Archive for January 2007
More Stormwatch
F-Secure has a blog entry on the latest variants of the Storm virus. Subject lines seen so far:
So Unique
Feeling Horny?
Full Heart
Sending Kiss
Just You
Heart of Mine
I Love You Soo Much
[events]Our Wedding Day
Love at first sight
Dream Date Coupon
Back Together
Attachment names seen so far:
flash postcard.exe
postcard.exe
greeting postcard.exe
Greeting Card.exe
Those are just some of the ones I have seen.
That not so fresh feeling
If I were building a caching proxy, I would have it tune itself by assuming at first that content needs to be refreshed frequently. Only after a history with a site is established should it save bandwidth by checking for updates less often.
We implemented a transparent caching proxy this week, and I'm seeing cache freshness issues. When I talk to the vendor about this they blame badly behaved websites: most websites use HTTP headers to indicate when their content expires, and the problem sites don't. The trouble with that response is that you have to take the Internet as it comes to you. Without this proxy, my users are just fine. Adding the proxy is supposed to make things work better, not worse. In my opinion it is the vendor's responsibility to make it work.
So I'm left with promises that as I add more users and time passes, the proxy's freshness algorithms will learn and I won't see these issues. The vendor points out that they have 70% of the caching market, so they must be good. I'm left looking at yesterday's news.
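As an added example (not the vendor's algorithm and not code from this post), here is how a caching proxy decides freshness from the headers the entry mentions, with the "learn from history" idea bolted on: when an origin sends no expiry at all, the heuristic guess is capped at five minutes for an origin the cache has no history with, and the cap doubles for every revalidation that came back 304 Not Modified. The 10% rule comes from RFC 2616 section 13.2.4; the five-minute starting cap, the 24-hour ceiling, the doubling rule and the sample headers are assumptions made for illustration.

```python
"""Freshness decisions for a caching proxy: explicit expiry first, a heuristic only as
a fallback. Added illustration for this post, not any vendor's algorithm."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime, format_datetime

HEURISTIC_FRACTION = 0.10           # RFC 2616 13.2.4: ~10% of the time since Last-Modified
INITIAL_CAP = timedelta(minutes=5)  # assumption: cap for an origin with no history yet
MAX_CAP = timedelta(hours=24)       # assumption: never guess beyond a day


def parse_cache_control(value):
    """'max-age=60, no-cache' -> {'max-age': '60', 'no-cache': None} (names lower-cased)."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def http_date(value):
    """Parse an RFC 1123 date header; None if missing or unparsable."""
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def explicit_lifetime(headers, response_time):
    """Lifetime the origin asked for, or None if it sent no expiry information.
    headers: dict with lower-cased names. Cache-Control max-age overrides Expires."""
    cc = parse_cache_control(headers.get("cache-control", ""))
    if "no-cache" in cc or "no-store" in cc:
        return timedelta(0)
    max_age = cc.get("max-age")
    if max_age and max_age.isdigit():
        return timedelta(seconds=int(max_age))
    if "expires" in headers:
        expires = http_date(headers["expires"])
        if expires is None:           # 'Expires: 0' or garbage means already expired
            return timedelta(0)
        date = http_date(headers.get("date", "")) or response_time
        return max(expires - date, timedelta(0))
    return None


def heuristic_lifetime(headers, response_time, validations_seen=0):
    """No explicit expiry: guess 10% of the time since Last-Modified, capped. The cap
    starts small for an origin the cache has no history with and doubles for each
    revalidation that returned 304 Not Modified (the post's policy; an assumption here)."""
    last_modified = http_date(headers.get("last-modified", ""))
    if last_modified is None:
        return timedelta(0)           # nothing to base a guess on: revalidate every time
    cap = min(INITIAL_CAP * (2 ** validations_seen), MAX_CAP)
    guess = (response_time - last_modified) * HEURISTIC_FRACTION
    return max(min(guess, cap), timedelta(0))


def is_fresh(headers, response_time, now, validations_seen=0):
    """True if the cached response can be served without contacting the origin."""
    lifetime = explicit_lifetime(headers, response_time)
    if lifetime is None:
        lifetime = heuristic_lifetime(headers, response_time, validations_seen)
    return (now - response_time) < lifetime


# Constructed sample responses; no real site is involved.
T0 = datetime(2007, 1, 20, 12, 0, tzinfo=timezone.utc)
EXPLICIT = {"cache-control": "max-age=60"}
EXPIRED = {"expires": "0"}
HEURISTIC = {"last-modified": format_datetime(T0 - timedelta(days=10))}

if __name__ == "__main__":
    for name, hdrs in [("explicit", EXPLICIT), ("expired", EXPIRED), ("heuristic", HEURISTIC)]:
        for history in (0, 5):
            print(name, "history", history, "fresh after 30 min:",
                  is_fresh(hdrs, T0, T0 + timedelta(minutes=30), history))
```

With no expiry headers and no history, the heuristic entry is served for only five minutes before the proxy revalidates, which is the "assume it changes often" default the entry argues for; a run of 304 responses stretches that cap, and an origin that sends a real max-age or Expires is never second-guessed.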
Virus of the day
Today's virus of the day is being detected as win32.small.dam in our inbound email.
The recipient addresses so far are very old. I guess this is one spammer group that hasn't been sold our corporate address book.
The only reason I mention the virus is that the lurid subject lines got a laugh out of me.
“U.S. Secretary of State Condoleeza Rice has kicked German Chancellor Angela Merkel”
Other subjects:
“Naked teens attack home director”
“British Muslims Genocide”
Attachments seen: “full clip.exe” and “video.exe”
Adobe Strikes Again
I had heard that Adobe Reader 7.0.9 is out, so you no longer have to upgrade to 8 to avoid the vulnerabilities mentioned in their security advisory. The problem is that, according to this advisory, they are only making 7.0.9 available as a full install and not as a patch. I guess that is part of their program to encourage upgrading. Does this upgrade do anything besides replace one DLL?
Email Malware
I'm seeing some interesting things in email this weekend. The first is some email detected as “Exploit/Mime-boundary-quote”. MIME boundary issues may be exploited so that an SMTP gateway email scanner will not detect a virus, while Outlook will still interpret the MIME as an attachment. Well, it's not getting by our scanner.
The second thing I'm seeing is more Stration virus variants being spammed out. As you'll recall, Stration is most often characterized as having an attachment named postcard.exe. I'm also seeing an attachment named message.dat.cmd. At the time we received the new Stration it was detected heuristically; the signatures weren't yet available.
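An added illustration of the disagreement this entry describes (not the scanner's logic, and the message is constructed rather than a captured sample): the boundary parameter has an unterminated quote. A parser that reads the quoted-string literally keeps the stray quote, never matches the part delimiters, and sees no attachment at all, while a forgiving parser strips the quote and finds Greeting Card.exe. The same block applies the attachment-name check the Stormwatch and Stration entries on this page suggest: flag executable extensions, including double extensions such as message.dat.cmd. The header helper ignores folded headers, which is enough for the demonstration but not for production mail.

```python
"""Why a gateway scanner and a mail client can disagree about what a MIME message
contains. Added illustration; the message below is constructed, not a real capture."""
import re

# Constructed message: the closing quote of the boundary parameter is missing.
SAMPLE = (
    "From: a@example.com\r\n"
    "To: b@example.com\r\n"
    "Subject: Greeting Card\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="--=_part42\r\n'
    "\r\n"
    "----=_part42\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Open the card.\r\n"
    "----=_part42\r\n"
    'Content-Type: application/octet-stream; name="Greeting Card.exe"\r\n'
    'Content-Disposition: attachment; filename="Greeting Card.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "QUJDRA==\r\n"            # placeholder payload ('ABCD'), not an executable
    "----=_part42--\r\n"
)
# The same message with the quote closed; every parser should agree on this one.
WELLFORMED = SAMPLE.replace('boundary="--=_part42\r\n', 'boundary="--=_part42"\r\n')

DANGEROUS_EXT = {"exe", "cmd", "bat", "scr", "pif", "com", "vbs", "js"}


def header(block, name):
    """First value of a header in a header block (no folding support: demo only)."""
    for line in block.split("\r\n"):
        key, _, value = line.partition(":")
        if key.strip().lower() == name:
            return value.strip()
    return None


def boundary_param(content_type, lenient):
    """Extract the boundary. A lenient parser strips whatever quote it finds and uses
    the rest; a parser that reads the quoted-string literally keeps an unterminated
    quote as part of the token and then never matches the delimiters in the body."""
    m = re.search(r'boundary=("?)([^";\r\n]*)', content_type, re.I)
    if not m:
        return None
    quote, value = m.group(1), m.group(2)
    closed = content_type[m.end(2):].startswith('"')
    if lenient or not quote or closed:
        return value
    return quote + value


def attachments(msg, lenient):
    """Filenames of the parts a parser with the given strictness can see."""
    head, _, body = msg.partition("\r\n\r\n")
    boundary = boundary_param(header(head, "content-type") or "", lenient)
    if not boundary:
        return []
    names = []
    for part in body.split("--" + boundary)[1:]:
        if part.startswith("--"):             # closing delimiter
            break
        part_head = part.lstrip("\r\n").partition("\r\n\r\n")[0]
        disp = (header(part_head, "content-disposition")
                or header(part_head, "content-type") or "")
        m = re.search(r'(?:filename|name)="?([^";\r\n]+)', disp, re.I)
        if m:
            names.append(m.group(1))
    return names


def is_suspicious(name):
    """Executable final extension; catches double extensions like message.dat.cmd too."""
    return name.lower().rsplit(".", 1)[-1] in DANGEROUS_EXT


def scan(msg):
    """Parse both ways; a disagreement between the two views is itself a reason to block."""
    strict, client = attachments(msg, lenient=False), attachments(msg, lenient=True)
    return {
        "gateway_sees": strict,
        "client_sees": client,
        "disagree": strict != client,
        "flagged": [n for n in client if is_suspicious(n)],
    }


if __name__ == "__main__":
    print("malformed:", scan(SAMPLE))
    print("well-formed:", scan(WELLFORMED))
```

The point for a gateway is the `disagree` flag: rather than picking one parsing rule and hoping it matches every client, parse the message as permissively as the clients do, and treat any message where the strict and permissive views differ as malformed and hold it.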
GAO – Telecommuters Internet Connection Reimbursable
According to a Federal Computer Week article, the GAO has approved a request by the US Patent and Trademark Office that it be allowed to pay for high-speed Internet access for patent and trademark teleworkers.
The ability to telecommute is itself a benefit. Now these highly paid workers want the Government to pay for their Internet connection too?
What's kind of funny is that although the GAO is allowing the PTO to pay for the access, it cannot pay for any hardware costs. That encourages the employee to connect directly to the Internet rather than putting a NAT router in between.
Java exploit code available
http://www.us-cert.gov/current/index.html#sunjpriv
US-CERT announced today that it is aware of publicly available exploit code for multiple vulnerabilities in the Sun Java Runtime Environment (JRE). Several flaws in the JRE may allow an untrusted Java applet to elevate its privileges or execute malicious code.
These issues are addressed in the following releases (for Windows, Solaris, and Linux):
JDK and JRE 5.0 Update 8 or later
SDK and JRE 1.4.2_13 or later
SDK and JRE 1.3.1_19 or later
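An added check (not from US-CERT or this post) that reads the first line of `java -version` output and reports whether the installed build is at or beyond the fixed releases listed above. The JVM reports 5.0 Update 8 as 1.5.0_08, so the fixed minimums are keyed by the 1.x.y branch string. The version strings in the block are constructed; JDK 6 builds report as 1.6.0 and are not covered by this advisory, so the check answers None (unknown) for them rather than guessing.

```python
"""Is the local Sun JRE at or past the releases US-CERT lists as fixed?
Added example; sample version strings are constructed."""
import re
import subprocess

# Minimum fixed update per branch, from the advisory text above.
# '5.0 Update 8' is reported by the JVM as 1.5.0_08.
FIXED = {"1.5.0": 8, "1.4.2": 13, "1.3.1": 19}

_VERSION = re.compile(r'(\d+\.\d+\.\d+)(?:_(\d+))?')


def parse_java_version(text):
    """'java version "1.5.0_07"' -> ('1.5.0', 7); update 0 if absent; None if no match."""
    m = _VERSION.search(text)
    if not m:
        return None
    return m.group(1), int(m.group(2) or 0)


def is_patched(text):
    """True/False for a branch the advisory covers; None if the branch is not listed
    (for example 1.6.0) or the string does not look like a Java version at all."""
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    branch, update = parsed
    if branch not in FIXED:
        return None
    return update >= FIXED[branch]


def local_java_version():
    """Run 'java -version' (it prints to stderr); None if there is no java on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    banner = local_java_version()
    if banner is None:
        print("no java on PATH")
    else:
        print(banner.splitlines()[0], "->", is_patched(banner))
```

A None result is the case worth handling explicitly in an inventory script: it means the check has nothing to say, not that the machine is safe.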
Spam Automation Tools
Brian Krebs links to the XRumer auto-submitter in an entry in the Washington Post's Security Fix. It's interesting to see the software that is out there for pumping spam into online bulletin boards.
XRumer uses search engines to gather target forums, then automates the registration and posting of the spam. Its feature list brags that it can get around CAPTCHAs and email verification. There is a long video demonstrating its use.
Yet Another PDF Vuln
The Month of Apple Bugs has announced an error in the PDF specification that affects most PDF implementations. The vulnerability could allow malicious code execution.
Is that the third vulnerability in Adobe Reader/Professional since November 30? To quote Dirty Harry, “Well, to tell you the truth, in all this excitement I've kinda lost track myself.”
Adobe is expected to release version 7.0.9 this week to deal with one or two of these issues, but I wouldn't expect it to have this third issue wrapped up.
Other links
Bugtraq
Enough with the zero days
Pascal Meunier writes in the CERIAS weblog about the lack of proper etiquette in zero-day disclosures.
I do tend to agree with him. Zero-day disclosures don't help anyone but people trying to make a name for themselves, HIPS vendors, and malware purveyors. However, I would say that this post would have been better timed during the first “Month of xyz vulnerabilities” rather than waiting until the critics' darling Apple was targeted.