[SECURITY-L] CAIS Alert: Malicious code propagation and antivirus application updates (IN-2003-01)

Daniela Regina Barbetti Silva daniela at ccuec.unicamp.br
Fri Jul 4 13:48:36 -03 2003


----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br>
Subject: CAIS Alert: Malicious code propagation and antivirus application updates (IN-2003-01)
To: rnp-alerta at cais.rnp.br, rnp-seg at cais.rnp.br
Date: Fri, 4 Jul 2003 13:42:09 -0300 (BRT)


Dear all,

CAIS is forwarding CERT Incident Note IN-2003-01, Malicious Code
Propagation and Antivirus Software Updates, which presents some
considerations on the propagation of malicious code and on the use of
antivirus applications.

According to the CERT/CC, an increase in the propagation speed of recent
viruses and worms has been observed, while at the same time most of the
infected users hold the incorrect notion that antivirus software is
sufficient to protect them from any malicious code attack.

Regarding antivirus software, one of the considerations presented in the
CERT/CC document stresses that there will always be an interval of time
between the start of the malicious code's propagation and the installation
of the corresponding signature in the user's antivirus. Although the
antivirus industry is working to reduce this interval, by increasing the
reliability of signatures and of the antivirus update process, it is still
long enough to allow the rapid proliferation of malicious code.

To illustrate the severity of recent virus and worm propagation on the
Internet, here is the list of alerts published by CAIS in 2003 related to
the subject:

	. CAIS Alert ALR-27062003a
	  Propagation of the Sobig.E virus
	  http://www.rnp.br/cais/alertas/2003/cais-alr-27062003a.html

	. CAIS Alert ALR-27062003
	  Activity generated by Stumbler (Trojan 55808)
	  http://www.rnp.br/cais/alertas/2003/cais-alr-27062003.html

	. CAIS Alert ALR-06062003
	  Propagation of the W32.BugBear.B worm
	  http://www.rnp.br/cais/alertas/2003/cais-alr-06062003.html

	. AUSCERT AL-2003.07
	  Propagation of the Fizzer worm
	  http://www.rnp.br/cais/alertas/2003/Auscert200307.html

	. CAIS Alert ALR-11032003
	  New version of the CodeRed worm
	  http://www.rnp.br/cais/alertas/2003/CAIS-ALR-11032003.html

	. CAIS Alert ALR-10032003
	  New worm known as "Deloder"
	  http://www.rnp.br/cais/alertas/2003/CAIS-ALR-10032003.html

	. CERT Advisory CA-2003-04
	  MS-SQL Worm (Slammer)
	  http://www.rnp.br/cais/alertas/2003/CA200304.html


More information can be found at:

        http://www.cert.org/incident_notes/IN-2003-01.html


Prompted by the aforementioned CERT/CC Incident Note and based on its
preventive work, CAIS reminds you that best practices for email use
include:

. Do not open files attached to emails without first scanning them with an antivirus.

. Verify the authenticity of the email's sender address.

. Do not download, install or run files obtained from untrusted sources.

. Keep antivirus software always up to date, on a daily basis or
  automatically.


Sincerely,


################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
#                                                              #
# cais at cais.rnp.br     http://www.cais.rnp.br               #
# Tel. 019-37873300    Fax. 019-37873301                       #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################


CERT® Incident Note IN-2003-01

The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

Malicious Code Propagation and Antivirus Software Updates
Release Date: July 2, 2003

Recent reports to the CERT/CC have highlighted two chronic problems:

    * The speed at which viruses are spreading is increasing. This echoes
      the trend toward faster propagation rates seen in the past few years
      in self-propagating malicious code (i.e., worms). Beginning with the
      Code Red worm (CA-2001-19, CA-2001-23) in 2001 up through the Slammer
      worm (CA-2003-04) earlier this year, we have seen worm propagation
      times drop from hours to minutes.

      A similar trend from weeks to hours has emerged in the virus (i.e.,
      non-self-propagating malicious code) arena. The effectiveness of
      antivirus software suffers as a result. Several recent malicious code
      incidents involving variants of W32/BugBear and W32/Sobig have
      achieved widespread propagation at rates significantly faster than
      many previous viruses. This increased speed is, unfortunately, also
      faster than many antivirus signatures can be identified and updated,
      regardless of the update method (including automated signature
      updates). The CERT/CC has received reports of successful W32/Sobig.E
      compromises from users whose signatures were up to date for the prior
      versions of W32/Sobig.

      Signature-based antivirus software is not the only type of antivirus
      software at risk: antivirus software that uses heuristics to
      determine malicious behavior may be circumvented by malicious code
      that employs new techniques. Heuristic products should not be
      unconditionally trusted either, as they may not always block
      malicious code from executing. Additionally, we are aware of
      instances where corrupted antivirus software updates have caused the
      software to be disabled without the user's knowledge.

    * In a number of the reports, users who were compromised may have been
      under the incorrect impression that merely having antivirus software
      installed was enough to protect them from all malicious code
      attacks. This is simply a mistaken assumption, and users must always
      exercise caution when handling email attachments or other code or
      data from untrustworthy sources.

In general, it is important to remember that while antivirus software
vendors continue to improve the speed and reliability of their signature
update mechanisms, there will always be some window of time when a system
does not contain signatures to detect a particular worm or virus. Several
recent research papers that have placed estimates on the magnitude of
"worst-case scenario" malicious code propagation rates also illustrate the
risk to systems during the window of time before signatures are
available.[1][2]
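As an added illustration (not part of the CERT note or the CAIS alert), the following Python models the exposure window described above with the random-constant-spread (logistic) worm model from reference [1]: it computes what fraction of a vulnerable population is already infected by the time a signature ships, for one "hours" worm and one "minutes" worm. The scenario parameters are constructed, chosen only to match the order of magnitude of the contrast the note draws.

```python
"""Added illustration (not from the CERT note): how much of a vulnerable
population a worm reaches before a detection signature can ship.

Model: the random-constant-spread (logistic) model of reference [1],
da/dt = K*a*(1-a), with a the infected fraction of vulnerable hosts and K
the initial per-host compromise rate; with initial fraction a0 the closed
form is a(t) = 1 / (1 + ((1-a0)/a0) * exp(-K*t)). Parameters are constructed.
"""
import math


def infected_fraction(t: float, k: float, a0: float) -> float:
    """Infected fraction t seconds after the first infection. This form cannot
    overflow: for a fast worm exp(-k*t) underflows to 0.0, giving 1.0."""
    if not 0.0 < a0 < 1.0:
        raise ValueError("a0 must lie strictly between 0 and 1")
    return 1.0 / (1.0 + ((1.0 - a0) / a0) * math.exp(-k * t))


def time_to_fraction(f: float, k: float, a0: float) -> float:
    """Seconds until the infected fraction first reaches f (model inverse)."""
    return math.log(f * (1.0 - a0) / (a0 * (1.0 - f))) / k


def exposure_at_signature(delay_s: float, k: float, a0: float) -> float:
    """Infected fraction when a signature ships after delay_s seconds: the
    share of hosts that an up-to-date antivirus could not have protected."""
    return infected_fraction(delay_s, k, a0)


# Constructed scenarios, one seed host each. K = 1.8/hour is roughly the
# Code Red fit in [1] and an 8.5 s doubling time roughly Slammer's early
# growth in [2]; the model ignores bandwidth saturation (optimistic).
SCENARIOS = {
    "hours-scale worm":   dict(k=1.8 / 3600.0,      a0=1.0 / 360_000),
    "minutes-scale worm": dict(k=math.log(2) / 8.5, a0=1.0 / 75_000),
}


def compare(delay_s: float) -> dict:
    """Exposure of every scenario for one signature delay in seconds."""
    return {n: exposure_at_signature(delay_s, **p) for n, p in SCENARIOS.items()}


if __name__ == "__main__":
    for delay_h in (0.25, 1, 6):
        for name, frac in compare(delay_h * 3600).items():
            print(f"signature after {delay_h:>4} h, {name}: {frac:6.1%} infected")
    print(f"minutes-scale worm reaches 90% in "
          f"{time_to_fraction(0.9, **SCENARIOS['minutes-scale worm']) / 60:.1f} min")
```

With a six-hour signature delay the hours-scale worm has reached roughly 12% of its population, while the minutes-scale worm has saturated long before even a fifteen-minute update cycle completes.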

Solutions

Apply "defense in-depth"

As mentioned above, it is not sufficient to rely solely on antivirus
software for complete protection. Therefore, we recommend users apply a
strategy of "defense in-depth" (where several layers of security or access
controls are used) when considering ways to protect their computers from
attackers. Although it may not be practical for all users, another way of
achieving defense in-depth is to use diverse software and operating
systems when possible. Some additional ways of improving security beyond
the use of antivirus software follow.

In addition to following the steps outlined in this section, the CERT/CC
encourages home users to review the "Home Network Security" and "Home
Computer Security" documents.

Run and maintain an antivirus product

While an up-to-date antivirus software package cannot protect against all
malicious code, for most users it remains the best first-line of defense
against malicious code attacks.

Most antivirus software vendors release frequently updated information,
tools, or virus databases to help detect and recover from malicious code,
including W32/Bugbear.B and W32/Sobig.E. Therefore, it is important that
users keep their antivirus software up to date. The CERT/CC maintains a
partial list of antivirus vendors.

Many antivirus packages support automatic updates of virus definitions.
The CERT/CC recommends using these automatic updates when available.

Do not run programs of unknown origin

Never download, install, or run a program unless you know it to be
authored by a person or company that you trust. Email users should be wary
of unexpected attachments, while users of Internet Relay Chat (IRC),
Instant Messaging (IM), and file-sharing services should be particularly
wary of following links or running software sent to them by other users,
as these are commonly used methods among intruders attempting to build
networks of distributed denial-of-service (DDoS) agents.

Disable or secure file shares

Best practice dictates a policy of least privilege. For example, if a
Windows computer is not intended to be a server (i.e., share files or
printers with others), "File and Printer Sharing for Microsoft Networks"
should be disabled.

For computers that export shares, ensure that user authentication is
required and that each account has a well-chosen password. Furthermore,
consider using a firewall to control which computer can access these
shares.

By default, Windows NT, 2000, and XP create certain hidden and
administrative shares. See the Microsoft article "HOW TO: Create and
Delete Hidden or Administrative Shares on Client Computers" for further
guidelines on managing these shares.

Deploy a firewall

The CERT/CC also recommends using a firewall product, such as a network
appliance or a personal firewall software package. In some situations,
these products may be able to alert users to the fact that their machine
has been compromised. Furthermore, they have the ability to block
intruders from accessing backdoors over the network. However, no firewall
can detect or stop all attacks, so it is important to continue to follow
safe computing practices.

Recovering from a system compromise

If you believe a system under your administrative control has been
compromised, please follow the steps outlined in

    Steps for Recovering from a UNIX or NT System Compromise

References

   [1] Paxson, V., Staniford, S., Weaver, N. "How to 0wn the Internet in
       Your Spare Time".
       http://www.icir.org/vern/papers/cdc-usenix-sec02/index.html
   [2] Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S.,
       Weaver, N. "The Spread of the Sapphire/Slammer Worm".
       http://www.cs.berkeley.edu/~nweaver/sapphire/

Authors: Chad Dougherty and Allen Householder
This document is available from:
http://www.cert.org/incident_notes/IN-2003-01.html

CERT/CC Contact Information

Email: cert at cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
    CERT Coordination Center
    Software Engineering Institute
    Carnegie Mellon University
    Pittsburgh PA 15213-3890
    U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our
public PGP key is available from

      http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from our
web site

      http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send
email to majordomo at cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent
and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
University makes no warranties of any kind, either expressed or implied as
to any matter including, but not limited to, warranty of fitness for a
particular purpose or merchantability, exclusivity or results obtained
from use of the material. Carnegie Mellon University does not make any
warranty of any kind with respect to freedom from patent, trademark, or
copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright ©2003 Carnegie Mellon University.



----- End forwarded message -----


