Dancing in the streets (almost): Intercage going down in flames

Intercage, the reviled ISP that has a fairly repulsive track record of turning a blind eye to hosting of malware, looks like it might finally be going down in flames.

Too soon for massive partying and dancing in the streets, but it’s certainly acceptable to have a little happy dance.

Stay tuned to Brian Krebs’ blog, where he is giving the blow-by-blow. Like this update this morning:

Update, Monday, Sept 8, 12:00 p.m. ET: Todd Braning, vice president of BandCon, just e-mailed me to say that BandCon also has stopped providing connectivity to Atrivo/Intercage. From his e-mail: “Intercage, a new customer, was connected to the BandCon Network for a total of about a week. Once we recognized an issue with Intercage, BandCon took immediate action and terminated services. We are no longer providing services to AS27595. This can be confirmed here.”

WVFiber is the only company still providing direct connectivity to Atrivo, and as stated before they plan to pull the plug by Thursday at the latest, so it appears that Atrivo will have to find another network provider or it will very soon cease to be reachable on the Internet.

Brian also just wrote another blog post about Estdomains, where he mentions Sunbelt’s Patrick Jordan’s work in the area of tracking bad websites. Nice work Patrick.

And to Brian: Thank you for your continued hard work in uncovering these issues. Your work is making a difference.

Alex Eckelberry

Norwich Bulletin calls for Julie Amero resolution

A bit of a surprise…(If you’ll recall, the Norwich Bulletin could not have been described as a friend of Julie’s in the past.)

Prosecute, or drop charges
If the New London State’s Attorney’s Office is still sure it has a solid case against Amero, it should present that case at trial and allow Amero’s defense to refute the evidence. If not, then the state has an obligation to drop the charges and allow Amero to get on with her life without this cloud hanging over her.

To do nothing is an injustice.

This case generated worldwide publicity at the time of Amero’s arrest nearly four years ago. It has resulted in hundreds of people coming to her defense, including a cadre of computer experts who claim Amero was the victim, not the perpetrator. The computer experts claim it was the school that was at fault for not providing the computers with the firewall protections against the unseen spyware and adware that caused the images to appear.

The state, meanwhile, maintains it was Amero surfing the Web looking for pornographic material during class, and allowing students to be exposed to it.

It’s time for the state to prove its claims or drop the charges.

Link here, with additional commentary by Rick Green of the Hartford Courant here.

Alex Eckelberry
(And if you’re not familiar with Julie Amero, this search result will give you an idea.)

The Atrivo/Intercage saga continues

More breaking news from Brian Krebs at the Washington Post. This is getting really interesting…

Update, Sunday, Sept. 7, 8:02 p.m.: I spoke today with Randy Epstein, president of WVFiber and co-founder of Host.net, which acquired WVFiber just six weeks ago. Epstein said after reading reports from Security Fix, Hostexploit.com, Spamhaus.org and others about cyber crime activities at Atrivo, WVFiber has decided to drop Atrivo as a customer. WVFiber plans to stop providing upstream connectivity to Atrivo by Wednesday or Thursday at the latest, Epstein said. That would leave Atrivo with just a single upstream provider — Bandcon.

Update, Sunday, Sept. 7, 9:15 p.m.: nLayer Communications, a company that owns a significant slice of the Internet addresses used by Atrivo/Intercage, is demanding that Atrivo vacate the space and return the addresses by Sept 30.

“Atrivo/Intercage has not been a direct customer of nLayer Communications since December 2007, but they still have some legacy reallocations from our IP space,” wrote nLayer co-founder Richard A. Steenbergen, in an e-mail to Security Fix. “Since they are no longer a customer, we require that they return our non-portable IP space, and have given them a deadline of September 30th to do so. If the IP space is not returned by that point, we will follow standard procedure to reclaim it, including null routing the space, and sending cease and desist letters to any network who still transits it without our permission.”

According to Steenbergen, Atrivo/Intercage must return roughly 7,400 IP addresses.

Link here.

Alex Eckelberry
(Thanks, Ferg)

How to make notepad.exe a malicious file

As is well known, malware authors routinely use packers (aka “protectors”) to disguise their files (as well as to decrease their file size).

A number of AV products simply blacklist anything that’s packed, sparing themselves the work of emulating the executable to find out what is really inside. (Like many AV companies, we do this ourselves for some obvious malware packers, but it has to be done with an extensive in-house whitelist to make sure you don’t generate false positives.)

Just as a curious experiment, I recently packed notepad.exe with a variety of packers and submitted the results to VirusTotal. (I’m not the first to do this, either; VirusBuster showed a similar exercise at CARO in May.)

This is a minuscule sample, but it shows the varying levels of aggressiveness with which AV engines detect packers. It also shows why some engines post incredibly high detection rates on VirusTotal.

Notepad.exe packed with MEW (packing with FSG will likely show similar results).

Notepad.exe packed with UPX (UPX is the most common packer, used for many legitimate applications — it’s a very dangerous packer to blacklist, since false positives will be through the roof.)

Notepad.exe packed with PEspin

Notepad.exe packed with PECompact

In the end, blacklisting packers is going to be old news: malware authors have moved on to all kinds of exotic custom packing, and in many cases to not packing at all.
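To make the point concrete, here is an added example (written for this post, not code from Sunbelt or from any AV engine) of the naive "blacklist the packer" heuristic: it walks the PE section table, looks the section names up in a small table of well-known packer names, and then gates the hit on a SHA-256 whitelist, which is the only thing standing between that heuristic and a false positive on every UPX-packed legitimate program. The PACKER_SECTIONS table, the constructed PE images (stand-ins for notepad.exe and a UPX-packed copy) and the whitelist are all assumptions of the example; the PE builder produces a header-only fixture, not a loadable binary.

```python
"""Packer blacklisting, the naive way: flag PE files whose section names
belong to a known packer, then suppress the hit with a hash whitelist.
Added example; the PE images below are constructed fixtures, not real files."""
import hashlib
import math
import random
import struct

# A few well-known packer section names (illustrative, far from complete).
PACKER_SECTIONS = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".petite": "Petite",
    "MEW": "MEW",
    "pec1": "PECompact", "pec2": "PECompact", "PEC2": "PECompact",
}

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~0 for constant data, ~8 for compressed or random data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(data: bytes):
    """Yield (name, raw_bytes) for every section header in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                            # section table
    for i in range(nsections):
        hdr = data[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)
        yield name, data[raw_ptr:raw_ptr + raw_size]

def scan(data: bytes, whitelist=frozenset()) -> dict:
    """Verdict from section names alone, gated by a SHA-256 whitelist.
    Without the whitelist every UPX-packed legitimate program is a hit."""
    digest = hashlib.sha256(data).hexdigest()
    packer, max_ent = None, 0.0
    for name, raw in pe_sections(data):
        packer = packer or PACKER_SECTIONS.get(name)
        max_ent = max(max_ent, shannon_entropy(raw))
    if packer and digest in whitelist:
        verdict = "clean (packed with %s, whitelisted)" % packer
    elif packer:
        verdict = "suspicious (packed with %s)" % packer
    else:
        verdict = "clean"
    return {"packer": packer, "max_entropy": round(max_ent, 2),
            "sha256": digest, "verdict": verdict}

def build_pe(sections) -> bytes:
    """Build a minimal PE32 image (headers plus raw section data) from
    (name, payload) pairs. Fixture only: it is not a loadable executable."""
    pe_off, opt_size, align = 0x80, 0xE0, 0x200
    hdr_end = pe_off + 24 + opt_size + 40 * len(sections)
    raw_ptr = -(-hdr_end // align) * align                    # file alignment
    img = bytearray(raw_ptr)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = b"PE\0\0"
    # COFF header: Machine=i386, NumberOfSections, stamp, symtab, nsyms,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    struct.pack_into("<HHIIIHH", img, pe_off + 4,
                     0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    struct.pack_into("<H", img, pe_off + 24, 0x10B)           # PE32 magic
    table = pe_off + 24 + opt_size
    body = bytearray()
    for i, (name, payload) in enumerate(sections):
        size = -(-len(payload) // align) * align
        struct.pack_into("<8sIIII", img, table + 40 * i, name.encode("latin-1"),
                         len(payload), 0x1000 * (i + 1), size, raw_ptr + len(body))
        body += payload.ljust(size, b"\0")
    return bytes(img + body)

def sample_files():
    """Constructed stand-ins for notepad.exe and a UPX-packed copy of it."""
    rng = random.Random(2008)
    code = b"\x55\x8b\xec" * 300                              # repetitive, low entropy
    packed = bytes(rng.getrandbits(8) for _ in range(3000))   # compressed-looking
    rsrc = "Notepad".encode("utf-16-le") * 64
    plain = build_pe([(".text", code), (".rsrc", rsrc)])
    upx = build_pe([("UPX0", b""), ("UPX1", packed), (".rsrc", rsrc)])
    return plain, upx

if __name__ == "__main__":
    plain, upx = sample_files()
    print(scan(plain)["verdict"])                             # clean
    print(scan(upx)["verdict"])                               # suspicious (packed with UPX)
    print(scan(upx, {scan(upx)["sha256"]})["verdict"])        # clean (packed with UPX, whitelisted)
```

The entropy figure is carried along because it is the other cheap signal engines lean on: a UPX1 section full of compressed data reads close to 8 bits per byte, while the unpacked .text and .rsrc stay low. Neither signal says anything about what the program does, which is exactly why the whitelist (or, better, real emulation) has to come first.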

Alex Eckelberry

FTC revamps education site

I got a note from a contact at the FTC last week about their revamped educational site, Onguardonline.

I wanted to let you know that we re-vamped OnGuardOnline.gov, the website about computer security from the federal government and the technology industry.    

A just-released Web 2.0 redesign allows users to grab and embed games and videos, search for topics on the site, take a “show of hands” poll, and have a more interactive experience while getting useful tips and information about computer security.

There are articles and engaging games on sixteen topics – including social networking, phishing, email scams and laptop security; plenty of buttons and banners you can post on your blog; free publications consumers and organizations can order; and links to the OnGuard Online partners from the public and private sector. 

Feel free to take a spin around the site and drop your comments here.

Alex Eckelberry

More interesting Atrivo/Intercage/Estdomains stuff

On the heels of a post by Brian Krebs about Atrivo’s biggest backbone provider pulling the plug, we have this post today from Russ at Intercage on NANOG:

Hello Everyone,

Good morning.
Seeing the activity in regards to our company here at NANOG, I believe this is the most reasonable and responsible place to respond to the current issues on our network. We hope to obtain non-biased opinions and good, honest and truthful information from the users here.

Being that there are much larger operators here than us, what kind of insight can you give to the issues that have arisen?

We’ve nearly completely removed (completion Monday 09/08/08) Hostfresh from our network. 2 of their /24’s have been removed:
58.65.238.0/24 dropped
58.65.239.0/24 dropped
The machines they leased from us have been canceled.

What do you suggest for the next move?

Thank you for your time. Have a great day.

Alex Eckelberry

Interview with Sunbelt Director of Support

Following on my previous post on support: Jamie Hudson is Sunbelt Software’s Director of Technical Support, and Larry Jaffe had the opportunity to sit down with her last week to discover what it is like to run such a large in-house operation.

What is your objective?

As Director of Technical Support, my objective is to provide the highest quality of service possible to our customers. Our customers are very important to us and quite simply without them we would not be successful.

One of my goals is to make our support department more visible to our customers. Recently I opened up a board on Getsatisfaction.com to make our company more visible. Customers can log onto that site and report issues on the products or talk about the products. Our support actively monitors this forum. Another way we reach out to our customer base is by sending a customer service survey after each ticket has been closed. Each response is personally looked at by me. If a customer is unhappy, I respond to them, or if they have feedback, I take that and decide how feasible it would be for our support department. We are very open to customer feedback and are working towards making ourselves more accessible to our customers.

Sunbelt caters to both home and enterprise users. Does this require different parameters for each, or is your overall purpose the same?

There are four different departments within support. The first team that all of our customers will encounter is our coordinator team. The coordinators answer all of the incoming calls, create tickets, and then pass the calls onto an available technician. They also make tickets for every single email that we receive in our support inbox. Our other teams are as follows: one supports our home and home office users and one supports our enterprise users. We also have a team that provides specialized install services and onsite installs for our email archiving product. The departments are quite different in their needs but the overall purpose of giving the highest quality of service is universal across all teams.

 What do you look for in support personnel, i.e. what makes a good support person? 

I mentioned this previously, but we have four departments that fall under the umbrella of our support. Each requires a different skill set but in general, I look for individuals with previous technical experience. Of course, this technical experience differs depending on the department they are interviewing for. I also look for people who are very eager to learn. I find this to be a key ingredient to a successful support technician for Sunbelt.

Sunbelt is one of the few companies that is still doing Tech Support in house and in the U.S. Can you tell me why you chose this route? 

Having U.S.-based support sets Sunbelt apart from most of our competitors and allows us to provide the highest quality service that we can. Our products are developed internally in the same building that our support resides in, and this allows us to report issues and get them fixed for our customers in a much more timely fashion. I also believe the quality of service with offshore support is nowhere near the level of support that we already provide. The number one compliment our support receives is that we are in the U.S., and because of this we can cater to our customers’ needs more efficiently. For me the old saying of “If it isn’t broken, don’t fix it” applies here.

Isn’t it more expensive? 

I have researched both offshore support and keeping support in our current location. It is a little more expensive to keep it in the U.S but not as expensive as you would think.

 What are the benefits to both the user and to Sunbelt?

There are so many benefits to having our support in the U.S. but I will only list the most important benefits below:

  1. Communicating with our support department is easier for our U.S. based customers
  2. Our support department is in the same building as our development team. This means we can get bugs communicated quicker to development and in turn resolved quicker
  3. Management of a centralized support department is much easier hence the department will run smoother
  4. Sunbelt is able to more easily meet our customers’ needs and desires

Well, of course, I completely agree with Jamie. 

Alex Eckelberry

New rogue security product: Smart Antivirus 2009

Smart Antivirus 2009 is a new rogue security product and a near clone of AntiSpyware 2008.

Smart Antivirus 2009 home page:
[screenshot]

Typical fake/scare scan page:
[screenshot]

List of sites used in this scam

Smartantivirus2009. com
Smartantivirus-2009. com
Smart-antivirus2009. com
Smart-antivirus-2009. com
Smartantivirus2009buy. com
Smart-antivirus2009buy. com
Smart-antivirus-2009-buy. com
Smart-antivirus-2009buy. com
Smart-antivirus2009-buy. com
Smartantivirus-2009-buy. com
Smartantivirus-2009buy. com
Smartantivirus2009-buy. com

Bharath M N

When extortionists don’t deliver

Invariably, a post I write about a rogue security product (such as XP Antivirus 2008) makes its way into a Google search result, and people come to my blog thinking I am somehow responsible.

But it’s painful to see how people get so ripped-off by these extortionists…


They pay, but it doesn’t seem to matter… How I loathe these slimeballs.

Alex Eckelberry

Have You Been a Victim of Unethical Software Company Practices?

(A guest blog by Sunbelt’s Wxpnews editor Deb Shinder)

Computer software is a unique type of product because it’s not really a physical product at all; instead, it’s classified as “intellectual property” – an intangible item that you can’t hold in your hand. You don’t spend your money for the code itself – that remains the property of the developer who created it or (more frequently) the company that paid the programmer(s) who developed it. You simply pay for a license to use the software, subject to conditions specified in the End User License Agreement (EULA).

This has caused no end of consternation among computer users. We aren’t used to buying things this way. A book is a form of intellectual property, too – but we don’t generally “license” the right to read the words; rather, we purchase a physical copy of the book and then we own it and can do pretty much whatever we want with it: sell it to someone else, give it to a friend, leave it lying on a park bench for strangers to find and claim (legally, we are prohibited from doing some things, such as making photocopies of it and selling them to others, but that’s expensive and a hassle so it almost never becomes an issue).

The problem is that the intangibility of software (and some other products such as digital music and movies) makes it very easy and cheap to copy and distribute in bulk. Licensing is one of the only ways the creators can retain control over the fruit of their labors. And licensing in itself is not a bad thing. Most reputable software vendors try to make their EULAs emulate the situation you have when you buy a book; i.e., the terms usually stipulate that you can give the program away, or transfer it to another computer – as long as you remove it from the one it’s on. But you can’t make copies and use it on multiple computers (except in some cases where the EULA allows for you to install a program on two or more computers within your household; this so-called “family licensing plan” is becoming more and more popular).

In theory, this prohibition on making copies is no different from the copyright laws that prohibit photocopying a book. In practice, it feels more restrictive because of the ease and convenience with which you could, technically, make such copies. Folks argue that “I can loan my book to someone else if I want.” And indeed, there’s nothing in most software licenses that keep you from loaning your computer to someone else so they can use the software. What you can’t do is “loan” them just the software without the computer – as you can’t loan someone the words without the physical book you bought (by photocopying those words).

It gets tricky, though, when some companies start to sneak more and more restrictive terms into the EULA. And “sneak” is applicable here because, when you buy boxed software in the store, you’re actually unable to read the agreement until after you’ve paid for the product, taken it home and opened the box (not that most people read it, even then). For an interesting discussion of some issues pertaining to EULAs, click here.

We’ve talked about EULA terms here before, so we won’t go into that in detail. Instead, I want to discuss some other questionable business practices that we sometimes run into when dealing with software companies. Many of these are made possible (or at least made easier) due to the way much software is sold today – paid for and delivered over the Internet rather than bought in a box at a store. And some of these practices are by no means unique to software companies; they’re the same unethical practices engaged in by businesses of all kinds that participate in “remote” transactions, whether over the ‘Net, over the phone or through the mail.

Whenever you give a company your credit card number, there is a risk that they will use it in ways you didn’t intend. One problem encountered with the new subscription based software services (and one reason many are wary of them) is the difficulty of terminating a subscription. You sign up for a year and pay by credit card. At the end of the year, the company automatically renews your subscription and charges you for another year, whether you wanted it or not. Here’s an example of such a complaint against one software company.

(In fact, this is common practice for many businesses. I have ranted long and often about security alarm monitoring services whose contracts contain a clause stating that unless you cancel within a short window of time prior to the end of your three-year contract, it will automatically renew (and obligate you to pay) for another three years. Some states (New York is one) have passed legislation to ban these automatic renewal clauses, and I am currently trying to convince my own state representatives to do the same.)

Companies that embrace the automatic renewal practice argue that they do it for customers’ convenience. They say if they didn’t, you might forget to renew and then you would be without the service. This might be okay if, when you initially sign up, you select an option to automatically renew (but in my opinion, locking you in to another three years of service as the alarm companies do is never okay). We’ve set up a poll to ask readers what they think about this practice as it pertains to subscription software. Please let us know your opinion on this by voting in the SunPoll.

Then there are marketing practices that may not be blatantly unethical, but are extremely annoying to customers. For instance, with many companies that sell business-oriented software, finding out what their software costs is like pulling teeth. I guess it’s a case of “if you have to ask, you can’t afford it,” but it really makes it difficult to compare different products. If I know a particular software package costs $15,000, I’m not going to waste my time evaluating a trial version of it for my small business. If it costs $1500, that’s a whole different story. But some vendors seem to hold their prices as closely guarded secrets.

Some won’t even let you download a trial version without making a sales pitch to you over the phone. Tom recently clicked a “Try it now” link for an enterprise-level virtual appliance software package, which took him to a form to fill out. He expected to receive a link to download the trial; instead he got email telling him that they would have to contact him by phone in order to get him the evaluation version. Needless to say, he didn’t evaluate that package (and it won’t get his recommendation or even consideration). What if you have total hearing loss or can’t speak due to a laryngectomy? Does the company discriminate against disabled persons by not allowing them to evaluate the software? An extreme question, perhaps, but is it ethical for a company to advertise a free trial and then hijack you into listening to a high-pressure sales pitch?

When you think about it, software makers have a tremendous responsibility and hold a position of trust with their users. Most customers are not very technically savvy and must trust the software company that its software not only does what it claims to do, but doesn’t do other things that the customer doesn’t want. A program that you install on your computer can be coded so as to create a “back door” that will allow the programmer to get into your system and take control of it. This is often the basis of Trojans and other malware, but the capability can be written into almost any software. Every time we install a program, we’re trusting that software vendor to be ethical.

What unethical practices have you encountered in buying software? Share your experiences and opinions.

Deb Shinder

Chrome rocks. I don’t care what others say

There are conflicting opinions on Chrome.

Whatever your opinions, this is a major release. It’s a game changer.

Based on my initial impressions, I really like this browser.  It’s just the kind of next-generation thinking that’s needed in the browser space.  

I don’t care about all the plug-ins that aren’t available, because I don’t use them. And Chrome gives me enough toys that it more than makes up for the loss of a few plug-ins.

Walt Mossberg gave it a decent review, but cited a few things he didn’t like:

My verdict: Chrome is a smart, innovative browser that, in many common scenarios, will make using the Web faster, easier and less frustrating. But this first version — which is just a beta, or test, release — is rough around the edges and lacks some common browser features Google plans to add later. These omissions include a way to manage bookmarks, a command for emailing links and pages directly from the browser, and even a progress bar to show how much of a Web page has loaded.

Whatever. I don’t use bookmarks (believe it or not). A command for emailing links and pages directly from the browser? Again, this is a non-issue for me. How about simply CTRL-L to select the URL, then CTRL-C to copy it, then ALT-TAB to get to your email program? Seems pretty easy and fast to me. And a progress bar? Again, who cares. Chrome is so damned fast I don’t really need one anyway.

As for speed, Mossberg’s results, which showed that it wasn’t faster than Firefox, are directly contradicted by Adrian Kingsley-Hughes’ more scientific testing, which indicates that Chrome is blisteringly fast.

I haven’t run any benchmarks, but this thing really does smoke.  Yes, it’s fast, but it’s also the user experience.  You may not get a page immediately but you feel that it’s faster based on the browser presentation.

Matt Cutts at Google also has a nice roundup of common Google Chrome objections.

And yes, there is a new security issue (carpet bombing) but I’m certain Google will patch this very quickly. 

Alex Eckelberry

Spam as visual poetry

A new campaign currently running. 

While it perhaps looks like visual poetry (inspired by Augusto de Campos?), it’s a cute trick to bypass filters.  

[screenshot of the message as rendered]

If you select the text, you see something else:

[screenshot with the text selected]

So, “Special Offers for Viagra and Cialis” is actually:

Solve
Protector;
Exhortation
Conversation
Inconstant,
Attendants,
Loquitur;

Oceans
Favour
Favour
Exhortation
Reins
Solve

and so on.
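As an added illustration (not part of the original post), the acrostic can be recovered mechanically, stanza by stanza, by taking the first letter of each line; a filter that tokenizes the body sees only harmless dictionary words, which is the whole point of the trick. The sample input is just the two stanzas quoted above (the remaining stanzas are not reproduced in the post), and the WATCH_TERMS list and the one-word-per-line threshold are assumptions of the example.

```python
"""Decode and flag 'visual poetry' spam: the initials of each stanza spell the
real pitch while the line bodies are ordinary dictionary words.
Added example; SAMPLE is constructed from the two stanzas quoted in the post."""
import re

SAMPLE = """\
Solve
Protector;
Exhortation
Conversation
Inconstant,
Attendants,
Loquitur;

Oceans
Favour
Favour
Exhortation
Reins
Solve
"""

# Terms worth catching even when hidden this way (illustrative list).
WATCH_TERMS = {"SPECIAL", "OFFERS", "VIAGRA", "CIALIS"}

def acrostic_words(text: str) -> list:
    """Split on blank lines; the initials of each stanza's lines form one word."""
    words = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in stanza.splitlines() if ln.strip()]
        initials = "".join(ln[0] for ln in lines if ln[0].isalpha())
        if initials:
            words.append(initials.upper())
    return words

def hidden_message(text: str) -> str:
    """The message a reader sees, reconstructed from the initials."""
    return " ".join(acrostic_words(text))

def looks_like_acrostic_spam(text: str, min_one_word_ratio: float = 0.8) -> bool:
    """Heuristic: nearly every line is a single word, and the initials spell a
    watch-list term. Ordinary prose fails the first test and is left alone."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return False
    one_word = sum(1 for ln in lines if len(ln.split()) == 1)
    if one_word / len(lines) < min_one_word_ratio:
        return False
    return any(word in WATCH_TERMS for word in acrostic_words(text))

if __name__ == "__main__":
    print(hidden_message(SAMPLE))                 # SPECIAL OFFERS
    print(looks_like_acrostic_spam(SAMPLE))       # True
```

The one-word-per-line test matters: checking initials alone would flag any poem or list whose first letters happen to spell a watched word, so the structural oddity of the message (a column of unrelated single words) is what earns it the extra scrutiny.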

Alex Eckelberry

Scam sites update

Zlob Trojan distribution sites:

IP: 77.91.231.201
Vidsware. net

IP: 77.91.231.183
Mediaoptimizr. com

Following are the component sites used by the Trojan:

Scam Internet Security Page:

IP: 85.255.116.214
Doublestartpage. com

404Errorpage Scam:

IP: 85.255.118.242
Errorofbrowser. com

Security Guide Scam Page:

IP: 85.255.118.34
Scnewlinks. com

Ad-Server-Gate Pages:

IP: 85.255.118.37
Tivbm. com

IP: 85.255.118.37
Iodls.com

Scam Security center site:

IP: 85.255.118.37
whataniceview. com

Scam Security Toolbar site:

IP: 85.255.118.212
Aperfectbar. com

Another component site, used from the Internet Explorer Tools menu to redirect to fake/scare scanner pages:

IP: 216.255.179.243
Usefulietools. com

And to wind up, the scammers use a new site to push the AntiSpyCheck rogue security product:

IP: 85.255.121.179
Antispychecker. com

As we always say, please steer clear of these sites.

Bharath M N

Yup:

The TSA is tightening its photo ID rules at airport security. Previously, people with expired IDs or who claimed to have lost their IDs were subjected to secondary screening. Then the Transportation Security Administration realized that meant someone on the government’s no-fly list — the list that is supposed to keep our planes safe from terrorists — could just fly with no ID. 

Now, people without ID must also answer personal questions from their credit history to ascertain their identity. The TSA will keep records of who those ID-less people are, too, in case they’re trying to probe the system.

This may seem like an improvement, except that the photo ID requirement is a joke. Anyone on the no-fly list can easily fly whenever he wants. Even worse, the whole concept of matching passenger names against a list of bad guys has negligible security value.

Link here.

Alex Eckelberry

Sad surf stories

My son and his friends love to surf.

The only problem: There is no surf on the west coast of Florida.

Except during a hurricane.

So last weekend, these hardy, indefatigable boys were absolutely determined to surf the tattered remains of Fay. As an old-time surfer, I went with them, more out of concern for them than any great interest in getting pummeled by storm surf.

It was fun, but my reward for three hours in the water was the worst sunburn I’ve ever had. Yes, I know the rule about the danger of being burned when it’s overcast, but you’re really not thinking of sunburn when there’s a frigging hurricane. I spent most of the week groaning and moaning pathetically.

So there goes that grand adventure story.

Sunday, Hurricane Gustav was barreling up the Gulf. So, off we went to surf those waves. Great conditions, with magnificent tubes, and that wonderful backspray of atomized salt water you only get in a strong offshore wind.

And now, my reward? Massive jellyfish stings. What the heck are jellyfish doing in our parts? Apparently they were flung over here from the 35-foot waves deep in the middle of the Gulf, where Gustav was churning away.

Jellyfish.

I think it’s time to sit it out from now on.

At least, until the next hurricane.

Alex Eckelberry
(And on a more serious note, one can only surf the outer fringes of a big storm with even a vague notion of relative safety, and even then, real caution is required. We also always surf near a lifeguard just for added safety. Finally, surfing in a hurricane is pure suicide and should never, ever be done.)