Exploit of broken MS patch is ‘in the wild’
In this issue
- TOP STORY: Exploit of broken MS patch is 'in the wild'
- INSIDER TRICKS: SoBig's silent payload is generating massive damage
- PATCH WATCH: 'Swen' e-mail worm fools users with 'Microsoft' look
- BEST FREEWARE: Free program explains Windows error codes
- WACKY WEB WEEK: Would you like fries with that?
Exploit of broken MS patch is 'in the wild'
By Brian Livingston
I wrote in the Sept. 18 issue of Brian’s Buzz on Windows that a critical Microsoft security patch does not actually close the hole it was intended to correct. Now virus attacks that take advantage of this flaw have appeared “in the wild,” on Web pages that infect Windows PCs without warning.
Unbelievably, Microsoft still doesn’t have an update that corrects the faulty patch – despite the fact that the company acknowledged the error almost one month ago on Sept. 8.
The problem affects the patch found in security bulletin MS03-032 and Knowledge Base article 822925. This patch was designed to correct a problem in Internet Explorer 5.01, 5.5, and 6.0. (IE 6.0 on Windows Server 2003 is vulnerable only if you’ve turned active content “on” to view Web sites that use plug-ins, which includes most large sites. The IE 6.0 default in Server 2003 is “off.”)
Whether or not the MS03-032 patch is installed, the flaw allows an attacker to silently install and run a malicious program on a PC that merely visits an infected Web page.
Articles by Reuters and Silicon.com report that one Web page was using the security hole to take control of AOL Instant Messaging accounts on victims’ PCs. The attacker’s program then changed the AIM password and sent messages to everyone on the victim’s “buddy list” encouraging them to visit the infected Web page. The malicious site has reportedly been taken offline since its discovery.
In addition, security researcher Richard Smith told Reuters that a different kind of Web attack silently changes the victim’s dial-up account so it uses a pricey, pay-per-call number. Each call costs as much as $5 per minute, Smith was quoted as saying.
Despite the existence of these threats in full form on the Web, Microsoft hasn’t released a new security bulletin since Sept. 10. That bulletin was MS03-039 / 824146. It closes an unrelated Remote Procedure Call (RPC) security hole found in Windows NT, 2000, XP, and Server 2003 (but not Windows Me or 9x). This RPC hole is the same type of flaw, although in a different section of code, as the one that was exploited in August by the disastrous Blaster worm. (I described the MS03-039 situation and its fix in the paid version of the Sept. 18 Brian’s Buzz.)
A temporary – and not ideal – workaround
If you believe that you or your end users might visit a questionable Web site that would infect a PC, there is currently no patch to protect you. As I wrote in the last Brian’s Buzz, the only workaround is to disable “active content” from running in IE. In this week’s issue, I’d like to provide more information about that alternative.
One way to disable active content is to change the ActiveX settings in Internet Explorer from “Enable” to “Prompt.” This will ask you to click Yes or No every time a Web page tries to run plug-ins. If you believe the page is legitimate, click Yes, otherwise click No. According to the “frequently asked questions” section of Microsoft’s MS03-032 bulletin, the following steps should be used to do this:
- In Internet Explorer, select Tools, Internet Options.
- Click on the Security tab.
- Highlight the Internet icon and click on the Custom Level button.
- Scroll through the list to the ActiveX controls and plug-ins section.
- Under “Run ActiveX controls and plug-ins,” click Prompt.
- Click OK.
- Highlight the Local Intranet icon and click on the Custom Level button.
- Scroll through the list to the “ActiveX controls and plug-ins” section.
- Under “Run ActiveX controls and plug-ins,” click Prompt.
- Click OK; then click OK again to return to Internet Explorer.
Because large, commercial Web sites commonly use one or more active plug-ins on every page, you might be clicking Yes a lot if you use the workaround described above.
For this reason, you may want to add sites you regularly visit to the Trusted zone, and allow these sites to run active content without prompting you every time. Microsoft recommends the following steps to accomplish this:
- In Internet Explorer, select Tools, then Internet Options. Click the Security tab.
- In the box labeled “Select a Web content zone to specify its current security settings,” click Trusted Sites, then click Sites.
- If you want to add sites that do not require an encrypted channel, click to clear the “Require server verification (https:) for all sites in this zone” check box.
- In the box labeled “Add this Web site to the zone,” type the URL of a site that you trust, then click the Add button. Repeat for each site that you want to add to the zone.
- Click OK twice to accept the changes and return to Internet Explorer.
- Add any sites that you trust not to take malicious action on your computer. One in particular that you may want to add is http://windowsupdate.microsoft.com. This is the site that will host the patch, and it requires the use of an ActiveX control to install the patch.
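The two click-through procedures above change per-zone registry values under the current user's Internet Settings key. The following is an added example (not from the newsletter or from Microsoft) that computes those same writes as data so they can be reviewed on any machine and applied with winreg on Windows; it assumes the standard Zones and ZoneMap layout documented in the module docstring and does not handle two-label public suffixes such as co.uk.

```python
"""Apply the MS03-032 workaround to Internet Explorer's zone settings.

Added example, not from the newsletter or Microsoft. Internet Explorer
keeps per-zone security actions as DWORD values under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\<zone>;
action 1200 is "Run ActiveX controls and plug-ins" (0 = Enable,
1 = Prompt, 3 = Disable); zone 1 is Local intranet, 2 is Trusted sites,
3 is Internet. Trusted-site entries live under
...\\Internet Settings\\ZoneMap\\Domains\\<domain>\\<subdomain> as a DWORD
named after the URL scheme whose data is the zone number (2 = Trusted).
The plan_*() functions only compute the writes; apply() performs them.
"""
import sys
from urllib.parse import urlsplit

INET_SETTINGS = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
ACTION_RUN_ACTIVEX = "1200"          # "Run ActiveX controls and plug-ins"
ENABLE, PROMPT, DISABLE = 0, 1, 3    # URLPOLICY values for an action
ZONE_INTRANET, ZONE_TRUSTED, ZONE_INTERNET = 1, 2, 3


def plan_activex_prompt(zones=(ZONE_INTERNET, ZONE_INTRANET)):
    """Registry writes that switch 'Run ActiveX controls' to Prompt in each zone."""
    return [(f"{INET_SETTINGS}\\Zones\\{z}", ACTION_RUN_ACTIVEX, PROMPT) for z in zones]


def plan_trusted_site(url):
    """Registry write that places one site in the Trusted sites zone.

    IE keys the entry on the last two host labels, with any remaining
    labels as a sub-key (windowsupdate.microsoft.com becomes
    Domains\\microsoft.com\\windowsupdate). Assumption: .com-style names;
    two-label public suffixes such as co.uk are not special-cased here.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    if not parts.hostname or "." not in parts.hostname:
        raise ValueError(f"need a dotted host name, got {url!r}")
    labels = parts.hostname.lower().split(".")
    domain = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    key = f"{INET_SETTINGS}\\ZoneMap\\Domains\\{domain}"
    if sub:
        key += "\\" + sub
    return (key, parts.scheme.lower(), ZONE_TRUSTED)


def apply(writes):
    """Write the planned DWORD values under HKEY_CURRENT_USER (Windows only)."""
    if sys.platform != "win32":
        raise OSError("IE zone settings exist only in the Windows registry")
    import winreg
    for key, name, data in writes:
        with winreg.CreateKey(winreg.HKEY_CURRENT_USER, key) as handle:
            winreg.SetValueEx(handle, name, 0, winreg.REG_DWORD, data)


if __name__ == "__main__":
    # Prompt for ActiveX in Internet and Local intranet, and trust Windows Update
    # so the eventual patch can still be installed without re-enabling ActiveX.
    writes = plan_activex_prompt() + [plan_trusted_site("http://windowsupdate.microsoft.com")]
    for key, name, data in writes:
        print(f"HKCU\\{key} : {name} = {data}")
    if sys.platform == "win32":
        apply(writes)
```

Run it on a non-Windows machine to review the planned writes; on Windows it applies them for the current user and the change shows up in the Security tab immediately.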
The final point in the steps above is the most ironic of all. The only workaround Microsoft can suggest is to disable active content in IE. But doing so also disables Windows Update – which requires ActiveX to download and install Microsoft’s eventual patch! You’ll need to re-enable active content every time you wish to run Windows Update (or place it in your Trusted zone as explained above).
To send me more information about this, or to send me a tip on any other subject, visit WindowsSecrets.com/contact.
Don’t believe any e-mail attachments from ‘Microsoft’
Several readers have asked me about e-mail messages that claim to be from Microsoft and bear attachments that claim to be critical patches. Don’t be fooled! These are always hoaxes that use falsified From addresses to distribute viruses or pranks. Microsoft never distributes software patches via e-mail. I wrote about this in more detail in the top story of the May 8 issue of Brian’s Buzz, but it’s worth repeating.
SoBig's silent payload is generating massive damage
The widespread SoBig virus, which I described in the Sept. 4 issue of Brian’s Buzz, has become a huge problem for the Internet. More than 100 million virus-carrying e-mail messages were spread by SoBig.F, the sixth variation of SoBig to emerge this year. But an even more severe problem is that the PCs that were infected by the disease are now running “zombie” programs. These routines silently run as “open proxies” in compromised PCs. As such, they obey directives from the virus’s originators to send vast quantities of spam through whatever Internet connection each machine may have.
I subsequently wrote in my Sept. 22 column in eWeek that the zombie army was also being used to flood anti-spam “block lists,” shutting them down with overwhelming DDoS (distributed denial of service) attacks. I said one block list – Osirusoft, host of SPEWS – had already been knocked out of business. Since that time, the Monkeys.org list has been shut down as well, as announced in a newsgroup posting at Google Groups. In addition, the Blackhole.compu.net list has folded due to spam that was falsified to appear to be coming from it, with a full DDoS attack expected to follow, according to an msnbc.com article. (My thanks to reader James Schmidt for his help on this subject.)
When I was writing my eWeek column, I didn’t have hard figures on the number of PCs that had been compromised, so I wrote, “The rampant SoBig virus has quietly installed zombie programs on thousands of PCs.” That prompted an e-mail from reader Rich Kulawiec, whose own testing clearly suggests that the number is now well over 1 million:
- “SoBig turns the huge numbers of end-user systems connected to broadband DSL/cable/etc. ISPs into an enormous, scalable, distributed, fault-tolerant ‘spamplifier.’ And spammers are, of course, using it – what would be the point in writing and releasing SoBig if they weren’t?
“Let me show you what I mean. Back on July 26, I did a little analysis of the sendmail logs on a cluster of four little servers. I picked that cluster because (a) the size of the logs made the analysis easy to do and (b) previous experience indicates that trends found there are faithfully reflected in the logs of much larger systems.
“In particular, I grabbed all the entries where the SMTP input channel was lost. This is a characteristic symptom displayed by certain SMTP engines used by spamware, which (in their attempt to blast as much spam per unit of time as possible) ignore the SMTP protocol and just fire away without waiting for the server side to respond. SoBig includes just such an SMTP engine. I found these numbers of transactions displaying this behavior during 2003:
| Month (2003) | Transactions |
| --- | --- |
| Jan | 2,025 |
| Feb | 2,454 |
| Mar | 3,043 |
| Apr | 8,491 |
| May | 55,448 |
| Jun | 45,843 |
| Jul 1-25 | 42,144 |

which I can also break down by various ISPs, e.g., for some broadband consumer ISPs here in the US:

| Month (2003) | Comcast | ATTbi.com (which is also now Comcast) | Verizon |
| --- | --- | --- | --- |
| Jan | 7 | 14 | 9 |
| Feb | 27 | 19 | 121 |
| Mar | 32 | 35 | 214 |
| Apr | 295 | 417 | 306 |
| May | 2,147 | 2,335 | 1,255 |
| Jun | 2,498 | 2,778 | 1,076 |
| Jul 1-25 | 1,721 | 1,753 | 651 |
“… Why did the pace appear to slacken [in July]? Folks finally ran their AV [anti-virus] programs, I think. And some ISPs blocked outbound port 25 traffic in desperation. And I think some redesign of SoBig was going on, leading to the more virulent version we saw released in August.
“Subsequently, I’ve gone back through the logs on some larger servers as well, and found that over the past six months I’ve got hundreds of thousands of log entries corresponding to almost certainly hijacked systems on every broadband ISP – Charter, RoadRunner, Comcast, Verizon, PacBell: you name it, I’ve got spam attempts from it. (A back-of-the-envelope grade analysis of those logs indicates roughly 320,000 distinct IP addresses are involved. No doubt many more have been similarly hijacked, but they just haven’t had the occasion to try to abuse the particular servers I’m running.)
“And so do lots of other people: this has all been well-known within the anti-spam community for months, and is frequently discussed on Spam-L (the primary forum for that community). But numerous attempts to get the ISPs responsible for this situation to do something about the amazing quantities of spam coming out of their networks via millions of hijacked systems have been met with auto-acks from ignorebots. (Even though those of us reporting these problems are doing their work for them, by providing them detailed logs – with IP addresses, timestamps, etc. of the abuse emanating from their networks. You’d think they’d be delighted to have someone else pointing them to the exact source of the problem – but apparently not.)
“So there’s the explanation … for why so many of these ISPs find their IP space listed on various DNSBLs (DNS block lists). Their failure to adequately budget/staff in order to operate their networks properly has made them an operational hazard to the rest of the Internet, which has responded by doing what it can to minimize the ensuing damage.
“So … please realize that most of the anti-spam block lists would not exist if the ISPs whose networks are the source of the spam would get off their butts and do something. But their failure/refusal to do so, after days and weeks and months and years, has made it necessary for others to defend themselves. And it’s clearly disingenuous for those same ISPs to whine about the impact of blocking: this is a problem entirely of their own making, and it’s entirely their responsibility to solve it. Perhaps it hasn’t dawned on them yet that they are responsible for every data packet that comes out of their networks. And if they’re not ready to discharge that responsibility, then they should not be connected to the Internet.”
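The tally Kulawiec describes in his letter above (lost SMTP input channels per month and per ISP, plus distinct client addresses) can be reproduced over a sendmail log with a short script. This is an added example, not the correspondent's or the newsletter's own tooling; the log lines and the reverse-DNS suffix map are constructed samples using TEST-NET addresses.

```python
"""Tally sendmail 'lost input channel' events by month and by ISP.

Added example, not from the newsletter or its correspondents. sendmail
logs "lost input channel from <host> [<ip>] to MTA after <command>" when
a client drops the TCP session before the SMTP dialogue completes, which
is the symptom counted in the letter above. SAMPLE_LOG and ISP_SUFFIXES
are constructed samples, not real traffic or real customer addresses.
"""
import re
from collections import Counter

# Constructed sample lines in syslog/sendmail format (TEST-NET addresses).
SAMPLE_LOG = """\
Jan  3 10:11:12 mx1 sendmail[1201]: h03AB1201: lost input channel from c-192-0-2-3.client.comcast.net [192.0.2.3] to MTA after rcpt
Jan  7 11:02:09 mx1 sendmail[1310]: h07B2456: from=<a@example.org>, size=1234, class=0, nrcpts=1, proto=ESMTP, relay=mail.example.org [192.0.2.10]
Feb 12 01:33:40 mx2 sendmail[2210]: h1C1Xe789: lost input channel from pool-198-51-100-4.fios.verizon.net [198.51.100.4] to MTA after mail
Feb 14 13:05:00 mx2 sendmail[2299]: h1ED5abc: lost input channel from [198.51.100.7] to MTA after rcpt
May  2 08:20:31 mx1 sendmail[3301]: h42KUxyz: lost input channel from c-203-0-113-8.client.comcast.net [203.0.113.8] to MTA after rcpt
May  2 08:20:44 mx1 sendmail[3302]: h42KUxz1: lost input channel from 12-3-4-5.client.attbi.com [203.0.113.12] to MTA after rcpt
May 19 22:41:17 mx3 sendmail[4410]: h4J2fq11: lost input channel from c-203-0-113-9.client.comcast.net [203.0.113.9] to MTA after mail
"""

# Constructed reverse-DNS suffix -> ISP label map; extend it for your own logs.
ISP_SUFFIXES = {
    "comcast.net": "Comcast",
    "attbi.com": "ATTbi.com",
    "verizon.net": "Verizon",
}

# Host name is optional: sendmail logs only "[ip]" when reverse DNS fails.
LOST_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +\d{1,2} [\d:]{8} \S+ sendmail\[\d+\]: \S+: "
    r"lost input channel from (?:(?P<host>[^\s\[]+) )?\[(?P<ip>[^\]]+)\] "
    r"to MTA after (?P<cmd>\w+)$"
)


def parse_lost_channel(line):
    """Return {'month', 'host', 'ip', 'cmd'} for a lost-input-channel line, else None."""
    m = LOST_RE.match(line.rstrip())
    return m.groupdict() if m else None


def isp_for(host):
    """Map a resolved client name to an ISP label; no name means unresolved."""
    if not host:
        return "unresolved"
    for suffix, label in ISP_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return "other"


def tally(lines):
    """Count events per month and per ISP, and collect distinct client IPs."""
    by_month, by_isp, ips = Counter(), Counter(), set()
    for line in lines:
        ev = parse_lost_channel(line)
        if ev is None:
            continue  # ordinary delivery lines are not counted
        by_month[ev["month"]] += 1
        by_isp[isp_for(ev["host"])] += 1
        ips.add(ev["ip"])
    return by_month, by_isp, ips


if __name__ == "__main__":
    months, isps, ips = tally(SAMPLE_LOG.splitlines())
    print("by month:", dict(months))
    print("by ISP:  ", dict(isps))
    print("distinct client IPs:", len(ips))
```

On a real maillog, feed the file's lines to tally() and watch the month-over-month growth and the per-ISP share; a sudden rise from one provider's consumer address space is the signal described in the letter.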
Although I have serious concerns about the lax management of some block lists, I agree completely with Kulawiec that the attacks on them represent a serious and unacceptable problem. When all of the anti-spam resources such as these have been driven out of business by the costs of DDoS battles, legitimate companies will have lost many valuable tools to stop spam. Even worse, the spam gangs that are behind the SoBig epidemic will then be free to turn their DDoS weapons against any other Web servers they wish to shut down, including your company’s Web server.
Until there’s a better technical solution, you should make an extra effort to run up-to-date anti-virus tools and clean up any machine that’s infected with the SoBig zombie or any other. And because most of the DDoS attacks are coming from home PCs that are connected to major ISPs, those service providers need to immediately scan their networks and take action to block the attacks.
If you have more information about this, or you wish to send me a tip on any other topic, please visit WindowsSecrets.com/contact.
'Swen' e-mail worm fools users with 'Microsoft' look
Microsoft posted an official notice on Sept. 18 announcing the “Swen” e-mail worm, also known as W32/Swen@MM. As I described earlier in this newsletter in the Top Story section, above, this worm is one of a series that has tricked intelligent Windows users into running an infected e-mail attachment because the message body looks so much like genuine, Microsoft-branded information.
It should be common knowledge by now that the From line of any e-mail address can be falsified to appear to be coming from anyone. It should also be widely known that the graphics of any company can easily be copied from a Web site and used to make an official-looking message. But the Swen message (shown at left) was quite professional, with a typical Microsoft banner and shaded icons, and this snookered many people. Microsoft posted a page with a larger image, explaining that the Redmond company never sends patches as attachments and always sends messages that are digitally signed.
As a worm, Swen attempts to terminate anti-virus and firewall software, cripples Registry editors so they can’t be run, and does other nasty things. It periodically displays bogus error messages that instruct users to enter their user names and passwords because of a need to “reconfigure” their e-mail software. These passwords are then used to access users’ e-mail accounts. In addition to e-mail, Swen spreads through Kazaa peer-to-peer file-sharing networks, IRC (Internet Relay Chat), and other means. It also sometimes masquerades as a bounce message from qmail server software.
Microsoft has a page describing the worm and linking to other resources. That page describes service packs that would stop the worm in various versions of Outlook, Outlook Express, and so forth. But, surprisingly, the discussion doesn’t mention that an earlier, overall fix is available. According to a Symantec document that I link to below, security bulletin MS01-020 / 290108, released in March 2001, reduces the threat.
Various anti-virus companies describe the worm in different ways and have different tools to combat it or remove it:
- Symantec notes that its anti-virus software automatically detected the worm as “Worm.Automat.AHB.” The company provides a free removal tool.
- Computer Associates calls the worm W32.Swen.A and provides a free cleanup utility.
- Network Associates provides a description and links to a standalone removal tool from AVERT.
- Trend Micro lists the threat as WORM_SWEN.A, provides a System Cleaner, and gives detailed instructions on reversing damage to the Registry caused by the worm.
Free program explains Windows error codes
This week’s new free software answers the question that all of us ask from time to time: What the heck does that Windows error code mean?
Error Messages for Windows (left) is a free program that provides an explanation when you type in a numeric code from a cryptic Windows dialog box. It also displays and prints a list of all the error codes that apply to your particular version of Windows. The latest release, version 2.7, came out on Sept. 23. The program is available from prolific Windows utility developer Gregory Braun as well as Major Geeks, a freeware/shareware library, and other mirror sites.
My thanks to reader Mark Hamilton for sending me this tip. He writes:
- The program opens a small, tabbed window in which you can enter an error code on the first tab and get a result, or go to the second tab and peruse the entire list of codes.
I can’t tell you how many years I’ve personally searched for something like this so I could figure out what the heck was wrong. Needless to say, this thing’s priceless.
I’m sending Mark a gift certificate for a free book, CD, or DVD of his choice for being the first to send me a tip I printed.
Would you like fries with that?
One of the funniest animations I’ve seen has recently come along to help us have a wacky day.
A voice very much like Jack Nicholson’s provides the audio track for a Jack-in-the-Box talking head in this clever claymation video. The dialog that results is hilarious but in no way kid stuff, although it’s fairly clean (a couple of minor exceptions are bleeped out). You may wish to turn your PC speakers down so the whole office doesn’t get the drift.
The production is by Jamie Clay, a compositor who uses Discreet.com’s 3D Studio Max rendering software. His home page explains that he temporarily had to stop hosting this .wmv file, not because the hamburger chain complained, but because he’d used someone’s toy car in the stop-action animation without their approval! The 1:20 video, entitled “Fry Day (Out)” is now hosted by Daryl Dulong, a staff member of the University of Rochester whose site has lots of other cool parodies as well. Fry Day page
My thanks to reader Herb Hizer for this multimedia tip.
Geek-proof cup warmer turns itself on and off
I don’t know what it is about cup warmers, but my Sept. 18 review of them has generated more reader e-mails than almost any other subject that’s ever been featured in Brian’s Buzz.
For that issue, I tried my darndest to find a warming pad that would keep coffee or tea piping hot and then automatically shut off so the remaining liquid wouldn’t turn into brown tar by the end of the day. My searching was all to no avail. But then reader Steven Buschman pointed me to the Mr. Coffee Mug Warmer (above right). This $15.60 item not only turns itself off after 30 minutes, but the weight of the cup turns the warming element on and off when your drink is put down and picked up. Buschman says:
- “I can’t vouch for the store, but what I can say is that I’ve been using the Mr. Coffee warmer for about 10 years. The single most important attribute is auto-shutoff. This is a must for clueless software guys (like myself).
“However, for coffee, I must tell you that my mug warmer has fallen out of favor.
“For the past few years I’ve been using a dual-use insulated mug [pictured at right, about $24.99] – the Avantro One Mug 2.0. (Yes, there is a release 3.0 [and 4.0] – I haven’t upgraded yet.) Its advantages are myriad:
“1. For a coffee purist, keeping your coffee hot with a mug warmer is somewhat of a faux pas – it tends to burn the coffee.
“2. A mug warmer is useless if you forget to put your coffee cup on it. Do not underestimate the failure rate here. And once coffee gets cold, you need to toss it – nuking coffee is a mortal sin. (I’m not so dogmatic about nuking tea.)
“3. The Avantro mug can be used at home with its removable base (less likely to spill, also a high failure rate) and in the car on the way to the office. It really does keep coffee hot for two to three hours.
“4. An insulated mug doesn’t need to be put in the dishwasher each day – fewer dishes to wash.”
There you have it – the last word on the subject. Cup warmers are out, energy-efficient mugs are in. And who has time to put things in a dishwasher with all these Windows patches we need to install lately?
See you next issue.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).