Email a potential attack vector for zero-day exploit

WebSense has provided an updated list of exploited sites.  It’s growing.

SANS just reported:

Just for the sake of clarity, there is an email attachment vector for this exploit that’s not widely reported. I have not seen any reports of it being used at this time. MS’s bulletin, in the FAQ, in “Could this vulnerability be exploited through e-mail?”, says it can be exploited if one “open(s) an attachment that could exploit the vulnerability.” ISS obliquely says attacks may occur by “…simply embedding the required logic in specially crafted HTML emails.”

How far email works as an attack vector is not yet known. The best thing you can do is turn off Active Scripting in IE (the IE 7 beta 2 preview is not affected by this exploit), which SANS says may be a “global” workaround.

Alex Eckelberry

Seen in the wild: Spyware Quake

Updated info with fix here.

There is a new rogue anti-spyware application out there, serving as a replacement for Spy Falcon and SpyAxe.

[Screenshot: Spyware Quake]

Spyware Quake is installed through the infamous VCodec trojan as well as various exploits.

WHOIS Information:

Domain Name: SPYWAREQUAKE.COM

Registrant:
SafeSurf LLC
Kevin Gerad (Whois Privacy and Spam Prevention by Whois Source)
U-12 Gamma Commercial Complex # 47 Rizal Highway cor. Manila
Olongapo City
null,98101
PH
Tel. +201.6753332

Beyond the stealth install of Spyware Quake itself, an infected machine shows other unwanted symptoms: Internet Explorer browser hijacks, a stealth-installed “Security Toolbar”, and pop-up advertising that is often adult in nature. Pop-up advertising for WinFixer is also common.

Adam Thomas
Spyware Research

Exploit sites inching near 100

Update: Email may be an attack vector.

From WebSense:

As reported we are actively researching the newest IE zero-day exploits that are surfacing (see http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=449). To date we have discovered nearly 100 unique URLs that are all attempting to run malicious code on the user’s machine without user intervention.

One interesting aspect we are researching is the number of machines that appear to have been compromised here. The sheer percentage of sites that are compromised versus owned by the attacker is higher than usual. In particular we have noticed several travel related websites that are hosted on different networks.

Link here.

I don’t want to spread undue panic. This is not like the WMF exploit, which had the cruel aspect of using a graphic file to execute a payload. This fact broadened the attack vectors to graphics embedded in emails, graphics being viewed through Google Desktop, etc. This is not the same type of exploit.

However, we concur with the good folks over at WebSense: a lot of the sites we examined that are serving this exploit are legitimate sites that have been compromised. It’s not just the usual porn and crack sites that some users go to.

There is no patch available for this vulnerability. The only ways to avoid it are a) turn off Active Scripting or b) use a non-IE browser (the latest IE 7 build, the March 20 beta 2 preview, is not affected). Your standard protections should be in place: antivirus, firewall, antispyware. Your antivirus program may catch it, but don’t count on it in the near future, as the AV vendors themselves are still getting new definitions out.

Alex Eckelberry

Well, this is how they handle software piracy in Russia

Beat ‘em up.

Manager of the company’s software department, Andrei Smirnov, offered to fight the dealer in a fitness center. He defeated the computer pirate 24-16 in three rounds, lasting three minutes each. The dealer’s name was not revealed, News.Ru web edition on high technologies reported on Thursday.

Link here.

Alex Eckelberry
(Thanks John)

Pamela Parker muses about adware

Pamela Parker at ClickZ muses about adware:

Let me start by saying I don’t think adware is a bad thing. Definitions differ, but I’ve always used the word adware to mean ad-supported software, which includes things like AOL’s AIM and WeatherBug. As far as I’m concerned, so long as users understand they’re seeing ads in exchange for getting free software, that’s just fine. Transparency is key.

That said, the word adware has long had some sinister connotations, and for good reason. Even some of the more upstanding of adware companies have somewhat shady pasts — pasts full of questionable distribution methods, associations with disreputable software providers, a lack of disclosure and much consumer ill-will. A history like that can be very hard to leave behind.

Putting WeatherBug, AIM and (ostensibly) Eudora’s free ad-supported version in the category of adware is actually incorrect. Ad-supported software is different from adware. Adware exists with the primary purpose of delivering advertising. Ad-supported software (like Eudora) carries ads to support the vendor, but the primary purpose of the application is not advertising. Eudora is an email program. It has banner ads. It is not WhenU SaveNow, 180Solutions Zango, Direct Revenue BestOffersNetwork, etc. (Getting agreed definitions of adware is also interesting.)

You can read Pamela’s article here.

Alex Eckelberry

It’s in the wild

19 confirmed sites now using the IE vulnerability, as reported on security lists by Dan Hubbard (alert) at WebSense and Joe Stewart at Lurhq.

These can be very nasty. Our analysis of one site, www(dot)textrum(dot)se (since shutdown):

The exploit pulls down and runs a file, updater.exe:

[Screenshot: VirusTotal results for updater.exe]

Norman sandbox report:

Found Sandbox: W32/Backdoor; [ General information ]

* Anti debug/emulation code present.
* Creating several executable files on hard-drive.
* File length: 46644 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\Updater.exe.
* Creates directory C:\WINDOWS\SYSTEM32\kazaabackupfiles.
* Creates file C:\WINDOWS\SYSTEM32\kazaabackupfiles\download_me.exe.

[ Changes to registry ]
* Creates value “Windsupdate”=”Updater.exe” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce”.
* Creates value “Windsupdate”=”Updater.exe” in key “HKLM\Software\Microsoft\Windows\CurrentVersion\Run”.
* Modifies value “Dir0”=”012345:C:\WINDOWS\SYSTEM32\kazaabackupfiles” in key “HKCU\Software\Kazaa\LocalContent”.

[ Network services ]
* Connects to “[redacted].com” on port 6667 (IP).
* Connects to IRC server.
* IRC: Uses nickname [redacted]
* IRC: Uses username [redacted].

[ Security issues ]
* Possible backdoor functionality [Authenticate] port 113.

[ Process/window information ]
* Enumerates running processes.
* Will automatically restart after boot (I’ll be back…).
* Attempts to open C:\WINDOWS\SYSTEM32\Updater.exe NULL.
* Enumerates running processes several parses….
* Creates a mutex coolbot1.c4.

Logs information to: C:\WINDOWS\system32\sys.ini

[Screenshot: contents of sys.ini]
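A host-side sweep for the artifacts in the Norman sandbox report above, as an added example that is not part of the original post or of Norman’s tooling. The file paths, registry values and mutex name are taken from the report; the check structure, the Global\ mutex variant, and treating the IRC (6667) and ident (113) ports as weak supporting indicators are this example’s own assumptions.

```powershell
# Added example (not from the original post): check a Windows host for the
# indicators the Norman sandbox report lists for updater.exe.
# Paths, value names and the mutex name come from that report; everything
# else (function names, Global\ variant, network checks) is this example's own.

$SystemDir = [Environment]::GetFolderPath('System')   # normally C:\WINDOWS\system32

$FileIndicators = @(
    (Join-Path $SystemDir 'Updater.exe'),
    (Join-Path $SystemDir 'kazaabackupfiles'),
    (Join-Path $SystemDir 'kazaabackupfiles\download_me.exe'),
    (Join-Path $SystemDir 'sys.ini')
)

# Autostart entries and the Kazaa share the sample writes.
$RegistryIndicators = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'; Name = 'Windsupdate' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';     Name = 'Windsupdate' },
    @{ Path = 'HKCU:\Software\Kazaa\LocalContent';                       Name = 'Dir0' }
)

$MutexName = 'coolbot1.c4'

function Test-MutexExists([string]$Name) {
    # A running copy of the bot holds this mutex. OpenExisting throws when there is
    # no such object; an access-denied error still means it exists.
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $true
    }
}

function Get-UpdaterIndicators {
    $hits = @()

    foreach ($p in $FileIndicators) {
        if (Test-Path -LiteralPath $p) {
            $item = Get-Item -LiteralPath $p
            $detail = if ($item.PSIsContainer) { 'directory' } else { "$($item.Length) bytes" }  # report shows 46644 bytes
            $hits += [pscustomobject]@{ Type = 'File'; Indicator = $p; Detail = $detail }
        }
    }

    foreach ($r in $RegistryIndicators) {
        if (Test-Path $r.Path) {
            $data = (Get-ItemProperty -Path $r.Path -ErrorAction SilentlyContinue).($r.Name)
            if ($null -ne $data) {
                $hits += [pscustomobject]@{ Type = 'Registry'; Indicator = "$($r.Path)\$($r.Name)"; Detail = $data }
            }
        }
    }

    # The report does not say whether the mutex is session-local or global, so try both.
    foreach ($n in @($MutexName, "Global\$MutexName")) {
        if (Test-MutexExists $n) {
            $hits += [pscustomobject]@{ Type = 'Mutex'; Indicator = $n; Detail = 'present (bot running)' }
        }
    }

    # Outbound IRC on 6667 and a listener on 113 (ident) are weak on their own,
    # but worth recording alongside the artifacts above.
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $net = Get-NetTCPConnection | Where-Object {
            $_.RemotePort -eq 6667 -or ($_.LocalPort -eq 113 -and $_.State -eq 'Listen')
        }
        foreach ($c in $net) {
            $hits += [pscustomobject]@{
                Type      = 'Network'
                Indicator = "$($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):$($c.RemotePort)"
                Detail    = "$($c.State), PID $($c.OwningProcess)"
            }
        }
    }

    return $hits
}

$results = Get-UpdaterIndicators
if ($results) { $results | Format-Table -AutoSize } else { 'No updater.exe indicators found.' }
```

Run it as the user whose profile you are checking, since two of the three registry indicators live under HKCU. A hit on the Run or RunOnce value alone is a strong signal; a listener on 113 by itself is not, since legitimate IRC clients open an ident responder too.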

More work going on… may post more later.

Based on what we’re seeing in the wild right now, we hope that Microsoft will patch this new IE vulnerability prior to April 11 (the next scheduled update).

Keep your AV and antispyware updated and run your software firewall (free suggestions here). Until there is a patch, the only valid workaround is to turn off Active Scripting in IE, or use another browser. Your AV may very well catch these nasties, but don’t count on it in the immediate future.

Alex Eckelberry

Kerio deal expires soon

Shameless salesmanship, but I figure it has to be said:

When we launched the Kerio Firewall under our own name, we put in place an intro price of $14.95, a ridiculously cheap deal for a full-featured firewall.  The offer ends on the 31st, at which point it goes up to $19.95 (still a great deal), so if you want it, grab a free download, do your eval and pick it up before the end of the month.  Link to download page here.

Alex Eckelberry

CDT: xxx domains are stupid. Throw the idea out.

From the CDT:

CDT is urging Sens. Max Baucus (D-Mont.) and Mark Pryor (D-Ark.) to withdraw a bill that would force Internet authorities to create a “.xxx” domain for adult content. In a letter sent this week to the Senators, who co-sponsored S. 2426, the Cyber Safety for Kids Act of 2006, CDT warns that the bill will provide ammunition for those seeking to bring the Internet under the control of a multi-governmental bureaucracy. If passed, the bill would also violate the First Amendment rights of Web site operators and would do little to protect children from harmful material online, CDT wrote. March 24, 2006

Link here.

Alex Eckelberry

Free web content filtering

At the ASC workshop back in February, I met with one of the folks at Blue Coat, and found out that they are providing a free web filtering product for home use. I tested it, and it’s not bad (considering the price). The version I tested doesn’t compare to more advanced products like CyberPatrol and Cybersitter, but considering the price, it’s not a bad deal. Note that Microsoft has announced plans for free web content filtering.

The link for the free K9 version is here.

Alex Eckelberry

IE POC code in the wild

As many of you know, there is proof of concept code for a recently published IE vulnerability in the wild. 

From SANS:

Folks, as Lorna predicted yesterday, it didn’t take long for the exploits to appear for that IE vulnerability.  One has been making the rounds that pops the calculator up (no, I’m not going to point you to the PoC code, it is easy enough to find if you read any of the standard mailing lists), but it is a relatively trivial mod to turn that into something more destructive (in fact one of our readers, Matt Davis, has provided us with a version that he created that is more destructive).  For that reason, we’re raising Infocon to yellow for the next 24 hours. 

As SANS says, Microsoft recommends turning off Active Scripting. You can also switch to Firefox or Opera.
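The Active Scripting workaround recommended here, and again in the “It’s in the wild” and “Exploit sites inching near 100” posts above, as a script. This is an added example and not code from the original posts, Microsoft or SANS. The registry locations and the meaning of URL action 1400 (0 = Enable, 1 = Prompt, 3 = Disable) are the documented IE security-zone settings; the function names and the list of locations checked are this example’s own.

```powershell
# Added example (not from the original posts): report and disable Active Scripting
# in Internet Explorer's Internet zone (zone 3). The key paths and the meaning of
# value 1400 are documented IE zone settings; function names are this example's own.

$ZoneAction      = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$ActiveScripting = '1400'   # URL action ID for "Active scripting"

# Per-user setting first, then the machine and Group Policy locations that can override it.
$ZonePaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
)

function Get-ActiveScriptingState {
    # Emit one row per location that actually defines the 1400 value.
    foreach ($path in $ZonePaths) {
        if (-not (Test-Path $path)) { continue }
        $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).$ActiveScripting
        if ($null -eq $value) { continue }
        $action = if ($ZoneAction.ContainsKey([int]$value)) { $ZoneAction[[int]$value] } else { "Unknown ($value)" }
        [pscustomobject]@{ Path = $path; Value = $value; Action = $action }
    }
}

function Disable-ActiveScripting {
    # Set Active Scripting to Disable (3) in the current user's Internet zone.
    # A Policies key, or Security_HKLM_only under Internet Settings, makes IE ignore
    # this per-user value, so re-run the report afterwards to see what is in force.
    $path = $ZonePaths[0]
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $ActiveScripting -Value 3 -Type DWord
}

'Before:'
Get-ActiveScriptingState | Format-Table -AutoSize
Disable-ActiveScripting
'After:'
Get-ActiveScriptingState | Format-Table -AutoSize
```

Disabling Active Scripting in the Internet zone will break a lot of sites. The usual compromise is to leave it disabled there and add the sites you actually need to the Trusted Sites zone (zone 2), rather than re-enabling it globally; in a managed environment, set it through Group Policy so users cannot switch it back on.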

We are watching very carefully out there for any sites using this exploit.

Alex Eckelberry

Communities for IT managers

One of the free services we’ve been offering IT professionals for years is our user forums. Focused on IT issues, they are valuable if your job is running a network, or if you’re involved in network security. We have a lot of professionals on these forums, and some of these lists are very active.

The most active lists are the NTSYSADMIN list and MS Exchange Management Issues.  These are a good starting point for someone who wants to get into communication on general IT issues.

NTSYSADMIN
Subscribe
Read Charter/Login

5,100+ Members – Sunbelt Software hosts this list to invite the free and open discussion of Windows NT System Administration Issues. This list is intended to be a forum to discuss how to keep NT Servers up and running in a production environment. NOTE: High Traffic


MS Exchange Management Issues
Subscribe
Read Charter/Login

3,600+ Members – Sunbelt Software hosts this list to invite the free and open discussion of Microsoft Exchange Administration Issues. This list is intended to be a forum to discuss how to keep Exchange up & running in a production environment, and as help to pass the Exchange Certification Exams. NOTE: High Traffic

Feel free to join one of our lists.  A full description of all the lists is here.

Alex Eckelberry

Bill Day at WhenU: “Hold the phone people, advertising in adware isn’t necessarily bad”

Bill Day, CEO of WhenU, wants ad buyers to be intelligent about their media buys — not just walk away from adware completely. 

So what’s a buyer to do? You could simply abstain from all adware (and to be consistent, maybe abstain from working with all behavioral targeting or even all advertising networks whose analytics and third-party tracking cookies raise concerns while you’re at it). As thought leaders, we can’t operate successfully by making simplistic decisions; successful online marketing involves a certain amount of pioneering. But how do you strike the right balance?

Now, realize that the media buying side of the ad business is dominated by harassed and overworked 20-somethings. It is a lot to ask of anyone in that position to make a decision with any granularity (“let’s see, this one adware company has a long writeup from Ben Edelman and has practiced a number of illegal drive-by installs, while this one is different, because they have full disclosure and consent, however Eric Howes wrote a whitepaper which criticized several aspects of their business…”).

So ad buyers need a simple solution, which is why the ad business loves the TRUSTe Trusted Download Program.  It makes buying a simple binary decision for ad buyers — “oh, it’s certified?  Then I can place ads in it”.  Of course, in the end, it is a validation of the adware business model…  (see a recent Sunbelt posting about TRUSTe here).

But here’s a direct reference to an adware company (We All Know of Whom He Is Speaking):

Be especially wary of those who defend themselves by accusing the anti-spyware community of being a bunch of ad-hating “zealots” and “fanatics”–most security advocates leading the charge to accountability are thoughtful, dedicated and discriminating professionals who are able to see the difference between hot air and meaningful moves. If hardcore anti-spyware watchdogs can be discriminating, media buyers can be, too.

Link here.

Alex Eckelberry

Two advertisers pull out of 180Solutions

Must be because Sean Sundwall left.

Altrec, an online store selling outdoor clothing and gear, has “discontinued its experiment with 180solutions indefinitely,” the company said in an email to vnunet.com. The company stressed that the test had been limited in its scope, with Altrec spending no more than $440.

Online mobile phone store Letstalk.com too has cut all ties with the adware maker, chief executive Delly Tamer said in an emailed statement.

And GreetingCards.com had an epiphany:

Lastly GreetingCards.com said that it was unaware of 180solutions’ history of unfair and deceptive practices and has cancelled its contracts with the firm.

Link here with gracious thanks to Ferg.

One assumes this is the result of the good work on the part of the CDT, who published the dirty details earlier this week.

Alex Eckelberry

There is no free lunch

Get a free iPod!

In a civil complaint (click here for PDF) released Thursday, New York Attorney General Eliot Spitzer accused Washington D.C.-based Gratis Internet of deceptive business practices. The suit requests monetary penalties and an injunction against the activity in question.

The suit, filed in the state’s supreme court in Manhattan, marks the latest chapter in Spitzer’s charge against what he has labeled the largest deliberate breaches of privacy in Internet history. Earlier this month, the attorney general announced a $1.1 million settlement with Datran Media. The e-mail marketer had been accused of buying at least 6 million files from Gratis, despite knowing that the transaction ran contrary to the seller’s privacy policy.

Link here.

Alex Eckelberry

New York heading for Big Brudduh

Not Good.  505 cameras to be installed in NYC.

The NYPD is installing 505 surveillance cameras around the city – and pushing to safeguard lower Manhattan with a “ring of steel” that could track hundreds of thousands of people and cars a day, authorities revealed yesterday.

NYCLU is battling back:

But don’t expect the NYPD to install its cameras without battling the New York Civil Liberties Union. The watchdog group’s associate legal director, Chris Dunn, questioned the plan.

“Commissioner Kelly may be ready to launch us all into a surveillance society, but we believe cameras are not a cure-all for crime and terrorism,” Dunn said. “It is far from clear that cameras deter crime.”

Link here.

Alex


Seen in the wild: eBay accounts for sale

This site in Russian is offering eBay accounts for sale.

[Screenshot: the account shop’s front page]

The site is in Russian, but the gist of its text is:

  • They sell eBay and (rarely) PayPal accounts.
  • They have a Trojan that steals account details from eBay logs, and prefer to steal accounts with minimal seller/buyer activity.
  • The better the feedback on a given account, the more expensive it is. The real account holders’ e-mail addresses are available as well.

They even have a list of users to buy:

[Screenshot: list of accounts offered for sale]

As is our normal practice, we have reported this to our security contacts at eBay. 

Alex Eckelberry
(Thanks to Sunbelters Adam Thomas for the site and Olexiy for the translation)


Sunbelt TechTips for the week of March 20

How to Delete Files with Illegal or Reserved Names
Sometimes an application will create a file that has an “illegal” file name (that is, a name that’s reserved by the operating system, such as LPT1 or PRN). If this happens, you may not be able to delete these files using the graphical interface. Here’s how to delete them:

  1. If the partition on which the files reside is formatted in FAT, at the MS-DOS prompt, type DEL and then the file name with wildcard characters, such as DEL LPT?.*
  2. If the partition is NTFS, you’ll need to use a syntax that bypasses the normal reserved-word checks: DEL \\.\(drive letter):\(path)\(file name) (for example: DEL \\.\c:\myfolder\lpt)

How to Add the Comment Pane in Word
You can add a comment pane feature in Word 2002 or 2003 by creating a macro and running it in a Word document that contains comments. Instructions and code for the macro are shown in KB article 913759 here.

How to Edit the Registry to Replace In-use Files at Windows Startup
There are several ways to replace a file that’s in use by Windows at startup. One way is to edit the Registry. Always back up the registry before editing it.

  1. Start your favorite registry editor.
  2. Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
  3. Create a new value of the type REG_MULTI_SZ and name it PendingFileRenameOperations.
  4. In the value data field, type the following on two separate lines: \??\c:\temp\win32k.sys and !\??\c:\winnt\system32\win32k.sys
  5. Close the registry editor.
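The same procedure scripted, as an added example that is not from the original tip or from Microsoft’s KB article. The key, the value name, the \??\ path prefix and the leading ! that tells Session Manager to replace an existing file are as documented in the steps above; the function names and the sample paths are this example’s own. It appends to the existing value rather than overwriting it, so renames already queued by an installer are not lost.

```powershell
# Added example (not from the original tip): queue a replacement of an in-use
# file for the next boot via PendingFileRenameOperations, appending to whatever
# is already queued. Requires an elevated prompt; back up the registry first.

$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName      = 'PendingFileRenameOperations'

function Get-PendingFileRename {
    # Session Manager reads the MULTI_SZ as pairs: source path, then destination.
    $v = (Get-ItemProperty -Path $SessionManager -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    for ($i = 0; $i -lt $v.Count; $i += 2) {
        [pscustomobject]@{ Source = $v[$i]; Destination = $v[$i + 1] }
    }
}

function Add-PendingFileRename {
    param(
        [Parameter(Mandatory)] [string]$Source,       # staged copy, e.g. c:\temp\win32k.sys
        [Parameter(Mandatory)] [string]$Destination   # in-use file to replace at boot
    )
    # Paths use the NT object-manager form \??\C:\..., and a leading "!" on the
    # destination means "overwrite an existing file" instead of failing.
    $pair = @("\??\$Source", "!\??\$Destination")

    $existing = (Get-ItemProperty -Path $SessionManager -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    # Keep queued entries, drop any empty terminator string, then append our pair.
    $new = @($existing | Where-Object { $_ -ne '' }) + $pair

    Set-ItemProperty -Path $SessionManager -Name $ValueName -Value ([string[]]$new) -Type MultiString
    return $new
}

Add-PendingFileRename -Source 'c:\temp\win32k.sys' -Destination 'c:\winnt\system32\win32k.sys' | Out-Null
Get-PendingFileRename | Format-Table -AutoSize
```

The replacement happens before any service starts, so a bad staged file can leave the machine unbootable; check the staged copy’s hash against the known-good one before queuing it, and keep the original where you can restore it from the recovery console.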

Direct Hosting of SMB over TCP/IP
Windows 2000/XP/2003 supports file and printer sharing traffic by using Server Message Block (SMB) directly hosted on TCP, unlike earlier versions of Windows that required NetBIOS over TCP (NetBT). Disabling NetBIOS has several advantages. KB article 204279 includes instructions for disabling NetBIOS over TCP/IP here.

How to Configure the Popup Blocker in XP SP2
When you install Service Pack 2 for Windows XP, it adds a popup blocker to Internet Explorer, which is turned on by default. You can configure its settings to allow popups on certain web sites or block all popup windows. You can also configure IE to play a sound to notify you when a popup window is blocked. KB article 843016 tells you how to configure the popup blocker to suit your needs here.

No Results Returned when you Search for Files or Folders
Sometimes if you run a search for files or folders over a slow network link, your Windows XP computer may give you a message that says “Search is complete. There are no results to display” even though the files or folders you’re searching for exist. It happens because Windows mistakenly determines that the files or folders are offline and excludes them from the search. To find out what to do about the problem, see KB article 885843 here.

Deb Shinder

Sunbelt TechTip: Clear my tracks

Make IE 6 a Little More Like IE 7: One of IE 7’s new features is a “clear my tracks” option that lets you delete all temporary Internet files (browser cache), cookies and web browsing history.

That’s especially useful when you share a computer with others and don’t want them snooping in your web browsing habits. If you’re not ready to install IE 7 but you’d like to be able to do the same thing with IE 6, you can download this little free program from Microsoft or run it from the web site.

Deb Shinder

Don’t expect to see Vista until Q1 2007

According to a subscriber email we just received from Client Server News, the consumer version of Vista won’t ship until January. 

According to Client Server News, “the delay is being done in the name of quality, according to Vista boss Jim Allchin.”

Commercial volume licensees will see it in November.


Alex Eckelberry