Friday, January 27, 2006

Wife.d, Nyxem.e or Blackworm not widespread in Belgium and the Netherlands

The real exact infection number counter seems to be around 300.000 infections at this moment. The pie chart shows the total infections by country for all countries with greater than 2000 infected IP addresses. The high infection rates in India, Peru and Italy are interesting to note. It is possible some of these figures are not 100% correct, but I do believe India is the hardest-hit country by far in terms of overall infection rate. Even so, 300.000 infected users worldwide is not a terribly large amount when compared to previous worms like Sober or Mydoom. And like I told you before Belgium and the Netherlands got just a few hundreds of infections. However, with this worm it isn't the quantity of infected users, it is the destructive payload which is most concerning.

Thursday, January 26, 2006

Another anti-spyware initiative

Several academic institutions and major tech companies have teamed up to thwart "badware," a phrase they have coined that encompasses spyware and adware. Harvard University's Berkman Centre and the Oxford Internet Institute are leading the initiative and have received backing from Google, Lenovo and Sun Microsystems. The new website,, is promoted as a "Neighborhood Watch" campaign and seeks to "provide reliable, objective information about downloadable applications in order to help consumers to make better choices about what they download on to their computers." The group differs from the large Anti-Spyware Coalition which is backed by Microsoft, Symantec, Yahoo, Computer Associates, AOL, and many others, by attempting to be a more grassroots initiative. StopBadware seeks the involvement of the community by asking for submissions of stories and technical reports.
Honestly speaking I have my doubts about this project. There are already numerous initiatives and the only one which makes sense to me is the anti-spyware coalition. They are even using a new name which is ridiculous ... badware is malware, a name which is already defined ... less or more... if you see what I mean. I don't believe in a Neighborhood Watch if your gatekeepers are babies, but you'll never know.

Monday, January 23, 2006

Nyxem.e widespread?

This worm definitely has a problematic payload and with over 600.000 infections worldwide now the effect could be bad. The worm's destructive payload activates on every third day of the month by replacing the content of user's files with a text string "DATA Error [47 0F 94 93 F4 K5]". Among these files are: DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP. The worm also has an interesting feature: it increases a counter on a website every time a new machine gets infected. The status in Belgium and the Netherlands seems to be quite stable at this moment with not too much infections yet but this could change.Will we see more problematic viruses like this one in the near future?

Was Brain the first virus?

Several people asked me if Brain was really the first virus ... well no, it was the first PC virus.
The Brain computer virus started spreading among IBM PC systems 20 years ago this month, but the self-propagating program was not the first computer virus. The honors go to a UNIVAC program that acted as a carrier for a variant of the Animal game. The virus, though it was not called such, was dubbed PERVADE by its author, John Walker. A network administrator in the 1970s, Walker created the program to help him deal with all the requests for his variant of the ANIMAL program, a game where the computer would try to guess the animal the user was thinking about by asking yes-or-no questions. Other administrators would send him tapes on which he could copy the ANIMAL program. After mailing several tapes to interested people, Walker decided to create a program to distribute the game automatically. Whenever ANIMAL would run, the PERVADE program would look for writable directories on computer and copy itself to the directory. Within a few weeks, administrators at other companies started reporting the program on their systems. Walker went on to found AutoDesk in the 1980s. The Brain virus does not even get a trophy for the first general personal computer virus. That nod goes to the Elk Cloner program for the Apple II created by Rick Skrenta, now the co-founder and CEO of The program would infect Apple II disks and display a poem every fifth time the program ran. Four years after Skrenta created his cloner program, two Pakistani brothers, Amjad and Basit Farooq Alvi, created the Brain virus to infect IBM PCs. The program may have been the first attempt at "viral" marketing: An infected machine would flash a message on the screen, advertising the company Brain Computer Services of Lahore, Pakistan.

Thursday, January 19, 2006

Happy Birthday Brain!

Time passes sometimes too quickly. It's just 20 years ago that the first pc virus appeared: Brain. It's also unbelievable how complex new viruses are if you compare them to the Brain virus. I'm also too long in this business, that's now about 17 years .... a record in Belgium (and also in some other parts of the world)! Let's keep us going for another 20 years ... when viruses will appear on all our equipment: refrigerators, toasters, etc ...

Tuesday, January 10, 2006

WMF exploits - Two new areas of vulnerability?

There may be two new areas of attack for malformed WMF files, which
may not be covered by MS06-001? So far, no exploits in the wild have
been reported and I am watching this new potential exposure.
Microsoft Windows Graphics Rendering Engine Multiple Memory Corruption
QUOTE: Microsoft Windows WMF graphics rendering engine is affected by
multiple memory corruption vulnerabilities. These issues affect the
'ExtCreateRegion' and 'ExtEscape' functions. These problems present
themselves when a user views a malicious WMF formatted file containing
specially crafted data. Reports indicate that these issues lead to a
denial of service condition, however, it is conjectured that arbitrary
code execution is possible as well. Any code execution that occurs
will be with the privileges of the user viewing a malicious image. An
attacker may gain SYSTEM privileges if an administrator views the
malicious file.
But let us stay calm as it is not 100% sure yet, that we will have a new problem.
The time was too short for me to look into this very closely.
Microsoft official response to today's Bugtraq disclosure will be posted shortly at:

Friday, January 06, 2006

WMF Microsoft patch realeased a few hours ago

We just found out that Microsoft is going out of normal update cycle to release security update MS06-001 today. This will fix the WMF vulnerability on XP, 2003 and 2000 (sp4) systems. Microsoft originally planned to release the update on next Tuesday, but they finished testing early.
Everybody was hoping they would get the patch out before a major attack would start. Now it looks like Microsoft succeeded in doing just that. That's very good news, thank you Microsoft. The patch can now be downloaded from here.

Wednesday, January 04, 2006

WMF exploit again, interviews and Sober!

At the moment, the number of different WMF exploits I saw has gotten well past a hundred and more are coming every hour. But that's not the worst. The most recent exploits show that the bad guys have been very very busy finding and implementing new ways to get their exploits past various AV products. So much for the dark side taking a break over the winter holidays and New Year... And of course Microsoft is busy developing a fix but that takes ages... Good points however for Ilfak Guilfanov's patch, which is currently the most popular one. Also a beta version of the Microsoft patch, scheduled to be released on January 10, was leaked on the Internet. Microsoft has recommended customers to "disregard" it and they warn that threats could be hidden in any patches coming from dubious sources. Of course, you should never use a patch from an untrusted source, no matter how promising it looks. Ilfak's patch is the only one I can recommend. Make sure you do some testing beforehand, especially if you are going to deploy it on a large number of production machines though. You should always be very wary of any third party patch from an untrusted source, whether it's claiming to fix an old vulnerability or the latest WMF vulnerability. This is a method which has successfully been used in the past to distribute malware.

During the day I've been interviewed by 2 Belgian TV Broadcast stations VRT and VTM. You can find them at the sites and however I will also post a snippet of them next weekend on my press page. Also the Newspaper 'De Morgen' asked me for some comment.

Like I've told you before (last year?) within this blog, this exploit would become a large problem.
You definitely can see it now, isn't it?

And possibly with all these problems we will miss another upcoming problem ... the rise of the old Sober ... the update phase starts on the 6 of January 2006. This means that all machines infected by Sober will try to download and execute code from certain addresses... oh oh what a week!!!!

Monday, January 02, 2006

Overview of 2005 Malware
That's the Computerworld (Dutch-Belgian) page where you can find the overview of 2005 viruses and malware. I'm also quoted. I will also put a link on my press page shortly.
Let's hope now that the WMF exploit-based malware is not giving us our first large 2006 outbreak.

Other WMF malware ...

And it continues to rain other malware based on the WMF exploit. It's seems to be a race to have a winner, something like the best spreading malware based on the WMF exploit. Will we get problems with it? Yes, we have already problems, a lot of people don't know it yet but they have been infected in the last week and still nobody seems to ring the alarm bell. But I do know there have been a lot of problems already. Several calls and cases are proof from this. It's just that nobody seems to realize what's really happening. Those WMF problems/malware are In-The-Wild and not only in Belgium.