Information Security News mailing list archives

Feds warn of rogue code


From: InfoSec News <isn () c4i org>
Date: Tue, 26 Jun 2001 03:42:44 -0500 (CDT)

http://news.cnet.com/news/0-1003-200-6374839.html?tag=mn_hd

By Robert Lemos
Special to CNET News.com 
June 25, 2001, 3:30 p.m. PT 

A government Internet watchdog warned companies this past weekend of a
new malicious program that spreads to previously compromised PCs and
seemingly prepares the infected machines to launch a denial-of-service
attack, sources said Monday.

The program, known as W32-Leaves.worm, places additional code on the
compromised machines and synchronizes the PCs' internal clocks with
the one at the U.S. Naval Observatory, said Vincent Gullotto, director
of the antivirus research team at security company Network Associates.

"That may indicate that (the worm) is preparing to do something," he
said, but he added that Network Associates has had only three reports
of the infection in the past 48 hours. "The government was primarily
worried that it could be a denial-of-service attack. Based on their
numbers, we decided to give it a medium risk."

On Saturday, the National Infrastructure Protection Center posted an
advisory to its Web site warning companies of the worm. "Leaves" takes
advantage of computers that have been compromised by the illicit
installation of the SubSeven system-administration tool, the NIPC
stated in the advisory. SubSeven is the program most commonly used by
network intruders to control Windows PCs remotely.

"The full impact of this new Leaves infection and appropriate fixes
are currently under investigation," stated the advisory.

Worms--a way to crack the security of thousands of servers at a
time--have become the tool of choice for many online vandals. A worm
is a self-propagating program that will scan until it finds a
vulnerable computer, which it will infect and then start the process
all over.

This year several Linux worms, including Ramen, 1i0n, and Adore, have
hit the Net, along with a worm that infects Solaris systems.

While the NIPC did not expand on the Leaves worm's capabilities,
Gullotto said the pesky program was uploading information about
compromised PCs to a central Web site. The site has since been taken
down.

He added that the worm is unlikely to amount to much.

"If we don't hear anything in the next few days, we will downgrade the
threat," Gullotto said, speaking from a conference where antivirus
experts gathered to talk about issues facing the industry. "No one here
is very concerned about this."

Rather than warn against impending attack--a tactic that garners
public-relations points for the NIPC--the agency should be telling
security administrators what to do to prevent attacks in the first
place, said Greg Shipley, director of consulting services for security
company Neohapsis.

"Everyone is kind of thinking practical and not thinking strategic,"
he said.

"The first step is to patch their servers and patch in a timely
manner, but that's a tactical problem. The strategic move is to get
these vendors taking some liability for the bugs in their servers."




ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.

