Wednesday, May 31, 2006

Three new articles on the press page.

Three new articles with some interviews with me will be available shortly on my press page which you can find at
One of them is from the Gazet van Antwerpen Newspaper (31 May 2006-Today) and is commenting the problems seen with security and wireless networking, the second one was published in Smart Business Strategies (June 2006) and comments on the movie Firewall. The third one is a conference report of the EICAR conference 2006 I wrote for Virus Bulletin June 2006.

Microsoft's Live OneCare GO!

Windows Live OneCare will go on sale online today and in U.S. stores Thursday. The $49.95-a-year subscription service includes anti-virus protection, firewall, anti-spyware, PC tuneups, file backups and free support. One subscription works for up to three PCs. It's part of a broader move into security software that is positioning Microsoft to compete with other companies that offer security protections for its Windows operating system. McAfee's new offering, code-named Falcon, will come out this summer. Symantec will release a new service, code-named Genesis, also this year. From security flaws to untimely crashes, Microsoft Corp. has caused PC users no small amount of frustration over the years. Will they now be willing to pay the company to solve their computer-related woes? Microsoft will soon find out.

Symantec vulnerabilities update confusion.

All versions of 10.0.x and 10.1.x of Symantec Antivirus Corporate Edition and 3.0.x and 3.1.x of Symantec Client Security seem to be vulnerable. Symantec Antivirus Corporate Edition version 8.x and 9.x seem to be ok. Symantec released 4 patches for each product: Symantec Antivirus Corporate Edition10.1.0.394 -> ; -> ; -> ; -> and Symantec Client Security -> ; -> -> -> . Now, if you are running any other version that is affected, you will have to first upgrade to one of the versions that have the patch out and then install the patch. I hope this will clear the confusion. There seem to be some mitigations to the problem though. As eEye stated, this is a remotely exploitable vulnerability. Symantec Antivirus Corporate Edition, when in managed mode, will have the service Rtvscan.exe listening on TCP port 2967. In case that your host based firewall is configured to block access to this port ( meaning that you can't manage the client from the centralized server, at least not until the client connects to it) you should be ok. This is the kind of problems I really don't like. And I'm possibly not the only one. Do I have another AV product on my machine? What do you think?

Tuesday, May 30, 2006

Refunds for Sony DRM rootkit victims.

A class action suit against Sony BMG has been granted final approval for a settlement by the federal court, allowing music fans to claim refunds and free music downloads. The case was brought against the music giant after it included potentially dangerous copy protection software on an estimated 15 million music CDs. Sony's controversial digital rights management software, included on CDs from the likes of Neil Diamond, Alicia Keys and Dido, introduced a rootkit-style "cloaking" vulnerability onto PCs. The vulnerability was exploited by some malware in an attempt to evade detection by anti-virus software, leading to a public relations disaster for Sony. Let's hope that other entertainment companies interested in protecting their music and movies from pirates will hopefully have learned not to borrow techniques from malicious hackers.

Monday, May 29, 2006

Spam is hot or not?

A few weeks back, prolific anti-spam researcher John Graham-Cumming announced a new site,, where you can donate your time to spam research. That's right, visitors to the site can spend a few minutes (or hours, or weeks, as you deem fit) looking at messages one at a time, and judging whether they think each is a spam or a ham (legitimate, non-spam) message, thereby helping The Cause. This is important because (a) it helps improve the quality of the collection, and (b) coincidentally, it helps build a benchmark for how good or bad actual humans really are at making this judgment. The preliminary results are already interesting. John looks at it that it's like Hot or Not for email. Interesting is the fact that machines are sometimes better at classifying email than humans. And the result of this project certainly will shead more light on that topic.

Symantec damaged and repaired!

A lot of reports and press releases pointed us to an "Advisory" posted at eEye that describes a remotely exploitable vulnerability in Symantec Antivirus 10.x and Symantec Client Security 3.x. Symantec responded very quick and posted patches for the Security Advisory SYM06-010. It appears at this time that the patches are manual download and install. We don't know at this point if a product live update will be posted for these patches but for the meantime it is there for manual load. If you have the newest Symantec products it seems to be patching time. Why can't all software products be without exploits. Isn't everybody not searching the exploits or bugs inside products?

Spyware goes the parasitic way

The concept of ‘parasitic spyware’ predates the popularity of the term Spyware or Adware. W95/MTX was a parasitic virus discovered nearly six years ago and contained a backdoor (one type of spyware that allows a remote attacker control an infected computer remotely). In recent years there’s been a clear distinction between the well organized spyware creators and parasitic virus authors, but that may be changing. The group behind or the so-called gang has begun to move into the area of parasitic virus creation, seen with the discovery of W32/Fontra.a. This is the same group who heavily exploited [Exploit-WMF] a 0-day WMF buffer overflow vulnerability around the time that it was discovered. They’re known for, among other things, hacking web servers to embed small encrypted script code that load other web pages containing various exploit code (such as Exploit-ANIFile, Exploit-ByteVerify, Exploit-CodeBase, etc). Typically the exploit code results in a downloader .EXE file being run on vulnerable systems, which then installs dozens of other downloaders, spam, proxy, and password stealing trojans. It’s also common for rogue anti-spyware scanners to get installed along the way, such as SpySheriff, Spyaxe or BraveSentry. This group keeps the target moving and appears to be well funded, which could equal a rise in the number of parasitic infectors discovered over the next several months. Who is funding those guys, organised crime? We don't know yet but time will tell...

Sunday, May 21, 2006

New MS Word zero day vulnerability.

The Internet Storm Center is reporting a new zero day vulnerability in Microsoft Word. I don't yet know if the exploit is being widely used. However, early reports indicate a limited, targeted, attack something I predicted about a year ago now. Malware which spreads via email is exploiting the vulnerability as a specially crafted MS-Word doc attachment. If the attachment is launched, this triggers a process which results in a backdoor being installed. So, it's a new vulnerability, and new malware targeting that vulnerability, but as far as we know, it's not being widely exploited at the moment. It's called W32/Ginwui by most AV-labs or vendors.

Thursday, May 11, 2006

Firewalls and mailboxes...

It's unbelievable ... look what we found this morning in the NOXS mailbox : Yes, a firewall with a request from the customer to repair it ... That company must have some very good security at their gateway at that moment. They are very lucky that we found it as mostly this mailbox isn't being used anymore thanks to the real postmen bringing the mail straight to us...

Nice comments from Microsoft!

We've got some nice comments from Microsoft about (our) EICAR 2006 conference. Look at for more.

Tuesday, May 09, 2006

No virus outbreak during the EICAR 2006 Conference.

We didn’t got a fourth outbreak of a new virus this year during the EICAR conference. The release of Sober.P in Germany on the first day of the conference last year caused a lot of activity and provided another talking point as this added to a trend that seems to have emerged over recent years - Bugbear.B having been released during the 2003 EICAR conference and Sasser having appeared during the 2004 EICAR conference.

Wednesday, May 03, 2006

EICAR 2006 Conference in Hamburg has been a success!

The conference has been a success. A lot of attendees and nice papers made the conference a must this year. I possibly will post more material shortly but these are already some small pictures I took with my mobile phone. But now I say bye to Hamburg. The next conference location will be Budapest or Barcelona but it still can change...

Richard Ford, David Perry and Larry Bridwell during a break

Prof. Klaus Brunnstein during his brilliant keynote speech