In-Depth

In Brief

Sober.V Spreads, Apple Fixes 20 OS X Vulnerabilities, Mytob Tops Virus List

• By Mathew Schwartz
• 05/11/2005

Sober.V Spreads

Have you been seeing an increase in e-mails with subject lines purporting that your e-mail has been blocked?

Blame Sober.V, a fast-spreading worm written in either English or German (the giveaway: look for subject lines reading “WM Ticket Verlosung.”) The e-mail purports to offer free tickets to the World Cup Finals in Germany in 2006.

According to antivirus vendor Panda Software, Sober.V is now “the most-frequently detected malicious code in the world.” As is typical, various virus companies have named the malware slightly differently. For example, Kaspersky Labs calls it Sober.p. Either way, it’s a variant of the Sober worm.

The worm goes “native”—forwarding an e-mail in either English and German—depending upon the recipient’s e-mail address. The e-mail contents are randomly selected from a preset series of options. The worm spreads as a zip file attached to those e-mails. “The worm is activated when the user launches the attachment,” notes Kaspersky. “It will cause a fake error message to be displayed (‘CRC not complete’) and then copy itself to the system directory, naming the copies as if they are system services. It also creates copies of itself in other files, and registers these files in the system registry.” Next, the worm fishes for addresses in a variety of file types, including PowerPoint presentations, then e-mails itself to those addresses.

So far, the United States, Germany, and Australia have borne the brunt of this Sober variant’s attack. Of course, it all comes down to users opening the attachment. “Sober.V demonstrates once again how social engineering techniques can be used as an effective means for rapidly propagating malicious code,” notes Luis Corrons, director of PandaLabs at Panda Software. “Without any great technical innovation, simply by choosing the right subject at the right time, this technique has helped cause an epidemic of considerable proportions.”

Apple Fixes 20 OS X Vulnerabilities

Apple patched 20 vulnerabilities, some rated “highly critical” by vulnerability information provider Secunia. Most vulnerabilities affect OS X version 10.3.9 and OS X Server version 10.3.9. The vulnerabilities could allow a remote attacker to bypass security, spoof identity, and access a user’s system.

Apple patched various facets of the operating systems, including Apache, AppKit, AppleScript, Bluetooth, Directory Services, Finder, Help Viewer, LDAP, Server Admin, Terminal, and VPN.

In Apache, the htdigest program was vulnerable to a buffer overflow. Apple says if the program was used in a CGI application “to manage user access control to a Web server,” then an attacker could use it to compromise a system remotely.

AppKit was patched against a TIFF file problem: malformed TIFF files could be used to overwrite the heap and create an integer overflow, which could execute arbitrary code. The fix now tests for the file size a particular image would need, then verifies it’s within parameters.

Before the patch, AppleScripts distributed via a hyperlink may not have displayed their code correctly when viewed before being compiled and run. The fix blocks characters from the hyperlink that could be used to trick a user.

Bluetooth functionality was the focus of two fixes. The first eliminates a problem whereby others could get access, via Bluetooth, to more than just a user’s designated directory for sharing files via that technology. The second fix deactivates the out-of-the-box setting for sharing files via Bluetooth. On all previous versions of OS X, all Bluetooth functionality is active and enabled out of the box, which is a security risk. By contrast, “new users of a system must now enable Bluetooth file exchange before it is allowed.”

The Help Viewer got a JavaScript-related fix. Previously, the Help Viewer could be used to load a JavaScript file for a remote site without normal security restrictions. The fix only allows the Help Viewer to load “registered pages.”

The LDAP fix eliminates a problem whereby passwords might be stored in plaintext on a non-Macintosh OS X server. The problem was related to LDAP servers with a disabled or unsupported "ldap_extended_operation" when new accounts were created using Workgroup Manager. Note that "this issue does not occur when using the Apple supplied Open Directory server," reports Apple. Even so, "for servers not supporting 'ldap_extended_operation,' this update now stores new passwords in the hashed form."

Server Admin on OS X Server gets a permission fix. For example, if the HTTP proxy service is enabled—it’s off by default—but external access controls aren’t set, then users not on the server’s network can access the server. “This update adds a user interface component to Server Admin which allows the HTTP proxy to be restricted to local networks,” says Apple.

Finally, Apple fixed some VPN functionality. A system—either desktop or server—configured as a VPN server was susceptible to a buffer overflow, which a local user could exploit to gain root privileges. Even so, the vulnerability is not remotely exploitable.

Mytob Advances to Top of Virus List

Kaspersky Labs released its April 2005 list of the top 20 viruses, worms, and other malware. One worm in particular, Mytob.c, led the list with about one-third of all infections. Netskey variants accounted for almost another third of all reported infections, followed by the e-mail worms LovGate.w, Win32.Zafi.b, and Zafi.d.

“Our top 20 shows the event we’ve long been expecting has finally come to pass: the leading position is now occupied by Mytob,” says Kaspersky. The worm “is based on the Mydoom.a source code, and spreads via e-mail, but also incorporates the ability to replicate via the LSASS vulnerability.” That replication ability may make it difficult to stop fast-spreading infections of the worm.

To counter it, Kaspersky recommends security managers patch any still-existing LSASS vulnerabilities, and also scan all major mail nodes to delete the worm in transit.

Even so, expect it to stick around. “There’s no question that this family of worms will continue to appear over and over again in our statistics,” says Kaspersky. “Mytob’s authors remain active, and at the end of April were releasing a new modification of Mytob every two days. The new versions don’t differ significantly from each other; however, usually a different packing program is used in an attempt to prevent detection by the majority of antivirus scanners.”

While Mytob went from unknown to the top of the list in only a month, other malware has been noticeably less effective. For example, some variants of Sober and Bagle failed to take off, thanks to “errors in the program code,” says Kaspersky, as well as antivirus companies’ efforts.

Notably, the incidence of spyware and Trojan software on the top-20 list fell slightly, which Kaspersky attributes to a shift in tactics. “It seems that the authors of such programs are now concentrating not on volume, but on specific targets: either attacking clients of a particular bank, or sending their creations to addresses in one domain only.”