[Dshield] FW: New virus alert: W32/Bugbear.B-mm

James C. Slora Jr. Jim.Slora at phra.com
Thu Jun 5 19:14:21 GMT 2003

John Hardin wrote on 05 Jun 2003 08:05:14 -0700

> > Attachment names are also variable, possibly based on filenames
> > on the infected machine with an extension of either .scr, .pif or .exe
> Trivially easy to block.

Yeah, trivially easy.
Cocky> Just make sure all computers have properly updated Outlook or OE and
have their security set properly.

Paranoid> Oh wait, some users disable security because they trade Word
documents in email.
Cocky> That's OK - we'll drop .pif .scr and .exe at our MTA - IF it is
capable of that.

Paranoid> Yeah but what about third party web mail?
Cocky> OK we'll block users from accessing Hotmail and other similar
services - IF we have a firewall/proxy/etc configurable for that.

Paranoid> But there are too many sites to know you've blocked them all -
message boards, personal webmail servers, etc.
Cocky> OK, we'll use content filtering to block user downloads of EXEs etc -
IF we have the filtering software and if this is approved by our bosses.

Paranoid> So all we have to worry about is infected VPN users sending
Bugbear encrypted into our network through file shares that are the primary
purpose of the VPN?
Cocky> Ummm... virus definitions should cover that - if our vendor has
released new definitions.

Paranoid> Wait, Bugbear is also a file infector. That means it could
actually hide within any executable on any network where a compromise has
occurred. If we're already infected, Bugbear could insert itself into the
self-extracting virus definitions we download.
Cocky> We'll verify checksums of the virus definitions. I'll just learn how
our AV vendor provides checksums, and master the simple utility that checks
them against the downloaded definitions.

Paranoid> Yeah but Bugbear kills AV programs and can infect them afterwards,
so downloading new defs won't help if you're already infected.
Cocky> We can configure our IDS to watch for signs of infection, once we
know what to look for. Our rock-solid backup system will let us quickly
recover all infected systems after we disconnect them from the network.

Paranoid> And how do we know there aren't any trojans left on uninfected
systems if the Bugbear owner goes fishing from one of the infected computers
inside our main defenses?

etc. etc.

Easy as pie! Easy to stop it, and easy to get burned by it too. There are
lots of measures you can and should take to help make networks more secure,
but a little bad luck can defeat the best defenses just as easily as a
skilled hacker.

I never feel the network is protected. I just do what I can, try to learn
and to anticipate threats, and hope for the best.
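The MTA-side extension filter the thread calls "trivially easy" (dropping .pif, .scr and .exe attachments), as an added example that is not part of the original post. It uses only the standard library; the sample message is constructed here, and the `blocked_attachments` and `build_sample_message` names are this example's own.

```python
"""Flag e-mail attachments whose file names end in .scr, .pif or .exe.

Added example, not from the original post. The message built below is
constructed for the demonstration.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the alert quoted in the thread attributes to Bugbear.B attachments.
BLOCKED_EXTENSIONS = {".scr", ".pif", ".exe"}


def blocked_attachments(raw: bytes) -> list[str]:
    """Return the file names of MIME parts whose name ends in a blocked extension.

    get_filename() decodes RFC 2047/2231-encoded names and falls back to the
    Content-Type "name" parameter, so the extension cannot be hidden behind
    header encoding. The comparison is case-insensitive and looks only at the
    final suffix, so a double extension such as "Budget.doc.PIF" is still caught.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text or a container part, not an attachment
        lowered = name.strip().lower()
        if any(lowered.endswith(ext) for ext in BLOCKED_EXTENSIONS):
            hits.append(name)
    return hits


def build_sample_message() -> bytes:
    """Constructed message: one harmless attachment and two that must be blocked."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "re: your document"
    msg.set_content("see attached")
    msg.add_attachment("meeting notes", filename="notes.txt")
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                       filename="Budget.doc.PIF")
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                       filename="setup.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(build_sample_message()))  # ['Budget.doc.PIF', 'setup.exe']
```

As the rest of the thread points out, this only covers mail that actually passes through the MTA; webmail and file shares need their own controls.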
