A very clever April Fools

The folks at SecurityLab have a hoax up which uses XSS (Cross Site Scripting).  It teaches a valuable security lesson, while having some fun.  

Link: http://www.securitylab.ru/news/extra/293608.php

Alex Eckelberry
(Hat tip to Gadi Evron)


The ANI exploit and CounterSpy and Ninja

This exploit is something of concern. 

Some updates:

CounterSpy: CounterSpy detects the ANI exploit as “Trojan-Exploit.Anicmoo.ax (v)” in definition set 526.  Incidentally, VirusTotal coverage as of 1:30 CET today is here.

Ninja: Since email is a potential attack vector, securing that area is of some importance.  The full version of our Ninja Email Security product includes two AV engines — Authentium and BitDefender.  However, many customers only run the antispam portion of Ninja.  So while the BitDefender AV engine in Ninja does detect these malformed .ani files, this will only be useful to customers if they’re using Ninja’s AV functionality.

However, Ninja does include intelligent attachment filtering, which looks past the extensions of many file formats to see what type of file is actually being sent.  So we just posted an updated set of SMART definitions for anyone using Ninja 2.1.xxx which will allow you to create an attachment filtering rule to block .ani files regardless of what they have been named. In this way, even if you’re not using Ninja’s AV functionality, you can still block these files from getting to your users. 

Alex Eckelberry
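
The idea behind content-based attachment filtering, as an added example (this is not Ninja's SMART definition format or Sunbelt code): an .ani file is a RIFF container whose form type is "ACON", so a filter can recognize it from the first 12 bytes whatever the file is named. The function names and the sample attachments are constructed for illustration.

```python
import os
import struct

ANI_FORM = b"ACON"  # RIFF form type carried by animated cursor (.ani) files

def riff_form(data):
    """Return the 4-byte RIFF form type, or None if data is not a RIFF container."""
    if len(data) < 12 or data[:4] != b"RIFF":
        return None  # too short for a RIFF header, or a different format
    return data[8:12]

def make_riff(form, body=b""):
    """Build a minimal RIFF container; used only for the constructed samples."""
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + form + body

def apply_rule(attachments):
    """Split (filename, bytes) pairs into delivered names and blocked (name, reason)."""
    delivered, blocked = [], []
    for name, data in attachments:
        if riff_form(data) == ANI_FORM:
            ext = os.path.splitext(name)[1].lower()
            reason = "ani" if ext == ".ani" else "ani disguised as " + (ext or "no extension")
            blocked.append((name, reason))
        else:
            delivered.append(name)  # the name alone never triggers the rule
    return delivered, blocked

# Constructed sample attachments (header bytes only, no real cursor or mail data).
ANI_BODY = b"anih" + struct.pack("<I", 36) + bytes(36)
SAMPLES = [
    ("cursor.ani", make_riff(b"ACON", ANI_BODY)),    # honest name
    ("holiday.jpg", make_riff(b"ACON", ANI_BODY)),   # renamed to look like an image
    ("chime.wav", make_riff(b"WAVE")),               # RIFF, but not a cursor
    ("photo.jpg", b"\xff\xd8\xff\xe0" + bytes(16)),  # JPEG magic
    ("readme.ani", b"just text, not a cursor"),      # .ani name, no ANI content
    ("stub.bin", b"RIFF\x00"),                       # truncated header
]

if __name__ == "__main__":
    delivered, blocked = apply_rule(SAMPLES)
    for name, reason in blocked:
        print("BLOCK  ", name, "(" + reason + ")")
    for name in delivered:
        print("DELIVER", name)
```

A rule that matched only on the extension would deliver holiday.jpg; the content check blocks it and leaves the WAVE file and the text file named readme.ani alone.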


Oh Dear Lord: This man has actually named his product a “condom”

I’ve talked about unfortunately-named products before, but this absolutely takes the cake.

There’s a new product out called a Browser Condom.  

The description:

It’s and [sic] advanced technology that allow [sic] you to run any kind of software in your computer without a risk of be [sic] infected with any kindof [sic] virus, spyware, trojan and any kind of malware. (VTD) , Virtually  Transmitted Diseases.

The icon of the product is, well, a condom wrapper.

Why the name?   Was he inspired by the pictures of the Klik Revenue boys exuberantly playing with condoms?  Or the picturesque city of Condom, France?

There’s so much room for so much humor here, it’s difficult to contain oneself.

But I run a respectable blog here, really.  So I’ll let you do the dirty work:   Comment away…

Alex Eckelberry
(A copious acknowledgment to Paperghost, who blogged first about this.)


Ani format exploit — reading in plain text may still be vulnerable

A surprising post at SANS this morning:

A short overview of how the different email clients (in the supported list of Microsoft) are reacting to the animated cursor vulnerability (CVE-2007-1765) depending on the actions and settings of the email client.

The surprising element is that read in plain text mode makes some of the clients more vulnerable and actually only offers real added value -for this vulnerability- for Outlook 2003.

More here (via Donna).

This is not a vulnerability to be taken lightly…

Alex Eckelberry


Preview of CounterSpy Enterprise 2.0


Greg Kras and I will be giving a preview of our new CounterSpy Enterprise 2.0 next Tuesday.  (This is the version of CounterSpy designed for business use). 

If you want to take a look, please join us:

A First Look at CounterSpy Enterprise 2.0
When: Tuesday, April 3, 2007 2:00 PM (EDT)
To join the day of the event please visit:

Meeting ID: 92SSQC
Attendee Meeting Key: XR*mw9Z
Audio: Toll free: +1 (800) 416-4956
Toll: +1 (978) 964-0050
Participant code: 104764

Alex Eckelberry

Beware fake IE 7 downloads

There is spam out there that tries to get you to download IE 7.  It’s fake, of course.  When you click on the image, you are then offered to download a trojan (Sunbelt Sandbox analysis here, VirusTotal results here).  Antivirus coverage is mediocre.


And just for fun, check out the source code of this spam.

Alex Eckelberry


Battle stations: New “ani” zero day being hunted

The folks over at McAfee have written today about a new zero day, and it doesn’t look pretty. Our team is on high alert for this exploit and we are actively hunting for any sites which are using it.

From McAfee:

Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently.

The ani format is an animated cursor format. We’ll post more information as we get it.

Alex Eckelberry

Update:  Microsoft security advisory here.