postcard.gif.exe; virus numbers!; IE7.beta warez bugged; Black Tuesday: be prepared

Published: 2005-08-07
Last Updated: 2005-08-09 23:43:39 UTC
by Swa Frantzen (Version: 1)
0 comment(s)

Thanks Chris!

Chris sent us some packets, which fellow handler George Bakos took and discovered what looks like a weird bug in some equipment. We've notified the vendor and will follow up on it, but promised to keep it under wraps until it is appropriate to speak about it. If it turns out to be more widespread than it appears now, we might decide to act otherwise at that time.

So please, do send us weird, unexplained packets; some of us eat them for breakfast.

You'll be making the Internet a better place. This is also why Chris deserves his 5 minutes of fame.


Ian sent in the incoming email of some spam claiming to be a postcard, along with an analysis he did of the referenced critter. A virustotal scan I ran later today shows the usual diverse names. Moreover, it gets that void look in the eye from some anti-virus software.

Scan results
File: postcard.gif.exe
Date: 08/07/2005 21:09:18 (CET)
AntiVir found [BDS/Zapchast.2]
Avast 4.6.695.0/20050805 found [Win32:Jeefo]
AVG 718/20050807 found [Win32/Hidrag.A]
Avira found nothing
BitDefender 7.0/20050807 found [Trojan.Zapchas.F]
CAT-QuickHeal 7.03/20050807 found nothing
ClamAV devel-20050725/20050807 found [W32.Jeefo]
DrWeb 4.32b/20050807 found [Win32.HLLP.Jeefo.36352]
eTrust-Iris found nothing
eTrust-Vet found nothing
Fortinet found [IRC/Zapchast.4D53-bdr]
F-Prot 3.16c/20050805 found nothing
Ikarus found nothing
Kaspersky found []
McAfee 4551/20050805 found [Generic component]
NOD32v2 1.1187/20050805 found [IRC/Cloner.AS]
Norman 5.70.10/20050805 found nothing
Panda 8.02.00/20050807 found [W32/Jeefo]
Sophos 3.96.0/20050807 found [W32/Jeefo-A]
Sybari 7.5.1314/20050807 found []
Symantec 8.0/20050806 found nothing
TheHacker found [Trojan/Downloader.IstBar.gen]
VBA32 3.10.4/20050805 found [Backdoor.IRC.Zapchast]

There goes my faith in anti-virus software. Just kidding. Those folks are fighting an uphill battle that is by nature reactive as the bad guys have their tools just as we do.

So what more can you do than run a different brand of anti-virus software at the perimeter and on the desktop?

Start with user education. Some awareness training will do wonders.

Next, make sure all Windows desktops/laptops that are rolled out are set up to show the extensions of all files, so that the user does in fact have a chance to see the real name and get alarmed by the *.gif.exe, once they have been to that training telling them they'll get punished if they click on anything that looks like that.

Finally, try to filter messages where the formatting is such that the URL the "a" tag refers to is different from the apparent URL inside the tag. Those messages should be quarantined. Also avoid, whenever possible, all of those double extension attachments and downloads into an environment that is file extension sensitive, such as Windows.
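The two mail-side checks described above, mismatched link text and double extensions, as an added illustration (not code from the diary): the HTML snippet, attachment name and the list of executable extensions are all constructed assumptions for this example.

```python
"""Quarantine checks from the diary: (1) an <a> tag whose visible text looks
like a URL but whose href points at a different host, (2) an attachment with a
double extension such as postcard.gif.exe. Samples below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows will execute on double-click (illustrative subset, assumption).
EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in a message body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lowercase host of a URL; link text often lacks a scheme, so add one."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def mismatched_links(html):
    """Anchors whose displayed text is itself a URL on another host than the href."""
    parser = AnchorCollector()
    parser.feed(html)
    url_like = re.compile(r"^(https?://|www\.)\S+$", re.I)
    return [(href, text) for href, text in parser.anchors
            if url_like.match(text) and host_of(text) != host_of(href)]

def has_double_extension(filename):
    """True for names like postcard.gif.exe: a decoy extension before an executable one."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXT

def should_quarantine(html, attachments):
    return bool(mismatched_links(html)) or any(has_double_extension(a) for a in attachments)

# Constructed sample: visible text names one host, the href another.
SAMPLE_HTML = ('<p>You got a postcard! <a href="http://evil.example/postcard.gif.exe">'
               'http://www.greetings.example/card</a></p>')
SAMPLE_ATTACHMENTS = ["postcard.gif.exe"]
```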

Virus numbers!

The thing with these differing names for a single virus is, simply put: why do you need them? Well, they are good for talking to somebody else. E.g. Melissa rings a bell, doesn't it? But as the example above shows, these names lead to nothing but confusion. "Yeah, I got to clean Jeefo."; "Good luck with that one, I just cleaned Zapchas." Let alone the numbering/lettering used for the variants. Once these get beyond B, it seems as if some count faster than others. This lack of sync causes people to only remember the name, not the version. But the payload, impact, clean up, ... of a virus can be quite different between these variants, causing even more confusion.

So we could continue to argue -as customers- with our vendors and demand they synchronize it. Tried that; apparently it still doesn't work all that well in the real world, despite promises to the contrary.

The other thing with virus names is that they create the chance of fame and glory for the author. "I wrote Melissa" (no I didn't, but you'll get the meaning) is a much more interesting statement at some hacker convention than "I wrote CXN-2001-0041".

So here goes my suggestion for you to like or dislike: Let's -as customers- demand that our suppliers switch to a system like the one used for vulnerabilities:

- CXN: Common eXploit Number

- CXC: Common eXploit Candidate

Once a CXN is issued, everybody switches their CXC to the CXN. A CXN is exactly one variant of one exploit (such as a virus), proven by samples kept centrally.

Let's demand the vendors fund a little 3rd party organization that keeps the numbers in sync, and if they are smart they can learn to share descriptions and the like (which cost a lot of money to produce, while it gains us little to know exactly who wrote them, as long as they are good enough).

At the same time, the Internet at large gets rid of the fame and glory of the authors having a recognizable hook to get their trash in the press for their 15 minutes of fame.

Yes, I'm taking the step to sweep viruses/worms/trojans/... all into a single "exploit" bin. It only makes sense, as they are all growing into the same thing anyway.

The next logical step would be to link exploits to vulnerabilities, and there you have the birth of a relational database. That database could (eventually) expand to include vendor info such as which version is vulnerable and which patch stops the vulnerability, creating a link between e.g. the IDS seeing an exploit and the admin relaxing as he sees the patch for the associated vulnerability has already been deployed site wide, and that the anti-virus reports it stopped it as well.

In Dutch there is a saying "hoop doet leven". It is hard to translate, but literally it is something like "hope makes living". But I'm not expecting the vendors to be thrilled about it. FUD does sell products in our field.

IE7.beta warez bugged?

Microsoft is rightfully restricting downloads of IE7's beta release. This creates a market for warez versions, and Craig reported that one of those was bugged with spyware. It's a big download and a big thing to search through, so it's not (yet) confirmed by us.

But the generic advice to stay away from warez is easy to give. Aside from the legalities and ethics, you do not know what you get in your hands. It might erase everything, send spam in your name, erase all network shares it has access to, ... or it might do as advertised. How will you know? You do know you got it from people telling you they don't mind breaking the law and providing you with an illegal copy of some piece of software. Now, who do you trust?

Black Tuesday: be prepared!

Next Tuesday will be a Microsoft patch day. This will probably cause a lot of reboots throughout the world.

An anonymous reader pointed out this blog:
. It contains experiences with locked up machines: older APC software can cause a machine to hang during a reboot due to an expired cert in a Java runtime environment. Perhaps some preparation will safeguard you from jumping to the "blame those new patches" conclusion.

Update: another anonymous reader gave us this URL from APC:
which led us to find the writeup of Sun on the issue at:

Swa Frantzen