I want a real virus…

Yes, it’s humor.

I want a REAL VIRUS. One that causes mass chaos across the entire
planet, and does so in the real world, not just in stories created by
bored news reporters trying to make a buck. Hell, why not create a
computer virus that actually spreads the swine flu to every Linux user
on earth. After all, most Windows users hate Linux users, so let's
wipe them off the face of the earth. If you recall, Linux users like
to boast that their so-called "superior" operating system is virus
free. Let's prove them wrong and put them in their rightful place once
and for all. I don't know about you, but I'm damn tired of them
thinking they are superior human beings to everyone else just because
they are too damn cheap to actually pay for a copy of Windows, and
would rather spend their entire lives in some cheap rented basement
filled with damp mildew because they are too busy trying to get their
computers to work, than to actually get a job.

Alex Eckelberry

You might be surprised (and infected) if you search for nude Rihanna pics

The internets are buzzing — pictures of an allegedly naked Rihanna were posted on Friday.

Inevitably, the curious or libidinous will search for these pictures. And they just might find a few surprises.

Right now, if you search for “rihanna nude” on Google, you might get some odd results.

The third search result is a page on Microsoft’s Technet, pushing malware. And just further down is another link which leads to malware.

[screenshot: Google search results for the query]

Here’s how the technet.com page looks (this has already been reported and should be gone soon):

[screenshot: the technet.com profile page]

Which, when clicked, leads to celebsxx net, a malware site pushing a malicious fake codec.

[screenshot: the celebsxx fake codec page]

Further down, a separate search result leads to a page at uvouch.com with a similar fake video image, which when clicked leads to another malicious fake codec site, fonblog net.

[screenshots: the uvouch.com page and the fonblog fake codec page]

The malware campaign itself is nothing special. Just a fake user profile, with a simple animated gif linking to a malware site.

[the animated gif used in the fake profile, linking to the malware site]

Same type of thing happening with Malin Ackerman (female star of the Watchmen).

[screenshots: Malin Ackerman search results and the linked fake profile]

…and plenty of other celebrities. A search of the Uvouch site itself is telling. The top results here all point to similar malware links (Megan Fox, Zoe Saldana, Tila Tequila, and so on):

[screenshot: search results on the Uvouch site]

So, no big surprises here. A spicy subject. Sex. Not-so-perfectly secured social networking environments. The result? Boatloads of people getting infected.

Alex Eckelberry

Security hysteria and snakeoil

[image: the World Reports advertisement]

Apparently advertised on newstarget.com, this product just about takes the cake for serving a large load of horse manure.

The advertisement:

NON-U.S. INTERNET SECURITY SOLUTION CD AVAILABLE: FAR BETTER THAN NORTON ETC

It has now been established that the National Security Agency (NSA) works with/controls Microsoft, Norton, McAfee, and others, in pursuit of the Pentagon’s vast BIG BROTHER objective, directed from the ‘highest’ levels (not the levels usually referred to) which seek to have every computer in the world talk direct to the Pentagon or to NSA’s master computers.

This should come as no real surprise since the cynical spooks even assert this ‘in-your-face’ by advertising ‘INTEL INSIDE’, which says exactly what it means. More specifically, NSA has made great strides in this direction by having a back door built into Microsoft VISTA. Certain computers, especially those labeled with the logo of the ‘fully collaborating’ firm Hewlett Packard, have hard-core setups which facilitate the remote monitoring and controlling of personal computers by NSA, Fort Meade. We now understand that if you are using VISTA* you MUST NOT enable ‘file and printer sharing’ under any circumstances. If you say ‘YES’, so to speak, to ‘file and printer sharing’, your computer becomes a slave at once to NSA’s master computers. DO NOT ENABLE SHARING.

Unfortunately, this abomination is so far advanced that this may not be the only precaution that needs to be taken. As long as Microsoft continues its extensive cooperation with NSA and the NSC (National Security Council), the spying system which assists the criminalized structures, and thus hitherto the Bush-Clinton ‘Box Gang’ and its connections, with their fraudulent finance operations, NSA may be able to steal data from your computer. The colossal scourge of data theft is associated with this state of affairs: data stolen usually include Credit Card data, which the kleptocracy regards as almost as good as real estate for hypothecation purposes. Even so, you can make life very much more problematical for these utterly odious people by NOT USING U.S.-sourced so-called Internet Security and anti-virus software. Having been attacked and abused so often, we offer a solution.

We use a proprietary FOREIGN Internet Security program which devours every PC Trojan, worm, scam, porn attack and virus that the National Security Agency (NSA) throws at us. We are offering this program (CD) to our clients and friends, at a premium. The program comes with our very strong recommendation, but at the same time, if you buy from us, you will be helping us finance ongoing exposures of the DVD’s World Revolution and the financial corruption that has been financing it.

The familiar US proprietary Internet Security programs are by-products of US counterintelligence, and are intended NOT to solve your Internet security problems, but to spy on you and to report what you write about, to centralized US electronic facilities set up for the purpose. You can now BREAK FREE from this syndrome while at the same time helping us to MAINTAIN THE VERY HEAVY PRESSURE UPON THE CRIMINALISTS WE HAVE BEEN EXPOSING, by ordering this highest quality FOREIGN (i.e., non-US) INTERNET SECURITY SOLUTION that we have started advertising on this website. This offer has been developed in response to attacks we have suffered from the NSA nerds who appear to have a collective mental age of about five years, judging by their output.

• To access details about the INTERNET SECURITY SOLUTION, just press THE LIVE LINK YOU HAVE JUST READ, or else press SERIALS in the red panel below. This opens up our mini-catalogue of printed intelligence publications. Scroll right down to the foot of that section, where you will see details of this service. When you buy this special product, you will also, as we clearly state above, be paying a special premium by way of a donation to help us finance these exposures.

The premium contains a donation for our exposure work and also covers our recommendation based on the Editor’s own experience that this INTERNET SECURITY SOLUTION will make your Internet life much easier. Some versions have a ‘Preview before downloading’ feature.

*VISTA: Virtual Instant Surveillance Tactical Application.

The cost? $300!

If you want to read more for humor purposes, you can find an article at the “World Reports” website at worldreports.org/worldreports/internet_security_solution (I’m not linking to them, so they don’t get any SEO benefit, but the site itself looks safe enough).

Now, if these guys ever got into the snakeoil registry cleaning business, they could really cash in.

Alex Eckelberry

Goodbye Borland

My first professional job in the software business was with Borland in 1987.

This is admittedly painful for many Borland alumni. But I suppose all things must come to an end.

It was a heck of a company. I learned the software business there, acquired many of the guiding moral principles that are still with me today — and I had a lot of fun.

Alex Eckelberry

MIME sniffing

Over the past several months, researchers have seen a small number of phishing attempts taking advantage of a feature in older versions of IE called MIME Sniffing. It’s a weak attempt to bypass spam and phishing filters, by having a non-HTML link in an email.

It’s a pretty dumb hack, frankly. But it’s mildly interesting to observe.

Basically, a phisher takes advantage of a vulnerability in IE versions 4 through 7, where you can have the web server tell the browser that the content type is a particular type of file (jpg, png or gif), but actually render an HTML page (or whatever else).

What’s happening is that IE is “correcting” what it assumes is a mistake. The technique is explained in detail in this Heise article (thanks DJ).

Today, I saw an interesting phish, with the following URL:

acceghsh.nxt.ru/img/6.jpg?nin.ey.it/ws/e$ISAPI.dll?Sign&ru=http%3A%2F%2Fwww¬.it%2F

Or more simply,

acceghsh.nxt.ru/img/6.jpg

(the text string after the ? being simply garbage made to look like a querystring).

So, let’s use a simple tool like web-sniffer to see what’s going on here:

[screenshot: web-sniffer output, Content-Type header on top, response body below]

As you can see at the top of the screen, the server is telling the browser that it’s a JPEG file. But when we look at the content, it’s HTML.

And IE 7 will render it as HTML, because it’s assuming the web server made a mistake, and is correcting the “error”:

[screenshot: the same response rendered as an HTML phishing page in IE 7]

Nifty, eh?

Let’s take a look at the same page in Firefox:

[screenshot: the same page in Firefox, which honours the declared image type]

This whole MIME sniffing thing has been handled in IE 8. It’s the older versions of IE that display the page incorrectly.
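The mismatch web-sniffer exposed above can be checked mechanically. The following is an added example, not code from the original post: given a response's headers and body, it reports whether an image Content-Type is covering an HTML body, and whether the server sent `X-Content-Type-Options: nosniff` (the opt-out header IE 8 introduced alongside its sniffing changes). Header names and the sample body are constructed for the example.

```python
# Markers a sniffing browser treats as "this is really HTML" when found near the start.
HTML_MARKERS = (b"<html", b"<!doctype html", b"<head", b"<body", b"<script", b"<iframe")

# Leading magic bytes for the image types the post mentions (jpg, png, gif).
IMAGE_MAGIC = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/gif": b"GIF8",
}

def declared_type(headers):
    """Media type from Content-Type, lower-cased, with parameters such as charset dropped."""
    value = headers.get("Content-Type", "")
    return value.split(";", 1)[0].strip().lower()

def looks_like_html(body):
    """Inspect only the first 256 bytes, roughly the window a sniffing browser looks at."""
    head = body[:256].lstrip().lower()
    return any(marker in head for marker in HTML_MARKERS)

def check_response(headers, body):
    """Classify a response as 'ok', 'sniffable' or 'mismatch-protected'.

    'sniffable' means the server claims an image type but the body is HTML and no
    nosniff header is present, i.e. the situation shown in the web-sniffer screenshot.
    """
    ctype = declared_type(headers)
    magic = IMAGE_MAGIC.get(ctype)
    if magic is None:
        return "ok"  # no image claim to contradict
    if body.startswith(magic) or not looks_like_html(body):
        return "ok"  # body really is the declared image (or at least is not HTML)
    nosniff = headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff"
    return "mismatch-protected" if nosniff else "sniffable"

# Constructed sample in the shape web-sniffer showed for 6.jpg: image header, HTML body.
SAMPLE_HEADERS = {"Content-Type": "image/jpeg"}
SAMPLE_BODY = b"<html><head><title>Sign in</title></head><body>...</body></html>"

if __name__ == "__main__":
    print(check_response(SAMPLE_HEADERS, SAMPLE_BODY))
```

Running the sample reports `sniffable`; adding `X-Content-Type-Options: nosniff` to the headers moves the same response to `mismatch-protected`, which is the server-side fix for pages that legitimately serve odd types.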

Alex Eckelberry
(Hat tip to N)

State of the network study

Our friends over at Network Instruments have done their annual State of the Network study.  Nothing very surprising, but some mildly interesting stats. 

The study shows marked increases in virtualization — 75% of the respondents now use virtualization, and by 2011, 60% of applications are expected to be running on virtual machines, up from 27% this year. 

VOIP is also proceeding at a strong pace.  I do hope companies that implement VOIP understand the security issues…

You can read the study here.  

Alex Eckelberry

Malware killed this chip

[image: the blown CPU]

Well, sort of. 

There’s so much malware these days (our own repository is over 22 million samples) that managing it can be quite challenging. 

We routinely scan our repository to optimize our VIPRE engine, and a few days ago, the server croaked and the chip smoked.  Literally.

[photo: the fried CPU]

(One thing I’d never experienced before was the stench of a fried CPU.  Even after a full day, one of our IT guys brought it upstairs and it stunk to high heaven.)

If you’re curious, this was a Xeon dual-core 3.2 GHz with 3 GB of RAM and 6 TB of DAS, in a Dell 2650 chassis. I suppose a newer system would have shut down automatically at a high temperature, but this was an older server.

Alex Eckelberry

VIPRE a finalist in Windows IT Pro best of TechEd

VIPRE was selected for the upcoming TechEd show…

After carefully evaluating close to 200 individual product entries, our panel of judges has selected the finalists for the Best of TechEd 2009 Awards.

Link here.

And if you’re going to TechEd, we’ll be at booth 111, and we’ll be giving out all sorts of prizes and such.

Alex Eckelberry

Trusted-DNS is anything but trustworthy

[screenshot: the Trusted-DNS website]

With the growth of “clean DNS” services (primarily OpenDNS, which boasts over 10 million users), it was only a matter of time before scammers would catch on.

Enter Trusted-DNS, a service which purports to provide a “clean DNS”. In fact, it’s a DNS changer that will likely redirect users to bad sites.

Looking at the download, we see some interesting things. It starts off by calling GetAdaptersInfo, which it uses to read the current DNS settings.

Other strings and functions it uses include:

00402040 – DnsFlushResolverCache
00402058 – dnsapi
00402060 – DhcpNotifyConfigChange
00402078 – dhcpcsvc
00402084 – DhcpNameServer
00402094 – NameServer
004020A0 – SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%s
0040219A – SHSetValueA
004021A6 – SHLWAPI.dll
004021B4 – GetAdaptersInfo
004021C4 – iphlpapi.dll
004021D4 – _snprintf
004021DE – ntdll.dll
004021E8 – WS2_32.dll

And so on.
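The strings above (the per-interface Interfaces\%s key, NameServer and DhcpNameServer, SHSetValueA, then DnsFlushResolverCache and DhcpNotifyConfigChange) describe a DNS changer's footprint: a static NameServer written onto an interface that is otherwise DHCP-configured. As an added example, not code from the post or the sample, the following triages a `reg export` of that key offline and flags interfaces whose static resolvers differ from what DHCP handed out. The registry text is constructed for the example; the value names are the real ones under that key.

```python
import re

# Constructed `reg export` of the Tcpip Interfaces key: one overridden interface, one clean.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AAAA-1}]
"EnableDHCP"=dword:00000001
"DhcpNameServer"="192.0.2.53 192.0.2.54"
"NameServer"="198.51.100.9,198.51.100.10"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BBBB-2}]
"EnableDHCP"=dword:00000001
"DhcpNameServer"="192.0.2.53"
"NameServer"=""
'''

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip"
                    r"\\Parameters\\Interfaces\\(?P<iface>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dw>[0-9a-fA-F]+)|"(?P<s>.*)")$')

def parse_interfaces(reg_text):
    """Return {interface_guid: {value_name: value}} for every Interfaces subkey in the export."""
    ifaces, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = ifaces.setdefault(m.group("iface"), {})
            continue
        if line.startswith("["):
            current = None  # some other key; skip its values
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            dw = m.group("dw")
            current[m.group("name")] = int(dw, 16) if dw is not None else m.group("s")
    return ifaces

def split_servers(value):
    """NameServer lists may be comma- or space-separated; normalise to a list of strings."""
    return [s for s in re.split(r"[,\s]+", value or "") if s]

def find_static_overrides(ifaces):
    """DHCP-enabled interfaces whose static NameServer differs from DhcpNameServer.

    This is a triage signal, not proof: an admin can set static resolvers deliberately,
    but a DNS changer writing NameServer via the registry produces exactly this pattern."""
    findings = []
    for iface, vals in ifaces.items():
        static, dhcp = split_servers(vals.get("NameServer")), split_servers(vals.get("DhcpNameServer"))
        if vals.get("EnableDHCP") == 1 and static and set(static) != set(dhcp):
            findings.append((iface, static, dhcp))
    return findings
```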

Alex Eckelberry