Antivirus: June 2006 Archives
Alex over at the Sunbelt Software blog is having a temper tantrum over what he terms the predatory pricing of Microsoft OneCare and Frontbridge. Imagine what he'd be saying if they were giving it away, as they probably should be.
I don't really follow this all that closely. I'm currently a user of Microsoft Antigen, and the prices quoted for Frontbridge seem to be what I'm paying for Antigen now. So I don't see the predatory pricing. Further, he says Microsoft has gone outside the norm in their pricing method. The reality is that Sybari was always a subscription-based model where the software is licensed for a period of time only. This is not a change.
The legacy antivirus vendors should be on notice. If they want to continue with the same crappy products bundled together for higher prices, it will no longer work. Alex says that Microsoft will stifle innovation. I say the opposite. AV companies need to get off the bench and create better products.
In May 2005 I wrote about the security analogy of the bear and two guys, one of whom stops to put on running shoes. It's "good enough security": I don't have to outrun the bear, I just have to outrun you. I opined that good enough security is only good enough when your security exists solely so you can check off a requirement with a regulatory agency. In reality, targeted attacks destroy "good enough" security. What if the bear doesn't care about your slower friend? What about when it's personal?
In the June 2006 issue of SC Magazine, the opening editorial makes use of this analogy and makes the point that good enough security doesn't work against internal attacks either. They would argue that the main defenses are policies such as job rotation, separation of duties and rotation of duties.
I glanced at my BlackBerry during dinner and saw a whole mess of virus alerts such as the following:
The message sender was alerts@CNN.com
The message originating IP was 81.168.6.17
The message recipients were user@$mydomain.com
The message was titled Osama Found Hanged
The message date was Thu, 15 Jun 2006 22:02:54 -0700
The message identifier was (empty)
The virus or unauthorised code identified in the email is:
/var/qmail/queue/split/0/attach/3384881_4X_AZ-D_PA2__Photo=20and=20Article.exe
Found the W32/Sdbot.worm.gen.as virus !!!
In case it's not clear, that is the admin notification sent when someone sends a virus. Looks like another run of viruses being spammed. How many times have they tried the Osama bin Virus since 2001?
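When a run like this comes in, the useful thing to do with a pile of those notifications is to parse them into fields and count them, so that one spam campaign shows up as one bucket rather than a stream of pages. The script below is an added example written for this post, not part of the original or of any scanner's own tooling; it parses the notification format quoted above (the sample is that alert, constructed here one field per line), decodes the MIME quoted-printable escapes in the queued attachment name (`=20` is a space), flags executable extensions, and tallies alerts by virus name and subject. The set of "executable" extensions is an assumption chosen for the example.

```python
import re
import quopri
from collections import Counter
from os.path import basename, splitext

# Constructed sample: the admin notification quoted above, one field per line.
SAMPLE_ALERT = """\
The message sender was alerts@CNN.com
The message originating IP was 81.168.6.17
The message recipients were user@$mydomain.com
The message was titled Osama Found Hanged
The message date was Thu, 15 Jun 2006 22:02:54 -0700
The message identifier was (empty)
The virus or unauthorised code identified in the email is:
/var/qmail/queue/split/0/attach/3384881_4X_AZ-D_PA2__Photo=20and=20Article.exe
Found the W32/Sdbot.worm.gen.as virus !!!
"""

# One regex per field of the notification; each captures the value after the fixed label.
FIELD_PATTERNS = {
    "sender": r"^The message sender was (.+?)\s*$",
    "origin_ip": r"^The message originating IP was (\S+)",
    "recipients": r"^The message recipients were (.+?)\s*$",
    "subject": r"^The message was titled (.+?)\s*$",
    "date": r"^The message date was (.+?)\s*$",
    "message_id": r"^The message identifier was (.+?)\s*$",
    "attachment_path": r"^(/\S+)\s*$",   # the quarantined file in the mail queue
    "virus": r"^Found the (\S+) virus",
}

# Extensions the gateway should treat as executable (assumed list for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def parse_alert(text):
    """Turn one notification into a dict of fields plus a decoded attachment name."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        m = re.search(pattern, text, re.MULTILINE)
        fields[name] = m.group(1) if m else None

    if fields["message_id"] in (None, "(empty)"):
        fields["message_id"] = None
    fields["recipients"] = fields["recipients"].split() if fields["recipients"] else []

    path = fields["attachment_path"]
    if path:
        # The queued filename carries MIME quoted-printable escapes (=20 is a space);
        # decode them so the name the user actually saw is what gets logged.
        name = quopri.decodestring(basename(path).encode()).decode("latin-1")
        fields["attachment_name"] = name
        fields["executable_attachment"] = splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS
    else:
        fields["attachment_name"] = None
        fields["executable_attachment"] = False
    return fields


def summarize(alerts):
    """Count alerts per (virus name, subject) so a spam run shows up as one large bucket."""
    return Counter((a["virus"], a["subject"]) for a in alerts)


if __name__ == "__main__":
    parsed = parse_alert(SAMPLE_ALERT)
    for key, value in parsed.items():
        print(f"{key:22} {value}")
    # A second constructed alert to the same campaign, differing only in recipient.
    print(summarize([parsed, parse_alert(SAMPLE_ALERT.replace("user@", "other@"))]))
```

Feed it the body of each notification mail and the `summarize` counter tells you at a glance whether you are looking at one spammed worm run or several unrelated detections.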
eEye has released additional details on the SAV 10 vulnerability.
http://www.eeye.com/html/research/advisories/AD20060612.html
As rumored, the vulnerability is in the remote management interface and would allow an attacker to run code with SYSTEM privileges.
Overview:
eEye Digital Security has discovered a vulnerability in the remote management interface for Symantec AntiVirus 10.x and Symantec Client Security 3.x, which could be exploited by an anonymous attacker in order to execute arbitrary code with SYSTEM privileges on an affected system. The management interface is typically enabled in enterprise settings and listens on TCP port 2967 by default, for both server and client systems.
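Since the advisory says the interface listens on TCP 2967 on both servers and clients, the first practical step is to find out which of your machines actually expose that port, so the exposed ones can be firewalled or prioritised for the fix. The script below is an added example for this post, not eEye's or Symantec's code; it does a plain TCP connect sweep across an inventory list. The demo listener on loopback is a constructed stand-in for an exposed host so the example runs offline, and the inventory address is a placeholder.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Default listener named in the eEye advisory for SAV 10.x / SCS 3.x remote management.
SAV_MGMT_PORT = 2967


def port_open(host, port, timeout=1.0):
    """True if a TCP connect to host:port completes within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except OSError:  # refused, filtered (timeout), unreachable, DNS failure
            return False
        return True


def exposed_hosts(hosts, port=SAV_MGMT_PORT, timeout=1.0, workers=32):
    """Return the sorted subset of hosts that accept connections on the port."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, port_open(h, port, timeout)), hosts))
    return sorted(host for host, is_open in results if is_open)


def demo_listener():
    """Constructed stand-in for an exposed host: a loopback TCP listener on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    # Inventory to sweep; replace with the real client/server list (placeholder address).
    inventory = ["127.0.0.1"]
    srv = demo_listener()
    print("demo listener on", srv.getsockname())
    print("exposed:", exposed_hosts(inventory, port=srv.getsockname()[1]))
    srv.close()
```

A connect sweep only tells you the port answers, not the product version behind it, so treat every hit as exposed until the host is confirmed patched; anything reachable from networks you do not control should be blocked at the host firewall in the meantime.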
The SANS Internet Storm Center has information answering my question on the conflicting info on whether or not you have to open the attachment.
To activate the mass-mailer it is sufficient to open the mail message without clicking on the attachment and it will scour your address list and send itself as an attachment (forwarded message) to everyone on it. It searches for both @yahoo.com and @yahoogroups.com e-mail addresses.
They go on to say that the virus is poorly coded and does not do everything the writer is trying to achieve. There are two versions in circulation, with the second being an attempt at a bug fix.
Symantec 6/12 virus defs detect this.
Yamanner is written in JavaScript. It exploits a vulnerability in the Yahoo email service to send a copy of itself to the user's Yahoo email contacts.
Mitigation is tough at this time. You can't disable JavaScript and still access Yahoo Mail. The viral messages are from people you know. You could refrain from opening unexpected messages, but that kinda negates the purpose of the Internet in my opinion. Users in the Yahoo Mail beta are not affected.
There is some talk over on the Full Disclosure mailing list of a worm on Yahoo Mail. They say it is exploiting a vulnerability in Yahoo Mail so that when you open an email with the exploit it will send email to gathered yahoo addresses.
Symantec has a writeup here.
JS.Yamanner@m performs the following actions:
Arrives on the compromised computer as an HTML email containing JavaScript. The email may have the following characteristics:
From: Varies
Subject: New Graphic Site
Message body: Note: forwarded message attached.
Once the email is opened the worm exploits a vulnerability in the Yahoo email service to run a script.
Sends a copy of itself to certain email addresses gathered from the Yahoo email folders.
Targets email addresses from the @yahoo.com and @yahoogroups.com domains.
Contacts the following URL:
[http://]www.av3.net/index.htm
Sends a list of email addresses gathered to the above URL.
It's not clear from this whether the user is required to open an email attachment to be exploited or whether it occurs as the email message is opened.
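Whatever the trigger turns out to be, the indicators in the Symantec writeup quoted above (subject, body marker, callback host, and script in an HTML body) are enough to hold the messages at a mail gateway before they reach a webmail user. The script below is an added example written for this post, not Symantec's or Yahoo's code; it parses an RFC 2822 message, checks each HTML part for those indicators, and quarantines on script content or on two static indicators together (so a variant with a reworked script still matches). The two sample messages are constructed here; the "suspect" one reproduces only the outward characteristics with a placeholder script, not the worm's code, and the quarantine policy is an assumption for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the Symantec writeup quoted above.
YAMANNER_SUBJECT = "New Graphic Site"
YAMANNER_BODY_MARKER = "Note: forwarded message attached."
YAMANNER_CALLBACK_HOST = "www.av3.net"

# Active content in an HTML body: a script block or an inline event handler.
ACTIVE_CONTENT_RE = re.compile(r"<script\b|\bon(?:load|error|mouseover|click)\s*=", re.I)


def html_bodies(msg):
    """Yield the decoded text of every text/html part in the message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def check_message(raw):
    """Classify one RFC 2822 message; returns (verdict, list of matched indicators)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower() == YAMANNER_SUBJECT.lower():
        hits.append("subject")
    html = "\n".join(html_bodies(msg)).lower()
    if YAMANNER_BODY_MARKER.lower() in html:
        hits.append("body_marker")
    if YAMANNER_CALLBACK_HOST in html:
        hits.append("callback_host")
    if ACTIVE_CONTENT_RE.search(html):
        hits.append("active_content")
    # Policy (assumed for this example): script in an HTML mail is reason enough to hold it
    # for webmail users; otherwise require two static indicators to catch reworked variants.
    if "active_content" in hits or len(hits) >= 2:
        return "quarantine", hits
    return "deliver", hits


def build_sample(subject, html):
    """Constructed test message with a text/plain and a text/html alternative."""
    m = EmailMessage()
    m["From"] = "friend@yahoo.com"
    m["To"] = "user@yahoo.com"
    m["Subject"] = subject
    m.set_content("Note: forwarded message attached.")
    m.add_alternative(html, subtype="html")
    return m.as_string()


# Constructed look-alike: the outward characteristics with a placeholder script, not the worm.
SUSPECT = build_sample(
    "New Graphic Site",
    "<html><body>Note: forwarded message attached."
    "<script>/* placeholder; the real worm's script is not reproduced here */</script>"
    '<img src="http://www.av3.net/index.htm"></body></html>',
)
BENIGN = build_sample("Lunch?", "<html><body><p>Noon at the usual place.</p></body></html>")

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, check_message(raw))
```

This only helps for mail that transits a gateway you control; it does nothing for a Yahoo-to-Yahoo message that never leaves their infrastructure, which is why the fix has to come from Yahoo's side.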
The EICAR test file is the antivirus industry's standard way of verifying that a scanner is running and can detect something. It's a harmless line of text.
According to a post on the Full Disclosure mailing list, McAfee is misidentifying EICAR as elspy.worm.
The misdetection was reported with McAfee VirusScan Enterprise 8.0.0 (tested unpatched and with Patch 11) using the 4781 DAT file. I have not verified this report.
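To check a report like this yourself you need a test file that is exactly what EICAR specifies, because a scanner is only obliged to detect the canonical form: the 68-byte string at the start of the file, optionally followed by whitespace, with the whole file no longer than 128 bytes. The script below is an added example written for this post, not EICAR's or McAfee's code; it writes a canonical test file, validates a file against that spec, and checks whether the name a scanner reports is the test file rather than real malware. The string is assembled from two halves so the script's own source does not contain it contiguously; the file it writes does.

```python
import os
import tempfile

# The standard 68-byte EICAR test string, assembled from two halves so this source file
# itself does not contain the contiguous string; the file written by write_eicar() does.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
assert len(EICAR) == 68

MAX_EICAR_FILE_LEN = 128          # spec: optional trailing whitespace, total <= 128 bytes
TRAILING_WHITESPACE = b" \t\r\n"


def is_eicar_file(data):
    """True only for a file a compliant scanner must detect as the EICAR test file."""
    if len(data) > MAX_EICAR_FILE_LEN or not data.startswith(EICAR):
        return False
    return all(byte in TRAILING_WHITESPACE for byte in data[len(EICAR):])


def write_eicar(path):
    """Write a canonical test file; scan the result to check the scanner on that host."""
    with open(path, "wb") as fh:
        fh.write(EICAR + b"\r\n")
    return path


def write_and_verify(directory=None):
    """Write the test file to a temp dir and confirm it reads back as valid EICAR."""
    directory = directory or tempfile.mkdtemp()
    path = write_eicar(os.path.join(directory, "eicar.com"))
    with open(path, "rb") as fh:
        return is_eicar_file(fh.read())


def is_expected_detection(reported_name):
    """Did the scanner name the test file for what it is rather than as real malware?"""
    return "eicar" in reported_name.lower()


if __name__ == "__main__":
    print("test file valid:", write_and_verify())
    for name in ("EICAR-Test-File", "elspy.worm"):
        print(f"{name}: {'ok' if is_expected_detection(name) else 'MISDETECTION'}")
```

If your scanner flags a file that fails `is_eicar_file` (say, a longer document with the string in the middle), that is the scanner being generous, not a bug; if it flags a file that passes under a name other than EICAR, you have reproduced the kind of misidentification reported above.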
MessageLabs is rolling out an update to its antivirus scanning with a new feature called link following.
The free Link Following feature will automatically examine all email messages containing URL links. Upon seeing a particular URL for the first time, Link Following will allow the email to continue on its path while it creates a copy of the URL for further investigation. Link Following actively (either heuristically or manually) follows these links and checks the linked website for viruses or other types of potentially harmful content or payload. If a suspicious link is confirmed as viral, a signature is created and any further emails containing that link are treated as messages containing a virus. This means that they will be quarantined for fourteen days under the same MessageLabs Anti-Virus procedure currently in place.
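The interesting property of that design is the window it leaves open: the first message carrying a new link is delivered, the link is copied for investigation, and only messages seen after the link is confirmed viral get quarantined. The script below is an added example written for this post, not MessageLabs' code; it models that flow with URL extraction and normalisation, a first-seen set, a pending queue, and a signature set. The fetch-and-scan step is replaced by a constructed verdict table so the example runs offline, and all hosts and messages in it are made up.

```python
import re
from urllib.parse import urlsplit, urlunsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def extract_urls(text):
    """Every http(s) URL in a message body."""
    return URL_RE.findall(text)


def normalize(url):
    """Canonical form so the same link in different messages maps to one signature."""
    url = url.rstrip(".,;:)!")            # punctuation glued on by the surrounding sentence
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path or "/", parts.query, ""))


class LinkFollower:
    """First sighting passes; the link is then checked, and later copies are held."""

    def __init__(self, analyze):
        self.analyze = analyze        # callable(url) -> True if the linked content is viral
        self.seen = set()
        self.pending = []
        self.signatures = set()

    def filter(self, message):
        """Return the verdict for one message and queue any never-seen links."""
        urls = {normalize(u) for u in extract_urls(message)}
        if urls & self.signatures:
            return "quarantine"
        for url in urls - self.seen:
            self.seen.add(url)
            self.pending.append(url)  # copied for investigation; the mail itself goes on
        return "deliver"

    def investigate(self):
        """Run the analyzer on every queued link; viral ones become signatures."""
        while self.pending:
            url = self.pending.pop(0)
            if self.analyze(url):
                self.signatures.add(url)


# Constructed stand-in for the fetch-and-scan step: a fixed verdict table (made-up hosts).
KNOWN_VIRAL = {"http://downloads.example/photo-and-article.exe"}
MESSAGES = [
    "Check this out: http://Downloads.example/photo-and-article.exe",
    "Minutes are at http://intranet.example/minutes/june.html.",
    "Same link again: http://downloads.example/photo-and-article.exe, hurry!",
]


def run_demo():
    """Two messages arrive, the links are investigated, then a third copy arrives."""
    follower = LinkFollower(lambda url: url in KNOWN_VIRAL)
    verdicts = [follower.filter(m) for m in MESSAGES[:2]]
    follower.investigate()
    verdicts.append(follower.filter(MESSAGES[2]))
    return verdicts


if __name__ == "__main__":
    print(run_demo())
```

The first verdict is the cost of the design: whoever receives the first copy of a new link is unprotected by this layer, so it complements rather than replaces attachment scanning and endpoint AV.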
Good post over at boardfish (second post down on the page) on patching using the .msp files. It's similar to the method I advocate.
I'm really not sure why they have him create a second administrative install point for the second patch.
Also not sure why you'd patch the install point and then reinstall from there instead of merely rolling the patches to the clients.
Are we free to use any MSI method we prefer? Or are there Symantec specific ways of doing things?