
May 13, 2001

Hit Me Baby One More Time, Part II: One user's bad experience

In April 1999, I fell victim to the (dreaded) WinCIH virus. However, I was up and running a day later because frequent backups had ensured that only my programs were affected. In June 2000, a company-wide CIH attack caused the dotcom project I was then working on to be delayed by 60 days! In both cases, there was no information security (infosec) policy. I have since developed my own, which consists of 5 Rules:

  1. Choose an antivirus that includes a POP mail scanner
  2. Buy and install the product
  3. Keep it updated; possibly in real-time (auto update)
  4. Ensure that every developer-recommended update/security patch is downloaded and installed
  5. Install any third-party tools that provide additional security (like MicroEye ZipOut)
  6. Periodically use a Web-based scanner like Housecall for a double-check
  7. Disable Windows Scripting Host
  8. Don't preview email or open any attachments; use an online drive to exchange files
  9. Stay aware ALWAYS
  10. Stay abreast with viral and infosec happenings (the Web is a data goldmine)
Which is why, when my company suffered a Homepage.vbs virus attack last week, I was safe. Homepage.vbs is an annoying worm that actually tries to drive traffic to 4 porn sites. And so far it doesn't do any other damage, other than cause you near-terminal embarrassment! Getting back to our sad tale, do you know that of the 140-odd user folders on the company email server, mine was the only one free of any viruses! My company uses a script to shut down the mail server every night, back up its data and restart the server. But nobody thought of adding Trend Micro's ScanMail for Exchange service to the restart routine. So after successfully blocking all mail attachments for one day, that same night the server went back to its usual promiscuous state. And an infected email crept through. Luckily, a casual scan caught the worm. That day a thorough scan using ScanMail found 225 emails infected by Homepage.vbs. Plus another 1,000 messages infected with other viruses! And we suffered because of complacency. Don't laugh, because it could happen to you or your company real soon too.

More dangerous is the Sadmind/IIS worm. This one is real cute. It uses Sun's Solaris OS to infect Internet Information Server. The worm uses a known vulnerability in both OSes to turn a Solaris server into a robot that silently sniffs out IIS sites and defaces their home pages. The only way to find out how it got in, or which sites it hit, is to check the log files. By exploiting a buffer-overflow bug in a Solstice component, Sadmind/IIS gains root-level control of the Solaris server. Infected machines run a script which takes advantage of the well-known IIS Unicode vulnerability. The worm begins by probing Port 80 on a random Class B set of IP addresses. It looks for the signature of other Solaris or IIS web servers. And when it finds another vulnerable Solaris machine, it uploads ROOT.EXE, its attack tool, to infect the target server.
The worm defaces the home page, usually the INDEX.HTML file, with this text: "fuck USA Government. fuck PoizonBOx. contact:sysadmcn@yahoo.com.cn." After defacing the IIS system, the worm also defaces its Solaris host's index page with the same message. The defaced page has a black background with the text in red. Luckily, the worm doesn't destroy any other data. Please read the CERT Advisory CA-2001-11 for details, including links to software patches for Solaris and IIS. And on that note I bid thee farewell for this week. Be good, and if you can't be good, be careful.
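Since the post says the log files are the only place to see whether this worm reached a server, here is an added example (my own code, not from the original post or from CERT) of the kind of check an admin could run over an IIS log. It assumes the W3C extended format with the fields date, time, c-ip, cs-method, cs-uri-stem and sc-status; the log lines are constructed for the example, and the decoder deliberately mimics the lenient "Unicode" decoding the unpatched IIS used, which is why the overlong escapes turn into path separators.

```python
import re
from collections import defaultdict

# Constructed sample log (W3C extended format: date time c-ip cs-method cs-uri-stem sc-status).
SAMPLE_LOG = """\
2001-05-08 02:14:07 192.0.2.10 GET /index.html 200
2001-05-08 02:14:09 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe 200
2001-05-08 02:14:11 192.0.2.10 GET /scripts/root.exe 200
2001-05-08 02:15:30 198.51.100.7 GET /products/list.asp 200
2001-05-08 02:16:02 203.0.113.5 GET /msadc/..%c1%1c../winnt/system32/cmd.exe 404
"""

PCT = re.compile(r"%([0-9a-fA-F]{2})")
TRAVERSAL = re.compile(r"\.\.[/\\]")          # '..' followed by a separator after decoding
DROPPED_TOOL = re.compile(r"/root\.exe$", re.I)  # the copied command shell the worm leaves behind


def lenient_decode(uri: str) -> str:
    """Decode %XX escapes the way the unpatched IIS did: a lead byte C0-DF swallows the
    next escaped byte as a continuation byte without validating it, so overlong forms
    such as %c0%af ('/') and %c1%1c ('\\') become separators AFTER the '..' check ran."""
    out, i = [], 0
    while i < len(uri):
        m = PCT.match(uri, i)
        if not m:
            out.append(uri[i])
            i += 1
            continue
        b, i = int(m.group(1), 16), m.end()
        m2 = PCT.match(uri, i)
        if 0xC0 <= b <= 0xDF and m2:
            b, i = ((b & 0x1F) << 6) | (int(m2.group(1), 16) & 0x3F), m2.end()
        out.append(chr(b))
    return "".join(out)


def scan_iis_log(text: str) -> dict:
    """Map client IP -> raw URIs whose decoded path climbs out of the web root or
    fetches root.exe. A 404 still counts: the probe happened even if it failed."""
    hits = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0].startswith("#"):
            continue
        ip, uri = parts[2], parts[4]
        decoded = lenient_decode(uri)
        if TRAVERSAL.search(decoded) or DROPPED_TOOL.search(decoded):
            hits[ip].append(uri)
    return dict(hits)
```

Any IP the scan reports is a candidate for blocking at the firewall, and a hit with status 200 means the server needs the CERT-listed patch applied and its index pages checked.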