October 2005 VECTORBLOG

October 19, 2005 doomed As a pre-Halloween treat, this scary story of a possible avian flu pandemic should get everyone assessing their own organizations and disaster plans (in case the killer computer bugs come knocking). Although many people dismiss FUD as a poor reason for action, the fear generated by possible pandemics (of both the biological and cyber varieties) can be harnessed for a lot of good ends. This report examines such issues and should make for a topical and interesting read for continuity planners everywhere. Check out a new Emergency Preparedness article, Doomsday: Virus Story (PDF).
October 12, 2005 0w3nd Although it started slowly, 2005 is quickly becoming another good year for arresting malware writers. The alleged ringleaders of a 100,000+ node botnet were picked up by Dutch police, hopefully with the added benefit of bringing in more information about the underground bot-for-hire racket. This is a topic followed closely by infectionvectors (and likely by you, if you find yourself here). More details to follow. More news at: http://news.zdnet.co.uk/0,39020330,39228020,00.htm
October 11, 2005 or treat October's security advisories are out from Microsoft. There are a few that look interesting for worm writers, especially the COM+ vulnerability. Of course, never count out the IE cumulative updates (and DirectShow this time around), which draw malware authors like the proverbial moth to a flame. As SANS noted, the eEye report for the COM+ flaws came with a blueprint for the exploits; patch as soon as can be tolerated. The Plug & Play flaw requires valid credentials, so a new, powerful Zotob shouldn't be an issue.
The SANS note: http://isc.sans.org/diary.php?storyid=750
Get the infectionvectors summaries and downloadable tables: summary, XLS, & CSV.
October 10, 2005 playtime Malware authors have hit the PlayStation Portable and Nintendo DS platforms. Certainly, it was a matter of time, as every networkable device eventually gets the time and attention of an aspiring malcoder. The first few pieces of code do something similar to other first-generation Trojans: they turn the platform into a doorstop. Check out the commentary in the Hotzone: Brick by brick: Platforms, Virii, Doorstops (PDF).
October 7, 2005 tomato Sober brought the first use of the new Common Malware Enumeration nomenclature (that I have seen anyway) on an antivirus vendor site. CME-151 (the CME name for this Sober variant) is now displayed as an alias on Symantec’s, McAfee’s, and I’m sure other AV sites. http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.q@mm.html http://vil.nai.com/vil/content/v_136390.htm
The CME effort between MITRE and US-CERT aims to reduce public confusion during malware outbreaks by offering a standard, common name for reference. For example, instead of Sober.Q (Symantec), Sober.AC (Trend), or Sober.R (McAfee), we will just use CME-151. Personally, I like the effort, which is well overdue; however, it is up to the media to adopt such a standard. That seems a little tough to sell, as news stories will lose some of their punch if CME-15 is used instead of Zotob. “Blaster” sounded cool, as did “MyDoom”; a number just doesn’t have the same sizzle. Either way, this will improve research efforts greatly, which is not necessarily in line with the goal of “public” benefit – but an improvement nonetheless. Want more information? See their FAQ: http://cme.mitre.org/about/faqs.html. Their current list of malware is available at: http://cme.mitre.org/data/list.html.
October 6, 2005 queued up The latest of the English/German mass mailer’s iterations was released in early October of 2005, with a look very similar to previous versions. This variant poses as a notification that the user’s password was changed (without specifying what the password in question is actually for). Sober.Q, once executed, opens a small phony error box, in an effort to trick users into thinking that nothing was launched on their machines. In the background, however, the worm collects email addresses from the local disk and then sends a copy of itself to each. No additional payload or download has been seen in this version of the mass mailer at this time (similar to earlier variants).
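The behaviour described above (harvest addresses from the local disk, then mail a copy of the same attachment to every one of them) is exactly what a mail gateway can spot from the outside: one internal host suddenly sending the same attachment to many distinct recipients in a short window. The detector below is an added example written for this post, not code from infectionvectors.com or from any AV vendor. It assumes a hypothetical gateway log format (timestamp, sending host, envelope sender, recipient, attachment hash); the sample log lines are constructed. It keys on the sending host rather than the From address, because mass mailers routinely forge the sender.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical gateway log format (assumption, not any real product's):
#   <ISO timestamp> host=<client> from=<addr> to=<addr> attach_sha1=<hash|none>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) from=(?P<sender>\S+) "
    r"to=(?P<to>\S+) attach_sha1=(?P<sha>\S+)$"
)

# Constructed sample log: ws-17 sends plain mail, ws-05 sends one report to three
# colleagues (legitimate), ws-23 blasts the same attachment to twelve outside addresses.
SAMPLE_LOG = """\
2005-10-06T09:00:01 host=ws-17 from=alice@corp.example to=bob@corp.example attach_sha1=none
2005-10-06T09:00:02 host=ws-05 from=carol@corp.example to=dave@corp.example attach_sha1=1111aaaa
2005-10-06T09:00:02 host=ws-05 from=carol@corp.example to=erin@corp.example attach_sha1=1111aaaa
2005-10-06T09:00:03 host=ws-05 from=carol@corp.example to=frank@corp.example attach_sha1=1111aaaa
2005-10-06T09:00:10 host=ws-23 from=user23@corp.example to=r01@example.net attach_sha1=d3adb33f
2005-10-06T09:00:11 host=ws-23 from=user23@corp.example to=r02@example.net attach_sha1=d3adb33f
2005-10-06T09:00:12 host=ws-23 from=user23@corp.example to=r03@example.net attach_sha1=d3adb33f
2005-10-06T09:00:13 host=ws-23 from=user23@corp.example to=r04@example.net attach_sha1=d3adb33f
2005-10-06T09:00:14 host=ws-23 from=user23@corp.example to=r05@example.net attach_sha1=d3adb33f
2005-10-06T09:00:15 host=ws-23 from=user23@corp.example to=r06@example.net attach_sha1=d3adb33f
2005-10-06T09:00:16 host=ws-23 from=user23@corp.example to=r07@example.net attach_sha1=d3adb33f
2005-10-06T09:00:17 host=ws-23 from=user23@corp.example to=r08@example.net attach_sha1=d3adb33f
2005-10-06T09:00:18 host=ws-23 from=user23@corp.example to=r09@example.net attach_sha1=d3adb33f
2005-10-06T09:00:19 host=ws-23 from=user23@corp.example to=r10@example.net attach_sha1=d3adb33f
2005-10-06T09:00:20 host=ws-23 from=user23@corp.example to=r11@example.net attach_sha1=d3adb33f
2005-10-06T09:00:21 host=ws-23 from=user23@corp.example to=r12@example.net attach_sha1=d3adb33f
"""


def parse_line(line):
    """Parse one gateway log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_mass_mailers(lines, window=timedelta(minutes=5), min_recipients=10):
    """Flag (host, attachment) pairs that reach min_recipients distinct recipients
    within a sliding time window. Returns one alert per flagged pair."""
    events = defaultdict(list)  # (host, sha1) -> [(timestamp, recipient), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["sha"] == "none":
            continue  # skip unparseable lines and mail with no attachment
        events[(rec["host"], rec["sha"])].append((rec["ts"], rec["to"]))

    alerts = []
    for (host, sha), evs in events.items():
        evs.sort()
        start = 0
        in_window = defaultdict(int)  # recipient -> occurrences inside the window
        for end, (ts, rcpt) in enumerate(evs):
            in_window[rcpt] += 1
            # Slide the window start forward until it spans at most `window`.
            while ts - evs[start][0] > window:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_recipients:
                alerts.append({
                    "host": host,
                    "attach_sha1": sha,
                    "distinct_recipients": len(in_window),
                    "window_start": evs[start][0],
                    "window_end": ts,
                })
                break  # one alert per (host, attachment) is enough
    return alerts


if __name__ == "__main__":
    for alert in find_mass_mailers(SAMPLE_LOG.splitlines()):
        print(alert)
```

The threshold and window are deliberately conservative defaults; a workstation that legitimately mails one attachment to a whole department will trip this, so in practice the alert is a trigger to quarantine the attachment hash and look at the host, not an automatic block.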
October 5, 2005 feel good This will make anyone happy that was sickened by the scams built upon the Katrina hurricane tragedy (see an infectionvectors.com report here). A man who picked up almost US$40,000 was arrested for fraud in Florida (so, he was fairly familiar with hurricane tragedies I guess): http://news.zdnet.com/2100-1009_22-5735475.html.
October 4, 2005 how I spent my vacation After an (arguably) well-deserved break, the vectorblog and reports that you have come to love in the last year are back. It has been one year since this site was launched in its current iteration. Over the vacation I spent time thinking about how this site fits into the malware/security mix. Look for changes to the content, removing the things that overlap with more established and better-suited channels and an increase in things that are (from my estimations) unique to this forum. As always, any recommendations or comments are welcome - vectorblog.
Copyright © 2005 infectionvectors.com. All rights reserved.