Are You Suffering from Securanoia?

I came across this new word, coined by Brad Dinerman, as reported in a recent article about IT buzzwords.

Combining the words “security” and “paranoia,” it means the condition of being concerned about security to the detriment of everything else. Most of us who’ve worked with computers during the last few years have encountered it – sometimes even in ourselves. And just as regular paranoia can sometimes go so far that it makes the paranoid more vulnerable instead of more safe, securanoia taken to the extreme can end up leaving your systems more likely to be attacked successfully rather than less.

A common example where securanoia often rears its head is in regard to password policies. We all know that password cracking is one of the most common ways for hackers to get into computers and networks without authorization, so it’s important that passwords be difficult to guess.

Users’ passwords should never reflect easy-to-discover information such as a spouse’s or child’s name, a phone number, a social security number, or the once-popular mother’s maiden name. In fact, strong passwords shouldn’t be real words at all, since the bad guys have software that can quickly try every word in a dictionary (and the common variations of each one).

This has led many IT administrators to set up stringent password policies: no names or dictionary words, long minimum lengths (such as 14 characters), complexity requirements (must contain lower and upper case letters, digits and symbols), etc. Then, for good measure, you may require that all users change their passwords every two weeks and prohibit reuse of previous passwords. In theory this makes for passwords that are about as secure as you can get, but it fails to take into account one very important security element: human nature. By making passwords almost impossible for users to memorize (and about the time they do finally get them memorized, it’s time to change them again), such policies encourage users to write their passwords down and keep them next to the computer, a practice that defeats the purpose of having strong passwords in the first place.

I’m not criticizing the intent of those who want to keep their systems and networks as secure as possible; we’re bombarded every day with new stories of operating system security flaws and new viruses and attack methods, and it’s hard not to get a bit paranoid about computer security. But when our security measures start to interfere with our ability to use our technology for what we want, maybe it’s time to pull back and temper it with a little common sense.

A reader recently wrote (tongue in cheek) that “The Security People have a secret society that meets in deep dark places so they can dream up new ways to protect us from ourselves.” I’m a “security person” myself, and sometimes it even seems that way to me, too.

I live in a home with a beautiful lakefront view, and consequently, we have picture windows along the back of the house to take advantage of that view, which adds a lot to our quality of life. Now, it would be a lot more secure to put bars on all those windows, even more secure to live in an underground shelter with no windows at all, but I don’t want to go that far in the interests of security. And just as we must balance security and livability in our living quarters, we need to do the same thing when it comes to protecting our computers.

Do you suffer from securanoia? Do you know somebody who does? Are security concerns making it more and more difficult for you to get anything done on your computer? Do you think the quest for the perfectly secure system can be taken too far?

Deb Shinder, Microsoft MVP

Is this a miscarriage of justice?

A substitute school teacher in Connecticut has been found guilty of exposing children to porn.

She could face up to 40 years in prison.

However, there are some interesting aspects to this case:

  • The defense contends this was a case of spyware on the school machine — a barrage of popups.
  • The school did have content filtering but the license was expired.
  • According to another article, “Computer expert W. Herbert Horner, who performed a forensic examination of the computer for the defense, said Amero may have been redirected to the sexually-oriented sites through a hairstyling site accessed from the computer. He said the site allowed spyware to be downloaded onto the computer which allowed the pop-ups.”
  • And, according to one source, the Trial Judge, Hillary Strackbein, “was seen falling asleep during proceedings and made comments to the jury that she wanted the case over by the end of the week. It was also reported that Judge Strackbein attempted to pressure the defense into an unwanted plea deal, in place of a trial. The defense attorney for Amero, moved for a mistrial shortly before closing arguments Friday, based on reports that jurors had discussed the case at a local restaurant.” (I believe that the judge questioned the jurors subsequently and they denied having discussed the case.)
  • And, the detective in the investigation “admitted there was no search made for adware, which can generate pop-up advertisements”.

Was justice done here? A bad spyware infestation can splatter a machine full of porn popups and it’s a bit unnerving to think that a teacher could get hard prison time for something that was likely to have been completely innocent.

Alex Eckelberry
(Thanks Walter)

Update: The local Norwich paper actually thinks this is a just conviction! Serious need to get on the Clue Train.

Update2: My letter to ComputerWorld. I’m now convinced that Amero is innocent and have offered our forensic services to the defense on a pro-bono basis. I hope she can win on appeal.

Update3: ComputerWorld writer has a change of heart. More facts here.

Update4: So much more has been published on this blog, so if you want the latest, scan the blog itself. You can also see my opinion piece for the Norwich paper here.

Digg this story.

Bleary eyed…

Just got in off the red-eye this morning from CES so I’m sleep-walking through the day.

Biggest news? The new Apple iPhone. Of course, Apple wasn’t at CES (thump). Other than that, CES merely confirmed that a) there really are over 1,000 different types of digital cameras and b) there really are hundreds of different types of plasma screens.

Good stuff: I got to meet up with a good number of people I hadn’t seen in a while, and met for the first time a bunch of journalists that I really respect, people like Dwight Silverman, Ed Bott, Dan Tynan and Carl Siechert.

Petty annoyances: CES is this hodgepodge, marketplace-like atmosphere. In the old days of Comdex, the main halls were for the big guys — IBM, Microsoft, etc. The Hilton and Sands tended to be for the smaller companies. This was a distinct class structure (created largely by the fee and advance payment structure of tradeshow power-broker Sheldon Adelson), but it made the show more consistent. CES, on the other hand, may have a Crazy Eddie-style hawker of a new flashlight right next to, say, HP’s booth. Oh, and my seat was broken on my return flight. A sold-out flight, so I just lived with it. Whatever.

Products? Don’t ask me. I certainly didn’t do any in-depth review of products, because I didn’t have the time (nor patience) to do the whole show and look at all the toys. Besides, how can one possibly understand and take in all the data without being at least marginally educated in each field? Some of what I found out about was through chatting with people, like the product manager at Cobra, who told me about a cool new radar detector they’re coming out with that has built-in GPS-based detection for speed and traffic cameras (not that I would ever use that); and another company’s CEO with a wifi-based wireless speaker system that might be promising.

Most relaxing moments: I was given an invite from a good friend to go to the Dolby suite. It’s in the middle of the show floor, you enter a different world, with a masseuse, an open bar, hors d’oeuvres, and most importantly, comfortable seating. Ray Dolby wandered in for a bit (he looks like a really nice fellow) and the Dolby folks were kind enough to give me a care package, which included the new Beatles Love CD. (Thanks, Steve!) Of course, I also fit in some time later to play blackjack with a group of very happy Gator fans (there were lots of them in Vegas for the game).

Humorous experiences? Not much, although I did find some humor with these new infrared sinks, towel and soap dispensers that most of the public restrooms have now. I walked into a large, crowded public restroom and watched as the system went absolutely berserk as it accidentally sensed all the passers-by — sinks turning off and on, soap pumping out. It looked like a cross between Poltergeist and The Sorcerer’s Apprentice. Talk about false positives.

Great impressions: The new Wynn hotel — wow, this is a really nice hotel — really nice. And Panasonic’s display of its large-scale flat screen TVs with a Kabuki theater performance. The company had multiple huge flat screens set up, with a Kabuki performance in the middle two screens, and the screens themselves would move up and down and rotate to follow the performance. Extremely cool. Finally, Honda’s Asimo robot was wowing the crowd, right next door to massive Hummers and tiny Lotuses loaded to the gills with state-of-the-art sound systems (some making the building shake with low-frequency vibration).

Scale? The crowds are always epic and are something to behold.

Anyway, I think I’m done talking about CES.

Alex Eckelberry

The world of Minority Report style advertising is closer than you may think

Minority Report was a fun film, and in it you had some great examples of cool new technology, one of which might even be around the corner.

However, one thing you may recall was the use of behavioral marketing — as Cruise’s character walks through the mall, live-motion ads are targeting him. This was not happenstance — the producers hired real advertising people to figure out what advertising of the future might look like.

Well, this type of targeted advertising is the ultimate fantasy of marketers, and it’s something that’s happening right now, in all kinds of forms. One of the potential channels is the mobile phone, as MediaPost describes.

Mobile carriers are sitting on one of the fattest, highest, most granular piles of consumer behavior data the world has ever known. And most of them haven’t a clue how to use it as a foundation for media and marketing. Sprint’s media group recently hinted that it would be using some kind of behavioral targeting in its newly launched ad networks for phone media, but I am not sure what, if any, form that will take. At a mobile marketing conference last spring, Cingular/AT&T’s content honcho Jim Ryan admitted it had incredibly detailed data for marketers –but not in a form they could access in any meaningful way yet.

In the mobile world, parsing your client base by over and under age 34 is still considered nano-segmentation. The possibilities for BT off someone’s commercial calling patterns are as scary as they are enticing. How much would Pizza Hut pay to get a coupon on the phone of the guy who calls Domino’s once a week? How much would Domino’s pay to keep Pizza Hut’s coupon from its customer? Wisely, the carriers will not give up that user or that data without due diligence over its consequences. But the irony is that carriers need BT more than any other medium. That phone deck is the world’s worst interface because it is so small and so dumb. Personalized, dynamic content served to my flip phone is the inevitable solution, but tracking my phone browser behaviors may be the best way to customize the user deck according to user habits.

Some of this may be unnerving to those concerned about privacy (“How much would Pizza Hut pay to get a coupon on the phone of the guy who calls Domino’s once a week?”).

What do you think? What are the dangers and pitfalls of having behavioral marketing become part of our lives?

Where do we draw the line?

Alex Eckelberry

Greylisting primer

Almost everyone in the antispam community is quite familiar with the concept of greylisting. However, it’s not always clear to the rest of the world how exactly the technology works.

We’re implementing this technology in the next version of our corporate email security product, Ninja, and our product manager for email security, Quentin DeWitt, using some other sources and his own input, put together a nice little overview of what it is and how it works.

Greylisting.
Greylisting is a method of defending against e-mail spam. A mail server which uses greylisting will “temporarily reject” (with an SMTP 4xx reply) any e-mail from a sender it does not recognize. If the mail is legitimate, the originating mail server will try again to send it later, at which time your e-mail server will accept it. If the e-mail is from a spammer, it will probably not be retried, and spam sources which do re-transmit later are more likely by then to be listed in antispam databases.

Greylisting requires little configuration and few resources. It is designed as a complement to existing defenses against spam, and not as a replacement.

How it works.
Typically, a server that uses Greylisting will record the following three pieces of information (known as a “triplet”) for each incoming e-mail message:

  • The IP address of the connecting e-mail server
  • The sender e-mail address
  • The recipient e-mail address

This is checked against the e-mail server’s internal database. If this triplet has not been seen before (within some configurable period), the e-mail is greylisted for a short time (also configurable) and is refused with a temporary rejection. The assumption is that since temporary failures are built into the SMTP specification, a legitimate server will queue the message and attempt to connect again later to deliver it.

Is Greylisting Effective?
Greylisting is effective because many mass e-mail tools used by spammers will not bother to retry a failed delivery, so the spam is never delivered. When a spammer does retry a delivery after the waiting period has expired, however, it will likely be after a number of automated honeypots have detected the spam source and listed both the source and the particular message in their databases. Thus, these subsequent attempts are more likely to be detected as spam by other mechanisms than they were at first.

How useful is Greylisting?
The main advantage from the users’ point of view is that Greylisting requires no additional configuration from their end. If the server utilizing Greylisting is configured appropriately, the end user will only notice a delay on the first message from a given sender.

From an e-mail administrator’s point of view the benefit is twofold. Greylisting takes minimal configuration to get up and running, with occasional modifications of any local allowlists. The second benefit is that rejecting e-mail with a temporary 450 error (the actual 4xx code is implementation dependent) is very cheap in system resources. Most spam filtering tools are very intensive users of CPU and memory. By stopping spam before it hits the filtering processes, far fewer system resources are used. This allows more layers of spam filtering or higher throughput.
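The triplet mechanism described above, written out as a small stand-alone greylister. This is an added example, not Ninja’s code: it keys on (connecting IP, envelope sender, envelope recipient), answers an unknown triplet with a 451 temporary rejection, admits it only when the same triplet comes back after a minimum delay, forgets pending entries that never retry, and remembers triplets that have passed so later mail from that sender is not delayed again. The delay and expiry values, the allowlist, and the sample addresses are assumptions chosen for the demo; the constructed traffic at the bottom shows a patient MTA, a fire-and-forget spam tool, and an impatient sender that retries too soon.

```python
"""Minimal greylisting triplet store (added example, not the product's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Triplet = Tuple[str, str, str]  # (client_ip, mail_from, rcpt_to)


@dataclass
class Entry:
    first_seen: float          # time of the first attempt for this triplet
    last_seen: float           # time of the most recent attempt
    passed: bool = False       # True once the triplet has retried correctly


@dataclass
class Greylister:
    # Timings are assumptions for the demo, not recommended settings.
    min_delay: float = 5 * 60            # retry must come at least 5 min later
    pending_ttl: float = 4 * 3600        # no retry within 4 h -> forget triplet
    passed_ttl: float = 36 * 24 * 3600   # known-good triplet kept for 36 days
    allowlist_ips: Set[str] = field(default_factory=set)
    db: Dict[Triplet, Entry] = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        """Drop stale entries: pending ones measured from first sight,
        passed ones from last sight (so active senders stay known)."""
        for key, e in list(self.db.items()):
            if e.passed:
                stale = now - e.last_seen > self.passed_ttl
            else:
                stale = now - e.first_seen > self.pending_ttl
            if stale:
                del self.db[key]

    def check(self, client_ip: str, mail_from: str, rcpt_to: str,
              now: float) -> Tuple[int, str]:
        """Return the SMTP reply (code, text) for one delivery attempt."""
        self._expire(now)
        if client_ip in self.allowlist_ips:
            return 250, "OK (allowlisted)"
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        e = self.db.get(key)
        if e is None:
            # Never seen: record it and ask the sender to come back later.
            self.db[key] = Entry(first_seen=now, last_seen=now)
            return 451, "Greylisted, please try again later"
        e.last_seen = now
        if e.passed:
            return 250, "OK"
        if now - e.first_seen < self.min_delay:
            # Retried too quickly: still deferred, clock is not reset.
            return 451, "Greylisted, please try again later"
        e.passed = True
        return 250, "OK"


def simulate(events: List[Tuple[float, str, str, str]],
             greylister: Greylister = None) -> List[int]:
    """Feed (time, ip, from, to) attempts through one greylister; return codes."""
    g = greylister or Greylister()
    return [g.check(ip, f, t, now)[0] for (now, ip, f, t) in events]


# Constructed sample traffic (assumed addresses, RFC 5737 documentation IPs).
LEGIT = [  # a real MTA: deferred once, retries after 15 min, then accepted
    (0,    "192.0.2.10", "alice@example.org", "bob@example.com"),
    (900,  "192.0.2.10", "alice@example.org", "bob@example.com"),
    (5000, "192.0.2.10", "alice@example.org", "bob@example.com"),
]
SPAMBOT = [  # fire-and-forget tool: every message is a fresh triplet
    (0, "198.51.100.7", "x1@spam.example", "bob@example.com"),
    (1, "198.51.100.7", "x2@spam.example", "bob@example.com"),
]
IMPATIENT = [  # retries after 30 s: still inside min_delay, still deferred
    (0,  "203.0.113.5", "c@example.net", "bob@example.com"),
    (30, "203.0.113.5", "c@example.net", "bob@example.com"),
]

if __name__ == "__main__":
    for name, events in (("legit", LEGIT), ("spambot", SPAMBOT),
                         ("impatient", IMPATIENT)):
        print(f"{name:10s} -> {simulate(events)}")
```

The expiry rules are what make this safe to run unattended: a pending triplet that never retries is discarded instead of accumulating forever, and a triplet that has passed is kept long enough that regular correspondents see the delay only once.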

Sunbelt Messaging Ninja and Greylisting
Greylisting within Ninja 2.1 will be turned off by default. It is easily enabled and set up through the Ninja console on the Exchange Server and operates in our connection-level filtering component, in conjunction with RBL and SPF, to fight spam at the border of your e-mail server. Once enabled it automatically greylists e-mail sent to the server and builds its own allowlist, in addition to the entries specified by the admin. The resources used by greylisting in Ninja are very minimal. In a front-end/back-end server setup it should be enabled only on the front-end server. Once greylisting is enabled you should see even less spam make it through to your inbox.

Alex Eckelberry

Zango’s antispam application

This is not something new, but just something to share, especially in light of the fact that Zango owns HotBar.

First, we see this ad placed through Fastclick on a well-trafficked website.

[screenshot: the ad]

The ad ultimately goes to this page:

[screenshot: landing page]

As you can see, there is a note that there will be ad-supported software. Note the “Safe Download …Click Run to ensure safe download”.

[screenshot: download prompt]

A big fat EULA which you agree to, and then the screen below. (You can read the EULA here.)

[screenshot: post-EULA screen]

Well, after you’re done, you’ve installed a plethora of crap, and your machine gets popup ads like this one:

[screenshot: popup ad]

And look at the toolbar when I search for “puppies”!

[screenshot: toolbar during a search for “puppies”]

(In fairness, if you click on the blue bar at the bottom, you’re sent to a page which then provides the option of turning off your popups):

[screenshot: popup opt-out page]

Finally, the usual desktop shortcuts to scammy products, one of which loads a web page which, through the magic of the Internet, incredibly finds problems with your machine and (thankfully!) recommends a solution (example here).

[screenshot: desktop shortcuts]

Illegal? No. But consider the average user, who clicks on the “antispam” popup. Then consider what this user’s machine will look like after it’s all over. And some companies still have the temerity to delist Hotbar from their database?

Alex Eckelberry

If you have a bit of time, I could use your help

The latest version of the CounterSpy 2.0 beta just got posted late this afternoon. This is a pretty solid beta and now supports Vista.

[screenshot: CounterSpy 2.0 beta on Vista]

However, we’re a month away from release and I really would like it to get pounded on by lots of hands. Not just on Vista systems, but XP as well.

You download the beta here, and post any comments on our beta forum here.

Alex Eckelberry

Security product marketing getting more creative

Symantec now has a rock band.

Now we find that BitDefender has, umm, scantily-clad women dancing (not for the easily offended).

It’s worth mentioning that when we signed a license agreement with BitDefender to include their scanning engine in our Ninja mail security product, they sent an interesting gift: A bottle of wine and condoms.

We’ll stick to giving away motorcycles, home-entertainment systems and, of course, staging lucha libre contests.

Alex Eckelberry

Cisco’s move into email security

Cisco bought IronPort this morning.

As a general comment, I applaud this decision. It makes sense for them to move into email and web security (not known to many is that IronPort recently launched a web filtering appliance).

IronPort’s products are outstanding, and the company is itself the ne plus ultra of professionalism. Now the issue that Cisco will need to decide upon is whether they want to move downmarket: IronPort has extraordinary presence in the Global 2000 with their high-end systems, but other vendors (notably Barracuda) have a stronghold in the SMB channel.

At any rate, this is a good move by Cisco.

Alex Eckelberry

Evolving the antimalware technology model

Forgive the long blog entry. I need to talk a bit about the future of our technology for our partners and our customers. A lot of this is the skinny on what has so far been a skunk-works project here. Those who are technically inclined and curious about current thinking in malware fighting, however, may find this subject of some interest.

It all started over a good dinner
On a chilly and blustery evening last January, Joe Wells, Eric Sites (our VP of R&D) and I sat outside overlooking the water at the Island Way Grill, a favorite local hangout. We were trying to recruit Joe from his position as Chief Scientist at Fortinet and the subject was along the lines of a re-invention of the anti-malware model.

In antivirus circles, Joe is a well known figure. The founder of the Wildlist, he’s spent his life writing antivirus engines, getting antivirus patents and working for Symantec, IBM Thomas Watson Labs and Trend (and in his spare time, doing a complete translation of the Bible into the Sahidic dialect of the Coptic language as well as writing science fiction).

The antispyware model: Broken
We have felt for some time that the traditional antispyware model has been fundamentally broken. Antispyware programs started out as niche products, marketed by mavericks such as Patrick Kolla (SpyBot), Nicolas Stark (LavaSoft) and Bob Bales and Roger Thompson (PestPatrol), and they all relied upon a brute-force method of removal.

This method revolved around analyzing the files, registry keys, processes and the like associated with a malware program and putting these values into a database along with a boatload of MD5 hashes (file fingerprints; since a single changed byte yields a different hash, every variant of a file needs its own entry). Then, this database was bolted on to a system scanner. Basically, your classic antispyware product was a giant database attached to a scanning engine.

In other words, antispyware products are basically big fat databases attached to big fat system cleaners.
Why did WebRoot and PC Tools do so well with their tools? Both came out of the system-cleaning tools business (respectively, Window Washer and Registry Mechanic). These types of tools pound through a system, looking for file names, directories, registry keys and processes. WebRoot’s SpySweeper, based on the same Delphi code that was used in the company’s Window Washer, excelled at this brute-force method of cleaning.

This model worked fine in the early days, and you could typically handle some pretty bad stuff with even SpyBot or Ad-Aware. However, things got rough for the simple reason that spyware authors got really smart, because the economics were so strong. The spyware programs got increasingly difficult to remove, for example through “resuscitators” — programs that would notice when you killed a file and then recreate it (a classic Direct Revenue tactic).

It got so bad that Merijn Bellekom, who had created CWShredder to kill CoolWebSearch, simply threw up his hands in frustration. As he said, “I simply do not have the tools to remove the latest variants, they are too aggressive or complicated to allow automated removal by CWShredder.”

We had the typical example of a user trying to remove threats, and needing to use multiple antispyware programs, run in safe mode, beat on the machine, cry, pray, ask for help on forums, run HijackThis a few hundred times, and then maybe get the use of the PC back. Even Steve Ballmer, CEO of Microsoft, went through this hell. And I certainly did on several occasions as I helped others with their destroyed systems.

The model was (and is) flawed. While the major antispyware products have improved dramatically, they simply cannot deal effectively with all the different kinds of today’s threats. You have the problem of depth (how much work is required to remove an infestation) and breadth (the sheer number of infestations that may be found in the wild).

The antivirus model: A surgeon’s touch
Now, while spyware was evolving, antivirus vendors were playing catch-up. Antivirus engines had been dealing with nasty stuff for years, and were quite capable of removing all kinds of evil malware like worms and trojans. However, antivirus engines are designed primarily for deftly cutting viral code out of an infected file, or removing a few files. Consider the Melissa virus, one of history’s most infamous nasties — it was a Word macro virus written in Visual Basic for Applications. Removal required deleting one registry key and stripping the macro code from Word’s default “Normal.dot” template.

A surgical approach, compared to antispyware’s demolition-team type of approach.

Contrast this surgical touch with one adware infestation that Ben Edelman documented a while back: 730 registry keys, 1,194 registry values, 461 files, and 43 file folders in one infestation! It was simply an epic amount of crap dumped on a machine. You didn’t need a surgeon. You needed a demolition team!

And the fact is that most of the AV companies simply took a long time to catch up. Why antivirus companies were so late in the game is a matter of speculation, but I believe it came down to the following reasons:

  • A bewildering new type of malware that required system cleaning tools as opposed to surgical strikes. AV engines are designed for file-infecting viruses or removals of a few files — not the hundreds of thousands of unique threat types you find in spyware installations.
  • Burdened by their own past experience. The AV guys tended to look at threats or targets through their past experience — in other words, they were looking for threats that looked like those they had encountered before. And, by and large, the newer commercial threats — especially adware — did not look like the threats the AV guys were used to dealing with. As a result, some may have been naive about installation practices (especially run-of-the-mill deception and social engineering, as opposed to the classic viruses), and thus weren’t as aggressive in targeting adware programs. They were (and often still are) much too forgiving of unsavory business practices. Finally, they tended to target files and processes, not the complete suite of items (including registry keys) that needed to be removed.
  • Worries about legal problems: Antivirus companies were faced with an even more bewildering problem: They were under the threat of legal attack from listing adware and spyware, something they had never really dealt with before.

    The legal problem is interesting when you add in the geographical dynamics of the business. Now, this is all my speculation, but the major antivirus companies are in the US (McAfee and Symantec, and arguably Trend). They may be used to the US legal system (meaning, you can be sued for forgetting to supply toilet paper in the bathroom), but they are large companies, so are always nervous about legal problems.

    The rest of the antivirus business is largely in Europe, and these companies are simply shocked by the US legal system. So you had an interesting intersection: Large companies not wanting to get sued, the smaller companies with a strong consumer voice being European and simply not interested in getting tied down with US legal issues (even some antispyware companies may have fallen for this legal fear — PC Tools delisted a number of threats like Hotbar and new.net based on legal threats it received).

And the real problem with AV products: Bloat
It’s a known problem that many antivirus products have become bloated and inefficient. The reason has a lot to do with the fact that the major antivirus companies need to support a broad range of viruses that may not even run on today’s platforms, because of useless certifications, support for older platforms, etc. But it’s part of why your AV product may take such a big hit on your system resources.

And with a user base that’s leveling off (even declining for some), the game now is recurring revenue. It’s all about subscriptions: Get the user in and get them on a subscription plan, even if it means billing on a “negative option”. Why invest in a market which isn’t growing in huge leaps and bounds, when you can milk the subscription revenue? It’s a cruel statement, but there’s enough truth in it by simple observation. Now Microsoft has raised concerns in enough AV companies to get them moving, but a lot of what we see is the same-old, same-old. More memory-hogging suites and more bloat. It’s a broken model, because no one ever decided to really fix it.

(By the way, I’m not maligning a whole industry here. There are a number of truly standout firms in the AV world that are doing a really good job. My comments are more related to the “usual suspects”.)

Today’s user has a problem: Security has become a menace to performance. It’s also gotten more confusing, blinding users with a blizzard of scary popups (although great improvements, as in Symantec’s handling of incoming threats, have been made in this area).

What we’ve been working on
So what’s our answer to all of this? Wipe the slate clean. Rethink the ideas behind desktop security. Create a new method that’s more efficient and more powerful.

A number of parts have had to come into play to make this happen. I had to hire Joe Wells and a number of other rocket scientists and invest a significant amount of the company’s financial and human resources. I also acquired technology, such as the Kerio firewall, which brought with it a number of innovative technologies such as Host Intrusion Prevention System (HIPS) and a Snort-based Intrusion Detection System (IDS). I’m also in the process of making an investment in some bleeding-edge rootkit technology.

Meanwhile, I’ve had to just be patient and let the team do their work, something not easy for me.

CounterSpy 2.0
CounterSpy 2.0 (currently in beta) is our answer to the problems of dealing with tough blended threats, and incorporates a number of new technologies, such as VIPRE and our FirstScan technology, to deal with the really tough threats. The premise behind CounterSpy 2.0 is:

  • So-called “real-time” antispyware protection is not effective. If it’s not working at the kernel level, it’s not worth the time of day.
  • Today’s antispyware technology must work at or below where the malware is executing.
  • Equally important are detection, removal and the database definitions.

We believe this new product is a big evolution in antispyware detection and remediation.

There are a number of new features in CounterSpy from the previous version, such as the fact that it runs as a service, has a small CPU and memory footprint, has a new scanning engine, and uses incremental database updates. But I’m sure our marketing people will do a much better job of pulling all of those new features together when we officially launch the product (which will be at the RSA conference in early February).

VIPRE
One of the things we had to do was develop an entire antivirus technology from scratch, and we call it VIPRE. We don’t believe that going out and bolting on an antivirus engine is a good idea from a performance standpoint. The result of piling engine upon engine is ultimately crap, and users see right through it.

VIPRE is a completely new antivirus technology, which incorporates all the classical antivirus techniques (such as removing file-infecting viruses) as well as a number of new techniques. VIPRE is especially powerful in its heuristics capability, something you may have seen if you submit malware samples to VirusTotal. VIPRE is still not done and yet it’s catching an enormous amount of viruses based on its heuristics alone.

(A few notes about VIPRE for the technically inclined: Since 99% of all malware is compressed (packed), you need to uncompress it in order to find the original entry point (the point where the unpacked code begins executing) and analyze it. However, there are a large number of different compression methods and variations in use. Many antivirus companies write a static unpacker for each packer (and each variant of it) they encounter, which means they have to hand-roll an unpacking algorithm every time a new one turns up — a time-consuming process. So one of the things we did with VIPRE was develop a “generic unpacker” to dynamically unpack any piece of malware.

But what happens when you actually unpack the malware? You have to analyze it in real time, so we then had to build an extremely fast emulator which unpacks the malware, runs the unpacked code for a short while under emulation, compares it to a signature and flags it if it’s malware. And while we were at it, we built a full debugging environment for our engineers to run malware in a secure environment and rapidly create new signatures. Furthermore, while much of the AV world may still be using regular expressions in their signatures, we’ve created a new model which improves considerably on the current state of the art.)

VIPRE is also platform-agnostic, able to support Linux, Mac OS, Windows, and any other platform we decide on.

This was a lot of work.

But now VIPRE is basically done. What needs to happen is to get certified by the major certification bodies and to continue adding more viruses in order to roll it up into a full antivirus product. However, a major part of the VIPRE technology is actually shipping in CounterSpy 2.0, solely for the purpose of making CounterSpy 2.0 a more powerful antispyware product. We’ve taken the VIPRE “juice” and put it into CounterSpy, and I think you’ll really notice the difference when you’re dealing with spyware.

VIPRE is a brand new antivirus engine and incorporates the latest thinking in antimalware research. It’s burning-hot fast and extremely efficient.

Kernel-level active protection
Another key thing we had to do was develop a set of kernel-level drivers, designed to run from the start on 32 bit and 64 bit systems. This Active Protection sits at the kernel and sees all, stopping the bad stuff before it has a chance to execute on your system.

Our Active Protection is part of CounterSpy 2.0 but will, of course, be used for our antivirus product in the future.

FirstScan
One nifty feature of CounterSpy 2.0 is its FirstScan technology, which scans certain locations of the drive and removes malware prior to Windows launching. This is done directly to the drive, bypassing Windows APIs, right about the time that chkdsk would run. While other products may attempt removal prior to Windows loading, none that I know of actually scan and remove (correction: there’s one other I now know about).

The purpose is simple: To get the spyware before it has a chance to execute.

The end goal
In the end, you have an anti-malware model that is a hybrid technology, melding the “system cleaning” properties of an antispyware product, along with the efficiency of a powerful antivirus engine. This will first manifest itself in CounterSpy 2.0, which will have major parts of our VIPRE technology in it. Then a full antivirus and antispyware product will follow a few months later. And ultimately, this will all be integrated into an offering incorporating firewall, IDS, HIPs, and all the rest to make a very powerful, yet efficient anti-malware system.

Alex Eckelberry

Gromozon is back

Gromozon, arguably one of the nastier (if not nastiest) piece of spyware we’ve seen, dropped off the radar screen around late November — and sites typically associated with this malware started foisting off other spyware, including the Rustok.b trojan. (Btw, Symantec has a very good writeup on Gromozon here.)

However, the Gromozon authors are back, and as usual, it’s not pretty. As usual, they’re using exploits to install on PCs (currently it’s only on a small number of sites).

Gromozon targets Italian websites only, and does not run inside of VMware. Combine that with the fact that Gromozon itself is an extraordinarily pernicious and complicated piece of spyware, and the result is no fun at all.

So here is Gromozon installing again, using a number of exploits (it’s always used exploits, these are just the current run of exploits it’s using). Some screenshots of the deobfuscated javascript used for the exploits:

The original iframe:


The second nested iframe:


Here’s an attempt to use an exploit on Acer notebooks. (Interesting that they would target Acer notebooks with a specific exploit. While Acer is not a big name in the US, it’s huge in Italy, being the number-one notebook company there):

There are also attempts to use an MDAC exploit, the XML Core Services exploit, the VML exploit, the infamous WMF exploit and the Java ByteVerify exploit.

Note that it meticulously checks for the presence of antivirus programs through ActiveX before loading the WMF and Java exploits. It checks for:

Norton
Windows Defender
Bitdefender
AVG
Panda
F-prot
Norman
KAV
NOD32
Avast
Antivir
Ewido
VBA32

All of these exploits used by Gromozon (except Acer’s) are easily patched by using Microsoft Update.

I feel for Italy.

Alex Eckelberry
(Credit for the real work goes to Sunbelt researcher Francesco Benedini)

I’m not a big fan of predictions, but this one is interesting

Fred Wilson felt that Bob Lefsetz’s 2007 prediction list was one of the better ones out there, and I think it’s pretty good as well.

You can read Bob’s predictions here. Largely oriented toward music, but it has good points.

However, I know I’m going against the tide here, but I’m not in the heavy anti-Dell camp as Bob is. We’re a heavy Dell user, and while it’s not perfect and the quality may not be what it used to be, we’re generally satisfied with their systems (note that we don’t use their support, as we do everything in-house). Of course, I’ve heard the horror stories, but from my personal experience, I’ve never had any major problems with the company.

Ok, now that I opened the Dell floodgates, here comes the comment storm 😉

Alex Eckelberry

Here’s something for the New Year: Get the crap off your PC

I just can’t stand junk on my PC. I recently bought a new Sony Vaio. First thing I did was clean off every possible pre-installed application that I could. Then I did a “bottom-up” style configuration — only adding those things which were absolutely essential. The result is a clean, fast little machine that does what I need it to do. It never crashes and never has problems.

So apart from obsession, there’s good reasons for keeping a clean computer: Every program and hardware device you add increases the chances that your computer will become slower and more prone to crashes. It also dramatically increases the difficulty of diagnosing problems.

How many crashed PCs, tech support calls and ruined weekends are due to crap on a person’s machine? It starts with “personalizing” a PC with themes and cute screensavers (how many times have we heard a computer fart, squeak, groan and splash from some Plus! pack that was installed?). And then it goes on to “clean-up” utilities, bloated suites and all the rest.

So I propose a new regimen for your computer, turning your computer from a bloated beast into a sleek machine that hums along happily. It’s Alex’s Fresh and Clean Computing!

Here are some ideas to start everyone off. Now, I realize that many of those who read this blog are expert level and really don’t need to be told the things that I’m writing here. So if you have any other ideas, give me your suggestions!

Decrapify! Getting a new computer? Decrappify-it. Or spend an afternoon cleaning all that junk off before doing anything else.

Leverage the operating system. Whatever your complaints, Microsoft has done a Herculean job of making a lot of devices work with Windows. Getting a new printer? Don’t jump to use the supplied drivers. First, see if Windows has a built-in driver already available. If so, use that one. If you think about it, imagine all the crap you could get rid of if you just used the built-in drivers — as opposed to software to operate your wireless keyboard, color printer and all the rest. You’ll find that in most cases, the Microsoft-supplied drivers work just fine and you’ll save yourself one more hassle to deal with. So don’t install a third-party driver unless you feel you absolutely must — and I don’t care what the manufacturer says in its instructions.

Separate your data from the rest. Either partition your drive or get an external drive to hold your data, and keep your primary drive for the operating system and your applications. One reason is organization. But a more powerful reason is that you may need to re-image your drive at some point, so you really should keep your data separate. Yes, a partitioned drive will likely result in a slight decrease in performance, but on the other hand, it will result in much better data management. It’s not vital to do this action, but it’s something to consider.

Consider setting all your accounts to limited user. It’s sometimes a hassle, but it makes a huge difference in security. Remember that kids are some of the biggest sources of infection. Put them on a limited account if you value your PC. (Personally, I don’t run as limited, as I don’t want to bother with hassles. But that doesn’t mean I shouldn’t.). Oh, and have guests in town? Consider setting up a temporary guest account just for them.

Consider re-imaging your drive or deleting your user account. Windows gets clogged up. So if you have good data management in place (see above), reinstalling Windows will be a wonderful fresh start and not difficult. Not interested in taking such a drastic action? Simply creating a new user account will result in performance gains and start you on the road to Alex’s Fresh and Clean Computing.

Ditch the utilities. I was in the utility business for years. I know this space like few others, and I can say that a lot of the stuff out there is of questionable value (and it’s why I got out of that field). Do you really need to buy a defragmenter? Just use the built-in one in Windows (and I even question the value of obsessively defragmenting these days — more on that in some other post). Do you really need one of these “utility suites” you see that seem to promise so much? I don’t think so. Or how about a registry cleaner? They may be spiffy, but I doubt you really need them (and LifeHacker debunks their value, preferring instead the free CCleaner). Do you even need WinZip anymore with the built-in XP zip compression?

Always look at the cost/benefit: You’re adding a program which may dump 40MBs on your hard drive and has all kinds of whiz-bang features. But is the performance tradeoff there? If you love to tweak your machine, that’s cool. Just remember what you’re getting in return and make sure you need it.

Kill AOL. There’s a reason PC World voted AOL #1 on the worst technology products of all time. So cancel your AOL subscription, get a normal internet service provider and start using, at least, Outlook Express or any of the other email programs out there. Again, leverage what’s already in the operating system, instead of using some antediluvian shell to access the Internet.

Kill AIM and Windows Messenger. AIM and Windows Messenger both load a web page every time they start up. You can replace these with a web-based client like Meebo (my favorite) or Trillian. One instant messenger program to rule them all.

Stop with the damned Plus! packs, goofy screensavers and pretty backgrounds already! Wow, you want to kill performance? Use those monstrosities referred to as Windows Themes. Even screensavers hurt performance. (Ok, a confession — my wife loves her Plus! pack and would kill me if I removed it. So there are exceptions, like ensuring continued marital bliss). But do you really need smileys, messenger add-ons and all the rest?

Kill the toolbars. A toolbar has its use, but you only need one: Google’s or Yahoo’s. Choose one. Ashcan the rest.

Question security suites. Among the worst performance killers are the security suites. Your system is certain to lose at least 10%–20% of its power by installing one of these programs. Replace security suites with a) common sense and b) best-of-breed point products.

Get your security down to the irreducible minimum. Figure out what you must have. For example, the most significant attack vector for viruses and malware is actually email, so you must have an antivirus program. But do you really need three antiphishing toolbars running? I get emails from all sorts of people, and the amount of security crud on their machines is sometimes quite baffling.

Use the VMware Player. My strongest advice for not getting infected is to stay on the main highways of the internet. Most of the really nasty stuff we see is on porn and crack sites. However, here’s a great idea: Download the free VMware Player and use the Ubuntu Browser Appliance. This is free. I constantly do security research and simply couldn’t survive without VMware.

Any other ideas? Share away!

Alex Eckelberry

Some meanderings on Vista

A few errant thoughts on Vista. Now — don’t get me wrong, I’m not a Vista basher; I actually think they’ve done some impressive things with this operating system. I’m just thinking some thoughts out loud here.

Performance? This is intriguing: A recent Microsoft-sponsored study of a number of PCs, most of which had at least a gig of RAM and 256MBs of video RAM, has come to the conclusion that “Overall, Windows Vista and Windows XP were roughly equally responsive on most test operations.” PDF link here (via Paul Thurrott).

This test uses “average” response times. Since we all know that an arithmetic mean can be misleading, you need to delve into the data itself to check it (as a general note: always delve, no matter the source).

It’s not necessarily a bad study. However, looking over it (and aggravatingly, it’s “locked”, so you can’t pull data easily into a spreadsheet for analysis), the low-end machine is an HP 1320y, with 512MBs of RAM (but 256MBs of video RAM). This seems to also be “System C”, which does not show the best results. There are a large number of machines that have 512MBs of RAM or lower (52% of machines are 512MBs, according to PC Pitstop). You can see some more PC stats here, as well as a survey of Vista-ready machines here. Is it a big deal? Probably not. Memory is cheap.

Another factor to consider is that all of the machines in the test except one had 256MBs of video RAM. That’s actually a fairly chunky amount of video RAM — my powerhouse system here at the office only has 128MBs of RAM.

What is Vista’s performance on the typical system you see out there in the wild? How important will hybrid hard drives be? And what about battery life for notebooks using Aero?

Bugs? We’ve been working on porting our apps to Vista, and it seems to some of us that the OS may have been rushed to market. There are bugs. But ok, that’s to be expected with a first release.

DRM? Vista has a lot of DRM features in it. Has Microsoft sold out the consumer in its attempt to implement DRM by the rules? As Bob Lefsetz says about Zune, “…if you play by the RIAA rules, you’re DOOMED to failure.”

Security? Vista is promised as the Great Security OS. However, the very fact that Microsoft has basically thrown down the gauntlet to the hacker community, promising it as a big security upgrade, may mean that hackers will take great delight in finding holes in the operating system. And no matter what you do with security, you still can’t get around the social engineering problem — something that Macs, PCs and Linux systems all share alike.

Personally, I’ll stick with XP for some time until all the kinks are worked out.

Your thoughts?

Alex Eckelberry

New scam site — esafetylist

I got this one from a user yesterday — a new scam site on the loose — esafetylist(dot)com. Patrick checked it out, and sure enough, it’s a new live one (I have some more I will post later today, time permitting).

Obviously, stay clear of this rogue site and the malware it spawns. If you are infected, the free trial version of CounterSpy (or the CounterSpy 2.0 beta) should remove the infection just fine.

Alex Eckelberry and Patrick Jordan