Legitimate security companies advertised through malware

We’ve seen a number of examples lately of legitimate security companies being advertised through malware.

It is important to note that this advertising is not from the companies themselves. It’s coming through affiliates (meaning, people who make commissions on the sales they refer).

1. Advertising through Trojan DNSChanger
We have observed both StopZilla and PC Tools being marketed in search redirects from Trojan DNSChanger infections. A video through Vimeo is available below; unedited raw video is available here (video taken on 1/22/2008).


Trojan DNS Changer video from alex eckelberry on Vimeo. Click here for a higher quality version

(Apologies for the poor voice recording quality.)

2. Advertising in LOP

Symantec and Zone Labs products have recently been observed being advertised through popups in CiD (Circle Development, aka C2 Media or Lop.com).

[image: Symantec_cid_sb]

[image: Zone_cid_sb]

(Observed on 2/6/2008)

3. Advertising in SurfSidekick

Ben Edelman also recently observed a full-screen popup of the Symantecstore.com site while running SurfSidekick.

Traffic flowed as follows: From SurfSideKick (aka Deluxe Communications) to Traffic-Director to Digital River to Symantecstore. Ben was kind enough to provide a screen-capture and a full packet log.

[image: Ssk-trafficdirector-digitalriver-symantec-020308]

(Observed on 2/3/08)

Affiliate programs are a great way to spread the word on your product, but they need to be monitored carefully for abuse.

Alex Eckelberry
(Additional credit to Adam Thomas at Sunbelt for creating the video)

Nifty new tool from ESET

My good friend and colleague Randy Abrams at ESET showed me their new SysInspector last week when I was in DC, and it is a cool little utility.

From their description:

ESET SysInspector is an application that thoroughly inspects your computer and displays gathered data in a comprehensive way. Information like installed drivers and applications, network connections or important registry entries can help you to investigate suspicious system behavior, be it due to software or hardware incompatibility or malware infection.

I’ve installed it and am still learning it. But it looks like a potentially great new tool for analyzing troubled systems.

[image: Esettool123888]

You can download a free beta copy here.

Alex Eckelberry

Zango defends Snopes

In a classic “Thank You For Smoking” spin, Zango CTO KeithKen Smith has responded to my post on Snopes pushing adware:

To be sure, Snopes was pushing Zango: in exactly the same way that it continues to “push”, oh, let’s see, umm, QuickBooks, the Oreck Air Purifier, eBay, a call spoofing service (served up helpfully by Google), and an e-tutorial service for kids who aren’t doing well in school. In other words, Snopes.com serves ads, and makes money from those ads.

This is sophistry at its best and ignores the key fact: This pop-under ad was pushed consistently (at least in my geographic region) and could have easily been turned off through the Fastclick UI. Furthermore, this was one of several pop-unders — it was not a banner ad or a Google adword (which the site has plenty of).

As I’ve said before, I have no problem with advertising. I do have a problem with constantly pushing this type of ad. I did notify Snopes months ago, and they ignored my notification. Perhaps they considered my email spam, perhaps they never saw it, perhaps they didn’t understand it — whatever — but the ultimate point is, it was an ongoing campaign that was prominent on this site.

[image: Obiwanmindtrick]

Later, after ending the original post with “these aren’t the droids you’re looking for” and “Nothing to see here folks. Move along” (yes, he really does say that), Keith then pushes the old “we give great content in exchange for loading your machine up with crap”:

Zango uses desktop advertising to help keep the content we DO install FREE. In other words, if you install our SpamBlockerUtility, you really do get an anti-spam engine that you would otherwise have to pay money for. And yes, while you have it installed, we will show you some targeted ads, a trade-off that we describe no less than three separate times during the install process. But you really (honestly, truly) do get the anti-spam software that the ad referred to.

This is disingenuous. You may get a spam blocker, but what you get in return is patently awful.

And the notice and disclosure? Zero, by today’s standards. It’s buried in a massive EULA, as Harvard researcher Ben Edelman has confirmed independently. We’re back to 2004 all over again.

Remember that almost two years ago, Zango trumpeted its new notice and disclosure, promising:

It’s important to us that consumers understand our products and that they provide full, informed consent before installing our software. Is this the last of our efforts in improving the user experience? Absolutely not.

Now, apparently because this spam blocker is part of their “Hotbar” acquisition, that notice and disclosure is not required.

Zango has a real problem. By our own research, 80% of its business comes from Seekmo, the porn side of its business. They need more “legitimate” customers but have an increasingly difficult time getting them. We believe that the company is having a very difficult time actually spending their ad dollars to promote their product, since so few sites will take on their ads.

And now, with Snopes no longer pushing a Zango ad, it’s even harder.

And, separately, Snopes responds:

Reader CD got a response from Snopes, which he reports as following:

Thank you for inquiring about the possibility an advertisement that violates our acceptable advertising guidelines at www.snopes.com/info/faq.asp#ads may have been displaying to some visitors to our site.

We have temporarily removed from our site *all* advertisements from the agency that handles the ad in question while we investigate if and how such an ad was indeed being served to some of our visitors.

We don’t ever knowingly run adware or malware on our site — that’s not who we are or who we’d ever want to be.

Ok, I’ll give the Mikkelsons the benefit of the doubt. It’s possible that the advertisements we observed were based on geolocation, and it’s quite possible that they never knew that the ad was pushing adware.

I wouldn’t stop using Snopes. It’s a good service. I’ll keep checking the site, but I really doubt you’ll ever see anything like this happen again.

However, one part of the strategy of the Antispyware Coalition to reform the business is “public shaming” — that is, to shine light on bad practices. Snopes has learned a hard lesson. They’ve stopped pushing these ads, and the internet community is a bit of a better place now.

And that, folks, is a good thing.

Alex Eckelberry

The Antispyware Coalition Public Workshop

[image: Asc2008128888]

(Thanks to Bill Pytlovany for the image)

I was up in DC on Thursday for the Antispyware Coalition’s Fourth Public Workshop. I moderated a panel entitled “CSI Spyware: Can Investigators Stay Ahead of the Bad Guys?”. I was fortunate to have really great panelists: Chris Boyd, FaceTime Security Labs; Lance James, Secure Science Corporation; Cindy Southworth, NNEDV; and Luke Erickson with the FTC.

Chris Boyd put a bunch of pics of his trip on Flickr (including pictures of Lance James doing a very good job on the piano), and Bill Pytlovany blogged about it a bit here.

Hopefully someone taped the thing so we can put up a vid of some of the parts of the conference.
Update: Link to audio and slides here.

Alex Eckelberry

Big Italian bank says “Google your password to see if it’s good”

Err… a big Italian bank, Fineco, gives these instructions for creating a password. It’s in Italian, but Francesco here did some translation:

“to verify the security of a password, it is sufficient to put it in any search engine (such as Google): if it returns less than 10 results, it means it is a good password”

And then they have examples of how many search results should determine a good password!

pippo = 767,000 results -> very bad password
05Fineco = 30 results -> good password
F1n3co = none (“nessuno”) -> excellent

See for yourself. A machine translation to English of the site is here.

This is just beyond nutty.
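To show why hit counts say nothing about strength, here is an added example (not from the original post or from Fineco) that looks at the bank’s three sample passwords the way a cracking tool would: strip the numeric prefix, undo leetspeak, and check the result against a wordlist. The wordlist, the leet table, the 1,000-rule figure and the 40-bit threshold are all constructed assumptions for the demo.

```python
import math
import string

# Constructed mini-wordlist for the demo: the bank's name plus the page's
# own example words. Real cracking wordlists hold millions of entries.
WORDLIST = {"fineco", "pippo", "password"}

# Common leetspeak substitutions; cracking tools undo these with cheap mangling rules.
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}

# Assumed size of an attacker's mangling-rule set (hypothetical round figure).
RULE_COUNT = 1000

# Passwords whose effective guess space is below this many bits are treated as weak (assumed cut-off).
WEAK_THRESHOLD_BITS = 40


def strip_affixes(pw: str) -> str:
    """Drop leading/trailing digit runs, e.g. the '05' in '05Fineco'."""
    return pw.strip(string.digits)


def unleet(pw: str) -> str:
    """Map leetspeak digits/symbols back to letters and lower-case the result."""
    return "".join(LEET.get(ch, ch) for ch in pw).lower()


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attacker would have to cover."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the brute-force search space; an upper bound on strength, never a lower one."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def assess(pw: str) -> dict:
    """Estimate strength from the attacker's side rather than from search-engine hit counts."""
    base = unleet(strip_affixes(pw))
    dictionary_hit = base in WORDLIST
    if dictionary_hit:
        # One wordlist entry times one mangling rule: a handful of guesses, whatever the charset.
        effective_bits = math.log2(len(WORDLIST) * RULE_COUNT)
    else:
        effective_bits = brute_force_bits(pw)
    return {
        "password": pw,
        "base_word": base,
        "dictionary_hit": dictionary_hit,
        "brute_force_bits": round(brute_force_bits(pw), 1),
        "effective_bits": round(effective_bits, 1),
        "verdict": "weak" if effective_bits < WEAK_THRESHOLD_BITS else "not obviously weak",
    }


if __name__ == "__main__":
    for candidate in ("pippo", "05Fineco", "F1n3co"):
        print(assess(candidate))
```

All three of the bank’s examples reduce to the same base word, so the one that Google has never seen is no harder to guess than the one with 767,000 hits; a search engine only measures how common a string is on the public web, not how cheaply it can be derived from the bank’s own name.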

Alex Eckelberry

Update on the Snopes-pushing-adware situation

Well, it seems the firestorm of protest has had its effect: Snopes (apparently) is no longer pushing Zango. This seems to have changed yesterday evening (the last time I confirmed the popup was at about 4 pm EDT yesterday).

There were lots of comments on this one.

I did notice a fair number of comments saying something to the effect that “hey, the site has every reason to monetize its traffic through advertising”, etc.

So I have to make a few points:

1. I have no problem with advertising.

2. I have no problem with sites using advertising to pay their bills.

3. I do have a problem with a site consistently pushing one particular popup that pushes adware.

Again, it’s not like this popup was occurring on some limited basis, or part of a series of ads. This was a consistent campaign that showed up regularly, for a long time (probably over a year).

I’m glad Snopes has (apparently) changed its position. Now, we have to work on a few other sites… 😉

To all of you who helped, thank you. I do think this will make a difference in reducing the amount of adware in the wild.

Alex Eckelberry

Update: It’s official.

Not an urban legend: Snopes pushes Zango

I am a big fan of Snopes, and use the service routinely when getting some typical hysterical email from a friend.

But for a long time now (probably at least a year), I’ve noticed that they are in bed with Fastclick, which in turn constantly serves one annoying ad on Snopes:

[image: Snopesshame]

That ad, “Do you want to block Junk Emails?” is for a Zango product — adware (VirusTotal report here). And by running this ad, Snopes, which is highly reputable, is providing an implied endorsement of the product.

Well, here is what your screen may look like after you install this pile of crap (incidentally, with miserable notice and disclosure):

[image: Zango213888888888]

I contacted Snopes about six months ago to complain, but they ignored my message.

Note that:

1. This is one of only two (corrected: more than two, but this particular one is certainly constant and predominant on the site) popups that constantly come up on the Snopes site (the other one is for a registry cleaner, and that’s probably another story when I have time). It’s not like a one-off bad popup that happens in a rotation with other popups. This particular popup is there practically every time you visit Snopes (see for yourself).

2. This would mean that Snopes is getting paid well for these popups (either pay-per-click or by page views). Advertisers like Zango don’t pay to run ads that don’t get a good response. And likewise, a site like Snopes won’t waste valuable ad inventory on poorly-paying ads. And I firmly believe that the fact that the ads do well is because of Snopes’ credibility.

In other words, Snopes is pushing adware because it makes them money. And I believe it’s a lot of money.

And that’s not an urban legend. It’s shameful.

Alex Eckelberry

Update: Snopes has apparently stopped pushing Zango. More here.

Update 2: It’s official.

New Western Union spam with Trojan in the wild

Since late last week, we have been observing a fair number of spams with a Trojan payload, purporting to be a money transfer notification from Western Union. The spam looks like this (the attachment in this screenshot has been stripped by a scanner — the actual attachment should read “Western Union Information.exe”):

[image: Westernunion123888]

The text may read something like this:

Dear Mike

Total of #3750 has been transferred by western union

MTCN number is 007-188-6024.

Enclosed is the western union sheet

Robert

or

Dear Mike

Total of $3750 has been transferred by wetern union

The MTCN number is 007-188-6024.

Enclosed is the transfer sheet

I hope this settles my transfer

Robert

The payload is Trojan.Perfloger (other vendors use many other names for it; a VirusTotal scan is here).
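The lure above has a recognisable shape: an executable attachment dressed up as a receipt, plus a few stock phrases (“western union”, a fake MTCN control number, “transferred”). The following is an added example, not code from Sunbelt or from the original post, of a mail-gateway check that pairs those two signals using Python’s standard `email` library. The sample message is constructed inline from the text quoted above with a placeholder attachment; the extension list, pattern names, sender addresses and the two-hit threshold are assumptions for the demo.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment extensions that execute on Windows and have no business in a transfer receipt (assumed list).
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Lure phrases taken from the samples above; "we(s)?tern" also catches the "wetern" misspelling.
LURE_PATTERNS = {
    "western_union": re.compile(r"\bwe(?:s)?tern\s+union\b", re.I),
    "mtcn": re.compile(r"\bMTCN\b", re.I),
    "control_number": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "transfer": re.compile(r"\btransfer(?:red)?\b", re.I),
}


def build_sample(attachment_name: str, body: str) -> str:
    """Construct a test message (not a captured spam) with a dummy attachment."""
    msg = EmailMessage()
    msg["From"] = "robert@example.invalid"
    msg["To"] = "mike@example.invalid"
    msg["Subject"] = "Transfer notification"
    msg.set_content(body)
    # Placeholder bytes stand in for the payload; this is not a real binary.
    msg.add_attachment(b"placeholder-not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


def executable_attachments(msg: EmailMessage) -> list:
    """Names of attached parts whose filename ends in an executable extension."""
    return [
        part.get_filename()
        for part in msg.walk()
        if part.get_filename() and part.get_filename().lower().endswith(EXEC_EXTENSIONS)
    ]


def lure_hits(msg: EmailMessage) -> list:
    """Which lure patterns appear in the subject or the text body."""
    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = body_part.get_content() if body_part is not None else ""
    haystack = f"{msg['Subject'] or ''}\n{text}"
    return [name for name, pat in LURE_PATTERNS.items() if pat.search(haystack)]


def classify(raw: str) -> dict:
    """Flag a message when an executable attachment is paired with at least two lure phrases."""
    msg = email.message_from_string(raw, policy=policy.default)
    exes = executable_attachments(msg)
    hits = lure_hits(msg)
    return {"executables": exes, "lure_hits": hits, "suspicious": bool(exes) and len(hits) >= 2}


# Constructed sample modelled on the text above; the amount and MTCN are the page's own example values.
SPAM_BODY = (
    "Dear Mike\n\nTotal of $3750 has been transferred by wetern union\n\n"
    "The MTCN number is 007-188-6024.\n\nEnclosed is the transfer sheet\n\nRobert\n"
)
BENIGN_BODY = "Hi Mike,\n\nthe signed contract is attached as a PDF.\n\nRobert\n"

if __name__ == "__main__":
    print(classify(build_sample("Western Union Information.exe", SPAM_BODY)))
    print(classify(build_sample("contract.pdf", BENIGN_BODY)))
```

Requiring both signals keeps a legitimate PDF receipt that mentions a transfer from being flagged, while the spam above trips four lure patterns and carries an `.exe`; in practice the attachment rule alone (no executables from outside, full stop) is the more robust of the two and the phrase list just adds context for the analyst.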

After the Trojan is executed, the user sees a text file:

[image: Capture1231231238888]

But that, of course, is the least of their problems.

An analysis of the program is on the Sunbelt Sandbox, here.

Alex Eckelberry

Another Julie Amero situation might be developing…

[image]

Remember Julie Amero? Well, The Julie Group may have to start evaluating another project.

This time, the story is in Florida — and at a school that’s not too far from our own Sunbelt headquarters.

A school cop at Gulf Middle School, John Nohejl, created a MySpace page to educate kids about safety (with the support of the school). Well, as Wired puts it:

Gulf Middle School resource officer John Nohejl didn’t have porn on his MySpace profile, and he didn’t link to porn. But one of the 170-odd people on his friends list, which seems mostly populated by students at his school, had a link to a legal adult site. Now the New Port Richey Police Department and the Florida attorney general’s elite cyber crimes unit are investigating him for making adult content available to underage children.

From press reports, the adult site linked seems to have been Amateur Match Free Sex, an Adult Friend Finder type of site. It’s well known to anyone on MySpace that affiliates of these types of outfits have been known to do bad things on MySpace (AFF recently settled with the FTC for such behavior). It could have even been a link in the comment of a Friend.

Oh, and after this broke, it was found that the school’s site itself had a link to gay porn. The principal is “outraged”. As Kevin Poulsen at Wired points out, does that mean he gets criminally investigated as well?

This is silly. To criminally investigate an officer because three clicks away from his MySpace page there’s a link to an adult website? (Incidentally, the principal is Stan Trapp and a list of school staff member emails is here.)

At least one thing is heartening — the good folks over at the Florida Cybercrimes unit have their own MySpace page. They may quickly see how ludicrous this whole thing is.

Alex Eckelberry

A note of clarification on malware growth stats

My earlier blog post about the growth of malware has been getting some attention.

There’s a slight clarification needed, which Andreas just pointed out to me:

Could you please change the wording slightly to point out that the numbers are *not* cumulative, but that we’re speaking only about the *new* variants per year, without including the previous numbers?

Again, the numbers are not cumulative… I’ll update the original post.

Alex

So what’s up with all the NotchUp invites?

[image: Notchup1238888]

If you haven’t gotten an invitation to join NotchUp lately, you’re probably in the minority.  One person on a list I’m part of has counted 17 invitations in the past 14 hours. I’ve gotten a few. 

Curious, I decided to see how the sign-up process goes, to see if it’s spamming your address book (I was silently praying that my address book wasn’t going to get spammed, but hoped my friends would forgive me in the interest of research). 

Well, there’s no outright spamming going on that I can see.  You get through a few screens, and then you’re given the option to import your LinkedIn profile.  I did that, and it offered to bring in my LinkedIn contacts. I did that too, and got the screen below (the incentive to invite contacts is a 10% referral fee).

[image: Notchup1238888aaa]

As you can see, while your contacts are opted-in by default, it’s quite easy to deselect them, or press Cancel. I made sure to deselect the contacts, pressed Cancel and no one from my list was sent an invitation (however, I can see how someone could accidentally invite friends).

As social networking grows, we’re all going to get a lot more invites, notifications and other Bacn.  But when it comes to your friends, take extra care to think if they would actually like to get such an email or not.  

At any rate, expect to see a lot more of these NotchUp spams over the next week.

Alex Eckelberry

Lavasoft confirms negotiations to bundle Ask Toolbar

Earlier this week, Lavasoft confirmed in a lengthy post that it is in negotiations with IAC to bundle the Ask Toolbar. The rationalization for Lavasoft is that by doing this bundle, they have the opportunity to work with IAC in making real change in toolbar distribution. This would ostensibly benefit the community.

I have no beef with Lavasoft. Pre-CounterSpy, I used AdAware to remove infections from systems, and recognize and respect them for their tremendous contributions to making the Internet safer. Lavasoft’s CTO, Joe Wells, is also a good friend who used to work for us in developing our antivirus technology. I even enjoyed a good evening of jazz at Vienna’s Birdland not too far back with Lavasoft folks, and I’m generally biased positively to Scandinavians in general, having been brought up in that part of the world.

Nevertheless, IAC is a company with a past (and spyware expert Ben Edelman adds some additional thoughts on their current status). I have written about my thoughts previously, so it’s not worth re-hashing.

In my view, there is only one reason to bundle a toolbar, and that’s for money. Getting into bed with someone in the hopes of making them more moral… I’m not so sure. So to my friends at Lavasoft — please don’t take offense. I’ve been outspoken on this issue and I’m more than willing to hear more of your side of the story.

Readers — your comments are welcome.

Alex Eckelberry

The growth of malware

Interesting data from Andreas Marx at AV-Test.org. This chart shows the growth of unique samples (by MD5) per year.

[image: Malwaremd5charts]

(Data below):

Year # of unique samples (MD5)
1985 564
1986 910
1987 389
1988 1,738
1989 2,604
1990 9,044
1991 18,384
1992 36,822
1993 12,287
1994 28,613
1995 15,988
1996 36,816
1997 137,716
1998 177,615
1999 98,428
2000 176,329
2001 155,528
2002 199,049
2003 178,825
2004 142,321
2005 333,425
2006 972,606
2007 5,490,960

It’s worth noting that these numbers are also increasing because of variants — i.e. the same Trojan will be changed sometimes hourly or daily just to try and fool the scanners. So it’s not like there’s over 5 million unique pieces of malware. There are many that are variants of the same piece of malware.
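Because the “not cumulative” point gets misread easily, here is an added example (not from AV-Test or the original post) that takes the table above as per-year counts of new samples and computes what the running total would be alongside the year-over-year growth factor. The figures are copied from the table; the function names are my own.

```python
# Year -> new unique samples (by MD5) first seen in that year, copied from the table above.
NEW_SAMPLES_PER_YEAR = {
    1985: 564, 1986: 910, 1987: 389, 1988: 1_738, 1989: 2_604, 1990: 9_044,
    1991: 18_384, 1992: 36_822, 1993: 12_287, 1994: 28_613, 1995: 15_988,
    1996: 36_816, 1997: 137_716, 1998: 177_615, 1999: 98_428, 2000: 176_329,
    2001: 155_528, 2002: 199_049, 2003: 178_825, 2004: 142_321, 2005: 333_425,
    2006: 972_606, 2007: 5_490_960,
}


def cumulative_totals(per_year: dict) -> dict:
    """Running total: what the figures would look like if they *were* cumulative."""
    total, out = 0, {}
    for year in sorted(per_year):
        total += per_year[year]
        out[year] = total
    return out


def growth_factor(per_year: dict, year: int) -> float:
    """How many times more new samples appeared in `year` than in the year before."""
    return per_year[year] / per_year[year - 1]


def summarize(per_year: dict) -> dict:
    """New-in-year versus cumulative figures for the most recent year in the table."""
    cum = cumulative_totals(per_year)
    last = max(per_year)
    return {
        "new_in_last_year": per_year[last],
        "cumulative_through_last_year": cum[last],
        "last_year_growth_factor": round(growth_factor(per_year, last), 2),
        "share_of_all_samples_seen_in_last_year": round(per_year[last] / cum[last], 3),
    }


if __name__ == "__main__":
    print(summarize(NEW_SAMPLES_PER_YEAR))
```

Read this way, 2007 alone accounts for roughly two thirds of every MD5 the collection had ever seen, and the year-over-year factor (about 5.6x) is the number that reflects the variant churn the paragraph above describes; a cumulative reading would understate it.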

Nevertheless, this is a good representation of the staggering load of malware that anti-malware folks are under. Like most companies, we’re processing gigabytes of malware daily. Our automated systems like our Sandbox help; but in the end, manpower plays a key role in being ahead of the game. There’s the HUMINT aspect, like hunting down new malware and tracking IPs and locations of the bad guys; but also reverse engineering and specialized code and signatures created for difficult malware. And, there’s difficult coding needed to deal with rootkits and the like.

It’s why being a security company (especially in AV or antispyware) these days is a whole new game. No longer can a company compete with a few folks in the lab and a group of good programmers. They’re out there: Little companies with small teams working an antispyware or antivirus product, but it’s hopeless. A small platoon won’t win this war. You need a brigade.

Alex Eckelberry

Update: Just to make sure everyone understands, these numbers are not cumulative.