On TV.com: KIM KARDASHIAN is hot hot hot

Search:
Go!


Today on CNET
Reviews
News
Downloads
Tips & Tricks
CNET TV
Compare Prices
Blogs
Cell phones| Desktops| Digital cameras| Laptops| MP3 players| TVs| All Categories


Click Here
advertisement

Security Watch : Don't get burned by viruses and hackers.
How you can foil virus writers
E-mail to a friend
Send us feedback
By Robert Vamosi 
Senior associate editor, CNET Reviews
March 22, 2004

Like it or not, we're hot and heavy into the first active virus season of 2004. If the past is any indication, it should last until May, then resume again in early August. Despite the sheer number of medium-threat viruses on the loose this year, however--we've seen about 36 low- to medium-level threats since January 18, 2004--virus writers seem to be burning through their bag of new tricks with only limited success. Indeed, none of the recent crop of Bagle, Netsky, and MyDoom variants has risen above a medium threat level. Still, the season isn't over yet; we may have seen only the beginnings of a bad year. Fortunately, there are ways you and I can defeat these buggers before they attack, but first, let me detail the history of one recent annoyance: Bagle.

New Bagle flavors cause minor indigestion
Since the first of the year, at least 20 variations of the Bagle virus, most created by the same author, have hit the Internet. Bagle versions b through g simply open a backdoor port, allowing the virus author access to infected computers, which could lead to big security problems. Versions h through o add greetz, code written to other virus writers; these versions appear to be part of a gang war on the Internet.

We've seen about 36 low- to medium-level threats since January 18, 2004.
Version n protects infected ZIP file attachments with a password that appears in plain text within the body of the infected e-mail message. After antivirus vendors caught on to this trick, variants n, o, and p placed the password within an image file--a trick first used by antispammers to keep spam robots from reading coded e-mail addresses on the Internet. Variant p compressed the virus with the much rarer RAR file format, and again, antivirus vendors responded quickly. Of these Bagle variants, only n was particularly successful.

On the other hand, Bagle.q, which appeared on March 18, 2004, opened a new can of worms. Bagle variations q through t are unique in that some of their e-mail targets don't have to open the attached file to become infected. Vulnerable systems include those Windows systems not yet updated with the cumulative patch for Internet Explorer (MS03-040) released last October.

On these vulnerable systems, simply previewing e-mail infected with Bagle.q, r, s, or t will launch the script necessary for infection--no user action required. The flaw that allows this shenanigan lies within Internet Explorer, which handles all HTML operations for Outlook, and the flaw will automatically activate the script that downloads the virus from one of 600 hard-coded Internet Protocols (IPs).

What's interesting is that all 600 of these particular IPs appear to be home computers using ADSL connections, according to the antivirus vendor F-Secure. In fact, these zombie machines have all been infected with Trojan horses delivered by earlier versions of Bagle.

Two new Trojan horses ride in
In January 2004, the viruses Bagle and MyDoom both began using a new Trojan horse called Mitglieder. This Trojan horse creates a network of peer-to-peer-connected machines that can forward e-mail to even more computers and create open proxies, which can then relay spam anonymously. Mitglieder also allows the virus writer to instigate a distributed denial-of-service attack on a chosen target. MyDoom, for example attacked SCO Linux, Microsoft, and RIAA sites.

I know it's a hassle, but you really must update and patch your Windows system whenever Microsoft says that you should.
Now virus writers have another choice: Agobot/Phatbot (free registration required for this site). This Trojan horse is more compact but includes more capabilities, which prompted a warning on March 17, 2004, from US-CERT. Among other malicious tasks, Agobot/Phatbot builds networks of infected PCs very quickly, steals passwords from AOL accounts, sniffs for PayPal cookies, and harvests e-mail addresses from HTML files for the purposes of spamming those addresses. A detailed analysis can be found on the Lurhq site.

Agobot/Phatbot takes advantage of several recent Microsoft vulnerabilities, including RPC/DCOM (MS03-026) (a vulnerability made famous last August by MSBlast), a buffer overrun in RPSS (MS03-039), a buffer overrun in Workstation Service (MS03-049), and WebDAV (MS03-007). However, by installing the above patches from Microsoft, you can mitigate the effects of Agobot/Phatbot.

It's patch now or pay later
I know it's a hassle, but you really must update and patch your Windows system whenever Microsoft says that you should. I also know that some Microsoft patches have been known to break functionality in third-party apps or remove your Favorites from Internet Explorer, but these are trivial problems compared to the hours of frustration you'd spend cleaning up after some new virus. You may want to wait a few days after Microsoft makes a new patch available just to see if it causes any installation grief; Microsoft has been known to patch its patches. But don't wait too long. With virus writers playing around with new tricks every day, it's better to spend a few minutes on prevention now.


Security Center
Top antivirus apps
From CNET Reviews
Top antispyware apps
From CNET Reviews
Virus and security alert forums
From CNET Message Boards




3/15/04
Don't be duped by hackers without computers
Your company has a firewall, but criminal hackers often access internal networks without a computer. Learn the subtleties of social engineering attacks and how to protect yourself.

3/10/04
Could you get caught in a virus gang war?
More than two-dozen viruses have circulated the Net in recent weeks. What gives? Gangs of virus writers are trying to outdo one another and protect their turf. Robert has the story.

3/3/04
Antivirus software must be free
One big reason viruses are still rampant on the Net: too many people don't use antivirus software. The only way to get them to change their ways is to make that software free.

More commentary


More commentary
Buzz Report
Molly Wood
Taking a bite out of hype.
Security Watch
Robert Vamosi
Don't get burned by viruses and hackers.
Fully Equipped
David Carnoy
The electronics you lust for.
On Call
Kent German
Solutions for your wireless woes.
Driving It
Wayne Cunningham
What's hot and what's not in car tech.

Help Center|Newsletters|Corrections|What's New|All Product Reviews|
Search:
Go!

Popular topics: Apple | Antivirus | Cell Phones | Dell | Digital Camera | Firefox 3 | Games | iPhone | iPod | iTunes | Laptops | Norton | PS3 | Verizon | Wii | Xbox 360
CNET.com
About CNET|Today on CNET|Reviews|News|Compare prices|Tips & Tricks|Downloads|CNET TV
Popular on CBS sites: World News | Fantasy Football | Amy Winehouse | Baseball | E3 | Batman | Firefox 3 | iPhone 3G
About CNET Networks | Jobs | Advertise


© 2008 CNET Networks, Inc., a CBS Company. All rights reserved. | Privacy Policy | Terms of Use