Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

More on Nyxem

Published: 2006-01-23
Last Updated: 2006-01-23 22:13:35 UTC
by Bojan Zdrnja (Version: 1)
0 comment(s)

Although Nyxem is comparatively less spread then worms like Sober or Netsky, it's still doing a fair number of rounds.

The graph below is from one of the e-mail gateways with a decent number of e-mails processed daily (around 500.000+). You can see that Nyxem.E is the top malware instance detected in last 24 hours, with more than double the occurences then the next highest occuring worm (Netsky).

This is not strange as the Web counter that the worm visits upon infecting the machine currently shows around 630,000 infections (we can't be sure that this number is correct). Bert Rapp e-mailed us asking about the URL that the worm visits. This can help you in determining if a machine is infected, as it will visit the URL with the counter.

The counter is at:

h tt p:// [REMOVED] / Count.cgi?df=765247

You can search your web logs for this host name (which looks as a legitimate site).

Other than that, Fortinet released their in-depth analysis of the Nyxem worm with some pretty interesting details (you can find the original analysis here).
The most interesting part, which I haven't seen in other analysis of the worm says:

"Additional Registry Changes

  • The virus is coded to register the dropped ActiveX control through changes to the system registry. By creating the following registry entries, the control is considered "safe" and digitally signed."
The threat of worms like this will make them much more dangerous in the future. If a worm puts a fake CA certificate on an infected machine, MITM attacks become extremely easy. Of course, we all know that once the machine is infected you can't trust it, but this looks like another (big) problem for the average user out there.
0 comment(s)

Illusions of Security: wrap-up for Mac OS X

Published: 2006-01-23
Last Updated: 2006-01-23 22:07:43 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
A few days ago I wrote an article titled "illusions of security". We got quite a bit of response on it.

Some of the response came from vendors, but the point of the article was to try to create awareness at the staff of those (third party) vendors, the salespersons working in shops, administrators and users of computers that there is no such thing as an invulnerable computer.

Some responses were pointers to tools on how to secure Mac OS X and that part does have merits to do a follow-up. Perhaps the security community needs to learn a bit more of Mac OS X. I count myself as one of those who still needs to learn more about OS X. One way to learn more is to know what is available.

So some recommendations from our readers:
NOTE: this is not a recommendation from myself, the handler or SANS. It's just a list gathered from feedback of our readers, use at your own risk.

I'm actually sure there's more out there but we'll leave it as an excercise for our readers to find it for themselves.

Swa Frantzen
0 comment(s)
Diary Archives