From the monthly archives:

May 2008

Sysinternals Live

by certifiedbug on May 28, 2008

in News, Programs

Ed Bott broke the news that Sysinternals Live is now open to the public.

The new service enables you to execute the most recent version of any Sysinternals tool directly from an Internet-connected PC, without having to hunt for the executable file and manually download it first.

What a treat for Sysinternals utilities fans.

Microsoft bought the company and its library in 2006. Sysinternals co-founder Mark Russinovich is now a Technical Fellow in the Platform and Services Division at Microsoft.

Sysinternals Forum
Sysinternals home page


Zinaps Rogue Security Program

by certifiedbug on May 28, 2008

in Rogue

Not much information at this time: a couple of screenshots at the Sunbelt Blog and a few victims in the security forums seeking assistance.

Sunbelt: Fresh new rogue antispyware programs


Comodo SafeSurf Toolbar-ASK Toolbar

by certifiedbug on May 27, 2008

in Security

Comodo Firewall 3.0.23.364 offers the SafeSurf toolbar. Hmmm

STEP 8: Install Comodo SafeSurf Browser Toolbar
The Comodo SafeSurf Toolbar protects against data theft, computer crashes and system damage by preventing most types of Buffer Overflow attacks. This type of attack occurs when a malicious program or script deliberately sends more data to a target application's memory buffer than the buffer can handle - which can be exploited to create a back door to the system through which a hacker can gain access. Comodo developed the SafeSurf Toolbar explicitly to protect end-users from these kinds of attacks whilst they browse the Internet. After installation, the program will monitor and protect the memory space of all applications that are running on your system and immediately block any buffer overflow attacks. Apart from providing another essential layer of protection, the toolbar also provides one-click access to news, search, shopping; a built-in pop-up blocker; is compatible with all major browsers and can be separately uninstalled or disabled at any time after installation.

We get money if you search/buy stuff using this. It's like an affiliate deal.
This way, only if you want to, you can help Comodo generate some money from searching and buying you already do, by choosing to do it via Comodo. It's a way to generate money so that we can keep bringing you even better security and products!

Topic: Re: COMODO Firewall Pro 3.0.23.364 Released!–EGEMEN

As usual Ask’s Toolbar is pre-checked for installation, you can of course opt out.

As per this thread, Comodo Firewall will not be added to the Calendar of Updates when the next update is available if the Ask Toolbar is pre-checked.

Calendar of Updates (COU)

I join Security Garden in being disappointed at this move by Comodo.

Certifiedbug:
Trillian Multiple Vulnerabilities
ASK Approaches WinPatrol
Another vendor bundles ASK
ZoneAlarm pre-checks toolbar
Conflict of interest at StopBadware?
InterActiveCorp/Ask Toolbars, what you need to know


Trillian Multiple Vulnerabilities

by certifiedbug on May 23, 2008

in Security

Secunia reports highly critical vulnerabilities in Trillian, the popular instant messaging client.

Description:
Some vulnerabilities have been reported in Trillian, which can be exploited by malicious people to compromise a user’s system.

1) A boundary error within the header parsing code for the MSN protocol can be exploited to cause a stack-based buffer overflow via a specially crafted X-MMS-IM-FORMAT header with an overly long attribute.
Successful exploitation allows execution of arbitrary code.

2) An error within the XML parsing in talk.dll can be exploited to cause a memory corruption via certain malformed attributes within an ‘IMG’ tag.

Successful exploitation allows execution of arbitrary code.

3) A boundary error when parsing messages (e.g. via the AIM network) with overly long attribute values within the FONT tag can be exploited to cause a stack-based buffer overflow.

Successful exploitation allows execution of arbitrary code but requires that the user is tricked into opening a malicious image file.

Solution:
Update to version 3.1.10.0.
http://www.ceruleanstudios.com/downloads/

Your Trillian client may not inform you of the updates. I used the drop-down menu, “Check for updates”, and was informed no updates were available.

After downloading and starting the installation of the latest version, I saw the Weather Channel and ASK toolbar were offered as pre-checked options to install with Trillian.

Inside those tiny EULA boxes was a full page of disclosures for each program; if you copy/paste the text into an editor, you can read the EULA rather than squinting at a scroll box. Know what you are agreeing to if you leave the box checked to install.


Weather Channel:
“1. PURPOSE. The software you are installing (the “Software”) is provided by The Weather Channel Interactive, Inc. (“TWCi”) and provides you with a quick view of the current weather in a city you select, and provides other weather-related information and data on your desktop (the “Services”). This Agreement contains terms and conditions that apply to both the subscription version of the Software (“Desktop Max Software”) and Services (“Desktop Max Services”) and the advertisement-supported version of the Software (“Desktop Software”) and Services (“Desktop Services”).
14. DESKTOP MAX SERVICES. You agree that if you license Desktop Max Services, the following additional terms will apply:
A. You agree to pay TWCi the monthly or annual service charge for your use Desktop Max Services using a valid credit or debit card, plus any applicable taxes, in accordance with the billing terms and prices in effect at the time the fee or charge becomes payable. You authorize TWCi to automatically bill the charge card you provide each month or year (as applicable), or withdraw funds via electronic transfer from your checking account (depending on what type of charge card you are using), until you cancel Desktop Max Services. Payments are billed in advance at the beginning of the applicable month or year. You agree to provide TWCi with a valid credit or debit card and accurate, complete and updated information required by the subscription registration form. Failure to comply may result in the immediate termination of Desktop Max Services.
B. You agree to notify TWCi about any billing problems or discrepancies within 90 days after they first appear on your account statement. If you do not bring them to TWCi’s attention within 90 days, you agree that you waive your right to dispute such problems or discrepancies.”


ASK Toolbar:
“END USER LICENSE AGREEMENT/PRIVACY POLICY/TERMS OF SERVICES

IMPORTANT — PLEASE READ CAREFULLY - SHORT PLAIN ENGLISH SUMMARY OF END USER LICENSE

This is a legal contract between you and IAC Search & Media, Inc. You must agree to this contract and abide by its terms in order to download and use the toolbar. You must be 18 years of age in order to agree to this contract and download this product. IF YOU ARE NOT YET 18, PLEASE ASK YOUR PARENT OR GUARDIAN TO DOWNLOAD THE TOOLBAR FOR YOU.

UPON INSTALLATION OF THE TOOLBAR, THE FOLLOWING FEATURES WILL BE ADDED TO YOUR BROWSER:

SEARCH BOX is a toolbar to your Internet browser. The browser toolbar is customizable and will provide you access to Ask.com search results.

SEARCH ASSISTANT: This provides relevant links and results when your search request or browser address request is misspelled or incorrectly formatted.

In addition, an Easy Installer will be downloaded to install this software. It does not install any other software and is automatically deleted the first time you turn off your computer after installation of the above-described products.

THIS PRODUCT AND ALL THE FEATURES LISTED ABOVE ARE FREE.

NO REGISTRATION OR PERSONAL INFORMATION IS REQUIRED.”

Please read each EULA completely and if installing do so as an informed user. :)


Google Notebook, Pages, Groups, Blogspot Spam

by certifiedbug on May 23, 2008

in Security

Google is a giant with a gigantic share of porn spammers using their resources.

They are rampant at Google Groups and Blogspot; I see Alex Eckelberry wrote yesterday on the Explosion of spam pages on Google Pages.

The URLs have a particular look to them. Examples:

b2006e.e52bb.googlepages com
te09d0.e2ee.googlepages com

Google Notebook is also being used for spam; the google.com/notebook/public/ URLs might look similar to this example:
BDQxVQwoQ_7WTr6Ej
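A small scanner for the URL shapes above, added here as an example and not part of the original post. It pulls URLs out of free text (a mail body, a forum post) and treats a googlepages.com host whose two leading labels both mix letters and digits, as the two quoted hosts do once the defanging space is put back as a dot, as suspicious; any other googlepages.com host and any public Notebook link are marked for review rather than blocked. The mixed-letters-and-digits heuristic, the sample lines and the function names are my own assumptions, not anything the post or Sunbelt published.

```python
import re
from urllib.parse import urlparse

# Assumed heuristic (not from the original post): the spam pages sat under two
# short machine-generated labels, e.g. b2006e.e52bb.googlepages.com.
TWO_LABEL_RE = re.compile(r"^([a-z0-9]{4,8})\.([a-z0-9]{4,8})\.googlepages\.com$")
NOTEBOOK_HOSTS = {"google.com", "www.google.com"}

# Matches absolute http(s) URLs and bare googlepages.com hosts in free text.
URL_RE = re.compile(r"https?://[^\s\"'<>]+|[a-z0-9.-]+\.googlepages\.com[^\s]*", re.I)


def looks_generated(label: str) -> bool:
    """A label that mixes letters and digits is treated as machine-generated."""
    return any(c.isdigit() for c in label) and any(c.isalpha() for c in label)


def classify_url(url: str) -> str:
    """Return 'suspicious', 'review' or 'ok' for a single URL."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""          # urlparse lower-cases the hostname
    if host.endswith(".googlepages.com"):
        m = TWO_LABEL_RE.match(host)
        if m and looks_generated(m.group(1)) and looks_generated(m.group(2)):
            return "suspicious"
        return "review"                   # other Google Pages sites: look, don't block
    if host in NOTEBOOK_HOSTS and parsed.path.startswith("/notebook/public/"):
        return "review"                   # public Notebook shares were also abused
    return "ok"


def scan_lines(lines):
    """Extract every URL from the given text lines and classify each one."""
    return [(url, classify_url(url)) for line in lines for url in URL_RE.findall(line)]


# Constructed sample text; the two googlepages hosts are the ones quoted in the post.
SAMPLE_LINES = [
    "hot pics here http://b2006e.e52bb.googlepages.com/ click now",
    "mirror: te09d0.e2ee.googlepages.com",
    "my notes http://www.google.com/notebook/public/BDQxVQwoQ_7WTr6Ej",
    "photos at http://familyphotos.googlepages.com/album",
    "unrelated https://example.org/page",
]

if __name__ == "__main__":
    for url, verdict in scan_lines(SAMPLE_LINES):
        print(f"{verdict:10s} {url}")
```

Running the block prints one verdict per URL in the sample. The "review" tier exists because a legitimate personal page on the same service looks nothing like the generated labels, and a filter that blocked the whole googlepages.com domain would throw those away with the spam.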

Of interest.
Stopbadware: Malware on Google Blogspot
Certifiedbug: Beware Google Search email alerts on Blogger


Sunbelt warning of faked sites

by certifiedbug on May 23, 2008

in Security

Alex Eckelberry writes about a Rash of fake sites copying PC World, CastleCops, others at the Sunbelt blog.

As a follow-up to my post earlier today about a fake CastleCops page, there’s more to the story.

There are other domains sharing the same IP (207.226.177.250):

pepato org
slim-cash com
spyware-wiper com
Cpaypal com
Crazycounter net

All are copying legitimate sites.

These domains belong to the “Vladzone” malware gang.

Check out the screenshots if you don’t think you could be fooled. The fake sites look very similar to the real thing, so be careful.

Edit:
Sunbelt: More Vladzone fake pages


KvmSecure Rogue Security Program

by certifiedbug on May 22, 2008

in Rogue

Bharath’s Security Blog

The rogue uses Software-payment.com site for payment processing. Beware that this site is also used by many other rogue security applications for payment processing.

How to remove KVMSecure
http://www.bleepingcomputer.com/malware-removal/kvmsecure

As always, if you have an infected computer and would feel more comfortable being assisted by a trained malware remover helper, please start a topic at a trusted security forum.


Enigma software, have they been spoofed

by certifiedbug on May 21, 2008

in Security

I have no doubt there will be more to follow… Stay tuned.

[screenshots: enigma]


Enigma of enigma software

by certifiedbug on May 21, 2008

in Security

Yahoo Finance: http://biz.yahoo.com/e/080428/engm.ob8-k.html

28-Apr-2008

Amendments to Articles of Inc. or Bylaws; Change in Fiscal Year

AMENDMENTS TO ARTICLES OF INCORPORATION OR BYLAWS; CHANGE OF FISCAL YEAR.

Effective April 22, 2008, Enigma Software Group, Inc. (the “Company”) changed its corporate name from Enigma Software Group, Inc. to City Loan, Inc. The change in corporate name was effected by the merger, pursuant to Section 253 of the Delaware General Corporation Law, of a newly formed, wholly owned subsidiary of the Company into the Company, with the Company continuing as the surviving corporation. The Company’s corporate name, Enigma Software Group, Inc., as the surviving corporation in the merger, was changed to City Loan, Inc. The Company’s certificate of incorporation and bylaws prior to the merger will be the certificate of incorporation and bylaws of the surviving corporation, with such certificate of incorporation and bylaws amended to reflect such corporate name change.

On April 24, 2008, the Company requested a new ticker symbol from NASDAQ and will report the new ticker symbol on an amendment to this current report on Form 8-K after it has been assigned.

Interesting change of corporate name for a software company.

The controversy following Enigma Software goes way back.
Enigma Software, A Mystery?

From VitalSecurity:

Addendum: Enigma Software have posted in the comments section, and have stated the following:

“Enigma Software Group USA, LLC bought SpyHunter and the security software business from Enigma Software Group, Inc. Then we all resigned from the company, and the shell of the business has become something else (City Loan). So yes, the name changed, but that company is in no way affiliated with the Security Software Business.

None of the employees, officers, directors or shareholders of Enigma Software Group USA, LLC are in any way involved, employed, affiliated or associated with City Loan.”

Thank you for explaining.


Creative Sound Cards and Vista SP1

by certifiedbug on May 20, 2008

in Windows Vista

Knowing of my own experience with Creative’s drivers, friend Corrine at the Security Garden linked me to an article at www.vista4beginners.com.

Download Windows Vista SP1 Drivers for Creative sound cards

The bad news is that even two months after SP1 became available, Creative has not yet launched updated drivers. The good news is that a passionate modder - Daniel Kawakami (Daniel_K) from Brazil - has released his own version of drivers which work on Windows Vista SP1 (32-bit and 64-bit). In this article you will learn what drivers you need to download and where you can find them.

http://www.vista4beginners.com/Windows-Vista-SP1-Drivers-Creative-sound-cards

Certifiedbug:
Vendor Drivers for Vista™

Creative’s struggle to produce drivers for Vista

Creative Labs, so long

Vista Drivers
