Spammers and Scammers

From Deb Shinder:

It’s not just that the amount of spam is increasing lately (over the last few weeks, I’ve gone from getting 5-10 spam messages in my Inbox each morning to 20-40). Thank goodness for iHateSpam (on a recent typical Monday, over 3000 spams were caught by our server-level filters, addressed to either my husband or me, or to nonexistent addresses in our domain, before they ever reached our mailboxes). The really bad part is that the “quality” of the spam that gets through is deteriorating.

Now maybe “quality” is a contradiction in terms when you’re talking about spam, but here’s the point: in the past, the majority of spam messages that got through my filters were attempts to sell something, similar to the junk mail that we get in our physical mailboxes. Annoying, but not infuriating. My mail filters caught the blatant porn spam and other offensive messages.

The past month has seen a big increase in spam scams of all kinds. Part of this is undoubtedly the natural tendency of con men rushing in where angels fear to tread after a natural disaster like Hurricane Katrina – I’ve seen a few of the fake charity solicitation spams with links that most likely lead to phishing Web sites. These sites are dangerous. It would be bad enough if the only problem were that the unsuspecting person who enters credit card information to supposedly donate to the charity has those funds diverted to the scammer’s use, but it gets worse. The credit card info itself is often used to steal the person’s identity and make other, unauthorized charges. This is, in my opinion, the lowest of the low. Federal and state governments are cracking down on these scammers. Read more here.

Another spam scam I’ve been seeing regularly is from an organization that calls itself SPAMIS, which is supposed to stand for “Strategic Partnership Against Microsoft Illegal Spam.” I started getting these months ago, and found it pretty ironic that these claims that Microsoft sends unsolicited and unwanted e-mail were being sent as … unsolicited and unwanted e-mail.

The more recent messages from SPAMIS have gone far afield of the “spam” claims against Microsoft, and started making other accusations. The latest one, which I got last Thursday, is titled “Microsoft plans to stop supporting the American economy by outsourcing more than 10,000 jobs over 10 years to China.” When you dig deeper into this story, you find that the source of those numbers appears to be Kai-Fu Lee, the Microsoft executive who left to work for Google and is being sued by Microsoft for breaching the non-compete agreement that he had signed. Not exactly an unbiased source.

But whether or not the outsourcing numbers are true, it’s highly unlikely that the company has any plans to “stop supporting the American economy.” And if they did, what does that have to do with spam (which is supposedly SPAMIS’s purpose for existing)? It has become very clear, if it wasn’t already, that SPAMIS is not an anti-spam organization like CAUCE (the Coalition Against Unsolicited Commercial Email), but is in fact an anti-Microsoft organization that uses spam to further its campaign against the company.

To confirm even further that SPAMIS is a spammer, their most recent messages – like so many other spam messages – disguise who the message is from by placing the recipient’s own e-mail address in the “from” field. Thus, when their messages show up in my mailbox, it looks as if they came from me. Gosh, why would a legitimate organization do that? Obviously lots of other folks are onto their scam and blocking mail from their own domain.

According to several sources on the Web, the driving force behind SPAMIS is none other than Robert Soloway, who is a well-known spammer and seller of mailing list addresses. According to Spamhaus, a popular register of known spam operations, rumor has it that Soloway has hired virus writers to create spam zombies. You can read more about Soloway here.

It comes as no surprise that Soloway was one of the spammers Microsoft sued for illegal spamming. He has recently mounted a campaign against Microsoft’s Sender ID framework, a technology that’s designed to stop spam by verifying the IP addresses of email senders and comparing them to the registered addresses for the purported sending domain to authenticate senders’ identities – you can read more about Sender ID here.

I’m also getting lots of spam these days in other languages, including those in Cyrillic and Asian alphabets. Don’t know what they’re trying to sell me, but at least those are easy to tag as spam.

What about you? Have you noticed any new patterns in the spam you’re receiving lately? Are any of the new spam messages particularly annoying to you? Are you seeing more scam spams than usual? Are your filters having a hard time keeping up as the spammers change their domains and methods? Feel free to comment.

Deb Shinder
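The two things the post describes, a "From" field set to the recipient's own address and a Sender ID-style check that compares the connecting IP against the purported sending domain's published record, combined in an added example. This is not code from the post or from Microsoft's Sender ID implementation: it performs an SPF-style evaluation of the From: header domain (Sender ID proper derives a Purported Responsible Address from Resent-Sender, Resent-From, Sender and then From; classic SPF checks the SMTP MAIL FROM). The record table, the domains and addresses, the two sample messages and the `recipient` argument are all constructed stand-ins for DNS TXT lookups and a real mailbox.

```python
"""SPF-style check of a message's From: domain against the connecting IP."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF records; a real check fetches these as DNS TXT records.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "mailer.example.net": "v=spf1 ip4:203.0.113.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, client_ip, records=SPF_RECORDS):
    """Evaluate client_ip against domain's SPF record.

    Returns one of pass, fail, softfail, neutral, none (no record) or
    permerror (malformed record). Only ip4:, ip6: and the 'all' terminator
    are implemented; include:, a and mx mechanisms are skipped.
    """
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                       # default qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    # Record ended without an 'all' terminator: no mechanism matched.
    return "neutral"


def check_message(raw_message, client_ip, recipient):
    """Classify one message given the IP that delivered it to us.

    Besides the SPF verdict, flags the self-spoof the post describes: a
    From: address equal to the recipient's own address. SPF catches it as
    long as the recipient's domain publishes a record, because the spammer's
    IP is not on it.
    """
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    domain = from_addr.rpartition("@")[2]
    return {
        "from": from_addr,
        "spf": spf_result(domain, client_ip),
        "self_spoof": from_addr.lower() == recipient.lower(),
    }


# Constructed messages: one spoofed as the recipient, one from a real relay.
SPOOFED = """From: deb@example.com
To: deb@example.com
Subject: SPAMIS bulletin

Microsoft is ...
"""

LEGIT = """From: news@example.com
To: deb@example.com
Subject: Weekly digest

This week ...
"""

if __name__ == "__main__":
    print(check_message(SPOOFED, "203.0.113.77", "deb@example.com"))  # spf fail, self_spoof True
    print(check_message(LEGIT, "198.51.100.25", "deb@example.com"))   # spf pass
```

Two caveats worth keeping in mind when turning this into a real filter: a "fail" from a domain that publishes "-all" is safe to reject at SMTP time, but "softfail" and "neutral" are only scoring inputs, and the recipient's own domain must actually publish a record or the self-spoof trick evaluates to "none" and sails through.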

Firefox: Honeymoon Over?

No. I think you’re way, way safer using Firefox over IE, but now, according to security expert George Ou, Firefox has more vulnerabilities per month than IE (you need to read the whole article to understand the data).

Read George’s blog here

Click here to read an unrelated CNET story about Symantec’s recent statements on Mozilla browser security (“Mozilla Web browsers are potentially more vulnerable to attack than Microsoft’s Internet Explorer, according to a Symantec report…There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox”).

Alex Eckelberry

Stopping spyware at the gateway

We’ve developed a version of CounterSpy that can be put into gateway appliances. Our first deal is with a company called Cymphonix. They make a pretty nifty appliance: it blocks spyware and a lot more, such as bandwidth shaping (meaning you can give different users and applications different bandwidth restrictions).

Alex Eckelberry

Cisco operating system hacked?

This Russian website writes about hacking Cisco IOS (the Internetwork Operating System that Cisco’s routers run).

In case you don’t speak Russian, we have translated the text (some potentially offensive text was removed):

On September 9th, Andrey Vladimirov, a security specialist known as the co-author of the book “Wi-Foo: The Secrets of Wireless Hacking”, revealed information in his LiveJournal blog (where he goes by the nickname “dr_nicodimus”) about the end of a “brainstorm” that targeted Cisco software vulnerabilities.

The researchers developed methods of injecting code into Cisco IOS and figured out how exploits and shellcode could be written for that platform. They created mechanisms that allow cross-platform worms for IOS to be implemented. They found a large number of vulnerabilities in the EIGRP routing protocol. To demonstrate this, they attacked one Cisco box from another and, as a result, were able to run an IRC server on the hijacked machine.

Therefore, we can certainly say that they succeeded in cracking Cisco router software, and this demonstrates once again that overrating the idea of “security through obscurity” leads to very dangerous consequences.

Hopefully, Cisco will take into account the lessons learned by Microsoft and will soon release its own “Cisco IOS SP2”.

I admittedly don’t have much sympathy for Cisco these days after watching their treatment of Michael Lynn and their frantic and bungling efforts to kill the information (one of the most mind-boggling things I’ve seen was this video of Cisco employees tearing up his presentation at the BlackHat conference).

Alex Eckelberry
(Thanks to Olexiy for the translation)

Risk assessment standard

This is actually useful. The Common Vulnerability Scoring System (CVSS) allows companies to realistically interpret a security threat for their organization.

From the article in CNET:

“CVSS goes beyond today’s severity ratings, such as the familiar “critical” and “important” found in security bulletins from Microsoft. The new scoring system, which uses numbers between 1 and 10, enables organizations to calculate the specific risk to their own environment by adding information related to their IT systems. This could help them prioritize patches.”

Alex Eckelberry
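A worked scoring example, added here and not taken from the CNET article or from FIRST's own calculators, to show what "adding information related to their IT systems" means in practice. The weights and equations are those of the CVSS v2.0 specification, which was published after this article (v1 used different weights); the vectors scored below are constructed, not real advisories. Note that scores run from 0.0 to 10.0, not 1 to 10, and that the environmental metrics (CR/IR/AR, CDP, TD) are the ones an organization fills in itself.

```python
"""CVSS v2.0 base, temporal and environmental scores from a vector string."""
import math

# Base metric weights (CVSS v2.0).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
# Temporal weights; ND (not defined) leaves the score unchanged.
EXPLOITABILITY = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}
# Environmental weights: collateral damage potential, target distribution,
# and the organization's own confidentiality/integrity/availability requirements.
COLLATERAL = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
DISTRIBUTION = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}
REQUIREMENT = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}


def round1(x):
    """The spec's round_to_1_decimal: round half up to one decimal place."""
    return math.floor(x * 10 + 0.5) / 10


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F' -> {'AV': 'N', 'AC': 'L', ...}."""
    metrics = {}
    for item in vector.split("/"):
        name, sep, value = item.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed metric {item!r}")
        metrics[name] = value
    return metrics


def _score_from_impact(impact, m):
    """Base-score equation, given a (possibly environment-adjusted) impact subscore."""
    exploitability = (20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]]
                      * AUTHENTICATION[m["Au"]])
    f_impact = 0.0 if impact == 0 else 1.176     # no impact -> score 0
    return round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def _temporal_multiplier(m):
    return (EXPLOITABILITY[m.get("E", "ND")] * REMEDIATION[m.get("RL", "ND")]
            * CONFIDENCE[m.get("RC", "ND")])


def base_score(vector):
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    return _score_from_impact(impact, m)


def temporal_score(vector):
    m = parse_vector(vector)
    return round1(base_score(vector) * _temporal_multiplier(m))


def environmental_score(vector):
    """Re-weight C/I/A by the organization's requirements, recompute the
    base and temporal scores, then apply collateral damage and target
    distribution. This is the 'specific risk to their own environment'."""
    m = parse_vector(vector)
    c = 1 - IMPACT[m["C"]] * REQUIREMENT[m.get("CR", "ND")]
    i = 1 - IMPACT[m["I"]] * REQUIREMENT[m.get("IR", "ND")]
    a = 1 - IMPACT[m["A"]] * REQUIREMENT[m.get("AR", "ND")]
    adjusted_impact = min(10.0, 10.41 * (1 - c * i * a))
    adjusted_temporal = round1(_score_from_impact(adjusted_impact, m) * _temporal_multiplier(m))
    cdp = COLLATERAL[m.get("CDP", "ND")]
    td = DISTRIBUTION[m.get("TD", "ND")]
    return round1((adjusted_temporal + (10 - adjusted_temporal) * cdp) * td)


if __name__ == "__main__":
    # Constructed vector: remote, low complexity, unauthenticated, partial C/I/A.
    vuln = "AV:N/AC:L/Au:N/C:P/I:P/A:P"
    print("base", base_score(vuln))                                   # 7.5
    print("temporal", temporal_score(vuln + "/E:POC/RL:OF/RC:UC"))    # 5.3
    # Only a quarter of hosts affected: the same bug scores 1.9 here.
    print("env, few targets", environmental_score(vuln + "/TD:L"))    # 1.9
    # Confidentiality-critical data, high collateral damage, all hosts: 9.0.
    print("env, CR:H CDP:H", environmental_score(vuln + "/CR:H/CDP:H/TD:H"))
```

The point of the last two lines is the one the article makes: the vendor's base score is the same 7.5 in both cases, and only the environmental metrics tell a given organization whether the patch is urgent.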

You want free crackz? Prepare to pay the price

Crackz sites (where one can find stolen registration numbers for software) are always good places to pick up a big fat payload of spyware. Now two notable researchers have added fuel to the fire: Microsoft MVP Chris Boyd at VitalSecurity.org writes a damning review of a program called Crack Extractor, which carries a mass of spyware as its payload. And Roger Karlsson stepped in with a video, taken back in June, of YourSiteBar, 180Solutions, Exact Advertising and more being distributed side by side with a license key generator for Nero 6 Ultra Edition CD-burning software.

Information Week gives CounterSpy Enterprise Editor’s Choice

This just in. Information Week’s review of enterprise antispyware products resulted in CounterSpy Enterprise winning Editor’s Choice.

“Sunbelt CounterSpy Enterprise wins our Editor’s Choice award for its modern interface design, ease of deployment and ability to remove what we threw at it. “

Article here.

(Correction: As Mitch Wagner points out, this is actually a Network Computing article that was republished in Information Week).

Alex Eckelberry
(Apologies for the shameless plug.)

Fascinating article on Phishing

Christopher Abad at Cloudmark (a business partner of Sunbelt’s) wrote an extraordinary paper on phishing several months ago. If you haven’t seen it, it’s a highly recommended research treatment of the subject.

For example, by spidering through IRC servers, they mapped a complex web of relationships among phishers.

Alex Eckelberry
(Thanks Eric)

Who is Brad Greenspan and why is he so mad?

In early 1999, Brad Greenspan founded Entertainment Universe.  Just a few months later, he completed a complex transaction where he raised capital from Lehman Brothers, Eisenberg Partners and others;  acquired CD Universe (an online CD retailer); and went public on the OTC bulletin board by merging with Motorcycle Centers of America (an empty public shell).   This all occurred on the same day, April 14th. 

Within months, he continued his acquisition spree, acquiring MegaDVD.com, an online DVD retailer; entered into an agreement to buy Case’s Ladder; and signed a letter of intent to buy Gamer’s Alliance.

Dizzy yet?  Well, that’s the story of the early days of eUniverse, which later became Intermix, a subject of an entanglement with the New York AG’s office.

Brad left eUniverse in the fall of 2003, and the company later became Intermix, got into trouble with the New York AG, came to an agreement with the AG and then got bought by Rupert Murdoch.

Now Brad has set up a website that is making some pretty damning allegations against certain members of the Intermix management team. He alleges that Intermix managers Brett Brewer, Adam Goldenberg, and Thomas Flahie profited by selling stock before the AG’s investigation was announced. Further, he alleges that Vantage Point Partners, an investor in Intermix, sold stock as well during roughly the same period. Vantage Point is the employer of Intermix chairman David Carlick and board member Andrew Sheehan.

(Chart from insiderstocksales.com)

He also claims that Intermix actually increased its online downloads while the AG’s office was investigating.  

And he’s launched a website with slideshows to prove his point.

Is he right? Well, that’s actually hard to tell. Many executives in public companies put themselves on automatic selling programs, which sell their stock regardless of their insider knowledge. Whether or not an insider profited while in possession of material, confidential insider information is the subject of a vast body of law and really can’t be speculated on without a thorough investigation by the SEC. In other words, don’t jump to conclusions without knowing all the facts.

Alas, I’m not a lawyer and also just don’t have the time to delve into what certainly looks like a fascinating story.  If anyone else wants to get into it, go for it.

Alex Eckelberry
(Thanks Ben)

Trying to make sense out of EULAs

EULAs — End User License Agreements — are those agreements that you usually accept by clicking “I Agree” during a software installation. They are usually complex legal documents (one practically needs a law degree to pore through them).

JavaCool Software has come up with a nifty tool that actually parses EULAs into key areas, like Advertising, Privacy, Search Terms, and assigns “interest levels” (basically, almost like a threat level).  The basic version is free, and is available here.

A Direct Revenue install, for example, was analyzed this way.

Alex Eckelberry
(Thanks to Corrine for the tip)

AskJeeves Response to our whitepaper

Kirk Lawrence at AskJeeves responds to our earlier post on AskJeeves.

The article can be found here but I’ve pasted it below as well:

Response to Sunbelt’s Blog Posting

Ask Jeeves recognizes that industry confusion exists around downloadable software products, which can lead to erroneous flagging of user-friendly products by anti-spyware makers. Ask Jeeves’ products are not adware or spyware and we take this issue very seriously. We recently contacted Sunbelt Software to correct what Sunbelt itself recognizes is inaccurate flagging of our products as adware and spyware by their software. This gross misrepresentation of our product was misleading to consumers and, as such, we felt it must be corrected.

We support industry efforts to regulate standards and believe strongly in the value of companies dedicated to clarifying vendor practices for the consumer while taking the necessary steps to ensure that accurate information is provided to the public. Unfortunately, the most recent report released by Sunbelt Software still does not provide accurate information to consumers, further muddling what is already a confusing industry issue. Ask Jeeves takes great pride in the integrity of the Company’s Fun Web Products and family of My Search toolbars and is deeply concerned by the assertions made in Sunbelt’s report. The report includes old and inaccurate data that misrepresents our practices. This erroneous information disseminated to the public only serves to do consumers a disservice by taking the attention off rogue vendors and on to companies who create and distribute legitimate and user-friendly consumer products.

We’re proud of the steps Ask Jeeves has taken to protect consumers and feel it necessary to clarify the misstatements issued in the Sunbelt report:

· Ask Jeeves prohibits both its direct advertising and third-party distribution partners from using drive-by download practices. Ask Jeeves has, and will continue to terminate advertising partners that violate our contracts.
· Ask Jeeves also prohibits the use of any type of click fraud to force installations, such as a “fake close x” to mimic user-initiated click activity. The force-installs through security exploits that are cited in the report were in direct violation of our contracts, and those partners were terminated. In addition to the contractual terms we have in place, we have implemented technical measures to prevent rogue advertisers from engaging in this type of activity.
· Ask Jeeves requires clear, concise and complete disclosure to be provided before our applications are downloaded and installed either directly from our sites or through our third-party distribution partners. All Ask Jeeves downloadable software applications must be distributed with an End User License Agreement (EULA) that is easily accessible prior to installation. All Ask Jeeves applications also require the consent of the user prior to installation.

We don’t stop there. Ask Jeeves is consistently looking for ways to be more proactive in our approach to ensure that partners comply with our policies. Several months ago we created a compliance office to monitor the actions of the third party partners and distributors of our toolbars and bring partners who violate our software guidelines (http://sp.ask.com/docs/jeevesinc/policy_download.html) into compliance or, in some cases, terminate the partners that do not comply with required changes. We will actively investigate allegations made by Sunbelt Software against our partners to determine if they are in breach of our policies, and will take swift action if we uncover any violations. We recognize it is difficult to monitor the entire Internet and encourage our users to report violations of our policies by emailing us at reportviolations@askjeeves.com.

In closing, Ask Jeeves condemns practices that deceive users into downloading or installing software and will continue to work to ensure the only people downloading our products are those that choose to affirmatively engage with them for the great functionality they offer.

We appreciate the user and industry feedback that helps make our products better and we’re proud of the steps we’ve taken to protect consumers. We’ll continue to evolve with changing industry standards while delivering great products that millions of active users enjoy every day.

Kirk Lawrence
Director of Internet Security and Privacy
Ask Jeeves, Inc.

Vista will come in SEVEN flavors

My head is spinning.  Really. 

According to this article by Paul Thurrott, “Microsoft is creating seven versions of Vista for end users (nine if you count the N Editions that will target European markets). To differentiate these products, the company is carefully matching feature sets to the expected markets that will adopt each product version.
  
Two low-end versions of the product, Vista Starter Edition and Vista Home Basic Edition, won’t feature the much-vaunted Aero UI that will adorn all the other Vista versions. Instead, these versions will use a lower-quality, XP-like UI that’s more appropriate for the low-end hardware that infrequent PC users and emerging markets might use. Vista Starter and Vista Home Basic will also lack the rolodex, tab previews, and task bar preview features that other Vista editions will offer.”

Alex Eckelberry

The debate about PhishFighting.com

A couple of weeks back, I blogged on a new site, called phishfighting.com.

The idea is you enter a URL into the site, and it sends the phishing site fake hits every 20 seconds.

Well it was a hot subject. Lots of comments on the original blog, and I followed up with a new blog entry here. Now, Microsoft MVP Sandi Hardmeier at the SpywareSucks blog had even more damning comments than the prior one:

Here’s the deal. The sentiment is great, but the reality is not. Having “fun“ is of no practical use (although it may make you feel good).

Many phishing sites are hosted on compromised computers – computers that have been hacked. The owners have no idea what has happened to their systems, and invariably each phish site only lasts 5 to 9 days (on average) before the phishers move on.

Who are we punishing here? The victim whose computer has been hacked and who has to pay for the phisher bandwidth, and now the bandwidth generated by sites like phishfighting? Are we punishing the phishers? They don’t care. When one site is compromised they simply create a new one.

We’re dealing with professionals who are more than capable of weeding out and discarding fake data. All they need to do is whip up a little programme that will retrieve, and test, information provided with no human interaction or effort. If you think that there is a person, or a series of people, wading through print-outs trying out each log-on by hand, I’m betting you’re wrong in that assumption. Think about it. How many millions of phish emails do you think are sent out every day? The bad guys have the capacity to handle a *lot* of data.

Not only that, the Anti Phishing Working Group advised in their July report that there has been a 100% increase in the number of phishing sites that attempt to infect systems with keyloggers and trojans to capture sensitive information such as usernames and passwords. The implications are far worse, in such circumstances, than the compromise of username and password for one financial institution.

What is phishfighting’s “Method One” for retrieving a phishing URL? They say “Simply click on the link and copy the real url from the browser bar“… NO!!! DON’T DO IT!!!!! Don’t click on the link!!!!!

Edit: Let’s expand on this – don’t even *open* a phishing email. If it includes remote graphics, and your email client is set to download such things, simply by opening the email you are confirming that your email is “live“, making it immediately valuable to all kinds of spammers, and saleable.

Also, some phishing emails attempt to infect computers as soon as an email is opened by using certain old security vulnerabilities that *should* be patched, but may not be.

All that we get from services such as phishfighting is a misplaced sense of satisfaction that we are somehow hurting the phishers. We’re not.

There is NOTHING on the phishfighting site that teaches users how to report phish sites to ISPs and get them shut down legitimately.

Phishfighters say that they are not using a DOS (denial of service) tactic because they only send one fake alert every 20 seconds. Is that 20 seconds per report, or 20 seconds per URL? The site doesn’t say.

Don’t use services such as phishfighting. Use spamcop to report spam emails (http://www.spamcop.net/). Learn how to read emails headers and report spammers to their ISP (http://www.stopspam.org/email/headers.html) but remember, the spamming computer may be a zombie, the owner may have no idea what has happened, so be nice.

Use allwhois (http://www.allwhois.com/) to trace the host of phish sites and report their existence direct to the host ISP – get the site shut down. Again, remember the host computer may have been hacked, and the owner completely unaware of what has happened. Be nice.

Please, don’t use services such as phishfighting and DON’T click on the link in a spam email … please.

Robin Grimes, the developer of PhishFighting.com, responds with this:

As I understand, from reading [his] post, his main premise is that the Phishers are too smart for us and that clicking a phishing email link can be dangerous. So let’s address his concerns:

1. He is correct that clicking a link in a phisher’s email can be hazardous. This is why I’ve posted alternative ways to determine the phisher’s real link. He’s correct that I should point out that “Option 1” is hazardous, so I’ve updated PhishFighting.com to make note of this.

2. His premise that Phishers are too smart for us, that they all have programs to test and filter false data, is a little broad-reaching. I’m sure there are some very sophisticated Phishers out there that won’t be the least bit inconvenienced by receiving false data. But I’m willing to bet that a majority of the Phishers are basically petty thieves and that getting hundreds or thousands of fake entries will inconvenience them to some degree. And that’s really the point of PhishFighting.com: to in some small way cause them the inconvenience that they cause us.

3. He says “Don’t use services such as phishfighting. Use spamcop to report spam emails (http://www.spamcop.net/)”. His premise is that using spamcop.net or some other reporting agency will stop Phishing (it hasn’t), or will have more impact than PhishFighting.com. Possibly, but I haven’t seen any evidence that Phishing is on the decline. I received 4 new phishing emails this weekend. Phishing seems to be growing, not declining.

4. He also states that I don’t offer any alternative ways to fight phishing on my site. That’s true, namely because I have not found any real method that actually has a major impact on Phishing. There are a lot of sites and agencies purporting to offer some solution or impact, but I have not heard of one that can prove it, myself included. I don’t claim that PhishFighting.com will solve the problem, but then nobody has a solution. There is no other way for an individual to fight back against Phishers. If PhishFighting.com inconveniences the Phishers in any small way then it’s doing what it is designed to do. Plus there is a certain amount of “Feel Good” factor in being able to do something other than just reporting them.

PhishFighting.com is all about giving the individual a method of striking back, even if it is in some very small way.

If you have additional questions, tips, suggestions, or just want to tell me I’m a dipstick, email me at Support@PhishFighting.com. Robin


Robin at PhishFighting.com should be congratulated for at least trying something to fight phishing, and it’s sad to see that some people have been piling on him.

But Sandi at SpywareSucks brings up good points, and one should be careful using such a service. Often my response to phishing is to report it to eBay, PayPal, or the bank in question; and if a legitimate site has been compromised (all too common), I try to alert the site owner. Phishfighting is another tool in your arsenal, but if you use it, use it with caution.

So in the end, I’ll leave it up to your best judgment.

Alex Eckelberry
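The header walk that Sandi's reply recommends (read the Received: chain, find the computer that actually handed the message to you, then look its address up with whois and report it to that ISP), as an added example that is not code from SpywareSucks, spamcop or PhishFighting.com. The detail that matters in practice: every relay prepends its own Received: line, so the top line was written by your own server and every line below the last relay you control was written by whoever sent the message and can be forged. The relay list, the two sample messages and the hypothetical hostnames are constructed.

```python
"""Locate the external IP that delivered a message, using the Received: chain."""
import ipaddress
import re
from email import message_from_string

# Constructed: names and addresses of the relays we operate and trust.
OUR_RELAYS = {"mailbox.example.com", "mx1.example.com", "198.51.100.2"}

# RFC 1918, link-local and loopback space: a hop from here is inside our LAN.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

RECEIVED = re.compile(r"from\s+([^\s;]+)\s*(.*?)\bby\s+([^\s;]+)", re.I | re.S)
BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def parse_received(value):
    """One Received: value -> (from_host, from_ip or None, by_host), or None
    when the line has no 'from ... by ...' clause (e.g. local submission)."""
    value = " ".join(value.split())           # unfold continuation lines
    match = RECEIVED.match(value)
    if not match:
        return None
    from_host, detail, by_host = match.groups()
    ip = None
    bracket = BRACKETED_IP.search(detail)
    if bracket:
        try:
            ip = ipaddress.ip_address(bracket.group(1))
        except ValueError:
            ip = None                         # junk in brackets: treat as absent
    return from_host, ip, by_host


def origin_ip(raw_message, trusted=OUR_RELAYS):
    """Walk Received: lines newest-first and return the first sending IP that
    one of our own relays recorded from a host we do not operate.

    Lines recorded *by* a relay we do not control are never consulted: the
    sender wrote them and could have put any hostname or address there.
    """
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    for index, (from_host, ip, by_host) in enumerate(hops):
        if by_host not in trusted:
            break                             # crossed the trust boundary
        if ip is None or from_host in trusted or str(ip) in trusted:
            continue                          # internal handoff
        if any(ip in net for net in LAN_NETS):
            continue                          # LAN hop, nothing to report
        return {
            "ip": str(ip),                    # address to whois and report
            "claimed_host": from_host,
            "recorded_by": by_host,
            "unverified_hops_below": len(hops) - index - 1,
        }
    return None


# Constructed phish: the bottom Received: line is forged to look like a bank.
SAMPLE = """Received: from mx1.example.com (mx1.example.com [198.51.100.2])
    by mailbox.example.com with ESMTP id 5f3a; Mon, 12 Sep 2005 08:01:10 -0500
Received: from dsl-203-0-113-77.isp.example (unknown [203.0.113.77])
    by mx1.example.com with SMTP id 4b2c; Mon, 12 Sep 2005 08:01:09 -0500
Received: from mail.bigbank.example ([192.0.2.9])
    by dsl-203-0-113-77.isp.example; Mon, 12 Sep 2005 08:00:00 -0500
From: "BigBank Security" <alerts@bigbank.example>
To: deb@example.com
Subject: Please verify your account

Click here to confirm your details.
"""

# Constructed: a message whose chain never passes through one of our relays.
UNTRUSTED = """Received: from smtp.someisp.example ([203.0.113.5])
    by relay.other.example; Mon, 12 Sep 2005 08:00:00 -0500
From: someone@other.example
To: deb@example.com
Subject: hello

text
"""

if __name__ == "__main__":
    print(origin_ip(SAMPLE))     # ip 203.0.113.77, recorded by mx1.example.com
    print(origin_ip(UNTRUSTED))  # None: no hop we can vouch for
```

The forged bottom line naming `mail.bigbank.example` is reported only as an unverified hop, never as the origin; the address handed back is the one to look up with whois and send to that ISP's abuse contact, with Sandi's caveat that the machine behind it is quite likely a compromised zombie whose owner has no idea.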