Sunbelt Blog

Sunbelt’s ThreatTrack™ feed helps StopBadware.org

2009-07-17T17:41:00.002-04:00

The partnership between Sunbelt Software and StopBadware.org was part of this week's Data Security Podcast, with info security specialist Ira Victor and broadcaster Samantha Stone. Sunbelt sponsors this podcast, but that’s not the reason we were part of the discussion.

StopBadware.org collects the URLs of malicious and compromised websites from data partners like Sunbelt Software then helps site owners and web hosting companies clean up and protect their sites. Sunbelt provides StopBadware.org with data about sites carrying malcode from its ThreatTrack™ feed.

The portion of the podcast mentioning StopBadware.org and Sunbelt is here.

You can listen to the entire podcast here.

The section about Sunbelt Software and StopBadware is at the 20 minute point.

You can read about our support of StopBadware.org here.

Tom Kelchner

Close to home: MyDoom DDoS attacks controlled from N. Korea S. Korea UK Florida

2009-07-15T08:30:00.003-04:00

PCWorld is reporting that the distributed denial-of-service attacks against U.S. and South Korean government web sites was commanded from one controlling server, not in North Korea, not in South Korea, not in the UK, but rather Miami, Florida, U.S.A.

Yesterday, researchers at a Vietnamese security firm said they’d traced the command-and-control server that directed the attacks to an IP address used by Global Digital Broadcast of Brighton, England. The company provides IP television.

Further investigation revealed that the actual C-and-C machine is owned by one of Global’s partners, Digital Latin America, and is on a virtual private network connected to Global’s network in the U.K., but is physically in Miami, Fla. Digital Latin America encodes television programming for IP TV devices.

The attacks, which began the first week of this month, involved that controlling computer and eight other machines that sent periodic commands to a botnet of 167,000 compromised machines around the world.

Story here.

Tom Kelchner

The tiny itsy bitsy link to Octoshape’s EULA

2009-07-14T18:20:00.002-04:00

Octoshape, the Danish P2P video “enhancer” that came into prominence after it was offered on CNN’s site during the presidential inauguration in January, still has only an obscure link to its EULA where it explains that it IS peer-to-peer software running on your machine.

Such a minor notification is hardly sufficient to tell potential users of what they’re really installing. There also is only obscure notification that you, your company or your ISP is paying for the bandwidth to deliver CNN’s content,

In order to meet bandwidth demand for streaming video, CNN began using this Adobe Flash Player add-on, which joins the user’s machine to a P2P network. Video content is then delivered from/to other peers on the grid. CNN’s streaming live video actually plays fine without the Octoshape installation.

Currently, Octoshape is classified as Low Risk "Potentially Unwanted Program" by Sunbelt Software products. Advise type is set to ignore (active protection quarantines it as well).

The company, Octoshape ApS of Copenhagen, Denmark, has taken quite a bit of heat and has made some small concessions, but they still basically hide the information that Octoshape is a P2P app that sends the video from your machine to other machines and uses your bandwidth to deliver content. CNN could be part of the problem too, since it controls a good part of the install process.

Within the prompt that asks you to agree to the installation of Octoshape, there is a clickable blue question mark, which takes the user to additional information, including an FAQ, EULA, and Privacy Policy.

Most users will never see that additional info, though. So, the key facts regarding the P2P nature of the application are still not put before the user in a clear, straightforward fashion.

A good background story can be found on the Windows Secrets blog here.

Tom Kelchner and Eric L. Howes

Threat level high: Microsoft vulnerabilities ITW

2009-07-13T16:31:00.002-04:00

We just set the Sunbelt Threat Level to high since our researchers and at least two other major organizations have found in-the-wild exploit code for the most recent Microsoft vulnerability (Microsoft Security Advisory 973472).

Workaround here.

Microsoft's advisory, posted today, describes a vulnerability in the ActiveX control used by Internet Explorer to display Excel spreadsheets in Microsoft Office versions before Office 2007. It can allow remote code execution.

Since this advisory was just released today, the vulnerability probably will not be fixed tomorrow on “Patch Tuesday.”

It follows last week’s security advisory (972890) warning of vulnerability in the Video ActiveX Control. That also is being actively exploited. The vulnerability allows an attacker to run arbitrary code on affected machine. A patch isn’t expected soon, but a workaround is available here.

Tom Kelchner

Snap poll results: Majority of admins and users "hate" Office 2007

2009-07-11T17:15:00.002-04:00

We’ve been running a snap poll on our site since Friday asking about Office 2007. Admittedly non-scientific, but we find it to be a fairly good “quick” read on big questions.

There were a lot of clicks on the poll. And since readers of our site tend to skew toward enterprise system administrators, it’s a wake-up call to Microsoft to kill the dammed ribbon in Office 2010.

Alex Eckelberry

The nuttiness has started: A "show of force or strength" for North Korea

2009-07-11T00:54:00.001-04:00

Earlier today, I wrote a blog post cautioning against the rising hysteria over the current DDoS attacks.

Now, in direction contradiction to the opinion of security experts, Rep. Peter Hoekstra (R-Michigan) says the US should conduct a “show of force or strength” against North Korea.

This enterprising fellow is pushing for the United States and United Nations to action based on… nothing. We have not heard or seen a credible shred of evidence that North Korea is behind these attacks.

Compounding the bizarre state of affairs, a ABC News commentator Mike Malone beats the drum for cyberfear, linking dying children, his dislike of “hackers”, and sort of blames South Korea but then has this oddball statement:

Yeah, right. As if all of those millions of middle-class teenaged private owners of broadband connected laptops all over that electricity black hole called the People's Republic of North Korea spontaneously decided to hack the Web sites of another country's government and largest corporations.

Which is mystifying, because that’s not how this botnet (or pretty much any other one) works — these machines are not in North Korea, they’re all over the place.

We learned a harsh lesson not so long ago on military action based on flawed intelligence and hysteria. Let’s not repeat the same thing again.

Alex Eckelberry

Warning: Don't search for things, or your spyware may run slower!

2009-07-10T16:43:00.001-04:00

Bizarre headline of the day. Original here.

Alex Eckelberry

DDoS global hysteria

2009-07-10T13:08:00.003-04:00

Hype and hysteria is normal in the AV business. After all, it’s been an intrinsic part of the business model since the Michelangelo virus. However, I get quite concerned about stuff like this when it could be used as a justification for war. South Korea, already on pins and needles because of its bellicose and nutty northern neighbor, is now suspecting that same country of launching a “cyber” war.

This is nuts.

I know of not a shred of evidence that this bot is from North Korea. It would take considerable research to ascertain the original source (the relevant IPs to the malicious code are in several places — Florida and Germany).

What happened here is trivial stuff in the security world: A bot got on between 60,000 to 100,000 PCs, and started launching DDoS attacks.

BFD. This hasn’t happened before? Russian politicians have to run their political campaigns on social networks because they are so used to being DDoSed during political campaigns. This is common stuff in the malware world.

Through underground channels, one can contact a botmaster (someone who “owns” all these infected machines), and pay them to DDoS whomever. It’s a felony, but it doesn’t mean it doesn’t happen. Or, one can gain control of a command and control (C&C) server and start DDoSing. This is what that kid who was DDoSing CastleCops did — he found a C&C by accident (they are out there, we’ve stumbled upon them not a few times in our research), went to his local library and started DDoSing CastleCops.

And no, one does not have to run out and frantically buy AV software. MyDoom and its variants are well-known pieces of malware that have been out for years. Detections are pretty robust; if you have a recently updated AV product, you should be fine. And remember, millions of people aren’t infected with this bot — the count of infected systems is less than .01% of the entire PC universe.

A far, far more critical issue is the current DirectShow exploit — now that is something to get worried about.

(Incidentally, Brian Krebs is keeping a good tally of the situation, and also links to this excellent overview by Hauri.)

Alex Eckelberry

Office 2010

2009-07-10T09:46:00.001-04:00

Microsoft has released a slick website promoting Office 2010.

Cute videos but virtually no detail.

Let’s hope that Office 2010 fixes the major UI mistakes made in the development of Office 2007 (for heavy keyboard users like me, Office 2007 is an experience beyond painful).

Alex Eckelberry
(thanks Donna!)

Comment spamming

2009-07-10T09:17:00.001-04:00

I noticed a swath of comment spams on my blog today. That’s no surprise, it’s usually for some junk product or service.

But in this case, it advertises products coming from the PC Tools division of Symantec.

Bummer.

Alex Eckelberry

Mydoom attacks – North Korea NOT

2009-07-09T16:36:00.003-04:00

The moderately large botnet distributed-denial-of-service attacks on government web sites in the U.S. and Korea on July 4 and continuing this week were probably NOT the work of North Korean intelligence forces, according to researchers who have analyzed the attacks.

In spite of South Korea’s contention that their country’s rival to the north was to blame, apparently it was the work of a fairly unsophisticated intruder who used the five-year-old Mydoom worm to launch the attack from a botnet of about 50,000 machines mostly in Asia.

The worm was first identified by Sunbelt Software in January, 2004, as Email-Worm.Win32.Mydoom.gen (v). Its variants have always been detected by Sunbelt's malware analysis technology, MX-V™, included in the company's VIPRE™ antivirus product line. MX-V is a compact, high-speed virtualized Windows environment integrated into VIPRE, which performs rapid behavioral analysis of potential malware.

Mydoom is a mass-mailing worm and generally arrives in spam email as an attachment carrying file extensions of .bat, .cmd, .exe, .scr or .zip. If an Internet user activates it, the worm sets up a back door on a system and allows the botnet owner who sent the email to control the infected computer. The infected machine, added to a botnet, can then be used to send spam email to propagate the worm. It also can be used to launch denial-of-service attacks. It will install on most Windows operating systems, including Windows 95, Windows NT, Windows 98, Windows 2000, Windows Me, Windows XP, and Windows Server 2003.

It’s been considered a low-level threat and has been detected by most major antivirus products since it first appeared in 2004.

News stories here and here.

Tom Kelchner

How a little customer service issue can become a PR disaster

2009-07-09T16:24:00.001-04:00

All because of those darned internets.

The backstory (including a pretty good response from United).

Alex Eckelberry
(Thanks, Rob)

Koobface is back – on Twitter

2009-07-09T14:03:00.002-04:00

Good ole Koobface worm is back. This time it's on Twitter.

Here’s how it works:

1. you get a tweet from a friend with the text:

My home video :);
michaeljackson’ testament on youtube, or
Watch my new private video! LOL :).

2. you click the link and go to a Facebook page with a video

3. you run the video

4. you get infected. Then every time you log into Twitter, Koobface sends similar tweets to all your friends to infect them.

Story here.

Oh, yes. If you get infected, don’t bother spreading it to Alex Eckelberry. Someone was nice enough to email his family the Koobface variant in April (see his blog piece here.)

Tom Kelchner

Rogue antivirus blog

2009-07-09T13:09:00.001-04:00

Kara here has been maintaining, on her own, a blog of rogue antivirus and antispyware products. You can see it here at rogueantispyware.blogspot.com. Of course, it’s promotional about our products (obviously) but it does keep up with many of the latest threats.

Nice work Kara!

Alex Eckelberry

Will Google Chrome break Microsoft's hegemony?

2009-07-08T13:41:00.002-04:00

No.

But Microsoft should be (and assuredly is) concerned.

The Google Chrome OS is a lightweight OS initially targeted at the netbook market, but ultimately usable on any desktop PC. It’s not for mobile phones or other small devices — that’s Android (although the two will share components).

But the use of Chrome all comes down to one question: Are users willing to give up their Microsoft applications? Are business users willing to give up interoperability with the rest of their organization, with the wealth of business applications designed for the Microsoft environment?

I’ve bought two netbooks so far. Both were running Windows, because I need Microsoft Office (particularly, Powerpoint, for my presentations on the road). No, I don’t want to run StarOffice or some other solution (like Google Docs). I need perfect operation, every time. I actually once saw a Linux die-hard do a presentation by flipping through a PDF — it was silly. Businesses have always been the major driver of the microcomputer, because people use their business machines and then want to go home and use their home machines in a similar environment (using the same files, etc.). Macs themselves are wonderful (the most wonderful operating system out there IMHO), but there are also practical considerations. People who use Macs in a business environment are the early-adopter types, but the platform has never gotten to massive scale simply because of interoparabiliy (and cost).

I’m as much a fan of Linux, Macs and all the rest as anyone else. But I am also a pragmatist.

Ultimately, the success of the Chrome OS will depend on the third party applications available for it. This is helped by the fact that it’s *nix based is very useful, as applications are easy to port. The fact that Google has some applications already developed is helpful. But it is very, very hard to get any real headway on Microsoft. (Years ago, I was the product manager for an ill-fated operating environment, DESQview (and its big sister, DESQview/X). A different time, and different circumstances, but I will say that getting application support is always a major issue with any operating system.)

Remember, despite Linux dominating the netbook market, the minute Microsoft started offering XP Home on these machines, was the minute that the tide changed. Windows XP now has over 90% market share on netbooks, and I don’t expect that to radically change any time soon.

The whole cloud argument — well, that's a wonderful buzzwords. I’ve also heard the same arguments about cloud-based computing for many years, whether it was ASPs, , etc. There are very useful aspects to the cloud, but excitable non-technical types tend to get a bit starry-eyed around this stuff when it’s not entirely deserving of mass adulation. It’ s just an alternative method of storage, but is deeply constrained by infrastructure (the speed of your connection, the availability of a connection, and so on).

Alex Eckelberry

Update OpenSSH

2009-07-07T14:36:00.001-04:00

Just in case.

Alex Eckelberry

Gmail all grown up

2009-07-07T14:22:00.001-04:00

Did you notice something today when you opened up your Gmail account? It’s no longer in “beta”, ending one of the longest betas known to mankind.

Alex Eckelberry

More on Rustock

2009-07-06T11:23:00.001-04:00

Our Chandra Prakash has written a new paper on Rustock (he’s written several). It’s at the VirusBulletin site, but you need to be a subscriber. A shorter version of the same paper is available at our research site, here.

Alex Eckelberry

Microsoft DirectShow Zero day

2009-07-06T11:16:00.001-04:00

This is serious and is ITW.

Killbit:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400

More at SANS here, plus CSIS writeup here (if you don’t “taler Dansk”, then use this Google Translate link).

Best solution? Don’t use IE for now.

Alex Eckelberry

Update: Microsoft info here.

Pornography, government and the Internet

2009-07-02T12:30:00.002-04:00

It’s probably superstition, but it seems that news stories comes in bunches. Today’s theme is: “governments across the planet try to deal with Internet pornography”:

-- The Green-Dam saga continues. China delayed indefinitely the requirement that new computers have an installation of Green Dam-Youth Escort filtering software to protect young people from pornographic and violent Internet content. The big question seems to be: “will the delay be temporary or permanent.” They really should just make the filtering voluntary AFTER they get rid of the political censorship issue and AFTER they resolve the copyright-infringement issues and AFTER they fix the vulnerabilities in it. But I digress.

-- The Ukraine has made illegal the possession of pornography except for medicinal purposes. I just don’t know what to say about “medicinal purposes” except that it’s going to generate another category of spam that will probably give a whole new meaning to “Canadian pharmacy.”

-- In the U.S., several adult-content web sites appear to be collateral casualties of the take down of the Pricewert ISP by the Federal Trade Commission. Some are reporting the loss of $5,000 per day. Some are scrambling to find their web site content, since the Federal court and FTC confiscated Pricewert’s servers. I guess the lesson here is: don’t do business with businesses that do illegal stuff.

-- The Georgia (USA) Bureau of Investigation is warning that an email containing a six-minute child porn video is circulating in the Stone Mountain area. The video may be might be a 2005 clip from the Dominican Republic that has been known to investigators. There are conflicting news reports, but at least one says it’s being spammed by malware. Possession of the video on one’s computer is a felony in the U.S. Investigators are telling Internet users to delete the email on sight (Subject line: "VERY Disturbing! TAKE CARE OF YOUR KIDS/ they should kill this man, do not open if your [sic] sensitive... click video link." )

Pornography has been a complicated issue since, well, forever. There are paintings in the ruins of Pompeii of “adult” nature that were buried in the year 79. In the quaint 1950s in the very Puritan U.S., there were “nudist” and “art photo” magazines that pushed the legal envelop and “men’s” magazines explored how much of a woman’s anatomy they could show and still stay at least one millimeter away from the legal limit.

In the U.S., porn enthusiasts probably won the battle when courts as high as the U.S. Supreme Court found themselves completely unable to define the difference between pornography and free speech. In 1964, U.S. Supreme Court Justice Potter Steward wrote the legendary articles of surrender, saying that he couldn’t define pornography, but “I know it when I see it.” Shortly after that, the VCR went on sale and it was REALLY “game over” for the anti-porn side.

The result has been a legal shadow world and very lucrative gray economy that turned into a terrific environment for scams, fraud, rogue anti-malware products and thieving computer malcode. Yes, there is a load of pornography out there on the Internet that is perfectly legal, sold by perfectly legal businesses with secure servers. Governments in conservative places will always try to fight it. They will only ever have very limited success. Sex will always be a very shiny lure.

The bottom line: if you see any advertisement on the web or in your email for “adult” anything, it simply will never be truly safe to go there.

Links to stories:

“China's Web 'Dam' “

“Yushchenko signs porn law despite widespread opposition”

“Web-Hosting Firm’s Shutdown Costing Adult Affiliate Operator $5K a Day “

“GBI: Open This E-Mail, Go Directly to Jail (Possibly)”

Tom Kelchner

Chinese government delays Green Dam requirement (maybe forever)

2009-06-30T13:11:00.003-04:00

The Chinese government’s Ministry of Industry and Information Technology announced today through the Xinhua news agency that there would be an indefinite delay in the enforcement of a rule requiring the installation of Internet filtering software Green Dam-Youth Escort on all new computers sold in the country. The rule was to go into effect tomorrow.

Green Dam was officially described as an application to protect children from harmful content on the Internet. Researchers, however, discovered that two thirds of the “harmful” terms it filtered had political connotations.

The Chinese government will install Green Dam in school and Internet cafe computers after tomorrow. It also will provide free downloads for anyone who wants it, Xinhua said.

The filtering software has drawn fire from many quarters:

-- China only notified PC makers of the regulation on May 19 and only made the edict public in June. Many manufacturers said they couldn’t comply with the July 1 deadline in such a short time.

-- Solid Oak Software of Santa Barbara said that code from its CyberSitter software was used extensively in Green Dam-Youth Escort and sent cease-and-desist letters to U.S. PC manufacturers to stop them from installing Green Dam. Solid Oak said it would launch lawsuits in the U.S. and China July 1.

-- Jinhui Computer System Engineering Co. of Zhengzhou, the company that won the Chinese government’s $6 million contract to write the application, has received more than a thousand harassing phone calls, including late-night death threats.

-- Jinhui patched one vulnerability in Green Dam, but the application remained open to remote exploitation and a working exploit was published on the Internet.

-- The U.S. protested that installation of the application would violate China’s agreement with the World Trade Organization.

-- Leaders of 22 international business groups last week notified Chinese Prime Minister Wen Jiabao that Green Dam was a threat to privacy and free speech and hardly in keeping with China’s “professed goal of building an information–based society.”

-- The European Union also protested to China, saying that the Internet filter was designed to limit free speech.

For news coverage, link here.

Tom Kelchner

You have no privacy: What you buy may affect your credit

2009-06-30T13:05:00.002-04:00

Interesting article:

Have you used your credit card at merchants specializing in secondhand clothing, retread tires, bail bond services, massages, casino gambling or betting? Your credit card issuer may be taking note -- and making decisions about your creditworthiness based on your purchasing behavior. The reason: Buying used clothing or retread tires may be an indication of financial distress and a preamble to missed credit card payments or defaults.

Link here.

Alex Eckelberry

StopBadware.org and Sunbelt Partner to Fight Badware

2009-06-30T12:06:00.005-04:00

Sunbelt is excited to be working with StopBadware.org, the collaborative initiative to combat viruses, spyware, and other bad software. Sunbelt will participate in the effort as a data partner to provide information to support and encourage website owners and web hosting companies in cleaning up and protecting their sites.

This morning, StopBadware.org launched a new, richer report interface—integrating the new Sunbelt Software data—to its searchable Badware Website Clearinghouse. The new reports allow security researchers, law enforcement, site owners, and other interested parties to see a site’s current and past badware activity, along with basic information about the site. Sunbelt joins Google in contributing data to the project, which is based at Harvard University's Berkman Center for Internet & Society.

Read the press release here.

Laurie Murrell

Michael Jackson spam loads zbot – don’t go there

2009-06-30T10:50:00.003-04:00

The domain, complete with Matrix-like animation, is running "Unique Pack" exploit package version 2.

Subject: Who killed Michael Jackson?
Date: Tue, 30 Jun 2009 08:14:46 -0300
From: x-files
Reply-To: xxxxx@xxxx.com
To: xxxxx@xxxx.com

Michael Jackson Was Killed...

But Who Killed Michael Jackson?

Visit X-Files to see the answer:

hxxp://xxxx.xxxxx.com.mx/x-files

Thanks to Sunbelt Malware Researcher Adam Thomas

Tom Kelchner

Dangerous new spam run infects users through PDF exploit

2009-06-30T10:42:00.002-04:00

Yesterday, our honeypots started detecting a dangerous new spam run, pushing a fake update for Outlook and Outlook Express.

Purporting to come from Microsoft, the spam pushes people to a web page which then redirects to a page serving a PDF exploit.

Clicking the link takes one to a “Microsoft” update page. One of several examples is shown here:

After a brief period of time, the user is redirected to an exploit page. The payload is Zbot.

This is an extremely dangerous spam run if you or your users are not fully updated on the latest versions of Adobe Acrobat. Get updated.

Alex Eckelberry