February 2008

New Rogues:

WinReanimator is a rogue security program that is advertised and installed by the Vundo Trojan and other malware. The Vundo infection is typically installed by visiting or downloading executables from certain pornographic or crack sites. Once installed, the infections will bombard the infected computer with popups and fake security alerts stating that your computer is infected or has security risks. When you click on these popups you will be presented with variety of rogue anti-spyware programs, including WinReanimator, stating that you are infected and that you should install their products. Remember, that these are all scams and ads delivered by the infections and should be ignored.

Another byproduct of these infections is an alert icon (Fake Taskbar alert) that appears in your Windows taskbar that periodically displays fake security alerts and warnings. The title of these alerts are Windows antivirus and they contain the following text:

Windows has detected spyware infection!

It is recomended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you

Click here to protect your computer from spyware!

Removal Instructions.

SpyBurner is a program classified as a rogue anti-spyware program. Rogue anti-spyware programs are ones that are installed or advertised via malware, use deceptive advertising, or use false positives in the scan results to convince a user to purchase the commercial version of the software. These programs also typically will not allow you to remove anything it finds without first paying to register the program. SpyBurner is classified as one of these programs as it is advertised through the use of malware and Trojans that display fake security alerts on your Windows taskbar.

Removal Instructions.

{ 0 comments }

Paperghost:

Bad enough that this idiot cut and pasted the above text from another, entirely unrelated hacking sites’ mailshot - even worse that he thought it’d be a good idea to send it to me. If I had to sum up the potential for extreme mischief that such a mail could generate, I think this would be a pretty good summary:

Choose! Choose the form of your Destructor!

{ 0 comments }

Additional comment on Certifiedbug’s “C-NetMedia’s Deceptive Practices”.

In his missive at C-NetMedia , Edelman criticized several prominent companies for failing to hold C-NetMedia accountable for its practices.

• Google and other search engines could block the widespread deceptive ads from C-NetMedia and its marketing partners. C-Net and its partners have continued these practices for more than a year. Google claims to be tough on malware, and Google does exclude some harmful organic search results. But Google has been ineffective in removing the false and deceptive ads shown above, among many others, despite ample complaints from users and security researchers.

• McAfee could remove its Hacker Safe certification from C-NetMedia sites. At present, the McAfee logo gives users the false impression that McAfee endorses C-Net and the McAfee vouches for the effectiveness of C-Net’s software. I gather neither is truly the case. Indeed, McAfee’s HackerSafe certifies some C-Net sites at the same time that McAfee’s SiteAdvisor characterizes rates those same sites as red. In my view, the SiteAdvisor rating better describes the view of security experts and better serves typical users. (Disclosure: I serve as a member of the Board of Advisors of McAfee SiteAdvisor.) (Update, February 14, 11:30am: McAfee has withdrawn HackerSafe certification of C-NetMedia sites.)

• Microsoft could withdraw its Certified for Windows Vista certification on the basis of C-NetMedia’s violations of various ASC rules, as cited above. Anticipating this kind of harmful marketing practices, Microsoft’s certification rules provide ample basis for excluding C-Net on the basis of its deceptive advertising. Microsoft’s concern should be particularly acute because C-Net copied the layout and format of the Microsoft Antispyware site, because C-Net marketing partners trade on Microsoft’s brand name and product names, and because C-Net products worsen the experience of Windows users (i.e. by charging a fee for security software, when Microsoft provides similar software for free).

• ClickBank could eject C-NetMedia from ClickBank’s affiliate network due to the pattern and practice of false and misleading ads placed by ClickBank affiliates in their promotion of C-Net offers. ClickBank’s Client Contract specifically prohibits fraudulent, deceptive, false or misleading information in advertising messages (clause 7.n.), and Clickbank reserves the right to immediately suspend violators (9.d.). But at present, C-NetMedia seems to remain a ClickBank clent in good standing.

Source: Edelman

According to Information Week, a request for comment left with an assistant of Erik M. Pelton, the attorney of record for C-NetMedia’s trademark filings, went unanswered.
In addition, Information Week found no building resembling the company’s illustration of its headquarters visible on the Google Maps satellite photo of the posted address.

{ 0 comments }

Spyware Researcher Ben Edelman continues his investigation on C-NetMedia.
Critiquing C-NetMedia’s Anti-Spyware Offerings and Advertising Practices

Not every “anti-spyware” program is what it claims to be. Some truly have users’ interests at heart — identifying and removing bona fide risks to privacy, security, stability, or performance. Others resort to a variety of tricks to confuse users about what they’re getting and why they purportedly need it.

This article reports the results of my examination of anti-spyware software from C-NetMedia. I show:

• Deceptive advertising, deceptive product names, and deceptive web sit
  e designs falsely suggest affiliation with security industry leaders. Details.

• The use of many disjoint product names prevents consumers from easily learning more about C-Net, its reputation, and its practices. Details.

• High-pressure sales tactics, including false positives, overstate the urgency of paying for an upgraded version. Details.

Note that C-NetMedia is unrelated to the well-known technology news site CNET Networks. See further discussion below.

Deceptive advertising, deceptive product names, and deceptive web site design falsely suggest affiliation with security industry leaders.

Some C-NetMedia products are marketed using practices, keywords, labels, and layouts that falsely suggest they come from security industry leaders. This suggestion comes from both the actions of C-Net itself, as well as from the actions of C-Net’s marketing partners.

Consider the top three ads for a Google search for “Spybot”, a popular early anti-spyware program (full name “Spybot Search & Destroy”). As shown at right, the top three ads each specifically mention “Spybot” — the first two, in directory names; the third, in its domain name. Furthermore, all three ads also include the distinctive and original phrase “Search & Destroy” that specifically describes the genuine Spybot product. Yet in fact each of these three ads takes users to the unrelated site spywarebot.com (emphasis added) (screenshots: 1, 2, 3). Clicking the first ad immediately takes a user to spywarebot.com via the ClickBank advertising network. As to the second and third ads, traffic flows through independent “landing page” sites which in turn show ClickBank links to promote Spywarebot. These landing pages are hosted on the deceptively-named domains named spybot-sd-info.com and www-spybotcom.com — each further (but falsely) suggesting an affiliation with the genuine “spybot” product.

Ben’s Complete Article

Spybot Search and Destroy (Spybot-S&D) Official Home Page: http://www.safer-networking.org/en/home/index.html

{ 4 comments }

I like my digital point and shoot camera, but for Professional Photographers the latest invention may be a boon against Image Theft.

. . . to provide an imaging apparatus that makes it possible to protect the copyright of photographic images by reliably acquiring biological information of a photographer . . . - US Patent Application No. 2008/0025574

Sources:
Schneier on Security
Photography Bay

{ 0 comments }

Security vendors have been predicting for weeks that Storm would use Valentines Day to dupe users into opening attachments or clicking links to infection.

Even the FBI released a warning this week:

Internet Alert: St. Valentine’s Day E-Card Carries Storm Worm Virus

If you unexpectedly receive a Valentine’s Day e-card, be careful. It may not be from a secret admirer, but instead might contain the Storm Worm virus.

With the holiday approaching, be on the lookout for spam e-mails spreading the Storm Worm malicious software (malware). The e-mail directs the recipient to click on a link to retrieve the electronic greeting card (e-card). Once the user clicks on the link, malware is downloaded to the Internet-connected device and causes it to become infected and part of the Storm Worm botnet. A botnet is a network of compromised machines under the control of a single user. Botnets are typically set up to facilitate criminal activity such as spam e-mail, identity theft, denial of service attacks, and spreading malware to other machines on the Internet.

The Storm Worm virus has capitalized on various holidays in the last year by sending millions of e-mails advertising an e-card link within the text of the spam e-mail. Valentine’s Day has been identified as the next target.

{ 0 comments }

Brian Gardner’s Revolution Pro.

Please excuse the construction and use the Blog tab rather than Home for the moment, lots to learn.

It will be fun, no really…

Update: Blog tab is now “Articles”

{ 0 comments }

Update to Service Pack 1 for Windows Vista to manufacturing (RTM) release

In my blog post on the subject, I noted that we were going to make SP1 available to customers in stages to make sure we delivered a great experience. As I explained, one reason for this is that we are working through an issue with a small set of hardware devices that may not function properly after the Windows Vista-based PC they are installed on is updated to SP1. This is an issue with the way the device drivers were re-installed during the SP1 update process, not with the drivers themselves — these drivers worked on Windows Vista RTM and they work on Windows Vista SP1. For new PCs with Windows Vista SP1 pre-installed, this is not an issue.

We are working with the manufacturers of these devices to get the drivers and their install programs updated, and also working on other solutions we can use to ensure a smooth customer experience when updating to SP1 over Windows Update.

My blog post also noted that when beta testers encountered this issue, the problem was typically corrected by simply uninstalling and reinstalling the driver. This type of issue can be addressed by our more technical customers since they are comfortable reinstalling drivers. While most people think that it’s smart that we are releasing SP1 in stages, some people asked why we haven’t made SP1 available to technical customers sooner.

We’ve heard the feedback and I want to update you on our plans and progress for making SP1 available to our beta participants, our Volume Licensing customers, and our MSDN/TechNet Plus subscribers:

• Late Friday we made SP1 RTM available to individuals and companies who participated in the SP1 beta program

• At the end of this week we will be making the English version of Windows Vista SP1 available to Volume Licensing customers. Other languages will follow soon after

• Later this month, SP1 will be available to MSDN and TechNet Plus subscribers

Windows Vista Team Blog

{ 0 comments }

Bot Herder Ancheta was sentenced to 57 months in jail in 2006. This week cohort SoBe (not the soft drink) has pleaded guilty to two counts of juvenile delinquency relating to conspiracy to commit wire fraud, causing damage to computers used by the federal government in national defense and accessing protected computers without authorization to commit fraud. Sentencing scheduled for May 5, 2008.

Apprantly these malicious hackers gained remote access to thousands of U.S. computers, including Sandia National Laboratories, a facility that works on nuclear weapons and other sensitive material.

{ 0 comments }