November 2005 - Posts

Anti-Virus Vendor Response Times To Recent Sober Outbreak as Reported By AV-Test for November 28, 2005

This week, we present more antivirus software vendor response results from AV-Test, an independent test lab that tracks dozens of antivirus products on numerous platforms. Several new variants of the Sober worm have been released in the last two weeks, and one of them was a significant outbreak. Below AV-Test tracks anti-virus vendor response to that outbreak. They used a sample with the MD5 0xcb73f0c6d0a20e191c21cc47dff1e471 and the size 55,390 bytes.

This first table shows antivirus vendors whose products found the new strain without any updates. The outbreak started around 2005-11-21; however, because the "new" variant was very similar to the old version, many AV products already detected this threat with older signatures. Even so, we're impressed that many products detected this threat without a specific signature.

PC Magazine

Apple has released security updates to address thirteen vulnerabilities identified in Mac OS X. These flaws could be exploited by remote or local attackers to execute arbitrary commands, bypass security restrictions and conduct cross-site scripting attacks.

FrSIRT
Exploits have been released for two Microsoft flaws this week, and users are advised to patch immediately.

The first exploit, for MS05-053, is reported to cause a DoS condition, sending CPU usage to 100% when viewing a file in IE. The Microsoft security bulletin for this vulnerability lists remote code execution as a possibility, indicating that future exploits could be more severe. Users with the GDI hotfix installed are protected from this issue.

The second flaw is related to vulnerabilities in MSDTC and COM+, and again the exploit is limited to a denial of service attack rather than the remote code execution listed as a possibility on the security bulletin. The patch for this (MS05-051) has been available since October 11, and despite some users having problems with the update, Microsoft recommends users apply the patch.

Securityfocus
Issued: November 29, 2005

Security Advisory Updated Today

* Security Advisory (911302)

  - Title:  Vulnerability in the way Internet Explorer Handles
            Mismatched Document Object Model Objects Could Allow
            Remote Code Execution.

  - Reason For Update: Added information regarding proof of concept
        code, malicious software, and reference to Windows Live
        Safety Center.



Keylogging programs are the epitome of online stealth, and they're also a mushrooming problem on the Internet, where identity and intellectual property thefts are fueling an explosion of key-capture tools.

More than 6,000 keylogging programs will be released by the end of this year, according to projections by iDefense. That's an increase of 2,000 percent over the last five years, company officials said.

eWEEK
Posted Tuesday, November 29, 2005 6:44 AM by Don | with no comments

Color laser printers sure are nifty, but they might be a little more nifty than you bargained for because certain printers made by manufacturers such as Canon, Epson, HP, Lexmark, Xerox, and others place tracking dots on every document you print. Why are they there? Ask the U.S. Secret Service.

Manufacturers place the dots on printed documents as part of a deal with the Secret Service, which the EFF (Electronic Frontier Foundation) says is ostensibly to catch counterfeiters. Although this practice hasn’t always been a secret, the information that’s placed on the documents was unknown until the EFF recently conducted research to break the code that’s used in at least one of the printers.

"We’ve found that the dots from at least one line of printers encode the date and time your document was printed, as well as the serial number of the printer," says EFF Staff Technologist Seth David Schoen.

According to the EFF, you won’t even notice the dots unless you look at a printed page with a blue light and a magnifying glass or microscope. The yellow dots are less than 1 millimeter in diameter and usually repeat over each page of a document.

"It shows how the government and private industry make backroom deals to weaken our privacy by compromising everyday equipment like printers," says EFF Senior Staff Attorney Lee Tien.

DIGITAL MISCELLANEA - SmartComputing

Note: You need to be a SmartComputing subscriber to view the Article.
Posted Tuesday, November 29, 2005 6:21 AM by Don | with no comments

Sober.x, the year's biggest worm outbreak, showed little signs of slowing Monday, a security company reported.

One in every 14 e-mail messages passing through the filters of U.K.-based Sophos carried the Sober payload, with the worm accounting for 85 percent of all malicious code detected.

"The sheer rate at which this worm is spreading proves that the devious tricks work," said Graham Cluley, senior technology consultant at Sophos, in a statement.

By Sophos' year-to-date tally, Sober.x is 2005's third-most prevalent worm; only Netsky.p and Zafi.d top it on the chart.

TechWeb
Posted Monday, November 28, 2005 3:54 PM by Don | with no comments

Published: 2005-11-27,
Last Updated: 2005-11-27 23:25:58 UTC
by Johannes Ullrich (Version: 1)

From Internet Storm Center: a proof of concept (PoC) exploit was released against systems vulnerable to MS05-051. MS05-051 was released in October. The vulnerability does allow for arbitrary code execution on systems with the Microsoft Distributed Transaction Coordinator (MSDTC) enabled.

In order to disable MSDTC, enter the following command:
sc stop MSDTC & sc config MSDTC start= disabled

By default, port 3372 is used by the exploit. The packet sent will cause a denial of service condition. At this point, we see only a little activity on port 3372, likely because this PoC exploit does not actually execute any "useful" code.

MS05-051 Advisory (read for more workarounds and list of vulnerable systems)
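As an added example (not from the ISC diary or from Microsoft), the PowerShell script below applies the workaround above and then verifies that it took effect, checking both the service state and whether anything is still listening on TCP port 3372. It assumes an elevated PowerShell session on a Windows host; the service name MSDTC and the port number are the ones given in the diary.

```powershell
# Added example: apply and verify the MSDTC workaround for MS05-051.
# Assumes an elevated (Administrator) PowerShell session.
$svc  = 'MSDTC'   # service name from the diary
$port = 3372      # port the PoC targets, from the diary

function Get-MsdtcState {
    # Returns the service status plus its start type from the registry,
    # so the state can be compared before and after the workaround.
    $s = Get-Service -Name $svc -ErrorAction Stop
    $start = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc").Start
    # Start value 2 = Automatic, 3 = Manual, 4 = Disabled
    [pscustomobject]@{ Status = $s.Status; StartValue = $start }
}

function Test-PortListening {
    # netstat is used instead of Get-NetTCPConnection so the check also
    # works on older Windows versions that lack the NetTCPIP module.
    param([int]$Port)
    $lines = netstat -ano | Select-String -Pattern "TCP\s+\S+:$Port\s+\S+\s+LISTENING"
    return [bool]$lines
}

Write-Host "Before:" (Get-MsdtcState | Out-String)
Write-Host "Port $port listening:" (Test-PortListening -Port $port)

# The workaround from the diary: stop the service and disable its start type.
sc.exe stop   $svc                 | Out-Null
sc.exe config $svc start= disabled | Out-Null

Start-Sleep -Seconds 3   # give the service control manager time to stop it
$after = Get-MsdtcState
Write-Host "After:" ($after | Out-String)
Write-Host "Port $port listening:" (Test-PortListening -Port $port)

if ($after.Status -ne 'Stopped' -or $after.StartValue -ne 4) {
    Write-Warning "MSDTC is still enabled; check dependent services or apply the MS05-051 patch."
}
```

Disabling MSDTC breaks applications that rely on distributed transactions (some database and COM+ setups), so confirm nothing on the host depends on it before leaving the service disabled.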

A draft US law to increase the security and privacy of personal information held by companies took a step forward last week, when it was approved by the influential Senate Judiciary Committee. The bill includes a duty to disclose security breaches.

Under the bill, data brokers will generally be required to let individuals know what information is held about them and, where appropriate, allow individuals to correct demonstrated inaccuracies. They will also be obliged to notify law enforcement agencies, consumers and credit reporting agencies when digitised sensitive personal data has been compromised.

The Register
Posted Sunday, November 27, 2005 6:08 AM by Don | with no comments

Opera Software ASA has released an upgrade addressing two serious security flaws involving Macromedia's Flash Player and a code execution bug affecting Linux and Unix users.

The first problem relates to Flash Player and was made public earlier this month. Macromedia warned that the bug in Flash Player, a widely used piece of desktop software, could allow attackers to take over a system.

The release also fixes a problem identified by Secunia Research, involving the shell script used to launch Opera in Linux and Unix environments. The flawed script processes shell commands enclosed in URLs passed to Opera via the command line.

Computerworld

Another free Windows firewall bites the dust. Symantec Corp. has announced rather abruptly that as of next week it will no longer support or offer its Sygate line of firewall products.

The move comes little more than three months after Symantec bought Sygate Technologies along with its Sygate Pro and Sygate Free personal firewall products.

No word yet on whether folks who recently purchased Sygate Pro will be eligible for a refund.

Security Fix - Brian Krebs on Computer Security

I recently became aware of a program that provides Secure Instant Messaging: ChatPatrol from ELMTree Software. The program is out of beta and Version 1.4 is available for download. It runs on Windows 2000 SP4 and Windows XP.

A quote from the developer: "Did you know that all of your conversations over public IM networks like (AOL, MSN and Yahoo!) are available for anyone to read? If you wish to ensure that your conversations are confidential and that no one except the person the message is intended for can read it, ChatPatrol can help. If you want to enjoy confidential communications we can help you if you are using the official AIM, MSN or Yahoo! clients, or one that is compatible with those networks."

There is also an online forum for questions and support. This looks like a real nice program so if you want to keep your Instant Messages secure, give the program a look.

Disclaimer: I have no affiliation with ELMTree Software and have not personally tried the program.

Posted Friday, November 25, 2005 6:20 AM by Don | with no comments

Mozilla, Microsoft and Opera developers met last week in Toronto to decide on a standard method of conveying website trustworthiness to web surfers.

The upcoming Internet Explorer 7 will use coloring of the address bar to offer feedback to users: it will display red if the site is a known phishing site, or green if the site is secure. The security certificates will also be displayed inline, for verification at a glance. Opera has also included phishing deterrents in recent versions, in the form of a toolbar.

Securityfocus
Posted Friday, November 25, 2005 5:54 AM by Don | with no comments

Lavasoft, makers of Ad-Aware SE have announced that they have removed WhenU.Save / SaveNow from their detection database with the definition release SE1R76 22.11.2005.

"After a period of probation, we have decided to remove WhenU.Save / SaveNow from our detection database. WhenU.Save / SaveNow was placed in a probationary period as of 9th November, at which point we asked for public commentary."

Lavasoft Research
Everyone's favorite technology company was given 60 business days to patch their search appliances. Unfortunately, even with the long grace period many appliances remain unpatched.

Back in June, security researcher H.D. Moore discovered weaknesses in the Google Search Appliance that can allow for cross-site scripting, file discovery, service enumeration, and arbitrary command execution in certain versions of the appliance. Google promptly released a patch in mid-August; however, more than three months later many appliances still remain vulnerable.

Securityfocus
For those that celebrate the Thanksgiving holiday, I wish you a very Happy Thanksgiving. Family, Football and Turkey, hmm :)
Virus Alerts:
Secunia issued a HIGH RISK alert for this virus.
2005-11-23 11:46

Secunia issued a MEDIUM RISK alert for this virus.
2005-11-22 16:24

First Report: 2005-11-19 18:34
Last Update:
2005-11-23 12:43
Risk Rating:
 High Risk

Aliases:
  • CME-681
  • Email-Worm.Win32.Sober.y
  • Sober.AH
  • Sober.Y
  • W32.Sober.X@mm
  • W32/Sober-Z
  • W32/Sober-{X,Z}
  • W32/Sober.AH.worm
  • W32/Sober.Y@mm
  • W32/Sober@MM!CME-681
  • W32/Sober@MM!M681
  • Win32.Sober.W
  • WORM_SOBER.AG

Secunia

Microsoft Corp.'s Windows OneCare beta is finally ready for public consumption.

The consumer-facing PC security bundle, which is being tested in a private, invite-only manner, is on the verge of being rolled out to a broader public audience.

The program, which bundles virus scanning, firewall protection, data backup and PC cleanup tools, was recently refreshed to add new features for file scanning and data backup.

eWEEK
Issued: November 22, 2005

Security Advisory Updated Today

* Security Advisory (911302)

  - Title:  Vulnerability in the way Internet Explorer Handles
            Mismatched Document Object Model Objects Could Allow
            Remote Code Execution.

  - Reason For Update: Updated the title, clarified affected
           software, and updated workaround "Set Internet and
           Local intranet security zone settings to 'High' to
           prompt before running Active Scripting in these zones".


MessageLabs, the leading provider of managed email security services to businesses worldwide, has intercepted over 2.7 million copies of a new Sober virus, many of which are being spoofed to appear as though they are sent from the FBI or the CIA. The first copy was stopped at 19:00 GMT on 21st November. The size of the attack indicates that this is a major offensive, certainly one of the largest in the last few months.
Posted Tuesday, November 22, 2005 4:39 PM by Don | with no comments