
Design Flaw Stops InvalidSSL Worm

by Phiber on September 1st, 2001

A potentially dangerous new Internet worm has been rendered sterile, thanks to a weakness in the program's code, anti-virus experts said today. The data-destroying worm, known as InvalidSSL among other aliases, travels as a Trojan horse program attached to an e-mail message masquerading as a Microsoft security bulletin.

According to the message, which arrives with a forged "from" address of [email protected] and a subject line of "Invalid SSL Certificate," recipients should install the attached file, sslpatch.exe, to protect Internet Explorer against a buffer overflow caused by a faulty digital certificate.
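The lure described above reduces to a few mail-level indicators: the subject line, the attachment name, and the fact that a "security patch" arrives as a directly executable attachment. The following added example (not code from the article or from any of the vendors it quotes) parses an RFC 822 message with Python's standard `email` module and reports which of those indicators it matches. The sample messages are constructed here for illustration; the sender address is a placeholder, since the article redacts the forged local part.

```python
"""Flag inbound mail that matches the InvalidSSL lure described in the article."""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the article. The forged sender is redacted there,
# so only the subject line and attachment name are used as exact matches.
SUBJECT_INDICATOR = "invalid ssl certificate"
ATTACHMENT_INDICATOR = "sslpatch.exe"
# Generic rule that also catches variants: a patch delivered as an executable.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")


def attachment_names(msg):
    """Return the file names of all non-container parts that carry a filename."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers (multipart/mixed etc.) never carry a file
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def assess_message(raw):
    """Return the list of indicator hits for one raw message (empty list = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if SUBJECT_INDICATOR in subject:
        hits.append("subject matches lure: %r" % subject)
    for name in attachment_names(msg):
        lowered = name.lower()
        if lowered == ATTACHMENT_INDICATOR:
            hits.append("attachment name matches lure: %s" % name)
        elif lowered.endswith(EXECUTABLE_SUFFIXES):
            hits.append("executable attachment: %s" % name)
    return hits


def build_sample(subject, attachment=None):
    """Construct a sample message (constructed test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "security@vendor.example"  # placeholder for the forged sender
    msg["To"] = "user@corp.example"
    msg["Subject"] = subject
    msg.set_content("Please install the attached patch to protect Internet Explorer.")
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed samples: one mimicking the lure, one ordinary message with a text file.
LURE = build_sample("Invalid SSL Certificate", ("sslpatch.exe", b"MZ" + b"\x00" * 16))
BENIGN = build_sample("Lunch menu", ("menu.txt", b"soup of the day"))

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, assess_message(raw) or "no indicators")
```

The exact-match indicators are only useful for this one campaign; the executable-suffix rule is the part worth keeping on a mail gateway, because the same trick (a vendor "patch" attached to an unsolicited mail) recurs regardless of the file name.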

Unlike an earlier mass-mailing worm, the pesky SirCam, which contained its own e-mailing engine, InvalidSSL attempts to relay infected e-mails through an open mail server on the Internet, located in Israel, whose address is hard-coded into the worm.

According to Network Associates, the operator of the open SMTP server has recently disabled relaying, which should prevent Invalid from spreading any further by e-mail.

A message at the Web site of the Black Cat Virii Group states that InvalidSSL was created by the group's founder, a virus writer named Dr. T. According to a description included with the source code available at the site, the "interesting" part of the worm is its ability to damage executable files by encrypting them with the Windows CryptoAPI, a cryptographic service built into recent versions of Windows.

"There are (few) worms which use this way of infection ... so I decided to code myself a new one," wrote Dr. T.

According to domain records, the Black Cat site is registered to Alexander Tsechansky of Yehud, Israel.

Because of the worm's ability to effectively destroy .exe files on a victim's computer, anti-virus vendor Central Command today issued a press release pronouncing InvalidSSL a "dangerous Internet worm."

But according to Nick FitzGerald, an independent virus researcher with Computer Virus Consulting, the worm's threat is neutralized without the ability to spread by e-mail.

"Assuming it stays that way, InvalidSSL is now sterile and few more people should see it," said FitzGerald in a posting to a virus discussion list.

Network Associates and Trend Micro have both given Invalid a "low risk" rating. Neither has received any reports of the worm being in the wild. Central Command said it has obtained one report of Invalid from a customer.


Network Associates' description of InvalidSSL is here.

Central Command's press release is here.

Source: a Newsbytes article
