Sunbelt Weekly TechTips #60

What caused the WGA goof-up
Last week, computer users experienced problems in trying to validate and activate their Vista systems with the Microsoft Windows Genuine Advantage (WGA) system, a situation that lasted for about 20 hours. Now it appears the culprit has been found: preproduction code that was installed on production servers. It’s fixed now, but not before frustrating many users. Read more here.

How to find out what programs on your computer are connecting to the Internet
Wondering if there’s a spyware program on your computer that’s surreptitiously sending information over the Internet? Want to know which of your legit programs are “calling home?” There’s a command line utility that will help you find out, and it works in both XP and Vista.

  • Click Start.
  • In XP, click Run and type cmd in the Run box. In Vista, you need to open the command prompt with elevated privileges, so click All Programs, Accessories, then right click Command Prompt and select Run as Administrator.
  • At the command prompt, type netstat -nab

This displays a list of running programs, the protocol being used by each to connect to the Internet, and the IP address and port being used. You might be surprised to see, for instance, that PowerPoint is connected to the Internet – but it will be if you use the online Help function, search for clip art, etc.
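As an added example (my code, not part of the original tip), here is a small Python script that parses the `netstat -nab` output the tip tells you to read by eye and reports only the programs with established connections to addresses outside your own machine and LAN. The sample output, IP addresses and executable names are constructed for illustration.

```python
"""Parse `netstat -nab` output and list programs with live connections to
non-local addresses.  Added example, not code from the original tip; the
sample output and program names below are constructed."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of `netstat -nab` output.  Each connection line is
# followed by the component(s) owning the socket, ending with the executable
# in square brackets (or a note that ownership could not be determined).
SAMPLE_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.5:1067       192.0.2.44:80          ESTABLISHED
 [POWERPNT.EXE]
  TCP    192.168.1.5:1071       198.51.100.23:8080     ESTABLISHED
 [svchst.exe]
  UDP    0.0.0.0:500            *:*
 [lsass.exe]
  TCP    192.168.1.5:1080       203.0.113.7:443        ESTABLISHED
  Can not obtain ownership information
"""

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")
# Loopback/unspecified are checked via ipaddress; RFC 1918 and link-local here.
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                      "192.168.0.0/16", "169.254.0.0/16")]


def parse_netstat(text):
    """Return one dict per socket: proto, local, remote, state, program."""
    records, current = [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            current = {"proto": m.group(1), "local": m.group(2),
                       "remote": m.group(3), "state": m.group(4) or "",
                       "program": None}
            records.append(current)
        elif current is not None:
            m = OWNER_RE.match(line)
            if m:
                current["program"] = m.group(1)
            elif "ownership information" in line.lower():
                current["program"] = "<unknown>"
            # component names such as "RpcSs" are skipped
    return records


def is_external(addr):
    """True if host:port points outside loopback, link-local and RFC 1918."""
    host = addr.rpartition(":")[0].strip("[]")
    if host in ("", "*", "0.0.0.0"):
        return False
    try:
        ip = ip_address(host)
    except ValueError:
        return False
    if ip.is_loopback or ip.is_unspecified or ip.is_link_local:
        return False
    return not any(ip in net for net in LOCAL_NETS)


def programs_calling_home(text):
    """Map program -> [(proto, remote)] for established external connections."""
    result = defaultdict(list)
    for rec in parse_netstat(text):
        if rec["proto"] == "TCP" and rec["state"] != "ESTABLISHED":
            continue  # listening/closing sockets are not "calling home"
        if is_external(rec["remote"]):
            result[rec["program"] or "<unknown>"].append(
                (rec["proto"], rec["remote"]))
    return dict(result)


if __name__ == "__main__":
    # On a real machine, feed it subprocess.check_output(["netstat", "-nab"], text=True)
    for prog, endpoints in sorted(programs_calling_home(SAMPLE_OUTPUT).items()):
        print(f"{prog:16s} " + ", ".join(f"{p} {r}" for p, r in endpoints))
```

A program name you do not recognise, or a near-miss spelling of a system executable, is the thing to look into; an entry of "<unknown>" means netstat could not identify the owner, which is itself worth a closer look.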

Where, oh where are our Windows Home Servers?
Microsoft’s new Windows Home Server operating system was released to manufacturing way back in July, but we still haven’t seen any hit the retail shelves yet. What’s going on? Well, according to the official Home Server blog they’ve discovered ways to make it “even better,” and that accounts for the delays. WHS boxes are expected to be available in early September. Ummm, it’s early September now, guys.

Vista Service Pack 1 beta coming soon; expected to be a big one
SP1 for Vista is eagerly anticipated by many, including those users who have been waiting for it before they upgrade their operating systems. The service pack is in beta testing now and will go to 10,000 to 15,000 beta testers in September. One thing you can look forward to is a big file: about a gigabyte. Although that may not seem like much when today’s hard disks can easily hold 500 to 750 GB for a reasonable price, to put it in perspective consider that the entire Windows XP installation pack was less than 1 GB in size. Link here.

Chicago abandons plan for city-wide wi-fi
Just a few weeks after our editorial questioning the feasibility and appropriateness of spending taxpayer money to fund city-wide wireless networks, Chicago officials have announced that they’ve shelved their plans for 228 square mile wi-fi coverage due to the high cost. It appears they are, however, building a WiMax network there. Read more here.

New Yahoo Mail goes live at last
Yahoo has been beta testing its new mail software for almost two years, but it’s finally going live and several pundits, including Walter Mossberg (technology writer for the Wall Street Journal) say it outdoes its top two competitors, Hotmail and Gmail. It has built-in IM and even lets you send text messages to cell phones. It also offers unlimited free storage for email and attachments (Gmail limits you to 2.9 GB and Hotmail has just increased their limit to 5 GB). The new version of Yahoo Mail is rolling out in the next few weeks. If you use Safari or other incompatible browsers, you can continue to use the old (“Classic”) version.

Windows SideShow gives your laptop the “wow” factor
One of the coolest new features in Vista unfortunately isn’t supported by most of the hardware on which the OS is running today. That’s Windows SideShow, which allows a secondary display device on the outside of laptop computers to retrieve information from the computer and display it even if the computer is closed, asleep or turned off. For example, this small outer display could show email messages or web information through the use of gadgets, the same small applets that run in the Vista Sidebar.

Although laptops are the most common usage of the technology, it can also run on remote controls, keyboards, mobile phones and other hardware devices. Now if only we can get more hardware available that supports this. Meanwhile, you can read more about it here.

Cell Phone Security
My son recently lost his cell phone, and I had a few moments of sheer terror. I’ve read horror stories about lost or stolen phones resulting in five digit phone bills. I immediately called Verizon to have them suspend the account. We got lucky; it had dropped out of his backpack into the seat of a rental car and the car agency found my number in his speed dial settings and called the next day to tell me they’d found it. Verizon turned it back on (after I satisfactorily identified myself to them) and all was well again.

But many people who carry cell phones everywhere they go don’t realize the consequences if those phones fall into the wrong hands. This article recounts some real life experiences and offers tips on how to protect yourself.

What’s the best way to deploy redundant Internet connections?
QUESTION:
I have been thinking seriously for the last couple of months, after my service went down for a morning, about getting redundant connectivity in the form of DSL. I currently have the very high speed version of Time-Warner’s Roadrunner. For the price of [approximately] $30 to $40 month more I can get DSL. My questions are:

  1. What is the best way to do this?
  2. What experience have others had and are there any tips from those already doing it?
  3. How to configure if only using one router?
  4. What are some router recommendations to allow simultaneous access and usage of the Internet or to use whichever one is available at the time?

ANSWER: Having two Internet connections from different providers is the best protection against being left without a connection – and with the right equipment, you can aggregate the connections into one faster connection when both are working.

The key is a router with dual WAN (wide area networking) links. That means two (or more) WAN ports to which you can connect your cable and DSL modems. The SonicWall TZ 170 is one of the best, but it’s pricey and may have more features than you need (or want to pay for). It’s around $500. The Xincom Twin WAN Router is available for around $200 and provides load balancing and backup. You can get it from Amazon here. D-Link and Linksys also make dual WAN routers.

Memory leak causes XP to lock up
If you have a program using Windows Management Instrumentation (WMI) running on your XP computer, you might get lock ups (unresponsiveness) because of a memory leak that occurs when the RPC cache gets too big. There is a hotfix for the problem, but you’ll need to submit a request to Microsoft Online Customer Services to get it. To find out more, see KB article 890196.

Safely Remove Hardware doesn’t work in Vista
Sometimes when you click the Safely Remove Hardware icon in the Vista system tray (notification area), the device may not be removed properly because of a timing issue that prevents the system from being able to find the information it needs about the device. SP1 is expected to fix this, but if you’re being severely affected and don’t want to wait, you can get an individual hotfix by submitting a request to Microsoft Online Customer Services. See KB article 91619.

Deb Shinder

What’s in a (Domain) Name?

Seems as if everybody who’s anybody has his/her own domain these days. A recent Associated Press article reprinted in many newspapers and online venues recounts how the latest trend is for parents to reserve domain names for their babies soon after they’re born – or even before – to ensure that the name won’t be snatched up before the child is old enough to want it.

One report stated that Angelina Jolie had reserved several variations of domain names for her new daughter within hours of the birth.

That might seem a little extreme, but if you happen to become well known, owning the domain named after you can become important. Those of us with fairly distinctive names usually don’t have much trouble getting the domain we want (I didn’t have to compete with anyone else for www.debshinder.com), but what if your name is John Jones or Mary Smith? Things might get a tad more complicated.

For celebrities, the issue can be even more perplexing. In a number of cases, fans have registered the names of famous folks as domains before the owner of the name got around to it. Many of these are fan sites, but what if the person who snags your domain namesake doesn’t like you and uses the site to post derogatory information about you?

Then there are the “cybersquatters” who buy up domain names with no intention of actually putting up web sites, but with the hope that those who do want sites with those names will pay dearly for them. Some people have made substantial amounts of money reselling domain names in this manner. Opponents of the practice accuse them of holding the names hostage. The squatters argue that they are just legally buying something that’s up for sale and then legally selling what they own to someone else – the same thing any retailer does. It can be a lucrative business. Business.com sold for somewhere between $7 million and $8 million, depending on which report you read, and sex.com is reported to have gone for 11 million euros, which translates to almost 15 million U.S. dollars.

Popular names are sometimes put up for auction. Last January, names such as hillaryrodhamclinton.mobi and duncanhunterforpresident.us were announced as available for public auction.

Not surprisingly, there have been many lawsuits filed over the ownership of domain names, especially in cases where the name is a trademark, as in the case of most celebrities. The World Intellectual Property Organization (WIPO) runs a domain name dispute resolution service that deals with many of these cases. According to their web site, they’ve handled 1425 cases in 2007 through the end of August.

Their policy labels registration of a domain name as being “in bad faith” if it’s done primarily for the purpose of selling or renting it to the owner of a trademark or to a competitor of the owner, if you do it to disrupt the business of your competitor or if you use it to defraud web site visitors by making them think the site belongs to or is endorsed by the trademark owner.

How important is it to have your own domain, anyway? Your mom will probably be just as impressed by your web site at www.earthlink.com/bobsmith as she would be by www.bobsmith.com, but in certain fields – especially the tech biz and the entertainment industry – owning a “real” domain is expected. And with registration as low as $6.99/year, it’s within the financial reach of almost anyone (of course, in order to make use of your registered name, you might need to pay a web hosting company or have a business-class Internet connection that allows you to host your own web server, or you may get free web hosting with your consumer-level Internet connection).

What about you? Do you have your own domain? If not, what’s stopping you? Is your name already taken? Don’t want a web site? Have a web site but see no need for your own domain? Should people be allowed to register domain names that are the names of other people? Should famous people be able to “take back” their domain names without paying? Or should domain names be registered strictly on a first come, first served basis and resold at whatever the market will bear? Would you reserve a domain name for your child, or is that just silly? Do you have more respect for a business person, author, or entertainer who has his/her own domain or does it not matter at all?

Deb Shinder

Update on Bank of India

It’s back online. ComputerWorld writes about it:

As a result of the breach, persons coming to the bank’s site were likely to be temporarily redirected to another site where Trojans and other malware were downloaded onto their computers, the employee said. The user was then brought back to the bank’s site.

Well, not exactly. If you weren’t fully patched, your machine was basically hosed with crap while you were happily viewing the site.

The bank’s IT staff thought they had the situation under control Friday morning, until they found that each time they changed the index page for the site, it was immediately replaced by the hackers. The bank then decided to bring the site down.

“The Web site was hosted externally by a hosting company in the U.S.,” the employee said. The bank has since changed the company hosting the service, though the employee clarified that the change in hosting provider had been on the cards even before the hacker attack.

Ok, that might have had something to do with it…

The attack on the Web site did not affect the bank’s online banking operations, according to the employee. The bank’s customers access online banking services through a link on the home page of the bank’s site. The online banking service is provided to users from well-protected servers hosted and monitored within the bank by Hewlett-Packard Co., the employee said.

Well, this perhaps needs clarification. If someone visited the home page of the site, and they were vulnerable, they got infected — and it has nothing to do with whether the servers were protected by HP or anyone else. It’s true that this was not a hack of the bank itself, but we did find at least one data-stealing trojan that someone could have gotten just viewing the site’s homepage.

The bank is as yet not clear about the identity of the hackers, although Sunbelt suggested in its blog that it was a criminal gang, called the Russian Business Network (RBN). “We have called for the logs from the hosting provider in the U.S., and we may have some definite information then,” the employee said.

No, it was RBN.

And from the Height of Irony Department, this article from back in January extols the security initiatives of the Bank of India.

I’m not picking on the Bank of India. This kind of stuff is all too common, and it simply highlights the fact that anyone who has a presence on the web is responsible for ensuring that their site is clean and safe for visitors — and especially when you have people like RBN out there, just looking for any vulnerability to use to infect users.
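As an added example (my code, not Sunbelt’s or the bank’s), here is a small Python check a site owner could run against their own pages to flag the kind of injected IFRAME described in these Bank of India posts: frames that are hidden or zero-size, or that load content from a host other than the site itself. The HTML and the host names in it are constructed placeholders, not the real injected code.

```python
"""Flag hidden, zero-size or off-site <iframe> tags in a page.  Added example,
not Sunbelt's or the bank's code; the HTML and hosts below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a bank-style home page with one legitimate iframe and
# one injected, invisible iframe pulling content from a third-party host.
SAMPLE_HTML = """
<html><head><title>Example Bank</title></head>
<body>
<h1>Welcome to Example Bank</h1>
<iframe src="/rates/today.html" width="400" height="200"></iframe>
<iframe src="http://injected.example.net/in.cgi?3" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """Zero/one-pixel dimensions or CSS that makes the frame invisible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(attrs.get(a, "").strip().rstrip("px") in ("0", "1")
               for a in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, site_host):
    """Return iframes that are hidden or load from a host other than site_host.

    Relative URLs (no host) are treated as same-site; subdomains are not
    special-cased, so review the findings rather than acting on them blindly.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        reasons = []
        if host and host.lower() != site_host.lower():
            reasons.append("off-site source " + host)
        if _is_hidden(attrs):
            reasons.append("hidden or zero-size")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML, "www.examplebank.example"):
        print(f["src"], "->", "; ".join(f["reasons"]))
```

Run it against a copy of your own home page on a schedule and alert on any new finding; the bank's own experience above (the index page being replaced as fast as it was restored) shows why a one-off check is not enough.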

As a final note, credit (long overdue) for the discovery of this hack last week goes to Adam Thomas, in Sunbelt’s malware research team.

Alex Eckelberry

Now for something completely OT

Hard to believe it’s already getting to the end of summer for many of you.

So here’s a vid of Mike Parsons in one of the greatest surfing shots ever taken. And yes, it’s real.

In my gangly younger days, I used to surf in California. But I think I would have run for the hills if I ever saw something like this.

Enjoy and have a great weekend.

Alex Eckelberry

Video of Bank of India infestation

You can see a video made by Roger Thompson of how the Bank of India infection looks to the user.

The vid’s a bit rough at the moment and some of the bits are currently unreadable, but it’s still interesting. We’ll be editing it as we go, so clearer versions will soon be available.

Video link here. Nice work, Roger.

It’s worth reiterating that fully-patched systems would not have been affected by this hack.

Alex Eckelberry

Update on the Bank of India situation

[screenshot: Bank of India]

The Bank of India site is now clean, thanks to the hard work of a number of people involved in security and takedown.

It’s worth checking the original blog, which was updated as we got more information through the evening.

The hack was related to the Russian Business Network (RBN) criminal gang. There has been speculation as to whether the malware was installed through an exploit framework (Webattacker, MPack, Icepack), as it was encrypted in the same way as Webattacker. However, our good friend Roger Thompson (one of the top minds in the area of vulnerability research) believes that it wasn’t using a framework, but likely just now-patched stuff in MS06-042 (someone on a fully patched system would not have gotten infected by visiting this site). Research continues.

Thanks to all who helped!

Alex Eckelberry

Breaking: Bank of India seriously compromised

We have discovered that the Bank of India’s site, bankofindia(dot)com is compromised and is serving malware. DO NOT VISIT THIS SITE.

The following code can be clearly seen on the site:

[screenshot of the injected code on the Bank of India site]

(Obviously, do not visit these sites that are in the HTML source).

Attempts are then made to load multiple pieces of malware.

Developing…

Alex Eckelberry

Update: The page is using exploits to install malware.

What we have seen so far:

Email-Worm.Win32.Agent.l
Rootkit.Win32.Agent.dw
Rootkit.Win32.Agent.ey
Trojan-Downloader.Win32.Agent.cnh
Trojan-Downloader.Win32.Small.ddy
Trojan-Proxy.Win32.Agent.nu
Trojan-Proxy.Win32.Wopla.ag
Trojan.Win32.Agent.awz
Trojan-Proxy.Win32.Xorpix.Fam
Trojan-Downloader.Win32.Agent.ceo
Trojan-Downloader.Win32.Tibs.mt
Trojan-Downloader.Win32.Agent.boy
Trojan-Proxy.Win32.Wopla.ah
Trojan-Proxy.Win32.Wopla.ag
Rootkit.Win32.Agent.ea
Trojan.Pandex
Goldun.Fam
Backdoor.Rustock
Trojan.SpamThru
Trojan.Win32.Agent.alt
Trojan.Srizbi
Trojan.Win32.Agent.awz
Email-Worm.Win32.Agent.q
Trojan-Proxy.Win32.Agent.RRbot
Trojan-Proxy.Win32.Cimuz.G
TSPY_AGENT.AAVG (Trend Micro)
Trojan.Netview

Fully patched systems should be unaffected. More coming.

Update 2: We’ve cataloged over 22 pieces of malware. Mostly spam-related malware, but we did find a Pinch Trojan variant. More info coming as we get it. Biggest issue is the sheer volume of malware we’ve had to analyze.

Update 3: As I write this, it is currently 1:20 a.m. EST (10:20 a.m. in India), and the malicious IFRAME is still located on the Bank of India website.

With that said, I just wanted to mention two other very dangerous information-stealing Trojans included in this massive install of malware.

First, we are seeing a variant of TSPY_AGENT.AAVG. Trend Micro has an excellent write-up which you can read here.

Secondly, a variant of Trojan.Netview is being installed. Trojan.Netview is used to gather files from the infected computer as well as network shares. This characteristic is particularly dangerous in networked environments where infected users might have access to unprotected shares containing sensitive information.

The collected files are then uploaded to an FTP server located in Russia.

Of interest is the fact that Trojan.Netview is specifically searching for quarantine folders of antivirus programs. It is no surprise that this particular person had over a hundred items located in their quarantine folder:

DDoS in-a-box!

Lovely little botnet controller we uncovered a while back:

[screenshot of the botnet controller interface]

There are several Help functions:

[screenshot of the controller’s Russian help text]

Roughly translated:

Refresh rate, the length of time (in minutes), through which work will be of investment in Gate of commands (more than the less load on the server)

Command syntax:
start DDoS- attack:
flood type of attack goal

Supported types of attacks :

– icmp
– syn
– udp
– http
– data

The targets may be set ip [???] or domain name, it is also possible to specify multiple goals extraordinary comma;

If you type syn attack, or udp data, the following goals can optionally specify the port number for the attack (or more ports extraordinary comma) if it is not specified, each package will be sent to a random port;

If you type attacks http, after a goal is an option to specify a script, which will be sent GET request (for example : http flood host.com index.php) if the parameter is not specified, the request will be sent to /

stop DDoS- attack:
stop

On fluderov options:

Fluderov packet size in bytes, and the time between sending packages in milliseconds. What time fewer and bigger size, the stronger the attack, but the more likely that the work will get because of exhaustion limit traffic

die:

die

Alex Eckelberry
(Credit to Sunbelt researcher Adam Thomas)

New very dangerous Better Business Bureau targeted attack

Last night, I got this targeted Better Business Bureau spam:

[screenshot of the Better Business Bureau spam email]

It’s targeted, like a similar one we saw in the past.

However, in the previous version, a document was attached, that used an embedded OLE in an RTF document. You had to actually go through some hoops to get infected.

This one is different. It points you to a website called “document-repository(dot)com”, which pushes you into downloading a file, Complaint_Details_363619942.doc2.exe.

[screenshots of the document-repository site]

The file, of course, is a trojan (Sunbelt Sandbox report here). Submitting the file to VirusTotal shows mediocre detection.

Alex Eckelberry

Zango suffers major setback in its legal posture; loses to Kaspersky

Earlier this week, we reported that Zango had backed off its case against PC Tools.

Now, Zango’s court case against Kaspersky was thrown out because Kaspersky enjoys immunity as a result of the Communications Decency Act.

You can see the decision here, at Ben Edelman’s site (who, as a consequence, has also updated his list of legal actions by adware/spyware companies).

Ben points to the relevant statutory language as being:

“No provider or user of an interactive computer service shall be held liable on account of … any action taken to enable or make available … the technical means to restrict access to the material described [i.e. material that the provider or user considers to be obscene, lewd, lascivious, … or otherwise objectionable].”

You can read this language yourself here. (Under Sec. 230).

This is very big news folks. Big news. This decision may have far-reaching consequences for security companies with regard to including detection of malicious and/or potentially unwanted software in their products.

Alex Eckelberry

Storm worm hits Blogger

Possibly through the Blogger mail-to feature (where you can email in a blog post)?

[screenshots of the spammed Blogger posts]

But Blogger’s not the only one. For example, a Google search using the term “this i not good. If this video gets to her husband” reveals lots of sites spammed with this particular exe (correction — these appear to be sites discussing the spam).

[screenshot of the Google search results]

(Obviously, don’t download this exe — it’s the storm worm. Not a fun thing.)

Alex Eckelberry
(With credit to Cristian — many thanks)


Reply to All

Painful to read. But funny in a sort of awful way.

8/27 8:26 AM. You are sending these emails to the wrong Bill.
8/27 9:55 AM. Please remove me from the distribution. Thank you!
8/27 9:57 AM. Please remove me from this distribution thank you
8/27 9:57 AM. Please remove me from the distribution list.
8/27 9:57 AM. Please remove me from the distribution. Thank you!
8/27 9:58 AM. DITTO
8/27 9:58 AM. Remove me also
8/27 9:59 AM. SUPER DITTO!
8/27 9:59 AM. Me too please
8/29 9:59 AM. Please remove me as well. Thank you!
8/27 9:59 AM. Me too
8/27 10:00 AM. Same here.
8/27 10:00 AM. Mee too. Thanks
8/27 10:00 AM. Please remove me as well. Thanks!

It gets worse from there on out. Link here.

Alex Eckelberry

Coupons.com deceptive practices?

Ben Edelman examines software from coupons.com.

I recently examined software from Coupons.com. At first glance their approach seems quite handy. Who could oppose free coupons? But a deeper look reveals troubling behaviors I can’t endorse. This piece summarizes my key concerns:

  • Installing with deceptive filenames and registry entries that hinder users’ efforts to fully remove Coupons’ software. Details.
  • Failing to remove all Coupons.com components upon a user’s specific request. Details.
  • Assigning each user an ID number, and placing this ID onto each printed coupon, without any meaningful disclosure. Details.
  • Allowing third-party web sites to retrieve users’ ID numbers, in violation of Coupons.com’s privacy policy. Details.
  • Allowing any person to check whether a given user has printed a given coupon, in violation of Coupons.com’s privacy policy. Details.

Link here.

Alex Eckelberry

Sunbelt Weekly TechTips #59

Microsoft WGA outage outrages users
Quite a few people were frustrated last week when they tried to validate their Windows software as genuine (which is required to download most updates) and were told they had pirated copies even though they knew their operating systems were legal. This was apparently due to the Windows Genuine Advantage (WGA) server being down. It’s fixed now, but not before annoying a lot of people. Read more here.

Sugar-powered battery? Sweet!
With more and more devices going mobile, we’re always on the lookout for new and better battery technology. Now Sony has developed a battery that’s powered by pouring sugar into it. It’s an innovative idea, for sure. Read more here.

Digital Pen: Cool tool or a solution in search of a problem?
Despite the popularity in today’s wired world of everything digital, the phenomenon of the digital pen has yet to reach critical mass. You probably know about Tablet PCs, but you might not have ever encountered a standalone digital pen and might not know just what to do with it if you did. Still, some companies are betting that these little devices will finally take off. Read more here.

Getting ready for the Gphone?
Rumors are floating around the web about Google building a phone handset that would be a direct competitor to Apple’s iPhone. True or false? Only time will tell. The company itself “can neither confirm nor deny.” Read more here.

How Vista’s Internet Explorer protects you from attack
The version of IE 7 that comes with Vista is different from the version you can download for XP. Specifically, it has better security because it takes advantage of Vista’s User Account Control (UAC) to run in IE Protected Mode. In Protected Mode, IE won’t allow files to be saved in locations on your computer where they could cause problems, and IE can’t make changes to system files without your explicit permission. This makes it a lot less likely that you’ll be a victim of a “drive-by download” that installs malware on your machine. You can read more about this new feature here.

How to take ownership of a folder in XP or Vista
Even if you’re an administrator on your XP or Vista computer, you might find that you get an “access denied” message if you try to open a folder that was created by a different user. However, you can fix this by taking ownership of the folder. Any administrator can take ownership. Here’s how:

  1. Be sure you’re logged on with an account that has administrator rights
  2. Right click on the folder you want to access
  3. Select Properties
  4. Click on the Security tab
  5. Click on the Advanced button
  6. Click on the Owner tab
  7. In the list of Names, click on your name
  8. To take ownership of the folder and all its contents, click on “Replace owner on subcontainers and objects”
  9. Click OK and then click Yes

Can I get my Hotmail messages with Windows Mail?
QUESTION: When I used XP for my mail, I used Outlook Express, and I still have two XP machines. Since OE is not available with Vista I am learning Windows Mail. In OE I was able to download my Hotmail account. Mail says I cannot do this with Hotmail. Do you know if there is a way to download my Hotmail into Mail? Right now, having to log into Windows Live Mail to retrieve it is a pain in the rear. – Dennis H.

ANSWER: It appears the Windows Mail program in Vista is about to be replaced by a brand new email client called Windows Live Mail, which handles POP, IMAP and Hotmail accounts. It can be installed on either Vista or on XP to replace Outlook Express. This was announced back in June. It’s still in beta, so you may want to wait until the final release, but it’s available to the public so if you’re the impatient type, you can download it here.

Some add-ons aren’t listed in the Manage Add-ons Dialog Box
If you open the Manage Add-ons dialog box from the Tools menu in Internet Explorer on an XP SP2 machine, you might find that some add-ons you know are installed aren’t listed. This prevents you from being able to disable those add-ons. That’s not good. Fortunately, there’s a fix available. Find out how to get it via KB article 888240.

Can’t restore XP SP2 after using an XP SP1 restore point
Here’s the scenario: you’ve restored your computer to a restore point when XP with Service Pack 1 was installed and now you want to restore to a later restore point that was made after SP2 was installed – but if you try to do so, you’re still stuck with XP SP1. There’s a fix for this one, too. You’ll find it in KB article 835409.

Deb Shinder