Category: Uncategorized

A collection of ITCI’s most popular articles of 2007.  Useful link here.

Alex Eckelberry
(Thanks Glenn)

As always, good stuff from Andreas Marx of Av-Test.org:

We have just finished a new comparison test of AV software. All products (in the “best” available Security Suite edition) were last updated on January 7, 2008 and tested on Windows XP SP2 (English).

First, we checked the signature-based on-demand detection of all products against more than 1 Mio. samples we’ve found spreading or which were distributed during the last six months (this means, we have not used any “historic” samples.) We included all malware categories in the test: Trojan Horses, backdoors, bots, worm and viruses. Instead of just presenting the results, we have ranked the product this time, from “very good” (++) if the scanner detected more than 98% of the samples to “poor” (–) when less than 85% of the malware was detected.

Secondly, we checked the number of false positives of the products have generated during a scan of 65,000 known clean files. Only products with no false positives received a “very good” (++) rating.

In case of the proactive detection category, we have not only focussed on signature- and heuristic-based proactive detection only (based on a retrospective test approach with a one week old scanner).

Instead of this, we also checked the quality of the included behavior based guard (e.g. Deepguard in case of F-Secure and TruPrevent in case of Panda). We used 3,500 samples for the retrospective test as well as 20 active samples for the test of the “Dynamic Detection” (and blocking) of malware.

Furthermore, we checked how long AV companies usually need to react in case of new, widespread malware (read: outbreaks), based on 55 different samples from the entire year 2007. “Very good” (++) AV product developers should be able to react within less than two hours.

Another interesting test was the detection of active rootkit samples. While it’s trivial for a scanner to detect inactive rootkits using a signature, it can be really tricky to detect this nasty malware when they are active and hidden. We checked the scanner’s detection against 12 active rootkits.

Having such a multi-faceted test methodology is important — an antivirus engine could, for example, have extraordinarily high detection, but high false positives. And, a retrospective test allows you to see how well an antivirus’ heuristics work. It’s good to look at all the parameters in order to judge efficacy.

I’ve put the test results into PDF. You can see the main results here and the details of the test of signature detection here.

Alex Eckelberry

A fake MS update spam seen in the wild today.

Payload is IRC.Backdoor.Trojan (VT results here).

Alex Eckelberry

Good tips from Matt Cutts:

Here are three easy but important ways to protect yourself if you run a WordPress blog:

1. Secure your /wp-admin/ directory. What I’ve done is lock down /wp-admin/ so that only certain IP addresses can access that directory. I use an .htaccess file, which you can place directly at /wp-admin/.htaccess . This is what mine looks like:
   

   AuthUserFile /dev/null
   AuthGroupFile /dev/null
   AuthName “Access Control”
   AuthType Basic
   <LIMIT GET>
   order deny,allow
   deny from all
   # whitelist home IP address
   allow from 64.233.169.99
   # whitelist work IP address
   allow from 69.147.114.210
   allow from 199.239.136.200
   # IP while in Kentucky; delete when back
   allow from 128.163.2.27
   </LIMIT>

   I’ve changed the IP addresses, but otherwise that’s what I use. This file says that the IP address 64.233.169.99 (and the other IP addresses that I’ve whitelisted) are allowed to access /wp-admin/, but all other IP addresses are denied access. Has this saved me from being hacked before? Yes.

More here.

Alex Eckelberry

Got this note from a technology-saavy and faithful blog reader. Even he got nailed with this.

No matter how careful one is, it can still happen. Somehow, some one, got my debit/visa card info and placed a small $11.89 charge against my account. I check my account on a regular basis, and while small, it still grabbed my attention. I almost said, to myself that perhaps I bought something and forgot about it. The name of the company stood out though. “Infinity and Sons” with a GA id and phone #.

So I checked out Infinity and Sons into my Yahoo search and found a lot of references to some song lyrics. But in there, there were two listings under “WhoCalledMe” and “800Notes”. On both of those they mention the company in conjunction with unknown charges on peoples accounts. In one forum there was a post by “MGD” which referred to articles on DSLreports. I went and investigated that and was astounded at what I found. This is a small part of a Web Templates fraud that appears to go back to Russia through several money laundering banks.

This person “MGD” has done some in-depth research into this. I found it interesting reading. Of course i called my bank and told them of the charge and then of what I found out. The fraud division was interested in my minimal research and I got them the following links. They are refunding me the charge and are replacing my card. The pure inconvenience of having to carry cash with me, while I wait for my card is annoying, but it is for my protection mostly, and I do have my wife’s card that I can at least use at the ATM.

The main article is here, and the part that lists Infinity and Sons is here.

There are several long pages, but I really wonder how many of these that they get away with. There are also some case histories that show where even the people that run these ‘template’ websites are being duped as well.

Maybe you know of this, but I was amazed at the organization and complexity of this and that it just keeps on growing.

Very interesting. Any other tales out there about this outfit?

Alex Eckelberry

Faithful readers will recall a Trojan that had a pay-by-phone extortion scheme.

The payment processor sent me this yesterday:

I have just found your blog entry about our company being involved in pay-by-phone extortion.

I can say that this is clearly against any terms we have with our merchants that use our convenient phone billing option for accepting online payments.

We where not aware of these issues as described in your blog nor did we receive complaints about this from customers using our payment service.

I guess they thought this was pretty pointless.

I wish we would have caught this sooner, we have instantly blocked any visitors directed to our payment platform from this merchant, furthermore we have requested the online payment services that was used to pay this merchant to block his accounts, furthermore we are looking into what legal procedures that we can follow from his actions although that is a very difficult path to follow.

I have attached a screen shot from the merchant site showing his account is terminate in case we have been replaced already if you go back to check.

As you may understand this blog entry you have on your website is very damaging toward our company, our goal is to provide a convenient method of paying for all the people that do not have a credit card, but wish to be able to shop online as well, would there be any chances you can either update or remove your blog entry with the latest details I just provided you?

If you have any questions I will be happy to answer them all.

Best Regards,
Pin 2 Enter

It appears that the payment processor is correct, and that the payment scheme is no longer in effect. However, if any security researchers out there see otherwise, let me know. We were seeing the payment scheme off the site backdoor-guard com.

Alex Eckelberry

“Ever been prosecuted for tracking spam? Running a traceroute? Doing a zone transfer? Asking a public internet server for public information that it is configured to provide upon demand?

No? Well, David Ritz has. And amazingly, he lost the case.

Here are just a few of the gems that the court has the audacity to call ”conclusions of law.” Read them while you go donate to David’s legal defense fund. He got screwed here, folks, and needs your help.

“Ritz’s behavior in conducting a zone transfer was unauthorized within the meaning of the North Dakota Computer Crime Law.” You might not know what a zone transfer is, but I do. It’s asking a DNS server for all the particular public info it provides about a given domain. This is a common task performed by system administrators for many purposes. The judge is saying that DNS zone transfers are now illegal in North Dakota.”

Link here (via Technocrat).

Alex Eckelberry

A brand new rogue.

Home page:

Typical fake dialog box:

Fake scan:

Application:

This program creates fake “infection files” These files are placed into the document and SettingsUserAcctLocal SettingsTemp directory (list here). Here is an example of what is actually inside one of these fake files:

Payment is done through Bucksbill:

Alex Eckelberry
(Credit to Bharath and Patrick Jordan)

Got this from someone today:

If any of you are headed overseas armed with your new iphones, watch out. If you let it download data it can really cost you. After a 36 hour trip to London they suspended my service when it hit $3,500 for data charges. Since then I’ve retroactively added their best data plan and am still looking at a $600 plus bill. Even so, the plan allows for a measly 50mb per month (I burned 120mb and don’t even remember looking at much besides the NYT) and is only good in certain countries.

Anybody know a consumer protection beat writer?

Gulp. Any other similar experiences out there?

Alex Eckelberry

Our good buddy Bill P got pitched to bundle a toolbar with his product, WinPatrol. Unlike some others out there, he firmly passed, passing up loads of money:

I crunched the numbers and sure enough the revenue I could receive by including the toolbar would be huge. My overhead is low and the free version of WinPatrol has many thousand downloads even on the slowest day. If I chose to include the Ask.com tool bar I could probably retire comfortably by the end of the year.

Unfortunately, a number of people think I’m a really, good guy and I respect their opinion. For the last ten years WinPatrol has had a flawless reputation. I know myself, I really hate companies that install additional software that I didn’t ask for. It’s not only rude, it’s just wrong.

Right on, Bill.

Alex Eckelberry

Today, we released version 5 of iHateSpam.  Initially, this release will support Outlook, and by the end of the quarter, we’ll have support for Outlook Express and Thunderbird (for now, people wanting spam protection for Outlook Express should download iHateSpam 4). 

Upgrades to this new version are free for current iHateSpam customers under a maintenance plan.

This new version was developed in partnership with our friends over at Cloudmark, and it is light years ahead of our prior version (which, frankly, had gotten long in the tooth).

There’s a long, long story behind iHateSpam.  It was the first security product I launched shortly after coming to Sunbelt in 2002, and I have lots of memories with this little tool (and a few tales to tell, but that’s for another time).

Feel free to take it for a spin.  It’s a really nice desktop antispam solution, and it’s priced to be a no-brainer.  Product page link here, company PR here.

Alex Eckelberry

Patrick Jordan

First, we have a complete rip-off of the PC Tools site, pushing the rogue security program SpyShredder.

Then, courtesy of our friends at F-Secure, we have this application for the Mac which finds malware on any machine (Mac, Windows, whatever), even when there is no malware there. In fact, what is finding is completely bogus.

And check out these amazing results on what I thought was a Windows XP system:

Alex Eckelberry
(Thanks Adam)

Back in 2003, when we first shipped our antispam product for businesses, iHateSpam for Exchange, we built it to be specifically designed for Microsoft Exchange. Then, when we came up with iHateSpam’s successor, Ninja Email Security, we again focused on tying very closely into Exchange.

Hooking tightly into Exchange has real benefits to the administrator. For example, since we’re on the Exchange box, we’re seeing every email in the organization, so we could then do things like intra-company attachment filtering.

However, we found that a number of admins were using our Ninja product on Exchange, but also running a box on the gateway to “pre-filter” to reduce the load on Exchange — often, cheap boxes. And this makes sense — with 90% of email traffic being spam, it makes sense to keep as much load off the Exchange server as possible.

We thought we could do a better job of it, and so we started working on our product — evaluating the competition, seeing what was out there.

A dominant theme in our research was something like this: A company takes a bunch of open source software, puts it on some cheap hardware, and ships it. Certainly, there were exceptions. At the high end of the market, you have companies like IronPort, which builds beautiful technology on top of Dell hardware. But it’s very expensive stuff.

We don’t like expensive.

Now, there are a few core components in an email security appliance:

– The operating system. In most cases, you’ll see Unix variants, but in some, you’ll see Windows server boxes.
– Mail server software. This handles the job of actually delivering the email. Often, SendMail is used for this task.
– An antispam engine (often, SpamAssassin, a solid antispam engine)
– An antivirus engine (often, ClamAV)
– The hardware itself

In other words, what a number of companies will do is simply take a hardened version of Linux, put SpamAssassin and ClamAV on top of it, add a few enhancements, make a UI to pull it all together, throw it on a box and ship it.

Now, that model is fine, but we didn’t agree with many aspects of it (for starters, why not just do it yourself at that point?).

So what could we do that could really give the competition a run for their money?

First, we could start with the hardware. Instead of using low-cost, disposable hardware, we would partner with Dell, which makes outstanding server hardware (you can argue about their desktop systems, but their servers are an entirely different game). By doing so, we would be able to get solid quality hardware, as well as provide our customers, at no charge, Dell onsite service with a guaranteed four-hour turnaround time. It costs me more. But it’s better.

Then, we took an excellent Linux variant, CentOS, and hardened it for enterprise-grade security.

Then, our software would be carrier grade, not a bunch of apps thrown together in a box.

Our mail server — the most important component — was going to be top notch. So we partnered with MessageSystems, a leading developer of mail server software that’s used by carriers (for example, Verizon is one of their customers). This software is rock-solid, and is also blindingly fast.

Then, we partnered with our friends at Cloudmark to for the antispam component; and BitDefender for the antivirus component (we’ll add our own AV engine later this year, after our AV certifications are complete). Cloudmark is the Rolls-Royce of antispam products, with low false positives and a high catch rate; BitDefender is one of the best antivirus engines on the market.

And instead of some UI that looks like it was made to run on an old Dec VMS system, Robert LaFollette, our creative director, worked to make something that was elegant, powerful and simple. We wanted to make it easy to use, realizing that a lot of admins don’t have the time or patience to go through pages of documentation.

We didn’t go for having all the possible bells and whistles in the first release. We focused on providing solid email security that won’t break your budget (or the delivery of your email).

So there you have it: Ninja Blade, our first hardware product. And the price is very, very low: $1,995 for the base model (up to 500 users), with an additional $599 for the first year of updates and upgrades. Prices go up from there for larger sites.

If you want to see the UI, I have a real-live box that you can play on. Simply go to demo.ninjablade.com, and use the user name “admin” and password “ninjablade”. Have fun! (The server gets reset periodically, so just try again in a few minutes if the link doesn’t work.)

More corporate propaganda here, and the product website here.

Alex Eckelberry

Bear with me — we’re testing the new Ratings feature available with Haloscan.

If everyone thinks the whole idea is stupid, I’ll drop it. 

Alex Eckelberry

Last night, I did one last quick email check before calling it a night and saw a message from a friend who works with a small non-profit. She’d forwarded the Barbara Moratek spam, greatly concerned about it. I took a quick look, and got a blog post up so that at least people searching the name would be warned. I didn’t think it would elicit much reaction.

This morning, I took a look at the comments and was just disgusted to see all the comments from non-profits that had been targeted by this scam. These were the people who Googled the name and found my blog post. What about the others who didn’t?

How sick to target people who are working with no money to help others in need.

Oh, that’s bad, bad karma.

Alex Eckelberry

codeczang(dot)net

Pushes both Windows and Mac TrojanDNSChanger.

Mac: codeczang(dot)net/download/codeczang1123.dmg
Windows: codeczang(dot)net/download/codeczang1123.exe

And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.

Patrick Jordan

There is a new scam going around where small non-profit organizations are being targeted by a “Barbara Moratek” of the “Ivete Foundation“.

The email looks something like this:

———
From: B. Moratek- Ivete Foundation [mailto:bmoratek@ivetefoundation.org]
Sent: Thursday, January 10, 2008 5:42 PM
To: <redacted>
Subject: Information for prospective donors

Would you have additional information for prospective donors or volunteers other than what is on your website? Thank you in advance.

Warm regards,

Barb
Barbara Moratek
Vice President, Director of Grant Programs
Ivete Foundation
Phone-
Fax- 800.397.7205
Web- www ivetefoundation.org

The spam email is likely some type of 419 scam.

However, Googling “Barbara Moratek” shows a bunch of links pushing fake codec Trojans and other junk sites (many on Blogger).

It’s likely that malware sites are taking advantage of the fact that people will be googling this name to find out more about it, by stuffing pages with the term “Barbara Moratek” (spamdexing), having purchased or otherwise acquired “zeitgeist” keywords (meaning, loading sites up with current “hot” keywords and then using them to lure people to their site).

Our research is continuing, but we felt it prudent to get a blog post up so that people googling this name will hopefully have some kind of warning.

Alex Eckelberry

Gizmodo’s take on CES (thanks Steve). For CES veterans, it’s funny. (Thankfully, I didn’t go this year.)

And getting from Here to There (via beSpacifc).

Alex Eckelberry

Since some may ask, we have had the MBR rootkit (Trojan-Spy.Madlo) in our defs since around mid-December.  Through our primary infection tracking system, Threatnet, we believe that current in-the-wild propagation is very light to practically non-existent.

It still doesn’t mean it’s still not a very serious potential threat. 

Alex Eckelberry