Wired updates iBill story

Back in early March, we had blogged about iBill information possibly being leaked on the ‘net.

Wired has since made the following modification to their story:

Editor’s note: Since publication of this article, iBill has spoken with Wired News. The company now says that the purportedly stolen database did not originate with iBill, and only three of the more than 17 million entries match past iBill customers. Asked to respond, Secure Science says it no longer believes that iBill was the source of the data. Read the full story.

Link here.

Alex Eckelberry

More happy fun security scam hijack sites

Yesterday we wrote about some security scam hijack sites

Here’s some more for you to block: 


All of these sites will attempt (after evaluating your computer’s OS and service pack level) to run currently patched exploits on your system to install Spyware Quake.

Do not visit these sites. 

Alex Eckelberry
(Data from Sunbelt’s Patrick Jordan and Adam Thomas)

Alligator encounter

[Photo: hungry gator]

Robert LaFollette, our creative director, took his wife down to the Everglades (about 3 hours south of us) to “shoot alligators” last weekend.  Not with a gun, but with a Canon digital camera (a 20D with a Canon 100-400mmL Pro Lens).

They stopped in a park for a bit and were sitting near a pond eating sandwiches, when Robert stepped a few yards away from his wife.  He heard a scream, and turned to find his wife running from a very friendly alligator lumbering over, interested in her sandwich.   Robert ran over and tried to distract the gator, to no avail.

Fortunately, some local fisherman threw some fish at the gator, and he went off to munch on the fish. Robert and his wife took off as quickly as they could. 

Now, it’s not usual for gators to get near people like this.  They actually aren’t much interested in humans (at least large ones).  However, just like any other animal, they start to see humans as a source of food when humans make the mistake of feeding them.  Robert was told later by the park ranger that the only reason the gator walked up in the first place was probably because the local fisherman had been feeding the alligators — an illegal offense.

Robert has more pics of the whole experience on his blog, here.

Alex Eckelberry

Yapping about YapBrowser

The YapBrowser interview with Paperghost.

1) Why is Yapbrowser available to download again, when the application doesn’t actually work? (Any search made results in a page cannot be found message)?

YB: Because there on the main page was only a pattern i.e. only design of a site for a kind. And in general all sites are not completed. Partner program is in a test mode. Even the engine of site has not been installed on a site yet. On them there are no users and there is no traffic. This all is made for us, but not for the public. For public all would be tested and all links would appear in a working kind.

Link here.

Alex Eckelberry

EFF: DMCA sucks

Not sure if you caught this broadside by the EFF against the DMCA:

The DMCA Chills Free Expression and Scientific Research.
Experience with section 1201 demonstrates that it is being used to stifle free speech and scientific research. The lawsuit against 2600 magazine, threats against Princeton Professor Edward Felten’s team of researchers, and prosecution of Russian programmer Dmitry Sklyarov have chilled the legitimate activities of journalists, publishers, scientists, students, programmers, and members of the public.

The DMCA Jeopardizes Fair Use.
By banning all acts of circumvention, and all technologies and tools that can be used for circumvention, the DMCA grants to copyright owners the power to unilaterally eliminate the public’s fair use rights. Already, the movie industry’s use of encryption on DVDs has curtailed consumers’ ability to make legitimate, personal-use copies of movies they have purchased.

The DMCA Impedes Competition and Innovation.
Rather than focusing on pirates, many copyright owners have wielded the DMCA to hinder their legitimate competitors. For example, the DMCA has been used to block aftermarket competition in laser printer toner cartridges, garage door openers, and computer maintenance services. Similarly, Apple invoked the DMCA to chill RealNetworks’ efforts to sell music downloads to iPod owners.

The DMCA Interferes with Computer Intrusion Laws.
Further, the DMCA has been misused as a general-purpose prohibition on computer network access which, unlike most computer intrusion statutes, lacks any financial harm threshold. As a result, a disgruntled employer has used the DMCA against a former contractor for simply connecting to the company’s computer system through a VPN.

Link here via beSpacific.

Alex Eckelberry

 

YapBrowser getting yelled at

“Martin”, a reader of this blog, dropped a rather interesting comment on the site today.

It’s a link to a discussion going on today at a webmaster community called crutop.  The forum link is here http://crutop.nu/Vbulletin/showthread.php?t=63868, and it appears safe enough to browse, although you always visit these at your own risk.

It starts off with one fellow mentioning Suzi at ZDnet’s post on YapBrowser yesterday.

In this forum, we have a fellow by the name of “John Helbert” who apparently represents YapBrowser, and makes this comment (translated from Russian—thanks Anna):

We registered at Zango a couple of months ago, signed a contract and sent them our software to be checked. They checked it and approved it. Meanwhile, our programmers have been writing an engine for the partner program- yapcash.com, but it was never completed.

Our program works in a way that user uses it to check thru FHG (Free Hosted Galleries-ed) for free.  

Here is what happened in the past days – The server where we hosted our sites was using 404 traffic for his own purpose. As you can see they have accumulated CP and exps. We didn’t know about it. We only learned about it from the news. You can see on the video that the user is clicking on the link that takes him to a non-existing page.

I repeat that we are in no way associated with CP (Child Porn—ed). We do not need this because our project is absolutely legal and now we are bombarded with the bad reputation issues.

And, according to Anna, the rest of the forum is basically yelling and blaming.

Feel free to run it through Babelfish. 

All rather interesting.

Alex Eckelberry

 

Spyware Quake installed through exploits [Site list included]

I’ve written earlier about Spyware Quake, a nasty rogue antispyware program that runs a protection racket on people’s PCs, forcing them to buy the product in order to get rid of “fake spyware”.   

There is a growing number of sites in the US using vulnerabilities in Internet Explorer to install this program.

All these sites are part of a security scam hijacker group we know well, and they have the same script in common in the head of their site code:

[Screenshot: the shared script in the head of the page source]

At the moment, the code leads to exploits and installs of Spyware Quake. Since last week, they have been taking over domains in blocks of IPs.

The basic look of all the sites is something like this:

[Screenshot: typical appearance of the sites]

They are using both the old Javascript and WMF (css.wmf) exploits to install themselves:

[Screenshot: Javascript exploit]

[Screenshot: WMF exploit]

Of course, if your system is patched, not much will happen.
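Because these sites serve the WMF exploit under a stylesheet name (css.wmf), a defender cannot rely on file extension or Content-Type. The following is an added example (not Sunbelt’s code): a Python content sniffer that identifies a WMF by its header bytes and flags the META_ESCAPE/SETABORTPROC record that the MS06-001 exploit files depended on. The sample inputs are constructed in the code and carry no payload.

```python
"""Flag WMF metafiles carrying a META_ESCAPE/SETABORTPROC record.

Defensive content check for downloaded files, written as an added example
(not Sunbelt's code).  A file named css.wmf, or anything else, is identified
by its bytes rather than by its name or MIME type.
"""
import struct

META_EOF = 0x0000
META_SETMAPMODE = 0x0103        # harmless record used in the fixtures below
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009           # escape code the MS06-001 exploit files relied on
PLACEABLE_KEY = 0x9AC6CDD7      # magic of the optional 22-byte placeable header
STD_HEADER_LEN = 18             # standard WMF header is 9 WORDs


def strip_placeable_header(data: bytes) -> bytes:
    """Return the standard-metafile portion, dropping a placeable header if present."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return data[22:]
    return data


def is_wmf(data: bytes) -> bool:
    """Sniff a WMF by its header fields, not by file extension."""
    body = strip_placeable_header(data)
    if len(body) < STD_HEADER_LEN:
        return False
    file_type, header_size, version = struct.unpack_from("<HHH", body, 0)
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def iter_records(body: bytes):
    """Yield (offset, function, params) per record; stop at META_EOF or on damage."""
    off = STD_HEADER_LEN
    while off + 6 <= len(body):
        size_words, func = struct.unpack_from("<IH", body, off)
        size = size_words * 2
        if size < 6 or off + size > len(body):
            break   # a record cannot be shorter than its own header or run past the file
        yield off, func, body[off + 6:off + size]
        if func == META_EOF:
            break
        off += size


def scan_wmf(data: bytes) -> list:
    """Return one finding per SETABORTPROC escape; empty list for benign or non-WMF data."""
    findings = []
    if not is_wmf(data):
        return findings
    body = strip_placeable_header(data)
    for off, func, params in iter_records(body):
        if func == META_ESCAPE and len(params) >= 2:
            escape_code = struct.unpack_from("<H", params, 0)[0]
            if escape_code == SETABORTPROC:
                findings.append(f"META_ESCAPE/SETABORTPROC at offset {off}")
    return findings


def build_wmf(records) -> bytes:
    """Constructed fixture builder: standard header + records + META_EOF (no payload)."""
    records = list(records) + [(META_EOF, b"")]
    encoded = [struct.pack("<IH", (6 + len(p)) // 2, f) + p for f, p in records]
    body = b"".join(encoded)
    max_record = max(len(r) // 2 for r in encoded)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300,
                         (STD_HEADER_LEN + len(body)) // 2, 0, max_record, 0)
    return header + body


# Constructed sample inputs (not captured from any real site).
SUSPICIOUS_WMF = build_wmf([
    (META_SETMAPMODE, struct.pack("<H", 1)),
    (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)),   # escape 9, zero-length data
])
BENIGN_WMF = build_wmf([
    (META_SETMAPMODE, struct.pack("<H", 1)),
    (META_ESCAPE, struct.pack("<HH", 0x0001, 0)),         # NEWFRAME escape, not flagged
])
PLACEABLE_PREFIX = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
CSS_TEXT = b"body { background: url(css.wmf); }"          # a real stylesheet, not a WMF

if __name__ == "__main__":
    for name, blob in [("suspicious", SUSPICIOUS_WMF), ("benign", BENIGN_WMF),
                       ("placeable", PLACEABLE_PREFIX + SUSPICIOUS_WMF), ("css", CSS_TEXT)]:
        print(name, is_wmf(blob), scan_wmf(blob))
```

Running the same check over a proxy’s download cache is one way to catch this delivery regardless of how the file is named.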

These sites are often available through search engines, such as this example of a bad site, gioiatours(dot)com (do not go to this site):

[Screenshots: search engine result and the gioiatours(dot)com page]

We have some new IPs of sites that are doing this behavior: 70.85.179.48 and 70.85.179.49.

Server for the IPs

OrgName:  ThePlanet.com Internet Services, Inc.
OrgID:   TPCM
Address:  1333 North Stemmons Freeway
Address:  Suite 110
City:    Dallas
StateProv: TX
PostalCode: 75207
Country:  US

A list of domains associated with these IPs is available (Excel and PDF).


Alex Eckelberry
(Data provided by Sunbelt senior researcher Patrick Jordan)

 

Sunbelt TechTips for the week of April 17

How to change maximum number of frequently used program shortcuts
When you use the same program frequently, it goes into the Most Frequently Used Programs section of the XP Start menu. By default, the eight most frequently used programs show up here. If you’d like XP to display more (or fewer) programs, you can change that. Here’s how:

  1. Right click the Start button.
  2. Select Properties.
  3. On the Start Menu tab, click the Customize button.
  4. On the General tab, under “Programs” in the middle of the page, set the number of programs you want to appear on the most frequently used menu. You can select from 0 to 30.
  5. Click OK, and then OK again to exit the dialog boxes.

If you select a high number, you should also select “small icons” on the General tab so there will be room to display them all.

Great Resource for Understanding Security Bulletins
Each month, Microsoft releases a set of security bulletins on “Patch Tuesday,” along with a technical description of each bulletin. But for some folks, those descriptions are a little too technical and long-winded. Enter Randy Franklin Smith’s Ultimate Windows Security website, where he provides an explanation and his own personal take on each of the security bulletins soon after they’re released. Not only does he mostly de-jargonize the language in the bulletins, he also provides caveats and tips on how to determine whether you need to deploy them based on your particular situation. You can also subscribe to have the assessments sent to you each month via email.  Link here.

How to disable media sensing for TCP/IP
Windows XP contains a feature called media sensing that is used to detect whether your computer is physically connected to the network. If it senses that you’re disconnected, it will remove the bound protocols from your network adapter. If you don’t want this to happen, you can disable media sensing by following the instructions in KB article 239924 here.

Can’t open Office files in Internet Explorer
If you try to open an Office XP/2003 file in Internet Explorer 5.5 or 6.0, you might get an error message that says “414 Request – URI too large,” “404 Page Not Found” or “A DDE error has occurred.” This happens because the file or path name is too long. You can update IE with the appropriate service pack to fix the problem. For more information, see KB article 416351 here.

XP Search doesn’t find Office files
If you try to search for files created by Microsoft Office programs (with the extensions .doc, .ppt, .xls, etc.), you may find that the Search function doesn’t locate any files even though you know that such files exist on the hard drive you’re searching. This can happen when you’ve upgraded or removed Office. For a workaround to the issue, see KB article 312510 here.

Deb Shinder

Online is Forever

The Internet community has done a lot of talking about copyright issues. After all, when you spend hours or weeks or months writing a brilliant piece of prose to post on the ‘net, you want to be sure that you get the credit for it.

But what about those less-than-brilliant bits of writing that you may have authored over the years? You know the ones I mean, don’t you? Those embarrassing newbie questions you asked on the tech newsgroup years ago. Those mailing list political exchanges that deteriorated into screeching screeds. Those passionate declarations of everlasting devotion emailed to what turned out to be the very temporary love of your life. Those complex philosophical essays that seemed so clever when you were pounding the keyboard at three in the morning after a few too many drinks and/or a lot too little sleep.

Far from wanting the credit, you probably wish those would just go away. I remember being advised, in my early years, to never send something that I’d written while in an emotional state without waiting a few days and reviewing it in the cold light of day. Since back then, sending a communication – whether a love letter or a letter to the editor or the filing of a lawsuit – meant putting it in an envelope, finding a stamp, and trekking down to the corner mailbox, it was easy advice to follow. Today, sending takes a single click of the mouse, and your words are out there in the wild, and out of your control. And you may not ever be able to take them back.

Even when what you’ve written isn’t particularly incriminating, the seeming immortality of electronic communications can be annoying. Who, besides me, has had the experience of putting up a web page on the free server space offered by an ISP and then, after canceling the ISP account, finding it impossible to get that page removed? You end up with this fifteen year old, completely out of date page out there on the Web, which people find when they do a search on your name, containing all sorts of now-obsolete information about you.

Even if the ISP does take down your page, it may not be completely gone. Projects such as the Wayback Machine (www.archive.org/web/web.php) preserve copies of old web pages. Thought you’d gotten rid of that ugly old photo of yourself that used to be on your web site? Sorry, the Wayback Machine can take anyone back to that original version of your site that sports the picture you now hate. You’ve got to wonder if even Microsoft is a little embarrassed by what its web site looked like in 1996 (just type www.microsoft.com into the Wayback Machine and have a look).

What about all the email messages you’ve written over the years? Would you be completely comfortable knowing every one of them is still hanging around somewhere, ready to be exposed to the world? Think just because you deleted them from your machine, you’re home free? Not hardly. Many people use IMAP email servers (such as corporate mail servers) where the mail stays on the server instead of being downloaded to your machine. The advantage is that you can access your mail from different computers. You can delete messages from your mailbox on the server – but most email providers make backups to protect against loss of mail in case of viruses, attacks, hardware and software problems. That’s true if you use POP mail, too.

And never forget that every email message by nature has both a sender and a recipient. The person on the other end may well have saved the message you so desperately wish didn’t exist (or even forwarded it to others). There are ways to restrict some messages from being copied or forwarded by the recipient (for instance, using Microsoft’s Rights Management Services) but they require special software or configurations on both ends, and don’t prevent the recipient from doing a screen capture or even taking a photo of the message on the screen.

If you aren’t thrilled with the idea of having your Internet activity live forever, you’ll probably be interested to know that it may soon be the law. The U.S. Congress is considering legislation to make data retention mandatory. That means Internet providers would be required to record their customers’ online activities and keep those records for a specified amount of time (anywhere from six months to two years has been discussed). The European parliament has already approved similar laws. Read more about U.S. plans here.

States are also getting into the act. In Colorado, a Democrat in the state senate has proposed an amendment to a sex offender bill that would require ISPs to retain records of IP addresses assigned to each of their customers for 180 days, with fines up to $10,000 per incident for violation.

ISPs aren’t thrilled with the prospect of paying for storage space to keep huge amounts of data representing all their customers’ email, web browsing, chat activity, etc. And of course, if such requirements become law, they’ll pass the costs on to their customers and the price of Internet connectivity will rise. Privacy advocates are even more concerned that this is just one more step toward a “big brother” police state. But government officials play their two favorite fear factor cards: 1) it’s to fight terrorism and 2) it’s for the children (to fight child pornography).

These are both noble causes, but do they necessitate keeping all these records on everybody, including people who are not suspected of breaking any laws? Federal laws already require ISPs to retain records if a government entity requests them to do so, as would be done in the course of an investigation where law enforcement had reason to suspect wrongdoing.

For an example of what happens when the government has too much access to people’s private messages, click here.

It seems that in Iran, people who send SMS text messages containing jokes about their president, as well as jokes about sex or the country’s nuclear program, are being arrested. Is this where we want to go?

What do you think? Are critics of the data retention plans worrying over nothing? Are these drastic measures necessary to protect us from Internet criminals? Have you ever posted something on an Internet forum or sent an email that you’re now ashamed of or embarrassed about? Should ISPs have to bear the cost of warehousing customer data? Or should the government (i.e., the taxpayers) pay for it? Will more and more government regulations on service providers result in the Internet once again becoming a luxury only the wealthy can afford? 

Deb Shinder

A rather surprising find

After my blog post earlier today on a new rogue antispyware program, Spyware Soft Stop, our Eric Howes made a surprising discovery. 

Look at this screenshot:

[Screenshot: Spyware Soft Stop scan results]

As you can see, it found six files and identified them as various types of malware.

The problem is, not only are those files just junk files (not malware), but the Spyware Soft Stop application itself installed the files.

That’s right, this application planted the very files it claimed to detect as malware.

Unreal.

Alex Eckelberry

New rogue on the loose — Spyware Soft Stop

There is a new rogue antispyware on the loose, called Spyware Soft Stop (Whois).

[Screenshot: Spyware Soft Stop]

If you have the misfortune to run an executable named “sss_bot.exe”, you’ll be presented with a fake (and poorly worded) security message:

[Screenshot: fake security message]

What follows are more crafty screens designed to make you think you’re doing a normal Windows update:

[Screenshots: fake Windows Update screens]

And here’s the lovely app in all of its glory:

[Screenshot: the Spyware Soft Stop application]

Of course, it then reports numerous terrifying results (all false) that one can only “clean” by purchasing the program.

[Screenshot: false positive results]

Alex Eckelberry
(Thanks for the tip from some French friends)

Fake news

Video News Releases (VNRs) are pre-made newsreels sent to TV stations, who in turn broadcast them as “news”.  The stations may or may not modify the VNRs, but they are always about one thing:  Promoting an agenda.  

VNRs are often thought of as coming from big pharmaceuticals or political parties.  While this is true (never trust a TV news spot for a new novel “drug”), VNRs are also used in a wide variety of other industries.   It’s even happening in high tech.

Take, for example, this clip from an antivirus company.  Watch the original VNR, then watch this version, which is what an actual TV station used.  (You only need to watch the first 15 seconds to get it).

Or take this clip from Intel (original and then as run on a TV station).

News?  No.  It’s just “good PR”.  A big player in the space is D S Simon Productions.

You can see a whole bunch of other fake TV news here, and more information at the Center for Media and Democracy.

Alex Eckelberry

Follow the money redux

An article in BusinessWeek about the adware cash cow:

…Edelman shows how ads purchased for placement on Yahoo and partner sites by companies such as Cablevision Systems Corp. (CVC ) were also redistributed until they showed up as pop-ups. According to Edelman, Yahoo became blind to the trail of its own ads. One partner, Ditto.com, presented a Yahoo ad through another site, NBCSearch (not affiliated with the TV network). That company passed it along to one of its own partners. (NBCsearch and Ditto.com did not respond to requests for comment.) Sometimes, the ads showed up in pop-ups from spyware programs. In a prepared statement, Yahoo says it “takes the quality of its search ad distribution network very seriously. We are carefully investigating the claims that have been raised.”

Link here via MediaPost.

Alex Eckelberry

Stay far away from YapBrowser

This is a completely worthless and, in fact, potentially dangerous application that pre-installs 180Solutions Zango and does nothing but apparently redirect you to a porn site.  A relationship to child porn is even suggested from posts by Andrew Clover (who calls it the “kidporn browser”) and PaperGhost.

You can see here the URL “microsoft.com” is redirected to this porn page:

[Screenshot: microsoft.com redirected to a porn page]

More worrisome is a Russian document (related to the highconvert gang) that we uncovered on April 4th which suggests that the YapBrowser will be used for some very nasty spyware installs.  You can read the translated document here.

Some snippets:

Since we’ve already developed our own bot system we’ve decided to provide our partners with some convenient tools. We’ve invented Adware system. The idea of this system is to have software that will be installed on user’s PC by our Loader. After being installed on user’s PC this application will do anything necessary to show ads to the user. It can be some console, icons, messages, screen savers, home page replacements and so on. Programmers’ creative minds have no limits :) There will be a couple of versions of software – simple and aggressive and our partner will be available to choose the most appropriate for them.

 

…Create a mini-browser and install its icon to system tray. Every 10 minutes it will show pop ups (customizable) and if user clicks on tray icon this will invoke our mini-browser. Mini-browser will have a toolbar with a search bar and buttons and links and it will show our web pages. We will implement specific designs for that. (Pop ups and browser itself fits well for showing RRS or dating web sites).

…System messages with any possible content. They are very good to alert the user about some possible threat (virus for example, and it’s very good for advertisement). It’s possible to implement it in a form of “Blue Screen of Death”.  Please think about it and implement anything that is possible.

…Replace 404 error page, home page, search page and local page. Replacement will be done with local html page (local feed). Local pages will be loaded to user’s PC in multiple forms and different designs. They might look like this: www.yapsearch(dot)com

 

…Invisible clickers. Most appropriate for Dating web sites since they pay for every click as well as for RRS. However for this type of application we have to make sure that it doesn’t behave like clicking on all possible URLs but rather imitates the real user. Clicker will work with certain web sites according to the way it was set up.

 

…Replacement for Google, Yahoo, MSN. For example if user goes to Google web site and searches something from there then search results won’t be taken from Google but rather from our RRS. Think of how this can be implemented. This is very common these days so it’s possible to implement it.

 

…Change Security level to… Low (good for installing toolbars, dialers).

 

…This means that admin console [redacted] will provide every advert a link named “Adware Soft”. That’s exactly where new modules will be created. Advert will be able to select what functionality he wants. For instance if somebody doesn’t really want to completely kill user’s machines may choose only one function – replace 404 error messages, home pages and search page or to install our mini-browser only or desktop icons only or all the above.

…Since our AdWare software will be delivered to the end users not only by our system then we must make it customizable for every partner. For example we can create a brand new web site.

 

…On that web site we will offer to adverts our software only and will ask for 30% share in installations. Advert will be able to build .EXE configured in a special way with all functions that he needs. Definitely 30% of his users will see our mini-browser with our content, not his.

 

Just stay the heck away from YapBrowser and Yapsearch(dot)com.  Nothing but bad can come from this.

 

Alex Eckelberry

 

Update: From VitalSecurity: “Just been informed that Techdirt has just picked this up. …and Wayne Porter revisits the ghosts of the past.”

180Solutions targeting kids

People often get adware on their systems through their kids.  Children don’t read EULAs.  They want the funny “punch the monkey” video, so they click away.  That’s why advertising adware to children is considered a Bad Thing.

Last night, Eric Howes, Sunbelt’s director of malware research, was testing an application and did a search on “kids games”. He saw this advertisement:

Games for Kids
Free online games from Zango games. No trial periods, no locked levels, no purchase or subscription required. Get immediate, unlimited access to deluxe game versions for free.
www.zango.com

And checking again this morning, I see the following by simply searching “kids games” on Altavista:

[Screenshot: Altavista search results for “kids games”]

Clicking the link takes you to the landing page on this second screenshot — note the keyword bid info in the URL. It’s quite apparent that 180 knows that they’re targeting kids, and Overture/Yahoo knows they’re doing it, too.  Logs here. 

[Screenshot: Zango landing page, keyword bid info visible in the URL]

Check this article (near the end) for Daniel Todd denying that 180 targets kids:

“There is a general misnomer that game sites are kid sites,” he said, adding that 180 Solutions doesn’t target children.

So what is the truth?

Alex Eckelberry

[As it turns out, adware vendors do use search engines to target kids. Direct Revenue’s business records indicate that it buys ads from both Google and Yahoo. And this article finds that many top search results and ads, for one top keyword, yield spyware and other unwanted software — and estimates that Google makes millions of dollars per year from these types of ads. (Thanks Ben).]

Fix for the fix

I got this through Donna (one of my favorite security blogs).

A recent patch, MS06-015, could cause some problems, such as:

Unable to access special folders like “My Documents” or “My Pictures”.
Microsoft Office applications may stop responding when you attempt to save or open Office files in the “My Documents” folder.
Office files in the “My Documents” folder are not able to open in Microsoft Office.
Opening a file through an application’s File / Open menu causes the program to stop responding.
Typing an address into Internet Explorer’s address bar has no effect.
Right-clicking on a file and selecting Send To has no effect.
Clicking on the plus (+) sign beside a folder in Windows Explorer has no effect.
Some third-party applications stop responding when opening or saving data in the “My Documents” folder.

And then there’s this little mention:

The VERCLSID.EXE process is flagged by Sunbelt Kerio Personal Firewall. Sunbelt Kerio Personal Firewall (http://www.sunbelt-software.com/Kerio.cfm) has a feature which flags any attempt by an application to launch another application for the user’s approval. Kerio is flagging Explorer.exe’s launch of VERCLSID.EXE. When this occurs, VERCLSID.EXE’s execution stops until the user clicks through Kerio’s notification dialog. Users can configure Kerio to allow VERCLSID.EXE to execute without prompting.

Well, it’s nice to be made famous this way, but the resolution is here, in KB918165.

Alex Eckelberry

For the good of mankind, please update your server software

I see so many compromised servers out there it’s not funny.  Phishing sites, malware, whatever.  

Many hacks are avoidable if people update the software on their web servers to the latest versions.  And then apply good security practices.

PHP, Apache, IIS, whatever you’re running, update it religiously.  

Suzi Turner writes a good post on the subject:

I’ve seen some statistics on phishing sites including estimates of how many of them were compromised sites.  The stats indicate that most of the sites are running older versions of Apache, really old versions in a lot of cases, and a high percentage have PHP. 

Link here.

Alex Eckelberry

What happened to AIM?

A few days ago, a family member was having problems with her email. Since she uses AOL, I figured I’d download AOL Instant Messenger (which I had uninstalled in the past) and use that to IM her the location of a file I wanted her to download.

But as you know, AIM is gone, replaced by Triton, a big fat happy application.  

It also installs AOL Explorer, which you cannot remove through Add/Remove Programs.  And, of course, it puts that irritating “Try AOL Risk Free” entry in your Start menu.

AOL Explorer is basically a skin for Internet Explorer, and provides you no more security than IE.  And I already have IE and Firefox on my home machine, so why would I want a third browser?

Well, after a quick search on Google, I found an entry on Trikenit that explains the painfully obvious way to uninstall AOL Explorer:  You run the uninstallation program that’s located in the program files directory, under AOL, under Explorer.  Thankfully, that’s gone.

And, a comment on Trikenit’s blog alerted me to a place where I can find old versions of AIM.  I went right back to AIM 5.5 (which tries to pre-install WeatherBug and WildTangent, but you just need to opt-out of those if you don’t want them).

Alex Eckelberry