July 2005 VECTORBLOG
July 28, 2005
realty and reality
The virtual space of the web has resulted in two very tangible revenue streams: one for big business selling products and services and one for criminals. A new report takes a look at the issues and interconnection surrounding these profit centers and what they mean for the future of "ecommerce" (is that word still being used?). Check out Web Retailing: Virtual Reality (& PDF) for a quick read on this subject.
July 27, 2005
The Anti-Spyware Coalition (ASC) has come out with a definition of spyware. As most virus researchers will agree, the definition of "virus" (and of malware altogether) has been a particularly stubborn hindrance to the antivirus community for a while.
From their website http://www.antispywarecoalition.org/definitions.pdf:
Spyware and Other Potentially Unwanted Technologies: Technologies implemented in ways that impair users' control over:
I like the spirit of the definition and especially the attempt to bring this discussion onto some common ground. Will the definition stick? Send your thoughts to the vectorblog. Check out their press release on the subject at: http://www.antispywarecoalition.org/newsroom/20050712press.pdf
July 26, 2005
The "postcard" Trojan is sneaking around again. Samples received in the last few days point to postcard4u and bring in a copy of Jeefo for your hijacking pleasure. More analysis soon on this interesting wave of malware.
July 19, 2005
reuse, recycle, react
Over the weekend, quite a few news organizations picked up a story about Pew's study that documented some home computer users dumping spyware/worm-infected boxes and getting brand new ones rather than attempting to fix the problem. This story is intriguing for many reasons, from the plight that most users are in with spyware to the ideology of disposable appliances that are not truly "broken" in the more traditional sense. The story has prompted a short feature - "Disposable Victory" - which addresses this tactic against malware. It's available here and as a PDF.
July 18, 2005
Another interesting review of the recent developments in the malware world at Viruslist - Alexander Gostev's Quarterly Malware Evolution report available at http://www.viruslist.com/en/analysis?pubid=167244347. The feature elaborates on some of the trends that have also been reported on infectionvectors.com, such as the return of file infector programs and the more personal nature of Internet crime (targeted Trojans, phishing, etc.).
July 17, 2005
Just days after dealing with one vulnerability that was leaked outside of the normal release schedule (the JVIEW flaw), Microsoft has had to post an advisory for a second. There is a problem with RDP (Remote Desktop Protocol) that makes a DoS possible against machines with the service running and accessible. Most of the time, any server that one would manage with RDP would require VPN access (i.e., TCP 3389 is not open to the outside world); if your server does not work this way, it may be time to consider it. The exploit involves a malformed request packet sent to TCP 3389 which knocks over the service and can make the server reboot. The full bulletin is available: http://www.microsoft.com/technet/security/advisory/904797.mspx.
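The check implied above, that RDP is only reachable over the VPN and never from the outside world, as an added example (not code from the original post): it audits a constructed, simplified firewall rule listing and reports every allow rule that admits TCP 3389 from a source outside RFC 1918 space, honouring first-match order so that an allow shadowed by an earlier deny is not reported. The rule format (ACTION PROTO SRC_CIDR DST_PORT) and the list of ranges treated as internal are assumptions; adapt the parser to whatever your firewall actually exports.

```python
"""Audit firewall rules for RDP (TCP 3389) reachable from outside the network.

Added example, not from the original post. The one-rule-per-line format
below (ACTION PROTO SRC_CIDR DST_PORT) is a constructed simplification;
real firewalls export something richer, so replace parse_rule() as needed.
IPv4 only.
"""
import ipaddress

RDP_PORT = 3389

# Ranges treated as "inside" (assumption: RFC 1918, loopback, link-local).
INTERNAL_RANGES = [ipaddress.IPv4Network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample rule set, evaluated top to bottom, first match wins.
SAMPLE_RULES = """\
allow tcp 10.0.0.0/8 3389
allow tcp 192.168.50.0/24 3389
allow tcp 0.0.0.0/0 443
allow tcp 0.0.0.0/0 3389
allow udp 203.0.113.0/24 3389
allow tcp 198.51.100.7/32 3389
deny tcp 0.0.0.0/0 3389
"""


def parse_rule(line):
    """Split one rule line into its fields; the source becomes an IPv4Network."""
    action, proto, src, port = line.split()
    return {"action": action.lower(), "proto": proto.lower(),
            "src": ipaddress.IPv4Network(src, strict=False), "port": int(port)}


def is_internal(net):
    """True only if every address in net lies inside one internal range."""
    return any(net.subnet_of(r) for r in INTERNAL_RANGES)


def exposed_rdp_rules(rule_text, port=RDP_PORT):
    """Return the allow rules that let TCP <port> in from outside internal space.

    A deny rule earlier in the list shadows any later allow whose source is
    entirely contained in the denied network, so such allows are not reported.
    """
    findings = []
    denied = []  # source networks already denied for this port
    for line in rule_text.strip().splitlines():
        rule = parse_rule(line)
        if rule["proto"] != "tcp" or rule["port"] != port:
            continue
        if rule["action"] == "deny":
            denied.append(rule["src"])
            continue
        if rule["action"] != "allow" or is_internal(rule["src"]):
            continue
        if any(rule["src"].subnet_of(d) for d in denied):
            continue  # fully shadowed by an earlier deny
        findings.append(line)
    return findings


if __name__ == "__main__":
    for finding in exposed_rdp_rules(SAMPLE_RULES):
        print("RDP reachable from outside:", finding)
```

Run as-is it reports the two sample rules that expose 3389 to public address space; the trailing deny comes too late to shadow them, which is exactly the ordering mistake such an audit should catch.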
July 13, 2005
July's security bulletins from Microsoft make a small, but potentially potent, group. Each has the capability of being part of widespread malware attacks, especially considering the existence of proof-of-concept code. The JVIEW Profiler flaw was previously reported; the Word and image rendering bugs are also rated Critical. See the details on the three advisories and download the monthly roll-ups here.
See the report from Microsoft for July here.
July 12, 2005
Two pieces of malware that piqued my interest today: Aemonet and Rants. The first is a Trojan that steals email addresses, searching the same way any mass mailer would, and then registers those email addresses with a porn-peddling website. Say thanks to any of your friends that find themselves executing a copy of this program. Rants is a mass mailer (which also travels via AIM; for more on that see the IM feature) that kills a few security applications. Nothing new about this, but it keeps the "death of the mass mailer" arguments fresh in my head.
July 11, 2005
Sven Jaschan (Sasser/Netsky) was sentenced last week to what many have called a lenient sentence, but it was not much less than everyone expected the punishment to be, considering his status as a minor. The sentencing closes the circle on the first payout under Microsoft's Anti-Virus Reward program, known to many as bounties for malicious coders. The requisite comment is available along with the first salvo regarding the bounties, which is an issue infectionvectors.com is sure to revisit. Check out the report here.
July 6, 2005
where you been
It has been quite some time since a significant malware threat hammered the Internet. Although I am the first to admit that there is nothing concrete about the ratings AV companies give to viruses, it is interesting that there has not been a Category 3 worm reported by Symantec in all of June, nor a severe warning from Trend or Panda. This looks like a symptom of malware authors being content to infect a large number of boxes with multiple iterations of code, constantly changing the product. Although it is much too early to announce a new trend, worms like Mytob, as featured in this report on infectionvectors, may have changed the worm-crafting business forever.
One more thing: Commwarrior is on the move again. F-Secure's weblog reported the SYMBOS worm spreading under the guise of a cracked version of Doom2.
July 5, 2005
The Microsoft warning for the JVIEW vulnerability (and proof-of-concept code) should set off a few alarms for systems administrators. This threat is similar to other IE problems, allowing remote code execution (the proof-of-concept looks easy to incorporate into all types of nastiness). For this reason, your organization may have already adopted a practice that stops the threat - by filtering/blocking ActiveX, changing browsers (although I continue to contend that this is temporary at best), preventing HTML mail, etc. Malware will likely appear this week that hits a few users via drive-by, with mail-based attacks to follow. Check out the report on this vulnerability here in the hotzone.
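One concrete form of the "filtering/blocking ActiveX" practice mentioned above, as an added example that is not code from the original post or from Microsoft: Internet Explorer refuses to instantiate a control whose "kill bit" is set, which is bit 0x400 of the Compatibility Flags value under the ActiveX Compatibility registry key for that control's CLSID. The Python below builds a .reg fragment that sets the bit (preserving any other flag bits) and audits an exported copy of that key to list which controls are already blocked. The CLSID is a placeholder, since the post does not name the control's CLSID; take the real one from the vendor advisory. The sample export is constructed.

```python
"""Set and audit the Internet Explorer ActiveX kill bit.

Added example, not from the original post or from Microsoft. Mechanism:
under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
a DWORD "Compatibility Flags" with bit 0x400 set stops IE from loading the
control. The CLSID below is a placeholder; use the one from the advisory.
"""

KILL_BIT = 0x400
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"
              r"\Internet Explorer\ActiveX Compatibility")
PLACEHOLDER_CLSID = "{00000000-0000-0000-0000-000000000000}"  # placeholder, not a real control

# Constructed sample export of the key: one control already killed, one not.
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    f"[{COMPAT_KEY}\\{{11111111-1111-1111-1111-111111111111}}]\r\n"
    '"Compatibility Flags"=dword:00000400\r\n\r\n'
    f"[{COMPAT_KEY}\\{{22222222-2222-2222-2222-222222222222}}]\r\n"
    '"Compatibility Flags"=dword:00000000\r\n'
)


def is_killed(flags):
    """True if the kill bit is present in a Compatibility Flags value."""
    return bool(flags & KILL_BIT)


def kill_bit_reg(clsid, existing_flags=0):
    """Return .reg text that sets the kill bit for clsid, keeping other flag bits.

    Pass the control's current Compatibility Flags as existing_flags so that
    importing the fragment does not silently clear unrelated bits.
    """
    flags = existing_flags | KILL_BIT
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[{COMPAT_KEY}\\{clsid}]\r\n"
            f'"Compatibility Flags"=dword:{flags:08x}\r\n')


def parse_compat_export(reg_text):
    """Parse a .reg export of the ActiveX Compatibility key into {clsid: flags}."""
    result = {}
    current = None
    prefix = COMPAT_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            # Only subkeys of the compatibility key are control entries.
            current = path.rsplit("\\", 1)[-1] if path.lower().startswith(prefix) else None
        elif current and line.lower().startswith('"compatibility flags"=dword:'):
            result[current] = int(line.split("dword:", 1)[1], 16)
    return result


def killed_controls(reg_text):
    """Return the set of CLSIDs whose exported flags carry the kill bit."""
    return {clsid for clsid, flags in parse_compat_export(reg_text).items()
            if is_killed(flags)}


if __name__ == "__main__":
    print("already blocked:", sorted(killed_controls(SAMPLE_EXPORT)))
    print(kill_bit_reg(PLACEHOLDER_CLSID))
```

Export the real key with reg.exe before changing anything, feed that export to killed_controls() to see what is already blocked, and import the generated fragment (after substituting the advisory's CLSID) through Group Policy or a logon script; the same audit run afterwards confirms the bit took.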
July 4, 2005
no free lunch
The cynical may say there was no more appropriate way to mark the US Independence Day weekend than with a worm that promises free money. Kelvir hit the IM users of the world again with a version that sends a message that includes:
hey these kramer friends give $100 dollar free for new poker members
Copyright © 2005 infectionvectors.com. All rights reserved.