Australia’s web censorship effort put on hold

A spokesman for Australian Communications Minister Stephen Conroy has said that legislation that would set up a $120 million Internet censorship system requiring ISPs to block pornography (and information about euthanasia) will not be introduced before Australia’s upcoming elections, possibly October.

Labor party Prime Minister Kevin Rudd stirred up massive controversy when he made an election promise to block “illegal content” on the Internet including pornography.

Critics have said that the censorship wouldn’t be effective, would slow downloads and suppress the free flow of information.

Story ‘ere: “Rudd retreats on web filter legislation”

Last month someone leaked the secret 2,300-page Internet filter blacklist that had been drawn up by the Australian Communications and Media Authority. It showed that the government understated the number of banned Web pages when it said the list was 1,300 pages long.

The list included Web sites of some legitimate businesses including two bus companies, online poker sites, a number of Wikipedia entries, Google and Yahoo group pages, a dental practice and a tour operator.

Story here: “Australia’s Web blacklist leaked”

The Australian Broadcasting Corporation web site has the transcript of a very good debate of the issue on its web site: “Internet filter policy under fire”

One wonders why a government is willing to spend $120 million to require ISPs to block sites that deliver pictures of naked ladies (and suicide advice) but not the ones that steal billions every year pumping spam, downloading malicious code, selling fake medicine or stealing banking and credit card information.

Tom Kelchner

Sophos: US leads in spam relaying machines, China cuts rate steeply

Our good friends at Sophos anti-virus company have released their tabulations of the geographic distribution of spam relaying computers. It isn’t news that the U.S. has the most (13.1 percent) but it IS big news that China has dropped off the Sophos top 12 list.

Graham Cluley at Sophos blogged: “The latest ‘dirty dozen’ stats from Sophos, examining the top twelve countries which are relaying spam from compromised computers, show that China has dropped off the list.

“A new dirty ‘gang of four’ – South Korea, Brazil, India and their ringleader USA – account for over 30% of all the spam relayed by hacked computers around the globe.”

It’s been generally accepted that the U.S. has always led the pack in this statistic because it was the first country out of the chute in adopting PCs and Internet usage. Along with large numbers of machines on fast Internet connections come bot infections (responsible for a load of spam). Basically, the botnet operators go looking for victims with good machines on fast connections.

Although the U.S. has been in the “dirty dozen” for some time, a longer view shows that it’s less bad than three years ago.

Sophos figures from April of 2007 show that the U.S. was responsible for 19.8 percent of the world’s spam relaying machines. So, by 2010, the U.S. share had dropped by 6.7 percentage points – nearly one third of its 2007 share of the world’s spamming computers.

It’s just a numbers game though. The ugly fact is that the spammers haven’t gone away; they’ve simply set up shop (or infected machines) in countries that are “coming on line” with more machines on faster Internet connections in the general population. In the Sophos figures, India has risen to second place (7.3 percent) from 11th in 2007, and Brazil rose to third place (6.8 percent) from 9th in 2007. South Korea, which has long had excellent Internet connectivity, remained in fourth place, although its share dropped from seven percent to 4.8 percent.

(Rank chart: the top twelve spam relaying countries, 2010)

(Rank chart 2: countries in the top 12 in 2007, but not in 2010)

Sophos 2007 figures here.

Sophos 2010 figures here: “China slides off list of top spam-relaying nations”

Tom Kelchner

Backhoe incident in paradise

[Editor’s note: communications have been restored]

All Internet and land line communication at Sunbelt Software went down as of 10:15 a.m. today.

Verizon and Time Warner Internet and land line service in most of Clearwater, Fla., has been blacked out and is expected to be restored by mid afternoon today (EST).

Time Warner technicians tell us their splicers are repairing a fiber ring that was damaged by a repair crew at the intersection of Drew Street and Betty Lane. The crew was working on overhead lines when their equipment accidentally damaged a box containing fiber cable equipment.

(Thanks to the Dunedin Public Library for Internet connectivity.)

Tom Kelchner

Update 2:15 p.m.

Photos from the scene:

Repair crew at work

Damaged box:
Damaged cables:

(Photos by Dan L.)

Using a PDF file as a downloader

When “doc” stands for “don’t open contents”

Brian Ross, one of our Sunbelt malware removal specialists found this little gem – a malicious file that arrives as an attachment in spam and takes advantage of the newly-discovered launch vulnerability in .PDF files.

It uses a script in a PDF file to install a back door that starts up whenever Internet Explorer is launched. The infected svchost.exe file that it drops has been around for a while, but using a malicious PDF file to drop it is the interesting new twist. We’ve seen other reports of similar malware out there today.

It’s detected by VIPRE as Expoit.PDF.LaunchExe.

The malicious attachment looks innocuous enough.

PDF_1

Named “doc.pdf,” it displays a popup when opened asking if you would like to launch an external file. Choosing “Do Not Open” opens the PDF doc. If you choose “Open,” several cmd windows flash by too quickly to read the text they carry.

If you choose “Do Not Open,” you can see that there is text above the visible text in the popup window:

PDF_2

The script reads the PDF document itself as a text file, looks for particular strings within that text, dumps them into other VBS files and executes those.

PDF_3

The script appears to create an array, write data to a file named “game.exe” and run it as another VBScript. The result is an entry in the registry that will launch the bogus svchost.exe in “C:\Program Files\Microsoft Common” whenever explorer.exe is started.

Before the PDF document was opened, neither “C:\Program Files\Microsoft Common” nor “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe” existed. Both were added when the PDF doc ran. Details below:

PDF_4

PDF_5

The registry before the threat installs:

PDF_6

And after:

PDF_7

Registry export of the infected key is below:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]

“Debugger”=”C:\Program Files\Microsoft Common\svchost.exe”
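The “Debugger” value above is worth understanding from the defender’s side: when Windows starts an image that has an Image File Execution Options entry with a Debugger value, it launches the program named in that value instead, passing the original command line to it. That turns the key into a persistence hook that fires every time explorer.exe starts, which is why it is a standard thing to audit. The following is an added example, not code from this post or from Sunbelt: it parses a registry export in the .reg format shown above and flags IFEO Debugger values that do not point at a debugger you expect. The sample export is constructed, and the list of expected debugger names is an assumption to tune for your own estate.

```python
"""Scan a Windows registry export (.reg text) for Image File Execution Options
"Debugger" values and flag ones that are not a known debugger.
Added example, not from the original post. Sample input is constructed."""
import ntpath
import re
from typing import Dict, List, Tuple

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Assumption: debuggers an admin would expect to see registered here.
EXPECTED_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "ntsd.exe", "cdb.exe"}

# Constructed sample export: a legitimate developer entry for notepad.exe and
# an entry matching the svchost.exe drop described in the post. Real .reg
# exports escape backslashes and quotes inside string values, as shown.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\svchost.exe"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STR_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key path to its string values (REG_SZ only; hex values are skipped)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _STR_VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def ifeo_debuggers(keys: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Image name -> Debugger command line, for every IFEO subkey that has one."""
    prefix = IFEO_KEY.lower() + "\\"
    found: Dict[str, str] = {}
    for key, values in keys.items():
        if key.lower().startswith(prefix):
            image = key[len(prefix):].lower()
            for name, value in values.items():
                if name.lower() == "debugger":
                    found[image] = value
    return found


def _executable(cmd: str) -> str:
    """First program in a command line: a quoted path, or tokens up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return tokens[0] if tokens else ""


def suspicious_debuggers(reg_text: str) -> List[Tuple[str, str]]:
    """(image, debugger) pairs whose debugger is not in EXPECTED_DEBUGGERS."""
    findings = []
    for image, debugger in ifeo_debuggers(parse_reg(reg_text)).items():
        exe = ntpath.basename(_executable(debugger)).lower()
        if exe not in EXPECTED_DEBUGGERS:
            findings.append((image, debugger))
    return findings


if __name__ == "__main__":
    for image, debugger in suspicious_debuggers(SAMPLE_REG):
        print(f"IFEO hijack candidate: {image} -> {debugger}")
```

On the sample this reports only the explorer.exe entry; the notepad.exe entry points at windbg.exe and passes. Exporting the whole Image File Execution Options key from a suspect machine and feeding the file to this script is a quick way to spot the persistence the post describes.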

[bottom line] don’t click on attachments in spam. [/bottom line]

Thanks Brian.

Tom Kelchner

Microsoft reissues MS10-025

Fixes WMS on Win2K server

Microsoft has reissued Security Bulletin MS10-025 – the one it pulled last week.

MS10-025 was aimed at fixing a vulnerability in Windows Media Services running on Windows 2000 Server that could allow remote code execution if an intruder sent a specially crafted transport information packet to a system.

Jerry Bryant, Microsoft Response Communications group manager, said last week on the company’s TechNet site: “Today we pulled the update because we found it does not address the underlying issue effectively. We are not aware of any active attacks seeking to exploit this issue and are targeting a re-release of the update for next week.”

MS10-025 here.

Tom Kelchner

Storm botnet: it’s ba-a-a-a-a-ck

The Honeynet Project blog is carrying an article about a new botnet that appears to be a revival of the Storm Worm network that died out in 2007 — once one of the biggest on the Internet.

They said Steven Adair from Shadowserver found that the new botware uses the same configuration file (C:\WINDOWS\herjek.config) as Storm. The new version, however, uses an HTTP-based command-and-control channel instead of peer-to-peer.

This is good news if you enjoyed the penis pill, dating service and on-line pharmacy spam that Storm was pumping out three years ago.

Honeynet project blog here.

The Register story “Infamous Storm botnet rises from the grave” here.

Tom Kelchner

What do you call people who disclose vulnerabilities irresponsibly?

“Narcissistic Vulnerability Pimps”

Is it just my perception or are there a diminishing number of good rants on the Internet?

“Admin” on the Verizon Security Blog posted a really great one last week that deserves comment.

“Admin” is David Kennedy who has been with the research group(s) of NCSA/ICSA/Verizon Business for about 15 years. I worked for him. He took the literary form of the rant to levels that have only rarely been reached in the history of human thought. His rants were so awe inspiring that we began documenting them in a “Best of Kennedy” document.

But I digress.

Last week he posted a blog piece “Redefining ‘Security Researcher’”. In it he decries “researchers” who ignore the traditions of responsible disclosure and reveal vulnerabilities in applications or operating systems for the questionable glory of it.

He writes:

“Ugh; we really need to clean up our language. This begins with setting a few principles and regularly using more accurate descriptors in our publications and daily conversations.”

. . .

“We at Verizon Risk Intelligence do hereby adopt and resolve to faithfully use the following definitions:

“Security Researcher: One who studies how to secure things and/or how things are not secure in order to find a solution.

“Security Practitioner: One who applies the findings of the Security Researcher in order to make things more secure.

“Narcissistic Vulnerability Pimp: One who – solely for the purpose of self-glorification and self-gratification – harms business and society by irresponsibly disclosing information that makes things less secure (or increases risk).

“Criminal: One who actively subverts security without authorization or deliberately creates ways for others to do so.

“It’s time to draw a line in the sand. If you too are tired of seeing criminals elevated to a podium of legitimacy and bestowed the same job title you possess, join us. We’d be grateful to have the company.”

Tom Kelchner

Men in blue suits raid Gizmodo

“Finders keepers” isn’t exactly a legal concept

Many bloggers and commentators are making much of the fact that San Mateo police served a search warrant on the home of Gizmodo blogger Jason Chen and confiscated computers, servers and other equipment, probably as a result of his postings about the capabilities of the lost prototype Apple 4G iPhone.

Gawker Media, which owns Gizmodo, made public the fact that it paid $5,000 for the prototype iPhone which was accidentally left in a bar by one of Apple’s software engineers last month.

Gawker publisher, Chief Operating Officer Gaby Darbyshire, has claimed that the search was unlawful because Chen is a journalist and protected by shield laws.

Tech Herald story here.

New York Times coverage here.

The claim that Chen is a “journalist” and protected by shield laws is so far off base it’s absurd. If a journalist COMMITS a crime he isn’t protected under any shield law. Shield laws only protect journalists from punishment for failing to reveal their sources.

Chen and Gawker basically presented the prosecution with a prima facie case. They publicized the fact that Gawker paid $5,000 for the iPhone and had physical possession of it. Chen appears in a video with it.

If you find something and keep it, that falls under laws with names like “theft of property lost or mislaid.” And if you buy something you know was stolen, well, that’s “receiving stolen property.”

Gawker and Chen really should have known that something as valuable as a prototype next-gen iPhone was high profile enough that there was going to be some legal action. And along with a conviction will be restitution for damage to Apple that could be in the range of millions of dollars.

Shield laws are intended to protect journalists working in the public interest – which generally translates to investigating government misfeasance, malfeasance or nonfeasance.

Publicizing the fact that you paid for a stolen prototype so you can scoop the world and reveal its features is way-not public interest. It’s just dumb. It’s world-class dumb. It’s “let’s-invade-Russia-in-October” class dumb.

This isn’t about protecting the rights of journalists/bloggers, it’s about breaking the law to get a scoop.

Tom Kelchner

Solving CAPTCHAS as cottage industry

Make big money! $.80 to $1.20 per 1,000

People in China and Bangladesh are bidding on jobs solving CAPTCHAs so spammers can create new email accounts, but the work is a bit tedious, according to a story in the New York Times. Many brokers and middlemen who manage the service for spammers and do the hiring are finding it difficult to make a profit.

CAPTCHA is an acronym for “completely automated public Turing test to tell computers and humans apart.” CAPTCHAs are used by Web email providers to prevent spammers from using automated agents to create new email accounts to send spam.

Macduff Hughes, an engineering director at Google said “It can’t be helped that paid human solvers will be able to solve CAPTCHAS. Our goal is to make mass account creation less attractive to spammers, and the fact that spammers have to pay people to solve CAPTCHAS proves that the tool is working.”

Story here: “Spammers Pay Others to Answer Security Tests”

Well, it’s at least good to know that all that irritating spam is providing spending money for adolescents in third world countries. But that’s a little bit like saying that the upside to the Irish potato famine was that it made work for businesses that sold coffin hinges.

Tom Kelchner

We’re running out of IPv4 addresses: will the world really end in 2012?

It’s not the Mayan calendar – it’s the end of address space that could do us in.

IPv4 addressing protocol (32 bits) allows for four billion IP addresses. You’d think that four billion of anything would be enough, but it isn’t. It’s predicted that some time in the next year or two we’re going to run out of them.

IPv6 (128 bits) allows for 3.4 × 10^38 addresses. That’s 340.3 undecillion. It’s a lot. Every Internet user on earth could get an IP address for each of his teeth, his cat’s teeth and his toaster and it wouldn’t even put a dent in the possible range.

Sean Michael Kerner, writing on the Enterprise Networking Planet web site, has done a feature “IPv4’s Last Day: What Will Happen When There Is Only IPv6?” that foresees the American Registry for Internet Numbers (ARIN) and the other four regional Internet registries doling out smaller blocks of addresses as fewer and fewer become available.

Sunbelt Software Sales Engineer Phil Owens doesn’t foresee the end of anything, he foresees the beginning of a market for IPv4 addresses as enterprises sell off the address space they don’t need.

So, the long-anticipated switch over to IPv6 will really happen NOT when ARIN runs out of IPv4 addresses, but when the IP addresses for sale get more expensive than switching networks over to IPv6.

Since those IP addresses could be “dirty” — used in the past — the new users could get unwanted traffic on them too. And that’s another reason to switch to IPv6.

So, the IPv4 world will end with neither a bang nor a whimper. It will just limp along, like the owner of a Dodge Dart, making the fixes with aftermarket and junk-yard parts, doing anything possible to hold off that inevitable day when he will be forced to buy another junker and have a car payment.

Unless the Mayan calendar gets us first.

Tom Kelchner

Human factors: SEC staff surfed pr0n as U.S. economy bombed

An acceptable use policy doesn’t enforce itself

The inspector general of the U.S. Securities and Exchange Commission has run 33 investigations in the last five years into agency employees viewing and collecting Internet pornography instead of working, the Associated Press has reported.

In one instance, a senior attorney at the SEC headquarters in Washington, D.C., spent as much as eight hours per day downloading porn, filling his hard drive then burning files to DVDs, which he kept in his office. He resigned.

In another case, an accountant amassed a porn collection on his hard drive using Google images to avoid network web filtering which blocked his browsing porn web sites more than 16,000 times in a month. He received a 14-day suspension.

Seventeen employees who were under investigation were considered at a senior level and made salaries up to $222,000.

The SEC IG said there were two cases in 2007 and 16 in 2008. The massive economic downturn began in mid-2007 and exploded late in 2008.

Story here: “SEC staffers watched porn as economy crashed”

Tom Kelchner

Crook offering 1.5 million Facebook accounts for sale

Your friend on Facebook might be someone else

VeriSign iDefense researchers said they have monitored an underground web forum where a hacker has advertised 1.5 million Facebook accounts for sale. The iDefense group believes the person going by the handle “kirllos” is in Eastern Europe since he posts in the Russian language. The forum he posts in also is used by black market operators in Eastern Europe.

Kirllos is offering the login information for Facebook accounts with 10 friends or fewer for $25 per 1,000 and those with 10 friends or more at $45 per 1,000.

Compromised Facebook accounts can be used in a variety of social engineering schemes, and those schemes may succeed because Facebook users put too much trust in messages and posts that appear to come from friends’ accounts.

Story here.

Tom Kelchner

Insurance company in China to pay $318K for software piracy

A first for Microsoft

A court in Shanghai has handed down a guilty verdict against the Dazhong Insurance company for using pirated copies of Microsoft software. The company was told to pay $318,000 in damages.

It is the first time that Microsoft has brought a successful legal action against a Chinese company for copyright infringement.

Story here.

Although the billions Microsoft loses to software pirates each year are bad enough, pirated software is also believed to be a serious malcode vector. A 2006 study by marketing intelligence firm IDC found that 25 percent of counterfeit software tried to install malcode when it was downloaded.

Media Surveillance, a German anti-piracy firm, said last year that one of its studies found 32 percent of pirated copies of Windows and hacks contained malcode.

Last year Microsoft launched an anti-piracy campaign that included educational initiatives and enforcement actions in over 70 countries to raise awareness of counterfeit software and to protect consumers.

Story here.

Tom Kelchner

Update:

According to English language People’s Daily Online, a news outlet of the Chinese Communist Party:

“Evidence used in court showed that Dazhong Insurance used at least 450 copies of pirated software and violated software piracy laws in nine categories. Microsoft demands that Dazhong Insurance should halt the use of pirated software.”

Story here: “Microsoft gets compensation for software piracy in China”

Phishing “Education Test” is blocked…for phishing

There’s a site you may have seen being pinged around on Twitter today, called ismycreditcardstolen(dot)com. This is what it looks like:


Yes, alarm bells were ringing for me too. “If you fear your credit card info has been stolen, enter it here and you can find out for free“. (Emphasis mine). “Avoiding fraud has never been easier!”

Oh boy.

Anyway, there’s a nice looking yellow padlock and a big green tick which always means something like this is safe, right?


As it turns out, you just failed a test – or so the above text claims. It seems this site has been set up to warn people about the dangers of phishing, giving some hints and tips in relation to phish attacks and also providing a link to the Anti-Phishing Work Group’s Website. The site also mentions it doesn’t send your card details anywhere, and this appears to be the case.

Not sure I’d want to ever be in a situation where I had to take the word of a random third party in relation to something like that, but there we go.

There’s an About page, which lists the people who created it, along with the following message:

“The purpose of this site is to educate users about the dangers of phishing. You can learn more at the Anti-Phishing Working Group’s website.”

Unfortunately(?) most people won’t get to see the “reassuring” messages, as the site has itself been blocked by Firefox for… phishing.

I’d like to be able to say I hadn’t seen that coming a mile off, but that would make me a gigantic liar. Having credit card in your domain is always going to smell faintly of “suspicious” to various security groups and anti-phish orgs, and having Whois data hidden by privacy services doesn’t help either.

NEVER enter your card details on sites such as the above, because you may not get off as easily next time. While the concept is – perhaps – an interesting one, the waters are muddied too much to be able to make sense of it.

The “Reported web forgery” blocks are a testament to that…

Christopher Boyd

Microsoft: security update for Win2k server doesn’t work

Use workarounds

Microsoft has taken the rather unusual step of pulling a security bulletin for Windows 2000 Server (issued last week) and telling users to use the mitigations and workarounds until the bulletin can be reissued next week.

MS10-025 was aimed at fixing a vulnerability in Windows Media Services running on Windows 2000 Server that could allow remote code execution if an intruder sent a specially crafted transport information packet to a system.

Jerry Bryant, Microsoft Response Communications group manager, said on the company’s Technet site: “Today we pulled the update because we found it does not address the underlying issue effectively. We are not aware of any active attacks seeking to exploit this issue and are targeting a re-release of the update for next week.

“Customers should review the bulletin for mitigations and workarounds and those with internet facing systems with Windows Media Services installed should evaluate and use firewall best practices to limit their overall exposure. We will continue to share updates here on the blog as available.”

Post here: MS10-025 Security Update to be Re-released

Microsoft Security Bulletin MS10-025 here.

Tom Kelchner

A note (correction) from the crypto world on Internet Café security

In yesterday’s blog post “Internet café wi-fi and your security,” we advised road warriors and others who use public wi-fi hot spots to communicate (without a VPN) that they should encrypt documents before sending them, to avoid the possibility that they could be intercepted by someone sniffing the public network.

A former colleague of mine left a comment on the Sunbelt Blog that I feel is important enough to highlight in its own blog entry. Basically, encryption on older versions of Microsoft Office (before Office 2007) is no longer safe to use.

The colleague (Phil) has pointed me to “David LeBlanc’s Web Log” piece from April 16 entitled: “Don’t Use Office RC4 Encryption. Really. Just don’t do it.” As you might guess from the title, David points out the weakness of RC4 encryption, which is what is available in older Microsoft Office (2003 and before) applications.

He wrote: “If you need to encrypt an Office document, then use the new file format, and get real encryption as we’ve documented in more than one place. If you need to encrypt an older file format, then use a 3rd party tool that will do proper encryption. If you merely need obfuscation, perhaps to keep your kids out of the Christmas list, it might suffice for that, but not if you have a really bright kid.”

That “bright kid” line isn’t a joke, because for $49 you can buy “password recovery” software that can crack weak Office 2007 passwords and all passwords from earlier versions. (For sale here: http://www.lostpassword.com/kit-basic.htm)

One can be sure that fact has not been lost on the darkside, or bright kids. If you explore that lostpassword.com site, it becomes very obvious what password cracking is all about.

Thanks Phil!

So what SHOULD you do to encrypt a document?

You should use the AES encryption algorithm (Office 2007 and later) and a password (or phrase) as long as you can tolerate, with caps, numbers and punctuation — something like: “My_cat_Fluffy_likes_canned_tuna_!_12345.”

In versions of Office before Office 2007, Excel, PowerPoint and Word offered a choice of several flavors of the RC4 encryption algorithm – not good. In Office 2007, documents are encrypted with 128-bit AES. AES-128 is accepted by the U.S. federal government for documents with classifications up to and including Secret.
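The passphrase advice above can be put in numbers. The following is an added example, not code from this post or from Microsoft: it computes the character-class keyspace of the post’s sample passphrase against a short one and the time a brute-force search would need at an assumed guess rate. The guess rate is an illustrative assumption, and the estimate treats every character as independent and uniformly chosen, so a phrase built from dictionary words is weaker than the figure suggests; treat the result as an upper bound on what a cracking tool faces, and the length and character-class advice as the thing that moves it.

```python
"""Keyspace and brute-force time estimates for the passphrase advice above.
Added example, not from the original post. The guess rate is an assumption."""
import math
import string
from typing import List, Tuple

# Constructed inputs: the passphrase the post suggests and a weak one for contrast.
RECOMMENDED = "My_cat_Fluffy_likes_canned_tuna_!_12345."
WEAK = "Fluffy1"

# Assumed brute-force rate for a cheap "password recovery" tool on one PC.
# Replace with a measured figure for the tool and hardware you care about.
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000

SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Alphabet a brute-force search must cover, from the classes actually present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII punctuation characters
    if any(c.isspace() for c in password):
        size += 1
    return size


def keyspace_bits(password: str) -> float:
    """Upper-bound entropy in bits: length * log2(alphabet), assuming uniform choice."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str,
                     guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years to try every string of this length over this alphabet."""
    return charset_size(password) ** len(password) / guesses_per_second / SECONDS_PER_YEAR


def compare(passwords: List[str]) -> List[Tuple[str, int, float, float]]:
    """Rows of (password, alphabet size, bits, years to exhaust) for a quick report."""
    return [(p, charset_size(p), round(keyspace_bits(p), 1), years_to_exhaust(p))
            for p in passwords]


if __name__ == "__main__":
    for pw, alphabet, bits, years in compare([WEAK, RECOMMENDED]):
        print(f"{pw!r}: alphabet {alphabet}, {bits} bits, "
              f"{years:.3g} years at {ASSUMED_GUESSES_PER_SECOND:,} guesses/s")
```

The seven-character password falls in under an hour at the assumed rate; the 40-character phrase is out of reach of any brute-force search, which is the point of “as long as you can tolerate.” The weak spot that the arithmetic does not capture is guessability: a cracker that tries dictionary words and common substitutions first does not need to walk the whole keyspace, so the mix of caps, digits and punctuation matters as much as the length.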

To encrypt a document in Office 2007, go to prepare | encrypt document:

Word crypto

Want a little history of Microsoft encryption? Here’s a site with a concise, fast read:
“History of password protection in MS-Word”

Tom Kelchner

Pa. school district: 56,000 shots taken with students’ web cams

Reports from the Lower Merion School District in Pennsylvania now say that 56,000 photos and screen shots were taken by security software on students’ school laptops.

The district was sued in federal court in February by the parents of a student who was disciplined after school security personnel accused him of taking drugs. They showed him photos of himself taken from the web cam on his school-issued laptop. He claimed the images show him eating candy and his family said in court filings that they were never told there was monitoring software on the machine.

As we reported in February, the FBI is investigating.

The LANrev monitoring software on the machines was to be used only to track stolen machines and only two members of the IT staff had access to it, the district said. IT staff had switched on the cameras of missing computers 42 times this school year and recovered 18 machines, they said.

“In addition, discovery to date has now revealed that thousands of webcam pictures and screenshots have been taken of numerous other students in their homes, many of which never reported their laptops lost or missing,” an attorney wrote in a filing in the case.

TechHerald story here.

The suggestion that the software was activated and webcams switched on for voyeurism has hung over this case since the beginning. The possibility of a class action suit also is hanging over the district.

Tom Kelchner

An exploration of Rogue AV customer support sites

Not too long ago, a relative of mine fell for a Rogue AV “pay up to get your computer back to full health” scam, handing over $69 / £45 in the process.

Whoops.

After a bit of a clean up and some silliness with the credit card company (who originally told them they couldn’t get their money back – not true), all was well again. However – it occurred to me that despite having read something in the region of six million Rogue AV blogposts (and counting), I’d never actually seen the really basic stuff. You know, emails they send you once you’ve paid up. Support pages, things like that. Did support portals even exist for Rogue AV programs?

Honestly, I had no clue.

I suppose that’s because our primary function when a Rogue AV hits is to tell you what the scam is, then advise to steer clear. The only way we could show you those things is if someone we know managed to get tangled up in one of these fiascos.

Well, step forward helpful family member and bring your scam trophies along for the ride. If you ever wanted to see a “Congratulations, you just bought nothing” email then you’ve come to the right place:

Rogue AV purchase email

I like the part where they advise you to remove and / or switch off Firewalls and other security products. I can imagine a regular end-user being somewhat baffled by this mail – already, a number of domains are thrown at them.

They list the reason for showing the card charges from “Spy-wipe(dot)com” as being for YOUR “safety and privacy”. Softhelpcenter(dot)com directs you to an E-Ticketing system, and the link which allows the end-user to grab their purchased product – members(dot)getavproduct(dot)net – is unsurprisingly bland and content free:

Rogue AV customer support login

I was very curious at this point – would the login page actually take me to a support section? Or was it non functional? The answer is: here comes a bunch of screenshots from inside a Rogue AV support section.

Rogue AV support site

The victim actually does get a fully functional “support” page (although truth be told, it doesn’t do much supporting). If you have a problem, the Help page is less than spectacular:

help section

Yes, that really is the whole thing. Clicking the link will take you to a similar page to the E-Ticket site mentioned at the start of the blog entry:

Support form

One can only imagine the kinds of attachments disgruntled “customers” send them, but anyway. This is, for the record, a fully “activated” version of Antivirus Soft:

Antivirus Soft

Note that it doesn’t actually look any different than the free version except for one key difference: before you pay up, your PC is supposedly infected with six thousand pieces of malware. After? Yeah, that scan is 100% finished and – amazingly – hasn’t found a single infected file.

Funny, that.

If you try to update your definitions, it performs an occasional party trick of Rogue AVs and downloads the Clam AV database.

Clam

They’ll even allow you to uninstall with no apparent issues or continued nag screens:

rogue av uninstall

As for the domains involved, the majority mention “Taras Frinov”, who appears in this wonderful list of rogues. While there are a lot of identikit support sites for the end-user to download their purchase from – backsoftdownload(dot)com and getavsoft(dot)com, to name but two – it’s a better idea to not end up on these sites in the first place.

Always be suspicious when presented with popups handing out dire warnings and demanding your cash – because one “Congratulations, you just bought nothing” email is already one too many.

Christopher Boyd