From: Panda Oxygen3 24h-365d

"Everything should be made as simple as possible, but not one bit simpler." Albert Einstein (1879-1955); physicist and mathematician.

- Software vulnerabilities: an increasingly common means of infection for viruses -

Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, May 25 2004 - Exploiting software vulnerabilities has become one of the most important means for malicious code to spread to as many computers as possible. In today's Oxygen3 24h-365d we will look at how worms like SQLSlammer, Blaster and Sasser have managed to cause worldwide epidemics in extremely short periods of time by taking advantage of certain security flaws, and we'll examine the preventive action that users can take.

Software vulnerabilities can be defined as "flaws or security holes in a program or IT system, often used by viruses as a means of infection or by hackers to obtain unauthorized access to systems". In simpler terms, a software vulnerability is a design flaw in one of the programs installed on the computer which could allow a virus to carry out malicious actions without the user having to open an infected e-mail, run suspicious files, and so on. Software vulnerabilities can also open a door for any malicious user who wants to enter your computer.

Usually, when a software vulnerability is detected, the vendor of the affected software releases a patch that fixes it. The problem arises when a malicious user learns of the flaw and quickly develops an "exploit": a technique or program that takes advantage of a vulnerability and can be incorporated into malicious code. Viruses designed to take advantage of software vulnerabilities have the advantage, from their creators' point of view, of spreading very quickly, as they rely on unusual means of propagation. Sasser, for example, exploits the LSASS buffer overrun vulnerability, which allows malicious code to be run.
Many other viruses, like Blaster, do not need to use the more usual means of propagation, as they can get into computers directly through communication ports. The possibilities are endless and depend only on the type of vulnerability exploited.

The best way to avoid the actions performed by this type of virus is to install the patch that fixes the corresponding security hole. However, many users, either through lack of information or because they use illegal software versions that prevent updates from being performed, do not install patches, which leaves computers unprotected. This is also known to the creators of malicious code and explains why, once a virus that exploits a certain vulnerability appears, many others follow. This is why new worms keep appearing, like some variants of Netsky, that use the Iframe vulnerability used by Klez.I, detected more than two years ago. Likewise, since Sasser was released, many viruses have appeared which also exploit the LSASS vulnerability: Cycle.A, Kibuv.A, and the variants A, B and C of Bobax.

In any event, the best protection against software vulnerabilities is to download the latest patches available for the affected application. For this reason it is important to stay well informed by periodically visiting the websites of the vendors of the programs installed on your computer. It is also useful to subscribe to computer security bulletins such as Panda Software's Oxygen3 24h-365d.

For further information about these and other computer threats, visit Panda Software's Virus Encyclopedia at:

http://www.pandasoftware.com/virus_info/encyclopedia

NOTE: The address above may not show up on your screen as a single line. This would prevent you from using the link to access the web page. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.
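The bulletin's practical advice is that a machine running a version older than the one the vendor patched stays exposed, and that the same flaw gets reused by later worms. The following is an added example, not code from the bulletin or from Panda Software: a small patch-gap audit that compares an inventory of installed versions against a table of "fixed in" versions and reports which hosts still fall below the fix. The product names, version numbers and host names are constructed sample data, not real advisories. It generalizes the bulletin's single-vulnerability case to any number of products and hosts, and handles the common pitfall that a plain string compare gets wrong ("1.10" is newer than "1.9").

```python
"""Patch-gap audit: flag installed software older than the version that fixes a known flaw.

Added example; not from the Panda bulletin. All product names, versions and
host names below are constructed placeholders, not real advisory identifiers.
"""
import re
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version string into a tuple of integers.

    Tuples compare numerically per component, so parse_version('1.10.0') is
    greater than parse_version('1.9.3'); a plain string compare would say the
    opposite because '1' < '9' as characters.
    """
    parts = re.findall(r"\d+", v)
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed version is at least the version carrying the fix."""
    a, b = parse_version(installed), parse_version(fixed)
    # Pad the shorter tuple with zeros so that '2.0' and '2.0.0' compare equal.
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


def audit(inventory: Dict[str, Dict[str, str]],
          fixes: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {host: [product, ...]} for every product still below its fixed version.

    Products with no entry in `fixes` are skipped: there is no known flaw to check.
    Hosts with nothing unpatched are omitted from the result.
    """
    gaps: Dict[str, List[str]] = {}
    for host, products in inventory.items():
        missing = [name for name, ver in products.items()
                   if name in fixes and not is_patched(ver, fixes[name])]
        if missing:
            gaps[host] = sorted(missing)
    return gaps


# Constructed sample data (hypothetical products and versions).
# "Fixed in" versions would normally come from the vendor's advisory.
FIXED_VERSIONS = {"exampled-svc": "5.0.12", "samplehttpd": "2.1"}

# Constructed inventory, e.g. as exported from an asset-management tool.
INVENTORY = {
    "ws-01": {"exampled-svc": "5.0.12", "samplehttpd": "2.0.9"},
    "ws-02": {"exampled-svc": "5.0.9", "samplehttpd": "2.1"},
    "ws-03": {"exampled-svc": "5.1", "samplehttpd": "2.1.0", "other-tool": "0.3"},
}

if __name__ == "__main__":
    for host, products in audit(INVENTORY, FIXED_VERSIONS).items():
        print(f"{host}: unpatched {', '.join(products)}")
```

Run against the sample inventory it reports ws-01 (old samplehttpd) and ws-02 (old exampled-svc) and stays silent about ws-03, which is fully patched. In practice the inventory would be exported from whatever asset or update-management tool is in use, and the fixed-version table maintained from the vendor bulletins the text recommends following.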
------------------------------------------------------------

The 5 viruses most frequently detected by Panda ActiveScan, Panda Software's free online scanner:

1) Netsky.P
2) Briss.A
3) Sasser.ftp
4) Qhost.gen
5) Netsky.D

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.

Editor MikesWhatsNews, see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm

See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>

A Technical Support Alliance and OWTA Charter Member