June Patch Tuesday: 10 bulletins, 34 vulns

Microsoft has issued an advance notification for Patch Tuesday next week. There will be:

— Six bulletins affecting Windows (two critical, four important)

— Two affecting Microsoft Office (important)

— One affecting Windows and Office (important)

— One affecting Internet Explorer (critical)

Jerry Bryant, Group Manager of Response Communications, also said Microsoft will be acting on two Security Advisories:

— closing Security Advisory 983438 (Vulnerability in Microsoft SharePoint Could Allow Elevation of Privilege) with the June bulletins.

— addressing Security Advisory 980088 (Vulnerability in Internet Explorer Could Allow Information Disclosure).

June 2010 Security Bulletin Advance Notification here.

Tom Kelchner

Gartner: plan to be out of WinXP by end of 2012

Well-known predictor of the future Gartner is advising enterprises to start installing and testing Windows 7 this year and try to finish replacement of Windows XP by the end of 2012.

Microsoft will continue to support WinXP until April 2014; however, by the end of 2012 many newer applications written by independent vendors will not support XP, Gartner said.

Michael Silver, a Gartner vice president, said: “In various Gartner polls and surveys, 80 percent of respondents report skipping Windows Vista. With Windows XP getting older and Windows 8 nowhere in sight, organizations need to be planning their migrations to Windows 7. Windows 7 has been getting positive reviews, and many clients report that they have plans to start their production deployments, but there are some that are still undecided about when to start and how quickly to do the migration.”

“Organizations wanting to do as much of the migration as possible through PC refresh or attrition should begin by deciding on a start date,” according to Steve Kleynhans, Gartner research VP.

News release here: “Gartner Says Most Organizations Should Be Planning and Testing Windows 7 in 2010 and Try Eliminating Windows XP by End of 2012”

Tom Kelchner

Objective-C now one of top ten languages in use

Objective-C has been pegged as the tenth most-used computer language in the world, according to the TIOBE Programming Community Index.

TIOBE wrote: “Despite the fact that Objective-C only gained 0.08% last month, it has entered the top 10 for the first time. This is quite an achievement, especially if one bears in mind that only 13 different programming languages had a top 10 score since the start of the TIOBE index in June 2001. The main (and probably only) reason for Objective-C’s popularity is that it is the only language in which you can write applications for the iPhone or iPad. From a programming language point of view, Objective-C (born in 1986) offers no new interesting features.”

Index here.

I think it is safe to say that we’re going to see the growth of exploits (Trojans?) written in Objective-C and exploits targeting applications written in Objective-C. The target, of course, will be iPhones and iPads and other devices that use apps created in Objective-C.

TIOBE says its name is an acronym for ‘The Importance Of Being Earnest,’ taken from the comic play written by Oscar Wilde in the 1890s. The site says: “By choosing this name, the founders of TIOBE Software emphasize their sincere and professional attitude towards customers, suppliers and colleagues.”

If you’ve ever read or seen the play, that name could hint at a wild and crazy corporate culture. The play is pretty whacky and Oscar Wilde was timelessly over-the-top funny.

Tom Kelchner

FTC halts illegal use of RemoteSpy commercial keylogger

The U.S. Federal Trade Commission has reached a settlement with CyberSpy Software, LLC, of Orlando, Fla., that requires the company to rewrite its keylogging software to give warning when it is being installed on a computer and to stop a number of illegal practices.

In 2008 the FTC brought an action against CyberSpy, which advertised its product as a “100% undetectable” way to “Spy on Anyone. From Anywhere.” The company provided the software to customers with instructions on how to send it to a victim disguised as another file, which would secretly install the application. RemoteSpy then monitored keystrokes and sent the information to a web site where the customer could download it.

According to the FTC: “The final Order bars the defendants from providing purchasers with the means to disguise the product as an innocent file or e-mail attachment. It also requires that they inform purchasers that improper use of the software may violate state or federal law. The final Order also requires the defendants to take measures to reduce the risk that their spyware is misused, encrypt data transmitted over the Internet, police their affiliates to ensure they comply with the order, and remove legacy versions of the software from computers on which it was previously installed.”

The order was entered in the U.S. District Court for the Middle District of Florida.

FTC news release here.

RemoteSpy has been in VIPRE detections since 2005. It can log chat conversations, keystrokes, websites visited, application usage, windows viewed and documents opened.

Tom Kelchner

Spyware downloader for Mac computers found on download sites

Security firm Intego has found a downloader for spyware being installed by a number of applications and screen savers from download sites including MacUpdate, VersionTracker and Softpedia. The name: OSX/OpinionSpy.

Intego researchers said they found the malcode in the MishInc FLV To Mp3 media converter and screensavers created by 7art-screensavers:

Secret Land ScreenSaver v.2.8
Color Therapy Clock ScreenSaver v.2.8
7art Foliage Clock ScreenSaver v.2.8
Nature Harmony Clock ScreenSaver v.2.8
Fiesta Clock ScreenSaver v.2.8
Fractal Sun Clock ScreenSaver v.2.8
Full Moon Clock ScreenSaver v.2.8
Sky Flight Clock ScreenSaver v.2.8
Sunny Bubbles Clock ScreenSaver v.2.9
Everlasting Flowering Clock ScreenSaver v.2.8
Magic Forest Clock ScreenSaver v.2.8
Freezelight Clock ScreenSaver v.2.9
Precious Stone Clock ScreenSaver v.2.8
Silver Snow Clock ScreenSaver v.2.8
Water Color Clock ScreenSaver v.2.8
Love Dance Clock ScreenSaver v.2.8
Galaxy Rhythm Clock ScreenSaver v.2.8
7art Eternal Love Clock ScreenSaver v.2.8
Fire Element Clock ScreenSaver v.2.8
Water Element Clock ScreenSaver v.2.8
Emerald Clock ScreenSaver v.2.8
Radiating Clock ScreenSaver v.2.8
Rocket Clock ScreenSaver v.2.8
Serenity Clock ScreenSaver v.2.8
Gravity Free Clock ScreenSaver v.2.8
Crystal Clock ScreenSaver v.2.6
One World Clock ScreenSaver v.2.8
Sky Watch ScreenSaver v.2.8
Lighthouse Clock ScreenSaver v.2.8

“The spyware itself is not contained in these applications, but is downloaded during the installation process,” they said.

“The information provided with some of these applications contains a misleading text that users must accept explaining that a ‘market research’ program is installed with them, but not all of these specify this. Some of these programs are also distributed directly from developers’ web sites with no such warning.

“The malware, a version of which has existed for Windows since 2008, claims to collect browsing and purchasing information that is used in market reports.”

In reality it opens a backdoor on port 8254, injects code into Safari, Firefox and iChat, and searches for personal data and transmits it in encoded form.
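A quick host check for the listener described above, added here as an example and not part of the original post or of Intego’s analysis: it parses the output of `lsof -nP -iTCP -sTCP:LISTEN` and reports any process bound to port 8254, the port Intego reported. The sample lsof output is constructed; the process name PremierOp, the PIDs and the device IDs in it are made up for illustration, and the `live_listeners` wrapper simply runs lsof if it is present on the host.

```python
import shutil
import subprocess

# Port Intego reported for the OpinionSpy backdoor.
WATCH_PORTS = {8254}

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output on a Mac.
# PremierOp, the PIDs and the device IDs are invented for illustration; the
# ESTABLISHED line is included to show that non-listening sockets are ignored.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd       1  root   10u  IPv6 0x1a2b3c4d5e6f7a8b      0t0  TCP *:22 (LISTEN)
cupsd        87  root    8u  IPv4 0x1a2b3c4d5e6f7a8c      0t0  TCP 127.0.0.1:631 (LISTEN)
PremierOp   412  alice   5u  IPv4 0x1a2b3c4d5e6f7a8d      0t0  TCP *:8254 (LISTEN)
Safari      520  alice  30u  IPv4 0x1a2b3c4d5e6f7a8e      0t0  TCP 192.168.1.5:52113->93.184.216.34:443 (ESTABLISHED)
"""


def parse_lsof_listeners(output):
    """Return one dict per listening TCP socket found in lsof -i output.

    lsof columns are COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE].
    With -n and -P the NAME column is a literal "bind_addr:port", so the port is
    whatever follows the last colon (which also copes with bracketed IPv6 binds).
    """
    listeners = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 10 or parts[0] == "COMMAND":
            continue
        if parts[-1] != "(LISTEN)":
            continue  # established or half-open connections are not listeners
        bind, _, port = parts[8].rpartition(":")
        if not port.isdigit():
            continue
        listeners.append({
            "command": parts[0],
            "pid": int(parts[1]),
            "user": parts[2],
            "bind": bind,
            "port": int(port),
        })
    return listeners


def flag_watched_ports(listeners, watch=WATCH_PORTS):
    """Pick out the listeners bound to a port on the watch list."""
    return [entry for entry in listeners if entry["port"] in watch]


def live_listeners():
    """Run lsof on the current host, if it is installed, and parse its output."""
    if shutil.which("lsof") is None:
        return []
    proc = subprocess.run(
        ["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
        capture_output=True, text=True, check=False,
    )
    return parse_lsof_listeners(proc.stdout)


if __name__ == "__main__":
    for hit in flag_watched_ports(live_listeners()):
        print(f"watched port {hit['port']} open: {hit['command']} "
              f"(pid {hit['pid']}, user {hit['user']}, bound to {hit['bind']})")
```

A hit on 8254 is a lead, not a verdict: the next step is to look at the owning process (its binary path and parent) and at what Safari, Firefox and iChat have loaded, since the port could in principle be reused by something legitimate.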

Intego blog here.

Paul Ducklin at Sophos dug into the malcode a bit further, running one of the 7art screen savers. The app was bundled with something called PremierOpinion from VoiceFive Inc. Ducklin found that VoiceFive had the same address in Reston, Va., as notorious spyware distributor comScore, the group that delivered spyware named MarketScore several years ago. He also found that the 7art domain was registered in Moscow, Russia.

Ducklin blog here.

Tom Kelchner

As promised: FBI going after money mules

Five facing federal indictments in banking Trojan theft

Five alleged money mules have been indicted in federal District Court for the Eastern District of North Carolina in connection with the illegal May 2007 transfer of $450,000 from the bank account of the city of Carson, Calif. The cash was transferred after a banking Trojan (Talex) infected the computer of the city treasurer Karen Avilla. All but $44,000 was recovered.

According to the indictment, Jennifer Ann Woodard, Deago Larase Smith, Lance Corbett Holt, John L. Quinn II and Anthony Leonard Bobbitt will face federal charges of bank and communications fraud.

Indictment here.

Softpedia news story here.

There have been very few prosecutions of money mules, who are mostly recruited through work-from-home schemes. The mules provide organized crime groups in other countries with details of their bank accounts. The malicious operators, using banking Trojans, tap the bank accounts of their victims and transfer cash to the mules, who take a percentage. The mules then use untraceable wire transfers to send the money to the criminals out of the country.

On one hand, the mules can claim they were duped, but on the other hand the descriptions of the jobs they take are pretty suspicious to anyone with half a brain. They end up being the linchpin in a process that siphons hundreds of millions of dollars from corporations, organizations and government groups.

Last month, the head of the FBI’s Cyber Crime section, Patrick Carney, told a Federal Deposit Insurance Corporation symposium in Arlington, Va., that the Bureau was planning to pursue the mules:

“We want to make sure that the public understands this is illegal activity and one of the best ways we can think of to give that message is to have some prosecutions. We realize it’s not going to make the problem go away, but it should help raise awareness and send a signal,” he said.

Brian Krebs column: “FBI Promises Action Against Money Mules”

Tom Kelchner

FCC will test U.S. broadband speeds

The U.S. Federal Communications Commission has launched a program to give consumers software tools to test the speeds of their broadband services.

The commission is offering two tools, Ookla and M-Lab (both still in beta) that will test broadband services by transferring a temporary file and measuring performance of providers’ services.

The FCC-supplied tools will test:

“Download Speed: The speed at which data is sent from the testing server to your computer.

“Upload Speed: The speed at which data is sent from your computer to the testing server.

“Latency: The time it takes for data to be sent from your computer to the testing server and back (the ‘round trip time’).

“Jitter: The variability in the delay between your computer and the testing server.”

The commission said “This beta version is the FCC’s first attempt at providing Americans with real-time information about their broadband connection quality. The FCC will continue to explore ways to improve user experience and the feature sets of these tests.”

Info here: “About the Consumer Broadband Test (Beta)”

Tom Kelchner

Infected rogue spam uses Adobe update lure

“Anyone else getting this crap today?”

Alert reader David McSpadden notified Sunbelt of the following spear-phishing attempt that was sent to users, appearing to come from their system administrator. [The PDF contains a link to the executable for the user to download.]

“If you already received this information before and action has been taken, then please ignore.

“This important information about a security vulnerability requires your immediate attention!

“All systems detected using Adobe products have been sent out this e-mail and are all requested to update their systems urgently.

“Kindly follow the instructions in the e-mail as forwarded below.

“Failure to comply will result in all financial and non financial loss to be a liability of the receiver.

“Please treat this e-mail as a matter of urgency. No further follow up warning will be sent.

“**This e-mail is a computer generated e-mail from admin@xxxx.com and does not require a reply**

“— On Fri, 5/28/10, Rxxxxxx Bxxxxxx <rbxxxxx@adobe.com> wrote: —
From: Rxxxxxx Bxxxxxx <rbxxxxx@adobe.com>
To: Administrator <admin@xxxx.com>
Subject: Adobe Security Update
Date: Friday, May 28, 2010, 11:24 AM

“Broadcast message:

“Adobe has issued a directive which states that all systems running their software should be patched for the latest security glitch.
The CVE-2010-0193 Denial of Service Vulnerability has recently been discovered on several systems running the previously released version of the software, which has been further documented on security sites such as
http://www.securityfocus.com/bid/39524
It is strongly advised that all systems running the Adobe software is updated with the latest security patch to avoid further situations hampering the security and integrity of the system. Failure to follow the directive would mean that any loss which occurs due to the negligence will be a liability of the company and not Adobe. The link to update the system with the latest patch and instructions are provided below:

“Download the instructions here: hxxp://190.144.101.204/adobe/update.pdf (requires Adobe Acrobat Reader).
To update your system, download the installation file here: hxxp://190.144.101.204/adobe/adbp932b.exe (adbp932b.exe).
(Read first the instructions before updating the system)

“Your urgent attention is most appreciated,

“Rxxxxxx Bxxxxxx
Adobe Risk Management
xxx Park Avenue
San Jose, CA 95xxx-xxxx

Tel: xxx-xxx-3932
xxxxxx@adobe.com”

The executable tries to inject code into explorer.exe under the guise of an Adobe update (including a phony license agreement, below):

[Screenshot: fake Adobe license agreement]

The main file is a self-extracting EXE that drops its code in Temp\IXP000.TMP as UNINST~2.EXE.

It has been associated with the iframedollars (rogue security product) primary downloader and about six other secondary payloads, first seen in April. VIPRE detects it as Trojan.Win32.Generic.pak!cobra. Only seven of 41 anti-virus products on VirusTotal detect it.

Trojan.Win32.Generic.pak!cobra was the third most common detection in May according to Sunbelt’s ThreatNet statistics.
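A triage check for a mail like the one above, written as an added example for this post (it is not Sunbelt’s tooling): it pulls every link out of the message, including hxxp-defanged ones, and flags the three things the sample exhibits: a link host that is a bare IP address, a link that points straight at an executable, and a link host that does not belong to the domain the From: header claims. The sample message is constructed from the quoted mail, trimmed to its header and the lines that carry links; the flag names, the extension list and the scoring in `is_suspicious` are assumptions made here.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Extensions a "security update" mail should never point a user at directly
# (assumed list for this example).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".js", ".vbs")

# Matches real and defanged (hxxp) URLs up to the first whitespace or closing bracket.
URL_PATTERN = re.compile(r"\bh(?:tt|xx)ps?://[^\s<>\"')]+", re.IGNORECASE)
FROM_PATTERN = re.compile(r"^From:.*?<[^@>\s]+@([^>\s]+)>", re.IGNORECASE | re.MULTILINE)

# Constructed sample: the forwarded "Adobe Security Update" mail quoted in the post,
# trimmed to the header and the lines that carry links. Addresses are masked as in the post.
SAMPLE_EMAIL = """\
From: Rxxxxxx Bxxxxxx <rbxxxxx@adobe.com>
To: Administrator <admin@xxxx.com>
Subject: Adobe Security Update

which has been further documented on security sites such as
http://www.securityfocus.com/bid/39524

Download the instructions here: hxxp://190.144.101.204/adobe/update.pdf (requires Adobe Acrobat Reader).
To update your system, download the installation file here: hxxp://190.144.101.204/adobe/adbp932b.exe (adbp932b.exe).
"""


def refang(url):
    """Turn a defanged hxxp:// or hxxps:// link back into a parseable URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def sender_domain(message):
    """Domain of the address in the From: header, or None if there is no such header."""
    match = FROM_PATTERN.search(message)
    return match.group(1).lower() if match else None


def analyse_links(message):
    """Return one finding per URL in the message, each with its list of red flags."""
    sender = sender_domain(message)
    findings = []
    for raw in URL_PATTERN.findall(message):
        parsed = urlparse(refang(raw))
        host = (parsed.hostname or "").lower()
        flags = []
        try:
            ipaddress.ip_address(host)
            flags.append("raw-ip-host")          # vendors serve patches from named hosts, not bare IPs
        except ValueError:
            pass
        if parsed.path.lower().endswith(EXECUTABLE_EXTENSIONS):
            flags.append("executable-download")  # a direct .exe link is the payload itself
        if sender and host and host != sender and not host.endswith("." + sender):
            flags.append("host-differs-from-sender-domain")
        findings.append({"url": raw, "host": host, "flags": flags})
    return findings


def is_suspicious(findings):
    """A mail linking to a bare IP or straight to an executable deserves a closer look."""
    return any("raw-ip-host" in f["flags"] or "executable-download" in f["flags"]
               for f in findings)


if __name__ == "__main__":
    results = analyse_links(SAMPLE_EMAIL)
    for finding in results:
        print(finding["url"], "->", ", ".join(finding["flags"]) or "no flags")
    print("suspicious:", is_suspicious(results))
```

The host-versus-sender mismatch is deliberately not enough on its own to mark a mail suspicious: genuine mails link to third-party advisories (the securityfocus.com link here is a real one the scammer borrowed for credibility), so that flag is reported but only the bare-IP and direct-executable flags drive the verdict.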

Thanks David, Patrick and Dodi

Tom Kelchner

Red Dead Malware

If you like gunning down cowboys in the Wild West – and who doesn’t – then you may well have picked up Red Dead Redemption over the last couple of weeks, especially given that it’s one of the highest-ranking games in years.

One of the most interesting aspects of the game is the treasure hunt, where you use cryptic clues and drawings to find landmarks in the gameworld to get your hands on bars of gold.

All in all, it’s a rather entertaining task. The problem is that there are plenty of opportunities to get stuck while looking for these bars of gold, and it seems the Rogue AV peddlers are living up to their reputation as no good pesky varmints.

A basic Google search for “Red Dead Treasure Map” gives us these three sites as the top results:

[Screenshot: top three Google results for “Red Dead Treasure Map”]

While Google flags the sites as harmful, you can of course find them (and many more besides) riding high in other search engines too, which means you may get no warning in the search results, and no warning at all if your browser lacks built-in alerts.

Here’s a typical report for one of the sites mentioned – as you can see, it’s Rogue AV links all the way. The site in this report last served malware just yesterday (and a number of the sites are already being cleaned up), but there are many more links out there, with around 25 potentially dangerous ones in the first eight pages of Google alone.

[Screenshot: site report showing the Rogue AV links]

Should the unwary user click into the middle link for example, they’ll find their browser minimises to a single prompt telling them their PC is “infected”, and when they hit OK they’ll see this:

[Screenshot: fake AV site]

We know from experience that no end of people will download and install the fake security software from these sites, and unfortunately many more will pay to unlock the completely useless “full version” into the bargain. Cue desktop looking like this:

[Screenshot: rogue AV on the desktop]

At that point, I believe the chap in the stovepipe hat and the tape measure will do you a good deal on a wooden coffin. We haven’t seen other aspects of the game targeted by this Blackhat SEO campaign yet, but that doesn’t mean it won’t happen. Be on your guard and keep your six shooters ready…

Christopher Boyd

Modern Warfare 2 cheat console only cheats gamers

You might want to avoid the temptation to download and run a program being touted on YouTube as a Modern Warfare 2 Cheat Console, which I’ve seen spammed to a couple of gaming forums and a bunch of video sharing websites. Here’s one of the videos in question currently advertising it:

[Screenshot: YouTube video advertising the cheat console]

No surprises here that it’s actually a malicious program, and will drop a file called server.exe into your Application Data folder:

[Screenshot: server.exe dropped in the Application Data folder]

From there, endless calls go out to furz(dot)no-ip(dot)biz, although it’s currently out of action so whatever grand plan the creator had in mind isn’t currently materialising. Of course, the no-ip URL could come back to life at some point so it’s probably best not to get too complacent. VirusTotal detections were showing as 7/41 a day or two ago, but it’s gone up slightly to 13.

We detect this as Trojan.Win32.Generic!BT.

Christopher Boyd

New from Sunbelt: VIPRE Enterprise for Mac

— VIPRE Enterprise for Mac provides support for Mac OS X versions 10.5.6 and 10.6 and above.

— Designed with the Mac OS look and feel for a positive user experience.

— Users can run scheduled and on-demand scans and view quarantine and scan history.

— Definition updates are downloaded from Sunbelt across the Internet.

— VIPRE for Mac also detects and cleans any Windows-specific malicious threats that may find their way onto a Mac system.

— New customers can purchase VIPRE Enterprise for Mac as part of VIPRE Enterprise on a per-machine basis.

— Pricing includes the first year maintenance and starts at $28.36 per seat for 100 workstations with a sliding scale volume discount based on number of machines.

— VIPRE is compatible with 32 and 64 bit versions of Windows 2000, XP, Server 2003, Vista, Server 2008, Server 2008 R2 and Windows 7.

— 30-day evaluations of VIPRE Enterprise are available on Sunbelt Software’s website at www.sunbeltsoftware.com.

Alex Eckelberry, CEO of Sunbelt Software said: “This is our first step in our support for the Mac platform, and is specifically targeted at enterprise customers. We are also planning for a release of a consumer/home version.”

News release here.

Tom Kelchner

VIPIR upgrade: Close, but no cigar

Alert reader Greg D. Feezel, Director of Security and IT Risk Management at Snap-on Business Solutions, sent us this screen shot, having mistakenly concluded that his local weather station used Sunbelt’s VIPRE anti-malware and needed to upgrade.

Turns out it isn’t our VIPRE, but rather VIPIR (Volumetric Imaging and Processing of Integrated Radar) software distributed by Baron Weather Solutions that processes radar data for television stations.

Greg wins no cigar, but he does get points for being alert for upgrades (something a few tens of millions of IE6 users worldwide would do well to emulate).

Thanks Alex.

Tom Kelchner