
Tuesday, January 31, 2006

Installation tips for IE 7

Microsoft MVP Sandi Hardmeier gives tips on installing the IE 7 beta. Worth reviewing. 

Link here.

Alex Eckelberry

F-Secure is already receiving reports of Blackworm damage

There are over 300,000 machines infected with the Blackworm worm (aka Kama Sutra, Nyxem, etc.).

The fun is supposed to start February 3rd.  However, F-Secure reports:

The destructive deadline of the Nyxem.E worm is based on the clock of the infected machine. So if you're infected and your clock is not set right, things could start to happen at any time - even though the official activation time is the 3rd of the month. We've already received first reports from users who've had files on their system overwritten by the worm.

Link here.

 

Alex Eckelberry

 

Turning the tables on malware authors

Thorsten Holz and Frederic Raynal have posted an article on “attacking the attackers”:

This article explores measures to attack those malicious attackers who seek to harm our legitimate systems. The proactive use of exploits and bot networks that fight other bot networks, along with social engineering and attacker techniques are all discussed in an ethical manner. Part one of two.

Link here via Thorsten’s blog.

 

Alex Eckelberry

Rootkit art

Contemporary art has gone through numerous stages, such as New Realism, Fluxus, Battle Elephants, Arte Povera, Neo-Expressionism, Transgressive and Synaesthesia — just to name a few.

Well, we have a new movement, people:

Rootkit art.

[Image: Wayne Porter with the color rootkit painting]

Pictured is Sunbelt’s good friend Wayne Porter, with rootkit art behind him:

Porter says, "People simply couldn't visualize the first rootkit painting and the number of queries hitting my inbox overwhelmed me, even ZDNET tried to clarify the matter. I decided to do this particular rootkit, while recovering, in full color to help people visualize the dangerous nature of the threat. I realize this might anger many rootkit art purists who feel that rootkits are invisible by nature and should stay that way, but I really don't know any other way to capture the elusive and potentially dangerous nature of the rootkit so that non-technical users and e-commerce professionals can understand its significance."

Porter goes on to say this will be his last rootkit painting, but he is planning a 350-foot-tall sculpture around the set of tools made famous by Sony BMG as well as instant messenger crackers and other companies. "I haven't decided on whether to use oxygen or carbon monoxide to create the sculpture, although I am leaning towards oxygen as it is much safer. Still, oxygen has two common allotropes so there is still an artistic decision to be made."

Many art critics have suggested Porter use a mercaptan in his planned rootkit sculpture (a chemical with a sulfur-like odor) to give it the distinct and unpleasant rotten-egg smell that is mixed into dangerous gases so that people can be alerted to leaks.

Link here.

Alex Eckelberry

SANS Webcast on Feb 1st: The Spyware Threat Today

Join SANS and Sunbelt Wednesday at 1PM ET:

The Spyware Threat Today
Featuring: Dave Shackleford, SANS Instructor and Greg Kras, VP Product Management, Sunbelt Software

Spyware is quickly becoming one of the most pervasive threats to organizations of all types. The majority of infections occur through basic Web browsing, and existing security controls are often not configured to detect spyware or prevent it from spreading. In addition to this, spyware can cause organizations to lose sensitive information, resulting in a number of compliance-related issues, as well. There are a number of steps that security staff can take to adopt a defense-in-depth strategy addressing spyware at both the system and network levels. This presentation will discuss the state of spyware today, how it infects systems, and network- and host-level methods of detection and prevention.

Managing Spyware with CounterSpy Enterprise
Spyware has become the new headache for IT. Systems become rapidly infected and system admins are often forced to physically go to the end-user and manually run spyware removal tools to get rid of these data threats. CounterSpy Enterprise is a policy-based, antispyware solution that provides a scalable, centrally managed solution that is capable of detecting and removing a broad range of adware, malware and other spyware from corporate networks. This brief overview will show how system admins can effectively manage spyware within their organizations using CounterSpy Enterprise.

Click here to join the webcast.

Oh, and while we're talking about new stuff

Nmap 4 is out! Lots of new features.

Link here.

Alex Eckelberry
(Thanks David)

IE 7 beta 2 preview now available to everyone

You can download beta 2 preview here.


Alex Eckelberry

USB Security

USB drives carry their own security risks. Have you ever lost your keys? Well, how about if your keys have a USB thumb drive on them?

So security is something to keep in mind. If you need a decent overview of USB security, faithful blog reader Ed Stankiewicz passed on this link to me at TheInfoBox.com.   It gives a basic overview of security on USB drives. Link here.

Alex Eckelberry

Who's Reading your Mail?

Since the dawn of the written word and throughout history, humans have been devising new and better ways to send messages to others who are far away. Ancient civilizations used couriers who traveled by foot or by horseback to deliver letters. The U.S. postal service was created in the early days of our country to transport our written communications. In the 1800s, those letters traveled by stagecoach, Pony Express, railroad and steamship.

In the early days, you had to take the letter to the post office to mail it and the recipient had to go to the post office to pick it up. Later (mid-1800s), the postal service delivered mail to residences - first only in the cities, then to rural areas as motor vehicles became common. The twentieth century brought us air mail, as well as some innovative ideas that never quite panned out (such as the delivery of mail via guided missile, with which the Navy experimented in the 50s). (For more info on the history of the U.S. Postal Service, click here.)

Today, there are many ways to get our messages through, whether we're sending them next door or all the way around the world. Many of us routinely circumvent the post office (and private delivery services) altogether by sending most of our written communications via email. It's a lot faster, a lot easier and a lot cheaper. What's not to like? (For a brief history of the development of email, click here.)

Trouble is, because it's so much quicker, many of us write much more informally in email than we do in "real" letters. Yet many of us also seem to assume that we have the same level of privacy as we have with our postage-paid letters. And as we use email more and more for both business and personal communications, that can become a problem.

I've said it many times before, but it bears repeating: your email is at least as public as sending a postcard through the "snail mail" - which anyone whose hands it happens to pass through can read. Yet many folks continue to act as if they can say anything they want in email without consequences, despite the many news stories detailing how people's email messages have been used against them in civil and criminal actions.

Note: Although there are still federal laws against opening someone else's mail, snail mail, too, is becoming less private all the time. In particular, the government has taken steps to make anonymity more difficult. Renting post office boxes or even mail boxes run by private companies now requires furnishing identification, and in 2003 the Presidential Commission on the Postal Service called for a way to identify the sender of every piece of mail as a way to improve national security. A concept called "intelligent mail," supported by Pitney Bowes and others, advocates implementing a system that can provide information about senders, recipients and even contents of postal mail. While it has advantages such as the ability to track your mail, it also has privacy implications that worry some.

But back to email: many people believe that the National Security Agency (NSA) reads all of our email. The sheer volume of electronic mail that goes across the Internet every day makes that unlikely, but it would certainly be possible to intercept and send mail through filtering software to flag messages that appear to be "of interest" to the government. Last month, Bruce Schneier's blog quoted some instructions from Richard M. Smith on how to test whether your mail is being monitored. Click here.

You don't have to be a super secret, well funded spy agency to read other people's mail, though. Network administrators do it all the time, "just for fun." Your employer has the legal right to snoop in the mail you send from or receive on company machines or via your company email account. And there's a plethora of real spyware software available that can be used by suspicious spouses, concerned parents or curious friends or co-workers who want to know what you're up to.

Even knowing all this, folks continue to say things in email that can come back to haunt them later, and they end up getting fired, divorced, arrested or at least humiliated because of it. When you hit that Send button, you really never know who will eventually end up seeing your dirty jokes, derogatory comments about your boss, love letters, or other self-incriminating information. It's often been said that you shouldn't put anything in email that you would be ashamed to see on the front page of the newspaper and, indeed, that's where it might wind up. Or on a public Web site for anyone and everyone to peruse. For example, you can search through hundreds of thousands of email messages that were sent to and from former Enron executives and employees here.

Is encryption the solution? Despite the availability of low-cost email encryption technologies, few people encrypt the email that they send. There are undoubtedly many reasons: lack of knowledge about encryption options, plain old laziness, the belief that if you aren't doing anything wrong (i.e., illegal), you don't need to hide what you're doing. Yet another reason encryption has never really caught on among the general email-sending public is interoperability. Both sender and recipient need to have the software for encrypting and decrypting mail, and you can't assume that all or even most of the people with whom you exchange mail will be able to decrypt your encrypted communications.

Many experts say encryption won't become standard until it's built into the popular email clients and Webmail services and made transparent to the user. That is, it should be as simple as clicking a button to encrypt a message (no having to fuss with installing extra software or obtaining a digital certificate).

But it's also likely that many people don't use encryption simply because it's not in widespread use. This makes those messages that are encrypted stand out like a sore thumb. Encrypting your mail may actually raise suspicions where there were none before. However, if you'd like to give encryption a try, here's a link that tells you how to do it using PGP (Pretty Good Privacy).

What do you think?

Deb Shinder

 

Monday, January 30, 2006

Online ID theft not as big as people may think

From InternetNews:

If recent stats are to be trusted, incidents of fraud from Internet-based means may well be on the decline.

According to a report set to be released tomorrow from Javelin Strategy and Research, in cases where the source of the identity theft was known, only 9 percent were reported to have come from hacking, viruses and phishing.

In contrast, a lost or stolen wallet or credit/debit card was the cause of 30 percent of the incidents.

The study also found that fraudulent activity is mostly (over 70 percent) conducted offline via phone or mail.

Link here via techdirt.

 

Alex Eckelberry

180solutions withdraws lawsuit

Back in the fall, 180solutions sued Zone Labs for making “false and misleading statements” about 180solutions.

They’ve withdrawn the lawsuit.

“Although the new labeling is still in our view overly aggressive, the immediate purpose of the lawsuit has been served,” said 180 chief compliance officer Ken McGraw in a statement. 180Solutions is currently facing a complaint to the FTC brought on by the Center for Democracy and Technology digital watchdog group, alleging improper business tactics.

Link here.

ZoneLabs press release here.

Alex Eckelberry
(Thanks Ben, Suzi)

Wendy Seltzer responds

Saturday, I blogged about a lawyer at the Berkman Center at Harvard Law bringing up the word “zealots” in relation to antispyware activities.

She’s responded well:

Several commenters here and elsewhere have seen my post Spyware as an Ecosystem Blight as an attack on those who have exposed spyware. It isn't.

First, as a lawyer who takes seriously the duty of "zealous advocacy" owed to my clients and causes, I see "zealot" as a badge of honor more often than as criticism. Second, I was referring my own criticism specifically to those who have levered poorly-justified lawsuits against alleged spyware -- not to those who have preceded StopBadware.org in exposing the mechanisms by which malware gunks up computers against the users' will.

The most visible "anti-spyware" forces to me, a lawyer, have been those such as U-Haul, Wells Fargo, Washington Post, and 1-800 Contacts, who have run amok in the courts trying to shut down popups with theories I think are harmful to the fabric of the law. I don't think the user-centered movement gains when trademark or copyright law is extended to prevent a user from covering the on-screen display of a web page or trademark -- what if the user wants to browse with Greasemonkey or show her own pop-ups?

It's unfortunate when the companies making misleading legal claims or lobbying for overreaching law become the most visible piece of the anti-spyware spectrum -- though it may be that they're only the most visible to those wearing lawyer-colored glasses. So, to make clear: thank you to all those working to enhance user choice by informing the public about the software that wants to install itself on our computers.

Link here.

Thanks Wendy, for clearing that up! 

Zealots rule.

 

Alex Eckelberry
Btw — this is a light blogging week for me — board meetings.  Have to pay the bills…

Sunday, January 29, 2006

Seen in the wild: Phishing gang site

Just some of the typical random junk we run across in our research:  http://sharky-socks(dot)net is a backdoor to a phishing gang.

Subdirectories we have found on the site:

CitiScam/
adminlist/
cgi-bin/
citibank/
me/
proxyservice/

So typing in http://sharky-socks(dot)net/citibank will give you the Citibank scam site.

[Image: Sharky's phishing machine]

Whois info.

Everyones Internet is hosting it.

 

Alex Eckelberry
(Thanks to Sunbelt researcher Eric Howes)

 

Saturday, January 28, 2006

Latest (In)Secure Magazine

(In)Secure Magazine is a great magazine on security and the latest issue is out.

Covered topics in this issue:

  • Web application firewalls primer
  • Review: Trustware BufferZone 1.6
  • Threat analysis using log data
  • Looking back at computer security in 2005
  • Writing an enterprise handheld security policy
  • Digital Rights Management
  • Revenge of the Web mob
  • Hardening Windows Server 2003 platforms made easy
  • Filtering spam server-side   

Alex Eckelberry
(Hat Tip to Martin McKeay.)

Oh, there goes that whole zealots thing again

Faithful readers of my blog will remember when I was branded a zealot by 180solutions. (Actually, I found out later that the 180 fellow who said this may not have meant me directly, but the words were immortalized in print. And what the heck: I admit to rather liking the title.)

Now, Wendy Seltzer (a fellow with the Berkman Center for Internet & Society at Harvard Law School) brings up the “zealots” word, in a blog supportive of the new StopBadware.org project (a project operated by the Berkman Center and the Oxford Internet Institute).

…I still dislike anti-spyware zealotry, but I've come to see that the higher-order consequences of spyware -- the tactics of its opponents and the reactions of users who are plagued by it -- are also problematic. A measured approach to malware can help avert those problems without distorting the law around it. That's why I'm encouraged by the Berkman Center's new Stop Badware project:

Link here.  

Alex Eckelberry
(Btw — her blog seems hopelessly broken.  Trackbacks and comments didn’t work when I tried them.  You can email her directly if you like.)

RSS problems

If you’re using my Feedburner feed, there have been some problems with it due to the size of the blog. It should be fixed now, but you can always use the Blogger Atom XML, which is pretty bulletproof. Link to the Atom feed here.

 

Alex

What is Google censoring?

You can go to the OpenNet Initiative and see for yourself what is being censored.

[Image: censored Google search results]

Link here via John Palfrey.

And Photoshops here via Jeff Nolan.

Alex Eckelberry

 

Friday, January 27, 2006

Has Dell moved away from using MyWay?

Used to be that when you bought a Dell system, you got a Dell-branded version of MyWay as your start page.

Now, it looks like they’ve moved to Google. 

[Image: Dell start page]

You can see the page at http://www.google.com/ig/dell?hl=en

Let me know if you’re seeing the same thing.

Alex Eckelberry

 

Ok, guiness.com is back in Google China

Google China now has guiness.com back in the search results.

Guiness lovers the world over can rejoice.

Link.

Alex Eckelberry

One step ahead of the game

The Blackworm/Kama Sutra worm drops its deadly payload February 3.

Microsoft will release its Malicious Software Removal tool on February 14:

…As described in the write-up, the worm will corrupt common document format files, first on February 3rd 2006 and on the third day of every month moving forward. As always, we strongly recommend running an up-to-date antivirus program on your computers and being wary of opening suspicious e-mail attachments even if they were sent from a familiar mail address.

…Microsoft releases a new version of the Windows Malicious Software Removal Tool every month on the second Tuesday of the month together with the other security updates. The next version, targeted for release on February 14th will detect and remove this worm.

Also, the beta version of Windows OneCare Live protects against this threat. It can be obtained here:  http://www.windowsonecare.com.

More here.

Alex Eckelberry

Does Download Accelerator Plus merit listing in the CounterSpy database?

Ok, perhaps not the most thrilling title for a blog, but we’ve done a re-review of our exhaustive study on Download Accelerator Plus (DAP): 

…Sunbelt's research team recommends that Sunbelt continue to offer DAP as an optional "low risk adware" detection with a default action of "Ignore." The Sunbelt research team does recommend that Sunbelt review the description provided in Sunbelt's database for DAP and revise the more general description for "Low risk adware" to better fit the programs such as DAP that fall in that category of detections.

(Listing an application with a default action of Ignore means that CounterSpy will detect the application and present it to the user.  The choice of removal is left to the user, as opposed to automatically defaulting to “Quarantine” or “Remove”.)

You can read the full review here.   

 

Alex Eckelberry

Friday Off Topics

Off Topic #1:  Even though it was constant background music in the house, I never cared much for Mozart growing up.  And when I went for my musical training (originally piano, then later flute), I was interested in earlier baroque, Bach-centered music.  In short, I was a Bach snob.

But when you play Mozart, you really appreciate his work. It wasn’t until much later that I worked on my first Mozart piece, the Romance from the Piano Concerto No. 20 in D Minor, that I finally saw Mozart’s magic. (I recently heard a snippet of one recording of this particular movement that I thought was done incorrectly — slow and sweeping. The piece plays for the pianist in a more spirited manner — you can almost feel his sense of mischief coming through the keys. It’s a lot of fun for the musician.)

Anyway, today is the 250th anniversary of Mozart’s birthday.  NPR has a great site with a bunch of great interviews and specials on the life of this musical genius. Link here.

Off topic #2: Amidst all this hullabaloo about Google censoring results for its Chinese search engine, one critical fact has been left unsaid:  They’re filtering Guiness.com

The revolution starts today, people.

Off Topic #3:  Ok, I get to plug someone, but it’s family. My brother, Marc Eckelberry (a futures trader), has started what is turning into a pretty nice blog on futures trading.

Check it out, including this fun multimedia look at yesterday’s market.  I have absolutely no idea if he’s wrong or right on his advice (and his advice is only for pros) but it all looks impressively technical and there’s lots of pictures. 

Personally, I’ll stick to software.  And on that note, I’m going back to work.

 

Alex Eckelberry

Thursday, January 26, 2006

Interesting stats on Blackworm

The folks at Lurhq have posted some stats on Blackworm, working with the ISP that’s actually hosting the infamous counter we’ve discussed in the past (this worm reports back to a server that is keeping track of the number of infections).

In the charts, you can see the DDoS attack that increased the counter so dramatically:

[Image: chart of total counter hits]

More excellent charts, along with the actual infection statistics (closer to 300,000) here, via WebSense.

 

Alex Eckelberry

 

Another movie by Paperghost

While the hip and trendy freeze at the Sundance Film Festival, I have a better alternative.

Following on our tradition of showcasing promising young antispyware movie makers (our first film fest was held in July of last year, when Robert Redford was pining for snow), we present another dark, cutting edge film by the notorious Paperghost.

I present: Adware-Man.

And the music makes the movie.

 

Alex Eckelberry 

 

Seen in the wild: New ClickFraud Trojan

Searchadv.com is a part of the umaxsearch.com pay-per-click affiliate search program and is known for working with home page hijackers. Searchadv.com has now started using a new type of scam: A fraudulent pay-per-click scheme that Sunbelt calls Misc.Iwin.Scam. In short, it’s a trojan that generates fake clicks.  These clicks earn money.

Searchadv.com is running this fraudulent scheme through at least two methods at present:  

The first involves the use of the WMF exploit served from the web site loomcompany.com (which Searchadv.com owns) that drops a payload file on PCs of victims who visit compromised web sites.

The second known method involves links to RAR compressed files that are disguised as "adult games" at the web site pornocollection.net (also controlled by Searchadv.com). Users are effectively tricked into un-zipping these RAR files and then running the executables inside, which are not "adult games" at all but instead payload files.

Once their PCs are infected, either through the WMF exploit or the fake RAR porn game files, users see nothing to indicate their PCs have been compromised. Unbeknownst to users, the payload files dropped by these installation schemes are transmitting fake clicks in the background to Searchadv.com, which in turn passes those fraudulently generated clicks to its own search feed partners.

Each time an infected computer restarts and re-connects to the Internet, the transmissions and fraudulent clicks resume.

Some of these advertising partners include:

c.enhance.com
tripreservations.com
c.goclick.com
oemji.com
rx-select.com
dealtime.com
shopzilla.com
looksmart.com
goclick.com
ads.ask.com
freegiftworld.com
freepayingsurveys.com

The list goes on . . .

One thing that makes this scheme especially dangerous is that victims are being lured to the WMF exploit pages through web pages designed to turn up in Google searches on completely legitimate, innocent terms. For example, the web page for cobrahealthinsurance.loomcompany.com turns up in a Google search for "Cobra Health Insurance."

Users who click through to the web site, which is a sub-domain of loomcompany.com, could become infected with the Misc.Iwin.Scam Fraud Trojan if their PCs are not updated with the fix for the WMF vulnerability from Microsoft.

Patrick Jordan
Senior Spyware Researcher

Mike Nash interview on /.

Mike Nash, Microsoft security veep, is interviewed on Slashdot today.

Slashdot readers presented a number of questions to Mike, including:

  • What has changed?
  • What about the tradeoff in security vs. user friendliness?
  • What are the top priorities for security in 2006?

Full interview here.

 

Alex Eckelberry

Wednesday, January 25, 2006

Congressional hearing scheduled over how US internet companies are operating in China

Congressman Chris Smith will be holding a hearing in D.C. on February 16th that will “examine the operating procedures of US internet companies in China”.

From his website:

Rep. Smith has invited various US companies to testify at the hearing, including: Google, Yahoo, Microsoft and Cisco.  Also scheduled to testify are: State Department Senior Advisor for China and Mongolia James Keefe, State Department Deputy Assistant Secretary for International Communications and Information Policy David Gross, Julien Pain from Reporters Without Borders and Harry Wu from the LaoGai Research Foundation.

Link here.  Related FT article here.

 

Alex Eckelberry

Privacy advocates fight back against UK government

Over 33,000 people have been stopped and searched under the UK’s new anti-terror laws.

Some people are fighting back.

Charles Clarke, the Home Secretary, is facing an onslaught over the Government's anti-terror laws after figures showed nearly 36,000 people were stopped and searched under the emergency powers last year. The number of people stopped and searched each year has soared since the Act came into force in 2001, when 10,200 people were stopped. It rose to 33,800 in 2003-04.

Campaigners will mount a legal challenge in the House of Lords today, as they attempt to limit the laws giving police sweeping powers to stop people even if they have no grounds to suspect them of a crime.

More here.

 

Alex Eckelberry 

Ok, back to reality

As a follow-up to my previous blog posting on the high rate of Blackworm infections, Gadi Evron at Securiteam updates us with (relatively) good news:

After investigation with the ISP and various people from our task force (special thanks to Joe Stewart and all the SANS ISC handlers) it appears that someone (probably the worm author) was trying to be funny and DDoS the counter.

Looking only at unique IP addresses and removing the ones from the DDoS, we end up with only about 300K users whose world is going to crumble on February 3rd.

Good.  Because I just checked the counter and it’s up to over 3 million. 

[Image: the insanely high Kama Sutra worm count]

Still, as Gadi points out, there’s an estimate of possibly 300,000 users who are going to have a potentially serious data loss on the 3rd.

Alex Eckelberry

 

Blackworm worm over 1.8 million infestations and climbing

As a follow-up to my previous blog posting, we’re now seeing infestations for the Blackworm worm (aka KamaSutra) getting close to 2 million.

[Image: Blackworm infection counter]

(This worm actually reports back to a server that is keeping track of the number of infections.) 

Yesterday it was at close to 700k.

Of course, it’s possible that this URL has gotten out to the public, which would increase the count (simply hitting the website increments the count by one).  However, to my knowledge, this URL is only known in the security community.

Remember that this worm has a very destructive payload.  Even if you discount the number here, you’re still looking at a significant number of people who will suffer potentially devastating data loss.

 

Alex Eckelberry

Update/Clarification:  As Jamie points out, the site is recording hits, not unique IPs.  Expect the real number of infestations to be probably half the number on the counter.  See Securiteam link here.

Update:  It’s not a real number, it’s a DDoS attack on the counter (probably by the worm author). Actual infestation rates probably closer to 300k.  More here.
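The two corrections above (hits are not unique IPs, and a flood of hits from a few sources can swamp the count) are exactly what you would check if you were the one holding the counter's web server log. As an added example, not code from Sunbelt, Securiteam or anyone else mentioned here, the script below takes Common Log Format access-log lines and reports the raw hit count, the number of distinct client IPs, and how many of those IPs are plausible infected hosts once sources above a per-IP threshold are set aside as flood traffic. The log lines, the `/counter` path and the threshold of 10 hits per IP are all constructed assumptions for the demonstration.

```python
import re
from collections import Counter

# Apache/nginx Common Log Format; only the client IP and request line are used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_log(lines, path="/counter"):
    """Return (ip, request) pairs for well-formed lines that request `path`."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        # request line looks like 'GET /counter HTTP/1.1'; keep only the counter URL
        if m and m.group("req").split(" ")[1:2] == [path]:
            records.append((m.group("ip"), m.group("req")))
    return records


def estimate_infections(records, max_hits_per_ip=10):
    """Separate plausible infected hosts from flood traffic.

    raw_hits    -- what a naive hit counter displays
    unique_ips  -- distinct clients (an infected box may report more than once)
    organic_ips -- clients at or below the per-IP threshold: the infection estimate
    flood_ips   -- clients above the threshold, i.e. the DDoS contributors
    """
    per_ip = Counter(ip for ip, _ in records)
    flood = {ip for ip, n in per_ip.items() if n > max_hits_per_ip}
    return {
        "raw_hits": sum(per_ip.values()),
        "unique_ips": len(per_ip),
        "organic_ips": len(per_ip) - len(flood),
        "flood_ips": len(flood),
    }


def make_sample_log():
    """Constructed sample log (TEST-NET addresses), not the real counter's data."""
    line = '{ip} - - [25/Jan/2006:10:{m:02d}:{s:02d} +0000] "GET /counter HTTP/1.1" 200 43'
    lines = []
    # 50 distinct infected hosts; odd-numbered ones phone home twice (two reboots)
    for i in range(1, 51):
        for k in range(2 if i % 2 else 1):
            lines.append(line.format(ip=f"203.0.113.{i}", m=i % 60, s=k))
    # one source hammering the counter 2000 times: the "DDoS" on the counter
    for k in range(2000):
        lines.append(line.format(ip="198.51.100.7", m=(k // 60) % 60, s=k % 60))
    # an unrelated request that parse_log() must ignore
    lines.append('203.0.113.99 - - [25/Jan/2006:10:59:59 +0000] "GET /index.html HTTP/1.1" 200 512')
    return lines


def summarize_sample():
    """Run the analysis over the constructed log and return the four figures."""
    return estimate_infections(parse_log(make_sample_log()))


if __name__ == "__main__":
    for key, value in summarize_sample().items():
        print(f"{key:12s} {value}")
```

On the constructed log the naive counter reads 2075, the unique-IP view gives 51, and dropping the single flooding source leaves 50 plausible infections; that is the same shape as the correction from 3 million hits down to roughly 300k hosts described above. The threshold is a judgment call: an infected machine that reboots a handful of times is still organic, so set it from the distribution of hits per IP in your own log rather than from this sample.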

Tuesday, January 24, 2006

Google helps to fund an antispyware site

According to an article by Ryan Naraine in eWeek, “Web search powerhouse Google has joined with Sun Microsystems to fund a new anti-spyware coalition that is on tap to launch on Jan. 24…”.  It will be operated by the Berkman Center at Harvard and the Oxford Internet Institute at Oxford University.

Apparently, the site is going to be an information clearinghouse and help center for consumers.  In an article in the Christian Science Monitor, the group’s co-director was quoted as saying “the coalition will act like a "neighborhood watch" for the Internet, relying on citizens to report problems.”

The new site, “StopBadware.org”, will be up tomorrow. The domain is owned by Google.

Very surprisingly, Harvard Ph.D. candidate and antispyware superstar Ben Edelman is, unfortunately, not involved.

Update: Eric Howes, our director of malware research, has signed on to be part of the working group. We’ll see how this plays out.

Alex Eckelberry

February 3rd is possibly a D-Day

The Kama Sutra worm (now being referred to by some experts as BlackWorm) has got the concern of a number of people in the security community. 

I blogged a few days back about its rate of infestation.  Last Saturday, the number of infected machines was at about 500k.

Today, that number is getting close to 700k (we know that because this worm actually reports back to a server that is keeping track of the number of infections).

[Image: Blackworm infection counter]

Why the worry?

On the 3rd of every month, it does some rather nasty things.   From our friends at F-Secure:

The worm has a dangerous payload. If the date is equal to 3 (3rd of February, 3rd of March, etc) and the worm's UPDATE.EXE file is run, it destroys files with those extensions on all available drives:

*.doc
*.xls
*.mdb
*.mde
*.ppt
*.pps
*.zip
*.rar
*.pdf
*.psd
*.dmp

Well, that’s not very friendly, is it? More here.

Security expert Gadi Evron has written the following:

This is an urgent alert released by the cooperative efforts of the MWP/DA groups that also worked on the hurricane Rita scams. This task force is now known as the TISF BlackWorm task force.

This task force involves many in the security (anti spam, CERTs, antivirus, academia, ISP’s, etc.) community and industry, working together to combat threats to the security of the Internet in cooperation with law enforcement globally.

Antivirus companies each have a chosen name for this, but for operational reasons as well as simplicity we choose BlackWorm. This is what we submit for CME. A CME entry should hopefully be created shortly.

Bottom line:
1. Update antivirus urgently.
2. See Snort signatures below.

More, with Snort sigs, here.

There’s no great panic if you’re running a decent antivirus program with the latest signatures.  The people getting infected are probably getting so because they’re not running AV programs and are making the mistake of opening infected emails…

Oh, and confused about all of its names?  Andreas Marx at AV-Test.org gives us this list:

AntiVir: Worm/KillAV.GR
Avast!: Win32:VB-CD [Wrm]
AVG: Worm/Generic.FX
BitDefender: Win32.Worm.P2P.ABM
ClamAV: Worm.VB-8
Command: W32/Kapser.A@mm (exact)
Dr Web: Win32.HLLM.Generic.391
eSafe: Win32.VB.bi
eTrust-INO: Win32/Blackmal.F!Worm
eTrust-VET: Win32/Blackmal.F
Ewido: Worm.VB.bi
F-Prot: W32/Kapser.A@mm (exact)
F-Secure: Email-Worm.Win32.Nyxem.e
Fortinet: W32/Grew.A!wm
Ikarus: Email-Worm.Win32.VB.BI
Kaspersky: Email-Worm.Win32.Nyxem.e
McAfee: W32/MyWife.d@MM
Nod32: Win32/VB.NEI worm
Norman: W32/Small.KI
Panda: W32/Tearec.A.worm
QuickHeal: I-Worm.Nyxem.e
Sophos: W32/Nyxem-D
Symantec: W32.Blackmal.E@mm
Trend Micro: WORM_GREW.A
VBA32: Email-Worm.Win32.VB.bi
VirusBuster: Worm.P2P.VB.CIL

Alex Eckelberry

Update:  The counter has been running high due to a DDoS attack.  See here.

Monday, January 23, 2006

Poorly secured sites being used for phishing scams

I get a wee bit tired of seeing stuff like this.  Sloppy security practices lead to compromises, and people get hurt. 

Phishers commonly compromise legitimate sites and host their scams from them.  Here are two examples that are live right now. 

Here’s one.

Thaiphishingsite

The IP address, 202.29.41.99, belongs to the UniNet Office of Information Technology Administration in Thailand (Whois).

Going up a directory level, we see it’s a simple webmail interface:

Mailthaiphishingsite

All right, no big deal, right?  After all, it’s just a webmail interface, right? (Never mind the irony that it’s the Office of Information Technology Administration). 

Well, let’s move on to Hanvision, a Korean video camera company.  Through its sloppy security practices, this company has given a PayPal phishing site free rein on its web server.

Main page:

Hanvisionmainpagepaypalscam

Phishing site:

Hanvisionpaypalscam

This is absolutely no news to anyone in the security space.  But hopefully, it’s a reminder on basic web server security. Because if your website is insecure, you’re not only putting your company at risk, you’re putting others at risk as well.

 

Alex Eckelberry

What file extensions are naughty or nice?

Interesting stuff from Websense.  They did a study of file extensions typically used in malware installs.

While we are in no way recommending adding filters to blanket-block HTTP traffic by file extension, we thought it would be interesting to share the January 2006 numbers to date on which extensions are the most popular on malicious websites. Note: this does not include phishing or spyware-related websites, but mostly sites that are being used to download Trojan horse downloader code, keyloggers, and backdoors.

Interesting stuff, actually.


(Image from WebSense)

Link here.

 

Alex Eckelberry

 

Broadside against adware: CDT files two complaints against 180Solutions

180ws234234213423423423

“180solutions and its affiliates have caused immeasurable harm, not just to individual Internet users, but to the Internet itself.” — Ari Schwartz, deputy director, CDT

This is big news, people: The Center for Democracy and Technology (CDT) has filed two complaints with the FTC against 180solutions.

According to their press release:

The Center for Democracy &Technology (CDT) today asked the Federal Trade Commission (FTC) to put an end to the illegal and deceptive practices of 180solutions Inc., one of the world’s largest developers of Internet advertising software. In a detailed complaint, CDT outlines a pattern whereby 180Solutions, through a complicated web of affiliate relationships, deliberately and repeatedly attempted to dupe Internet users into downloading intrusive advertising software. The complaint illustrates how 180solutions continued this pattern of practice even after being warned by technology experts, privacy advocates and its own auditors that its practices were unethical, and in several cases, illegal.

The first is a general complaint, backed up by extensive research and investigation, which alleges:

After substantial investigation, it is clear to CDT that, 180solutions’ core business model depends on third-party affiliates committing unfair and deceptive practices on the company's behalf. Therefore, CDT urges the Commission to bring a complaint against 180solutions, not on the grounds of an individual case, but rather in response to a pattern of practice that continues to encourage violations of the Title 5 of the FTC Act.

That’s the first complaint.

The second complaint is against 180Solutions and CJB.Net.  You may remember my blog post back in November about a 2nd grade class site hosted on CJB, where 180solutions software was offered on the site.  CJB has been naughty — you set up a free website on CJB, and then they would offer 180solutions adware to people who go to your free site (I tried this last night, though, and it appears they may have stopped this practice).

So, this second complaint alleges:

CDT discovered through its investigations that 180solutions is engaging in a number of deceptive and unfair practices to distribute its software through its affiliate, CJB.NET.

…Users who sign up for free Web sites hosted by CJB.NET are not told in a clear and conspicuous manner that visitors to their site will be prompted to download software. This constitutes an unfair practice. CJB.NET also uses a deceptive security warning (ActiveX) prompt to dupe people into installing 180solutions’ software, instead of offering users the opportunity to give informed consent. Following the ActiveX prompt, the automatically triggered Web browser windows (pop-ups) soliciting user consent suggest that the site is “supported by advertising.” While most consumers understand a site “supported by advertising” to mean a Web site that contains banner ads delivered by the page, the “advertising” on a CJB.NET Web site actually involves a program that runs continuously and tracks everything that the user does online. As we document in this  complaint, the discrepancy between what users expect a Web site that is “supported by advertising” to do and what CJB.NET-hosted sites actually do are the root cause of several types of unfair and deceptive trade practices. CDT urges the Commission to bring a complaint against 180solutions and CJB.NET for unfair and deceptive practices in the installation of advertising software, in violation of section 5 of the Federal Trade Commission Act (FTC Act).

In the complaints, the CDT referenced research from a number of antispyware superstars, including Chris Boyd, Ben Edelman, Suzi Turner and Sunbelt’s own director of malware research, Eric Howes.

These complaints make for good reading.  180Solutions complaint here (15MB).  180Solutions complaint/CJB.Net complaint here

In response to my request for a comment on this blog posting, Sean Sundwall (180solutions PR guy) emailed me this morning with the following:

We have not yet reviewed the letter filed with the FTC by the CDT, but 180solutions and the CDT share the same vision of protecting the rights and privacy of consumers on the Internet. This shared vision has resulted in a healthy working relationship that has seen great progress in the fight against spyware and benefited consumers around the world. We have made voluntary improvements to address every reasonable concern that the CDT has made us aware of. We hope to continue the productive dialog with the CDT for years to come.

 Alex Eckelberry

Saturday, January 21, 2006

The UK is heading toward a police state

British author and former journalist Henry Porter writes on privacy in the Observer.

He’s spot on about the incredibly rapid deterioration of civil liberties in the UK.

The argument for social control goes like this: if you've done nothing wrong, you have nothing to fear from a national data bank of identity/the terrorism act/the tapping of MPs' phones/the use of the public-order act to control protest and limit free expression/the new powers of arrest/the retention of DNA samples taken from innocent juveniles.

…Make no mistake - we are wiring up for the police state.

Link here via Catherine.

As I continue to repeat, the fear of real or perceived threats has historically been the justification for the biggest assaults on civil liberties.

Furthermore, I’m truly shocked and concerned by what has been happening over in the UK. It’s not only the privacy issues. For example, just glance through the UK section of overlawyered.com. There’s just an extraordinary encroachment of government into people’s lives, under the guise of “safety” and “security” and political correctness — everything from nursery children being made to stay inside, to cutting down fruit trees (so people won’t slip on falling fruit), to having novelty calendars banned. The list is long. Trust me.

Ironically, I’d be scared to live over there. Really. I’d probably be arrested for blogging something in violation of some ridiculous rule.

How’s that for feeling “safe” and “secure”?

Alex Eckelberry

7 day support

We’ve taken the plunge and are now offering 7–day support for our consumer products (toll-free Monday through Friday, and email support on the weekends).  Our tech team did the analysis and came to the conclusion that we can afford to make this move.  And actually, it helps, because our techs were spending a good part of Monday catching up on work from over the weekend.  Now, the work is more spread out.

A few more notes on our support philosophy: All of our US support is here in the US, right here in Tampa Bay at our headquarters (depending on the circumstances, overseas support is done through in-country distributors or by our European sister company).  We also won’t do IVR (interactive voice response) support.  I despise pushing buttons on a phone as a consumer, and so do the rest of our techs.  We get around it by having call screeners answer the phone, so a user will always get a live person who can route them correctly.

I’m not sure how we’re able to do this quality of support with the prices we charge, but it is working so I’m not going to mess with it.

 

Alex Eckelberry

Kama Sutra worm

You may have heard of the so-called Kama Sutra worm (actually, it goes by a number of different names, but it’s being loosely referred to as “Kama Sutra” because one of the email subject lines it uses includes the words “Kama Sutra pics”).

From Sophos:

The W32/Nyxem-D worm (also known as Email-Worm.Win32.VB.bi or W32.Blackmal.E@mm) can spread via email using a variety of pornographic disguises, in an attempt to disable security software. If launched it tries to disable a number of anti-virus and firewall products, and attempts to harvest other email addresses from the infected computer, in an effort to spread itself further.

Anyway, like any good web “marketing” effort, this worm actually reports back to a server that is keeping track of the number of infections.  We did a quick informal check this morning.

At about 12:00 pm EDT, the counter was at 508,728.

Kamasutral1249808

At about 12:15 pm EDT, the counter was at 509,532.

Updatekamasutral1249808

804 infections in 15 minutes.

 

Alex Eckelberry
(Thanks Adam Thomas)

Friday, January 20, 2006

Another fake Google site

Godl234sdfa21lkasdf

Whois.

Updated:  Added another one from the same IP range, guggle(dot)info.

Guggle

Alex Eckelberry

Raze Spyware installs fake keylogger

For the past week, our Spyware Research team has been observing Raze Spyware being silently installed without user consent through various exploits. Raze Spyware is already a long-time member of Eric Howes’ Rogue Anti-Spyware products list. Dubious installation methods are a common practice for these rogue anti-spyware applications. To make matters worse, we have also found a fake keylogger being installed alongside Raze Spyware! The program then alerts the user that they are infected with the "keylogger". What is even more compelling is a transmission from the infected machine to Pills-Catalog.net that revealed a botnet controller.

The WHOIS records for razespyware.net and pills-catalog.net are strikingly similar:

RAZESPYWARE.NET
Registrant: painter co painter (Whois Privacy and Spam Prevention by Whois Source)
255 West 36 Street New York , NY 10018-7555
New York null,23878 US Tel. +212.3002000

PILLS-CATALOG.NET
Registrant: Pant Co Pant (Whois Privacy and Spam Prevention by Whois Source)
Colonnel By Hall A510
New York null,11201 US Tel. +91.2263475146

Shown below is the botnet controller in action, where you can upload or edit files (amongst other activities). Conveniently enough, we see keylogger32.exe, which is the file that magically ends up in the WINDOWS\system32 directory.

Fakevirus23432434

 

I think RazeSpyware has some explaining to do.

 

Adam Thomas
Spyware Research

Thursday, January 19, 2006

On the heels of da gubmint subpoenaing the search engines

You’ve invariably heard the latest buzz on the ‘net — Google and other search engines being subpoenaed for search records.

Well I say let’s be overt about the whole thing.  Seize my searches! 

That’s why I’ve set my home page to Patriot Search!

 

Alex Eckelberry
(Hat tip to John Murrell)

Humor: How to be hired as a penetration tester

(A pen-tester is hacker lexicon for “penetration tester” — a “white hat” hacker.)

The SecuriTeam blog has a very funny satire on “how to be hired as a pen tester”:

Rule 1 - You can’t run Windows. Seriously, don’t even consider showing up to a Con|interview|class|etc with Windows. Even if you have to run a CD distro, or OpenBSD at runlevel 3, you must do it. You will be scoffed at and not taken seriously with a Windows machine. For bonus points, put con stickers or anti-Microsoft stickers on the laptop. You get extra bonus points if you’re running a Mac. Just pull up Safari and browse over to Slashdot. Yeah, you’re rolling hardcore now.

Rule 2 - You must have complete and utter disdain for any authority figure. You’re the rebel - the misunderstood creative genius. Act the part.

More here.

 

Alex Eckelberry
(Hat tip to Gadi Evron)

Mac Security site defaced

Macintoshsecurity.com has been hacked. Well, it’s ironic, I guess.  (Warning:  Very foul language.)

Macsecurity21342343

1/20 clarification:   In case you were confused, the webserver is not a Mac — as a passerby mentioned, it’s running on Linux (Netcraft).

Alex Eckelberry
(Originally reported on Funsec)

Mark Russinovich responds to the WMF conspiracy theory

There has been a bit of a debate over Steve Gibson’s recent postulate that the WMF exploit was possibly a backdoor deliberately put into Windows by Microsoft or a rogue Microsoft programmer.

From Steve in introducing his podcast on the subject:

Leo and I carefully examine the operation of the recently patched Windows MetaFile vulnerability. I describe exactly how it works in an effort to explain why it doesn't have the feeling of another Microsoft "coding error". It has the feeling of something that Microsoft deliberately designed into Windows. Given the nature of what it is, this would make it a remote code execution "backdoor". We will likely never know if this was the case, but the forensic evidence appears to be quite compelling.

Link here.

Windows internals expert Mark Russinovich responds to Steve’s comments with a new blog entry that puts the matter to rest: it is almost certainly not a backdoor, just poor design:

The vulnerability is subtle enough that the WINE project, whose intent is to implement the Windows API for non-Windows environments, copied it verbatim in their implementation of PlayMetaFile. A secret backdoor would probably have been noticed by the WINE group, and given a choice of believing there was malicious intent or poor design behind this implementation, I’ll pick poor design. After all, there are plenty of such examples all throughout the Windows API, especially in the part of the API that has its roots in Windows 3.1. The bottom line is that I'm convinced that this behavior, while intentional, is not a secret backdoor.

Link here.

Alex Eckelberry
(Hat tip to Larry Seltzer)

 

Advertising in video games redux

Back in early December, I blogged about advertising in video games.

Well, Ars Technica writes about Subway’s advertising in Counter-Strike:

"That's exactly what SUBWAY® found when one of its largest local advertising agencies tapped Engage to develop an in-game advertising strategy targeting men 18 to 34 in several designated market areas, including San Francisco, Las Vegas and Sacramento. The objective for the in-game campaign was to increase awareness around the SUBWAY® $2.49 daily special and drive sales from the restaurant's heavy users."

Link here.

Alex Eckelberry
(Thanks Jarrett)

Wednesday, January 18, 2006

Conflicting results

Regarding my last post on PestTrap, I will be re-running the scans later tonight or tomorrow morning at virusscan.jotti.org and virustotal.com.  I’m not confident in the scans we had posted earlier and have removed them for the time being. 

Alex Eckelberry

 

A variant of the infamous SpySheriff is on the loose

SpySheriff is one of those nasty rogue antispyware applications that we’re all seeing out there.  

They have a new variant, PestTrap, downloadable from pesttrap(dot)com.

Pesttrapcom234s1

(Virusscan.jotti.org and Virustotal.com results temporarily removed due to some uncertainties in the results… hopefully will repost later)

 

Alex Eckelberry
(Thanks Patrick Jordan)

 

Tuesday, January 17, 2006

Microsoft on why people turn off the firewall in OneCare

Windows OneCare (like Vista) has a two-way firewall that filters outbound as well as inbound connections, unlike XP’s firewall, which only filters inbound traffic.

The OneCare team found out that a bunch of people had been turning off their firewall and decided to find out why:

Based on our investigation, there are four primary reasons people are turning off their firewall.

    1. Do not think a software firewall is necessary
    2. Do not like the (sometimes incessant) pop-up dialogs
    3. An application failed to install with firewall turned on
    4. An application fails to work with firewall turned on

More here.

 

Alex Eckelberry

 

Is Text Messaging Making our Kids Illiterate?

Kids take to new technology like flies to honey. Among many older folks, it's conventional wisdom that if you've been flummoxed by your computer, video recorder or other high tech gadget, the quickest and cheapest way to solve the problem is to call in a twelve year old to fix it. Lots of kids today grow up with a keyboard in one hand and a joystick in the other.

There are plenty of benefits to introducing kids to tech devices early. Using the devices becomes second nature to them, so the learning curve is less steep. Playing video games helps to develop hand-eye coordination. They learn multi-tasking skills from juggling several computer programs at once. Surfing the Web can expose them to a vast array of knowledge that wasn't available to those of us who grew up without the availability of commercial Internet services, even in some of our best libraries. And kids can have a rich social life and meet a much more diverse group of people to which they might never be exposed in their own hometowns. They can also stay in touch with family members and friends, both local and those who live at a distance, much more easily.

Unfortunately, there are potential harmful effects, in addition to the positive ones. Many parents worry that violent video games may desensitize children to violent behavior in real life, and that the Web will lead them to pornography or hate groups as well as information for completing their schoolwork. The people your kids meet online can be good influences - or they could be pedophiles posing as other children to lure unsuspecting youngsters into their traps.

Some experts fear that even in the innocuous communications with people they know, kids may be exposing themselves to hidden ill effects. For example, one type of communication that's very popular with teenagers is real-time chat. This includes Web-based chat, use of IRC (Internet Relay Chat) programs, Instant Messaging services such as those offered by MSN, AOL and Yahoo, as well as SMS messaging via cell phones.

In order to type their messages more quickly, kids often use a type of phonetic shorthand instead of grammatically correct, properly spelled sentences. For example: "R U going 2?" is much faster and easier to type than "Are you going, too?" This becomes an especially attractive option when using a small keyboard like those on cell phones.

But is this making kids illiterate? Educators, parents and others are divided on that question. Some folks argue that language is always evolving, and newer and more efficient spellings are a good thing. After all, a glance at a page of Olde English will show you that we don't use the same spellings now that our ancestors used. Other, more pessimistic folks say IM isn't so much making kids illiterate as reflecting the growing illiteracy of younger generations.

Some researchers have concluded that teens are able to slip easily between the abbreviations and conventional spelling, but some teachers say they're seeing the messaging lexicon show up in kids' school work. Does Shakespeare lose something in translation to "2 b R not 2 b"?

Some experts say the problem is not the lingo itself, but the fact that kids are unable to differentiate between when it is and isn't appropriate. Like slang and other informal language, what's okay for chatting with peers is not acceptable when writing an essay - or applying for a job.

What do you think? Is the growing use of "Internet jargon" a problem, or is it just a fad that kids will outgrow as they get older? And if it is causing kids to be less literate, what can be done about it? Should parents prohibit their children from using IM and SMS? That was the solution of the father in this article here.

Deb Shinder

Spammer pleads uncle

Pity the poor spammer.

Darren Brothers reports that Alex Polyakov, the target of his Kick a Spammer in the Nuts Daily retaliatory campaign, has cried uncle.

Brothers says he got a call early this morning from Polyakov. (Brothers has posted a WAV file of the call. I created a smaller MP3 version of the recording, which can be downloaded here.) On the tape, an excited Polyakov complains that Brothers' "Refi Retaliator" program is "killing my business."

Link here (with audio!) via Ferg.

 

Alex Eckelberry

Two significant additions to the Sunbelt team

Today, we announced two significant hires:  Eric Howes, who is now our new Director of Malware Research and Joe Wells, who is joining us as Chief Scientist, Security Research.

Eric is a well known antispyware researcher and one of the most widely quoted authorities on the problems of spyware and adware. You’ll know his work on Spywarewarrior.com running the Rogue/Suspect Anti-Spyware list and his extensive work in antispyware testing.  Eric has had an independent consulting relationship with Sunbelt since the fall of 2004, and dealing with him has been highly enjoyable.  He is a truly valued addition to our team.

The second addition is veteran security expert Joe Wells as chief scientist, security research.  Joe was previously the chief antivirus architect at Fortinet and is one of the most widely known authorities on malware threats — having worked in key R&D positions at Trend Micro, Symantec, Certus and IBM’s Thomas Watson Research Center.   He is also the founder of the well-known Wildlist. You can see his full CV here. Joe has an amazing background and it’s been a rare treat and an honor to have spent time with him discussing our future plans.  Oh, and talk about war stories – Joe has seen it all.

I’m truly thrilled to have these two new members of our team, as we see Sunbelt moving into new realms.  

More corporate propaganda on Joe here and Eric here.

Alex Eckelberry

 

Saturday, January 14, 2006

WMF Update: Win 9x patch for the concerned

If you’re really worried about the WMF exploit and your old Windows 9x system, there is a new open source fix here (via funsec).

My advice?  Don’t play around with unsupported hotfixes for something that, based on the best data available, is not a significant issue.  Keep your AV sigs updated and move on.  

And remember that malware authors themselves are interested in market share.  We’re increasingly seeing malware authors not even bother with compatibility for this platform.  It’s a real hassle to write low-level code for both the NT kernel and Windows 9x.  In other words, Windows 9x is a waste of their time.   See the OS platform trends here.

Alex Eckelberry

WMF Update: Microsoft clarifies Win 9x vulnerability

There is a very good blog writeup by Stephen Toulouse at Microsoft as to why WMF is not a “Critical” issue on the Windows 9x platform.

It’s technical, but if you can wade through it, it’s well worth the read. 

With WMF we want to be very clear: the Windows 9x platform is not vulnerable to any "Critical" attack vector. The reason Windows 9x is not vulnerable to a "Critical" attack vector is because an additional step exists in the Win9x platform: When not printing to a printer, applications will simply never process the SetAbortProc record. Although the vulnerable code does exist in the Win9x platform, all "Critical" attack vectors are blocked by this additional step. The remaining attack vectors that we have identified require extensive user interaction and are not rated "Critical". Again the "Critical" rating refers to code execution attacks that could result in automated attacks requiring little or no user interaction.  

Link here through Larry Seltzer.
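The SetAbortProc record Microsoft describes is also the thing a file scanner can look for: a legitimate image has no reason to carry a printer abort-procedure escape. The following Python is an added example, not code from the original post, Microsoft or Sunbelt. It walks the WMF record stream (skipping the optional placeable header), and returns the offsets of every META_ESCAPE record whose escape number is SETABORTPROC. The record-type and escape constants are from the public WMF format; the two sample files are constructed inline, and the function names are mine. Note that it checks the file, not the rendering path, so Microsoft’s point that Win9x only reaches SetAbortProc when printing does not make a flagged file safe to open elsewhere.

```python
import struct

# WMF format constants (public Windows Metafile format values, not from the post)
PLACEABLE_KEY = 0x9AC6CDD7   # magic number of the optional 22-byte placeable header
META_EOF = 0x0000
META_ESCAPE = 0x0626         # record type that carries printer escapes
SETABORTPROC = 0x0009        # escape number whose handler the exploit abused


def _record(func, params=b""):
    """Encode one WMF record: DWORD size in WORDs, WORD function, parameters."""
    assert len(params) % 2 == 0, "WMF records are WORD-aligned"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records):
    """Wrap records in a standard 18-byte WMF header plus a META_EOF record."""
    body = b"".join(records) + _record(META_EOF)
    max_record = max((len(r) // 2 for r in records), default=3)
    # Type=1 (memory), HeaderSize=9 words, Version=0x0300, Size in words,
    # NumberOfObjects=0, MaxRecord, NumberOfMembers=0
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max_record, 0)
    return header + body


def find_setabortproc_records(data):
    """Walk the record stream and return offsets of META_ESCAPE records whose
    escape number is SETABORTPROC. Raises ValueError on a malformed stream."""
    offset = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        offset = 22                              # skip the placeable header
    if len(data) < offset + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, offset + 2)[0]
    if header_words != 9:
        raise ValueError("unexpected WMF header size")
    offset += header_words * 2

    hits = []
    while offset + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, offset)
        if size_words < 3 or offset + size_words * 2 > len(data):
            raise ValueError("malformed record size at offset %d" % offset)
        if func == META_EOF:
            break
        if func == META_ESCAPE and size_words >= 4:
            escape = struct.unpack_from("<H", data, offset + 6)[0]
            if escape == SETABORTPROC:
                hits.append(offset)
        offset += size_words * 2
    return hits


def is_suspicious(data):
    """True if the file contains any SETABORTPROC escape."""
    return bool(find_setabortproc_records(data))


# Constructed samples: a harmless image and one carrying a SETABORTPROC escape.
BENIGN_WMF = build_wmf([
    _record(0x020B, struct.pack("<hh", 0, 0)),        # META_SETWINDOWORG
    _record(0x020C, struct.pack("<hh", 100, 100)),    # META_SETWINDOWEXT
])
SUSPECT_WMF = build_wmf([
    _record(0x020B, struct.pack("<hh", 0, 0)),
    # escape number, byte count, then the bytes the abort procedure would
    # point at; 0x90 NOPs stand in for shellcode in this constructed sample
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x90" * 4),
])


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF)):
        print(name, find_setabortproc_records(blob))
```

Running it prints an empty list for the benign sample and the offset of the escape record for the suspect one. To check real files, read them in binary mode and pass the bytes to `is_suspicious`; a ValueError means the record stream is malformed, which is itself worth a look.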

 

Alex Eckelberry

Download disasters

Our friends at SiteAdvisor (introduced to the world through Ben Edelman’s original article) have a new blog posting up about “download disasters”:

When we first started crawling the Web looking for bad downloads last year, we weren't sure what we'd find. Today, a million Web sites and 140,000 download tests later, I can say with confidence that there are some great programs to be downloaded out there. I can say with equal confidence that there's also plenty of train wrecks waiting to happen to your PC.

Link here with lots of pics.

 

Alex Eckelberry

Friday, January 13, 2006

Sunbelters in the wild

We’re going to be a peripatetic crew over the next several months.  You’ll see Sunbelters floating around at the Antispyware Coalition Workshop in DC (we still haven’t joined – link here to a somewhat dated post – but there’s good reasons to go and check things out), the upcoming RSA conference and InfoSec. We won’t have a booth at RSA but we will have one at InfoSec.

So look out for us, and if you’d like to schedule a meeting, drop us a line.

Alex Eckelberry

Thursday, January 12, 2006

Sicko using kid site to download spyware and porn

Until Jan 6, 2006, Corypaints(dot)com was a kids’ site.  The whois record on Jan 1, 2006 showed it as pending delete.  It was then taken over by a spyware gang that deals in porn.

Let’s take a look at the front page:

Coreyspaintfrongpage

Never mind the kids’ content.  It’s being pulled from old material.

Let’s do a search in google for “cory paints”, and these are the types of results you’ll get:

Corypaintsseaerchersults 

If you type the same search in, but add “site:corypaints.com”, you get links to corypaints(dot)com directories with really sick links (not for the faint of heart):

Private familysex video download
Free dad & daughter f----
schoolgirl rapecom
Mother and teen son porn
Real rape scenes and stories

Clicking on these links results in an attempted WMF exploit to infect you with spyware.

The lengths these slimeballs will go to to infest a machine just boggle the mind. 

 

Alex Eckelberry
(Thanks Sunbelt spyware researcher Patrick Jordan)

Migrating to Feedburner

I’m gradually migrating feeds to Feedburner.  Don’t worry — your Atom RSS feeds will work just fine for a long time.  But if you’d like to get on my Feedburner feed, you can get it from this link.

Alex Eckelberry

An object lesson on why it's so important to patch

Sunbelt researcher Patrick Jordan has been researching a nasty group of sites, including toolbarcool(dot)biz.

These guys will do anything to get on your machine.

First, it tries to infect you through a (long-patched) compiled help file (CHM) exploit.

If that fails, it goes ahead and does a two-for-one special — it attempts to infect through both the WMF exploit and the JavaScript exploit.  Both of these exploits are fairly recent:  the JavaScript exploit was patched on December 12th, 2005 and the WMF exploit on January 5th, 2006.

Video here.

Toolbarcool23498a123243

Here are the URLs:

Iframecash(dot)biz
Toolbarbest(dot)biz
Toolbarbucks(dot)biz
Toolbarcool(dot)biz
Toolbardollars(dot)biz
Toolbarmoney(dot)biz
Toolbarnew(dot)biz
Toolbarsale(dot)biz
Toolbarweb(dot)biz
newtoolbar(dot)biz

Alex Eckelberry

Wednesday, January 11, 2006

Anatomy of a malicious hosts file hijack

Just for kicks and giggles, Patrick Jordan took apart a hosts file hijack that resulted in an obscenely accurate spoof of a Bank of America site — and a large number of other financial institutions.

Here’s how the Bank of America site looks before the hijack:

Bofaoriginal

Bofaping

Here’s what it looks like after.  It’s very convincing:

Bofawebpagechanged

Bofachanged

(Notice the new IP address.)

Here are the hosts file entries that were added, as they appear in a HijackThis log (the O1 section lists hosts file redirections):

O1 - Hosts: 216.32.94.147 www.bankone.com
O1 - Hosts: 216.32.94.147 bankone.com
O1 - Hosts: 216.32.94.147 halifax.com
O1 - Hosts: 216.32.94.147 www.halifax.com
O1 - Hosts: 216.32.94.147 halifax.co.uk
O1 - Hosts: 216.32.94.147 www.halifax.co.uk
O1 - Hosts: 216.32.94.147 www.bankofamerica.com
O1 - Hosts: 216.32.94.147 bankofamerica.com
O1 - Hosts: 216.32.94.147 www.paypal.com
O1 - Hosts: 216.32.94.147 paypal.com
O1 - Hosts: 216.32.94.147 www.lloydstsb.com
O1 - Hosts: 216.32.94.147 lloydstsb.com
O1 - Hosts: 216.32.94.147 www.lloydstsb.co.uk
O1 - Hosts: 216.32.94.147 lloydstsb.co.uk
O1 - Hosts: 216.32.94.147 www.bbvanet.com
O1 - Hosts: 216.32.94.147 bbvanet.com
O1 - Hosts: 216.32.94.147 www.bancopostaonline.poste.it
O1 - Hosts: 216.32.94.147 bancopostaonline.poste.it
O1 - Hosts: 216.32.94.147 www.poste.it
O1 - Hosts: 216.32.94.147 poste.it
O1 - Hosts: 216.32.94.147 www.credem.it
O1 - Hosts: 216.32.94.147 credem.it
O1 - Hosts: 216.32.94.147 www.creval.it
O1 - Hosts: 216.32.94.147 creval.it
O1 - Hosts: 216.32.94.147 www.gruppocarige.it
O1 - Hosts: 216.32.94.147 gruppocarige.it
O1 - Hosts: 216.32.94.147 www.rasbank.it
O1 - Hosts: 216.32.94.147 rasbank.it
O1 - Hosts: 216.32.94.147 www.bancagenerali.it
O1 - Hosts: 216.32.94.147 bancagenerali.it
O1 - Hosts: 216.32.94.147 www.garanti.com.tr
O1 - Hosts: 216.32.94.147 garanti.com.tr
O1 - Hosts: 216.32.94.147 www.kocbank.com.tr
O1 - Hosts: 216.32.94.147 kocbank.com.tr
O1 - Hosts: 216.32.94.147 www.disbank.com.tr
O1 - Hosts: 216.32.94.147 disbank.com.tr
O1 - Hosts: 216.32.94.147 www.cassarimini.it
O1 - Hosts: 216.32.94.147 cassarimini.it
O1 - Hosts: 216.32.94.147 www.unicredit.it
O1 - Hosts: 216.32.94.147 unicredit.it
O1 - Hosts: 216.32.94.147 www.chase.com
O1 - Hosts: 216.32.94.147 chase.com
O1 - Hosts: 216.32.94.147 www.southtrust.com
O1 - Hosts: 216.32.94.147 southtrust.com
O1 - Hosts: 216.32.94.147 www.wachovia.com
O1 - Hosts: 216.32.94.147 wachovia.com
O1 - Hosts: 216.32.94.147 www.wellsfargo.com
O1 - Hosts: 216.32.94.147 wellsfargo.com
O1 - Hosts: 216.32.94.147 www.barclays.co.uk
O1 - Hosts: 216.32.94.147 barclays.co.uk
O1 - Hosts: 216.32.94.147 www.barclays.com
O1 - Hosts: 216.32.94.147 barclays.com
O1 - Hosts: 216.32.94.147 www.barclays.pt
O1 - Hosts: 216.32.94.147 barclays.pt
O1 - Hosts: 216.32.94.147 www.barclays.pt
O1 - Hosts: 216.32.94.147 barclays.pt
O1 - Hosts: 216.32.94.147 online.cassarimini.it
O1 - Hosts: 216.32.94.147 www.bancacarim.it
O1 - Hosts: 216.32.94.147 bancacarim.it
O1 - Hosts: 216.32.94.147 www.citi.com
O1 - Hosts: 216.32.94.147 citi.com
O1 - Hosts: 216.32.94.147 www.citibank.com
O1 - Hosts: 216.32.94.147 citibank.com
O1 - Hosts: 216.32.94.147 www.etrade.com
O1 - Hosts: 216.32.94.147 etrade.com
O1 - Hosts: 216.32.94.147 www.neteller.com
O1 - Hosts: 216.32.94.147 neteller.com
O1 - Hosts: 216.32.94.147 tcfbank.com
O1 - Hosts: 216.32.94.147 www.tcfbank.com
O1 - Hosts: 216.32.94.147 hsbc.com
O1 - Hosts: 216.32.94.147 www.hsbc.com
O1 - Hosts: 216.32.94.147 hsbc.co.uk
O1 - Hosts: 216.32.94.147 www.hsbc.co.uk

216.32.94.147 is hosted in the United States.
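A hijack like this is easy to spot mechanically: on an end-user machine the hosts file should only map names to loopback or local addresses, and dozens of unrelated banks collapsing onto one public IP is the signature of a phishing redirect. The following Python is an added example, not code from the original post or from Sunbelt. It parses either a raw hosts file or HijackThis “O1 - Hosts:” lines, reports every entry that points at a non-local address, and groups those entries by destination IP. The two inputs are constructed samples (the address is the one from the log above); the threshold, function names and the “local address” definition are my assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inputs for this example (not captured from a real machine).
SAMPLE_HOSTS = """\
# hosts file with legitimate local entries plus a phishing redirect
127.0.0.1       localhost
::1             localhost
192.168.1.10    intranet.example.internal   # hypothetical LAN host
216.32.94.147   www.bankofamerica.com
216.32.94.147   bankofamerica.com
216.32.94.147   www.paypal.com
216.32.94.147   paypal.com
216.32.94.147   www.hsbc.co.uk
"""

HIJACKTHIS_LOG = """\
O1 - Hosts: 216.32.94.147 www.bankone.com
O1 - Hosts: 216.32.94.147 bankone.com
O1 - Hosts: 216.32.94.147 www.barclays.co.uk
"""

O1_PREFIX = "O1 - Hosts:"   # HijackThis marks hosts file entries as section O1


def parse_hosts(text):
    """Return (ip_address, hostname) pairs from hosts file text or from a
    HijackThis log excerpt; comments, blank lines and unparsable addresses
    are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(O1_PREFIX):
            line = line[len(O1_PREFIX):].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((addr, name.lower()))
    return entries


def _is_local(addr):
    """Addresses a hosts file legitimately points at on an end-user machine
    (assumption for this example; a corporate build may allow more)."""
    return (addr.is_loopback or addr.is_private
            or addr.is_link_local or addr.is_unspecified)


def find_hijacks(text, min_fan_in=2):
    """Return (overrides, sinkholes): every hostname pointed at a non-local
    address, and the non-local addresses onto which at least min_fan_in
    distinct domains (leading 'www.' stripped) have been collapsed."""
    overrides = []
    fan_in = defaultdict(set)
    for addr, name in parse_hosts(text):
        if _is_local(addr):
            continue
        overrides.append((name, str(addr)))
        domain = name[4:] if name.startswith("www.") else name
        fan_in[str(addr)].add(domain)
    sinkholes = {ip: sorted(d) for ip, d in fan_in.items() if len(d) >= min_fan_in}
    return overrides, sinkholes


def scan_file(path):
    """Run the check against a real hosts file, e.g.
    C:\\Windows\\System32\\drivers\\etc\\hosts on XP or /etc/hosts elsewhere."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read())


if __name__ == "__main__":
    for label, sample in (("hosts", SAMPLE_HOSTS), ("hijackthis", HIJACKTHIS_LOG)):
        overrides, sinkholes = find_hijacks(sample)
        print("%s: %d non-local entries" % (label, len(overrides)))
        for ip, domains in sinkholes.items():
            print("  %s <- %s" % (ip, ", ".join(domains)))
```

Any single non-local entry is worth a question; several financial domains on one IP, as in the log above, is a hijack until proven otherwise. The obvious false positives are deliberate ad-blocking hosts files (which point names at 0.0.0.0 or 127.0.0.1 and so pass the local-address check) and corporate overrides to internal addresses, which the private-range check also lets through.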

I ran the trojan through Virustotal.com, and a number of AV engines detect it.  You can see the results below (“No virus found” means that the antivirus engine did not detect the trojan I submitted):

Antivirus       Version          Result
NOD32v2         1.1362           Win32/TrojanDownloader.Small.ARJ
Norman          5.70.10          W32/Downloader
Kaspersky       4.0.2.24         Trojan-Downloader.Win32.Small.arj
BitDefender     7.2              Trojan.Downloader.Smalldldr.A
DrWeb           4.33             Trojan.DownLoader.5860
VBA32           3.10.5           Trojan.DownLoader.5860
AntiVir         6.33.0.77        TR/Dldr.Smalldldr.A
Avira           6.33.0.77        TR/Dldr.Smalldldr.A
Panda           9.0.0.4          Suspicious file
Fortinet        2.54.0.0         PossibleThreat
Ewido           3.5              Downloader.Small.arj
AVG             718              Downloader.Generic.OZZ
F-Prot          3.16c            Could be infected with an unknown virus
Avast           4.6.695.0        No virus found
CAT-QuickHeal   8                No virus found
ClamAV          devel-20051123   No virus found
eTrust-Iris     7.1.194.0        No virus found
eTrust-Vet      12.4.1.0         No virus found
Ikarus          0.2.59.0         No virus found
Sophos          4.01.0           No virus found
Symantec        8                No virus found
TheHacker       5.9.2.071        No virus found
UNA             1.83             No virus found
McAfee          4672             No virus found

(Graphic here.)

Interested in more?  Watch this video here.

 

Alex Eckelberry