Monday, March 28, 2005

The Melissa case ...

How could I forgot ... 6 years and 2 days ago the famous Melissa virus started spreading on March 26, 1999. This case was quite interesting... for a number of reasons.
First, Melissa made history as the first macro-virus with email worm traits. The first macro-viruses appeared back in 1995, but Melissa was the first one to combine macro-virus capabilities with the ability to spread via email. And how! Tens of thousands of infected emails spread within hours. IT giants such as Microsoft and Intel were among the hardest hit. In fact, Microsoft even shut down their email system temporarily to prevent the virus from spreading further.
Yes, it was certainly one of the most serious epidemics in Internet history.
The new concepts and simple code attracted other virus writers who later used the Melissa source code to create dozens of other email worms. Second, the Melissa outbreak was one of the few times when the author was quickly identified, arrested and sentenced. David Lee Smith (see picture) from New Jersey (USA) was arrested only 4 days after Melissa was detected. He was tried in May 2002 and sentenced to 10 years in jail and fined $2,500. However, he actually only served 20 months: the sentence was reduced in view of his cooperation with the prosecution and offers to help track down other virus writers. Exactly how Smith assisted prosecutors is unclear, though he allegedly helped track down Simon Vallor and Jan de Wit. Ooddly enough, several well known virus writing groups ceased to exist precisely between 2000 and 2002.
David Smith was identified and arrested due to an interesting and at that time rarely used feature of MS Word. Even in 1999 MS Word saved information about the author of the document in the file properties. David put the first copies of Melissa in the newsroom and all of the copies contained his data. The FBI had no trouble in tracking him down.
This is what I call at least interesting history!

VTM interview and article ...

for Network & Telecom are online now, you can find everything at our press page ...

Sunday, March 27, 2005

DVForge Virus Prize cancelled!

There was a company from Tennessee, USA offering $25,000 for the first native, in-the-wild virus for Apple Macintosh OS X. Which of course is irresponsible and possibly illegal. They also miss the point by mentioning that "international law forbids the transmission of computer viruses that damage infected computers". On 27th of March the DVForge Virus Prize site was changed and the competition has now been canceled. In their new statement they say that they were contacted by a large number of Mac users who convinced them this was a bad idea. I'm really happy to see this company came to their senses before anything bad happened.

Linux sucks?

As I discussed briefly last month, three security researchers have done a controversial study that proves once and for all that Windows is way safer than Linux (or something along these lines). The study was presented last month by my friend Richard Ford, Herbert H. Thompson and Fabien Casteran, and the full report has now been published. It's available for download from Security Innovation.

Thursday, March 24, 2005

Unique Belgian AV law nearly ready ...

A unique Belgian law is nearly ready that will make it necessary to have a free anti-virus protection at the ISP-level. That's nice however it will never break the new range of viruses which are not only using email as their infection vectors. At least it could give some protection to users who don't know anything about viruses. Nevertheless a special approach which looks to the public 'ground-breaking', but is that really the case ...

Noxs at

Noxs at Noxs knocks your socks off!

View full size image
Moblog with PicoBlogger

Wednesday, March 23, 2005

My new company car...

My new company car... sponsored by McAfee ;-)

View full size image
Moblog with PicoBlogger

Trendmicro's cocktailbar...

Trendmicro's cocktailbar... At

View full size image
Moblog with PicoBlogger

Noxs at

Noxs at The first day...

View full size image
Moblog with PicoBlogger

Monday, March 21, 2005

Malware problems must be explained by real experts!

Indeed and this is definitely not always the case. I just heard and saw 2 examples of this: Look at my own interview for VTM today, there was a difference between the 13 and the 19 o'clock version, in the latest one they used together with me some unknown 'university' guy to give an 'explanation'. In the first interview I gave both explanations. A second example: At VRT radio 1 they interviewed Benelux General Manager of Symantec ... nice if you have to say something about money matters, in this case unbelievable... they are other people inside the Symantec organisation here in the Benelux which are better positioned to explain these kind of things in my opinion. Please 'press agencies' or journalists try to find valuable resources and get the information from the real experts. It's also a problem outside Belgium of course...

Eddy on VTM News at 13:00 and 19:00 Today.

I was just interviewed by VTM concerning the growing problems with Spam and Phishing. You can still watch this at 19:00 hours (News) or via the VTM site at I will put this live as well on my press page very shortly.

Sunday, March 20, 2005

New interviews posted on my press page.

Some new interviews are posted on my press page, look at the latest additions to 'my short interviews' ... NOXS jaagt op Spyware, etc ...

RTL-TVI finds sometimes the virus problem too difficult...

Yesterday, a journalist of RTL-TVI phoned me concerning an article in 'Le Soir' where my Finnish friend Mikko Hypönnen (see the family and friends page on my website) declared the problems they see with 'Cabir' and 'ComWarrior'. He also told the press that email will change within the next years, an idea I do support for several years BTW. After telling and explaining all this stuff to the journalist and of course confirming that this is still not a problem right now but more a problem for tomorrow, RTL decided not to come and interview me as this could be to difficult to explain to their viewers... of course this is my own interpretation, maybe it was not spectacular enough or ... anyway let's see what will bring the future.

Tuesday, March 15, 2005

Early MS patches for US government!

Microsoft has revealed that it will provide the US Department of Homeland Security (DHS), the US Air Force (USAF), and similar organizations early access to software security patches that it will later release publicly. Security experts immediately assailed the move out of fears that information about the patches--and thus, the flaws-- could find its way into the hands of malicious hackers.
Here's the problem: If Microsoft provides detailed information about a Windows security flaw far enough in advance of the public fix, malicious hackers could use that information to construct malicious software (malware) that exploits the vulnerability. But Microsoft is providing only the actual patches, not detailed information. But hackers are already reverse engineering patches the day the patches are released to discover which software processes the patches change, and thus, in many cases, gather information about the flaw they fix.
However, that's generally difficult and time-intensive work.
Although the company acknowledges there is some risk, Microsoft tries to counter these fears by noting that it will disseminate patches only to trusted government agencies. However, reports last week noted that the DHS would provide other government agencies with access to the Microsoft patches as needed, heightening fears that the patches could be used for illicit purposes: The patches will likely be provided to a wide range of people, any one of whom could spread the code to hackers.
For me this approach is unacceptable as other corporates will not get access to these however I like the idea. MS should look into the possibility of creating their OS more securer.

Monday, March 14, 2005

Firefox not Spyware free!

We all know about those ActiveX installers that attempt to install all manner of nasties when using Internet Explorer, but now it seems the producers of all that malware are now turning on other browsers. This time they are using a Java installer to push all kind of of unwanted malware onto your PC. Christopher Boyd at tested out this latest bit of malware after hearing a rumour about a Firefox adware bundle on a forum. The malware installer in question is capable of working against a number of web browsers with native Java Runtine Environment support. This allows the installer to attack most browsers including Firefox, Mozilla, Netscape, Avant and in some cases Opera. In this instance this little bit of malware goes and installs a whole bunch of Internet Explorer specific nasties, including DyFuCA, Internet Optimiser, ISTsvc, Kapabout, sais (180 Solutions), SideFind and Avenue Media. Now this presents an interesting twist, because in Boyd’s tests his Internet Explorer was locked down, and he’d visited the site the installer was executed from he was not affected by the installer. However once the installer was allowed to run it went ahead and trashed his Internet Explorer setup, thus ensuring that next time the machine reboots all that nasty malware is executed and will continue to hijack the PC.
Now we should just say first, in the defence of all the browsers that Boyd tested, there was user intervention required to install this crap, it all popped up a ‘Do you want to allow this to run’ dialog and in this test (we stress this was a test) Boyd clicked on the ‘yes’ button. In normal circumstances no sane user should press ‘yes’, they should click ‘NO’, just to repeat that CLICK NO, never never click ‘yes’...

Wednesday, March 09, 2005

'Publishing vulnerabilities' illegal in France.

After the conviction in a French court on criminal charges of the security researcher Guillaume Tena it seems that in France at any rate the IT Security industry could find themselves falling foul of the law for publishing security vulnerabilities. Guillaume Tena in 2002 published a series of security vulnerabilities with the Viguard anti-virus software published by Tegam. However Tegam did not like this adverse publicity for their software and initiated legal action against Guillaume. That legal action resulted in a criminal case going to trial in a Paris Court. The prosecution claimed that Tena violated article 335.2 of the code of intellectual property, prosecutors asked the court for a four month jail term and a 6,000 euro fine. Guillaume alas was convicted by the court and was handed down a 5,000 euro fine, which was suspended on the provision that Guillaume does not re-offend, i.e. publish any more security vulnerabilities, otherwise he would be required to pay the fine. However the legal action goes on, Tegam is also proceeding with a civil action against Guillaume, in which they are demanding 900,000 euros in damages. As a result of the conviction, it sets a precedent for other security researchers that operate in France, that they could suffer a similar fate for publishing their so called 'research'.

Tuesday, March 08, 2005

Eddy quoted in 'De Tijd'.

A nice new article appeared in 'De Tijd' today. I'm cited and quoted on several virus related issues. I will bring it online in my 'press' page at my site next weekend!

CommWarrior mobile phone worm not so dangerous!

So the spreading over MMS messages works. However there seems to be a significant delay between the MMS messages. As a result, Commwarrior will not spread rapidly like e-mail worms do and note also that it even take more steps for installing such a broadcasted application than with bluetooth messages. Add also the fact that a lot of operators have not enabled this MMS feature by default ... so as a result Commwarrior MMS spreading is not as dangerous as it could have been. Good News!

Monday, March 07, 2005

First MMS mobile phone virus

I just heard from people at F-Secure that they found the first MMS mobile phone virus. They call it CommWarrior. MMS stands for Multimedia Messaging Service. These are text messages that include an image, audio or video. MMS messages are sent from one phone to another or to email.
Phone viruses so far have been spreading over Bluetooth - so they only affected phones that were nearby. A MMS virus can potentially go global in minutes, just like email worms do.
First analysis shows that it attempts to spread over both MMS and Bluetooth. The virus seems to be from Russian, as it contains text that says "OTMOP03KAM HET!". Which roughly translates to "No to braindeads".
We'll definitely see more and more problematic mobile phone viruses. How long before we will get a real problem with this kind of viruses remains an open question.

Cabir 'hoaxed' by Belga Press Agency.

The Belgian Press Agency Belga is exagerating the possibilities of the mobile phone virus Cabir. After an article at the Sunday Times it seems that some press agencies took the wrong conclusions as this virus could 'dial out' and such things. Please Belga ask a second opinion at a virus expert (like me ;-) ) before publishing something you read in the press! BTW this is not the first time this is happening ... several years ago they looked at a real hoax as a real virus! At least some people at VRT Radio and TV checked with me what really was happening and didn't make 'news' about it. That's what I call a fine journalistic approach.

Wednesday, March 02, 2005

Free Reverse Engineering Tools for IDA.

I just heard some interesting news from Data Rescue, F-Secure and and iDefense.
The iDefense guys have recently started to release free tools for the Reverse Engineering community. Today they released Pedram Amini's IDASync, which allows multiuser synchronized use of IDA (one of the main tools for any reverse engineer). The IDA-tool itself is produced by the company of my old Belgian friend Pierre Vandevenne.

Virus uses Client/Server approach!

One feature of these new detected variants of Bagle is to use infected computers to seed out emails with the downloader program as an attachment. So in addition of sending out emails with the virus, they send out emails with a downloader which won't spread further. Lots of them.
So far, we've seen 4 different downloaders and several different Bagles...
There's something else too. These new Bagle variants are using a client / server architecture to spread further. What? A Client / Server virus? Yes.
Normally Bagle variants search the local hard drive to find email addresses to send itself to. These new variants connect to a web back-end. The back-end server will then return 50 unique email addresses that it generates using directory harvest techniques. The virus will then send a copy of itself to these addresses and loop over. We come accross lots of them here in Belgium but I don't call this an enormous outbreak...