Cleansing the Internet in China

Great Leap Backward.

“Development and administration of Internet culture must stick to the direction of socialist advanced culture, adhere to correct propaganda guidance,” said a summary of the meeting read on the news broadcast.

“Internet cultural units must conscientiously take on the responsibility of encouraging development of a system of core socialist values.”

Link here.

Great Leap Forward!! (大跃进!!)

Alex Eckelberry
(Hat tip)

Sunbelt Weekly TechTips #41

Internet Laws: the Good, the Bad and the Ugly
For a long time, lawmakers left the Internet alone. Not anymore; state and federal governments are introducing legislation left and right to try to tame cyberspace. Some of these regulations (such as the moratorium on new taxes) are good. Others, not so much. For a good synopsis of the best and worst laws affecting the Internet, see Eric Goldman’s article here.

Windows XP Back by Popular Demand at Dell
(Alex says: “Oh, thank you!”) Dell announced last week on their web site that consumers will now be given the choice between XP and Vista with more desktop and laptop models. Read more here.

Get The Classic Menu Back in Office 2007
Not everyone is happy with Office 2007’s new “ribbon” interface. Some people (like me) like it; others don’t. Well, in another case of “you asked for it, you got it,” a Chinese developer has come up with an Add-on for Office 2007 that reportedly gives back the standard toolbars in Word, Excel and PowerPoint. I installed it today on the “tank” (our monster laptop) and so far, no problems. It does indeed restore the menus on a Menus tab, and you still have the ribbon tabs, too – the best of both worlds. I’ll be testing it more next week and will report any problems, but if you’re in a hurry, you can download a free trial at your own risk here.

Fix Outlook 2007 Performance Problems
I like Office 2007 but I don’t like the way Outlook slowed down when I upgraded. I get hundreds of messages per day and most of my business is conducted via email; I’m also heavily dependent on my calendar. Outlook is the interface in which I “live” for a good part of every day, so performance problems in that application cost me time – and money. And I’m not the only one who’s been experiencing this problem. Well, there’s good news: Microsoft recently released an update that helps to fix some of Outlook 2007’s performance issues. I installed it on both my desktop and my laptop (the latter suffered most from this problem) and noticed immediate improvement. If you’ve been disappointed in Outlook’s performance, give it a try. You can read more about it and find links to the download here.

Does Windows Mail Censor your Messages?
I received a question from a reader who said Windows Mail won’t allow him to send outgoing email messages that contain four letter words. I’ve tried to duplicate the problem, but haven’t been able to do so – my test messages with bad words went right through. My guess is that Chris’s messages are being blocked either by his or the recipients’ ISP or local spam filters. But if you’ve had the same problem with Windows Mail and can send messages containing the same words from another email program, please let us know.

New Help Format in Vista
Instead of relying on static Help information installed when the operating system is installed, Vista defaults to Online Help, so that when you ask for help on a topic, you’ll get the latest updated content from the Microsoft servers (assuming your computer is connected to the Internet). If you’re offline, you can still use Help content stored on your hard disk. The Help and Support window has a down arrow in the lower right corner that you can click to select either Online or Offline Help.

The bad news is that Vista won’t open the old style Help files (.hlp format) that you might still have around for some applications. Previous Windows operating systems included the WinHlp32.exe program that’s used to open them, but Vista doesn’t. However, if you need it, you can download and install the program in Vista. You’ll find it here.

How to Set Password Expiration in XP Home
For better security, you can force users to change passwords periodically. In XP Pro, passwords expire every 42 days by default, but there is no default expiration period in XP Home. However, you can set one using the command line. Here’s how:

  1. Click Start, then Run, and type cmd to open a command prompt window.
  2. At the prompt, type net accounts /maxpwage: followed by a number representing the number of days for which you want passwords to be valid (for example, net accounts /maxpwage:42).

Note this also works for Vista (all editions) and XP Pro.

Easier Way to Set Password Expiration in XP Pro
You can change the password expiration period in XP Pro by using the Group Policy Editor. Here’s how:

  1. Click Start, then Run, type gpedit.msc, and click OK to open the Group Policy Editor console.
  2. In the left pane under Computer Configuration, expand Local Computer Policy and then Windows Settings, then Security Settings, then Account Policies.
  3. Double click Password Policy.
  4. In the right pane, double click Maximum Password Age.
  5. In the Properties dialog box, enter the number of days in the field labeled Password Will Expire In.
  6. Click OK.
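As an added example (not part of the newsletter), here is the XP Home command from the first tip wrapped so that it validates the day count, runs the same net accounts /maxpwage command, and then reads the setting back from the net accounts output to confirm the change. The Get-MaxPasswordAge check also lets you verify a value set through the Group Policy Editor steps above. The function names are mine; the script assumes an elevated PowerShell prompt and English-language net accounts output.

```powershell
# Added example, not from the newsletter: set the maximum password age and read it back.
# Run from an elevated prompt. Assumes English output from "net accounts".

function Get-MaxPasswordAge {
    # Parse the "Maximum password age (days):" line from "net accounts" output.
    $line = net accounts | Select-String -Pattern 'Maximum password age'
    if (-not $line) {
        throw 'Could not find the maximum password age in "net accounts" output'
    }
    # Everything after the first colon is the value: a day count or "Unlimited".
    $value = ($line.Line -split ':', 2)[1].Trim()
    if ($value -match '^\d+$') { [int]$value } else { $value }
}

function Set-MaxPasswordAge {
    param([Parameter(Mandatory)][int]$Days)

    # net accounts accepts 1..999 days (or UNLIMITED). The value must also be
    # greater than the minimum password age (/minpwage) or the command is rejected.
    if ($Days -lt 1 -or $Days -gt 999) {
        throw "Days must be between 1 and 999 (got $Days)"
    }

    $output = net accounts "/maxpwage:$Days" 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "net accounts failed: $output"
    }

    # Confirm the change took effect rather than trusting the exit code alone.
    $current = Get-MaxPasswordAge
    if ($current -ne $Days) {
        throw "Expected maximum password age $Days but system reports $current"
    }
    $current
}

# Usage: match the XP Pro default of 42 days mentioned in the tip.
Set-MaxPasswordAge -Days 42
Write-Host "Maximum password age is now $(Get-MaxPasswordAge) day(s)"
```

Because XP Home has no Group Policy Editor, the net accounts route is the only way to set this there; on XP Pro and Vista the same read-back check works regardless of which method was used to set the value.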

How can I get Vista to stop being an overprotective mother?
Vista’s “overprotective” behavior is one of the biggest complaints I hear. Just like with an overprotective mom, User Account Control (UAC) really is for your own good – but if you want to take the risks, you can disable the prompts.

This is done through the Local Security Policy settings in Vista Business, Enterprise and Ultimate editions. At the command prompt or in the Search/Run box on the Start menu, type secpol.msc to open the LSP console. Vista will, of course, ask for your permission to continue (but this could be the last time). In the left pane, expand Local Policies, then click Security Options.

In the right pane, scroll down to User Account Control: Behavior of the Elevation Prompt for Administrators in Admin Approval Mode. Double click it, and on the Local Security Setting tab, click the down arrow in the drop-down box and select Elevate Without Prompting. Now, when you’re logged on with an administrative account, you won’t get that annoying “are you sure?” dialog box (and you also won’t know when programs are elevating privileges). Click OK, and you’re done.
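The setting above is one an administrator will later want to find again, since a machine that silently elevates gives no visible sign of it. As an added example (not part of the newsletter), this script reports the current elevation-prompt behavior so you can spot systems where the prompt was turned off. It assumes the registry value this policy writes, ConsentPromptBehaviorAdmin under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (0 means Elevate without prompting), and EnableLUA (0 means UAC is off entirely); the function name and output fields are mine.

```powershell
# Added example, not from the newsletter: audit the UAC elevation-prompt policy.
# Assumes the registry values the Local Security Policy setting writes:
#   ConsentPromptBehaviorAdmin  (0 = Elevate without prompting)
#   EnableLUA                   (0 = UAC disabled)
function Test-UacPromptPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $sys = Get-ItemProperty -Path $key -ErrorAction Stop

    # Meanings of ConsentPromptBehaviorAdmin on Vista (later Windows versions add values).
    $meaning = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
    }

    $behavior = $sys.ConsentPromptBehaviorAdmin
    if ($null -eq $behavior) {
        # Value absent: Vista uses its default of prompting for consent (2).
        $behavior = 2
    }
    $behavior = [int]$behavior
    $uacOn = ($null -eq $sys.EnableLUA) -or ($sys.EnableLUA -ne 0)

    $status = if (-not $uacOn) { 'UAC disabled' }
              elseif ($behavior -eq 0) { 'Silent elevation (no prompt)' }
              else { 'Prompting' }

    $description = if ($meaning.ContainsKey($behavior)) { $meaning[$behavior] }
                   else { "Unknown value $behavior" }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        UacEnabled     = $uacOn
        PromptBehavior = $behavior
        Description    = $description
        Status         = $status
    }
}

# Usage: a Status other than "Prompting" means programs elevate without your knowledge.
Test-UacPromptPolicy | Format-List
```

Reading the value directly, rather than opening secpol.msc on each machine, makes it easy to run the same check across a fleet and report only the hosts where Status is not "Prompting".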

Recover from corrupt registry that prevents XP from starting
If your XP computer won’t start because of corruption in the registry, this Guided Help article will help walk you through the process of resolving the problem. Find out more in KB article 307545.

Folder doesn’t open when you click it in the All Programs list in Vista
If you click a folder to open it in the All Programs list in Windows Vista and it won’t open, this could be because the folder is stored in a certain location. There is a hotfix available to fix the problem, but you have to contact Customer Support Services to get it. For more info, see KB article 932404.

Until next week,

Deb Shinder

Follow up on Deb’s blog post on Open Source

Last week, Deb Shinder posted a wee bit of a rant on Open Source.

Reaction was fast and, as could be predicted, covered a range of emotions.

We had lots of feedback in the Comments section. And Deb also got emails, which she’s summarized here:

Many of you use a combination of commercial and open source products; even adamant Windows fans are likely to have one or more favorite open source or freeware programs. And some who use open source extensively admitted that they use it because it’s free, not because it’s better.

Jim M. said, “I tried using Mandrake (now Mandriva) for a couple of years on a computer that I literally built out of trash can parts, aka Frankenputer. I am considered an alpha geek by most who really are, but when I got a better spare, I went back to XP. I simply have less trouble. I use Firefox, Thunderbird, and several other either Open Source or freeware with adequate results.”

Fernando A. said, “I believe that Open Source software perfectly suits the academic world, giving students the opportunity to deal with the nuts and bolts of technology. Sometimes it also is the only choice in thin pockets environments such as non-profit organizations, underdeveloped countries, etc. But when it comes to business, I prefer commercial software because I have a counterpart (corporate or individual) who is responsible for it in terms of warranty (and not only money-back), support, etc. I think that investing in commercial software is part of the value chain.”

Some of us who rarely or never use open source, however, are still glad it’s around. As Chuck M. put it, “The one good thing about Open Source apps is that they put pressure on the ‘Big Boys’ to keep their prices reasonable and to make more of an effort to keep their customers happy with them and the support of their product.”

Locutus Borg (who just might be a Star Trek fan) took issue with my statement that no one is forced to use Windows. He said, “While there are some options to emulate Windows or at least the APIs inside Linux already, none of them are up to the task of real gaming yet. Any gamer is totally stuck in Windows if they want to play more than solitaire, unfortunately.” And Herb W. said, “All in all, I would rather move to a platform that MS doesn’t own, but until I can and still do the everyday things I require … I’m a bit stuck.”

I don’t know; to me this sounds like saying, “Well, I’d like to drive an economy car but darn it, until they make one where all my friends and I can party, sip champagne, watch TV and spread out on the leather seats in the back, facing each other, I’m stuck with this stretch limo.”

On the other hand, not all Linuxes are created equal, and some are obviously more user friendly than others. Ridge K. said, “I have been working with the Ubuntu Linux distribution, and it really is pretty remarkable. You can, pretty painlessly, take a door-stop quality, 7-year-old PC and turn it into a very functional computer.” And Ed G. said, “You’re actually spreading propaganda about compiling kernels and writing drivers on Linux. I downloaded and installed Fedora Core and Ubuntu, and both work ‘right out of the box’.” My “propaganda” is just based on my own experiences, but I have to admit that Ubuntu is a distro I’ve never tried; maybe I’ll give it a go next time I get an urge to experiment with Linux.

Dave C. offered an interesting observation: “MS … started out when things were done more on an individual level and are playing catchup to a networked world. Linux started out in a network world and is trying to make things work for an individual.” Good point, and does help to explain some of the differences.

Geoff notes that, “some of the open source fervor is just part of the ABM (anybody but Microsoft) movement. I agree that MS has done some stupid things and there are better alternatives in some situations, but they have mastered the ‘Good Enough’. In many ways, the Mac is a better platform, but the PC is ‘good enough’ and much more open… At the opposite end is Linux. I think it is also ‘Better’ at some things, and is even more open, but also suffers in areas where the Mac excels. I think of the Mac and Open source as opposites, with Windows in the middle. With most things, people are most comfortable in the middle.”

Thanks to all of you who wrote on this topic.

Alex Eckelberry and Deb Shinder

Another fake security scam site — malwarealarm

malwarealarm(dot)com downloads a variant of rogue antispyware application SpySheriff.

Here’s an interesting thing. By traversing through scanner(dot)malwarealarm(dot)com/, we see a cornucopia of vile and misleading pages used in advertising by these enterprising criminals.

When the online scanner does a “system scan”, it’s just pulling file names from scanner(dot)malwarealarm(dot)com/5/fileslist.js (you can see the contents here). In other words, no scan is actually occurring, just file names are being displayed.

Not very surprising, but pretty sick, eh?

Alex Eckelberry
(Thanks to Sunbelt researchers Patrick Jordan and Adam Thomas)

How one spam can ruin your day

Another spam making the rounds this morning. Adam Thomas in our research department did a quick analysis of it and what it does to a system is not pretty (without the help of my staff, there is no way I could do the blog volume I do).

So, taking a look at the source, we see that it’s directing to hxxp://gooffhere(dot)com. There are no pictures of Paris Hilton as promised by the email, but we do see two IFRAMEs in the source code of the page:

[screenshot of the page source]

1. hxxp://81(dot)29(dot)241(dot)160/in(dot)php?2856985855 – exploit

Loads:
hxxp://81(dot)29(dot)241(dot)160/launcher(dot)php?uid=2856985855&domain_id=2 (downloads a binary, a Trojan Downloader for iframebiz)

Loads:
hxxp://iframebiz(dot)com/exe(dot)php?uid=2856985855&domain_id=1&exeid=1 (downloads a binary)

Loads:
hxxp://pornstar-photos(dot)com/adv/windows_update(dot)exe

Loads:
hxxp://adultvideodot(dot)com/harre/1471548324/1/player(dot)php?m=ms53bxy=&id=1176
hxxp://xfuzrplryy(dot)com/dl/loadadv693(dot)exe (IFRAMEDOLLARS Trojan Downloader)
hxxp://iframebiz(dot)com/exe(dot)php?uid=2856985855&domain_id=1&exeid=2 (binary – Fake Alert Trojan – BraveSentry)
hxxp://iframebiz(dot)com/exe(dot)php?uid=2856985855&domain_id=1&exeid=3
hxxp://iframebiz(dot)com/exe(dot)php?uid=2856985855&domain_id=1&exeid=4
hxxp://iframebiz(dot)com/exe(dot)php?uid=2856985855&domain_id=1&exeid=5
hxxp://iframebiz(dot)com/exe(dot)php?uid=2856985855&domain_id=1&exeid=6
hxxp://iframebiz(dot)com/exe(dot)php?uid=2856985855&domain_id=1&exeid=7
hxxp://iframebiz(dot)com/exe(dot)php?uid=2856985855&domain_id=1&exeid=8
hxxp://iframebiz(dot)com/exe(dot)php?uid=2856985855&domain_id=1&exeid=9
hxxp://iframebiz(dot)com/exe(dot)php?uid=2856985855&domain_id=1&exeid=10

2. hxxp://www(dot)kozirodstwo(dot)com/cgi-bin/n/nnn(dot)cgi?p=driv

The Trojan above makes a request back to the controlling server for a configuration file, which will contain a download link (or links) for additional malware.

hxxp://www(dot)kozirodstwo(dot)com/c(dot)php?l=us&d=d9abb07e934440e1b3a6a395976f7d53&ver=3(dot)5(dot)3&rvz1=26916&rvz2=0004604046 (config)

In the parameters above, we see that they are passing along an MD5 hash probably for record keeping. Each link can only be used once, but we can modify the hash a bit in order to see the configuration file which returns:

hxxp://kozirodstwo(dot)com/top/abc1006def(dot)exe

Now, this is a known malware domain. They use a new exploit framework called NeoSploit.

Upshot? If you have an unpatched system (or an unpatched system without adequate protection) and you click on this spam, you’re in a world of hurt.

Alex Eckelberry
(Credit to Adam Thomas for the real work)

Brushfire in Georgia… smoke in Tampa?

This is truly remarkable. We’re in the Tampa Bay area, about 250 miles from Waycross, GA.

Now, there’s a huge fire up in Waycross. And through an odd quirk in the wind patterns, we’re getting the smoke. I just stepped outside and it was pretty rough — just a carpet of smoke throughout the area. The picture below doesn’t do the situation justice, but here’s an example:

[photo of the smoke over the Tampa Bay area]

Alex Eckelberry
(Credit to Robert LaFollette for the picture, and here’s a panorama he did as well.)

My apologies

Yesterday I had a post on a nasty new image spam making the rounds that immediately infects an unprotected system with the WMF exploit. A picture of Paris Hilton, it wasn’t a nude image per se but did show an extremely small portion of her, well, nude parts. I received a complaint about this and have since modified the image. Before all the Europeans pile in <grin> and complain about us “Puritan Americans”, let me just say that for many, it’s more of a problem that people view this blog at work and don’t want the stuff on their system. I understand this.

I do always try and keep this blog on a PG-13 rating and want to make sure everyone knows that we won’t publish images that are offensive, or if they are offensive, we will block out the offending areas.

Alex Eckelberry 

New image spam uses WMF exploit

A new set of spam uses the WMF vulnerability as an exploit — right in the spam. Simply viewing the spam in the preview pane will exploit a system (if you’re not patched or don’t have adequate AV protection).

The picture on the left is a normal image. That “picture” on the right (with the red x) is a fake WMF image which triggers the exploit. The source of the spam (with malware links) is here.

Alex Eckelberry

A different kind of SDK

We market a number of SDKs (Software Development Kits), which allow developers to integrate things like antispyware/antivirus technology, packet filtering, firewalls, etc. into their own products. But Joe Wells has come up with a different type of SDK that only an engineer cum sci-fi writer could think up:

The Story Development Kit.  It allows others to build stories around the world he’s created in his book, StormScape.

Original!

Alex Eckelberry

This is just weird

We’ve been getting complaints from customers that one of our competitors has apparently been scraping the web to see who our customers are and then has been attempting to get the customer to move over to their solution by providing misleading information.

Here’s a couple of examples of emails I’ve received:

“By the way, I just had a voicemail from Herb Shelton at Webroot software. He said he got my name … from the Sunbelt website. He was doing a salespitch for Webroot, apparently, telling me how much better Webroot was than Sunbelt.”

“FYI, [redacted] called me this a.m. He said he was contacted by Chris Garrison from Webroot who left him a message saying he saw that he was a customer of Sunbelt and he would like to speak with him about enticing him to move over to Webroot…”

So we sent a letter. There was no response, and we just got another report today of this happening.

I’m a little baffled, frankly, that a competitor would resort to scraping names of customers from case studies and the like and then contacting them. Are things really that bad out there? Is there that little new business to generate, rather than resorting to these kinds of tactics?

It’s actually kind of funny in a sort of tragic way. An antispyware company spying…

Whatever.

Alex Eckelberry

Chatty cameras

Georgetown professor Carroll Quigley, in his extraordinary book Tragedy and Hope (one of the greatest books on modern history you’ll ever find, in my opinion, and a book I highly recommend reading), made the observation that a key part of understanding the British government is that, despite the appearance of convention and practice suggesting otherwise, it is a nation completely bereft of a constitution.

And that is nowhere more evident than in the new talking cameras.

I’m so revolted by the notion of cameras barking at citizens to pick up a misplaced coffee cup or piece of litter that it’s difficult to put my feelings into words. Nevertheless, Britons have acquiesced, tacitly or otherwise, to this extraordinary intrusion on their privacy. A once great country that was a beacon of democracy and hope for many countries is now becoming a police state. Silly histrionics on my part? Not really. It’s the simple truth.

Alex Eckelberry
(Hat tip)

Finally, it’s out

We just released CounterSpy Enterprise 2.0. This is our “enterprise” version of CounterSpy which allows system administrators to control spyware and other malware threats throughout their organization.

This new version incorporates our new “hybrid” antispyware engine, which merges classic spyware detection and remediation with our new VIPRE technology (VIPRE incorporates both traditional antivirus and cutting-edge antimalware techniques). This combination of technologies provides faster scanning with less system resources than the previous version.

Lots of new stuff in this release.

I did a webinar yesterday on the product, as well as a discussion of our philosophy with regard to malware (as well as current trends, etc.). I highly recommend viewing it. You can see it here (unfortunately, the few websites I visited during the presentation weren’t recorded due to some glitch in the recording system, but the rest is fine).

This is a hot release and I’m really proud of our team here.

Corporate propaganda here.

Below is more information for current customers who are upgrading:

Licensing: If you’re currently under maintenance, this is a free upgrade and your existing license key will work fine in CSE 2.0.

System requirements: The system requirements are here and should be reviewed prior to deployment.

Upgrading to the CSE 2.0 Server and agent: The direct download link to the CSE 2.0.2171 installer is here. Upgrading the CSE server to version 2.0 is supported for versions 1.5 and higher. The upgrade process for the server is extremely simple: just download the release and run it on the server. All existing information will be upgraded and migrated to the 2.0 installation. Remember to upgrade to .NET 2.0 on the server first and reboot if prompted.

After upgrading the server, all your existing agents will continue to function as normal with the exception of Active Protection. Since the Active Protection component is significantly different, the 1.8 agents will cease to offer Active Protection until upgraded to version 2.0. All other functions such as definition updates, scheduled scans and reporting will operate as normal. Additionally, you will see that in the CSE 2.0 console the “Last Scan Complete” column will show “Never Scanned” until a scan is completed by the agent after the server upgrade was completed.

Upgrading the CSE agents to 2.0 is supported for versions 1.5 and higher. Once the CSE server has been upgraded, the simplest way to update the agents is by setting them in the policy (or policies) to automatically check for software updates. This setting is located under the “Advanced” button on the “Agent” tab of the policy. If you have more than 100 agents on a single policy, you may want to create a copy of the policy, set it to automatically upgrade the agents, and then move 100 agents at a time to the new policy so as not to overload your network with upgrading agents.

New Features Overview:

New Engine – The agents are now using a new scanning and removal engine which includes Sunbelt’s new VIPRE technology. This new engine is faster, requires fewer system resources, and has improved detection for more sophisticated threats such as rootkits. Additionally, the engine includes FirstScan, which is our new scan-and-remove-on-boot technology designed specifically to detect and remove the most deeply embedded malware before it can run or install. Triggered through a CounterSpy system scan, FirstScan will run at the system’s boot time, bypassing the Windows operating system, to directly scan certain locations of the hard drive for malware, removing infections where found.

New Active Protection – The active protection system has been completely replaced with a new kernel-level component. The new system offers real-time blocking of threats from being executed while also being able to prompt the user to take action if suspicious behavior is detected. Additionally, the administrator can create their own custom defined list of allowed and denied applications.

Automated Deployment Service – It is now possible to have CSE automatically deploy agents to the network. At a policy level this feature can be enabled and the admin can specify any combination of machine lists, IP addresses, IP ranges, IP subnets, and AD queries to be resolved and deployed to without admin interaction. The traditional methods of deployment such as console push and MSI packages are still included.

New User Features – The new agent now has many more options that can be exposed to the user at the discretion of the admin. The features include the ability to pause a scan that is in progress or disable active protection. As well, the end user can now be allowed to view the scan results and manage his own quarantine using a new end-user UI. Agents can still be run in a completely silent mode with no end-user interaction.

Incremental updates – This new engine fully supports incremental updates, so definitions can be released more often with less bandwidth impact and shorter download times for end-users who use CounterSpy at their home office.

New Agent Features – The new agent includes all of the above features as well as several other technologies. The agents can now go over the Internet to obtain definition updates if their CSE server is unreachable. They can also be set to throttle the rate at which they download definition files and updates from the CSE server so as not to saturate slower network connections. Advanced scheduling options now allow the agent to start scans at randomized times and make up for missed scheduled scans.

New Console Features – The administrative console for CSE has been redesigned to include more information. The admin can now tell at a glance when an agent last scanned and print from any of the customizable agent grids. The console to server communication has been reworked and optimized to respond quickly even under heavy usage. Advanced features, such as the Agent Recovery Mode which allows agents removed from the CSE server to automatically attach back to the server, are exposed to the admin.

New Server Features – The services for CSE have all been consolidated into a single process, which increases performance while decreasing the memory and CPU requirements. Additionally, the new service has been ported over to .NET 2.0, which also increases efficiency. The new CSE server component is not only compatible with the new agents but backwards compatible with the older 1.5 and 1.8 agents, so upgrading can be done in stages.

Alex Eckelberry

Use Google. Stop wars.

Well, maybe.

“That document has mistakes in it that are sufficient to show that it’s impossible that this operation could be real,” Eisner told ABCNEWS.com. “Anybody, you or I, could have taken this and fact-checked this thing and we would have learned that this was nonsense. We would have learned that the organization in the letterhead hadn’t been in existence for many years, that the person who signed it last served in that post in 1989 and that the court in Niger had been renamed in 1990.”

If the CIA had done a Google search on the documents, it could have altered the course of history, according to Eisner and Royce.

Link here.

Alex Eckelberry
(Hat tip)

The definition of audacity

Searching Google for “Virginia Tech”, one sees the following sponsored search result:

[screenshot of the sponsored search result]

It’s not a news item. It’s an ad for the Starware toolbar. While a fairly innocuous toolbar as these things go, it has had a history of poor installation practices and is listed in our database.

So… Isn’t this just a bit tasteless?

Alex Eckelberry
And a hat tip to Zae