Cairde a chara

(Dear Friends)

Wonderful. Spam email in the Irish language: as usual the grammar was screwed up.

Dermot Harnett, who wrote about it on the Symantec blog, theorized that the verbiage was generated by translation software: “…the structure of the sentence is incorrect, which indicates that it is a literal translation from English.”

Blog piece here.

Tom Kelchner

New social engineering technique: use Microsoft support to sell rogues

Our analyst Adam Thomas came across this ugly new social engineering technique when he analyzed the DefenceLab rogue security product.

It does the usual scare-ware stuff: a fake scan and fake “Windows Security Center” alert:

[Screenshot: DlabGUI]

[Screenshot: FakeAlert]

Then it directs the potential victim to a Microsoft Support page, but injects HTML code into the page in his or her browser to make it appear as though Microsoft is suggesting the purchase of the rogue.

This is the real Microsoft page:

[Screenshot: Real MS page]

This is what it looks like after DefenseLab changes it:

[Screenshot: Modified_page]

Thanks Adam

Tom Kelchner

URL-shortening service Bit.ly will check links for malcode

Bit.ly, the URL-shortening service that sees much use by the Twittering set, has announced that it will begin checking shortened links with input from Sophos, Verisign and Websense. The service generates 40 million shortened URLs per day.

Malicious operators have been using shortened links to disguise the URLs of malicious sites that download malcode or are used in spam or phishing schemes.

Bit.ly filtering is expected to be in place by the end of the year.

Story here.

Tom Kelchner

It pays to read the fine print (literally)

This is a new one: bribeware. They’ll pay you a dollar to install their product.

Nice idea, but unfortunately in this case it comes bundled with malware. We detect it as C4DLMedia, a group of installers that include adware and agents that change browser home pages. It’s considered a “moderate” risk.

I wonder if Microsoft considered this for VISTA.

[Screenshot: X3codec]

C4DL Media might have a marketing problem with the dollar bribe though. In places where a dollar is worth enough to make this worth the effort there probably isn’t any Internet connectivity.

Thanks to Adam Thomas and Eric Howes for the research.

Tom Kelchner

Microsoft: counterfeit software infected with malcode more prevalent

The amount of counterfeit software infected with malcode has increased significantly since 2006, Microsoft said. A 2006 study by marketing intelligence firm IDC found that 25 percent of counterfeit software tried to install malcode when it was downloaded. Media Surveillance, a German anti-piracy firm, said one of its studies recently found 32 percent of pirated copies of Windows and hacks contained malcode.

Microsoft said the number of complaints it receives annually from people who unknowingly purchased pirated software doubled to 150,000 last year.

The company has begun an anti-piracy campaign in 75 countries called Consumer Action Day.

Story here.

Microsoft has made available information about counterfeit software and its fight against the problem here.

Tom Kelchner

VIPRE 4 now in beta

Both the enterprise and consumer versions of VIPRE 4 are now in beta.

VIPRE 4 includes an integrated firewall, HIPS, IDS, NIPS and all kinds of other goodness.

VIPRE Enterprise features a completely new console, with new functionality to deal with large enterprise environments.

If you’d like to get the beta (or get more information), simply go to beta.sunbeltsoftware.com and register.

Alex Eckelberry

Username: “administrator,” Password: “password” – yer pwned

For years there has been a collective wisdom about creating strong passwords. Briefly:

— don’t use a word found in the dictionary
— don’t use a word found in the dictionary with a “1” or other number after it
— create a password containing eight characters or more
— use a mix of letters, numbers and punctuation
— don’t write your password on a Post-it note and stick it under your keyboard

For user names the big rule is: change any default username or password as soon as you install an operating system or application.

Three people at Microsoft, Francis Allan, Tan Seng and Andrei Saygo, just posted an interesting piece on the company’s Threat Research and Response blog confirming most of the above. They reported what they observed while running a honeypot for almost a year, collecting information from real, in-the-wild, dictionary-based attacks.

Here were the most common user names and passwords used by attackers (in order):

User names:

Administrator
Administrateur
admin
andrew
dave
steve
tsinternetuser
tsinternetusers
paul
adam

Passwords:

password
123456
#!comment:
changeme
F**kyou (they didn’t really use the asterisks)
abc123
peter
Michael
andrew
matthew

They said that one attacker ran more than 400,000 user name and password combinations in one attack.

Blog piece “Do and don’ts for p@$$w0rd$” here.

Some ideas for strong passwords:
— use phrases (e.g. “Ubuntu_is_my_cat”)
— use patterns on the keyboard (e.g. zse45rdx: start with “z,” go up and to the right, move right one key, then back down). You can write down the first character and remember the pattern, so you are not really breaking the rule about writing passwords on a Post-it note and sticking it under your keyboard.
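As an added illustration of the rules above (this is example code written for this post, not the Microsoft team's honeypot code), here is a small policy checker. It rejects dictionary words, dictionary words with a number or symbol tacked on, anything under eight characters, anything without a mix of letters and numbers or punctuation, anything on the honeypot's most-tried password list, and unchanged default account pairs. The dictionary is a constructed stand-in for a real word list; the attacker list is the one quoted from the honeypot.

```python
"""Password-policy checker implementing the rules listed in the post.

Added example, not code from the original post or from Microsoft's honeypot
write-up. DICTIONARY is a constructed stand-in for a real word list;
ATTACKER_TOP_PASSWORDS is the list the post quotes from the honeypot.
"""
import re
import string
from typing import List

MIN_LENGTH = 8

# Constructed stand-in for a real dictionary word list.
DICTIONARY = {
    "password", "welcome", "dragon", "monkey", "letmein", "summer",
    "andrew", "peter", "michael", "matthew", "dave", "steve", "ubuntu", "cat",
}

# Passwords the honeypot post reports attackers trying most often (lower-cased).
ATTACKER_TOP_PASSWORDS = {
    "password", "123456", "#!comment:", "changeme",
    "abc123", "peter", "michael", "andrew", "matthew",
}

# Default account/password pairs that should be changed as soon as a system is installed.
DEFAULT_CREDENTIALS = {
    ("administrator", "password"),
    ("administrateur", "password"),
    ("admin", "admin"),
    ("admin", "password"),
}

# A dictionary word followed by one to four digits or punctuation characters ("dragon1", "summer!").
WORD_PLUS_SUFFIX = re.compile(r"([a-z]+)[\d\W_]{1,4}")


def check_password(password: str, username: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in DICTIONARY:
        problems.append("is a dictionary word")
    match = WORD_PLUS_SUFFIX.fullmatch(lowered)
    if match and match.group(1) in DICTIONARY:
        problems.append("dictionary word with a number or symbol appended")
    if lowered in ATTACKER_TOP_PASSWORDS:
        problems.append("is on the honeypot's most-tried password list")
    if username and (username.lower(), lowered) in DEFAULT_CREDENTIALS:
        problems.append("default username/password pair left unchanged")

    # "Mix of letters, numbers and punctuation": require letters plus at least one
    # digit or punctuation character, which both of the post's own examples satisfy.
    has_letters = any(c in string.ascii_letters for c in password)
    has_extra = any(c in string.digits or c in string.punctuation for c in password)
    if not (has_letters and has_extra):
        problems.append("does not mix letters with numbers or punctuation")
    return problems


if __name__ == "__main__":
    for user, pw in [("Administrator", "password"), ("dave", "dragon1"),
                     ("", "123456"), ("", "Ubuntu_is_my_cat"), ("", "zse45rdx")]:
        verdict = check_password(pw, user)
        print(f"{pw!r:20} -> {'OK' if not verdict else '; '.join(verdict)}")
```

Running it shows “Administrator”/“password” failing four rules at once while the two phrase and keyboard-pattern examples from the post pass. In a real deployment the word list would be a full dictionary and the blocklist would be fed from current breach and honeypot data rather than a fixed set.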

Tom Kelchner

Sign up for H1N1 vaccinations? Zbot/Zeus alert.

Researchers are monitoring a massive spam campaign from the Zbot/Zeus botnet purporting to be instructions for signing up for H1N1 vaccinations with the U.S. Centers for Disease Control (CDC).

Clicking on a link in the spam messages takes potential victims to a CDC-look-alike page where they are instructed to download a “profile” — a form to get the vaccination. The downloaded file makes their machines part of the Zbot (or Zeus) botnet. Those who don’t click on the link can also get infected by an IFRAME exploit on the page that uses vulnerabilities in unpatched Adobe applications.

Email security company AppRiver said it was seeing about 1.1 million such spam messages per hour Tuesday. That rate had slowed to about half that by yesterday, they said.

Story here.

Tom Kelchner

SETI fan resigns

“He searched for UFOs, aliens and creatures from outer space.

Brad Niesluchowski has resigned from the Higley Unified School District in Gilbert after allegedly downloading software that seeks out alien life forms.

‘We support educational research and certainly would have supported cancer research,’ said Higley superintendent Denise Birdwell. ‘However, as an educational institution we do not support the search for E.T.’”

So he put SETI@home on 500 machines in the school. It’s hardly “searching for ET.” The luddite superintendent, however, would seemingly have been OK if the same technology had been used to search for a cure for cancer.

I would also question whether this cost the school over $1 million.

Idiocy.

Alex Eckelberry
(Thanks, Jay)

Cameroon is the most dangerous country domain on the web

Cameroon, with a country domain of “.cm,” is the most dangerous place to go on the web, according to AV company McAfee.

The McAfee researchers checked over 27 million sites worldwide and found 5.8 percent contained malicious mechanisms (browser exploits, excessive pop-up windows, malicious downloads or phishing). They found that 36.7 percent of the domains in Cameroon carried such malcode.

McAfee theorized that malicious operators choose Cameroon for their sites because the domain “.cm” would be where potential victims could end up if they mistyped a URL, leaving the “o” out of “.com.” Setting up sites with similar URLs to take advantage of such errors is called “typo squatting.”

The top five (bad) domains were:

— Cameroon “.cm”
— PR of China “.cn”
— Samoa “.ws”
— Philippines “.ph”
— (the former) Soviet Union “.su”

Story here.

When browsing the web, Internet users should use caution whenever they see a link to any of those country domains, especially for e-commerce sites. Holding the mouse cursor over a link in an email or on a web site will show the URL.

For shortened URLs, a page like LongURL http://longurl.org/ will show the complete URL.
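The two cautions above (watch the country domain of a link, and expand shortened links before trusting them) can be turned into a simple link check. The following is an added example written for this post, not McAfee’s or LongURL’s code: it warns on the five country domains listed, warns on bit.ly links because the destination is hidden, and flags “.cm” hosts whose second-level label matches a known “.com” brand, the typo-squatting case the post describes. KNOWN_COM_BRANDS is a constructed stand-in for a real list of protected brands.

```python
"""Link checker for the cautions in the post: warn on links to the five
country domains McAfee ranked worst, warn on shortened URLs that hide their
destination, and flag ".cm" hosts that look like a well-known ".com" with the
"o" dropped. Added example, not McAfee's or LongURL's code; KNOWN_COM_BRANDS
is a constructed stand-in for a real brand list.
"""
from typing import Dict, List
from urllib.parse import urlparse

# The five country domains the post lists, worst first.
RISKY_TLDS = {
    "cm": "Cameroon",
    "cn": "PR of China",
    "ws": "Samoa",
    "ph": "Philippines",
    "su": "former Soviet Union",
}

# Constructed stand-in for a list of .com brands worth protecting from typo-squatting.
KNOWN_COM_BRANDS = {"example", "mybank", "bigshop"}

# Shortening services whose links hide the real destination (bit.ly is named in the post).
SHORTENERS = {"bit.ly"}


def assess_link(url: str) -> Dict[str, object]:
    """Return the host, its TLD and a list of warnings (empty when nothing looks off)."""
    if "://" not in url:
        url = "http://" + url  # urlparse needs a scheme to locate the host part
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    tld = labels[-1] if len(labels) > 1 else ""
    warnings: List[str] = []

    if host in SHORTENERS:
        warnings.append("shortened URL: expand it (LongURL or similar) before trusting it")
    if tld in RISKY_TLDS:
        warnings.append(f".{tld} ({RISKY_TLDS[tld]}) is on the high-risk country-domain list")
    # Typo-squat check: "mybank.cm" is what you get by dropping the "o" from "mybank.com".
    if tld == "cm" and len(labels) >= 2 and labels[-2] in KNOWN_COM_BRANDS:
        warnings.append(f"looks like a typo-squat of {labels[-2]}.com (missing 'o' in .com)")

    return {"host": host, "tld": tld, "warnings": warnings}


if __name__ == "__main__":
    for link in ["https://www.example.com/cart", "http://www.mybank.cm/login",
                 "shop.example.cn", "http://bit.ly/abc123"]:
        result = assess_link(link)
        print(f"{link:32} -> {result['warnings'] or 'no warnings'}")
```

The check only looks at the hostname, which is the part a hover-over reveals; a production version would also expand shortened links over the network and compare the registrable domain against a much larger brand list.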

Tom Kelchner

VB: combining spam filters gives better filtering

Researchers at Virus Bulletin have written about a theoretical technique for improving spam filtering: combining the action of several filters.

The researchers sent about 200,000 emails to 14 anti-spam products. No legitimate email was blocked by more than four of the 14. They suggested that a hypothetical filter that tagged an email as spam if five or more of the 14 called it spam would result in 99.89 percent successful filtering with no false positives.

Their conclusion is that enterprises might consider using more than one anti-spam product and anti-spam vendors might consider sharing information.
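To make the voting idea concrete, here is an added example (written for this post, not Virus Bulletin’s data or code) of a threshold ensemble: a message is blocked when at least K of the N filters flag it, and the catch rate and false-positive rate are measured on a labelled sample. The sample verdict matrix is constructed; the only thing taken from the research is the shape of the rule, with N_FILTERS = 14 and the observation that no legitimate message was flagged by more than four filters, which makes K = 5 the smallest threshold with no false positives.

```python
"""Threshold-voting spam ensemble of the kind the VB researchers describe:
call a message spam when at least K of N filters flag it, then measure the
catch rate and false-positive rate on a labelled sample. Added example, not
Virus Bulletin's data or code; SAMPLE is a constructed verdict matrix for six
messages and N_FILTERS = 14 mirrors the post.
"""
from typing import Dict, List, Set, Tuple

N_FILTERS = 14

# Constructed sample: (is_spam, indices of the filters that flagged the message).
SAMPLE: List[Tuple[bool, Set[int]]] = [
    (True, set(range(12))),       # blatant spam, flagged by 12 of 14
    (True, {0, 2, 4, 6, 8}),      # flagged by exactly five filters
    (True, {1, 3}),               # stealthy spam, only two filters catch it
    (False, {2, 5, 9, 11}),       # legitimate mail that four filters wrongly flag
    (False, {7}),                 # legitimate mail, one false flag
    (False, set()),               # legitimate mail, clean everywhere
]


def ensemble_says_spam(flags: Set[int], k: int) -> bool:
    """The combined verdict: spam iff at least k individual filters said so."""
    return len(flags) >= k


def max_votes_against_ham(sample: List[Tuple[bool, Set[int]]]) -> int:
    """Most filters that flagged any legitimate message (the post reports four of 14)."""
    return max((len(flags) for is_spam, flags in sample if not is_spam), default=0)


def safe_threshold(sample: List[Tuple[bool, Set[int]]]) -> int:
    """Smallest K that blocks no legitimate mail in the sample: one more than the worst ham."""
    return max_votes_against_ham(sample) + 1


def evaluate(sample: List[Tuple[bool, Set[int]]], k: int) -> Dict[str, float]:
    """Catch rate (spam blocked) and false-positive rate (ham blocked) at threshold k."""
    tp = fp = fn = tn = 0
    for is_spam, flags in sample:
        blocked = ensemble_says_spam(flags, k)
        if is_spam:
            tp += int(blocked)
            fn += int(not blocked)
        else:
            fp += int(blocked)
            tn += int(not blocked)
    return {
        "threshold": k,
        "catch_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
    }


if __name__ == "__main__":
    # Compare a single-vote rule, the sample's safe threshold, and unanimity.
    for k in (1, safe_threshold(SAMPLE), N_FILTERS):
        print(evaluate(SAMPLE, k))
```

On this constructed sample K = 1 catches everything but blocks two of three legitimate messages, K = 5 blocks no legitimate mail and still catches two of the three spam messages, and unanimity catches nothing; the trade-off the VB researchers measured on 200,000 messages is the same curve at scale.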

At Sunbelt we have been doing this for a while. In our VIPRE Email Security for Exchange enterprise software solution we use the Cloudmark antispam engine and the Mail-filters engine as well as Real-time blackhole lists.

Info on VIPRE for Exchange here.

VB story here.

Tom Kelchner

Harvesting email addresses via fake abuse-reporting site

The gang that distributes the PCScout rogue security product (see the description on the Sunbelt Rogue Blog here) has set up a fake abuse-reporting site, apparently to collect email addresses. Patrick made the connection.

[Screenshot: PrivacyProtect 1]

Entering information results in an error screen, but the information goes somewhere.

[Screenshot: Privacy-protect cn_EmailPhishing1212009]

privacy-protect.cn is described on malwareurl.com here.

Tom Kelchner

FreeBSD patches bug that gives root access

FreeBSD has issued a patch that may or may not be the final fix for a vulnerability that allows someone with local access on a network to run binary code with the help of the FreeBSD run-time link editor and gain root access.

Intruders could possibly use other vulnerabilities (such as one in a web application) to gain the local access needed to exploit this one.

German researcher Nikolaos Rangos posted information about the flaw on the Full Disclosure mailing list. It affects FreeBSD versions 7.1, 7.2 and 8.0. FreeBSD is an open-source operating system.

Story here.

FreeBSD advisory here.

Tom Kelchner

Honeynet Project offers sophisticated Picviz GUI

Researchers with the Honeynet Project have created a graphical user interface (GUI) that plots a wide variety of data and gives a visual representation that can make it easier to detect attacks.

The new GUI is part of the open-source Picviz tool. The developers say the graphic display is rendered from “traffic logs, database logs, SSH logs, syslogs, IPtables logs, Apache logs, and other sources.”

Picviz is described in a Nov. 25 paper “Know your tools: use Picviz to find attacks” by Sebastien Tricaud of The Honeynet Project and Victor Amaducci of the University of Campinas (Unicamp) (paper here.)

Picviz available here.

Here is a Picviz graphic rendering of traffic indicating an OpenVPN session.

[Image: Picviz rendering]

The red line is the VPN session (data taken from tcpdump).

(More info on wallinfire site here.)

Story here.

Tom Kelchner


Shop online safely

Washington Post columnist Brian Krebs did a great piece “Eight tips for safe online shopping.” His list:

1. Shop with a credit card, not a debit card

2. Keep track of your receipts.

3. Shop from a locked-down PC.

4. Look for the SSL sign/padlock in the browser’s address bar.

5. Avoid bargain-basement shopping online.

6. Double-check those shipping policies.

7. Read the fine print (Being in a hurry when you make a Web purchase can cause you to ‘sign up’ for unwanted offers).

8. Shopping online at work could be hazardous to your career. (If your employer’s acceptable use policy precludes shopping during working hours, you might find yourself on the “downsize” list.)

Column here.

Tom Kelchner

Fraudulent Youtube vids

If you’re searching for videos of the infamous Adam Lambert AMA kiss, Ortiz vs. Griffin or Jennifer Lopez at the AMAs, a twist in fraud has come to YouTube, this time in the form of a fake message on a video itself telling the user to go to another site.

[Screenshot: Youtube12382388]

This message has nothing to do with YouTube. In fact, it’s pushing users to a dodgy site, watchama2009. tk, which is actually a front for Satellite Direct TV.

Alex Eckelberry
(Thanks, Calvin)

New web toy “Mystery Google:” funny and dangerous

Someone put up a fun site in October. The “Mystery Google” search page gives you the search results of the person who did a search before you. The results can be… ahem… interesting. I tried it out with the word “Russia.”

[Screenshot: Mystery Google]

Here was the previous person’s search. I’m not sure what was up, but I sense a bit of hostility:

[Screenshot: Mystery Google 2]

Unfortunately, this could be used by rogue security product vendors or other malicious operators to direct victims to their sites. They’d only need to set up sites with drive-by malware then create an automated agent to do a whole lot of Mystery Google searches for terms that would hit those sites.

So, if you play with it, be careful where you go after the first screen.

Here is the whois info:

Domain Name: mysterygoogle.com

   Registrant Contact:
      mysterygoogle.com Private Registrant
      A Happy DreamHost Customer
      417 Associated Rd #324
      Brea, CA 92821
      US
      +1.2139471032

     mysterygoogle.com@proxy.dreamhost.com

   Record created on 2009-10-02 10:13:25.
   Record expires on 2010-10-02 10:13:25.

Thanks to Alex and Chaim Rieger on funsec

Tom Kelchner


Britain’s DNA database – world’s largest – is under fire for privacy concerns

Britain has stored the DNA profiles of 5.9 million people, about 10 percent of the country’s population. It’s been estimated that as many as one million of those whose information is in the database (which was started in 1995) have never been convicted of a crime.

The group Genewatch has pointed out that the database contains records on 30 percent of the country’s black population – a much higher proportion than for the general population. Records of about one million children are also stored.

The government announced earlier this month that DNA records of adults who were not convicted of any crimes would be removed after six years. Terror suspects’ details, however, would be kept indefinitely. Data from juveniles who were found not guilty of any serious crime would be kept for three years — six years if they are 16 or 17 years old.

Previously, the government kept for life DNA samples from anyone arrested by police in England, Wales and Northern Ireland.

The European Court of Human Rights has called the life-time retention policy “blanket and indiscriminate.” In Scotland, the DNA profiles of those arrested for serious crimes are kept for three to five years. Profiles taken in more minor cases have been destroyed.

Defenders of the system point to successful investigations. Matches were found at 390,000 crime scenes between April 1998 and September 2008. Last year investigators found 17,614 matches, including those in 83 murder investigations and 184 rape investigations.

Story here: The Big Question: Why is Britain’s DNA database the biggest in the world, and is it effective?

Tom Kelchner