Monday, December 31, 2007

Happy New Year!

Be very careful as the Storm Worm keeps spreading his word and email messages.
In fact, it may be a good idea to be suspicious of any email arriving in your inbox that wishes you New Year’s greetings, especially if it asks you to click on a link to retrieve it. What makes these malware domains difficult to take down is the methodology in which these criminals have deployed them, and the clever way they knew how to maximize their “window of opportunity” due to registrar operation hours during the end-of-year holiday. And a lot of registrars are just closed for the next 7 to 10 days. Ten or more days of availability — at the very least — will more than likely contribute to these criminals building an even larger botnet.
Nevertheless A Happy New Year from me to you all and ...
stay tuned as 2008 will bring again other things to look at ... also for me. ;-)

Friday, December 28, 2007

Bhutto Assassination Malware ...

Cybercriminals wasted no time riding on the tragic and shocking news of former Pakistan Prime Minister Benazir Bhutto’s assassination, as some AV and security companies discovered a number of malicious Web sites that came up on Google search results using the simple search term “benazir”. These sites attempt to infect users who want to know more about the unfortunate incident. One of the sites in question has an embedded malicious JavaScript redirect. The malicious script downloads a Trojan which in turn downloads more malicious files. There is even a host of other news sites and blogs taking advantage of this news. The malicious JavaScript is also embedded in other Web sites with a wide scope of topics and interests. There are many other sites that have been possibly compromised including MSN, BlogSpot, etc. Most AV products are detecting these files as malware already however but like always, be aware that it could go wrong somewhere.
It's a shame that such things happen on the back of other shocking news facts.

Tuesday, December 25, 2007

Storm is Back!

After 2 very quiet months the Storm gang seems to be back in business.
Shortly after 0000 GMT 24-DEC-2007 reports came in indicating that the Storm Botnet was sending out another wave of attempts to enlist new members. This version is a Christmas-themed stripshow directing victims to merrychristmasdude.com.

The message comes in with a number of subjects:
Subject: I love this Carol!
Subject: Santa Said, HO HO HO
Subject: Christmas Email
Subject: The Perfect Christmas
Subject: Find Some Christmas Tail
Subject: Time for a little Christmas Cheer

Updated subjects:
“Merry Christmas To All”
“Warm Up this Christmas”
“Mrs. Clause Is Out Tonight!”
“The Twelve Girls Of Christmas”
“Jingle Bells, Jingle Bells”
“Cold Winter Nights”

The body is something similar to:
This Christmas, we want to show you something you will really enjoy. Forget all the stress for two min and feast your eyes on these. ;-) http://merry christmasdude.com/

But that's not all ... I also saw another zipped sample sent straight to one of my honeypots with a subject 'Merry Christmas' and an infected 'ecard.zip' attached!

Be very carefull these days as scanners are less updated and the infected samples can pass easily!!

A Merry Christmas to you all!

Sunday, December 16, 2007

2007: A year of threats across several technologies.

The main trend I have observed this year has been the spread of malware activity across several forms of technology and applications. I wrote for Virus Bulletin magazine a comment article about this which has just been published in the December issue. You can read the full article at my press page or at the Virus Bulletin magazine site or via this link.
I'm looking forward to the new year as this will bring some new opportunities for me. I will give you more info soon.

Sunday, December 09, 2007

Attention with e-cards!

It is the season to be wary. Sadly, malware authors are quick to seize on current events to cloak their social engineering attacks -- which typically involve tricking people into clicking on a malicious link or visiting a malicious Web page -- in an aura of legitimacy. So it seams again that the holiday season brings a surge in holiday-oriented scams as already new malware oriented e-cards started to appear.
Some of these e-cards are purportedly sent from a legitimate source and try to lure the victim to click on the link to view the e-cards, which have underlying tricks to try and infect the computer. With the Xmas bells starting to ring, the first incidents started to appear already. While these e-cards may appear to come from a familiar brand name, the "From:" field is forged. And the spammer responsible, perhaps aware that e-cards have acquired an air of disrepute, has even gone so far as to include the phrase "(no worm, no virus)" in the e-card's text, as if such an assurance made the message safe. ;-)

So in short, don't send fancy e-cards, just use plain text messages! They are much safer and to my opinion much nicer ... If everybody would do this, it could create at least a little bit a more safer internet.

Sunday, December 02, 2007

EICAR Call for Papers, Laval (France)

17th EICAR Annual Conference

IT Security is facing a paradigm shift
New threats and more subtle methods of attack require
different approaches and solutions

The 17th Annual EICAR Conference to be held from 3 May to 6 May 2008 in Laval, France brings together experts from industry, government, military, law enforcement, academia, research and end-users to examine and discuss new research and development in anti-virus, malware, e-security, e-forensics and Information and Communications Technology (ICT) Management
The main theme EICAR 2008 conference will be devoted to Malware and Virtualization. The new malware threats which have recently emerged with virtualization (e.g. SubVirt and BluePill malware) represent a huge and complex challenge to current detection capabilities. With virtualization, malware detection is bound to undergo a major revolution. The aim of EICAR
2008 conference is to gather computer virology experts (researchers, AV industry people...) to think about the best technical or non-technical solution in order to fight against virtualization-based malware.

This call for papers invites the submission of full papers and abstracts on one or more topics that may include but are not restricted to:
* Virtualisation and its Risks
* Malware and Virtualisation
* Malicious code and its side effects
* Viruses and worms
* Vulnerabilities and Software Bugs
* Spam and Phishing
* Spyware
* e-Crime and e-Forensics
* Information Assurance
* Ethical and Moral Aspects of Malware Writing
* Identity Management
* ICT Security and Policy Management
* Intrusion Detection and Prevention
* Human aspects of INFOSEC
* Awareness and Education
* Cryptography and Steganography
* Legal, Privacy and Social Issues of ICT Security
* IT Governance and Compliance
* Cyber Terrorism

The conference committee is seeking submissions of papers for oral presentation at the conference in two major categories:
* Peer reviewed papers - these papers will be selected on
basis of blind peer review by members of the program
committee and other independent reviewers (where necessary).
Case studies, research in progress and full research papers
will be considered for the inclusion in the conference
program. There is no definitive word limit fo
the submissions; however, it is anticipated that submissions
will be between 3500 and 5500 words. The program committee
will not accept research proposals for submission to
the conference.
* Other papers - these papers will not be peer reviewed,
however due to the considerable interest in the conference
in the previous years these papers will also be selected
by the program committee. This category covers corporate
papers, best practices, new technologies, policy issues etc
and the conference committee are eager to obtain submissions
from industry, government and other sectors for this category.
However, marketing papers will not be accepted for
the conference.

The conference committee can accept only limited number of papers in each category and the acceptance ratio in the past few years was about 30-40% of submitted papers only. All accepted papers will be published in electronic form on the Conference CD-ROM and peer reviewed papers only will be published in the printed version of the EICAR Conference Proceedings (book with ISBN). The best papers will be published in a special issue of the Journal in Computer Virology, a research journal published by Springer Verlag.

Submission deadlines:
Peer reviewed papers (in full) due 20 January 2008 Other papers (non reviewed - abstracts) due 20 December 2007

Full CFP is available at
http://conference.eicar.org/