From: Nick FitzGerald (nickvirus-l.demon.co.uk)
Date: Thu Feb 14 2002 - 02:30:21 CST


    Drew Smith <dreweastvan.bc.ca> wrote:

    > Ok, let's try this again, with a little more time spent on my side. ;)
    > Tried to submit this earlier today, but got bounced for attaching the
    > worm source to the message. So, this time, I'm attaching a URL instead,
    > where you can go get the source if you want to see it.

    Still dubious, at best...

    Viruses tend to be self-spreading and they are not security exploits
    but failures to suitably verify integrity. If you cannot work out
    the fundamental differences between such and security flaws, and thus
    comprehend why making virus code publicly available is a very bad
    idea, then maybe you should not be handling them at all?

    > This worm *ripped* through our office today - it's one part flaw in
    > Microsoft's security model and one part social engineering; it is a
    > NON-MALICIOUS worm, but it effectively proves the concept, and I don't
    > foresee more than a week or two before there's a nasty version.

    Well, the fact it "deliberately" does something it ought not is
    sufficient for most people to consider it "malicious". It may not
    be "seriously damaging" but that is another issue.

    > We've been calling it the "cool worm", after the original filename,
    > "cool.html".

    It is (will be) officially called JS/CoolNow. NAI (McAfee) has added
    generic detection of code attempting the exploit:

       http://vil.nai.com/vil/content/v_99356.htm

    Symantec (NAV) has picked the, IMNSHO, silly name JS.Menger.worm:

       http://www.sarc.com/avcenter/venc/data/js.menger.worm.html

    CA has added detection of various variants as JS/CoolNow:

       http://www3.ca.com/virus/virus.asp?ID=10949

    and as it was the first company to send samples to various places it
    gets to pick/set the "official" name. Trend has (for now) followed
    Symantec's name:

       http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=JS_MENGER.GEN

    > I said *ripped*. I meant it. 40 people affected/infected in under 30
    > seconds. That's the dangerous part, I didn't even have time to go to
    > the other room to let coworkers know what was up.
    >
    > The worm shows up as an MSN Messenger message that says "Go To
    > http://www.masenko-media.net/cool.html NoW !!!". The user, obviously,

    There are several minor variants at least insofar as the web site
    mentioned in the message. As it depends on centrally hosting its
    code, it is easily stopped by getting on the phone and talking with
    the abuse folk at the affected web sites/hosting services. (Flushing
    any caching proxies you have would help too...)

    > clicks the URL, which takes them to the site, where the malicious code
    > sits. The code opens the MSN Contacts list, then messages every contact
    > with the message "Go To http://www.masenko-media.net/cool.html NoW
    > !!!".
    >
    > Think about that for a second.

    It's an Internet Explorer scripting bug whose true significance was
    displayed with an example of exactly this exploit a few days ago.

    The fix is to install the latest IE security patches -- MS01-005.
    Given MS's appalling record for such nasty scripting(-related) flaws
    in IE, surely any security-concerned admin would have installed them
    the moment they were made available... Better yet, get rid of IE!
    It is impossible to use with scripting disabled and enabling its
    scripting opens you to far too many far too serious security flaws.

    > Anyhow - the worm does nothing nasty, but the source to the (now down)
    > masenko-media.net site also mails the hostname and user agent of the
    > connecting host to "mmargaewanadoo.nl".

    ...and different variants are based on different pages thus sending
    suitably different messages and posting "acknowledgements" to
    different Email addresses (or is it attempting an Email DoS of
    different targets??).

    (BTW, from a *very* quick look at a couple of these things, I
    think this mailing mechanism takes advantage of vulnerable
    formmail.pl implementations to do the actual mailing.)

    > Looks to me like an experiment that got loose from the lab, but it

    Nope -- given the variants showing up at the same time, it was almost
    certainly a deliberately malicious attempt to be the first person to
    get a worm or virus "out there" that used this latest exploit of an
    IE vulnerability.

    > demonstrates a *dangerous* flaw.

    Unnecessary -- a sample exploit was published several days ago.

    > ... Why can a webpage open the contacts
    > list in the first place? What other hooks does MSN Messenger provide?
    > Can you harvest email addresses from a contact list?

    This is the standard MS/scripting/ActiveX shit that goes wrong when
    the klutz-brains that pass as programmers in Redmond mess up yet
    another security-sensitive interface. If you are really concerned
    about such things, why is your site even using IE??

    Seriously!

    IE has a truly grievous record of similarly gobsmackingly bad holes.
    Sane people should not only not be using it **but also** demanding MS
    supply details of how to remove all of IE's tentacles from their
    machines. (Of course, MS will not do this. Remember the "DoJ
    defense" -- "IE *is part of* the OS".) Oh well, perhaps consider
    another OS??

    > Too many scary implications.

    Nah -- run of the mill for MS since they added scripting to IE and HTML
    to their mail (and other) clients.

    This is why Billy Boy plied us with platitudes about "trustworthy
    computing" a few days before appointing a *lawyer* to run the effort
    to convince Microsoft's big corporate customers, *and especially the
    US government* (therefore keeping its lucrative DoD contracts
    intact), that Microsoft could finally make its 2-bit OS worthy of
    big-time computing needs.

    However, it will fail until it fundamentally changes its internal
    culture and realizes that a real OS is not just an OS for a
    *personal* computer with a few security doo-dads screwed on as an
    afterthought.

    > Worm source (with a few important lines removed, so that it doesn't
    > start popping up *everywhere*), available at:

    Please -- anyone who sees any different URLs referenced by variants
    of this thing, safely snarf the pages with wget or the view-source:
    trick in IE and send copies of the pages to your preferred antivirus
    developers. A list of the sample submission addresses for the better
    known developers is included here to assist you:

       Command Software <viruscommandcom.com>
       Computer Associates (US) <virusca.com>
       Computer Associates (Vet/IPE) <ipevirusvet.com.au>
       DialogueScience (Dr.Web) <Antivirdials.ru>
       Eset (NOD32) <trnkaeset.sk>
       F-Secure Corp. <samplesf-secure.com>
       Frisk Software <viruslabf-prot.com>
       Kaspersky Labs <newviruskaspersky.com>
       Network Associates (US) <virus_researchnai.com>
       Norman (NVC) <analysisnorman.no>
       Sophos Plc. <supportsophos.com>
       Symantec <avsubmitsymantec.com>
       Trend Micro <virus_doctortrendmicro.com>

    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
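    The containment points raised in the reply (the worm depends on a centrally hosted page, variants differ only in the hosting site, and caching proxies keep serving the page after the origin is taken down) lend themselves to a simple proxy-log triage. The following is an added example written for this archive page; it is not code from the original post or from any antivirus vendor named in it. It assumes a Squid-style native access.log (epoch timestamp, elapsed ms, client IP, result code, bytes, method, URL, ...) and the lure text quoted in the thread, "Go To <url> NoW !!!". Every log line and message in the block is constructed, and the only real indicator used is the masenko-media.net URL quoted in the post.

```python
"""Defender-side triage for a web-hosted messenger worm such as JS/CoolNow.

Added example, not code from the original post. Assumes a Squid-style
native access.log and an MSN-style lure of the form "Go To <url> NoW !!!".
All log lines and messages below are constructed, not real traffic.
"""
import re
from urllib.parse import urlsplit

# Indicator quoted in the post: the page the first-seen variant was hosted on.
# Variants differ in host, so this set grows as new lure URLs are reported.
KNOWN_LURE_URLS = {"http://www.masenko-media.net/cool.html"}

# Lure text as quoted in the post; the URL in the middle varies by variant.
LURE_RE = re.compile(r"Go To\s+(https?://\S+)\s+NoW\s*!!!", re.IGNORECASE)

# Constructed Squid native-format lines (assumption: this log layout).
SAMPLE_LOG = """\
1013675421.101     12 10.0.0.11 TCP_MISS/200 5120 GET http://www.masenko-media.net/cool.html - DIRECT/203.0.113.10 text/html
1013675423.410      9 10.0.0.12 TCP_HIT/200 5120 GET http://www.masenko-media.net/cool.html - NONE/- text/html
1013675424.002     30 10.0.0.13 TCP_MISS/200 811 GET http://www.example.com/index.html - DIRECT/198.51.100.5 text/html
1013675425.770      8 10.0.0.14 TCP_HIT/200 5120 GET http://www.masenko-media.net/cool.html - NONE/- text/html
1013675426.300      8 10.0.0.11 TCP_HIT/200 5120 GET http://www.masenko-media.net/cool.html - NONE/- text/html
1013675499.000      8 10.0.0.15 TCP_HIT/200 5120 GET http://www.masenko-media.net/cool.html - NONE/- text/html
"""


def extract_lure_url(message):
    """Return the URL carried by a reported lure message, or None if it is not one.

    Used to turn a user's report of a new variant into a fresh indicator."""
    m = LURE_RE.search(message)
    return m.group(1) if m else None


def normalise(url):
    """Lower-case scheme and host and drop query/fragment, so trivially
    altered links to the same hosted page compare equal."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"


def parse_line(line):
    """Pull timestamp, client, cache result and URL out of one Squid native line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"ts": float(fields[0]), "client": fields[2],
            "cache": fields[3], "url": fields[6]}


def find_lure_hits(log_text, lure_urls=KNOWN_LURE_URLS):
    """All requests for a known lure page, in log order."""
    wanted = {normalise(u) for u in lure_urls}
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and normalise(rec["url"]) in wanted:
            hits.append(rec)
    return hits


def affected_clients(hits):
    """Distinct client addresses that fetched the page: the machines to check."""
    return sorted({h["client"] for h in hits})


def max_clients_in_window(hits, window_seconds=30.0):
    """Largest number of distinct clients fetching the lure inside any
    window of the given length; a high value is the 'ripped through the
    office' signal described in the thread."""
    ordered = sorted(hits, key=lambda h: h["ts"])
    best = 0
    for i, start in enumerate(ordered):
        seen = set()
        for h in ordered[i:]:
            if h["ts"] - start["ts"] > window_seconds:
                break
            seen.add(h["client"])
        best = max(best, len(seen))
    return best


def cache_served(hits):
    """Hits answered from the proxy cache (TCP_HIT). These keep infecting
    clients after the origin site is down, which is why the reply advises
    flushing caching proxies as part of containment."""
    return [h for h in hits if h["cache"].startswith("TCP_HIT")]


if __name__ == "__main__":
    # Fold a user-reported lure into the indicator set, then triage the log.
    report = "Go To http://www.masenko-media.net/cool.html NoW !!!"
    indicators = KNOWN_LURE_URLS | {extract_lure_url(report)}
    hits = find_lure_hits(SAMPLE_LOG, indicators)
    print("affected clients:", affected_clients(hits))
    print("peak distinct clients in 30 s:", max_clients_in_window(hits))
    print("served from cache:", len(cache_served(hits)))
```

    The window scan is quadratic in the number of hits, which is fine for an incident-sized extract of one proxy log; on a full day's log, sort once and slide two indices instead. Feeding `extract_lure_url` with messages users forward is how the indicator set keeps up with the variants the reply mentions, each pointing at a different hosting site.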
    

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com