30 percent of U.S. is totally safe from Internet threats

A survey of 54,000 households (129,000 people) commissioned by the National Telecommunications and Information Administration (NTIA) last year found that 30 percent of U.S. residents did not use the Internet at home or at work.

The study, based on Census Bureau work, found that 64 percent of households had connections. In 2007, only 51 percent did.

The NTIA researchers found that of those without connections, 38 percent said they didn’t need Internet and 26 percent said it was too expensive. In rural areas, 11 percent said they didn’t have any Internet access available. In urban areas, one percent said they couldn’t get it.

Story here.

Report here.

Tom Kelchner

The fakeout collection

Fake program trading is a popular way to spend time on hacking forums. An endless stream of wannabe hackers want to get even with somebody, or take over a specific account, but don’t have the technical skills to create a convincing-looking application and get the job done.

What do they do?

Trawl around on forums looking out for “fake program collections”. These collections take the form of ready-made (fake) programs, designed to fool the end-user into thinking they’re doing something useful. In reality, the program will just infect the user and send their data back to base / lurk in the background / cause a small fire that becomes the biggest story of the year on local TV.

The difference between these programs and those already out in the wild is that they come free of any infection – it’s up to the recipient to add that malicious aspect further down the line. Think of the fake program collection makers as artists, plying their trade in return for forum reputation points instead of a nice exhibit in a gallery somewhere.

The problem is, these things are so widespread now that every wannabe on the block can have their shiny-looking infection file made to order. Some hackers have effectively “retired” from infecting people and spend their days making fake programs for reputation points and the occasional sum of cash. Does this increase the number of people getting involved in infection spreading? Possibly – it certainly doesn’t help reduce that total, at any rate.

Previously, the dumps of fake collections I’ve seen tended to top out at around ten to twenty fake programs in a bundle, max. Today I came across a huge haul of around 150 fake programs, ready and waiting to be bound to something nasty.

Fake_programs1

As you can see, there’s something for everyone in there. Fake Xbox point generators, lots of videogame keygens, “cracked” versions of editing / multimedia software – even something that fails to load but still manages to play the Super Mario Bros theme tune in the background. As you might expect, the “convince me” factor of some of these programs leaves a lot to be desired but these three particularly stand out for various reasons.

The Good:

Fake_p2

Well, that’s pretty convincing. Numerous (recent) movies highlighted, a tab bar going back to 2007, volume and control buttons at the top... someone desperate to see a film may well fall for this.

The Bad:

Fake_p3

Well, this is underwhelming. The supposed “TV” aspect consists of two static photographs that you can flip back and forth – I’m not sure anybody would bother to bind anything to this apart from a self-destruct switch, but you never know.

The…er…wait, what is this?

Fake_p4

You just can’t get away from that film, can you?

Chris Boyd (PaperGhost)

Are the threats to gamers being taken seriously?

Computer games have been gaining in popularity probably at an exponential rate since the invention of the Etch-A-Sketch. The release of the next Xbox version or Nintendo model is headline news. And we all know people who spend more time in the virtual reality of World of Warcraft than they do in this world.

It’s easy to think of on-line games and the games played from consoles as, well, just games. That changed some time ago. That little (now very big) world has at least as many serious malware and social engineering threats as the other parts of the Internet.

Chris Boyd (AKA PaperGhost), the UK security researcher whom Sunbelt Software just hired, made an hour-long video of a presentation he gave at the SecTor.ca conference: “Game Over Man, Gamers under Fire.” (The link to the video is halfway down the page.)

He goes into quite a bit of detail about game console networks, payment systems, malicious software, denial-of-service attacks, cheats and social engineering. He also stresses the often overlooked point, where consoles are concerned, that although logins are still ultimately lost via phishing, sophisticated and blended attacks on the console and online gaming environment are what get the attacker to that stage of trust in the first place.

Also, many companies now drop consoles onto their network via recreation rooms, with no inkling that the wrong move in an online gaming session could potentially open up players to targeted distributed denial-of-service attacks — not a good thing for a corporate network to attract!

Boyd lists the safe practices for gamers:

— NEVER give someone your system logins in exchange for ANYTHING.
— Don’t buy cheats; many sellers are malicious.
— Avoid the game cheats and other things that are sold through YouTube videos.
— If you have an account with a gaming company, remove your credit card number from the account if at all possible and don’t sign up for automatic renewal.
— Use pre-paid cards to pay for accounts rather than your credit card.
— Use aliases when you sign up for accounts.

He concludes in the video: “These [games] aren’t as safe and secure as people will try to make out that they are.”

The video is a good way for gamers to get up to speed on the huge number of threats out there.

Nice work PaperGhost.

Tom Kelchner

What is the “Cloud” anyway?

Rob VandenBrink at SANS has done the world a GREAT service. He’s put together a blog piece that breaks down the different types of services that are commonly referred to as “the cloud.”

They include:

— Colocation Services
— Host as a Service (HaaS) / Infrastructure as a Service (IaaS)
— Computer as a Service (CaaS) or Desktop as a Service (DaaS)
— Platform as a Service (PaaS)
— Software as a Service (SaaS)
— Private Clouds

It’s a very nice, quick read:

Defining Clouds – “A Cloud by any Other Name Would be a Lot Less Confusing”

Tom Kelchner

Omegle users targeted by rogue URL spreaders

Omegle.com is a one-to-one anonymous chat service that continues to grow in popularity. While you can find numerous tales of non-malicious AI bots “chatting” with Omegle users, here we have an example of how that same concept can be applied in a rather more malicious fashion.

From around January of this year, a number of individuals on various forums have been creating Omegle Chat Spreader tools. These programs have been specifically designed to send malicious URLs to Omegle users in chat sessions with what they believe to be a real person.

As you can see from the screenshot:

Omegle 1

…there are numerous options where your spam messages are concerned – along with the intended infection URL, you can use the default messages that are sent on entering the conversation, during it, and on leaving it:
“Download this sliedshow of me f*****g my self”
“check out this sexy pic of me”
“enjoy the slide show byee”

…or you can add up to six custom messages of your own, and (cleverly) also watch the spambot in real time via the browser window on the right. If you think your spambot isn’t performing well, you can adjust performance on the fly, either by altering the messages or the timing of the messages to make your bot look more like a real person. In the above screenshot, you can see how the tool combines your name and age as a chat message to the victim.

In this next screenshot, you can see it sending whatever infection link the attacker has placed in the “Download URL” box, complete with interaction from the victim (in red):

Omegle 2

The program has been designed as a “fire and forget” package, which means the attacker can simply set it up and leave it running on their PC. Does it get victims?

You bet. A random shot from a hacking forum – there are many more like this:

Omegle 3

“I went to the shop and when I returned I had at least five to ten people”?

Oh dear. Be careful what you click on in Omegle land, as this type of package is sure to become more popular as the weeks pass by.

Chris Boyd (PaperGhost)

U.S. FTC shuts down “work from home” scammers

The U.S. Federal Trade Commission (FTC) today announced actions against nearly 70 work-at-home and job-placement scammers by federal and state agencies. The commission is calling the combined investigations “Operation Bottom Dollar.”

The FTC filed seven cases against scammers and said there were actions in four older scam cases. The Department of Justice brought 43 criminal actions. A number of them involved help from the U.S. Postal Inspection Service. The Postal Inspection Service brought one civil action and state attorneys general brought 18.

The actions were announced at an FTC press conference today that included officials from the FTC’s Bureau of Consumer Protection, a federal assistant attorney general for the civil division of the Department of Justice, and Ohio’s attorney general.

In one of the cases, scammers victimized more than 100,000 people. The FTC obtained a court order temporarily barring the operators from continuing their deceptive tactics and froze their assets pending a court order that would allow the agency to try to return money to victims. Authorities executed search warrants and arrested the two operators of one business.

At the press conference the FTC announced actions against:

Government Careers Inc. (action in U.S. District Court for the District of Arizona), which ran ads on Web sites and charged victims $119 for study materials to help them obtain federal government jobs that never materialized.

Real Wealth, Inc. (U.S. District Court for the Western District of Missouri) conned more than 100,000 people by selling booklets that told how they could earn money by applying for government grants and working from home mailing postcards and envelopes.

Darling Angel Pin Creations (U.S. District Court for the Middle District of Florida, Tampa Division) claimed on the Internet and in newspaper advertisements that consumers who purchased a starter kit for $22-$45 could earn up to $500 per week assembling angel pins. Those buying into the scam were required to have one of their assembled angel pins approved by the company before they could make any money. The company, however, rejected nearly all the angel pins consumers submitted.

Abili-Staff, Ltd., (U.S. District Court for the Western District of Texas, San Antonio Division) sold work-at-home opportunities online and pre-screened lists of jobs, telling consumers they could access the lists after paying a fee ranging from $29.98 to $89.99.

Entertainment Work, Inc. (U.S. District Court for the Southern District of Florida) sold memberships in a Web site that was supposed to list jobs as movie extras, jobs on television, or jobs in print media. Trial memberships cost $19.95 to $24.95, and automatically converted into annual memberships for an additional fee of $80. The company failed to disclose that to cancel their membership, people would have to pay an additional fee or undertake a burdensome process.

Independent Marketing Exchange, Inc. (U.S. District Court for the District of New Jersey) sold a variety of work-at-home scams, including envelope, postcard and mystery shopper schemes.

Preferred Platinum Services Network (U.S. District Court for the District of New Jersey) sold a work-from-home scheme in which victims were charged an enrollment fee of $80-$90 so they could earn money by labeling postcards describing a “mortgage accelerator” which did not exist. Criminal authorities served search warrants on the business and arrested the husband-and-wife team running it, charging them with mail fraud.

Since last summer, the FTC also has settled or litigated four law enforcement actions stemming from employment and work-at-home scams:

Job Safety USA and principal Wagner Ramos Borges (U.S. District Court for the District of Maryland, Greenbelt Division) offered phony jobs to people seeking maintenance and cleaning work.

Career Hotline, Inc. (U.S. District Court for the Middle District of Florida) took money from job seekers after guaranteeing them jobs that paid at least $25,000 per year.

Penbrook Productions (U.S. District Court for the Central District of California) enticed consumers to become “certified” rebate processors making $225 per hour.

International Marketing and principal Zolio Cruz Carrion (U.S. District Court for the District of Puerto Rico) was cited for contempt for failing to comply with a 2008 order in a scam in which he promised Spanish-speaking consumers substantial income for stuffing envelopes. “The court granted the FTC’s motion to hold Cruz in contempt for failing to comply with an earlier order and briefly jailed him for contempt. It also prohibited him from marketing any business, employment, investment or work-at-home opportunity,” the FTC said.

The commission also announced partnerships with Monster.com, Microsoft’s Bing and Craigslist. Those groups will provide information to help job seekers recognize job scams.

The FTC has produced consumer education videos in English and Spanish, which are available at http://www.ftc.gov/jobscams and http://www.youtube.com/ftcvideos.

FTC account here: “FTC Cracks Down on Con Artists Who Target Jobless Americans”

It’s pretty obvious that if somebody wants money from you before he will hire you, there is a really good chance it’s a scam (or not much of a job.)

Tom Kelchner

UK researcher joins Sunbelt

Boyd5

Chris Boyd (left) with Sunbelt Software CEO Alex Eckelberry at RSA 2008

Chris Boyd (AKA Paperghost), a spyware and privacy researcher based in the UK, has joined the Sunbelt Software research team and will be contributing to the Sunbelt Blog. Chris is a Web 2.0 security specialist with a significant background in the exploits and hacks in online computer games.

He was formerly Director of Malware Research at Facetime, a Belmont, Calif.-based Web 2.0 and unified communications security firm. He is a five-time Microsoft MVP and a CNET Top 100 Blogger, and has been responsible for numerous discoveries in security. He has spoken at computer security conferences including RSA, ASC and InfoSec Europe.

He has specialized in investigating the scams of adware vendors such as Direct Revenue and Zango. Evidence he uncovered was used in the 2006 New York Attorney General v. Direct Revenue case.

He has presented his research on his web site Vitalsecurity.org since 2004.

When Boyd isn’t researching security issues he’s listening to Mahler and indulging his interests in videogames, anything Batman-related, collecting old consoles and watching Hong Kong cinema, on which he did a dissertation for his BA (Hons) in fine art.

Tom Kelchner

The top 25 most dangerous programming errors

The Common Weakness Enumeration Compatibility and Effectiveness Program has just posted its annual “2010 CWE/SANS Top 25 Most Dangerous Programming Errors.”

Just as the title says, it’s an attempt to pin down the software errors that are the most dangerous. The code is where all the vulnerabilities we deal with start. A vast number of attacks are successful because of security weaknesses in the operating systems and applications we use. Failure to patch is one of the chief ways to make yourself a victim of malcode.

The page focuses on different groups who may use its data and has suggestions for:

— Programmers new to security
— Programmers who are experienced in security
— Software project managers
— Software testers
— Software customers
— Educators
— Users of the 2009 Top 25

“The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.”

The list has been put together by the SANS Institute, MITRE and many top software security experts in the US and Europe.

Here at Sunbelt Software, we pay close attention to it.

Tom Kelchner

Cyclist Floyd Landis wanted for computer hacking in France

A judge in Nanterre, near Paris, has issued a warrant for U.S. cyclist Floyd Landis, who had his 2006 Tour de France title revoked after he tested positive for performance-enhancing drugs.

The court wants to question Landis about a 2006 hacking incident in which a Trojan was installed in the computers of the Châtenay-Malabry lab which did the urine tests that resulted in Landis losing the 2006 Tour title and being barred from cycling for two years.

During the aftermath of the doping scandal, Landis launched a very shrill media campaign against the lab, questioning its testing procedures.

The Châtenay-Malabry lab filed a complaint in 2006 charging that its computer data had been stolen. The information was used in Landis’s defense, sent to other labs and given to news outlets. An investigation at the lab found a Trojan had installed a back door that gave someone access to the system. Investigators believe the Trojan arrived in an e-mail sent to the lab from a computer using the same IP address as Landis’ coach Arnie Baker.

Baker and Landis deny the charges.

Story here.

Tom Kelchner

Google takes flak for sloppy privacy protection in Buzz

Shortly after Google introduced its Buzz social media tool last week the security community lit up about its disastrous lack of privacy controls. Setting up an account opened up your contacts and everyone could see who you’d been in frequent contact with.

More than one commentator was shocked that Google would structure a product with so little concern for security. A piece in InfoWorld, entitled “Why Google Has Become Microsoft’s Evil Twin,” was especially hard hitting. Robert X. Cringely wrote: “The backlash over Google Buzz reveals an even bigger problem: The people behind the people’s search engine are deeply out of touch.”

“When you first go into Google Buzz, it automatically sets you up with followers and people to follow. … The problem is that — by default — the people you follow and the people that follow you are made public to anyone who looks at your profile. In other words, before you change any settings in Google Buzz, someone could go into your profile and see the people you email and chat with most …” he wrote.

Cringely also said that people he knew at Google were completely dumbfounded at the criticism.

By last Saturday Google had made some fixes, and Todd Jackson, Product Manager of Gmail and Google Buzz, wrote on the Official Gmail Blog:

“We’ve heard your feedback loud and clear, and since we launched Google Buzz four days ago, we’ve been working around the clock to address the concerns you’ve raised. Today, we wanted to let you know about a number of changes we’ll be making over the next few days based on all the feedback we’ve received.”

By Thursday Google had made changes:

— They made the Buzz checkbox for choosing not to display personal information easier to find,
— replaced the auto-follow model (Buzz automatically set users up to follow the people they email and chat with) with an auto-suggest model,
— removed the automatic connection to public Picasa Web Albums and Google Reader shared items, and
— added a tab to Gmail Settings to make it possible to hide Buzz from Gmail or disable it.

We commonly hear the “home user” criticized for being oblivious to security and privacy measures (failure to update, clicking on links and attachments in spam, poor password selection, posting personal information in public places and on, and on, and on.) You’d think that all the smart people at Google would have been more conscious of the problem. It’s great that they immediately made the fixes needed, but, it was shocking that it happened in the first place.

Generally, most people have a warm and fuzzy feeling about Google, or did. This episode is just one more wake-up call. We are all responsible for our own online security. We all have to keep up with current threats and can’t trust big institutions like Microsoft, and now Google, to be some kind of parent figure.

Tom Kelchner

Second guess your AV scanner with SANS’ whitelist database

SANS tool

The clever folks at SANS have made public the beta version of a whitelist hash database that enables you to look up the MD5 or SHA1 hash of a file to see whether it has been checked as NOT malcode by a reliable authority. The tool is based on the “National Software Reference Library” (NSRL) from the National Institute of Standards and Technology (NIST). The NSRL database normally comes as a download or CD and isn’t as convenient as a web site lookup.

Among other uses, this could be pressed into service when you suspect a false positive: to check a file that might be part of a standard package, or a system file that has been tagged as malicious by a malcode scanner. Or, if you’re simply suspicious of a file that your anti-malware scanner doesn’t detect, this could be a check.

You can also put in a file name to find its whitelisted MD5 hash.

Windows 7 files are not in the database as of this writing, according to Dr. Johannes Ullrich at SANS.
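The same kind of lookup can be done against a local copy of the NSRL data. The script below is an added example, not the SANS tool or NIST code: it parses a whitelist in the column layout of the NSRL Reference Data Set file ("SHA-1","MD5","CRC32","FileName",...), hashes a file, and reports whether the hash is whitelisted, unknown, or carries a whitelisted file name with a different hash (the case to look at hardest when a scanner flags a system file). The whitelist rows are constructed sample data, not real NSRL entries.

```python
"""Look up a file's MD5/SHA-1 in a local NSRL-style whitelist.

Added example; not the SANS hash-search tool or NIST's own code.
"""
import csv
import hashlib
import io

# Constructed sample whitelist in the NSRL RDS column layout. The digests are
# the real MD5/SHA-1 values of the bytes b"abc" and of an empty file, so the
# lookups below resolve offline. CRC32, sizes and product codes are filler.
SAMPLE_WHITELIST_CSV = '''"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"A9993E364706816ABA3E25717850C26C9CD0D89D","900150983CD24FB0D6963F7D28E17F72","352441C2","GOODFILE.DLL","3","1","358",""
"DA39A3EE5E6B4B0D3255BFEF95601890AFD80709","D41D8CD98F00B204E9800998ECF8427E","00000000","EMPTY.BIN","0","1","358",""
'''


class Whitelist:
    """In-memory index of an NSRL-style hash set."""

    def __init__(self):
        self.by_sha1 = {}   # sha1 (lowercase hex) -> file name
        self.by_md5 = {}    # md5 (lowercase hex) -> file name
        self.by_name = {}   # file name (lowercase) -> list of {"md5", "sha1"}


def load_whitelist(csv_text):
    """Parse NSRL RDS CSV text (quoted fields, header row) into a Whitelist."""
    wl = Whitelist()
    for row in csv.DictReader(io.StringIO(csv_text)):
        sha1 = row["SHA-1"].strip().lower()
        md5 = row["MD5"].strip().lower()
        name = row["FileName"].strip().lower()
        wl.by_sha1[sha1] = name
        wl.by_md5[md5] = name
        wl.by_name.setdefault(name, []).append({"md5": md5, "sha1": sha1})
    return wl


def hash_bytes(data):
    """Return (md5, sha1) hex digests of the given bytes."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def hashes_for_name(wl, filename):
    """The whitelisted digests recorded for a file name (may be several builds)."""
    return wl.by_name.get(filename.lower(), [])


def check_file(wl, filename, data):
    """Classify a file's contents against the whitelist.

    verdicts: "whitelisted"            - hash is in the set
              "name-known-hash-differs" - the name is whitelisted but this copy's
                                          hash is not (modified or replaced file)
              "unknown"                 - neither hash nor name is in the set
    """
    md5, sha1 = hash_bytes(data)
    result = {"file": filename, "md5": md5, "sha1": sha1}
    if sha1 in wl.by_sha1 or md5 in wl.by_md5:
        result["verdict"] = "whitelisted"
        result["known_as"] = wl.by_sha1.get(sha1) or wl.by_md5.get(md5)
    elif filename.lower() in wl.by_name:
        result["verdict"] = "name-known-hash-differs"
        result["expected"] = hashes_for_name(wl, filename)
    else:
        result["verdict"] = "unknown"
    return result


def check_path(wl, path):
    """Hash a file on disk and classify it."""
    with open(path, "rb") as fh:
        data = fh.read()
    return check_file(wl, path.replace("\\", "/").rsplit("/", 1)[-1], data)


if __name__ == "__main__":
    wl = load_whitelist(SAMPLE_WHITELIST_CSV)
    for name, content in (("GOODFILE.DLL", b"abc"), ("goodfile.dll", b"abd"),
                          ("empty.bin", b""), ("other.exe", b"hello world")):
        print(check_file(wl, name, content))
```

A "name-known-hash-differs" result is not proof of infection (a newer build of the same file would show the same way), but it is the case where comparing against a known-clean copy is worth the effort.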

Tool here: http://isc.sans.org/tools/hashsearch.html

SANS description here.

Tom Kelchner

Social media expands: LinkedIn hits 60M

LinkedIn 60 m

A new user in the Netherlands became the 60 millionth person to sign up with LinkedIn, the professional social networking site.

Facebook says it has 400 million users of whom half log in every day.

Both are fabulous tools for communications and socializing, but making members’ identities and personal information so easily available carries some big risks. Our good friends at Sophos have pointed out that information can be harvested from LinkedIn for spear phishing. The site can contain enough information to be a virtual company directory.

There are unexpected exposures too. Imagine linking to a recruiter you’re having conversations with and being able to see the other people he or she is linked to – like your subordinates – or your boss! That spills just a bit too much info on all of us.

LinkedIn story here.

Tom Kelchner

Social networking revolution brewing: the anti-“villes”

Villes 4

A lot of Facebook members are becoming fans of “I don’t care about your farm, or your fish, or your park, or your mafia!!”

This is basically a privacy issue I suppose.

Villes

Shortly after noon today there were about 4,000 Facebook members joining every 10 minutes!

Villes2

Villes3

If the surge continues it might become a Facebook denial-of-service issue!

http://www.facebook.com/pages/I-dont-care-about-your-farm-or-your-fish-or-your-park-or-your-mafia/207382931457?ref=nf

Update:

The Wall Street Journal reported on this last night about 10 p.m. At that point they said 2,000 people were joining per minute.

“Backlash Against Social Games Brews On Facebook”

Tom Kelchner

Wi-Fi sensitivity results in Santa Fe lawsuit

When you spend your day scouring the Internet (and Sunbelt labs) for news about computer security topics you cover a lot of territory. Once in a while you just have a weird day. You run into a lot of strange stuff. Today is one of those days.

Yahoo’s tech blog is carrying a story about a man in Santa Fe, New Mexico, who is suing because he has “electromagnetic sensitivity” and can’t live in his own home because of the radiation from his neighbor’s wi-fi network.

He says in his suit that her cell phone, fluorescent lights and dimmer switches also cause “life-threatening reactions, which include heart arrhythmia.”

I hope nobody tells him that people use Wi-Fi to log onto the Internet and everybody knows that’s full of viruses and bots. And there’s no frost in Santa Fe to kill the bots either.

And don’t get me started about the deadly flux fields from those refrigerator magnets.

“Wi-fi ‘sensitivity’ draws lawsuit from next-door neighbor”

Update:

Whoa boy! There’s some history there. Plaintiff Arthur Firstenberg has been at this for a while.

http://en.wikipedia.org/wiki/Arthur_Firstenberg

Tom Kelchner

Interview with a Nigerian 419 scammer

Bruce Schneier, in his blog Schneier on Security (http://www.schneier.com/), drew attention to this great interview with an ex-Nigerian-419 scammer on the Scam-Detective site.

It’s a fairly long piece and gives a pretty good view of the Nigerian scam industry run by organized crime, how it sucks in young people who have good computer and English skills and pays them a huge amount of money ($75,000 per year in this case) to scam victims they view as white, greedy and rich.

I’ll just quote one section and the conclusion of the three-part interview:

Scam-Detective: How did you find victims for your scams?

John: First you need to understand how the gangs work. At the bottom are the “foot soldiers”, kids who spend all of their time online to find email addresses and send out the first emails to get people interested. When they receive a reply, the victim is passed up the chain, to someone who has better English to get copies of ID from them like copies of their passport and driving licenses and build up trust. Then when they are ready to ask for money, they are passed further up again to someone who will pretend to be a barrister or shipping agent who will tell the victim that they need to pay charges or even a bribe to get the big cash amount out of the country. When they pay up, the gang master will collect the money from the Western Union office, using fake ID that they have taken from other scam victims.

. . .

Scam-Detective: Can you give our readers any tips about how they can avoid getting scammed?
John: The biggest thing I can say is to delete the emails and never to reply. Once you reply your email address will be put on a list and sold to other gangs, even if you never reply again. It just tells them that the address is real and that somebody reads email going to that address. If they can’t get you with 419 (advance fee fraud) they will try phishing or viruses to get your banking details and take your money that way.

I used lots of different stories to get people to send money. I used the dying widow story a lot, saying that I was an old lady dying of cancer and had fallen out with my children. I wanted to give my money to charity and didn’t trust them to carry out my wishes, so was looking for someone outside of the country to make sure it went to the right place. So whatever the story is, make sure you delete the email, because you can be sure it is a scam.

Another thing is not to put email addresses anywhere on the internet. If it is on a guestbook or message board, or on a website anywhere then the foot soldiers will find it and put it on their list.

Tom Kelchner

WinXP users: hold off on installing MS10-015

Bsod

Security blogger Brian Krebs is reporting that some Windows XP users are seeing the blue screen of death on reboot after installing Microsoft’s Tuesday patch KB977165 (MS10-015: “Vulnerabilities in Windows kernel could allow elevation of privilege.”)

“Turns out, a non-trivial number of XP users are reporting that their systems suffer from the dreaded Blue Screen of Death (BSoD) and fall into an interminable reboot loop after installing the latest batch of patches from Redmond,” he wrote.

Brian Krebs’ blog here.

Those trying to maintain Microsoft systems are caught in the cross-currents of the patching process: some patches might be buggy (think “delay”) but the dark side will be reverse engineering the patches as fast as they can (do it now.)

It almost seems like it would be a good idea for the users of Microsoft products to hold off about two days before installing the Patch Tuesday updates. That seems to be how long it takes for the word to get out – like this problem – that there are glitches in the updates.

The overwhelming majority of Microsoft fixes are straightforward and urgently needed security measures. However, the massive complexity presented by the older flavors of the Windows operating system and service pack levels almost guarantees that there are going to be problems like this.

Possibly a good strategy would be phased updates especially for enterprise systems:

— Immediately install just the patches that fix vulnerabilities with in-the-wild exploits if you are running the vulnerable applications, modules, plug-ins, etc.

— Wait three days for all others

— Wait a week for non-critical (no reported exploits) updates to less-used flavors of Windows and less-used applications.

Meanwhile, have someone keep an eye on the security news sources to spot problems like this one.

Update:

Krebs’ blog carries some good, detailed advice for those whose machines have been disabled already by the glitch.

Computerworld carried a story about the problem and noted:

“This was not the first time that a Microsoft update has incapacitated Windows PCs. Two years ago, a set of updates for Vista sent an unknown number of machines into an endless series of reboots. Similar problems stymied users who tried to upgrade to Windows XP Service Pack 3 (SP3) in May 2008, and others attempting to upgrade from Vista to Windows 7 last October.”

Update 02/12:

Today Softpedia carried a statement from Jerry Bryant, Microsoft’s senior security communications manager lead:

“We are aware that after installing the February security updates a limited number of users are experiencing issues restarting their computers. Our initial analysis suggests that the issue occurs after installing MS10-015 (KB977165). However, we have not confirmed that the issue is specific to MS10-015 or if it is an interoperability problem with another component or third-party software. Our teams are working to resolve this as quickly as possible. We also stopped offering this update through Windows Update as soon as we discovered the restart issues. However, those using enterprise deployment systems such as SMS or WSUS will still see and be able to deploy these packages.”

Update 02/15:

Researchers have theorized that the TDSS rootkit was responsible for the blue-screen-of-death problems after Windows XP users installed Microsoft’s patch MS10-015 last week.

Microsoft acknowledged the problem in a statement: “In our continuing investigation in to the restart issues related to MS10-015 that a limited number of customers are experiencing, we have determined that malware on the system can cause the behavior. We are not yet ruling out other potential causes at this time and are still investigating.”

News story here.

Update 02/16:

Our good friends at Symantec have posted more information on the problem and some instructions for recovering from the BSoD:

“Most of the time the driver chosen by Tidserv to be infected is “atapi.sys,” but that may vary depending on the hardware configuration. One of the very things the infected driver does when it is loaded by the operating system is to retrieve critical API addresses so that it can allocate memory to load the actual malicious code:

“These APIs are retrieved via hard-coded relative virtual addresses (RVAs) into the kernel module, which are calculated at the infection time. Microsoft recently released a kernel patch that addressed a non-related issue (MS10-015 / KB977165), which updates the kernel modules. They also released a blog about blue screen issues after applying this patch.

“What seems to have happened in Tidserv’s case is that after this update, the RVAs for the above mentioned APIs changed—therefore causing the infected drivers out there to call invalid addresses and, in turn, cause blue screens every time Windows boots up:

“Even worse, because the infected driver is critical for system boot-up, Windows will not boot in Safe Mode either. However, there is still hope for the users who get stuck in this infinite loop of BSoD, in the sense that they are not required to reinstall everything from scratch, but only the infected driver (from a known, clean source). And, here is an example for the most commonly infected system driver, atapi.sys:”

Symantec blog here.
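The mechanism Symantec describes above is worth seeing in code: the infected driver does not ask the kernel for API addresses at load time, it jumps to relative virtual addresses (RVAs) it computed against whatever kernel was on the box when it infected it, so a kernel update that moves those functions turns every boot into a bugcheck. The block below is an added example, not Symantec’s or Microsoft’s code and not the rootkit’s. It builds two constructed, flat PE32 images standing in for the kernel before and after an update (the three API names are real Windows kernel exports; every RVA, the export-table location and the image layout are assumptions), resolves one API by name the way a loader or MmGetSystemRoutineAddress would, caches that RVA, and then shows the cached value working on the old image and failing on the new one.

```python
"""Why an infected driver that calls the kernel through RVAs cached at
infection time dies when the kernel is replaced.  Two constructed PE32
images stand in for ntoskrnl.exe before and after a kernel update; every
RVA and the image layout are assumptions made for this example."""
import struct

EXPORT_DIR_RVA = 0x200  # assumed location of the export directory in both images


def build_kernel_image(exports, image_size=0x3000):
    """Build a flat PE32 image (RVA == offset here) whose export table lists
    `exports`, a dict {api_name: rva}.  Only what a loader needs is filled in."""
    img = bytearray(image_size)
    e_lfanew = 0x40
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine=i386, 0 sections, SizeOfOptionalHeader=0xE0
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x014C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)             # PE32 magic
    struct.pack_into("<I", img, opt + 56, image_size)   # SizeOfImage
    struct.pack_into("<I", img, opt + 92, 16)           # NumberOfRvaAndSizes
    data_dir = opt + 96                                 # PE32 data directories
    names = sorted(exports)                             # name table must be sorted
    n = len(names)
    funcs_rva = EXPORT_DIR_RVA + 40
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    str_rva = ords_rva + 2 * n
    # IMAGE_EXPORT_DIRECTORY: ..., Base=1, NumberOfFunctions, NumberOfNames,
    # AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIHHIIIIIII", img, EXPORT_DIR_RVA,
                     0, 0, 0, 0, 0, 1, n, n, funcs_rva, names_rva, ords_rva)
    for i, name in enumerate(names):
        struct.pack_into("<I", img, funcs_rva + 4 * i, exports[name])
        struct.pack_into("<I", img, names_rva + 4 * i, str_rva)
        struct.pack_into("<H", img, ords_rva + 2 * i, i)
        img[str_rva:str_rva + len(name) + 1] = name.encode() + b"\0"
        str_rva += len(name) + 1
        img[exports[name]] = 0xC3                       # a 'ret' stub marks the entry
    struct.pack_into("<II", img, data_dir, EXPORT_DIR_RVA, str_rva - EXPORT_DIR_RVA)
    return bytes(img)


def iter_exports(img):
    """Walk the export table the way a loader does, yielding (name, rva)."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", img, opt)[0]
    data_dir = opt + (96 if magic == 0x10B else 112)    # PE32 vs PE32+
    exp = struct.unpack_from("<I", img, data_dir)[0]
    _, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIIII", img, exp + 20)
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", img, names_rva + 4 * i)[0]
        name = img[name_rva:img.index(b"\0", name_rva)].decode()
        ordinal = struct.unpack_from("<H", img, ords_rva + 2 * i)[0]
        yield name, struct.unpack_from("<I", img, funcs_rva + 4 * ordinal)[0]


def export_rva_by_name(img, wanted):
    """Resolve an API at load time by name (what MmGetSystemRoutineAddress
    does for a driver); this survives kernel updates."""
    return next((rva for name, rva in iter_exports(img) if name == wanted), None)


class BugCheck(Exception):
    """Stands in for the bugcheck (blue screen) a bad indirect call causes."""


def call_cached_rva(img, rva):
    """What the infected driver does instead: jump to an RVA computed against
    the kernel present at infection time.  Returns the API reached, or raises
    BugCheck if the RVA no longer lands on a function entry."""
    target = next((name for name, r in iter_exports(img) if r == rva), None)
    if target is None or img[rva] != 0xC3:
        raise BugCheck(f"RVA {rva:#x} is not an exported function entry")
    return target


# Assumed layouts: same APIs, shifted because the update grew the code.
KERNEL_BEFORE = build_kernel_image({"ExAllocatePoolWithTag": 0x1000,
                                    "MmGetSystemRoutineAddress": 0x1200,
                                    "ZwQuerySystemInformation": 0x1400})
KERNEL_AFTER = build_kernel_image({"ExAllocatePoolWithTag": 0x1040,
                                   "MmGetSystemRoutineAddress": 0x12A0,
                                   "ZwQuerySystemInformation": 0x14C0})


def boot(kernel, cached_rva):
    """Simulate loading the infected driver against `kernel`."""
    try:
        return call_cached_rva(kernel, cached_rva)
    except BugCheck:
        return "BSOD"


if __name__ == "__main__":
    cached = export_rva_by_name(KERNEL_BEFORE, "ExAllocatePoolWithTag")  # infection time
    print(f"cached {cached:#x}: before -> {boot(KERNEL_BEFORE, cached)}, after -> {boot(KERNEL_AFTER, cached)}")
    print("by name after update ->", hex(export_rva_by_name(KERNEL_AFTER, "ExAllocatePoolWithTag")))
```

Two simplifications to keep in mind: a real ntoskrnl has sections, so RVA and file offset differ, and a stale RVA in a real kernel usually lands inside some other function rather than on zeroed memory, which crashes later and less predictably. The point stands either way: a clean machine never takes this path, which is why the blue screen after MS10-015 is a symptom of infection rather than of the patch, and why replacing the infected driver from a clean source is the remedy.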

Update 02/19:

SANS diary: MS10-015 may cause Windows XP to blue screen (but only if you have malware on it)

“Lucky for us the malware writers have addressed this issue and it shouldn’t happen again for those who are newly infected with this particular piece of malware. A shame really, as it was a convenient way in which to identify infected machines. If you did get the BSOD on your machine or on machines in your organisation, then you should consider the possibility that the machines are infected.”

Tom Kelchner

Rogue trying to look like Avira anti-virus

Jerome Segura at ParetoLogic blogged about this yesterday: a rogue security product with a web page that tries to imitate that of the German AV company Avira (check out the red umbrella and the typeface.)

Hmmm. If this company has been providing “20 Years of Total Protection” how come its web site was just registered last year and why was it registered by a proxy service?

The fake:

[screenshot: Fake_avira]

Site registered last year to a proxy service.

Registrant:
   Domains by Proxy, Inc.
   DomainsByProxy.com
   15111 N. Hayden Rd., Ste 160, PMB 353
   Scottsdale, Arizona 85260
   United States

   Domain Name: SECURITY-ANTIVIRUS-SITE.COM
      Created on: 25-Feb-09
      Expires on: 25-Feb-10
      Last Updated on: 25-Feb-09

The real one:

[screenshot: Avira]

Site registered in 1999, full identifying data in Whois record.

Whois Record

Registrant:
Avira GmbH
   Lindauer Str. 21
   Tettnang D-88069
   DE

   Domain Name: FREE-AV.COM

   Administrative Contact:
      Auerbach, Tjark              
      Avira GmbH
      Lindauer Str. 21
      Tettnang D-88069 DE
      +49 7542 500 300 fax: +49 7542 500 318

   Technical Contact:
      Network Solutions, LLC.                
      13861 Sunrise Valley Drive
      Herndon, VA 20171  US
      1-888-642-9675 fax: 571-434-4620

   Record expires on 26-Mar-2012.
   Record created on 26-Mar-1999.
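The two whois records above make the case by eye; the block below is an added example (not from Jerome’s post or this blog) that does the same triage in code. It embeds the two records as they appear above, parses the registrant, domain and creation date (the two records use different date styles, which the parser handles), and flags a registrant that is a privacy proxy, a domain less than a year old, and a marketing claim such as “20 Years of Total Protection” that the registration date cannot support. The date of “today” and the list of proxy-service markers are assumptions.

```python
"""Whois triage for a suspected lookalike site.  The two records are copied
from the post; TODAY and PROXY_MARKERS are assumptions for the example."""
import re
from datetime import date, datetime

TODAY = date(2010, 2, 18)   # assumed date of the post
PROXY_MARKERS = ("domains by proxy", "domainsbyproxy", "whoisguard", "privacy protect")

FAKE_WHOIS = """\
Registrant:
   Domains by Proxy, Inc.
   DomainsByProxy.com
   15111 N. Hayden Rd., Ste 160, PMB 353
   Scottsdale, Arizona 85260
   United States

   Domain Name: SECURITY-ANTIVIRUS-SITE.COM
      Created on: 25-Feb-09
      Expires on: 25-Feb-10
      Last Updated on: 25-Feb-09
"""

REAL_WHOIS = """\
Registrant:
Avira GmbH
   Lindauer Str. 21
   Tettnang D-88069
   DE

   Domain Name: FREE-AV.COM

   Record expires on 26-Mar-2012.
   Record created on 26-Mar-1999.
"""


def parse_whois(text):
    """Pull the three fields the post compares: registrant, domain, creation
    date.  Accepts both date styles seen above ('25-Feb-09', '26-Mar-1999')."""
    lines = [line.strip() for line in text.splitlines()]
    registrant = next(lines[i + 1] for i, line in enumerate(lines)
                      if line.lower().startswith("registrant:"))
    domain = re.search(r"(?im)^\s*domain name:\s*(\S+)", text).group(1).lower()
    raw = re.search(r"(?i)(?:record )?created on:?\s*(\d{1,2}-[A-Za-z]{3}-\d{2,4})",
                    text).group(1)
    fmt = "%d-%b-%Y" if len(raw.rsplit("-", 1)[1]) == 4 else "%d-%b-%y"
    return {"registrant": registrant, "domain": domain,
            "created": datetime.strptime(raw, fmt).date()}


def assess(text, claimed_years=None, today=TODAY):
    """Flag what a human checks: proxy registrant, very young domain, and a
    longevity claim the registration date cannot back up."""
    info = parse_whois(text)
    age_days = (today - info["created"]).days
    flags = []
    if any(mark in info["registrant"].lower() for mark in PROXY_MARKERS):
        flags.append("registrant hidden behind a proxy service")
    if age_days < 365:
        flags.append("domain registered less than a year ago")
    if claimed_years is not None and age_days < claimed_years * 365:
        flags.append(f"claims {claimed_years} years but domain is {age_days // 365} years old")
    info.update(age_days=age_days, flags=flags)
    return info


if __name__ == "__main__":
    for label, record, claim in (("fake", FAKE_WHOIS, 20), ("real", REAL_WHOIS, None)):
        result = assess(record, claimed_years=claim)
        print(label, result["domain"], result["age_days"], "days:", result["flags"] or "clean")
```

None of these flags is proof on its own (plenty of legitimate small sites use a registration proxy), but all three together on a site copying a known vendor’s branding is exactly the pattern Jerome called out.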

Nice work Jerome.

Tom Kelchner


Real-life Mafia Wars: SpyEye toolkit goes after Zeus botnet

Peter Coogan at Symantec put up a very interesting blog post yesterday about a crimeware kit called SpyEye v1.0.7 (on sale now on Russian sites — $500) that has a module that will kill a Zeus bot infection on a victim’s computer so the bot created by SpyEye can take it over.

In September, Computer Weekly reported the Swedish telco Telia Sonera shut down the Internet connections of Latvian company Real Host after it was linked to the Zeus botnet. At the time, researchers said they believed Real Host’s servers had captured about 3.6 million PCs for the Zeus botnet.

They linked Zeus to a Russian gang named Rock Phish, which is believed to be responsible for a massive share of the phishing attacks aimed at stealing credit card and banking information.

The Zeus network took the hit and recovered, however, sending out massive malicious spam campaigns to infect more machines. One campaign carried an income tax topic in September and another had H1N1 as a lure in December.

Coogan said the SpyEye kit can also create crimeware with:
• keyloggers
• credit card modules
• daily email backup
• encrypted config files
• FTP protocol grabbers
• POP3 grabbers
• HTTP basic access authorization grabber

“If the use of SpyEye takes off, it could dent Zeus bot herds and lead to retaliation from the creators of the Zeus crimeware toolkit. This, in turn, could lead to another bot war such as we have seen in the past with Beagle, Netsky, and Mydoom,” he wrote.

He credits Mario Ballano Barcena with the analysis.

Symantec blog post “SpyEye Bot versus Zeus Bot” here.

Tom Kelchner

“Nothing” for sale on Amazon.com

[screenshot: Amazon_nothing]

There’s a lot of stuff for sale today that is worth nothing, but the folks selling it usually aren’t so up front about it. It is odd that one “used” nothing costs $10 and “collectible” ones are $9.95. They’re probably the really good ones, like 1946 Christmas tree light bulbs in the shape of Santa Claus that still work.

There have been 30 customer reviews and they rate it with four stars out of five.

I wonder if it’s guaranteed. Is there a service plan available?

You probably don’t have to worry about a recall.

If it’s downloadable, be sure you scan it for malware.

http://www.amazon.com/This-Test-Product-Nothing-Will/dp/B000ZING44/ref=cm_cr_pr_product_top

Alex started my day by sending me the link. What a boss!

Tom Kelchner