China’s Green Dam censorship software interferes with school computers

Schools in Beijing, China, are removing the government-mandated Green Dam Internet censorship software because it interferes with educational software.

The technology director of Beijing Number 50 High School posted a note on the school’s web site that Green Dam “…has strong conflicts with teaching software we need for normal work.”

In May, China’s Ministry of Industry and Information Technology had ordered the Green Dam Youth Escort filtering software to be installed on all computers sold in China after July 1, but rescinded the order for the general public after a flurry of controversies, although schools and Internet cafes were told to install it.

The problems included:

— Green Dam is clearly spyware, since it monitors keystrokes, and Sunbelt and other major anti-virus companies classified it as a surveillance tool.

— A buffer overflow that could be triggered by an overly long URL was discovered in Green Dam. The patch issued for it was flawed and left the software exploitable for more than a week after the discovery.

— The Chinese government said it was to block pornography and “unhealthy” content, but activists found that two thirds of the key words it filtered had political significance.

— Solid Oak Software of Santa Barbara, Calif., said June 12 that code from its CyberSitter software was used extensively in Green Dam-Youth Escort. It sent cease-and-desist letters to U.S. PC manufacturers who were expecting to install it for the Chinese market. Solid Oak brought lawsuits in the U.S. and China.

— China’s fiat that the censorship software was to be installed drew protests from the U.S. (as a violation of China’s agreement with the World Trade Organization), from the leaders of 22 international business groups and from the European Union.

Jinhui Computer System Engineering Co. of Zhengzhou, the company that won the Chinese government’s contract to write the application, got $6 million, late night harassing phone calls and some death threats.

Latest story here.

Fluffi Bunni revisited: NY Times site hit with ads for rogue security product

The New York Times has posted a notice over the weekend that its web site carried a malicious ad for a rogue security product that originated with an advertiser.

“The culprit masqueraded as a national advertiser and provided seemingly legitimate product advertising for a week. Over the weekend, the ad being served up was switched so that an intrusive message, claiming to be a virus warning from the reader’s computer, appeared,” they said. (NYT notice here.)

That attack-through-advertiser approach was pioneered in 2001 by a hacker who went by the handle Fluffi Bunni.

In 2001, Fluffi used an OpenSSH vulnerability to deface the web pages of security company SecurityFocus by breaching an ad-serving system run by ad company Thruport Technologies.

He used a similar hack to deface the web sites of security group Attrition.org and of the SANS Institute, a well-respected organization that provides security training and information. (Story from the former NewsBytes here.)

In 2002, Wired News quoted an unnamed source reporting that Fluffi Bunni was contemplating a massive Distributed Denial of Service attack on the Internet’s 13 domain-name root servers. (Story here.)

Although Fluffi Bunni was thought to be a hacking group, ultimately he turned out to be one person who was arrested in the UK.

OK, it was a different age. It was funny then. I guess you had to have been there.

Thanks to Eric Howes.

Tom Kelchner

Federal court: “browsewrap” agreements bad

A federal court decision might prompt Web-based businesses to make their customers respond in some way indicating they have read a Web site’s “terms and conditions.”

A federal judge in the Eastern District of New York has ruled that web retailer Overstock.com can’t enforce a $30 restocking fee found in its online terms and conditions because there was no evidence that customers even saw the agreement.

The decision came in a court action brought by customer Cynthia Hines, who was charged a $30 restocking fee by Overstock.com after she returned a vacuum cleaner. Overstock.com had a link at the bottom of its web page that led to its “terms and conditions” and said users consent to be bound by them merely by using the site.

U.S. District Court Judge Sterling Johnson, Jr. made the rather significant decision that Overstock.com’s “browsewrap” agreement was not adequate.

“Browsewrap” agreements are terms and conditions that are simply posted, with the act of browsing the site taken to imply that you agree to them. That’s opposed to “click-wrap” agreements, in which users must click a button that says “I agree,” or use some similar mechanism indicating consent.

Overstock.com’s 13 pages of “terms and conditions” are the usual nightmare of legalese. At 5,541 words, it’s the size of a serious short story and getting into the territory of a novella.

It almost seems like it was written with lots of meaningless padding to intimidate a reader by its size. It begins: “This website – http://www.overstock.com (the ‘Site’) is being made available to you free-of-charge. The terms ‘you’, ‘your’, and ‘yours’ refer to anyone accessing, viewing, browsing, visiting or using the Site.”

Wow! They give you their definition of “you.”

See story here.

Tom Kelchner

Induc is really something new

Our good friends at Kaspersky Lab have done an interesting analysis piece on Induc – the malware that infects Delphi system files and then passes itself along in anything created by the infected compiler.

When Induc was first discovered around the middle of August, Denis Nazarov at Kaspersky did a blog piece on it. Several weeks later the Kaspersky folks wrote a longer analysis and concluded that Induc had some genuinely new features. They also concluded that it might have been around for many months before it was detected – possibly as far back as November 2008 – and that there could be millions of copies of it around. Fortunately, it has no malicious payload.

“. . .as far as we know, no-one’s tried to directly infect the service files of a compiler before. This approach is so unusual that it doesn’t fit anywhere in our current classification system. Induc isn’t a virus in the strict sense of the word, because it doesn’t directly infect files. It modifies a single system file rather than every file which it finds. Induc can’t be called a worm, and it can’t be called a Trojan either, even though it does possess certain hallmarks of such types of malware. So Induc really is something new.”

Since Induc was compiled into otherwise legitimate programs built on infected machines, whitelisting companies have a big problem on their hands: sorting the legitimate applications that carry Induc from the clean ones.

The folks at Kaspersky also noticed something else interesting: banking Trojans, probably from Brazil, containing Induc. That means malware writers in Brazil have infected compilers, which is not surprising, since Delphi is popular in that country.

See Kaspersky analysis here.

Vipre detects Induc as Virus.Win32.Induc.a (v)

Tom Kelchner

“Outgoing dope may be your hush-hush evidence”

One of the joys of our fantastic global communications network called the Internet is the twisted prose that comes out of translation engines. They take the well-chosen words of some hard-working person on the opposite side of the world and turn them into a form of Engrish that is only a bit more readable than the original text of Beowulf, but really funny.

Here is some of the translated text from a glowing (I think) recommendation of the Sunbelt Personal Firewall. It was originally written in an alphabet that we’re guessing is in use somewhere between the Persian Gulf and India:

“Now, it is called the Sunbelt Personal Firewall. Not all firewalls are the word-for-word. This firewall was discussed in olden days on my blog. They be analyse in effectiveness. That cannot be stressed adequate.

“The Sunbelt Personal Firewall blocks unwanted movement that is entering – but it also monitors what leaves from your conveyance.

“Outgoing dope may be your hush-hush evidence. It could be that your computer has been compromised and is instantly a district of a bot action. That avoirdupois arrange you up as a schnook of uniqueness swiping. Your computer could be district of a bot spamming action.

“This offers expires on September 17, 2009. A benign firewall, which monitors the communicative movement, intent discharge you an additional maybe at contagious some infection that has occurred on your conveyance.

“The Sunbelt Personal Firewall is extraordinarily a give-away at ten dollars.

“At this cost, the Sunbelt Personal Firewall is affordable to undisturbed unpleasantness strapped students at this period of year. Yes, it is just ten dollars when you using our association and the coupon standards SPFLOCKERGNOME when you categorize your codify.”


Site here.

Just another piece of glowing praise for Sunbelt products from a fan. Thanks Chris.

I mean, could we have made that up?

Just remember: “The Sunbelt Personal Firewall is extraordinarily a give-away at ten dollars.”

Thanks to Stu Sjouwerman

Tom Kelchner

Fake Codec uses false Facebook page

Scammers are using a fake Facebook page with a fake “Flash Player” update window to infect victims’ machines. Visiting various malicious sites results in:

Clicking on the “update” installs Trojan-Downloader.Win32.CodecPack.2GCash.Gen that can then install a variety of stuff, none of it good.


Trojan-Downloader.Win32.CodecPack.2GCash.Gen has been around since December.

Thanks to Patrick Jordan

Tom Kelchner

It’s ba-a-a-ack: Blue Screen of Death


Researchers at the SANS Internet Storm Center have reported finding exploit code that will crash Vista (SP1 and SP2) and Windows 7. It could also affect Windows Server 2008. The vulnerability it exploits is in the Windows implementation of the SMB (Server Message Block) file-sharing protocol. (Samba is the open-source implementation of the same protocol and is not what is at issue here.)

An attacker need only send one crafted packet to TCP port 445, the port Windows file sharing listens on, to bring on the BSOD, they said.

The obvious workaround is to block port 445 at the firewall. Two caveats: a perimeter rule stops only packets arriving from outside, so a compromised or hostile machine on the same LAN can still send the packet, and blocking 445 on the host itself disables Windows file and printer sharing for that machine.

Since home users are inclined to use file sharing and not to have firewalls, there are a lot of vulnerable machines out there. At this point the vulnerability can be used for denial-of-service attacks, but those rarely make money, and a crash in kernel code is frequently the first sign of a bug that can later be turned into remote code execution. We can be sure the dark side is working hard to figure out how to “monetize” it.
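A quick way to inventory which hosts on a network actually answer on TCP port 445, as an added example that is not part of the original post or of the SANS note. It only checks reachability: it sends no SMB traffic and makes no attempt at the crash. The host list and the loopback listener in demo_local() are constructed for illustration.

```python
"""Audit which hosts accept TCP connections on port 445 (SMB), the port the
crash packet must reach.  Added example; not code from the original post."""
import socket
from concurrent.futures import ThreadPoolExecutor

SMB_PORT = 445


def port_open(host, port=SMB_PORT, timeout=1.0):
    """Return True if a TCP handshake to host:port completes within timeout.
    This is a reachability check only; no application data is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable, no route
        return False


def audit_exposure(hosts, port=SMB_PORT, timeout=1.0, workers=32):
    """Map each host to whether `port` is reachable from here.

    A host that answers is exposed to the single-packet BSOD from this
    vantage point unless something upstream filters the port."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: port_open(h, port, timeout), hosts))
    return dict(zip(hosts, results))


def demo_local():
    """Self-contained demonstration (constructed, not a real scan).

    One listening socket on loopback stands in for an exposed host; a port
    that was bound and immediately released stands in for a filtered one.
    Returns (exposed_seen, filtered_seen) which should be (True, False)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))      # OS picks a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    probe = socket.socket()              # grab and release a second port
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    try:
        exposed = port_open("127.0.0.1", open_port, timeout=2.0)
        filtered = port_open("127.0.0.1", closed_port, timeout=2.0)
    finally:
        listener.close()
    return exposed, filtered


if __name__ == "__main__":
    # Replace with the hosts you administer; scanning others' machines
    # without permission is not acceptable.
    for host, reachable in audit_exposure(["127.0.0.1"]).items():
        state = "EXPOSED" if reachable else "not reachable"
        print(f"{host}: port {SMB_PORT} {state}")
```

Run it against the hosts you administer and anything that reports EXPOSED from outside the LAN is a candidate for the firewall rule; a host that is reachable only from inside the LAN is still at risk from a neighbour, which is why the workaround is a stopgap rather than a fix.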

See story: “New flaw causes ‘Blue Screen of Death’ on Vista, Windows 7.”

SANS Internet Storm Center note.

Tom Kelchner

New versions of Firefox will prompt for Adobe Flash update

Mozilla has had a good idea: checking for outdated Adobe Flash installations during the Firefox update process.


The mechanism hasn’t been announced by Mozilla, but a researcher found that the upcoming releases of the Firefox browser (3.5.3 and 3.0.14) will keep track of the installed Adobe Flash plug-in and prompt users when an update is available. The check will occur when users update their browser.

Currently, Firefox users can check for updates by checking Tools | Add-ons. A yellow “update” arrow icon will appear in the pop-up window if any updates are available for any add-ons they are running.

It’s been estimated that four out of five web surfers are using an unpatched version of Flash. In July, a Trojan was found that targeted a flaw in Adobe Flash (versions 9 and 10) that is also present in the Flash component shipped with Adobe Reader and Acrobat (9.1.2). The malicious Flash content was embedded in PDF files, so a user never had to visit a web page to be hit.

Story here: “Mozilla to protect Adobe Flash users – Update.”

Tom Kelchner

Vote for the best Windows Server products and services

Windows IT Pro and SQL Server Magazine are having their yearly Community Choice Awards Vote. This is always fun and interesting to participate in.

They want to hear from IT pros, database administrators and developers about what you think the best products and services are in a given category.

Here’s how it works: using the online form, vote for each of the products you’ve used and would recommend to others. This is a quick and easy survey.

And if you could do me a big favor, please vote for VIPRE Enterprise in the second question called “Best Anti-Virus/Anti-Malware Product.”

Survey here.

Thank You So Much!

Laurie Murrell

Protection System rogue targets MalwareBytes

Patrick Jordan drew our attention to this rogue security product this morning.

Rogues, of course, are fake anti-malware products that confuse victims into believing they are legitimate security software, when in fact they either infect the computer or do nothing at all for the purchase price. The “Protection System” rogue takes this confusion one step further: it searches for a LEGITIMATE anti-malware application on the victim’s computer and tricks the victim into uninstalling it.

During installation, the Protection System rogue will generate the following message if it detects MalwareBytes.


If the victim clicks “OK,” the rogue calls the MalwareBytes uninstaller and removes the software. That is worth remembering as a detection signal: a legitimate installer has no reason to launch another product’s uninstaller.

After the install, it then asks for your email address.


Then a “thank you” appears as if you actually had purchased the rogue.

To read our white paper “How to Tell If That Pop-Up Window Is Offering You a Rogue Anti-Malware Product” click here.

Tom Kelchner

Microsoft “mandatory upgrade” for Messenger is an interesting concept

There has been a curious lack of outrage at Microsoft’s announcement that it will launch a “mandatory upgrade” of Windows Live Messenger (mid-September for Messenger 8.1 or 8.5 and late October for 14.0). The point is to push out fixes for the vulnerabilities in the Microsoft Active Template Library (ATL), which Messenger was built with. Microsoft tried to fix those in July in Internet Explorer and Visual Studio, and in the August patch cycle fixed five more vulnerable applications.

The “net freedom” ethos (anarchy?) has always been widespread, but recently it’s even gone one step further with political parties forming up in Europe that advocate the freedom to steal music and software (oh, sorry, “copyright reform”) as the centerpiece of their platforms. “Pirate” party? Do they know what real seagoing pirates actually do?

Microsoft is doing a masterful job of phasing in the change over the next few months, encouraging voluntary upgrades and dazzling users with cool new features: “Add a profile picture or video, display a personal scene in the chat window, update the status message with your news, add a favorite link, or add what song you’re listening to.”

“And Photo sharing. Photo sharing lets you share and comment on pictures while you’re chatting.”

Are “mandatory upgrades” the next big thing in computer security? It’s not a bad idea given that a vast amount of malware lives and propagates worldwide on the unpatched PCs of Typhoid Marys who never update anything.

Microsoft notice here.

Tom Kelchner

Search for news of California fires gets you Trojan downloaders

Web surfers in search of news of the California wildfires are being served Trojan downloaders from malicious sites that are taking advantage of the high news profile of the situation.

Steve Bass, who is near Altadena, Calif., sent us a note:

“We’ve discovered that if you conduct an “Altadenablog” search on Google right now, it will point you to several sites that will try to load malware on your computer. It’s pretty insidious — it will not allow you to surf away nor shut off the browser unless you click the “Yes” button on the “Download antivirus software now!” box. We have a Mac and know a few hacker tricks to shut down a recalcitrant browser, but others might not be so lucky.”

Another dangerous search string is “Altadena Fire Hottest Info,” Steve said.

In another email he wrote: “As you know, we’re in the thick of it. No danger right now, but street is smoky.”

Patrick Jordan followed up with some research.

His comments:

“This is one of the groups of sites which is changed every day and the Trojan downloader is the Trojan-Downloader.Win32.CodecPack.2GCash.Gen.

“They use switching terminal sites as they are the URLs not seen in transmissions that can remain static for days but rotating to the newer 2GCash Fake Codec sites.”

Thanks to Steve Bass

Tom Kelchner