Is this Click Fraud?

Dollar Revenue describes itself as:

…one of the best pay-per-install affiliate programs on the Internet. DollarRevenue provides revenue opportunities to affiliates who have entertainment/content websites, offering them an alternative to traditional advertising methods. DollarRevenue offers high payouts per install and converts Internet traffic from any country into real income.

Well, downloading the file “vsl02.exe” (VirusTotal results) from the Dollar Revenue site — currently located at content(dot)dollarrevenue(dot)com — results in a blizzard of transmissions from advertising sites.

Sunbelt researcher Patrick Jordan was able to see over 2,000 transmissions in the course of running a video (movie here). You can see the list of transmissions here.

Just what is going on here?

Alex Eckelberry


Sanford Wallace — p0wned again

Ah, good old Sanford “Spamford” Wallace, the erstwhile Spam King, who became a spyware guy.  And who is now in deep trouble.

An operation that deceptively downloaded spyware onto unsuspecting consumers’ computers, changing their settings and hijacking their search engines, has been halted by a federal court at the request of the Federal Trade Commission. The judge has ordered the operators to give up to more than $4 million in ill-gotten gains. The court also ordered a halt to another spyware operator’s stealthy downloads and barred the collection of consumers’ personal information, pending trial.

Link here

Alex Eckelberry
(Thanks Suzi!).

BlueSecurity accidentally knocks Six Apart…apart

A follow-up to my earlier musings about BlueSecurity:  The company, under a DDoS attack by spammers, redirected its blog to Six Apart (TypePad and LiveJournal).  Well, this then knocked Six Apart offline for almost eight hours.

Internet security company Netcraft said on Thursday that Blue Security temporarily dealt with the distributed denial-of-service (DDoS) siege by redirecting traffic to its journal at blog host Six Apart, knocking out that company’s TypePad and LiveJournal services.

Link here.

Alex Eckelberry

Does stock spam increase stock prices?

Does that crap stock spam you get actually have an effect on stock prices?  I’ve blogged on this subject earlier, about a site called Spam Stock Tracker, which shows that ownership of stocks marketed through spam are a money losing proposition.

Earlier this week, I posted a stock spam message from a company called Cyberhand (Pink Sheets: CYHD).

This stock spam pounded out on Tuesday, and a look at the chart shows that something has been going on, at least on an intraday basis:


So, it seems the spam is working to raise this stock price—on a very short term basis. And this is corroborated by University of Mannheim researcher Thorsten Holz, who said in a discussion group recently:

“together with a researcher from another German university, I took a closer look at stock spam recently. We could show that such spam messages indeed influence the traded volume and also the stock price.”  

The research paper is here.    

Harvard researcher Daniel Peng also looked at this issue and found:

“…stock spam is highly correlated with short-term spikes in trading volume and long-term falling stock price. I was unable to find any reliable evidence of short term price trends.”

Link here (thanks to Jose)

My guess is that penny stocks jump up immediately when the spam is sent and then decline (as you can see from the above Cyberhand graph).

I’m not sure these studies took into consideration the actual buy and sell prices on the stock. The last price is different than what you can actually sell it for, because of the Bid (how much you pay to buy the stock) vs. the Ask (how much the dealer will pay you for it). The Bid and Ask are set by the market makers (the dealers who actually hold inventory in the stocks). Then, you have to take out the effect of commissions.

So can you make money rushing out and buying the stock when a stock spam hits? “Not that easy. Especially since an event study only gives abnormal returns. If the overall market goes down, you statistically lose less than the market, but that’s nevertheless a loss. And since penny stocks are not very liquid, there are further limitations…,” says one of the study’s co-authors, Thorsten Holz.

All in all, this whole Internet stock scam business is pretty disgusting.

Alex Eckelberry


WhenU and 180Solutions accused of patent infringement

Interesting, I’ll try and get more information on this one.

NetRatings announced today it has filed patent infringement lawsuits against WhenU.com, Inc. and 180solutions, Inc. as part of the company’s patent enforcement program commenced in early 2005. Under the program, designed to protect the company’s investments in its patented technologies related to the collection, analysis and reporting of computer usage and activity, NetRatings has signed licensing agreements with three companies: Visual Sciences LLC, SageMetrics, Corp., and Omniture, Inc., and has complaints pending against three additional companies: Coremetrics, Inc., Sane Solutions, LLC, and WebSideStory, Inc.

Link here (thanks David)

Alex Eckelberry

BlueSecurity fights back

Their site just went up, with this message:

The Blue Independence War

Today is Israel’s Independence Day. It’s a public holiday in Israel, but all of us in Blue Security are working. But we are glad we’re working. We’re helping the community fight the Blue Independence War. We fight for our freedom from spammers and cyber criminals. This is our big chance to reclaim the Internet. We must not let it slip from our hands.

Some desperate spammers are doing their worst to harm our community. They’d like us to back off, and agree to get their spam silently. Needless to say, that is not going to happen. We’re not here to listen to their vile threats and fraudulent advertisements…

You may still be able to get the whole post, here.

Alex Eckelberry

The BlueSecurity mystery

BlueSecurity makes an antispam product called Blue Frog.   Their antispam method involves creating a sort of “Do Not Spam” registry.  As part of this service, they contact spammers to get you off their lists.  I have no idea how the product works, since I’ve never used their application (and can’t as the site is down).  And it seems to be popular.

However, BlueSecurity has apparently made some spammers quite grumpy.  Yesterday, blog reader László Stadler started forwarding me some baffling spams.  Here’s an excerpt of one:

Today, the BlueSecurity database became known to the worst spammers worldwide. Within 48 hours, the database will be published on the Internet, and your email address will be open to them all. After this, you will see the spam sent to your mailbox increase 10 – 20 fold.

BlueSecurity was illegally attacking email marketers, and doing so with your help. Many websites have been targeted and hit, including non-spam sites. BlueSecurity’s software has been fully analyzed, and contains an abundance of malicious code. This includes: ability to send mass mail to users; the ability to attack websites with Distributed Denial of Service attack (DDoS); the ability to open hidden doors on any machine on which it is running; and a hidden auto-update code function, which can install anything on your computer and open it up to anyone.

You can view the different spams here, here and here. And Wired had an article today on the situation.

I contacted BlueSecurity about this yesterday and got this reply from Eran:

Hi Alex
You can keep this mail as a collector’s item 🙂
As you may already know, many spammers had already listened to the voice of reason and chose to comply with the Registry (see our recent blog posts at http://community.bluesecurity.com for more details). We already have 6 of the top 10 spammers, responsible for over 25% of world spam (over 50% of illegal spam), either complying or approaching us to start the process of compliance.

This one is trying another approach – something we expected to happen as some spammers may choose to try and avoid removing our members’ addresses from their lists. Our recent successes with some of the world’s top spammers had probably caused other spammers to panic. This particular spammer is using mailing lists he already owns that contain your email address and is now sending such messages to everyone on his list.

Sorry for the inconvenience,

Now the BlueSecurity site appears to have been the victim of a DoS attack. It is unavailable.

Curious, I tried to test the application.  But since the site is down, I can’t get registered to the service.

Any ideas out there as to what is going on?

Alex Eckelberry
(Thanks Ferg for the Wired link)

Update:  More here and here.

Image spam

There’s been this rash of really irritating image spam lately, difficult for spam filters to catch because of its nature. 

For example, if you look at this spam:


and view the HTML source, you see the following:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="MSHTML 6.00.2800.1106" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2><IMG alt="" hspace=0
src="cid:000001c66dfc$24202377$7a47e8c8@legunj.hqyivu"
align=baseline
border=0></FONT></DIV>
</BODY></HTML>

Not necessarily a lot for a spam filter to go off of, unless you simply want to ban HTML emails (not entirely practical for most…).

So, we are killing it with a regular expression in our Ninja messaging security product, which looks like this:

^\s*?<!doctype\s+?html\s+?public\s+?"[^"]+?"\s*?>\s*?<html>\s*?<head>\s*?<meta\s+?[^>]*?content\s*?=\s*?(["'])[^\1]*?\1\s*?name\s*?=\s*?["']?GENERATOR["']?\s*?>\s*?<style[^>]*?>.*?</style\s*?>\s*?</head\s*?>\s*?<body\s+?bgColor\s*?=\s*?\S{7,7}\s*?>\s*?<div[^>]*?>.*?<font\s+?face\s*?=\s*?arial\s+?size\s*?=\s*?2*?>[^<]*?<img\s+?alt\s*?=\s*?(["'])\2\s+?hspace\s*?=\s*?0\s+?src\s*?=\s*?(["'])cid:[^@]{30,30}@[^\3]*?\3\s+?align\s*?=\s*?baseline\s+?border\s*?=\s*?0>\s*?</font>\s*?</div>\s*?</body>\s*?</html>\s*?$
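The script below is an added example, not code from the post or from Sunbelt's Ninja product: it takes the pattern above (with the backslashes the page's rendering dropped restored), runs it in Python against the spam quoted above and against a constructed legitimate mail built on the same Outlook template, and adds a looser structural check (an inline cid: image carrying the message and essentially no text) that still fires when a spammer changes a single attribute and the exact signature no longer matches. The sample messages and the `max_text_chars` threshold are constructed for the example.

```python
import re
from html.parser import HTMLParser

# The Ninja pattern quoted in the post, with its backslashes restored.
# Python reads "\1" inside a character class as the byte \x01, so "[^\1]*?\1"
# simply means "anything up to the closing quote captured by group 1".
SIGNATURE = re.compile(
    r'^\s*?<!doctype\s+?html\s+?public\s+?"[^"]+?"\s*?>\s*?<html>\s*?<head>\s*?'
    r'<meta\s+?[^>]*?content\s*?=\s*?(["\'])[^\1]*?\1\s*?name\s*?=\s*?["\']?GENERATOR["\']?\s*?>'
    r'\s*?<style[^>]*?>.*?</style\s*?>\s*?</head\s*?>\s*?<body\s+?bgColor\s*?=\s*?\S{7,7}\s*?>'
    r'\s*?<div[^>]*?>.*?<font\s+?face\s*?=\s*?arial\s+?size\s*?=\s*?2*?>[^<]*?'
    r'<img\s+?alt\s*?=\s*?(["\'])\2\s+?hspace\s*?=\s*?0\s+?src\s*?=\s*?(["\'])cid:[^@]{30,30}@[^\3]*?\3'
    r'\s+?align\s*?=\s*?baseline\s+?border\s*?=\s*?0>\s*?</font>\s*?</div>\s*?</body>\s*?</html>\s*?$',
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample: the image-only spam body shown in the post (straight quotes).
IMAGE_SPAM = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="MSHTML 6.00.2800.1106" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2><IMG alt="" hspace=0
src="cid:000001c66dfc$24202377$7a47e8c8@legunj.hqyivu"
align=baseline
border=0></FONT></DIV>
</BODY></HTML>"""

# Constructed legitimate mail: same Outlook template, but real text plus an inline logo.
LEGIT_MAIL = IMAGE_SPAM.replace(
    '<IMG alt="" hspace=0',
    'Hi Alex, the Q2 report is attached. Regards, Deb<IMG alt="logo" hspace=0')

# Constructed variant: one attribute changed, so the exact signature no longer matches.
VARIANT = IMAGE_SPAM.replace('alt=""', 'alt="x"')


def matches_signature(html):
    """Exact-template check: the regex Ninja uses for this particular spam run."""
    return SIGNATURE.search(html) is not None


class _BodyStats(HTMLParser):
    """Counts visible text and images; ignores <style>/<script> contents."""

    def __init__(self):
        super().__init__()
        self.text_chars = self.images = self.cid_images = 0
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._skip += 1
        elif tag == "img":
            self.images += 1
            if (dict(attrs).get("src") or "").lower().startswith("cid:"):
                self.cid_images += 1  # image attached inline to the message itself

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text_chars += len(data.strip())


def body_stats(html):
    """Return {'text_chars', 'images', 'cid_images'} for an HTML mail body."""
    p = _BodyStats()
    p.feed(html)
    p.close()
    return {"text_chars": p.text_chars, "images": p.images, "cid_images": p.cid_images}


def looks_like_image_only_spam(html, max_text_chars=10):
    """Generic check: an inline image carries the message and there is (almost) no text."""
    s = body_stats(html)
    return s["cid_images"] >= 1 and s["text_chars"] <= max_text_chars


def classify(html):
    """'signature' for the exact Ninja template, 'image-only' for the generic shape, else 'clean'."""
    if matches_signature(html):
        return "signature"
    if looks_like_image_only_spam(html):
        return "image-only"
    return "clean"
```

The structural check is deliberately loose; in a real filter it would be one score among several, since a short mail that is only a signature image would also trip it.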

Alex Eckelberry

Why do I have to type http:// in IE?

People have been asking why, all of a sudden, they can’t go to a web site with Internet Explorer unless they type in the full address (with the “http” in front) — when normally they could just type www.whateverdomainname.com and IE would put in the “http” part.

This is one of the most commonly reported problems caused by the update referenced in Microsoft security bulletin MS06-015.

There’s a registry edit that will fix it; you’ll find instructions here, along with a list of the various problems the patch causes.

Also, Microsoft has re-released the patch that is causing these problems. It’s been completely re-engineered; the new update should be installed automatically if your system is set to use the automatic update service. You can read more here.

Deb Shinder

Sunbelt TechTips for the week of May 1

How to prevent XP from creating a bridge between networks
Windows XP has a feature called network bridging that allows you to connect two networks together. If you attach two networks to your computer (for instance, you have a wired Ethernet adapter and a wireless network adapter installed on the computer), by default XP will bridge the networks so you can access one from the other. This is convenient but less secure, so you may want to prevent bridging. Here’s how:

  1. When you run the Network Setup Wizard, you’ll get a message that your computer has multiple connections. Click “Let me choose the connections to my network.”
  2. Click Next.
  3. In the “Select the connections to bridge” dialog box, uncheck the boxes for all but one of the listed network adapters.
  4. Click Next and finish the wizard. A bridge will not be created.

Update:  See this comment for more information.

How to change the location for Office source files
If you installed Microsoft Office from a share on a network server instead of a local installation CD, the path from which you installed will be remembered and this is the location Office will look for source files if you later need to do a repair or reinstallation or add a feature that you didn’t originally install. If the source files have moved or that server is down, you’ll get an error message when you try to perform any of those operations. If the Office source files are at another network location now, you can change the path. Here’s how:

  1. On the client machine, log in as an administrator.
  2. Click Start | Run.
  3. In the Open box, enter: MSIEXEC /i <admin path>\<MSI file> REINSTALL=ALL REINSTALLMODE=vomus /qb
  4. Click OK.

Note: “admin path” is the full path where the new installation source files are located. “MSI file” is the Windows Installer file for Office. It’s also possible to do this programmatically. For information, click here.

What is svchost.exe, anyway?
If you’ve ever taken a look at the running processes tab in your XP Task Manager (or better yet, use Sysinternals Process Explorer), you’ve probably seen at least one instance of a process called svchost.exe. Sometimes there’ll be several running at once. What is it and what does it do? If you always wondered, wonder no more. Instead, go to KB article 314056 and read “A description of Svchost.exe in Windows XP Pro.”

Temporarily deactivate the kernel mode filter driver
To help you troubleshoot certain file-related problems such as problems copying or backing up files, or program errors that happen when you work with files from network drives, you may need to deactivate XP’s filter driver that runs in kernel mode. Note that this should be done only temporarily, because it loosens security and makes you more vulnerable to attack. For more information and instructions on how to disable the filter drivers, see KB article 816071.

USB devices don’t work after restart
If you have one or more USB devices attached to the USB port or a USB hub attached to your XP computer, you might find that some or all of the devices don’t work after you restart the computer and you don’t get any kind of error message. This can happen when the device(s) need more power than the USB port/hub can provide. For some tips on how to correct the problem, see KB article 885624.

Deb Shinder

Follow-up on Skype blog

Last week, I discussed the ongoing dilemma of how to keep your private communications private, and how the Skype VoIP service may offer some protection in a world where regular phone calls can be easily wiretapped. Many of you emailed me to offer your opinions and experiences.

Some of you see government monitoring of our email, phone calls and other communications as a necessary evil for the safety of the population as a whole. Rick B. said “as with all laws the few that need the control of law force the rest of us to live in a more controlled environment than we would otherwise desire.” Others, such as Jeff B., agree with Thomas Jefferson’s statement that “I would rather be exposed to the inconveniences attending too much liberty than those attending too small a degree of it.”

Cliff G. echoed the opinion of several of you, saying “Somehow I doubt that the NSA is wasting their time on my banal communications, and if they are I really don’t care what they think of my personal ramblings. The more paranoid — and grandiose — may nurture such fantasies of self-importance.” And Ernie J. said, “First of all, we need to understand that NSA is not listening to all phone calls but just ones to or from potential bad guys or countries. Secondly, I think it’s worth a sacrifice of complete privacy in order to prevent terrorist attacks.”

On the other hand, the majority who wrote (about 2/3) agreed with Sean T. that the pendulum has swung too far towards removing privacy in the name of the war against terrorism. He said, “The “War on Terror” is a real thing, but our politicians seem to go for the easy solution or fail to think through the consequences of poorly written laws (DCMA and Patriot come immediately to mind).”

Lionel T. said “I don’t care if the government wants to listen to my calls to my children, however if I am willing to pay for a service that keeps those calls private then they should be. If the government wants to listen then they should have good reason and can articulate that in a warrant.” And Becky C. summed it up thusly: “Good men are doing nothing and evil is starting to triumph by eroding our rights. Shame on us for allowing it.”

Deb Shinder

Chipping Away at your Rights

In the Brave New World of numerous science fiction stories, a totalitarian world-wide government uses implanted microchips to control the minutiae of its citizens’ lives. Twenty-five years ago, the theme made for entertaining, if somewhat far-fetched sci-fi. Today it doesn’t seem that far-fetched at all.

The technology is certainly here. Chips are routinely implanted in animals for various purposes. RFID (radio frequency identification) tags are placed in the ears of livestock so farmers can know which cattle are theirs, replacing traditional methods of branding. Veterinarians offer products such as HomeAgain and 24PetWatch, chips that can be implanted in pets to store owner identification, medical information, etc.

In 2004, it was reported that a number of government officials in Mexico, including the Attorney General, had been implanted with microchips that function much like electronic keycards to allow access to secure areas. The difference is that you can’t forget or misplace this key, and it would be difficult (although not impossible) for someone to steal it.

That was also the year the Food and Drug Administration approved the use of RFID chips by hospitals to identify patients.

Then in 2005, Tommy Thompson, the governor of Wisconsin and former U.S. Secretary of Health and Human Services, announced that he was having an RFID chip injected into his arm to provide quick access to his medical history and records. Although this announcement made big news, we’ve not been able to find verification that he ever went through with the procedure.

This year, “chipping” made the news again when a company in Ohio used RFID chips implanted in workers to control access to certain rooms. The company’s CEO said the chips are no different from ID cards.

A number of bars and private clubs, in places as diverse as Barcelona, Spain and Glasgow, Scotland have offered to let customers pay their tabs via an implanted RFID tag.

Most of these examples have used chips marketed by VeriChip, a Florida company that makes the chips, which are about the same size as a grain of rice and can be easily injected under the skin, usually into the fatty tissues of an arm or leg. It’s a safe medical procedure, done with only local anesthetic. They push the chips as a solution to problems ranging from lost dogs to kidnapped children to wandering Alzheimer’s victims.

The technology being used for these applications is a “passive” one – that is, the chip just stores information and transmits it over a short range (a few meters). To access it, you need a special scanner. The next logical step is a more active chip that can transmit over longer distances. Some chips can be tracked by satellite, and some companies have announced plans to incorporate a Global Positioning Satellite (GPS) transmitter into implanted chips, which would allow for the implanted person to be tracked wherever they go in the world. Chips could also record a person’s movements and activities and store the log on the chip itself or send it to a monitoring station.

Certainly this technology could offer lots of advantages. As an access control method, it would be much harder to tamper with or steal than keys, passwords, smart cards and the like. It’s cheaper than biometrics. As a medical information store, it could provide emergency workers with instantaneous, valuable information about a person’s health history that might save lives. As a law enforcement aid, it could prove or disprove the whereabouts of accused persons. It could also make it much easier to keep track of (and thus keep safe) animals, children and mentally disabled people.

But where does it stop? How much of a step is it from allowing parents and pet owners to keep tabs on their charges to allowing employers to keep track of their workers and then to allowing governments to keep track of all of us, all the time? Of course it will happen in increments. Who’s going to argue with implanting a tracking chip in a sex offender who’s been released from prison? Or implanting chips in soldiers going to war, so they can be more easily located if they’re wounded? Or in children, for their own safety? And so forth.

As chips become more widely used for these noble purposes, they’ll also become more accepted by the public. Employers can require implanted chips that act as time cards, logging when workers start and stop work. Who could object? After all, it’s voluntary; if you don’t like it you can work somewhere else – at least until all companies are routinely using this method. Chips could also replace passports. Again, you don’t have to get one if you don’t want to leave the country. Except that if it works for passports, it will probably soon be extended to driver’s licenses. I guess you can just not drive, but we all know we’re headed toward requirement of a national ID card. Having that info “chipped” will probably be voluntary. In the beginning. But if national security is at stake …

The problem is that it’s hard to make a case that chips are bad. Like any technology, they can be used for good or evil. Here are some of the uses (many of them commendable) that were proposed by Digital Angel, a company that makes RFID and GPS implants for pets, fish and livestock.

However, the idea of such technology in the hands of government makes many privacy advocates very nervous – especially in conjunction with other political and social trends. For instance, most babies are born in hospitals today, and all children are required to have immunizations before attending schools. Since the implant procedure is a simple injection, it would be very easy for health care personnel to implant chips immediately after birth or in early childhood without the recipient even knowing it was being done. And with many in the U.S. advocating government takeover of the healthcare system (and nationalized healthcare already in place in many countries), well, you can see where this could go.

Chips could also be used to further political agendas. Conrad Chase, director of the Barcelona nightclub that uses the VeriChip payment system, has been quoted as saying all gun owners should be required to have a microchip implanted in their hands to own a gun. A “smart gun” could be designed so that it wouldn’t fire unless in the hands of someone with a chip. This could give the government almost complete control over who does or doesn’t have the ability to defend themselves with a firearm. On the other side of the aisle, the Patriot Act gives the government broad powers that bother many people, such as the ability to access library records. If an implanted chip were required to check out library books, that information would be much easier to obtain as it would always be with the individual.

In response to all this, some lawmakers are trying to ameliorate the possible damage. A state representative in Wisconsin has introduced a bill that would prohibit requiring anyone to have a chip implanted or doing it without their knowledge.

What do you think? Do the benefits of implanted chips outweigh the dangers? Are implants okay for kids, animals, and the elderly? Should implants always be voluntary or is it fine to mandate chips for prisoners and parolees? Should implanted chips be banned by the FDA? Should the government have control over implants? Under what circumstances – if any – would you have yourself implanted?

Deb Shinder

Microsoft to be added to VirusTotal

VirusTotal and Jotti are key tools in malware research. You can submit a malware sample and find out whether any other security companies are catching it, and what they are calling it.

Many, but not all, AV vendors participate in these scanners.  Last night, Ziv Mador at Microsoft announced that Microsoft will be joining VirusTotal.

Hi, this is Ziv Mador again from the Microsoft Anti-Malware team. This week, the folks over at VirusTotal added the Microsoft anti-malware engine to their service. VirusTotal is a free service that enables users to submit suspicious files to be scanned by several anti-malware engines. If you choose, files that are not identified as malicious are sent to the vendors who supply the anti-malware engines to this service to be analyzed. As of April 27, the Microsoft anti-malware scanner is included in the set of scanning engines used by VirusTotal. This scanner is based on the same technology found in Windows Live OneCare, the Windows Malicious Software Removal Tool, and Microsoft Antigen, and includes our full antivirus set of signatures. We are glad to be participating in this community opportunity.

Link here.

Alex Eckelberry
(Hat Tip to Jose)

Shameless hype


We won a rather nice award today — the Network Computing Well-Connected Award.

Security Winners – Antispyware
Winner: Sunbelt Software CounterSpy Enterprise 1.5 Getting rid of spyware is a difficult task, but to do it well, antispyware tools must reduce administrative load. In our tests, Sunbelt’s CounterSpy Enterprise performed remarkably well from an administrative perspective. This product can be deployed and updated more efficiently than any other product we reviewed, and it integrates seamlessly with Active Directory. Policy configuration, exclusion lists and status reporting were all top-notch.

Link here.

Alex Eckelberry


These botnets are getting pretty slick

Botnet controllers are getting quite sophisticated. And as we can see here, even visually appealing.

Check out this botnet controller that our Adam Thomas just found. 

Here’s the main control page:


Here’s the reports page. 


It’s even translated into multiple languages, as not all hackers speak perfect English:


There’s also some handy-dandy code we discovered there for HTML code injection, which is used for phishing.


Then, we found the stolen data.  Credit card numbers, passwords, the works, from countries all over the world.  Sick stuff.

The botnet lives off a bunch of really ugly malware, with the following file names (Virustotal links included). 

iexplore.exe
ieschedule.exe
ib14.dll
smss.exe
ieserver.exe
preredir.exe
harvest.exe
ieredir.exe

Current virus detection is pretty weak on this set of malware. 

Of course, the trojans look perfectly legitimate:


Alex Eckelberry 


Pssst…you wanna see a Firefox exploit in action?

Earlier this week, I blogged about a site doing a bunch of different exploits, depending on what you are running. 

One of the things the site will do is detect if you have Firefox, and attempt to exploit it, using the InstallVersion.compareTo() vulnerability. 

There are actually a number of sites running this exploit, and one of our researchers, Adam Thomas, was kind enough to take some pictures. Going to a site with an older version of Firefox got him just a bucket-load of spyware.


A Haxdoor variant was installed (seen above as detected by F-Secure’s Blacklight)… and a typical rogue-antispyware security install with a bunch of fake security messages.


Hijacked browser…


And this is nifty — there’s even this Local Security Authority Service pop-up message (above). Clicking OK aborts the system shutdown and…brings you to this page:


And you get the usual fake and hysterical security messages:


As a final dash of spice, the malware is redirecting attempts to navigate to security-related websites such as Kaspersky.com, Symantec.com, F-secure.com, etc., to Microsoft.com!

On another test system, Adam got UnSpyPC (a rogue antispyware application) and a Haxdoor install, among other things.


Now, the Faithful (and admittedly few) Readers of My Blog are demigods when it comes to security, so most of you are running a patched version of Firefox (basically, any version 1.05 or higher).  But checking browser stats on this site does show that there is a very small number of you that aren’t updated to a safe version. Very, very few AV vendors detect this exploit, as you can see by clicking here.

Alex Eckelberry
(And, thanks again for the tip from some French friends)

And they call this Genius?

New form of corporate spyware (not related to the well-known mouse company):

In early May, a new on-demand service called Genius is going to launch that will let sales folks track the performance of their e-mail marketing campaigns by letting them spy on the subsequent online actions of their marks. The way it will work is that Genius will set up so-called ghost URLs that mirror your company’s Website for you to put in your marketing e-mails. So when someone clicks on the URL, everywhere they go and every action they take on the Website is recorded and tied back to their e-mail address.

Link here.

Alex Eckelberry
(thanks Leslie)