Sunday, November 28, 2004

Open Letter To Anti-Virus Software Companies - A Response

The wife and I just got back from Thanksgiving Vacation with my folks a little bit ago, so I was checking out what I missed since Wednesday (yes, almost five days with no internet!!). Take a look at what I found on the Internet Storm Center’s diary for the 23rd…


Open Letter To Anti-Virus Software Companies - A Response

On November 5, 2004, Chris Mosby, SMS Administrator and MyITforum Security Message Board Moderator, sent us an "Open Letter To Anti-Virus Software Companies" that we thought was interesting enough to publish:

Our favorite CTO, Johannes Ullrich, stepped into the fray in the November 8th diary:

Yesterday, we received the following response from members of the USCERT's CME (Common Malware Enumeration) initiative. While we don't have any policy about providing "equal time", we thought that their response was also interesting enough to publish:

------------------begin letter------------------

As members of US-CERT’s Common Malware Enumeration (CME) initiative, we would like to respond to Mr. Chris Mosby’s “Open Letter to the Anti-Virus Software Companies” and let Mr. Mosby and the rest of your readers know that we recognize that there are challenges surrounding the “Virus Name Game.” US-CERT and leading security vendors are working together to solve these challenges.

As you may be aware, US-CERT sponsors the Common Vulnerabilities and Exposures list (CVE), which has addressed similar challenges in the vulnerability space ( By building upon the success of CVE and applying the lessons learned, US-CERT, along with industry participants mentioned below, hopes to address many of the challenges that the anti-malware community currently faces with respect to identifying malware through the CME initiative.

As a “neutral third party” in the marketplace, US-CERT will coordinate with security vendors to implement a CME malware identification scheme. Limited operational capability is expected 1Q05; this phase will concentrate on the most important threats, including the recent Beagle/Bagle variants. The role of US-CERT will be to assign a CME identifier (e.g., CME-1234567) to each new, unique threat and to include additional incident response information when available. As our experience with CVE shows, once all parties adopt a neutral, shared identification method, effective information sharing can happen faster and with more accuracy, making it easier to distinguish between very similar threats. In this manner, US-CERT believes that an effective structure can be built to improve what is currently the chaotic world of malware identification.

As mentioned both in Mr. Mosby’s letter and the response posted on November 8th, there are significant obstacles to effective malware enumeration, including the large volume of malware and the fact that deconfliction can be difficult and time-consuming. The CVE experience confirms that strong industry support and involvement is required to meet these challenges. To this end, US-CERT is working with some of the key industry players, including McAfee, Symantec, TrendMicro, and Microsoft. In addition, US-CERT plans to meet with other stakeholders to explore how they can contribute and participate. To date, all parties have shown a strong willingness to work together toward the goal of improving the malware information resources available to AV software users, first responders, and malware analysts – anyone who depends on accurate, concise information about malware. Solving the virus naming problem is a challenging process, but a goal shared across the industry.

We certainly welcome observations such as Mr. Mosby’s. From our point of view, the question is not “why should we have CME IDs” but “how do we make CME IDs work?”

Desiree Beck, CME Technical Leader

Andy Purdy, Acting Director NCSD
Department of Homeland Security

Larry Hale, Deputy Director NCSD
Department of Homeland Security

Jimmy Kuo
McAfee Fellow - McAfee, Inc.

Matthew Braverman, Program Manager
Microsoft Corporation
Security Business and Technology Unit – Antivirus Team

Mady Marinescu, Development Lead
Microsoft Corporation
Security Business and Technology Unit – Antivirus Team

Randy Treit, Program Manager
Microsoft Corporation
Security Business and Technology Unit - Antivirus Team

Vincent Weafer, Senior Director, Symantec Security Response
Symantec Corporation

Oscar Chang, Executive Vice President
Trend Micro, Incorporated

Joe Hartmann, Director North American
Anti-virus Research Group
Trend Micro, Incorporated

-------------------end letter-------------------

All I can say is….WOW!!

Friday, November 19, 2004

Sober.I Worm - MEDIUM RISK by Secunia

Looks like Friday is virus day again. Keep and eye on your antivirus vendor's website, this has already reached Medium risk at Trend Micro and McAfee and it looks like it is spreading fast.

Sober.I Worm - MEDIUM RISK by Secunia: "The Sober worm family is proliferic in email generation and this new variant has been declared as MEDIUM RISK by Secunia, and it is reported to be spreading in the France, Germany, and Australia.

Sober.I Worm - MEDIUM RISK by Secunia "

Tuesday, November 16, 2004

Boycott Marvel Comics and all of its subsidiaries. Sign the Petition

From The Pulse:

Marvel Comics
filed suit against NCSoft and Cryptic Studios concerning their creation, gaming sensation City of Heroes on November 10th. The suit alleged COH allowed "players to design characters that are virtual copies of its own superheroes, including 'The Incredible Hulk.'" is now reporting Marvel's complaint also singled out City of Heroes' icon Statesman as "strikingly similar to Captain America" and that "... defendants have created, marketed, distributed and provided a host environment for a game that 'brings the world of comic books alive,' not by the creation of new or original characters but, instead, by directly, contributorily and vicariously infringing upon Marvel copyrights and trademarks." also has information from Marvel lawyers taken from the lawsuit. reports:

"Considering that defendants own no comic characters themselves, it stands to reason that the comic books to which they refer are those that depict the characters of Marvel and others," wrote Marvel's attorneys in the complaint. "Defendants' Creation Engine facilitates and, indeed, encourages players to create and utilize heroes that are nearly identical in name, appearance and characteristics to characters belonging to Marvel."

"'Statesman,' a character strikingly similar to Marvel's Captain America (right down to the trademark large white star on his chest and shield), prominently appears on the front of the City of Heroes box and guides the user through the 'creation' process," argues Marvel's complaint. "Defendants' infringement is so brazen that their only attempt to disguise 'Statesman' is to give him a helmet that is nearly identical to the trademark helmet worn by 'Magneto,' another of Marvel's X-Men characters."

Read more details at

Shame on you Marvel!!

Boycott Marvel Comics and all of its subsidiaries. Sign the Petition

Friday, November 05, 2004

Open Letter to Anti-Virus Software Companies

As we are all aware, it was exactly one week ago today that there was an unusual outbreak of not just one; but three globally spreading variants of the Bagle virus.

Now that the smoke has cleared, and security professionals around the world have all had time to reflect on the events of the last seven days; I wanted to write to you on behalf of your customers to let you in on a little secret that we already know.

The “Virus Name Game” has gotten out of hand. If you are unaware of what I refer to, I will attempt to explain.

Sometime during the Bagle\Netsky war of earlier this year, your virus variant names got out of synch with other anti-virus software companies. We can understand how that could have happened. There were multiple versions of those viruses coming out everyday, with virus writers trying to out do each other in some childish game of hacker supremacy; and you were dealing with the waves of malware as fast as you could. When the “virus war” slowed down with the arrest of the author of Netsky, your virus variant names stayed out of synch. Your customers were able to “deal with it” as the new viruses trickled in at their normal pace by working together as a community with resources like the
Internet Storm Center, Secunia’s Virus Information page, VGrep Online, MyITforum’s Security message boards,and AntiVirus e-mail list.

This last Bagle virus outbreak reminded us all what a mess we are in. Since your respective companies have adopted an isolationist attitude and don’t usually share information with other anti-virus software companies, your customers were left with a lot of confusion as to exactly what they were dealing with.

While the new Bagle variants were spreading like wildfire, some companies acknowledged the variants existed; but had no details of what these variants did or what to look for. This did not change even after they raised the threat level of these viruses.

Others provided more detail, but did not match the threat level of other companies since the number of submissions they received from their customers were lower. Their virus variant names were different than other companies, so your customers were left in the dark.

Still other companies had only one or two of these variants listed, with various degrees of detail; and again completely different variant names than other companies, since that was all their customers had submitted to them. This left your customers in the dark again. For those of your customers that use more than one companies anti-virus product, and I know there are plenty out there; that left them with an even bigger mess than just the virus outbreak.
With all of this going on your customers “dealt with it” as they usually do, working together as community. We sorted through all the information that trickled down to us, or when you felt like letting us know. As usual, we got through it, with some of us showing a few more gray hairs.

I think I can speak for everyone in the security community when I say; “dealing with it” is not acceptable anymore. As the customers that spend money for your products, we should not have to work so hard to figure out if your products are keeping us protected.
We know you can do better, and we challenge you to do so. With the increasing problem of spyware, spam, and patch management, we have enough to deal with.

However things are fixed might not matter, as long as something is done before things get worse. Work together as a community of security professionals and help out your customers at the same time. With Microsoft soon to be entering the anti-virus software business, we believe it is in your best interest to figure out how to accomplish this and keep your customers better informed about how they are protected.

Thank you for your time and attention,
Chris Mosby
SMS Administrator
MyITforum Security Message Board Moderator.

Friday, July 16, 2004

Secunia - Virus Information - BAGLE.AF

Secunia - Virus Information - BAGLE.AF

This one is spreading significantly.

This is a mass-mailing worm with the following characteristics:

* contains its own SMTP engine to construct outgoing messages
* harvests email addresses from the victim machine
* the From: address of messages is spoofed
* attachment can be a password-protected zip file, with the password included in the message body.
* contains a remote access component (notification is sent to hacker)
* copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
* uses various mutex names selected from those W32/Netsky variants have used, in order to prevent those W32/Netsky variants running on infected machines.

Tuesday, July 13, 2004

Microsoft Security Bulletin Summary for July, 2004

Of these, two are Critical.

Microsoft Security Bulletin Summary for July, 2004

MS04-024: Vulnerability in Windows Shell Could Allow Remote Code Execution (839645) rated as: IMPORTANT

MS04-023: Vulnerability in HTML Help Could Allow Code Execution (840315):
rated as: CRITICAL

MS04-022: Vulnerability in Task Scheduler Could Allow Code Execution
rated as: CRITICAL

MS04-021: Security Update for IIS 4.0 (841373) rated as: IMPORTANT

MS04-020: Vulnerability in POSIX Could Allow Code Execution (841872) rated as: IMPORTANT

MS04-019: Vulnerability in Utility Manager Could Allow Code Execution
rated as: IMPORTANT

MS04-018: Cumulative Security Update for Outlook Express (823353) rated as: MODERATE

Monday, July 12, 2004