Wednesday, January 24, 2007

Want To Know More About Rootkits?

I'm very very proud to announce the publication of Rootkits For Dummies.

Some friends of mine have been working very hard on this book for quite a while now and it is fantastic to see it finally in print. Here is a bit of blurb for you.

Product Details

Authors: Larry Stevenson and Nancy Altholz
Tech Editor: Lawrence Abrams

Forensics Advisor: Dave Kleiman
Media Advisor: Mahesh Satyanarayana (swatkat)
Firefox Advisor: Abdul-Rahman Elshafei (AbuIbrahim),
Firewall Advisor: Allen C Weil (PCBruiser),
IE7 Advisor: Bill Bright.
Rootkit Research Team: Don Hoover (Hoov), James Burke (Dragan Glas), Anil Kulkarni (wng_z3r0), wawadave, and Michael Sall (mrrockford).

ISBN: 0471917109
ISBN-13: 9780471917106
Format: Paperback, 384pp
Publisher: Wiley, John & Sons, Incorporated
Edition Description: BK&CD-ROM
Series: Dummies Series

This book provides a thorough introduction to the topic of rootkits-- what they are, how to detect them, how to dispose of them and how to know when the best thing to do is to wipe your system clean and start all over, and how to mitigate damage if it's possible.

The CD will include several important tools for detecting rootkits, conducting forensic analysis, and making quick security fixes is like an emergency first-aid kit for network administrators and regular users.

I've already ordered my copy from Amazon. :-)

Friday, January 19, 2007

Beware the Storm Worm

Over the last few days we have suffered some severe weather in the UK, yesterday was truly horrendous with winds of up to 99 miles per hour causing 11 deaths, many injuries and millions of pounds worth of damage.

If that wasn't bad enough, it seems that the bad guys took advantage of this and sent out a mass email attack with a trojan horse attatchment with the subject line, "230 dead as storm batters Europe."

As reported by TechRepublic;

"Storm Worm," one of the larger Trojan horse attacks in recent years, is baiting people with timely information about a deadly, real-life storm front, security researchers said Friday.

Over an eight-hour period Thursday, malicious e-mails were sent across the globe to hundreds of thousands of people, said Mikko Hypponen, chief research officer for F-Secure.

People who open the attachment then unknowingly become part of a botnet. A botnet serves as an army of commandeered computers, which are later used by attackers without their owners' knowledge.

Storm Worm carries the subject line "230 dead as storm batters Europe," Hypponen said, noting the unusual twist to the e-mail.

"The e-mail was started 15 hours ago, when the storm was peaking in Central Europe," Hypponen said. "This is unusual in that it was very timely."

Storm Worm is a Trojan horse with an executable file as an attachment. Cybercriminals took advantage of social engineering, using the news of the European storm to get people to open the attached malicious file, which promises more news on the weather emergency. The recipient must open the file for it to execute.

The file creates a back door to a computer that can be exploited later to steal data or to use the computer to post spam.

Email to watch out for;

230 dead as storm batters Europe
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
A killer at 11, he''s free at 21 and kill again!
British Muslims Genocide

Read More.exe
Full Clip.exe
Full Story.exe

Monday, January 15, 2007

A-Squared False Positive - winlogon.exe

If you are a devotee of the excellent A-Squared anti malware scanner then you might have got a bit of a shock if you ran a scan today.

The legitimate winlogon.exe file has been identified as a trojan, this has been confirmed as a false positive however and it will be fixed in the next update. See Emisoft forums for more details.

Friday, January 12, 2007

Spybot Search and Destroy January 12th

Spybot Search & Destroy -


+ NSIS Media Extension
+ Cassava
+ Fakealert + Hitvirus + Leena + Look2Me + PornWebTV + Smitfraud-C.AntiFirewall + SpyFalcon + SpyGuard + SpywareBot + TrustCleaner ++ + Zlob.KeyGenerator (2)
+ AdwarePunisher + Hotbar + MyWay.MyWebSearch + Oska.Deskmates + SpywareKnight
+ SVerner.Search
+ AnotherBOT + ConHook + Innovagest2000.SpyDeface + Kuasio.Ka + Troj.PrintSpool + Win32.Agent.Acz + Win32.Gadu + Win32.Microjoin + Win32.Small.avq + Win32.Small.cyh + Zlob.DirectVideo (2) + Zlob.SiteTicket + Zlob.VideoAccess (2) + Zlob.VideoActiveXObject ++ Zlob.VideoCodec2007
Total: 348611 fingerprints in 58163 rules for 2611 products.

Friday, January 05, 2007

MS Security Bulletin, Advance Notification for January

Microsoft have released an advance notification for the updates that are due to be released next Tuesday.

Don't forget to prepare for the updates as I've outlined in an earlier entry - How To Prepare for Patch Tuesday.

On 9 January 2007 Microsoft is planning to release:

Security Updates

  • One Microsoft Security Bulletin affecting Microsoft Windows. The highest Maximum Severity rating for this is Critical. This update will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. This update will require a restart.
  • Three Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.
Microsoft Windows Malicious Software Removal Tool
  • Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.
    Note that this tool will NOT be distributed using Software Update Services (SUS).
Non-security High Priority updates on MU, WU, WSUS and SUS
  • Microsoft will release No NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).
  • Microsoft will release two NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).
Microsoft Security Bulletin Advance Notification

Microsoft will also be hosting a webcast on Wednesday January 10th 11:00 AM Pacific Time (US & Canada), for attendees to ask questions about the bulletins and get answers from the security experts.

Wednesday, January 03, 2007

Windows Defender (beta2) Has Expired

Windows Defender Beta2 expired on 31st December, please make sure you upgrade to Windows Defender Final.

Windows Defender is a free program that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. It features Real-Time Protection, a monitoring system that recommends actions against spyware when it's detected and minimizes interruptions and helps you stay productive. Now with 2 free support incidents for Windows XP and Windows Server 2003.

Note: If you have version 1.1.1592.0, you must first manually uninstall Windows Defender before you can install this newer version. To configure or remove the existing version, use Add/Remove programs in the Control Panel. You can check your version of Windows Defender by clicking the down arrow next to the help icon and choosing ‘About Windows Defender’.