All access pass to Sunbelt

I was followed around recently by Robert LaFollette, our creative director, for a video tour of Sunbelt.

So if you’ve ever wondered what it’s like here at Sunbelt, click here to watch the movie. There’s a big version and a small one. If you can handle the download, get the big one.

Oh, and there’s some extra footage after the final title sequence…

Alex Eckelberry
President

Buy a Motion Computing tablet PC, get CounterSpy for free

Motion Computing preinstalls CounterSpy with their L-Series tablet PCs.

Clarification: In order to get CounterSpy pre-installed, you need to buy the MotionPak, a $35 option.  It includes a bunch of software, including Microsoft OneNote, Alias SketchBook Pro, Farstone VirtualDrive and more.

Alex Eckelberry


Does Microsoft want to be your phone company?

From CIBC:

“Yesterday after the close, Microsoft announced the acquisition of privately held Teleo, a provider of voice over Internet protocol (VoIP) technology. Teleo’s technology was designed to enable users to make PC-to-PC, cell phone, and land line calls. Through the acquisition, Microsoft plans to combine Teleo’s technology and expertise with its existing VoIP investments to further develop the product and service offerings of MSN. Terms of the deal were not disclosed. Internet content providers such as Yahoo!, Google and AOL (Time Warner) have moved aggressively to bolster their VoIP technologies as part of their service offerings. While Microsoft already has an existing VoIP service with its MSN Messenger service, we see this acquisition as another sign of Microsoft playing catch up with the ‘Net leaders. (BR)”

This Katrina was no pretty lady

This is a really, really bad scene right now with our neighboring states of Mississippi, Alabama and Louisiana (we’re in the Tampa Bay area of Florida, and were unaffected by the storm).

The situation in New Orleans is devastating. We’re talking about a city that will be shut down for quite some time.

Powerful pictures here.

Give if you can. Quick and easy with the Red Cross donation form.

Alex Eckelberry

My website ain’t in Kansas no more

Kansas City Economic Development webserver hacked (article here).

“It looked like it was being used as a drop box for a variety of cyber vagrants,” Ballew said, adding that the unauthorized traffic included mostly software programs and encrypted files.

But he said the agency had learned a lesson from the incident.

“In this day and age, Web hosting is something you ought to leave to professionals,” he said.

Alex Eckelberry

Correction, from Mark: “A common mistake: Kansas City is the name of two cities, the larger of the two is Kansas City, Missouri; across the state line is the much smaller Kansas City, Kansas. In this case, the EDC is part of Kansas City, Missouri.”

Well, he just ruined my headline!

Sunbelt wins 8 Windows IT Pro Reader’s Choice awards

Well this was a rather pleasant surprise. We just won eight Windows IT Pro Reader’s Choice awards.

(Windows IT Pro is one of the leading enterprise IT mags.) 

Alex Eckelberry

The now infamous Regedit vulnerability

Last week, Secunia published an advisory on a new vulnerability found in Windows. An exploit can take advantage of a weakness in Regedit, allowing a hacker to put a long string in the registry to hide a command. News.com picked the advisory up on Friday.

From Secunia: “The weakness is caused due to an error in the Registry Editor Utility (regedt32.exe) when handling long string names. This can be exploited to hide strings in a registry key by creating a string with a long name, which causes this string and any subsequently created strings in the key to be hidden. Successful exploitation e.g. makes it possible for malware to hide strings in the “Run” registry key. However, these hidden strings created after the string with the overly long name will still be executed when the user logs in.”

However, someone actually has to get into your system to implant this registry key. So it’s not a “run for the hills” type scenario, despite breathless reports to the contrary. But it is something to take note of.

Two SANS bulletins, here and here. “An overly long registry entry can be added, but won’t be shown by regedit and regedt32. Even better, all registry entries that get added afterward under the same key, even if not overly long, will be hidden as well…This allows adding hidden entries under the famous HKLM\Software\MS\Windows\CV\Run. Entries that you can’t see with regedit, but that will just as faithfully get run at startup.” This can happen right now on fully patched systems.

In other words, a hacker can implant a long-named string into the Run section of the Registry. Regedit can’t actually “see” it. When you restart your computer, Windows will happily run it anyway.

This vulnerability has been confirmed on fully patched Windows 2000 and XP systems. Other systems may be at risk.

Here is what you can do right now. Run this tool from SANS, which will tell you what extra long entries you have in the registry. It looks for values in excess of 254 characters. (Another option is to open up a command prompt (Start/Run/Cmd) and type “reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run”, which uses the registry API rather than the Regedit display and so does list the long entries, but I wouldn’t bother with that).
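For readers who would rather see the check than trust a tool, here is an added example (it is not the SANS tool and not code from the original post) that applies the same rule offline to a registry export. It assumes the export was produced with `reg export` from a command prompt, which goes through the registry API and therefore contains the overlong names that the Regedit window does not show, and it uses the 254-character threshold the post cites. The sample export embedded below is constructed; the key paths are the real Run key locations. Because an export lists values in enumeration order rather than creation order, the “shadowed” entries it reports after an overlong name are an approximation; the overlong name itself is the reliable signal.

```python
"""Flag registry values hidden by overly long value names (added example).

Parses a Windows .reg export of the Run keys and reports every value name
longer than LONG_NAME_THRESHOLD, plus the values that follow it in the same
key, which the advisory says are hidden from Regedit as well.
"""
import re
from dataclasses import dataclass

LONG_NAME_THRESHOLD = 254  # limit cited in the post for the SANS tool

# Constructed sample export: one legitimate entry, one 300-character name
# (the hiding trick), one ordinary entry after it, and a clean HKCU key.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]",
    '"LegitTray"="C:\\\\Program Files\\\\Vendor\\\\tray.exe"',
    '"' + "A" * 300 + '"="C:\\\\Windows\\\\Temp\\\\hidden.exe"',  # constructed
    '"AlsoHidden"="C:\\\\Windows\\\\Temp\\\\second.exe"',
    "",
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]",
    '"ctfmon.exe"="C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe"',
    "",
])


@dataclass
class Finding:
    key: str
    name: str
    name_length: int
    reason: str  # "overlong-name" or "shadowed-by-overlong-name"


_KEY_RE = re.compile(r"^\[(.+)\]$")
# A .reg value line: "name"=data, where the name may contain \" and \\ escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _logical_lines(text):
    """Yield lines with .reg hex continuations (trailing backslash) joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def audit_reg_export(text, threshold=LONG_NAME_THRESHOLD):
    """Return a Finding for each suspicious value in the export text."""
    findings = []
    current_key = None
    shadowed = False  # True once an overlong name was seen in current_key
    for line in _logical_lines(text):
        line = line.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            shadowed = False
            continue
        if current_key is None or not line or line.startswith("@="):
            continue  # header, blank, or the key's default value
        value_match = _VALUE_RE.match(line)
        if not value_match:
            continue
        # Undo the .reg escaping so the length is the real name length.
        name = value_match.group(1).replace('\\"', '"').replace("\\\\", "\\")
        if len(name) > threshold:
            findings.append(Finding(current_key, name, len(name), "overlong-name"))
            shadowed = True
        elif shadowed:
            findings.append(Finding(current_key, name, len(name),
                                    "shadowed-by-overlong-name"))
    return findings


if __name__ == "__main__":
    for f in audit_reg_export(SAMPLE_EXPORT):
        shown = f.name if len(f.name) <= 40 else f.name[:37] + "..."
        print(f"{f.reason:27} {f.name_length:4} chars  {f.key}\\{shown}")
```

Run it against a real file with `audit_reg_export(open("run.reg", encoding="utf-16").read())`; `reg export` writes UTF-16 by default. Any `overlong-name` hit under a Run key on a machine you administer deserves a look with a tool that reads the registry through the API, since Regedit will not show it to you.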

And wait for the patches to come forth from various vendors.

Alex Eckelberry
(Tip o’ the hat to Eric Howes)

The spyware/kiddie porn/spam zombie connection

Here’s a video taken last week by one of our spyware researchers of an exploit-driven installation of multiple malware and adware apps from a pornographic website.

It’s from a child porn site and the disgusting images and the URL have been obfuscated (the website is being reported to the authorities).

The site is clearly linked with the very nasty vxiframe(dot)biz crew (purveyors of fun things such as Cool Web Search browser hijacks and the rest).

The researcher surfed to the site in question and immediately got hit with a security exploit that hijacked his browser, installed Spy Sheriff, and dropped a spam zombie/bot (not visible in the video) on his system. His browser window was then closed.

After a short bit he was presented with a combination of nags and ActiveX Security Warning prompts for CrazyWinnings (with Internet Explorer closed, mind you). The EULA for that installation is here.

Most users will never see that EULA, however, or the links to multiple other EULAs for the apps to be installed, which include:

– DirectRevenue/ABI/Aurora
– 180search Assistant
– SurfSidekick
– BullsEye Network
– ShopAtHomeSelect

Every time he cancelled the install he was presented with a nag to allow the install (all the while Spy Sheriff was warning him from the System Tray that his PC was infected).

After finally caving to the CrazyWinnings nag/prompt combo, his PC was deluged with the aforementioned adware. 266 new files (including 77 executables and 24 DLLs) were dropped on his PC and 516 new Registry keys were created.

180 Solutions did indeed pop up a prompt (called a “CBC Force Prompt”), but read the language of that prompt carefully and consider the context in which it is presented. 

He chose “Cancel”.

[Screenshot: 180-1]

He was then confronted with this warning that unless he allowed the installation to continue, he might lose access to a program he recently installed, as well as free games, music, toolbars, etc.

[Screenshot: 180-2]

So he allowed the install, as one would assume users would, out of fear that their PCs or internet connections might break.

This installation was initiated by a security exploit, driven by a combination of bullying nags and warning prompts, and greased with false and deceptive claims from the parties involved. At no point was he ever shown a clear, conspicuous, and truthful description of the software to be installed, and at no time was meaningful consent ever gained to the installation of the software.

So!

Apart from the fact that 180Solutions’ and Direct Revenue’s software is being installed alongside a spam zombie and through a security exploit (both of which they will blame on a rogue distributor), why did DirectRevenue and 180solutions consent to the CrazyWinnings distribution, when notice and disclosure are so obviously poor (no EULA shown to the user, EULA contains only links to EULAs from multiple other adware vendors, etc.)?

(For the record, installation logs and copies of all files installed from that exploit have been archived.)

Alex Eckelberry

Life in Tampa Bay

Off topic: When people hear that we’re in Florida, they almost inevitably assume that we’re in South Florida (e.g. Miami). We’re actually in Tampa Bay (Clearwater), which is a completely different place. Set on the Gulf of Mexico, it’s a charming area, which doesn’t get nearly as hot as our southern neighbor and even has mildly chilly winters—so north-easterners don’t have to throw out their sweater collection.

We often relocate people from other parts of the country to work for Sunbelt, and one such hire was Robert LaFollette, our Creative Director. He set up a blog which details his new life down here, but most stunning is his collection of photographs. Check out his blog here and his photography website here (not all of the pics are from Tampa; many are from his home state of Ohio and other places).

Alex Eckelberry

Microsoft anti-phishing tool to ship ahead of IE 7

According to Paul Thurrott:

“We complain when Microsoft restricts certain features and functionality to only the latest product versions, so this report should be seen as good news. Although Microsoft Internet Explorer (IE) 7.0 will include Phishing Filter, a feature that helps protect users from scam Web sites, Microsoft believed that the feature was important enough to make it available to IE 6.0 users (via a plug-in for the MSN Search Toolbar) before IE 7.0’s release. (It’s due any day now, I’m told.) If you’re not into the MSN Search Toolbar but want antiphishing features, check out Netcraft Toolbar, which is what I use. There’s also a version for Mozilla Firefox.”

He likes NetCraft. I downloaded it once and disliked it almost immediately (maybe it’s gotten better). As I’m sure you’re tired of hearing, I’m a fan of Cloudmark’s antiphishing toolbar, available here. I’ve also played with FraudEliminator and it’s quite good too.

Update:  More info at News.com

Alex Eckelberry

More on the Kutztown kids

If you followed my last blog on this, a group of 13 kids who “hacked” into their school’s computers were going to be charged with felonies by the luddite school officials.

We learned today that the kids have been offered a deal.

From Newsday:

“In meetings with students over the last several days, the Berks County juvenile probation office has quietly offered the students a deal in which all charges would be dropped in exchange for 15 hours of community service, a letter of apology, a class on personal responsibility and a few months of probation.”

Well that’s nice. 

For background, check out the kids’ perspective on how this all started (I love it that they set up their own website).

Alex Eckelberry


Security on the cheap

(This blog will be updated as I change my mind, think of better things to say or just for the heck of it).

Alternative titles: “The Four Pillars of Internet Security”, “Dirty little secrets of the software world”, “Steal this software”. Or more appropriately: “There goes Alex again, burning bridges in the software business”.

People have sometimes asked me the seemingly simple question: “What do I do to protect myself on the Internet”?

Well, first off, a large number of the people we see getting hit very badly by spyware have older unpatched Windows systems, meaning they are running Windows XP in practically its original state, without security patches. So, making sure you’re running the latest security patches is quite important.

Trite bromides like “get yourself antivirus programs, a firewall and an antispyware program” wear thin. The response is invariably one of confusion: “What antivirus program?”, “What firewall?”, “Is a hardware firewall enough?”, and so on.

The simple fact is good internet security is based on what I call the Four Pillars of Internet Security. They are:

• Firewall protection
• Antivirus
• Antispyware
• Patching

With these basics, your internet experience is dramatically safer. Antispam, antiphishing tools, content inspectors and the rest are often helpful, but not absolutely necessary.

Now, you don’t have to pay through the nose for “security suites” that are sometimes, well, ten pounds of crap shoveled into a five pound bag. If it was a cost issue, people wouldn’t care. They’d shell out the bucks to get a good solution, and if they didn’t, we could all smirk and say “see, I told you so, if you’d just spent $80 on a security suite, you would still have a wife, a car and money in the bank.”

(I often joke that Internet security suites are worse than spyware. Spyware does a couple of notable things: It pummels you with popups and slows your system down. Internet security suites pummel you with popups (aka security warnings) and slow your system down. But worse, they have the audacity of charging you an arm and a leg.)

Introducing Security on the Cheap
I make my living making and selling software, so my interest is always to have you pay for it. But for those who want to save a buck or two, I’ve got my Security on the Cheap guide below. Getting these (mostly) free basics in now will make your internet experience dramatically more secure:

(Realize that most of the free solutions mentioned are gratis only for certain types of people, like home users. Check the terms of the licensing agreements.)

Get an antivirus program. Grisoft’s free antivirus is pretty decent. There’s the free AntiVir and the free Avast. Want to pay? Kaspersky’s is excellent but a wee pricey ($40), and I’m personally a big fan of NOD32. Might want to try AOL’s new freebie as well. Or the free BitDefender (which I believe is unfortunately an on-demand scanner only — no real-time protection). If you want other suggestions, ask your friends or download the various trial versions out there.

Get a software firewall: You don’t have to spend money on a good firewall. My personal favorite: the Kerio firewall, which is a totally biased statement since it’s my product. However, another option is the ZoneAlarm personal version, free and good. (Sygate used to be great but has been discontinued.)

Get an Antispyware tool: In my completely biased opinion, I of course recommend mine (CounterSpy), but WebRoot’s SpySweeper is a very solid product. (PC Tools makes an outstanding product as well, but to be blunt, I’m not a fan of their marketing tactics.)

Now, I understand and forgive you if you don’t want to spend $20 on a commercial antispyware program 😉 So here’s the low-down on the free ones: Microsoft’s free one is ok, but not great. The two other free ones are Spybot and Adaware. Spybot is behind in the spyware race and I’m not sure if Lavasoft is still the product it used to be. Things have changed — threats have gotten very hard to remove. The real scoop? The free Yahoo toolbar Norton Antispyware on-demand scanner is quite good, and it’s no longer using the old PestPatrol engine.

Patching: The final leg of the Four Pillars of Security is getting your security patches from Microsoft. You would be amazed at how many people haven’t updated to the latest patches.

That’s the list of the really important security programs. Here’s a host of other little tools you can get that will make your experience even safer:

Antiphishing. Microsoft and Firefox now have antiphishing in their latest versions, but you can also get the free Netcraft antiphishing toolbar.

Antispam. Some would argue that a spam filter is vital for security. Actually, it really isn’t if you’re relatively intelligent, since spam is more of a nuisance than anything else and if you can stand deleting messages, you don’t need one. But that being said, spam is a royal pain, and a good antispam tool is a lifesaver.

Here’s my advice: Use the Outlook 2003 junk mail filter. It’s mediocre but free if you have Outlook 2003. Other options: Find out if your internet service provider has spam protection (Earthlink’s is actually decent). Otherwise, I’m afraid you’ll have to shell out some bucks. I have one, iHateSpam for $20. Cloudmark (incidentally, a business partner of ours) also has a very good one. Shop around, but you’ll find there’s a lot of junk out there, believe me.

Misc. tools. Paranoid and want to check for rootkits? Download the incredibly confusing but powerful Sysinternals Rootkit Revealer. Or F-Secure Blacklight. Got a tough job cleaning spyware? Get HijackThis. Want to help protect against spyware? Download the free IE-SPYAD by Eric Howes (who incidentally does consulting work for us). Want to lock down what sites your kids can visit? Get either CyberPatrol (a wee pricey) or CyberSitter (a good value). Or buy this bundle at Dell.

Also, Michael Horowitz wrote to recommend Javacool’s SpywareBlaster (not to be confused with a rogue app of the same name). I would also add WinPatrol to the “Security on the Cheap” list.

And then, of course, there is your operating environment. If you can live with it, Linux or Macs are infinitely safer than PCs. Don’t want to migrate to another OS? Then at least get Firefox, which will add a lot of security to your browsing experience.

And a final miscellaneous tip: The primary user of a computer might think of setting up accounts with Restricted Access for everyone else. You as an administrator can control what’s installed, but when someone else wants to use your PC, put them on a Restricted Account. Password protect your own Administrator account. However, in some cases it can be a hassle, as Michael Horowitz points out here. Vista will offer improved functionality in this area.

That’s it for now. Feel free to comment if you have any other ideas or opinions.

Alex Eckelberry

Update: PC Mag publishes their list of free stuff.

XP users may be at risk for Zotob

Patch your systems.

From Microsoft Watch: “Users running certain configurations of Windows XP Service Pack (SP) 1 beware: That pesky Zotob worm that hit Windows 2000 users last week could affect your systems, too. This week, Microsoft issued a new advisory on the expanded Zotob threat. Windows XP SP2 users are not vulnerable to the Zotob attacks, Microsoft said.”

New version of Srv.SSA-KeyLogger up

We discovered a new variant of the identity theft keylogger (a dumaru/nibu variant). We have since updated our free tool to scan for this keylogger. You can find it here.

Counterspy and CounterSpy Enterprise definitions will be updated shortly.

The SSA-KeyLogger spyware is only known to install itself on Windows XP and Windows 2000/2003. If you do find your PC to be infected, please call our tech support dept immediately at 877-673-1153.

Alex Eckelberry

Update: Important information here on the keylogger.

A look into the mind of spyware criminals

We found a document this morning while researching some spyware. Written in Russian, we have the translated version here. Fascinating reading. The document was dated May 16. Note that the document has been broken into pieces by the translator; the original is not in this sentence-by-sentence format.

The reference to iFrame is ostensibly to the various Internet Explorer Iframe exploits (which affect unpatched systems).

Alex Eckelberry


CDT supports the broadcast flag?

The Center for Democracy and Technology (CDT), which is organizing the antispyware consortium, is now supporting a modified version of the broadcast flag.

“An array of non-profit groups including the Electronic Frontier Foundation, Public Knowledge, and the American Library Association spent years fighting the idea of a ‘broadcast flag,’ a federal regulation that would have outlawed many digital TV receivers and tuner cards starting July 1…In May, a federal appeals court unceremoniously tossed out the Federal Communications Commission’s regulations.

But now one non-profit advocacy group is breaking ranks with its usual allies and handing Congress a road map to reinstating the broadcast flag. The idea is to reduce piracy of digital TV by prohibiting the manufacture of computer and video hardware that doesn’t sport copy protection technology”

CDT conflict of interest? “A now-deleted Web page, saved in February 2003 by Archive.org, shows that Time Warner, Disney, and Vivendi (an owner of NBC Universal) have been supporters. Though for the record, a CDT spokesman said Tuesday that only Time Warner (that is, AOL) currently is providing cash.”

IMPORTANT UPDATE AND CORRECTION:

It appears the post by Declan McCullagh at Politech (from which the content of this blog was framed) was inaccurate. According to an email to me from a high-ranking official of the CDT:

1) The sponsor page mentioned [above] was not deleted.  It is still online, but we stopped linking while we are redoing our Website, precisely because it was outdated and included companies that no longer fund us.  We hope to have a new one up sometime next month.

2) Content companies hate our copyright position.  That is why they (Disney, Universal, etc) stopped funding us.  As you know AOL is a member of ASC and other CDT working groups.  Therefore, Time Warner supports us.  Our funding on copyright is almost entirely funded by the MacArthur Foundation.

3) CDT DOES NOT support the broadcast flag.  The paper was saying that Congress SHOULD NOT support a broadcast flag, however, since they are working on it, they should at least consider fixing the completely broken current proposal.

In other words, no story here. 

Alex Eckelberry
Tip o’ the hat to Ben Edelman