Ouch, that’s gotta hurt

Jesper Johansson, co-author of Protect Your Windows Network, wrote me about the weird hosts file that we found out there.

“…it is a really dumb mistake on my part. The concept itself is sound, but the file is horribly flawed. I received it from a friend of mine with the comment that it would block spyware sites. Of course, if you can enumerate them, it would. Unfortunately, being stressed to get the book finished I did not test it like I should. I just trusted his judgment, which turned out to be horribly suspect. The file did not block spyware sites as much as it blocked sites that he considered “annoying.”

After publication we realized the problem and worked with the publisher to fix it. The first two print runs were relatively small and in the third run this file was removed. We instead put a link in there to the one from mvps.org, at http://www.mvps.org/winhelp2002/hosts.htm. That one is sound, and regularly updated.

Sorry for any inconvenience this has caused. I saw your blog post just now and posted a comment to it with this information in it. I really am sorry. I wish I had taken the time to evaluate this file just like I tested all the other software I wrote for the book …

I got the Safari site taken down too. Thanks for letting me know about it. I really am sorry for any trouble this caused… Jesper M. Johansson” 

Dr. Johansson is a highly respected security guru, a Senior Program Manager for Security Policy at Microsoft. Clearly, this was an oversight in the 11th-hour heat of getting a book out.

In short, an honest and forgivable mistake. Fortunately, the distribution of the rogue hosts file is probably limited.

You gotta feel for this guy.

Alex Eckelberry

Spam Stock Tracker

Are you ever curious about how those scammy little stocks advertised by spam actually do?

Check out this site, Spamstocktracker.com.

Hot Stock   Purchase $   Current $   Today     Stock Fell   Purchase Date
WYSK.PK     $0.160       $0.039      0.00      75.63%       May 05, 2005
FCDH.PK     $0.410       $0.0011     +0.0004   99.73%       May 06, 2005
IGTS.PK     $0.030       $0.018      -0.003    40.00%       May 06, 2005
NDIN.PK     $0.085       $0.008      0.00      90.59%       May 06, 2005
AGMG.PK     $0.030       $0.006      +0.0005   80.00%       May 09, 2005
CITC.OB     $2.060       $0.71       0.00      65.53%       May 10, 2005
MOGI.PK     $0.247       $0.125      -0.015    49.39%       May 10, 2005
IFXH.PK     $0.360       $0.10       +0.01     72.22%       May 10, 2005
EOGI.PK     $0.055       $0.018      +0.0015   67.27%       May 10, 2005
LMMG.OB     $0.053       $0.058      +0.007    UP 9.43%     May 11, 2005
LDTI.OB     $3.200       $0.40       0.00      87.50%       May 11, 2005
NCSH.OB     $2.410       $1.40       -0.06     41.91%       May 12, 2005
TSHO.PK     $0.380       $0.36       0.00      5.26%        May 20, 2005
SLXI.PK     $0.360       $0.12       -0.01     66.67%       May 20, 2005
PHXI.OB     $0.006       $0.0003     0.00      95.00%       May 20, 2005
EHPC.PK     $0.040       $0.0023     -0.0009   94.25%       May 20, 2005
VNBL.OB     $0.171       $0.084      +0.001    50.88%       May 24, 2005
MPLK.PK     $0.055       $0.005      0.00      90.91%       Jun 01, 2005
CALB.OB     $0.185       $0.031      -0.0055   83.24%       Jun 01, 2005

Alex Eckelberry
(Tip of the hat to John Murrell)

Common Malware Enumeration Initiative

Link here.

US non-profit IT company MITRE today announced the Common Malware Enumeration Initiative. Headed by the United States Computer Emergency Readiness Team (US-CERT) and supported by an editorial board of anti-virus vendors and related organizations, it should provide a neutral, shared identification method for malware outbreaks.

During a virus outbreak, participants on the CME board request an identifier from an automated system by providing a sample of the virus and as much additional information as possible. An identifier in the format ‘CME-N’ where N is an integer between 1 and 999 is generated and distributed to the other participants. The participants then disseminate the CME identifier to their contacts in the industry and reference the CME identifier on their web pages, in their product, or when speaking to the press.

Mark Harris, director of SophosLabs at Sophos, one of the CME Editorial Board members, commented: “Historically, regulating virus naming has proven difficult for security vendors, because of the need to issue threat protection as quickly as possible to customers. We encourage more anti-virus vendors to participate in this initiative, which will benefit customers involved in securing their computers from malware attack without disrupting the serious work of rapid virus analysis and protection.”

More information on CME is available at http://cme.mitre.org

Alex Eckelberry
(Thanks Jason)

Ummm, this is a little weird, isn’t it?

If you go to this link, you get a hosts file filled up with all kinds of antispyware companies and sites! (For those of you unfamiliar with a hosts file, you can get a definition here.)

Using this hosts file will block most of the known universe of anti-spyware companies and websites. Companies like Lavasoft, Spybot and…Sunbelt. And lots of community sites.

The parent directory has a readme file which lists the contents of the directory as including “a HOSTS file to block spyware”. GULP. From the Readme, one gets that this HOSTS file is part of a companion CD for a book called “Protect Your Windows Network”, by Jesper M. Johansson and Steve Riley.

My guess is that this was once legitimate but the ftp site got hacked and this new hosts file was put up. Who knows. We’re trying to find out.

Do you laugh or cry?

Alex Eckelberry
(Another prop to our Adam Thomas)

Update: I did a bit of checking into this. It turns out we found out about this because a customer called in to our Support department because they were having update issues. Jon Petita, the support engineer, noticed weird entries in the customer’s hosts file… and brought in our spyware research team, and that’s when Adam Thomas in research discovered this weird hosts file out there.

We were hoping it wasn’t in use. But at least one customer was found using it. Thankfully, there was no spyware on his system.

I do hope that there aren’t more people who installed this wacko hosts file (although probably the worst that will happen is that they won’t be able to get to a bunch of antispyware sites and companies).

Sleazy install of the week

Aye, our little naughty venal Sheriff is at it again.

Look at this terrifying screen (the URL is masked as the site returns a backdoor with Trojans, etc.):

[Screenshot: the warning page]

Links point to SpySheriff download.

When you download the program, you get this odd little install screen which points to a EULA at www.spy-sheriff.com/eula.php. The EULA, which you have to manually enter in the address bar to actually see, is actually a EULA for a completely different program — some kind of stock photography/font program.

[Screenshot: the install screen and the unrelated EULA]

Running the scan alerts you to cookies being “severe privacy risks”. Trying to remove these dastardly threats, of course, requires a purchase.

[Screenshot: scan results flagging cookies as “severe privacy risks”]

The irony is the program crashed when trying to do the purchase.

[Screenshot: the purchase screen]

Alex Eckelberry
(Thanks to Adam Thomas here at Sunbelt for discovering this one)

FTC hits another one

Link here:

FTC Seeks to Halt Illegal Spyware Operation
Lure of Anonymous File Sharing Software Exposed Consumers’ Computers to Spyware

The Federal Trade Commission has asked a U.S. District Court judge to halt an operation that secretly installed spyware and adware that could not be uninstalled by the consumers whose computers it infected. The defendants used the lure of free software they claimed would make peer-to-peer file sharing anonymous. The agency alleges the stealthy downloads violate federal law and asked the court to order a permanent halt to them.

According to the complaint filed by the FTC, Odysseus Marketing and its principal, Walter Rines, advertised software they claimed would allow consumers to engage in peer-to-peer file sharing anonymously. With claims like “DOWNLOAD MUSIC WITHOUT FEAR,” and “DON’T LET THE RECORD COMPANIES WIN,” the defendants encouraged consumers to download their free software. The agency charges that the claims are bogus. First, the software does not make file-sharing anonymous. Second, the cost to consumers is considerable because the “free” software is bundled with spyware called Clientman that secretly downloads dozens of other software programs, degrading consumers’ computer performance and memory. Among other things, this accumulated software replaces or reformats search engine results. For example, consumers who downloaded the spyware may try to conduct a Google or Yahoo! search. Their screens will reveal a page that appears to be the Google or Yahoo! search engine result, but the page is a copy-cat site, and the order of the search results is rigged to place the defendants’ clients first. The bundled software programs also generate pop-up ads and capture and transmit information from the consumers’ computers to servers controlled by the defendants.

The FTC charged that the defendants have an obligation to disclose that their “free” software download caused spyware and adware to be installed on consumers’ computers. But instead, the FTC alleges, they hide their disclosure in the middle of a two-page end-user licensing agreement buried in the “Terms and Conditions” section of their Web site. In addition, the FTC alleges that the defendants deliberately make their software difficult to detect and impossible to remove using standard software utilities. Although the defendants purport to offer their own “uninstall” tool, it does not work. In fact, it installs additional software, according to the FTC’s complaint.

The FTC charges that the practices of Odysseus Marketing and Walter Rines are unfair and deceptive and violate the FTC Act. The agency will seek a permanent halt to the practices.

The defendants are based in Stratham, New Hampshire.

Alex Eckelberry
(Thanks Suzi!)

How one bank is bringing down phishers

Interesting read in CSO magazine. Link here via beSpacific (which also has other related articles on the subject).

In this article, the bank profiled has a fine-tuned system where it gets rapid notification of a new phishing attack, and then starts the process of getting the server shut down.

There is also a hint that the bank may use “dilution”, a polite term for something bordering on a denial of service attack — putting in fake account information below the threshold of an illegal DoS — something like what you see with PhishFighting.com.

Alex Eckelberry 

The criminal element tries to steal from Google

There’s been discussion going around among elite antispyware security forces about Google’s Toolbar being “whacked”.

What’s happening is that some criminal gang out there is installing a hacked version of the Google Toolbar via stealth on a relatively small number of systems. Ostensibly, this is to give them the aura of legitimacy for their own nefarious means (for example, getting people to think they’re using Google, when in fact, they’re using something else).

The important question is: Why is this different from stealth installs by adware companies?

Why is this an important question? Because adware/spyware companies will inevitably point to this install as being something that makes them innocent of stealth installs that occur from their own affiliates and distributors (“you see, it’s even happened to Google, we’re all the victims of rogue distributors”, etc.). In fact, we’ve already had one adware company approach us on this issue.

There are vast differences between this single unauthorized install of the Google Toolbar and the massive number of illegal force-installs (to say nothing of the continuing installs with sub-standard, inadequate notice and disclosure) that have been going on for years by some adware/spyware companies.

For example:

1. This Google Toolbar install is completely unauthorized

The bad guys installing Google Toolbar are doing it without any  participation or knowledge on Google’s part whatsoever. The toolbar itself is not even being pulled from Google’s servers. It’s a hacked version being installed from the bad guys’ own servers. That’s quite a bit different from non-consensual adware installs, which sees the bad guys operating within adware companies’ own affiliate distribution channels and using adware companies’ own installers and servers to install software.

2. Google is the innocent victim here

At the heart of this rogue install is a HOSTS file hijack that directs network requests for Google to the bad guys’ own servers. Thus, these installs are being used to spoof Google and hijack traffic away from Google’s sites and services. Google derives no benefit whatsoever from these hijacks, even unintentionally or unwittingly. Rather, it suffers as a result of these hijacks, which exploit Google’s good name even as traffic is driven away from their sites and services. Again, this is quite in contrast to non-consensual adware installs, where adware most certainly does derive economic benefit from force-installs, which expand an adware company’s advertising base and drive traffic to its sites and services.

3. Google did nothing to incentivize these hijacks

Google is not paying for these installs and the motive behind them is not to get paid by Google, quite unlike non-consensual adware installs, which occur precisely because adware companies provide the economic incentive to perform stealth installs of adware software (best example: installs of adware/spyware through bot-nets).

Google’s hands are clean; the hands of a number of adware companies are most certainly not. We predict that no one in the security community will be wringing their hands over whether to target Google toolbar for detection and removal, because this install (including all the accompanying malware files) is easily distinguished from legitimate Google Toolbar installs.
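The HOSTS file hijack described in point 2, and the rogue “anti-spyware” hosts file in the post above that blackholes Lavasoft, Spybot, Sunbelt and friends, are the two ways a hosts file gets abused: a name is either pointed at a dead address so the site becomes unreachable, or pointed at someone else’s server so traffic is silently redirected. As an added illustration (this is not code from the original posts, nor from Sunbelt or Google), here is a small Python audit that parses a hosts file and reports both kinds of entry for a watch list of domains. The sample hosts file and the watch list of domains are constructed for the example; a real deployment would use a vetted list of the vendor and service domains you care about.

```python
import ipaddress

# Constructed sample hosts file (not from the page). It mixes ordinary entries
# with the two abuses described above: anti-spyware sites blackholed to the
# loopback/unspecified address, and Google names redirected to a remote host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net       # ordinary ad-blocking entry, left alone
0.0.0.0         www.lavasoft.com         # blackholes an anti-spyware vendor
127.0.0.1       www.safer-networking.org
127.0.0.1       www.sunbelt-software.com
192.0.2.44      www.google.com           # redirects Google to a third-party server
192.0.2.44      toolbar.google.com
not-an-ip       junk.example             # malformed line, must not crash the audit
"""

# Example watch list of domains that a hosts file should never blackhole or
# redirect. These entries are assumptions for this example, not a vetted list.
WATCHED_DOMAINS = (
    "lavasoft.com",
    "safer-networking.org",
    "sunbelt-software.com",
    "mvps.org",
    "google.com",
)


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file.

    Comments ('#' to end of line) and blank lines are skipped; a line whose
    first field is not an IP address is ignored rather than raising.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for hostname in fields[1:]:
            yield line_no, ip, hostname.lower()


def watched_domain(hostname):
    """Return the watch-list domain that hostname falls under, or None."""
    for domain in WATCHED_DOMAINS:
        if hostname == domain or hostname.endswith("." + domain):
            return domain
    return None


def audit_hosts(text):
    """Return a list of (line_no, kind, hostname, ip_string) findings.

    kind is 'blackhole' when a watched name is mapped to a loopback or
    unspecified address (the site becomes unreachable) and 'hijack' when it
    is mapped to any other address (traffic is sent to someone else's server).
    """
    findings = []
    for line_no, ip, hostname in parse_hosts(text):
        if watched_domain(hostname) is None:
            continue
        kind = "blackhole" if (ip.is_loopback or ip.is_unspecified) else "hijack"
        findings.append((line_no, kind, hostname, str(ip)))
    return findings


if __name__ == "__main__":
    for line_no, kind, hostname, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind:9} {hostname} -> {ip}")
```

To run it against a real machine, read the contents of C:\Windows\System32\drivers\etc\hosts (or /etc/hosts) and pass the text to audit_hosts; entries that map an unwatched name to 127.0.0.1 or 0.0.0.0 are deliberately left alone, since that is exactly what a legitimate blocking hosts file such as the mvps.org one does.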

Alex Eckelberry
(Thanks to Eric Howes for his extensive contribution to this post).

Undocumented command line interface for CounterSpy

These are unsupported and undocumented… but might be useful to some out there.

To use this, open up a command prompt and go to the CounterSpy program files directory. In version 1.5, this would be program files\sunbelt\counterspy\consumer.

The command line is Counterspy.exe, followed by one or more of the parameters below.

These are the command line switches you can use in CounterSpy version 1.5:

Counterspy.exe [-parameters] [-parameters]

-update: starts a check for updates and, if any are available, downloads them.

-scan: scans the system, with optional parameters.

Optional scan parameters:
    -withMainUI
    -withUI
    -withResultUI

So, for example, you could type Counterspy.exe -scan -withui -withresultui

Try it, pretty nifty.

[Screenshot: CounterSpy scan started from the command line]

Alex Eckelberry

New CounterSpy released

Our version 1.5 is now released. News of it trickled out to some forums last week but now it’s official.

This new version is primarily under-the-hood stuff. We did a lot of work on the spyware removal portion of the engine, as well as some minor work on the UI.

CounterSpy customers will be upgraded automatically over the next few weeks through the program (the reason that it doesn’t happen all at once is the massive bandwidth needed to upgrade so many people—our new OC3 is helping though).

If you have CounterSpy and are dying to get the new version right away, you can download it immediately by going here.

Alex