Search terms lead to malware? Yeah

It’s become the latest craze in security blogs — show how a Google search for a celebrity or a current event leads to malware.

I’ve done it myself, quite a bit. And I do think it provides a public service.

But the reality is — it’s massive, it’s constant, and the search terms are all over the place.

For example, there is a current blackhat run on Google that is using a dizzying amount of search terms. Here’s a list of terms that I’ve found. There are more.

2010 Military Pay Charts
Aileen Quinn
Amelia Earhart
Anglicanism
Arsenio Hall
Astate
Banco Del Tesoro Venezuela
Bedava Ingilizce
Bianchini
Bitty Schram Fired
Black Parade
blackberry storm 9520
Blast Off
Bobblehead
Bravo project runway
Cafe World
cfnm youtube
Charlie Manuel
child stuck in balloon
Chris Cooley Blog
Chris Mckendry
Christian Audigier
Collin Wilcox Paxton
Comcast Tickets
Cookie Johnson Jean Line
Crucisatorul Potemkin
Daniel Maldonado
David belle parkour video
Deadspin Espn
Dining
Dodsworth
Donovan House Washington Dc
Download Windows 7
Droid Does
Ed Hardy
Electron configuration berkelium
En Clown I Mina Kläder
Facebook Live Feed Vs News Feed
Fagacious
Fbi 10 Most Wanted
Female snake charmer costume
Figure roller skating
Florida Sex Offenders By Zip Code
Folkston Ga
free porn tube 8
Funny halloween pictures
Gardien
Glee Episode 9 Preview
Gossip Girls
H1n1 Vaccine Canada
H1n1 Vaccine Side Effects
Halloween Escape Walkthrough
Hardgame2
Hide Away
Honda Center Anaheim
House Season 6 Episode Guide
Hulk Hogan
Jay Mohr
Jayson Werth Married
Jeff Dunham Tour Dates 2009
Jeffrey Chiang Texas
Jodie Sweetin
Joe Klein Obama Thesis
Jonathan Broxton
Künstler Cutlery Knife Set By Connoisseur
Kyrie Irving Twitter
Levi Jones
Lil Wayne Pleads Guilty
Lindsay Lohan E Namorada
Losing It With Jillian Michaels
Marine Corps Marathon
Marni Phillips Photos
Married With Children
Matthew Shepard Story
Mikelle Biggs
Min Lieskovsky
Natalie Portman
New York Yankees
Obama thesis paper
Once Bitten Movie
Organic Baby Food Recall
Orionids Meteor Shower
Patchwork Nation
Phillies
Phish Tickets
puerto rico explosion
Rajon Rondo Ripped
Rebel Efi Crack
Secret Girlfriend Wiki
sharona monk
Somewhere Else
Sommer Thompson Missing
supernatural season 5 episode guide
sweetest day 2009
The Bunny Ranch
The Jeff Dunham Show
The Perfect Storm Movie
The Vampire Diaries 7
Tnmmu.ac.in
Tourettes Pete
Uss Freedom
Villisca Axe Murders Wiki
Wachovia Center Philadelphia
Wapa Tv
Week 7 Football Picks
When You Have No One No One Can Hurt You
Who The Hell Is Wolf
Windows 7 Free Upgrade For Vista
Windows 7 Release Date
Winter Time
Wombat Day
Y94
Zac Hanson
Ladybugs Good Luck
40 Under 40 Fortune
Ali Kay
California City Element
hot pussy sex
International Paper Franklin Va
Jacksonville News
Jammers
Lil Wayne Going To Jail 2009
Metal Rayonnant
Obama Mit Speech
Path Accident
Psystar
Robin Thicke Wife
Shaq
Somer Thompson Missing

Using any one of these search terms will land you in trouble.

For example, let’s search for Bx 82mf1r:

[Screenshot: Google results for the search]

The first four hits are malware links, all on compromised sites (the links only work with Google as the referrer; going to them directly will just land you on a harmless CNN page). You can see that Google catches the first site. The next three aren’t caught.

[Screenshot: a result whose URL contains /?p]

(Notice the /?p in the url? That’s generally the Windows Enterprise Defender rogue — thanks Patrick, for pointing that out.)

The rest of the search terms have varying degrees of success in getting to the first page of Google’s results. But in order to find them, we just do a little Google dorking. Notice that all the malware sites use “/t” in the URL. So we just do a Google search using the inurl operator to narrow down the malicious links.

Hence, we might search for Project Runway with the following search command (just to get more malware links):

project runway inurl:/?t= inurl:runway

And we see all kinds of nasty stuff.

[Screenshot: Google results for the inurl search]

You get the picture. Blackhat SEO is alive and well on Google, contributing to the profits and merriment of both legitimate antivirus vendors and malware authors. Unfortunately, the user doesn’t come out that well in the whole thing.
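As an added example (not from the original post), here is how a site owner could check their own web server logs for the pattern described above: requests to /?t= or /?p= doorway URLs on the site root that behave differently when the Referer is a Google search, plus the search terms those visitors arrived on. The log lines, hosts, addresses and timestamps are constructed; the t and p query keys are the ones the post points out.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed Apache "combined" log lines for a site suspected of carrying
# injected doorway pages. Hosts, paths, addresses and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Oct/2009:10:01:02 -0400] "GET /?t=project+runway HTTP/1.1" 302 0 "http://www.google.com/search?q=bravo+project+runway" "Mozilla/4.0"
203.0.113.9 - - [21/Oct/2009:10:01:40 -0400] "GET /?t=project+runway HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [21/Oct/2009:10:02:11 -0400] "GET /?p=h1n1+vaccine HTTP/1.1" 302 0 "http://www.google.ca/search?hl=en&q=h1n1+vaccine+canada" "Mozilla/5.0"
198.51.100.8 - - [21/Oct/2009:10:03:00 -0400] "GET /about.html HTTP/1.1" 200 2210 "http://www.google.com/search?q=our+company" "Mozilla/5.0"
203.0.113.5 - - [21/Oct/2009:10:04:30 -0400] "GET /?t=glee+episode HTTP/1.1" 302 0 "http://www.google.com/search?q=glee+episode+9+preview" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The query keys the post calls out: /?t= on the compromised sites, /?p= for the rogue.
DOORWAY_KEYS = ("t", "p")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_google_search_referer(referer):
    """True for a Referer that is a Google web-search results page."""
    u = urlparse(referer)
    return u.scheme in ("http", "https") and u.netloc.startswith("www.google.") and u.path == "/search"


def doorway_key(target):
    """Return 't' or 'p' if the request target is the site root with a doorway query key."""
    u = urlparse(target)
    if u.path != "/":
        return None
    qs = parse_qs(u.query, keep_blank_values=True)
    for key in DOORWAY_KEYS:
        if key in qs:
            return key
    return None


def analyze(log_text):
    """Summarise doorway hits: targets that act differently for Google visitors, and the search terms used."""
    by_target = defaultdict(lambda: {"google": set(), "direct": set()})
    search_terms = Counter()
    doorway_hits = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or doorway_key(rec["target"]) is None:
            continue
        doorway_hits += 1
        google = is_google_search_referer(rec["referer"])
        by_target[rec["target"]]["google" if google else "direct"].add(rec["status"])
        if google:
            # The q= parameter of the referring search is the keyword being abused.
            term = parse_qs(urlparse(rec["referer"]).query).get("q", [""])[0]
            if term:
                search_terms[term] += 1
    # A target that returns one set of statuses to Google visitors and a disjoint set
    # to direct visitors matches the referrer-cloaking behaviour the post describes.
    cloaked = sorted(
        t for t, s in by_target.items()
        if s["google"] and s["direct"] and s["google"].isdisjoint(s["direct"])
    )
    return {"doorway_hits": doorway_hits, "cloaked": cloaked, "search_terms": search_terms}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(report["doorway_hits"], "doorway hits; cloaked targets:", report["cloaked"])
    for term, n in report["search_terms"].most_common():
        print(f"  {n:3d}  {term}")
```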

Alex

Nigeria begins crackdown on email scams.

Farida Waziri, head of Nigeria’s Economic and Financial Crimes Commission, has announced that her agency, aided by Microsoft, has begun a large-scale crackdown on the email scammers who have made Nigeria infamous to Internet users for 20 years.

Waziri, speaking at a National Conference of Black Mayors convention in Las Vegas, said her commission has arrested 18 people and shut down 800 email accounts linked to scams.

She said the operation, dubbed “Eagle Claw,” will be fully operational in six months with the capacity to shut down 5,000 fraudulent email accounts and send 230,000 advisory emails to victims each month.

“It will take Nigeria out of the top 10 list of countries with the highest incidence of fraudulent e-mails,” she said.

This has the potential for reducing Internet fraud coming out of a historic hot spot. Nigeria, like developing nations everywhere, has an uphill battle to fight, with limited resources, against crime and corruption. It’s good to see Microsoft lending some technical assistance.

Nice work Ms. Waziri and Microsoft.

If Operation Eagle Claw works, maybe Nigeria can farm her out as a consultant to Russia. They could call it “Operation Bear Claw.” Then she can come to Florida and go after the spam industry here. (Operation Armadillo Claw?)

ArsTechnica story here.

See BBC story here.

Tom Kelchner

Windows 7 distributed in UK early

CNET UK is reporting that copies of Windows 7 have been mailed to customers in the UK several days before the official release date (tomorrow). According to the CNET UK blog, Microsoft allowed it in anticipation of a postal strike by carriers with the Royal Mail.

This means that for the next few days, Internet users in the UK can expect:

— Spam, both malicious and non-malicious, with Windows 7 themes (“REVERSE ERECTILE~DISFUNCTION WITH WINDOWS 7!”)
— Twitter tweets and Facebook mail with links to sites where you can download something infectious that has a Windows 7 title
— Trojaned copies of Win7 from P2P networks
— About a dozen rogue security programs with names like “WINDOWS 7 PROTECTOR GUARD SECURITY COP SCOUT”
— A few dozen reviews with titles like: “Windows 7 is probably better than VISTA,” “Windows 7 – so when is the first service pack?” and “How long can you milk Windows XP?”

CNET UK story here.

Tom Kelchner

Sunbelt Blog nominated for ComputerWeekly.com’s IT blog competition

For the second year, Computer Weekly will be holding its IT blog awards, to “discover which bloggers are best meeting the needs of IT professionals in the UK.” The Sunbelt Blog has been nominated.

Oct. 27, after the Computer Weekly folks come up with their short list, all our fans in the IT public in the UK will get to vote.

The way they describe it: “The shortlists will be published in full online, with links straight to each blog (as we did last year) to make it easy for you to check out the top blogs and Twitter users before making your choice.

“Once the votes are in and the count complete, the winners will be announced at a celebratory event on Wednesday 25 November at Shoreditch House, a private members’ club that is one of London’s hottest venues.”

[Image: Computer Weekly IT blog awards]

ComputerWeekly page here.

Tom Kelchner

Windows 7 opens Thursday: the world is (mostly) optimistic

Ok, we’re not going to mention Microsoft’s VISTA now.

Windows 7 will become available Thursday. Reviews based on the beta and release candidate haven’t been too bad, but the world will be waiting to see if computer users buy it quickly, wait a year, wait until the first service pack or whatever.

Here at Sunbelt Software we’re ready. Sunbelt’s VIPRE, VIPRE® Enterprise and CounterSpy Enterprise™ have all been certified as “Windows 7” compatible by Microsoft.

[Image: VIPRE Windows 7 compatibility logo]

Story here.

The WebUser site ran an interesting history of the Windows operating system versions with brief little thumbnail descriptions.

Tom Kelchner

No anti-virus software or procedures = compliance i$$ue

A Massachusetts stock broker will pay a $100,000 penalty to the Securities and Exchange Commission for failing to have security software or procedures when intruders stole account information of hundreds of customers and began making transactions with it.

Commonwealth Equity Services LLP of Waltham, Mass., agreed to pay the penalty for failing to have anti-malware software on its reps’ computers or written security policies to deal with security breaches. Securities brokers and registered investment advisors are required by SEC regulations to have written procedures to protect customer information.

In 2008, intruders stole the login information of a company employee and accessed the Commonwealth Equity network, ordering stock trades from eight accounts and stealing login information for 368 customers. Company staff noticed the unauthorized trades and stopped them, but the incident caused $8,000 in damage.

Story here.

Tom Kelchner

Malware researcher S!Ri catches rogue site affiliates ripping off his content

Rogue researcher S!Ri (blog here) just blogged about catching some rogue affiliate web sites ripping off his content to boost their search engine rankings. The game is a good glimpse into the rogue security software distribution world.

Rogue creators put up web sites, just like legitimate businesses, to sell their fake security products online. They use Trojans in spam email attachments and other nefarious means to frighten victims into believing that their machines are infected, then offer to sell their products (which really do nothing) to fix the bogus problems.

In the web advertising world, one can post advertising for other businesses on one’s site and be paid for visitors who “click through.” These are called “affiliate” sites. Just like legitimate businesses, there are affiliate sites that drive business to pages that sell rogue security products.

These affiliates use search engine optimization to drive up their rankings and draw unsuspecting web browsers, posting content about rogue security products. They may have hundreds of web sites that draw browsers looking for information about rogue products, then pass those visitors along to rogue download sites and make money for their pass-throughs. To attract visitors, they need content related to rogues, so they pull content from S!Ri’s research blog.

On Friday, S!Ri invented a rogue name — “Secure Shield” — made a fake graphic of a user interface and posted it on his blog (here.) Today he blogged about how quickly the affiliates scraped his content and put it on their pages: ten minutes in one case. (Blog entry here.)

His blog has seven screen shots of affiliate pages carrying his invention.

Yeah, it’s like Chinese boxes or Russian dolls: a fake on a researcher’s site that is stolen by an affiliate site that sends traffic to a site selling (fake) security software.

Thanks S!Ri. Thanks Patrick.

Tom Kelchner

Half of businesses surveyed will go with Win 7 in a year

The history of advice about Vista:

2006-7: It’s pretty buggy, wait till they get the kinks out

2007: It’s such a resource hog, wait until you buy your next (bigger, faster) machine and get it free rather than spend the cash for new RAM, etc.

2008: The economy is so bad, WinXP will hold you over and maybe they’ll get more bugs out by the time you can afford it.

2009: Windows 7 is going to be out shortly, why not wait and skip VISTA entirely.

2009 (second half): Whoa! Windows 7 looks pretty nice! Look how fast it starts!

Information Technology Intelligence Corp. of Boston (partnering with Sunbelt Software) found that half of the 1,200 companies they surveyed expect to move to Windows 7 in the first year it is available. Eleven percent of those surveyed said they expect to install it after the first service pack.

Windows XP, which has been around for eight years, will be supported until 2014.

Story here.

New rogue: TRE AntiVirus

TRE AntiVirus is a new rogue application from the WiniGuard family.

A few days ago this gang left a hidden message in their code for Sunbelt.

Kara recently called this gang lazy after watching a series of clones from them (a total of 28 clones using the same GUI).

Now it looks like they have responded to Kara’s post by pushing a new rogue with a new GUI.

[Screenshot: TRE AntiVirus splash screen]

[Screenshot: TRE AntiVirus main window]

This rogue also uses the same code under the hood, but with a new GUI.

Bharath M N

The unpatched software vector: piracy might not matter

Software piracy and its relationship to the spread of malware has been a topic this week.

Monday, the Business Software Alliance released a report that estimated the “staggering” number of Internet users swapping software through P2P networks has resulted in 41 percent of applications on computers today being unpatched. (Their report “Software Piracy on the Internet: A Threat to your Security” here.)

Friday, Ofcom, the UK’s independent regulator and competition authority for communications industries, issued a report that said surveying showed 55 percent of people 16-24 said they believed “file sharing through downloading shared copies of copyright music and films” should be legal. Although Ofcom didn’t ask specifically, one can be sure that the 55 percent probably feels the same way about downloading “free” software from P2P networks.

A third of adults thought piracy should be legal as well. The survey showed 42 percent of adults thought it should be illegal, 33 percent said it should not be illegal and 25 percent were not sure. (story here.)

Dancho Danchev, writing on the ZDNet blog (here) pointed out an interesting, though dismal, fact: maybe piracy doesn’t matter.

In spite of the free security updates available from nearly all software vendors, a huge number of users rarely install them. Applications are patched even less than operating systems. He cites information from IBM and Secunia.

So, it is possible that all those pirated operating systems and applications are unpatched and wide open for bot and other malware infections (like Conficker recently), but it doesn’t really matter since a vast number of Internet users don’t update ANY software, legitimate or pirated.

Tom Kelchner

“Malware to crimeware”: good and readable paper on 10 years of ugly trends

Alex noticed this really good paper this morning and highly recommends it. It’s one of those rare, concise (10 pages) and very well written pieces that come along every once in a while. It gives a good overview of recent advances in malicious code and the strategies that have been developed by the dark side to steal information and money.

The author, David Dittrich, goes into just enough detail about developments in the last decade such as the dropper, social engineering attacks and complex command and control mechanisms. The 14 papers and articles he cites in the footnotes could be a small library on the subject themselves.

His conclusions include:

— Using a form of modal sandboxing to fight droppers that take advantage of users viewing blog posts

— Better mechanisms for policing public domain shareware

— Segregation of personal-use/enterprise-use machines (to make whitelisting easier)

— Attack-specific education and training for users

— A more sophisticated and aggressive approach to combating cyber-crime, acknowledging that it will take time to develop: “We are years away from being able to safely engage in aggressive self-defense on the Internet.” He also suggests that the federal government should assume more responsibility for countering cyber threats. He quotes a December 2008 paper by the Center for Strategic and International Studies Commission on Cybersecurity for the 44th Presidency, “Securing Cyberspace for the 44th Presidency:”

“We have deferred to market forces in the hope they would produce enough security to mitigate national security threats. It is not surprising that this combination of industrial organization and overreliance on the market has not produced success. As a result, there has been immense damage to the national interest.”

Dave Dittrich is an affiliate information security researcher in the University of Washington’s Applied Physics Laboratory.

The full title is: “Malware to crimeware: how far have they gone, and how do we catch up?” It can be found on the University of Washington’s site here (via Schneier).

Tom Kelchner

Cool idea: Mozilla plug-in checker

It’s just really good to see simple, uncomplicated mechanisms that make it easy to put computer security measures in place BEFORE you get hit with some damn malicious thing that turns your machine into a spam-spewing bot or steals everything you own.

Quite frankly, Microsoft Patch Tuesday is a great, simple idea and Adobe hitching its security wagon to that was brilliant.

Mozilla just made public another simple-and-sound security device: Firefox Plug-in check (http://www.mozilla.com/en-US/plugincheck/#why-update )


The page presents a list of your plug-ins and a color-coded button that tells you if you need to update one of them.

Plug-ins from third-party applications can be security vulnerabilities when they’re out of date, and often they aren’t updated when the application they serve is patched.

Mozilla says it’s planning an automatic plug-in updating function.

Tom Kelchner

Seth MacFarlane to be infomercial host for Windows 7

Is Family Guy, one of great comedy shows, to be co-opted by Windows 7?

The Microsoft-sponsored variety show, whose working title is “Family Guy Presents: Seth & Alex’s Almost Live Comedy Show,” is a mix of live-action “Family Guy” musical performances, animated shorts and celebrity guest appearances, and is part of an all-Seth MacFarlane night on Fox. The software company wouldn’t elaborate on what exactly the Microsoft integrations would look like or possible scenarios in which Windows 7 could play a starring role, but said Crispin’s copywriter and art director on the Windows campaign were working closely with Mr. MacFarlane and Ms. Borstein.

“You’ll see us deeply integrated into the content … you’ll hear a lot about how Windows 7 can help you simplify your PC — it’s simple, fast and easy to use,” said Gayle Troberman, general manager of consumer engagement and advertising at Microsoft. She went on: “Think about metaphors and examples we might use, talking about how simple things are. We’ll be evoking the cast of ‘Family Guy’ in some interesting ways that integrate the product messages.”

Link here (via GMSV).

Alex Eckelberry

Careful what might be in that second-hand device…

True story, just came in as feedback from a reader of Sunbelt Security News (SSN):

I was reading your latest issue of SSN and the article about scanning iPods reminded me of an incident I had this past Spring. I had purchased (several months prior to this incident) a “refurbished” iPod from a reputable seller and plugged the USB cable into a machine I had just reformatted.

I had everything nicely installed BUT I forgot to disable the USB “auto-play” function. Thankfully I was also trialing VIPRE on this same machine at the time since as soon as I plugged in the cable VIPRE immediately grabbed an autorun.inf file. I had VIPRE scan the entire iPod and it found several traces of a worm. I submitted the files to Virus Total and (thankfully) VIPRE was only one of a handful to detect the malicious autorun.inf file.

So I guess the moral of my story is to remember that iPods can also store files like any other portable USB memory devices and to be careful with “refurbished” memory devices even if they come from a reputable dealer.

Really enjoy reading SSN. Keep up the good work!

Edward

Alex Eckelberry

Erosion of trust for online banking with Windows OS is building

Two very influential people have made public comments recently that could lead to widespread distrust of the Windows operating system for online banking.

Last week, FBI Director Robert Mueller related in a speech in San Francisco that he had received a phishing email that tried to steal his banking credentials and nearly fell for it. As a consequence, he is not doing his banking on line. (Speech text here.)

This week, Washington Post columnist Brian Krebs, who writes the “Security Fix” column and is among the most influential writers in the computer security space, wrote that businesses should simply stop doing their banking online from machines with the Windows operating system.

He wrote: “The simplest, most cost-effective answer I know of? Don’t use Microsoft Windows when accessing your bank account online.”

“…regardless of the methods used by the bank or the crooks, all of the attacks shared a single, undeniable common denominator: They succeeded because the bad guys were able to plant malicious software that gave them complete control over the victim’s Windows computer,” he wrote.

“While there are multiple layers of protection that businesses and banks could put in place, the cheapest and most foolproof solution is to use a read-only, bootable operating system, such as Knoppix, or Ubuntu.”

Krebs column here.

Krebs has done a series of columns recently about small and medium-size businesses, non-profit organizations and schools losing tens of thousands of dollars to cyber thieves using banking Trojans to provide access to their bank accounts and transfer funds to money mules.

The implications of this loss of trust have been mentioned by other significant observers in the computer security world. David Kennedy, Manager of Risk Analysis at Verizon Business, wrote in his weekly intelligence summary for his company’s customers: “Reports the FBI director’s spouse refuses to allow on-line banking is a serious indictment of on-line trust and we will be tracking related reports of trust erosion, especially by high-profile individuals, groups and companies.” (Kennedy summary here.)

Tom Kelchner

Alliance estimates 41 percent of software on personal computers is pirated

Reasons to pirate software:

1. it’s free

Reasons not to pirate software:

1. some pirated copies don’t even work correctly.
2. you have a moderate risk of getting malicious code with it.
3. you don’t get updates, you could become a victim of identity theft, your machine will be vulnerable to a lot of malware and will probably become part of a spam-spewing botnet that makes money for organized crime.
4. if you make a large enough collection of pirated software available via P-2-P, the men in blue suits might come knocking on your door and you could get sued for several hundred $K.
5. you’ll be part of a collective of people worldwide who steal almost a trillion dollars each year.

This message comes to you from the Business Software Alliance.

Story here.

BSA report, “Software Piracy on the Internet: A Threat To Your Security,” here.

Tom Kelchner

Money mule recruitment sites are blossoming

A large number of web sites devoted to recruiting money mules made their appearance over the weekend.

[Screenshot: money mule recruitment site]

Of the 28, 14 had top-level domains in China and seven in the Cocos Islands (an Australian territory).

Lotta financial services firms locating in the Cocos. Yes sir. That place is becoming a real world business hot spot.


Thanks Alex

Tom Kelchner

What USB devices are plugged into YOUR network?

A blogger named Dave Kleiman on the SANS blog site just shared a very cool technique for cataloging all the USB devices plugged into a network.

Dave said on the blog that he used Microsoft’s Log Parser (link here) to collect standard registry keys:

HKLM\SYSTEM\ControlSet001\Enum\USBSTOR
HKLM\SYSTEM\ControlSet001\Enum\USB
HKLM\SYSTEM\MountedDevices
HKLM\SYSTEM\ControlSet001\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Log Parser allows an operator to run scripts, which in his case, allowed him to retrieve the registry keys and the host name for each as well as other information.
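As an added example, not Dave Kleiman’s Log Parser script and not code from the post, here is a parser for a `reg export` of the USBSTOR key listed above that turns each device instance into a record (vendor, product, revision, serial, FriendlyName) tagged with a host name, which is the same inventory you would collect per host. The export text is constructed; the rule that an instance ID whose second character is `&` is a Windows-generated ID rather than a serial read from the device is a common forensic rule of thumb.

```python
import re
from dataclasses import dataclass

# Constructed "reg export" of the USBSTOR key from a hypothetical host WS01.
# Vendors, products, serials and names are made up, not taken from any real machine.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\001A4D5E6F7080&0]
"FriendlyName"="Kingston DataTraveler 2.0 USB Device"
"Service"="disk"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Apple&Prod_iPod&Rev_2.70\000A270012345678&0]
"FriendlyName"="Apple iPod USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0&000000]
"FriendlyName"="Generic Flash Disk USB Device"
"""

# One key line per device instance: USBSTOR\<device id>\<instance id>
INSTANCE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Enum\\USBSTOR"
    r"\\([^\\\]]+)\\([^\\\]]+)\]$"
)
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


@dataclass
class UsbDevice:
    host: str
    vendor: str
    product: str
    revision: str
    serial: str
    synthetic_serial: bool   # True when Windows made the ID up because the device reported none
    friendly_name: str = ""


def _split_device_id(dev_id):
    """'Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP' -> ('Kingston', 'DataTraveler_2.0', 'PMAP')."""
    parts = dict(p.split("_", 1) for p in dev_id.split("&")[1:] if "_" in p)
    return parts.get("Ven", ""), parts.get("Prod", ""), parts.get("Rev", "")


def parse_usbstor_export(text, host):
    """Turn a .reg export of the USBSTOR key into UsbDevice records tagged with the host name."""
    devices = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = INSTANCE_KEY.match(line)
        if m:
            dev_id, instance = m.group(1), m.group(2)
            vendor, product, revision = _split_device_id(dev_id)
            # Rule of thumb: an instance ID with '&' as its second character was
            # generated by Windows, so it is not the device's own serial number.
            synthetic = len(instance) > 1 and instance[1] == "&"
            serial = instance if synthetic else instance.rsplit("&", 1)[0]
            current = UsbDevice(host, vendor, product, revision, serial, synthetic)
            devices.append(current)
        elif not line:
            current = None            # a blank line ends the current key's values
        else:
            v = VALUE_LINE.match(line)
            if v and current is not None and v.group(1) == "FriendlyName":
                current.friendly_name = v.group(2)
    return devices


def synthetic_serial_devices(devices):
    """Devices whose ID cannot be used to track the same stick across hosts."""
    return [d for d in devices if d.synthetic_serial]


if __name__ == "__main__":
    for d in parse_usbstor_export(SAMPLE_REG_EXPORT, host="WS01"):
        flag = " (no real serial)" if d.synthetic_serial else ""
        print(f"{d.host}: {d.vendor} {d.product} rev {d.revision} serial {d.serial}{flag}")
```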

Blog post here.

Thanks for the tip Alex.

— Tom Kelchner

Become a CCTV “Big Brother” and monitor Brits for CA$H!

Interneteyeslogo

Britain has 4.2 million closed circuit TV cameras videoing the average citizen 300 times per day. About the only comfort most citizens of Albion have is that nobody has time to watch all those cameras all the time.

But now a group of entrepreneurs has come up with a great scheme to snatch away even that tiny shred of privacy: recruit Internet users (first from the EU, then the world) to compete for cash prizes by watching the live video and reporting crimes to local camera operators.

The business, called Internet Eyes, is running a trial operation in Stratford-on-Avon and expects to go nationwide in Britain in November.

As background, the UK has seen its violent crime statistics rise in recent years. Conservatives (the Opposition party since 1997) and tabloid newspapers hammer on that. There could be some statistical issues with those numbers (compiled by the Conservatives) since a street fight is logged as a violent crime there, whereas in other countries it’s only considered a violent crime if there is an injury.

Guardian story here.

According to comparative data from the United Nations, the U.S. has a homicide rate more than three times higher than the UK (42.8 per 100k in the U.S. and 14.1 per 100k in the UK).

Numbers here.

Tom Kelchner

New ZBots and Emulation/Virtualization


In my talk at the University of Florida (video link here) I pointed out how important correct error handling in emulation/virtualization is. Today we got new ZBot samples, and they are using exactly that to avoid generic emulation/unpacking. I had five minutes to take a couple of screenshots and add some comments to them. So here is a closer look at the startup code of these ZBots.

They call the API function “SwitchDesktop” from User32.DLL with a wrong desktop handle on purpose. The desktop handle is always wrong; see the code at “results in invalid handle”.

Usually this API function sets its return code (non-zero for success) in register EAX. So they move this result to the stack, and since EAX is 4 bytes (unsigned long) you see a sub of the stack pointer by 4 there. That code passage alone is highly obfuscated, and you won’t see it from normal compilers, because there’s no need to push EAX on the stack if you pop it afterwards without any changes in between.

So they pop EBX (read: the value in EAX is now in EBX) and compare that with zero. Remember: this function should return zero, because it got an invalid handle on purpose. Basically this API must answer “Sorry, can’t do that, I don’t know that handle – ERROR”. Most emulation systems use so-called “dummy APIs”, which just always return true or always return false.

Our Behavior-based Virtualization (MX-V) knows such tricks, decrypts the executable and finds interesting stuff inside the file. For example, a mutex that gets created after decryption and right before process enumeration (all done in Unicode) whose name hints that the authors of this malware do know about AVIRA Antivirus. But look for yourself:

[VVS] User32:SwitchDesktop – Desktophandle: 7C910208 ERROR: Unknown Handle!
[VVS] Kernel32:GetPrivateProfileIntA – AppName: KeyName: FileName: ”
[VVS] Kernel32:VirtualAlloc – rtx=130000, va=0, sz=1334F, at=3000, p=40
[VVS] Kernel32:VirtualProtect – lpAddress = 00400000, flNewProtect = 00000040 OK
[VVS] Kernel32:IsBadReadPtr Entry – READ ACCESS!
[VVS] Kernel32:IsBadReadPtr Entry – READ ACCESS!
…decompressing here (very simple encrypted)…
[VVS] Kernel32:IsBadReadPtr Entry – READ ACCESS!
[VVS] Kernel32:GetUserDefaultUILanguage – is: English, USA
[VVS] advapi32:OpenProcessToken Entry – OK
[VVS] [ApiDef]: LookupPrivilegeValueW
[VVS] Advapi32:AdjustTokenPrivileges – OK
[VVS] close_emu_handle: 00420000
[VVS] [ApiDef]: GetUserNameW – OK
[VVS] Kernel32:GetCommandLineA – OK
[VVS] Kernel32:CreateMutexW – creates mutex named ‘_AVIRA_21099‘ OK
[VVS] Kernel32:CreateToolhelp32Snapshot – OK, flags: 2, procId: 0
[VVS] [ApiDef]: Process32FirstW NumParams:2 STD_CALL
…process enumeration and continue…
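As an added example that is not Sunbelt’s MX-V code, here is a small triage pass over API trace lines in the format shown above: it flags the SwitchDesktop probe with an invalid handle (the emulator error-handling check the post describes), RWX memory changes that indicate in-place unpacking, the mutex name, and the process snapshot, and it confirms the probe ran before anything was unpacked. The trace text is a constructed copy of the lines quoted in the post; the constant values for PAGE_EXECUTE_READWRITE and TH32CS_SNAPPROCESS are the documented Win32 ones.

```python
import re
from dataclasses import dataclass

PAGE_EXECUTE_READWRITE = 0x40      # the flNewProtect / p value 0x40 seen in the trace
TH32CS_SNAPPROCESS = 0x2           # CreateToolhelp32Snapshot flags value 2
AV_VENDOR_HINTS = ("avira",)       # extend as needed; the post's sample names this vendor

# Constructed copy of the trace lines quoted in the post, in the same format.
SAMPLE_TRACE = """\
[VVS] User32:SwitchDesktop – Desktophandle: 7C910208 ERROR: Unknown Handle!
[VVS] Kernel32:GetPrivateProfileIntA – AppName: KeyName: FileName:
[VVS] Kernel32:VirtualAlloc – rtx=130000, va=0, sz=1334F, at=3000, p=40
[VVS] Kernel32:VirtualProtect – lpAddress = 00400000, flNewProtect = 00000040 OK
[VVS] Kernel32:IsBadReadPtr Entry – READ ACCESS!
…decompressing here (very simple encrypted)…
[VVS] Kernel32:GetUserDefaultUILanguage – is: English, USA
[VVS] advapi32:OpenProcessToken Entry – OK
[VVS] [ApiDef]: LookupPrivilegeValueW
[VVS] Advapi32:AdjustTokenPrivileges – OK
[VVS] Kernel32:CreateMutexW – creates mutex named ‘_AVIRA_21099‘ OK
[VVS] Kernel32:CreateToolhelp32Snapshot – OK, flags: 2, procId: 0
"""

LINE_RE = re.compile(r"^\[VVS\] (?P<mod>\w+):(?P<api>\w+)(?: Entry)? [–-] (?P<detail>.*)$")


@dataclass
class Call:
    index: int
    module: str
    api: str
    detail: str


def parse_trace(text):
    """Parse '[VVS] Module:Api – detail' lines; other lines ([ApiDef], comments) are skipped."""
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            calls.append(Call(len(calls), m["mod"].lower(), m["api"], m["detail"]))
    return calls


def triage(text):
    """Return the indicators an analyst would pull out of the trace, in call order."""
    calls = parse_trace(text)
    findings, rwx_regions, mutex = [], [], None
    probe_idx = unpack_idx = None
    for c in calls:
        if c.api == "SwitchDesktop" and "ERROR" in c.detail:
            probe_idx = c.index
            findings.append((c.api, "called with an invalid handle on purpose; an emulator that "
                                    "answers with dummy success instead of FALSE is caught here"))
        elif c.api == "VirtualAlloc":
            m = re.search(r"sz=([0-9A-Fa-f]+), at=([0-9A-Fa-f]+), p=([0-9A-Fa-f]+)", c.detail)
            if m and int(m.group(3), 16) == PAGE_EXECUTE_READWRITE:
                findings.append((c.api, f"RWX allocation of 0x{m.group(1)} bytes"))
        elif c.api == "VirtualProtect":
            m = re.search(r"lpAddress = ([0-9A-Fa-f]+), flNewProtect = ([0-9A-Fa-f]+)", c.detail)
            if m and int(m.group(2), 16) == PAGE_EXECUTE_READWRITE:
                rwx_regions.append(m.group(1).upper())
                if unpack_idx is None:
                    unpack_idx = c.index
                findings.append((c.api, f"image at {m.group(1)} made RWX: in-place decryption"))
        elif c.api == "CreateMutexW":
            m = re.search(r"named [‘'](.+?)[‘']", c.detail)
            if m:
                mutex = m.group(1)
                hint = " (names an AV vendor)" if any(v in mutex.lower() for v in AV_VENDOR_HINTS) else ""
                findings.append((c.api, f"mutex {mutex!r}{hint}"))
        elif c.api == "CreateToolhelp32Snapshot":
            m = re.search(r"flags: ([0-9A-Fa-f]+)", c.detail)
            if m and int(m.group(1), 16) & TH32CS_SNAPPROCESS:
                findings.append((c.api, "process list snapshot: enumeration follows"))
    return {
        "calls": len(calls),
        "findings": findings,
        "rwx_regions": rwx_regions,
        "mutex": mutex,
        # The point of the trick: the probe runs before anything is unpacked.
        "probe_before_unpack": probe_idx is not None and unpack_idx is not None and probe_idx < unpack_idx,
    }


if __name__ == "__main__":
    for api, note in triage(SAMPLE_TRACE)["findings"]:
        print(f"{api:26s} {note}")
```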

Michael St. Neitzel