Monday, January 31, 2005

XP SP2 heap protection bypassed.

It had to happen; security is a race, isn't it? Microsoft's SP2 heap protection can be bypassed...
The bypass gives an attacker:
o) arbitrary write access to a memory region (of 1016 bytes or less);
o) arbitrary code execution;
o) a DEP bypass.
An excellent paper by Positive Technologies, the authors of MaxPatrol, lays out the theory, with code examples, of how to exploit heap overflow vulnerabilities on Windows XP SP2 and on CPUs with DEP. The paper can be read here.
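To make concrete what "SP2 heap protection" is, here is an added example of my own (a toy model, not code from the Positive Technologies paper and not Windows code): a doubly-linked free list with the pre-SP2 unlink next to the SP2-style "safe unlinking" check. With the old unlink, a chunk header overwritten by a heap overflow becomes an arbitrary pointer write; with the check, the same corrupted header is refused. The paper's own approach, which goes after a free-list path the check does not cover, is not reproduced here. All names and the victim layout below are my assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example: toy model of a doubly-linked heap free list (not Windows
   code). It shows why the back-pointer check XP SP2 added to unlink stops
   the classic "write-4" heap overflow primitive. Names are my own. */

typedef struct entry {
    struct entry *flink;   /* forward link */
    struct entry *blink;   /* backward link */
} entry_t;

/* Pre-SP2 style unlink: trusts both neighbour pointers blindly. If an
   overflow has replaced flink/blink, the second store below becomes
   "write the value 'blink' to address 'flink' + offsetof(blink)", and the
   first store is the companion write into 'blink' + offsetof(flink). */
static void unlink_unsafe(entry_t *e)
{
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
}

/* SP2 style "safe unlinking": only proceed when both neighbours still point
   back at the entry being removed. Returns 1 on success, 0 when the list
   looks corrupted (a real heap raises a heap-corruption error instead). */
static int unlink_safe(entry_t *e)
{
    if (e->flink->blink != e || e->blink->flink != e)
        return 0;
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    return 1;
}

/* Stand-in for the attacker's target: a structure holding a pointer the
   program later trusts. Laid out so that, when its address is used as a
   fake 'flink', the trusted pointer lines up with the 'blink' slot. */
typedef struct {
    entry_t *padding;        /* occupies the 'flink' slot of the fake entry */
    entry_t *trusted_ptr;    /* occupies the 'blink' slot: the real target */
} victim_frame_t;

/* Stand-in for attacker-controlled bytes the hijacked pointer should end up
   pointing at. In a real attack its first pointer-sized word is clobbered
   by the companion store, which is why such payloads start with a jump. */
static entry_t payload;

/* Build a chunk header the way an overflow would leave it. */
static entry_t corrupted_entry(victim_frame_t *f)
{
    entry_t e;
    e.flink = (entry_t *)f;  /* target address minus offsetof(blink) */
    e.blink = &payload;      /* value that will be written there */
    return e;
}

/* Old unlink: the corrupted header redirects trusted_ptr to the payload. */
int demo_unsafe_unlink_hijacks_pointer(void)
{
    victim_frame_t f = { NULL, NULL };
    entry_t e = corrupted_entry(&f);
    unlink_unsafe(&e);
    return f.trusted_ptr == &payload;          /* 1: pointer hijacked */
}

/* SP2 unlink: same header, but the back-pointer check fails first. */
int demo_safe_unlink_blocks_hijack(void)
{
    victim_frame_t f = { NULL, NULL };
    entry_t e = corrupted_entry(&f);
    int ok = unlink_safe(&e);
    return ok == 0 && f.trusted_ptr == NULL;   /* 1: write refused */
}

/* The check must still let a genuine entry go: head <-> a <-> b, remove a. */
int demo_safe_unlink_accepts_valid_list(void)
{
    entry_t head, a, b;
    head.flink = &a; a.blink = &head;
    a.flink = &b;    b.blink = &a;
    b.flink = &head; head.blink = &b;
    int ok = unlink_safe(&a);
    return ok == 1 && head.flink == &b && b.blink == &head;
}

int main(void)
{
    printf("unsafe unlink hijacks pointer: %d\n", demo_unsafe_unlink_hijacks_pointer());
    printf("safe unlink blocks hijack:     %d\n", demo_safe_unlink_blocks_hijack());
    printf("safe unlink accepts valid:     %d\n", demo_safe_unlink_accepts_valid_list());
    return 0;
}
```

The point of the check is that a forged header cannot satisfy both back-pointers unless the attacker also controls the memory at the addresses it names, which turns a blind four-byte write into something much harder to use.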

Sunday, January 30, 2005

Viruswriter Jeffrey Lee Parson sentenced.

Jeffrey Lee Parson, the teenager responsible for a minor variant of the Blaster worm, has been sentenced to 18 months in prison after pleading guilty. Let's hope the authorities can also find the writer of the original Blaster. More info here.

Thursday, January 27, 2005

storm could be finished very fast!

was going 'medium' this morning in the world. This virus again has several aliases: Bagle.AX, Bagle.AY, Bagle.BK, Email-Worm.Win32.Bagle.ay, Bagle.AU, etc.
In heaven's name, one name would be enough, guys... We saw a lot of them today in Belgium, but with all the precautions taken I think we will not see much more tomorrow. It is already going downwards on some sites.

Monday, January 24, 2005

E-mail Management and Security Seminar with IT Works

If you want to know more about e-mail management and security, you should come to the new seminar from IT Works on February 16, 2005 at the Sofitel in Diegem. I'm doing a presentation about malware for NOXS and IT Works, and it could be very interesting as I am going to speak about nearly every anti-malware solution! You can find more information about it on the IT Works site, and more about the speakers at . I'm even going to try to 'clean' a 'special' virus infection during the presentation...

Wednesday, January 19, 2005

Viruswriters not always so young...

Mr. Marcos Velasco (32) from Brazil quite openly writes viruses and makes them available from his website to anyone in the world. Apparently this is not illegal in Brazil.
So anyone can download all his viruses, complete with source code, and do whatever they want with them, and Mr. Velasco has no problem with this. He has just given an interview about his activities to the Finnish magazine ITViikko. The interview has been published in English on
Writing viruses is wrong. Distributing them is even worse. It should be illegal, too.
Does he really know what he is doing?

Tuesday, January 18, 2005

Cabir found in UK.

The Cabir worm was originally written as a proof of concept in 2004 and released to a limited group of people and to the anti-virus companies at the time. It was only in the wild in a limited fashion; however, in recent weeks the number of variants and infections has been increasing. The source code was released a short time ago in the 29A eZine issue 8, which could account for the rise in infections of the original variant of Cabir. I have confirmed reports by Kaspersky and F-Secure from the UK, Russia, Vietnam, Turkey, India, Finland, China, Singapore, the United Arab Emirates and the Philippines. My advice to users with Symbian OS Series 60 based phones: if you have Bluetooth enabled, make sure your phone is hidden (not discoverable over Bluetooth) and only make it discoverable when you need it for pairing.

Tsunami seems to be a virus.

The W32/Zar worm (also called W32/VBSun.a, among other names) spreads via email, tempting innocent users into opening its malicious attachment by pretending to be information about how to donate to tsunami relief. Running the attached file not only forwards the virus to other internet users but can also start a denial-of-service attack against a German hacking website. The spread and total impact at this moment are very low.

Sunday, January 16, 2005

Another Mydoom, the first for 2005.

This is a mass-mailing and peer-to-peer file-sharing worm. It sends various types of messages with EXE, SCR or PIF attachments (31774 bytes) or a ZIP attachment (variable size).
The message bodies we have seen so far include these:
o) The message contains Unicode characters and has been sent as a binary attachment.
o) Mail transaction failed. Partial message is available.
o) The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
You can find more on all the AV vendors websites.
We don't see much traffic for this going on at this moment here in Belgium.
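As an added example of my own (not a vendor signature and not code from the post), here is a mail-gateway style rule built from the indicators above: the EXE/SCR/PIF attachment of 31774 bytes, the ZIP of variable size, and the three fake-bounce body texts. The verdict names, the rule logic and the sample messages are my constructions; it generalises slightly by also flagging a ZIP when it rides under one of the bounce texts.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Added example (mine, not a vendor signature): a mail-gateway style rule
   built from the indicators in the post: EXE/SCR/PIF attachments of 31774
   bytes, ZIP attachments of variable size, and three fake-bounce body
   texts. The sample messages at the bottom are constructed for the demo. */

enum verdict { CLEAN = 0, SUSPICIOUS = 1, BLOCK = 2 };

static const char *const BOUNCE_LURES[] = {
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "Mail transaction failed. Partial message is available.",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
};

static const char *file_ext(const char *name)
{
    const char *dot = strrchr(name, '.');
    return dot ? dot + 1 : "";
}

static int is_executable_ext(const char *ext)
{
    return strcasecmp(ext, "exe") == 0 || strcasecmp(ext, "scr") == 0 ||
           strcasecmp(ext, "pif") == 0;
}

static int body_has_bounce_lure(const char *body)
{
    size_t i;
    for (i = 0; i < sizeof BOUNCE_LURES / sizeof BOUNCE_LURES[0]; i++)
        if (strstr(body, BOUNCE_LURES[i]) != NULL)
            return 1;
    return 0;
}

/* Classify one message from its body text and attachment name/size.
   BLOCK      : executable attachment with the known size, or an executable
                or ZIP attachment under a fake-bounce body.
   SUSPICIOUS : executable attachment but nothing else matches (a policy
                call; many sites block these outright anyway).
   CLEAN      : everything else, including ZIPs with an ordinary body. */
enum verdict classify_message(const char *body, const char *attach_name,
                              size_t attach_size)
{
    const char *ext;
    int executable, zip, lure;

    if (attach_name == NULL || *attach_name == '\0')
        return CLEAN;                      /* no attachment, nothing to run */

    ext = file_ext(attach_name);
    executable = is_executable_ext(ext);
    zip = strcasecmp(ext, "zip") == 0;
    lure = body_has_bounce_lure(body);

    if (executable && attach_size == 31774)
        return BLOCK;                      /* exact size from the post */
    if ((executable || zip) && lure)
        return BLOCK;                      /* bounce text + runnable payload */
    if (executable)
        return SUSPICIOUS;
    return CLEAN;
}

/* Constructed samples, not real captures. */
struct sample { const char *body; const char *name; size_t size; };
static const struct sample SAMPLES[] = {
    { "Mail transaction failed. Partial message is available.", "message.scr", 31774 },
    { "The message contains Unicode characters and has been sent as a binary attachment.", "document.zip", 2048 },
    { "Hi, here is the photo from Saturday.", "photo.jpg", 120000 },
    { "Please find the installer attached.", "setup.exe", 5120 },
};

/* Number of constructed samples the rule blocks (2 for the list above). */
int demo_count_blocked(void)
{
    size_t i;
    int blocked = 0;
    for (i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++)
        if (classify_message(SAMPLES[i].body, SAMPLES[i].name, SAMPLES[i].size) == BLOCK)
            blocked++;
    return blocked;
}

int main(void)
{
    printf("blocked %d of %zu constructed samples\n", demo_count_blocked(),
           sizeof SAMPLES / sizeof SAMPLES[0]);
    return 0;
}
```

The exact-size match is the brittle part: a repacked variant changes it immediately, while the combination "fake bounce text plus a runnable attachment" survives repacking, which is why the rule keeps both.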

Virus Writer Benny again in the News.

Virus writer Benny from 29A, who has already appeared in this weblog, has apparently again given an interview to the international media.
This time he's speaking with Robert Lemos from CNET.
Full article is here.

Anti Virus Vendor court case in France.

There's an ongoing court case in France between Tegam International (French Antivirus vendor) and Guillaume Tena (aka Guillermito). The case is about Mr. Tena finding and publishing possible security vulnerabilities in ViGuard, an antivirus product made by Tegam.
Read both sides of the story: Tegam's version and Mr. Tena's version. More on the court case at

Google Gmail flaw !

The popular free Google email service, Gmail, has been found by the UNIX Community group of HBX Networks to contain a flaw which could allow an attacker to see fragments of other users' email.
The flaw can be exploited by sending specially crafted email messages to oneself: information left in memory from email previously handled for other people then appears within the email delivered to the attacker. Sometimes these fragments contain personal information, usernames and passwords, and other potentially sensitive data. You can discover more about this flaw and see more details on the HBX Networks UNIX Community Group website.

Tuesday, January 11, 2005

McAfee releases Google Hacking tool...

SiteDigger 2.0, made by the Foundstone division of McAfee, is designed to harvest "security exposures" using the world-famous search engine. Allegedly it contains 1000+ signatures from Foundstone as well as signatures from (including the latest web cam signature). The only downsides I can see are that you need Microsoft .NET and a Google account. If you are using a free Google account you will be limited to 1000 searches a day.

Monday, January 10, 2005

Exploit code attacks unpatched IE bug.

Code which exploits a vulnerability in the HTML Help control of Internet Explorer has been released onto the net. Secunia has upgraded the vulnerability, uncovered in October 2004, to "extremely critical". Even users who have upgraded to Windows XP SP2 with all available patches are affected, the security reporting firm warns. The vulnerability can be exploited by malicious people to place and execute arbitrary programs on a client system when a user visits a malicious website; no further user interaction is required. It was originally discussed as the Drag'n'Drop vulnerability back in October 2004; the new development uses only flaws in the HTML Help control. Users can only protect themselves by disabling ActiveX support or using another browser. Some AV products detect the exploit heuristically and some by signature; some do not detect it at all!

First File Infector for Symbian Based Mobile Phones

A new Symbian OS virus has been released which, unlike the Symbian OS malware seen so far, is a file infector: it can infect Symbian OS SIS installation files.
The worm, currently known as Lasco.A, uses Bluetooth to infect other mobile phones that run the Symbian Series 60 platform. Lasco.A appears to be based on the same source as the Cabir.H worm and is in large part very similar to it; the difference is that Lasco.A can also infect SIS files on the phone. The worm replicates over Bluetooth connections and arrives on the phone as the file velasco.sis. When the user runs velasco.sis and chooses to install it, the worm activates and starts looking for new devices to infect over Bluetooth. As long as the target is discoverable and within range, the infected SIS file is sent to the remote device. Like Cabir before it, Lasco.A can only reach Symbian Series 60 phones that have Bluetooth turned on and set to discoverable.

Thursday, January 06, 2005

Microsoft in the Virus Arena ...

Microsoft Corp., whose popular Windows software is a frequent target for Internet viruses, is offering a free security program to remove the most dangerous infections from computers.
The program, with monthly updates, is a step toward plans by Microsoft to sell full-blown antivirus software later this year. Microsoft said Thursday that consumers can download the new security program from the company's Web site and that updated versions will be offered automatically and free each month. It will be available starting Tuesday. Also, Microsoft offered Thursday a free program to remove "spyware," a category of irritating programs that secretly monitor the activities of Internet users and can cause sluggish computer performance or popup ads. Microsoft said the virus-removal program will not prevent computer infections and was never intended to replace the need for traditional antivirus software, such as flagship products from McAfee Inc. or Symantec Corp.
MS has approached the AV market space very strangely, and certainly could have improved its OS's security stance many times more, and for much less outlay than the cost of its GeCAD AV purchase, _AND_ left the annoying, always-on-a-hiding-to-nothing and expensive-to-support end-user market to the traditional AV players interested in those crumbs. This was, of course, largely predictable given MS's long history of never inventing anything terribly useful and never doing anything terribly creative, and became entirely predictable when it became clear that MS "needed" to buy an AV developer.
Being in the traditional AV marketplace (and the emerging anti-spyware marketplace) will make MS's OSes no more "secure", "reliable" or "trustworthy" than DOS ever was.
Microsoft, please take my advice... you will only win the battle if you make your OSes more secure!

Tuesday, January 04, 2005

Anti-Spyware from MS nearly ready ...

Publicly, Microsoft continues to be cagey about packaging and pricing plans for its anti-spyware and anti-virus solutions. But privately, Microsoft has begun informing partners of its plans for a security subscription service code-named "A1," according to developers who requested anonymity. Microsoft bought anti-virus vendor GeCAD in the summer of 2003, and anti-spyware maker Giant Company Software last month. As to how it plans to deliver these technologies, Microsoft has declined to give specifics. How/when/if it will repackage GeCAD's technology remains uncertain. The same goes for Giant's — although according to the Windows enthusiast site Neowin, Microsoft is expected to field its first anti-spyware beta based on Giant's technology this week. The anti-spyware beta is code-named "Atlanta".

Original Cabir source code released!

I just saw that the 29A virus group has released the original source code of the Cabir.A phone worm. There's a lot of source code for mobile malware floating around in the underground right now. This might mean even more new variants will pop up in the near future.

Monday, January 03, 2005

Spyware becomes illegal in California.

Under a new law introduced today by Governor Arnold 'Terminator' Schwarzenegger, consumers will be able to seek up to $1,000 in damages if they believe they have fallen victim to spyware.
The California Consumer Protection Against Spyware Act bans the installation of software that takes control of another computer. It also requires that companies and websites disclose whether their systems install spyware.
Spyware has fast become one of the single largest threats to all computer users, corporate and home alike, with its peddlers stooping to many illegal tricks, borrowed from hackers, to install this unwanted software on a user's PC without permission. I think 2005 will be a very interesting and special anti-spyware year!

Saturday, January 01, 2005

Happy New Year and our Virus Top 2004 !

Based on our observations, here is our exclusive top 5 of computer viruses for Belgium, Luxembourg and Europe in 2004: at number one W32/Netsky.P, at 2 W32/Netsky.D, at 3 W32/Sasser.worm, at 4 W32/Sober.J and at 5 W32/Zafi.B... I wish everybody a Happy New Year 2005!