Security Manifest : ANNOUNCEMENTS

Microsoft MVP Conference!

trafton — Wed, 28 Sep 2005 03:08:00 GMT

I'm currently in Bellevue, Wash., a suburb of Seattle about 50 miles north of my hometown, for the MVP conference. It is quite a cultural difference (it's an entire county away!), but hopefully I'll get used to it. :) I'll try to post pictures of interesting things when I get back.

Return

trafton — Mon, 15 Aug 2005 00:47:00 GMT

I have returned from my vacation, which bled into yet another vacation to beautiful Toronto, a rich and diverse city. I was simply astounded by the number of languages that I couldn't even recognize! I hope everyone is having a good summer and tolerating the heat.

Vacation!

trafton — Mon, 18 Jul 2005 18:53:00 GMT

I will be on vacation for about a week and a half on the beautiful Olympic Peninsula. Ergo, posting will be limited unless there is a notable virus outbreak. Hope everyone out there is having a wonderful summer!

Renewed!

trafton — Wed, 05 Jan 2005 21:43:00 GMT

I got a welcome surprise in the mail today - a notification that I have been awarded as an MVP for the second year, which I suppose makes me a sophomore member of the program. I am honored to continue to be in this wonderful program with such great people.

To Microsoft and my fellow MVPs, a *huge* thank you - you rock! :)

Happy New Year!

trafton — Sat, 01 Jan 2005 09:22:00 GMT

The fireworks just ended over the Seattle Space Needle and I just wanted to drop in to wish everyone a happy and safe new year!

I thought this picture might be especially appropriate given the season (hopefully one that no one reading this will ever get to see first-person):

Being that this is the new year, I also put up a new theme for the blog as well as added a blogroll, which I will hopefully have many entries to add to in the future. Enjoy everyone, and do have a good 2005!

"In Absentia"

trafton — Fri, 27 Aug 2004 15:15:00 GMT

Various things (educational advancement, email troubles, acts of God) have conspired so that I was unable to update the Security Manifest for the entire month of August. I will start updating again, more frequently than before, I hope, come September, unless I somehow underestimate the difficulty of various schedules.

My apologies.

False Positive Problem Probably Solved

trafton — Fri, 18 Jun 2004 17:01:00 GMT

Exploit-MhtRedir.gen Detection Should Be Fixed

I've discovered what I'm pretty sure is the root problem of the detections of Exploit-MhtRedir.gen on this blog. The detection was limited to McAfee VirusScan and was due to the program misinterpreting quoted text as malicious code. There was no infection in the page, and at no time did this quoted content (which was from a Secunia alert) present any security risk to visitors of the blog.

I'm trying to work out why VirusScan detected the code but not other antivirus programs, and it appears to be a case of VirusScan using a more general detection string. If you receive any detection from this page, please feel free to tell me about it.

Probable False Positive on this Blog

trafton — Fri, 18 Jun 2004 16:53:00 GMT

McAfee Detects Exploit-MhtRedir.gen

For some reason, it appears that a single antivirus product - McAfee VirusScan - has been detecting the virus Exploit-MhtRedir.gen in this blog. It looks like this is an incorrect detection so far, but I am working on trying to figure out what exactly is causing the problem. If you are using any other antivirus program and are getting a detection for this page, I'd love it if you could inform me. So far, no other program I've tested has triggered this detection.

Thank you and sorry for any inconvenience.

Vacation Miscellanea

trafton — Fri, 04 Jun 2004 15:04:00 GMT

No Updates this Weekend, Part of Summer

This weekend, I will be in Portland, Ore., visiting some family friends, so I'm afraid I probably won't be able to update Security Manifest unless there is a seriously major outbreak. In addition, part of the summer I will be staying in Blyn, Wash., near Sequim, where I will have no Internet connection. Updates will be limited to a few times per week. Of course, there are many other great resources which you can access from the random links which appear on the left of the page.

Have a good weekend! Hopefully the nice summer weather most people are having will stick around...

New Virus Write-Up: W97M.Nobody

trafton — Mon, 24 May 2004 21:09:00 GMT

Word Macro/IRC Worm

A write-up for the IRC worm and Microsoft Word macro virus W97M.Nobody can now be found here.

New Article: Finding Virus Information Online

trafton — Sat, 22 May 2004 17:42:00 GMT

Strategies for Virus Info Searching

I've posted a new article about finding information on viruses. You can access it by clicking on “Finding Virus Info“ under links or by clicking here.

Bad Timing, Literally

trafton — Tue, 11 May 2004 23:31:00 GMT

Time Should Be (Sort Of) Correct Now

For some reason, probably the server configuration, the time was displaying as GMT -11 (my time zone is GMT -8, but it subtracts three hours for some reason.) It is now PST/-8 as it should be (which is GMT -5 in the configuration.) Sorry for any inconvenience.

Removed Outbreak Warning for Sasser.B

trafton — Sat, 08 May 2004 16:10:00 GMT

Follow-Up: Five Days Since Initial Outbreak, Downgrade Appropriate

I have just removed the outbreak warning for W32/Sassser.worm.B. Although Secunia still rates it as a High risk, at five days old, it is unlikely that it is any longer an outbreak as much as a very widespread worm. Speaking of Secunia, I have also added it to the Recommended Links area, which now can be scene in place of the Sasser.B outbreak warning.

SpreadList Added to Page

trafton — Sun, 02 May 2004 16:17:00 GMT

New Feature: SpreadList

I have added a small section to this page, by the name of SpreadList. SpreadList is an informal and non-scientific list of what viruses have been spotted, either via arriving in my inbox or by support requests on the Microsoft Newsgroup. More information and the list can be found here:

http://msmvps.com/trafton/posts/5794.aspx

A link has also been added to the side bar.

New "Recommended Link" Feature

trafton — Sat, 01 May 2004 00:05:00 GMT

When There's No News, Recommended Links Will Appear

I have added a quick JavaScript that selects from a range of excellent security-related links and displays one along with a description. Certain links come up more often than others; a randomization method is used (and the JavaScript is indeed poor; I will improve it when I get a chance, but I was going for functionality on the most part.) I hope you will all enjoy this feature, and I also hope to add a wider range of links in the future.

A Few Quick Words on "Outbreak Warnings"

trafton — Wed, 28 Apr 2004 17:37:00 GMT

Follow-Up: The Why, How, and When

I should explain the “outbreak notification” warning for Bagle.AA. This is mainly there because I want to post additional news, but Bagle.AA is so news-worthy it should remain somewhat prominent so people browsing this page would see it. Thus, the idea for the outbreak warning was developed.

An outbreak warning is basically little more than a notification on the screen added when the following conditions are met:

- The worm in question is spreading quickly and is at least Medium-High at one location with strict ratings.
- Most antivirus companies at least rate the virus Medium.
- Spread potential is quite high (mass-mailers mostly.)
- Detection for this worm was instituted in response to the sudden outbreak, as opposed to just starting to spread after a week or so.

Exceptions will be made to the last two rules if necessary.

For worms that constitute a Medium-High risk, the warning period is between 24 and 48 hours; a High risk worm would be 48 to 72 hours and until it is downgraded to Medium, while a High-Outbreak worm would be until it is downgraded to Medium or at least a week has passed.

The company ratings I look at most are McAfee and Symantec's, as they tend to put the most stock into their risk ratings. Symantec rates on a 1-5 scale, 1 being equivalent to McAfee's Low, 2 to their Low-Profiled, 3 to their Medium, 4 to their High, and 5 to their High-Outbreak (Symantec has never rated a worm this.) Typically, Medium-on-Watch worms at McAfee are either 3's or 4's.

Bagle.AA will probably be downgraded in 24 hours or so unless more companies upgrade it to High risk.

Osama bin Laden Capture Virus Spam

trafton — Thu, 22 Apr 2004 20:30:00 GMT

“Psyme“ Variant Spammed in Form of Osama Capture Information

Panda Software reports that a new variant of VBS/Psyme is currently spreading. The latest nefarious pathogen comes in the form of an email with the subject “Osama Bin Laden Captured”. The message goes like this:

Hey, Just got this from CNN, Osama Bin Laden has been captured! Goto the link below to view the pics and to download the video if you so wish: (DANGEROUS ADDRESS REMOVED) “Murderous coward he is”. God bless America!

The message may also come as a source from BBC. Either way, when the victim-to-be clicks on the machine, a variant of VBS/Psyme is downloaded by the name of VBS/Psyme.C. The VBS/Psyme family uses the overwriting of local files by exploiting ADODB.Stream object.

One must suspect that Panda is slightly hyping this; one would be right. These sort of spammings are not rare, but if indications are true, the spam is a tad wider than average. Users should be cautious and not click on suspicious links such as these.

Improved Site Categories

A quick note: You'll notice now that security and virus alerts are sorted by urgency. This should allow easier access to this information sorted by risk. Note that every category includes higher risks, so “Security (Medium)” will also include risks in “Security (Urgent)” and “Security (Very Urgent)”. How does the scale work? Low is a notable inclusion that really isn't that viable in the field. Medium is a risk between low and medium, or an exploit/virus likely to be seen in the field soon, but now. Urgent is either fast spread or a potentially very dangerous exploit/virus that could spread quickly. Very Urgent is a very dangerous exploit/virus that is spreading. For instance, this VBS/Psyme variant is low, while the notification to patch because exploits for the April patches were found in the wild was Urgent, and a new NetSky variant found in the field but getting mostly low (but a few medium) risk ratings was rated as Medium.

New Section: In-Depth Virus Descriptions

trafton — Sat, 17 Apr 2004 19:05:00 GMT

A new section can now be viewed under “Virus Descriptions” on the FAQ part of the links section (the bar to your left.) From the description:

”There are a number of viruses that have a good amount of information published online, but it seems to be scattered across a number of difficult-to-find web sites. The intention of this database is to organize and describe a collection of common but poorly documented viruses. It will be updated with a new description each week. The two fields represent a mathematically-calculated 100-based risk scale, and then the viruses sorted alphabetically.”

The first write-up to be added is for the Kazaa-based high-level file infecter W32.HLLP.Hantaner. I hope to add one per week as the section grows. Hopefully you will find it informative and helpful.

New Article Available: Submitting Virus Samples

trafton — Sun, 11 Apr 2004 16:00:00 GMT

I just posted an article I wrote detailing the various antivirus vendors and how to submit samples to them. I hope to update this with more vendors as time goes on, as well as more details, especially about the isolation of infected files, something which is quite difficult to do over the Internet. You can find the article here. I have also added it to the FAQ links section under “Submitting Virus Samples.”

Hello World

trafton — Fri, 09 Apr 2004 12:34:00 GMT

Originally posted: Wednesday, April 7th, 2004 at 10:42 PM PDT. This should be the first post before The Daily Update, but .Text got the times messed up. Oh well.

Greetings

Hello and welcome to the uncreatively titled Security Manifest (I welcome any suggestions for a more colorful handle.) I'd like to start out with a note on the use of "manifest" in the title instead of, say, "blog": this is not really a traditional blog, per se. Actually, I am probably just kidding myself. This is pretty much a blog, but the word "blog" has always sounded to me like some sort of bad-tasting Scandinavian dessert dish. As for more serious issues, read on.

Who?

My name is Benjamin Johnstone-Anderson. I’m a 14-year-old student from Washington state in the United States. I enjoy sunsets, long walks on the beach, and people who don’t wait a month to apply critical security patches. Also, I was awarded as a Microsoft MVP (Most Valuable Professional) for Windows Security, specifically for work on breaking virus news at the McAfeeHelp Forums.

What?

Ideally, Security Manifest will provide a competent collection of security information from many sources in a prompt and accurate manner. On most days, there will be one post on SM containing a summary of the day’s events in the security field, and perhaps a few additional points of note. On more active days, El Manifesto may have several additional posts for up-to-the-minute updates. This may increase or decrease for temporarily periods of time as schedules allow. Information will be collected from various sites, such as news wires, antivirus vendor sites, industry publications, and the usual other suspects.

I will do my best to present an accurate, marketing-free news source. However, due to the fast-changing nature of the security world, wires sometimes cross, but The Manifest will do its darnedest to filter out the most plausible, and hopefully correct, details. Although the most complete information will be provided, it is not recommend anyone utilize SM for mission-critical business. It is targeted primarily to security-aware techies and intermediates with a will to expand their horizons.

Conflicts of Disinterest

The cynical may point out that working as a volunteer on the McAfeeHelp Forums and being a Microsoft MVP could cause a conflict of interest. Sure, I’m a human with good knowledge of the security world, and this means I have opinions. Chief among these are that customers should feel free to chose their own operating systems, antivirus programs, firewalls, and software in general. My job as a Microsoft MVP is to support people using Microsoft products with improving their experiences on them. My best knowledge is in Windows, as it is the only operating system I use much, and this is why I will focus on Windows security. Most security news is Windows-related, in fact, and my intent is not to fan the flames of any sort of software war, but to provide information about how users can protect themselves.

I will make no stance on what constitutes a better antivirus program. Really, most every virus scanner these days can detect most every common virus. For those truly concerned about technical details, I recommend Virus Bulletin, which publishes an occasional highly controlled review of most major antivirus programs, and some smaller ones, and tests them against a recent list of viruses that are spreading in the field. As obvious from these tests, all of the programs are generally fairly matched, and which one to chose is a personal question which I will not comment on.

I will, however, recommend free removal tools as I see fit. McAfee’s Stinger is more or less unique in this realm, as it does not specifically constrict the scan to one worm. For those on slower connections, this may not be the best choice, which is why I’ll also recommend a remover specific to that worm if it is available.

Thanks

Thanks go out for various things to Kelly Marshall, Jurren Bouman, the McAfeeHelp.com Forum staff, all of the Windows Security MVPs (and Susan Bradley, who manages to do ten things at once better than anyone else can do one). Special thanks go to Harry Waldron and Jerry Bryant.

The Future

I hope to soon move Security Manifest to a better server, as LiveJournal really isn't the proper place. Any suggestions are more than welcomed, especially those regarding hosting.