RIP Justin Polazzo (aka Dude VanWinkle)

I just learned that Justin Polazzo, a security consultant employed at Georgia Tech, died on the 4th.

We met Justin a couple of years ago, and enjoyed his energy and enthusiasm for security. Many who are active on security lists (such as Funsec) may remember him under his nickname, Dude VanWinkle.

Our condolences to his family on their terrible loss.

RIP Dude. We’ll miss you.

Alex Eckelberry

Spam pushing Vista SP1 Crackz

Yes, it’s a ridiculous spam, but the malware it delivers is a rather nasty spambot.  As Adam here says “This is a very hard-to-remove spambot (full kernel malware), capitalizing on recent news events.”


Uses a redirect through Google (quite common these days) to deliver the user to the malware site. The initial payload is a trojan downloader (VT report here), which then pulls down the spambot, which we label as Trojan.Crypt.XPACK.Gen (VT report here).
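The Google redirect step is the part of this chain a defender can spot in proxy logs. The following is an added example, not code from the original post: it parses constructed log lines of the form `timestamp client_ip url` and flags Google `/url?q=...` redirector hits whose target is an off-Google host (the `q`/`url` parameter names and the log layout are assumptions).

```python
from urllib.parse import urlparse, parse_qs

# Hosts whose /url endpoint bounces the visitor elsewhere. Only Google is
# named in the post; the parameter names below are an assumption.
REDIRECTOR_HOSTS = {"google.com", "www.google.com"}
REDIRECT_PARAMS = ("q", "url")


def redirect_target(url):
    """Return the external host a Google-style redirector URL bounces to,
    or None if the URL is not such a redirector."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host not in REDIRECTOR_HOSTS or parsed.path != "/url":
        return None
    params = parse_qs(parsed.query)  # percent-decodes the embedded URL
    for key in REDIRECT_PARAMS:
        for candidate in params.get(key, []):
            target = urlparse(candidate)
            if target.scheme in ("http", "https") and target.hostname:
                if target.hostname not in REDIRECTOR_HOSTS:
                    return target.hostname
    return None


def flag_redirects(log_lines):
    """Scan 'timestamp client_ip url' lines and return (client_ip, host)
    for every redirect that leaves Google for an external site."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, url = fields[1], fields[2]
        target = redirect_target(url)
        if target is not None:
            hits.append((client, target))
    return hits


# Constructed sample log; the hostnames are placeholders, not real sites.
SAMPLE_LOG = """\
1202050000.123 10.0.0.5 http://www.google.com/search?q=vista+sp1+crack
1202050001.456 10.0.0.5 http://www.google.com/url?q=http%3A%2F%2Fsp1-crackz.example%2Fget.php
1202050002.789 10.0.0.7 http://www.google.com/url?q=http://www.google.com/webhp
1202050003.001 10.0.0.9 http://example.org/news
""".splitlines()

if __name__ == "__main__":
    for client, host in flag_redirects(SAMPLE_LOG):
        print(f"{client} was bounced through Google to {host}")
```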

Alex Eckelberry
(Thanks Adam)

If you have Adobe Acrobat 7 or 8, make sure it’s updated

Our good friends over at iDefense sent us a heads-up on some nastiness occurring with unpatched Adobe Acrobat 7 and 8 versions.

According to their advisory (attached here, PDF):

Since Jan. 20, 2008, banner ads have actively served malicious PDF files that exploit the vulnerability and install the Zonebac Trojan horse. Once installed, the Trojan kills various antivirus products and modifies search results and banner ads. A similar attack occurred in October 2007 when the same group used a Realplayer zero-day exploit to install the Zonebac Trojan.

No anti-virus vendors currently detect the malicious PDF files. This type of exploit can be used in Web browser and email attack vectors. This vulnerability affects Adobe Acrobat Reader v7.x and versions prior to 8.1.2. Complete mitigation requires upgrading to Adobe Acrobat 8.1.2.

Adobe security advisory link here.

We’ve analyzed the binaries of this attack and it’s real. Updating Acrobat is easy: Just go to Help/Check for Updates. Do it as quickly as possible.

Alex Eckelberry

Legitimate security companies advertised through malware

We’ve seen a number of examples lately of legitimate security companies being advertised through malware.

It is important to note that this advertising is not from the companies themselves. It’s coming through affiliates (meaning, people who earn commissions on the sales they refer).

1. Advertising through Trojan DNSChanger

We have observed both StopZilla and PC Tools being marketed in search redirects from Trojan DNSChanger infections. A video through Vimeo is available below; unedited raw video is available here (video taken on 1/22/2008).


Trojan DNS Changer video from alex eckelberry on Vimeo. Click here for a higher quality version

(Apologies for the poor voice recording quality.)

2. Advertising in LOP

Symantec and Zone Labs products have recently been observed being advertised through popups in CiD (Circle Development, aka C2 Media or Lop.com).


(Observed on 2/6/2008)

3. Advertising in SurfSidekick

Ben Edelman also recently observed a full-screen popup of the Symantecstore.com site while running SurfSidekick.

Traffic flowed as follows: From SurfSideKick (aka Deluxe Communications) to Traffic-Director to Digital River to Symantecstore. Ben was kind enough to provide a screen-capture and a full packet log.


(Observed on 2/3/08)

Affiliate programs are a great way to spread the word on your product, but they need to be monitored carefully for abuse.

Alex Eckelberry
(Additional credit to Adam Thomas at Sunbelt for creating the video)

Nifty new tool from ESET

My good friend and colleague Randy Abrams at ESET showed me their new SysInspector last week when I was in DC, and it is a cool little utility.

From their description:

ESET SysInspector is an application that thoroughly inspects your computer and displays the gathered data in a comprehensive way. Information like installed drivers and applications, network connections or important registry entries can help you to investigate suspicious system behavior, be it due to software or hardware incompatibility or malware infection.

I’ve installed it and am still learning it. But it looks like a potentially great new tool for analyzing troubled systems.


You can download a free beta copy here.

Alex Eckelberry

Zango defends Snopes

In a classic “Thank You For Smoking” spin, Zango CTO KeithKen Smith has responded to my post on Snopes pushing adware:

To be sure, Snopes was pushing Zango: in exactly the same way that it continues to “push”, oh, let’s see, umm, QuickBooks, the Oreck Air Purifier, eBay, a call spoofing service (served up helpfully by Google), and an e-tutorial service for kids who aren’t doing well in school. In other words, Snopes.com serves ads, and makes money from those ads.

This is sophistry at its best and ignores the key fact: This pop-under ad was pushed consistently (at least in my geographic region) and could have easily been turned off through the Fastclick UI. Furthermore, this was one of several pop-unders — it was not a banner ad or a Google adword (which the site has plenty of).

As I’ve said before, I have no problem with advertising. I do have a problem with constantly pushing this type of ad. I did notify Snopes months ago, and they ignored my notification. Perhaps they considered my email spam, perhaps they never saw it, perhaps they didn’t understand it — whatever — but the ultimate point is, it was an ongoing campaign that was prominent on this site.

Later, after ending the original post with “these aren’t the droids you’re looking for” and “Nothing to see here folks. Move along” (yes, he really does say that), Keith then pushes the old “we give great content in exchange for loading your machine up with crap”:

Zango uses desktop advertising to help keep the content we DO install FREE. In other words, if you install our SpamBlockerUtility, you really do get an anti-spam engine that you would otherwise have to pay money for. And yes, while you have it installed, we will show you some targeted ads, a trade-off that we describe no less than three separate times during the install process. But you really (honestly, truly) do get the anti-spam software that the ad referred to.

This is disingenuous. You may get a spam blocker, but what you get in return is patently awful.

And the notice and disclosure? Zero, by today’s standards. It’s buried in a massive EULA, as Harvard researcher Ben Edelman has confirmed independently. We’re back to 2004 all over again.

Remember that almost two years ago, Zango trumpeted its new notice and disclosure, promising:

It’s important to us that consumers understand our products and that they provide full, informed consent before installing our software. Is this the last of our efforts in improving the user experience? Absolutely not.

Now, apparently because this spam blocker is part of their “Hotbar” acquisition, that notice and disclosure is not required.

Zango has a real problem. By our own research, 80% of its business comes from Seekmo, the porn side of its business. They need more “legitimate” customers but have an increasingly difficult time getting them. We believe that the company is having a very difficult time actually spending its ad dollars to promote its product, since so few sites will take on its ads.

And now, with Snopes no longer pushing a Zango ad, it’s even harder.

And, separately, Snopes responds:

Reader CD got a response from Snopes, which he reports as follows:

Thank you for inquiring about the possibility an advertisement that violates our acceptable advertising guidelines at www.snopes.com/info/faq.asp#ads may have been displaying to some visitors to our site.

We have temporarily removed from our site *all* advertisements from the agency that handles the ad in question while we investigate if and how such an ad was indeed being served to some of our visitors.

We don’t ever knowingly run adware or malware on our site — that’s not who we are or who we’d ever want to be.

Ok, I’ll give the Mikkelsons the benefit of the doubt. It’s possible that the advertisements we observed were based on geolocation, and it’s quite possible that they never knew that the ad was pushing adware.

I wouldn’t stop using Snopes. It’s a good service. I’ll keep checking the site, but I really doubt you’ll ever see anything like this happen again.

However, one part of the strategy of the Antispyware Coalition to reform the business is “public shaming” — that is, to shine light on bad practices. Snopes has learned a hard lesson. They’ve stopped pushing these ads, and the internet community is a bit of a better place now.

And that, folks, is a good thing.

Alex Eckelberry

The Antispyware Coalition Public Workshop


(Thanks to Bill Pytlovany for the image)

I was up in DC on Thursday for the Antispyware Coalition’s Fourth Public Workshop. I moderated a panel entitled “CSI Spyware: Can Investigators Stay Ahead of the Bad Guys?”. I was fortunate to have really great panelists: Chris Boyd, FaceTime Security Labs; Lance James, Secure Science Corporation; Cindy Southworth, NNEDV; and Luke Erickson with the FTC.

Chris Boyd put a bunch of pics of his trip on Flickr (including pictures of Lance James doing a very good job on the piano), and Bill Pytlovany blogged about it a bit here.

Hopefully someone taped the thing so we can put up a vid of some of the parts of the conference.
Update: Link to audio and slides here.

Alex Eckelberry