The ANI exploit and CounterSpy and Ninja

This exploit is something of concern.

Some updates:

CounterSpy: CounterSpy detects the Ani exploit as “Trojan-Exploit.Anicmoo.ax (v)” in definition set 526. Incidentally, VirusTotal coverage as of 1:30 CET today here.

Ninja: Since email is a potential attack vector, securing that area is important. The full version of our Ninja Email Security product includes two AV engines — Authentium and BitDefender. However, many customers only run the antispam portion of Ninja. So while the BitDefender AV engine in Ninja does detect these malformed .ani files, this will only be useful to customers if they’re using Ninja’s AV functionality.

However, Ninja does include intelligent attachment filtering, which looks past the extensions of many file formats to see what type of file is actually being sent. So we just posted an updated set of SMART definitions for anyone using Ninja 2.1.xxx which will allow you to create an attachment filtering rule to block .ani files regardless of what they have been named. In this way, even if you’re not using Ninja’s AV functionality, you can still block these files from getting to your users.
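The point of the paragraph above is that an attachment filter has to decide by content, not by name. The block below is an added example, not Ninja's SMART definitions or any Sunbelt code: it identifies an animated cursor by its RIFF header (form type "ACON"), which is how the .ani format announces itself in its first twelve bytes, and applies a block/allow verdict whatever the attachment is called. The attachment list and the RIFF builder are constructed for the demonstration.

```python
"""Content-based detection of Windows animated-cursor (.ani) attachments.

Added example (not Sunbelt's Ninja code). An .ani file is a RIFF container
whose form type is "ACON", so the first 12 bytes identify it regardless of the
extension. The sample attachments below are constructed.
"""
import struct

RIFF_MAGIC = b"RIFF"
ANI_FORM_TYPE = b"ACON"


def looks_like_ani(data: bytes) -> bool:
    """True if the bytes start with a RIFF header whose form type is ACON."""
    if len(data) < 12:
        return False
    return data[:4] == RIFF_MAGIC and data[8:12] == ANI_FORM_TYPE


def riff_size_is_consistent(data: bytes) -> bool:
    """Check the declared RIFF length against the real payload size.

    The 32-bit little-endian size at offset 4 counts everything after itself.
    A declared size that disagrees with the data is worth flagging on its own.
    """
    if len(data) < 8:
        return False
    declared = struct.unpack("<I", data[4:8])[0]
    return declared == len(data) - 8


def filter_attachments(attachments):
    """Yield (filename, verdict) for each (filename, bytes) pair.

    "block:ani-content"   - the content is an animated cursor, whatever the name
    "block:ani-extension" - only the name says .ani (still blocked by policy)
    "allow"               - neither applies
    """
    for name, data in attachments:
        if looks_like_ani(data):
            yield name, "block:ani-content"
        elif name.lower().endswith(".ani"):
            yield name, "block:ani-extension"
        else:
            yield name, "allow"


def make_riff(form_type: bytes, payload: bytes) -> bytes:
    """Build a minimal, well-formed RIFF container (constructed test data)."""
    body = form_type + payload
    return RIFF_MAGIC + struct.pack("<I", len(body)) + body


# Constructed sample attachments: an ANI renamed to look like a picture, a WAV
# (also RIFF, form type "WAVE") that must not be flagged, and a text file
# carrying a misleading .ani extension.
SAMPLE_ATTACHMENTS = [
    ("holiday.jpg", make_riff(ANI_FORM_TYPE, b"anih" + b"\x24\x00\x00\x00" + b"\x00" * 36)),
    ("ringtone.wav", make_riff(b"WAVE", b"fmt " + b"\x10\x00\x00\x00" + b"\x00" * 16)),
    ("notes.ani", b"just text, not a cursor"),
]

if __name__ == "__main__":
    for name, verdict in filter_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name:14} {verdict}")
```

The WAV case is there deliberately: both formats are RIFF containers, so a filter that stops at the first four bytes would block every voicemail attachment. Checking the form type at offset 8 is what separates them.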

Alex Eckelberry

Oh Dear Lord: This man has actually named his product a “condom”

I’ve talked about unfortunately-named products before, but this absolutely takes the cake.

There’s a new product out called a Browser Condom.

The description:

It’s and [sic] advanced technology that allow [sic] you to run any kind of software in your computer without a risk of be [sic] infected with any kindof [sic] virus, spyware, trojan and any kind of malware. (VTD) , Virtually Transmitted Diseases.

The icon of the product is, well, a condom wrapper.

Why the name? Was he inspired by the pictures of the Klik Revenue boys exuberantly playing with condoms? Or the picturesque city of Condom, France?

I’m being good, really: There’s so much room for so much humor here, it’s difficult to contain oneself.

But I run a respectable blog here, people. So I’ll let you do the dirty work: Comment away…

Alex Eckelberry
(A copious acknowledgment to Paperghost, who blogged first about this.)

Ani format exploit — reading in plain text may still be vulnerable

A surprising post at SANS this morning:

A short overview of how the different email clients (in the supported list of Microsoft) are reacting to the animated cursor vulnerability (CVE-2007-1765) depending on the actions and settings of the email client.

The surprising element is that reading in plain text mode makes some of the clients more vulnerable and actually only offers real added value -for this vulnerability- for Outlook 2003.

More here (via Donna).

Alex Eckelberry

Preview of CounterSpy Enterprise 2.0


Greg Kras and I will be giving a preview of our new CounterSpy Enterprise 2.0 next Tuesday. (This is the version of CounterSpy designed for business use.)

If you want to take a look, please join us:

A First Look at CounterSpy Enterprise 2.0

When: Tuesday, April 3, 2007 2:00 PM (EDT)
To join the day of the event please visit:

http://www.sunbelt-software.com/rd/rd.cfm?id=070330EB-CSE_Webcast
Meeting ID: 92SSQC
Attendee Meeting Key: XR*mw9Z
Audio: Toll free: +1 (800) 416-4956
Toll: +1 (978) 964-0050
Participant code: 104764

Alex Eckelberry

Brilliant!

I’m going to give you a sneak peek of a very cool skunkworks project going on over at Mayhemic Labs.

One thing that a lot of people have commented on (and particularly the good folks over at F-Secure) is that phishers register domains using words like “Chase”, “ebay”, etc. This makes it easier to fool their victims (for example with a URL like “chase-banking-center.com”).

Of course, a great idea is to have the domain registrars simply refuse to register domains with these names (or at least trigger a review of a suspicious domain before allowing it to register). However, that’s not always easy to get done.

But what if new suspicious domain registrations were automatically tracked in a format that allows everyone to see what’s going on?

That’s just what Ben Jackson did over at Mayhemic Labs: He developed a “Domain Tracker System” to track domain registrations by using DomainTools’ Domain Mark reports.

Called the Crow’s Nest, it aggregates submissions of domain mark reports containing keywords that would likely be used in a phishing domain. The system processes these reports and adds them into a database. The submitter (or other volunteers) can then flag domains that look suspicious. These domains are then monitored for activity. Every 6 hours, registration and DNS records are checked to see if the domain is hosted and/or still registered. If the site is hosted, the user can then check the site and see if something phishy is going on, and if so, notify the parties affected.
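The first stage of the system described above, keyword screening of new registrations so that a human can decide which ones to flag, is easy to show in code. The block below is an added example and is not Ben Jackson's Crow's Nest code; the watch keywords, the allowlist of brand-owned domains, the lure-word list and the registration records are all constructed, and the TLD handling assumes single-label suffixes like .com.

```python
"""Keyword screening of new domain registrations, in the spirit of Crow's Nest.

Added example, not the Crow's Nest code. It picks out newly registered domains
that contain brand keywords a phisher would likely use, folds the usual
hyphen/digit tricks first, and leaves the brand's own domains alone. Every
list and record here is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Brand keywords of the kind the post mentions (constructed list).
WATCH_KEYWORDS = ("chase", "ebay", "paypal")

# Domains that legitimately contain a keyword (constructed allowlist).
BRAND_OWNED = {"chase.com", "ebay.com", "paypal.com"}

# Words that often accompany a brand name in a lure (constructed list).
LURE_WORDS = ("secure", "login", "verify", "update", "account", "banking")


@dataclass
class Hit:
    domain: str
    keywords: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def normalize(name: str) -> str:
    """Fold separators and look-alike digits so the keyword test sees the word."""
    folded = name.lower().replace("-", "").replace("_", "")
    return folded.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "@": "a"}))


def screen(domain: str) -> Optional[Hit]:
    """Return a Hit when the domain deserves a human look, else None."""
    d = domain.lower().rstrip(".")
    if d in BRAND_OWNED:
        return None
    name = ".".join(d.split(".")[:-1])  # assumes a single-label TLD (.com, .net ...)
    folded = normalize(name)
    hit = Hit(domain=d)
    for kw in WATCH_KEYWORDS:
        if kw in folded:
            hit.keywords.append(kw)
    if not hit.keywords:
        return None
    # Extra signals that raise the priority of a hit; none of them is decisive.
    if "-" in name or "_" in name:
        hit.reasons.append("separator in name")
    if re.search(r"\d", name):
        hit.reasons.append("digits in name")
    for lure in LURE_WORDS:
        if lure in folded:
            hit.reasons.append(f"lure word '{lure}'")
    return hit


def screen_batch(domains) -> List[Hit]:
    """Screen a day's registrations and keep only the hits, in input order."""
    return [h for h in (screen(d) for d in domains) if h is not None]


# Constructed registration records for one batch.
NEW_REGISTRATIONS = [
    "chase-banking-center.com",
    "chase.com",
    "ebay-secure-login.net",
    "paypa1-verify.org",
    "purchase.com",        # "chase" inside an unrelated word: a false positive
    "weatherreport.info",
]

if __name__ == "__main__":
    for h in screen_batch(NEW_REGISTRATIONS):
        print(h.domain, h.keywords, h.reasons)
```

Note that "purchase.com" is reported with no supporting reasons: substring matching on a short brand name will always sweep up innocent words, which is exactly why the post has a submitter or volunteer flag domains by hand rather than letting the keyword match alone drive the monitoring.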


For now, this site is only being used by security researchers. There are also lots of people who helped him in this, and when it goes public, I’m sure he’ll thank those that don’t mind being publicly acknowledged.

Expect this site to be public in a few weeks. And then those Phishers will feel a whole lot of hurt.

Alex Eckelberry

Battle stations: New “ani” zero day being hunted

The folks over at McAfee have written today about a new zero day, and it doesn’t look pretty. Our team is on high alert for this exploit and we are actively hunting for any sites which are using it.

From McAfee:

Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently.

The ani file format is an animated cursor format. We have exploit code and it’s not pretty.

We’ll post more information as we get it.

Alex Eckelberry

Data Feeds from the Sunbelt Software Threat Center

Our advanced research provides us with a vast amount of new security research (URLs, malware samples, etc), and now it’s available to other companies and researchers. As a complement to our CWSandbox automated malware analysis suite, we provide to technology and business partners three data feeds from our Threat Center (feeds are only available to vetted professional security researchers and recognized security companies).

These feeds are an extraordinarily valuable resource to assist in analyzing, protecting and remediating malware threats.

Feed #1: Malware Sample sharing
Frequency: Daily
Provides: New samples downloaded each day, in a dated daily zipfile that is double-compressed and password-protected. Each sample is named with its md5sum, followed by .EX$. This is not sent in email, as the file size is prohibitive. Only new samples (by md5) will be posted each day, all of which will be Microsoft Portable-Executable (PE) files.

Feed #2: XML Reports
Frequency: Immediate upon submission from any existing source to our CWSandbox database (i.e. very frequently).
XML reports are sent as email attachments. While the size of the attachments is small (typically 20K to 200K), the total volume of email is high (can be several thousand per day) so a specific email account or alias for receiving these should be used.
Provides: XML reports of every sample scanned through the CWSandbox. No-frills email format with a text or an HTML result and the XML report attached to it.

Feed #3: Distilled URLs and IPs
Frequency: Daily
Provides: New malware URLs in a daily text digest. URLs provided either come from our research center, from URLs that have been reported as malware that day, or that have been downloaded in the CWSandbox by Trojan downloaders. Vendors are responsible for sorting malware from other behavior (i.e. phish submissions, ad rotationals, potential false positives). We advise downloading EXE files first with tools like Wget and Grep, then sorting the list to fit the role.
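Two of the feed descriptions above imply checks a consumer should run before trusting the data: Feed #1 names each sample after its md5sum with an .EX$ suffix and promises PE files only, and Feed #3 is a URL digest from which the post suggests pulling the EXE links first. The block below is an added example, not Sunbelt's feed tooling: it verifies a sample's name against its content and PE magic, and extracts the .exe URLs from a digest. The sample files and the digest are constructed, the md5 in the name is assumed to be lowercase hex, and example.invalid is a reserved name used as a stand-in.

```python
"""Consumer-side sanity checks for the Threat Center sample and URL feeds.

Added example, not Sunbelt's code. Feed #1 entries are "<md5>.EX$" and are
always PE files; Feed #3 is a plain-text digest of URLs. Everything below
that looks like data is constructed.
"""
import hashlib
import re
from typing import List, Tuple
from urllib.parse import urlparse

SAMPLE_SUFFIX = ".EX$"
PE_MAGIC = b"MZ"  # DOS header every Windows PE file starts with


def check_sample(filename: str, data: bytes) -> List[str]:
    """Return the problems with one Feed #1 entry (an empty list means clean)."""
    problems = []
    has_suffix = filename.endswith(SAMPLE_SUFFIX)
    if not has_suffix:
        problems.append("unexpected suffix")
    stem = filename[: -len(SAMPLE_SUFFIX)] if has_suffix else filename
    if not re.fullmatch(r"[0-9a-fA-F]{32}", stem):
        problems.append("name is not a 32-hex md5")
    elif hashlib.md5(data).hexdigest() != stem.lower():
        problems.append("md5 of content does not match name")
    if data[:2] != PE_MAGIC:
        problems.append("not a PE file (missing MZ header)")
    return problems


def exe_urls(digest: str) -> List[str]:
    """Pull URLs whose path ends in .exe out of a Feed #3 digest, deduplicated, in order."""
    seen, out = set(), []
    for line in digest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parsed = urlparse(line)
        if parsed.scheme in ("http", "https") and parsed.path.lower().endswith(".exe"):
            if line not in seen:
                seen.add(line)
                out.append(line)
    return out


def _pe_like(payload: bytes) -> bytes:
    """Constructed stand-in for a PE file: only the MZ magic is real."""
    return PE_MAGIC + payload


_GOOD = _pe_like(b"\x90\x00" + b"constructed sample A")

# Constructed feed entries: a correct one, one whose name does not match its
# content, and a stray file that should never appear in the feed at all.
SAMPLES: List[Tuple[str, bytes]] = [
    (hashlib.md5(_GOOD).hexdigest() + SAMPLE_SUFFIX, _GOOD),
    ("0123456789abcdef0123456789abcdef" + SAMPLE_SUFFIX, _pe_like(b"constructed sample B")),
    ("notes.txt", b"hello"),
]

# Constructed digest; example.invalid is a reserved name that resolves nowhere.
DIGEST = """\
# constructed daily digest
http://example.invalid/downloads/setup.exe
http://example.invalid/landing.html
http://example.invalid/downloads/setup.exe
https://example.invalid/cgi/get.php?file=tool.exe
http://example.invalid/update.EXE
"""

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, check_sample(name, data) or "ok")
    print(exe_urls(DIGEST))
```

The get.php entry is left out on purpose: a path-based filter misses executables served through a query string, so the Wget-and-Grep pass the post recommends should be treated as a first cut, not as the sorting itself.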

If you’re interested in finding out more, contact Chad Loeven.

Alex Eckelberry

Sunbelt Weekly TechTips #37

Test your memory
Recently Tom (my husband) started experiencing some weird problems with his primary computer. Windows would reboot by itself for no reason, programs wouldn’t install, etc. After a lot of weeping and wailing and gnashing of teeth, he was able to track down the problem: some of his memory had gone bad for some reason. He switched it out with the RAM from another computer and the problems magically disappeared. Memory problems can mimic many other problems, though. If you suspect you might have bad memory, you can use Microsoft’s Windows Memory Diagnostic to test your RAM for errors. Check it out here.

Computer Shutdown Day: Was it a big bust?
Saturday, March 24 was declared Computer Shutdown Day by, well, the folks at shutdownday.org (warning: you may find some of the words/content on that site offensive). The idea was for everyone to go 24 hours without using their computers. I admit it: I didn’t do it, and based on the amount of spam that came in, I wasn’t the only one. Did you shut down for the day? If so, was it a good experience or a bad one? Or were you one of the many folks I talked to who said that, despite a fair amount of publicity, they had never heard about the effort? Great idea, or just silly? 

Should you buy software on eBay?
eBay can be a good place to find a bargain, but sometimes those “great deals” are just a little too good to be true. The risk is especially high when it comes to buying software, since it can be impossible to know whether the programs you’re buying are legal or not, and some may even have embedded viruses or spyware. A “gray” area is the selling of OEM versions of software, which are supposed to be bundled with hardware. Read more about the problems here.

Why is the Apple pot calling the Vista kettle black?
Sure, the Apple commercial is cute. You know, the one where the dashing, “hip” guy representing the Mac shakes his head in amazement as the nerdy PC guy’s “bodyguard” – who presents Vista’s User Account Control (UAC) protection – throws up “Cancel or Allow?” dialogs whenever PC tries to do/say something. If you haven’t seen it, you can view it here.

Cute, but is it really a fair representation of the difference in intrusiveness between Vista’s and OS X’s security? My good friend George Ou says maybe not. Read his take on it here.

Installing the wrong program no longer kills my computer
You may hear some folks complain that their favorite third party programs don’t work on Vista. And it’s true that a lot of the “little” applications and utilities, especially freeware, haven’t yet been updated to work with the new OS. I’ve tried a fair number of such programs to find that they either wouldn’t install or wouldn’t work after installation. But something I noticed and really appreciated is that not one of these failed installations hosed my computer. Instead, I just got an error message or the program refused to run. The rest of the operating system was unaffected. That’s a welcome change from earlier versions of Windows. The infamous “blue screen of death” is a thing of the past – and I’m not sorry to see it go.

How to install the upgrade version of Vista on a wiped disk
You qualify to buy the upgrade version of Windows Vista because you have a copy of XP, but you don’t want to run the upgrade and have all that old code floating around in your Vista installation. Upgrades are notorious for having more problems than clean installs so you’re perfectly willing to bite the bullet and go through all the configurations to get your preferred settings back. But will you also have to pay more for a full copy of Vista? According to Adrian Kingsley-Hughes at CNET, here’s how to do a clean install of Vista with the upgrade copy.

How to change the system/boot drive letter in XP
If you break a mirror volume or for some other reason the drive letter of your system and/or boot drive gets changed so that the drive now has the wrong letter (not the one assigned to it when you installed the OS), you’ll find that the Disk Manager won’t let you change the letter of those drives. This is to protect you from making changes that render the OS unbootable, and you should make those changes only if the drive letter gets changed as described above. To do so, you have to edit the registry. Be sure to back it up first.

  1. Log on with an administrative account.
  2. Click Start | Run and type regedt32.exe to open the registry editor.
  3. Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM
  4. In the right pane, click MountedDevices.
  5. On the Security menu, click Permissions and ensure that Administrators have full control.
  6. Close regedt32.exe and run regedit.exe. Navigate back to the same registry key.
  7. Locate the drive letter you want to change (such as \DosDevices\C:), right click it and select Rename.
  8. Rename it to the letter you want it to have (such as \DosDevices\D:).
  9. Close regedit.exe and run regedt32.exe again to change the permissions on the key back to Read Only.

You’ll need to restart the computer for the change to take effect. Be very careful about renaming drive letters of system/boot drives.

Possible security vulnerability in Windows Mail
Vista includes a brand new built in email program, Windows Mail, which takes the place of Outlook Express. It has some impressive features, but it’s possible that it can be exploited by attackers who send malicious links in email, to allow them to run applications on the user’s computer without permission. Read more about it here.

How to aggregate the bandwidth of two modems.
If you’re in one of those unfortunate areas where broadband Internet connections aren’t available, it’s possible, if you have two phone lines, to use two modems and get double the bandwidth from a dialup connection.  If your ISP supports a feature called Multi-link, you can indeed install two modems in your computer and combine the bandwidth of two physical links into one Internet connection. Here are the instructions for using it with Windows XP Home or Professional edition.

Erase files from a CD-RW disc in XP
If you have a CD recorder installed on your computer and it supports CD-RW (rewritable) discs, you can erase the data on a CD and use it again for something else. You don’t even need third party CD burning software to do it. Just follow the instructions in KB article 306641.

Gain access to the System Volume Information folder in XP
XP deliberately makes it difficult for you to access the System Volume Information folder, which contains data used by the System Restore feature. It’s a hidden system folder and there’s one on each partition on your computer. How to access it depends on whether your XP computer is using FAT32 or NTFS. For instructions in both cases, see KB article 309531.

Deb Shinder

Flame Away: Does the ‘Net Make People Nastier?

Last week, I ran across this article from the Associated Press about how the anonymity (or perception of same) that we have on the Internet leads some people to say and do things they would never say or do in their “real life” relationships.

It’s a phenomenon I’ve discussed here before, but some of the responses to last week’s blog post (which I’ll quote – at least those that are fit for a family forum) brought that fact home again. Some people get downright mean when they’re communicating electronically, and it’s hard to believe that all of them act that way in their offline lives.

Now, this is by no means a universal thing. It seems as if being online often has an effect similar to imbibing alcohol. You know how some folks, when they drink, still act pretty much the way they do when they’re sober but a little more relaxed, while others get all happy and funny and still others turn vicious? Likewise, people are affected differently by the act of slipping into an online persona.

For instance, there’s a person I had known in the “real world” for many years and had never been at all close to. I found her loud and abrupt and often rude, avoided her socially whenever possible but stayed connected to her because of other mutual relationships. Then we found ourselves exchanging email – and the person she became in her written messages was like someone entirely different. The negativity I had come to expect from her in response to everything I said was gone. Her messages were polite and friendly and thoughtful, and for the first time, we became friends of a sort.

But I’ve seen the opposite happen too many times, watching in amazement as someone I had always liked turned into an online monster, flaming people left and right, using language I’d never heard them speak, taking offense at the slightest disagreement.

When I write on a controversial subject, I expect to get lots of replies from those who disagree with my opinions. And after many years at this, I expect that a certain number of those won’t be very nice about it. In fact, I know a lot of writers – and their publishers – who feel the more heated the responses, the better; it always means a higher hit count and for every reader who says “I’m unsubscribing because I think you’re an idiot,” three more start reading because after all, it’s human nature to crave a little spice now and then, both in our food and in our discussions.

In fact, quite a few media personalities of all political persuasions have built multi-million dollar careers by ranting and raving on every topic. Those who have become household names get lots of hate mail, but their books keep selling, their radio and TV shows keep getting top ratings, and the money keeps pouring in.

When they’re espousing ideas we don’t like, we think of them as hotheads. When their philosophies and ideologies match our own, we tend to see them as brave souls who “tell it like it is.” Abe Lincoln said you can’t please all the people all the time, but pleasing half the people and making the other half mad as heck seems to be a formula that works very well for those with thick skins and a penchant for fame and fortune.

Maybe one reason for the popularity of extremists is the very fact that most people don’t dare express themselves that strongly in their own everyday lives. Expressing every negative thought that crosses your mind tends to have a less than positive impact on career growth, marital happiness, budding friendships and other real life circumstances that are important to most of us. So traditionally, we’ve let the professional ranters speak for us.

The Internet has made it easier for ordinary folks to let their hair down and pull out all the stops and express all those secret, nasty feelings themselves. The phenomenon of “flaming” – launching personal attacks on others out of proportion to whatever the flamer is responding to – first gained a foothold in newsgroups and mailing lists. It’s carried over to blogs, where you don’t even have to give your opponents the opportunity to respond if you don’t want to. And on the ‘Net, you can say mean things without risking your reputation by using a “screen name” that gives no clue to your real identity.

But has the Internet really made people meaner and less civilized? There have always been times and places where people say cruel things (listen in to any group of teenagers discussing those outside their clique). Some people just aren’t very nice, in general. And some people who generally are nice get carried away with their emotions when they feel very passionately about a subject. I’m not so sure that, deep down, people are any meaner today than they were a few decades or centuries ago (after all, they often gunned one another down in the streets in the Old West, and look at all the beheadings and such in Medieval times). But the ‘Net has made it easier to do your dirty work more anonymously and to spread it to a wider audience.

What do you think? Are you surprised at the nastiness that sometimes comes out in online discussions? Do you say things in email that you wouldn’t say in person, or do you know others who seem to turn into a different person when communicating online? Do you think the Internet is causing us to become less civilized?

Deb Shinder

So how many people click on bad search results

Recently, I wrote about the massive amount of crap comment spam pages in Live Italy, directing users to potential malware sites.

Fellow blogger Didier Stevens pointed out something really interesting to me: He did an analysis last fall on how many people actually click on these sites. How? He used the infamous AOL data, a veritable fount of fascinating information for researchers.

And he found that about 1% of AOL users were landing on these sites. Link here, with another related story here.

So…multiply 1% against the universe of computer users… that’s a lot of people hitting illegitimate sites (these sites may be pushing snake oil, cell phones — whatever — or malware).

Alex Eckelberry

Guerilla PR redux

Last week, I blogged about the practice of buying up negative names as a defensive PR measure.

As a follow-up, I’m posting part of an email I got from a blog reader (who asked to remain anon).

In the year 2000 (no this isn’t a Conan O’Brien skit) 2600 Magazine ran an article in their print version about how Verizon (which was a brand new company at the time) was registering about 700 domain names along the same lines. The article included every single domain name the 2600 writers could find. I’ve been searching 2600 online and can’t find that exact article (I’m not sure if they put the print articles on-line or not) but I can find several references to it, and to the ‘cyber-squatting’ suit Verizon filed against 2600 and Emmanuel Goldstein for registering ‘verizonreallysucks.com’. Link.

While searching through 2600 for the right article I came across a PDF of a deposition Eric Corley (aka Emmanuel Goldstein) gave when sued by Ford for registering ‘fuckgeneralmotors.com’ and pointing it to Ford’s website. Link here and here.

In item 24 Eric/Emmanuel describes Karl Rove registering 30 some odd domain names like ‘bushsucks.com’ and Verizon registering 700+ domain names.

In that point he also references a ‘”Lucentsucks” case’. A quick search of ‘lucentsucks’ reveals that some jokester registered that domain and put up a porn site. Lucent sued but the case was dismissed due to Lucent’s failure to comply with the Anti-cybersquatting provisions. Which is a bit off topic… but perhaps is part of the rationale behind mass domain registration.

So as my loyal reader points out, there are other people doing this and it’s been going on for some time [apparently at least since 1998 (Earthweb) but possibly earlier].

Any other examples out there you know of? Feel free to comment.

Alex Eckelberry

Da CookieMonstor will get you


This came to me recently: A site threatening to sue us because we scan for their cookies in CounterSpy:

Company: Searchalot, Inc.
Company website: http://www.searchalot.com/ Contact name:
Gerald ODea
Product name affected: http://www.searchalot.com/ Product versions
affected: All Product is detected as: Cookie?
Software can be downloaded here: None
————————————————————
Brief description of software:
No software, and our site has absolutely no cookies. Please remove it
from your list or we will need to pursue this further with our law
firm, and you’ll be responsible for all of our legal fees.
————————————————————
Reason for submission:
to remove the searchalot.com site from your list as having some type
of bad cookie. we set no cookies on the site, so your description is
absolutely incorrect and it is causing us to lose users. We will use the
emails from users having a concern about using our site, because of
your software, as evidence of lost revenue, and we will definitely
prevail in court.
————————————————————
Code: DEV_SPYWARE

Needless to say, they’re right; they have stopped pushing cookies from that site, so we have taken them off.

But the idea of suing us because we scan for their cookies is just… out there. They need to listen to CookieMonstor disco and relax…

Alex Eckelberry

Gozi Trojan

Well worth reading. Really.

Russian malware authors are finding new ways to steal and profit from data which used to be considered safe from thieves because it was encrypted using SSL/TLS. Originally, this analysis intended to provide insight into the mechanisms used to steal that data, but it became an investigation into the growing trend of malware sold not as a product, but as a service. Eventually it led to an alarming find and resulted in an active law enforcement investigation.

Link here.

Alex Eckelberry
(Hat tip to Richard Smith)

Omerta spyware scam

The good folks who run Omerta (a massive multiplayer text-based game) are beyond frustrated as they are being plagued by some slimeballs who are foisting off very dangerous spyware as Omerta’s.


What these pages install is a nasty piece of spyware, ProAgent (for one sample, Sunbelt Sandbox report here, VirusTotal results here).

Omerta players — be careful of any software for the game that’s not from the Omerta folks themselves.

Alex Eckelberry

QED

Something I’ve been pounding the table on for some time…

But it took a car seat scandal to make them realize that they need to talk to experts in industry to understand how to test.

Jim Guest, president of Consumers Union, the nonprofit publisher of Consumer Reports, said in an interview yesterday that in the future, the magazine would consult with a broad range of experts, including those from the industry, for establishing protocols for complex tests, but it would still make its final assessments on its own.

Good! Security software testing is complex, and very few people have it right. But the people in the industry can really help magazines like Consumer Reports report accurately — and help consumers make the right choice.

Alex Eckelberry

Sunbelt Weekly TechTips #36

OEM OS frustrations, revisited
Many of you wrote in regard to last week’s link to an article about the many folks who are having problems getting their promised OEM upgrades to Vista. It seems Dell (the subject of the original article) isn’t the only culprit; I also heard from people who had bought computers from Acer, Toshiba and other manufacturers with the upgrade option and have not been able to get their upgrades.

On a different but related note, many of you tell me that now that Vista has been released, many hardware vendors aren’t giving you any choice about it. Attempts to buy new computers with XP installed have resulted in many of you being told by Dell, HP, Acer and others that the model you’re buying can’t be ordered with XP installed.

Vista update released
Although no security patches were released on this month’s Patch Tuesday, Microsoft did release an update for Vista that will address compatibility issues with several applications. Several of these are games, but it also improves compatibility with some third party security-related software such as Trend Micro’s PC-cillin and AOL’s Safety and Security Center. If your Vista machine has automatic updates turned on, you’ll get the update automatically. If not, you can download it here.

Windows CardSpace makes identity management easier
If you peruse the Vista Control Panel, you’ll run across a brand new applet called Windows CardSpace. If you’re like most new Vista users, you won’t have any idea what it is. CardSpace is the client piece of Microsoft’s information card technology, an “identity selector” that allows users to select from a set of cards holding their personal information to authenticate to certain web sites or services, without having to remember all those user names and passwords. You can read all about it here.

How to add or change a user’s picture in XP
You can display a photo next to your name in the list of user accounts on the XP Welcome screen and on the Start menu. Here’s how to change the picture:

  1. Click Start Control Panel.
  2. Double click the User Accounts applet.
  3. Select the user account for which you want to change the picture.
  4. Click Change the Picture.
  5. Click Browse For More Pictures, navigate to the graphics file you want to use and click it.
  6. When the picture you want is highlighted, click Change Picture.

How to resize Vista desktop icons
One of the complaints I hear about the Vista GUI is that “the icons are too big.” Well, fixing that is a simple matter. Here’s how:

  1. Right click an empty space on the desktop.
  2. Select View.
  3. Click Classic Icons.

Another way is to use the scroll wheel on your mouse or trackball. With the cursor on the desktop, press and hold the CTRL key and scroll the wheel to make icons larger or smaller.

IE 7 vulnerability lets phishers attack
A new vulnerability has been discovered in Internet Explorer 7 that could allow phishers to display fake content for trusted sites, without creating a false URL. The exploit takes advantage of the “Navigation Cancelled” page, and it’s recommended that you not click any links on that page until there’s a fix for the flaw. IE 7 is affected on both XP and Vista. Read more about it here.

Using XP on a computer with a quad core processor.
Is a quad core considered a single processor or as four? Well, good news for quad core fans: Microsoft has specifically defined a “processor” as a single chip that houses a collection of one or more cores. This was first announced in the document titled Multicore Processor Licensing that was published on the Microsoft web site in 2004 in expectation of the release of the first dual core processors. This document explicitly states that “Windows XP Professional can support up to two processors, regardless of the number of cores on the processor.”

Troubleshooting startup problems in Windows XP
Can’t get XP to start up properly? Unfortunately, there are a number of different possible causes, from corrupted files to hardware problems. You can find a quick guide to help you diagnose and fix the most common startup problems in KB article 308041.

How to set special permissions for files and folders in Windows XP
Special permissions are customizable sets of permissions that you can apply to files and folders stored on an NTFS-formatted partition. If your computer doesn’t belong to a domain, you’ll need to disable simple file sharing in order to set these permissions. KB article 308419 explains what all the available special permissions are and how to view, set and remove them.

How to use the Bootrec.exe tool to troubleshoot and repair Vista startup issues
If you have problems with the master boot record (MBR), boot sector or boot configuration data store (BCD store) that cause startup problems in Windows Vista, you can use the Bootrec.exe tool in the Windows Recovery Environment to figure out what the problem is and repair it. Find out how in KB article 927392.

Deb Shinder