Sunbelt Blog

US FDA going after phony Internet pharmacies

2009-11-20T12:08:00.003-05:00

Washington Post columnist Brian Krebs is reporting that the U.S. Food and Drug Administration (FDA) is moving to shut down 136 Internet pharmacy web sites that have been selling counterfeit drugs or those not approved by the FDA.

The FDA office of criminal investigations has sent warning letters to the site operators and notified their ISPs that they were selling the pharmaceuticals illegally.

According to his column, the sites, which claim to be in the U.S. or Canada, are really in India and have connections to Russia. Those notified by the FDA are all affiliates of Rx-commission.com, one of dozens of pharmacy affiliate organizations. Rx-commission.com chiefly attracts customers to its sites by search engine optimization techniques.

There could be as many as 55,000 such pharmacies on the web.

Krebs column here.

Clearly this is a daunting task, going after all 55,000 sites. The FDA has joined the U.S. Federal Trade Commission and the FBI in this country in taking on the vast amount of Internet lawlessness and there seems to be motion in other countries as well.

Police in Estonia last month arrested some of the men indicted by an Atlanta, Ga., grand jury in the $9 million hack of credit-card processing vendor RBS. Police in Hong Kong and Netherlands also were part of the investigating team and helped arrest two people for withdrawing RBS WorldPay funds from ATMs in Hong Kong.

Also last month, the head of Nigeria’s Economic and Financial Crimes Commission announced the arrest of 18 scammers and shutdown of 800 email accounts they were using. She promised a continuing crackdown.

Tom Kelchner

Malware campaign: “New Moon” movie is bait for rogue security product and bot

2009-11-19T16:54:00.001-05:00

Chat networks and blogs are being used to lure movie fans to malicious sites promising: “Watch New Moon Full Movie,” according to LastWatchDog.com blogger Byron Acohido.

The much anticipated movie “New Moon” is due to open tomorrow.

The malicious operators are using search engine optimizations techniques to lure “New Moon” fans to sites with malicious downloads of a rogue security product and bot malware. If a victim goes to the site he or she is told to download a viewer called “streamviewer” to watch the movie. The download is a Trojan and they get infected.

For those who’ve already infected themselves, he quotes Sunbelt Chief Technical Officer Eric Sites:

”For anyone whose PC is already hopelessly infested with scareware and/or other infectious programs, Sunbelt Software’s free deep scanning tool could be a godsend. VIPRE Rescue can neutralize many of the nastiest scareware promos, rootkits and keyloggers lurking on your hard drive, and bogging down your machine’s performance.

“VIPRE Rescue makes it easy to wipe out infections on a nearly inoperable computer, often times enabling successful repair, as well as installation of necessary security applications to prevent these infections from happening in the future.”

LastWatchDog.com post here.

Tom Kelchner

Single points of failure: How long will the hard drive in your machine last?

2009-11-19T12:42:00.003-05:00

Hard drive lifetime

Good estimate – three years, maybe more. Higher rate of failure in the first year. (Clearly, mileage varies with usage)

Many of us have experienced the failure of a hard drive or we’ve known someone who did. It’s the life experience that answers the question: “how often should I back up my files?”

Manufacturers publicize the expected lifetime for hard drives. It’s called Mean Time to Failure (MTTF). There have been studies that suggest they either overestimate or underestimate the expected life time, though.

A paper given at the 5th USENIX Conference on File and Storage Technologies in 2007, “Disk failures in the real world: What does an MTTF of 1,000,000 hours mean to you?” suggests that drives have about a three-year average lifetime. However, there is a slightly a more complex picture of their life cycle.

Bianca Schroeder and Garth A. Gibson of Carnegie Mellon University, said their research suggested that the average lifetime of about three years could be expected, however, they also found a “bathtub-shaped” curve. Drives failed at a higher rate in their first year of use, failed at a slower rate for years 1-5, then failed at a higher rate after five years.

Schroeder and Gibson studied data on about 100,000 disks from large production systems.

Paper here.

Since the most common part of a machine to fail is the hard drive (power supplies are up there too) it is instructive to look at stories on rates of machine repairs.

Laptop lifetime

About a third will fail in three years with one chance out of three that you cause the failure by doing something like dropping it down the steps.

San Francisco-based SquareTrade, which bills itself as the “largest independent warranty provider” published a study of 30,000 laptops this week. They summarized their findings:

“Looking at the first 3 years of ownership, 31% of laptop owners reported a failure to SquareTrade. Two-thirds of this failure (20.4%) came from hardware malfunctions, and one-third (10.6%) was reported as accidental damage.”

Study here.

Desktop lifetime

There is a seven-21 percent chance your machine will need repairs in the year.

PC magazine did a survey of readers’ experiences with desktop computers and ask if the respondent’s machine needed repairs “in the last year.” This is really a customer satisfaction piece, but, we can pull some rough numbers from it on rates of repair

Article here.

Now, go backup your files.

Tom Kelchner

Two arrested in England for Zbot: go Brits!

2009-11-18T15:06:00.002-05:00

Infosecurity magazine is quoting Manchester, England, news sources as reporting that the Metropolitan Police Central e-Crime Unit has arrested a man and a woman and charged them with distributing the Zbot Trojan.

Infosecurity wrote: “the Zbot trojan has become one of the most virulent trojans in recent months with Sunbelt Software reporting incidences as 25% up during October compared to the month before.”

Zbot uses a wide variety of social engineering tricks to spread through a variety of methods, including spam email and Web downloads. It created a large botnet that collects information about victim’s credit card, banking and social network logins.

Story here.

Tom Kelchner

Other voices: “I’m tired of this whole ‘security is failing, security professionals suck’ meme”

2009-11-18T14:31:00.002-05:00

Our Sunbelt Sales Director Debbie Graves alerted us to a great blog piece about the state of computer security from securosis.com. It falls firmly into the “glass half full” camp (by a toe length, anyway.) It’s a great read.

The blogger, “Rich” raises an interesting point about organizations hiding the real cost of losses.

He also is a master of the long, breathless and funny sentence. Example:

“If the industry was failing that badly all our bank accounts would be empty, we'd be running on generators, our kids would all be institutionalized due to excessive exposure to porn, email would be dead, and all our Amazon orders would be rerouted to Liberia... but would never show up because of all the falling planes crashing into sinking cargo ships.”

And his point…

“Security, and security professionals, aren't failing. We lose some battles and win others, and life goes on. At some point the world feels enough pain and we get more resources to respond. Then we reduce that pain to an acceptable level, and we're forgotten again.

“That said, I do think life will be more interesting once losses aren't hidden within the system (and I mean inside all kinds of businesses, not just the financial world). Once we can tie data loss to pain, perhaps priorities will shift. But that's for another post...”

Blog piece here: http://securosis.com/blog/

Thanks Debbie, thanks Rich at Securosis.com

Tom Kelchner

Latest spear phishing targets: legal firms and public relations groups

2009-11-17T13:51:00.003-05:00

The FBI is warning that its agents are investigating a growing number of spear phishing attacks on legal firms and public relations companies.

Criminals are turning to those two industries because of the large amount of highly confidential information on company networks, often with details of international negotiations.

Spear phishing is a term for malicious email that specifically targets a company or person in the company. Trojan horse programs, usually carrying rootkits, are emailed as attachments. The emails also could contain links to web sites that download malcode that makes data accessible. Victims who click on the attachments to open them or follow the links, trigger malware that gives intruders access to the company network.

The investigators believe that international organized crime is involved in the attacks and are suggesting that companies consider removing sensitive documents from storage accessible by the Internet.

New York Times story here.

Tom Kelchner

U.S. Senate takes a look at deceptive “loyalty” marketing programs

2009-11-17T13:26:00.001-05:00

The U.S. Senate Committee on Commerce, Science and Transportation today is looking into deceptive “loyalty” discount programs – those that offer discounts and coupons to customers for a monthly fee. Marketing companies Webloyalty, Affinion and Vertrue and the retailers Continental Airlines, FTD and Classmates.com that let them charge customers’ credit cards, are in for a closer look.

The Committee is investigating reports that the marketing companies’ charges are showing up on credit card accounts of people who never ordered the service. Shoppers commonly encounter the marketing companies’ pitch in pop-up-windows when they make online purchases. The ads only ask for e-mail addresses, hiding the details of the monthly charges in small print. The retailers then supply the marketing companies with credit card information.

The committee has been investigating the businesses for six months. Recently Webloyalty and Affinion said they would change their advertising to require customers to submit the last four digits of their credit cards to confirm that they want to become members.

Also expected in the hearing today are the results of a study the committee has completed which includes how much money the retail partners are paid by the marketing companies.

These “enrollment” schemes can be really tricky. I inadvertently got roped into two of these things in the last three years. I like to think of myself as being pretty savvy after researching and writing about malware and the Internet underground for 15 years, but they got me. Yep, twice: once on a software company web site and another with a travel and reservation site. They're good.

CNET story here.

Tom Kelchner

Trojans coming soon: “RemoveWAT” and “Chew-WGA”

2009-11-16T16:48:00.001-05:00

The expected hacks for Windows 7 activation have been publicized and utilities called "RemoveWAT" and "Chew-WGA" are circulating.

They join the grimy world of cracks and key-gens – oft-Trojanized applications that defeat activation passwords or other security on legitimate software. It’s an ugly world on the sites that distribute them. We go there.

WGA stands for "Windows Genuine Advantage" Microsoft’s antipiracy software. The company replaced that with "Windows Activation Technologies" (WAT) in Windows 7. Thus the names of the cracks.

Trojanized versions of RemoveWAT and Chew-WGA soon will be available on websites and file-sharing networks near you. Look for them (or maybe we should say "look out for them.")

Computerworld story “Hackers outwit Windows 7 activation” here.

Tom Kelchner

Update to Schemes, Scams, Spams, and Pyramid Plans: Trojan.StartPage.SSSPP

2009-11-16T14:00:00.003-05:00

After working with the folks at Highprofits.com and Fliqz.com we’ve sorted out the trail left by scammers behind Trojan.StartPage.SSSPP.

Basically, it was a two-step click-fraud operation that centered on changing (victim) Web users’ home pages to redirect to Highprofits.com sites (including fliqz.com.) Those visitors who (unwillingly) went to Highprofits.com sites as a result made money for the iframedollars/virut gang.

Step 1 – The gang offered a Trojan downloader (Trojan.StartPage.SSSPP) on a crack site that redirected victims’ home pages to various Highprofits.com sites.

Step 2 -- The gang had become an advertising affiliate of Highprofits.com and the visitors that were sent to the Highprofits.com sites as a result of the Trojan, carried the gang’s affiliate ID (in URLs). So, the gang was getting paid for all the visits.

We said Friday that the Highprofits.com sites were infected with Trojan.StartPage.SSSPP. As a result their site was blacklisted. As it turned out, at no time were Highprofits.com sites or Fliqz.com ever infected or hosting any malware to infect visitors.

Based on Sunbelt research, Highprofits.com was able to identify the affiliate ID that belonged to the gang and ban it as an affiliate.

Glad Sunbelt could help. Sorry about the blacklist thing.

Tom Kelchner

(Patrick and Alex too)

Fliqz.com

2009-11-13T18:10:00.001-05:00

A recent blog post referenced the following URLs as being potentially involved in “scams”:

67.221.34.202
1. Fliqz.com
2. M0v1.biz
3. Realsimplemedia.com

Further research indicates that these sites are not directly involved in scam activity and are clean.

We will continue our research and if anything changes our view, will post an update.

Something new in your inbox: Google Reader Spam

2009-11-13T16:34:00.003-05:00

This:

Takes you to this:

Thanks Anupam, Stu and Alex

Tom Kelchner

Fighting malicious web sites through domain registration

2009-11-13T10:30:00.002-05:00

Computer security blogger Dave Piscitello of Hilton Head Island, S.C. (“The Security Skeptic”) ran an interesting piece: “Nine ways to mitigate malicious domains.” It’s a list of proposals that ICANN has collected from the security community that it will consider for new rules for top level domain applicants. It's an effort to help prevent the establishment of malicious web sites.

ICANN is taking public comments at: http://www.icann.org/en/public-comment/

Dave said the suggestions under consideration are:

-- Vetting registry operators to filter out criminal organizations. (Recommended by the Anti-Phishing Working Group and others.)

-- Demonstrated plan for the deployment of Domain Name System Security Extensions. This would require written plans for signing zone files and delegations (domain names registered in its top level domain.).

-- Prohibition of redirection by top level domains. (ICANN’s SSAC, the ICANN Board of Directors) “…applicants must return negative responses when a DNS query is made to a non-existent domain and must not synthesize (redirect) queries for error resolution or advertising purposes.”

-- Removal of orphan glue records. “Orphaned glue records frequently point to name servers that host malicious domains. This measure requires applicants to explain the policy they will enforce to ensure that a name server record in a delegation will not persist in the TLD zone file when the parent domain name is deleted from the zone.”

-- A requirement for detailed Whois records.

-- Centralization of zone file access. Presently, applications must contract with top level domain registries to get FTP access to zone files.

-- Documented registry level abuse contacts and procedures.

-- Participation in the Expedited Registry Security Request process to help ICANN and registries to maintain security during an incident.

-- Establishment of High Security Zones Verification.

See Dave’s blog piece here.

Thanks Dave

Tom Kelchner

A flurry of Schemes, Scams, Spams, and Pyramid Plans: Trojan.StartPage.SSSPP

2009-11-12T14:45:00.005-05:00

Today Patrick added the fourth Trojan.StartPage.SSSPP to VIPRE detections. There’s a new one about every two to three days, he said.

Thanks Patrick

Tom Kelchner

Big changes at Intel, Motorola and HP are news

2009-11-12T14:28:00.001-05:00

It’s a whopping day for news about Intel, Motorola and HP:

-- Intel is going to settle its legal differences with A.M.D for $1.25 billion.

-- There are significant rumors that Motorola wants to split into three companies to pay down debt.

-- It’s been announced that Hewlet-Packard will acquire network equipment maker 3-Com for $2.7 billion. HP thinks the move will help it compete against Cisco and with customers in China.

“Intel Pays A.M.D. $1.25 Billion to Settle Legal Disputes"

“Motorola Said to Explore Dividing Into 3 Companies”

“Hewlett-Packard to Acquire 3Com”

Tom Kelchner

The Internet: nobody goes there any more. It’s too crowded

2009-11-11T14:42:00.002-05:00

Palo Alto Networks of Sunnyvale, Calif., issued its Fall, 2009, Application Usage and Risk Report (“An Analysis of End User Application Trends in the Enterprise”), analyzing traffic patterns on more than 200 worldwide networks. The Palo Alto researchers document massive growth in social networking and collaborative applications for business since their last report in April.

The use of blogs and wikis increased 39 times with total bandwidth use for those two activities increasing 48 times.

The report said there was a 192 percent increased in Facebook use. Facebook Chat, which began in April 2008, was the fourth most commonly detected IM application. It beat out AIM, IM and Yahoo!

The use of SharePoint, especially SharePoint documents, increased 17 times since April.

Palo Alto found a 252 percent increase in Twitter sessions since its spring Risk Report.

Report here.

Apple MobileMe credit card phish

2009-11-11T10:36:00.004-05:00

Red phish, blue phish, this is a new phish:

From: Mobile IDisk [noreply01@me.com] [mailto:noreply01@me.com]
Date: November 8, 2009 5:25:10 PM CST
To: [*****]
Subject: **Your subscription expires tomorrow...*

Welcome,

Just a reminder to renew your MobileMe subscription by November 08,
2009 PDT to avoid interruption of service.

*To renew your service, log in to MobileMe, select Account, and click
Account Options.*Then click the
* Login* box for your subscription. When you're done, click Billing
Info and make sure your credit card information is up to date. It
takes only a few minutes, and your credit card won't be charged until
the day before your renewal date.

Thanks for being a MobileMe subscriber. We're looking forward to
another great year. .

[The phishing site has been taken down]

Copyright 2009 Apple Inc. All rights reserved.

Thanks Laura

Tom Kelchner

There might be more to Farmville than just finding a lost cow

2009-11-11T10:20:00.003-05:00

Techcrunch has done an interesting story about the businesses that came up with the big popular social games: things like Farmville, Pet Society and Mobsters.

The three companies that behind these and other social games -- Zynga, Playfish and Playdom -- have about 100 million subscribers and are making $300 million per year just from the sale of virtual goods. Making money is great, but there are some referral schemes that they offer that can get you hooked into services that will cost more than $100 per year. So, you better read the fine print.

See story: “Social Games: How The Big Three Make Millions” here.

And for a slightly darker view: “Zynga CEO Admits to Being a Scammer” here.

And for a REALLY dark view: “Scamville: The Social Gaming Ecosystem Of Hell” here.

Tom Kelchner

“MaCatte” rogue tries to copy McAfee AV scanner look

2009-11-10T16:40:00.001-05:00

Maybe they just misspelled it:

It blocks other AV, redirects your browser and nags you about phony malware infections until you pay it $99. McAfee might be our competitor, but we know that ISN’T their business model.

McAfee blog story here.

Tom Kelchner

Unabashed hype

2009-11-10T15:01:00.001-05:00

It’s irritating when CEOs post self-aggrandizing posts that read more like press releases than substance.

So I’ll just link to our braggart press release and not actually post the text in the blog. Hopefully I’ve avoided autophobia.

Alex Eckelberry

3,100 vulnerabilities connected with Web software

2009-11-10T14:14:00.001-05:00

If anyone ever needed a great example for the lectures they give friends, relatives or employees about the importance of installing software updates, here it is.

Security firm Cenzic ( http://www.cenzic.com/company/ ) has made public a report documenting 3,100 vulnerabilities that affect the software used on web sites and in browsers! The report included patched and unpatched vulnerabilities.

Cenzic, which provides software as a service, said in their report “Web Application Security Trends Report Q1-Q2, 2009” that Cross Site Scripting and SQL Injection vulnerabilities were a factor in half of all web attacks.

They said 87 per cent of web applications their researchers looked at "had serious vulnerabilities that could potentially lead to the exposure of sensitive or confidential user information during transactions."

On the server side, they said Apache, Citrix, F5 Networks, IBM, PHP, SAP, Sun and Symantec all ran software with vulnerabilities.

On the browser side, they said Firefox (44 percent of the vulnerabilities) and Safari (35 percent) had the most flaws. Internet Explorer had 15 per cent and Opera six percent, they said. They apparently didn’t review Google's Chrome. They added that Firefox vulnerabilities were patched much quicker then Internet Explorer.

Story here.

Tom Kelchner

Major net advertiser site is spreading little-detected malware to visitors

2009-11-10T10:38:00.002-05:00

Web security firm Websense is reporting that the servers of web advertiser media-servers.net has been compromised and is serving visitors malcode that exploits Microsoft and Adobe vulnerabilities. Thousands of sites have been compromised over several months with the result that visitors get served an auto-loading script, the Websense researchers said.

Patches have been available for the vulnerabilities involved, so, only unpatched machines visiting the site will be compromised.

Websense researchers also said that the malware involved is only detected by two of the 40 anti-virus companies: F-Secure (Suspicious:W32/Malware!Gemini) and Sunbelt (Trojan.Win32.Bredolab.Gen.1 (v)). The detection is based on behavioral analysis by F-Secure’s DeepGuard, and Sunbelt’s VIPRE technology.

Story here.

Tom Kelchner

Univ. of Tampa student starts non-profit to investigate wrongful convictions

2009-11-09T17:14:00.002-05:00

University of Tampa senior Gretchen Cothron has launched a nonprofit organization called “Screaming for Sunshine” to help investigate wrongful convictions.

Cothron is an honors student, with a major in criminology and minor in law and justice.

Last year, she completed a project to demonstrate the necessity of recording interrogations during investigation, which isn’t required in Hillsborough County. Last month she presented her findings at the National Collegiate Honors in Washington, D.C.

After her work last year, she moved into an honors fellowship “…researching a statistical formula to see how eyewitness testimony, faulty forensic science and false confessions contribute to wrongful convictions,” according to the University of Tampa web site.

“Cothron has presented her preliminary findings at the Southern Criminal Justice Association’s annual conference and is presenting an extension of the same project at the American Society of Criminology's annual meeting in November,” the UT site said.

“Cothron hopes to practice criminal appellate law after law school to help fund her real passion, a nonprofit she has formed called Screaming for Sunshine to assist with investigations of wrongful convictions.

“Florida leads the nation in the number of death-row exonerations,” Cothron said, “and there has to be countless others.”

Cothron’s nonprofit site here.

Story here.

For the tip on this, thanks to Glenn S. Dardick, Ph.D., Associate Prof. of Information Systems at Longwood Univ. in Farmville, Va. He’s also the Director of the Association for Digital Forensics, Security and Law and editor of the Journal of Digital Forensics, Security and Law.

Conficker and Taterf will be with us for a while

2009-11-09T16:38:00.002-05:00

USA Today’s Byron Acohido is reporting that the Conficker and Taterf worms continue to spread.

Conficker is building a botnet, propagating through network shares and devices that use USB ports.

Taterf, the product of a malware tool kit, is aimed at stealing log-in information from on-line games. The malicious operators sell the log-in information to others who steal compromised gamers’ accounts for virtual goods which can be sold to other gamers.

Standard precautions can prevent the two from infecting machines: running a good anti-malware application and keeping current with updates and patches. Turning off the “autorun” feature in Windows also can stop the propagation through USB ports.

USA Today quoted Sunbelt Chief Technology Officer Eric Sites in the story. He told them "The sad fact is worms and viruses would be wiped out if everyone used best security practices."

Story here.

Tom Kelchner

New Trojan uses CloneCashSystem site

2009-11-06T16:54:00.009-05:00

Patrick came across a new Trojan today that uses the CloneCashSystem site (WHOIS registration date Oct. 2).

Patrick’s note:

“My iframedollars downloaded a Trojan from a VX Catus site dl.guarddog2009.com/bookmark.exe.

“The 3 kb Trojan’s only function is to change the users start page to: join. clonecashsystem com/track/NjU1ODMuMjYuMzEuMzUuMC4wLjAuMC4w, which is one of those free report sites. It tries to get you to buy a get-rich-quick scheme.

“The start page is similar to the old CWS hijacking start page Trojans. I have named it Trojan.StartPage.CloneCashSystem.”

[NOTE: only go to the URLs mentioned here with caution.]

Thanks Patrick

Tom Kelchner

Update 11/9: We changed the description of CloneCash in the blog post since it is merely a site pointed to by iframedollars/virut. Patrick wrote the following after further investigating:

"The CloneCashSystem is really only free videos of how to make money on the Internet and not a scam, however, its URL is used in a TrojanStartPage with the file coming from a malicious site.

"The bookmark.exe has changed now to using join.123cashsurveys.com as the StartPage Hijacking.

"Due to the change and as I now have over 100 sites that could end up being used and may come under 3 business aliases, I have changed the threat from Trojan.StartPage.CloneCashSystem to Trojan.StartPage.SSSPP

"For eternal use the SSSPP will stand for Schemes, Scams, Spams, and Pyramid Plans. "

Click fraud Trojan uses Internet security company site

2009-11-06T16:02:00.003-05:00

Our researcher Patrick Jordan ran one of the installers from seriall.com, which is an old fake serial crack site where one can get infected waaaaay too easily. It created a run32.dll which functions as a redirector. When a victim of this searches for the string “remove spyware,” his infected computer re-directs to the web page of security firm Webroot. Clicking on the “Business” tab will take the browser to a redirect site.

On the left is the Webroot page redirect from an infected box and the right is the same action from a clean box.

The sites that it redirects to are typical info-stealing sites with a cheap pay-per-click search pages.

Sunbelt already detects the installer and dll as Trojan.Win32.Generic!BT

Just to clarify: this is not a Webroot issue, the Trojan simply redirects a victim's browser to the Webroot page to give an appearance of authenticity before redirecting it on to a malicious site.

Thanks Patrick

Tom Kelchner