Crescent City Networking

Many Zeus botnet C&C servers taken down

Tom Kelchner — Thu, 11 Mar 2010 21:59:00 +0000

Swiss security blog Abuse.ch has reported that the worst Zeus botnet hosting ISP was taken off line yesterday, cutting the botnet’s number of servers from 249 to 181 – including the six worse ones.

Abuse.ch wrote: “As you can see in the chart above, on March 9th 2010, the number of active ZeuS C&C servers dropped from 249 to 181! The first thing I thought was: There has to be some problem with the ZeuS Tracker cron script. I checked the script – everything looked ok. So the massive drop of ZeuS C&C server is fact. I noticed that six of the worst ZeuS hosting ISP suddenly disappeared from the ZeuS Tracker.

“I verified the subnets of the affected ISP and came to the conclusion that Troyak-as (AS50215), the upstream provider for the six worst ZeuS hosting ISPs, was cut from the internet on 2010-03-09. “

“Massive Drop in Number of Active Zeus C&C Servers” here.

Tom Kelchner

You don’t want to go looking for Corey Haim videos

Tom Kelchner — Thu, 11 Mar 2010 21:04:00 +0000

Hollywood celebrity Corey Haim has died in typical tabloid fashion: “under investigation.” And we all know that celebrity death equals Internet scams by the boatload.

There are a number of spam runs currently circulating on video sharing sites such as Youtube, ready to catch out the curious and the unwary. Shall we take a look?

“Suicide or killed! Watch Corey Haim first found dead”

Classy. Visiting mycelebzone(dot)com will pop open a Hotbar prompt, which you need to install to “see the content”:

Instead of ghoulish pictures of a deceased celebrity, the end-user will find himself looking at a ghoulish spamblog linking to fake links of ripped movies.

Oh, they’ll have Hotbar, ShopperReports and BarDiscover onboard too. What a value add!

Elsewhere, sites claiming to have horrible images such as Celebrity-autopsies(dot)com will drop you onto surveys and quizzes to be filled in, courtesy of a dancing Michael Jackson:

To see the content, all you have to do is sign up to a ringtone service that charges the low price of £9.00 / $15.00 per week – I know a bargain when I see one, and this probably isn’t it.

There are various other links floating around on video sharing sites, all of which should be avoided like the plague. There probably isn’t much on them that would be of use to you, unless you enjoy the sensation of gaining nothing while lining the pockets of spamblog merchants.

Paper Ghost

Rogue security products are the new black

Tom Kelchner — Thu, 11 Mar 2010 18:32:00 +0000

Well, it looks like rogues are going to be in style this season.

Our good friends at McAfee AV have predicted that the 400 percent increase in rogues (also called “scareware”) they saw in 2009 will continue this year. The loss to victims will be on the order of $300 million they also estimated.

Here at Sunbelt, we’re seeing a huge increase in rogue detections as well – nearly 30 percent increase in just the last three months. We list 1,965 rogues in our VIPRE detections and we’re detecting a constantly increasing number of them. VIPRE and CounterSpy installations report these detections to the Sunbelt ThreatNet. Just pulling some fast numbers out of ThreatNet, I found a 29 percent increase in VIPRE and CounterSpy detections when comparing the daily average for February against that of December.

In the event you’ve been living in a cave (with no Internet service) for the last two years, rogues are thieving malicious programs that pretend to be legitimate anti-malcode products. They are real money makers for organized and disorganized criminals who work through the Internet.

Sadly, security people have been working for most of 20 years to raise the public consciousness about malicious code and the need to run anti-malcode protection. About the time the message really began to sink in, the slimeballs of the world started distributing fake security programs that impersonate the graphic interfaces of legitimate products and use names that have a legitimate look to them.

The scammers behind the rogues often distribute them by using botnets to send vast amounts of spam, advertising a variety of products. When a victim clicks on a link in the spam message, he’s taken to a malicious web site that pops up a window in his browser telling him in the most frightening terms possible that his machine is infected. The pop-up window also conveniently offers to download a product to clean his infected machine for a variety of prices, some as high as $99.99. If the victim bites on the offer, he purchases a piece of useless software that does nothing. Obviously, if you run across one, don’t buy it.

Rogues also are being peddled through search engine optimization scams. The rogue distributors use botnets to game search engines like Google into presenting their malicious sites in the top search results for the most popular, up-to-the-minute search terms. When victims click on the links that show up in search results, they’re taken to the malicious sites that pop up the alarming warnings.

If you run into an application that you think might be a rogue, you can check its name against the Sunbelt Rogue Blog: http://rogueantispyware.blogspot.com/

Here’s a link to one of our blog entries from last month about one such SEO poisoning:
“SEO poisoning not in well, but it’s aiming for the water heater”

Tom Kelchner

Adventures in Backup – continued

Virtual PC Guy — Thu, 11 Mar 2010 07:22:00 +0000

Two weeks ago I discussed some bad experiences I had with Hyper-V + backup. Since then I have spent a bunch of time setting up Hyper-V + backup on a couple of systems – and none were as problematic as my first attempt. I have also setup my home Hyper-V server to perform nightly backups – which have been proceeding without a hick up:

However a lot of you let me know that you too had seen issues with backup and Hyper-V. As such I would like to invite anyone who sees a failed Hyper-V backup to come here and let me know in the comments what the cause of the failure was – you can usually figure this out by looking in the Hyper-V event log (as I did in my original blog) – so that we can try to help each other out here.

Cheers,
Ben

The Big [re]Build

Virtual PC Guy — Thu, 11 Mar 2010 07:13:00 +0000

A while ago I talked about how I use Hyper-V in my house, and more recently I talked about trying to backup my Hyper-V server. This discussion of backup was actually in preparation for a significant rebuild of my home Hyper-V server, that I undertook a week and a half ago. There were several goals that I had with this rebuild:

Upgrade the system disk from an old stand alone disk to a newer RAID1 disk
Add a new disk to my Windows Home Server virtual machine
Pull my Domain Controller / DNS / DHCP server out of my parent partition and put it in a virtual machine

The challenges that I had with this process included:

I did not have a second equivalent server handy to just migrate to. Instead my goal was to utilize the machines sitting around my house as temporary staging locations while I did the rebuild (in fact I used my desktop as a file server and ran Hyper-V on my Mac Mini to act as my backup Hyper-V server).
If this server is down – Internet is down in my house. Any father / husband out there will tell you that you do not want to be responsible for breaking the household internet connection.
My Windows Home Server virtual machine contains all of my families digital memories. 8 years of kid photos, videos of my children’s first steps, etc… Losing this data is simply not an option.

It took over a week of planning and research but I ended off successfully rebuilding the system in the space of a weekend. The process that I used looked something like this:

Identify non-critical server virtual machines, shut them down and export them to a file share (on my desktop)
Use SCVMM to move critical server virtual machines to Hyper-V on my Mac Mini
Perform a configuration-only export of my Windows Home Server
Do a bare metal backup of my physical computer
Restore the bare metal backup into a virtual machine on my Mac Mini
Shutdown my physical computer
Get my Domain Controller / DNS / DHCP server running on the Mac Mini
Swap in the new disks into the physical computer
Install Windows and Hyper-V on the new disks
Move all virtual machines back to the physical computer

To pull this off I used pretty much every trick that I know – so I thought it would be good to do a blog series on the process.

Before I get going – there are a few questions that I have been asked that I would like to answer upfront:

Why are you using RAID1?!? RAID10 would be much faster!

To this I have two answers. The first one is that I have a personal preference for minimizing the number of disks in my system (details that I prefer to not go into right now). The second one is that you do not realize how bad the performance of my old system disk was. I did some benchmarking on my old and new disk configuration to highlight the difference here:
Why are you running your domain controller in a virtual machine?

Read this post for my thoughts on this: http://blogs.msdn.com/virtual_pc_guy/archive/2008/11/24/the-domain-controller-dilemma.aspx
Why don’t you just get some nice high end hardware?

I know of people who do this, but I have many other things that I like to spend my money on. Plus there is some level of satisfaction in getting results on a shoestring budget :-)

Cheers,
Ben

Twitter starts Direct Message phishing filtering

Tom Kelchner — Wed, 10 Mar 2010 20:27:00 +0000

Twust and Safetwy

Del Harvey who leads Twitter’s Trust and Safety team blogged yesterday that the social networking/micro-blogging service has begun filtering all links in Twitter Direct Messages to stop phishing:

“Since these attacks occur primarily on Direct Messages and email notifications about Direct Messages, this is where we have focused our initial efforts. For the most part, you will not notice this feature because it works behind the scenes but you may notice links shortened to twt.tl in Direct Messages and email notifications.”

Twitter blog piece here.

Tom Kelchner

New sniffer soon coming to a server near you

Tom Kelchner — Wed, 10 Mar 2010 19:52:00 +0000

This little gem is probably one of those diagnostic tools that -- like BackOrifice and Metasploit Framework -- in the right hands is a good diagnostic tool and in the wrong hands is a bad diagnostic tool:

http://www.serversniff.net/index.php

“ServerSniff.net - Your free "Swiss Army Knife" for networking, serverchecks and routing with many many little toys and tools for administrators, webmasters, developers, powerusers und security-aware users.

“Tools for webmasters and developers:

“Benchmarks and informations about servers, routing, IP-Stacks, encryption, security, nameservers and domains.

“Tools for powerusers:

“For powerusers ServerSniff.net offers computing Hashes for strings and files and simply a lot of information about servers, ssl-encryption, domains etc.

“ServerSniff.net gathers only public information about servers and networks from publicly available sources or from asking the servers directly.”

It doesn’t exactly build confidence when you find that the ServerSniff "terms of use and acceptable use policy" is a dead link: http://beta.serversniff.net/terms_of_use

Thanks Alex.

Tom Kelchner

Update 03/11:

Alert reader "Guest" pointed out a link where terms of use are available: http://beta.serversniff.de/terms_of_use. Looks like it might have been a typo.

Consoles for old games come with new malcode

Tom Kelchner — Wed, 10 Mar 2010 15:40:00 +0000

Be on the lookout for websites offering up “free applications” which come with a nasty sting in the tail. Here’s a typical example: Appzkeygen(dot)com

If you like videogame consoles, you may be a fan of emulators (programs that ape long dead consoles, allowing you to play old games on your PC – we’ll avoid the murky legal minefield that comes with this practice and instead focus on the malware).

Below is a Playstation 2 emulator – no really, it is. Would they lie to you?

Probably best not to answer that question.

Download and run any of the above files - all hosted at movieutilitesonline(dot)com - and you’ll probably be wondering where the alleged emulator is that is “by far superior to all other PS2 Emulators released before it.”

A pair of files will be dropped onto your PC, including a randomly named executable in the Windows directory and xpysys.dll in your System32 Folder. You’ve actually wound up with Trojan-Downloader.Win32.CodecPack.2GCash.Gen, which is – as you’ve probably guessed from the name - a Trojan downloader.

In some cases, people have reported this particular attack resulting in rogue antivirus appearing on the compromised system – however, during testing nothing was downloaded onto the PC. This doesn’t mean it won’t happen, of course – and you’ll still have the downloader onboard. Trojan-Downloader.Win32.CodecPack.2GCash.Gen has been used in everything from fake codec scams to rogue AV hijacks in previous months, and is probably going to stick around for quite some time.

Paper Ghost

Understanding where your virtual machine files are [Hyper-V]

Virtual PC Guy — Wed, 10 Mar 2010 08:13:00 +0000

To be honest, I am surprised that I have not blogged about this before, but today I would like to talk about how virtual machine files are placed on the hard disk.

Virtual Machine files

The first thing to know is what files are used to create a virtual machine:

.XML files

These files contain the virtual machine configuration details. There is one of these for each virtual machine and each snapshot of a virtual machine. They are always named with the GUID used to internally identify the virtual machine or snapshot in question.

.BIN files

This file contains the memory of a virtual machine or snapshot that is in a saved state.

.VSV files

This file contains the saved state from the devices associated with the virtual machine.

.VHD files

These are the virtual hard disk files for the virtual machine

.AVHD files

These are the differencing disk files used for virtual machine snapshots

Understanding data roots

Hyper-V has a concept of the “virtual machine data root” and the “virtual machine snapshot root”. These are the locations where the virtual machine configuration (.XML) and saved state (.BIN & .VSV) files are stored. For example – a virtual machine which had a virtual machine data root of “D:\Foo” and a snapshot data root of “D:\Foo” and had two snapshots would have a file structure like this:

D:\Foo
D:\Foo\Snapshots
D:\Foo\Snapshots\[Snapshot #1 GUID directory]
D:\Foo\Snapshots\[Snapshot #1 GUID].XML
D:\Foo\Snapshots\[Snapshot #2 GUID directory]
D:\Foo\Snapshots\[Snapshot #2 GUID].XML
D:\Foo\Virtual Machines
D:\Foo\Virtual Machines\[Virtual Machine GUID directory]
D:\Foo\Virtual Machines\[Virtual Machine GUID].XML

If the snapshots and the virtual machine had saved states associated with them – then the file structure would look like this:

D:\Foo
D:\Foo\Snapshots
D:\Foo\Snapshots\[Snapshot #1 GUID directory]
D:\Foo\Snapshots\[Snapshot #1 GUID directory]\[Snapshot #1 GUID].BIN
D:\Foo\Snapshots\[Snapshot #1 GUID directory]\[Snapshot #1 GUID].VSV
D:\Foo\Snapshots\[Snapshot #1 GUID].XML
D:\Foo\Snapshots\[Snapshot #2 GUID directory]
D:\Foo\Snapshots\[Snapshot #2 GUID directory]\[Snapshot #1 GUID].BIN
D:\Foo\Snapshots\[Snapshot #2 GUID directory]\[Snapshot #1 GUID].VSV
D:\Foo\Snapshots\[Snapshot #2 GUID].XML
D:\Foo\Virtual Machines
D:\Foo\Virtual Machines\[Virtual Machine GUID directory]
D:\Foo\Virtual Machines\[Virtual Machine GUID directory]\[Virtual Machine GUID].BIN
D:\Foo\Virtual Machines\[Virtual Machine GUID directory]\[Virtual Machine GUID].VSV
D:\Foo\Virtual Machines\[Virtual Machine GUID].XML

Some key things to highlight about data roots:

We always create a “Virtual Machines” folder under the virtual machine data root and store the virtual machine configuration files there.
We always create a “Snapshots” folder under the snapshot data rot and store the snapshot configuration files there.
We fully support multiple virtual machines having the same virtual machine and snapshot data root

Understanding VHD and AVHD locations

.VHD files can be created pretty much anywhere you want. In Windows Server 2008 R2, .AVHD files are always created in the same location as their parent .VHD files.

Common Virtual Machine File Configuration #1 – Default Virtual Machine Data Root

A virtual machine with a default virtual machine data root is one where you created the virtual machine and accepted the default options in the new virtual machine wizard, specifically where you did not check to “Store the virtual machine in a different location” on the first page of the new virtual machine wizard:

In this configuration option the virtual machine data root and snapshot data root will be set to the path specified under the Hyper-V Settings in the “Virtual Machines” setting, and the virtual hard disk will be created under the path specified under the Hyper-V Settings in the “Virtual Hard Disks” setting:

These paths are normally set to “C:\ProgramData\Microsoft\Windows\Hyper-V” for the “Virtual Machines” setting and “C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks” for the “Virtual Hard Disks” setting. That said – I usually change these settings to “D:\Hyper-V\Configuration Files” and “D:\Hyper-V\Virtual Hard Disks” on my systems as I find this easier to work with.

Common Virtual Machine File Configuration #2 – External Virtual Machine Data Root

If you do select to “Store the virtual machine in a different location” you will get what we call a virtual machine with an external virtual machine data root.

With this option we create a new folder named after the virtual machine, and set the virtual machine data root and snapshot data root to this folder. We also default to creating the virtual hard disk in this new folder.

Common Virtual Machine File Configuration #3 – Exported / Imported virtual machine

If you export a virtual machine a virtual machine and then import it without checking the option to “Duplicate all files so the same virtual machine can be imported again”, you will end up with a virtual machine that looks like a virtual machine with an external data root – but there will be one difference.

Instead of having the virtual hard disks stored in the same location as the virtual machine data root – they will be stored in a “Virtual Hard Disks” folder under the virtual machine data root folder instead.

Changing a virtual machine to a default data root virtual machine

If you have an existing virtual machine that you want to change to a “default data root” configuration – the easiest way to do this is to export the virtual machine and then import it and check the option to “Duplicate all files so the same virtual machine can be imported again”. The resulting virtual machine will be a default data root virtual machine.

Changing a virtual machine to an external data root virtual machine

If you have an existing virtual machine that you want to change to an “external data root” configuration, you have two options:

Spend some time scripting the import / export APIs in Hyper-V. It is possible to do it this way – but it is not easy.
Move the virtual machine using System Center Virtual Machine Manager. SCVMM will always transform a virtual machine into an external data root virtual machine in the process of moving it.

Changing the snapshot data root for a virtual machine

The only way to change the virtual machine data root for a virtual machine is by using import / export. But the snapshot data root for a virtual machine can be changed at any time – as long as all snapshots are deleted first. If you have deleted all existing snapshots you can change the snapshot data root by changing the “Snapshot File Location” setting for the virtual machine under the virtual machine settings user interface.

And that is pretty much all there is to know about where virtual machine files are stored today :-)

Cheers,
Ben

LifeLock will pay $12 million for false claims

Tom Kelchner — Tue, 09 Mar 2010 22:02:00 +0000

LifeLock, Inc., the company that GUARANTEED it would prevent customers’ identities from being stolen (for $10 per month) has agreed to pay fines totaling $12 million because the claims it made to promote its protection services were false, according to the U.S. Federal Trade Commission.

The company will pay $11 million to the FTC and $1 million to the attorneys general of 35 states. It is one of the largest FTC-state coordinated settlements, the commission said. The FTC will use the $11 million from the settlement and make refunds to consumers.

The FTC said in its release:

“The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. It also allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs. And even for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection. They alert creditors opening new accounts to take reasonable measures to verify that the individual applying for credit actually is who he or she claims to be, but in some instances, identity thieves can thwart even reasonable precautions.

“New account fraud, the type of identity theft for which fraud alerts are most effective, comprised only 17 percent of identity theft incidents, according to an FTC survey released in 2007.”

The FTC also said the LifeLock told customers that their personal data that it held was stored securely and encrypted, but it wasn’t.

FTC release here.

A federal judge ruled against LifeLock in a court action in California last year after credit reporting agency Experian sued them. Credit customers can place a free 90-day credit alert on their accounts through credit agencies. LifeLock was charging their customers $10 per month to place the alerts – which cost Experian huge amounts of money.

Story here.

Tom Kelchner