New sniffer soon coming to a server near you

This little gem is probably one of those diagnostic tools that — like BackOrifice and Metasploit Framework — in the right hands is a good diagnostic tool and in the wrong hands is a bad diagnostic tool:

http://www.serversniff.net/index.php

“ServerSniff.net – Your free “Swiss Army Knife” for networking, serverchecks and routing with many many little toys and tools for administrators, webmasters, developers, powerusers and security-aware users.

“Tools for webmasters and developers:

“Benchmarks and informations about servers, routing, IP-Stacks, encryption, security, nameservers and domains.

“Tools for powerusers:

“For powerusers ServerSniff.net offers computing Hashes for strings and files and simply a lot of information about servers, ssl-encryption, domains etc.

“ServerSniff.net gathers only public information about servers and networks from publicly available sources or from asking the servers directly.”

It doesn’t exactly build confidence when you find that the ServerSniff “terms of use and acceptable use policy” is a dead link: http://beta.serversniff.net/terms_of_use

[Screenshot: Terms of use]

Thanks Alex.

Tom Kelchner

Update 03/11:

Alert reader “Guest” pointed out a link where terms of use are available: http://beta.serversniff.de/terms_of_use. Looks like it might have been a typo.

Consoles for old games come with new malcode

Be on the lookout for websites offering up “free applications” which come with a nasty sting in the tail. Here’s a typical example: Appzkeygen(dot)com

If you like videogame consoles, you may be a fan of emulators (programs that ape long dead consoles, allowing you to play old games on your PC – we’ll avoid the murky legal minefield that comes with this practice and instead focus on the malware).

Below is a Playstation 2 emulator – no really, it is. Would they lie to you?

[Screenshot: Fkps22]

Probably best not to answer that question.

Download and run any of the above files – all hosted at movieutilitesonline(dot)com – and you’ll probably be wondering where the alleged emulator is that is “by far superior to all other PS2 Emulators released before it.”

A pair of files will be dropped onto your PC, including a randomly named executable in the Windows directory and xpysys.dll in your System32 Folder. You’ve actually wound up with Trojan-Downloader.Win32.CodecPack.2GCash.Gen, which is – as you’ve probably guessed from the name – a Trojan downloader.

In some cases, people have reported this particular attack resulting in rogue antivirus appearing on the compromised system – however, during testing nothing was downloaded onto the PC. This doesn’t mean it won’t happen, of course – and you’ll still have the downloader onboard. Trojan-Downloader.Win32.CodecPack.2GCash.Gen has been used in everything from fake codec scams to rogue AV hijacks in previous months, and is probably going to stick around for quite some time.

Paper Ghost

LifeLock will pay $12 million for false claims

LifeLock, Inc., the company that GUARANTEED it would prevent customers’ identities from being stolen (for $10 per month) has agreed to pay fines totaling $12 million because the claims it made to promote its protection services were false, according to the U.S. Federal Trade Commission.

The company will pay $11 million to the FTC and $1 million to the attorneys general of 35 states. It is one of the largest FTC-state coordinated settlements, the commission said. The FTC will use the $11 million from the settlement and make refunds to consumers.

The FTC said in its release:

“The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. It also allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs. And even for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection. They alert creditors opening new accounts to take reasonable measures to verify that the individual applying for credit actually is who he or she claims to be, but in some instances, identity thieves can thwart even reasonable precautions.

“New account fraud, the type of identity theft for which fraud alerts are most effective, comprised only 17 percent of identity theft incidents, according to an FTC survey released in 2007.”

The FTC also said the LifeLock told customers that their personal data that it held was stored securely and encrypted, but it wasn’t.

FTC release here.

A federal judge ruled against LifeLock in a court action in California last year after credit reporting agency Experian sued them. Credit customers can place a free 90-day credit alert on their accounts through credit agencies. LifeLock was charging their customers $10 per month to place the alerts – which cost Experian huge amounts of money.

Story here.

Tom Kelchner

Cute (and malicious)

There’s an angelically tinged infection doing the rounds at the moment that has more than a whiff of sulphur about it.

We can’t say for definite, but it looks like the point of this little angel is to turn your PC into a file storage area for an IRC channel since it dumps you into #music IRC channels and makes sure you can accept various media files.

Our tale begins with an Email, claiming you have a “funny picture from Facebook friends” waiting for you at Oast(dot)com:

[Screenshot: Oast1]

This is what the end-user will download onto their system – an executable claiming to be a .gif:

[Screenshot: Oast2]

Should they run the file, two things will happen. The first is that a rather charming image will appear on their desktop (courtesy of a hidden file called “Out.exe” which is dropped into the User Account Temp folder) – all part of the general ruse to make them think that yes, they really have been sent a “funny picture”:

[Screenshot: Oast4]

The second is a little more sinister – an entire hidden directory (called tmp0000729b, dropped into the Windows Temp folder) arrives unannounced, laying the groundwork for an IRC invasion:

[Screenshot: Oast3]

Yes, anyone blessed with the “vision” of those little angels is now part of a collection of IRC drones. If the end-user should hover their mouse over the seemingly empty system tray, they’ll actually discover the mIRC Daemon running in a hidden state:

[Screenshot: Oast5]

As is typical for an IRC related hijack, everything is hidden away to keep the end-user from suspecting anything is wrong. Hidden mIRC tools, and seemingly deserted IRC channels are the order of the day. Shall we open up the mIRC client and play a little game of “Now you see it, now you don’t” in reverse?

[Screenshot: Oast6]

Taken at face value, the above screenshots shows the victim sitting in an empty IRC channel. However, a quick highlight and…

[Screenshot: Oast7]

…there they are, sitting beneath a pair of Admins in a #Music room. You can set mIRC to accept and ignore certain types of files by default, and here the client is indeed set to disallow .exe, .dll, .bat and .scr files but allow normal files such as .wav, .jpeg, .gif and MP3 files. The victim is placed into numerous #Music rooms like the one above on various IRC servers, so it’s a possibility the intention here is media sharing by way of compromised PCs.

Detections aren’t great at the moment (11/42 in VirusTotal): virustotal.com/analisis/9618c83546c16ae1dab70ca0d2e594c2dd41f622820d92e7bc9e22f2b3bc9f38-1267769547

We detect this as Trojan.Win32.Generic!BT, and as for the domain?

[Screenshot: Oast8]

Yeah, we’ve got it covered. If you do happen to see the three angels appear on your desktop, you might want to disconnect from the Net and go get your PC cleaned up – all the Holy Water in the World won’t fix this one…

Paper Ghost

Energizer USB charger infected with Trojan

Hmmm. A new vector for malware: USB battery chargers. Wonderful.

The U.S. Computer Emergency Response Team (CERT) is warning that Energizer DUO USB battery chargers have been found infected with a Trojan that loads backdoor malware on a victim PC along with its battery monitoring software.

The charger’s software copies a .dll file named UsbCharger.dll into the application’s directory and another named Arucer.dll into the Windows system32 directory. UsbCharger sets a registry entry so that Arucer.dll is executed automatically when Windows starts.

Arucer.dll is a backdoor that communicates through TCP port 7777.

The charger has been sold worldwide for three years.

CERT notes that the Trojan contains Chinese language text.

Sunbelt detects it as Trojan.Arugizer.

CERT Vulnerability Note VU#154421 here.

PCWorld news story here.
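As an added example, not code from the original posts, Sunbelt or CERT, here is a small Python host check for the artifacts these writeups name: xpysys.dll (the CodecPack downloader), the hidden Out.exe and tmp0000729b directory (the angel IRC drone) and Arucer.dll with its TCP 7777 channel. It assumes the files sit where the posts say they do and that Arucer.dll accepts connections on the loopback address; the matching logic runs on any platform, the live collection only on Windows.

```python
"""Host check for the artifacts the posts above name (added example)."""
import os
import socket
import stat
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


class Artifact(NamedTuple):
    location: str   # "system32", "usertemp" (user Temp) or "wintemp" (Windows Temp)
    name: str       # file or directory name as observed on disk
    hidden: bool    # FILE_ATTRIBUTE_HIDDEN set on it?


# Indicators exactly as the posts describe them: (location, name).
INDICATORS: Dict[str, List[Tuple[str, str]]] = {
    "Trojan-Downloader.Win32.CodecPack.2GCash.Gen": [("system32", "xpysys.dll")],
    "Trojan.Win32.Generic!BT (angel IRC drone)": [("usertemp", "Out.exe"),
                                                  ("wintemp", "tmp0000729b")],
    "Trojan.Arugizer (Arucer.dll backdoor)": [("system32", "Arucer.dll")],
}
ARUCER_PORT = 7777  # TCP port Arucer.dll communicates on; assumed to listen locally


def match_artifacts(observed: Iterable[Artifact], listening_ports: Set[int]) -> List[str]:
    """Compare observed files/ports against the indicators; return findings."""
    seen = {(a.location, a.name.lower()): a for a in observed}
    findings = []
    for family, iocs in INDICATORS.items():
        for loc, name in iocs:
            hit = seen.get((loc, name.lower()))  # names are case-insensitive on Windows
            if hit is not None:
                flag = " (hidden)" if hit.hidden else ""
                findings.append(f"{family}: {hit.name} in {loc}{flag}")
    if ARUCER_PORT in listening_ports:
        findings.append(f"Trojan.Arugizer: local listener on TCP {ARUCER_PORT}")
    return findings


def collect_windows() -> List[Artifact]:
    """Enumerate the three locations on a live Windows host (empty elsewhere)."""
    if os.name != "nt":
        return []
    sysroot = os.environ.get("SystemRoot", r"C:\Windows")
    roots = {
        "system32": os.path.join(sysroot, "System32"),
        "usertemp": os.environ.get("TEMP", ""),
        "wintemp": os.path.join(sysroot, "Temp"),
    }
    out: List[Artifact] = []
    for loc, root in roots.items():
        try:
            names = os.listdir(root)
        except OSError:
            continue
        for n in names:
            try:
                attrs = getattr(os.stat(os.path.join(root, n)), "st_file_attributes", 0)
            except OSError:
                attrs = 0
            out.append(Artifact(loc, n, bool(attrs & HIDDEN)))
    return out


def local_listener(port: int, host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """True if something accepts TCP connections on host:port (loopback probe)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


if __name__ == "__main__":
    ports = {ARUCER_PORT} if local_listener(ARUCER_PORT) else set()
    for line in match_artifacts(collect_windows(), ports) or ["no indicators found"]:
        print(line)
```

A hit on any of these names is a reason to take the machine offline and clean it, as the posts advise; a miss is not proof of a clean system, since the names are only the ones these writeups observed.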

Tom Kelchner

Five years ago today on the Sunbelt Blog

“Is Spyware Real?”

March 4, 2005: Sunbelt Software CEO Alex Eckelberry blogged his disagreement with comments made by AV pioneer Eugene Kaspersky about a new thing called “spyware.”

Alex quoted him as saying: “The term spyware is basically a marketing gimmick… Just to separate new ersatz-security products from traditional ones, just to push almost zero-value products to the security market.”

The Sunbelt CEO explained that spyware was real and traditional AV vendors were ignoring it: “The term ‘spyware’, obviously, is a broad term encompassing lots of different categories of malware. Really, what people mean when they say spyware is ‘adware’ — stuff that loads your machine up with junk ads, turns it into the equivalent of an electronic toaster, and makes your life hell.”

He also pointed readers to a March 1, 2005, PCWorld review that found that Sunbelt’s CounterSpy anti-spyware product caught 85 percent of a test set of 81 adware and spyware samples.

Today, five years later, more than 47,000 detections (of the total 13 million detections) in the VIPRE and CounterSpy signature database are classified as “adware.”

Sunbelt now sells a range of full-blown anti-malware products. They do much better than 85 percent detections and have VB100 certification as well.

Sunbelt Software has grown a bit in five years. VIPRE version 4.0 just shipped and the office space that held the entire company in 2005 is now mostly our server room.

Read 2005 blog post here: Is Spyware Real?

Tom Kelchner

Search engine bait and switch

Our good friends at F-Secure AV company have blogged about a new and significant malcode-delivery technique: publishing a web page with a .pdf file on it, then changing the .pdf link to something malicious after search engines have indexed the page.

What they found delivered a rogue security product (but of course.)

Nice work F-Secure.

FSecure blog piece here.

Yes, it’s one more creepy thing on the Internet, as if we need any more. The lesson for us all:
— be aware that it is possible,
— keep alert for the mechanism
— keep your AV protection running and updated. (Shameless plug: VIPRE version 4.0 came out this week. Check it out here. )

Tom Kelchner

Patch Tuesday coming next week

Microsoft has issued an advance notification for Patch Tuesday next week. The company said it expects to issue two patches, one for Windows and one for Office. Both are intended to patch vulnerabilities that could allow remote code execution and both are rated “important.”

Microsoft Security Bulletin Advance Notification for March 2010 here.

Tom Kelchner

Chat with malcode

It’s time for your daily dose of “spot the fake program / avoid the fake program”.

What is it this time? Well, if you have family members who are into webcams and chatting you might want to point them to this writeup because a new challenger has entered the ring:

[Screenshot: Fkcam1]

Yes, “Chat Cam” is a rather smart looking (and entirely fake) program designed to make end users think they’re taking part in a large community of webcam owners. Clearly, the creator had the recently launched Chatroulette in mind when they made this one (if you’re not familiar with it, Chatroulette is a site where you jump from webcam chat to webcam chat over and over again, all within one large community of strangers. In practice, you tend to mash the “Next” button endlessly as one “chat” after another fails to materialise). This is what Chatroulette looks like – you’ll notice the similarity as we move further into the writeup:

[Screenshot: Fkcam0]

Meanwhile, this is what our “Chat Cam” looks like when you fire it up – notice how slick it is, along with the well crafted options it gives the user to play with:

[Screenshot: Fkcam2]

[Screenshot: Fkcam3]

Did you notice the “online users” count at the bottom of those two screenshots? Here it is again. Notice anything?

[Screenshot: Fkcam5]

That’s right – it changes randomly, which is a particularly convincing touch. Note that Chatroulette also displays the number of users online in the top right hand corner. Hit the “Start a chat” button, and the application dumps you into a pretend conversation with any one of a large selection of usernames stored in the program database. It has a very similar feel to the Chatroulette chatbox:

[Screenshot: Fkcam6]

Unsurprisingly, the webcam never loads – and the chat never gets beyond the first line or two of text. The fake bot “disconnects”, and the user is left to go right back and hit the “Start chat” button all over again. What’s particularly interesting here is that it apes the actual Chatroulette experience brilliantly – for me, anyway. When I tried it out a couple of days ago, every single chat I jumped into was a carbon copy of the above screenshot.

Of course, everything above is purely academic by this point – end users are doomed the moment they fire up the executable, as it’ll have been wrapped up tightly with a random infection file. There seems to be a bit of a trend for fake webcam apps mashed up with infection files at the moment – in particular, programs that do something similar to the above but loop fake “webcam footage” (usually ripped from Youtube videos) are very popular on underground forums.

Whatever you do, be wary of programs trying to cash in on the popularity of webcam chats with strangers – as you can see, fake a/s/l information is the least of your worries…

Paper Ghost

The Internet as a moral ground

“…in that space one can easily indulge in depravity, lies, vulgarity…”

Here’s a sort of comment about the Internet that you don’t see much in the news.

The Russian government news service RiaNovosti is reporting that Patriarch Kirill of Moscow and All Russia (head of the Russian Orthodox Church), told school students in Moscow that “Nowadays the Internet is a kind of laboratory where an individual should be formed and where a character should be sharpened.”

“He also said the Internet has become ‘an examination on our authenticity, an enormous power challenge’ as in that space one can easily indulge in depravity, lies, vulgarity, and the desire to lash out with aggression and impunity,” the news service reported.

Story here: “Internet is examination for human race – Patriarch Kirill”

Created in 1991, RiaNovosti traces its history back through various Soviet/Russian government news agencies to the 1941 Soviet Information Bureau. That bureau (Sovinformburo) was set up by the USSR Council of People’s Commissars and the Central Committee to provide international news and coverage of military events and domestic life.

Its web site includes links to Pravda.ru’s space-aliens-land-in-Russia-type tabloid fare as well as pro-government news in eight languages. The “Strange but True” section is a scream (http://en.rian.ru/strange/)

Check out the piece: “Two-headed calf born in Estonia.” A two-headed animal, once seen as a predictor of impending war, is now viewed as an omen foretelling an improving economy — at least according to the farmer who owns it. Maybe the U.S. Federal Reserve Board should get one.

Tom Kelchner

U.S. Census Bureau warning of phishing scams

The U.S. Census Bureau is warning of phishing and other scams that are using the 2010 Census as bait. Here is the warning from the bureau’s web site:

If you are contacted for any of the following reasons — Do Not Participate. It is NOT the U.S. Census Bureau.

Phishing:

‘Phishing’ is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, social security numbers, bank account or credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by email and it often directs users to enter sensitive information at a fake web site whose look and feel are almost identical to the legitimate one.

Other Scams:

— The Census Bureau does NOT conduct the 2010 Census via the Internet

— The Census Bureau does not send emails about participating in the 2010 Census

The Census Bureau never:

— Asks for your full social security number

— Asks for money or a donation

— Sends requests on behalf of a political party

— Requests PIN codes, passwords or similar access information for credit cards, banks or other financial accounts.

More Census Bureau info on scams here.

Tom Kelchner

Quarantine for infected PCs?

Microsoft Vice President of Trustworthy Computing Scott Charney, in a keynote address at the RSA security conference in San Francisco yesterday, called for quarantines on malware-infected PCs. His remarks were widely covered by a variety of web news outlets.

He compared the threat from infected PCs with the threat from smokers in public places and resulting bans on smoking because of second-hand smoke: “You have a right to infect and give yourself illness. You don’t have the right to infect your neighbor. Computers are the same way.” Charney didn’t discuss specific techniques.

The idea has been discussed before but usually stumbles on the issue of forcing ISPs to shoulder the expense and legal problems from enforcing quarantines.

Story here.

Tom Kelchner

Haiti relief email scams still circulate

[Image: Haiti still]

Want a place to check the legitimacy of a charity?

[Image: Charity Navigator logo]

http://www.charitynavigator.org/

“Founded in 2001, Charity Navigator has become the nation’s largest and most-utilized evaluator of charities. In our quest to help donors, our team of professional analysts has examined tens of thousands of non-profit financial documents. As a result, we know as much about the true fiscal operations of charities as anyone. We’ve used this knowledge to develop an unbiased, objective, numbers-based rating system to assess the financial health of over 5,000 of America’s best-known charities.”

Thanks Alex.

Update

U.S. Federal Trade Commission web site advises those making donations for victims of the Jan. 12 Haiti earthquake to read their web page of dos and don’ts:

http://consumer.gov/ncpw/helping-haiti-give-wisely/

and check the InterAction web site for a description of legitimate charities at: http://www.interaction.org/crisis-list/earthquake-haiti

InterAction is the largest coalition of U.S.-based international nongovernmental organizations focused on the world’s poor and most vulnerable people.

Tom Kelchner

Battlefield Keygens are Bad Company

In the same way that media event X guarantees Rogue Antispyware Y, a new and highly anticipated videogame that’s about ready to launch will similarly bring out the scams and fakes.

[Screenshot: Bf0]

If you have any family members that like their PC games but perhaps aren’t clued up on their Internet fakeouts, you might want to warn them that no matter how cool the so-called “Battlefield: Bad Company 2” keygens look, they should steer clear:

[Screenshot: Bf23]

There are a lot of these files being promoted on sites such as Youtube at the moment, and without fail all of them will give your PC a very bad hair day. It’s just not worth the risk…

[Screenshot: Bf1]

[Screenshot: Bf3]

Paper Ghost

Microsoft updates MS10-015

It won’t work if you have a rootkit infection, but it won’t blue screen your machine either.

Microsoft has reissued Security Bulletin MS10-015 from last month to work around a problem that occurred when a WinXP user attempted to install the patch on a machine that was infected with a rootkit. (blue screen, blue screen)

Jerry Bryant, Microsoft’s senior security communications manager lead, writing on the company TechNet blog said that the new installation packages for MS10-015 have new logic that will prevent the security update from installing on rootkit-infected systems. Microsoft also is offering guidance for those with infected machines and a scanning tool that can detect system conditions that will prevent the patch from applying itself.

Microsoft TechNet blog here.

We described the problem on the Sunbelt blog Feb. 11 “WinXP users: hold off on installing MS010–15.”

Tom Kelchner

Spain arrests three, shuts down Mariposa botnet

We’re glad to see that world governments took our advice from the Sunbelt Blog last week and started taking down botnets. (Right!)

Police in Spain have arrested three people and shut down the Mariposa botnet, which was thought to have controlled 12.7 million machines in nearly 200 countries. The three were all Spanish citizens. Police identified them only by their handles and ages: “netkairo,” 31; “jonyloleante,” 30 and “ostiator,” 25.

Researchers have been working on taking down the botnet for nearly a year, according to reports.

Story here: “Authorities dismantle botnet with 13 million infected PCs”

Tom Kelchner

Everybody uses Web 2.0, but IT might not know it

Communications security firm FaceTime of Belmont, Calif., has released the results of a survey (of 1654 people) that strongly indicates we are all using a lot of Web 2.0 applications at work and a third of our IT staffs aren’t aware of it. It was FaceTime’s fifth annual survey.

Social media and Web 2.0 apps are being used by virtually all end users (99 percent) to support business processes, but 38 percent of IT professionals surveyed think there is no social networking on their networks.

Web 2.0 and social media prevalence:

— Web chat: found in 95 percent of organizations
— Instant Messaging: reported by 40 percent of IT staffs
— Social networks: 27 percent of IT staffs
— Tools such as Twitter: used for work by 78 percent, according to end users.

The survey also found widespread use of Skype, file sharing, web conferencing and IPTV.

Fifty three percent of the end users surveyed said that newer Web 2.0 tools were “better than those provided by my employer.”

FaceTime said 69 percent of the organizations they surveyed reported at least one Web 2.0-related attack.

Story here.

Tom Kelchner

Don’t press F1

[Image: Careful with F1]
Here’s a new vector: exploiting a Windows vulnerability through an Internet Explorer help menu Visual Basic script: “get ‘em to hit F1 and you own ‘em.”

Microsoft is warning of a VBScript vulnerability in Internet Explorer (on Win2K, XP and Server03) that could be used to run malicious code. A malicious operator could create a web site that displays a specially crafted dialog box and prompts a victim to press the F1 key (help menu.) The exploit could then execute malicious code on a victim machine. (Windows versions that are not vulnerable are: Vista, Win7, Server08 R2 and Server08.)

Proof of concept code has been circulated, but Microsoft has said: “We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.”

The company said in its security advisory: “Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.”

Microsoft Security Advisory 981169 here.

Tom Kelchner