Something someone in our marketing department did. Cute.
Alex Eckelberry
The Legacy Sunbelt Software Blog
The Great Years: 2004-2010
Ok. You’re worried about Swine Flu and you want to find a local company that has something that will prevent it. You “turn on the Internet” and do a Web search for the terms “anti-virus” and “Clearwater, FL.”
What’s the first thing that pops up? “Antivirus and Antispyware Software – Anti-Malware & Email …” Sounds like a serious business! You click on that link and find a phone number.
You go right to the top and call Vice President for Threat Research and Technologies Michael St. Neitzel: “Hello. Does Vipre protect against the Swine Flu?”
Sunbelt Software Vice President for Threat Research and Technologies Michael St. Neitzel will then explain that Vipre is an anti-COMPUTER-virus solution.
I’m not making this up! Someone just did this!
Yeah, it’s sadly funny, but it’s also an indication of the very high level of concern about the spreading strain of Swine Flu influenza. This thing is a potential pandemic. Public health authorities are worried that it POSSIBLY could mutate into something deadly.
Spammers saw this coming on Monday.
Spam with headlines claiming that celebrities (Salma Hayek, Madonna) have caught the disease is peddling generic Tamiflu – or stealing the credit card numbers of those naïve enough to make a purchase from one of the nearly 300 newly-registered domains with a “Swine Flu” twist in their name. Cisco’s IronPort anti-spam service says Swine Flu spam is now four percent of global spam.
Spam that preys on public fears generated by big news stories is now a genre. Seriously, just delete the alarming e-mails, wash your hands a lot and don’t sneeze in elevators.
See InformationWeek’s coverage here.
There is a vast amount of malcode out there that uses the autorun function to install itself, and that group includes Conficker. We found over 900 variants listed on one of our fellow AV vendors’ sites and over 1,000 listed on another.
Microsoft’s site shows a graph of its monthly detections of AutoRun malware in the last year and a half. It looks like the outline of a dragon. The end of its tail is on the ground (near zero) from July of 2007 to January of 2008, and the top of its head, from November of 2008 to March, 2009, is at 225,000 detections per month.
The company has announced that it will disable the AutoRun function in AutoPlay for USB drives in Windows 7 and backport the change to supported Windows versions. AutoPlay will still work for CDs and DVDs, however.
When the malcode writers started using the autorun.inf file on USB drives several years ago, it was like Déjà vu all over again. Remember the days when you could infect your “home” computer by starting it up with a “floppy” disk in the drive? Well, floppies and discs fell by the wayside along the years with the expanded use of CDs and DVDs, but the dragon came back to bite us in the USB drive.
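As an added defender-side example (not code from this post or from Sunbelt), here is a small Python parser for autorun.inf that flags the directives which would launch a program when AutoRun fires on a removable drive. The directive names come from the documented autorun.inf format, and both sample files are constructed for illustration.

```python
import re

# Directives that make Windows launch a program when AutoRun fires.
# (Taken from the documented autorun.inf format, not from the post.)
EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun(text):
    """Return {section: {key: value}} with section and key names lowercased.

    Tolerant of blank lines, ';' comments and junk padding lines, the kind
    of noise commonly found in malicious autorun.inf files.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_findings(text):
    """List the (key, value) pairs in [autorun] that would execute a file."""
    auto = parse_autorun(text).get("autorun", {})
    return [(k, v) for k, v in auto.items()
            if k in EXEC_KEYS or SHELL_CMD_RE.match(k)]


# Constructed samples: a benign product-CD autorun.inf, and one that wires
# the "Open folder" verb to a hidden executable on the USB stick.
BENIGN_INF = "[autorun]\nicon=setup.exe,0\nlabel=Product CD\n"
SUSPECT_INF = (
    "[AutoRun]\n"
    ";padding line\n"
    "open=hidden\\launch.exe\n"
    "shell\\open\\command=hidden\\launch.exe\n"
    "shell\\open=Open folder to view files\n"
    "useautoplay=1\n"
)
```

Running `autorun_findings(SUSPECT_INF)` returns the two execution directives, while the benign file returns an empty list.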
Koobface, a worm that steals Facebook or MySpace credentials and uses them to spam the victims’ contacts, is certainly alive and kicking.
Here’s a run occurring right now. You get a message from a friend:
Which leads to a Facebook page:
Which, when clicked, pushes a fake video codec that downloads Koobface:
And yes, my wife just got one from a friend. He was rather surprised when I called him…
Alex Eckelberry
RSA 2009 has been a great show this year. More than 450 exhibitors are showing their stuff at this year’s RSA Conference in San Francisco. eWEEK Labs’ Cameron Sturdevant has been scouring the expo floor to find the most compelling products for the enterprise. VIPRE Enterprise and Shavlik’s NetChkProtect were included.
View the slideshow here.
Zango Inc., the irritating adware firm that was fined $3 million by the U.S. Federal Trade Commission in 2006 has been sold at “fire sale prices” to video search engine company Blinkx PLC, it was announced yesterday.
The company was notorious for its weasel-word excuses and explanations of the intrusive adware it distributed. It also was famous for (unsuccessfully) suing anti-virus vendors Kaspersky Labs and PC Tools in 2007 in an attempt to intimidate them and force them to stop cleaning Zango code out of victims’ computers.
Zango was first named 180 Solutions when it was founded in 2004. It employed more than 200 people at its peak, but laid off 118 of them last year. Two other major adware firms, Claria (which distributed Gator) and DirectRevenue, have closed in the past. A third, WhenU, was bought out by a Canadian company, which has continued to perform installations of WhenU’s software, though the company is definitely a shadow of its former self.
Chris Boyd, of Facetime Security, and Ben Edelman, a security researcher at the Harvard Business School, extensively documented Zango’s offensive practices over the years. According to Edelman’s research, the company installed adware on victims’ computers without permission, served porn advertising without notifying victims, and profited from the distribution of pirated material.
Edelman told Computerworld that the company failed because: “Zango could never get over its history of non-consensual and deceptive installations.”
See the Computerworld story here.
We found two new rogue security products using the same name, “Extra Antivirus”.
One of them belongs to the Virusdoctor family of rogue security products.
This rogue uses the same site that was earlier used by Extra Antivir. Like its predecessors, this rogue also uses the Google Code site as a free way to host its installers.
The other Extra Antivirus rogue is from the WinSpywareProtect family of rogue security products.
This rogue uses the same home page and fake/scare scanner page template used by Extra Antivir.
Sites Involved:
206.53.61.74 Extraantivir com
94.75.209.11 Extrantivirus com
195.88.81.117 dl.exstra-scanner-av com
195.88.80.208 Int.extro-reports net
Bharath M N
AV Antispyware is the latest rogue from the WinSpywareProtect family of rogue security products.
Sites Involved:
64.191.12.38 Av-antispyware com
195.88.81.74 Files scanner-antispy-av-files com
195.88.81.116 dl scan-antispy-4pc com
195.88.80.207 Int reporting32 com
Bharath M N
Cris Godfrey, our QA Manager, got inspired enough about VIPRE to get the product logo tattooed on his arm.
Sunbelt employee gets VIPRE tattoo
(If the video doesn’t show on your browser, click here.)
You can see photos and some more video on my Flickr stream here.
Alex Eckelberry
I had missed this question posted on Yahoo Answers until Sarkie pointed it out.
It’s funny. In a sad, awful way.
Alex Eckelberry
Sunbelt will be at the RSA Conference 2009 in San Francisco next week. Stop by for an engaging session hosted by our technology partner, Shavlik Technologies on Tuesday, April 21 at 1 pm PDT.
Antivirus’09 is a new rogue security product. This rogue uses fake/scare scanner pages to trick users into downloading the rogue application.
Antivirus’09 uses the same old fake Security Center that was also used by WinDefender 2008.
Once Antivirus’09 is installed, it frequently displays fake alert messages.
Bharath M N
We’re hosting a complimentary webinar in conjunction with The Aberdeen Group on Thursday, April 16th at 2 p.m. EDT entitled, “Why Small Businesses Should Think Outside the Box When Choosing Endpoint Security Solutions.” The webinar will present fact-based research that underscores the idea that “bigger isn’t necessarily better” for small enterprises when it comes to selecting an antivirus vendor to protect an organization’s network.
For more information on the webinar read the press release.
To attend, register here.
P Antispyware 09 is yet another rogue from the WinSpywareProtect family of rogue security products.
Site Involved:
65.110.60.122 Pantispyware09 com
Bharath M N
You may have recently received an email from someone you know, asking you to send them money because of an emergency, or telling you about a new shopping site.
Well, people’s email accounts get hacked, and then their whole address book is spammed with various junk.
Here’s one I received today from a friend, whose hotmail account was hacked:
Worse, here’s one I received from a friend, who forwarded it from a friend, thinking it really was his personal message about a great new shopping site:
And here’s an email I received from someone whose hotmail account was hacked, requesting money.
Always feel free to ask… “did you send this email to me?”
Alex Eckelberry
I think this one takes the cake.
From: FEDERAL BUREAU OF INVESTIGATION [mailto:fbisecuritydeptoffice@org]
Sent: Tuesday, April 07, 2009 9:40 AM
Subject: FEDERAL BUREAU OF INVESTIGATION HELP STOP SCAMS ON INTERNET
Federal Bureau of Investigation
J. Edgar Hoover Building
935 Pennsylvania Avenue, NW Washington, D.C. 20535-0001, USA
FEDERAL BUREAU OF INVESTIGATION SEEKING TO WIRETAP THE INTERNET
The Federal Bureau of Investigation (F.B.I) write to you in correspondence to the meeting we recently had with the Federal Republic of Nigeria Government on the ERADICATION of SCAMS on the internet, Federal Bureau of Investigation
(FBI) Washington, DC in conjunction with some other relevant Investigation Agencies like Internal Revenue Service here in the United states of America have recently been informed through our Global intelligence monitoring network that you presently have a transaction with the Central Bank of Nigeria (CBN) as regards to your over-due contract payment which was fully endorsed in your favor accordingly.
After the meeting held on Monday 31st March 2009 at the Bank Auditorium Center , the whole conflict of SCAMS was revealed to us by the Board of Truste of Federal Republic of Nigeria mostly by the three arms of Government.
(The Judiciary, the Legislature and the Executive).
These three arms of Government has made us realize that the rampad of SCAMS over floating around the United State of America and some other part of the world was been set up by the root of some CBN Ex-Workers that have been suspended for sometimes due to their dubious characters of initiating people to impersonate the Government Workers to receive peoples hard earn money from them, mostly with the Executive Governor identity.
For these reasons, the Central Bank Executive Governor was invited to this office to defend the allegation against Him while he made complain that his office was not in charge of foreign transfer of funds, that the accredited office was Federal Ministry of Finance Department (FEDMINAP) in person of (Rev.Paul Badmus) as the Accountant General in charge of all foreign transfer payment files.
They also told us that the only problem they are facing right now is that some unscrupulous element are using this project as an avenue to scam innocent people off their hard earned money by impersonating the Executive Governor that is why the Federal Government has appoint Rev. Paul Badmus as the Payment Director of the Central Bank office.
The Federal government of Nigeria has approved that all overdue outstanding payments must be Paid on OR before 25th, April 2009, for the preparation of their next category to be paid which might leads to recalling of funds back to the Bank Treasury.
Meanwhile, we are also informed that a Man with an America passport number
(3028882234) came to the Central Bank affiliated bank office in U.K few days ago with a letter, claiming to be your true representative.
Here are the man informations bellow:
Name: Denis Marion
Bank Name: City Bank
Bank Address: Arizona, USA
Account Number: 6503809008.
INSTRUCTION/WARNING FROM ROBERT S. MUELLER III.
NB: You are urgently advised to please reconfirm the following to the Office of the Accountant General, as a matter of urgency if this Man is from you so that this office will not issue your fund and be held responsible, If this man isn’t of your true representative, you are requested to contact for your inheritance claim valued of US$12,500,000.00M (Twelve Million, Five hundred thousand United States Dollars)only will be remitted into your nominated bank account.
1) Your full name.
2) Phone, fax and mobile #.
3) Residential address.
4) Company name, Office position and Company address.
5) Profession, Age and marital status.
6) Working I’d / Int’l passport.
And should incase you are already dealing with anybody or office claiming to be from the Central Bank of Nigeria, you are further advised to STOP further contact with in person from africa in your best interest and then contact immediately the real office of the Central Bank of Nigeria (CBN) only with the below information’s accordingly:
NAME: REV. PAUL BADMUS
OFFICE ADDRESS: Central Bank of Nigeria,
Central Business District,
Cadastral Zone,
Abuja, Federal Capital Territory,
Nigeria.
TEL: 001234-01-4328033
0012347032032230
Email: paulbadmus_desk@live.com
IMPORTANT NOTICE.
Note: we are on investigation and security watch over any message with Central Bank, to benefit the satisfaction of all the United States Citizen by seeking to wiretap scams on the internet with the help of Nigeria Government and also with the assistance of all United states Citizen, by listening to the instructions we give out to avoid falling for SCAMS on INTERNET.
All modalities has already been worked out even before you were contacted and note that we will be monitoring all your dealings with them as you proceed so you don’t have anything to worry about, All we require from you henceforth is an update so as to enable us be on track with you and the Central Bank of Nigeria, without wasting much time, will want you to contact them immediately with the above email address so as to enable them attend to your case accordingly without any further delay as time is already running out.
Should in case you need any more information’s in regards to this notification, be free to get back to us so that we can brief you more as we are here to guide you during and after this project has been completely perfected and you have received your contract fund as stated.
Thank you very much for your co-operation in advance as we earnestly await your urgent response to this matter.
Best Regards,
Robert S. Mueller III
Federal Bureau of Investigation
J. Edgar Hoover Building
935 Pennsylvania Avenue, NW Washington, D.C. 20535-0001, USA
internet.securitys_federalbureauofinvestigation@live.com
(Thanks to Jeff)
Alex Eckelberry
Ugly.
This time we are taking a close look at what could happen to an infected computer when the running bot receives a specific command to kill the Operating System. Not all types of bots have this functionality, but banking Trojans usually do. We will take three examples (InfoStealer, Zeus/Zbot and Nethell/Ambler); these are the most common Trojans in whose binaries we’ve definitely found the malicious code that is responsible for the Execution of Windows.
Link.
Alex Eckelberry
Our friends at Opswat have a new online scanner site, filterbit.com, currently in beta. Using Filterbit, you can upload a file and get results from 9 different scanners.
Filterbit is another site available to users, security researchers, administrators and the curious to upload files to see if they’re detected. This activity is an increasingly popular trend at places like Virustotal.com, Jotti, and Virscan.
Alex Eckelberry