17
Oct

Mytobs on the Loose

Of all the known computer worms, Mytob has been among the most resilient and prolific. For several months last year, at least one new Mytob variant was discovered every month. (See this Techweb article dated April 11, 2005.)

Trend Micro reports two new variants of this worm: WORM_MYTOB.KJ and WORM_MYTOB.JP. And today I received a total of 11 emails (all within an hour), each carrying an attached copy of WORM_MYTOB.FC. MYTOB.FC is already an old variant, discovered back in May 2005.

Users are advised to update their anti-virus signatures and to be careful when handling email messages, especially ones carrying executable or double-extension attachments (readme.txt.pif and the like), whether they come from unknown sources or from known ones: mass-mailing worms of this kind forge the sender address, so a familiar From: line proves nothing. BTW, Thunderbird usually tags Mytob emails as junk/spam, so that’s another layer of protection for users.
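The advice above (distrust executable and double-extension attachments, whoever the sender appears to be) can be turned into a simple gateway check. The following is an added example written for this page, not code from the post or from any AV vendor; the extension lists and the sample message are assumptions constructed for the illustration, and the sample is a bounce-style lure, not a real Mytob mail.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly on double-click; the usual worm-attachment choices.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".hta", ".cpl"}
# Harmless-looking "inner" extensions used in double-extension lures (readme.txt.pif).
DECOY_EXTS = {".txt", ".doc", ".xls", ".pdf", ".jpg", ".gif", ".htm", ".html"}
# Archives are not executable themselves, but Mytob-style worms ship zipped payloads.
ARCHIVE_EXTS = {".zip", ".rar"}


def attachment_risks(filename):
    """Return the reasons a filename looks like a worm lure (empty list = nothing found)."""
    reasons = []
    name = filename.strip().lower()
    root, ext = os.path.splitext(name)
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        # For "invoice.doc      .exe" the inner extension survives as the tail of root.
        inner_ext = os.path.splitext(root.rstrip())[1]
        if inner_ext in DECOY_EXTS:
            reasons.append(f"double extension {inner_ext}{ext}")
    if "  " in filename:
        # Runs of spaces push the real extension out of view in many mail clients.
        reasons.append("whitespace padding before the real extension")
    if ext in ARCHIVE_EXTS:
        reasons.append(f"archive {ext}; inspect contents before opening")
    return reasons


def scan_message(raw_message):
    """Parse an RFC 822 message and return [(filename, reasons)] for suspicious attachments."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # message body or container part, not an attachment
        reasons = attachment_risks(filename)
        if reasons:
            findings.append((filename, reasons))
    return findings


def build_sample():
    """Constructed sample (not a real Mytob mail): a bounce-style lure with a .pif payload."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Mail delivery failed"
    msg.set_content("Your message could not be delivered. See the attached report.")
    # A few fake PE header bytes stand in for the worm body.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="readme.txt.pif")
    msg.add_attachment("plain notes, nothing suspicious", filename="notes.txt")
    return msg.as_string()


if __name__ == "__main__":
    for filename, reasons in scan_message(build_sample()):
        print(f"{filename}: {'; '.join(reasons)}")
```

The check deliberately ignores the From: header, for the reason given above: it is forged. A real gateway would quarantine rather than merely report, and would also look inside archives.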

3
Jul

Capitol One and Citibank Phishing Emails

Checking my Lycos inbox, I was surprised to see two emails from different “banks”, Citibank and Capital One. The funny thing is that both had almost the same sender address: alerts@capitolone.com and alerts@citibank.com. I immediately knew these were phishing, since I don’t have an account with either bank. Plus, the emails were ugly and obviously shoddy attempts at looking authentic.

The Citibank email looks like this:

[Screenshot of the Citibank phishing email]

The link points to a rather long URL under the .ru ccTLD, most likely a Russian site. The site is down at the moment; who knows when it will be back online.

The Capitol One email looks like this:

[Screenshot of the Capital One phishing email]

The link points to another long URL, which is also down at the moment. And if you are using Firefox, the browser warns that the URL is probably a Web forgery. Here’s a screenshot:

[Screenshot of the Firefox web forgery warning]

As I have said before, cybercrime is the in-thing today, and cash is the name of the game. So be very careful with all of your online transactions, and never follow a link in an email that claims to come from your bank: type the bank’s address into the browser yourself.
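The tells in these two mails (a sender domain one letter off the real bank, links whose host has nothing to do with the claimed sender, link text that shows one address while the href goes to another) are all mechanically checkable. The following is an added example written for this page, not the post’s own code or any mail provider’s: the brand list and the sample message are assumptions, and the sample uses reserved documentation addresses (203.0.113.0/24, .test) in place of the real phishing URLs.

```python
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand domains we expect "bank" mail to come from (assumed list for the example).
BRAND_DOMAINS = ["capitalone.com", "citibank.com"]


class LinkCollector(HTMLParser):
    """Collects (href, visible link text) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname: fine for .com/.ru, too naive for suffixes like .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(from_header):
    m = re.search(r"@([\w.-]+)", from_header)
    return registrable_domain(m.group(1)) if m else ""


def lookalike(domain, brands=BRAND_DOMAINS):
    """Return the brand domain this one imitates (capitolone.com vs capitalone.com), else None."""
    for brand in brands:
        if domain == brand:
            continue  # an exact match proves nothing: From headers are trivially forged
        if difflib.SequenceMatcher(None, domain, brand).ratio() >= 0.85:
            return brand
    return None


def analyze_links(from_header, html_body):
    """Return [(href, reasons)] for every link; an empty reasons list means nothing was flagged."""
    claimed = sender_domain(from_header)
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        url = urlparse(href.strip())
        host = url.hostname or ""
        reasons = []
        if url.scheme not in ("http", "https"):
            reasons.append(f"unexpected scheme {url.scheme!r}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("raw IP address instead of a hostname")
        if "@" in url.netloc:
            reasons.append("user@host trick in the URL")
        if registrable_domain(host) != claimed:
            reasons.append(f"link host {host} is not under the claimed sender domain {claimed}")
        # Visible text that looks like a URL but points elsewhere is the classic lure.
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable_domain(shown) != registrable_domain(host):
                reasons.append(f"visible text shows {shown} but the link goes to {host}")
        findings.append((href, reasons))
    return findings


# Constructed sample modelled on the post; reserved documentation addresses, not the real URLs.
SAMPLE_FROM = "Capital One Alerts <alerts@capitolone.com>"
SAMPLE_HTML = """
<p>Your account has been limited. Please verify your details:</p>
<a href="http://203.0.113.5/capitalone/verify.php?id=0001">https://www.capitalone.com/verify</a>
<p>Or use the <a href="http://www.capitalone.com.account-verify.test/login">secure login page</a>.</p>
"""

if __name__ == "__main__":
    print(f"sender domain {sender_domain(SAMPLE_FROM)} imitates {lookalike(sender_domain(SAMPLE_FROM))}")
    for href, reasons in analyze_links(SAMPLE_FROM, SAMPLE_HTML):
        print(href, "->", "; ".join(reasons) or "ok")
```

Note what the sender check cannot do: a From: line that exactly matches the bank’s domain is no evidence of authenticity, which is why the link analysis, not the sender, carries the decision.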

24
Jun

MS Excel Hit with Three Security Holes in a Month

Probably the most widely used application in the Microsoft Office suite, Excel has been hit with three security holes this month.

Microsoft has published a Security Advisory warning Excel users of a vulnerability that allows remote code execution. Affected users should apply the suggested workarounds, since this vulnerability is already being exploited: see here for a representative malware description.

Then it was found that entering a very long URL in an Excel cell causes a buffer overflow. Microsoft has not published any advisory for this vulnerability. Full Disclosure has the details here, and here is a description of malware that exploits it.

And lastly, another security hole in Excel has been discovered, involving Shockwave Flash objects embedded in a spreadsheet. The embedded Flash file may contain malicious script code, and it runs as soon as the workbook that embeds it is opened. Full Disclosure has the details here, and here is the description of malware that exploits this problem.

As usual, be careful when you receive an Excel file as an attachment to an unsolicited email, or in email from unknown or untrusted sources. Note that Microsoft has not yet released patches for any of these three vulnerabilities.

13
Jun

JavaScript Malware Exploiting Vulnerability in Yahoo! Mail

A vulnerability in Yahoo! Web-based services like Yahoo! Mail and Yahoo! Groups allows malicious JavaScript embedded in an email to execute automatically when the infected message is opened (in Internet Explorer, as F-Secure reports). Because the script runs inside the victim’s logged-in webmail session, it has whatever access to the account the user has, and no attachment needs to be opened. The email contains the following details:

Subject: New Graphic Site
Body: Note: forwarded message attached.
or
this is test

While it has no destructive payload yet, ISC warns that this could change in a jiffy. Proof? The first variant attempts to connect to a certain Web site, but a typo prevents the JavaScript from reaching the target site. Another variant was then released to correct the typo. So anything can happen in the next few days (if not hours).

Yahoo! is one of the largest and most commonly used Web-based email providers. Imagine the ramifications of this malware if it could do destructive things, like pulling in a file infector such as PE_DETNAT.E or an encryptor such as TROJ_PGPCODER.D.

Yahoo! is said to be addressing the issue already. Yahoo! Mail users should check their inboxes for the subject line stated earlier and delete those messages without opening them, since opening is what triggers the script.

Resources:
ISC blog entry
F-Secure Weblog entry
F-Secure Description
Trend Micro Description
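The root cause of a bug like this is a webmail front end that renders HTML mail without removing script. As an added example (not code from Yahoo! or from this post), here is an allow-list sanitizer in Python of the kind a webmail renderer runs over a message body before display; the tag and attribute lists, and the sample message built from the lure text above plus the usual injection vectors, are assumptions made for the illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-list: anything not listed is removed (the tag is dropped, its text is kept).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img", "ul", "ol", "li",
                "blockquote", "div", "span", "table", "tr", "td", "th", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                 "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Tags whose entire content is discarded, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "applet",
                     "noscript", "frame", "frameset"}
VOID_TAGS = {"br", "img"}


def safe_url(value):
    """Accept only absolute http(s)/mailto URLs; reject javascript:, data:, vbscript:, relatives."""
    if value is None:
        return False
    # Browsers ignore embedded tabs/newlines in a scheme ("java\tscript:"), so strip them first.
    cleaned = "".join(ch for ch in value.strip() if ch not in "\t\r\n")
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class MailSanitizer(HTMLParser):
    """Rebuilds an HTML body keeping only allow-listed tags, attributes and URL schemes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # attribute values arrive already unescaped
        self.out = []
        self._drop_depth = 0  # > 0 while inside script/style/iframe/...

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers and everything not allow-listed (style, class, ...) go
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctype and processing instructions fall through to the no-op defaults and
    # are dropped; IE honoured conditional comments, so they are not harmless.


def sanitize(html_body):
    parser = MailSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out)


# Constructed sample (not the actual Yahoo! worm): the lure text from the post plus the
# usual script-injection vectors, with a reserved documentation address as the target.
SAMPLE_HTML = (
    "<p>Note: forwarded message attached.</p>"
    '<script type="text/javascript">document.location="http://203.0.113.9/";</script>'
    '<img src="http://203.0.113.9/pixel.gif" onerror="alert(document.cookie)">'
    '<a href="jAvaScRipt:alert(1)" title="New Graphic Site">Open</a>'
    '<a href="http://203.0.113.9/site" style="expression(alert(1))">Site</a>'
    '<div onmouseover="alert(1)">hover <b>me</b></div>'
)
EXPECTED = (
    "<p>Note: forwarded message attached.</p>"
    '<img src="http://203.0.113.9/pixel.gif">'
    '<a title="New Graphic Site">Open</a>'
    '<a href="http://203.0.113.9/site">Site</a>'
    "<div>hover <b>me</b></div>"
)

if __name__ == "__main__":
    assert sanitize(SAMPLE_HTML) == EXPECTED
    print(sanitize(SAMPLE_HTML))
```

The design choice is the allow-list: a deny-list of known bad tags is what fails against the next encoding trick, whereas here anything the list does not name never reaches the output. A production renderer would additionally proxy remote images and run the result under a Content-Security-Policy, but the sanitizer is the step whose absence this worm exploited.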

6
Jun

AV Defines Payload Differently

AV companies define the word payload differently. As an arbitrary baseline, Wikipedia defines payload as follows:

the payload of a virus or worm is any action it is programmed to take other than merely spreading itself. The term is used for all intended functions, whether they actually work or not.

The Computer Desktop Encyclopedia says payload:

…refers to the software’s harmful results. Examples of payloads include data destruction, messages with insulting text or spurious e-mail messages sent to a large number of people.

Symantec has a similar definition:

This is the malicious activity that the virus performs. Not all viruses have payloads, but there are some that perform destructive actions.

Trend Micro has a different take on the definition:

The term payload refers to an action that a malware or grayware performs, apart from its main behavior. For example, payloads for a worm include all other actions it performs apart from its propagation routines.

Payloads can range from something that is relatively harmless, like displaying messages or ejecting the CD drive, to something destructive, like deleting the contents of a hard drive.

McAfee defines payload as follows:

Refers to the effects produced by a virus attack. Sometimes refers to a virus associated with a dropper or Trojan horse.

Among the Big Three’s definitions, Trend Micro’s deviates from Wikipedia’s and from the other two companies’. Kaspersky, Sophos, and F-Secure do not define payload at all. Uniformity has never been the AV companies’ forte; they don’t even name malware the same way. But based on these definitions we can safely say that payload refers to the malicious activities a piece of malware performs. We are stumped by Trend Micro’s definition, since it becomes problematic for Trojan horses.

Trojan horse is a general term that covers malware with very different behaviors. Under Trend Micro’s definition, the payload is whatever the malware does aside from its main routine. For Trojans we have to ask: what is a Trojan’s main routine? The answer depends on what kind of Trojan it is, whether a downloader, a dropper, a proxy server, and so on, so the same action would count as payload in one Trojan and as the main routine in another.

That’s why I prefer the others’ definition: it has all the bases covered.

29
May

The Future of Open Source Antivirus

In the book The World Is Flat, Thomas Friedman details the reasons behind the success of Apache, the free, open-source Web server. He says that community-developed software helped flatten the world: consumers can use software without buying it, and ordinary geeks are empowered to create and share. You do not have to be part of a large software company to create a killer app, and many people can collaborate on a single piece of software.

Basically, Friedman argues that flattening the world means empowering people and replacing top-down structures with peer associations.

He uses Apache as an example of successful free, open-source software, and also mentions Linux, OpenOffice.org, and GIMP.

Microsoft and other software companies are divided on the issue of open source. Microsoft’s position, according to Friedman, is that open source does not reward innovators financially, and without that financial reward, R&D suffers. Bill Gates himself has stated that capitalism drives innovation.

And let’s face it, support for free or open-source software is at best limited to online forums and knowledge bases.

That brings me to antivirus. There is one free, open-source antivirus out there: ClamAV (and its Windows port, ClamWin). There are also free, but not open-source, antivirus products: Alwil’s avast! Home Edition, Avira’s AntiVir PersonalEdition Classic, and Grisoft’s AVG Free Edition. All of them offer limited support compared with what the Big Three (Symantec, McAfee, Trend Micro) provide.

In tests, these free AV products fared well on several counts but had problems detecting new malware and spyware. ClamAV is not even usually tested: here is a PC Magazine report, and ClamAV is not included. (Look at AV-Test.org and Virus Bulletin to check how AV software performed in several tests.)

Given that open-source AV has not proven itself in these tests and comes with no support, users are advised to use the free products from Alwil, Avira, and Grisoft.

What should ClamAV do now? Keep developing the product, concentrate on heuristics and behavior-based detection research (intrusion detection would be a bonus), and ClamAV will give the Big Three a run for their money. That will not happen very soon, but time is on their side. They should take advantage of the community of geeks out there and empower them; consumer interest will follow.

In conclusion, Microsoft’s opinion on innovation is basically correct: it is human nature to seek reward for accomplishments, and money is a great motivator. But Microsoft and its adherents forget that humans also tend to seek approval from peers and to contribute to the common good; Friedman believes that is what drove the success of Apache and other open-source products. Don’t underestimate the power of human nobility.

26
May

Smart Bill Just Shrunk

No, I am not talking about my Smart bill being smaller than before (how I wish, but with 12% RVAT, that’s wishful thinking). It’s the current bill, sent in a significantly smaller envelope, which shrinks the bill itself. A cost-cutting measure, yes. Maybe Smart has already realized that it will be harder to sustain the glorious growth of the last five years.

17
May

Antispam Company Folds After Spam Attack

Wired News reports that an Israeli antispam company has decided to close shop after a vicious spam attack took down its database server and several other sites:

In an interview with Wired News, Blue Security CEO Eran Reshef said the Israel-based company was closing its service Wednesday since he did not want to be responsible for an ever-escalating war that could bring down internet service providers and websites around the world and subject its users to denial-of-service attacks from a well-organized group in control of a massive army of computer drones.

“Our community would very much like us to continue on the fight against spam, and our community has grown over the last week,” Reshef said. “But at the end of the day if we continue doing so, within a few days, major websites will go down. I don’t feel that this is something I can be responsible for. I cannot go ahead and rip up the internet to make Blue Security work. This is not the decision a commercial entity can make.”

A concerted effort against spam should be made by all concerned. It’s getting out of hand. In a day I receive about 120 spam emails in my Yahoo! account; I do not even dare look at my Gmail account’s spam folder, since that address is the one I usually use for online services and forums.

7
May

SpyCar – Test Your Anti-Spyware

Try SpyCar to test whether your anti-spyware is capable enough to protect your computer. Note that signature-based anti-spyware might score low in this test, since SpyCar exercises spyware-like behaviors rather than delivering known samples.

Read the EULA carefully before starting the test.