thadmiller writes "Comcast is launching a trial on Thursday of a new automated service that will warn broadband customers of possible virus infections if the computers are behaving as if they have been compromised by malware. For instance, a significant overnight spike in traffic being sent from a particular Internet Protocol address could signal that a computer is infected with a virus, taking control of the system and using it to send spam as part of a botnet." Update: Jason Livingood of Comcast's Internet Systems Engineering group sent to Dave Farber's "Interesting People" mailing list a more detailed explanation of what this trial will involve.

itwbennett writes "If antivirus protectors could collect data from machines and users, including geographic location, social networking information, type of operating system, installed programs and configurations, 'it would enable them to quickly identify new malware strains without even looking at the code,' says Dr. Markus Jakobsson. In a recent article, he outlines some examples of how this could work. The bottom line is this: 'Let's ignore what the malware does on a machine, and instead look at how it moves between machines. That is much easier to assess. And the moment malware gives up what allows us to detect it, it also stops being a threat.'"

An anonymous reader writes with this excerpt from Help Net Security: "In the never-ending battle to protect computer networks from intruders, security experts are deploying a new defense modeled after one of nature's hardiest creatures — the ant. Unlike traditional security devices, which are static, these 'digital ants' wander through computer networks looking for threats ... When a digital ant detects a threat, it doesn't take long for an army of ants to converge at that location, drawing the attention of human operators who step in to investigate. 'Our idea is to deploy 3,000 different types of digital ants, each looking for evidence of a threat,' [says Wake Forest Professor of Computer Science Errin Fulp.] 'As they move about the network, they leave digital trails modeled after the scent trails ants in nature use to guide other ants. Each time a digital ant identifies some evidence, it is programmed to leave behind a stronger scent. Stronger scent trails attract more ants, producing the swarm that marks a potential computer infection.'"

Erik writes "Wordpress, the popular open-source Content Management System (CMS) for many thousands of bloggers worldwide, is under attack from a 'clever' worm that automatically compromises unpatched versions of the Wordpress system. The particularly nasty bug crawls the web for vulnerable Wordpress installations, installing malware, deleting content, and generally wreaking havoc wherever it can. Today, Wordpress founder Matt Mullenweg eloquently implored Wordpress bloggers to update more frequently. Originally, updating the Wordpress system was a rather laborious process; however, newer versions offer fast and simple one-click upgrades. The two most recent versions of Wordpress (2.8.3 and 2.8.4) cannot be attacked by the worm discovered this week, and blogs hosted at Wordpress.com are also apparently immune."

Frequent contributor Bennett Haselton writes with an idea that he thinks could help keep browsing on Microsoft's browser more secure for users — and benefit Microsoft as a result. "Tests show that IE's malware filter performs well against other browsers that use the Safe Browsing blacklist from Google. But wouldn't IE's filter be even more effective if it used both filter lists at the same time? And are the political obstacles to that really so insurmountable?" Read on for the rest of a plan that seems a lot more than half-baked.

caffiend666 writes "A newly found deep ocean worm 'can cast off green glowing body parts, a move scientists think may be a defensive effort to confuse attackers. Researchers have dubbed the newly discovered critters "green bombers." ... The first of the new species has been given the scientific name Swima bombiviridis. ... [T]he worms are able to regenerate the body parts.' So, it's a naturally occurring animal that rips off its arms and throws them, and we're not talking about a game from ID Software?"

dasButcher writes "Viruses and worms get all the headlines, but poor password management is a worse problem according to a new study by Channel Insider and CompTIA. As Larry Walsh writes in his Security Channel blog, VARs and security service providers say they find more problems with password management than antivirus applications when they do security assessments. While password problems are nothing new, Walsh and those posting on his blog correctly assert that users remain cavalier about passwords and businesses are doing too little to address this serious vulnerability."

darthcamaro writes "Remember Conficker? April first doom and gloom and all? Well apparently after infecting over five million IP addresses, it's now an autonomous botnet working on its own without any master command and control. Speaking at the Black Hat/Defcon Hat security conference in Las Vegas, Mikko Hypponen, chief research officer at security firm F-Secure, was told not to talk in detail about the Conficker gang — the problem is that not all researchers were under the same gag order. Just ask Roel Schouwenberg, senior anti-virus researcher at security firm Kaspersky, who says 'The Conficker botnet is autonomous; that is very strange in itself that they made Conficker replicate by itself. Now it seems like the authors have abandoned the project, but because it is autonomous, it can do whatever it wants and it keeps on trying to find new hosts to infect.'"

holdenkarau writes "Several news sources (Mashable, The Inquistr, etc.) are reporting that AT&T is blocking img.4chan.org in the southern United States. That server is used for the infamous /b/ board (the home of anonymous). TechCrunch calls the decision to block 4chan 'stupid,' noting that they may have 'opened perhaps the most vindictive, messy can of worms.' The Inquisitr suggests that 'The global internet censorship debate landed in the home of the free.' moot (who runs 4chan) asks users to call AT&T, while some others suggest more drastic action (like cutting AT&T fiber)." Update: 07/27 09:23 GMT by T : Readers' comments below suggest that a) the purpose of the block was to curtail the effects of a serious DDoS attack and b) that the block has now been lifted, at least for some regions.

tsu doh nimh writes "Several news sources are reporting that the tens of thousands of Microsoft Windows systems infected with the Mydoom worm and being used in an ongoing denial of service attack against US and S. Korean government Web sites will likely have their hard drives wiped of data come Friday. From The Washington Post's Security Fix blog, the malware is 'designed to download a payload from a set of Web servers. Included in that payload is a Trojan horse program that overwrites the data on the hard drive with a message that reads "memory of the independence day," followed by as many "u" characters as it takes to write over every sector of every physical drive attached to the compromised system.' ChannelNews Asia carries similar information."

CWmike writes "Microsoft's new free security software, Windows Security Essentials, passed a preliminary antivirus exam with flying colors, said independent and trusted firm AV-Test, which tested Essentials, launched yesterday in beta, on Windows XP, Vista and Windows 7. It put it up against nearly 3,200 common viruses, bot Trojans and worms, said Andreas Marx, one of the firm's managers. The malware was culled from the most recent WildList, a list of threats actually actively attacking computers. 'All files were properly detected and treated by the product,' Marx said in an e-mail. 'That's good, as several other [antivirus] scanners are still not able to detect and kill all of these critters yet.' It also tested well on false positives."

alphadogg writes "Forget spam, viruses, worms, malware, and phishing. These threats are apparently old-school when compared to a new class of denial-of-service attacks that threaten wireless data networks. The threats were outlined in a talk in NYC Thursday by Krishan Sabnani, vice president of networking research at Bell Labs, at the Cyber Infrastructure Protection Conference at City College of New York. Sabnani said they are the result of inherent weaknesses in Mobile IP, a protocol that uses tunneling and complex network triangulation to allow mobile devices to move freely from one network to another. 'We need to especially monitor the mobile networks — with limited bandwidth and terminal battery — for DOS attacks,' Sabnani said, adding that the newest DOS attacks on wireless networks involve repeatedly establishing and releasing connections. These attacks are easy to launch and hard to detect, he said."

snydeq writes "A new attack that peppers Google search results with malicious links is spreading quickly, CERT has warned. The attack, which can be found on several thousand legitimate Web sites, exploits flaws in Adobe software to install malware that steals FTP login credentials and hijacks the victim's browser, replacing Google search results with links chosen by the attackers. Known as Gumblar because at one point it used the Gumblar.cn domain, the attack is spreading quickly in part because its creators have been good at obfuscating their attack code and because they are using FTP login credentials to change folder permissions, leaving multiple ways they can get back into the server."

Frequent Slashdot contributor Bennett Haselton writes with his idea for mass adoption of anti-virus software: "If the US government did more to encourage people to keep their computers secure — by buying TV ads to publicize free private-sector anti-virus programs, or subsidizing the purchase of anti-virus software — we'd all be better off, on average. That's not just idealistic nanny-statism, but something you can argue mathematically, to the point where even some libertarians would agree." Read on for the rest of Bennett's thoughts.

CurtMonash writes "Twitter was hit Saturday by a worm that caused victims' accounts to tweet favorably about the StalkDaily website. Infection occurred when one went to the profile page of a compromised account, and was largely spread by the kind of follower spam more commonly used by multi-level marketers. Apparently the worm was an XSS attack, exploiting a vulnerability created in a recent Twitter update that introduced support for OAuth, and it was created by the 17-year-old owner of the StalkDaily website. More information can be found in the comment thread to a Network World post I put up detailing the attack, or in the post itself. By evening, Twitter claimed to have closed the security hole."

nk497 writes "Conficker seems to finally be doing something, a week after hype around the worm peaked on April Fool's Day. It has now downloaded components from the Waledac botnet, which could contain rootkit capabilities. Trend Micro security expert Rik Ferguson said: 'These components have so far been missing, but could this finally be the "other boot dropping" that we have all been been waiting for?' Ferguson also suggested that people behind Conficker could be the very same who are running Waledac and created the Storm botnet. 'It tallies with some of the assumptions people have made about Conficker — that the first variant was actively trying to avoid the Ukraine because Waledac was Eastern European,' Ferguson added."

nk497 writes "Microsoft is warning that malware writers have adapted a four-year-old virus to use features of Conficker to take advantage of Windows flaws. Other similarities between the adapted Neeris worm and Conficker are that it downloads a copy of the worm from the attacking machine using HTTP, spreads via autorun, and uses a driver to patch the TCP/IP layer of the system. It even saw a traffic jump around the first of April, when the Conficker hype peaked. But the Microsoft researchers suggested Conficker may have copied Neeris, or that they're copying each other: 'It is possible that these miscreants somehow collaborate or at least are aware of each other's "products."'"

walrabbit writes "Wang et al (2009) (from Albert-László Barabási's lab) modeled the spread of mobile phone viruses based on anonymised call and text logs of 6.2 million customers spread over 10,000 towers. Their simulations shows that the spread is dependent on the market share of a particular handset, human mobility and mode of spread: bluetooth or MMS or hybrid. 'We find that while Bluetooth viruses can reach all susceptible handsets with time, they spread slowly due to human mobility, offering ample opportunities to deploy antiviral software. In contrast, viruses utilizing multimedia messaging services could infect all users in hours, but currently a phase transition on the underlying call graph limits them to only a small fraction of the susceptible users. These results explain the lack of a major mobile virus breakout so far and predict that once a mobile operating system's market share reaches the phase transition point, viruses will pose a serious threat to mobile communications.' You can read the full text (PDF) and supporting online information (PDF) (with interesting modelling data and diagrams)." (Also summed up in a short article at CBC.)

Nieriko writes "Reports are trickling in about the impact from the Conficker worm, as infected systems passed zero hour at midnight and began downloading additional malicious components. Here are a couple of the more notable incidents caused by Conficker so far, according to published reports: — '... shortly after midnight local time, an ATM in the capital city of Reykjavik began spewing 100-Krona notes. ... A nuclear missile installation near Elmendorf Air force Base outside of Anchorage, Alaska briefly went on a full-scale military alert after technicians manning the bunker suspected that several of their control systems were infected with Conficker.'"

Dan Kaminsky writes "We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project'sTillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."