Sunday, November 27, 2005

Top 10 Hacks and some new press things.

Some article on the internet reminded me of the "top 10 hacks of all time". It seems that some of the hackers quoted there are quite busy with their lives at this moment ... I posted some new articles on my press page after watching the new Harry Potter movie today. At least he seems to know the difference between bad and good quite well... ;-)

Thursday, November 24, 2005

NOXS Security Congress 2005

Today we had our yearly NOXS Security Congress. We had over 350 attendees in Belgium alone (80+ in Luxembourg), so you may call it a real success. Unfortunately my mobile picture blog upload software gave some errors today ... so I used another method to post it here. Hopefully we'll get it back up and working again very soon.

Wednesday, November 23, 2005

Analysing W32/Sober@MM!M681 and more Bagles arriving ...

Well, it seems we will get some busy days ... a new wave of Bagles arrived just minutes ago, as if the outbreak of the new Sober variant wasn't enough. Sober variants are well known for complex replication patterns and payloads. They have also been using spoofed e-mail addresses in the "From:" field, pretending to come from the FBI; reason enough for many unsuspecting users to fall victim to the worm. Sober.K, discovered on February 21 2005, was the first to use this. W32/Sober@MM!M681, which is currently the most popular variant, started spreading actively on Monday, November 21. Although it was released last week, it didn't really pick up speed until Monday and Tuesday, thanks to the help of a couple of other variants in the family, one of the complex replication patterns mentioned above. The outbreak is medium-sized and large enough, but according to my statistics it's no match for, say, Sober.a back in 2003.
BELGA, the Belgian press agency, interviewed me today about the situation in Belgium, which seems stable at this moment. It seems however that they didn't quote me 100% correctly. Let's see how the press will pick this up tomorrow morning in the newspapers. 'De Tijd' (newspaper) already called me for some more detailed explanation.

Sober.x or W32/Sober@MM!M681 widespread now ...

Unbelievable, but it remains unpredictable how viruses spread. At this moment we are seeing high peaks of this virus, so it's becoming a medium problem now. Meanwhile we are also seeing some new Bagles. It looks for sure like we are coming back to normal levels of virus alerts now, meaning ... too much!!!

Tuesday, November 22, 2005

Sober.x or W32/Sober@MM!M681 not so widespread!

Some CERTs and anti-virus vendors rated the new Sober variant as medium. Based on our information I classified it as just low to medium: about 2 on a scale of 7 ...

We had a nice day today. I just started giving official McAfee training again, something I like very much. The NOXS congress is also coming up this year, tomorrow in Luxembourg and Thursday in Belgium. This year we will reach a very high number of attendees. I hope I can show you some pictures of the event in one of the following blog posts.

Friday, November 18, 2005

Most anti-virus or anti-spyware reviews are wrong!

Most of the 'reviews' are pretty much irrelevant - in fact they just annoy me.
There's always an assumption about the user's ability and configuration - speaking as a neutral for once on this.
Here's the problem - the assumption is that the defence of the system is based on one aspect of how the solution works - an engine/signature. A lot of time and effort was spent in analysing what actions malware typically undertook on launch. The scan engine/signature race is only really relevant if the ONLY process the threat passes through to successful infection is the scan engine/signature. So you CANNOT discount these features. I am sure that most experienced administrators would prefer a system that prevents by default, recognising it as superior and actually understanding what the AV engine is - a last line of defence.
Not accounting for these features is a bit like buying a car based only on the car's engine. It might purr like a kitten, it might pull like a tram, it might sow seeds to compensate for its impact on the environment - but if the dealers are rubbish, or the suspension feels sloppy, or the transmission came from a drill bit and the grip means you spend more time off the road than on it - you shouldn't buy it! A car offers a package of features and benefits - and we generally purchase on balance, when whatever is important to us is provided by a particular offering.
In other words, compare like with like - don't compare the engine with the engine - compare what the customer purchases - the complete PRODUCT - with the complete PRODUCT. And that hasn't been done for ages ... well, at least I know what I should buy. (I have it!)

Tuesday, November 15, 2005

New Sober variants on the loose ...

Several new Sober variants are on the loose at this moment and already In-The-Wild. Most AV products have good protection available. Please check that you have deployed or downloaded the latest update of your favourite AV product.

Industrial espionage article in Dag Allemaal.

A nice interview with me appeared today in 'Dag Allemaal', a popular magazine in Belgium. It's all about industrial espionage. I will put a copy online next week (delayed because of copyright) in our press page section. It's definitely true that in espionage cases malware can be used to gather the necessary information.

Thursday, November 10, 2005

First 'Sony' Trojan backdoor (which exploits Sony's rootkit DRM) found...

And like I've told you, it's always a matter of days or hours... Virus writers have begun taking advantage of Sony-BMG's use of rootkit technology in the DRM software bundled with its music CDs. Sony-BMG's rootkit DRM technology masks files whose filenames start with "$sys$". A newly-discovered variant of the Breplibot Trojan takes advantage of this to drop the file "$sys$drv.exe" in the Windows system directory. This malware also has some design flaws, so it doesn't really work very well. That could of course be the reason why this variant is not found in the wild. Let's hope this will be the first and the last, but I doubt it. Unfortunately, other malware exploiting this will appear.

Linux worm Lupper (alias: Plupii) warnings exaggerated?

Depending on what news sources you follow, you may or may not have heard about the latest and greatest Linux worm. Here is a quick summary to catch everyone up. On November 6 a new worm began spreading that attempted to brute force a series of URLs associated with three vulnerabilities found on Unix-related systems. If vulnerable versions of the software were running, an ELF executable was downloaded from a single IP address into the web server's /tmp folder and then executed, starting the cycle anew. As with many previous worms, both on Windows and *nix systems, some configuration changes would have stopped this worm in its tracks, even if the systems were wide open with vulnerable software.
I can't say that it's the most elegant worm ever, it's certainly not the fastest spreading, and I suspect that it is one of the easier ones for the Internet-Powers-That-Be to stop spreading completely: turn off the IP address that the worm is downloading its code from. Sure, we end up with a cycle where the author moves to another IP and re-releases the worm. But eventually even the most stubborn virus author will get bored with that game.
What's with all the reporting about this worm? Is it just the novelty of a bi-annual Linux worm compared to the systems coming out of Redmond? Or is there more here than meets the eye? I think there is a warning buried here, and maybe we should pay a little attention to it. OK, it's a Linux worm, and we haven't seen a lot of these in the wild. But you never know, it could be a warning of what is to come...
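The post describes the worm's footprint on a web server: a burst of requests to a list of candidate URLs, most of which do not exist on any given host. The following is an added example, not code from the original post or from any vendor: a small detector that runs over access-log lines and flags a source that touches many distinct paths in a short window with mostly 404 results. The log lines, IP addresses, paths and thresholds are constructed for the demonstration.

```python
"""Added example (not from the original post): a detector that runs over
web-server access-log lines and flags a source that probes many distinct
URLs in a short window with mostly 404 results, the pattern a worm
brute-forcing a list of exploit URLs leaves behind.

The log lines, addresses, paths and thresholds are constructed for the demo."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/NCSA common-log-style line (ip, ident, user, timestamp, request, status, size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Return a dict with ip, ts, method, path, status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # ignore the query string
        "status": int(m.group("status")),
    }


def detect_probing(lines, window_s=60, min_paths=5, min_miss_ratio=0.5):
    """For each source IP, find the window of `window_s` seconds with the most
    distinct paths. Alert when that window holds at least `min_paths` distinct
    paths and at least `min_miss_ratio` of them answered 404: a browser follows
    links that exist, a URL brute-forcer mostly hits paths that do not."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best_paths, best_misses = set(), set()
        for i, start in enumerate(events):
            paths, misses = set(), set()
            for ev in events[i:]:
                if (ev["ts"] - start["ts"]).total_seconds() > window_s:
                    break
                paths.add(ev["path"])
                if ev["status"] == 404:
                    misses.add(ev["path"])
            if len(paths) > len(best_paths):
                best_paths, best_misses = paths, misses
        if (len(best_paths) >= min_paths
                and len(best_misses) / len(best_paths) >= min_miss_ratio):
            alerts[ip] = {"distinct_paths": len(best_paths),
                          "not_found_paths": len(best_misses)}
    return alerts


# Constructed sample: one ordinary visitor and one source walking a probe list.
# The probe-* paths are placeholders, not the URLs the real worm requested.
SAMPLE_LOG = """\
198.51.100.7 - - [06/Nov/2005:10:12:01 +0100] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [06/Nov/2005:10:12:03 +0100] "GET /cgi-bin/probe-a.cgi HTTP/1.0" 404 210
203.0.113.9 - - [06/Nov/2005:10:12:03 +0100] "POST /cgi-bin/probe-b.cgi HTTP/1.0" 404 210
203.0.113.9 - - [06/Nov/2005:10:12:04 +0100] "GET /webapp/probe-c.php HTTP/1.0" 404 210
203.0.113.9 - - [06/Nov/2005:10:12:04 +0100] "GET /webapp/probe-d.php HTTP/1.0" 404 210
203.0.113.9 - - [06/Nov/2005:10:12:05 +0100] "GET /webapp/probe-e.php HTTP/1.0" 200 330
203.0.113.9 - - [06/Nov/2005:10:12:05 +0100] "GET /cgi-bin/probe-f.cgi HTTP/1.0" 404 210
203.0.113.9 - - [06/Nov/2005:10:12:06 +0100] "GET /cgi-bin/probe-g.pl HTTP/1.0" 404 210
198.51.100.7 - - [06/Nov/2005:10:13:40 +0100] "GET /about.html HTTP/1.1" 200 640
"""

if __name__ == "__main__":
    for ip, info in detect_probing(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {info}")
```

The window size and thresholds are assumptions to tune per site; a crawler indexing a large site will also touch many paths, but mostly with 200 results, which is why the 404 ratio is part of the rule. The post's other two observations suggest the complementary host-side checks: the payload was fetched from a single address, so outbound connections initiated by the web-server account are worth alerting on, and it was executed out of /tmp, which a /tmp mounted noexec is the classic configuration change against.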

Thursday, November 03, 2005

And more Bagles ...

And we've got more and more Bagles spammed to us today... Please be advised not to forget to enable 'heuristic analysis' at your gateways if it wasn't enabled by default. This already stops a lot of these new variants! I always recommend using this option everywhere!

Thank you Sony!

Sony releases an update for its DRM software. The company behind the technology, First 4 Internet, has now released an update for the software. After visiting the web site, downloading and installing the update, it now seems that the DRM software no longer attempts to hide anything on the computer. The rootkit driver (aries.sys) is removed from the system during the update. The update from Sony is available here. Thanks also go to the quite excellent research work done by Mark Russinovich at Sysinternals relating to the "Sony rootkit" incident.

Wednesday, November 02, 2005

Sony uses rootkits, 'It's a shame!'

There have been some bad developments in digital rights management systems (DRM) that have security implications. Some DRM systems have started to use rootkit technology. Rootkits are normally associated with malware, but in this case a rootkit is used to enforce the copy control policies of audio CDs! A rootkit is technology that hides software from the user and from security software. This kind of technology is normally used by malware authors who want their presence to remain undetected on the system as long as possible. DRM software is not malicious, but it has other reasons for hiding from the user. DRM software restricts the user's ability to make copies of a record and for that reason uses technology that prevents removal and modification of the software.
Sony BMG is currently using a rootkit-based DRM system on some CD records sold in the USA. Sony, please change your behaviour and please use another method to protect your music! If this becomes a habit we could see viruses go undetected by our scanners. So may I ask Sony to stop this behaviour. It's again proof that most companies don't know anything about real security, or let us say 'good security behaviour'.

New bagles on the loose..

Last night a lot of new Bagles were spammed again. If you haven't done so, please 'update' your AV product, as all of them are detected by most AV software. It seems to be becoming a standard approach (spamming new viruses) for the virus writers.

Magic Byte Analysis .. Is it really a vulnerability?

Recently everybody has been paying some attention to the 'magic byte' vulnerability disclosed by Andrey Bayora. See also my former blog post for more info about this. The vulnerability advisory basically states that the majority of virus scanners are unable to detect some malware if a fake file header is prepended to the malicious file. This is all about script-like malware going undetected if an MZ header, for instance, is prepended to the file. Most virus scanners seem to assume that such a file is an executable, and will therefore no longer detect the malware. To counter this, a scanner needs to scan the entire file for file headers/malicious code.
The whole issue gives rise to an interesting discussion: is this actually a vulnerability?
As the (complete) file's hash has been changed, it's no longer exactly the same file. This means that the malicious file is technically a new variant or even a new piece of malware (virus), not the same old malware. So in my opinion this is not a real vulnerability. The question is: does the so-called 'vulnerability' pose a real threat?
I don't think so. Of course, it remains to be seen exactly how this 'vulnerability' will be exploited. Anyway, most AV vendors are adding a new feature... It's a little bit like detecting a new virus. It's not a vulnerability.
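To make the advisory's point concrete, here is an added example, not code from the original post or from any scanner vendor: a toy classifier that trusts the leading bytes only, next to one that validates the MZ header properly and scans the whole buffer for script content. The "script markers", the sample script and the minimal PE skeleton are all constructed for the demonstration and are not real detection signatures.

```python
"""Added example (not part of the original post): how a scanner that
classifies a file by its leading bytes alone can be misled by a prepended
MZ header, next to a whole-file scan that is not.

The script markers and sample files are constructed for the demonstration;
they are not real detection signatures."""
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\x00\x00"
# Constructed, benign markers standing in for a scanner's script heuristics.
SCRIPT_MARKERS = (b"<script", b"WScript.Shell", b"On Error Resume Next")


def header_type(data: bytes) -> str:
    """Classify by the first bytes only, as the advisory says most scanners did."""
    if data.startswith(MZ_MAGIC):
        return "pe-executable"
    if data.lstrip().lower().startswith(b"<html"):
        return "html"
    return "unknown"


def naive_scan(data: bytes) -> bool:
    """Apply the script heuristics only when the header does not say 'PE'.
    Anything that looks like a PE goes down the executable code path, where
    the script markers are never looked at. This is the weak behaviour."""
    if header_type(data) == "pe-executable":
        return False
    return any(marker in data for marker in SCRIPT_MARKERS)


def looks_like_valid_pe(data: bytes) -> bool:
    """Validate the MZ header instead of trusting two magic bytes: a real PE
    stores the offset of its 'PE\\0\\0' signature in the DOS header at 0x3C
    (e_lfanew). A bare 'MZ' glued in front of other content fails this."""
    if len(data) < 0x40 or not data.startswith(MZ_MAGIC):
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_MAGIC


def thorough_scan(data: bytes) -> bool:
    """Scan the whole buffer for script markers regardless of the header."""
    return any(marker in data for marker in SCRIPT_MARKERS)


def classify(data: bytes):
    """Return (file kind, script markers found anywhere). An MZ header that is
    not backed by a real PE structure is reported separately, because it is a
    sign of two formats glued together and deserves a closer look."""
    if looks_like_valid_pe(data):
        kind = "pe-executable"
    elif data.startswith(MZ_MAGIC):
        kind = "mz-stub-without-pe"
    else:
        kind = header_type(data)
    return kind, thorough_scan(data)


# Constructed samples.
SAMPLE_SCRIPT = (b'<html><script language="VBScript">\n'
                 b'Set sh = CreateObject("WScript.Shell")\n'
                 b"</script></html>")
# The same content with a bare MZ header in front, as described in the advisory.
SAMPLE_PREPENDED = MZ_MAGIC + b"\x00" * 62 + SAMPLE_SCRIPT
# A minimal MZ/PE skeleton: e_lfanew at 0x3C points at a PE signature at 0x40.
SAMPLE_PE_STUB = (MZ_MAGIC + b"\x00" * 58 + struct.pack("<I", 0x40)
                  + PE_MAGIC + b"\x00" * 16)

if __name__ == "__main__":
    for name, blob in (("script", SAMPLE_SCRIPT),
                       ("prepended", SAMPLE_PREPENDED),
                       ("pe stub", SAMPLE_PE_STUB)):
        print(f"{name:10} header={header_type(blob):15} "
              f"naive={naive_scan(blob)!s:5} classify={classify(blob)}")
```

Running it shows the two halves of the argument: naive_scan finds the script in SAMPLE_SCRIPT but not in SAMPLE_PREPENDED, while thorough_scan finds it in both. The e_lfanew check is the cheap middle ground a scanner can take before a full-buffer scan: a header that is not structurally valid for the type it claims is itself a reason to treat the file with suspicion rather than to route it to the executable code path.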