Sunbelt’s annual Halloween madness


(One of our employees apparently manifesting his favorite pastime.)



(The jailhouse girls: Paris, Nicole and Lindsey)


(I know, it’s really gross.)


Faithful blog readers will recall that every year, we go a bit crazy with Halloween. We’ve managed to keep this tradition going, even as we’ve grown to be a much bigger organization. Employees show up in their most outrageous costumes, then the company parades down to the local coffee shop, and then back to the office for a costume judging and gluttonous amounts of pizza.

Well, Sunbelters did a pretty good job this year too. You can see pics here.

Alex Eckelberry

Mac trojan overhype? You tell me.

This new Mac trojan? Well, it’s actually fairly important news.

I don’t mean to sound breathless about it. As far as we know, it’s not widespread. But this is the first targeted, real attack on Mac users by a professional malware group.

As one of our security researchers put it:

“This is pretty groundbreaking, actually. Not from the standpoint of ‘malware can exist on Mac too’ (everybody who’s not a moron knew that), but really from the fact that this is actual malware created by real malware groups, not one of those useless proof-of-concepts of ‘malware can exist on Mac too’.”

Yet the chorus of yawns from the security space is deafening:

While security experts agree that such a piece of malware would pose a very serious threat to users, it remains unclear just how far the reported trojan has spread.

Representatives for McAfee, Symantec, and Trend Micro all told vnunet.com that their researchers had been unable to find the trojan in the wild or obtain a sample from Intego. A spokesperson for Symantec noted that Intego “has a tendency to overhype things.”

Well, putting aside the fact that it took us under 3 minutes to find the Trojan simply by doing a simple Google search, this shouldn’t be viewed as overhype (although one part of the article certainly is overhype: “the tool allows the attackers to redirect web traffic. Users attempting to visit Paypal, Ebay or certain banking sites for instance will be directed to a phishing website instead.” Nah.)

I don’t know much about Intego, a Mac antivirus company. But when I showed our resident Mac guru this Trojan, his reaction was real surprise. In his words, “I’ve been using Macs since 1989. This is the first time I’ve seen something like this.”

This is a good story.

Again, I’m not trying to overhype. Mac users, hungry for pr0n, really do have to go through a few hoops to get this thing loaded. But we now have millions of new Mac devices out there, between the Touch and iPhone, running OS X.

The sole driving force behind malware these days is money. And this is simply a new market for these bad guys.

Let’s not get complacent, those of us in the security space.

Alex Eckelberry

Mac users can now feel the pain of the fake media codec

Update: Screenshot posted here. More commentary here.

Also, some useful information here at MacWorld.

Consider the fake media codec — a plague on Windows PCs these days. Almost always on porn sites, it lures you with a prompt that looks like this:

[screenshot: a fake “missing codec” prompt]

or this:

[screenshot: a second fake codec prompt]

And so on.

Well, it’s come to the Mac. One variant of the fake codec, DNSChanger, is now being seen on Mac porn sites. From Intego:

A malicious Trojan Horse has been found on several pornography web sites, claiming to install a video codec necessary to view free pornographic videos on Macs. A great deal of spam has been posted to many Mac forums, in an attempt to lead users to these sites. When the users arrive on one of the web sites, they see still photos from reputed porn videos, and if they click on the stills, thinking they can view the videos, they arrive on a web page that says the following:

Quicktime Player is unable to play movie file.
Please click here to download new version of codec.

After the page loads, a disk image (.dmg) file automatically downloads to the user’s Mac. If the user has checked Open “Safe” Files After Downloading in Safari’s General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.

If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator’s password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download.

Is there any childlike schadenfreude on my part? You tell me. For years, we’ve heard snorts of derision from Mac users about the poor security of PCs. Yet that attitude (as we know from our history books) is a bit dangerous, because it creates a false sense of security.

Now, Mac users will need to be a bit more careful out there (‘cause when Joey wants his pr0n, he wants it now!). On the heels of the release of Leopard, we now find that there is no perfect protection against social engineering, even for a Mac user.

(Note that I have a Mac among the many computers at my house.)

Alex Eckelberry
(Hat tip to Brian Krebs.)

Good preso on Storm

Somewhat technical overview but good stuff. John Levine comments:

Last weekend, Brandon Enright of UC San Diego gave an informal talk at the Toorcon conference in which he reported on his analysis of the Storm botnet. According to his quite informative slides, Storm has evolved quite a lot over the past year, with both upgrades to the underlying engine and a variety of applications, most of which involve sending spam. (If you’ve gotten pump and dump spam with the message in an MP3 audio file, that’s Storm’s latest campaign.)

Enright says that although Storm’s peer-to-peer control structure makes it harder to map than centrally controlled botnets, its P2P design is relatively simple, and is similar enough to the eDonkey network that he could adapt tools designed for eDonkey to map Storm. While it’s never possible to find the exact size of a P2P network since nodes are constantly going on and off line, his statistics suggest that Storm consists of hundreds of thousands of nodes, not millions. While that’s a lot, it’s in the same range as other botnets. What really sets Storm apart is its operators’ skillful social engineering that constantly comes up with new tricks to get people to click on links that infect their Windows PCs.

You can see the preso here (via John Levine’s blog).

Alex Eckelberry
(Thanks Francesco)

Seen on MySpace — very realistic fake update popup


This thing is quite realistic. And if you click “Download”, you get an offer to install a nasty little Trojan (Sunbelt Sandbox report here).

The trojan, “updateKB890830.exe”, downloads from a site that looks like a Microsoft url, so it’s all quite realistic to the user.

This was reported to MySpace by a number of individuals and it’s gone now (incidentally, the MySpace abuse team reacts quite well to submissions at abuse(at)myspace.com).

Alex Eckelberry
(Hat tip to Randall Mueller for finding this one)

Pimp my PE presentations now available

Casey Sheehan, who runs our core antimalware team (the group that is developing our next-generation antimalware engine here at Sunbelt), gave an interesting presentation at VirusBulletin in Vienna, entitled “Pimp my PE: taming malicious and malformed executables” (PE is the file format used for programs, DLLs, etc. in Windows). PE files have a specific, documented structure. Malware authors often deliberately malform them to confuse antivirus engines. This paper deals with that challenge:

Abstract
A foundational requirement in the security world is the capability to robustly parse and analyze Windows Portable Executable files. Coping with the full spectrum of PEs found in the wild is, in fact, quite challenging. While white files are typically well structured, malicious files can be quite difficult to analyze, often due to deliberate malformations intended to stymie static analysis. In this paper we will survey and attempt to classify some common and interesting malformations we have studied in our work at Sunbelt Software. We will analyze PE structural information, discuss the PE specification, and highlight specific hurdles we have overcome in the course of developing a parsing facility capable of dealing reliably with the full range of images found in the wild, especially malware. We will also cover specific problems we faced along the way, examine structural heuristics we’ve developed in the course of classifying common malformations, and include a discussion of some interesting tools and techniques we’ve developed.

The subject matter is highly technical, but for those interested, I’ve posted the following files:

Paper: (pdf)

Presentation: (pdf) (ppt)

Referenced program, PeSweep.exe, here
(270,336 bytes; MD5 283668a022766c1505debd540d7dae91)
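To make the abstract’s point concrete, here is an added example of the kind of defensive header parsing it describes. This is my own illustration, not code from the paper or from PeSweep: it parses the DOS header pointer, COFF file header and section table of a PE image while treating every size and offset field as attacker-controlled, and it builds its own minimal (constructed, not real) image so it runs offline. Field offsets and signature values follow the public PE specification; the limit of 96 sections is the Windows loader’s documented maximum.

```python
import struct

# Added example (not from the Sunbelt paper or PeSweep): a defensive PE header
# parser that validates fields before trusting them, the way a scanner must when
# it meets the deliberately malformed images the paper describes.

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
MAX_SECTIONS = 96                 # the Windows loader rejects images with more sections


class PEParseError(ValueError):
    """Raised for a structural malformation; a scanner should log it, not crash or skip."""


def parse_pe(data: bytes) -> dict:
    """Parse the DOS header pointer, COFF header and section table with bounds checks."""
    size = len(data)
    if size < 0x40:
        raise PEParseError("file smaller than a DOS header")
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise PEParseError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew is attacker-controlled: check it before dereferencing. In C this sum
    # must be done in 64-bit (or checked) arithmetic so a huge value cannot wrap.
    if e_lfanew + 4 + COFF_HEADER_SIZE > size:
        raise PEParseError(f"e_lfanew 0x{e_lfanew:x} points outside the file")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise PEParseError("missing PE signature at e_lfanew")
    coff_off = e_lfanew + 4
    (machine, nsections, _timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff_off)
    if nsections > MAX_SECTIONS:
        raise PEParseError(f"implausible NumberOfSections {nsections}")
    # SizeOfOptionalHeader positions the section table; an inflated value pushes it past EOF.
    sect_off = coff_off + COFF_HEADER_SIZE + opt_size
    if sect_off + nsections * SECTION_HEADER_SIZE > size:
        raise PEParseError("section table extends past end of file")
    sections = []
    for i in range(nsections):
        off = sect_off + i * SECTION_HEADER_SIZE
        (name, _vsize, va, raw_size, raw_ptr, _relp, _lnp,
         _nrel, _nln, flags) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),  # raw bytes, never trusted as text
            "virtual_address": va,
            "raw_pointer": raw_ptr,
            "raw_size": raw_size,
            "characteristics": flags,
            # Raw data past EOF: the loader tolerates it, a scanner must clamp reads to the file.
            "truncated": raw_ptr + raw_size > size,
        })
    return {"machine": machine, "characteristics": characteristics,
            "optional_header_size": opt_size, "sections": sections}


def classify(data: bytes) -> str:
    """Return 'ok' or the malformation message, so a batch run can tally what it met."""
    try:
        parse_pe(data)
        return "ok"
    except PEParseError as exc:
        return str(exc)


def build_sample() -> bytearray:
    """Constructed minimal image (not a real binary): MZ header, PE signature at 0x40,
    COFF header at 0x44 with no optional header, one section header at 0x58."""
    img = bytearray(0x100)
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    struct.pack_into("<I", img, 0x40, IMAGE_NT_SIGNATURE)
    # Machine=i386, NumberOfSections=1, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics=EXECUTABLE_IMAGE|32BIT
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0, 0x0102)
    # .text: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
    struct.pack_into("<8sIIIIIIHHI", img, 0x58, b".text", 0x10, 0x1000, 0x10, 0x80,
                     0, 0, 0, 0, 0x60000020)
    return img


def mutate(img: bytes, offset: int, fmt: str, value: int) -> bytearray:
    """Copy the image and overwrite one header field, to inject a malformation."""
    out = bytearray(img)
    struct.pack_into(fmt, out, offset, value)
    return out


if __name__ == "__main__":
    good = build_sample()
    print("clean:", classify(good))
    print("e_lfanew past EOF:", classify(mutate(good, 0x3C, "<I", 0xFFFFFFF0)))
    print("65535 sections:", classify(mutate(good, 0x46, "<H", 0xFFFF)))
    print("oversized optional header:", classify(mutate(good, 0x54, "<H", 0x1000)))
    print("raw data past EOF:", parse_pe(mutate(good, 0x68, "<I", 0x1000))["sections"][0]["truncated"])
```

The four mutations at the bottom are the simplest instances of the malformation families the abstract mentions: a header pointer outside the file, an absurd section count, a section table pushed past end of file by the optional-header size, and section raw data that runs off the end. The loader shrugs at some of these, which is exactly why a scanner that mirrors the loader’s leniency instead of checking every field ends up with an out-of-bounds read or a skipped sample.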

Alex Eckelberry

The incredible saga of PIRT: $150 million saved and counting


In March of last year, Paul and Robin Laudanski and I started PIRT — the Phishing Incident and Response Termination squad. I can remember the scepticism and negativity when we started this task, by the “professionals.”

What Paul and Robin have done since then is nothing short of amazing. And they don’t get a dime for it. And neither do any of the volunteers who work on takedowns.

From PIRT evolved MIRT — Malware Incident and Response Termination. Now, there is SIRT — Spam Incident Response and Termination.

This is not trivial work.

Yesterday, Paul posted this on Castlecops:

Since May 2006, our Phishing Incident Reporting and Termination team has directly prevented more than $80 million in credit card losses, and indirectly an additional $75 million by working with our partners. We’ve shut down not only phish sites, but drops, all the while preserving evidence for law enforcement. And we need your help by donating your time as handlers to keep on investigating phish crimes so we can continue to prevent even greater numbers.

PIRT right now is receiving around 47,000 unique phish submissions per month. Our PIRT handlers are doing amazing work and trailblazing new roads in phish investigations and intelligence.

There are few people I have met in my life who are as genuine, kind-hearted and hard-working as Paul and Robin. Feel free to leave a comment congratulating them and all of their volunteers, here or on this blog.

Alex Eckelberry

Direct Revenue is dead and gone

It’s officially over (no surprise, we all knew it was coming).

I’m not going to bother with an obit; I don’t have the time. But we can all recall that it was a very profitable operation for the founders, despite what some might consider a relatively small fine to the FTC.

These four men (Alan Murray, Daniel Kaufman, Josh Abram and Rodney Hook) personally received over $28 million in three years.

(Source: Ben Edelman)

Direct Revenue acted in an outrageous manner, as can be readily observed from the documented evidence seized as part of the NY Attorney General’s investigation. Out of all the big spyware/adware vendors, they were one of the worst offenders.

Rest in peace? Nah. Too nice.

Alex Eckelberry

Some new fake codec sites

Hot and fresh, serving Zlob trojans:

ebwmanufacture(dot)com
dmqfirm(dot)com
ictprivate(dot)com

Even though these sites usually show a 403 error, they are serving Zlobs. This is now fairly standard practice for Zlob sites: show a 403 on the main page, but serve malware from a subdirectory. For example, one link that actually downloads malware would be something like ebwmanufacture(dot)com/download(dot)php?id=4082.

Obviously, don’t go to these sites unless you want to infect yourself with malware.
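The “403 on the front page, payload from a script underneath” pattern described above is something a web-proxy log can surface on its own. The following is an added example of mine, not anything from Sunbelt: it walks a handful of constructed, simplified Squid-style access-log lines (the hosts are made-up `.example` names, the `download.php?id=` path shape is the one the post mentions) and flags any host whose root URL returned 403 while a deeper path handed back an executable-looking body. The log format and field order are assumptions for the demo; adapt the regex to your own proxy.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log (not real traffic), simplified Squid-style fields:
# timestamp client method url status bytes content-type
SAMPLE_LOG = """\
1193700001 10.0.0.5 GET http://badcodec.example/ 403 312 text/html
1193700002 10.0.0.5 GET http://badcodec.example/download.php?id=4082 200 87041 application/octet-stream
1193700003 10.0.0.7 GET http://news.example/ 200 5120 text/html
1193700004 10.0.0.7 GET http://news.example/download.php?id=77 200 9122 application/pdf
1193700005 10.0.0.9 GET http://private.example/ 403 300 text/html
1193700006 10.0.0.9 GET http://private.example/admin/ 403 300 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<ctype>\S+)$"
)

# Content types a fake-codec drop typically comes back as; extend for your environment.
EXECUTABLE_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
}


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["bytes"] = int(rec["bytes"])
            yield rec


def find_403_front_hosts(text):
    """Hosts whose root URL answered 403 while a deeper path served an executable-type body.

    Returns {host: [(client, url), ...]} so an analyst sees both the site and who fetched it.
    Order of the two requests in the log does not matter: both sets are built first, then joined.
    """
    front_403 = set()
    payloads = defaultdict(list)
    for rec in parse_log(text):
        parts = urlsplit(rec["url"])
        host = parts.hostname
        is_root = parts.path in ("", "/")
        if is_root and rec["status"] == 403:
            front_403.add(host)
        elif not is_root and rec["status"] == 200 and rec["ctype"] in EXECUTABLE_TYPES:
            payloads[host].append((rec["client"], rec["url"]))
    return {host: payloads[host] for host in front_403 if host in payloads}


if __name__ == "__main__":
    for host, hits in find_403_front_hosts(SAMPLE_LOG).items():
        for client, url in hits:
            print(f"{host}: 403 front page, executable served to {client} from {url}")
```

On the sample, only `badcodec.example` is reported: `news.example` serves its front page normally and `private.example` returns 403 everywhere without ever handing out a binary. The heuristic is deliberately narrow (root 403 plus an executable content type from a sub-path) so that ordinary access-controlled sites don’t light it up; it is a triage signal for a fake-codec drop, not a verdict.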

Alex Eckelberry
(Thanks to Sunbelt researcher Patrick Jordan)

So what’s the motivation behind Zango’s acquisition of SmartShopper?


Earlier today, Zango announced the purchase of SmartShopper.

Why?

Our research leads us to believe that one major reason may be as a way for Zango to get an imprimatur of credibility. SmartShopper is in the TRUSTe Trusted Download Program, a fact that the SmartShopper folks are quite proud of, showcasing it prominently on their website. (Incidentally, and of some concern — SmartShopper is not listed on TRUSTe’s main list of trusted applications, but is, in fact, in the Trusted Download program. This is the second occurrence we’ve observed of “quiet” listings in TRUSTe. Correction — faulty memory on my part — this is the only one, which we did write about earlier. )

It’s also no secret that Zango is trying hard to get a Trusted Download certificate for itself. However, will it make any difference, especially in light of the huge sums of money a vendor must pay (reported to be in the hundreds of thousands, or millions of dollars)? Probably not. I doubt any advertisers will care. We’ve found that advertisers are quite leery of Zango in general. I doubt Trusted Download will help them.

However, having SmartShopper in their portfolio of applications will allow Zango to point proudly at a product they own in the Trusted Download program. And it’s even in the realm of possibility that by having a Trusted Download like SmartShopper, they could use this as a future way to get Zango on more desktops (by bundling with SmartShopper or by offering SmartShopper users a download of Zango).

It’s worth noting that Zango is primarily gaining new users through Seekmo, its porn branch. In other words, new user acquisition occurs from users downloading porn in exchange for free ads, not for funny videos of a cat jumping up and down. They need everything they can to gain legitimacy.

Alex Eckelberry

Jane is contrite… Now we’re trying to help Gary

Faithful blog readers will recall “Jane”, who sent us an apoplectic, foul-mouthed rant, mistaking us for the makers of WinFixer WinAntivirusPro.

The letter was entertaining in its creative use of epithets.

However, I had sent her an email explaining that we weren’t related to the WinAntivirusPro band of miscreants, and her reply was significantly more civil, albeit still entertaining:

Dear Mr. Eckelberry;

Thank you for your courteous and helpful response to my potty-mouth rant. And my apologies to you and other staff at Sunbelt.

This elusive WinAntivirus thing has really been a bother; I use my computer for research and writing. Recently, when I submit a query to Google, I get the nasty WinAntivirus screen that will not go away. It’s to a point where I really don’t know who to trust. I am aware that there are several available programs that represent that they will remove that WinAntivirus stuff, at a price. Then, my own internal computer tells me that the reptiles responsible for the WinAntivirus may be profiting from the sale of the removal programs. It’s all very confusing.

I want to find these WinAntivirus folks quite soon, and I hope they have a 1-800 number.

I work at an inpatient psychiatric facility, where even the most deranged and psychotic patients are entitled to unrestricted access to a telephone. Some of these poor souls are just lonely, and looking for a kind voice to listen to their rantings. Such as the folks that answer the phone at WinAntivirus. Do you, by chance have that number? That would make me feel a whole lot better.

Thanks, Jane

I have advised her that there really is no way to contact these WinAntivirus folks… Although, the idea of using psychiatric patients en masse to harass a vendor is a curious and novel approach to lodging complaints.

Lest you think it’s all over, however, “Gary” sent an email yesterday through our Media Relations link which is a wee bit confused:

Subject: Media Inquiry – Sunbelt Software Research Center

Jason, I don’t know what connection you may have with “pointroll cookie”.

This complaint is not directed at you personally, BUT I DO NOT WANT AND I RESENT WITH FIRE IN MY EYE THE INTRUSION AND INVASION OF MY COMPUTER BY “POINTROLL COOKIE”!!
PLEASE!! IF YOU CAN, R E M O V E ALL DATA PERTAINING TO “POINTROLL COOKIE” FROM MY COMPUTER NOW AND FOREVER!! I CAN NOT MAKE IT MORE PLAIN. YOU WILL NOTICE THAT I AM USING CAPS. POINTROLL COOKIE, GET OUT AND STAY OUT OF MY LIFE FOREVERRRRRRRRR!

SINCERELY, GARY (removed)

Of course, we have no association with the Pointroll cookie and we’re still scratching our heads over exactly what Gary means. We’ve sent an email trying to get more clarity.

Clarity, of course, is sometimes a rare commodity in this business.

Alex Eckelberry