Wednesday, September 27, 2006

EICAR is officially 15 years old today!

EICAR (http://www.eicar.org/) was formally founded on this day in 1991, in Brussels. EICAR was originally conceived as a professional body focused on anti-virus whose membership would extend beyond the technical experts in CARO (http://www.caro.org/tiki-index.php).
For many people, EICAR is best known for the EICAR test file, an industry-standard anti-malware test file that can be used to confirm that anti-malware software is installed and working correctly. Preceded by an inaugural meeting of international experts in 1990 and initiated by Dr. Alan Solomon, the following people met on 27th September 1991 at the Cultural Centre Auderghem, in Brussels, Belgium and founded the 'European Institute for Computer Anti Virus Research' abbreviated as EICAR:
Vesselin Bontchev (Bulgaria), Bruno Imhasly (Switzerland), Dr. Jean Bernard Condat (France), Mark Murry Danton (South Africa), Rüdiger Dierstein (Germany), Paul Ducklin (South Africa), Frans Veldmann (The Netherlands), David Ferbrache (Great Britain), Christoph Fischer (Germany), Derek Giroulle (Belgium), Günther von Gravenreuth (Germany), Roger Gustafsson (Sweden), Tjark Auerbach (Germany), Christian Schmidt (Austria), Dr. Paul Langemeyer (Germany), Ian Melamed (South Africa), Anthony Naggs (Great Britain), Dr. Christian Schneider (Germany), Günther Mußtopf (Germany), Roger Riordan (Australia), Dr. Alan Solomon (Great Britain), Franz Swoboda (Austria), Heinz Trenker (Germany), Theo Lieven (Germany), Michael Weiner (Austria), David Steelman (United States of America), Matthias Vanselow (Germany), Eddy Willems - That's me! - (Belgium), and Christian Schmidt (Austria).
Professor Klaus Brunnstein from the University of Hamburg, Germany, also one of the experts and pioneers from the very beginning, though never a registered member, chaired the assembly of the founding members.
I must say that I nearly forgot this date until I saw it mentioned at http://www.viruslist.com/en/weblog , the Analyst's Diary of Kaspersky Lab. But they think we were founded a little bit earlier. Of course it depends on which date you count from, and I am counting from the official founding date. ;-)

MS patch for VML released early.

Microsoft has released a patch for the VML vulnerability outside of its normal monthly update cycle, which is great to see. The patch is available right now via update.microsoft.com.
Get it: it is KB925486 (Security Bulletin MS06-055).

Monday, September 25, 2006

Not a CERT but a ZERT.

Last Friday the ZERT was launched: the Zeroday Emergency Response Team. The goal of this group of security professionals is to study 0-day exploits and to develop unofficial patches when such exploits pose a security risk to the internet or to users in general and a vendor-supplied patch has not been released yet. This is an interesting approach, since we have recently seen so many critical security vulnerabilities and exploits without patches. Remember the Windows WMF vulnerability (December 2005)? On the other hand, even though the ZERT group may test its patches extensively, it is ALWAYS advisable to perform your own tests in your own environment before applying one, since it may break applications or void a software or hardware vendor's support agreement. There is even an unsupported third-party patch for the VML vulnerability available from ZERT. I can't recommend it because I have already seen some problems related to it: see the discussion at PC Doctor Guides. But it's good to know that something is available if this VML problem really gets out of hand (which it hasn't yet). Of course, if you have a good AV product you shouldn't be worried at all, because detection and blocking are possible in several ways.

Wednesday, September 20, 2006

VML Exploit and PDF problems.

A new Microsoft Internet Explorer vulnerability has been publicly disclosed that affects the processing of Vector Markup Language (VML). A victim would need to visit, or be lured into visiting, a website hosting the malicious VML content. Exploitation in the wild has been detected. Microsoft has acknowledged the issue in Security Advisory 925568. And it doesn't stop there ...
Several new Adobe PDF vulnerabilities were recently announced. The author claims these are basic vulnerabilities in the PDF API or architecture, and he tested his PoCs against Adobe Reader and Acrobat Professional. The details are available here:
http://michaeldaw.org/ or
http://www.eweek.com/article2/0,1895,2016606,00.asp
I predicted about a year ago that we would face problems with this kind of software. I even wrote it down in an article for DataNews in Belgium at the beginning of this year.

Tuesday, September 19, 2006

Problems, problems, problems but nobody seems to worry about it!

An ActiveX vulnerability has been acknowledged by Microsoft in a recent Security Advisory. The issue was originally made public on September 13th. Exploit code is available, but exploitation in the wild has yet to be detected. User interaction, such as surfing to a malicious website, is needed for an attack to succeed.

Last Tuesday Microsoft released three Security Bulletins and updated bulletins MS06-040 and MS06-042. One of the newly patched vulnerabilities, MS06-052 "Vulnerability in Pragmatic General Multicast (PGM) Could Allow Remote Code Execution", can be exploited remotely without user interaction. However, only Windows XP systems that have the non-default Microsoft Message Queuing service (MSMQ) installed are vulnerable, because PGM support is installed together with MSMQ.

Meanwhile I continue to receive reports from some customers dealing with bots that exploit MS06-040. It is still a problematic period, yet nobody seems to be really aware of it. It seems that if the press does not pick up the new things, problems pass by as if they had no dramatic payload. I'm warning everybody that I still see a lot of problems out there, and this example is just one of them. Customers, home users and corporates will face more and more problems if they do not counter these problems today!

Thursday, September 07, 2006

EICAR anti-virus test file changed into anti-malware test file.

I just sent out the following press release to several press agencies:
Munich and Brussels, 7 September 2006: The past two years have seen spyware emerge as a major threat to computer users around the world. With new threats constantly coming through, there have been several new products designed to detect, prevent and remove spyware, adware and any other unwanted software. Most of these new applications have been integrated into other security applications, most notably anti-virus solutions.

A problem with the new combined applications is that customers want to know whether the software is working and protecting their computers. This used to be a problem in the early days of anti-virus software. In order to confirm the correct functioning of AV applications, EICAR developed and published the “EICAR Test File”, which has been used ever since in nearly every AV product on the market.
However, it was labelled as an ‘Anti-virus Test File’ and the central distribution came from the site http://www.eicar.org/anti_virus_test_file.htm, so it was never seen as an anti-spyware test file.

To make sure customers are happy that their computers are protected, EICAR updated the anti-virus test file and combined it with a new anti-spyware test file. This new Anti-Malware test file will enable product developers to add this detection file to their application to prevent confusion between the different sorts of viruses and spyware.

“This combined test file brings EICAR up to date with the new threats that are constantly being developed to attack computers,” said Eddy Willems, Director of Press and Information. “Customers can now feel satisfied that they can see the activity of these threats as separate threats rather than all labelled under anti-virus.”

EICAR has modified the contents of the central distribution site (http://www.eicar.org/anti_virus_test_file.htm) to include the new Anti-Virus and Anti-Malware test file, there is also a section at the top of the page to let people know the update has taken place.

The name and contents of the test file will not change. This means that the 68 character string will remain the same to allow backward-compatibility.

About EICAR:

The European Institute for Computer Anti-Virus Research (EICAR) was founded in 1991 and represents an independent and impartial platform for IT security experts in the fields of science, research, development, implementation and management. The institute aims to inspire information exchange on a global basis as well as synergy building to enhance computer, network and telecommunication security. EICAR supports all kinds of initiatives in terms of technical solutions or preventive measures against the writing and proliferation of malicious code such as computer viruses or Trojan Horses, and against computer crime, fraud and the misuse of computers or networks, including the malicious exploitation of personal data. The institute deals with all kinds of technical, organisational, legal and psychological aspects in the context of IT security. EICAR bundles expert know-how from leading scientists and academics as well as recognised researchers, official institutions and global players of the industry.
If you have any questions or would like to arrange interviews please contact our Director Information and Press: Mr Eddy Willems, (email: press at eicar dot org) or phone + 32 (0)2-461.01.70
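The press release says the 68-character string stays the same for backward compatibility, and in practice most "my scanner ignores the test file" reports come down to a file that no longer satisfies the published rules (a BOM or HTML wrapper prefixed by a browser or editor, a stray comment appended, padding beyond the limit). The script below is an added example for this page, not code from EICAR or from the press release: it encodes the acceptance rules published with the test file on eicar.org (the file must start with the fixed 68 characters, anything after them may only be space, tab, LF, CR or Ctrl-Z, and the whole file may not exceed 128 bytes) and reports which rule a candidate breaks. The sample inputs at the bottom are constructed for the demonstration; the function and constant names are mine.

```python
"""Validate a candidate EICAR test file in memory.

Added example, not code from EICAR or from the press release above.
It implements the acceptance rules published with the test file on
eicar.org: the file must start with the fixed 68-character string,
only whitespace (space, tab, LF, CR, Ctrl-Z) may follow it, and the
whole file must not exceed 128 bytes.
"""
import hashlib

# The 68 characters, split into three fragments so that this source
# file itself does not carry the contiguous signature (a scanner would
# otherwise quarantine the script as soon as it is saved to disk).
_FRAGMENTS = (
    r"X5O!P%@AP[4\PZX54(P^)7CC)7}$",       # 28 chars
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!",  # 35 chars
    "$H+H*",                                # 5 chars
)
STRING_LENGTH = 68
MAX_FILE_LENGTH = 128
# Padding bytes the standard allows after the string.
ALLOWED_PADDING = frozenset(b" \t\n\r\x1a")
# MD5 of the bare 68-byte file, as published by AV vendors; handy for
# matching quarantine log entries against the file you actually dropped.
PUBLISHED_MD5 = "44d88612fea8a8f36de82e1278abb02f"


def eicar_string() -> bytes:
    """Return the 68-byte test string, assembled only at run time."""
    data = "".join(_FRAGMENTS).encode("ascii")
    if len(data) != STRING_LENGTH:
        raise AssertionError("fragments do not add up to 68 bytes")
    return data


def check_eicar(data: bytes) -> str:
    """Return "ok" if `data` is a valid test file, else the rule it breaks."""
    if len(data) < STRING_LENGTH:
        return "too short: fewer than 68 bytes"
    if data[:STRING_LENGTH] != eicar_string():
        return "does not start with the 68-character string"
    if len(data) > MAX_FILE_LENGTH:
        return "too long: more than 128 bytes"
    if any(b not in ALLOWED_PADDING for b in data[STRING_LENGTH:]):
        return "non-whitespace bytes after the test string"
    return "ok"


def is_eicar_test_file(data: bytes) -> bool:
    return check_eicar(data) == "ok"


def matches_published_md5(data: bytes) -> bool:
    """True only for the bare 68-byte file; any padding changes the digest."""
    return hashlib.md5(data).hexdigest() == PUBLISHED_MD5


if __name__ == "__main__":
    # Constructed samples, not files from the page. Writing eicar_string()
    # to disk is the real detection test; here everything stays in memory.
    samples = {
        "bare": eicar_string(),
        "crlf": eicar_string() + b"\r\n",
        "utf8-bom": b"\xef\xbb\xbf" + eicar_string(),
        "comment": eicar_string() + b" # test",
        "overpadded": eicar_string() + b" " * 61,
    }
    for name, sample in samples.items():
        print(f"{name:11s} {check_eicar(sample)}")
```

Run it on a copy of whatever you were about to drop on a test machine (`check_eicar(open(path, "rb").read())`): a "does not start with" result on a file saved from Notepad usually means a UTF-8 BOM, and a "non-whitespace bytes" result usually means an editor or mail gateway appended something. Only the bare 68-byte file reproduces the published MD5, so compare digests against that form, not a padded one.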