Monday, April 30, 2007

Google and malicious sponsored links.

Google has removed paid links that advertised seemingly legitimate Web sites but actually tried to install nefarious programs on PCs. The links were displayed as "sponsored links" after visitors entered specific queries into Google's search service. Clicking the links would ultimately go to a legitimate site, but by way of another site that attempted a "drive-by installation" of password-stealing software. Miscreants placed the links using Google's AdWords service for advertisers.

Nevertheless I love Google. Yesterday I registered via Google, just to see how Google Apps are integrated into this 'domain pack'. Honestly it's easy and pretty good in my opinion. And even on a nice day as today with again no rain I was busy with it. Yippeeee, this is now the officially longest period in my life without rain! I love the warming-up effect from the earth .. well at least at this moment. I'm returning to my sunny garden now.

Wednesday, April 25, 2007

NOXS = Part of the Westcon Group Officially!

The contract Unit 4 Agresso and Westcon entered into regarding the sale of NOXS has been notarized, after the required approval from the competition authorities was obtained. The selling price of the NOXS distribution activities amounts € 53,25 million euros. NOXS is now part of the Westcon group. It reminds me at other events in my life: the different steps which keeps up appearing and brings a change to your life without knowing it ... well, at least I will be always busy with malware and the prevention or solution of it. For me it's more than just work, it's my life. Some people will never understand this.

Sunday, April 22, 2007

Nintendo's Wii security problems fixed?

Having a browser on board is asking for security problems even if it's on a gaming console. It seems that the popular next generation games console the Nintendo Wii has garnered some attention from the IT Security community. They have been picking holes in the software that makes up the Wii. Don’t worry, we’re not going to see thousands of Zombie Wii forming botnets just yet. The vulnerability that was found in the web browser Opera a few months ago can affect the browser included in the Wii. Now it seems that Opera for the Wii (aka ‘Internet Channel’) that was posted originally to the store was a pre-patch version of Opera. So anyone that downloaded the original Internet Channel for the Wii will have installed a vulnerable version of Opera. Although the current available exploits only crash your poor Wii, it is possible that someone could turn this into something more than a DoS but remote code execution exploit. But luckily the window of opportunity is closing for this vulnerability. On April 12 a patched version of Opera was added to the store for new Wii owners to download and existing owners to update from. I recommend that existing Wii owners look to upgrade ASAP the installed version of the Internet Channel they have on their console.
When will we have a security problem for the new Playstation 3 which has also browsing capabilities? Ah well ... I love my XBOX 360 which has currently no browsing possibilities.

Monday, April 16, 2007

YouTube broadcast available as MP4 file.

Two weeks ago I published my my first YouTube broadcast which got already good reactions.
You can find my first posting at . You can subscribe and view the complete channel at . Some people asked me to put it in a more readable and portable format like mp4. So I created a new directory on my website and you can find my first broadcast in mp4 format now at .
If you rightclick on this link and choose 'save as',
you can download the broadcast itself.
At least you got something different for your mediaplayer now. ;-)

Vulnerability in RPC on Windows DNS Server.

Microsoft is investigating new public reports of a limited attack exploiting a vulnerability in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Microsoft Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as these versions do not contain the vulnerable code. Microsoft’s initial investigation reveals that the attempts to exploit this vulnerability could allow an attacker to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM. Upon completion of this investigation, Microsoft will take appropriate action. International customers can use any method found at this location:
International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Friday, April 13, 2007

Another W32/Nuwar or Zhelatin variant on the loose!

Yesterday and today, several e-mails with love themed subjects were seen in the wild. While some of the subjects are a rehash of previously used subjects such as Sending You My Love, The Dance of Love, and When I'm With You, others are new:
A Dream is a Wish, A Is For Attitude, Eternal Love, Kisses Through E-mail, etc ....
The e-mail messages themselves have no text, instead, they have attached executables with romantic sounding filenames. These included:
Love Card.exe Love Postcard.exe Greeting Card.exe Postcard.exe
All files are detected as a Win32.Zhelatin or W32/Nuwar variant depending on the product you use.
A second run occurred after several hours.
This time, the subjects were security related.
Subjects included:
ATTN! Spyware Alert! Virus Alert! Worm Alert! Worm Detected!
Furthermore, the message body is an image file which advises the receiver to patch their systems. Also included within the image is a password in order to extract the attachment.
The filenames vary but they have the following format:
The executable contained within the Zip archive has the same name as that of the archive but with an EXE extension.
Please update ASAP as I have seen some products missing some of these variants.

Monday, April 09, 2007

World War III started during the Easter weekend!

Of course WW III didn't start this weekend however a large amount of malicious email has been sent with subjects suggesting a missile strike to civilian targents in Iran:"USA Just Have Started World War III" "Missle Strike: The USA kills more then 20000 Iranian citizens" "Israel Just Have Started World War III" "USA Missile Strike: Iran War just have started" Malicious executables with "video.exe", "movie.exe" etc. are attached. The files are detected by some AV vendors as W32/Zhelatin or variants of W32/Nuwar@MM. Also in Belgium we see a large amount of these. And that's not all, I even found a new backdoor/bot detected by no vendor at all at this moment. I've send the samples further to some Anti-Virus labs to add detection to their products ASAP. Happy Easter!

Tuesday, April 03, 2007

My first YouTube broadcast.

I just launched the first WAVCi lab broadcast at
YouTube. You can find my first posting at

You can subscribe and view the complete channel at

The broadcast will be dedicated to anti-malware, viruses and
security. It will be created in a different way compared to
other security broadcasts.

The whole broadcast depends also on what you want. So please
send your reactions to the mailbox I'm mentioning during
the broadcast. It's you who decide what I will do with
the broadcast in the future. I also will divide it up in several
chapters with some specific returning chapters with possibly
some items which have completely nothing to do with
security or anti-malware. Watch carefully and you can even
have a laugh with my 'blooper'.

At this moment you can also win
a full year subscription of McAfee VirusScan if you can
find out what the object is at the end of this first broadcast.
So please have a look and spread the word and also ...
send your requests and comments to the mentioned email address.

Monday, April 02, 2007

Microsoft will release update for ANI vulnerability on Tuesday.

Microsoft has announced that it will release an update-patch for the ANI vulnerability on Tuesday the 3rd of April. This is a week earlier as they usually release security patches on every second Tuesday of the month but as there is an increasing activity of sites and malware using the ANI vulnerability, they decided to give it an immediate 'go'. You might wonder how they were able to get the update out so quickly considering it was first used in exploits late last week. The issue of the ANI vulnerability was actually brought to Microsoft's attention back in December 2006 according to their their Security Response blog and they've investigating and working on a fix since then. Still I'm worried about this as they possible could already released this maybe last month ... It's good to know however that the AV products now covers most of the new ANI related worms or exploits.