Storm Worm variant now using Kittycard.exe as filename

Kittycard.exe is now one of the filenames used by this Storm Worm. Email received today: the new filename is Kittycard.exe. Half of the malware scanners on VirusTotal.com detect it, while the other half do not. For further reading: The Storm Worm: http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html and Just How Bad Is the Storm Worm: http://blog.washingtonpost.com/securityfix/2007/10/the_storm_worm_maelstrom_or_te.html My previous blog entries on Kitty (Storm Worm): 2 more Kitty, Kitty Detection Improving, Norton blocked Kitty, Kitty Kitty

What’s with the malicious PDF file?

Symantec wrote that the PDF file will download ldr.exe. F-Secure reports that the PDF is spiced with a CVE-2007-5020 exploit which downloads ms32.exe, which in turn downloads more components. So I grabbed both .exe files (ms2.exe and ldr.exe) and uploaded them to VirusTotal.com. If an AV fails to detect and block the malicious PDF file itself, it should at least detect the executables it drops and protect the user that way. Scan results: only 50% of the malware scanners detect ms2.exe as malicious, and 71.88% detect ldr.exe as malicious. Screenshots of the results are at http://www.dozleng.com/updates/index.php?showtopic=16119

In the wild: Malicious PDF files; Which AV will detect it?

If you haven’t updated your Adobe Reader to v8.1.1, you had better do it NOW. The vulnerability is being exploited now and, yup, it’s in the wild, because I have already received copies. Screenshots at http://www.dozleng.com/updates/index.php?showtopic=16119 Adobe fixed the security issue by releasing v8.1.1. See their advisory and please update NOW. Microsoft updated their security advisory on the above due to the increased threat level. Read Symantec’s write-up on what they detected and blocked in the email I received: Bloodhound.Exploit.163 – Bloodhound.Exploit.163 is a heuristic detection for PDF files attempting to exploit the Adobe Acrobat Mailto Unspecified …
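The kind of heuristic that Symantec’s Bloodhound.Exploit.163 applies to these mailto: PDFs can be reproduced in a few lines. The block below is an added example written for this page, not code from this blog or from any AV vendor: it pulls every /URI target out of a PDF, including targets sitting inside FlateDecode streams (which a plain string search over the file misses), and flags mailto: URIs that carry the ‘%’ pattern CVE-2007-5020 depends on. The sample PDF, the hostnames and the exact flagging rule are constructed for illustration; a production scanner would also need to handle object streams and the other PDF filters.

```python
import re
import zlib

# Regexes over raw PDF syntax: /URI followed by a literal (...) or hex <...> string,
# and stream bodies that may hide annotation objects behind /FlateDecode.
URI_LITERAL_RE = re.compile(rb'/URI\s*\(((?:\\.|[^\\)])*)\)', re.S)
URI_HEX_RE = re.compile(rb'/URI\s*<([0-9A-Fa-f\s]+)>')
STREAM_RE = re.compile(rb'(?<![a-z])stream\r?\n(.*?)\nendstream', re.S)

_PDF_ESCAPES = {b'n': b'\n', b'r': b'\r', b't': b'\t', b'b': b'\b',
                b'f': b'\f', b'(': b'(', b')': b')', b'\\': b'\\'}


def unescape_pdf_string(raw: bytes) -> bytes:
    """Resolve backslash escapes (\\n, \\(, \\ddd octal, ...) in a PDF literal string."""
    def repl(m):
        tok = m.group(1)
        return _PDF_ESCAPES.get(tok) or bytes([int(tok, 8) & 0xFF])
    return re.sub(rb'\\([nrtbf()\\]|[0-7]{1,3})', repl, raw)


def extract_uris(pdf_bytes: bytes):
    """Collect every /URI target, including ones inside FlateDecode streams."""
    blobs = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            blobs.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate or damaged; the raw scan still covers the plain parts
    uris = []
    for blob in blobs:
        for m in URI_LITERAL_RE.finditer(blob):
            uris.append(unescape_pdf_string(m.group(1)))
        for m in URI_HEX_RE.finditer(blob):
            hexdigits = re.sub(rb'\s', b'', m.group(1))
            if len(hexdigits) % 2:
                hexdigits += b'0'  # PDF pads an odd trailing hex digit with 0
            uris.append(bytes.fromhex(hexdigits.decode('ascii')))
    return uris


def is_suspicious_mailto(uri: bytes) -> bool:
    """Heuristic for the CVE-2007-5020 trigger: a mailto: URI whose body has a '%'
    directly after the scheme, or a '%' together with path traversal or an .exe name.
    Ordinary mailto links with a %20-encoded subject do not match."""
    u = uri.strip().lower()
    if not u.startswith(b'mailto:'):
        return False
    body = u[len(b'mailto:'):]
    if b'%' not in body:
        return False
    return body.startswith(b'%') or b'../' in body or b'.exe' in body


def scan_pdf(pdf_bytes: bytes):
    """Return the suspicious URIs found; an empty list means nothing was flagged."""
    return [u for u in extract_uris(pdf_bytes) if is_suspicious_mailto(u)]


# --- constructed sample document (not one of the samples from the mail) ---
BENIGN_ANNOT = (b'<< /Type /Annot /Subtype /Link /A << /S /URI '
                b'/URI (mailto:helpdesk@example.com?subject=Hello%20there) >> >>')
BAD_ANNOT = (b'<< /Type /Annot /Subtype /Link /A << /S /URI '
             b'/URI (mailto:%/../../../../../../windows/system32/cmd.exe) >> >>')
# Same trigger, hex-encoded and buried in a compressed stream.
HIDDEN_OBJ = zlib.compress(b'<< /S /URI /URI <' + b'mailto:%/../x.exe'.hex().encode() + b'> >>')

SAMPLE_PDF = (b'%PDF-1.4\n'
              b'1 0 obj ' + BENIGN_ANNOT + b' endobj\n'
              b'2 0 obj ' + BAD_ANNOT + b' endobj\n'
              b'3 0 obj << /Length ' + str(len(HIDDEN_OBJ)).encode() +
              b' /Filter /FlateDecode >>\nstream\n' + HIDDEN_OBJ + b'\nendstream\nendobj\n'
              b'%%EOF\n')

if __name__ == '__main__':
    for uri in scan_pdf(SAMPLE_PDF):
        print('suspicious /URI:', uri)
```

Run against the constructed file it reports the two traversal URIs and stays quiet on the ordinary helpdesk link; the compressed one is only found because streams are inflated before the regexes run.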

Spammer’s trick: Redirection. Can’t Google, Yahoo and AOL kill the false one?

This is not new, since this is a ‘common’ issue with redirection that spammers have been using, but geez, can’t these companies do something to stop the redirection from succeeding? Same SPAM emails received today: That’s AOL, Yahoo and Google. Guys, you should do something to kill this “false redirection”; it would surely help kill one of the methods spammers are using. I know we can disable automatic redirection in the browser, but that would kill features that many people use. Example: 1. Search function in the browser 2. Downloading a file that is redirected by good …
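The “false redirection” the post complains about is an open redirector: an endpoint that sends the browser wherever a query parameter says, so a spam link can point at a trusted domain and still land on the spammer’s site. The check below is an added example, not code from the post or from any of the named providers, showing what such an endpoint has to validate before it issues the redirect. The allow-listed hosts are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the hosts this redirector is permitted to send users to.
ALLOWED_HOSTS = frozenset({"example.com", "mail.example.com"})


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True if target is a same-site path or an http(s) URL on an allow-listed host.

    Rejects the tricks an open redirector gets abused with: scheme-relative
    '//host', backslash-as-slash, userinfo '@' spoofing, javascript:/data:
    schemes, CRLF for header injection, and look-alike host suffixes."""
    if not target or any(c in target for c in "\r\n\x00"):
        return False
    t = target.replace("\\", "/")  # browsers treat a backslash as a slash here
    try:
        parts = urlsplit(t)
    except ValueError:
        return False
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if not parts.netloc:
        # relative target: exactly one leading slash ('//' is scheme-relative)
        return t.startswith("/") and not t.startswith("//")
    # .hostname drops userinfo and port and lowercases, so an exact set match is safe;
    # substring or endswith checks would let example.com.evil.test through.
    return parts.hostname in allowed_hosts


def redirect_target(requested: str, default: str = "/") -> str:
    """What the redirect endpoint should actually put in its Location header."""
    return requested if is_safe_redirect(requested) else default


if __name__ == "__main__":
    for candidate in ("/inbox", "//evil.example.net/", "http://example.com@evil.example.net/"):
        print(f"{candidate!r:45} -> {redirect_target(candidate)!r}")
```

The important design choice is the exact match on the parsed hostname: most real open redirectors got it wrong by checking that the string starts with or contains the trusted domain, which every bypass above defeats.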

2 more kitty (storm worm) gone undetected by many scanners

I received a similar email last week where 15 out of 32 malware scanners detected it or triggered an alert if it was found on or downloaded to the system. Today I got 2 more kitty greetings. Result: 10 out of 32 scanners detect it or trigger an alert. Preview of emails: Whenever I send a file to VirusTotal.com I always let them distribute the sample to the AV companies so they can add it to their detection. Let’s hope these will be detected soon, as they are out there. Users need to make sure they are patched and have their security tools configured …

Skype Worm Breaks Out in APAC

Symantec and Websense have warned Skype users of a new worm that spreads via Skype text messages. Dubbed Chatosky by Symantec, the cycle starts with a Skype user receiving a message offering a file called sp.exe. According to Websense’s preliminary analysis, when that file is run it installs a password-stealing Trojan and propagates itself via Skype. The malware also tries to connect to a now-disabled remote server to fetch additional code. Websense says the original infections appear to be in the Asia Pacific region, especially Korea. CA’s, Sophos’ and McAfee’s security sites had no information about this worm at …

Worm Alert: Big Yellow; Worm hits computers via Symantec Corp.’s antivirus program

Date: December 15, 2006
Severity: High
Systems Affected:
Symantec AntiVirus 10.0.x for Windows (all versions)
Symantec AntiVirus 10.1.x for Windows (all versions)
Symantec Client Security 3.0.x for Windows (all versions)
Symantec Client Security 3.1.x for Windows (all versions)
Overview: The eEye Research honeypot network has recently detected a new worm that is actively exploiting a remote Symantec vulnerability originally discovered by eEye Research on May 24, 2006 and patched by Symantec on June 12, 2006. This vulnerability has been publicly exploited as early as November 30, but this is the first example of a worm leveraging this vulnerability for self-propagation. Generally, patch processes are not …

Rustock: Deep Dive

Rustock, also known as “Spambot”, is a family of back door programs with advanced user-mode and kernel-mode rootkit capabilities. Rustock has been in continuous development since around November 2005. Rustock is a tough threat to combat because it combines multiple evasion techniques to remain undetected by commonly used rootkit detectors such as RootkitRevealer, IceSword and BlackLight. To obtain a “deep dive” on how Rustock works and why it is currently able to defeat so many security vendors, please visit Symantec’s Handling Today’s Tough Security Threats Web site. Once on the site, please look for the …

Argh! 2nd instance of fake Windows Genuine Advantage Notification

One earlier and now there’s a 2nd … it’s at Daniweb‘s forum (thanks to Microsoft MVP Robear Dyer for the link). The bad file is faking Microsoft’s Windows Genuine Advantage Notification and Validation Tools. As you can see in the earlier (first) report, there is a service named “Windows Genuine Advantage Validation Notification” and the offending filename is wgavn.exe. Again, there is no Windows service for the legitimate Windows Genuine Advantage (WGA) tool from Microsoft. Also, the names of the legitimate tools are: Windows Genuine Advantage Validation Tool; Windows Genuine Advantage Notification Tool. Note that the Validation Tool doesn’t have Notification …
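A quick triage check for the above, as an added example that is not part of the original post: export the service table of the suspect machine (the CSV shape assumed here is what Get-CimInstance Win32_Service piped to Export-Csv produces) and flag any service that carries a Windows Genuine Advantage name or whose image is wgavn.exe. The sample rows are constructed; because the legitimate WGA tools install no service at all, the name alone is enough to raise the flag, and the filename check catches the same binary registered under a different service name.

```python
import csv
import io
import ntpath
import re

# Constructed sample in the shape of a Windows service export, e.g.
#   Get-CimInstance Win32_Service | Select-Object Name,DisplayName,PathName | Export-Csv -NoTypeInformation
# Assumption: in real triage the export from the suspect machine is read in here instead.
SAMPLE_SERVICES_CSV = """\
"Name","DisplayName","PathName"
"wuauserv","Windows Update","C:\\WINDOWS\\system32\\svchost.exe -k netsvcs"
"Windows Genuine Advantage Validation Notification","Windows Genuine Advantage Validation Notification","C:\\WINDOWS\\system32\\wgavn.exe"
"Spooler","Print Spooler","C:\\WINDOWS\\system32\\spoolsv.exe"
"""

# Filename reported for the fake tool; the real WGA tools are not services at all.
SUSPECT_BINARIES = frozenset({"wgavn.exe"})


def image_basename(pathname: str) -> str:
    """Executable filename from a service PathName, handling quoted paths and arguments."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', pathname)
    image = (m.group(1) or m.group(2)) if m else pathname
    return ntpath.basename(image).lower()


def flag_fake_wga_services(csv_text: str):
    """Return (service name, reason) for each service that impersonates WGA."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, display, path = row["Name"], row["DisplayName"], row["PathName"]
        exe = image_basename(path)
        if "genuine advantage" in f"{name} {display}".lower():
            hits.append((name, "WGA-named service: the legitimate WGA tools install no service"))
        elif exe in SUSPECT_BINARIES:
            hits.append((name, f"service binary {exe} matches the reported fake WGA file"))
    return hits


if __name__ == "__main__":
    for name, reason in flag_fake_wga_services(SAMPLE_SERVICES_CSV):
        print(f"{name}: {reason}")
```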