The first half of this year has proven to be one of the worst in recent memory for malicious code distribution. According to Symantec Corp., the first half of 2004 saw 26 category three and four malicious code warnings compared to just 16 for all of 2003.
Though the past month has been one warning after another, with five releases of the Bagle worm in just six days, it was not as bad as Q1, said Oliver Friedrichs, senior manager with Symantec Security Response in Redwood, Calif. He called Q1 a “very significant” period.
Trojans, often the less frequently seen sibling of worms and viruses, have also made a bit of a comeback. McAfee Inc. recently rated Download.Ject, or Scob, as the top threat of the year.
Download.Ject attacks were attributed to a Russian criminal hacking group called the Hangup Team.
Companies that failed to apply a recent software patch for Microsoft’s IIS Version 5.0 Web server fell victim to the attacks, in which hackers modified the configuration of IIS servers, allowing malicious code to be appended to every HTML document served from the compromised Web sites. None of the security companies would divulge which companies were hit, but Friedrichs did say they were sites that were “fairly well trafficked.”
Two vulnerabilities in Windows and Internet Explorer enabled attackers to silently run the malicious code on machines that visited the compromised sites, redirecting the customers to now-dormant Web sites controlled by the hackers. While the user was on the Web site, a Trojan horse program was downloaded and installed on the customer’s system and captured sensitive information, such as account numbers.
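The tampering described above, where a compromised server appends the same fragment to every HTML document it serves, is something a site operator can check for from the outside by comparing served pages against a known-good copy and flagging script references to unexpected hosts. The script below is an added example written for this article, not code from the article or from any vendor it quotes. The page contents, the `shop.example` host name and the address `203.0.113.7` (from the RFC 5737 documentation range) are constructed sample data.

```python
import re
from urllib.parse import urlparse

# Constructed sample pages (not taken from any real site). The tampered copy is
# the clean copy with an external script tag appended after </html>, the kind of
# trailer a compromised server would add to every document it serves.
CLEAN_PAGE = (
    "<html><head><title>Shop</title>"
    '<script src="https://shop.example/app.js"></script></head>'
    "<body><p>Welcome</p></body></html>\n"
)
TAMPERED_PAGE = CLEAN_PAGE + '<script src="http://203.0.113.7/x.js"></script>\n'

# Hosts the site is expected to load scripts from (assumed allowlist).
TRUSTED_HOSTS = {"shop.example"}

SCRIPT_SRC_RE = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE
)


def trailing_content(html: str) -> str:
    """Return any non-whitespace content that follows the final </html> tag."""
    idx = html.lower().rfind("</html>")
    if idx == -1:
        return ""
    return html[idx + len("</html>"):].strip()


def untrusted_script_hosts(html: str, trusted_hosts: set) -> list:
    """Return the hosts of external <script src> references not in the allowlist."""
    hosts = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname  # None for relative URLs, which are skipped
        if host and host.lower() not in trusted_hosts:
            hosts.append(host)
    return hosts


def appended_suffix(served: str, baseline: str):
    """If the served page is the baseline plus extra bytes, return the extra bytes.

    Returns "" when the page matches the baseline and None when it differs in
    some way other than a pure append (that case needs a manual diff).
    """
    base = baseline.rstrip()
    if served.startswith(base):
        return served[len(base):].strip()
    return None


def audit_page(html: str, trusted_hosts: set, baseline: str = None) -> list:
    """Run all checks on one served page and return a list of human-readable findings."""
    findings = []
    tail = trailing_content(html)
    if tail:
        findings.append("content after </html>: " + tail[:80])
    for host in untrusted_script_hosts(html, trusted_hosts):
        findings.append("script loaded from untrusted host: " + host)
    if baseline is not None:
        extra = appended_suffix(html, baseline)
        if extra:
            findings.append("bytes appended to known-good copy: " + extra[:80])
    return findings


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, audit_page(page, TRUSTED_HOSTS, baseline=CLEAN_PAGE) or "no findings")
```

The baseline comparison is the strongest of the three checks, because it catches appended content regardless of where in the document it lands; the other two work without a known-good copy and are useful for a first sweep across many pages.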
The original fix to the IE vulnerability, one that disabled an ActiveX control known as adodb.stream, has been replaced by an out-of-cycle fix MS04-025 (microsoft.com/technet/security/bulletin/MS04-025.mspx).
Sam Curry, vice-president of product management for Computer Associates Inc.’s eTrust, said it is difficult to protect machines against all ActiveX exploits because the operating system can’t tell whether an individual clicked on something on a Web page or malicious code is asking the browser to download a piece of software unbeknownst to the user. Creating this “malicious mobile code protection” is complex, he said. It involves monitoring and controlling what is being asked of the browser. Several security vendors do have technology to monitor ActiveX controls and shut them off.
But Friedrichs said this is of limited use. “It is certainly safer to turn those technologies off…(however) in a lot of cases it is difficult to even use the Internet today…without having those technologies enabled.”
Much of this will be fixed with the release of Windows XP Service Pack 2, slated for release in August. “We are all sort of waiting for it,” Curry said.
Even Mydoom, one of the year’s first releases in January, has made an ominous comeback. Two versions were released in succession in late July, the O version (or M as some called it) being of particular interest to those who follow malicious code development. Symantec rated it a four of five on its severity chart. It has never given out a five.
The worm briefly hammered the Internet’s major search engines, causing slowdowns as it trolled to find new e-mail addresses to infect. As usual, social engineering (carrying subject headings that prey on loneliness, boredom, etc.) was used to lure recipients. — With files from IDG News Service