Worm targets major vulnerability in ISS software

By Edmund X. DeJesus, Contributing Writer 22 Mar 2004 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

A destructive worm targeting Internet Security Systems (ISS) BlackICE products began circulating Saturday. ISS recommends immediately applying patches it's supplied to prevent infection by Witty-A, unauthorized system access or arbitrary code execution by a remote attacker.

"If a vulnerable system is infected, the Witty worm attempts to propagate by scanning random IP addresses," said an ISS advisory. "The Witty worm is destructive to the target system, and overwrites key hard disk sectors after sending out its payload. The junk data written to disk may impact system stability and cause a "blue screen" to occur upon reboot."

Though rated low-risk by antivirus vendors, Witty-A does pose a threat.

For more information To learn more, see ISS' advisory on the worm. ISS vulnerability advisory. ISS patches.

"It's unlikely that many computers will be patched against this vulnerability at this time," Ken Dunham, director of malicious code at iDefense said in a statement. He recommended disabling affected products until patched and protected and blocking UDP port 4000 traffic where feasible to block Witty.A exploitation packets.

The worm exploits a vulnerability in the Protocol Analysis Module (PAM), which is part of ISS RealSecure, Proventia and BlackICE products for detecting and preventing system intrusion. However, ISS said Proventia products aren't affected by the Witty worm. BlackICE versions 3.5 and below aren't affected by the worm or the vulnerability, according to Chicago-based managed intrusion prevention and protection services provider Lurhq.

This is the second time in less than a month that eEye Digital Security has revealed a major vulnerability in a core module affecting multiple products of rival ISS.

The problem is in the PAM's ICQ response handling routine. ICQ is a popular instant messaging tool, originally developed by ICQ Inc. and now part of America Online. ISS software parses several instant messaging protocols, including ICQ, to detect attacks. An attacker can send a specially crafted SRV_MULTI response containing two embedded response packets directed at the source port of 4000. During the PAM's processing, packet contents will be copied into a 512-byte buffer without any checking. This can cause a buffer overflow that a remote attacker can manipulate to run arbitrary code with system privileges, permitting unauthorized system access.

Since this vulnerability involves the stateless protocol UDP, a single specially crafted datagram can affect every vulnerable host in a network simultaneously. In a test, eEye reports that it was able to compromise a BlackICE installation with maximum security configuration.

The problem affects multiple ISS products, including BlackICE Agent for Server, BlackICE PC Protection, BlackICE Server Protection, RealSecure Desktop, RealSecure Guard, RealSecure Sentry, RealSecure Network, RealSecure Server Sensor, and Proventia A, G, and M Series.

While there is no workaround, ISS suggests blocking ICQ traffic where the ICQ protocol isn't in use by blocking UDP packets with a source port of 4000 at the network perimeter. Because DNS and some other program/protocols use ephemeral UDP ports, including 4000, some side effects may occur.

Just last month, eEye found another serious vulnerability in the PAM's scanning of the Server Message Block (SMB) protocol.

SearchSecurity.com News Writer Shawna McAlearney contributed to this report.

Tags: Malware, Viruses, Trojans and Spyware,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Malware, Viruses, Trojans and Spyware Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Mini guide: How to remove and prevent Trojans, malware and spyware Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Breach forces payroll service provider PayChoice to shut down again RSA research underscores problem tracking cybercriminals Conficker analysis finds P2P coding limited, less sophisticated

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RAT (remote access Trojan)  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary