Follow-up to “Good news, Spyware may be decreasing”

Follow-up to my post about a study by the University of Washington that found that spyware is decreasing: the full research paper has been published.

It does include adult sites, which was a question earlier.  From Suzi Turner:

The PDF has several charts including one that shows the changed numbers in the types of spyware from May 2005 to October 2005.  Two categories decreased – dialers and adware.  Keyloggers increased from 0.04% to 0.15%, trojan downloaders increased from 9.1% to 13% and browser hijackers increased from 60% to 85%. One note, all of the testing of spyware was done by scanning with Lavasoft’s AdAware, no other anti-spyware software was used to detect threats. It’s been well documented that no single anti-spyware or anti-virus app will detect every piece of spyware, so the numbers could have been different if several programs had been used. I have noticed in the last few weeks there’s been a considerable decline in the number of new users registering at my SpywareWarrior forum for help with spyware removal.  I hope that is a sign that spyware infections are decreasing.  Who knows, if spyware really declines maybe this blog will turn into Suzi on SuSE one of these days.

Link here via Suzi.

 

Alex Eckelberry

The history of Firefox

From Ben Goodger:

The story of Mozilla is long and rich in detail. There are many perspectives. This is mine.

Getting Involved
I got involved with Mozilla because I loved the idea of working on something that had the potential to make an impact on millions of people. My friends and I lived in our browsers, so there was also a tangible payoff for contributions that made it into a shipping Netscape release. After switching gears on the layout engine, it looked like Netscape needed all the help it could get. In early 1999 only the most basic elements of the old Communicator suite were in place in the new browser; you could barely browse or read mail as Netscape’s engineers worked furiously to erect the framework of the application.

More here via Paul Thurrott.

Alex Eckelberry

 

On Botnets

Robotic software programs, called ‘bots or agents, automate actions that are typically performed by real people. ‘Bots can be used for good purposes or bad – there are ‘bot programs that play games over the Internet, for example, and ‘bots that collect information for search engines, like the GoogleBot. Programmers have used ‘bots on eBay to automatically search the site for bargains. ‘Bots are common on the Internet Relay Chat (IRC) network, where they can moderate a channel by “listening” for profanity or other undesirable conversation and removing violators from the discussion. So-called ChatBots can carry on conversations over Instant Messaging programs.

Unfortunately, ‘bots have gotten a bad reputation because attackers can use them for malicious purposes, such as coordinating a distributed denial of service (DDoS) attack to overwhelm and crash a company’s network. The first ‘bot attacks were against IRC servers but the practice soon spread way beyond IRC. Other uses of ‘bots include:

  • ‘Bots have been used to commit “click fraud,” where the ‘bot pretends to be a Web user clicking on an ad, to generate a high number of pay-per-click fees paid by the advertiser to the site owner.
  • ‘Bots can collect information such as the passwords, credit card numbers and other confidential information that users type into Web forms for the purpose of identity theft.
  • Another malevolent use of ‘bots is to relay spam, to hide the identity of the sender.
  • ‘Bots can sniff network packets to read the data inside, and use keyloggers to capture everything a user types.
  • ‘Bots can spread new ‘bots, thus propagating themselves through HTTP, FTP or email.
  • ‘Bots can manipulate online polls and ratings, so that the ‘bot can greatly increase – or decrease – the apparent popularity of a book on Amazon, an article on a Web site, or a candidate in a political poll. Each ‘bot has a different IP address, so the votes seem to be coming from different, legitimate voters.

What happens when lots of ‘bots get together? Somewhat like an unruly mob, they can do more harm working in conjunction with each other than individual ‘bots can do. “BotMasters” are people who run robot networks called BotNets, using worms, Trojans and backdoors to install the ‘bot software on the systems of unsuspecting users. Then each user’s computer becomes a part of the BotNet, which is controlled by the BotMaster.

The ‘bot software is hidden from the user, who has no idea his/her computer is being used to commit attacks, intrusions and theft of data, or to distribute spam, spyware, and viruses. Because the systems are under the control of a remote entity, they’re often called “zombies.” For a quick overview of how BotNets work, watch the video called “About BotNets” linked here. (Quicktime).

Last October, Dutch police shut down a BotNet that included more than 100,000 computers and arrested its perpetrators. The BotMasters were using the zombie computers to attack networks and hack into bank accounts and PayPal and eBay accounts. You can read more about it here.

The incidence of BotNets (or at least, those that were discovered) started increasing enormously in 2004 and continues to rise. According to Symantec’s Global Internet Threat Report in 2005, there was a 140% increase in the number of active ‘bots observed per day over the previous reporting period.

BotNets have become big business. BotMasters will rent the use of their BotNets for 10 to 25 cents per machine, so that those without the technical savvy to set up their own BotNets can still have the use of one to launch attacks, distribute spam, commit identity theft, or whatever other nefarious activities they wish. Some common ‘bot programs include:

  • Agobot/Phatbot/Forbot (there are more than 500 known versions)
  • SDBot/RBot/UrBot (published under the GNU General Public License)
  • GT-Bots (IRC script-based ‘bots)
  • Q8 Bot (for UNIX/Linux systems)
  • Perl bots (written in Perl scripting language, also used on UNIX systems)

How do you protect your computer from becoming a member of a BotNet? The same way you secure it against other threats: update your system with the latest security patches religiously (and Windows XP SP2 really helps), and install good firewall, antivirus and anti-spyware software.  Tight on cash?  Read our Security on the Cheap writeup here.
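Most of the ‘bot families listed above (Agobot, SDBot, GT-Bots) take their orders from an IRC channel, so on a corporate network the BotMaster’s controller shows up as many unrelated internal machines all connecting to the same outside IRC server. The script below, an added example rather than anything from the original post, looks for that fan-in pattern in outbound connection logs. The log lines are constructed for the example, and the log layout (timestamp, source, destination, destination port), the 10.0.0.0/8 internal range, the IRC port list and the three-client threshold are all assumptions, not anything the post specifies.

```python
"""
Added example (not from the original post): spot IRC-style ‘bot
check-ins in outbound connection logs by looking for many internal
hosts converging on one external IRC server.

FLOW_LOG is constructed for this example; the field layout, the
internal range, the port list and the threshold are assumptions.
"""
from collections import defaultdict
import ipaddress

# IRC ports that 2005-era ‘bots typically phoned home on (assumption).
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 7000}

# Internal address space (assumption for this example).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample: "<ts> <src> <dst> <dport>" per line.
FLOW_LOG = """\
2006-02-06T09:00:01 10.1.2.15 192.0.2.44 6667
2006-02-06T09:00:03 10.1.2.16 192.0.2.44 6667
2006-02-06T09:00:04 10.1.2.17 192.0.2.44 6667
2006-02-06T09:00:05 10.1.2.18 192.0.2.44 6667
2006-02-06T09:00:09 10.1.2.15 198.51.100.9 80
2006-02-06T09:01:00 10.1.2.30 203.0.113.7 6667
2006-02-06T09:02:00 10.1.2.31 192.0.2.44 6667
2006-02-06T09:02:30 10.1.2.40 198.51.100.9 443
"""


def parse_flows(text):
    """Yield (src, dst, dport) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, src, dst, dport = parts
        yield src, dst, int(dport)


def _outbound_irc(text):
    """Flows from an internal host to an external host on an IRC port."""
    for src, dst, dport in parse_flows(text):
        if dport not in IRC_PORTS:
            continue
        if ipaddress.ip_address(src) not in INTERNAL:
            continue
        if ipaddress.ip_address(dst) in INTERNAL:
            continue  # internal IRC server, out of scope here
        yield src, dst


def find_irc_c2(text, min_clients=3):
    """Return {external_host: sorted internal clients} for every external
    IRC server that at least min_clients internal machines contacted.

    One host on 6667 may just be a person using IRC; several unrelated
    hosts joining the same outside server is the BotNet controller pattern.
    """
    clients = defaultdict(set)
    for src, dst in _outbound_irc(text):
        clients[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in clients.items()
            if len(srcs) >= min_clients}


def irc_users(text):
    """Every internal host that touched an external IRC port at all,
    for follow-up with host-based antivirus/anti-spyware checks."""
    return sorted({src for src, _dst in _outbound_irc(text)})


if __name__ == "__main__":
    for c2, bots in find_irc_c2(FLOW_LOG).items():
        print(f"suspected controller {c2}: {len(bots)} internal clients -> {bots}")
    print("hosts to review:", irc_users(FLOW_LOG))
```

On the constructed log, 192.0.2.44 is reported as a suspected controller with five internal clients, while the lone connection to 203.0.113.7 only lands in the review list; tune `min_clients` to your environment, since a single IRC user is noise but four desktops on one channel is not.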

Let us know your experiences with ‘bots. Are you worried about the BotNet threat? Have you ever discovered ‘bot software on your system? What measures do you take to protect against becoming an unwitting member of a ‘bot army? Tell us what you think about ‘bots.

Deb Shinder

Fun with the NSA!

Just how does the NSA do the whole wiretapping thing, anyway? From USA Today:

The National Security Agency has secured the cooperation of large telecommunications companies, including AT&T, MCI and Sprint, in its efforts to eavesdrop without warrants on international calls by suspected terrorists, according to seven telecommunications executives.

More here via Martin McKeay.

But curious about security at the NSA?  Open source all the way! From Xavier Ashe (who looked at the picture below and surmised what was running):

So what are the super secret tools that the NSA uses?  dShield, Ethereal, Nessus, Nmap, Cain & Abel, Metasploit, Snort, and Kismet.  Good to know that our government supports open source projects… or maybe they just like free tools.     

Lt. Gen. Keith B. Alexander, director of the National Security Agency, and William Marshall, another NSA official, give President Bush a tour of the super-secret agency's headquarters in Fort Meade, Md.

Click here for the pic.  And here for the source Washington Post article.

Alex Eckelberry

Seen in the wild — a compromised site hoisting spyware

Nothing too exciting here, just another example of poor webserver security practices.  Glamour-shop(dot)com promises “high quality gifts”.

Glamourshopmainpage

Instead, it hits you with a WMF exploit which then does all sorts of nasties.

Onlineglamourshop

http://glamour-shop(dot)com/backdoor/ – gives you the WMF exploit.

http://glamour-shop(dot)com/down.txt – It apparently pulls the downloaders from here. 

And the cache of treasure (don’t run these — bad stuff):

http://glamour-shop(dot)com/stats/bin/bin.exe
http://glamour-shop(dot)com/stats/bin/bin2.exe
http://glamour-shop(dot)com/stats/bin/bin3.exe
http://glamour-shop(dot)com/stats/bin/bin4.exe
http://glamour-shop(dot)com/stats/bin/bin5.exe

Discovered through a pop-up: Our researcher discovered this site from a porn site ad that popped up during research. He followed the link and got hit at the main url with the WMF exploit. 

Thanks to Jarrett Levine in Sunbelt Spyware Research.

Alex Eckelberry

Outstanding analysis of BlackWorm

CAIDA, the Cooperative Association for Internet Data Analysis, has provided an extensive writeup on the BlackWorm/Kama Sutra/Nyxem email virus.

While email viruses and worms are a ubiquitous part of the online environment, Nyxem was relatively rare in that newly infected hosts connect once to a single website, providing a single source of information about the infected population.

Of more critical interest to those infected, the virus also contained a malicious payload designed to overwrite files with certain extensions on the 3rd of every month (beginning February 3, 2006). Affected file types include: .doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd, and .dmp.

We estimate that between 469,507 and 946,835 computers in more than 200 countries were infected by the Nyxem virus between January 15 23:40:54 UTC 2006 and Wednesday February 1 05:00:12 UTC. At least 45,401 of the infected computers were also compromised by other forms of spyware or bot software.

Really good reading if you’re interested in this virus.  Link here.

Alex Eckelberry
(Hat tip to Gadi Evron)


MySpace is under investigation

I’m actually glad that law enforcement is starting to wake up to the dangers of MySpace. 

From the Connecticut AG’s office:

“I am deeply disturbed by reports that underage girls with profiles on the Myspace.com web site may have been victims of sexual predators.

“My office has received numerous complaints over the last month that minors can easily post and view inappropriate and sexually suggestive material on Myspace.com, possibly in violation of state law.

“My office investigated and confirmed that children can readily view not only inappropriate material, but also obscene images through the site’s free and publicly accessible areas. The site posts no warnings that pornography and adult content are present and has no mechanism to prevent minors from viewing obscene material.

“I have referred this matter to the Chief State’s Attorney’s Office for possible criminal prosecution. My investigation is continuing.

“I am shocked and dismayed that the operators of Myspace.com fail to shield minors from pornographic images and that the web site may have been used by sexual predators targeting minors. As a parent, I find it appalling and abhorrent that a web site would so poorly police its pages. This site is a parent’s worst nightmare.

“Internet sites have a legal and moral responsibility to protect children from obscene images and inappropriate material. Internet site owners who shirk their legal responsibilities should be prosecuted to the fullest extent of the law.

“I urge parents to vigilantly monitor their children’s Internet activity. Following a few simple rules greatly reduces the danger of kids viewing inappropriate material or falling victim to sexual predators: Never let children surf the Internet behind closed doors. Keep the computer in the living room or other area where you can easily monitor sites they visit. Restrict all surfing to when a parent is home. Warn children to never post personally identifiable information on the Internet.”

Link here via Sandi.

Parents really need to perform oversight on what their kids are doing on these blogs — including reading them.  For example, I had a friend recently who was shocked to see his daughter openly talking about smoking pot on her blog.  He had no idea and didn’t even really understand what MySpace was.   There is lots of stuff that these kids are doing, and oversight as well as educating your children on the dangers and issues of online blogging is essential.  

 

Alex Eckelberry

Good news, spyware may be decreasing

Update: See here for the full writeup.

The spectre of lawsuits, broad use of XP Service Pack 2 and FTC enforcement seems to be helping:

A new study details the extent and seriousness of potentially destructive spyware on the Internet, finding that it is still prevalent but declined significantly…

The study examined popular categories of Web sites including games, news and celebrity sites. Among the findings:

  • More 5 percent [sic] of executable files contain piggybacked spyware.
  • One in 62 Internet domains performs “drive-by download attacks” to force spyware on users who simply visit the site.
  • Game and celebrity Web sites appeared to pose the greatest risk for piggybacked spyware, while sites that offer pirated software topped the list for drive-by attacks.

Link here via Suzi Turner.

Suzi Turner at ZDNet makes a good point, though:

One in 62 of 20 million sites is quite a large number still. The article does not mention if porn sites were checked. Porn sites are a huge source of spyware usually downloaded through exploits. The CoolWebSearch porn sites alone number in the thousands and are guaranteed to give you a nasty payload. This page at Webhelper’s site has links to lists of CWS sites and the Alpha Sort in Text Format list has 3,500 sites listed. Most of them are porn sites.

We’ll have to see what the full details are when the final paper is released.

Alex Eckelberry

Blackworm — what happened?

Re the BlackWorm/Kama Sutra/Nyxem video: The rate of infection for BlackWorm didn’t match the actual number of machines that suffered destructive results on the 3rd.  Remember, this is the worm that was supposed to kill a lot of machines (estimates were that approximately 300,000 systems were infected) on February 3rd.

F-Secure writes:

– The amount of machines that were really infected still on Friday was much smaller than the total amount of machines that got infected (and cleaned) during the whole outbreak. This number is probably in the tens of thousands. Which is not a lot of computers out of, say, one billion computers in the world.

– Many of the infected machines were not rebooted on Friday. They were simply running all the time. The worm only does damage when you start the machine on the 3rd.

– Many infected home machines were shut down all of Friday, and nothing happened. People went to movies, bars, parties on Friday night instead of surfing.

– The media coverage on the whole incident prompted many people to check their system and clean them up in time.

F-Secure link here.

Alex Eckelberry

Keeping searches private

Information Week has an article on keeping search engine results private:

Word that the government has been seeking search data from Google has struck fear into the hearts of Internet Explorer and Firefox users. Here are five simple steps to keep outsiders from uncovering private information about your Web browsing habits.

Link here via beSpacific.

Alex Eckelberry

Bridging the book gap

Unless you’re born with a silver spoon in your mouth, the expense of textbooks is a tough part of college — it’s the “second tuition” you have to pay.

Catherine Forsythe (one of my favorite bloggers) has come up with a new service that tries to help.  BookGap is a listing service for books.  Focused on textbooks (but usable for regular books), the service hopes to help bring the cost of textbooks down.  You simply list a book you want, or a book you have available. You could rent a book, or sell a book. The service is free while it’s in beta. 

Link here.

 

Alex Eckelberry

Pay-for email coming to a mailbox near you

Thanks to sharp-eyed blog reader Mercen4ry for catching this one: The New York Times reports that America Online and Yahoo are about to start charging senders between a quarter of a cent and a penny per message for “guaranteed” delivery of email to their users.

It means that the email won’t be nailed by their spam traps. 

America Online and Yahoo, two of the world’s largest providers of e-mail accounts, are about to start using a system that gives preferential treatment to messages from companies that pay from 1/4 of a cent to a penny each to have them delivered. The senders must promise to contact only people who have agreed to receive their messages, or risk being blocked entirely.

Both companies swear that “the senders must promise to contact only people who have agreed to receive their messages, or risk being blocked entirely.”  

This is not a new idea: Habeas has had a system like this for years. 

NY Times article here via BoingBoing.

Alex Eckelberry

Winamp exploit found in the wild

Our research team has uncovered a malicious Winamp playlist file (.pls) actively being used to hoist spyware onto the machines of victims running unpatched versions of Nullsoft’s Winamp music player.

On Monday, computer security firm Secunia issued an advisory for this bug:

Some vulnerabilities have been reported in Winamp, which can be exploited by malicious people to compromise a user’s system.

1) A boundary error during the handling of filenames including a UNC path with a long computer name can be exploited to cause a buffer overflow via a specially crafted playlist containing a filename with an overly long computer name (about 1040 bytes).

NOTE: An exploit is publicly available.

The vulnerability has been confirmed in version 5.12. Other versions may also be affected.

Successful exploitation of any of the vulnerabilities allows execution of arbitrary code on a user’s system when e.g. a malicious website is visited.

Thankfully, Nullsoft quickly posted a fix for this vulnerability on their website. Additionally, users of vulnerable versions are also warned when opening their media player that a newer version (5.13) is available to download to fix this security vulnerability.

WA1_small

Not following the recommendation from Nullsoft to upgrade to version 5.13 could result in the extremely nasty CWS Looking-For.Home Search Assistant infection as well as an installation of our good friend SpySheriff.

After surfing to a malicious website on our test machines, the file “x.pls” begins to download. Almost immediately, Winamp starts to execute the playlist and remote code execution begins. A VirusTotal scan shows that only one AV vendor is detecting this.
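Because the advisory quoted above pins the bug to a UNC path with an overly long computer name inside a playlist entry, the file is easy to spot before Winamp ever opens it. The scanner below is an added example, not Sunbelt’s or Nullsoft’s code: it walks the `File<n>=` entries of a .pls file and flags any `\\host\share\...` path whose host part is implausibly long. The two playlists are constructed for the example, and the 255-character cutoff is an assumption chosen because no real hostname can exceed 255 octets (NetBIOS names are 15), so anything longer can only be overflow padding.

```python
"""
Added example (not Sunbelt's or Nullsoft's code): flag Winamp .pls
playlists carrying the overlong-UNC-computer-name pattern the quoted
Secunia advisory describes.

BENIGN_PLS and HOSTILE_PLS are constructed for this example; the
MAX_HOST_LEN cutoff is an assumption, not a value from the advisory.
"""
import re

# No legitimate computer name exceeds 255 characters, so a longer UNC
# host part cannot be a real share and is treated as hostile.
MAX_HOST_LEN = 255

# Capture the host part of \\host\share\file (value after "File<n>=").
UNC_RE = re.compile(r"^\\\\([^\\]+)")
FILE_KEY_RE = re.compile(r"[Ff]ile\d+")


def scan_pls(text):
    """Return one finding per File<n>= entry whose UNC host part is longer
    than MAX_HOST_LEN.  Each finding records the entry key, the host
    length and a short preview of the value for the analyst."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", ";")):
            continue  # section header, comment or blank line
        key, sep, value = line.partition("=")
        if not sep or not FILE_KEY_RE.fullmatch(key.strip()):
            continue  # Title<n>=, Length<n>=, Version=, ...
        value = value.strip()
        m = UNC_RE.match(value)
        if m and len(m.group(1)) > MAX_HOST_LEN:
            findings.append({
                "entry": key.strip(),
                "host_len": len(m.group(1)),
                "preview": value[:40] + "...",
            })
    return findings


# Constructed: an ordinary playlist with a local file and a short UNC path.
BENIGN_PLS = """\
[playlist]
NumberOfEntries=2
File1=C:\\Music\\track01.mp3
Title1=Track 1
File2=\\\\mediaserver\\share\\track02.mp3
Title2=Track 2
Version=2
"""

# Constructed to mimic the advisory's description: a UNC path whose
# computer name runs to about a kilobyte (1100 'A's here).
HOSTILE_PLS = (
    "[playlist]\n"
    "NumberOfEntries=1\n"
    "File1=\\\\" + "A" * 1100 + "\\share\\x.mp3\n"
    "Title1=x\n"
    "Version=2\n"
)


if __name__ == "__main__":
    print("benign playlist findings:", scan_pls(BENIGN_PLS))
    for f in scan_pls(HOSTILE_PLS):
        print(f"{f['entry']}: UNC host part is {f['host_len']} chars -> {f['preview']}")
```

The benign playlist produces no findings; the hostile one reports `File1` with a 1100-character host part. The same check can run at a mail or web gateway on anything served with a .pls extension, which is a cheap stopgap for machines that have not yet taken the 5.13 update.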

WAVT_small

Screen shots of the hijacked browser:

Looking4home

WA4_small

Sunbelt Software recommends network administrators and individual users block this site either at the gateway or on the desktop:

008k.com (195.225.177.27)

Adam Thomas
Spyware Research

Um, I don’t think so

SANS just recommended removing certain IP ranges from block lists:

Update:
Based on feedback from Intercage customers, we no longer recommend to block them. Please let us know if you see any problems from 69.50.160.0/19 and we will try to facilitate contact and a resolution.

Link here.

The IP ranges in question are:

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 – 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 – 85.255.127.255)

While we rarely disagree with our friends at SANS, we do NOT recommend removing these ranges, at least not 69.50.160.0/19.  This is a live bad range.

Examples:

Blocklist21390

kristinapollard.com 69.50.188.36
Andy Placid      
London  GB      
placid @ treffend.com

Or this one:

Blocklist123

And let’s not forget the very evil Vcodec, http://www.vicodec(dot)com (69.50.160.61), which is responsible for SpyAxe, SpyStriker, desktop hijacks, pop-up advertising, toolbar installs, and all that fun.

As regards the 85.255.112.0/20 range, it is riddled with live malicious files, and even the sites that look normal make calls to the 195.x and 85.x Russian servers:

  • dirty-rape(dot)com calls in the rotational 85.255.113.22 IP that will end up running a wmf exploit and infestation. 
  • 69.50.161.169 dirty-rape.com calls in Iframe:85.255.113.22/inc/yfuzz.html
  •  85.255.113.22/inc/yfuzz.html redirects to: 85.255.113.10/?to=yfuzz&from=in
  •  85.255.113.10/?to=yfuzz&from=in calls: 85.255.113.83/users/fill/web/count.php?id=yfuzz
  •  85.255.113.83/users/fill/web/count.php?id=yfuzz in Iframe runs 85.255.113.83/users/fill/web/xxx.wmf
  •  The wmf calls to 85.255.113.84/users/smell/web/sex.

85.255.114.* is also a bad site (Wuster Ltd sites running wmf exploits). 

However, 85.255.112.0 to 85.255.112.255 (85.255.112.0/24) may be clean.

Maybe SANS should recommend blocking specific domains and IP addresses instead.

For example:

x-stories.org – 69.50.187.19
zlex.org – 85.255.115.227
85.255.116.213
85.255.117.51

And preferably these as well:

Noi.themovie.com that calls the x-stories.org – 69.50.187.19
Cleanchan.net – (formerly fullchain.net) – 195.255.177.21

Or else people with unpatched machines are going to end up looking at this

Ablock21390

or this, depending on the day and time:

Spyware219808fsa
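The argument above is a blocklist-granularity question: a /19 is 8,192 addresses, the post names a handful of hosts inside it, and at least one bad host (cleanchan.net) is outside both SANS ranges anyway. The script below is an added example, not Sunbelt’s or SANS’s code: it turns the post’s addresses into a narrow blocklist (named hosts plus the two /24s the post describes as wholly bad) and checks candidate IPs against it. Treating 85.255.113.x and 85.255.114.x as /24s, defaulting everything else in the SANS ranges to allow, and keeping the cleanchan.net address exactly as printed in the post are all assumptions of the example.

```python
"""
Added example (not Sunbelt's or SANS's code): the narrow blocklist the
post argues for, built from the addresses it names, with a lookup
function and a comparison against the two broad SANS ranges.

Assumptions: /24 granularity for the 85.255.113.x and 85.255.114.x
hosts, allow-by-default for unlisted addresses, and the addresses
exactly as the post prints them.
"""
import ipaddress

# The two ranges SANS stopped recommending to block (from the post).
SANS_RANGES = [ipaddress.ip_network("69.50.160.0/19"),
               ipaddress.ip_network("85.255.112.0/20")]

# Subnets the post reports as wholly bad: the 85.255.113.x redirect chain
# and the 85.255.114.* Wuster Ltd WMF hosts (assumed /24 boundaries).
BAD_SUBNETS = [ipaddress.ip_network("85.255.113.0/24"),
               ipaddress.ip_network("85.255.114.0/24")]

# Individual hosts named in the post.
BAD_HOSTS = {
    "69.50.188.36": "kristinapollard.com",
    "69.50.160.61": "vicodec.com (SpyAxe/SpyStriker)",
    "69.50.161.169": "dirty-rape.com (iframe to 85.255.113.22)",
    "69.50.187.19": "x-stories.org",
    "85.255.115.227": "zlex.org",
    "85.255.116.213": "(unnamed in post)",
    "85.255.117.51": "(unnamed in post)",
    "195.255.177.21": "cleanchan.net",
}


def classify(ip_str):
    """Return (decision, reason) for one address under the narrow list."""
    ip = ipaddress.ip_address(ip_str)
    if ip_str in BAD_HOSTS:
        return "block", f"listed host: {BAD_HOSTS[ip_str]}"
    for net in BAD_SUBNETS:
        if ip in net:
            return "block", f"inside bad subnet {net}"
    for net in SANS_RANGES:
        if ip in net:
            return "allow", f"inside {net} but not individually listed"
    return "allow", "not in any listed range"


def range_coverage():
    """Split the named hosts into those the two SANS ranges would catch
    and those a range-based block would miss entirely."""
    covered, missed = [], []
    for host in BAD_HOSTS:
        ip = ipaddress.ip_address(host)
        (covered if any(ip in n for n in SANS_RANGES) else missed).append(host)
    return sorted(covered), sorted(missed)


def collateral(net=ipaddress.ip_network("69.50.160.0/19")):
    """(addresses a whole-range block takes down, named bad hosts in it)."""
    listed = sum(1 for h in BAD_HOSTS if ipaddress.ip_address(h) in net)
    return net.num_addresses, listed


if __name__ == "__main__":
    for probe in ("85.255.113.22", "85.255.112.5", "69.50.160.61", "69.50.170.1"):
        print(probe, "->", classify(probe))
    covered, missed = range_coverage()
    print("caught by SANS ranges:", covered)
    print("missed by SANS ranges:", missed)
    print("whole /19 block: %d addresses for %d named hosts" % collateral())
```

Run as-is it blocks 85.255.113.22 (the rotational IP in the redirect chain) by subnet, leaves 85.255.112.5 alone as the post suggests, and reports that blocking the whole 69.50.160.0/19 costs 8,192 addresses to cover four named hosts while still missing cleanchan.net.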

 

Alex Eckelberry
(Thanks to Sunbelt researchers Patrick Jordan, Adam Thomas)

ServerVision

ServerVision Logo_cmyk

ServerVision, our server management tool, is being transitioned to Aldebaran Systems. We’ve worked closely with Graham Bradshaw, Aldebaran’s CEO, on the transition for our customers. 

All customers under existing ServerVision maintenance contracts will continue to receive product support and product updates through Aldebaran.  ServerVision users will be asked to perform a simple no-charge upgrade to Aldebaran ServerAssist, an enhanced version of ServerVision.  All existing customized settings and policies will be automatically migrated to the new version.

Aldebaran will also offer customers of Sunbelt ServerVision the opportunity to purchase maintenance at a discounted price through March 31st, 2006.

The transition is effective February 1, 2006.  Sunbelt will honor any existing quoted purchases for ServerVision through February 28th.

The folks at Aldebaran are a good group, and I feel that this is ultimately the best move to ensure that our customers continue to get ongoing support and upgrades for this product.  ServerVision is an outstanding product and one of my personal favorites and I’m glad to see it in good hands.

Aldebaran website here.  Press release here.

Alex Eckelberry