Snap poll results: Majority of admins and users “hate” Office 2007


We’ve been running a snap poll on our site since Friday asking about Office 2007. Admittedly non-scientific, but we find it to be a fairly good “quick” read on big questions.

There were a lot of clicks on the poll. And since readers of our site tend to skew toward enterprise system administrators, it’s a wake-up call to Microsoft to kill the dammed ribbon in Office 2010.

Alex Eckelberry

The nuttiness has started: A “show of force or strength” for North Korea

Earlier today, I wrote a blog post cautioning against the rising hysteria over the current DDoS attacks.

Now, in direct contradiction to the opinion of security experts, Rep. Peter Hoekstra (R-Michigan) says the US should conduct a “show of force or strength” against North Korea.

This enterprising fellow is pushing for the United States and United Nations to take action based on… nothing. We have not heard or seen a credible shred of evidence that North Korea is behind these attacks.

Compounding the bizarre state of affairs, ABC News commentator Mike Malone beats the drum for cyberfear, linking dying children and his dislike of “hackers”, and sort of blames South Korea, but then makes this oddball statement:

Yeah, right. As if all of those millions of middle-class teenaged private owners of broadband connected laptops all over that electricity black hole called the People’s Republic of North Korea spontaneously decided to hack the Web sites of another country’s government and largest corporations.

Which is mystifying, because that’s not how this botnet (or pretty much any other one) works — these machines are not in North Korea, they’re all over the place.

We learned a harsh lesson not so long ago on military action based on flawed intelligence and hysteria. Let’s not repeat the same thing again.

Alex Eckelberry

DDoS global hysteria


Hype and hysteria are normal in the AV business. After all, they’ve been an intrinsic part of the business model since the Michelangelo virus. However, I get quite concerned about stuff like this when it could be used as a justification for war. South Korea, already on pins and needles because of its bellicose and nutty northern neighbor, is now suspecting that same country of launching a “cyber” war.

This is nuts.

I know of not a shred of evidence that this bot is from North Korea. It would take considerable research to ascertain the original source (the relevant IPs to the malicious code are in several places — Florida and Germany).

What happened here is trivial stuff in the security world: A bot got onto between 60,000 and 100,000 PCs and started launching DDoS attacks.

BFD. This hasn’t happened before? Russian politicians have to run their political campaigns on social networks because they are so used to being DDoSed during political campaigns. This is common stuff in the malware world.

Through underground channels, one can contact a botmaster (someone who “owns” all these infected machines), and pay them to DDoS whomever. It’s a felony, but it doesn’t mean it doesn’t happen. Or, one can gain control of a command and control (C&C) server and start DDoSing. This is what that kid who was DDoSing CastleCops did — he found a C&C by accident (they are out there, we’ve stumbled upon them not a few times in our research), went to his local library and started DDoSing CastleCops.

And no, one does not have to run out and frantically buy AV software. MyDoom and its variants are well-known pieces of malware that have been out for years. Detections are pretty robust; if you have a recently updated AV product, you should be fine. And remember, millions of people aren’t infected with this bot — the count of infected systems is less than .01% of the entire PC universe.

A far, far more critical issue is the current DirectShow exploit — now that is something to get worried about.

(Incidentally, Brian Krebs is keeping a good tally of the situation, and also links to this excellent overview by Hauri.)

Alex Eckelberry

Mydoom attacks – North Korea NOT

The moderately large botnet distributed-denial-of-service attacks on government web sites in the U.S. and Korea on July 4 and continuing this week were probably NOT the work of North Korean intelligence forces, according to researchers who have analyzed the attacks.

In spite of South Korea’s contention that their country’s rival to the north was to blame, apparently it was the work of a fairly unsophisticated intruder who used the five-year-old Mydoom worm to launch the attack from a botnet of about 50,000 machines mostly in Asia.

The worm was first identified by Sunbelt Software in January, 2004, as Email-Worm.Win32.Mydoom.gen (v). Its variants have always been detected by Sunbelt’s malware analysis technology, MX-V™, included in the company’s VIPRE™ antivirus product line. MX-V is a compact, high-speed virtualized Windows environment integrated into VIPRE, which performs rapid behavioral analysis of potential malware.

Mydoom is a mass-mailing worm and generally arrives in spam email as an attachment carrying file extensions of .bat, .cmd, .exe, .scr or .zip. If an Internet user activates it, the worm sets up a back door on a system and allows the botnet owner who sent the email to control the infected computer. The infected machine, added to a botnet, can then be used to send spam email to propagate the worm. It also can be used to launch denial-of-service attacks. It will install on most Windows operating systems, including Windows 95, Windows NT, Windows 98, Windows 2000, Windows Me, Windows XP, and Windows Server 2003.

It’s been considered a low-level threat and has been detected by most major antivirus products since it first appeared in 2004.

News stories here and here.

Tom Kelchner

Koobface is back – on Twitter

Good ole Koobface worm is back. This time it’s on Twitter.

Here’s how it works:

1. you get a tweet from a friend with the text:

  • My home video :);
  • michaeljackson’ testament on youtube, or
  • Watch my new private video! LOL :).

2. you click the link and go to a Facebook page with a video

3. you run the video

4. you get infected. Then every time you log into Twitter, Koobface sends similar tweets to all your friends to infect them.

Story here.

Oh, yes. If you get infected, don’t bother spreading it to Alex Eckelberry. Someone was nice enough to email his family the Koobface variant in April (see his blog piece here.)

Tom Kelchner

Will Google Chrome break Microsoft’s hegemony?


No.

But Microsoft should be (and assuredly is) concerned.

The Google Chrome OS is a lightweight OS initially targeted at the netbook market, but ultimately usable on any desktop PC. It’s not for mobile phones or other small devices — that’s Android (although the two will share components).

But the use of Chrome all comes down to one question: Are users willing to give up their Microsoft applications? Are business users willing to give up interoperability with the rest of their organization, with the wealth of business applications designed for the Microsoft environment?

I’ve bought two netbooks so far. Both were running Windows, because I need Microsoft Office (particularly PowerPoint, for my presentations on the road). No, I don’t want to run StarOffice or some other solution (like Google Docs). I need perfect operation, every time. I actually once saw a Linux die-hard do a presentation by flipping through a PDF — it was silly. Businesses have always been the major driver of the microcomputer, because people use their business machines and then want to go home and use their home machines in a similar environment (using the same files, etc.). Macs themselves are wonderful (the most wonderful operating system out there IMHO), but there are also practical considerations. People who use Macs in a business environment are the early-adopter types, but the platform has never gotten to massive scale simply because of interoperability (and cost).

I’m as much a fan of Linux, Macs and all the rest as anyone else. But I am also a pragmatist.

Ultimately, the success of the Chrome OS will depend on the third party applications available for it. The fact that it’s *nix based helps, as applications are easy to port. The fact that Google has some applications already developed is helpful. But it is very, very hard to get any real headway on Microsoft. (Years ago, I was the product manager for an ill-fated operating environment, DESQview (and its big sister, DESQview/X). A different time, and different circumstances, but I will say that getting application support is always a major issue with any operating system.)

Remember, despite Linux dominating the netbook market, the minute Microsoft started offering XP Home on these machines was the minute that the tide changed. Windows XP now has over 90% market share on netbooks, and I don’t expect that to radically change any time soon.

The whole cloud argument — well, that’s a wonderful buzzword. I’ve also heard the same arguments about cloud-based computing for many years, whether it was ASPs, etc. There are very useful aspects to the cloud, but excitable non-technical types tend to get a bit starry-eyed around this stuff when it’s not entirely deserving of mass adulation. It’s just an alternative method of storage, but it is deeply constrained by infrastructure (the speed of your connection, the availability of a connection, and so on).

Alex Eckelberry

Microsoft DirectShow Zero day

This is serious and is ITW (in the wild).

Killbit:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400
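One way to confirm that the killbit above has actually taken effect, as an added example (not from the original post): this PowerShell snippet reads the “Compatibility Flags” value under the CLSID’s ActiveX Compatibility key and checks that bit 0x400 is set. It also checks the Wow6432Node path that 32-bit IE consults on 64-bit Windows; the function name Test-KillBit is the example’s own.

```powershell
# Added example, not from the original post: verify the DirectShow killbit
# for CLSID {0955AC62-BF2E-4CBA-A2B9-A63F772D46CF} is present.
# The killbit is bit 0x400 of the "Compatibility Flags" DWORD.
$clsid   = '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'
$killBit = 0x400

# Both native and 32-bit-on-64-bit (Wow6432Node) locations should be set.
$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)

function Test-KillBit {
    param([string]$Path, [int]$Bit)
    # Key absent -> control is not killbitted at this location.
    if (-not (Test-Path -Path $Path)) { return $false }
    $item  = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    $flags = $item.'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    # Bitwise test: other flags may be set alongside the killbit.
    return (($flags -band $Bit) -eq $Bit)
}

foreach ($p in $paths) {
    # Skip the Wow6432Node path on 32-bit Windows, where it does not exist.
    if ($p -like '*Wow6432Node*' -and -not [Environment]::Is64BitOperatingSystem) { continue }
    if (Test-KillBit -Path $p -Bit $killBit) {
        Write-Output "Killbit SET   : $p"
    } else {
        Write-Output "Killbit UNSET : $p  (apply the .reg file above)"
    }
}
```

Run from an elevated prompt; a result of UNSET on either path means IE can still instantiate the control from that bitness.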

More at SANS here, plus CSIS writeup here (if you don’t “taler Dansk”, then use this Google Translate link).

Best solution? Don’t use IE for now.

Alex Eckelberry

Update: Microsoft info here.

Pornography, government and the Internet

It’s probably superstition, but it seems that news stories come in bunches. Today’s theme is: “governments across the planet try to deal with Internet pornography”:

— The Green-Dam saga continues. China delayed indefinitely the requirement that new computers have an installation of Green Dam-Youth Escort filtering software to protect young people from pornographic and violent Internet content. The big question seems to be: “will the delay be temporary or permanent.” They really should just make the filtering voluntary AFTER they get rid of the political censorship issue and AFTER they resolve the copyright-infringement issues and AFTER they fix the vulnerabilities in it. But I digress.

— The Ukraine has made illegal the possession of pornography except for medicinal purposes. I just don’t know what to say about “medicinal purposes” except that it’s going to generate another category of spam that will probably give a whole new meaning to “Canadian pharmacy.”

— In the U.S., several adult-content web sites appear to be collateral casualties of the take down of the Pricewert ISP by the Federal Trade Commission. Some are reporting the loss of $5,000 per day. Some are scrambling to find their web site content, since the Federal court and FTC confiscated Pricewert’s servers. I guess the lesson here is: don’t do business with businesses that do illegal stuff.

— The Georgia (USA) Bureau of Investigation is warning that an email containing a six-minute child porn video is circulating in the Stone Mountain area. The video may be a 2005 clip from the Dominican Republic that has been known to investigators. There are conflicting news reports, but at least one says it’s being spammed by malware. Possession of the video on one’s computer is a felony in the U.S. Investigators are telling Internet users to delete the email on sight (Subject line: “VERY Disturbing! TAKE CARE OF YOUR KIDS/ they should kill this man, do not open if your [sic] sensitive… click video link.”)

Pornography has been a complicated issue since, well, forever. There are paintings in the ruins of Pompeii of an “adult” nature that were buried in the year 79. In the quaint 1950s in the very Puritan U.S., there were “nudist” and “art photo” magazines that pushed the legal envelope, and “men’s” magazines explored how much of a woman’s anatomy they could show and still stay at least one millimeter away from the legal limit.

In the U.S., porn enthusiasts probably won the battle when courts as high as the U.S. Supreme Court found themselves completely unable to define the difference between pornography and free speech. In 1964, U.S. Supreme Court Justice Potter Stewart wrote the legendary articles of surrender, saying that he couldn’t define pornography, but “I know it when I see it.” Shortly after that, the VCR went on sale and it was REALLY “game over” for the anti-porn side.

The result has been a legal shadow world and very lucrative gray economy that turned into a terrific environment for scams, fraud, rogue anti-malware products and thieving computer malcode. Yes, there is a load of pornography out there on the Internet that is perfectly legal, sold by perfectly legal businesses with secure servers. Governments in conservative places will always try to fight it. They will only ever have very limited success. Sex will always be a very shiny lure.

The bottom line: if you see any advertisement on the web or in your email for “adult” anything, it simply will never be truly safe to go there.

Links to stories:

China’s Web ‘Dam’

Yushchenko signs porn law despite widespread opposition

Web-Hosting Firm’s Shutdown Costing Adult Affiliate Operator $5K a Day

GBI: Open This E-Mail, Go Directly to Jail (Possibly)

Tom Kelchner

Chinese government delays Green Dam requirement (maybe forever)

The Chinese government’s Ministry of Industry and Information Technology announced today through the Xinhua news agency that there would be an indefinite delay in the enforcement of a rule requiring the installation of Internet filtering software Green Dam-Youth Escort on all new computers sold in the country. The rule was to go into effect tomorrow.

Green Dam was officially described as an application to protect children from harmful content on the Internet. Researchers, however, discovered that two thirds of the “harmful” terms it filtered had political connotations.

The Chinese government will install Green Dam in school and Internet cafe computers after tomorrow. It also will provide free downloads for anyone who wants it, Xinhua said.

The filtering software has drawn fire from many quarters:

— China only notified PC makers of the regulation on May 19 and only made the edict public in June. Many manufacturers said they couldn’t comply with the July 1 deadline in such a short time.

— Solid Oak Software of Santa Barbara said that code from its CyberSitter software was used extensively in Green Dam-Youth Escort and sent cease-and-desist letters to U.S. PC manufacturers to stop them from installing Green Dam. Solid Oak said it would launch lawsuits in the U.S. and China July 1.

— Jinhui Computer System Engineering Co. of Zhengzhou, the company that won the Chinese government’s $6 million contract to write the application, has received more than a thousand harassing phone calls, including late-night death threats.

— Jinhui patched one vulnerability in Green Dam, but the application remained open to remote exploitation and a working exploit was published on the Internet.

— The U.S. protested that installation of the application would violate China’s agreement with the World Trade Organization.

— Leaders of 22 international business groups last week notified Chinese Prime Minister Wen Jiabao that Green Dam was a threat to privacy and free speech and hardly in keeping with China’s “professed goal of building an information–based society.”

— The European Union also protested to China, saying that the Internet filter was designed to limit free speech.

For news coverage, link here.

Tom Kelchner

You have no privacy: What you buy may affect your credit

Interesting article:

Have you used your credit card at merchants specializing in secondhand clothing, retread tires, bail bond services, massages, casino gambling or betting? Your credit card issuer may be taking note — and making decisions about your creditworthiness based on your purchasing behavior. The reason: Buying used clothing or retread tires may be an indication of financial distress and a preamble to missed credit card payments or defaults.
Link here.

Alex Eckelberry

StopBadware.org and Sunbelt Partner to Fight Badware

Sunbelt is excited to be working with StopBadware.org, the collaborative initiative to combat viruses, spyware, and other bad software. Sunbelt will participate in the effort as a data partner to provide information to support and encourage website owners and web hosting companies in cleaning up and protecting their sites.

This morning, StopBadware.org launched a new, richer report interface—integrating the new Sunbelt Software data—to its searchable Badware Website Clearinghouse. The new reports allow security researchers, law enforcement, site owners, and other interested parties to see a site’s current and past badware activity, along with basic information about the site. Sunbelt joins Google in contributing data to the project, which is based at Harvard University’s Berkman Center for Internet & Society.

Read the press release here.

Laurie Murrell

Michael Jackson spam loads zbot – don’t go there

The domain, complete with Matrix-like animation, is running “Unique Pack” exploit package version 2.

Subject: Who killed Michael Jackson?
Date: Tue, 30 Jun 2009 08:14:46 -0300
From: x-files
Reply-To: xxxxx@xxxx.com
To: xxxxx@xxxx.com

Michael Jackson Was Killed…

But Who Killed Michael Jackson?

Visit X-Files to see the answer:

hxxp://xxxx.xxxxx.com.mx/x-files
Thanks to Sunbelt Malware Researcher Adam Thomas

Tom Kelchner