Sanctum Sanctorum Mark III

With the recent surge in mass email "worms" that spoof sender addresses, I (and many others, of course) have been seeing a ton of messages like:

 Your email could not be delivered because it contained the virus 
   [mass-email virus or worm here] and has been blocked by the [brandname here] 
   oh-so-31337 antivirus gateway about which you can get more information at 
   [slimeball website here]. 

Ok, look: When I test security-related systems, one area I examine is automated response mechanisms. Auto blocking, responsive probes, fingering, whois lookups, email responses, even logging: things an attacker can use with light-weight effort to create larger effects. The accelerant effect, which used to be the key to major DDoS efforts (now it's more doable with botnets), is still key to making someone's life hell. Calling 10 pizza joints and ordering 5 pizzas from each to the victim's house. Sending 1000 small packets to a sucker subnet and getting 200,000 much larger responses sent to the victim. Beating the crap out of victim's DNS server because one 64byte UDP packet spoofed to look like it came from victim and sent to sucker's network generates several DNS requests from sucker to victim for each one little packet you have to send to the sucker...

The idea is simple: attacker does X effort and gets X times Y effect on victim. SO, given a nice long antivirus response, and simple, scripted SMTP attacks that inject, over and over, spoofed letters reporting to be from [victim], with simple, small antivirus triggers (like the EICAR test signature-trigger, even)... one can merrily have a disproportionate impact.

Not to mention that it makes these fricking worm outbreaks that much more of a pain in the ass.

Antivirus vendors, take heed:
Only internal users should be notified when their own, outbound mail is blocked for having a virus. Oh, and the local admins can get the info from the console if someone wonders whether a letter went missing. There are millions of emails PER HOUR being spoofed by worms now; no need to make things worse by sending along your "blocked!" message to some poor person who is already a victim because their address has been used by some slimy mass mailing worm.

Or does your marketing department consider these messages to be good advertising? Hint: If so, it's spam.

"The rabbi also said that if the police do not use pig fat in buses, tens of thousands of ultra-Orthodox Jews will arm themselves with spray guns filled with liquid lard, which they will spray on terrorists whenever the need arises."

Oh. Kay.

http://www.maarivintl.com/dev/index.cfm?fuseaction=article&xCache=%7Bts%20%272004%2D02%2D14%2005%3A59%3A22%27%7D&articleID=2833

NO, really.

I had not thought things were desperate enough that the ridiculous had become reasonable.
Either:
1) Maariv got owned/bamboozled/scammed, or
2) A fringe piece has been reported as mainstream, or
3) Papal[1] -- er, Rabbinical -- dispensation goes a loooong way.

Dang. It reminds me of the "Israeli army coats rubber bullets with pork" disinformaton campaign from a few years ago. But... it's reported in mainstream Israeli press. Desperation or farce?

[1] Papal, not Paypal, you geek, you.

A number of co-workers and clients have been struggling this year to come up with a way to wish people "Season's Greetings" or the like, and also to celebrate with appropriate symbols to everyone. I'm more of a "give everyone the ability and space to make their own proper statements" type, myself. However, in light of this apparent need for a truly multicultural celebratory event, I've come up with:

( Multicultural December Solstice-ish seasonal event celebration instructions. )

It's sure to please or offend all in equal portions.
[edited 13:18]

In true Al Franken style, I'm thinking of writing a book called, "Crappy, Insecure Network Security Products, and the Asswipes that Sell them to Clueless Suckers Working Jobs for which they are Unqualified, an unbiased look at the information security marketplace."

Based entirely on personal experience, I'm sure it would sell well.

Well? Where is it? I make a joke about the hole being so blatantly unpatched still despite all the noise, that someone ought to write a worm to patch it, and within 48 hours this happens.

Add to it that, when MS0-026 came out, it was obviously a problem calling for a worm. Loudly. When I wrote up the advisory for a client's internal service delivery (ops) staff, we said the patch timeline should be: ASAP for critical infra and border hosts, Aug 1 for all servers and as many laptops as you can get, and Aug 8 to wrap up desktops and everything else. On Aug 11, the worm showed up.

Now I wonder when the prediction about an MS03-030/MS03-026 combo hole worm will come out. If it does, it will be veri nasti.

Shameful to say, I had to pull up a timezone map to figure out that... at 7AM Central time US, tomorrow, NZ will see the MSBlaster worm kicking off its flood at the windowsupdate.com website.

Upshot: companies with "just a few" infected hosts will see those hosts pound TCP SYN traffic at port 80 on windowsupdate.com as fast as they can. A single host can flood out a 100M ethernet segment, and ergo, just about any company's ourbound Internet capacity.

If you hadn't found all the infected hosts in your enterprise... you'll sure find them now.

Clever trick #1 that a number of people have discussed: The worm uses DNS to look up windowsupdate.com (which is, after all, dynamically load-balanced geographically with variable IP)... so no escape for MS -- Mr. Worm will find them yet! The clever trick is that companies with their own *internal* DNS can set up *.windowsupdate.com to resolve to 127.0.0.1. Infected hosts will just beat on themselves, causing no disruption.

The wave of worms activating their DoS mode will be highly reminiscent of the Y2K watch on new year's eve. Let's hope it's as uneventful.

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cirebot.html

Yeah, that turned out to be... nothing but an older lolol pseudo-worm with a new sploit and scanner loosely cooked into the package using a VB program. Waste of time in many senses.

But, it's a step in the [your adjective here] direction.

Tick... tick... tick...

Well, finally someone had to say it. It's like a bad fantasy story about a prophecy soon to come true. In discussing whether it would be feasible to make a worm... H. D. Moore essentially flat out said how a really nasty worm would work with some choice quotes thrown in for fun. Ok, yes, yes, it's a full disclosure list, and we all already knew that a multivector worm is more likely to get behind a corporate firewall (see, for example, Nimda)... but somehow putting it in print seems a weirdly necessary step on the road to wormage. "Necessary," as in, "someone had to do it." I almost think he must have felt compelled to just . . . SAY IT.

Someone also tossed in some nice offset info for the masses. Yes, fun, fun for everyone.

It's a dance with an obvious end; all are caught up in it and to everyone's horror, it's going straight to the most extreme conclusion, with a packed audience of the horrified and enthralled looking on.

Meanwhile, it turns out the "other" major Microsoft patch (for MS03-030) cannot be applied automatically via a commercial patch update system or via SMS. Oh, GEE... THANKS, MS! I'm sure your large customers are just HAPPY to have to hand-patch 4500+ desktops. Yoooobetcha!

Ok, ok... MS DID cave in and make a "special version" for at least one client. Er, ok... so, um, what (anticompetitive?) purpose did the non-automatable one serve?

Note to self:

When attempting to run fiber down 2 stories in an exterior wall containing vents, fans, electrical conduit, electrical hookup, plugs, switches, and window framing... don't.