antiworm

Patches were released and risk assessment on Microsoft Internet Explorer vulnerabilities was requested. I'm sorry to report that risk assessment of this particular type is rather simple. I can describe it in three steps. (1) The risk of the vulnerability being exploited is real, and high. The nature of the vulnerability itself doesn't much factor into the assessment. What matters most is how many systems do you have running the software with the vulnerability, and how important are those systems. If history is any guide, these vulnerabilities will be exploited by dozens, hundreds, or even thousands of variants of malware, over the next days, weeks, and months. Recently announced vulnerabilities affecting the Microsoft Internet Explorer can be used to install and execute software on the system, when that system has accessed a malicious or benevolent-but-compromised web site. Vulnerabilities like this one have been exploited by literally hundreds of bits of malware i...

The discovery of the W32/Sdbot-UJ worm, which employed the technique of network sniffing, has shone a bit of light on a dark corner of the worm universe. W32/Sdbot-UJ has sometimes been reported as the first worm to perform network sniffing, but almost certainly it was not. It may have been the first such to be captured and analyzed by an AntiVirus vendor, I don't know. This worm employs a technique thought for years by some security professionals to be used by "slow scanners". I say "thought to be used" because it turns out this particular class of worms is difficult to study and not perceived universally as much of a threat. Some professionals even dispute whether Slow Scanners exist, yet. (Everyone seems to agree that if they don't, they will soon enough.) Slow Scanner worms are not widely reported in the media, partly because they are not as flashy as the worms that hit millions of machines in a day and whose propagation efforts are so aggressiv...