Beware using iPhone overseas?

Got this from someone today:

If any of you are headed overseas armed with your new iPhones, watch out. If you let it download data it can really cost you. After a 36-hour trip to London they suspended my service when it hit $3,500 for data charges. Since then I’ve retroactively added their best data plan and am still looking at a $600 plus bill. Even so, the plan allows for a measly 50mb per month (I burned 120mb and don’t even remember looking at much besides the NYT) and is only good in certain countries.

Anybody know a consumer protection beat writer?

Gulp. Any other similar experiences out there?

Alex Eckelberry

Here’s one company that won’t be bundling any toolbars soon

Our good buddy Bill P got pitched to bundle a toolbar with his product, WinPatrol. Unlike some others out there, he firmly passed, turning down loads of money:

I crunched the numbers and sure enough the revenue I could receive by including the toolbar would be huge. My overhead is low and the free version of WinPatrol has many thousands of downloads even on the slowest day. If I chose to include the Ask.com toolbar I could probably retire comfortably by the end of the year.

Unfortunately, a number of people think I’m a really good guy and I respect their opinion. For the last ten years WinPatrol has had a flawless reputation. I know myself, I really hate companies that install additional software that I didn’t ask for. It’s not only rude, it’s just wrong.

Right on, Bill.

Alex Eckelberry

Upgrade to iHateSpam for Outlook

Today, we released version 5 of iHateSpam.  Initially, this release will support Outlook, and by the end of the quarter, we’ll have support for Outlook Express and Thunderbird (for now, people wanting spam protection for Outlook Express should download iHateSpam 4). 

Upgrades to this new version are free for current iHateSpam customers under a maintenance plan.

This new version was developed in partnership with our friends over at Cloudmark, and it is light years ahead of our prior version (which, frankly, had gotten long in the tooth).

There’s a long, long story behind iHateSpam.  It was the first security product I launched shortly after coming to Sunbelt in 2002, and I have lots of memories with this little tool (and a few tales to tell, but that’s for another time).

Feel free to take it for a spin.  It’s a really nice desktop antispam solution, and it’s priced to be a no-brainer.  Product page link here, company PR here.

Alex Eckelberry

Scam sites

First, we have a complete rip-off of the PC Tools site, pushing the rogue security program SpyShredder.

[Screenshot: the copied PC Tools site pushing SpyShredder]

Then, courtesy of our friends at F-Secure, we have this application for the Mac which “finds” malware on any machine (Mac, Windows, whatever), even when there is no malware there. In fact, what it is finding is completely bogus.

And check out these amazing results on what I thought was a Windows XP system:

[Screenshot: MacSweeper “results” on a Windows XP system]

Alex Eckelberry
(Thanks Adam)

Our first hardware product — Ninja Blade

[Image: Ninja Blade]
Back in 2003, when we first shipped our antispam product for businesses, iHateSpam for Exchange, we built it specifically for Microsoft Exchange. Then, when we came up with iHateSpam’s successor, Ninja Email Security, we again focused on tying very closely into Exchange.

Hooking tightly into Exchange has real benefits to the administrator. For example, since we’re on the Exchange box, we’re seeing every email in the organization, so we could then do things like intra-company attachment filtering.

However, we found that a number of admins were using our Ninja product on Exchange, but also running a box on the gateway to “pre-filter” to reduce the load on Exchange — often, cheap boxes. And this makes sense: with 90% of email traffic being spam, you want to keep as much load off the Exchange server as possible.

We thought we could do a better job of it, and so we started working on our product — evaluating the competition, seeing what was out there.

A dominant theme in our research was something like this: A company takes a bunch of open source software, puts it on some cheap hardware, and ships it. Certainly, there were exceptions. At the high end of the market, you have companies like IronPort, which builds beautiful technology on top of Dell hardware. But it’s very expensive stuff.

We don’t like expensive.

Now, there are a few core components in an email security appliance:

– The operating system. In most cases, you’ll see Unix variants, but in some, you’ll see Windows server boxes.
– Mail server software. This handles the job of actually delivering the email. Often, Sendmail is used for this task.
– An antispam engine (often, SpamAssassin, a solid antispam engine)
– An antivirus engine (often, ClamAV)
– The hardware itself

In other words, what a number of companies will do is simply take a hardened version of Linux, put SpamAssassin and ClamAV on top of it, add a few enhancements, make a UI to pull it all together, throw it on a box and ship it.

Now, that model is fine, but we didn’t agree with many aspects of it (for starters, why not just do it yourself at that point?).

So what could we do that could really give the competition a run for their money?

First, we could start with the hardware. Instead of using low-cost, disposable hardware, we would partner with Dell, which makes outstanding server hardware (you can argue about their desktop systems, but their servers are an entirely different game). By doing so, we would be able to get solid quality hardware, as well as provide our customers, at no charge, Dell onsite service with a guaranteed four-hour turnaround time. It costs me more. But it’s better.

Then, we took an excellent Linux variant, CentOS, and hardened it for enterprise-grade security.

Then, our software would be carrier grade, not a bunch of apps thrown together in a box.

Our mail server — the most important component — was going to be top notch. So we partnered with MessageSystems, a leading developer of mail server software that’s used by carriers (for example, Verizon is one of their customers). This software is rock-solid, and is also blindingly fast.

Then, we partnered with our friends at Cloudmark for the antispam component, and BitDefender for the antivirus component (we’ll add our own AV engine later this year, after our AV certifications are complete). Cloudmark is the Rolls-Royce of antispam products, with low false positives and a high catch rate; BitDefender is one of the best antivirus engines on the market.

And instead of some UI that looks like it was made to run on an old DEC VMS system, Robert LaFollette, our creative director, worked to make something that was elegant, powerful and simple. We wanted to make it easy to use, realizing that a lot of admins don’t have the time or patience to go through pages of documentation.

We didn’t go for having all the possible bells and whistles in the first release. We focused on providing solid email security that won’t break your budget (or the delivery of your email).

So there you have it: Ninja Blade, our first hardware product. And the price is very, very low: $1,995 for the base model (up to 500 users), with an additional $599 for the first year of updates and upgrades. Prices go up from there for larger sites.

If you want to see the UI, I have a real-live box that you can play on. Simply go to demo.ninjablade.com, and use the user name “admin” and password “ninjablade”. Have fun! (The server gets reset periodically, so just try again in a few minutes if the link doesn’t work.)

More corporate propaganda here, and the product website here.

Alex Eckelberry

How incredibly sick — targeting small non-profits

Last night, I did one last quick email check before calling it a night and saw a message from a friend who works with a small non-profit. She’d forwarded the Barbara Moratek spam, greatly concerned about it. I took a quick look, and got a blog post up so that at least people searching the name would be warned. I didn’t think it would elicit much reaction.

This morning, I took a look at the comments and was just disgusted to see all the comments from non-profits that had been targeted by this scam. These were the people who Googled the name and found my blog post. What about the others who didn’t?

How sick to target people who are working with no money to help others in need.

Oh, that’s bad, bad karma.

Alex Eckelberry

Beware Barbara Moratek of the Ivete Foundation

There is a new scam going around where small non-profit organizations are being targeted by a “Barbara Moratek” of the “Ivete Foundation”.

The email looks something like this:

———
From: B. Moratek- Ivete Foundation [mailto:bmoratek@ivetefoundation.org]
Sent: Thursday, January 10, 2008 5:42 PM
To: <redacted>
Subject: Information for prospective donors

Would you have additional information for prospective donors or volunteers other than what is on your website? Thank you in advance.

Warm regards,

Barb
Barbara Moratek
Vice President, Director of Grant Programs
Ivete Foundation
Phone-
Fax- 800.397.7205
Web- www ivetefoundation.org
———

The spam email is likely some type of 419 scam.

However, Googling “Barbara Moratek” shows a bunch of links pushing fake codec Trojans and other junk sites (many on Blogger).

[Screenshot: Google results for “Barbara Moratek” pushing fake codec sites]

[Screenshot: more “Barbara Moratek” junk results, many on Blogger]

It’s likely that malware sites are taking advantage of the fact that people will be Googling this name to find out more about it: they stuff pages with the term “Barbara Moratek” (spamdexing), using purchased or otherwise acquired “zeitgeist” keywords (that is, loading sites up with currently “hot” keywords and then using them to lure people to their site).

Our research is continuing, but we felt it prudent to get a blog post up so that people googling this name will hopefully have some kind of warning.

Alex Eckelberry

Redirects and poor security

[Screenshot: Banca Fideuram site being used in a phishing redirect]

Here’s a legitimate bank, Banca Fideuram, whose real site is actively being used in phishing redirects.

You can see for yourself how poor a job has been done with this site: this link will generate a popup that’s certainly not from the bank.

Pretty sloppy.

And now we have congress-critters’ websites unwittingly being used to redirect to all kinds of sites. Take a gander at this Google search [*.house.gov/exit.aspx]. See all the spam links pushing redirects, hopping off the websites of our Honorable Reps? Or how about adding the word “intelligence” for some more fun?

This poor congress-critter is unwittingly redirecting some visitors to a hard core porn site, gipno(dot)com — www.blunt(dot)house.gov/exit.aspx?link=gipno(dot)com.

Heck, they’re not the only ones. Take, for example, Hershey’s (which, to their credit, requires user assent to redirect), or this school.

Some of these have been out for quite some time…

I’m certain there’s lots more out there. Feel free to post more of your own findings in the comments section.

Alex Eckelberry
(Credit to Francesco Benedini, sikurezza.org mailing list and Marco d’Itri for pointing out the bank redirect, and Adam Thomas for the house redirect)
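The bank redirect and the house.gov exit.aspx links above are the same bug: a redirect handler that sends the browser wherever the `link` parameter says. The following is an added example, not code from the page or from any of the sites named in it. It reconstructs that vulnerable pattern next to a hardened version that only honors same-site paths or an allowlist of external hosts; the host names and the allowlist are assumptions chosen for illustration.

```python
"""Open-redirect handler: the vulnerable pattern next to a hardened one.

Added example (not code from the page or from any site named in it). The
host names in ALLOWED_EXIT_HOSTS are assumptions chosen for illustration.
"""
from urllib.parse import parse_qs, urlsplit

# Assumption: the few external hosts this site is willing to hand visitors
# off to. A real deployment would load this from configuration.
ALLOWED_EXIT_HOSTS = {"www.congress.gov", "www.senate.gov"}
DEFAULT_LANDING = "/"


def unsafe_exit(link: str) -> str:
    """Reconstruction of the exit.aspx?link=... pattern: whatever the query
    string says becomes the Location header, so anyone can mint a link like
    exit.aspx?link=http://attacker.example that bounces off the trusted host."""
    return link


def safe_exit(link: str, default: str = DEFAULT_LANDING) -> str:
    """Return a destination that is either a same-site path or an allowlisted
    absolute http(s) URL; anything else falls back to `default`."""
    link = link.strip()
    # Control characters and backslashes are used to smuggle hosts past naive
    # checks ("/\\attacker.example" is treated as "//attacker.example" by browsers).
    if not link or any(ord(c) < 0x21 or c == "\\" for c in link):
        return default
    # A same-site relative path: exactly one leading slash, not protocol-relative.
    if link.startswith("/") and not link.startswith("//"):
        return link
    parts = urlsplit(link)
    # Compare the parsed hostname, not the raw netloc: "http://trusted@evil"
    # parses with hostname "evil", and urlsplit lower-cases hostname for us.
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_EXIT_HOSTS:
        return link
    return default


def handle_exit(query_string: str):
    """Minimal stand-in for the exit handler: read `link` from the query string
    and return the redirect status plus the Location value to send."""
    link = parse_qs(query_string).get("link", [""])[0]
    return 302, safe_exit(link)


if __name__ == "__main__":
    # Constructed probes covering the common bypasses of a naive check.
    for probe in ("gipno.com", "http://gipno.com", "//gipno.com",
                  "/\\gipno.com", "http://www.congress.gov@gipno.com/",
                  "javascript:alert(1)", "https://www.congress.gov/bill/1",
                  "/members/directory"):
        print(f"{probe!r:42} unsafe -> {unsafe_exit(probe)!r:36} safe -> {safe_exit(probe)!r}")
```

The allowlist is the strong fix; where a site genuinely needs to link out to arbitrary hosts, the alternative is the interstitial that Hershey’s uses (a “you are leaving this site” page that requires a click), which at least removes the automatic bounce the spammers are exploiting.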

New fake codec sites — Mac and Windows

Same old DNS Changer Trojans.

codecpro samples:
Windows: codecpro net/download/codecpro123.exe
Mac: codecpro net/download/codecpro123.dmg

codecviva samples:
codecviva com/download/codecviva1234.exe
codecviva com/download/codecviva1234.dmg

As always, please do not download these Trojans unless you know what you’re doing.

Patrick Jordan and Adam Thomas

Stu’s 2008 predictions

Stu Sjouwerman here does the annual prediction thing in his newsletter, Wservernews. (Note that the predictions are geared toward his audience, IT folks.)

Since I don’t do annual predictions (I hate doing these types of things), I’ve decided to post his.

I don’t agree with all the points, but some are interesting. So here it is:

Stu’s 2008 Predictions

MICROSOFT: Windows XP lives! Redmond will announce another extension until Jan 2009 for WinXP, instead of the June 30 cutoff. During 2008 they will trumpet that they broke the 200 million Vista sales, but will not report the amount of people that have downgraded to WinXP.

OPERATING SYSTEMS: Virtualization will continue strong growth as W2K8 Hyper-V is released. — Desktop virtualization will start its mainstream debut in 2008, providing intelligent provisioning of applications to desktop users. — Open Source Solutions will continue to grow, but at the same slow pace. — Linux Desktop solutions will continue to show promise, and despite Vista, will continue to fall short. — IPV6 will start becoming relevant. — Vista will get a 10% market penetration in 08, and thus will start getting attacked significantly more.

IT BUDGETS: SMB will mainly spend the money which is not sucked up by ‘keeping the lights on’ buying blades, virtualization storage and security. — If you have lots of small satellite offices, their pipes will need to be beefed up in 2008 as the Internet slowly but surely is getting gridlocked.

MALWARE: Spam will still be a problem. — Malware will use high traffic Internet sites as go-betweens to help bypass current detection and control methods. — (Spear) phishing attacks will continue to rise, and several will hijack presidential campaigns. — For SMBs servicing public companies, regulators and auditors looking downstream will knock on their doors, too. — Up to now, mobile devices and IM have been relatively malware free, but… no more in 08.

MACRO ECONOMICS: The collapsed two housing / mortgage bubbles (which were fueling each other) will be the precursor for a major 2008 correction on either the Indian or Chinese stock exchanges or both at the same time. Keep in mind that ultimately money is nothing more than an idea, and this idea is backed by confidence. If the confidence drops, the bottom falls out of bubbles. Strap yourself in for the coming year.

HARDWARE: Wireless Internet devices become a BIG deal. “I want my IP phone + music + kindle + video + Internet” Google buys 700MHz spectrum, and sells a single device that does all that with no per minute fees; free, but Adwords-based or monthly flat rate subscription. — Support for Muni Wi-Fi is going to die and will be eclipsed by Wi-Max. — 2008 will see the first mass produced plastic digital displays. — You will see the first game control hardware that uses a headset reading brain waves. — 24 inch wide-screen monitors will hit the mainstream mid 2008 and thereafter will become the norm. Look for Wi-Fi-based robots emerging from small companies this year, and a new Sony AIBO doggie with the same features.

SECURITY: Electronic voting machines will be hacked in November 2008. — ‘Cloud Computing’ will penetrate as the new 2008 buzzword, but security issues with it will keep it from going mainstream. — Users will still be your weakest link in 2008. — The Payment Card Industry (PCI) standard will get teeth and very real for anyone accepting credit cards. — Bots will go peer-to-peer and harder to take down. — Criminals will start attacking virtual worlds — Virtualization opens up a new huge attack surface.

2008 TECH TRENDS: Redmond’s new SilverLight V2 technology will have a 30% market share by the end of 2008, mainly at the expense of Adobe’s Flash. — Tesla will produce 600 electric sports cars at a hundred grand each and sell them all — TV will be IP-streamed at the same time as broadcast. — Amid growing privacy concerns and intense state-level opposition, the costly Real ID Act of 2005 will collapse under its own weight in 2008. — The ‘presence’ aspect of Unified Communications (UC) which is able to track you down wherever you are, will cause major backlash in early UC deployments.

2008 CAREERS: Admins that are able to include security in their job responsibilities will do well. Add disaster recovery and business continuity and you will be doing more than fine. 2008 is the year to take ownership of your career path. Your boss will not do it for you. Try Identity Theft as a career path, it will be extremely lucrative in 2008. ;-D

WEB SECURITY: The first shots have already been fired, but a major diplomatic incident regarding hacking will erupt, allegedly involving the Chinese getting access to highly confidential data. In the meantime, the Olympic village in Beijing will be hacked from outside China. — Plan to be invaded by (or block) Social Networking site traffic.

GLOBAL CLIMATE: I predict that at least one cruise line will offer “2008 Northwest Passage” tours through the once again ice-free polar ocean. — Did you know that computers consume 14% of the energy generated in the U.S.? In 2008, Intel will start a ‘Green IT’ campaign of “ten times the performance at 10 times less the power.” — But IT departments will suffer from 2008 Eco-Fatigue as many IT vendors suddenly declare all kinds of non-proven environmental benefits.

WILD-ASS GUESSES

  • Oracle Buys SalesForce.com
  • Palm gets acquired by Microsoft
  • Adobe gets acquired by Microsoft
  • Yahoo will sell out to… Microsoft
  • Presidential race Obama / Huckabee has electronic voting scandal
  • Google shares will hit $900, but will see another 25% dip as well, they will get into TV and radio, and announce their own OS.
  • Hi-Def Format Wars will declare peace and come out with one standard, compatible with both formats, with disks below $20.
  • Microsoft launches IE8 in the Spring of 2008. The entire planet needs to be rebooted.
  • Facebook is going to see the same kind of decline in popularity in 2008 that MySpace saw in 2007. The network that is actually really useful for techies like us (LinkedIn) will do extremely well.

Well, there you have it.

Alex Eckelberry

More on RealPlayer zero day

As sometimes goes in this business, misinformation slips through the cracks.

In my post earlier today, I had said that code had been published on this exploit, which makes it very serious.

However, it turns out that this is likely not the case. I was misinformed.

No source code published means a greatly reduced threat level.

I’ve updated my original blog post as well.

Alex Eckelberry

Heads-up: RealPlayer Zero Day

Update/Correction: I was misinformed — it appears that the code has not actually been released, which greatly reduces the threat.

This is actually serious — an unpatched RealPlayer vulnerability.

The code has been published, but we have not seen it being used. However, it could go live at any minute.

There is no known workaround. While the vulnerability has been reported for version 11 of RP, it’s unknown whether or not other versions (or alternatives) are affected.

With the current rash of malicious ad banners, one has to take extra care. The MySpace malicious banner ads were using the Neosploit exploit framework. This particular vulnerability, as far as we know, has not been released into that framework, but if it is, we have a real problem.

Heck, now is as good a time as any to get rid of that awful player.

More info:

Sans advisory (worth reading)
Secunia
FrSIRT

Alex Eckelberry
(Thanks Francesco)

Malicious ads on Myspace, Excite, Blick

We worked earlier today with Brian Krebs at the WP about malicious banner ads on Myspace. (Malware is being delivered through exploits, but fully patched systems won’t be affected.)

Sandi Hardmeier has also been tracking ads at Excite and, now, Blick (a popular Swiss German-language site). These are different from the Myspace ads (in that they don’t seem to be dumping an exploit-driven payload).

Alex Eckelberry

Correction on STOPzilla post (and is a horse a horse, regardless of the color?)

My post earlier this week about STOPzilla bundling the Ask Toolbar deserves some correction.

It turns out it’s not a specially-branded version of the Ask Toolbar (unlike the case of WebRoot and ZoneLabs).

It’s their own toolbar, which uses Ask search results (Ask pays for so-called “search syndication”, deals that generate traffic to their search engine).

The STOPzilla folks argue it’s a horse of a different color (their note here). But is it a horse of that color (as Maria argued)? (Sorry for the obscure Shakespeare references, I know I’ve lost half my audience, but it makes the blog more entertaining for the other two people who read this blog.)

Here’s why it’s still a questionable decision:

  • It’s a pre-checked option. Yes, this gets hazy, because it’s “their program”. But… still, it’s bothersome.
  • And it is a partnership with Ask, a questionable venture on the part of a security company. Now that part is also bothersome. The Google or Yahoo Toolbars haven’t been installed through security exploits.

Ask (formerly Ask Jeeves) has had a history. Now, as far as I can tell, the company has been clean for some time now. They have made dramatic, and often impressive improvements, and I recognize their work, and the genuine hard work of Ask’s Kirk Lawrence. (Uber-spyware fighter Ben Edelman does claim that he recently got an install of an Ask toolbar without any notice or consent, but I haven’t verified this claim.)

So Ask really has made a real effort to clean things up and it shows. And the search engine itself is harmless.

I do understand STOPzilla’s point. It’s not the Ask Toolbar per se. It really is their own toolbar, and all it’s doing is using Ask search results. Fair enough. But is this a prudent move, being that they’re a security company? Does it show too much effort to monetize their customer base, rather than focus on good security? Does it show poor institutional memory, jumping in the sack with Ask? Or is it harmless and simply good business sense on their part?

I’m curious to hear your thoughts.

Alex Eckelberry
(Adrian Kingsley-Hughes at ZDNET weighs in on the bundling issue as well.)