Author: Alex Eckelberry

Seems as if everybody who’s anybody has his/her own domain these days. A recent Associated Press article reprinted in many newspapers and online venues recounts how the latest trend is for parents to reserve domain names for their babies soon after they’re born – or even before – to ensure that the name won’t be snatched up before the child is old enough to want it.

One report stated that Angelina Jolie had reserved several variations of domain names for her new daughter within hours of the birth.

That might seem a little extreme, but if you happen to become well known, owning the domain named after you can become important. Those of us with fairly distinctive names usually don’t have much trouble getting the domain we want (I didn’t have to compete with anyone else for www.debshinder.com), but what if your name is John Jones or Mary Smith? Things might get a tad more complicated.

For celebrities, the issue can be even more perplexing. In a number of cases, fans have registered the names of famous folks as domains before the owner of the name got around to it. Many of these are fan sites, but what if the person who snags your domain namesake doesn’t like you and uses the site to post derogatory information about you?

Then there are the “cybersquatters” who buy up domain names with no intention of actually putting up web sites, but with the hope that those who do want sites with those names will pay dearly for them. Some people have made substantial amounts of money reselling domain names in this manner. Opponents of the practice accuse them of holding the names hostage. The squatters argue that they are just legally buying something that’s up for sale and then legally selling what they own to someone else – the same thing any retailer does. It can be a lucrative business. Business.com sold for somewhere between $7 million and $8 million, depending on which report you read, and sex.com is reported to have gone for 11 million euros, which translates to almost 15 million U.S. dollars.

Popular names are sometimes put up for auction. Last January, names such as hillaryrodhamclinton.mobi and duncanhunterforpresident.us were announced as available for public auction.

Not surprisingly, there have been many lawsuits filed over the ownership of domain names, especially in cases where the name is a trademark, as in the case of most celebrities. The World Intellectual Property Organization (WIPO) runs a domain name dispute resolution service that deals with many of these cases. According to their web site, they’ve handled 1425 cases in 2007 through the end of August.

Their policy labels registration of a domain name as being “in bad faith” if it’s done primarily for the purpose of selling or renting it to the owner of a trademark or to a competitor of the owner, if you do it to disrupt the business of your competitor or if you use it to defraud web site visitors by making them think the site belongs to or is endorsed by the trademark owner.

How important is it to have your own domain, anyway? Your mom will probably be just as impressed by your web site at www.earthlink.com/bobsmith as she would be by www.bobsmith.com, but in certain fields – especially the tech biz and the entertainment industry, owning a “real” domain is expected. And with registration as low as $6.99/year, it’s within the financial reach of almost anyone (of course, in order to make use of your registered name, you might need to pay a web hosting company or have a business-class Internet connection that allows you to host your own web server, or you may get free web hosting with your consumer-level Internet connection).

What about you? Do you have your own domain? If not, what’s stopping you? Is your name already taken? Don’t want a web site? Have a web site but see no need for your own domain? Should people be allowed to register domain names that are the names of other people? Should famous people be able to “take back” their domain names without paying? Or should domain names be registered strictly on a first come, first served basis and resold at whatever the market will bear? Would you reserve a domain name for your child, or is that just silly? Do you have more respect for a business person, author, or entertainer who has his/her own domain or does it not matter at all?

Deb Shinder

Go to http://www.siteadvisor.com/lookup/ and enter the following:

Alex Eckelberry
(Thanks to Sunbelt researcher Francesco)

Update: My compliments to my colleagues at McAfee. They fixed this xss bug with alacrity — literally in minutes. Well done — very impressive. (And apologies for my little bit of mischief.)

Its back online. ComputerWorld writes about it:

As a result of the breach, persons coming to the bank’s site were likely to be temporarily redirected to another site where Trojans and other malware were downloaded onto their computers, the employee said. The user was then brought back to the bank’s site.

Well, not exactly. If you weren’t fully patched, your machine was basically hosed with crap while you were happily viewing the site.

The bank’s IT staff thought they had the situation under control Friday morning, until they found that each time they changed the index page for the site, it was immediately replaced by the hackers. The bank then decided to bring the site down.

“The Web site was hosted externally by a hosting company in the U.S.,” the employee said. The bank has since changed the company hosting the service, though the employee clarified that the change in hosting provider had been on the cards even before the hacker attack.

Ok, that might have had something to do with it…

The attack on the Web site did not affect the bank’s online banking operations, according to the employee. The bank’s customers access online banking services through a link on the home page of the bank’s site. The online banking service is provided to users from well-protected servers hosted and monitored within the bank by Hewlett-Packard Co., the employee said.

Well, this perhaps needs clarification. If someone visited the home page of the site, and they were vulnerable, they got infected — and it has nothing to do with whether the servers were protected from HP or anyone else. It’s true that this was not a hack of the bank itself, but we did find at least one data-stealing trojan that someone could have gotten just viewing the site’s homepage.

The bank is as yet not clear about the identity of the hackers, although Sunbelt suggested in its blog that it was a criminal gang, called the Russian Business Network (RBN). “We have called for the logs from the hosting provider in the U.S., and we may have some definite information then,” the employee said.

No, it was RBN.

And from the Height of Irony Department, this article from back in January extols the security initiatives of the Bank of India.

I’m not picking on the Bank of India. This kind of stuff is all too common, and it simply highlights the fact that anyone who has a presence on the web is responsible for insuring that their site is clean and safe for visitors — and especially when you have people like RBN out there, just looking for any vulnerability to use to infect users.

As a final note, credit (long overdue) for the discovery of this hack last week goes to Adam Thomas, in Sunbelt’s malware research team.

Alex Eckelberry

Hard to believe it’s already getting to the end of summer for many of you.

So here’s a vid of Mike Parsons in one of the greatest surfing shots ever taken. And yes, it’s real.

In my gangly younger days, I used to surf in California. But I think I would have run for the hills if I ever saw something like this.

Enjoy and have a great weekend.

Alex Eckelberry

You can see a video made by Roger Thompson of how the Bank of India infection looks to the user.

The vid’s a bit rough at the moment, and some of the bits are currently unreadable, but we’ll be editing it as we go, so clearer versions will soon be available, but it’s still interesting.

Video link here. Nice work, Roger.

It’s worth reiterating that fully-patched systems would not have been affected by this hack.

Alex Eckelberry

The Bank of India site is now clean, thanks to the hard work of a number people involved in security and takedown.

It’s worth checking the original blog, which was updated as we got more information through the evening.

The hack was related to the Russian Business Network (RBN) criminal gang. There has has been speculation as to whether the malware was installed through an exploit framework (Webattacker, MPack, Icepack), as it was encrypted in the same way as Webattacker. However, our good friend Roger Thompson (one of the top minds in the area of vulnerability research) believes that it wasn’t using a framework, but likely just now-patched stuff in MS06-042 (someone on a fully patched system would not have gotten infected by visiting this site). Research continues.

Thanks to all who helped!

Alex Eckelberry

We have discovered that the Bank of India’s site, bankofindia(dot)com is compromised and is serving malware. DO NOT VISIT THIS SITE.

The following code can be clearly seen on the site:

(Obviously, do not visit these sites that are in the HTML source).

Attempts are then made to load multiple pieces of malware.

Developing…

Alex Eckelberry

Update: The page is using exploits to install malware.

What we have seen so far:

Email-Worm.Win32.Agent.l
Rootkit.Win32.Agent.dw
Rootkit.Win32.Agent.ey
Trojan-Downloader.Win32.Agent.cnh
Trojan-Downloader.Win32.Small.ddy
Trojan-Proxy.Win32.Agent.nu
Trojan-Proxy.Win32.Wopla.ag
Trojan.Win32.Agent.awz
Trojan-Proxy.Win32.Xorpix.Fam
Trojan-Downloader.Win32.Agent.ceo
Trojan-Downloader.Win32.Tibs.mt
Trojan-Downloader.Win32.Agent.boy
Trojan-Proxy.Win32.Wopla.ah
Trojan-Proxy.Win32.Wopla.ag
Rootkit.Win32.Agent.ea
Trojan.Pandex
Goldun.Fam
Backdoor.Rustock
Trojan.SpamThru
Trojan.Win32.Agent.alt
Trojan.Srizbi
Trojan.Win32.Agent.awz
Email-Worm.Win32.Agent.q
Trojan-Proxy.Win32.Agent.RRbot
Trojan-Proxy.Win32.Cimuz.G
TSPY_AGENT.AAVG (Trend Micro)
Trojan.Netview

Fully patched systems should be unaffected. More coming.

Update 2: We’ve cataloged over 22 pieces of malware. Mostly spam-related malware but we did find a pinch Trojan variant. More info coming as we get it. Biggest issue is the sheer volume of malware we’ve had to analyze.

Update 3: As I write this, it is currently 1:20 a.m EST (10:20 a.m. in India), and the malicious IFRAME is still located on the Bank of India website.

With that said, i just wanted to mention two other very dangerous information stealing Trojans included in this massive install of malware.

First, we are seeing a variant of TSPY_AGENT.AAVG. Trend Micro has an excellent write which you can read here.

Secondly, a variant of Trojan.Netview is being installed. Trojan.Netview is used to gather files from the infected computer as well as network shares. This characteristic is particularly dangerous in networked environments where infected users might have access to unprotected shares containing sensitive information.

The collected files are then uploaded to an FTP server located in Russia.

Of interest is the fact that Trojan.Netview is specifically searching for quarantine folders of antivirus programs. It is no surprise that this particular person had over a hundred items located in their quarantine folder:

Lovely little botnet controller we uncovered a while back:

There are several Help functions:

Roughly translated:

Refresh rate, the length of time (in minutes), through which work will be of investment in Gate of commands (more than the less load on the server)

Command syntax:
start DDoS- attack:
flood type of attack goal

Supported types of attacks :

– icmp
– syn
– udp
– http
– data

The targets may be set ip [???] or domain name, it is also possible to specify multiple goals extraordinary comma;

If you type syn attack, or udp data, the following goals can optionally specify the port number for the attack (or more ports extraordinary comma) if it is not specified, each package will be sent to a random port;

If you type attacks http, after a goal is an option to specify a script, which will be sent GET request (for example : http flood host.com index.php) if the parameter is not specified, the request will be sent to /

stop DDoS- attack:
stop

On fluderov options:

Fluderov packet size in bytes, and the time between sending packages in milliseconds. What time fewer and bigger size, the stronger the attack, but the more likely that the work will get because of exhaustion limit traffic

die:

die

Alex Eckelberry
(Credit to Sunbelt researcher Adam Thomas)

Your feedback helps me do a better job. Give comments and feedback! Multiple choices are fine.

Alex Eckelberry

Do you think someone might click on this thinking it’s a YouTube video?

If they do, they’ll get sent to this page.

And if they want to watch the video, they’ll get this:

Is this misleading? Or is it just good marketing? What do you think?

Alex Eckelberry

Last night, I got this targeted Better Business Bureau spam:

It’s targeted, like a similar one we saw in the past.

However, in the previous version, a document was attached, that used an embedded OLE in an RTF document. You had to actually go through some hoops to get infected.

This one is different. It points you to a website called “document-repository(dot)com”, which pushes you into downloading a file, Complaint_Details_363619942.doc2.exe.

The file, of course, is a trojan (Sunbelt Sandbox report here). Submitting the file to VirusTotal shows mediocre detection.

Alex Eckelberry

Earlier this week, we reported that Zango had backed off its case against PC Tools.

Now, Zango’s court case against Kaspersky was thrown out because Kaspersky enjoys immunity as a result of the Communications Decency Act.

You can see the decision here, at Ben Edelman’s site (who, as a consequence, has also updated his list of legal actions by adware/spyware companies).

Ben points to the relevant statutory language as being:

“No provider or user of an interactive computer service shall be held liable on account of … any action taken to enable or make available … the technical means to restrict access to the material described [i.e. material that the provider or user considers to be obscene, lewd, lascivious, … or otherwise objectionable].”

You can read this language yourself here. (Under Sec. 230).

This is very big news folks. Big news. This decision may have far-reaching consequences for security companies in the inclusion of malicious and/or potentially unwanted software in their software.

Alex Eckelberry

Possibly through the Blogger mail-to feature (where you can email in a blog post)?

But Blogger’s not the only one. For example, a Google search using the term “”this i not good. If this video gets to her husband” reveals lots of sites spammed with this particular exe: (correction — these appear to be sites discussing the spam.)

(Obviously, don’t download this exe — it’s the storm worm. Not a fun thing.)

Alex Eckelberry
(With credit to Cristian — many thanks)

Latest of many tactics.

Alex Eckelberry

Some samples, courtesy of TJ O’Grady:

Subject lines include:

Beta testers needed!
Can you help us out?
Could you give us a hand?

Alex Eckelberry

Painful to read. But funny in a sort of awful way.

8/27 8:26 AM. You are sending these emails to the wrong Bill.
8/27 9:55 AM. Please remove me from the distribution. Thank you!
8/27 9:57 AM. Please remove me from this distribution thank you
8/27 9:57 AM. Please remove me from the distribution list.
8/27 9:57 AM. Please remove me from the distribution. Thank you!
8/27 9:58 AM. DITTO
8/27 9:58 AM. Remove me also
8/27 9:59 AM. SUPER DITTO!
8/27 9:59 AM. Me too please
8/29 9:59 AM. Please remove me as well. Thank you!
8/27 9:59 AM. Me too
8/27 10:00 AM. Same here.
8/27 10:00 AM. Mee too. Thanks
8/27 10:00 AM. Please remove me as well. Thanks!

It gets worse from there on out. Link here.

Alex Eckelberry

Ben Edelman examines software from coupons.com.

I recently examined software from Coupons.com. At first glance their approach seems quite handy. Who could oppose free coupons? But a deeper look reveals troubling behaviors I can’t endorse. This piece summarizes my key concerns:

• Installing with deceptive filenames and registry entries that hinder users’ efforts to fully remove Coupons’ software. Details.
• Failing to remove all Coupons.com components upon a user’s specific request. Details.
• Assigning each user an ID number, and placing this ID onto each printed coupon, without any meaningful disclosure. Details.
• Allowing third-party web sites to retrieve users’ ID numbers, in violation of Coupons.com’s privacy policy. Details.
• Allowing any person to check whether a given user has printed a given coupon, in violation of Coupons.com’s privacy policy. Details.

Link here.

Alex Eckelberry

Controversial adware publisher Zango today conceded defeat by voluntarily withdrawing its proceedings against anti-spyware maker PC Tools. This news follows the courts denial of Zango’s application for a Temporary Restraining Order in June 2007.

Link here.

Alex Eckelberry

Microsoft WGA outage outrages users
Quite a few people were frustrated last week when they tried to validate their Windows software as genuine (which is required to download most updates) and were told they had pirated copies even though they knew their operating systems were legal. This was apparently due to the Windows Genuine Advantage (WGA) server being down. It’s fixed now, but not before annoying a lot of people. Read more here.

Sugar-powered battery? Sweet!
With more and more devices going mobile, we’re always on the lookout for new and better battery technology. Now Sony has developed a battery that’s powered by pouring sugar into it. It’s an innovative idea, for sure. Read more here.

Digital Pen: Cool tool or a solution in search of a problem?
Despite the popularity in today’s wired world of everything digital, the phenomenon of the digital pen has yet to reach critical mass. You probably know about Tablet PCs, but you might not have ever encountered a standalone digital pen and might not know just what to do with it if you did. Still, some companies are betting that these little devices will finally take off. Read more here.

Getting ready for the Gphone?
Rumors are floating around the web about Google building a phone handset that would be a direct competitor to Apple’s iPhone. True or false? Only time will tell. The company itself “can neither confirm nor deny.” Read more here.

How Vista’s Internet Explorer protects you from attack
The version of IE 7 that comes with Vista is different from the version you can download for XP. Specifically, it has better security because it takes advantage of Vista’s User Account Control (UAC) to run in IE Protected Mode. In Protected Mode, IE won’t allow files to be saved in locations on your computer where they could cause problems, and IE can’t make changes to system files without your explicit permission. This makes it a lot less likely that you’ll be a victim of a “drive-by download” that installs malware on your machine. You can read more about this new feature here.

How to take ownership of a folder in XP or Vista
Even if you’re an administrator on your XP or Vista computer, you might find that you get an “access denied” message if you try to open a folder that was created by a different user. However, you can fix this by taking ownership of the folder. Any administrator can take ownership. Here’s how:

1. Be sure you’re logged on with an account that has administrator rights
2. Right click on the folder you want to access
3. Select Properties
4. Click on the Security tab
5. Click on the Advanced button
6. Click on the Owner tab
7. In the list of Names, click on your name
8. To take ownership of the folder and all its contents, click on “Replace owner on subcontainers and objects”
9. Click OK and then click Yes

Can I get my Hotmail messages with Windows Mail?
QUESTION: When I use XP for my mail I used Outlook Express, and I still have two XP machines. Since OE is not available with Vista I am learning Windows Mail. In OE I was able to download my Hotmail account. Mail says I cannot do this with Hotmail. Do you know if there is a way to download my Hotmail into Mail? Right now, having to log into Windows Live Mail to retrieve it is a pain in the rear. – Dennis H.

ANSWER: It appears the Windows Mail program in Vista is about to be replaced by a brand new email client called Windows Live Mail, which handles POP, IMAP and Hotmail accounts. It can be installed on either Vista or on XP to replace Outlook Express. This was announced back in June. It’s still in beta, so you may want to wait until the final release, but it’s available to the public so if you’re the impatient type, you can download it here.

Some add-ons aren’t listed in the Manage Add-ons Dialog Box
If you open the Manage Add-ons dialog box from the Tools menu in Internet Explorer on an XP SP2 machine, you might find that some add-ons you know are installed aren’t listed. This prevents you from being able to disable those add- ons. That’s not good. Fortunately, there’s a fix available. Find out how to get it via KB article 888240.

Can’t restore XP SP2 after using an XP SP1 restore point
Here’s the scenario: you’ve restored your computer to a restore point when XP with Service Pack 1 was installed and now you want to restore to a later restore point that was made after SP2 was installed – but if you try to do so, you’re still stuck with XP SP1. There’s a fix for this one, too. You’ll find it in KB article 835409.

Deb Shinder

Last Saturday night, we threw a party for a group of people who have been friends of ours for over ten years – but some of them we had never met before. They’re members of a small private email list that “spun off” from a larger Internet discussion group back in the 90s, and when one of our fartherest-away members (from Australia) decided to visit us here in Texas, we took that opportunity to invite other list members from the states to all get together. We had a great time, and as usual when you get a bunch of avid ‘Net users together, the talk eventually turned to computers. During the course of conversation, one friend mentioned a co-worker of his who was wanting to get a new computer. An analysis of her needs and the reason she wanted to upgrade revealed that her present machine did pretty much everything she needed to do; her real complaint was with her small, outdated monitor. He pointed out that instead of spending a lot of money to buy a whole new system she didn’t really need, she could put the same amount or less into a high quality large screen monitor and vastly improve her computing experience.

When you really think about it, your monitor is one of the most important peripherals you’ll buy. For most of us, it’s the primary way we interface with the computer (the exception being the blind who must rely on software that can talk to them and tell them what’s on the screen). Although your processor and memory determine how well and quickly your computer performs tasks, it’s your input/output devices – the keyboard, pointing device and monitor – that greatly influence how pleasant or unpleasant the process of getting information into and out of your computer will be.

Yet I see people all the time who buy high end machines and then add a single 17 inch monitor almost as an afterthought. By limiting themselves in that way, they ensure that their computing experience is never quite what it could be. Sure, you can check your email or surf the web or even get work done on a small monitor – I do it on the road with my tiny Sony laptop and its 12″ monitor. Likewise, one can live fairly comfortably in a 500 square foot home; people in New York City, Tokyo and other places where housing is expensive are living proof of that. But it’s so much nicer to have more space to spread out in.

Think back (if you’re old enough) to the days before computers, when we had to get work done with pens and tablets and paper files in manila folders. You could write a report sitting at a little TV tray table, but it was much easier if you had a big executive size desk or dining table where you could spread out all your books and papers. That’s what a big screen monitor – or its often lower cost alternative, multiple smaller monitors – lets you do.

I know I’m not the only one who feels that way. A recent article on Slate at argues that upgrading your monitor is almost always a better choice that upgrading your processor. And now gigantic monitors that were once reserved for only the wealthiest are within the affordability range of more and more computer users.

Apple is probably responsible for starting this trend when they released their 30 inch Cinema HD display back in 2004. I’m not a big Apple fan (although I do have one Mac), but I lusted after that monitor every time I saw one. It was way out of my price range back then, but the price has dropped steadily and the current incarnation sells for $1799, not cheap but not outrageous either.

However, Apple’s no longer the only company with an affordable giant screen. Dell just recently dropped the price of their 30 inch UltraSharp model to $1499. One thing I like better about the Dell and some others is the ability to adjust the height of the monitor. And HP has a 30 inch model, the LP3065, for just $1399. Samsung’s Synchmaster 305T goes for $1271 on Amazon.

You don’t have to go quite that big to get more screen real estate, though. Many companies make 24 to 27 inch monitors that cost quite a bit less. Both Dell and Samsung have 27 inch models for around $1000 and a ViewSonic VX2835wm 28 inch monitor is selling for $679 on Amazon.

Of course, you want to look at more than just the screen size when you buy. Other important specs include the resolution (you’ll want at least 1920×1200 in a giant screen, or even 2560×1600 in a 30 inch), contrast ratio (the higher, the better; for example, the ViewSonic’s 800:1 is not as good as Dell’s 1000:1) and response time (lower is better; 6 milliseconds is pretty good).

Before you plunk down the bucks for a huge monitor, also be sure you have a video card that supports it. Most 30 inchers require a dual DVI card. Other problems with the supersized screens include the heavy weight and how to fit it on the desk. Although not weighing nearly as much as the old CRTs, a 30 inch can easily weigh in at 25 pounds.

As tempting as the huge monitors may be, it often makes a lot more sense both financially and logistically to buy several smaller monitors instead. You can end up with more total screen space for a lower price, the individual monitors are lighter and easier to move around, and you have more flexibility in arranging them (for instance, you can angle/curve them around you instead of having one big, completely flat surface, or even have a second row of monitors above, like this.

Another advantage of multiples is that you can turn on only as many monitors as you need. For instance, if I’m just going to do a quick check of my email, I only turn on one monitor, saving the electricity required to run the other two. With a giant screen, even if I only need to use a small part of the screen, the whole thing has to be turned on.

Of course, you have to have enough video cards to support the number of monitors you have. Most modern cards have either two DVI connectors or one DVI and one analog connector, so you can get two monitors to the card. So, for example, to hook up six monitors to your computer you’d need three video cards. That might mean you’ll need at least one regular PCI card, since few systems have more than two PCI x16 slots.

For most people, though, two cards are enough. I find three to be the optimum number of monitors for my work; I had four for a while but found that I rarely turned the fourth monitor on – I just didn’t usually need to spread out quite that much.

I like being able to reconfigure my monitor setup the way I want it at any given time. That’s why, much as I like the look of some of the sleek all-in-one computers that have the monitor and CPU in the same housing, I haven’t bought one. If that built-in monitor dies before the computer does, you have a problem.

Whichever way you do it – with one giant screen or several smaller ones – having more room to spread out your various application windows without having to click to bring one and then another to the forefront can improve your productivity more than you can imagine. It’s as if, after having viewed the world through a tiny porthole for years, one day you knock out the whole wall and put in a full size picture window. It changes your perspective completely.

What about you? Do you think bigger is better when it comes to monitors, or are you perfectly content with that 15 inch screen that came with the computer? If price were no object, would you prefer to work with a 30 inch behemoth of a monitor or three 19 inch ones? How many monitors, of what size, are ideal? Would you buy (or have you bought) an all-in-one where the monitor isn’t detachable from the rest of the system?

Deb Shinder

[My opinion? I recently got a very large monitor and I’m not sure I like it as much as my older one — it seems like more work to read from side to side — I would check the ergonomics for comfort if you’re looking at getting a larger monitor — Alex]