Dueling DDoS?

News sites on the Web today seem to have just discovered a story from last Thursday’s Guardian newspaper in the UK that said government agencies in the U.S. and U.K. are preparing to go after the servers of the criminal gangs and government-sponsored hackers in Russia, China and North Korea. The measures could range from the covert installation of spyware to identify the miscreants all the way up to denial-of-service attacks.

The Guardian quotes unnamed sources saying that the UK’s Serious Organised Crime Agency and the Metropolitan police e-crime unit have already begun operations.

It also said a recent federal government review of cyber security in the U.S. stated that the president has the legal authority, under the Communications Act of 1934, to carry out such attacks in defense of national security.

This isn’t the first time this has been discussed. While the recent increase in hacking and malware must be dealt with, a lot of observers conclude that there could be serious collateral damage if government agencies and the dark side begin exchanging attacks. The main “business model” for Internet crime is to build botnets out of other people’s computers and use them for command and control, for launching denial-of-service attacks, for storing the porn and for doing the drive-by downloads. A counterattack aimed at the criminals would land on those innocent machines, and that could get really ugly.

Better update the emergency phone numbers for your up-stream provider and dust off the ol’ disaster recovery plan.

Story here.

Tom Kelchner

Rogue AV spoofs Microsoft Malicious Software Removal Tool

Malware authors continue to capitalize on the chattiness and marketing webiness in Windows. A prime example is a new fake antivirus program masquerading as the Windows Malicious Software Removal Tool.

CA has done the work on this one so I don’t have to — along with some good screenshots. Link here.

Alex Eckelberry


zbot wave in effect

Earlier today, I blogged about a new zbot campaign that pushes a program to “reconfigure Outlook Express”. Well, it seems to be working, because the volume of spam carrying this type of message has gone up.

And — they’ve targeted TheBat! (ah, memories for some of you…), but the bot seems to be a bit confused, mixing in TheBat! with Outlook and Outlook Express.

(Screenshots of the TheBat!, Outlook and Outlook Express spam samples, and of the obligatory fake greeting card, are not reproduced here.)

Sample strings used:

TheBat Setup Notification

You have (1) message from Microsoft Outlook.

Please re-configure your Microsoft Outlook again.

Download attached setup file and install.

—————————————————————————————

Outlook Express Setup Notification

You have (8) message from Outlook Express.

Please re-configure your TheBat again.

Download attached setup file and install.

(If you’re curious as to what this thing does, you can view the Sunbelt Sandbox report here.)

Alex Eckelberry

Hotfix 5 released for VIPRE and CounterSpy

VIPRE and CounterSpy HotFix 5 will be released today at 6 pm EDT, providing a number of improvements in stability and overall effectiveness. Most importantly for enterprise customers, it solves issues experienced when running VIPRE and the ShadowProtect backup program at the same time on a server.

Users will be prompted to update through the user interfaces of both the consumer and enterprise versions of VIPRE and CounterSpy.

Version numbers for Hotfix 5:

CounterSpy (enterprise agent and consumer): 3.1.2774
VIPRE (enterprise agent and consumer version): 3.1.2775

Along with the agent, enterprise customers are encouraged to update their console version. The console build number for both CounterSpy and VIPRE is 3.1.3121.

Alex Eckelberry

New zbot twist


New spam message pushes zbot:

You have (1) message from Microsoft Outlook.

Please re-configure your Outlook Express again.

Download attached setup file and install.

The zip file attached gives you a happy dose of zbot love.

Admins — I know some of you don’t like to do this, but really — please, block all incoming zip files.
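For admins who won’t go as far as dropping every zip outright, a middle ground is to open each zip attachment at the mail gateway and reject the ones that carry an executable, an encrypted entry or an archive that doesn’t parse, which is exactly what the “setup file” lure above relies on. The following is an added example in Python, not code from this blog or from any product mentioned here; the sample message, the fake attachment contents and the extension list are constructed for illustration.

```python
"""Added example (not the blog's code): inspect a mail message's ZIP attachments
and flag those that carry executables, encrypted entries or an unreadable
archive. The sample message is constructed inline so it runs offline."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: a baseline list of extensions that have no business arriving by mail.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
ZIP_TYPES = ("application/zip", "application/x-zip-compressed")


def build_sample_message(inner_name: str = "Outlook_Express_setup.exe",
                         inner_bytes: bytes = b"MZ" + b"\x00" * 64) -> bytes:
    """Constructed lure in the style of the spam above: a ZIP attachment holding a
    single file. The default inner file is a fake executable (bogus MZ header)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, inner_bytes)
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "admin@example.invalid"
    msg["Subject"] = "Outlook Express Setup Notification"
    msg.set_content("You have (1) message from Microsoft Outlook.\n"
                    "Please re-configure your Outlook Express again.\n"
                    "Download attached setup file and install.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="setup.zip")
    return bytes(msg)


def inspect_zip_attachments(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return {'block': bool, 'findings': [...]}.
    Each finding is (attachment name, inner file name, reason)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not (name.endswith(".zip") or part.get_content_type() in ZIP_TYPES):
            continue
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = info.filename.lower()
                    if info.flag_bits & 0x1:            # bit 0: entry is encrypted
                        findings.append((name, inner, "encrypted entry"))
                    elif inner.endswith(EXECUTABLE_SUFFIXES):
                        findings.append((name, inner, "executable inside archive"))
        except zipfile.BadZipFile:
            # Truncated or non-ZIP data under a .zip name is suspicious on its own.
            findings.append((name, "", "unreadable archive"))
    return {"block": bool(findings), "findings": findings}


if __name__ == "__main__":
    verdict = inspect_zip_attachments(build_sample_message())
    print("BLOCK" if verdict["block"] else "ALLOW", verdict["findings"])
```

Encrypted entries are treated as a block reason because the gateway cannot see inside them, and a password-protected zip with the password in the mail body is a standard way to get a dropper past a scanner. Nested zips are not unpacked here; a production filter would recurse to a bounded depth.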

Alex Eckelberry

Life continues to suck for Sam Jain and his merry bunch of (alleged) fraudsters

FTC denies challenges by Innovative Marketing.

This Court conducted a hearing yesterday on almost all outstanding motions in this case and rendered the following rulings for the reasons stated on the record:

  • Sam Jain’s Motion to Stay (Paper No. 45) is DENIED;
  • Kristy Ross’s Motion to Temporary Stay (Paper No. 48) is DENIED;
  • FTC’s Motion for Order Holding Sam Jain and Kristy Ross in Contempt of Court and Requiring the Repatriation of their Assets (Paper No. 49) is DENIED;
  • Kristy Ross’s Motion to Strike or in the Alternative Motion for an Extension of Time (Paper No. 51) is MOOT;
  • Sam Jain’s Motion to Strike or in the Alternative Motion for an Extension of Time (Paper No. 52) is MOOT;
  • Sam Jain’s Motion to Modify Preliminary Injunction (Paper No. 58) is DENIED IN PART, with the Court withholding a ruling on the requested modification of the asset freeze;
  • Sam Jain’s Motion to Dismiss under Rule 12(b)(7) and 19 (Paper No. 60) is DENIED;
  • Kristy Ross’s Motion to Dismiss under Rule 12(b)(7) and 19 (Paper No. 61) is DENIED;
  • Marc D’Souza’s Motion to Dismiss under Rule 12(b)(7) and 19 (Paper No. 70) is DENIED; and
  • Marc D’Souza’s Motion for Temporary Stay and Modification of Preliminary Injunction (Paper No. 71) is DENIED IN PART, with the Court withholding a ruling on the requested modification of the asset freeze.

More over at Sandi’s blog.

Alex Eckelberry

An “Inconvenient” Zbot lure

Sunbelt Software researchers turned up an interesting compromised Web site that now redirects visitors looking for Al Gore’s “An Inconvenient Truth” site to a Zbot installer. Search engines are beginning to index it too.

Here is the real site they’re looking for: http://www.climatecrisis.net/

The infected site, hxxp://an-inconvenient-truth.com (DO NOT GO THERE!), has been registered since 2006, so it’s probably a legitimate site that’s been taken over.

Obfuscated JavaScript at the bottom of the page points to hxxp://bl4ckst4r.cn/blog/go.php?sid=17 (DO NOT GO THERE!), which delivers Zbot, a Trojan that plants spyware on victims’ machines to steal banking log-in information.

Tom Kelchner

READ the EULA!

Sears Holding Corporation, which owns Sears, Roebuck and Kmart, has signed an agreement with the U.S. Federal Trade Commission and will destroy the information it harvested using ComScore (spyware) software last year.

It’s shocking that such a big and reputable company would get involved in something that invites Web users to an “exciting online community,” then installs spyware on their computers that monitors their online banking details, texts of secure pages they visit, online drug prescription records and email as well as the relatively mundane information about the web sites they visit.

To its credit, the company stopped the spying after public concern was raised. And they didn’t fight the FTC action.

For Web users, one big lesson here is that you must read those miserable, huge End User License Agreements (EULAs). All the spying was described in the EULA that Sears presented. Of course, it was on page 10 of a gargantuan 54-page privacy statement. Harvard University professor and spyware researcher Ben Edelman said the document failed to meet the FTC standards set out during actions against spyware companies Direct Revenue and Zango.

News story here.

FTC news release here.

Tom Kelchner

T-Mobile pwnage

Well, this is not good.

The U.S. T-Mobile network predominantly uses the GSM/GPRS/EDGE 1900 MHz frequency-band, making it the largest 1900 MHz network in the United States. Service is available in 98 of the 100 largest markets and 268 million potential customers.

Like Checkpoint, T-Mobile has been owned for some time. We have everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009.

We already contacted their competitors and they didn’t show interest in buying their data -probably because the mails got to the wrong people- so now we are offering them for the highest bidder.

Please only serious offers, don’t waste our time.

Contact: pwnmobile_at_safe-mail.net

Alex Eckelberry
(Via Securiteam)

The Internet is a safer place (well, slightly) as FTC shuts down crime-hosting N. Calif. ISP

We REALLY hope this is the beginning of a trend.

The U.S. Federal Trade Commission has taken down Northern California Internet Service Provider Pricewert LLC (also doing business as 3FN and APS Telecom) that has hosted alleged criminal sites engaged in the distribution of spam, child pornography, spyware and malware as well as the operation of botnet command and control servers.

According to some reports, as many as 15,000 sites used for criminal purposes were shut down by the action.

Sunbelt Software researchers say they have been tracking Pricewert servers hosting alleged exploits and porn dialers since 2004. Also, IP addresses registered to them were known to be hosting exploits and malware, including rogues, since that year.

The FTC said in their complaint, filed in U.S. District Court for the Northern District of California, San Jose Division, that Pricewert advertised to a criminal clientele, then shielded their customers’ activities by ignoring take-down requests from the online security community or shifting the malicious sites to other IP addresses to help customers continue their activities.

The FTC filing is based on the commission’s belief that criminal activities have taken place and that the public interest would be served. A court must determine if any laws have been broken.

According to the FTC news release: “The court issued a temporary restraining order to prohibit Pricewert’s illegal activities and require its upstream Internet providers and data centers to cease providing services to Pricewert. The order also freezes Pricewert’s assets. The court will hold a preliminary injunction hearing on June 15, 2009.”

Mark your calendars!

FTC news release here.

Tom Kelchner

Guidelines for antivirus exclusions for MS programs repost

Earlier in the week, I posted a good set of guidelines for enterprise administrators from Microsoft for antivirus exclusions. Unfortunately, the page that I linked to got pulled. However, Rod Trent was kind enough to share the document with me, and you can download it here (MS Word).

Alex Eckelberry

An excellent domain typo generator

If you’re trying to protect your brand, this is a great tool from DomainTools:

There are a number of typo generators out there, but DomainTools’ is the only one that makes it easy to find out who is typosquatting on your domain name. It also lets you know if someone previously typosquatted a typo of your domain or “tasted” it (registered it briefly, then dropped it).

To use the typo generator, go to domaintools.com/domain-typo and enter the domain name. Then choose your options including views:

Registrant View – see typos of your domain and the registrant’s name. Great for seeing if one person is aggressively typosquatting you.

DNS View – typos include nameservers and IP addresses. Great for seeing if typos of your domain are parked.
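The candidate-generation half of such a tool is easy to reproduce yourself, and it’s worth knowing which classes of typo it should cover: a dropped character, two characters swapped, a doubled key, a hit on an adjacent key, a vowel swapped, a hyphen dropped and a look-alike TLD. The following is an added example in Python, not DomainTools’ code; the keyboard layout is an approximation of US QWERTY, the alternate-TLD list is a small assumed one, and the resolver is injected so the example runs offline (in production you would pass a DNS or WHOIS lookup).

```python
"""Added example, not DomainTools' code: generate typo variants of a domain
(omission, transposition, doubled key, adjacent-key hit, vowel swap, hyphen
dropped, look-alike TLD) and filter them through a pluggable resolver."""
from typing import Callable

_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")   # assumption: US QWERTY
_VOWELS = "aeiou"
_ALT_TLDS = ("com", "net", "org", "co", "info")                # assumption: small list
_LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def _build_neighbours() -> dict[str, str]:
    """Approximate keyboard adjacency built from the physical rows: left and
    right neighbours, plus the two keys the row stagger puts above and below."""
    table: dict[str, set[str]] = {}
    for r, row in enumerate(_ROWS):
        for i, ch in enumerate(row):
            near = table.setdefault(ch, set())
            near.update(row[j] for j in (i - 1, i + 1) if 0 <= j < len(row))
            if r > 0:                                    # row above sits half a key left
                above = _ROWS[r - 1]
                near.update(above[j] for j in (i, i + 1) if j < len(above))
            if r + 1 < len(_ROWS):                       # row below sits half a key right
                below = _ROWS[r + 1]
                near.update(below[j] for j in (i - 1, i) if 0 <= j < len(below))
    return {k: "".join(sorted(v)) for k, v in table.items()}


NEIGHBOURS = _build_neighbours()


def _valid_label(label: str) -> bool:
    """DNS label sanity: non-empty, allowed characters, no leading/trailing hyphen."""
    return (0 < len(label) <= 63 and set(label) <= _LABEL_CHARS
            and not label.startswith("-") and not label.endswith("-"))


def typo_candidates(domain: str) -> set[str]:
    """Return plausible typo domains for `domain` (never `domain` itself).
    Only the first label is mutated; the rest (e.g. 'co.uk') is kept as the suffix."""
    domain = domain.lower().strip(".")
    label, _, suffix = domain.partition(".")
    if not suffix:
        raise ValueError("expected a name with a TLD, e.g. example.com")
    variants: set[str] = set()
    n = len(label)
    for i in range(n):                                   # omission
        variants.add(label[:i] + label[i + 1:])
    for i in range(n - 1):                               # transposition
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(n):                                   # doubled key
        variants.add(label[:i + 1] + label[i:])
    for i, ch in enumerate(label):                       # adjacent-key hit
        for nb in NEIGHBOURS.get(ch, ""):
            variants.add(label[:i] + nb + label[i + 1:])
    for i, ch in enumerate(label):                       # vowel swap
        if ch in _VOWELS:
            for v in _VOWELS.replace(ch, ""):
                variants.add(label[:i] + v + label[i + 1:])
    if "-" in label:                                     # hyphen dropped
        variants.add(label.replace("-", ""))
    variants.discard(label)
    out = {f"{v}.{suffix}" for v in variants if _valid_label(v)}
    for tld in _ALT_TLDS:                                # look-alike suffix
        if tld != suffix:
            out.add(f"{label}.{tld}")
    out.discard(domain)
    return out


def registered_typos(domain: str, resolve: Callable[[str], bool]) -> list[str]:
    """Candidates for which `resolve(name)` is true. Inject a real lookup in
    production (e.g. a socket.getaddrinfo call wrapped in try/except, or WHOIS);
    it is a parameter here so the example stays offline."""
    return sorted(c for c in typo_candidates(domain) if resolve(c))


if __name__ == "__main__":
    cands = typo_candidates("sunbelt-software.com")
    print(len(cands), "candidates, e.g.", sorted(cands)[:8])
```

The resolved subset is what you then feed to a WHOIS lookup to see whether one registrant holds many of them, which is the “Registrant View” question, and whether they resolve to a parking nameserver, which is the “DNS View” question. Homoglyph variants (rn for m, 1 for l) are a separate class this example does not generate.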

More here.

Alex Eckelberry

Hackers for hire

Hackers usually offer their services in the underground market, chatting in private forums, hidden behind various enigmatic aliases. However, a more enterprising bunch offers their services publicly, offering to hack into email accounts, Facebook, MySpace, ICQ or even Facebook’s popular Russian clone, Vkontakte.

However, you’d be an idiot if you actually used them. Doing business with black hats isn’t always the brightest thing to do — you might very well find yourself getting the bad end of the bargain.

Some recent research into one site dedicated to hacking Facebook revealed a number of dodgy sites all under the same IP (in the Cayman Islands, not surprisingly, and with a history). Let’s take a visual tour.

The screenshots (not reproduced here) showed, in turn: a more “general” site on hacking; sites offering to hack Vkontakte; sites offering to hack ICQ; a MySpace one; and, of course, Facebook.

(“vzlom” in Russian means “break-in” or “hack” — of course, my Russian readers are sure to correct me.)

But this IP has a number of other questionable domains, such as a site seen in the past delivering malware, and one which looks suspiciously like a phishing site. I can only speculate at this point on the other sites listed in the IP range (“escrow services”, etc.).

The whole damned lot should be taken down.

Incidentally, if you use any of the services being targeted here, please do the obvious and use complex passwords, changing them regularly.

Alex Eckelberry
(Hat tip to Patrick)

Growth of malware: Update

Over a year ago, I published a rather stunning graph showing the growth of malware.

It needs updating. I asked Andreas Marx at AV-Test for some new data, and he’s been kind enough to share it with me.

The two charts (not reproduced here) show, first, the size of Andreas’ collection and, second, the monthly malware collection growth.

(Excel spreadsheet here.)

Andreas tells me an updated chart will be available in a few weeks, and I expect to post that as well.

Alex Eckelberry

Anne Mulcahy on innovation

I have a lot of respect for Anne Mulcahy, Xerox’s CEO who has announced her retirement.

One thing that I like about her is that she gets innovation:

To be sure, a company’s R&D investment pool looks tempting in tough times. And draining it might save a few jobs or help make the quarterly results less painful. However, if you fail to fund the future, all you’ll be left with is a really lean company trying to churn old ideas into new business… When Xerox went through a downturn of its own making earlier this decade, everywhere I went, lenders and investors were demanding I cut our R&D spending. But to me, Xerox innovation was sacred. Why avoid financial bankruptcy only to face technological bankruptcy down the road?

Some of the tech CEOs I know right now who are in trouble are, in many cases, the ones who have not spent enough on R&D — the core of innovation in a technology company.

There is an attitude often in financial circles (and among non-technical managers), that research and development is not the vital lifeblood of an organization. It can be off-shored, or outsourced, or heavily cost-managed. I know several companies where the financial backers are soaking the company for cash flow, but not investing heavily in new technology.

An organization starts with a product. It doesn’t start with a sales, finance or marketing department. It starts with something that’s produced. And in technology, the people who make your products are your R&D department. Without a product, you have nothing.

The sometimes painful truth is that the business of technology is very R&D intensive. There are cycles, where you make a new product, make money off of it, and then go into another major new R&D phase. This is an ongoing process.

However, what is commonly observed is a company spends on innovation, gets successful, and then doesn’t realize that it actually needs to keep spending on innovation. The companies that would qualify for this list are legion.

Simply straight-lining your R&D expenses at some magical percentage of total revenue is not the right approach. A company must invest in R&D with relevancy to its current situation. Right now, almost 40% of our staff is dedicated to R&D, a staggering figure for some people. But we’re at an absolutely essential time where innovating is the most important thing we can do, to remain competitive. It pays off — our growth is 70% year-over-year. So we keep investing, and investing. We’re making money, but we’re also spending money on making sure that two years from now, we continue to have the most innovative products. (Our percentage of R&D won’t always be this high, because as revenue goes up, the percentage dedicated to R&D goes down, but the current ratios are relevant to where we need to invest now.)

So to those developers out there facing budget cuts, fight back. Teach your managers that you need the money to make the products that the company will need in the future — so they will have jobs themselves.

In short: Innovate or perish.

Alex Eckelberry

This really needs a retraction

Last year, I met with a prominent journalist who I respect, and he let on to me that some Microsoft execs had been telling him that they don’t run antivirus because Vista is so secure.

Oh really? Hmm… Give me Steve Ballmer’s email address… I could have fun with this.

The idea that you don’t need to run security software just because you’re running Vista is flat out wrong.

So no offense to the writer, but here’s an article that really needs a retraction:

• Turn off Vista’s overly protective User Account Control. Those pop-ups are like having your mother hover over your shoulder while you work.

• Uninstall your anti-virus software. I’m serious. Symantec Norton 360 spent so much time trying to protect me from problems I don’t have that it dragged my Toshiba’s performance to a crawl. So I uninstalled it. Instant speed boost.

Surprisingly, the article didn’t get much attention when it came out last week, except for some mentions (like this ComputerWorld blog post). Unfortunately, it’s now spreading through syndication.

But really — this is just terrible and dangerous advice.

If you’re fed-up with the bloat of your AV product, get a leaner one. I make one. And there are others as well.

Want reasonable performance tips? I posted some similar advice a couple of years ago on optimizing the performance of your PC, and this LifeHacker article from a while back debunks some common performance myths.

But no way — no way — should you not be running an antivirus product. This is not my self interest speaking, as I’ve blogged about free tools you can use.

It’s just a simple fact.

Alex Eckelberry