Updates
A compilation of the latest information about viruses and worms, security issues
and patches to rectify the same.
New Home for killer codes
Hackers have found another place to hide their malicious code: the flash memory
on graphics cards and similar add-on hardware, from where the code can still be
run at boot time.
Surreptitious code of this kind, known as a rootkit, can be hidden in the expansion
read-only memory (ROM) used by add-on Peripheral Component Interconnect (PCI)
cards, according to John Heasman, a security researcher at Next-Generation
Security Software.
TROJ_DROPPER.CEN
WORM_RINBOT.G
WORM_RINBOT.H
WORM_RINBOT.F
ELF_WANUK.A
WORM_ZHELATIN.CH
TROJ_SMALL.GHI
TROJ_AGENT.IQN
TROJ_VB.BLV
TROJ_MDROPPER.MY
(Source: Trend Micro)
With the help of a covert channel to the Internet, such an expansion ROM rootkit
could update itself and run at boot time, which makes it difficult to detect.
Developers writing device drivers usually don't consider security issues, which
leaves room for problems of this kind.
According to Heasman, graphics card makers are not thinking about such attacks;
they simply want to make updating the ROM as easy as possible.
Attacks that use rootkits stored outside of system memory are not new. Last year,
Heasman presented practical research on malicious code that could make use of a
motherboard's Advanced Configuration and Power Interface (ACPI) to run code at
boot time. In November, Heasman released his initial paper on PCI rootkits.
This sort of attack requires a great deal of technical expertise and effort,
which is why few such attacks have been seen so far. Given these difficulties,
attackers would rather use a standard Trojan horse attack to compromise systems.
Computers with specialised hardware security based on the Trusted Computing
Platform will be largely immune to such attacks.
Worm Exploits Solaris flaw
A flaw in Sun Microsystems' Solaris operating system is being exploited by a
computer worm to propagate. After successfully logging into a system running
Solaris 10, the worm executes a number of commands to plant itself, after which
it spreads to other vulnerable computers.
Soon after the flaw was reported on a blog, Sun confirmed the threat in an
updated alert on its Web site. Sun confirms that at least one worm is using
this exploit to compromise system integrity and has offered a worm-cleaning
tool for all users of its OS.
The worm takes advantage of a security hole in the Solaris telnet service. Through
this flaw, attackers can gain access to a system without any action or permission
from a user. Sun has released a fix for the flaw and urges users to install it.
The SANS Internet Storm Center, which monitors Internet threats, has observed an
increase in activity on the network port used by the Solaris telnet service.
Telnet was one of the first methods devised to allow system administrators to
remotely monitor their networks. The service normally prompts for a username and
password; the bug, however, permits access without either. Machines on which
telnet is disabled are not vulnerable to this attack.