Information Security News mailing list archives

Feds escape Bugbear bite


From: InfoSec News <isn () c4i org>
Date: Mon, 9 Jun 2003 01:56:17 -0500 (CDT)

http://www.fcw.com/fcw/articles/2003/0602/web-virus-06-06-03.asp

By Rutrell Yasin 
June 6, 2003

The variant of the Bugbear computer worm that started to spread
throughout the Internet on June 5 doesn't appear to have adversely
impacted federal agencies, according to initial reports from
cybersecurity experts.

Hit by a wave of fast-spreading, Internet-borne viruses over the past
few years, agencies, like many corporations, have moved to shore up
virus protection and cyberdefenses, agency security officers and
security experts noted.

Bugbear is an Internet mass-mailing worm. Once activated on a
computer, the worm e-mails itself to addresses found on the local
system. The sender address in a message can be spoofed, or forged, and
so is not a direct indication of an infected user. Bugbear spreads
using network shares and by mailing itself using the default Simple
Mail Transfer Protocol engine. Users will know that they have been
infected by the presence of a non-standard .EXE file in the startup
folder, virus experts said.

"We have not seen any of our government customers infected," said
Peter Stapleton, product marketing manager at NetSec Inc., which
provides security services for nine cabinet-level departments
including the departments of Agriculture, Justice and the Treasury.

"We've advised all of our clients they should not allow executable
files through the e-mail server," Stapleton said.

Blocking executable content at the e-mail gateway has become a
standard policy of many agencies over the past two to three years,
said Jimmy Kuo, a member of Network Associates Inc.'s AntiVirus
Emergency Response Team (AVERT). As a result, Network Associates'
government clients, such as the Defense Information Systems Agency and
the Department of Veterans Affairs, weren't infected with the Bugbear
variant.

Veterans Affairs cybersecurity chief Bruce Brody confirmed Kuo's
claims, noting that Bugbear's impact was "negligible." He added, "Our
antivirus defenses are robust."

The Department of Defense also viewed Bugbear as a low-level threat.  
"The Joint Task Force-Computer Network Operations, in coordination
with the Department of Defense Computer Emergency Virus Response Team,
assesses viruses and their potential impact to DOD systems," according
to a JTF-CNO spokesman in a statement e-mailed to FCW. The DOD works
closely with industry partners and virus protection vendors to ensure
that the agency stays up to date on antivirus signatures and that they
are deployed across DOD's global information network. "Because we
continuously and rapidly take such proactive measures, the JTF-CNO and
the DOD CERT have assessed the impact of the named viruses as low
threat and note no significant impact to date," the DOD spokesman
said.

The Bugbear variant was still spreading through the Internet on
Friday, prompting virus protection teams at Network Associates and
Symantec Corp. to classify the worm as a high risk.

Symantec Security Response analysts had tracked 1,002 submissions of
the variant, known as W32.Bugbear.B, by Friday, said Vincent Weafer,
senior director of Symantec Security Response. Symantec analysts don't
think the worm's spread has peaked yet. By comparison, the original
Bugbear worm was discovered on Sept. 30, 2002, and peaked on its fifth
day with 6,888 submissions.

Dan Caterinicchia and Judi Hasson contributed to this story.


