Archive for December 2005

SANS Newsbites on IM Security

The following is a comment by editor Pescatore in the SANS NewsBites email:

[Editor's Note (Pescatore): There has definitely been an increase in attacks via links in IM messages. Users who will no longer click on a link in an email for fear of phishing are still clicking on links in IM messages - and usually clicking within seconds of receipt, as compared to email messages that may sit in the user's inbox for quite some time. Enterprises that have made the decision to allow public IM services to be used by employees need to make sure that IM filtering services are put in place, and employees warned that IM screen names are just as insecure as email addresses.]

The fog is getting thicker, and Leon is getting larger

More bad news on the Windows Metafile front.
According to the latest SANS ISC Diary, McAfee announced on the radio yesterday that they saw 6% of their customers infected with the previous generation of WMF exploits. 6% of their customer base is a huge number.
How does McAfee know how many infections occurred? With Symantec, my clients aren't reporting anything to them. Does McAfee have all client infections reported to them (both consumer and corporate)?

Now this is a good magazine

Long-time readers (and I'd like to thank both of you) know that I really hate Redmond Magazine and what they've done to the old MCP Magazine. Fortunately, I've got a mag that is actually useful. TechNet Magazine is published by Microsoft, so it doesn't have the annoying anti-Microsoft rhetoric that mars Redmond Mag.
I got the January/February issue this week and it's got a "Hey, Scripting Guy!" article that addresses one of my problems: creating a script to determine last logon time. Next it has an article by my personal security hero, Jesper Johansson. There is also an NTFS permissions article that I haven't read yet that looks interesting.

WMF IM Worm

If you've read any security sites over the past week, you know about the zero-day Windows Metafile (WMF) vulnerability.
Well, it keeps getting worse. Kaspersky reports that there is now an MSN Messenger worm that sends a link to a WMF exploit file. When you follow the link, the exploit runs a VBScript to install a bot. Have a nice day.
They also say it is possible to exploit this vulnerability even if shimgvw.dll has been removed from the system. They say that disabling and then removing the DLL provides a large measure of protection, but don't think you are safe.
It keeps getting worse. Is anyone else waking up at night thinking about this?
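The hole the worm's WMF file goes through is GDI's handling of the META_ESCAPE record with the SETABORTPROC sub-function (escape number 9), which lets a metafile register a callback that GDI then calls; that is why the bug is independent of shimgvw.dll and why a filter can key on that record instead of on any one payload. The following Python is an added example, not code from this post, from Kaspersky, or from SANS: a minimal WMF record walker that flags SetAbortProc escapes. The sample metafiles are constructed inline, and the payload bytes are a placeholder, not shellcode.

```python
import struct

# WMF record function numbers (from the MS-WMF record table) used here
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape sub-function abused by the exploit
PLACEABLE_MAGIC = 0x9AC6CDD7  # key of the optional 22-byte Aldus placeable header


def parse_wmf_records(data):
    """Walk the metafile and return (offset, function, params) for each record.
    Stops at META_EOF or at the first record whose size field is impossible."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                          # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated METAHEADER")
    hdr_type, hdr_words = struct.unpack_from("<HH", data, off)
    if hdr_type not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF METAHEADER")
    off += hdr_words * 2
    records = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2             # record sizes are in 16-bit words
        if size < 6 or off + size > len(data):
            break                         # bogus size: do not trust it, stop walking
        records.append((off, func, data[off + 6:off + size]))
        off += size
        if func == META_EOF:
            break
    return records


def find_setabortproc(data):
    """Return [(record_offset, declared_payload_bytes)] for every SetAbortProc escape."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, nbytes = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append((off, nbytes))
    return hits


# --- constructed sample files, not captures from the worm ----------------

def _record(func, params=b""):
    if len(params) % 2:
        params += b"\x00"                 # keep the record a whole number of words
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records, placeable=False):
    body = b"".join(records)
    max_words = max(len(r) // 2 for r in records)
    # METAHEADER: Type=1 (memory), HeaderSize=9 words, Version 3.0, Size, objects, MaxRecord, members
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    prefix = b""
    if placeable:
        prefix = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0)
    return prefix + header + body


BENIGN = build_wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)), _record(META_EOF)])

_PLACEHOLDER = b"A" * 16   # stands in for the attacker's code; deliberately inert
MALICIOUS = build_wmf([
    _record(META_SETMAPMODE, struct.pack("<H", 8)),
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(_PLACEHOLDER)) + _PLACEHOLDER),
    _record(META_EOF),
])
MALICIOUS_PLACEABLE = build_wmf([
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(_PLACEHOLDER)) + _PLACEHOLDER),
], placeable=True)

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN), ("malicious", MALICIOUS), ("placeable", MALICIOUS_PLACEABLE)]:
        print(name, find_setabortproc(blob))
```

The walker refuses to trust a record size that runs past the end of the file, because exploit files tend to be malformed after the escape record; the flag is still raised because the SetAbortProc record comes first. It inspects content, not the file extension, which matters for a link-delivered file. It is a detector for this one mechanism, not a substitute for the patch.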

MS Online Crash Analysis

According to this article at Blink.nu, Microsoft Online Crash Analysis is capable of detecting some worms and viruses. Not only that, the recommended action is to initiate a scan through Windows Live Safety Center. I think that is pretty sweet.

Merry Christmas

Luke 2
8 And there were shepherds living out in the fields nearby, keeping watch over their flocks at night. 9 An angel of the Lord appeared to them, and the glory of the Lord shone around them, and they were terrified. 10 But the angel said to them, "Do not be afraid. I bring you good news of great joy that will be for all the people. 11 Today in the town of David a Savior has been born to you; he is Christ the Lord. 12 This will be a sign to you: You will find a baby wrapped in cloths and lying in a manger."
13 Suddenly a great company of the heavenly host appeared with the angel, praising God and saying,
14 "Glory to God in the highest,
and on earth peace to men on whom his favor rests."

FTC CANSPAM Report

The FTC's report to Congress on the CAN-SPAM legislation is available here. The report has been widely criticized for saying that the CAN-SPAM legislation was successful.
It says "since (the) enactment of CAN-SPAM, spam volume has begun to decline as has consumer frustration." One of the notable aspects of CAN-SPAM was that the amount of spam skyrocketed after it was passed. Spamming was made legal as long as a legitimate opt-out address was provided and headers were not forged. MessageLabs reports confirm that spam volume skyrocketed after CAN-SPAM and only since October has it returned to earlier levels. Causation has not been proven.
Consumer frustration has dropped because many ISPs and companies have added spam filters. Spam filter technology has advanced to the point that false positives and false negatives are minimized. Further, several spammers have been taken out of business by state attorneys general rather than by FTC action. The FTC correctly reports that ISPs' blocking of outbound port 25, except through their own mail servers, has hampered the spammers' abilities as well.

Sanra Rudra

Indian software company Sanra has announced a new anti-malware solution called Rudra. Rudra is a no-update solution that sounds like a mix of HIPS and Tripwire: it assumes a clean system at install and then monitors for changes.
The documentation does a good job of describing what it is not: it is not virus-definition based or heuristic based. But when it describes what it is, it is less forthcoming. How does it determine whether a new program is a threat or not? It sounds like a whitelist-only approach to the computer.
A SecurityPipeline article says this program will be available the second week of January.

Hacker Defender author speaks

I learned of this article over at the broadbandreports.com security forums. Holy_Father, the author of Hacker Defender, a common Windows rootkit, speaks about his motivation. I can't vouch for its veracity, but then I say the same about every news.com article I link to as well. :)
“Antivirus companies sell a fake sense of security, but they do not bring real security to your computer. Antivirus just fights programs that are visible to common users.”
“Yes, antivirus products will protect you against wildly spreading threats like destructive worms. But the real danger for users is from pointed attacks, where private tools are used”
Don't forget, as MessageLabs has pointed out, that targeted attacks are becoming more common. Don't think it can't happen at your company. This rootkit author sees his rootkit as forcing antivirus companies to develop better products.
Holy_Father says that today's heuristic scanners and polymorphic scanners are crap: they are defeated by minor changes to the source code of the malware. I can see that working against bad heuristics like Symantec's Bloodhound, but I would hope that eSafe's sandboxing approach would provide more of a challenge.

Pass the Chronic (what) cles of Narnia

I heard about this sketch on SNL this week. Thanks to Scoble, I’ve got the link to the video.
http://www.youtube.com/watch.php?v=zLElfJ9YCh0
It's all about the Hamiltons, yo.