Federal court: “browsewrap” agreements bad

A federal court decision might prompt Web-based businesses to make their customers respond in some way indicating they have read a Web site’s “terms and conditions.”

A federal judge in the Eastern District of New York has ruled that web retailer Overstock.com can’t enforce a $30 restocking fee found in its online terms and conditions because there was no evidence that customers even saw the agreement.

The decision came in a court action brought by customer Cynthia Hines, who was charged a $30 restocking fee by Overstock.com after she returned a vacuum cleaner. Overstock.com had a link at the bottom of its web page that led to its “terms and conditions” and said users consent to be bound by them merely by using the site.

U.S. District Court Judge Sterling Johnson, Jr. made the rather significant decision that Overstock.com’s “browsewrap” agreement was not adequate.

“Browsewrap” agreements are terms and conditions that are simply posted, with the act of browsing the site taken to imply that you agree to them. That’s opposed to “click-wrap” agreements, in which users must click a button that says “I agree,” or use some similar mechanism indicating consent.

Overstock.com’s 13 pages of “terms and conditions” are the usual nightmare of legalese. At 5,541 words, it’s the size of a serious short story and getting into the territory of a novella.

It almost seems like it was written with lots of meaningless padding to intimidate a reader by its size. It begins: “This website – http://www.overstock.com (the ‘Site’) is being made available to you free-of-charge. The terms ‘you’, ‘your’, and ‘yours’ refer to anyone accessing, viewing, browsing, visiting or using the Site.”

Wow! They give you their definition of “you.”

See story here.

Tom Kelchner

Induc is really something new

Our good friends at Kaspersky labs have done an interesting analysis piece on Induc – the malware that infects Delphi system files then passes itself along in anything created by the infected compiler.

When Induc was first discovered around the middle of August, Denis Nazarov at Kaspersky did a blog piece on it. Then several weeks later the Kaspersky folks wrote a longer analysis and concluded that Induc had some new features. They also concluded that it might have been around for many months before it was detected – possibly as far back as November 2008. And, there could be millions of copies of it around. Fortunately, it has no malicious payload.

“. . .as far as we know, no-one’s tried to directly infect the service files of a compiler before. This approach is so unusual that it doesn’t fit anywhere in our current classification system. Induc isn’t a virus in the strict sense of the word, because it doesn’t directly infect files. It modifies a single system file rather than every file which it finds. Induc can’t be called a worm, and it can’t be called a Trojan either, even though it does possess certain hallmarks of such types of malware. So Induc really is something new.”

Since Induc was included in programs when they were compiled, whitelisting companies have some big problems on their hands trying to sort them out.

The folks at Kaspersky also noticed something else interesting: banking Trojans, probably from Brazil, containing Induc. That means malware writers in Brazil have infected compilers. Delphi is popular in that country.

See Kaspersky analysis here.

Vipre detects Induc as Virus.Win32.Induc.a (v)

Tom Kelchner

“Outgoing dope may be your hush-hush evidence”

One of the joys of our fantastic global communications network called the Internet is the twisted prose that comes out of translation engines. They take the well-chosen words of some hard-working person on the opposite side of the world and turn them into a form of Engrish that is only a bit more readable than the original text of Beowulf, but really funny.

Here is some of the translated text from a glowing (I think) recommendation of the Sunbelt Personal Firewall. It was originally written in an alphabet that we’re guessing is in use somewhere between the Persian Gulf and India:

“Now, it is called the Sunbelt Personal Firewall. Not all firewalls are the word-for-word. This firewall was discussed in olden days on my blog. They be analyse in effectiveness. That cannot be stressed adequate.

“The Sunbelt Personal Firewall blocks unwanted movement that is entering – but it also monitors what leaves from your conveyance.

“Outgoing dope may be your hush-hush evidence. It could be that your computer has been compromised and is instantly a district of a bot action. That avoirdupois arrange you up as a schnook of uniqueness swiping. Your computer could be district of a bot spamming action.

“This offers expires on September 17, 2009. A benign firewall, which monitors the communicative movement, intent discharge you an additional maybe at contagious some infection that has occurred on your conveyance.

“The Sunbelt Personal Firewall is extraordinarily a give-away at ten dollars.

“At this cost, the Sunbelt Personal Firewall is affordable to undisturbed unpleasantness strapped students at this period of year. Yes, it is just ten dollars when you using our association and the coupon standards SPFLOCKERGNOME when you categorize your codify.”


Site here.

Just another piece of glowing praise for Sunbelt products from a fan. Thanks Chris.

I mean, could we have made that up?

Just remember: “The Sunbelt Personal Firewall is extraordinarily a give-away at ten dollars.”

Thanks to Stu Sjouwerman

Tom Kelchner

Fake Codec uses false Facebook page

Scammers are using a fake Facebook page with a fake “Flash Player” update window to infect victims’ machines. Visiting various malicious sites results in:

Clicking on the “update” installs Trojan-Downloader.Win32.CodecPack.2GCash.Gen that can then install a variety of stuff, none of it good.


Trojan-Downloader.Win32.CodecPack.2GCash.Gen has been around since December.

Thanks to Patrick Jordan

Tom Kelchner

It’s ba-a-a-ack: Blue Screen of Death


Researchers at the SANS Internet Storm Center have reported finding exploit code that will crash Vista (SP 1 & 2) and Windows 7. It also could affect Windows Server 2008. The vulnerability it exploits is in the Windows Samba file-sharing mechanism.

A malicious agent need only send one malicious packet to a machine through port 445 to bring on the BSOD, they said. Port 445 is used for file sharing.

Obviously, a work-around is to shut port 445 at the firewall.

Since home users are inclined to use file-sharing and not to have firewalls, there are a lot of vulnerable machines out there. The vulnerability can be used for denial-of-service attacks at this point, but those rarely make money. We can be sure the dark side is working hard to figure out how to “monetize” it.

See story: “New flaw causes ‘Blue Screen of Death’ on Vista, Windows 7”

SANS Internet Storm Center note.

Tom Kelchner

New versions of Firefox will prompt for Adobe Flash update

Mozilla has had a good idea: checking for outdated Adobe Flash installations during the Firefox update process.


The mechanism hasn’t been announced by Mozilla, but a researcher found that the upcoming releases of the Firefox browser (3.5.3 and 3.0.14) will keep track of Adobe Flash plug-ins and prompt users when updates are available. The check will occur when users update their browser.

Currently, Firefox users can check for updates by checking Tools | Add-ons. A yellow “update” arrow icon will appear in the pop-up window if any updates are available for any add-ons they are running.

It’s been estimated that four out of five web surfers are using an unpatched version of Flash. In July, a Trojan was found that targeted the code used by Adobe Flash (versions 9 and 10) and Adobe Reader and Acrobat (9.1.2). The malcode was embedded in PDF files.

Story here: “Mozilla to protect Adobe Flash users – Update”

Tom Kelchner

Vote for the best Windows Server products and services

Windows IT Pro and SQL Server Magazine are having their yearly Community Choice Awards Vote. This is always fun and interesting to participate in.

They want to hear from IT pros, database administrators and developers about what you think the best products and services are in a given category.

Here’s how it works: using the online form, vote for each of the products you’ve used and would recommend to others. This is a quick and easy survey.

And if you could do me a big favor, please vote for VIPRE Enterprise in the second question called “Best Anti-Virus/Anti-Malware Product.”

Survey here.

Thank You So Much!

Laurie Murrell

Protection System rogue targets MalwareBytes

Patrick Jordan drew our attention to this rogue security product this morning.

Rogues, of course, are fake anti-malware products that confuse victims into believing they are legitimate security software, when actually they infect their computers or do nothing for the purchase price. The “Protection System” rogue takes this confusion one step further by actually searching for a LEGITIMATE anti-malware application on the victim’s computer and tricking him into uninstalling it.

During installation, the Protection System rogue will generate the following message if it detects MalwareBytes.


If a victim clicks “OK,” it will call the MalwareBytes uninstaller and uninstall the software.

After the install, it then asks for your email address.


Then a “thank you” appears as if you actually had purchased the rogue.

To read our white paper “How to Tell If That Pop-Up Window Is Offering You a Rogue Anti-Malware Product” click here.

Tom Kelchner

Microsoft “mandatory upgrade” for Messenger is an interesting concept

There has been a curious lack of outrage at Microsoft’s announcement that it will launch a “mandatory upgrade” of Windows Live Messenger (mid-Sept. for Messenger 8.1 or 8.5 and late Oct. for 14.0). The point is to make fixes necessary because of vulnerabilities in the Microsoft Active Template Library. Microsoft tried to fix those in July in Internet Explorer and Visual Studio and in the August patch cycle fixed five more vulnerable apps.

The “net freedom” ethos (anarchy?) has always been widespread, but recently it’s even gone one step further with political parties forming up in Europe that advocate the freedom to steal music and software (oh, sorry, “copyright reform”) as the centerpiece of their platforms. “Pirate” party? Do they know what real seagoing pirates actually do?

Microsoft did a masterful job phasing in the changes over the next few months, encouraging voluntary upgrades and dazzling users with cool new features: “Add a profile picture or video, display a personal scene in the chat window, update the status message with your news, add a favorite link, or add what song you’re listening to.”

“And Photo sharing. Photo sharing lets you share and comment on pictures while you’re chatting.”

Are “mandatory upgrades” the next big thing in computer security? It’s not a bad idea given that a vast amount of malware lives and propagates worldwide on the unpatched PCs of Typhoid Marys who never update anything.

Microsoft notice here.

Tom Kelchner

Search for news of California fires gets you Trojan downloaders

Web surfers in search of news of California wild fires are being served up Trojan downloaders from malicious sites taking advantage of the high news profile of the situation.

Steve Bass, who is near Altadena, Calif., sent us a note:

“We’ve discovered that if you conduct an “Altadenablog” search on Google right now, it will point you to several sites that will try to load malware on your computer. It’s pretty insidious — it will not allow you to surf away nor shut off the browser unless you click the “Yes” button on the “Download antivirus software now!” box. We have a Mac and know a few hacker tricks to shut down a recalcitrant browser, but others might not be so lucky.”

Another dangerous search string is: “Altadena Fire Hottest Info” Steve said.

In another email he wrote: “As you know, we’re in the thick of it. No danger right now, but the street is smoky.”

Patrick Jordan followed up with some research.

His comments:

“This is one of the groups of sites which is changed every day and the Trojan downloader is the Trojan-Downloader.Win32.CodecPack.2GCash.Gen

“They use switching terminal sites as they are the urls not seen in transmissions that can remain static for days but rotating to the newer 2GCash Fake Codec sites.”

Thanks to Steve Bass

Tom Kelchner

Learning computer security from experience without getting pwned

Watching kids growing up shows you some sobering stuff about learning. Probably the foremost one is that you usually have to get hurt before you REALLY learn.

There were two high-profile news stories in the last few days that emphasized some computer security concepts and nobody actually got hurt.

Story one: someone mailed a fake fraud alert to some small credit unions with two CDs of “training material” that were believed to contain malcode. The personnel who received them immediately did the right thing: notified the National Credit Union Administration, which quickly sent out a real fraud alert. The casual news reader learns: “Whoa! Bad guys can MAIL CDs with malware that can compromise networks or computers.”

Story two: the governor’s office in West Virginia received five HP laptop computers that they didn’t order. They checked with their IT staff, then called state police, suspecting the machines contained Trojans. The FBI is investigating that incident and similar ones in about 10 other states. The casual news reader learns: “Whoa! Bad guys can mail ENTIRE COMPUTERS that can compromise networks or computers.”

The first story turned out to be part of some penetration testing by a Columbus, Ohio, testing group checking the security at the credit unions. They found that security practices were good.

We have yet to learn what’s lurking on the laptops in the FBI’s possession besides Vista, Office 2007 and 20 GB of crapware.

The point was made: malware can arrive in any storage media, not just via the Internet.

Story one here.

Story two here.

Tom Kelchner

Microsoft rolls out next phase of Office Genuine Advantage

Microsoft updates this week will contain code to check for pirated versions of Office XP, Office 2003 and Office 2007. It’s the next phase of the “Office Genuine Advantage” (OGA) program which will throw up a nag screen that says “This copy of Microsoft Office is not genuine” if it finds a pirated version.

Theft by software pirates is vast. It was estimated that 41 percent of the software on machines throughout the world in 2008 was pirated – a $50 billion loss to manufacturers and resellers.

There’s a good story about it here.

And here.

Just like in physics, any big move like this by a legitimate manufacturer of popular software is sure to have an equal but opposite reaction on the dark side. We wish Microsoft luck with OGA, but still we predict:

— A news story in the next few weeks about somebody’s discovery of a mechanism to defeat or sidestep OGA security.

— The availability of patches, or entire reverse engineered Windows operating systems and Office versions that suppress or evade the OGA nag screens. The pirated apps will probably attempt to evade updates. The net result will be that they also will avoid patches for newly discovered vulnerabilities.

— Trojanized Windows Office versions that are distributed as apps that evade the Windows Genuine Advantage mechanisms.

— Malicious spam advertising the above.

— Yet more bot-riddled machines in China.

Tom Kelchner

Two sources: phishing email volume dropped in first half of year

Internet users might be getting more security savvy and are getting better at identifying phishing emails.

Phishing spam is down significantly, according to two recent reports, one by Russian anti-virus company Kaspersky and the other by IBM’s Internet Security X-Force.

Phishing, the attempt to lure victims into revealing banking web site passwords or other sensitive information, is largely aimed at PayPal and eBay customers, according to Kaspersky researchers. They said 60 percent of the phishing emails they monitored were attempts to steal login information for those two businesses.

The Kaspersky researchers said in their report that in the first quarter of this year, phishing emails made up 0.78 percent of email traffic. In the second quarter it fell to 0.49 percent.

The IBM X-Force researchers reported that phishing made up 0.2 to 0.8 percent of spam emails during sampling periods in the first half of last year. It was 0.1 percent of spam in the first half of this year.

Besides Internet users being more security conscious, they said, other reasons for the drop could be the success of anti-phishing measures in anti-malware products, or banking Trojans replacing phishing. IBM estimated that 55,000 people still lose their confidential information to phishing every month.

Kaspersky report here.

Story on IBM report here.

Tom Kelchner

Zango using fake codec to install

Zango adware has been out of sight for a while. It’s back with a new twist: using a fake codec to install its pain-in-the-butt software. The lure for the codec: an alleged porn video viewer.

Here’s researcher Patrick Jordan’s narrative:

“Any site that runs a fake codec scam or other social engineering scam to get users to infect themselves — those sites directly and indirectly associated are put into my sites listings and Zango just made it!

“From a rotational site I use to get the standard fake codecs and dischargers, today I found one of the re-directs going to a fake codec page advertising porn movies and the normal ‘No video player found.’


“What I got was a pop-up for a DreamMediaPlayerSetup.exe coming from prompt-zangocash.com.”

“Even just going to the main site url will also give a type of fake scanning then tell you not to close the window until installation is complete.”

Sites on the same IP all come under the same email user name with two different aliases:

Andrej Zolotov jcc_parker @ yahoo.com
Dmitry Ivanov Private person jcc_parker @ yahoo.com


Our last blog entry, from April, about Zango being sold at fire-sale prices is here:

Thanks Patrick

Tom Kelchner

Virus.Win32.Induc.a (v) spreads from Delphi compiler

The question has come up and the answer is “no.” No, VIPRE and other Sunbelt software have not been infected by Virus.Win32.Induc.a.

For a virus with no malicious payload in 2009, Virus.Win32.Induc.a has certainly made the headlines. That is probably because it is an innovative idea. Maybe an update will make it malicious, but it does nothing now.

According to Sunbelt Vice President of Threat Research and Technologies Michael St. Neitzel, Delphi is used by developers much more in Europe and Russia than in the U.S.

According to St. Neitzel: “This is a real challenge for anti-virus vendors and those on the receiving end. When AV scanners start identifying applications as infected with Win32.Induc, it’s an open question whether or not the scanners can clean them.”

“If they can’t, the original developers are going to be required to get the infection out of their Delphi compilers, recompile the applications and get the clean code back to their customers. Given there could be different versions of the infected applications in circulation, this is going to be a real nightmare for some companies to deal with,” he said.

See story here.
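As an added example (not code from Sunbelt, Kaspersky or the researchers quoted here), this is the check a Delphi shop would want in light of Induc’s mechanism, described in this entry and in the earlier “Induc is really something new” entry: record SHA-256 hashes of the compiler’s library directory on a known-clean machine, then re-verify before every build so a modified unit is caught before it is compiled into shipped binaries. The directory layout and file names in the demo are constructed stand-ins, not Induc’s actual artefacts.

```python
"""Compiler-toolchain integrity check (added example, not Sunbelt/Kaspersky code).

Induc spreads by altering a single library file of the Delphi compiler so that
every program it builds carries the infector. The defensive counterpart is a
hash baseline of that library directory, verified before each build.
File names used in demo() are constructed stand-ins for illustration.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large units don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(lib_dir):
    """Map each file under lib_dir (path relative to lib_dir) to its SHA-256."""
    baseline = {}
    for root, _dirs, files in os.walk(lib_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, lib_dir).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline as JSON; keep this file somewhere the build box cannot write."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def verify(lib_dir, baseline):
    """Compare the live directory with the baseline; any non-empty list blocks the build."""
    current = build_baseline(lib_dir)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: clean library, baseline taken, then one unit is tampered with."""
    with tempfile.TemporaryDirectory() as lib:
        # Constructed stand-ins for compiled Delphi units (not real Induc artefacts).
        for name, body in (("SysConst.dcu", b"clean sysconst"), ("SysUtils.dcu", b"clean sysutils")):
            with open(os.path.join(lib, name), "wb") as f:
                f.write(body)
        baseline_path = os.path.join(lib, "..", "toolchain-baseline.json")
        save_baseline(build_baseline(lib), baseline_path)
        baseline = load_baseline(baseline_path)
        clean = verify(lib, baseline)           # expected: nothing flagged
        with open(os.path.join(lib, "SysConst.dcu"), "ab") as f:
            f.write(b"\n; injected bytes (simulated tampering)")
        tampered = verify(lib, baseline)        # expected: SysConst.dcu flagged as modified
        os.remove(baseline_path)
        return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Run the baseline step once on a machine known to be clean and store the JSON off the build host; a verify result with anything in `modified`, `added` or `removed` means the toolchain must be reinstalled before any application is recompiled.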

Tom Kelchner

Windows pirates in China get jail, fines

Four software pirates in China were sentenced to several years in prison and fined for running a web site that distributed, FOR FREE, 10 million copies of Windows XP over five years, according to the Shanghai Daily newspaper.

According to prosecutors, the four used a web site to distribute copies of Windows XP that were reverse engineered to remove anti-copying measures and renamed “Tomato Garden.” They made more than $400,000 selling advertising on the site.

Story here.

And here.

Since these pirated copies of Windows never got updated, they helped establish a vast reservoir of computers wide open to new and old exploits. One can be sure those machines have been used to set up some of the huge botnets that prey on all of us.

So, the Windows XP copies that these guys gave away were a gift of the 21st century the way smallpox-infected blankets were a “gift” in the 18th.

Tom Kelchner

First Internet addiction treatment center opens in Washington state

Two women have begun a small treatment program for Internet addiction near Fall City, Wash., called the reStart: Internet Addiction Recovery Program.

The two — Cosette Rae, a clinical social worker, and author Hilarie Cash — believe their center is a first in the U.S. They started it after treating a large number of people dependent on gaming, gambling, chatting, texting and other Internet-related activities.

The 45-day treatment program at the five-acre Heavensfield costs $322 per day.

Discussions of Internet addiction usually range from the amused (“so, who isn’t?”) to the dismissive (“just go outside and play”) and the entire concept is controversial.

Commentary on addiction or excessive use of new substances or activities has been around for a long, long time. One of Nuremberg artist Albrecht Dürer’s most profound prints is his “Melancholia,” which shows a pretty depressed looking angel surrounded by intellectual apparatus and tools of the day (1514). And Hogarth’s social commentary on the drinking habits of his fellow Englishmen in his “Beer Street” and “Gin Lane” prints is a condemnation of gin, a newly available intoxicant in 1751. So, even those hundreds of years ago, people were trying to figure out “how much of this is really healthy?”

Today, the answer for malware writers is pretty simple: “you need to do a lot less coding and play a lot more World of Warcraft!” And when you need a break, fly over to Heavensfield. (“Resurrection in 45 days!”)

Story here.

VIPRE “runs just fine in Win7 XP mode”

XP mode in Windows 7 is a little bit different. It runs in a virtual environment. The implications of that are pretty big for anti-virus companies, since the anti-virus application you are running in Win7 doesn’t protect the XP mode partition and vice versa.

Here at Sunbelt Software the quality assurance group just tested the Win7 XP mode and found that VIPRE runs just fine.

According to Curt Larson, VIPRE/CounterSpy Product Manager:

“XP mode acts like a virtual environment in W7. Scanning in XP mode only scans files in the XP mode session, it does not scan on the W7 box itself. Two copies of VIPRE were installed, one in XP mode, one in W7, both performed properly.

“We are thus compatible with XP mode. Our company policy is a single-user license applies to one box, and any VM sessions on that box. A single-user license is set up to allow multiple installations on one box with W7 and XP mode both running.

“Short answer: ‘We’re compatible with XP mode in W7. License applies per box, not per instance of VIPRE on a box.’”

Tom Kelchner