More on FamilyGuyx turning down Zango…

Earlier today, we blogged that Familyguyx.net had self-righteously turned down Zango. To quote them:

Lot of updates coming up in March. – 2/20/2008
It looks like we are tagged as harmful website by Google. 70% of our traffic comes from direct visits and not from Google. Hopefully things clear up in the coming week.

Another news is that Zango wanted to pay us $500/day to run their software ads (we make a lot running their affiliate program $1/install), but we refused because we know it will degrade our website’s experience. We can be making $8000/day just from Zango but we refuse to do so! We are not joking, FGX receives 80,000 unique visitors a day and each install is $1. At 10% conversion, we can make $8000/day. We have even disabled all Zango ads from displaying from our ads providers. In one month, we can be making $xxx,xxx, but money is not everything. We hate to see people’s computers infested with spywares and adwares.

We are doing a complete redesign of the website. The new layout will promise to be kickass and the comment system will be upgraded to prevent people from spamming. There will also be a member system where everyone can contribute their family guy arts, reviews, writings, etc… Also the video system will also be changed to something more appropriate.

Well, upon some further research, it turns out that they are actually advertising Zango RIGHT NOW.

So I do hope they deliver on that promise to stop advertising Zango in March…

[Images: Zango ad screenshots]

Sheesh.

Alex Eckelberry
(Thanks Adam)

Publisher says no to Zango

familyguyx.net:

Another news is that Zango wanted to pay us $500/day to run their software ads (we make a lot running their affiliate program $1/install), but we refused because we know it will degrade our website’s experience. We can be making $8000/day just from Zango but we refuse to do so! We are not joking, FGX receives 80,000 unique visitors a day and each install is $1. At 10% conversion, we can make $8000/day. We have even disabled all Zango ads from displaying from our ads providers. In one month, we can be making $xxx,xxx, but money is not everything. We hate to see people’s computers infested with spywares and adwares.

Link here.

Alex Eckelberry
(Thanks Chris)

Red Hat legal argument on tenuous ground?

Readwriteweb has a story today on Red Hat sending a cease and desist letter to DataPortability.org over their use of an “infinity” logo.

Here’s the DataPortability logo:

[Image: DataPortability logo]

And here’s the Fedora logo:

[Image: Fedora logo]

Except I suspect they’re all on weak ground, because Dataproducts, a company that has been around for a long time, has been using a similar logo for years:

[Image: Dataproducts logo]

(Dataproducts was actually a customer of mine back in the mid-eighties, and the lead engineer on our Ninja product used to work for them. While they are not widely known, they made printers for mainframes, and apparently now they’re in the business of ink refills.)

Alex Eckelberry

Nautica Apparel website hacked

The Taiwanese version of the Nautica Apparel, Inc. website has been compromised and is being used to install several pieces of malware onto victims' computers.

A spam wave is under way that attempts to lure potential victims to the site by offering a link to view a video of, err, “Paris”. A portion of the subject had to be removed since it is highly offensive:

[Image: spam message]

Clicking through on the link leads you to the compromised site, on which the attackers are using the Neosploit exploit kit (visible in the picture below) to install several pieces of malware, including a variant of the dangerous spam-spewing malware Trojan.Srizbi.

[Image: Neosploit exploit kit on the compromised site]

DO NOT visit the aforementioned website as it is currently infected.

Adam Thomas

Incredible — C-NetMedia still continues its grossly deceptive practices

It was last week, on the 14th, that Ben Edelman showed that C-NetMedia (not to be confused with CNET) was using highly deceptive advertising to lure people to its sites.

It’s still going on, despite press on the matter.

This morning, a search for SpyBot again shows C-NetMedia trying to trick people into thinking their site (spywarebot.com) is Spybot’s:

[Image: search results for SpyBot]

It’s just as bad on Yahoo, which skews toward a demographic that is arguably not as computer savvy as Google’s (providing a potentially better opportunity for deception).

[Image: Yahoo search results for SpyBot]

And a search for Ad-Aware still has their ad for adwarealert.com. HIGHLY deceptive.

[Image: search results for Ad-Aware]

(And we all know that many people will click on the first result, not fully understanding that it’s a sponsored link.)

Then, look what these crooks are doing with Microsoft Antispyware (antispyware.com):

[Image: Microsoft Antispyware (antispyware.com)]

And that site, incidentally, sure looks like Microsoft’s site, as Ben Edelman pointed out:

[Image: antispyware.com site]

(Image credit: Ben Edelman)

I’m sure there’s more, this is all I have time for right now.

I’m afraid it’s going to take the FTC to handle this one. Apparently the search engines aren’t self-policing on this one.

Alex Eckelberry

New tool for analyzing potentially malicious swf files

Interesting and potentially useful.

Some more info here:

Using the Erlang bit syntax it’s an easy task to unpack the tags of an SWF file. With this thought in mind erlswf has been specifically designed to analyse SWF Tags and ActionScript ByteCode for security issues such as the previously mentioned oversized branch offset or pattern matching against URLs loaded during runtime. The toolkit could also be used to implement a transparent proxy filter for exchanging pictures inside Flash files on the fly. Or if you had no choice but to accept prebuilt SWFs from a third party (e.g. ad hosters), it would still be possible to check for arbitrary conditions or restrictions respectively prior to delivery.

The other pure Erlang SWF library eswf places emphasis on SWF construction and related data formats (AMF, ABC).

Source code is available on Google Code, here (thanks, fukami).

Alex Eckelberry
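
The kind of tag-level check the quoted description refers to, as an added example in Python rather than Erlang (it is not erlswf code and does not use its API). It assumes "oversized branch offset" means an ActionJump or ActionIf inside a DoAction tag whose target falls outside its own action block; the function names and the sample file are constructed for illustration.

```python
import struct
import zlib

DO_ACTION, ACTION_JUMP, ACTION_IF = 12, 0x99, 0x9D

def swf_tags(data):
    """Yield (tag_code, tag_body); ValueError/struct.error on malformed input."""
    body = zlib.decompress(data[8:]) if data[:3] == b"CWS" else data[8:]
    if data[:3] not in (b"FWS", b"CWS") or not body:
        raise ValueError("not an SWF file, or empty body")
    nbits = body[0] >> 3                      # RECT: 5-bit width, then 4 fields
    pos = (5 + 4 * nbits + 7) // 8 + 4        # skip RECT, frame rate, frame count
    while pos + 2 <= len(body):
        (hdr,) = struct.unpack_from("<H", body, pos)
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:                    # long form: 32-bit length follows
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        if pos + length > len(body):
            raise ValueError(f"tag {code} claims {length} bytes past end of data")
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                         # End tag
            return

def bad_branches(actions):
    """List (offset, opcode, target) for branches that leave the action block."""
    findings, pos = [], 0
    while pos < len(actions) and actions[pos] != 0:
        start, op, length, pos = pos, actions[pos], 0, pos + 1
        if op >= 0x80:                        # long action: 16-bit payload length
            length = int.from_bytes(actions[pos:pos + 2], "little")
            pos += 2
        if op in (ACTION_JUMP, ACTION_IF) and length == 2 and pos + 2 <= len(actions):
            (rel,) = struct.unpack_from("<h", actions, pos)
            target = pos + 2 + rel            # offset is relative to the next action
            if not 0 <= target < len(actions):
                findings.append((start, op, target))
        pos += length
    return findings

def scan(data):
    return [f for c, b in swf_tags(data) if c == DO_ACTION for f in bad_branches(b)]

def sample_swf(rel):
    """Constructed sample: one DoAction tag holding a single ActionJump."""
    acts = bytes([ACTION_JUMP, 2, 0]) + struct.pack("<h", rel) + b"\x00"
    tags = struct.pack("<H", DO_ACTION << 6 | len(acts)) + acts + b"\x00\x00"
    return b"FWS\x08" + struct.pack("<I", 13 + len(tags)) + b"\x00\x00\x0c\x01\x00" + tags
```

`scan()` returns an empty list for a file whose branches stay inside their action blocks, so it can gate third-party SWFs before delivery in the way the description suggests.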

Paul Graham on trolls

Always great reading Paul’s essays…

There’s a sort of Gresham’s Law of trolls: trolls are willing to use a forum with a lot of thoughtful people in it, but thoughtful people aren’t willing to use a forum with a lot of trolls in it. Which means that once trolling takes hold, it tends to become the dominant culture. That had already happened to Slashdot and Digg by the time I paid attention to comment threads there, but I watched it happen to Reddit.

Link here (and an explanation of Gresham’s Law here, in case you’re unfamiliar with it).

Alex Eckelberry

Dangerous new fake American Greetings spam

Clicking on the spammed link takes you to a page that tells you that you need to update your Flash player to view the card.

However, the cab file that downloads is actually malicious and installs a variant of Small.lu (aka ntos or Monster Trojan). This is a very nasty data-stealing trojan. In fact, it’s an even more dangerous variant of Small.lu as it is using a rootkit to hide.

[Image: e-card spam]

The American Greetings page is convincing, and the ActiveX install is signed.

[Images: American Greetings page]

Very poor detection (4 out of 32 scanners) of the cab file itself (VT result here), and poor detection (5 out of 32 scanners) of the actual binary, “update.exe” (VT result here). (We will have detection in CounterSpy for this Trojan in short order.)

Alex Eckelberry
(Thanks Adam)

Free admin tool

Our good friends over at Dorian Software are making version 6 of their UltraAdmin tool free.

From Dorian’s blog:

As promised, version 6 of UltraAdmin® is now available for download from the Dorian Software website. This version is being made available at no charge to any network administrator who wishes to use it. For those organizations and individuals that need priority support for the product, you can purchase it here.

You can see a list of UltraAdmin’s features here.

Alex Eckelberry

One more attack on the privacy and freedoms of Americans

Ok, here come the letters and comments from angry fellow bloggers and readers.

Whatever. I have to call it like I see it.

Yesterday was a pretty bad day for the Bill of Rights. 68 Senators voted to pass S. 2248, a new law designed to replace the so-called “Protect America Act.”

  • It permits the President to spy on Americans without a warrant.
  • It grants retroactive immunity to telecommunications companies that collaborated with the Bush administration in previous warrantless spying, thereby creating an incentive for other companies to engage in similar crimes in the future (only Qwest Communications insisted on warrants).

Not a good day for the Constitution.

But that’s ok, American Idol is announcing their Top 24 tonight!

Alex Eckelberry

Ok, this feels odd: In praise of the MySpace abuse team

It seems that when I report an abuse to abuse@myspace.com, something actually happens. (We’ve all learned to practically give up on abuse mailboxes. Yes, you have to report to them, but you also have to usually do all kinds of other things to get the offending party terminated).

I first learned about MySpace’s generic abuse mailbox when I was posting a while back on a private security forum, looking for takedown assistance. A fellow list member emailed me directly that he’d had (surprisingly) good success with it.

A bit skeptical, I started using that address and was surprised at the response time. This morning, for example, I reported three bad pages to MySpace at 11:18 am EDT. A bit more than 2 hours later, at 1:32 pm EDT, I got a report back from the abuse team that the pages had been taken down.

So while MySpace gets beaten up regularly, I have to admit — their abuse team is responsive.

Alex Eckelberry
(and if your experiences are otherwise, drop a comment)

Adobe PDF exploit

We are seeing users get infected with Trojan.Zonebac, which can only mean successful exploitation by one of the current Adobe PDF vulnerabilities (we know of at least one vulnerability that is apparently being used in malicious banner advertisements). It’s likely not epidemic, but there has been an uptick.

Unlike earlier reports, this issue is now known to affect practically the entire population of Adobe users who aren’t running version 8.1.2. The following list from our friends at Symantec’s Deepsight is elucidating:

Vulnerable Systems
Adobe Acrobat 3D
Adobe Acrobat Professional 7.0.0
Adobe Acrobat Professional 7.0.1
Adobe Acrobat Professional 7.0.2
Adobe Acrobat Professional 7.0.3
Adobe Acrobat Professional 7.0.4
Adobe Acrobat Professional 7.0.5
Adobe Acrobat Professional 7.0.6
Adobe Acrobat Professional 7.0.7
Adobe Acrobat Professional 7.0.8
Adobe Acrobat Professional 8.0
Adobe Acrobat Professional 8.1
Adobe Acrobat Professional 8.1.1
Adobe Acrobat Reader 3.0.0
Adobe Acrobat Reader 4.0.0
Adobe Acrobat Reader 4.0.0 5
Adobe Acrobat Reader 4.0.0 5c
Adobe Acrobat Reader 4.0.5 A
Adobe Acrobat Reader 5.0.0
Adobe Acrobat Reader 5.0.10
Adobe Acrobat Reader 5.0.5
Adobe Acrobat Reader 5.1.0
Adobe Acrobat Reader 6.0.0
Adobe Acrobat Reader 6.0.1
Adobe Acrobat Reader 6.0.2
Adobe Acrobat Reader 6.0.3
Adobe Acrobat Reader 6.0.4
Adobe Acrobat Reader 7.0.0
Adobe Acrobat Reader 7.0.1
Adobe Acrobat Reader 7.0.2
Adobe Acrobat Reader 7.0.3
Adobe Acrobat Reader 7.0.4
Adobe Acrobat Reader 7.0.5
Adobe Acrobat Reader 7.0.6
Adobe Acrobat Reader 7.0.7
Adobe Acrobat Reader 7.0.8
Adobe Acrobat Reader 7.0.9
Adobe Acrobat Reader 8.0
Adobe Acrobat Reader 8.1
Adobe Acrobat Reader 8.1.1
Adobe Acrobat Standard 8.1.1

Non-Vulnerable Systems
Adobe Acrobat Professional 8.1.2
Adobe Acrobat Reader 8.1.2
Adobe Acrobat Standard 8.1.2

The one exploit we believe to be used in banner ads is a very nasty one, which provides a wide open path to install the trojan on a user’s PC. Plenty of people have already reported on this thing, so I won’t bother to rehash what’s already out there.

But my advice is to update Adobe URGENTLY. Or get the Foxit reader. This is a serious issue.

Alex Eckelberry