thing because they're illegal; they're a bad thing because they don't work particularly well, and just perpetuate the problem. (Northcutt): If you accept the theory that a lot of the worm activity you have seen to date is aimed at testing for potential information warfare attacks, then this had to happen. Code Red may have been testing Internet scale infection; Nimda may have been testing multiple vectors for infection; Slammer may have been testing rapid infection; "Good" worm may have been testing countermeasures. The bottom line is simple: if your computers are not actively protected, you have nearly a 100% chance of being used by whatever future worm comes your way. (Grefer): No matter how well intended, there are a lot of folks who do not appreciate such electronic trespassing. ]


Blaster Worm Code Flawed (12/15/16 August 2003)
A flaw in the code of the Blaster worm may be Microsoft's "saving grace." The code instructs computers still infected with Blaster to begin a denial-of-service attack against Microsoft's patch site; however, the address in the code is incorrect. While Microsoft had routinely redirected visitors who made that same error to the correct site, the company has disabled that feature in an effort to stave off the attack. Many experts feel that while Blaster was not well written or conceived, future worms that exploit the vulnerability could be more powerful and dangerous.
-http://www.infoworld.com/article/03/08/12/HNmoreworms_1.html
-http://www.miami.com/mld/miamiherald/business/6545246.htm?template=contentModules/printstory.jsp
-http://www.computerworld.com/printthis/2003/0,4814,84077,00.html
-http://zdnet.com.com/2102-1105_2-5064433.html?tag=printthis
[Editor's Note (Schultz): Both Mr. Coope and Mr. Toulouse are missing the main point here. I suppose they can debate the merits (or lack thereof) of the specific mechanisms of Microsoft's patch management program all they want; the real issue is that there are so many security vulnerabilities in Microsoft products that the IT community is so overwhelmed that it has chosen a path of least resistance, accepting an inferior solution (namely, Windows Update) or, worse yet, allowing vulnerabilities to go unpatched, as in the case of the many systems that succumbed to MSBlaster. ]


Blaster Variants and the RpcSpybot Trojan are Spreading (13/14 August 2003)
Two variants of the Blaster worm, Blaster.B and Blaster.C have been detected in Asia. Because of their similarity to the original worm, anti-virus scanners should detect them. In addition, a Trojan named RpcSpybot-A that exploits the same Windows vulnerability that Blaster exploits has been spreading. RpcSpybot creates a backdoor on systems it infects.
-http://www.pcworld.com/news/article/0,aid,112002,00.asp
-http://www.theregister.co.uk/content/56/32326.html


Worm's Publicity May Raise Security Awareness (14 August 2003)
Some in the security community have pointed out there is a "silver lining" to the Blaster worm; incidents like Blaster and Code Red raise awareness of the need to address computer security. Because of the immense publicity Blaster has generated, home users are more likely to visit Microsoft's Windows Update (http://windowsupdate.microsoft.com) and download patches.
-http://www.securityfocus.com/news/6728
[Editors' Note (Multiple): This has not been true of previous worms and it is not likely to be true of Blaster. ]


Blaster Hits Scandinavian Bank (15 August 2003)
Blaster wormed its way into servers at all 440 offices of Scandinavia's Nordea bank; the bank was forced to close at least 70 of its branches in Finland.
-http://www.helsinki-hs.net/news.asp?id=20030815IE4
-http://www.silicon.com/news/500013/1/5618.html


Blaster Infected Unprotected PC Within Minutes (13 August 2003)
In an effort to gauge how fast computers were becoming infected with Blaster, a security company put an "unprotected" PC on the Internet. At one point, the machine became infected in 5 1/2 minutes; later in the day, it took only 27 seconds. Among the entities hit by Blaster are the Maryland Motor Vehicle Administration, the Federal Reserve Bank of Atlanta (GA) and German automaker BMW.
-http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/2/hi/technology/3147147.stm

Blaster Emphasizes Patching Problems (12 August 2003)
The rapid spread of the Blaster worm highlights the problems inherent in the present state of patching methods. Home users are less likely than business users to patch their computers. Still, companies need time to test patches before installing them, which itself can be a time-consuming process. Patching needs to be part of a more in-depth security plan that includes securing internal networks in addition to perimeter defense.
-http://news.com.com/2102-1002_3-5062832.html?tag=ni_print



************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) ALERT! "Outsmart Web Application Attackers"- FREE 15-day WebInspect
Download
http://www.sans.org/cgi-bin/sanspromo/NB213
(2) Got SecureCRT? Get VShell server for UNIX today. Download a free
trial.
http://www.sans.org/cgi-bin/sanspromo/NB214
(3) Get your free Permeo Application Security white paper today!
http://www.sans.org/cgi-bin/sanspromo/NB215
***********************************************************************


TOP OF THE NEWS

Sobig.F Rears its Ugly Head (19 August 2003)
"Sobig.F" is spreading quickly world-wide. It is a new strain of Sobig, one of the most virulent mass-mailing, network-aware worms, which first appeared around the beginning of 2003.
-http://www.informationweek.com/story/showArticle.jhtml?articleID=13100651
-http://www.cbsnews.com/stories/2003/08/19/tech/main569191.shtml


Microsoft to Beta Test Automated Patch System (18 August 2003)
Next month, Microsoft will begin beta testing Microsoft Installer 3.0, an automated patch installation system for Microsoft Office, Excel and SQL Server. A similar product for the Windows operating system is expected to follow.
-http://www.washingtonpost.com/wp-dyn/articles/A11579-2003Aug18.html
-http://www.vnunet.com/News/1143057


***********************************************************************
SANS announces the 2003 SANS e-Symposium focusing on Enterprise
Infrastructure Protection on October 7, 2003. It will feature
real-world, from-the-trenches talks by practitioners who have
tackled the difficult problems of corporate infrastructure security.
It's not too late to submit a talk for review; the Call for
Participation is open through Friday, August 22.
Details: http://www.sans.org/esymposium2003
***********************************************************************

Cyber Incident Reporting Guidelines for Financial Institutions (12/13 August 2003)
The Federal Deposit Insurance Corporation (FDIC), together with the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the Federal Reserve Board, has proposed guidelines for financial institutions to follow in the event of security breaches that could lead to identity theft. Under the guidelines, financial institutions would notify customers by e-mail, telephone or regular mail in the event of such a breach. Regulators will need "to determine what constitutes an actual security breach" before the guidelines go into effect, which will not be until at least early next year.
-http://www.washingtonpost.com/ac2/wp-dyn/A51690-2003Aug12?language=printer
-http://www.usatoday.com/tech/news/techpolicy/2003-08-12-idtheft_x.htm


Disaster Recovery Plans Serve NY Companies Well in Blackout (14/15 August 2003)
IT departments in New York City found that disaster recovery plans had prepared them to handle last week's blackout with relative aplomb. Diesel generators took over when main power sources failed. The New York Stock Exchange said no trading data were lost. Some businesses moved workers to facilities with electricity and PCs, furnished by their disaster recovery service providers. Businesses credit steps taken after September 11, 2001 for their ability to manage the blackout's effects.
-http://news.com.com/2100-1011_3-5064213.html?tag=lh
-http://www.computerworld.com/printthis/2003/0,4814,84079,00.html
[Editor's Note (Shpantzer): Many businesses can't afford the professional contracts with continuity companies. At a bare minimum they should have reliable Uninterruptible Power Supplies for critical servers and hardware racks so that they can at least shut down gracefully and smooth over some of the dirty power that comes before and after blackouts (brownouts and greyouts). This is not a substitute for a full, hot backup site, but it will help mitigate data corruption and hardware damage until the power companies get the grid back up. ]


==end==
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, Marcus
Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/