Archive

Archive for May, 2008

AusCERT 2008: Telstra Distributed Infected USB

Telstra is red-faced after handing out malware-infected USB drives to tutorial attendees at the AusCERT security conference on the Gold Coast. [Read Patrick Gray @ SearchSecurity]
~~~oOo~~~
The folks at Australian mega-telco Telstra are wiping eggs from their faces after distributing malware-infected USB drives to attendees at this year’s AusCERT security conference. [Read Ryan Naraine @ ZDNet Blog]
~~~oOo~~~
What an embarrassing moment… The good thing is that most antivirus scanners already detect this piece of malware, so with a good AV scanner, up-to-date signatures and aggressive settings such as real-time detection or automatic scanning of every newly mounted drive, the chance of infection is small. Since the dropper relies on autorun.inf to get started, disabling AutoPlay for removable drives closes the vector regardless of whether the signatures are current.

VirusTotal returned a 96.88% detection rate, that is, 31 of 32 different antivirus scanners detect this malware. [VirusTotal Detection]

The culprit… As you can see in the screenshot below, autorun.inf contains instructions that let the USB drive auto-play once it is mounted in the computer and then automatically execute sys.exe.
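As an added example (not code from the post, and not Telstra's or McAfee's), here is a small checker for the autorun.inf mechanism described above. It assumes the classic Windows AutoRun format: an INI file with an [autorun] section in which open=, shellexecute= and shell\<verb>\command= keys name what gets launched. The sample autorun.inf is constructed for this example; only the file name sys.exe comes from the post, the other lines are illustrative.

```python
"""Flag autorun.inf directives that would execute code when a drive is mounted."""
import os
import re

# [autorun] keys that make Windows run a program (classic AutoRun format).
EXEC_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... keys: the worm pattern of hijacking the "Open" verb.
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Hand-rolled instead of configparser because real autorun.inf files
    mix case, stray whitespace and odd keys, and Windows tolerates all of it.
    """
    section = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def program_name(command):
    """First token of a command line, with surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def autorun_targets(text):
    """(key, command) pairs from [autorun] that would execute something."""
    return [(k, v) for k, v in parse_autorun(text).items()
            if k in EXEC_KEYS or SHELL_CMD.match(k)]


def executed_programs(text):
    """Distinct program names the file would launch, sorted."""
    return sorted({program_name(v) for _, v in autorun_targets(text) if v})


def scan_drive(root):
    """Read <root>/autorun.inf, if present; report (program, exists_on_drive)."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    return [(prog, os.path.isfile(os.path.join(root, prog)))
            for prog in executed_programs(text)]


# Constructed sample in the style the post describes (sys.exe is from the
# post; the other lines are illustrative, not copied from the real file).
SAMPLE_AUTORUN = r"""[AutoRun]
open=sys.exe
shellexecute=sys.exe
shell\Open\Command=sys.exe
shell\Open=&Open
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
"""

if __name__ == "__main__":
    for key, cmd in autorun_targets(SAMPLE_AUTORUN):
        print(f"{key} -> {cmd}")
    for prog, present in scan_drive("."):
        print(f"would run {prog}: {'present' if present else 'missing'}")
```

Run scan_drive() against the mount point of a newly inserted drive (with AutoPlay disabled) before opening anything on it; a drive whose autorun.inf points at an executable in its own root is the pattern to treat as hostile.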

McAfee detects this malware as W32/CEP.worm!33925d66 and has already published a malware report, found here.

ThreatExpert Report here.

Archived Malware Reports

It feels good when your old malware reports still exist. I'm saying this because there was once a rule (in the Trend Micro AV guidelines) that the last person who analyzed and modified a report gets the credit, so the original analyst's name is removed. I think they have already changed this rule…

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_CORN.A

http://www.trendmicro.com/vinfo/jokes/jokesDetails.asp?JNAME=JOKE%5FPCHAUNT%2EA

http://www.trendmicro.com/vinfo/de/virusencyclo/default5.asp?VName=REG%5FZIKDOW%2EA

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=REG_ZIKDOW.A&VSect=T

http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=ADW%5FBARGBUDDY%2EA

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_DAEMONIZE.A&VSect=T

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ALPHX.A&VSect=T

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HTML%5FALPHX%2EA&VSect=T

I remember this one: the detection name was named after my sister, Minehaha.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_MINEH.A&VSect=T

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=IRC%5FMINEH%2EA&VSect=T

I can’t find my name anymore… TROJ_THEMS, after Meths. Actually, the rule is that if a sample is new and nobody detects it yet, the analyst gets to name it (following the naming conventions and guidelines, of course).

Speaking of malware naming conventions, this topic is currently a whole lot of confusion for the industry: a few AVs follow the CARO naming scheme while others have their own.

Another thing is the ethical issue. Usually everyone gives credit by following the existing detection name if someone has already created a detection for that malware (given that the name is right, meaning it is readable and doesn’t conflict with a person, company, etc.), but some AVs don’t follow it and instead create their own name (perhaps for marketing and PR/media purposes).

Refer this recent list/update from AVTest.org:

2008-05-12 Cross Reference List of Virus Names
Each vendor of anti-virus software has a different naming convention and the same virus could have a completely different name in another company’s product. To provide a candle in the dark and diminish the current confusion we created a cross-reference list of all virus names (421 KB), based on the WildList 03/2008
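To make the naming confusion concrete, here is an added example (mine, not from the post, Trend Micro, McAfee or AV-Test) that parses the two vendor formats that appear on this page, Trend Micro's PREFIX_FAMILY.VARIANT and McAfee's Platform/Family.type!suffix, into one structure and groups names by family. The CARO-style pattern Type:Platform/Family.Variant is an assumption about that scheme's shape, since the post names the scheme but shows no example of it; "Worm:Win32/Example.A" is a constructed name used only to exercise that pattern. The detection names in NAMES are the ones listed above.

```python
"""Normalise vendor malware names into a common structure and group by family."""
import re
from collections import defaultdict

# Trend Micro style: PREFIX_FAMILY.VARIANT (e.g. WORM_ALPHX.A, BKDR_MINEH.A).
TREND = re.compile(r"^([A-Z0-9]+)_([A-Z0-9]+)(?:\.([A-Z]+))?$")
# McAfee style: Platform/Family[.type][!suffix] (e.g. W32/CEP.worm!33925d66).
MCAFEE = re.compile(
    r"^([A-Za-z0-9]+)/([A-Za-z0-9]+)(?:\.([a-z]+))?(?:!([0-9A-Fa-f]+))?$")
# CARO-style Type:Platform/Family.Variant (form assumed here; the post names
# the scheme but shows no example of it).
CARO = re.compile(
    r"^([A-Za-z]+):([A-Za-z0-9]+)/([A-Za-z0-9_]+)(?:\.([A-Za-z]+))?$")


def _rec(scheme, mtype, platform, family, variant):
    return {
        "scheme": scheme,
        "type": (mtype or "").lower(),
        "platform": (platform or "").lower(),
        "family": family.lower(),
        "variant": (variant or "").lower(),
    }


def parse_name(name):
    """Return {scheme, type, platform, family, variant} or None if unrecognised."""
    m = CARO.match(name)
    if m:
        mtype, platform, family, variant = m.groups()
        return _rec("caro", mtype, platform, family, variant)
    m = MCAFEE.match(name)
    if m:
        platform, family, mtype, _suffix = m.groups()   # suffix is a hash, not a variant
        return _rec("mcafee", mtype, platform, family, None)
    m = TREND.match(name)
    if m:
        prefix, family, variant = m.groups()
        # Trend's prefix encodes either a type (WORM, BKDR, ADW) or a
        # platform (PE, HTML, IRC, REG); we keep it in "type" as-is.
        return _rec("trend", prefix, None, family, variant)
    return None


def group_by_family(names):
    """Map lower-cased family -> sorted list of the vendor names that use it."""
    groups = defaultdict(list)
    for name in names:
        rec = parse_name(name)
        if rec:
            groups[rec["family"]].append(name)
    return {fam: sorted(ns) for fam, ns in groups.items()}


# Detection names taken from this post.
NAMES = [
    "PE_CORN.A", "JOKE_PCHAUNT.A", "REG_ZIKDOW.A", "ADW_BARGBUDDY.A",
    "BKDR_DAEMONIZE.A", "WORM_ALPHX.A", "HTML_ALPHX.A",
    "BKDR_MINEH.A", "IRC_MINEH.A", "W32/CEP.worm!33925d66",
]

if __name__ == "__main__":
    for fam, ns in sorted(group_by_family(NAMES).items()):
        print(f"{fam}: {', '.join(ns)}")
```

The grouping shows why a cross-reference list is needed: even within one vendor the same family (ALPHX, MINEH) appears under different prefixes, and across vendors the family string is the only part of the name that can be matched mechanically.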

I like this … “Fire the Good People”

When serial entrepreneur Jason Calacanis took the stage at the CeBIT technology conference this week in Sydney, some audience members weren’t sure how to react to his comments. Responses ranged from nervous laughs and stoic looks to bemusement and knowing nods.

Fire the good people

“Fire the good people,” says Calacanis. “Fire them immediately. In a startup company, you can’t waste time on good people. You need excellent people. The excellent people do five times more than the good people.”

Calacanis emphasises that you can replace a good person with someone who is excellent. If you don’t fire the good or average people, Calacanis says: “The excellent people leave because there are just average people around.”

[Read Sydney Morning Herald Blog]

CeBIT Australia 2008

It’s amazing to see so many different ICT exhibitors gathered under one roof for three days at CeBIT Australia 2008.

Actually, I missed the first day, but that’s alright. I was excited about the second day, when I woke up early to get there at exactly 8:00 am for the BloggerZone breakfast (a limited invitation for bloggers around Australia).

The exhibit opens at 10:00 am, but with the blogger ID we (my husband and I) were able to get in early and roam around while everyone was still rushing to prepare.

As a consumer of electronics, I was interested in seeing new and impressive gadgets, but I ended up realizing that what we actually need are CPU cabinets and a power rack.

As we were walking around, we noticed that there were only a few antivirus companies there: AVG, ESET, Kingsoft and F-Secure; the other security companies were GFI, IntelliGuard and MailGuard. ESET had the most impressive stand because of the data presented, which showed their leading detection rate covering prevalent and zero-day threats and heuristics, as well as zero false positives (this information is based on independent AV testers and reviewers).

As we were heading to the exit of the exhibition hall, I noticed a small device (a thin client) from ThinLinx. Thanks to its CEO John Nicholls, who was very welcoming and spent time talking with us.

At CeBIT you get freebies, so what did I get? CDs, ballpens, magazines, stickers and a red hat (obviously from Red Hat).

Ferret Data Seepage Detection Tool Soon In iPhone

Errata Security presented the idea of data seepage at Black Hat Federal last year. The idea has been defined as…

“data seepage”: bits of benign data that people willingly broadcast to the world (as opposed to “leakage”, which is data people want to hide from the world).

It’s interesting that these bits of data are also known as friendly information. They are your digital footprints, which can be used by attackers to gather or construct information about you. Yes, this is how exposed we are…
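As an added example of what "benign data willingly broadcast" looks like on the wire (my code, not Ferret's and not from the post): a parser for the options field of a DHCP message, which a client shouts to the whole segment every time it joins a network. Option codes are from RFC 2132; treating DHCP as an instance of data seepage is my choice of illustration, and the DISCOVER packet below is constructed, not a real capture. The vendor class "MSFT 5.0" is the real string Windows clients send.

```python
"""Pull identifying fields out of the DHCP options a client broadcasts."""

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132: starts the options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK",
             7: "RELEASE", 8: "INFORM"}


def parse_dhcp_options(data):
    """Parse the TLV option block (after the cookie) into {code: value}."""
    opts = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 0:              # pad
            i += 1
            continue
        if code == 255:            # end
            break
        if i + 1 >= len(data):     # truncated: no length byte
            break
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:    # truncated value; don't trust the rest
            break
        opts.setdefault(code, value)   # keep the first occurrence
        i += 2 + length
    return opts


def seepage_from_dhcp(options_field):
    """Fields a passive listener learns from one DHCP message."""
    if not options_field.startswith(MAGIC_COOKIE):
        return {}
    opts = parse_dhcp_options(options_field[len(MAGIC_COOKIE):])
    out = {}
    if 53 in opts and opts[53]:
        out["msg_type"] = MSG_TYPES.get(opts[53][0], f"type{opts[53][0]}")
    if 12 in opts:                 # option 12: host name
        out["hostname"] = opts[12].decode("ascii", "replace")
    if 60 in opts:                 # option 60: vendor class, e.g. "MSFT 5.0"
        out["vendor_class"] = opts[60].decode("ascii", "replace")
    if 61 in opts and len(opts[61]) == 7 and opts[61][0] == 1:
        # option 61: client identifier; type 1 means a 6-byte Ethernet MAC
        out["client_mac"] = ":".join(f"{b:02x}" for b in opts[61][1:])
    if 55 in opts:                 # option 55: parameter request list
        # the set and order of requested options is a well-known OS fingerprint
        out["param_request"] = list(opts[55])
    return out


# Constructed DISCOVER options field (not a real capture): host name,
# Windows vendor class, client id and a parameter request list.
SAMPLE_OPTIONS = (
    MAGIC_COOKIE
    + b"\x35\x01\x01"                            # 53: DHCP DISCOVER
    + b"\x0c\x08MYLAPTOP"                        # 12: host name
    + b"\x3c\x08MSFT 5.0"                        # 60: vendor class
    + b"\x3d\x07\x01\x00\x11\x22\x33\x44\x55"    # 61: type 1 + MAC
    + b"\x37\x04\x01\x03\x06\x0f"                # 55: subnet, router, DNS, domain
    + b"\xff"                                    # end
)

if __name__ == "__main__":
    for field, value in seepage_from_dhcp(SAMPLE_OPTIONS).items():
        print(f"{field}: {value}")
```

Nothing here is secret, which is the point of the seepage idea: a hostname, the OS family and a hardware address, collected per MAC over a day in a coffee shop, is enough to tell machines and their owners apart.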

As an iPhone user and a security-aware person, I was really excited when Errata blogged a “Call for Beta Testers”. So I immediately sent in my interest in volunteering as a beta tester for the Ferret (data seepage detection tool) iPhone package, and they accepted it.

I’m looking forward to seeing more security tools on the iPhone as well as on the Mac.

Identity Theft And Your MSN Account

There are more MSN fraudsters roaming around, and this time they are serving twenty different languages.
Last February I posted on this topic: “Your MSN Account Has Been 0WN3D“.

These are phishing sites that employ social engineering to lure MSN users into giving out their email address and password.

As a result, whoever holds the stolen MSN identity can remotely send instant messages and email spam to all of the victim’s contacts, as well as read their personal messages.


At the moment, the following IP addresses and domain names are actively serving these MSN phishing sites.


Be careful and stay away from these sites!

Install Fring

This is the best application I have installed on my mobile phones, the iPhone and the Nokia N95.

Using fring you can bring all your messengers online: YM, ICQ, AOL, Google Talk, MSN, SIP, Skype and fring itself. If you have WiFi at home or in the office, or you are in a coffee shop or near any other access point, this application is incredibly useful and keeps you connected. The best thing is that you can call anyone for FREE. How cool is that!

It’s currently in beta, but all the functionality you would expect works well. http://www.fring.com/