Data Doctor 2010 encrypted files: we have a tool for that

Our analyst Dimiter Andonov has developed a tool to decrypt files encrypted by Data Doctor 2010 that at least one blog reader found very useful:

george
Can vipre recover mp3 and jpg files that were encrypted by this very annoying ransomware?
Today, 5:11:00 AM

[This user is an administrator] Tom Kelchner
Hi George.

We have a tool available to do just that. Go to:
http://www.sunbeltsecurity.com/DownLoads.aspx

Today, 11:16:12 AM

george
You are the best! It’s working great…just to find a way to make a batch out of it for the thousands of files that need it.
THANKS
Today, 2:11:33 PM

How to use dd2010_decrypter.exe to do batch processing:

1. Place the encrypted files in a directory (e.g. c:\encrypted_files)

2. Copy dd2010_decrypter.exe into another directory and FROM THAT DIRECTORY, run the following command:

for %f in ("c:\encrypted_files\*.*") do dd2010_decrypter.exe "%f" "%f.decrypted"

All files in the encrypted_files folder will be processed. Each decrypted copy keeps the original file name with “.decrypted” appended to it.

CAUTION: be sure you put ONLY files that are to be decrypted into the target directory before you run dd2010_decrypter.exe
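The one-liner above can be turned into a batch file that handles the caution for you: it writes its output to a separate folder (so a second run never feeds “.decrypted” files back into the tool), skips anything that already carries that extension, and logs every input for which no output file appeared. This is an added example, not the Sunbelt tool’s own script; it assumes dd2010_decrypter.exe sits in the current directory, takes an input path and an output path exactly as in the command above, and writes the output file only when decryption succeeds. The C:\encrypted_files and C:\decrypted_files paths are placeholders.

```batch
@echo off
rem Added example, not the Sunbelt tool's own script. Assumes dd2010_decrypter.exe
rem is in the current directory, takes <input> <output> as in the post above, and
rem writes the output file only when decryption succeeds.
setlocal

set "SRC=C:\encrypted_files"
set "OUT=C:\decrypted_files"
set "LOG=%OUT%\dd2010_batch.log"

if not exist "%OUT%" mkdir "%OUT%"
if exist "%LOG%" del "%LOG%"
set /a ok=0, bad=0

rem Quoted paths keep names with spaces intact. Output goes to a separate
rem directory, so nothing this script produces is ever used as input.
for %%f in ("%SRC%\*.*") do (
    rem skip outputs from an earlier run that may have been left in the source folder
    if /i not "%%~xf"==".decrypted" (
        dd2010_decrypter.exe "%%f" "%OUT%\%%~nxf.decrypted"
        if exist "%OUT%\%%~nxf.decrypted" (
            set /a ok+=1
        ) else (
            set /a bad+=1
            rem redirection first, so a file name ending in a digit is not read as a handle number
            >>"%LOG%" echo FAILED: %%f
        )
    )
)

echo Decrypted: %ok%   Failed: %bad%
if exist "%LOG%" echo Failures are listed in "%LOG%"
endlocal
```

Save it as, for example, dd2010_batch.cmd next to dd2010_decrypter.exe and run it from that directory. Because the script only counts an input as decrypted when the output file exists, a file the tool silently refuses (one that was never encrypted by Data Doctor 2010, say) shows up in the log rather than vanishing into the count.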

See our Dec. 18 blog post: “Data Doctor 2010 will make you sick.”

Thanks Dimiter.

Update 01/07:

We’ve just posted a page with detailed directions for using the Data Doctor 2010 file decrypter:

http://www.sunbeltsecurity.com/DownLoads.aspx

Update 01/08:

Our good friends at F-Secure have posted a very good, detailed analysis of Data Doctor 2010. It can be found at: http://www.f-secure.com/weblog/archives/00001850.html

Tom Kelchner

Cybersitter sues China, others, for $2.2 billion in Green Dam fiasco

California software company Cybersitter LLC has sued the People’s Republic of China and seven computer manufacturers in U.S. federal court for stealing 3,000 lines of its Internet filter software code and using it in last year’s Green Dam fiasco in China.

The suit, “Cybersitter v. the People’s Republic of China,” was filed in U.S. District Court, Central District of California (Los Angeles). It also names Acer, Lenovo, Sony Corp., Toshiba, Asustek Computer Inc., Benq Corp. and Haier Group as defendants.

Last spring, the Chinese Ministry of Industry and Information Technology issued the requirement that all computers connected to the Internet in the country run Green Dam Youth Escort filtering software, allegedly to protect users from pornography and other objectionable content. However, bloggers familiar with China who read through the Green Dam black list found that it contained about 2,700 words related to pornography and about 6,500 “politically sensitive” words. (See our June 16 blog entry: “Green Dam = Spyware”)

The ministry had bought the rights to the Green Dam application for one year through a no-bid $6 million purchase from Jinhui Computer System Engineering Co. of Zhengzhou.

Cybersitter said last June that code from its software was used extensively in Green Dam-Youth Escort and sent cease-and-desist letters to the U.S. PC manufacturers who were expecting to install it for the Chinese market. Cybersitter is now suing China and those companies.

Greg Fayer, Cybersitter’s attorney said in a news release today: “This lawsuit aims to strike a blow against the all-too-common practices of foreign software manufacturers and distributors who believe that they can violate the intellectual property rights of small American companies with impunity without being brought to justice in U.S. courts. American innovation is the lifeblood of the software industry, and it is vital that the fruits of those labors be protected at home and abroad.”

Cybersitter news release here.

Bloomberg news story here: “China Faces U.S. Piracy Suit for Web-Filter Software “

Tom Kelchner

“Washable” cell phone coming soon

Seal Shield, a Jacksonville, Fla., company that makes washable computer keyboards and mice, said it will introduce the world’s first washable cell phone at the Consumer Electronics Show in Las Vegas this week.

The company’s washable mice, keyboards and TV remotes can be cleaned in a dishwasher.

This might be good. I have three 20-something step children who have discovered that cell phones as we have come to know them do not survive being dropped in toilets.

Story here.

Company web site here.

Tom Kelchner

Adobe Reader, Acrobat, Flash Player updater coming

There has been extensive news coverage this week of Adobe’s plans for ramped-up security in its popular Reader, Acrobat and Flash Player applications, especially the Reader and Acrobat updates promised next week.

A vulnerability that was publicized in December in Reader and Acrobat allows an attacker to execute arbitrary code with a specially crafted PDF file using ZLib compressed streams. In a short time, proof-of-concept code was made public. In the past week, anti-virus companies began intercepting malicious .pdf files that exploit the vulnerability to install a back door on victims’ machines.

Adobe applications were targets of malware earlier in 2009 too and at least one anti-virus company predicted that in the coming year Adobe products probably will be exploited frequently.

The good news for the company is that Adobe’s products are so popular that they’re drawing the attention of the dark side. The bad news is… well, pretty much the same thing.

Brad Arkin, Adobe’s director of product security and privacy, apparently has been available to anyone with a blog who wants to talk about Adobe’s security ramp up, including this very detailed interview on Kaspersky’s Threatpost blog.

The real takeaway for the average computer user is that Adobe is making major changes in its security practices. One significant change is releasing patches on Microsoft’s “Patch Tuesday” each month, something the company began in 2009. Arkin has said the company will launch a beta trial of an updater this month, and it should find its way into default installs of Adobe Reader and Acrobat shortly.

Users will be able to opt out of the automatic updates. That feature will be handy for the information technology staff that is responsible for updates enterprise-wide.

It’s a good approach and Reader and Acrobat users should keep alert for the updates and instructions for configuring their installations.

Congratulations Adobe for being so popular you’re in the cross hairs of malicious operators worldwide… I think.

eWeek story here: Adobe Keeps Focus on Security in 2010 as Attackers Circle

Tom Kelchner

Gaming Trojans: “because that’s where the money is.”

The massive growth of gold farming – the exchange of real money for virtual goods – might result in an increase in gaming Trojans and other malware aimed at gamers in the future.

A well-respected researcher has described the incredible growth of “gold farming,” a significant industry and source of employment in China and other parts of Asia. He estimates there are 400,000 people working for gold farming companies. They spend as much as 12 hours per day playing online games in order to accumulate virtual goods, which can be sold to some of the 50 million online game players worldwide for real cash.

Richard Heeks, the chairman of development informatics at the University of Manchester in England has been studying the effects of digital technology on international development for 30 years. Scientific American magazine (the paper edition) carried an article by Heeks in its January 2010 edition “Real Money from Virtual Worlds.” It appears to be an updated version of a 2008 paper available on the university’s web site.

The gold farmers – mostly young men – can earn as much as a factory worker in their native China. Although they live in Spartan dormitories and work long hours, they appear to like the work, Heeks said.

The 60,000 to 100,000 gold farming companies worldwide are making $200 million to $3 billion annually, he estimates in the Scientific American article. This is a great source of income and employment in developing countries (one of Heeks’ points).

Perhaps it’s time to start thinking a lot more seriously about the value of virtual goods in online games. Gaming Trojans and other related spyware are going to be a more and more serious malware threat as the dark side realizes the value of the stuff gamers stay up all night to accumulate.

Heeks’ 2008 paper on the university web site:

Current Analysis and Future Research Agenda on “Gold Farming”: Real-World Production in Developing Countries for the Virtual Economies of Online Games

Tom Kelchner

New threat from online pharmacies: FDA impersonator extortion scams

Here’s one more reason not to order drugs from on-line pharmacies, in case the possibility of wasting your money on fake pills, having your credit card account sacked by thieves or poisoning yourself isn’t enough.

The U.S. Food and Drug Administration has posted a warning about extortion artists posing as FDA agents, threatening those who have purchased drugs on line and demanding that “fines” of $100 and more be paid by wire transfer, usually to the Dominican Republic.

The FDA said the victims, who usually had purchased drugs from Internet sources or telepharmacies, were contacted by scammers who identified themselves as FDA agents or law enforcement officers from other organizations. The scammers tell their victims that ordering drugs via the Internet or by phone is illegal and that they will be prosecuted if they don’t pay fines immediately.

The agency points out that their agents never contact offenders that way and only a court can impose fines.

The FDA said in the release: “Anyone receiving a telephone call from a person purporting to be an FDA or other law enforcement official who is seeking money to settle a law enforcement action for the illegal purchase of drugs over the Internet should refuse the demand and call the FDA’s Office of Criminal Investigations Metro Washington Field Office at (800) 521-5783 to report the crime.”

FDA news release here.

Tom Kelchner

One Y2010 bug surfaces – it could really fill the spam bucket

Mike Cardwell, an IT consultant in Nottingham, UK, reported on his blog finding a Y2010 bug in SpamAssassin. He found an error in a rule that the SpamAssassin developers thought they had fixed.

“I think a lot of systems will be experiencing false positives on their ham because of this at the moment. It is a particularly high scoring rule considering that the default threshold is 5.0,” he wrote.

For further information see: SpamAssassin Rule: FH_DATE_PAST_20XX

Thanks Alex.

Tom Kelchner

Computer security for all levels of users

Jerome Segura, a Security Analyst at ParetoLogic of Victoria, B.C., Canada, just posted a nice piece on computer security practices with a different perspective in his “Malware Diaries” blog.

He begins his list of security tips by considering four classes of users:

— pre-baby boomers
— early and late baby boomers
— 70’s – 80’s users
— 90’s to present

then makes further distinctions by level of security knowledge and awareness:

— extra-cautious (paranoiacs)
— those who somewhat understand
— those who are over-confident
— security conscious folks.

His “ABCs of online security” is a list of 11 practices that could create a sound security consciousness for everyone, but especially for all those non-technical home users out there.

“- Today’s computers are connected to the Internet and are therefore much more at risk than their ancestors.

“- The Internet is fun but also dangerous.

“- People don’t know what they do and can easily be duped.

“- The more cool stuff, the more risks.

“- The right choice of software and hardware can protect your computer but will not make it 100 percent safe.

“- Updates should be applied religiously.

“- If you aren’t sure about something, check it. Files and Websites can be analyzed prior to opening.

“- Computers are not demons but they can be zombies.

“- Browsing to a site (ANY site) can infect your computer.

“- Backups are your best friends.

“- Virtual Machines are an acceptable way to have an affair (and get infected) behind your computer’s back.” (I think he means “an acceptable way to experiment with potentially malicious sites and files.”)

There’s always been a tendency among the technoroti to look down their noses at non-technical users. Personally I don’t think there has been enough effort put into public education on computer security. It’s way too common to blame the victims and that just doesn’t work. The money they spend for rogue anti-malware products and the cash siphoned out of their bank accounts help fund the criminal groups that prey on all of us.

When it comes to computer security, we’re all in this together.

The U.S. Computer Emergency Readiness Team (US-CERT) has a great page of security documents for all levels of users: http://www.us-cert.gov/cas/tips/

Sunbelt has two white papers that dig into the details of the two biggest threats on the Internet today. They’re written for non-technical users:

Malicious spam:
http://www.sunbeltsecurity.com/dl/What_s%20%20in%20your%20spam%20bucket.pdf

Rogue security products:
http://www.sunbeltsecurity.com/dl/Is%20it%20a%20real%20anti%20malware%20product.pdf

Tom Kelchner

Cybercrime infrastructure: botnet and malware support services

Gunter Ollmann, VP of research for Damballa security firm in Atlanta, has blogged about the underground service industry that has sprung up to support botnet and malware groups. He found “botnet support” and “malware quality assurance” sites. There’s 24×7 support with ticketing systems.

One site features forums, a variety of services (including distribution), hacking tools and remote access Trojans.

The bad news is that the cybercrime underground is so well developed that it can support such related businesses.

The good news: wow, what a great place for law enforcement agencies to set up sting operations and distribute utilities with back doors and key loggers. Legitimate AV companies can leave out of their detections the Fed’s spyware and the dark side will be forced to come up with their own anti-spyware scanners. Then the Feds can get into polymorphic code and fast flux and rogue security applications. It would be a whole alternative universe!

Gunter Ollmann blog here.

Update 12/31:

It didn’t take long for the next development in this story to appear: “Virus Scanners for Virus Writers.” It’s the second entry in Brian Krebs’ new blog, “Krebs on Security.”

Krebs, who wrote the popular “Security Fix” column in the Washington Post for 15 years, left that post this week.

Tom Kelchner

Xmas shoppers: rich pickin’s for phishers

Hong Kong-headquartered security firm Network Box reported that an analysis of web-based threats showed that phishing doubled in a month, probably because of the number of potential victims — people shopping on line in December.

Network Box said that its analysis of web-based threats showed that 57 percent of the threats in December were phishing attacks. In November they pegged that number at 28.3 percent.

The company predicted that the increase in phishing would continue into January.

Story here.

Tom Kelchner

Seen in the wild: Specialty phishing

From a site that is hacked and serving phishes:

[image: Hacked123844148]

What’s mildly interesting is the types of phishes — “speciality phishes” that are not your typical banking/finance scam.

[image: Hamiltonphish]

These are phishes that are highly targeted, in this case at the email systems of tiny Hamilton College (not the first time I’ve seen this), the religious site cfaith.com, Saginaw Valley State University, and Villanova.

Hamilton.edu:

[image: Hamilton123812388]

cfaith:

[image: Cfaith1231238]

SVSU:

[image: Svsu1234882]

and Villanova:

[image: Vilanova123482348]

Alex Eckelberry

2010 prediction roundup

It’s the time of year to make predictions. I only have one: in 2010, governments around the world will BEGIN to increase their efforts to do something about the massive malware threat that every Internet user on the planet faces.

It’s going to be controversial and difficult legally and technically. It’s going to cost serious tax money, political capital and diplomatic work to counter this crime wave that is like nothing the world has ever known.

At this point, 90 percent of email is spam, organized crime groups commonly siphon cash from the bank accounts of individuals and businesses on other continents, search engines are regularly harnessed to lure those browsing the web into purchasing fake security products and malicious applications are being created faster than legitimate software.

China has made two huge, stumbling attempts. One, Green Dam-Youth Escort, unfortunately was mixed up with state censorship and sullied by a sleazy company whose idea of software development was “borrowing” a U.S. company’s code. The other, China’s attempt to require “on-paper” domain registration and limiting them to registered businesses, possibly could make it harder to set up malicious sites, but, it too is drastically flawed.

The U.S. Federal Trade Commission has had some noteworthy successes against spammers. European governments are seriously going after digital pirates and Nigeria has arrested a few dozen 419 scammers and promises a lot more.

So, there is motion.

. . .

There is no shortage of predictions this month.

Other people in the computer security sector have been making a lot more predictions and posting them. I thought it would be interesting to sort them by topic and compare them. I’ve summarized them as briefly as possible and listed the URLs of the original texts at the bottom of this blog post.

Application level attacks
— Adobe software, especially Acrobat Reader and Flash, will become top hacking targets. [McAfee]

Banking Trojans
— Banking Trojans will become more sophisticated. [McAfee]

Botnets
— Fast flux botnets will increase [Symantec]
— Botnet controllers will switch to less vulnerable methods for command-and-control (such as peer-to-peer networks). [McAfee]
— Botnets are becoming more self-sufficient. [WebUser]
— “Malware will not evolve.” Botnets will not get any more sophisticated, there will be no mass outbreaks and highly targeted attacks will remain on the fringe. [Cooper/Verizon]
— There will be a shift in botnet-related crime from black markets to grey markets with more partner programs for DoS attacks and malware distribution. [Kaspersky]

CAPTCHA
— CAPTCHA technology will improve. Businesses in emerging economies will hire people to defeat it and generate accounts for spammers. [Symantec]

Cyber crime
— There will be more successes in the fight against all forms of cybercrime in 2010. [McAfee]
— Breaches will increase, especially against mid-sized businesses. [Cooper/Verizon]
— Microsoft’s legal efforts will pay off with at least one major arrest. [Cooper/Verizon]
— China will continue to be blamed for everything. [Cooper/Verizon]

File sharing networks
— There will be a shift from attacks via the web and applications to file sharing networks. [Kaspersky]

Malware development
— Malware will become more sophisticated and remain one step ahead of increasingly sophisticated security programs that will be developed to deal with it. [Kaspersky]

Operating system exploitation trends
— Mac and mobile malware will increase. [Symantec]
— HTML 5 and Google Chrome OS will make opportunities for malware writers. [McAfee]
— Google Wave will be exploited extensively but Google’s Chrome OS will not. [Kaspersky]
— Specialized malware will increase (e.g. ATMs, voting machines, public telephone voting connected with reality television shows and competitions). [Symantec]
— iPhone and Android (and related third-party software) will be malware targets. [Kaspersky]
— Nothing significant will happen to non-PC devices such as telephones, PDAs and Macs. [Cooper/Verizon]

Phishing
— Spear phishing will increase. [McAfee]
— URL-shortening services will be used extensively for phishing. [Symantec]

Reputation-based security
— Reputation-based security will come into prominence. [Symantec]

Rogue security software
— Rogue security software vendors will expand their distributions. [Symantec]
— There will be a decrease in the number of rogue security product schemes. [Kaspersky]

Social engineering
— Social engineering will become the primary attack vector. [Symantec]
— There will be an increase in the level of security consciousness among consumers. [Cooper/Verizon]

Social networking services
— Social networking third-party applications will be targets for fraud. [Symantec]
— Social networking sites will face more sophisticated threats as user bases grow. [McAfee]
— An increased number of applications on social networking services will be exploited because of the level of trust between friends. [McAfee]
— Facebook, Google, Twitter, TinyURL and other services will gain more control over criminal content. [Cooper/Verizon]

Spam
— More organizations will begin selling unauthorized email address lists to spammers. [Symantec]
— Spam volume will fluctuate. [Symantec]
— Instant messaging spam and attacks will increase. [Symantec]

Virtualized environments
— Virtualization will not be a target. [Cooper/Verizon]

Windows 7
— Windows 7 will be a major hacking target. [Symantec]
— Windows 7 (though not IE8) will be more robust than expected. [Cooper/Verizon]
— New vulnerabilities in Windows 7 as well as third-party software (e.g. Adobe and Apple) will be the main cause of exploitation. Although, if Win7 is secure, it will be a quiet year. [Kaspersky]

Kaspersky Lab 2010 cyber threat forecast
http://www.kaspersky.com/news?id=207575980

McAfee
http://mcafee.com/us/local_content/white_papers/7985rpt_labs_threat_predict_1209_v2.pdf

Symantec
http://www.symantec.com/connect/blogs/don-t-read-blog

Verizon business services (Russ Cooper, creator of NTBugtraq)
http://securityblog.verizonbusiness.com/2009/12/15/2010-security-predictions/#more-434

WebUser (UK):
http://www.webuser.co.uk/news/blog/cammjones/436323/what-will-the-web-bring-in-2010

Tom Kelchner

Researchers take down Mega-D, one of top 10 botnets

Atif Mushtaq, a researcher at the security company FireEye, has coordinated a global effort to take down one of the top 10 botnets, Mega-D.

PC World said the botnet controlled 250,000 machines in a massive network that was responsible for nearly 12 percent of world spam, according to MessageLabs statistics.

Mushtaq and those working with him coordinated their efforts with Internet service providers to isolate the Mega-D command-and-control servers in Israel, Turkey and the U.S.

The researchers shared their information with U.S. federal law-enforcement agencies and said the federal agencies should begin similar research and takedowns on a full-time basis.

Story here.

“Top 10 botnets and their impact” (December 9)

Tom Kelchner

Iranian hacktivists hit Twitter site

Twitter was disrupted Thursday night by attackers who hacked Twitter’s domain name servers and rerouted Twitter traffic, as well as posting their own banner on the micro-blogging service’s page. The service returned to normal by Friday morning.

Technology blog Mashable attributed the attack to a group claiming to be the “Iranian Cyber Army.” Judging by the graphic they left, it appeared to be a hacktivist attack.

Story here.

Twitter blog.

Defacement graphic here.

Tom Kelchner

Data Doctor 2010 will make you sick

Our researcher Adam Thomas came across a new piece of ransomware today, an encryption trojan via our old “friends” iframedollars. It encrypts the files on your hard drive very rapidly if you’re unfortunate enough to be victimized by it.

It arrives through drive-by downloads from malicious web sites. It’s also packaged with other malware.

1. The victim receives a message that the system is shutting down due to “Unrecognized disk driver command.”

[screenshot 1]

2. His system is then re-booted to safe mode and a message is displayed: “Windows has recovered from a serious error. Some files can be corrupted. Disk checking is strongly recommended.”

[screenshot 2]

3. Attempting to access a file, the victim receives the message “Unable to open the file due to data corruption”. The repair file button downloads Data Doctor 2010, which of course runs in trial mode. It does, however, offer to repair one (1) file for you so you know it is “legitimate.”

[screenshot 3]

And, the pitch: pay $89.95 for a lifetime license. Additionally, these slime have the audacity to tack on a $1.50 activation fee.

[image: Payment_page]

Nice work Adam

Update: Jan. 6, 2010:

A blog reader has asked if we have a way to decrypt the files that Data Doctor 2010 encrypts. We have posted a tool that will do that. Go to: http://sunbelt-software.com/support/dd2010_decrypter.rar

Update 01/08:

Our good friends at F-Secure have posted a very good, detailed analysis of Data Doctor 2010. It can be found at: http://www.f-secure.com/weblog/archives/00001850.html

Tom Kelchner

Insurgents in Iraq could see some drone videos with $26 software

Laptop computers captured from insurgents in Iraq contained software that enabled them to intercept video feeds from the unmanned drones that are seeing expanded use in the Middle East, according to the New York Times.

The drones, used by the U.S. military to monitor insurgent activities in Iraq and Afghanistan, also can be used to deliver air-to-surface missiles.

Thursday, the Wall Street Journal broke the story that insurgents were using Sky Grabber, open source software that costs $26, and a satellite dish to intercept the transmissions. Sky Grabber was designed to download satellite transmissions of movies and music.

Pentagon officials said transmissions from the drones can be encrypted, however, unencrypted feeds have been commonly used when troops on the ground with older laptops or handheld controllers need direct feeds from the drones or piloted aircraft. The military knew that the unencrypted signals could be intercepted, but made the decision not to encrypt local links for the sake of economy.

The U.S. military has been expanding its use of the video feeds to troops and is rapidly upgrading its equipment to take the encrypted transmissions.

Story here.

Tom Kelchner

Tales from the Crypt: malware rising from Google cached pages

The Internet Storm Center blog just ran a piece about a malware vector that hasn’t been discussed enough: the Google Cache.

An ISC blog reader named Greg recounted that he was browsing for information, found a site that was down and pulled up the Google cached page to get what he wanted.

The site was down because of a malware infection and the cached page, with hidden iframes intact, sent him to a malicious site that offered a rogue security product.

ISC blogger Daniel Wesemann wrote “The badware is currently delivered through the domain todolust-dot-com. The EXE changes about twice per hour, and has very low AV coverage (Virustotal). Microsoft and Sunbelt are currently the only two AV tools on Virustotal that do not seem to be perturbed by the rapid morphing of the EXE, and keep catching it reliably.”

ISC blog here.

Dancho Danchev wrote about the cached-malware vector two years ago.

Tom Kelchner

WiniGuard clones are coming thick and fast

Yesterday we blogged about the most recent rogue security product in the WiniGuard family, TheDefend. Patrick Jordan had observed that a new clone was appearing about every two days. Overnight the pace picked up and loyal blog reader Fatdcuk let us know about yet another. He left us a comment: “SysDefence went live about 3 hours ago. They’re flying off the conveyor belt today.”

Patrick analyzed it and plunked it in the WiniGuard family, and our detections, as SysDefence.FakeSmoke.

[image: SysDefence_GUI]

The GUI is identical to TheDefend except the name.

Thanks Fatdcuk. Thanks Patrick.

Tom Kelchner