Seen in the wild: Spyware Quake

Updated info with fix here.

There is a new rogue Anti-Spyware application out there serving as a replacement for Spy Falcon and SpyAxe.

[Screenshot: Spyware Quake]

Spyware Quake is installed through the infamous VCodec trojan as well as various exploits.

WHOIS Information:

Domain Name: SPYWAREQUAKE.COM

Registrant:
SafeSurf LLC
Kevin Gerad (Whois Privacy and Spam Prevention by Whois Source)
U-12 Gamma Commercial Complex # 47 Rizal Highway cor. Manila
Olongapo City
null,98101
PH
Tel. +201.6753332

In addition to just a stealth install of Spyware Quake, an infected machine will exhibit other unwanted symptoms such as Internet Explorer browser hijacks, a stealth installed “Security Toolbar”, and pop-up advertising that is often adult in nature. Also commonly seen is pop-up advertising for WinFixer.

Adam Thomas
Spyware Research

Exploit sites inching near 100

Update: Email may be an attack vector.

From WebSense:

As reported we are actively researching the newest IE zero-day exploits that are surfacing (s: http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=449). To date we have discovered nearly 100 unique URLs that are all attempting to run malicious code on the user’s machine without user intervention.

One interesting aspect we are researching is the number of machines that appear to have been compromised here. The sheer percentage of sites that are compromised versus owned by the attacker is higher than usual. In particular we have noticed several travel related websites that are hosted on different networks.

Link here.

I don’t want to spread undue panic. This is not like the WMF exploit, which had the cruel aspect of using a graphic file to execute a payload. This fact broadened the attack vectors to graphics embedded in emails, graphics being viewed through Google Desktop, etc. This is not the same type of exploit.

However, we concur with the good folks over at WebSense — a lot of sites that we examined with this vulnerability are legitimate sites that have been compromised. It’s not just the usual porn and crack sites that some users go to.

There is no patch available for this exploit. The only way to avoid it is a) turn off Active Scripting or b) use a non-IE browser (although the latest version of IE 7, the March 20 beta 2 preview, is not affected). Your standard protections should be in place — antivirus, firewall, antispyware. Your antivirus program may catch it, but don’t count on it in the near future, as AV vendors themselves are in the process of getting out new definitions.

Alex Eckelberry

Well, this is how they handle software piracy in Russia

Beat ‘em up.

Manager of the company’s software department, Andrei Smirnov, offered to fight the dealer in a fitness center. He defeated the computer pirate 24-16 in three rounds, lasting three minutes each. The dealer’s name was not revealed, News.Ru web edition on high technologies reported on Thursday.

Link here.

Alex Eckelberry
(Thanks John)

It’s in the wild

19 confirmed sites now using the IE vulnerability, as reported on security lists by Dan Hubbard (alert) at WebSense and Joe Stewart at Lurhq.

These can be very nasty. Our analysis of one site, www(dot)textrum(dot)se (since shut down):

The exploit calls a file, updater.exe

[Screenshot: VirusTotal results for updater.exe]

Norman sandbox report:

Found Sandbox: W32/Backdoor; [ General information ]

* Anti debug/emulation code present.
* Creating several executable files on hard-drive.
* File length: 46644 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\Updater.exe.
* Creates directory C:\WINDOWS\SYSTEM32\kazaabackupfiles.
* Creates file C:\WINDOWS\SYSTEM32\kazaabackupfiles\download_me.exe.

[ Changes to registry ]
* Creates value “Windsupdate”=”Updater.exe” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce”.
* Creates value “Windsupdate”=”Updater.exe” in key “HKLM\Software\Microsoft\Windows\CurrentVersion\Run”.
* Modifies value “Dir0”=”012345:C:\WINDOWS\SYSTEM32\kazaabackupfiles” in key “HKCU\Software\Kazaa\LocalContent”.

[ Network services ]
* Connects to “[redacted].com” on port 6667 (IP).
* Connects to IRC server.
* IRC: Uses nickname [redacted]
* IRC: Uses username [redacted].

[ Security issues ]
* Possible backdoor functionality [Authenticate] port 113.

[ Process/window information ]
* Enumerates running processes.
* Will automatically restart after boot (I’ll be back…).
* Attemps to open C:\WINDOWS\SYSTEM32\Updater.exe NULL.
* Enumerates running processes several parses….
* Creates a mutex coolbot1.c4.

Logs information to: C:\WINDOWS\system32\sys.ini

[Screenshot: sys.ini log contents]
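The sandbox report above lists the indicators in free text. As an added example (not part of the original post and not Norman's code), the Python below parses that report format into structured indicators and pulls out the writes to Run/RunOnce keys, which are the persistence a detection rule should key on. The report text is transcribed from the quoted lines with the stripped backslashes restored and the redactions kept; the list of autorun key suffixes is a standard set of logon keys that I supply here, not something the sandbox emits.

```python
import re

# Norman sandbox report lines, transcribed from the report quoted above with
# backslashes restored (constructed input for this example; the IRC host is
# redacted exactly as on the page).
REPORT = r"""
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\Updater.exe.
* Creates directory C:\WINDOWS\SYSTEM32\kazaabackupfiles.
* Creates file C:\WINDOWS\SYSTEM32\kazaabackupfiles\download_me.exe.

[ Changes to registry ]
* Creates value "Windsupdate"="Updater.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Creates value "Windsupdate"="Updater.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Modifies value "Dir0"="012345:C:\WINDOWS\SYSTEM32\kazaabackupfiles" in key "HKCU\Software\Kazaa\LocalContent".

[ Network services ]
* Connects to "[redacted].com" on port 6667 (IP).
* Connects to IRC server.

[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Creates a mutex coolbot1.c4.
"""

# One pattern per report line type we care about; each line ends with a period.
FILE_RE = re.compile(r'^\* Creates file (.+)\.$')
DIR_RE = re.compile(r'^\* Creates directory (.+)\.$')
REG_RE = re.compile(r'^\* (Creates|Modifies) value "([^"]*)"="([^"]*)" in key "([^"]*)"\.$')
NET_RE = re.compile(r'^\* Connects to "([^"]+)" on port (\d+)')
MUTEX_RE = re.compile(r'^\* Creates a mutex (.+)\.$')

# Registry keys whose values are executed at logon/boot (my own list, not
# from the sandbox).  Any write here is a persistence indicator by itself.
AUTORUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
    r"\software\microsoft\windows\currentversion\runservices",
    r"\software\microsoft\windows\currentversion\runservicesonce",
)


def extract_indicators(report: str) -> dict:
    """Turn the free-text sandbox report into lists of typed indicators."""
    ind = {"files": [], "directories": [], "registry": [], "network": [], "mutexes": []}
    for line in report.splitlines():
        line = line.strip()
        if m := FILE_RE.match(line):
            ind["files"].append(m.group(1))
        elif m := DIR_RE.match(line):
            ind["directories"].append(m.group(1))
        elif m := REG_RE.match(line):
            action, name, value, key = m.groups()
            ind["registry"].append({"action": action, "key": key, "name": name, "value": value})
        elif m := NET_RE.match(line):
            ind["network"].append((m.group(1), int(m.group(2))))
        elif m := MUTEX_RE.match(line):
            ind["mutexes"].append(m.group(1))
    return ind


def autorun_entries(ind: dict) -> list:
    """Registry writes that land in a Run/RunOnce key, i.e. persistence."""
    return [e for e in ind["registry"] if e["key"].lower().endswith(AUTORUN_KEY_SUFFIXES)]


def host_indicators(ind: dict) -> set:
    """Flat set of strings a responder can sweep a suspect host for:
    dropped file paths, autorun value data and mutex names."""
    items = set(ind["files"]) | set(ind["mutexes"])
    items |= {e["value"] for e in autorun_entries(ind)}
    return items


if __name__ == "__main__":
    indicators = extract_indicators(REPORT)
    for entry in autorun_entries(indicators):
        print(f"persistence: {entry['key']} \\ {entry['name']} = {entry['value']}")
    for host, port in indicators["network"]:
        print(f"C2 candidate: {host}:{port}")
    print("sweep for:", sorted(host_indicators(indicators)))
```

The registry section is the part worth automating: the same value name written to both the HKCU RunOnce and HKLM Run keys is the bot making sure it survives a reboot for any user, and a host sweep for the value data plus the mutex name catches an infection even where the dropped file was renamed.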

More work going on… may post more later.

Based on what we’re seeing in the wild right now, we hope that Microsoft will patch this new IE exploit prior to April 11 (the next scheduled update).

Keep your AV and antispyware updated and run your software firewall (free suggestions here). The only valid workaround until a patch arrives is to turn off Active Scripting in IE, or use another browser. Your AV may very well catch these nasties, but don’t count on it in the immediate future.

Alex Eckelberry

Pamela Parker muses about adware

Pamela Parker at ClickZ muses about adware:

Let me start by saying I don’t think adware is a bad thing. Definitions differ, but I’ve always used the word adware to mean ad-supported software, which includes things like AOL’s AIM and WeatherBug. As far as I’m concerned, so long as users understand they’re seeing ads in exchange for getting free software, that’s just fine. Transparency is key.

That said, the word adware has long had some sinister connotations, and for good reason. Even some of the more upstanding of adware companies have somewhat shady pasts — pasts full of questionable distribution methods, associations with disreputable software providers, a lack of disclosure and much consumer ill-will. A history like that can be very hard to leave behind.

Putting WeatherBug, AIM and (ostensibly) Eudora’s free ad-supported version in the category of adware is actually incorrect.  Ad-supported software is different from adware.  Adware exists with the primary purpose of providing advertising.  Ad-supported software (like Eudora) exists for the purpose of supporting the vendor, but the primary purpose of the application is not advertising.  Eudora is an email program.  It has banner ads.  It is not WhenU SaveNow, 180Solutions Zango, Direct Revenue BestOffersNetwork, etc.  (Getting definitions on adware is also interesting).

You can read Pamela’s article here.

Alex Eckelberry

Kerio deal expires soon

Shameless salesmanship, but I figure it has to be said:

When we launched the Kerio Firewall under our own name, we put in place an intro price of $14.95, a ridiculously cheap deal for a full-featured firewall.  The offer ends on the 31st, at which point it goes up to $19.95 (still a great deal), so if you want it, grab a free download, do your eval and pick it up before the end of the month.  Link to download page here.

Alex Eckelberry

CDT: xxx domains are stupid. Throw the idea out.

From the CDT:

CDT is urging Sens. Max Baucus (D-Mont.) and Mark Pryor (D-Ark.) to withdraw a bill that would force Internet authorities to create a “.xxx” domain for adult content. In a letter sent this week to the Senators, who co-sponsored S. 2426, the Cyber Safety for Kids Act of 2006, CDT warns that the bill will provide ammunition for those seeking to bring the Internet under the control of a multi-governmental bureaucracy. If passed, the bill would also violate the First Amendment rights of Web site operators and would do little to protect children from harmful material online, CDT wrote. March 24, 2006

Link here.

Alex Eckelberry

Free web content filtering

At the ASC workshop back in February, I met with one of the folks at Blue Coat, and found out that they are providing a free web filtering product for home use.  I tested it, and it’s not bad (considering the price).  The version I tested doesn’t compare to more advanced products like CyberPatrol and Cybersitter, but considering the price, it’s not a bad deal.  Note that Microsoft has announced plans for free web content filtering.

The link for the free K9 version is here.

Alex Eckelberry

IE POC code in the wild

As many of you know, there is proof of concept code for a recently published IE vulnerability in the wild. 

From SANS:

Folks, as Lorna predicted yesterday, it didn’t take long for the exploits to appear for that IE vulnerability.  One has been making the rounds that pops the calculator up (no, I’m not going to point you to the PoC code, it is easy enough to find if you read any of the standard mailing lists), but it is a relatively trivial mod to turn that into something more destructive (in fact one of our readers, Matt Davis, has provided us with a version that he created that is more destructive).  For that reason, we’re raising Infocon to yellow for the next 24 hours. 

As SANS says, Microsoft recommends turning off Active Scripting.  You can also switch to Firefox or Opera.

We are watching very carefully out there for any sites using this exploit.

Alex Eckelberry

Communities for IT managers

One of the free services we’ve been offering IT professionals for years is our user forums.  Focused on IT issues, they are valuable if your job is running a network, or if you’re involved in network security.   We have a lot of professionals on these forums and some of these lists are very active.

The most active lists are the NTSYSADMIN list and MS Exchange Management Issues.  These are a good starting point for someone who wants to get into communication on general IT issues.

NTSYSADMIN
Subscribe
Read Charter/Login

5,100+ Members – Sunbelt Software hosts this list to invite the free and open discussion of Windows NT System Administration Issues. This list is intended to be a forum to discuss how to keep NT Servers up and running in a production environment. NOTE: High Traffic


MS Exchange Management Issues
Subscribe
Read Charter/Login

3,600+ Members – Sunbelt Software hosts this list to invite the free and open discussion of Microsoft Exchange Administration Issues. This list is intended to be a forum to discuss how to keep Exchange up & running in a production environment, and as help to pass the Exchange Certification Exams. NOTE: High Traffic

Feel free to join one of our lists.  A full description of all the lists is here.

Alex Eckelberry

Bill Day at WhenU: “Hold the phone people, advertising in adware isn’t necessarily bad”

Bill Day, CEO of WhenU, wants ad buyers to be intelligent about their media buys — not just walk away from adware completely. 

So what’s a buyer to do? You could simply abstain from all adware (and to be consistent, maybe abstain from working with all behavioral targeting or even all advertising networks whose analytics and third-party tracking cookies raise concerns while you’re at it). As thought leaders, we can’t operate successfully by making simplistic decisions; successful online marketing involves a certain amount of pioneering. But how do you strike the right balance?

Now, realize that the media buying side of the ad business is dominated by harassed and overworked 20–somethings.  It is a lot to ask of anyone in that position to make a decision with any granularity (“let’s see, this one adware company has a long writeup from Ben Edelman and has practiced a number of illegal drive-by installs, while this one is different, because they have full disclosure and consent, however Eric Howes wrote a whitepaper which criticized several aspects of their business…”).

So ad buyers need a simple solution, which is why the ad business loves the TRUSTe Trusted Download Program.  It makes buying a simple binary decision for ad buyers — “oh, it’s certified?  Then I can place ads in it”.  Of course, in the end, it is a validation of the adware business model…  (see a recent Sunbelt posting about TRUSTe here).

But here’s a direct reference to an adware company (We All Know of Whom He Is Speaking):

Be especially wary of those who defend themselves by accusing the anti-spyware community of being a bunch of ad-hating “zealots” and “fanatics”–most security advocates leading the charge to accountability are thoughtful, dedicated and discriminating professionals who are able to see the difference between hot air and meaningful moves. If hardcore anti-spyware watchdogs can be discriminating, media buyers can be, too.

Link here.

Alex Eckelberry

Two advertisers pull out of 180Solutions

Must be because Sean Sundwall left.

Altrec, an online store selling outdoor clothing and gear, has “discontinued its experiment with 180solutions indefinitely,” the company said in an email to vnunet.com. The company stressed that the test had been limited in its scope, with Altrec spending no more than $440.

Online mobile phone store Letstalk.com too has cut all ties with the adware maker, chief executive Delly Tamer said in an emailed statement.

And GreetingCards.com had an epiphany:

Lastly GreetingCards.com said that it was unaware of 180solutions’ history of unfair and deceptive practices and has cancelled its contracts with the firm.

Link here with gracious thanks to Ferg.

One assumes this is as the result of the good work on the part of the CDT, who published the dirty details earlier this week.

Alex Eckelberry

There is no free lunch

Get a free iPod!

In a civil complaint (click here for PDF) released Thursday, New York Attorney General Eliot Spitzer accused Washington D.C.-based Gratis Internet of deceptive business practices. The suit requests monetary penalties and an injunction against the activity in question.

The suit, filed in the state’s supreme court in Manhattan, marks the latest chapter in Spitzer’s charge against what he has labeled the largest deliberate breaches of privacy in Internet history. Earlier this month, the attorney general announced a $1.1 million settlement with Datran Media. The e-mail marketer had been accused of buying at least 6 million files from Gratis, despite knowing that the transaction ran contrary to the seller’s privacy policy.

Link here.

Alex Eckelberry

New York heading for Big Brudduh

Not Good.  505 cameras to be installed in NYC.

The NYPD is installing 505 surveillance cameras around the city – and pushing to safeguard lower Manhattan with a “ring of steel” that could track hundreds of thousands of people and cars a day, authorities revealed yesterday.

NYCLU is battling back:

But don’t expect the NYPD to install its cameras without battling the New York Civil Liberties Union. The watchdog group’s associate legal director, Chris Dunn, questioned the plan.

“Commissioner Kelly may be ready to launch us all into a surveillance society, but we believe cameras are not a cure-all for crime and terrorism,” Dunn said. “It is far from clear that cameras deter crime.”

Link here.

Alex


Seen in the wild: eBay accounts for sale

This site in Russian is offering eBay accounts for sale.

[Screenshot: the Russian site offering eBay accounts for sale]

While it’s in Russian, the basics of the text in the website are that:

  • They sell e-Bay and PayPal (rarely) accounts.
  • They have a Trojan that steals account info from e-Bay logs and prefer to steal accounts with minimal seller/buyer activities.
  • The better the feedback on a given account, the more expensive it is. Real account holder e-mails are available as well.

They even have a list of users to buy:

[Screenshot: list of accounts offered for sale]

As is our normal practice, we have reported this to our security contacts at eBay. 

Alex Eckelberry
(Thanks Sunbelters Adam Thomas for the site and Olexiy for the translation)


Sunbelt TechTips for the week of March 20

How to Delete Files with Illegal or Reserved Names
Sometimes an application will create a file that has an “illegal” file name (that is, a name that’s reserved by the operating system, such as LPT1 or PRN). If this happens, you may not be able to delete these files using the graphical interface. Here’s how to delete them:

  1. If the partition on which the files reside is formatted in FAT, at the MS-DOS prompt, type DEL and then the file name with wildcard characters, such as DEL LPT?.*
  2. If the partition is NTFS, you’ll need to use a syntax that bypasses the normal reserved word checks: DEL \\.\(drive letter):\(path)\(file name) (for example: DEL \\.\c:\myfolder\lpt
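An added example, not from the TechTip or from Microsoft, showing the two checks behind that procedure in Python: recognising which names on a volume collide with the reserved device names (still reserved when an extension follows, so LPT1.txt is just as stuck as LPT1), and building the command line for each filesystem case, with the `\\.\` prefix for NTFS that routes the path through the device namespace so the reserved-name check is skipped. The directory listing at the bottom is constructed sample input.

```python
import re

# Device names Windows reserves, case-insensitively: CON, PRN, AUX, NUL and
# COM1-COM9, LPT1-LPT9.  A name stays reserved when an extension follows.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)


def is_reserved_name(filename: str) -> bool:
    """True when the Win32 name parser would treat the name as a device."""
    stem = filename.split(".", 1)[0].strip()   # "LPT1.txt" -> "LPT1"
    return stem.upper() in RESERVED_DEVICE_NAMES


def device_path(win_path: str) -> str:
    # Prefix an absolute drive-letter path with \\.\ so it is opened through
    # the device namespace; that skips the reserved-name parsing (NTFS case).
    if not re.fullmatch(r"[A-Za-z]:\\.*", win_path):
        raise ValueError("expected an absolute drive-letter path, e.g. C:\\folder\\lpt1")
    return "\\\\.\\" + win_path


def del_command(win_path: str, filesystem: str) -> str:
    """Build the DEL line the tip describes for a FAT or an NTFS volume."""
    folder, _, name = win_path.rpartition("\\")
    prefix = folder + "\\" if folder else ""
    if filesystem.upper() == "FAT":
        # Wildcard form: replace the last character of the stem so the
        # argument no longer equals a device name, e.g. LPT1 -> LPT?.*
        stem = name.split(".", 1)[0]
        return f"DEL {prefix}{stem[:-1]}?.*"
    if filesystem.upper() == "NTFS":
        return f"DEL {device_path(win_path)}"
    raise ValueError("filesystem must be FAT or NTFS")


def find_reserved(names) -> list:
    """Scan a directory listing and return the entries that need the trick."""
    return [n for n in names if is_reserved_name(n)]


if __name__ == "__main__":
    # Constructed listing of a folder an application has written into.
    listing = ["report.txt", "LPT1", "con.log", "aux.tar.gz", "COM10", "b.exe"]
    for stuck in find_reserved(listing):
        path = "C:\\myfolder\\" + stuck
        print(del_command(path, "NTFS"))
        print(del_command(path, "FAT"))
```

Note that COM10 is not flagged: only COM1 through COM9 and LPT1 through LPT9 are reserved, which is why the wildcard trick on FAT works at all, since `LPT?` is not itself a device name.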

How to Add the Comment Pane in Word
You can add a comment pane feature in Word 2002 or 2003 by creating a macro and running it in a Word document that contains comments. Instructions and code for the macro are shown in KB article 913759 here.

How to Edit the Registry to Replace In-use Files at Windows Startup
There are several ways to replace a file that’s in use by Windows at startup. One way is to edit the Registry. Always back up the registry before editing it.

  1. Start your favorite registry editor.
  2. Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
  3. Create a new value of the type REG_MULTI_SZ and name it PendingFileRenameOperations.
  4. In the value data field, type the following on two separate lines: \??\c:\temp\win32k.sys and !\??\c:\winnt\system32\win32k.s
  5. Close the registry editor.
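The value written in step 4 has a small format of its own, and it is worth being able to read it as well as write it, because the same key is where anything that wants to swap a system file at next boot has to queue the job. As an added example (mine, not from the TechTip or Microsoft), the Python below encodes a list of rename/delete jobs into the REG_MULTI_SZ lines, decodes them back, and flags any queued operation that will touch system32. It works on the strings only and does not touch a registry; the source and target paths in the sample are constructed placeholders.

```python
# The value holds pairs of lines: source path, then destination path.  Paths
# use the kernel "\??\" prefix.  An empty destination means "delete the
# source"; a leading "!" on the destination means "replace the destination
# if it already exists" (the step-4 example uses that form).
NT_PREFIX = "\\??\\"

# Directories where a queued overwrite deserves a second look (my list).
SYSTEM_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\")


def to_nt_path(win_path: str) -> str:
    # c:\temp\x.sys -> \??\c:\temp\x.sys ; already-prefixed paths pass through
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def from_nt_path(nt_path: str) -> str:
    return nt_path[len(NT_PREFIX):] if nt_path.startswith(NT_PREFIX) else nt_path


def encode_operations(ops) -> list:
    """ops: (source, target, replace_existing) tuples; target None = delete.
    Returns the REG_MULTI_SZ lines in the order the key expects."""
    lines = []
    for source, target, replace_existing in ops:
        lines.append(to_nt_path(source))
        if target is None:
            lines.append("")
        else:
            lines.append(("!" if replace_existing else "") + to_nt_path(target))
    return lines


def decode_operations(lines) -> list:
    """Inverse of encode_operations: the key's lines back into jobs."""
    if len(lines) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/target pairs")
    ops = []
    for src, dst in zip(lines[0::2], lines[1::2]):
        if dst == "":
            ops.append({"op": "delete", "source": from_nt_path(src)})
        else:
            ops.append({
                "op": "rename",
                "source": from_nt_path(src),
                "target": from_nt_path(dst.lstrip("!")),
                "replace_existing": dst.startswith("!"),
            })
    return ops


def audit(ops) -> list:
    """Jobs that will overwrite or remove something under system32 at boot;
    when reviewing this key on a host, these are the ones to explain first."""
    flagged = []
    for op in ops:
        path = (op.get("target") or op["source"]).lower()
        if any(d in path for d in SYSTEM_DIRS):
            flagged.append(op)
    return flagged


# Constructed sample: stage a replacement driver and drop an installer log.
SAMPLE_OPS = [
    ("c:\\temp\\example.sys", "c:\\winnt\\system32\\example.sys", True),
    ("c:\\temp\\install.log", None, False),
]

if __name__ == "__main__":
    lines = encode_operations(SAMPLE_OPS)
    print("value data:", lines)
    for op in audit(decode_operations(lines)):
        print("touches system32 at next boot:", op)
```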

Direct Hosting of SMB over TCP/IP
Windows 2000/XP/2003 supports file and printer sharing traffic by using Server Message Block (SMB) directly hosted on TCP, unlike earlier versions of Windows that required NetBIOS over TCP (NetBT). Disabling NetBIOS has several advantages. KB article 204279 includes instructions for disabling NetBIOS over TCP/IP here.

How to Configure the Popup Blocker in XP SP2
When you install Service Pack 2 for Windows XP, it adds a popup blocker to Internet Explorer, which is turned on by default. You can configure its settings to allow popups on certain web sites or block all popup windows. You can also configure IE to play a sound to notify you when a popup window is blocked. KB article 843016 tells you how to configure the popup blocker to suit your needs here.

No Results Returned when you Search for Files or Folders
Sometimes if you run a search for files or folders over a slow network link, your Windows XP computer may give you a message that says “Search is complete. There are no results to display” even though the files or folders you’re searching for exist. It happens because Windows mistakenly determines that the files or folders are offline and excludes them from the search. To find out what to do about the problem, see KB article 885843 here.

Deb Shinder

Sunbelt TechTip: Clear my tracks

Make IE 6 a Little More Like IE 7: One of IE 7’s new features is a “clear my tracks” option that lets you delete all temporary Internet files (browser cache), cookies and web browsing history.

That’s especially useful when you share a computer with others and don’t want them snooping in your web browsing habits. If you’re not ready to install IE 7 but you’d like to be able to do the same thing with IE 6, you can download this little free program from Microsoft or run it from the web site.

Deb Shinder

Don’t expect to see Vista until Q1 2007

According to a subscriber email we just received from Client Server News, the consumer version of Vista won’t ship until January. 

According to Client Server News, “the delay is being done in the name of quality, according to Vista boss Jim Allchin.”

Commercial volume licensees will see it in November.


Alex Eckelberry

Can You Trust Online Services with your Data?

I often warn computer users about the importance of backing up all your important data. Whether it’s the first few chapters of your Great American Novel, the outline for your ten-year career plan, all that financial information you painstakingly entered into a spreadsheet or tax program, digital photos and home videos, or just a huge collection of (legally downloaded, we hope) MP3s, it represents time, effort and sometimes a lot of money.

Yet a week doesn’t go by that we don’t hear someone lament that “my computer crashed and I lost everything.” A lot of people seem to regard hard disk failure in much the same way they look at plane crashes or tornadoes or fatal diseases – as things that happen to “other people.” Until it happens to them. The good news is that unlike those much more horrific disasters, a computer disaster is something that you can prepare for and recover from with a minimum amount of loss – if you take the time and plan properly.

There are lots of ways to back up your data. You can copy it to a second hard disk (internal or removable), write it to a CD or DVD, copy your files to another computer on your home network, or even invest in a tape backup system. Any of those options is a start, but it’s not enough. Unfortunately, when it comes to their personal data, most folks stop there. But what happens if your computer is stolen (along with its second hard disk and the DVD that you left in the tray of the writer)? What if a flood or fire destroys your computer room, along with the removable disk or tape backup in the desk drawer? What if a tornado wipes out the whole house, including the second computer upstairs to which you copied your data?

That’s why an effective backup plan has to include some sort of off-site storage. A number of online services have popped up, offering a way for you to upload your data to their servers (which may be in another state or even another country – about as off-site as you can get). Some offer a limited amount of free storage, others charge a fee ranging from a few dollars per year to much more for professional level “electronic vaults” that automatically back up your data continually and store it in redundant locations with a high degree of physical security.

Most home users aren’t interested in paying hundreds or thousands of dollars for that level of protection, but you might very well be tempted by some of the free services such as Xdrive or Streamload. The price is certainly right – but you may find that the free plans aren’t really as useful (or as free) as the ads make them sound.

For instance, Xdrive’s front page touts “5GB to unlimited gigabytes of online storage.” Unfortunately, it’s only the 5 GB that’s free. Once upon a time, 5 GB of data was an almost unimaginable amount (a mere ten years ago, in 1996, my computer had a total of 3 GB of hard disk space – two 1.5 GB drives – and I was wondering how I’d ever fill up all that space). Today, with high quality digital photo files that are 100MB or more in size and the ability to record TV shows on your Media Center PC (at about 1.5 GB per half hour program), 5 GB isn’t much space at all. It’s likely it won’t be enough to back up all your data files. To get more space, you have to pay for it. And you have to provide credit card information even to sign up for the free trial. In addition, the service doesn’t support FTP access or allow versioning of your documents, even with the paid plan. On the positive side, they do offer automated backup of selected folders so you don’t have to remember to manually back them up each time.

Streamload, at first glance, looks a lot better. They offer 25 GB of free storage. And they don’t ask for a credit card to set up a free account. However, there is a catch: Although you can upload 25 GB to the site, you’re limited to downloading 100 MB per month. Paid plans range from $4.85 per month (unlimited storage, download up to 1 GB) to $39.95 per month (unlimited storage, download up to 60 GB). This means if you store your 20 GB of data on Streamload and then you need to restore it all at once, you’ll have to upgrade your account to the $19.95 per month plan (allows up to 25 GB download). Of course, you might never need to download the whole thing at once, and if you do, that means all your on-site backups are gone and you probably would be willing to pay to get your data back.

These are just a few examples of consumer-level online storage services. There are many others: IBackup , Online Storage Solutions, My Net Storage. Companies better known for other products also offer online storage options; an example is Apple’s iDisk.

One question you have to consider before signing up with any of these services: how secure is your data on their servers? Remember that anyone who gets your username and password can access your data from anywhere in the world. If you only have music, videos and low-security documents that you want to back up, this probably isn’t an issue. If you have highly confidential information, you might not want to upload it to an online service, or you might want to pay more for a business-grade service that guarantees a higher level of security.

What about reliability? Web businesses come and go, and if you upload your data to one that subsequently goes out of business, you may never see that data again. That’s why I’d recommend using the services as one part of a backup plan – not as the whole plan. Put your non-sensitive data there for convenience, but also make a DVD or tape and take it to work with you and store it in your desk there, or keep it at a friend’s or relative’s house or even in a bank safe deposit box.

There are other options for storing your backup files online, too. Many ISPs give their customers a certain amount of Web space free with an Internet account. If you don’t have a Web site, you can still FTP copies of your data files to the Web server to store them. Note that this isn’t a particularly secure option, so only use it for non-sensitive files.

If you have a friend who has a network with extra server space, the two of you could upload files to one another’s servers. This is a good plan if your friend is technically savvy and trustworthy, and you will probably have more control than with a service run by people you don’t know personally.

Tell us your opinions on the backup dilemma. Do you keep copies of your important data off-site? Do you use an online service or do it another way? Have you had good or bad experiences with the services? Comment away.

Deb Shinder