Hurry if you want to buy floppy disks from PC World! It seems that this UK retailer will not be stocking floppy disks once their current supplies run out.
How times change. Once upon a time, until the mid 1990s in fact, floppy disks were the main carrier of malware. And 'social engineering' meant a user forgetting to remove a floppy disk from the drive before s/he shut down the PC, so that the machine attempted to boot from the disk when they next started up.
We just got contacted by a Russian user whose machine picked up Junkie, an old multipartite threat that infects COM files and the hard disk MBR.
We haven't seen anything like this for a while. With all the changes in technology, I wonder how much longer Junkie and its like will manage to survive.
We’ve just been contacted by a user who let us know that www.adoronin.ru has been infected with Trojan-Downloader.JS.Agent.bx. This Russian site can be used to book tickets for theatres, concerts, musicals, the circus and sporting events online. As there’s a lot of interest in the theatre and sports over here, the site gets pretty busy - a smart choice for a malicious user who wants to infect a lot of systems.
So how did our user realize the site was infected? He clicked on a banner leading to the site. The banner was placed on mail.ru, which is one of Russia’s biggest Internet portals with more than 3 million users. But then his antivirus started to react, as he put it, "strangely". It clearly showed him that the page he was trying to access was infected. It didn’t show the adoronin address, though, but an entirely different address. It was clear that code had been injected into the main page of the adoronin site - code that would then download Trojan-Downloader.JS.Agent.bx to the user’s machine.
The Web Anti-virus component of Kaspersky Anti-Virus 6.0 detected the malicious activity and asked the user if he wanted to block it. This prevented his machine from being infected. And it gave us and the site administrator a heads-up - working with us, he was able to clean his site.
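The tell-tale sign in the story above is a page that loads content from a host other than the one the user typed in. The script below is an added example, not code from the original post or from Kaspersky: it walks a page's `script` and `iframe` tags and reports any that fetch from outside the site's own domain, or that are sized or styled to be invisible. The sample page and the hostnames in it (`tickets.example`, `loader.badhost.example`) are constructed placeholders, not the real site or the real download host.

```python
"""Find script/iframe loaders on a page that point off-site or are hidden.

Added example, not code from the original post or from Kaspersky. The page
below is constructed; the hostnames are placeholders standing in for an
infected site and the attacker's download host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LoaderFinder(HTMLParser):
    """Collect every <script src=...> and <iframe src=...> on the page."""

    def __init__(self):
        super().__init__()
        self.found = []  # (tag, src, hidden)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        # A 0x0 / 1x1 or display:none iframe is the classic drive-by shape:
        # the visitor sees nothing while the browser fetches the loader.
        hidden = tag == "iframe" and (
            a.get("width") in ("0", "1")
            or a.get("height") in ("0", "1")
            or "display:none" in style
            or "visibility:hidden" in style
        )
        self.found.append((tag, src, hidden))


def find_foreign_loaders(html, site_domain):
    """Return loaders whose host is outside site_domain, plus hidden iframes.

    A relative src (no host) is treated as on-site. Pass the registrable
    domain so the site's own subdomains (cdn., www.) are not flagged.
    """
    parser = LoaderFinder()
    parser.feed(html)
    site_domain = site_domain.lower()
    hits = []
    for tag, src, hidden in parser.found:
        host = (urlparse(src).hostname or "").lower()
        on_site = host == "" or host == site_domain or host.endswith("." + site_domain)
        if hidden or not on_site:
            hits.append({"tag": tag, "src": src, "host": host, "hidden": hidden})
    return hits


# Constructed page: one relative script, one on a subdomain of the site,
# and an injected hidden iframe pulling from an unrelated host.
SAMPLE_PAGE = """<html><head><title>Tickets</title>
<script src="/js/booking.js"></script>
<script src="http://cdn.tickets.example/ui.js"></script>
</head><body>
<h1>Book a seat</h1>
<iframe src="http://loader.badhost.example/in.php" width="1" height="1" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_foreign_loaders(SAMPLE_PAGE, "tickets.example"):
        print(hit)
```

A site owner can run this against a fresh fetch of their own front page and diff the result against a known-good baseline; a new off-site host appearing in the output is exactly the "entirely different address" the user's antivirus reported. It is a triage aid only: obfuscated JavaScript that builds the loader URL at run time will not show up in static tag attributes.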
TomTom has followed in the less than illustrious footsteps of iRiver, no-name USB sticks, McDonalds, Apple and others by shipping a device containing malware. In most previous cases the malware in question was a virus which spread to drives. So I was expecting the same when I got my hands on the files coming from the TomTom GO 910.
Kaspersky Anti-Virus detects these files as Virus.Win32.Perlovga.a and Trojan-Dropper.Win32.Small.apl. Trojan-Dropper.Win32.Small.apl is somewhat of a generic detection - it covers any file which has been created using a specific virus writers’ tool. Trojan-Dropper.Win32.Small.apl functions as an installer for Perlovga.b and...a backdoor! As I haven't seen any mention of a backdoor in coverage about the incident, I was surprised to come across it.
Even though it is a backdoor with limited functionality, the very presence of Backdoor.Win32.Small.lo slightly changes the situation. Perlovga is more of an irritant than a serious threat, but as it makes use of autorun.inf functionality to spread via disks there's a real danger of Perlovga.a and the Dropper file (which in turn installs the backdoor and Perlovga.b) being executed automatically as soon as Windows reads the drive/device.
This probably won’t be the last case of infected devices, and it would be nice to see a little more clarity regarding the precise payload. I suggest that the next company which finds itself sending out infected devices should contact us and ask us for a detailed analysis so they can issue an appropriate warning to their customers.
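The spreading mechanism the post worries about is an autorun.inf on the device that names an executable for Windows to run. As an added example, not code from the original post or from Kaspersky, the script below parses an autorun.inf and lists every entry that would launch something without the user deliberately opening a file. The two sample files are constructed to show the typical shape of a worm's autorun.inf versus a harmless one; they are not the file found on the TomTom device, whose exact contents the post does not give.

```python
"""Triage an autorun.inf: which entries would run a program automatically?

Added example, not code from the original post or from Kaspersky. The two
sample files below are constructed; they are not the TomTom device's file.
"""

# Entries the AutoRun handler executes directly.
AUTO_EXEC_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lowercased.

    Hand-rolled rather than configparser because autorun.inf files dropped
    by worms often contain junk lines, odd whitespace and duplicate keys
    that configparser rejects. For a duplicate key the last value wins.
    """
    section = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # junk line or a section we do not care about
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def auto_exec_targets(text):
    """List (key, target) pairs that lead to code execution.

    open= and shellexecute= are what AutoRun launches; shell\\<verb>\\command
    entries rewrite the Explorer context menu and the default double-click
    action for the drive, so opening the drive "normally" runs them too.
    """
    hits = []
    for key, value in parse_autorun(text).items():
        hijacks_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in AUTO_EXEC_KEYS or hijacks_verb:
            hits.append((key, value))
    return hits


# Constructed: the shape a drive-spreading worm typically leaves behind.
SAMPLE_AUTORUN = r"""[autorun]
open=recycler\svchost.exe
shellexecute=recycler\svchost.exe
shell\open\Command=recycler\svchost.exe
shell\explore\Command=recycler\svchost.exe
icon=%SystemRoot%\system32\SHELL32.dll,4

[DeviceInstall]
DriverPath=drivers
"""

# Constructed: a legitimate autorun.inf that only sets a label and icon.
BENIGN_AUTORUN = r"""[autorun]
label=Holiday photos
icon=photos.ico
"""

if __name__ == "__main__":
    for key, target in auto_exec_targets(SAMPLE_AUTORUN):
        print(f"{key} -> {target}")
```

Anything reported by `auto_exec_targets` on a removable drive deserves a look at the named file. On the host side, the check is only needed because AutoRun is on in the first place: setting the registry value `NoDriveTypeAutoRun` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer` to `0xFF` disables it for every drive type, which stops the "executed as soon as Windows reads the drive" scenario regardless of what the autorun.inf says.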
I decided to introduce a bit of variety into my daily commute today by scanning the Wifi networks on the way to the office.
I used my Sony PCG-FXA53 laptop with a Senao NL-2311CD Plus Ext2 PCMCIA Wi-Fi card, an external antenna and a Garmin Legend GPS navigator. As for software, I used SUSE Linux OSS 10, Kismet, gpsd, gpsmap and the Google API.
Once I'd thrown all that together (and of course I could write an article on that) I set off for work.
I live pretty close to the office, and my commute only takes about ten minutes - even in that time I was able to collect a fair bit of data which is shown in the picture below.
Overall, I detected 40 Wi-Fi networks: the totally unprotected networks are marked with a red dot, those with WEP enabled are marked with a yellow dot, and those with WPA are marked with a green dot.
Just another little bit of data to add to our continuing research on wifi networks and encryption around the world.
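The red/yellow/green colouring above is a three-way classification of each network's encryption. The script below is an added example, not code from the original post or from Kaspersky: it applies that classification to a small constructed set of scan records and writes a KML file with matching marker colours that a map viewer can load. The record layout (SSID, BSSID, encryption string, latitude, longitude) is an assumption for this example and not Kismet's real export format, and the coordinates and network names are made up.

```python
"""Classify scanned Wi-Fi networks by encryption and plot them as KML.

Added example, not code from the original post or from Kaspersky. The
records below are constructed and their field layout is assumed; it is not
Kismet's real CSV format.
"""
from collections import Counter
from xml.sax.saxutils import escape

# Constructed sample: (ssid, bssid, encryption label, latitude, longitude).
SAMPLE_NETWORKS = [
    ("home-ap", "00:11:22:33:44:01", "None", 55.7500, 37.6200),
    ("linksys", "00:11:22:33:44:02", "WEP", 55.7510, 37.6215),
    ("office", "00:11:22:33:44:03", "WPA,TKIP", 55.7520, 37.6230),
    ("cafe", "00:11:22:33:44:04", "WPA2,AES-CCM", 55.7530, 37.6245),
    ("<no ssid>", "00:11:22:33:44:05", "", 55.7540, 37.6260),
]

# Same colour scheme as the post: open = red, WEP = yellow, WPA = green.
COLOURS = {"open": "red", "wep": "yellow", "wpa": "green"}
# KML colours are written as aabbggrr (alpha, blue, green, red).
KML_COLOURS = {"red": "ff0000ff", "yellow": "ff00ffff", "green": "ff00ff00"}


def classify(encryption):
    """Map a free-text encryption label to one of open / wep / wpa.

    WPA wins over WEP when a label lists both, because the access point
    will negotiate the stronger suite with capable clients. Anything else
    (empty, "None", unknown) is treated as open.
    """
    enc = encryption.upper()
    if "WPA" in enc:
        return "wpa"
    if "WEP" in enc:
        return "wep"
    return "open"


def summarize(records):
    """Count networks per class, e.g. Counter({'open': 2, 'wpa': 2, 'wep': 1})."""
    return Counter(classify(r[2]) for r in records)


def to_kml(records):
    """Render the records as a KML document with one coloured marker each."""
    styles = "".join(
        f'<Style id="{name}"><IconStyle><color>{abgr}</color></IconStyle></Style>'
        for name, abgr in KML_COLOURS.items()
    )
    marks = []
    for ssid, bssid, enc, lat, lon in records:
        colour = COLOURS[classify(enc)]
        marks.append(
            f"<Placemark><name>{escape(ssid)}</name>"
            f"<description>{escape(bssid)} {escape(enc or 'open')}</description>"
            f"<styleUrl>#{colour}</styleUrl>"
            # KML wants longitude first, then latitude, then altitude.
            f"<Point><coordinates>{lon},{lat},0</coordinates></Point></Placemark>"
        )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>'
        + styles + "".join(marks) + "</Document></kml>"
    )


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_NETWORKS)))
    with open("networks.kml", "w", encoding="utf-8") as fh:
        fh.write(to_kml(SAMPLE_NETWORKS))
```

One caveat on reading the resulting map: yellow is only marginally better than red. WEP key recovery from captured traffic takes minutes with freely available tools, so for risk purposes the yellow dots belong with the red ones, and the interesting number is how many networks are green.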
I've been thinking about Apple's recently announced iPhone. If the iPhone gets anything near as popular as the iPod, percentage-wise, there might be some interesting changes to the malware landscape. Why?
#1: The iPhone will become the preferred target for writers of mobile malware.
#2: The iPhone is going to run a slimmed-down version of OS X. Although it won’t be running on the same architecture, it's plausible that OS X for workstations and OS X for the iPhone may have at least some of the same vulnerabilities.
This would mean that those hunting for OS X vulnerabilities get two bangs for their buck, albeit with a bit of extra work. In other words, this will mean an increase in the number of vulnerabilities identified in Apple's workstation OS.
Then again, the phone industry isn't quite in the same state that the portable media player industry was in when the iPod was introduced. So it remains to be seen whether the iPhone will reach a comparable level of supremacy.
In all likelihood it will be a while before I'm proven right or wrong. If ever. But it’ll be interesting to see what happens.
Later today Microsoft will release its latest security patches. These will include a Critical update for Windows and three others for Office (the highest of which will also be Critical). You can find the notifications in the usual place.
The use of unpatched vulnerabilities continues to be a significant part of the cyber threat landscape and, unsurprisingly, has kept Microsoft busy during 2006, as the table below shows.
We hope that the release of Windows Vista will mean fewer patches, but since current systems will be with us for some time to come, we'll need to remain on our guard to stay secure.