DDoS extortion

Good article by Dancho:

With the average price for a DDoS attack on demand decreasing due to the evident over-supply of malware infected hosts, it should be fairly logical to assume that the “on demand DDoS” business model run by the cybercriminals performing such services is blossoming.

Interestingly, what used to be a group that was exclusively specializing in DDoS attacks, is today’s cybercrime enterprise “vertically integrating” in order to occupy as many underground market segments as possible, all of which originally developed thanks to the “malicious economies of scale” (massive SQL injections through search engines’ reconnaissance, standardizing the social engineering process, the money mule recruitment process, diversifying the standardized and well proven propagation/infection vectors etc.) offered by a botnet.

More here.

Alex Eckelberry

IOBit accused of stealing Malwarebytes database

Marcin Kleczynski, CEO of Malwarebytes, has posted a detailed accusation, presenting evidence that IOBit is stealing the Malwarebytes database.

IOBit, a Chinese company based in Chengdu, provides a number of PC utilities, including an antimalware product called IOBit Security 360. According to Kleczynski:

Malwarebytes has recently uncovered evidence that a company called IOBit based in China is stealing and incorporating our proprietary database and intellectual property into their software. We know this will sound hard to believe, because it was hard for us to believe at first too. But after an indepth investigation, we became convinced it was true. Here is how we know.

We came across a post on the IOBit forums that showed IOBit Security 360 flagging a specific key generator for our Malwarebytes’ Anti-Malware software using the exact naming scheme we use to flag such keygens: Don’t.Steal.Our.Software.A.

Dont.Steal.Our.Software.A, File, G:\Nothing Much\Anti-Spyware\Malwarebytes’ Anti-Malware v1.39\Key_Generator.exe, 9-30501

Why would IOBit detect a keygen for our software and refer to it using our database name? We quickly became suspicious. Either the forum post was fraudulent or IOBit was stealing our database.

So we dug further. We accumulated more similar evidence for other detections, and we soon became convinced that this was not a mistake, it was not a coincidence, it was not an isolated event, and it persisted presently in their current database. They are using both our database and our database format exactly.

The final confirmation of IOBit’s theft occurred when we added fake definitions to our database for a fake rogue application we called Rogue.AVCleanSweepPro. This “malware” does not actually exist: we made it up. We even manufactured fake files to match the fake definitions. Within two weeks IOBit was detecting these fake files under almost exactly these fake names.

There’s quite a bit more here.

Stealing AV signatures is not a new phenomenon — AV companies have battled this type of thing for years. In this case, it looks to be quite blatant, based on the evidence presented.

Alex Eckelberry

Update: IOBit responds.

Is it time to abandon Windows XP because of malware and exploits?

The short answer is “no, although Windows 7 is probably a little safer.”

That being said, there are a number of security measures that apply to any operating system, that are vital to a layered defense. Windows XP is only a secure operating system if it is updated regularly and operated by users who have some understanding of Internet security. Below are the four vital security practices to go with Windows XP:

1. Install operating system and application updates promptly.

Malware that exploits newly discovered vulnerabilities begins circulating within days, if not hours, of the public disclosure of those weaknesses. Patches (or workarounds) are generally issued as quickly as the software company can deliver them, but there may be significant delays. The dark side is often ahead of the curve with “zero-day” exploits, those that take advantage of previously unknown exposures. It is vital that patches are installed as soon as they are available.

The most important updates will be those for the Windows operating system, Adobe applications, Microsoft Office and Internet Explorer or other browsers. These are the most commonly used things on computers worldwide, thus the most widely available and cost-effective targets of malicious operators.

The number one cause of compromised machines is lack of current updates. Microsoft issues patches on a regular basis on the second Tuesday of each month. (Information here.) Adobe has begun issuing updates on the same day.

2. Updated anti-virus applications are your first line of defense.

Having a good anti-virus application running on desktop machines and network can protect the small enterprise from a vast number of threats, including the most recent ones: banking Trojans, rogue security products and bot-associated malware.

Very small businesses with a few machines probably need little more than VIPRE desktop installations and possibly the Sunbelt Personal Firewall (Sunbelt info here.)

Small, medium and large businesses with Internet-facing networks might consider VIPRE Enterprise. (Sunbelt info here.)

VIPRE can stop previously unidentified malware by using MX-V advanced “behavior-based” scanning to spot its malicious behavior in a virtual environment before it infects the machine.

3. To add one more layer of defense, enterprises should consider doing online banking from a dedicated machine that is isolated from networks and not used for any other purpose (especially the exchange of email.)

Many of the banking Trojans that were used to illegally transfer $40 million from the bank accounts of small- and medium-sized businesses in the last five years were installed when someone clicked on an attachment or malicious link in an email. (Story here.)

Also in the last few years there have been numerous spear-phishing campaigns targeting company financial personnel whose machines are used to log onto online banking sites. In some of these, the banking Trojans or their downloaders arrived in email messages with malicious attachments disguised to look like legitimate accounts-receivable correspondence.

4. Providing employees with computer security training can reduce the risk of attacks based on social engineering.

Every day an uncountable number of people are using the Internet for the very first time. Unless they have some kind of instruction, they will quickly fall victim to social engineering gimmicks. These trigger malicious applications that arrive by email or are downloaded from hacked or malicious web pages. New scams begin circulating almost on a daily basis and are aimed at millions of users through email spam originating in botnets or hacked social networking accounts. Employers need to educate employees, especially new ones, about Internet safety and give them a way to keep up with new threats.

The Sunbelt Blog and the threat index on the VIPRE agent interface provide daily updates on the threat landscape for experienced and inexperienced Internet users.


Double clicking on the Threat Index graphic takes users to the Sunbelt web site and a description of the most current threats that are making news:


White papers on security

On the Sunbelt web site, we also have white papers, some written for inexperienced Internet users, in the Sunbelt Research section.

Two of them, especially written for new users are:

“How to Tell If That Pop-Up Window Is Offering You a Rogue Anti-Malware Product”

“What’s in your spam bucket?”

Thanks Stephen in Victoria, BC, Canada, for asking.

Thanks Alex

Tom Kelchner

New Sunbelt white paper on spam for the beginner:

What’s in your spam bucket?
(Don’t look, delete it!)


The rules for staying safe from malicious email:

1. Do not open emails from strangers. Delete them and you will be safe.
2. Do not click on links in emails from strangers or open the attachments. You should have deleted them before you saw the links.
3. Do not buy anything or take any action based on something you got in an email from a stranger. You should have deleted the email before you read the pitch.
4. For email that has been forwarded to you by your friends, see Rule 1.

Today I checked out several dozen spam emails that I received in order to illustrate the threats that come with 90 percent of email traffic these days. Yes, an estimated 90 percent of email today is spam. Your ISP or employer may filter a lot, but you’re still going to get some of these “everyday” threats.


Read it here.

Tom Kelchner

Pseudo-Google, eBay URLs used in spam

We’ve been seeing a fair amount of these lately — what appears to be one spam gang using google, ebay and other “normal” looking domains as spam links in unsolicited email.

Example URLs:


The pattern is always the same: a junk hostname, then the domain name, then a junk path (junk-cname.domain-name/junk-text).

For example, jrvds.getgoogleonline. com/gcbswsy/hwnvsw:

All are used as a redirect to get you to a spam site.

You can comfortably blacklist these domains to reduce spam traffic.
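Because every link in this run is a junk hostname in front of the registered domain, a blacklist has to match on the registered domain rather than the full hostname, and it must not catch the real google.com or ebay.com. The following is an added example (not code from the original post) that extracts URLs from a message body and matches them against a small blocklist built from a few domains named above; the sample message and the blocklist contents are constructed for illustration, and the domain extraction assumes single-label TLDs such as .com.

```python
import re
from urllib.parse import urlsplit

# Constructed blocklist: a handful of the registered domains from the spam run
# described above (the post lists many more).
BLOCKED_DOMAINS = {
    "getgoogleonline.com",
    "supergooglesearch.com",
    "ebaydirectmarketing.com",
    "rezvhome.com",
}

# Matches URL-looking tokens with or without a scheme, e.g.
# "http://host.example.com/a/b" or "host.example.com/a/b".
URL_RE = re.compile(r'(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/[^\s<>"]*)?', re.I)


def registrable_domain(host):
    """Return the last two labels of a hostname (e.g. jrvds.getgoogleonline.com
    -> getgoogleonline.com). The spam links always carry a junk subdomain, so
    matching on the registered domain is what makes the blocklist effective.
    Assumption: no two-label public suffixes (.co.uk) are involved."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_blocked_url(url, blocklist=BLOCKED_DOMAINS):
    """True if the URL's registered domain is on the blocklist. A bare
    "host/path" without a scheme is accepted as well."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) in blocklist


def find_blocked_urls(message_body, blocklist=BLOCKED_DOMAINS):
    """Extract every URL-looking token from a message body and return those
    whose registered domain is blocked, in order of appearance."""
    hits = []
    for match in URL_RE.finditer(message_body):
        url = match.group(0)
        if is_blocked_url(url, blocklist):
            hits.append(url)
    return hits


# Constructed sample message: one junk-subdomain spam link, one legitimate
# google.com link that must be left alone, and one scheme-less spam link.
SAMPLE_MESSAGE = (
    "Click here for your prize: http://jrvds.getgoogleonline.com/gcbswsy/hwnvsw\n"
    "Compare at www.google.com/search?q=prize and also see\n"
    "qpxz.ebaydirectmarketing.com/kdjw/plmq for details."
)

if __name__ == "__main__":
    for hit in find_blocked_urls(SAMPLE_MESSAGE):
        print("blocked:", hit)
```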

Alex Eckelberry

Microsoft Security Essentials bundled with PCs

Not everyone may realize this, but it’s worth noting that all Microsoft Signature PCs (name-brand computers sold at their online and retail stores) include Microsoft Security Essentials pre-installed.

Microsoft isn’t making the mistake of competing with their own OEM customers in the PC business. However, for their new PC re-selling initiative, they are hand-selecting a number of PCs from major manufacturers (Dell, HP, Lenovo, Sony, Toshiba, Asus and Acer), and creating “Signature” editions.

These special editions are pre-built with standard Windows components (IE 8, etc.), but also include Windows Media Center, Internet TV for Media Center, Microsoft Security Essentials, Bing 3D Maps, Zune 4.0 and all the major Live components.

Consider the Toshiba NB205. If you buy it from Microsoft, you’ll get Microsoft Security Essentials. If you buy the exact same PC from Toshiba at the same price, you’ll get Norton Internet Security pre-installed.

PC vendors get significant dollars from security companies (these days, primarily McAfee and Symantec) to pre-install antivirus software — reportedly anywhere from $8–$12 per unit. Now, that may seem like a pittance, but this is big money for a PC maker, already living on razor-thin margins. There is enough of an advantage to being part of the Microsoft reselling effort that the PC makers will let go of some of these pre-bundling deals.

This is also a nifty way for Microsoft to potentially get around anti-trust issues. They don’t include Apple products (Quicktime, iTunes). They don’t include non-Microsoft security applications. But it’s because it’s their own product they are selling on their own stores.

This is a development worth keeping an eye on.

Alex Eckelberry
(Hat tip to Colleen)

14,214,753 violations of CAN-SPAM Act cost spam king $710,737,650 court settlement

A federal judge in U.S. District Court for the Northern District of California in San Jose awarded Facebook almost $711 million in its action against infamous junk mail king Sanford Wallace. According to the court action, Wallace and two associates got access to Facebook accounts with phishing emails and used them to send spam that advertised pornography and gambling web sites.

U.S. District Judge Jeremy Fogel ruled that Wallace was responsible for 14,214,753 violations of the CAN-SPAM Act and awarded Facebook $710,737,650. Fogel also said he would ask the U.S. Attorney’s Office to prosecute Wallace for contempt of court.

Facebook brought the suit last March.

We applaud this court decision, in spite of the fact that Facebook probably won’t collect much of the settlement. Wallace was hit with a $4.1 million FTC action in 2006 and a court order to pay MySpace $234 million after a trial last year. At the least, it should drive one major, blatant spammer into bankruptcy.

Short of a very radical change, as in Eugene Kaspersky’s idea for ending the anonymous use of the Internet or serious government involvement across the globe, the reduction of spam just isn’t going to happen.

Various sources have put the prevalence of spam in email at 85-90 percent for the last few months.

Story here.

Tom Kelchner

Facebook “change-your-password” spam scam[s] are circulating

There are at least two Facebook “change-your-password” scams circulating in spam. Here’s the first one. It tries to lure you to a malicious site to steal your Facebook login information.


A second one comes with an attachment that installs the Bredolab Trojan.

That story here.

Tom Kelchner

Do Sunbelt fans feel secure on the Internet? Not especially.

In the October 21 issue of the Sunbelt Security News, Editor Larry Jaffe ran a brief survey that asked readers just four questions:

— Do you feel your privacy has been compromised since the advent of the Internet?
— Do you make use of any software that makes you anonymous or incognito when you surf the web?
— Do you feel your personal information is secure online?
— Do you change financial site passwords on a regular basis?

Here is a tabulation of the responses from nearly 600 people:

— Do you feel your privacy has been compromised since the advent of the Internet?

Yes: 23.2 percent
No: 49.3 percent
Not sure: 27.6 percent

— Do you make use of any software that makes you anonymous or incognito when you surf the web?

Yes: 33 percent
No: 49.4 percent
Not sure: 17.6 percent

— Do you feel your personal information is secure online?

Yes: 23.2 percent
No: 49.3 percent
Not sure: 27.6 percent

— Do you change financial site passwords on a regular basis?

Yes: 48.2 percent
No: 51.8 percent

Sunbelt Security News here.

Tom Kelchner

Dangerous WWW: in 3Q’09 nearly 6 million pwnd!

Number of infected web pages is increasing significantly

Dasient web security firm of Palo Alto, Calif., published some dismal numbers on its blog today. The number of infected pages on the web increased significantly in the third quarter and more than a third of infected sites that are fixed are quickly reinfected, they said.

The company said its malware analysis platform found more than 640,000 infected sites with a total of 5.8 million pages in the quarter. They compare that to the three million infected pages that Microsoft reported in the first quarter of the year.

The attacks:

— JavaScript (54.8%)
— iFrame (37.1%)
— “other” (8.1%)

Needless to say, with that preponderance of JavaScript malware, if you haven’t updated your Adobe Reader and Acrobat installations recently, you might do so.

Dasient blog here.

Tom Kelchner

Halloween malware: we’ll show you scary

Three of the biggest malware threats that were around during Halloween 2008 remain highly active in the public domain 12 months later, according to data collected by Sunbelt Labs. Trojan-Downloader.Zlob.Media-Codec, Trojan-Downloader.braviax and Explorer32.Hijacker all remain in Sunbelt’s top 10 malware list one year on, with reported instances of the latter two increasing in overall share since October 2008.

Muktadir Khan, Sunbelt Software European sales engineer said: “We advise users to be vigilant and to ensure their antivirus applications are fully up-to-date with the latest definition files and the latest application version installed.

“Users should avoid opening any attachments, even from trusted sources, without first running a scan on the file. An effective, updated antivirus and malware solution such as Sunbelt Software’s VIPRE will ensure machines remain protected from a variety of attacks.”

Classic Threats to Watch Out For

Based on reported activity over the last two Halloween periods, Sunbelt Software has identified some common types of Halloween-themed attacks. Users should remain especially vigilant for new variations of these common themes.

• The Dancing Skeleton – This one is based on emails that lure Halloween lovers to web sites where they can download an application that puts the image of a dancing skeleton on their desktop. Users do indeed get the dancing skeleton along with the Storm Trojan. The Halloween.exe is part of a malicious botnet that allows remote attackers to access and control infected computers, accessing personal information and sending yet more infected spam.

• Halloween Gift Cards – These are the modern-day replacement for gift vouchers. For the last two years, emails have made the rounds offering a free $250 or £250 Halloween gift card when users sign up for a new credit card. This is really a scam to harvest personal and financial information for criminal use at a later date.

• The Big Halloween Sale Email – Stores are using Halloween as a topical hook, like they do bank holidays, to boost sales in these challenging economic times. Enterprising scammers have been picking up on this tactic with phishing emails purporting to be from trusted brand names, or offering unbelievably good deals. Clicking on a link usually takes you to an infected web site and a Storm Trojan downloader.

• The Halloween Party Invite – Another email-based attack, this one purportedly invites you to a Halloween-themed party. If it’s from an unknown source, it’s almost certainly a malware attack, either trying to entice you into clicking a link for more information or to open an attachment with the full invite enclosed. Even if it’s from a known source, approach with caution.

Tom Kelchner

Tinfoil hat time: U.S. spy agencies buy into web monitoring firm

We expect our spy agencies to… well… spy, but somehow it’s a little disquieting when you discover they might be spying on YOUR blog posts and Tweets.

Wired has broken a story that the investment agency of the CIA and other U.S. spy agencies, In-Q-Tel, has put money into a company that monitors social media: Visible Technologies of Bellevue, Wash. (page here.)

On the company page, the pitch for their services includes:

“Listening to your customers is a critical first step in deploying an effective social media strategy and successfully managing your brand online. Listening to social conversations helps you get acquainted with online consumers, monitor their perceptions about your brand and competitors, spot potential issues, and can help identify authentic brand influencers and advocates.”

Visible Technologies monitors Flickr, YouTube, Twitter, Amazon, hundreds of thousands of web 2.0 sites and millions of posts on blogs every day, according to Wired. Since Facebook is closed, it does not monitor them.

Their customers get feeds based on key words with scores indicating how positive or negative the items are as well as how influential the writer is.

The spy agencies want to boost Visible’s foreign-language capabilities so they can monitor international discussions of issues, Wired said.

I think anyone using the Internet should certainly know there isn’t the slightest shred of expectation of privacy there. If your tinfoil hat is overheating, you can set up accounts using aliases.

Wired story here.

Tom Kelchner

Update
(thanks Alex)

On the Effectiveness of Aluminium Foil Helmets:
An Empirical Study

Paper here.

Search terms lead to malware? Yeah

It’s become the latest craze in security blogs — show how a search for a celebrity or current event leads to malware through Google searches.

I’ve done it myself, quite a bit. And I do think it provides a public service.

But the reality is — it’s massive, it’s constant, and the search terms are all over the place.

For example, there is a current blackhat run on Google that is using a dizzying number of search terms. Here’s a list of terms that I’ve found. There are more.


Using any one of these search terms will land you in trouble.

For example, let’s search for Bx 82mf1r:


The first four hits are malware links, all compromised sites (the links only work with Google as a referrer; going to them directly will just land you on a harmless CNN page). You can see that Google catches the first site. The next three aren’t caught.


(Notice the /?p in the url? That’s generally the Windows Enterprise Defender rogue — thanks Patrick, for pointing that out.)

The rest of the search terms have varying degrees of success in getting to the first page of Google’s results. But in order to find them, we just do a little Google Dorking. Notice that all the malware sites use “/t” in the URL. So, we just do a Google search, using the inurl operator to narrow down the malicious links.

Hence, we might search for Project Runway with the following search command (just to get more malware links):

project runway inurl:/?t= inurl:runway

And we see all kinds of nasty stuff.


You get the picture. Blackhat SEO is alive and well on Google, contributing to the profits and merriment of both legitimate antivirus vendors and malware authors. Unfortunately, the user doesn’t come out that well in the whole thing.

Alex

Nigeria begins crackdown on email scams.

Farida Waziri, head of Nigeria’s Economic and Financial Crimes Commission, has announced that her agency, aided by Microsoft, has begun a large-scale crackdown on the email scammers who have made Nigeria infamous to Internet users for 20 years.

Waziri, speaking at a National Conference of Black Mayors convention in Las Vegas, said her commission has arrested 18 people and shut down 800 email accounts linked to scams.

She said the operation, dubbed “Eagle Claw,” will be fully operational in six months with the capacity to shut down 5,000 fraudulent email accounts and send 230,000 advisory emails to victims each month.

“It will take Nigeria out of the top 10 list of countries with the highest incidence of fraudulent e-mails,” she said.

This has the potential for reducing Internet fraud coming out of a historic hot spot. Nigeria, like developing nations everywhere, has an uphill battle to fight, with limited resources, against crime and corruption. It’s good to see Microsoft lending some technical assistance.

Nice work Ms. Waziri and Microsoft.

If Operation Eagle Claw works, maybe Nigeria can farm her out as a consultant to Russia. They could call it “Operation Bear Claw.” Then she can come to Florida and go after the spam industry here. (Operation Armadillo Claw?)

ArsTechnica story here.

See BBC story here.

Tom Kelchner