Crescent City Networking

Google’s Pacific submarine cable “Unity” nearly complete

Tom Kelchner — Fri, 19 Mar 2010 21:09:00 +0000

-- 7.68 Terabits/s for growing Asian market
-- $300 million cost (from consortium of six companies)
-- 10,000 km length (Chikura in Japan to Los Angeles)
-- Increases capacity across Pacific by 20 percent
-- Dense Wavelength Division Multiplexing technology (960Gbps per fibre-optic pair with a maximum of eight fiber pairs)
-- construction time: two years

Story here.

Tom Kelchner

20 undocumented holes in OS X?

Tom Kelchner — Fri, 19 Mar 2010 20:33:00 +0000

Charlie Miller, Principal Analyst at Baltimore, Md.-based security firm ISE, has made news in the last two days saying that he found 20 perviously-unknown security vulnerabilities in Apple's OS X operating system. News stories seem to anticipate that he will reveal them at the CanSec West conference next week in his talk “Babysitting an Army of Monkeys: An Analysis of Fuzzing 4 Products with 5 Lines of Python.”

However, Miller tweeted: “To be clear, I'm not revealing 20 apple bugs at #cansec, I'm revealing how I found 20 apple bugs.”

According to reports, Miller found the vulnerabities by flooding operating system and application inputs with massive amounts of corrupted data -- a process called fuzzing.

Apple has said they are not aware of the vulnerabilities.

Story from Heise Security here.

It seems to be a good discussion of what Miller is up to.

It’s just plain weird how stories of potential OS X weaknesses make some people foam at the mouth, so, it’s a little difficult to find any discussion of OS X security without a load of “does too – does not” prose. Heise is staying neutral and we’re going to try to stay that way too.

Tom Kelchner

Windows Virtual PC Everywhere

Virtual PC Guy — Fri, 19 Mar 2010 20:20:56 +0000

With our recent update to Windows Virtual PC that allows it to run on systems without hardware virtualization support – I have been flooded by a stream of people asking what hardware it will run on / if it will run on their system.

The short answer is: If it can run Windows 7, it can run Windows Virtual PC. Note that Windows 7 has a requirement of needing a 1GHz processor – so that should help you qualify your system.

To drive this point home, I provide the following bit of evidence:

This is a photo of OS/2 Warp 3 running on Windows Virtual PC on Windows 7 on my Dell Vostro A90 netbook (the Vostro A90 is basically the business version of the Dell Mini 9). This is a system with an Intel Atom N270 processor – which means it runs at 1.60 GHz and has no hardware virtualization support.

And as you can see – it works just fine.

Cheers,
Ben

P.S. Friday afternoon nerd challenge: Can you identify all the hardware that is sitting in the background / around the netbook?

Phishing increased 62 percent in ‘09

Tom Kelchner — Fri, 19 Mar 2010 19:38:00 +0000

The DarkReading site is carrying a story about brand-protection firm MarkMonitor's finding that phishing increased 62 percent in 2009 with 565,502 attacks in the year. MarkMonitor is based in San Francisco.

Other conclusions in MarkMonitor’s 2009 BrandJacking Index report:

-- The huge increase can probably be attributed to the use of botnets and the large amount of personal information that can be scraped from social network sources.
-- 2009 saw the all-time high average of 600 phishing attacks per organization
-- only 33 percent of victims were first-time targets.
-- Social networks suffered 11,240 attacks – two percent of the year’s total.
-- The U.S. hosted 44.7 percent of phishing attacks, up from 36.5 in 2008.

DarkReading story here.

Tom Kelchner

Faking a fake

Tom Kelchner — Fri, 19 Mar 2010 16:47:00 +0000

We're all familiar with Rogue Antivirus products - but it seems script kiddies on numerous sites out there are starting to crank out their own phony security programs, many of which are confusingly based on the designs of - if you'll pardon the expression - "genuine" fake AV programs.

Shall we take a look at their handiwork?

Note the shields, the yellow warning triangles, the fake scan results - these guys have clearly seen a lot of fake AV out in the wild! Unfortunately for the creator, it's a little too OTT and might give the end-user pause for thought if they had to physically click something before becoming infected.

This next one (designed to be entirely harmless, instead asking the user to voluntarily download a malicious file from a URL) almost gets away with being convincing, but ruins it all by including what appears to be a poorly ripped Rapidshare download button:

Running with the idea that a huge green shield with a tick on it is always a good thing to throw into your design, "Eternity Virus Killer" takes the approach that you're going to be infected the moment you run the file, so adding in lots of fake warnings, flashing lights and useless slider bars is a complete waste of time.

My last example of a program imitating a genuine fake AV ("Genuine fake AV". I think I have a new favourite phrase) is something that would actually pass for the real deal. Check it out:

For starters, whoever created this has called it "SecureME 2010" which is clearly playing on the good name of a real program called SecureMe used for mobile phone data theft protection. It's not overloaded like the French app, and not shattering illusions like the other program did with the ludicrous Rapidshare image rip either.

Furthermore, it really looks the part. The creator obviously spent some time looking at rogues - here's a REAL rogue AV program called "User Protection":

Can you spot the difference? Much as I hate to admit it, that's a really well done piece of design work.

Of course, ultimately this is all academic as the end-user probably doesn't care too much if the file on their PC came from:

a) A shady set of individuals dropping fake antivirus onto their PC with the intention of having them sign away their credit card details or
b) Some script kiddy playing with his "My first Visual Basic" kit.

However, it's interesting to see how people on forums, sick of making endless "Free XBox Generator points" programs are now moving into emulating the kinds of Rogue Antispyware that have been around for years. Will having two entirely different and unrelated kinds of fake AV confuse security companies with regards dividing these programs up into their respective families? No idea, but it could lead to some unexpected situations. Having said that, nobody in their right mind will hopefully be downloading programs such as the above when the fake box design ends up looking like this:

Whoops. Something tells me I could be wrong, however...

Paper Ghost

User Protection

Rogue Antispyware — Thu, 18 Mar 2010 20:48:00 +0000

User Protection is a phony security program, designed to infect PC after PC and rip people off. If User Protection has infected your PC, you should remove it immediately.

PC's infected with User Protection usually experience the following:

Constant pop-ups stating the PC is infected and recommending purchase of the program.

System threat scans that report multiple infections and recommends purchase of the program to remove the viruses and spyware found.

Other security programs will be remove form the system (User Protection really like to remove MalwareBytes)

Most programs will not open, but warnings will be displayed saying the program is infected.

System alerts and warnings will be shown stating the PC is unprotected, under attack or infected and suggests buying User Protection.

You should not fall for the above tricks, these are all techniques User Protection will use to trick people into buying the software. User Protection is a complete scam, it will not protected a PC from infections or remove infections. User Protection is a PC infection in itself.

VIPRE can remove User Protection. If you are infected, click here to download VIPRE's free 30-day trial, which will remove User Protection from your system. If you're smart, you will purchase legitimate antivirus software once your PC is clean to prevent future infections from rogue security software.

Can spam get worse?

Tom Kelchner — Thu, 18 Mar 2010 19:09:00 +0000

Or is it at the saturation point?

The SANS Institute (acronym = SysAdmin, Audit, Network, Security) web site carried a blog piece that gives a good snapshot of the horrible ongoing plague of spam email that IT folks all over the globe must deal with. The writer, Deborah Hale, said the ISP in the Midwest where she works received almost 20 million pieces of email for more than 9,000 accounts since the beginning of March. Only 713,222 (3.6 percent) were NOT spam.

The comments that follow her blog piece also give other readers’ on-the-ground experiences with spam filtering.

SANS is a “cooperative research and education organization” which has been around since 1989. It’s a great resource.

Deborah Hale blog piece here.

The European Network and Information Security Agency (ENISA)
2009 spam survey (published in January) found 95 percent of traffic was spam and the situation hadn’t changed much in the year.

Message Labs has estimated that the top 10 botnets are responsible for over 90 percent of spam.

Tom Kelchner

Windows Virtual PC – no hardware virtualization update now available for download

Virtual PC Guy — Thu, 18 Mar 2010 18:59:00 +0000

The update to Windows Virtual PC to support running on systems without hardware virtualization is now available for download. You can grab it here:

For 32-bit host operating systems: http://www.microsoft.com/downloads/details.aspx?FamilyID=837f12aa-1d37-464e-ae59-20c9ecbebaf6
For 64-bit host operating systems: http://www.microsoft.com/downloads/details.aspx?FamilyID=e70dd043-e262-43c0-a002-446567f1e2b4

You can also read the full KB article here: http://support.microsoft.com/kb/977206

One thing to note: While Microsoft supports the use of Windows XP, Windows Vista and Windows 7 on Windows Virtual PC – when running on systems without hardware virtualization support we only support the use of Windows XP.

So what does this mean? Well, if you have used Virtual PC before you know that it is capable of running many operating systems that are not officially supported – and this is still true for Windows Virtual PC (both with and without hardware virtualization support). But we will not be releasing updated integration components for Windows 7 / Windows Vista to enable optimum performance when running without hardware virtualization.

The key take away here is: If you need to run Windows XP mode on systems without hardware virtualization, you now can. If you want to run other operating systems – you need hardware virtualization support for best performance (and official support from Microsoft).

Cheers,
Ben

A malware booty call

Tom Kelchner — Thu, 18 Mar 2010 18:47:00 +0000

We hear so much about stealth tactics, data theft and covert ops where malware is concerned these days that we often forget about the time when it was more about how many popup windows the attacker could throw onto the screen along with a couple of dancing monkeys and a spangly toolbar.

Here, then, is something a little retro that takes a form of infection more known for stealth (parite) and turns it into an overt rip roaring rampage of revenge, but mostly broken computers.

Promoted as a music player based around popular cartoon Aqua Teen Hunger Force, the following file(Win32.booty.exe) should be avoided at all costs:

Shortly after running the executable, hidden files and folders start to scatter themselves liberally across the PC in both the System32 Folder and the Temp Directory - in this case, 10.tmp containing a file called but!.exe, thrown together with the aid of what was probably the HotFusion file binder:

From there, another folder then appears (called 12.tmp) which contains the main payload files:

Worm.exe, Zombie.bat and chimes.wav.

So far, this is reasonably similar to a regular Parite infection (two folders in the temp directory, the promise of wormy action to come) but at this point we start to move away from the notion of Parite stealth to...well....take a look for yourselves.

Let's check out Zombie.bat:

As you can see, the commands tell Worm.exe to spring into action and the .wav file ("Chimes") starts to play.

What happens now?

Well, we prepared a little video demonstration for you (there's sound, so you might want to put on some headphones):

http://www.sunbeltsoftware.com/ihs/alex/paritebooty/

....yes, it made no sense to us either. The Task Bar vanishes and the victim loses the ability to open up Task Manager to kill the rogue processes. Any programs opened up once the infection takes hold will generally auto close seconds after opening.

Meanwhile, a file called BoOtY_Call starts spreading itself into every folder it can find, with the intention of jamming up the machine until it collapses in a crying, blubbering heap - with a song blasting out the joys of "booty" through your speakers, naturally.

If the victim manages to open up a folder and go on a deletion rampage, it doesn't matter...BoOtY_Call keeps respawning and eventually triumphs in a blaze of malware glory.

This is pretty malicious stuff and throwing in a song about loving booty while a similarly named file proceeds to drive a wrecking ball through your hard drive is a surreal and comical contrast to the otherwise ruthless beating the PC is taking.

Given my earlier ramble, you may not be surprised to find we detect this as a variant of Parite (an infection that traditionally tries to infect EXEs and SCR files on PCs in a very quiet fashion, losing you hard drive space in the process), which is an interesting twist given how, er, loud this is. Probably not what the creators of Parite had in mind when they came up with it, but hey - that's evolution, baby.

Sort of...

Chris Boyd

Dynamic Memory Coming to Hyper-V

Virtual PC Guy — Thu, 18 Mar 2010 16:54:50 +0000

We have just announced that in Windows Server 2008 R2 Service Pack 1 we will be adding a new feature to Microsoft called “Dynamic Memory”. The goal of this feature is to allow for better utilization of memory by dynamically adding and removing memory from running virtual machines.

I am really excited about this for many reasons – one of which is that Dynamic Memory is my baby (I am the program manager primarily responsible for this feature).

I am not going to say too much about it today – as I do not like to talk about things that readers of my blog cannot play with themselves – but once a beta release is available you can expect me to have a lot to say about this feature.

Cheers,
Ben