Witty Worm

March 8, 2008 – 3:09 PM

A new worm has been discovered exploiting the ISS/PAM ICQ module vulnerability. The worm payload is contained in a single 1025-byte UDP packet with a fixed source port of 4000 and a random destination port. Only the first 470 bytes of the payload are the working code of the worm; the remainder appears to be the contents of the memory immediately past where the worm code overflows the stack. The ISS PAM module will inspect the packet regardless of whether there is a service listening on the destination port. If the packet is inspected by a vulnerable version of BlackICE or RealSecure, the packet payload will be executed. This worm has been found to be highly malicious, slowly destroying the systems it infects. Because of this activity, at some point this worm will cease to exist – unfortunately it will take all the affected systems with it. Rather than simply executing a “format C:” or similar destructive command, the worm slowly corrupts the filesystem while it continues to spread.

BlackICE versions 3.5 and below are not affected by the worm or the vulnerability. Version 3.6ccf may be the only BlackICE version on which the worm functions but this is not guaranteed since we are unable to verify that each prior version does not use the affected dll. The worm will not affect version 3.6ccg, the latest version as of this writing.

The affected versions of RealSecure are unclear at this time. It is safe to say that the worm code is fully dependent on version 3.6.16 of the iss-pam1.dll, so any ISS product using that version of the DLL will probably be affected.

The dependence on the DLL version lies in the way the worm obtains the addresses for the Windows API calls. It relies on the imported functions from the iss-pam1.dll file being at a specific address. When the DLL is recompiled between shipped revisions, these offsets are subject to change. A change in the offsets will cause the worm to call the wrong function or execute invalid code. Systems vulnerable to the exploit but not running the specific version of the DLL the worm relies on may experience crashes of the BlackICE or RealSecure software.

The worm’s functionality is as follows:

    1) Generates a random IP address
    2) Sends the worm payload
    3) Repeats steps 1-2 20,000 times
    4) Opens a random PHYSICALDRIVE from 0-7, which allows raw hard disk access
    5) Seeks to a random point on the disk
    6) Writes 65K of data from the beginning of the vulnerable DLL to the disk
    7) Closes the disk
    8) Starts the process over from step 1

The act of writing directly to the drive will cause certain filesystem corruption. Any infected machine will likely have its operating system and partition data destroyed along with most files on the physical drives, depending on how long the worm runs on the machine.

Snort Signature
The following signature will detect the worm traffic:

alert udp any 4000 -> any any (msg:"ISS PAM/Witty Worm Shellcode"; content:"|65 74 51 68 73 6f 63 6b 54 53|"; depth:246; classtype:misc-attack; reference:url,www.lurhq.com/witty.html; sid:1000078; rev:1;)

http://www.lurhq.com/witty.html
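As an added example (not part of the original post), the following Python applies the same match logic as the Snort rule above to raw IPv4/UDP datagrams: source port 4000 and the ten-byte content found within the first 246 payload bytes (depth:246). The packets it scans are constructed test inputs, not worm traffic; the IPv4 addresses and checksums in them are placeholders.

```python
import struct

# Content bytes from the Snort rule ("etQhsockTS"), searched only within the
# first 246 bytes of the UDP payload, as the rule's depth:246 specifies.
WITTY_CONTENT = bytes.fromhex("65745168736f636b5453")
WITTY_DEPTH = 246
WITTY_SRC_PORT = 4000


def parse_ipv4_udp(packet: bytes):
    """Return (src_port, dst_port, payload) for a raw IPv4/UDP datagram, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 17 or len(packet) < ihl + 8:   # 17 = UDP
        return None
    src_port, dst_port, udp_len, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:ihl + udp_len]        # udp_len includes the 8-byte header
    return src_port, dst_port, payload


def matches_witty(packet: bytes) -> bool:
    """True when the datagram satisfies the rule: UDP, sport 4000, content within depth."""
    parsed = parse_ipv4_udp(packet)
    if parsed is None:
        return False
    src_port, _dst_port, payload = parsed
    if src_port != WITTY_SRC_PORT:
        return False
    # find() bounded to payload[0:246] requires the whole pattern to sit inside the depth
    return payload.find(WITTY_CONTENT, 0, WITTY_DEPTH) != -1


def build_ipv4_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/UDP datagram for testing (checksums zeroed, placeholder IPs)."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + udp


# Constructed samples, each with the 1025-byte payload size the write-up describes.
SAMPLE_HIT = build_ipv4_udp(4000, 31337, b"A" * 100 + WITTY_CONTENT + b"B" * 915)
SAMPLE_PAST_DEPTH = build_ipv4_udp(4000, 31337, b"A" * 300 + WITTY_CONTENT + b"B" * 715)
SAMPLE_OTHER_PORT = build_ipv4_udp(4001, 31337, WITTY_CONTENT + b"C" * 1015)
SAMPLE_BENIGN = build_ipv4_udp(4000, 53, b"\x00" * 64)

if __name__ == "__main__":
    for name in ("SAMPLE_HIT", "SAMPLE_PAST_DEPTH", "SAMPLE_OTHER_PORT", "SAMPLE_BENIGN"):
        print(name, "ALERT" if matches_witty(globals()[name]) else "clean")
```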

Problems updating AVG?

March 8, 2008 – 3:08 PM

Navigate to your AVG install directory and rename your existing url.ini file to url.iniold. Copy the following, paste it into Notepad and save it as url.ini. Put this new file into your AVG install directory. You’ll now have 3 options to select from, with www.grisoft.com being the default.

[SERVER_NAME]
1=free.grisoft.cz
2=ftp.grisoft.com
3=www.grisoft.com

[SERVER_URL]
1=http://free.grisoft.cz/softw/60/fe
2=ftp.grisoft.com/pub/softw/60/fe/
3=http://www.grisoft.com/softw/60/fe/
Actual URL=3

The *Only* Sure Way To Stop Spam (Langa)

March 8, 2008 – 3:07 PM

With the holiday season here, the level of spam is going through the roof. This reader has correctly identified the one and only way to stop spam for good— and it’s not a filter, not legislation, and not anything exotic at all:

“Hi Fred! I hear more and more news about stopping spam; Filters, programs, and legislation. I read about Yahoo’s idea to use message authentication to stop unwanted email. I am concerned that the laws are completely un-enforceable, either due to loopholes or simply the capabilities of the technology. I am worried that additional security / authentication will increase cost and decrease performance. Too much security and authentication will stifle the medium.

IMHO, there is one way guaranteed to stop spam. We need to get the public to STOP BUYING THE CRAP IT ADVERTISES!

Spam is so cheap to send, one paying customer covers the advertiser’s cost for millions of emails. If we could just get everyone to ignore it, and not buy anything from the spammers, it really would go away. As soon as it is not profitable, it will cease to exist.

We need a public service campaign that starts out “Let’s face it, 100% of the stuff offered by spam-mail is utter CRAP. There is no miracle weight loss formula. No herbal remedy is going to make this part longer or that part fuller…”

Advocate that people make a simple personal rule “If it was advertised in an [unasked-for] email, don’t buy it.” Period. Ever. If it really sounds like a product you can’t live without or it’s a great deal, search for it on Yahoo [or Google]. If the maker is actually trying to sell the product, they’ll have a web presence [and you can buy it there, rather than in reply to the spam mail]. Just my 2 cents. Take care!

—Matt Lavigne”

Matt is right. Spam exists because it works, simple as that. Some percentage of people *do* respond to spam offers, and that’s more than enough to keep the spammers in business.

When you get spammail, just delete it. Don’t reply to be “removed” from their list. (It doesn’t work.) Don’t send back a fake “bounce” or “bad address” message. (It only helps spammers make their mailings more cost efficient.) In fact don’t do anything: Just delete the email, preferably unread. That— and only that— ensures that the spammer has just wasted a little money on you.

If enough people do this— if enough people force spammers to waste a little money— then the economics of spam will change, and it will no longer be lucrative. When spammers no longer can make easy money by spamming, they’ll stop and move on to the next scam.

Good spam filters can help you sort the spam for easy deletion. Good legislation can help apply pressure to the spammers where they live. But the ultimate solution to spam is to make it unprofitable.

Do your part to help drive the spammers out of business. Take the pledge: Never, ever, buy *anything* you see spamvertised!

HijackThis And CWShredder Have Moved

March 8, 2008 – 3:06 PM

Heads up for those who link to or recommend HijackThis, CWShredder, the Coolwebsearch Chronicles, or to any other file at http://www.spywareinfo.com/~merijn/. Merijn has his own web site now, located at http://www.merijn.org/. All of his files can now be found there.

Here are the most common files accessed on his site.

http://www.merijn.org/files/hijackthis.zip
http://www.merijn.org/files/cwshredder.zip
http://www.merijn.org/cwschronicles.html
http://www.merijn.org/htlogtutorial.html

Open Letter To Dell Inc. From The Security Community

March 8, 2008 – 3:05 PM

For Immediate Release. Please distribute as you see fit

December 2, 2003 — We in the antispyware, antivirus and security communities would like to express our disappointment with the new technical support policy in place at Dell Inc. Dell’s new support policy does a disservice to its customers and puts everyone on the internet at risk, including non-Dell customers, by discouraging the removal of malicious software.

Dell’s new policy came to light in a recent issue of the Lockergnome Windows Fanatics newsletter. This policy forbids Dell technical support persons from providing assistance to customers in removing infections of unwanted commercial parasites. This policy forbids providing removal instructions or recommending a spyware removal program. The policy even forbids mentioning informational web sites that can provide information about the spyware and how to remove it.

According to a Dell employee, the only acceptable response to a customer infected with spyware is to refer them to their Internet Service Provider (ISP).

A spyware-infected computer is not a problem for the ISP. This is a problem for the company that sold the customer an agreement for technical support along with their PC. Dell should honor that agreement, not pass the buck to overworked ISPs who correctly will refer people back to the PC vendor.

Dell claims that removing spyware may violate the license agreement of other software that may have installed the spyware and cites this as the reason for the new policy. Perhaps Dell Inc. is unaware that many spyware programs and most other commercial parasites are classified and targeted as viruses by industry-leading antivirus software.

Will Dell forbid employees from recommending an antivirus program? Will Dell prohibit their techs from suggesting a firewall because it might be used to block a spyware program from sending user data to its vendor? How far does this policy go before common sense prevails?

Countless thousands of people become infected with all manner of commercial parasites every day. Most of these parasites have no license agreement and exploit security flaws to install themselves. How can you violate a license that doesn’t exist? The parasites that do include a license agreement may not disclose the undesired effects they have on the user’s computer and may provide no means of removing them.

It is ironic that Dell Inc. would institute a policy forbidding advice about how to remove spyware. Dell itself includes an antispyware product on all Dell PCs that ship with a built-in DVD player.

According to Pacman’s Portal, “it seems that after Dell found out certain applications being installed from DVDs would report back information about what customers were watching, they decided to implement an anti-spyware service.” Specifically, an application called DVDSentry disables the spyware that may come with some DVD player software.

How can Dell justify a policy of withholding information from spyware-infected customers when they distribute an antispyware product themselves?

It is inappropriate for Dell to make decisions based on a license that might exist, associated with software that might be present, which might forbid removing the parasite causing problems for Dell’s customers. Dell is not associated with this software or its vendors, and has no knowledge of what may or may not be in the license, or even whether a license exists at all.

It is understandable that Dell does not want to provide manual instructions on removing commercial parasites. Few people are qualified to provide proper spyware removal instructions today. It is probably not possible to give that sort of advice over the telephone. You need log files, links to specialized removal software and, most importantly, you need experience in removing these parasites manually.

What is not understandable and certainly not acceptable is that Dell requires its technicians to withhold information from paying customers. It is irresponsible to refuse to help a paying customer remove a parasite infection by pointing them to a site that can help them. That infected customer might infect someone else and Dell would be directly responsible for any damage that caused.

We call upon paying customers of Dell Inc. to contact Dell and ask them to retract this policy. One day it may be you asking for help and being told “Sorry, removing the virus popping up pornographic ads in front of your children might violate the license of other software”.

Dell Inc. should be more concerned for their paying customers than for persons who would distribute spyware and viruses. We call upon Dell Inc. to retract this misguided policy and allow their support technicians to refer infected customers to web sites that can help them.

Respectfully,

Mike Healan, SpywareInfo
www.spywareinfo.com

Tom Wilson, TomCoyote
www.tomcoyote.org

Bill Webb, CounterExploitation
www.cexx.org

Kevin McAleavey, Privacy Software Corp
www.nsclean.com

Mike Cashman
www.mjc1.com

Paul Wilders, Wilders Security Organization
www.wilders.org
www.wilderssecurity.com

A. Porter, SpywareGuide
www.spywareguide.com

J.Hertsens, XBlock
www.xblock.com

This letter is available in PDF format at http://www.spywareinfo.com/articles/dell/support_letter.pdf