In case you missed this bit of security news last week, according to Heise Security -

"A team of researchers from Bonn University and RWTH Aachen University have analysed the notorious Storm Worm botnet, and concluded it certainly isn't as invulnerable as it once seemed."

Analysts have found it difficult to traverse the Storm botnet without being detected: discovery usually leads to a DDoS attack on the researcher. Having carried out such research covertly, and then claiming that the botnet can be rapidly taken down, is highly significant in terms of the resultant reduction in spam levels and in the botnet's ability to carry out DDoS attacks.

Microsoft's attempts to disrupt the botnet with the Malicious Software Removal Tool, while not definitive, are proving successful. Malware analysts and observers far and wide welcome the news that these researchers have gone one step further by announcing it is theoretically possible to fatally damage the Storm botnet with a single strike.

But, the researchers have noted that there are legal concerns involved in the solution. It's ironic that a single strike that has the potential to take the Storm botnet down from the inside is punishable under German law (and the same may be true in other parts of the world, as well). The Storm botnet is so significant that most people would agree that, when it comes to permanently disrupting it, the end justifies the means. This particular situation gives rise to an ethical dilemma but, ultimately, using illegal methods is not acceptable, however frustrating it may be. Still, even if the researchers are not able to deploy this solution, the data gathered from this research will take us a significant step towards combating and defeating Storm.


The business-oriented social networking site, LinkedIn, has had a recent bout with malware, as you may have seen by all of the buzz this week in the news headlines. As most of you who use them know, social networking sites, while having many advantages to users, have long been targeted by socially engineered scams - meaning you need to take care when roaming around on these types of sites.

In terms of the issues seen lately on LinkedIn, profiles on the site were created to act as a staging point for the distribution of 'FakeAlert' software. This malware serves typical scareware messages claiming that your machine is infected and that you should install the rogue anti-malware application that the warning message is peddling. Despite the FTC's recent efforts in tackling the scourge of rogueware, the fact that these applications continue to proliferate proves they still provide a significant return on investment for malware authors.

The LinkedIn profiles themselves consisted of links that claimed to lead to pornographic images/video content of various celebrities. Upon landing at these sites, victims were invited to install a codec to allow them to view the (non-existent) video; the file was not a video codec, but malware. This method of attack continues to prove extremely effective. The social engineering technique being applied is, sociologically, extremely interesting: despite users' increasing awareness of Internet safety (i.e. maintaining download discipline, avoiding untrustworthy sites, and generally being aware of the pitfalls when navigating the seedier side of the 'net), using a combination of celebrity and sex as a lure continues to work.

On the plus side, LinkedIn.com has worked very quickly to deal with this threat - it's encouraging to observe the site's administrators' rapid response time. When the scam first became apparent, many profiles were removed immediately. Currently, all of the malicious profiles that we located have now been cleaned up.


Microsoft is releasing another "out of band" update tomorrow. This update is to fix a recently discovered zero day vulnerability in Internet Explorer 7 that is actively being exploited.

More information about the vulnerability can be found at Microsoft's Security Advisory page.


Recently, we came across this rogue: Antivirus Plus. What makes this one different from others is that it was distributed directly as a fake video codec; the fake alert step in between has now been removed.

[Screenshot: fake codec install]


AntivirusTrigger is a new rogue anti-spyware application and a clone of VirusTrigger. It will give exaggerated threat reports on the compromised computer then ask the user to purchase a registered version to remove the reported threats.

[Screenshot: AntiVirusTrigger's GUI]


...they snatch their "presents" from gullible computer users!

As the holidays are quickly approaching, many people around the world plan to do some serious shopping for Christmas presents. Unfortunately, this time of year also means a peak in cyber crime activity. In shopping malls - and other crowded places - thieves are lurking around, waiting to get their hands on people's well deserved earnings. One mistake, one lost moment, and your wallet may be gone forever.


You've probably heard the news on Microsoft's plan to discontinue its Windows Live OneCare and roll out "Morro", a free anti-malware application.


As the volume of malware increases, so does the number of signatures we add to Ad-Aware's Detection Database. Naturally, with the huge increase in bad stuff out there, the size of the definition files will grow in line with the number of malware detections we add.


We are disappointed to announce that the FRA-law that we discussed in yesterday's blog was actually accepted as law by the Swedish Riksdag (national government) yesterday. The number of delegates voting for the new law was 143 and the number of delegates voting against the law was 138. The number of delegates that were absent, and therefore did not vote, was 67. Only one delegate refused to vote on the matter. Apparently, there was "no time" to wait for a proper investigation of the entire proposal and the addendum, and the decision was to accept the law quickly and then wait for an extra addendum proposal this autumn. The fast process was highly criticized, but the directive was to come to a resolution before the summer holidays.


There is an ongoing debate about whether FRA, the Swedish National Defense Radio Establishment, should be allowed to extend their surveillance activities to include the surveillance of wire-based Internet traffic and phone conversations that cross the Swedish borders.

The proposed law was first discussed in 2007, and a decision was tabled during this past year. The proposal has resurfaced with the same vague wording as in the original proposal presented a year ago, and there are few clear rules for when such extended surveillance activities should or should not be allowed. There is also a big question mark regarding the authorization of the wire-based surveillance activities as well as the storage and the destruction of sensitive surveillance data.


In an attempt to bolster the number of drones in their botnet, the Storm Gang has started sending out more spam email.


You may read product reviews, but how much do you know about the anti-malware product testing process?

We'd like to call your attention to one of our recent white papers, "How NOT to Test Anti-Malware Products" by Lavasoft CTO Joe Wells. You can find the article online in the Lavasoft Security Center.

Stay tuned for future white papers on the subject of correct anti-malware product testing.