Friday, January 25, 2008

Leaving NOXS - Westcon ...

Dear blog readers,

Today I'm leaving NOXS after 11 years.
I can assure you that this gives me a strange feeling.
I thank all my colleagues at Data Alert/NOXS/Westcon
in the past years for the nice experience.

However, I stay within the anti-virus/malware industry. I am going to a vendor.
There will be a small silence on this blog for a week or so. After this period there will be a press release stating where I've started to work and what I will do in the near future.

What do you think? Any idea?

Thursday, January 24, 2008

Viruses in the picture (frames) !

Best Buy Co. Inc. sold digital picture frames during the holidays that harbored malicious code able to spread to any connected Windows PC. It is not recalling the frames, however. A limited number of the 10 inch digital frames sold under its in-house Insignia brand were contaminated with a computer virus during the manufacturing process, according to a notice posted on the Insignia site last weekend. Best Buy did not specify the number of virus-loaded frames that had ended up in customers' hands, but said in a second notice that it is continuing to investigate this problem.
This incident shows again the infection possibilities on every kind of device which has memory built-in. This will become a larger problem in the future. My advice: Please scan always everything you buy ... or at least always have your anti-virus in the background running!

Wednesday, January 16, 2008

Valentine's Zhelatin-Storm.

Yesterday I started receiving another wave of Storm/Zhelatin e-mails, this time exploiting our love: you got it, Storm/Zhelatin started exploiting Valentine’s Day.
The e-mails Storm is sending are same as in last couple of waves – a subject designed to catch your attention and the body with a URL consisting of only an IP address. Once a user visits the web site he is served with a nice web page with a picture of a Valentine hart in the middle and a link to download an executable – same as with previous versions. So is there anything new about this variant of Storm? Not really. The social engineering attack is the same as before. Actually, there are a lot of similarities with Storm’s Valentine’s attack last year (2007). The subjects are almost the same and the only difference is that last year Storm sent itself as an attachment. So we can say again .. the story continues.

Thursday, January 10, 2008

Storm is Phishing!

There is another twist in the Storm-Zhelatin story; it is being used to host phishing sites. The gang behind this prolific malware has registered domain names similar those used by well known banks such as Barclays and Halifax. They are directing web requests to these rogue domain names toward computers infected with Storm. The infected computers serve a fake login page and will steal the user name and password of any visitor. Following some sources like F-secure, it seems that somebody is now using machines infected with and controlled by Storm to run phishing scams. I haven't seen this before.

New MBR Rootkit is using an old technique.

Over the past month, a new type of malicious software has emerged, using a decades-old technique to hide itself from anti-virus software. The malware installs itself on the first part of the computer's hard drive to be read on startup, then makes changes to the Windows kernel, making it hard for security software to detect it.

The first interesting part is the timeline:

Aug 1, 2005 - eEye publishes PoC code
Aug. 3, 2007 - Vbootkit presentation at Black Hat USA
Oct. 30, 2007 - Original version of MBR rootkit written and tested by attackers
Dec. 12, 2007 – First known attacks installing MBR code
about 1,800 users infected in four days.
Dec. 19, 2007 - Second wave of attacks installing MBR code
about 3,000 users infected in four days
Dec. 22, 2007 – Malware Research Form members discover rootkit in the wild
Jan. 2, 2008 - GMER research and analysis of MBR Rootkit code
Jan. 7, 2008 – First anti-virus vendors detect MBR rootkit components
The next big thing is that those distributing this rootkit, also distribute the Torpig banking Trojan.

The rootkit is currently being installed through a set of relatively old, and easy to patch Microsoft vulnerabilities:

Microsoft JVM ByteVerify (MS03-011)
Microsoft MDAC (MS06-014) (two versions)
Microsoft Internet Explorer Vector Markup Language (MS06-055)
Microsoft XML CoreServices (MS06-071)
But that can change at any moment to something more recent.

Malicious software that infected the master boot record was common during the MS-DOS era, but it has not been used much in attacks in recent years.
The rootkit cannot be removed while the OS is running, as it must be removed while the rootkit code itself is not running. During tests, running the "fixmbr" command from within the Windows Recovery Console successfully removed the malicious MBR entry. To help prevent similar attacks in the future, and if your system BIOS includes the Master Boot Record write-protection feature, now is a good time to enable it!

Tuesday, January 08, 2008

The iPhone and a trojan!

What did I told you about a year ago ... malware would be coming for the iPhone and ... what appereared several days ago ... indeed a trojan for unlocked iPhones. The trojan installation package seems to be contain false application installation information that causes third party applications to be removed if the trojan is uninstalled from the iPhone. I saw warnings about the trojan at in thread
The malicious package was taken offline soon after the discovery of this low-risk threat over the weekend.
This only shows us a normal security related problem with an iPhone. Be aware that this is just the beginning... It's still strange that we didn't saw too much problems (yes I know, we got a few) with Windows mobile based phones until now, isn't it?

Monday, January 07, 2008

EICAR and the smallest webserver in the world.

I just was made aware that my colleague blogger Didier Stevens created a very small webserver including our EICAR-test file.
You can find and watch what he did at

I must say that this is the weirdest thing I've seen which have been done with the EICAR-test file. Nice isn't it!

If you want more info about the EICAR-test file you can go to the EICAR website.
The file is used to find out if your anti-virus or anti-spyware program is working without having to use a real virus or malware.

Wednesday, January 02, 2008

Four in 10 SMBs are not secure!

Despite the best efforts of many small and medium sized companies, a recent US survey shows that four in 10 companies believe that their networks are not secure. Thirty-two percent of the companies also reported that they had suffered a breach in the past 12 months alone citing virus attacks and Internet downloads as the leading cause of the security breach. The survey, conducted by eMediaUSA on behalf of GFI Software, given to 455 IT executives from U.S. based small and medium sized businesses (SMBs). Further results on the survey can be found at more details on this release can be obtained on this URL

And this is not only in the US. I got the same reports over here in Belgium and the Netherlands, something I found out about 9 months ago and it has not changed in between...