Showing posts with label computer viruses.

Monday, November 12, 2012

John McAfee Wanted For Murder

Antivirus pioneer John McAfee is on the run for murder, according to Belizean police. This story is about to go viral.

Monday, May 14, 2012

Microsoft Causes OSX Vulnerability, Then Gloats

Microsoft discovered a vulnerability in Word that could allow an attacker to execute code on any system that uses Microsoft Word to open a specially malformed document, then spun it as proof that Macs are just as vulnerable as Windows to document-based attacks.

Friday, March 16, 2012

Anyone can say they are part of Anonymous... unless it makes them look bad

Anonymous likes to say that anyone can be a member just by saying they are. But apparently anyone creating malware while claiming to be part of Anonymous is officially *not* part of Anonymous. Unless, of course, it is malware written by other members of Anonymous. This is bizarre circular thinking for folks who have been known to be far more clever in the past. What gives?

Sunday, January 8, 2012

Lack of a Backup Could Free a Killer

In a criminal case in Miami in 2009, a man named Randy Chaviano was convicted of second-degree murder committed in 2005 and sentenced to life in prison. As usual, a court stenographer was taking notes at the trial. But then there was a string of coincidences worthy of a Law & Order script.

  • The stenographer didn’t have enough paper for her machine — a mistake she’d apparently made before
  • Consequently, the notes she took were recorded only in the machine’s internal memory
  • She transferred the stenography machine’s records to her own PC
  • She deleted the records from the stenography machine
  • She didn’t do a backup of the PC
  • A virus hit the PC and deleted what was by then the only record of the trial, leaving only a pretrial hearing and closing arguments; it wasn’t clear when this happened

Thursday, September 8, 2011

Award BIOS Flashing Trojan

I used to talk about the possibility of a virus or worm writing boot code to hard drives, or flashing devices with new configurations, or even entirely new code. It seems there is now a trojan out there that does just that. Yes, the site is in Chinese. But it describes a trojan that flashes Award BIOS code to add a few new functions at boot time.

Symantec has more details on how it infects the hard drive Master Boot Record (MBR) and specifically targets and alters the Award BIOS. Other BIOS brands are not affected.

Thursday, August 25, 2011

Ten years later, still the same malware?

At Black Hat 2011, during an interview about ESET's recent Global Threat Report, a reporter asked me why we still see very old strains of common, long-detected malware. After all, haven't we been detecting these threats in the wild for years by now?

Tuesday, June 28, 2011

Old Style MBR Viruses are Back

Microsoft is telling Windows users that they'll have to reinstall the operating system if they get infected with a new rootkit that hides in the machine's boot sector.

A new variant of a Trojan Microsoft calls "Popureb" digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, Chun Feng, an engineer with the Microsoft Malware Protection Center (MMPC), said last week on the group's blog.

If this reminds you of the '80s, it should. At least back then you could boot to your DOS rescue disk and type FDISK /MBR to get rid of boot sector viruses. Now that there is too much money to be made off of viruses, I'm sure this command no longer works.
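Both the Award BIOS trojan post above and this Popureb post come down to the same thing: code in the Master Boot Record that the operating system never sees as a file. The check a defender wants is a baseline: record a hash of the boot-code region while the machine is known clean, then compare later. The script below is an added example, not code from the original posts or from Microsoft; it constructs a 512-byte MBR image inline so it runs offline, and on a real machine you would read the first 512 bytes of the boot disk (for example /dev/sda on Linux, as root) into `mbr` instead. Two caveats: run it from a trusted boot medium, because an active boot-sector rootkit can hook disk reads and hand back a clean-looking sector, and it only covers the MBR, not a BIOS image rewritten by the Award flashing trojan.

```python
# Added example (not from the original posts): baseline-and-compare integrity
# check for a 512-byte Master Boot Record. The MBR image is constructed inline
# so the script runs offline; on a real machine you would read the first 512
# bytes of the boot disk (e.g. /dev/sda on Linux, as root) into `mbr` instead.
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the executable boot code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the disk signature
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 on every valid MBR


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a minimal well-formed MBR (constructed demo data, not a real disk)."""
    assert len(boot_code) <= BOOT_CODE_LEN
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"  # 4-byte disk signature + 2 reserved bytes
    # One bootable (0x80) partition of type 0x07, LBA start 2048, 1,000,000 sectors;
    # the legacy CHS fields are left zeroed because modern boot code uses LBA.
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    table = entry + b"\x00" * (16 * 3)
    return code + disk_sig + table + BOOT_SIGNATURE


def parse_partitions(mbr: bytes) -> list:
    """Return (bootable, type, lba_start, sector_count) for each non-empty entry."""
    parts = []
    for i in range(4):
        flag, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append((flag == 0x80, ptype, start, count))
    return parts


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table may legitimately change."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_digest: str) -> list:
    """Compare an MBR against a baseline digest; an empty list means no findings."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)}"]
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_digest(mbr) != baseline_digest:
        findings.append("boot code differs from baseline (possible MBR infection)")
    bootable = [p for p in parse_partitions(mbr) if p[0]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    return findings


# Constructed data: a "known good" MBR recorded while the system was clean, and a
# copy with four bytes of boot code altered to stand in for a modified record.
GOOD_MBR = build_sample_mbr(b"\xfa\x31\xc0\x8e\xd8")  # cli; xor ax,ax; mov ds,ax (harmless stub)
BASELINE = boot_code_digest(GOOD_MBR)
_tampered = bytearray(GOOD_MBR)
_tampered[0x10:0x14] = b"XXXX"
TAMPERED_MBR = bytes(_tampered)


def demo() -> dict:
    """Run the check over both images and return the findings per image."""
    return {"good": check_mbr(GOOD_MBR, BASELINE),
            "tampered": check_mbr(TAMPERED_MBR, BASELINE)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["OK: matches baseline"])
```

The digest deliberately covers only bytes 0..439: the disk signature and partition table can change for legitimate reasons (repartitioning, imaging tools), while the boot code of a given boot loader should not change outside a known update, so any difference there is worth a look.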

Monday, June 20, 2011

Japan Criminalizes Creation, Acquisition or Storage of Computer Viruses

A new law in Japan makes creation or distribution of a computer virus without reasonable cause punishable by up to three years in prison, and acquisition or storage of a virus punishable by up to two years.

I am not sure how stringent their definition of "reasonable cause" is in this case, but it sounds like a good start.

Tuesday, February 22, 2011

Why Penetration Testers Need To Remember The Good Old Days

As a penetration test trainer to Fortune 500 companies, I often see a few students in the class zone out and stare off with glassy-eyed disinterest when I cover legacy systems and protocols. Examples of these "boring" topics include Windows NT, WEP, and ancient attacks like the 'Ping of Death'. They ask me, "Why do we need to learn this stuff when it was fixed years ago?"

The answer is simple: History repeats itself. Just like these students aren't interested in learning from the past, there is a world of developers out there that exhibit the same disinterest. They're churning out vulnerable code with all kinds of old-school vulnerabilities, and the testers, having also slept through that part of the class, barely know how to detect them.

A subject I almost never see covered in penetration-testing and hacking courses in general is the lowly modem. The rationale seems to be that modems are rarely used within the corporate environment, and when they are, a VPN is deployed. VPN security is well understood, and most (definitely not all) companies that use a VPN do utilize it reasonably well. But the VPN does not cover all the layers. The modem is still just as vulnerable to attack as always.

To demonstrate why ignoring technical pieces of our computing legacy is tragic, one just has to look at a recent case in New Hampshire. Asu Pala resurrected an ancient idea: use malware to reconfigure modems to dial through a premium rate service.

The damage? In the nearly 5 years his attack ran, Pala made himself a neat $8 million.

The fact is, old equipment and operating systems abound on the Internet, and they can nearly always be found even within organizations that push policies on eradicating them. On top of that, younger developers who do not know their security history tend to repeat the mistakes that were made before their time.

0-day attacks nearly always have some relationship to the old attacks that we like to think don't occur anymore. Penetration testers who are not acquainted with the legacy security issues are likely to be blind to them when they occur.

Tuesday, October 5, 2010

Antivirus Companies Finally Do Something About Their Own Website Security

In an industry where security companies have gotten rich enough to practice what they preach, you'd expect them to be setting the example when it comes to secure coding practices. It's the age old story about the cobbler's kids wearing crappy shoes.

You would expect security companies to hire coders that have at least the basic knowledge to do their jobs securely. How is it that so many such company websites are afflicted with something as blatant as Cross-Site Scripting flaws? What makes this worse is that some of these companies offer secure web hosting, and post bulletins about other companies' security issues! Someone isn't doing their homework.

Some of the companies that should know better: Symantec, Eset, and Panda.

Friday, October 1, 2010

Tired of the crap "news" websites are posting about Stuxnet?

F-Secure has posted a bit of a FAQ to help people interested in understanding the Stuxnet worm issue to get more realistic information, versus the omg-CNN-style garbage that has been going around so far.

Is it targeting Iranian nuclear plants? We don't know.

All this conjecture reminds me of the days when hundreds of STONED virus variants were running rampant, and McAfee started pretending they were totally different, giving them fancy names just to make them sound like different beasts (for example, Michelangelo). The same virus, with 2 or 3 lines changed, suddenly became a totally amazing technological advance hell bent on the worst possible destruction. Just sayin...

Only 1.7% of sites blocked by Scandinavia's "child-porn" filters are actually child porn

It seems that most of the sites on the anti-kiddyporn filters are simply fake. As well, they found that simply reporting sites that have kiddy porn, instead of blocking and ignoring them, got them immediately removed at the ISP level.

Which leaves the author of this story wondering what the list is for in the first place, since it is so easy to get the sites removed.

This is the same type of lip service that has been keeping the antivirus industry alive for years. It doesn't matter that 90% of the functionality claims are useless for absolutely everything except marketing.

Friday, September 24, 2010

First Worm To Deliberately Attack SCADA Systems Found

In June, Belarusian antivirus company VirusBlokAda reported a new bug with some interesting features. The Stuxnet worm they discovered was programmed to specifically attack industrial control systems and reprogram the controllers, hiding the changes from view using methods almost identical to those used by the stealth viruses of the 1980s and '90s.

The last time someone hacked up a SCADA system like this, it caused a 3 kiloton explosion that was reported as having been the most monumental non-nuclear explosion and fire ever seen from space.

Thursday, September 23, 2010

ZoneAlarm caught using fake antivirus scare tactics

In a world where it's getting harder and harder to tell the good guys from the bad, Check Point's ZoneAlarm is now being marketed using the same techniques used by said bad guys. The new scare-tactic ads look so much like the non-professional spam ads we all know and love that their own customers are looking for a more serious vendor to deal with.

Let's see if everyone has learned their lesson and refuses to click on it.

Tuesday, August 3, 2010

One Reason Nobody Trusts Microsoft's Security Controls

Ever wondered why you are always told to buy firewall software, even though your router probably has a firewall built in, and your operating system probably does too?

Ever wondered why you have to pay for antivirus software, even though it would be fairly trivial for the operating system manufacturer to add this by default - or at least alter the obvious weaknesses that make the viruses so rampant on that specific platform in the first place?

Ever wondered why you have to pay for additional privacy controls, even when the operating system claims to have privacy built into the operating system?

Internet Explorer just became less private thanks to Microsoft bowing to the advertising agencies. That's right - they dropped the ball. The ability to mess your screen up with animated advertisements everywhere you look trumps all security and privacy controls, again.

Microsoft is falling behind so badly, next thing you know, they'll be making an iPad clone. I wonder what "new" security issues will come of that.

Tuesday, July 27, 2010

Dell Blames Their Own Staff for Spybot Infected Motherboards

Instead of admitting it was a huge corporate blunder, Dell blames a handful of its workforce, rather than its own processes and governance, for a recent spate of infected server-class motherboards.

Dell claims all infected motherboards have been replaced.

Wednesday, July 7, 2010

Microsoft Officially Out of the Vulnerabilities Loop

Companies have finally started to realize that giving Microsoft free security consulting is losing them money overall.

VUPEN, which used to be known as FrSIRT, which used to be a 0-day vulnerability disclosure site, has ceased sending free vulnerability reports to Microsoft to help them fix their security woes. Instead the reports, exploit code, patches, and whatever else they produce go straight to their paying customers, none of whom are Microsoft.

Thursday, June 3, 2010

Can humans be infected by computer viruses?

British scientist Dr. Mark Gasson from the University of Reading inserted a contaminated version of an ID computer chip, normally used to track pets, into his hand to help prove that the chip was able to pass computer viruses on to other external control systems.

Dr. Gasson's chip allows him to pass through security doors and activate his cell phone. It uses ambient electromagnetic energy to transmit data. Through a series of tests, Dr. Gasson was able to show that the chip affects all surrounding computerized systems and if any other implanted chips connect to the system, they too would be damaged by the contaminated chip. 

Friday, May 21, 2010

IBM hand out free malware at a security conference

Rather pathetic news today. IBM gave away USB sticks at the AusCERT security conference which were infected by a 2-year-old virus that spreads when Windows automagically executes setup.exe / autorun.ini. There's no excuse for such sloppiness, but of course, this will be ignored and brushed under the carpet.

Thursday, May 20, 2010

Artificial Life Breakthrough

In the early '90s, a lot of studies went into artificial life. Are computer viruses alive? The J. Craig Venter Institute has created what appears to be the first Artificial Life entity that is truly alive and functional. Will the bad guys get hold of this technology and use it to wage bio-warfare on humans, like they did with computer viruses and worms on software and the Internet? Possibly. Time will tell if this technology manages to do a few useful things first.