Mark Russinovich responds to the WMF conspiracy theory

There has been a bit of a debate over Steve Gibson’s recent postulate that the WMF exploit was possibly a backdoor deliberately put into Windows by Microsoft or a rogue Microsoft programmer.

From Steve in introducing his podcast on the subject:

Leo and I carefully examine the operation of the recently patched Windows MetaFile vulnerability. I describe exactly how it works in an effort to explain why it doesn’t have the feeling of another Microsoft “coding error”. It has the feeling of something that Microsoft deliberately designed into Windows. Given the nature of what it is, this would make it a remote code execution “backdoor”. We will likely never know if this was the case, but the forensic evidence appears to be quite compelling.

Link here.

Windows internals expert Mark Russinovich responds to Steve’s comments with a new blog entry that puts the matter to rest: it is almost certainly not a backdoor, simply poor design:

The vulnerability is subtle enough that the WINE project, whose intent is to implement the Windows API for non-Windows environments, copied it verbatim in their implementation of PlayMetaFile. A secret backdoor would probably have been noticed by the WINE group, and given a choice of believing there was malicious intent or poor design behind this implementation, I’ll pick poor design. After all, there are plenty of such examples all throughout the Windows API, especially in the part of the API that has its roots in Windows 3.1. The bottom line is that I’m convinced that this behavior, while intentional, is not a secret backdoor.

Link here.

Alex Eckelberry
(Hat tip to Larry Seltzer)

 

Advertising in video games redux

Back in early December, I blogged about advertising in video games.

Well, Arstechnica writes about Subway’s advertising in Counter-Strike

“That’s exactly what SUBWAY® found when one of its largest local advertising agencies tapped Engage to develop an in-game advertising strategy targeting men 18 to 34 in several designated market areas, including San Francisco, Las Vegas and Sacramento. The objective for the in-game campaign was to increase awareness around the SUBWAY® $2.49 daily special and drive sales from the restaurant’s heavy users.”

Link here.

Alex Eckelberry
(Thanks Jarrett)

A variant of the infamous SpySheriff is on the loose

SpySheriff is one of those nasty rogue antispyware applications that we’re all seeing out there.

They have a new variant, PestTrap, downloadable from pesttrap(dot)com.

(Screenshot: pesttrap(dot)com)

(Virusscan.jotti.org and Virustotal.com results temporarily removed due to some uncertainties in the results… hopefully will repost later)

 

Alex Eckelberry
(Thanks Patrick Jordan)

 

Microsoft on why people turn off the firewall in OneCare

Windows OneCare (as well as Vista) has a two-way firewall, unlike XP’s one-way firewall.

The OneCare team found out that a bunch of people had been turning off their firewall and decided to find out why:

Based on our investigation, there are four primary reasons people are turning off their firewall.

    1. Do not think a software firewall is necessary
    2. Do not like the (sometimes incessant) pop-up dialogs
    3. An application failed to install with firewall turned on
    4. An application fails to work with firewall turned on

More here.

 

Alex Eckelberry

 

Is Text Messaging Making our Kids Illiterate?

Kids take to new technology like flies to honey. Among many older folks, it’s conventional wisdom that if you’ve been flummoxed by your computer, video recorder or other high tech gadget, the quickest and cheapest way to solve the problem is to call in a twelve year old to fix it. Lots of kids today grow up with a keyboard in one hand and a joystick in the other.

There are plenty of benefits to introducing kids to tech devices early. Using the devices becomes second nature to them, so the learning curve is less steep. Playing video games helps to develop hand-eye coordination. They learn multi-tasking skills from juggling several computer programs at once. Surfing the Web can expose them to a vast array of knowledge that wasn’t available to those of us who grew up without the availability of commercial Internet services, even in some of our best libraries. And kids can have a rich social life and meet a much more diverse group of people to which they might never be exposed in their own hometowns. They can also stay in touch with family members and friends, both local and those who live at a distance, much more easily.

Unfortunately, there are potential harmful effects, in addition to the positive ones. Many parents worry that violent video games may desensitize children to violent behavior in real life, and that the Web will lead them to pornography or hate groups as well as information for completing their schoolwork. The people your kids meet online can be good influences – or they could be pedophiles posing as other children to lure unsuspecting youngsters into their traps.

Some experts fear that even in the innocuous communications with people they know, kids may be exposing themselves to hidden ill effects. For example, one type of communication that’s very popular with teenagers is real-time chat. This includes Web-based chat, use of IRC (Internet Relay Chat) programs, Instant Messaging services such as those offered by MSN, AOL and Yahoo, as well as SMS messaging via cell phones.

In order to type their messages more quickly, kids often use a type of phonetic shorthand instead of grammatically correct, properly spelled sentences. For example: “R U going 2?” is much faster and easier to type than “Are you going, too?” This becomes an especially attractive option when using a small keyboard like those on cell phones.

But is this making kids illiterate? Educators, parents and others are divided on that question. Some folks argue that language is always evolving, and newer and more efficient spellings are a good thing. After all, a glance at a page of Olde English will show you that we don’t use the same spellings now that our ancestors used. Other, more pessimistic folks say IM isn’t so much making kids illiterate as reflecting the growing illiteracy of younger generations.

Some researchers have concluded that teens are able to slip easily between the abbreviations and conventional spelling, but some teachers say they’re seeing the messaging lexicon show up in kids’ school work. Does Shakespeare lose something in translation to “2 b R not 2 b”?

Some experts say the problem is not the lingo itself, but the fact that kids are unable to differentiate between when it is and isn’t appropriate. Like slang and other informal language, what’s okay for chatting with peers is not acceptable when writing an essay – or applying for a job.

What do you think? Is the growing use of “Internet jargon” a problem, or is it just a fad that kids will outgrow as they get older? And if it is causing kids to be less literate, what can be done about it? Should parents prohibit their children from using IM and SMS? That was the solution of the father in this article here.

Deb Shinder

Spammer pleads uncle

Pity the poor spammer.

Darren Brothers reports that Alex Polyakov, the target of his Kick a Spammer in the Nuts Daily retaliatory campaign, has cried uncle.

Brothers says he got a call early this morning from Polyakov. (Brothers has posted a WAV file of the call. I created a smaller MP3 version of the recording, which can be downloaded here.) On the tape, an excited Polyakov complains that Brothers’ “Refi Retaliator” program is “killing my business.”

Link here (with audio!) via Ferg.

 

Alex Eckelberry

Two significant additions to the Sunbelt team

Today, we announced two significant hires:  Eric Howes, who is now our new Director of Malware Research, and Joe Wells, who is joining us as Chief Scientist, Security Research.

Eric is a well known antispyware researcher and one of the most widely quoted authorities on the problems of spyware and adware. You’ll know his work on Spywarewarrior.com running the Rogue/Suspect Anti-Spyware list and his extensive work in antispyware testing.  Eric has had an independent consulting relationship with Sunbelt since the fall of 2004, and dealing with him has been highly enjoyable.  He is a truly valued addition to our team.

The second addition is veteran security expert Joe Wells as chief scientist, security research.  Joe was previously the chief antivirus architect at Fortinet and is one of the most widely known authorities on malware threats — having worked in key R&D positions at Trend Micro, Symantec, Certus and IBM’s Thomas Watson Research Center.   He is also the founder of the well-known Wildlist. You can see his full CV here. Joe has an amazing background and it’s been a rare treat and an honor to have spent time with him discussing our future plans.  Oh, and talk about war stories – Joe has seen it all.

I’m truly thrilled to have these two new members of our team, as we see Sunbelt moving into new realms.  

More corporate propaganda on Joe here and Eric here.

Alex Eckelberry

 

WMF Update: Win 9x patch for the concerned

If you’re really worried about the WMF exploit and your old Windows 9x system, there is a new open source fix here (via funsec).

My advice?  Don’t play around with unsupported hotfixes for something that, based on the best data available, is not a significant issue.  Keep your AV sigs updated and move on.

And remember that malware authors themselves are interested in market share.  We’re increasingly seeing malware authors not even bother with compatibility for this platform.  It’s a real hassle to program low-level code for both the NT kernel and Windows 9x.  In other words, Windows 9x systems are a waste of time for them.   See the OS platform trends here.

Alex Eckelberry

WMF Update: Microsoft clarifies Win 9x vulnerability

There is a very good blog writeup by Stephen Toulouse at Microsoft as to why WMF is not a “Critical” issue on the Windows 9x platform.

It’s technical, but if you can wade through it, it’s well worth the read. 

With WMF we want to be very clear: the Windows 9x platform is not vulnerable to any “Critical” attack vector. The reason Windows 9x is not vulnerable to a “Critical” attack vector is because an additional step exists in the Win9x platform: When not printing to a printer, applications will simply never process the SetAbortProc record. Although the vulnerable code does exist in the Win9x platform, all “Critical” attack vectors are blocked by this additional step. The remaining attack vectors that we have identified require extensive user interaction and are not rated “Critical”. Again the “Critical” rating refers to code execution attacks that could result in automated attacks requiring little or no user interaction.  

Link here through Larry Seltzer.

 

Alex Eckelberry

Download disasters

Our friends at SiteAdvisor (introduced to the world through Ben Edelman’s original article) have a new blog posting up about “download disasters”:

When we first started crawling the Web looking for bad downloads last year, we weren’t sure what we’d find. Today, a million Web sites and 140,000 download tests later, I can say with confidence that there are some great programs to be downloaded out there. I can say with equal confidence that there’s also plenty of train wrecks waiting to happen to your PC.

Link here with lots of pics.

 

Alex Eckelberry

Sunbelters in the wild

We’re going to be a peripatetic crew over the next several months.  You’ll see Sunbelters floating around at the Antispyware Coalition Workshop in DC (we still haven’t joined – link here to a somewhat dated post – but there are good reasons to go and check things out), the upcoming RSA conference and InfoSec. We won’t have a booth at RSA but we will have one at InfoSec.

So look out for us, and if you’d like to schedule a meeting, drop us a line.

Alex Eckelberry

Sicko using kid site to download spyware and porn

Until Jan 6, 2006, Corypaints(dot)com was a kids’ site.  The whois on Jan 1, 2006 shows it was a pending delete.  It was taken over by a spyware gang that deals in porn.

Let’s take a look at the front page:

(Screenshot: corypaints(dot)com front page)

Never mind the kids’ content.  It’s being pulled from old material.

Let’s do a search in Google for “cory paints”; these are the types of results you’ll get:

(Screenshot: Google search results for “cory paints”)

If you type the same search in, but with “site:corypaints.com” added, you get links to corypaints(dot)com directories with really sick links (not for the faint of heart):

Private familysex video download
Free dad & daughter f—-
schoolgirl rapecom
Mother and teen son porn
Real rape scenes and stories

Clicking on these links results in an attempted WMF exploit to infect you with spyware.

The lengths these slimeballs will go to to infest a machine just boggle the mind. 

 

Alex Eckelberry
(Thanks Sunbelt spyware researcher Patrick Jordan)

An object lesson on why it’s so important to patch

Sunbelt researcher Patrick Jordan has been researching a nasty group of sites, including toolbarcool(dot)biz.

These guys will do anything to get on your machine.

First, it tries to infect you through a (long patched) compiled help file (CHM) exploit.

If unsuccessful at that, it goes ahead and does a 2 for 1 special — it attempts to infect through both the WMF exploit and the Javascript exploit.  Both of these exploits are fairly recent:  The Javascript exploit was patched on December 12th, 2005 and the WMF exploit was patched on January 5th, 2006.

Video here.

(Screenshot: toolbarcool(dot)biz)

Here are the URLs:


Alex Eckelberry

Anatomy of a malicious host file hijack

Just for kicks and giggles, Patrick Jordan took apart a host file hijack that resulted in an obscenely accurate spoof of a Bank of America site — and a large number of other financial institutions.

Here’s what the Bank of America site looks like before the hijack:

(Screenshot: Bank of America site before the hijack)

(Screenshot: ping of the site before the hijack)

Here’s what it looks like after.  It’s very convincing:

(Screenshot: spoofed Bank of America site after the hijack)

(Screenshot: ping of the site after the hijack)

(Notice the new IP number.)

Here are the host file modifications that were made:


216.32.94.147 is hosted in the United States.
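The pattern Patrick found (dozens of unrelated financial domains all pinned to one remote address) is easy to check for on a suspect machine. The following Python script is an added example, not code from the original post: it parses plain hosts-file lines and HijackThis-style “O1 – Hosts:” log lines, groups hostnames by the address they point to, and flags any routable address that collects several distinct registrable domains. The sample entries are constructed; the 216.32.94.147 address is the one named in the post, and the small public-suffix list is an assumption sufficient for the sample.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: normal hosts-file lines mixed with hijack entries in the
# "O1 - Hosts:" log form. 216.32.94.147 is the address named in the post.
SAMPLE_LINES = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-tracker.net
O1 - Hosts: 216.32.94.147 www.bankofamerica.com
O1 - Hosts: 216.32.94.147 bankofamerica.com
O1 - Hosts: 216.32.94.147 www.paypal.com
O1 - Hosts: 216.32.94.147 paypal.com
O1 - Hosts: 216.32.94.147 www.halifax.co.uk
O1 - Hosts: 216.32.94.147 halifax.co.uk
10.0.0.5        intranet.corp.example
""".strip("\n")

# Strips the "O1 - Hosts:" (or "O1 – Hosts:") log prefix so the remainder
# parses like an ordinary hosts-file line.
_O1_PREFIX = re.compile(r"^\s*O1\s*[-\u2013]\s*Hosts:\s*", re.IGNORECASE)

# Assumed, deliberately small set of two-label public suffixes so that
# www.halifax.co.uk and halifax.co.uk collapse to one registrable domain.
_TWO_LABEL_SUFFIXES = {"co.uk", "com.tr", "co.jp", "com.au"}


def registrable_domain(host):
    """Reduce a hostname to its registrable (second-level) domain."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file or 'O1 - Hosts:' lines."""
    entries = []
    for raw in text.splitlines():
        line = _O1_PREFIX.sub("", raw.split("#", 1)[0]).strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address: malformed line, skip
        for host in parts[1:]:
            entries.append((ip, host.lower()))
    return entries


def find_hijacks(text, min_domains=2):
    """Map each routable IP to the sorted registrable domains pointed at it,
    keeping only IPs that gather at least min_domains distinct domains."""
    by_ip = defaultdict(set)
    for ip, host in parse_hosts(text):
        if ip.is_loopback or ip.is_private or ip.is_unspecified:
            continue  # ad-blocking sinkholes and LAN entries are normal
        by_ip[str(ip)].add(registrable_domain(host))
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}


if __name__ == "__main__":
    for ip, domains in find_hijacks(SAMPLE_LINES).items():
        print(f"{ip} redirects {len(domains)} domains: {', '.join(domains)}")
```

On a live system, feed it the contents of %SystemRoot%\system32\drivers\etc\hosts; legitimate hosts files almost never point several unrelated banking domains at the same public address.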

I ran the trojan through Virustotal.com and a number of AV companies detect it.  You can see the results below (“No virus found” means that the antivirus engine did not detect the trojan I submitted):

Antivirus Version Result
NOD32v2 1.1362 Win32/TrojanDownloader.Small.ARJ
Norman 5.70.10 W32/Downloader
Kaspersky 4.0.2.24 Trojan-Downloader.Win32.Small.arj
BitDefender 7.2 Trojan.Downloader.Smalldldr.A
DrWeb 4.33 Trojan.DownLoader.5860
VBA32 3.10.5 Trojan.DownLoader.5860
AntiVir 6.33.0.77 TR/Dldr.Smalldldr.A
Avira 6.33.0.77 TR/Dldr.Smalldldr.A
Panda 9.0.0.4 Suspicious file
Fortinet 2.54.0.0 PossibleThreat
Ewido 3.5 Downloader.Small.arj
AVG 718 Downloader.Generic.OZZ
F-Prot 3.16c Could be infected with an unknown virus 
Avast 4.6.695.0 No virus found
CAT-QuickHeal 8 No virus found
ClamAV devel-20051123 No virus found
eTrust-Iris 7.1.194.0 No virus found
eTrust-Vet 12.4.1.0 No virus found
Ikarus 0.2.59.0 No virus found
Sophos 4.01.0 No virus found
Symantec 8 No virus found
TheHacker 5.9.2.071 No virus found
UNA 1.83 No virus found
McAfee 4672 No virus found

(Graphic here.)

Interested in more?  Watch this video here.

 

Alex Eckelberry

The VideoC monstrosity and CodecCash

We’ve written about VideoC before (a fake video add-on like Vcodec).  It’s a scam that makes you believe you need to download a special plug-in to Windows Media Player in order to watch a video.

Then it infects you with a barrelfull of spyware. 

But, like all spyware and adware, it’s fueled by commercial interests:   A company called CodecCash is offering website publishers the opportunity to make money on videos by offering this fake codec.

From their website:

The CodecCash(TM) system earns revenue each time movies on your website are viewed. Use your own content! Your users view 8 seconds of a movie, and then they click yes to download a full 30 seconds. We pay you whenever they click yes for the full 30 seconds. …Simple as that! We pay you $.15 for each movie viewing.

Well here’s an example of how this works.  Let’s take the site a-137(dot)com.  One clicks to view a video, gets the Windows Media Player…but then gets this message:

(Screenshot: VideoC plug-in prompt in Windows Media Player)

Clicking on “Show details and terms” takes you to this link.  Buried in the text are these treasures:

In return for the right to access this Content, you acknowledge and agree that the Software contains additional software products provided to Codec Cash by its suppliers which will periodically deliver additional Content such as, but not limited to, advertisements and promotional messages to your computer Updates to Software.

and

Uninstalling the Software. In order to uninstall the Software, you will need to run the removal executable. You can get this program by contacting support@codeccash.com.

Ah, well, that’s a little misleading, isn’t it?  Because if you click that “Run” button, here’s what your system will look like in just a few seconds:

(Screenshot: infected desktop)

(Typical SpySheriff evil).

There’s a new start page too!

(Screenshot: hijacked start page)

And even this fake Windows firewall message that pops-up intermittently:

(Screenshot: fake Windows firewall message)

(Clicking “Yes” goes to http://search4help(dot)net/search_own.php?pin=87649)

But it was especially entertaining to get this scrolling marquee popping up over the browser just out of the blue:

(Screenshot: scrolling marquee)

(It links to http://www(dot)teslaplus(dot)com/search.php?wmid=143&sub=87649)

In other words, a simple 30 second movie just ruined your day.

 

Alex Eckelberry
(Thanks to Sunbelt researcher Patrick Jordan).

On Cassava

A while back, Cassava Enterprises asked us to remove detection of one of their products, CasinoOnNet, from CounterSpy’s detection database.  (Cassava Enterprises  is a Gibraltar-based company that operates a number of online gambling web sites and makes and distributes software applications that allow customers to access and use its online gambling services. These gambling applications include CasinoOnNet, PacificPoker and ReefClubCasino.)

As is our practice, we subsequently performed an exhaustive review of their installation practices; methods of system reconfiguration; data collection, transmission and sharing practices; and notice, disclosure and consent.

Our conclusion was that, in fact, Cassava’s installation practices trip several of Sunbelt’s Listing Criteria, specifically in the areas of “Distribution and Installation” and “Notice, Disclosure, Choice and Consent”.

However, at the time Cassava submitted its request for a software review to Sunbelt, CasinoOnNet was classified as “Adware,” with a threat level of “Elevated” and a default action of “Quarantine.”  Given the non-intrusive functionality of CasinoOnNet (as well as Cassava’s other gambling applications), this classification was unwarranted.

Nonetheless, Cassava’s unacceptable installation practices do make Cassava’s gambling applications a legitimate detection for Sunbelt to offer its CounterSpy users and customers, given that these installation practices make it possible that users could have unwittingly installed one of Cassava’s gambling applications.

In addition, CasinoOnNet was the only gambling application from Cassava to be detected by Sunbelt’s CounterSpy anti-spyware application (setting aside cookies).  There are two others that also trip our listing criteria: PacificPoker and ReefClubCasino.

Thus:

1) We have reclassified CasinoOnNet as Potentially Unwanted Software, with a threat level of Low and a default action of Ignore.  (A default action of “Ignore” does not mean that CounterSpy will not detect an application.  It simply means that the choice of removal is left up to the user, as opposed to the program automatically offering to remove or quarantine an application.)

2) We have revised the description of CasinoOnNet in the CounterSpy database to more clearly define the characteristics and behavior of the program.

3) We will also add Cassava’s other gambling applications (PacificPoker, ReefClubCasino) to the CounterSpy database and handle these other applications in the same manner as CasinoOnNet.

In reclassifying Cassava’s gambling applications as “Low risk,” Sunbelt can continue to offer these detections to users, while still requiring users to affirmatively elect to remove Cassava’s gambling applications by changing the selected action in CounterSpy’s scan results from “Ignore” to “Quarantine” or “Remove.”

As a result of our classifications, users who knowingly installed Cassava’s software can continue to use the software without fear that it will be removed by default by CounterSpy, while users who want to remove the software can do so.

A full writeup from our research center is available here.

Alex Eckelberry