New Mac rogue?

This site is a sister to WiniGuard, a rogue antispyware program related to Innovagest 2000… a noted bad actor…

However, there are no downloadable binaries. Something to keep an eye on, though.

[Screenshot: the site]

Just to put this into context, we’ve seen the Innovagest gang around some really horrific products, like Antivirus XP 2008, XP Antivirus — and much more.

Alex Eckelberry
(Thanks Bharath)

This MySpace Friend is anything but

If you get this Friend Request in MySpace, it’s not a good one.

[Screenshot: the friend request]

Here’s the profile page:

[Screenshot: the profile page]

However, clicking on the page brings up this oddball page:

[Screenshot: the redirect page]

Notice the use of a “translate” page on Google. Possibly a new redirect type of activity to avoid filters…

The page pushes a Zlob fake codec variant, disguised as a “MySpace Profile Object”.

Thanks to Big R, a security researcher, for this catch.

Alex Eckelberry

More sites to block: SSH Scam sites update

ZlobTrojan Distributing site:
91.203.92.11 Medialibsms. com

Scam Internet Security Page:
91.203.92.11 Ahomepagepark. com

404ErrorpageScam:
91.203.92.11 Whyisdnserror. com

Security Guide Scam Page:
91.203.92.12 Scdesktopicons. com

Ad-Server-Gate Pages:
91.203.92.11 Cxdgl. com
91.203.92.11 Jhgpq. com

Protection Center Scam Page:
91.203.92.12 Asecurenotification. com

Scam Security Toolbar site:
91.203.92.12 Protectiontoolbars. com

IE AntiSpywareStore site:
208.72.168.94 Howtoiexplorer. com

Bharath M N

Update on AOL malware

AOL has contacted me about my blog post and is taking down the pages.  I’ve shared with them additional pages as well.

All in all, impressive alacrity and willingness to fix the problem.  Thanks AOL.

(Btw, some may have been confused by my headline (“non-benign neglect”). And their confusion would have been justified: it was an error in a play on words on Salutary Neglect, not on “benign neglect”, which brings forth a less desirable connotation.)

Alex Eckelberry

Another useless test grabs headlines

I like Secunia, so no hard feelings from our side.

But truly, this test they published the other day, showing that “security suites fail exploit tests” is a silly and useless PR stunt. I think they were just trying to get some news for their business of patch scanning or something, and decided to kick the AV players around for fun.

Testing guru Andreas Marx of AV-Test.org pretty much sums up the issues with it:

– Some critical details are missing, for example, the time of the last update of the scanners, the exact product versions, and the like.

– Only the on-demand scanner and the on-access guard were tested, so it was only checked whether the file scanner would trigger an alert.

– The paper also speaks about a test with html/web pages, but I cannot see a single test case for the part in the review (is it missing or was it excluded?)

The “scan some files only” part especially concerns me, as only one out of many built-in security features of a suite was tested (but it’s very fast: such a test might just take a minute or two completing, for scanning the entire set of files).

In most cases, it is simply not practical to scan all data files for possible exploits, as it would slow down the scan speed dramatically. Instead of this, most companies focus on some widely used file-based exploits (like the ANI exploits), and some companies also remove the detection of such exploits after some time has passed (as most users should have patched their systems in the meantime, and in order to avoid more slow-downs).

There are a lot more practical solutions built-in to security suites, like the URL filter (which checks and blocks known URLs which are hosting malware or phishing websites) and the exploit filter in the browser (which would also block access to many “bad” websites). Some tools also have virtualization and buffer/stack/heap overflow protection mechanisms included, too.

Then we have the traditional “scanner” — and even if some exploit code gets executed, a HIPS, IDS or personal firewall system might be able to block the attack. For example, some security suites know that Word, Excel or WinAmp won’t write EXE files to disk — so potentially dropped malware cannot get executed and the system is left in a “good” state.

A few weeks back, I’ve written the following text for our own test report:

“A comprehensive review should not only concentrate on detection scores of the on-demand scanner, as this would give a user only a very misleading and limited view of the product’s capabilities.

When comparing the security of cars, we would not only focus on the safety belts, but also check the ABS system (anti-lock braking system), one or more airbags, crush zones, the ESP (electronic stabilization program) as well as constructional changes and many other features which make a car secure. The different detection types have to be taken together to make a valid statement about the whole detection mechanisms: neither static nor proactive detection mechanisms alone can catch all malware.

It is important to have good heuristics, generic signatures and dynamic detection and prevention in place to be able to handle new unknown malware without any updates. It is crucial to have good response times, to be able to react to new malware, when proactive mechanisms fail to detect them. It is essential to have good static detection rates, to be able to handle already known malware, even before it is executed on a system. So comparing single features makes less sense, as we should think about the fact that a user has not bought an AV product to find some viruses and report them, but he has actually bought a service to keep his system malware-free.”

Therefore, a better test setup would be to actually have the vulnerable applications installed on the test PC, together with the security suite. (BTW: I’m sure, no user would have all of the different applications on Secunia’s list on his PC — so one might concentrate on the most recent or most widespread exploits only.) Then the tester would need to trigger the exploit, and see if the machine was exploited successfully or not. (Please note that the scanner or guard might not be able to see a file at all, if it’s a memory-based exploit, so the quoted detection rates might not even be relevant in some cases, as no files are written to disk.)

This would actually be a much more interesting and relevant test, which really focuses on the entire suite’s features and not only on the “traditional” scanner part of an AV product. A few more points are mentioned in two papers published by AMTSO, the Anti-Malware Testing Standards Organization.

Alex Eckelberry

AOL, non-benign neglect

Nothing really new here but I figured I’d say something on the subject:  AOL has some malware floating around.

Some examples:

AOL’s German Hometown page has a number of pages that redirect to rogue antivirus programs like Antivirus XP (note that AOL does plan to discontinue Hometown, so that’s a help):

hometown aol de/xotueqkgqivyh/software_project_management_tool_jam html
hometown aol de/xotueqkgqivyh/how_to_download_sql_server_2000_service_pack_4 html
hometown aol de/wquvwlhiyqtdq/mercury_outboard_force html
hometown aol de/wquvwlhiyqtdq/lexus_of_orland_park html
hometown aol de/qkirjaqrxotue/www_recumbentbicycles html
hometown aol de/qkirjaqrxotue/www_locumtenensusa_com html
hometown aol de/qkirjaqrxotue/tupulove_tu144 html
hometown aol de/qkirjaqrxotue/tortured_girl html
hometown aol de/qkirjaqrxotue/sue_summerfield_sex html
hometown aol de/qkirjaqrxotue/sexual_fanatasy html
hometown aol de/qkirjaqrxotue/sex_pretoria html
hometown aol de/qkirjaqrxotue/sex_positon html
hometown aol de/qkirjaqrxotue/punk_styles_for_girls html
hometown aol de/qkirjaqrxotue/preteen_portal html
hometown aol de/qkirjaqrxotue/pink_vids_porn_ebony html
hometown aol de/qkirjaqrxotue/nude_women_dog html
hometown aol de/qkirjaqrxotue/nude_preteen_boys_sex html
hometown aol de/qkirjaqrxotue/nasty_girl___jadakiss html
hometown aol de/qkirjaqrxotue/messy_girls html
hometown aol de/qkirjaqrxotue/lesbian html
hometown aol de/qkirjaqrxotue/latin_teens_nude html
hometown aol de/qkirjaqrxotue/kayla_nicole_brenneman html
hometown aol de/qkirjaqrxotue/inset_porn html
hometown aol de/qkirjaqrxotue/incest_gay_twin_male html
hometown aol de/qkirjaqrxotue/hare_core_porn_stars html
hometown aol de/qkirjaqrxotue/girls_rule html
hometown aol de/qkirjaqrxotue/girls_night_ideas html
hometown aol de/qkirjaqrxotue/gcpd___corporal html
hometown aol de/qkirjaqrxotue/gay_roommate_porn html
hometown aol de/qkirjaqrxotue/fetishism_definition html
hometown aol de/qkirjaqrxotue/extra_marital_sex html
hometown aol de/qkirjaqrxotue/dorian_eltanal html
hometown aol de/qkirjaqrxotue/coral_bay_wa html
hometown aol de/qkirjaqrxotue/cockoldhusbands html
hometown aol de/qkirjaqrxotue/cockfighting_gamecocks html
hometown aol de/qkirjaqrxotue/circumvent__s html
hometown aol de/qkirjaqrxotue/busty_ebony_secretary html
hometown aol de/qkirjaqrxotue/brittany_cummings html
hometown aol de/qkirjaqrxotue/anne_woodcock html
hometown aol de/qkirjaqrxotue/analytic_function html
hometown aol de/aautnirpkzjuk/netbui_being_used_by_unix_printing html
hometown aol de/aautnirpkzjuk/download_terminator_2__judgment_day_for_amiga_free html
hometown aol de/aautnirpkzjuk/download_free_fire_red_pokemon html

[Screenshot: AOL Germany Hometown page]

And the US site shows a bunch of junk as well:

hometown aol com/ZaneDelacruz42/teenage-sex-vid html  
hometown aol com/ValeriaBall85/best-adult-joke html  
hometown aol com/russellroon67/article-dr -adam-harris html
hometown aol com/RodneyLevine37/scooter-sex-dwarf html  
hometown aol com/richardhaet62/index html  
hometown aol com/NonaMorton70/asian-fanatic-radio html  
hometown aol com/milomcclure/index html  
hometown aol com/MelvaLucas16/ebony-rimming html  
hometown aol com/LincolnWynn32/khan-fishies-fuck html  
hometown aol com/JuliaOneill69/best-boners-boner html  
hometown aol com/JuliaOneill69/best-ass-kiera html  
hometown aol com/JennyHooper34/nhl-uniforms html  
hometown aol com/JanetParker74/fisting-alsha html  
hometown aol com/GeorgeRush68/picture-hardcore html  
hometown aol com/florencerand36/lawrence-co -oh-government html  
hometown aol com/ErvinJohnson67/motel-sluts html  
hometown aol com/DesmondDuke49/funny-sexy-pitures html  
hometown aol com/DeanMcintosh74/huge-horse-cum html  
hometown aol com/DarinJackson32/dressing-woman html  
hometown aol com/BriceFlowers48/boobs-and-bellies html  
hometown aol com/biggerx98y/medical-penis-photo html  
hometown aol com/BartTalley70/australia-porno html  
hometown aol com/AvaMelton38/jessica-barton-nude html  
hometown aol com/AntonBarrett40/big-and-tit html  
hometown aol com/AlonzoDuke36/chat-de-porn-video html  

And Journals…

journals aol com/ykyhexeaxo/jaliyah/entries/2008/10/11/driving-safe-with-bluetooth-headsets/3302 
journals aol com/uleujpaax/felicia/entries/2008/10/11/is-sex-safe-losing-mucus-plug/652
journals aol com/SweetJ686/Elisabeth13 
journals aol com/stmstmstm/Stephanie99 
journals aol com/stevejones280361/Charlotte87 
journals aol com/stenctull/Alberta24 
journals aol com/stebooth2/Charlotte44 
journals aol com/solracd/Tara71 
journals aol com/nuvosarude/alfred/entries/2008/10/11/is-it-safe-to-steam-clean-your-car/4663 
journals aol com/nagyzcujba/brodie/entries/2008/10/08/where-can-i-look-at-houses-for-sale-online/3286 
journals aol com/marcelahot19/ryder-cup-ryder-cup-2008/entries/2008/10/06/lego-history-blindekuh/2522
journals aol com/lyndseyonly20/marc-zumberg-mark-zomberg/entries/2008/10/08/anthony-rakis-hawaiian-tropic-zone/2419 
journals aol com/iamwhoiam676/KraziethoughtsfromaKrazieGurl/ 
journals aol com/hardmovieboy/blog/entries/2008/10/11/india-australia-live-streaming/1432
journals aol com/hardmovieboy/blog/entries/2008/10/11/history-of-the-world-part-1/1430 
journals aol com/hardmovieboy/blog/entries/2008/10/08/asian-ass-porn/1202

Of course, there’s still the problem with Google Groups (and others), turning out loads of junk. So AOL isn’t alone in this malware fest.

Alex Eckelberry

SSH Scam sites update

Zlob Trojan Distributing site:
91.203.92.11 Movsmedia. com

Scam Internet Security Page:
91.203.92.12 Homepageonweb. com

404ErrorpageScam:
91.203.92.12 Misdnspage. com

Security Guide Scam Page:
91.203.92.12 Websclinks. com

Ad-Server-Gate Pages:
91.203.92.12 Qpwoi. com
91.203.92.12 Ghjfd. com

Protection Center Scam Page:
91.203.92.11 Securefires. com

Scam Security Toolbar site:
91.203.92.11 Safetybargoal. com

IE AntiSpywareStore site:
208.72.168.84 Ietoolsupdate. com

As we always say, please stay clear of these sites.

Bharath M N

New rogue: Antivirus 2010

Antivirus 2010 is a new rogue security product. This rogue is a clone evolved from IEdefender, which begat XP Antivirus, which begat Antivirus 2008, which then begat Antispyware 2009.

Thanks to Patrick Jordan for the detailed historical information about this rogue family.
[Screenshot: Antivirus 2010]

217.20.175.74 Av2010. net
[Screenshot: Av2010. net site]

The rogue application uses the same old tricks to lure users into purchasing their worthless application.
[Screenshot: Antivirus 2010 scare block]

Fake Windows Security Center:
[Screenshot: fake Windows Security Center shown by Antivirus 2010]

Fake BSOD:
[Screenshots: fake blue screen of death shown by Antivirus 2010]

Bharath M N

New rogue: XP AntiSpyware 2009

Thanks to Patrick Jordan for the Rogue update.

XP AntiSpyware 2009 is a clone of WinReanimator and XPSecurityCenter rogues.

This group of rogue security products is usually pushed through the Trojan-Downloader.braviax or Trojan.fakealert Trojans.
[Screenshot: XP AntiSpyware 2009]

Fake Windows Security Center:
[Screenshot: fake Windows Security Center shown by XP AntiSpyware 2009]

206.161.120.20 Xp-antispyware2009. com
206.161.120.21 Xp-antispyware-2009. com
206.161.120.22 Xpantispyware-2009. com
206.161.120.23 Xpas2009. com
206.161.120.24 Xp-as-2009. com

Bharath M N

Google Drunk Mail

Now that is something really funny:
A plugin for Google Mail that prevents you from sending emails while completely drunk!
No, it’s not a joke it really exists here: click

Sometimes people have really strange ideas… This time it was even funny and entertaining. The plugin activates itself during weekends, so it is not much use to me since my beer evening is usually Monday evening. Oh wait, you can even configure that? Downloading it right now!

Signing off (completely sober!)
Michael St. Neitzel

Virus Bulletin 2008 keynote address

I was privileged and honored last week to give an address to Virus Bulletin delegates at the Virus Bulletin 2008 conference in Ottawa, Canada.

I’ve posted it here, so if you’re masochistic enough to watch me bloviate for 40 minutes on the state of the industry, feel free to watch the show (I apologize for the poor audio quality).

[Link image: launch the keynote video]

(Clicking will launch a new window; expect a small delay.)

Podcast version here (mp3). A copy of the Powerpoint is here (pdf). The survey data (including the raw Perseus files) is here. Feel free to contact me directly with any follow-up questions or if you want the financial data I used in my analysis.

Alex Eckelberry

A new set of scam sites

Zlob Trojan Distributing site:
91.203.92.11 Vmpupdate. com

Once the Trojan is installed it further downloads and installs VirusResponse Lab 2009 rogue security product.

66.232.113.62 Virus-labs2009. com
66.232.113.62 Virus-response. com
66.232.113.62 Virusresplab. com
66.232.113.62 Virusresponse2009. com
[Screenshot: VirusResponse Lab 2009]

Scam Internet Security Page:
91.203.92.11 Homepageroze. com

404ErrorpageScam:
91.203.92.12 Dnserrorz. com

Security Guide Scam Page:
91.203.92.11 Linkondezktop. com

Ad-Server-Gate Pages:
91.203.92.12 Fghin. com
91.203.92.11 Pbkjh. com

Protection Center Scam Page:
91.203.92.12 Asecurevillage. com

Scam Security Toolbar site:
91.203.92.12 Toolbarfornew. com

IE AntiSpywareStore site:
208.72.168.92 Iexplorerfile. com

Please stay clear of all these sites.

Bharath M N
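The scam-site lists in these posts are published in a deliberately defanged form (“Vmpupdate. com”) alongside the hosting IP. The following Python script is an added example, not code from the blog or its authors: it parses that list format, refangs the domains, groups them by hosting IP (which makes the clustering on 91.203.92.11/.12 visible), emits a hosts-file style sinkhole list, and checks constructed proxy-log lines against the list. The sample list is copied from the posts above; the log lines and their client addresses are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: entries copied from the blocklist posts above, in their defanged form.
SAMPLE_LIST = """
Zlob Trojan Distributing site:
91.203.92.11 Vmpupdate. com

Scam Internet Security Page:
91.203.92.11 Homepageroze. com

404ErrorpageScam:
91.203.92.12 Dnserrorz.com

Ad-Server-Gate Pages:
91.203.92.12 Fghin. com
91.203.92.11 Pbkjh. com

IE AntiSpywareStore site:
208.72.168.92 Iexplorerfile. com
"""

# "<ipv4> <domain, possibly with a space before the TLD>"
ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S.*?)\s*$")


def refang(domain):
    """Turn a defanged 'Vmpupdate. com' into the real lowercase hostname."""
    return re.sub(r"\s*\.\s*", ".", domain.strip()).lower()


def parse_blocklist(text):
    """Return a list of (category, ip, domain) tuples from the post's list format."""
    entries = []
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # a category heading such as "Ad-Server-Gate Pages:"
            category = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((category, m.group(1), refang(m.group(2))))
    return entries


def group_by_ip(entries):
    """Map each hosting IP to the domains served from it (shows the shared hosting)."""
    groups = defaultdict(list)
    for _, ip, domain in entries:
        groups[ip].append(domain)
    return dict(groups)


def hosts_file(entries, sink="0.0.0.0"):
    """Render a hosts-file style sinkhole list, one domain per line."""
    return "\n".join(f"{sink} {domain}" for _, _, domain in entries)


def build_index(entries):
    return {domain: category for category, _, domain in entries}


def match_host(host, index):
    """Exact or parent-domain match: www.fghin.com matches a listed fghin.com."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in index:
            return candidate
    return None


# Constructed proxy-log lines: "<timestamp> <client> <method> <url> <status>"
LOG_LINES = [
    "1223721600.123 192.0.2.10 GET http://vmpupdate.com/codec.exe 200",
    "1223721601.456 192.0.2.11 GET http://example.org/index.html 200",
    "1223721602.789 192.0.2.12 GET http://www.fghin.com/ad.js 200",
]


def flag_requests(log_lines, entries):
    """Return (client, host, category) for every request to a listed domain."""
    index = build_index(entries)
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        host = urlsplit(url).hostname or ""
        matched = match_host(host, index)
        if matched:
            hits.append((client, host, index[matched]))
    return hits


if __name__ == "__main__":
    found = parse_blocklist(SAMPLE_LIST)
    for ip, domains in sorted(group_by_ip(found).items()):
        print(ip, "->", ", ".join(domains))
    print(hosts_file(found))
    for client, host, category in flag_requests(LOG_LINES, found):
        print(f"{client} contacted {host} ({category})")
```

Matching on the parent domain is deliberate: the lists name bare domains, but the redirect chains in these posts use arbitrary hostnames under them, so a suffix match catches `www.` and other subdomains without a separate entry per host.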