Some new fake codecs

[Screenshot: Zlob threat]
Reboot and here’s what your desktop looks like after installing one of these.

zsvcompany(dot)com
bcnproduction(dot)com
mojtechnology(dot)com
vaulimited(dot)com

All trojans — fake zlob media codecs.

The main page will show an error; as is standard practice these days, the binaries are actually downloaded from a subdirectory (usually something like /download(dot)php?id=4082).

Detection by all engines is very poor on these (Sunbelt Sandbox report on zsvcompany here, VT results here). We will have detections out shortly.

Alex Eckelberry
(thanks Bharath)

Can a spam filter play chess?

Interesting stuff.

Many people these days depend on Bayesian filters to protect them from the ever present email scourge that is spam. Unlike older technologies, these programs’ claim to fame is that they learn the spam patterns automatically, and more importantly, learn personalized spam (bad) and ham (good) email patterns.

Like many others, I wrote a Bayesian filter to protect me from unwanted email, which I called dbacl. My implementation functions as a Unix command line text classifier, with special email support, and can be used with procmail.

People are often astonished at how well statistical mail filtering works after they first try it, and it’s tempting to imagine that such programs actually understand the emails being delivered, rather than merely matching patterns.

Now chess has always been a popular gauge of intelligence that everyone can understand, so if we put all these ideas together, then the question “Can a Bayesian spam filter play chess?” seems like a fun experiment with a lot of appeal.

Link here.

Alex Eckelberry
(thanks Greg)

Buy weed online? I don’t think so…

A spam is making the rounds, attempting to lure people to a site which sells “legal buds” (F-Secure did a bit of analysis on one variant of this spam back on the 26th).

[Screenshot: "legal weed" spam]

The website was registered on November 1st and is basically a landing page for another website, thebudshop(dot)net — registered on the 30th of October.

[Screenshot: landing page]

[Screenshot: thebudshop(dot)net]

Obviously, to those who are misguided enough to believe that one is able to buy marijuana online, I have some news for you: you’ll likely get nothing if you try, or if you do get something, it’s going to be a bag of oregano or something else equally innocuous.

Pot is an illegal substance that cannot be purchased in any way in this country (with the obvious exceptions). And who knows, you might even get a rather rude knock on the door from your local authorities if you try…

Alex Eckelberry

Random: Dumbest predictions on Apple

Wired has a story today on “The 15 Dumbest Apple Predictions Of All Time”.

Side note: of interest to me was this one:

Sony To Buy Apple
“Within the next two months, Sony will acquire Apple. … Sony will be the white knight who will step into the picture.” — former Apple VP Gaston Bastiaens, in January 1996.

I was working for Gaston at that time and remember him saying something to this effect. I treated his belief with a mixture of respect (given Gaston’s background) and some disbelief (“why the heck would Sony buy Apple?”). Whatever.

Alex Eckelberry
(Thanks Greg)

Bundle of mayhem: mmcodecs

We infected a system with mmcodecs (a relatively new fake codec variant) and have some screenshots to share with you.

You can see mmcodecs in this Google search result here (obviously, don’t go and install it):

[Screenshot: Google listing for mmcodecs.com]

So we install it and get a merry bunch of mayhem, with home page hijacking, desktop hijacking, a rootkit and more.

[Screenshot: kdboo.exe rootkit]

We get a rootkit, and a DNS changer, no less!

[Screenshot: Safe-Strip desktop hijacking]

It wants to sell us Safe-Strip (a rogue antispyware program). It really wants to sell us this program!

[Screenshot: SystemErrorFixer scam]

And it wants to sell us SystemErrorFixer (courtesy of Innovative Marketing). It really wants to sell us this program too!

Well, enough of that fun.

Sunbelt Sandbox results here, VirusTotal results here (pdf).

Alex Eckelberry and Patrick Jordan

Sunbelt’s annual Halloween madness

[Photo: John]

(One of our employees apparently manifesting his favorite pastime.)

[Photo: Sunbelt Halloween 2007]

(The jailhouse girls: Paris, Nicole and Lindsey)

[Photo: Sunbelt Halloween 2007]

(I know, it’s really gross.)

Faithful blog readers will recall that every year, we go a bit crazy with Halloween. We’ve managed to keep this tradition up, even as we’ve grown to be a much bigger organization. Employees show up in their most outrageous costumes, then the company parades down to the local coffee shop, and then back to the office for a costume judging and gluttonous amounts of pizza.

Well, Sunbelters did a pretty good job this year too. You can see pics here.

Alex Eckelberry

Mac trojan overhype? You tell me.

This new Mac trojan? Well, it’s actually fairly important news.

I don’t mean to sound breathless about it. As far as we know, it’s not widespread. But this is the first targeted, real attack on Mac users by a professional malware group.

As one of our security researchers put it:

“This is pretty groundbreaking, actually. Not from the standpoint of ‘malware can exist on Mac too’ (everybody who’s not a moron knew that), but really from the fact that this is actual malware created by real malware groups, not one of those useless proofs-of-concept of ‘malware can exist on Mac too’.”

Yet the chorus of yawns from the security space is deafening:

While security experts agree that such a piece of malware would pose a very serious threat to users, it remains unclear just how far the reported trojan has spread.

Representatives for McAfee, Symantec, and Trend Micro all told vnunet.com that their researchers had been unable to find the trojan in the wild or obtain a sample from Intego. A spokesperson for Symantec noted that Intego “has a tendency to overhype things.”

Well, putting aside the fact that it took us under 3 minutes to find the Trojan simply by doing a simple Google search, this shouldn’t be viewed as overhype (although one part of the article certainly is overhype: “the tool allows the attackers to redirect web traffic. Users attempting to visit Paypal, Ebay or certain banking sites for instance will be directed to a phishing website instead.” Nah.)

I don’t know much about Intego, a Mac antivirus company. But when I showed our resident Mac guru this Trojan, his reaction was real surprise. In his words, “I’ve been using Macs since 1989. This is the first time I’ve seen something like this.”

This is a good story.

Again, I’m not trying to overhype. Mac users, hungry for pr0n, really do have to go through a few hoops to get this thing loaded. But we now have millions of new Mac devices out there, between the Touch and IPhone, running OS X.

The sole driving force behind malware these days is money. And this is simply a new market for these bad guys.

Let’s not let ourselves in the security space get complacent.

Alex Eckelberry

Mac users can now feel the pain of the fake media codec

Update: Screenshot posted here. More commentary here.

Also, some useful information here at MacWorld.

Consider the fake media codec, a plague on Windows PCs these days. Almost always found on porn sites, it lures you with something that looks like this:

[Screenshot: fake codec prompt]

or this:

[Screenshot: fake codec prompt, second variant]

And so on.

Well, it’s come to the Mac. One variant of the fake Codec, DNSChanger, is now being seen on Mac porn. From Intego:

A malicious Trojan Horse has been found on several pornography web sites, claiming to install a video codec necessary to view free pornographic videos on Macs. A great deal of spam has been posted to many Mac forums, in an attempt to lead users to these sites. When the users arrive on one of the web sites, they see still photos from reputed porn videos, and if they click on the stills, thinking they can view the videos, they arrive on a web page that says the following:

Quicktime Player is unable to play movie file.
Please click here to download new version of codec.

After the page loads, a disk image (.dmg) file automatically downloads to the user’s Mac. If the user has checked Open “Safe” Files After Downloading in Safari’s General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.

If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator’s password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download.

Is there any childlike schadenfreude on my part? You tell me. For years, we’ve heard snorts of derision from Mac users about the poor security of PCs. Yet that attitude (as we know from our history books) is a bit dangerous, because it creates a false sense of security.

Now, Mac users will need to be a bit more careful out there (‘cause when Joey wants his pr0n, he wants it now!). On the heels of the release of Leopard, we now find that there is no perfect protection against social engineering, even for a Mac user.

(Note that I have a Mac among the many computers at my house.)

Alex Eckelberry
(Hat tip to Brian Krebs.)

Good preso on Storm

Somewhat technical overview but good stuff. John Levine comments:

Last weekend, Brandon Enright of UC San Diego gave an informal talk at the Toorcon conference in which he reported on his analysis of the Storm botnet. According to his quite informative slides, Storm has evolved quite a lot over the past year, with both upgrades to the underlying engine and a variety of applications, most of which involve sending spam. (If you’ve gotten pump and dump spam with the message in an MP3 audio file, that’s Storm’s latest campaign.)

Enright says that although Storm’s peer-to-peer control structure makes it harder to map than centrally controlled botnets, its P2P design is relatively simple, and is similar enough to the eDonkey network that he could adapt tools designed for eDonkey to map Storm. While it’s never possible to find the exact size of a P2P network since nodes are constantly going on and off line, his statistics suggest that Storm consists of hundreds of thousands of nodes, not millions. While that’s a lot, it’s in the same range as other botnets. What really sets Storm apart is its operators’ skillful social engineering that constantly comes up with new tricks to get people to click on links that infect their Windows PCs.

You can see the preso here (via John Levine’s blog).

Alex Eckelberry
(Thanks Francesco)

Seen on MySpace — very realistic fake update popup

[Screenshot: fake Internet Explorer update popup on MySpace]

This thing is quite realistic. And if you click “Download”, you get an offer to install a nasty little Trojan (Sunbelt Sandbox report here).

The trojan, “updateKB890830.exe”, downloads from a site that looks like a Microsoft url, so it’s all quite realistic to the user.

This was reported to MySpace by a number of individuals and it’s gone now (incidentally, the MySpace abuse team reacts quite well to submissions at abuse(at)myspace.com).

Alex Eckelberry
(Hat tip to Randall Mueller for finding this one)

Pimp my PE presentations now available

Casey Sheehan, who runs our core antimalware team (the group that is developing our next-generation antimalware engine here at Sunbelt), had an interesting presentation at VirusBulletin in Vienna, entitled “Pimp my PE: taming malicious and malformed executables” (PE is the file format used for programs, DLLs, etc. in Windows). PE files have a specific, documented structure. Malware authors often perform deliberate malformations to confuse antivirus engines. This paper deals with that challenge:

Abstract
A foundational requirement in the security world is the capability to robustly parse and analyze Windows Portable Executable files. Coping with the full spectrum of PEs found in the wild is, in fact, quite challenging. While white files are typically well structured, malicious files can be quite difficult to analyze, often due to deliberate malformations intended to stymie static analysis. In this paper we will survey and attempt to classify some common and interesting malformations we have studied in our work at Sunbelt Software. We will analyze PE structural information, discuss the PE specification, and highlight specific hurdles we have overcome in the course of developing a parsing facility capable of dealing reliably with the full range of images found in the wild, especially malware. We will also cover specific problems we faced along the way, examine structural heuristics we’ve developed in the course of classifying common malformations, and include a discussion of some interesting tools and techniques we’ve developed.
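As an added illustration of the defensive parsing the paper is about (example code written for this page, not Sheehan’s PeSweep or Sunbelt’s engine): a bounds-checked walk of the PE headers over a constructed minimal image, where a bad e_lfanew, an oversized section count or a section whose raw data runs past end-of-file is reported as a finding instead of crashing the parser. The 96-section loader limit and the header layouts are from the PE specification; the sample image is constructed here and is not a real file.

```python
import struct

MAX_SECTIONS = 96  # the Windows loader rejects images with more sections than this

def parse_pe(data: bytes) -> dict:
    """Walk the DOS, COFF and section headers with every offset bounds-checked;
    malformations are collected, never raised, so hostile input cannot crash us."""
    findings = []
    result = {"ok": False, "machine": None, "sections": [], "findings": findings}
    if len(data) < 0x40 or data[:2] != b"MZ":
        findings.append("missing or truncated DOS header")
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):  # room for "PE\0\0" plus the 20-byte COFF header
        findings.append(f"e_lfanew 0x{e_lfanew:x} points outside the file")
        return result
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        findings.append("PE signature missing at e_lfanew")
        return result
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    result["machine"] = machine
    if nsec > MAX_SECTIONS:
        findings.append(f"NumberOfSections={nsec} exceeds the loader limit")
    sec_table = coff + 20 + opt_size
    if sec_table > len(data):
        findings.append("SizeOfOptionalHeader runs past end of file")
        return result
    for i in range(min(nsec, MAX_SECTIONS)):
        off = sec_table + 40 * i
        if off + 40 > len(data):
            findings.append(f"section table truncated at entry {i}")
            break
        name = data[off:off + 8].rstrip(b"\0")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        if rptr + rsize > len(data):
            findings.append(f"section {name!r} raw data runs past end of file")
        result["sections"].append((name, vaddr, vsize, rptr, rsize))
    result["ok"] = not findings
    return result

def build_sample(nsec: int = 1, raw_size: int = 0x200) -> bytes:
    """Constructed minimal PE32 image (not a real file): MZ stub, NT headers with a
    224-byte optional header, one .text section header, zero-padded to 0x400 bytes."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)
    text = b".text\0\0\0" + struct.pack("<IIII", 0x100, 0x1000, raw_size, 0x200) + bytes(16)
    img = dos + b"PE\0\0" + coff + opt + text
    return img + bytes(0x400 - len(img))
```

Run `parse_pe(build_sample())` for a clean result, then feed it the same image with the section count set to 200, the raw size inflated or e_lfanew pointed past the end to see each malformation named in `findings`.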

The subject matter is highly technical, but for those interested, I’ve posted the following files:

Paper: (pdf)

Presentation: (pdf) (ppt)

Referenced program, PeSweep.exe, here
(270,336 bytes; MD5 283668a022766c1505debd540d7dae91)

Alex Eckelberry

The incredible saga of PIRT: $150 million saved and counting

[Image: PIRT]

In March of last year, Paul and Robin Laudanski and I started PIRT — the Phishing Incident and Response Termination squad. I can remember the scepticism and negativity when we started this task, by the “professionals.”

What Paul and Robin have done since then is nothing short of amazing. And they don’t get a dime for it. And neither do any of the volunteers who work on takedowns.

From PIRT evolved MIRT — Malware Incident and Response Termination. Now, there is SIRT — Spam Incident Response and Termination.

This is not trivial work.

Yesterday, Paul posted this on Castlecops:

Since May 2006, our Phishing Incident Reporting and Termination team has directly prevented more than $80 million in credit card losses, and indirectly an additional $75 million by working with our partners. We’ve shut down not only phish sites, but drops all the while preserving evidence for law enforcement. And we need your help by donating your time as handlers to keep on investigating phish crimes so we can continue to prevent even greater numbers.

PIRT right now is receiving around 47,000 unique phish submissions per month. Our PIRT handlers are doing amazing work and trailblazing new roads in phish investigations and intelligence.

There are few people I have met in my life who are as genuine, kind-hearted and hard-working as Paul and Robin. Feel free to leave a comment congratulating them and all of their volunteers, here or on this blog.

Alex Eckelberry

Direct Revenue is dead and gone

[Image: Direct Revenue]
It’s officially over (no surprise, we all knew it was coming).

I’m not going to bother with an obit, I don’t have the time. But we can all recall that it was a very profitable operation for the founders, despite what some might consider a relatively small fine to the FTC.

These four men: Alan Murray, Daniel Kaufman, Josh Abram and Rodney Hook, in three years, personally received over $28 million.

[Image: Direct Revenue payments]

(Source: Ben Edelman)

Direct Revenue acted in an outrageous manner, as can be readily observed from the documented evidence seized as part of the NY Attorney General’s investigation. Out of all the big spyware/adware vendors, they were one of the worst offenders.

Rest in peace? Nah. Too nice.

Alex Eckelberry