Month: October 2007

I’ve stopped doing the Sunbelt Weekly TechTips.  For now, you can read them in Wxpnews, our weekly newsletter for consumers.  Subscribe here.

Alex Eckelberry

With all the hoopla these days surrounding the “Storm Worm”, our Research Team feels that there are some EXTREMELY DANGEROUS threats out there that are being overlooked. One such threat is Trojan.Netview. You may recall that it was observed being installed during the Bank of India hack.

One variant that we have recently found being distributed is actually detected quite well. Some appear to be general heuristic detections, but the malware itself is over one month old so most antivirus companies should be detecting it by now. It is interesting, however, that no attempts have been made to change it’s signature in order to defeat security software.

While detection by major antivirus companies is good, there are still several factors that make this Trojan extremely dangerous.

1. It uses Net View to find vulnerable network shares to steal data from

The name “Trojan.Netview” was devised by the simple fact that this malware uses the net view command. According to Microsoft:

Net view displays a list of domains, computers, or resources that are being shared by the specified computer. Used without parameters, net view displays a list of computers in your current domain.

You can try this yourself by typing the command “net view” inside of a command prompt.

By using this command, the Trojan is able to search for vulnerable network shares to steal information from. A server or workstation containing accounting databases, credit card information, bank account information, system backups, company trade secrets or any other sensitive data, doesn’t need to be infected in order for the data to be stolen. Instead, just a single infected user on the network who has access to network shares containing this data, is putting their company or business at serious risk.

Once the Trojan has identified these vulnerable systems, the data is copied from them and uploaded to an FTP server located in Russia.

2. It is highly distributed

For over a one month now, the MD5 hash of the Trojan has not changed. This fact, may be itself an indicator that the malware is having success. Typically, malware authors re-compile their code quite often in order to defeat security software (as an example, the “Storm Worm” typically changes every sixty (60) seconds).

In addition, Trojan.Netview is usually bundled with massive malware infestations that usually contain software which disables security software.

These days, it seems that we cannot get away without mentioning the Storm Worm, but there happens to be a relationship between Storm and Trojan.Netview. On 10/11/2007, the Storm Worm code changed a little bit. One of these changes was the ability for it to make multiple copies of itself on the infected system with the name “_install.exe”. Another change in the Storm code is the ability to inject malicious IFRAMES into HTML documents (htm, php, asp, xml, etc). This mean that any webmaster making modifications to a webpage and is infected with Storm, is aiding in the propagation of additional malicious code. With the sheer volume of infected Storm hosts, there is no doubt that some websites are going to be automatically defaced by this added functionality.

One recent webpage analyzed by our research team containing the injected code, is responsible for the installation of Trojan.Netview, as well as several other pieces of malware:

Unfortunately, this hotel PMS (Property Management System) appears to be yet another victim of the Storm. Notice that there is a copy of storm, “_install.exe”, which we mentioned earlier located on this remote server:

It is unknown what other data may have been stolen from this hotel.

3. It does a decent job of hiding itself

Trojan.Netview typically copies itself to your root directory as “wsusupd.exe”, with the hidden system file attribute set. While this may seem a bit archaic compared to more sophisticated malware that use rootkit technology to hide, it does not mean that this stealthing technique is ineffective. Out of the box, Windows is not configured to show system hidden files and most end users do not bother to set the option to view them.

4. Specific targets?

Trojan.Netview appears to search for specific data to collect, exibiting a particular interest in transaction systems, database backups, and even antivirus quarantine folders (which we observed earlier during the Bank of India hack). For obvious reasons, there are pictures that we can’t share be here are some that we can.

This appears to be a phisher who had his/her information stolen:

This Giftshop’s data is now in the hands of the bad guys:

Pictured here is a dump of credit card transactions. The logs have since been removed from the server:

This appears to be a 911 emergency center system. While we are not 100% certain, “STATION1” could be one indicator:

So what can be done protect yourself or organization from this threat? As we have preached many time before: Keep your systems patched and use up to date antivirus software or other security software. Of course, a full scan with CounterSpy or CounterSpy Enterprise will remove all variants of this Trojan that we know about.

To see if you are currently infected, it might be a good idea to monitor your network for traffic flow to the IP address: 82.146.43.55. And while you are at it, be sure to deny all access to this address on your firewall.

Adam Thomas

Just got this by email from Didier Stevens:

I witnessed a man-in-the-middle attack on the TLS at hack.lu (a hacker/security conference held in Luxembourg) this weekend. Thomas Roessler, who was also in the room, managed to capture a lot more than a screenshot and posted his fact-findings here.

So, what happened? As I said in a spontaneous lightning talk after that session, my diagnosis was that somebody was running a man-in-the-middle attack on a room full of security people. The tool they were using rewrote the TLS certificates that were shown by servers, but tried to keep the human-readable information in the certificate intact. (As Benny K notes in a comment, “the certificate seemed fine”.)

What fascinates me most about this incident is that several security professionals in the room still accepted the forged certificate while they knew they were connected to a hostile wireless network.

You can see the image at Didier’s blog here.

Alex Eckelberry

For your weekend viewing pleasure: AOL France did an amazing video of the End of AOL France.

Must watch.

The password is “aollover”.

(Via Silicon Valley Insider.)

And it’s all done in one shot.

On seeing the video, ex-AOLer Peter Shankman (who got laid off from AOL in 1996), said “say what you want, but working at America Online was still, to this day, the best thing that ever happened to me in my life. The second best thing was being laid off.” (And he loves the French video — “when we got laid off in 1996, all we did was drive home and drink beer.”)

Alex Eckelberry
(Thanks Skip)

One of the hazards of blogging and writing about malware is that occasionally, users will Google a piece of malware, find some posting on our website or blog about it, and incorrectly assume that we’re the makers of it.

In this case, a user, Jane, apparently googled WinAntivirusPro, thought that we are the ones who make it and sent us a scathing letter recently. It’s high on profanity, so I have not posted it directly in this blog — instead, it’s linked here. It just goes to show the absolute rage that a piece of malware can create in a user.

Unfortunately, our attempts to convince users that we’re not the developers of this type software often fall on deaf ears.

Ah well.

Alex Eckelberry

We had a pretty good turnout on our presentation on email archiving yesterday. In case you missed it, a replay is available here.

Alex Eckelberry

Dns changer fake codecs.

Alex Eckelberry

You can’t make this stuff up. We just received this sick spam from a user in the field:

Then, followed by this one:

The contact email address appears to be an email address of a legitimate (err, normal) person, so it’s likely an attempt to wreak havoc on some poor sods life (a Joe Job). We continue to research this.

Alex Eckelberry

Update: Brian Krebs let me know that this isn’t new. I’m surprised I’ve never seen it before.

Joe St Sauver, Ph.D. at the University of Oregon gave a rather grim presentation at the Internet2 Member Meeting last week.

He points out the potentially serious issue of electromagnetic pulse (EMP) and pandemic flu as threats. While some might feel this is a good opportunity to bring out the Good Old Aluminum Foil, it is interesting stuff, possibly serious and having a basic understanding of these types of threats is worthwhile.

Today we’re going to talk about two unusual threats: high altitude electromagnetic pulse (EMP) effects and pandemic flu.

Those may seem like a couple of odd topics. After all, aren’t system and network security guys supposed to worry about stuff like network firewalls, hacked systems, denial of service attacks, computer viruses, patching, and when you last changed your password? Sure. No question about it, those are all important system- and network-related security topics, and those are all topics which have been covered repeatedly in a variety of fora.

Given all those sort of mundane threats, it can be hard to think about “throw it long”/less-talked-about threats — after all, there are just too many high profile day-to-day operational IT security threats which we have to worry about instead, right? No – emphatically no! You need to worry about both the day-to-day stuff, and the really bad (but thankfully less common) stuff, too.

Check it out here (pdf)

Alex Eckelberry
(with thanks for Paul Ferguson for the link.)

I’m putting a call out for beta testers for the new version of our network security tool, Sunbelt Network Security Inspector (this a tool for network security analysis, not for home/consumer use — think of tools like Nessus, etc.).

If you’re involved in network security, I invite you to beta test this new release. Simply send an email to beta(at)sunbelt-software.com, with the subject “SNSI 2.0 BETA”.

Alex Eckelberry

From Byron Acohido (of USA Today):

As many of you know, I have been working with Jon Swartz on a non-fiction techno thriller about Internet security and cyber crime. We’re in the home stretch, with publication set for April 2008.

Here’s a preview from their website:

On a frigid afternoon in December 2004, veteran Edmonton Police Detectives Al Vonkeman and Bob Gauthier hustled to the Beverly Motel, a dingy, cinder-block establishment, where rooms rent by the hour. They were chasing down a tip that someone in Room 24 was using the phone to access a dial-up Internet account linked to an email folder brimming with stolen identity data.

As Vonkeman and Gauthier prepared to burst in, the door to Room 24 opened and out strolled Biggie, a garrulous methamphetamine addict and trafficker they’d arrested numerous times, followed closely by Socrates, a gaunt 20-year-old computer nerd. Both were sky high on ice—crystal methamphetamine—but gave the officers no trouble. Inside Room 24 the detectives found meth pipes, stolen credit cards, notebooks with handwritten notations about fraudulent transactions, and print-outs of stolen identity data. The distinctive sickly aroma of recently-smoked ice pervaded the air.

“They were just starting to set-up,” recalls Vonkeman.

Biggie and Socrates were preparing to play bit parts in an international money laundering scam made possible by the financial services industry stampede to exploit the Internet’s convenience and global reach. The little operation in the motel room may have looked like small potatoes. But Vonkeman and Gauthier would later discover that the pair worked in concert with a loose confederation of hackers and scammers based in the U.S., Quebec, Romania and Bulgaria. The Edmonton addicts, in fact, comprised a prototypical cell of street operatives helping to carry out the final, riskiest step of online scams—extracting cash from hijacked accounts.

The set-up in Room 24 was not an isolated example. The Internet is rife with chat rooms where drug addicts and street toughs forge partnerships with Third World hackers and fraudsters. This teeming, mostly unseen, world of Internet crime points up a cataclysmic shift all too quietly reverberating through Western society. Here’s the dirty little secret about the digital age we live in: no one is safe from data theft and online financial fraud.

Link here.

Alex Eckelberry

Following on my previous rant, iPhone Elite (a development group that’s spun off of the unofficial “iPhone Dev Team”) has posted instructions on how to unbrick an iPhone (via InfiniteLoop).

While it’s certainly doable for anyone with a modicum of technical expertise (and written for that audience), one can only wonder about average users (for whom it could be argued that Jean François Champollion had an easier time deciphering Egyptian hieroglyphics).

Example:

6. Complete the baseband downgrade by jailbreaking/activating, installing SSH on to the iPhone etc. There are tons of wiki’s about that so I won’t repeat. (Probably also true for step 4 and 5.)

7. Extract the baseband firmware and EEPROM files of 3.14 from the ramdisk of firmware 1.0.2. The files are named ICE03.14.08_G.eep and ICE03.14.08_G.fls and are located under /usr/local/standalone/firmware.

8. Get the secpack of baseband firmware 4.0 (some people have that, I have no idea how they got it but its needed). Name it “secpack”. (maybe http://**********.com/files/61914114/secpack40113.bin will help)

9. Download iEraser2 here or from Geohot’s blog.

10. Install all the tools onto the iPhone (I use the location /usr/local/bin.) You need to have SSH access to the 1.0.2 firmware iPhone and upload iEraser2, the secpack, ICE03.14.08_G.eep, ICE03.14.08_G.fls and anySIM 1.0.2

This is ludicrous. Apple, please figure out a way, tacitly or explicitly, to unlock the damned phone so people can get on with things — and please stop bricking phones. Your contract with AT&T is not nearly as important as your goodwill and market opportunity.

Alex Eckelberry

For some time, malware researchers around the globe have been tracking the shady work of the Russian Business Network (RBN) .

If you wanted to point a finger at one group responsible for a lot of pain on the Internet these days, it’s this outfit.

Brian Krebs at the Washington Post has written a good overview of the RBN.

Article here, with further posts on Brian’s blog here and here.

Alex Eckelberry
(Hat tip to Ferg)

Who is Alexey Tolstokozhev? According to a post on a website run by “Alex Loonov”, he’s a really bad spammer and he’s been shot.

Wow, just saw this on TV, so I decided to translate this story into English so my readers will be first to learn this. Sorry for mistakes in my English, I’m doing this in a hurry 🙂

Alexey Tolstokozhev (btw, in Russian his name means ‘Thick Skin’), a Russian spammer, found murdered in his luxury house near Moscow. He has been shot several times with one bullet stuck in his head. According to authorities, this last head shot is a clear mark of russian hit men (known as “killers” in Russia).

This is starting to circulate around the net rapidly.

Except I’m not sure it’s true.

Alexey Tolstokozhev doesn’t show up on ROKSO. He doesn’t show up on any web searches. And no one I know in the security industry has ever heard of this guy.

And who is Alex Loonov? Well, his website shows all kinds of archives and looks like it has a lot of material.

Except it was only registered today, at, of all places, the infamous EST Domains.

I smell a hoax.

Alex Eckelberry
(Hat tip to Jose Nazario)

Update: Yup, it’s certainly a hoax.

Update 2: I wouldn’t encourage visits to this hoax site. There’s no malware on it and you’re not going to get infected. But given where this thing is hosted (and the fact that it is tracking visits), why bother? (If you’re seriously paranoid, you might even go so far as to use TOR to anonymize yourself.)

At any rate, here’s the link to the hoax website: loonov(dot)com/russian-viagra-and-penis-enlargement-spammer-murdered(dot)htm

This is a new scam, which does a fake scan of your PC off of a web page. Pretty cool to watch — it just makes stuff up.

As Sunbelter Patrick Jordan says:

It installs a toolbar and an exe in a webspyshield folder however, it is a fake web based scam. You have to be connected for it to run and I would hate to think what anyone may pay for to register it as it is no real software but only a new form of their online scanner scams.

The hijackthis shows it even hijacks the home page.

R0 – HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://webspyshield(dot)com/scan.html
O2 – BHO: WebSpyShieldToolBarShower – {DC87418B-0B2C-424E-900D-54F2ECE15B6B} – C:Program FilesWebSpyShieldWebSpyShield.dll
O3 – Toolbar: WebSpyShield – {E4988DE7-C5DB-4173-96F9-AAC426AF7BCE} – C:Program FilesWebSpyShieldWebSpyShield.dll
O4 – HKCU..Run: [WebSpyShield] C:Program FilesWebSpyShieldWebSpyShield.exe

Alex Eckelberry
(Credit to Bharath)

Our new email archiving product, Sunbelt Exchange Archiver, is being released November 5^th. I’m holding a webinar to give a preview peek of the product.

Webinar: Powerful Email Archiving for Exchange Made Easy

Join us for a sneak preview of Sunbelt Software’s new Exchange email archiving and compliance solution, Sunbelt Exchange Archiver™, scheduled for release the first week in November.

If you need a powerful, easy to use, enterprise-class email archiving tool that automatically enables you to comply with all requirements, and allows you or your end-users to transparently retrieve any archived email, then don’t miss this webinar.

The webinar will be hosted by Alex Eckelberry, CEO and Greg Kras, VP of Product Management for Sunbelt Software on Tuesday, October 16th at 2:00pm EDT and will explain the features and benefits of implementing a powerful email archiving solution on your Exchange Server at an affordable price.

Learn how Sunbelt Exchange Archiver can help you:

• Improve Exchange performance
• Eliminate PST headaches
• Dramatically reduce backup times
• Use up to 80% smaller message store
• Meet compliance requirements
• And more

When: Tuesday, October 16, 2007 2:00 PM EDT

To register for this event click here.

I’m actually quite excited about this release. This is a really, really good tool for archiving emails for security, compliance and performance purposes.

Alex Eckelberry

How to make custom toolbars out of folders
One way to make a custom toolbar in XP or Vista is to use the New Toolbar selection when you right click the taskbar. Then you can browse to a folder and turn it into a toolbar. However, if you have multiple monitors, you may in some cases have trouble docking these new toolbars on your secondary monitors. Here’s another way that will overcome that problem.

1. Right click the desktop, select New and then Folder.
2. Name the new folder whatever you want your new toolbar to be.
3. Now drag shortcuts for the applications or files you want to access with the toolbar into the new folder.
4. Drag the folder onto the monitor where you want to dock the new toolbar, if it isn’t there already.
5. Now just drag the folder to any side of the screen (except the one that drags it off screen to another monitor). This will create a toolbar there with the contents of the folder.
6. Right click an empty spot on the new toolbar to change the size of the icons, configure whether or not to include text with the icons, etc.

You can put any kind of file or program on these toolbars. For example, I created a toolbar that holds shortcuts to each computer on my network. You can see screenshots of these custom toolbars on my blog site.

Where are Vista system restore files?
QUESTION: Just a short question. Hope you can answer it for me. Where can I find the system restore files in Vista? Thank you. — Ken K

ANSWER: The file filter driver system for system restore used in XP and other previous versions of Windows is replaced with a new approach in Vista. Now, when you create a restore point, a shadow copy of a file or folder is created. A shadow copy is essentially a previous version of the file or folder at a specific point. Windows Vista can create restore points automatically, or do so when you ask. When the system needs to be restored, files and settings are copied from the shadow copy to the live volume used by Windows Vista. To find shadow copies for a particular file, navigate to that file in Windows Explorer, right click it and select Properties. Then click the Previous Versions tab. Here you’ll see the shadow copies that have been saved on the hard disk and the date when each was created. To find the actual location of the copy, right click it, select Properties, and look at the Location field on the General tab. See the screenshots of this here.

How to log onto XP if you forgot your password redux: In our last TechTips, we wrote about how to logon to XP if you forgot your password. Reader Angus Scott-Fleming writes “Have you seen or used this? I have, it works as advertised, allowing you to boot from a CD and reset any local Windows NT/2000/XP user’s password: Link here.

WGA validation no longer required to download IE 7
Microsoft has changed their policy on downloading Internet Explorer 7. Now all XP users can upgrade to the newest version of the browser – without going through the “Windows Genuine Advantage” validation process to verify that you aren’t running a pirated copy of the operating system. Is this a trend? Will the company back off the annoying (even to those with a genuine OS) WGA validation requirement for other downloads? We don’t know, but it seems like a step in the right direction. Read about it here.

Vista: What’s that power button on the Start menu for?
Vista gives you plenty of options when it comes to shutting down your computer. At the lower right of the Start menu, you’ll see three buttons: a Power button, a lock button and a right arrow button. Clicking the right arrow gives you all the usual choices: switch user, log off, lock, restart, sleep, hibernate and shut down. Clicking the lock button gives you a fast way to lock the computer. Clicking the Power button will save your work and programs as they are and put the computer into sleep mode or, if it’s a portable computer and the battery is low, this will save your work to the hard disk and turn it off. See a screenshot of these buttons here.

IE home page resets to “about:blank” and Defender quits
If you suddenly find that your home page has been reset to “about: blank” and Windows Defender unexpectedly quits, take action quickly. This can mean that your computer has been infected with the Win32/Banker Trojan, and it’s an ugly one because it collects personal information when you visit online banking sites. To find out more, see KB article 894269.

Troubleshoot problems with reading CDs and DVDs
If your Windows XP computer is unable to read a CD or DVD, it can be due to any of several causes. KB article 321641 provides troubleshooting guidelines to help you determine what the problem is and how to resolve it.

Automatic updates cause Svchost.exe issues
When you use Microsoft Update to scan for or apply updates that use Windows Installer 3.1, you may find that CPU usage goes up to 100% and the computer stops responding and/or you get an access violation error related to the svchost.exe process. If this is happening to you, check out KB article 932494.

Deb Shinder

This is actually quite serious. Beer(dot)ch has been hacked and is serving some very vicious malware. DO NOT GO TO THIS SITE UNLESS YOU KNOW WHAT YOU’RE DOING.

Alex Eckelberry
(Hat tip)

Yahoo guy Ian Rogers skateboards (something I used to do until fairly recently, when a broken rib made me realize my age) and used to tour with the Beastie Boys.

Ok, so that makes him generally cool. But his anti-DRM rant at to music industry folks is downright inspiring.

I’m here to tell you today that I for one am no longer going to fall into this trap. If the licensing labels offer their content to Yahoo! put more barriers in front of the users, I’m not interested. Do what you feel you need to do for your business, I’ll be polite, say thank you, and decline to sign. I won’t let Yahoo! invest any more money in consumer inconvenience. I will tell Yahoo! to give the money they were going to give me to build awesome media applications to Yahoo! Mail or Answers or some other deserving endeavor. I personally don’t have any more time to give and can’t bear to see any more money spent on pathetic attempts for control instead of building consumer value. Life’s too short. I want to delight consumers, not bum them out.

If, on the other hand, you’ve seen the light too, there’s a very fun road ahead for us all. Lets get beyond talking about how you get the music and into building context: reasons and ways to experience the music. The opportunity is in the chasm between the way we experience the content and the incredible user-created context of the Web.

Lots more here.

Ok, so time for me to rant:

Back in the 80s, I started my professional career at a company called Borland, one of the great success stories of the early microcomputer software business. (While Borland is still around, it’s not nearly the same company as it was, now having moved to Austin, TX from laid-back Santa Cruz, CA and ventured into software for quality assurance testing. Quite different so I can’t speak to the current culture.)

Philippe Kahn, the CEO of Borland, had a very simple philosophy, which molded a lot of my subsequent thinking and practice as I moved forward in the industry.

The philosophy was:

1. No copy protection.
2. Users agreed to a simple “no-nonsense” license agreement, which simply stated that “software was like a book”, and was written in something close to readable English.
3. If you didn’t like the software, you could get your money back (incidentally, the rate of people returning products was incidental).
4. Products were priced affordably (and this was the linchpin of the whole philosophy).

Simple concepts. But the world was different back then. A lot of people in the business now don’t know how bad things were. But here’s the contrast:

1. Software was copy protected and it was a PAIN. An entire company, Central Point Software, was built around a product called Copy II PC, which allowed you to break copy protection. And even if you were the legal owner of a software program, you still wanted to break the copy protection, so you could actually use the product.
2. License agreements were horribly complex.
3. You couldn’t get a refund if you weren’t satisfied.
4. Software was outrageously expensive.

By doing what he did, Kahn helped boom the business. Many people got started in programming with Turbo Pascal, Borland’s first product. You could actually afford it — it was 50 bucks. Microsoft’s Pascal was something like $500 dollars at the time. The company went on to launch a number of other products, but then got bogged down in some bad acquisitions and subsequently got murdered by Microsoft’s pricing strategies for MS Office. (More on that whole story another time.)

To me, Kahn’s philosophy was completely logical. If you made something people wanted that was affordable. people would buy it and they wouldn’t pirate. And by showing the user respect, and not treating everyone like a dishonest scumbag, guess what: You get more honest users.

And so now we come to DRM. It’s as if no one every learned from our early mistakes.

Here’s what’s going to happen:

1. If it’s not stopped, DRM will continue to get more and more complex, with more and more hardware and software interaction, in order to beat the constant stream of people breaking DRM. This will end up breaking applications and the computers themselves. Complexity built upon complexity results in disaster.

2. Hackers will continue to beat the system and so the cycle will continue, getting more and more complex. See 1 above.

3. Some enterprising person will come along and introduce “DRM free” music/videos/games or what have you, and take the market by storm.

The most you want in a licensing control system is “enough to keep the innocent honest”. Such is the case with registration keys for software products — the honest person will pay the registration fee. The dishonest person will always break it. But when you build a system to stop all possibilities of dishonesty, it almost seems that you are building a system based on the logic that “all people are dishonest”, which has as its corollary, “guilty until proven innocent” — in essence, building a system around proving a negative.

Let’s hope that we can create a simple framework for both artists (who really just want to share their creativity with others while getting fairly recompensed) and users to benefit. If we can relieve the system of the DRM virus, it will flow freely and grow.

Alex Eckelberry
(Hat tip)

Interesting little comment storm on yesterday’s blog post.

Alex Eckelberry