Our CTO eats, shoots and leaves

Eric Sites, Sunbelt’s CTO and a professional competition shooter, was a contestant this weekend at the Florida Open Pistol Shooting Tournament (maybe this is Eric’s way of working out his frustration with malware authors).

He had problems with his gun (which you can see at about the 2 minute mark) and hence wasn’t able to place in the top 3, but you can see him in action here.

Alex Eckelberry

Mitigating the Adobe zero day

Reports of the Adobe Acrobat zero day exploit should not be shrugged off.

However, mitigating this exploit may be a bit bewildering due to lack of information.

Our friend John LaCour has posted a quick fix. However, this involves disabling Javascript in Acrobat, which for some enterprises is unacceptable.
Not a good situation. If you can’t disable Javascript in PDFs, then your next best answer is relying on your endpoint solution and begging your users to be careful with PDFs from unknown parties.

Prayer is also a good thing to throw into the mix. Can’t hurt.

Alex Eckelberry

PS: I should mention that you can always get a Snort rule for it.

Corrupt judges

How sick.

At worst, Hillary Transue thought she might get a stern lecture when she appeared before a judge for building a spoof MySpace page mocking the assistant principal at her high school in Wilkes-Barre, Pa. She was a stellar student who had never been in trouble, and the page stated clearly at the bottom that it was just a joke.

Instead, the judge sentenced her to three months at a juvenile detention center on a charge of harassment.

Alex Eckelberry
(Thanks Frank)

Off-topic: Recessions, depressions and all that fun

My good friend Ken Gerbino wrote something last month that’s of interest regarding the current economic situation. You can read it here.

Come to your own conclusions. But I will say that I believe a lot of the hysterical talk right now is hogwash, designed to push through political agendas more than anything else. Yes, there are severe problems, mostly in liquidity and credit, but not nearly at the hysterical levels we’re hearing. It’s not the End of the World as You Know It. It certainly should not be the end of the free market, capitalism and other things which are recognized as more good than bad.

Remembering First Principles:

1. Increasing money supply always equals inflation. Always. It may be seen in asset bubbles, or reduced purchasing power. But more money in circulation decreases its value. There’s really no way around it.

2. Never trust politicians. Ever.

Alex Eckelberry

A useful new tool from Google focused on malvertisements

Malvertisements (malicious advertisements) have been a bane of advertising networks the world over. Sleazy malware distributors try to place malicious ads onto legitimate advertising networks using all kinds of tricks (one blogger has made a specialty of tracking all these malicious ads).

Advertising networks (the people who sell all those ads you see on various websites) sometimes have a difficult time figuring out if an ad is legitimate. They can use online tools to check an ad, like Adopstools, or use services like the Sunbelt Sandbox or ClickFacts, but they should also do other background checks.

Enter Google, with a neat specialized search tool called, appropriately, “malvertising research”. The site, available at http://www.anti-malvertising.com/, allows advertisers (or anyone else, for that matter) to search for issues relating to malvertisements, and to conduct background checks.


According to Google’s Eric Davis, it’s admittedly a modest tool, and only indexes a small, focused group of sites that track activity in this space (my blog and Sandi Hardmeier’s, for example). However, it is useful in a) helping ad network customers conduct quick background checks on prospective partners and b) helping security researchers and troubleshooters learn more about parties that may be involved in malvertising threats.

This is the first iteration. They will continue to update and refine the search engine. Feel free to drop a comment in this blog if you have any suggestions, feedback, or other sites that should be added to the search engine.

Alex Eckelberry

Malware authors are people too

As a follow-up to my post on professional malware developers at promake, we see LonelyWolf, one of the developers, has problems like all other programmers.


And uses a female avatar on ICQ:


And is pretty active on the exploit.in forum (a forum for malware developers), using the name DaMaGeLaB Admin.


Seems pretty personable, until you remember that this is someone who has hurt a lot of innocent people, all in the pursuit of profit. 

Alex Eckelberry
(Thanks Adam)

More sploits on the way

Yesterday’s patch day was an important one: IE 7 sploits that can be crafted easily, and a SQL sploit that already has functional exploit code published. F-Secure has done a good overview here.

I do hope that admins have taken to heart lessons about patching in light of Conficker/Downadup.  That bug has hit a lot of companies, even stalling an entire city police department and grounding French military fighter planes.

Alex Eckelberry

New rogue security products

Thanks to Patrick Jordan for the information.

Here is the list of new active rogue security applications that you should be aware of.

AntiSpyware Protector

Typical fake/scare scanner page

System Guard Center

This one advertises some of its buddies as well.

System Guard Center advertising a registry cleaner application

Privacy components

Privacy components belongs to the XLG Security Center family.

Bharath M N

How one old-school phone brought down a business

“We had to make 5M that night to break even for the year (we were already in the red). We expected to make closer to 50M. We actually made about -30M. Let me write that out for you: One ass-hat residential customer with a 20yo telephone with four extra buttons did thirty million dollars in damages in less than one night.”

An employee of a small telephone company describes how one old phone brought down the company.

Alex Eckelberry
(Thanks Dustin)

Kaspersky responds

Good post.

We confirm that the vulnerability existed in the new version of usa.kaspersky.com/support. We analyzed the log files and found requests with SQL injection. There were several attackers with IP addresses from Romanian ISPs. The requests were initially made with an automated tool – the screenshots showed that the hackers used a free edition of an Acunetix tool.

Once the initial probes told the attackers that this section was vulnerable, they attempted to manually exploit the vulnerability to get data about the structure of the database. They used an Information_Schema database to query existing table names and table columns. After collecting field names, the attackers made a few attempts to extract the data from tables. Those queries failed because the attackers specified the wrong database. The attackers stopped after they got only the column and table names from the database and decided to go for glory. No data modification queries (UPDATE, INSERT, DELETE, …) were logged.

As I suspected (obvious from at least one screenshot on the hacker’s blog), the Romanian hackers used the free Acunetix tool to find the vulnerabilities (although I thought the free version was limited in scope, but apparently not).
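A defender-side illustration of the log review Kaspersky describes, added here and not part of the original post or of Kaspersky’s own tooling: it scans constructed Apache-style access log lines for the two stages mentioned above (Information_Schema enumeration and data-modification statements) and tallies hits per source IP. The IPs, paths and timestamps are made up for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Feb/2009:10:01:02 +0000] "GET /support/faq.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Feb/2009:10:01:09 +0000] "GET /support/faq.php?id=12%27%20UNION%20SELECT%20table_name%20FROM%20information_schema.tables-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Feb/2009:10:01:15 +0000] "GET /support/faq.php?id=12%27%20UNION%20SELECT%20column_name%20FROM%20information_schema.columns-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.4 - - [07/Feb/2009:10:02:30 +0000] "GET /support/faq.php?id=13 HTTP/1.1" 200 4990 "-" "Mozilla/5.0"
198.51.100.4 - - [07/Feb/2009:10:02:41 +0000] "GET /support/faq.php?id=13%3B%20DELETE%20FROM%20users-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, request path and HTTP status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Stage 1: schema reconnaissance via the information_schema views.
RECON_RE = re.compile(r"\binformation_schema\b", re.IGNORECASE)
# Stage 2: data-modification statements; anchored on full SQL phrases so that
# ordinary URLs such as /update.php do not trigger a hit.
MODIFY_RE = re.compile(r"\b(insert\s+into|update\s+\w+\s+set|delete\s+from)\b", re.IGNORECASE)


def classify_request(raw_path):
    """Return 'recon', 'modify' or None for one URL-encoded request path."""
    decoded = unquote_plus(raw_path)  # attackers URL-encode the payload; match on the decoded form
    if RECON_RE.search(decoded):
        return "recon"
    if MODIFY_RE.search(decoded):
        return "modify"
    return None


def scan_log(text):
    """Yield (ip, kind, status, decoded_path) for every suspicious request in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the review
        kind = classify_request(m["path"])
        if kind:
            findings.append((m["ip"], kind, m["status"], unquote_plus(m["path"])))
    return findings


def summarize(findings):
    """Count findings per (source IP, stage) so the two attack phases stand out separately."""
    return Counter((ip, kind) for ip, kind, _, _ in findings)


if __name__ == "__main__":
    for ip_kind, n in sorted(summarize(scan_log(SAMPLE_LOG)).items()):
        print(ip_kind, n)
```

Server errors (the 500s above) alongside the probes are a second signal worth correlating: they often mark the point where an injected string broke the query.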

Here is something a little more interesting:

After conducting the attack, the attackers decided to show off their ‘great code of ethics’ by sending Kaspersky an email – on a Saturday to several public email boxes. They gave us exactly 1 hour to respond. And posted on their blog without having received a response.

Incidentally, it has also been written that Bitdefender was hacked. Actually, it was their Portuguese reseller, a company called Uptrends Software, that was responsible for that site.

Alex Eckelberry

Botnet controllers for sale

I recently blogged about a design agency promoting its work on malware. Now, we see a development shop boasting about its work on malware.

Sniffing around an iframedollars trojan, we saw a GET request to promake.me. This resulted in an additional trojan being downloaded.

So what is promake.me? Well, they’re developers of awesomely cool botnet software n’ stuff. And I have to admit, the stuff does look slick, if it wasn’t so sick.

Some screengrabs:


Alex Eckelberry

Here comes the Ask Toolbar again

In a trend that is increasingly popular, Symantec will be bundling a version of the Ask Toolbar with the upcoming release of Norton 360.  This will add to the plethora of toolbars already on people’s systems.  

Donna is pissed and has added Symantec to the list of vendors barred from Calendar of Updates.

The toolbar incorporates Symantec’s site checking, which in at least one test, did give me some odd results — Zango is whitelisted, while Kephyr.com, a legit site, is blacklisted.


Whatever, chalk it up to beta software.

Ask has been on a tear to get their toolbar installed with leading companies, with their business development folks contacting everyone.  The economics are strong — $1.00 per install, but despite the tempting money, there are quite a few companies that have turned them down flat — Bill P (one of a dying breed of high-integrity software execs) and Lavasoft among them. 

Is Ask so terrible?  Well, they have a history, which to their credit, has really been cleaned up.  Perhaps it’s unfair that some of us in the business have long memories.  But now that Symantec has effectively lowered the bar, expect a lot more of this type of bundling by companies anxious to add more dollars to a tight P&L.  This type of thing certainly improves short-term results, but in the long term, it is brand-destructive. 

I suppose some of the bigger questions are: a) should toolbars such as these be pre-selected during install, b) should your security product add more to your system than it needs to accomplish its goal of securing your system and c) should your security product push your searches toward a specific search provider that they have a monetary relationship with?  
I suppose this debate will be raging for some time.  

Alex Eckelberry

New rogue: XpyBurner

SpyBurner then, XpyBurner now.

XpyBurner’s Splash screen still has traces of SpyBurner

Other crapware on the same IP range:

System Tuner

H DriveSweeper

Sites to block:

72.232.186.18 System-tuner com
72.232.186.18 Systemsecurityse com
72.232.186.19 Electronicbillinghost com
72.232.186.19 Securesoftwarepays com
72.232.186.20 Xpyburner com
72.232.186.20 Xpyburnerpro com
72.232.186.21 Hdrivesweeper com
72.232.186.21 Hdrivesweeperpro com

Bharath M N

The truth comes out…

Doug Barney has outed me: I was once an Amiga guy.

“Twenty years, ago I first met Alex Eckelberry. At the time, I was the editor in chief of Amiga World magazine and Alex worked for Aegis Development, which sold high-end 3-D modeling and animation software.”

It’s cool that Doug remembers me from back then, when a few of us were working the dream at a tiny little software company. Those were the days… what a wild and strange time. Great concept, terrible implementation, and terrible marketing by a truly confused company.

I finally threw out my library of Amiga technical reference materials a while back. Sad to see them go, but one has to move on (although they’ll probably be worth a fortune sometime and my children will curse my decision).

Alex Eckelberry

Spyware in shoes and lightbulbs

A bizarre and sad story.

Richards said he stayed, and his wife took the envelopes to the department, but then, “it got bad.” He said Daily asked him to check light bulbs for spyware and was walking around with a baseball bat convinced someone was trying to kill her.

Richards said he first noticed Daily’s unusual behavior Thursday. He said she called him and asked him to call the police because someone was trying to kill her and spyware had been planted in her granddaughter’s shoes. He said Daily’s neighbor called him Friday reporting that Daily said she couldn’t raise the girl anymore. He said he told Daily to get a motel room and rest and that he would take the girl.

Alex Eckelberry