Antivirus: December 2005 Archives
The following is a comment by editor Pescatore in the SANS NewsBites email:
[Editor's Note (Pescatore): There has definitely been an increase in attacks via links in IM messages. Users who will no longer click on a link in an email for fear of phishing are still clicking on links in IM messages - and usually clicking within seconds of receipt, as compared to email messages that may sit in the user's in-box for quite some time. Enterprises that have made the decision to allow public IM services to be used by employees need to make sure that IM filtering services are put in place, and employees warned that IM screen names are just as insecure as email addresses.]
More bad news on the Windows Meta File front.
According to the latest SANS ISC Diary, McAfee announced on the radio yesterday that they saw 6% of their customers having been infected with the previous generation of the WMF exploits. 6% of their customer base is a huge number.
How does McAfee know how many infections occurred? With Symantec my clients aren't reporting anything to them. Does McAfee have all client infections reported to them (both consumer and corporate)?
If you've read any security sites over the past week, you know about the zero day Windows Meta File vulnerability.
Well, it keeps getting worse. Kaspersky reports that there is now an MSN Messenger worm that sends a link to a WMF exploit file. When you follow the link, the exploit runs a VBS script to install a bot. Have a nice day.
They also say it is possible to exploit this vulnerability even if shimgvw.dll has been removed from the system. They say that disabling and then removing the DLL provides a large measure of protection, but don't think you are safe.
It keeps getting worse. Is anyone else waking up at night thinking about this?
According to this article at Blink.nu, Microsoft Online Crash Analysis is capable of detecting some worms and viruses. Not only that, the recommended action is to initiate a scan through Windows Live Safety Center. I think that is pretty sweet.
Indian software company Sanra has announced a new anti-malware solution called Rudra. Rudra is a no-update solution that sounds like it is a mix of HIPS and tripwire. It assumes a clean system at install and then monitors for changes.
It seems like the documentation does a good job of describing what it is not. It is not virus-definition based or heuristic based. But when it describes what it is, it is less forthcoming. How does it determine whether a new program is a threat? Sounds like it's a whitelist-only approach to the computer.
A SecurityPipeline article says this program will be available the second week of January.
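To make the baseline-and-monitor idea concrete, here is a small tripwire-style integrity check. This is an added illustration, not Sanra's or Rudra's code, and nothing is known about how Rudra actually works; the directory layout, file names and the tampering scenario are constructed. It snapshots every file under a root as a SHA-256 digest (the "assume a clean system at install" step), takes a second snapshot later, and reports what was added, removed or modified. It also shows the limit the post is poking at: a pure baseline approach can tell you that something changed, but on its own it cannot say whether the new binary is a threat.

```python
"""Baseline-and-diff file integrity monitor (tripwire-style whitelist).

Added example, not vendor code. Paths and contents below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Snapshot every regular file under root as {relative posix path: digest}.

    Everything present at snapshot time is implicitly trusted; this is the
    'clean system at install' assumption of a whitelist-only product.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between two snapshots.

    Note what this cannot do: it flags 'bin/dropper.exe' only because it is
    new, not because anything about it is known to be malicious.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ legitimate program")
        (root / "config.ini").write_text("debug=0\n")
        (root / "readme.txt").write_text("hello\n")

        baseline = build_baseline(root)

        # Changes a change-monitoring product would later observe (constructed).
        (root / "bin" / "app.exe").write_bytes(b"MZ legitimate program\x90\x90")  # patched in place
        (root / "readme.txt").unlink()                                            # deleted
        (root / "bin" / "dropper.exe").write_bytes(b"MZ unknown binary")          # new, not in whitelist

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Running it reports `bin/dropper.exe` as added, `readme.txt` as removed and `bin/app.exe` as modified. A real product would have to decide which of those three a user should be alarmed about, and that decision logic is exactly the part the Rudra documentation does not describe.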
I learned of this article over at the broadbandreports.com security forums. Holy_Father, the author of Hacker Defender, a common Windows rootkit, speaks about his motivation. I can't vouch for its veracity, but then I say the same about every news.com article I link to as well. :)
"Antivirus companies sell a fake sense of security, but they do not bring real security to your computer. Antivirus just fights programs that are visible to common users."
"Yes, antivirus products will protect you against wildly spreading threats like destructive worms. But the real danger for users is from pointed attacks, where private tools are used"
Don't forget as Message Labs has pointed out, targeted attacks are becoming more common. Don't think it can't happen at your company. This rootkit author sees his rootkit as forcing antivirus companies to develop better products.
holy_father says that today's heuristic scanners and polymorphic scanners are crap. They are defeated by minor changes to the source code of the malware. I can see that working against bad heuristics like Symantec's bloodhound, but I would hope that Esafe's sandboxing approach would provide more of a challenge.
Thomas Claburn writes in Information Week (reprinted by Security Pipeline) about the struggle of antivirus companies to keep up with attacks. It's an interesting timeline to follow the creation of definitions for the Santy worm.
It sounds like at least at some antivirus firms they may finally be ready to move on from the broken virus definition update model, and move on toward proactive defenses.
Symantec has decided that netcat is a hack tool! What’s next? telnet? Netcat is number 4 on insecure.org’s list of top security tools.
I’m trying to decide if this is worth spending time on. I’ve been able to get Ghost Mail by Robert Yale off of Symantec’s hit list in the past. But I think this might be a tougher argument. It’s like the radmin detection. It’s a common enough tool, but if one person uses it for bad, oh no, it must be designated for removal. I think Symantec is playing fast and loose with the "extended security threat" categories. Sooner or later everything will be listed there.
It’s not as if Symantec makes this easy to ignore. First you add it to an ignore list for the realtime scan. Then for the scheduled scans. Then the real fun begins. You have to disable the startup quick scan (with 10.0.1.1000 and later this is an option in the SSC), and it looks like you may need to disable the defwatch scan according to this article: http://tinyurl.com/cokvu. Lastly, users may create their own scheduled scan. You can't exclude netcat from that; all you can do is program it to leave it alone.
Businesswire reports that the Seattle Times is deploying IMlogic IM Manager.
Their primary goals are:
- gain visibility into staff instant messaging (IM) use
- ensure compliance with internal and external use policies
- prevent cyber threats from entering its network
"We had no visibility and no way to monitor, control or track IM use. We didn't know if files were being sent out without our knowledge,"
"Rather than shut down all IM use, we opted to manage it. Our tech folks did a thorough evaluation, talking to our peers and researching different solutions. IMlogic IM Manager and its Real-Time Threat Protection System turned out to be technically superior."
ZDnet repeats an Akonix press release reporting that IM worms increased in November as compared to October.
It's kind of satisfying that 36% of the worms target more than one network. Back when IM worms first came out they were occurring on the Windows Messenger network first, and the Microsoft bashers were lining up to take their swings. Those critics fell strangely silent after more worms targeted the AIM network, which is more widely used in the U.S.
Do you trust reports from security vendors? They profit by selling software to protect against X. So are they unbiased when they say X is on the rise (thus you need our product)?