Re: Deloder worm has resurfaced. Watch your privacy!

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: 03/29/03


"Kyle Lai" <kyle@kylelai.com> wrote:

> DeLoder worm has resurfaced during the past several days. ...

"resurfaced" as in "we are seeing a rash of new infections of the
original" (which is what "resurfaced" actually means) or as in "there
is a new variant of it which is getting some traction"?

> ... Here is
> some info missed by many anti-virus analyses...

Not so much "missed by their analyses" as "won't be detected by virus
scanners".

Now, you're a clever chap, Kyle, so can you suggest any reason why an
antivirus developer might choose to _not_ detect a legitimate remote
control application such as VNC??

> Deloder worm leaves a VNC (free remote control software) service
> running on the infected systems, and it also sets a VNC password, which
> eventually allows anyone with malicious intent (hackers) to get in
> via VNC. There are tens of thousands of Windows 2000 & XP systems out
> there that are infected with Deloder (according to CERT, possibly
> 140,000 on 3/17/2003).

Could you provide a reference for that CERT claim of 140,000 Deloder
infections? I recall CERT (and saw it in other reports whose sources I
cannot divulge) saying on 11 March that a 140,000+ GT-bot network had
been found:

   http://www.cert.org/advisories/CA-2003-08.html

> The password that was set by Deloder was cracked by KLC Consulting
> Security Team, ...

...using a simple brute-force VNC password cracker...

> ... and the information is available in the article below.
> With this password in hand, anyone can detect (not too difficult) and
> connect to infected systems and watch the computer screen, take over
> the keyboard and mouse control, or just spy on every single keystroke
> and mouse move by the infected users. Watch out, and protect your
> privacy!

And without your article, very few people would have taken the time or
effort to crack the password. So, the upshot of your "work" is that
many more people can now easily take advantage of the existence of what
you claim (CERT claims) is a 140,000 strong network of machines
unknowingly running VNC with this configuration.

Why did you not include download and operating instructions for
obtaining and using a port scanner? Then even those readers who may be
too dense to know how to do that can join the ranks of the "hacker
wannabes" your analysis has just assisted.

I am interested in how you justify your membership of the ISSA in light
of its code of ethics:

   http://www.issa.org/codeofethics.html

and your actions in publicly releasing the VNC password used by Deloder.
I see your actions as contrary to all but the last two of the items in
that code, specifically:

    * Perform all professional activities and duties in accordance with
      the law and the highest ethical principles;

As no formal list of "the highest ethical principles" is given, my
highest ethical principles must be considered as suitable as the basis
for comparison. As I would not have released that information because
doing so would violate my ethical principles, your releasing the
information puts you in breach of that point of the ISSA's code.

    * Promote good information security concepts and practices;

As your actions are in breach of "good security concepts and practices"
(by being in breach of other items in the ISSA's ethical code) you are,
obviously, also in breach of this one because acting in the role as an
information security professional and publicly promoting yourself
through your unethical acts cannot be seen as promoting good practice.

    * Maintain the confidentiality of all proprietary or otherwise
      sensitive information encountered in the course of professional
      activities;

The password to an illicitly installed system backdoor, present by your
own estimates or those of another professional or body whose opinion you
respect on 140,000+ machines on the public Internet, is sensitive
information. You clearly became aware of this in the course of your
professional activities.

    * Discharge professional responsibilities with diligence and
      honesty;

You seem to have posted this message, and put your analysis on your web
site, with diligence and honesty, but as doing so _with the report of the
otherwise secret VNC password_ constitutes a breach of ethics, your
professional responsibilities have not been discharged diligently (you
missed that your attempts at self-aggrandizement through publishing more
detail than anyone else were unethical).

    * Refrain from any activities which might constitute a conflict of
      interest or otherwise damage the reputation of employers, the
      information security profession, or the Association;

Need I spell out why you are in breach of this one?

Of course, there are probably other professional organizations with similar
ethical codes to which you are affiliated -- I didn't bother to check.

I wonder if you have enough conviction to report yourself to the ISSA
(and any other organizations to which you affiliate yourself whose ethical
codes you will also likely have broken) and resign your membership?

Oh, and you'd better report yourself to (ISC)2 for an ethics review
panel hearing to consider revoking your CISSP:

   https://www.isc2.org/cgi/content.cgi?category=12

> The article below also has methods of detection, fixes, and
> recommendation for protections against future worm/Trojan attacks.

It also recklessly exposes information better not made public.

There are good reasons why measured analyses of Deloder do not include
the password information. Further, there are compelling ethical
reasons for them to not include that information. The rest of your
analysis is a good and useful contribution, but it and your ethical
reputation are spoiled by a couple of sentences.

--
Nick FitzGerald
