Yup, satisfies the requirement for “simple”.
Alex Eckelberry
The Legacy Sunbelt Software Blog
The Great Years: 2004-2010
Err… a big Italian bank, Fineco, gives these instructions for creating a password. It’s in Italian, but Francesco here did some translation:
“to verify the security of a password, it is sufficient to put it in any search engine (such as Google): if it returns less than 10 results, it means it is a good password”
And then they have examples of how many search results should determine a good password!
pippo = 767,000 results -> very bad password
05Fineco = 30 results -> good password
F1n3co = none (“nessuno”) -> excellent
See for yourself. A machine translation to English of the site is here.
This is just beyond nutty.
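Two things are wrong with the bank's advice. Pasting a password into a search engine hands it to a third party (query logs, autocomplete history, the proxy in between), and the hit count measures how obscure the string is on the public web, not how hard it is to guess: “F1n3co” is the bank's own name with two leetspeak substitutions, the first thing a targeted wordlist with mangling rules tries. The script below is an added example, not from the post or from Fineco, showing an offline check that scores the three sample passwords by brute-force search space and by whether they collapse to a dictionary word once the usual mangling is undone. The four-word wordlist and the 16-bit budget for mangling rules are assumptions chosen for illustration.

```python
import math
import string
from typing import Optional

# Constructed for this example: the handful of words an attacker would try first
# against this bank's customers. Real cracking wordlists hold millions of entries
# plus every leaked password, so "few Google hits" says nothing about guessability.
TARGETED_WORDS = {"fineco", "pippo", "password", "banca"}

# Typical leetspeak substitutions, inverted so a candidate can be normalised.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s"})

# Assumed rule budget: a cracker's mangling rules (append digits, capitalise,
# leetify, ...) number in the tens of thousands, roughly 2**16 variants per word.
MANGLE_RULE_BITS = 16.0


def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet covering every character in pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def brute_force_bits(pw: str) -> float:
    """Search space (bits) if the attacker had to try every string of this length
    over this alphabet. This is the optimistic figure naive meters report."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def dictionary_word(pw: str, words=TARGETED_WORDS) -> Optional[str]:
    """Undo the usual mangling (prefix/suffix digits, leetspeak, case) and report
    which wordlist entry the password collapses to, or None."""
    base = pw.strip(string.digits)
    for cand in (pw, base, pw.translate(UNLEET), base.translate(UNLEET)):
        if cand.lower() in words:
            return cand.lower()
    return None


def assess(pw: str, words=TARGETED_WORDS) -> dict:
    """Effective strength: a mangled dictionary word costs the attacker about
    log2(len(words)) + MANGLE_RULE_BITS guesses, however exotic it looks."""
    bits = brute_force_bits(pw)
    word = dictionary_word(pw, words)
    if word is not None:
        bits = min(bits, math.log2(len(words)) + MANGLE_RULE_BITS)
    return {
        "password": pw,
        "brute_force_bits": round(brute_force_bits(pw), 1),
        "dictionary_word": word,
        "effective_bits": round(bits, 1),
        # 40 bits is an arbitrary floor for illustration; below it an offline
        # attacker at 10**9 guesses/s finishes in well under an hour.
        "verdict": "weak" if bits < 40 else "acceptable",
    }


if __name__ == "__main__":
    for pw in ("pippo", "05Fineco", "F1n3co"):
        print(assess(pw))
```

Run as-is, all three of the bank's examples come out “weak”: “05Fineco” looks like 47.6 bits to a naive meter but is the bank name with two digits in front, and “F1n3co”, the one the bank rates “excellent”, decodes to the same word. The check never sends the password anywhere.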
Alex Eckelberry
Well, it seems the firestorm of protest has had its effect: Snopes (apparently) is no longer pushing Zango. This seems to have changed yesterday evening (the last time I confirmed the popup was at about 4 pm EDT yesterday).
There were lots of comments on this one.
I did notice a fair number of comments saying something to the effect that “hey, the site has every reason to monetize its traffic through advertising”, etc.
So I have to make a few points:
1. I have no problem with advertising.
2. I have no problem with sites using advertising to pay their bills.
3. I do have a problem with a site consistently pushing one particular popup that pushes adware.
Again, it’s not like this popup was occurring on some limited basis, or part of a series of ads. This was a consistent campaign that showed up regularly, for a long time (probably over a year).
I’m glad Snopes has (apparently) changed its position. Now, we have to work on a few other sites… 😉
To all of you who helped, thank you. I do think this will make a difference in reducing the amount of adware in the wild.
Alex Eckelberry
Update: It’s official.
I am a big fan of Snopes, and use the service routinely when getting some typical hysterical email from a friend.
But for a long time now (probably at least a year), I’ve noticed that they are in bed with Fastclick, which in turn constantly serves one annoying ad on Snopes:
That ad, “Do you want to block Junk Emails?” is for a Zango product — adware (VirusTotal report here). And by running this ad, Snopes, which is highly reputable, is providing an implied endorsement of the product.
Well, here is what your screen may look like after you install this pile of crap (incidentally, with miserable notice and disclosure):
I contacted Snopes about six months ago to complain, but they ignored my message.
Note that:
1. This is one of only two (corrected: more than two, but this particular one is certainly constant and predominant on the site) popups that constantly come up on the Snopes site (the other one is for a registry cleaner, and that’s probably another story when I have time). It’s not like a one-off bad popup that happens in a rotation with other popups. This particular popup is there practically every time you visit Snopes (see for yourself).
2. This would mean that Snopes is getting paid well for these popups (either pay-per-click or by page views). Advertisers like Zango don’t pay to run ads that don’t get a good response. And likewise, a site like Snopes won’t waste valuable ad inventory on poorly-paying ads. And I firmly believe that the fact that the ads do well is because of Snopes’ credibility.
In other words, Snopes is pushing adware because it makes them money. And I believe it’s a lot of money.
And that’s not an urban legend. It’s shameful.
Alex Eckelberry
Update: Snopes has apparently stopped pushing Zango. More here.
Update 2: It’s official.
Not Robert LaFollette this time, but John Jacobson, our IT director (who is getting really good):
Taken locally.
Nice work, John!
Alex Eckelberry
Since late last week, we have been observing a fair number of spams with a Trojan payload, purporting to be a money transfer notification from Western Union. The spam looks like this (the attachment in this screenshot has been stripped by a scanner; the actual attachment should read “Western Union Information.exe”):
The text may read something like this:
Dear Mike
Total of #3750 has been transferred by western union
MTCN number is 007-188-6024.
Enclosed is the western union sheet
Robert
or
Dear Mike
Total of $3750 has been transferred by wetern union
The MTCN number is 007-188-6024.
Enclosed is the transfer sheet
I hope this settles my transfer
Robert
The payload is Trojan.Perfloger (there are many other descriptions. A VirusTotal scan is here).
After the Trojan is executed, the user sees a text file:
But that, of course, is the least of their problems.
An analysis of the program is on the Sunbelt Sandbox, here.
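The lure above is easy to catch at the mail gateway without a signature, because the two halves of the scam have to travel together: a money-transfer story with a fake MTCN, and a Windows executable the reader is told to open. The script below is an added example, not part of the post or of any Sunbelt product, that parses a constructed .eml modelled on the quoted text (the headers and the attachment body, just a PE “MZ” magic with padding, are made up) and flags executable attachments, executables hiding behind another extension, and the lure wording. The extension list and the rule that both halves must be present are my choices.

```python
import base64
import email
import re
from email import policy

# Constructed sample modelled on the lure quoted above; not a real capture.
SAMPLE_EML = b"""From: Robert <robert@example.invalid>
To: Mike <mike@example.invalid>
Subject: western union transfer
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Dear Mike
Total of $3750 has been transferred by wetern union
The MTCN number is 007-188-6024.
Enclosed is the transfer sheet
Robert

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Western Union Information.exe"
Content-Transfer-Encoding: base64

""" + base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60) + b"""
--b1--
"""

# Extensions Windows runs on double-click; .pif/.scr/.com are favourites because
# many users do not recognise them as programs.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Both spellings seen in the samples, plus the transfer-reference keyword.
LURE_RE = re.compile(r"western\s+union|wetern\s+union|\bMTCN\b", re.I)
MTCN_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")  # the 10-digit reference the lure quotes


def attachment_extension(filename: str) -> str:
    """Last extension after stripping trailing dots/spaces, which Windows drops
    when launching, so "sheet.pdf.exe   " still runs as an .exe."""
    name = filename.rstrip(" .").lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def triage(raw: bytes) -> list:
    """Return the reasons this message resembles the Western Union lure.
    An empty list means nothing matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    body_text = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = attachment_extension(filename)
            data = part.get_payload(decode=True) or b""
            if ext in EXEC_EXTENSIONS:
                reasons.append(f"executable attachment {filename!r}")
            elif data[:2] == b"MZ":
                # A PE image renamed to .pdf/.doc: the extension lies, the magic does not.
                reasons.append(f"PE executable disguised as {filename!r}")
        elif part.get_content_type() == "text/plain":
            body_text.append(part.get_content())
    body = "\n".join(body_text)
    if LURE_RE.search(body):
        reasons.append("money-transfer lure wording")
    if MTCN_RE.search(body):
        reasons.append("fake MTCN reference number")
    return reasons


def is_suspect(raw: bytes) -> bool:
    """Quarantine only when lure wording and a runnable attachment coincide, so a
    genuine transfer notice (no attachment) is not caught by the wording alone."""
    reasons = triage(raw)
    has_exec = any(r.startswith(("executable", "PE executable")) for r in reasons)
    has_lure = any("lure" in r or "MTCN" in r for r in reasons)
    return has_exec and has_lure


if __name__ == "__main__":
    for reason in triage(SAMPLE_EML):
        print("-", reason)
    print("suspect:", is_suspect(SAMPLE_EML))
```

The magic-byte check matters more than the extension list: the next variant of this campaign only has to rename the attachment, while a PE file still starts with “MZ”.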
Alex Eckelberry
Remember Julie Amero? Well, The Julie Group may have to start evaluating another project.
This time, the story is in Florida — and at a school that’s not too far from our own Sunbelt headquarters.
A school cop at Gulf Middle School, John Nohejl, created a MySpace page to educate kids about safety (with the support of the school). Well, as Wired puts it:
Gulf Middle School resource officer John Nohejl didn’t have porn on his MySpace profile, and he didn’t link to porn. But one of the 170-odd people on his friends list, which seems mostly populated by students at his school, had a link to a legal adult site. Now the New Port Richey Police Department and the Florida attorney general’s elite cyber crimes unit are investigating him for making adult content available to underage children.
From press reports, the adult site linked seems to have been Amateur Match Free Sex, an Adult Friend Finder type of site. It’s well known to anyone on MySpace that affiliates of these types of outfits have been known to do bad things on MySpace (AFF recently settled with the FTC for such behavior). It could have even been a link in the comment of a Friend.
Oh, and after this broke, it was found that the school’s site itself had a link to gay porn. The principal is “outraged”. As Kevin Poulsen at Wired points out, does that mean he gets criminally investigated as well?
This is silly. To criminally investigate an officer because three clicks away from his MySpace page there’s a link to an adult website? (Incidentally, the principal is Stan Trapp and a list of school staff member emails is here.)
At least one thing is heartening: the good folks over at the Florida Cybercrimes unit have their own MySpace page. They may quickly see how ludicrous this whole thing is.
Alex Eckelberry
My earlier blog post about the growth of malware has been getting some attention.
There’s a slight clarification needed, which Andreas just pointed out to me:
Could you please change the wording slightly to point out that the numbers are *not* cumulative, but that we’re speaking only about the *new* variants per year, without including the previous numbers?
Again, the numbers are not cumulative… I’ll update the original post.
Alex
If you haven’t gotten an invitation to join NotchUp lately, you’re probably in the minority. One person on a list I’m part of has counted 17 invitations in the past 14 hours. I’ve gotten a few.
Curious, I decided to see how the sign-up process goes, to see if it’s spamming your address book (I was silently praying that my address book wasn’t going to get spammed, but hoped my friends would forgive me in the interest of research).
Well, there’s no outright spamming going on that I can see. You get through a few screens, and then you’re given the option to import your LinkedIn profile. I did that, and it offered to bring in my LinkedIn contacts. I did that too, and got the screen below (the incentive to invite contacts is a 10% referral fee).
As you can see, while your contacts are opted in by default, it’s quite easy to deselect them, or press Cancel. I made sure to deselect the contacts, pressed Cancel and no one from my list was sent an invitation (however, I can see how someone could accidentally invite friends).
As social networking grows, we’re all going to get a lot more invites, notifications and other Bacn. But when it comes to your friends, take extra care to think if they would actually like to get such an email or not.
At any rate, expect to see a lot more of these NotchUp spams over the next week.
Alex Eckelberry
Earlier this week, Lavasoft confirmed in a lengthy post that it is in negotiations with IAC to bundle the Ask Toolbar. The rationalization for Lavasoft is that by doing this bundle, they have the opportunity to work with IAC in making real change in toolbar distribution. This would ostensibly benefit the community.
I have no beef with Lavasoft. Pre-CounterSpy, I used AdAware to remove infections from systems, and recognize and respect them for their tremendous contributions to making the Internet safer. Lavasoft’s CTO, Joe Wells, is also a good friend who used to work for us in developing our antivirus technology. I even enjoyed a good evening of jazz at Vienna’s Birdland not too far back with Lavasoft folks, and I’m generally biased positively toward Scandinavians in general, having been brought up in that part of the world.
Nevertheless, IAC is a company with a past (and spyware expert Ben Edelman adds some additional thoughts on their current status). I have written about my thoughts previously, so it’s not worth re-hashing.
In my view, there is only one reason to bundle a toolbar, and that’s for money. Getting into bed with someone in the hopes of making them more moral… I’m not so sure. So to my friends at Lavasoft — please don’t take offense. I’ve been outspoken on this issue and I’m more than willing to hear more of your side of the story.
Readers — your comments are welcome.
Alex Eckelberry
Interesting data from Andreas Marx at AV-Test.org. This chart shows the growth of unique samples (by MD5) per year.
(Data below):
Year # of unique samples (MD5)
1985 564
1986 910
1987 389
1988 1,738
1989 2,604
1990 9,044
1991 18,384
1992 36,822
1993 12,287
1994 28,613
1995 15,988
1996 36,816
1997 137,716
1998 177,615
1999 98,428
2000 176,329
2001 155,528
2002 199,049
2003 178,825
2004 142,321
2005 333,425
2006 972,606
2007 5,490,960
It’s worth noting that these numbers are also increasing because of variants — i.e. the same Trojan will be changed sometimes hourly or daily just to try and fool the scanners. So it’s not like there’s over 5 million unique pieces of malware. There are many that are variants of the same piece of malware.
Nevertheless, this is a good representation of the staggering load of malware that anti-malware folks are under. Like most companies, we’re processing gigabytes of malware daily. Our automated systems like our Sandbox help; but in the end, manpower plays a key role in being ahead of the game. There’s the HUMINT aspect, like hunting down new malware and tracking IPs and locations of the bad guys; but also reverse engineering and specialized code and signatures created for difficult malware. And, there’s difficult coding needed to deal with rootkits and the like.
It’s why being a security company (especially in AV or antispyware) these days is a whole new game. No longer can a company compete with a few folks in the lab and a group of good programmers. They’re out there: Little companies with small teams working an antispyware or antivirus product, but it’s hopeless. A small platoon won’t win this war. You need a brigade.
Alex Eckelberry
Update: Just to make sure everyone understands, these numbers are not cumulative.
Some complained about the PDFs in yesterday’s blog post. I’ve gone ahead and posted the results of Andreas Marx’s testing in XLS format, here.
If I have time, I may do further analysis.
Alex Eckelberry
As always, good stuff from Andreas Marx of Av-Test.org:
We have just finished a new comparison test of AV software. All products (in the “best” available Security Suite edition) were last updated on January 7, 2008 and tested on Windows XP SP2 (English).
First, we checked the signature-based on-demand detection of all products against more than 1 million samples we’ve found spreading or which were distributed during the last six months (this means we have not used any “historic” samples). We included all malware categories in the test: Trojan horses, backdoors, bots, worms and viruses. Instead of just presenting the results, we have ranked the products this time, from “very good” (++) if the scanner detected more than 98% of the samples to “poor” (–) when less than 85% of the malware was detected.
Secondly, we checked the number of false positives the products generated during a scan of 65,000 known clean files. Only products with no false positives received a “very good” (++) rating.
In the case of the proactive detection category, we have not only focused on signature- and heuristic-based proactive detection (based on a retrospective test approach with a one-week-old scanner).
Instead of this, we also checked the quality of the included behavior based guard (e.g. Deepguard in case of F-Secure and TruPrevent in case of Panda). We used 3,500 samples for the retrospective test as well as 20 active samples for the test of the “Dynamic Detection” (and blocking) of malware.
Furthermore, we checked how long AV companies usually need to react in case of new, widespread malware (read: outbreaks), based on 55 different samples from the entire year 2007. “Very good” (++) AV product developers should be able to react within less than two hours.
Another interesting test was the detection of active rootkit samples. While it’s trivial for a scanner to detect inactive rootkits using a signature, it can be really tricky to detect this nasty malware when they are active and hidden. We checked the scanner’s detection against 12 active rootkits.
Having such a multi-faceted test methodology is important — an antivirus engine could, for example, have extraordinarily high detection, but high false positives. And, a retrospective test allows you to see how well an antivirus’ heuristics work. It’s good to look at all the parameters in order to judge efficacy.
I’ve put the test results into PDF. You can see the main results here and the details of the test of signature detection here.
Alex Eckelberry
A fake MS update spam seen in the wild today.
Payload is IRC.Backdoor.Trojan (VT results here).
Alex Eckelberry
Good tips from Matt Cutts:
Here are three easy but important ways to protect yourself if you run a WordPress blog:
- Secure your /wp-admin/ directory. What I’ve done is lock down /wp-admin/ so that only certain IP addresses can access that directory. I use an .htaccess file, which you can place directly at /wp-admin/.htaccess . This is what mine looks like:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist home IP address
allow from 64.233.169.99
# whitelist work IP address
allow from 69.147.114.210
allow from 199.239.136.200
# IP while in Kentucky; delete when back
allow from 128.163.2.27
</LIMIT>
I’ve changed the IP addresses, but otherwise that’s what I use. This file says that the IP address 64.233.169.99 (and the other IP addresses that I’ve whitelisted) are allowed to access /wp-admin/, but all other IP addresses are denied access. Has this saved me from being hacked before? Yes.
More here.
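One caveat a practitioner would want on the snippet above: Apache applies directives inside <Limit GET> only to GET (and HEAD) requests, so a POST to a script under /wp-admin/ from a non-whitelisted address is not denied by that file, and the Apache documentation itself steers access control away from <Limit> for exactly this reason. Two further things the file cannot do: wp-login.php lives in the WordPress root, not under /wp-admin/, so this does nothing against login brute-forcing, and the Auth* lines enforce nothing without a Require directive. The version below is an added example, not Matt Cutts’ file; it keeps the quote’s placeholder addresses and Apache 2.2 syntax and drops the <Limit> wrapper so the deny applies to every method.

```apacheconf
# /wp-admin/.htaccess (added example, Apache 2.2 directives as in the quote).
# No <Limit GET> wrapper: these rules now apply to every request method,
# POST included, which is what "all other IP addresses are denied" requires.
Order deny,allow
Deny from all
# whitelist home IP address
Allow from 64.233.169.99
# whitelist work IP addresses
Allow from 69.147.114.210
Allow from 199.239.136.200

# Apache 2.4 equivalent (mod_authz_core), for servers without mod_access_compat:
# Require ip 64.233.169.99 69.147.114.210 199.239.136.200
```

Verify it the way an attacker would, not just from the browser: an `HTTP POST` from a non-whitelisted address to any file under /wp-admin/ should come back 403, the same as a GET.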
Alex Eckelberry
Got this note from a technology-savvy and faithful blog reader. Even he got nailed with this.
No matter how careful one is, it can still happen. Somehow, someone got my debit/Visa card info and placed a small $11.89 charge against my account. I check my account on a regular basis, and while small, it still grabbed my attention. I almost said to myself that perhaps I bought something and forgot about it. The name of the company stood out though: “Infinity and Sons” with a GA id and phone #.
So I checked out Infinity and Sons in my Yahoo search and found a lot of references to some song lyrics. But in there, there were two listings under “WhoCalledMe” and “800Notes”. On both of those they mention the company in conjunction with unknown charges on people’s accounts. In one forum there was a post by “MGD” which referred to articles on DSLreports. I went and investigated that and was astounded at what I found. This is a small part of a Web Templates fraud that appears to go back to Russia through several money laundering banks.
This person “MGD” has done some in-depth research into this. I found it interesting reading. Of course I called my bank and told them of the charge and then of what I found out. The fraud division was interested in my minimal research and I got them the following links. They are refunding me the charge and are replacing my card. The pure inconvenience of having to carry cash with me while I wait for my card is annoying, but it is for my protection mostly, and I do have my wife’s card that I can at least use at the ATM.
The main article is here, and the part that lists Infinity and Sons is here.
There are several long pages, but I really wonder how many of these that they get away with. There are also some case histories that show where even the people that run these ‘template’ websites are being duped as well.
Maybe you know of this, but I was amazed at the organization and complexity of this and that it just keeps on growing.
Very interesting. Any other tales out there about this outfit?
Alex Eckelberry
Faithful readers will recall a Trojan that had a pay-by-phone extortion scheme.
The payment processor sent me this yesterday:
I have just found your blog entry about our company being involved in pay-by-phone extortion.
I can say that this is clearly against any terms we have with our merchants that use our convenient phone billing option for accepting online payments.
We were not aware of these issues as described in your blog, nor did we receive complaints about this from customers using our payment service.
I guess they thought this was pretty pointless.
I wish we had caught this sooner. We have instantly blocked any visitors directed to our payment platform from this merchant; furthermore, we have requested the online payment service that was used to pay this merchant to block his accounts, and we are looking into what legal procedures we can follow regarding his actions, although that is a very difficult path to follow.
I have attached a screen shot from the merchant site showing his account is terminated, in case we have been replaced already if you go back to check.
As you may understand, this blog entry you have on your website is very damaging toward our company. Our goal is to provide a convenient method of paying for all the people who do not have a credit card but wish to be able to shop online as well. Would there be any chance you could either update or remove your blog entry with the latest details I just provided you?
If you have any questions I will be happy to answer them all.
Best Regards,
Pin 2 Enter
It appears that the payment processor is correct, and that the payment scheme is no longer in effect. However, if any security researchers out there see otherwise, let me know. We were seeing the payment scheme off the site backdoor-guard com.
Alex Eckelberry
“Ever been prosecuted for tracking spam? Running a traceroute? Doing a zone transfer? Asking a public internet server for public information that it is configured to provide upon demand?
No? Well, David Ritz has. And amazingly, he lost the case.
Here are just a few of the gems that the court has the audacity to call ”conclusions of law.” Read them while you go donate to David’s legal defense fund. He got screwed here, folks, and needs your help.
“Ritz’s behavior in conducting a zone transfer was unauthorized within the meaning of the North Dakota Computer Crime Law.” You might not know what a zone transfer is, but I do. It’s asking a DNS server for all the particular public info it provides about a given domain. This is a common task performed by system administrators for many purposes. The judge is saying that DNS zone transfers are now illegal in North Dakota.”
Link here (via Technocrat).
Alex Eckelberry
A brand new rogue.
Home page:
Typical fake dialog box:
Fake scan:
Application:
This program creates fake “infection files.” These files are placed into the Documents and Settings\UserAcct\Local Settings\Temp directory (list here). Here is an example of what is actually inside one of these fake files:
Payment is done through Bucksbill:
Alex Eckelberry
(Credit to Bharath and Patrick Jordan)