The Trojan in question created a thread which sent six SMS messages, the contents of which are obfuscated. However, what the Trojan is intending to do is still cloudy.

The ISC reader in question who alerted the site said he received the unsolicited message of garbled characters and a link to a .JAR (Java ARchive) containing the malware through ICQ.

Rather worryingly, according to ISC only 14 out of 41 AV products detected the JAR file successfully.

Rik Ferguson, senior security advisor at Trend Micro, one of the lucky 14 vendors which did detect the malware, said any mobile malware discovered is noteworthy, because there is so little of it around.

"It could be an attempt to find a way through Java to make it more cost effective to write malicious code because Java was designed to be cross-platform," he added. "It could be an attempt to overcome the homogeneity of the mobile platform."

Stay tuned for more updates.

The research assessed illegal trading of credentials on platforms such as Microsoft Xbox, Sony Playstation and World of Warcraft.

Garlik estimated that around 500,000 XBox Live credentials are being traded on a yearly basis, with a selling price of around £100 for 20 accounts.

It also warned that digital content delivery platform Steam is one of the most highly targeted, with hackers uploading infected add-ons for various titles which contain maliciousTrojan code

"Online games-related account theft is definitely a problem, and while some companies have tried to combat such activity it's an issue that isn't taken seriously enough by most gamers," said Phil Elliott, managing editor of videogames business site GamesIndustry.biz.

"There's a clear risk that compromised personal data could be used for further serious activity."

To minimise their risk exposure, Garlik has warned users not to use the same password for online gaming as banking and other accounts.

The news also comes just a few days after security vendor Webroot reported an "astonishing volume" of phishing Trojans, designed to steal licences, usernames and passwords from gaming accounts.

"These single-purpose Trojans are very good at what they do, and can rapidly (and silently) report the desired information back to servers -- typically, perhaps unsurprisingly, located in China," wrote Webroot's Andrew Brandt on the firm's threat blog.

Can this really be true? Are PC users really that stupid? Well, as long as the survey wasn't carried out with a select bunch of Luddites, the implications are fairly alarming.

The sheer scale and constantly evolving nature of malware today means regular security updates are essential if your PC is to remain as resistant to attack as it can be. But if, as the research suggests, 40 per cent of women and just 20 per cent of men remember to switch on their automatic updates, the future looks grim.

Of course, enterprise PCs will have the requisite policies and technologies in place to minimise the risk of infection, so why care about the consumer sphere?

Botnets are the source of most evil these days; sending spam, launching denial of service attacks and firing off more malware. Until users take the security of their systems more seriously, these botnet-based attacks will continue to make corporate information security chiefs work hard for their money.

An interesting footnote is the 56 per cent of consumers who ignore security alerts when they flash up. This is a concern that security software companies must consider carefully. Are security notices generally too frequent, rendering the important ones lost in the noise? Should consumers be given an easier way to set alert levels? At the very least, a bit of food for thought.

A survey by access management firm Courion found that, although the majority of IT managers reckon that terminated employees will not attempt to remotely access data, over half admitted to having no real idea of what access routes remain active after someone leaves the company.

"The fact that 53 per cent of IT managers are largely unaware of employee access rights is of great concern, and has been exacerbated by the high frequency of mergers and acquisitions in the current climate," said Stuart Hodkinson, general manager at Courion.

"The time for over confidence has passed. It is important for IT managers to close these holes by undertaking regular audits, and ensuring that employees have access only to the information they need to do their jobs."

This proliferation of what Hodkinson calls "zombie accounts" is also aided by the fact that 28 per cent of respondents said that their company still provisions accounts manually, making delays and errors in deactivation much more likely.

The survey found that nearly half of businesses take more than a day to inform the IT department of a departing employee, and around a third admit that it takes more than a week to shut off access to systems.

Hodkinson sees this as a worrying window of opportunity for disgruntled employees to attack internal systems, or obtain valuable information that could cost the company a lot of money and tarnish its reputation.

The survey also revealed that nearly one in 10 companies could never be completely certain that terminated employees no longer have access to IT systems.

In a blog posting, the firm's Andrew Brandt said that the Webroot Threat Research Group had been tracking an increase in this kind of activity since the start of the year.

He said the researchers had noted an "astonishing volume" of phishing Trojans, designed to steal the licence keys that gamers use to install copies of legitimately purchased games, and also the usernames and passwords which players use to log in to their accounts on games such as World of Warcraft.

"These single-purpose Trojans are very good at what they do, and can rapidly (and silently) report the desired information back to servers -- typically, perhaps unsurprisingly, located in China," wrote Brandt on the Webroot threat blog.

"We know the exact servers they contact, and what kinds of information they're sending. And we know why: Thar's gold in them thar WoW accounts, and the rush is on to cash in."

According to Brandt, the method by which the initial executable file gets on a user's PC varies, with exploits in malicious iframes being commonplace. Once infected, PCs could end up with "metric tons of malware on them", he added.

"I can only imagine that it takes very little effort for the jerks behind this scheme to retrieve thousands of account details," wrote Brandt.

"With such an effortless infection method, and the difficulty of prosecution (let alone identifying the perps), they don't even seem to be concerned in the slightest about covering their tracks."

Brown and the rest of Parliament is getting ready for its summer holidays so in the midst of scurrying around looking for passports and toothbrushes he has somehow found the time to come up with the idea of publishing all MPs' expense claims online - in the next few days. It is thought that by making MPs more accountable in this way they may stop claiming for things like funeral wreaths and duck habitats.

Doing anything in the 'next few days' doesn't sound like a good idea to us. It has the ring of a rush around it and given the sensitivity of the information involved it really ought to come with the sort of protection that Danielle Lloyd rolls with these days. And that is likely to take a bit more time than the quoted few days.

Unlike the old system, the fact that this one is online will make it open to abuse from both internal and external sources, whether that's admin staff accidentally leaving a USB stick containing expenses details on the train, or attackers trying to hack into the system. And given that the old system couldn't cope with internal abuse we can't help but worry how it will handle a nation full of disgruntled voters and a million sweaty keyboards.

Anyway, like most government backed online initiatives it is bound to run years over schedule, cost billions, and then fall over due to demand on launch - maybe they could use an extra few days to actually make sure that it works.

The IP network provider announced Asset Assurance, a new suite of fault management and monitoring tools and reporting capabilities available to Verizon Private IP customers as a service.

Based on CA's Spectrum Infrastructure Manager, Asset Assurance is a SaaS-based solution combining device monitoring, alarming, fault isolation, root-cause analysis, service-level reporting and IT service management.

An Internet Security Assessment service will provide analysis of potentially harmful traffic, including Virtual Discovery & Classification and External Risk Assessment, supported by professional services.

And new managed security capabilities for Verizon Secure Gateway-Firewall are designed to prevent customers from harmful traffic as they transfer voice and data from public to private networks.

Verizon Business is marketing these solutions at companies of all sizes, saying its flexible billing model will appeal to all.

"IP networks have fast become the heart of most business operations worldwide, which means that companies, more than ever before, are relying on network security and the performance of their business applications to fuel success," said Blair Crump, president of worldwide sales for Verizon Business.

"As a result, we've deepened our global Private IP capabilities to even further boost customer confidence that business communications within and beyond their corporate walls will perform seamlessly and securely."

The vulnerability was first made public when it emerged last November that researchers at Royal Holloway's Information Security Group had found the flaw, which could allow hackers access to sensntive data.

SSH, or the Secure Shell Protocol, was designed to provide a secure channel between networked devices by encrypting data and is widely used by system administrators to allow them to securely access remote systems and to transfer sensitive data across the internet, according to the ISG.

The team duly discovered a basic design flaw which opens up the possibility of limited plaintext recovery attacks against SSH.

Although the attack is difficult to achieve, it is a very dangerous flaw given the fact that SSH is meant to be bullet-proof, and because of what it is meant to protect.

And although the open source implementation of SSH, OpenSSH, as well as a commercial product techTIA, have been updated to include protection for the flaw, firms could still be at risk, according to Gartner analyst John Pescatore.

"If you're using an inexpensive web hoster, query them to make sure they've patched the flaw," he said. "In addition, quite often these open source technologies are built into other pieces of software, so it's important to check if you have some in use, in places you didn't know about."

He advised firms undertake vulnerability scans of their systems to detect if they are running any unpatched versions of SSH.

The commissioner for Information Society and Media, Viviane Reding, told the European parliament earlier this week that the commission "will start work without delay to consult widely and make proposals" regarding the extension of notifaction laws to all firms.

A contentious telecoms bill is currently working its way through parliament, which includes a clause to force ISPs and service providers to disclose any breaches.

In an exclusive interview with vnunet.com last October, European data protection supervisor Peter Hustinx said that any proposals to make data breach notification mandatory for all organisations would be "fair and in line with reality".

But the UK's data protection watchdog the Information Commissioner's Office has argued against such laws, saying it should be allowed to decide on a case-by-case basis whether an individual organisation should be forced to disclose a data breach.

The arguments against such laws usually state that they will desensitise the public to data breaches and thus lose their impact. There are also question marks about whether there should be a lower limit set on how many records are lost, after which point disclosure should be made mandatory.

But supporters of US-style laws say that they will help to give everyone a clearer idea of the scale of the data breach problem - information which will be especially helpful to law enforcers.

The vendor analysed over 680 million vulnerabilities out of which 72 million are critical, generated by around 80 million scans of its customers' systems last year.

According to the findings, the average time it takes for firms to patch just 50 per cent of the critical vulnerabilities they find has dropped a tiny amount from when similar research was done in 2004, to about 30 days.

Some industries are doing well - the service industry has the shortest recorded time of 21 days - while others are less good; manufacturing ranked last with 51 days, for example.

According to Qualys CTO Wolfgang Kandek, there is now consciousness about patching, which is an important step forward. He added that the figures may have appeared slightly disappointing because the vendor is now tracking more variants than in previous years, so there are in effect more vulnerabilities for customers to patch.

However, the danger lies now not with OS vulnerabities, which he agreed most customers have got on top of, but vulnerabilities in things like media players and other applications.

"The OS is OK but people are missing the other stuff," he warned. "Unfortunately, attackers are not at that level - they've got much better since 2004, with single or zero day threats now common."

Plenty of food for thought for CSOs at Infosecurity Europe this year then.

Blunkett's speech has been widely trailed already, with the former Home Secretary likely to launch an attack on the government's "woeful lack of awareness" of the threat to the Olympics posed by cyber terrorists.

Also coinciding with the event, as it did last year, is Information Security Awareness Week, an awareness raising project started by the Information Security Awarenss Forum (ISAF).

"This event will provide a focus for awareness activities for suppliers and consumers of advice, will give experts an opportunity for those promoting awareness to collaborate for greater effectiveness, and will deliver a platform for launching initiatives on which to build and whose benefits are expected to continue for the coming weeks and months," said chair of the ISAF, David King.

PBS is specifically designed for smaller firms which may not have the in-house expertise and resources to manage on-premise security products themselves, according to F-Secure

Version 4.0, which was announced today, features speed and performance improvements and new email and spam protection, according to the firm.

"For a smaller company the Protection Service for Business subscription-based solution is like having a specialist security workforce armed with the latest technology - at a fraction of the cost of hiring IT staff and buying the technology," argued Juha Ollila, vice president of corporate business at F-Secure.

Customers can buy the PSB as a service, or for the Standard version, buy it in a traditional license model.

The software-as-a-service model is gaining increasing acceptance among firms, as it can free up IT resources to concentrate on more strategic objectives.

F-Secure will be hoping that prospective customers are suitably scared intop buying the service, by recent vendor research showing massive growth in malware over 2008.

Written as part of the firm's helpful "securing social media" series, it seeks to explain how you can actually allow what many employees may view as a fantastic business tool, without incurring extra risk.

"Increasingly, it is being used as a communications tool between companies and their customers, to address customer service issues, market new services, share information, or monitor and research what's being said about a company online," says the guide.

"The main risk is similar to that of social networks such as Facebook: trusting networks of people who are unknown to us in 'real' life."

As the guide rightly mentions, most of the Twitter security risks come from potentially malicious links posted by potentially fake account holders, or even from friends' accounts which have been hacked. The increasing number of Twitter applications from third parties can also increase your risk exposure because most ask for your Twitter password, the guide goes on.

"Much of the security on Twitter comes down to applying the same principles as in other media: create and apply a clear user policy; educate employees to use with caution; and keep tight controls on and update your existing security systems to reflect new kinds of use," advises Network Box.

"It is our recommendation that companies should explicitly reference Twitter and microblogs in their Internet and social media user policies."

Crucially, the guide also advises education seminars for staff alongside the usage policies. It has become a bit of a truism these days that AUPs are not worth the paper they're written on unless clearly communicated, and regularly updated and checked, but so few firms seem to adhere to this kind of best practice.

The Conficker Eye Chart features six images; the top row featuring anti-virus firms' logos and the bottom row operating systems other than Windows. The test is based on the fact that Conficker blocks access to over 100 anti-virus and security web sites, said the group.

"If you are blocked from loading the remote images in the first row of the top table above but not blocked from loading the remote images in the second row then your Windows PC may be infected by Conficker," say the explanatory notes on the site.

"If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites."

Despite unprecedented hype from various corners of the media prior to April 1 - the day when infected PCs were scheduled to connect to an update server - the predicted widespread disruption failed to materialise.

Experts have suggested that the criminals who own and operate the botnet would not want to risk losing the valuable network by triggering a major attack.

However, the virus still represents a risk to infected PCs and can be removed simply via a clean-up tool which many of the major AV vendors are now offering on their sites.