Police arrest 70 in Romania for Internet fraud

A year-long international investigation concluded in the last few weeks with 700 police in Romania launching raids and taking into custody 70 people from three gangs. Those arrested were part of a four-year long wave of Internet auction fraud that victimized 800 people and netted over $1 million (US).

Yesterday Romanian Police released information on the raids which were organized by prosecutors at the Directorate for Investigating Organized Crime and Terrorism. The police served 101 warrants in 12 Romanian cities.

The suspects are charged with incidents in which money was stolen from victims in Austria, Canada, Denmark, France, Germany, Italy, New Zealand, Spain, Sweden, Switzerland and the United States.

The FBI and Secret Service from the U.S. assisted in the investigations, they said.

Last month FBI Director Robert Mueller said in a speech at the RSA conference that his agency had worked with the Romanian National Police to arrest more than 100 Romanian suspects in the past 18 months.

The auction fraud included phony sales of electronics equipment, luxury cars, airplanes, motorcycles and laptop computers as well as fake gold and platinum Rolex watches.

Gary Warner’s blog “CyberCrime and Doing Time” has great coverage including links to videos and Romanian-language sites.

Tom Kelchner

Sunbelt Software Wins 2010 GovSec Award


VIPRE Enterprise Premium was winner of Security Products magazine 2010 GovSec Award in the IT Software Security category.

Sunbelt Software CEO Alex Eckelberry’s comments: “Sunbelt created VIPRE Enterprise Premium to provide a superior security solution for small and large enterprises, including state, local, and federal government networks that would prevent the spread of malware capable of threatening critical infrastructure and systems. This award highlights the fact that Sunbelt’s VIPRE Enterprise Premium delivers reliable endpoint protection against the evolving threat landscape and ensures the maintenance of a strong and secure network.”

The magazine announced the winners at the 2010 Government Security Expo & Conference to recognize outstanding products in the government security space.

VIPRE Enterprise Premium is an advanced anti-malware engine that merges the detection of viruses, worms, spyware, Trojans and bots into a single, efficient and powerful system. VIPRE draws its data from the world-class research of its Sunbelt Labs malware research and analysis division. It is the fastest engine on the market today that uses the fewest resources, due to its proprietary technology that helps it keep up with the evolutionary nature of malware creation and attacks against the endpoint.

Sunbelt Software news release here.

Tom Kelchner

Security awareness: many levels, many things

Rob VandenBrink has written a piece on the SANS web site Diary (“The Many Paths to Security Awareness”) with an interesting take on the very large topic of computer security awareness.

“Security Awareness does not mean the same thing to everyone in a company,” sums up his point.

“From a Security Awareness perspective the blanket term ‘end user’ grows to encompass many audiences – not only folks with basic desks and phones, but developers, senior managers, salespeople, engineers, health-care professionals, all kinds of people with different concerns, different goals, and a different set of reasons/excuses for exceptions to one thing or another,” he wrote.

Rob’s piece also offers a link to a survey that’s trying to find out what phase of security people from various “audiences” are trying to bolster.

There often is a feeling among technical people that user education is pointless because “they never get it.” It’s hard to argue with that dismal assessment in the face of the fact that possibly more than a fourth of those connected to the Internet have no functional security on their machines (Netherlands-based SurfRight December survey). The success of every form of social engineering and spam advertising also speaks pretty badly about the level of “clue” on the Internet.

But, cursing the darkness never works and lighting a few candles might help a lot of people. Every day there are tens of thousands of new Internet users going on line for the first time. They need to learn about the threats out there and precautions they can take. Rob seems to be investigating the possibility that people on every level of every type of organization are contributing to that effort.

On the Sunbelt Blog we’re aware of those “audiences” as we try to present stories of all levels to our readers, from the very specific descriptions of rogues and all the malicious stuff that Chris Boyd finds in the gamers’ world to summaries of BIG new stories of the day, such as Google and its wrestling match with the censorship issues of the government of the People’s Republic of China.

Always in the backs of our minds are the less technical “home users.” We realize that isn’t a really precise term, but everybody seems to have a mother, aunt, uncle or child that IS one. For them we also write a daily summary http://www.sunbeltsecurity.com/ThreatLevel.aspx that tries to describe the latest threats.

So, good job Rob. We’ll look for the results of the survey.

Tom Kelchner

China denies connection to high-level hacking

“Shadows in the Cloud” hang over the otherwise sunny PRC

A spokesperson for the Chinese Foreign ministry has tried to minimize a report from investigators in Toronto that hackers based in China breached computers of the Indian Government and others and downloaded classified material.

The Information Warfare Monitor and the Shadowserver Foundation extensively documented an eight-month investigation that revealed a network of infected government and military computers. The net was controlled from servers in China and stole a variety of classified documents. They posted their 52-page report, “Shadows in the Cloud: investigating cyber espionage 2.0,” today on scribd.com.

“Shadows in the Cloud” describes the researchers’ findings that hackers based in Chengdu, China, penetrated the systems of the office of the Dalai Lama, the Indian government, the Indian military and agencies of the United Nations.

They wrote in the report: “We have no evidence in this report of the involvement of the People’s Republic of China (PRC) or any other government in the Shadow network. But an important question to be entertained is whether the PRC will take action to shut the Shadow Network down. Doing so will help to address long-standing concerns that the malware ecosystems are actively cultivated, or at least tolerated, by governments like the PRC who stand to benefit from their exploits through the black and grey markets for information and data.”

The Chinese government denied any involvement and tried to minimize the investigation. In a story on the People’s Daily online – the news outlet of the Chinese Communist Party – Jiang Yu, a spokesperson for the Chinese Foreign Ministry, said “Some reports have, from time to time, been heard of insinuating or criticizing the Chinese government…I have no idea what evidence they have or what motives lie behind.”

“Hacking is an international issue and should be dealt with by joint efforts from around the world,” she said.

“China refutes hacking accusation, urges int’l cooperation”

Urging “International Cooperation” when China gets caught red-handed must be the standard formula at the Foreign Ministry.

The People’s Daily site carried a “related reading” list of earlier denial stories, including one from as far back as 2007 in which Jiang Yu’s response was “Hacking is an international problem that torments China, too. We are ready to strengthen cooperation with other countries, including the US, in countering Internet crimes.”

“Chinese military scholar denies fresh hacking allegation”

If you have something on a computer you think the Chinese government might be interested in you might SERIOUSLY harden your network and consider some very good encryption. And user education about spear phishing wouldn’t hurt.

Tom Kelchner

POC is out: a worm that spreads via PDFs

A blog contributor who goes by the name of “jeremy” has continued to research the possibilities inherent in the recently discovered .pdf-file weakness that could enable the execution of code. Jeremy posted earlier this week that he had created a proof of concept .pdf file that could spread to other .pdf files on a system or network (which makes it a worm).

“Within the proof of concept I infected a single benign PDF file from another PDF file, but this proof of concept could easily be modified to recursively traverse a user’s computer directories to find and infect all PDF files on that user’s computer and/or accessible to that user at the time of execution with any payload of my choosing,” he wrote on the SudoSecure.net site.

He also wrote: “This should really make you think twice even before you open up PDF files that have resided on your computer for years, as they could soon be utilized against you if an attacker chose to do so.”

Stevens chose the responsible disclosure route after he found the “feature” of .pdf that allowed running executables. Foxit pushed out Foxit Reader 3.2.1 to patch the problem Sunday. Adobe Reader pops up a warning, so, at least the process is visible.

When we blogged about it last week we suggested:

“It would be a good idea to READ any notification that pops up when you open a PDF file and DO NOT let yourself be social engineered into disregarding warnings about launching executables.”

Jeremy wrote about some other malicious possibilities: “Well I can think of some really nasty phishing attacks this style of attack could be utilized for. Just think if you landed on one of the oh so common web exploit packs or if the PDF was crafted to look like an official banking document that provided instructions to verify your information by entering it into the targeted URL. Hmm since arguments can be passed here is another thought. The PDF document itself could be an official looking banking document with a form embedded that allowed a user to fill out his or her information within the PDF document itself. At the bottom of the form a submit button calling the Launch action to execute Firefox or Internet Explorer while passing the information via URL arguments to an attacker’s happy to receive, parse, and store server.”

The .pdf weakness was publicized by Didier Stevens on his blog last week.

Tom Kelchner

iPad Spam has entered the building

It was only a matter of time before the merest of “iPad” mentions on sites such as Twitter would result in autospammed messages like this:

[Screenshot: iPad spam messages on Twitter]

These bots will fire a message claiming “we need someone to test and keep one iPad” (or simply “Free iPad here”) to anyone discussing the latest gadget to hit the streets, sending you to various promotional sites like the one below:

[Screenshot: promotional offers site]

You’ll have to fill in a big chunk of personal information and “receive the incentive gift package by completing two reward offers from each of the Top, Prime and Premium reward offer page options…completion of reward offers most often requires a purchase or filing a credit application and being accepted for a financial product such as a credit card or consumer loan.”

Me? I’ll wait for the sales, thanks.

Christopher Boyd

UK firms face info security D-Day

Tomorrow the UK’s Information Commissioner’s Office (ICO) gets the power to fine businesses up to £500,000 for significant breaches of the country’s Data Protection Act.

News site V3.CO.UK quoted Information Commissioner Christopher Graham in January: “As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details. When things go wrong, a security breach can cause real harm and great distress to thousands of people.”

They also wrote that “The new powers have been welcomed by many in the industry, who have hitherto seen the ICO as a largely toothless watchdog.

“Jonathan Nugent, a solicitor with PricewaterhouseCoopers Legal, argued that they should help to tackle the threat of continued data breaches.”

Commentators said the new powers should prompt IT departments to seriously review their procedures to be sure they are in compliance with good data safety practices. Enterprises also should begin or expand employee training to be sure customers’ personal data is safeguarded.

The Commissioner’s Office was granted the fining power by action taken by the Secretary of State for Justice in January. Initial provisions for the power to impose fines were in a 2008 Criminal Justice and Immigration Act.

Story here.

— Tom Kelchner

Nokia.de(faced)

I’m almost certain this shouldn’t be on the Nokia.de webspace, lurking under the “online.nokia.de” subdomain:

[Screenshot: Nokia defacement page]

Don’t worry though, Admin – they “just changed your index”.

This isn’t the first time Nokia domains have come under attack. The above defacement – by an Albanian hacker called “Spammer” – seems eager to let the webmaster know they can help with the bugs, but I’m pretty sure an email would have been just as useful. Nokia.de have been notified of the defacement, but I’ve had no word back as of yet.

Christopher Boyd

Firefox claims 30 percent market share

Mozilla.org has made public a report that says its Firefox browser has 30 percent market share worldwide. Assuming it’s true, that is a six-percentage-point increase since a news story last November.

The Mozilla Metrics report 1Q2010 says the browser has 39.2 percent penetration in Europe (152.7 million users) and 29 percent in the U.S. (100 million users). Mozilla claims 350 million users worldwide. Adoption is quickest in Russia (20 percent increase in the first quarter), the report said.

Mozilla Metrics Report here.

In November, ZDNet reported the following browser adoption statistics:

“Internet Explorer 6 is the most commonly used web browser, according to web analytics firm Net Applications. At the time of writing, IE 6 had 23 percent of the market, while IE 7 and 8 each held 18 percent. Rival browser Firefox 3.5 had 14 percent, while Firefox 3 had 9 percent. Overall, Internet Explorer had 65 percent market share, while Firefox had 24 percent.”

Tom Kelchner

Eliminate two thirds of comp security risk!

Don’t run your PC with admin privileges

Sometimes in life you know something is a risk, but you don’t know how BIG a risk it is until somebody actually checks it out. There was a German scientist in Russia who repeated Ben Franklin’s kite-in-the-thunder-storm experiment but didn’t live to write up his results.

Los Angeles security firm BeyondTrust has released an analysis of Microsoft’s 75 security bulletins last year. They came to the startling conclusion that if users had operated their computers without administrative rights they would have eliminated 64 percent of their risk from Microsoft vulnerabilities!

That’s a NO COST way to eliminate 64 percent of risk!

The key section in their report:

“By examining all of the published Microsoft vulnerabilities in 2009 and all of the published Windows 7 vulnerabilities to date, this report quantifies the continued effectiveness of removing administrator rights at mitigating vulnerabilities in Microsoft software.

“Key findings from this report show that removing administrator rights will better protect companies against the exploitation of:

• 90% of Critical Windows 7 vulnerabilities reported to date
• 100% of Microsoft Office vulnerabilities reported in 2009
• 94% of Internet Explorer and 100% of IE 8 vulnerabilities reported in 2009
• 64% of all Microsoft vulnerabilities reported in 2009”

BeyondTrust apparently has made risk management through eliminating unnecessary privilege a successful business model. Their site is here: http://www.beyondtrust.com/

Setting up a non-admin account for normal use has been good advice for years. Maybe this report will help emphasize it to a lot of users who wouldn’t have thought it important enough to bother with.

Tom Kelchner

Dead Zango installers haunt Download.com

This is an interesting historical quirk, more than anything else – but I thought it merited a blog post. If you’ve seen me rattling around the Internet pre-Sunbelt, you might be aware I have a bit of a sparring history with a company called 180 Solutions / Zango.

Or, as The Register once put it:

“…its chief tormentors – Ben Edelman, an assistant professor at the Harvard Business School, and Chris Boyd, former security researcher at Facetime Security – continued to document evidence of malpractice by Zango years after the FTC settlement.”

Anyway. While looking for random things to play with on Download.com, I noticed this:

[Screenshot: Zango downloads listed on Download.com]

A nice collection of Zango files. Quite a few installs too, from the looks of it with one program alone totalling 2,326 downloads. All of the files were added on 10/01/2004, which could either be the 10th of January or the 1st of October, depending on whether or not you’re a confused Englishman like myself.

Here’s an obligatory close up shot of one of the pages:

[Screenshot: Zango install page]

“In exchange for free access to games, users are shown 2–3 websites while browsing online”. All of the Zango files offered up are pretty tame, but I find it a little surreal to think that all of these files have remained on Download.com through the years while this, this, this, this and, well, all of this took place.

You can still download the files and run them (assuming your security software doesn’t block it, of course) but no program will spring to life – instead, you’ll see the following message appear in a browser window:

[Screenshot: dead installer message]

Yes, all of the programs appear to be dead which is a shame as I was really looking forward to playing David Vs Goliath. Or not, as the case may be…

Christopher Boyd

Spam web sites moving from .cn to .ru

Scum on the run

Security blogger Brian Krebs is reporting some good numbers that show spammers are no longer registering their domains in China (.cn) since that country started requiring actual on-paper registrations and business licenses, which precludes anonymous registration.

AND their new top-level domain of choice, Russia (.ru), is going to make life for scammers/spammers difficult there. “Russia’s Coordination Center for domain registration will require individuals and businesses applying for a .ru address to provide a copy of a passport or legal registration papers,” Krebs wrote.

Krebs had statistics from researchers at the University of Alabama at Birmingham which he cross checked with data from computer forensics investigator Andy Fried of the Internet Systems Consortium, in Redwood City, Calif. Fried found the same radical shift from .cn to .ru registrations.

So, where next?

The big question hovering over all of this is: “where are they going to go next? What rogue state is going to smell money and let them in for a price?”

That might not be entirely a bad thing. Spam exists because it’s an incredibly cheap way to advertise. Raising the cost of doing business just might reverse its explosive growth. Funny how markets operate.

Krebs blog here: “Spam Site Registrations Flee China for Russia”

Tom Kelchner

Will fuzzing save civilization as we know it?

Tom Gallagher, senior security test lead with Microsoft’s Trustworthy Computing group, was extensively quoted in news stories today as he described how his group found 1,800 software flaws in Office 2010 by running millions of “fuzzing” tests.

According to ComputerWorld, “Microsoft was able to find such a large number of bugs in Office 2010 by using not only machines in the company’s labs, but also under-utilized or idle PCs throughout the company. The concept isn’t new: The Search for Extraterrestrial Intelligence (SETI@home) project may have been the first to popularize the practice, and remains the largest, but it’s also been used to crunch numbers in medical research and to find the world’s largest prime number.

“’We call it a botnet for fuzzing,’ said Gallagher, referring to what Microsoft has formally dubbed Distributed Fuzzing Framework (DFF). The fuzzing network originated with work by David Conger, a software design engineer on the Access team.”

“Fuzzing” was in the computer security news headlines last week after Baltimore, Md., researcher Charlie Miller won the CanSecWest security conference Pwn2Own hacking contest for the third time. Miller said he’d used fuzzing to find 20 security vulnerabilities in Adobe Reader, the Apple Safari browser, Mac OS X and PowerPoint. He declined to tell the companies about the flaws but demonstrated his fuzzing technique and told them to use it themselves.

If fuzzing, which obviously can find 1,800 software bugs at a crack, becomes extensively used Charlie Miller might be in line to become the first cyber saint! A computer security landscape without vulnerabilities would be a different country indeed.
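As an added example (not code from this post, from Microsoft’s Distributed Fuzzing Framework or from Charlie Miller’s tooling), the Python block below shows the mechanism the story describes: take a valid seed input, mutate it at random, feed each mutant to the target, and record every input that produces an unhandled exception. The target parser, its single defect and the seed input are constructed for the illustration; the minimizer at the end shrinks a crashing input to the smallest reproducer, which is what a tester hands to the developer along with the crash.

```python
import random
import string

# Added example, not Microsoft's DFF or Charlie Miller's tooling: a minimal
# mutation fuzzer run against a small constructed parser with one defect.


class ParseError(Exception):
    """The parser's own, documented rejection of malformed input."""


def parse_records(data: str) -> dict:
    """Parse 'key=value;key=value;' into a dict.  Constructed target with a
    deliberate defect: a second '=' inside one record makes the tuple unpack
    raise ValueError instead of ParseError, i.e. an unhandled crash."""
    out = {}
    for item in data.split(";"):
        if not item:
            continue
        if "=" not in item:
            raise ParseError(f"record without '=': {item!r}")
        key, value = item.split("=")  # BUG: 'a=b=c' raises ValueError here
        out[key] = value
    return out


# Characters the mutator draws from; includes the parser's own delimiters so
# structural edits (extra '=' or ';') are reachable, not just noise.
ALPHABET = string.ascii_letters + string.digits + "=;:,. "


def mutate(rng: random.Random, seed_input: str, max_mutations: int = 3) -> str:
    """Apply 1..max_mutations random insert/delete/replace edits to a seed."""
    chars = list(seed_input)
    for _ in range(rng.randint(1, max_mutations)):
        op = rng.choice(("insert", "delete", "replace"))
        if op == "delete" and chars:
            del chars[rng.randrange(len(chars))]
        elif op == "replace" and chars:
            chars[rng.randrange(len(chars))] = rng.choice(ALPHABET)
        else:
            chars.insert(rng.randint(0, len(chars)), rng.choice(ALPHABET))
    return "".join(chars)


def crashes(target, case: str) -> bool:
    """A crash is any exception the target does not document as ParseError."""
    try:
        target(case)
    except ParseError:
        return False
    except Exception:
        return True
    return False


def fuzz(target, seeds, iterations: int = 2000, rng_seed: int = 1) -> list:
    """Return (input, exception) pairs for every crashing input found.
    The RNG is seeded so a run is reproducible, which matters when a crash
    has to be reproduced on a developer's machine."""
    rng = random.Random(rng_seed)
    found = []
    for _ in range(iterations):
        case = mutate(rng, rng.choice(seeds))
        try:
            target(case)
        except ParseError:
            continue  # expected rejection, not a bug
        except Exception as exc:
            found.append((case, repr(exc)))
    return found


def minimize(target, case: str) -> str:
    """Greedy shrink: drop one character at a time while the crash persists,
    so the bug report carries the smallest reproducing input."""
    i = 0
    while i < len(case):
        candidate = case[:i] + case[i + 1:]
        if crashes(target, candidate):
            case = candidate
        else:
            i += 1
    return case


if __name__ == "__main__":
    results = fuzz(parse_records, ["name=alice;age=30;"])
    print(f"{len(results)} crashing inputs in 2000 runs")
    if results:
        case, exc = results[0]
        print("example:", repr(case), exc)
        print("minimized:", repr(minimize(parse_records, case)))
```

The distinction between `ParseError` and every other exception is the heart of the oracle: a parser is allowed to reject bad input, but it is not allowed to fall over. Real fuzzing harnesses use the same idea with crashes, sanitizer reports or timeouts as the signal, and distribute the loop across many machines exactly as the article describes.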

Note to the darkside: don’t worry, there’s still social engineering.

ComputerWorld story: “Microsoft runs fuzzing botnet, finds 1,800 Office bugs”

Sunbelt Blog: “Firefox, IE8 and Safari hacked at CanSecWest”

Tom Kelchner

4.4 percent in China have no AV – that might not be too bad

The number for the rest of the world might be 26 percent

There is a story making headlines on the computer security news sources today about estimates that 4.4 percent of Chinese Internet users have no anti-virus software, up from 3.9 percent last year. That’s about 17 million machines. The numbers came from surveying by the China Internet Network Information Center (CNNIC) and China’s National Computer Network Emergency Response Technical Team (CNCERT).

CNNIC said it estimated that 384 million people in China use the Internet.

Story here.

I went looking for figures for the rest of the world. Similar surveying doesn’t exactly pop out of Google, but I did find one story.

Netherlands-based security company SurfRight released results of a study they did in December. “32 Percent of Computer Users Still Infected, Despite Presence of Anti Virus Program”

They scanned 107,435 machines and found that 28,607 had no up-to-date AV: that’s 26.6 percent without functional anti-virus software.

Of course, SurfRight didn’t break out the group that has no AV installed at all as opposed to those who have it but haven’t updated it.

In any case, they all should be installing VIPRE.

Tom Kelchner

Ah yes. FBI agent Brad Martins with the “global scam Fither in CA 93535”

Good God! A 419 scam email from someone in grade school!

From: FBI AGENT [mailto:hal-eduserv@att.net]
Sent: Wednesday, March 31, 2010 7:34 AM
Subject: FBI AGENT

Hello honest people………

We got your contact from our Microsoft data-base system. This is to inform you all that have lost money to Scammers in Africa, Europe and USA. We hear by inform you there is quick opportunity for you mostly on lottery. My name is FBI brad Martins I assure you am doing all I can to get your lost money back in 2 days . I know what scam means. I work with the global scam Fither in CA 93535.we have all the global scam computer to trace all Scammers Name and location. Reply back to us. We just caught a scammer now, and we found some money with him, we are returning it back to those involves. This mean your money will be refund back to you.Get back to the FBI through this email for immediate response scamtrack2010@gmail.com

Thanks Larry.

Tom Kelchner

Google: beware spyware from Vietnam

Spyware/DDoS malware combo

Google’s security team member Neel Mehta has blogged about yet one more spyware attack on Google users from Asia. This time forces in Vietnam apparently are trying to spy on and stifle dissent from those opposed to the expansion of bauxite mining in the country’s central highlands. The dissenters are opposed to the environmental impact, the involvement of Chinese in the venture and the displacement of people who live in the mining area. Bauxite is the ore that aluminum is extracted from.

Chinese attempts to spy on dissidents’ Gmail accounts made headlines in January. At that time, Google said it would pull its operations out of China because of a wave of hack attacks from China on it and more than 30 other companies, mostly in Silicon Valley. The attacks were largely based on spear phishing and exploited an Adobe .pdf vulnerability to plant Trojans. An investigation by Google showed that the attackers were trying to download information from the Gmail accounts of Chinese dissidents and steal source code. (Sunbelt Blog: “Google might leave China”)

The malcode that Google just found infects Vietnamese language keyboard software that has been downloaded worldwide. Mehta says the spyware also is capable of participating in distributed denial of service attacks against bloggers opposed to the mining.

Mehta advised those who think they may be infected to run scans on their machines, since leading AV vendors now detect the malcode.

“New technology like our suspicious account activity alerts in Gmail should also help detect surveillance efforts. At a larger scale, we feel the international community needs to take cybersecurity seriously to help keep free opinion flowing,” he said.

Google Security Blog here.

Tom Kelchner

Forbes: “It’s all just Malware now”

It seems I prompted an exploration of infection related search terms in Google Trends over on the Forbes.com Firewall blog. “Malware” is becoming a sort of catch-all term for end-users, slowly replacing the various types of Ad/Mal/Spyware classifications.

Article here – worth checking out the comment by Andy Hayter, Anti-Malcode Program Manager of ICSA Labs, too. Of course, I like to think I might have contributed in some small way to certain search terms going the way of the Dinosaur…

Christopher Boyd

Running executables in PDF: it’s a feature

Didier Stevens, security professional and blogger, has found a “feature” in the PDF file format that makes it possible to package an executable in a PDF file which will run in Foxit PDF reader or run in Adobe Reader with a bit of social engineering.

“With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this (I don’t use JavaScript in my PoC PDF), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs).”

“…preventing Adobe Reader from creating new processes blocks this trick,” he said.

“In this case, Foxit Reader is probably worse than Adobe Reader, because no warning gets displayed to prevent the launch action. My PoC PDF requires some changes for Foxit Reader, because ultimately, the executable doesn’t run. But that’s probably due to some variation in the PDF language supported by Foxit Reader.”

Stevens has made available a proof-of-concept sample and said he notified Adobe’s product security incident response team.

Until this is solved, it would be a good idea to READ any notification that pops up when you open a PDF file and DO NOT let yourself be social engineered into disregarding warnings about launching executables.
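As an added example that serves both this post and the earlier “POC is out” post above (it is not Didier Stevens’ PoC or any of his tools, and not Sunbelt code), the Python block below does what a defender can do about the Launch action: scan a PDF’s raw bytes for `/Launch` and for the names that make an action fire automatically on open, after undoing the `#xx` hex escapes that PDF name syntax allows, so that an obfuscated `/L#61unch` is still recognised. The two sample documents, the object numbers in them and the placeholder program name are constructed for the illustration and are not working files.

```python
import re

# Added example, not Didier Stevens' code or Sunbelt code: keyword triage for
# PDF files that flags the Launch action described in the post.  Presence of a
# name is a signal worth a look, not proof that the file is malicious.
RISKY_NAMES = ("/Launch", "/OpenAction", "/AA", "/JavaScript", "/JS", "/EmbeddedFile")

# PDF name objects may spell any character as #xx (two hex digits), so the
# name "/L#61unch" is the same name as "/Launch".  Decode escapes first, or a
# trivially obfuscated name slips past a plain substring search.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_risky_names(data: bytes) -> dict:
    """Count each risky name.  A PDF name ends at whitespace or a delimiter
    character, so "/JS" is not counted inside a longer name such as "/JSX"."""
    norm = normalize_names(data)
    counts = {}
    for name in RISKY_NAMES:
        pattern = re.escape(name.encode()) + rb"(?![^\s()<>\[\]{}/%])"
        counts[name] = len(re.findall(pattern, norm))
    return counts


def assess(data: bytes) -> tuple:
    """Return ("suspicious", reasons) or ("clean", []) for a PDF's raw bytes."""
    counts = count_risky_names(data)
    reasons = []
    if counts["/Launch"]:
        reasons.append("/Launch action: asks the reader to start an external "
                       "program (Adobe Reader only warns; Foxit did not)")
    if counts["/Launch"] and (counts["/OpenAction"] or counts["/AA"]):
        reasons.append("action wired to run automatically when the file opens")
    if counts["/JavaScript"] or counts["/JS"]:
        reasons.append("embedded script")
    if counts["/EmbeddedFile"]:
        reasons.append("embedded file")
    return ("suspicious", reasons) if reasons else ("clean", [])


def scan_file(path: str) -> tuple:
    with open(path, "rb") as fh:
        return assess(fh.read())


# Constructed samples (not real-world files, no xref table, not openable): a
# plain document, and one whose catalog opens a Launch action whose name is
# hidden behind a #xx escape.  PLACEHOLDER_PROGRAM stands in for whatever a
# real sample would name.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"%%EOF\n"
)
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /Type /Action /S /L#61unch /F (PLACEHOLDER_PROGRAM) >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        verdict, reasons = assess(blob)
        print(f"{label}: {verdict} {reasons}")
```

A check like this belongs at a mail gateway or in a file-share scan rather than on the desktop: it costs a regular-expression pass per file, it does not open the document, and it complements the advice above by removing the decision from the user for the files that carry a Launch action at all. It reads only the raw bytes, so a file whose objects sit inside a compressed object stream needs inflating first.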

Stevens’ blog piece here.

Thanks Trip.

Tom Kelchner

Update 04/02:

Foxit issued an update to fix the problem (Foxit Reader 3.2.1): http://www.foxitsoftware.com/downloads/index.php

Update 04/06:

The patch fixed Foxit’s vulnerability to the POC code written for it, but now it’s vulnerable to the POC exploit written for Adobe! Story here.