[588] in Security FYI
[IS&T Security-FYI] Newsletter, August 30, 2007: Special Issue
daemon@ATHENA.MIT.EDU (Monique Yeaton)
Thu Aug 30 16:37:22 2007
To: ist-security-fyi@MIT.EDU
Message-Id: <17D79B91-EE99-4832-8570-41E0536CF84E@mit.edu>
From: Monique Yeaton <myeaton@MIT.EDU>
Date: Thu, 30 Aug 2007 16:33:59 -0400
Cc: itss@MIT.EDU
The past couple of months have seen the number of malware attacks and
vulnerability exploits rise substantially. It's not just the number
of malware attacks that is increasing but also the speed with which
vulnerabilities are being exploited. This special issue of Security
FYI will be the first in a series of issues discussing some of the
more recent malware attacks.
In this issue: Storm Worm
What is Storm worm?
Storm worm has been around since last January, when it began
infecting thousands of computers using an email with the subject
line: "230 dead as storm batters Europe." It later developed into
postcard spam with subject lines such as "You've received a postcard
from a family member!", invitations to Independence Day events
around the holiday, and invitations to join various "clubs."
The most recent form of attack was done spoofing YouTube. A spam
message invites recipients to see themselves in a YouTube video, but
the included link directs them to a website that downloads a package
of malware.
The Storm worm currently represents about 30% of all spam. From what
I have read, the malware it downloads doesn't affect Mac computers;
it only affects computers running Microsoft operating systems, and
especially those running Microsoft Internet Explorer.
How does it spread?
Whatever the email subject line used, the attackers count on a user's
lack of concern with clicking on links or attachments in emails
coming from a dubious source. Seven years after the "I Love You"
attacks, users are still clicking at will hoping to read news, a
postcard, watch a video, or join an event. Many of these invitations
require that you click on a link that leads to an infected website.
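The YouTube lure above and the click-on-a-link pattern described in this section share one observable trait: the visible link text names a site the user trusts while the actual href leads somewhere else. The following is an added example, not part of the newsletter and not MIT's own filtering code. It parses a constructed HTML message (placeholder hosts, including an IP literal from the documentation range) and flags every anchor whose text claims a domain that the href does not actually go to.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message in the style described in the newsletter: the visible
# link says youtube.com, the real destination is an unrelated host. All hosts here
# are placeholders; 203.0.113.7 is from the documentation address range.
SAMPLE_HTML = """
<p>Someone posted a video of you! Watch it here:</p>
<a href="http://203.0.113.7/video.exe">http://www.youtube.com/watch?v=abc123</a>
<p>Or read the newsletter at <a href="https://web.mit.edu/ist/security">web.mit.edu</a></p>
<p><a href="http://example.net/card">Click here</a> to view your postcard.</p>
"""

# A domain-looking token inside free text, e.g. "www.youtube.com" or "web.mit.edu".
_DOMAIN_RE = re.compile(r"\b(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def host_of(url):
    """Host the link really goes to, lowercased, without a leading 'www.'."""
    try:
        return _strip_www((urlsplit(url).hostname or "").lower())
    except ValueError:
        return ""


def host_in_text(text):
    """Domain the link *text* claims to be, or '' if the text names no domain."""
    m = _DOMAIN_RE.search(text)
    return _strip_www(m.group(1).lower()) if m else ""


def suspicious_links(html):
    """Return (href, text, reason) for each anchor whose text names one domain
    while the href goes to a different one (subdomains of the claimed domain are
    accepted, so 'mail.example.org' is not flagged against 'example.org')."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        actual, claimed = host_of(href), host_in_text(text)
        if claimed and actual and claimed != actual and not actual.endswith("." + claimed):
            findings.append((href, text, f"text names {claimed} but link goes to {actual}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_HTML):
        print(f"SUSPICIOUS: {text!r} -> {href}  ({reason})")
```

The check deliberately stays silent on anchors such as "Click here", whose text makes no claim about the destination; a mail gateway would typically combine this finding with other signals rather than block on it alone.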
Storm uses both image spam and spam with attachments to download the
malware. Both types have their benefits for spammers. Image spam
easily bypasses spam filters, and some infected attachments are
difficult to discern from legitimate ones.
A recent trick used by Storm is attacking networks that are scanning
for malware and vulnerabilities with a massive distributed denial-of-
service (DDoS) attack. It is actually attacking computers that are
trying to weed the Storm worm out. This puts universities at high
risk because of the placement of their scanners on a non-private
network, thereby making them visible to the Internet at large.
Earlier in August, researchers at SecureWorks discovered that the
Storm worm authors have taken their full attention off of email-based
attacks and have started creating more malicious Web pages.
What happens if infected?
The spam worked exceedingly well, helping the attackers build up a
massive botnet. A compromised machine becomes merged into that botnet
(a network of "zombie" computers run by host machines). Rather than
there being one host of a centralized network of infected machines,
there are multiple hosts. None of these hosts has a full list of the
entire botnet, making it difficult to gauge the true extent of the
zombie network. As the machine becomes part of this network, the
attacks continue to grow as more and more machines are "recruited" to
send out spam, often without the knowledge of the computer's owner or
user.
Researchers at SecureWorks and Postini have said they think the Storm
worm authors are cultivating such an enormous botnet to do more than
send out increasing amounts of spam. They now estimate there are 1.7
million infected PCs within the Storm worm botnet. All of the bots
are set up to launch denial-of-service attacks, and that's exactly
what they're anticipating. DoS attacks are designed to pound
computers with countless requests that flood their ability to respond,
effectively taking the machine down.
What's being done about it?
The problem security researchers are facing is that the tactics of the
Storm worm spam change constantly, using varying subject lines, "from"
and "to" names, and types of email (either image-based, or with
attachments or embedded links).
Anti-malware vendors are rolling out special updates for the latest
versions of Storm but must do so every few days as the worm mutates.
According to F-Secure and others, the malware code is modified every
30 minutes, undermining standard signature-based AV's ability to
block this threat. Additional ways to reduce risk are
spam filtering and URL filtering. However, a complete solution to the
problem may still be a long way off.
Are you at risk at MIT?
The email servers at MIT block most of the spam at the border.
However, because about 97% of email is spam, there is a great
likelihood that some spam will still come through. The higher your
spam threshold, the more likely spam will get through. If set lower,
more spam will be caught; however, you also risk legitimate email
being blocked. See spam filtering: <http://web.mit.edu/ist/services/email/nospam/>
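To make the threshold trade-off concrete, here is an added example (not part of the newsletter and not MIT's filter configuration) that scores a constructed, hand-labelled set of subject lines with a few toy rules, then sweeps the blocking threshold. The rules, weights and labels are all made up for the illustration; the point is that lowering the threshold catches the last spam message only at the cost of blocking legitimate mail that happens to mention a postcard or a video.

```python
import re

# Constructed, hand-labelled sample inbox: (subject, is_spam). The spam subjects echo
# the lures the newsletter lists; the legitimate ones deliberately share words with them.
SAMPLE_MAIL = [
    ("230 dead as storm batters Europe", True),
    ("You've received a postcard from a family member!", True),
    ("Someone posted a video of you on YouTube", True),
    ("Join our exclusive club today", True),
    ("You've received an invitation to the Independence Day party", True),
    ("Re: postcard from Grandma's trip", False),
    ("Lab meeting moved to Thursday", False),
    ("Your YouTube video has finished uploading", False),
    ("Invitation: department barbecue on July 4", False),
    ("Re: draft of the paper", False),
]

# Toy scoring rules (pattern, weight), in the spirit of a score-based filter.
# Weights are constructed for this example, not taken from any real product.
RULES = [
    (r"\bpostcard\b", 2.0),
    (r"\byoutube\b", 1.5),
    (r"\bclub\b", 1.5),
    (r"\binvitation\b", 1.0),
    (r"\bvideo of you\b", 3.0),
    (r"\bdead\b", 2.5),
    (r"\bexclusive\b", 1.5),
    (r"^re:", -2.0),          # replies to existing threads are usually legitimate
]


def spam_score(subject):
    """Sum the weights of every rule whose pattern matches the subject line."""
    s = subject.lower()
    return sum(weight for pattern, weight in RULES if re.search(pattern, s))


def evaluate(threshold, mail=SAMPLE_MAIL):
    """Block everything scoring >= threshold; return (spam caught, legitimate blocked)."""
    spam_caught = sum(1 for subj, is_spam in mail if is_spam and spam_score(subj) >= threshold)
    ham_blocked = sum(1 for subj, is_spam in mail if not is_spam and spam_score(subj) >= threshold)
    return spam_caught, ham_blocked


def sweep(thresholds=(1.0, 2.0, 3.0, 5.0), mail=SAMPLE_MAIL):
    """Map each candidate threshold to its (spam caught, legitimate blocked) counts."""
    return {t: evaluate(t, mail) for t in thresholds}


if __name__ == "__main__":
    total_spam = sum(1 for _, is_spam in SAMPLE_MAIL if is_spam)
    total_ham = len(SAMPLE_MAIL) - total_spam
    for threshold, (caught, blocked) in sweep().items():
        print(f"threshold {threshold:>4}: caught {caught}/{total_spam} spam, "
              f"blocked {blocked}/{total_ham} legitimate")
```

On this sample a threshold of 2.0 catches four of the five spam messages and blocks no legitimate mail, while dropping to 1.0 catches the fifth but also blocks two real messages; which side of that trade-off to sit on is exactly the per-user setting the newsletter describes.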
Because the malware can download from infected Web pages as well,
spam filtering or avoiding dubious-looking email will not prevent
infection. Stay away from dangerous sites such as those for
downloading free software tools. Users can't count on search engines
to protect them.
Prevention is the best medicine. Keep Windows and your antivirus,
firewall, and other security software up-to-date. Those precautions
will reduce the chances of infection.
To learn more about virus protection, firewall protection and
software updates at MIT:
IT Security Web page: <http://web.mit.edu/ist/topics/security/>
To read more about the Storm worm:
Information Week: <http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201800635>
Security Focus: <http://www.securityfocus.com/news/11482>
PC World: <http://www.pcworld.com/article/id,136465-c,worms/article.html>
How to tell if your computer is a zombie:
PC World: <http://www.pcworld.com/article/id,134988/article.html>
To read more about botnets:
Security Focus: <http://www.securityfocus.com/news/11473/1>
Monique
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security