A bit of VIPRE roadmap

I just wanted to give you all a quick heads-up to some things we’re doing to VIPRE.

If all goes to plan, we will start beta-testing our new 3.2 core engine next week. This is not an upgrade to the product itself, rather simply an upgrade to our detection engine (which comes as an automatic update to the defs). We expect to go live on this new engine sometime in mid-February.

This new engine has some important new enhancements for the detection of both existing malware, and new, unknown threat/variants.

First, we have dramatically improved the GenScan technology (a method of doing pattern analysis on files).

Secondly, we have added a lot of improvements in our detection methods overall. Lots of little things, too many to list.

But finally, the big news will be our release of our new proprietary MX-Virtualization technology (MX-V).

As a bit of background, VIPRE uses a number of different techniques to detect the presence of malware, including classic signature detection and heuristics. MX-V adds to this arsenal an extremely compact virtualized Windows environment to test for the presence of malware.

The rapidly evolving sophistication of malware makes classic detection methods increasingly obsolete, as new strains of malware use highly complex obfuscation techniques designed to hide from even the most sophisticated analysis systems. Primary among these methods is the use of compression systems (“packers”) that require antivirus vendors to create specialized de-compression methods (“unpackers”) to analyze a file. The necessity to continue to add specialized unpackers to a virus engine is one of the major challenges faced by antivirus companies today. It also creates an additional danger for users faced with new threats, since antivirus companies are unable to create signatures rapidly enough to meet the onslaught of new obfuscation techniques.

In the MX-V system, malware is executed in a virtual Windows environment that mimics many of the core Windows functions — registry, file system, internet connection, mouse clicks, etc. The actions of the malware are then analyzed for behavioral characteristics common to malware, or to look for certain malware signatures. By analyzing malware in this fashion, VIPRE is able to detect many types of malware without the necessity of creating a constant stream of dedicated unpackers and signatures for each variant of a piece of malware.

Technically, MX-V is an extension of VIPRE’s built-in emulation, which uses a method known as Dynamic Translation (a form of binary translation) to break the performance barrier of standard emulation. (Classic CPU emulation is generally unable to achieve a speed higher than 10 MIPS, making it unusable for large-scale use.) Dynamic Translation is a technology which recompiles, on-the-fly, large parts of a program in order to boost performance up to 400 MIPS. It is the use of Dynamic Translation that makes VIPRE’s built-in emulation, and the MX-V layer that is an adjunct to it, capable of rapidly analyzing systems for the presence of malware.

MX-V’s main appeal is its ability to enhance the detection of completely new variants or families of malware. In my opinion, it’s a significant technology.

Again, we expect to begin beta-testing this new engine sometime next week, and it will be open to testers. I’ll let you know when it’s up.

Separately, we expect to have a product upgrade in the next several weeks that will add some additional under-the-hood functionality to help detection and removal of malware. It’s not related to the above new core engine update, but it also will continue to improve VIPRE’s detection and remediation.

In Q2, we will be shipping VIPRE 4.0 and VIPRE Endpoint Protection (VEP) for Enterprise (to be marketed as “VIPRE + Firewall” in the consumer edition). VIPRE 4 will add some nice additional features to the existing product; VIPRE Endpoint Protection will add a firewall, HIPS, IDS, and a number of other nifty features. VIPRE 4.0 will be a free upgrade if you’re under maintenance; VEP will have a nominal upgrade charge for the additional functionality.

As always, feel free to post any questions, observations, or comments. And for those of you who are helping us spread the word on VIPRE, thank you for all your help!

Alex Eckelberry

Leopard looking for a new home

Leopard (not to be confused with the Apple OS) is a really interesting program language for kids developed by Brandon Watts. It uses extremely simple methods to create highly complex programs, very useful for teaching the basics of programming to kids (or anyone else who wants to learn programming, for that matter).

Brandon partnered with Weatherbug several years ago, where Weatherbug offered a co-branded version of the development program for use by kids.

The partnership with Weatherbug is now at an end, and Brandon is looking for a new home for the program. If you have any ideas, feel free to contact Brandon.

Alex Eckelberry

Free VIPRE PC rescue program


Useful if you’re trying to disinfect a system.

“The VIPRE PC Rescue Program is a command-line utility that will scan and clean an infected computer that is so infected that programs cannot be easily run.

The VIPRE PC Rescue Program is packaged into a self-extracting executable file (.exe) that prompts the user for an “unpack” or installation location, then starts the scanner and performs a quick scan. The user can start the program either by opening it via Windows or from the command line.

Virus definitions are included, and the program is self-running once executed. The initial scan, and all subsequent scans, include Rootkit Detection. Four command line options are available, enabling the program to perform a boot scan during the next start-up, perform a deep scan, log the events, and disable the rootkit.

Detections are consistent with the full VIPRE, and the VIPRE PC Rescue Program is designed to disinfect a system so infected that a user cannot install VIPRE.”

Download link here.

Alex Eckelberry

Corporate hype

Partnership with Zenith Infotech, an MSP, to offer VIPRE Enterprise:

Sunbelt Software … today announced that the company’s VIPRE Enterprise™ product has been chosen by Managed Service Infrastructure and Business Continuity Solution leader Zenith Infotech Ltd. as a client and server security, antivirus and antispyware option for its Total Desktop Care solution. The Total Desktop Care solution, which now supports VIPRE Enterprise, is offered to Zenith Infotech IT service provider partners managing 400,000 computer desktops around the globe.

Link here.

Alex Eckelberry

Some more thoughts on Mailinfo

Back in October, I blogged briefly about Mailinfo, the service that allows you to track whether or not anyone has opened your email.

Lior Kimchi, one of our developers, has written a bit of his observations on the program:

The way this service works is by including a picture in the email. The picture is not embedded, but rather it is an HTML link to the MailInfo server, using a unique code for each member, and the picture is retrieved and displayed. By using the unique id for each email, they can track it. By using the tracking feature in outlook, an email gets sent to the sender with the confirmation. So, every email you read generates an email from you. The http request, getting the image, and sending back an email, just quadrupled the traffic needed to view a single message. Imagine trying to read your email when you are on the road, on a slow connection.

And yet, an even more severe potential privacy issue exists here – not only does an email get sent back, but the MailInfo service also records your IP address. They can do it because of the HTTP request for the picture that’s in the message. This is used by them to do a lookup into an IP-Location table to get your location, and it is sent back to the sender with the confirmation. I see it as a real breach of privacy.

Imagine an abusive husband, whose wife left with the kids. He doesn’t know where she is. He sends her a simple email “how are the kids doing?” She responds, and he gets her location (the location is usually just a city name, and sometimes not that accurate, but still, it’s something).

As some of the comments to the first blog post suggest, it is very easy to bypass this service simply by disabling the display of pictures in emails. I have been doing this for years because spam email almost always had some pictures in them. Spammers use it for other reasons as well.

One simple way is to only view email in text mode. I don’t like it, so I just use Outlook’s built-in features to block confirmation email AND to block image display. But sometimes you do want to see the images. Here is a nice trick: after viewing the email and determining that it is OK to see the pictures, you right-click on one of the pictures’ placeholders. A pop-up menu will show:

[Screenshot: the context menu shown on a blocked picture placeholder in Outlook]

Click on “Download Pictures”. Very easy.

Now, to block confirmation emails from being sent, in Outlook, select Tools|Options, Preferences tab and click on the E-mail Options button, and then click on Tracking Options. You will see this dialog:

[Screenshot: the Outlook Tracking Options dialog]

Uncheck all check boxes. Also select “never send a response” and click OK. Click OK on the other dialogs.

Per Outlook’s help, images are by default blocked in order “To protect your privacy from junk e-mail senders”. If you find that they are not blocked, here is how to enable the block. Go to Tools, Options, Security tab, and click on the “Change Automatic Download Settings” button. You will see this dialog:

[Screenshot: the Outlook automatic picture download settings dialog]

Check all boxes and click OK, OK. That’s it.

(The above instructions are for Office 2003)

It is also important to note that most web-based free email services (Yahoo, Hotmail, etc.) also have this feature to block images. You can find it in the Preferences. Then when a message is displayed, there is a link at the top to display the images. Not only is it safer, but email gets displayed much faster.

Have a safe day.

Thanks Lior.

Alex Eckelberry
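The tracking mechanism Lior describes above (a remote image whose URL carries a per-message id, fetched over HTTP the moment the message is displayed) can be spotted and neutralised on the receiving side. The following is an added example, not MailInfo's code or Sunbelt's; the hostname, token and message body are constructed.

```python
"""Find remote-image beacons in an HTML email and block them until the user
opts in, the same effect as Outlook's automatic-download block."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message body: one genuinely inline image (cid:) that leaks
# nothing, and one remote "image" whose path carries a per-message token.
SAMPLE_HTML = """<html><body>
<p>How are the kids doing?</p>
<img src="cid:logo@example.invalid" alt="logo">
<img src="http://tracker.example.invalid/i/7f3a9c1e5b.gif" width="1" height="1">
</body></html>"""


class _ImgCollector(HTMLParser):
    """Collect every <img src=...> value in document order."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def remote_image_urls(html):
    """Return each <img> src that triggers an HTTP(S) fetch on display.
    cid: and data: references are local, so they cannot reveal an IP."""
    collector = _ImgCollector()
    collector.feed(html)
    return [s for s in collector.srcs if urlparse(s).scheme in ("http", "https")]


# A long opaque hex or numeric run in the path is the per-message id that
# lets the server tie one fetch (and its source IP) to one recipient.
TOKEN_RE = re.compile(r"[0-9a-f]{8,}|[0-9]{8,}", re.I)


def looks_like_beacon(url):
    """Heuristic: remote image whose path carries a unique-looking token."""
    return bool(TOKEN_RE.search(urlparse(url).path))


def block_remote_images(html):
    """Rename src to data-blocked-src on remote images so the mail client
    fetches nothing; a 'Download Pictures' action can restore the attribute."""
    pattern = r'(<img\b[^>]*?)\bsrc=("https?://[^"]*")'
    return re.sub(pattern, lambda m: m.group(1) + "data-blocked-src=" + m.group(2),
                  html, flags=re.I)
```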

Russians don’t infect themselves?

Little snippet found in Antivirus 2009:

00420054 – http://privaetprotectedupdates com/zsa09/winsystems dll
0042008C –
————————————————————————————————————————
00420105 –
——————————————————————————
00420174 – Bot started.
0042018C – App name:
004201A0 – Exe name:
004201B4 – Bot ID:
004201C8 – Wait before activate:
004201E8 – Sleep period:
00420200 – Popup URL:
00420214 – Don`t install on Rus:
00420234 – Russian or Ukrainian Windows detected. Exiting …
0042027C – Looking for XP antivirus
004202A0 – SoftwareXP AntivirusOptionsAdvancedScan
004202D4 – Key =
004202E4 – XP antivirus detected
00420304 – Unregistering toolbar
00420324 – Unregistering self

Alex Eckelberry
(thanks Adam, Patrick)

Crypto humor

Didier Stevens made a funny little find in Windows 7. In the past, userassist keys had been encrypted in ROT13. Now, he sees them encrypted in a Vigenère cipher.

(In case you’re not familiar with these terms, ROT13 is trivial to crack, and Vigenère, although quite a bit more sophisticated than ROT13, is breakable, so it seems just to be a little bit of fun on the part of the developers at Microsoft with the crypto community — a sort of Easter egg).

Nice find Didier!

Alex Eckelberry
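To make the "breakable" point concrete: ROT13 is just Vigenère with a one-letter key, and a Vigenère key falls straight out of a few characters of known plaintext. This is an added illustration, not Didier's tool; the key "SUNBELT" and the path used as plaintext are constructed, not the values Windows uses.

```python
"""ROT13 and Vigenere side by side, plus known-plaintext key recovery."""
import string

ALPHA = string.ascii_uppercase


def vigenere(text, key, decrypt=False):
    """Shift each letter by the matching key letter. Non-letters pass through
    unchanged and do not advance the key, as in the classic cipher."""
    out, k = [], 0
    for ch in text:
        if ch.isalpha():
            shift = ALPHA.index(key[k % len(key)].upper())
            if decrypt:
                shift = -shift
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def rot13(text):
    """ROT13 is Vigenere with the constant key 'N' (shift 13); applying it
    twice returns the original, so it is its own inverse."""
    return vigenere(text, "N")


def recover_key(ciphertext, known_plaintext, key_len):
    """Known-plaintext attack: key letter = ciphertext letter - plaintext
    letter (mod 26) at each position. key_len known letters give the key;
    a UserAssist value with a predictable prefix supplies them for free."""
    key = [None] * key_len
    k = 0
    for c, p in zip(ciphertext, known_plaintext):
        if p.isalpha():
            slot = k % key_len
            if key[slot] is None:
                key[slot] = ALPHA[(ord(c.upper()) - ord(p.upper())) % 26]
            k += 1
    if any(letter is None for letter in key):
        raise ValueError("not enough known plaintext to recover every key letter")
    return "".join(key)
```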

New product: Sunbelt File Archiver

Sunbelt File Archiver is a natural extension to our Sunbelt Exchange Archiver, which we released late last year. It’s quite a nifty product, actually.

Company hype:

Sunbelt Software … today announced the release of Sunbelt File Archiver™, its new file archiving solution for enterprises. Sunbelt File Archiver (SFA) delivers cost-effective enterprise-grade file archiving for organizations of all sizes, providing administrators with full compliance management for electronic documentation, file server optimization, and advanced disaster recovery management.

SFA provides a simple and reliable method for electronic document management and file archiving to ensure compliance with regulatory requirements and to optimize business resources. SFA allows administrators to easily configure rules that will determine when, and what, files should be archived. This multi-faceted approach to archiving provides businesses with the flexibility required to effectively manage documents.

Press release here, product page here.

Alex Eckelberry

Heads-up: Long tail phishing

What I refer to as long-tail phishing, where phishers run out of steam with the “big phish” (Chase, Bank of America, etc.) and move to smaller fry, now looks to be in full swing (at least right now). Phishers are getting more creative (or, desperate). In just the past few days, I’m now seeing phishing scams for Craigslist, Amazon, Yahoo Search Marketing, Google Adwords, Windows Live…

Alex Eckelberry
(thanks, Saeed and Kevin Lee.)

Another gross credit scam

This is sick. People in hard times, desperate for credit, will reach out increasingly for these offers, only to get pummeled with fees.

First, here’s the misleading spam offer:

[Screenshot: the spam email]

You get a site which promises a guaranteed credit line of $7,500. Cue music… it’s a wonderful thing, this.

[Screenshot: the offer web page]

And then the fake chat agent that pops up if you leave the page:

[Screenshot: the fake chat agent pop-up]

Take a look at the fine print at the bottom of the page:

Offer Details: By submitting this order you give First Plus Platinum Credit authorization to charge your debit or credit card a processing fee of $2.78 for the 7 day trial membership. The $7,500 credit account is for use towards thousands of our merchandise items only. After the 7 day trial, unless you cancel, we will automatically bill the account you provided us today for $39.95, and each month thereafter. All monthly fees will be applied to any outstanding line of credit balance. This charge will appear as debit by “Credit Line” on your statement. You have the right to cancel any time by calling the toll-free number provided in the Terms and Conditions.

You also agree to receive a 15 day FREE trial membership for Grant Connect where you get easy access to free government money. After the 15-day trial, unless you cancel, Grant Connect will charge your account $19.95 each month thereafter. You have the right to cancel any time by calling the toll-free number located at grantconnect.com.

As an additional bonus, you will also receive a FREE 10 day trial of Vcomm300 International and Long Distance Calling Service. Unless you cancel, Vcomm300 will bill your account $14.95 for the services each month thereafter. You have the right to cancel anytime by calling the toll-free number located at vcomm300.com.

Isn’t it weird that you have to give a credit card number to get approved for a credit card number? That’s because they want to charge you. This so-called “negative option”, where you have to opt-out of an offer, is particularly bad for consumers.

Reminds me so much of the Suntasia marketing scam I wrote about a while back.

Anyway, there you have it. Another useless, crappy scam promulgated on the public.

Alex Eckelberry