Shutterbugging it on Christmas Eve

Robert LaFollette, our creative director and a professional photographer, took some great pictures during the holiday.

He made an HDR photo that’s one of the best I’ve ever seen – shot on Christmas Eve on nearby Honeymoon Island.

Here’s his description of the picture:

Photomatix was really quite easy to use, but to get the best results, one needed to get some specifics done right while out capturing the scene. Over the holiday break, I decided to study some more in HDR, so I set out to see what I can find.

While hiking on the trails at Honeymoon Island, Florida, I came across a scene that I have seen a hundred times before, but never attempted to capture it, for I knew the results would not be as good as I saw them. This time however, I met the challenge head-on. Typically, when one tries to photograph a landscape that has a lot of detail, and if the light is not right, the results look like it was taken with a point-n-shoot that we all have seen.

One of the tricks to a successful HDR photo, is of course knowing what you need. So, in this case, I had several tools to call upon to get the shot I was looking for. Those tools of course were my camera, wide angle lens, tripod, bubble level and remote release. The next trick is to set your camera at f/22, ISO 100, and once I get everything set up and the lens focused, switch the lens into manual focus so that it won’t change the focus point during your captures.

The reason for all this preparation is that you need to take at least 3 different shots, but the more the better. To do this, there are several different ways to accomplish this. The first, and perhaps the easiest, is to use your camera’s AEB (Auto Exposure Bracketing) setting, whereas you will take 3 different exposures. Another way is to use your camera’s Exposure Compensation, where when you take each frame, you expose the scene differently. Lastly, you can take the exposures manually. The end result will be one frame -1, the next at 0 and the last at +1 in exposure reading.

Of course, a steady tripod so that each frame is exactly the same, which is also true for the focal length, so once you get everything set up, the only thing you need to do is expose each frame differently. Also, keep in mind the Rule of Thirds for your composition, for without it, the shot will not be as dramatic!

For my shot, I used 5 frames, -2, -1, 0, +1 and +2, for the more frames you have, the more data you have to work with. Once you take all your shots, you are ready to assemble them in Photomatix.

I took all 5 of my frames (which I shot as RAW files), and ran them through Photomatix. Here, you can tweak the settings to get the desired results, which after you play around with them a bit, you can get the hang of just what they do and how they affect the output.

To learn more about how to use the software, here is a great tutorial on HDR photography that will explain everything. So the next time you want to try something new, give HDR a try, for once you see its powers, you will be addicted for life!

We’ll start with the shot with just one exposure:

And here are the five frames used to generate the HDR:

And here is the final image, produced in Photomatix:

(Another link here.)

There’s no special photoshopping going on here. Other than some small modification to the clouds (to compensate for their movement during the shot), it’s just Photomatix doing the work. It makes my playing around with Photomatix look infantile.

Robert also took some other great pics on the same day:

Incidentally, Robert did teach me one trick which has made me (a rank amateur) a much better photographer. I have a Canon Rebel XTi, and he taught me to simply shoot in Aperture Priority Mode (AV mode), playing with the ISO settings to compensate for light. It’s a wonderful trick that will enable you to consistently take great pictures, without worrying yourself over a lot of the technical details. It works for well over 90% of the pictures you might take.

And shifting off on a slight tangent — I like my Rebel XTi, but one camera I seriously considered when I was shopping last year (again, as a rank amateur) was the Nikon D40. I found out recently that Nikon’s ad agency, McCann Erickson, gave out 200 D40s to the residents of Georgetown, South Carolina and then put the results up on a website. It’s a great piece of PR (I’m not recommending one camera over another, I just found the effort interesting).

Finally, I hope all of you had a wonderful holiday!

Alex Eckelberry

Malware gangs gettin’ busy with holiday love

I’m sure you all know by now that there’s a storm out there.

And some new malware sites popped up very recently:

Rogue antispyware pushers:

gatemc(dot) com

Sample: gatemc(dot)com/gatevc(dot)php?id=icn02 redirects to push the fake trojan VirusRanger:

gatedl(dot)com

Sample: gatedl(dot)com/gatech(dot)php?pn=srch0p23total7s2 redirects to push various trojans, made to look convincingly like a Windows dialog box:

Also, add protectionalerts(dot)com (sample at protectionalerts(dot)com/2/01-byu8kl/xp/index(dot)php) and ahomepcsafety(dot)com as new fake security scam pages.

And another new site, toolbaractivity(dot)com pushes fake antispyware (sample: toolbaractivity(dot)com/go.php?step=1, resolves to rdr(dot)hitmngr(dot)com/accs=147 and step=2 resolves to antispyshield(dot)com/advid=177)

Fake codecs:

avsmanufacture(dot)com (sample avsmanufacture(dot)com/download(dot)php?id=4075)
sysprocedure(dot)com (sample: sysprocedure(dot)com/download(dot)php?id=1737)

Fake 404 page:

dnserrortool(dot)com (examples have been observed at either dnserrortool(dot)com/ie6/ or dnserrortool(dot)com/ie7).

Please don’t go downloading and playing with these trojans unless you know what you’re doing. They’re real and quite dangerous.

Alex Eckelberry
(Thanks to Patrick Jordan)
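
The indicators above are written in a "(dot)" notation so they cannot be clicked. As an added example (not Sunbelt's code), here is one way to pull the hostnames out of such text and render them as hosts-file block entries; the function names and the 0.0.0.0 sink address are assumptions of this sketch, and the sample lines are copied from the post.

```python
import re

# Lines copied from the post above, in its "(dot)" notation.
SAMPLE = """\
gatemc(dot)com/gatevc(dot)php?id=icn02
gatedl(dot)com
protectionalerts(dot)com/2/01-byu8kl/xp/index(dot)php
toolbaractivity(dot)com/go.php?step=1, resolves to rdr(dot)hitmngr(dot)com/accs=147
avsmanufacture(dot)com (sample avsmanufacture(dot)com/download(dot)php?id=4075)
"""

# One DNS label: letters, digits, inner hyphens, at most 63 characters.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
SEP = r"(?:\(dot\)|\[\.\]|\.)"  # defanged or plain dot
# The lookbehind rejects candidates that start inside a word or a URL path,
# so "gatevc(dot)php" after the slash is not mistaken for a hostname.
HOST_RE = re.compile(rf"(?<![\w/.)-])({LABEL}(?:{SEP}{LABEL})+)", re.IGNORECASE)
TLD_RE = re.compile(r"[a-z]{2,}")


def extract_hosts(text):
    """Return unique hostnames found in defanged text, in order of appearance."""
    seen, hosts = set(), []
    for match in HOST_RE.finditer(text):
        host = re.sub(r"\(dot\)|\[\.\]", ".", match.group(1),
                      flags=re.IGNORECASE).lower()
        # Require an alphabetic final label so "e.g" or "1.2" are not kept.
        if not TLD_RE.fullmatch(host.rsplit(".", 1)[1]):
            continue
        if host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts


def to_hosts_file(hosts, sink="0.0.0.0"):
    """Render hosts-file lines that point each name at the sink address."""
    return "\n".join(f"{sink} {h}" for h in hosts) + "\n"


if __name__ == "__main__":
    print(to_hosts_file(extract_hosts(SAMPLE)), end="")
```

A hosts file matches exact names only, so subdomains such as the rdr host in the redirect chain need their own entries, which is why the extractor keeps full hostnames rather than collapsing them to the parent domain.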

Rather nice review of CounterSpy

Here.  (And just a clarification — the review mentions an antivirus engine built-in to CounterSpy.  In fact, the AV engine in CounterSpy is very basic, and is primarily used to improve the antispyware functionality of CounterSpy.  However, we are releasing our standalone AV product in Q1, called VIPRE, which will include all the functionality of CounterSpy but have full AV protection as well.   It will be a very inexpensive upgrade for any CounterSpy user.)

Alex Eckelberry

Another security company succumbs to temptation

First one, now another. Is this a trend? And what’s with pre-checking this option?

(You can see a post by a user on ZA’s forum here.)

Feel free to leave your comments as to what you think of this (let’s hope it’s not as rowdy as the last time).

Alex Eckelberry
(Thanks Suzi)

Clarification: This is not the full Ask Toolbar. It’s a subset which only offers the pop-up blocking. Nevertheless, you still get the Ask Searchbar, and it is pre-checked prior to install.

Another DNSChanger codec variant to stay away from – codecnice

codecnice(dot)net:

Pushes both Windows and Mac Trojan.DNSChanger. Sample binaries: Mac: codecnice(dot)net/download/codecnice1126.(dot)dmg. Windows: codecnice(dot)net/download/codecnice1126.(dot)exe.

Not so nice . . .

As always, please don’t touch these binaries unless you know what you’re doing as they are live Trojans.

Adam Thomas

Off topic: British humo(u)r hits Amazon.co.uk

If you enjoy a bit of irony, have a gander at the Amazon.co.uk reviews (and comments) on the inexpensive Bic Crystal ballpoint pen. It seems some writers (British and non) are having a bit of fun with this trusty implement.

Some selections:

Very good if you need to write on paper.

Writes well – but it’s unmusical

A sad disappointment (it doesn’t have an inkwell)

A good product, but instructions could be clearer.

And, of course, a limerick and a poem.

Alex Eckelberry
(Hat tip to John Murrell)

This is not cool

(See update below.)

An article today on InfoWorld, entitled “Don’t be a phishing vigilante”, casts a bright light on Cyveillance (a firm which does consulting for banks, etc. on security).

The article indirectly slams PIRT, the CastleCops-founded group which does takedown of phishing sites.

While there have been some funny examples of people who have gone to great lengths to hoodwink phishers and other online fraudsters — and some people have even turned the pursuit into a full-time hobby, new research shows that playing games with the cyber-thieves just might not be a good idea.

Note that “full-time hobby” points to Castlecops.

The idea that a group like PIRT is some type of “hobby” is more than false, it’s actually a bit heartbreaking when I think of the thousands of hours of volunteer work done by vetted security professionals at PIRT, who do takedowns every day, and have saved millions of dollars for consumers. People like Gary Warner, who certainly has earned his chops as a security professional. Or Robin and Paul Laudanski, the founders of PIRT, who are both highly regarded Microsoft Security MVPs. While I’m no longer an active part of PIRT, I feel quite protective of the volunteers there — who are amazing given the level of professionalism of their work and the fact that it’s all done out of a passion for helping people (for no monetary gain).

I agree that phishing termination (or even going to a phishing site) should only be done by people who know what they’re doing. There is a real danger going to these sites, because of exploits and malware. But to put a broad stroke on it only serves the for-profit vendor highlighted in this blog.

I have a lot of respect for Cyveillance, as well as the article’s authors, Victor Garza and Matt Hines. Hopefully, this is only a misunderstanding.

Feel free to post your comments on their blog.

Alex Eckelberry

Update:

Got this from our friends at Cyveillance (edited for brevity):

The interview focused on individual consumers who find it humorous to provide bogus information to phishing sites…The point of the story was that these individuals could actually expose themselves to malware simply by accessing the site.

Cyveillance strongly supports the role of CastleCops in the battle against phishing and online crime.

And Matt Hines posts a nice clarification on his blog:

OK, I’ve been getting some feedback re the link to CastleCops and feel the need to clarify a bit.

I really only included the link to their site because they’re the best example of an organized group going about this sort of infiltration and takedown approach to fighting phishing.

To be fair, it is far from a “hobbyist” operation. More like it is made up of real IT sec pros who want to help take out some of the baddies in their free time, which is a really cool effort in general.

The post itself was aimed more at individual consumers who seem to feel that they can frustrate the phishers by filling out their forms with curses and the like, but who are getting infected by drive-bys (as highlighted in the advice/research of Cyveillance).

My intent was not at all to discourage CastleCops or take anything away from what they do, I personally think it is a really admirable and cool thing that they do.. so, I’m pulling the link and apologize to any of the fine people involved with CastleCops, again, my intent was not to detract from or discourage their efforts (or imply that Cyveillance had done so).

Thanks, and sorry for the confusion! (it’s good to know people are actually clicking on those links though!)

Rock on CastleCops!

Matt Hines

Looks like we’re all good now. And thanks to Cyveillance and Matt Hines for the clarifications!

New fake codec variant — Windows and Mac — codecpretty

codecpretty(dot)net

Pushes both Windows and Mac TrojanDNSChanger. Sample binaries: Mac: codecpretty(dot)net/download/codecpretty1123(dot)dmg. Windows: codecpretty(dot)net/download/codecpretty1123(dot)exe. And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.

Alex Eckelberry
(Thanks Adam Thomas)

Sunbelt’s Ninja Email Security and CounterSpy Enterprise Named Finalists for SC Magazine Awards

Self promotion time:

Sunbelt Software today announced it has been named a finalist in the SC Magazine Award program for outstanding achievement in information-technology security. Both Ninja Email Security™ and CounterSpy Enterprise™ were named in the Reader Trust Awards’ Best Email Security and Best Anti-malware categories of the competition.

Link here.

Our Ninja email security product won the SC Magazine Reader’s Trust award for Best Email Security solution earlier this year. I’m keeping my fingers crossed to have at least one of our products in 2008.

Alex Eckelberry

Face it, you really read this blog because of the surf videos

Faithful readers of my blog will recall the extraordinary footage I posted of Mike Parsons surfing a huge wave.  

Last week was legendary in this regard at the famous Mavericks, with some of the biggest surf ever seen. Sadly, two fishermen and a surfer died that day in the water.

You can see footage of surfers braving some of the scariest and nastiest surf I’ve seen here (via Jeff Nolan).  

Alex Eckelberry

Penthouse acquires Adult Friend Finder

Various, the parent company of Adult Friend Finder (the porn-popping scourge of the internet), has been bought by Penthouse Magazine.

While the influx of free and low-cost video has hurt the sale of pornographic videos, the chief executive of the Penthouse Media Group remains so bullish on the sex-related entertainment industry that he is investing $500 million in a group of social networking sites.

Marc H. Bell, chief executive of Penthouse Media, said the company had acquired Various Inc. and its subsidiaries as part of a plan to expand its reach. Various operates more than 25 networking sites and says it has a member base of more than 260 million consumers, about 1.2 million of them paying subscribers.

NY Times link here (Thanks Gregg).

As I’ve said before, AFF’s growth has been fueled by the aggressive use of shady affiliate marketing. With high payouts to affiliates, aggressive pornographic creative materials (including video porn ads) and an apparent blind eye to the gross practices of slimy affiliates (including fake pages on MySpace, advertising in malware, etc.), the company has grown rapidly. I can only hope that Penthouse understands what it’s getting into, including the fact that it’s unknown whether or not the AFF’s high growth can continue with the FTC’s oversight on its practices.

Some previous Sunbelt Blog posts on AFF: Use of video porn. Comments on potential acquisition. Web 2.0 AFF spam. AFF ads seen in hacked university sites. Comment spamming on my blog (and here too). Advertising in adware. Comments on FTC settlement.

Alex Eckelberry

New fake codec website — Windows and Mac — codechot

Same codec, new site: codechot(dot)net

Pushes both Windows and Mac TrojanDNSChanger. Sample binaries: Mac: codechot(dot)net/download/codechard1123(dot)dmg. Windows: codechot(dot)net/download/codechard1123(dot)exe. And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.

Alex Eckelberry
(Thanks Patrick Jordan)

Sunbelt Sandbox fun

For many security researchers, our sandbox has become part and parcel to their daily routine.

It’s a very powerful tool — you can submit malware and get a detailed description of what it does. Some people simply upload malware and use our reports for analysis, others formally license the sandbox for their own use (customers range from corporate security departments to other security software and hardware companies). We also license data feeds that come out of our research, which can be quite valuable in creating signatures or blocklists.

The sandbox never sleeps and it processes a lot of malware — here is a screenshot I took this afternoon of the status of our various internal sandbox systems:

(I’ve masked the MAC address and IP numbers for obvious reasons.)

It can be interesting to watch this screen and just view what’s going on. Clicking “Sample” leads to a report of what was submitted. For example, clicking #4 brings me a report on a submitted program. I can also see its network activity, and this particular one is chatting back to an IP that’s had a dubious history — 66.220.17.200.

So feel free to submit samples to the sandbox and use it for your own research. The main URL is http://www.sunbeltsandbox.com/

Alex Eckelberry

New fake codec trojan variant — Windows and Mac — codecpretty

A new fake codec: codecpretty(dot)net

Pushes both Windows and Mac TrojanDNSChanger. Sample binaries: Mac: codecpretty(dot)net/download/codecpretty1123(dot)dmg; Windows: codecpretty(dot)net/download/codecpretty1123(dot)exe. And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.

Alex Eckelberry
(Thanks Adam Thomas)

AFF porn spam continues unabated despite FTC settlement

As a follow-up to my post this morning on Adult Friend Finder’s settlement with the FTC (where I pointed out that a significant problem with AFF is its affiliate channel), we have these two comment spams that appeared on my blog just this morning (thumbnailed due to graphic content):

These were posted on one blog that had as its topic AFF’s use of porn in advertising, and another about AFF ads appearing on MySpace (I’ve left the comments intact, just broken the links.)

So what is ourfriendfinder? It’s an affiliate of AFF. And the ad on that page is decidedly not even PG 13. It’s practically X-rated.

Incidentally, that ad is being served by AFF (from adserver.adultfriendfinder.com/banner.cgi?lang=english&size=500x500)

(I’ve also saved the page source of ourfriendfinder here.)

So let’s go back and look at the FTC settlement:

The settlement bars the defendant from displaying sexually explicit ads to consumers unless the consumers are actively seeking out sexually explicit content or unless the consumers have consented to viewing sexually explicit content. It requires the defendant to take steps to ensure that its affiliates comply with the restriction, and end its relationship with any affiliates who do not comply. It also requires the defendant to establish an Internet-based mechanism for consumers to submit complaints. Finally, the settlement contains bookkeeping and record-keeping requirements to allow the Commission to monitor compliance. [My emphasis in text.]

In these two cases, these were comments spammed on blog posts certainly not providing “sexually explicit content”.

Well there you have it. As I’ve maintained, ain’t nothin gonna change until AFF thoroughly cleans up its sleazy affiliate channels.

Alex Eckelberry