Web demo this Wednesday

We are releasing our next big release of CounterSpy Enterprise, version 3.0.

Greg Kras and I will be doing an overview over the web. It’s a really nice upgrade.

Fluff from our marketing department:

Join Sunbelt Software for an overview of the new features in CounterSpy Enterprise version 3.0. This new version continues to provide robust protection against complex malware threats for corporate environments while delivering several new features, including new management dashboards, reporting improvements, and console usability enhancements.

The web demo will be hosted by Alex Eckelberry, President and Greg Kras, VP of Product Management for Sunbelt Software on Wednesday, October 3rd at 2:00pm EDT.

Learn about the new features of this robust enterprise antimalware product including:

– New configurable management dashboards that allow administrators to easily create a customized “malware command center” that gives instant access to their most used reports and policy controls

– Reporting improvements that make it easier to schedule and customize the library of reports, and includes a new report scheduler and custom report editor

– Console usability enhancements that offer easier-to-understand alerts and customizable views

When: Wednesday, October 3, 2007 2:00 PM (EDT)

To register for this event please visit:

http://www.sunbelt-software.com/rd/?id=070928IB-CSE3-Web-Demo

Alex Eckelberry

Formula One gaffe reveals Ferrari and McLaren secrets

Wow, we’ve talked about securing metadata in the past, but this one takes the cake.

Notes from a meeting of the World Motor Sports Council were released recently by the FIA. The document was redacted, as you can see from the example below:

[Image: excerpt from the redacted FIA document]

However, as F1Fanatic found out, simply copying and pasting the text into another document reveals the redacted text. In this case, I simply copied the text into Word:

Nigel TOZZI

He was paid around 300 000 to 400 000 pounds per annum. Is that correct?

Apparently, the person responsible for redacting the document simply drew a black box around the sensitive text, not realizing that the underlying text was still available. I feel a bit sorry for the poor sod who did this. Simply copy-protecting the PDF would have prevented this type of thing from occurring.
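A quick way to check for exactly this kind of failure is to extract the text from the "redacted" PDF and search it for the sensitive string, which is what copy-and-paste into Word does. The following is an added example (my own code, not from the FIA, F1Fanatic or the original post): it constructs a one-page PDF in which a black box is painted over a sentence, shows that the sentence is still extractable, and contrasts it with a page where the text was removed before the box was drawn.

```python
import re

# Constructed sample text, modelled on the line the post shows after pasting.
SENSITIVE = b"300 000 to 400 000 pounds per annum"
SENTENCE = b"He was paid around " + SENSITIVE + b". Is that correct?"

# "Redaction" as the FIA did it: the text is drawn, then a black box is
# painted on top of it. The glyphs are hidden, the string operand is not.
BLACK_BOX = (b"BT /F1 12 Tf 72 700 Td (" + SENTENCE + b") Tj ET\n"
             b"0 g 72 696 400 14 re f\n")

# Proper redaction: the sensitive bytes never reach the content stream.
PROPER = (b"BT /F1 12 Tf 72 700 Td "
          b"(He was paid around [REDACTED]. Is that correct?) Tj ET\n"
          b"0 g 72 696 400 14 re f\n")


def build_pdf(content: bytes) -> bytes:
    """Assemble a minimal one-page PDF (uncompressed) with a valid xref."""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"endstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_pos)
    return bytes(out)


STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
TJ_RE = re.compile(rb"\((.*?)\)\s*Tj")


def extract_text(pdf: bytes) -> bytes:
    """Collect the literal-string operand of every Tj operator.

    Assumes uncompressed content streams and strings without escaped
    parentheses, which is enough for this demo; a production checker should
    decode stream filters (FlateDecode etc.) or use a PDF library."""
    pieces = []
    for stream in STREAM_RE.findall(pdf):
        pieces.extend(TJ_RE.findall(stream))
    return b" ".join(pieces)


def redaction_leaks(pdf: bytes, secret: bytes) -> bool:
    """True if the supposedly redacted text is still extractable."""
    return secret in extract_text(pdf)


if __name__ == "__main__":
    print("black box leaks:", redaction_leaks(build_pdf(BLACK_BOX), SENSITIVE))
    print("proper redaction leaks:", redaction_leaks(build_pdf(PROPER), SENSITIVE))
```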

The PDF (at the time of this posting) is still up, here. I’ve also archived a copy here.

Alex Eckelberry
(Thanks Francesco)

Update on Stoned virus infection of German notebooks

Thursday, we blogged that the ancient Stoned.Angelina virus had been found on some German notebooks made by Medion. SecuriTeam has a round-up.

It’s worth noting that a) virtually no PCs ship with floppies these days, making infection of other PCs highly unlikely and b) the fact that an antivirus program can’t remove an ancient boot sector virus such as this one is open to debate.

The virus itself isn’t destructive. And in Windows XP and Vista, you would have to have a floppy in the drive while the system is booting in order to get infected. In a way, it’s more of a novelty to see such an old virus (which is no longer even on the Wildlist).

However, the point is that if you’re infected, you would want to clean it, and a number of notebooks shipped from Medion with this virus.  BullGuard, the antivirus product included with the notebook, was initially unable to remove it, although the company has an update on its website which should do the job.

Here is more from Andreas Marx:

Introduction: Medion shipped some notebooks together with a boot virus from 1994 (!)… and it looks like quite some AV tools had problems with the detection and/or removal of this critter. For example, the AV software installed on the system reported this virus on every reboot, but was unable to remove it.

To my surprise, Stoned.Angelina is working very well with Windows Vista (x86) — the system gets infected and it is still bootable.
Windows Vista won’t display any message or other kind of warning regarding the boot sector change (unlike Windows 98, for example).

The virus is only able to spread to further disks when Windows [itself] is not yet started… the virus can infect further disks at boot time, but not after Windows has been started.

Testing: First, we infected a PC with an installed Windows XP SP2 or Windows Vista with “Stoned.Angelina”, which is quite easy to perform — you only need to “forget” an infected floppy disk in the A: drive and try to boot from it. The virus will instantly infect the system area of the hard disk. However, unlike some other boot viruses, Windows is still able to boot up and it won’t display a warning message. The virus can infect further floppy disks as soon as it’s activated (on every reboot) and under DOS. As soon as Windows 2000, XP or Vista (or Linux or any other protected mode OS) is started, the virus code won’t be called anymore — the system is still infected, but the virus itself cannot spread further until the next reboot.

For our testing, we used the German versions of Windows and the currently available “2007” or “2008” consumer versions of some anti-virus software or security suites (in German language, using updates as of yesterday or today, 2007-09-14). We have tested a total of 10 products (on two OS): Avira AntiVir Personal Premium (v7), G Data (AVK) Total Care 2008, BitDefender Internet Security 2008 (v10), BullGuard Internet Security 7.0, Kaspersky Internet Security 7.0, McAfee Internet Security 2007 (the 2008 version is not yet released), Symantec Norton 360, Microsoft OneCare 1.6, Panda Internet Security 2008 (v12), Trend Micro PC-cillin Internet Security 2007 (the 2008 version is not yet released).

The following scanners were able to detect and successfully remove the “Stoned.Angelina” critter on Windows XP and Vista:

  • G Data (AVK) Total Care 2008
  • BitDefender Internet Security 2008 (v10)
  • Kaspersky Internet Security 7.0

The following tools were able to detect and report the infection, but unable to handle it:

  • BullGuard Internet Security 7.0 (updated information from BullGuard, here).
  • McAfee Internet Security 2007
  • Trend Micro PC-cillin Internet Security 2007
  • Avira AntiVir Personal Premium (v7) — BUT the scan of the system areas (master boot record) is disabled by default, so it has to be enabled or AntiVir wouldn’t report anything, as it’s not scanning this sector.

Two of the tools were able to successfully report and clean the virus on Windows XP, but they shred the system area on disinfecting a Windows Vista based system after the infection was found — this means that Vista wouldn’t start anymore after a “successful” cleaning and it has to be repaired (e.g. by booting from the installation DVD and selecting the option to repair the system, see the Bullguard website link above for details):

  • Symantec Norton 360
  • Panda Internet Security 2008 (v12) — BUT you need to start the tool with administrator rights or disable User Account Control (UAC) or Panda wouldn’t be able to scan for the virus on disk and report the system is clean, even if it’s indeed infected.

This leaves one tool — Microsoft OneCare 1.6 — which is completely unable to scan for boot viruses on disk (tested on Windows XP and Vista), so the user wouldn’t get a notification that his system is infected. As nothing is found, nothing can be removed, of course.

More links:

How to remove Stoned.Angelina
Aldi notebook with a virus on board.
Virus alarm in Denmark – pest also sighted in Germany
Virus on Aldi notebooks: a pest from the old days

Alex Eckelberry

We have a winner

Yes, this blog can be sophomoric sometimes (well, maybe most of the time). So with that disclaimer, I’d like to announce the winner of the “Best Caption for the Lamer Bus”.

The winner is Kolor, with the line:

“Where Do You Want To Go Today?”
Kolor has received notification by email and will soon be a much better protected and generally happier soul. Congratulations Kolor!

Alex Eckelberry

(I’m sorry to anyone who might be offended. The winner was chosen by blog readers, not me!)

Sunbelt at upcoming antivirus conferences

Virus Bulletin Conference: This week, the blog will be silent as I’m going with a bunch of other Sunbelters to the Virus Bulletin Conference in Vienna. If you happen to be there, drop by our booth and say hello.

One of our senior researchers, Casey Sheehan, will have a very interesting presentation, entitled “Pimp my PE: taming malicious and malformed executables” (PE is the file format used for programs, DLLs, etc. in Windows).

From the abstract:

A foundational requirement in the security world is the ability to robustly parse and analyse Windows Portable Executable files. Many malicious PEs currently found in the wild are actually quite difficult to analyse, due to packing and purposely malformed header structures…

This fast-paced, highly technical presentation will survey and attempt to classify some common and interesting malformations we have examined in our work at Sunbelt Software. We will analyse PE structural information and demonstrate how tolerant the Windows loader is to fuzzing this data. We will discuss the PE specification and highlight specific hurdles we have overcome in the course of developing a parsing framework capable of dealing reliably with modern malware…

Casey is one of our most senior developers and is responsible for the development of our VIPRE engine, and his insights are quite interesting for those involved in reverse engineering malware.
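The parsing problem the abstract describes comes down to never trusting an offset or count that the file itself supplies. As an added illustration (my own code, not Sunbelt’s VIPRE engine or Casey’s framework), here is a small tolerant PE header parser that records every oddity in an `anomalies` list instead of crashing, run over a constructed minimal image and three deliberately malformed copies of it.

```python
import struct
from dataclasses import dataclass, field

COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER: Machine .. Characteristics
COFF_SIZE = struct.calcsize(COFF_FMT)          # 20
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER
SECTION_SIZE = struct.calcsize(SECTION_FMT)    # 40
OPT_SIZE = 224                 # PE32 optional header, left zero-filled here
MAX_SECTIONS = 96              # the Windows loader rejects images beyond this


@dataclass
class PEInfo:
    machine: int = 0
    sections: list = field(default_factory=list)   # (name, raw_ptr, raw_size)
    anomalies: list = field(default_factory=list)  # what a scanner should log


def parse_pe(data: bytes) -> PEInfo:
    """Parse headers without ever trusting a header-supplied offset or count."""
    info = PEInfo()
    if len(data) < 0x40 or data[:2] != b"MZ":
        info.anomalies.append("missing or truncated DOS header")
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + COFF_SIZE > len(data):
        info.anomalies.append(f"e_lfanew 0x{e_lfanew:x} points past end of file")
        return info
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        info.anomalies.append("PE signature not found at e_lfanew")
        return info
    coff = e_lfanew + 4
    info.machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff)
    if nsec == 0 or nsec > MAX_SECTIONS:
        info.anomalies.append(f"suspicious NumberOfSections={nsec}")
    table = coff + COFF_SIZE + opt_size
    for i in range(nsec):
        off = table + i * SECTION_SIZE
        if off + SECTION_SIZE > len(data):
            info.anomalies.append(f"section table truncated after {i} entries")
            break          # also stops a huge NumberOfSections from spinning
        name, _, _, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, data, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        if raw_ptr + raw_size > len(data):
            info.anomalies.append(f"section {name!r} raw data runs past end of file")
        info.sections.append((name, raw_ptr, raw_size))
    return info


def build_minimal_pe() -> bytes:
    """Constructed sample: 32-bit image with one .text section of 16 NOPs."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew = right after stub
    coff = struct.pack(COFF_FMT, 0x14C, 1, 0, 0, 0, OPT_SIZE, 0x102)
    raw_ptr = 0x40 + 4 + COFF_SIZE + OPT_SIZE + SECTION_SIZE
    section = struct.pack(SECTION_FMT, b".text", 16, 0x1000, 16, raw_ptr,
                          0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(OPT_SIZE) + section + b"\x90" * 16


GOOD = build_minimal_pe()

# Deliberately malformed copies, constructed for the demo:
BAD_LFANEW = bytearray(GOOD)
struct.pack_into("<I", BAD_LFANEW, 0x3C, 0xFFFFFF00)   # header offset past EOF
BAD_NSEC = bytearray(GOOD)
struct.pack_into("<H", BAD_NSEC, 0x40 + 4 + 2, 0xFFFF)  # absurd section count
TRUNCATED = GOOD[:-8]                                    # raw data cut short

if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("bad e_lfanew", bytes(BAD_LFANEW)),
                          ("bad nsec", bytes(BAD_NSEC)), ("truncated", TRUNCATED)]:
        print(label, parse_pe(sample).anomalies)
```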

Incidentally, Alex Shipp, who was part of the team that helped me on the Julie Amero case, will also be presenting some of his thoughts on the case.

AVAR (Association of anti Virus Asia Researchers): We will also have a presence at AVAR 2007, where Chandra Prakash (who is in the process of finishing up our next-generation anti-rootkit technology for release this fall), will be presenting a paper on “Design of X86 Emulator for Generic Unpacking” (faithful readers will recall that Chandra presented a paper at AVAR last year as well).

While the title of the paper sounds rather dry, the subject of generic unpacking is a fairly interesting one to antivirus researchers. To oversimplify, here’s why: Since the vast majority of malware is “packed” (compressed) using tools such as FSG or UPX, antivirus engines need to unpack them to see if what’s inside is bad. Many antivirus engines perform “static” unpacking, where an antivirus researcher writes a separate signature for each piece of malware that’s packed. This is obviously time consuming and has disadvantages in detecting new variants (it’s easy to fool a static unpacker). The solution that’s come about is to implement generic unpacking, which runs the malware inside of an emulator, thus allowing easier detection by the engine.

At any rate, if you’re at either conference, feel free to say hello. It’s easy to spot us: we’re the ones causing all kinds of trouble.

Alex Eckelberry

Big hole in dam + small piece of bubblegum = the dam will still flood.

Greeting card scams are all the rage. It’s a big part of how the Storm worm got so many happy participants.

In response to scams using American Greetings’ style emails, the company has changed their format.

[Image: American Greetings’ new ecard email format]

Now, I’m glad to see something’s happening here, and it’s a start. But here are some points to consider.

Sender’s personal information is in the subject line
Ex. “John Smith has sent you an ecard from AmericanGreetings.com”

Ok. But since these spams are coming from infected machines, well, that’s easy to spoof.

“ecards@americangreetings.com” is the actual “from” email address, with “Ecard from AmericanGreetings.com” as the “from” display name.

Please. That’s so trivial to spoof, it’s a joke. That’s not even a security recommendation. That’s just a dangerous piece of advice.

Sender’s name and email address are included in the body of the email

Right, but again, these are sent from infected machines and can simply use the address book of the infected user. (It’s true that this would only apply to the names that the sender had in their address book, not in other email addresses the infected system/spam zombie might be ordered to send to. But nevertheless, people seem to click on “a friend sent you a greeting card” anyway, regardless if it’s from someone they know or not: Just witness the Storm worm’s ubiquity.)

American Greetings’ changes will help a wee bit, and I am glad they’re doing at least this. But it’s going to take a lot more to fix this problem.

Alex Eckelberry

City of Marin County serves porn

The Transportation Authority of the City of Marin County is hacked to pieces, serving malware and porn.

Here’s the website:

[Image: the Transportation Authority of Marin County website]

But here’s a sampling of what’s actually hidden away there on their servers, which a simple Google search provides (warning: graphic content).

Click on one of those links, and you get redirected to a porn site pushing malware:

[Image: the porn site the links redirect to, pushing a fake codec]

Ok, so this happens and we see it all the time. I contacted them today by email, but another security researcher here also tried vainly to contact them yesterday. As she tells me “I sent them 2 emails and left a message on their voice mail at the number on the site. They have not responded and the site is still hacked up the ying-yang today.”

Here’s a suggestion: If you have a public facing site, make it easy for people to contact you. And read the emails when they come in.

We had better luck today with a government agency. We emailed the contact, and were provided with a phone number. A pleasant call was had, and they are working to clean their site (the only problem being the site is hosted somewhere else). But at least we got someone.

Alex Eckelberry

For shame: Thawte trusts Gromozon

Gromozon (here as “Newtech, Inc. Panama”), one of the most notorious pieces of spyware out there, is digitally signed by Thawte (part of Verisign). This isn’t the first time spyware has been signed by a certificate authority.

[Image: Gromozon’s digital signature issued by Thawte]

VirusTotal results for this “signed” piece of garbage here.

Alex Eckelberry
(Credit to Sunbelt researcher Francesco)

Update: Verisign has notified me that the cert is being revoked.

When PR backfires

Zango apparently sends a press release to all kinds of press people, including blogger Chris Boyd (aka Paperghost).

Let me get this right……you decided to send a press release to me……Paperghost……known for my enthusiastic response to all things Zango…..who happens to work for an Instant Messaging Security Company…..to tell me about how awesome Zango’s new adverts….that look like Instant Messaging Notifications……will be?

Link here.

Alex Eckelberry

Tales of product managers

Back in the antediluvian times of the industry (that is, before the flood of the Internet and the ubiquity of Windows), I used to be a product manager. In my opinion, it’s probably the best job you can ever have in a software company, but its downside is represented by the PM’s motto of “accountable for everything, responsible for nothing”.

So I enjoyed this article by David Pogue, who relates some tales of his dealings with PMs.

The product manager (P.M.) is an interesting beast, sort of a crossbreed: somebody who knows a lot about the product and its target audience, as the engineers and programmers do, but who’s also there to promote the product, as the P.R. people do. (Just as the P.R. person is a gatekeeper for the P.M., the P.M. is a gatekeeper for the engineers if the questions get too tough.)

Link here.

Memories…. I recently came across this old article from 1994 when I was a product manager in the old PC DOS days. No, I’m not old. Just a bit creaky around the edges.

Alex Eckelberry
(Thanks, Phil)

Sunbelt Weekly TechTips #61

What’s the Network Projector?
One of the new features in Vista of which many users are unaware is the ability to connect to a projector over the network, to give presentations from a PC without having to directly connect the computer to the projector. A network projector is connected to the local area network via wired or wireless technology and you can connect your Vista computer to it by using its URL (web address) or its UNC name (the network path and name). You can also ask Windows to automatically search for a connected projector.

You set up the connection from Start | All Programs | Accessories | Connect to a Network Projector. Your presentation is sent over the network to the projector using the Remote Desktop Protocol (RDP), which is encrypted for better security. You can even connect to more than one projector at a time, and give your presentation to groups of people who are in two different locations, from your own third location. To find out more, click here.

How to use the Cipher command to wipe data from your disk
As you probably know, when you delete files off your Windows XP or Windows Vista computer, those files aren’t actually gone. The only thing that happens is that the “pointer” to the deleted files is removed and the space on the hard disk is marked as available to put new data. But until new data is put in the same location as the deleted data, the deleted data remains on the hard disk and can be recovered by hackers and other malicious users.

What you need to do is “wipe” the data off the hard disk. You can do this by using the cipher command that comes free with Windows XP and Windows Vista. Here are the instructions, compliments of Tom Shinder:

  1. Close all programs.
  2. Click Start, click Run, type cmd, and then press ENTER.
  3. Type cipher /w:driveletter:\foldername, and then press ENTER. Specify the drive and the folder that identifies the volume that contains the deleted data that you want to overwrite. Data that is not allocated to files or folders will be overwritten. This permanently removes the data. This can take a long time if you are overwriting a large space. For example, if you have deleted files in folder c:\SECRET, you would enter cipher /W:C:\SECRET

The wiping process can take a long time, so be patient. Once the files are wiped by the cipher utility, no one will be able to recover your deleted information from your hard disk.
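To see why a delete leaves data behind and what a free-space wipe actually touches, here is an added example (my own toy model, not Microsoft’s cipher utility). A tiny block device is modelled in memory: an allocation table is the “pointer” to each file, delete() only drops the table entry, carve_free_space() shows what a recovery tool would still find, and wipe_free_space() overwrites unallocated blocks only, in the three passes (0x00, 0xFF, random) that cipher /w performs, leaving live files untouched.

```python
import os

BLOCK = 16  # bytes per block in the toy disk


class ToyDisk:
    def __init__(self, nblocks: int = 8):
        self.blocks = [bytearray(BLOCK) for _ in range(nblocks)]
        self.table: dict[str, list[int]] = {}   # file name -> its blocks

    def _free_blocks(self) -> list[int]:
        used = {b for blocks in self.table.values() for b in blocks}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write(self, name: str, data: bytes) -> None:
        free = self._free_blocks()
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        if len(chunks) > len(free):
            raise OSError("disk full")
        self.table[name] = free[:len(chunks)]
        for idx, chunk in zip(self.table[name], chunks):
            self.blocks[idx][:] = chunk.ljust(BLOCK, b"\0")

    def read(self, name: str) -> bytes:
        return b"".join(self.blocks[i] for i in self.table[name]).rstrip(b"\0")

    def delete(self, name: str) -> None:
        # Only the pointer goes; the data blocks are left as they were,
        # which is what a normal file-system delete does.
        del self.table[name]

    def carve_free_space(self) -> bytes:
        """What a recovery tool sees: raw contents of unallocated blocks."""
        return b"".join(self.blocks[i] for i in self._free_blocks())

    def wipe_free_space(self) -> int:
        """Overwrite unallocated blocks only (zeros, then 0xFF, then random)."""
        free = self._free_blocks()
        for fill in (b"\x00" * BLOCK, b"\xff" * BLOCK, None):
            for i in free:
                self.blocks[i][:] = os.urandom(BLOCK) if fill is None else fill
        return len(free)


def demo() -> tuple:
    """Returns (recoverable before wipe, recoverable after wipe, live file)."""
    disk = ToyDisk()
    disk.write("keep.txt", b"public notes")                  # constructed data
    disk.write("secret.txt", b"payroll: 300k-400k per annum")
    disk.delete("secret.txt")
    before = b"payroll" in disk.carve_free_space()           # True
    disk.wipe_free_space()
    after = b"payroll" in disk.carve_free_space()            # False
    return before, after, disk.read("keep.txt")


if __name__ == "__main__":
    print(demo())
```

Note that, like cipher /w, the wipe covers only unallocated space; data still inside allocated files, or in the slack at the end of their last block, is not touched.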

Order Microsoft hot fixes without calling Support Services
Hot fixes are released to address specific problems and Microsoft recommends that you install them only if you’re actually experiencing the problem (unlike security updates and service packs). Until recently, to get a hot fix you had to call Microsoft support services. Now they’ve made it easier by providing a web site where you can order hot fixes you need by filling out a hotfix request submission form, and someone from Microsoft will contact you via email. Go here to find out more.

Zune gets cheaper: Apple’s not the only one cutting prices
If you’ve been waiting around to buy new electronics products, last week was a good one for you. In addition to the iPhone price cut, Microsoft dropped the price of their Zune music player by $50, to $199. Read more here.

What happened to that rebate?
Unopened rebate applications found in dumpster (thanks Martin M.).

New Windows Live Suite available
On September 5th, Microsoft released a new version of their Windows Live services that can be installed as a suite rather than having to install each program individually. The suite includes Windows Live Mail, Version 8.5 of Windows Live Messenger, Windows Live OneCare Family Safety, the Windows Live Toolbar, the excellent Windows Live Writer blogging program, and the first public beta of Windows Live Photo Gallery for sharing pictures on Windows Live Spaces. Check it out here.

Evaluating the credibility of Wikipedia entries
Wikipedia is a vast resource for information about all sorts of things, but its strength – the fact that anyone can enter or edit the information – is also its biggest weakness. How do you judge the credibility of what you read there? Now a professor has come up with software that purports to do just that, based on the reputations of the contributors. If it works, it sounds like a step in the right direction. Read more about it here.

September 11 Marks a light Patch Tuesday
Patch Tuesday falls on September 11 this month, reminding us that vigilance when it comes to security is important on many different fronts. This month sees relatively few patches being released by Microsoft; only five security bulletins are expected with only one of them labeled as critical. The critical patch deals with a vulnerability in Windows itself, while there are also patches for Windows Live Messenger and MSN Messenger and Visual Studio. Read more here.

What can I do when my computer is losing time?
QUESTION:
My Vista computer doesn’t seem to keep time properly (like a watch that’s going bad). It seems to lose time. Is there anything I can do? Thanks! – A. R.

ANSWER: Your Windows Vista computer is able to synchronize its clock with a time server on the Internet. But if you find that your computer time isn’t right, maybe you need to change your time server. Here’s how you do it:

  1. Click Start and then click Control Panel
  2. In the Control Panel, click the Classic View link on the left side of the Window
  3. In the Classic View Control Panel Window, double click the Date and Time icon.
  4. In the Date and Time dialog box, click the Internet Time tab.
  5. On the Internet Time tab, click the Change Settings button.
  6. Click Continue in the User Account Control dialog box.
  7. In the Internet Time Settings dialog box, click the Server down arrow and select another time server. The default is time.windows.com. Try using time.nist.gov first and see how that works for you.
  8. Click OK in the Internet Time Settings dialog box.
  9. Click OK in the Data and Time dialog box.

Can’t install WMP 10 on XP with SP2
If you try to install Windows Media Player version 10 on an XP computer with Service Pack 2, you may get an error message that says “This version of Windows Media Technologies is incompatible with this version of Windows.” That may be because you have Windows Media Format 11 installed, and must uninstall it before you can install WMP 10. If that’s not the issue, there is another resolution. For the “how to” in both cases, see KB article 914223.

How to log onto XP if you forget your password
A forgotten password can keep you from being able to log onto your Windows XP computer. But you may be able to reset the password and access the account again – if you have a password reset disk that you created beforehand or if you know the password to an administrative account. For more info, see KB article 321305.

Logon screen not available when you remove a second monitor in Vista
If you have two monitors on your Vista computer and happen to remove one while the computer is in hibernation or sleep mode, you might find that when the computer resumes, you can’t see the logon screen and thus can’t log on to the computer. Ouch. Luckily, there is a hotfix for this problem. To find out more, see KB article 932339.

Deb Shinder

When Lowering Your Price Makes Customers Mad

We’re all happy when prices drop, right? Well, not quite all of us. Apple caused quite a backlash last week when they decided to cut the price of the iPhone by $200. You’d think that would be a good thing but it made a lot of customers mad – specifically, those who had already bought a phone at the higher price.

According to a story in the Washington Post at least one iPhone owner who felt gypped by the price cut proclaimed that he would never buy another of the company’s products.

I can understand their frustration. If I had shelled out $599 for something and a few weeks later, it was selling for $399, I’d be annoyed. In fact, I have been annoyed when that’s happened to me on several occasions. But I accepted a long time ago that when it comes to the technology market, you can pretty much count on the fact that the price you pay today for most electronics and computer equipment will be lower if you wait a while.

The iPhone folks are acting as if they’re the only ones who’ve ever been caught in this kind of situation. Yet when I got my Samsung i730 Windows Mobile phone from Verizon a couple of years ago, it was $600. Last spring, Verizon was offering the same phone for $299. It never occurred to me to swear off Verizon and Samsung forever. I just figured that $300 difference was the price I paid to have the device when it was brand new.

And it’s not like they weren’t warned. A number of industry insiders speculated that the price would come down fairly soon and advised those who didn’t just absolutely have to be on the cutting edge to wait a few months before buying. I even wrote an article for Tech Republic titled “Ten Reasons Not to Buy an iPhone (at least, not yet).” One of those reasons was the high opening price. I opined that the next version of the phone, which was rumored to be coming out as soon as this December, would cost less and (I hope) address some of the problems with the current version, such as the non-user replaceable battery.

Besides, I thought Apple fans had plenty of money to throw around. Otherwise, why would they pay so much more for computers with specs so much lower than what they could get in a PC for the same price? Seriously, though, anyone who’s been around the computer world for any length of time (and phones like the iPhone and the i730 are computers) knows that drastic price drops are the order of business over both the long and short term.

It’s that “short term” part that seems to be rubbing so many people the wrong way. They aren’t complaining so much about the fact that prices went down as the fact that they went down only ten weeks after the phone’s release. And I admit that most of us didn’t see it coming quite that quickly.

Apparently Apple didn’t see all these angry responses coming, either. Steve Jobs himself found himself apologizing for the price cut, and Apple is offering a $100 credit at the Apple store to customers who bought the phone at the higher price. Whether that will appease the angry mob is yet to be seen. Meanwhile, Wall Street reacted to the price cut with a corresponding drop in Apple’s share prices.

What about all those people who didn’t rush out to stand in line and buy an iPhone on the first go-round? Will this price cut motivate them to buy one now? Or will they think twice and wait, hoping it will go even lower? Personally, I’d need to see more changes than just a lower price before I’d buy one. A removable/replaceable battery is non-negotiable for me, and the limited support for Exchange server is another deal breaker with the current model.

I’m a Windows kind of person, and will most likely go with a Windows Mobile 6 device when I replace the venerable i730 – but I’ll never say never. Apple does make gorgeous products, and if iPhone 2.0 offered full Exchange support, a user-friendly battery, and worked on Verizon’s EV-DO network, I would be mightily tempted.

What about you? Did you buy an iPhone when they came out at the end of June? If so, are you angry about the price cut? How angry? If not, will the price cut motivate you to buy one now, or is $399 still too much to pay for a cell phone? Are you waiting for a new version with better features? What features would Apple need to add for you to want one of their phones? Or do you think the whole concept is silly? Are Apple customers justified in feeling cheated, or are price cuts always a good thing, even if some people get burned? Would you get angry if Microsoft announced they were dropping the price of Vista?

Deb Shinder

Searching for evil: Recommended video

Professor Ross Anderson gives an excellent video on malware, phishing and spam, called “Searching for Evil”. Highly recommended viewing.

From the abstract:

Computer security has recently imported a lot of ideas from economics, psychology and sociology, leading to fresh insights and new tools. I will describe one thread of research that draws together techniques from fields as diverse as signals intelligence and sociology to search for artificial communities.

Evildoers online divide roughly into two categories – those who don’t want their websites to be found, such as phishermen, and those who do. The latter category runs from fake escrow sites through dodgy stores to postmodern Ponzi schemes. A few of them buy ads, but many set up fake communities in the hope of having victims driven to their sites for free. How can these reputation thieves be detected?

Some of our work in security economics and social networking may give an insight into the practical effects of network topology. These tie up in various ways with traffic analysis, long used by the signals intelligence agencies which trawl the airwaves and networks looking for interesting targets. I’ll describe a number of dubious business enterprises we’ve unearthed. Recent advances in algorithms, such as Newman’s modularity matrix, have increased the robustness of covert community detection. But much scope remains for wrongdoers to hide themselves better as they become topologically aware; we can expect attack and defence to go through several rounds of coevolution. I’ll therefore end up by talking about some strategic issues, such as the extent to which search engines and other service providers could, or should, share information in the interests of wickedness detection.

Speaker: Ross Anderson. Ross Anderson is one of the top security researchers in the world.

Alex Eckelberry
(Thanks Rob)

The Suntasia Debacle Revisited

In July, we wrote about Suntasia Marketing (also known as Strategia Marketing) and their misleading tactics. The company is now apparently in receivership, and in August, the Receiver published a preliminary report — which provides some very interesting reading if you’re interested in this kind of stuff. It details the high rate of refunds and returns, the misleading sales tactics and the poor quality of the products sold.

In summary, it appears that while the receivership defendants have a strong compliance function, the overall marketing goal is to obtain, often with misleading tactics, consumer banking information that is utilized to market and obtain payment for memberships and services of questionable value or utility. The Temporary Receiver will continue to suspend operations pending instructions from the Court.

The document also details the company’s assets and liabilities, including an outstanding loan on an 80 foot Lazzarra yacht.

Alex Eckelberry
(Hat tip)