Down with bloatware

Yeah, he has a point.

It killed the dinosaurs and it’s killing us. As if that wasn’t bad enough, our software is going the same way. Try as we might, the constant drive for things to get bigger seems irresistible. Bloatware rules. In an age in which every hardware device seems to be shrinking to near invisibility, why is it that the same isn’t happening to our software? Isn’t it about time that we demanded less, not more?

Link.

Alex Eckelberry

The biggest rogue family

The third generation of WiniGuard gets a new clone every 48 hours

A new rogue security product called IGuardPC, which we added to detections today, is the 50th clone of the WiniGuard family of rogue security products. That makes WiniGuard the largest rogue family ever detected by Sunbelt researchers.

The WiniGuard family began in September of 2008. Operators behind it have added variants that our researcher Patrick has sorted into three generations. The latest generation gets a new clone about every 48 hours to stay ahead of public awareness and anti-malware detections. Most of them are being caught by existing VIPRE detections.

First Generation

The first generation of WiniGuard used the site winiguard.com. It was created Sept. 17, 2008, by the same group that probably began circulating rogues using macguard.net, which has the same IP address. WiniGuard installed five files.

WiniGuard_GUI_Files

Second Generation

SaveKeep, first found August 17, marked the beginning of the second generation. This was distinguished by the use of two files instead of five.

SaveKeep

Third Generation

On Oct 17 the TREAntivirus rogue opened the third generation with a new GUI.

TRE AntiVirus

Today’s IGuardPC makes a total of 50 clones — the largest family we’ve ever found:

IGuardPC_GUI

WiniGuard rogues by generations

First Generation
10/13/2008 WiniGuard
1/29/2009 WiniBlueSoft
2/20/2009 WinBlueSoft
5/17/2009 WiniFighter
8/12/2009 WiniShield

Second Generation
8/17/2009 SaveKeep
8/24/2009 Savesoldier
8/26/2009 TrustNinja
8/27/2009 SaveDefense
8/28/2009 SafetyCenter
8/29/2009 BlockDefense
9/3/2009 SystemCop
9/11/2009 SafetyKeeper
9/17/2009 SoftSafeness
9/18/2009 TrustWarrior
9/19/2009 SaveDefender
9/22/2009 SaveArmor
9/25/2009 SecurityFighter
9/26/2009 SecuritySoldier
9/28/2009 SecureVeteran
10/2/2009 SecureWarrior
10/5/2009 TrustCop
10/8/2009 SafeFighter
10/9/2009 TrustSoldier
10/13/2009 TrustFighter
10/19/2009 SoftCop
10/21/2009 SoftVeteran
10/23/2009 SoftStrongHold
10/27/2009 ShieldSafeness
10/28/2009 SoftBarrier
10/30/2009 BlockWatcher
11/1/2009 BlockScanner
11/2/2009 BlockKeeper
11/4/2009 BlockProtector
11/7/2009 SystemVeteran
11/9/2009 SystemFighter
11/11/2009 SystemWarrior

Third Generation
10/17/2009 TREAntivirus
11/11/2009 AnitAid
11/17/2009 LinkSafeness
11/17/2009 SiteVillain
11/18/2009 SecureKeeper
11/24/2009 KeepCop
11/26/2009 ReAntivirus
11/27/2009 RESpyWare
11/30/2009 AntiAdd
12/3/2009 AntiKeep
12/7/2009 AntiTroy
12/9/2009 SiteAdware
12/11/2009 IGuardPC

Research by Patrick Jordan

Tom Kelchner

DefenceLab rogue home site has lots of borrowings

There are some “interesting” similarities between the home page of the DefenceLab rogue and the web pages of some legitimate anti-virus companies.

Our good friends at McAfee alerted us to some of this, and then Patrick Jordan and Alex Eckelberry took a closer look at the Web site associated with the new DefenceLab rogue that we reported on earlier this week.

DefenceLab is the rogue that directs the potential victim to a Microsoft Support page but injects HTML code into the page in his or her browser to make it appear as though Microsoft is suggesting the purchase of the rogue.

Here’s what we mean by “interesting” similarities:

The “Awards” page was lifted from AVG’s “Awards-References” page right down to a dead link to the ICSA site. (AVG really has ICSA certification and DefenceLab is really malware.)

Fake awards

DefenceLab: http://defencelab.com/about/awards
AVG: http://free.avg.com/ww-en/awards-references

The “License Agreements” also came from AVG:

DefenceLab: http://defencelab.com/about/license
AVG: http://free.avg.com/ww-en/eula

The “Company Profile” was lifted from the Mitnick Security Consulting LLC. site:

DefenceLab: http://defencelab.com/about/profile
Mitnick Security: http://mitnicksecurity.com/company.php

And guess where DefenceLab got its privacy policy:

DefenceLab: http://defencelab.com/about/privacy
Sunbelt: http://www.sunbeltsoftware.com/About/Privacy/

They did leave out one paragraph from Sunbelt’s text though:

“You may send an e-mail or letter to the following e-mail or street address requesting access to or correction of your personally identifiable information:

“Privacy Manager. . “

Tom Kelchner

Is botnet C and C headed for the cloud?

Researchers at HCL Technology, a strategic partner of CA, found a hacked server on Amazon’s Web Services’ cloud infrastructure working as a command-and-control server for the Zeus botnet. The researchers said the intruders probably found a server — a “target of opportunity” — and hacked it to install their malware. The Zeus server has been removed. The Zeus botnet has been responsible for losses of over $100 million, mostly from bank fraud.

Amazon web services

Security company Arbor Networks in August found a botnet using Twitter as a command-and-control channel for its bots.

In September, Symantec researchers found the Chinese-language Grups Trojan using the Google Groups newsgroup escape2sun to distribute commands.

Want to make any predictions?

InfoWorld story here. “Hackers find a home in Amazon’s EC2 cloud”

Register story from August: “Twitter transformed into botnet command channel”

Register: “Trojan taps Google Groups as command network”

Tom Kelchner

Rebranded rogue claims to be McAfee Secure certified

Patrick Jordan found this malicious little nugget today: Internet Security 2010. It’s a rebranded clone of Advanced Virus Remover, a rogue security product that we first found in June (Sunbelt Rogue Blog entry here.)

InternetSecurity2010_FakeResults

It’s one of your run-of-the-mill rogues, using run-of-the-mill scare tactics, except its payment screen contains a static graphic that imitates the McAfee Secure certification.

Copy of InternetSecurity2010_McAfeeSecure_Tested

A real “McAfee Secure” certification is a DAILY certification: it contains the date, and its logo should look like this:

Real McAfeeSecure tested

When you click on it, it should take you to the McAfee Secure rating verification page, https://www.mcafeesecure.com/RatingVerify, which gives the name of the certified web site and the “Status.”

McAfee return

More info about the program here.

VIPRE catches the installer that is also the rogue’s exe module:

InternetSecurity2010_APBlockingInstaller

While the rogue is active it also blocks all other applications.

FileBlockingTactics

The download sites for Internet Security 2010 all resolve to the same address and belong to the same VX Cactus group that ran the vxgame malware operations from Jan 2005 until Nov 2008.


Thanks Patrick.

Tom Kelchner

“Everyone” may not be your friend

There were two news stories recently that seemed to coincide. In the first, Cisco issued an annual security report which said the two current targets of the Internet criminal underground are banks and social networks. Banks because, well, we all know what they keep there. Social networks are targets because that’s where weakly protected password databases are kept and the passwords they contain probably are used on a lot of other sites as well.

“Criminals have been taking note of the large crowds in social-networking sites,” a Cisco researcher said.

The Koobface worm, which targets Facebook, has infected more than three million machines since 2008. It steals networking credentials, logs in to the sites and sends messages to friends to lure them to malicious Web sites that download more copies of the worm.

The second story, in PC World, detailed a significant change in access control that Facebook has rolled out. The 350 million Facebook users now have more control over who can see their information. These changes actually have been in a beta stage since last spring. In addition to “everyone” (the default setting) they can limit their information to “friends” or “friends of friends,” and now fine tune the process with a “customize” option that can limit access to one person for a post, picture or other item.

Facebook 1

There will be a new icon of a lock next to the “share” button that users hit to send their updates to their friends. Clicking on that enables users to select the security level for their posts.

Facebook users might avoid sharing with “everyone” since that makes their pages available to anyone on the Internet, including non-Facebook users. Sharing with “everyone” also makes the material available to search engines.

Facebook 2

They also can lock down their profile settings by clicking on “settings” (top of page, right) then “privacy settings” in the drop-down menu.

Stories here:

“Cyber crooks targeting banks-social networks: Cisco”

“Facebook Privacy Changes Go Live, Beware of ‘Everyone’”

Tom Kelchner

SecurityTool rogue is trying to be a moving target

The SecurityTool rogue security product, which first turned up early in October, is still active and trying to avoid countermeasures by setting up 12-24 download sites per day.

SecurityTool_GUI

It comes in two flavors. The first is an online scanner scam:

SecurityTool_OnlineScannerScam

and the second is a fake codec scam:

SecurityTool_FakeCodecScams

For more information see the Sunbelt Rogue Blog

or malware descriptions.

It’s being detected by VIPRE as FraudTool.Win32.RogueSecurity (v

Thanks to Patrick Jordan for all that.

Tom Kelchner

Americans consumed 3,600,000,000,000,000,000,000 bytes of info at home last year

Yes, that’s right: 3.6 zettabytes!

A report entitled “How Much Information” by the University of California in San Diego, released today, said the average person in the U.S. consumes 34 gigabytes of content and 100,000 words of information in a single day. That’s just at home.

The number of bytes we consumed increased at six percent per year from 1980 to 2008, the report said.

TV and video games are responsible for a big chunk of that. People are reading more too, since browsing the web is considered reading.

The report says “We estimate that an average American on an average day receives 11.8 hours of information a day.”

The project was funded by AT&T, Cisco Systems, I.B.M., Intel, LSI, Oracle and Seagate Technology, with early support from the Alfred P. Sloan Foundation.

The report didn’t mention security, but basically a lot of that data needs some kind of security protection. “Ten years ago 40 percent of U.S. households had a personal computer, and only one-quarter of those had Internet access. Current estimates are that over 70 percent of Americans now own a personal computer with Internet access, and increasingly that access is high-speed via broadband connectivity,” the report said.

Yep, 3.6 zettabytes per year – that’s a 36 with 20 zeros. It really puts the security issue into perspective (if you can wrap your head around the concept of a “zettabyte.”)

NYT story here.

Univ. of Calif. study report here.

Tom Kelchner

LimeWire and other P2P software present child porn risks

I’ve been saying this for a long time. P2P networks carry the risk of accidentally getting something you really don’t want…

Matthew White, of Sacramento, California, has found himself in a rather unfortunate situation; he’s been accused of downloading child pornography. On the advice of his public defender, White is pleading guilty in hopes of cutting his potential 20-year sentence down to three and a half years. After serving his time, White will have to serve 10 years of probation and register as a sex offender.

What makes this unfortunate is that the 22-year-old White claims he downloaded the child pornography on accident from the file-sharing service LimeWire. According to White, he was attempting to download a ‘Girls Gone Wild’ video two years ago, but when he opened the files, instead discovered images of underage girls. White claims to have immediately deleted the images and never looked back — at least until the FBI showed up at his door a year later.

Link here.

Alex Eckelberry

(Thanks, Herb)

Conficker Working Group: a template for countering future worm outbreaks?

SC Magazine has published a great feature story on the Conficker Working Group, an industry task force that has made major strides damaging the command and control channels of the worm that has infected 6.5 million computers worldwide since 2008.

The feature quotes Sunbelt Chief Technical Officer Eric Sites: “The Conficker Working Group is the greatest collaboration of top level security experts for specific malware research in industry history. The collaborative efforts of the Conficker Working Group are responsible for preventing a large scale attack.”

AV researchers in the group reverse engineered the worm code and found its domain-generation algorithm. They were then able to forecast the domains that infected machines would check in with, and registered those domains before the attackers could.
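The forecasting workflow described above, as an added illustration that is not the working group's code and does not use Conficker's real algorithm: a constructed, date-seeded toy generator stands in for the recovered DGA, it is run forward to list the domains bots will try, and that list serves both as the registration list and as a lookup for spotting infected clients in DNS logs. The names `toy_dga`, `forecast`, `match_dns_log`, `TLDS` and `DOMAINS_PER_DAY` are all assumptions.

```python
"""Forecasting DGA domains for pre-registration (sinkholing) and detection.

`toy_dga` is a constructed, hypothetical date-seeded generator used only to
show the workflow; it is NOT Conficker's algorithm.
"""
from __future__ import annotations
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")   # constructed TLD set for the toy generator
DOMAINS_PER_DAY = 5            # constructed: candidates each bot tries per day


def toy_dga(day_iso: str, n: int = DOMAINS_PER_DAY) -> list[str]:
    """Hypothetical DGA: derive n domains from the calendar date (ISO string).

    Once reverse engineering has recovered the seed (here, the date) and the
    derivation, defenders can run it forward exactly as infected hosts will.
    """
    out = []
    for i in range(n):
        digest = hashlib.sha256(f"{day_iso}:{i}".encode()).hexdigest()
        # map the first 12 hex nibbles onto a-z to get a plausible label
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
        out.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return out


def forecast(start_iso: str, days: int) -> dict[str, str]:
    """Map every domain the bots will query over `days` days to its ISO day.

    The keys are the registration/sinkhole list; the values say when each
    domain becomes live so registration can be prioritised.
    """
    start = date.fromisoformat(start_iso)
    table: dict[str, str] = {}
    for offset in range(days):
        day = (start + timedelta(days=offset)).isoformat()
        for dom in toy_dga(day):
            table[dom] = day
    return table


def match_dns_log(log_lines: list[str], predicted: dict[str, str]) -> list[tuple[str, str]]:
    """Return (client, qname) pairs whose qname is a forecast DGA domain.

    Expects constructed lines of the form "<client_ip> <qname>"; a client that
    asks for several forecast names in a row is very likely infected.
    """
    hits = []
    for line in log_lines:
        client, qname = line.split()
        if qname.lower().rstrip(".") in predicted:
            hits.append((client, qname))
    return hits
```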

“This will serve as a model in the future,” according to Rodney Joffe, SVP of domain name registrar NeuStar. “Within government, this is being pointed to as the model, or poster child, that collaboration within private industry really can work across borders. We were able to get collaboration in ways that had never been seen before.”

Story here.

Tom Kelchner

Cairde a chara

(Dear Friends)

Wonderful. Spam email in the Irish language: as usual the grammar was screwed up.

Dermot Harnett, who wrote about it on the Symantec blog, theorized that the verbiage was generated by translation software. “…the structure of the sentence is incorrect, which indicates that it is a literal translation from English.”

Blog piece here.

Tom Kelchner

New social engineering technique: use Microsoft support to sell rogues

Our analyst Adam Thomas came across this ugly new social engineering technique when he analyzed the DefenceLab rogue security product.

It does the usual scare-ware stuff: a fake scan and fake “Windows Security Center” alert:

DlabGUI

FakeAlert

Then it directs the potential victim to a Microsoft Support page, but injects html code into the page in his or her browser to make it appear as though Microsoft is suggesting the purchase of the rogue.

This is the real Microsoft page:

Real MS page

This is what it looks like after DefenceLab changes it:

Modified_page

Thanks Adam

Tom Kelchner

URL-shortening service Bit.ly will check links for malcode

Bit.ly, the URL-shortening service that sees much use by the Twittering set, has announced that it will begin checking shortened links with input from Sophos, Verisign and Websense. The service generates 40 million shortened URLs per day.

Malicious operators have been using shortened links to disguise the URLs of malicious sites that download malcode or are used in spam or phishing schemes.

Bit.ly filtering is expected to be in place by the end of the year.

Story here.

Tom Kelchner

It pays to read the fine print (literally)

This is a new one: bribeware. They’ll pay you a dollar to install their product.

Nice idea, but unfortunately in this case it comes bundled with malware. We detect it as C4DLMedia, a group of installers that include adware and agents that change browser home pages. It’s considered a “moderate” risk.

I wonder if Microsoft considered this for VISTA.

X3codec

C4DL Media might have a marketing problem with the dollar bribe though. In places where a dollar is worth enough to make this worth the effort there probably isn’t any Internet connectivity.

Thanks to Adam Thomas and Eric Howes for the research.

Tom Kelchner

Microsoft: counterfeit software infected with malcode more prevalent

The amount of counterfeit software infected with malcode has increased significantly since 2006, Microsoft said. A 2006 study by marketing intelligence firm IDC found that 25 percent of counterfeit software tried to install malcode when it was downloaded. Media Surveillance, a German anti-piracy firm, said one of its studies recently found 32 percent of pirated copies of Windows and hacks contained malcode.

Microsoft said the number of complaints it receives annually from people who unknowingly purchased pirated software doubled to 150,000 last year.

The company has begun an anti-piracy campaign in 75 countries called Consumer Action Day.

Story here.

Microsoft has made available information about counterfeit software and its fight against the problem here.

Tom Kelchner

VIPRE 4 now in beta

Both the enterprise and consumer versions of VIPRE 4 are now in beta.

VIPRE 4 includes an integrated firewall, HIPS, IDS, NIPS and all kinds of other goodness.

VIPRE Enterprise features a completely new console, with new functionality to deal with large enterprise environments.

If you’d like to get the beta (or get more information), simply go to beta.sunbeltsoftware.com and register.

Alex Eckelberry

Username: “administrator,” Password: “password” – yer pwned

For years there has been a collective wisdom about creating strong passwords. Briefly:

— don’t use a word found in the dictionary
— don’t use a word found in the dictionary with a “1” or other number after it
— create a password containing eight characters or more
— use a mix of letters, numbers and punctuation
— don’t write your password on a Post-it note and stick it under your keyboard

For user names the big rule is: change any default username or password as soon as you install an operating system or application.

Three people at Microsoft, Francis Allan, Tan Seng and Andrei Saygo, just posted an interesting piece on the company’s Threat Research and Response blog confirming most of the above. They reported what they observed while running a honeypot for almost a year, collecting information from real, in-the-wild, dictionary-based attacks.

Here were the most common user names and passwords used by attackers (in order):

User names:

Administrator
Administrateur
admin
andrew
dave
steve
tsinternetuser
tsinternetusers
paul
adam

Passwords:

password
123456
#!comment:
changeme
F**kyou (they didn’t really use the asterisks)
abc123
peter
Michael
andrew
matthew

They said that one attacker ran more than 400,000 user name and password combinations in one attack.

Blog piece “Do and don’ts for p@$$w0rd$” here.

Some ideas for strong passwords:
— use phrases (e.g. “Ubuntu_is_my_cat”)
— use patterns on the keyboard (e.g. zse45rdx: start with “z”, go up and to the right, move right one letter, then back down). You can write down the first character and remember the pattern, thus not really breaking the rule about writing passwords on a Post-it note and sticking it under your keyboard.
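As an added example (not the Microsoft team's code or this post's own), the rules listed above turned into a checker, with the honeypot's observed user names and passwords as a deny-list, plus a simple count of distinct user/password combinations per source to spot a dictionary attack like the 400,000-combination one in authentication logs. The `DICTIONARY` set, the 50-attempt threshold, and reading “mix” as three of four character classes are assumptions.

```python
"""Password and user-name checks from the post above, plus a dictionary-attack
detector for failed-login records (added example)."""
from __future__ import annotations
import re
import string
from collections import defaultdict

# Constructed mini-dictionary; a real check loads a full word list.
DICTIONARY = {"password", "changeme", "peter", "michael", "andrew", "matthew",
              "dave", "steve", "paul", "adam", "admin", "administrator", "ubuntu"}

# What the Microsoft honeypot saw attackers try (from the post; the masked
# expletive is left out because the post does not spell it).
ATTACKER_PASSWORDS = {"password", "123456", "#!comment:", "changeme", "abc123",
                      "peter", "michael", "andrew", "matthew"}
DEFAULT_USERNAMES = {"administrator", "administrateur", "admin",
                     "tsinternetuser", "tsinternetusers"}


def check_password(pw: str) -> list[str]:
    """Return the rules from the post that `pw` violates (empty list = passes)."""
    problems = []
    low = pw.lower()
    if low in ATTACKER_PASSWORDS:
        problems.append("on the honeypot attacker list")
    if low in DICTIONARY:
        problems.append("dictionary word")
    m = re.fullmatch(r"([a-z]+)\d+", low)         # e.g. "password1"
    if m and m.group(1) in DICTIONARY:
        problems.append("dictionary word plus digits")
    if len(pw) < 8:
        problems.append("fewer than 8 characters")
    classes = sum((any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw),
                   any(c in string.punctuation for c in pw)))
    if classes < 3:                                # assumption: "mix" = 3 of 4 classes
        problems.append("needs a mix of letters, numbers and punctuation")
    return problems


def check_username(user: str) -> list[str]:
    """Flag default or commonly attacked names; rename or disable such accounts."""
    return ["default or commonly attacked user name"] if user.lower() in DEFAULT_USERNAMES else []


def dictionary_attack_sources(failed_logins: list[tuple[str, str, str]],
                              threshold: int = 50) -> dict[str, int]:
    """Sources that tried at least `threshold` distinct user/password pairs.

    `failed_logins` is a constructed list of (source_ip, username, password)
    taken from an authentication log; a dictionary attack cycles through many
    combinations from one source, which ordinary typos never do.
    """
    tries: dict[str, set[tuple[str, str]]] = defaultdict(set)
    for src, user, pw in failed_logins:
        tries[src].add((user, pw))
    return {src: len(c) for src, c in tries.items() if len(c) >= threshold}
```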

Tom Kelchner