Phishers target Yahoo advertisers

New run, this time targeting Yahoo advertisers (Yahoo’s service is similar to Adwords).

Sample text:

Update Account Alert Notification !

Dear Advertiser,

Account Notification: Account ‘Yahoo! Inc’ [2233234322] has stopped displaying ads at this time because the account balance has reached zero.

For more information regarding this alert, please log into your account at: (spoofed Yahoo link) and click the “View All” link in the Alerts panel. For additional help, please visit our Help Center.

Sincerely,

Your Partners at Yahoo! Search Marketing

Failure to login and update your information may lead in deactivating you account.

Please do not respond directly to this email, as we are unable to receive replies at this address. To contact Yahoo! Customer Support, please log into your account at (spoofed Yahoo link) and click the Customer Support link in the upper right of the page.

Copyright ©2009 Yahoo! Inc. All rights reserved.

Clicking the link brings up a spoofed Yahoo Search Marketing sign-in screen.

Sample site:

adui-marketing-source net/yahoo.sponsored.search/loadSignin.htm

Alex Eckelberry
(Thanks to Kevin Lee)

Poser poses as Posner

(Malvertisements are Flash ads that have been modified to redirect to a malware site. A malware author takes an ad (often a legitimate one) and then embeds malicious URLs into it, and then attempts to place the ad on various sites. The ads will typically redirect to a fake scareware site, which tells the user their machine is “infected”, and attempts to get the user to download a fake security product which then extorts money to “remove” fake threats from a user’s PC. These ads often have methods of IP and time-targeting, so they only go off in certain locations, or at certain times, making them more difficult to detect.)

Here’s an example as to how malware distributors get their malicious ads onto major websites.

First off, just to make sure there’s no confusion, Posner Advertising is a completely legitimate, top New York agency.

Using a spoofed email address, a fellow by the name of “Alvin Ortiz” has been claiming to be from Posner Advertising, attempting to place malvertisements on various sites. According to veteran ad guy Ken Margolis at Premium Network, “…Ortiz had spoofed the agency name with a unique url and email address, but when we pasted them into a web browser, the URL redirected to the legitimate agency’s domain. This made it look more authentic.” (You can see the spoofed sites they created here, including ones for agencies Posner and Quigley Simpson — and why is it that Sandi reported them to Directi, and there’s still no action?)

Ortiz placed a $20k order with Ken’s company, but Ken, who has been around the block, was suspicious: “When we reviewed his credit application, his references and bank did not check out and we learned he was conducting a fraud campaign.” Note that his credit references included reputable companies, such as Quigley Simpson.

However, in a tough economic environment, some ad networks may not be as careful, and may just be glad to see an order, placing the malicious ad in their network of websites. It’s a regular routine at Sandi Hardmeier’s blog, where she writes about malicious ads found on various sites — often, major ones. The FTC also documented this type of activity being done by Innovative Marketing, which was allegedly creating fake agencies just for the purpose of placing malvertisements.

Ad networks need to be especially careful with new clients. Check their credentials and references carefully. Be wary of new clients who, out of the blue, try to place ads at the end of the month (when sales reps are particularly desperate). Look out for new clients who don’t want to pay using normal payment terms (like offering to send a wire transfer in, as opposed to getting credit approval). Check new ads using sites like Adopstools (we also have a service for ad networks with our Sandbox, and other companies like ClickFacts provide services as well).

Alex Eckelberry

New Google Adwords phishing run

Google Adwords phishes have been quiet for a while, but now they’re back.

Unlike most of the other Google Adwords runs, these are not using .cn domains; instead they use TLDs like Belgium and the EU (.be and .eu).


Some sample URLs:

adwords.google.com.mstrack01 be
adwords.google.com.fputs eu
adwords.google.com.mjstr-1 be
adwords.google.com.mt-spr1 eu
adwords.google.com.mdstr be
adwords.google.com.pmstr be

All are fast flux.

And all appear to have been registered with Tucows.

Alex Eckelberry

Windows 7

Some people have been asking if VIPRE works under Windows 7.

The standard CYA corporate answer is “Sunbelt Software does not support operating systems in beta”.

Ok, ok, I know, you still want to know.

The answer is yes, both the consumer and enterprise versions should work fine. (There have been some minor glitches and issues reported, primarily with the service having a delayed start, but our testing and our field reports show no major problems.)

However, we still don’t support operating systems in beta 😉

Alex Eckelberry

Be careful what you write

I got some sage advice from someone years ago: Don’t ever write anything that you wouldn’t want on the front page of the NY Times.   

Or, on Shankman’s blog.

Just because social media is personal, it doesn’t mean you don’t have to be careful. (Of course, there have been a few people who have gotten on the front page of the NY Times by writing things that really should never have been written…)

Alex Eckelberry

Rapid Downadup spread highlights the sad state of enterprise security

The rapid spread of the Downadup worm only highlights the sad state of security in the enterprise.

The network worm, which exploits a long-patched hole in Windows, spreads itself in all sorts of ways — brute force attacks (highlighting the need for better passwords, and for disabling logins after a small number of unsuccessful attempts), USB sticks (mitigated by simple device control, trivial through GPO), autorun/autoplay (these should always be disabled in an enterprise environment), and, of course, its use of a vulnerability that was patched in late October. Oh, and there are a few other things, not the least of which is setting as many business accounts as possible to Limited User, decent web filtering, and so on.

Will there be lessons learned? Hopefully, as we move toward 4 million infected machines, there will be.

Alex Eckelberry

Yandex used in spam redirects

We’re seeing a fair number of pages on Narod (a free web hosting service from Yandex, the Russian search engine).

These are used both for redirects to malware and for redirects in spam.

One example is spam that redirects to a Russian webcam site.

Sample URLs:

jamesyff.narod.ru
martinezdgi.narod.ru
butlereua.narod.ru

There are also a fairly large number of redirects, again on narod.ru subdomains, that point to another, US-based webcam site.

Administrators would be well advised to simply block any email or web traffic with narod.ru.

Alex Eckelberry

The constant stream of Ultraseek redirects to malware

I’ve been tracking a steadily increasing number of redirects, often from legitimate .gov, .edu or major corporate sites.

In many cases these redirects are the result of how Ultraseek/Autonomy/Verity search software is configured (Ultraseek, Verity and Autonomy are all the same company). Most, if not all, of the enterprise search redirects I’m seeing now are related to Ultraseek.

For example, we see that the Coca Cola Credit Union is currently redirecting to malware. 

An example string is as follows:

http://search.creditunion.coca-cola.com/creditunion/cs.html?url=//marker2009 com%2Fin.php%3F%26n%3D1131%26t

(The link is slightly munged for safety).

Here’s that same redirect that’s safe.

Going up a level in the URL path, we see the tell-tale Ultraseek search engine.

This is a simple configuration issue, but it leaves a wide-open redirect: the cs.html page will send a visitor to whatever the url parameter says. Webmasters using these tools must configure them so they no longer redirect to arbitrary URLs.
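As an added example (not code from the original post or from Ultraseek), here is a small Python checker for the cs.html?url= form shown above; it flags links whose target leaves the search host, including the scheme-relative //host trick used in the redirects. All host names are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample links in the Ultraseek cs.html?url= form shown above.
# Host names are placeholders, not the sites named in the post.
SAMPLE_LINKS = [
    "http://search.example-cu.com/creditunion/cs.html?url=//attacker-host.example%2Fin.php%3F%26n%3D1131%26t",
    "http://search.example-cu.com/creditunion/cs.html?url=/creditunion/rates.html",
    "http://search.example-cu.com/creditunion/cs.html?url=http%3A%2F%2Fsearch.example-cu.com%2Fdocs%2Ffaq.html",
    "http://search.example-cu.com/creditunion/cs.html?url=http://attacker-host.example/x",
]

def redirect_target(link):
    """Return the decoded 'url' parameter of a cs.html link, or None if the
    link is not a cs.html redirect or carries no url parameter."""
    parts = urlsplit(link)
    if not parts.path.endswith("/cs.html"):
        return None
    values = parse_qs(parts.query).get("url")   # parse_qs percent-decodes
    return values[0] if values else None

def is_open_redirect(link):
    """True when the cs.html target would take the browser off the search host.
    A scheme-relative target ('//host/...') is the trick seen in the post: it
    looks like a local path but browsers treat it as a different host."""
    target = redirect_target(link)
    if target is None:
        return False
    # Browsers accept backslashes as slashes, so normalise before inspecting.
    target = target.strip().replace("\\", "/")
    if target.startswith("//"):
        return True
    tparts = urlsplit(target)
    if tparts.scheme or tparts.netloc:
        return tparts.hostname != urlsplit(link).hostname
    return False   # plain relative path: stays on the site

def flag_open_redirects(links):
    """Return the subset of links whose cs.html target leaves the site."""
    return [l for l in links if is_open_redirect(l)]

if __name__ == "__main__":
    for bad in flag_open_redirects(SAMPLE_LINKS):
        print("open redirect ->", redirect_target(bad))
```

The same check can be run over a web server’s access log to spot cs.html requests carrying off-site targets before the redirect is closed.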

These search hacks have involved a number of very high profile institutions. I often report them but don’t bother to blog them.  But I’ve gotten a bit tired of seeing them occur so easily and regularly.

For example, at the time of writing there is a long list of live redirects of exactly this form (the same cs.html?url=// pattern, pointing at the same handful of malicious hosts) on corporate, .edu and government sites.

All of these redirects lead to sites pushing malware.

What needs to happen is that the folks at Autonomy/Verity/Ultraseek have to get a message out to administrators and webmasters warning them of the problem and giving the configuration steps needed to resolve it.

Now, Ultraseek isn’t the only issue occurring right now in redirects… Perhaps more later.  

Alex Eckelberry

Hello from Russia, talking through code


A malware author responds to Microsoft, which found a message in the code of the Zlob trojan (malware researcher S!Ri.URZ posted the message on his blog).

For Windows Defender’s Team:
I saw your post in the blog (10-Oct-2008) about my previous message.
Just want to say ‘Hello’ from Russia.
You are really good guys.
It was a surprise for me that Microsoft can respond on threats so fast.
I can’t sign here now (he-he, sorry), how it was some years ago for more seriously vulnerability for all Windows 😉
Happy New Year, guys and good luck!

P.S. BTW, we are closing soon. Not because of your work. :-))
So, you will not see some of my great 😉 ideas in that family of software.
Try to search in exploits/shellcodes and rootkits.
Also, it is funny (probably for you), but Microsoft offered me a job to help
improve some of Vista’s protection. It’s not interesting for me, just a life’s irony.

Maybe all he really wants is woman good with plow.

(Note:  An earlier version of this post mistakenly named S!Ri.URZ as the malware author.)

Alex Eckelberry
(Thanks, Bharath)

Don’t delay digital TV

Despite jokes otherwise, someone would have to be living under a rock not to know that soon, TV is going digital. And now we want to delay it?

President-elect Barack Obama’s transition team Thursday asked key members of Congress to consider delaying the nation’s switch to digital television scheduled for Feb. 17, saying there is “insufficient support” for the problems consumers will experience during the shut-off of analog signals.

No. Don’t delay it. Just do it. Just because there are some who live their lives half-asleep doesn’t mean the world has to wait for them.

Alex Eckelberry

Fear and the use of resources

Excellent blog post by Schneier this morning on the issue of allocating resources. Basically, FBI resources have been taken off of counter-terrorism to work on the Madoff case.

A major question is: have we helped create a worse situation in the financial markets by putting too many resources on a rarer problem, terrorism, at the expense of protecting people from other threats?

I have certainly seen this myself. When talking to FBI agents about malware issues (including very severe issues involving keyloggers stealing personal data), I’ve heard them speak of the fact that terrorism is a higher priority in the agency, leaving them fewer resources to combat other issues like malware. And it’s not like they don’t want to help — I’ve never met a federal agent who wasn’t absolutely committed to putting bad guys away and fighting the good fight. They themselves feel helpless in these situations — good people in a tough situation. They do what they can, but there’s only so much they can do.

This is more than sad, especially when you’re sitting on a pile of stolen personal data, and the feds can’t deal with it adequately for lack of resources.

What we’ve done is scare the crap out of people, over-allocate resources, created a monstrous bureaucracy, and lost sight of the fact that these agencies only have so many resources, so much time, and they can’t spend it all on terrorism.

And for many years, anyone who pointed out this blindingly obvious fact was labeled some sort of weak-kneed, pacifist, terrorist sympathizer who didn’t somehow “get it”.

Ridiculous.

Alex Eckelberry

The pain of OLPC

The OLPC is an amazing little device. Unfortunately, the altruists who are running the project haven’t gotten far enough, and they’re laying off staff (although they have managed to get 500,000 laptops to the third world).

I admit to being completely baffled by the organization’s model. They practically refuse to sell these machines to the public — a public that really wants them. The only way to get one was to buy one off eBay (overpriced) or to do a give-one, get-one deal at $400.

It’s just bizarre to me that they wouldn’t sell these — think of all the parents who might get these little things for their kids as their first computer; or the people who simply want to experiment and play with a cheap, high-quality open-source device. The decisions by OLPC show an incredible arrogance and ignorance of basic economics.

Hey, OLPC: Get off your high-horse and do something that the business world learned a long time ago: When a customer wants to buy something, LET THEM BUY IT.

Then, maybe, you can get enough funds to actually do what you want to do.

Alex Eckelberry

Sunbelt on Twitter

We have some Twitterers here.

Jeff Cain (Business Support) http://twitter.com/jeffc_sunbelt
Jamie Hudson (Support Manager) http://twitter.com/Jamie_Hudson
Sunbelt Support (Support, general) http://twitter.com/Sunbelt_Support
Sunbelt’s avatar (some kind of marketing thing) http://twitter.com/pcspeedguru
Kara Kritzer (Marketing) http://twitter.com/karacoatta
Dodi Glenn (Software Testing) http://twitter.com/dodiglenn
Robert LaFollette (Art department) http://twitter.com/rjla67
Sunbelt (general) http://twitter.com/SunbeltSoftware

I have a twitter account but, alas, rarely use it.

Alex Eckelberry

An example of a hacked site

We’re working on getting this taken down. However, it’s something that may be of interest.

Offenbachers.com is hacked — badly. The webserver performs a 302 redirect only when it sees a referrer, so to see the hack you have to arrive at the site from a referring page, such as a search result.

Going to the site normally yields the ordinary store page.

However, when you visit the site from Google you get redirected elsewhere, and then on to a second page.

I made a really quick little video here (it’s not elegant but I’m tight on time).

Alex Eckelberry
(Thanks to Sunbelt’s Francesco for the help, and thanks to John for reporting the site)

Update: As of 1/9/2009, site appears clean.
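The referrer-conditional redirect described above is easy to miss with a single visit. As an added example (not from the original post), this Python checker requests a page with no Referer and then with search-engine Referers and reports any off-site redirect. The `fake_fetch` transport is a constructed stand-in for the hacked site; in practice it would be replaced by an HTTP client that does not follow redirects.

```python
from urllib.parse import urlsplit

SITE = "http://shop.example/"                        # placeholder, not the real site
BAD_TARGET = "http://redirect-host.example/landing"  # constructed redirect target

def fake_fetch(url, headers):
    """Constructed stand-in for the hacked server: a normal 200 unless the
    Referer names a search engine, in which case a 302 off-site.
    Returns (status, response_headers, body)."""
    ref = headers.get("Referer", "")
    if "google." in ref or "yahoo." in ref:
        return 302, {"Location": BAD_TARGET}, b""
    return 200, {"Content-Type": "text/html"}, b"<html>Furniture store</html>"

# Referers a crawler-aware checker should try; constructed examples.
SEARCH_REFERERS = [
    "http://www.google.com/search?q=furniture",
    "http://search.yahoo.com/search?p=furniture",
]

REDIRECT_CODES = (301, 302, 303, 307, 308)

def check_referrer_cloaking(url, fetch=fake_fetch):
    """Fetch `url` directly and then with each search-engine Referer.
    Any redirect to a host other than the site's own is reported as cloaking."""
    direct_status, _, _ = fetch(url, {})
    site_host = urlsplit(url).hostname
    findings = []
    for ref in SEARCH_REFERERS:
        status, hdrs, _ = fetch(url, {"Referer": ref})
        if status in REDIRECT_CODES:
            location = hdrs.get("Location", "")
            if urlsplit(location).hostname not in (None, site_host):
                findings.append((ref, status, location))
    return {"direct_status": direct_status, "cloaked": findings}

if __name__ == "__main__":
    report = check_referrer_cloaking(SITE)
    for ref, status, location in report["cloaked"]:
        print(f"Referer {ref} -> {status} to {location}")
```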

Math and computer geeks have more fun


Finally, the proof you’ve been waiting for. Jobsrated.com has analyzed 200 jobs, and rates math at the top. Software developers have a good showing as well.

Here are the top 12 (I went to 12 because I rather liked the idea of a philosopher being on the list):

1. Mathematician
2. Actuary
3. Statistician
4. Biologist
5. Software Engineer
6. Computer Systems Analyst
7. Historian
8. Sociologist
9. Industrial Designer
10. Accountant
11. Economist
12. Philosopher

And not to worry: for those not inclined to the hard sciences, the soft ones have a showing as well.

Link here (via beSpacific).

Alex Eckelberry

Philly to get UK-style cameras


As you can imagine, I really, really don’t like this.

On orders from the federal government, Philadelphia is replacing all its electromechanical signal boxes with a digital system that will eventually host the guts for a citywide network of surveillance cameras. While the old signal boxes were small enough to be strapped to the poles of traffic lights, the new digital, camera-ready signals require a lot more space – freestanding cabinets 67 inches tall.

Link here (hattip).

Alex Eckelberry