The Legacy Sunbelt Software Blog

Sunbelt Software has been included in Inc. Magazine’s third annual ranking of the 5000 fastest-growing private companies in the U.S. This is the third time that Sunbelt has been on an Inc. 500 or 5000 ranking.

“The Inc. 5000 gives a cross-industry picture of growing companies with cutting-edge business models, as well as older companies that are still demonstrating growth,” said Inc. 5000 Project Manager Jim Melloan.

“Sunbelt’s position as a leading provider in its industry, coupled with its history of year-over-year growth, makes it a prime example of the caliber of companies included on the list of the fastest-growing companies in the country.”

And now, a word from Alex (that would be CEO Alex Eckelberry):

“Over the past year, the pressures of the economic downturn have made Internet attacks more prevalent than ever, and financially motivated threats continue to rise. Thanks in large part to our VIPRE® next-generation anti-malware offering, Sunbelt gives enterprises and consumers the up-to-date computer security they need to be able to carry out their Internet activities in a safe environment. We continue to drive new innovations in the security industry and the honor of being included on the Inc. 5000 list is an indication that we’re staying on the right track.”

Read all about it here.

Tom Kelchner

The staff at the SANS Internet Storm Center has put together a good brief piece on how to prepare for and go through an outside IT audit. The philosophy is basically: work with the auditors rather than against them in order to get the maximum value from the process.

Text here.

Johannes Ulrich discusses it and adds some good comment in the Aug. 17 podcast.

Someone also left a great comment with the article: if the auditors find problems, you can always use them as leverage to get more budget.

The SANS Institute, in Bethesda, Md., provides information security training, certification and research. Its Storm Center is a cooperative venture in which volunteer members share intrusion detection information to spot and analyze worms and other fast-moving malicious software.

“Zombies are a popular figure in pop culture/entertainment and they are usually portrayed as being brought about through an outbreak or epidemic. Consequently, we model a zombie attack, using biological assumptions based on popular zombie movies. We introduce a basic model for zombie infection, determine equilibria and their stability, and illustrate the outcome with numerical solutions. We then refine the model to introduce a latent period of zombification, whereby humans are infected, but not infectious, before becoming undead. We then modify the model to include the effects of possible quarantine or a cure. Finally, we examine the impact of regular, impulsive reductions in the number of zombies and derive conditions under which eradication can occur. We show that only quick, aggressive attacks can stave off the doomsday scenario: the collapse of society as zombies overtake us all.”

From When Zombies attack!: Mathematical modelling of an outbreak of zombie infection (via GMSV).

Alex Eckelberry

NSS Labs has posted the results of its testing of the big six browsers for their ability to repel social engineering malware and phishing attacks. “The results are based upon empirically validated evidence gathered by NSS Labs during continuous 24×7 testing against fresh, live malicious sites” they said.

Social engineering threats caught:

— Microsoft Internet Explorer v8 (81 percent)
— Mozilla Firefox v3 (27 percent)
— Apple Safari v4 (21 percent)
— Google Chrome 2 (7 percent)
— Opera 10 Beta (1 percent)

Phishing threats caught:

— Microsoft Internet Explorer v8 (83 percent)
— Mozilla Firefox v3 (80 percent)
— Opera 10 Beta (54 percent)
— Google Chrome 2 (26 percent)
— Apple Safari v4 (2 percent)

Test results here.

Tom Kelchner

Jose Nazario, writing on the Arbor Network Security blog “Security to the Core,” has described a botnet that uses Twitter as a command-and-control channel. The bot owner sends update information in a tweet and RSS feeds send it to the botnet.

The tweeted update information is in the form of a shortened URL, which leads to one of several malicious web sites. Before they were taken down, Nazario found that the sites downloaded a packed .exe file that was an information stealer (Buzus) and packed .dll file loaded with URL’s where the .exe could phone home the information.

The mechanism seems to be the work of Brazilian ID thieves, he said.

Blog post here.

Tom Kelchner

No, that headline isn’t from the Onion.

Entire blog post here.

Xinhua story from July 16 here.

Sometimes a big story is eclipsed by a larger one. This is one of them.

The fact that China banned electroshock therapy for Internet addiction showed up in the later paragraphs of a lot of the same stories several weeks ago as the account of a Chinese boy getting beaten to death in a boot-camp style institution that was supposed to cure him of Internet addiction.

The bottom line in both stories is that in China the list of diagnostic standards for a lot of emotional and psychological conditions is kind of messy.

Apparently there are hundreds of institutions that make a lot of money “treating” kids who are diagnosed with “Internet addiction.” Internet addiction is defined as spending more than six hours a day at the computer. By that definition, it is claimed that 10 percent of the Internet-using public in China is addicted: 30,000. It was estimated that 3,000 had already been zapped.

I’m going to end this now without making any jokes about my friends who spend more than six hours a day on WoW.

GO OUTSIDE AND PLAY!

NY Times story here.

Tom Kelchner

The Chinese Minister of Industry and Information Technology, Li Yizhong, has said that the fiat that all computers sold in his country after July 1 were required to have Green Dam Internet censoring software was just a great big misunderstanding.

Green Dam will be installed in school computers and those in public places, but computer buyers are not required to install it on their own machines, he said.

Almost from the moment the Ministry of Industry and Information Technology announced the requirement in May, there was push back from a wide range of places.

A U.S. firm, Solid Oak Software, of Santa Barbara, said June 12 that code from its CyberSitter software was ripped off and used extensively in Green Dam-Youth Escort. It sent cease-and-desist letters to U.S. PC manufacturers who were expecting to install it for the Chinese market. The company also launched lawsuits in the U.S. and China.

The staff at the company that created it, Jinhui Computer System Engineering Com of Zhengzhou, China, got harassing phone calls, including late-night death threats.

Most observers assumed that Green Dam was to prevent Chinese Internet users from seeing content critical of the government. The Chinese government already operates a “Great Firewall” to filter Internet content (including politically sensitive sites) but it can be bypassed.

Politics aside, there are serious problems with Green Dam:
— It has the capacity to monitor keystrokes.
— It logs the URLs of sites the user has attempted to reach.
— It uses unencrypted data transfer from clients to company servers.
— OpenNet Initiative said Green Dam can monitor activities in addition to Web browsing and can shut down applications.
— The black-list update process is vulnerable to compromise
— Exploit code was posted that compromises Internet Explorer on computers running Green Dam. It uses a stack overflow in the browser process triggered by an overly long URL. It works on Microsoft’s latest Vista operating system too.

June 16 we blogged that we classify Green Dam as a surveillance tool with a rating of “moderate risk” and we recommend that CounterSpy™ and VIPRE® users quarantine it.

Story here.

Tom Kelchner

Nice list.

Find it here.

Thanks Alex, and Stu.

Tom Kelchner

A San Antonio, Texas, firm named PearAnalytics, whose company slogan appears to be “analytics, insights, intelligence” studied several thousand tweets from Twitter users and found that 40.55 percent of them were “Pointless Babble” (their caps, not mine.)

“Conversational” tweets were 37.55 percent, “Pass-Along Value” (retweets) was 8.7 percent, “Self Promotion” was 5.85 percent, “Spam” was 3.75 percent and “News” was 3.6 percent of the 2,000 tweets captured.

The study was a great idea, but the snotty name for the biggest category wasn’t exactly something you’d find in anthropology journals.

How about:
— “relationship reinforcing”
— “friendship building”
— “social linking”
— “pleasantries”

A boss of mine in the computer security field some years ago started writing and saying: “there is no privacy, get over it.”

None of us who worked for him could have anticipated the day when a marketing research firm would eavesdrop on Internet exchanges (yes, I know it’s public speech) and insult the people who just wanted to say “hi” or “I’m eating a sandwich” to their friends.

Sheesh! Lighten up! It’s a service named “Twitter.” You’re expecting maybe 140-character discussions of existentialism?

PearAnalytics report here.

Tom Kelchner

Imagine a country where:

— few people can afford computers and any kind of computer security software is usually beyond their means
— 80 percent of computers are infected with malware
— many desperately needed machines are disabled with viruses and in storage
— Internet connections, which are only dial-up, are so slow that AV updates take all day to download and one web page takes 10 minutes to load
— most installed operating systems are pirated, never updated and completely vulnerable

It sounds like the setting of a dystopian novel written in Czech about 1920. It isn’t. It’s Ethiopia — today.

The Guardian of the UK has run a story about the grim world of computing in one country in Africa where most people and organizations are powerless to defend themselves against malware. (Read it here.)

Tom Kelchner

For some reason — probably a dearth of big news in the height of vacation season — there’ve been a lot of retrospective articles on the security news sites we monitor. It’s a good day to read about the history of viruses and their explosive growth. It was kind of like stepping into a time warp or something. Stories about Slammer, Blaster, SoBig.

Then Patrick Jordan drew our attention to a piece he saw: a Trojan aimed at Macs that changes the Domain Naming System is circulating, according to Trend Micro. It claims to be a QuickTime Player update and carries the name “QuickTimeUpdate.dmg.” Users are prompted to download it when they try to view online videos from malicious sites.

Trend’s posting here.

Here’s our blog posting from the last time we saw this:

Sunday, December 16, 2007
Another DNSChanger codec variant to stay away from – codecnice

codecnice(dot)net:

Pushes both Windows and Mac Trojan.DNSChanger. Sample binaries: Mac: codecnice(dot)net/download/codecnice1126.(dot)dmg. Windows: codecnice(dot)net/download/codecnice1126.(dot)exe.

Not so nice . . .

As always, please don’t touch these binaries unless you know what you’re doing as they are live Trojans.

2007 post by Adam Thomas here.

Weird.

Tom Kelchner

Sunbelt has been listed as number 25 on the list of 100 medium-sized companies considered “best companies to work for in 2009” by Florida Trend and on FloridaTrend.com.

It’s an interesting time at Sunbelt. There’s major growth going on here. According to the folks in human resources, we’ve hired about 50 people since the first of the year.

The joy of working for small and midsize companies is the feeling that you’re helping to invent the place. That’s what drew me here in April; that and the year-round bicycling on great bike trails and the beach and the seafood and fresh fruits and fresh vegetables and Alex Eckelberry’s wild and crazy blog.

See the Sunbelt news release here.

Tom Kelchner

Whenever new technology comes along and makes our world nearly unrecognizable, there are always people who make art and explain it all to the rest of us. Charles Dickens explained it all after new technology – the guillotine – changed the world, mostly in France. Joe McKay, who appears to live in California, is just such a person for our “cyber” times.

A first glance gives the impression that he’s just an imaginative schlep with a cat, Ico, and a home page on mac.com. If you read further, however, it turns out he’s a cyber artist with a list of gallery shows going back nine years. He’s also a college professor who teaches at UC Berkeley and Stanford (MFA UC Berkeley, ’07 and BFA Nova Scotia College of Art and Design, ’93).

In addition to making gallery art and musical instruments with cell phones, McKay has been working on the problem of how to stop the advertising that gets sent to your Gmail recipients along with your emails.

His techniques include putting a reference to a major catastrophe in your email. Gmail’s “good taste” filter prevents the ads from appearing.

He also did some serious experimenting by using George Carlin’s famous “seven dirty words” in email text and subject lines to stop the ads. The mixed results, and his spread sheet, are just hilarious, and very practical.

See McKay’s “How to avoid Gmail’s Sponsored Links” here.

Tom Kelchner

Twenty four hours after the denial-of-service attack on Twitter, the web is just aglow with theories about what happened. There seems to be agreement that Twitter, which has been experiencing phenomenal growth in the last year, didn’t have the infrastructure to withstand a huge surge of traffic.

The Register, possibly the best source of hilarious headlines and slang in the history of writing (well, there is the Onion, but they make up the news), called it a “Joe Job.” That’s a distributed denial-of-service attack launched when some malicious entity social engineers a large number of people into visiting to a target web site. The surge in traffic brings the victim site down.

The chain of events then would be: Pro-Russian miscreants spam a lot of people with Tweets, possibly via a botnet, to visit the web site of Cyxymu, a pro-Georgia blogger. The surge in Tweets and people clicking links brings down Twitter. Facebook and LiveJournal are slowed, but not shut down. Possibly the attackers also use a botnet to attack at the same time.

Cyxymu’s site is down this morning.

So, in the worst tradition of journalism we will now report the speculation:

PC Magazine: “Did Koobface Cause the Twitter DDoS Attack?”

The headline says it all.

PC World: “Why Attack Twitter?”

Answer: Koobface or old-school hacker looking for fame or someone advertising the power of their botnet, which is for hire.

The Register: “Twitter meltdown raises questions about site stability”

The Twitter problems were collateral damage from a Joe Job attack on a blogger named Cyxymu who apparently is a very vocal pro-Georgia advocate who irritates a lot of pro-Russian folks in the war of words over South Ossetia and Abkhazia independence. Cyxymu has Facebook, Blogger and LiveJournal accounts. Aug. 8 is the one-year anniversary of Russia’s invasion of Georgia. (See “The Georgian Times” one-year-later story here.)

The Register credits the theory to Bill Woodcock, research director of the non-profit Packet Clearing House in San Francisco.

Researchers Patrik Runald at F-Secure and Graham Cluley at Sophos, disagree.

Associated Press: “Hackers attack Twitter, Facebook also slows down”

Agrees with Register.

The root causes then would be: bot-infected machines (not running anti-virus solutions) and Internet users clicking on links from strangers.

Tom Kelchner

Details few.

Story in the Wall Street Journal.

2:05 p.m. (EDT) — back on line

Believed to be distributed denial of service attack. Details still few.

Story in the Telegraph.

Confirmed DoS on Twitter status page.

Facebook and LiveJournal also under attack.

Story in New York Times.

Tom Kelchner

And now, from that fun-loving Finnish gang that discovered the ASN.1 network
standard vulnerabilities in 2001 – critical flaws in XML.

Researchers at Codenomicon in Oulu, Finland, have found critical flaws in open-source implementations of Extensible Markup Language (XML) that affect a huge array of applications used by nearly every sector of the computer-using population of planet Earth.

Ari Takanen, Codenomicon CTO, has said that the vulnerabilities are in every open-source XML library and a lot of them could let the dark side write exploits that could launch denial-of-service attacks or execute malicious code.

Applications affected include anything written with Java, Python or Apache Xerces.

Libraries built on C – and most are Takanen said – are a high risk. Exploits against those are significant since they can execute code.

Codenomicon briefed the Finnish Computer Emergency Readiness Team, which is contacting software publishers who have embedded the libraries in their products.

The principals of Codenomicon discovered vulnerabilities in the ASN.1 network standard in 2001 that many companies (and governments) struggled to fix for months.

The vulnerabilities can be used in exploits and victims could be social engineered into opening malicious XML files or sending malicious requests to Web services that depend on XML.

It is suggested that organizations keep aware of security updates from companies that provide the libraries they use.

According to the Codenomicon web site: “Founded in 2001, the company was spun out of the successful PROTOS test tools research of the Oulu University Secure Programming Group.

See story in Register.

Tom Kelchner

Typical Browser Hijacker for the Personal Antivirus rogue

All your grammar are belong to us.

Description of Personal Antivirus in the Sunbelt Rogue Blog here.

Thanks to Patrick

Tom Kelchner

Swedish based telecom TeliaSonera has cut Internet connections to the Riga, Latvia servers hosting Real Host Ltd., a bullet-proof ISP and host of the Zeus botnet which is suspected of stealing financial information from millions of PCs, 3.6 million in the U.S. Real Host also is believed to be a splinter of the Russian Business Network.

TeliaSonera provides telecommunication services in the Nordic and Baltic countries as well as Russia, Turkey and Spain, according to its web site.

Real Host joins the elite group of recently shutdown spam networks Atrivo, McColo and Pricewert.

Story here.

Researchers have discovered that micro-blogging service Twitter is apparently working on a system for filtering malicious URLs, including shortened ones, but it’s a work in progress.

We tried it.

It’s a work in progress.

Shortened URLs are handy in Twitter posts, which are limited to 140 characters. Unfortunately, they are also handy for spammers and botnet operators to obscure malicious links in email.

Mikko Hypponen, chief research officer at the F-Secure security company in Finland, blogged about Twitter’s filtering August 3. Twitter has made no announcement and researchers believe the company is working on the process.

This much is known about it at this point:

— it’s using Google Safe Browsing API to filter links to malicious Web sites listed on Google’s blacklists of sites connected to phishing and malware.

— it stops automatically registered or compromised legitimate accounts from Tweeting known malicious links.

— if the “www” subdomain is removed from a URL, it isn’t filtered.

— a URL with “http://” isn’t filtered.

— the system isn’t linked to StopBadware.org’s database of nearly 400,000 reported malicious sites

— an alert is triggered only for URLs shortened using bit.ly. TinyURL-shortened links are not filtered.

In July, the dark side discovered the potential of micro-blogging sites and the Koobface worm had a field day spreading through automatic Tweets generated from hijacked accounts.

The new system isn’t really advanced at this point, but, a work in progress is better than no security at all.

We’d really like to see Twitter’s system filter URLs with the StopBadware.org’s clearing house and maybe some of the Sunbelt Software ‘Threat Track™’ Data Feeds.

Our demo

To see just how bad the Twitter jungle was, we set up a Twitter account…

… and immediately got several followers, April and Lisa. Wow! Cute girls are interested in ME! April looks, well, sort of animated. She must be psychic though, since she put in a request to follow ME five hours BEFORE I set up my new Twitter account! (Do I hear someone whispering “bot”)?

I checked out her web site by clicking on the xurl.jp-shortened URL. It resolved to xxxblackbook.com. Hmmm, an adult dating web site. There certainly appear to be some uninhibited folks advertising for new friends there, but April doesn’t seem to be among them.

StopBadware.com said xxxblackbook.com was a place where you might want to tread carefully. Sunbelt Labs found that it was associated with malware. They have at least one unsatisfied customer on the ripoff report too.

So, clearly, Twitter’s filtering is a work in progress.

Story here.

F-Secure blog post here:

Tom Kelchner