Sunbelt’s pursuit of science

We’re known for our pursuit of science here.  So I thought I’d bring back a couple of old experiments for your weekend viewing pleasure:

This experiment was an attempt to determine what happens when you put a felt tip marker in the microwave.

And, here’s one where we determined what happens when you drop 50 pounds of silly putty from six stories high.

I hope to put some pictures up soon of another project we’ve been involved in: we bought an ’80s-vintage SDI laser a while back, but it’s taken forever to get the thing to work. This is a very, very large and powerful laser, made for shooting down large objects (e.g. missiles, that sort of thing), so it hasn’t been a trivial task. We figured we’d use it to shoot products purchased through spam or something. Hopefully I’ll get some pics up sooner or later.

(It should be noted that Sunbelt’s experiments are always safe, non-toxic and highly respectful of animals, etc.)

Alex Eckelberry

The iPowerWeb Chronicles: Problems persist

iPowerWeb is getting better than they used to be in terms of hacked sites, but they still have problems. Monday, I wrote about the DNS hacks they still have problems with (which Michael Horowitz was kind enough to mention).

Some brief research shows the following iPowerWeb accounts hacked (most should still be live):

voyageofwhisper,com
toysnsilk,com
tnrnelson,com
stevenlin888,com
samplesofserenity,com
reviews-reviews,com
regulatory-compliance,com
pieinear,com
palmhaven,org
mohrfamily,com
midwestwrecker,com
magiciansmarket,com
jonathanfricke,com
jerniganhouse,com
gogosportingnews,com
enshunada,com
endofendo,com
dlar,us
dealindaddy,com
confessionsrus,com
angeleyes03,com
allvisualsigns,com

The typical form of the hack is (5-character string)/adult/adult_12.html, which leads to a page pushing malware. So confessionsrus,com/cqbku/adult/adult_12.html might show a page like one of these:

[three screenshots of variants of the malware landing page; not preserved]

(Incidentally, these pages only show their content when you arrive through a Google search result; if you go straight to the URL, you get nothing.)

Alex Eckelberry
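To test a suspect page for the behaviour just described (content only for visitors arriving from Google) and to spot the injected path pattern in a site's own access logs, here is an added example in Python. It is not code from the original post or from Sunbelt; the regex for the five-character directory, the Google Referer string and the constructed log lines are assumptions built from the single sample path above.

```python
"""
Check a URL for Referer-dependent content (the hacked pages only answer
visitors who arrive from a Google search) and scan access logs for the
injected path shape.  Example code added to the post, not Sunbelt's.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

# Assumed shape of the injected path: five lowercase letters, then
# /adult/adult_<number>.html (the post's sample is /cqbku/adult/adult_12.html).
INJECTED_PATH = re.compile(r"^/[a-z]{5}/adult/adult_\d+\.html$")

# Assumed Referer that imitates a click on a Google result.
GOOGLE_REFERER = "http://www.google.com/search?q=adult"

# Request field of a Common Log Format line: "GET /path HTTP/1.1"
_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')


def matches_injected_path(path: str) -> bool:
    """True when a request path has the shape of the injected pages."""
    return INJECTED_PATH.match(path) is not None


def injected_requests(log_lines: List[str]) -> List[str]:
    """Return the request paths in access-log lines that hit injected pages.
    A site owner can run this over the hosting account's raw logs."""
    hits = []
    for line in log_lines:
        m = _REQUEST.search(line)
        if m and matches_injected_path(m.group(1)):
            hits.append(m.group(1))
    return hits


def http_fetch(url: str, referer: Optional[str]) -> bytes:
    """Fetch url with an optional Referer.  A failed or non-2xx request
    counts as an empty body, which is what a direct visit to these pages
    returns."""
    req = urllib.request.Request(url)
    if referer:
        req.add_header("Referer", referer)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()
    except (urllib.error.HTTPError, urllib.error.URLError):
        return b""


def check_cloaking(url: str,
                   fetch: Callable[[str, Optional[str]], bytes] = http_fetch
                   ) -> Dict[str, object]:
    """Fetch url once without a Referer and once as if from Google, and
    report whether the two responses differ.  fetch is injectable so the
    comparison can be exercised offline."""
    direct = fetch(url, None)
    via_google = fetch(url, GOOGLE_REFERER)
    return {
        "direct_bytes": len(direct),
        "google_bytes": len(via_google),
        "cloaked": direct != via_google,
    }


if __name__ == "__main__":
    # Assumed placeholder URL; point this at a real suspect page from an
    # isolated machine, since the Google-Referer response is the malware page.
    print(check_cloaking("http://example.com/cqbku/adult/adult_12.html"))
```

Two different bodies mean the page decides what to serve from the Referer, which is exactly why a Google crawl and a Google visitor see the page while a direct visit does not. Run check_cloaking against a live hacked URL only from a machine you do not mind exposing.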

Vietnamese speakers must not be happy about this…

Vietnamese language pack for Firefox embedded with adware.

Because of a virus infection, the Vietnamese language pack for Firefox 2 was polluted with adware, Mozilla security chief Window Snyder said in a blog posting. “Everyone who downloaded the most recent Vietnamese language pack since February 18, 2008 got an infected copy,” she wrote. “Mozilla does virus scans at upload time but the virus scanner did not catch this issue until several months after the upload.”

Link here.

Alex Eckelberry

Off-Topic: And we thought Y2K was going to be a problem

This is surreal. Gas is now so expensive that some older pumps can’t display the prices.

Just like computer engineers couldn’t imagine that their little machines would last until Y2K, the mechanical engineers who designed these pumps back in 1995, when gas was the equivalent of $1.60/gallon, apparently couldn’t imagine a day in 2008 when dead dino juice would be this expensive. Unfortunately for customers who patronize stations with this antiquated equipment, they aren’t getting their fuel for the price advertised on the pump. Rather, the state’s Weights and Measures program is giving these businesses extra time to upgrade or replace their pumps, as long as the actual price of gas is clearly displayed and customers get an explanation of what’s going on. For now they’re doing it the old-fashioned way, by multiplying the gallons pumped by the price on the sign.

Link here (via TTAC)

Alex Eckelberry

Good new blog from a Sunbelter

Susan Gorman is our anointed Install Goddess (in other words, she writes the installers you see for all of our products, a task that is actually far, far more complex than one might think).

She runs a great blog on install and configuration management. If you’re involved in this field, I would recommend adding it to your feed.

The blog is located at www.gormanonline.com/blogs/msidle.

Alex Eckelberry

CCTVs don’t work.

For those who have argued on this blog that CCTV cameras help make the UK safer, the Guardian today reports that CCTVs actually don’t work to reduce crime, despite their enormous cost and the enormous intrusion on personal privacy. This is not new news: the British Home Office said the same thing years ago.

Let’s hope that this is noticed in the US, where the trend is going toward more CCTV cameras, not less.

However, the UK is now looking to invest more in CCTV technology, specifically in automated intelligence. Unfortunately, this will invariably create false positives — imagine being stopped after crossing the street, asked for identification, searched and then let go, because an image match flagged you as someone who looked like a criminal.

Massive investment in CCTV cameras to prevent crime in the UK has failed to have a significant impact, despite billions of pounds spent on the new technology, a senior police officer piloting a new database has warned. Only 3% of street robberies in London were solved using CCTV images, despite the fact that Britain has more security cameras than any other country in Europe.

The warning comes from the head of the Visual Images, Identifications and Detections Office (Viido) at New Scotland Yard as the force launches a series of initiatives to try to boost conviction rates using CCTV evidence. They include:

· A new database of images which is expected to use technology developed by the sports advertising industry to track and identify offenders.

· Putting images of suspects in muggings, rape and robbery cases out on the internet from next month.

· Building a national CCTV database, incorporating pictures of convicted offenders as well as unidentified suspects. The plans for this have been drawn up, but are on hold while the technology required to carry out automated searches is refined.

Link here.

Alex Eckelberry
(Hat tip)

McAfee’s deal with Yahoo

Yahoosearch413288

When I first ran SiteAdvisor (back when it was Chris Dixon and a couple of other people, with Ben Edelman lending a hand), my first thought was: A search company is going to buy this.

Well, it turns out that McAfee bought it instead. Yesterday, however, McAfee announced a deal with Yahoo to have search results filtered through SiteAdvisor.

This is a very, very good idea. And, of course, it’s beneficial for McAfee, building brand name awareness.

The major issue I see is false positives, which SiteAdvisor has had problems with in the past and which will put both companies squarely in the sights of upset webmasters. The StopBadware initiative (arguably Google’s only similar offering) battles with upset webmasters on a regular basis, and that is with a false positive rate that is arguably non-existent, because its warnings are based only on real malware found on a website, not on allegations of spam and the like. Nevertheless, I’m sure both companies will work through these problems.

As an interesting side note, the current Zango vs. Kaspersky battle may have some bearing here. In its appeal, Zango is arguing that Kaspersky is not acting as an “Interactive Computer Service”:

…Thus, a computer service is “interactive” if it enables people to access the Internet or access content found on the Internet. Kaspersky does neither of these things and therefore is not an ICS [ed: an Interactive Computer Service as defined in the Communications Decency Act]. Text here (2.1 MB download).

In the amicus brief that we are a party to, this objection is answered (see page 19 of the brief). However, Zango has backed itself into a corner, because it just defined an Interactive Computer Service as, basically, Yahoo. So I don’t see them having much of a leg to stand on in any fight against Yahoo or McAfee in this regard.

At the end of the day, this is a deal that ultimately benefits the consumer. And that’s ultimately the most important thing we can do as an industry.

Alex Eckelberry

Merrill Lynch phish making the rounds

A new Merrill Lynch phish is making the rounds, with a dangerous payload.

The phish typically looks something like this:

[screenshot of the phishing email; not preserved]

Subject lines include “New ML Business Centre Login Page”, “Merrill Lynch Business Centre with new Login Page?” and “Merrill Lynch Business Centre Website changing marketing process.”

The phish points to a website that tells the visitor a new “certificate” is needed and pushes it for download.

[screenshot of the fake certificate download page; not preserved]

The “certificate” is a variant of Papras, a data-stealing trojan. Don’t expect it to be limited to Merrill Lynch: we believe the same trojan is being used in a similar Colonial Bank scam, and there are likely others.

Alex Eckelberry
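A quick way for a responder to tell whether the “certificate” a site pushed is really a certificate is to look at the bytes. The following is an added example, not code from the original post or from Sunbelt, that distinguishes PEM and DER certificate encodings from a Windows PE executable by their headers. The sample bytes used to exercise it are constructed, not taken from the Papras sample.

```python
"""
Triage the file a phishing page hands out as a 'certificate'.  A genuine
certificate is PEM text or a DER-encoded ASN.1 SEQUENCE; a Windows
executable starts with an MZ DOS header whose e_lfanew field points at a
'PE\\0\\0' signature.  Example code added to the post, not Sunbelt's.
"""
import struct
from typing import Optional, Tuple


def looks_like_pe(data: bytes) -> bool:
    """MZ header plus a PE signature at the offset stored at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def der_sequence_header(data: bytes) -> Optional[Tuple[int, int]]:
    """Parse a top-level DER SEQUENCE tag and length.  Returns
    (content_length, header_length), or None if the bytes are not a
    SEQUENCE with a well-formed definite length."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return first, 2
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return int.from_bytes(data[2:2 + n], "big"), 2 + n


def looks_like_der(data: bytes) -> bool:
    """A DER certificate (or PKCS#7 bundle) is one SEQUENCE whose declared
    length covers the file exactly."""
    hdr = der_sequence_header(data)
    return hdr is not None and hdr[0] + hdr[1] == len(data)


def looks_like_pem_cert(data: bytes) -> bool:
    """PEM armour: BEGIN/END CERTIFICATE lines around base64 text."""
    text = data.strip()
    return (text.startswith(b"-----BEGIN CERTIFICATE-----")
            and text.endswith(b"-----END CERTIFICATE-----"))


def classify(data: bytes) -> str:
    """Label a downloaded 'certificate' by what its bytes actually are.
    The executable check runs first: a PE file renamed .cer is still a PE."""
    if looks_like_pe(data):
        return "pe-executable"
    if looks_like_pem_cert(data):
        return "pem-certificate"
    if looks_like_der(data):
        return "der-asn1"
    return "unknown"


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(classify(f.read()))
```

The order of the checks matters: the file name and the download page are the attacker's story, the MZ/PE header is the fact, so the executable test runs before anything that might accept the bytes as a certificate.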

Problems at iPowerWeb?

We’ve seen hacks on iPowerWeb servers before. Now there seems to be a fresh rash of them. All of these sites are hosted on iPowerWeb-related servers (which include Endurance International Group and Bizland). And all of them have a similar pattern.

Examples (screenshots of the hacked pages are not preserved here):

scioly.org

astronomical.org

ifess.org

nvvam.org

Generally, these links redirect to porn (screenshot not preserved).

More hacked sites:

nvvam.org
orda.org
chnetwork.org
ifess.org
vraweb.org
spt.org
limarc.org
atcsd.com
123child.com
planetarium.net
kci.org
icat.org (not porn, but search redirects)

It’s a DNS hack (very much like what occurred in the past): a hostname nobody legitimately created resolves under the customer’s zone, and the zone is served by iPowerWeb’s own nameservers.

Lookup: 111.pornsites2703.planetarium.net

Answer records
name                                class  type  data
111.pornsites2703.planetarium.net

Lookup: planetarium.net

Answer records
name              class  type  data
planetarium.net   IN     NS    ns1.ipowerdns.com
planetarium.net   IN     NS    ns1.ipowerweb.net
                  IN     A     216.130.168.69

iPowerWeb isn’t the only web hosting provider to have this problem. At least one site each on Cernio (indybay.org), The Planet (ruby-doc.org) and Media Temple (hml.org) is similarly hacked.

However, they pale in comparison to the iPowerWeb problem.

Alex Eckelberry
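For a site owner on a shared host who wants to check their own zone for the kind of records shown above, here is an added example (not part of the original post, not Sunbelt’s code). It resolves a random label that nobody created under the domain; a zone that answers for it has a wildcard or an injected record. It also checks specific suspect labels, such as the one in the hack above. The resolver is the standard library’s gethostbyname and is injectable; the domain in the usage section is an assumed placeholder.

```python
"""
Probe a zone for attacker-added or wildcard subdomain records, the pattern
behind names like 111.pornsites2703.planetarium.net resolving under a
legitimate domain.  Example code added to the post, not Sunbelt's.
"""
import secrets
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]


def resolve_a(name: str) -> Optional[str]:
    """Return the first A record for name, or None when it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def probe_wildcard(domain: str, resolve: Resolver = resolve_a,
                   label: Optional[str] = None) -> Dict[str, object]:
    """Resolve a random label nobody created under domain.  It should fail;
    an answer means a wildcard or injected record is serving every name."""
    label = label or "probe-" + secrets.token_hex(6)
    probe_name = f"{label}.{domain}"
    probe_ip = resolve(probe_name)
    return {
        "domain": domain,
        "apex_ip": resolve(domain),
        "probe_name": probe_name,
        "probe_ip": probe_ip,
        "wildcard_or_injected": probe_ip is not None,
    }


def resolving_labels(domain: str, labels: List[str],
                     resolve: Resolver = resolve_a) -> Dict[str, str]:
    """Check specific suspect labels (e.g. ones seen in the hack) and return
    those that resolve, mapped to their address."""
    found: Dict[str, str] = {}
    for label in labels:
        ip = resolve(f"{label}.{domain}")
        if ip is not None:
            found[label] = ip
    return found


if __name__ == "__main__":
    # Assumed placeholder domain; run this against your own zone.
    print(probe_wildcard("example.net"))
    print(resolving_labels("example.net", ["111.pornsites2703", "www"]))
```

A wildcard is not by itself evidence of compromise, since some owners publish one on purpose; the finding is a random name resolving when you never created a wildcard, or suspect labels resolving. Keep the NS records in view as well: the zone above is served by ns1.ipowerdns.com and ns1.ipowerweb.net, so the injected records live at the hosting provider, and cleanup has to happen in the provider’s DNS control panel, not on the web server.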

Sunbelt now on GetSatisfaction

We’ve just added a Sunbelt Software section on GetSatisfaction. The link is getsatisfaction.com/sunbeltsoftware. This new forum is still in the “experimental” stage for us, but our support staff will be monitoring it on an ongoing basis. It’s brand new, so feel free to get a topic going.

Support personnel here at Sunbelt monitor questions on a variety of public forums, including Wilders (firewall, antimalware, privacy software), CastleCops (CounterSpy, firewall) and Broadband Reports (firewall, software vendors, security). We also maintain our own Lyris listserv for enterprise customers here. Finally, beta versions of Sunbelt products are managed at our beta forum.

Alex Eckelberry

Fresh rogue and fake codec sites

In case you didn’t catch these earlier at another site, here are some new domains floating around out there doing bad things.

In some cases, the binaries can be captured directly using a URL of the following form:

roguesite.com/files/get.php?id=538090733

Created     IP               Site
4/29/2008   85.255.120.110   flwplayer. com
4/29/2008   85.255.118.214   protectalerts. com
4/29/2008   85.255.118.34    toolbarusage. com
4/29/2008   85.255.116.211   safehomesite. com
4/29/2008   216.255.179.243  getnewfiles. com
4/29/2008   216.255.179.243  asearchflame. com
4/29/2008   216.255.179.243  asearchpool. com
4/29/2008   216.255.179.243  asearchreview. com
4/29/2008   216.255.179.243  explorertool. net
4/29/2008   216.255.179.243  gateietool. com
4/29/2008   216.255.179.243  gatetofind. com
4/29/2008   216.255.179.243  homepagerestart. com
4/29/2008   216.255.179.243  ieservicegate. com
4/29/2008   216.255.179.243  iqsearches. com
4/29/2008   216.255.179.243  linkietool. com
4/29/2008   216.255.179.243  newuploads. net
4/29/2008   216.255.179.243  renewfiles. com
4/29/2008   216.255.179.243  searchinggate. com
4/29/2008   216.255.179.243  searchthruweb. com
4/29/2008   216.255.179.243  shareownfiles. com
4/29/2008   216.255.179.243  trysearchhere. com
4/29/2008   85.255.118.245   dns404rule. com
4/29/2008   85.255.118.212   secureprior. com

Patrick Jordan
Sunbelt Malware Research
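One useful thing to do with a list like the one above is to pivot on the hosting addresses: 17 of the 23 domains sit on 216.255.179.243 and the other six on addresses in 85.255.116.x, 85.255.118.x and 85.255.120.x, so a block on those addresses and ranges also catches domains the operator has not registered yet. The following is an added example (not from the original post, not Sunbelt’s code) that parses the table exactly as printed, refangs the domains, groups them by IP and by /24, and emits BIND response-policy-zone records that sink them; the RPZ output assumes a resolver that loads such a zone.

```python
"""
Pivot the fake-codec / rogue domain list by hosting address.  Domains that
share an IP or a /24 are usually one operation, so blocking the shared
infrastructure covers the next domain the operator brings up.  The rows
are the post's table as printed (defanged with a space before the TLD);
the parsing, grouping and RPZ output are example code added here.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

Row = Tuple[str, ipaddress.IPv4Address, str]

TABLE = """\
4/29/2008 85.255.120.110 flwplayer. com
4/29/2008 85.255.118.214 protectalerts. com
4/29/2008 85.255.118.34 toolbarusage. com
4/29/2008 85.255.116.211 safehomesite. com
4/29/2008 216.255.179.243 getnewfiles. com
4/29/2008 216.255.179.243 asearchflame. com
4/29/2008 216.255.179.243 asearchpool. com
4/29/2008 216.255.179.243 asearchreview. com
4/29/2008 216.255.179.243 explorertool. net
4/29/2008 216.255.179.243 gateietool. com
4/29/2008 216.255.179.243 gatetofind. com
4/29/2008 216.255.179.243 homepagerestart. com
4/29/2008 216.255.179.243 ieservicegate. com
4/29/2008 216.255.179.243 iqsearches. com
4/29/2008 216.255.179.243 linkietool. com
4/29/2008 216.255.179.243 newuploads. net
4/29/2008 216.255.179.243 renewfiles. com
4/29/2008 216.255.179.243 searchinggate. com
4/29/2008 216.255.179.243 searchthruweb. com
4/29/2008 216.255.179.243 shareownfiles. com
4/29/2008 216.255.179.243 trysearchhere. com
4/29/2008 85.255.118.245 dns404rule. com
4/29/2008 85.255.118.212 secureprior. com
"""


def parse_rows(text: str = TABLE) -> List[Row]:
    """Parse 'created ip site' rows; the defanged 'name. tld' is refanged."""
    rows: List[Row] = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        created, ip, site = parts
        rows.append((created, ipaddress.ip_address(ip), site.replace(". ", ".")))
    return rows


def group_by_ip(rows: List[Row]) -> Dict[str, List[str]]:
    """Domains per exact hosting address."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for _, ip, site in rows:
        groups[str(ip)].append(site)
    return dict(groups)


def group_by_net(rows: List[Row], prefixlen: int = 24) -> Dict[str, List[str]]:
    """Domains per /prefixlen, to spot a provider range used across hosts."""
    groups: Dict[str, set] = defaultdict(set)
    for _, ip, site in rows:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[str(net)].add(site)
    return {net: sorted(sites) for net, sites in groups.items()}


def rpz_records(rows: List[Row]) -> List[str]:
    """BIND response-policy-zone lines that make each domain and any
    subdomain answer NXDOMAIN on a resolver that loads the zone."""
    lines = []
    for _, _, site in rows:
        lines.append(f"{site} CNAME .")
        lines.append(f"*.{site} CNAME .")
    return sorted(set(lines))


if __name__ == "__main__":
    rows = parse_rows()
    for ip, sites in sorted(group_by_ip(rows).items(), key=lambda kv: -len(kv[1])):
        print(f"{ip:16} {len(sites):2d} domain(s): {', '.join(sites)}")
    print("\n".join(rpz_records(rows)))
```

The /24 view is the one to feed into a firewall or proxy rule; the per-IP view is the one to hand to the hosting provider's abuse desk, since one address carrying seventeen freshly registered domains with this naming pattern is usually enough for a takedown request.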