Sign up for H1N1 vaccinations? Zbot/Zeus alert.

Researchers are monitoring a massive spam campaign from the Zbot/Zeus botnet purporting to be instructions for signing up for H1N1 vaccinations with the U.S. Centers for Disease Control (CDC).

Clicking on a link in the spam messages takes potential victims to a CDC-look-alike page where they are instructed to download a “profile” — a form to get the vaccination. The downloaded file makes their machines part of the Zbot (or Zeus) botnet. Those who don’t click on the link can also get infected by an IFRAME exploit on the page that uses vulnerabilities in unpatched Adobe applications.

Email security company AppRiver said it was seeing about 1.1 million such spam messages per hour Tuesday. That rate had slowed to about half that by yesterday, they said.

Story here.

Tom Kelchner

SETI fan resigns

“He searched for UFOs, aliens and creatures from outer space.

Brad Niesluchowski has resigned from the Higley Unified School District in Gilbert after allegedly downloading software that seeks out alien life forms.

‘We support educational research and certainly would have supported cancer research,’ said Higley superintendent Denise Birdwell. ‘However, as an educational institution we do not support the search for E.T.’”

So he put SETI@home on 500 machines in the school. It’s hardly “searching for ET”. The luddite superintendent, however, would seemingly have been OK if the same technology had been used to search for a cure for cancer.

I would also question whether this cost the school over $1 million.

Idiocy.

Alex Eckelberry
(Thanks, Jay)

Cameroon is the most dangerous country domain on the web

Cameroon, with a country domain of “.cm,” is the most dangerous place to go on the web, according to AV company McAfee.

The McAfee researchers checked over 27 million sites worldwide and found 5.8 percent contained malicious mechanisms (browser exploits, excessive pop-up windows, malicious downloads or phishing). They found that 36.7 percent of the domains in Cameroon carried such malcode.

McAfee theorized that malicious operators choose Cameroon for their sites because the domain “.cm” would be where potential victims could end up if they mistyped a URL, leaving the “o” out of “.com.” Setting up sites with similar URLs to take advantage of such errors is called “typo squatting.”

The top five (bad) domains were:

— Cameroon “.cm”
— PR of China “.cn”
— Samoa “.ws”
— Philippines “.ph”
— (the former) Soviet Union “.su”

Story here.

When browsing the web, Internet users should use caution whenever they see a link to any of those country domains, especially for e-commerce sites. Holding the mouse cursor over a link in an email or on a web site will show the URL.

For shortened URLs, a page like LongURL http://longurl.org/ will show the complete URL.
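The two link-related warnings on this page (the CDC look-alike lure in the Zbot post above, and the advice here to hover over links and to check country domains and shortened URLs) can be turned into an automated check. The following is an added example, not code from the post, from Sunbelt, or from McAfee: it pulls the anchors out of a constructed HTML email body, compares the domain the link text shows with the host the link really points at, flags the five country domains named in the post, flags TLDs one keystroke away from ".com", and marks a small, constructed list of URL shorteners as needing expansion before they are trusted. The sample message and the shortener list are assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse

# Country-code TLDs that McAfee ranked as the five riskiest (from the post above).
RISKY_TLDS = {"cm", "cn", "ws", "ph", "su"}
# Small, constructed list of URL shorteners; expand these (e.g. with LongURL) before trusting them.
SHORTENERS = {"bit.ly", "tinyurl.com", "is.gd"}

# Constructed HTML email body for the demonstration; not a real message.
SAMPLE_HTML = """
<p>Please <a href="http://cdc-vaccine-profile.example.cm/profile">sign up at www.cdc.gov</a></p>
<p>Short link: <a href="http://bit.ly/abc123">http://bit.ly/abc123</a></p>
<p>Genuine: <a href="https://www.cdc.gov/h1n1flu/">www.cdc.gov</a></p>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r'\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b', re.I)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def tld_of(host):
    return host.rsplit(".", 1)[-1] if "." in host else ""


def is_com_typo(tld):
    """True if the TLD is one keystroke away from 'com' (e.g. 'cm', 'co', 'om', 'con')."""
    if tld == "com":
        return False
    if len(tld) == 2:  # one letter dropped
        return any("com"[:i] + "com"[i + 1:] == tld for i in range(3))
    if len(tld) == 3:  # one letter substituted
        return sum(a != b for a, b in zip(tld, "com")) == 1
    return False


def inspect_anchor(href, text):
    """Return a list of human-readable findings for one link; empty means nothing suspicious."""
    findings = []
    host = host_of(href)
    tld = tld_of(host)
    if tld in RISKY_TLDS:
        findings.append(f"risky TLD .{tld}")
    if is_com_typo(tld):
        findings.append(f".{tld} is one keystroke from .com")
    if host in SHORTENERS:
        findings.append(f"shortener {host}: expand before trusting")
    m = DOMAIN_IN_TEXT_RE.search(text)
    if m:  # the visible text names a domain; does it match where the link really goes?
        shown = m.group(1).lower()
        if shown != host and not host.endswith("." + shown):
            findings.append(f"link text shows {shown} but target is {host}")
    return findings


def inspect_html(html):
    """Return (href, findings) for every anchor in an HTML body."""
    results = []
    for href, inner in ANCHOR_RE.findall(html):
        visible = re.sub(r"<[^>]+>", "", inner)  # strip any tags inside the anchor
        results.append((href, inspect_anchor(href, visible)))
    return results


if __name__ == "__main__":
    for href, findings in inspect_html(SAMPLE_HTML):
        print(href, "->", findings or "ok")
```

On the constructed message the first link is reported three times over (a risky TLD, a one-keystroke typo of ".com", and link text that names www.cdc.gov while the target is elsewhere), the shortened link is reported as needing expansion, and the genuine CDC link passes. The text-versus-target comparison is the programmatic form of the "hover over the link" advice above.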

Tom Kelchner

VB: combining spam filters gives better filtering

Researchers at Virus Bulletin have written about a theoretical technique for improving spam filtering: combining the action of several filters.

The researchers sent about 200,000 emails to 14 anti-spam products. No legitimate email was blocked by more than four of the 14. They suggested that a hypothetical filter that tagged an email as spam if five or more of the 14 called it spam would result in 99.89 percent successful filtering with no false positives.

Their conclusion is that enterprises might consider using more than one anti-spam product and anti-spam vendors might consider sharing information.
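As an added illustration of the voting idea (this is not the Virus Bulletin researchers' code or data), the block below builds a constructed set of per-filter verdicts for 14 filters, counts how many filters flag each message, and measures catch rate and false positives for a vote threshold. The verdict pattern is constructed so that no legitimate message is flagged by more than four filters, mirroring the observation in the post; the message counts and the specific patterns are assumptions, not the study's figures.

```python
# Added example: threshold voting across several spam filters.
N_FILTERS = 14  # the VB study ran 14 anti-spam products


def constructed_dataset():
    """Build (is_spam, votes) rows where votes[f] is True if filter f flagged the message.
    Constructed pattern: each legitimate message is flagged by at most four filters;
    each spam message is flagged by between 3 and 14 filters."""
    rows = []
    for j in range(20):  # legitimate mail
        flagged = {j % N_FILTERS, (3 * j) % N_FILTERS, (5 * j) % N_FILTERS, (7 * j) % N_FILTERS}
        rows.append((False, [f in flagged for f in range(N_FILTERS)]))
    for k in range(50):  # spam
        flagged = {(k + m) % N_FILTERS for m in range(3 + k % 12)}
        rows.append((True, [f in flagged for f in range(N_FILTERS)]))
    return rows


def is_spam_by_vote(votes, threshold):
    """The hypothetical combined filter: spam if at least `threshold` filters say so."""
    return sum(votes) >= threshold


def evaluate(rows, threshold):
    """Return (catch_rate, false_positives) for one vote threshold."""
    spam_total = caught = false_positives = 0
    for is_spam, votes in rows:
        flagged = is_spam_by_vote(votes, threshold)
        if is_spam:
            spam_total += 1
            caught += flagged
        elif flagged:
            false_positives += 1
    return caught / spam_total, false_positives


def max_votes_on_ham(rows):
    """Most filters that agreed on any single legitimate message (4 in the VB data)."""
    return max(sum(votes) for is_spam, votes in rows if not is_spam)


def safest_threshold(rows):
    """Lowest threshold that blocks no legitimate mail. The catch rate can only fall as the
    threshold rises, so this is also the best catch rate with zero false positives."""
    for t in range(1, N_FILTERS + 1):
        rate, fp = evaluate(rows, t)
        if fp == 0:
            return t, rate
    return None


if __name__ == "__main__":
    data = constructed_dataset()
    print("max filters agreeing on a legitimate message:", max_votes_on_ham(data))
    for t in (1, 4, 5, 8):
        print(f"threshold {t}: catch rate {evaluate(data, t)[0]:.2f}, false positives {evaluate(data, t)[1]}")
    print("safest threshold:", safest_threshold(data))
```

The point the numbers make is the same as the study's: a threshold of one (block if any filter objects) catches everything but also blocks legitimate mail, while raising the threshold to one more than the worst case seen on legitimate mail removes the false positives at the cost of some spam that only a few filters recognised.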

At Sunbelt we have been doing this for a while. In our VIPRE Email Security for Exchange enterprise software solution we use the Cloudmark anti-spam engine and the Mail-filters engine as well as real-time blackhole lists (RBLs).

Info on VIPRE for Exchange here.

VB story here.

Tom Kelchner

Harvesting email addresses via fake abuse-reporting site

The gang that distributes the PCScout rogue security product (see description on the Sunbelt Rogue Blog here) has set up a fake abuse-reporting site, apparently to collect email addresses. Patrick made the connection.

[Image: PrivacyProtect 1]

Entering information results in an error screen, but the information goes somewhere.

[Image: Privacy-protect cn_EmailPhishing1212009]

privacy-protect.cn is described on malwareurl.com here.

Tom Kelchner

FreeBSD patches bug that gives root access

FreeBSD has issued a patch that may or may not be the final fix for a vulnerability that allows someone with local access to the system to run binary code with the help of the FreeBSD run-time link editor (rtld) and gain root access.

Intruders could possibly chain it with another vulnerability (such as one in a web application) that gives them the local access they need to exploit it.

German researcher Nikolaos Rangos posted information about the flaw on the Full Disclosure mailing list. It affects FreeBSD versions 7.1, 7.2 and 8.0. FreeBSD is an open-source operating system.

Story here.

FreeBSD advisory here.

Tom Kelchner

Honeynet Project offers sophisticated Picviz GUI

Researchers with the Honeynet Project have created a graphical user interface (GUI) that plots a wide variety of data and gives a visual representation that can make it easier to detect attacks.

The new GUI is part of the open-source Picviz tool. The developers say the graphic display is rendered from “traffic logs, database logs, SSH logs, syslogs, IPtables logs, Apache logs, and other sources.”

Picviz is described in a Nov. 25 paper, “Know your tools: use Picviz to find attacks,” by Sebastien Tricaud of The Honeynet Project and Victor Amaducci of the University of Campinas (Unicamp) (paper here).

Picviz is available here.

Here is a Picviz graphic rendering of traffic indicating an OpenVPN session.

[Image: Picviz rendering of an OpenVPN session]

The red line is the VPN session (data taken from tcpdump).
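What makes a single session stand out in a rendering like that is the parallel-coordinates technique Picviz uses: every log record becomes one polyline, each field is mapped onto its own vertical axis, and a record whose values differ from the crowd on several axes draws a line that crosses the others. The block below is an added example of that technique and is not Picviz code or its file format; it normalises a few constructed connection records onto four axes, picks the record whose line deviates most from the rest, and emits a small SVG with that line in red, as in the screenshot above. The records, the axis names and the scoring rule are all assumptions made for the demonstration.

```python
# Added example: parallel-coordinates rendering of log records (not Picviz itself).

# Constructed connection records, not captured traffic. Record 2 is the "VPN session".
SAMPLE_RECORDS = [
    {"time": "12:00:01", "src": "10.0.0.5", "dst_port": 443, "bytes": 1200},
    {"time": "12:00:02", "src": "10.0.0.7", "dst_port": 80, "bytes": 800},
    {"time": "12:00:03", "src": "10.0.0.5", "dst_port": 1194, "bytes": 52000},
    {"time": "12:00:04", "src": "10.0.0.9", "dst_port": 443, "bytes": 1500},
]
AXES = ["time", "src", "dst_port", "bytes"]  # one vertical axis per field


def seconds(hms):
    h, m, s = map(int, hms.split(":"))
    return h * 3600 + m * 60 + s


def axis_values(records, axis):
    vals = [r[axis] for r in records]
    return [seconds(v) for v in vals] if axis == "time" else vals


def normalise(values):
    """Map a column onto [0, 1]: numbers scale linearly between min and max;
    strings (here IP addresses) get evenly spaced slots in sorted order."""
    if all(isinstance(v, (int, float)) for v in values):
        lo, hi = min(values), max(values)
        return [0.0 if hi == lo else (v - lo) / (hi - lo) for v in values]
    cats = sorted(set(values))
    return [cats.index(v) / max(1, len(cats) - 1) for v in values]


def to_polylines(records, axes):
    """One list of per-axis coordinates in [0, 1] for every record."""
    cols = {a: normalise(axis_values(records, a)) for a in axes}
    return [[cols[a][i] for a in axes] for i in range(len(records))]


def stand_out(polylines):
    """Index of the record whose polyline is farthest (L1 distance) from the mean polyline:
    a crude stand-in for the line a human eye picks out on the plot."""
    n_axes = len(polylines[0])
    means = [sum(pl[j] for pl in polylines) / len(polylines) for j in range(n_axes)]
    return max(range(len(polylines)),
               key=lambda i: sum(abs(polylines[i][j] - means[j]) for j in range(n_axes)))


def render_svg(polylines, axes, highlight=None, w=600, h=300, pad=30):
    """Draw the axes and one polyline per record; the highlighted record is red."""
    step = (w - 2 * pad) / (len(axes) - 1)
    out = [f'<svg xmlns="http://www.w3.org/2000/svg" width="{w}" height="{h}">']
    for i, a in enumerate(axes):
        x = pad + i * step
        out.append(f'<line x1="{x:.1f}" y1="{pad}" x2="{x:.1f}" y2="{h - pad}" stroke="black"/>')
        out.append(f'<text x="{x:.1f}" y="{h - pad + 15}" font-size="10">{a}</text>')
    for i, pl in enumerate(polylines):
        pts = " ".join(f"{pad + j * step:.1f},{h - pad - v * (h - 2 * pad):.1f}" for j, v in enumerate(pl))
        color = "red" if i == highlight else "gray"
        out.append(f'<polyline points="{pts}" fill="none" stroke="{color}"/>')
    out.append("</svg>")
    return "\n".join(out)


if __name__ == "__main__":
    lines = to_polylines(SAMPLE_RECORDS, AXES)
    odd = stand_out(lines)
    print("record that stands out:", odd, SAMPLE_RECORDS[odd])
    with open("parallel.svg", "w") as fh:
        fh.write(render_svg(lines, AXES, highlight=odd))
```

With the constructed records the OpenVPN-port transfer lands at the top of both the destination-port and the bytes axes while the web traffic clusters near the bottom, so its line is the one that cuts across the plot, which is exactly the visual cue the Picviz screenshot relies on.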

(More info on wallinfire site here.)

Story here.

Tom Kelchner