Learning computer security from experience without getting pwned

Watching kids grow up shows you some sobering things about learning. Probably the foremost is that you usually have to get hurt before you REALLY learn.

There were two high-profile news stories in the last few days that emphasized some computer security concepts and nobody actually got hurt.

Story one: someone mailed a fake fraud alert to some small credit unions with two CDs of “training material” that were believed to contain malcode. The personnel who received them immediately did the right thing: notified the National Credit Union Administration, which quickly sent out a real fraud alert. The casual news reader learns: “Whoa! Bad guys can MAIL CDs with malware that can compromise networks or computers.”

Story two: the governor’s office in West Virginia received five HP laptop computers that they didn’t order. They checked with their IT staff, then called state police, suspecting the machines contained Trojans. The FBI is investigating that incident and similar ones in about 10 other states. The casual news reader learns: “Whoa! Bad guys can mail ENTIRE COMPUTERS that can compromise networks or computers.”

The first story turned out to be part of some penetration testing by a Columbus, Ohio, testing group checking the security at the credit unions. They found that security practices were good.

We have yet to learn what’s lurking on the laptops in the FBI’s possession besides Vista, Office 2007 and 20 GB of crapware.

The point was made: malware can arrive in any storage media, not just via the Internet.

Story one here.

Story two here.

Tom Kelchner

Microsoft rolls out next phase of Office Genuine Advantage

Microsoft updates this week will contain code to check for pirated versions of Office XP, Office 2003 and Office 2007. It’s the next phase of the “Office Genuine Advantage” (OGA) program which will throw up a nag screen that says “This copy of Microsoft Office is not genuine” if it finds a pirated version.

Theft by software pirates is vast. It was estimated that 41 percent of the software on machines throughout the world in 2008 was pirated – a $50 billion loss to manufacturers and resellers.

There’s a good story about it here.

And here.

Just like in physics, any big move like this by a legitimate manufacturer of popular software is sure to have an equal but opposite reaction on the dark side. We wish Microsoft luck with OGA, but still we predict:

— A news story in the next few weeks about somebody’s discovery of a mechanism to defeat or sidestep OGA security.

— The availability of patches, or entire reverse engineered Windows operating systems and Office versions that suppress or evade the OGA nag screens. The pirated apps will probably attempt to evade updates. The net result will be that they also will avoid patches for newly discovered vulnerabilities.

— Trojanized Windows Office versions that are distributed as apps that evade the Windows Genuine Advantage mechanisms.

— Malicious spam advertising the above.

— Yet more bot-riddled machines in China.

Tom Kelchner

Two sources: phishing email volume dropped in first half of year

Internet users might be getting more security savvy and are getting better at identifying phishing emails.

Phishing spam is down significantly, according to two recent reports, one by Russian anti-virus company Kaspersky and the other by IBM’s Internet Security X-Force.

Phishing, the attempt to lure victims into revealing banking web site passwords or other sensitive information, is largely aimed at PayPal and eBay customers, according to Kaspersky researchers. They said 60 percent of the phishing emails they monitored were attempts to steal login information for those two businesses.

The Kaspersky researchers said in their report that in the first quarter of this year, phishing emails made up 0.78 percent of email traffic. In the second quarter it fell to 0.49 percent.

The IBM X-Force researchers reported that phishing made up 0.2 to 0.8 percent of spam emails during sampling periods in the first half of last year. It was 0.1 percent of spam in the first half of this year.

Besides Internet users being more security conscious, they said, other reasons for the drop could be the success of anti-phishing measures in anti-malware products, or banking Trojans replacing phishing as the preferred way to steal credentials. IBM estimated that 55,000 people still lose their confidential information to phishing every month.

Kaspersky report here.

Story on IBM report here.

Tom Kelchner

Zango using fake codec to install

Zango adware has been out of sight for a while. It’s back with a new twist: using a fake codec to install its pain-in-the-butt software. The lure for the codec: an alleged porn video viewer.

Here’s researcher Patrick Jordan’s narrative:

“Any site that runs a fake codec scam or other social engineering scam to get users to infect themselves — those sites directly and indirectly associated are put into my sites listings and Zango just made it!

“From a rotational site I use to get the standard fake codecs and dischargers, today I found one of the re-directs going to a fake codec page advertising porn movies and the normal ‘No video player found.’

“What I got was a pop-up for a DreamMediaPlayerSetup.exe coming from prompt-zangocash.com.

“Even just going to the main site url will also give a type of fake scanning then tell you not to close the window until installation is complete.”

Sites on the same IP all come under the same email user name with two different aliases:

Andrej Zolotov jcc_parker @ yahoo.com
Dmitry Ivanov Private person jcc_parker @ yahoo.com

216.12.161.18

coolvideoss.com
evideofreak.com
hidevideozz.com
innovavids.com
paradisios.com
pornntubxxx.com
pornotubxxx.com
porntubxxx.com
pvideoguide.org
qualivids.com
reliable007.com
videoguidez.com
videolifezzz.com
youvideoss.com
youvideozz.com

Our last blog entry, from April, about Zango being sold at fire-sale prices is here:

Thanks Patrick

Tom Kelchner

Virus.Win32.Induc.a (v) spreads from Delphi compiler

The question has come up and the answer is “no.” No, VIPRE and other Sunbelt software have not been infected by Virus.Win32.Induc.a.

For a virus with no malicious payload in 2009, Virus.Win32.Induc.a has certainly made the headlines. That is probably because it is an innovative idea. Maybe an update will make it malicious, but it does nothing now.

According to Sunbelt Vice President of Threat Research and Technologies Michael St. Neitzel, Delphi is used by developers much more in Europe and Russia than in the U.S.

According to St. Neitzel: “This is a real challenge for anti-virus vendors and those on the receiving end. When AV scanners start identifying applications as infected with Win32.Induc, it’s an open question whether or not the scanners can clean them.”

“If they can’t, the original developers are going to be required to get the infection out of their Delphi compilers, recompile the applications and get the clean code back to their customers. Given there could be different versions of the infected applications in circulation, this is going to be a real nightmare for some companies to deal with,” he said.

See story here:

Tom Kelchner

Windows pirates in China get jail, fines

Four software pirates in China were sentenced to several years in prison and fined for running a web site that distributed, FOR FREE, 10 million copies of Windows XP over five years, according to the Shanghai Daily newspaper.

According to prosecutors, the four used a web site to distribute copies of Windows XP that were reverse engineered to remove anti-copying measures and renamed “Tomato Garden.” They made more than $400,000 selling advertising on the site.

Story here.

And here.

Since these pirated copies of Windows never got updated, they helped establish a vast reservoir of computers wide open to new and old exploits. One can be sure those machines have been used to set up some of the huge botnets that prey on all of us.

So, the Windows XP copies that these guys gave away were a gift of the 21st century the way smallpox-infected blankets were a “gift” in the 18th.

Tom Kelchner

First Internet addiction treatment center opens in Washington state

Two women have begun a small treatment program for Internet addiction near Fall City, Wash., called the reStart: Internet Addiction Recovery Program.

The two — Cosette Rae, a clinical social worker, and author Hilarie Cash — believe their center is a first in the U.S. They started it after treating a large number of people dependent on gaming, gambling, chatting, texting and other Internet-related activities.

The 45-day treatment program at the five-acre Heavensfield costs $322 per day.

Discussions of Internet addiction usually range from the amused (“so, who isn’t?”) to the dismissive (“just go outside and play”) and the entire concept is controversial.

Commentary on addiction or excessive use of new substances or activities has been around for a long, long time. One of Nuremberg artist Albrecht Durer’s most profound prints is his “Melancholia,” which shows a pretty depressed looking angel surrounded by intellectual apparatus and tools of the day (1514). And Hogarth’s social commentary on the drinking habits of his fellow Englishmen in his “Beer Street” and “Gin Lane” prints is a condemnation of the gin, a newly-available intoxicant in 1751. So, even those hundreds of years ago, people were trying to figure out “how much of this is really healthy?”

Today, the answer for malware writers is pretty simple: “you need to do a lot less coding and play a lot more World of Warcraft!” And when you need a break, fly over to Heavensfield. (“Resurrection in 45 days!”)

Story here.

VIPRE “runs just fine in Win7 XP mode”

XP mode in Windows 7 is a little bit different: it runs in a virtual environment. The implications of that are pretty big for anti-virus companies, since the anti-virus application you are running in Win7 doesn’t protect the XP mode partition, and vice versa.

Here at Sunbelt Software the quality assurance group just tested the Win7 XP mode and found that VIPRE runs just fine.

According to Curt Larson, VIPRE/CounterSpy Product Manager:

“XP mode acts like a virtual environment in W7. Scanning in XP mode only scans files in the XP mode session, it does not scan on the W7 box itself. Two copies of VIPRE were installed, one in XP mode, one in W7, both performed properly.

“We are thus compatible with XP mode. Our company policy is a single-user license applies to one box, and any VM sessions on that box. A single-user license is set up to allow multiple installations on one box with W7 and XP mode both running.

“Short answer: ‘We’re compatible with XP mode in W7. License applies per box, not per instance of VIPRE on a box.’”

Tom Kelchner

Sunbelt named One of America’s Fastest-Growing Companies

Sunbelt Software has been included in Inc. Magazine’s third annual ranking of the 5000 fastest-growing private companies in the U.S. This is the third time that Sunbelt has been on an Inc. 500 or 5000 ranking.

“The Inc. 5000 gives a cross-industry picture of growing companies with cutting-edge business models, as well as older companies that are still demonstrating growth,” said Inc. 5000 Project Manager Jim Melloan.

“Sunbelt’s position as a leading provider in its industry, coupled with its history of year-over-year growth, makes it a prime example of the caliber of companies included on the list of the fastest-growing companies in the country.”

And now, a word from Alex (that would be CEO Alex Eckelberry):

“Over the past year, the pressures of the economic downturn have made Internet attacks more prevalent than ever, and financially motivated threats continue to rise. Thanks in large part to our VIPRE® next-generation anti-malware offering, Sunbelt gives enterprises and consumers the up-to-date computer security they need to be able to carry out their Internet activities in a safe environment. We continue to drive new innovations in the security industry and the honor of being included on the Inc. 5000 list is an indication that we’re staying on the right track.”

Read all about it here.

Tom Kelchner

Surviving a third party onsite audit

The staff at the SANS Internet Storm Center has put together a good brief piece on how to prepare for and go through an outside IT audit. The philosophy is basically: work with the auditors rather than against them in order to get the maximum value from the process.

Text here.

Johannes Ullrich discusses it and adds some good comments in the Aug. 17 podcast.

Someone also left a great comment with the article: if the auditors find problems, you can always use them as leverage to get more budget.

The SANS Institute, in Bethesda, Md., provides information security training, certification and research. Its Storm Center is a cooperative venture in which volunteer members share intrusion detection information to spot and analyze worms and other fast-moving malicious software.

When Zombies attack

“Zombies are a popular figure in pop culture/entertainment and they are usually portrayed as being brought about through an outbreak or epidemic. Consequently, we model a zombie attack, using biological assumptions based on popular zombie movies. We introduce a basic model for zombie infection, determine equilibria and their stability, and illustrate the outcome with numerical solutions. We then refine the model to introduce a latent period of zombification, whereby humans are infected, but not infectious, before becoming undead. We then modify the model to include the effects of possible quarantine or a cure. Finally, we examine the impact of regular, impulsive reductions in the number of zombies and derive conditions under which eradication can occur. We show that only quick, aggressive attacks can stave off the doomsday scenario: the collapse of society as zombies overtake us all.”

From When Zombies attack!: Mathematical modelling of an outbreak of zombie infection (via GMSV).

Alex Eckelberry

Browsers tested for phishing and social engineering malware

NSS Labs has posted the results of its testing of the big six browsers for their ability to repel social engineering malware and phishing attacks. “The results are based upon empirically validated evidence gathered by NSS Labs during continuous 24×7 testing against fresh, live malicious sites” they said.

Social engineering threats caught:

— Microsoft Internet Explorer v8 (81 percent)
— Mozilla Firefox v3 (27 percent)
— Apple Safari v4 (21 percent)
— Google Chrome 2 (7 percent)
— Opera 10 Beta (1 percent)

Phishing threats caught:

— Microsoft Internet Explorer v8 (83 percent)
— Mozilla Firefox v3 (80 percent)
— Opera 10 Beta (54 percent)
— Google Chrome 2 (26 percent)
— Apple Safari v4 (2 percent)

Test results here.

Tom Kelchner

Controlling a botnet with 140 characters or fewer

Jose Nazario, writing on the Arbor Network Security blog “Security to the Core,” has described a botnet that uses Twitter as a command-and-control channel. The bot owner sends update information in a tweet and RSS feeds send it to the botnet.

The tweeted update information is in the form of a shortened URL, which leads to one of several malicious web sites. Before they were taken down, Nazario found that the sites downloaded a packed .exe file that was an information stealer (Buzus) and a packed .dll file loaded with the URLs to which the .exe could phone home the stolen information.

The mechanism seems to be the work of Brazilian ID thieves, he said.
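The chain Nazario describes (bot polls a feed, follows a shortened URL, pulls an executable) is visible from the defender’s side in web proxy logs. The script below is an added example, not code from the Arbor post or from Sunbelt: it assumes a simple space-separated proxy log format, a constructed set of sample lines, and illustrative feed and URL-shortener host lists that you would tune to your own environment. It flags a client that fetches a feed, hits a shortener and downloads an executable within a short window, and separately flags clients polling the same feed at a near-constant interval, which is what a bot waiting for orders looks like.

```python
"""Hunt for the feed -> short URL -> executable pattern in web proxy logs.

Added example, not from the Arbor post. Assumptions: a simple space-separated
proxy log line format, constructed sample lines, and illustrative feed and
URL-shortener host lists (tune these to your own environment).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log: "<ISO time> <client> <method> <url> <status> <content-type>"
SAMPLE_LOG = """\
2009-08-14T09:00:01 10.0.0.5 GET http://twitter.com/statuses/user_timeline/123456.rss 200 application/rss+xml
2009-08-14T09:00:03 10.0.0.5 GET http://bit.ly/abc123 301 text/html
2009-08-14T09:00:04 10.0.0.5 GET http://payload-host.invalid/upd.exe 200 application/x-msdownload
2009-08-14T09:05:01 10.0.0.5 GET http://twitter.com/statuses/user_timeline/123456.rss 200 application/rss+xml
2009-08-14T09:10:01 10.0.0.5 GET http://twitter.com/statuses/user_timeline/123456.rss 200 application/rss+xml
2009-08-14T09:12:30 10.0.0.9 GET http://twitter.com/statuses/user_timeline/555.rss 200 application/rss+xml
2009-08-14T09:13:40 10.0.0.9 GET http://news.example.invalid/story.html 200 text/html
2009-08-14T11:40:00 10.0.0.9 GET http://bit.ly/zzz 301 text/html
"""

FEED_HOSTS = {"twitter.com"}                          # where the bot reads its orders
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "is.gd"}  # illustrative shortener list
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}
CHAIN_WINDOW = timedelta(minutes=2)  # max gap allowed between consecutive steps


def parse_log(text):
    """Turn the sample log format into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        when, client, method, url, status, ctype = parts
        entries.append({
            "time": datetime.fromisoformat(when),
            "client": client,
            "method": method,
            "url": url,
            "host": urlparse(url).hostname or "",
            "status": int(status),
            "ctype": ctype,
        })
    return entries


def is_feed_fetch(e):
    return e["host"] in FEED_HOSTS and e["ctype"].startswith("application/rss")


def find_c2_chains(entries, window=CHAIN_WINDOW):
    """Per client: feed fetch -> shortener -> executable, each hop within `window`."""
    by_client = defaultdict(list)
    for e in entries:
        by_client[e["client"]].append(e)
    hits = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda e: e["time"])
        feed = shortener = None
        for e in reqs:
            if is_feed_fetch(e):
                feed, shortener = e, None  # (re)start the chain at the newest poll
            elif feed and e["host"] in SHORTENER_HOSTS and e["time"] - feed["time"] <= window:
                shortener = e
            elif shortener and e["ctype"] in EXE_TYPES and e["time"] - shortener["time"] <= window:
                hits.append({"client": client, "feed": feed["url"],
                             "shortener": shortener["url"], "payload": e["url"]})
                feed = shortener = None
    return hits


def find_periodic_polling(entries, min_polls=3, jitter=timedelta(seconds=30)):
    """Flag clients that fetch the same feed at near-constant intervals (beaconing)."""
    polls = defaultdict(list)
    for e in entries:
        if is_feed_fetch(e):
            polls[(e["client"], e["url"])].append(e["time"])
    flagged = []
    for (client, url), times in polls.items():
        if len(times) < min_polls:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter:
            flagged.append({"client": client, "feed": url,
                            "interval_s": gaps[0].total_seconds()})
    return flagged


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for hit in find_c2_chains(log):
        print("C2 chain:", hit)
    for beacon in find_periodic_polling(log):
        print("Periodic feed polling:", beacon)
```

On the constructed sample, only 10.0.0.5 is reported for both checks; 10.0.0.9 reads a feed and later hits a shortener, but hours apart, so it does not match. In practice the shortener list is the weak point (new services appear constantly), which is why the interval check, which needs no list at all, is worth running alongside the chain check.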

Blog post here.

Tom Kelchner

China bans use of electroshock therapy for Internet addiction

No, that headline isn’t from the Onion.

Entire blog post here.

Xinhua story from July 16 here.

Sometimes a big story is eclipsed by a larger one. This is one of them.

The fact that China banned electroshock therapy for Internet addiction showed up several weeks ago, in the later paragraphs of many of the same stories that reported the account of a Chinese boy getting beaten to death in a boot-camp style institution that was supposed to cure him of Internet addiction.

The bottom line in both stories is that in China the list of diagnostic standards for a lot of emotional and psychological conditions is kind of messy.

Apparently there are hundreds of institutions that make a lot of money “treating” kids who are diagnosed with “Internet addiction.” Internet addiction is defined as spending more than six hours a day at the computer. By that definition, it is claimed that 10 percent of the Internet-using public in China is addicted: 30,000. It was estimated that 3,000 had already been zapped.

I’m going to end this now without making any jokes about my friends who spend more than six hours a day on WoW.

GO OUTSIDE AND PLAY!

NY Times story here.

Tom Kelchner

The best laid schemes o’ mice an’ men gang aft agley (In China too)

The Chinese Minister of Industry and Information Technology, Li Yizhong, has said that the fiat that all computers sold in his country after July 1 were required to have Green Dam Internet censoring software was just a great big misunderstanding.

Green Dam will be installed in school computers and those in public places, but computer buyers are not required to install it on their own machines, he said.

Almost from the moment the Ministry of Industry and Information Technology announced the requirement in May, there was push back from a wide range of places.

A U.S. firm, Solid Oak Software, of Santa Barbara, said June 12 that code from its CyberSitter software was ripped off and used extensively in Green Dam-Youth Escort. It sent cease-and-desist letters to U.S. PC manufacturers who were expecting to install it for the Chinese market. The company also launched lawsuits in the U.S. and China.

The staff at the company that created it, Jinhui Computer System Engineering Com of Zhengzhou, China, got harassing phone calls, including late-night death threats.

Most observers assumed that Green Dam was to prevent Chinese Internet users from seeing content critical of the government. The Chinese government already operates a “Great Firewall” to filter Internet content (including politically sensitive sites) but it can be bypassed.

Politics aside, there are serious problems with Green Dam:
— It has the capacity to monitor keystrokes.
— It logs the URLs of sites the user has attempted to reach.
— It uses unencrypted data transfer from clients to company servers.
— OpenNet Initiative said Green Dam can monitor activities in addition to Web browsing and can shut down applications.
— The black-list update process is vulnerable to compromise.
— Exploit code was posted that compromises Internet Explorer on computers running Green Dam. It uses a stack overflow in the browser process triggered by an overly long URL. It works on Microsoft’s latest Vista operating system too.

June 16 we blogged that we classify Green Dam as a surveillance tool with a rating of “moderate risk” and we recommend that CounterSpy™ and VIPRE® users quarantine it.

Story here.

Tom Kelchner

Big surprise: study finds Twitter isn’t used much to discuss the deeper issues of the human experience

A San Antonio, Texas, firm named PearAnalytics, whose company slogan appears to be “analytics, insights, intelligence” studied several thousand tweets from Twitter users and found that 40.55 percent of them were “Pointless Babble” (their caps, not mine.)

“Conversational” tweets were 37.55 percent, “Pass-Along Value” (retweets) was 8.7 percent, “Self Promotion” was 5.85 percent, “Spam” was 3.75 percent and “News” was 3.6 percent of the 2,000 tweets captured.

The study was a great idea, but the snotty name for the biggest category wasn’t exactly something you’d find in anthropology journals.

How about:
— “relationship reinforcing”
— “friendship building”
— “social linking”
— “pleasantries”

A boss of mine in the computer security field some years ago started writing and saying: “there is no privacy, get over it.”

None of us who worked for him could have anticipated the day when a marketing research firm would eavesdrop on Internet exchanges (yes, I know it’s public speech) and insult the people who just wanted to say “hi” or “I’m eating a sandwich” to their friends.

Sheesh! Lighten up! It’s a service named “Twitter.” You’re expecting maybe 140-character discussions of existentialism?

PearAnalytics report here.

Tom Kelchner

A computer dystopia where malware rules

Imagine a country where:

— few people can afford computers and any kind of computer security software is usually beyond their means
— 80 percent of computers are infected with malware
— many desperately needed machines are disabled with viruses and in storage
— Internet connections, which are only dial-up, are so slow that AV updates take all day to download and one web page takes 10 minutes to load
— most installed operating systems are pirated, never updated and completely vulnerable

It sounds like the setting of a dystopian novel written in Czech about 1920. It isn’t. It’s Ethiopia — today.

The Guardian of the UK has run a story about the grim world of computing in one country in Africa where most people and organizations are powerless to defend themselves against malware. (Read it here.)

Tom Kelchner

A trip down memory lane – DNSChanger for Macs is back

For some reason — probably a dearth of big news in the height of vacation season — there’ve been a lot of retrospective articles on the security news sites we monitor. It’s a good day to read about the history of viruses and their explosive growth. It was kind of like stepping into a time warp or something. Stories about Slammer, Blaster, SoBig.

Then Patrick Jordan drew our attention to a piece he saw: a Trojan aimed at Macs that changes the machine’s Domain Name System (DNS) settings is circulating, according to Trend Micro. It claims to be a QuickTime Player update and carries the name “QuickTimeUpdate.dmg.” Users are prompted to download it when they try to view online videos from malicious sites.
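A DNSChanger infection leaves one durable artifact: the resolver configuration no longer matches what the network handed out. The script below is an added example, not code from Trend Micro, Sunbelt or the original post. It assumes the resolver settings are available as resolv.conf-style text, that the expected resolvers and search suffix for the host are known, and that the two sample configurations and every address in them are constructed. It parses the config and reports any nameserver or search domain that is not on the expected list.

```python
"""Audit a resolver configuration for DNSChanger-style tampering.

Added example, not from the Trend Micro or Sunbelt posts. Assumptions: the
resolver config is available as resolv.conf-style text, the expected resolvers
and search suffix are known, and all sample configs and addresses below are
constructed.
"""
import ipaddress

# Constructed policy: the resolvers and search suffix the host is supposed to use.
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
EXPECTED_SEARCH = {"corp.example"}

# Constructed "before" config, as DHCP would have written it.
CLEAN_CONF = """\
# generated by DHCP
search corp.example
nameserver 10.0.0.53
nameserver 10.0.1.53
"""

# Constructed "after infection" config: resolvers swapped for outside addresses
# and an extra search suffix appended.
TAMPERED_CONF = """\
search corp.example attacker.invalid
nameserver 192.0.2.10
nameserver 192.0.2.11
"""


def parse_resolv_conf(text):
    """Return (nameservers, search_domains) from resolv.conf-style text."""
    nameservers, search = [], []
    for raw in text.splitlines():
        # Strip both comment styles resolv.conf allows, then blank lines.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key in ("search", "domain"):
            search.extend(args)
    return nameservers, search


def audit_resolvers(text, expected_resolvers=EXPECTED_RESOLVERS,
                    expected_search=EXPECTED_SEARCH):
    """Return a list of findings; an empty list means the config matches policy."""
    nameservers, search = parse_resolv_conf(text)
    findings = []
    if not nameservers:
        findings.append("no nameserver configured")
    for ns in nameservers:
        try:
            ipaddress.ip_address(ns)  # reject garbage before comparing
        except ValueError:
            findings.append(f"unparseable nameserver {ns!r}")
            continue
        if ns not in expected_resolvers:
            findings.append(f"unexpected resolver {ns}")
    for dom in search:
        if dom not in expected_search:
            findings.append(f"unexpected search domain {dom}")
    return findings


if __name__ == "__main__":
    for name, conf in (("clean", CLEAN_CONF), ("tampered", TAMPERED_CONF)):
        print(name + ":", audit_resolvers(conf) or ["OK"])
```

The check is deliberately an allowlist rather than a blocklist of known rogue resolvers: the addresses a DNSChanger variant uses change from campaign to campaign, while the resolvers a managed host should be using do not.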

Trend’s posting here.

Here’s our blog posting from the last time we saw this:

Sunday, December 16, 2007
Another DNSChanger codec variant to stay away from – codecnice

codecnice(dot)net:

Pushes both Windows and Mac Trojan.DNSChanger. Sample binaries: Mac: codecnice(dot)net/download/codecnice1126.(dot)dmg. Windows: codecnice(dot)net/download/codecnice1126.(dot)exe.

Not so nice . . .

As always, please don’t touch these binaries unless you know what you’re doing as they are live Trojans.

2007 post by Adam Thomas here.

Weird.

Tom Kelchner

Sunbelt is one of the best places to work in Florida!

Sunbelt has been listed as number 25 on the list of 100 medium-sized companies considered “best companies to work for in 2009” by Florida Trend and on FloridaTrend.com.

It’s an interesting time at Sunbelt. There’s major growth going on here. According to the folks in human resources, we’ve hired about 50 people since the first of the year.

The joy of working for small and midsize companies is the feeling that you’re helping to invent the place. That’s what drew me here in April; that and the year-round bicycling on great bike trails and the beach and the seafood and fresh fruits and fresh vegetables and Alex Eckelberry’s wild and crazy blog.

See the Sunbelt news release here.

Tom Kelchner