historical vector data. stop tomorrow's worm


 December 2004 VECTORBLOG

December 24, 2004

arose such a clatter

Released in time for Christmas delivery: four new vulnerabilities in Microsoft Windows. Posted early yesterday, the proof-of-concept code (read: exploit code for future attacks) indicates that remote code execution is very possible via an overflow triggered by a specially crafted BMP, ICO, CUR, or ANI file, which could be dropped on a user through email or a request to visit a web page hosting the exploit. Another posted exploit involves the Windows Help system, the target of previous vulnerability research. Hopefully everyone is enjoying the holidays without much Internet interaction, which could keep any potential worm at bay. Note that no exploit has been found in the wild; however, the proof-of-concept samples that were posted do appear to be legitimate, at least on the few platforms that have been tested. The warnings are: Windows LoadImage API buffer overflow, two for kernel ANI handling (parsing crash and DoS), and the winhlp32 heap overflow and integer overflow.
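Since the LoadImage issue is an overflow triggered by size fields in an image header, here is an added example of the check a parser needs before trusting those fields. This is illustrative code written for this page, not code from the original post and not a description of the Windows implementation: it walks the BMP file and info headers, checks every declared length against the real file length, and computes the pixel-buffer size in unbounded integers so that a value that would wrap a 32-bit allocation in a native parser is reported rather than accepted. The sample files are constructed inline; the "huge biSize" and "huge dims" cases are hypothetical attacker-chosen headers, not samples from the posted proof of concept.

```python
import struct
from typing import Optional

# BITMAPFILEHEADER: bfType, bfSize, bfReserved1, bfReserved2, bfOffBits (14 bytes)
FILE_HDR = struct.Struct("<2sIHHI")
# BITMAPINFOHEADER: biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression,
# biSizeImage, biXPelsPerMeter, biYPelsPerMeter, biClrUsed, biClrImportant (40 bytes)
INFO_HDR = struct.Struct("<IiiHHIIiiII")
U32_MAX = 0xFFFFFFFF


def validate_bmp(data: bytes) -> Optional[str]:
    """Return None if the headers are self-consistent, otherwise the reason for rejection."""
    if len(data) < FILE_HDR.size + INFO_HDR.size:
        return "truncated header"
    magic, _bf_size, _r1, _r2, off_bits = FILE_HDR.unpack_from(data, 0)
    if magic != b"BM":
        return "bad magic"
    bi_size, width, height, _planes, bpp, compression, *_rest = INFO_HDR.unpack_from(data, FILE_HDR.size)
    # The declared info-header length must cover the fields just read and lie inside the file;
    # 14 + bi_size is exactly the kind of sum that wraps when done in 32-bit arithmetic.
    if bi_size < INFO_HDR.size or FILE_HDR.size + bi_size > len(data):
        return "biSize inconsistent with file length"
    if off_bits < FILE_HDR.size + bi_size or off_bits > len(data):
        return "bfOffBits outside file"
    if width <= 0 or height == 0 or bpp not in (1, 4, 8, 16, 24, 32):
        return "bad dimensions or bit depth"
    # Rows are padded to 4 bytes; width * bpp * height is the classic overflow multiplication.
    stride = ((width * bpp + 31) // 32) * 4
    needed = stride * abs(height)  # negative height means top-down rows
    if needed > U32_MAX:
        return "pixel buffer size overflows 32 bits"
    if compression == 0 and off_bits + needed > len(data):
        return "pixel data extends past end of file"
    return None


def build_bmp(width: int, height: int, bpp: int, bi_size: int = 40, pixels: bytes = b"") -> bytes:
    """Construct a minimal uncompressed BMP; used here only to make test inputs."""
    info = INFO_HDR.pack(bi_size, width, height, 1, bpp, 0, len(pixels), 2835, 2835, 0, 0)
    off_bits = FILE_HDR.size + INFO_HDR.size
    return FILE_HDR.pack(b"BM", off_bits + len(pixels), 0, 0, off_bits) + info + pixels


# Constructed inputs: one honest 2x2 24-bit image and two headers with hypothetical
# attacker-chosen size fields (a header length that wraps, and dimensions that wrap).
GOOD_BMP = build_bmp(2, 2, 24, pixels=bytes(16))
HUGE_BISIZE = build_bmp(2, 2, 24, bi_size=0xFFFFFFF0, pixels=bytes(16))
HUGE_DIMS = build_bmp(0x40000000, 4, 32)

if __name__ == "__main__":
    for name, blob in [("good", GOOD_BMP), ("huge biSize", HUGE_BISIZE), ("huge dims", HUGE_DIMS)]:
        print(f"{name:12s} -> {validate_bmp(blob) or 'ok'}")
```

The point of doing the arithmetic in Python's unbounded integers is that the validator can say explicitly "this would have wrapped" instead of inheriting the wraparound it is trying to detect; a C implementation would need the equivalent checks before every multiplication and addition involving header fields.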

 

December 23, 2004

creationists vs. Darwin

Added as the last vector space report of the year, Virolution examines whether or not viruses evolve and what impact they have on the Internet as they change. The idea of virus evolution has been written about before; this report attempts to provide common ground for researchers and put viral evolution in perspective as an interesting discipline within malware analysis.

 

December 21, 2004

where are you taking our tree santy claus

Another holiday greeting from the malware coders, this time a worm known as Santy. A worm exploiting phpBB (version 2.0.10 and prior; 2.0.11 includes the fix) is making the rounds, defacing bulletin boards all over the world. The worm, written entirely in Perl, exploits an input-handling flaw in the highlight parameter of viewtopic.php that allows PHP code injection: the parameter is URL-decoded a second time, so a double-encoded quote breaks out of the string and the text after it is evaluated as code. The malagent report shows what the defacement looks like and some of the details of the script/worm. Santy (the name appears to come from F-Secure) also records its own "generation" number, incrementing with each infection; this number is displayed in the defacement, as seen in the report here.
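For anyone watching their web logs over the holidays, here is an added example of detection logic for Santy-style probes, written for this page rather than taken from the malagent report or from the worm itself. It scans Apache-style access-log lines for requests to viewtopic.php whose highlight value still carries a percent-encoded quote after the web server's single decode, and whose twice-decoded form exposes a PHP function call. The log lines are constructed, not captured traffic, and only the shape of the request (double-encoded quote plus a call) is taken from the vulnerability described above; the exact payload the worm sends is not reproduced.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (not real traffic). The first has the shape of a highlight
# injection: %2527 survives the server's decode as %27 and becomes a quote on the second decode.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Dec/2004:10:14:02 +0000] "GET /forum/viewtopic.php?t=42&highlight=%2527%252Esystem%2528%2527id%2527%2529%252E%2527 HTTP/1.1" 200 5120
198.51.100.3 - - [21/Dec/2004:10:14:09 +0000] "GET /forum/viewtopic.php?t=42&highlight=perl+worm HTTP/1.1" 200 5120
203.0.113.7 - - [21/Dec/2004:10:15:31 +0000] "GET /forum/index.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# PHP calls an injected string would plausibly contain; extend as needed.
PHP_CALL_RE = re.compile(r"\b(system|passthru|shell_exec|exec|popen|eval|fwrite|fopen|include)\s*\(", re.I)


def highlight_indicators(once_decoded: str) -> list:
    """Reasons a highlight value looks like an injection attempt.

    The web server decodes the query string once before PHP sees it; the vulnerable
    phpBB code path decoded the value a second time, so an attacker double-encodes
    the quote that closes the string and the PHP that follows it.
    """
    twice_decoded = unquote(once_decoded)
    reasons = []
    lowered = once_decoded.lower()
    if "%27" in lowered or "%22" in lowered:
        reasons.append("double-encoded quote survives first decode")
    if PHP_CALL_RE.search(twice_decoded):
        reasons.append("PHP call visible after second decode")
    return reasons


def scan_log(text: str) -> list:
    """Return (ip, target, reasons) for each request flagged as a Santy-style probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/viewtopic.php"):
            continue
        # parse_qs performs the single decode the web server would have done.
        for value in parse_qs(parts.query, keep_blank_values=True).get("highlight", []):
            reasons = highlight_indicators(value)
            if reasons:
                hits.append((m.group("ip"), m.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
```

The first indicator alone (an encoded quote that survives one decode) is the one worth alerting on: it is the mechanism of the bug, independent of which PHP call a given worm variant chose, so it keeps catching variants after the call list goes stale.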

 

December 16, 2004

voodoo doll

The last part in this fall's Investing in Awareness series deals with the result of warnings without substance: crying wolf with virus outbreak stories and not truly educating users. The report, Fighting the Voodoo, argues against the "dark art" status many info security snobs like to give their profession. Check out the rest of the Awareness series here if you haven't already.

 

December 15, 2004

season's greetings

In the fine tradition of such holiday greetings as Happy99 and Navidad, Zafi.D (Erkez) is providing a little Christmas cheer of its own. The worm has basically the same properties as its previous incarnations, except with a new shell and a new backdoor routine. Check out the details here.

 

December 14, 2004

seconds

The December edition of Microsoft's security advisories/patches is out today. It includes five new vulnerabilities (all rated "Important"). The infectionvectors summary is available here and also covers the earlier December release, MS04-040, the IE cumulative update. That update still rates as the most important of the batch, as it is already being used as a vector for malcode injection.

 

Of particular note to virus researchers will be the update with LSASS in the title; however, this one does not appear to have any remote code/worm implications at present. The mood at Microsoft could certainly be described as less than panic, since none of the alerts received a "Critical" rating from the vendor.

 

December 10, 2004

training revisited

November's training presentations are being downloaded at a pretty good clip, as are the new PDF versions of the iv features. Please drop an email our way if you end up using either in corporate training initiatives. 

 

December 6, 2004

dui

Sober.I's impact has not been fully realized. It continues to pummel mail relays after placing itself squarely in the top 5 viruses reported to Sophos last month (#2, just missing the top spot). In a very unofficial study, infectionvectors.com honey-inboxes have captured twice as many samples this week as in all of the previous weeks since its release combined.

 

December 5, 2004

spam crusaders

Much has been made over the recent efforts of Lycos Europe to provide users with a means to fight back against spammers. Lycos offered a screen saver at makelovenotspam.com that initiates DoS attacks against known spam sites. This is a timely development, as the latest infectionvectors.com Vector Spaces feature deals with vigilante justice on the Internet by way of "beneficial" worms. Check that report out here.

 

As one may have guessed, the spammers fought back. The targets of the screen saver redirected the traffic back to the Lycos site, beginning the inevitable infinite regression that is vigilante justice. 

 

A great summary of the legal angles appears at Security Focus, courtesy of columnist Mark D. Rasch, J.D. 

 

December 1, 2004

naming revisited

A report posted on Virus Bulletin's site reviews the new naming authority set up to mirror the efforts of the CVE database, but for malware. The report offers the opinion that this monumental and life-long bane of the virus analysis world is unlikely to go away quickly, but that this is a good first step.

 

As previously mentioned in the vectorblog, there is a bigger issue that still needs to be answered in the virus research world: what precisely constitutes malware, and what should be catalogued by such an effort? Ideas? Send them to the contact address.

 

 

Copyright © 2004 infectionvectors.com. All rights reserved.