Windows Security Issues Just Won’t Go Away

It will be years before all the holes in the Windows operating system will be plugged.

When the Windows XP Service Pack 2 is released this summer, new Windows PCs will begin shipping with security switched on by default for the first time. But, according to antivirus experts at Symantec Corporation, it will take five or six years before such basic protections are common on the installed base of PCs.

In addition, Microsoft’s decision to move from weekly to monthly software patches has raised the stakes for those who ignore security bulletins and updates, according to eEye Digital Security Inc. (www.eeye.com/html/), the company that discovered the recent vulnerability in a Windows security and authentication component. Once any vulnerability is discovered, waiting too long to apply a software patch leaves systems exposed to infection by subsequent worms or viruses that take advantage of the software hole that would have been fixed by the patch.

Analysts believe that the Sasser worm outbreak highlighted this issue of vulnerability management. The worm took advantage of the flaw disclosed by Microsoft on April 13, and a large majority of those infected were believed to be home users who had failed to remove the risk. Attackers are getting quicker and more efficient at taking advantage of new flaws -- last year's damaging Blaster took about a month to hit the Internet after the flaw it exploited was first announced, while Sasser took less than three weeks. To proactively block attacks like this, users can quickly modify settings for software- or hardware-based firewalls installed on end-user systems.

Unlike viruses or Trojans that require action by users to introduce them to their PCs, the fast-spreading worms need no user interaction to spread and don’t travel through e-mails or attachments. They work instead by instructing any vulnerable Internet-connected system to download and execute a copy of the malicious code. Five variants of the original Sasser worm surfaced immediately, and a Windows PC connected to the Internet could become infected in just two minutes. The SANS Institute’s Internet Storm Center (www.incidents.org/), which monitors malicious activity on the Internet, estimates that several hundred thousand machines were quickly infected worldwide. The Sasser.E.Worm can run on (but not infect) Windows 95/98/Me computers. So although these operating systems are not infected, they can still be used to infect vulnerable Windows 2000 and XP systems that they are able to connect to, either on a network or through the Internet.

More Netsky via E-Mail

Also floating around is what appears to be yet another variant of the tenacious Netsky e-mail virus that has been infecting systems worldwide since February. The latest variant, W32/Netsky-AC, even poses as a cure for Sasser, appearing to be an e-mail from an antivirus company with an attachment to fix Sasser. If a user is tricked into clicking on the attached file, the virus is activated and sends copies of itself to names found in the victim’s computer, with forged return addresses. Previous versions were attached to messages that appeared to come from Internet Support Providers like HAL-PC, not the true sender. These messages should be deleted immediately without opening. HAL-PC support would never send such messages to all users.

The original Netsky virus tried to uninstall other viruses. But the new variants instead add remote-access components and carry out DoS (denial-of-service) attacks. Unlike earlier variants, the new Netsky strains open “back doors” on machines they infect, leading virus experts to believe that they may be the work of a different virus author. The latest Netsky variants open a back door on TCP Port 6789 that could be used to receive instructions or malicious code from the worm author. The worm also exploits another known vulnerability affecting Internet Explorer involving an incorrect MIME Header (MS01-020), which allows the automatic execution of e-mail attachments while an e-mail is read or previewed. Unknown to many users, Microsoft Outlook settings are shared with Windows Explorer, and these settings must be modified to prevent the execution of attachments in the preview pane. See “Protecting Microsoft Outlook against Viruses” at www.slipstick.com/outlook/antivirus.htm#protect.

Netsky-AC was the 30th version of the mass-mailing e-mail worm to be released since Netsky-A appeared in February. Like earlier versions of Netsky, the AC variant uses e-mail messages and infected file attachments to spread from computer to computer. Computer security experts say that analysis of the Sasser and Netsky code reveals many similarities between the two worms. However, the fact that Sasser contains code from Netsky doesn’t mean the same person or persons created both viruses. An author’s message buried in the Netsky-K worm promised to be “the last version,” after which the author would publish the worm’s code on the Internet. Many more variants followed that release, and the code is believed to be widely available within virus-writing circles, so Sasser could be the work of anybody with access to that code. The exploit code for the LSASS vulnerability was also circulated widely on the Internet in the days before Sasser’s release. Changes to the code in the Sasser.C and Sasser.D variants of the worm seem designed to increase the number of infections, but those changes work only on Windows XP systems and cause Sasser to crash on computers running Windows 2000.

The spread of Internet worms like Sasser can be stopped more quickly than e-mail worms, since the latter continue to thrive as long as they find new ways to trick e-mail users. Despite the release of new variants, the rate of new Sasser infections began falling and the number of infected machines appeared to be dropping as users applied patches to vulnerable Windows systems or blocked the ports that Sasser uses to spread. Sasser’s spread was also slowed because it relied on Port 445, which has long been a target of malicious threats, such as Agobot, a prolific Trojan program. As a result, users may have blocked access to Port 445 long before Sasser appeared. But new Sasser versions may be on the way that could use different communications ports to spread.

Like other viruses, including Blaster, Sasser will linger on the Internet for a long time. Many people won’t realize they’re infected with Sasser for months, and those infected machines will continue to try to infect others. Such unprotected PCs are increasingly being used to spread other worms and junk e-mail, usually without the PC owner's knowledge. A recent Symantec survey found that a system, on average, receives a Blaster-generated packet of data within one second of connecting to the Internet.
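The port numbers the article cites (TCP 445, which Sasser spreads over, and TCP 6789, the Netsky back door) can be checked from a machine's own "netstat -an" output. The following is an added example, not from the article: it parses that output and flags a network-reachable 6789 listener, an exposed 445 listener, and a burst of half-open outbound connections to port 445, which is what an infected host trying to reach other victims looks like. The sample output, the SCAN_THRESHOLD value and the function names are constructed assumptions.

```python
import re

NETSKY_BACKDOOR_PORT = 6789   # TCP back door named in the article
SASSER_SPREAD_PORT = 445      # port Sasser spreads over, per the article
SCAN_THRESHOLD = 5            # assumption: this many distinct half-open 445 targets looks like scanning

# Matches Windows "netstat -an" rows; UDP rows have no state column.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")
# Constructed sample output for an infected, unpatched workstation (not a real capture).
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    0.0.0.0:6789           0.0.0.0:0              LISTENING
TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
TCP    192.168.1.10:1042      10.0.0.5:445           SYN_SENT
TCP    192.168.1.10:1043      10.0.0.6:445           SYN_SENT
TCP    192.168.1.10:1044      10.0.0.7:445           SYN_SENT
TCP    192.168.1.10:1045      10.0.0.8:445           SYN_SENT
TCP    192.168.1.10:1046      10.0.0.9:445           SYN_SENT
UDP    0.0.0.0:445            *:*
"""

def parse_netstat(text):
    """Return (proto, local_ip, local_port, remote, state) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, lip, lport, remote, state = m.groups()
            rows.append((proto, lip, int(lport), remote, state or ""))
    return rows

def assess(rows):
    """Evaluate the indicators the article describes against parsed rows."""
    # Listeners bound to loopback are not reachable from the network, so ignore them.
    exposed = {(p, port) for p, ip, port, _, st in rows
               if st == "LISTENING" and not ip.startswith("127.")}
    # Half-open connections to remote port 445 are the footprint of a host hunting for victims.
    targets = {remote for p, _, _, remote, st in rows
               if p == "TCP" and st == "SYN_SENT" and remote.endswith(":%d" % SASSER_SPREAD_PORT)}
    return {
        "netsky_backdoor_listener": ("TCP", NETSKY_BACKDOOR_PORT) in exposed,
        "port_445_exposed": ("TCP", SASSER_SPREAD_PORT) in exposed,
        "outbound_445_half_open": len(targets),
        "possible_scanning_host": len(targets) >= SCAN_THRESHOLD,
    }

def check_sample():
    return assess(parse_netstat(SAMPLE_NETSTAT))

if __name__ == "__main__":
    for name, value in check_sample().items():
        print("%-26s %s" % (name, value))
```

On a real machine, feed the output of "netstat -an" to parse_netstat instead of the constructed sample; a 6789 listener or an exposed 445 listener on an unpatched Windows 2000/XP host is a reason to patch and block before reconnecting.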

Many Home Computers at Risk

Experts believe that many of the infected machines are probably home computers connected to the Internet with broadband connections that are already infected with other viruses, including a malicious program called Phatbot that has also been modified to take advantage of the same LSASS vulnerability. Based on data generated from its Windows Update, Microsoft revealed that the various flavors of the Blaster worm had infected at least 8 million PCs since it first appeared in August. A major problem contributing to the ongoing spread of Blaster and similar worms is that new PCs are still shipped with the flaws that allow them to spread. A buyer who picks up an older bargain PC gets an unpatched Windows operating system and must then go online, over broadband or dial-up, to get the security updates; that is when worms attack and infect the vulnerable machine before it can be patched. Or worse – the buyer may not realize that the updates are even needed.

Bagle (or Beagle) is another worm family that has been plaguing e-mail users. New versions of Bagle as well as Mydoom (with keylogging capabilities) and Netsky have been surfacing frequently since January, prompting a frenzy of activity among antivirus researchers to identify and develop antidotes for each new variant. Experts are at a loss to explain the recent proliferation of worms, though they believe an apparent “war” between the authors of the Bagle and Netsky worms is the motivation for the release of many of the variants.

A flurry of e-mail viruses and Trojans continues to appear daily, and many of them exploit backdoors installed by previous worms like MyDoom. A few are destructive and seek out files to delete. News that the virus writer may have been arrested or that the worldwide infection rate has declined doesn’t render the silent unpatched or infected PCs safe. Only constant vigilance to apply patches, update virus software and manage firewall settings can help. Free removal tools are offered by many companies, including the following:

Network Associates (Mcafee) “Stinger” Tool -- vil.nai.com/vil/stinger. This standalone tool includes removal for many of the most widespread viruses. It is an excellent utility, and McAfee adds new viruses to it as needed, so you should return to the web site to get updated versions of Stinger.

Symantec (Norton) Removal Tools -- securityresponse.symantec.com/avcenter/tools.list.html. These single purpose tools were developed to automatically conduct what would otherwise be extensive and tedious manual removal tasks. If your system has become infected, these tools can aid you in repairing the damage of specific worms or viruses. Their web site lists removal tools chronologically and alphabetically by name, and includes tutorials for manual removal of many other viruses.

F-Secure Removal Tools -- www.f-secure.com/download-purchase/tools.shtml. F-Secure offers a free DOS version of its scanner and many standalone removal tools.

Bitdefender Removal Tools -- www.bitdefender.com/html/free_tools.php.

Trend Micro's Damage Cleanup Engine -- www.trendmicro.com/download/dcs.asp. This is another good tool for cleaning systems, but requires that you download and unzip their current virus patterns to the directory where you save the system cleaner BEFORE running the system cleaner installation.

Remember that the stand-alone utilities offered to detect and remove specific viruses are not a substitute for full anti-virus protection. Free full antivirus programs available include these:

AVG -- www.grisoft.com/us/us_dwnl_free.php -- AVG 6.0 Free Edition can be used without any limitations for the life of the product. There are automatic or manual updates for the virus signatures.

Avast Home Edition -- www.avast.com/i_idt_1016.html -- Avast! 4 Home Edition, a free antivirus program for home, noncommercial use, scans for viruses, worms and Trojans on disk, CDs, in E-mail, IM and P2P. Incremental updates of the virus database (twice a week) are small, fast and reliable.

AntiVir Personal Edition -- www.free-av.com/ -- This program offers protection against computer viruses for individual and private use on a single PC-workstation, and includes an Internet-update wizard.

Check the HAL-PC home page regularly for the latest information concerning vulnerabilities and updates affecting Windows as well as other Microsoft components (Office, Outlook, Internet Explorer). Visit www.hal-pc.org/support/ for help documents or new bulletins.