Look before you leap (or click)

Our rogue software researcher Patrick (last name withheld to protect the innocent) goes to some strange places on the Internet pretty much on a daily basis. Recently he drew our attention to two interesting look-alike domain names: vvindows.com and google-rnail.com. Look carefully at them. In the first, two “v”s stand in for a “w”; in the second, “r” and “n” side by side pass for an “m.”

To someone browsing the Web, clicking on URLs in those nice emails that somebody keeps sending about bargain drugs and knockoff watches, the links are just blue squiggles to put your cursor on before clicking the mouse. You REALLY shouldn’t do that. You SHOULD read the URL first: hover over the link and look at the actual target, not the link text. In these two cases, you should read CAREFULLY. The first one, at a glance, looks like windows.com instead of vvindows.com.


It leads (through a redirect) to a legitimate site. So, that was an honest business using some tricky marketing.

The second, however, wasn’t so innocent. Clearly “google-rnail.com” is meant to look like “google-mail.com.”


That one, according to Patrick, was a look-alike page that would steal a visitor’s Gmail username and password. He watched it in action with a sniffer on his test machine.

That was before it was shut down:


The domain “google-mail.com” doesn’t exist:

It’s just one more technique on the web to take you places where you really don’t want to go.
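The pairs Patrick spotted can be caught mechanically. As an added example (not code from the original post), the script below collapses ASCII sequences that render like a single different letter (“vv” to “w”, “rn” to “m”, “cl” to “d”, and the digit/letter pairs “0”/“o” and “1”/“l”) into a “skeleton”, then compares that skeleton against a list of domains worth protecting. The confusable table, the PROTECTED list and the sample links are this example’s own assumptions; the two hostnames from the post are included as inputs.

```python
"""Added example (not from the original post): flag look-alike hostnames.

Some ASCII letter pairs render like a single different letter in common
screen fonts. Collapsing those pairs to the letter they imitate gives a
"skeleton" that a look-alike and its target share, so the two can be
compared mechanically. The confusable table and PROTECTED list below are
this example's own choices.
"""
import re
from urllib.parse import urlsplit

# Sequences that read as another letter. Multi-character pairs come first so
# they collapse before the single-character swaps run.
CONFUSABLES = [
    ("vv", "w"),
    ("rn", "m"),
    ("cl", "d"),
    ("0", "o"),
    ("1", "l"),
]

# Domains whose look-alikes we want to catch (assumed list for this example).
PROTECTED = {"windows.com", "google.com", "gmail.com", "microsoft.com"}
# Brand word -> its protected domain, e.g. "google" -> "google.com".
BRANDS = {d.split(".")[0]: d for d in PROTECTED}


def skeleton(text):
    """Collapse confusable sequences so visually similar strings compare equal."""
    s = text.lower()
    for seq, repl in CONFUSABLES:
        s = s.replace(seq, repl)
    return s


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for .com; a real deployment should
    use the Public Suffix List, or co.uk-style suffixes will be mis-split."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url):
    """Classify a URL's host. Returns (verdict, detail):
      trusted          - registrable domain is on the protected list
      lookalike        - skeleton of the domain equals a protected domain
      brand-in-domain  - a protected brand word appears as a label (or part of a
                         hyphenated label) of a domain that is not the brand's own
      clean            - none of the above
    """
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to find the host
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in PROTECTED:
        return ("trusted", domain)
    skel = skeleton(domain)
    if skel in PROTECTED:
        return ("lookalike", skel)
    for token in re.split(r"[.-]", skeleton(host)):
        if token in BRANDS:
            return ("brand-in-domain", BRANDS[token])
    return ("clean", domain)


if __name__ == "__main__":
    # Constructed sample links: the two from the post, a legitimate Google
    # host, and an unrelated bystander.
    for link in ("vvindows.com",
                 "http://google-rnail.com/login",
                 "https://mail.google.com/",
                 "example.com"):
        verdict, detail = check_url(link)
        print(f"{link:35} {verdict:16} {detail}")
```

vvindows.com comes back as a look-alike of windows.com, and google-rnail.com is flagged because its skeleton, google-mail.com, carries the google brand word in a domain Google does not own. The heuristic has false positives (a hostname such as windows.example.com is flagged too), so treat a hit as “read this one carefully” rather than “block”. The same skeleton idea extends to Unicode look-alikes in internationalized domain names; Unicode Technical Standard #39 publishes the confusables table for that.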

Tom Kelchner

Facebook photo marketing privacy issue is drawing attention

At least one marketing guru is pushing his fellow professionals to get past their inertia and start using social media more imaginatively.

That imaginative use of sites like Facebook and Twitter by marketers also is starting to attract the attention of people concerned with privacy.

Specifically, one feature of Facebook is drawing fire: the use of users’ photos on advertising that appears on their friends’ Facebook pages. People are much more likely to click on an ad for something that has a photo of one of their friends with it.

Apparently an ad by a third-party advertiser that scraped Facebook users’ photos and connected them to advertising took a potentially bad twist last week. A man with a Facebook account saw an ad for a singles Web site appear on his page (“Hey Peter, Hot singles are waiting for you!”) accompanied by his WIFE’s photo.


Facebook says it was a violation of the site privacy policy and booted the third-party advertiser.

(Read DownLoadSquad’s account here.)

The word started to get around that Facebook had changed its policy and allowed third-party advertisers to use members’ photos. Facebook made the effort to reassure users that it had not changed its privacy policy. In a post to the Facebook Blog, Barry Schnitt, the company’s manager of policy communications, wrote:

“In the past couple of days, a rumor has begun spreading that claims we have changed our policies for third-party advertisers and the use of your photos. These rumors are false, and we have made no such change in our advertising policies.”

We’d like to tell you more about Barry, but he guards his privacy. According to his link on the Facebook blog: “Barry only shares certain information with everyone.” (Link here.)

You, like Barry, can screw down your privacy settings in Facebook to limit the use of your photos. After you have logged in to Facebook, in the upper right corner next to the log-in box, click on “Settings.” Select “Privacy Settings,” then “News Feeds and Wall,” then the “Facebook Ads” tab. Click on the drop-down box and select “no one.”

Another way to guard your privacy: close down your Facebook page and create a new one using an alias.

As the saying goes about identities: “On the Internet, nobody knows you’re a dog.”

If it works for the dog, it can work for you!

Tom Kelchner

Remember to patch on Tuesday: Microsoft to release out-of-band updates

Microsoft is releasing two out-of-band updates on Tuesday. It’s always big news when MS does an out-of-band update, because it is a major amount of work for them to test against all the different operating systems, change their normal release cycle, etc.

Out-of-band updates are only done when Microsoft feels there is a real need, so I would take this update seriously (in the past several years, there have been only a few such updates, such as WMF and netapi32, the source of the Conficker nightmare).

Details are light, but according to information from Microsoft, one update will be for the Visual Studio product line, the second “contains defense-in-depth changes to Internet Explorer to mitigate future attacks related to the Visual Studio bulletin, as well as fixes for vulnerabilities rated Critical that are not currently under active attack.”

For the Visual Studio fix, the severity rating is “Moderate”, involving remote code execution, and will affect Microsoft Visual Studio .NET 2003, Microsoft Visual Studio 2005, Microsoft Visual Studio 2008, Microsoft Visual C++ 2005, and Microsoft Visual C++ 2008. The IE fix is rated at Critical, again involving remote code execution, and impacting IE on Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. There is considerably more information on the Advance Notification here.

Some additional information can be found at Brian Krebs and the Register, and you can stay updated by subscribing to the MSRC blog.


Alex Eckelberry

Maker’s schedule

Another excellent article has been posted by Paul Graham, a must-read writer on technology, startups and the technology business.

This time, about meetings, managers and makers:

One reason programmers dislike meetings so much is that they’re on a different type of schedule from other people. Meetings cost them more.

There are two types of schedule, which I’ll call the manager’s schedule and the maker’s schedule. The manager’s schedule is for bosses. It’s embodied in the traditional appointment book, with each day cut into one hour intervals. You can block off several hours for a single task if you need to, but by default you change what you’re doing every hour.

Link here.

Alex Eckelberry

Sleazy stuff you can buy in bad company: mobile texting spyware.

One of our rogue researchers from the seventh-floor caves brought this to my attention today. It’s an advertisement for mobile device texting spyware sold by some Russian folks we’ve known for a long time. They’re also the folks who bring you rogue anti-malware sold through fake codecs.

Patrick was checking links on web sites that led to fake codecs and associated web sites that invariably peddle rogues. Clicking on links on one site multiple times directed him to different rogue sites AND this little gem.

We’re not revealing the name of the product or site for obvious reasons. However, here are the download instructions:

“All you have to do to start using our service is following three easy steps:
A) Get registered at our site
B) Download the program
C) Install it at the cell phone of your partner
AND THAT’S IT !

“As soon as you are done with this, you will be able to view both the sent and the incoming SMS messages here at our site, inside your account area.
You will be able to read them ALL online !”

Yeah, “THAT’S IT” all right! And, of course, one wonders who else is reading the addresses and other information from your victim’s phone in “your account.”

The EULA is a priceless piece of Engrish and doublespeak:

[Spyware] Terms & Conditions

By getting registered at this Website you testify that you have read, understood and accepted the following User Agreement (further referred to as “Terms & Conditions”).

Having downloaded [spyware] software into your PC, you become the official user of a registered software product. Please, note that any usage of [spyware] that goes against the law of your country or against these Terms & Conditions may be classified as an action requiring legal punishment.

We strongly suggest you have read these Terms & Conditions before installing and using our software, follow them when using [spyware] and have made sure that the use of this kind of software is not considered unlawful in your country.

Sphere of use of [spyware] software:

1. [spyware] can be installed into the cell phone of your underage or incapable child or into the cell phone of any other incapable person that you have the wardship of (by an official decision of legal authorities in your country) in order to prevent him/her from the contacts that can cause harm to his/her health and/or property.
2. [spyware] can be installed into your cell phone in order to avoid its unauthorized use by third parties.
3. [spyware] can be installed into the cell phones owned by a legal entity belonging to you in order to avoid its unauthorized use by corporate users. In this case, the users of these phones must be warned about the fact that the use of these phones for private needs is unacceptable as well as about the presence of software utilized in order to control the use of corporate phone and internet traffic in written form.
4. As a user of [spyware] software you must take all necessary measures in order to avoid the use of the Site’s resources by third parties (protect your User ID and Password used to access [spyware] website).

According to these Terms & Conditions you are NOT ALLOWED:

1. To install your [spyware] software into the cell phones belonging to other people without getting their explicit agreement.
2. To get access to other people’s accounts at [spyware] website against the will of their owners by any means, including but not limited to: hacking or stealing Users IDs and Passwords.
3. To use other people’s User IDs and Passwords to access their accounts (except the cases when you have got an explicit agreement to do it from the owner of the account).

I suppose that attractive young lady in the art work in the ad is an “underage or incapable child” that somebody has “wardship” of “by an official decision” of the “legal authorities” of her country.

Thanks to Patrick for this find.

Tom Kelchner

Growth of malware: latest update

As an update to my May post on Andreas Marx’s chart on the growth of malware, here are the latest stats from AV-Test.org.

Unique samples added by month:


Total number of unique samples in the AV-Test zoo:


According to Marx, “if you look at the graphics, you can see that anti-virus companies have to deal with more than one million unique new malware samples per month. In total, we have over 22 million unique malicious programs in our collection.”

That’s a lot of malware…

(Original Excel spreadsheet here.)

Alex Eckelberry

Targeted attacks

I often have to explain targeted attacks to people, but having examples makes the task much easier. To that end, our friends over at F-Secure have put together a collection of screen shots of various “bait” files — documents that infect your system when you open them. Take a look here.

It’s this kind of targeted attack that was used in GhostNet, which infected quite a few prominent institutions and agencies.

To protect themselves, many organizations license our CWSandbox software, specifically to analyze large quantities of files before they enter the network, to see if they’re malicious or not (you can test files yourself through our free interface).

Alex Eckelberry

Welcome, Bill

Bill Emerick, formerly VP of Product Management for Sophos, has joined Sunbelt as VP of Product Management and Operations. We’re thrilled to have him on the team. Welcome aboard, Bill.

Incidentally, we’re growing very fast and hiring for a broad swath of positions.  Even if a position is not posted on our website, send a resume to HR in case a position is coming up in the future.   All I can promise is a great work atmosphere, beautiful weather and, of course, getting to work on some of the coolest stuff in the business.

Alex Eckelberry

New Adobe vuln in Reader and Flash Player

Adobe is reporting yet another “potential vulnerability” affecting Adobe Reader and Acrobat 9.1.2 and Flash Player 9 and 10 and is “investigating this potential issue.” (their blog post here.)

A malicious Flash (SWF) file can be embedded in a PDF document, and a vulnerable copy of Adobe Reader will run it with its bundled Flash component; the same malicious SWF can also be served to the browser and hit Flash Player directly. A small number of in-the-wild exploits have been reported. A fix is expected by the end of July.

US-CERT has posted workarounds:
Disable Flash in Adobe Reader 9 on Windows platforms by renaming the following files: “%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll” and “%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll”. (This disables Flash and 3D content inside PDFs until you rename the files back, so note the change and revert it once the patched Reader is installed.)

Disable Flash Player or selectively enable Flash content. CERT offers a document on securing your web browser here.
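If you have to roll the Reader workaround out to more than a handful of machines, it helps to have something that applies it, verifies it and reverts it the same way every time. The script below is an added example, not code from the post or from US-CERT: it parks the two DLLs under a “.disabled” suffix, reports their state, and restores them. The DLL names and default path are from the advisory; the suffix, the command-line handling and the constructed demo directory are this example’s own choices.

```python
"""Added example (not from the post or from US-CERT): apply, verify and
revert the workaround of renaming Adobe Reader 9's authplay.dll and
rt3d.dll. DLL names and default path are from the advisory; the
".disabled" suffix and the demo directory are this example's own choices.
"""
import os
import tempfile

FLASH_DLLS = ("authplay.dll", "rt3d.dll")
SUFFIX = ".disabled"
# Default location per the advisory. expandvars only resolves %ProgramFiles%
# on Windows, which is fine: the rename is only meaningful there.
DEFAULT_READER_DIR = os.path.expandvars(r"%ProgramFiles%\Adobe\Reader 9.0\Reader")


def flash_status(reader_dir):
    """Return {dll: 'enabled' | 'disabled' | 'missing'} for each DLL."""
    status = {}
    for name in FLASH_DLLS:
        live = os.path.join(reader_dir, name)
        if os.path.exists(live):
            status[name] = "enabled"
        elif os.path.exists(live + SUFFIX):
            status[name] = "disabled"
        else:
            status[name] = "missing"   # not installed, or already renamed by hand
    return status


def disable_flash(reader_dir):
    """Park each live DLL under <name>.disabled. Idempotent: DLLs already
    parked or missing are left alone. Returns the names it renamed."""
    renamed = []
    for name, state in flash_status(reader_dir).items():
        if state != "enabled":
            continue
        live = os.path.join(reader_dir, name)
        parked = live + SUFFIX
        if os.path.exists(parked):
            continue                    # refuse to clobber an earlier backup
        os.rename(live, parked)         # original bytes kept for a clean revert
        renamed.append(name)
    return renamed


def enable_flash(reader_dir):
    """Reverse disable_flash once a patched Reader is in place. Returns names restored."""
    restored = []
    for name, state in flash_status(reader_dir).items():
        if state != "disabled":
            continue
        live = os.path.join(reader_dir, name)
        os.rename(live + SUFFIX, live)
        restored.append(name)
    return restored


def make_demo_reader_dir():
    """Constructed stand-in for a Reader 9 install so the script runs offline:
    a temp directory holding zero-byte files with the two DLL names."""
    path = tempfile.mkdtemp(prefix="reader9-demo-")
    for name in FLASH_DLLS:
        open(os.path.join(path, name), "wb").close()
    return path


if __name__ == "__main__":
    import sys
    # Real use: python thisfile.py [status|disable|enable] [reader_dir]
    # With no arguments it walks through the cycle on the constructed demo directory.
    action = sys.argv[1] if len(sys.argv) > 1 else "demo"
    target = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_READER_DIR
    if action == "demo":
        target = make_demo_reader_dir()
        print("before:  ", flash_status(target))
        print("renamed: ", disable_flash(target))
        print("after:   ", flash_status(target))
        print("restored:", enable_flash(target))
    elif action == "disable":
        print("renamed: ", disable_flash(target))
    elif action == "enable":
        print("restored:", enable_flash(target))
    else:
        print(flash_status(target))
```

On a real machine the renames need administrator rights and fail with a permission error while Reader or a browser plug-in has the DLLs loaded, so close Reader first. Run the “status” action after the Adobe fix is deployed: an update may reinstall the live DLLs alongside your parked copies, at which point you want “enable” to clean up rather than leaving both on disk.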

Tom Kelchner

Botnets: what they do and how much money they make

One of the good folks over at Kaspersky Lab, Yury Namestnikov, has written a great white paper about the worldwide botnet “industry.” The story was picked up by Computer Weekly which did a good summary of it.

The financial “highlights” of the ill-gotten gains from botnets (From Computer Weekly):

• Hiring a botnet for DDoS attacks costs from $50 to thousands of dollars for a continuous 24-hour attack.
• Stolen bank account details vary from $1 to $1,500 depending on the level of detail and account balance.
• Personal data capable of allowing the criminals to open accounts in stolen names costs $5 to $8 for US citizens; two or three times that for EU citizens.
• A list of one million email addresses costs between $20 and $100; spammers charge $150 to $200 extra for doing the mailshot.
• Targeted spam mailshots can cost from $70 for a few thousand names to $1,000 for tens of millions of names.
• User accounts for paid online services and games stores such as Steam go for $7 to $15 per account.
• Phishers pay $1,000 to $2,000 a month for access to fast flux botnets.
• Spam to optimize a search engine ranking is about $300 per month.
• Adware and malware installation ranges from 30 cents to $1.50 for each program installed. But rates for infecting a computer can vary widely, from $3 in China to $120 in the US, per computer.

And what makes this all possible? There are tens of millions of PCs available to botnet operators because of bad computer security on machines in homes and bad security practices by the people who use them.

Computer Weekly story: “Kaspersky reveals price list for botnet attacks”

Original white paper here. “The economics of Botnets”

Tom Kelchner

Aussie police rattle the WiFi door knobs

Police in Queensland, Australia, are doing an electronic version of rattling the doorknobs – they’re war driving, looking for unsecured home WiFi connections.

Queensland Detective Superintendent Brian Hay said “All unsecured WiFi networks out there are open for exploitation by the crooks and the average mum and dad don’t understand the vulnerabilities.”

Intruders can use open connections to hack into other sites, plant malware on the web or steal information. Anyone tracing the malicious behavior would be led back to the victim with the open connection.

I’m sure I’m not the only one who has seen all the unsecured wireless connections in his neighborhood. In two places I’ve lived recently there have been three visible in each. One of them had a network name that looked like a 20-digit password and no password. Now that I think about it, I’ve never opened up my laptop without seeing at least one unsecured network.

Yeah, it’s a little complicated, but you really should gut through it and lock down your wireless router: turn on WPA2 encryption (not WEP, which can be cracked in minutes) and give it a strong passphrase.

Story here.

Tom Kelchner

Erin Andrews “peep hole” video malware booming


Today isn’t a good time to go looking for that Erin Andrews “peep hole” video.

There has been a boom in malicious spam, web sites and Twitter posts advertising a “peep hole” video of ESPN reporter Erin Andrews undressing in a hotel room.

Researchers at Sunbelt Software have found that the Trojan installers used in the scam are being churned out in a large number of polymorphic variants: the installer served differs from site to site and changes daily, and we have seen around 10,000 unique hashes so far.

VIPRE detects one as Trojan.NSIS.DnsChanger (v). Detections for a second, Trojan-Downloader.Win32.CodecPack.2GCash.Gen, will be pushed out shortly.

At one point on Tuesday, July 21, the number-one hit in a Google search for “Erin Andrews” was just two clicks away from a site with a downloader.

Needless to say, don’t get curious about the video. A rogue anti-malware product and a key logger are among the things that are downloaded.

Tom Kelchner

Windows Security Center gives false alarm on VIPRE® for Vista SP1

Some VIPRE® users have notified us that they are getting warnings from the Microsoft Security Center that VIPRE® is incompatible with Microsoft’s Vista SP1. It’s a false alarm. The warning pop-up window looks like this:


The text of the note from Microsoft’s Windows Security Center team is:

“To: Security Center ISV
Subject: RE: Windows Security Center Showing “incompatible” notification for AV on Vista SP1

“We have an update:

“We have determined that for full installs of Windows Vista SP1 (not updates) the grace period is actually starting at the time the build was staged for release, not when Windows was actually installed on the end user’s computer. In these cases, the grace period is ending on July 14, 2009.

“We have developed a tool to fix this issue on affected machines and are currently testing it. The tool extends the grace period through September. Our plan is to have it available by the end of next week.

“We thank you for your continued patience….

“Thanks,
Windows Security Center Team

Tom Kelchner

Sunbelt’s ThreatTrack™ feed helps StopBadware.org

The partnership between Sunbelt Software and StopBadware.org was part of this week’s Data Security Podcast, with info security specialist Ira Victor and broadcaster Samantha Stone. Sunbelt sponsors this podcast, but that’s not the reason we were part of the discussion.

StopBadware.org collects the URLs of malicious and compromised websites from data partners like Sunbelt Software then helps site owners and web hosting companies clean up and protect their sites. Sunbelt provides StopBadware.org with data about sites carrying malcode from its ThreatTrack™ feed.

The portion of the podcast mentioning StopBadware.org and Sunbelt is here.

You can listen to the entire podcast here.

The section about Sunbelt Software and StopBadware is at the 20 minute point.

You can read about our support of StopBadware.org here.

Tom Kelchner

Close to home: MyDoom DDoS attacks controlled from N. Korea S. Korea UK Florida

PCWorld is reporting that the distributed denial-of-service attacks against U.S. and South Korean government web sites were commanded from one controlling server, not in North Korea, not in South Korea, not in the UK, but rather in Miami, Florida, U.S.A.

Yesterday, researchers at a Vietnamese security firm said they’d traced the command-and-control server that directed the attacks to an IP address used by Global Digital Broadcast of Brighton, England. The company provides IP television.

Further investigation revealed that the actual C-and-C machine is owned by one of Global’s partners, Digital Latin America, and is on a virtual private network connected to Global’s network in the U.K., but is physically in Miami, Fla. Digital Latin America encodes television programming for IP TV devices.

The attacks, which began the first week of this month, involved that controlling computer and eight other machines that sent periodic commands to a botnet of 167,000 compromised machines around the world.

Story here.

Tom Kelchner

The tiny itsy bitsy link to Octoshape’s EULA

Octoshape, the Danish P2P video “enhancer” that came into prominence after it was offered on CNN’s site during the presidential inauguration in January, still has only an obscure link to its EULA where it explains that it IS peer-to-peer software running on your machine.

Such a minor notification is hardly sufficient to tell potential users what they’re really installing. There also is only obscure notification that you, your company or your ISP is paying for the bandwidth to deliver CNN’s content.

In order to meet bandwidth demand for streaming video, CNN began using this Adobe Flash Player add-on, which joins the user’s machine to a P2P network. Video content is then delivered from/to other peers on the grid. CNN’s streaming live video actually plays fine without the Octoshape installation.

Currently, Octoshape is classified as a Low Risk “Potentially Unwanted Program” by Sunbelt Software products. The advice type is set to ignore (active protection quarantines it as well).

The company, Octoshape ApS of Copenhagen, Denmark, has taken quite a bit of heat and has made some small concessions, but they still basically hide the information that Octoshape is a P2P app that sends the video from your machine to other machines and uses your bandwidth to deliver content. CNN could be part of the problem too, since it controls a good part of the install process.

Within the prompt that asks you to agree to the installation of Octoshape, there is a clickable blue question mark, which takes the user to additional information, including an FAQ, EULA, and Privacy Policy.

Most users will never see that additional info, though. So, the key facts regarding the P2P nature of the application are still not put before the user in a clear, straightforward fashion.

A good background story can be found on the Windows Secrets blog here.

Tom Kelchner and Eric L. Howes

Threat level high: Microsoft vulnerabilities ITW

We just set the Sunbelt Threat Level to high since our researchers and at least two other major organizations have found in-the-wild exploit code for the most recent Microsoft vulnerability (Microsoft Security Advisory 973472).

Workaround here.

Microsoft’s advisory, posted today, describes a vulnerability in the Office Web Components ActiveX control that Internet Explorer uses to display Excel spreadsheets, shipped with Microsoft Office versions before Office 2007. It can allow remote code execution when Internet Explorer loads a web page that instantiates the control.

Since this advisory was just released today, the vulnerability probably will not be fixed tomorrow on “Patch Tuesday.”

It follows last week’s security advisory (972890) warning of a vulnerability in the Microsoft Video ActiveX Control. That one is also being actively exploited; it allows an attacker to run arbitrary code on an affected machine. A patch isn’t expected soon, but a workaround is available here.

Tom Kelchner

Snap poll results: Majority of admins and users “hate” Office 2007


We’ve been running a snap poll on our site since Friday asking about Office 2007. Admittedly non-scientific, but we find it to be a fairly good “quick” read on big questions.

There were a lot of clicks on the poll. And since readers of our site tend to skew toward enterprise system administrators, it’s a wake-up call to Microsoft to kill the damned ribbon in Office 2010.

Alex Eckelberry

The nuttiness has started: A “show of force or strength” for North Korea

Earlier today, I wrote a blog post cautioning against the rising hysteria over the current DDoS attacks.

Now, in direct contradiction to the opinion of security experts, Rep. Peter Hoekstra (R-Michigan) says the US should conduct a “show of force or strength” against North Korea.

This enterprising fellow is pushing for the United States and United Nations to take action based on… nothing. We have not heard or seen a credible shred of evidence that North Korea is behind these attacks.

Compounding the bizarre state of affairs, ABC News commentator Mike Malone beats the drum for cyberfear, linking dying children and his dislike of “hackers,” sort of blames South Korea, and then makes this oddball statement:

Yeah, right. As if all of those millions of middle-class teenaged private owners of broadband connected laptops all over that electricity black hole called the People’s Republic of North Korea spontaneously decided to hack the Web sites of another country’s government and largest corporations.

Which is mystifying, because that’s not how this botnet (or pretty much any other one) works — these machines are not in North Korea, they’re all over the place.

We learned a harsh lesson not so long ago on military action based on flawed intelligence and hysteria. Let’s not repeat the same thing again.

Alex Eckelberry