The Legacy Sunbelt Software Blog
The Great Years: 2004-2010
For your blocking pleasure:
urgentwindowsupdate(dot)biz
boostservice(dot)com
securitybulletin(dot)com
bestsecurityguide(dot)com
systemsecurityindex(dot)com
theguardservices(dot)com
Obviously, don’t visit these sites. They are bad.
We’ll may have more up on Monday as well.
Patrick Jordan
PaperGhost reports that the Lolita porn site that was the center of the YapBrowser hullabaloo is down.
Link here.
Alex Eckelberry
Microsoft will re-engineer the patch that’s been causing some difficulties.
From the Stephen Toulouse:
So what we have done is re-engineered the MS06-015 update to avoid the conflict altogether with the older Hewlett Packard and NVIDIA software. We’re going to run a test pass on it and we will release this new update on Tuesday, April 25th. What the new update essentially does is simply add the affected third party software to an “exception list” so that the problem does not occur. The revised update automates the manual registry key fix.
I want to be real clear about that. When the update is re-released, it’s going to be very much targeted to people who are having the problem, or people who have not installed MS06-015 yet. That means if you have already installed MS06-015 and are not having the problem, there’s no action here for you. Windows Update, Microsoft Update, and Automatic Update will have detection logic built into them to only offer the revised update (which essentially includes the reg key fix) to those customers who either don’t have MS06-015 or are having the problem. [My emphasis].
Separately, I saw this last night:
Microsoft released today thru their Download Center the Compatibility Patch for Internet Explorer (KB917425)
Do not install that compatibility patch if you are not experiencing problem in your Internet Explorer *after* installing the Microsoft Security Bulletion – MS06-013: Cumulative security update for Internet Explorer which was released last Patch Tuesday – April, 11, 2006 because… the said compatibility patch was made available only for “customers who have experienced compatibility issues and who require more time to test/update websites and programs that are impacted by the IE Active X update.”
That means if you have already installed MS06-015 and are not having the problem, there’s no action here for you.
Link here.
So. one fix will be coming out on Tuesday (I’ve got an email into Microsoft get a little more data). And there’s one right now for people who are experiencing issues with the Active X update.
And then just to add spice to the whole mix, Microsoft is investigating problems the patch may have had on some Outlook Express users.
I do hope that people aren’t holding off on the implementing the April 11 patch because of fears that it will cause harm to their system. The createTextRange() zero day exploit is still a potential threat out there. Correction: To be clear, MS06-015 does not address the createTextRange vuln. That bulletin is MS06-013.
Alex Eckelberry
Google had a beautiful logo this morning, which looked like this:
Here at Sunbelt, one person sent a group email wondering what it was. Someone else explained that it was dedicated to the birthday of Joan Miró.
It is so cool for a company to change their logo to commemorate the birthday of an artist who is not even known to most of the world (yes, he’s famous in art circles, but do you think the average person on the street would know who Joan Miró is? Well, many do now).
What a good thing Google did today. A lot of people learned a little more today about art, and a lot of people were introduced to a great artist of this century. And that, I believe, is a good thing.
Anyway, some guy called Theodore Feder, who runs the Artists Rights Society, demanded that Google take the logo down. According to a story in the Merc (via techdirt):
“There are underlying copyrights to the works of Miro, and they are putting it up without having the rights,” said Theodore Feder, president of Artists Rights Society.
So Google complied and yanked the logo.
This begs the question: If, as an artist, I were to be inspired by the style of Joan Miro, would I suddenly be in trouble? It seems pretty clear to me that they didn’t steal his art. (If you want to see what his art looked like, you can click here, or do a Google image search.) But it just seems to me to be a representation of his art by a Google artist (granted, a very good representation of Joan Miró’s art).
So, is this an abuse of copyright law? Or is Theodore Feder right? Did Google go too far?
What about the benefits of spreading a bit more art and life into an Internet bombarded with crap and incessant ads for cars, dating sites and casinos — while respecting a great artist of our time?
Alex Eckelberry
Michael Miller, PC Mag’s editorial leader, writes a hard-hitting editorial on the state of security products.
All of you have reason to worry about the prospect of Microsoft entering the security market this summer with a new service called OneCare. But you’re focused on the wrong problem. Instead of focusing on Microsoft, you need to take a good hard look at the effectiveness of your own wares. I’ve talked with a lot of computer users lately, and the conclusion is inescapable: Your products just aren’t good enough.
He’s spot-on. It’s an excellent read. And a wake-up call to the industry.
Alex Eckelberry
MyGeek.com is a third party ad network that has had a business relationship with Direct Revenue (also, a press release last year announcing a “Strategic Partnership”.
Mygeek.com hosts a site called cpvfeed.com (66.179.234.169). CPV stands for “Cost Per View”, something MyGeek is into.
Take a look at this google search.
If you click on that link (which you shouldn’t do), you get this odd page:
Clicking on OK gets you to this bogus security site:
Why is this relevant? A big thing about Mygeek is keyword advertising. If there are keywords purchased by this company for things like “virus”, “spyware”, etc…. well, you get the idea.
Alex Eckelberry
I have a completely eclectic bunch of brothers. One of them does the market. Another is an architect. Another is a high tech marketing consultant. And another is a film director, and was recently working on the film The Mirror. He just forwarded a link to an unofficial (and irreverent) behind-the-scenes video.
He’s the guy with the hat (true, he may have gotten the bad genes, but we don’t hold it against him).
Link here.
Alex Eckelberry
Back in early March, we had blogged about iBill information possibly being leaked on the ‘net.
Wired has since made the following modification to their story:
Editor’s note: Since publication of this article, iBill has spoken with Wired News. The company now says that the purportedly stolen database did not originate with iBill, and only three of the more than 17 million entries match past iBill customers. Asked to respond, Secure Science says it no longer believes that iBill was the source of the data. Read the full story.
Link here.
Alex Eckelberry
Yesterday we wrote about some security scam hijack sites.
Here’s some more for you to block:
IP: 70.86.246.35
17webplace(dot)com
aurealm(dot)com
authorsontour(dot)com
beepwear(dot)com
carterobregonlaw(dot)com
cma2004(dot)com
coloreal(dot)com
ideagenerationmethods(dot)com
indiahcsl(dot)org
interacttheatre(dot)com
poliblog(dot)com
praxispost(dot)com
salestaxsimplification(dot)org
samchampion(dot)com
sapsapphire-emea(dot)com
scienceserver(dot)com
sputnikbook(dot)com
thresholdofvisibility(dot)com
uscmchicago2005(dot)com
All of these sites will attempt (after evaluating your computer’s OS and service pack level) to run currently patched exploits on your system to install Spyware Quake.
Do not visit these sites.
Alex Eckelberry
(Data from Sunbelt’s Patrick Jordan and Adam Thomas)
Robert LaFollette, our creative director, took his wife down to the Everglades (about 3 hours south of us) to “shoot alligators” last weekend. Not with a gun, but with a Canon digital camera (a 20D with a Canon 100-400mmL Pro Lens).
They stopped in a park for a bit and were sitting near a pond eating sandwiches, when Robert stepped a few yards away from his wife. He heard a scream, and turned to find his wife running from a very friendly alligator lumbering over, interested in her sandwich. Robert ran over and tried to distract the gator, to no avail.
Fortunately, some local fisherman threw some fish at the gator, and he went off to munch on the fish. Robert and his wife took off as quickly as they could.
Now, it’s not usual for gators to get near people like this. They actually aren’t much interested in humans (at least large ones). However, just like any other animal, they start to see humans as a source of food when humans make the mistake of feeding them. Robert was told later by the park ranger that the only reason the gator walked up in the first place was probably because the local fisherman had been feeding the alligators — an illegal offense.
Robert has more pics of the whole experience on his blog, here.
Alex Eckelberry
A brief research summary by Sunbelt’s Patrick Jordan on zllin(dot)info installing a security scam hijacker, PestTrap. Link here (pdf).
Alex Eckelberry
The YapBroswer interview with Paperghost.
1) Why is Yapbrowser available to download again, when the application doesn’t actually work? (Any search made results in a page cannot be found message)?
YB: Because there on the main page was only a pattern i.e. only design of a site for a kind. And in general all sites are not completed. Partner program is in a test mode. Even the engine of site has not been installed on a site yet. On them there are no users and there is no traffic. This all is made for us, but not for for public. For public all would be tested and all links would appear in a working kind.
Link here.
Alex Eckelberry
Not sure if you caught this broadside by the EFF against the DMCA:
The DMCA Chills Free Expression and Scientific Research.
Experience with section 1201 demonstrates that it is being used to stifle free speech and scientific research. The lawsuit against 2600 magazine, threats against Princeton Professor Edward Felten’s team of researchers, and prosecution of Russian programmer Dmitry Sklyarov have chilled the legitimate activities of journalists, publishers, scientists, students, programmers, and members of the public.
The DMCA Jeopardizes Fair Use.
By banning all acts of circumvention, and all technologies and tools that can be used for circumvention, the DMCA grants to copyright owners the power to unilaterally eliminate the public’s fair use rights. Already, the movie industry’s use of encryption on DVDs has curtailed consumers’ ability to make legitimate, personal-use copies of movies they have purchased.The DMCA Impedes Competition and Innovation.
Rather than focusing on pirates, many copyright owners have wielded the DMCA to hinder their legitimate competitors. For example, the DMCA has been used to block aftermarket competition in laser printer toner cartridges, garage door openers, and computer maintenance services. Similarly, Apple invoked the DMCA to chill RealNetworks’ efforts to sell music downloads to iPod owners.The DMCA Interferes with Computer Intrusion Laws.
Further, the DMCA has been misused as a general-purpose prohibition on computer network access which, unlike most computer intrusion statutes, lacks any financial harm threshold. As a result, a disgruntled employer has used the DMCA against a former contractor for simply connecting to the company’s computer system through a VPN.
Link here via beSpacific.
Alex Eckelberry
“Martin”, a reader of this blog, dropped a rather interesting comment on the site today.
It’s a link to a discussing going on today at a webmaster community called crutop. The forum link is here http://crutop.nu/Vbulletin/showthread.php?t=63868, and it appears safe enough to browse, although you always visit these at your own risk.
It starts off with one fellow mentioning Suzi at ZDnet’s post on YapBrowser yesterday.
In this forum, we have a fellow by the name of “John Helbert” who apparently represents YapBrowser, and makes this comment (translated from Russian—thanks Anna):
We registered at Zango a couple of months ago, signed a contract and sent them our software to be checked. They checked it and approved it. Meanwhile, our programmers have been writing an engine for the partner program- yapcash.com, but it was never completed.
Our program works in a way that user uses it to check thru FHG (Free Hosted Galleries-ed) for free.
Here is what happened in the past days – The server where we hosted our sites was using 404 traffic for his own purpose. As you can see they have accumulated CP and exps. We didn’t know about it. We only learned about it from the news. You can see on the video that the user is clicking on the link that takes him to a non-existing page.
I repeat that we in no way are associated to CP (Child Porn—ed). We do not need this because our project is absolutely legal and now we are bombarded with the bad reputation issues.
I’ve written earlier about Spyware Quake, a nasty rogue antispyware program that runs a protection racket on people’s PCs, forcing them to buy the product in order to get rid of “fake spyware”.
There is a growing number of sites in the
All these site are part of security scam hijackers we know of well, and have the same script in common in the head of their site code:
The basic look of all the sites is something like this:
They are using both the old Javascript and WMF (css.wmf) exploits to install themselves:
(Javascript exploit)
Server for the IPs
OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 1333 North Stemmons Freeway
Address:
City:
StateProv: TX
PostalCode: 75207
Country: US
(Data provided by Sunbelt senior researcher Patrick Jordan)
How to change maximum number of frequently used program shortcuts
When you use the same program frequently, it goes into the Most Frequently Used Programs section of the XP Start menu. By default, the eight most frequently used programs show up here. If you’d like XP to display more (or fewer) programs, you can change that. Here’s how:
If you select a high number, you should also select “small icons” on the General tab so there will be room to display them all.
Great Resource for Understanding Security Bulletins
Each month, Microsoft releases a set of security bulletins on “Patch Tuesday,” along with a technical description of each bulletin. But for some folks, those descriptions are a little too technical and long-winded. Enter Randy Franklin Smith’s Ultimate Windows Security website, where he provides an explanation and his own personal take on each of the security bulletins soon after they’re released. Not only does he mostly de-jargonize the language in the bulletins, he also provides caveats and tips on how to determine whether you need to deploy them based on your particular situation. You can also subscribe to have the assessments sent to you each month via email. Link here.
How to disable media sensing for TCP/IP
Windows XP contains a feature called media sensing that is used to detect whether your computer is physically connected to the network. If it senses that you’re disconnected, it will remove the bound protocols from your network adapter. If you don’t want this to happen, you can disable media sensing by following the instructions in KB article 239924 here.
Can’t open Office files in Internet Explorer
If you try to open an Office XP/2003 file in Internet Explorer 5.5 or 6.0, you might get an error message that says “414 Request – URI too large,” “404 Page Not Found” or “A DDE error has occurred.” This happens because the file or path name is too long. You can update IE with the appropriate service pack to fix the problem. For more information, see KB article 416351 here
XP Search doesn’t find Office files
If you try to search for files created by Microsoft Office programs with the extensions .doc, .ppt, .xls, etc.), you may find that the Search function doesn’t locate any files even though you know that such files exist on the hard drive you’re searching. This can happen when you’ve upgraded or removed Office. For a workaround to the issue, see KB article 312510 here.
Deb Shinder
The Internet community has done a lot of talking about copyright issues. After all, when you spend hours or weeks or months writing a brilliant piece of prose to post on the ‘net, you want to be sure that you get the credit for it.
But what about those less-than-brilliant bits of writing that you may have authored over the years? You know the ones I mean, don’t you? Those embarrassing newbie questions you asked on the tech newsgroup years ago. Those mailing list political exchanges that deteriorated into screeching screeds. Those passionate declarations of everlasting devotion emailed to what turned out to be the very temporary love of your life. Those complex philosophical essays that seemed so clever when you were pounding the keyboard at three in the morning after a few too many drinks and/or a lot too little sleep.
Far from wanting the credit, you probably wish those would just go away. I remember being advised, in my early years, to never send something that I’d written while in an emotional state without waiting a few days and reviewing it in the cold light of day. Since back then, sending a communication – whether a love letter or a letter to the editor or the filing of a lawsuit – meant putting it in an envelope, finding a stamp, and trekking down to the corner mailbox, it was easy advice to follow. Today, sending takes a single click of the mouse, and your words are out there in the wild, and out of your control. And you may not ever be able to take them back.
Even when what you’ve written isn’t particular incriminating, the seeming immortality of electronic communications can be annoying. Who, besides me, has had the experience of putting up a web page on the free server space offered by an ISP and then, after canceling the ISP account, finding it impossible to get that page removed? You end up with this fifteen year old, completely out of date page out there on the Web, which people find when they do a search on your name, containing all sorts of now-obsolete information about you.
Even if the ISP does take down your page, it may not be completely gone. Projects such as the Wayback Machine (www.archive.org/web/web.php) preserve copies of old web pages. Thought you’d gotten rid of that ugly old photo of yourself that used to be on your web site? Sorry, the Wayback Machine can take anyone back to that original version of your site that sports the picture you now hate. You’ve got to wonder if even Microsoft is a little embarrassed by what its web site looked like in 1996 (just type www.microsoft.com into the Wayback Machine and have a look).
What about all the email messages you’ve written over the years? Would you be completely comfortable knowing every one of them is still hanging around somewhere, ready to be exposed to the world? Think just because you deleted them from your machine, you’re home free? Not hardly. Many people use IMAP email servers (such as corporate mail servers) where the mail stays on the server instead of being downloaded to your machine. The advantage is that you can access your mail from different computers. You can delete messages from your mailbox on the server – but most email providers make backups to protect against loss of mail in case of viruses, attacks, hardware and software problems. That’s true if you use POP mail, too.
And never forget that every email message by nature has both a sender and a recipient. The person on the other end may well have saved the message you so desperately wish didn’t exist (or even forwarded it to others). There are ways to restrict some messages from being copied or forwarded by the recipient (for instance, using Microsoft’s Rights Management Services) but they require special software or configurations on both ends, and don’t prevent the recipient from doing a screen capture or even taking a photo of the message on the screen.
If you aren’t thrilled with the idea of having your Internet activity live forever, you’ll probably be interested to know that it may soon be the law. The U.S. Congress is considering legislation to make data retention mandatory. That means Internet providers would be required to record their customers’ online activities and keep those records for a specified amount of time (anywhere from six months to two years has been discussed). The European parliament has already approved similar laws. Read more about U.S. plans here.
States are also getting into the act. In Colorado, a Democrat in the state senate has proposed an amendment to a sex offender bill that would require ISPs to retain records of IP addresses assigned to each of their customers for 180 days, with fines up to $10,000 per incident for violation.
ISPs aren’t thrilled with the prospect of paying for storage space to keep huge amounts of data representing all their customers’ email, web browsing, chat activity, etc. And of course, if such requirements become law, they’ll pass the costs on to their customers and the price of Internet connectivity will rise. Privacy advocates are even more concerned that this is just one more step toward a “big brother” police state. But government officials play their two favorite fear factor cards: 1) it’s to fight terrorism and 2) it’s for the children (to fight child pornography).
These are both noble causes, but do they necessitate keeping all these records on everybody, including people who are not suspected of breaking any laws? Federal laws already require ISPs to retain records if a government entity requests them to do so, as would be done in the course of an investigation where law enforcement had reason to suspect wrongdoing.
For an example of what happens when the government has too much access to people’s private messages, click here.
It seems that in Iran, people who send SMS text messages containing jokes about their president, as well as jokes about sex or the country’s nuclear program, are being arrested. Is this where we want to go?
What do you think? Are critics of the data retention plans worrying over nothing? Are these drastic measures necessary to protect us from Internet criminals? Have you ever posted something on an Internet forum or sent an email that you’re now ashamed of or embarrassed about? Should ISPs have to bear the cost of warehousing customer data? Or should the government (i.e., the taxpayers) pay for it? Will more and more government regulations on service providers result in the Internet once again becoming a luxury only the wealthy can afford?
Deb Shinder
Sunbelt Senior Spyware Researcher Patrick Jordon (aka WebHelper) has just been awarded Microsoft Most Valuable Professional (MVP). He joins Sunbelt’s Eric Howes in this honor.
Congratulations Patrick!
Alex Eckelberry
After my blog post earlier today on a new rogue antispyware program, Spyware Soft Stop, our Eric Howes made a surprising discovery.
Look at this screenshot:
As you can see, it found six files and identified them as various types of malware.
The problem is, not only are those files just junk files (not malware), but the Spyware Soft Stop application itself installed the files.
That’s right, this application planted the very files it claimed to detect as malware.
Unreal.
Alex Eckelberry
There is a new rogue antispyware on the loose, called Spyware Soft Stop (Whois).
If you have the misfortune to run an executable named “sss_bot.exe”, you’ll get presented with a fake (and poorly worded) security message:
What follows are more crafty screens designed to think you’re doing a normal Windows update:
And here’s the lovely app in all of its glory:
..
Of course, numerous terrifying results (all false) that one can only “clean” by purchasing the program.
Alex Eckelberry
(Thanks for the tip from some French friends)