It's not often we get prior warning of worms spreading.  But yesterday, German officials warned that we would see a new Sober variant using the attachment names “Word Text.zip” or “registration.zip” and, sure enough, we have Sober.V.  Unfortunately, on the same day, we also have Sober.S, Sober.T, and a fairly minor variant, Sober.U.  Although none are spreading extremely rapidly, both have been reported in the United States, Germany, and several other countries.

An article from About.com is available here.  Amusingly, as the article points out, antivirus vendor Trend Micro published a description for the worm (as WORM_SOBER.AD) before it was released - and dubbed it as in the wild!  Impressive forethought, indeed.

Users should be careful with any executables or files that can contain executables (like .zips), of course.  Conventional common sense is the key to avoid infection with worms like Sober.  Filenames associated with these threats are reg_text.zip (Sober.S), excel_table.zip (Sober.T), tabelle.zip (Sober.T), registration.zip (Sober.V), and Word-Text.zip (Sober.V).

Trend Micro has reported that they have found a worm in the wild that abuses the recently-discovered MS05-053 vulnerability, according to their analysis here.  The vulnerability, published three days ago, was rated as critical.  The discovery of a worm in the field this quickly could make for one of the fastest turn-arounds from patch publishing to discovery in the wild.  But, Trend Micro says, upon further review, it's unclear whether the detection is accurate.  CNET News's Joris Evers reports:

Trend Micro on Wednesday reported the discovery of a Trojan horse that it said attacked Windows users through an image rendering flaw in Windows, a day after Microsoft provided a fix for the bug. But it isn't so sure anymore.

The Trojan is referred to as "emfsploit.a" by the Tokyo-based antivirus company. Initially the antivirus software maker reported that the malicious code would crash "explorer.exe" on unpatched Windows machines. Explorer runs key parts of the Windows graphical user interface, including the Start menu, taskbar, desktop and file manager.

But late Thursday Trend Micro said its initial analysis of the Trojan might be incorrect.

"We asked another team to start the disassembly process again," said Raimund Genes, chief technologist for Trend Micro in Europe. That means researchers will reinvestigate the Trojan code to see what it does.

The full article is available here, and a brief mention at the Internet Storm Center is available here.

Two new viruses worth mentioning today - one a mass-mailer spreading, one an interesting conceptual specimen.

Bagle-Based “Lodear“ Appears
A new worm family, Lodear, has appeared.  The first variant seems to be spreading some in the wild.  Information can be found here.  Some antivirus companies consider this a variant of Bagle itself, and the family may be merged with the Bagle name.  Lodear is similar to past Bagle variants.  The primaray symptom of infection is a file called hloader_exe.exe in the Sytem folder.

First KiXTart Virus Appears
A virus infecting .KIX (KiXTart Script File) files has appeared.  This is unlikely to effect most people, but it is the first example of such a virus.  Information is here.  KiXTart is a batch processing script that runs at logon on some Windows computers.  For more information on KiXTart, see here.

Not much is in the news today, although I am happy to announce that rumours regarding the discovery of a worm using the latest Windows vulnerabilities was a false alarm.  More details follow

Trend Announces Fanbot.C Error
From InformationWeek:

A security firm on Monday mistakenly identified a new Trojan as the first to exploit one of last week's vulnerabilities in Windows, but corrected itself and labeled it as one which attacks the same bug as August's Zotob bot worm.

Fanbot.c, said Trend Micro late Monday, included a proof-of-concept exploit against one of the vulnerabilities disclosed Tuesday, Oct. 11 in Microsoft's MS05-051 security bulletin. Trend also said that although the Trojan was written in Visual Basic -- which usually indicates low-level skills on the part of the attacker and often means it's a "script kiddy" copy-cat -- arming malware with yet another exploit matched earlier hacker habits.

By early Tuesday, however, Trend had modified its technical description of Fanbot.c to say that the exploit was actually one directed toward the Plug and Play bug unveiled in August's MS05-039 bulletin.

The full article about the good news can be found here.

The Daily Update returns after a small hiatus for testing week...

October 2005 Security Release
Three critical updates, five important updates, and one moderate update have been released to address issues in Windows.  You can view the bulletin here.  And make sure to update!

Mytob Over 300 Variants
Mytob.LE has been released, making it the 317th variant of the prolific Mytob family.  The latest variant offers more of the same, with new passwords and emails.

A quick daily update today.  Symantec has now named Sober.Q (aka .R) to be a low-medium (2) risk, although McAfee maintains it at Medium.  It looks like this one is not going to be a huge outbreak.  More coverage of Sober.R should be available tomorrow as we start to see reports on spread rates coming in.  Symantec's write-up of Sober.R, which they call Sober.Q, can be found here.

Also in news today, a small percentage of the Internet was taken down today.  This was not security-related as many feared, but instead due to a contract dispute between two major service providers.  Full details can be found here.

Flaws Discovered in Kaspersky Antivirus
Techworld reports that Kaspersky, a Russian security program, is having security issues with its Antivirus program due to an exploit:

Kaspersky Lab has been hit by a security bug affecting a wide range of its anti-virus products.  The bug isn't limited to a particular platform, and can be exploited through several common protocols to take over a protected system.

The attack is apparently related to malicious .cab files.  When scabbing an infected .cab file, Kaspersky can experience a heap overflow and allow a malicious attacker to control the infected machine.

Microsoft Office Exploit Code Circulating
The same article goes on to talk about circulating code for a Microsoft Office exploit:

Separately, security vendors warned that exploit code has begun circulating publicly for an unpatched flaw in Microsoft Office that was first disclosed in April. The exploit makes it easier for attackers to take advantage of the hole, which, like the Kaspersky flaw, could allow attackers to take over a system.

Note that just because code is circulating does not mean it is associated with a known threat at this point, and this one isn't.

Yes, Daily Updates are back.  And permanently this time!

Good News, Bad News:  Virus Attacks Down, but Attacks More Sophisticated
As anyone who follows viruses knows, this has been a rather quiet year for viruses of all types, especially mass-mailers.  This is part in thanks to better technology and enforcement, and part in thanks to luck.  In any case, though, ZDNet is reporting that antivirus firm Sophos and email security company BlackSpider Technologies both have reported a significant downturn in the quantity of viruses coming in.  This is hardly a surprise, especially when you consider that after nineteen months, the top worm still is Netsky.P, which celebrated its eighteen month birthday last month.  Worms rarely last longer than a few months on top.  A notable exception being Klez.H's two-year reign on the charts starting in early 2002, but unlike Klez, Netsky remains on the top primarily because it lacks any competition for the spot.

Although mass-mailers have downturned over the last few months, an even more damaging threat, especially on the corporate level, looms:

"Smaller, targeted attacks are on the increase, with the emergence of a new breed of financially-motivated online criminal. The concern is that if users continue to combine unsafe computing practices with outdated threat protection, they'll be a soft target for this new form of attack," Theriault warned.

I tend to believe there is little, if any, correlation between the two.  Targeted attacks, especially of a financial nature, have been developing for a while, and even made national news when it was suggested that the Sobig.F worm was linked to organised crime.  The news about the reduced number of mass-mailer hits is promising, but not necessarily a trend that will last very long.  We can only keep our fingers crossed and our software secure.

Bagle Naming Convention Split
Apparently, a number of antivirus companies have determined that recent variants of the prolific and previously successful Bagle worm family are not Bagle-y enough.  Computer Associates named a recent Bagle variant Wreckage.A, while Trend Micro has donned a new Yabe family of worms for two recent Bagle variants.  These splits have not been uncommon throughout Bagle's naming, and it is possible that the names will be reconciled if a breakout occurs.  However, should a major version of the “Wreckage” or “Yabe” worm families be reported in the news, it is fairly safe to assume that they are Bagle versions.

Cool Link of the Day
The University of Virginia provides a Security Tip of the Day on their web site here.  The messages are meant for University of Virginia students, and it's not exactly a Tip of the Day (unless refreshing the page somehow has an effect on the space-time continuum, in which case I do not recommend that anyone above 30 use this web site), but it's certainly interesting.  The tips are pretty basic, but even the best of us need reminders sometimes.  And so do all of your friends and family members who think that “.pif“ stands for “picture information file.“

That's all for today.

I returned from the MVP conference and slept in yesterday.  It was a wonderful three days, although certainly tiring!  I learned some, got to see what Microsoft has up their sleeve, and I am indeed quite impressed.  I didn't manage to take any photos, but fellow Security MVP Steve Friedl over at BroadbandReports.com logged the public parts of the session.  His write-up and commentary can be found here.  It comes highly recommended, although it's definitely for techies.

It wasn't a big trip for me, as I live just about 40 miles to the south of Bellevue, but it's always nice to go up to the east side of Lake Washington.  If you happen to find yourself in the area and are looking for some food, I recommend Byblos Deli in downtown Bellevue.  Delicious!  :)