Now for something completely OT

Hard to believe it’s already getting to the end of summer for many of you.

So here’s a vid of Mike Parsons in one of the greatest surfing shots ever taken. And yes, it’s real.

In my gangly younger days, I used to surf in California. But I think I would have run for the hills if I ever saw something like this.

Enjoy and have a great weekend.

Alex Eckelberry

Video of Bank of India infestation

You can see a video made by Roger Thompson of how the Bank of India infection looks to the user.

The vid’s a bit rough at the moment, and some of the bits are currently unreadable, but we’ll be editing it as we go, so clearer versions will soon be available. It’s still interesting, though.

Video link here. Nice work, Roger.

It’s worth reiterating that fully-patched systems would not have been affected by this hack.

Alex Eckelberry

Update on the Bank of India situation

The Bank of India site is now clean, thanks to the hard work of a number of people involved in security and takedown.

It’s worth checking the original blog, which was updated as we got more information through the evening.

The hack was related to the Russian Business Network (RBN) criminal gang. There has been speculation as to whether the malware was installed through an exploit framework (Webattacker, MPack, Icepack), as it was encrypted in the same way as Webattacker. However, our good friend Roger Thompson (one of the top minds in the area of vulnerability research) believes that it wasn’t using a framework, but likely just now-patched stuff in MS06-042 (someone on a fully patched system would not have gotten infected by visiting this site). Research continues.

Thanks to all who helped!

Alex Eckelberry

Breaking: Bank of India seriously compromised

We have discovered that the Bank of India’s site, bankofindia(dot)com is compromised and is serving malware. DO NOT VISIT THIS SITE.

The following code can be clearly seen on the site:

(Obviously, do not visit these sites that are in the HTML source).

Attempts are then made to load multiple pieces of malware.

Developing…

Alex Eckelberry

Update: The page is using exploits to install malware.

What we have seen so far:

Email-Worm.Win32.Agent.l
Rootkit.Win32.Agent.dw
Rootkit.Win32.Agent.ey
Trojan-Downloader.Win32.Agent.cnh
Trojan-Downloader.Win32.Small.ddy
Trojan-Proxy.Win32.Agent.nu
Trojan-Proxy.Win32.Wopla.ag
Trojan.Win32.Agent.awz
Trojan-Proxy.Win32.Xorpix.Fam
Trojan-Downloader.Win32.Agent.ceo
Trojan-Downloader.Win32.Tibs.mt
Trojan-Downloader.Win32.Agent.boy
Trojan-Proxy.Win32.Wopla.ah
Trojan-Proxy.Win32.Wopla.ag
Rootkit.Win32.Agent.ea
Trojan.Pandex
Goldun.Fam
Backdoor.Rustock
Trojan.SpamThru
Trojan.Win32.Agent.alt
Trojan.Srizbi
Trojan.Win32.Agent.awz
Email-Worm.Win32.Agent.q
Trojan-Proxy.Win32.Agent.RRbot
Trojan-Proxy.Win32.Cimuz.G
TSPY_AGENT.AAVG (Trend Micro)
Trojan.Netview

Fully patched systems should be unaffected. More coming.

Update 2: We’ve cataloged over 22 pieces of malware. Mostly spam-related malware, but we did find a Pinch Trojan variant. More info coming as we get it. The biggest issue is the sheer volume of malware we’ve had to analyze.

Update 3: As I write this, it is currently 1:20 a.m. EST (10:20 a.m. in India), and the malicious IFRAME is still located on the Bank of India website.

With that said, I just wanted to mention two other very dangerous information-stealing Trojans included in this massive install of malware.

First, we are seeing a variant of TSPY_AGENT.AAVG. Trend Micro has an excellent write-up which you can read here.

Secondly, a variant of Trojan.Netview is being installed. Trojan.Netview is used to gather files from the infected computer as well as network shares. This characteristic is particularly dangerous in networked environments where infected users might have access to unprotected shares containing sensitive information.

The collected files are then uploaded to an FTP server located in Russia.

Of interest is the fact that Trojan.Netview is specifically searching for quarantine folders of antivirus programs. It is no surprise that this particular person had over a hundred items located in their quarantine folder:

DDoS in-a-box!

Lovely little botnet controller we uncovered a while back:

There are several Help functions:

Roughly translated:

Refresh rate, the length of time (in minutes), through which work will be of investment in Gate of commands (more than the less load on the server)

Command syntax:
start DDoS- attack:
flood type of attack goal

Supported types of attacks :

– icmp
– syn
– udp
– http
– data

The targets may be set ip [???] or domain name, it is also possible to specify multiple goals extraordinary comma;

If you type syn attack, or udp data, the following goals can optionally specify the port number for the attack (or more ports extraordinary comma) if it is not specified, each package will be sent to a random port;

If you type attacks http, after a goal is an option to specify a script, which will be sent GET request (for example : http flood host.com index.php) if the parameter is not specified, the request will be sent to /

stop DDoS- attack:
stop

On fluderov options:

Fluderov packet size in bytes, and the time between sending packages in milliseconds. What time fewer and bigger size, the stronger the attack, but the more likely that the work will get because of exhaustion limit traffic

die:

die

Alex Eckelberry
(Credit to Sunbelt researcher Adam Thomas)

New very dangerous Better Business Bureau targeted attack

Last night, I got this targeted Better Business Bureau spam:

It’s targeted, like a similar one we saw in the past.

However, in the previous version, a document was attached that used an embedded OLE object in an RTF document. You had to actually go through some hoops to get infected.

This one is different. It points you to a website called “document-repository(dot)com”, which pushes you into downloading a file, Complaint_Details_363619942.doc2.exe.

The file, of course, is a trojan (Sunbelt Sandbox report here). Submitting the file to VirusTotal shows mediocre detection.

Alex Eckelberry

Zango suffers major setback in its legal posture; loses to Kaspersky

Earlier this week, we reported that Zango had backed off its case against PC Tools.

Now, Zango’s court case against Kaspersky was thrown out because Kaspersky enjoys immunity as a result of the Communications Decency Act.

You can see the decision here, at Ben Edelman’s site (who, as a consequence, has also updated his list of legal actions by adware/spyware companies).

Ben points to the relevant statutory language as being:

“No provider or user of an interactive computer service shall be held liable on account of … any action taken to enable or make available … the technical means to restrict access to the material described [i.e. material that the provider or user considers to be obscene, lewd, lascivious, … or otherwise objectionable].”

You can read this language yourself here. (Under Sec. 230).

This is very big news folks. Big news. This decision may have far-reaching consequences for security companies that flag malicious and/or potentially unwanted software in their products.

Alex Eckelberry

Storm worm hits Blogger

Possibly through the Blogger mail-to feature (where you can email in a blog post)?

But Blogger’s not the only one. For example, a Google search using the term “this i not good. If this video gets to her husband” reveals lots of sites spammed with this particular exe: (correction — these appear to be sites discussing the spam.)

(Obviously, don’t download this exe — it’s the storm worm. Not a fun thing.)

Alex Eckelberry
(With credit to Cristian — many thanks)


Reply to All

Painful to read. But funny in a sort of awful way.

8/27 8:26 AM. You are sending these emails to the wrong Bill.
8/27 9:55 AM. Please remove me from the distribution. Thank you!
8/27 9:57 AM. Please remove me from this distribution thank you
8/27 9:57 AM. Please remove me from the distribution list.
8/27 9:57 AM. Please remove me from the distribution. Thank you!
8/27 9:58 AM. DITTO
8/27 9:58 AM. Remove me also
8/27 9:59 AM. SUPER DITTO!
8/27 9:59 AM. Me too please
8/29 9:59 AM. Please remove me as well. Thank you!
8/27 9:59 AM. Me too
8/27 10:00 AM. Same here.
8/27 10:00 AM. Mee too. Thanks
8/27 10:00 AM. Please remove me as well. Thanks!

It gets worse from there on out. Link here.

Alex Eckelberry

Coupons.com deceptive practices?

Ben Edelman examines software from coupons.com.

I recently examined software from Coupons.com. At first glance their approach seems quite handy. Who could oppose free coupons? But a deeper look reveals troubling behaviors I can’t endorse. This piece summarizes my key concerns:

  • Installing with deceptive filenames and registry entries that hinder users’ efforts to fully remove Coupons’ software. Details.
  • Failing to remove all Coupons.com components upon a user’s specific request. Details.
  • Assigning each user an ID number, and placing this ID onto each printed coupon, without any meaningful disclosure. Details.
  • Allowing third-party web sites to retrieve users’ ID numbers, in violation of Coupons.com’s privacy policy. Details.
  • Allowing any person to check whether a given user has printed a given coupon, in violation of Coupons.com’s privacy policy. Details.

Link here.

Alex Eckelberry

Sunbelt Weekly TechTips #59

Microsoft WGA outage outrages users
Quite a few people were frustrated last week when they tried to validate their Windows software as genuine (which is required to download most updates) and were told they had pirated copies even though they knew their operating systems were legal. This was apparently due to the Windows Genuine Advantage (WGA) server being down. It’s fixed now, but not before annoying a lot of people. Read more here.

Sugar-powered battery? Sweet!
With more and more devices going mobile, we’re always on the lookout for new and better battery technology. Now Sony has developed a battery that’s powered by pouring sugar into it. It’s an innovative idea, for sure. Read more here.

Digital Pen: Cool tool or a solution in search of a problem?
Despite the popularity in today’s wired world of everything digital, the phenomenon of the digital pen has yet to reach critical mass. You probably know about Tablet PCs, but you might not have ever encountered a standalone digital pen and might not know just what to do with it if you did. Still, some companies are betting that these little devices will finally take off. Read more here.

Getting ready for the Gphone?
Rumors are floating around the web about Google building a phone handset that would be a direct competitor to Apple’s iPhone. True or false? Only time will tell. The company itself “can neither confirm nor deny.” Read more here.

How Vista’s Internet Explorer protects you from attack
The version of IE 7 that comes with Vista is different from the version you can download for XP. Specifically, it has better security because it takes advantage of Vista’s User Account Control (UAC) to run in IE Protected Mode. In Protected Mode, IE won’t allow files to be saved in locations on your computer where they could cause problems, and IE can’t make changes to system files without your explicit permission. This makes it a lot less likely that you’ll be a victim of a “drive-by download” that installs malware on your machine. You can read more about this new feature here.

How to take ownership of a folder in XP or Vista
Even if you’re an administrator on your XP or Vista computer, you might find that you get an “access denied” message if you try to open a folder that was created by a different user. However, you can fix this by taking ownership of the folder. Any administrator can take ownership. Here’s how:

  1. Be sure you’re logged on with an account that has administrator rights
  2. Right click on the folder you want to access
  3. Select Properties
  4. Click on the Security tab
  5. Click on the Advanced button
  6. Click on the Owner tab
  7. In the list of Names, click on your name
  8. To take ownership of the folder and all its contents, click on “Replace owner on subcontainers and objects”
  9. Click OK and then click Yes
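The same steps, scripted for an elevated PowerShell prompt (an added example, not part of the original newsletter). It assumes a hypothetical folder path in $Folder and uses Windows’ own takeown.exe and icacls.exe (icacls ships with Vista; XP has only the older cacls.exe):

```powershell
# Added example (not from the original newsletter): take ownership of a folder
# and everything beneath it, the scripted equivalent of the
# Properties > Security > Advanced > Owner steps above.
# $Folder is a hypothetical path; point it at the folder you were denied access to.
param(
    [string]$Folder = 'C:\Users\OtherUser\Documents\Project'
)

# Step 1: confirm we hold administrator rights. Under UAC a non-elevated prompt
# runs with a filtered token that lacks the take-ownership privilege.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell prompt.'
}

# Step 2: take ownership of the folder and all subcontainers and objects
# (the "Replace owner on subcontainers and objects" checkbox).
# takeown.exe: /F target, /R recurse, /D Y answer "yes" when a subfolder
# cannot be listed yet.
takeown.exe /F $Folder /R /D Y | Out-Null

# Step 3: ownership by itself does not grant read access. Add an explicit
# Full Control entry for the current user that children inherit ((OI)(CI)),
# applied to the whole tree (/T).
$me = $identity.Name
icacls.exe $Folder /grant "${me}:(OI)(CI)F" /T | Out-Null

# Step 4: verify. Any item whose owner is still someone else was skipped
# (for example a reparse point or an item locked by another process).
$stillForeign = Get-ChildItem -Path $Folder -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { (Get-Acl $_.FullName).Owner -ne $me }

if ($stillForeign) {
    Write-Warning "Ownership not changed on $($stillForeign.Count) item(s):"
    $stillForeign | ForEach-Object { Write-Warning "  $($_.FullName)" }
} else {
    Write-Host "Owner of '$Folder' and its contents is now $me."
}
```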

Can I get my Hotmail messages with Windows Mail?
QUESTION: When I used XP for my mail I used Outlook Express, and I still have two XP machines. Since OE is not available with Vista I am learning Windows Mail. In OE I was able to download my Hotmail account. Mail says I cannot do this with Hotmail. Do you know if there is a way to download my Hotmail into Mail? Right now, having to log into Windows Live Mail to retrieve it is a pain in the rear. – Dennis H.

ANSWER: It appears the Windows Mail program in Vista is about to be replaced by a brand new email client called Windows Live Mail, which handles POP, IMAP and Hotmail accounts. It can be installed on either Vista or on XP to replace Outlook Express. This was announced back in June. It’s still in beta, so you may want to wait until the final release, but it’s available to the public so if you’re the impatient type, you can download it here.

Some add-ons aren’t listed in the Manage Add-ons Dialog Box
If you open the Manage Add-ons dialog box from the Tools menu in Internet Explorer on an XP SP2 machine, you might find that some add-ons you know are installed aren’t listed. This prevents you from being able to disable those add-ons. That’s not good. Fortunately, there’s a fix available. Find out how to get it via KB article 888240.

Can’t restore XP SP2 after using an XP SP1 restore point
Here’s the scenario: you’ve restored your computer to a restore point when XP with Service Pack 1 was installed and now you want to restore to a later restore point that was made after SP2 was installed – but if you try to do so, you’re still stuck with XP SP1. There’s a fix for this one, too. You’ll find it in KB article 835409.

Deb Shinder

My opinion: Bang for your Buck, Screen Real Estate is the Best

Last Saturday night, we threw a party for a group of people who have been friends of ours for over ten years – but some of them we had never met before. They’re members of a small private email list that “spun off” from a larger Internet discussion group back in the 90s, and when one of our farthest-away members (from Australia) decided to visit us here in Texas, we took that opportunity to invite other list members from the states to all get together. We had a great time, and as usual when you get a bunch of avid ‘Net users together, the talk eventually turned to computers. During the course of conversation, one friend mentioned a co-worker of his who wanted to get a new computer. An analysis of her needs and the reason she wanted to upgrade revealed that her present machine did pretty much everything she needed to do; her real complaint was with her small, outdated monitor. He pointed out that instead of spending a lot of money to buy a whole new system she didn’t really need, she could put the same amount or less into a high quality large screen monitor and vastly improve her computing experience.

When you really think about it, your monitor is one of the most important peripherals you’ll buy. For most of us, it’s the primary way we interface with the computer (the exception being the blind who must rely on software that can talk to them and tell them what’s on the screen). Although your processor and memory determine how well and quickly your computer performs tasks, it’s your input/output devices – the keyboard, pointing device and monitor – that greatly influence how pleasant or unpleasant the process of getting information into and out of your computer will be.

Yet I see people all the time who buy high end machines and then add a single 17 inch monitor almost as an afterthought. By limiting themselves in that way, they ensure that their computing experience is never quite what it could be. Sure, you can check your email or surf the web or even get work done on a small monitor – I do it on the road with my tiny Sony laptop and its 12″ monitor. Likewise, one can live fairly comfortably in a 500 square foot home; people in New York City, Tokyo and other places where housing is expensive are living proof of that. But it’s so much nicer to have more space to spread out in.

Think back (if you’re old enough) to the days before computers, when we had to get work done with pens and tablets and paper files in manila folders. You could write a report sitting at a little TV tray table, but it was much easier if you had a big executive size desk or dining table where you could spread out all your books and papers. That’s what a big screen monitor – or its often lower cost alternative, multiple smaller monitors – lets you do.

I know I’m not the only one who feels that way. A recent article on Slate argues that upgrading your monitor is almost always a better choice than upgrading your processor. And now gigantic monitors that were once reserved for only the wealthiest are within the affordability range of more and more computer users.

Apple is probably responsible for starting this trend when they released their 30 inch Cinema HD display back in 2004. I’m not a big Apple fan (although I do have one Mac), but I lusted after that monitor every time I saw one. It was way out of my price range back then, but the price has dropped steadily and the current incarnation sells for $1799, not cheap but not outrageous either.

However, Apple’s no longer the only company with an affordable giant screen. Dell just recently dropped the price of their 30 inch UltraSharp model to $1499. One thing I like better about the Dell and some others is the ability to adjust the height of the monitor. And HP has a 30 inch model, the LP3065, for just $1399. Samsung’s SyncMaster 305T goes for $1271 on Amazon.

You don’t have to go quite that big to get more screen real estate, though. Many companies make 24 to 27 inch monitors that cost quite a bit less. Both Dell and Samsung have 27 inch models for around $1000 and a ViewSonic VX2835wm 28 inch monitor is selling for $679 on Amazon.

Of course, you want to look at more than just the screen size when you buy. Other important specs include the resolution (you’ll want at least 1920×1200 in a giant screen, or even 2560×1600 in a 30 inch), contrast ratio (the higher, the better; for example, the ViewSonic’s 800:1 is not as good as Dell’s 1000:1) and response time (lower is better; 6 milliseconds is pretty good).

Before you plunk down the bucks for a huge monitor, also be sure you have a video card that supports it. Most 30 inchers require a dual DVI card. Other problems with the supersized screens include the heavy weight and how to fit it on the desk. Although not weighing nearly as much as the old CRTs, a 30 inch can easily weigh in at 25 pounds.

As tempting as the huge monitors may be, it often makes a lot more sense both financially and logistically to buy several smaller monitors instead. You can end up with more total screen space for a lower price, the individual monitors are lighter and easier to move around, and you have more flexibility in arranging them (for instance, you can angle/curve them around you instead of having one big, completely flat surface, or even have a second row of monitors above, like this).

Another advantage of multiples is that you can turn on only as many monitors as you need. For instance, if I’m just going to do a quick check of my email, I only turn on one monitor, saving the electricity required to run the other two. With a giant screen, even if I only need to use a small part of the screen, the whole thing has to be turned on.

Of course, you have to have enough video cards to support the number of monitors you have. Most modern cards have either two DVI connectors or one DVI and one analog connector, so you can connect two monitors per card. So, for example, to hook up six monitors to your computer you’d need three video cards. That might mean you’ll need at least one regular PCI card, since few systems have more than two PCI Express x16 slots.

For most people, though, two cards are enough. I find three to be the optimum number of monitors for my work; I had four for a while but found that I rarely turned the fourth monitor on – I just didn’t usually need to spread out quite that much.

I like being able to reconfigure my monitor setup the way I want it at any given time. That’s why, much as I like the look of some of the sleek all-in-one computers that have the monitor and CPU in the same housing, I haven’t bought one. If that built-in monitor dies before the computer does, you have a problem.

Whichever way you do it – with one giant screen or several smaller ones – having more room to spread out your various application windows without having to click to bring one and then another to the forefront can improve your productivity more than you can imagine. It’s as if, after having viewed the world through a tiny porthole for years, one day you knock out the whole wall and put in a full size picture window. It changes your perspective completely.

What about you? Do you think bigger is better when it comes to monitors, or are you perfectly content with that 15 inch screen that came with the computer? If price were no object, would you prefer to work with a 30 inch behemoth of a monitor or three 19 inch ones? How many monitors, of what size, are ideal? Would you buy (or have you bought) an all-in-one where the monitor isn’t detachable from the rest of the system?

Deb Shinder

[My opinion? I recently got a very large monitor and I’m not sure I like it as much as my older one — it seems like more work to read from side to side — I would check the ergonomics for comfort if you’re looking at getting a larger monitor — Alex]

New book about malware

As you may know, Niels Provos and Thorsten Holz have written a book on malware, called “Virtual Honeypots: From Botnet Tracking to Intrusion Detection”.

Thorsten, along with Carsten Willems, was involved in the development of our very popular Sunbelt CWSandbox, which is used by many people involved in security research to analyze malware.

Security author Stephen Northcutt gives the book a great recommendation, calling the book a “breakthrough work”:

Simply put, this is the best security book I have read this year. A perfect blend of well researched information about honeypots as well as plenty of pragmatic how to do it. Well known respected authors that clearly know their stuff. A nice blend of network and system information to give the reader the full picture. The reader will learn a lot of analysis and be exposed to a number of attack signatures. And the information is applicable. That was the huge eye opener for me! I thought honeypots were boutique at best, but the book shows clearly how to use them to augment your intrusion detection capability, to detect malware and to identify botnets. At the exact second the Storm botnet is raging, anti-malware products from Symantec, NAI, Trend Micro just are not getting the job done. A large organization with a low interaction honeypot like honeyd, collapsar or potemkin would be able to track what is happening in their network. In the same way, if you are running nepenthes or roleplayer you can identify (detect) the malware and understand how it is working.

Obviously the book cannot cover each tool in depth, but Virtual Honeypots goes into detail for honeyd and nepenthes and serves as a manual to help you get started. This is thrilling reading to the very end; the final three chapters are case studies (war stories), tracking botnets and working with the CWSandbox. I absolutely recommend this book and expect that I will keep it near my workstation for the next few months. I read it the first time on airplanes; I live in Hawaii so each trip to the east coast is ten hours airplane time and it took about 20 hours for me to work through the book. I plan to read it at least one more time, but with a computer nearby to try to apply some of this. Hats off to the authors, Provos and Holz, for sharing their knowledge with the community.

Thorsten tells us:

It’s worth noting that Chapter 12 deals with automated analysis of malware and the example is (of course) CWSandbox. Niels and I describe different techniques in that chapter and give several examples which are all based on CWSandbox output. Furthermore, the chapter on botnets could be interesting since many automated malware samples are bots. That chapter will be available shortly as a free sample chapter. In general, the book is of course interesting 😉

You can find out more about the book at Amazon.com.

Alex Eckelberry

Update on new IRS phishing scam

Saturday, I blogged about a new IRS phishing scam which uses a “survey”. According to the source who sent the information to me, the phish didn’t appear to ask for financial information.

This does not appear to be the case. Brian Krebs at the Washington Post has sent me an additional image which shows the phish does, in fact, ask for financial information.

Alex Eckelberry