The TRUSTe/iGive saga

Jeff Lawson blogged last week about problems with a TRUSTe certified site, iGive.

Briefly, Jeff found a number of problems with iGive’s security model:

  • Unauthenticated autologin URLs
  • Insecure cookie logins
  • Insecure charity details
  • Insecure member listing
  • Tracking images (not uncommon, but in this case, it wasn’t disclosed in iGive’s privacy policy)

While TRUSTe did ultimately take action on Jeff’s security issues (and according to Jeff, they did understand the issues and did communicate to iGive), Jeff adds some additional color in an email exchange:

At least in my case, TRUSTe was effective in getting some action from iGive, after months of inaction after attempting to work with them directly. TRUSTe’s staff were able to understand the seriousness of the issues and made efforts to reproduce my claims before passing them on.

My main complaint with TRUSTe is with the fact that they intentionally avoid taking any role in auditing their member companies, even at the most superficial levels. I don’t believe TRUSTe would have even recommended that iGive conduct their own general security audit if I hadn’t suggested it. If TRUSTe doesn’t want to take the responsibility of performing security audits, perhaps they should place a membership requirement for periodic external reviews by a designated security firm. Watchdog complaints seem to unreasonably require the reporter to satisfy the burden of proof upon the reporter before any action is taken.

The lack of full transparency around the corrective actions done is a little disappointing, though probably not unreasonable since it usually involves the PR image of their member companies.

You can view Jeff’s blog post here.

TRUSTe recently went for-profit, which only opens the door to more potential weakness in the face of a paying client. On the other hand, they did hire the highly-respected researcher Sandi Hardmeier as one of their online watchdogs/security researchers — something which shows an increased vigilance in policing their certified companies.

(Now, in fairness, I understand that security audits may not be economically feasible at their current rates, but perhaps there are other methods — like having a TRUSTe “Audited” seal, denoting a higher level of security in a site.)

Alex Eckelberry

New rogue security product: Internet-antivirus

The GUI is similar to XPAntivirus; however, it’s a different program.

[Screenshot: Internet Antivirus GUI]


Typical fake scan page (and notice the fake system tray message, actually in the browser).

Almost non-existent detection by existing antivirus engines on this one…

Supporting sites:

ia-scanner com
ia-license com
ia-payment com
ia-support com

Alex Eckelberry
(Thanks Bharath and Patrick Jordan)

Sunbelt’s Chandra Prakash to speak at AVAR

Chandra will be discussing the Rustock rootkit at AVAR 2008. The subject will be interesting:

Paper title
—————–
What makes the Rustocks tick!

Abstract
————-
The Rustock family of rootkits is undoubtedly the most notorious collection of spambot rootkits. Rustock A, B and now Rustock.C have invaded the Web chronologically in that order. Each newer variant has evolved with an increasing degree of sophistication and complexity. This paper first presents a comparative analysis of the evolution of sly techniques used by these Rustock variants. The comparison includes their mode of infection, explanation of kernel code disassembly for their stealth mechanism, underlying operation and techniques for detection and remediation. Then it delves into a very detailed reverse-engineered analysis of the latest Rustock.C variant. The analysis encompasses different phases of its kernel and user mode activity. Specifically, this paper includes explanation of the Rustock.C DriverEntry startup code for its multi-layered unpacking routine, well-tuned loader, techniques for obfuscation of the loaded image, hook initialization routines and several more aspects. In regard to the steady-state operation, the paper describes its driver dispatch routines and activities of its worker thread that manifest its underlying operation. In addition, the paper also presents some of its new techniques for registry hiding, file system hiding, anti-debugging tricks and revival strategy that all work collaboratively to make it a highly effective spambot rootkit.

Chandra’s become an AVAR regular, having presented at AVAR 2006 (“B-tree with fixed node size and no minimum degree”) and 2007 (“Design of X86 Emulator for Generic Unpacking”). Nice work Chandra.

Alex Eckelberry