Sunbelt Weekly TechTips #38

Download: Internet Connectivity Evaluation Tool
Here’s a new free tool from Microsoft that will check your Internet router/NAT device to determine whether it supports advanced features such as face to face collaboration with Windows Meeting Space in Vista. The tool can be run on an XP or Vista computer. You can download it from the Microsoft web site here.

Is Vista a “slow pig” when it comes to copying files?
A number of users have complained that sometimes the Vista file copy process is slow or stops responding, and an article on Slashdot last week played up the problem.

I’ve not experienced the problem myself but apparently quite a few people have, and Microsoft has a hotfix to correct it, which you can get from Customer Support Services. There’s more info in KB article 931770.

CompUSA closing many stores
CompUSA was once “the” place to go to buy computers and computer accessories, but now many people buy at discounters such as Fry’s Electronics or over the Internet, where you can almost always find lower prices and good service from sources such as Newegg.com. Now CompUSA is closing about half of its stores. The process began in February and is still ongoing. You may still be able to get some good deals at the “going out of business sales.” Here’s a list of locations that are closing.

Court rules in favor of media server that copies DVDs
A company that makes a home media server that allows users to “rip” their DVDs to disk was sued by the DVD Copy Control Association for allegedly violating its licensing contract. A California judge ruled in favor of the defendant. Read more about it here.

Manage your digital photos in Vista
Many of us have amassed large collections of digital photos, and Vista makes it easier to manage and find them. One of the most useful new features is the ability to add “tags” to your pictures. These are keywords that can be used to sort and search. The tags are stored as metadata within the file, along with other details about the graphic.

To add a tag to a photo, right click the photo file and select Properties. Click the Details tab, and then click Tags. A field will appear that says “Add a tag.” You can type in the keyword(s) you want to associate with the picture here. Then, in the Tags column of Explorer (in a folder that contains pictures), you can click the down arrow to sort or stack by tags.

How to join a domain in Windows XP Professional
If you take your laptop to work with you, you may need to join it to the company domain in order to log onto your company network account. Here’s how:

  1. Click Start | Control Panel.
  2. In Classic view, click System. In XP view, click Performance and Maintenance, then click System.
  3. Click the Computer Name tab, then click the Change button.
  4. In the Domain dialog box, enter the name of the company domain you want to join.
  5. A dialog box will ask for the username and password. If the domain administrator has already created a domain account for the computer, you can enter your own user name and password. If not, a domain administrator will need to enter his/her username and password here.
  6. You will receive a “welcome to the domain” message indicating the computer was successfully joined to the domain.
  7. Reboot the computer.

Note that Windows XP Home computers cannot join domains.

User Q&A: What happened to all that space on my hard disk?
“Hi there. I bought a new hard drive, got a great deal on what was supposed to be a 750 GB drive – BUT when I installed it in the computer, it says there’s only 686 GB. I could understand maybe a small difference but that’s a lot of gigabytes that got lost somewhere. This seems like false advertising to me, as I didn’t get all the space I paid for. I’ve seen the same thing every time I bought a hard drive. Can you explain? Thanks. – T.W.”

Well, the problem comes from the difference in the way computers and disk manufacturers calculate drive capacity. Computers “think” in binary math (base 2), where kilobytes, megabytes, gigabytes, terabytes, and so forth are each an increment of 2 to the 10th power (1024).

Humans are used to thinking in base 10, where hundreds, thousands, millions, etc. are incremented by 1000. So hard drive manufacturers use a more familiar system in which they “round” a kilobyte to 1000 bytes, a megabyte to 1000 kilobytes, and a gigabyte to 1000 megabytes. So the drive manufacturer advertises a drive that has 750 billion bytes as a 750 GB drive, but that’s not how the computer sees it because it’s dividing by 1024 instead of by 1000.

Is it false advertising? Well, technically, maybe so. But since just about all hard drive makers do it this way, it has become the standard. On the other hand, just to confuse matters a little more, manufacturers don’t use this system for other storage media, such as flash memory cards. There, what you see is what you actually get: flash cards usually actually have the amount of space advertised, although formatting does reduce the amount of usable space on both hard drives and flash cards. For a more detailed discussion of all this, click here.

You get an error message when you sync offline files in XP
If you get an error message stating that files of this type cannot be made available offline when you try to synchronize offline files on an XP computer, this may be caused by a problem with client-side caching. There’s a hotfix available. To find out how to get it, see KB article 890671.

Poor video quality with interlaced mode on Vista computers
If you configure your video settings to use interlaced mode on a Windows Vista machine, you may find that the video is jerky and of poor quality. To fix this problem, you need to download a free update package. There are versions available for both 32 bit and 64 bit Vista. To get the download, see KB article 932649.

Until next week,

Deb Shinder

Glitch in CounterSpy’s Active protection

We have confirmed that with Friday’s definitions set #526, CounterSpy version 2.1 users may encounter problems opening a command prompt box or running programs that open command prompts.

Active Protection (AP) in CSC 2.1 with this definition set will erroneously report that CMD.EXE is a trojan (Trojan-Proxy.Agent.CL), then attempt (and fail) to quarantine the file. Although the quarantine action will fail, these AP prompts can become tiresome, especially if a program that is dependent on running a component from a command prompt fails.

This bug is fixed in today’s definition update, definition #527. To access the update, simply update your definitions in CounterSpy.

Please note that on-demand scans of the PC are unaffected by this glitch and CSC will not detect CMD.EXE during a Quick Scan or Full Scan. This glitch affects only CounterSpy 2.1’s Active Protection. Also, our testing indicates that CounterSpy 1.5 is completely unaffected by this glitch.

We sincerely regret the error.

Alex Eckelberry

Ethics and antispyware

I’ve written before about the “scan and scare” tactics used by antispyware companies (similar are the “scan and find errors” used by registry cleaners). And recently, Larry Jaffe, our outspoken editor of CounterSpy News, also wrote about this and received mail by the ton. It’s a burning hot topic in the minds of users.

Here’s how it works: You download a “free trial”, which scans your drive, finds a bunch of terrifying things on your PC, and demands payment in order to clean your system. And it works even better when the antispyware product has false positives.

It’s even something that the reputable Robert Vamosi at CNET mentions in his antispyware roundup recently:

The free trial copy … will not remove any spyware found until you purchase the full product. We think this is wrong, and a crude way to force sales.

He’s absolutely right. It is wrong.

But this model is, in fact, implicitly driven by places like download.com, TuCows, etc., which base a large part of their revenue model on selling manufacturers higher visibility.

Here’s why: For every download, a developer will get a certain percentage of people actually buying the product. So, if you get 100 downloads, you might get 2 people who buy the product, a conversion rate of 2%. And that 2%, by the way, holds pretty standard throughout the industry.

But many companies in the antispyware space (and earlier, in the registry cleaner area) learned that by scanning the machine, but refusing to clean until paid, their conversion rates soared. I spoke with an antispyware vendor a while back who told me that by using the “scan and scare” tactics, they were able to get a conversion rate of almost 30%. Another conversation with a commissioned affiliate of an antispyware vendor said that their tests showed a 10x higher conversion rate when they moved to the scan-and-scare model.

And so there’s the reason why virtually the entire industry has moved to this model: the conversion rates are astounding — especially in security. It really pays to scare the crap out of people.

Our conversion rates? Maybe 2%, because we refuse to do the scan-and-scare thing — we provide a fully functional trial version. But that means that for every million downloads of CounterSpy, we get (maybe) 20,000 sales. If we were on the “scan-and-scare” model, that number would likely increase to something like 200,000 sales. The difference in math is staggering.

This puts companies like Sunbelt at a considerable disadvantage over the competition, for the reason that the competition can buy up vast amounts of ad space and pay-for-download programs on places like CNET and TuCows, virtually guaranteeing themselves a healthy return.

Look at the math — a pay-per-download program at a major download site might cost you as high as $1.00 per download, getting you listed in a premier location, driving huge download numbers. If you’re getting a 2% conversion rate on a $20 product, you’re losing money. But if you’re getting a 20% conversion rate, you’re making money hand over fist. By using these types of marketing practices, you win. So even highly reputable companies like WebRoot have moved to the scan-and-scare model, because of the sheer difference in numbers.

Another hidden secret of the antispyware business is that independent “review” sites rank products higher based on the commission paid. We had one major review site offer us a high spot in their review if we promised a higher commission — and then, he would only list us as “#2”, because our price point was too low ($19.95, vs. $29.95 for the “#1 player”). This is why for reviews, your best bet is to look at user reviews and reviews by reputable organizations, like PC Mag, PC World, CNET, etc. Sleazy? Yes. But it’s the nature of the business, and it’s something that very few people know about.

It has been rumored that a major state attorney general’s office was sniffing around the scan-and-scare practices in the registry cleaning business. Perhaps they need to look at it for the antispyware side of the business.

In the meantime, you can trust that we will always offer a fully-functional trial version. To hell with the money.

Alex Eckelberry

The ANI exploit and CounterSpy and Ninja

This exploit is something of concern.

Some updates:

CounterSpy: CounterSpy detects the Ani exploit as “Trojan-Exploit.Anicmoo.ax (v)” in definition set 526. Incidentally, VirusTotal coverage as of 1:30 CET today here.

Ninja: Since email is a potential attack vector, securing that area is important. The full version of our Ninja Email Security product includes two AV engines — Authentium and BitDefender. However, many customers only run the antispam portion of Ninja. So while the BitDefender AV engine in Ninja does detect these malformed .ani files, this will only be useful to customers if they’re using Ninja’s AV functionality.

However, Ninja does include intelligent attachment filtering, which looks past the extensions of many file formats to see what type of file is actually being sent. So we just posted an updated set of SMART definitions for anyone using Ninja 2.1.xxx which will allow you to create an attachment filtering rule to block .ani files regardless of what they have been named. In this way even if you’re not using Ninja’s AV functionality you can still block these files from getting to your users.

Alex Eckelberry
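
The kind of content-based attachment check described above, as an added example that is not Ninja's code or its SMART definitions: it decodes each MIME part and recognises an animated cursor by its RIFF container header with form type ACON, ignoring the file name and the declared content type. The function names and the sample message are constructed for illustration.

```python
import struct
from email import message_from_bytes
from email.message import EmailMessage


def is_ani(data: bytes) -> bool:
    """True when the bytes are a RIFF container whose form type is ACON
    (animated cursor). RIFF alone is not enough: WAV and AVI are RIFF too."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"


def scan_message(raw: bytes):
    """Return (filename, declared content type) for every MIME part whose
    decoded body is an animated cursor, whatever it has been named."""
    hits = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64 / quoted-printable transfer encoding
        payload = part.get_payload(decode=True) or b""
        if is_ani(payload):
            hits.append((part.get_filename() or "(inline)",
                         part.get_content_type()))
    return hits


def riff(form_type: bytes, body: bytes) -> bytes:
    """Build a minimal RIFF file: 'RIFF', little-endian size, form type, body."""
    content = form_type + body
    return b"RIFF" + struct.pack("<I", len(content)) + content


def build_sample_message() -> bytes:
    """Constructed test message: one cursor disguised as a JPEG, one WAV
    (RIFF but not ACON), and one cursor with its real extension."""
    cursor = riff(b"ACON", b"anih" + struct.pack("<I", 36) + bytes(36))
    sound = riff(b"WAVE", b"fmt " + struct.pack("<I", 16) + bytes(16))
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Holiday pictures attached.")
    msg.add_attachment(cursor, maintype="image", subtype="jpeg",
                       filename="holiday.jpg")
    msg.add_attachment(sound, maintype="audio", subtype="wav",
                       filename="report.wav")
    msg.add_attachment(cursor, maintype="application",
                       subtype="octet-stream", filename="cursor.ani")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ctype in scan_message(build_sample_message()):
        print(f"block: {name} (declared {ctype}) is an animated cursor")
```
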

Oh Dear Lord: This man has actually named his product a “condom”

I’ve talked about unfortunately-named products before, but this absolutely takes the cake.

There’s a new product out called a Browser Condom.

The description:

It’s and [sic] advanced technology that allow [sic] you to run any kind of software in your computer without a risk of be [sic] infected with any kindof [sic] virus, spyware, trojan and any kind of malware. (VTD) , Virtually Transmitted Diseases.

The icon of the product is, well, a condom wrapper.

Why the name? Was he inspired by the pictures of the Klik Revenue boys exuberantly playing with condoms? Or the picturesque city of Condom, France?

I’m being good, really: There’s so much room for so much humor here, it’s difficult to contain oneself.

But I run a respectable blog here, people. So I’ll let you do the dirty work: Comment away…

Alex Eckelberry
(A copious acknowledgment to Paperghost, who blogged first about this.)

Ani format exploit — reading in plain text may still be vulnerable

A surprising post at SANS this morning:

A short overview of how the different email clients (in the supported list of Microsoft) are reacting to the animated cursor vulnerability (CVE-2007-1765) depending on the actions and settings of the email client.

The surprising element is that read in plain text mode makes some of the clients more vulnerable and actually only offers real added value -for this vulnerability- for Outlook 2003.

More here (via Donna).

Alex Eckelberry

Preview of CounterSpy Enterprise 2.0

Greg Kras and I will be giving a preview of our new CounterSpy Enterprise 2.0 next Tuesday. (This is the version of CounterSpy designed for business use.)

If you want to take a look, please join us:

A First Look at CounterSpy Enterprise 2.0

When: Tuesday, April 3, 2007 2:00 PM (EDT)
To join the day of the event please visit:

http://www.sunbelt-software.com/rd/rd.cfm?id=070330EB-CSE_Webcast
Meeting ID: 92SSQC
Attendee Meeting Key: XR*mw9Z
Audio: Toll free: +1 (800) 416-4956
Toll: +1 (978) 964-0050
Participant code: 104764

Alex Eckelberry

Brilliant!

I’m going to give you a sneak peek of a very cool skunkworks project going on over at Mayhemic Labs.

One thing that a lot of people have commented on (and particularly the good folks over at F-Secure) is that phishers register domains using words like “Chase”, “ebay”, etc. This makes it easier to fool their victims (such as having a URL like “chase-banking-center.com”).

Of course, a great idea is to have the domain registrars simply refuse to register domains with these names (or at least trigger a review of a suspicious domain before allowing it to register). However, that’s not always easy to get done.

But what if new suspicious domain registrations were automatically tracked in a format that allows everyone to see what’s going on?

That’s just what Ben Jackson did over at Mayhemic Labs: He developed a “Domain Tracker System” to track domain registrations by using DomainTools’ Domain Mark reports.

Called the Crow’s Nest, it aggregates submissions of domain mark reports containing keywords that would be likely used in a phishing domain. The system processes these reports and adds them into a database. The submitter (or other volunteers) can then flag domains that look suspicious. These domains are then monitored for activity. Every 6 hours registration and DNS records are checked to see if the domain is hosted and/or still registered. If the site is hosted, the user can then check the site and see if something phishy is going on, and if so, notify the parties affected.

For now, this site is only being used by security researchers. There’s also lots of people who helped him in this, and when it goes public, I’m sure he’ll thank those that don’t mind being publicly acknowledged.

Expect this site to be public in a few weeks. And then those Phishers will feel a whole lot of hurt.

Alex Eckelberry
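
A sketch of the workflow described above (keyword triage of reported domains, volunteer flagging, then a recheck every 6 hours), added here as an illustration and not Mayhemic Labs' code. The class and function names, the allow-list of brand-owned domains, the sample domains and the injected `lookup` callable that stands in for the registration and DNS checks are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

KEYWORDS = ("chase", "ebay")         # brand words named in the post
OWNED = {"chase.com", "ebay.com"}    # assumed allow-list of the brands' own domains
RECHECK = timedelta(hours=6)         # polling interval given in the post


def matched_keywords(domain: str) -> list:
    """Brand keywords found in a domain, ignoring the TLD and any hyphens
    or dots used to break the word up (e-bay-login.net still matches)."""
    name = domain.lower().rstrip(".")
    if name in OWNED or any(name.endswith("." + o) for o in OWNED):
        return []
    labels = name.split(".")[:-1]
    text = "".join(ch for ch in "".join(labels) if ch.isalnum())
    return [k for k in KEYWORDS if k in text]


@dataclass
class Tracked:
    domain: str
    keywords: list
    flagged: bool = False
    next_check: Optional[datetime] = None
    history: list = field(default_factory=list)


class CrowsNestSketch:
    def __init__(self, lookup):
        # lookup(domain) -> (registered, hosted); hypothetical stand-in for
        # the whois and DNS queries a real tracker would make
        self.lookup = lookup
        self.db = {}

    def submit(self, report_domains):
        """Store reported domains that contain a watched keyword."""
        added = []
        for d in report_domains:
            kws = matched_keywords(d)
            if kws and d not in self.db:
                self.db[d] = Tracked(d, kws)
                added.append(d)
        return added

    def flag(self, domain, now):
        """A volunteer marks a stored domain as suspicious; monitoring starts."""
        self.db[domain].flagged = True
        self.db[domain].next_check = now

    def run_due(self, now):
        """Poll flagged domains whose timer has expired; return the hosted
        ones, which need a human to look at the site."""
        needs_review = []
        for t in self.db.values():
            if not t.flagged or t.next_check is None or t.next_check > now:
                continue
            registered, hosted = self.lookup(t.domain)
            t.history.append((now, registered, hosted))
            # Stop monitoring once the registration lapses
            t.next_check = now + RECHECK if registered else None
            if hosted:
                needs_review.append(t.domain)
        return needs_review


def demo():
    # Constructed answers: registered but unhosted at first, live 6 hours later
    answers = {"chase-banking-center.com": [(True, False), (True, True)]}
    nest = CrowsNestSketch(lambda d: answers[d].pop(0))
    report = ["chase-banking-center.com", "purchase-orders.org",
              "www.chase.com", "gardening-tips.net"]   # constructed report
    added = nest.submit(report)
    t0 = datetime(2007, 4, 2, 0, 0)
    nest.flag("chase-banking-center.com", t0)  # purchase-orders.org is left unflagged
    first = nest.run_due(t0)
    early = nest.run_due(t0 + timedelta(hours=3))   # not due yet, no lookup made
    second = nest.run_due(t0 + RECHECK)
    return added, first, early, second
```

The substring match also catches purchase-orders.org ("chase" inside "purchase"), which is why the human flagging step sits between submission and monitoring.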

Battle stations: New “ani” zero day being hunted

The folks over at McAfee have written today about a new zero day, and it doesn’t look pretty. Our team is on high alert for this exploit and we are actively hunting for any sites which are using it.

From McAfee:

Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently.

The ani file format is an animated cursor format. We have exploit code and it’s not pretty.

We’ll post more information as we get it.

Alex Eckelberry

Data Feeds from the Sunbelt Software Threat Center

Our advanced research provides us with a vast amount of new security research (URLs, malware samples, etc), and now it’s available to other companies and researchers. As a complement to our CWSandbox automated malware analysis suite, we provide to technology and business partners three data feeds from our Threat Center (feeds are only available to vetted professional security researchers and recognized security companies).

These feeds are an extraordinarily valuable resource to assist in analyzing, protecting and remediating malware threats.

Feed #1: Malware Sample sharing
Frequency: Daily
Provides: New samples downloaded each day, in a dated daily zipfile that is double-compressed and password-protected. Each sample is named with its md5sum, followed by .EX$. This is not sent in email, as the file size is prohibitive. Only new samples (by md5) will be posted each day, all of which will be Microsoft Portable-Executable (PE) files.

Feed #2: XML Reports
Frequency: Immediate upon submission from any existing source to our CWSandbox database (i.e. very frequently).
XML reports are sent as email attachments. While the size of the attachments is small (typically 20K to 200K), the total volume of email is high (can be several thousand per day) so a specific email account or alias for receiving these should be used.
Provides: XML reports of every sample scanned through the CWsandbox. No frills email format with a text or an HTML result and XML report attached to it.

Feed #3: Distilled URLs and IPs
Frequency: Daily
Provides: New malware URLs in a daily text digest. URLs provided either come from our research center, from URLs that have been reported as malware that day, or that have been downloaded in the CWsandbox by Trojan downloaders. Vendors are responsible for sorting malware from other behavior (i.e. phish submissions, ad rotationals, potential false positives). We advise downloading EXE files first with tools like Wget and Grep, then sorting the list to fit the role.

If you’re interested in finding out more, contact Chad Loeven.

Alex Eckelberry

Sunbelt Weekly TechTips #37

Test your memory
Recently Tom (my husband) started experiencing some weird problems with his primary computer. Windows would reboot by itself for no reason, programs wouldn’t install, etc. After a lot of weeping and wailing and gnashing of teeth, he was able to track down the problem: some of his memory had gone bad for some reason. He switched it out with the RAM from another computer and the problems magically disappeared. Memory problems can emulate many other problems, though. If you suspect you might have bad memory, you can use Microsoft’s Windows Memory Diagnostic to test your RAM for errors. Check it out here.

Computer Shutdown Day: Was it a big bust?
Saturday, March 24 was declared Computer Shutdown Day by, well, the folks at shutdownday.org (warning: you may find some of the words/content on that site offensive). The idea was for everyone to go 24 hours without using their computers. I admit it: I didn’t do it, and based on the amount of spam that came in, I wasn’t the only one. Did you shut down for the day? If so, was it a good experience or a bad one? Or were you one of the many folks I talked to who said that, despite a fair amount of publicity, they had never heard about the effort? Great idea, or just silly? 

Should you buy software on eBay?
eBay can be a good place to find a bargain, but sometimes those “great deals” are just a little too good to be true. The risk is especially high when it comes to buying software, since it can be impossible to know whether the programs you’re buying are legal or not, and some may even have embedded viruses or spyware. A “gray” area is the selling of OEM versions of software, which are supposed to be bundled with hardware. Read more about the problems here.

Why is the Apple pot calling the Vista kettle black?
Sure, the Apple commercial is cute. You know, the one where the dashing, “hip” guy representing the Mac shakes his head in amazement as the nerdy PC guy’s “bodyguard” – who presents Vista’s User Account Control (UAC) protection – throws up “Cancel or Allow?” dialogs whenever PC tries to do/say something. If you haven’t seen it, you can view it here.

Cute, but is it really a fair representation of the difference in intrusiveness between Vista’s and OS X’s security? My good friend George Ou says maybe not. Read his take on it here.

Installing the wrong program no longer kills my computer
You may hear some folks complain that their favorite third party programs don’t work on Vista. And it’s true that a lot of the “little” applications and utilities, especially freeware, haven’t yet been updated to work with the new OS. I’ve tried a fair number of such programs to find that they either wouldn’t install or wouldn’t work after installation. But something I noticed and really appreciated is that not one of these failed installations hosed my computer. Instead, I just got an error message or the program refused to run. The rest of the operating system was unaffected. That’s a welcome change from earlier versions of Windows. The infamous “blue screen of death” is a thing of the past – and I’m not sorry to see it go.

How to install the upgrade version of Vista on a wiped disk
You qualify to buy the upgrade version of Windows Vista because you have a copy of XP, but you don’t want to run the upgrade and have all that old code floating around in your Vista installation. Upgrades are notorious for having more problems than clean installs so you’re perfectly willing to bite the bullet and go through all the configurations to get your preferred settings back. But will you also have to pay more for a full copy of Vista? According to Adrian Kingsley-Hughes at CNET, here’s how to do a clean install of Vista with the upgrade copy.

How to change the system/boot drive letter in XP
If you break a mirror volume or for some other reason the drive letter of your system and/or boot drive gets changed so that the drive now has the wrong letter (not the one assigned to it when you installed the OS), you’ll find that the Disk Manager won’t let you change the letter of those drives. This is to protect you from making changes that render the OS unbootable, and you should make those changes only if the drive letter gets changed as described above. To do so, you have to edit the registry. Be sure to back it up first.

  1. Log on with an administrative account.
  2. Click Start | Run and type regedt32.exe to open the registry editor.
  3. Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM
  4. In the right pane, click MountedDevices.
  5. On the Security menu, click Permissions and ensure that Administrators have full control.
  6. Close regedt32.exe and run regedit.exe. Navigate back to the same registry key.
  7. Locate the drive letter you want to change (such as \DosDevices\C:), right click it and select Rename.
  8. Rename it to the letter you want it to have (such as \DosDevices\D:).
  9. Close regedit.exe and run regedt32.exe again to change the permissions on the key back to Read Only.

You’ll need to restart the computer for the change to take effect. Be very careful about renaming drive letters of system/boot drives.

Possible security vulnerability in Windows Mail
Vista includes a brand new built in email program, Windows Mail, which takes the place of Outlook Express. It has some impressive features, but it’s possible that it can be exploited by attackers who send malicious links in email, to allow them to run applications on the user’s computer without permission. Read more about it here.

How to aggregate the bandwidth of two modems.
If you’re in one of those unfortunate areas where broadband Internet connections aren’t available, it’s possible, if you have two phone lines, to use two modems and get double the bandwidth from a dialup connection.  If your ISP supports a feature called Multi-link, you can indeed install two modems in your computer and combine the bandwidth of two physical links into one Internet connection. Here are the instructions for using it with Windows XP Home or Professional edition.

Erase files from a CD-RW disc in XP
If you have a CD recorder installed on your computer and it supports CD-RW (rewritable) discs, you can erase the data on a CD and use it again for something else. You don’t even need third party CD burning software to do it. Just follow the instructions in KB article 306641.

Gain access to the System Volume Information folder in XP
XP deliberately makes it difficult for you to access the System Volume Information folder, which contains data used by the System Restore feature. It’s a hidden system folder and there’s one on each partition on your computer. How to access it depends on whether your XP computer is using FAT32 or NTFS. For instructions in both cases, see KB article 309531.

Deb Shinder

Flame Away: Does the ‘Net Make People Nastier?

Last week, I ran across this article from the Associated Press about how the anonymity (or perception of same) that we have on the Internet leads some people to say and do things they would never say or do in their “real life” relationships.

It’s a phenomenon I’ve discussed here before, but some of the responses to last week’s blog post (which I’ll quote – at least those that are fit for a family forum) brought that fact home again. Some people get downright mean when they’re communicating electronically, and it’s hard to believe that all of them act that way in their offline lives.

Now, this is by no means a universal thing. It seems as if being online often has an effect similar to imbibing alcohol. You know how some folks, when they drink, still act pretty much the way they do when they’re sober but a little more relaxed, while others get all happy and funny and still others turn vicious? Likewise, people are affected differently by the act of slipping into an online persona.

For instance, there’s a person I had known in the “real world” for many years and had never been at all close to. I found her loud and abrupt and often rude, avoided her socially whenever possible but stayed connected to her because of other mutual relationships. Then we found ourselves exchanging email – and the person she became in her written messages was like someone entirely different. The negativity I had come to expect from her in response to everything I said was gone. Her messages were polite and friendly and thoughtful, and for the first time, we became friends of a sort.

But I’ve seen the opposite happen too many times, watching in amazement as someone I had always liked turned into an online monster, flaming people left and right, using language I’d never heard them speak, taking offense at the slightest disagreement.

When I write on a controversial subject, I expect to get lots of replies from those who disagree with my opinions. And after many years at this, I expect that a certain number of those won’t be very nice about it. In fact, I know a lot of writers – and their publishers – who feel the more heated the responses, the better; it always means a higher hit count and for every reader who says “I’m unsubscribing because I think you’re an idiot,” three more start reading because after all, it’s human nature to crave a little spice now and then, both in our food and in our discussions.

In fact, quite a few media personalities of all political persuasions have built multi-million dollar careers by ranting and raving on every topic. Those who have become household names get lots of hate mail, but their books keep selling, their radio and TV shows keep getting top ratings, and the money keeps pouring in.

When they’re espousing ideas we don’t like, we think of them as hotheads. When their philosophies and ideologies match our own, we tend to see them as brave souls who “tell it like it is.” Abe Lincoln said you can’t please all the people all the time, but pleasing half the people and making the other half mad as heck seems to be a formula that works very well for those with thick skins and a penchant for fame and fortune.

Maybe one reason for the popularity of extremists is the very fact that most people don’t dare express themselves that strongly in their own everyday lives. Expressing every negative thought that crosses your mind tends to have a less than positive impact on career growth, marital happiness, budding friendships and other real life circumstances that are important to most of us. So traditionally, we’ve let the professional ranters speak for us.

The Internet has made it easier for ordinary folks to let their hair down and pull out all the stops and express all those secret, nasty feelings themselves. The phenomenon of “flaming” – launching personal attacks on others out of proportion to whatever the flamer is responding to – first gained a foothold in newsgroups and mailing lists. It’s carried over to blogs, where you don’t even have to give your opponents the opportunity to respond if you don’t want to. And on the ‘Net, you can say mean things without risking your reputation by using a “screen name” that gives no clue to your real identity.

But has the Internet really made people meaner and less civilized? There have always been times and places where people say cruel things (listen in to any group of teenagers discussing those outside their clique). Some people just aren’t very nice, in general. And some people who generally are nice get carried away with their emotions when they feel very passionately about a subject. I’m not so sure that, deep down, people are any meaner today than they were a few decades or centuries ago (after all, they often gunned one another down in the streets in the Old West, and look at all the beheadings and such in Medieval times). But the ‘Net has made it easier to do your dirty work more anonymously and to spread it to a wider audience.

What do you think? Are you surprised at the nastiness that sometimes comes out in online discussions? Do you say things in email that you wouldn’t say in person, or do you know others who seem to turn into a different person when communicating online? Do you think the Internet is causing us to become less civilized?

Deb Shinder

So how many people click on bad search results

Recently, I wrote about the massive amount of crap comment spam pages in Live Italy, directing users to potential malware sites.

Fellow blogger Didier Stevens pointed out something really interesting to me: He did an analysis last fall on how many people actually click on these sites. How? He used the infamous AOL data, a veritable fount of fascinating information for researchers.

And he found that about 1% of AOL users were landing on these sites. Link here, with another related story here.

So…multiply 1% against the universe of computer users… that’s a lot of people hitting illegitimate sites (these sites may be pushing snake oil, cell phones — whatever — or malware).

Alex Eckelberry