research the vector. watch the profits. close the door.         

July 28, 2005

realty and reality

The virtual space of the web has resulted in two very tangible revenue streams: one for big business selling products and services and one for criminals. A new report takes a look at the issues and interconnection surrounding these profit centers and what they mean for the future of "ecommerce" (is that word still being used?). Check out Web Retailing: Virtual Reality (& PDF) for a quick read on this subject.


July 27, 2005


The Anti Spyware Coalition (ASC) has come out with a definition of spyware. As most virus researchers will agree, the definition of "virus" (and malware altogether) has been a particularly stubborn hindrance to the antivirus community for a while. 


From their website:


Spyware and Other Potentially Unwanted Technologies: Technologies implemented in ways that impair users' control over:
    - Material changes that affect their user experience, privacy, or system security
    - Use of their system resources, including what programs are installed on their computers
    - Collection, use, and distribution of their personal or otherwise sensitive information
These are items that users will want to be informed about, and which the user, with appropriate authority from the owner of the system, should be able to easily remove or disable.

I like the spirit of the definition and especially the attempt to bring this discussion onto some common ground. Will the definition stick? Send your thoughts to the vectorblog. Check out their press release on the subject at:


July 26, 2005


The "postcard" Trojan is sneaking around again. Samples received in the last few days point to postcard4u and bring in a copy of Jeefo for your hijacking pleasure. More analysis soon on this interesting wave of malware.


July 19, 2005

reuse, recycle, react

Over the weekend, quite a few news organizations picked up a story about PEW's study that documented some home computer users dumping spyware/worm-infected boxes and getting brand new ones rather than attempting to fix the problem. This story is intriguing for many reasons, from the plight that most users are in with spyware to the ideology of disposable appliances that are not truly "broken" in the more traditional sense. The story has prompted a short feature - "Disposable Victory," which addresses this tactic against malware. It's available here and as a PDF.


July 18, 2005

personal attacks

Another interesting review of the recent developments in the malware world at Viruslist - Alexander Gostev's Quarterly Malware Evolution report available at The feature elaborates on some of the trends that have also been reported on, such as the return of file infector programs and the more personal nature of Internet crime (targeted Trojans, phishing, etc.). 


July 17, 2005


Just days after dealing with one vulnerability that was leaked outside of the normal release schedule (the JVIEW flaw), Microsoft has had to post an advisory for a second. There is a problem with RDP (Remote Desktop Protocol) that makes a DoS possible against machines with the service running and accessible. Most of the time, any server that one would manage with RDP would require VPN access (i.e., TCP 3389 is not open to the outside world); if your server does not work this way, it may be time to consider it. The exploit involves a malformed request packet sent to TCP 3389 which knocks over the service and can make the server reboot. The full bulletin is available:


July 13, 2005

summer trio

July's security bulletins from Microsoft make a small, but potentially potent, group. Each has the capability of being part of widespread malware attacks, especially considering the existence of proof-of-concept code. The JVIEW Profiler flaw was previously reported; the Word and image rendering bugs are also rated Critical. See the details on the three advisories and download the monthly roll-ups here.

See the report from Microsoft for July here.


July 12, 2005

free registration

Two pieces of malware that piqued my interest today: Aemonet and Rants. The first is a Trojan that steals email addresses, searching the same way any mass mailer would, and then registers those email addresses with a porn-peddling website. Say thanks to any of your friends who find themselves executing a copy of this program. Rants is a mass mailer (which also travels via AIM; for more on that see the IM feature) that kills a few security applications. Nothing new about this, but it keeps the "death of the mass mailer" arguments fresh in my head.


July 11, 2005


Sven Jaschan (Sasser/Netsky) was sentenced last week to what many have called a lenient sentence, but it was not much less than everyone thought the punishment would be, considering his status as a minor. The sentencing closes the circle on the first payout under Microsoft's Anti-Virus Reward program, known to many as bounties for malicious coders. The requisite comment is available along with the first salvo regarding the bounties, which is an issue sure to be revisited. Check out the report here.


July 6, 2005

where you been

It has been quite some time since a significant malware threat hammered the Internet. Although I am the first to admit that there is nothing concrete about the ratings AV companies give to viruses, it is interesting that there has not been a Category 3 worm reported by Symantec in all of June, nor a severe warning from Trend or Panda. This looks like a symptom of malware authors being content to infect a large number of boxes with multiple iterations of code, constantly changing the product. Although it is much too early to announce a new trend, worms like Mytob, as featured in this report on infectionvectors, may have changed the worm-crafting business forever.


One more thing: Commwarrior is on the move again. F-Secure's weblog reported the SYMBOS worm spreading under the guise of a cracked version of Doom2.


July 5, 2005


The Microsoft warning for the JVIEW vulnerability (and proof-of-concept code) should set off a few alarms for systems administrators. This threat is similar to other IE problems, allowing remote code execution (the proof-of-concept looks easy to incorporate into all types of nastiness). For this reason, your organization may have already adopted a practice that stops the threat - by filtering/blocking ActiveX, changing browsers (although I continue to contend that this is temporary at best), preventing HTML mail, etc. Malware will likely appear this week that hits a few users via drive-by, with mail-based attacks to follow. Check out the report on this vulnerability here in the hotzone.



July 4, 2005

no free lunch

The cynical may say there was no more appropriate way to mark the US Independence day weekend than with a worm that promises free money. Kelvir hit the IM users of the world again with a version that sends a message that includes:


hey these kramer friends give $100 dollar free for new poker members



Copyright 2005 All rights reserved.