Another fake security scam site — malwarealarm

malwarealarm(dot)com downloads a variant of rogue antispyware application SpySheriff.

[Screenshot: the malwarealarm(dot)com site]

Here’s an interesting thing. By traversing through scanner(dot)malwarealarm(dot)com/, we see a cornucopia of vile and misleading pages used in advertising by these enterprising criminals.

[Screenshots: the advertising pages found under scanner(dot)malwarealarm(dot)com/]

When the online scanner does a “system scan”, it’s just pulling file names from scanner(dot)malwarealarm(dot)com/5/fileslist.js (you can see the contents here). In other words, no scan is actually occurring, just file names are being displayed.

Not very surprising, but pretty sick, eh?

Alex Eckelberry
(Thanks to Sunbelt researchers Patrick Jordan and Adam Thomas)

How one spam can ruin your day

Another spam making the rounds this morning. Adam Thomas in our research department did a quick analysis of it and what it does to a system is not pretty (without the help of my staff, there is no way I could do the blog volume I do).

[Screenshot: the spam message]

So, taking a look at the source, we see that it’s directing to http:/ /gooffhere(dot)com. There are no pictures of Paris Hilton as promised by the email, but we do see two IFRAMEs in the source code of the page:

[Screenshot: the page source]

1. hxxp:/ /81(dot)29(dot)241(dot)160/in(dot)php?2856985855 – exploit

Loads:
hxxp://81(dot)29(dot)241(dot)160/launcher(dot)php?uid=2856985855&domain_id=2 (downloads a binary, a Trojan Downloader for iframebiz)

Loads:
hxxp://iframebiz(dot)com/exe(dot)php?uid=2856985855&domain_id=1&exeid=1 (downloads a binary)

Loads:
hxxp://pornstar-photos(dot)com/adv/windows_update(dot)exe

Loads:
hxxp://adultvideodot(dot)com/harre/1471548324/1/player(dot)php?m=ms53bxy=&id=1176
hxxp://xfuzrplryy(dot)com/dl/loadadv693(dot)exe (IFRAMEDOLLARS Trojan Downloader)
hxxp://iframebiz(dot)com/exe(dot)php?uid=2856985855&domain_id=1&exeid=2 (binary – Fake Alert Trojan – BraveSentry)
hxxp://iframebiz(dot)com/exe(dot)php?uid=2856985855&domain_id=1&exeid=3
hxxp://iframebiz(dot)com/exe(dot)php?uid=2856985855&domain_id=1&exeid=4
hxxp://iframebiz(dot)com/exe(dot)php?uid=2856985855&domain_id=1&exeid=5
hxxp://iframebiz(dot)com/exe(dot)php?uid=2856985855&domain_id=1&exeid=6
hxxp://iframebiz(dot)com/exe(dot)php?uid=2856985855&domain_id=1&exeid=7
hxxp://iframebiz(dot)com/exe(dot)php?uid=2856985855&domain_id=1&exeid=8
hxxp://iframebiz(dot)com/exe(dot)php?uid=2856985855&domain_id=1&exeid=9
hxxp://iframebiz(dot)com/exe(dot)php?uid=2856985855&domain_id=1&exeid=10

2. hxxp://www(dot)kozirodstwo(dot)com/cgi-bin/n/nnn(dot)cgi?p=driv

The Trojan above makes a request back to the controlling server for a configuration file, which will contain a download link (or links) for additional malware.

hxxp://www(dot)kozirodstwo(dot)com/c(dot)php?l=us&d=d9abb07e934440e1b3a6a395976f7d53&ver=3(dot)5(dot)3&rvz1=26916&rvz2=0004604046 (config)

In the parameters above, we see that they are passing along an MD5 hash probably for record keeping. Each link can only be used once, but we can modify the hash a bit in order to see the configuration file which returns:

hxxp://kozirodstwo(dot)com/top/abc1006def(dot)exe

Now, this is a known malware domain. They use a new exploit framework called NeoSploit.

[Screenshot: the NeoSploit exploit framework]
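The chain above starts with two IFRAMEs buried in the page source. As an added example (my code, not anything from the original post or from Sunbelt), here is a small offline analyser that pulls every IFRAME out of a saved copy of a landing page, flags the ones that look like a drive-by chain (raw IP host, 1x1 size, hidden by CSS, server-side script with a query string), and defangs the targets for reporting. The sample page is constructed to mirror the layout described above; the hosts 192.0.2.10 and example.net/example.org are reserved documentation values, not the real gooffhere(dot)com source.

```python
# Added example (not code from the original post): extract the IFRAMEs from a
# saved copy of a spam landing page and flag the ones that look like a
# drive-by chain. The sample page below is constructed to mirror the layout
# described above (one frame to a raw IP with in.php, one to a CGI script);
# the hosts are placeholders, not the real gooffhere(dot)com source.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({name: (value or "") for name, value in attrs})


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel, i.e. invisible."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def defang(url):
    """Neutralise a URL for reporting, in the hxxp / (dot) style used above."""
    return url.replace("http", "hxxp", 1).replace(".", "(dot)")


def analyse(html):
    """Return one finding per IFRAME that has a src, defanged for safe reporting."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.frames:
        src = frame.get("src", "")
        if not src:
            continue
        host = urlparse(src).hostname or ""
        style = frame.get("style", "").lower().replace(" ", "")
        reasons = []
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("raw IP address as host")
        if _tiny(frame.get("width")) or _tiny(frame.get("height")):
            reasons.append("near-zero frame size")
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden via CSS")
        if re.search(r"\.(php|cgi)\?", src):
            reasons.append("server-side script with query string")
        findings.append({"src": defang(src), "suspicious": bool(reasons), "reasons": reasons})
    return findings


# Constructed sample: 192.0.2.0/24 and example.* are reserved documentation values.
SAMPLE_HTML = """<html><body>
<p>Pictures inside!</p>
<iframe src="http://192.0.2.10/in.php?2856985855" width="1" height="1"></iframe>
<iframe src="http://cgi.example.net/cgi-bin/n/nnn.cgi?p=driv" style="visibility: hidden"></iframe>
<iframe src="http://www.example.org/sidebar.html" width="600" height="400"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_HTML):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['src']}  {', '.join(finding['reasons'])}")
```

The point of running this over a saved copy rather than the live page is that nothing in the chain gets fetched; the analyser only reads markup, and every URL it reports is already defanged so it can be pasted into a ticket or a blog post without becoming a clickable link.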

Upshot? If you have an unpatched system (or a system without adequate protection) and you click on this spam, you’re in a world of hurt.

Alex Eckelberry
(Credit to Adam Thomas for the real work)

Brushfire in Georgia… smoke in Tampa?

This is truly remarkable.  We’re in the Tampa Bay area, about 250 miles from Waycross, GA.

Now, there’s a huge fire up in Waycross.  And through an odd quirk in the wind patterns, we’re getting the smoke.  I just stepped outside and it was pretty rough — just a carpet of smoke throughout the area.  The picture below doesn’t do the situation justice, but here’s an example:

[Photo: smoke over the Tampa Bay area]

Alex Eckelberry
(Credit to Robert LaFollette for the picture, and here’s a panorama he did as well.)

My apologies

Yesterday I had a post on a nasty new image spam making the rounds that immediately infects an unprotected system with the WMF exploit.  A picture of Paris Hilton, it wasn’t a nude image per se but did show an extremely small portion of her, well, nude parts.  I received a complaint about this and have since modified the image.  Before all the Europeans pile in <grin> and complain about us “Puritan Americans”, let me just say that for many, it’s more of a problem that people view this blog at work and don’t want the stuff on their system.  I understand this. 

I do always try and keep this blog on a PG-13 rating and want to make sure everyone knows that we won’t publish images that are offensive, or if they are offensive, we will block out the offending areas.

Alex Eckelberry 

New image spam uses WMF exploit

A new set of spam uses the WMF vulnerability as an exploit — right in the spam. Simply viewing the spam in the preview pane will exploit a system (if you’re not patched or don’t have adequate AV protection).

[Screenshot: the spam, showing the normal image on the left and the fake WMF “image” with the red x on the right]

The picture on the left is a normal image. That “picture” on the right (with the red x) is a fake WMF image which triggers the exploit. The source of the spam (with malware links) is here.
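The red x is the giveaway: the mail references something as an image that is not image data at all. As an added example (my code, not from the original post or from Sunbelt), here is a content-sniffing check a mail gateway or analyst script can apply, deciding from the leading bytes whether a file really is a JPEG/GIF/PNG and flagging a Windows Metafile that arrives under an image file name. The sample blobs are constructed header fragments I made up for the demonstration, not the real spam attachment.

```python
# Added example (not code from the original post): decide whether bytes that
# arrive under an image file name really are an image, and flag a Windows
# Metafile hiding behind a .jpg/.gif name. The samples are constructed header
# fragments made up for the demonstration, not the real spam attachment.
import struct

# 32-bit key that opens a "placeable" WMF header (stored little-endian on disk).
PLACEABLE_WMF_KEY = 0x9AC6CDD7

CLAIMED_BY_EXT = {"jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "png": "png"}


def sniff_image(data):
    """Identify the format from leading bytes: jpeg, gif, png, wmf or None."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_WMF_KEY:
        return "wmf"
    # Standard WMF header: Type 1 (memory) or 2 (disk), HeaderSize 9 words,
    # Version 0x0100 or 0x0300.
    if len(data) >= 6:
        mtype, header_size, version = struct.unpack("<HHH", data[:6])
        if mtype in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return None


def classify_attachment(filename, data):
    """Compare what the file name claims with what the bytes actually are."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = CLAIMED_BY_EXT.get(ext)
    actual = sniff_image(data)
    if actual == "wmf":
        verdict = "block: Windows Metafile content (WMF exploit carrier)"
    elif claimed is not None and actual != claimed:
        verdict = "review: content does not match the file extension"
    else:
        verdict = "ok"
    return {"file": filename, "claimed": claimed, "actual": actual, "verdict": verdict}


# Constructed samples (header fragments only, padded with zero bytes).
SAMPLES = {
    "party1.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",         # genuine JPEG header
    "party2.jpg": b"\xd7\xcd\xc6\x9a" + b"\x00" * 18,          # placeable WMF under a .jpg name
    "photo.gif": b"\x02\x00\x09\x00\x00\x03" + b"\x00" * 12,   # standard WMF under a .gif name
    "logo.png": b"GIF89a" + b"\x00" * 10,                      # GIF mislabelled as .png
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        result = classify_attachment(name, blob)
        print(f"{name:12} claimed={result['claimed']} actual={result['actual']}  {result['verdict']}")
```

Sniffing the bytes rather than trusting the name or the declared MIME type is what catches this class of spam: a preview pane hands the bytes to whatever renderer recognises them, so the extension in the mail is irrelevant to what actually gets parsed.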

Alex Eckelberry

A different kind of SDK


We market a number of SDKs (Software Development Kits), which allow developers to integrate things like antispyware/antivirus technology, packet filtering, firewalls, etc. into their own products. But Joe Wells has come up with a different type of SDK that only an engineer cum sci-fi writer could think up:

The Story Development Kit.  It allows others to build stories around the world he’s created in his book, StormScape.

Original!

Alex Eckelberry

This is just weird

We’ve been getting complaints from customers that one of our competitors has apparently been scraping the web to see who our customers are and then has been attempting to get the customer to move over to their solution by providing misleading information.

Here’s a couple of examples of emails I’ve received:

“By the way, I just had a voicemail from Herb Shelton at Webroot software. He said he got my name … from the Sunbelt website. He was doing a salespitch for Webroot, apparently, telling me how much better Webroot was than Sunbelt.”

“FYI, [redacted] called me this a.m. He said he was contacted by Chris Garrison from Webroot who left him a message saying he saw that he was a customer of Sunbelt and he would like to speak with him about enticing him to move over to Webroot…”

So we sent a letter, no response and we just got a report again today of this happening.

I’m a little baffled, frankly, that a competitor would resort to scraping names of customers from case studies and the like and then contact them. Are things really that bad out there? Is there that little new business to generate, rather than resorting to these kind of tactics?

It’s actually kind of funny in a sort of tragic way. An antispyware company spying…

Whatever.

Alex Eckelberry

Chatty cameras

Georgetown professor Carroll Quigley, in his extraordinary book Tragedy and Hope (one of the greatest books on modern history you’ll ever find, in my opinion, and a book I highly recommend reading) made the observation that a key part of understanding the British government is that, despite appearances otherwise of convention and practice, it is a nation completely bereft of a constitution.

And that is nowhere more evident than in the new talking cameras.

I’m so revolted by the notion of cameras barking at citizens to pick up a misplaced coffee cup or piece of litter that it’s difficult to put my feelings into words.  Nevertheless, Britons have acquiesced, tacitly or otherwise, to this extraordinary intrusion on their privacy.  A once great country that was a beacon of democracy and hope for many countries is now becoming a police state.  Silly histrionics on my part?  Not really.  It’s the simple truth.

Alex Eckelberry
(Hat tip)

Finally, it’s out

[Screenshot: CounterSpy Enterprise policy settings]

We just released CounterSpy Enterprise 2.0. This is our “enterprise” version of CounterSpy which allows system administrators to control spyware and other malware threats throughout their organization.

This new version incorporates our new “hybrid” antispyware engine, which merges classic spyware detection and remediation with our new VIPRE technology (VIPRE incorporates both traditional antivirus and cutting-edge antimalware techniques). This combination of technologies provides faster scanning using fewer system resources than the previous version.

Lots of new stuff in this release.

I did a webinar yesterday on the product, as well as a discussion of our philosophy with regard to malware (as well as current trends, etc.). I highly recommend viewing it. You can see it here (unfortunately, the few websites I visited during the presentation weren’t recorded due to some glitch in the recording system, but the rest is fine).

This is a hot release and I’m really proud of our team here.

Corporate propaganda here.

Below is more information for current customers who are upgrading:

Licensing: If you’re currently under maintenance this is a free upgrade and your existing license key will work fine in CSE 2.0

System requirements: The system requirements are here and should be reviewed prior to deployment.

Upgrading to the CSE 2.0 Server and agent: The direct download link to the CSE 2.0.2171 installer is here. Upgrading the CSE server to version 2.0 is supported for versions 1.5 and higher. The upgrade process for the server is extremely simple, just download the release and run it on the server. All existing information will be upgraded and migrated to the 2.0 installation. Remember to upgrade to .NET 2.0 on the server first and reboot if prompted.

After upgrading the server, all your existing agents will continue to function as normal with the exception of Active Protection. Since the Active Protection component is significantly different, the 1.8 agents will cease to offer Active Protection until upgraded to version 2.0. All other functions such as definition updates, scheduled scans and reporting will operate as normal. Additionally, you will see in the CSE 2.0 console that the “Last Scan Complete” column shows “Never Scanned” until a scan is completed by the agent after the server upgrade.

Upgrading the CSE agents to 2.0 is supported for versions 1.5 and higher. Once the CSE server has been upgraded, the simplest way to update the agents is by setting them in the policies to automatically check for software updates. This setting is located under the “Advanced” button on the “Agent” tab of the policy. If you have more than 100 agents on a single policy, you may want to create a copy of the policy, set it to automatically upgrade the agents, and then move 100 agents at a time to the new policy so as not to overload your network with upgrading agents.

New Features Overview:

New Engine – The agents are now using a new scanning and removal engine which now includes Sunbelt’s new VIPRE technology. This new engine is faster and requires less system resources while at the same time has improved detection for more sophisticated threats such as rootkits. Additionally, the engine includes FirstScan, which is our new scan and remove on-boot technology designed specifically to detect and remove the most deeply embedded malware before it can run or install. Triggered through a CounterSpy system scan, FirstScan will run at the system’s boot time, bypassing the Windows operating system, to directly scan certain locations of the hard drive for malware, removing infections where found.

New Active Protection – The active protection system has been completely replaced with a new kernel-level component. The new system offers real-time blocking of threats from being executed while also being able to prompt the user to take action if suspicious behavior is detected. Additionally, the administrator can create their own custom defined list of allowed and denied applications.

Automated Deployment Service – It is now possible to have CSE automatically deploy agents to the network. At a policy level this feature can be enabled and the admin can specify any combination of machine lists, IP addresses, IP ranges, IP subnets, and AD queries to be resolved and deployed to without admin interaction. The traditional methods of deployment such as console push and MSI packages are still included.

New User Features – The new agent now has many more options that can be exposed to the user at the discretion of the admin. The features include the ability to pause a scan that is in progress or disable active protection. As well, the end user can now be allowed to view the scan results and manage his own quarantine using a new end-user UI. Agents can still be run in a completely silent mode with no end-user interaction.

Incremental updates – The new engine fully supports incremental updates, so definitions can be released more often with less bandwidth impact and shorter download times for end-users who use CounterSpy at their home office.

New Agent Features – The new agent includes all of the above features as well as several other technologies. The agents can now go over the Internet to obtain definition updates if their CSE server is unreachable. They can also be set to throttle the rate at which they download definition files and updates from the CSE server so as not to saturate slower network connections. Advanced scheduling options now allow the agent to start scans at randomized times and make up for missed scheduled scans.

New Console Features – The administrative console for CSE has been redesigned to include more information. The admin can now tell at a glance when an agent last scanned and print from any of the customizable agent grids. The console to server communication has been reworked and optimized to respond quickly even under heavy usage. Advanced features, such as the Agent Recovery Mode which allows agents removed from the CSE server to automatically attach back to the server, are exposed to the admin.

New Server Features – The services for CSE have all been consolidated into a single process, which increases performance while at the same time decreasing the memory and CPU requirements. Additionally, the new service has been ported over to .NET 2.0, which also increases efficiency. The new CSE server component is not only compatible with the new agents but backwards compatible with the older 1.5 and 1.8 agents, so upgrading can be done in stages.

Alex Eckelberry

Use Google. Stop wars.

Well, maybe.

“That document has mistakes in it that are sufficient to show that it’s impossible that this operation could be real,” Eisner told ABCNEWS.com. “Anybody, you or I, could have taken this and fact-checked this thing and we would have learned that this was nonsense. We would have learned that the organization in the letterhead hadn’t been in existence for many years, that the person who signed it last served in that post in 1989 and that the court in Niger had been renamed in 1990.”

If the CIA had done a Google search on the documents, it could have altered the course of history, according to Eisner and Royce.

Link here.

Alex Eckelberry
(Hat tip)

The definition of audacity

Searching Google for “Virginia Tech”, one sees the following sponsored search result:

[Screenshot: the sponsored search result]

It’s not a news item. It’s an ad for the Starware toolbar. While a fairly innocuous toolbar as these things go, it has had a history of poor installation practices and is listed in our database.

[Screenshot: the Starware toolbar entry in our database]

So… Isn’t this just a bit tasteless?

Alex Eckelberry
And a hat tip to Zae

Florida wildlife and my run-in with Humphrey

A few weeks ago, Robert LaFollette, our creative director, was shooting wildlife at Honeymoon Island (a beautiful local nature park).  He was trying to get close to an owl and almost stepped on a very large rattlesnake.  He ran like hell and didn’t (probably fortunately) have the presence of mind to take some pictures.  (Robert is an extraordinarily talented photographer who has had his wildlife photos published — I highly recommend looking at his blog here).

Well, I got a Canon Rebel XTi for Christmas and have been getting involved in wildlife photography with one of my sons. And so we went out last weekend to Honeymoon Island to take some shots.  Unfortunately, it was a very windy day, so I wasn’t able to get many pictures of the birds.  We got a few pictures of some ospreys and many up-close shots of an armadillo (since animals aren’t hunted on the island, they have no fear of humans and you can get quite close). 

[Photo: armadillo]

A bit disappointed (but still thoroughly enjoying the beauty of the place), we were walking back on the trail when I heard my son say “Daddy!!!”.  I looked down to see this huge rattlesnake.  This thing was a giant, and I was just walking right by him.  I backed away, started shooting and then my son and I watched in awe as he slowly meandered across the trail.

[Photos: the rattlesnake crossing the trail]

Robert and I have named this big old rattler Humphrey.  He’s also our informal mascot for our new VIPRE technology. Next week, I’ll blog some pictures of Hudson, another predatory animal…but that’s for next time.

Alex Eckelberry

Sunbelt Weekly TechTips #40

Should we tear down the Internet and start all over?
The global network that we now know as the Internet was not, contrary to popular belief, carefully designed by Al Gore. Instead, it “just grew that way” out of the military and university sponsored ARPA (Advanced Research Projects Agency) project. It was based on protocols that were designed with no real concern for security and that never anticipated the huge volume of traffic, nor the types of traffic (such as streaming audio and video) that go over the ‘net today.

Now some university researchers are saying that we should scrap the whole thing and start over. I don’t know about that. Sure, we might end up with something much better in the end, but the interim phase might be awfully painful (think about the disruption caused by major road reconstruction projects). Read more about the idea here.

Support a cause or charity as you chat
Microsoft has a new initiative whereby they will share part of the Windows Live Messenger advertising revenue with various organizations such as the Red Cross or Sierra Club each time a user starts an IM conversation using WLM. You get to choose the organization you want to support, by joining the program here.

Buying online without a credit card
Want to take advantage of low online prices but don’t have a credit card or don’t feel comfortable sending your credit card info over the ‘Net? You’re in luck; it seems more and more online retailers are now accepting “nontraditional” payment methods such as PayPal and Google Checkout. Read more here.

Vista Reliability Monitor
Another new feature in Vista is the Reliability Monitor, which has been added to the Performance tool that you may be familiar with from Windows XP. When you try to open the Reliability and Performance Monitor from the Administrative Tools menu, you’ll be prompted for elevation of privileges. Then in the console, click Reliability Monitor in the left pane and you’ll see the System Stability Chart and System Stability Report in the right pane. Here you can see a history of hardware and application failures, software installations and uninstalls and other reliability-related information. This makes it easy to see if, for example, the installation of a program or driver corresponds with the time you started to experience application failures. You can see a screenshot of the reliability monitor here.

How to get and use more Vista gadgets
The sidebar is one of the cool new features in Vista, but you aren’t limited to just the sidebar gadgets that come with the OS. You can find all sorts of new ones here. Note that you can install the same gadget more than once; for instance, I have a simple digital clock gadget that’s installed in five instances, one for each of several time zones I want to keep up with.

Have more gadgets than will fit on the sidebar and don’t like having to use the arrow buttons to move to the second sidebar “page?” Did you know you can detach gadgets from the sidebar and place them on your desktop? Line them up on the other side of the screen or on a second monitor to create a “second sidebar.” You can take a look at my sidebar gadgets on my April 15 blog post.

How to keep your frequently used programs secret in XP
Don’t want others who use your computer to know what programs you use most frequently, or just want to keep a specific program from being displayed in the Most Frequently Used Programs list? Do this for each program:

  1. Start the registry editor.
  2. Navigate to the following key: HKEY_CLASSES_ROOT\Applications and find the program that you want to hide
  3. Create an empty string value named NoStartPage
  4. Close the registry editor and restart the computer.

Don’t fall for the “Microsoft Lottery” scam
This one has been making the rounds for a while now, but some folks are still getting taken in. The email message purports to be from Microsoft, announcing that you’ve won a big lottery prize. If it sounds too good to be true, it usually is. This is just a variation on the old Nigerian scam. Read more here.

Hack: Move the My Documents folder in Windows XP
This is a hack that should only be used if, for some reason, you can’t move the My Documents folder to another location (normally, you right-click on My Documents, choose Properties, then Move). This method involves editing the Registry, so be sure to back it up before you begin just to be safe. My Documents is a “shell folder” which Windows treats as a special type of folder. Here’s how:

  1. In the Registry Editor, navigate to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  2. Double click MyDocuments in the right pane.
  3. In the Value Data field, type the new location path and click OK.

This moves the folder but not its contents. You’ll have to move the current contents manually (drag and drop or cut and paste in Explorer). If you aren’t comfortable editing the Registry, you can install TweakUI for XP and use it to move the folder. You can download it from the Download list in the right hand column here. You can also read more about moving shell folders here.

Again, this method is recommended only if all other options fail.

Vista won’t start after you install XP in a dual boot configuration
I’ve heard from several people recently who bought new computers with Vista preinstalled, but they want to install XP. However, they don’t want to wipe out Vista; they want to be able to dual boot between the two. Unfortunately, installing XP after Vista can cause Vista to be unbootable. KB article 919529 explains why and provides the solution.

How to delay loading of specific services in XP
Sometimes, especially with older computers, you might need to delay loading of some Windows services in order for the computer to boot properly. You can control how services are loaded by editing the Registry. For instructions on how to do it, see KB article 193888.

Can’t access XP computer on the network?
Are you having trouble accessing an XP computer on your home or office network? A friend of mine recently installed Vista but couldn’t get his Vista machine to access resources on his XP machine. Turns out this is a registry configuration issue that can be easily fixed by a simple registry edit. Thanks to Jeff for the tip. For instructions, see KB article 913628.

Until next week,

Deb Shinder

Are the Open Sourcerers Selling You a Bill of Goods?

Here goes Deb again on one of her rants… and here comes the comment storm 😉 Personally, I’m a pretty big fan of open source and believe that it’s got a place — maybe not on my Mom’s computer, but certainly in many other areas. Anyway, read on and comment away… — Alex

It’s “common knowledge” in some circles that open source software is “better” – but is it true? Does software really want to be free? Is software created by committee really more secure? Do those who push open source (or at least some of them) have something besides software to sell?

I hear it all the time: open source is supposedly more inherently secure than proprietary commercial software, because it’s “peer reviewed.” That’s the magic that the open sourcerers invoke, but they’ve never really explained to my satisfaction how opening up the kernel to any and everybody can make a program more secure. I can see how it could make for more features, but I can’t see how it makes for more security.

The ironic thing is that many of those same people who tell me that open source software is more secure are also warning us that we can’t rely on information we find in Wikipedia. Why? Because it’s open to any and everyone to post articles. It follows the same “peer review” model as open source software. So why is being open a bad thing in one case and a good thing in the other?

I have nothing against open source software. I just don’t buy into the “it’s better because it’s open source” propaganda. I use some open source programs, and although they generally don’t work as well and aren’t as user friendly as commercial programs, the price is right. My dad always told me that, in general, you get what you pay for, so I don’t expect as much of something I’m not paying for.

But open source doesn’t always mean it’s free, either. Let’s take a look at Linux, for example. Depending on the distribution, prices run the gamut from free download to hundreds of dollars. Open source server software can be quite expensive. Even when the software doesn’t cost anything upfront, there may be hidden costs involved in using it. Because the free versions don’t provide any technical support, there are plenty of people making money supporting open source products. And if your time is worth money (mine certainly is), time spent compiling a kernel or writing your own drivers is going to cost you.

Of course, some people would prefer to spend $500 in extra time than $200 out of their pockets, and that’s their choice. But you have to admit it’s a bit insidious, sort of like the way people who never see all that money coming out of their weekly paychecks seem to think the government is giving them some sort of gift when they get their tax refunds. But as the website for the GNU project (which developed licenses for open source software) says, “Free software is a matter of liberty, not price.”

Now, if you’re a programmer type who wants to be able to rewrite the program code for your own purposes, open source is a great choice for you. But the vast majority of regular computer users just want software that works and don’t want or need access to the source code. I had a friend who ranted and raved about Microsoft operating systems for years. Finally, about a year ago, he decided he’d had enough and he was going to run Linux from now on. Within six months, he was back to XP. Why? “I never realized how easy Windows really is to use until I tried Linux.”

In fact, I have a lot of friends who complain incessantly about how bad Windows is and talk about what a great idea open source is, but who are still using Windows. If you ask them why, they tell you it’s because “Microsoft has a monopoly.” Huh? There are dozens of distributions of Linux available. Some of them are free. There’s nothing stopping those folks from wiping Windows right off their hard disks and running open source. So why don’t they?

Another thing my dad always told me was that actions speak louder than words. I respect the open source advocate who actually uses open source software. I don’t put much credence in the complaints of the Windows bashers who keep on using Windows.

And if you really believe in “freedom” when it comes to software, how about letting those of us who prefer to use Windows do so without condemning us for that choice? It doesn’t matter to me what software anyone else uses. So why are the open sourcerers always trying so hard to convert me?

Does software really want to be free? I guess some of it does and some of it doesn’t. It’s just as silly to expect every software company or developer to give their products away as it is to expect Sears to give away refrigerators and furniture. Sure, you can go to Craig’s List and find all sorts of appliances and such that are free for the asking. And if that’s the way you choose to outfit your house, that’s fine with me. But don’t look down on me if I choose to pay for my new dishwasher, okay?

At least if my store-bought dishwasher doesn’t get my dishes clean or my paid-for programs don’t work the way they’re supposed to, I feel justified in complaining about it, and maybe I’ll even get something done about it. If I find myself stuck with a hunk of junk that some stranger gave away or my free download hoses my system, what am I going to do? Ask for my money back?

How about you? Do you buy the idea that being “open” makes software more secure, or automatically makes it “better” or somehow morally superior to closed source software? Have you tried open source operating systems? Did you come back to Windows or do you still use Windows for some of your computers? If so, why? Do you get tired of being looked down on because you haven’t gone “pure open source?” If you use both open source and proprietary software, what do you like and dislike about each?

Deb Shinder

New blog on event log management

Ages ago (Sunbelt was founded in 1993, so we’re a rather ancient company by today’s standards), we had our feet firmly in the Windows NT system management space — and did quite a bit of business in event log management. Then we made the move into security software and the rest is history. 

But we still keep an eye on the market and have many friends in the business.  One of those companies is Dorian Software and Andy Milford over there has started a new blog just on event log management.  You can see it at http://eventlogs.blogspot.com/.  If you’re into event log management or analysis, it’s worth putting the site into your RSS feed.

Alex Eckelberry