Comcast will warn customers who are infected by bots

Comcast has begun an experimental program in the Denver area to warn customers whose PCs have been turned into spam-spewing bots. Customers with infected machines will see a browser pop-up warning them that their machine contains malware.

I don’t want to sound like a whiner, but why didn’t ISPs start doing this, oh, say, four years ago when the number of bots in the wild exploded?

This is really terrific. Comcast should be commended, and I hope other ISPs (ALL ISPs) do something similar, but why did it take this long? Spam, much of it sent by botnets, is now estimated to make up nearly 90 percent of email traffic.

The story on the CNET news site says: “For years, security experts have complained that ISPs are uniquely positioned, and should do more, to help customers combat security problems. But ISPs have been reluctant to assume additional responsibilities that are not central to their core service offering and for which they would then have to maintain a standard, going forward.”

See story here.
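The detection side of a program like this is the part the story leaves out: an ISP has to decide, from traffic it can see, which customer machines are sending spam before it can warn anyone. The following is an added example, not code from the original post and not anything Comcast has described. It runs a simple heuristic over constructed NetFlow-style records: a home PC normally relays mail through one or two servers, so a host that opens outbound port-25 connections to dozens of distinct remote mail exchangers in an hour is behaving like a direct-to-MX spam bot. The addresses, thresholds and allowlist are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data shaped like one-line NetFlow exports:
# (hour_of_day, src_ip, dst_ip, dst_port); one tuple = one outbound connection.
# All addresses, thresholds and the allowlist below are assumptions for the
# example, not anything Comcast has described.
SMARTHOST = "192.0.2.25"            # the ISP's own outbound mail relay
KNOWN_MAIL_SERVERS = {"10.0.0.9"}   # customers known to run a legitimate MTA

Flow = Tuple[int, str, str, int]


def constructed_flows() -> List[Flow]:
    """Three customers in the same hour: a bot, a normal user, a real mail server."""
    flows: List[Flow] = []
    # 10.0.0.7: a spam bot delivering direct-to-MX to 150 distinct remote hosts.
    for i in range(150):
        flows.append((3, "10.0.0.7", f"198.51.100.{i + 1}", 25))
    flows.append((3, "10.0.0.7", "203.0.113.200", 80))   # its C&C poll, not SMTP
    # 10.0.0.2: a normal customer who relays six messages via the smarthost.
    for _ in range(6):
        flows.append((3, "10.0.0.2", SMARTHOST, 25))
    flows.append((3, "10.0.0.2", "203.0.113.10", 443))
    # 10.0.0.9: a small-business mail server, busy but allowlisted.
    for i in range(300):
        flows.append((3, "10.0.0.9", f"203.0.113.{i % 80 + 1}", 25))
    return flows


@dataclass
class SmtpStats:
    connections: int = 0
    destinations: Set[str] = field(default_factory=set)


def aggregate(flows: List[Flow]) -> Dict[Tuple[str, int], SmtpStats]:
    """Per (source, hour): outbound port-25 connection count and distinct targets."""
    stats: Dict[Tuple[str, int], SmtpStats] = defaultdict(SmtpStats)
    for hour, src, dst, port in flows:
        if port != 25:          # only outbound SMTP is relevant here
            continue
        entry = stats[(src, hour)]
        entry.connections += 1
        entry.destinations.add(dst)
    return stats


DEST_THRESHOLD = 25    # distinct MX hosts per hour (assumed; tune per network)
CONN_THRESHOLD = 100   # port-25 connections per hour (assumed)


def classify(src: str, st: SmtpStats) -> Optional[str]:
    """Return a human-readable reason to notify, or None if the host looks clean."""
    if src in KNOWN_MAIL_SERVERS:
        return None
    # Home PCs relay through one or two servers; fanning out to many MX hosts
    # is the direct-to-MX pattern of a spam bot.
    if len(st.destinations) >= DEST_THRESHOLD:
        return f"{len(st.destinations)} distinct SMTP destinations in one hour"
    if st.connections >= CONN_THRESHOLD:
        return f"{st.connections} outbound SMTP connections in one hour"
    return None


def detect(flows: List[Flow]) -> List[dict]:
    """Flag customer hosts whose outbound SMTP behaviour looks bot-driven."""
    alerts = []
    for (src, hour), st in sorted(aggregate(flows).items()):
        reason = classify(src, st)
        if reason:
            alerts.append({"src": src, "hour": hour, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(constructed_flows()):
        print(alert)
```

Two caveats a practitioner would add. First, the allowlist matters: a customer who legitimately runs a mail server looks exactly like a bot to this heuristic, so the ISP needs a way to register such hosts before it starts sending warnings. Second, a threshold is evidence, not proof; the sensible response to a hit is a notification and a pointer to cleanup tools, not a disconnection.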

Tom Kelchner

Oct. 9 Update:

Brian Krebs, in his Washington Post column “Security Fix” today, dug into the details of the Comcast plan, including the possibility of fake warnings. He reported:

“The primary challenge to this program, aside from actually helping customers rid their PCs of bot infections and keep them clean, may come from the criminals themselves. One of the most persistent threats to Internet users today are rogue anti-virus programs that use fake security alerts to trick consumers into downloading malicious programs or at the very least paying for worthless software.

“(Jay) Opperman (Comcast senior director of security and privacy) said Comcast is attempting to combat this potential scam by including a link in the banner alert that explains “How do I know this notice is from Comcast?” Among the answers they will list is that Comcast will be sending affected users an e-mail alert at their primary account at the same time as the browser alert is displayed.”

See story here.

VIPRE Enterprise performance tests: we’re hot!

Sunbelt Software recently hired an independent test lab to compare the performance of VIPRE Enterprise against the enterprise products of two leading competitors, Symantec and McAfee. We were very pleased with the results.

The test covered antivirus scanning performance and system resource utilization. It found that VIPRE Enterprise significantly outperformed the competing products, with lower system resource usage and faster scanning speed.

See Sunbelt news release here.

Tom Kelchner

Trojan.Brontok: 103,000 infections on one machine

A Sunbelt researcher today found a ThreatNet scan result from a machine with six identifiable malware threats on it. One of them, Trojan.Brontok, had 102,793 traces. That was on one machine!

Alert to things that might be going wrong, he emailed several other analysts:
“Just trying to understand, how is that possible?”

Yep, it was possible. Even old threats can overrun a PC if it doesn’t have proper malware protection.

ThreatNet is an early warning system made up of tens of thousands of VIPRE and CounterSpy users who have set their machines to send Sunbelt a record of malcode that they detect. ThreatNet helps us detect virus outbreaks.

Trojan.Brontok is a detection for a group of mass-mailing worms that spread by sending copies of themselves as e-mail attachments. The worms gather e-mail addresses from infected machines in order to propagate.

Brontok also disables security applications, spreads through USB drives and has been used in denial of service attacks.

Thanks to Eric Howes and Adam Thomas

Tom Kelchner

New FTC rules: bloggers must reveal pay and perks they get for reviews

The Federal Trade Commission commissioners unanimously approved guidelines that require bloggers to reveal that they’ve been paid or otherwise compensated for writing product reviews (read: have a conflict of interest).

The new rules, which will go into effect Dec. 1, carry penalties of $11,000 for each violation.

Blogging product reviews has become a major cottage industry. If a blogger gets several free cases of disposable diapers or a $10,000 firewall appliance in exchange for a review, it might just be a good idea if readers were made aware of that fact.

The FTC guidelines on endorsements and testimonials haven’t been updated since 1980.

Story here.

Tom Kelchner

When does a “free” Windows 7 upgrade cost $17?

Short answer: when you buy a Lenovo machine.

The editor of Consumerworld.org and Mouseprint.org, Edgar Dworsky, has found that some computer makers are charging “shipping, handling, and fulfillment fees” after Microsoft promised customers free upgrades to Win7 when they purchase PCs with Vista installed.

Microsoft began the Windows 7 Upgrade Option Program in June and said those who purchase a machine between June 26, 2009 and Jan. 1, 2010, will get the upgrade free.

Some manufacturers are giving the new OS free to some customers and charging others varying amounts from $11.60 to $17, Dworsky said.

See Computerworld story here for a list of who charges what.

Tom Kelchner

New Google bells and whistles

For those who spend a lot of time behind Google, there are some new features to play with that may improve your efficiency at work.

Google show options

After search results are presented, the “show options” control displays more ways to narrow your search by type of info (videos, blogs, etc.), time (past 24 hours) and whether you already visited the page.

Google column

The “Timeline” shows a graph of the periods in history mentioned in the results.

Google time line

And the “wonder wheel” presents you with related searches.

Google wonder wheel

See story: Google offers search refinements

Tom Kelchner

It’s Cybersecurity Awareness Month

CyberSecurity Awareness Month

This month is the Department of Homeland Security’s sixth annual National Cybersecurity Awareness Month and the theme is “Our Shared Responsibility.”

The point of the “theme” is “to reinforce the message that all computer users, not just industry and government, have a responsibility to practice good ‘cyber hygiene’ and to protect themselves and their families at home, at work and at school.”

The DHS page is full of really good basic computer security information and suggestions.

If you’re reading this, you are surely aware of at least one anti-virus company (Sunbelt) and the need for anti-malware protection. That’s a really big part of “our shared responsibility.” If you know somebody who is new to the Internet, you might pass along the link to the DHS Cyber Security Month page and tell them it’s a great place to start learning about protecting themselves. (Link here.)

Tom Kelchner

Creepy or good marketing?

I check my mail cubbie today (something I actually rarely do anymore, what with all these internets having killed the postal service), and find a simple letter.

Inside is a folded napkin and a hotel room key.

Keypass

The napkin has a note that says, in what appears to be female writing:


Let’s meet…

www.accepttheinvitation.com/alexeckelberry

So I’m thinking of all the times a beautiful woman has sent me a hotel room key with a note on a (perfumed) napkin.

Never.

I go to the site, and there’s a door, which I have to open.

Roomdoor1283481238p

And then I’m in some kind of restaurant.

Roomdoor1283481238pa

You choose your dinner, and after a while, you see this:

Roomdoor1283481238pad

Well, I suppose the whole thing is a bit creepy, especially when out of the blue, I get a follow-up email from some dude.

Vlgemaild213488

Creepy? Good marketing?

I suppose a bit of both.

Alex Eckelberry

Just when you thought the Green Dam saga was over…

Dam burst logo

Jon Oberheide, a security researcher and PhD candidate at the University of Michigan, has gone public with an application (exploit?) to disable the censorship capabilities of Green Dam Youth Escort. It’s called Dam Burst.

According to the Oberheide web site, Dam Burst (v 1.2, tested on Green Dam 3.17) doesn’t need administrative privileges to disable Green Dam’s censoring functions.

His site notes a security benefit: “As a pleasant side effect, disabling the Green Dam components within a running process actually increases the security of the end host as the vulnerable code paths within the Green Dam software are no longer exploitable by an attacker.”

Sunbelt Software considers Green Dam to be spyware and our official description is:

Green Dam is system monitoring and content filtering software that blocks disapproved content on the local PC as well as incoming and outgoing network traffic.

About two weeks ago, schools in China were removing the Internet monitoring software because it was interfering with educational software. (Sunbelt Blog entry here.)

In mid-August, Chinese Minister of Industry and Information Technology Li Yizhong reversed the requirement that all computers carry it; Green Dam was instead to be installed only on school computers and those in public places. (Sunbelt Blog entry here.)

If you’d like to read the whole crazy story, search for “green dam” in the search box on the bottom of the right column on the Sunbelt Blog page.

Green Dam has been SUCH a fun disaster to write about.

Tom Kelchner

Most people think online tracking is creepy

A university study has found that two out of three Americans do not care for online tracking by advertisers. And, once they find out how the marketing folks track them on the Internet, even more object.

The study, believed to be the first conducted by someone outside the advertising industry, was carried out by researchers at the University of Pennsylvania and the University of California, Berkeley. They hired a survey company that contacted 1,000 adults who use the Internet and interviewed them for 20 minutes each.

According to the study, 66 percent of those interviewed said they did not like tailored advertising. When told that web sites might track their behavior, another 7 percent said they did not like it. And, when asked about being tracked by other web sites, an additional 18 percent objected.

Ninety two percent of those surveyed said they would support a law that required Web sites and advertising organizations to delete information about them on request.

Marketing trade groups, who point out that advertising pays for a lot of Web content, are working on a set of practices, such as notifying site visitors that they are being tracked, in order to avoid government regulation. Meanwhile, there have been indications that Congress and the U.S. Federal Trade Commission might be about to step in to protect consumers’ online privacy.

See story here: “Two-thirds of Americans object to online tracking”

Thanks Alex.

Tom Kelchner

The next big [ugly] thing: Trojan shows fake bank balance

A banking Trojan named URLZone (Finjan) exploits a hole in the major browsers on Windows machines to show victims a fake balance on their banking web site as it steals cash and sends it to the account of a money mule, according to Finjan researchers.

Victims will continue to see the fake balance in their accounts and will not notice the theft until they obtain their balance at an ATM, check from a computer that is not infected or get an overdraft notification. The displayed balance is the only thing the Trojan controls, so any channel it cannot touch exposes the discrepancy.

URLZone, which is loaded onto victims’ computers by malicious PDF files or JavaScript, exploits a vulnerability in Firefox and Opera as well as Internet Explorer 6, 7 and 8. It has recently been used to steal more than $400,000 from customers of German banks, according to Yuval Ben-Itzhak, Finjan chief technology officer.

Ben-Itzhak said “It’s a next generation bank Trojan. This is part of a new trend of more sophisticated Trojans designed to evade antifraud systems.”

Story here.

Rogue downloader uses Firefox warning screen lookalike

Patrick Jordan found this one today:

The rogue Alpha AntiVirus page used to hijack a browser copies the Firefox warning screen:

Firefox attack 01

It looks like the Firefox warning page, but with a difference: it is being rendered in Internet Explorer, served from a web site. A real Firefox warning is generated by the browser itself, never delivered as a remote page, and never in another browser. Clicking leads to this:

Firefox attack 02

Which goes to the payment screen:

Firefox attack 3

The AlphaAV lineage:

XP Antivirus (2007)

AntiVirus 2009 (2008)

AntiVirus 360 (end of 2008)

Total Security (January 2009)

Personal AntiVirus (January 2009)

Total Security (2009)

What makes research on these rogues very challenging is the fact that they swap the download web sites about every six hours.

Thanks to Patrick Jordan

Tom Kelchner

Philippine flooding – all Sunbelt hands accounted for

Researchers in the Sunbelt Manila office have reported that the entire staff has been accounted for and flood waters are receding. Half the staff members are in their homes and unable to reach the office. The Sunbelt facility is on the 17th floor and has electricity.

The Sunbelt headquarters in Tampa Bay, Florida, has been in touch with various staff members by email.

Staffer Alejandro Mendoza III sent the following:

Here are some photos taken from my apartment. I am at Pasig Green Park Village and fortunately, my place is on the 3rd flr. Our village is near Joey, Aldous, Reggie, Reggie and Berman.

Santos01

When we woke up at around 11 am, water is already waist deep. We were not worried at all since the place does not usually get flooded. We no longer have electricity at around 1 pm.

Santos02

By 4 pm, the place is already at chest deep. At this point, things start to get scary. We could no longer go out and evacuate because the water level is higher in the main road so we opted to stay in our apartment. Those who are staying in single story houses began to move to our place.

Inside the first floor of our apt. Our place is higher than the road so the water level is still knee deep at this point.

Santos03

By 11 pm the murky water has already covered the first floor and cars are now completely submerged. Water level on the street is about 6 feet or deeper. You can only see the trunk of the Chevrolet.

Santos04

By 8:30 am 9/27, water is still at shoulder deep. People have to use an air bed as a life raft to go out and check on our other neighbors.

Water slowly subsided and by 8 pm, water is still waist deep.

Aldous de los Santos sent this account at 1:44 p.m. Sept. 28 (local time)

Water in my area has receded this morning.

I plan to come by the office this afternoon to recharge cell phones and laptop computer.

We are fixing and cleaning a lot of things in the apartment. Roads going out are muddy but passable.

I’m saving my laptop battery, so I can only go online from time to time.

I’ll see if I need to get a power generator for the house in case the power will take weeks to be restored since I heard that some areas are still in waters.

We have only little updates on the news since we are saving batteries.

No TV, we can only get updates from the net and radio.

Flood01

(View from de los Santos’ apartment during the flooding.)

Flood04

(And when it peaked.)

Tragic flash floods and landslide always happen in PH =(

I only watched from news and visited the place after it has happened, and this is my first time to experience being really involved. I think what I have experienced is still minor compared to other subdivision and provinces. The photos I took are within my area.

I wanted to go to office to take some pictures, since we are in a higher floor, I can get a good view. But I have to stay with my family while the water is high.

–Aldous

News today on Philippine flooding. 100,000 homeless and 240 dead.

To help the victims of the flooding, go through the Philippine Red Cross (URL here.)

Tom Kelchner

A “malware experience,” brought to you by McAfee?

McAfee Avert Labs is advertising its Focus ’09 conference next month in Washington, D.C. We find one of the 13 sessions offered on the agenda disturbing:

Avert Labs — Malware Experience

“Join experts from McAfee Avert Labs and have a chance to create a Trojan horse, commandeer a botnet, install a rootkit and experience first hand how easy it is to modify websites to serve up malware. Of course this will all be done in the safe and closed environment, ensuring that what you create doesn’t actually go out onto the Internet.”

This is unethical. And it’s the wrong approach to teaching awareness and understanding of malware. This would be like your local police giving a crash-course on how to plan and execute the perfect robbery — yet to avoid public criticism, they teach it in a ‘safe environment’: your local police station.

The oldest myth and question in the antivirus business can now be answered thanks to McAfee: ‘Yes, antivirus vendors do create their own malware. At least one of them does it. On top of that they even educate people that are not criminals yet on how to do it!’ Knowing Vesselin Bontchev as a colleague and friend, I’m sure the last word has not been spoken here. Someone has to point out that this is wrong. Very wrong.

I think McAfee just managed to add another point to the ‘why do people write malware’ list:

1. Anger issues
2. Fun Factor
3. Espionage
4. The hacker instinct
5. Money Money Money
6. Political agitation
7. The Shakespeare Syndrome: Romance & Drama
8. Sabotage
9. The intellectual challenge and passing the boring time
10. Extortion
11. I just updated my resume with virus knowledge
12. Because McAfee teaches it now in a ‘safe’ environment

See McAfee’s course description here.

Let’s remember that in 2003, the University of Calgary drew fire for offering a similar course.

I have a lot of respect for my colleagues at McAfee. Please, don’t let this happen.

Michael St. Neitzel
VP of Threat Research and Technologies

Update: McAfee has clarified this matter in the curriculum for their upcoming Focus 09 Security Conference. The text now reads: “Join experts from McAfee Avert Labs and have a chance to work with a Trojan horse, commandeer a botnet, install a rootkit and experience first hand how easy it is to modify websites to serve up malware.”

This is considerably better.

Thoughts on MSE

I’ve hemmed and hawed about saying anything about Microsoft Security Essentials. However, I’m getting requests as to my position on the issue.

Generally, my feelings on MSE are as follows:

  • It is not a Microsoft conspiracy to take over the world, etc. They had to do this in order to beat off Apple, and improve their security posture as a company. They have removed millions of infections using the MSRT tool and they really do need to do something about machines that are not protected — for the good of the rest of us. It is ultimately good for the consumer.
  • It will probably not have a major impact on the big incumbent players, but it will likely have a dramatic effect on the free AV players, like AVG and Avira, because many of their installs come from “experts” installing it on PCs (people like your neighbor, or a family member, who installs it on your behalf). These people will likely move to the Microsoft solution. This will take some time but the risk is there. Nag screens, toolbar installs, misleading messages to upgrade, all efforts to monetize a free product piss off users to no end.
  • The incumbents should not underestimate the wrath that many users have about their products. It’s not all fair — there have been many improvements (especially Symantec, which has done a truly remarkable job with their latest releases). But the anger is there, and you see it all the time on listservs, forums, etc. This emotional reaction may play a part in Microsoft getting traction.
  • The Microsoft product isn’t bad at all, unlike past efforts on their part (like the free antivirus tool in DOS 5, which was a joke). Decent detections, reasonable footprint. However, it does not have email AV functionality and not all the bells and whistles that the suites have. Nevertheless, 2-way firewall functionality is built into Windows 7, so that is a lesser issue.
  • The idea that consumers will want a broader, more complete product isn’t totally incorrect. We’ve seen this with the freebie players — about 2% of their user base upgrades to the more complete versions. The people with no money will use the free Microsoft product. The people who want to ensure a more comprehensive security posture will buy the full suites from Norton or McAfee. Name brand still means a lot in this market (it’s worth noting that our surveys indicate that about 40% of the market has suites, vs. 60% that use a dedicated AV).
  • The OEMs like Dell are going to continue to push suites, because they get a lot of money from Symantec and McAfee for pre-installs. Retailers will go the same way — don’t expect Geek Squad to start installing the free product (at least in-store). There’s a lot of money at stake.
  • This download is not going to come through Windows Update, which is a big deal. Users will need to proactively download it from the Microsoft website or from places like Download.com. It will also not be OEMed, at least in the major markets (possibly in the third world, but that’s just speculation).
  • A lot of people will download it just to remove an infection that their existing antivirus product didn’t catch. This puts the very profitable scan-and-scare model at risk.
  • The one space that will not be significantly affected is the enterprise/SME side. The MSE product is not manageable, and hence is not really usable in environments over 25 users. (Microsoft does restrict usage to home networks only, although realistically most micro-SMEs won’t read the fine print).
  • Sunbelt is not significantly affected by this release. Years ago, Microsoft purchased our development partner at the time, Giant Company, in order to release a free antispyware product. At that point, I decided not to ever be at the mercy of a Microsoft release, and now 90% of our sales come from the enterprise (this does not mean we’re exiting the consumer market, it’s just that we are not going to let this business get “too big to fail” — we have a consumer product, which is well priced and well supported, and we’ll continue to innovate in this area). As regards the enterprise, we have seen Microsoft bundling ForeFront for free in some cases, but it’s not a major issue. Let’s hope it stays that way.

Alex Eckelberry