Doing the right thing, right

There is an article in ComputerWorld that talks about how Finjan found a security flaw in the search engine.

Google promptly fixed it. 

Wow.  What an amazing concept.  Flaw found.  Flaw fixed.

Our experiences with Google have been equally satisfying. This company gets it.  Responsive and highly professional. 

Contrast that with Cisco frantically attempting to bludgeon Michael Lynn into silence and their Keystone Kops attempts to kill the information. In that case, they were responsive in the beginning with Michael, but then things just got really weird. Of course, all they got was the Streisand Effect (a term TechDirt coined a while back).

(At some point, however, I will write about the ethics of releasing security information to the public, but that’s another discussion).

Article link here via Donna.

Alex Eckelberry

Rumors of Mindset Interactive’s demise? Hmmm…not so fast

F-Secure reports:

“Spyware vendor Mindset Interactive shuts down their business

Favoriteman and NetPal nuisances have, after several years, stopped. The company behind them has closed, and we can report that they have moved out of their company offices. All related web servers are unreachable and the already distributed spyware no longer functions.


Like many Spyware vendors, Mindset Interactive has used multiple names to distribute their Spyware. That is why termination of the company behind it is such a positive turn.

Mindset Interactive was behind Favoriteman, also known as F1Organizer, ATPartners, SpyAssult and Window Help 4 Smart Browsing. They also constructed NetPal, which had a massive number of games as distribution channels.

F-Secure will keep Favoriteman and NetPal in detection to clean out the final filth.”

Actually, our research indicates that the death knell may not have clanged loudly, at least not yet.

Pinging addictivetechnologies.com (207.182.237.210) and mindsetinteractive.com (207.182.237.210) shows that the sites are unavailable, and a whois for that IP address is under the hosting company, Velocity Networks.

But let’s look at some more:

IP: 207.182.237.210
vistainteractivemedia.com
10 Corporate Park, Suite 315
Irvine, CA 92612

IP: 207.182.237.210
Mindset Interactive
5 Corporate Park Suite 160
Irvine, CA 92606

Here are the websites we can find associated with Mindset or Mindset executive Scott Walker:

Dead sites:

Addictivetechnologies.net
F1organizer.com 
F1organizer.net 
Favorites1.com 
Favorites1.net 
Addictivetechnologies.com 
Mindseti.com 
Mindsetinteractive.com 
Freebiesrus.com  

But…

Live sites!

Idealbrowser.com
Broadnetsoftware.com 
Broadspring.com
Idealproductgroup.com
Vistainteractivemedia.com 
Vistainteractivemedia.net 
Flashgamejunkie.com 
Flashgamesjunkie.com 
Idealringtones.com 
searchenginebar.com
Reflexivesearch.com 

From what we can tell, they still own the sites, and the sites are still assigned IP addresses. Last year MindSetInteractive put up a sign that they were changing to Vistainteractivemedia. They also have Broadspring.com, along with Vistainteractivemedia, which is running the RX toolbar bundled in Kazaa alongside Best Offers.

Finally, according to this site, Aadcom was listed as part of the MindSet Interactive Group during their days with Direct-Revenue. Today a whois shows an email address for vistainteractivemedia, and they share the same DNS servers and IP range.

In short, not so fast…
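The linkage used above (shared IP or IP range, shared DNS servers, shared whois contact) is the standard way researchers tie a "dead" operation to its live successors. The script below is an added example, not part of the original post: it applies that linkage to a small constructed data set. The three .com domain names and the address 207.182.237.210 are the ones quoted in the post; the nameserver names, contact addresses and the .example / .invalid entries are placeholders, not real DNS or whois output.

```python
"""Cluster domains by shared hosting infrastructure.

Added example, not part of the original post. The records are constructed:
the three .com domains and 207.182.237.210 come from the post, everything
else (nameservers, contacts, .example/.invalid names) is a placeholder.
"""
from collections import defaultdict, namedtuple
from itertools import combinations

Record = namedtuple("Record", "domain ip nameservers contact")

NS_A = ("ns1.host-a.invalid", "ns2.host-a.invalid")   # constructed
NS_B = ("ns1.host-b.invalid", "ns2.host-b.invalid")   # constructed

RECORDS = [  # constructed sample data
    Record("mindsetinteractive.com",    "207.182.237.210", NS_A, "admin@mindset.example"),
    Record("addictivetechnologies.com", "207.182.237.210", NS_A, "admin@mindset.example"),
    Record("vistainteractivemedia.com", "207.182.237.210", NS_A, "admin@vista.example"),
    Record("aadcom-placeholder.example", "207.182.237.215", NS_A, "admin@vista.example"),
    # An unrelated customer of the same hosting company: shares only the IP.
    Record("other-tenant.example",      "207.182.237.210", NS_B, "hostmaster@other.example"),
    # Shares only a nameserver pair with the tenant above.
    Record("unrelated.example",         "198.51.100.7",    NS_B, "hostmaster@unrelated.example"),
]


def shared_evidence(a, b):
    """Return the infrastructure attributes two records have in common."""
    evidence = []
    if a.ip.rsplit(".", 1)[0] == b.ip.rsplit(".", 1)[0]:   # same /24
        evidence.append("ip" if a.ip == b.ip else "ip_range")
    if a.nameservers == b.nameservers:
        evidence.append("nameservers")
    if a.contact == b.contact:
        evidence.append("contact")
    return evidence


def cluster(records, min_evidence=2):
    """Group domains linked by at least `min_evidence` independent attributes.

    Returns (groups, links): groups is a list of sorted domain lists, largest
    first; links maps each linked pair to the evidence that joined it.
    """
    parent = {r.domain: r.domain for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    links = {}
    for a, b in combinations(records, 2):
        ev = shared_evidence(a, b)
        if len(ev) >= min_evidence:
            links[(a.domain, b.domain)] = ev
            parent[find(a.domain)] = find(b.domain)

    groups = defaultdict(list)
    for r in records:
        groups[find(r.domain)].append(r.domain)
    ordered = sorted((sorted(g) for g in groups.values()),
                     key=lambda g: (-len(g), g[0]))
    return ordered, links


if __name__ == "__main__":
    groups, links = cluster(RECORDS)
    for g in groups:
        print(g)
    for pair, ev in links.items():
        print(pair, "linked by", ev)
```

The `min_evidence` threshold is the practitioner's caveat: a shared IP on a commercial host links every tenant on that machine, so requiring two independent signals keeps the unrelated customers out of the cluster, while a threshold of one merges all six constructed records into a single group.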

Spyware researchers — contact me offline for more detailed information if you need it.


Alex Eckelberry
(Thanks to our Patrick Jordan for his extensive work on this project!)

Global State of Information Security

CIO and PwC have released the Global State of Information Security 2005.


“It’s clear from the data that respondents spend most of their time in reactive mode: responding to incidents, deploying firewalls, and dealing with everyday nuisances like spam and spyware. Ironically, the most common proactive step respondents take is to develop business continuity and disaster recovery plans. So even their proactive steps are investments in reactive measures.

Having said that, a few numbers did pop out that suggest that the foundation is being laid for a time when information security may become more strategic. This year more companies employed security executives and focused on integration between physical and information than in the two previous years…”


“…There’s a sudden and dramatic rise in companies monitoring their employees. The upsurge, part of a trend toward more surveillance both in public and in private, can be attributed to several factors.”


“Information security is getting more money, but exactly how much and from where isn’t always clear. It’s more evidence of a lack of strategic direction.”

Alex Eckelberry
(Thanks to beSpacific)

The Microsoft protection racket

Following up on my previous post on Microsoft getting into security software, the outspoken John Dvorak weighs in with his thoughts.

“Does Microsoft think it is going to get away with charging real money for any sort of add-on, service, or new product that protects clients against flaws in its own operating system? Does the existence of this not constitute an incredible conflict of interest? Why improve the base code when you can sell “protection”? Is Frank Nitti the new CEO?

…Microsoft has stayed away from the antivirus, antispyware game for a long time because it knew that there was this inherent conflict of interest unless it gave away such software for free. After all, the exploits utilized by malware are possible because of flaws within the Microsoft code base. There is no incentive to fix the code base if it can make additional money selling “protection.”

It was also obvious that Microsoft was so far behind the curve with antivirus software that it would embarrass itself if it entered that game, although it did quietly come up to speed over the years. But that still begs the question: Why protect the users when you can fix the code?”

I don’t entirely agree with John, but it’s an entertaining article nonetheless.

Alex Eckelberry


Another baffling statistic

On the heels of a well-intentioned but flawed study that showed that the annual risk of ID theft was $24 billion, we now have a new terrifying statistic: 26.7 million Americans will become victims of identity theft.

“In a recent study … of the top 2,000 known spyware threats, they found that 15 percent of spyware is actually stealing all the information typed on an infected computer, by logging the information the user types and then transmitting it to the spyware’s creator. This method is called “key logging,” and was the cause for five percent of the identity theft cases last year.”

OMG.  This is really hyper-inflated data.  There are no definite statistics on the prevalence of keyloggers, but I can assure the ostensibly quaking public that it is far, far less than 15% of all users.   It is a very small number.

I’m talking keyloggers here, people. Stuff that actually steals your bank data, eBay accounts, passwords, etc. Not stuff that grabs search terms and displays contextual advertising. That may not be nice, but it’s not stealing your credit cards.

Yes, we’ve discovered a LOT of keyloggers, over 25 in just the past few months.  But all of them were on unpatched Windows XP systems, and the actual volume of users infected, while not insignificant, was in the range of perhaps thousands on a cumulative basis. 

Now, there are risks out there, and I suppose I should have a sense of gleeful avarice to see others do free marketing for the industry; but on the other hand, the industry can’t go overboard.  Our duty as technologists is to not scare the public off the Internet—rather, provide the education and the tools to help people be safe—and lobby for the infrastructural changes that will effect a safer online experience.

Alex Eckelberry

Is Warcraft spyware?

World of Warcraft

Well, not Warcraft/World of Warcraft per se, but an application called the “Warden Client”, downloaded on the fly from Blizzard servers.

From Rootkit.com:

“I watched the warden sniff down the email addresses of people I was communicating with on MSN, the URL of several websites that I had open at the time, and the names of all my running programs, including those that were minimized or in the toolbar. These strings can easily contain social security numbers or credit card numbers, for example, if I have Microsoft Excel or Quickbooks open w/ my personal finances at the time…

Next, warden opens every process running on your computer. When each program is opened, warden then calls ReadProcessMemory and reads a series of addresses – usually in the 0x0040xxxx or 0x0041xxxx range – this is the range that most executable programs on windows will place their code. Warden reads about 10-20 bytes for each test, and again hashes this and compares against a list of banning hashes. These tests are clearly designed to detect known 3rd party programs, such as wowglider and friends. Every process is read from in this way. I watched warden open my email program, and even my PGP key manager. Again, I feel this is a fairly severe violation of privacy, but what can you do? It would be very easy to devise a test where the warden clearly reads confidential or personal information without regard.

This behavior places the warden client squarely in the category of spyware. What is interesting about this is that it might be the first use of spyware to verify compliance with a EULA. I cannot imagine that such practices will be legal in the future, but right now in terms of law, this is the wild wild west. You can’t blame Blizz for trying, as well as any other company, but this practice will have to stop if we have any hope of privacy. Agree w/ botting or game cheaters or not, this is a much larger issue called ‘privacy’ and Blizz has no right to be opening my excel or PGP programs, for whatever reason.”

Alex Eckelberry
(Thanks Dan)


Update:  Well, this certainly was a roasty hot subject.  I should clarify that Blizzard uses this technology to find “cheaters”, which this fellow defends here.
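The behavior described in the quoted post, one process opening every other process and calling ReadProcessMemory on it, leaves a recognizable trail in endpoint telemetry. The script below is an added example, not code from the original post or from Rootkit.com: it flags any process that opens an unusually large number of distinct other processes with read access. The input is constructed log lines in the style of Sysmon Event ID 10 (ProcessAccess); the image paths and masks are made up for illustration, while the bit values are the real Windows access rights (PROCESS_VM_READ = 0x0010, PROCESS_QUERY_INFORMATION = 0x0400). The threshold and allowlist are assumptions to tune per environment.

```python
"""Flag processes that read memory from many other processes.

Added example, not from the original post or the quoted Rootkit.com text.
LOG_LINES are constructed Sysmon-style (Event ID 10, ProcessAccess) records;
paths and PIDs are invented, the access-right bit values are real.
"""
import re
from collections import defaultdict

PROCESS_VM_READ = 0x0010            # real Windows access right
PROCESS_QUERY_INFORMATION = 0x0400  # real Windows access right

# Constructed sample telemetry (not captured from a real system).
LOG_LINES = [
    "SourceImage: C:\\Games\\client.exe|TargetImage: C:\\Mail\\mail.exe|GrantedAccess: 0x1410",
    "SourceImage: C:\\Games\\client.exe|TargetImage: C:\\Tools\\keymgr.exe|GrantedAccess: 0x1410",
    "SourceImage: C:\\Games\\client.exe|TargetImage: C:\\Office\\sheet.exe|GrantedAccess: 0x1410",
    "SourceImage: C:\\Games\\client.exe|TargetImage: C:\\Office\\books.exe|GrantedAccess: 0x1410",
    "SourceImage: C:\\Games\\client.exe|TargetImage: C:\\Chat\\msgr.exe|GrantedAccess: 0x1410",
    "SourceImage: C:\\Games\\client.exe|TargetImage: C:\\Chat\\msgr.exe|GrantedAccess: 0x1410",
    "SourceImage: C:\\Games\\client.exe|TargetImage: C:\\Web\\browser.exe|GrantedAccess: 0x1410",
    # A task viewer that only queries limited information (0x1000), no VM_READ.
    "SourceImage: C:\\Tools\\taskview.exe|TargetImage: C:\\Mail\\mail.exe|GrantedAccess: 0x1000",
    "SourceImage: C:\\Tools\\taskview.exe|TargetImage: C:\\Web\\browser.exe|GrantedAccess: 0x1000",
    # A backup agent reading two processes: below the threshold.
    "SourceImage: C:\\Backup\\agent.exe|TargetImage: C:\\Mail\\mail.exe|GrantedAccess: 0x1410",
    "SourceImage: C:\\Backup\\agent.exe|TargetImage: C:\\Office\\sheet.exe|GrantedAccess: 0x1410",
    # An AV engine that legitimately scans many processes: handled by the allowlist.
    "SourceImage: C:\\AV\\scanner.exe|TargetImage: C:\\Mail\\mail.exe|GrantedAccess: 0x1410",
    "SourceImage: C:\\AV\\scanner.exe|TargetImage: C:\\Tools\\keymgr.exe|GrantedAccess: 0x1410",
    "SourceImage: C:\\AV\\scanner.exe|TargetImage: C:\\Office\\sheet.exe|GrantedAccess: 0x1410",
    "SourceImage: C:\\AV\\scanner.exe|TargetImage: C:\\Office\\books.exe|GrantedAccess: 0x1410",
    "SourceImage: C:\\AV\\scanner.exe|TargetImage: C:\\Chat\\msgr.exe|GrantedAccess: 0x1410",
    "SourceImage: C:\\AV\\scanner.exe|TargetImage: C:\\Web\\browser.exe|GrantedAccess: 0x1410",
]

LINE_RE = re.compile(
    r"SourceImage: (?P<src>[^|]+)\|TargetImage: (?P<dst>[^|]+)\|GrantedAccess: 0x(?P<mask>[0-9A-Fa-f]+)"
)


def parse(line):
    """Return (source, target, access_mask) or None for a line that does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("mask"), 16)


def memory_readers(lines, threshold=5, allowlist=()):
    """Map each source image to the distinct targets it opened with PROCESS_VM_READ.

    Only sources with at least `threshold` distinct targets are kept, and sources
    on the (assumed, environment-specific) allowlist are dropped.
    """
    allowed = {a.lower() for a in allowlist}
    targets = defaultdict(set)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        src, dst, mask = parsed
        if mask & PROCESS_VM_READ and src != dst:
            targets[src].add(dst)
    return {src: sorted(t) for src, t in targets.items()
            if len(t) >= threshold and src.lower() not in allowed}


if __name__ == "__main__":
    for src, dsts in memory_readers(LOG_LINES, allowlist=["C:\\AV\\scanner.exe"]).items():
        print(f"{src} read memory of {len(dsts)} distinct processes: {dsts}")
```

Counting distinct targets rather than raw events is what separates a scanner from a program that repeatedly polls one peer, and masking on PROCESS_VM_READ keeps ordinary task-list style queries (0x1000, PROCESS_QUERY_LIMITED_INFORMATION) out of the count.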

New Rootkit Detection Tool

I originally found this on Lazy Genius.

This is cool. Joanna Rutkowska has developed a new rootkit detection tool — System Virginity Verifier. Download link.

You can read about it at Rootkit.com. She also has a powerpoint presentation here.

“The idea behind SVV is to check important Windows System components, which are usually altered by various stealth malware, in order to ensure system integrity and to discover potential system compromise.”

She has other tools on her download page.

Note: This is a technical tool intended for advanced users. If you’re just getting into rootkits, I would start with the Sysinternals RootkitRevealer.
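To make the integrity idea concrete, here is an added example in the spirit of the check described above; it is not SVV’s code and does not read real process memory. It compares the bytes of a code section as they are on disk with the bytes as they sit in memory and reports every modified range, recognising the most common stealth-malware edit, a relative JMP written over a function entry, and decoding where it points. Both byte strings are constructed: a fake 32-byte function as it would appear on disk, and the same bytes after hooking. The section base 0x00401000 is an assumed load address (the post quotes the 0x0040xxxx range as typical).

```python
"""Compare an in-memory code section against its on-disk image.

Added example, not SVV's code. DISK_SECTION and the hooked/patched variants
are constructed; SECTION_BASE and HOOK_TARGET are assumed addresses.
"""

SECTION_BASE = 0x00401000   # assumed address of the section in memory
HOOK_TARGET = 0x00410000    # assumed address the constructed hook jumps to

# Constructed on-disk bytes of a small function:
# push ebp; mov ebp,esp; sub esp,0x10; mov eax,[ebp+8]; mov ecx,[ebp+0xc];
# add eax,ecx; mov [ebp-4],eax; mov eax,[ebp-4]; leave; ret; 10 x nop
DISK_SECTION = bytes.fromhex(
    "558bec83ec10 8b4508 8b4d0c 01c8 8945fc 8b45fc c9 c3 90909090909090909090"
)

# Same section after an inline hook: first 5 bytes replaced by JMP rel32.
_rel = HOOK_TARGET - (SECTION_BASE + 5)
HOOKED_SECTION = b"\xe9" + _rel.to_bytes(4, "little", signed=True) + DISK_SECTION[5:]

# Same section with a single-byte patch: the ret replaced by int3 (0xCC).
PATCHED_SECTION = DISK_SECTION[:21] + b"\xcc" + DISK_SECTION[22:]


def diff_ranges(disk, mem):
    """Return (offset, length) ranges where the two images differ."""
    if len(disk) != len(mem):
        raise ValueError("section images must be the same size")
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(disk, mem)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, len(disk) - start))
    return ranges


def describe(mem, base, offset, length):
    """Classify one modified range; a leading 0xE9 (JMP rel32) is an inline hook."""
    addr = base + offset
    if length >= 5 and mem[offset] == 0xE9:
        rel = int.from_bytes(mem[offset + 1:offset + 5], "little", signed=True)
        target = addr + 5 + rel
        return f"inline JMP hook at 0x{addr:08x} -> 0x{target:08x}"
    return f"{length} byte(s) modified at 0x{addr:08x}"


def verify_section(disk, mem, base):
    """Return one finding per modified range, empty if the images match."""
    return [describe(mem, base, off, ln) for off, ln in diff_ranges(disk, mem)]


if __name__ == "__main__":
    for name, image in [("clean", DISK_SECTION), ("hooked", HOOKED_SECTION),
                        ("patched", PATCHED_SECTION)]:
        print(name, verify_section(DISK_SECTION, image, SECTION_BASE) or ["ok"])
```

A real verifier has to discount legitimate disk/memory differences first (applied relocations, the import address table, hot-patch padding), which is why the real tool is described as one for advanced users: a raw byte diff reports every one of those as a finding.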

Alex Eckelberry

Declan McCullagh on spyware legislation

Article here.

“A better solution might sound like a radical one: for Congress to do nothing.”

He’s right that Can Spam was basically garbage (never having it legislated in the first place might have actually reduced spam, not increased it, because Can Spam made it legal to “spam” so long as you met certain requirements).  

The fundamental problem is the patchwork quilt of state legislation that a Federal bill would resolve. The difficulty is that a Federal bill might very well create a “safe harbor” for adware companies that consumers might not actually approve of.

Alex Eckelberry
(Thanks, Ben)


Fears that DHS Cybersecurity might do a FEMA-like bungling

CNET writes this article questioning whether the Department of Homeland Security’s cybersecurity functions are in danger of becoming another FEMA disaster — e.g. reacting sluggishly to a cyber threat.

Well, the answer to me is “of course”.  We expect this vast bureaucracy run by a former lawyer to protect us from a national cybersecurity threat?  We’re on our own here folks.  We’re going to have to take responsibility for our national cybersecurity…and guess what… I think we’ll do a fine job of it judging from what I’ve seen in the security community.  

Alex Eckelberry

10 Pounds of crap in a 5 pound bag

As I’ve written earlier, I often joke that some of these Internet security suites are worse than spyware.  A nasty spyware application does a number of notable things: It pummels you with popups and slows your system down. Internet security suites pummel you with popups (aka security warnings) and slow your system down. But worse, they have the audacity of charging you an arm and a leg.  See Security on the Cheap for my thoughts on the whole matter.

Rob Pegoraro’s latest article in the WashingtonPost proves the point:

“…the complexity of the Symantec and McAfee suites seems to cause them to fail in ugly and destructive ways, according to readers who have written in to complain about these problems week after month after year…Most important, the latest McAfee and Symantec suites just don’t work all that well.”

(By the way, I disagree with Rob’s positive assessment of the Windows firewall in his article, but that’s a different issue.)

When Microsoft announced that they would be getting into the antivirus client-side business earlier this year, one major security company CEO was quoted as saying “we’re going to give Microsoft a whoopin!”.  My first thought was “wow, that is going to be one large can of whoopass—I mean literally”.  Some of these suites are just appalling in their size and bloat. 

Microsoft getting into security software is really not cool. They are hurting their developer ecosystem, and I am tired of Microsoft constantly pushing its way into the space of its developers on one hand while glad-handing on the other (see this video for what I mean).

Now, Stu Sjouwerman has this to say in our enterprise-focused newsletter W2knews, commenting on the business market for antivirus:  

“So Redmond is going head-to-head with the AV community at last. Well, they are going to have a tough time. Basically everyone is already AV-equipped so this is a replacement market. They will have to be a LOT better than existing AV players, and that is going to be hard. And they cannot drop their prices too much, as that will cause the antimonopoly lawsuits to come out of the closet. Good luck Redmond. You are going to need it. More about Ballmer’s announcement at MS PressPass.”

Microsoft may have a tough time of it on the business side, but on the consumer side, some of the companies making security suites are just giving Microsoft a helping hand.  Security companies, mine included — rally, circle the wagons, hide the children, get out the big guns and write the best damned code that you can.   

Alex Eckelberry

September top 10 threats

Update:  <sigh> What I wrote earlier was propaganda done independently by our sister company’s UK office, and is not in line with Official Company Propaganda.  Official Company Propaganda is a deal where we provide this information monthly to a Big Security Magazine. 

Here is the Official Top 10 List, as provided by our Chief of Propaganda.  The data are pulled from the 15th of one month to the 15th of the next month and are identified as high risk threats with the percentage based on number of times each threat was found divided by the number of scans run. These threats are classified high risk or severe based on method of installation among other criteria.


Threat Name | Description | Percentage Found
ABetterInternet.Aurora | Opens popup ads on the desktop based on a user’s surfing history, may disable or uninstall other software, and thwarts uninstallation through the use of resuscitator code. | 5.27%
iSearch.DesktopSearch | Removes the user’s access to Windows Search and replaces it with C:\WINDOWS\isrvs\desktop.exe. | 5.26%
IST.ISTbar | Internet Explorer hijacker that modifies home pages and searches without a user’s consent. | 5.00%
ABetterInternet | Shows advertisements based on web pages viewed and web sites visited. | 4.84%
180search Assistant | Logs the web pages visited and uploads the data to its servers. | 3.87%
ShopAtHome | Installs itself in the Winsock layer of the computer and redirects users to merchant sites in order to take affiliate fees from them automatically without user knowledge. | 3.86%
IST.SideFind | Installs an Internet Explorer browser helper object that includes extra buttons for adware. | 3.68%
eXact.BargainBuddy | BargainBuddy is a Browser Helper Object that watches the pages the browser requests and the terms a user enters into a search engine web form. If a term matches a preset list of sites or keywords, BargainBuddy will display an ad. | 3.21%
CoolWebSearch | CoolWebSearch is part of a strain of trojans that have recently been identified that all have one thing in common: they install through the ByteVerify exploit in the MS Java VM and change the IE homepage, search page, search bar, etc. | 3.18%
IST.PowerScan | IST.PowerScan is advertised through ordinary web pop-ups, and can be installed with help from the ISTBar adware. It monitors a user’s browsing habits and distributes the data back to the author’s servers for analysis. | 2.99%

Our Chief of Propaganda wasn’t happy.  Naughty Alex!  Naughty Naughty Naughty!!!! 

Old post follows for historical context.

Fwiw — from our propaganda department.  Link here.

The top ten most prevalent threats are:

IST.ISTbar  9%
Claria.DashBar  7%
AvenueMedia.DyFuCA  7%
ABetterInternet  5%
IST.SlotchBar  5%
iSearch.DesktopSearch  5%
ABetterInternet.Aurora  5%
WebSearch Toolbar  5%
IST.SideFind  4%
180search Assistant  4%

But what’s cooler is that you can see, in real-time, what the current top threats are as reported by our ThreatNet community.  Just go to this link.

Alex Eckelberry 

AOL Explorer

A family member has been emailing me, raving about the new AOL Explorer.

Ok, it’s slick.  It has tabbed browsing.  It has desktop search. It has built-in spyware scanning. It has built-in WhoIs if you want to check the owner of a website. 

In short, it’s a pretty hot little browser.

But it’s still built on Internet Explorer, so it’s NOT an IE replacement.  It’s basically a really nice enhanced version of IE. 

Let’s compare.  InsultMonger.com, which urges you to install Zango through a Zango-built Flash overlay, looks like this in IE:

[Screenshot: InsultMonger.com rendered in Internet Explorer, showing the Zango Flash overlay]

Here’s what that same page looks like in Firefox:

[Screenshot: the same page rendered in Firefox]

And here’s what that same page looks like in AOL Explorer:

[Screenshot: the same page rendered in AOL Explorer]

In other words, it’s still IE. If you’re sticking with IE, that’s not some terrible thing, but if you’re moving to an alternative browser for security purposes, you’re probably one step better with AOL Explorer over IE, but you’re still better off using Firefox, Opera or whatever else (maybe even Flock, whenever it ships).  

Alex Eckelberry

The End of Late Fees/Identity/Etc.

A closed Blockbuster store gave out the equivalent of free money by apparently dumping a tasty cache of confidential customer data on…the sidewalk.

Following on the heels of their distasteful marketing of the “No Late Fees” campaign, one truly does wonder. (By the way, I recently rented from Blockbuster and actually found the new “No Late Fees” program to be consumer-friendly—it was just that the ad campaign was misleading, as you still got charged if you didn’t return the video.)

Throwing out critical customer data on a sidewalk, though, is completely inexcusable.

Alex Eckelberry
(Hat tip)

Repo man goes digital

There’s this box that some dealers are installing in cars. If you haven’t made your payment, it shuts the car down. Targeted at customers with poor credit, it’s a way for “buy here, pay here” dealers to reduce their risk (did you know that car sales slang for a person with poor credit is “a roach”?).

One such box is made by Payment Protection Systems. Video example here.

In a sense, it’s not much different than the Repo Man coming to get your car if you don’t make your payment. But there’s some hint in this article that this might become more prevalent — remember that modern cars are basically computer-controlled systems.

Alex Eckelberry
(Hat tip to Catherine)

Some big legal bills…and fresh meat for the jails

In just a few days, we get the FTC going after a spyware distributor, the Dutch nailing a group of naughty gents running a zombie army, other naughty boys get caught in England for creating a worm, 10 people got nailed for identity theft, the Tsunami hacker gets nailed, and eXact gets served a class action lawsuit.

Busy busy busy busy…

Alex

Update: The Tsunami hacker thing — that’s not a good catch. I’ve blogged about it here. This guy did not deserve what he got.