WinXP users: hold off on installing MS10-015


Security blogger Brian Krebs is reporting that some Windows XP users are seeing the blue screen of death on reboot after installing Microsoft’s Patch Tuesday update KB977165 (MS10-015: “Vulnerabilities in Windows kernel could allow elevation of privilege.”)

“Turns out, a non-trivial number of XP users are reporting that their systems suffer from the dreaded Blue Screen of Death (BSoD) and fall into an interminable reboot loop after installing the latest batch of patches from Redmond,” he wrote.

Brian Krebs’ blog here.

Those trying to maintain Microsoft systems are caught in the cross-currents of the patching process: some patches might be buggy (think “delay”), but the dark side will be reverse engineering the patches as fast as it can (think “do it now”).

It almost seems like it would be a good idea for the users of Microsoft products to hold off about two days before installing the Patch Tuesday updates. That seems to be how long it takes for the word to get out – like this problem – that there are glitches in the updates.

The overwhelming majority of Microsoft fixes are straightforward and urgently needed security measures. However, the massive complexity presented by the older flavors of the Windows operating system and their service pack levels almost guarantees that there are going to be problems like this.

Possibly a good strategy would be phased updates, especially for enterprise systems:

— Immediately install just the patches that fix vulnerabilities with in-the-wild exploits, if you are running the vulnerable applications, modules, plug-ins, etc.

— Wait three days for all others.

— Wait a week for non-critical (no reported exploits) updates to less-used flavors of Windows and less-used applications.

Meanwhile, have someone keep an eye on the security news sources to spot problems like this one.

Update:

Krebs’ blog carries some good, detailed advice for those whose machines have been disabled already by the glitch.

Computer World carried a story about the problem and noted:

“This was not the first time that a Microsoft update has incapacitated Windows PCs. Two years ago, a set of updates for Vista sent an unknown number of machines into an endless series of reboots. Similar problems stymied users who tried to upgrade to Windows XP Service Pack 3 (SP3) in May 2008, and others attempting to upgrade from Vista to Windows 7 last October.”

Update 02/12:

Today Softpedia carried a statement from Jerry Bryant, Microsoft’s senior security communications manager lead:

“We are aware that after installing the February security updates a limited number of users are experiencing issues restarting their computers. Our initial analysis suggests that the issue occurs after installing MS10-015 (KB977165). However, we have not confirmed that the issue is specific to MS10-015 or if it is an interoperability problem with another component or third-party software. Our teams are working to resolve this as quickly as possible. We also stopped offering this update through Windows Update as soon as we discovered the restart issues. However, those using enterprise deployment systems such as SMS or WSUS will still see and be able to deploy these packages.”

Update 02/15:

Researchers have theorized that the TDSS rootkit was responsible for the blue-screen-of-death problems after Windows XP users installed Microsoft’s patch MS10-015 last week.

Microsoft acknowledged the problem in a statement: “In our continuing investigation into the restart issues related to MS10-015 that a limited number of customers are experiencing, we have determined that malware on the system can cause the behavior. We are not yet ruling out other potential causes at this time and are still investigating.”

News story here.

Update 02/16:

Our good friends at Symantec have posted more information on the problem and some instructions for recovering from the BSoD:

“Most of the time the driver chosen by Tidserv to be infected is “atapi.sys,” but that may vary depending on the hardware configuration. One of the very first things the infected driver does when it is loaded by the operating system is to retrieve critical API addresses so that it can allocate memory to load the actual malicious code:

“These APIs are retrieved via hard-coded relative virtual addresses (RVAs) into the kernel module, which are calculated at the infection time. Microsoft recently released a kernel patch that addressed a non-related issue (MS10-015 / KB977165), which updates the kernel modules. They also released a blog about blue screen issues after applying this patch.

“What seems to have happened in Tidserv’s case is that after this update, the RVAs for the above mentioned APIs changed—therefore causing the infected drivers out there to call invalid addresses and, in turn, cause blue screens every time Windows boots up:

“Even worse, because the infected driver is critical for system boot-up, Windows will not boot in Safe Mode either. However, there is still hope for the users who get stuck in this infinite loop of BSoD, in the sense that they are not required to reinstall everything from scratch, but only the infected driver (from a known, clean source). And, here is an example for the most commonly infected system driver, atapi.sys:”

Symantec blog here.
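The Symantec explanation above is the crux: the infected driver does not look the kernel APIs up by name at boot, it carries relative virtual addresses fixed at infection time, so any kernel update that shifts code breaks it. The following Python script is an added illustration, not Symantec’s or Microsoft’s code: it constructs two toy module images (stand-ins for a kernel module before and after a patch, with invented layouts) that carry genuine PE-style export directories, resolves ExAllocatePool by name in each, and shows where the stale pre-patch RVA lands in the post-patch image. The function names, stub sizes and the 0x1000 code base are assumptions made for the demonstration.

```python
import struct

# IMAGE_EXPORT_DIRECTORY: 11 little-endian fields, 40 bytes total.
EXPORT_DIR = struct.Struct("<IIHHIIIIIII")


def build_module(stubs, code_base=0x1000):
    """Construct a flat module image (RVA == offset, as if already mapped)
    with one stub per exported function and a real export directory after
    them. `stubs` is an ordered list of (name, size_in_bytes); each stub body
    is just the name padded with 0xCC so a wrong address is easy to spot.
    This is a constructed stand-in, not a real kernel module."""
    image = bytearray(code_base)
    func_rvas = {}
    for name, size in stubs:
        func_rvas[name] = len(image)
        image += name.encode().ljust(size, b"\xcc")
    names = sorted(func_rvas)            # PE name tables are sorted
    n = len(names)
    dir_rva = len(image)
    addr_tab = dir_rva + EXPORT_DIR.size
    name_tab = addr_tab + 4 * n
    ord_tab = name_tab + 4 * n
    str_tab = ord_tab + 2 * n
    strings = bytearray()
    name_rvas = []
    for name in names:
        name_rvas.append(str_tab + len(strings))
        strings += name.encode() + b"\0"
    # AddressOfFunctions keeps link order; each sorted name maps to an ordinal.
    link_order = [s[0] for s in stubs]
    ordinals = [link_order.index(name) for name in names]
    image += EXPORT_DIR.pack(0, 0, 0, 0, 0, 1, n, n, addr_tab, name_tab, ord_tab)
    image += struct.pack("<%dI" % n, *[func_rvas[name] for name in link_order])
    image += struct.pack("<%dI" % n, *name_rvas)
    image += struct.pack("<%dH" % n, *ordinals)
    image += strings
    return bytes(image), dir_rva


def parse_exports(image, dir_rva):
    """Resolve exported names to function RVAs by walking the export
    directory, the way a loader does at load time (rather than baking
    addresses in ahead of time)."""
    (_, _, _, _, _, _base, nfuncs, nnames,
     addr_tab, name_tab, ord_tab) = EXPORT_DIR.unpack_from(image, dir_rva)
    funcs = struct.unpack_from("<%dI" % nfuncs, image, addr_tab)
    name_rvas = struct.unpack_from("<%dI" % nnames, image, name_tab)
    ordinals = struct.unpack_from("<%dH" % nnames, image, ord_tab)
    exports = {}
    for name_rva, ordinal in zip(name_rvas, ordinals):
        end = image.index(b"\0", name_rva)
        exports[image[name_rva:end].decode()] = funcs[ordinal]
    return exports


def symbolize(exports, rva):
    """Map a raw RVA back to (function, offset) using the export table, the
    way a debugger labels a faulting address in a crash dump."""
    candidates = [(r, n) for n, r in exports.items() if r <= rva]
    if not candidates:
        return None
    func_rva, name = max(candidates)
    return name, rva - func_rva


# Constructed layouts: the patch grows KeBugCheck, which pushes every export
# after it to a new RVA. Sizes are invented for the demonstration.
PRE_PATCH = [("KeBugCheck", 0x20), ("ExAllocatePool", 0x30), ("ExFreePool", 0x10)]
POST_PATCH = [("KeBugCheck", 0x40), ("ExAllocatePool", 0x30), ("ExFreePool", 0x10)]


def stale_rva_demo():
    """Return (rva_before, rva_after, where_the_stale_rva_lands_after)."""
    img_a, dir_a = build_module(PRE_PATCH)
    img_b, dir_b = build_module(POST_PATCH)
    before = parse_exports(img_a, dir_a)["ExAllocatePool"]
    exports_b = parse_exports(img_b, dir_b)
    after = exports_b["ExAllocatePool"]
    # A driver that recorded `before` at infection time now calls into this:
    landing = symbolize(exports_b, before)
    return before, after, landing


if __name__ == "__main__":
    b, a, where = stale_rva_demo()
    print("ExAllocatePool RVA before patch: %#x, after: %#x" % (b, a))
    print("stale RVA now points into %s+%#x" % where)
```

The same symbolization over a real crash dump is what makes a post-patch BSOD inside an unrelated kernel routine point back at an infected driver rather than at the patch itself.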

Update 02/19:

SANS diary: MS10-015 may cause Windows XP to blue screen (but only if you have malware on it)

“Lucky for us the malware writers have addressed this issue and it shouldn’t happen again for those who are newly infected with this particular piece of malware. A shame really, as it was a convenient way in which to identify infected machines. If you did get the BSOD on your machine or on machines in your organisation, then you should consider the possibility that the machines are infected.”

Tom Kelchner

Rogue trying to look like Avira anti-virus

Jerome Segura at ParetoLogic blogged about this yesterday: a rogue security product with a web page that tries to imitate that of the German AV company Avira (check out the red umbrella and the typeface.)

Hmmm. If this company has been providing “20 Years of Total Protection” how come its web site was just registered last year and why was it registered by a proxy service?

The fake:


Site registered last year to a proxy service.

Registrant:
   Domains by Proxy, Inc.
   DomainsByProxy.com
   15111 N. Hayden Rd., Ste 160, PMB 353
   Scottsdale, Arizona 85260
   United States

   Domain Name: SECURITY-ANTIVIRUS-SITE.COM
      Created on: 25-Feb-09
      Expires on: 25-Feb-10
      Last Updated on: 25-Feb-09

The real one:


Site registered in 1999, full identifying data in Whois record.

Whois Record

Registrant:
Avira GmbH
   Lindauer Str. 21
   Tettnang D-88069
   DE

   Domain Name: FREE-AV.COM

   Administrative Contact:
      Auerbach, Tjark              
      Avira GmbH
      Lindauer Str. 21
      Tettnang D-88069 DE
      +49 7542 500 300 fax: +49 7542 500 318

   Technical Contact:
      Network Solutions, LLC.                
      13861 Sunrise Valley Drive
      Herndon, VA 20171  US
      1-888-642-9675 fax: 571-434-4620

   Record expires on 26-Mar-2012.
   Record created on 26-Mar-1999.

Nice work Jerome.

Tom Kelchner

 

Real life Mafia Wars: Spy Eye tool kit goes after Zeus botnet

Peter Coogan at Symantec put up a very interesting blog post yesterday about a crimeware kit called SpyEye v1.0.7 (on sale now on Russian sites — $500) that has a module that will kill a Zeus bot infection on a victim’s computer so the bot created by SpyEye can take it over.

In September, Computer Weekly reported the Swedish telco Telia Sonera shut down the Internet connections of Latvian company Real Host after it was linked to the Zeus botnet. At the time, researchers said they believed Real Host’s servers had captured about 3.6 million PCs for the Zeus botnet.

They linked Zeus to a Russian gang named Rock Phish, which is believed to be responsible for a massive amount of the phishing attacks aimed at stealing credit card and banking information.

The Zeus network took the hit and recovered, however, sending out massive malicious spam campaigns to infect more machines. One campaign carried an income tax topic in September and another had H1N1 as a lure in December.

Coogan said the SpyEye kit can also create crimeware with:
• keyloggers
• credit card modules
• daily email backup
• encrypted config files
• FTP protocol grabbers
• POP3 grabbers
• HTTP basic access authorization grabber

“If the use of SpyEye takes off, it could dent Zeus bot herds and lead to retaliation from the creators of the Zeus crimeware toolkit. This, in turn, could lead to another bot war such as we have seen in the past with Beagle, Netsky, and Mydoom,” he wrote.

He credits Mario Ballano Barcena with the analysis.

Symantec blog post “SpyEye Bot versus Zeus Bot” here.

Tom Kelchner

“Nothing” for sale on Amazon.com


There’s a lot of stuff for sale today that is worth nothing, but the folks selling it usually aren’t so up front about it. It is odd that one “used” nothing costs $10 and “collectible” ones are $9.95. They’re probably the really good ones, like 1946 Christmas tree light bulbs in the shape of Santa Claus that still work.

There have been 30 customer reviews and they rate it with four stars out of five.

I wonder if it’s guaranteed. Is there a service plan available?

You probably don’t have to worry about a recall.

If it’s downloadable, be sure you scan it for malware.

http://www.amazon.com/This-Test-Product-Nothing-Will/dp/B000ZING44/ref=cm_cr_pr_product_top

Alex started my day by sending me the link. What a boss!

Tom Kelchner

Shorten your own URLs

“YOURLS is a small set of PHP scripts that will allow you to run your own URL shortening service (a la TinyURL). You can make it private or public, you can pick custom keyword URL. It comes with its own API.” http://yourls.org/

It’s installed on your web server (needs PHP 4.3 or better and MySQL 4.1, with mod_rewrite enabled.)

“Benefits:

1. Not reliant on third party service
2. Sends link juice to your domain, not a service provider
3. Customize your short links
4. Build your brand (showing your URL)”

Story here.

Cool.

Thanks Andrew. Thanks Alex.

Tom Kelchner

P2P research: clue needed


At the ShmooCon hacker conference in Washington, D.C., last week two security researchers showed the very sensitive information that people inadvertently make available over peer-to-peer networks.

In their presentation, “Information disclosure via P2P networks: Why stealing an identity via Gnutella is like clubbing baby seals,” pen testers Larry Pesce and Mick Douglas said they found a lot of music, porn, malcode collections and the following:

— driver’s licenses, passport and tax return forms with Social Security numbers;
— someone’s will;
— a retirement analysis form with savings account totals and income estimates;
— an IRS form with a taxpayer identification number;
— a completed TurboTax form with personal information filled in.

The two have started The Cactus Project to help security specialists do similar research to help organizations tighten up the information they share over P2P. They list best-of-breed tools for conducting the research, including Mutella and the Gnutella Protocol on their site http://pauldotcom.com/cactusproject.html.

The Network World story quotes Douglas: “We have to keep trying to educate people, but through this kind of research [security practitioners] can take steps to better protect their own organizations going forward.”

Network World story here.

These guys are clearly having too much fun. Below is a quote from the pauldotcom.com site:

“I often say that we are in one of the only professions I know of which is destined to fail. You will have a breach and there will be compromises; you will get called out. In light of this reality I still find that information security professionals are a fairly happy lot. The trade-off for having the cards stacked against us is in that we get to work in one of the coolest fields.”  (http://pauldotcom.com/cactusproject.html)

Tom Kelchner

Black Hawk Safety Net down

China Daily has reported that Chinese law enforcement officials raided a hacker training and resource operation in Hubei province with 12,000 members, shut it down and arrested three principals in November.

The paper said: “The three, who ran Black Hawk Safety Net, are suspected of offering others online attacking programs and software, a crime recently added to the Criminal Law. A total of 1.7 million yuan ($249,000) in assets were also frozen.

“Hubei province named Black Hawk Safety Net as the largest hacker training site in China, which openly recruited members and disseminated hacker techniques through lessons, Trojan software and online forum communications.

“Since it was established in 2005, the site had recruited more than 12,000 VIP members and collected more than 7 million yuan ($1.03 million) in membership fees. More than 170,000 people registered for free membership.”

The story also said: “According to a report released by the National Computer Network Emergency Response Coordination Center of China, the hacker industry in China caused losses of 7.6 billion yuan ($1.1 billion) in 2009.”

The New York Times reported that the shutdown actually occurred in November and quoted a noted China watcher as saying that the action was just “window dressing” since Chinese authorities have not shut down the well-known servers that were used to attack Google and other western companies recently.

Observers in the west have been trying to fathom the meaning of events in China ever since Marco Polo wandered there in the 13th century and lived to write a book about it. China is big, in some ways very disorganized and has a history of being strange to the rest of the world. It will be interesting to see if there are more takedowns coming.

China Daily story here.

New York Times story here.

Update 02/09:

Dr. Johannes Ullrich of SANS said today on his Internet Stormcast that the Chinese press had reported that Black Hawk Safety Net was involved in using a botnet for denial-of-service extortion against Internet cafes. Authorities located them by tracing telephone calls. Ullrich described them as a “semi-organized group of script kiddies.”

Tom Kelchner

Sunbelt supports Safer Internet Day: Think B4 U post!

Sunbelt Software is supporting tomorrow’s Safer Internet Day, an awareness-raising initiative co-funded by the European Commission. Organizations in more than 60 countries are behind the campaign, this year focusing on the theme “Think B4 U post!”


New technologies have turned all of us, and especially young people, into publishers of information, pictures and videos. While bringing new opportunities for personal expression and creativity, the same technologies can also conjure up embarrassing or even traumatic situations. For example, photos, once posted online, remain online and can be seen by anybody, even years after they were posted. Children and teenagers therefore need guidance to manage their online identity responsibly and to stay in control of it.

“We are proud to be supporting Safer Internet Day. Whilst it is generally assumed that the latest generation will be the most technologically savvy, we see that children are taking increasing liberties with their online identity and opening themselves up to a wealth of very real dangers,” explained Sunbelt Software CEO Alex Eckelberry. “By following this simple five point checklist they can enjoy the many social and academic benefits of the Internet safely.”

Sunbelt Software offers the following five-point checklist to both children and parents to enable a safer online experience:

1. Do not open any emails that come from senders you don’t know. Many of those emails have luring titles like “You have won a lottery” or “Happy birthday, I have a present for you” and so on. Never open any attachments that come with such emails, as it is likely that you will install a virus or a worm on your PC.

2. Try to avoid suspicious websites, and if you accidentally enter one that seems strange, leave it immediately.

3. If pop-up windows alert you or ask you to agree to anything, immediately close them and never click on any button inside them.

4. Install antivirus software such as Sunbelt Software’s award winning VIPRE on your PC. This will protect your computer against viruses and other malware threats. Antivirus software needs to be regularly updated, and can provide added security such as content or website filtering.

5. Install a firewall, which will keep watch on all files that go in and out of your computer.

About Insafe

Insafe is the European Safer Internet awareness-raising network co-funded by the European Commission. It’s made up of national contact centers across the European Union and in Iceland and Norway, with partner organizations in Argentina, Australia and the US. Insafe aims at empowering users to benefit from the positive aspects of the internet whilst avoiding the potential risks.

Further information is available at www.saferinternet.org or by contacting info-insafe@eun.org.

Tom Kelchner

You’d think a company pursuing an IPO in this economy would clean up its act

You’d think that a company trying to raise several hundred million with an initial public offering of stock would tell their affiliates to be on their best behavior for a while.

For example, maybe they’d discourage them from hacking government web sites to attract search engine hits on the word “bestiality,” then redirect browsers to the company’s site.

(Screenshots: the sites as they appear in search results, and the injected code.)

Remember Adult Friend Finder? Penthouse Media Group (which also owns Penthouse magazine) purchased the online adult… ah… dating service in 2007 for $500 million. Now they’re called FriendFinder Networks, Inc. In December 2008 they filed with the U.S. Securities and Exchange Commission for permission to make an initial public offering of $460 million of stock.

That timing wasn’t too good given the near collapse of the global economy back then, so last month they amended their IPO filing in hopes of raising $220 million. Lead underwriters are Renaissance Capital and Ledgemont Capital Markets LLC. Co-managers are Merriman Curhan Ford and Lighthouse Financial.

See story “FriendFinder Still Sees IPO, But Less Capital Raised (FFN)”

In 2007 AdultFriendFinder.com settled an enforcement action by the Federal Trade Commission, which charged that their explicit online pop-up ads violated federal law. The settlement barred them from “displaying sexually explicit online ads to consumers who are not seeking out sexually explicit content.” (Story here.)

Thanks Eric Howes.

Tom Kelchner

Major U.S. crackdown on work-at-home fraud coming?

The U.S. Federal Trade Commission today announced that next Tuesday they will hold a news conference to make public details of “a law enforcement sweep cracking down on job and work-at-home fraud fueled by the economic downturn.”

The media advisory said that the news conference would feature the director of the FTC’s Bureau of Consumer Protection, David C. Vladeck, an assistant attorney general and the Ohio Attorney General. The advisory listed as “also attending” representatives of the U.S. Postal Inspection Service, Monster.com and Microsoft.

People who sign on as work-at-home employees from Internet ads (also called “money mules”) often are used as conduits for stolen funds that are transferred from the bank accounts of victim individuals or companies who have been scammed by phishing or spear-phishing. The money mules set up bank accounts into which stolen funds are transferred. They are instructed to keep a portion of the funds and wire the remainder to the scammers, who are generally outside the U.S.

In November, the FBI reported that it had been notified of about $100 million in attempted losses from such scams.

Prominent computer security blogger Brian Krebs ( http://www.krebsonsecurity.com/ ), formerly of the Washington Post, has reported extensively about losses from similar scams from small and medium size businesses in the last few months.

A blog piece he did in January “Top 10 Ways to Get Fired as a Money Mule” is not only a good description of the work-at-home scam, but is very funny as well.

FTC media advisory here.

Tom Kelchner

Trojan code sneaks into two Mozilla add-ons

Mozilla yesterday posted a notice on its AMO blog (that’s an acronym for their add-on site addons.mozilla.org) that two add-ons have been found infected with Trojan code: Sothink Web Video Downloader v. 4.0 and all versions of Master Filer.

Version 4.0 of Sothink Web Video Downloader contained Win32.LdPinch.gen and Master Filer contained Win32.Bifrose. According to the blog, Master Filer was downloaded 600 times before it was removed from the site Jan. 25 and Sothink was downloaded more than 4,000 times before it was removed Feb. 2.

Mozilla said “AMO performs a malware check on all add-ons uploaded to the site, and blocks add-ons that are detected as such. This scanning tool failed to detect the Trojan in Master Filer. Two additional malware detection tools have been added to the validation chain and all add-ons were rescanned, which revealed the additional Trojan in Version 4.0 of Sothink Web Video Downloader. No other instances of malware have been discovered.”

Blog post here.

Update 02/10:

It turns out that the Sothink Video Downloader 4.0 was NOT infected. It was tagged as malicious because of a false positive in the scanner that Mozilla used at the time.

Mozilla posted the following yesterday:

“Since that disclosure, we’ve worked with security experts and add-on developers to determine that the suspected trojan in Version 4.0 of Sothink Video Downloader was a false positive and the extension does not include malware. The same investigation also confirmed that the Master Filer extension included a valid instance of a trojan. Our estimate of 6,000 affected downloads has been revised to under 700. The Sothink Video Downloader has been re-enabled on AMO.”

Mozilla’s update here.

Tom Kelchner

Tech support hell

Funny and too close to the truth:

When you finally do get through to an agent, you’ll hear something like: “Welcome to DSL technical support, my name is Larry how can I help you today?” You give Larry your account number and begin to explain your situation, knowing all the while that this is a formality. As soon as you stop talking he’ll begin the same dance you’ve danced every time you call tech support. You conclude your exhaustive rundown of your case history. There’s a beat, and then Larry responds, “I understand sir. Can you tell me. Is your computer plugged in?”

Link (Warning: off-color language).

Everything we aim not to be in our support.

Alex Eckelberry
(Thanks Jamie)

Haiti relief scams: more than 170 reported to feds

USA Today is reporting that federal law enforcement agencies have taken more than 170 complaints about Haiti earthquake relief scams. They expect more on social networking sites such as Facebook and Twitter. The scams include spam email, fraudulent web sites and in-person scams.

The story advises those wishing to check on the legitimacy of a relief organization to check the web site of the American Institute of Philanthropy ( http://charitywatch.org/ ), which rates charities.

The Institute says that charitable organizations should spend 75 percent of the cash they raise on their charitable work and no more than 25 percent on fund-raising expenses. Its web page lists several dozen legitimate charities providing relief for the victims of the Haiti earthquake here.

Story here.

Tom Kelchner

Phishing scam steals carbon credits

Wired magazine has run a story on a phishing scam in Europe, New Zealand and Japan that resulted in the loss of 250,000 carbon credit permits worth $4 million from six companies.

The phishing emails spoofed the German Emissions Trading Authority and said that the victim companies needed to re-register their accounts with the authority. When victims entered their information on the fraudulent web page linked from the phishing emails, the scammers accessed their accounts, transferred emissions credits to accounts they controlled, then sold them. The amount the scammers made hasn’t been disclosed.

Wired cited information from the BBC and the German newspaper Der Spiegel.

Story here.

User education. User education. User education. User education.

Tom Kelchner

Human factors: compulsive Internet life can replace the real thing

Psychologists doing research at Leeds University in the UK found that people who spend an excessive amount of time on the Internet show signs of depression, although they did not determine whether the online behavior caused the depression or whether depressed people spent more time online.

Catriona Morrison, the lead author, wrote in the journal Psychopathology: “This study reinforces the public speculation that over-engaging in websites that serve to replace normal social function might be linked to psychological disorders like depression and addiction.”

The research is the first such study of people in the west. The researchers analyzed the Internet use and depression levels of 1,319 people in Britain between the ages of 16 and 51. They concluded that 1.2 percent were “Internet addicted” and “spent proportionately more time browsing sexually gratifying websites, online gaming sites and online communities. They also had a higher incidence of moderate to severe depression than normal users.”

“What is clear is that for a small subset of people, excessive use of the Internet could be a warning signal for depressive tendencies,” Morrison said.

Story here.

The “Internet addiction” headlines mostly have been from Asia recently, where marketeers have been trying to convince the public that 10 percent of them are Internet addicted and in need of rehab camps (complete with military-style discipline, beating deaths and electro-shock therapy) that cost thousands.

See our blog piece “China bans use of electroshock therapy” from August.

In the U.S., what is believed to be the first Internet addiction treatment center, called “reStart Internet Addiction Recovery Program,” opened last summer near Fall City, Wash.

See our blog piece “First Internet addiction treatment center opens in Washington state”

Tom Kelchner

VIPRE is a finalist in UK’s Network Computing Awards

VIPRE is among nine finalists in the Security Product of the Year category of the 2010 Network Computing Awards competition. Voting on the Network Computing web site will continue until Feb. 22.


“The Network Computing Awards were launched to recognise the companies, the products and the services that have most impressed the readers of the UK’s longest established computer networking publication.”

“Categories have been refined to recognise the hardware, software and managed services that can assist an organisation in operating securely, efficiently and responsibly in today’s world.”

Awards will be presented on 4th March at Guoman Tower Hotel, London.

More information here. 

Tom Kelchner

 

Phony Firefox update comes with Hotbar adware

Our good friends at Broomfield, Colo., security firm eSoft have found an interesting scam to trick Internet users into installing the Hotbar adware: a fake Firefox download site.

The eSoft researchers theorize that an affiliate of Pinball Publisher Network (PPN) is responsible. Pinball bought the Zango assets after that pestilent operation failed last spring.

However, Sunbelt Software Spyware Research Manager Eric Howes did some more digging and found that PPN offers the download file on a site they own, so affiliates can send victims there for downloads.

The PPN home page notes that PPN is itself distributing the custom Firefox installer that PPN put together and digitally signed from this web site:

http://freesoftwaredl.com/

The PPN setup wizard says that the distribution of Firefox is “sponsored” by Hotbar. We’re wondering what that means. In reality, they’re taking a distribution of Firefox and infecting it with adware.


We blogged about the Pinball Publisher Facebook fan site last week.

eSoft blog piece here.

The real site to download a legitimate copy of the Firefox browser is here:
http://www.mozilla.com/en-US/firefox/personal.html?from=getfirefox

Tom Kelchner

Update 02/04:

PPN made and signed the installer that both PPN directly and their affiliates indirectly are distributing. That’s why PPN is responsible for what’s going on at the affiliate site that eSoft found — the affiliates are only promoting a download created and hosted by PPN itself. PPN itself is running a web page that promotes the same bundleware install that the affiliate site is offering.

Thanks Eric