
Computer Security -- Year in Review 2001




Because many traders are online for hours each day,
computer security is of great interest. This 
year-in-review may help put matters in perspective. 

- Mark Jurik

================================================

EDITORIAL

SECURITY YEAR IN REVIEW: 2001

by Rik Farrow
http://www.watchguard.com/products/advisorycouncil.asp

Copyright 2001 WatchGuard Technologies, Incorporated.

=================================================

If I were writing about wine vintages, I would have to say that 2001
was an exceptional year. Instead, I am summarizing what was an
incredibly bad year for software companies and their customers. More
systems were infected this year with more aggressive worms and viruses
than ever before.

And it's not over yet. When I was writing this article, two companies
that had claimed their products were secure against a specific form of
attack, the buffer overflow, announced patches against buffer
overflow attacks: Microsoft and Oracle. The big lesson of this year is
to install vendor patches as soon as you possibly can. However, let's
start at the beginning.

January started slowly, with a buffer overflow vulnerability in
Microsoft's PowerPoint application. If you opened a malicious
PowerPoint presentation that you downloaded, or was emailed to you, an
attacker could take over your system. In May, another buffer overflow
vulnerability was discovered in Microsoft's Windows Media Player that
could result in your system being exploited with music and video
accompaniment. Also, a new way of executing macros within Microsoft
Office (when reading Rich Text Formatted documents) was published the
same month.

On the UNIX front, CERT (the Computer Emergency Response Team)
announced multiple BIND (the UNIX/Linux DNS server software)
vulnerabilities. BIND vulnerabilities are nothing new for anyone who
has been paying attention to security for the past several years. What
was particularly unpleasant about these BIND vulnerabilities was that
BIND is open source. One of the advantages of open source software is
that many people take the time to review the code and look for
problems just like this--but they missed this one.

In December, by contrast, open source software appeared more secure
when CERT announced vulnerabilities in the UNIX login program used by
network services. Only the versions of login included in commercial
versions of UNIX, such as Solaris, HP/UX, and AIX, were vulnerable.
The open source versions of login used by Linux and BSD versions of
UNIX did not have the same problem.


VIRUSES

2001 was also a record year for viruses. SirCam, which started slowly,
turned out to be the number one virus found in 2001. The secret of
SirCam's success was that it was not particularly virulent or active--
its slow growth approach made it less noticeable than many of the
other viruses in 2001. SirCam's nastiest feature is that it included
random files from an infected system whenever it emailed a new copy of
itself.

BadTrans, which showed up November 24, utilized a bug in Internet
Explorer that had been patched months before by Microsoft. BadTrans's
biggest feature was its ability to launch its payload as soon as an
email message was opened. Most viruses require some user interaction,
such as double-clicking on an attachment (remember AnnaKournikova?).
BadTrans also installed a keystroke logger, the same type of tool that
permitted an attacker to enter Microsoft's internal networks the
summer of 2000.


WORMS

The real 'highlight' of 2001 was the worms. Worms are programs that
spread themselves to other computers and execute without any user
intervention (such as reading an email and clicking on an attachment).

The Lion worm, which preferred Linux systems, showed up early in the
year and used older vulnerabilities that should have been patched. The
timing of the Lion worm suggested that it was politically inspired. A
Chinese jet crashed after colliding with a US spy plane right before
the worm was released. The Lion worm contacted a Web site in China and
sent UNIX configuration files to that site, which seemed to confirm
the worm's Chinese origin.

But the next worm dwarfed any previous attack. Code Red's victims of
choice were IIS servers. Microsoft actually released a patch for the
exploit used by Code Red an entire month before Code Red appeared--but
as it turned out, hundreds of thousands of sites had not applied the
patch. Code Red used a vulnerability in the Indexing Server (auxiliary
code for the IIS Web server) to patch a running version of IIS and
turn it into a worm. Code Red dedicated 99 threads (like running 99
programs at once) to scanning and infecting more IIS servers. In
installations of IIS using US English, one thread was reserved for a
Denial of Service attack against the IP address of whitehouse.gov.
Analysis of Code Red, before the DoS attack began, allowed the
administrators of whitehouse.gov to change the server's IP address and
avoid this attack.

Two other versions of Code Red appeared. The second version, a minor
variant of the first, added an improved system for choosing IP
addresses to scan. The next version, often called Code Red version 2,
added the installation of a rootkit. This program was named root.exe
and would be installed on the victimized IIS server. The rootkit would
permit remote execution of code that could be used by another worm.

Nimda showed up in September, with more than five variants. All Nimda
variants used old, should-have-been-patched holes in IIS and Outlook
to infect systems. Nimda also used open file shares to propagate. If a
Nimda worm discovered the rootkit left by Code Red version 2, it would
utilize it as well. Nimda was particularly successful in terrorizing
internal networks because it used email to gain entry to the internal
network; this allowed it to attack Web servers that were protected
from external attacks by firewalls.


LESSONS LEARNED

During an interview prior to the release of XP, Jim Allchin, group
vice president of Microsoft's Platforms Group, had described XP as
"dramatically more secure", as well as stating that XP had been
"automatically reviewed [for] places where there could be buffer
overflow, and those have been removed in Windows XP". On December 20,
Microsoft released a patch for Windows XP (also Windows Me and 98)
that involves a buffer overflow in the Universal Plug and Play
service. This bug permits exploitation of the victim system, even if
protected with the free firewall included with XP.

XP systems protected by properly configured Fireboxes or SOHOs,
however, were not exposed. Many of the attacks seen this year could
have been blocked or weakened through correct firewall configuration. In
particular, preventing outgoing access from Web servers to other Web
servers stopped the spread of worms like Nimda and Code Red. Also, the
Firebox's SMTP proxy can remove attachments used by worms like
BadTrans--if you take the time to configure the Firebox properly.
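The egress rule described above (a Web server may be reached from anywhere, but may not itself open connections to other Web servers) can be checked against a few sample connection attempts. The following is an added example and not code from the editorial or from WatchGuard; it is a toy first-match packet-filter evaluator with two constructed policies, and every address, host name and flow in it is made up (documentation address ranges are used for the DMZ and the Internet).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List


@dataclass(frozen=True)
class Flow:
    """One connection attempt, as the firewall sees its first packet."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source network, CIDR notation
    dst: str                 # destination network, CIDR notation
    dports: FrozenSet[int]   # empty set means any destination port
    proto: str = "any"

    def matches(self, flow: Flow) -> bool:
        if self.proto != "any" and self.proto != flow.proto:
            return False
        if self.dports and flow.dport not in self.dports:
            return False
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst))


def evaluate(policy: List[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "deny"


# Constructed network layout (hypothetical addresses).
ANY = "0.0.0.0/0"
DMZ = "192.0.2.0/24"          # DMZ holding the public Web server
WEB_SERVER = "192.0.2.10/32"
DNS_SERVER = "192.0.2.53/32"
INTERNAL = "10.0.0.0/8"       # internal LAN, reachable only through the firewall

# Weak policy: the Web server is reachable on port 80, and anything in the
# DMZ may open a connection anywhere. An infected server can therefore scan
# and infect other Web servers, both outside and on the internal LAN.
WEAK_POLICY = [
    Rule("allow", ANY, WEB_SERVER, frozenset({80}), "tcp"),
    Rule("allow", DMZ, ANY, frozenset()),
]

# Corrected policy: inbound service unchanged, outbound limited to the DNS
# lookups the server legitimately needs; Web-to-Web connections originating
# in the DMZ are explicitly denied, and everything else hits default deny.
HARDENED_POLICY = [
    Rule("allow", ANY, WEB_SERVER, frozenset({80}), "tcp"),
    Rule("allow", DMZ, DNS_SERVER, frozenset({53}), "udp"),
    Rule("deny", DMZ, ANY, frozenset({80, 443}), "tcp"),
]

# Constructed flows: a legitimate visitor, a DNS lookup, and the two kinds of
# outbound connection an IIS worm on the compromised server would attempt.
FLOWS = {
    "visitor": Flow("203.0.113.5", "192.0.2.10", 80),
    "dns": Flow("192.0.2.10", "192.0.2.53", 53, "udp"),
    "scan_external": Flow("192.0.2.10", "198.51.100.7", 80),
    "scan_internal": Flow("192.0.2.10", "10.1.2.3", 80),
}


def verdicts(policy: List[Rule]) -> dict:
    """Verdict for every sample flow under the given policy."""
    return {name: evaluate(policy, flow) for name, flow in FLOWS.items()}


def blocked_scans(policy: List[Rule]) -> int:
    """How many of the worm's propagation attempts the policy stops."""
    return sum(1 for name, flow in FLOWS.items()
               if name.startswith("scan_") and evaluate(policy, flow) == "deny")


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, verdicts(policy), "blocked scans:", blocked_scans(policy))
```

Under the weak policy all four flows are allowed, so the server keeps serving visitors but also spreads the worm; under the corrected policy the visitor and the DNS lookup still pass while both scan attempts are dropped. The evaluator only looks at the first packet of each connection and assumes the firewall tracks state for the return traffic of allowed connections, which is the one simplification to keep in mind when translating the idea to a real ruleset.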

The single biggest lesson of 2001 was to patch systems. Notice that in
every attack mentioned above, a patch existed before the attack began. If
system administrators and users had installed these patches, attacks
like Code Red, Nimda and BadTrans would have failed completely. SirCam
would have been just another virus signature, had enough people been
using virus-scanning software that had been recently updated.

Someday, we may actually be able to run operating systems that will be
secure enough to protect us from buggy software. Obviously, that day
has yet to arrive, so it is up to us to stay current with patches and
to use security tools, like firewalls and virus scanners, to defend
ourselves. ##

------------------------------------------------------
Copyright 2001 WatchGuard Technologies, Incorporated. All
Rights Reserved. WatchGuard, LiveSecurity, Firebox and
ServerLock are trademarks or registered trademarks of
WatchGuard Technologies, Inc. in the United States and
other countries.

======================================================