Malware Request

December 28, 2008 – 1:35 PM

I am looking to do some analysis on various pieces of malware.  Please forward me some of your junk and any questionable attachments that you may get in your Inbox.  This will be private analysis so please do not expect to hear anything back about what you send.

Please send to:

[email protected]

Thanks,

Troy

Fake Christmas, holiday greetings spread new malware

December 25, 2008 – 7:34 AM

New malware is spreading via Christmas and holiday greetings, security researchers said today, a tactic reminiscent of those used last season by the notorious Storm Trojan horse.

Researchers at the Bach Khoa Internetwork Security Center in Hanoi, Vietnam, reported today that a new piece of malware, dubbed “XmasStorm” by the center, is spreading through holiday-themed spam.

Touting subject lines such as “Merry Xmas!” and “Merry Christmas card for you!”, the spam includes links to sites that purportedly host electronic greeting cards waiting for the recipients. In fact, the sites are serving up malware that hijacks the visiting PC, then installs a bot which waits for commands from the hacker controllers.

Nguyen Minh Duc, the manager of Bach Khoa’s application security group, said that XmasStorm originated in China. Hackers have registered at least 75 domain names relating to the malware campaign’s holiday theme in the last month, including “superchristmasday.com” and “funnychristmasguide.com.” According to WHOIS searches, those domains were registered to a Chinese address on Dec. 1 and Dec. 19, respectively.

Source:
http://www.networkworld.com/news/2008/122408-fake-christmas-holiday-greetings-spread.html?fsrc=rss-security

WinSxS Folder in Windows Vista

December 24, 2008 – 6:06 PM

What is the C:\Windows\WinSxS folder in Vista and why does it keep growing and growing and growing?

[image: winsxs]

The answer straight from a TechNet Blog:

One of the largest changes between previous versions of Windows and Windows Vista was a move from an INF-described OS to componentization. A component in Windows is one or more binaries, a catalog file, and an XML file that describes everything about how the files should be installed, from associated registry keys and services to what kind of security permissions the files should have. Components are grouped into logical units, and these units are used to build the different Windows editions.

All of the components in the operating system are found in the WinSxS folder – in fact we call this location the component store. Each component has a unique name that includes the version, language, and processor architecture that it was built for. The WinSxS folder is the only location where the component is found on the system; all other instances of the files that you see on the system are “projected” by hard linking from the component store. Let me repeat that last point – there is only one instance (or full data copy) of each version of each file in the OS, and that instance is located in the WinSxS folder. So looked at from that perspective, the WinSxS folder is really the entirety of the whole OS, referred to as a “flat” in down-level operating systems. This also accounts for why you will no longer be prompted for media when running operations such as System File Checker (SFC), or when installing additional features and roles.

Basically, do not try to delete it or clean it out.  You may destroy your entire Operating System.

Describing Malware

December 23, 2008 – 8:22 PM

This picture just about sums it up:

[image: malware]

Picture Source:
http://www.sophos.com/sophos/docs/eng/marketing_material/sophos-security-threat-report-jan-2009-na.pdf

Make Firefox Alert You When You Send Information Unencrypted

December 23, 2008 – 8:09 PM

Here’s a quick little tip for users who might not know enough about internet security and privacy to stop and look for SSL/TLS (https://) when submitting forms on the web. Maybe the form itself sits on an unencrypted page, but the data actually gets sent encrypted when the Submit button is pressed. Or, even worse, the form page is encrypted but your data gets sent unencrypted. Many different scenarios could leave your data exposed, and you wouldn’t know about any of them without checking the page source to see where the form action points. Most people do not go into that much depth when submitting forms. They may quickly glance up and look for https:// or quickly glance down and look for a padlock, but that’s normally it. They submit the data without even thinking about it.

There’s a setting in Firefox that will prompt you when you submit data through the browser that’s unencrypted.  Go to Tools > Options > Security.  Click the Settings button in the bottom section titled Warning Messages and select the option to alert you when you submit information that’s not encrypted:

[image: firefox1]

Now when you submit information that’s not encrypted you will get a friendly reminder with an option to Continue or Cancel:

[image: firefox2]
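The check the browser setting automates is “where does the form action actually resolve to?” The following is an added example (not from the original post) that does that check in code: it resolves each form’s action against the page URL the way a browser would and reports the same mismatched cases the post describes. The page URLs and form actions are constructed sample values.

```javascript
// Added example: work out where a form's data really goes when submitted,
// and flag the page-vs-action encryption mismatches described in the post.

function submissionTarget(pageUrl, formAction) {
  // An empty or missing action submits back to the page's own URL;
  // relative and protocol-relative actions resolve against the page URL.
  const target = new URL(formAction || "", pageUrl);
  return { href: target.href, encrypted: target.protocol === "https:" };
}

function auditForms(pageUrl, actions) {
  const pageEncrypted = new URL(pageUrl).protocol === "https:";
  return actions.map((action) => {
    const t = submissionTarget(pageUrl, action);
    let verdict;
    if (pageEncrypted && !t.encrypted) {
      verdict = "page encrypted, data sent unencrypted"; // the worst case
    } else if (!pageEncrypted && t.encrypted) {
      verdict = "page unencrypted, data sent encrypted";
    } else if (!t.encrypted) {
      verdict = "unencrypted";
    } else {
      verdict = "encrypted";
    }
    return { action, target: t.href, verdict };
  });
}

// Browser-side use (not exercised here): feed it the raw action attributes
// of every form on the current document.
function auditDocumentForms(doc) {
  const actions = Array.from(doc.forms, (f) => f.getAttribute("action") || "");
  return auditForms(doc.location.href, actions);
}

// Constructed sample: a login page served over HTTPS with several forms.
const sampleReport = auditForms("https://example.test/login", [
  "http://example.test/submit",   // downgrades to plain HTTP
  "/submit",                       // relative, inherits https
  "",                              // empty, posts back to the page
  "//cdn.example.test/track",      // protocol-relative, inherits https
]);
```

Pasting `auditDocumentForms(document)` into the browser console on a page under review gives the per-form verdicts for that page.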