New Computer Virus Exploits Microsoft Flaw
A new version of the Bugbear e-mail virus emerged on the Internet early Monday that can automatically infect computers by exploiting a flaw in Microsoft Corp. software for which there is currently no available fix.
The virus, dubbed "Bugbear.e" by antivirus companies, uses an HTML e-mail that exploits a flaw in Windows-based computers' Internet Explorer Web browsers to cause its dangerous executable file to silently run without the user clicking on it. Bugbear.e is considered a "worm," or a virus that can spread without human action.
For now, the worm isn't prevalent on the Internet, though its auto-execution feature could help it gain ground, said Craig Schmugar, manager of Network Associates Inc.'s virus-response center. The maker of McAfee antivirus software rates Bugbear.e low risk, as does Norton antivirus maker Symantec Corp.
Separately, Network Associates warned Tuesday of a medium-risk virus known as "Netsky.s," which first emerged Sunday.
It is highly unusual for an e-mail virus to exploit a flaw for which there is no fix, or "patch," a phenomenon defined by some experts as a "zero-day attack." (Others define it as an attack using a flaw that security experts didn't know existed.) Such attacks are somewhat common in hacker programs known as Trojan horses. But in a worm, they particularly unnerve security experts and network operators because large numbers of computers could be vulnerable to attack and quick defenses would be harder to come by.
To date, attackers have preferred to quietly use zero-day attacks in Trojans rather than risk detection with a noisy virus. "In general, the trend is that we're moving away from notoriety and fame being one of the motives to criminal gain," says Ken Dunham, director of malicious code at iDefense Inc. And attackers realize "there's a lot more value in a zero-day attack than a worm that spreads and does whatever."
Still, among security experts' biggest fears is a zero-day network worm. That would be a program akin to last summer's Blaster worm that uses an unknown flaw or one for which there is no patch to spread virtually unchecked through vulnerable machines via Internet connections.
Bugbear.e isn't this type of program and can be more easily stopped with antivirus software. And experts say a similar attack on an Internet Explorer flaw isn't likely to make it into a network worm because a user must view Web content. But Bugbear.e's use of a flaw with no available patch illustrates how the gap between the knowledge of a vulnerability and the release of malicious code that exploits it is shrinking, bringing us ever closer to a zero-day network worm.
Microsoft wasn't immediately able to comment on the flaw or when a fix might be available. Antivirus companies have rolled out software updates that can block Bugbear.e and another Bugbear variant that also emerged in the last day.
The flaw that Bugbear.e exploits was disclosed online in February, along with a sample attack program, Mr. Schmugar said. It has since been used by several Trojan horses, which are dropped onto PCs by malicious Web pages.
The virus essentially advances the delivery of a Trojan by using e-mail to push PC users into viewing malicious Web content. In victim PCs, Bugbear.e finds sensitive personal information and sends it to the attacker, including cookies, text from open windows and data captured by a program that logs keystrokes to filch passwords and credit card numbers.
The e-mail messages that carry Bugbear.e are blank, use faked "from" addresses and can have one of many subject lines, including "Hi!", "hmm.." and "SCAM alert!!!" Each message carries an attachment with a name that's randomly chosen from a file found on the infected computer and has either a .zip or .htm ending. Clicking on the attachment also will cause infection by the virus.
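New Virus Targeting Microsoft Software Appears on the Internet
The latest version of the Bugbear e-mail virus appeared on the Internet early Monday. The virus automatically infects computers by exploiting a flaw in software from Microsoft Corp. (MSFT), and no fix for the flaw is currently available.
The virus, labeled Bugbear.e by antivirus companies, spreads through HTML e-mail. It exploits a flaw in the Internet Explorer Web browser on computers running Windows to silently run a dangerous executable file without the user clicking on the file. Bugbear.e is considered a worm, that is, a virus that spreads even without user action.
Craig Schmugar, manager of the virus-response center at Network Associates Inc. (NET), said that for now the worm has not become prevalent on the Internet, but that its auto-execution feature will allow it to spread increasingly. The antivirus software company rates Bugbear.e low risk, and Norton antivirus maker Symantec Corp. (SYMC) has given it a similar rating.
Separately, Network Associates on Tuesday issued a medium-risk warning for the Netsky.s virus, which first appeared last Sunday.
Microsoft was not immediately able to comment on the flaw or on when a patch would be available. Antivirus companies have released software updates to block Bugbear.e and another Bugbear variant that appeared on Monday.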