[SecurityRatty] tag: sunbelt

AOL Hosted Sites Distribute Malware

Mon, 13 Oct 2008 23:21:17 +0000

Malware on AOL hosted pages has been recently reported by Alex Eckelberry from Sunbelt. It seems that it is not new and AOL is actually neglecting this issue, allowing visitors to get infected with rogue software. AOL’s German Hometown page has a number of pages that redirect to rogue antivirus programs like Antivirus XP (Do NOT [...]

Current List Of Zlob Distributiuon Sites And Rogue Anti-virus Products Domains

Wed, 24 Sep 2008 12:35:26 +0000

Sunbelt, a developer of protection software known for it’s Kerio firewall, has been publishing a list of domains which are involved in spreading of Zlob trojan and fake malware anti-virus known as Antivirus XP 2008 (and its clones). Domains from this list might infect visitors, considered malicious and should be added as untrusted into filters. There [...]

EstDomains & Intercage: A Perfect Couple in Crime

Mon, 15 Sep 2008 17:32:00 +0000

If you track malware issues as readily as I do, you're likely aware of the failings of clownpacks like EstDomains and their hosting buddies Atrivo/Intercage. You need only follow Sunbelt's take on the topic, or search Emergingthreats to come up to speed.
Yesterday, EstDomains posted the most inept, ridiculous response ever issued to the endless and worthy criticism, largely leveled by Brian Krebs at the Washington Post.
Not only can't these morons from EstDomains write, they're either so deeply clueless or flagrantly malicious (likely both), it's beyond laughable. This section sums it up best:
"The company also has a reliable ally in its battle against malware in a face of Intercage, Inc which provides company with the hosting services of the highest quality. But the outstanding performance of hosting services is not the sole reason why EstDomains, Inc appreciates this partnership so greatly. Intercage, Inc generously provides EstDomains, Inc specialists with reports regarding discovered malware vehicles. As the main database for additional domain name management services is located in Intercage Data Center, EstDomains, Inc has the perfect opportunity to get notifications of the slightest mark of malware presence in the shortest time and take measures in advance."
What? Really?
Again, aside from the absolute butchery of the language, did they just say "The company also has a reliable ally in its battle against malware in a face of Intercage, Inc which provides company with the hosting services of the highest quality."? SIGH...yes, they did.

Allow me to exemplify just how ridiculous a claim that is.
Following is content from a packet capture I took during a recent Storm worm analysis.

Using the ip2asn module included in NSM-console availabe in HeX, we find:
27595 | 216.255.189.211 | INTERCAGE - InterCage, Inc.

Using Etherape, also included in HeX, we see:

Using Eric Hjelmvik's NetworkMiner, we see:

See the recurring theme? Intercage, EstDomain's "reliable ally in its battle against malware".
Nice work, guys...keep it up.

I'm submitting this to The Daily WTF as we speak.

del.icio.us | digg

Should You Install Messaging Security Software on Your Exchange Server?

Fri, 05 Sep 2008 09:00:00 +0000

(Source: Sunbelt Software) Osterman Research shares insights gleaned from a just completed survey that dispel the fears of employing server-based email security solutions. Read this white paper to help you understand the latest Exchange security risks and also learn about reasons why an installed security solution may be the best option for you in countering those challenges.

Spammers Take A Cheap Shot...

Tue, 19 Aug 2008 10:24:05 +0000

I'm on holiday this week, but thought I'd better give this a mention anyway (plus, when did being on holiday ever stop me from posting stuff on blogs, right?)

I was surprised to see this posted to the comments section of the Sunbelt Blog:

I was about as surprised as The Dean was!

To quote a further post from The Dean:

"Well, that's weird. Isn't spywareguide Paperghost's blog? I know he wouldn't spam here. And, the link on the first comment goes to a 404 page."

So, we have someone spamming with broken English, dropping links to 404 pages on Spywareguide. Curious.

Now, I did have some suspicions on this - for starters, the recent blogs regarding the pirate movie websites that pop Zango installers just hit a few news websites. As this article mentions, a lot of the sites involved in this are from Asian regions - China, Indonesia etc. I couldn't help but notice the name of the poster was "Tam" - a common name in certain parts of Asia.

Coincidence? Or a possible affiliate not too happy about this being highlighted? Well, a quick email later and the results for the spammer are in:

A potentially forged Reverse DNS aside, it's a strange thing indeed that they just happen to resolve to Vietnam given that a good portion of these sites are in Asia, isn't it?

I think I'll see if any are owned by someone called "Tam".

When I return from my holiday, of course....

Beware of Rogue Anti-Malware

Mon, 18 Aug 2008 06:16:04 +0000

Rogue anti-virus and anti-spyware products are not a new story, but they are a relatively growing threat. One of these threats made some news this week and taught some lessons about just how suspicious you have to be of them. We had heard of XP Antivirus—also known by a plethora of name variants, including Antivirus XP and year variants like Antivirus XP 2008. Click here for a description from Sunbelt Software. Last week, advertisements for this product started appearing on CNET (specifically their Download.com service) through syndicated Google ads. Not to pick on CNET specifically; Google ads are likely to be appearing elsewhere, but we were referred to them on that site. The hallmark of such malware is to start with a free version. This version conducts a fake malware scan that finds lots of malware on the system, and the user is told to pay for the "premium" version in order to remove the malware that doesn't really exist in the first place. Often rogue anti-malware software such as this is not strictly malicious in the sense of spreading itself to other systems or hiding any functions; it is simply a scam. Of course, by buying the product you may also expose personal and credit card details to untrustworthy people. Later last week, GlobalSign, the certificate authority that had issued a code signing certificate for use with Antivirus XP 2008, revoked that certificate after complaints that the software was malicious. They verified that the company existed but couldn't contact them. The investigation is ongoing. The bottom line and moral of the story is that rogue anti-malware vendors are merciless and shameless when it comes to masquerading as legit software. Ads on legit sites don't prove anything, and code-signing certificates don't prove anything. You still need to use common sense and exercise precautions, like running well-known and respected anti-malware, like Sunbelt Software's. They have a lot of special in-house expertise on rogue products like this.

Should You Install Messaging Security Software on Your Exchange Server?

Mon, 04 Aug 2008 09:00:00 +0000

(Source: Sunbelt Software) Security is the most single critical task for any email administrator. Starting with a foundation of anti-spam and anti-virus capabilities, organizations should focus on other capabilities, as well, including policy management and a variety of other tasks designed to protect the network and the company from external and internal threats.

There are a number of ways to deploy messaging security, including appliances, software installed on dedicated servers, hosted or managed services and installation of softwaredirectly on the email server itself. While there are proponents and opponents of these approaches, there seems to be relatively strong opposition to the last approach on the part of many email administrators.

Osterman Research shares insights gleaned from a just completed survey that dispel the fears of employing server-based email security solutions. Read this white paper to help you understand the latest Exchange security risks and also learn about reasons why an installed security solution may be the best option for you in countering those challenges.

Customer Satisfaction with Email Archiving Systems

Fri, 18 Jul 2008 09:00:00 +0000

(Source: Sunbelt Software) Osterman Research conducted a primary survey asking organizations about a variety of archiving systems. The purpose of this research was simply to understand the level of satisfaction that customers of Sunbelt Exchange Archiver (SEA) and other email archiving offerings report on a variety of metrics related to product and vendor performance. Among the offerings to which the SEA offering are compared in this white paper are Symantec Enterprise Vault, Autonomy ZANTAZ EAS, Barracuda Message Archiver, EMC EmailXtender and a wide variety of other leading - and very capable - email archiving solutions.

The goal of this white paper is to provide a point of comparison between SEA and other offerings in order to help decision makers in their archiving system evaluation process.

Good move for Sunbelt software

Wed, 25 Jun 2008 10:07:37 +0000

This could work out well for both parties.
Sunbelt products are widely used and customer satisfaction is at a high right now.
Good luck to them both.

clipped from www.webwire.com

Clearswift Partners with Sunbelt Software to Offer Top Class Anti-spyware Solution

This continual monitoring ensures spyware and the websites intentionally or inadvertently delivering malware are identified with a high degree of accuracy.

“The partnership with Clearswift seemed a natural step for both companies since the combination of the MIMEsweeper Web Appliance and our CounterSpy engine brings clear benefits to the end user,” commented Chad Loeven, vice president of business development, at Sunbelt Software. “With our technologies working hand in hand, I can comfortably say that you will not find a more comprehensive web security solution on the market today.”

Fake YouTube Site Serving Flash Exploits

Thu, 12 Jun 2008 03:12:58 +0000

Originally mentioned by the folks at Sunbelt, this fake YouTube site happens to be a bit more interesting than it seems at the first place :

"Clicking on that link then redirects to a different site, youtube-s, which serves exploits to attempt to infect your system. Then, if your browser hasn’t completely crashed at that point, you may ultimately get redirected to the real YouTube, displaying some idiotic video (hence, possibly even helping to continue the infection, by having users forward the spam above)"

Interesting mostly because it not just attempts to serve a online games password stealer through exploiting the ubiquitous MDAC exploit, but is also serving a flash exploit which when analyzed leads us to a web based C&C of new malware kit. And although I've been aware of its existence for a while now, it's the first time I see it in action.

Upon analyzing youtube-r.com (211.95.79.57) a couple of days ago, it's now returning a 403 forbidden message, however, copies of the malware have already been obtained and analyzed. In between attempting to infect with MDAC at youtube-s.com/load.php?id=912; the flash exploit loads from a9rhiwa.cn/update_files/1.swf, and while this is happening the end user is redirected to the real YouTube site. Some sample detection rates :

Scanners result : 7/32 (21.88%)
TR/Crypt.ULPM.Gen; Mal/EncPk-CO
File size: 8704 bytes
MD5...: cb8611db343067e1fb663ab6ee671114
SHA1..: 4497715e0a365863d6ca41ab12254bf591118ed7

Scanners result : 10/32 (31.25%)
SWF:CVE-2007-0071; Exploit:Win32/APSB08-11.gen!A
File size: 593 bytes
MD5...: 5b6b28d4de3df92f48fbe5e8bd565cda
SHA1..: 3123d357d2080d1ee09ee67203275d51332e3397

The password stealer than connects to the C&C, from where an unknown for the time being number of campaigns are coordinated. What's a useless virtual good such as passwords for MMORPGs for malware gangs aiming to steal Ebanking details through banking malware for instance, is a precious and valuable good for others operating on the other side of the world, where a virtual item is more expensive than access to a Ebanking account.