Monday, December 24, 2007

Storm is b-a-a-a-a-ack

Hi folks,

As you've probably noticed, Storm is back for Christmas. There are only two noteworthy points about it.

The first is that they've added another fairly new exploit to it, and that is for something called GomPlayer, or the Gretech Online Movie Player, which is apparently very popular in South Korea.

The exploit is from October 2007, and is explained here, but the key point is that if you're using GomPlayer, you're potentially vulnerable.

The second point is that third-party DLLs (media players, browser plugins and the like) continue to provide the attack points for new exploits. This is kind of interesting, and either means that Microsoft is patching faster than the exploits are coming out, or third parties are not patching fast enough, or perhaps both.

Of course, this also highlights that the Bad Guys don't want or need a massive number of infections... they couldn't handle that... all they want is enough to make a profit. Folks, they're farming the Internet.




Wednesday, December 19, 2007

In the news today... December 19, 2007

Hi folks,

Things have been quiet for a few weeks now, and we've been patiently waiting for the other shoe to drop, especially given that it's the run-up to Christmas, but four fairly notable things have happened today...

First is that the DollarRevenue guys have been fined one million euros for dodgy practices, with the full story here.

Shout-outs to OPTA, although a bigger fine would have been even better.

(Props: Larry @ Spamhaus)

Second is that the authors of the popular Pinch trojan have been arrested in Russia, full story here.

(Props: Kaspersky Labs and Ferg)

Surely those two events will serve to make perpetrators think twice.

Third is that, seemingly overnight, there was a web worm on Orkut, which lived, infected 400k computers, and died again within the day due to google being quick to react (shout-outs to google for that). Basic story is that any place where 3rd parties can post to a website, such as scrapbook entries on Orkut, represents an issue. If the 3rd party can post javascript, there's a good chance they can do something malicious, so all such inputs are supposed to be sanitized against that, but in this case the perp found a way to disguise the javascript enough to get past the validation/sanitization process, and voila .... a webworm. Filters that try to recognise and strip "bad" javascript are the weak link here; the robust approach is to escape user-supplied content on output for the context it lands in, so that nothing a user typed can open a tag or an attribute in the first place. It's a wonder we don't see more of them. Fuller story here.

(Props: Ryan)
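The following is an added illustration of the sanitization point above, written for this page; it is not the Orkut worm's actual payload (which the post does not reproduce) and not code from Orkut or google. It pits a blacklist-style filter of the kind common at the time against a few constructed scrapbook-style postings, and compares it with plain HTML output escaping. The payload strings, the function names and the crude "does this still execute" check are all assumptions made for the demonstration.

```javascript
// Added illustrative example (not the Orkut worm's payload): why blacklist
// "sanitization" of user-posted HTML fails, and what to do instead.

// naiveSanitize() mimics a typical blacklist filter: strip <script> blocks and
// "javascript:" URLs with regexes, then treat the result as safe.
function naiveSanitize(input) {
  return input
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "")
    .replace(/javascript:/gi, "");
}

// Context-aware output encoding for an HTML text context: escape the five
// characters that can change parsing. The user's text can never open a tag
// or an attribute, so there is no filter to sneak past.
function escapeHtml(input) {
  return input.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Crude check, sufficient for this demo: does the output still contain markup
// a browser would execute? (A script tag, an inline event handler inside a
// tag, or a javascript: URL in an href/src attribute.)
function looksExecutable(html) {
  return /<script\b/i.test(html)
      || /<[a-z]+[^>]*\bon[a-z]+\s*=/i.test(html)
      || /<[a-z]+[^>]*\b(href|src)\s*=\s*["']?\s*javascript:/i.test(html);
}

// Constructed postings a "scrapbook"-style form might receive (assumed data).
const payloads = [
  // 1. Plain script tag: the blacklist does catch this one.
  '<script>alert(1)</script>',
  // 2. No <script> at all: an event handler on an image passes untouched.
  '<img src="x" onerror="alert(1)">',
  // 3. Nested tag: removing the inner <script></script> once leaves the
  //    surrounding fragments to reassemble into a live script tag.
  '<scr<script></script>ipt>alert(1)</script>',
  // 4. The removed substring re-forms after a single pass of the filter.
  '<a href="javajavascript:script:alert(1)">x</a>',
];

// Run every payload through both approaches and report what survives.
function evaluate() {
  return payloads.map((p) => ({
    payload: p,
    blacklistLeaksScript: looksExecutable(naiveSanitize(p)),
    escapedLeaksScript: looksExecutable(escapeHtml(p)),
  }));
}

console.log(JSON.stringify(evaluate(), null, 2));
```

Three of the four constructed payloads get past the blacklist, and the two "reassembly" cases (3 and 4) show why a single stripping pass is not enough even when the filter knows the exact string it is looking for. Escaping on output neutralises all four without needing to recognise any of them; if a site must allow some markup, the next step is a parser-based allow-list sanitizer rather than more regexes.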

The fourth thing is that one of our goat machines got a virus today from a website. A real, honest-to-goodness virus called Cekar! Cekar is not particularly new, having been around since the early part of 2007, and its main function is to steal passwords from a Chinese chat program called QQ (according to McAfee), and this makes sense, because it came in from a Chinese exploit server. The exploit that delivered it was old too... an MDAC one (MS06-014), but it was interesting to watch it infect the system. It was a fast infector too... instead of waiting for a program to execute before infecting, it hit the whole disk, and all visible network drives, in one pass. Quite took us back to the Old Days of the early 90's when fast infectors were the problem du jour.

This really underscores two points... (1) it's way better to keep these things off your disk in the first place, because a fast infector messes you up big time, and (2) we are _always_ going to need good antivirus software, just for the times when they manage to get in.



Thursday, December 06, 2007

Grisoft acquires XPL

Hi folks,

Sorry for not writing something sooner... it's been a busy few days. We're pleased to announce that we've been acquired by Grisoft, the developer of AVG. Nearly all the tech and marketing folk, including me and the other researchers from XPL are joining Grisoft, and we're all very excited about it.

AVG is a great little antivirus program, with a huge number of users, and we're looking forward to adding our software to their product. I expect that standalone LinkScanner will continue to exist as long as there are users for it.

The web continues to be the primary attack vector for those who would build their botnets and pwn other people's computers, and real time evaluation of incoming web-pages continues to be the best way to prevent the attacks.