SPAM and VTM

Today I was interviewed by Belgian Commercial broadcast TV station VTM concerning the problems with SPAM for the evening news. It was a very short interview this time. I will put a sample of it in on my website next weekend at the press page. At least some of my colleagues at NOXS could find themselves in the background.

22 Years IT, 11 Years WAVCI, 16 Years Security!

Time flies ... Today I'm working 22 years inside Information Technology, my Website www.wavci.com is 11 years up and I'm working for over 16 years within the IT Security Branch. I will reach my 10 years with NOXS (UNIT4-Agresso Holding) at the end of this year. It's also 22 years ago that I saw my wife for the first time. We will be married for 19 years in the beginning of September 2006. 25 August, a magical date isn't it. Let's see what the future will bring. Let's see what security will bring in the future. I'm still 100 % convinced that we will see malware everywhere even at your TV, refrigerator or even elevator. But that will possibly take another 22 years.

XBOX 360 Viruses?

Until now, gaming consoles have been more or less immune to malware. Yes, there're been Trojans for the Nintendo DS console and for the Sony Portable Playstation but the number of victims has been small. This is because the user has to tweak the console in order for so-called homebrew software (i.e. software not certified by the console manufacturer) to run.
Microsoft recently announced that shortly, users will be able to purchase a development kit with a $99 a year registration fee. Programs developed using the kit will only run on Xboxes where the user has also paid the registration fee, and they can only be copied to another console as source code. From a security point of view, this is a wise decision. I hope that things won't change much in the near future. If Sony, Microsoft , Nintendo or hackers made it possible to easily download programs developed by users via the Internet, we would get severe problems. The combination of unprotected gaming consoles, the Internet and the possibility of previously unknown vulnerabilities would lead to gamers who had been immune to malware becoming a target for virus writers. And you never know which exploits are possible on the Xbox or the other consoles ... Let's see what the future will bring.

The difference between bad and good!

An organization called ConsumerReports published an article yesterday that suggests it 'created 5,500 new virus variants derived from six categories of known viruses, the kind you'd most likely encounter in real life.' This is a really unbelievable and completely unethical. There are plenty of 'real' viruses, worms and Trojans around without well-meaning organizations generating more of them, for whatever reason. The premise on which ConsumerReports seems to have based its actions on is this: "We hadn't seen any independent evaluation of antivirus software that measured how well products battle both known and new viruses, so we set out to fill that gap.” In fact, AV-comparatives publishes tests evaluating products' ability to find both known and unknown threats ... and they do this without having to create new viruses. There are also a number of other independent organizations that test the detection capabilities of antivirus products, including AV-Test GmbH, Virus Bulletin, ICSA Labs and West Coast Labs. And they all can do better tests without the creation of real viruses. Creating new viruses for the purpose of testing and education is generally not considered a good idea - viruses can leak and cause real trouble (you can read an open letter on the AVIEN site about that which I also signed years ago). People just don't know the difference between good and bad anymore!

IRC bot uses 5 days-old exploit MS06-040.

Hopefully everybody followed the advice I gave a few days ago. I just saw the first bot exploiting the remote code execution vulnerabilities patched in last Tuesday's patch set by Microsoft. The bot, known as Mocbot is apparently only able to spread to Windows 2000. (Maybe also to Windows XP SP1 computers) The bot connects to IRC servers at: bbjj.househot.com:18067 and/or ypgw.wallloan.com:18067 ...
Network admins might want to monitor connection attempts to those hosts from within their network. The bot is using the Microsoft Windows Server Service Buffer Overflow MS06-040.

Patching, patching ... Hurry up!

Or be safe, if you have a good AV/IPS solution in place...
Well it certainly didn't take long for some to start making available (and its public available) exploits against the vulnerabilities described in MS06-040, MS06-042 and MS06-046, which where only released yesterday. Those of you're still testing patches, you'd better hurry up and get some of these fixed before you get hit. Just as a reminder:
Filtering ports 135-139 and 445 helps against MS06-040; as do private VLANs (preventing client-client communication in the switch). None of those will help your fileserver, so patching is critical. Since there are still unpatched vulnerabilities in this software, filtering still remains crucial. If you cannot apply MS06-042: stop using MSIE now, use an alternate browser.
Switching away to a browser not doing ActiveX (almost any will do) should help protect you against MS06-046 attacks as well. But the best solution is to patch and do the above, layered defences.
eEye released even a free scanner for detection of MS06-040.... People if you got a good AV/IPS solution in place you don't need this. I could even say if you need to use that free scanner, it means that there is something wrong with your security solution!
(Retina MS06-040 NetApi32 scanner http://www.eeye.com/html/resources/downloads/audits/NetApi.html )

Linux magazine prints rootkit manual!

The magazine for Linux users Linux Magazine has published an article entitled 'How to write a rootkit'. The piece is the cover story for the August issue of the magazine. According to the magazine's website the aim of the article is to arm systems administrators with the knowledge they need to stop rootkits - and anti-rootkit technology is examined elsewhere in the magazine. However, this does not detract from the fact that much of the cover article is devoted to an in-depth description of the routines required by a successful kernel rootkit - including example code. To see this piece of irresponsible journalism for yourself, visit http://www.linux-magazine.com/issue/69/. The magazine itself did a test 6 months ago about some Linux av-scanners. The articles were definitely not independently written if you look carefully to the authors. Again an example of bad journalism. Linux experts please at least try to interview some known anti-malware experts before you try the next time to create some good articles. And please ... 'open-source' or 'free' is NOT always the best thing.

First Windows Powershell POC Virus MSH/Cibyz released last week.

Last week, a proof of concept virus MSH/Cibyz based on Windows PowerShell was released by members of the RRLF virus group. PowerShell is the new command line shell and scripting language for Microsoft Windows and is seen as a replacement for the default command interpreter shell. It runs on Windows XP, Windows Server 2003, Windows Vista and Windows Longhorn but does not come installed by default as of now. Members of the RRLF group had previously released two proof of concept viruses in the past year targeting Microsoft Windows Vista. First was MSH/Danom a script virus written in Monad, the predecessor to Windows PowerShell and the other was W32/Usined alias MSIL/Idonus that used the .Net framework. Sadly these viruses can’t make the claim to be Windows Vista viruses and are just Microsoft Shell viruses. This doesn’t seem to deter virus authors working overtime to get their creations ready for Windows Vista and Longhorn to ensure they are in the news for all the wrong reasons. With Windows PowerShell offering the functionality to do anything one can do from the graphical user interface, via a command line shell, it makes it an attractive platform for malware authors to write next generation viruses. We don't see these virusus in-the-wild yet and if we will see a lot of those script viruses remains the question but my guess is that after the release of Vista we will be flooded...