Emerging threat: malicious sites grab prominence in search results

Scammers peddling rogue security products have apparently mastered search engine optimization (SEO) techniques in order to move their malicious sites to the top of the list when users search for top news stories.

[Image: malicious URL in search results]

The rapid rise of malicious URLs in search results during the recent flurry of news stories about the Samoa earthquake and tsunami drew the attention of Roger Thompson, chief research officer for anti-virus specialists AVG.

Thompson said, “When we looked, we found [attackers] had five or six of the top ten results on the Google search results page, well above even places like CNN and The Guardian on queries like Samoan Tsunami.

This is growing larger on the threat landscape. It means we’ll all need to look twice at URLs when we search for current news topics and keep in mind the possibility of malicious links even from the big search engines like Google and Yahoo.”

Story here.
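“Look twice at URLs” in practice means checking which domain a link actually lands on, not whether a familiar name appears somewhere in the address. The following is an added example, not code from the Sunbelt post or from AVG: it takes a constructed list of search results for a news query, extracts the registrable domain of each link, and compares it against a small allowlist of outlets. The allowlist, the two-label suffix set and all sample URLs are constructed for illustration (the lookalike hosts use reserved “example” names). A naive substring check is included alongside to show why it passes the lookalikes.

```python
"""Triage search-result links by registrable domain (added example, not the blog's code)."""
from urllib.parse import urlsplit

# Constructed allowlist: outlets a reader expects to see for a breaking-news query.
KNOWN_NEWS_DOMAINS = {"cnn.com", "guardian.co.uk", "bbc.co.uk"}

# Constructed stand-in for a public-suffix list; real deployments should use the
# full list, but these entries are enough to show the registrable-domain logic.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed sample of what a poisoned results page for a news query might contain.
SAMPLE_RESULTS = [
    ("Samoa tsunami death toll rises", "http://www.cnn.com/2009/WORLD/samoa.html"),
    ("Samoan Tsunami VIDEO - watch now", "http://cnn.com.news-flash-example.net/samoa/"),
    ("samoan tsunami pictures", "http://samoan-tsunami-example.info/index.php?q=tsunami"),
    ("Tsunami hits Samoa", "http://www.guardian.co.uk/world/2009/samoa"),
    ("Samoa tsunami", "http://www.bbc.co.uk.evil-example.org/news"),
]


def registrable_domain(url):
    """Return the registrable domain of a URL's host (e.g. 'guardian.co.uk').

    The host is taken from the URL itself, so a trusted name embedded in a
    subdomain ('cnn.com.news-flash-example.net') does not count.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    if len(labels) >= 2:
        return ".".join(labels[-2:])
    return host


def naive_looks_trusted(url):
    """The check a hurried reader makes: does a familiar name appear anywhere in the link?"""
    return any(domain in url.lower() for domain in KNOWN_NEWS_DOMAINS)


def triage(results):
    """Label each (title, url) pair as 'known-outlet' or 'unverified'.

    The 'naive' field records what substring matching would have said, so the
    two judgements can be compared side by side.
    """
    labelled = []
    for title, url in results:
        domain = registrable_domain(url)
        status = "known-outlet" if domain in KNOWN_NEWS_DOMAINS else "unverified"
        labelled.append({"title": title, "url": url, "domain": domain,
                         "status": status, "naive": naive_looks_trusted(url)})
    return labelled


def unverified_count(results):
    """Number of results that do not resolve to an allowlisted outlet."""
    return sum(1 for entry in triage(results) if entry["status"] == "unverified")


if __name__ == "__main__":
    for entry in triage(SAMPLE_RESULTS):
        flag = "" if entry["status"] == "known-outlet" else "  <-- check before clicking"
        naive = "naive check: trusted" if entry["naive"] else "naive check: untrusted"
        print(f"{entry['status']:13} {entry['domain']:28} ({naive}){flag}")
```

Two of the three unverified links would pass the naive substring check because “cnn.com” and “bbc.co.uk” appear inside a hostname that belongs to someone else; only the registrable-domain comparison catches them. An allowlist is deliberately conservative: an unfamiliar domain is not proof of malice, only a cue to verify before clicking.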

Tom Kelchner

MX-V technology disclosed

Michael St. Neitzel, Sunbelt VP of threat research and technology, described VIPRE MX-V at the University of Florida Information Technology Security Awareness (ITSA) Day this week. It was the first public demonstration of the MX-V behavioral detection technology used inside Sunbelt’s VIPRE Antivirus + Antispyware.

ITSA in Gainesville was attended by professional IT workers from the University of Florida as well as those from education, government and business in the area.

[Image: Michael St. Neitzel presenting MX-V]

Video here.

Video editing by Alex

Tom Kelchner

Comcast will warn customers who are infected by bots

Comcast has begun an experimental program in the Denver area to warn customers whose PCs have been turned into spam-spewing bots. The infected ones will see a browser pop-up warning them that their machine contains malware.

I don’t want to sound like a whiner, but why didn’t ISPs start doing this, oh, say, four years ago when the number of bots in the wild exploded?

This is really terrific. Comcast should be commended, and I hope other ISPs (ALL ISPs) do something similar, but why did it take this long? Spam email, a whole load of it from botnets, is now estimated to be near 90 percent of email traffic.

The story on the CNET news site says: “For years, security experts have complained that ISPs are uniquely positioned, and should do more, to help customers combat security problems. But ISPs have been reluctant to assume additional responsibilities that are not central to their core service offering and for which they would then have to maintain a standard, going forward.”

See story here.

Tom Kelchner

Oct. 9 Update:

Brian Krebs, in his Washington Post column “Security Fix” today, dug into more details of the Comcast plan, including the possibility of fake warnings. He reported:

“The primary challenge to this program, aside from actually helping customers rid their PCs of bot infections and keep them clean, may come from the criminals themselves. One of the most persistent threats to Internet users today are rogue anti-virus programs that use fake security alerts to trick consumers into downloading malicious programs or at the very least paying for worthless software.

“(Jay) Opperman (Comcast senior director of security and privacy) said Comcast is attempting to combat this potential scam by including a link in the banner alert that explains “How do I know this notice is from Comcast?” Among the answers they will list is that Comcast will be sending affected users an e-mail alert at their primary account at the same time as the browser alert is displayed.”

See story here.

VIPRE Enterprise performance tests: we’re hot!

Sunbelt Software hired an independent test lab recently to compare the performance of VIPRE Enterprise against the enterprise products of two leading competitors, Symantec and McAfee. We were very pleased with the results.

The test found that VIPRE Enterprise significantly outperformed the competing products, with its lower system resource usage and faster scanning speed. The test included antivirus scanning performance and system resource utilization.

See Sunbelt news release here.

Tom Kelchner

Trojan.Brontok: 103,000 infections on one machine

A Sunbelt researcher today found a ThreatNet scan result from a machine with six identifiable malware threats on it. One of them, Trojan.Brontok, had 102,793 traces. That was on one machine!

Alert to things that might be going wrong, he emailed several other analysts:
“Just trying to understand, how is that possible?”

Yep, it was possible. Even old threats can overrun a PC if it doesn’t have proper malware protection.

ThreatNet is an early warning system made up of tens of thousands of VIPRE and CounterSpy users who have set their machines to send Sunbelt a record of malcode that they detect. ThreatNet helps us detect virus outbreaks.

Trojan.Brontok is a detection for a group of mass-mailing worms that spread by sending copies of themselves as e-mail attachments. It gathers e-mail addresses from infected machines in order to propagate.

It disables security applications, spreads through USB drives and has been used in denial of service attacks.

Thanks to Eric Howes and Adam Thomas

Tom Kelchner

New FTC rules: bloggers must reveal pay and perks they get for reviews

The Federal Trade Commission commissioners unanimously approved guidelines that require bloggers to reveal that they’ve been paid or otherwise compensated for writing product reviews (read: have conflicts of interest.)

The new rules, which will go into effect Dec. 1, carry penalties of $11,000 for each violation.

Blogging product reviews has become a major cottage industry. If a blogger gets several free cases of disposable diapers or a $10,000 firewall appliance in exchange for a review, it might just be a good idea if readers were made aware of that fact.

The FTC guidelines on endorsements and testimonials haven’t been updated since 1980.

Story here.

Tom Kelchner

When does a “free” Windows 7 upgrade cost $17?

Short answer: when you buy a Lenovo machine.

The editor of Consumerworld.org and Mouseprint.org, Edgar Dworsky, has found that some computer makers are charging “shipping, handling, and fulfillment fees” after Microsoft promised customers free upgrades to Win7 when they purchase PCs with Vista installed.

Microsoft began the Windows 7 Upgrade Option Program in June and said those who purchase a machine between June 26, 2009 and Jan. 1, 2010, will get the upgrade free.

Some manufacturers are giving the new OS free to some customers and charging others varying amounts from $11.60 to $17, Dworsky said.

See Computerworld story here for a list of who charges what.

Tom Kelchner

New Google bells and whistles

For those who spend a lot of time behind Google, there are some new features to play with that may improve your efficiency at work.

[Image: Google “show options” control]

After search results are presented, the “show options” control displays more ways to narrow your search by type of info (videos, blogs, etc.), time (past 24 hours) and whether you already visited the page.

[Image: Google search options column]

The “Timeline” shows a graph of the periods in history mentioned in the results.

[Image: Google timeline view]

And the “wonder wheel” presents you with related searches.

[Image: Google wonder wheel]

See story: Google offers search refinements

Tom Kelchner

It’s Cybersecurity Awareness Month

[Image: Cybersecurity Awareness Month banner]

This month is the Department of Homeland Security’s sixth annual National Cybersecurity Awareness Month and the theme is “Our Shared Responsibility.”

The point of the “theme” is “to reinforce the message that all computer users, not just industry and government, have a responsibility to practice good ‘cyber hygiene’ and to protect themselves and their families at home, at work and at school.”

The DHS page is full of really good basic computer security information and suggestions.

If you’re reading this, you are surely aware of at least one anti-virus company (Sunbelt) and the need for anti-malware protection. That’s a really big part of “our shared responsibility.” If you know somebody who is new to the Internet, you might pass along the link to the DHS Cyber Security Month page and tell them it’s a great place to start learning about protecting themselves. (Link here.)

Tom Kelchner

Creepy or good marketing?

I check my mail cubbie today (something I actually rarely do anymore, what with all these internets having killed the postal service), and find a simple letter.

Inside is a folded napkin and a hotel room key.

[Image: the hotel room key]

The napkin has a note that says, in what appears to be female writing:

Let’s meet…

www.accepttheinvitation.com/alexeckelberry

So I’m thinking of all the times a beautiful woman has sent me a hotel room key with a note on a (perfumed) napkin.

Never.

I go to the site, and there’s a door, which I have to open.

[Image: the door on the site]

And then I’m in some kind of restaurant.

[Image: the restaurant scene]

You choose your dinner, and after a while, you see this:

[Image: the reveal after choosing dinner]

Well, I suppose the whole thing is a bit creepy, especially when out of the blue, I get a follow-up email from some dude.

[Image: the follow-up email]

Creepy? Good marketing?

I suppose a bit of both.

Alex Eckelberry

Just when you thought the Green Dam saga was over…

[Image: Dam Burst logo]

Jon Oberheide, a security researcher and PhD candidate at the University of Michigan, has gone public with an application (exploit?) to disable the censorship capabilities of Green Dam Youth Escort. It’s called Dam Burst.

According to the Oberheide web site, Dam Burst (v 1.2, tested on Green Dam 3.17), doesn’t need administrative privileges to disable Green Dam censoring functions.

His site notes a security benefit: “As a pleasant side effect, disabling the Green Dam components within a running process actually increases the security of the end host as the vulnerable code paths within the Green Dam software are no longer exploitable by an attacker.”

Sunbelt Software considers Green Dam to be spyware and our official description is:

Green Dam is system monitoring and content filtering software that blocks disapproved content on the local PC as well as incoming and outgoing network traffic.

About two weeks ago, schools in China were removing the Internet monitoring software because it was interfering with educational software. (Sunbelt Blog entry here.)

In mid August, Chinese Minister of Industry and Information Technology Li Yizhong reversed the requirement that all computers have it; Green Dam was instead to be installed only on school computers and those in public places. (Sunbelt Blog entry here.)

If you’d like to read the whole crazy story, search for “green dam” in the search box on the bottom of the right column on the Sunbelt Blog page.

Green Dam has been SUCH a fun disaster to write about.

Tom Kelchner

Most people think online tracking is creepy

A university study has found that two out of three Americans do not care for online tracking by advertisers. And, once they find out how the marketing folks track them on the Internet, even more object.

The study, believed to be the first conducted by someone outside the advertising industry, was carried out by researchers at the University of Pennsylvania and the University of California, Berkeley. They hired a survey company that contacted 1,000 adults who use the Internet and interviewed them for 20 minutes each.

According to the study, 66 percent of those interviewed said they did not like tailored advertising. When they were told that web sites might track their behavior, another 7 percent said they did not like it. And, when asked about being tracked by other web sites, an additional 18 percent objected.

Ninety two percent of those surveyed said they would support a law that required Web sites and advertising organizations to delete information about them on request.

Marketing trade groups, who point out that advertising pays for a lot of Web content, are working on a set of practices, like notification that site visitors are being tracked, in order to avoid government regulation. Meanwhile, there have been indications that Congress and the U.S. Federal Trade Commission might be about to step in to protect consumer online privacy.

See story here: “Two-thirds of Americans object to online tracking”

Thanks Alex.

Tom Kelchner

The next big [ugly] thing: Trojan shows fake bank balance

A banking Trojan named URLZone (Finjan) exploits a hole in the major browsers on Windows machines to show victims a fake balance on their banking web site as it steals cash and sends it to the account of a money mule, according to Finjan researchers.

Victims will continue to see the fake balance in their accounts and not notice the theft until they obtain their balance at an ATM, check with a computer that is not infected or get an overdraft notification.

URLZone, which is loaded onto victims’ computers by malicious .pdf files or JavaScripts, exploits a vulnerability in Firefox and Opera as well as Internet Explorer 6, 7 and 8 browsers. It has been used to steal more than $400,000 from customers of German banks recently, according to Yuval Ben-Itzhak, Finjan chief technology officer.

Ben-Itzhak said, “It’s a next generation bank Trojan. This is part of a new trend of more sophisticated Trojans designed to evade antifraud systems.”

Story here.

Rogue downloader uses Firefox warning screen lookalike

Patrick Jordan found this one today:

The rogue Alpha AntiVirus page used to hijack a browser copies the Firefox warning screen:

[Image: rogue page mimicking the Firefox warning screen]

Looks like the Firefox warning page (in Internet Explorer), but with a difference. Clicking leads to this:

[Image: fake scan results after clicking through]

Which goes to the payment screen:

[Image: Alpha AntiVirus payment screen]

The AlphaAV lineage:

XP Antivirus (2007)

AntiVirus 2009 (2008)

AntiVirus 360 (end of 2008)

Total Security (January 2009)

Personal AntiVirus (January 2009)

Total Security (2009)

What makes research on these rogues very challenging is the fact that they swap the download web sites about every six hours.

Thanks to Patrick Jordan

Tom Kelchner

Philippine flooding – all Sunbelt hands accounted for

Researchers in the Sunbelt Manila office have reported that the entire staff has been accounted for and flood waters are receding. Half the staff members are in their homes and unable to reach the office. The Sunbelt facility is on the 17th floor and has electricity.

The Sunbelt headquarters in Tampa Bay, Florida, has been in touch with various staff members by email.

Staffer Alejandro Mendoza III sent the following:

Here are some photos taken from my apartment. I am at Pasig Green Park Village and fortunately, my place is on the 3rd floor. Our village is near joey, aldous, reggie, reggie and berman.


When we woke up at around 11 am, the water was already waist deep. We were not worried at all since the place does not usually get flooded. We no longer had electricity at around 1 pm.


By 4 pm, the water was already chest deep. At this point, things started to get scary. We could no longer go out and evacuate because the water level was higher on the main road, so we opted to stay in our apartment. Those who were staying in single story houses began to move to our place.

Inside the first floor of our apt. Our place is higher than the road, so the water level was still knee deep at this point.


By 11 pm the murky water has already covered the first floor and cars are now completely submerged. Water level on the street is about 6 feet or deeper. You can only see the trunk of the Chevrolet.


By 8:30 am 9/27, the water was still shoulder deep. People had to use an air bed as a life raft to go out and check on our other neighbors.

Water slowly subsided and by 8 pm, water is still waist deep.

Aldous de los Santos sent this account at 1:44 p.m. Sept. 28 (local time):

Water in my area has receded this morning.

I plan to come by the office this afternoon to recharge cell phones and laptop computer.

We are fixing and cleaning a lot of things in the apartment. Roads going out are muddy but passable.

I’m saving my laptop’s battery, so I can only go online from time to time.

I’ll see if I need to get a power generator for the house in case the power takes weeks to be restored, since I heard that some areas are still under water.

We have only a few updates from the news since we are saving batteries.

No TV, we can only get updates from the net and radio.

[Photo: view from de los Santos’ apartment during the flooding.]

[Photo: the same view when the water peaked.]

Tragic flash floods and landslides always happen in PH =(

I had only watched them on the news and visited places after it had happened, and this is my first time experiencing being really involved. I think what I have experienced is still minor compared to other subdivisions and provinces. The photos I took are within my area.

I wanted to go to the office to take some pictures, since we are on a higher floor and I could get a good view. But I have to stay with my family while the water is high.

–Aldous

News today on Philippine flooding. 100,000 homeless and 240 dead.

To help the victims of the flooding, go through the Philippine Red Cross (URL here.)

Tom Kelchner