Fw: [Unpatched] The Bizex worm

From: Thor Larholm (thor_at_PIVX.COM)
Date: 02/25/04

  • Next message: Marc Maiffret: "EEYE: RealSecure/BlackICE Server Message Block (SMB) Processing Overflow"
    Date:         Tue, 24 Feb 2004 19:11:51 -0800
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    We have all talked about how most viruses and worms that actually spread
    in the wild could have been written so much better by any one of us. I
    guess someone stepped forward and took the bait.

    Everything indicates that Bizex is a worm which was created as a hired
    job. Its primary purpose was to collect banking information and create
    an army of zombie machines. To accomplish this, it exploited a range of
    vulnerabilities, the latest of which was published as recently as
    February 19th on the Bugtraq mailing list.

    The antivirus companies are finally starting to update their signatures,
    hours after Bizex has already infected between 50,000 and 100,000
    machines (Kaspersky). Luckily, the main distribution sites have now been
    shut down which has halted the spread but left us with an army of
    zombie machines waiting for new instructions on port 1534.

    New variants of Bizex are expected in the near future.

    Locking down the My Computer zone prevented Bizex from infecting a
    Windows system, a feature which is implemented as a demonstratory fix in
    the currently available Qwik-Fix beta ( www.qwik-fix.net ) and which
    Microsoft is also implementing in the upcoming Windows XP Service Pack
    2, slated for release around June.

    More information about Bizex can be found at

    http://www.kaspersky.com/news.html?id=4277566
    http://www.viruslist.com/eng/viruslist.html?id=1029528
    http://securityresponse.symantec.com/avcenter/venc/data/w32.bizex.worm.html
    http://www.sophos.com/virusinfo/analyses/w32bizexa.html
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101044

    Regards

    Thor Larholm
    Senior Security Researcher
    PivX Solutions
    24 Corporate Plaza #180
    Newport Beach, CA 92660
    http://www.pivx.com
    thor@pivx.com
    Phone: +1 (949) 231-8496
    PGP: 0x5A276569
    6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

    PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
    Qwik-Fix <http://www.qwik-fix.net>

    -----Original Message-----
    From: Thor Larholm
    Sent: Tuesday, February 24, 2004 5:31 PM
    To: Thor Larholm
    Subject: [Unpatched] The Bizex worm

    Dear Unpatched subscriber,

    Today a new worm was discovered in the wild, called Bizex. Employing a
    multilayered attack, spread and infection approach, it spreads through
    several vulnerabilities and exploits in multiple technologies such as
    email attachments, ICQ instant messaging and HTTP web pages. Some of
    these vulnerabilities are without patches from the vendor, raising the
    level of potential damage.

    Kaspersky is currently labelling this a global epidemic with more than
    50,000 infections just among ICQ users.

    Likewise, implementing multiple layers of defense can help mitigate the
    threat posed by multilayered worms such as Bizex. The currently
    available BETA version of Qwik-Fix completely protects against the Bizex
    worm by mitigating the impact of several vulnerabilities it relies on.
    You can download Qwik-Fix at

    http://www.qwik-fix.net/

    Symantec has labelled this worm W32.Bizex.worm, but has not yet
    published any details about it.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.bizex.worm.html

    PivX Solutions are currently researching the potential impact of Bizex
    as well as its data gathering intentions. Some of the vulnerabilities
    this worm is exploiting in its effort to spread are:

    Microsoft Java virtual machine class loader
    ICQ SCM local file planting
    Microsoft Help CHM vulnerabilities
    ADODB Stream
    Internet Explorer Shell Folders

    Interestingly, the shell folder vulnerability was only recently
    categorized as being a serious threat on February 19 in a post to the
    Bugtraq mailing list. This once again demonstrates how malicious
    criminals are more rapidly exploiting vulnerabilities as they are being
    announced.

    Our initial analysis has shown that this worm is trying to collect
    credit card details from unsuspecting users, masquerading itself as a
    statement from banks and online trading sites, such as Wells Fargo,
    E*TRADE, American Express, e-gold, Verisign and LloydsTSB.

    It has been linked to websites that are anonymously registered to
    Russian individuals, is apparently created using Microsoft Visual
    Studio and installs a backdoor on compromised machines to be used by
    professional spammers.

    Kaspersky has released more details at

    http://www.kaspersky.com/news.html?id=4277566

    We will keep you updated as more information is uncovered.

    Regards

    Thor Larholm
    Senior Security Researcher
    PivX Solutions
    24 Corporate Plaza #180
    Newport Beach, CA 92660
    http://www.pivx.com
    thor@pivx.com
    Phone: +1 (949) 231-8496
    PGP: 0x5A276569
    6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

    PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
    Qwik-Fix <http://www.qwik-fix.net>

    -----
    NTBugtraq Editor's Note:

    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whoever is responsible for your AV, or at least that the idea is considered.
    -----
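The mitigation Larholm describes above, "locking down the My Computer zone", means tightening the URL action settings Internet Explorer keeps for zone 0 (the Local Machine zone), which is the zone that local HTML such as CHM help content, ICQ-planted files and ADODB.Stream drops runs in with almost no restrictions. The script below is an added example written for this page; it is not Qwik-Fix code and is not from the original post. The action IDs and the 0/1/3 value meanings are Microsoft's documented ones, but the choice of which actions to lock, and the assumption that this set covers the Bizex vectors listed in the post, are this example's own.

```powershell
# Added example, not from PivX/Qwik-Fix or the NTBugtraq post.
# IE per-zone security settings live under
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>
# Zone 0 is "My Computer" (Local Machine). Action values are REG_DWORD:
#   0 = enable, 1 = prompt, 3 = disable.
# Which actions to lock below is an assumption made for this example.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'

# URLACTION IDs (hex, as Microsoft lists them) and the value wanted in zone 0.
$Lockdown = @{
    '1001' = 3   # Download signed ActiveX controls
    '1004' = 3   # Download unsigned ActiveX controls
    '1200' = 3   # Run ActiveX controls and plug-ins
    '1201' = 3   # Initialize and script ActiveX controls not marked safe for scripting
    '1400' = 3   # Active scripting
    '1402' = 3   # Scripting of Java applets
    '1C00' = 0   # Java permissions: 0 = disable Java (MS JVM class loader vector)
}

function Get-LocalMachineZoneGaps {
    # Returns one object per action whose current value is weaker than,
    # or different from, the lockdown value; an empty result means locked down.
    $gaps = @()
    foreach ($id in $Lockdown.Keys) {
        $current = (Get-ItemProperty -Path $ZonePath -Name $id -ErrorAction SilentlyContinue).$id
        if ($null -eq $current -or $current -ne $Lockdown[$id]) {
            $gaps += [pscustomobject]@{ Action = $id; Current = $current; Wanted = $Lockdown[$id] }
        }
    }
    return $gaps
}

function Set-LocalMachineZoneLockdown {
    # Writes the lockdown values for the current user.
    if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
    foreach ($id in $Lockdown.Keys) {
        Set-ItemProperty -Path $ZonePath -Name $id -Value $Lockdown[$id] -Type DWord
    }
    # Zone 0 is hidden from the Internet Options dialog by the 0x20 bit of "Flags";
    # clearing that bit makes the zone, and these settings, visible in the UI.
    $flags = (Get-ItemProperty -Path $ZonePath -Name 'Flags' -ErrorAction SilentlyContinue).Flags
    if ($null -ne $flags) {
        Set-ItemProperty -Path $ZonePath -Name 'Flags' -Value ($flags -band (-bnot 0x20)) -Type DWord
    }
}

# Audit first; call Set-LocalMachineZoneLockdown once the gaps are understood.
Get-LocalMachineZoneGaps | Format-Table -AutoSize
```

The settings are per user (HKCU), so they have to be applied in every profile or pushed by policy. Expect some legitimate local HTML, Help files in particular, to prompt or stop working afterwards; that is the trade-off the post alludes to. What Windows XP Service Pack 2 later shipped as Local Machine Zone Lockdown is a separate mechanism (the FEATURE_LOCALMACHINE_LOCKDOWN feature-control key) that restricts local content in Internet Explorer without editing the zone-0 actions directly.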
