Monday, December 27, 2004

New Php problems ...

Php users, Update php and AV sigs, MS users, Update your AV sigs....
A few of the pairs of eyes in the FOSS (Free and Open Source Software) community recently looked over the security of php, and as a result of that community effort developers released new versions in a flurry last week. If you haven't updated, please do so asap. A php Internet worm released on 12/25/2004 that doesn't use php bulletin boards - it attacks "ALL php scripts/pages which are vulnerable to a "File Inclusion" Flaw". K-OTik Security has issued an Alert to clarify issues relating to whether or not php worms commonly named santy.c and santy.e attack bulletin boards. They have demonstrated that a php worm released on 12/25/2004 and commonly called santy.c and santy.e has had incorrect information associated with the descriptions of it that may delude you into thinking that, since you do not use php bulletin boards, your server is not at risk. K-OTik Security has named this the PhpInclude.Worm and their alert is emphatic that "This worm attacks ALL php scripts/pages which are vulnerable to a "File Inclusion" Flaw (related to an insecure use of the Include() & Require() functions). These "programming" flaws are independent from the server's PHP version, they result from common coding mistakes" K-OTik has described this worm as a significant threat.
Why does K-OTik publishes the code on the net?! I have my own thougths on publishing such code on the internet. Everybody can easily grab this code and create their own worm or virus with it. Is it not enough just to publish the news on the net? Publishing such code on the net is for me the same as what virus writers are publishing on their websites... if you know what I mean. Again an example from what I call 'unethical code publishing'. The internet is really becoming the playground for such people.

Friday, December 24, 2004

Merry Christmas Microsoft ...

Three new MS Windows vulnerabilties have been published, along with 'Proof of Concept' exploit codes. All vulnerabilties reported are targeted at NT based systems, NT, 2000, 2003 and XP. This involves one overflow in Windows its winhlp32.exe file, which is used to open .hlp files.The other vulnerabilities don't affect Windows XP/SP2, showing again that XP/SP2 seems to be more secure than previous versions.
This includes a vulnerability with which a specially crafted .bmp, .cur, .ico or .ani file can cause arbitrary code to be run.The other vulnerability is a DoS, a specially crafted .ani file can cause the system to crash. A vulnerability, which can be considered critical, released one day before Christmas, not an ideal situation to say the least.Yet another reason to be even more careful these holidays. I hope we don't see anything else and that everybody at least can enjoy there holidays. Merry Christmas to everybody!

Wednesday, December 22, 2004

Santy killed in action by Google

Santy has died. The Santy worm is not spreading any more, thanks to Google.
Google started filtering the queries made by the worm around midnight GMT, effectively stopping the spread of the worm. Apparently they are doing this based on a combination of the search terms and the User-Agent header field.
Google has also started showing the defaced websites in it's index. MSN Search already had them visible over 12 hours ago, so apparently the indexing process takes longer at Google.
Like I reported earlier, MSN Search reports huge numbers of websites to be affected. However, if you keep viewing the search index pages, you get different results. MSN Search reports 29,000 hits, but runs out of the hits already on search index page 15 - with 153 actual hits shown. Google finds about 1500 defaced sites right now. It's hard to estimate how many actual sites got hit. So the possible 39.000 number from my former report could be completely wrong!

Tuesday, December 21, 2004

Santy.a infection on websites!

Today I received some reports about certain sites being defaced. Investigation has shown that a worm which utilizes a vulnerability in phpBB is responsible for this. Further analysis has shown that although older versions of phpBB are vulnerable, phpBB 2.0.11 is not. Therefore I strongly urge everyone to update to phpBB 2.0.11 to prevent infection by this Worm. Almost 40,000 sites may have already been infected. Using Microsoft's Search engine to scan for the phrase "NeverEverNoSanity"--part of the defacement text that the Santy worm uses to replace files on infected Web sites--returns nearly 39,000 hits. This virus spreads on web servers running the phpBB 2.x application. Other systems are not affected. The worm uses Google to search for target systems to attack, by running a query for text present on web pages that are served by phpBB. A normal pc user cannot be infected by the worm by visiting an infected website.

Free AV for Belgium?

Yesterday, Phillippe De Coene made a proposal to give free anti-virus and security software to the Belgian citizens as a service. You can read more on the website .
As I like the original proposal some of the practical stuff mentioned by Phillippe seems to me completely unrealistic. To use ISP's to provide free AV tools is an idea which is realised already by most of the Belgian ISP's. I particularly liked the idea to give AV for free to the Belgian citizens however how would you do that: Buy 2 million copies of McAfee for Belgium? His proposal to nearly create 'another' (free) package by the help of our universities is very naive ! It's completely impossible. To stop computers from coming on the network (another step in his proposal) without anti-virus is the general idea from what the AV industry tries to realise in corporate networks... I know how to implement this in a corporate network. It is theoretical possible to do this in this situation but it's not evident. Do you think that a normal home user wants this always? You are touching his or her 'free thinking' isn't it? A human or in this case a pc user must have the possibility to choose. And what about the aspect of support of the product. The main problem with every software package is support! How does he think to realise that? Changing the BIPT into a normal CERT is the only concrete and realistic idea I've heard in the proposal. Maybe he wanted the attention by the press just to realise that last part.

Monday, December 20, 2004

Adware moves in the virus arena...

Adware is changing his behaviour. Adware has been compared to Trojan code for quite some time, but now we're seeing Adware behaving like a file infector. A variant of the infamous CoolWebSearch family is infecting legitimate files in a way that when the infected file gets run, the Adware file gets loaded too. This is something new. This means that you need to disinfect the legitimate file. It will be interesting to see how most anti-spyware programs will cope with this issue, as their engines aren't designed to disinfect executable files. Is this the dead of most anti-spyware programs or will it speed up the process of integration inside the real anti-virus programs?

Thursday, December 16, 2004

Microsoft and Spyware!

Microsoft Corp. today announced that it has acquired GIANT Company Software Inc., a provider of anti-spyware and Internet security products. Microsoft will use intellectual property and technology assets from the acquisition to provide Microsoft® Windows® customers with new tools to help protect them from the threat of spyware and other deceptive software. Microsoft plans to make available to Windows customers a beta version of a spyware protection, detection and removal tool, based on the GIANT AntiSpyware product, within one month. The upcoming beta will scan a customer's PC to locate spyware and other deceptive software threats and enable customers to remove them. The tool will be configurable to block known spyware and other unwanted software from being installed on the computer. It will be available for Microsoft Windows 2000 and later versions. More information about Microsoft and its efforts to address computer security and provide customers with guidance about spyware and information about anti-spyware solutions is available at Interesting, isn't it?!

Wednesday, December 15, 2004

And other Christmas viruses ...

Indeed it's not only Zafi.d but also Atak.i or h (depending on the AV vendor) which seems to be attacking our pc's this time and that latest one hides itself also as a Christmas card. It's not the first time we see such things however it's the first time I saw a Christmas e-card Virus in Dutch(Zafi.d)! In the past we saw for instance 'Happy99' which caused also a lot of problems several years ago. Again the social engineering trick seems to work. People please think twice if you come across a new Christmas card. Just use plain text, that's what I call 'retro', if you know what I mean .... And Oh yes, VRT Radio called me today about this problem. I was in 'Actueel' and other news-journals from 15h to 19h. Look at 'press' page for more info.

Tuesday, December 14, 2004

W32/Zafi.d@mm spreading !

W32/Zafi.d@mm sends fake e-Christmas cards and seems to be spreading in the wild. We also saw some samples over here in Belgium. Most AV vendors give this a medium level alert. Find more info at the AV vendors websites.

Sunday, December 12, 2004

Eddy/NOXS in Data News

Last friday two nice articles appeared in Data News, a professional magazine which is read by the Belgian IT-world. One article was dedicated to NOXS and the other one was looking into my career until now. They even published a picture of my family, what appears to be the first time for such a magazine!

Wednesday, December 08, 2004


I was just interviewed by RTL-TVI (French) Television concerning the problems with viruses during the last year. It was a headline in the news from 19h 8 December 2004. We will put this on our press page next week.

Tuesday, December 07, 2004

Spyware booming?

The deluge of spyware festering on consumer and corporate PCs will help to spark a boom in spending on security software. Spyware, also known as adware or malware, is infecting millions of computers with multiple purposes: stealing personal information, enabling identity theft, tracking users' online activity, and selling the information back to anyone willing to pay. At the moment anti-spyware will increasingly become part of antivirus vendors' offerings. Spyware is very different from viruses however, and is much more difficult to eliminate because it establishes itself in a computer's registry. In my opinion the antivirus vendors will take the lead in tackling spyware very shortly.

Sunday, December 05, 2004

WAVCi Website redesigned!

Our design of the WAVCi website didn't change since august 1995. We thought it was time to change it now. So we redesigned it completely and published it last night. I hope you like it. Please let me know what you think of it ...

Saturday, December 04, 2004

Lycos attacks spammers

In a surprising move, Lycos Europe has started organizing a distributed denial-of-service attack against web sites run by spammers.
Lycos, via its site, is offering a free screensaver for download. The screensavers make constant http requests to spam websites. The idea is to slow down spam servers by overloading them - ie. by launching a DDoS. Which is illegal in many, many countries.
Although this seems like a good idea, I don't recommend using the screen saver because of possible legal problems.
In an interesting twist, apparently one of the spam sites under attack from Lycos' "Make Love not Spam" operation has turned the tables. The front page of a spammer site called (which used to sell cheap mortgage loans) has been changed to contain a Meta Refresh tag, redirecting all web traffic
As an end result, depending on how the Lycos client works, the screen savers downloaded from might be attacking the download site itself.
In another development, Lycos made a statement that this site was not defaced yet.
Lycos has confirmed that their screensaver does not follow Meta Refresh tags, so this attempt by spammers will fail. The site seems now to be temporarily unavailable...

Microsoft releases critical update for IE !

A few days ago Microsoft released a critical update for Internet Explorer. Affected systems are Windows NT, 2000 and Windows XP.Windows XP SP2 and the 64 bit version are not affected.
More detailed information can be found in Microsoft Security Bulletin MS04-040
This update fixes a bug that allows remote code execution. This bug has been exploited by several malware lately.

Eddy on Radio 2 - Huisraad

30 November 2004 - I was interviewed live by Kim Debrie for her radioshow 'Huisraad' at 8:15 am. Also this 'snippet' in mp3 format will be published on our site next week. We got a lot of response from the listeners after putting the NOXS-contact details on the Radio 2 website.