BCM

Sunday, August 28, 2005

Alleged worm hacker detained

Two men were arrested overseas on Thursday on charges of unleashing a computer worm that infected networks across the United States nearly two weeks ago, the Federal Bureau of Investigation and Microsoft announced yesterday.

The men, Farid Essebar, 18, of Morocco, and Atilla Ekici, 21, of Turkey, were said to be responsible for the Zotob worm, which hampered computer operations at more than 100 companies, including news organizations like CNN, The New York Times and ABC News. The computers were running a version of Microsoft's Windows operating system, prompting the company's Internet crime investigations unit to collaborate with the F.B.I. to locate the source.

"The swift resolution of this matter is the direct result of effective coordination and serves as a good example of what we can achieve when we work together," Louis M. Reigel III, assistant director of the F.B.I. Cyber Division, said in a news release.

In a conference call with reporters, Mr. Reigel said Mr. Ekici, who went by the online alias Coder, paid Mr. Essebar, operating under the name Diabl0, to create Zotob and another worm, called Mytob. But he would not comment on whether they were part of a broader operation.

"They certainly knew each other via the Internet," Mr. Reigel said, but it was not clear whether they had met in person.

The state news agency in Morocco reported that the motive was financial and that Mr. Essebar acted in league with groups involved in bank card forgery. Some computer worms can be used to compromise computer security and make it easier to steal passwords, identification data and financial records in ways that are hard to trace.

Mr. Reigel declined to specify yesterday whether any data was compromised in the Zotob episode.

The Zotob worm was notable for how quickly it was released after Microsoft's announcement of a flaw in its Windows 2000 operating system. Within days of Microsoft's releasing a security patch in early August, the worm was infecting computers that had not installed the update.

Bradford L. Smith, Microsoft's general counsel, said in an interview yesterday that the company was able to help authorities as the attack was going on by monitoring its path and then charting its trail and dissecting the code behind the worm.

"You learn things in real time that you just cannot reconstruct later," he said.

In the earlier conference call, he was asked why Microsoft's operating systems have been so prone to attack.

"The reality is that any company that has popular products has to recognize that it's a fact of life," he said. "Security remains our highest priority."

You can find a removal tool at: http://www.microsoft.com/security/malwareremove/default.mspx

Tuesday, August 23, 2005

Serious damage caused by chat and IM

Reports are coming in from threat centers around the country that the Zotob virus continues to spread rapidly, and impact Windows XP computers on consumer and enterprise desktops. Reports have included serious service interruptions at CNN, ABC, the New York Times, and other places.

Dmitri Alperovitch, a research engineer at CipherTrust, says the Zotob virus is spreading faster than any virus he has ever seen. "It's the zombie effect," he says, "the Zotob virus is using zombie PCs that have been taken over by a hacker to spread a virus, very, very effectively." He noted that at one point today, more than 2000 zombies were part of the network that is spreading the virus. Meanwhile, the IMLogic Threat Center this morning reported that both the Zotob and IRCbot worms are using a chat channel to allow hackers to gain access and control of an infected machine. In a statement, the company said, "The rapid spread of these worms is illustrating the special problems posed by threats that can leverage real time data channels like IM."

The statement added that the worms are taking advantage of a vulnerability in the "plug and play" component of Windows 2000, XP and Server 2003. An infected machine exploits the flaw on other vulnerable machines, which can also leave them in a denial-of-service condition. By leveraging a chat channel, the initiating hacker gains access to a host machine, then uses it to attack other networked machines.

Once the vulnerability is successfully exploited, it allows a hacker to affect a number of systems, from stealing system information to the most damaging outcome: forcing an infected computer into a continual reboot.

Security industry threat centers initially rated the worms a "low" risk, but the rapid propagation of Zotob and IRCbot has motivated providers to raise the risk level.

The worm appears to lay quiet on an infected machine until prompted into action by the hacker. The messaging channel opened up by the worm appears to await direction prior to disrupting system activity or propagating itself on the network.

Wednesday, August 17, 2005

Worm strikes down Windows 2000 systems

Microsoft in 'emergency response' as worm reported on three continents

WASHINGTON (CNN) -- A fast-moving computer worm Tuesday attacked computer systems using Microsoft operating systems, shutting down computers in the United States, Germany and Asia.

Among those hit were offices on Capitol Hill, which is in the midst of August recess, and media organizations, including CNN, ABC and The New York Times. The Caterpillar Co. in Peoria, Illinois, reportedly also had problems.

A small number of computers in an administrative office at San Francisco International Airport also crashed, but they were not essential to the airport's operation, spokesman Mike McCarron said.

The FBI said the computer problems did not appear to be part of any widespread attack.

While the worm affects primarily Windows 2000, it also can affect some early versions of Microsoft XP, said Johannes Ullrich, chief technology officer of the SANS Institute, a network security firm based in Jacksonville, Florida.

Symptoms include the repeated shutdown and rebooting of a computer.

Microsoft has a downloadable patch on its security homepage, Microsoft.com/security.

The director of Microsoft's security response center, Debbie Fry Wilson, said the computer giant was in an "emergency response" mode. "Right now, we're mobilizing our two war rooms," she told CNN.

"The key thing I want to stress for customers is making sure that they install security updates as quickly as possible," Wilson said.

Although she said that the number of affected computers is unclear, most Windows 2000 customers are business users. And automatic security updates would have protected most home users, she said. Wilson added that "at least 200 million computer users worldwide" have downloaded the patch.

Business software provider AssetMetrix reported in June that computers running Windows 2000 were on about half of all corporate desks.

Microsoft is working with law enforcement to track down those who unleashed the worm, Wilson said.

Lysa Myers, a virus researcher for the computer security firm McAfee, Inc., said the worm exploits a vulnerability in Microsoft's plug-and-play service. "How it's spreading is it's looking for machines that are unpatched and running itself," she said.

What was causing the damage was unclear, although experts pointed to a new worm called worm-rbot.cbq.

David Perry of Trend Micro, an Internet monitoring firm, said the latest worm may have been derived from the Zotob worm, which was first reported over the weekend.

Ullrich, of the SANS Institute, said Zotob "will connect to a control server to ask for instructions. It scans network neighborhoods and tries to infect them, as well."

Typically, the worm enters a system via a laptop connected to unsecured networks, Ullrich said. "This laptop will infect your systems from the inside."
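The two behaviours the reports above attribute to Zotob, a compromised host that fans out to its network neighbourhood looking for more unpatched machines, and an infected host that holds an outbound connection to a chat-style control channel, are both visible in ordinary connection logs. The script below is an added example (not code from the original articles or from any vendor named here) that flags both patterns. The log format, the sample lines and the choice of 6660-6669/7000 as "chat control" ports are assumptions made for this example; a real deployment would use the fields its own firewall emits and the control ports seen in its own traffic.

```python
"""Flag worm-like behaviour in connection logs: one internal host contacting
many internal peers on a single port inside a short window (lateral scanning),
and internal hosts allowed an outbound connection to a chat/IRC-style port
(a possible control channel).  Log format and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")          # assumption: the internal address range
CHAT_CONTROL_PORTS = set(range(6660, 6670)) | {7000}   # assumption: IRC-style ports
SCAN_WINDOW = timedelta(minutes=5)
SCAN_THRESHOLD = 20      # distinct internal targets on one port within the window

# Constructed log, one event per line: "<ISO time> <src> <dst> <dport> <action>".
# Host 10.1.5.23 probes 25 neighbours on port 445 and then talks to an external
# IRC-style server; host 10.1.7.9 shows ordinary file-sharing and web traffic.
SAMPLE_LOG = "\n".join(
    [f"2005-08-16T17:00:{i:02d} 10.1.5.23 10.1.5.{100 + i} 445 DROP" for i in range(25)]
    + [
        "2005-08-16T17:04:10 10.1.5.23 198.51.100.7 6667 ALLOW",
        "2005-08-16T17:05:00 10.1.7.9 10.1.7.10 445 ALLOW",
        "2005-08-16T17:05:30 10.1.7.9 203.0.113.5 80 ALLOW",
    ]
)


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(dport), action


def find_lateral_scanners(log_text, window=SCAN_WINDOW, threshold=SCAN_THRESHOLD):
    """Return {(src, dport): max_targets} for internal sources that reached at
    least `threshold` distinct internal destinations on one port within `window`."""
    events = defaultdict(list)              # (src, dport) -> [(time, dst), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_line(line)
        if src in INTERNAL and dst in INTERNAL:
            events[(src, dport)].append((ts, dst))

    hits = {}
    for key, items in events.items():
        items.sort()                        # time-ordered for the sliding window
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1                  # drop events older than the window
            targets = {dst for _, dst in items[start:end + 1]}
            if len(targets) >= threshold:
                hits[key] = max(hits.get(key, 0), len(targets))
    return {(str(src), port): n for (src, port), n in hits.items()}


def find_control_channels(log_text):
    """Return {(src, dst, dport)} for internal hosts allowed an outbound
    connection to a chat-style port on an external address."""
    found = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, dport, action = parse_line(line)
        if (src in INTERNAL and dst not in INTERNAL
                and dport in CHAT_CONTROL_PORTS and action == "ALLOW"):
            found.add((str(src), str(dst), dport))
    return found


if __name__ == "__main__":
    for (src, port), n in find_lateral_scanners(SAMPLE_LOG).items():
        print(f"possible lateral scan: {src} reached {n} internal hosts on port {port}")
    for src, dst, port in sorted(find_control_channels(SAMPLE_LOG)):
        print(f"possible control channel: {src} -> {dst}:{port}")
```

Hosts that trip both rules are the ones worth isolating first: a single scanner may just be a misconfigured inventory tool, but a scanner that also keeps an outbound chat-port session matches the "await instructions, then spread" pattern the researchers describe.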

Several versions of the worm have been released, some as late as Tuesday, he said.

Around 5 p.m. problems began at CNN facilities in New York and Atlanta before being cleared up about 90 minutes later.

The New York Times also was able to bring its systems back up, and "newspaper production will not be affected," spokeswoman Kathy Park said.

The White House said it did not have reports of computer problems.

Improved firewalls and faster patches may have limited the worm's spread, said Jeff Havrila, a technical analyst with the U.S. Computer Emergency Readiness Team, a coalition of public and private groups that combats computer attacks.

He also said it is unclear how long the worm may take to run its course, noting that many people are away on summer vacation and may be affected only when they return.

At any given time there are thousands of computer worms and viruses in existence. Last year, the Sasser worm shut down millions of computers worldwide. A German teenager has been sentenced to 21 months' probation

Monday, August 08, 2005

Windows Vista Virus

Date: August 05, 2005
Source: PC WORLD

An Austrian hacker has earned the dubious distinction of writing what are thought to be the first known viruses for Microsoft's Windows Vista operating system. Written in July, the viruses take advantage of a new command shell, code-named Monad, that is included in the Windows Vista beta code.

The viruses were published last month in a virus-writing tutorial written for an underground hacker group calling itself the Ready Ranger Liberation Front, and take advantage of security vulnerabilities in the new command shell. Unlike the traditional Windows graphical user interface, which relies heavily on the mouse for navigation, command shells allow users to employ powerful text-based commands, much as Windows' predecessor, DOS, did.

Who Done It

The viruses were written by a hacker calling himself "Second Part To Hell," and published on July 21, just days after Monad was publicly released by Microsoft, according to Mikko Hyppönen, chief research officer with Helsinki's F-Secure. Second Part To Hell is the pseudonym of an Austrian-based hacker who also goes by the name Mario, Hyppönen says.

Because of its sophistication, the new command shell offers new opportunities for hackers, Second Part To Hell wrote in the tutorial, a copy of which was obtained by the IDG News Service. "Monad will be like Linux's BASH (Bourne Again Shell)--that means a great number of commands and functions," he wrote. "We will be able to make as huge and complex scripts as we do in Linux."

F-Secure has named the virus family Danom (Monad in reverse). Having examined the code, Hyppönen says that the Danom family is disruptive, but not capable of causing significant damage to Windows users. "These are proof-of-concept viruses," he says, "where virus writers want to break new ground and write the first viruses for a new platform."

Most security experts had not expected to see a Windows Vista virus so soon, Hyppönen says. "The only surprise here is that it came so early," he says. "It's been eight days since the beta of the operating system was out." Monad was released several days prior to the Windows Vista beta.

Wednesday, August 03, 2005

Email scams that pose as greeting cards

Websense® Security Labs(TM) has received a surge of email scams that pose as greeting cards in order to lure users into downloading a Trojan. The Portuguese HTML emails claim that the card was sent by a friend and include one of several poems. Multiple links within the email will direct the user to a website hosting the Trojan.

This Trojan is a password-stealing keylogger. The Trojan monitors user access to certain financial websites, and then captures account information. Captured account information is delivered by email to the attacker's address.

The Trojan will also mine the workstation for email addresses and will send itself to those addresses in order to propagate further.

Translation of the email sample:

A person that loves you has sent you a virtual card!
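The lure described above works because the card links lead to a download rather than to a web page. A mail gateway can screen for that before a user ever clicks. The script below is an added example (not code from Websense or from the original post) that pulls every link out of an HTML message and flags links whose path ends in an executable or archive name, or whose host is a bare IP address. The sample message, the sender and host names, and the suffix list are all constructed for this example.

```python
"""Screen an HTML e-mail for links that lead straight to a downloadable
executable, the greeting-card lure described above.  Sample message, hosts
and the suffix list are constructed for this example."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: file suffixes a gateway would treat as direct-download risks.
RISKY_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".zip")

# Constructed message modelled on the lure: two "view the card" links, one of
# which points at an executable on a bare-IP host.
SAMPLE_EMAIL = """\
From: cartao@example.invalid
To: user@example.invalid
Subject: Voce recebeu um cartao virtual!
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Uma pessoa que te ama enviou um cartao virtual!</p>
<p><a href="http://cards.example.invalid/ver.php?id=1">Clique aqui para ver o cartao</a></p>
<p><a href="http://203.0.113.9/cartao/cartao.exe">Ver em tela cheia</a></p>
<img src="http://cards.example.invalid/logo.gif">
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def extract_links(raw_message):
    """Return the hrefs found in the HTML body of a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    return collector.links


def risky_links(raw_message):
    """Return [(href, [reasons])] for links that point at an executable/archive
    or at a host given as a bare IP address."""
    flagged = []
    for href in extract_links(raw_message):
        parsed = urlparse(href)
        reasons = []
        if parsed.path.lower().endswith(RISKY_SUFFIXES):
            reasons.append("executable download")
        host = parsed.hostname or ""
        if host.replace(".", "").isdigit():
            reasons.append("bare IP host")
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in risky_links(SAMPLE_EMAIL):
        print(f"{href}: {', '.join(reasons)}")
```

A gateway would normally quarantine the message when any link is flagged and log the hostname so the same site can be blocked at the proxy; the suffix check catches the direct download, while the bare-IP check catches the common case where the hosting machine has no name at all.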

This story is from http://www.websensesecuritylabs.com

Monday, August 01, 2005

Microsoft: Global anti-piracy initiative

Microsoft Corp. (Nasdaq: MSFT) today announced the transition of the Windows® Genuine Advantage (WGA) pilot to a version 1.0 launch with worldwide availability. WGA is part of Microsoft's ongoing commitment to protecting its customers from software counterfeiting and to helping support partners through education, engineering, and enforcement of policies and laws. WGA, designed to differentiate the value of genuine Windows-based software from counterfeit software, enables customers to enjoy the capabilities they expect, provides them with confidence that their software is authentic, and delivers ongoing system improvements, including approximately $450 in software offerings available only to genuine users.

According to the Business Software Alliance, unlicensed and pirated software costs software vendors and national economies billions of dollars every year. Customers, businesses and resellers continually ask Microsoft for help in mitigating the threat posed by pirates.

One way to fight counterfeit software is to ensure that users recognize and receive all the benefits of genuine software. Customers who participate in WGA will have easy access to updates, added-value software offerings and other benefits of genuine Microsoft® Windows.

"During the 10-month pilot of WGA, we have been very encouraged by the large number of customers -- more than 40 million in all -- who chose to participate in WGA because they were concerned about piracy and wanted a way to determine whether their Windows software was genuine," said Will Poole, senior vice president of the Windows Client Business at Microsoft. "It also became clear that customers want to take advantage of special offers reserved for genuine users, with the peace of mind that their software will deliver the features, options and performance they need.