Sunday, December 31, 2006

Several Millions 'Happy New Year' worms spammed!

At this time, I have received tons of reports of people having seen variants of the email containing the postcard.exe attachment as previously reported. Some AV vendors call it W32/Nuwar@mm . I even received a video from a reader Didier Stevens trying to look at it here (a YouTube Video).
The variants may be changing the subject lines, but are definitely changing the executable name. Reported name variants are "greeting card.exe", "greeting postcard.exe" and "GreetingCard.exe". A list of lines and variants were provided by some readers and vendors. This is a good start, but most likely partial: Annual Fun Forecast! Baby New Year! Best Wishes For A Happy New Year! Fun 2007! Fun Filled New Year! Happiness And Continued Success! Happiness And Success! Happiness In Everything! Happy 2007! Happy New Year! Happy Times And Happy Memories! May Your Dreams Come True! New Hopes And New Beginnings! New Year... Happy Year! Promises Of Happy Times! Raising A Toast To Happy Times! Scale Greater Heights! Sparkling Happiness And Good Times! Warm New Year Hug! Warmest Wishes For New Year! Welcome 2007! Wish You Smiles And Good Cheer! Wishing You Happiness! Wishing You Happy New Year!
Some of the variants are even not detected yet if you are using the normal update procedure from several AV vendors... I hope you will not be infected next year with any of these ... A Real Happy New Year from me to all of you!

PS: At this moment the spamming of Tibs/Nuwar/Luder just suddenly stopped. The question is for how long.

Friday, December 29, 2006

More Happy New Year e-Card problems!

What did I tell you. There's a large scale spam, send out with short e-mail messages. No text, just the subject field of "Happy New Year!" and a file named postcard.exe as an attachment. The attachments are variable and most AV-packages at this moment can detect it, at least if you did an update. In general, kill all files named "postcard.exe". They are always problematic in my opinion. Please don't use virtual cards! Just use plain text ...

Thursday, December 28, 2006

Happy New Vista Year!

Do virus or exploit writers ever go on vacation? I don't think so! On December 20, a new zero-day exploit for Microsoft Windows operating systems was released. This exploit targets a weakness in the Client Server Run-Time Subsystem, and allows local privilege escalation or denial of service. Microsoft has acknowledged this vulnerability and admitted that its newest operating system, Windows Vista, is vulnerable. And it seems that we even got 5 more problematic Vista flaws as well ... and that's just the beginning probably. I predicted these problems already one year ago ... It's time to take a holiday break isn't it, so please keep reading for more on exploits released this holiday season. And guess what .. I'm sick at home today ... It seems that I got no defense for this biological virus which took my voice away. But I'm getting better already...Happy holidays!

Virtual postcards are dangerous!

As we see every year, Christmas season is a great opportunity for a new virus to spread by email using “Christmas” as a reason to read the email. We just had a post here on Avert Labs blog about one a few days ago. Several days ago I got an email from my bank, stating that I could start to send Christmas and New Years virtual cards through their website! I immediately thought that it was a phishing scam, so I decided to check the link. It was indeed a new url created by the bank, something like www.christmascards[insert Bank Name here].com , where you could select up to 4 different Christmas / New Years cards and send to your friends… Like every year I got several malware virtual postcards. I really don't like virtual postcards, but here, this strange marketing campaign will make things real easy for the bad guys, since the real bank sent a mass mail to all customers telling them that they can send those cards from their website. Now, what do you think will happen when the bank customers start to receive fake virtual postcards on behalf of the bank, with attached malware? Unfortunately there seems to be more Christmas-related malware floating around. Now there's a backdoor named Christmas_Puzzle.exe. This one uses a rootkit to hide its presence on a system. And then there's a PowerPoint file named Christmas+Blessing-4.ppt (see picture). This one uses MS06-012 or a related vulnerability to drop and execute two embedded programs. As a decoy, the exploit has been embedded in an innocent Christmas-themed PPT slideshow that has previously made the rounds. So take my advice: just send out 'plain-text Seasonal Greetings'. Merry Christmas!

Monday, December 18, 2006

A few tips against SPAM!

So, what can we do to protect ourselves and help turn the tables in the fight against spam? First, it’s critical that computer users protect their desktop and, if possible, their Internet gateway against spam using an up-to-date antivirus, firewall, and spam filter. Second, users should not click on any email that appears to be spam, nor should a reply be sent to any email that is spam. Doing so could alert the spammer(s) that the user is replying from a legitimate email address (therefore, the spammer would find it worth the time to send more spam in the direction of that Inbox). Last, but not least, users should never click on any link in a suspicious email. If it is felt that the sender is legitimate, users should contact the sender directly (not by email) to ensure the email message is also legitimate. I know that even these small tips will not be enough but at least they will be a help to reduce the SPAM problem in general. 90 % of all email at this moment seems to be SPAM ... it's really bad this time but it seems to be logical as it is nearly the end of the year...

Monday, December 11, 2006

Another MS Word Vulnerability...

Yesterday Microsoft Security Response Center reported about yet another Word vulnerability. The new vulnerability affects Word 2000, 2002, 2003 and Word Viewer 2003 but not Word 2007. The vulnerability allows a malicious person to automatically execute code on the target machine when a DOC file is opened so it's very similar to most of the other Word vulnerabilities we've seen during 2006. As it is being exploited, although the distribution so far is very limited, and there is no patch available I can only continue to use the same workaround as previously recommended - not to open or save any DOC files from untrusted sources or files that you have unexpectedly received from sources you trust. Of course I don't want to exagerate and hype these things but as you see there is still a lot of work which must be done by Microsoft.

Saturday, December 09, 2006

More Adobe and Microsoft problems ...

Microsoft has announced that it plans to release 6 updates on December 12th. These bulletins address vulnerabilities in Microsoft Windows and Microsoft Visual Studio. The highest severity rating as given by Microsoft for the bulletins is critical. Microsoft has not announced that the Microsoft Word vulnerability, as previously reported on December 6, will be patched on December 12. This vulnerability, described in Microsoft Security Advisory (929433), covers an unspecified code execution flaw that may allow for arbitrary code execution when processing Microsoft Word documents with malformed strings. Code execution would be at the rights level of the victim. I recommend not opening documents from untrusted sources and using extreme caution when opening documents from trusted sources. Further on two 0-day issues have come to light recently affecting Adobe Download Manager and the Microsoft Windows Media Player. Each of these issues may allow for arbitrary remote code execution. The Adobe Download Manager vulnerability lies in the AOM format parser. The Windows Media Player vulnerability lies in the WMVCORE.DLL library. Both of these vulnerabilities would require user interaction to successfully exploit. I predicted all these problems a long time ago...

FlexiSpy on TV (Q21 - WDR)

Wolfgang Rathgeber, the German journalist who interviewed me for the Q21 magazine-WDR has put up some information related to the problem at his Blog which you can find at .
You can even find more at the Q21-magazine page of the interview viewable at
I must say that the reportage was made quite good and very attractive. I got several good comments on it. If you missed it, you can visit my 'press page' to watch it. On the picture you can see Wolfgang and myself sitting together in a typical old Brussels bar. I must say that it's a shame that Vervata, the company which created this software will be shortly also adapting it to the Windows Mobile OS platform. And they still deny that this software is 'problematic'.

Wednesday, December 06, 2006

Problematic Zero-day Vulnerability in Microsoft Word!

Microsoft has just released a security advisory (929433) about a new zero-day vulnerability found in a bunch of versions of Word and also Works: Word 2000, Word 2002, Word 2003,Word Viewer 2003, Word 2004 for Mac, Word 2004 v. X for Mac, Works 2004, Works 2005, Works 2006
So far the use of this vulnerability is limited and the AV industry is monitoring the situation. Let's just hope Microsoft can get this fixed in time for the next batch of monthly patches which is on the 12th of December. In the meanwhile, you could follow this useful workaround suggested by Microsoft: Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. Interesting suggestion isn't it? That's what I call a bad 'Sinterklaas' gift. I hope the Holy Man will give us something better next time!

Sunday, December 03, 2006

WDR Q21 interview and DataNews trainings special.

I was interviewed yesterday by Wolfgang Rathgeber (see picture) from WDR for the tv-magazine Q21. It took about 5 hours to make this interview. And this is only good for 7 minutes broadcasting time. You can watch it now next Tuesday via WDR at 21.00 . It's all about spying with mobile phones and I'm showing the very nasty sofware FlexiSpy which is able to help you with this in a very easy but unsafe way. You can definitely define this kind of software as Spyware. It's good that some mobile AV-software like the one from F-Secure will be taken care of this kind of Malware. And this is not all for today ... Two days ago DataNews published a special about IT-training. I was interviewed and cited about the need for security training. I also explained that the lack of security awareness within small companies is still a big problem. At least large enterprises seems to now a little bit better what they are doing. I will try to put some of these interviews at my press page next week. And now I have 2 days off ... at last ...

NOXS Security Congress 2006

Our 2 day congress was a success. With over 300 participants divided over Luxembourg and Belgium we can define it as 'The Security Event' to be! However I can't feel my feet anymore and my voice seems to be fading away...