Showing posts with label symantec. Show all posts

Sep 11, 2007

[Security] New Skype worm and rejoinder on URL obfuscation

F-Secure, Trend Micro, and Symantec report on a new worm spreading via Skype.

The malware is the usual IM variety, propagating by sending links to Skype contacts. The link at face value points to a purportedly harmless JPEG file. But once clicked, a copy of the worm is downloaded and executed on the user's computer. It displays the image SOAP BUBBLES.BMP (if it exists on the user's computer) to hide the malware's existence.

It also exhibits properties common to bot worms, like shutting down security applications and blocking security-related Web sites via HOSTS file modification.
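The HOSTS-file trick mentioned above is easy to check for. The following is an added example, not code from the post or from any of the vendor write-ups it cites: it parses a HOSTS file and flags entries that point security-vendor domains at loopback, at the unspecified address, or at some other address. The sample HOSTS content and the list of watched domains are constructed for illustration.

```python
"""Detect HOSTS-file tampering of the kind bot worms use to block
security-vendor sites. Added example; sample data is constructed."""
import ipaddress

# Domains a worm typically sinkholes. Constructed list; extend for your estate.
WATCHED_SUFFIXES = (
    "symantec.com", "norton.com", "f-secure.com", "trendmicro.com",
    "windowsupdate.com", "microsoft.com", "kaspersky.com",
)


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a HOSTS file.

    Blank lines and comments are skipped; an inline '#' comment is dropped.
    One line may map several hostnames to the same address."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        for host in parts[1:]:
            yield ip, host.lower().rstrip("."), line_no


def is_watched(host):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacked_entries(text):
    """Return (line_no, host, ip, reason) for every watched domain the file maps.

    Any mapping of a watched domain is suspicious: a clean HOSTS file has no
    reason to pin a vendor's update or support site to a fixed address, so
    loopback/unspecified entries (blocking) and other addresses (redirection)
    are both reported, with a different reason string."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if not is_watched(host):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, host, ip, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            reason = "sinkholed to loopback/unspecified"
        else:
            reason = "redirected to %s" % addr
        findings.append((line_no, host, ip, reason))
    return findings


# Constructed sample: a HOSTS file after infection. Line 2 is legitimate.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.   (constructed sample)
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com securityresponse.symantec.com
0.0.0.0         www.f-secure.com  # trailing comment
10.13.37.1      update.trendmicro.com
192.168.1.5     intranet.example.local
"""

if __name__ == "__main__":
    for line_no, host, ip, reason in find_hijacked_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % (line_no, host, ip, reason))
```

On Windows the real file lives at `%SystemRoot%\System32\drivers\etc\hosts`; read it and pass the contents to `find_hijacked_entries`. Note that a redirect to a non-loopback address (the `10.13.37.1` line in the sample) is worse than a block, since the attacker can then serve fake updates, which is why the two cases are reported separately.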

Skype users are advised not to click on links sent via Skype's chat feature, unless they are very sure that the link is legitimate.

Incidentally, in a previous post I discussed the problems caused by the lack of standards for malware descriptions. Once again, that lack of standards defeats the purpose of obfuscating a malicious URL. Both the Trend Micro and the F-Secure blog posts on the Skype worm published the malicious URL that the worm sends. Both obfuscated it, but each masked a different part of it.

On F-Secure: (image of the obfuscated URL as posted)

On Trend Micro: (image of the obfuscated URL as posted)
Based on the two posts, we can determine the complete URL.
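To make the point concrete, here is an added example, not from the post or from either vendor, of how two partial redactions of one URL combine into the full URL, and of a consistent "defang" convention that does not leak. The URLs are constructed placeholders with no relation to the actual worm, and the mask character `x` is an assumption.

```python
"""Inconsistent redaction leaks: merge two differently masked copies of a URL.
Added example; all URLs are constructed placeholders."""
import re

MASK = "x"


def merge_redactions(copies, mask=MASK):
    """Recover a string from several partially masked copies of equal length.

    Each position takes the character from the first copy that does not show
    the mask there. A position masked in every copy stays masked. (A genuine
    mask character in the plaintext is indistinguishable from a mask, which
    is why the sample URL below contains no literal 'x'.)"""
    if not copies:
        raise ValueError("need at least one copy")
    length = len(copies[0])
    if any(len(c) != length for c in copies):
        raise ValueError("redacted copies must have the same length")
    out = []
    for chars in zip(*copies):
        visible = [ch for ch in chars if ch != mask]
        out.append(visible[0] if visible else mask)
    return "".join(out)


def unrecovered_positions(copies, mask=MASK):
    """Indices still masked after merging, i.e. masked in every copy."""
    merged = merge_redactions(copies, mask)
    return [i for i, ch in enumerate(merged) if ch == mask]


def defang(url):
    """Publish the whole URL, unclickable: hxxp(s):// and [.] for dots.
    Reversible by refang(), so analysts lose nothing and readers cannot
    click it by accident."""
    url = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    return url.replace(".", "[.]")


def refang(url):
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


# Constructed: the "real" URL and two vendors' differently masked copies.
TRUE_URL = "http://www.sample.net/soap.jpg"
VENDOR_A = "http://www.xxxxxx.xxx/soap.jpg"   # host masked, path shown
VENDOR_B = "http://www.sample.net/xxxx.xxx"   # path masked, host shown

if __name__ == "__main__":
    print("merged:", merge_redactions([VENDOR_A, VENDOR_B]))
    print("defanged:", defang(TRUE_URL))
```

Run as a script it prints the fully reconstructed URL from the two masked copies. If both vendors had masked the same part (say, the TLD), `unrecovered_positions` would report those indices and the URL would stay unusable; agreeing on one convention, such as defanging the full URL, removes the guesswork entirely.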

Jun 26, 2007

[World Domination] Don't try this at all

This is not the way to advance your company's bid for world domination:

During a presentation to announce Symantec's latest product, a spokesman for the company delivered an enthusiastic pitch to a roomful of big name clients. Indeed, such was the emphasis on the "uniqueness" of his company's offering that attendees could have been forgiven for thinking that no one else made anti-virus software.
...
During the wrap-up to his presentation, the spokesman was forced to query collective laughs, and quite possibly shouts of "it's behind you", by turning to face his presentation screen.

He found the source of their amusement in the form of a prominent pop-up box, obscuring his Powerpoint presentation, stating that the rival Kaspersky anti-virus software loaded on the machine he was using to present had updated its definitions.

Oops.


Lesson 1: use your own product.

Lesson 2: if you don't trust and use your own product, it's time to quit.

Lesson 3: do not use a test machine/competitor testing machine for presentation use.

Lesson 4: 99% of salesmen are liars. Yes, I made that figure up. Go figure.

(Crossposted from here.)

May 10, 2007

[Security] Norton Internet Security 2006 COM Security Bypass Vulnerability

iDefense has issued a report about a vulnerability in Symantec's Norton Internet Security 2006.

The vulnerability exists in an ActiveX control installed by Norton and registered as safe for scripting. The control is not designed to be used from an Internet Explorer window; when it is instantiated in IE, an error occurs and the browser is left in a "defunct" state. From that point on, other Symantec ActiveX controls can be created without having to be marked safe for scripting.

This can lead to remote code execution if any of those controls exposes dangerous or exploitable methods: a remote Web site can host a page that instantiates them, and the controls are loaded when the site is visited.

Symantec has issued an advisory to address this issue. Symantec users are advised to run LiveUpdate to obtain the fix for this vulnerability.

(Crossposted here.)

Oct 4, 2006

[Tech News] Now McAfee Has Joined the Fray

Previously, I had written about Symantec's complaints about Microsoft and how they've been handling the information around Vista's security features. Microsoft's current claim is that they're choosing to keep the information secure from third party groups in order to better secure the new operating system.

This week McAfee joined the calls for Microsoft to disclose the interfaces that third-party security applications need in order to interoperate with, or even replace (and hence shut down), the Microsoft security applications that are set to be bundled with the Vista operating system.

Things are definitely going to be messy, and I'm fairly certain they'll only escalate as we near the official Vista launch next year. Current reports are that Microsoft expects to publish only one more pre-release version of the OS, Vista RC2, prior to the final launch. It's really not that far off, when you put things into perspective, and this means the computing world is going to go through another ripple of change as everyone scrambles to adapt to the new operating environment.

With luck, we the users will be the ones to benefit, but somehow I'm not quite sure if that's really what is primarily in the minds of these big software companies. Only time will tell.

Sep 28, 2006

[Tech News] Breaking Into Windows

CNet News reports that Symantec has accused Microsoft of withholding key APIs for Windows Vista, which in turn gives the software giant an undue advantage in the security market.

In case you haven't been following the news, Windows Vista is the next big upgrade to the largely successful Microsoft operating system, and is touted as their most secure OS to date. A host of security features have been announced as part of the Vista package, many of them direct competitors to other security software already on the market today.

The argument raised by security companies like Symantec is that Microsoft is deliberately keeping a lid on the information they need to make their programs work alongside the default security programs that are part of Vista, such as Windows Defender and the Windows Vista Firewall. If the third-party vendors cannot make their products Vista-compatible in time for the October production releases of the newer Vista-ready PCs from the various manufacturers, they stand to miss out on providing their products to Windows Vista customers.

Microsoft stands to benefit from such a scenario, given that they have only recently entered the security market. Keeping their application programming interfaces (APIs) private can force third parties to customize their products to work within Vista's security suite, as opposed to replacing Vista's applications with their own.

It's unlikely that Microsoft will go to this extreme to promote its own products at the expense of others, given their previous history with antitrust suits in Europe, including the EU's current scrutiny of the upcoming Windows release. Let's face it - they can't be that stupid, can they?

This promises to be an interesting release, to say the least. As 2007 draws closer, more and more complications appear to be popping up left and right. This is not something all that new - I don't think there have been any new Windows releases in recent history that have not been met with concerns as varied as they appear to be today.

Sep 13, 2006

[The Web] Technical Support

In line with recent frustrations with my company's IT Department, I thought it might be interesting to try a few related searches in the area to see what comes up on Google.

I tried the generic search query [technical support] just to see what I'd get, and the results were actually pretty interesting. Here are the sites I received in response to my search in the order they appeared at the time of this article:
  1. Microsoft Technical Support (http://support.microsoft.com/)
  2. Technical Support & Documentation - Cisco Systems (http://www.cisco.com/en/US/support/index.html)
  3. Home Page >> Netscape.com (http://www.netscape.com/FAQ/)
  4. Apple - Support (http://www.apple.com/support/)
  5. Dell Support (http://support.dell.com/)
  6. QUALCOMM's Eudora Technical Support (http://www.eudora.com/techsupport/)
  7. Support - Symantec Corp. (http://www.symantec.com/techsupp/)
  8. Adobe - Support (http://www.adobe.com/support/)
  9. HelpOnThe.Net: Tech Support Guy (http://www.techguy.org/)
  10. BNA Technical Support (http://www.bna.com/contact/techsupport.htm)

Now, Google's results are based on the PageRank system, which determines the relevance of a page from the number of links to it from other pages that are themselves highly ranked. So the top results are, in effect, the pages people link to most.

Given my search, this can lead you to interpret the results in several ways. Since most people are linking to the Microsoft Technical Support page, Microsoft products are the most linked to, either because (1) they have the most users, (2) they have the most issues, or (3) most support sites refer you back to Microsoft to resolve your problems. I'll not pass judgement over the results just yet - but it does make you think, right? It certainly amuses me, hahaha!

What is also interesting is the other products on the list. Given these same possible explanations for why they appear so highly in the search results, it makes you consider just how many people are utilizing products from these developers like Cisco and Netscape.

Netscape surprised me a lot since they don't have majority market share in the browser market, and yet they're highly ranked. A lower market share would eliminate explanation #1, so that leads me to think they have a lot of issues? If it's a question of users, why doesn't Mozilla Firefox come up this high on the search results list rather than Netscape? The amusement continues...

Having Apple and Dell on the list makes sense from a user-support perspective because of the loyal following for Mac products and, of course, the iPod line. Dell is the number one PC manufacturer in the US, so naturally it attracts a lot of support links as well. The same logic applies to Eudora as an alternative email client to MS Outlook, to Symantec because of their anti-virus software (Norton), and to Adobe because of their large product suite.

The point of this article - a short lesson on what your search results might actually mean. While we normally see search engines as a means to an end, just something we pass through before we get to the real information that we want, looking at Google search results can also reveal a lot about our behavior in this technically-driven world. Our search results reflect what we're linking to, hence what we're reading and what we tend to look for. It might be because of sheer number of users or in this case, the sheer number of potential problems.

Think about it.