SubSeven is back after hiatus
According to an entry on July 31, 2009 on www.subseven.org, the infamous backdoor SubSeven is back. "Work with the crew on a new version of 2.2 has begun. For now we will call it 2.3", said mobman, who is known for having written the first version of the program in 1999
ClamAV DoJoSec Talk Addendum
Just a quick note to clarify something I said yesterday at DoJoSec. During my talk, I mentioned that ClamAV supports a variety of operating systems, including Linux, Solaris, BSD, OS X, etc. Packages are made available by third parties for some of those. However, you can build
Virut Analysis and Snort Rule
Virut (from virus + trojan) is a family of malware that has been around since about 2006. Unfortunately for us, it is still around 3 years later, with new variants being released on a regular basis. We came across a recent Virut sample (MD5:e68c4b9428f41036b1cf890d93bdf390) and t
MS09-002 in the wild
Yesterday we came across a website taking advantage of a programming error in Internet Explorer that allows a remote attacker to execute code on a vulnerable system. Microsoft issued an advisory (MS09-002) on February 10, 2009 and released a patch on the same day to mitigate th
Tony Blair has NOT died today
It seems like the Armenian branch of Nathan Associates Inc (per a whois lookup of the IP address) is hosting a webpage claiming that former UK Prime Minister Tony Blair has died. As far as we know, Tony Blair is well as of February 17, 2009. This page uses the same template as the
Dial up security woes from East Africa
Two weeks ago, I upgraded my Internet connection at home. I went from a DSL (512 Kb/s download) to a fiber optic (20 Mb/s download) connection. A few days after getting this incredibly fast (and relatively affordable) connection, I traveled from the East Coast of the United State
Rootkit takes advantage of MS08-078 vulnerability
On December 17, 2008, Microsoft released security update MS08-078 to patch a vulnerability found in several versions of Microsoft Internet Explorer. The root cause of this vulnerability was found to be the incorrect handling of certain XML tags in Internet Explorer that reference
Logical signatures in ClamAV 0.94
Up until ClamAV 0.93, the following formats have been used the most to write signatures to detect malware. ClamAV 0.94 adds logical signatures, which have the format: SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;Subsig2;... Logical signatures should be stored in .ldb files. Let us illustrate how logical signat
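To make the .ldb layout concrete, here is an added example (not code from the original post and not ClamAV's own matcher) that parses one logical-signature line into its fields and evaluates the logical expression against a byte buffer. It deliberately handles only a subset of the real format: sub-signatures are treated as literal hex byte strings (no ClamAV wildcards such as ??, * or {n-m}), and the expression evaluator supports sub-signature indices, &, |, parentheses and the count comparisons =N, >N, <N with simplified semantics chosen for this example (an index evaluates to its hit count, | sums its operands, & sums its operands when all are non-zero). The signature name, bytes and scanned buffers are constructed for illustration.

```python
"""Parse and evaluate a simplified ClamAV-style logical signature (.ldb line).

Added example; not ClamAV code. Supports a subset of the format:
  SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;...
"""
import re

# Constructed sample .ldb line (hypothetical signature name and hex bytes).
SAMPLE_LDB = "Example.Ldb.Demo;Target:0;(0&1)|(2>1);4d5a;50450000;deadbeef"


def parse_ldb(line):
    """Split one .ldb line into name, target block, expression and subsigs."""
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("need SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0")
    name, target_block, expr = fields[0], fields[1], fields[2]
    # Simplification: every subsig is a literal hex string (no wildcards).
    subsigs = [bytes.fromhex(h) for h in fields[3:]]
    target = {}
    for kv in target_block.split(","):  # e.g. "Engine:51-255,Target:1"
        key, _, value = kv.partition(":")
        target[key] = value
    if "Target" not in target:
        raise ValueError("target description block must contain Target:N")
    return {"name": name, "target": target, "expr": expr, "subsigs": subsigs}


def count_hits(data, subsigs):
    """Non-overlapping occurrence count of each subsig in the buffer."""
    return [data.count(s) for s in subsigs]


def evaluate(expr, counts):
    """Evaluate the logical expression over per-subsig hit counts.

    Simplified grammar:
      expr := term ('|' term)*           value = sum of terms
      term := atom ('&' atom)*           value = sum of atoms if all > 0, else 0
      atom := (index | '(' expr ')') [('=' | '<' | '>') number]
    A comparison yields 1 or 0; the whole signature matches when expr > 0.
    """
    tokens = re.findall(r"\d+|[()&|=<>]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError("unsupported characters in logical expression")
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_expr():
        value = parse_term()
        while peek() == "|":
            take()
            value += parse_term()
        return value

    def parse_term():
        values = [parse_atom()]
        while peek() == "&":
            take()
            values.append(parse_atom())
        return sum(values) if all(v > 0 for v in values) else 0

    def parse_atom():
        tok = take()
        if tok == "(":
            value = parse_expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
        elif tok.isdigit():
            idx = int(tok)
            if idx >= len(counts):
                raise ValueError(f"subsig {idx} referenced but not defined")
            value = counts[idx]
        else:
            raise ValueError(f"unexpected token {tok!r}")
        if peek() in ("=", "<", ">"):
            op = take()
            n = int(take())
            value = 1 if {"=": value == n, "<": value < n, ">": value > n}[op] else 0
        return value

    value = parse_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in expression")
    return value


def scan(line, data):
    """Return (matched, per-subsig hit counts) for one .ldb line and a buffer."""
    sig = parse_ldb(line)
    counts = count_hits(data, sig["subsigs"])
    return evaluate(sig["expr"], counts) > 0, counts


if __name__ == "__main__":
    # Constructed buffer: MZ header, PE marker and two deadbeef hits.
    buf = b"MZ" + b"\x00" * 4 + b"PE\x00\x00" + b"\xde\xad\xbe\xef" * 2
    print(scan(SAMPLE_LDB, buf))
```

With the sample line, `(0&1)|(2>1)` matches a buffer that contains both the MZ and PE markers, or one in which the third sub-signature occurs more than once; a buffer carrying only MZ and a single deadbeef does not match, which is the kind of AND/OR combination that a single hex signature could not express.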