Two of the most used operating systems in North America have been ravaged by worms over the past two weeks, again illustrating that neither the open-source nor the PC world is safe from virus writers.
The Slapper worm, which is currently affecting Linux, attacks OpenSSL, an open-source implementation of secure sockets layer (SSL), which is actually intended to help stop virus attacks. But vulnerabilities in SSL are not uncommon. In fact, there seems to be a little magic involved here as well.
“(Slapper is) using a trick to cause the program code to be run, called a buffer overflow. It’s a very potent kind of attack,” explained David Gamey, senior security consultant at IBM security and privacy services in Toronto. “That program brings its own source code in behind it and compiles itself.”
The Slapper worm has four or five variants, and is spreading more rapidly than initially expected. Some reports have indicated that the worm has already travelled to 12 different countries.
To simplify – or complicate – matters, depending on how you look at it, the Slapper worm has already been fixed. But it’s up to the systems administrator “to be on the ball enough to realize they’re running OpenSSL and pull down the fix before they’re hit with an attack,” said Larry Karnis, senior consultant at Application Enhancements in Brampton, Ont.
Meanwhile, on the Windows side, the Bugbear virus is also making its way into systems. The mass e-mail-type virus is taking advantage of a flaw that has existed within the Microsoft Outlook browser since March 2001. Once the infected e-mail is opened by the user, the virus runs itself, copies all of the user’s contacts and mails itself to them. It uses “social engineering,” whereby it gets the user to open the e-mail by using a common subject line, such as “hello,” Gamey said.
Once opened, the virus inserts a key-logging program and searches for sensitive information and passwords. To boot, Gamey said, the worm will periodically awaken, look for antivirus software or a firewall, and destroy it.
Bugbear has been making a lot of news over the last week, especially overseas where it is spreading rapidly.
A patch is available at http://support.microsoft.com/default.asp.
Symantec Corp. announced last week that it was upgrading Bugbear to a level four virus on a scale of one to five, with five being the most serious. Symantec pointed to a rapid increase in reports of the virus from customers, from 157 submissions last Tuesday to more than 2,000 by the next morning.
In a statement, F-Secure Corp. indicated that incidents of the Bugbear infection had surpassed incidents of infection by the Klez virus, which had been the most widely circulated virus of 2002.
But reports of new infections are higher in Europe and Asia than in North America, according to Chris Wraight, technology consultant at antivirus software maker Sophos PLC. Bugbear is a far less formidable threat than predecessors like Klez, Wraight said.
“We’re still looking at infections in the thousands. At this point with (the Klez virus) we were talking about millions of infections,” Wraight said.
Leading antivirus software vendors have posted updated virus definitions covering the Bugbear worm. Antivirus software vendors are encouraging customers whose computers have not yet been infected to update their antivirus software.
Customers whose computers have been infected need to remove all files related to the virus from their machines and are encouraged to update any passwords that might have been exposed to the virus, according to F-Secure.
Over the past year, other notable viruses such as Code Red, Nimda and I Love You all proved extremely harmful. Users who are looking for a sure-fire way to keep the latest two from affecting them should consider that “the first line of defence is not mindlessly opening up unknown attachments,” Application Enhancements’ Karnis said.
– With files from IDG News Service