Zappos

Mildly off-topic, but CNET has an article about online retailer Zappos getting into electronics and other products. It’s worth a quick read if you buy a lot online.

I do a lot of shopping online, and bar none, Zappos is absolutely, hands-down, the best internet retailer I’ve ever dealt with. The customer service is just flat-out amazing, and you really get the idea when you’re dealing with them that the CEO’s customer-oriented approach has filtered through the whole organization. Plus, they have a blog which is just as odd as mine. And the CEO, like me, is accessible by email and actually answers it.

Now that they’re getting into other areas, I’ll plan on looking to them to buy other things.

Alex Eckelberry

Google Groups Porn Malware Invasion Continues Unabated

Wow, what a cluster f*. Hundreds of thousands of pages, if not over a million.

Examples (warning: graphic language):

[screenshot]

[screenshot]

Most of these push videos that push fake codecs.

But it’s not just malware. There’s spam-a-plenty:

[screenshot]

And there’s also splogs pushing malware, not as porn, but just off of keywords. Here’s a search for “Symantec Download”:

[screenshot]

Click on a link, and you get this page:

[screenshot]

That file being pushed, setup.exe, is a trojan.

Or, let’s use the search term “McAfee download”:

[screenshot]

(I’m not picking on these AV companies; if you do similar searches for Sunbelt products, you’ll hit these types of things as well.)

These slimeballs are using all kinds of keywords. Here are some more, like Blackberry Ringtones and Free Messenger Download, returning spam links:

[screenshot]

[screenshot]

Or how about keeping it simple, and just saying “free download”? Malware!

[screenshot]

I’m not making this up. Crank up a virtual machine and try these searches yourself.

Last week, I was quoted as saying that this invasion is due to Google’s CAPTCHA being broken, and this was rebutted by another. I beg to differ: A large part of this is most certainly caused by bots uploading stuff, breaking the CAPTCHA. They may not break it all the time, but they do break it probably 10% of the time. That’s enough to upload a ton of garbage.

This has to, has to stop.

Alex Eckelberry

Will Baywords be a new haven for malware pushers and spammers?

[screenshot]

BayWords is a new effort by the folks at PirateBay to have an uncensored blog.

In their words:

“Many blogs are being shut down for uncomfortable thoughts and ideas. We will not do that. Our goal is to protect freedom of speech and your thoughts. As long as you don’t break any Swedish laws in your blog, we will defend it”.

Ok, that’s cool. My only concern: Will this mean they will not bother policing the site for splogs and malware sites? We’ve seen Storm on Blogger, and we sure do see a lot of spam sites on there as well. The old free speech thing has its limits. Let’s hope they police it for bad stuff.

Alex Eckelberry

Some new fake codec sites

Some new fake codec and malware sites, listed as IP address followed by the (defanged) domain.

85.255.118.179 swfutility (dot) com (fake codec)
85.255.120.107 flwcoupler (dot) com (fake codec)
85.255.118.213 secureinstruct (dot) com
85.255.116.210 softhomepage (dot) com
85.255.118.214 safetyalertings (dot) com
85.255.118.210 gatece (dot) com
85.255.118.34 gateds (dot) com
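A list like the one above is only useful once it is turned into something a resolver or proxy can enforce. Here is an added example, not from the post or from Sunbelt, that parses indicator lines in the post’s “(dot)” format, refangs them, emits hosts-file blocklist entries, and checks constructed DNS query log lines against the list (subdomains included, while look-alike names such as notgateds.com are left alone). The DNS log line format and the extra handling of “[.]” and “hxxp” defanging are assumptions, not something the post describes.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the indicator list in the post's own format
# (IP address, defanged domain, optional note in parentheses).
RAW_INDICATORS = """\
85.255.118.179 swfutility (dot) com (fake codec)
85.255.120.107 flwcoupler (dot) com (fake codec)
85.255.118.213 secureinstruct (dot) com
85.255.116.210 softhomepage (dot) com
85.255.118.214 safetyalertings (dot) com
85.255.118.210 gatece (dot) com
85.255.118.34 gateds (dot) com
"""

LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<domain>.+?)"
    r"(?:\s+\((?P<note>[^)]*)\))?\s*$"
)


@dataclass(frozen=True)
class Indicator:
    ip: str
    domain: str
    note: str


def refang(text):
    """Turn a defanged domain/URL back into its real form. Handles the
    '(dot)' convention used in the post plus the common '[.]' and 'hxxp'
    forms (the latter two are an assumption about other feeds)."""
    text = re.sub(r"\s*[\(\[]\s*dot\s*[\)\]]\s*", ".", text, flags=re.IGNORECASE)
    text = text.replace("[.]", ".").replace("(.)", ".")
    text = re.sub(r"^hxxp", "http", text, flags=re.IGNORECASE)
    return text.strip().lower()


def parse_indicators(raw):
    """Parse 'IP domain (note)' lines into Indicator records; bad IPs raise."""
    out = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable indicator line: {line!r}")
        ip = str(ipaddress.ip_address(m.group("ip")))
        out.append(Indicator(ip, refang(m.group("domain")), (m.group("note") or "").strip()))
    return out


def to_hosts_entries(indicators):
    """Sinkhole entries for a hosts file or similar static blocklist."""
    return [f"0.0.0.0 {ind.domain}" for ind in indicators]


def is_blocked(qname, indicators):
    """Return the matching Indicator if qname is a listed domain or a
    subdomain of one; a mere substring match is deliberately not enough."""
    q = qname.lower().rstrip(".")
    for ind in indicators:
        if q == ind.domain or q.endswith("." + ind.domain):
            return ind
    return None


# Assumed resolver log format: '<timestamp> client=<ip> query=<name> type=<rr>'.
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def scan_dns_log(lines, indicators):
    """Return (client, queried name, matched indicator domain) for each hit."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ind = is_blocked(m.group("qname"), indicators)
        if ind:
            hits.append((m.group("client"), m.group("qname"), ind.domain))
    return hits


# Constructed log lines: one clean lookup, two hits (one via a subdomain),
# and a look-alike name that must not match.
SAMPLE_DNS_LOG = [
    "2008-04-07T10:12:03 client=10.1.2.3 query=www.example.com type=A",
    "2008-04-07T10:12:09 client=10.1.2.3 query=swfutility.com type=A",
    "2008-04-07T10:13:41 client=10.1.2.7 query=cdn.flwcoupler.com type=A",
    "2008-04-07T10:14:02 client=10.1.2.9 query=notgateds.com type=A",
]

if __name__ == "__main__":
    inds = parse_indicators(RAW_INDICATORS)
    print("\n".join(to_hosts_entries(inds)))
    for client, qname, matched in scan_dns_log(SAMPLE_DNS_LOG, inds):
        print(f"HIT client={client} query={qname} matched={matched}")
```

The suffix check in is_blocked is the part worth copying: matching on substrings would flag notgateds.com, while matching only on equality would miss cdn.flwcoupler.com.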

Patrick Jordan
Sunbelt Malware Research

Sunpoll: Majority believe Windows is in trouble

Interesting results from our non-scientific poll here (you can vote yourself on the front page of our site). This is after Gartner basically said that the End is Nigh. Certainly, videos like this don’t help the cause.

I could wax lyrical on the good and bad about Windows, vs. Mac, vs. Linux, but that’s a long post which I don’t have time for.

However, I will make the observation that Apple has no chance of making real gains on Windows without decoupling their OS from their hardware. Why Apple won’t do this is beyond me. Who cares about higher revenue from selling hardware? It’s the profit that matters — I’d rather sell something with a 99% gross margin (like Windows), than sell hardware at a gross margin of 35%. And I’d rather take over the world than be satisfied with single-digit, albeit growing, market share. (Fill me in if you know more — I’m certainly not an expert on Apple’s internal thinking, although I may need to become one.)

Is the end really near for Windows? Let me know your thoughts.

Alex

Blue Jeans Cable — maybe all the rest of us can learn something from this

Having been the recipient of my fair share of cease and desist letters, I can only admire Blue Jeans Cable’s CEO Kurt Denke’s response to a cease and desist letter from Monster.

Denke is a former litigator, and his closing paragraph is pretty much the Way Things Should Be:

After graduating from the University of Pennsylvania Law School in 1985, I spent nineteen years in litigation practice, with a focus upon federal litigation involving large damages and complex issues. My first seven years were spent primarily on the defense side, where I developed an intense frustration with insurance carriers who would settle meritless claims for nuisance value when the better long-term view would have been to fight against vexatious litigation as a matter of principle. In plaintiffs’ practice, likewise, I was always a strong advocate of standing upon principle and taking cases all the way to judgment, even when substantial offers of settlement were on the table. I am “uncompromising” in the most literal sense of the word. If Monster Cable proceeds with litigation against me I will pursue the same merits-driven approach; I do not compromise with bullies and I would rather spend fifty thousand dollars on defense than give you a dollar of unmerited settlement funds. As for signing a licensing agreement for intellectual property which I have not infringed: that will not happen, under any circumstances, whether it makes economic sense or not.

I say this because my observation has been that Monster Cable typically operates in a hit-and-run fashion. Your client threatens litigation, expecting the victim to panic and plead for mercy; and what follows is a quickie negotiation session that ends with payment and a licensing agreement. Your client then uses this collection of licensing agreements to convince others under similar threat to accede to its demands. Let me be clear about this: there are only two ways for you to get anything out of me. You will either need to (1) convince me that I have infringed, or (2) obtain a final judgment to that effect from a court of competent jurisdiction.

Pwned.

Link here.

I subscribe to exactly the same philosophy, and we’ve responded in the same fashion to the C&D’s we’ve received. If we’re wrong, we’ll fix it immediately. But if we feel we’re in the right, and that there are real business or customer issues at risk, we won’t propitiate and we’ll fight back hard.

What’s sad is when lawyers call the shots in a company. Nothing against lawyers (really, I even have one in my family), but they often don’t have the broad business sense to look at something from the bigger picture. They unnecessarily scare people in a company (especially those who aren’t experienced). And that results in sometimes mindblowingly terrible business decisions. And sometimes, taking a friendly and reasonable approach to a potential legal issue can win you serious props.

Alex Eckelberry
(hat tip)

PC Tools slams “top threat” lists

Our friends down under don’t like lists:

The problem, according to the Australian company, is that the lists — which are now regularly issued by almost every security software company — measure volumes rather than the underlying danger of a particular type of malware.

PC Tools, itself an anti-malware vendor in the same space, dismisses them as being “of no practical use for the security industry or consumers,” and, not surprisingly, advocates its own ThreatExpert analysis system that cross-references volume with other factors such as the design complexity of a threat, its innovation, and its payload.

Examples of threats that regularly turn up on some lists but which pose relatively little danger include the four year-old Netsky, and the packer NSAnti, which itself is merely a means of hiding malware, and shouldn’t even appear on such lists at all, the company said.

“Threat analysis is highly complex. There was a time when volume alone was an acceptable indicator of the level of threat. But the threat landscape has changed significantly and there are a number of additional parameters, besides volume, which are equally, if not more important in identifying and classifying top threats,” said PC Tools CEO, Simon Clausen.

They have a point. But irritating pieces of malware, like Srizbi (315,000 bots active) and Storm (85,000 bots active), have great exposure in security circles but aren’t nearly as widespread as, say, fake codecs. Fake codecs are a plague, and frankly, probably provide a lot of bread and butter money to security companies.

So what do we do? I suppose categorizing based on complexity is a reasonable idea. But these “top 10” lists are useful, to gauge prevalence, and they should not be thrown out. Look, would we want Billboard Magazine to list “most complex or interesting bands” rather than “most sold bands”? There’s room for both.

Alex Eckelberry

People still give passwords for chocolate

[photo]
Hmmm… if I give her my password, I’ll get chocolate… but maybe a phone number too…

Now, considering chocolate in Europe is about 100x better than American chocolate, this may come as no surprise:

A survey by Infosecurity Europe of 576 office workers has found that women are far more likely to give away their passwords to total strangers than their male counterparts, with 45% of women versus 10% of men prepared to give away their password to strangers masquerading as market researchers, with the lure of a chocolate bar as an incentive for filling in the survey. The survey was actually part of a social engineering exercise to raise awareness about information security. The survey was conducted outside Liverpool Street Station in the City of London.

This year’s survey results were significantly better than previous years. In 2007, 64% of people were prepared to give away their passwords for a chocolate bar; this year it had dropped to just 21%, so at last the message is getting through to be more infosecurity savvy. The researchers also asked the office workers for their dates of birth to validate that they had carried out the survey; here the workers were very naïve, with 61% revealing their date of birth. Another slightly worrying fact discovered by researchers is that over half of people questioned use the same password for everything (e.g. work, banking, web, etc.).

Link here.

Alex Eckelberry

Bill of Responsibilities? Err, I don’t like the sound of that at all

If you carefully parse this article, you might get a bit concerned. Comcast is proposing a new “Bill of Rights and Responsibilities” for p2p file sharing.

As Jeff Nolan astutely observed: “How much you want to bet that at some point the responsibilities include ‘verifying your (ISP) customers have rights to the content they are distributing’?”

Link here.

Alex Eckelberry

Blogged to death

This is silly. A New York Times article talks about the unbearable stress of being a blogger.

A growing work force of home-office laborers and entrepreneurs, armed with computers and smartphones and wired to the hilt, are toiling under great physical and emotional stress created by the around-the-clock Internet economy that demands a constant stream of news and comment.

So, are we now going to have yet another disorder proposed for the DSM, of Blogging Anxiety Disorder? I’m glad Battelle concurs (with counterpoint here).

People work themselves to death in all industries. Blogging just happens to make the process far more enjoyable (and sometimes, even lucrative).

Alex Eckelberry

Robert Preatoni speaks about his arrest, his future

Back in November, you may recall that WabiSabiLabi founder Robert Preatoni was arrested in what can only be described as mysterious (or even bizarre) circumstances.

He’s finally talking (a bit) about the arrest.

The case for which I was arrested is actually a huge case and, believe me, no single news agency was able to picture it completely right. Probably, nobody will ever be able to picture it completely right, as it’s a case involving a hundred arrested people, the Italian Secret Services, the US Secret Services, some corrupt Italian police and financial police officers, some Italian and US investigation companies, a multi-billionaire struggle between Telecom Italia and Brasil Telecom, an extraordinary rendition (kidnapping) of a presumed Islamic terrorist, and last but not least, the suicide (but many say murder) of a Telecom Italia Security top manager. Aside from this, the various attempts of the Italian government to take over control of the main Italian telecommunication carrier.

Link here (via NetworkWorld through Donna).

Alex Eckelberry

Google Groups continues to be inundated with malware-pushing porn

As we’ve seen before, this continues to be a problem on Google Groups: Fake posts pushing porn that pushes malware (fake codecs).

A simple search of Google Groups using the search term “porn” shows just an extraordinary number of these sites (you can try it if you like, but realize the risk).

For example, here is a search looking for posts with the keywords “porn video” in the last month, showing 256,000 hits (warning: graphic content):

[screenshot]

A spot-check shows that the vast majority of these are posts pushing malware (fake codecs).

[screenshot]

[screenshot]

And so on.

This really needs to get cleaned up. There’s a reason why so many of the threats that we see users getting infected with are invariably fake codec related.

Alex Eckelberry

Anonymity and Dirty Tricks

I’ve seen a fair amount of this stuff in my career. Just always be careful when reading community reviews on sites like Amazon.com…

With this context in mind, last week we ran across a couple of negative user reviews on Amazon.com that seemed out of character. They seemed especially out of character given that both posters had posted 5-star reviews of Parallels Desktop for Mac, prior to posting less-than flattering reviews of VMware Fusion. After a little investigation via LinkedIn, based on the user names that the reviewers posted under, we found that these reviews were not from actual users but from employees of a competitor, Parallels.

More here.

Alex Eckelberry

Heads-up: Dangerous new customized IRS scam steals data

This afternoon, we got a highly customized email purporting to come from the IRS, which of course, does nothing more than load malware.

The email is made out to a key financial contact here at Sunbelt (name obfuscated for this post). As you can see, it’s quite convincing. (Incidentally, “Sunbelt Software Distribution, Inc.” is no longer our company name; it was recently changed to simply Sunbelt Software. But that’s a side note.)

[screenshot]

Attached to the email is a zip file, which has a .scr file in it:

[screenshot]
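A zip wrapping a .scr is the kind of attachment a mail gateway or triage script can catch before anyone clicks it. The added example below is not from the post or from Sunbelt: it opens a zip archive in memory and flags members by executable extension, by a document-looking double extension, and by the PE “MZ” header regardless of the file name, so a renamed executable is caught too. The archive contents and the member name Tax_Refund_Form.pdf.scr are constructed for the example.

```python
import io
import zipfile

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {
    ".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta", ".cpl",
}
# Extensions attackers put in front of the real one to make the name look harmless.
DECOY_EXTS = {".pdf", ".doc", ".txt", ".jpg", ".xls"}


def inspect_zip(zip_bytes):
    """Return [(member name, [reasons])] for every suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
            if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
                reasons.append("document-looking double extension")
            # Content check: a PE file starts with 'MZ' whatever it is called.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":
                reasons.append("PE header (MZ) regardless of extension")
            if reasons:
                findings.append((name, reasons))
    return findings


def should_quarantine(zip_bytes):
    """Policy hook: any finding is enough to hold the message."""
    return bool(inspect_zip(zip_bytes))


def build_sample_zip():
    """Constructed archive resembling the attachment described in the post:
    a fake PE named as a tax form, a harmless note, and a renamed PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tax_Refund_Form.pdf.scr", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"Please open the attached form.")
        zf.writestr("notes.dat", b"MZ" + b"\x00" * 10)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_zip(build_sample_zip()):
        print(member, "->", "; ".join(reasons))
```

The header check matters more than the extension list: a gateway that only blocks by extension is bypassed by renaming, whereas the two-byte MZ signature costs nothing to read and survives the rename.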

Once clicked, the .scr file downloads several other files and reaches out to several servers, including the “Office of the Attorney General – California Department of Justice”, from which a PDF file is downloaded and opened in your default PDF viewer. In this case, we got a PDF from the following location:

http://ag(dot)ca(dot)gov/cms_pdfs/press/n1478_complaintat&tunauthorizedchargesfinal_tbf2.pdf?id=1594

[screenshot]

The entire purpose of this PDF is to make things look official. Otherwise, it’s meaningless, and does not appear to be malicious.

Interestingly, the id parameter on the PDF URL changes with each install (the number increases), the link is not indexed, and the name of the PDF corresponds to the nature of the attack. Also of interest: the malware sets its request headers (including the user agent) to:

Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en;) Gecko/30060309 Firefox/1.5.0.7
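A hand-crafted user agent like this one is a useful detection hook in proxy logs. The added example below is not from the post or from Sunbelt: it parses constructed proxy log lines in Apache combined format, matches the exact string quoted above, and also applies a more general check that the Gecko build ID, which real Firefox builds of that era stamp as a YYYYMMDD date, is a plausible date in the past; “30060309” fails that check. The log lines, client addresses and host names are constructed.

```python
import re
from datetime import datetime

# Exact user agent string quoted in the post.
KNOWN_BAD_UAS = {
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en;) Gecko/30060309 Firefox/1.5.0.7",
}

# Eight-digit Gecko build IDs are dates; longer modern IDs are left alone.
GECKO_RE = re.compile(r"Gecko/(\d{8})\b")

# Apache combined log format (assumption: the proxy logs in this format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def gecko_build_plausible(ua, now=None):
    """A Gecko build date that does not parse, or lies in the future,
    was most likely typed by hand rather than produced by a real browser."""
    m = GECKO_RE.search(ua)
    if not m:
        return True  # not a Gecko UA, nothing to judge
    try:
        built = datetime.strptime(m.group(1), "%Y%m%d")
    except ValueError:
        return False
    return built <= (now or datetime.now())


def classify_ua(ua, now=None):
    """Return the list of reasons a user agent looks suspicious (empty if none)."""
    reasons = []
    if ua in KNOWN_BAD_UAS:
        reasons.append("known malware user agent")
    if not gecko_build_plausible(ua, now):
        reasons.append("implausible Gecko build date")
    return reasons


def flag_requests(lines, now=None):
    """Parse log lines and return one record per request with a suspicious UA."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_ua(m.group("ua"), now)
        if reasons:
            flagged.append({
                "client": m.group("client"),
                "url": m.group("url"),
                "ua": m.group("ua"),
                "reasons": reasons,
            })
    return flagged


# Constructed proxy log: a normal Firefox 2 request, the malware's PDF fetch
# with the quoted UA, and an IE request. Host names are placeholders.
SAMPLE_PROXY_LOG = [
    '10.1.2.3 - - [07/Apr/2008:14:02:11 -0400] "GET http://www.example.test/index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13"',
    '10.1.2.7 - - [07/Apr/2008:14:05:42 -0400] "GET http://gov-site.example/press/n0000_placeholder.pdf?id=1594 HTTP/1.1" '
    '200 51234 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en;) Gecko/30060309 Firefox/1.5.0.7"',
    '10.1.2.9 - - [07/Apr/2008:14:06:10 -0400] "GET http://www.example.test/logo.png HTTP/1.1" '
    '304 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_PROXY_LOG):
        print(hit["client"], hit["url"], "->", "; ".join(hit["reasons"]))
```

The exact-string match catches this sample; the build-date check is what still fires when the next variant changes a version digit but keeps the impossible date.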

This raises the question: Is this California .gov website compromised in some fashion to serve the PDF? We simply don’t know at this juncture, but this does look suspicious.

Then, a number of other URLs are contacted to download malware, and the user is left with a keylogger on their system. It also appears that malware is downloaded from a number of compromised sites.

Alex Eckelberry
(Additional credit to Sunbelt’s Adam Thomas for his invaluable help)