Develop invaluable cybersecurity skills through interactive training during SANS 2021 - Live Online. Register now.

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume V - Issue #33

August 20, 2003


"Good" Worm Gets Rid of Blaster
Blaster Worm Code Flawed
Blaster Variants and the RpcSpybot Trojan are Spreading
Worm's Publicity May Raise Security Awareness
Blaster Hits Scandinavian Bank
Blaster Infected Unprotected PC Within Minutes
Blaster Emphasizes Patching Problems


Sobig.F Rears its Ugly Head
Microsoft to Beta Test Automated Patch System
Cyber Incident Reporting Guidelines for Financial Institutions
Disaster Recovery Plans Serve NY Companies Well in Blackout


Microsoft Denies Flaw In Windows Update Patch Management
Woman Kidnapped, Forced to Cooperate in Computer Equipment Theft Hit with DDoS
GNU Project FTP Server Breached
NIST Releases Security Metrics Guide
Graduate Student Expelled for Computer Intrusions
Team Defeats Fingerprint Scanner, Says Biometric Identifiers Should Not be Used Alone
Canadian ATMs Rigged for Debit Card Info Theft
Acxiom Hacker Charged
Energy IT Leaders to Discuss Real-Time Process Control System Security

*************** Sponsored by VeriSign - The Value of Trust ************
Get the strongest server security-128-bit SSL encryption! Download
VeriSign's FREE guide, "Securing Your Web Site for Business" and learn
everything you need to know about using SSL to encrypt your e-commerce
transactions for serious online security.
Click here!


"Good" Worm Gets Rid of Blaster (18 August 2003)

A "good" worm designed to fix computers infected with the Blaster worm is spreading across the Internet. The worm, alternately called Blast.D, Welchia and Nachi, deletes Blaster and then applies an appropriate patch to each infected computer it finds. It then scans for other infected machines to fix from the machines it has repaired, consuming resources. The worm is designed to retire January 1, 2004. Conventional wisdom holds that "good" worms are not a good idea because they are illegal under current computer crime law.
[Editor's Note (Schneier): "Good" worms aren't just a bad thing because they're illegal; they're a bad thing because they don't work particularly well, and just perpetuate the problem. (Northcutt): If you accept the theory that a lot of the worm activity you have seen to date is aimed at testing for potential information warfare attacks, then this had to happen. Code Red may have been testing Internet scale infection; Nimda may have been testing multiple vectors for infection; Slammer may have been testing rapid infection; "Good" worm may have been testing countermeasures. The bottom line is simple: if your computers are not actively protected, you have nearly a 100% chance of being used by whatever future worm comes your way. (Grefer): No matter how well intended, there are lot of folks who do not appreciate such electronic trespassing. ]

Blaster Worm Code Flawed (12/15/16 August 2003)

A flaw in the code of the Blaster worm may be Microsoft's "saving grace." The code instructs computers still infected with Blaster to begin a denial-of-service attack against Microsoft's patch site; however, the address in the code is incorrect. While Microsoft had routinely redirected visitors who made that same error to the correct site, the company has disabled that feature in an effort to stave off the attack. Many experts feel that while Blaster was not well written or conceived, future worms that exploit the vulnerability could be more powerful and dangerous.
[Editor's Note (Schultz): Both Mr. Coope and Mr. Toulouse are missing the main point here. I suppose they can debate the merits (or lack thereof) of the specific mechanisms of Microsoft's patch management program all they want; the real issue is that there are so many security vulnerabilities in Microsoft products that the IT community is so overwhelmed that it has chosen a path of least resistance, accepting an inferior solution (namely, Windows Update) or, worse yet, allowing vulnerabilities to go unpatched, as in the case of the many systems that succumbed to MSBlaster. ]

Blaster Variants and the RpcSpybot Trojan are Spreading (13/14 August 2003)

Two variants of the Blaster worm, Blaster.B and Blaster.C have been detected in Asia. Because of their similarity to the original worm, anti-virus scanners should detect them. In addition, a Trojan named RpcSpybot-A that exploits the same Windows vulnerability that Blaster exploits has been spreading. RpcSpybot creates a backdoor on systems it infects.

Worm's Publicity May Raise Security Awareness (14 August 2003)

Some in the security community have pointed out there is a "silver lining" to the Blaster worm; incidents like Blaster and Code Red raise awareness of the need to address computer security. Because of the immense publicity Blaster has generated, home users are more likely to visit Microsoft's windows Update (
and download patches.
Editors' Note (Multiple): This has not been true of previous worms and it is not likely to be true of Blaster. ]

Blaster Hits Scandinavian Bank (15 August 2003)

Blaster wormed its way into servers at all 440 offices of Scandinavia's Nordea bank; the bank was forced to close at least 70 of its branches in Finland.

Blaster Infected Unprotected PC Within Minutes (13 August 2003)

In an effort to gauge how fast computers were becoming infected with Blaster, a security company put an "unprotected" PC on the Internet. At one point, the machine became infected in 5 1/2 minutes; later in the day, it took only 27 seconds. Among the entities hit by Blaster are the Maryland Motor Vehicle Administration, the Federal Reserve Bank of Atlanta (GA) and German automaker BMW.

Blaster Emphasizes Patching Problems (12 August 2003)

The rapid spread of the Blaster worm highlights the problems inherent in the present state of patching methods. Home users are less likely than business users to patch their computers. Still, companies need time to test patches before installing them, which itself can be a time-consuming process. Patching needs to be part of a more in-depth security plan that includes securing internal networks in addition to perimeter defense.


Sobig.F Rears its Ugly Head (19 August 2003)

"Sobig.F" is spreading quickly world-wide. It is a new strain of one of the most virulent mass-mailing network-aware worms, one that first appeared around the beginning of 2003.

Microsoft to Beta Test Automated Patch System (18 August 2003)

Next month, Microsoft will begin beta testing Microsoft Installer 3.0, an automated patch installation system for Microsoft Office, Excel and SQL Server. A similar product for Windows operating system is expected to follow.

Cyber Incident Reporting Guidelines for Financial Institutions (12/13 August 2003)

The Federal Deposit Insurance Corporation (FDIC), together with the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the Federal Reserve Board, have proposed guidelines for financial institutions to follow in the event of security breaches that could lead to identity theft. Under the guidelines, financial institutions would notify customers by e-mail, telephone or regular mail in the event of such a breach. Regulators will need "to determine what constitutes an actual security breach" before the guidelines go into effect, which will not be until at least early next year.

Disaster Recovery Plans Serve NY Companies Well in Blackout (14/15 August 2003)

IT departments in New York City found that disaster recovery plans had prepared them to handle last week's blackout with relative aplomb. Diesel generators took over when main power sources failed. The New York Stock Exchange said no trading data were lost. Some businesses moved workers to facilities with electricity and PCs, furnished by their disaster recovery service providers. Businesses credit steps taken after September 11, 2001 for their ability to manage the blackout's effects.
[Editor's Note (Shpantzer): Many businesses can't afford the professional contracts with continuity companies. At a bare minimum they should have reliable Uninterruptible Power Supplies for critical servers and hardware racks so that they can at least shut down gracefully and smooth over some of the dirty power that comes before and after blackouts (brownouts and greyouts). This is not a substitute for a full, hot backup site, but it will help mitigate data corruption and hardware damage until the power companies get the grid back up. ]

Microsoft Denies Flaw In Windows Update Patch Management (18 August 2003)

Russ Cooper says there is a serious flaw in the way Microsoft's Windows Update patch management program works. The program uses registry keys to check whether or not a patch has been installed on a system; however, some systems could have the registry keys the program checks for without actually having the patch installed. Thus, customers could be falsely assured of the security of their systems. Microsoft security program manager Stephen Toulouse takes exception to Cooper's claim, maintaining that Windows Update looks for file versions along with registry keys.
[Editor's Note (Schneier): The point isn't whether the system can be spoofed -- well, it is, but not entirely -- the point is that sysops are bogging down in patches and can't keep up. ]

Woman Kidnapped, Forced to Cooperate in Computer Equipment Theft (15 August 2003)

A UK woman was reportedly abducted and forced by her captors to help them steal 500,000 (nearly US$800,000) worth of computer equipment from her employer. Police are urging companies to examine their physical security in light of this incident.
- Hit with DDoS (15 August 2003) was the target of a distributed denial-of-service (DDoS) attack on Thursday; the site remained unavailable for two hours, followed by another two hours of intermittent disruption. A Microsoft spokesman says the attack was not related to either the Blaster worm or the vulnerability it exploits.

GNU Project FTP Server Breached (13/14 August 2003)

Someone apparently inserted a Trojan horse program into the GNU Project's FTP server in March of this year, though the intrusion was not discovered until July. The breach was conducted through the use of a root shell exploit called ptrace. The Free Software Foundation (FSF) said that the attacker used the intrusion to collect passwords and launch other attacks, but does not believe that software was compromised. FSF has spent the last few weeks examining source code on the server to verify its integrity. CERT/CC has also issued an advisory.
[Editor's Note (Ranum): The implications of trusting the integrity of software in its development process are staggering. It's one huge chink in our armor that we have successfully ignored for the last decade. ]

NIST Releases Security Metrics Guide (13 August 2003)

The National Institute of Standards and Technology (NIST) has released its Security Metrics Guide for IT Systems. The document, which is available on-line, offers agencies "guidance for developing and using metrics" to comply with laws that require securing and evaluating IT systems, such as the Clinger-Cohen Act and the Federal Information Security Management Act (FISMA).

Graduate Student Expelled for Computer Intrusions (13 August 2003)

The University of Michigan has expelled graduate student Ning Ma based on allegations that he broke into a computer system where he forged e-mail messages and accessed copies of exams. Ma is a Chinese citizen in the US on a student visa; his expulsion revokes that visa.

Team Defeats Fingerprint Scanner, Says Biometric Identifiers Should Not be Used Alone (13 August 2003)

Two members of the Chaos Computer Club say they have devised a new method for defeating fingerprint scanners. They claim their method, which involves the use of a latex copy of a fingerprint, works not just under laboratory conditions. The Club members say that the use of a single biometric identifier on passports and the like would not be adequate; a better solution is to use a smart card along with biometrics, or two biometric identifiers.

Canadian ATMs Rigged for Debit Card Info Theft (12 August 2003)

Waterloo (Ontario, Canada) police have discovered five ATMs in the area that were compromised by thieves determined to steal banking customers' debit card information and PIN numbers. The thieves' method involved placing a false front on the ATM painted to look like the real thing, and a camera above the machine to capture PIN numbers. There have been no arrests yet.

Acxiom Hacker Charged (11/12/15 August 2003)

Daniel Baas, a 24-year-old from Milford, Ohio, has been arrested in connection with an electronic break-in to an Acxiom Corp. database. Baas allegedly broke into Acxiom's system in December, 2002 and downloaded customer information without permission. Baas was charged with computer fraud in US District Court in Cincinnati; if found guilty, he could face up to five years in prison and a $250,000 fine. Acxiom last week acknowledged that there had been a security breach and that the perpetrator was an employee of an Acxiom client. Acxiom concedes it did not know of the breach until informed by Ohio law enforcement officers.

Energy IT Leaders to Discuss Real-Time Process Control System Security (August 2003)

IT leaders in the energy industry plan to meet in Washington, DC this summer to discuss security for real-time process control systems like Supervisory Control and Data Acquisition (SCADA) systems. Currently available security solutions consume a significant portion of the systems' resources, particularly bandwidth.

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, Marcus
Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit