Virus News

I.S. Sentry, Inc.
Information Systems Perimeter Security
Sales@ISSentry.Com


"So much is coming out so fast that the biggest hole now for companies and individuals keeping their virus signatures updated is the smaller and smaller window we have to figure out a virus and post a signature change," said Hinojosa. "Now it's typical that we have just a few hours of opportunity to get something out." - F-Secure

Virus News

Microsoft Word Zero-Day Attack (Alpha - The cNet Blog)  12/06/06
Software giant Microsoft says it is currently investigating reports of a new zero-day attack on Microsoft Word. The affected software includes Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac, and Microsoft Word 2004 X for Mac, as well as Microsoft Works 2004, 2005, and 2006. Because the vulnerability exploited is brand new, there is no patch available. Successful exploitation of this flaw could lead to backdoor remote access of an infected PC. In order for this attack to be successful, the end user must first open the infected Word document. Do not open or save Word documents from untrustworthy sources, such as unsolicited e-mail or Web sites. For more, see Joris Evers' article on News.com.

Review: McAfee Total Protection Beta Takes On Windows Live OneCare (Small Business Pipeline)  06/26/06
With Microsoft grabbing recent headlines on the release of its Windows Live OneCare product, established players in the Windows security and utilities market are taking action to show that they can hold their ground. On the same day that Microsoft announced the availability of OneCare, McAfee responded by starting the beta test program for its next generation of products, code-named "Falcon."

McAfee's Total Protection provides an extensive set of features that go beyond security to offer data protection and system maintenance. 

According to McAfee, it will eventually release four security suites, the first two of which are now available as downloadable betas. McAfee Total Protection is built on previous McAfee products such as VirusScan and Personal Firewall but adds new features to deal with emerging threats such as phishing. McAfee VirusScan Plus offers a subset of Total Protection's features dealing with virus, spyware, or hacker activity. I downloaded and installed the Total Protection beta to see how it holds up.

Security Vendors Spot Second Excel Bug (Desktop Pipeline)  06/05/06
Just days after Microsoft confirmed that its Excel spreadsheet had an unpatched vulnerability currently being exploited by attackers, security vendors on Tuesday reported a second zero-day bug in the popular business application.

Last Thursday Microsoft acknowledged that a critical flaw in Excel was being used by attackers who had targeted a single company, the second such admission in a month. In May, a bug in Microsoft Word was used in similar fashion by hackers who targeted a small number of victims. A week ago, Microsoft patched the Word flaw.

Monday, the Redmond, Wash. developer issued a security advisory that promised a patch for the first Excel vulnerability and spelled out several steps enterprises and individuals could take to protect their systems until a fix was released.

In the advisory, Microsoft noted that Excel 2000, 2002, and 2003 for Windows (as well as the for-free Excel Viewer 2003 utility), and Excel v. X and 2004 for the Mac were at risk. The company also recommended several different defensive strategies, ranging from blocking all Excel-related file types at the gateway to deleting 40 keys from the Windows Registry to block Excel documents from opening directly within the application.

Microsoft Clarifies Advice On Word Zero-Day Exploit (Desktop Pipeline)  06/05/06
Microsoft revised a security advisory targeting an in-the-wild exploit of Word XP and Word 2003 to clarify a work-around for enterprises, repeated that it was on track to deliver a fix June 13, and offered up another tactic to protect users.

The advisory, which was revised Friday, now includes more detail about how corporations can defend themselves by using group policies to force Word into running in "Safe Mode."

The online alert also reiterated the patch's timetable. "The security update is on schedule to be released as part of the June security updates on June 13, 2006," it read.

OpenOffice.org Denies Macro Exploit A Problem (Desktop Pipeline)  05/31/06
OpenOffice.org, the open-source project that produces an alternative to Microsoft's Office suite, said it won't patch its software against a recently launched macro threat.

In a statement prominently displayed on the OpenOffice.org home page, the group also disputes applying the label "virus" to Stardust, the proof-of-concept exploit discovered last week by Kaspersky Labs.

"The 'proof-of-concept macro virus' showed that it is possible to write a simple 'virus-like' program using OpenOffice.org's macro language," read the statement. "This is a known risk with any capable macro language. To mitigate against this risk, by default OpenOffice.org detects if a document contains macros, displays a warning, and will only run the macro if the user specifically agrees. This behavior conforms to industry best practice."

Symantec Patches AV Flaw In Five Days (Tech Web)  05/30/06
Symantec finished patching its buggy anti-virus line Sunday, just days after another security vendor said that machines running Symantec's enterprise products could be easily hijacked.

A stack overflow in the Cupertino, Calif. security company's Client Security 3.0 and 3.1, and its AntiVirus Corporate Edition 10.0 and 10.1, was fully patched as of Sunday, according to an updated advisory on Symantec's Web site. The fixes must be downloaded and installed manually.

Early Friday, Symantec confirmed that the two corporate anti-virus titles were flawed, and said it was working on a fix. Later that day, the company posted signature updates to its intrusion prevention system (IPS) appliances to protect those customers with the hardware on their networks.

Symantec Says Its Own AV Product has Zero-Day Vulnerability (Tech Web)  05/26/06
Symantec acknowledged on Friday that its enterprise anti-virus product line has an unpatched, "zero-day" vulnerability that can be used by attackers to hijack systems.

"Symantec Antivirus is susceptible to a remote code-execution vulnerability. This issue allows remote attackers to execute arbitrary code with SYSTEM-level privileges, facilitating the complete compromise of affected computers," the company said in an alert Friday to customers of its own DeepSight Threat Management System.

Thursday, security vendor eEye Digital released a preliminary alert that said Symantec AntiVirus 10.x and Symantec Client Security 3.x included a remotely-exploitable vulnerability that could be attacked via a network-style worm which wouldn't require any user interaction to compromise a computer.

Yahoo IM Worm Hijacks Browsers, Plays Migraine Music (Tech Web)  05/22/06
A worm running through Yahoo's instant messaging network is installing a browser of its own -- a first for IM malware -- that leads users to adware and spyware sites, several security firms said Monday.

The worm, dubbed "Yhoo32.explr" by IM security vendor FaceTime Communications on Friday and "Browaf" by Symantec on Monday, is installed when Yahoo users click on a malicious link embedded within an instant message.

Yhoo32.explr downloads and installs the so-called "Safety Browser," which adds an IE-like icon to the desktop, and when used, takes the unsuspecting to sites where their PCs are infected with adware and spyware. The worm also changes the home page of IE to point to Safety Browser's site.

To complicate things, Safety Browser doesn't post an Uninstall option in Windows' Add or Remove Programs Control Panel applet.

Microsoft Word Zero-Day Hack Under Way (Tech Web)  05/19/06
Symantec raised its overall Internet alert Friday on the news that a zero-day vulnerability in Microsoft Word was being exploited by hackers hoping to hijack PCs.

"Currently, observed attacks are limited to attacks against select targets," Symantec warned in a bulletin to customers of its DeepSight Threat Management System.

The attack is successful against the newest version of Microsoft's word processor, Word 2003, but only crashes Word 2000 and Word XP, without leading to a computer compromise.

Review: F-Secure's Internet Security 2006 (Desktop Pipeline)  03/27/06
F-Secure's Internet Security 2006 is a good all-around, inexpensive security package that also includes rootkit detection.

For system builders frustrated with the high cost and limited functionality of security suites from the likes of Norton, McAfee and Trend Micro, I have found a terrific tool-kit alternative.

It's a security suite called Internet Security 2006. Offered by Finnish company F-Secure, this suite offers not only all the functionality of products from the Big Three, but also rootkit detection—and for $10 less than the Big Three charge.

Like the Big Three, F-Secure offers anti-virus and anti-spyware capabilities, a firewall, mail screening, and content filtering. But F-Secure's rootkit detection is the most significant feature. According to our best guesstimate, this will be the only security suite on the market to offer rootkit detection for at least the next six months, possibly even for the next year.

Microsoft Fixes Nasty Outlook, Exchange E-Mail Bug (Tech Web)  01/10/06
Microsoft's security problems didn't improve much Tuesday, when it followed last week's out-of-cycle fix of a major bug with two more "Critical" vulnerabilities, including one that allows attackers to hack into any Exchange server or Outlook owner's PC just by sending a malformed e-mail message. The most dangerous of the two new vulnerabilities is the one spelled out in MS06-003, argued Mike Murray, director of research at vulnerability management vendor nCircle.

"This one isn't an MSBlast-style bug, but it's severe enough that if someone is clever, they'll come up with a quickly-propagating worm that will do some major damage," said Murray.

The problem, he added, is that it's a "dual opportunity vulnerability," since it impacts both Outlook, Microsoft's main e-mail client, and the Exchange mail server software.

Sober's Attack May Be Nothing To Sweat (TechWeb)  01/05/06
The countdown to the next Sober worm attack reaches zero Thursday afternoon in the U.S., but some analysts say they've seen clues that show hackers have been scared off their intended infection campaign.

In December 2005, a pair of security companies dug deep into the code of that month's Sober wave -- the most recent of a two-year-old malicious code clan -- only to discover that the attacker had scheduled his next attack, and embedded the date inside the worm. That same week, other researchers cracked the algorithm Sober.z used to generate URLs for the sites it would use to update itself and then launch a new round of infections.

The trigger date: midnight UT (Universal Time).

Next Sober Attack Slated For Jan 5 (TechWeb)  12/07/05
The next big Sober worm attack is scheduled to take place January 5, 2006, a date probably picked because it's the 87th anniversary of the founding of a precursor to the Nazi Party, a security firm said Wednesday.

January 5, 2006, was the date embedded in the most recent Sober variants, said Ken Dunham, a senior engineer with Reston, Va.-based VeriSign iDefense, a security intelligence firm.

"We did reverse engineering on the variants, and found this date in the code," said Dunham. "The way this works is that at a pre-determined time, computers already infected with Sober will connect with specified servers and download a new payload, which will likely be spammed out in the millions, as was the last version."
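The two Sober items above (the cracked URL-generation algorithm in the January 5 item, and the embedded trigger date described by Dunham here) share one mechanism: every infected machine derives the same update hosts from the date, so the author only has to stand up one of them shortly before the trigger. The following is an added illustration, not Sober's real code or any researcher's: a hypothetical date-seeded URL generator with a hard-coded trigger date, plus the defender-side use of a cracked generator, enumerating the hosts for a window around the trigger date so they can be blocked, sinkholed, or pre-registered. The base domains, the salt, and the hash are assumptions for the example.

```python
"""Added example (not Sober's actual algorithm): a date-seeded update-URL
generator and the defender-side enumeration that a cracked algorithm allows."""
import hashlib
from datetime import date, timedelta

# Hypothetical hosting domains for the illustration, not the worm's real targets.
BASE_DOMAINS = ("example-host.net", "example-pages.org", "example-free.de")
# The trigger date reported in the news item, hard-coded the way the worm embedded it.
TRIGGER_DATE = date(2006, 1, 5)
HOSTS_PER_DAY = 4


def daily_hosts(day: date, salt: bytes = b"illustrative-salt") -> list:
    """Derive the day's candidate update URLs deterministically from the date.
    Each infected machine computes the same list; once the derivation is known,
    so can a defender."""
    urls = []
    for i in range(HOSTS_PER_DAY):
        seed = salt + day.isoformat().encode() + bytes([i])
        label = hashlib.sha256(seed).hexdigest()[:10]
        domain = BASE_DOMAINS[i % len(BASE_DOMAINS)]
        urls.append(f"http://{label}.{domain}/update.exe")
    return urls


def hostnames_for_window(start: date, days: int) -> set:
    """Defender side: every hostname the generator can produce from `start`
    for `days` days, suitable for a proxy deny-list or sinkhole registration."""
    hosts = set()
    for n in range(days):
        for url in daily_hosts(start + timedelta(days=n)):
            hosts.add(url.split("/")[2])  # host part of http://host/path
    return hosts


def should_trigger(now: date) -> bool:
    """The worm's own gate: stay dormant until the embedded date."""
    return now >= TRIGGER_DATE


def update_urls_if_due(now: date) -> list:
    """What an infected host would do on a given day: nothing before the
    trigger date, then fetch the day's generated URLs."""
    return daily_hosts(now) if should_trigger(now) else []


if __name__ == "__main__":
    window = hostnames_for_window(TRIGGER_DATE - timedelta(days=1), 3)
    print(f"{len(window)} hostnames to block around {TRIGGER_DATE}:")
    for host in sorted(window):
        print(" ", host)
```

The point of the defender function is timing: because the list depends only on the calendar, it can be computed days ahead of the trigger, which is exactly what let researchers announce the January 5 date and the update sites in advance.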

New Breed Of Malicious IM Bots Get Interactive (Messaging Pipeline)  12/06/05
The IMlogic Threat Center has issued a warning on a new breed of malicious IM bots which dupe users into activating their IM worm payloads.

Once a user's system is infected, the bot reportedly sends new messages to the user's buddy list that appear to come from the infected user, instructing the recipients to download the malicious content.

One troubling aspect of this new attack, which has been broadcast over the AOL Instant Messaging network in a version called IM.Myspace04.AIM, is that the infected users can't see the messages the worm is sending out on their behalf, according to IMlogic. In the case of the IM.Myspace04.AIM IM bots, when recipients of the bot's messages reply, the bot sends a follow-up message that says, "lol no its not its a virus" or "lol that's cool."

Microsoft Likely To Break Cycle, Patch Early (TechWeb)  12/01/05
An "extremely critical" threat may cause Microsoft to release a patch before its next scheduled round of software patches.

The unpatched vulnerability in Internet Explorer is bad enough, said the company which reported the Trojan drive-by download exploit to Redmond, that Microsoft will probably fix the problem before this month's scheduled patch day, December 13th.

"This is an extremely critical threat," said Alex Eckleberry, president of anti-spyware developer Sunbelt Software. "It's not widespread, it's not like a Sober or a Zotob, in fact we’ve seen it only a limited number of sites. But it's really, really bad.

"Even running a fully patched Windows XP SP2 system, you can still get nailed."

The hole in Microsoft's popular IE browser goes back several months, when a researcher reported the vulnerability to Microsoft. Initially, the bug was thought to only crash the browser, but new information points to a greater threat: that an attacker can run malicious code remotely on a compromised PC by luring users to a malicious Web site.

Sober Attack Biggest Virus Outbreak Ever (Security Pipeline) 12/01/05
Apparently, messages from the FBI and CIA are the way to spread worms, a security firm said Thursday as it tallied up Sober's wildfire spread during November and concluded that the outbreak was the biggest ever.

E-mail security provider Postini said that it had quarantined more than 218 million Sober-infected messages in the last seven days, more than four times the 50 million-message average that it blocks in a run-of-the-mill month.

"This Sober generated close to a 1,500 percent increase in virus-infected e-mail traffic in the past week,” said Scott Petry, vice president of products and engineering at Postini, in a statement.

Petry also said that Sober's attack was twice as large as the largest previous on Postini's records.

IM Threats Skyrocket In November (Security Pipeline) 11/30/05
Akonix Systems, the San Diego provider of instant messaging security systems, said that its Security Center team tracked 62 IM-based attacks in November, a 226-percent increase over last month.

The most significant new finding was that viruses no longer discriminate against specific IM systems, and can have a far costlier impact in terms of potential damage. Akonix reported that 36 percent of the IM attacks hit more than one public network and 13 percent of the attacks had the capability to spread through all four major IM networks.

The Akonix Security Center noted that 58 of the worms detected were variants of previous worms, while four new worms were introduced during November.

Sober.t, Sober.u, and Sober.v Prevention and Cure (cNet)  11/15/05
In an unusual twist, Bavarian police warned of these latest variants of the Sober viruses 24 hours before their release onto the Internet. Sober.t (w32.sober.t@mm), Sober.u (w32.sober.u@mm), and Sober.v (w32.sober.v@mm) are all classic e-mail-spreading viruses, released within 12 hours of each other, harvesting e-mail addresses from victims' computers, possibly for later spam distribution. The main consequence of these viruses may be congested e-mail servers. These Sober variations affect only Windows PCs; Mac OS, Linux, and Unix users are not affected. Because these Sober variants t through v spread via e-mail and may create remote access to an infected computer, these viruses (collectively) rate a 5 on the CNET/ZDNet Virus Meter.

Keyloggers Jump 65% As Info Theft Goes Mainstream (TechWeb)  11/15/05
The number of keyloggers unleashed by hackers exploded this year, soaring by 65 percent in 2005 as e-criminals rush to steal identities and information, a security intelligence firm said Tuesday.

"The overall number of keyloggers has just skyrocketed this year," said Ken Dunham, senior engineer with Reston, Va.-based VeriSign iDefense. "It's all part of the last year's, 18 months' change in motive toward crimeware."

Keyloggers are small programs, silently installed by the attacker, typically after an earlier attack that compromised the computer through a vulnerability in the operating system or Internet browser, that record all or selected keystrokes, then send that data to the hacker.

Sony Drops Rootkit Copy Protection, But It's Still On The Hot Seat (Desktop Pipeline)  11/11/05
Despite Sony BMG Music Entertainment's decision to stop using its controversial copy-protection technology, the anger generated by what one expert called "inept-ware" is unlikely to subside anytime soon.

Security experts believe that the world's second largest music label failed to see the ramifications when it chose to install the software without first seeking permission from PC users, and then using technology called a "rootkit" to hide its presence. The software came with 20 music CDs sold by Sony BMG.

But some customers of the record company and its parent, Sony Corp., were far less forgiving.

Yet Another Dangerous Worm Snakes Its Way Through AIM (Systems Management Pipeline)  10/28/05
A worm spreading through America Online's Instant Messenger (AIM) network carries a dangerous rootkit, code designed to hide a hacker's work from anti-virus scanners, a security firm warned Friday.

Sdbot.add, said instant messaging security vendor FaceTime, includes the "lockx.exe" rootkit.

Rootkits are among the most dangerous types of malware, since they hide illegitimate processes and files, and can trick logging functions into not recording malicious activity. And they're becoming more common, say some experts. According to Moscow-based anti-virus developer Kaspersky Labs, the number of worms or Trojan horses equipped with rootkits more than tripled in the first half of 2005.

If the AIM-running machine is infected, Sdbot.add gives the attacker control of the PC, lets him load additional software on it, and tries to disable installed security programs. It may also drop a slew of spyware and adware on the system, including programs from 180Solutions, Zango, and MaxSearch.

Bird Flu Trojan Poses Danger to Word Users (Systems Management Pipeline)  10/27/05
Spammers and scammers have already used the public's fear and curiosity about the avian flu to spread their schemes, but now hackers have turned to the trick, a security company warned Thursday.

A new Trojan horse, dubbed "Navia.a" by Panda Software, uses subject heads of "Outbreak in North America" and "What is avian influenza (bird flu)?" to dupe recipients into opening an attached Microsoft Word document.

That's when Navia.a goes old school: the Word document is infected with malicious macros. One of the macros makes several Windows kernel calls to allow the Trojan to create, change, or delete files, while the second installs "Ranky.fy," another Trojan that opens a back door to the PC.

"Unfortunately, we were expecting something like this," said Luis Corrons, director of Panda's research, in a statement. "This is not the first time, and won't be the last, that writers of malicious code have taken advantage of people's misfortune and anxieties to spread their Trojans and worms."
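Microsoft's interim advice in the Excel item above ("blocking all Excel-related file types at the gateway") and the macro-laden Word attachment in this Navia.a item both come down to the same control: refusing binary Office documents at the mail gateway while a zero-day or macro campaign is running. The example below is added here and is not code from Microsoft, Panda, or any of the vendors on this page. It combines an extension deny-list with content sniffing, so a .doc or .xls renamed to .txt still trips the filter: every legacy binary Office file starts with the 8-byte OLE2 compound-document signature, and a document with an embedded VBA project carries a stream named "_VBA_PROJECT", which OLE2 stores as UTF-16LE. The byte scan for that name is a heuristic, not a compound-file parser, and the sample attachments are constructed for the example.

```python
"""Added example (not from any vendor on the page): a minimal mail-gateway
attachment filter for Office binary documents, with extension and content checks."""
import os
from dataclasses import dataclass

# First 8 bytes of every OLE2 / Compound File Binary document (.doc, .xls, .ppt ...).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Storage/stream names inside an OLE2 file are UTF-16LE; "_VBA_PROJECT" is the
# usual marker of an embedded VBA macro project.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# Binary Office extensions refused outright during a zero-day window (assumed policy).
BLOCKED_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".xla", ".ppt", ".pps"}


@dataclass(frozen=True)
class Verdict:
    blocked: bool
    reason: str


def is_ole2(data: bytes) -> bool:
    return data[: len(OLE2_MAGIC)] == OLE2_MAGIC


def has_vba_project(data: bytes) -> bool:
    # Heuristic byte scan: enough for a gateway that only quarantines.
    return VBA_MARKER in data


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    """Content first, then name: a spoofed extension must not bypass the filter."""
    ext = os.path.splitext(filename)[1].lower()
    if is_ole2(data):
        if has_vba_project(data):
            return Verdict(True, "OLE2 document carrying a VBA project")
        return Verdict(True, "OLE2 document (Office binary format)")
    if ext in BLOCKED_EXTENSIONS:
        # Not OLE2 but named like an Office file (RTF or HTML renamed to .doc):
        # Office would still open it, so the deny-list applies.
        return Verdict(True, f"blocked extension {ext}")
    return Verdict(False, "allowed")


def build_sample_ole2(with_macros: bool) -> bytes:
    """Constructed sample for the demo: the OLE2 signature, a zero-filled 512-byte
    header sector, and optionally the VBA stream name where a directory entry sits."""
    body = OLE2_MAGIC + b"\x00" * (512 - len(OLE2_MAGIC))
    if with_macros:
        body += VBA_MARKER + b"\x00" * 16
    return body


def filter_mail(attachments):
    """Return (filename, verdict) for each (filename, bytes) pair."""
    return [(name, inspect_attachment(name, data)) for name, data in attachments]


if __name__ == "__main__":
    # Constructed inbound attachments, including a macro document renamed to .txt
    # and an RTF file renamed to .doc.
    sample = [
        ("quarterly.xls", build_sample_ole2(with_macros=False)),
        ("What is avian influenza.txt", build_sample_ole2(with_macros=True)),
        ("notes.txt", b"plain text, nothing to see"),
        ("invoice.doc", b"{\\rtf1 renamed RTF}"),
    ]
    for name, verdict in filter_mail(sample):
        print(f"{'BLOCK' if verdict.blocked else 'PASS '} {name}: {verdict.reason}")
```

The order of checks matters: the signature check runs before the extension check so that a renamed document is still caught, and the extension check still runs afterwards because Office opens RTF and HTML named .doc, which carry no OLE2 signature.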

Vulnerability Spotted In Symantec Antivirus Scan Engine (TechWeb)  10/05/05
Another anti-virus vendor stepped up to acknowledge that a bug in its software gives hackers unauthorized entry into supposedly protected systems.

Symantec acknowledged a vulnerability in its Symantec AntiVirus Scan Engine software -- a TCP/IP server and programming interface that lets third-party developers add support for Symantec content scanning into their own applications -- which could let attackers slip their malicious code onto a system.

"A remote attacker that had the ability to access the affected service could leverage this issue by sending a malicious HTTP request to the service," Symantec said in a security advisory released late Tuesday. "This vulnerability allows attackers to execute arbitrary machine code in the context of the affected application…[to] allow remote attackers to gain privileged remote access to computers."

Kaspersky Says It's Fixed AV Scanner Flaw (TechWeb)  10/04/05
Kaspersky Labs on Tuesday confirmed that its anti-virus scanning engine was flawed, and said it was working on a fix. The Moscow-based security vendor also said a stop-gap measure, signatures for its software that will detect possible exploits, is already in place.

Monday, a researcher known for spotting bugs in security software disclosed one in Kaspersky's AV engine that could be used by attackers to grab complete control of a PC protected by the company's Windows products. Kaspersky's scanning engine can be tricked by malformed .cab files -- a format used by Microsoft to hold compressed files on distribution disks and PCs -- into causing a heap overflow, said Alex Wheeler.

As Kaspersky confirmed the vulnerability in an e-mail to TechWeb, it also said it had already stymied possible exploits by building and releasing a package of signatures that detect possible exploits.

Worm Targets Online Gamers to Steal Virtual Stuff (TechWeb)  08/24/05
A keylogger-equipped worm that steals usernames and passwords from the massive medieval fantasy role-playing game, "Priston Tale," demonstrates the economic power of the virtual world, said a security firm Wednesday.

"This isn't just about doing better in a computer game," said Sophos technology consultant Graham Cluley in a statement. "Criminals are stealing virtual assets like armor, money, and weapons to trade for hard cash in the real world. We are seeing a trend of more battles between Internet gamers and malicious code to assist with this kind of robbery."

Dubbed "PrsKey.a" by Sophos, the worm waits for users to enter either Priston Tale or the Web-based Yahoo e-mail service, then starts capturing keypresses.

Like many other large-scale online games, Priston Tale is most popular in South Korea, but it also has players across Asia and in the U.S.

"Stealthy" Worms, Trojans Seen Tripling in Number (TechWeb)  08/22/05
Attackers are increasingly turning to stealthy rootkits to keep anti-virus vendors from detecting and deleting malicious worms or Trojan horses, a Russian security firm said Monday.

"Over the last 12 months, we've seen a large jump in the use of rootkits," said David Emm, a senior technology consultant with Kaspersky Labs, a Moscow-based anti-virus vendor.

Since the first of the year, the number of rootkit-equipped worms or Trojans that Kaspersky's analyzed has tripled, noted Emm and Roel Schouwenberg, a senior research engineer with the company.

"Increasingly, the line between hackers and virus writers gets blurred," added Emm. "This is one more area where people writing viruses, and Trojans in particular, as well as adware, have borrowed tools from the hacker world. With malicious code writing now a profitable business, they want to cover their tracks."

Opening a Different Can of Worms (Server Pipeline)  08/19/05
The slew of bot worms unleashed last week exploiting the Windows 2000 Plug and Play vulnerability opened up a can of worms of a different sort that has been simmering in security circles since late July.

For vendors, solution providers and security researchers, the debate over whether and how to disclose vulnerabilities in a vendor's products is heating up to the point that policy changes may be coming. Traditionally, security researchers go to the vendor first to give the company time to patch a vulnerability before making it public. But not all researchers do.

That's why 3Com's TippingPoint division recently launched a program to pay researchers to come to them with vulnerabilities instead of going public. If TippingPoint's move heated the debate, Cisco raised it to the boiling point when the vendor stopped a discussion of a vulnerability in its Internetwork Operating System at the Black Hat conference in Las Vegas late last month.

Windows Worm Spreads Quickly (Reuters)  08/17/05
A computer worm targeting corporate networks with the Windows 2000 operating system arrived less than a week after Microsoft warned of the security flaw.

As experts predicted, the Windows hole proved a tempting target for rogue programmers, who quickly developed more effective variants on a worm that surfaced over the weekend and by Tuesday had snarled computers at several large companies.

Among companies affected by the worm and its variations were ABC, CNN, The Associated Press, The New York Times and Caterpillar. In California, San Diego County said it needed to cleanse 12,000 computers of the bug. ABC News producers had to use electric typewriters Tuesday to prepare copy for their "World News Tonight" broadcast, according to spokesman Jeffrey Schneider.

New Internet Worm Affects Windows Users - Trend Micro (Reuters)  08/15/05
SINGAPORE (Reuters) - A new Internet virus has been detected that can infect Microsoft's Windows platforms faster than previous computer worms, said an anti-virus computer software maker.

The ZOTOB virus appeared shortly after the world's largest software maker warned of three newly found "critical" security flaws in its software, including one that could allow attackers to take complete control of a computer.

The latest worm exploits security holes in Microsoft's Windows 95, 98, ME, NT, 2000 and XP platforms and can give computer attackers remote access to affected systems, said Trend Micro Inc.

Hackers Said to be Close to Windows 2000 Worm (TechWeb)  08/12/05
Just three days after Microsoft disclosed multiple critical vulnerabilities in Windows, exploit code for one of the most dangerous has appeared on the Internet. Security firms sent out alerts warning Windows 2000 users to patch ASAP or risk a worm attack in the near future.

"I don't think [Windows 2000] users have an awful lot of time to patch," said Gunter Ollmann, the director of Internet Security Systems' (ISS) X-force research group. "We'll most certainly see a worm using this exploit," he added.

There's also evidence that hackers are trying to develop code that would successfully attack less-vulnerable Windows XP SP1 machines, Ollmann said. In any case, the clock is ticking. "What's out there now puts this on the level of script kiddies," said Ollmann, using the term for less experienced, less technically-astute hackers.

New Keylogger Steals Passwords from IE (TechWeb)  08/11/05
The keylogger behind a major identity theft ring is especially invasive, said an anti-spyware vendor Thursday as it prepared to roll out a free detection and deletion tool.

Last week, Florida security company Sunbelt Software said one of its researchers had stumbled on a server that held a file containing a large number of usernames, passwords, telephone numbers, credit card and bank account numbers, and other personal information.

All the information, Sunbelt now says, was gathered with a new, potentially damaging keylogger, a small program which secretly steals information.

Editor's note: Sounds like a good reason to use Firefox or, at a minimum, do not store passwords in Internet Explorer.

Reatle.e Prevention and Cure (cNet)  08/08/05
While it's a very minor threat, a new mass-mailing virus, Reatle.e, can do a fair amount of damage should your system become infected. Reatle.e (w32.reatle.e@mm, also known as Lebreate.e (Sophos)) is the fifth variant of the Reatle family and appears to be targeting past Netsky infections; it also threatens to create a distributed denial-of-service attack on one or more antivirus software vendors. Fortunately, Reatle.e's spread is limited because it targets Windows computers vulnerable to the LSASS vulnerability Microsoft patched more than a year ago. Because Reatle.e spreads via e-mail, opens backdoor access to a remote user, and could damage system files, this worm rates a 6 on the CNET/ZDNet Virus Meter. Despite our high rating, we still consider Reatle.e to be a minor virus.

Worms Could Slip Through Nets (TechWeb)  08/05/05
Future worms may be able to slip through the early warning networks deployed by the likes of SANS Internet Storm Center and Symantec, researchers from the University of Wisconsin said Friday.

But experts from Internet Storm Center and Symantec discounted the impact of the researchers' proposed evasion tactics.

In an award-winning paper presented earlier this week at the Usenix Security Conference, three computer scientists from the University of Wisconsin-Madison said that attackers could launch a widespread probe of the Internet, then use the publicly-available data of the detection networks to identify individual sensors. A worm that encodes those IP addresses could conceivably sneak through the early warning networks, which are used by government and private enterprise to warn of unusual activity or developing attacks.

Windows Vista Viruses? Already? (cNet)  08/04/05
Antivirus vendor F-Secure is reporting the first viruses targeting the yet-to-be-released Windows Vista operating system. Someone in Austria has published five viruses on the Internet that target Microsoft Command Shell (MSC), also known as Monad, which will resemble command shells currently used by the Unix operating system. Though still in beta and not due on desktops until late in 2006, the Windows Vista operating system might not even ship with MSC installed; Microsoft is said to be considering saving MSC, or Monad, for an unnamed future server edition instead. Either way, the appearance of these MSC viruses demonstrates just how determined some virus writers are to ruin our day.

Virus Writer Targets AV Vendors (TechWeb)  07/29/05
A virus writer apparently seeking notoriety instead of financial gain has released malicious code that ridicules anti-virus vendors and Sasser worm author Sven Jaschan, a security firm said Friday.

The Lebreat-D virus, which is rated a low threat, creates on infected computers a JPEG image file of Jaschan, a German teenager recently convicted of authoring the widespread Sasser and Netsky worms, Sophos Plc said.

The Lebreat worm, which is spread through email attachments and exploits a Microsoft security vulnerability, opens a backdoor to an infected Windows computer, enabling a hacker to gain control. The virus indicates that a denial of service attack could be planned against security vendors Symantec Corp. and McAfee Inc., but doesn't say when, Sophos said.

Get Some Online Backup Against Viruses (smallbiz pipeline)  07/22/05
Admit it, sometimes you don’t update your computer’s antivirus software often enough. Other times, your antivirus protection misses something despite meticulously updating its virus signature files. It happens to all of us.

In such cases, I’ve found online security resources invaluable. Over the years, the best such resource has been Trend Micro. It has caught viruses that other tools have missed. And its tech support has been smack on target in its prompt responses despite the product being cost free -- some of the best money I’ve never spent. Even when its free antivirus checker found nothing, my confidence in the tool has brought peace of mind, as the absence of a virus led me to focus on other sources of problems on computers. I’m impressed that I’ve never experienced a virus that Trend Micro missed. And perhaps best of all, Trend Micro’s URL at the end of this story has been there whenever I’ve needed it for more years than I can remember, unlike the sometimes changing offerings of competing security companies.

A couple of important tips:

* Like similar online virus checkers, Trend Micro’s tool doesn’t remove viruses. It identifies viruses and offers remediation solutions. [Click here for Full Story]

Virus Writers Adopting Stealth Strategy (TechWeb)  07/22/05
Virus writers who once favored releasing malware that would clog corporate networks by the thousands have shifted to a strategy of secrecy in which they commandeer PCs on the Internet in the pursuit of dollars instead of notoriety, a security expert said Friday.

Security firm Symantec Corp. has seen a dramatic decrease in network-damaging viruses over the last year and an increase in less destructive Trojans that quietly embed themselves into a PC.

Such viruses typically scour computers for people's personal data, such as social security numbers and passwords, and then send the information to a clandestine server, Dave Cole, director of product management for the Symantec Security Response Center, said. The data is usually sold on the black market to criminals looking to use the information to obtain credit cards or raid bank accounts. [Click here for Full Story]

ITunes-Disguised Worm Spreads Via IM (security pipeline)  07/20/05
A worm disguised as a file coming from iTunes, the popular online music service from Apple Computer Inc., has been found on America Online Inc.'s instant messaging service, a security firm said Wednesday.

The Opanki.worm, first reported earlier this month, arrives as the file iTunes.exe, Trend Micro Inc. said. The writer apparently is trying to trick the recipient into thinking that the file is associated with Apple's iTunes music software, which is installed in a PC to download and play songs from the company's online store.

If a person clicks on the file, then the worm is installed in the PC, where it opens up a port that's used to upload adware. Adware can display pop-up ads and other forms of advertising to a computer user, as well as track Internet activity. [Click here for Full Story]

U.K. Under Cyber Attack, Security Center Says (desktop pipeline)  06/16/05
Government agencies and companies in the U.K. are under attack by a concerted series of Trojan horses out to steal information.

Government agencies and companies in the U.K. are under attack by a concerted series of Trojan horses out to steal information, the country's National Infrastructure Security Co-ordination Center (NISCC) announced Thursday.

According to the NISCC, whose duties correspond to those of the U.S. Computer Emergency Readiness Team (US-CERT), more than 300 U.K. agencies and companies have been targeted by the attack, which involves more than 75 different Trojan horses and, in many cases, can be traced back to the Far East.

While the attacks have been underway for some time, the NISCC said in its alert that it wanted to spread the news to "raise awareness of these attacks and provide protective advice." [Click here for Full Story]

Help Avoid Computer Viruses that Spread Through E-Mail (Microsoft)  Added 06/09/05
Many of the most common computer viruses and other malicious software are spread through e-mail attachments—the files that are sent along with an e-mail message. If a file attached to an e-mail message contains a virus, it's often launched when you open the file attachment (usually by double-clicking the attachment icon). No matter what e-mail program you use or what version of Windows you're running, you can help avoid some viruses by following a few basic rules. If you use the latest version of Outlook or Outlook Express and if you use the latest version of Windows, there are a few unique enhancements and default settings to help keep you from accidentally infecting your computer with a virus. Read on to learn. [Click here for Full Story]

IM Worm Blitz Continues (systems management pipeline) 06/07/05
Threats to instant messaging clients and networks continued to climb in May, a security firm said Tuesday, a trend that's been plaguing users since the beginning of 2005.

According to instant messaging security vendor Akonix, its Security Center researchers tracked 51 new IM and peer-to-peer (P2P) threats during May, more than half of the total recorded for the entire first three months of 2005.

"As we've seen since the beginning of the year, IM networks have been on the receiving end of an unprecedented barrage of security attacks," said Francis Costello, Akonix's chief marketing officer, in a statement. "Virus writers, hackers, and scammers are becoming more sophisticated in their approach to vulnerable, insecure IM clients and networks, distributing not just viruses and malware, but putting together blended attacks and phishing scams."

During May, Akonix posted alerts for seven variants of the MSN Messenger-targeting Kelvir worm, six of the Opanki worm that attacks America Online's AIM client, and four of the Oskabot worm. [Click here for Full Story]

Mytob Worms Run Phishing Scams (security pipeline) 06/03/05
Some of the latest Mytob worms have adopted phishing-style tactics to entice users into infecting themselves with malware that lets hackers snatch control of compromised PCs.

Mytob's creators continue to crank out variants, said U.K.-based security firm Sophos on Wednesday, at such a rate that they accounted for two-thirds of the top 20 threats during the last 7 days. The quickly-appearing variations may be tests to tweak Mytob into a "super worm," some analysts have recently argued. If that's the case, the move to phishing tactics could be significant.

While most Mytobs arrive in attachments to e-mail messages, some versions eschew the attachments and instead include a bogus URL in the message.

The messages seem to come from the user's IT department or ISP, with subject heads such as "*IMPORTANT* Please Confirm Your Account" (a phrase often used by phishers to trick people into divulging bank account numbers), and that claim a security problem with the recipient's e-mail account needs attention. To bolster the masquerade, the message supposedly comes from the user's own e-mail address domain; likewise, the link is to the user's domain. [Click here for Full Story]

Mytob's Hackers May Spawn Unstoppable 'Super Worm' (smallbiz pipeline) 06/03/05
There's mounting evidence that a group of industrious hackers is working on an especially destructive "super worm" that could spread from PC to PC indefinitely, or until it ran out of targets to infect.

The most recent clues are found in the slew of Mytob worms released this week that signal a systematic development process that may indicate," a security researcher said Friday.

Six variations of the Mytob worm have been spotted since Wednesday, June 1, by anti-virus vendors such as Symantec, bringing the total count since its debut four months before to more than 100. But prolific as it is, Mytob's reproductive habits aren't what draws attention from some experts. [Click here for Full Story]

Hackers, Spammers Partner Up To Wreak Havoc (smallbiz pipeline) 06/02/05
A one-two-three assault of disparate spammer and hacker groups in the last 24 hours bodes nothing but ill for users, a security expert said Thursday.

The attack, which involves a new combination of malicious code, shows evidence of "tactical coordination that is unprecedented," said Sam Curry, vice president of Computer Associates' eTrust security group.

Unlike blended threats, which were first popular two years ago -- and in which one piece of malicious code uses multiple tricks or tactics to spread -- this recent attack is a convergence of malware itself and its creators, Curry went on.

"They're collaborating, and making quite an effective parcel," said Curry. [Click here for Full Story]

Sober Worm Causes Surge in Virus-Infected E-Mail (smallbiz pipeline) 06/01/05
A big jump in e-mails carrying the Sober worm contributed to nearly a fourfold increase in virus-infected messages in May, a security firm said Wednesday.

The number of infected e-mails captured by e-mail security firm Postini rose by 381 percent to 184 million, compared to April, officials said. Fully 78 percent of the e-mails contained the Sober worm.

Sober traffic reached an all-time high from May 3 to May 7, when the percentage of e-mails containing the virus, 14 percent, was higher than the percentage of legitimate e-mails, 13 percent, Postini said.

"Sober worm traffic in May was staggering," Andrew Lochart, senior director of marketing at Postini, said in a statement. [Click here for Full Story]

Latest Threat: Custom Worms Built For Industrial Espionage (desktop pipeline) 06/01/05
An industrial espionage ring broken by Israeli police is just the latest evidence of a trend towards smart targeting by hackers.

The industrial espionage ring broken by Israeli police over the weekend, where private investigators hired a programmer to custom-create a Trojan horse that was then planted on rivals' PCs, is only the most recent evidence of a trend towards smart targeting by hackers, a security analyst said Wednesday.

Police in Tel Aviv and London arrested 18 people on Sunday, including executives of a Volvo importer, two cell phone providers, and Israel's largest satellite television company, and charged them -- and investigators they hired -- for gaining illegal access to competitors' computer networks.

According to authorities, three Israeli private investigation firms hired a British programmer to create a Trojan horse, which was then distributed both on CD and via e-mail to the rivals. The Trojan allowed the investigators to access PCs remotely, which they did to gather confidential information such as the amount bid for contracts. British authorities arrested the alleged Trojan creator, Michael Haephrati, 41, and his wife, Ruth Brier-Haephrati, 28, last week in London, and are holding them awaiting an extradition hearing Friday. [Click here for Full Story]

Bagle Variant On The Loose (security pipeline) 06/01/05
Almost 70,000 copies of a new variant of the Bagle downloader had been intercepted by MessageLabs as of 5 p.m. last night, according to the anti-virus vendor. The virus seems to have originated from an address alleging to be within Yahoo! Groups.

This recent Bagle version drops a trojan that tries to download itself from a wide variety of locations. Those computer users who activate the attached file unknowingly unleash the virus, which harvests email addresses it locates on the users' hard drives. The virus then forwards itself by way of the list of email addresses it has discovered in the infected computer. Once activated, the Bagle downloader variant places a copy of an executable file onto the compromised computers. That file then polls a vast list of URLs for the availability of a new mass-mailing component.

According to MessageLabs, the subject line of the infected e-mail is empty, and no body text is included. Roughly 70 variants of Bagle have been reported since the virus first appeared in January 2004. [Click here for Full Story]

What is a Computer Virus (Microsoft) 05/23/05
Computer viruses are software programs deliberately designed to interfere with computer operation, record, corrupt, or delete data, or spread themselves to other computers and throughout the Internet, often slowing things down and causing other problems in the process.

Just as human viruses range in severity from the 24-hour flu to the Ebola virus, computer viruses range from the mildly annoying to the downright destructive, and come in new and different forms. The good news is that with an ounce of prevention and a little knowledge, you are less likely to fall victim to viruses and you can diminish their impact.

Note: No known viruses have the ability to damage computer hardware such as disk drives or monitors. Warnings about viruses that can cause physical harm are either hoaxes or misinformation. [Click here for Full Story]

Help Avoid Computer Viruses That Spread Through E-Mail (Microsoft) 04/20/05
Many of the most common computer viruses and other malicious software are spread through e-mail attachments—the files that are sent along with an e-mail message. If a file attached to an e-mail message contains a virus, it's often launched when you open the file attachment (usually by double-clicking the attachment icon). No matter what e-mail program you use or what version of Windows you're running, you can help avoid some viruses by following a few basic rules. If you use the latest version of Outlook or Outlook Express and if you use the latest version of Windows, there are a few unique enhancements and default settings to help keep you from accidentally infecting your computer with a virus. Read on to learn. [Click here for Full Story]

Hot Tips
New Microsoft Critical Patches. Go here
Always use a firewall
Always have the latest Operating System patches installed
Always use an updated antivirus app
Always use an updated popup blocker application
Always use an updated antispyware application
Backup!
Copyright © 2004 I.S. Sentry, Inc. All rights reserved