Microsoft to be added to VirusTotal

VirusTotal and Jotti are key tools in malware research. You can submit a malware sample and find out whether any other security companies are catching it, and what name they are giving it.

Many, but not all, AV vendors participate in these scanners.  Last night, Ziv Mador at Microsoft announced that Microsoft will be joining VirusTotal.

Hi, this is Ziv Mador again from the Microsoft Anti-Malware team. This week, the folks over at VirusTotal added the Microsoft anti-malware engine to their service. VirusTotal is a free service that enables users to submit suspicious files to be scanned by several anti-malware engines. If you choose, files that are not identified as malicious are sent to the vendors who supply the anti-malware engines to this service to be analyzed. As of April 27, the Microsoft anti-malware scanner is included in the set of scanning engines used by VirusTotal. This scanner is based on the same technology found in Windows Live OneCare, the Windows Malicious Software Removal Tool, and Microsoft Antigen, and includes our full antivirus set of signatures. We are glad to be participating in this community opportunity.

Link here.

Alex Eckelberry
(Hat Tip to Jose)

Shameless hype

[Image: Network Computing Well-Connected Award logo]

We won a rather nice award today — the Network Computing Well-Connected Award.

Security Winners – Antispyware
Winner: Sunbelt Software CounterSpy Enterprise 1.5 Getting rid of spyware is a difficult task, but to do it well, antispyware tools must reduce administrative load. In our tests, Sunbelt’s CounterSpy Enterprise performed remarkably well from an administrative perspective. This product can be deployed and updated more efficiently than any other product we reviewed, and it integrates seamlessly with Active Directory. Policy configuration, exclusion lists and status reporting were all top-notch.

Link here.

Alex Eckelberry


These botnets are getting pretty slick

Botnet controllers are getting quite sophisticated. And, as we can see here, even visually appealing.

Check out this botnet controller that our Adam Thomas just found. 

Here’s the main control page:

[Screenshot: botnet controller main console]

Here’s the reports page. 

[Screenshot: botnet controller reports/stats page]

It’s even translated into multiple languages, as not all hackers speak perfect English:

[Screenshot: stats page translated into another language]

There’s also some handy-dandy code we discovered there for HTML code injection, which is used for phishing.

[Screenshot: HTML injection code found on the controller]

Then, we found the stolen data.  Credit card numbers, passwords, the works, from countries all over the world.  Sick stuff.

The botnet lives off a bunch of really ugly malware, with the following file names (VirusTotal links included).

iexplore.exe
ieschedule.exe
ib14.dll
smss.exe
ieserver.exe
preredir.exe
harvest.exe
ieredir.exe

Current virus detection is pretty weak on this set of malware. 
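Two of the file names above (smss.exe and iexplore.exe) are also the names of legitimate Windows binaries, so a name match alone is not a useful signal; what matters is where the file sits. The script below is an added example, not code from the original post or from Sunbelt: it walks a directory tree, flags files that carry one of the reported names, skips a system-named file only when it lives in its expected directory (the expected-location table is an assumption of this example), and hashes each hit so the digest can be looked up on a scanner such as VirusTotal. The sample tree it scans is constructed in a temporary directory with harmless stub contents.

```python
import hashlib
import os
import tempfile

# File names reported for this botnet in the post above.
BOTNET_FILENAMES = {
    "iexplore.exe", "ieschedule.exe", "ib14.dll", "smss.exe",
    "ieserver.exe", "preredir.exe", "harvest.exe", "ieredir.exe",
}

# Where the genuine Windows binary of the same name normally lives, relative to the
# scan root and lower-cased. Assumption of this example; adjust for the host you scan.
EXPECTED_LOCATION = {
    "smss.exe": os.path.join("windows", "system32"),
    "iexplore.exe": os.path.join("program files", "internet explorer"),
}


def sha256_of(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root):
    """Return sorted (relative_path, sha256, reason) tuples for suspicious files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lname = name.lower()
            if lname not in BOTNET_FILENAMES:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            expected = EXPECTED_LOCATION.get(lname)
            if expected is not None and os.path.dirname(rel).lower() == expected:
                # Genuine system binary in its normal place: not reported by this name check.
                continue
            reason = ("impersonates a system binary outside its normal directory"
                      if expected else "known botnet file name")
            findings.append((rel, sha256_of(full), reason))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample layout for demonstration; the files are text stubs, not malware."""
    root = tempfile.mkdtemp()
    layout = {
        os.path.join("windows", "system32", "smss.exe"): b"legit session manager stub",
        os.path.join("windows", "temp", "smss.exe"): b"dropper stub",
        os.path.join("program files", "internet explorer", "iexplore.exe"): b"legit browser stub",
        os.path.join("docs", "harvest.exe"): b"harvester stub",
        os.path.join("docs", "notes.txt"): b"benign document",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for rel, digest, reason in scan_tree(build_sample_tree()):
        print(f"{rel}\t{digest[:16]}...\t{reason}")
```

On a real system you would point scan_tree at the drive root and submit the digests rather than the files; the genuine smss.exe in System32 is deliberately left to a separate hash-based check, since a name-and-location check cannot tell a patched system binary from the original.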

Of course, the trojans look perfectly legitimate:

[Screenshot: one of the trojan samples, looking like a legitimate file]


Alex Eckelberry 


Pssst…you wanna see a Firefox exploit in action?

Earlier this week, I blogged about a site doing a bunch of different exploits, depending on what you are running. 

One of the things the site will do is detect if you have Firefox, and attempt to exploit it, using the InstallVersion.compareTo() vulnerability. 

There are actually a number of sites running this exploit, and one of our researchers, Adam Thomas, was kind enough to take some pictures. Going to a site with an older version of Firefox got him just a bucket-load of spyware.

[Screenshot: Haxdoor variant detected by F-Secure Blacklight]

A Haxdoor variant was installed (seen above as detected by F-Secure’s Blacklight)… and a typical rogue-antispyware security install with a bunch of fake security messages.

[Screenshot: rogue antispyware install with fake security messages]

Hijacked browser…

[Screenshot: hijacked browser]

And this is nifty — there’s even this Local Security Authority Service pop-up message (above). Clicking OK aborts the system shutdown and…brings you to this page:

[Screenshot: fake Local Security Authority Service pop-up and the page it leads to]

And you get the usual fake and hysterical security messages:

[Screenshots: fake security warning messages]

As a final dash of spice, the malware is redirecting attempts to navigate to security-related websites such as Kaspersky.com, Symantec.com, F-secure.com, etc. to Microsoft.com!
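The redirection just described is commonly done by editing the Windows hosts file, which is worth checking whenever a machine can no longer reach its AV vendor. The following is an added example, not code from the original post: it parses hosts-file text, and for a watch list of security-vendor domains (the vendor names come from the post; the list itself and the 192.0.2.10 address in the constructed sample are assumptions of this example) reports entries that point those names at a non-loopback address, separately from entries that merely block them with a loopback address, since blocking an update site is its own classic trick.

```python
import ipaddress

# Constructed sample hosts file for this example (not taken from a real machine).
SAMPLE_HOSTS = """\
# Comments and blank lines are ignored, as in the real file.
127.0.0.1       localhost
127.0.0.1       ads.tracker.example     # harmless ad-blocking entry a user might add
192.0.2.10      www.kaspersky.com
192.0.2.10      kaspersky.com
192.0.2.10      www.symantec.com
192.0.2.10      www.f-secure.com
127.0.0.1       liveupdate.symantec.com
not-an-ip       update.microsoft.com
"""

# Domain suffixes whose hosts entries deserve scrutiny. Assumption of this example;
# extend it with the vendors actually deployed in your environment.
WATCHED_SUFFIXES = ("kaspersky.com", "symantec.com", "f-secure.com",
                    "microsoft.com", "windowsupdate.com")


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, one per hostname on a line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, *names = parts
        for name in names:
            yield addr, name.lower()


def is_watched(host):
    """True if host is a watched domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Classify watched entries: 'redirected' (sent somewhere else) vs 'blocked' (loopback)."""
    redirected, blocked = [], []
    for addr, host in parse_hosts(text):
        if not is_watched(host):
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            # An unparsable address on a watched name is still a tampered entry.
            redirected.append((addr, host))
            continue
        (blocked if ip.is_loopback else redirected).append((addr, host))
    return {"redirected": redirected, "blocked": blocked}


if __name__ == "__main__":
    result = find_hijacks(SAMPLE_HOSTS)
    for kind, entries in result.items():
        for addr, host in entries:
            print(f"{kind:10s} {host:30s} -> {addr}")
```

To run this against a live system, read %SystemRoot%\System32\drivers\etc\hosts and pass its contents to find_hijacks; any entry in the "redirected" list should be treated as a hijack until proven otherwise, since there is no legitimate reason for a hosts file to point a vendor's site at a foreign address.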

On another test system, Adam got UnSpyPC (a rogue antispyware application) and a Haxdoor install, among other things.

[Screenshot: UnSpyPC rogue antispyware on the second test system]

Now, the Faithful (and admittedly few) Readers of My Blog are demigods when it comes to security, so most of you are running a patched version of Firefox (basically, any version 1.05 or higher).  But checking browser stats on this site does show that there is a very small number of you that aren’t updated to a safe version. Very, very few AV vendors detect this exploit, as you can see by clicking here.

Alex Eckelberry
(And, thanks again for the tip from some French friends)

And they call this Genius?

New form of corporate spyware (not related to the well-known mouse company):

In early May, a new on-demand service called Genius is going to launch that will let sales folks track the performance of their e-mail marketing campaigns by letting them spy on the subsequent online actions of their marks. The way it will work is that Genius will set up so-called ghost URLs that mirror your company’s Website for you to put in your marketing e-mails. So when someone clicks on the URL, everywhere they go and every action they take on the Website is recorded and tied back to their e-mail address.

Link here.

Alex Eckelberry
(thanks Leslie)

Orbitz sued for misappropriation of data

Worldspan, a provider of electronic services to travel agencies, is suing Orbitz for $50 million for breach of contract, including alleged misappropriation of data.

The lawsuit, filed in the Cook County Circuit Court of Illinois (case number 2006L4255), alleges (among other things) that Orbitz has been “abusing and exceeding” access to Worldspan’s electronic systems by improperly accessing data about seatmaps on certain flights that Orbitz customers were considering booking through Orbitz.

Orbitz also allegedly misappropriated other data gathered by Worldspan, including data related to airline taxes and surcharges in connection with airline tickets, and data providing a comparison of available flight routing options and associated prices. Orbitz then allegedly used this information to process requests from Orbitz’s customers.

This is on the heels of other legal issues for online travel agencies not paying adequate hotel taxes.

Alex Eckelberry
(Thanks David)

IE 7 add-on page

[Image: IE add-ons site header]

From the IE blog:

We’re excited to announce our new site at www.ieaddons.com. The site has two objectives: to make it easier for users to find valuable add-ons and to promote our partners who develop add-ons. On the new site we partnered with CNET to compile an extensive list of add-ons that make browsing with IE more productive, fun and safe. At the same time, we’ve worked to streamline the search and download process, added web feeds for the most popular and newest add-ons, and included editorial and user reviews to provide as much feedback to you as possible before you install an add-on. Customers can access the add-on site from the “Tools” menu and from the “Manage Add-ons” interface.

Link here.

Alex Eckelberry
(Thanks Scott)

Payment at your fingertips – literally

Large retailers like WalMart, Target and Costco are investigating the benefits of using biometrics for customer payments. One of these days soon, you may be able to pay at the checkout counter by inserting a finger into a fingerprint reader, circumventing the need to write a check or carry a credit/debit card around with you (any of which could be lost). Some people see it as an invasion of privacy, while others see it as a way to thwart identity thieves and other fraudsters. For the retailers, transaction costs can be reduced. We can only hope they might pass some of the savings on to us, the customers. Read more about it here.


Sunbelt TechTips for the week of April 24

How to enable connections to a SQL server on XP SP2
If you’re trying to use a Windows XP client computer with Service Pack 2 installed to connect to a SQL server, you may find yourself unable to connect. That’s because SP2 automatically turns on the Windows firewall, which by default blocks the ports that SQL uses. You can solve the problem by creating an exception in Windows firewall for SQL. Here’s how:

  • Click Start | Run.
  • In the Run box, type firewall.cpl
  • Click OK
  • In the Windows Firewall dialog box, click the Exceptions tab, then click Add a Program.
  • In the Add Program dialog box, select an instance of SQL Server or browse to its location by clicking the Browse button. For example, the default instance of SQL Server 2000 is stored in Program Files\Microsoft SQL Server\Mssql\Binn\Sqlservr.exe.

If you’re using Multiprotocol, then after creating the exception for each instance of SQL Server you also need to open ports on the firewall and modify the registry. For instructions on how to do so, see KB article 841251 here.

How can I get rid of Google search history?
Is there a way to “hide the evidence” of the terms you’ve searched for on Google?  The short answer is yes – but how to do it depends on how you do your Google searches. If you search from the Google web site, the search terms that are saved in the dropdown box aren’t saved by Google itself, but by your Web browser. If you use IE, this is saved as a “form” (like other forms that you fill out on the Web). To get rid of the contents of this drop-down list, do the following:

  • In IE, click the Tools menu and select Internet Options…
  • Click the Contents tab.
  • Click the AutoComplete button.
  • Click the Clear Forms button.

Note that this will clear the autocomplete information saved by all Web forms, not just Google’s.

If you use the Google toolbar on your browser, it’s even easier. Just click the little down arrow on the toolbar right after the Google logo, and click Clear Search History.

How to configure file sharing in Windows XP
You know that you can share your files with other users on the network. But how do you manage different levels of access to your shared folders? And what are some of the problems that crop up with file sharing and how can you fix them? KB article 304040 explains how to use the Simple File Sharing interface, how to turn simple file sharing off, provides some guidelines for sharing files and tells you how to troubleshoot known problems. Link here.

How to perform a clean reboot so automatic services won’t interfere with games
Gamers may find that some of the programs Windows automatically starts when you boot up normally can interfere with certain games such as Flight Simulator, Halo, Age of Mythology and others. You can do a “clean reboot” that only loads basic services and devices by following the instructions in KB article 331796 here.

XP stops responding if you install Service Pack 2
Service Pack 2 has been out there for a while now, but if you haven’t yet done the upgrade, take note of this if your computer uses a VIA processor. Some models of this processor cause XP to hang up with a “Please wait …” message when you install Windows XP with SP2 or upgrade to SP2. There are workarounds; one of them involves editing the registry so be sure and back it up first. The instructions for both workarounds are in KB article 893356 here.

Computer hangs if maximum log file size is set incorrectly
If you change the maximum log size settings to their maximum and don’t apply the changes correctly, the log files can get too big, resulting in the use of too much memory which causes the system to hang. For instructions on how to set the log files correctly, and what to do if this happens to you, see KB article 329095 here.   

Deb Shinder

And more security scam hijack sites

From our dear friend “Alexander Morozov”.  Block away.

arcyp(dot)com
jadfair(dot)com
nisiet(dot)com
phbrink(dot)com
watcomm(dot)com
campco(dot)net
lipreferred(dot)com
mega-chem(dot)com
vrstandard(dot)com
accessibletransport(dot)com
halloweenoutreach(dot)com
hangerhandler(dot)com
hargraveranch(dot)com
daphna-jewels(dot)com
smart4all(dot)com
westtexasonline(dot)org
handwave(dot)com
tidelinecharter(dot)com
fotosansimon(dot)com
jimuldoons(dot)com
webtendency(dot)com
gonzales-ca(dot)com
3dme(dot)com
agrivir(dot)com
legacyart(dot)com
modereko(dot)com
fanatticrecords(dot)com
hclperot(dot)com
kiddefender(dot)com
kotanikinya(dot)com
www(dot)arcyp(dot)com
www(dot)jadfair(dot)com
www(dot)nisiet(dot)com
www(dot)phbrink(dot)com
www(dot)watcomm(dot)com
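Lists like the one above are published defanged ("(dot)" in place of ".") so that readers don't click them by accident, and they often contain both the bare domain and its www variant. To "block away" you need them back in machine form and de-duplicated. The script below is an added example and not part of the original post: it re-fangs entries (handling "(dot)", "[.]" and "hxxp://" forms), collapses the www prefix, rejects anything that doesn't look like a hostname, offers a suffix-aware lookup so that any subdomain of a listed domain matches, and renders the result as hosts-file lines. The embedded list is an excerpt of the domains from the post.

```python
import re

# Excerpt of the defanged list from the post above.
DEFANGED_LIST = """\
arcyp(dot)com
jadfair(dot)com
nisiet(dot)com
phbrink(dot)com
watcomm(dot)com
campco(dot)net
westtexasonline(dot)org
www(dot)arcyp(dot)com
www(dot)jadfair(dot)com
"""

HOSTNAME_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")


def refang(entry):
    """Turn a defanged indicator such as 'www(dot)example(dot)com' or 'hxxp://x[.]y/p'
    back into a plain lower-case hostname."""
    host = entry.strip().lower()
    host = re.sub(r"^hxxps?://", "", host)
    host = re.sub(r"\((?:dot|\.)\)|\[(?:dot|\.)\]", ".", host)
    return host.split("/", 1)[0]          # drop any path component


def normalize_blocklist(text):
    """Return a sorted list of unique registrable-looking hostnames, with 'www.' collapsed
    so that www(dot)x(dot)com and x(dot)com become one entry."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host = refang(line)
        if host.startswith("www."):
            host = host[4:]
        if HOSTNAME_RE.fullmatch(host):
            hosts.add(host)
    return sorted(hosts)


def host_is_blocked(hostname, blocklist):
    """True if hostname or any parent domain (but never the bare TLD) is on the list."""
    labels = hostname.lower().rstrip(".").split(".")
    blocked = set(blocklist)
    return any(".".join(labels[i:]) in blocked for i in range(len(labels) - 1))


def to_hosts_file(blocklist):
    """Render the list as hosts-file lines pointing both bare and www forms at 0.0.0.0."""
    lines = []
    for host in blocklist:
        lines.append(f"0.0.0.0 {host}")
        lines.append(f"0.0.0.0 www.{host}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    blocklist = normalize_blocklist(DEFANGED_LIST)
    print(to_hosts_file(blocklist), end="")
    print("www.arcyp.com blocked:", host_is_blocked("www.arcyp.com", blocklist))
```

The suffix-aware lookup is what makes the www entries redundant; it also means a sub-subdomain such as cdn.arcyp.com is caught without listing it, while a look-alike such as notarcyp.com is not.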

Registrant:
Morozov, Alexander
  Capital Collect Services, LLC
  2505 Main Street, suite 231
  For 7539381
  Stratford, CT 06615
  US

Patrick Jordan and Adam Thomas

If you’re paranoid, Skype might be your best bet

Worried that someone may be eavesdropping on your phone calls? Landlines and cell phones can easily be wiretapped. Some Voice over IP transmissions can be intercepted. But it appears Skype-to-Skype calls may be the most secure means of voice communication, since they’re encrypted with 256 bit keys. This is a good thing for privacy advocates, but may not sit as well with government and law enforcement agents, who see it as an opportunity for terrorists and other criminals to go undetected. Read more here.

Skype was one of the first popular computer-based VoIP services. It’s now owned by eBay, and it allows you to make free voice calls and send Instant Messages from your computer to another computer. You can also pay a per-minute fee to make calls to regular landline phone numbers and cell phones through a service called SkypeOut. And there’s also a service called SkypeIn, where you’re assigned a regular phone number for your Skype account so people can call you from landlines and cell phones. You have to download and install the Skype program, which is available for Windows, Macintosh OS X, Linux and even Pocket PC. You can get the software here.

According to this article, Skype calls are impossible – or at least very difficult – to eavesdrop on (this doesn’t apply when you use Skype to call landlines and mobile phones because the call can be intercepted when it enters the regular or wireless phone system).

Skype uses 256 bit AES encryption, a U.S. government standard, and uses 1024 bit RSA to negotiate the AES keys. But does NSA have a “backdoor” into AES? Some folks think so although there’s no real proof. The ACLU published this interesting article about what the NSA may be able to do; although it doesn’t specifically mention the encryption schemes they can crack, it offers insight into their data mining practices here.

Up until the late 1990s, there were strict laws in the U.S. controlling the export of encryption software to other countries. This software was actually classified as “munitions.” Use of encryption never really caught on with regular computer users, in part because it required installing extra software such as Pretty Good Privacy (PGP) and in part because encrypting your data was seen to call more attention to it, providing a red flag to the government and others that there must be something “juicy” involved.

It’s not just the encrypted nature of the calls that could make Skype attractive to criminal types. As with most VoIP services, you can get phone numbers in any area code no matter where you actually live. So you might live in New York and have a phone number with a San Francisco area code, making it more difficult to determine where you really are. And of course, you can use that number when you’re traveling, from many different places.

In fact, the problem is that just about anything that provides privacy for regular folks also helps the bad guys conceal what they’re doing. And that’s resulting in a lot of laws that are stripping us all of the last remnants of privacy that we had – and that’s not just a matter of concern for those with something to hide. It subjects us all to the risk of identity theft.

For example, we have always used our PO box for credit card correspondence to prevent the possibility of thieves stealing our mail from the curbside box and getting our credit card information from statements or sending in responses to the free offers of new cards without our knowledge. We recently closed our PO box 20 miles away (near our old residence) and opened a new one close to where we live now. But when we went to change the address with our credit card company, they wouldn’t accept a P.O. box. Supposedly this is because of Patriot Act requirements. Now I don’t mind giving them my street address for their records (well, okay, I do mind because of the many times companies have had this sort of customer information hacked, but I understand it). However, to not allow us to have a separate mailing address is ridiculous – and we’re canceling that card because of that, along with the fact that they send us “blank checks” several times a month that anyone could fill in to charge to our card. We have a credit card with another company (AAA) that does allow us to use a mailing address.

This is just one example of how new laws are eroding our privacy. Will Skype be outlawed – or forced to change its technology so messages aren’t encrypted – in the name of fighting terrorism? We’ve got to wonder.

What do you think? Much ado about nothing, or are the current trends dangerous to our well-being? Should we crack back down on the export of encryption, or is that futile since many of those plotting against us may be inside our own borders? When you make a phone call, does it matter to you if the NSA is listening, or do you figure it’s worth the sacrifice of a little privacy if it helps prevent further terrorist attacks or catches a drug dealer?

Deb Shinder

Netword classification

The Netword Agent (netword.com) is a browser toolbar and add-on that enables users to perform searches on keywords (“networds”) either through the toolbar itself or the browser URL address bar. Although users can define their own “networds” or “keywords” (which are then used as an alternative form of bookmarks), the search results returned for most “networds” are, in fact, paid-for advertising of one sort or another.

The company had approached us about our listing of their product in our CounterSpy database. Subsequently, we performed an exhaustive review of the product and the company’s practices and as a result, we will be changing the product’s classification from “Adware” to “Low Risk Adware,” and will be changing the default action presented to users from “Quarantine” to “Ignore.” This ensures that although CounterSpy will still detect Netword, users must affirmatively elect to let CounterSpy remove the program by changing the action themselves from “Ignore” to “Quarantine” or “Remove.”

We have elected to continue detecting the application because of concerns surrounding the inadequate disclosure of the advertising functionality of the program. See our report here for more details.

Alex Eckelberry

Fake Microsoft Lottery

What chutzpah, but this fake lottery is almost humorous. From a spam email received today:

FROM THE VICE PRESIDENT
MICROSOFT LOTTERY INTERNATIONAL
PROMOTIONS PRIZE AWARD
REF Nº: MIC25003189SP05
BATCH Nº:1007581906

ATTN WINNER, 

We wish to congratulate you over your success in our MICROSOFT LOTTERY INTERNATIONAL WORLD GAMING BOARD computer balloting Sweep stake held on the 15Th April 2006. This is a Millennium scientific computer games lottery in which email addresses were used. It is a promotional program aimed at encouraging Internet users; therefore you do not need to buy ticket to enter for this draws.

Your email address name attached to a ticket number 042091690 with serial number 932306 drew the lucky numbers 82148814575 which consequently won the lottery in the 1st category. You have therefore been approved for a lump sum payout of
THREE HUNDRED AND FIFTY THOUSAND EUROS ONLY (350,000.00 Euros) this is from total prize money of 1,000,000.00 Euros distributed to winners from 1st to 3rd and consolation awards categories.

CONGRATULATIONS:
Your fund is now deposited with our correspondence Bank .Due to mix up of some numbers and names, we ask that you keep your winning information confidential until your claims has been processed and your money Remitted to you. This is part of our security protocol to avoid double claiming and unwarranted abuse of this program by some participants. All participants were selected through a computer ballot system drawn from Microsoft users from over 20,000 company, and 3,000,000 individual email addresses and names from all over the world. this promotional program takes place every three years.

To begin your claim please contact your claim agent Mr. David Lopez For processing and remittance of your prize fund into your designated bank account.

LIBERTY SEGUROS COMPANY
Contact person: Mr. David Lopez
(Legal Department Officer)
Email:
legaldepliberty@netscape.net
Tel: 0034 676799031
Madrid Spain

Note: All prize funds must be claimed before the 8Th of May 2006 after this date all funds will be returned to the MINISTERIO DE ECONOMIA Y HACIENDA as unclaimed. In order to avoid unnecessary delays and complications, please endeavor to quote your reference and batch numbers in every correspondence with us to your claim agent. Furthermore, should there be any change in your address do inform your claim agent as soon as possible. Congratulation once again from all members of our staff and thank you for being part of our promotion program.

Yours Sincerely,
Sandra Garcia
Vice President,
MICROSOFT LOTTERY INTERNATIONAL

NOTE; ONLY REPLY TO YOUR CLAIMS COORDINATOR TO CLAIM YOUR CASH PRIZE.

There’s a sucker born every minute…
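The message above has every hallmark of advance-fee "lottery" spam: a prize for a draw you never entered, a sum spelled out in words and figures, a demand for confidentiality, a "claim agent", a deadline, official-looking reference numbers, and a big-brand name paired with a free webmail contact address. The script below is an added example, not from the original post: it turns those tells into a weighted score over a message. The phrases are taken from the message quoted above; the weights, the 6-point threshold and the free-mail domain list are assumptions of this example rather than any published scheme. The scam sample is an excerpt of the quoted mail; the benign sample is constructed.

```python
import re

# Weighted indicators. Each is (label, regex, weight).
INDICATORS = [
    ("prize for a lottery the recipient never entered",
     r"do not need to buy (?:a )?ticket|email addresses were used", 3),
    ("prize stated in words and in figures",
     r"\b(?:thousand|million)\b.*?\(\s*[\d,]+\.\d{2}\s*(?:euros?|dollars?|usd|gbp)\)", 3),
    ("demands confidentiality", r"\bconfidential\b", 2),
    ("routes the victim to a 'claim agent'", r"\bclaims? (?:agent|coordinator)\b", 2),
    ("deadline pressure", r"\bmust be claimed before\b", 2),
    ("reference and batch numbers for an official look", r"\b(?:ref|batch)\s*n[ºo]?\s*:", 1),
]

# Free webmail providers (assumed list) and brand names a scam borrows credibility from.
FREE_MAIL_DOMAINS = {"netscape.net", "yahoo.com", "hotmail.com", "gmail.com"}
BRANDS = ("microsoft",)

SAMPLE_SCAM = """\
FROM THE VICE PRESIDENT
MICROSOFT LOTTERY INTERNATIONAL
REF Nº: MIC25003189SP05
BATCH Nº:1007581906
It is a promotional program aimed at encouraging Internet users; therefore you do not
need to buy ticket to enter for this draws. You have therefore been approved for a lump
sum payout of THREE HUNDRED AND FIFTY THOUSAND EUROS ONLY (350,000.00 Euros).
We ask that you keep your winning information confidential until your claims has been
processed. To begin your claim please contact your claim agent Mr. David Lopez.
Email: legaldepliberty@netscape.net
Note: All prize funds must be claimed before the 8Th of May 2006.
"""

# Constructed benign message: uses the word "confidential" but nothing else matches.
SAMPLE_BENIGN = """\
Hi team, the quarterly budget is attached; please treat it as confidential until the
board meeting. Questions to alice@contoso.example. Thanks, Alice
"""


def free_mail_only(text):
    """True if the message gives at least one e-mail address and all are on free webmail."""
    domains = re.findall(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", text)
    return bool(domains) and all(d.lower() in FREE_MAIL_DOMAINS for d in domains)


def score_message(text):
    """Return (score, list of matched indicator labels) for one message."""
    flat = " ".join(text.split())          # collapse line breaks so phrases match across them
    score, hits = 0, []
    for label, pattern, weight in INDICATORS:
        if re.search(pattern, flat, re.IGNORECASE):
            score += weight
            hits.append(label)
    if any(b in flat.lower() for b in BRANDS) and free_mail_only(flat):
        score += 3
        hits.append("big-brand name but free webmail contact address")
    return score, hits


def is_scam(text, threshold=6):
    return score_message(text)[0] >= threshold


if __name__ == "__main__":
    for name, msg in (("scam", SAMPLE_SCAM), ("benign", SAMPLE_BENIGN)):
        score, hits = score_message(msg)
        print(f"{name}: score={score} scam={is_scam(msg)}")
        for h in hits:
            print("   -", h)
```

Scoring several weak signals rather than matching one phrase is what keeps the benign message below the threshold even though it also says "confidential"; in production the indicator table would be far larger and the weights tuned against real mail, but the structure is the same.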


Happy fun exploit party

There are a number of sites out there using a large number of different exploits to install malware on systems.

For example, one site that masquerades as the Red Cross installs nasty malware using one of the following exploits:

MS03-011
MS04-013
MS05-002
MS05-054
MFSA 2005-50 (Firefox vulnerability)
MS06-006

You can see a screen shot of the admin console with the success by exploit:

[Screenshot: exploit admin console showing successes per exploit]

There are other similar consoles we ran across as well showing similar types of statistics.

This site claims an exploit efficiency of 7%, a number that’s not trivial. Even unpatched Firefox users are getting hit here.

Just a reminder that just because you use Firefox, you still need to keep updated with the latest patches.  And as far as running IE, well, you know what you need to do. 

More detailed stats are available here (pdf), from the same page.

Alex Eckelberry
(Thanks for the tip from some French friends)