Malwarebytes and Sunbelt Software partnership

Today, I’m pleased to announce a new partnership with Malwarebytes.

The details are in the press release, but basically the partnership is starting with a new portal for consumers to clean their systems (http://vipre.malwarebytes.org). In addition to this initial offering, we are also working together on a broad range of initiatives for sharing information on emerging threats, methods to mitigate risk, and other joint efforts.

Right now, the partnership is evolving in its nature, and I am very excited about the future opportunities to work with the team at Malwarebytes — a very impressive organization run by a brilliant hands-on CEO, Marcin Kleczynski.

Alex Eckelberry

Internet café wi-fi and your security

ComputerWorld is carrying a good feature story on public wi-fi security practices that is worth reading whether you’re a road warrior who needs a place to work or just a regular schlep looking for Internet access and a caffeine buzz. (“Hot spot dangers: That Internet cafe could cost you way more than a cup of coffee”)

When you use a public Internet connection of any kind, you simply don’t know who is sniffing the network, looking for login information, personal data or sensitive documents. It would be a really good idea not to work without an encrypted connection, and not to do your banking or any credit/debit card transaction from these public places.

The ComputerWorld article has some interesting numbers from a 2009 Ponemon Institute study, “Cost of a Data Breach,” of security breaches suffered by 45 organizations. According to the study, the cost of a data breach per compromised record was $204, up from $202 in 2008. The total cost per break-in was over $6 million.

If you’re communicating with your company network through a public hot spot the basic drill for beginners is:
— be aware that your unencrypted Internet traffic CAN be sniffed by anyone with the expertise and a connection to the wi-fi network
— be sure all software and operating system updates have been installed on your machine
— connect through your company’s VPN
— use air cards to avoid the dangers of a public network entirely if possible.

Encryption on the cheap

At minimum, if you MUST use a public hot spot and are not using an encrypted connection, it is fairly easy to encrypt the documents from many common applications before you email them. You can contact the recipient by phone and give him or her the password, or simply agree on a password in advance.

For Microsoft Word, Excel and PowerPoint:

Tools | Options

Click on the “Security” tab.

Fill in the edit box “Password to open”

By clicking on the “Advanced” button, you can choose an encryption scheme and key length. Choose a scheme that allows a 128-bit key (see below).

[Image: Ppt2]

If you’re expecting to send encrypted documents to someone while you’re on the road, it might be a good idea to do a dry run with a test document before you leave to make sure your systems are compatible and everyone knows how to do it.

There also are compression utilities that allow you to create encrypted archives with passwords. In the common WinRAR utility go to: File | Set default password

[Image: WinRAR2]

Enter your password.

[Image: WinRAR1]

Can this encryption be cracked? Yes, if the malicious operator who sniffs the files has some very considerable resources. But it isn’t especially easy. At least your data won’t be low-hanging-fruit.

Tom Kelchner

Update 04/22:

As Phil has pointed out in the comments (below), the RC4 encryption used in Office 2003 and before is no longer safe. See our April 22 blog entry: “A note (correction) from the crypto world on Internet Café security.”

VIPRE Premium gets ICSA certification

[Image: ICSA logo]

VIPRE Premium has been granted ICSA certification! That includes ICSA certification for cleaning infected files as well as for detections.

Curt Larson, Sunbelt Software VIPRE product manager said: “VIPRE was built with the consumer in mind to provide excellent endpoint protection without unnecessary features and functionality that slow down the performance of PCs. The ICSA Labs certification is a benchmark that confirms the reliability of Sunbelt’s powerful security product.”

Sunbelt designed VIPRE Antivirus Premium to focus on the core features that provide users with good, basic protection – desktop firewall, host-based intrusion prevention, malicious URL filtering and an intrusion detection system.

ICSA Labs, an independent division of Verizon Business, offers vendor-neutral testing and certification of security products.

VIPRE also has achieved VB 100, West Coast Labs and other certifications. To see them all, go here.

News release here.

Tom Kelchner

Bot installs adware along with video player

Actually your computer will run MUCH BETTER without this adware crap

Our researcher Adam Thomas found this little nugget while investigating a botnet that auto-installed FLV Direct Player. As an added bonus, the player bundles Zugo Search adware on victims’ machines. FLV Direct is freely available on the web. The bot, however, uses an AutoIt script to click through the installation screens so the victim never sees the install:

[Image: Windows XP Prof]

It also changes the victim machine’s home page to bing.zugo.com.

Apparently this is some kind of affiliate operation – the malefactor affiliates get paid for installing LoudMo adware on the machines of unknowing victims and they just decided to do it wholesale with a botnet.

Affiliates also are spamming heavily on Twitter (and who knows where else) trying to get people to install the FLV Player:

[Image: Flvspam]

The FLV site (http://www.loudmo.com/products/flv/) describes their program:

“Use this free FLV Player to promote and target a wide variety of niches.

“Both affiliates and users will benefit from this free flash media player. Affiliates can boost revenue with the pay-per-install compensation method, while users will enjoy playing and saving flash videos from various tube sites. There is a completely transparent downloading process and the FLV player is easy to uninstall.

“FLV Player is a media player for MPEG-4 and Flash Videos (FLV). Most video sites on the web (including YouTube) stream FLV content. With the FLV Player, we offer an easy way to download and enjoy this content on your desktop. FLV Player comes with no viruses or spyware, and at just 2.12 Mb, it’s a quick download.”

One FINAL gimmick

[Image: Loud_mo]

When victims uninstall LoudMo, they get the above warning. Obviously it’s one last effort to scare them into leaving the adware on their machines.

VIPRE detects the player as Adware.Win32.FLVDirectPlayer (v) and the included adware as Zugo Ltd (v) or Zugo.

Thanks Adam and Matthew and Eric.

Tom Kelchner

Phishers target students with fake student loans pages

In the UK, there’s a good chance you took out a loan with the Student Loans Company if you went to University. It’s been brought to my attention that there’s currently a number of sites being hacked and becoming hosts for rather nasty phishes.

So far, all of the phish pages we’ve seen look like the below. The scam begins with a page claiming to be a login for “Student Finance”, asking the victim to enter their customer reference number. The page steals design elements from legitimate Directgov websites and looks identical to the real thing:

[Image: student loan phish]

Should the victim proceed, they’ll find they’re suddenly asked for every type of personal information you can possibly imagine:

[Image: Sloanphish2]

Date of birth, National Insurance number, passwords, bank details… the works. Anyone falling for this is going to find themselves well and truly phished. When the victim presses the Save button at the bottom of the page, their details are sent to the phisher and they’re taken to the real Directgov student finance logout page:

[Image: student loans phish logout]

This is designed to make the victim think that they’ve been on the real website (because the domain they’re now on is slc.co.uk), and that they’ve logged themselves out (to prevent them becoming suspicious that they might not have actually been logged in at all).

The screenshots above were taken from audiotype(dot)com(dot)au/direct.gov.uk which was the original domain a student friend sent my way (now offline), but a little bit of digging has revealed there’s a number of these sites that have been submitted to antiphish resource Phishtank:

[Image: student loans phishlist]

As you can see, there’s one or two in March but the frequency of noted phishes increases in April. It’s probable this is a small selection of many more phish pages out there targeting students so be careful what you click and always check the URL of the site you’re on.

You don’t want to be getting into debt with the phishers too…

Christopher Boyd

Snail mail 419 scam

Mr. Magnum Campbellin from Gabon would like to split US$158,000,000.00 with someone! I wonder why his “funds manager” in London uses a hotmail account.

One of our execs here at Sunbelt Software got this in the (snail) mail.

[Image: 419 snail mail]

Alex’s observation:

“Old school… I remember these back in the 90s. They would send them by mail and fax.

“So it looks like they’ve started back up again.”

Tom Kelchner

Facebook, YouTube are sucking enterprise bandwidth

A study of web traffic from enterprises in the first quarter of this year has shown that YouTube videos used 10 percent of bandwidth – more than any other site. Facebook traffic used 4.5 percent, Windows update 3.3, Yahoo!’s image server Yimg 2.7 and Google searches 2.5 percent.

The study, by the Hong Kong-based security firm Network Box, analyzed traffic to and from 13 billion URLs.

The study also analyzed the share of hits by site:
— 6.8 percent to Facebook
— 3.4 percent to Google
— 2.8 percent to Yimg
— 2.4 percent to Yahoo
— 1.7 percent to DoubleClick

Simon Heron, a Network Box internet security analyst said: “The figures show that IT managers are right to be concerned about the amount of social network use at work. There are two real concerns here: firstly that employees will be downloading applications from social networks and putting security at risk; and secondly the amount of corporate bandwidth that appears to be being used for non-corporate activity.”

Network Box release here: “Business internet traffic increases to Facebook and YouTube”

The assumption here is that all this traffic is personal browsing and not work-related. That actually might be a more complicated issue than a first glance indicates. Certainly people use Google for work. I look things up a dozen times a day.

Twelve of my 26 Facebook friends are professional contacts. Keeping up with such professional contacts for possible recruiting is certainly a business function.

Yahoo is my backup email on those rare occasions that there are problems with the company email server. There are also business reasons to use an email account that is not linked to your company (at least in research activities in the AV industry it’s pretty common.)

YouTube? There are news- and business-related videos there too in addition to the Roomba-riding cats and “Sunbelt Software Research goes Bowling.”

No, seriously, there are legitimate business reasons for using social media. Really! Have you seen the “Standing Cat is Watching you” YouTube video?

Tom Kelchner

SonicWALL becomes a patent troll?

SonicWALL, a company I’ve had a lot of respect for in the past, has apparently decided to improve its revenue outlook by going after other software companies for alleged patent infringement.  Disappointing.

The patents are all over the place, and don’t mean much for our products.  We are asking them for more clarity as to how exactly our products allegedly infringe on their patents, as we are a bit confused. 

You can see the demand letter here (pdf). (I have redacted the attorney’s name from the document in the interest of professional courtesy.)

I assume they are sending this as a form letter to other security companies, so if anyone else has received one, please contact me.

Alex Eckelberry

Eyjafjallajokull Volcano + Internet stories

Several interesting stories are beginning to appear about how people are using the Internet to cope with (or at least report what they’re doing as they DON’T cope with) the shutdown of air travel in the UK, Western Europe and Scandinavia because of airborne ash from the Eyjafjallajokull glacier volcano in Iceland.

1. The prime minister of Norway, Jens Stoltenberg, who is stranded in New York, is “running the Norwegian government from the United States via his new iPad” according to his press secretary.

“Norway Uses iPad to Run the Government During Icelandic Volcano”

2. Graham Cluley of Sophos has reported on his blog that about 600 Sophos employees were attending an annual sales kick-off at the Potsdamer Platz in Berlin Thursday and got stranded when all European modes of transportation were jammed by people trying to get home to the UK. He suggested that friends back home organize a Dunkirk-rescue-type operation and pick them up on the channel coast.

His blog piece contains a good map that shows the extent of the ash cloud that is preventing air travel.

“Hundreds of Sophos employees stranded in Berlin by volcano fall-out”

The Tech Herald is carrying great photos of the eruption. It says over 17,000 flights have been cancelled and it could be Sunday before the Sophos gang will be able to fly home to Oxford.

“In Pictures: The volcanic ash cloud forcing countless delays”

Tom Kelchner

Volcanoes and disaster recovery

Dr. Johannes Ullrich at SANS brought up a good point in his morning podcast (Stormcast 296) about widespread transportation shutdowns and disaster recovery planning.

The Eyjafjallajokull glacier volcano in Iceland, which has stopped all air travel in the UK, Western Europe and Scandinavia, of course is the case in point.

Those writing and updating disaster recovery plans should keep in mind the possibilities of just such widespread transportation shutdowns when they plan for personnel to operate remote (backup) network operations centers. If an enterprise’s plan calls for an IT crew to fly to a backup NOC and they can’t get there, what then?

Good observation.

The New York Times quotes Bill McGuire from Aon Benfield UCL Hazard Research Centre saying that the last Eyjafjallajokull eruption lasted more than a year. Aon is an insurance broker and risk management consultant.

Tom Kelchner

UK firm offers clickjacking visualization tool

UK security firm Context Information Security Ltd. is making available a browser-based tool that demonstrates the clickjacking techniques discussed in a Black Hat Europe 2010 presentation.

On the Context site, they said “Clickjacking is a term first introduced by Jeremiah Grossman and Robert Hansen in 2008 to describe a technique whereby an attacker tricks a user into performing certain actions on a website by hiding clickable elements inside an invisible iframe.

“Although it has been two years since the concept was first introduced, most websites still have not implemented effective protection against clickjacking. In part, this may be because of the difficulty of visualising how the technique works in practice.”

“The tool is currently in an early beta stage, and works best in Firefox 3.6. Full support for other browsers will follow shortly.”

Context Ltd. piece here.
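The defender’s side of the quoted observation is checking whether a site actually stops itself being framed. The following is an added example, not code from the original post or from Context’s tool: it classifies a response’s framing protection using the two standard headers (which the post itself does not name), X-Frame-Options and the Content-Security-Policy frame-ancestors directive. Browsers that support frame-ancestors ignore X-Frame-Options when both are present, so the CSP directive is evaluated first. The sample header sets are constructed for the example.

```python
"""Assess whether an HTTP response's headers stop the page being framed.

Added example (not from the original post or Context's tool).
"""


def _csp_frame_ancestors(csp: str):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_assessment(headers: dict) -> dict:
    """Classify framing protection from a response-header mapping.

    Returns {'protected': bool, 'via': str, 'reason': str}.
    Header names are matched case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    ancestors = _csp_frame_ancestors(csp) if csp else None

    # CSP frame-ancestors takes precedence over X-Frame-Options when present.
    if ancestors is not None:
        if ancestors == ["none"]:
            return {"protected": True, "via": "csp", "reason": "frame-ancestors 'none'"}
        if "*" in ancestors or any(a in ("http:", "https:") for a in ancestors):
            return {"protected": False, "via": "csp",
                    "reason": "frame-ancestors allows any origin"}
        return {"protected": True, "via": "csp",
                "reason": "frame-ancestors restricted to " + ", ".join(ancestors)}

    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo in ("deny", "sameorigin"):
        return {"protected": True, "via": "x-frame-options", "reason": xfo}
    if xfo.startswith("allow-from"):
        # Most browsers never implemented ALLOW-FROM; they treat the header as absent.
        return {"protected": False, "via": "x-frame-options",
                "reason": "ALLOW-FROM is ignored by most browsers"}
    if xfo:
        return {"protected": False, "via": "x-frame-options",
                "reason": "unrecognised value: " + xfo}
    return {"protected": False, "via": "none", "reason": "no framing protection header"}


# Constructed sample responses for the example (not from any real site).
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_overrides_xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors *"},
}


def audit(samples=SAMPLES) -> dict:
    """Map each sample name to whether its headers block framing."""
    return {name: framing_assessment(hdrs)["protected"] for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, ok in audit().items():
        print(f"{name:20s} {'protected' if ok else 'FRAMEABLE'}")
```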

Tom Kelchner

Google: 11,000 domains carrying rogue security products

Niels Provos of the Google Security Team has blogged about the rise of malicious web sites carrying rogue security products, which the Google team calls “Fake AV.” Google has been engaged in a constant battle against the sites because the operators who peddle them have been refining their techniques for poisoning Google search engine results in order to victimize Google users by drawing them to malicious download sites.

He wrote: “we conducted an in-depth analysis of the prevalence of Fake AV over the course of the last 13 months, and the research paper containing our findings, ‘The Nocebo Effect on the Web: An Analysis of Fake AV distribution’ is going to be presented at the Workshop on Large-Scale Exploits and Emergent Threats (LEET) in San Jose, CA on April 27th.”

He went on to say: “Our analysis of 240 million web pages over the 13 months of our study uncovered over 11,000 domains involved in Fake AV distribution — or, roughly 15% of the malware domains we detected on the web during that period.

“Also, over the last year, the lifespan of domains distributing Fake AV attacks has decreased significantly.”

Provos advises Web users not to purchase the rogues when they pop up their persistent, screaming warnings and instead, remove the malicious code from their machines.

“In the meantime, we recommend only running antivirus and antispyware products from trusted companies. Be sure to use the latest versions of this software, and if the scan detects any suspicious programs or applications, remove them immediately,” he said.

Google Online Security Blog piece here.

How do you know what is an “antivirus and antispyware product from a trusted company?”

Check out the Sunbelt paper “How to Tell If That Pop-Up Window Is Offering You a Rogue Anti-Malware Product.”

There are 2,279 rogues in VIPRE detections. For a description of the latest rogues that Sunbelt has found, check out our Rogue Blog here.

Tom Kelchner

Your Tweets are being saved by the Library of Congress

I once heard a great story about the sparse historical record of the world of the “common man.” An “average Jacques” who lived a block or two from the Bastille in Paris apparently didn’t hear the commotion when over 8,000 French revolutionaries spent all day storming the prison in 1789. So, his diary entry for the biggest day in the history of democracy, unfolding in his very own neighborhood, was something like: “Not much happened today. It rained.”

Most of the 55 million daily Tweets that the Library of Congress is beginning to store may be nothing more than 140-word-or-fewer observations that “not much happened today. It rained,” but there also is other stuff in there that will be a gold mine for future historians and observers of culture. And that could be kind of scary if you wrote it.

The Times quoted Fred R. Shapiro, associate librarian and lecturer at the Yale Law School, “This is an entirely new addition to the historical record, the second-by-second history of ordinary people.”

Most tweets are public and available to anyone who subscribes, so archiving them ALL is certainly no big new exposure. Plus, the collection, for the moment, is only available to bona fide scholars. It does, however, give one pause knowing that they are being preserved in a searchable database. Will it ALWAYS be reserved for scholars? Selling subscriptions could provide a nice revenue stream for some future cash-starved government.

Just as some Facebook and Myspace users have learned, employers and busybody keepers of the public morals are ready at any time to go looking for evidence of past indiscretions.

Story here: “Library of Congress Will Save Tweets”

Tom Kelchner

How much do musicians make from online music sales?

Short answer: an infinitesimally small amount.

If you have any sympathy for musicians you’ll buy their CDs from their web sites or at their performances. That’s pretty much the conclusion you’ll draw from a great attempt at quantifying musicians’ pay rates in the online music business(es) by David McCandless of InformationIsBeautiful.net.

McCandless tried to determine how many songs or CDs a musician would need to sell in various ways to make the U.S. minimum wage ($1,600 per month). It was a tough project. He wrote: “As ever, this was incredibly difficult to research. Industry figures are hard to get hold of.”

The musician’s best deal: press and sell the CDs yourself (143 per month).

Second best deal: sell them on eBay (155 per month).

Worst deal: Spotify stream (4,540,020 per month).

Obviously Spotify makes the music available globally and selling CDs from your own web site involves much less exposure. But four million a month?

McCandless acknowledges that his numbers are crude, but they are certainly an indication of what musicians face. It’s a good data point in the debate about piracy and the efforts of the Pirate Party to give creators less and consumers more.

Also, it’s another indication of why the successful working musician’s business model has always boiled down to: “work a lot of weddings and don’t quit the day job.”

McCandless blog here: “How Much Do Music Artists Earn Online?”

Tom Kelchner

Subdomains defaced on The Telegraph website

The Telegraph, one of the biggest newspapers in the UK, hasn’t had a good time of it lately where their website is concerned. Vulnerabilities were found back in March 09 involving database access, and it seems a hacking group has gone in and defaced two subdomains.

These are the two subdomains in question:

shortbreaks(dot)telegraph.co.uk
wine-and-dine(dot)telegraph.co.uk/site/index.php

They appear to have been compromised by “R.N.S. – Romanian National Security”. Here’s a screenshot, both defacements are identical:


Both pages play some music – “The Lonely Shepherd”, from a .ru domain (you’ll also notice a link to a Top Gear clip hosted on YouTube – it seems this is in relation to comments made in an episode of Top Gear about Romania). Running it through Google Translate gives us this, which is somewhat garbled – we’ve had an update in the translation thanks to a post in the comments which makes sense of the Google Translate results:

“We are sick and tired of seeing how some “garbage” like you try to mock our country. [And try] to create [for us] a completely different picture compared to the real one, and calling us “romanian gypsies” [,] broadcast s****y tv programs like TopGear.

“If you had the nerve to anger an entire country, know that we will not stop here! Romania

“Guess what, Gypsies aren’t Romanians, morons.”

We’ve notified The Telegraph, and hopefully the pages will be back to normal soon.

Christopher Boyd

Branson, MO chamber of commerce hacked, serving exploits

[Image: Bransonchamber2134234png]

Along the same lines of the Northwestern Bank compromise last week, the Branson Lakes Area Chamber of Commerce is also compromised, serving exploits.

[Image: Bransonchamber]

(Do not visit the exploit sites below unless you know what you’re doing.)

GET-hxxp://www.bransonchamber. com
GET-hxxp://mumukafes.net/trf/index. php
GET-hxxp://333.gosdfsdjas.com/index. php
GET-hxxp://333.gosdfsdjas.com/l. php?i=1

|
|
V

Zbot config and drop:
GET-hxxp://agreement52.com/cnf/shopinf. jpg
POST-htxx://agreement52.com/shopinf/gate. php

Also, checks into server “67.231.246.218” on port 553

Serves a Zbot trojan.

Alex Eckelberry
(Thanks Adam and Francesco)

Update 4/15/2010: The situation is now resolved. The site is no longer serving exploits.

Faceparty password sites really want you to click on things

“Faceparty is a UK based social networking site allowing users to create online profiles and interact with each other using forums and messaging facilities similar to email” – Wikipedia

Faceparty does things a little differently to other social networking sites, however. Unlike most places where you register a username and password then start telling people how your farm is doing, to join Faceparty you need to send a text message to the tune of £25 / $38(!) and then enter your one time use password onto this page (warning: quite a few swearwords, because the site is indeed down with the kids).

As you can imagine, obtaining these passwords has become a bit of an obsession for some people. Scroll down on that link, and you’ll see the following:

“facepartypassword(dot)com, got mine free today woohoo!” posted by “Chelsea Davies”, who somewhat suspiciously lists their own URL as the very same domain.

Shall we take a look?

[Image: Faceparty password]

Yes, despite the passwords costing £25, this random website will “create a profile 100% free” – and all you have to do is fill in the desired username, password and email address.

This is what you see next:

[Image: faceparty password adverts]

Yes, it all goes wrong very quickly. You have to click your way through no less than five advert banners, each of which will take you to websites sporting people who seem to have forgotten to put some clothes on. Remember – “If you don’t click all the banners, you WILL NOT be sent the password!”

I don’t know about you, but I’m not entirely convinced here. Once you hit the Next button (just out of shot), this appears:

[Image: more password fun]

As you can see, they really want you to keep clicking that Fling banner advert. And wait, only a page earlier they were saying you didn’t have to join – now you do?

Someone is probably raking in a fortune in affiliate signups / clickthroughs here. Can you guess what happens when you hit the “Get Faceparty Password” button?

Sure you can. It doesn’t involve passwords, I can tell you that much – instead, you’re redirected to a specific profile on a site called Adultwork(dot)com, which advertises the services of more people who like to take their clothes off.

A few days later, and (amazingly enough) the email address I used to jump through hoops on the Facepartypassword(dot)com site still hasn’t had a password sent through to it. When I revisited today a new page was appearing at the start of the “signup process”, too:

[Image: text passwords]

Yes, a £3.00 / $4.60 text message will get you your “Keycode”, or you can join Fling.

Again.

The thing that particularly caught my eye was that for a split second when visiting the site, a page will flash up before you’re taken to the first form to fill in. If we get all technical (and by technical, I mean reload the page then hit the Stop button on your browser as fast as you can) you’ll see this graphic, with two links at the bottom of the page that will send email to the site owners:

[Image: Faceparty password splash page]

“Share the password”? “Sell your profile”?

Oh boy.

Christopher Boyd

VB’s RAP on VIPRE

Virus Bulletin Reactive and Proactive (RAP) testing

[Image: Rap_detections_2]

Sunbelt Software’s VIPRE engine was among the top AV products for reactive and proactive detection in April in Virus Bulletin testing.

Virus Bulletin’s RAP Testing measures products’ reactive and proactive detection abilities against the most recent malware that has emerged around the world.

The test measures products’ detection rates across four distinct sets of malware samples. The first three test sets comprise malware first seen in each of the three weeks prior to product submission. These measure how quickly product developers and labs react to the steady flood of new malware emerging every day across the world. A fourth test set consists of malware samples first seen in the week after product submission. This test set is used to gauge products’ ability to detect new and unknown samples proactively, using heuristic and generic techniques.

Thanks to Virus Bulletin for permission to use the graphic.

Tom Kelchner

Twitter Spammers get creative with rearranged spelling

It seems spammers on Twitter are using some curious methods to get their message across (thanks to David Cawley for pointing me in the right direction).

Check this out:

[Image: Mixed up spam]

Yes, that is vaguely peculiar. Here’s another one:

[Image: Mixedupspam3]

The spammers are using a system of writing that involves jumbling up the middle letters in the words, which means they’re still readable. There’s some confusion as to whether or not this “system” was developed through research at Cambridge University – this person says “yes”, while this person says “no”.

I have no idea either way, but to be honest I’m more curious as to why the spammers are doing it. I know Twitter keeps an eye out for malicious URLs and the like, but I don’t believe they determine if an account belongs to a spammer based purely on the words they use. This could be a monumental waste of time on the part of the spammers, although if nothing else it did make me sit up and take notice.

If that was the purpose of the switcharound, they’ve failed there too – rather than clicking on the XXX dating site link they’re promoting, I’ll be reporting them to the spam department. Not sure they’ll get much satisfaction from rearranging the word “Banned”…
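The trick only survives a filter that matches exact words. As an added example, not code from the original post or from Twitter, the snippet below normalizes scrambled text before keyword matching: it keeps each word’s first and last letter and sorts the interior, so every scramble of a word produces the same key, and any token whose key maps to exactly one word in the filter’s vocabulary is rewritten to that word. The vocabulary and sample tweet are constructed for the example (a real filter would load its own keyword list).

```python
"""Normalize "jumbled middle letters" spam so a keyword filter can match it.

Added example, not from the original post.  Output text is lowercased.
"""
import re
from collections import defaultdict

# Constructed keyword list standing in for a filter's blocklist (assumption).
VOCAB = ["free", "dating", "site", "click", "here", "banned",
         "adult", "singles", "account", "password", "salt", "slat"]

TOKEN_RE = re.compile(r"[A-Za-z]+")


def scramble_key(word: str) -> str:
    """Key that is invariant under shuffling a word's interior letters."""
    w = word.lower()
    if len(w) <= 3:          # nothing to shuffle in words this short
        return w
    return w[0] + "".join(sorted(w[1:-1])) + w[-1]


def build_index(vocab):
    """Map each scramble key to the vocabulary words sharing it."""
    index = defaultdict(set)
    for word in vocab:
        index[scramble_key(word)].add(word.lower())
    return index


INDEX = build_index(VOCAB)


def unscramble_word(token: str, index=INDEX):
    """Return (canonical_word, was_scrambled) for one token."""
    low = token.lower()
    candidates = index.get(scramble_key(low), set())
    if low in candidates:            # already a real vocabulary word
        return low, False
    if len(candidates) == 1:         # unambiguous scramble of one word
        return next(iter(candidates)), True
    return low, False                # unknown, or ambiguous (salt/slat share a key)


def normalize(text: str, index=INDEX):
    """Return (normalized_text, number_of_tokens_that_were_unscrambled)."""
    scrambled = 0

    def repl(match):
        nonlocal scrambled
        word, was_scrambled = unscramble_word(match.group(0), index)
        scrambled += was_scrambled
        return word

    return TOKEN_RE.sub(repl, text), scrambled


def looks_like_scrambled_spam(text: str, keywords=("free", "dating", "adult"),
                              min_scrambled: int = 2):
    """Flag text that needed unscrambling AND then matches spam keywords."""
    norm, scrambled = normalize(text)
    hits = [k for k in keywords if re.search(rf"\b{k}\b", norm)]
    return scrambled >= min_scrambled and bool(hits), norm, hits


if __name__ == "__main__":
    # Constructed tweet in the style described above (not a real one).
    sample = "Fere datnig stie for adlut snigles, cilck hree! Yuo are bnaned"
    print(normalize(sample))
    print(looks_like_scrambled_spam(sample))
```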

Christopher Boyd