Tuesday, March 28, 2006

It's not so dangerous this time (yet) ...

Hundreds of malicious Web sites are attempting to exploit the most critical of two flaws announced in Microsoft's browser over the last week, convincing two companies to release workarounds late Monday to head off the threat. Security firms Determina and eEye Digital Security each created a standalone patch to protect Windows systems that use Internet Explorer to browse the Web. The vulnerability, the most critical of three announced in the last week, is reportedly being actively exploited by more than 200 malicious Web sites. So Microsoft is again last to bring out their own patch ... however, are these other companies not using these patches in a commercial way? Are they not exaggerating? This is not the same situation as last time during the WMF exploit period, when the risk was really higher in my opinion.

Sunday, March 26, 2006

Another dangerous zero-day IE exploit on the loose.

The unpatched CreateTextRange vulnerability in Internet Explorer is already being used by at least one Web site to install spyware on users' machines. Disclosed only Wednesday, the flaw in IE 5.01, 6.0, and the January version of IE 7 Beta 2 Preview has security vendors worried because a patch isn't available from Microsoft. Thursday, as news circulated that a working exploit had been publicly posted, Microsoft said it was working on a fix. Even before the site exploiting the CreateTextRange bug was discovered, several other security companies had raised alarms. It reminds me of the Windows Metafile fiasco in late December, when another "zero-day" flaw hit Windows users.
Disable IE's active scripting or switch to any other browser which is not using this... or try to find out if your AV package is able to counter this exploit.

Thursday, March 23, 2006

InfoSecurity Belgium 2006 finished.

A lot of people visited our (NOXS) booth at InfoSecurity Belgium 2006 this year. It's definitely the best security event in Belgium. It's 'the event' as well to have a good chat with some local security-related friends.
I also wrote the opinion article for the InfoSecurity Data News Guide: The illusion of security. You can find it at my press page.

Sunday, March 19, 2006

My wife and I are both 'in Security'.

If you didn't know this before ... my wife Nadine is a police officer (Inspector) working for the Kastze police zone in Belgium. She also works as a MEGA-officer (Drugs Abuse Resistance Education) and is a teacher at the Police Academy PIVO. You could say that we are both dealing with security. The local police opened its doors today. Everybody got the possibility to look at the daily duties of the complete police team. Interesting as well was the look at the infrastructure of the police office itself. If you compare this with our work you could really say that we have something in common!

Thursday, March 16, 2006

RFID virus POC paper

Cheap radio chips that are replacing the ubiquitous barcode are a threat to privacy and susceptible to computer viruses, scientists at a Dutch university said on Wednesday.
The paper presents an attack where the tags carry a small amount of data (127 characters) that will infect the RFID reader. More precisely, they use an SQL injection attack against an Oracle database backend that interfaces with the reader. The reader will then continue to infect all new tags it sees. Luckily, this is currently only a proof-of-concept attack, even though it's a scary idea. The problem is that an infected RFID tag, which is read wirelessly when it passes through a scanning gate, can upset the database that processes the information on the chip, says the study by Melanie Rieback, Bruno Crispo and Andrew Tanenbaum.
Well don't worry at this moment as this is only a POC. The 'EICAR taskforce on RFID' will take action ASAP to prevent such real attacks. But 'that' will take 'ages' in my opinion... ;-)
You can find more info within the self-replicating RFID viruses paper. The paper is titled "Is Your pet Infected with a Computer Virus?".
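The backend weakness described in this post, as an added example that is not code from the paper or from this blog: tag contents concatenated into an INSERT statement, next to a version that validates the tag data and binds it as a parameter. SQLite stands in for the Oracle backend, and the table, function names and tag contents are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample tag contents (not taken from the paper).
NORMAL_TAG = "Apples"
HOSTILE_TAG = "Apples', 'gate-99'), ('Pears"   # quote characters inside tag data

TAG_MAX_LEN = 127                               # tag capacity quoted in the post
TAG_ALLOWED = re.compile(r"[A-Za-z0-9 _.-]+")   # assumed allow-list for this schema


def new_db():
    """In-memory stand-in for the database behind the RFID reader."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reads (contents TEXT, gate TEXT)")
    return db


def record_read_vulnerable(db, tag_data, gate):
    # Tag bytes are pasted into the statement text, so tag data is parsed as SQL.
    db.execute("INSERT INTO reads VALUES ('" + tag_data + "', '" + gate + "')")


def record_read_bound(db, tag_data, gate):
    # Bound parameters: the database treats tag data purely as a value.
    db.execute("INSERT INTO reads VALUES (?, ?)", (tag_data, gate))


def record_read_hardened(db, tag_data, gate):
    # Reject anything outside the expected shape before it reaches the database.
    if len(tag_data) > TAG_MAX_LEN or not TAG_ALLOWED.fullmatch(tag_data):
        raise ValueError("tag data rejected: %r" % tag_data)
    record_read_bound(db, tag_data, gate)


def rows(db):
    return db.execute("SELECT contents, gate FROM reads ORDER BY rowid").fetchall()


def demo():
    """One hostile tag read at gate-1, recorded by each implementation."""
    vulnerable, bound = new_db(), new_db()
    record_read_vulnerable(vulnerable, HOSTILE_TAG, "gate-1")
    record_read_bound(bound, HOSTILE_TAG, "gate-1")
    return rows(vulnerable), rows(bound)


if __name__ == "__main__":
    print(demo())
```

With concatenation, a single tag read produces two rows, one of them carrying a gate value the reader never supplied; with binding, the same tag is stored as one inert string, and the validating version refuses it outright.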

Monday, March 13, 2006

I'm not at Cebit, I'm home!

Unbelievable, it seems to be a must to be at Cebit. Well I'm not, I returned home safely after my visit to Stockholm and I'm ready for our next event: InfoSecurity Belgium 2006. However, in the meantime I will be travelling around between some customers and sending loads of emails between hundreds of people. What a life ... and just at that moment McAfee released some problematic dat-file. If you did an on-demand scan during the 5 hours the bad dat-file was appearing at the website, you could be facing problems with missing 'MS Excel' or even other legitimate applications. Well it happened before with TrendMicro and Symantec also. Of course the new dat-files which were on the web since Saturday returned proper detection. I haven't seen any AV-company which didn't get any problem with their signature files in the past. Still I find the detection from McAfee as one of the best!

Wednesday, March 08, 2006

Dinner at Gamla Stan (Stockholm) and attacks in the hotel...

It's getting better and better over here in Sweden. I attended a Sygate-Symantec course (Yes, I know.. unbelievable ... isn't it!) and afterwards we managed to go out with the teacher and two other guys. We took the metro or 'tunnelbana' to Stockholm's Old Town called Gamla Stan. With -14°C we managed to find quickly a nice Swedish restaurant in the middle of Gamla Stan called Kaffegillet. The Reindeer steak was perfect. Back in the hotel however I found a SQL Slammer and RpcDcom buffer overflow attack on the hotel's network. That's THE reason to have IPS and AV and Personal Firewall on your system! At least I don't have to worry...

First fake eicar test string inside a mobile virus!

My friend Mikko H. Hypponen of F-Secure sent me yesterday the first fake eicar.com (test string) inside a mobile virus. It seems to be dropped by a new Symbian virus (Appdisabler.I). It won't run and it contains this text: {Series60ProductID}$EICAR-SYMBIAN-ANTIVIRUS-TEST-FILE-2006!
What could be the reason to drop such a file which is even not detected as the real eicar string and which can't be run.... tell me!
Thanks Mikko for bringing this up to the EICAR organisation.

Monday, March 06, 2006

Symantec Nordic at Kista

Today I arrived in Sweden. I just did a quick tour of Stockholm before I went back to Kista (a suburb of Stockholm). The weather is not brilliant and Stockholm seems to me not the best looking city in wintertime. Also Kista gives me a strange feeling: A large shopping mall next to the business zone and that's it! Let's hope the next days will be more interesting compared to this first look of Sweden. The picture gives you a view out of my hotel window.

Saturday, March 04, 2006

Bye BlackHat, Here I come Stockholm!

I'm just back from the BlackHat conference in Amsterdam. Some talks were quite interesting however I've heard some untrue statements about some AV-products... I'm not going into detail right now but generally the conference was not bad! I even found 4 other AV-people like Costin Raiu and Roel Schouwenberg from Kaspersky Lab visiting the conference. Jarno Niemelä from F-Secure gave a talk about Symbian malware. Oh yes, I'm heading to Stockholm now to visit Symantec Nordic. So my next post could be from Sweden.