State of AV scanners

Virus.gr did a test of AV scanners from the 14th through the 22nd of December. They also included spyware scanners like CounterSpy (not surprisingly, none of the spyware scanners did well, because their focus is on spyware, not viruses).

It’s probably a test that will be argued by the AV companies, but it’s worth looking at.  Not surprisingly, Kaspersky came out on top (it is an outstanding engine).  

Here are top 10 rankings:

1. Kaspersky Personal Pro version 5.0.390- 99.46%
    Kaspersky 2006 beta version 6.0.15.222- 99.46%
2. F-Secure 2006 version 6.10.330 – 96.92%
3. CyberScrub version 1.0 – 96.62%
4. eScan Virus Control version 2.6.522.9 – 95.21%
5. McAfee version 10.0.27 – 94.80%
6. BitDefender version 9 – 90.75%
7. Nod32 version 2.50.41 – 88.79%
8. AntiVir Personal version 6.32.00.51 – 86.55%
9. MKS_VIR 2005 – 86.16%
10. Norton Professional version 2006 – 85.17%

Link here via Donna.

Alex Eckelberry

Seen in the wild: More fraudulent antispyware advertising

Imagine getting this scary message while surfing a site (in this case, a porn site):

Spywarefoundupsex

(upssex(dot)com/galls/amateur.html)

Clicking Ok takes you to a page which describes the so-called “virus” that you’re infected with:

Fakeavpage213424

(watchforall(dot)com/cgi-bin/search/go.fcgi)

In this case, the page directs you to a TopTenReviews page (yesterday, it referred to an antispyware application–so I guess it depends on what the state of the affiliate plans are out there…).

Toptenreviews12980123

Clicking “Cancel” brings up various porn sites. 

tonsporn(dot) com//galls/amateur.html  also brings up the fake message.

Alex Eckelberry
(Thanks to Sunbelt researcher Patrick Jordan for this)

Secure Computing comes out swinging

Secure Computing LLC (not to be confused with the publicly-traded web security company Secure Computing Corporation) was hit with a lawsuit in January that alleged that:

“…Secure Computer, its principals and associates advertised and distributed a product called Spyware Cleaner through spam, pop-up ads and deceptive hyperlinks,” McKenna explained. “However, not only did this product fail to detect and remove spyware on the consumer’s computer, it actually tampered with security settings to make the machine even more vulnerable.”

Secure, which made the alleged rogue antispyware application Spyware Cleaner, has filed an Answer which vigorously defends its practices:

John W. Dozier, Jr., managing partner of Dozier Internet Law, P.C., legal counsel for Secure Computer, LLC, reports that, “Our extensive investigation revealed that many of the facts alleged by the Attorney General are wrong. The Answer filed on Tuesday goes through the factual and legal allegations in tremendous detail, and we believe the theories espoused by the State of Washington are patently wrong. In fact, we have provided extensive information that debunks many of the misunderstandings the Attorney General developed in the course of its joint investigation with Microsoft Corporation.”

Paul E. Burke, president of Secure Computer, LLC, feels the lawsuit is motivated by Microsoft’s interest in controlling the anti-spyware software market. Burke stated, “I was shocked when I found out about the lawsuits and was even more shocked to learn that the State of Washington and one of my competitors, Microsoft Corporation, could make these allegations without the facts or law to back them up. Now, as a result of these false allegations, the reputation of my company, and my company’s products, have been disparaged and destroyed.”

Link here.

I’m trying to get a hold of the Answer for all to see. 

This ought to be interesting.

Alex Eckelberry

Looking for some beta testers

We’re actively beta-testing our new antispam and antivirus solution for Microsoft Exchange, Sunbelt Messaging Ninja.  If you run Microsoft Exchange and would like to test it, send an email to beta(at)Sunbelt-software.com and put “Ninja Beta” in the subject.

This is a very cool product and if you’re interested in mail security, something you may want to look at. Specs here.

Alex Eckelberry


This you gotta read

Buildingbotnet210980

Brian Krebs at the Washington Post has been working for months on a story on botnets.  It’s finally hit the light of day.  This is solid reporting — Brian spent months researching and working on this piece. 

It starts with a story about a hacker, 0x80, who controls a large botnet at his pleasure.  Of course, these are machines that he can install spyware on to make affiliate commissions.

In the six hours between crashing into bed and rolling out of it, the 21-year-old hacker has broken into nearly 2,000 personal computers around the globe. He slept while software he wrote scoured the Internet for vulnerable computers and infected them with viruses that turned them into slaves.

Now, with the smoke of his day’s first Marlboro curling across the living room of his parents’ brick rambler, the hacker known online as “0x80” (pronounced X-eighty) plops his wiry frame into a tan, weathered couch, sets his new laptop on the coffee table and punches in a series of commands. At his behest, the commandeered PCs will begin downloading and installing software that will bombard their users with advertisements for pornographic Web sites. After the installation, 0x80 orders the machines to search the Internet for other potential victims.

You can read the whole article here.

Segues, plasma screens and beautiful people: Brian also went out to 180Solutions while researching this story.  A lot of what he found there was cut from the botnet story for space considerations.  So, he posted a separate article on his blog about his experiences out there.

I notice that each of the company’s departments is fitted with large, wall-mounted plasma screen televisions that display graphs charting 180’s daily and weekly sales and revenue numbers. The display nearest the marketing department showed that 180 pulled in more than $1 million in the past week alone serving ads to people who have its adware installed on their computers. Today’s estimated revenue is slightly more than $100,000; the graph showing how much the company has actually earned so far today reads $2,966, but then again it is just after 10 a.m.

Link here.

There’s also a nifty graphic of how botnets are created that you can see here.

Well done Brian.  You have done a great service to the community. 

Alex Eckelberry

So what are the Highconvert folks up to?

Our Dear Friends at Highconvert(dot)com (you can see them loading spyware through an old exploit at Ben Edelman’s site here) have apparently set up a new IP range in the Russian Federation: 217.170.68.68. 

But going to that IP provides you with a wonderful graphical representation of a word best left unsaid.

Highconvertfubad

Tsk tsk.  What are these boys up to?  Something to watch…

Alex Eckelberry
(Thanks Patrick Jordan)


Eric Howes to talk about spyware in Houston on Feb 28

Our head of malware research, Eric Howes, will be in Houston at the Microsoft offices doing a presentation on spyware.  From our propaganda:

Spyware is a serious threat to your enterprise network, and the threat continues to grow. Awareness campaigns and user education are useful, but they’re not enough. Legislation may deter some “legit” adware distributors, but many criminal spyware writers will continue to create and release malware that threatens the stability, security, and performance of your network. Not to mention your users’ and organization’s confidential data. In many cases spyware can also compromise federally mandated security compliance.

Register for Sunbelt Software’s free seminar “Winning the War on the Spyware Battlefield” and learn how to better protect your organization from spyware on Tuesday, February 28, 2006 in Houston, TX.

This seminar will look at the current state of the spyware problem, addressing its effects on privacy, financial security, corporate responsibilities and productivity, as well as outline how CounterSpy Enterprise can help better protect your organization from spyware threats.

Join renowned spyware researcher and Sunbelt’s Director of Malware Research, Eric Howes, for an engaging discussion on the scope of the spyware problem. Widely regarded as one of the foremost experts on spyware and its malicious mechanisms, Howes has served as a panelist at the CNET Antispyware Workshop and is an active and well-known participant in many of the security forums dedicated to spyware research. The seminar will also include a live demonstration on how CounterSpy Enterprise can help you fight the battle against spyware.

Why should you attend?

  • Learn how spyware affects business productivity
  • Understand the impact of spyware on network stability, security, and performance
  • See how spyware can cause violations of federal regulations
  • Discover how to better protect your network and users from spyware
  • See CounterSpy Enterprise in action
  • And more

Click here to register.

Alex Eckelberry


Wireless security seminar on February 21st

If you’re involved in corporate wireless security, you might be interested in this event. We’ve arranged for Craig Mathias, a wireless security expert, to hold a seminar for our enterprise customers on wireless security.

This is not a Sunbelt or vendor sales pitch.  We’re paying for this as a complimentary service for any enterprise customers on a Sunbelt maintenance plan.  

The event is on Tuesday, February 21, 2006 at 2:00 PM – 3:00 PM EST.

If you’re a Sunbelt enterprise customer on a maintenance plan, the event is free; non-customers pay $99 for entry.

From our hype:

Expert Webcast: Strategies for Wireless Security.

With both local-area and wide-area wireless well on their way to becoming the default connectivity for both voice and data, it’s imperative that IT managers develop effective strategies and implementations for wireless security. As it turns out, wireless security is just one aspect of a complete security solution. Join us on Tuesday, February 21st at 2:00 pm Eastern Time, as we take an insightful look at wireless security. Featured speaker will be Craig J. Mathias, the Principal of Farpoint Group.

Widely regarded as one of the foremost experts on wireless security and its mechanisms, Craig has served as a Co-Chairman at the Wireless Security Conference, serves on the Advisory Boards of major industry conferences and is an active and well-known participant in many of the forums dedicated to wireless technologies and industry news such as wireless.itworld.com.

Craig will provide a rare look into the wireless security puzzle and examine wireless LANs, look at the challenges, requirements, tools, and solutions to wireless security. He’ll go beyond the ordinary to fully examine what’s really needed at Layers 2, 3, 4, and 7 of the famous OSI model to provide unique and valuable insight.

During this webcast, you’ll learn from Craig how to:

  • Understand the key elements of an overall security plan.
  • Examine the security facilities inherent in Wi-Fi
  • Explore higher-level security tools and techniques
  • See how upper-layer tools can be applied to wireless beyond Wi-Fi
  • Gain insights into the future of wireless security

To attend, click here (note—it may say on the page that it’s a Microsoft event, but it’s not.)

Alex Eckelberry

Botnet hits hospital

Christopher Maxwell, a 20-year-old in California, had a ball running a botnet of over 10,000 PCs. In fact, he got really lucky: He was able to get into a hospital network, where according to the Seattle PI, he “allegedly impaired patient treatment, delayed processing lab tests and surgery scheduling, and shut down computers in intensive-care rooms”.

Of course, he installed a slew of adware programs.

I’m trying to get a hold of a copy of the indictment.

Alex Eckelberry
(Hat tip to Ferg)

Sunbelt OEM solutions

A number of people have been interested in using our technologies in their products.  Well, we actually have a dedicated effort here to provide often customized security solutions to other companies. 

The offerings range from Software Development Kits (SDKs), which allow OEMs to incorporate our technology into their products, to custom development of security solutions.  

Currently, we offer the following pre-packaged SDKs:

CounterSpy Client SDK: This allows OEMs to incorporate client-side antispyware scanning, remediation and active protection into their products.  The SDK is built on our new 2.0 platform, which is light years ahead of our current version (the 2.0 platform will be part of our client and enterprise antispyware products next quarter).

CounterSpy BorderPatrol SDK: BorderPatrol is a multi-platform, cross-compiled SDK specifically designed for appliance and proxy vendors.  Basically, it stops spyware at the perimeter of the network. You’ll see more and more boxes coming out with this technology.

Kerio Firewall SDK: This exposes quite a bit of the functionality of the Kerio Firewall to people who want to integrate firewall security into their products.  This is a rich endpoint security solution —more than just a firewall — it has a bunch of features, including intrusion prevention.  This SDK will be available over the coming months.

If you’re interested in these technologies, contact Carol Montgomery-Adams.

Alex Eckelberry

WinFixer pop-up spoofs Windows Live Safety Center

A while back, we received this pop-up advertisement after doing some research with the V-CODEC trojans.

Wfspoof

This pop-up looks very similar to the actual Windows Live Safety Center:

Safetycenter

However, clicking the “Full Service Scan” button on the pop-up takes you to WinFixer’s website, where you are prompted to install their software.

Wfspoof2

Adam Thomas
Spyware Research

Whenu

Front page of Adotas, an article about Bill Day of WhenU:

After talking to adware players, vendors and proponents, Day eventually hooked with New York-based WhenU in October 2004. In doing so, he immediately set about to change the company’s strategy, technology and policies. “When I came in, I made a lot of changes because I had a long-term vision that it’s about getting to a model where users receive excellent advertising, and go through an entirely above-board process for how the software gets on the computer. If you want to uninstall, you can uninstall. All our ads are branded heavily, and we actually offer an 800 number on the ad itself. These are things that most other people don’t do – I hope they do in the future – but they’re basically what I like to call the ground rules for properly competing in the space. We’re looking to continue to do things to generate user value.”

Link here.

Alex Eckelberry
(Thanks Amanda)

Are major ad networks promoting porn?

Fresh in from the Anti-spyware Coalition workshop, I hope to be writing a bit about third party ad networks.

But this headline just caught my eye:

Major AdNetworks Promote Porn?

Probably one the most disturbing things in the industry as of late: Last week a little problem popped up on one of the networks we buy from – and turns out that several of the networks have the same problem. Not looking to name anyone, but it seems that several of the top major networks were running banner ads on a website that many people would consider pornographic.

During a reload of this banner ads, we found several major advertisers being shown while a young woman stripped and seemingly have a more than cordial relationship with her cigarette. This site also had an advertisement for CapitalOne Savings show itself while two smurfs were engaging in things that smurfs normally don’t do. It seems that Netflix, the New York Times, Monster.com and even H&R Block among others, have no problem with their ads being shown on QUESTIONABLE  sites. Maybe NYTIMES thinks that people who like smurf sex are interested in subscribing to their newspaper? Who knows?

Link here.

This is on the heels of comments by FTC Commissioner Jon Leibowitz about “shaming” advertisers who advertise through adware. 

The problem is complex.  Advertisers don’t necessarily buy directly from CNN, the Washington Post and other sites.  They use ad networks to place ads on lots of websites.  Then, these ad networks may use other ad networks to place ads — in effect, making a chain of intermediaries.

According to conversations I had at the ASC conference yesterday, there are advertisers concerned about where their ads are distributed, and are (and will be) the driving force to get reforms done by the ad networks. 

I hope to write more on this subject later. 

Alex Eckelberry

New replacement for SpyAxe / SpywareStrike

A new rogue anti-spyware application has surfaced as a replacement for SpyAxe/SpywareStrike. Behold: SpyFalcon!

Sf

WHOIS information:

Domain Name: SPYFALCON.COM (195.225.176.79)

Registrant:
SunShine Ltd
David Taylor
U-12 Gamma Commercial Complex # 47
Rizal Highway cor. Manila Ave Subic Bay
Olongapo City
null,98101
PH
Tel. +206.9543154

Other domains at the same IP address:

Spyfalconupdate.com
Updateyourwindows.com

SpyFalcon and its predecessors are known to install through exploits as well as to piggyback onto users’ machines via the video codec that we have talked about before. This application has just appeared today, so it might be a good idea to add the domains listed above to your block lists now.
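As an added example (not part of the original post), here is one way to act on the domains above: a small blocklist check that matches the listed domains and any of their subdomains, run over a few constructed DNS query-log lines, plus the hosts-file rendering for workstations. The log format (BIND-style query log), the client addresses and the `0.0.0.0` sinkhole address are assumptions for the demonstration.

```python
"""Added example (not from the original post): build a domain blocklist from the
rogue domains listed above and flag DNS queries that hit it, matching the listed
domains and any of their subdomains."""
import re
from collections import defaultdict

# Domains taken from the post's WHOIS notes.
ROGUE_DOMAINS = ["spyfalcon.com", "spyfalconupdate.com", "updateyourwindows.com"]


def normalize(hostname):
    """Lower-case a hostname and strip any trailing dot (DNS names may be absolute)."""
    return hostname.strip().lower().rstrip(".")


def is_blocked(hostname, blocklist=ROGUE_DOMAINS):
    """True if hostname equals a blocked domain or is a subdomain of one.
    Matching on whole labels avoids false hits such as 'notspyfalcon.com'."""
    host = normalize(hostname)
    for domain in blocklist:
        d = normalize(domain)
        if host == d or host.endswith("." + d):
            return True
    return False


# Constructed sample log lines in a BIND-style query-log format (assumption: real
# resolvers log differently; adjust LOG_RE to match).
SAMPLE_DNS_LOG = """\
15-Feb-2006 10:01:03.120 client 10.0.0.15#1234: query: www.spyfalcon.com IN A
15-Feb-2006 10:01:05.400 client 10.0.0.22#4021: query: www.example.com IN A
15-Feb-2006 10:01:07.811 client 10.0.0.15#1235: query: updateyourwindows.com. IN A
15-Feb-2006 10:01:09.002 client 10.0.0.31#3333: query: notspyfalcon.com IN A
15-Feb-2006 10:01:11.777 client 10.0.0.22#4022: query: cdn.SpyFalconUpdate.com IN A
"""

LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def scan_dns_log(log_text, blocklist=ROGUE_DOMAINS):
    """Return {client_ip: [queried names]} for every query that hits the blocklist."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        if is_blocked(m.group("qname"), blocklist):
            hits[m.group("client")].append(normalize(m.group("qname")))
    return dict(hits)


def hosts_file_entries(blocklist=ROGUE_DOMAINS, sink="0.0.0.0"):
    """Render hosts-file lines that sink the listed domains. A hosts file does not
    cover subdomains, so pair it with the resolver-level check above."""
    return [f"{sink} {normalize(d)}" for d in blocklist]


if __name__ == "__main__":
    for client, names in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(client, "->", ", ".join(names))
    print("\n".join(hosts_file_entries()))
```

The subdomain match is the part worth getting right: a plain substring test would flag `notspyfalcon.com` and miss nothing, but would also generate false positives, while the label-aware suffix test catches `cdn.spyfalconupdate.com` without that noise.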

Adam Thomas
Spyware Research

Sunbelt Messaging Ninja goes beta

It’s been a long time coming but Sunbelt’s Ninja product is finally seeing the light of day in the form of beta release 1. For those of you that don’t know, Sunbelt Message Ninja is the version 2.0 release of iHateSpam Server Edition, an anti-spam application for Exchange 2000 and 2003 servers. It started off just being a codename for v2 but as the feature set and functionality grew the product was re-written from the ground up.

The first release of Ninja is anti-spam, anti-virus, and attachment filtering. Because of the extensible architecture we’ll be adding disclaimers, content auditing, content filtering, message forking, advanced message reporting, and archival functions over the course of this year. You’ll end up with a single application to do pretty much everything you need on the Exchange server.

The web site is here:
http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm

The beta is being hosted here:
http://beta.sunbelt-software.com

Anyone who is interested in the beta can sign up on the beta forum by using the register button at the top and selecting a username with the prefix “ninja-”. Your information will be reviewed and you should be given access within 24 hours. If you have any questions about the beta or have problems getting signed up, just drop a line to beta@sunbelt-software.com

Greg Kras
Sunbelt Software VP Product Management

Antispyware workshop and RSA

I am going with a number of Sunbelters to the Anti-spyware Coalition Public Workshop this week. And, Eric Howes, our director of malware research, will be speaking on a panel there.

I will also be going to RSA next week with a group of Sunbelters.  We don’t have a booth — we’ll be walking the floor and going to any good parties we can find.  

So blogging on my part will be a bit light…

Alex Eckelberry

Follow up to “Good news, Spyware may be decreasing”

Follow-up to my post about a study by the University of Washington that found spyware is decreasing:  The full research paper has been published.

It does include adult sites, which was a question earlier.  From Suzi Turner:

The PDF has several charts including one that shows the changed numbers in the types of spyware from May 2005 to October 2005.  Two categories decreased – dialers and adware.  Keyloggers increased from .04 to .15 %, trojan downloaders increased from 9.1 to 13% and browser hijackers increased from 60 to 85%. One note, all of the testing of spyware was done by scanning with Lavasoft’s AdAware, no other anti-spyware software was used to detect threats. It’s been well documented that no single anti-spyware or anti-virus app will detect every piece of spyware, so the numbers could have been different if several programs had been used. I have noticed in the last few weeks there’s been a considerable decline in the number of new users registering at my SpywareWarrior forum for help with spyware removal.  I hope that is a sign that spyware infections are decreasing.  Who knows, if spyware really declines maybe this blog will turn into Suzi on SuSE one of these days. 

Link here via Suzi.


Alex Eckelberry

The history of Firefox

From Ben Goodger:

The story of Mozilla is long and rich in detail. There are many perspectives. This is mine.

Getting Involved
I got involved with Mozilla because I loved the idea of working on something that had the potential to make an impact on millions of people. My friends and I lived in our browsers, so there was also a tangible payoff for contributions that made it into a shipping Netscape release. After switching gears on the layout engine, it looked like Netscape needed all the help it could get. In early 1999 only the most basic elements of the old Communicator suite were in place in the new browser; you could barely browse or read mail as Netscape’s engineers worked furiously to erect the framework of the application.

More here via Paul Thurrott.

Alex Eckelberry


On Botnets

Robotic software programs, called ‘bots or agents, automate actions that are typically performed by real people. ‘Bots can be used for good purposes or bad – there are ‘bot programs that play games over the Internet, for example, and ‘bots that collect information for search engines, like the GoogleBot. Programmers have used ‘bots on eBay to automatically search the site for bargains. ‘Bots are common on the Internet Relay Chat (IRC) network, where they can moderate a channel by “listening” for profanity or other undesirable conversation and removing violators from the discussion. So-called ChatBots can carry on conversations over Instant Messaging programs.

Unfortunately, ‘bots have gotten a bad reputation because attackers can use them for malicious purposes, such as coordinating a distributed denial of service (DDoS) attack to overwhelm and crash a company’s network. The first ‘bot attacks were against IRC servers but the practice soon spread way beyond IRC. Other uses of ‘bots include:

  • ‘Bots have been used to commit “click fraud,” where the ‘bot pretends to be a Web user clicking on an ad, to generate a high number of pay-per-click fees paid by the advertiser to the site owner.
  • ‘Bots can collect information such as the passwords, credit card numbers and other confidential information that users type into Web forms for the purpose of identity theft.
  • Another malevolent use of ‘bots is to relay spam, to hide the identity of the sender.
  • ‘Bots can sniff network packets to read the data inside, and use keyloggers to capture everything a user types.
  • ‘Bots can spread new ‘bots, thus propagating themselves through HTTP, FTP or email.
  • ‘Bots can manipulate online polls and ratings, so that the ‘bot can greatly increase – or decrease – the apparent popularity of a book on Amazon, an article on a Web site, or a candidate in a political poll. Each ‘bot has a different IP address, so the votes seem to be coming from different, legitimate voters.

What happens when lots of ‘bots get together? Somewhat like an unruly mob, they can do more harm working in conjunction with each other than individual ‘bots can do. “BotMasters” are people who run robot networks called BotNets, using worms, Trojans and backdoors to install the ‘bot software on the systems of unsuspecting users. Then each user’s computer becomes a part of the BotNet, which is controlled by the BotMaster.

The ‘bot software is hidden from the user, who has no idea his/her computer is being used to commit attacks, intrusions and theft of data, or to distribute spam, spyware, and viruses. Because the systems are under the control of a remote entity, they’re often called “zombies.” For a quick overview of how BotNets work, watch the video called “About BotNets” linked here. (Quicktime).

Last October, Dutch police shut down a BotNet that included more than 100,000 computers and arrested its perpetrators. The BotMasters were using the zombie computers to attack networks and hack into bank accounts and PayPal and eBay accounts. You can read more about it here.

The incidence of BotNets (or at least, those that were discovered) started increasing enormously in 2004 and continues to rise. According to Symantec’s Global Internet Threat Report in 2005, there was a 140% increase in the number of active ‘bots observed per day over the previous reporting period.

BotNets have become big business. BotMasters will rent the use of their BotNets for 10 to 25 cents per machine, so that those without the technical savvy to set up their own BotNets can still have the use of one to launch attacks, distribute spam, commit identity theft, or whatever other nefarious activities they wish. Some common ‘bot programs include:

  • Agobot/Phatbot/Forbot (there are more than 500 known versions)
  • SDBot/RBot/UrBot (published under the Gnu Public License)
  • GT-Bots (IRC script-based ‘bots)
  • Q8 Bot (for UNIX/Linux systems)
  • Perl bots (written in Perl scripting language, also used on UNIX systems)

How do you protect your computer from becoming a member of a BotNet? The same way you secure it against other threats: Update your system to the latest security patches religiously (and SP 2 really helps); and install good firewall, antivirus and anti-spyware software.   Tight on cash?  Read our Security on the Cheap writeup here.
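Patching and endpoint software are the prevention side; the other half is noticing a “zombie” after the fact. As an added example (not part of the original post), the block below runs two heuristics drawn from the behaviour described in this post over constructed firewall connection logs: outbound connections from internal hosts to the classic IRC port, which the post names as the original ‘bot control channel, and one internal host fanning out to many external hosts on a single port in a short window, which is what “search the Internet for other potential victims” looks like from the inside. The log format, the internal address range, the port list and the thresholds are assumptions to be tuned for a real network.

```python
"""Added example (not from the original post): two detection heuristics for the
'zombie' behaviour described above, run over constructed firewall log lines.
Assumptions: a simple 'timestamp src dst dport' log format, an internal
10.0.0.0/8 range, and thresholds chosen for the sample; real logs differ."""
from collections import defaultdict
from datetime import datetime
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
IRC_PORTS = {6667}          # classic plaintext IRC port (assumption: extend as needed)
FANOUT_THRESHOLD = 5        # distinct external hosts on one port within the window
WINDOW_SECONDS = 60

# Constructed sample: host .15 connects to an IRC server and then probes six
# external hosts on port 445 within seconds; host .22 is ordinary web browsing.
SAMPLE_FW_LOG = """\
2006-02-15T10:00:00 10.0.0.15 203.0.113.7 6667
2006-02-15T10:00:01 10.0.0.22 198.51.100.10 80
2006-02-15T10:00:05 10.0.0.15 192.0.2.1 445
2006-02-15T10:00:06 10.0.0.15 192.0.2.2 445
2006-02-15T10:00:07 10.0.0.15 192.0.2.3 445
2006-02-15T10:00:08 10.0.0.15 192.0.2.4 445
2006-02-15T10:00:09 10.0.0.15 192.0.2.5 445
2006-02-15T10:00:10 10.0.0.15 192.0.2.6 445
2006-02-15T10:00:30 10.0.0.22 198.51.100.11 443
"""


def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        try:
            yield (datetime.fromisoformat(ts), ipaddress.ip_address(src),
                   ipaddress.ip_address(dst), int(dport))
        except ValueError:
            continue


def detect_irc_cnc(records):
    """Internal hosts with outbound connections to IRC ports: {src: [dst, ...]}."""
    hits = defaultdict(set)
    for ts, src, dst, dport in records:
        if src in INTERNAL_NET and dst not in INTERNAL_NET and dport in IRC_PORTS:
            hits[str(src)].add(str(dst))
    return {src: sorted(dsts) for src, dsts in hits.items()}


def detect_scan_fanout(records, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Internal hosts contacting >= threshold distinct external hosts on the same
    port within `window` seconds: {(src, dport): peak distinct-host count}."""
    by_key = defaultdict(list)   # (src, dport) -> [(ts, dst)]
    for ts, src, dst, dport in records:
        if src in INTERNAL_NET and dst not in INTERNAL_NET:
            by_key[(str(src), dport)].append((ts, str(dst)))
    findings = {}
    for key, events in by_key.items():
        events.sort()
        start = 0
        # Sliding window over the time-ordered events for this (src, port) pair.
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                findings[key] = max(findings.get(key, 0), len(distinct))
    return findings


def analyze(text):
    """Run both heuristics over a log and return their findings together."""
    records = list(parse_log(text))
    return {"irc_cnc": detect_irc_cnc(records), "fanout": detect_scan_fanout(records)}


if __name__ == "__main__":
    print(analyze(SAMPLE_FW_LOG))
```

Neither heuristic is proof on its own (legitimate IRC use exists, and a backup agent can fan out too), but a host that trips both within a minute is exactly the pattern the post describes and is worth pulling off the network for a look.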

Let us know your experiences with ‘bots. Are you worried about the BotNet threat? Have you ever discovered ‘bot software on your system? What measures do you take to protect against becoming an unwitting member of a ‘bot army? Tell us what you think about ‘bots.

Deb Shinder