Botnet article in eWeek

Ryan Naraine at eWeek just wrote a story on botnets and spent some time with our research team as we purposely infected a machine to see a botnet in action. 

In a bland cubicle on the 12th floor, Eric Sites stares at the screen of a “dirty box,” a Microsoft Windows machine infected with the self-replicating Wootbot network worm.

Within seconds, there is a significant spike in CPU usage as the infected computer starts scanning the network, looking for vulnerable hosts.

In a cubicle across the hall, Patrick Jordan’s unpatched test machine is hit by the worm, prompting a chuckle from the veteran spyware researcher.

Almost simultaneously, the contaminated machine connects to an IRC (Internet Relay Chat) server and joins a channel to receive commands, which resemble strings of gibberish, from an unknown attacker.

“Welcome to the world of botnets,” said Sites, vice president of research and development at Sunbelt, a company that sells anti-spam and anti-spyware software.

“Basically, this machine is now owned by a criminal. It’s now sitting there in the channel, saying ‘I’m here, ready to accept commands,'” Sites explained.

Link here and pictures here.

Alex Eckelberry

A quick tour of Sunbelt’s research site


We’ve been doing a lot of work to our research center recently (http://research.sunbelt-software.com) and I encourage you to check out some of the newer things. 

First off, there’s the real-time threat report.  This is powered by Threatnet, our user community, and lists the top threats currently being removed from users’ computers.


Then, there’s a section which provides the latest threat definition information for our antispyware products:


Under Submit a Threat, you can submit malware to our research team.


And an extraordinarily powerful tool is our automated malware sandbox.  This tool will provide you with an exhaustive summary of what a piece of malware is doing, along with a brief listing showing what some other engines are detecting it as.   It will also be accessible in the near future at http://sunbeltsandbox.com.


There’s more to check out, so feel free to browse the site.

Alex Eckelberry

 

This is really good news

Microsoft will allow security developers access to the kernel in Vista 64:

In another change, Microsoft had planned to lock down its Vista kernel in 64-bit systems, but will now allow other security developers to have access to the kernel via an API extension, Smith said. Additionally, Microsoft will make it possible for security companies to disable certain parts of the Windows Security Center when a third-party security console is installed, the company said.

Link here.

Microsoft’s attempt to lock down the 64-bit kernel through PatchGuard was very worrisome to the security community.  It would have been a significant handicap to the security community in the battle against malware authors.  Note what is actually changing here: PatchGuard itself stays in place, and security vendors get a supported API for kernel access rather than permission to patch the kernel themselves.

Alex Eckelberry

Umm, is this the case where the enemy of my enemy is my friend?

Zango under attack by none other than adult webmasters — for cookies, of all things…

More here at VitalSecurity (note, a lot of the links in this post are to adult webmaster forums with pornographic images — to avoid potential issues, simply turn off images in your browser.)

Alex Eckelberry

Portland, Maine in the fall

Our peripatetic creative director, Robert LaFollette, just got back from Portland, Maine for a photography workshop and took some beautiful photographs. 


Link here. There’s lots of additional photos here and you can even pick up the blog post here where a few weeks back, Robert, his wife and I ventured out by boat to the beautiful desolation of Caladesi Island.

Enjoy.

Alex Eckelberry

Ruminations on the antispyware business

Recently, WebRoot quietly released a beta of its SpySweeper program which includes integrated antivirus functionality from Sophos.  Now it’s official:  they will be bundling Sophos’ engine with SpySweeper.  PC Tools moved into the virus space a while back by licensing Kaspersky’s antivirus engine, sold as a stand-alone product.  And Aluria (now part of Earthlink) has had antivirus functionality for a while now, licensed from Authentium.

Obviously, these companies have all recognized that they need to have antivirus in order to have a solution to compete with the likes of Symantec, Trend and McAfee — and Microsoft.  And with VCs (venture capitalists) behind WebRoot and PC Tools, the stakes are high. 

It’s interesting to note that all the companies involved have gone the route of licensing the technology versus building it themselves.  A year ago, WebRoot apparently was building their own AV engine, but the VCs behind the company reportedly canned development. 

There are other issues which highlight the shifting sands of the business:  the spyware market is still a good market, but it is leveling off for these players. WebRoot’s sales are peaking at about $75 million and PC Tools’ at about $40 million. 

Each has its own strengths:  WebRoot owns the retail channel (and, importantly, the “tech bench” channel, like GeekSquad), and PC Tools is a powerhouse in online marketing (with its infamous “scan and scare” tactics: scan a machine, find a bunch of “spyware”, usually cookies, and require the user to pony up cash for removal).   But WebRoot, no slouch in online marketing, is also getting into the more aggressive tactics, having moved into the same “scan and scare” methods to increase online sales.  

Both have pushed, with varying degrees of success, into the enterprise channel, which frankly is where the real money is made.  WebRoot did it with big-dollar techniques, hiring a field sales force that it laid off after not seeing the returns it expected.  PC Tools went into the market with baby steps, hiring veteran enterprise sales guy Chris Mossing, promptly (and inexplicably) removing him three months later, and then giving away their enterprise product for free.  

PC Tools raised about $20 million a few months back from an Australian private equity firm, part of which went to the founders.  WebRoot raised over $100 million (at a high valuation), out of which the founders, Steve Thomas and his girlfriend, Kristen Talley, were given about $80 million.  But WebRoot made a deal with some very powerful players, people like Technology Crossover Ventures.   At the valuation they invested in, and assuming normal valuation targets, they need WebRoot to be worth well over $700 million to make their target return. That’s a tough play.  

And the second tier players like Tenebril and Aluria have gone by the wayside.  Both sold out at firesale prices: Aluria for $5 million to Earthlink and Tenebril at $3 million to Process Software.   

So out of the triumvirate of antispyware players (WebRoot, PC Tools and Sunbelt) there are some interesting business issues.  And in my next blog posting, I’ll discuss some of the technology aspects of the antispyware space. 

Alex Eckelberry

Update:  See comments section for PC Tools response.

Intel, finally, has a blog

Here’s a post from today:

So how does that qualify me to be one of the inaugural Intel bloggers? Perhaps because I’ve demonstrated that I’m a sucker for a challenge. I’ll be honest, I’m worried about these blogs being able to succeed. I’ve worked on many official IT@Intel briefs and white papers, and the process of authoring these things and taking them through legal and political review is not for the faint of heart. Everything must be squeaky clean and very precisely aligned. These blogs are a much more open avenue of communication, and do not quite agree with some of the more conservative aspects of Intel’s nature. Some people inside Intel flat out don’t “get blogs”, and don’t like the idea at all. That’s where I smelled a challenge, and I was hooked.

The site can be found here: http://blogs.intel.com/it

Alex Eckelberry
(thanks Dan)

 

daxctle.ocx exploit not patched

It’s worth noting that after a hailstorm of patches yesterday by Microsoft, the daxctle.ocx vulnerability was not patched.

We have observed this exploit in action in the wild. However, it is not widely used (the two sites we saw hosting it are now dead) and it is a pretty crappy exploit, meaning it is unreliable and often fails to do anything at all.  

Nevertheless, it is an exploit, it has been observed in the wild, and it’s not patched.

Mitigation: Until a patch ships, the DirectAnimation Path control (daxctle.ocx) can be disabled in Internet Explorer by setting the kill bit for its CLSID:  {D7A7D7C3-D47F-11d0-89D3-00A0C90833E6}. The kill bit is a flag in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility that stops IE from instantiating the control; it does not remove the file from disk, and it has to be set on every machine you want protected. Step-by-step instructions are in Microsoft Support Document 240797. More at CERT.
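As an added example (not from the original post or from Microsoft’s KB article), here is the KB 240797 procedure as a PowerShell script that sets the kill bit for the CLSID above and then reads the value back to confirm it. The only assumptions are that the script runs in an elevated session and that, on 64-bit Windows, the 32-bit IE reads the Wow6432Node mirror of the key, so both locations are handled.

```powershell
# Added example, not part of the original post. Sets and verifies the IE
# ActiveX kill bit (Compatibility Flags bit 0x400, per KB 240797) for the
# DirectAnimation Path control. Assumption: run from an elevated PowerShell.
$Clsid   = '{D7A7D7C3-D47F-11d0-89D3-00A0C90833E6}'
$KillBit = 0x400   # the Compatibility Flags bit that blocks instantiation in IE

# 32-bit IE on 64-bit Windows reads the Wow6432Node mirror, so cover both.
$Bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $Bases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-CompatFlags {
    param([string]$Key)
    # Missing key or missing value both read as "no flags set"
    $Item = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $Item) { return 0 }
    return [int]$Item.'Compatibility Flags'
}

function Set-KillBit {
    param([string]$Base, [string]$Clsid)
    $Key = Join-Path $Base $Clsid
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # OR the bit in rather than overwriting, so any other compatibility flags survive
    $New = (Get-CompatFlags $Key) -bor $KillBit
    Set-ItemProperty -Path $Key -Name 'Compatibility Flags' -Value $New -Type DWord
}

function Test-KillBit {
    param([string]$Base, [string]$Clsid)
    $Key = Join-Path $Base $Clsid
    return (Test-Path $Key) -and (((Get-CompatFlags $Key) -band $KillBit) -ne 0)
}

foreach ($Base in $Bases) {
    Set-KillBit -Base $Base -Clsid $Clsid
    '{0}: kill bit set = {1}' -f $Base, (Test-KillBit -Base $Base -Clsid $Clsid)
}
```

Test-KillBit is also what you would run on its own during an audit: it reports true only when the key exists and bit 0x400 is present, which is the check IE itself makes before loading a control. Open a fresh IE session after setting the bit; an already-running instance may have the control loaded.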

Alex Eckelberry
(and a hat tip to Altieres Rohr)

Understanding subnetting

One of the most difficult aspects for many people to understand about TCP/IP networking is subnetting.  Our friend George Ou wrote an outstanding piece on the subject a while back, and we highly recommend it if you’re looking to get a full understanding of this area.

IP subnetting is a fundamental subject that’s critical for any IP network engineer to understand, yet students have traditionally had a difficult time grasping it. Over the years, I’ve watched students needlessly struggle through school and in practice when dealing with subnetting because it was never explained to them in an easy-to-understand way. I’ve helped countless individuals learn what subnetting is all about using my own graphical approach and calculator shortcuts, and I’ve put all that experience into this article.

Link here.
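As an added example (not from George Ou’s article or the original post), the following PowerShell functions do the subnet arithmetic the article teaches by hand: derive the mask from a prefix length, AND it with the address to get the network, OR in the inverted mask to get the broadcast, and compare two hosts under the same mask to see whether they share a subnet. The sample addresses are constructed for illustration; the math is done in Int64 because PowerShell’s handling of 32-bit unsigned values is error-prone.

```powershell
# Added example, not from the article or the post: CIDR subnet arithmetic
# with bit operations so you can check hand calculations. Int64 throughout
# because PowerShell promotes 32-bit values inconsistently.
function ConvertTo-IPNumber {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function ConvertFrom-IPNumber {
    param([int64]$N)
    return '{0}.{1}.{2}.{3}' -f (($N -shr 24) -band 255), (($N -shr 16) -band 255), (($N -shr 8) -band 255), ($N -band 255)
}

function Get-SubnetMask {
    param([int]$Prefix)
    # /26 -> 11111111.11111111.11111111.11000000 (255.255.255.192)
    return ([int64]4294967295 -shl (32 - $Prefix)) -band 4294967295
}

function Get-SubnetInfo {
    param([string]$Cidr)   # e.g. '192.168.10.77/26'
    $Addr, $PrefixText = $Cidr.Split('/')
    $Prefix    = [int]$PrefixText
    $Mask      = Get-SubnetMask $Prefix
    $Network   = (ConvertTo-IPNumber $Addr) -band $Mask          # keep the network bits
    $Broadcast = $Network -bor ($Mask -bxor 4294967295)          # set all host bits
    # /31 and /32 have no conventional host range; otherwise drop network and broadcast
    $Usable = if ($Prefix -ge 31) { 0 } else { $Broadcast - $Network - 1 }
    [pscustomobject]@{
        Address     = $Addr
        Mask        = ConvertFrom-IPNumber $Mask
        Network     = ConvertFrom-IPNumber $Network
        Broadcast   = ConvertFrom-IPNumber $Broadcast
        FirstHost   = if ($Usable) { ConvertFrom-IPNumber ($Network + 1) } else { $null }
        LastHost    = if ($Usable) { ConvertFrom-IPNumber ($Broadcast - 1) } else { $null }
        UsableHosts = $Usable
    }
}

function Test-SameSubnet {
    param([string]$A, [string]$B, [int]$Prefix)
    $Mask = Get-SubnetMask $Prefix
    return ((ConvertTo-IPNumber $A) -band $Mask) -eq ((ConvertTo-IPNumber $B) -band $Mask)
}

Get-SubnetInfo '192.168.10.77/26'                    # network .64, broadcast .127, hosts .65-.126, 62 usable
Test-SameSubnet '192.168.10.77' '192.168.10.130' 26  # False: .130 falls in the next /26 (.128-.191)
```

The second call is the question that trips most people up in practice: two addresses in the same /24 are not necessarily in the same /26, and the only reliable way to answer it is to mask both and compare, which is exactly what a router does.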

 

Terrorism toolbar

(This is supposed to be a G-rated blog, but my first response to this was: WTF?)

We see all kinds of stuff.


It’s a “terrorism” toolbar made by Conduit (formerly EffectiveBrand) and distributed by an apparent security firm run by a fellow who advertises himself as “Internet Anthropologist”.

It promises to:

  • Fight terrorism or just stay informed with Intel “NOT ON TV”. 
  • Terrorists are spreading their HATE and lies on the WWW. You can post the truth in the same forums they use, counter their lies with the truth. 
  • We provide state of the art security and guidelines.   
  • Including RULES TO HELP KEEP YOU SAFE.   
  • Even an encrypted IM so you can counter-terrorist surf with a buddy (recommended) and keep in touch. 
  • Join our “cyber corps”, for tips and help. We give you Tools for evidence collection and reporting links. 
  • OR JUST KEEP INFORMED WITH THE BEST INTEL ON THE NET. AND REMARKABLE SOURCES, live and Real time.

And

 TOOLBAR Includes FREE: Arabic Keyboard, 1000 terrorist sites, “Al Qaeda” manual, steganography tools, translation Arabic to English, and a list of forums they use, Encrypted email and IM. Music Juke box, all FREE, to help in your Anti-terrorist surfing.

Free EASY VPN, Proxy tester, Intel updates, Investigative TOOLS, SECURITY systems, Terrorism SOURCES and a group to work with if you want. Knowledge Base, Gov. Sources, VIDEOS, posting tools, who owns site, location etc. Screen grabber, NAS AND CIA PHONE NUMBERS, CUSTOM RSS feeds, Also NBC survival FAQ. Radiation and Blast Calculators, Home made Fallout Meter, Rootkit Hunters.

A little moving ticker of “Terrorist Events” gets installed up at the top.

Choice phrases include:

North Korea claims nuclear test DONE  
Now They Show Themselves  
PEOPLE LEAVING ISLAM, CAUSE  
Letter Casts Doubts on Iran’s Goal for Uranium  
Armor Saves ‘Lucky’ Marine in Iraq  
Pennsylvania: Man Accused of Qaeda Conspiracy  
Blessed be al Qa’ida and Arab Mujahideen  
“Prime Minister” of Jihadism  
Terrorists adapt to damaged Al Qaeda 
“Serri Lel-Ghaya” (top secret)  
MUSLIM IDENTITY  
Mr. Buffett’s ( BILLIONAIRE ) Excellent Idea  
Allah’s reality  
Allah’s fatwa against terrorists???  
mockery of Islam  

Each ticker is linked to an article like this one:

And the Intel button links to this page:


And check out the pull-down menu:


But serious antiterrorism folks need a rest, too, right?  No problem! Notice “Our Jukebox”?  It’s linked to a collection of YouTube music videos so you can “listen while you work”.


The toolbar can be downloaded from a site run by “Gerald”, who calls himself “Chief Forensics Computer Researcher (tracking & Research)”. His background is as an “ex-Private Investigator, former Stockbroker ( series 7 and 13 ), and Degreed Internet Anthropologist ( study of how Internet culture works).”  There’s even a PowerPoint available on his company. 

An example of some of the text on his site:

We have Contacts at all major news CNN, ABC, Fox, CBS, TIME, MAGS & NEWSPAPERS

Inputs to major US Intelligence services, Pentagon OASD/C3I/ITD (OSD-DOM) , and NIPR.mil and Air Force Sec, and Army signal command, and SSG/SWSN, and can serve as an untraceable conduit for data from Information Brokers.

NOTE: We have chosen not to use a Domain name/url for security reasons. A DOS (denial of service) attack takes several hours to set up, a NON-domain URL takes 10 min. to change, it takes weeks to change a Domain URL. Any questions, you can email US.

But wait, there’s more! There’s even a link to another toolbar in the product: a police toolbar!


 

This terrorism toolbar looks harmless enough and is distributed by an apparently well-meaning fellow.   In fact, there are probably even some useful links in the toolbar if you’re really into this field.  

Like I said, we see all kinds of stuff.

Alex Eckelberry
With copious thanks to Dude VanWinkle, Adam Thomas, Tom Robinson and Patrick Jordan

Joe Wells interview

Joe Wells, our chief scientist for security research, interviewed by Jennifer LeClaire:

TechNewsWorld: When consumers buy a top-rated software product, are they really getting what they paid for?

Joe Wells: It depends on the reliability of the rating method. On one hand, the more the method depends on precise testing the better; on the other hand, the more the method depends on the tester’s personal opinion, the worse it is. So tests that emphasize look and feel tend to be less dependable.

TNW: What is your philosophy on quality assurance and testing for anti-malware software?

Wells: We test our software in the same basic way all software is tested. But in addition, we must test against real, active threats, including detection, remediation, correct information, as well as false positive testing.

TNW: In the wake of this Consumer Reports incident, what can we learn about the art and science of testing anti-malware software?

Wells: The CU testing is a simple example of a testing body not researching to find out what the current state of the art in security testing actually is. There are papers available on well-established scientific procedures for testing antivirus and anti-other malware products.

Link here.

Alex Eckelberry

 

Sunbelt Weekly TechTips

WGA in Vista: a growing concern
There’s a growing concern about the way Windows Genuine Advantage, Microsoft’s anti-piracy technology, will be implemented in Vista. It’s been reported that if your copy of the OS doesn’t pass the test, some functionality won’t work, including the Aero interface and Windows Defender (the built-in anti-spyware software). Microsoft says the operating system itself won’t be “shut down” for failing to pass the “genuineness” test, but it will run in “reduced functionality mode.” Now, you might be able to get along okay without Aero, but according to the following, another little “functionality” that will be shut off (after one hour) is your Web browser. Link here.

Now that could cause some problems. On the other hand, if the software really is pirated, Microsoft certainly has the right to deny all functionality. The problem is when WGA is wrong. I wrote more on this dilemma in my blog post of October 4 here.

More laptop battery recalls: is yours on the list?
If you have a laptop computer, there’s a good chance that it uses a Sony battery. So far, Dell, Toshiba, Apple, IBM, Fujitsu and now Hitachi have announced recalls of Sony batteries installed in their laptops. Acer is considering doing so. HP has said that its laptops are safe from the overheating problem because of the way its systems are configured. Now we hear that Sony is planning to announce its own recall to encompass all these batteries. Wondering whether or not your laptop has one of these recalled batteries? For information on exactly which laptop models from each manufacturer are affected, see this guide.

Vista goes to sleep
A cool new feature in Windows Vista is “sleep” mode, which combines the benefits of Standby and Hibernation. Standby mode in XP keeps your data in RAM and goes into a power-saving mode, and Hibernate mode saves it to the hard disk and then shuts down completely. This new power management option, Sleep, saves your current data to both RAM and the hard disk, and then drops into a very low-power state in which only the memory is kept powered. When you press a key or move the mouse, the computer “wakes up” almost instantaneously (2 to 3 seconds), and if power is lost in the meantime, the copy on disk is used instead.

It works a little differently with laptops. When you go into Sleep mode, the data is saved in RAM. If the battery level gets low, the machine will power itself back up to the level needed to save the data to the hard disk, then shut off completely. This makes you less likely to lose data. Although Sleep mode will be the default when you push the power button, you can still shut down completely from the Start menu.

How to log onto your XP computer when you’ve forgotten the password
If you forget the password to your XP user account, you may still be able to get back in. The easiest way is to use a password reset disk, but if you didn’t create one, there’s still hope:

  1. Log onto the computer with the administrator account (or have someone who has the administrator password perform these steps).
  2. Click Start | Run.
  3. In the Run box, type control userpasswords2
  4. Click OK.
  5. Click the user account for which you’ve forgotten the password.
  6. Click Reset Password.
  7. Enter a new password, confirm it, and click OK.

There are a few caveats to keep in mind before using this procedure. With XP Pro, the user will no longer be able to access EFS-encrypted files or encrypted email messages: an administrative reset (as opposed to the user changing the password) discards the DPAPI master key that protects the EFS private key and saved credentials, which is exactly the loss a password reset disk is designed to avoid. With XP Home, or with Pro in a workgroup, you’ll need to boot into safe mode before logging on with the built-in Administrator account.

Display the Power Meter on your laptop all the time
If the icon in the system tray goes away when you plug your laptop into an A/C outlet, but you’d like to be able to continue to see the icon (to check on how fully the battery has charged), you can do the following:

The default setting is to display the Power Meter icon when you’re using battery power, but you can indeed set XP to add the icon to the taskbar permanently. Here’s how:

  1. Click Start | Run.
  2. In the Run box, type PowerCfg.cpl.
  3. Click OK.
  4. Click the Advanced tab.
  5. Check the box to Always Show Icon On The Taskbar.
  6. Click OK.

The icon image will display as a plug when you’re on A/C power, and as a battery when you’re on battery power. It will indicate whether the battery is charging or is fully charged. You can also configure the Power Meter to display information for multiple batteries, or set it to sound a warning when your battery gets low, from the Power Meter and Alarms tabs, respectively.

How to make a local printer available during Remote Desktop connection
If you connect to a Windows XP Pro computer via remote desktop, you normally have access to the printer(s) that are installed on the remote computer, but you may want to print on a local printer instead (that is, a printer that’s installed on your client machine), since it’s likely to be physically closer to your location. You can make the local printer available in the Remote Desktop session, via the Remote Resources tab in the Remote Desktop Options dialog box. For complete instructions on how to do so, see KB article 312135.

Having trouble creating a scheduled task in XP?
If you try to use the Scheduled Task Wizard to create a new scheduled task on your XP computer and the Wizard hangs, it may be because of a problem with permissions on the Start Menu folder in the All Users profile when you’re logged on as a local user. You can fix the problem by installing the latest service pack, but if you have a compelling reason not to do so, there is a hotfix available from Microsoft that addresses this specific problem. You can find out more about it in KB article 841846.

How to use Network Monitor Capture Utility to capture network traffic information
You can use Netcap.exe, a command-line capture utility from the XP Support Tools, to record network traffic for troubleshooting performance problems. This is useful for determining which computer (source or destination) is causing slow network transfer performance. For instructions on how to use it, see KB article 924037.

Note: Netcap is installed when you install the Support tools that are on the Windows XP CD-ROM.

Deb Shinder, MVP

The Problem of Adware in Free Software Downloads

There are all sorts of “free” software downloads that you can find on the Web. Some are illegally shared pirated programs, but most are either genuine freeware (the developer gives the program away, expecting nothing in return), shareware (you can use the program for a while to determine whether you want to keep it, and then are expected to pay if you decide that you do) or adware (the developer is supported by advertising of some sort). This can be in the form of banner ads embedded into the program’s interface, or services that deliver targeted advertising when you’re online.

Last week, we recommended a number of utilities to help clean up duplicate files on the hard disk, all of which had been referred to us by readers. Afterwards, we discovered that one of these reader-recommended programs is associated with an adware service, 180Solutions. The program is Duplicate File Killer, and it includes and installs the Zango Search Assistant, which displays ads based on your Internet browsing. If you tried out this software and want to get rid of it, you can remove it using the Add/Remove Programs applet in Control Panel.

Meanwhile, we tested several more duplicate file removers and found one, with a confusingly similar name, DupKiller, that really is freeware with no adware or other “hidden features,” doesn’t impose a limit on the number of files/folders or drives it works with as some free versions do, and doesn’t include nag screens asking you to donate or upgrade to a paid version.

It’s a fairly quick download over a broadband connection, at 2.76 MB, and it installed easily in less than a minute and includes an uninstall option. We liked it because it works with removable media as well as hard drives, and gives you lots of options. For example, you can have files moved to the Recycle Bin or delete them completely from the hard disk, and you can exclude specified folders or file types from the scan altogether. You can also choose whether to scan hidden system files.

The interface is simple and easy to use, and the scan is fast. The program scanned my C: drive, containing 16,459 files, in just 45 seconds using quick scan mode, and found 417 duplicate files. This program can also be configured to do a byte-by-byte comparison, so that if even one byte is different, the files will not be flagged as duplicates. Best of all, it has received “no spyware, no adware, no viruses” awards from several different sites. You can find out more and download the program here.
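To make concrete the difference between a quick scan and the byte-by-byte comparison mentioned above, here is an added PowerShell example (not DupKiller’s code). The quick pass treats two files as duplicates when they have the same size and the same hash of their first 4 KB; the byte-by-byte pass reads both files completely and rejects the pair at the first differing byte. The three sample files are constructed in a temporary directory so the two modes can be compared on the same input.

```powershell
# Added example, not DupKiller's code: the two comparison modes the review
# contrasts. Quick mode = size + hash of the first 4 KB; byte mode confirms
# the whole file. Assumes a writable $env:TEMP for the constructed samples.
function Get-HeadHash {
    param([string]$Path, [int]$Bytes = 4096)
    $Sha = [System.Security.Cryptography.SHA256]::Create()
    $Buf = New-Object byte[] $Bytes
    $Stream = [System.IO.File]::OpenRead($Path)
    try     { $n = $Stream.Read($Buf, 0, $Buf.Length) }
    finally { $Stream.Dispose() }
    return [BitConverter]::ToString($Sha.ComputeHash($Buf, 0, $n))
}

function Test-SameBytes {
    param([string]$PathA, [string]$PathB)
    $a = [System.IO.File]::ReadAllBytes($PathA)
    $b = [System.IO.File]::ReadAllBytes($PathB)
    if ($a.Length -ne $b.Length) { return $false }
    for ($i = 0; $i -lt $a.Length; $i++) {
        if ($a[$i] -ne $b[$i]) { return $false }   # one differing byte is enough
    }
    return $true
}

function Find-DuplicateFiles {
    param([string]$Root, [switch]$ByteCompare)
    # Only same-size files can be duplicates, so group by Length first
    $SizeGroups = Get-ChildItem -Path $Root -File -Recurse |
        Group-Object Length | Where-Object { $_.Count -gt 1 }
    foreach ($SizeGroup in $SizeGroups) {
        $HashGroups = $SizeGroup.Group | Group-Object { Get-HeadHash $_.FullName } |
            Where-Object { $_.Count -gt 1 }
        foreach ($HashGroup in $HashGroups) {
            $Original, $Rest = $HashGroup.Group
            foreach ($Candidate in $Rest) {
                # quick mode trusts size + head hash; byte mode confirms the whole file
                if (-not $ByteCompare -or (Test-SameBytes $Original.FullName $Candidate.FullName)) {
                    [pscustomobject]@{ Original = $Original.FullName; Duplicate = $Candidate.FullName }
                }
            }
        }
    }
}

# Constructed samples: a and b identical, c identical except for its final byte
$Dir = Join-Path $env:TEMP 'dupdemo'
New-Item -ItemType Directory -Path $Dir -Force | Out-Null
$Data = New-Object byte[] 8192
for ($i = 0; $i -lt $Data.Length; $i++) { $Data[$i] = $i % 256 }
[System.IO.File]::WriteAllBytes((Join-Path $Dir 'a.bin'), $Data)
[System.IO.File]::WriteAllBytes((Join-Path $Dir 'b.bin'), $Data)
$Data[$Data.Length - 1] = 0
[System.IO.File]::WriteAllBytes((Join-Path $Dir 'c.bin'), $Data)

Find-DuplicateFiles -Root $Dir                 # quick mode: reports b.bin and c.bin as duplicates of a.bin
Find-DuplicateFiles -Root $Dir -ByteCompare    # byte mode: reports only b.bin
```

The quick pass is the kind of shortcut a fast scan relies on, and the sample shows its failure mode: c.bin differs from a.bin only in its last byte, so it sails through the size and head-hash checks and would be deleted as a "duplicate". Only the full comparison catches it, which is why that option is worth turning on before letting any tool delete files.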

Tell us what you think about the whole adware concept. Is obvious adware just as bad as spyware? Or is it okay as long as you’re notified before installation that the adware is included and told how it works?

Would you prefer to pay for software to avoid advertising of any kind, or are you willing to tolerate advertising in exchange for free software? Do you ever use “donationware”? If so, do you ever donate to help support the developers?

Deb Shinder, MVP

SC Magazine votes

Every year, SC Magazine hosts a vote on the best security products.   Of course, CounterSpy Enterprise and Ninja are both nominated.

If you’re a user and would like to vote, here’s how:

Best Anti-malware Solution  – Both Ninja and CounterSpy Enterprise are listed.
 
Best Email Security Solution – Ninja is listed.

Note that these are for the enterprise versions of our products — not the consumer.

Alex Eckelberry

Patchou no longer an MVP

Last week I wrote about the Patchou MVP issue.  On Sunday, I posted a message to a forum on MessengerPlus, and then the entire thread was removed.

Anyway, Patchou has now had his MVP status revoked by Microsoft.

From Microsoft:

“Cyril Paciullo was awarded with MVP status this year on the basis of his technical expertise and strong community contribution. However, his active MVP Award status was revoked as soon as the extent of the connection between his application and spyware was made apparent to the MVP Program,” the company said in a statement.

Link here.

There was, of course, a flurry of support for Patchou from the faithful, including a comment storm on the VitalSecurity blog.

Ok, to those who support Patchou?  Fundamental problem:  LOP stinks.  And imagine someone installing MessengerPlus and getting that little cute icon to “upgrade your antivirus program” and getting an outright fraudulent scam.  Imagine that person being a relative of yours who doesn’t quite know much about computers, and getting scammed.  Or getting popups they don’t know the source of (because LOP does not disclose that the popup was generated by LOP, unlike even WhenU or Zango).  

And here’s what’s really sad:  Patchou is an impressively good programmer and deserves better.  But he made his bed and he now has to sleep in it.

The one thing to his credit is that the LOP install is clearly disclosed and the user gets a choice — and you can uninstall it through Add/Remove programs.  That’s good. But he chose to associate himself with this adware program, while there are other ways to make money in the shareware model.  Have a premium version that people pay for — the standard shareware model.   Have a version with banner ads, like AOL IM (inside the program, not as popups) and then maybe have a separate version which people pay for that doesn’t have ads.  Or splash Google adwords all over the site.  Or do a deal with the Google Toolbar or Yahoo Toolbar — not the best solution but much better than LOP.  Whatever. Christ, even an adware program like WhenU would have been better than LOP. 

To all those who support Patchou, install LOP.  And perhaps after that experience, you’ll understand why so many people were upset by Microsoft’s decision.

More at VitalSecurity and Sandi’s blog.

Alex Eckelberry

 

PIRT presentation at RIPE

My partner in crime with PIRT (the Phishing Incident Reporting and Termination squad), Paul Laudanski, just got back from Amsterdam, where he presented at the RIPE conference.

From Paul:

300+ folks live plus a live webcast.  The presentation was received very well by the audience.

No excerpt for the moment, but they’ll be adding it in shortly.

The PDF form doesn’t do it justice as the animation was removed.  The phish screen shots come from Gary [Warner] who I credited live.

You can see his presentation here.

And an urgent note:  We need more volunteers to do phishing takedown.  If you like a challenge, love solving puzzles and are sick of phishing, you’ll really enjoy the work. Email me if you can help.

Alex Eckelberry