Rootkit resources

Eric Howes, who consults with us on spyware issues, writes this about rootkits:

Windows rootkits are malicious programs that use some fancy low-level programming tricks to hide themselves and other files and directories from Windows. When a rootkit is running on your machine, you won’t be able to see it (or the other files it’s hiding) through Windows Explorer. And neither will other standard Windows applications either. They’re effectively invisible, even to Windows itself.

Rootkits are attractive and useful to malware, spyware, and adware creators because rootkits can hide malicious files that take control of users’ PCs and prevent those files from being easily removed. Spyware and adware authors have been especially aggressive in using rootkits to conceal their software on victims’ PCs. The best example is SearchMiracle/Elitebar, which uses a rootkit to hide dozens of files and directories within the Windows directory. Once SearchMiracle/Elitebar is installed, it is very difficult to remove, and users’ PCs are deluged with mysterious pop-ups that seem to come from nowhere.

As with other aspects of malware, rootkit creators and anti-malware companies are now in an arms race of sorts, with rootkit creators finding ever more clever ways to hide their code within Windows and anti-malware vendors scrambling to improve their applications to detect these newer breeds of rootkits.

Some links: 

Microsoft Strider Project
(note: contains links to plenty of white papers and such)

Microsoft Rootkit Webcast

News articles
http://www.eweek.com/article2/0,1759,1829744,00.asp
http://www.eweek.com/article2/0,1759,1816972,00.asp
http://www.securityfocus.com/columnists/358
http://www.viruslist.com/en/analysis?pubid=168740859
http://www.eweek.com/article2/0,1895,1841266,00.asp

Anti-rootkit tools for Windows (Note: Most of these are complex programs that require an experienced user).

Blacklight

IceSword

Microsoft – Malicious Software Removal Tool  

RootkitRevealer

UnHackMe

Alex

Spyware: The $24 billion question? No way.

First, we had wild tall tales of the spyware business being a $2 billion industry (the actual amount is closer to $500 million).

Now we have the risk of spyware theft pegged at $24 billion.

John Bambenek at the SANS Internet Storm Center writes that over $24 billion is at risk of theft from spyware in the US. Methodology here. Article here.

John is a highly respectable and sharp guy, but I don’t buy it (and to his defense, his work on this is very preliminary).

The thesis is based heavily on a spyware vendor’s estimate that 7% of machines they surveyed contain “system monitors” that would include keyloggers.

Add in the population out there and the active bank accounts, and you’ve got $24 billion.

I’m sorry.  I don’t buy it.  First, I don’t buy that 7% of the machines out there have keyloggers.  “System monitors” could include a range of programs.  But if I took 100 people and actually found out what they have on their system, I would be very surprised if 7 had keyloggers.

First, there’s SP2.  In just the past few months, we’ve found well over 20 variants of the vicious Winldra.exe keylogger (also known as the dumaru or nibu trojan).  This is the nasty bugger that got all the press a few months back.  Guess what: Not one machine running it had SP2.  They all had older unpatched systems.  It’s darned hard, if not impossible, for these keyloggers to get on your system if you’re running SP2. 

Second, there’s the question of definition.  The vendor in question had a general definition of “System Monitors”, which is “range in capabilities and may record some or all of the following: keystrokes, e-mails, chat room conversations, instant messages, Web sites visited, programs run, time spent on Web sites or using programs, and even usernames and passwords. The information is transmitted via remote access or sent by e-mail. Keyloggers are included in this category of spyware.”

Ok.  So there’s a lot more than just keyloggers in this definition.

You want to see what’s on people’s machines? You can see our live ThreatNet stats, which show what is actually being removed, by clicking here.  Of course, this is also unscientific, since it only includes a population of CounterSpy users.

The correct thing to do here would be to get several hundred PCs on an nth sample basis, and actually do a formal audit.  Ignore things like cookies. Find out what’s really on the machines that is real adware/spyware/trojans etc.  And then you can start to develop an accurate thesis.

Alex Eckelberry
Hat tip to Donna

Kazaa says it don’t install no spywares!!

hey … Kazaa sez no spywares!!!

Saying “No spyware” is apparently something that Sharman has justified here and here. Sharman has apparently convinced themselves that the definition of Spyware is (drumroll):  a keylogger! 

So Direct Revenue recently did a deal with them.

And now you get Best Offers when installing Kazaa.

So I installed Kazaa and checked the EULA for Best Offers.  Check some of this text out:  

“This software will collect information about websites you access and will use that information to display ads (e.g. pop-ups, search results) on your computer while you surf the web. These adverts are branded with the company name. If you view adult content, the ads may contain adult content.

…the Software may, without any additional notice to you, perform the following: display pop-up ads and various other ad formats of third party advertisers; display links to and advertisements of related websites based on the information you view and the websites you visit; store non-personally identifiable information regarding your Internet browsing and usage habits; redirect certain URLs, including your browser’s default 404-error page; provide advertisements, links or information in response to search terms you use at third-party websites; provide search functionality or capabilities. The Software generally on average will display less than approximately twenty pop-up ads or other ads in other formats during a twenty-four hour period, subject to your cookies not being erased or cleaned, which would distort our ability to count how many ads we have provided to you.

The ads that the Software provides may contain adult content if the Internet web pages you are viewing contain adult content.

…Best Offers does not require you to provide any personally identifiable information …the Software does collect certain types of non-personally identifiable information about individuals who install and use the Software (e.g., IP host address, pages viewed, browser type, clickstream data, ISP and other non- personally identifiable information). None of the information collected is used by Best Offers to identify you personally. The non-personally identifiable data Best Offers does collect is used to provide you the appropriate ads at the appropriate time, as well as to monitor the performance and distribution of the Software.


Additionally, we may share non-personally identifiable, aggregated information with our business partners solely in connection with the provision of services to each other. The use and collection of your information by the Software is in accordance with Best Offers’ privacy policy located at www.bestoffersnetworks.com/privacy.php and is incorporated as part of this Agreement…”


So, hmm… we’re getting your IP address and your pages viewed and we’re not spyware since it’s not personally identifiable.  Ok, whatever, another discussion.


But then check out this little freakazoid:


“…There are third parties who are unaffiliated with Best Offers and who may in the future, attempt to install applications or functions onto your computer without first obtaining your consent, or who may have already done so. Some of these third parties may attempt to install a virus, worm, trojan horse and/or other malicious and unwanted agent onto your computer. In order to ensure the safety of your computer, Best Offers may remove the virus, worm or trojan horse from your computer.


These third parties may also attempt to insert particular domain names into your browser’s list of “trusted sites,” make host file changes or manipulate your network communication functionality without first obtaining your consent. By doing so, such third parties may obtain access to your computer as a means to install unwanted or damaging components on your computer.


You understand and agree that Best Offers may flush the list of all trusted sites in your browser from time to time. Thereafter, you may need to re-designate as trusted sites certain web sites that you had previously designated as trusted sites. Best Offers believes this a benefit to you because it enhances the security of your computer and provides you with the ability to choose whether or not to install certain components on your computer.


Some third parties may attempt to disrupt network communications to and from your computer to Best Offers’ servers. This may include the manipulation of either your DNS configuration, or your computer’s host file. If Best Offers believes that a third party is impeding your network communications, we reserve the right to correct the conflict in order to preserve proper communication.”

Wow.

Alex Eckelberry


Anonymity on the ‘Net: Is it a Good Thing?

Deb Shinder wrote this in our WXPNews newsletter.

By the way, it’s a heck of a good newsletter, and I would highly recommend subscribing to it.

For many, the Internet is a “place” in cyberspace where they can shed their day-to-day identities and be whomever or whatever they want to be. According to the old cartoon, “on the ‘net, nobody knows you’re a dog.” And nobody knows, unless you tell them, whether you’re young or old, male or female, black or white, married or unmarried. This carries with it the potential for getting jobs or making friendships without any of the preconceived prejudices that go with dealing with people in the “real” world. It also carries with it a lot of dangers and temptations.

As a technical writer, I do most of my work over the Internet. I have long-term business relationships with people I’ve never met in person. In hiring me for a writing gig, nobody cares whether I’m a pert young pipsqueak or a doddering old lady (I’m actually somewhere in between). They’re only concerned about whether I can write the articles and be relied upon to get them in on time.

My husband and I met and got to know one another online before we ever got together in person. We each found out what the other was like on the inside before dealing with physical issues. It seems to have worked pretty well; we’re still together after more than a decade of marriage.

However, the anonymous aspect of Internet communications has its dark side, too. I know people who use it to escape from their own realities, who create whole new personas that they don when they go online. Some say this is a healthy outlet, but I’m not so sure. One thing I do know is that other people, who believe these imposters’ stories, sometimes end up getting hurt. I’ve known more than one friend who thought he/she had met the love of his/her life on the ‘Net, only to find out that to the other person, it was all a joke. In some cases, the “beloved” had lied about marital status, job, age, looks, even gender.

But it’s not just in matters of romance that ‘Net anonymity can cause problems. It also makes it easy for someone to smear another’s reputation without the victim ever having a chance to face his/her accuser or even know what provoked the smear campaign. Subtle innuendos or wild accusations against public figures get circulated widely with no original source (or a false one) given. And strangers who are upset by something you say on a mailing list, on a discussion board or on your Web site can set out to systematically destroy your reputation and credibility.

This is annoying and frustrating when it happens on a personal level. When the person with a grudge decides to try to damage your career, it’s absolutely infuriating. I write regular monthly articles on network security issues for a Web publication. Like many tech sites, this one solicits feedback from readers, in the form of a ranking system where each reader gives each article a rating from 1 (poorest) to 5 (best).

My articles have generally pulled in rankings between 3.5 and 5. Recently, however, I noticed that my latest article had a ranking of 1.3. Wow, I thought, I’d better go back and reread that. What had I said to deserve such a low score? Had I made some gigantic technical error? Had I worded something in such a way as to inadvertently be offensive? I couldn’t find any such gaffes upon reviewing the article, but then I noticed that the low score was based on almost 200 votes. Now that was strange – the article had only been posted for a couple of days, and the usual pattern is about 20 votes over the course of 3 months or more.

I went back and started looking at my previous articles on this site – and found that almost all of them had hundreds of votes and their rankings, previously averaging around 4, had all fallen into the 1s. Then I took a look at the voting system itself. The site owners had created a mechanism designed to discourage voting more than once. The purpose, I assumed, was to keep authors from giving themselves a bunch of 5s to increase their own rankings. But as I played with the system, I discovered that the “one vote” mechanism was based on cookies. To defeat it, all you had to do was clear your browser each time and you could vote as many times as you wanted.

I looked at the articles of other authors on the site and discovered that their ranking still followed the old pattern – each article had only 20-30 votes total after being posted for several months. It seemed pretty obvious that someone had mounted a targeted effort to lower the rankings on all of my articles. Who? Why? I have no idea. The site owners saw the pattern, too, and removed the bogus ratings, but the person who did this is free to do it again, to me or someone else.

Of course, the most popular abuse of anonymity on the ‘net is in the form of spam. For that reason, identity authentication solutions such as the Sender Policy Framework (SPF) and Microsoft’s Sender ID have been developed. If these systems become widespread, it would be much more difficult to send e-mail anonymously – or at least, to get it through to most recipients.

Of course, it wouldn’t address anonymity in chatrooms or when posting to Web sites. However, some have proposed broader based authentication systems that would assign everyone user credentials, which would be required to access the ‘Net through any computer. This would eliminate the ability to get around present identification systems such as IP address tracking by using public computers in libraries, Internet cafés, etc. It’s a long way from becoming reality, but if Internet users continue to abuse the ‘Net’s anonymity features, it will probably be a part of the Internet of the future.

Of course, this solution poses its own concerns. Will free speech be stifled if we all know that every opinion or question we post electronically can be traced back to us? Or will such accountability just deter people from saying things on the ‘Net that they shouldn’t have been saying in the first place? Is someone who won’t sign his/her name just a coward? Or are there legitimate reasons to disguise your identity?

What do you think? Should we have a way to track and identify everyone who posts on a Web site, sends e-mail, engages in online chat or otherwise communicates over the network? Or should people have the right to hide their identities if they want to? Let us know your opinions (anonymously or not) by emailing me.

Deb Shinder
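The cookie-based “one vote” check Deb describes, next to the site-side velocity check a defender would add so that clearing cookies no longer goes unnoticed, as an added Python example that is not from the newsletter or from the rating site; the vote records, article names, the 20-votes-per-90-days baseline and the 10x threshold are all constructed for the example.

```python
"""Vote-stuffing check for a one-vote-per-reader article rating system.

Constructed example: a site lets readers rate articles 1 (poorest) to 5 (best)
and enforces "once" only with a browser cookie. Every cleared cookie yields a
fresh voter id, so the cookie check alone cannot see repeat voting. The
site-side check below does not trust the cookie at all: it compares each
article's vote velocity with the site's historical baseline and flags the
outliers (about 200 votes in two days against a norm of about 20 in three
months, as in the article).
"""
from collections import defaultdict
from dataclasses import dataclass

# Historical norm assumed for the site: ~20 votes over ~90 days per article.
SITE_BASELINE = 20 / 90


@dataclass(frozen=True)
class Vote:
    article: str
    voter_cookie: str   # client-controlled; new value every time cookies are cleared
    score: int          # 1 (poorest) .. 5 (best)
    day: int            # days since the article was posted


def cookie_only_dedup(votes):
    """The weak check: one vote per cookie value. A cleared cookie counts as a new voter."""
    seen, kept = set(), []
    for v in votes:
        key = (v.article, v.voter_cookie)
        if key not in seen:
            seen.add(key)
            kept.append(v)
    return kept


def votes_per_day(votes):
    """Per-article vote velocity: votes divided by days since posting (at least 1)."""
    count, last_day = defaultdict(int), defaultdict(int)
    for v in votes:
        count[v.article] += 1
        last_day[v.article] = max(last_day[v.article], v.day)
    return {a: count[a] / max(last_day[a], 1) for a in count}


def flag_stuffed(votes, baseline_rate, factor=10.0):
    """Articles whose velocity exceeds `factor` times the site baseline, sorted by name."""
    return sorted(a for a, r in votes_per_day(votes).items() if r > factor * baseline_rate)


def mean_score(votes, article):
    """Average score for one article, or None if it has no votes."""
    s = [v.score for v in votes if v.article == article]
    return round(sum(s) / len(s), 2) if s else None


def constructed_votes():
    """Constructed sample: one normally rated article, one stuffed with 200 1s."""
    normal = [Vote("older-article", f"c{i}", 4, 1 + (i * 90) // 20) for i in range(20)]
    normal.append(Vote("older-article", "c0", 5, 3))          # same cookie voting twice
    stuffed = [Vote("latest-article", f"fresh{i}", 1, 1 + (i % 2)) for i in range(200)]
    return normal + stuffed


if __name__ == "__main__":
    kept = cookie_only_dedup(constructed_votes())
    print(len(kept), "votes kept; flagged:", flag_stuffed(kept, SITE_BASELINE))
```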

This keylogger thing

There’s been quite a few of these Winldra variants we’ve been finding (this is the keylogger behind the identity theft ring we stumbled onto a while back).

One thing: 

Not one of the machines we found infected was running Windows XP Service Pack 2.  ALL of the infestations are occurring on older Windows XP systems.

This thing can be installed through one of many different exploits: *.CHM files, Java.Encoded links, MIME base64-encoded links, Unicode-encoded links, JavaScript-encoded scripts (%3F, U00##, etc.).  Most, if not all, of these exploits were fixed even prior to SP2.

During one test, I went to a site that installed the keylogger.  Windows XP SP2, no problem.  Didn’t even touch the machine. Unpatched — zing! Instantly infected.

To those that insist on not upgrading to SP2, you are nuts.  Sorry, it’s the plain truth.  You’re playing with fire.

Alex
(Thanks Patrick)


Rumours of a new SpySheriff leave some antispyware people baffled

We saw a report at DSL Reports from Lavasoft (and an attendant blog entry) about a new variant of the rogue antispyware program SpySheriff that might be on the loose.

It is reported to “delete Ad-Aware, Spybot and possibly other Anti-Spyware / Antivirus software”.  <gulp>

This put our spyware team on a wild goose chase, only to discover that this thing is likely a chimera.  We were able to find a copy of SpySheriff on a site, but it looks like the same old program.  At that same website, however, one researcher here was infected with a nasty worm (probably unrelated and the infection was also due to running a naked XP system — unpatched, no SP2).

Lavasoft is a highly respectable outfit and I have every reason to believe they are getting user reports, so we are really curious about this one.

If anyone sees this thing out there, let us know.  So far, we have not observed it in the field but one never rests in the antispyware business 😉

Alex


Intermix: The daytime series continues

Intermix’s plans to sell to Rupert Murdoch were challenged by Brad Greenspan (Intermix’s former CEO), who made a counter-offer for Intermix.  Intermix has rejected the offer, citing the following reasons:

  • Mr. Greenspan’s proposal does not compare favorably to the pending transaction with News Corporation. Mr. Greenspan would provide cash liquidity for only approximately one-half of the common stock held by Intermix’s stockholders, with the remaining stockholders continuing to hold equity securities in a post-transaction concern with a diminished public equity float.
  • The proposal entails a number of significant and unacceptable risks, including uncertainty relating to financing for the transaction. Freemyspace, LLC would need to raise over $300 million to complete the acquisition. Mr. Greenspan has indicated that these funds will be provided by “several private equity investment firms” that may provide commitments to fund the acquisition only after they have been provided with detailed financial data regarding Intermix that is not currently publicly available. Mr. Greenspan has not identified any of his potential sources of funds and the Intermix board is unable to assess whether they are credible funding sources.
  • The proposed transaction with Mr. Greenspan offers significantly less certainty of closing and would, even if consummated, take months to complete (in comparison to the transaction with News Corporation, which could be completed in a matter of days, subject to the approval of our stockholders).
  • Although existing stockholders would retain an equity interest in a portion of Intermix, the proposal does not provide any operating plan for Intermix, other than to indicate that Mr. Greenspan would propose to cause Intermix to sell off “non-core assets,” focus on the Myspace.com business and ask the management team of Intermix’ subsidiary, MySpace, Inc., to become the executive team of Intermix.
  • The return of Mr. Greenspan to a control position over Intermix could create morale issues with a significant number of Intermix employees, including members of MySpace’s management, and potentially harm the company’s business, particularly in light of the fact that when Mr. Greenspan was removed as Intermix chairman and asked to resign as chief executive officer, the company’s common stock traded for less than $2 per share, the company was struggling with an accounting restatement, its common stock had been delisted from the NASDAQ Small Cap Market, it was the subject of an informal investigation by the Securities and Exchange Commission, various stockholder lawsuits relating to the restatement had been filed, and the company was losing money. 

Alex Eckelberry
(Thanks, Ben)

Note:  I had inadvertently titled Intermix as “Intermedia” in a previous version of this blog.  Apologies.