

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VIII - Issue #7

January 24, 2006

Flash Report:
SANS Internet Storm Center has found that more than 500,000 personal computers have been infected by the 'Grew' worm (it goes by a number of different names, e.g. 'Nyxem'). On February 3rd, it will delete all documents (Word, Excel and a number of others). Make sure your mom and your kids (and everyone else who may call you when they lose data) update their AV signatures and run a full scan. "Update now or all your files may get lost." A special Storm Center website on the problem:

This site will be updated as more information is discovered.


FBI Study Pegs Cyber Crime Losses at $67 Billion
Online Banking Fraud Tripled in UK; Banks Asked To Improve Security
Google Refusing to Comply with Government Request for Search Data
Lawsuits Have Not Put a Dent in Illegal Downloading


Eight Arrested in Connection with Phishing Ring
Guilty Plea in Botnet Case
Center for Democracy and Technology Files Adware Complaints with FTC
Heap Overflow in KDE Desktop Environment
Nyxem Worm Aims to Overwrite Files
Symbian Trojans Detected
E*Trade Will Cover On-Line Fraud Costs for Customers

************************* Sponsored by Permeo ***************************
New security ebook on Information Theft Prevention

In The Definitive Guide to Information Theft Prevention, security author Dan Sullivan provides advice on information protection and privacy regulations; how to tackle threats from unmanaged devices; how to secure managed devices; and how to leverage new security technologies. This guide also discusses risk management, incident responses and emerging best practices around information security.
Download Chapter 1 now!
Security Training Opportunities in the Next Four Weeks

SANS 2006 in Orlando (Feb 24 - March 4): 36 tracks of extraordinary training, the best instructors in the world, and a great security tools exposition. Lots of people are bringing their families to Orlando to join them at the end of the program.

Plus: San Francisco, Phoenix, St. Louis, Brisbane, Tokyo, Ottawa. Or you can take SANS training anytime, anywhere with the new SANS On Demand.

Details on these and other programs:


FBI Study Pegs Cyber Crime Losses at $67 Billion (19 January 2006)

An FBI study of 2,066 firms found that 90% had experienced cyber crime events and 64% had experienced financial losses from such events. Worms and viruses caused the most damage despite the defenses most organizations had put in place. Average losses were $24,000.

Online Banking Fraud Tripled in UK; Banks Asked To Improve Security (23 January 2006)

The Financial Services Authority (FSA) in the United Kingdom has called on banks to increase security measures to protect customer accounts. FSA reports that online bank fraud tripled in the first half of 2005 compared with the same period in 2004. Lloyds issued 30,000 security devices to customers in a pilot project.

Google Refusing to Comply with Government Request for Search Data (23/20/19 January 2006)

Google is resisting government requests for data on its search engine usage. The two requests the government has made are for a random sample of 1 million web site addresses in its search engine index and for the text of all queries made on the search engine during a specific week. The government maintains it needs the records from Google to prepare its defense in a lawsuit brought by the American Civil Liberties Union. The lawsuit challenges the Child Online Protection Act (COPA) on the grounds that it violates the First Amendment. The government wants the information to help support its claim that COPA is stronger than Internet content filtering in efforts to prevent minors from accessing pornographic Internet content. Google believes the government's demand for information is overreaching. Other search engine operators, including Microsoft's MSN and Yahoo, have complied with the government's request for search data. Both say no personal information was revealed.
[Editor's Note (Grefer): People concerned about having their originating IP address revealed might consider services of an anonymizing proxy server and/or network, such as "tor" - The Onion Router. Expect slower response time using an anonymizing service. See

Lawsuits Have Not Put a Dent in Illegal Downloading (20 January 2006)

The International Federation of the Phonographic Industries (IFPI) says that despite thousands of legal cases regarding illegal file sharing being brought to the courts, "the level of file sharing has remained the same for two years." Although IFPI chairman John Kennedy sees the fact that piracy has not increased as a victory of sorts, he also believes that the number of court cases brought against illegal file sharers needs to increase in order to reduce the level of piracy.
[Editor's Note (Schultz): Although perhaps lawsuits have not suppressed illegal downloading so far, I believe that if the entertainment industry keeps initiating court cases, sooner or later the user community will get the message that illegal downloading produces undesirable consequences. At the same time, however, the entertainment industry needs to also keep pursuing other approaches (such as it has). It needs to continue putting pressure on organizations that develop and distribute peer-to-peer file sharing programs as well as to develop built-in copyright protection mechanisms, provided of course that these mechanisms are not like the draconian one that Sony recently tried. ]

********************* Sponsored Links: **********************************
1) Free webcast: Stop network attacks with intrusion prevention system. Featuring Gartner and a customer.

2) "Top 10 Database Vulnerabilities" whitepaper - What they are, how they work & how to stop them.

3) ALERT: YOU vs Sober/Zotob/Bagle Variants? Is Your Internal Network Safe? Download FREE White Paper "Zotob: Zero-Hour Detection and Response"



Eight Arrested in Connection with Phishing Ring (23 January 2006)

Eight people have been arrested in Bulgaria on charges they are involved with a group responsible for sending a phishing email. The group allegedly operated a number of phony Microsoft web sites; the phony email was sent with addresses spoofed to appear they came from Microsoft billing account management. Recipients were asked to divulge credit card information that ring members allegedly used to buy goods and make wire transfers.

Guilty Plea in Botnet Case (23 January 2006)

Jeanson James Ancheta has pleaded guilty in Los Angeles federal court to charges stemming from having taken control of hundreds of thousands of computers, establishing a zombie network and offering the use of its services to send spam and launch distributed denial of service (DDoS) attacks for a fee. A plea agreement in the case, which has not yet received a judge's approval, would give Ancheta a prison sentence of four to six years, have him forfeit US$58,000 in profit and a BMW and pay US$19,000 in restitution. Sentencing is scheduled for May 1.


Center for Democracy and Technology Files Adware Complaints with FTC (23 January 2006)

The Center for Democracy and Technology (CDT) has filed two complaints with the Federal Trade Commission (FTC) against 180solutions, a web-based marketer CDT claims is tricking people into downloading adware. The complaints accuse 180solutions of unfair and deceptive business practices. CDT deputy director Ari Schwartz says "there are many cases where there is no notice and consent (to download the adware and) there are others where there is deceptive notice and consent."
Links to the text of the complaints available on the CDT website:
[Editor's Note: A previous SANS NewsBites item stated that 180solutions has sued F-Secure because F-Secure labels 180solutions' software as spyware.
(Shpantzer): Ben Edelman's meticulous research on adware and the mechanics of affiliate marketing is a great resource for people who want to understand this complicated issue. 180solutions is covered on Edelman's site here:


Heap Overflow in KDE Desktop Environment (23 January 2006)

A heap-based buffer overflow vulnerability in the KDE desktop environment could be exploited to crash programs that use KJS, the JavaScript interpreter used in the Konqueror browser and "other parts of KDE." The flaw affects versions 3.2.0 to 3.5.0 of KJS. Fixes are available from various vendors; KDE released a patch last week.
KDE Advisory:

Nyxem Worm Aims to Overwrite Files (22/20/19 January 2006)

The Nyxem worm, also known as the Kama Sutra worm, carries a malicious payload that corrupts a wide variety of Microsoft documents. Nyxem arrives as an attachment and tries to delete security software. It also contains code that overwrites data in a wide variety of files.

Symbian Trojans Detected (23/20 January 2006)

A handful of Trojans that infect Symbian-based smart phone devices have been identified since the first of the year. The Sendtool Trojan places a tool on infected devices that can be used to send other malware to more devices via Bluetooth. The Pbstealer Trojan sends personal data from address books, calendars and task lists on infected devices to other Bluetooth-enabled devices. The Cdropper Trojan tries to install variants of the Cabir and Locknut viruses on infected devices. The Booton Trojan reportedly places corrupted components on phones it infects, which makes it harder to restart the phone.

[Editor's Note (Shpantzer): It's bad enough to have your smartphone infected (potentially making the phone an eavesdropping device, etc.). My main concern is that the infection can spread to the rest of the corporate network from the inside, once the phone is synced with the PC. ]


E*Trade Will Cover On-Line Fraud Costs for Customers (18 January 2006)

E*Trade says it will reimburse its customers if they are victimized by online fraud. In general, online brokerages place the responsibility for security squarely on the shoulders of the investors. The Securities and Exchange Commission has not issued guidelines for investment firms regarding data security; last year the Federal Financial Institutions Examination Council set data security guidelines for banks.
[Editor's Note (Kreitner): It's refreshing to see an organization take responsibility on its own initiative to be accountable for the well-being of its customers, just because it's the right thing to do, instead of avoiding accountability by hiding behind a heap of disclaimer language.
(Schultz): E*Trade has done the right thing. Unless users have been negligent in some way (e.g., by giving up their login credentials to others), financial institutions and brokerages should reimburse customers who are victimized by online fraud. South Korea recently passed a law with these provisions; it is now time for other countries such as the US and UK to do the same. (Honan): This positive and proactive step from E*Trade demonstrates how information security can be used as a competitive advantage rather than a hindrance. ]


NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit