Microsoft Security Essentials bundled with PCs

Not everyone may realize this, but it’s worth noting that all Microsoft Signature PCs (name-brand computers sold at their online and retail stores) include Microsoft Security Essentials pre-installed.

Microsoft isn’t making the mistake of competing with their own OEM customers in the PC business. However, for their new PC re-selling initiative, they are hand-selecting a number of PCs from major manufacturers (Dell, HP, Lenovo, Sony, Toshiba, Asus and Acer), and creating “Signature” editions.

These special editions are pre-built with standard Windows components (IE 8, etc.), but also include Windows Media Center, Internet TV for Media Center, Microsoft Security Essentials, Bing 3D Maps, Zune 4.0 and all the major Live components.

Consider the Toshiba NB205. If you buy it from Microsoft, you’ll get Microsoft Security Essentials. If you buy the exact same PC from Toshiba at the same price, you’ll get Norton Internet Security pre-installed.

PC vendors get significant dollars from security companies (these days, primarily McAfee and Symantec) to pre-install antivirus software — reportedly anywhere from $8–$12 per unit. Now, that may seem like a pittance, but this is big money for a PC maker, already living on razor-thin margins. There is enough of an advantage to being part of the Microsoft reselling effort that the PC makers will let go of some of these pre-bundling deals.

This is also a nifty way for Microsoft to potentially get around anti-trust issues. They don’t include Apple products (Quicktime, iTunes). They don’t include non-Microsoft security applications. But that’s because it’s their own product, sold in their own stores.

This is a development worth keeping an eye on.

Alex Eckelberry
(Hat tip to Colleen)

14,214,753 violations of CAN-SPAM Act cost spam king $710,737,650 court settlement

A federal judge in U.S. District Court for the Northern District of California in San Jose awarded Facebook almost $711 million in its action against infamous junk mail king Sanford Wallace. According to the court action, Wallace and two associates got access to Facebook accounts with phishing emails and used them to send spam that advertised pornography and gambling web sites.

U.S. District Judge Jeremy Fogel ruled that Wallace was responsible for 14,214,753 violations of the CAN-SPAM Act and awarded Facebook $710,737,650. Fogel also said he would ask the U.S. Attorney’s Office to prosecute Wallace for contempt of court.

Facebook brought the suit last March.

We applaud this court decision, in spite of the fact that Facebook probably won’t collect much of the settlement. Wallace was hit with a $4.1 million FTC action in 2006 and a court order to pay MySpace $234 million after a trial last year. At least it should drive one major, blatant spammer into bankruptcy.

Short of a very radical change, as in Eugene Kaspersky’s idea for ending the anonymous use of the Internet or serious government involvement across the globe, the reduction of spam just isn’t going to happen.

Various sources have put the prevalence of spam in email at 85-90 percent for the last few months.

Story here.

Tom Kelchner

Facebook “change-your-password” spam scam[s] are circulating

There are at least two Facebook “change-your-password” scams circulating in spam. Here’s the first one. It tries to lure you to a malicious site to steal your Facebook login information.

[Screenshot: Facebook “change-your-password” spam]

A second one comes with an attachment that installs the Bredolab Trojan.

That story here.

Tom Kelchner

Do Sunbelt fans feel secure on the Internet? Not especially.

In the October 21 issue of the Sunbelt Security News, Editor Larry Jaffe ran a brief little survey that asked readers just four questions:

— Do you feel your privacy has been compromised since the advent of the Internet?
— Do you make use of any software that makes you anonymous or incognito when you surf the web?
— Do you feel your personal information is secure online?
— Do you change financial site passwords on a regular basis?

Here is a tabulation of the responses from nearly 600 people:

— Do you feel your privacy has been compromised since the advent of the Internet?

Yes: 23.2 percent
No: 49.3 percent
Not sure: 27.6 percent

— Do you make use of any software that makes you anonymous or incognito when you surf the web?

Yes: 33 percent
No: 49.4 percent
Not sure: 17.6 percent

— Do you feel your personal information is secure online?

Yes: 23.2 percent
No: 49.3 percent
Not sure: 27.6 percent

— Do you change financial site passwords on a regular basis?

Yes: 48.2 percent
No: 51.8 percent

Sunbelt Security News here.

Tom Kelchner

Dangerous WWW: in 3Q’09 nearly 6 million pwnd!

Number of infected web pages is increasing significantly

Dasient, a web security firm in Palo Alto, Calif., published some dismal numbers on its blog today. The number of infected pages on the web increased significantly in the third quarter, and more than a third of infected sites that are fixed are quickly reinfected, they said.

The company said its malware analysis platform found more than 640,000 infected sites with a total of 5.8 million pages in the quarter. They compare that to the three million infected pages that Microsoft reported in the first quarter of the year.

The attacks:

— JavaScript (54.8%)
— iFrame (37.1%)
— “other” (8.1%)

Needless to say, with that preponderance of JavaScript malware, if you haven’t updated your Adobe Reader and Acrobat installations recently, you might do so.

Dasient blog here.

Tom Kelchner

Halloween malware: we’ll show you scary

Three of the biggest malware threats that were around during Halloween 2008 remain highly active in the public domain 12 months later, according to data collected by Sunbelt Labs. Trojan-Downloader.Zlob.Media-Codec, Trojan-Downloader.braviax and Explorer32.Hijacker all remain in Sunbelt’s top 10 malware list one year on, with reported instances of the latter two increasing in overall share since October 2008.

Muktadir Khan, Sunbelt Software European sales engineer said: “We advise users to be vigilant and to ensure their antivirus applications are fully up-to-date with the latest definition files and the latest application version installed.

“Users should avoid opening any attachments, even from trusted sources, without first running a scan on the file. An effective, updated antivirus and malware solution such as Sunbelt Software’s VIPRE will ensure machines remain protected from a variety of attacks.”

Classic Threats to Watch Out For

Based on reported activity over the last two Halloween periods, Sunbelt Software has identified some common types of Halloween-themed attacks. Users should remain especially vigilant for new variations of these common themes.

• The Dancing Skeleton – This one is based on emails that lure Halloween lovers to web sites where they can download an application that puts the image of a dancing skeleton on their desktop. Users do indeed get the dancing skeleton along with the Storm Trojan. The Halloween.exe is part of a malicious botnet that allows remote attackers to access and control infected computers, accessing personal information and sending yet more infected spam.

• Halloween Gift Cards – These are the modern-day replacement for gift vouchers. For the last two years, emails have made the rounds offering a free $250 or £250 Halloween gift card when users sign up for a new credit card. This is really a scam to harvest personal and financial information for criminal use at a later date.

• The Big Halloween Sale Email – Stores are using Halloween as a topical hook, like they do bank holidays, to boost sales in these challenging economic times. Enterprising scammers have been picking up on this tactic with phishing emails purporting to be from trusted brand names, or offering unbelievably good deals. Clicking on a link usually takes you to an infected web site and a Storm Trojan downloader.

• The Halloween Party Invite – Another email-based attack, this one purportedly invites you to a Halloween-themed party. If it’s from an unknown source, it’s almost certainly a malware attack, either trying to entice you into clicking a link for more information or to open an attachment with the full invite enclosed. Even if it’s from a known source, approach with caution.

Tom Kelchner

Tinfoil hat time: U.S. spy agencies buy into web monitoring firm

We expect our spy agencies to… well… spy, but somehow it’s a little disquieting when you discover they might be spying on YOUR blog posts and Tweets.

Wired has broken a story that the investment agency of the CIA and other U.S. spy agencies, In-Q-Tel, has put money into a company that monitors social media: Visible Technologies of Bellevue, Wash. (page here.)

On the company page, the pitch for their services includes:

“Listening to your customers is a critical first step in deploying an effective social media strategy and successfully managing your brand online. Listening to social conversations helps you get acquainted with online consumers, monitor their perceptions about your brand and competitors, spot potential issues, and can help identify authentic brand influencers and advocates.”

Visible Technologies monitors Flickr, YouTube, Twitter, Amazon, hundreds of thousands of web 2.0 sites and millions of posts on blogs every day, according to Wired. Since Facebook is closed, it does not monitor them.

Their customers get feeds based on key words with scores indicating how positive or negative the items are as well as how influential the writer is.

The spy agencies want to boost Visible’s foreign-language capabilities so they can monitor international discussions of issues, Wired said.

I think anyone using the Internet should certainly know there isn’t the slightest shred of expectation of privacy there. If your tinfoil hat is overheating, you can set up accounts using aliases.

Wired story here.

Tom Kelchner

Update
(thanks Alex)

On the Effectiveness of Aluminium Foil Helmets:
An Empirical Study

Paper here.

Search terms lead to malware? Yeah

It’s become the latest craze in security blogs — show how a search for a celebrity or current event leads to malware through Google searches.

I’ve done it myself, quite a bit. And I do think it provides a public service.

But the reality is — it’s massive, it’s constant, and the search terms are all over the place.

For example, there is a current blackhat run on Google that is using a dizzying number of search terms. Here’s a list of terms that I’ve found. There are more.

2010 Military Pay Charts
Aileen Quinn
Amelia Earhart
Anglicanism
Arsenio Hall
Astate
Banco Del Tesoro Venezuela
Bedava Ingilizce
Bianchini
Bitty Schram Fired
Black Parade
blackberry storm 9520
Blast Off
Bobblehead
Bravo project runway
Cafe World
cfnm youtube
Charlie Manuel
child stuck in balloon
Chris Cooley Blog
Chris Mckendry
Christian Audigier
Collin Wilcox Paxton
Comcast Tickets
Cookie Johnson Jean Line
Crucisatorul Potemkin
Daniel Maldonado
David belle parkour video
Deadspin Espn
Dining
Dodsworth
Donovan House Washington Dc
Download Windows 7
Droid Does
Ed Hardy
Electron configuration berkelium
En Clown I Mina Kläder
Facebook Live Feed Vs News Feed
Fagacious
Fbi 10 Most Wanted
Female snake charmer costume
Figure roller skating
Florida Sex Offenders By Zip Code
Folkston Ga
free porn tube 8
Funny halloween pictures
Gardien
Glee Episode 9 Preview
Gossip Girls
H1n1 Vaccine Canada
H1n1 Vaccine Side Effects
Halloween Escape Walkthrough
Hardgame2
Hide Away
Honda Center Anaheim
House Season 6 Episode Guide
Hulk Hogan
Jay Mohr
Jayson Werth Married
Jeff Dunham Tour Dates 2009
Jeffrey Chiang Texas
Jodie Sweetin
Joe Klein Obama Thesis
Jonathan Broxton
Künstler Cutlery Knife Set By Connoisseur
Kyrie Irving Twitter
Levi Jones
Lil Wayne Pleads Guilty
Lindsay Lohan E Namorada
Losing It With Jillian Michaels
Marine Corps Marathon
Marni Phillips Photos
Married With Children
Matthew Shepard Story
Mikelle Biggs
Min Lieskovsky
Natalie Portman
New York Yankees
Obama thesis paper
Once Bitten Movie
Organic Baby Food Recall
Orionids Meteor Shower
Patchwork Nation
Phillies
Phish Tickets
puerto rico explosion
Rajon Rondo Ripped
Rebel Efi Crack
Secret Girlfriend Wiki
sharona monk
Somewhere Else
Sommer Thompson Missing
supernatural season 5 episode guide
sweetest day 2009
The Bunny Ranch
The Jeff Dunham Show
The Perfect Storm Movie
The Vampire Diaries 7
Tnmmu.ac.in
Tourettes Pete
Uss Freedom
Villisca Axe Murders Wiki
Wachovia Center Philadelphia
Wapa Tv
Week 7 Football Picks
week 7 football picks
When You Have No One No One Can Hurt You
Who The Hell Is Wolf
Windows 7 Free Upgrade For Vista
Windows 7 Release Date
Winter Time
Wombat Day
Y94
Zac Hanson
Ladybugs Good Luck
40 Under 40 Fortune
Ali Kay
California City Element
hot pussy sex
International Paper Franklin Va
Jacksonville News
Jammers
Lil Wayne Going To Jail 2009
Metal Rayonnant
Obama Mit Speech
Path Accident
Psystar
Robin Thicke Wife
Shaq
Somer Thompson Missing

Using any one of these search terms will land you in trouble.

For example, let’s search for Bx 82mf1r:

[Screenshot: Google results for the search term]

The first four hits are malware links, all on compromised sites (the links only work with Google as the referrer; going to them directly will just land you on a harmless CNN page). You can see that Google catches the first site. The next three aren’t caught.

[Screenshot: malicious result URL containing /?p]

(Notice the /?p in the url? That’s generally the Windows Enterprise Defender rogue — thanks Patrick, for pointing that out.)

The rest of the search terms have varying degrees of success in getting to the first page of Google’s results. But to find them, we just do a little Google dorking. Notice that all the malware sites use “/t” in the URL. So we just do a Google search using the inurl operator to narrow down the malicious links.

Hence, we might search for Project Runway with the following search command (just to get more malware links):

project runway inurl:/?t= inurl:runway

And we see all kinds of nasty stuff.

[Screenshot: Google results for the inurl search]

You get the picture. Blackhat SEO is alive and well on Google, contributing to the profits and merriment of both legitimate antivirus vendors and malware authors. Unfortunately, the user doesn’t come out that well in the whole thing.
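As an added defender-side example (not code from the original post), here is a small Python log filter that applies the two heuristics described above, the “/?t=” and “/?p” URL markers and the Google-only referrer cloaking, to proxy log lines. The combined log format, the .test host names, the log lines and the severity labels are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Hypothetical detector for the blackhat-SEO pattern in the post: compromised
# pages carried "/?t=" in the URL, rogue landing pages "/?p", and the malicious
# content was only served when the visitor arrived from a Google search
# (Referer-based cloaking). Input is assumed to be "combined" format log lines
# with absolute URLs, as a forward proxy would write them.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Query keys the post associates with the campaign. "t" is the stronger
# marker; "p" is weaker because WordPress also uses "?p=<id>" for permalinks.
MARKER_WEIGHT = {"t": "high", "p": "medium"}

# Matches google.com, www.google.co.uk, google.com.br, but not notgoogle.com
# or google.com.evil.test.
GOOGLE_HOST_RE = re.compile(r'(^|\.)google\.[a-z]{2,3}(\.[a-z]{2})?$')


def parse_line(line):
    """Return the fields of one combined-format log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def seo_marker(url):
    """Return the first campaign marker key in the URL query, else None."""
    for pair in urlsplit(url).query.split("&"):
        key = pair.split("=", 1)[0]
        if key in MARKER_WEIGHT:
            return key
    return None


def from_google_search(referer):
    host = urlsplit(referer).hostname or ""
    return bool(GOOGLE_HOST_RE.search(host))


def flag_requests(lines):
    """Return (client, url, severity) for requests matching the pattern.

    A marker URL reached from a Google search is the strong signal; the same
    URL fetched without a search Referer is reported as "low", since the post
    notes the cloaked page then only serves harmless content.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        marker = seo_marker(rec["url"])
        if marker is None:
            continue
        severity = MARKER_WEIGHT[marker] if from_google_search(rec["referer"]) else "low"
        hits.append((rec["client"], rec["url"], severity))
    return hits


# Constructed sample log lines; hosts use the reserved .test TLD.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Oct/2009:10:01:02 -0400] "GET http://compromised.test/?t=project+runway HTTP/1.1" 302 0 "http://www.google.com/search?q=project+runway" "Mozilla/4.0"',
    '10.0.0.7 - - [22/Oct/2009:10:02:10 -0400] "GET http://compromised.test/?t=project+runway HTTP/1.1" 200 1834 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [22/Oct/2009:10:03:44 -0400] "GET http://rogue-landing.test/?p HTTP/1.1" 200 44312 "http://www.google.co.uk/search?q=windows+7+release+date" "Mozilla/4.0"',
    '10.0.0.11 - - [22/Oct/2009:10:04:01 -0400] "GET http://news.example.test/2009/10/windows-7.html HTTP/1.1" 200 9211 "http://www.google.com/search?q=windows+7" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```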

Alex

Nigeria begins crackdown on email scams

Farida Waziri, head of Nigeria’s Economic and Financial Crimes Commission, has announced that her agency, aided by Microsoft, has begun a large-scale crackdown on the email scammers who have made Nigeria infamous to Internet users for 20 years.

Waziri, speaking at a National Conference of Black Mayors convention in Las Vegas, said her commission has arrested 18 people and shut down 800 email accounts linked to scams.

She said the operation, dubbed “Eagle Claw,” will be fully operational in six months with the capacity to shut down 5,000 fraudulent email accounts and send 230,000 advisory emails to victims each month.

“It will take Nigeria out of the top 10 list of countries with the highest incidence of fraudulent e-mails,” she said.

This has the potential for reducing Internet fraud coming out of a historic hot spot. Nigeria, like developing nations everywhere, has an uphill battle to fight, with limited resources, against crime and corruption. It’s good to see Microsoft lending some technical assistance.

Nice work Ms. Waziri and Microsoft.

If Operation Eagle Claw works, maybe Nigeria can farm her out as a consultant to Russia. They could call it “Operation Bear Claw.” Then she can come to Florida and go after the spam industry here. (Operation Armadillo Claw?)

ArsTechnica story here.

See BBC story here.

Tom Kelchner

Windows 7 distributed in UK early

CNET UK is reporting that copies of Windows 7 have been mailed to customers in the UK several days before the official release date (tomorrow). According to the CNET UK blog, Microsoft allowed it in anticipation of a postal strike by carriers with the Royal Mail.

This means that for the next few days, Internet users in the UK can expect:

— Spam, both malicious and non-malicious, with Windows 7 themes (“REVERSE ERECTILE~DISFUNCTION WITH WINDOWS 7!”)
— Twitter tweets and Facebook mail with links to sites where you can download something infectious that has a Windows 7 title
— Trojaned copies of Win7 from P2P networks
— About a dozen rogue security programs with names like “WINDOWS 7 PROTECTOR GUARD SECURITY COP SCOUT”
— A few dozen reviews with titles like: “Windows 7 is probably better than VISTA,” “Windows 7 – so when is the first service pack?” and “How long can you milk Windows XP?”

CNET UK story here.

Tom Kelchner

Sunbelt Blog nominated for ComputerWeekly.com’s IT blog competition

For the second year, Computer Weekly will be holding its IT blog awards, to “discover which bloggers are best meeting the needs of IT professionals in the UK.” The Sunbelt Blog has been nominated.

Oct. 27, after the Computer Weekly folks come up with their short list, all our fans in the IT public in the UK will get to vote.

The way they describe it: “The shortlists will be published in full online, with links straight to each blog (as we did last year) to make it easy for you to check out the top blogs and Twitter users before making your choice.

“Once the votes are in and the count complete, the winners will be announced at a celebratory event on Wednesday 25 November at Shoreditch House, a private members’ club that is one of London’s hottest venues.”

[Image: IT blog awards]

ComputerWeekly page here.

Tom Kelchner

Windows 7 opens Thursday: the world is (mostly) optimistic

Ok, we’re not going to mention Microsoft’s VISTA now.

Windows 7 will become available Thursday. Reviews based on the beta and release candidate haven’t been too bad, but the world will be waiting to see if computer users buy it quickly, wait a year, wait until the first service pack or whatever.

Here at Sunbelt Software we’re ready. Sunbelt’s VIPRE, VIPRE® Enterprise and CounterSpy Enterprise™ have all been certified as “Windows 7” compatible by Microsoft.

[Image: VIPRE and Windows 7]

Story here.

The WebUser site ran an interesting history of the Windows operating system versions with brief little thumbnail descriptions.

Tom Kelchner

No anti-virus software or procedures = compliance i$$ue

A Massachusetts stock broker will pay a $100,000 penalty to the Securities and Exchange Commission for failing to have security software or procedures when intruders stole account information of hundreds of customers and began making transactions with it.

Commonwealth Equity Services LLP of Waltham, Mass., agreed to pay the penalty for failing to have anti-malware software on its reps’ computers or written security policies to deal with security breaches. Securities brokers and registered investment advisors are required by SEC regulations to have written procedures to protect customer information.

In 2008, intruders stole the login information of a company employee and accessed the Commonwealth Equity network, ordering stock trades from eight accounts and stealing login information for 368 customers. Company staff noticed the unauthorized trades and stopped them, but the incident caused $8,000 in damage.

Story here.

Tom Kelchner

Malware researcher S!Ri catches rogue site affiliates ripping off his content

Rogue researcher S!Ri (blog here) just blogged about catching some rogue affiliate web sites ripping off his content to boost their search engine rankings. The game is a good glimpse into the rogue security software distribution world.

Rogue creators put up web sites, just like legitimate businesses, to sell their fake security products online. They use Trojans in spam email attachments and other nefarious means to frighten victims into believing that their machines are infected, then offer to sell their products (which really do nothing) to fix the bogus problems.

In the web advertising world, one can post advertising for other businesses on one’s site and be paid for visitors who “click through.” These are called “affiliate” sites. Just like legitimate businesses, there are affiliate sites that drive business to pages that sell rogue security products.

These affiliates use search engine optimization to drive up their rankings and draw unsuspecting web browsers, posting content about rogue security products. They may have hundreds of web sites that draw browsers looking for information about rogue products, then pass those visitors along to rogue download sites and make money for their pass-throughs. To attract visitors, they need content related to rogues, so they pull content from S!Ri’s research blog.

On Friday, S!Ri invented a rogue name — “Secure Shield” — made a fake graphic of a user interface and posted it on his blog (here.) Today he blogged about how quickly the affiliates scraped his content and put it on their pages: ten minutes in one case. (Blog entry here.)

His blog has seven screen shots of affiliate pages carrying his invention.

Yeah, it’s like Chinese boxes or Russian dolls: a fake on a researcher’s site that is stolen by an affiliate site that sends traffic to a site selling (fake) security software.

Thanks S!Ri. Thanks Patrick.

Tom Kelchner

Half of businesses surveyed will go with Win 7 in a year

The history of advice about Vista:

2006-7: It’s pretty buggy, wait till they get the kinks out

2007: It’s such a resource hog, wait until you buy your next (bigger, faster) machine and get it free rather than spend the cash for new RAM, etc.

2008: The economy is so bad, WinXP will hold you over and maybe they’ll get more bugs out by the time you can afford it.

2009: Windows 7 is going to be out shortly, why not wait and skip VISTA entirely.

2009 (second half): Whoa! Windows 7 looks pretty nice! Look how fast it starts!

Information Technology Intelligence Corp. of Boston (partnering with Sunbelt Software) found that half of the 1,200 companies they surveyed expect to move to Windows 7 in the first year it is available. Eleven percent of those surveyed said they expect to install it after the first service pack.

Windows XP, which has been around for eight years, will be supported until 2014.

Story here.

New rogue: TRE AntiVirus

TRE AntiVirus is a new rogue application from the WiniGuard family.

A few days ago this gang left a hidden message in their code for Sunbelt.

Kara recently called this gang lazy after seeing a series of its clones (a total of 28 clones using the same GUI).

Now it looks like they have responded to Kara’s post by pushing a new rogue with a new GUI.

[Screenshot: TRE AntiVirus splash screen]

[Screenshot: TRE AntiVirus GUI]

This rogue uses the same code under the hood, but with a new GUI.

Bharath M N

The unpatched software vector: piracy might not matter

Software piracy and its relationship to the spread of malware has been a topic this week.

Monday, the Business Software Alliance released a report that estimated the “staggering” number of Internet users swapping software through P2P networks has resulted in 41 percent of applications on computers today being unpatched. (Their report “Software Piracy on the Internet: A Threat to your Security” here.)

Friday, Ofcom, the UK’s independent regulator and competition authority for communications industries, issued a report saying its survey found that 55 percent of people aged 16-24 believed “file sharing through downloading shared copies of copyright music and films” should be legal. Although Ofcom didn’t ask specifically, one can be sure that the 55 percent probably feel the same way about downloading “free” software from P2P networks.

A third of adults thought piracy should be legal as well. The survey showed 42 percent of adults thought it should be illegal, 33 percent said it should not be illegal and 25 percent were not sure. (story here.)

Dancho Danchev, writing on the ZDNet blog (here) pointed out an interesting, though dismal, fact: maybe piracy doesn’t matter.

In spite of the free security updates available from nearly all software vendors, a huge number of users rarely install them. Applications are patched even less often than operating systems. He cites information from IBM and Secunia.

So, it is possible that all those pirated operating systems and applications are unpatched and wide open for bot and other malware infections (like Conficker recently), but it doesn’t really matter since a vast number of Internet users don’t update ANY software, legitimate or pirated.

Tom Kelchner