10 Pounds of crap in a 5 pound bag

As I’ve written earlier, I often joke that some of these Internet security suites are worse than spyware.  A nasty spyware application does a number of notable things: It pummels you with popups and slows your system down. Internet security suites pummel you with popups (aka security warnings) and slow your system down. But worse, they have the audacity of charging you an arm and a leg.  See Security on the Cheap for my thoughts on the whole matter.

Rob Pegoraro’s latest article in the WashingtonPost proves the point:

“…the complexity of the Symantec and McAfee suites seems to cause them to fail in ugly and destructive ways, according to readers who have written in to complain about these problems week after month after year…Most important, the latest McAfee and Symantec suites just don’t work all that well.”

(By the way, I disagree with Rob’s positive assessment of the Windows firewall in his article, but that’s a different issue.)

When Microsoft announced that they would be getting into the antivirus client-side business earlier this year, one major security company CEO was quoted as saying “we’re going to give Microsoft a whoopin!”.  My first thought was “wow, that is going to be one large can of whoopass—I mean literally”.  Some of these suites are just appalling in their size and bloat. 

Microsoft getting into security software is really not cool.  They are hurting their developer ecosystem, and I am tired of Microsoft constantly pushing its way into the space of its developers on one hand while glad-handing on the other (see this video for what I mean).

Now, Stu Sjouwerman has this to say in our enterprise-focused newsletter W2knews, commenting on the business market for antivirus:  

“So Redmond is going head-to-head with the AV community at last. Well, they are going to have a tough time. Basically everyone is already AV-equipped so this is a replacement market. They will have to be a LOT better than existing AV players, and that is going to be hard. And they cannot drop their prices too much, as that will cause the antimonopoly lawsuits to come out of the closet. Good luck Redmond. You are going to need it. More about Ballmer’s announcement at MS PressPass.”

Microsoft may have a tough time of it on the business side, but on the consumer side, some of the companies making security suites are just giving Microsoft a helping hand.  Security companies, mine included — rally, circle the wagons, hide the children, get out the big guns and write the best damned code that you can.   

Alex Eckelberry

September top 10 threats

Update:  <sigh> What I wrote earlier was propaganda done independently by our sister company’s UK office, and is not in line with Official Company Propaganda.  Official Company Propaganda is a deal where we provide this information monthly to a Big Security Magazine. 

Here is the Official Top 10 List, as provided by our Chief of Propaganda.  The data cover the 15th of one month to the 15th of the next; the threats listed are those identified as high risk, and the percentage is the number of times each threat was found divided by the number of scans run. These threats are classified high risk or severe based on method of installation, among other criteria.


Threat Name (Percentage Found): Description

ABetterInternet.Aurora (5.27%): Opens popup ads on the desktop based on a user’s surfing history, may disable or uninstall other software, and thwarts uninstallation through the use of resuscitator code.
iSearch.DesktopSearch (5.26%): Removes the user’s access to Windows Search and replaces it with C:\WINDOWS\isrvs\desktop.exe.
IST.ISTbar (5.00%): Internet Explorer hijacker that modifies home pages and searches without a user’s consent.
ABetterInternet (4.84%): Shows advertisements based on web pages viewed and web sites visited.
180search Assistant (3.87%): Logs the web pages visited and uploads the data to its servers.
ShopAtHome (3.86%): Installs itself in the Winsock layer of the computer and redirects users to merchant sites in order to take affiliate fees from them automatically without user knowledge.
IST.SideFind (3.68%): Installs an Internet Explorer browser helper object that includes extra buttons for adware.
eXact.BargainBuddy (3.21%): BargainBuddy is a Browser Helper Object that watches the pages the browser requests and the terms a user enters into a search engine web form. If a term matches a preset list of sites or keywords, BargainBuddy will display an ad.
CoolWebSearch (3.18%): CoolWebSearch is part of a strain of trojans that have recently been identified that all have one thing in common: they install through the ByteVerify exploit in the MS Java VM and change the IE homepage, search page, search bar, etc.
IST.PowerScan (2.99%): IST.PowerScan is advertised through ordinary web pop-ups, and can be installed with help from the ISTBar adware. It monitors a user’s browsing habits and distributes the data back to the author’s servers for analysis.

Our Chief of Propaganda wasn’t happy.  Naughty Alex!  Naughty Naughty Naughty!!!! 

Old post follows for historical context.

Fwiw — from our propaganda department.  Link here.

The top ten most prevalent threats are:

IST.ISTbar  9%
Claria.DashBar  7%
AvenueMedia.DyFuCA  7%
ABetterInternet  5%
IST.SlotchBar  5%
iSearch.DesktopSearch  5%
ABetterInternet.Aurora  5%
WebSearch Toolbar  5%
IST.SideFind  4%
180search Assistant  4%

But what’s cooler is that you can see, in real-time, what the current top threats are as reported by our ThreatNet community.  Just go to this link.

Alex Eckelberry 

AOL Explorer

A family member has been emailing me, raving about the new AOL Explorer.

Ok, it’s slick.  It has tabbed browsing.  It has desktop search. It has built-in spyware scanning. It has built-in WhoIs if you want to check the owner of a website. 

In short, it’s a pretty hot little browser.

But it’s still built on Internet Explorer, so it’s NOT an IE replacement.  It’s basically a really nice enhanced version of IE. 

Let’s compare.  InsultMonger.com, which urges you to install Zango through a Zango-built Flash overlay, looks like this in IE:

[Screenshot: InsultMonger.com in Internet Explorer]

Here’s what that same page looks like in Firefox:

[Screenshot: the same page in Firefox]

And here’s what that same page looks like in AOL Explorer:

[Screenshot: the same page in AOL Explorer]

In other words, it’s still IE. If you’re sticking with IE, that’s not some terrible thing, but if you’re moving to an alternative browser for security purposes, you’re probably one step better with AOL Explorer over IE, but you’re still better off using Firefox, Opera or whatever else (maybe even Flock, whenever it ships).  

Alex Eckelberry

The End of Late Fees/Identity/Etc.

A closed Blockbuster store gave out the equivalent of free money by apparently dumping a tasty cache of confidential customer data on…the sidewalk.

Following on the heels of their distasteful marketing of the “No Late Fees” campaign, one truly does wonder. (By the way, I recently rented from Blockbuster and actually found the new “No Late Fees” program to be consumer-friendly—it was just that the ad campaign was misleading, as you still got charged if you didn’t return the video.)

Throwing out critical customer data on a sidewalk, though, is completely inexcusable.

Alex Eckelberry
(Hat tip)

Repo man goes digital

There’s this box that some dealers are installing in cars. If you haven’t made your payment, it shuts the car down. Targeted at customers with poor credit, it’s a way for “buy here, pay here” dealers to reduce their risk (did you know that car sales slang for a person with poor credit is “a roach”?).

One such box is made by Payment Protection Systems. Video example here.

In a sense, it’s not much different than the Repo Man coming to get your car if you don’t make your payment. But there’s some hint in this article that this might become more prevalent — remember that modern cars are basically computer-controlled systems.

Alex Eckelberry
(Hat tip to Catherine)

Some big legal bills…and fresh meat for the jails

In just a few days, we get the FTC going after a spyware distributor, the Dutch nailing a group of naughty gents running a zombie army, other naughty boys get caught in England for creating a worm, 10 people got nailed for identity theft, the Tsunami hacker gets nailed, and eXact gets served a class action lawsuit.

Busy busy busy busy…

Alex

Update: The Tsunami hacker thing — that’s not a good catch. I’ve blogged about it here. This guy did not deserve what he got.

Ouch, that’s gotta hurt

Jesper Johansson, co-author of Protect Your Windows Network, wrote me about the weird hosts file that we found out there.

“…it is a really dumb mistake on my part. The concept itself is sound, but the file is horribly flawed. I received it from a friend of mine with the comment that it would block spyware sites. Of course, if you can enumerate them, it would. Unfortunately, being stressed to get the book finished I did not test it like I should. I just trusted his judgment, which turned out to be horribly suspect. The file did not block spyware sites as much as it blocked sites that he considered “annoying.”

After publication we realized the problem and worked with the publisher to fix it. The first two print runs were relatively small and in the third run this file was removed. We instead put a link in there to the one from mvps.org, at http://www.mvps.org/winhelp2002/hosts.htm. That one is sound, and regularly updated.

Sorry for any inconvenience this has caused. I saw your blog post just now and posted a comment to it with this information in it. I really am sorry. I wish I had taken the time to evaluate this file just like I tested all the other software I wrote for the book …

I got the Safari site taken down too. Thanks for letting me know about it. I really am sorry for any trouble this caused… Jesper M. Johansson” 

Dr. Johansson is a highly respected security guru, a Senior Program Manager for Security Policy at Microsoft.  Clearly, this was an oversight in the 11th-hour heat of getting a book out.

In short, an honest and forgivable mistake.  Fortunately, the distribution of the rogue hosts file is probably limited. 

You gotta feel for this guy.

Alex Eckelberry

Spam Stock Tracker

Are you ever curious about how those scammy little stocks advertised by spam actually do?

Check out this site, Spamstocktracker.com.

Hot Stock  Purchase $  Current $  Today    Stock Fell  Purchase Date
WYSK.PK    $0.160      $0.039     0.00     75.63%      May 05, 2005
FCDH.PK    $0.410      $0.0011    +0.0004  99.73%      May 06, 2005
IGTS.PK    $0.030      $0.018     -0.003   40.00%      May 06, 2005
NDIN.PK    $0.085      $0.008     0.00     90.59%      May 06, 2005
AGMG.PK    $0.030      $0.006     +0.0005  80.00%      May 09, 2005
CITC.OB    $2.060      $0.71      0.00     65.53%      May 10, 2005
MOGI.PK    $0.247      $0.125     -0.015   49.39%      May 10, 2005
IFXH.PK    $0.360      $0.10      +0.01    72.22%      May 10, 2005
EOGI.PK    $0.055      $0.018     +0.0015  67.27%      May 10, 2005
LMMG.OB    $0.053      $0.058     +0.007   UP 9.43%    May 11, 2005
LDTI.OB    $3.200      $0.40      0.00     87.50%      May 11, 2005
NCSH.OB    $2.410      $1.40      -0.06    41.91%      May 12, 2005
TSHO.PK    $0.380      $0.36      0.00     5.26%       May 20, 2005
SLXI.PK    $0.360      $0.12      -0.01    66.67%      May 20, 2005
PHXI.OB    $0.006      $0.0003    0.00     95.00%      May 20, 2005
EHPC.PK    $0.040      $0.0023    -0.0009  94.25%      May 20, 2005
VNBL.OB    $0.171      $0.084     +0.001   50.88%      May 24, 2005
MPLK.PK    $0.055      $0.005     0.00     90.91%      Jun 01, 2005
CALB.OB    $0.185      $0.031     -0.0055  83.24%      Jun 01, 2005

Alex Eckelberry
(Tip of the hat to John Murrell)

Common Malware Enumeration Initiative

Link here.

US non-profit IT company MITRE today announced the Common Malware Enumeration Initiative. Headed by the United States Computer Emergency Readiness Team (US-CERT) and supported by an editorial board of anti-virus vendors and related organizations, it should provide a neutral, shared identification method for malware outbreaks.

During a virus outbreak, participants on the CME board request an identifier from an automated system by providing a sample of the virus and as much additional information as possible. An identifier in the format ‘CME-N’ where N is an integer between 1 and 999 is generated and distributed to the other participants. The participants then disseminate the CME identifier to their contacts in the industry and reference the CME identifier on their web pages, in their product, or when speaking to the press.

Mark Harris, director of SophosLabs at Sophos, one of the CME Editorial Board members, commented: “Historically, regulating virus naming has proven difficult for security vendors, because of the need to issue threat protection as quickly as possible to customers. We encourage more anti-virus vendors to participate in this initiative, which will benefit customers involved in securing their computers from malware attack without disrupting the serious work of rapid virus analysis and protection.”

More information on CME is available at http://cme.mitre.org

Alex Eckelberry
(Thanks Jason)

Ummm. this is a little weird, isn’t it?

If you go to this link, you get a hosts file filled up with all kinds of antispyware companies and sites! (For those of you unfamiliar with a hosts file, you can get a definition here.)

Using this hosts file will block most of the known universe of anti-spyware companies and websites. Companies like Lavasoft, Spybot and…Sunbelt.  And lots of community sites.

The parent directory has a readme file which lists the contents of the directory as including “a HOSTS file to block spyware”.  GULP.   From the Readme, one gets that this HOSTS file is part of a companion CD for a book called “Protect Your Windows Network”, by Jesper M. Johansson and Steve Riley.

My guess is that this was once legitimate but the ftp site got hacked and this new hosts file was put up.  Who knows.  We’re trying to find out.

Do you laugh or cry?

Alex Eckelberry
(Another prop to our Adam Thomas)

Update:  I did a bit of checking into this.  It turns out we found out about this because a customer called in to our Support department because they were having update issues.  Jon Petita, the support engineer, noticed weird entries in the customer’s hosts file… and brought in our spyware research team, and that’s when Adam Thomas in research discovered this weird hosts file out there.  

We were hoping it wasn’t in use.  But at least one customer was found using it.  Thankfully, there was no spyware on his system.

I do hope that there aren’t more people who installed this wacko hosts file (although probably the worst that will happen is that they won’t be able to get to a bunch of antispyware sites and companies).  


Sleazy install of the week

Aye, our little naughty venal Sheriff is at it again. 

Look at this terrifying screen (the url is masked as the site returns a backdoor with Trojans, etc.):

[Screenshot: the fake alert page, URL masked]

Links point to SpySheriff download.

When you download the program, you get this odd little install screen which points to a EULA at www.spy-sheriff.com/eula.php.  The EULA, which you have to manually enter in the address bar to actually see, is actually a EULA for a completely different program — some kind of stock photography/font program.

[Screenshot: the install screen pointing to the EULA]

Running the scan alerts you to cookies being “severe privacy risks”.  Trying to remove these dastardly threats, of course, requires a purchase.

[Screenshot: scan results flagging cookies as severe privacy risks]

The irony is the program crashed when trying to do the purchase.

[Screenshot: the Buy Now screen]


Alex Eckelberry
(Thanks to Adam Thomas here at Sunbelt for discovering this one)


FTC hits another one

Link here:

FTC Seeks to Halt Illegal Spyware Operation
Lure of Anonymous File Sharing Software Exposed Consumers’ Computers to Spyware

The Federal Trade Commission has asked a U.S. District Court judge to halt an operation that secretly installed spyware and adware that could not be uninstalled by the consumers whose computers it infected. The defendants used the lure of free software they claimed would make peer-to-peer file sharing anonymous. The agency alleges the stealthy downloads violate federal law and asked the court to order a permanent halt to them.

According to the complaint filed by the FTC, Odysseus Marketing and its principal, Walter Rines, advertised software they claimed would allow consumers to engage in peer-to-peer file sharing anonymously. With claims like “DOWNLOAD MUSIC WITHOUT FEAR,” and “DON’T LET THE RECORD COMPANIES WIN,” the defendants encouraged consumers to download their free software. The agency charges that the claims are bogus. First, the software does not make file-sharing anonymous. Second, the cost to consumers is considerable because the “free” software is bundled with spyware called Clientman that secretly downloads dozens of other software programs, degrading consumers’ computer performance and memory. Among other things, this accumulated software replaces or reformats search engine results. For example, consumers who downloaded the spyware may try to conduct a Google or Yahoo! search. Their screens will reveal a page that appears to be the Google or Yahoo! search engine result, but the page is a copy-cat site, and the order of the search results is rigged to place the defendants’ clients first. The bundled software programs also generate pop-up ads and capture and transmit information from the consumers’ computers to servers controlled by the defendants.

The FTC charged that the defendants have an obligation to disclose that their “free” software download caused spyware and adware to be installed on consumers’ computers. But instead, the FTC alleges, they hide their disclosure in the middle of a two-page end-user licensing agreement buried in the “Terms and Conditions” section of their Web site. In addition, the FTC alleges that the defendants deliberately make their software difficult to detect and impossible to remove using standard software utilities. Although the defendants purport to offer their own “uninstall” tool, it does not work. In fact, it installs additional software, according to the FTC’s complaint.

The FTC charges that the practices of Odysseus Marketing and Walter Rines are unfair and deceptive and violate the FTC Act. The agency will seek a permanent halt to the practices.

The defendants are based in Stratham, New Hampshire.

Alex Eckelberry
(Thanks Suzi!)

How one bank is bringing down phishers

Interesting read in CSO magazine.  Link here via beSpacific (which also has other related articles on the subject).

In this article, the bank profiled has a fine-tuned system where it gets rapid notification of a new phishing attack, and then starts the process of getting the server shut down.

There is also a hint that the bank may use “dilution”, a polite term for something bordering on a denial of service attack — putting in fake account information below the threshold of an illegal DOS—something like what you see with PhishFighting.com.

Alex Eckelberry 

The criminal element tries to steal from Google

There’s been discussion going around among elite antispyware security forces about Google’s Toolbar being “whacked”.

What’s happening is that some criminal gang out there is installing a hacked version of the Google Toolbar via stealth on a relatively small number of systems.  Ostensibly, this is to give them the aura of legitimacy for their own nefarious means (for example, getting people to think they’re using Google, when in fact, they’re using something else).

The important question is: Why is this different than stealth installs by adware companies? 

Why is this an important question?  Because adware/spyware companies will inevitably point to this install as being something that makes them innocent of stealth installs that occur from their own affiliates and distributors (“you see, it’s even happened to Google, we’re all the victims of rogue distributors”, etc.).   In fact, we’ve already had one adware company approach us on this issue.

There are vast differences between this single unauthorized install of the Google Toolbar and the massive number of illegal force-installs (to say nothing of the continuing installs with sub-standard, inadequate notice and disclosure) that have been going on for years by some adware/spyware companies.

For example:

1. This Google Toolbar install is completely unauthorized

The bad guys installing Google Toolbar are doing it without any participation or knowledge on Google’s part whatsoever. The toolbar itself is not even being pulled from Google’s servers. It’s a hacked version being installed from the bad guys’ own servers. That’s quite a bit different from non-consensual adware installs, which see the bad guys operating within adware companies’ own affiliate distribution channels and using adware companies’ own installers and servers to install software.

2. Google is the innocent victim here

At the heart of this rogue install is a HOSTS file hijack that directs network requests for Google to the bad guys’ own servers. Thus, these installs are being used to spoof Google and hijack traffic away from Google’s sites and services. Google derives no benefit whatsoever from these hijacks, even unintentionally or unwittingly. Rather, it suffers as a result of these hijacks, which exploit Google’s good name even as traffic is driven away from their sites and services. Again, this is quite in contrast to non-consensual adware installs, where adware most certainly does derive economic benefit from force-installs, which expand an adware company’s advertising base and drive traffic to its sites and services.

3. Google did nothing to incentivize these hijacks

Google is not paying for these installs and the motive behind them is not to get paid by Google, quite unlike non-consensual adware installs, which occur precisely because adware companies provide the economic incentive to perform stealth installs of adware software (best example: installs of adware/spyware through bot-nets).

Google’s hands are clean; the hands of a number of adware companies are most certainly not. We predict that no one in the security community will be wringing their hands over whether to target Google toolbar for detection and removal, because this install (including all the accompanying malware files) is easily distinguished from legitimate Google Toolbar installs.
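Both hosts-file abuses on this page, the rogue “anti-spyware” HOSTS file that blackholes vendor sites (the “Ummm. this is a little weird” post) and the HOSTS file hijack that sends Google traffic to the bad guys’ servers (described above), leave the same kind of evidence in the file, so a support engineer can check for them with one audit. This is an added example, not code from this post or from Sunbelt; the two domain watchlists, the 198.51.100.23 address and the sample hosts file are constructed for illustration.

```python
"""Audit a HOSTS file for two abuses: (1) hijacks that map a well-known
domain to a non-loopback address, so requests go to a third party's server,
and (2) blackhole entries that point security-vendor sites at 127.0.0.1 or
0.0.0.0, cutting users off from updates and support.
Added example; watchlists and sample data are constructed."""
import ipaddress

# Domains whose traffic a legitimate hosts file should never redirect.
# Constructed watchlist (the post names Google as the hijack victim);
# subdomains such as www.google.com are matched as well.
HIJACK_WATCH = {"google.com"}

# Security-vendor domains a rogue "anti-spyware" hosts file might blackhole.
# Constructed list; the post mentions Lavasoft, Spybot, Sunbelt and mvps.org.
VENDOR_WATCH = {"lavasoft.com", "safer-networking.org",
                "sunbelt-software.com", "mvps.org"}

BLACKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments
    and lines that do not start with a valid IP address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # address with no hostnames
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                          # not an address; skip, don't guess
        for name in names:
            yield ip, name.lower().rstrip(".")


def in_watch(name, watch):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watch)


def audit_hosts(text):
    """Return a list of (kind, hostname, ip) findings, in file order."""
    findings = []
    for ip, name in parse_hosts(text):
        if ip in BLACKHOLE_ADDRS:
            # Blackholing ad servers is normal; blackholing vendors is not.
            if in_watch(name, VENDOR_WATCH):
                findings.append(("blackholed-vendor", name, ip))
        elif in_watch(name, HIJACK_WATCH):
            # A real address for google.com means the name resolves to
            # someone else's server: the hijack pattern from the post.
            findings.append(("hijacked", name, ip))
    return findings


# Constructed sample mixing an ordinary file with both abuses.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       ads.example.com               # ordinary ad-blocking entry
127.0.0.1       www.lavasoft.com              # blocks an anti-spyware vendor
127.0.0.1       security.sunbelt-software.com
198.51.100.23   google.com www.google.com     # hijack to a third-party server
198.51.100.23   toolbar.google.com
"""

if __name__ == "__main__":
    for kind, name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:18} {name:32} -> {ip}")
```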

Alex Eckelberry
(Thanks to Eric Howes for his extensive contribution to this post).