Wednesday, October 25, 2006

CyberCrime and Vacation ...

I'm curious exactly how many people are being arrested and convicted of cybercrime in 2006. In 2004 there were about 100 people caught around the globe, in 2005 a few hundred, and so far in 2006 there have been about 60 arrests. I wonder if anyone is keeping an accurate record and has full cybercrime arrest statistics; these numbers are based on publicly accessible news sources. The numbers seem to be dropping. I'm afraid that modern cybercriminals are getting more experienced and more cautious, and it's becoming more difficult to investigate the cases. That's also what I generally see. At least I'll try to keep a record of what's going on in the last 2 months of this year, but for the next week you will find me on a beach or somewhere in a desert in the Emirates or Oman. Let's hope I'll get some rest and that no one tries to launch a major attack or malware during my week off.

Wednesday, October 18, 2006

iPods and Viruses!

Apple Support has a very interesting notice available today. It seems that some of the iPod (video) units available for purchase from September 12th contain the RavMonE.exe virus. More details are available from:
http://www.apple.com/support/windowsvirus/.
I'm not sure that Apple comes out of this very well. Their "apology", centred round a gratuitous snipe at Microsoft (from whom they could learn something about QA, at least in terms of malware management), is placed fairly inconspicuously a couple of levels down on their support page, and offers nothing by way of remediation except pointers to some anti-malware applications (including OneCare!). There is no real description of the problem either, and no attempt at risk evaluation. "Small number", "less than 1%", "less than 25", and "easy to restore" are mentioned frequently in the notice. With more than eight million iPods shipped in Apple's third quarter, I would be interested in a raw number for that 1% affected by this. What's one percent of a few million?
BTW, the name of it is W32/Rjump.worm. It is a worm written in the Python scripting language and converted into a Windows portable executable file using the Py2Exe tool. It attempts to spread by copying itself to mapped and removable storage drives, and also opens a backdoor on an infected system.
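Because the worm spreads by copying itself to the root of mapped and removable drives, one cheap defender-side check is to list the executables sitting directly in a drive root and flag any whose name matches a known sample name. The script below is an added example, not code from the original post, from Apple or from any anti-malware vendor; the only value taken from the page is the file name RavMonE.exe, and the sample drive layout, the function names and the extension list are constructed for illustration.

```python
"""Triage of drive roots for unexpected executables (added example).

The worm described in the post copies itself to mapped and removable drives,
so this walks the top level of a drive, reports every executable found there,
hashes it for later comparison, and marks names that match a known sample.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# File types that should rarely sit at the root of a removable drive (constructed list).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs")

# Known sample name from the Apple notice; Windows file systems are
# case-insensitive, so the comparison is too.
KNOWN_NAMES = {"ravmone.exe"}


@dataclass(frozen=True)
class Finding:
    path: str
    sha256: str
    known_name: bool   # True when the file name matches a known sample name


def sha256_of(path: str) -> str:
    """Hash the file in chunks so large media files do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_drive_root(root: str, known_names=KNOWN_NAMES) -> list:
    """Report executables located directly in `root`, not in subdirectories.

    Only the top level is inspected: a self-copying worm drops itself where
    a user browsing the drive sees it first, which is the root.
    """
    findings = []
    for entry in sorted(os.listdir(root)):
        full = os.path.join(root, entry)
        if not os.path.isfile(full):
            continue
        if not entry.lower().endswith(EXECUTABLE_SUFFIXES):
            continue
        findings.append(Finding(full, sha256_of(full), entry.lower() in known_names))
    return findings


def build_sample_drive() -> str:
    """Create a constructed 'removable drive' layout so the demo runs offline."""
    root = tempfile.mkdtemp(prefix="usb_")
    with open(os.path.join(root, "RavMonE.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)   # harmless stand-in bytes, not the real worm
    with open(os.path.join(root, "holiday.txt"), "w") as fh:
        fh.write("photos\n")             # a data file: ignored
    os.mkdir(os.path.join(root, "Music"))
    with open(os.path.join(root, "Music", "player.exe"), "wb") as fh:
        fh.write(b"MZ")                  # not at the root, so not reported
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    for f in scan_drive_root(drive):
        tag = "KNOWN SAMPLE NAME" if f.known_name else "unexpected executable"
        print(f"{tag}: {f.path} sha256={f.sha256}")
```

The hash is recorded so that a file flagged on one machine can be compared with copies found on other drives; a name match alone is only a hint, since the same name can belong to an unrelated file.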

Tuesday, October 17, 2006

First Pictures of the Virus Bulletin 2006 Conference in Montreal.

As always, this good conference ended too early. There were very good presentations. I very much liked the speeches from Mikko Hyppönen, Richard Ford, Sarah Gordon, Randy Abrams, Guillaume Lovet, Matthew Braverman and Paul Ducklin.
So I'm back home now. I will post a link to my pictures soon in all the virus-related forums. Meantime I'll give you a preview. And eh .. oh yes, I ended up at a real Canadian car show yesterday!

Wednesday, October 11, 2006

Virus Bulletin 2006 Conference Started!

And it was a good start in my opinion. In one of the best keynote speeches I have ever seen, my friend Mikko Hyppönen from F-Secure showed the audience the history of 20 years of malware. A history I have been part of for the last 16 years. Mikko, you did it again: a nice, interesting, to-the-point presentation. He reminded me a few hours later that he had read my blog about the trojans designed to target online computer games and virtual worlds. I must say that McAfee's blog and Mikko's blog (see www.f-secure.com/weblog ) reminded me about it, but I wrote it after my colleagues got some problems with it. I do have some good friends involved in these kinds of virtual worlds, and some of them got the infections as well! I personally also have a 'Second Life' in SecondLife. The thing is that I really want to create awareness of this situation, as it seems to become more problematic.
Back to the conference ... I will try to post some pictures of it shortly. And let's hope we will continue to see other good presentations. The goodies at the sponsor booths are not really surprising, ranging from what I call 'pepper spray' (an Anti Bacterial Hand Sanitizer) at the BitDefender booth, via 'EICAR newsletters' at the ICSA booth, to 'Keyboard Dusters' from Eset.

BTW, if you can find my alter ego (my name is enough) within SecondLife, I'll give you a goodie! ;-)

Sunday, October 08, 2006

Virtual Viruses in Montreal?

Just before going to Montreal and the Virus Bulletin Conference, I saw in the past weeks several trojans designed to target online computer games: Massively Multiplayer Online Role-Playing Games, such as World of Warcraft, EverQuest, Lineage, and Second Life. Now, this might sound pretty harmless to some of you. It sounds like kids using trojans to steal somebody's game progress, right? Wrong.
MMORPGs are big commercial operations with many millions of subscribers. With seven million subscribers paying monthly for their accounts, World of Warcraft's Blizzard Entertainment must have hundreds of millions in revenue per year. And there's lots of money involved in secondary markets. There are loads of people playing these games to create virtual stuff to sell at auction. But why make virtual stuff when you can steal it? The target of the trojans is to gain access to thousands of accounts to steal the gold, weapons, and spells those accounts possess. Then the gold, weapons, and spells are transferred to other accounts and sold in online markets, for real-world cash.
At least Montreal is a normal city with real people, a real conference and real malware. I'm looking forward to it because it's not virtual.

Here I come Montreal!

I'm nearly ready to go to this year's Virus Bulletin Conference venue in Montreal, Canada. In past years we got some outbreaks during these conferences, but I don't think this will be the case now ... well, let's hope so. I will give you an update when I'm there or when I'm back, including some pictures. You can find more at www.virusbtn.com . This year I'm not speaking.

Wednesday, October 04, 2006

MSN problems and a VRT interview today.

The criminals behind a recent MSN worm have been quick to respond to MSN's updated network filters, and have already deployed a new method (which has already been seen in the wild) to bypass the filters. What is it? Offline messages. Windows Live Messenger (aka MSN Messenger 8) introduced the long-awaited ability to send messages to offline users. Users of earlier versions of MSN Messenger can receive messages sent while they're offline; they just can't send messages to their contacts who are offline. Why is this important? It turns out that messages sent to offline contacts in WLM aren't being filtered in any way! This means that the attackers can send any message they want, provided it's to offline users. I know that messages are being sent to offline users, but at the moment it's not absolutely clear how this is being done. It's to be hoped that Microsoft will fix this loophole as soon as possible. We'll also be keeping our eyes open for an IM worm which sends messages specifically to offline contacts. Because of this kind of new problem I've been interviewed today by the Belgian broadcast TV station VRT. If I have the time I will put the interview online within the next week ... and that will be a busy week for me ... I will be off to the yearly VB conference, this time in Montreal, Canada.
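The design lesson in this story is where the filter sits: a check applied only on the online delivery path leaves any other path (here, the newer offline store) unmediated. The model below is an added example, not code from the original post and not Microsoft's implementation; the two relay classes, the blocking rule, the contact names and the message text are all constructed to show the flawed placement next to the corrected one.

```python
"""Filter placement in an IM relay: split-path (flawed) vs. choke point (added example).

Models the situation described in the post: messages to online contacts pass a
network filter, messages to offline contacts do not. Nothing here is real
Messenger code; the rule, contacts and messages are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed blocking rule: a link whose path ends in an executable file type.
# Note that ".com" is deliberately absent, since it would match every .com domain.
BLOCK_PATTERNS = [re.compile(r"https?://\S+\.(exe|scr|pif)\b", re.I)]


def is_blocked(text: str) -> bool:
    """Return True if any blocking rule matches the message text."""
    return any(p.search(text) for p in BLOCK_PATTERNS)


@dataclass
class Contact:
    name: str
    online: bool
    inbox: list = field(default_factory=list)          # delivered immediately
    offline_store: list = field(default_factory=list)  # queued until next login


class SplitPathRelay:
    """Flawed design: each delivery path does its own filtering, and the
    offline-store path, added later, never received a filter call."""

    def send(self, to: Contact, text: str) -> str:
        if to.online:
            if is_blocked(text):
                return "blocked"
            to.inbox.append(text)
            return "delivered"
        to.offline_store.append(text)   # no filter on this path: the bypass
        return "stored"


class ChokePointRelay:
    """Hardened design: one filter decision at the single entry point, so
    every present and future delivery path inherits it."""

    def send(self, to: Contact, text: str) -> str:
        if is_blocked(text):
            return "blocked"
        if to.online:
            to.inbox.append(text)
            return "delivered"
        to.offline_store.append(text)
        return "stored"


def demo(relay_cls) -> dict:
    """Send one worm-style message to an online and an offline contact and
    report what each delivery path did."""
    worm_msg = "look at this pic http://example.invalid/photo.pif"   # constructed text
    alice = Contact("alice", online=True)
    bob = Contact("bob", online=False)
    relay = relay_cls()
    return {"online": relay.send(alice, worm_msg), "offline": relay.send(bob, worm_msg)}


if __name__ == "__main__":
    print("split path :", demo(SplitPathRelay))   # offline copy is stored unfiltered
    print("choke point:", demo(ChokePointRelay))  # both copies blocked
```

The point generalises beyond instant messaging: whenever a new delivery or storage path is added to a service, the check should be reachable from the common entry point rather than re-implemented per path, or the new path ships without it.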