Virus writer arrests; Win2K expired password login


This issue's topics:

Introduction:

* Two virus writer arrests; Win2K expired password login; Opera update

Virus News:

* Taiwanese Trojan author arrested

* Alleged Randex author also arrested

Security News:

* Windows 2000 users may be able to log in despite expired passwords

* Favicon bug in Opera invites phishing attacks

* How much is that bot in the Windows?

Introduction:

Next week is a short week that includes Microsoft patch day, so we've kept things short this week. A couple of virus writers have been arrested and charged, meaning we have seen about as much law enforcement action against virus writers in the last year as in the whole of virus-writing history before that.

On the security front, a non-critical bug in Opera's handling of favicons offers a possible opportunity to those behind phishing attacks, although realistically Opera's user base may be spread thinly enough across the net that the phishers will not find it worth exploiting. Windows 2000 Server domains with exactly eight-character FQDNs do not properly prevent users with expired passwords from logging in. We also include an item showing the extent to which high-speed Internet users are attractive targets for those behind spam.

Virus News:

* Taiwanese Trojan author arrested

CNETAsia has reported the arrest of a 30-year-old Taiwanese engineer, Wang An-ping. Wang has admitted writing and distributing a remote access Trojan that was subsequently used in attacks, reputedly by Chinese hackers, against Taiwanese government computers.

Wang originally planned to sell Peep, but eventually released the remote access Trojan (RAT) and its companion 'client' program freely through a web page.

Peeping Taiwanese Trojan author is arrested - cnet.com

F-Secure Security Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Alleged Randex author also arrested

The Royal Canadian Mounted Police have arrested and charged a 16-year-old from Mississauga, Ontario who is alleged to be the author of the Randex worm. Machines infected with the worm have subsequently been used as spam relays, and lists of such machines have been sold on the Internet. (For more news on 'bots for sale' issues, see the 'How much is that bot in the Windows?' item in the Security section, below.)

Randex is closely modelled after the SDBot family (source code for which has been available on the Internet for quite some time). Thus some antivirus companies have classified the Randex variants simply as SDBot variants, and others have used the family names Lioten and Randbot.

Canadian Authorities Charge 'Randex' Author - washingtonpost.com

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

Security News:

* Windows 2000 users may be able to log in despite expired passwords

According to a recent post to the Bugtraq mailing list, if a Windows domain has an FQDN (fully qualified domain name) exactly eight characters long, users whose passwords have expired will not be prevented from logging in. Microsoft is reported to have a hotfix available to address this bug; PSS (Microsoft Product Support Services) should be contacted to obtain it if your installation is affected.

Archived Bugtraq list message - securityfocus.com

* Favicon bug in Opera invites phishing attacks

Security researchers at GreyMagic have discovered that the Opera browser improperly handles 'favicon' images, opening the browser to a form of URL obfuscation attack that may be especially appealing to phishers.

Favicons are the customized icons displayed at the left-hand end of the address bar in modern web browsers, and elsewhere (in the bookmarks list, for example). Normally favicons are limited to a set size and are square. Unfortunately, Opera does not enforce these requirements and happily displays non-square icons. Presented with a rectangular image as a favicon, Opera displays the full image, without clipping the part that extends to the right of the normal icon area. As a result, the contents of the address bar are 'hidden' behind the extended area the favicon occupies.
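As an added example (not code from the newsletter, Opera or GreyMagic), the following validator enforces the two constraints the item says Opera failed to enforce, a square shape and a bounded size, by parsing the directory of an ICO file, the usual favicon container. The 32 pixel cap and the sample icons are constructed for illustration.

```python
import struct

# Assumed policy cap in pixels (not a figure from the newsletter).
MAX_DIM = 32

def parse_ico_directory(data: bytes):
    """Return (width, height) for each image listed in an ICO directory."""
    if len(data) < 6:
        raise ValueError("too short for an ICO header")
    reserved, img_type, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or img_type != 1:
        raise ValueError("not an ICO file")
    if len(data) < 6 + 16 * count:
        raise ValueError("truncated ICO directory")
    entries = []
    for i in range(count):
        w, h = struct.unpack_from("<BB", data, 6 + 16 * i)
        # In the ICO directory a 0 in the width or height byte means 256 pixels.
        entries.append((w or 256, h or 256))
    return entries

def favicon_problems(data: bytes, max_dim: int = MAX_DIM):
    """Return the reasons to reject the icon; an empty list means it passes."""
    problems = []
    for idx, (w, h) in enumerate(parse_ico_directory(data)):
        if w != h:
            problems.append(f"entry {idx}: {w}x{h} is not square")
        if w > max_dim or h > max_dim:
            problems.append(f"entry {idx}: {w}x{h} exceeds {max_dim}px")
    return problems

def make_ico_directory(sizes):
    """Build a constructed ICO header plus directory (no pixel data) for testing."""
    out = struct.pack("<HHH", 0, 1, len(sizes))
    for w, h in sizes:
        # width, height, colour count, reserved, planes, bits/pixel, byte size, offset
        out += struct.pack("<BBBBHHII", w % 256, h % 256, 0, 0, 1, 32, 0, 0)
    return out

# Constructed inputs: a normal 16x16 icon, and one carrying a 200x16 strip of the
# kind that would spill over the address bar in the unpatched Opera.
SQUARE_ICON = make_ico_directory([(16, 16)])
WIDE_ICON = make_ico_directory([(16, 16), (200, 16)])

if __name__ == "__main__":
    print(favicon_problems(SQUARE_ICON))  # []
    print(favicon_problems(WIDE_ICON))    # ['entry 1: 200x16 is not square', 'entry 1: 200x16 exceeds 32px']
```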

Opera 7.51 fixes this. Although the bug is not currently known to be actively exploited, it is better to be safe than sorry and update.

GreyMagic Security Advisory GM#007-OP - greymagic.com

Opera download page - opera.com

* How much is that bot in the Windows?

For much of the last year there has been increasing talk of spammers paying virus writers to develop malware that spreads around the Internet and then assists the spammers with their mass mailing, and of hackers building up large 'bot nets' of compromised PCs that they then sell to spammers and others with dubious motives, for the bandwidth and/or anonymity a large, distributed bot net can provide. But how big a problem are such things really?

Sean Lutner, a network engineer from the large US ISP Comcast, helped put things in perspective recently by admitting 'We're the biggest spammer on the Internet'. Comcast's official e-mail servers send out about 100 million e-mail messages per day, but the Comcast network as a whole (largely made up of small business and home cable customers) sends around 800 million messages per day. Some of the 100 million are spam, and some of the 'extra' 700 million are Comcast users legitimately sending via mail servers not managed by Comcast. However, a significant chunk of those 700 million are messages sent by 'spam bots' and open relays running on Comcast customers' PCs. The owners and users of those machines are mostly unaware of the situation, as the bot software has been installed via various security compromises, backdoors installed by worms and viruses, and so on.

The linked article has more details and discussion of what Comcast has decided to do to address this problem.

Attack of Comcast's Internet zombies - news.com
