Goodbye Borland

My first professional job in the software business was with Borland in 1987.

This is admittedly painful for many Borland alumni.  But I suppose all things must come to an end.

It was a heck of a company.  I learned the software business there, acquired many of the guiding moral principles that are still with me today — and I had a lot of fun.

Alex Eckelberry

MIME sniffing

Over the past several months, researchers have seen a small number of phishing attempts taking advantage of a feature in older versions of IE called MIME Sniffing. It’s a weak attempt to bypass spam and phishing filters, by having a non-HTML link in an email.

It’s a pretty dumb hack, frankly. But it’s mildly interesting to observe.

Basically, a phisher takes advantage of a vulnerability in IE versions 4 through 7: the web server declares the content type as an image (jpg, png or gif), but the body it sends is actually an HTML page (or whatever else), and IE renders it as HTML anyway.

What’s happening is that IE is “correcting” what it assumes is a mistake. The technique is explained in detail in this Heise article (thanks DJ).

Today, I saw an interesting phish, with the following URL:

acceghsh.nxt.ru/img/6.jpg?nin.ey.it/ws/e$ISAPI.dll?Sign&ru=http%3A%2F%2Fwww¬.it%2F

Or more simply,

acceghsh.nxt.ru/img/6.jpg

(the text string after the ? is simply garbage made to look like a query string).

So, let’s use a simple tool like web-sniffer to see what’s going on here:

[Screenshot: web-sniffer output for acceghsh.nxt.ru/img/6.jpg]

As you can see on the top of the screen, the server is telling the browser that it’s a JPEG file. But when we look at the content, it’s HTML.

And IE 7 will render it as HTML, because it’s assuming the web server made a mistake, and is correcting the “error”:

[Screenshot: the same response rendered as HTML in IE 7]

Nifty, eh?

Let’s take a look at the same page in Firefox:

[Screenshot: the same page in Firefox]

This whole MIME sniffing thing has been handled in IE 8. It’s the older versions of IE that display the page incorrectly.
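The web-sniffer check above can be automated. The following is an added example (not code from the post or from web-sniffer): it parses a raw HTTP response, compares the declared Content-Type against what the body's leading bytes actually look like, and reports the exact mismatch the post describes (server says JPEG, body is HTML). It also reports whether the server sent `X-Content-Type-Options: nosniff`, the header IE 8 introduced so that a server can opt out of the content guessing. The magic-byte table, the HTML marker list and both sample responses are constructed for the example; `login.example` is a placeholder host.

```python
import re

# Magic bytes for the image types the post names (constructed lookup table).
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# Tags whose presence near the start of a body makes a sniffer treat it as HTML.
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype\s+html|html|head|body|script|iframe|form)\b", re.IGNORECASE)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode("latin-1"), headers, body


def sniff_body(body: bytes) -> str:
    """Classify a body by its leading bytes, roughly as a content sniffer would."""
    head = body.lstrip()[:512]
    for mime, signatures in MAGIC.items():
        if any(head.startswith(sig) for sig in signatures):
            return mime
    if HTML_MARKERS.search(head):
        return "text/html"
    return "application/octet-stream"


def check_response(raw: bytes) -> dict:
    """Compare the declared Content-Type with what the body looks like.

    'mismatch' is set when the server claims a non-HTML type but the body is
    HTML, which is the trick described in the post; 'nosniff' reports whether
    the server sent the IE 8+ opt-out header that stops the guessing."""
    _, headers, body = parse_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    sniffed = sniff_body(body)
    return {
        "declared": declared,
        "sniffed": sniffed,
        "mismatch": sniffed == "text/html" and declared not in ("", "text/html"),
        "nosniff": headers.get("x-content-type-options", "").strip().lower() == "nosniff",
    }


# Constructed responses: a phish-style "JPEG" that is really HTML, and a real JPEG header.
PHISH_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"\r\n"
    b"<html><body><form action=\"http://login.example/\">Sign in</form></body></html>"
)
REAL_JPEG_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n"
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
)

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_RESPONSE), ("jpeg", REAL_JPEG_RESPONSE)):
        print(label, check_response(raw))
```

Feed it the bytes of a captured response (for example from a mail gateway that fetches linked URLs) and treat `mismatch` as a strong phishing signal; a legitimate image server has no reason to label HTML as a JPEG.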

Alex Eckelberry
(Hat tip to N)

State of the network study

Our friends over at Network Instruments have done their annual State of the Network study.  Nothing very surprising, but some mildly interesting stats. 

The study shows marked increases in virtualization — 75% of the respondents now use virtualization, and by 2011, 60% of applications are expected to be running on virtual machines, up from 27% this year. 

VOIP is also proceeding at a strong pace.  I do hope companies that implement VOIP understand the security issues…

You can read the study here.  

Alex Eckelberry

Malware killed this chip

[Image: blown CPU]

Well, sort of. 

There’s so much malware these days (our own repository is over 22 million samples) that managing it can be quite challenging. 

We routinely scan our repository to optimize our VIPRE engine, and a few days ago, the server croaked and the chip smoked.  Literally.

[Photo: the fried CPU]

(One thing I’d never experienced before was the stench of a fried CPU.  Even after a full day, one of our IT guys brought it upstairs and it stunk to high heaven.)

If you’re curious, this was a dual-core 3.2 GHz Xeon with 3 GB of RAM and 6 TB of DAS, in a Dell 2650 chassis. I suppose a newer system would have shut down automatically at a high temperature, but this was an older server.

Alex Eckelberry

VIPRE a finalist in Windows IT Pro best of TechEd

VIPRE was selected for the upcoming TechEd show…

After carefully evaluating close to 200 individual product entries, our panel of judges has selected the finalists for the Best of TechEd 2009 Awards.

Link here.

And if you’re going to TechEd, we’ll be at booth 111, and we’ll be giving out all sorts of prizes and such.

Alex Eckelberry

Trusted-DNS is anything but trustworthy

[Screenshot: the Trusted-DNS website]

With the growth of “clean DNS” services (primarily OpenDNS, which boasts over 10 million users), it was only a matter of time before scammers would catch on.

Enter Trusted-DNS, a service which purports to provide a “clean DNS”. In fact, it’s a DNS changer that will likely redirect users to bad sites.

Looking at the download, we see some interesting things. It starts off by calling GetAdaptersInfo, which is used to check the current DNS settings.

Other strings and functions it uses include:

00402040 – DnsFlushResolverCache
00402058 – dnsapi
00402060 – DhcpNotifyConfigChange
00402078 – dhcpcsvc
00402084 – DhcpNameServer
00402094 – NameServer
004020A0 – SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%s
0040219A – SHSetValueA
004021A6 – SHLWAPI.dll
004021B4 – GetAdaptersInfo
004021C4 – iphlpapi.dll
004021D4 – _snprintf
004021DE – ntdll.dll
004021E8 – WS2_32.dll

And so on.
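The strings above point at the per-interface `NameServer` and `DhcpNameServer` values under the Tcpip\Parameters\Interfaces key, which is where a DNS changer writes a static resolver to override the DHCP-assigned one. The following is an added example, not code from the post or from Sunbelt: it audits those values and flags any static resolver that is neither the DHCP-assigned server nor on a trusted list. The registry read uses Python's standard `winreg` module and only runs on Windows; elsewhere the script falls back to a constructed sample (the GUIDs and addresses in it are made up, and the trusted set is a placeholder for your own resolvers).

```python
import sys

# Registry path the Trusted-DNS string dump references (backslashes restored);
# each subkey is an interface GUID holding NameServer / DhcpNameServer values.
INTERFACES_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"

# Constructed sample standing in for a registry read on a machine where one
# interface has been given a static NameServer that overrides DHCP.
SAMPLE_INTERFACES = {
    "{11111111-AAAA-BBBB-CCCC-111111111111}": {
        "DhcpNameServer": "192.0.2.1",
        "NameServer": "",
    },
    "{22222222-AAAA-BBBB-CCCC-222222222222}": {
        "DhcpNameServer": "192.0.2.1",
        "NameServer": "198.51.100.53,198.51.100.54",
    },
}


def split_servers(value):
    """NameServer values are comma- or space-separated lists of addresses."""
    return [s for s in value.replace(",", " ").split() if s]


def audit_interfaces(interfaces, trusted):
    """Flag static NameServer entries that override DHCP with an untrusted resolver.

    Returns a list of (interface_guid, resolver) findings in registry order."""
    findings = []
    for guid, values in interfaces.items():
        static = split_servers(values.get("NameServer", ""))
        dhcp = set(split_servers(values.get("DhcpNameServer", "")))
        for server in static:
            if server not in trusted and server not in dhcp:
                findings.append((guid, server))
    return findings


def read_interfaces_from_registry():
    """Read the per-interface values from the live registry (Windows only)."""
    import winreg  # standard library, but present only on Windows
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INTERFACES_KEY) as root:
        subkey_count = winreg.QueryInfoKey(root)[0]
        for i in range(subkey_count):
            guid = winreg.EnumKey(root, i)
            values = {}
            with winreg.OpenKey(root, guid) as sub:
                for name in ("NameServer", "DhcpNameServer"):
                    try:
                        values[name] = winreg.QueryValueEx(sub, name)[0]
                    except FileNotFoundError:
                        values[name] = ""  # value absent on this interface
            result[guid] = values
    return result


if __name__ == "__main__":
    trusted = {"192.0.2.1"}  # placeholder: your organisation's own resolvers
    data = read_interfaces_from_registry() if sys.platform == "win32" else SAMPLE_INTERFACES
    for guid, server in audit_interfaces(data, trusted):
        print(f"{guid}: static NameServer {server} overrides DHCP; review this interface")
```

Run it periodically or from a logon script; a static resolver appearing on a workstation that is supposed to get DNS from DHCP is a cheap and reliable indicator of this class of malware.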

Alex Eckelberry

The trouble with search engines – and pandemics

Ok. You’re worried about Swine Flu and you want to find a local company that has something that will prevent it. You “turn on the Internet” and do a Web search for the terms “anti-virus” and “Clearwater, FL.”

What’s the first thing that pops up? “Antivirus and Antispyware Software – Anti-Malware & Email …” Sounds like a serious business! You click on that link and find a phone number.

You go right to the top and call Vice President for Threat Research and Technologies Michael St. Neitzel: “Hello. Does Vipre protect against the Swine Flu?”

Sunbelt Software Vice President for Threat Research and Technologies Michael St. Neitzel will then explain that Vipre is an anti-COMPUTER-virus solution.

I’m not making this up! Someone just did this!

Yea, it’s sadly funny, but it’s also an indication of the very high level of concern about the spreading strain of Swine Flu influenza. This thing is a potential pandemic. Public health authorities are worried that it POSSIBLY could mutate into something deadly.

Spammers saw this coming on Monday.

Spam with headlines claiming that celebrities (Salma Hayek, Madonna) have caught the disease is peddling generic Tamiflu – or stealing the credit card numbers of those naïve enough to make a purchase from one of the nearly 300 newly-registered domains with a “Swine Flu” twist in their name. Cisco’s IronPort anti-spam service says Swine Flu spam is now four percent of global spam.

Spam that preys on public fears generated by big news stories is now a genre. Seriously, just delete the alarming e-mails, wash your hands a lot and don’t sneeze in elevators.

See InformationWeek’s coverage here.

Slaying one more dragon: getting rid of the USB AutoRun vector

There is a vast amount of malcode out there that uses the autorun function to install itself, and that group includes Conficker. We found over 900 variants listed on one of our fellow AV vendors’ sites and over 1,000 listed on another.

Microsoft’s site shows a graph of its monthly detections of AutoRun malware in the last year and a half. It looks like the outline of a dragon. The end of its tail is on the ground (near zero) from July of 2007 to January of 2008, and the top of its head, from November of 2008 to March, 2009, is at 225,000 detections per month.

The company has announced that it will disable the AutoRun function in AutoPlay for USB drives in Windows 7 and backport the change to supported Windows versions. AutoPlay will still work for CDs and DVDs, however.

When the malcode writers started using the autorun.inf file on USB drives several years ago, it was like Déjà vu all over again. Remember the days when you could infect your “home” computer by starting it up with a “floppy” disk in the drive? Well, floppies and discs fell by the wayside along the years with the expanded use of CDs and DVDs, but the dragon came back to bite us in the USB drive.
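Until the Microsoft change reaches a machine, the autorun.inf itself is worth inspecting, because the worm has to tell AutoRun what to launch. The following is an added example (not code from the post or from Microsoft): it parses an autorun.inf with Python's standard `configparser` and reports every directive that launches code (`open`, `shellexecute`, and any `shell\...\command` entry) plus the common disguise of an `action` string that imitates Explorer's own "Open folder to view files" prompt. The sample file is constructed for the example and the executable path in it is made up.

```python
import configparser
import re

# Constructed autorun.inf in the style AutoRun worms use: every launch directive
# points at a hidden executable, and "action" mimics Explorer's own prompt.
SAMPLE_AUTORUN = """\
[AutoRun]
open=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shellexecute=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
action=Open folder to view files
"""

# Directives that cause AutoRun to execute something.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\.+\\command$", re.IGNORECASE)
# Phrases Explorer uses for its own harmless default entries.
EXPLORER_PHRASES = ("open folder to view files",)


def parse_autorun(text):
    """Return the [autorun] section as a dict of lower-cased keys (empty if absent)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.MissingSectionHeaderError:
        return {}
    for section in parser.sections():
        if section.lower() == "autorun":
            return dict(parser.items(section))
    return {}


def assess_autorun(text):
    """Report launch directives and whether the file disguises itself as a plain folder."""
    entries = parse_autorun(text)
    launches = [(key, value) for key, value in entries.items()
                if key in LAUNCH_KEYS or SHELL_COMMAND.match(key)]
    action = entries.get("action", "").strip().lower()
    disguise = any(phrase in action for phrase in EXPLORER_PHRASES)
    return {"launches": launches, "disguise": disguise}


if __name__ == "__main__":
    report = assess_autorun(SAMPLE_AUTORUN)
    for key, value in report["launches"]:
        print(f"launch directive: {key} = {value}")
    if report["disguise"]:
        print("action text imitates Explorer's default prompt")
```

To check a real removable drive, read its `autorun.inf` with `encoding="latin-1", errors="replace"` and pass the text to `assess_autorun`; any launch directive on a drive that is supposed to hold only data is reason to quarantine the drive before opening it.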

Koobface

Koobface, a worm which steals Facebook or MySpace credentials and uses the victims’ accounts to spam their friends, is certainly alive and kicking.

Here’s a run occurring right now. You get a message from a friend:

Which leads to a Facebook page:

Which, when clicked, pushes a fake video codec that downloads Koobface:

And yes, my wife just got one from a friend. He was rather surprised when I called him…

Alex Eckelberry

The 10 Most Interesting Products at RSA 2009

RSA 2009 has been a great show this year. More than 450 exhibitors are showing their stuff at this year’s RSA Conference in San Francisco. eWEEK Labs’ Cameron Sturdevant has been scouring the expo floor to find the most compelling products for the enterprise. VIPRE Enterprise and Shavlik’s NetChkProtect were included.

View the slideshow here.

Ding Dong, Zango is dead!

Zango Inc., the irritating adware firm that was fined $3 million by the U.S. Federal Trade Commission in 2006 has been sold at “fire sale prices” to video search engine company Blinkx PLC, it was announced yesterday.

The company was notorious for its weasel-word excuses and explanations of the intrusive adware it distributed. It also was famous for (unsuccessfully) suing anti-virus vendors Kaspersky Labs and PC Tools in 2007 in an attempt to intimidate them and force them to stop cleaning Zango code out of victims’ computers.

Zango was first named 180 Solutions when it was founded in 2004. It employed more than 200 people at its peak, but laid off 118 of them last year. Two other major adware firms, Claria (which distributed Gator) and DirectRevenue, have closed in the past. A third, WhenU, was bought out by a Canadian company, which has continued to perform installations of WhenU’s software, though the company is definitely a shadow of its former self.

Chris Boyd, of Facetime Security, and Ben Edelman, a security researcher at the Harvard Business School, extensively documented Zango’s offensive practices over the years. The company basically installed adware on victims’ computers without permission, served porno advertising without notifying victims and profited from the distribution of pirated material, according to Edelman’s research.

Edelman told Computerworld that the company failed because: “Zango could never get over its history of non-consensual and deceptive installations.”

See the Computerworld story here.

New rogue: Extra Antivirus

We found two new rogue security products using the same name, “Extra Antivirus”.

One of them belongs to the Virusdoctor family of rogue security products.

[Screenshot: Extra Antivirus (Virusdoctor family)]

This rogue uses the same site that was earlier used by Extra Antivir. Like its predecessors, this rogue also uses the Google Code site as a free way to host its installers.

The other Extra Antivirus rogue is from the WinSpywareProtect family of rogue security products.

[Screenshot: Extra Antivirus (WinSpywareProtect family)]

This rogue uses the same home page and fake/scare scanner page template used by Extra Antivir.

[Screenshot: Extra Antivirus homepage]

[Screenshot: Extra Antivirus scanner page]

Sites Involved:

206.53.61.74  Extraantivir com
94.75.209.11  Extrantivirus com
195.88.81.117 dl.exstra-scanner-av com
195.88.80.208 Int.extro-reports net

Bharath M N