MoMusings

Tuesday 31st May, 2005


Yet More Beagle Droppings!

Filed under: All, Malware

Beagle is back and with three new presents for us, yes three new Beagle droppings for unwary users to step in and spread round the ‘net when they get infected.

MessageLabs has allegedly already intercepted over 70,000 copies since the emergence of this new variant at 12:00 GMT on Tuesday.

So what do we know so far?

The samples that I’ve seen so far typically have a blank subject and no viewable body text.

The attachments I’ve seen so far include:
1.zip through to 9.zip
Work.zip

Each of which contains one of the following:
19_04_2005.exe
20_04_2005.exe
01_05_2005.exe
02_05_2005.exe
03_05_2005.exe
16_05_2005.exe

These new variants drop a Trojan which attempts to download malware from a long list of URLs that are contained in the code.

Windows users who launch the attachment, unzip it and then run the executable file contained within have infected their system [yes, there are people out there who will carry out all these tasks just to infect themselves]. The next step for the malware is to harvest any email addresses it can find on the infected system’s hard drive. To complete its list of chores the malware then sends itself to each and every email address it managed to harvest from the infected computer.

It appears that at this time these three new variants are all the same, except that each one has been packed/compressed with different tools to try and slip past virus scanners.
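A triage check for the mailing pattern just described, added here as an example and not code from the original post: it parses a message, checks for the blank subject and empty body, and opens any N.zip or Work.zip attachment in memory to see whether it holds a DD_MM_YYYY.exe member. The sample message and its placeholder zip are constructed inside the script.

```python
"""Triage check for the Beagle mailing pattern described in the post.

Added example, not code from the original post. The sample message is
constructed below; the attachment naming patterns come from the post.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# From the post: attachments 1.zip .. 9.zip or Work.zip, each holding an
# executable named DD_MM_YYYY.exe.
ZIP_NAME_RE = re.compile(r"^(?:[1-9]|Work)\.zip$", re.IGNORECASE)
EXE_NAME_RE = re.compile(r"^\d{2}_\d{2}_\d{4}\.exe$", re.IGNORECASE)


def zip_members(data):
    """Return member names of a zip archive held in memory ([] if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage_message(raw):
    """Score one raw RFC 822 message against the traits described in the post.

    Returns the individual indicators plus a verdict. A message is flagged only
    when the attachment naming matches, since a blank subject alone is common.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    blank_subject = not (msg.get("Subject") or "").strip()

    body_text = ""
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        body_text = body.get_content().strip()

    matching_zips = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not ZIP_NAME_RE.match(name):
            continue
        members = zip_members(part.get_payload(decode=True) or b"")
        if any(EXE_NAME_RE.match(m) for m in members):
            matching_zips.append((name, members))

    return {
        "blank_subject": blank_subject,
        "empty_body": body_text == "",
        "matching_zips": matching_zips,
        "suspicious": bool(matching_zips),
    }


def build_sample_message(zip_name="Work.zip", exe_name="16_05_2005.exe", subject=""):
    """Construct a message shaped like the ones described (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # The member is an inert placeholder, not a real executable.
        zf.writestr(exe_name, b"placeholder - not a real binary")
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"   # forged sender, constructed
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample_message()))
```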

Links:
The Register
F-Secure Lab Weblog
F-Secure Description

I’ll try and post more when the dust has settled a little.

Looks like there may be another 3 variants out there…..oh joy!


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blogs new home.
ALL future postings will only be available at the new site.

Friday 27th May, 2005


Mytob Madness

Filed under: All, Malware

I recently mentioned, almost in passing, a new malware family known as Mytob. Well since that posting the author(s) of Mytob have been even more active in creating new variants. So much so that we are now at variant FC [127th variant]*, which was found earlier today. This is really a follow-up article to the one about bots and botnets I posted yesterday.

What is Mytob?
Mytob first appeared on the 26th of February 2005, and boy did it cause some confusion in the anti-virus world. Some vendors said it was just another Mydoom variant and others said it wasn’t. This naming war went on for a week or so; finally they all decided that it should not be classified as ‘just-another-mydoom’. With little fanfare it was christened with the new family name of ‘Mytob’; ‘My’ from Mydoom, and ‘Tob’, which is the word ‘Bot’ reversed, which sums it up quite nicely.

The reason a new name was finally used rather than Mydoom was that although Mytob has been created from the Mydoom source code, it has had a number of changes made to it, as well as a number of additional tricks added to increase its ability to spread.
One of the new tricks that was added was an exploit enabling it to spread using the LSASS vulnerability [a la Sasser].

How does it spread?
There are two specific vectors that it uses to spread, these are:

E-mail
When Mytob propagates via email, it starts by gathering new victim email addresses from files with the following file name extensions:

.adb, .asp, .dbx, .htm, .php, .pl, .sht, .tbb, .wab

When it has harvested all the e-mail addresses it can find, it then constructs an e-mail using a spoofed From address and sends it out to the intended victim using its own SMTP engine. No, it doesn’t depend on Outlook, Outlook Express, Notes, MAPI or any other mail product to enable it to spread.

LSASS
Unlike Mydoom, Mytob can also spread directly from system to system by identifying systems that can be infected by exploiting the LSASS vulnerability on Windows systems. This vulnerability was patched in 2004 [MS04-011], so there is NO excuse for getting infected by Mytob via this method.

Backdoor [Bot capabilities]
Mytob also functions as a bot. It connects to an Internet Relay Chat (IRC) server and joins a specific channel. Once signed in for duty it listens for commands coming from a remote malicious user. It executes these commands locally on an affected system, providing the remote user virtual control over the system.

New techniques:
Recently a number of new techniques and technologies have been incorporated into the latest variants of Mytob. I will cover each briefly below, including links to sources you can visit to get more details on that specific function/feature:

The BU variant added another exploit to its box of tricks, in this case the DCOM RPC vulnerability [MS03-039].

The CI variant also generates IP addresses and spreads by attempting to drop a copy of itself in the target addresses’ default shares. If the shares are inaccessible, it uses a hardcoded list of user names and passwords [A Dictionary attack] to try and gain access to the system.

The EK variant also downloads other components from a fixed set of web servers.

The latest variant [FC] has even more tricks up its sleeve. It modifies the ‘HOSTS’ file to stop an infected user getting to certain sites, such as those of AV vendors. It also attempts to terminate any running [or installed] security software, such as AV, personal firewalls [including the XP firewall], anti-spyware tools and even Windows Update. Finally, it also appears to block the use of the registry editing tools REGEDIT.EXE and REGEDT32.EXE, and other useful diagnostic tools such as REGMON, TASKMON, SYSEDIT and lots of other tools too.
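A HOSTS file tampered with in the way the FC variant does can be checked offline. The script below is an added example, not code from the original post: it parses HOSTS-file syntax (comments, several names per line) and flags every non-default mapping, calling out hosts on a watch-list and whether they are blackholed or redirected. The watch-list names and the sample file contents are constructed placeholders, not real vendor hostnames.

```python
"""Check a Windows HOSTS file for the tampering described in the post.

Added example, not code from the original post. The sample HOSTS text and the
watch-list are constructed; on a real system the file lives at
%SystemRoot%\\System32\\drivers\\etc\\hosts.
"""
import ipaddress

# Constructed watch-list: hostnames a defender never expects to see in HOSTS
# (stand-ins for AV vendor and update sites).
WATCHLIST_SUFFIXES = ("example-av.invalid", "update.example-vendor.invalid")


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping in HOSTS-file text.

    Handles full-line and trailing '#' comments, blank lines and several
    hostnames on one line; lines whose first field is not an IP are skipped.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries


def is_default_entry(ip, name):
    """The only mapping a stock HOSTS file needs: localhost to a loopback address."""
    return name == "localhost" and ipaddress.ip_address(ip).is_loopback


def suspicious_entries(text, watchlist=WATCHLIST_SUFFIXES):
    """Flag every non-default entry, with a reason explaining why it matters."""
    flagged = []
    for ip, name, line_no in parse_hosts(text):
        if is_default_entry(ip, name):
            continue
        addr = ipaddress.ip_address(ip)
        on_watchlist = any(name == s or name.endswith("." + s) for s in watchlist)
        if on_watchlist:
            # Loopback/unspecified means the site is simply blocked; anything
            # else means traffic for it is being sent somewhere it should not go.
            if addr.is_loopback or addr.is_unspecified:
                reason = "watch-listed host blackholed"
            else:
                reason = "watch-listed host redirected to " + ip
        else:
            reason = "non-default entry"
        flagged.append({"line": line_no, "ip": ip, "host": name, "reason": reason})
    return flagged


# Constructed sample: a stock file plus the kind of lines the tampering adds.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file for this example (not a real capture)
127.0.0.1       localhost
::1             localhost
# entries below stand in for what the tampering described above adds
127.0.0.1 www.example-av.invalid example-av.invalid
0.0.0.0   update.example-vendor.invalid   # trailing comment
192.0.2.10 intranet.example.invalid
"""

if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_HOSTS):
        print(hit)
```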



This quote is taken from the McAfee page on Mytob: “Newer variants include the FURootkit** , contain an Instant Messenger worm component “, so you see that development is still ongoing.

It seems that the source code for Mytob is either well distributed on the internet or that there is one or more teams of programmers constantly adding new functionality to it, as it seems to be rather unlikely that a single author could produce so many variants in such a short time.

* The actual number depends on which vendor you use.
** For more information on rootkits, see my posting dated 12th April 2005 entitled ‘Rootkits Revealed’.
The graphic is from the TREND page on the FC variant found today.



Thursday 26th May, 2005


Made to Measure Botnets

Filed under: All, Malware

I’m currently writing a paper for the Virus Bulletin conference, to be held during October in the fair city of Dublin, Ireland; the paper is about bots and botnets*. So, when I saw this news item yesterday I decided it was time to post a blog entry on the subject of bots and botnets; especially as bots are very widespread now.

So, what is a bot?
‘Bot’ is a contracted (truncated or short) name for a software robot. A bot is a piece of software that allows a system to be remotely controlled without the owner’s knowledge; it can also be used to automate common tasks. Systems infected by a bot are often referred to as ‘Zombies’ or ‘Drones’.

And, what is a botnet?
A group [’Herd’ or ‘Network’] of Zombie systems controlled by the ‘Bot Master’ [sometimes called a ‘Bot-Herder’]. These botnets are told what to do by the botnet owner. This can be anything that the bot has been programmed to do….including updating itself or installing new malicious software.

If you saw the film ‘iRobot’, this is similar to the way the C-5 robots are controlled when commanded to carry out tasks that are in breach of the ‘Three Laws of Robotics’.

Why you should be interested…
Well would you be interested when your door explodes at 3A.M. and police pour into your house and arrest you? You would, well that’s a surprise! ;-)

So, why might this happen to you?

Let me describe a scenario which will help to explain why this could happen to you, even if you have done nothing wrong, illegal or immoral, and all that you need to be able to see yourself in this scenario is a PC and an Internet connection.

How to become a Zombie or Drone…

Your computer is connected to the Internet and unknown to you it becomes infected by a bot; this particular bot uses a known vulnerability in Windows to get in without your knowledge or permission. The bot adds itself to the registry to ensure that it always gets loaded when Windows starts. Once loaded, the bot will connect out to the Internet and log in to a dedicated IRC [Internet Relay Chat] channel for the botnet it belongs to; effectively signing in for duty…..

Now, the botnet owner decides to carry out a DDoS [Distributed Denial of Service] attack on a major company. His botnet is 1,000 strong [a small botnet, they can be 100,000+ in size], so he tells his Zombies [including your PC] to attack the site….At this point your PC is firing off thousands of requests to the site, and so are all the other Zombie PCs [All DSL connected at speeds from 128Kbps to 2048Kbps].

Now, let us switch to the victim’s view

The victim’s IT staff notice that their IDS/router/firewall has lit up like a Christmas tree; incoming e-mail has almost stopped, all the web servers are crashing under the load, and nobody from the company can browse the web, oh dear!

So, the IT staff quickly scribble down some of the source IP addresses that the attacks are coming from, they inform their IT Director, who tells them to contact their ISP and the Police and supply the IP addresses that they have managed to record.

The ISP staff trace one of the IP addresses back to your PC and pass the details to the police.

Your system is repeatedly used to attack others, and is reported again and again to the authorities.

Now, let me add several other things to the mix, your system is now also being used to send SPAM, Phishing scams and new malware through, not only that but someone has found out that you are infected by a bot, and has decided to use the built-in backdoor to upload stolen software and credit card details onto your system.


Q. What may happen when this information is also given to the authorities?

A. Exploding front door early in the morning!

Now, what are the authorities going to find when they examine your computer, and who is going to be in trouble, you or the miscreants that have been using your system?

Well, in the short to medium term, you will be the one that will appear to be guilty, and how will this affect you personally? How long will it take for the authorities to realise that you are innocent, weeks, months?

OK, back to the article I linked to in the first paragraph. Malware authors are working very closely with organised crime to create new bots, which they use to build botnets which they can rent out, not only to cyber-extortionists, spammers and scammers but also to those that wish to store stolen data, software and other illegal material without having to worry about being caught in possession of it.

Oh, and by the way this bot has also been commanded to download and install a keylogger, so now all your credit-card and other personal details are being harvested too…..I bet you can’t wait until you get your next bank/credit-card statement!

These botnets, which are increasingly built to order, are usually between 100 and 5,000 members [Zombies] in size.

FAQs:
Q. But I run Anti-Virus software so the bots can’t infect me.
A. The source code for most of the major bot families is constantly being updated to create new variants [strains]. These new variants may not be detectable by AV software at the time you get infected. Remember this mantra: “Anti-virus is only as good as its last update” and this one too, for that matter: “If the malware isn’t in the AV product’s database of known malware, chances are it won’t be detected”**. Anti-virus is for the most part a ‘reactive’ technology, never forget that!

Q. My system is fully patched, so I can’t get infected in the way you describe.
A. Bots can get onto your system in many ways; dropped via a worm coming in via e-mail or Instant Messaging, hidden inside a Trojan program, put there by someone else…..and so on.

Q. I use a software firewall, so that will stop the bot connecting to the Internet to get its orders.
A. Many bots now either disable personal firewalls, anti-virus and anti-spyware tools, or they use rootkit techniques to get access before these tools are running thereby making the bot invisible to them.

Q. But I only connect to the Internet for 15-60 minutes at a time, so I can’t get infected, can I?
A. I personally know of a system that was infected by 6 malware strains in under 10 minutes of connecting to the Internet. Of those 2 of them were bots.

Please don’t take this short article as a full explanation of bots, botnets and how they work or are used [misused?], all feedback and comments are most welcome.

To use a well-known quote from Star Trek - “Resistance is futile, you will be assimilated!” No, resistance is not futile! Using up-to-date anti-virus, a good personal firewall, anti-spyware software, a rootkit detector and some common sense will help to minimise the chance of you becoming part of the Bot collective.

Links:
Stealth virus warning sounded again [ZDNet]
Experts: Zombies ousting viruses as malware of choice [C|Net]

* The paper will be available on my personal website after the conference.
** Yes I haven’t forgotten about heuristics, but these usually only detect a small number of new strains.



Tuesday 24th May, 2005


Extortion Using Malware

Filed under: All, Malware

A new malware was reported by Symantec on the 22nd of May 2005 that does something rather nasty with certain file types; it makes an encrypted copy of the file and then deletes the original, effectively denying you access to your own files!


This new malware is known as:

It affects all Windows platforms; Mac and *NIX systems are not affected [nothing much new there then].

The files it targets are the ones with the following extensions:
.asc, .db, .db1, .db2, .dbf, .doc, .htm, .html, .jpg, .pgp, .rar, .rtf, .txt, .xls, .zip

Each folder that contains encoded files will contain a file called ‘ATTENTION!!!.txt’. The contents of the file are the following:

Some files are coded.
To buy decoder mail: [user]@yahoo.com
with subject: PGPcoder 000000000032

As with most modern malware it also modifies the registry to ensure its automatic execution every Windows system startup.

Once all suitable files on the infected systems have been successfully encoded [both on the local infected system, and any writeable network shares the infected system has access to], it will remove itself by creating and running a file called ‘c:\tmp.bat’; it will even delete the batch file too.
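The note name, its contents and the targeted extensions above give a defender enough to triage a suspected infection. The following script is an added example, not code from the original post or from any vendor: it walks a directory tree, confirms each ‘ATTENTION!!!.txt’ by its ‘PGPcoder’ marker, and inventories the targeted file types found beside it. The tree it scans is constructed in a temporary folder.

```python
"""Locate the Gpcode ransom note described in the post and inventory affected folders.

Added example, not code from the original post. The directory tree is
constructed in a temporary folder; the note name, the note text and the
targeted extensions come from the post.
"""
import os
import tempfile
from collections import Counter

NOTE_NAME = "ATTENTION!!!.txt"
NOTE_MARKER = "PGPcoder"          # appears in the note's subject line
TARGETED_EXT = {".asc", ".db", ".db1", ".db2", ".dbf", ".doc", ".htm", ".html",
                ".jpg", ".pgp", ".rar", ".rtf", ".txt", ".xls", ".zip"}


def is_ransom_note(path):
    """True if the file is named like the note and mentions the PGPcoder marker."""
    if os.path.basename(path) != NOTE_NAME:
        return False
    try:
        with open(path, "r", errors="replace") as fh:
            return NOTE_MARKER in fh.read(4096)
    except OSError:
        return False


def find_affected_folders(root):
    """Walk root; return {folder: Counter(ext -> count)} for folders holding a note.

    Counts only files with the extensions the post lists, excluding the note
    itself, so the result is an inventory of what may have been encoded.
    """
    affected = {}
    for dirpath, _dirs, files in os.walk(root):
        if NOTE_NAME not in files:
            continue
        if not is_ransom_note(os.path.join(dirpath, NOTE_NAME)):
            continue
        counts = Counter()
        for name in files:
            if name == NOTE_NAME:
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext in TARGETED_EXT:
                counts[ext] += 1
        affected[os.path.relpath(dirpath, root)] = counts
    return affected


def build_sample_tree():
    """Create a constructed tree: two folders with notes, one clean folder."""
    root = tempfile.mkdtemp(prefix="gpcode_triage_")
    layout = {
        "docs": [NOTE_NAME, "report.doc", "notes.txt", "photo.jpg", "readme.md"],
        "share/archive": [NOTE_NAME, "backup.zip", "old.rar"],
        "clean": ["plan.xls"],
    }
    for folder, names in layout.items():
        d = os.path.join(root, folder)
        os.makedirs(d, exist_ok=True)
        for name in names:
            with open(os.path.join(d, name), "w") as fh:
                if name == NOTE_NAME:
                    fh.write("Some files are coded.\n"
                             "To buy decoder mail: [user]@yahoo.com\n"
                             "with subject: PGPcoder 000000000032\n")
                else:
                    fh.write("sample content\n")   # stand-in, not encoded data
    return root


if __name__ == "__main__":
    for folder, counts in find_affected_folders(build_sample_tree()).items():
        print(folder, dict(counts))
```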

The original version [Virus.Win32.Gpcode.a] was found in December of 2004 and interestingly Kaspersky also found the second variant later that month, so why has it taken Symantec [and other AV vendors] so long to add detection to their products?

The thing is, that this type of cyber extortion is not new; in fact botnets are often used to extort money; “pay up or we will DDoS you off the internet” is the common threat used by modern cyber-extortionists. One of the first cases occurred back in 1989 [which I will cover below]. At that time most malicious software was a mere gleam in the eye of the malware author, who may well have been nothing more than a gleam in the eye of their father at that time too. ;-)

The first case of cyber extortion using malware I personally saw, and remember is the famous AIDS Information Disk. Let us travel back into the murk of malware history…


According to Virus Bulletin “some twenty thousand envelopes containing a 5.25 inch floppy disk [if you remember what they are, see picture] were bulk mailed from London to computer users in the UK, Europe, Africa, Scandinavia, and Australia. The disks, which were DOS compatible, were marked ‘Aids Information Diskette Version 2.0′ and encouraged the recipient to insert the disk and install its contents on the computer.”

If the recipient complied and installed the software, the program would modify the AUTOEXEC.BAT so that every time it was executed a hidden counter program incremented by one. Once the counter reached 90, the data on the trojanised hard disk in the system was encrypted. The affected user was then informed by a message on the screen that the only way to get the data back was to pay the licensing fee to PC Cyborg Corporation.

The license agreement was printed on a blue leaflet that accompanied the diskette, in ‘very’ small print. This urged the user to send $189 or $378 to a post office box in Panama.

The program was clearly an attempt to extort money from unsuspecting users (the program actually conducted an AIDS risk factor questionnaire, so that users might have considerable reason to be nervous about their data), and therefore more likely to pay-up and less likely to contact the authorities.

The perpetrator of this scam was one Dr. Joseph Popp, who was identified when he began behaving strangely in Schiphol Airport, Amsterdam. An alert security guard who inspected Popp’s luggage spotted a rubber stamp bearing the name PC Cyborg Corporation. Popp was later extradited to the UK to await trial. During his stay at Her Majesty’s pleasure, he was reported to be wearing hair curlers in his beard, and a condom on his nose, apparently ‘in order to ward off radiation’. Not surprisingly, he was found unfit to be tried and returned to the USA. However, he was later convicted, in absentia, by Italian courts.

Personally, I prefer the method used in Black Adder Goes Forth [Episode 6. “Plan F: Goodbyeee…” ], which uses a couple of pencils and a pair of underpants [preferably clean]. The pencils are inserted into the nostrils [one in each] and the underpants are worn on the head. The final piece of this cunning ‘insanity ploy’, is to answer every question with the word ‘Wibble’, preferably used in multiples. ;-)

Links:
http://www.virusbtn.com/resources/malwareDirectory/about/history.xml



Monday 23rd May, 2005


Sober Reloaded

Filed under: All, Malware

Last week’s SPAM assault from Sober.q should now be over. However, as of Monday the 23rd of May Sober.q changes its mode, from spamming to downloading an unknown new component which it will execute; allowing it to carry out its unknown assigned task.

At this time nothing is known as to what this new component is, or what it may do.

So, what do we actually know about this new mode?

Sober.q queries a list of NTP servers which it has encoded within itself to synchronize the time. If the date is 23rd May 2005 or later it changes its behaviour; instead of mass mailing right-wing SPAM e-mails, it attempts to download and execute a file from one of the following domains:

  • people.freenet.de
  • scifi.pages.at
  • free.pages.at
  • home.pages.at
  • home.arcor.de

The directory part of the URL that will be used to download the unknown new component is made up of a pseudo-random string. It is based on the date returned from the NTP servers.


The following is a list of the NTP servers which are monitored:


Conclusions:

Well, something may or may not happen on Monday due to Sober.q downloading and executing new code and/or instructions. We could see more SPAM [political, gambling, body part enlargement, watch, mortgage, software, drugs, stocks or pr0n related], DDoS attacks, another mass-mailing member of the Sober family installed, an Instant Messaging worm, a bot, another trojan, or it may all come to nothing as we’ve seen before…..However, I somehow doubt this, this time…..Batten down the hatches, I suspect we’re in for a bumpy ride!

So, what is your guess as to what we will see [or not see] when Sober.Q changes mode?

Links:

Sober.Q Description [F-Secure]
The Register

I’ll try and update this entry as new information becomes available…..stay tuned!

Update May23rd 09:30 GMT+1: The update phase has started as expected, however so far there is nothing for Sober.q to download.

Update May23rd 13:30 GMT+1: Still nothing for Sober.q to download, at this time.

Update May24th 09:30 GMT+1: No sign at this time of Sober.q finding anything to download, however this new cycle will continue, using new date related pseudo-random links each day until Thursday this week, before going back to its existing right-wing SPAM mode.



Friday 20th May, 2005


April 2005 Review

Filed under: All, Malware, Stats

I know we are almost two thirds of the way through May, and that this posting is rather late, however, better late than never I always say ;-)

I’ve finally managed to find some time to create some graphs and perform some trend analysis from the raw data from my WormCharmer and Bayesian filter for April. Hope they are of some interest?

I have included three sources of information for the graphs and pie-charts, these are:

  • Kaspersky
  • WormCharmer
  • Malware Bayesian Filter

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 2+ years, Malware Bayesian Filter 1+ year.

In total I captured 2327 samples during April, which have been catalogued as 159 distinct families and variants. In comparison in March 2005 I captured 2326 samples which were catalogued as 148 distinct families/variants.

During April I captured 24 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

The first pie chart below shows the Top 10 distinct malware by percentage. As you can see this includes not only mass-mailers but also five share-crawling worms [1 Sdbot, 2 Opaserv and 2 Agobot variants]. The share-crawling worm and bot W32/Agobot.DAJ [Frisk] was the sample with the highest number of captures closely followed by W32.Mytob.ah [an e-mail worm that is also a share-crawling worm and bot] and another Agobot variant WORM_AGOBOT.ALV [Trend] and W32.Zafi.b@MM falling to 4th place. The Netsky family of e-mail worms are still represented; three members of the family appear in the top 10 for April, although they are showing signs of tailing off.

If you compare the above to the data from Kaspersky you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties. As you can see the top 10 from Kaspersky is dominated by e-mail worms. New entries include three Mytob variants.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004 and 2005 [up to the end of April] here. This clearly shows that April was very slightly busier than March but still quieter than February as far as e-mail based malware was concerned.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 112,438 [as at the end of December 2004] to 125,825 [as at the end of April 2005]. That’s a growth of 13,387 so far this year!

In April we saw the following new malware appear:

Mytob. This family of worms, which first appeared in March’s results, is based on the MyDoom e-mail worm, but with a twist! The source code was modified to also enable it to spread using the LSASS exploit [a la Sasser], as well as via the more common e-mail vector that MyDoom used.

In April we saw many new variants of this family of e-mail worm/bot hybrid [25 since the 15th of April]. In fact I will write a full blog entry on it in the next few weeks, as this family has come from almost nowhere to being a major threat with a serious number of offspring to its name already.

We also saw seven new Bagle variants along with new Kelvir [IM Worm] variants. The latter used a new technique, using links to the malware body/payload instead of the more common approach of using attachments. What is more, the sites hosting the malicious bodies/payloads were running the PHP scripting engine, which is extremely powerful and can easily be used to do rather nasty things.

Conclusions:

Well, as you can see the bots are on the march [in April] and they are taking lessons from root-kits, using techniques to make them almost invisible, even to many AV products. This is a very worrying trend, but it is not unexpected……In fact I’m surprised it has taken the scumware authors so long!

I also presented a paper at the EICAR 2005 conference which was held in Malta this year.



Tuesday 17th May, 2005


Malware Spewing Political SPAM

Filed under: All, Malware

I know I’ve been quiet over the last few weeks, this is due to the large quantities of new malware I have been trapping, writing papers, presentations and presenting at an international conference; EICAR 2005 in Malta at the beginning of May and the upcoming Virus Bulletin conference in Dublin later this year.

Anyway, enough excuses! ;-)

Well, I suspect that over the weekend, and so far this week you have been seeing a fair number of political spam e-mails in both German and English that [in most cases] contain little more than a single line of text and a link [or multiple links] to political news sites/coverage. This political spam seems to be mostly related to right-wing [Nazi/Neo-Nazi] politics.

The interesting thing is this is not ‘normal’ SPAM; it is in fact being generated by systems infected by an e-mail worm, known as Sober.q, which is downloaded automatically from a number of sites onto systems already infected by the Sober.p worm.


Sober.q is written in Visual Basic, packed using UPX [to try and obfuscate the content and make a virus scanner’s job harder], has its own SMTP engine and does not replicate. So in many ways it should be considered more of a Trojan than a worm. Like previous malware it will also install itself in the registry to ensure that it gets loaded when the system starts. Furthermore it will try and terminate a number of security tools, including Microsoft Anti-Spyware [formerly GIANT], HijackThis and NOD32.

If that is not annoying enough, it will also try and disable Windows Update and the XP Firewall by changing registry key entries that control their behaviour.

However, unlike many bots that are out there, Sober.q [which is not a bot] is not acting as a spam proxy; all spam generated by Sober.q originates on the infected system, rather than being routed through it by spammers who rent out the spam proxies that get installed by bots.

On installation Sober.q drops a file named Spammer.Readme that contains a link and the following text:

Ich bin immer noch kein Spammer!Aber sollte vielleicht einer werden :) In diesem Sinne

This is basically a message to the Anti-virus companies stating “I’m not a spammer, although I might become a one!”.

So, what do the spam e-mail that this Trojan generates look like?

Well, I’m not going to show them all, but here is one example:

Lese selbst:
http://www.[replaced].de/npd_info/deutschland/2005/d0305-14.html

Jetzt weiss man auch, wie es dazu kommt, dass Drogen, Waffen & Handy’s in die Haende der Knacki’s gelangen!

Below is a list of 30 of the subject lines I’ve seen so far:

4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
60 Jahre Befreiung: Wer feiert mit?
Armenian Genocide Plagues Ankara 90 Years On
Auf Streife durch den Berliner Wedding
Augen auf
Auslaender bevorzugt
Auslaenderpolitik
Blutige Selbstjustiz
Deutsche Buerger trauen sich nicht …
Deutsche werden kuenftig beim Arzt abgezockt
Dresden 1945
Dresden Bombing Is To Be Regretted Enormously
Du wirst ausspioniert ….!
Du wirst zum Sklaven gemacht!!!
Gegen das Vergessen
Graeberschaendung auf bundesdeutsche Anordnung
Hier sind wir Lehrer die einzigen Auslaender
Massenhafter Steuerbetrug durch auslaendische Arbeitnehmer
Multi-Kulturell = Multi-Kriminell
Paranoider Deutschenmoerder kommt in Psychiatrie
S.O.S. Kiez! Polizei schlaegt Alarm
Schily ueber Deutschland
The Whore Lived Like a German
Transparenz ist das Mindeste
Trotz Stellenabbau
Tuerkei in die EU
Turkish Tabloid Enrages Germany with Nazi Comparisons
Verbrechen der deutschen Frau
Volk wird nur zum zahlen gebraucht!
Vorbildliche Aktion


So, the e-mails that are generated and sent by Sober.q infected systems are non-viral; they have no attachment, they cannot [currently] infect a system. The risk they pose is minimal, mainly clogging up mail servers, causing confusion; due to forged e-mail addresses and spreading information related to right-wing politics. What do you do with them? Send them to the great digital ‘bit-bucket’ [delete them].

As a final note: Sober.q looks for a file named ‘bbvmwxxf.hml’ in the Windows System folder. If it finds it Sober.q will not install itself on the system, however the system is still infected by Sober.p!

Links:

Email-Worm.Win32.Sober.q [Kaspersky]
WORM_SOBER.U [TREND]
Sober.q [F-Secure]

Right, just another few hundred new samples to investigate and a conference paper to finish, on top of my usual workload…



Thursday 5th May, 2005


Anti-Malware Tools: Intrusion Detection Systems - EICAR 2005

Filed under: All, Papers

The FULL paper written for the 2005 EICAR Conference, entitled:

‘Anti-Malware Tools: Intrusion Detection Systems’ is available here.

This covers how SNORT can be used to detect malware (viruses, worms, trojans) as well as the more usual network threats that IDS is normally used to detect.

