China restricts domain name registration

China is putting in place rules that would require a formal paper-based application system for those seeking domain name registration. The change would allow only businesses that have been licensed by the state to register domains. Ostensibly the move is to stop the distribution of pornography and other “bad stuff,” but some observers believe it’s simply one more attempt on the part of the Chinese government to stifle critical political comment.

It would seem as though this process could clean up one of the world’s worst domains for malicious Web sites, but there are some big, big loopholes, the usual percentage of corrupt officials being an obvious one.

Researchers at Trend Micro also found a very large vulnerability in the system. The process allows applicants to register domains immediately, but gives them five days to submit their documentation. So, malicious sites will be able to operate in the notorious .cn domain for five days before obtaining a new five-day domain. Five days is a long, long time for the Internet criminal underground.

Sunbelt researcher Patrick Jordan said he’s observed that some rogues and other malware use an elaborate system to point to a new malicious download site every few hours, often in a cycle as short as 6-12 hours.

Story here.

Trend blog here.

Tom Kelchner

Loss of availability: laptops among prime targets for air cargo thieves

The Wall Street Journal carried a piece about the theft of valuables from luggage and the luggage itself at airports. An increase seen in the last five years is being blamed on the bad economy and reduced security caused by cost-cutting measures. Airlines are not liable for the thefts under existing rules.

A spokesman for the Portland, Ore., airport said baggage thefts are up about 50 percent this year and a prosecutor in the Queens County, N.Y., district attorney’s office said “There’s been a tremendous increase in the last five years. It’s pretty bad—a lot is getting stolen every day.”

Laptop computers, iPods and electronic game systems are among the most popular items with thieves.

“Carousel thieves” – outsiders who simply steal other peoples’ baggage and walk out of the airport with it – are one threat. The other is theft by employees who take valuables from luggage, sometimes to sell on eBay. The insiders often switch routing tags to reroute the victim’s bags and confuse investigators.

Tips for avoiding losses:

— Don’t put valuables like jewelry or electronics equipment in luggage. Small items are the highest risk.

— If you can’t take valuables in carry-on luggage, ship them. You can insure items with shipping companies.

— Luggage locks are no protection. They’re easily opened.

— Report thefts immediately to the airline you’re flying on and the U.S. Transportation Security Administration.

— Put colorful tape or ribbons on your luggage to make it easily visible.

— For those who travel a lot with laptops: be sure valuable information is encrypted. Although most thefts are simply for the equipment, it isn’t out of the realm of possibility that thieves could try to exploit the contents of your hard drive if they can figure out a way to make money.

Story here.

Tom Kelchner

Dismal statistics: Project Honey Pot marks one billion spam messages

Project Honey Pot has reported that sometime in November it received its one billionth spam message.

“Every time Project Honey Pot receives a message we estimate that another 125,000 are sent to real victims. Our billionth message represents approximately 125 trillion spam messages that have been sent since Project Honey Pot started in 2004,” they said.

Their very well-written report contains a load of other information as well, like the fact that most of the spam in the world probably originated in the U.S., though the bot-infected machines that spew it out can be anywhere.

The report also said: “we’ve seen the word ‘Viagra’ spelled at least 956 different ways.”

Report here.

Tom Kelchner

Google Doodle search results poisoned

Rogue anti-virus vendors yesterday used search engine optimization techniques to poison the Google search that resulted from visitors clicking on the Google Doodle – the art that periodically appears above the edit box on the Google front page.

The Doodle, a rendering of the Esperanto flag, was intended to draw attention to the fact that it was the 150th anniversary of the birth of Polish linguist L. L. Zamenhof, who invented the Esperanto language.

[Image: Esperanto flag]

Half of the sites that appeared as top hits in the Google search had been hacked and redirected visitors to malicious sites that presented scareware warnings and tried to sell rogue anti-virus products.

A researcher at Barracuda Labs was quoted as saying that malicious operators have been working hard recently to steal FTP login information. Getting access to Web sites via FTP would allow them to post code that would redirect visitors to other sites that would download the malware.

ComputerWorld story here.

Tom Kelchner


Like clockwork: the next member of the WiniGuard rogue family appears

Friday we blogged about the three generations of the WiniGuard family of rogue security products that began in October of 2008. Friday, the 50th rogue in that line appeared. Analyst Patrick Jordan noted that there appeared to be a newly named clone added to the “genealogy” about every 48 hours. He’s been right.

Monday we found GuardPCS and today we found TheDefender. Its associated web site was registered Dec. 4.

Fraudulent operators behind the rogues seem to be doing two things to confuse Internet users and lure them into purchasing this worthless scareware:

— “Borrowing” content from legitimate anti-virus company web sites, such as certifications and management team pages, for their own web pages.

— Distributing their rogues with different names and with redesigned graphic interfaces. They usually have web sites associated with the new name. They look like authentic security products, but, as the song said they “take the money and run.”

[Image: TheDefend FakeSmoke_GUI]

See our earlier blog entry about the WiniGuard family of rogues.

Thanks Patrick

Tom Kelchner

“10 million people will you computers are perfectly safe”

New rogue borrows massively from AV company sites

Our friend M.N. Bharath drew our attention to this web site associated with the new System Adware Scanner 2010 rogue security product. Although the group claims 10 million users world-wide, oddly enough their site was only registered Nov. 25.

It seems they also have recruited the entire management team from AVG anti-virus company as well. Right!

Compare the names on the Smart Systems Technologies rogue page: http://sysadscanner.com/about.php

[Image: Smart Systems]

with AVG’s: http://www.avg.com/us-en/management-team

[Image: AVG management team]

If that isn’t enough to raise your suspicions, check out the Engrish on this page: http://sysadscanner.com/why.php

[Image: SAS Engrish]

Thanks M.N.

Tom Kelchner

Down with bloatware

Yeah, he has a point.

It killed the dinosaurs and it’s killing us. As if that wasn’t bad enough, our software is going the same way. Try as we might, the constant drive for things to get bigger seems irresistible. Bloatware rules. In an age in which every hardware device seems to be shrinking to near invisibility, why is it that the same isn’t happening to our software? Isn’t it about time that we demanded less, not more?

Link.

Alex Eckelberry

The biggest rogue family

The third generation of WiniGuard gets a new clone every 48 hours

A new rogue security product called IGuardPC, which we added to detections today, is the 50th clone of the WiniGuard family of rogue security products. That makes WiniGuard the largest rogue family ever detected by Sunbelt researchers.

The WiniGuard family began in September of 2008. Operators behind it have added variants that our researcher Patrick has sorted into three generations. The latest generation gets a new clone about every 48 hours to stay ahead of public awareness and anti-malware detections. Most of them are being caught by existing VIPRE detections.

First Generation

The first generation of WiniGuard used the site winiguard.com. It was created Sept. 17, 2008, by the same group who probably began circulating rogues using macguard.net, which has the same IP address. WiniGuard installed five files.

[Image: WiniGuard_GUI_Files]

Second Generation

SaveKeep, first found August 17, marked the beginning of the second generation. This was distinguished by the use of two files instead of five.

[Image: SaveKeep]

Third Generation

On Oct 17 the TREAntivirus rogue opened the third generation with a new GUI.

[Image: TRE AntiVirus]

Today’s IGuardPC makes a total of 50 clones — the largest family we’ve ever found:

[Image: IGuardPC_GUI]

WiniGuard rogues by generations

First Generation
10/13/2008 WiniGuard
1/29/2009 WiniBlueSoft
2/20/2009 WinBlueSoft
5/17/2009 WiniFighter
8/12/2009 WiniShield

Second Generation
8/17/2009 SaveKeep
8/24/2009 Savesoldier
8/26/2009 TrustNinja
8/27/2009 SaveDefense
8/28/2009 SafetyCenter
8/29/2009 BlockDefense
9/3/2009 SystemCop
9/11/2009 SafetyKeeper
9/17/2009 SoftSafeness
9/18/2009 TrustWarrior
9/19/2009 SaveDefender
9/22/2009 SaveArmor
9/25/2009 SecurityFighter
9/26/2009 SecuritySoldier
9/28/2009 SecureVeteran
10/2/2009 SecureWarrior
10/5/2009 TrustCop
10/8/2009 SafeFighter
10/9/2009 TrustSoldier
10/13/2009 TrustFighter
10/19/2009 SoftCop
10/21/2009 SoftVeteran
10/23/2009 SoftStrongHold
10/27/2009 ShieldSafeness
10/28/2009 SoftBarrier
10/30/2009 BlockWatcher
11/1/2009 BlockScanner
11/2/2009 BlockKeeper
11/4/2009 BlockProtector
11/7/2009 SystemVeteran
11/9/2009 SystemFighter
11/11/2009 SystemWarrior

Third Generation
10/17/2009 TREAntivirus
11/11/2009 AnitAid
11/17/2009 LinkSafeness
11/17/2009 SiteVillain
11/18/2009 SecureKeeper
11/24/2009 KeepCop
11/26/2009 ReAntivirus
11/27/2009 RESpyWare
11/30/2009 AntiAdd
12/3/2009 AntiKeep
12/7/2009 AntiTroy
12/9/2009 SiteAdware
12/11/2009 IGuardPC

Research by Patrick Jordan

Tom Kelchner

DefenceLab rogue home site has lots of borrowings

There are some “interesting” similarities between the home page of the DefenceLab rogue and the web pages of some legitimate anti-virus companies.

Our good friends at McAfee alerted us to some of this then Patrick Jordan and Alex Eckelberry took a closer look at the Web site associated with the new DefenceLab rogue that we reported on earlier this week.

DefenceLab was the one that directs the potential victim to a Microsoft Support page, but injects HTML code into the page in his or her browser to make it appear as though Microsoft is suggesting the purchase of the rogue.

Here’s what we mean by “interesting” similarities:

The “Awards” page was lifted from AVG’s “Awards-References” page right down to a dead link to the ICSA site. (AVG really has ICSA certification and DefenceLab is really malware.)

[Image: Fake awards]

DefenceLab: http://defencelab.com/about/awards
AVG: http://free.avg.com/ww-en/awards-references

The “License Agreements” also came from AVG:

DefenceLab: http://defencelab.com/about/license
AVG: http://free.avg.com/ww-en/eula

The “Company Profile” was lifted from the Mitnick Security Consulting LLC site:

DefenceLab: http://defencelab.com/about/profile
Mitnick Security: http://mitnicksecurity.com/company.php

And guess where DefenceLab got its privacy policy:

DefenceLab: http://defencelab.com/about/privacy
Sunbelt: http://www.sunbeltsoftware.com/About/Privacy/

They did leave out one paragraph from Sunbelt’s text though:

“You may send an e-mail or letter to the following e-mail or street address requesting access to or correction of your personally identifiable information:

“Privacy Manager. . “

Tom Kelchner

Is botnet C and C headed for the cloud?

Researchers at HCL Technology, a strategic partner of CA, found a hacked server on Amazon’s Web Services’ cloud infrastructure working as a command-and-control server for the Zeus botnet. The researchers said the intruders probably found a server — a “target of opportunity” — and hacked it to install their malware. The Zeus server has been removed. The Zeus botnet has been responsible for losses of over $100 million, mostly from bank fraud.

[Image: Amazon web services]

Security company Arbor Networks in August found a botnet using Twitter as a command-and-control channel for its bots.

In September, Symantec researchers found the Chinese-language Grups Trojan using the Google Groups newsgroup escape2sun to distribute commands.

Want to make any predictions?

InfoWorld story here. “Hackers find a home in Amazon’s EC2 cloud”

Register story from August: “Twitter transformed into botnet command channel”

Register: “Trojan taps Google Groups as command network”

Tom Kelchner

Rebranded rogue claims to be McAfee Secure certified

Patrick Jordan found this malicious little nugget today: Internet Security 2010. It’s a rebranded clone of Advanced Virus Remover, a rogue security product that we first found in June (Sunbelt Rogue Blog entry here.)

[Image: InternetSecurity2010_FakeResults]

It’s one of your run-of-the-mill rogues, using run-of-the-mill scare tactics, except its payment screen contains a static graphic that imitates the McAfee Secure certification.

[Image: Copy of InternetSecurity2010_McAfeeSecure_Tested]

A real “McAfee Secure” certification is a DAILY certification; it contains the date, and its logo should look like this:

[Image: Real McAfeeSecure tested]

When you click on it, it should take you to the McAfee Secure rating verification page: https://www.mcafeesecure.com/RatingVerify that gives the name of the certified web site and the “Status.”

[Image: McAfee return]

More info about the program here.

VIPRE catches the installer that is also the rogue’s exe module:

[Image: InternetSecurity2010_APBlockingInstaller]

While the rogue is active it also blocks all other applications.

[Image: FileBlockingTactics]

The list of download sites for Internet Security 2010 is the same VX Cactus group that ran the vxgame malware operations from Jan 2005 until Nov 2008.

Thanks Patrick.

Tom Kelchner

“Everyone” may not be your friend

There were two news stories recently that seemed to coincide. In the first, Cisco issued an annual security report which said the two current targets of the Internet criminal underground are banks and social networks. Banks because, well, we all know what they keep there. Social networks are targets because that’s where weakly protected password databases are kept and the passwords they contain probably are used on a lot of other sites as well.

“Criminals have been taking note of the large crowds in social-networking sites,” a Cisco researcher said.

The Koobface worm, which targets Facebook, has infected more than three million machines since 2008. It steals networking credentials, logs in to the sites and sends messages to friends to lure them to malicious Web sites that download more copies of the worm.

The second story, in PC World, detailed a significant change in access control that Facebook has rolled out. The 350 million Facebook users now have more control over who can see their information. These changes actually have been in a beta stage since last spring. In addition to “everyone” (the default setting) they can limit their information to “friends” or “friends of friends,” and now fine-tune the process with a “customize” option which can limit access to one person for a post, picture or other item.

[Image: Facebook 1]

There will be a new icon of a lock next to the “share” button that users hit to send their updates to their friends. Clicking on that enables users to select the security level for their posts.

Facebook users might avoid sharing with “everyone” since that makes their pages available to anyone on the Internet, including non-Facebook users. Sharing with “everyone” also makes the material available to search engines.

[Image: Facebook 2]

They also can lock down their profile settings by clicking on “settings” (top of page, right) then “privacy settings” in the drop-down menu.

Stories here:

“Cyber crooks targeting banks-social networks: Cisco”

“Facebook Privacy Changes Go Live, Beware of ‘Everyone’”

Tom Kelchner

SecurityTool rogue is trying to be a moving target

The SecurityTool rogue security product, which first turned up early in October, is still active and trying to avoid countermeasures by setting up 12-24 download sites per day.

[Image: SecurityTool_GUI]

It comes in two flavors, an online scanner scam:

[Image: SecurityTool_OnlineScannerScam]

and a fake codec scam:

[Image: SecurityTool_FakeCodecScams]

For more information see the Sunbelt Rogue Blog or malware descriptions.

It’s being detected by VIPRE as FraudTool.Win32.RogueSecurity (v

Thanks to Patrick Jordan for all that.

Tom Kelchner

Americans consumed 3,600,000,000,000,000,000,000 bytes of info at home last year

Yes, that’s right: 3.6 zettabytes!

A report entitled “How Much Information” by the University of California in San Diego, released today, said the average person in the U.S. consumes 34 gigabytes of content and 100,000 words of information in a single day. That’s just at home.

The number of bytes we consumed increased at six percent per year from 1980 to 2008, the report said.

TV and video games are responsible for a big chunk of that. People are reading more too, since browsing the web is considered reading.

The report says “We estimate that an average American on an average day receives 11.8 hours of information a day.”

The project was funded by AT&T, Cisco Systems, I.B.M., Intel, LSI, Oracle and Seagate Technology, with early support from the Alfred P. Sloan Foundation.

The report didn’t mention security, but, basically a lot of that data needs some kind of security protection. “Ten years ago 40 percent of U.S. households had a personal computer, and only one-quarter of those had Internet access. Current estimates are that over 70 percent of Americans now own a personal computer with Internet access, and increasingly that access is high-speed via broadband connectivity,” the report said.

Yep, 3.6 zettabytes per year – that’s a 36 with 20 zeros. It really puts the security issue into perspective (if you can wrap your head around the concept of a “zettabyte.”)

NYT story here.

Univ. of Calif. study report here.

Tom Kelchner

LimeWire and other P2P software present child porn risks

I’ve been saying this for a long time. P2P networks carry the risk of accidentally getting something you really don’t want…

Matthew White, of Sacramento, California, has found himself in a rather unfortunate situation; he’s been accused of downloading child pornography. On the advice of his public defender, White is pleading guilty in hopes of cutting his potential 20-year sentence down to three and a half years. After serving his time, White will have to serve 10 years of probation and register as a sex offender.

What makes this unfortunate is that the 22-year-old White claims he downloaded the child pornography on accident from the file-sharing service LimeWire. According to White, he was attempting to download a ‘Girls Gone Wild’ video two years ago, but when he opened the files, instead discovered images of underage girls. White claims to have immediately deleted the images and never looked back — at least until the FBI showed up at his door a year later.

Link here.

Alex Eckelberry

(Thanks, Herb)

Conficker Working Group: a template for countering future worm outbreaks?

SC Magazine has published a great feature story on the Conficker Working Group, an industry task force that has made major strides damaging the command and control channels of the worm that has infected 6.5 million computers worldwide since 2008.

The feature quotes Sunbelt Chief Technical Officer Eric Sites: “The Conficker Working Group is the greatest collaboration of top level security experts for specific malware research in industry history. The collaborative efforts of the Conficker Working Group are responsible for preventing a large scale attack.”

AV researchers in the group reverse-engineered the worm code and found its domain-generation algorithm. They then were able to forecast the domains that infected machines would check in with, and registered those domains before the attackers could.
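To show the defender's side of what the working group did, here is an added example (not code from the post, from Sunbelt or from the working group) with a constructed toy date-seeded generator standing in for the real algorithm, which the post does not describe. Given a recovered generator, the defender enumerates the next days' domains for pre-registration or sinkholing, and matches DNS query logs against that forecast to spot infected clients; the seed, the domain counts and the log lines are all constructed for illustration.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-in generator: NOT Conficker's algorithm, only a toy with
# the property the post relies on: every infected host derives the same daily
# domain list from the date, so whoever has recovered the generator can
# compute that list ahead of time.
TOY_SEED = b"toy-botnet-seed"          # constructed, not a real value
TLDS = ["com", "net", "org"]

def toy_dga(day, count=5, seed=TOY_SEED):
    """Return `count` deterministic domains for the given calendar day."""
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + bytes([i])
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 5                       # 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains

def forecast(start, days, count=5):
    """Defender's view: the domains bots will try on each of the next `days`
    days, keyed by date, so they can be registered or sinkholed first."""
    return {start + timedelta(d): toy_dga(start + timedelta(d), count)
            for d in range(days)}

def forecast_set(start, days, count=5):
    """Flat set of forecast domains, convenient for log matching."""
    return {dom for lst in forecast(start, days, count).values() for dom in lst}

def flag_dga_queries(dns_log, known):
    """Match query-log lines of the constructed form 'client_ip qname' against
    the forecast set; a hit means that client is computing the same schedule."""
    hits = []
    for line in dns_log:
        parts = line.split()
        if len(parts) != 2:
            continue                                      # skip malformed lines
        client, qname = parts
        if qname.rstrip(".").lower() in known:
            hits.append((client, qname))
    return hits

def demo(start=date(2009, 12, 11), days=7):
    """Forecast a week, then scan a constructed log that contains one hit."""
    known = forecast_set(start, days)
    first_domain = toy_dga(start)[0]
    sample_log = [                                        # constructed lines
        "10.0.0.5 " + first_domain + ".",
        "10.0.0.6 www.example.com.",
        "garbage line that is not a query",
    ]
    return flag_dga_queries(sample_log, known)

if __name__ == "__main__":
    for day, doms in forecast(date(2009, 12, 11), 3).items():
        print(day, ", ".join(doms))
    print("infected clients:", demo())
```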

“This will serve as a model in the future,” according to Rodney Joffe, SVP of domain name registrar NeuStar. “Within government, this is being pointed to as the model, or poster child, that collaboration within private industry really can work across borders. We were able to get collaboration in ways that had never been seen before.”

Story here.

Tom Kelchner