Showing posts with label cyber crimes.

Sunday, 9 November 2008

Morris Worm - two decades later - little has changed

It was November 1988 and I was an undergrad at Colorado State University when the Morris Worm started hitting computers on campus. I remember the excitement in the Physics lounge as we started to discuss and reverse engineer the virus.

The worm infected BSD-based operating systems by exploiting buffer overruns using the gets function call in the utilities fingerd and sendmail. The worm collected host, network and user information and then, in turn, used this information to infect other servers over TCP or SMTP via the buffer overrun defects in sendmail and/or fingerd.

Detection of the virus started with strange files showing up in /usr/tmp directories and strange entries in /var/log/ files, but most notable was the vast number of processes running when one issued a top command.

Shortly after discovery, UC Berkeley created a patch for sendmail and made suggestions to limit the spread of the Morris Worm. Oddly enough, the Morris Worm exploited a debug option (e.g. -d) in sendmail, used by many system admins (and users) to test mail configurations.

So here we are twenty years later and I am still disappointed to find my colleagues using unbounded string copy functions like gets, strcpy, strcat, etc. I recently worked with a networking group to close a security exploit in one of their communications libraries that, you guessed it, did a blind copy of a buffer passed in from the user (doh!) and caused the daemons using the library to crash and dump the stack.

Therefore I have written on the whiteboard by my desk:
Use of the function strcpy is a clear indication to anyone reading your code that you are willing to walk forever to find nothing (e.g. a NULL).
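As an added illustration (not code from the original post), here is the blind-copy pattern the post describes beside a bounded replacement that never walks past the bytes the caller actually owns; the peer_msg struct, NAME_MAX and the input strings are constructed for this example:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size field in a hypothetical wire message */

struct peer_msg {
    char name[NAME_MAX];
    int  port;
};

/* BEFORE: the pattern the post complains about. strcpy() walks user_buf
 * until it finds a NUL; a longer (or unterminated) buffer writes past
 * msg->name and smashes whatever follows it. Kept only for contrast. */
void fill_peer_unsafe(struct peer_msg *msg, const char *user_buf)
{
    strcpy(msg->name, user_buf);
}

/* AFTER: never scan beyond the bytes the caller actually owns (memchr is
 * bounded by user_len), refuse input that leaves no room for the NUL,
 * and terminate explicitly. Returns true if the copy was accepted. */
bool fill_peer_safe(struct peer_msg *msg, const char *user_buf, size_t user_len)
{
    if (msg == NULL || user_buf == NULL)
        return false;
    const char *nul = memchr(user_buf, '\0', user_len);
    size_t n = nul ? (size_t)(nul - user_buf) : user_len;
    if (n >= NAME_MAX)
        return false;          /* would overrun, or no room for '\0' */
    memcpy(msg->name, user_buf, n);
    msg->name[n] = '\0';
    return true;
}

/* Demo helper: bytes stored after a safe copy, or -1 if the input was rejected. */
int copied_length(const char *user_buf, size_t user_len)
{
    struct peer_msg m;
    return fill_peer_safe(&m, user_buf, user_len) ? (int)strlen(m.name) : -1;
}

int main(void)
{
    /* Constructed inputs: fits / would overrun / unterminated (caller owns 4 bytes). */
    printf("fits: %d\n", copied_length("fileserver", 11));
    printf("too long: %d\n", copied_length("this-name-is-far-too-long", 26));
    printf("unterminated: %d\n", copied_length("abcdXXXX", 4));
    return 0;
}
```

The third input has no terminator inside the four bytes the caller owns, which is exactly the case where strcpy would keep walking; the bounded version stores "abcd" and stops.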
As a footnote: Whatever happened to that Morris guy who created the Morris Worm? Well, Robert T. Morris was represented by the law firm Bonnor and O'Connell, tried and convicted of violating the 1986 Computer Fraud and Abuse Act, and eventually sentenced to three years probation and fined 10,000 USD. Shed no tears: R. T. Morris is an associate professor at MIT (the exact same university where he created the worm).

Monday, 12 March 2007

The SEC strikes back on Pump-and-Dump

As I described in Where have you gone Aleksey Kamardin?, Pump-and-Dump trading fraud appears to be on the rise. Well, the long arm of the SEC has gotten just a bit longer in an attempt to halt this overseas attack on our trading systems.

The Securities and Exchange Commission announced March 7 it has won an emergency court order to freeze assets in a Latvian-based bank's trading account that was being used in a high-tech market manipulation scheme.

More on this can be found at Security Watch.

Tuesday, 20 February 2007

What are you willing to pay for online security?

According to Trend Micro there are black market à la carte menus available for hackers to buy/sell our personal information. Here's what some are willing to pay for our 'private parts':
  • Trojan program to steal online account info: $980-4900
  • Credit card number w/ PIN: $490
  • Billing data (SSN, address, birth date, etc.): $78-294
  • Driver's license: $147
  • Birth record: $147
  • SSN card: $98
  • Credit card number w/ security code and expiry date: $6-24
  • PayPal account uname and pwd: $6
What can we do and what are we willing to pay to fight this?

Here's a simple recommendation: if we aren't willing to use a crypto-card or random password generator when doing online banking or accessing retirement accounts, we're part of the problem, not the solution.

Anything I have to do that absolutely, positively has to be secure involves an RSA SecurID. This little gem of a device forces me to use a different, pseudo-random password every time I log on. It also makes it easier for me to remember my password, and not compromise security by writing some reminder down on a sticky note.

If we continue to ignore the price hackers are willing to pay for our private parts, we will continue to be a part of the problem, not a solution. Insist on the best of security when doing online banking. Ask your bank and retirement services to provide the best.

Saturday, 17 February 2007

Dynamic Code Obfuscation

Yet another way for malicious software to spawn, spread and infect.

According to Finjan, Dynamic Code Obfuscation (DCO) also known as Dynamic Code Mutation is "A method for hackers to place malicious software onto computers, keeping the code hidden from antivirus software. Infected computers contain software with a unique set of functions and parameter names. Since the code exists differently on each infected machine, antivirus vendors cannot issue a single virus signature to disrupt the malicious code."

What does this mean in practical terms? Let's pretend I wanted to write a virus (I don't, but play along). I would write something like the following (I'll use C to do this, but it appears that JavaScript/Java is the leading language for self-obfuscation):

void malicious_function_that_will_delete_files(void)
{
    // do something evil...
}

int main(void)
{
    malicious_function_that_will_delete_files();
    return 0;
}

Now if I wanted to defeat this 'virus' I would need an antivirus (AV) vendor like Symantec (Norton Antivirus), McAfee (VirusScan Plus) or AVG Anti-Virus to create a definition file, push it to my antivirus software database in the latest online update, and tell the AV software to scan files for the character string malicious_function_that_will_delete_files();.

Now, no self-respecting virus author (oxymoron?) would write a virus like this, because an AV product would be able to easily scan a file for the telltale signature of malicious_function_that_will_delete_files(); and quarantine the program.

What DCO brings to the table is the ability for the software to mutate, like a real virus, in an attempt to avoid detection. Imagine that the same 'virus' written above could mutate into:

void ed83ff2005016de843553f10e65ce617(void)
{
    // do something evil
}

int main(void)
{
    ed83ff2005016de843553f10e65ce617();
    return 0;
}

and ship this new version, through your infected computer, to another computer on your network.

The AV, with its now-outdated definition file, is defeated: it is looking for the character string malicious_function_that_will_delete_files(); and now also has to scan files for ed83ff2005016de843553f10e65ce617();.
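To make the point concrete, here is an added example (not code from the post or from Finjan) contrasting the fixed-string check with a toy structural signature that collapses identifiers before hashing, so the renamed variant still matches; the three sample sources are constructed, the first two being the post's own snippets:

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Constructed samples: the two variants from the post (different function
 * name and comment, identical structure) and a benign program for contrast. */
static const char SAMPLE_A[] =
    "void malicious_function_that_will_delete_files(void)\n{\n// do something evil...\n}\n"
    "int main(void)\n{\nmalicious_function_that_will_delete_files();\nreturn 0;\n}\n";
static const char SAMPLE_B[] =
    "void ed83ff2005016de843553f10e65ce617(void)\n{\n// do something evil\n}\n"
    "int main(void)\n{\ned83ff2005016de843553f10e65ce617();\nreturn 0;\n}\n";
static const char SAMPLE_C[] = "int main(void)\n{\nreturn 0;\n}\n";

/* The naive definition-file check the post describes: a fixed byte string. */
int string_signature_hits(const char *src)
{
    return strstr(src, "malicious_function_that_will_delete_files();") != NULL;
}

/* Structural signature: FNV-1a over the source with whitespace and //
 * comments dropped and every identifier (keywords too, which is coarser
 * than a real engine would be) collapsed to '$'. Renaming a function or
 * editing a comment no longer changes the value; changing the code shape does. */
uint32_t structural_signature(const char *src)
{
    uint32_t h = 2166136261u;            /* FNV offset basis */
    const char *p = src;
    while (*p) {
        if (isspace((unsigned char)*p)) { p++; continue; }
        if (p[0] == '/' && p[1] == '/') {
            while (*p && *p != '\n') p++;   /* skip line comment */
            continue;
        }
        unsigned char c = (unsigned char)*p;
        if (isalpha(c) || c == '_') {
            while (isalnum((unsigned char)*p) || *p == '_') p++;
            c = '$';                     /* identifier placeholder */
        } else {
            p++;
        }
        h = (h ^ c) * 16777619u;         /* FNV prime */
    }
    return h;
}
```

A real engine normalises tokens or instructions rather than raw characters and keeps far more detail than this toy, but the outcome it is after is the same: the renamed variant matches the original while the unrelated program does not.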

What is needed, and is available, is behavioural code analysis antivirus software. However, the cost of running this new type of behavioural analysis is speed. It takes CPU cycles and delays packets being sent out over the wire. Will most 'normal' users notice this? Perhaps not. Those of us who make a living writing high performance, low latency networked applications will feel the impact.

Do we need better antivirus software, better desktop operating systems or better hardware (routers, switches, etc)?

Monday, 12 February 2007

Hackers! What a waste!

I keep seeing errors in my FreeBSD/Apache webserver log (/var/log/httpd-errors) of the type: "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 401 517. According to NSFOCUS these are Microsoft FrontPage 2000 Server Extensions Buffer Overflow Vulnerability attacks on my webserver. Really? This exploit is nearly six years old. Guess old habits die hard? Thanks again Micro$oft for enabling so many hackers and criminals. Will Vista be any better?

Sunday, 11 February 2007

Where have you gone Aleksey Kamardin?

The Securities and Exchange Commission filed a complaint against Florida college student Aleksey Kamardin charging him with fraudulent trading activities, commonly referred to as pump-and-dump. The complaint states that Mr. Kamardin made about $83k. The St. Petersburg Times states Kamardin made about $15k in three hours trading St. Petersburg-based Cyber Defense Systems Inc. (CYDF). To pull this off, Kamardin, with help from others, hacked into online trading accounts and used these accounts to trade illegally. The money was transferred into and out of many accounts in the US, Russia and Latvia.

This is not the most recent SEC investigation into pump-and-dump trading. Most recently, in December 2006, the SEC filed a complaint against the Estonian Evgeny Gashichev for activities with his own company Grand Logistic.

Kamardin has since fled (the country?) and some believe he is hiding in Russia.

So what are the online brokerage firms doing to prevent this? How are they making their client accounts safer?