Friday, August 26, 2005

Two arrests in Zotob case!

Two men have been arrested regarding the Zotob PnP worm case. Moroccan authorities arrested "Diabl0", aka Farid Essebar and Turkey authorities arrested "Coder", aka Atilla Ekici. The suspects are aged 18 and 21, respectively. Both nicknames can be found inside the code of Zotob.A: the worm connected to a irc server named "" and contained the words "Greetz to good friend Coder". Diabl0 is most likely associated with some of the Mytob variants as well. You can find more at Maghrep Arabe Presse in Morocco. That's what I call a very fast response from these authorities. I'm looking forward to find out more of this case.

Monday, August 22, 2005

Bozori and Zotob the first real company worms.

Bozori or Zotob are no different to earlier Internet worms like Blaster or Sasser: it uses an exploit to spread directly to vulnerable machines. We've had no reports of infection from individual users. There's no question that this worm was spreading heavily. However, it seems to be confined to localized 'explosions' inside large corporations. These organizations, typically made up of 'small internets' behind heavily defended Internet gateways, have experienced infection.
Bozori, it seems, causes local outbreaks, whenever it's able to reach the critical mass (and this is heavily dependent on the level of management in the organization). The worm can't reach many machines over the Internet because these days everybody deploys a firewall. However, a worm can penetrate a local network without going through the firewall: when an infected laptop is brought into a network large problems appear. That's why small companies and home users haven't been affected. On the other hand, a number of globally interconnected corporations, running large networks of computers - practically their own reduced versions of the Internet – have been hit badly. This incident suggests that we're on the threshold of a new era, in which 'company worms' will cause 'local network outbreaks' in large corporations, but will have little effect on the Internet as a whole. And yes we got solutions ... IPS but not everyone is buying this as it is not really cheap... Oh yes I nearly forgot to mention that some of my interviews are published on our press page at .
And not every newspaper was interested in publishing something only for 'companies'. Was it not problematic enough?
In mean time some zero day exploit appeared: msdds.dll ... more at Let's hope we don't get anymore problems with this in the future!

Thursday, August 18, 2005

Returning to normal.

The outbreak of the varieties of three worms -- "Zotob," "Bozori" and "IRCbot" are turning to a normal situation over here. No more companies are attacked anymore. It's also very noticable how mostly US companies have been infected... Some media are comparing this outbreak to Sasser making this outbreak bigger than the Sasser outbreak. This is incorrect in my opinion however it is true that only a few days were needed to use the MS05-039 vulnerability into some worms. The Sasser worm was made in a few weeks. This is worrying as this timescale seems to reduce every year exponentially. How far are we away from a large zero-day exploit attack? Nevertheless press and media are still interested in all the details. We got interviewed by newspapers 'Het Laatste Nieuws', 'De Tijd' and 'De morgen' today.

Wednesday, August 17, 2005

Botwars ... another scary day!

Computer worms that have brought down systems around the world in recent days are starting to attack each other. There appear to be three different virus-writing gangs turning out new worms at an alarming rate, as if they were competing to build the biggest network of infected machines. The varieties of three worms -- "Zotob," "Bozori" and "IRCbot" -- are still exploiting a gap in Microsoft Windows, mostly Windows 2000 operating systems, on computers that not had the flaw repaired and were not shielded by firewalls.
The latest variants of Bozori even remove competing viruses like Zotob from the infected machines. The worms caused also some havoc in Belgian branches of some large international US companies. I've given interviews to QMusic, RTBf radio, Kanaal Z, Belga, De Standaard, Het Laatste Nieuws (Interesting for 'HLN': this is one of the first times they contacted me, I hope we can establish a good relationship!). VTM and VRT contacted me as well but only to acquire information for a short news item. And I almost forgot ... I advised in the morning the BIPT to send out a virus alert as it was really needed.
Strange, just a few weeks ago I told you that there was a big outbreak coming after some quiet months ... never mind ... stay tuned over here (advice for everyone) and I will keep you updated of the situation ... definitely if it's getting worse.

Tuesday, August 16, 2005

A scary day!

Wakening up with a drastic attack on a money transport just a few hundred of meters from your frontdoor is really scary! That happened to me today. It's like bombs falling just around you. And that was not the only thing ... some new variants of Zotob appeared and an Ircbot variant with something new up it's sleeve: instead of the usual replication methods of guessing share passwords or probing for RPC/LSASS vulnerabilities, this bot was using the brand new MS05-039 Plug-and-Play vulnerability - just like the Zotob worm. I have also put my interviews from last friday on the press page. Please have a look at I'm still convinced that the so called 'heavy hacker' was a script-man (instead of script-kiddie), and definitely not a real hacker! See my former blog.

Sunday, August 14, 2005

A new worm using a new exploit

A new worm known as W32/Zotob using the MS05-39 Plug-and-Play vulnerability has been found.
This is nasty, as patches for this vulnerability have only been available for five days.
The worm is based on Mytob and might be using exploit code published by 'houseofdabus' four days ago.
This whole case has a nasty ring to it...the infamous Sasser worm was released two days after 'houseofdabus' released exploit code for the LSASS vulnerability.
However, Zotob is not going to become another Sasser. First of all, it will not infect Windows XP SP2 machines. It also won't infect machines that have 445/TCP blocked at the firewall. As a result, majority of Windows boxes in the net won't be hit by it.
This worm replicates by scanning random machines at port 445/TCP. When a victim is found, the exploit code downloads the main virus file via ftp from the scanning machine, sets up ftp server on the infected machine and starts scanning for more targets.
Patch as quickly as you can or use some kind of buffer overflow technique with your soft- or hardware. It's a nasty one but we will not get a large outbreak of this one I think.

A fake Belgian hacker and the newspaper "Het Laatste Nieuws"

The unbelievable happened again a few days ago. Some guy, Pieter Miclotte, claimed to be 'the most famous Belgian computercriminal'. The paper "Het Laatste Nieuws" spent(waisted) 3 pages on this man. It was even on the first page. Of course this guy is definitely a criminal but definitely he doesn't know enough about computer hacking to be called a hacker. Again an example of very bad journalism.... And then the media attention ... it's a shame that everybody waisted so much time on this guy. Kanaal Z(Belgian tv station) and also 'De Standaard' contacted me to have some realistic opinion and approach to the topic. I will put these interviews on my webpage very soon. Note to 'Het laatste Nieuws' : Maybe you could check with a specialist next time about the real content before publishing it!

Tuesday, August 09, 2005

Ready for the storm?

It's unbelievable calm in virusland, don't you think. Mostly after some months of inactivity we see some virus alerts. Let's see if we will have them as well next month .... of course there's always something going on like Microsoft that takes out MSH out of VISTA (so say bye to the just found VISTA viruses), like a new Bagle and a new mobile phone trojan Blankfont but ... still it's too quiet. I definitely espect some kind of outbreak, only this year it takes longer compared to the last 3 years.

Thursday, August 04, 2005

A wrong Virus Bulletin ...

Somebody notified me about a suspicious link. The link itself attracted my attention: ...[removed]
Naturally, anyone who follows information security knows Virus Bulletin: one of the oldest and most respected publications in the AV industry. I'm writing from time to time for them.
No, their site has not been hacked. If you read the URL carefully, you'll notice that the word bulletin is misspelled - bulettin. Moreover, Virus Bulletin can be found on-line at a slightly different URL: Most of us only scan URLs at best, and the malicious version is certainly close enough to the real thing to fool people. Virus writers are at it again: masquerading as a respected AV publication is a good way to get people to trust you.
Oh, before I forget... If you receive this link, don't click on it. The new virus 'Landis' is ready at that link to infect your pc and it sends the link out on command from its owner.

First Windows Vista Virus

Virus authors have produced proof of concept viruses targeting the scripting language behind prototype versions of Microsoft Windows Vista. An Austrian virus writer published five sample viruses that target Microsoft Command Shell (MSH) in a virus-writing magazine.
As MSH (codenamed 'Monad') is due to ship as the default shell for Windows Vista, these five pieces of malware can be classified as the first viruses for Windows Vista. However, there is still plenty of time for Microsoft to reconsider shipping MSH with Windows Vista. It is about a year ago since the concept of viruses for MSH was discussed by anti-virus researcher Eric Chien of Symantec at the Virus Bulletin conference. It is also understood that the MSH environment would provide virus writers far more powerful features than they ever could get with VBScript. So will this be the next big thing for viruswriters or not?