Are you ready for the holiday cyber theft season?

The holiday shopping season will kick off in earnest on Friday – named “Black Friday” because that’s the date that many businesses traditionally go into the black for the year.

Another tradition is an uptick in Internet fraud, scams and hacks.

Social engineering will probably be the biggest danger to look for. Just like any other shopping day of the year, if the deal seems too good to be true, it probably is.

Expect rogue security products to be “on sale” in spam email, messages from social networking sites or web sites. To check if a product is a rogue, just search for its name on the Sunbelt Rogue Blog page here.

Fraudulent sites that are set up to steal your credit card and other identity information are also a serious threat.

Search engine optimization (SEO) abuse will be big this year. Internet thieves push their malicious sites high into the search results for seasonal terms. So, if you go looking for something like “black Friday sales” in a search engine, look at the URL before you click on it.

I just did it and found one listing with an “.fm” top-level domain. Interesting. Who in the Federated States of Micronesia is holding a major holiday sale? Malicious sites often are registered in such places because of a lack of regulation.

The .cn top-level domain (China) is another one to keep an eye out for. A vast number of compromised machines there are used for all kinds of scams.

Another easy check: find out how long the web site you’re considering buying from has existed. Paste its domain name into http://www.whois.net/ and look for the line “created on…”. If the domain was created in the last few days, be very careful. Legitimate sites certainly can be registered and go online at any time, but malicious sites are usually new: they get taken down as soon as their hosting providers discover the fraud or malware, so they don’t last long.
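The domain-age check above is easy to automate. The following is an added example, not code from the original post or from Sunbelt: it parses the creation-date line out of WHOIS output, computes how old the domain is, and flags domains younger than a threshold or on a short watch list of TLDs (.fm and .cn, the two the post mentions; treating them as suspicious is a judgment call, not a blocklist). The WHOIS records and domain names in it are constructed sample data, not real registrations, and fetching the record from a WHOIS server is left to the caller.

```python
"""Domain-age check for a shopping site, from its WHOIS record.

Added example, not from the original post. Finds the creation date in
WHOIS output (registries label it differently), works out the domain's
age, and flags young domains and watch-listed TLDs. The WHOIS text and
domain names below are constructed sample data, not real registrations.
"""
import re
from datetime import date, datetime

# Labels under which registries print the creation date (common forms).
CREATED_LABELS = ("Creation Date", "Created On", "Registration Date", "created")
DATE_RE = re.compile(
    r"(?:" + "|".join(re.escape(label) for label in CREATED_LABELS) + r")"
    r"\s*[:.]*\s*(\d{4}-\d{2}-\d{2}|\d{1,2}-[A-Za-z]{3}-\d{4})",
    re.IGNORECASE,
)

# TLDs the post singles out; a judgment call for this example, not a blocklist.
WATCH_TLDS = {"fm", "cn"}

# Fixed "today" so the example is reproducible (the post's own week).
TODAY = date(2009, 11, 25)


def parse_creation_date(whois_text):
    """Return the creation date, or None if no recognizable line is present."""
    m = DATE_RE.search(whois_text)
    if not m:
        return None
    raw = m.group(1)
    for fmt in ("%Y-%m-%d", "%d-%b-%Y"):
        try:
            return datetime.strptime(raw, fmt).date()
        except ValueError:
            continue
    return None


def domain_age_days(whois_text, today=TODAY):
    created = parse_creation_date(whois_text)
    return None if created is None else (today - created).days


def assess(domain, whois_text, today=TODAY, min_age_days=30):
    """List of reasons to be careful; an empty list means nothing stood out."""
    findings = []
    age = domain_age_days(whois_text, today)
    if age is None:
        findings.append("no creation date in WHOIS; age unknown")
    elif age < min_age_days:
        findings.append(f"domain registered only {age} days ago")
    tld = domain.rstrip(".").rsplit(".", 1)[-1].lower()
    if tld in WATCH_TLDS:
        findings.append(f".{tld} is on the watch list")
    return findings


# Constructed WHOIS output for a days-old domain on a watched TLD...
WHOIS_NEW = """\
Domain Name: HOLIDAY-SALE-EXAMPLE.FM
Registrar: Example Registrar
Creation Date: 2009-11-20T10:15:00Z
Expiration Date: 2010-11-20T10:15:00Z
"""

# ...and for a long-established one, in another registry's layout.
WHOIS_OLD = """\
Domain Name: EXAMPLE.COM
   Created On: 14-Aug-1995
   Expiration Date: 13-Aug-2010
"""

if __name__ == "__main__":
    for dom, rec in (("holiday-sale-example.fm", WHOIS_NEW), ("example.com", WHOIS_OLD)):
        print(dom, assess(dom, rec) or ["nothing flagged"])
```

A missing creation date is reported as unknown rather than treated as safe: many ccTLD registries and privacy services omit or reformat it, and a record you cannot date tells you nothing either way.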

Basically, to protect yourself:

— Use common sense: if the deal seems to be too good to be true, it probably is.
— Don’t make on-line purchases from untrusted sites.
— Keep the anti-virus scanner on your PC up to date with the latest signatures if you don’t have the auto-update feature turned on. If you don’t have AV, Sunbelt Software is offering Black Friday and Cyber Monday specials on VIPRE. Read about them here.
— Be sure your Windows operating system has the latest updates.
— Be sure your web browser is updated. It would be best to upgrade to Internet Explorer 8 since unpatched vulnerabilities have been reported in IE 6 and 7 in the last few days.
— Be sure your Adobe Acrobat or Reader is up to date. There have been a number of recent vulnerabilities reported in them.
— Don’t make purchases from sites that are advertised by spam email.

Tom Kelchner

VIPRE holiday weekend special pricing

Sunbelt is offering a Black Friday special for those of you anticipating those usual holiday-linked malware attacks: a single one-year subscription license for VIPRE for $9.95.

Go to www.vipreantivirus.com/blackfriday to take advantage of this deal.

Also, on Cyber Monday (November 30th), Sunbelt is offering a one-year, unlimited, home site license subscription for $19.95. The Cyber Monday special pricing is only available on Monday, November 30, 2009. Go to www.vipreantivirus.com/cybermonday for more information.

Full company propaganda here.

Tom Kelchner

Another award thingie

Windows IT Pro has VIPRE Enterprise named as the top antimalware product, chosen by system administrators (the “Community Choice” award).

Our good friends at ESET and Trend also made the cut:

Community Choice
Gold: VIPRE Enterprise—Sunbelt Software (www.sunbelt.com)
Silver: ESET NOD32—ESET (www.eset.com)
Bronze: OfficeScan—Trend Micro (www.trendmicro.com)
Link to the award here, Sunbelt propaganda here.
Alex Eckelberry

Cool tool: EULAlyzer by Javacool Software

Eric Howes drew my attention to this application several weeks ago and I’ve been using it to analyze End User License Agreements (EULA) ever since.

To use it, click “analyze,” paste the text of a EULA into the “License Agreement to Analyze” text box and click the “analyze” button. It finds key words and phrases and displays them in a nicely organized fashion with an “Interest Level” rating (0 = low interest, 10 = something you should probably think about). Click the icons to the right of the ratings and it pulls up and highlights the corresponding text in the “License Agreement Text” box.

It flags the relevant text under the categories:
— advertising
— privacy; web bugs
— privacy; Zip/postal code
— promotional messages
— third party
— without notice

Clicking on any of those headings in the display drops down a list of “hits” that you can explore further.


There aren’t any “help” menus and some of their terms could use further definition (“a healthy read” apparently means that the EULA isn’t too short or too long), but it’s mostly intuitive.

EULAlyzer doesn’t really say something is “good,” “bad” or “ugly” but it does draw your attention to text that should be of “high interest” to you.

You can instantly analyze a 20-page EULA and discover statements like: “When individuals use the Internet, the Network uses such persons’ Individual Information to show advertising for products and services in which those users have expressed an interest, whether directly or indirectly.”

“Expressed an interest… indirectly” sounds to me like either browser monitoring or verbiage from the middle school dating scene.

Go here to get the freeware, or buy the “pro” version.

Tom Kelchner

Dangerous new spam campaign pushes Zbot

A new spam campaign is currently hitting mailboxes.

Text of a sample message:

Hey, some jerk has posted your pictures (u understand what kind of pictures are there) and sent a link of them to all ur friends. I have already replied back. Said, that he is an idiot. See the link:

The link points to a site pushing a download.

The download is actually a Zbot installer (VT results showing fairly weak detection).

Alex Eckelberry

Piloyd worm running amok in China

There are a huge number of news stories in Chinese and a few in English on the Web today about a worm that apparently is spreading rapidly in China. The Inquirer is quoting the National Computer Virus Emergency Response Centre in Tianjin, China, as saying that Worm_Piloyd.B is spreading rapidly, that it infects exe, html and asp files, and that it blocks attempts to fix them. The centre’s English web page seems to be about a week behind, so we couldn’t get the original notice.

The Inquirer said Piloyd probably was being used to expand a botnet.

Western AV companies have listed detections for the malware since last summer or fall. Names include:

AVG: Worm/Generic.AOFP
F-Secure: Worm.Generic.90951
Kaspersky: Net-Worm.Win32.Piloyd.g
Microsoft: TrojanDownloader:Win32/Jadtre.A
Sophos: W32/Autorun-ASW
Sunbelt: Trojan-Downloader.Win32.Sfn!cobra (v)
Symantec: Adware.Lop
TrendMicro: WORM_STRAT.GEN-3

VIPRE and a number of the others catch it with heuristic detections.

Story here: “China warns of a new virus”

Tom Kelchner

Why IT managers drink: 10 issues that drive them to the bottle

PCAuthority just carried a great feature “Top 10 issues overloading IT managers,” that everyone should read. Nearly all of us who work with these demon machines depend on the IT folks. There are a lot of things we can do to make their lives easier (or at least not make their lives more hellish.)

The ten issues are:

10. Cloud integration (is waaaay complicated and must be done right. Integrating with local resources is both a technical and management issue.)

9. Internal/external data breaches (Think new technology, new hacks, external bad actors and internal bad actors. Oh yeah, and consider the clueless twits who click on malicious attachments in spam.)

8. OS migration (W-I-N-D-O-W-S-7. This is really ugly if the enterprise opted out of Vista. Migration from WinXP to Win7 is serious work.)

7. Patch deployment (A big job that is made bigger by more users plus more work stations plus more software plus virtualized machines times more malware that is more dangerous.)

6. Remote workers (Those using their own machines are a real pain.)

5. Compliance (Regulatory acts like Sarbanes-Oxley and HIPAA as well as local and federal laws mean that most companies are holding onto more data.)

4. Over management by non-IT staff (They just don’t understand, especially the sales folks who promise customers the impossible.)

3. Virtualization (This offers great benefits and great complexity)

2. Storage (Adding drives isn’t the answer.)

1. Budget constraints (recession = do more with less.)

The writers also give honorable mention to:

— Web management (Regulating on-the-job gaming, porn browsing, Facebook, Twitter and such should be a management responsibility.)

— Integration of Web 2.0 tools (Blogs, wikis and social networks are useful internal tools, but they are work for IT)

As I write this, our IT staff is struggling to replace a major email server. Of course it started acting up late Saturday night.

Tom Kelchner

Microsoft says 64-bit Windows less affected by malware

Let’s see, have we heard this point-counterpoint before?

Statement: “64-bit Windows has some of the lowest reported malware infection rates in the first half of 2009,”(Joe Faulhaber of the Microsoft Malware Protection Center).

Counter statement: yes, but pretty soon that’s going to change.

Statement: 64-bit Windows is a different operating system, so, the malware writers don’t know how to write code that can run in it.

Counter statement: yes, but that doesn’t mean it’s any more secure. It just has a smaller market share, so it’s more efficient for malware writers to go after the more common OS. They could if they wanted to.

Statement (opposite side taking the offensive): What about Trojans?

Counter statement: yes, but that’s social engineering. It isn’t based on the weakness of the operating system, it’s based on weakness in the human factor.

Statement: “Infection rates for the 64-bit versions of Windows XP and Windows Vista are lower than for the corresponding 32-bit versions of those platforms, a difference that might be attributable to a higher level of technical expertise on the part of people who run 64-bit operating systems.”( Microsoft Security Intelligence Report)

Counter statement: “This difference may be expected to decrease as 64-bit computing continues to make inroads among mainstream users.” (same report)

Gee, this almost sounds like the argument about Apple’s various operating systems that’s been running since about 1995. (Oh! Did I say that out loud?)

Here’s a perspective from Sunbelt Software Chief Technical Officer Eric Sites:

“Most malware uses some type of driver or thread injection. None of these (existing) types of malware are going to work on a 64-bit system. It’s not because 64-bit is any more secure, which is what Microsoft is hinting at.”

Computer World story here.

Tom Kelchner

US FDA going after phony Internet pharmacies

Washington Post columnist Brian Krebs is reporting that the U.S. Food and Drug Administration (FDA) is moving to shut down 136 Internet pharmacy web sites that have been selling counterfeit drugs or those not approved by the FDA.

The FDA office of criminal investigations has sent warning letters to the site operators and notified their ISPs that they were selling the pharmaceuticals illegally.

According to his column, the sites, which claim to be in the U.S. or Canada, are really in India and have connections to Russia. Those notified by the FDA are all affiliates of Rx-commission.com, one of dozens of pharmacy affiliate organizations. Rx-commission.com chiefly attracts customers to its sites by search engine optimization techniques.

There could be as many as 55,000 such pharmacies on the web.

Krebs column here.

Clearly this is a daunting task, going after all 55,000 sites. The FDA has joined the U.S. Federal Trade Commission and the FBI in this country in taking on the vast amount of Internet lawlessness and there seems to be motion in other countries as well.

Police in Estonia last month arrested some of the men indicted by an Atlanta, Ga., grand jury in the $9 million hack of credit-card processor RBS WorldPay. Police in Hong Kong and the Netherlands also were part of the investigating team and helped arrest two people for withdrawing RBS WorldPay funds from ATMs in Hong Kong.

Also last month, the head of Nigeria’s Economic and Financial Crimes Commission announced the arrest of 18 scammers and shutdown of 800 email accounts they were using. She promised a continuing crackdown.

Tom Kelchner

Malware campaign: “New Moon” movie is bait for rogue security product and bot

Chat networks and blogs are being used to lure movie fans to malicious sites promising: “Watch New Moon Full Movie,” according to LastWatchDog.com blogger Byron Acohido.

The much anticipated movie “New Moon” is due to open tomorrow.

The malicious operators are using search engine optimization techniques to lure “New Moon” fans to sites with malicious downloads: a rogue security product and bot malware. A visitor to the site is told to download a viewer called “streamviewer” to watch the movie. The download is a Trojan, and the visitor is infected.

For those who’ve already infected themselves, he quotes Sunbelt Chief Technical Officer Eric Sites:

“For anyone whose PC is already hopelessly infested with scareware and/or other infectious programs, Sunbelt Software’s free deep scanning tool could be a godsend. VIPRE Rescue can neutralize many of the nastiest scareware promos, rootkits and keyloggers lurking on your hard drive, and bogging down your machine’s performance.

“VIPRE Rescue makes it easy to wipe out infections on a nearly inoperable computer, often times enabling successful repair, as well as installation of necessary security applications to prevent these infections from happening in the future.”

LastWatchDog.com post here.

Tom Kelchner

Single points of failure: How long will the hard drive in your machine last?

Hard drive lifetime

Good estimate – three years, maybe more. Higher rate of failure in the first year. (Clearly, mileage varies with usage)

Many of us have experienced the failure of a hard drive or we’ve known someone who did. It’s the life experience that answers the question: “how often should I back up my files?”

Manufacturers publicize the expected lifetime for hard drives. It’s called Mean Time to Failure (MTTF). There have been studies that suggest they either overestimate or underestimate the expected life time, though.

A paper given at the 5th USENIX Conference on File and Storage Technologies in 2007, “Disk failures in the real world: What does an MTTF of 1,000,000 hours mean to you?” suggests that drives have about a three-year average lifetime. However, the picture of their life cycle is slightly more complex than a single number.

Bianca Schroeder and Garth A. Gibson of Carnegie Mellon University found that drives in the field were replaced far more often than their datasheet MTTFs implied, and that the failure rate was not constant with age. Notably, the shape of the curve did not match the textbook “bathtub” (a spike of early failures, a long flat stretch, then wear-out after about five years). Instead of a pronounced infant-mortality effect, they saw replacement rates rising steadily with age, with wear-out setting in well before the nominal five-year lifetime.

Schroeder and Gibson studied data on about 100,000 disks from large production systems.

Paper here.
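The title of the paper asks what an MTTF of 1,000,000 hours means to you. The following is an added example, not from the post or the paper, that works the arithmetic through: it converts a datasheet MTTF into the annualized failure rate (AFR) it actually promises, then asks the single-point-of-failure question, namely how likely it is that at least one disk in a fleet dies over a few years, at both the datasheet rate and an assumed field rate. The 3% field rate is an illustrative assumption, not a figure taken from the paper, and the model treats failures as independent with a constant rate, which the paper itself shows is optimistic for older drives.

```python
"""What a datasheet MTTF implies, and why a fleet still needs backups.

Added example, not from the post or the Schroeder/Gibson paper. The 3%
field rate used for comparison is an assumption for illustration.
"""
HOURS_PER_YEAR = 8760


def afr_from_mttf(mttf_hours):
    """Annualized failure rate implied by an MTTF (constant-failure-rate model).

    An MTTF of 1,000,000 hours is not a 114-year lifetime for your drive; it
    says that in a large population, about 8760/1,000,000 fail per year.
    """
    return HOURS_PER_YEAR / mttf_hours


def p_any_failure(n_disks, years, afr):
    """Probability that at least one of n independent disks fails within
    'years', treating afr as the per-disk, per-year failure probability."""
    survive_one = (1.0 - afr) ** years
    return 1.0 - survive_one ** n_disks


def expected_replacements(n_disks, years, afr):
    """Mean number of drives you will replace over the period."""
    return n_disks * years * afr


def compare(mttf_hours, field_afr, n_disks=100, years=3):
    """Datasheet promise next to an assumed field rate, for one fleet."""
    sheet = afr_from_mttf(mttf_hours)
    return {
        "datasheet_afr": sheet,
        "field_afr": field_afr,
        "p_any_failure_datasheet": p_any_failure(n_disks, years, sheet),
        "p_any_failure_field": p_any_failure(n_disks, years, field_afr),
        "expected_replacements_field": expected_replacements(n_disks, years, field_afr),
    }


if __name__ == "__main__":
    # 100 drives, three years, datasheet MTTF of 1,000,000 h vs an assumed 3% AFR
    for key, value in compare(1_000_000, 0.03).items():
        print(f"{key:>30}: {value:.4f}")
```

Even at the datasheet rate, a single drive has roughly a one-in-forty chance of failing over three years; at a field rate of a few percent, a hundred-drive fleet is all but certain to lose several. Neither number is small enough to skip backups.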

Since the most common part of a machine to fail is the hard drive (power supplies are up there too) it is instructive to look at stories on rates of machine repairs.

Laptop lifetime

About a third will fail in three years with one chance out of three that you cause the failure by doing something like dropping it down the steps.

San Francisco-based SquareTrade, which bills itself as the “largest independent warranty provider” published a study of 30,000 laptops this week. They summarized their findings:

“Looking at the first 3 years of ownership, 31% of laptop owners reported a failure to SquareTrade. Two-thirds of this failure (20.4%) came from hardware malfunctions, and one-third (10.6%) was reported as accidental damage.”

Study here.

Desktop lifetime

There is a 7 to 21 percent chance your machine will need repairs in a given year.

PC Magazine surveyed its readers’ experiences with desktop computers and asked whether the respondent’s machine had needed repairs “in the last year.” It is really a customer satisfaction piece, but we can pull some rough numbers from it on rates of repair.

Article here.

Now, go back up your files.

Tom Kelchner

Two arrested in England for Zbot: go Brits!

Infosecurity magazine is quoting Manchester, England, news sources as reporting that the Metropolitan Police Central e-Crime Unit has arrested a man and a woman and charged them with distributing the Zbot Trojan.

Infosecurity wrote: “the Zbot trojan has become one of the most virulent trojans in recent months with Sunbelt Software reporting incidences as 25% up during October compared to the month before.”

Zbot uses a wide variety of social engineering tricks and spreads through a variety of methods, including spam email and Web downloads. It has created a large botnet that collects victims’ credit card, banking and social network logins.

Story here.

Tom Kelchner

Other voices: “I’m tired of this whole ‘security is failing, security professionals suck’ meme”

Our Sunbelt Sales Director Debbie Graves alerted us to a great blog piece about the state of computer security from securosis.com. It falls firmly into the “glass half full” camp (by a toe length, anyway.) It’s a great read.

The blogger, “Rich” raises an interesting point about organizations hiding the real cost of losses.

He also is a master of the long, breathless and funny sentence. Example:

“If the industry was failing that badly all our bank accounts would be empty, we’d be running on generators, our kids would all be institutionalized due to excessive exposure to porn, email would be dead, and all our Amazon orders would be rerouted to Liberia… but would never show up because of all the falling planes crashing into sinking cargo ships.”

And his point…

“Security, and security professionals, aren’t failing. We lose some battles and win others, and life goes on. At some point the world feels enough pain and we get more resources to respond. Then we reduce that pain to an acceptable level, and we’re forgotten again.

“That said, I do think life will be more interesting once losses aren’t hidden within the system (and I mean inside all kinds of businesses, not just the financial world). Once we can tie data loss to pain, perhaps priorities will shift. But that’s for another post…”

Blog piece here: http://securosis.com/blog/

Thanks Debbie, thanks Rich at Securosis.com

Tom Kelchner

Latest spear phishing targets: legal firms and public relations groups

The FBI is warning that its agents are investigating a growing number of spear phishing attacks on legal firms and public relations companies.

Criminals are turning to those two industries because of the large amount of highly confidential information on company networks, often with details of international negotiations.

Spear phishing is a term for malicious email that targets a specific company or a specific person in the company. Trojan horse programs, usually carrying rootkits, arrive as attachments, or the emails carry links to web sites that push the malicious code. Victims who open the attachments or follow the links trigger malware that gives the intruders access to the company network and the data on it.

The investigators believe that international organized crime is involved in the attacks and are suggesting that companies consider removing sensitive documents from storage accessible by the Internet.
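Two of the tell-tales in such a message can be checked mechanically before anyone opens it: an attachment whose name looks like a document but ends in an executable extension, and a link whose visible text claims one host while its href goes to another. The following is an added example, not code from the FBI warning or from the original post, that triages a raw message for both. The .eml it parses is constructed for the example; the law-firm hosts, the sender and the 203.0.113.7 address are documentation placeholders, not real infrastructure, and the list of executable extensions is an assumption to extend for your environment.

```python
"""Triage an inbound message for two spear-phishing tell-tales:
an executable hiding behind a document-looking name, and a link whose
visible URL names a different host than its href.

Added example, not from the FBI warning or the original post. The .eml
below is constructed; hosts, names and 203.0.113.7 are placeholders.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Extensions Windows runs on double-click. Assumed list; extend for your site.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                  ".vbs", ".js", ".hta", ".cpl", ".msi"}

# Crude anchor-tag extractor; adequate for triage, not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")

# Constructed sample message (placeholder hosts, documentation IP range).
RAW_EML = b"""\
From: "Outside Counsel" <counsel@example-lawfirm.invalid>
To: partner@example-lawfirm.invalid
Subject: Revised settlement terms - please review today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<p>The revised terms are attached, or download them from
<a href="http://203.0.113.7/docs/terms.exe">https://portal.example-lawfirm.invalid/terms</a>.</p>
--BOUNDARY
Content-Type: application/octet-stream; name="Settlement_Terms.pdf.exe"
Content-Disposition: attachment; filename="Settlement_Terms.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--BOUNDARY--
"""


def risky_attachments(msg):
    """(filename, reason) for each attachment carrying an executable extension."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lower = name.lower()
        ext = lower[lower.rfind("."):] if "." in lower else ""
        if ext in EXECUTABLE_EXT:
            # "terms.pdf.exe" is the classic disguise: document name, executable
            # extension, and Explorer hiding the last extension by default.
            reason = "double extension" if lower.count(".") >= 2 else "executable extension"
            found.append((name, reason))
    return found


def mismatched_links(msg):
    """(shown_host, real_host) for links whose visible URL names another host."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    found = []
    for href, inner in ANCHOR_RE.findall(body.get_content()):
        shown = TAG_RE.sub("", inner).strip()
        if "://" not in shown:
            continue  # plain words as link text: nothing to compare against
        shown_host = urlparse(shown).hostname
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host != real_host:
            found.append((shown_host, real_host))
    return found


def triage(raw_bytes):
    """Parse a raw RFC 822 message and report both kinds of finding."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return {"attachments": risky_attachments(msg), "links": mismatched_links(msg)}


if __name__ == "__main__":
    print(triage(RAW_EML))
```

This is a gateway-side filter, not a substitute for the advice above: a well-made spear phish may use a clean PDF exploiting a reader bug and a link whose text is plain words, and neither check fires on that. It does catch the cheap, common variants at zero cost.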

New York Times story here.

Tom Kelchner

U.S. Senate takes a look at deceptive “loyalty” marketing programs

The U.S. Senate Committee on Commerce, Science and Transportation today is looking into deceptive “loyalty” discount programs – those that offer discounts and coupons to customers for a monthly fee. The marketing companies Webloyalty, Affinion and Vertrue, and the retailers Continental Airlines, FTD and Classmates.com, which let them charge customers’ credit cards, are in for a closer look.

The Committee is investigating reports that the marketing companies’ charges are showing up on credit card accounts of people who never ordered the service. Shoppers commonly encounter the marketing companies’ pitch in pop-up-windows when they make online purchases. The ads only ask for e-mail addresses, hiding the details of the monthly charges in small print. The retailers then supply the marketing companies with credit card information.

The committee has been investigating the businesses for six months. Recently Webloyalty and Affinion said they would change their advertising to require customers to submit the last four digits of their credit cards to confirm that they want to become members.

Also expected in the hearing today are the results of a study the committee has completed which includes how much money the retail partners are paid by the marketing companies.

These “enrollment” schemes can be really tricky. I inadvertently got roped into two of these things in the last three years. I like to think of myself as being pretty savvy after researching and writing about malware and the Internet underground for 15 years, but they got me. Yep, twice: once on a software company web site and another with a travel and reservation site. They’re good.

CNET story here.

Tom Kelchner

Trojans coming soon: “RemoveWAT” and “Chew-WGA”

The expected hacks for Windows 7 activation have been publicized and utilities called “RemoveWAT” and “Chew-WGA” are circulating.

They join the grimy world of cracks and key-gens – oft-Trojanized applications that defeat activation passwords or other security on legitimate software. It’s an ugly world on the sites that distribute them. We go there.

WGA stands for “Windows Genuine Advantage,” Microsoft’s antipiracy software. The company replaced it with Windows Activation Technologies (WAT) in Windows 7, hence the names of the cracks.

Trojanized versions of RemoveWAT and Chew-WGA soon will be available on websites and file-sharing networks near you. Look for them (or maybe we should say “look out for them.”)

Computerworld story “Hackers outwit Windows 7 activation” here.

Tom Kelchner