Court Orders Halt to Sale of Spyware

At the request of the Federal Trade Commission, a U.S. District Court has issued a temporary restraining order halting the sale of keylogger spyware. According to the FTC’s complaint, the Florida-based CyberSpy Software, LLC marketed and sold RemoteSpy keylogger spyware to clients who would then secretly monitor unsuspecting consumers’ computers. The FTC seeks to permanently bar the unfair and deceptive practices and require the defendants to give up their ill-gotten gains.

According to papers filed with the court, the defendants provided RemoteSpy clients with detailed instructions explaining how to disguise the spyware as an innocuous file, such as a photo, attached to an email. When consumer victims clicked on the disguised file, the keylogger spyware silently installed in the background without the victims’ knowledge. This spyware recorded every keystroke typed on the victim’s computer (including passwords); captured images of the computer screen; and recorded Web sites visited.

News Release: http://ftc.gov/opa/2008/11/cyberspy.shtm

Original FTC complaint. (PDF) November 5, 2008.

Certifiedbug.com

Keylogger vendor CyberSpy under temporary restraining order

Brian Krebs at The Washington Post, So Much Spam From One Place?

Vincent Weafer, director of development for Symantec Security Response, said the success of Storm, combined with so many criminal operations having been burned by the McColo takedown, strongly suggests botnets are going to continue adopting P2P technology.

That means decentralization.

The Recording Industry Association of America (RIAA) may get an earful.

Also at the Washington Post:
Answers Trickle Out as Spammer Networks Remain Compromised

Certifiedbug.com

Peer-to-peer (P2P) botnets

This happened after a Los Angeles-based reseller named Giglinx sold bandwidth from the Swedish internet service provider TeliaSonera to the bad guys.

The reconnection opened the door, enabling a partial update of the botnet and pushing as much as 15MB of data per second to servers located in Russia, before Telia quickly pulled the plug.

Jart Armin & Paul Ferguson.
Report Supplement; McColo – Exploiting the security flaw in un-vetted bandwidth reselling Version 2.1 Nov 18th 08 (PDF)

Host Expoit also has a video presentation mapping McColo’s attempt to reconnect to the internet November 15/16 2008.
http://hostexploit.com/index.php?option=com_content&view=article&id=25&Itemid=34

FireEye Malware Intelligence Lab’s blog has a map showing the masses of Srizbi Bots.
http://blog.fireeye.com/research/2008/11/not-to-sound-the-panic-alarm.html#more

http://certifiedbug.com/blog/tag/mccolo/

Certifiedbug.com

McColo. Exploiting un-vetted bandwidth reselling

A big difference for users is that it will be a free stand-alone download, no charge to consumers.

Windows Live OneCare will continue to be sold for Windows XP and Windows Vista at retail through June 30, 2009. Direct sales of OneCare will be gradually phased out when “Morro” becomes available. Regardless of their method of purchase, Microsoft will ensure that all current customers remain protected through the life of their subscriptions.

PressPass:
Microsoft Announces Plans for No-Cost Consumer Security Offering

Certifiedbug.com

Windows Live OneCare to be replaced by “Morro”

McColo is a bit different from Intercage/Atrivo in that although the IP addresses were from the N. American registry ARIN, were routed in the US, and the company used US postal addresses, the person or persons controlling the operation are based in Moscow, Russia.

We recommend anyone who saw more than a 30% reduction look into employing some sort of SMTP connection filtering as this drop in botnet spam, nice as it is, will not last. Investigators report that many of the C&C servers at McColo were originally hosted at Intercage/Atrivo. Even now, several of the C&C functions are migrating to hosting closer to the homes of the botmasters: Russia.

Complete article: Another one bytes the dust

Certifiedbug, November 13, 2008. McColo on the move?

Certifiedbug.com

Spamhaus remarks on McColo

Some might say that’s not too far from the truth but the detection is a false positive. The Register

Certifiedbug, November 11, 2008. AVG update removed critical Windows file

Certifiedbug, November 5, 2008. Adobe Flash Player update for Clickjacking vulnerability

Certifiedbug.com

AVG Flags Adobe Flash

Two Critical Five Moderate.

MFSA 2008-46 Heap overflow when canceling newsgroup message
MFSA 2008-44 resource: traversal vulnerabilities
MFSA 2008-43 BOM characters stripped from JavaScript before execution
MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation
MFSA 2008-37 UTF-8 URL stack buffer overflow

Thunderbird 2.0.0.17 Download

Certifiedbug.com

Thunderbird 2.0.0.17 released

CIDR Report for AS26780
26780 MCCOLO - McColo Corporation
Adjacency: 1 Upstream: 1 Downstream: 0
Upstream Adjacent AS list
AS3549 GBLX Global Crossing Ltd.

Steve Linford from Spamhaus responding to a topic at Google Groups,
McColo Corp

Andreas Kohlbach wrote:

> Mccolo will (under a different name) find a new peer at some
> point, or already has, and in a couple of hours or days all is back where
> it was.

They already have, McColo are now coming back up on retn.net (AKA
Eltel, the old timers will remember that name, a very dirty Russian
network well known for hosting spammers and malware).

Which is a pity, as spam volumes dropped by 30% after McColo went off
the net late Tuesday as vast amounts of bots could no longer contact
their control boxes on McColo IPs and whole botnets went dark. Eltel
(retn.net) will be reactivating the McColo IPs anytime now allowing
the botnets to contact their masters and the spam will flow again.

Spamhaus is preparing to SBL Eltel (retn.net) as soon as we have
confirmation that they have brought McColo’s botnet control machines
back on line.

Steve Linford
The Spamhaus Project
http://www.spamhaus.org

Updates
Washington Post, A Closer Look at McColo

TRACE Blog
Srizbi Stopped, for now

FireEye Malware Intelligence Lab
http://blog.fireeye.com/research/2008/11/index.html

Certifiedbug.com

McColo on the move?

Four Critical Two High Two Moderate One Low

MFSA 2008-58 Parsing error in E4X default namespace
MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals
MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation
MFSA 2008-55 Crash and remote code execution in nsFrameManager
MFSA 2008-54 Buffer overflow in http-index-format parser
MFSA 2008-53 XSS and JavaScript privilege escalation via session restore
MFSA 2008-52 Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)
MFSA 2008-51 file: URIs inherit chrome privileges when opened from chrome
MFSA 2008-47 Information stealing via local shortcut files

Security Advisories

Firefox v3.0.4 Download

Certifiedbug.com

Firefox 3.0.4 Released

The termination of ICANN-accredited registrar EstDomains is to go ahead, effective 24 November 2008.

Letter to EstDomains concerning decision to proceed with termination:
http://www.icann.org/correspondence/burnette-to-poltev-07nov08-en.pdf [PDF]

The notice of primary contact change recently sent to ICANN’s Brussels office is not compliant with the requirements of the RAA and is not an effective notice of primary contact change. Until notice of primary contact change is received at ICANN’s address above, ICANN’s records will continue to reflect that Mr. Vladimir Tsastsin is the primary contact for EstDomains, Inc.

Certifiedbug, October 30, 2008. ICANN Stays EstDomains Notice of Termination

Certifiedbug, October 29, 2008. ICANN cans EstDomains, Inc.

Certifiedbug.com

Registrar EstDomains Stay of Termination lifted