Hello and welcome to the Thursday, February 19th,

2006 edition of the Sands and the Nett Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the Sandsdot edu graduate certificate program in industrial

control system security. Well, Xavier continues to be on a role this week with yet another piece

of malware to analyze. And in this case, it's actually a nice example on how to combine different

piece of malware with certain actors.

A week or so ago, Xavier did already talk about a piece of malware that used an MSI

wallpaper as part of its payload. Now, in that particular case, it was really just used

sort of to basically half an image to attach a coat to.

So the image itself, that wallpaper, could have been any other image.

But what Xavier found is that there's other malware that uses exactly the same image, suggesting that it was created by the same actor.

Also uses some other similar techniques and such as the Malber that Xavier covered in the past.

And overall, Xavier found a few hundred of pieces of submissions to a virus total that included this image, not all of them being labeled as malicious.

And that's where it gets interesting whether or not you should add something benign like this

image to some form of signature.

Maybe it's be interesting to sort of highlight certain samples and maybe look at them

with more detail or included as part of signature, of course not necessarily as the only

signature to look for malicious activity.

And yesterday, Dell released an update for Recovery Point for Virtual Machines.

This update is fixing fixed credential vulnerability,

so nothing really all too special here,

...