
Crying Klez
maybe the sky IS falling

Ubiquity, Volume 2002, Issue May (May 1 - May 31, 2002) | By Robert Slade



A fast-spreading virus exploits well-known bugs and security loopholes.



Maybe it's because the name is unassuming, without the flash of a "Melissa" or "Loveletter" or "Chernobyl." Maybe it's because various reports have called it Klaz, Kletz, W32/Klez.[a-k]@mm, or I-Worm.Klez. Maybe it's because media viruses like Code Red have exhausted the public's attention. Maybe it's because there have been a number of versions, and only the latest one has made an impact. Maybe it's because the beast is bewilderingly complicated.

Whatever the reason, a virus called Klez (or, more specifically, Klez.H) seems to be happily spreading far and wide, without much attention from anyone except antiviral vendors. Warnings have been issued about it, but these are often limited and unhelpful. The general media have not paid attention to the problem. One of the most widespread and dangerous viruses of recent times, Klez is hard to identify, is difficult to track, is generating serious numbers, and carries a number of payloads. Also, it probably isn't the last of its kind.

Klez is actually a family of viruses. The limited information available seems to indicate that the same author or a small group, probably resident in China, is likely responsible for all of the Klez variants. Eight have been identified so far, seemingly released between the fall of 2001 and spring of 2002. Each variant has added new features and payloads. In little over half a year the Klez family has gone from being a minor nuisance to a major threat.

The first version was so buggy that flaws in programming seemed to be the major concern. However, even then the virus was notable for its ambition and complexity. In addition to spreading itself, Klez dropped a virus called ElKern. (There have been reports of a new version of the CIH virus traveling with Klez, but this may be due to infection of the Klez program file itself.) The subject line, sender address and attachment filename were all variable, avoiding the major means of email virus detection. (Various Klez subject lines have promised games, humour, pornography, vague but important messages, and, interestingly, antiviral protection.) Klez also used a vulnerability in Microsoft's Outlook mailer (actually resident in Internet Explorer programming) that would automatically unpack and invoke the message attachment, in some cases before the message was even read by the user.

(This mailer loophole, sometimes known as the IFRAME vulnerability, was addressed and patched by Microsoft in March of 2001. Users who regularly installed patches were not at risk from this specific function. The bug is addressed in http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp and http://www.microsoft.com/technet/security/bulletin/MS01-020.asp. However, the more widely known Microsoft security bulletin, http://www.microsoft.com/technet/security/bulletin/MS01-027.asp, deals with a composite patch, and talks about browser certificates rather than the mail problem. It is also interesting to note that, in order to use this function, Klez forms messages with a non-standard MIME [Multipurpose Internet Mail Extensions] format. Non-Microsoft mailers, such as Pegasus and Netscape Communicator, may not even allow users to see the attachment, and thus, inadvertently, offer users additional protection.)

The file attachment, as of version H, will have an extension of .EXE, .BAT, .PIF or .SCR. The MIME file type will not match the extension (although that is not a reliable indicator of a virus infection). Email addresses used to create new infected messages are harvested from the infected machine. Recent versions of the virus also have code to use ICQ as a source of email addresses.

Klez.E (version 2.0, according to internal text), released in January of 2002, added file infection capabilities, so that the virus could spread using email, direct copying to network shares, and infection of program files. (Windows system files were often corrupted by the infection attempts. Other files might be infected by a companion-type method: the original file was renamed and hidden, and a copy of Klez was written under the original filename.) The virus carried its own SMTP (Simple Mail Transfer Protocol) program so that it did not need to use local mail clients. The "From" line was also faked, such that if Alice received an infected message from Bob, it might not come from Bob but from Charles, who had addresses for both Alice and Bob on his infected machine. This function not only prevented tracking of the infected machine, but caused many people to try to track infections in the wrong place. In addition, the virus had a payload to overwrite text, Microsoft Word, MP3, HTML and other files with random data, thus destroying the contents.
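The two preceding paragraphs describe the handles a mail gateway actually has on a Klez-style message: an attachment carrying an executable extension whose declared MIME type says otherwise, and a "From" line that names someone other than the machine that really sent the message. The following Python script is an added example, not code from the article or from any antiviral product; it triages a single message on both points using only the standard library. The sample message, hostnames, addresses and base64 payload are constructed, and the rule that an executable extension declared under a non-application media type counts as a mismatch is an assumption built on the article's statement that the MIME file type does not match the extension.

```python
import email
import os
import re
from email import policy

# Attachment extensions the article lists for Klez.H
RISKY_EXTENSIONS = {".exe", ".bat", ".pif", ".scr"}

# Constructed sample: "From" claims Bob, but the Received trail written by
# Alice's own gateway shows the message was handed over by charles-pc.
# The attachment is declared as audio but carries an executable extension.
RAW_MESSAGE = """\
Received: from mail.alice-org.example (mail.alice-org.example [192.0.2.10])
    by inbox.example with ESMTP id constructed-1
Received: from charles-pc.example ([198.51.100.7])
    by mail.alice-org.example with SMTP id constructed-2
From: "Bob" <bob@bob-org.example>
To: alice@alice-org.example
Subject: Worm Klez.E immunity
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="klez-sample-boundary"

--klez-sample-boundary
Content-Type: text/plain; charset="us-ascii"

Constructed lure text: a free tool to remove Klez.E is attached.
--klez-sample-boundary
Content-Type: audio/x-wav; name="setup.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="setup.exe"

TVotcGxhY2Vob2xkZXI=
--klez-sample-boundary--
"""

RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def attachment_findings(msg):
    """Describe each attachment: executable extension? declared type disagrees?"""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        declared = part.get_content_type()
        executable = ext in RISKY_EXTENSIONS
        # Assumption: an executable extension declared as anything other than
        # application/* is the kind of mismatch the article describes.
        mismatch = executable and not declared.startswith("application/")
        findings.append({
            "filename": name,
            "declared_type": declared,
            "executable_extension": executable,
            "type_mismatch": mismatch,
        })
    return findings


def received_trail(msg):
    """Hosts named in Received headers, oldest hop first (headers are newest-first)."""
    hosts = []
    for header in msg.get_all("Received", []):
        match = RECEIVED_FROM.match(str(header))
        if match:
            hosts.append(match.group(1))
    return list(reversed(hosts))


def triage(raw):
    """Summarise the sender evidence and attachment risk for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    trail = received_trail(msg)
    attachments = attachment_findings(msg)
    return {
        # What the forgeable "From" line claims
        "claimed_sender_domain": msg["From"].addresses[0].domain,
        # What the mail servers actually recorded as the handing-over host
        "originating_host": trail[0] if trail else None,
        "received_trail": trail,
        "attachments": attachments,
        "suspicious": any(a["executable_extension"] for a in attachments),
    }


if __name__ == "__main__":
    report = triage(RAW_MESSAGE)
    print("claimed sender domain:", report["claimed_sender_domain"])
    print("originating host     :", report["originating_host"])
    for a in report["attachments"]:
        print("attachment:", a)
    print("suspicious:", report["suspicious"])
```

Only the Received lines added by your own servers are trustworthy (anything below them can be forged by the sending machine), so in practice the hop to trace is the one your own gateway wrote, not the "From" header, which is exactly why people chasing Bob in the article's scenario were looking in the wrong place.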

Early versions of the virus had a hidden message (in the body of the infected message) seemingly indicating that the author was trying to gain a reputation in order to get a better job. Later versions tried to kill processes of the Code Red family of worms, including Nimda, and included hidden messages suggesting that Klez was an antivirus virus. Klez.E, in addition to adding to the list of virus processes that would be stopped, also killed processes for a number of the most popular and effective antiviral programs. It would remove Windows Registry keys for antiviral software, and also corrupted checksums or deleted files for antiviral systems. (Text strings seemed to indicate that this was because the world had not offered the author a well paying computer job.)

The latest version (as of this writing), Klez.H, often sends itself in a message offering a tool to remove and immunize against Klez.E. (It purports to come from one of a number of well-known antiviral companies.) Klez.H also added a new function: it would frequently pick up a file from the infected computer and add it as an attachment to the infected message sent out. There is already one known case where a confidential negotiating document was transmitted to a mailing list of several thousand people in this manner. Fortunately, the file overwriting payload seems to have been removed.

Any available virus tends to spawn variants. It is also not unusual for a virus author to improve on his or her own work, and release new versions. However, variants seldom involve additions of functions and features to the extent seen in Klez. The original version alone demonstrated effective social engineering and polymorphic techniques, as well as complex features that would be dangerous in conjunction with other forms of malware. In less than six months, the author (and the greatest probability is that there is a single author) has added features manipulating processes in memory, attacking antiviral and security software, increasing the means of reproduction and spread, and attacking data availability and confidentiality. It is unlikely that this is the last version of Klez that will be seen, and a number of common viruses could give the author new ideas for new payloads to add and new technologies to employ.

In a sense, though, there is absolutely nothing new about Klez. Microsoft software is well known to be full of bugs and security loopholes: Internet Explorer is much more dangerous to use as a browser than is Netscape Navigator. There are dangerous technologies in common programs that should be disabled or patched. There is a definite trend towards convergence in malware, with different types of programs supporting and distributing each other. Polymorphism has long been known in file infecting viruses: the use of variant subject lines in Klez is tame compared to the (literally) myriad forms of files generated by Tremor.

Most importantly, however, your mother's old adage still holds true. "DON'T RUN THAT PROGRAM ON YOUR COMPUTER! YOU DON'T KNOW WHERE IT'S BEEN!"

Robert Slade is the author of Robert Slade's Guide to Computer Viruses (the title was not his idea) and co-author of Viruses Revealed. He is a prolific and cruel (but fair) book reviewer. More information about Robert Slade is available at http://victoria.tc.ca/techrev/rms.htm or http://sun.soci.niu.edu/~rslade/rms.htm.
