Users of the Kazaa file-sharing network were today warned about the second virus in as many months to infect users.
The worm tricks users into downloading it by masquerading as appealing media files such as popular MP3s of films. Once it has infected a user's machine it makes 150 copies of itself in the Kazaa shared files directory in a bid to lure other victims.
Wary users may be able to spot the worm: all the files it pretends to be in the Kazaa directory are 19k in size, which may seem suspicious.
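The size tell described above can be checked mechanically. This is an added example, not code from the article or from BitDefender: it generalises the "all 19k" hint to any cluster of byte-identical files stored under different names in a shared folder. The alert threshold, the file names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

MIN_COPIES = 10  # assumed alert threshold; the article reports 150 copies

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_clone_clusters(shared_dir, min_copies=MIN_COPIES):
    """Return clusters of byte-identical files stored under different names."""
    by_size = defaultdict(list)
    for entry in os.scandir(shared_dir):
        if entry.is_file(follow_symlinks=False):
            by_size[entry.stat(follow_symlinks=False).st_size].append(entry.path)
    clusters = []
    for size, paths in by_size.items():
        if len(paths) < min_copies:      # size is a cheap pre-filter before hashing
            continue
        by_hash = defaultdict(list)
        for path in paths:
            by_hash[sha256_of(path)].append(path)
        for digest, same in by_hash.items():
            if len(same) >= min_copies:  # same size AND same content
                clusters.append({"size": size, "size_kb": round(size / 1024),
                                 "sha256": digest, "count": len(same),
                                 "files": sorted(same)})
    return sorted(clusters, key=lambda c: c["count"], reverse=True)

def build_sample_dir(root):
    """Constructed test data: 150 identical 19 KB decoys plus benign files."""
    for i in range(150):
        with open(os.path.join(root, f"decoy_{i:03}.mp3"), "wb") as fh:
            fh.write(b"X" * (19 * 1024))
    for i in range(12):                  # same size, different content: not clones
        with open(os.path.join(root, f"song_{i:02}.mp3"), "wb") as fh:
            fh.write(bytes([i]) * 4096)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_dir(root)
        for c in find_clone_clusters(root):
            print(f"{c['count']} identical files of ~{c['size_kb']} KB, "
                  f"sha256 {c['sha256'][:16]}...")
```

Grouping by size first keeps the scan cheap on large media folders; hashing then separates genuine clones from unrelated files that merely share a size.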
"This backdoor is the second virus to successfully attack the popular network in less than two months," said Bogdan Dragu, virus researcher at security firm BitDefender. "Following this trend, peer-to-peer file-swapping networks could soon become a paradise for any virus writer."
News source: vnunet
The June 2002 Netcraft Web Server Survey is out:
http://www.netcraft.com/survey/
Top Developers

Developer    May 2002    Percent    June 2002    Percent    Change
Apache       21120388    56.21      23154909     59.67       3.46
Microsoft    11902821    31.68      11239613     28.96      -2.72
Zeus           849089     2.26        799173      2.06      -0.20
iPlanet        824245     2.19        687004      1.77      -0.42
Active Sites

Developer    May 2002    Percent    June 2002    Percent    Change
Apache       10411000    65.11      10964734     64.42      -0.69
Microsoft     4121697    25.78       4243719     24.93      -0.85
iPlanet        247051     1.55        281681      1.66       0.11
Zeus           214498     1.34        227857      1.34       0.00
Around the Net
Web more vulnerable to attack now than at any time previously.
The publication of serious vulnerabilities in Microsoft-IIS and Apache
over the last three weeks has created a situation where a majority of
internet sites are likely to be accessible to remote exploit. On 11th
June, Microsoft released a trio of advisories, the most serious of
which referred to a [2]HTR buffer overflow that could be used to
remotely compromise machines running Microsoft-IIS.
Although Netcraft cannot explicitly test for the vulnerability
without prior permission from the sites, around half of the
Microsoft-IIS sites on the internet have .htr [3] mapping enabled,
which indicates that the site is likely to be vulnerable to the
attack, and indeed that some number will already be under the control
of an external attacker.
On the 17th June it was [4]reported that many versions of the Apache
web server were vulnerable to a buffer overflow through flawed
functionality affecting its "Chunked Encoding" mechanism. If
exploited, this could lead to a remote system compromise and exploits
are already known to have been developed for Windows, FreeBSD and
OpenBSD. There is an active debate on whether exploits are possible
for Linux and Solaris.
Apache administrators have reacted quite quickly to the problem, and
within a week of first publication, well over 6 million sites have
been upgraded to Apache/1.3.26, issued by the Apache project in
response to the problem. However, this still leaves around 14 million
potentially vulnerable Apache sites.
With over half of the internet's web servers potentially vulnerable,
conditions are ripe for an epidemic of attacks against both
Microsoft-IIS and Apache based sites, and the first [5]worm,
targeting sites running Apache on FreeBSD, has been spotted this
weekend.
Although potentially very disruptive, worms have a positive aspect, in
that they draw administrators' attention to vulnerable servers, and
once patched the server is usually no longer available as a platform
for more insidious activity. Last year, immediately prior to the Code
Red worm, Netcraft was finding that around one in six ecommerce sites
running Microsoft-IIS taking a security test from Netcraft for the
first time had already been successfully compromised, and had a
backdoor giving an external attacker control over the machine. The
clear up from Code Red had the positive effect of flushing the
majority of these backdoors out of the internet.
Additionally, Microsoft yesterday announced [6]details of some
severe vulnerabilities in its Commerce Server software which give
remote attackers the ability to execute arbitrary code on the server.
There are around 36,000 sites using Commerce Server [or Site Server,
its predecessor] including a significant number of ecommerce sites and
banks.
It is noteworthy that the vulnerabilities are equally applicable to
SSL sites, and that in particular, most intrusion detection (IDS)
facilities will not flag attacks implemented over SSL because the
traffic is encrypted. This can provide a false sense of confidence to
administrators, and, symmetrically, a suitable means of a stealthy
attack.
Everyone is encouraged to test their networks for vulnerabilities;
details on Netcraft's own security testing services are available
[1]here.
References
1. http://www.netcraft.com/security/
2. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-028.asp
3. http://www.netcraft.com/security/public-advisories/htr.html
4. http://httpd.apache.org/info/security_bulletin_20020620.txt
5. http://dammit.lt/apache-worm
6. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-033.asp
