Does Government data mining violate the 4th Amendment?

The Fourth Amendment of the Constitution protects against “unreasonable searches and seizures”. (For the reasons why the Fourth was created, see this article).

Over 50 federal agencies are either currently performing or planning to perform data matching and mining, in some cases for anti-terrorism reasons.

So does this violate the Fourth?

According to an article in a forthcoming Georgia Law Review by Daniel Steinbock of the University of Toledo, it seems it might. To wit: “The most striking aspect of virtually all anti-terrorist data matching and data mining decisions is the absence of even the most rudimentary procedures for notice, hearing, or other opportunities for meaningful participation.”

Alex Eckelberry
President

Other Person Syndrome

Are friends, family and boyfriends the root of spyware infestations? Security researchers the world over have noticed a trend when it comes to spyware and virus infections: the Other Person Syndrome (OPS).

Invariably, researchers who encounter a severely infested machine will notice that the infection did not necessarily come from the primary user. Instead, it came from a boyfriend, the babysitter, the kids or a friend who “just used the computer for a bit”.

The lesson here is obvious: People bring their own bad habits into your computer and can wreak havoc.


Of course, this is all anecdotal, but there’s a big fat grain of truth in there. A while back, I did some spyware de-infestations on a couple of neighbors’ systems. One had a babysitter who would come over to sit their child, and the machine would start getting all funky with spyware. Another had two teenage daughters, who were active on the ‘net (oh man, that was a bad infestation — really bad). I believe that the kids and the sitter were responsible for the infestations.


Eric Howes, who gave me the idea for this blog entry, says more to support this position:


“I’ve cleaned a lot of my students’ PCs over the years. Most of them have been females. And every single one tells the same story: ‘My PC was running fine until my boyfriend visited this weekend. He used it for a few hours. And now my PC is deluged with porn pop-ups and something trying to dial out from my modem.’ It’s the same story every single time. And if the boyfriend happens to be under 25 years of age, you can be sure the PC is riddled with porn dialers.”


He points out that “Caroline” is now telling that very story at BroadBandReports:  

The strange thing is that for the past 3 years, I have not had a problem. The occasional mydoom was getting stopped by norton antivirus and the odd thing popped up here or there. It has been in the past few months I keep getting problems.

It came to a head when I was on holiday and my boyfriend was using my PC – and he said he got 6 consecutive alerts of viruses coming through email. All got stopped apart from smitfraud. So when he could not eradicate it, he purchased Xoftspy and another program which he was told would get rid of it.


Since then, Norton rarely reports email alerts and NEVER reports anything on virus scans – I have always used liveupdate every day or so.

Now, We Know for A Fact That Men are Inherently Bad (an argument supported by empirical evidence). But I think the problem is much larger than just men. We see people getting infected in all kinds of places; you might find spyware on horoscope sites, lyric sites and wrestling sites. Of course, playing on the dark edges of the internet (the two Ps — porn and piracy) certainly increases your chances of infecting your pristine machine, but there’s plenty of stuff out there for everyone—naughty or nice.


What should you do apart from the normal type of security things?  Primary users on their computers should set up accounts with Restricted Access to avoid the dreaded OPS.  You as an administrator can control what’s installed, but when someone else wants to use your PC, put them on a Restricted Account.  Password protect your own Administrator account.


Heck, it IS your computer, after all.


Alex Eckelberry


Zotob

Contrary to your probable first impression, Zotob is NOT the third bastard child of Haruk the Klingon. 

In fact, it’s a nasty new worm that uses a vulnerability in Plug and Pray, allowing a remote attacker to control a Windows system remotely.

Windows 2000 systems are particularly at risk, although XP and Server 2003 systems also carry some risk of infection.

According to SANS:

“The worm will download the main payload from the infecting machine. Once a machine is infected, it will become an ftp server itself. It will scan for open port 445/tcp. Once it finds a system with port 445 listening, it will try to use the PnP exploit to download and execute the main payload via ftp.

Important facts so far:
– Patch MS05-039 will protect you
– Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon.
– Blocking port 445 will protect you (but watch for internal infected systems)
– The FTP server does not run on port 21. It appears to pick a random high port.”

Patch those systems!

Note that in certain rare cases, Zotob can infect Windows XP and Windows Server 2003 systems, if the computers were set up to enable null sessions. See the PC World article here.
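SANS’s advice to “watch for internal infected systems” is the hard part once 445 is blocked at the perimeter. The following is an added example (not SANS or Sunbelt code) that flags a source host touching many distinct hosts on 445/tcp within a minute, which is what the worm’s sweep looks like in a connection log; the four-field log format is constructed for the example, so a real firewall or netflow export needs its own parser.

```python
"""Flag internal hosts that sweep 445/tcp the way the Zotob worm does.

Added example for this post, not code from SANS or Sunbelt. The input is a
constructed four-field connection log (timestamp, src, dst, dport); a real
firewall or netflow export needs its own parser but the same logic.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: 10.0.0.5 hits twelve distinct hosts on 445 inside six
# seconds (worm-like sweep); 10.0.0.7 talks to one file server twice (normal);
# 10.0.0.9 is web traffic and is ignored entirely.
SAMPLE_LOG = """\
2005-08-15T10:00:01 10.0.0.5 10.0.1.1 445
2005-08-15T10:00:01 10.0.0.5 10.0.1.2 445
2005-08-15T10:00:02 10.0.0.5 10.0.1.3 445
2005-08-15T10:00:02 10.0.0.5 10.0.1.4 445
2005-08-15T10:00:03 10.0.0.5 10.0.1.5 445
2005-08-15T10:00:03 10.0.0.5 10.0.1.6 445
2005-08-15T10:00:04 10.0.0.5 10.0.1.7 445
2005-08-15T10:00:04 10.0.0.5 10.0.1.8 445
2005-08-15T10:00:05 10.0.0.5 10.0.1.9 445
2005-08-15T10:00:05 10.0.0.5 10.0.1.10 445
2005-08-15T10:00:06 10.0.0.5 10.0.1.11 445
2005-08-15T10:00:06 10.0.0.5 10.0.1.12 445
2005-08-15T10:01:00 10.0.0.7 10.0.0.2 445
2005-08-15T10:01:30 10.0.0.7 10.0.0.2 445
2005-08-15T10:02:00 10.0.0.9 10.0.0.3 80
"""


def parse_log(text):
    """Return a list of (datetime, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def find_smb_sweepers(records, window_seconds=60, min_targets=10, port=445):
    """Map each source to the largest number of distinct port-445 destinations
    it touched within any sliding window of window_seconds; only sources that
    reach min_targets are returned. Those hosts are the ones to isolate and
    check for the MS05-039 patch."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == port:
            by_src[src].append((ts, dst))
    sweepers = {}
    for src, events in by_src.items():
        events.sort()
        window = deque()           # events inside the current time window
        active = defaultdict(int)  # dst -> hits inside the window
        peak = 0
        for ts, dst in events:
            window.append((ts, dst))
            active[dst] += 1
            # Expire events older than window_seconds before measuring fan-out.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _old_ts, old_dst = window.popleft()
                active[old_dst] -= 1
                if active[old_dst] == 0:
                    del active[old_dst]
            peak = max(peak, len(active))
        if peak >= min_targets:
            sweepers[src] = peak
    return sweepers


if __name__ == "__main__":
    for host, fanout in find_smb_sweepers(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {fanout} distinct 445/tcp targets within one minute")
```

A legitimate file server client rarely fans out to dozens of distinct hosts on 445 in a minute, so the threshold can be tuned per network without much noise.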

Alex Eckelberry 
(Tip ‘o the hat to Eric)

iDefense says identity theft ring not related to CWS

Oy vey, if people would only read this blog or contact us before jumping to conclusions.

iDefense, which was recently acquired by Verisign, has analyzed the code for the keylogger we reported on and has released a statement that they have determined “it’s not CoolWebSearch code”.

Of course it isn’t.

Hello, people, we never said it was CoolWebSearch. The call back to the remote server was found during a CoolWebSearch infestation.

Furthermore, when we finally got a hold of the keylogger, we clearly stated that the keylogger is a new variant of the Dumaru/Nibu trojan (and a nasty piece of work).

Also, all the infections we’ve found are on unpatched Windows systems. Link here.

Alex

NIST launches computer vulnerability database

Another website for security professionals to keep in their arsenal.

From the alert:

The new National Vulnerability Database (NVD) from the National Institute of Standards and Technology (NIST) will make it easier for system administrators and other security professionals to learn about vulnerabilities and how to remediate them. The NVD is a comprehensive database that integrates all publicly available U.S. government resources on vulnerabilities and provides links to many industry resources. NVD is built upon a dictionary of standardized vulnerability names and descriptions called Common Vulnerabilities and Exposures.

Updated daily, NVD currently contains information on almost 12,000 vulnerabilities. It allows users to search by a variety of characteristics, including vulnerability type, severity and impact; software name and version number; and vendor name. NVD also can be used to research the vulnerability history of a product and view vulnerability statistics and trends.

Alex Eckelberry
Thanks to beSpacific

Webroot nabs McAfee bigwig

Word on the street: Webroot just snagged McAfee’s Senior VP of Corporate Development, Seksom Suriyapa, to become Sr. VP of Business Development over at Webroot.

Why interesting? It shows the continuing and growing legitimacy (and market share gains) of antispyware companies in a space that should be owned by the AV companies.  Replacing the AV companies’ hegemony in security is a new breed of innovative security companies like Webroot and PC Tools (and I daresay Sunbelt).

Mr. Buggy whip: Meet your friend, Mr. AV.

Alex Eckelberry


CoolWebSearch issues statement

Here is their statement from their website.

--------------------------------------------------------------
News Update (2005-08-09):

As you may have heard, there is a new spyware identity theft ring out there:
http://news.yahoo.com/s/zd/20050808/tc_zd/157623
http://sunbeltblog.blogspot.com/

For some obscure reason, they keep claiming that it has something to do with coolwebsearch. It does not. We urge anyone who has any evidence on this actually being linked to us to come forward and let us know. If one of these people is actually working for us, we will contact the FBI and release his information immediately. In addition we will of course close his account and withhold his or her payment for violation of our rules, as we have done with all the so called “hijackers”.

Our lawyers are currently thinking of suing yahoo and all the other places who posted this article with “CoolWebSearch” in it as the name of the so called exploit for slander. Please get your facts straight before doing these things.

For reference purposes, this is how you find out whether or not a site is related to coolwebsearch: you click a link and you track where the redirections go. If it goes through the CWS ip, which is currently 66.250.74.152, or the domain coolwebsearch.com then it’s CWS, otherwise, IT’S NOT! There are dozens of hijacker outlets out there, and they are all called “CoolWebSearch” by those who do not bother to check their facts before posting articles on news sites.

--------------------------------------------------------------

Please. Sunbelt has never said this keylogger was coming from CWS. We said exactly the following: “This keylogger is not CoolWebSearch. It was discovered during a CoolWebSearch (CWS) infestation, but it actually is its own sophisticated criminal little trojan that’s independent of CWS.”

Alex Eckelberry


Lavasoft finds similar trojan?

Update: I just spoke with Mike Wood, VP of Research at Lavasoft — this is not the same variant of the trojan as we found (they have also updated their database to the one we have been discussing). However, they have some really interesting data, so we are hoping to collaborate.

Very interesting: a confirmation (finally) of the kind of stuff we found. Lavasoft just posted a research note on a trojan and a server which look very similar to the one we found. Good stuff and well done to these guys. We’re pinging Lavasoft (currently closed, as they are in Sweden) to find out more. Different variant or the same one? We should hopefully know more soon.

Alex Eckelberry
President

Fix for the Srv.SSA-KeyLogger

Update: Click here for more information on the types of systems infected.

Press release here.

We have issued an immediate security fix to thwart the newly identified spyware keylogger uncovered by Sunbelt’s Research Team. This is the keylogger that is behind the identity theft ring.

The spyware keylogger, named Srv.SSA-KeyLogger, is a backdoor program that, among other things, secretly steals data from users’ internet sessions, including logins and passwords from online banking sessions, eBay, PayPal, and other programs that use html forms to collect personal information.

It is a new variant of a family of existing trojans generally known as Dumaru or Nibu. We believe Kaspersky has this described as Win32.Dumador.df, but it is doubtful if many other antispyware or antivirus applications have definitions for it (McAfee, Panda and Symantec don’t catch it, but there are a number of AV programs that do, like Kaspersky and BitDefender — and Lavasoft may have the fix).

Update: Most AV vendors have this thing now.

As we’ve written before, this keylogger was identified as a result of one of Sunbelt’s lead spyware researcher’s earlier discovery of a massive online identity theft ring in which thousands of unsuspecting computer users’ personal data had been compromised.

In a sense, the news is not the keylogger itself–these are a dime a dozen these days. The news is that it was one of the rare times that a security company has been able to stumble onto such an extraordinary cache of compromised end-user data.

Anyway, to protect users from this harmful keylogger, new definitions are being added for both the CounterSpy and CounterSpy Enterprise antispyware products.

Updates to the consumer edition of CounterSpy are available immediately, while customers of the enterprise edition will receive the updates shortly upon completion of platform testing by Sunbelt.

Protecting yourself against this keylogger: On Thursday, Sunbelt will be offering a free detection and removal tool on its website specifically targeted at this keylogger.

As an alternative, users can immediately download the two week trial version of CounterSpy, which provides free scanning and remediation for this keylogger and a large number of other spyware threats.

More details on the Srv.SSA-KeyLogger will be posted on Sunbelt’s Research Center.

Sunbelt is sharing data on the keylogger with other major security companies to ensure the industry has the information necessary to react rapidly to this threat.

CounterSpy Definition Updates that have this threat signature:

CounterSpy Consumer 1.0.29 – 216
CounterSpy Enterprise 1.5.x – 217
CounterSpy Consumer Beta 1.5.x – 217

Alex Eckelberry

The keylogger from hell

Update: Fix and new data here. Also, to understand the types of systems infected (all of them were unpatched XP systems), click here.

Ok, we have the latest on this identity theft ring. And it’s pretty interesting.

Remember that all we found was the cache of data from the thieves — we didn’t have the actual keylogger that was responsible for it. We had a keylogger we had found that was similar and provided us some clues, but not this specific one that was reporting all this data back.

So we had to find the keylogger. That entailed trying to actually get a hold of a machine.

Last night, we finally got an infected machine and were able to figure out what’s going on.

Briefly:

– Its footprint is extremely small — about 26k.

– It seems related to the CoolWebSearch gang, but that is still not certain.

– It is related to the Dumador/Nibu family of trojans. The keylogger executable is winldra.exe.

– It runs under Internet Explorer (IE), so for the average user it will generally go undetected even if you’re using a software or hardware firewall. So much for my ranting about the need to run a software firewall.

– It turns off the Windows firewall.

– It steals data from the IE Protected Storage area.

– It steals data from the Windows clipboard.

– As is normal with Dumador/Nibu variants, it steals logins and passwords from a number of programs: WebMoney, Far Manager and Total Commander; and modifies the hosts file to stop access to Trend Micro, Mcafee.com, Symantec.com, Etrust/Computer Associates, AVP, Kaspersky, F-secure, etc.

Since one thing it does is steal the IE Protected Storage area, you can protect this data by turning off all the AutoComplete stuff in IE.
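The hosts-file change is the one symptom in the list above that an administrator can check for by hand, and the same check also helps with the entry in the earlier “Identity Theft? What to do?” post about scanners not catching this thing. The following is an added example, not Sunbelt’s removal tool or CounterSpy code: it parses a hosts file and reports any mapping for the vendors the post names. The vendor name fragments are taken from that list, and the hosts-file content is constructed.

```python
"""Find hosts-file entries that block or redirect security-vendor sites.

Added example for this post, not Sunbelt's removal tool. The vendor list is
taken from the names the post says the trojan blocks; the hosts-file content
is constructed. On a real system read %SystemRoot%\\System32\\drivers\\etc\\hosts.
"""
import ipaddress

# Name fragments for the vendors the post lists (Trend Micro, McAfee, Symantec,
# eTrust/CA, AVP, Kaspersky, F-Secure). Matching on fragments rather than exact
# domains also catches subdomains such as liveupdate.symantec.com.
VENDOR_FRAGMENTS = ("trendmicro", "mcafee", "symantec", "etrust",
                    "avp", "kaspersky", "f-secure")

# Constructed sample: Microsoft's stock header, the localhost line, a legitimate
# intranet pin, and four entries of the kind the keylogger writes to cut off
# updates and support sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.20    intranet.example.local
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com
0.0.0.0         downloads.kaspersky.com
127.0.0.1       www.mcafee.com    # trailing comment, still parsed
"""


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping, skipping comments/blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field; a real tool should report it
        for name in fields[1:]:
            yield str(addr), name.lower()


def is_vendor_host(name):
    """True when the hostname contains one of the vendor name fragments."""
    return any(fragment in name for fragment in VENDOR_FRAGMENTS)


def find_hijacked_entries(text):
    """Return [(ip, hostname)] for vendor names pinned to any address.

    Pinning to 127.0.0.1 or 0.0.0.0 is the blocking trick from the post; a pin
    to any other address would be a redirect to someone else's server, so every
    vendor mapping is reported and the address is left for the analyst.
    """
    return [(ip, name) for ip, name in parse_hosts(text)
            if name != "localhost" and is_vendor_host(name)]


if __name__ == "__main__":
    for ip, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

A stock Windows hosts file contains only the localhost line and comments, so on a workstation any vendor mapping at all is worth a look.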


So far as we know, this keylogger is not detected by a number of the major AV companies. We are coming out with a fix in the next several hours which will be available a) to customers running CounterSpy (or the free trial) and b) through a free application we will make available.

Of course, we will be sharing data on this keylogger with AV vendors and antispyware companies, so definitions should start to propagate out from a number of other sources as well.

I will keep this blog updated as we get more data.

Alex

Identity Theft? What to do?

Update: See latest blog entries to get the latest info on this little bugger.

I’ve got some people asking me what to do to verify that they don’t have this keylogger.

The FBI is acting very aggressively on the matter, which then puts us in the odd position of needing to remain quiet about the details. This is a different type of trojan than others, because of the fact that researchers were able to see the data coming in.

So get a software firewall in place that has outbound protection. Try Sygate’s free one. Most antispyware or antivirus programs will not likely have caught this thing (as of 8/10, Symantec, McAfee and Panda don’t detect it, but there are a number of others that do, like Kaspersky and BitDefender. Lavasoft may have a fix as well, and we have shared the data with WebRoot and other security companies).

Then, update to the latest patches in WindowsUpdate. We’ve found that your chances of getting infected go up dramatically if you’re not patched.

Note that a software firewall is not a guarantee, due to the way this thing operates.

This keylogger is not CoolWebSearch. It was discovered during a CoolWebSearch (CWS) infestation, but it actually is its own sophisticated criminal little trojan that’s independent of CWS.

An antispyware or antivirus program will likely not catch it—and to our knowledge, there are none out there that can detect this thing through a scan of the system. So if you think I’m trying to sell CounterSpy through this news, find another conspiracy story to go after. We had one infected user we found who was quite sophisticated and ran all kinds of scans with various products, to no avail.

Anyway, we’re working on a free fix to get out to people which will be ready in the next 24 hours. But really, for the time being, just get a software firewall in place. It really will help block this thing from being able to do anything (with the caveat noted above).

If you find you’re infected, turn off the computer and start calling your banks, paypal, eBay, credit card companies, whatever.

Oh, and for AV? If you’re on a budget, just use Grisoft’s free one.

Alex Eckelberry

Making your computer run “like new”

This article in CNET discusses ways that Microsoft will be optimizing Vista to make computers run like new.

The big ideas?  Background defragmentation and pre-loading commonly used components into memory.

Are you kidding?

I’ve spent years in the PC utilities space and from my experience: Defragmentation alone doesn’t do the trick, and neither does pre-fetching commonly used components. They might help, but they’re no magic bullet.

In my opinion, defragmentation is largely useless with the speed of today’s hard drives, unless maybe you have a heavily fragmented system. To me, the problem has little to do with hardware or caching. The problem has to do with all the junk that people install on their systems.

Users download smiley icons for their email or some adware program.  Or, they install one of these antivirus suites (aka 10 pounds of crap in a five pound bag) and get an immediate performance hit. 

A billion items in the tray icon are good indicators that the user is on a mission to slow their system down.

Of course, some bloat you just can’t control, like cookie or history bloat.  That’s normal.

A re-architecting of Windows might help, but it’s way too late for that. I admit to being a little nostalgic for the old DOS days, but that’s wishful thinking.

The biggest barrier to Windows operating smoothly is software developers. I remember when coders would rejoice at saving a few k of memory in a program. Elegance was in the craftsmanship and artistry of programming (when I was at Borland, Philippe Kahn used to refer to it as “software craftsmanship”). Now, with most of the big software companies outsourcing their stuff offshore with huge teams of programmers working in high level languages—or new programmers entering the workforce who have only really been exposed to VB or C#—you’re going to get bloat.

So there’s a tradeoff—speed of application development against elegance.  Not all is bad, because fast hardware is so cheap.  

We used to have a joke when I was working in performance utilities. Create a Windows speed booster with a simple mission: It would wipe the drive clean and reinstall Windows. Performance gains could be guaranteed.

Not a bad idea, after all.

Update: I got an email from a friendly fellow who said that I was unduly criticizing defragmentation — that he notices a slowdown within a week if he doesn’t defrag. He says I should say defragmentation is “relatively insignificant”.

Hmm… I’m a wee bit skeptical, although I will agree that significantly fragmented systems should see some speed improvement with defragging. See this article from PC World a couple of years ago (“The PC World Test Center’s tests reveal that defraggers don’t actually improve performance. And Steve Gibson, president of PC consulting firm Gibson Research Corporation, confirmed our findings”).

What do you think? Post a comment.

Alex Eckelberry

More on the identity theft ring

Update: Information on the types of systems infected here. Information on the fix here.

Apologies that we couldn’t post more information — we simply ran out of time. This has been a pretty intense project and in the middle of it, I also had to go out of town. I am currently blogging from a remote location.

Computer World got the scoop on the story, and the author is largely correct. InformationWeek also got it.

We also shared this information with a very small number of trusted security experts, including Suzi Turner at Spywarewarrior. You can see her reaction here.

Here is a quick idea of what happened: Patrick Jordan, our most senior CoolWebSearch (CWS) expert, was doing research on a CWS exploit. During the course of infecting a machine, he discovered that a) the machine he was testing became a spam zombie and b) he noticed a call back to a remote server. He traced back the remote server and found an incredibly sophisticated criminal identity theft ring. (Jordan, before being employed by Sunbelt, was known to the security community as WebHelper.)

Note that we are still trying to ascertain whether or not this is directly related to CWS.

The scale is unimaginable. There are thousands of machines pinging back daily. There is a keylogger file that grows and grows, and then is zipped off and then the cycle continues again (note that while thousands of machines are pinging back, the amount that are being logged into the keylogger file is less than that, but still significant). The server is in the US, but the domain is registered to an offshore entity.

It is very sophisticated; however, we aren’t sharing a lot of data for obvious reasons. We are in contact with the FBI.

The types of data in this file are pretty sickening to watch. You have search terms, social security numbers, credit cards, logins and passwords, etc.

In a number of cases, we were so disturbed by what we saw that we contacted individuals who were in direct jeopardy of losing a considerable amount of money. One particularly poignant moment was a family in Alabama whom I contacted personally last night and warned them of what was going on. This was a family where the father had just had open heart surgery, and they had very little money. Everything personal was recorded in the keylogger — social security numbers, their credit card, DOBs, login and password info for their bank and credit card companies, etc. We were able to warn them in time before they were seriously hurt.

But there is only so much we can do without bringing in extensive external resources. The scale of this thing is massive. As I’ve mentioned before, the keylog file itself grows and grows and then is removed, only to be replaced by a new one. So we are taking down the files as rapidly as possible to save the information. Maybe some law enforcement group can use this information to warn people.

People who ask me what to do get a simple answer: Get a software firewall in fast. Just any decent free one will do the job.

I may be posting samples of the keylog files later but the effort is in the redaction…

Alex

Identity Theft Update

An update on the massive identity theft ring we discovered earlier. The FBI has responded to us and they are working on the case. It looks like they were already working on the case after we originally sent the data in, but we didn’t get any response from them at the time indicating they had received our data.

I will be providing more later as well as some (redacted) samples of what the files look like.

This was discovered by Patrick Jordan, a senior staff researcher here. Patrick is a veteran of spyware, and even he admits to never having seen something like this before. It’s pretty staggering.

Alex Eckelberry

Massive identity theft ring

Update: Fix here. And information on the types of systems infected here.

In some recent research into a spyware exploit, our research team has discovered a massive identity theft ring.

We also found the keylogger transcript files that are being uploaded to the servers.

This is real spyware stuff — chat sessions, user names, passwords, bank information, etc. We have confirmed that this data is valid. Highly personal information, including even one fellow who has a penchant for pedophilia — all logged in detail and returned to a webserver.

Note that there is a LOT of bank information in here, including one company bank account with over US$350,000 and another small company in California with over $11,000 readily accessible. This list goes on and on and on. Of course, there’s also eBay accounts and much more.

We have notified the FBI, but no response just yet. We have notified a few of the parties involved. (Update: It looks like they were already working on the case after we originally sent the data in, but we didn’t get any response from them at the time indicating they had received our data.)

If anyone has any other ideas, send ’em to us. Right now, we’re sitting upon literally thousands of pages of stolen identities that are being used right now.

Alex Eckelberry

Spyware on Blogger

Blog Herald writes about spyware being hosted on Blogspot blogs (Blogspot is the public view of Google’s Blogger).  Ben Edelman wrote about this months ago as well.

Yes, we’ve seen this as well. However, I want to make it clear that this does not mean Blogger hosts spyware or that having a blog will create spyware or any other such nonsense.   Blogger just hosts a blog, and people can put all kinds of junk on it.

How can you get spyware from a Blogger site? Just press NextBlog on the navigation bar on a Blogspot blog. NextBlog randomly goes to another blog, and if you’re lucky, you’ll hit one with a spyware payload! A couple of spyware sites we found are http://everiimoment(dot)blogspot(dot)com/ or http://3verlastin9lov3(dot)blogspot(dot)com/ (don’t go there unless you’re in a VMware session).

Note that a recent check of NextBlog (which is actually just a link to the URL www.blogger.com/redirect/next_blog.pyra?navbar=true) didn’t give us any spyware activity on a number of tests.  We were seeing it last week but not this week.  Go figure.

Here’s what these pages might look like:

However, a lot of what you see when you press Next Blog on Blogger is junk search engine sites, whose whole purpose is to create links that increase search engine results or to get people into a Blogger site and present Google adwords. 

Like this:

My suggestion to the Blogger folks is to perhaps have a button on the Navbar panel which says “Report site”.  This would be useful for reporting any type of naughty site.

Note that there’s spyware out there, but then there’s mental diarrhea like this site.

There’s no accounting for taste.

Anyway, just be aware and I would caution people from using the NextBlog button.

Update:  The venerable Andrew Clover makes a very good point in the comments here.

Alex Eckelberry