
Softpanorama Malware Protection Bulletin, 2007



Old News ;-)

[Dec 7, 2007] Warning sounded over 'flirting robots' Beyond Binary - A blog by Ina Fried -

Pretty funny but not very plausible ;-). Anyway, on the internet you never know who is on the other end of the online chat...

A program that can mimic online flirtation and then extract personal information from its unsuspecting conversation partners is making the rounds in Russian chat forums, according to security software firm PC Tools.

The artificial intelligence of CyberLover's automated chats is good enough that victims have a tough time distinguishing the "bot" from a real potential suitor, PC Tools said. The software can work quickly too, establishing up to 10 relationships in 30 minutes, PC Tools said. It compiles a report on every person it meets complete with name, contact information, and photos.

"As a tool that can be used by hackers to conduct identity fraud, CyberLover demonstrates an unprecedented level of social engineering," PC Tools senior malware analyst Sergei Shevchenko said in a statement.

McAfee Margins Under Siege by Symantec, Microsoft (Update2)

Dec. 3, 2010 | Bloomberg

McAfee Inc., the security software maker that lured customers from larger Symantec Corp. to drive its stock 35 percent higher this year, is about to come under attack.

Symantec is fighting back with discounts of as much as 70 percent and a new product that has caught up with McAfee features to stop more viruses and spam, block intruders and control how computers enter the network. Microsoft Corp., with its history of undercutting prices in markets it enters, has readied its own security software.

McAfee Chief Executive Officer Dave DeWalt will be forced into steeper price cuts, said Morgan Stanley analyst Peter Kuper. He expects McAfee's profit-margin expansion to slow within six months, after doubling to 20 percent of sales in the past year.

``McAfee may have reached its peak growth,'' said Kuper in Boston. ``Symantec has to stop the share loss, and discounting is the obvious approach.''

Kuper says to sell Santa Clara, California-based McAfee, the second-largest maker of software protecting computers from hackers, while most analysts advise clients to buy. He predicts it will fall an additional 16 percent from today's close to $32, from a peak of $41.35 on Oct. 31.

McAfee fell 67 cents to $38.28 at 4 p.m. in New York Stock Exchange composite trading. Symantec, down 16 percent this year as it reorganized its sales force and struggled with product delays, fell 28 cents to $17.52 on the Nasdaq Stock Market.


Corporations, government agencies and institutions are the primary battleground, spending $2.15 billion on antivirus software last year, according to Gartner Inc.

Almost all companies already own programs to protect their systems, said Natalie Lambert, an analyst at Cambridge, Massachusetts-based Forrester Research Inc. ``The market is saturated, so every single customer win is a rip-and-replace.''

For two years, Cupertino, California-based Symantec has been most likely to be ripped out. Its programs, including AntiVirus Corporate Edition and Symantec Client Security, were harder to manage than its competitors', analysts said. The company struggled to integrate eight acquisitions, leading to disarray in its sales team.

General Electric Co. stopped using Symantec to protect 350,000 computers and switched to Sophos Plc, the Abingdon, England-based security vendor said in June.

McAfee was the biggest benefactor from Symantec's missteps. The company convinced 85 corporations to defect in the most recent quarter. Most switched from Symantec, McAfee spokesman Joris Evers said in an e-mail.

Market Share

Symantec's worldwide market share for antivirus software sold to institutional accounts fell 1 point to 38 percent last year, while McAfee's share widened by 1.8 points to 25.4 percent, according to Stamford, Connecticut-based Gartner.

McAfee made 58 percent of its $1.14 billion in 2006 revenue providing security software to organizations, and the rest from sales to consumers.

Symantec got $2.02 billion, or 38 percent of revenue, from large security customers in the fiscal year ended March 30, while consumer sales totaled $1.59 billion. The company also sells data storage services.

McAfee used a more than one-year head start on an easier-to-manage security product, Total Protection for Enterprise, to win sales while charging more than Symantec.

``We deliver more value than anyone else,'' said Bill Gardner, McAfee's director of competitive marketing.

Discounts, Giveaways

Symantec's response is Endpoint Protection, released in September. The product allows customers to install and manage antivirus, anti-spyware and network-access technologies on thousands of computers from one console.

Symantec is giving Endpoint Protection to clients who pay maintenance fees for some earlier products. To displace rivals, Symantec will also trim 45 percent off Endpoint's list price, and resellers may cut even further, said Kevin Murray, senior director of product marketing. A highly sought client may get as much as 70 percent off in ``rare'' instances, he said.

McAfee will probably be forced to follow suit, said Kuper and Amrit Williams of competitor BigFix Inc.

``McAfee will do extremely competitive discounting deals when they aren't the incumbent,'' said Williams, chief technology officer of the Emeryville, California-based maker of programs combining system- and security-management. ``Customers are demanding more and they want to pay less.''

Willing Bettor

Eighteen analysts suggest buying McAfee, seven recommend holding, and four say sell. McAfee has shown it can market new technologies faster, said Walter Pritchard, an analyst with Cowen & Co. in San Francisco, who advises investors to buy both McAfee and Symantec and doesn't own either stock. ``I'm willing to bet more on McAfee's ability to execute than on Symantec's.''

Pressure on McAfee may be heightened now that Microsoft, the world's biggest software maker, began offering its Forefront programs for computers and servers on July 1.

Forefront can't protect against as many kinds of attacks as some other products, analysts and competitors said. Microsoft's pricing has put pressure on Symantec and others, Murray said.

``Microsoft can thrive on good enough,'' said Lambert, who predicts the company will further commoditize security software. ``Vendors become scared, add functions and lower prices to become competitive.''

Microsoft earlier undercut prices for databases, taking sales from Sybase Inc. and Oracle Corp. The same thing occurred with file servers, where Windows hurt Unix server sales. ``Even if a customer doesn't choose Microsoft, it will use the idea of choosing Microsoft to get a better discount,'' Lambert said.

Microsoft has implemented ``competitive but fair pricing models'' for its security products, Steve Brown, director of product management, security and access, said in an e-mail. The company wouldn't discuss Forefront features in detail.

McAfee's margin expansion may slow as prices drop and the company acquires technologies to fend off more online threats, Kuper said. ``You will start to see the beginning of the decline two quarters from now.''

To contact the reporter on this story: Rochelle Garner in San Francisco at

[Aug 7, 2007] Security Watchdog blog

July 16, 2007

Scammers donating your money to charity

Look out for small but unauthorised charitable donations from your credit card, it could be scammers testing the validity of the card. In a warning, Cyber-Ark said that this is especially worrying for business debit and credit card account holders, as they tend to have less control over card use than their personal counterparts.

July 16, 2007

Commercial cyber crime boom

The commercialisation of cyber-crime is driving malware writing activity and will lead to progressively more serious IT security threats, according to research from Frost & Sullivan.

The analyst believes the global market for antivirus technologies reached $4.6bn in 2006, up 17.1 per cent from $4bn in the previous year.

[Jun 28, 2007] Mal-ObfJS-C Where When

"the servers targeted in this attack have almost exclusively been running some flavour of Apache on Unix."
22 June 2007

For the past 7 weeks SophosLabs have been tracking an attack targeting sites all over the world. In the attack, legitimate sites have been compromised so that they serve up a malicious JavaScript (Mal/ObfJS-C). In this post, I present a brief summary of the data obtained thus far.

Since May 1st, we have found 3,896 URLs that have been compromised, over 1,627 different domains. The subject matter of the hacked sites covers as wide a range of topics as you can imagine. Clothes boutiques, driving instruction, nude beauty pageants, celebrity gossip, hypnotherapy through to handmade musical instruments. Most worryingly, there are some fairly popular sites within the list, including a fairly large bank (this site was hacked last week). Taking a deeper look at the data, we can gather further information about this campaign.

As you can see from the following graph (note the log scale on the y-axis), the vast bulk of the compromised pages are being served up from sites in the United States, closely followed by Brazil, Canada and the UK.

It should be noted this data is based on the country in which the host web server resides - it does not indicate the locale of the site itself. For example, several '' domains were found to be hosted within the US.

To get a true impression of the scale of such an attack, looking at domain names alone is insufficient. We have encountered previous cases where initial data based on a plethora of compromised domains has suggested a large campaign, only to find that they all were as the result of the hacking of a handful of boxes within a single service provider (Troj/EncIfr-A for example). Looking at this data from an IP perspective reveals 324 unique IP addresses, the bulk of which are hosting a low number of compromised sites.

As might be expected, we can see that in several cases, once the hackers have managed to hack a server, they have compromised several sites hosted there.

Probing further, we can try to identify the operating system and web server application. As you can see below, the servers targeted in this attack have almost exclusively been running some flavour of Apache on Unix.

Though we cannot deduce the method employed by the hackers to compromise the servers, such data is nonetheless interesting. Gathering and analysis of such data provides us with valuable information to assist in the fight against web attacks. As ever, it is imperative that web servers are maintained and patched to the latest level. If you outsource the responsibility of this to your ISP, ensure they follow good practice. Remember, their failure could lead to your loss of credibility if it is your site that gets hacked into a malicious drive-by.

Fraser, SophosLabs UK

[Jun 28, 2007] How can I protect against malicious iFrames - CNET Viruses & security alerts Forums

See also Malicious iframe hacking attack

For home users:

* Beware of pages that require software installation. Do not allow new software installation from your browser unless you absolutely trust both the Web page and the provider of the software.
* Scan with an updated antivirus and anti-spyware software any program downloaded through the Internet. This includes any downloads from P2P networks, through the Web and any FTP server regardless of the source.
* Beware of unexpected strange-looking emails, regardless of their sender. Never open attachments or click on links contained in these email messages.
* Enable the "Automatic Update" feature in your Windows operating system and apply new updates as soon as they are available.
* Always have an antivirus real-time scan service. Monitor regularly that it is being updated and that the service is running.
* Free security tools are available at

[Jun 28, 2007] Computerworld - Porn sites serve up Mpack attacks by Gregg Keizer

Malicious iframes are a very dangerous attack

25/06/2007

Several hundred pornography sites are surprising unwitting users with a smorgasbord of exploits via Mpack, the already notorious hacker toolkit that launched massive attacks earlier this week from a network of more than 10,000 compromised domains.

Trend Micro has spotted nearly 200 porn domains -- most dealing in incestuous content -- that have either been hacked or are purposefully redirecting users to servers hosting Mpack, a professional, Russian-made collection of exploits that comes complete with a management console.

Even though there are far fewer porn sites in this newly discovered infection chain than in Monday's "Italian Job" attack -- called that because most of the 10,000+ hijacked sites were legitimate Italian domains -- they've managed to infect twice as many end-users' PCs, said Trend Micro in a posting to its malware blog.

"Right now, we are not sure whether the porn sites are compromised to host the IFRAMES, are created to do so, or are being paid to host the IFRAMES," acknowledged Trend Micro. The attack probably began June 17, the company said.

Other researchers have continued to dig into the Mpack-based attacks and have shared some of their findings. Symantec, for instance, asked how hackers were able to infect so many sites in such a short time, and how they could inject the necessary IFRAMES code -- the malicious code they added to the legitimate sites' HTML that redirected visitors to the Mpack server -- so quickly.

"The MPack gang appears to be using an IFRAME manager tool to automate the task on a large scale," said Amado Hidalgo, a Symantec security analyst. The tool, which Hidalgo said was basically an FTP updater using MySQL as a back-end database, regularly checks a large list of sites to inject the malicious IFRAME code.

Hidalgo also spelled out how hackers have been getting into legitimate sites, which puzzled investigators earlier this week. "It takes as input a list of Web site administrator accounts, possibly obtained in the black market," he said. Those administrator accounts are recorded in MySQL, and the manager can be left running so that it re-infects sites that have been purged of the IFRAMES code. "A simple clean-up of the page is not sufficient," advised Hidalgo. "The site administrator's credentials need to be changed."

Sophos, meanwhile, analyzed the nearly 4,000 compromised sites it had found delivering the malicious IFRAMES code, and found that the overwhelming majority -- 98 percent to be exact -- were running the Apache Web server. "The servers targeted in this attack have almost exclusively been running some flavor of Apache on Unix," said Sophos in a blog entry Friday. That's not always the case, said Ron O'Brien, senior security analyst at Sophos. "Overall, hacked sites are about evenly split between Apache and [Microsoft] IIS servers, but in this subset it's almost entirely Apache." Another interesting factoid, said O'Brien: "Of all the sites we've tracked that serve malicious code, about 80 percent have been hacked."

Still other researchers rooted out details of Mpack, including its price and the nom-de-plume of its creator. Ken Dunham, director of VeriSign-iDefense's rapid response team, said Mpack sells for around US$1,000, and that the man [or woman] behind it goes by "$ash" in the Russian hacker underground. The latest version of Mpack, .90, includes exploits for eight different vulnerabilities, six of them flaws in Windows or Internet Explorer, including the dangerous ANI bug that affected Vista earlier this year.

"This is a powerful Web exploitation tool," Dunham said.

[Jun 22, 2007] Pornography is BAD for you!

It is most likely this attack was made online sometime last week, around June 17, based on Trend Micro's World Virus Tracking Center.
Trend Micro

Be careful in searching for porn sites, you may get other forms of "malicious" content that is definitely undesirable.

Just a few days after the infamous Italian Job malware, Trend Micro found another one with a similar modus operandi, but instead of hacked Italian web sites, the infection chain starts on certain pornographic sites.

The pornographic sites, which tend to specialize in incestuous content, have obfuscated IFRAME code appended at the end of the HTML code. This IFRAME redirects to another domain that will serve a script file to download a copy of TROJ_AGENT.QMN. Right now, we are not sure whether the porn sites are compromised to host the IFRAMES, are created to do so, or are being paid to host the IFRAMES.

The detections for web pages containing the obfuscated IFRAME code, as well as the script file that downloads TROJ_AGENT.QMN are still being created as of writing.

This particular attack uses the toolkit MPack v0.86, the same one used in the Italian Job attack, and, despite only having 197 domains with IFRAMEs (as compared to the Italian Job's 10,000++ domains), is able to infect twice as much as the Italian Job.

It is most likely this attack was made online sometime last week, around June 17, based on Trend Micro's World Virus Tracking Center.
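
An added example, not code from Trend Micro, Symantec or this page: a web-root audit that flags active markup appended after the closing </html> tag, as in the Trend Micro description above, and compares each page with a known-good hash so that the re-injection Hidalgo describes is caught on the next run. The function names, the obfuscation hints and the in-memory sample pages are assumptions constructed for illustration.

```python
"""Added example: audit pages for markup appended after </html>."""
import hashlib
import re

CLOSE_HTML = re.compile(rb"</html\s*>", re.I)
ACTIVE_TAG = re.compile(rb"<\s*(iframe|script|object|embed)\b", re.I)
# Assumed hints of script obfuscation; tune to what your own pages legitimately use.
OBFUSCATION = re.compile(
    rb"unescape\s*\(|eval\s*\(|fromCharCode|document\.write\s*\(", re.I)


def appended_markup(html):
    """Describe active tags found after the last </html>, or return None."""
    closes = list(CLOSE_HTML.finditer(html))
    if not closes:
        return None                      # fragment or non-HTML file: no anchor
    end = closes[-1].end()
    tail = html[end:]
    tags = sorted({m.group(1).decode().lower()
                   for m in ACTIVE_TAG.finditer(tail)})
    if not tags:
        return None                      # only whitespace or comments follow
    return {"offset": end, "tags": tags,
            "obfuscated": bool(OBFUSCATION.search(tail))}


def audit(pages, baseline):
    """Compare pages (path -> bytes) with baseline (path -> sha256 hex).

    Returns path -> list of issues. A page can be both modified and carry
    appended markup; a cleaned page that is injected again shows up on the
    next audit because its hash no longer matches the baseline.
    """
    findings = {}
    for path, body in sorted(pages.items()):
        issues = []
        known = baseline.get(path)
        if known is None:
            issues.append("not-in-baseline")
        elif hashlib.sha256(body).hexdigest() != known:
            issues.append("modified")
        hit = appended_markup(body)
        if hit:
            label = "appended:" + "+".join(hit["tags"])
            if hit["obfuscated"]:
                label += ":obfuscated"
            issues.append(label)
        if issues:
            findings[path] = issues
    return findings


def run_sample():
    """Audit a constructed site before and after cleanup."""
    clean = {
        "index.html": b"<html><body><p>Welcome</p></body></html>\n",
        # Script inside the document body is legitimate and must not be flagged.
        "about.html": b"<html><body><script>var a = 1;</script></body></html>\n",
    }
    baseline = {p: hashlib.sha256(b).hexdigest() for p, b in clean.items()}
    tampered = dict(clean)
    # Constructed, inert stand-ins for the injected content.
    tampered["index.html"] += (
        b'<script>document.write(unescape("PLACEHOLDER"))</script>')
    tampered["new.html"] = (
        clean["index.html"] + b'<iframe src="http://example.invalid/"></iframe>')
    return audit(tampered, baseline), audit(clean, baseline)


if __name__ == "__main__":
    dirty, restored = run_sample()
    for path, issues in dirty.items():
        print(path, ", ".join(issues))
    print("after cleanup:", restored or "no findings")
```

Run the audit on a schedule rather than once: a clean result only means the pages match the baseline at that moment, and the credentials used to upload them still need to be changed.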

[Mar 29, 2007] W32/, W32/, Win32/Looked.S, W32.Looked.P

This is a file-infecting worm -- a virus+worm combination. The virus part infects EXE files by prepending its body.

Also known as W32/Downloader (F-Secure), W32/HLLP.Philis (McAfee), Win32.Looked, Win32/Looked!Dropped!Worm, W32.Looked.P (Symantec), W32/Looked-AV (Sophos), Worm.Win32.Viking (Kaspersky)

Based on your sample, Phillis/Looked is a file-infecting worm that spreads via network shares. The executable is a 72,316-byte compressed Win32 executable. The worm also drops a 33,680-byte DLL which is used to download and execute binary executables.

When executed, Win32/Looked copies itself to the %Windows% directory using the following filenames:

  • C:\WinNT\uninstall\rundl132.exe 72,316 bytes
  • C:\WinNT\Logo1_.exe 72,316 bytes
  • C:\WINNT\RichDll.dll 33,680 bytes

    I can confirm that inoculation against this worm/virus can be achieved by setting the key


    subkey: auto

    value: "1"

    The virus infects most or all .EXE files it finds on accessible partitions during the initial launch. Infected files are larger than the original by 72/73K (72316 to be exact). The virus scans all the drives it can reach on startup. So if a server has some network drives mapped, the results are predictable -- all EXE files on remote drives are infected. It looks like newly mounted partitions (for example USB drives mounted after the computer was infected) are unaffected.

    I would like to stress it again: all EXE files belonging to all installed applications on servers are affected: Notes, Oracle, Java, you name it. Microsoft patches are infected too ;-) If the server is infected with several worms, executables like algore32.exe are infected too :-).

    [Mar 21, 2007] Ole registry Cleaner - Vers 1.5

    The purpose of this program is to remove the Ole garbage left in the registry after installing and deinstalling several Ole (Com) dlls. This program can be especially useful to those who build dlls in Visual Basic. They know what I mean.

    [Mar 21, 2007] Warning -- floods of Allaple worm alerts.... sid200329(2-5)

    It looks like the Bleeding Edge Snort rules have an ICMP rule for the Allaple worm, but it is unclear whether it is correct or even relevant. First of all, the worm produces several types of ICMP packets and this one might be a minority or limited to a particular strain.
    File: [Bleeding] / sigs / VIRUS / WORM_Allaple (download)
    Revision: 1.8, Fri Mar 16 08:52:23 2007 EDT (5 days, 1 hour ago) by jonkman
    Branch: MAIN
    CVS Tags: HEAD
    Changes since 1.7: +1 -1 lines
    2003484: Adding threshold
    #by Matt Jonkman
    alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE WORM Allaple ICMP Sweep Ping Outbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,; reference:url,; sid:2003292; rev:5;)
    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE WORM Allaple ICMP Sweep Reply Inbound"; icode:0; itype:0; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_dst; classtype:trojan-activity; reference:url,; reference:url,; sid:2003293; rev:5;)
    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE WORM Allaple ICMP Sweep Ping Inbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,; reference:url,; sid:2003294; rev:4;)
    alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE WORM Allaple ICMP Sweep Reply Outbound"; icode:0; itype:0; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_dst; classtype:trojan-activity; reference:url,; reference:url,; sid:2003295; rev:4;)
    #Matt Jonkman
    alert tcp any any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE WORM Allaple Unique HTTP Request - Possibly part of DDOS"; flow:established,to_server; content:"GET /  HTTP/1.1|0d 0a|"; rawbytes; depth:20; threshold:type both, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,; reference:url,; sid:2003484; rev:3;)

    Date: March 16th, 2007

    Subject: Warning -- floods of Allaple worm alerts.... sid:200329(2-5)

    List-id: Bleeding Sigs <>

    Over the last 24 hours we have had about 50 sources fire 20 million ping
    packets containing the string that triggers the Allaple signature.  The
    only effect it has had is to gum up my snort database.   I don't believe
    this is worm traffic and if is a ddos it is pretty feeble.  It was
    however a fairly effective dos against my snort system -- two sensors
    saw this traffic so that's a total of over 40 million events in the
    database.  :(
    I have now disabled all those rules and am (slowly) deleting all the
    records from the data base.   Can I suggest that these rules be disabled
    by default with a comment saying why.
    Anyone got any idea why this traffic was sent (I doubt if they were
    really trying to attack my snort system).   They have sent enough
    traffic to random addresses to map our network 200 times over.

    [Mar 14, 2007] SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

    Compare with Allaple.B (aka Rahack.W and Rahack.WW) description. Some additional information on DDoS attack; might be incorrect and the whole analysis is very superficial.
    Allaple worm

    Published: 2007-03-14,
    Last Updated: 2007-03-14 23:54:52 UTC
    by donald smith (Version: 1)

    This comes from one of our friends over at the Finnish cert team CERT-FI / FICORA.

    "CERT-FI has been tracking the situation with the Allaple worm
    for about 8 months now. We have traced the evolution of the
    worm since the first variants came out.

    Allaple is a polymorphic worm. The first variants spread through
    Radmin installations that had weak passwords.
    Every variant so far also tries to locate
    all html files on the harddisk to prepend an <object> -tag
    into the file to ensure activation of the worm when a local
    webmaster views the files. Traces of this behaviour can be
    seen on some websites: There's an <object> tag right below the
    <html> tag in the page, with the source pointing to a random

    The first variants were DDOSsing only 1 target and the DDOS was a basic
    SYN flood. Shortly there after another target was added to the DDOS routine in the

    A bit after that the spreading mechanisms were changed from
    Radmin scans to basic catering of Windows exploits,
    and yet another target or victim was added.

    The SYN DDOS routine has been the same from the first variant
    to the latest variant available. Early in the winter code was
    added to do HTTP GETs on the target websites.
    A few other ports
    were also targeted. One site is currently getting gentle packet
    love on tcp ports 22,80 and 97. Another site is getting packets and
    HTTP gets on port 80, and yet another is getting packets on
    ports 80 and 443.

    The worms have absolutely no Command and Control channels in them.
    Once released, there is no way to make them disappear. Their sole
    purpose is to spread and DDOS.

    In case you are in the correct position, and you feel you would
    want to help in this pesky problem, here are a few tricks you can
    use to identify Allaple variants on the loose in your networks:

    1) ICMP packets with the string "Babcdefghijklmnopqrstuvwabcdefghi",
    sans quotes, in the payload.
    2) Echo requests to entire networks including host octets of 255 and 0.

    We have reason to believe that there will be more variants,
    it's just a matter of time when a new one pops out into the open.

    CERT-FI is interested in any information or observations regarding the DDOS
    or the malware itself. We can be contacted at cert(at)"
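
An added example, not code from CERT-FI, the Bleeding Edge ruleset or this page: a detector for the two indicators CERT-FI lists above that emits at most one alert per indicator and source in 60 seconds, the behaviour the "threshold: type both, count 1, seconds 60" option in the rules quoted earlier asks for, so a sweep cannot fill the event store the way the mailing-list post describes. The class and function names, the /24 grouping used for the .0/.255 check, tracking by source for both requests and replies, and the sample traffic are assumptions.

```python
"""Added example: Allaple ICMP indicators with per-source alert thresholding."""
import ipaddress
import struct
from collections import defaultdict

# Payload string quoted by CERT-FI and matched by the Bleeding Edge rules.
ALLAPLE_MARKER = b"Babcdefghijklmnopqrstuvwabcdefghi"
ECHO_REQUEST, ECHO_REPLY = 8, 0


def icmp_checksum(data):
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type, payload, ident=1, seq=1):
    """Build a raw ICMP echo message; used only to construct sample traffic."""
    body = struct.pack("!HH", ident, seq) + payload
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, 0, 0) + body)
    return struct.pack("!BBH", icmp_type, 0, csum) + body


class AllapleDetector:
    """Checks both indicators; one alert per (indicator, source) per window."""

    def __init__(self, window=60):
        self.window = window
        self.window_start = {}              # (indicator, src) -> ts of last alert
        self.suppressed = defaultdict(int)  # (indicator, src) -> events dropped
        self.edge_hits = defaultdict(set)   # (src, /24 prefix) -> {0, 255} seen

    def _threshold(self, indicator, src, ts):
        key = (indicator, src)
        start = self.window_start.get(key)
        if start is None or ts - start >= self.window:
            self.window_start[key] = ts
            return True
        self.suppressed[key] += 1           # counted, but not stored as an alert
        return False

    def inspect(self, ts, src, dst, icmp):
        """Return the alerts (ts, indicator, src) raised by one ICMP message."""
        if len(icmp) < 8:                   # truncated header: nothing to match
            return []
        icmp_type, code = icmp[0], icmp[1]
        if code != 0 or icmp_type not in (ECHO_REQUEST, ECHO_REPLY):
            return []
        events = []
        if ALLAPLE_MARKER in icmp[8:]:      # indicator 1: marker in the payload
            events.append("allaple-marker")
        if icmp_type == ECHO_REQUEST:       # indicator 2: pings to .0 and .255
            addr = int(ipaddress.IPv4Address(dst))
            host = addr & 0xFF
            if host in (0, 255):
                seen = self.edge_hits[(src, addr >> 8)]
                seen.add(host)
                if seen == {0, 255}:
                    events.append("edge-sweep")
        return [(ts, name, src) for name in events
                if self._threshold(name, src, ts)]


def run_sample():
    """Replay constructed traffic; returns (alerts, suppressed marker events)."""
    det = AllapleDetector()
    alerts = []
    scanner, benign = "203.0.113.7", "198.51.100.9"
    # Constructed sweep: one marked echo request to every address in 192.0.2.0/24.
    for i in range(256):
        pkt = build_echo(ECHO_REQUEST, ALLAPLE_MARKER, seq=i)
        alerts += det.inspect(i * 0.01, scanner, "192.0.2.%d" % i, pkt)
    # Constructed benign ping: the same alphabet run without the leading "B".
    alerts += det.inspect(3.0, benign, "192.0.2.10",
                          build_echo(ECHO_REQUEST, ALLAPLE_MARKER[1:]))
    # The scanner is still active after the 60-second window has elapsed.
    alerts += det.inspect(61.0, scanner, "192.0.2.10",
                          build_echo(ECHO_REQUEST, ALLAPLE_MARKER))
    return alerts, det.suppressed[("allaple-marker", scanner)]


if __name__ == "__main__":
    found, dropped = run_sample()
    for ts, name, src in found:
        print("%6.2f  %-14s %s" % (ts, name, src))
    print("suppressed marker events:", dropped)
```

The suppressed counter keeps the volume visible without writing one database row per packet, which is the failure the sensor operator reported.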

    [Mar 12, 2007] Windows Malicious Software Removal Tool

    Another useful free tool from Microsoft

    This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month.

    [Mar 9, 2007] Description of the Port Reporter Parser (PR-Parser) tool

    Microsoft's specialized sniffer that can be useful for analysis of network worms, for example Allaple.
    When a Microsoft Windows-based computer becomes vulnerable, an attacker typically uses the resources of the Windows-based computer to inflict more damage or to attack other computers. This kind of attack typically involves activities such as starting one or more processes, or using TCP and UDP ports, or both. Unless an attacker hides this activity from the Windows-based computer itself, you can capture and identify this activity. Therefore, looking for indications of this kind of activity can help you determine whether a system is vulnerable.

    The Port Reporter tool is a program that can run as a service on a computer that is running Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000. The Port Reporter service logs TCP and UDP port activity. On Windows Server 2003-based and Windows XP-based computers, the Port Reporter service can log the following information:

    The data that is captured by the Port Reporter service may help you determine whether a computer is vulnerable. The same data is also useful for troubleshooting, for gaining an understanding of a computer's port usage, and for auditing the behavior of a computer.

    PR-Parser is a tool that parses the logs that the Port Reporter service generates. For additional information about the Port Reporter service, click the following article number to view the article in the Microsoft Knowledge Base: 837243 Availability and description of the Port Reporter tool

    The PR-Parser tool provides the following three basic functions:

    The PR-Parser tool has a Windows Graphical User Interface (GUI) that makes it easier to review the logs. By using the GUI, you can sort and filter the data in a number of ways. The PR-Parser tool helps you identify and filter the data that you are interested in. The tool provides the following functionalities:

    The PR-Parser tool provides some log analysis data also. This data can help you understand the usage of a computer. This data includes the following:

    [Feb 25, 2007] Allaple.B (aka Rahack.W and Rahack.WW) description

    Standard Softpanorama spyware defense strategy based on Ghost does wonders against this worm, but additionally on infected computers passwords need to be made stronger (two-word (AOL-style) passwords with min length 10 or 12 can help here) and patches need to be installed (automatic installation of patches on desktops is highly recommended).

    Allaple.b worm was discovered somewhere in late 2006 and was active for several months after that.

    It propagates rather slowly and does not create "avalanche epidemics", but it does propagate, and at the beginning signatures for detecting and removing the worm were very weak. In March 2007 they got better: for example, F-Secure (which uses the Kaspersky engine), which was unable to disinfect strain B completely with signatures older than, say, Feb 28, 2006 (I do not know the exact date), now does a better, although far from perfect, job. It looks like with signatures later than March 3, 2007 DrWeb detects it but still cannot completely disinfect this particular strain of the worm (I checked a free version called cureit).

    Allaple is a polymorphic network worm which contains just one executable. Polymorphism means that the content of every copy of the worm differs slightly from every other copy (probably due to a polymorphic decryptor), but paradoxically the length of all instances is constant (57856 bytes).

    Also, when scanning the drive for HTML files, it generates and drops a lot of executables with random names that contain exactly eight characters. The only exception is the first executable, which always has the name urdvxc.exe, which is hardwired in the worm code (see below).

    Also, when the worm's executable runs, it behaves like old polymorphic file viruses -- the polymorphic decryptor decodes the body and then control is passed to the static part of the worm code, which allocates a memory buffer and extracts the main worm's code into it. Only then is control passed directly to the extracted worm's code. At the same time, while going to such lengths to encrypt the worm body, the author(s) left the size of the worm's executable file constant.


    [Feb 24, 2007] Generic method of fighting network worms that use NetBIOS (ports 137-139) like recent RAHack.BB (Panda) network worm ( aliases RAHack.W (Symantec), ALLAPLE.B (Trend Micro), Allaple.B (Sophos), net-worm.win32.allaple.b (F-secure), Trojan.Starman (Drweb).)

    The Allaple/RAHack worm, like several others, is programmed to use NetBIOS (it heavily uses port 137), so if we disable this service it loses its ability to propagate. This is an inoculation and not a disinfection, but it can suffice.
    To do this you need to go to TCP properties for the particular network adapter that you are using (this is a per-adapter setting, so on docked laptops you need to deal with two adapters, or three if we count wireless), go to Advanced, then WINS and click on the "Disable NetBIOS over TCP/IP" setting.
    See Microsoft article Direct hosting of SMB over TCP-IP for additional details (it looks like this setting can be enforced via Microsoft DHCP server or group policy if Active Directory is used).
    I got the original idea from the following email:
    NetBIOS-free SMB protocol on port 445 in Windows 2000-XP

    Jay Ts jay at
    Wed Aug 29 21:52:52 GMT 2001

    Chris Hertel wrote:
    > Yes, we know.  Have known for over a year.
    > I think it was Tridge who convinced Microsoft to use port 445. 
    Cool.  So can I assume that it will be no problem to add support for it?
    And are plans for such in process?
    - Jay Ts
    > > Hi,
    > > 
    > > Yesterday a friend forwarded to me this URL at Microsoft:
    > > 
    > >
    > > 
    > > It is about support in Windows 2000/XP for running SMB for
    > > file and printer sharing over port 445, with no overhead of
    > > NetBIOS.
    > > 
    > > The question of course is, are the Samba Team aware of this,
    > > and can it be supported in future versions of Samba?
    > > 
    > > The webpage says it is possible to set up a Win 2000/XP network to
    > > only use the new protocol, and shut out SMB/NetBIOS networking on
    > > ports 137-139 entirely.
    > > 
    > > - Jay Ts

    [Feb 21, 2007] NIST SP 800-83 Guide to Malware Incident Prevention and Handling
    November 2005

    At least something from NIST. The guide actually documents several good practices, like blocking executable attachments in email. (BTW, zip files with short names, say less than 14 characters, should also be blocked, as some viruses exploit this format; in all large organizations email users should be trained to give attachments meaningful -- and that means long -- names. Such a policy not only ensures a proper level of email courtesy but also provides an additional level of virus protection.)

    Adobe PDF (2.89 MB)

    [Feb 8, 2007] Security News - Study shows hackers rely on dumb users

    I am curious how they got this figure of one attempt every 39 seconds during a 42-day period. Looks suspicious to me. Maybe the researchers helped the hackers a little bit, playing both sides simultaneously :-). First of all, dictionary scripts are not that effective if an account is blocked after 5 unsuccessful attempts, which is the default on most properly configured Unix servers. So while good passwords are definitely important, and I agree that eight characters should be the minimum length for a password, the success rate raises some red flags. To get 825 successful dictionary attacks against a properly configured set of Unix systems is not an easy task if the period is just from 14 November to 8 December, 2006. That's 25 days, so that's 33 successful attacks daily. Assuming that the study observed 1000 Unix systems, we have a success rate of 3.3% (it was just a three-person study); something is wrong here. Or maybe the researchers fell victim to excessive security zeal.

    February 08, 2007 Hackers mostly try obvious passwords, exploiting poor security, rather than performing difficult exploits, according to a study which left computers online with weak passwords.

    The four Linux computers were hit by some 270,000 intrusion attempts - about one attempt every 39 seconds, during a 42-day period, according to the study by a researcher at the University of Maryland who wanted to see how hackers would attack them.

    Among the key findings: weak passwords really do make hackers' jobs much easier, and an improved selection of usernames and associated passwords can make a big difference in whether attackers get into someone's computer.

    The study was led by Michel Cukier, an assistant professor of mechanical engineering and an affiliate of the university's Clark School Center for Risk and Reliability and Institute for Systems Research. His goal was to look at how hackers behave when they attack computer systems - and what they do once they gain access.

    Using software tools that help hackers guess usernames and passwords, the study logged the most common words hackers tried to use to log into the systems. Cukier and two graduate students found that most attacks were conducted by hackers using dictionary scripts, which run through lists of common usernames and passwords in attempts to break into a computer.

    Some 825 of the attacks were ultimately successful and the hackers were able to log into the systems. The study was conducted between 14 November and 8 December at the school.

    Cukier was not surprised by what he found. 'Root' was the top guess by dictionary scripts in about 12.34 percent of the attempts, while 'admin' was tried 1.63 percent of the time. The word 'test' was tried as a username 1.12 percent of the time, while 'guest' was tried 0.84 percent of the time, according to the experiment's logs.

    The dictionary script software tried 43 percent of the time to use the same username word as a password to try to gain entrance into the affected systems, Cukier said. The reason, he said, is that hackers try for the simplest combinations because they just might work.

    Once inside the systems, hackers conducted several typical actions, he said, including checking software configurations, changing passwords, checking the hardware and/or software configuration again, and loading and installing a program.

    For IT security workers, the study reinforced the obvious. 'Weak passwords are a real issue,' Cukier said.

    At the University of Maryland, users are told that passwords should include at least eight characters, with at least one uppercase letter and one lowercase. The school also recommends that at least one character be a number or punctuation symbol, Cukier said. All passwords should be changed every 180 days, according to the university's recommendations.

    "That's really reasonable," Cukier said of the guidelines. "It's not helpful if the password is so complicated that people don't remember it and [therefore] write it down on a sticky note next to their computer."

    Users can use the title of a favorite book for a password or even the first letters from a memorable sentence, he said. "They'll be easy for you to remember because you'll be able to remember the sentence ... without having to write it down," Cukier said.

    [Feb 8, 2007] Microsoft tweaks IE7

    In my experience, early versions of IE7 are unstable, bloated, slow and buggy. Sometimes it is unable even to load a webpage -- IE7 reports a DNS error instead. Refresh helps, but this is a very annoying problem...

    February 08, 2007 (IDG News Service) -- Microsoft Corp. has quietly released a patch aimed at improving the performance of Internet Explorer 7's phishing filter ahead of the company's regular patching schedule, which occurs on the second Tuesday of every month.

    The update was made available last week on Microsoft's Web site, according to a blog entry on IEBlog, which is written by the IE team at Microsoft.

    This update addresses an issue some users experience when navigating to a page with multiple frames, or where frames are being navigated simultaneously, according to the post by IE Program Manager Steve Reynolds. This kind of navigation occurs when the IE phishing filter, which attempts to block access to sites that may try to defraud Web users, evaluates a Web page when a user navigates to it. The result is multiple simultaneous evaluations for the same page, Reynolds wrote in his post.

    In addition to being available on Microsoft's Web site now, the patch will also be released later this month for Windows XP and Windows Server 2003.

    Phishing filter performance is not the only complaint IE7 users have had since the final version was released in October. Frequent crashes and other performance problems such as excessive memory consumption that results in slow page loads have been reported.

    [Feb 8, 2007] Google releases customized version of IE7

    December 15, 2006 Internet Explorer 7 browser in which Google, not Windows Live Search, is the default search engine.

    The customized version of IE7 can be downloaded from Google.

    In addition to using Google as the default search engine, Google's customized version of IE7 provides users with the Google Toolbar and a Google home page they can personalize.

    According to a posting on Microsoft's IEBlog by Tony Chor, Microsoft's group program manager, Google and other companies, including Yahoo Inc. and, were able to build customized versions of IE7 by using the Internet Explorer Administration Kit.

    Microsoft released the tool kit so developers could customize IE, as well as to provide companies with help to configure and deploy the browser through the corporation, Chor wrote in his posting.

    Microsoft released IE7 for Windows XP on Oct. 18. IE7 is also included in Windows Vista, which is currently available in full release only to business users. Windows Vista will be available to consumers on Jan. 30.

    [Jan 10, 2007] NSA helped Microsoft make Vista secure

    From the AV point of view this is a very positive development.

    January 10, 2007 (IDG News Service) -- The U.S. agency best known for eavesdropping on telephone calls had a hand in the development of Microsoft Corp.'s Vista operating system, the software vendor confirmed yesterday.

    The National Security Agency stepped in to help Microsoft develop a configuration of its next-generation operating system that would meet U.S. Department of Defense requirements, said NSA spokesman Ken White.

    This is not the first time the secretive agency has been brought in by private industry to consult on operating system security, White said, but it is the first time the NSA has worked with a vendor prior to the release of an operating system.

    By getting involved early in the process, the NSA helped Microsoft ensure that it was delivering a product that was both secure and compatible with government software, he said.

    "This allows us to ensure that the off-the-shelf security configuration that the DOD customer receives is at a level that meets our standards," White said. "It just makes a lot more sense to be involved upfront, than it does to have the tail wag the dog."

    The NSA's involvement in Vista was first reported yesterday by The Washington Post.

    The NSA has provided guidance on how best to secure Microsoft's Windows XP and Windows 2000 operating systems in the past. The agency is also credited with reviewing the Vista Security Guide published on Microsoft's Web site.

    Microsoft declined to allow its executives to be interviewed for this story. But in a statement, the company said that it asked a number of entities and government agencies to review Vista, including the NSA, the NATO and the National Institute of Standards and Technology.

    Still, the NSA's involvement in Vista raises red flags for some. "There could be some good reason for concern," said Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC). "Some bells are going to go off when the government's spy agency is working with the private sector's top developer of operating systems."

    Part of this concern may stem from the NSA's reported historical interest in gaining back-door access to encrypted data produced by products from U.S. computer companies.

    In 1999, then-Rep. Curt Weldon (R-Pa.) said that "high level deal-making on access to encrypted data had taken place between the NSA and IBM and Microsoft," according to EPIC's Web site.

    With Vista expected to eventually power the majority of the world's personal computers, it would be tempting for the government agency to push for a way to gain access to data on these systems, privacy advocates say.

    The NSA provided guidance on Vista's security configuration, but it did not open any back doors to Windows, White said. "This is not the development of code here. This is the assisting in the development of a security configuration," he said.

    While the NSA is best known for its surveillance activities, the work with Microsoft is being done in accordance with the NSA's second mandate: to protect the nation's information system, White said. "This is the other half of the NSA mission that you never hear much about," he said. "All you ever hear about is foreign signal intelligence. The other half is information assurance."


    Copyright © 1996-2020 by Softpanorama Society. was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.


    Last modified: March, 12, 2019