Researchers hack BitTorrent, track users

French researchers have found that large amounts of content on BitTorrent are supplied by a relatively small number of people, according to a paper presented at the Usenix Workshop on Large-Scale Exploits and Emerging Threats in San Francisco.

The researchers, from the French National Institute for Research in Computer Science and Control, found a way to monitor the actions of BitTorrent users for more than three months, collecting IP addresses used by nearly 150 million people and identifying two billion copies of the content they downloaded, much of it copyrighted.

The vulnerabilities they found in BitTorrent enabled them to find the IP addresses even when users went through the Tor anonymity service. The Tor project has in the past urged users not to use BitTorrent over Tor.

The paper “Spying the World from your Laptop — Identifying and Profiling Content Providers and Big Downloaders in BitTorrent” was written by Stevens Le Blond, Arnaud Legout, Fabrice Lefessant, Walid Dabbous and Mohamed Ali Kaafar from the Institut National de Recherche en Informatique et en Automatique.

The institute operates from eight locations throughout France under the authority of the French Research Ministry.

News story: “Researchers spy on BitTorrent users in real-time”

This has implications for BitTorrent users on two fronts: security and liability for illegal downloading. If I was a betting person, I’d wager that the two will converge in some very interesting and malicious way shortly.

Tom Kelchner

Facebook Remote Login + Flash drive = stolen credentials

I was in the local library at the weekend, and noticed something a little bit odd at the computer terminal section. A flash drive was sticking out of one of the PCs – more often than not, this is evidence of shenanigans and computers that really should be locked down a little better. Sure enough, this was lurking on the drive:

fake facebook program

As you’ve probably already guessed, anyone using this program should consider changing their Facebook password as soon as possible. This is what you see when you fire the program up:

fake program

As the program loads, a website also pops in the background to give it an attempted air of legitimacy:

fake program website

“this is a program that allows you to visit Facebook from school or work”.

Yes. Of course it is. The program now asks the end-user for their name, email and password, then pops up a reassuring “loading soon” message:

stealing your login

welcome

This is where the smoke and mirrors kick in, with a fake (yet reasonably convincing) list of “things I’m really loading up for you, honest”:

fake loading list

As you can see, the “loading” process goes horribly wrong at the “Search bar” stage – from here, the end-user is only ever going to see one screen and it isn’t the one telling them they’re now logged into Facebook.

fake error

The failed login is blamed on a firewall, and the stolen login credentials are written to the flash drive in the same location as the executable.

stolen login

All the attacker needs to do at this point is reclaim their flash drive, take it home and do various horrible things to the stolen accounts. Always be careful when logging into services at libraries, webcafes, school and work – your alarm bells should be ringing loud and clear whenever you see a flash drive poking out of a public computer.

We detect this as “Trojan.Infostealer”. Thanks to Adam Thomas from Sunbelt’s Malware Research Team for additional testing.

Christopher Boyd

IE losing market share, Chrome gaining

For the first time, Microsoft’s share of the browser market has slipped below 60 percent, according to figures from Net Applications, an Aliso Viejo, Calif., web application and metrics firm.

Browser market share:

Microsoft — 59.95 percent
Mozilla’s Firefox — 24.59 percent
Google Chrome — 6.73 percent
Apple’s Safari — 4.72 percent
Opera — 2.30 percent

Story here.

Tom Kelchner

Rogues rule: fake AV is 15 percent of malware seen by Google

Google has released the results of a year-long study of 240 million web sites, which found that 15 percent of the malware detected was related to rogue security applications. The study was released at the Workshop on Large-Scale Exploits and Emergent Threats at the Usenix conference in San Jose, California.

In the study, done between January 2009 and February 2010, Google researchers said they found 11,000 web sites distributing the rogues.

In Sunbelt’s ThreatNet top-ten detections list for April, a VIPRE detection for a loader (FraudTool.Win32.SecurityTool {v}) for the rogue security product SecurityTool made it to the number 10 spot. That’s a first. ThreatNet is made up of tens of thousands of VIPRE and CounterSpy users who report detections of malicious code on their systems.

Google said it was having some success in the year filtering malicious URLs more quickly.

Story here.

Tom Kelchner

Another call to avoid “admin” privileges

For the second time recently, a security researcher has pointed out that running machines without administrative privileges could significantly improve security.

Mikko Hypponen, the head of research at Finnish AV company F-Secure, said in an interview with The Inquirer that a great way to stop a lot of malware would be to take administrative rights away from online users.

“Most wouldn’t notice (although those who did would be incandescent with annoyance) and most malware would be stopped from functioning. It should have been done already,” he said.

The only drawback might be that the next generation of computer professionals would have a harder time learning how their machines, networks and the Internet work.

Last month we blogged about the story when a security firm made a similar call:

“Los Angeles security firm BeyondTrust has released an analysis of Microsoft’s 75 security bulletins last year. They came to the startling conclusion that if users had operated their computers without administrative rights they would have eliminated 64 percent of their risk from Microsoft vulnerabilities!”

Mikko Hypponen interview here.

Tom Kelchner

Australia’s web censorship effort put on hold

A spokesman for Australian Communications Minister Stephen Conroy has said that legislation that would set up a $120 million Internet censorship system requiring ISPs to block pornography (and information about euthanasia) will not be introduced before Australia’s upcoming elections, possibly October.

Labor party Prime Minister Kevin Rudd stirred up massive controversy when he made an election promise to block “illegal content” on the Internet including pornography.

Critics have said that the censorship wouldn’t be effective, would slow downloads and suppress the free flow of information.

Story ‘ere: “Rudd retreats on web filter legislation”

Last month someone leaked the secret 2,300-page Internet filter blacklist that had been drawn up by the Australian Communications and Media Authority. It showed that the government understated the number of banned Web pages when it said the list was 1,300 pages long.

The list included Web sites of some legitimate businesses including two bus companies, online poker sites, a number of Wikipedia entries, Google and Yahoo group pages, a dental practice and a tour operator.

Story here: “Australia’s Web blacklist leaked”

The Australian Broadcasting Corporation web site has the transcript of a very good debate of the issue on its web site: “Internet filter policy under fire”

One wonders why a government is willing to spend $120 million to require ISPs to block sites that deliver pictures of naked ladies (and suicide advice) but not the ones that steal billions every year pumping spam, downloading malicious code, selling fake medicine or stealing banking and credit card information.

Tom Kelchner

Sophos: US leads in spam relaying machines, China cuts rate steeply

Our good friends at Sophos anti-virus company have released their tabulations of the geographic distribution of spam relaying computers. It isn’t news that the U.S. has the most (13.1 percent) but it IS big news that China has dropped off the Sophos top 12 list.

Graham Cluley at Sophos blogged: “The latest ‘dirty dozen’ stats from Sophos, examining the top twelve countries which are relaying spam from compromised computers, show that China has dropped off the list.

“A new dirty ‘gang of four’ – South Korea, Brazil, India and their ringleader USA – account for over 30% of all the spam relayed by hacked computers around the globe.”

It’s been generally accepted that the U.S. has always led the pack in this statistic because it was the first country out of the chute with adoption of PCs and Internet usage. Along with large numbers of machines on fast Internet connections come bot infections (responsible for a load of spam). Basically, the botnet operators go looking for victims with good machines on fast connections.

Although the U.S. has been in the “dirty dozen” for some time, a longer view shows that it’s less bad than three years ago.

Sophos figures from April of 2007 show that the U.S. was responsible for 19.8 percent of the world’s spam relaying machines. So, by 2010, the U.S. share had fallen by 6.7 percentage points – nearly one third less – of the world’s spamming computers.

It’s just a numbers game though. The ugly fact is that the spammers haven’t gone away, they’ve simply set up shop (or infected machines) in countries that are “coming on line” with more machines with faster Internet connections in the general population. In the Sophos figures, India has risen to second place (7.3 percent) from 11th in 2007 and Brazil rose to third place (6.8 percent) from 9th in 2007. South Korea, which has had great Internet connectivity, remained in fourth place, although its share dropped from seven percent to 4.8 percent.

The top twelve spam relaying countries

Rank chart

In top 12 in 2007, but not in 2010

Rank chart 2

Sophos 2007 figures here.

Sophos 2010 figures here: “China slides off list of top spam-relaying nations”

Tom Kelchner

Backhoe incident in paradise

[Editor’s note: communications have been restored]

All Internet and land line communication at Sunbelt Software went down as of 10:15 a.m. today.

Verizon and Time Warner Internet and land line service in most of Clearwater, Fla., has been blacked out and is expected to be restored by mid afternoon today (EST).

Time-Warner technicians tell us their splicers are repairing a fiber ring that was damaged by a repair crew at the intersection of Drew Street and Betty Lane. The crew was working on overhead lines when their equipment accidentally damaged a box containing fiber cable equipment.

(Thanks to the Dunedin Public Library for Internet connectivity.)

Tom Kelchner

Update 2:15 p.m.

Photos from the scene:

Repair crew at work

Damaged box:
Damaged cables:

(Photos by Dan L.)

Using a PDF file as a downloader

When “doc” stands for “don’t open contents”

Brian Ross, one of our Sunbelt malware removal specialists, found this little gem – a malicious file that arrives as a spam attachment and takes advantage of the newly discovered launch vulnerability in PDF files.

It uses a script in a PDF file to install a back door that starts up whenever Internet Explorer is launched. The infected svchost.exe file that it drops has been around for a while, but using a malicious PDF file to drop it is the interesting new twist. We’ve seen other reports of similar malware out there today.

It’s detected by VIPRE as Exploit.PDF.LaunchExe.

The malicious attachment looks innocuous enough.

PDF_1

Named “doc.pdf,” it displays a popup when opened asking if you would like to launch an external file. Choosing “Do Not Open” simply opens the PDF document. If you choose “Open,” several cmd windows flash by too quickly to read the text they carry.

If you choose “Do not Open,” you can see that there is text above the viewable text in the popup window:

PDF_2

The script loads the PDF document as a text file, looking for strings within that text, dumping it into other VBS files and executing them.

PDF_3

The script appears to create an array, write data to a file named “game.exe” and run it as another VBScript. The result is an entry in the registry that will launch the bogus svchost.exe in “C:\Program Files\Microsoft Common” whenever explorer.exe is started.

Prior to the PDF document being opened, neither “C:\Program Files\Microsoft Common” nor “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe” existed. These items were added following execution of the PDF doc. Details below:

PDF_4

PDF_5

The registry before the threat installs:

PDF_6

And after:

PDF_7

Registry export of the infected key is below:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]

"Debugger"="C:\Program Files\Microsoft Common\svchost.exe"

[bottom line] don’t click on attachments in spam. [/bottom line]
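As an added example (not code from the post or from Sunbelt), the following Python script parses a .reg export like the one above and reports every Image File Execution Options Debugger value, rating a finding “high” when a system binary name such as svchost.exe is launched from outside the system directory, which is exactly the post’s “Microsoft Common\svchost.exe” case. The sample export, the list of system binary names and the ExampleDebugger entry are constructed assumptions.

```python
# Audit a Windows .reg export for Image File Execution Options (IFEO) "Debugger"
# persistence of the kind the post describes: a Debugger value on explorer.exe
# pointing at a fake svchost.exe outside the system directory.
import re
from typing import Dict, List

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options" + "\\")

# Assumed list (not from the post): binaries that belong under the system
# directory. A Debugger carrying one of these names but living elsewhere is
# masquerading, which is exactly the post's "Microsoft Common\svchost.exe".
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample export: the post's key plus a constructed entry for a
# hypothetical developer debugger. Real exports double backslashes in strings.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\ExampleDebugger\\dbg.exe\" -p"
'''

_VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def _unescape_reg_string(value: str) -> str:
    """Strip the surrounding quotes of a REG_SZ value and undo backslash escaping."""
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    return re.sub(r'\\(.)', r'\1', value)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and "name"=value lines into {key: {name: value}}.
    Default (@=) values and multi-line hex data are ignored; not needed here."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = _VALUE_LINE.match(line)
        if match and current is not None:
            name, value = match.groups()
            keys[current][name] = _unescape_reg_string(value) if value.startswith('"') else value
    return keys


def debugger_executable(command: str) -> str:
    """Extract the executable path from a Debugger command line: a quoted path
    followed by arguments, or an unquoted path that may itself contain spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    idx = command.lower().find(".exe")
    return command[:idx + 4] if idx >= 0 else command.split(" ", 1)[0]


def audit_ifeo(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """List every IFEO Debugger value; "high" when a system binary name is
    launched from outside the system directory, otherwise "review"."""
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(IFEO_PREFIX.lower()) or "Debugger" not in values:
            continue
        exe = debugger_executable(values["Debugger"])
        name = exe.lower().rsplit("\\", 1)[-1]
        masquerading = name in SYSTEM_BINARY_NAMES and not exe.lower().startswith(SYSTEM_DIRS)
        findings.append({"image": key[len(IFEO_PREFIX):].lower(), "debugger": exe,
                         "severity": "high" if masquerading else "review"})
    return findings


if __name__ == "__main__":
    for f in audit_ifeo(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{f['severity']}] {f['image']} -> {f['debugger']}")
```

Run it against an export taken with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` to review a live machine; any Debugger value you did not deliberately configure deserves a look.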

Thanks Brian.

Tom Kelchner

Microsoft reissues MS10-025

Fixes WMS on Win2K server

Microsoft has reissued Security Bulletin MS10-025 – the one it pulled last week.

MS10-025 was aimed at fixing a vulnerability in Windows Media Services running on Windows 2000 Server that could allow remote code execution if an intruder sent a specially crafted transport information packet to a system.

Jerry Bryant, Microsoft Response Communications group manager, said last week on the company’s TechNet site: “Today we pulled the update because we found it does not address the underlying issue effectively. We are not aware of any active attacks seeking to exploit this issue and are targeting a re-release of the update for next week.”

MS10-025 here.

Tom Kelchner

Storm botnet: it’s ba-a-a-a-a-ck

The Honeynet Project blog is carrying an article about a new botnet that appears to be a revival of the Storm Worm network that died out in 2007 — once one of the biggest on the Internet.

They said Steven Adair from Shadowserver found that the new botware uses the same configuration file (C:\WINDOWS\herjek.config) as Storm. The new version, however, uses an HTTP-based command-and-control channel instead of peer-to-peer.

This is good news if you enjoyed the penis pill, dating service and on-line pharmacy spam that Storm was pumping out three years ago.

Honeynet project blog here.

The Register story “Infamous Storm botnet rises from the grave” here.

Tom Kelchner

What do you call people who disclose vulnerabilities irresponsibly?

“Narcissistic Vulnerability Pimps”

Is it just my perception or are there a diminishing number of good rants on the Internet?

“Admin” on the Verizon Security Blog posted a really great one last week that deserves comment.

“Admin” is David Kennedy who has been with the research group(s) of NCSA/ICSA/Verizon Business for about 15 years. I worked for him. He took the literary form of the rant to levels that have only rarely been reached in the history of human thought. His rants were so awe inspiring that we began documenting them in a “Best of Kennedy” document.

But I digress.

Last week he posted a blog piece “Redefining ‘Security Researcher’”. In it he decries “researchers” who ignore the traditions of responsible disclosure and reveal vulnerabilities in applications or operating systems for the questionable glory of it.

He writes:

“Ugh; we really need to clean up our language. This begins with setting a few principles and regularly using more accurate descriptors in our publications and daily conversations.”

. . .

“We at Verizon Risk Intelligence do hereby adopt and resolve to faithfully use the following definitions:

“Security Researcher: One who studies how to secure things and/or how things are not secure in order to find a solution.

“Security Practitioner: One who applies the findings of the Security Researcher in order to make things more secure.

“Narcissistic Vulnerability Pimp: One who – solely for the purpose of self-glorification and self-gratification – harms business and society by irresponsibly disclosing information that makes things less secure (or increases risk).

“Criminal: One who actively subverts security without authorization or deliberately creates ways for others to do so.

“It’s time to draw a line in the sand. If you too are tired of seeing criminals elevated to a podium of legitimacy and bestowed the same job title you possess, join us. We’d be grateful to have the company.”

Tom Kelchner

Men in blue suits raid Gizmodo

“Finders keepers” isn’t exactly a legal concept

Many bloggers and commentators are making much of the fact that San Mateo police served a search warrant on the home of Gizmodo blogger Jason Chen and confiscated computers, servers and other equipment, probably as a result of his postings about the capabilities of the lost prototype Apple 4G iPhone.

Gawker Media, which owns Gizmodo, made public the fact that it paid $5,000 for the prototype iPhone which was accidentally left in a bar by one of Apple’s software engineers last month.

Gawker publisher, Chief Operating Officer Gaby Darbyshire, has claimed that the search was unlawful because Chen is a journalist and protected by shield laws.

Tech Herald story here.

New York Times coverage here.

The claim that Chen is a “journalist” protected by shield laws is so far off base it’s absurd. If a journalist COMMITS a crime he isn’t protected under any shield law. Shield laws only protect journalists from punishment for failing to reveal their sources.

Chen and Gawker basically presented the prosecution with a prima facie case. They publicized the fact that Gawker paid $5,000 for the iPhone and had physical possession of it. Chen appears in a video with it.

If you find something and keep it, that falls under laws with names like “theft of property lost or mislaid.” And if you buy something you know was stolen, well, that’s “receiving stolen property.”

Gawker and Chen really should have known that something as valuable as a prototype next-gen iPhone was high profile enough that there was going to be some legal action. And along with a conviction will be restitution for damage to Apple that could be in the range of millions of dollars.

Shield laws are intended to protect journalists working in the public interest – which generally translates to investigating government misfeasance, malfeasance or nonfeasance.

Publicizing the fact that you paid for a stolen prototype so you can scoop the world and reveal its features is way-not public interest. It’s just dumb. It’s world-class dumb. It’s “let’s-invade-Russia-in-October” class dumb.

This isn’t about protecting the rights of journalists/bloggers, it’s about breaking the law to get a scoop.

Tom Kelchner

Solving CAPTCHAS as cottage industry

Make big money! $.80 to $1.20 per 1,000

People in China and Bangladesh are bidding on jobs solving CAPTCHAs so spammers can create new email accounts, but the work is a bit tedious, according to a story in the New York Times. Many brokers and middlemen who manage the service for spammers and do the hiring are finding it difficult to make a profit.

CAPTCHA is an acronym for “completely automated public Turing test to tell computers and humans apart.” CAPTCHAs are used by Web email providers to prevent spammers from using automated agents to create new email accounts to send spam.

Macduff Hughes, an engineering director at Google, said: “It can’t be helped that paid human solvers will be able to solve CAPTCHAs. Our goal is to make mass account creation less attractive to spammers, and the fact that spammers have to pay people to solve CAPTCHAs proves that the tool is working.”

Story here: “Spammers Pay Others to Answer Security Tests”

Well, it’s at least good to know that all that irritating spam is providing spending money for adolescents in third world countries. But that’s a little bit like saying that the upside to the Irish potato famine was that it made work for businesses that sold coffin hinges.

Tom Kelchner

We’re running out of IPv4 addresses: will the world really end in 2012?

It’s not the Mayan calendar – it’s the end of address space that could do us in.

IPv4 addressing protocol (32 bits) allows for four billion IP addresses. You’d think that four billion of anything would be enough, but it isn’t. It’s predicted that some time in the next year or two we’re going to run out of them.

IPv6 (128 bits) allows for 3.4 times 10 to the 38th power addresses. That’s actually 340.3 undecillion. It’s a lot. Every Internet user on earth could get an IP address for each of his teeth, his cat’s teeth and his toaster and it wouldn’t even put a dent in the possible range.

Sean Michael Kerner, writing on the Enterprise Networking Planet web site, has done a feature “IPv4’s Last Day: What Will Happen When There Is Only IPv6?” that foresees the American Registry for Internet Numbers (ARIN) and the other four regional Internet registries doling out smaller blocks of addresses as fewer and fewer become available.

Sunbelt Software Sales Engineer Phil Owens doesn’t foresee the end of anything; he foresees the beginning of a market for IPv4 addresses as enterprises sell off the address space they don’t need.

So, the long-anticipated switch over to IPv6 will really happen NOT when ARIN runs out of IPv4 addresses, but when the IP addresses for sale get more expensive than switching networks over to IPv6.

Since those IP addresses could be “dirty” — used in the past — the new users could get unwanted traffic on them too. And that’s another reason to switch to IPv6.

So, the IPv4 world will end with neither a bang nor a whimper. It will just limp along, like the owner of a Dodge Dart, making the fixes with aftermarket and junk-yard parts, doing anything possible to hold off that inevitable day when he will be forced to buy another junker and have a car payment.

Unless the Mayan calendar gets us first.

Tom Kelchner

Human factors: SEC staff surfed pr0n as U.S. economy bombed

An acceptable use policy doesn’t enforce itself

The inspector general of the U.S. Securities and Exchange Commission has run 33 investigations in the last five years of agency employees viewing and collecting Internet pornography instead of working, the Associated Press has reported.

In one instance, a senior attorney at the SEC headquarters in Washington, D.C., spent as much as eight hours per day downloading porn, filling his hard drive then burning files to DVDs, which he kept in his office. He resigned.

In another case, an accountant amassed a porn collection on his hard drive using Google Images to get around the network web filtering, which had blocked his attempts to browse porn web sites more than 16,000 times in a month. He received a 14-day suspension.

Seventeen employees who were under investigation were considered at a senior level and made salaries up to $222,000.

The SEC IG said there were two cases in 2007 and 16 in 2008. The massive economic downturn began in mid-2007 and exploded late in 2008.

Story here: “SEC staffers watched porn as economy crashed”

Tom Kelchner

Crook offering 1.5 million Facebook accounts for sale

Your friend on Facebook might be someone else

VeriSign iDefense researchers said they have monitored an underground web forum where a hacker has advertised 1.5 million Facebook accounts for sale. The iDefense group believes the person going by the handle “kirllos” is in Eastern Europe since he posts in the Russian language. The forum he posts in also is used by black market operators in Eastern Europe.

Kirllos is offering the login information for Facebook accounts with 10 friends or fewer for $25 per 1,000 and those with 10 friends or more at $45 per 1,000.

Compromised Facebook accounts can be used in a variety of social engineering schemes, which may succeed because Facebook users put too much trust in messages and posts that appear to come from friends’ accounts.

Story here.

Tom Kelchner

Insurance company in China to pay $318K for software piracy

A first for Microsoft

A court in Shanghai has handed down a guilty verdict against the Dazhong Insurance company for using pirated copies of Microsoft software. The company was told to pay $318,000 in damages.

It is the first time that Microsoft has brought a successful legal action against a Chinese company for copyright infringement.

Story here.

Although the billions Microsoft loses to software pirates each year are bad enough, it’s believed that pirated software can be a serious malcode vector as well. A 2006 study by marketing intelligence firm IDC found that 25 percent of counterfeit software tried to install malcode when it was downloaded.

Media Surveillance, a German anti-piracy firm, said last year that one of its studies found 32 percent of pirated copies of Windows and hacks contained malcode.

Last year Microsoft launched an anti-piracy campaign that included educational initiatives and enforcement actions in over 70 countries to raise awareness of counterfeit software and to protect consumers.

Story here.

Tom Kelchner

Update:

According to the English-language People’s Daily Online, a news outlet of the Chinese Communist Party:

“Evidence used in court showed that Dazhong Insurance used at least 450 copies of pirated software and violated software piracy laws in nine categories. Microsoft demands that Dazhong Insurance should halt the use of pirated software.”

Story here: “Microsoft gets compensation for software piracy in China”

Phishing “Education Test” is blocked…for phishing

There’s a site you may have seen being pinged around on Twitter today, called ismycreditcardstolen(dot)com. This is what it looks like:

Yes, alarm bells were ringing for me too. “If you fear your credit card info has been stolen, enter it here and you can find out for free.” (Emphasis mine.) “Avoiding fraud has never been easier!”

Oh boy.

Anyway, there’s a nice looking yellow padlock and a big green tick which always means something like this is safe, right?


As it turns out, you just failed a test – or so the above text claims. It seems this site has been set up to warn people about the dangers of phishing, giving some hints and tips in relation to phish attacks and also providing a link to the Anti-Phishing Work Group’s Website. The site also mentions it doesn’t send your card details anywhere, and this appears to be the case.

Not sure I’d want to ever be in a situation where I had to take the word of a random third party in relation to something like that, but there we go.

There’s an About page, which lists the people who created it, along with the following message:

“The purpose of this site is to educate users about the dangers of phishing. You can learn more at the Anti-Phishing Working Group’s website.”

Unfortunately(?) most people won’t get to see the “reassuring” messages, as the site has itself been blocked by Firefox for... phishing.

I’d like to be able to say I hadn’t seen that coming a mile off, but that would make me a gigantic liar. Having “credit card” in your domain name is always going to smell faintly of “suspicious” to various security groups and anti-phish orgs, and having Whois data hidden by privacy services doesn’t help either.

NEVER enter your card details on sites such as the above, because you may not get off as easily next time. While the concept is – perhaps – an interesting one, the waters are muddied too much to be able to make sense of it.

The “Reported web forgery” blocks are a testament to that…

Christopher Boyd