New Pandex campaign (repost due to earlier post being borked)

Not major news, but there’s a new Pandex campaign going around (Pandex is a trojan that turns your machine into a spam zombie).

Typical spam email looks like this:

[Image: sample Pandex spam email]

(Image thumbnailed due to offensive content.)

The URL typically points to a compromised site hosting the trojan. The trojan has also been observed as an attachment to the same email.

Antivirus detection is fairly weak on at least one of the samples we checked (one sample: VT and sandbox report).

Alex Eckelberry

Why you beta test

As chaos broke out at Heathrow Terminal Five, BA bosses were throwing a party to congratulate themselves on a job well done.

A free buffet, doughnuts and soft drinks were laid on at the T5 Celebration Party as BA managers enjoyed music from a string quartet. Staff were also given boxes of chocolates and commemorative T5 pens.

Meanwhile the new terminal was in meltdown with flights cancelled, bags lost and staff unable to find parking spaces.

And as thousands of passengers faced misery, BA Chief Executive Officer Willie Walsh gave a speech at the party thanking his team for their good work.

Link here.

Alex Eckelberry
(hat tip)

Massive iFrame continues to hit top sites

Wow.

…the campaign is still up and running, poisoning what looks like over a million search queries with loadable IFRAMES, whose loading state entirely relies on the site’s web application security practices – or the lack of…

And…

USAToday.com, ABCNews.com, News.com, Target.com, Packard Bell.com, Walmart.com, Rediff.com, MiamiHerald.com, Bloomingdales.com, PatentStorm.us, WebShots.com, Sears.com, Forbes.com, Ugo.com, Bartleby.com, Linkedwords.com, Circuitcity.com, Allwords.com, Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu, boisestate.edu.

Link here.

Alex Eckelberry
(Thanks Francesco)

Loose apps sink ships

Interesting article about which apps cause crashes in Vista.

Microsoft (NSDQ: MSFT) wields incredible power in the computer industry. Still, when it comes to the image of its flagship operating systems, it is greatly at the mercy of third-party software developers. When users sit down to use Windows, the code written by Microsoft sometimes doesn’t matter as much as the bugs left behind in poorly written applications and drivers. If a crash does happen, the average user is more likely to blame “that crummy Windows” than to figure out it’s a bug with a device driver.

We rarely get to hear Microsoft’s side of the story on this; it doesn’t want to publicly berate partners about software quality. Occasionally, though, some unvarnished truth gets through. For example, the folks at Ars Technica have been digging around in the Microsoft e-mails released as part of the “Vista Capable” lawsuit. Those e-mails had some revealing information about the causes of Vista woes.

According to the Microsoft e-mails, Nvidia’s drivers alone caused 28.8% of the crashes seen in Vista during the report period. (The report says only that it covers 2007, but it likely does not cover the entire year.) Microsoft drivers come in second at 17.9%, ATI is third with 9.3%, and Intel takes fourth place with 8.8%. Webroot Software, makers of an anti-spyware application, was next with 2.9%. All the other drivers, from hundreds of companies listed on the report, plus “Unknown”, make up the other 32.3% of the crashes.

Link here.

Alex Eckelberry

Google adwords phishing

[Image: Google AdWords phishing email]

Here’s a new one: Google AdWords phishing.

According to the folks over at CSIS, the email reads like this:

Dear Google AdWords Customer!

In order to update your billing information, please sign in to your AdWords account at https://adwords.google.com, and submit your billing information. Your account will be reactivated as soon as you have entered your payment details. Your ads will show immediately if you decide to pay for clicks via credit or debit card. If you decide to pay by direct debit, we may need to receive your signed debit authorization before your ads start running, depending on your location. If you choose bank transfer, your ads will show as soon as we receive your first payment. (Payment options vary by location.)

Thank you for choosing AdWords. We look forward to providing you with the most effective advertising available.

Sincerely,

The Google AdWords Team

More here (no, it’s not transliterated Klingon, it’s Danish). CSIS says these are all fast-flux on Chinese domains.

Alex Eckelberry
(Additional thanks to Mike at Shadowserver)

Various new rogue antispyware programs

[Image: logos of the rogue antispyware products listed below]

Just for grins and giggles, here are some new rogue security products designed to extort money from you.

March:

unigray(dot)com
spymaxx(dot)com
spywatche(dot)com
pcprivacytool(dot)com
thelastdefender(dot)com
thespybot(dot)com
spywareisolator(dot)com
pc-cleaner(dot)com
pc-antispyware(dot)com
MalwareWar(dot)com
DataHealer(dot)com
 
These can all be removed with the free trial version of CounterSpy.

Alex Eckelberry
(Credits:  Patrick Jordan, Bharath)

Unconfirmed: Facebook accounts hacked to show sick images?

Still trying to get my mind around this one:

…one of my close contacts has confirmed there is someone going around either hijacking, hacking or phishing user accounts on Facebook, then randomly uploading pictures of child torture to their funwall…

So far, I have one definite confirm on at least two accounts that were taken over (most likely by the same individual), one of which had the child torture pictures uploaded to it and the other – well, it wasn’t child torture but it nearly cost someone their marriage, according to my friend.

Link here.

Paperghost (the author) just updated me with this:

apparently the pics were placed on the hacked accounts’ funwall, which of course means anyone would see the pics simply by visiting the profile, instead of having to navigate to the albums

So far, no confirmation or screen shots.

If true, this is very messed up.

Alex Eckelberry

Sony chops crapware charge

Follow-up to my previous blog entry:

In what must be the fastest turnaround in corporate history, Abary told me that the $49.99 charge is dead. “We didn’t intend that to happen,” he said, blaming the snafu on an internal miscommunication. “We’re removing the $49 charge,” he told me. Beginning this spring and rolling out to all products through the end of the year, there will be no charge to order a custom-configured Sony VAIO computer, and you will be able to opt out of every trialware application, without exceptions.

Link here.

Good for them.

(Now, see if you can say this post’s headline 10 times perfectly.)

Alex Eckelberry
(Thanks Angus)

Seen in the wild: New scam pretends to be Google

No news in having another trojan doing the usual hosts-file redirects, but in this case we found the use of Google’s name mildly interesting: a new variant of Trojan.Delf from the Loads.cc gang changes your hosts file so that Google’s country domains resolve to a fake Google page. The fake Google page pushes SpywareIsolator, a rogue antispyware program.

O1 – Hosts: 124(dot)217(dot)251(dot)147 google.dk
O1 – Hosts: 124(dot)217(dot)251(dot)147 google.se
O1 – Hosts: 124(dot)217(dot)251(dot)147 google.co.nz

and so on…
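The HijackThis O1 lines above are the tell-tale of this trojan. As an added example (not the original post’s or Sunbelt’s code), here is a small checker that parses a hosts file (or pasted HijackThis O1 lines), ignores the common benign case of domains sinkholed to loopback or unroutable addresses, and flags watched domains pointed at a routable IP. The watched-domain patterns and the sample hosts text are assumptions constructed for the demo; only the 124.217.251.147 lines mirror the post.

```python
"""Flag hosts-file entries that hijack well-known domains (added example, not the post's code)."""
import ipaddress
import re

# Domain patterns whose override in the hosts file is almost never legitimate.
# Assumption: tune these to your own environment.
WATCHED = [
    re.compile(r"^(www\.)?google\.[a-z]{2,3}(\.[a-z]{2})?$"),   # google.dk, google.co.nz, ...
    re.compile(r"(^|\.)windowsupdate\.com$"),
    re.compile(r"(^|\.)microsoft\.com$"),
]

# HijackThis prints hosts entries as "O1 - Hosts: <ip> <name>"; accept that form too.
HJT_PREFIX = re.compile(r"^O1\s*[-\u2013]\s*Hosts:\s*", re.I)


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = HJT_PREFIX.sub("", raw.split("#", 1)[0].strip())
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower().rstrip(".")


def is_sinkhole(ip):
    """True for loopback/unspecified/private/link-local targets: the benign ad-blocking case."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified or addr.is_private or addr.is_link_local


def suspicious_entries(text):
    """Return (hostname, ip) for every watched domain pointed at a routable address."""
    hits = []
    for ip, name in parse_hosts(text):
        if is_sinkhole(ip):
            continue
        if any(p.search(name) for p in WATCHED):
            hits.append((name, ip))
    return hits


# Constructed sample, not a real hosts file; the 124.217.251.147 lines mirror the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net          # ad-block style entry, harmless
O1 - Hosts: 124.217.251.147 google.dk
124.217.251.147 google.se www.google.se
124.217.251.147 google.co.nz
"""

if __name__ == "__main__":
    for name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"HIJACKED {name} -> {ip}")
```

On a live box, feed it the contents of %SystemRoot%\system32\drivers\etc\hosts; anything it prints for a Google or Microsoft domain is worth treating as an infection indicator rather than a configuration choice.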

[Image: fake Google page pushing a "scanner"]

Resulting infection if one follows the suggestion above:

[Image: SpywareIsolator rogue antispyware]

Alex Eckelberry
(Thanks Patrick Jordan)

$50 bucks to get a crap-free computer from Sony

Sony launches a new option that gives you a $50 discount on your purchase if you let them crapify it. On Engadget, here.

In other words, they’re charging $50 to not crapify your computer.

I have a Vaio and actually really like Sony product. However, someone has their head screwed on backward to think this idea is going to fly. It shows such a complete disconnect from the market.

Sony got a good start appealing to enthusiasts, with beautiful hardware design. But I can only imagine some freshly-minted MBA product manager coming up with this brilliant idea to “monetize” crapware. I hope that same bozo who thought up this absurd idea will be so fired.

Of course, there’s always the free PC Decrapifier. But that doesn’t beat a clean machine to start.

[Image: Sony "Fresh Start" option]

Alex Eckelberry
(Thanks Robert)

Friends infect friends with this new instant messenger worm

A relatively new naughty little worm courtesy of Seedcorn Advertising (IM-Worm.TopInstalls.A) does nothing noticeable upon infection, but if you’ve got ICQ, Yahoo IM, AIM or MSN Messenger, it automatically sends all of your buddies a link to an installer for a full infestation of bundled adware/malware from our dear friends at.

Example:

[Image: IM message sent by the worm]

Alex Eckelberry
(Thanks, Patrick Jordan)

On Spitzer

So Spitzer did some naughty stuff and got caught.

Sad, pathetic, and stupid.

I’m not a big Spitzer fan boy. I’m disturbed at the “take no prisoners” actions that occurred on Wall Street. Yes, there were real problems and illegalities there that needed fixing, but one could argue that some bad may have actually come of it.

However, there are a couple of comments I’ll add to the general melee over his resignation:

1. He was the first AG to go after adware companies, serving as an inspiration to other law-enforcement agencies (including the FTC). One could argue that the work behind this was Justin Brookman’s (Brookman worked for Spitzer as an Assistant AG), but needless to say, Spitzer was the boss in charge.

In the same vein, his agency provided wonderful fodder for this blog with published internal paperwork and emails showing criminal acts by Direct Revenue.

The work he did in this area (and Brookman’s) is commendable.

2. A critical and potentially very scary back-story may be that, as USC professor Jon Taplin alleges, this is the first big public example of NSA’s domestic wiretapping program.

From a WSJ article on this program (via Taplin):

The central role the NSA has come to occupy in domestic intelligence gathering has never been publicly disclosed. But an inquiry reveals that its efforts have evolved to reach more broadly into data about people’s communications, travel and finances in the U.S. than the domestic surveillance programs brought to light since the 2001 terrorist attacks.

Alex Eckelberry

The cost of security: 7 years of spending by the DHS

There’s an interesting paper out by Veronique De Rugy of George Mason University, with some disturbing statistics as to how much money we’re spending right now as a nation on security. This does not include DOD spending, just the Department of Homeland Security:

TSA will receive $7.1 billion this year, most of which it will spend on screeners at all US airports. However, the probability of attacks in the style of 9/11 dropped close to zero in the few months after the attacks when airlines installed—at relatively low cost—simple cockpit barricades. In theory then, another 9/11 type of attack cannot happen. Since September 2001, however, screening every bag of every airline passenger to prevent another 9/11 type of attack will cost taxpayers over $34 billion by the end of FY2009. Furthermore, screening checked bags does not necessarily reduce the probability of the destruction of airplanes since screeners do not systematically check carry-on bags, air freight, or people for explosives.

This year CBP officers processed over 422.9 million individuals at the ports and found 209,000 aliens to be inadmissible. As this number represents 0.05 percent of all the people being processed, it means that the cost of stopping one person at the border is enormous. While the cost might be worth it, DHS makes no attempt to measure the performance of this program and determine whether it is giving Americans an efficient use of their homeland security dollars.

and

…The absence of any further attacks on American soil does not necessarily mean that the country’s security has significantly improved. It could just mean that we have not been attacked. Unfortunately, many studies have shown that the government is using a substantial portion of new homeland security spending for politically motivated items that are unlikely to have any effect on terrorism. Six years after the 9/11 attacks, homeland security contains as much pork barrel spending as any program in Congress. Both Congress and the states spend homeland security grants on pet projects that have nothing to do with homeland security. As state officials fight over who will get the biggest share of the money and Congress fights yesterday’s battles, who is planning for tomorrow?

It is extraordinary to me that Jack Welch, a revered and supremely accomplished business executive, worked very hard to effectively run a conglomerate with 50,000 employees (and it took him years to get it right). Michael Chertoff, whose management experience prior to running DHS was largely as a lawyer, is expected to run an organization with over 100,000 employees. How this can possibly run efficiently is beyond me. Furthermore, with constant fear-mongering, Congress is happy to continue funding so much waste that it would make even the most wanton and dissolute spendthrift ill.

This is just a disaster waiting to happen.

Link here (pdf).

Alex Eckelberry
(Hat tip to beSpacific)

March test results of antivirus programs are in

Andreas Marx has published a new set of tests of antivirus products.

From Andreas:

The number of unique malware samples received by AV-Test.org increased from 333,000 in 2005 to 972,000 in 2006 and reached 5,490,000 in 2007. During January and February 2008 alone we found more than 1.1 million samples spreading in the internet.

Therefore, we thought it was a good idea to start a new test of anti-malware software in order to see how well the tools are currently performing, given the masses of malware “in the wild”. All products were tested in the best available 2008 security suite editions in English language (this includes AVG Internet Security 8.0 and ESET Smart Security). The tools were last updated on March 1, 2008 and tested on Windows XP SP2 (English).

A comprehensive review should not only concentrate on detection scores of the on-demand scanner, as this would give a user only a very misleading and limited view of the product’s capabilities. When comparing the security of cars, we would not only focus on the safety belts, but also check the ABS system (anti-lock braking system), one or more airbags, crush zones, the ESP (electronic stabilization program) as well as constructional changes and many other features which make a car secure. The different detection types have to be taken together to make a valid statement about the whole detection mechanisms: neither static nor proactive detection mechanisms alone can catch all malware.

It is important to have good heuristics, generic signatures and dynamic detection and prevention in place to be able to handle new unknown malware without any updates. It is crucial to have good response times, to be able to react to new malware, when proactive mechanisms fail to detect them. It is essential to have good static detection rates, to be able to handle already known malware, even before it is executed on a system. So comparing single features makes less sense, as we should think about the fact that a user has not bought an AV product to find some viruses and report them, but he has actually bought a service to keep his system malware-free.

You also do not need to shop for a new product even if the tool you are currently using has some limitation in certain categories. For example, if you have a very fast PC, the slow-down caused by a multi-engine product might be less noticeable. If the proactive detection is not so good, you have to update your scanner more frequently and you may want to use a behavior-based product such as Norton Antibot. If your scanner is not good in catching ad- and spyware used in our test, you might consider using a dedicated anti-spyware application. If the detection of active rootkits is worse, you might want to use specialized anti-rootkit detection and removal tools like GMER. However, not all stand-alone products can work properly together, so an integrated security suite from one vendor might fit best for the users which are currently not running an anti-virus tool or want to buy a new one, as the license for the current one will expire soon.

In case of the actual testing, we first checked the signature-based on-demand detection of all products against more than 1.1 million inactive samples we’ve found spreading or which were distributed during the last two months which means, we have not used any “historic” samples. We included all malware categories in the test: Trojan Horses, backdoors, bots, worms and viruses. Instead of just presenting the results, we categorized the products this time, from “very good” (++) if the scanner detected more than 98% of the samples to “poor” (–) when less than 85% of the malware was detected. (Ed: For the US version, I have changed this to letter grades — A, B, C, etc.)

Not only malware (intentionally malicious software) poses a threat to the user; possibly unwanted applications like ad- and spyware also have to be detected. A collection of more than 80,000 inactive samples was used for this test. We used the same ranking criteria as for the malware detection rates. While we have tested security suites, we want to emphasize that free (personal) editions of AntiVir and AVG exist which offer only very limited ad- and spyware detection rates (less than 15%).

Besides, we checked the number of false positives the products generated during a scan of 100,000 known clean files. This includes common files from different Microsoft Windows and Office versions as well as other well-known products and drivers. Only suites with no false positives received a “very good” (++) rating.

All products require quite some resources (this includes, but is not limited to, memory and CPU power) on the installed system. It is important that the slow-down caused by the security suites is not too heavy, because in this case, an annoyed user might simply deactivate the virus guard and leave his system in an unprotected state. Especially products with more than one scanning engine usually perform slower than the tools with just one engine. A good trade-off between the required scanning time and the detection rates is therefore important.

In case of the proactive detection category, we have not only focused on signature- and heuristic-based proactive detection (based on a retrospective test approach with a one week old scanner). In addition to this, we also checked the quality of the included behavior based guard (e.g. Deepguard in case of F-Secure, Sonar in case of Norton/Symantec products and TruPrevent in case of Panda). We used 3,500 samples for the retrospective test as well as 20 active samples for the test of the “Dynamic Detection” (and blocking) of malware.

Furthermore, we checked how long AV companies usually need to react in case of new, widespread malware (read: outbreaks), based on 55 different samples from the entire year 2007 and 3 samples seen in 2008. “Very good” (++) AV product developers should be able to react within less than two hours and we found a reaction time of more than 8 hours unacceptable and thus, “Very poor” (–).

Another interesting test was the detection of active rootkit samples. While it is trivial for a scanner to detect inactive rootkits using a signature, it can be really tricky to detect such nasty malware when they are active and hidden. We checked the scanners’ detection against 12 active rootkits.

Detection is only one point, removal and remediation is extremely important, too. It is usually not desirable to reinstall and setup a system after an infection has been detected, since this costs time which in turn costs money. Therefore, we checked if the security software was able to scan for and remove 20 active malware samples from the system, cleaning all files (or deleting the components), repair the registry traces and undo the ‘hosts’ files changes.

In order to get a more comprehensive impression of the products, one should not only look at this test, but also compare the results of various tests and the products’ performance over time and their on-going development. We have not reviewed more “subjective” criteria like the usability, support, (online) backup features and the like. Therefore, we would suggest trying these features with a trial version, which is usually available as a web download from the vendor’s website, before buying a security suite.

I have put these on my site, in a number of different ways:

My version, which I believe is simpler for American readers, as it uses a letter grading system. Grades here, spyware/adware tests here, malware detections here (HTML). Excel spreadsheet here.

Andreas’ original spreadsheet is here.

Alex Eckelberry

Oops: Macvirus.org hosting porno malware fest

Just a bit of irony that I got today from my colleague Juha Kauppinen. Macvirus.org, a website dedicated to “keeping an eye on Mac viruses”, has had their discussion forums seeded with vast amounts of forum spam pushing various junk and lots of hardcore porn, including a number pushing malware (fake codecs).

[Images: forum spam on Macvirus.org]

Here’s one pushing fake codecs for both Mac and Windows platforms (the site serving the fake codec simply detects your user agent and delivers the appropriate malware). I picked up a couple of samples: Mac Virustotal report here, Windows Virustotal report here.
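The site serving the fake codec hands out a different file depending on the browser’s User-Agent, so a single download tells you nothing about what other visitors get. As an added example (not the post’s or Sunbelt’s code), the probe below fetches a suspect URL once per User-Agent, classifies each response by its leading bytes and reports whether the server is cloaking. The User-Agent strings are period-typical assumptions, and the fake_fetch stand-in returns constructed bytes rather than a real sample so the demo runs offline; pass the real http_fetch (or leave the default) to probe a live host.

```python
"""Detect User-Agent cloaking on a fake-codec URL (added example, not the post's code)."""
import hashlib
import urllib.request

# Assumed, period-typical User-Agent strings; adjust to whatever platforms you care about.
USER_AGENTS = {
    "windows_ie": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "mac_safari": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2; en-us) AppleWebKit/525.13 "
                  "(KHTML, like Gecko) Version/3.1 Safari/525.13",
    "linux_firefox": "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12",
}


def classify_payload(body):
    """Rough file-type guess from leading bytes: enough to tell a PE from a Mach-O from HTML."""
    if body.startswith(b"MZ"):
        return "pe"
    if body[:4] in (b"\xca\xfe\xba\xbe", b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"):
        return "mach-o"
    if body.startswith(b"PK\x03\x04"):
        return "zip"
    if b"<html" in body[:1024].lower():
        return "html"
    return "unknown"


def http_fetch(url, user_agent, timeout=15):
    """Real fetch; only used when probing a live host. Do this from an isolated box."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("Content-Type", ""), resp.read()


def probe_cloaking(url, fetch=http_fetch):
    """Fetch url once per User-Agent; return (is_cloaked, per-UA summary)."""
    summary = {}
    for label, ua in USER_AGENTS.items():
        ctype, body = fetch(url, ua)
        summary[label] = {
            "content_type": ctype,
            "kind": classify_payload(body),
            "sha1": hashlib.sha1(body).hexdigest(),
            "size": len(body),
        }
    distinct = {s["sha1"] for s in summary.values()}
    return len(distinct) > 1, summary


def fake_fetch(url, user_agent):
    """Constructed stand-in for the cloaking server: PE for Windows, Mach-O for Mac, else HTML."""
    if "Windows" in user_agent:
        return "application/octet-stream", b"MZ\x90\x00" + b"\x00" * 60
    if "Mac OS X" in user_agent:
        return "application/octet-stream", b"\xca\xfe\xba\xbe" + b"\x00" * 60
    return "text/html", b"<html><body>Install the codec to view this video.</body></html>"


if __name__ == "__main__":
    cloaked, summary = probe_cloaking("http://fake-codec.example/codec", fetch=fake_fetch)
    print("cloaked:", cloaked)
    for label, s in summary.items():
        print(f"{label:14} {s['kind']:8} {s['size']:5} {s['content_type']}")
```

When the hashes differ per platform, submit each body to VirusTotal separately; a report on the Windows payload says nothing about what the Mac visitor was handed.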

[Image: forum spam post pushing the fake codec]

Hmm… a Mac virus being pushed on a Mac forum.

In fairness, the site looks like it hasn’t been updated in a long time. Still, rather embarrassing for these folks…

Alex Eckelberry

Dangerous Loads.cc malware gang re-emerges

Hi all, Adam Thomas here from Sunbelt’s malware research team. I wanted to post a brief follow up to Alex’s earlier blog post re: the wave of “3D Screensaver” spam that we have been seeing.

Further investigation into this malware points back to the infamous malware-loading group “Loads.cc”. Interestingly, the Loads.cc web site was taken offline in late January after suffering a DDoS attack from a rival malware gang, which used a Barracuda botnet to do the job.

While the “Loads.cc” domain (which is used by affiliates to sign up to have their malware installed by the botnet and monitor statistics) is no longer working (it resolves to 127.0.0.1), we were able to easily discover a new domain in use thus proving that Loads.cc is back in operation:

[Image: the new Loads.cc site]

This malware gang is responsible for the distribution and installation of massive amounts of malware: spambots, keyloggers, DDoS bots, adware and rootkits. The whole kit and caboodle. So it cannot be stressed enough that this is very dangerous malware; stay away from these trojaned screensavers.

After installing the “screen saver”, the malware announces its presence with an HTTP GET request for a PHP script. This PHP script (manda.php) may or may not return the URL of additional malware for the bot to retrieve and install: malware that other authors have paid Loads.cc to install.

GET http: //[removed].info/admin/manda.php?id=[user_id]&v=scr

The malware is then copied to the following location where it silently sits awaiting commands from the C&C server:

%HOMEDRIVE%\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
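Two things in the check-in and drop location above are easy to hunt for: the GET for /admin/manda.php with id=…&v=scr, and an executable sitting in the LocalService account’s Application Data folder under a name one letter-swap away from the legitimate ctfmon.exe. As an added example (not Sunbelt’s or the post author’s code), here is a script that pulls bot check-ins out of proxy log lines and scores file paths for that drop pattern. The proxy log format, the hostnames in SAMPLE_PROXY_LOG and the list of legitimate names to compare against are constructed assumptions; only the URL shape and the drop path come from the post.

```python
"""Hunt for the Loads.cc "screensaver" bot in proxy logs and file paths (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Check-in URL shape from the post: GET http://<host>/admin/manda.php?id=<user_id>&v=scr
CHECKIN_PATH = re.compile(r"/admin/manda\.php$", re.I)

# Drop location from the post: %HOMEDRIVE%\Documents and Settings\LocalService\
#   Local Settings\Application Data\cftmon.exe
# A service-account profile never legitimately receives a user-dropped executable there.
LOCALSERVICE_APPDATA = re.compile(
    r"\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\([^\\]+\.exe)$",
    re.I,
)
# Legitimate Windows binaries whose names the dropper mimics (cftmon vs ctfmon).
# Assumption: extend with whatever else you see typosquatted.
LEGIT_NAMES = ("ctfmon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe")


def find_checkins(log_text):
    """Return (client, host, bot_id) for every GET matching the manda.php check-in shape."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, client, method, url, _status = parts[:5]
        u = urlsplit(url)
        if method != "GET" or not CHECKIN_PATH.search(u.path):
            continue
        q = parse_qs(u.query)
        if q.get("v") != ["scr"] or "id" not in q:
            continue
        hits.append((client, u.hostname, q["id"][0]))
    return hits


def one_edit_or_swap(a, b):
    """True if a and b differ by one substitution, one insertion/deletion or one adjacent swap."""
    if a == b:
        return False
    if len(a) == len(b):
        diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diff) == 1:
            return True
        return (len(diff) == 2 and diff[1] == diff[0] + 1
                and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def suspicious_drop(path):
    """None if path is not an .exe in LocalService's Application Data; otherwise
    (filename, legitimate name it imitates or None)."""
    m = LOCALSERVICE_APPDATA.search(path)
    if not m:
        return None
    name = m.group(1).lower()
    for legit in LEGIT_NAMES:
        if one_edit_or_swap(name, legit):
            return name, legit
    return name, None


# Constructed log lines, "<epoch> <client> <method> <url> <status>"; not real traffic.
SAMPLE_PROXY_LOG = """\
1205000001 10.0.0.14 GET http://www.example.com/index.html 200
1205000002 10.0.0.14 GET http://www.c2-example.info/admin/manda.php?id=4471&v=scr 200
1205000003 10.0.0.22 GET http://www.c2-example.info/admin/manda.php?id=9002&v=scr 200
1205000004 10.0.0.22 GET http://other.example.net/admin/manda.php 404
"""

if __name__ == "__main__":
    for client, host, bot_id in find_checkins(SAMPLE_PROXY_LOG):
        print(f"check-in from {client} to {host} as bot id {bot_id}")
    print(suspicious_drop(r"C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe"))
```

The id parameter is the affiliate’s user id, so grouping check-ins by it tells you which installs belong to the same paying customer of the loader.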

Traversing to the “admin” directory reveals this slick looking login page:

[Image: Loads.cc admin login page]

Also hiding out on the same domain is (potentially) another pay-per-install affiliate program:

[Image: Goldencash affiliate program on the same domain]

The fun never ends . . .

Rash of new spam pushes malware disguised as screensavers

Over the past 24 hours, we have seen a rash of malicious spam pushing screensavers that are, in reality, backdoor trojans (VirusTotal report here, with very poor detection by most engines). It is unknown how widespread these spams are.

[Images: samples of the screensaver spam]

Both of the sites that we have observed hosting these screensavers appear compromised. One is already down, and we are in the process of attempting to get the other one taken down.

Clicking on the link brings the user to a very realistic “3d screensaver” page:

[Images: the fake "3d screensaver" download page]

Of course, installing one of these screensavers will not actually deliver the ostensible benefits of watching Santa’s Home or the Matrix. Instead, one may get a rather nasty surprise.

Alex Eckelberry