October 2005 - Posts
Not much is in the news today, although I am happy to announce that rumours regarding the discovery of a worm using the latest Windows vulnerabilities were a false alarm. More details follow.
Trend Announces Fanbot.C Error
From InformationWeek:
A security firm on Monday mistakenly identified a new Trojan as the first to exploit one of last week's vulnerabilities in Windows, but corrected itself and labeled it as one which attacks the same bug as August's Zotob bot worm.
Fanbot.c, said Trend Micro late Monday, included a proof-of-concept exploit against one of the vulnerabilities disclosed Tuesday, Oct. 11 in Microsoft's MS05-051 security bulletin. Trend also said that although the Trojan was written in Visual Basic -- which usually indicates low-level skills on the part of the attacker and often means it's a "script kiddy" copy-cat -- arming malware with yet another exploit matched earlier hacker habits.
By early Tuesday, however, Trend had modified its technical description of Fanbot.c to say that the exploit was actually one directed toward the Plug and Play bug unveiled in August's MS05-039 bulletin.
The full article about the good news can be found here.
The Daily Update returns after a small hiatus for testing week...
October 2005 Security Release
Three critical updates, five important updates, and one moderate update have been released to address issues in Windows. You can view the bulletin here. And make sure to update!
Mytob Over 300 Variants
Mytob.LE has been released, making it the 317th variant of the prolific Mytob family. The latest variant offers more of the same, with new passwords and emails.
A quick daily update today. Symantec has now rated Sober.Q (aka .R) a low-medium (2) risk, although McAfee maintains it at Medium. It looks like this one is not going to be a huge outbreak. More coverage of Sober.R should be available tomorrow as we start to see reports on spread rates coming in. Symantec's write-up of Sober.R, which they call Sober.Q, can be found here.
Also in the news today, a small percentage of the Internet was taken down. This was not security-related, as many feared, but was instead due to a contract dispute between two major service providers. Full details can be found here.
A new worm, Sober.R, is spreading moderately in the field.
More details will follow when they are available; in the meantime, they can be found here:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=136390
Flaws Discovered in Kaspersky Antivirus
Techworld reports that Kaspersky, a Russian security firm, has an exploitable security flaw in its antivirus products:
Kaspersky Lab has been hit by a security bug affecting a wide range of its anti-virus products. The bug isn't limited to a particular platform, and can be exploited through several common protocols to take over a protected system.
The attack is apparently related to malicious .cab files. When scanning a crafted .cab file, Kaspersky can experience a heap overflow that allows an attacker to take control of the machine.
Microsoft Office Exploit Code Circulating
The same article goes on to talk about circulating code for a Microsoft Office exploit:
Separately, security vendors warned that exploit code has begun circulating publicly for an unpatched flaw in Microsoft Office that was first disclosed in April. The exploit makes it easier for attackers to take advantage of the hole, which, like the Kaspersky flaw, could allow attackers to take over a system.
Note that circulating exploit code does not by itself mean the flaw is being used by a known threat, and at this point this one isn't.
Yes, Daily Updates are back. And permanently this time!
Good News, Bad News: Virus Attacks Down, but Attacks More Sophisticated
As anyone who follows viruses knows, this has been a rather quiet year for viruses of all types, especially mass-mailers. This is partly thanks to better technology and enforcement, and partly thanks to luck. In any case, ZDNet is reporting that antivirus firm Sophos and email security company BlackSpider Technologies have both reported a significant downturn in the quantity of viruses coming in. This is hardly a surprise, especially when you consider that after nineteen months, the top worm is still Netsky.P, which celebrated its eighteen-month birthday last month. Worms rarely last longer than a few months on top. A notable exception was Klez.H's two-year reign on the charts starting in early 2002, but unlike Klez, Netsky remains on top primarily because it lacks any competition for the spot.
Although mass-mailers have declined over the last few months, an even more damaging threat, especially at the corporate level, looms:
"Smaller, targeted attacks are on the increase, with the emergence of a new breed of financially-motivated online criminal. The concern is that if users continue to combine unsafe computing practices with outdated threat protection, they'll be a soft target for this new form of attack," Theriault warned.
I tend to believe there is little, if any, correlation between the two. Targeted attacks, especially of a financial nature, have been developing for a while, and even made national news when it was suggested that the Sobig.F worm was linked to organised crime. The news about the reduced number of mass-mailer hits is promising, but not necessarily a trend that will last very long. We can only keep our fingers crossed and our software secure.
Bagle Naming Convention Split
Apparently, a number of antivirus companies have determined that recent variants of the prolific and previously successful Bagle worm family are not Bagle-y enough. Computer Associates named a recent Bagle variant Wreckage.A, while Trend Micro has coined a new Yabe family of worms for two recent Bagle variants. Such splits have not been uncommon throughout Bagle's naming history, and it is possible that the names will be reconciled if an outbreak occurs. However, should a major variant of the "Wreckage" or "Yabe" worm families be reported in the news, it is fairly safe to assume that it is a Bagle variant.
Cool Link of the Day
The University of Virginia provides a Security Tip of the Day on their web site here. The messages are meant for University of Virginia students, and it's not exactly a Tip of the Day (unless refreshing the page somehow has an effect on the space-time continuum, in which case I do not recommend that anyone above 30 use this web site), but it's certainly interesting. The tips are pretty basic, but even the best of us need reminders sometimes. And so do all of your friends and family members who think that ".pif" stands for "picture information file."
That's all for today.
I returned from the MVP conference and slept in yesterday. It was a wonderful three days, although certainly tiring! I learned some, got to see what Microsoft has up their sleeve, and I am indeed quite impressed. I didn't manage to take any photos, but fellow Security MVP Steve Friedl over at BroadbandReports.com logged the public parts of the session. His write-up and commentary can be found here. It comes highly recommended, although it's definitely for techies.
It wasn't a big trip for me, as I live just about 40 miles to the south of Bellevue, but it's always nice to go up to the east side of Lake Washington. If you happen to find yourself in the area and are looking for some food, I recommend Byblos Deli in downtown Bellevue. Delicious! :)