Contents in This Issue
OCTOBER 2005
The International Publication on Computer Virus Prevention, Recognition and Removal

CONTENTS
2 COMMENT
  Time to embrace the digital age
3 NEWS
  AVIEN virtual conference
  Symantec snaps up WholeSecurity
  CME initiative sets forth
3 VIRUS PREVALENCE TABLE
FEATURES
4 Zo-to-business
6 Grey clouds on the horizon
11 BOOK REVIEW
  Vers & virus
12 COMPARATIVE REVIEW
  Windows 2003 Advanced Server
20 END NOTES & NEWS

IN THIS ISSUE

UNDER ATTACK
Apart from being large multinationals, what do CNN, UPS, the New York Times, General Electric and ABC News have in common? The answer is that they (reportedly) were all infected by Zotob. Martin Overton provides an overview of this summer's most fast-spreading network worm. page 4

GATHERING CLOUDS
PSGuard is a 'virus and spyware remover' program which is promoted through the Win32/Nsag infectors. While questionable in terms of motive, the program itself has no malicious payload. Roel Schouwenberg considers the problems 'light grey' applications such as this pose for the AV industry. page 6

COMPARATIVE REVIEW
27 products squeeze onto the Windows 2003 Advanced Server testing bench this month. Matt Ham has the details. page 12

This month: anti-spam news and events, we review Jonathan Zdziarski's Ending Spam, and Des Cahill explains the benefits of trust and accountability.

ISSN 0956-9979

COMMENT

'This new format will enable us to deliver Virus Bulletin almost instantaneously.'
Helen Martin, Editor, Virus Bulletin

TIME TO EMBRACE THE DIGITAL AGE

Virus Bulletin has seen a few changes over the years – editors have come and gone, the days of listing all known viruses along with descriptions and their hexadecimal search patterns are long gone (indeed the days of being able to list all known viruses within the confines of a 24-page publication are over – when VB was first published in July 1989 the total was a manageable 14), the design and layout of the magazine have been updated, while features such as the VB 100% award scheme and the VB Spam Supplement have been introduced and become part of the furniture along the way.

The next major change is that, from January 2006 Virus Bulletin will become a wholly electronic publication, delivered in PDF format to all subscribers.

Every month all subscribers will receive notification via email that the new issue of Virus Bulletin has been released, and a simple click of the mouse will take the subscriber to www.virusbtn.com where the latest issue will be available in PDF format to be read online, saved to disk or downloaded and printed. This new format will enable us to deliver Virus Bulletin almost instantaneously, cutting out the inevitable postal delays as well as the limits imposed by the printing schedule, thus allowing us to include the most up-to-the-minute material each month.

For those who lovingly maintain a back catalogue of hard copy VBs, this is without doubt the end of an era, but it also marks the start of a new chapter. VB will revert to the practice of producing an annual CD-ROM and in future every subscriber will receive a CD-ROM in January containing all the issues of Virus Bulletin published in the previous 12 months (January to December).

Alongside the new format, a new pricing and licensing structure will be introduced from January 2006 – the first time the basic price of VB has changed in 16 years. Individual subscribers will see a significant cost saving, with the new subscription costing $175. Corporate customers will see a change too – from January a corporate subscription (or 'licence') will allow subscribers to post Virus Bulletin issues on their company intranet or otherwise circulate them internally, thus allowing all employees access to the magazine. The new pricing structure will be as follows:

• Individual subscribers (the magazine may be accessed only by the named individual): $175
• Corporate subscriber whose company's annual turnover is $0–10 million (the magazine may be circulated internally/posted on intranet): $500
• Corporate subscriber whose company's annual turnover is $10–100 million (the magazine may be circulated internally/posted on intranet): $1000
• Corporate subscriber whose company's annual turnover is $100+ million (the magazine may be circulated internally/posted on intranet): $2000
• Bona fide educational institutions/charities: $175
• Public libraries: $500

As previously, individual subscribers will qualify for a discount on the cost of registration for the Virus Bulletin conference, and corporate subscribers will be assigned a block of discounted conference registrations, the number depending on their subscription type.

While this will almost certainly qualify as the greatest change the magazine has seen so far, subscribers should rest assured that, as the adage goes, the more things change the more they remain the same: there will be no change in the nature of the magazine, its content, or its purpose. As ever, Virus Bulletin will remain dedicated to its quest to provide unbiased and exceptional reporting of all matters relevant to the anti-virus and anti-spam industries. More information about the changes will be sent to subscribers over the coming months.

Editor: Helen Martin
Technical Consultant: Matt Ham
Technical Editor: Dr Morton Swimmer
Consulting Editors: Nick FitzGerald, Independent consultant, NZ; Ian Whalley, IBM Research, USA; Richard Ford, Florida Institute of Technology, USA; Edward Wilding, Data Genetics, UK
VIRUS BULLETIN www.virusbtn.com

NEWS

AVIEN VIRTUAL CONFERENCE

The organisers of the inaugural AVIEN/AVIEWS virtual conference have issued a call for papers. The conference, which will take place on 18 January 2006 by webcast, will be based on the theme 'Battling malware – a view from the trenches'. The organisers are seeking submissions for 30-minute presentations on a range of subjects (a full list can be found at http://www.avien.org/conf2006cfp.html). Abstracts should be sent in RTF or plain text format to [email protected] by 10 October 2005.

While the conference will be open only to members of the AVIEN/AVIEWS forums, members may sponsor non-members, who will be vetted for approval. Registration details will be circulated in the forums and on the website in due course.

SYMANTEC SNAPS UP WHOLESECURITY

Symantec has announced that it plans to purchase privately held behavioural endpoint security solutions provider WholeSecurity Inc.

WholeSecurity's behavioural detection technology identifies both known and unknown threats without requiring users to install or update signatures, and can be used against traditional malware threats such as viruses and worms, as well as against phishing threats. WholeSecurity's customers include eBay, Deutsche Bank and Visa. Symantec plans to offer standalone products using WholeSecurity's technology as well as incorporate it into its security software suites. The acquisition is expected to complete later this month.

CME INITIATIVE SETS FORTH

US-CERT will officially unveil its Common Malware Enumeration (CME) initiative this month. The scheme, which will be operated by MITRE, and will work very much like the current Common Vulnerabilities and Exposures (CVE) initiative, aims to reduce the public's confusion during malware incidents, enhance communication between anti-virus vendors and improve communication and information sharing between anti-virus vendors and the rest of the information security community (see VB, September 2005, p.14). This month sees the debut of the CME website, which will host information about threats, together with the all-important CME tag for each major threat – which it is hoped security companies will incorporate into the names they assign to the threats. The first version of the CME website will include descriptions of a couple of dozen threats, but a more comprehensive collection is planned for later in the year. Information about the initiative can be found at http://cme.mitre.org/.

Prevalence Table – August 2005

Virus            Type    Incidents   Reports
Win32/Netsky     File    16,929      47.35%
Win32/Bagle      File    6,537       18.28%
Win32/Mytob      File    3,985       11.14%
Win32/Mydoom     File    2,928       8.19%
Win32/Zafi       File    2,287       6.40%
Win32/Lovgate    File    520         1.45%
Win32/Klez       File    275         0.77%
Win32/Funlove    File    226         0.63%
Win32/Dumaru     File    218         0.61%
Win32/Bagz       File    215         0.60%
Win32/Pate       File    123         0.34%
Win32/Bugbear    File    119         0.33%
Win32/Mabutu     File    109         0.30%
Win32/MyWife     File    104         0.29%
Win32/Agobot     File    95          0.27%
Win32/Reatle     File    94          0.26%
Win32/Mimail     File    93          0.26%
Win32/Fizzer     File    90          0.25%
Win32/Swen       File    83          0.23%
Win32/Sdbot      File    82          0.23%
Win32/Valla      File    79          0.22%
Redlof           Script  72          0.20%
Win32/Mota       File    64          0.18%
Win32/Bobax      File    46          0.13%
Win32/Yaha       File    45          0.13%
Win32/Randex     File    23          0.06%
Win32/Wurmark    File    19          0.05%
Psyme            Script  18          0.05%
Win32/Hybris     File    16          0.04%
Win32/Magistr    File    16          0.04%
Win32/Maslan     File    15          0.04%
Laroux           Macro   11          0.03%
Others[1]                220         0.62%
Total                    35,756      100%

[1] The Prevalence Table includes a total of 220 reports across 60 further viruses. Readers are reminded that a complete listing is posted at http://www.virusbtn.com/Prevalence/.
FEATURE 1

ZO-TO-BUSINESS

Martin Overton
Independent Researcher, UK

On Monday 15 August something started to spread quickly on the Internet, causing many companies' Windows 2000 systems to reboot themselves without human assistance.

Any system that shows the port to be open (Windows 2000 and XP) is sent a copy of the exploit code, regardless of whether it has been patched, or is vulnerable.

If the system is an unpatched Windows 2000 system, then the exploit code should run and cause a buffer overflow unless the system is protected in other ways. If the exploit code runs successfully, this will create a shell (CMD.EXE)
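The propagation behaviour described above (probe one port across the network, fire the exploit at every host that answers, patched or not) leaves a characteristic fan-out in perimeter and host-firewall logs: one source contacting many distinct destinations on a single port within seconds. The following is an added example, not code from the article or from any product it mentions, of a sliding-window heuristic that flags such sources. The log line format is constructed for this example, the port number 445 used in the sample data is an assumption (this excerpt refers only to "the port"), and the window and threshold values are illustrative.

```python
"""Scan-burst heuristic for a fast-spreading network worm (added example).

Flags any source that contacts at least `min_targets` distinct destinations
on one TCP port within a sliding time window. Log format, port, window and
threshold below are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <verdict>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<verdict>\w+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "verdict": m["verdict"],
    }


def find_scanners(lines, port, window=timedelta(seconds=60), min_targets=20):
    """Return {src: peak_distinct_targets} for sources whose peak number of
    distinct destinations on `port` inside any `window` reaches min_targets."""
    per_src = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["port"] == port:
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))

    hits = {}
    for src, events in per_src.items():
        events.sort()
        lo = 0
        in_window = defaultdict(int)  # dst -> number of events inside the window
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events older than the window; lo never passes the current event.
            while events[lo][0] < ts - window:
                old_dst = events[lo][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            hits[src] = peak
    return hits


def sample_log():
    """Constructed log lines: one host sweeping a /24, plus benign traffic
    that must not trigger (many clients to one server; one client to a few)."""
    base = datetime(2005, 8, 15, 9, 0, 0)
    lines = []
    # Infected host probes 40 neighbours on the assumed port, one per second.
    for i in range(1, 41):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.0.0.5 -> 10.0.1.{i}:445 allow")
    # Thirty clients all talking to one file server: many-to-one, not a scan.
    for i in range(1, 31):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.0.2.{i} -> 10.0.0.9:445 allow")
    # An ordinary client touching three servers over a quarter of a minute.
    for i, dst in enumerate(("10.0.0.9", "10.0.0.10", "10.0.0.11")):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} 10.0.3.7 -> {dst}:445 allow")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for src, n in find_scanners(sample_log(), port=445).items():
        print(f"{src}: {n} distinct targets on port 445 inside one window")
```

The many-to-one case is included deliberately: a busy file server attracts connections from many sources, and a naive count of events per port would flag it, whereas counting distinct destinations per source only fires on the outbound sweep. Unparseable lines are dropped rather than raising, since a feed of real firewall logs will always contain some.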