The Mudcat Cafe



Tech: A Different Sort Of Virus Thingy
Subject: Tech: A Different Sort Of Virus Thingy
From: JohnInKansas
Date: 25 Apr 05 - 03:13 AM

A rather old report, that I just got around to reading reports:

Core Security Technologies reports several bugs in LinkSys Routers. Emphasis in this report is on Wireless ones. The bugs are of buffer overflow type and could allow someone to remotely access and/or control computers connected via the router much the same way as through virus/worm attacks of the computers themselves. Corrections generally require firmware patches, available from LinkSys. This advisory lists a number of affected LinkSys routers. Because it's a fairly old report (April 2003) it's possible that LinkSys will have reports on other affected models, and/or later firmware updates.

The report refers to http://www.linksys.com/download/ for US and Canadian users. The International tab at this page will refer others to an appropriate page. You will need to enter the model number of your router to get information on applicable updates.

Also reported:

"Some Cisco DSL routers have flaws that cause them to crash when their built-in Web servers, which are used to configure the routers, are presented with an improper URL. Unfortunately, the infamous Code Red worm, which was typically thought to affect Microsoft systems only, transmitted exactly this sort of URL, causing many customers' DSL routers to lock up." No specific reference given for checking this out, but users who might be affected should be able to ask Cisco. The CERT report has been moved, but I believe CERT Cisco (http://www.us-cert.gov/cas/techalerts/TA05-026A.html) is the correct link for this particular report.

And:

The Computer Emergency Response Team (CERT) reports that in some cases an Alcatel network switch has a telnet back door that lets anyone take over the switch or the network to which it is connected: CERT Alcatel (http://www.cert.org/advisories/CA-2002-32.html ). The bug affects all models in the Alcatel OmniSwitch 7000 series of modular network switches. The bug is present because Alcatel developers left an operating-system-debugging interface turned on when the product was shipped. A firmware upgrade solves the problem and is available now from Alcatel customer support. The link given to Alcatel has been "redirected" to the Alcatel homepage, but those who might be affected should be able to find appropriate help at the "support" link from there.

The MAIN POINT to be made is that any device connected to your computer can be a target for malicious attack. This includes routers, firewalls, network switches, and any other component under firmware and/or software control. Although malware attacks most frequently are directed at the computer itself, it is essential that all parts of the system be checked for available patches on a regular basis. Particular attention of course should be paid when installing any new component(s).

John



Subject: RE: Tech: A Different Sort Of Virus Thingy
From: hesperis
Date: 25 Apr 05 - 02:16 PM

Thanks for the report. I know a couple of people who use linksys routers.



Subject: RE: Tech: A Different Sort Of Virus Thingy
From: JohnInKansas
Date: 25 Apr 05 - 06:34 PM

hesperis (and all) -

Anyone who uses any router really should check occasionally with the maker for updates. The reports cited are pretty old, and cited the devices listed because people apparently were not aware and weren't getting them patched.

All other similar devices should be considered vulnerable unless they've been checked out recently.

ANY device attached to your machine that has built-in programming (BIOS or firmware, etc.) or that requires you to load a "program" or to change parameters in internal memory for the device in order to use it can be a source of holes that vermin can exploit. This includes external firewalls, routers, hubs, links, and even the external "servers" sometimes used to connect printers and other accessories via a LAN.

This does include "server" routers and switches, for those affected.

Most who are not brain-dead probably know by now that AV checks for certain kinds of malicious stuff, but separate programs/methods are required for Adware and Spyware because of the different ways they work. For the most part, the article cited just points out that external devices in your system can be exploited similarly, and the AntiVirus and other anticrud programs generally don't check the external devices.

Most probably are aware of the "phishing" exploits, where an email just asks you to give them information, usually by pretending to be a trusted "somebody you know."

NEW TERM: (Recent reports)

A few exploits have popped up recently that are being called "pharming." They've been rare so far, but appear to be increasing in frequency. This "method" places malware on your machine to make it look like you're connecting to a normal place of business, but actually makes the web connection to a fake site. When you do your normal business, including login with your passwords, the fake site immediately uses the info you key in to go to the real site disguised as you and, for example, clean out your bank account.

For now, it's probably enough to be aware of the "pharming" term, so that when it becomes more common you'll know it may be reason for concern.

SECOND NEW TERM: (Really recent reports)

A few exploits in Windows have been seen of what's called "Rootkits." This is an exploit previously seen only in UNIX systems, and has been around for years. It's been found on a few Windows systems, and can be expected to grow. It plants a small program that intercepts "calls to services" and returns "modified" information to the system. An example is when Windows asks what files are on the hard drive, the "rootkit" returns everything except its own files and/or ones it's installed. This makes it extremely difficult to detect, and allows it to hide anything it wants to do from the system. NO EXISTING PROGRAMS in common use can detect it.

The only "simple" method of even telling if a Rootkit is present is to compare the complete list of files on the hard drive, made with the normal OS, to the list obtained using a different operating system. Note that the DOS/Command OS is part of the Windows OS, so looking in safe mode or booting from a DOS disk usually won't tell you it's there.

For known exploits of Rootkits, the malware has to be placed on the machine as a payload of a virus or worm, by exploiting another Adware/Spyware exploit, by "phishing" or by someone with physical access to the machine, so keeping the normal defenses up to date should be adequate - for now.

Expect to hear a lot more about both "pharming" and "rootkit" exploits, - - - probably soon.

John
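John's "simple method" above, comparing the file list the running Windows system reports against a list taken after booting a different operating system with the same disk mounted, as an added worked example that is not part of the original thread. The script normalizes both listings (drive-letter paths from `dir C:\ /s /b` on the live system, mount-point paths from `find /mnt/win -type f` on the offline boot) and reports any path present on disk that the live OS failed to show. The two listings, the `/mnt/win` mount point and the `hidden_example` file names are constructed sample data, not real artefacts; the `KNOWN_NOISE` set is an assumption about files that routinely differ between the two views.

```python
"""Cross-view file listing comparison: flag files that an offline view of the
disk shows but the live operating system's own listing omits.

Added example; not code from the original thread.  LIVE_LISTING and
OFFLINE_LISTING are constructed sample data and the 'hidden_example' file
names are placeholders, not real malware artefacts."""
from __future__ import annotations

# Files that legitimately differ between the two views (created or removed
# at boot) and should not be reported.  Assumed list; extend for your system.
KNOWN_NOISE = {"pagefile.sys", "hiberfil.sys"}

# Constructed: what `dir C:\ /s /b` reported from the running Windows system.
# pagefile.sys appears only here so the noise filter has something to drop.
LIVE_LISTING = r"""
C:\Windows\System32\ntoskrnl.exe
C:\Windows\System32\kernel32.dll
C:\Windows\System32\drivers\afd.sys
C:\Users\alice\Documents\notes.txt
C:\pagefile.sys
"""

# Constructed: what `find /mnt/win -type f` reported after booting a separate
# OS (e.g. a Linux live CD) with the same disk mounted read-only at /mnt/win.
OFFLINE_LISTING = r"""
/mnt/win/Windows/System32/ntoskrnl.exe
/mnt/win/Windows/System32/kernel32.dll
/mnt/win/Windows/System32/drivers/afd.sys
/mnt/win/Windows/System32/drivers/hidden_example.sys
/mnt/win/Windows/Temp/hidden_example_loader.exe
/mnt/win/Users/alice/Documents/notes.txt
"""


def normalize(path: str, root: str) -> str | None:
    """Return `path` relative to `root`, lower-cased (NTFS is case-insensitive)
    and with forward slashes, or None for blank lines and paths outside root."""
    p = path.strip().replace("\\", "/")
    r = root.replace("\\", "/").rstrip("/").lower()
    if not p or not p.lower().startswith(r + "/"):
        return None
    return p[len(r) + 1:].lower()


def parse_listing(text: str, root: str) -> set[str]:
    """Parse a one-path-per-line listing into a set of normalized paths."""
    paths = set()
    for line in text.splitlines():
        n = normalize(line, root)
        if n is not None:
            paths.add(n)
    return paths


def cross_view_diff(live: set[str], offline: set[str]) -> dict[str, list[str]]:
    """Compare the two views.  'hidden_from_live_os' is the rootkit signal:
    the file is on disk but the running OS did not list it.  'only_in_live_view'
    is the reverse and usually means the disk changed between snapshots."""
    def basename(p: str) -> str:
        return p.rsplit("/", 1)[-1]

    return {
        "hidden_from_live_os": sorted(
            p for p in offline - live if basename(p) not in KNOWN_NOISE),
        "only_in_live_view": sorted(
            p for p in live - offline if basename(p) not in KNOWN_NOISE),
    }


def run_example() -> dict[str, list[str]]:
    """Run the comparison over the constructed listings."""
    live = parse_listing(LIVE_LISTING, "C:")
    offline = parse_listing(OFFLINE_LISTING, "/mnt/win")
    return cross_view_diff(live, offline)


if __name__ == "__main__":
    for label, paths in run_example().items():
        print(f"{label}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Anything the live OS omitted is only a lead, not proof: files created or deleted between the two snapshots, and reparse points or junctions that one tool follows and the other does not, also show up in the difference, so take both listings as close together in time as you can and check each reported path on the offline boot before acting on it.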



Subject: RE: Tech: A Different Sort Of Virus Thingy
From: GUEST,Jon
Date: 25 Apr 05 - 06:43 PM

Linksys are part of Cisco. Possibly it was the same bug on both routers?



Subject: RE: Tech: A Different Sort Of Virus Thingy
From: JohnInKansas
Date: 25 Apr 05 - 06:48 PM

Jon -

There were separate reports, but details were skimpy.

The point is that there may be a patch available for your hardware regardless of who made it. Check with your maker, regardless of who it is or what model(s) you use.

And check again in a few months, to see if they found anything new.

John



Subject: RE: Tech: A Different Sort Of Virus Thingy
From: The Fooles Troupe
Date: 25 Apr 05 - 08:27 PM

John,

the 'RootKit' thingy - I'm sure that some years ago there were a few viruses that did similar things (being able to hide themselves from easy detection by Windows OS), but there were ways to detect them.



Subject: RE: Tech: A Different Sort Of Virus Thingy
From: JohnInKansas
Date: 25 Apr 05 - 09:19 PM

Foolestroupe -

There are ways, and the malware type is (or was) pretty well known 'mongst old timers, perhaps. 'NIX users may or may not be aware of it. The problem is that no existing Windows programs make it easy to detect and/or get rid of them.

The methods for getting rid of them were routine "way back when" but people aren't used to working that hard now, and quite a few of the kinds of programs we used to keep handy for editing/replacing root sectors aren't around and/or don't work the same with Windows. The geniuses that work for Mickey have worked very hard at making the "root" files, no longer just in a single sector, "invulnerable," so that now it's very difficult to get into them except with the built-in Windows tools, and if they've been fooled, you're in trouble.

One or two "Windows cleaners" have already appeared for the rootkit thing(s), but to date they're pretty expensive and aimed at server markets where people can afford them(?). Cheap ones will come, one hopes, if and when enough people need them. It's not a panic situation - - yet.

John



Subject: RE: Tech: A Different Sort Of Virus Thingy
From: Stilly River Sage
Date: 26 Apr 05 - 12:35 AM

Do you suppose a Linksys wireless network card shares any of these vulnerabilities? Being addressable, it's possible, I would think (I use a Netgear wireless router with the Linksys card on the other computer).

Good advice about upgrading software.

SRS



Subject: RE: Tech: A Different Sort Of Virus Thingy
From: open mike
Date: 26 Apr 05 - 01:21 AM

I also heard a radio report about some students who discovered that there were some holes in the security of a system called Blue Tooth. Apparently they could access cell phones and other wireless devices and extract all sorts of information from them from quite a distance away. It is called the blue sniper rifle.
http://www.npr.org/templates/story/story.php?storyId=4599106



Subject: RE: Tech: A Different Sort Of Virus Thingy
From: JohnInKansas
Date: 26 Apr 05 - 04:51 AM

Stilly -

The LinkSys and Netgear components probably are behind your firewall and shouldn't be overly vulnerable, and I haven't heard of any exploits via simple etherlink cards/hubs; but an occasional check with the makers on any component of the system may find updated firmware that either closes a vulnerability or improves performance.

With ethernet cards, there have been some PlugNPlay updates that provide better setup, particularly if you should happen to add another computer with a very similar card, or have two of the same kind in one computer. Improved ID resolves conflicts. A couple of specific 3Com cards had a problem where two cards of the same type would sometimes "argue" about their identities; but I think it's been resolved for newer components, and there was a fix via firmware.

Even things like CD and DVD burners should be checked occasionally. If you have a DVD burner more than about 4 or 5 years old, there have been changes to the disk standard that may require firmware updates when you get a package of new blanks to the "improved" standard. (For this one, the burn "stalls" at about the same place on each attempt, usually around 600 MB or so.)

Better to check "when you have the time" than to make a stack of coasters trying to figure out what happened.

Remember that the OEM pipeline means that your "new" computer probably contains at least some components a couple of years (or more) old when you get it, so part of the first-time setup really should be a visit to an appropriate website for each significant component and/or program to see if there are updates. People often check for software updates, but forget that many hardware components can also be updated via firmware.

John



Subject: RE: Tech: A Different Sort Of Virus Thingy
From: JohnInKansas
Date: 26 Apr 05 - 05:04 AM

open mike:

There have been several reports of "virus" exploits in cell phones, and there's been quite a lot of discussion about it for a few months now. Early exploits were associated with a single cell-phone OS, but unfortunately it was one that's widely used in a number of phones. At least one virus form exploiting another OS has been found. The usual with these is that the individual phone, or some functions on it, are disabled. You take the phone in and get the OS reloaded.

Several sensationalized reports about celebrities (e.g. Paris Hilton) having their cell phones "hacked" have been simply cases where the persons involved "didn't bother" to set a password for access to their messages, phonebook, and account data. If you don't set a password, anyone that knows your phone's account number can "hack" (sarcastic euphemism) your account to get your phonebook and harass your friends. Especially if they're famous, they'll get pissed, so you blame it on hackers instead of admitting you were stupid. (They can get the account number by any number of trivially simple methods, since it's essentially public info. A password isn't public.)

Past warnings about "incautious" use of wireless "hotspots" have reappeared recently, due to a few newer "exploits" found. (A "hotspot" is a point at which a wireless equipped computer, usually a laptop or pocket device, can tap into someone's wireless network and hitch an illicit "free connection" to the web. There's an active "sport cult" that spends time looking for "open wi-fi" hotspots and marking, with graffiti on the buildings, where they are so that others can use them.) Warnings a month or so ago were specifically directed at Londoners, but recent ones have been more general.

Legal wi-fi ports, like the ones found at hotels/motels, bookstores, and coffee shops, can also be compromised by the same or similar methods.

If a person, usually with a laptop, mounts a port with a sufficiently strong signal nearby, they can spoof your connection so that you go through their machine where they can read your stuff. Usually they just pass stuff through to the real port to make it look like a legitimate connection; but they can read and/or record your web activity to extract passwords or other personal stuff.

Of course the real server can sometimes be hacked to make it install malware on your computer, usually a keystroke logger or a worm that attempts to gather passwords or other specific personal data. The criminal can then get a "dump" of what's been collected the next time you hook up.

A Boston College student was found fairly recently with a couple of thousand credit card numbers for students and professors, collected via the wi-fi port at the student union. The school said it was just a prank, but the F.B.I. found a few thousand dollars worth of fraud. I don't think he's gone to trial yet, but he will.

Any time you use a potentially insecure connection, you should be careful not to send anything you want to keep secret. If you need to send personal data, you should always use a "hard-wired" connection via a trusted entry point. If "unknown persons" can access the port at the same time you do, they can access you and your data.

John



Subject: RE: Tech: A Different Sort Of Virus Thingy
From: GUEST,Jon
Date: 26 Apr 05 - 06:10 AM

Going by the experience I'm just having, I would advise against upgrading firmware unless you have good reason to do so and preferably have an "escape route".

I had recently upgraded my router firmware to resolve an occasional ADSL problem. That went fine but otherwise I have left things alone.

Having read this thread, I decided to check on my wireless adapter and decided to upgrade. The upgrade has gone wrong and the adapter is determined it has an IP address of 1.0.0.0 and some of the other fields just contain nonsense. The utility program is refusing to allow me to save any changes. If I'm lucky, I will find a way round it in time but at the moment, I have a piece of junk created by me for no good reason.



Subject: RE: Tech: A Different Sort Of Virus Thingy
From: GUEST,Jon
Date: 26 Apr 05 - 07:18 AM

I was lucky. It turned out that there was a later utility program (which is Windows only BTW - I would have been in a right mess if I had moved every machine over to linux as the browser config would not communicate until I got some sensible settings in). This reset me back to the factory defaults when I started it up and allowed me to save changes. At least from there I could reconfigure to suit my network and I've got wireless working again.



Subject: RE: Tech: A Different Sort Of Virus Thingy
From: Stilly River Sage
Date: 26 Apr 05 - 11:48 AM

John,

With my old HP, I was able to visit HP's website and upgrade software for that system's components. I presume I'll be able to do the same thing with this HP.

I visited with some neighbors last night, and was told of a computer crash they experienced, in which the external 120gig backup drive was affected. It had been pretty full, as much as 80% was in use, but now they can only see it as a 5 gig drive. I know I've read discussion of that here at Mudcat, but because the descriptive terms are so general, I don't think a search will take me to the thread.

I don't know how they went about restoring the computer to the functionality it has now, but there wasn't a backup. Any thoughts on what might be plaguing the system and how to get access to that hard drive data?

SRS



Subject: RE: Tech: A Different Sort Of Virus Thingy
From: JohnInKansas
Date: 26 Apr 05 - 01:59 PM

SRS -

HP may or may not have updates for all the stuff in your machine. OEM makers like HP sometimes post major updates, but they install a lot of components made by others, and you may have to visit the component manufacturer's site(s) for firmware updates. With WinXP SR2, I'm pretty sure HP sent you to Microsoft for the update. CD and DVD drives, readers and burners, usually require contacting the mfr.

A main issue in the above is that things that are NOT IN THE COMPUTER still may have software/firmware that may need updating to fix security issues, and HP is unlikely to have info on things like routers, hubs, etc. that you use with your machine.

On the hard drive issue, it's impossible and largely useless to guess without hands-on with the computer and/or knowing a lot of things about it. The machine's OS makes a lot of difference. The format and partitioning of the disk is critical information, and even the manufacturer's name and model number for the drive likely could affect any diagnosis. Most makers of external drives have diagnostic utilities on their web sites, and I'd recommend contacting the maker of the drive involved directly, and putting it in their hands.

Any available test programs will usually be found at their "support" pages.

If the machine crash was caused by an error in the drive, the OS may have tried to "fix" the drive at reboot. Many current and recent Windows Operating Systems can read disks larger than they can format, and an attempt to "fix" could fail, since it would attempt to restore boot sector and FAT within the parameters of what it can format.

TweakUI can hide partitions, and has been known to become corrupted so that individual partitions become inaccessible (can't be easily unhidden).

Win2K in particular has had a bug that would sometimes prevent an external USB device from restarting properly after a hibernation cycle or an abnormal shutdown. The bug was supposedly fixed in SP3, and/or by a prior service patch. Sometimes booting without the drive connected, and connecting after the system is up would let PnP re-mount the drive correctly.

With some drives, for some OS, an overlay file is required, and it may have been corrupted.

There are software utilities that claim to be able to recover info from "external storage devices" even in cases where format is corrupted or lost. I don't know of a free one. These are most useful for smaller things like flash cards (camera memories and such) and running one on a 120 GB device likely would take tens of hours. (And you might have to have someplace else to put stuff as it's recovered.) I'd recommend looking pretty thoroughly elsewhere before attempting one of these.

Go to the guys who made the drive FIRST on this one.

John



Subject: RE: Tech: A Different Sort Of Virus Thingy
From: Stilly River Sage
Date: 26 Apr 05 - 02:46 PM

Thanks, John. You've more or less confirmed what I told them--that it may be a partition thing affecting the computer or the external drive, voluntary or not. The system is a mix of devices, the CPU is a Sony Vaio, uses XP Home, and they haven't installed SP2--claim it slowed the computer so much that they uninstalled it. I've heard that before from others, and I can go back and read some of the SP2 discussion here at Mudcat to see if I can help them resolve that issue. I forgot to ask what firewall they use (or if they use one!) so there is more information necessary to just keep the system afloat.

SRS

