UserFriendly on Bill Gates’ obviously wrong claims

two years ago bill gates came out with a proclamation that in two years spam would be gone.

we’ve been considering what to write about these claims (now known to be wrong, what a shock) for about three weeks now. we ended up deciding the regular press would cover it.

anyway, today on funsec paul ferguson (fergie) saved us the trouble:

“spam is dead in two years!” was one in a series of such predictions, starting with the classic:
“640k ought to be enough for everybody”
– bill gates, 1981.

bill gates is obviously a genius, but as Sunshine keeps insisting on writing in his blog, prophecy was given to fools. bill gates is no fool and should stay away from such prophecy. it’s obviously not his thing.

bill, you might be an anti-spam kook if…

(got anything to tell ren&stimpy? email us:


CME-24 (BlackWorm) Users’ FAQ

This FAQ was authored by members of the TISF BlackWorm task force (specifically the MWP / DA groups and the SANS ISC handlers).

The purpose is both to provide a resource for concerned users and network administrators, and to be a level-headed, myth-free source on the subject.

There is excessive media hype as well as some “end-of-the-world” type predictions. The end of the world is not coming and most of us will still be here after February 3rd, but this is a serious issue for those who are infected and whom we did not manage to reach.

“300,000 infected users worldwide is not a terribly large amount when compared to previous worms like Sober or Mydoom. However, with this worm it isn’t the quantity of infected users, it is the destructive payload which is most concerning.”
– Joe Stewart, LURHQ.

Q. What is CME-24?

A. A mass emailing worm with a destructive payload.
Please see
for pointers to antivirus vendor descriptions and analyses relating to
this malware.

Q. I hear about new viruses all the time–what makes this one a “big

A. This destructive virus will delete files from a number of popular
programs on February 3rd, and on the 3rd day of the month thereafter.

Files which may be deleted by the malware include files ending with one
of the extensions DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP.

Another factor that potentially makes this virus particularly noteworthy
is that it has seen broad distribution, with the estimated infected
machines in the hundreds of thousands.
LURHQ statistics

Another factor that potentially makes this virus noteworthy is its
self-defense mechanism. It closes windows if the caption contains any of
the strings MICRO, NORTON, REMOVAL, or FIX. So many antivirus programs, scanners
etc… can not be updated or used on a system that is infected with

Q. You refer to this virus/worm as CME-24 — that’s not what *my*
antivirus vendor calls it. What other names does CME-24 use?

Vendor            Malware Name

Authentium        W32/Kapser.A@mm
AntiVir           Worm/KillAV.GR
Avast!            Win32:VB-CD [Wrm]
AVG               Worm/Generic.FX
BitDefender       Win32.Worm.P2P.ABM
ClamAV            Worm.VB-8
Command           W32/Kapser.A@mm (exact)
Dr Web            Win32.HLLM.Generic.391
eTrust-INO        Win32/Blackmal.F!Worm
eTrust-VET        Win32/Blackmal.F
F-Prot            W32/Kapser.A@mm (exact)
F-Secure          Email-Worm.Win32.Nyxem.e
Fortinet          W32/Grew.A!wm
Ikarus            Email-Worm.Win32.VB.BI
Kaspersky         Email-Worm.Win32.Nyxem.e
McAfee            W32/MyWife.d@MM
Nod32             Win32/VB.NEI worm
Norman            W32/Small.KI (W32/Small.KI@mm)
Panda             W32/Tearec.A.worm (W32/MyWife.E.Worm)
QuickHeal         I-Worm.Nyxem.e
Sophos            W32/Nyxem-D
Symantec          W32.Blackmal.E@mm
Trend Micro       WORM_GREW.A (Worm_BLUEWORM.E)
VirusBuster       Worm.P2P.VB.CIL


Q. What is CME?

A. CME provides single, common identifiers for new virus threats to reduce public confusion during malware outbreaks. CME
is not an attempt to solve the challenges involved with naming schemes for viruses and other forms of malware; instead it aims to facilitate the adoption of a shared, neutral indexing capability for malware.

Q. How do people get infected with CME-24?

A. Known methods for infection include infected email attachments and
network shares, however other mechanisms are also possible.

While some areas of the world appear to be more prone toward infection
than others, it appears that infected systems may be found in virtually
all countries.

Q. What should I do to protect myself from getting infected with CME-24?

A. There are a number of things you can do:

Email attachments can contain viruses.

If your Internet Service Provider provides an email scanning service
subscribe to it.

Do not open attachments without first verifying that a trusted sender
intentionally sent it to you by asking them if they sent you an

Scan email attachments before opening them.

Do not open emails that claim to have naughty content. This is a common
trick used by email based viruses.

Back up your system!
You should be routinely making backups of your system. If you’ve been
putting it off, do it now. Backups are the foundation that will help
you recover if your system does get infected, and they are the most
reliable way to recover your data in the event of any data corruption
event, virus, malware, or hardware failure.
Note that your backup should be taken to non-rewritable media and/or
stored offline. If you do not make your backup to non-rewritable or
offline media, then depending on the format you use your backups might
be at risk from the malware’s destructive payload. In particular, if
you currently back up important files into a zipped archive, onto
mirrored hard drives, or onto file shares, none of those will protect
you from the destructive potential of this worm.
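One practical way to act on the backup advice above is to inventory the files whose extensions the FAQ names as payload targets, record their hashes, and later verify an offline copy against that record. The script below is an added example written for this FAQ; it is not the task force's material. The extension list is taken from the FAQ; the directory layout, file names and the demo tree are constructed for the example.

```python
"""Inventory files with the extensions this worm targets and verify an
offline backup copy against them.  Added example for this FAQ; it is not
part of the task force's material.  The at-risk extension list comes from
the FAQ; everything else (paths, the demo tree) is constructed here."""
import hashlib
import os
import shutil
import tempfile

# Extensions named in the FAQ as targets of the destructive payload.
AT_RISK_EXTENSIONS = {".doc", ".xls", ".mde", ".mdb", ".ppt", ".pps",
                      ".rar", ".pdf", ".psd", ".dmp", ".zip"}


def sha256_of(path):
    """Hash a file in chunks so large archives do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each at-risk file (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in AT_RISK_EXTENSIONS:
                full = os.path.join(dirpath, name)
                manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def verify_backup(manifest, backup_root):
    """Compare a manifest taken before the 3rd against a backup copy.

    Returns (missing, mismatched): files absent from the backup, and files
    present but with different content (a sign the backup was written after
    the payload ran, or that it was never a faithful copy)."""
    missing, mismatched = [], []
    for relpath, expected in manifest.items():
        candidate = os.path.join(backup_root, relpath)
        if not os.path.isfile(candidate):
            missing.append(relpath)
        elif sha256_of(candidate) != expected:
            mismatched.append(relpath)
    return sorted(missing), sorted(mismatched)


def run_demo():
    """Constructed scenario: a 'live' tree, a backup of it, then two faults.

    Returns (sorted manifest paths, (missing, mismatched))."""
    work = tempfile.mkdtemp()
    try:
        live = os.path.join(work, "live")
        backup = os.path.join(work, "backup")
        os.makedirs(os.path.join(live, "docs"))
        files = {"docs/thesis.doc": b"chapter one", "docs/budget.xls": b"q1,q2",
                 "photos.zip": b"PK constructed", "notes.txt": b"not targeted"}
        for rel, data in files.items():
            with open(os.path.join(live, rel), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(live)
        shutil.copytree(live, backup)
        # Simulate a damaged backup: one file gone, one truncated to zero bytes.
        os.remove(os.path.join(backup, "photos.zip"))
        with open(os.path.join(backup, "docs", "budget.xls"), "wb") as fh:
            fh.write(b"")
        return sorted(manifest), verify_backup(manifest, backup)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    names, (missing, mismatched) = run_demo()
    print("tracked:", names)
    print("missing from backup:", missing)
    print("changed in backup:", mismatched)
```

Run `build_manifest` on the live system well before the 3rd, keep the manifest together with the offline copy, and run `verify_backup` against that copy before relying on it; a manifest taken after the payload has run only records what is already lost.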

On new systems create recovery CDs. Many systems sold today do not come
with recovery CDs. The person purchasing the system is expected to
create them. Consult the manufacturer’s documentation for details.

Ensure that you have antivirus software installed, and that you have
up-to-date antivirus definitions covering this particular malware. Do a
full system scan and confirm that you are not infected with CME-24 or
other malware. If you are infected, seek professional assistance to fix
the problem at once.

Do not unnecessarily share or mount shareable filesystems. Filesystems
should never be made available via weak or non-existent passwords.

Q. Help, I think I have been infected with CME-24. What should I do now?

A. If you have anti-virus software installed verify that it is up to
date. Check with your anti-virus vendor if you are unsure of how to do
this. If you had anti-virus software that you believe was disabled by
CME-24 you may have to uninstall it before re-installing it.

If you do not have anti-virus software installed, several anti-virus
vendors offer free or trial tools. Lists of antivirus products are
maintained by, among others, West Coast Labs and ICSA.

Some of these vendors offer free online scans as well. Be aware that
online scanners usually require ActiveX or Java to be enabled, may take
a long time, and probably require admin privileges. Online scanners also
do not provide any long-term protection against reinfection.

If you’ve already been infected, you should seek professional help to
deal with that infection at once. Failure to deal with this malware
prior to the 3rd day of the month can result in data loss.

Q. Some very important file was trashed by the worm. I really need to
get the information that was in that file. I don’t have a clean backup.
What can I do? Can I get back at least part of that file?

A. Possibly. Some file recovery tools might recover all or part of the
missing data, and a data recovery service may also be able to assist.

Q. Why would someone do something so tremendously stupid and

A. Unless the author comes out and tells us we may never know why.

Q. I run Windows Media Center Edition, Mac OS X, Linux, have a Treo,
etc. Is my system at risk? Or is this just a Windows XP thing?

A. This virus only affects Windows operating systems. It affects nearly
every version of Windows.

Microsoft’s Security Encyclopedia

Windows NT 3.x/4.0, 95, 2000, XP, Server 2003, ME and 98 are all
potentially affected.


Q. I’m a mail server administrator. How can I protect my customers
from CME-24 and other malware?

A. There are several things you may want to do:

You may want to run a server-side antivirus program, or software to
strip or defang potentially dangerous attachments. Under Unix, ClamAV
is one example of a free antivirus program that you can run on your
mail server; the Procmail Email Sanitizer is an example of a program
that you can run to remove or defang potentially hostile attachments.
Under Windows there are several email scanning antivirus programs
available.
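The "defang" step that the paragraph above delegates to the Procmail Email Sanitizer is, in essence, a rename plus a payload replacement for attachments that a Windows client would execute. The script below is an added example of that step written for this FAQ; it is neither the Sanitizer nor ClamAV, and the extension blocklist, the mailbox addresses and the sample lure message are all constructed for the example.

```python
"""Strip or defang executable attachments at the mail server.  Added example
for the advice above; it is not the Procmail Email Sanitizer or ClamAV, just
a small Python equivalent of the 'defang' step.  The extension blocklist and
the sample message are constructed for this example."""
import email
from email import policy
from email.message import EmailMessage
import os

# Constructed blocklist: extensions Windows will execute when double-clicked.
DANGEROUS_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}


def is_dangerous(filename):
    """True if the attachment name ends in a blocklisted extension.
    Only the final extension counts, so 'song.mp3.scr' is still caught."""
    if not filename:
        return False
    return os.path.splitext(filename.strip().lower())[1] in DANGEROUS_EXTENSIONS


def defang_message(raw_bytes):
    """Parse a raw RFC 822 message and neutralise dangerous attachments.

    Each offending part has its payload replaced by a text notice and its
    filename renamed so a double-click opens a text file, not a program.
    Returns (message, list of original filenames that were defanged)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    defanged = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if is_dangerous(name):
            defanged.append(name)
            # set_content() drops the old Content-* headers and the payload,
            # then installs a text/plain part with the new filename.
            part.set_content(
                f"Attachment '{name}' was removed by the mail gateway "
                "because its type is not accepted.",
                disposition="attachment",
                filename=name + ".DEFANGED.txt",
            )
    return msg, defanged


def attachment_names(msg):
    """List the filenames of all non-multipart parts that carry one."""
    return [p.get_filename() for p in msg.walk()
            if p.get_content_maintype() != "multipart" and p.get_filename()]


def build_sample_message():
    """Constructed sample: a lure message with one executable and one PDF."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "new mp3!"
    msg.set_content("check this out")
    msg.add_attachment(b"MZ" + bytes(30), maintype="application",
                       subtype="octet-stream", filename="song.mp3.scr")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="tracklist.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, removed = defang_message(build_sample_message())
    print("defanged:", removed)
    print("attachments now:", attachment_names(cleaned))
```

On a real gateway the blocklist should be "allow known good" rather than "deny known bad", as the Winamp post further down this page argues; the extension check here is deliberately the last filename extension only, so double-extension lures like `song.mp3.scr` are caught, but an allow-list of accepted types is the stronger policy.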

You should also endeavor to accept, process and resolve notifications
you may receive about infected customers. Confirm that you have a
working abuse@ address, a working postmaster@ address, and current
whois contact information for your domain(s). See
RFC 2142 for clarification.

If you have netblock(s) that have been assigned to you via SWIP or
whois, or an autonomous system number (ASN), please make sure that you
have current abuse reporting contact information defined in whois for
those resources as well.

If you operate an intrusion detection system, consider running
the Bleeding Snort rules that may help you to identify potentially
infected customers.
Bleeding Snort Rules

Educate your customers about effective security practices.

Site license an antivirus product and distribute it to your customers.

Encourage customers to routinely apply patches.

Encourage customers to use a software and/or hardware firewall.

Encourage customers to routinely backup their systems.

Where terms of service and applicable law permit, scan customer systems
for vulnerabilities and ensure that customers get fixed or removed from
the network.

This document was prepared by the TISF BlackWorm task force, which
includes many elements of the security community, including anti-spam
groups, CERTs, anti-virus teams, academia, law enforcement, and ISPs.

The TISF BlackWorm task force would like to thank all the contributors
to this FAQ including: Members of the DA/MWP groups and The Internet
Storm Center handlers.

Original can be found at:
SecuriTeam Blogs


Winamp 5.12 “play list file” 0day [PATCHED]

a vulnerability in winamp 5.12 was released today (full disclosure mode):

a specially crafted winamp play list file can be used for remote exploitation (i will never understand why such vulnerabilities are called remote).

“the current version of winamp contains an error in its playlist parsing allowing malicious users to execute code via a prepared playlist.”

the poc code suggests using an iframe on a web site linking to the specially crafted file as a possible attack vector.

most people don’t believe a worm is very likely, but i wouldn’t completely rule it out yet.

there are several reasons why a worm could potentially be riskier than the usual mass mailers we see:

1. how many organizations filter email attachments by eliminating known bads rather than allowing known goods? this is a (somewhat) new bad.

2. the social engineering effect should not be dismissed:
- people love clicking.. which we know.
- people often get mp3′s in email, or at least are not surprised
when once in a blue moon they do.
- the social engineering effect of the above two points is: hey! new
mp3! (i.e. cool mp3/winamp icon).

i wouldn’t rule it out so quickly… although…

some clients won’t show icons… nothing we haven’t seen before with mass mailers and something people may not bother with…

but it is more than just a possibility and should be taken into account. after all, we have seen what a worm designed only to affect one brand of personal firewall did (witty, anyone?).

winamp vulnerabilities of the past have not been that successful for massive exploitation, though, so in my opinion all bets are still open on this one.

a simple way to avert this until a patch is available would be to remove (or change) the file associations for .pls and .m3u.

update from the winamp development team:
(thank keith!)

yes, we know about it and it’s already been fixed :-)

here is the patched in_mp3.dll for 5.12

this url will be removed once a new client with this fix has been

(place in_mp3.dll in the winamp\plugins folder)

there’ll be a 5.13 released shortly, which will be exactly the same as
5.12 but with the patched in_mp3 included.

there’ll be a separate patched in_mp3.dll included with the next public
release of 5.2 beta (, also
hopefully today.

gadi evron,


Two versions of Google

we’ve all been hearing about rising concerns regarding privacy issues and the problem of what US search engines show in china, or how they are being censored there by the authorities.

i just found this on lgf:

tiananmen – by

tiananmen – by

compare what the chinese see, and what the rest of the world sees.

gadi evron,


Memoirs of an (infected) virus researcher

I’ve just finished reviewing another antiviral program. During the
testing, I found out something interesting.

My primary test machine was infected.

Now, this, one would think, is not necessarily remarkable. But, you
see, I have a grave shortage of equipment. The test machine is also
the communications machine. And, it wasn’t supposed to be infected.

Still, it happens from time to time.

There was the time, rushing the Michelangelo deadline, that I had made
the world’s only copy of Michelangelo on a 720K diskette. And then
booted from it. Just after midnight on the evening of March 5th.
(Well, it was late, and all …) Took me another 20 minutes to put it
together again.

That’s another thing. The primary test machine is a laptop. Dual 3
1/2″ floppies. No hard drive. Safer that way. When I’m using it for
communications, I simply use another diskette. Bootable.
Write-protected. Except when I have to make corrections. But I do
that on the desktop machine. No chance of infection if I never put it
into the test machine unprotected.

But I must have. Sometime. And that sometime had to be more than
three weeks ago, because that was the last time I did any live

And what was it I was infected with? DIR-II. Stealth to the max.
Fast infector with a vengeance. I must have infected everything in

Except I didn’t.

First of all, communications generally deals with either text files or
archives. Unless the archives are self-extracting, they are not
targets for infection, and neither are the test files. So for over
three weeks, I was shuttling files from one machine to another, and
the virus never had a chance to transfer. Must have been frustrating
for it.

A couple of points about the DIR-II. It *does* infect text files. At
least, it infected one of mine. The filename was SIGBLOCK.NTE, for
those who are wondering. Only 340 bytes, so only the first chunk of
the viral code shows.

Secondly, the business of renaming your programs to non-executable
extensions, with the virus active, works like a hot darn for
disinfection. Remember to do a CHKDSK /F, *after* you have finished
and booted clean, in order to reclaim lost disk space. I got
everything back fine. Except SIGBLOCK.NTE.


New BlackWorm variant itw?

f-secure released an advisory on it:

gadi evron,


BlackWorm: pcaps

the good guys over at sourcefire who have been helping with the tisf blackworm task force since the beginning released an analysis of blackworm, accompanied by a ton of pcaps. check it out:

and the actual analysis and pcaps here:

gadi evron,


UK Home Office Trying To Ban Development Of Hacker/Security Tools.

I’m all for stronger Cyber Laws in the UK, as I am the first to admit that they really are quite lax at the moment, but the proposed new additions to the Police and Justice bill really are taking things too far now.

I’m happy that they plan on extending the maximum prison sentence for hacking into computer systems from 5 to 10 years. The part of the new bill that I have a huge problem with is Clause 35, which contains provisions to stop the development, ownership and distribution of aptly named “hacker tools”.

My big question on this one is, where the hell does that leave all of us in the security industry if this bill gets passed? If we’re not allowed to legally use the same tools as our enemies, we are not going to be able to defend our networks adequately at all. If this gets passed, it will end up giving the UK government even more power, making corporations and security professionals powerless against hackers and forcing them to rely on the British government to protect all computer assets in the country. So if company A gets hacked, what should we do, stand by idly and wait for the police to do something about it? This would cost the country and the economy millions of pounds! I also know for a fact that the National High Tech Crimes unit does not currently have the manpower to take on a task of as great a magnitude as this. I really hope that all parties involved in passing this bill take everything into consideration before coming to a decision, as this could have far-reaching consequences for the UK as a whole.

The entire proposed Police and Justice Bill can be found online at


BlackWorm: infected users stats and graphs

using data we at the tisf blackworm task force got from rcn, the good guys at lurhq (joe stewart) came up with this, and it was decided to make it public:

i’d like to quote joe on the critical nature of this worm:

“even so, 300,000 infected users worldwide is not a terribly large amount when compared to previous worms like sober or mydoom. however, with this worm it isn’t the quantity of infected users, it is the destructive payload which is most concerning.”


gadi evron,


Memoirs of a (media star) virus researcher

I have been known, from time to time, to make rather unkind statements
about the accuracy of virus reports in the mainstream media. Some of
my antipathy arises simply from the fact that there is an awful lot of
“mythology” surrounding viral programs, and most pieces that appear in
the media simply perpetuate this. Some of my experience, however, is

A reasonably prominent periodical devoted to security topics had been
advertising for writers in, among other areas, the virus field, so I
sent some sample materials off. I did not hear anything for about
eight months, and then I got a call asking me to do an article. On

However, it was not enough to write the article. No, I had to contact
the vendors and listen to what they had to say on the topic. This
actually consumed the most time. Some research, and some roughing out
an outline, took up two hours. A rough draft took three. Polishing
the final draft took about an hour. Lots of room for profit there.
(Of course, when you consider the years it took to build the
background to be able to do that, it tends to reduce the margin a
bit….) But contacting three consultants, two user-group
representatives, and eleven representatives from seven major vendors
took more than fourteen hours spread over a ten-day period. In the
end it got me one very helpful vendor contact (Carol Smykowski from
Fischer International), one returned message, one faxed spec sheet
from a loosely related product, and a
heavy parcel, which arrived postage due after the deadline. Needless
to say, this was less than helpful to the project.

In the end, the article was rejected. Not enough “vendor quotes.”

What is really important here is the fact that most of the articles
being generated in the trade press are, by and large, “infomercials”
on the printed page. Articles are being written by people who, if
they have a technical background at all, are writing out of their
field and are being judged on the
acceptability of the content to vendors and advertisers. The vendors,
quite happy with the situation, are in no hurry to be helpfully
involved in the process (or even to return phone calls).

As two examples, I cite the recent (as this is written) releases of
PKZip 2.04 and MS-DOS 6.0. For the first month after the release of
the new PKZip, while the nets were stretched by the reports of the
various bugs and the latest release by PKWare to try to correct them,
*PC Week* blithely rhapsodized over “version 2″ and advertised that it
had version 2.04c (the real buggy one) on its own board. Meanwhile,
in spite of the protests of the virus research community *before*
MS-DOS 6 was released, and the almost immediate storm of reports of
bugs and problems with various of the new features, the trade press is
only now, after six weeks of ecstatically positive reviews of MS-DOS
6, starting to report some of the potential problems.


Stupid people

All my life I’ve come across stupid people, I’ve come to expect people to be stupid, and I’m usually not let down by that assumption. When I find intelligent people I treasure them like Eskimos would treasure electric blankets covered in whale fat powered by a bucket sized cold fusion reactor. Of course I use the web more than is healthy, that’s one reason I always speak to stupid people, this is all fine and something I take in my stride. It’s when you come across people that aren’t meant to be stupid yet are that you lose that little faith you had left in humanity. It’s when an admin of a site which has thousands of members and has been running for 3 years doesn’t realise how bad it is that people can run HTML from PMs, signatures, usernames, forum posts or article comments.

You inform the admin about these flaws, explaining the dangers of XSS by taking the example of an attacker using JavaScript, you let them know they should run htmlentities() on all user input. What do they do? They either totally ignore you or they add some code to replace all instances of <script> with script. Idiots.

Here’s my theory: people who had Geocities accounts when they were 10 branched into 3 paths. They either 1) got bored of the whole developer thing and started collecting Pokemon cards, 2) got good and now make efficient, secure web applications, or 3) stayed at the Geocities level but got money and can afford their own domain. It is this 3rd category that now pollutes the web with their binary waste. When you don’t realise that error checking is needed to prevent anyone from deleting a PM, you need to find a cliff to jump off. When told so and your counter-argument is that no one can be bothered to manually browse to /remove_pm.php?message_id=1, …id=2, …id=3, then a cliff simply won’t do the job; you’ll need to find something simpler. I suggest jumping in front of a car…. …yes, a moving one.

The lesson: I understand that people have to start at the basics of anything before they can get any better, but for the love of all that’s holy (Eskimos in their bucket-sized cold fusion reactor powered, whale fat covered, electric blankets) read articles on the web, ask people, learn from the mistakes others made, experiment on your own computer or borrow books from a library before you go spending money to manage a web site. I understand that everyone makes mistakes, but learn from them and learn to accept help from people who offer it.
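The post names two concrete omissions: rendering user text without encoding it (the "replace <script> with script" non-fix) and deleting a private message by id without checking who owns it. The block below is an added example of both checks done properly; it is not code from the site the post describes. PHP's htmlentities() is stood in for by Python's html.escape(), the message store is an in-memory stand-in, and the sample signature text is constructed.

```python
"""Two of the checks the post says the site admin skipped: encoding user
supplied text before it is rendered, and checking ownership before a
private message is deleted.  Added example, not code from the site in
question; PHP's htmlentities() is replaced by Python's html.escape() and the
message store is an in-memory stand-in."""
import html


def naive_filter(text):
    """The fix the post complains about: replace '<script>' with 'script'.
    Any other tag in the text still reaches the browser as live markup."""
    return text.replace("<script>", "script")


def render_user_text(text):
    """Encode every character HTML treats specially, so user text is shown
    as text no matter what it contains.  Equivalent to htmlentities()."""
    return html.escape(text, quote=True)


def still_contains_markup(rendered):
    """True if a tag opener survived into the rendered output."""
    return "<" in rendered


class PrivateMessageStore:
    """In-memory stand-in for the site's PM table (constructed data)."""

    def __init__(self):
        self._messages = {
            1: {"owner": "alice", "body": "lunch?"},
            2: {"owner": "bob", "body": "meeting moved"},
            3: {"owner": "alice", "body": "thanks"},
        }

    def remove_pm(self, current_user, message_id):
        """/remove_pm.php?message_id=N done right: look the message up, then
        refuse unless the logged-in user owns it.  Returns True on deletion,
        False if no such message, raises PermissionError for someone else's."""
        message = self._messages.get(message_id)
        if message is None:
            return False
        if message["owner"] != current_user:
            # Refuse (and in a real app, log) rather than assuming nobody
            # will ever try the next id.
            raise PermissionError(
                f"user {current_user!r} does not own message {message_id}")
        del self._messages[message_id]
        return True

    def count(self):
        return len(self._messages)


# Constructed signature text containing plain HTML, the kind the post says
# was being rendered straight out of PMs, signatures and forum posts.
SAMPLE_SIGNATURE = 'Cheers! <iframe src="http://example.invalid/"></iframe>'


if __name__ == "__main__":
    print("naive filter leaves markup:",
          still_contains_markup(naive_filter(SAMPLE_SIGNATURE)))
    print("escaped output:", render_user_text(SAMPLE_SIGNATURE))
    store = PrivateMessageStore()
    print("alice deletes her own message:", store.remove_pm("alice", 1))
    try:
        store.remove_pm("bob", 3)
    except PermissionError as err:
        print("bob blocked:", err)
```

The point of `render_user_text` is that it is applied at output time to every character HTML can interpret, not to one tag name the admin happened to hear about; the point of `remove_pm` is that the ownership check runs on every request, because the sequential ids the post mentions mean the "nobody will browse there manually" argument never held.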


BlackWorm: infection rates stay the same

after investigation with the isp (rcn) and various people from the tisf blackworm task force (special thanks to joe stewart, randy vaughn, johannes ullrich and all the sans isc handlers) it appears that someone (probably the worm author) was trying to be funny and ddos the counter.

looking only at unique ip addresses and removing the ones from the ddos, we end up with only about 300k users whose world is going to crumble on february 3rd.

gadi evron,


BlackWorm: ISP notifications – done!

in cooperation with many (us-cert, fbi, sans isc, many in the industry, etc.) and with special thanks to:
dr. johannes ullrich (sans isc) and prof. randal vaughn (randy —, an attempt to contact all the isp’s who have infected users has been made.

a new list of ip’s that hit the (still secret) counter address is being compiled, so we can make another run of isp notifications.

the reporting emails are sent from and contain a url to the sans isc with a time-limited specially crafted url for the respective isp authorities to get their infected users’ information from.

if you did not yet get a report, feel free to contact us.

gadi evron,


BlackWorm: 2 million infected?

the counter is now at 2 million. check out sunbelt’s blog on this:

from past experience the 2 million hits probably mean a little over a million infected users.

gadi evron,


OS X As A Pentesting OS

Apple’s OS X has been receiving a lot of flak lately, both in regard to security issues and as to its worth as an OS. I used to be a long-time Linux/BSD user, until one day I found a 12″ Apple Powerbook lying around. After playing around on it for a week or so, I really began to see the possibilities, which led me to go and buy my own 15″ Powerbook and to see if this could replace my aging Dell laptop, which was dual booting Debian and OpenBSD. As OS X is built on a FreeBSD microkernel, it has all the BSD bits under the hood, so I wanted to see how far I could push this baby, and whether I could end up using a Mac for my daily pen-testing work and have a rock-solid secure operating system to work on at the same time. The answer is a huge yes!

OS X may have its faults, but it is a damn sight more secure than Windows, though that doesn’t really take too much now, does it? It ships with a built-in firewall, which is the standard FreeBSD IPFW (IP Firewall); this really is a great firewall, and in my opinion blows the likes of IPchains/IPtables on Linux out of the water. It’s a lot easier to configure, and has a hell of a lot more options. I won’t argue that the interface that Apple gives you is really basic: it consists of options like enable/disable SSH, SMB, VNC, etc., and whether or not you want logging turned on or off. As a security professional and a UNIX geek, this really isn’t good enough at all, so we need to drop under the hood and really modify these rules to suit our everyday needs, only allowing in and out the things we really want to, and to have some fun we’ll set it so certain rules only kick in at certain times of the day (using cron) or when our laptop is getting scanned/probed (portsentry). For info on how to lock down IPFW on OS X either read the IPFW man page (best way), or have a look at these links, as they will give you the basics:

Great! So now we’ve got the firewall on our shiny new Mac configured, and we can move on to other things before we start adding a load of tools and the like. OS X comes with a great utility called FileVault; what this little baby does is encrypt your entire home folder and everything in it with 128-bit AES encryption. The encryption and decryption happen in real time, and when you turn it on there really isn’t any performance hit at all. So now we have an OS that, after the few minutes we just spent tweaking it, is already a hell of a lot more secure than most other OSs.

Now OS X has a load of cool applications already developed for it, especially for anything media related, but we’re not going to go down that route. We want a pen-testing box to play with. First things first, if you’ve ever used Free/Open/Net BSD or Debian/Gentoo Linux then you’re going to know how useful the ports and package collections are. OS X doesn’t ship with any form of ports collection, but you can just install one, and away you go. Currently you get two different ports trees for OS X Fink ( and Darwin Ports (, my personal favourite is Darwin ports, as it has a lot more security related ports. So get that installed, all the installation instructions are on the Darwin ports site, and it’s a pretty painless install.

Now on to adding some tools on our little beast, the tools that I most frequently used on Linux/BSD are listed below, all the ones with * next to them are able to be installed on OS X, most of them through the Darwin ports tree.

Cryptcat* (OS X has Netcat installed by default)
Metasploit Framework*
Perl (Installed by default)
Web Scarab*

So as you can see, I managed to get everything that I was using on Linux and BSD installed, I also have a load of other tools installed, but the ones listed above are the more popular tools. If you can install anything on BSD then it should be taken as a given that you’ll be able to install it on OS X (it may require a bit of extra work, but usually nothing major.) This does include window managers as well, as I’ve had Fluxbox and KDE running.

When it comes to wireless tools, you really can’t go wrong with KisMac; it’s a clone of Kismet, yet it does a hell of a lot more than Kismet, for instance it has built-in WEP cracking, which really is a nice added plus. I know that this sort of thing is planned for the next big release of Kismet, but still, on OS X it’s here now. One thing here though: you need to have a Powerbook to be able to use KisMac, as the standard Apple Airport card currently can’t do passive sniffing, and the Powerbooks are the only Macs with a PCMCIA slot. If your wireless PCMCIA card isn’t supported head over to and see if there’s a driver listed for your card there. Wirelessdriver works like a charm for my Orinoco and Prism cards.

There’s also MacStumbler and iStumbler which are pretty much like NetStumbler, never been a great fan of NetStumbler, but useful for a quick look around.

Well that’s about it, but I’d seriously recommend a Mac with OS X for pen-testing, mine hasn’t let me down yet.


BlackWorm: ISP notifications of infected IP’s

with coordination between the tisf blackworm task force (from the da / mwp groups), us law enforcement and the isp, a list of ip addresses that are possibly infected is now in our hands.

our group, as well as others such as the sans institute are now dividing the work-load and sending out email notifications to isp’s for ip addresses in their net-space.

please expect that email message soon. thanks.

gadi evron,