Smokey's Security Forums

Topic: Sunbelt Blog

Gilbert

  • Updates Moderator
  • Offline
  • location: Arctic
  • Posts: 5888
Five years ago today on the Sunbelt Blog
« Reply #144 on: March 05, 2010, 08:01:16 PM »
Five years ago today on the Sunbelt Blog
5 March 2010, 7:24 pm

“Is Spyware Real?”

March 4, 2005: Sunbelt Software CEO Alex Eckelberry blogged his disagreement with comments made by AV pioneer Eugene Kaspersky about a new thing called “spyware.”

Alex quoted him as saying: "The term spyware is basically a marketing gimmick... Just to separate new ersatz-security products from traditional ones, just to push almost zero-value products to the security market."

The Sunbelt CEO explained that spyware was real and traditional AV vendors were ignoring it: “The term ‘spyware’, obviously, is a broad term encompassing lots of different categories of malware. Really, what people mean when they say spyware is ‘adware’ -- stuff that loads your machine up with junk ads, turns it into the equivalent of an electronic toaster, and makes your life hell.”

He also pointed readers to a March 1, 2005, PCWorld review that found that Sunbelt’s CounterSpy anti-spyware product caught 85 percent of a test set of 81 adware and spyware samples.

Today, five years later, more than 47,000 detections (of the total 13 million detections) in the VIPRE and CounterSpy signature database are classified as “adware.”

Sunbelt now sells a range of full-blown anti-malware products. They do much better than 85 percent detections and have VB100 certification as well.

Sunbelt Software has grown a bit in five years. VIPRE version 4.0 just shipped and the office space that held the entire company in 2005 is now mostly our server room.

Read 2005 blog post here:  Is Spyware Real?

Tom Kelchner

Source: Sunbelt Blog

>> To obtain the full Sunbelt blog post, click the link in the first post line <<

Gilbert
Search engine bait and switch
« Reply #143 on: March 05, 2010, 06:00:27 PM »
Search engine bait and switch
5 March 2010, 5:34 pm

Our good friends at F-Secure AV company have blogged about a new and significant malcode-delivery technique: publishing a web page with a .pdf file on it then changing the .pdf link to something malicious after search engines index the page.

What they found delivered a rogue security product (but of course.)

Nice work F-Secure.

F-Secure blog piece here.

Yes, it's one more creepy thing on the Internet, as if we need any more. The lesson for us all:

-- be aware that it is possible,

-- keep alert for the mechanism

-- keep your AV protection running and updated. (Shameless plug: VIPRE version 4.0 came out this week. Check it out here.)

Tom Kelchner

Source: Sunbelt Blog
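The bait-and-switch described in the post above only works because nobody compares the page the search engine indexed with the page that is live later. The following is an added example (not code from Sunbelt or F-Secure) of a defender-side link-drift monitor: it snapshots the links a page exposed at index time and later diffs the live page against that snapshot, escalating the finding when a link that used to be a .pdf now leaves the site or serves an executable. Host names, page contents and function names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _LinkCollector(HTMLParser):
    """Collect (anchor text, absolute href) pairs from an HTML document."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._href = urljoin(self.base_url, href)
                self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def snapshot_links(html, base_url):
    """Return {anchor text: absolute href} for every link on the page.

    Links are keyed by anchor text because that is what a human (and the
    search-engine snippet) sees; two links with identical text collapse.
    """
    parser = _LinkCollector(base_url)
    parser.feed(html)
    return dict(parser.links)


def link_drift(indexed, live, site_host):
    """Diff a live snapshot against the one taken at index time.

    Returns (anchor text, old href, new href, reason) for each link whose
    target changed. A link that was a .pdf when indexed gets a sharper
    reason if it now points off-site or resolves to an executable.
    """
    findings = []
    for text, old in indexed.items():
        new = live.get(text)
        if new is None or new == old:
            continue
        reason = "target changed"
        if urlparse(old).path.lower().endswith(".pdf"):
            if urlparse(new).hostname != site_host:
                reason = "pdf link now points off-site"
            if urlparse(new).path.lower().endswith((".exe", ".scr", ".bat")):
                reason = "pdf link now serves an executable"
        findings.append((text, old, new, reason))
    return findings


# Constructed sample input (hypothetical host names, not from the blog post).
SITE_URL = "https://example-site.test/"
INDEXED_HTML = ('<a href="/docs/report.pdf">Annual report (PDF)</a> '
                '<a href="/about">About us</a>')
LIVE_HTML = ('<a href="http://cdn-example.test/setup.exe">Annual report (PDF)</a> '
             '<a href="/about">About us</a>')


def demo():
    """Run the comparison on the constructed before/after snapshots."""
    indexed = snapshot_links(INDEXED_HTML, SITE_URL)
    live = snapshot_links(LIVE_HTML, SITE_URL)
    return link_drift(indexed, live, "example-site.test")
```

In practice the indexed snapshot would be stored when the crawler (or the site's own monitoring) first sees the page, and `link_drift` run on each re-fetch.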

Gilbert
Patch Tuesday coming next week
« Reply #142 on: March 05, 2010, 06:00:25 PM »
Patch Tuesday coming next week
5 March 2010, 3:40 pm

Microsoft has issued an advance notification for Patch Tuesday next week. The company said it expects to issue two patches, one for Windows and one for Office. Both are intended to patch vulnerabilities that could allow remote code execution and both are rated “important.”

Microsoft Security Bulletin Advance Notification for March 2010 here.

Tom Kelchner

Source: Sunbelt Blog

Gilbert
Chat with malcode
« Reply #141 on: March 04, 2010, 09:02:12 PM »
Chat with malcode
4 March 2010, 7:40 pm

It’s time for your daily dose of “spot the fake program / avoid the fake program”.

What is it this time? Well, if you have family members who are into webcams and chatting you might want to point them to this writeup because a new challenger has entered the ring:

Yes, “Chat Cam” is a rather smart looking (and entirely fake) program designed to make end users think they’re taking part in a large community of webcam owners. Clearly, the creator had the recently launched Chatroulette in mind when they made this one (if you’re not familiar with it, Chatroulette is a site where you jump from webcam chat to webcam chat over and over again, all within one large community of strangers. In practice, you tend to mash the “Next” button endlessly as one “chat” after another fails to materialise). This is what Chatroulette looks like – you’ll notice the similarity as we move further into the writeup:

Meanwhile, this is what our “Chat Cam” looks like when you fire it up – notice how slick it is, along with the well crafted options it gives the user to play with:

Did you notice the “online users” count at the bottom of those two screenshots?  Here it is again. Notice anything?

That’s right - it changes randomly, which is a particularly convincing touch. Note that Chatroulette also displays the number of users online in the top right hand corner. Hit the “Start a chat” button, and the application dumps you into a pretend conversation with any one of a large selection of usernames stored in the program database. It has a very similar feel to the Chatroulette chatbox:

Unsurprisingly, the webcam never loads – and the chat never gets beyond the first line or two of text. The fake bot “disconnects”, and the user is left to go right back and hit the “Start chat” button all over again. What’s particularly interesting here is that it apes the actual Chatroulette experience brilliantly – for me, anyway. When I tried it out a couple of days ago, every single chat I jumped into was a carbon copy of the above screenshot.

Of course, everything above is purely academic by this point – end users are doomed the moment they fire up the executable, as it’ll have been wrapped up tightly with a random infection file. There seems to be a bit of a trend for fake webcam apps mashed up with infection files at the moment – in particular, programs that do something similar to the above but loop fake “webcam footage” (usually ripped from Youtube videos) are very popular on underground forums.

Whatever you do, be wary of programs trying to cash in on the popularity of webcam chats with strangers – as you can see, fake a/s/l information is the least of your worries...

Paper Ghost

Source: Sunbelt Blog

Gilbert
The Internet as a moral ground
« Reply #140 on: March 04, 2010, 07:00:58 PM »
The Internet as a moral ground
4 March 2010, 4:58 pm

“…in that space one can easily indulge in depravity, lies, vulgarity...”

Here’s a sort of comment about the Internet that you don’t see much in the news.

The Russian government news service RiaNovosti is reporting that Patriarch Kirill of Moscow and All Russia (head of the Russian Orthodox Church), told school students in Moscow that "Nowadays the Internet is a kind of laboratory where an individual should be formed and where a character should be sharpened."

“He also said the Internet has become ‘an examination on our authenticity, an enormous power challenge’ as in that space one can easily indulge in depravity, lies, vulgarity, and the desire to lash out with aggression and impunity,” the news service reported.

Story here: “Internet is examination for human race - Patriarch Kirill"

Created in 1991, RiaNovosti traces its history back through various Soviet/Russian government news agencies to the 1941 Soviet Information Bureau. That bureau (Sovinformburo) was set up by the USSR Council of People’s Commissars and the Central Committee to provide international news and coverage of military events and domestic life.

Its web site includes links to Pravda.ru’s space-aliens-land-in-Russia-type tabloid fare as well as pro-government news in eight languages. The “Strange but True” section is a scream (http://en.rian.ru/strange/)

Check out the piece: “Two-headed calf born in Estonia.” A two-headed animal, once seen as a predictor of impending war, is now viewed as an omen foretelling an improving economy -- at least according to the farmer who owns it. Maybe the U.S. Federal Reserve Board should get one.

Tom Kelchner

Source: Sunbelt Blog

Gilbert
Malicious iframes on Google-analitics(dot)net
« Reply #139 on: March 04, 2010, 04:00:38 PM »
Malicious iframes on Google-analitics(dot)net
4 March 2010, 3:27 pm

Right! A site registered in the state of “Taliban.”

You’re really going to go to a site with this registration:

Nice work SANS.

Thanks to Daniel Wesemann at SANS:

http://isc.sans.org/diary.html?storyid=8350

Tom Kelchner

Source: Sunbelt Blog

Gilbert
U.S. Census Bureau warning of phishing scams
« Reply #138 on: March 04, 2010, 04:00:36 PM »
U.S. Census Bureau warning of phishing scams
4 March 2010, 3:03 pm

The U.S. Census Bureau is warning of phishing and other scams that are using the 2010 Census as bait. Here is the warning from the bureau’s web site:

If you are contacted for any of the following reasons -- Do Not Participate. It is NOT the U.S. Census Bureau.

Phishing:

'Phishing' is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, social security numbers, bank account or credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by email and it often directs users to enter sensitive information at a fake web site whose look and feel are almost identical to the legitimate one.

Other Scams:

-- The Census Bureau does NOT conduct the 2010 Census via the Internet

-- The Census Bureau does not send emails about participating in the 2010 Census

The Census Bureau never:

-- Asks for your full social security number

-- Asks for money or a donation

-- Sends requests on behalf of a political party

-- Requests PIN codes, passwords or similar access information for credit cards, banks or other financial accounts.

More Census Bureau info on scams here.

Tom Kelchner

Source: Sunbelt Blog

Gilbert
Quarantine for infected PCs?
« Reply #137 on: March 03, 2010, 09:00:48 PM »
Quarantine for infected PCs?
3 March 2010, 8:43 pm

Microsoft Vice President of Trustworthy Computing Scott Charney, in a keynote address at the RSA security conference in San Francisco yesterday, called for quarantines on malware-infected PCs. His remarks were widely covered by a variety of web news outlets.

He compared the threat from infected PCs with the threat from smokers in public places and resulting bans on smoking because of second-hand smoke: "You have a right to infect and give yourself illness. You don't have the right to infect your neighbor. Computers are the same way." Charney didn’t discuss specific techniques.

The idea has been discussed before but usually stumbles on the issue of forcing ISPs to shoulder the expense and legal problems from enforcing quarantines.

Story here.

Tom Kelchner

Source: Sunbelt Blog

Gilbert
Haiti relief email scams still circulate
« Reply #136 on: March 03, 2010, 09:00:47 PM »
Haiti relief email scams still circulate
3 March 2010, 6:04 pm


Want a place to check the legitimacy of a charity?

http://www.charitynavigator.org/

“Founded in 2001, Charity Navigator has become the nation's largest and most-utilized evaluator of charities. In our quest to help donors, our team of professional analysts has examined tens of thousands of non-profit financial documents. As a result, we know as much about the true fiscal operations of charities as anyone. We've used this knowledge to develop an unbiased, objective, numbers-based rating system to assess the financial health of over 5,000 of America's best-known charities.”

Thanks Alex.

Tom Kelchner

Source: Sunbelt Blog

Gilbert
Battlefield Keygens are Bad Company
« Reply #135 on: March 03, 2010, 06:01:31 PM »
Battlefield Keygens are Bad Company
3 March 2010, 4:35 pm

In the same way that media event X guarantees Rogue Antispyware Y, a new and highly anticipated videogame that’s about ready to launch will similarly bring out the scams and fakes.

If you have any family members that like their PC games but perhaps aren’t clued up on their Internet fakeouts, you might want to warn them that no matter how cool the so-called “Battlefield: Bad Company 2” keygens look, they should steer clear:

There are a lot of these files being promoted on sites such as Youtube at the moment, and without fail all of them will give your PC a very bad hair day. It’s just not worth the risk...

Paper Ghost

Source: Sunbelt Blog

Gilbert
Microsoft updates MS10-015
« Reply #134 on: March 03, 2010, 06:01:29 PM »
Microsoft updates MS10-015
3 March 2010, 4:07 pm

It won’t work if you have a rootkit infection, but it won’t blue screen your machine either.

Microsoft has reissued Security Bulletin MS10-015 from last month to work around a problem that had occurred when a WinXP user attempted to install the patch on a machine that was infected with a rootkit. (blue screen, blue screen)

Jerry Bryant, Microsoft’s senior security communications manager lead, writing on the company TechNet blog said that the new installation packages for MS10-015 have new logic that will prevent the security update from installing on rootkit-infected systems. Microsoft also is offering guidance for those with infected machines and a scanning tool that can detect system conditions that will prevent the patch from applying itself.

Microsoft TechNet blog here.

We described the problem on the Sunbelt blog Feb. 11 “WinXP users: hold off on installing MS010–15.”

Tom Kelchner

Source: Sunbelt Blog

Gilbert
Spain arrests three, shuts down Mariposa botnet
« Reply #133 on: March 03, 2010, 02:00:42 AM »
Spain arrests three, shuts down Mariposa botnet
2 March 2010, 10:59 pm

We’re glad to see that world governments took our advice from the Sunbelt Blog last week and started taking down botnets. (Right!)

Police in Spain have arrested three people and shut down the Mariposa botnet, which was thought to have controlled 12.7 million machines in nearly 200 countries. The three were all Spanish citizens. Police identified them only by their handles and ages: "netkairo," 31; "jonyloleante," 30 and "ostiator," 25.

Researchers have been working on taking down the botnet for nearly a year, according to reports.

Story here: “Authorities dismantle botnet with 13 million infected PCs”

Tom Kelchner

Source: Sunbelt Blog

Gilbert
Everybody uses Web 2.0, but IT might not know it
« Reply #132 on: March 02, 2010, 11:01:07 PM »
Everybody uses Web 2.0, but IT might not know it
2 March 2010, 10:37 pm

Communications security firm FaceTime of Belmont, Calif., has released the results of a survey (of 1654 people) that strongly indicates we are all using a lot of Web 2.0 applications at work and a third of our IT staffs aren’t aware of it. It was FaceTime’s fifth annual survey.

Social media and Web 2.0 apps are being used by virtually all end users (99 percent) to support business processes, but 38 percent of IT professionals surveyed think there is no social networking on their networks.

Web 2.0 and social media prevalence:

-- Web chat: found in 95 percent of organizations

-- Instant Messaging: reported by 40 percent of IT staffs

-- Social networks: 27 percent of IT staffs

-- Tools such as Twitter: used for work by 78 percent, according to end users.

The survey also found widespread use of Skype, file sharing, web conferencing and IPTV.

Fifty-three percent of the end users surveyed said that newer Web 2.0 tools were "better than those provided by my employer."

FaceTime said 69 percent of the organizations they surveyed reported at least one Web 2.0-related attack.

Story here.

Tom Kelchner

Source: Sunbelt Blog

Gilbert
Don’t press F1
« Reply #131 on: March 02, 2010, 08:01:39 PM »
Don’t press F1
2 March 2010, 6:04 pm

Here’s a new vector: exploiting a Windows vulnerability through an Internet Explorer help menu Visual Basic script: “get ‘em to hit F1 and you own ‘em.”

Microsoft is warning of a VBScript vulnerability in Internet Explorer (on Win2K, XP and Server03) that could be used to run malicious code. A malicious operator could create a web site that displays a specially crafted dialog box and prompts a victim to press the F1 key (help menu.) The exploit could then execute malicious code on a victim machine. (Windows versions that are not vulnerable are: Vista, Win7, Server08 R2 and Server08.)

Proof of concept code has been circulated, but Microsoft has said: “We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.”

The company said in its security advisory: “Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.”

Microsoft Security Advisory 981169 here.

Tom Kelchner

Source: Sunbelt Blog

Gilbert
4.0!
« Reply #130 on: March 02, 2010, 05:01:55 PM »
4.0!
2 March 2010, 4:37 pm

Today Sunbelt released version 4.0 of its major products that are driven by the VIPRE engine. The version 4.0 platform includes new cutting edge anti-malware technology, additional optional features for more layered protection and a new management console for enterprises.

The new VIPRE 4.0 architecture

The 4.0 architecture is an extensive update of Sunbelt Software’s anti-malware technology which is known for its lightning speed and conservative use of system resources. It includes an optional firewall, host intrusion prevention system (HIPS), intrusion detection system (IDS) and a new framework for managing enterprise endpoints.

The version 4.0 Sunbelt Software products are:

VIPRE Antivirus 4.0 – A major update of our VIPRE 3.1 Antivirus + Antispyware product, VIPRE 4.0 has some cool enhancements, including 64-bit rootkit support, support for Scan Extensions in Mozilla Firefox (equivalent to Browser Helper Objects in Internet Explorer) and support for more file types.

VIPRE Antivirus Premium 4.0 – This edition – for professionals and consumers – includes a bi-directional desktop firewall, HIPS, IDS, malicious web filtering, ad blocking and anti-phishing.

VIPRE Enterprise 4.0 – This is VIPRE Enterprise with a brand new management console and new VIPRE 4.0 agents. The management console has support for large enterprise environments with a multi-site tiering model.

VIPRE Enterprise Premium 4.0 – New Enterprise Premium features include a bi-directional desktop firewall, HIPS, IDS and malicious web filtering.

CounterSpy 4.0 and CounterSpy Enterprise 4.0 – CounterSpy is basically VIPRE focused on antispyware protection. CounterSpy has been upgraded with many of the same enhancements as the core VIPRE 4.0 product. CounterSpy Enterprise has been upgraded with the same enhancements in VIPRE Enterprise 4.0 including the new management console and multi-site tiering model.

So, what does CEO Alex Eckelberry have to say about it?

“The evolution and acceleration of malware development over the past five years is unprecedented and requires a fundamental shift in how detection technology is engineered. Many vendors have added layer upon layer of capabilities onto already bloated, outdated anti-malware engines in a flawed attempt to catch up.

“When we released VIPRE, we took a different approach, building a new product entirely on new proprietary next-generation technology. Now, we’ve taken that same technology to the next level with the release of our 4.0 platform, which delivers strong, comprehensive malware protection and continues the performance standard we established with VIPRE.”

Check it out: http://www.sunbeltsoftware.com/

Tom Kelchner

Source: Sunbelt Blog

Except where otherwise stated, all content Copyright © 2006 - 2010 Smokey Services™ -- All rights reserved