Wednesday, January 31, 2007

eBay likes Second Life.

eBay on Monday confirmed its decision to ban auctions for the characters, currency, weapons, attire and accounts of online games such as World of Warcraft, City of Heroes and others. By proactively delisting auctions for property from virtual worlds and online games, eBay may be effectively forcing players who participate in such trades into the hands of giant third-party operations that buy and sell virtual goods. Given that a significant slice of the multi-hundred-million-dollar business took place on eBay until now, the move portends a significant shift in who controls the market for virtual goods. In most cases, publishers of online games include in their terms of service a prohibition on so-called real-money trades (RMTs), in which people buy and sell online games' virtual assets for real money. Players who violate such rules can be banned. But because eBay has dominated the auction market for RMTs, there's little question that the short-term winner in this latest circumstance will be sites such as Internet Gaming Entertainment ( ) that control the third-party market.
Second Life however has escaped this decision because it's defined as 'not a game'.
There are numerous password-stealing trojans specifically designed for World of Warcraft and these other massively multiplayer online games. The passwords are used to steal gold and other items from victims so that it can be re-sold online, a perfect way out for money laundering in most cases. I thaught that eBay did this to stop the misuse of these things. Strange ... Second Life is definitely also one of the targets of those password stealers.

Sunday, January 28, 2007

More Storm Worm Trojans and the KMO-IT roadshow.

1) This weekend another bunch of Storm Worm variants appeared over here in Belgium. Some of them are corrupt. I've been interviewed about the Storm Trojan by the Belgian press agency Belga during the last week. You can find some links at my press page about it.
2) The KMO-IT roadshow seems to be a success until know. I will try to post a picture from it at this blog shortly. We got a lot of participants each session. If you want and have the time .. don't miss it! You can find the dates and places below at this weblog.

Monday, January 22, 2007

Storm Worm is not a Storm in a Teacup.

The weekend has been very busy with the Storm Worm. I saw even new variants that have started to use kernel-mode rootkit techniques to hide their files, registry keys, and active network connections. Not every vendor was fast enough to counter the high load of spamming of these new variants however if you have a good strategy to block executables at the gateway or even if you are using some email-clients in a good way (disallowing exe's) you didn't need to use any of the updates. Like I said in the past, it all depends of some small and easy security settings.

Thursday, January 18, 2007

Eddy's One Man Show ...

During the next two weeks I will do a roadshow in cooperation with KMO-IT, Unizo, NOXS and EICAR. Each evening I will give a 2-hour lecture concerning basic security related to small businesses. This could be very interesting for you if you want to know what malware is and how you could protect your business against it. You can find more info at the KMO-IT site ( see ) itself. You can find the invitation flyer at my site link .

Here are some addresses and dates:

Donderdag 25 januari 2007
Auditorium Gaselwest (Electrabel)

Dinsdag 30 januari 2007
Auditorium Electrabel

Woensdag 31 januari 2007
Holiday Inn

Dinsdag 6 februari 2007
Auditorium KBC

Donderdag 8 februari 2007
Auditorium Electrabel

Start: 20:00 hours
It seems that I definitely know what to do during the next weeks.
And to my readers : You are all invited of course!

Monday, January 15, 2007

Defaced still not available!

The site of the Belgian Military and the Ministry of Defense is still not available after the deface which happened yesterday. At least you can find the defaced website at . The site was defaced by the Turk forcers and VolTigoRe (see picture). Why is it taking such an enormous amount of time to re-establish the site or are they really so unsure about the security of the website-platform they've used?

Symantec vulnerability is really problematic!

Something I saw during the past weeks ... Symantec has widely reported vulnerabilities in clients and below. It is a remotely exploitable vulnerability that does not require user intervention. remediates the problem. Over the last several days, we've experienced a significant number of systems (missing the Symantec patch) that have been exploited by a worm. The worm spreads by a number of mechanisms, but namely the Symantec vulnerability over port TCP 2967. I was able to capture traffic from an infected host. The worm tries to phone home to By blocking this on the outbound firewall or router, the worm will stop attempting to spread. We have captured as well a fair number of attacks against ports 2968 and 2967 over the last week and they appear to be identical in payload. The shellcode opens a bindshell on port 8555, which is then connected to and either ftp.exe or tftp.exe are used to download what appears to be the botnet client. I also found samples of new Spybots using this vulnerability at several sites in Belgium. Long story short, be sure to patch your systems! The problem is harder than most of us think.

Wednesday, January 10, 2007

Happy New Month of Apple Bugs.

For many, the Portable Document Format (PDF) has become the de-facto standard for exchanging documents. In using PDFs, some wish to sidestep the risks of malware-prone Microsoft Office documents. But with the announcement of six new PDF-related vulnerabilities in several security forums last week, we should all now be more careful with PDFs.
The first five of these new vulnerabilities have to do with the Adobe Reader plugin. Attacks that exploit these flaws may result in one of more of these results: HTTP-response splitting, cross-site scripting, session forgery, session riding, denial of service, memory corruption, or code execution. This scary list of attack results notwithstanding, a user would have to open a malicious web URL for an attack to occur. Adobe has issued Adobe Reader 8 that remedies these flaws. The sixth new PDF vulnerability is also the sixth of the Month of Apple Bugs (MoAB) installment. If a malicious PDF document crafted to exploit this flaw were opened by a user, it would corrupt memory and could lead to code execution. I predicted in DataNews and also the EICAR newsletter one year ago already that problems like these would arise. Let's see what the New Year will give us concerning other Malware problems.
Let's see as well what the next days will give us ... ah, the yearly 'NOXS New Year diner' is something for tomorrow... I'll hope we don't have an outbreak of something at that moment.