Put Your Antispyware Apps to the Test

March 8, 2008 – 6:21 PM

Does your antispyware software really work? With security experts warning of “rogue” antispyware products that sometimes do more harm than good, two security researchers have decided to take matters into their own hands.

They’re working on a new software product, called Spycar, that will test the effectiveness of antispyware applications. “We decided the best way to do that would be to write a suite of tiny custom programs that each do a tiny spyware-like thing,” says Tom Liston, a senior security consultant with Intelguardians, based in Washington, DC.

Liston is developing the software with Ed Skoudis, also an Intelguardians security consultant.

Spycar will contain about 25 small programs, each of which engages in the kind of nasty behavior normally associated with spyware. For example, it will add favorites to Internet Explorer, or add a file to the machine and change the computer’s Registry so that the file launches at startup. The software will then undo all of the changes it has made after the testing has been completed.

“You could really test and see if your antispyware is doing the things that it should be doing,” Liston says.

And that is becoming an increasingly important concern for many Internet users. Many antispyware products can identify malicious code using signatures (a kind of digital fingerprint that alerts the software to known unwanted code), but Liston says the apps don’t do so well when trying to identify unknown software, like that contained in Spycar, that merely behaves like spyware. “Not too many of them are catching behavior-based stuff at this point,” he says.
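The behaviors the article attributes to Spycar (dropping a file and pointing a Registry Run value at it so it launches at startup, adding Internet Explorer favorites) are exactly what a behavior-based monitor, rather than a signature scanner, is meant to catch. The following is an added example, not Spycar's code or any vendor's product: it replays a few constructed Sysmon-style event lines and flags the two patterns. The `type|field=value;...` log format, the process and file names, and the sample events are all assumptions made for the demonstration.

```python
"""Behavior-based detection of the spyware-like actions described above.

Added example (not Spycar's code). It parses constructed Sysmon-style
event lines and flags (a) a Registry Run/RunOnce value being set, with a
stronger verdict when the value points at a file the same process just
dropped, and (b) a file written into the Internet Explorer Favorites
folder. Log format and sample values are assumptions.
"""
import re

# Constructed sample events; the "<type>|<field>=<value>;..." layout is assumed
SAMPLE_EVENTS = [
    "FileCreate|proc=C:\\Temp\\spycar_test.exe;path=C:\\Users\\bob\\AppData\\Roaming\\svc_helper.exe",
    "RegistrySet|proc=C:\\Temp\\spycar_test.exe;key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc_helper;data=C:\\Users\\bob\\AppData\\Roaming\\svc_helper.exe",
    "FileCreate|proc=C:\\Temp\\spycar_test.exe;path=C:\\Users\\bob\\Favorites\\Best Deals.url",
    "RegistrySet|proc=C:\\Program Files\\Editor\\editor.exe;key=HKCU\\Software\\Editor\\LastOpened;data=notes.txt",
    "FileCreate|proc=C:\\Program Files\\Editor\\editor.exe;path=C:\\Users\\bob\\Documents\\notes.txt",
]

# Autostart locations: ...\CurrentVersion\Run\<value> and RunOnce
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Per-user IE favorites folder
FAVORITES_RE = re.compile(r"\\Favorites\\", re.IGNORECASE)


def parse_event(line):
    """Split one constructed event line into (event_type, {field: value})."""
    etype, _, rest = line.partition("|")
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if "=" in kv)
    return etype, fields


def detect(events):
    """Return a list of (rule, process, detail) findings, in event order."""
    dropped = {}          # lower-cased path -> process that wrote it
    findings = []
    for line in events:
        etype, f = parse_event(line)
        proc = f.get("proc", "?")
        if etype == "FileCreate":
            path = f.get("path", "")
            dropped[path.lower()] = proc
            if FAVORITES_RE.search(path):
                findings.append(("favorites_added", proc, path))
        elif etype == "RegistrySet":
            key, data = f.get("key", ""), f.get("data", "")
            if RUN_KEY_RE.search(key):
                # A Run value pointing at a file this same process just wrote is
                # the classic "drop and persist" sequence; anything else is a
                # plain Run-key change worth reviewing.
                if dropped.get(data.lower()) == proc:
                    findings.append(("dropped_file_autostart", proc, key))
                else:
                    findings.append(("run_key_modified", proc, key))
    return findings


if __name__ == "__main__":
    for rule, proc, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {proc}  ->  {detail}")
```

The editor's own Registry write and document save produce no finding, which is the point of a behavioral rule: it keys on what was changed (an autostart location, the Favorites folder), not on which binary did it.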

Liston likens the state of antispyware products to the antivirus market several years ago: overly reliant on signature-based techniques and lacking in standard testing tools.

Setting a Standard

Security giant Symantec agrees with him, at least when it comes to antispyware testing tools.

“We would love to see the antispyware industry evolve to the point where there are standardized tests,” says David Cole, director of the company’s security response group. “We’ve evolved to that point on the antivirus side.”

In fact, the Spycar name is a play on a popular antivirus testing tool created by EICAR (the European Institute for Computer Antivirus Research).

Symantec and other major security vendors banded together earlier this year to develop standard ways of testing their antispyware products, something that they say will eliminate customer confusion in this space. Information on this effort can be found here.

It’s no surprise that customers are confused. Literally dozens of antispyware products have been classified as rogue antispyware by Spywarewarrior.com, a Web site that serves as a clearinghouse for information about the spyware problem.

One of these alleged “rogue” products came under scrutiny in January, when Microsoft and the Washington state attorney general sued antispyware software vendor Secure Computer. Their complaint alleges that Secure Computer’s Spyware Cleaner software not only failed to remove spyware as advertised, but left its users less secure. The White Plains, New York, company pulled Spyware Cleaner from the market soon after the suit was filed.

While Spycar won’t help users remove rogue antispyware products, it will give customers of those products a sense of whether they have a problem, Liston says.

Spycar will be available free of charge in May. More information will be made available on the company’s Web site at that time.

http://www.pcworld.com/news/article/0,aid,125138,tk,dn032006X,00.asp

Hackers Get Intel Mac to Run Windows XP

March 8, 2008 – 6:21 PM

A contest to see who could first get Windows XP working on an Intel Mac has been won, according to the contest’s coordinator, Colin Nederkoorn. The “Windows XP on an Intel Mac” page provides a link to a download that includes software and instructions for use.

Nederkoorn first put the contest together after he ordered an Intel-based MacBook Pro for work.

“I told my boss that this would replace my IBM desktop and I could boot Windows XP on it,” he said, and to put his money where his mouth was, he put up $100. He suggested that others with an interest in seeing a dual-boot Macintosh do the same.

To date the contest has raised over $13,854 in donations, including significant additions from Digital Express, Delicious Monster, and Uneasy Silence. Nederkoorn says that any further donations will go to support an open-source project created to maintain the work that has already been done.

News that Windows XP was working natively on an Intel-based iMac first came to light several days ago, when two enterprising users who go by the monikers “narf2006” and “blanka” posted pictures to an account on the Flickr photoblog service purportedly showing Windows being installed on the system. A video followed, and the solution has since been verified by Nederkoorn and his testers.

Not a Simple Install

Getting Windows XP to work on the Mac is not a plug and play process. According to the documentation included with the file download provided on Nederkoorn’s Web site, users must create an install CD themselves using a PC equipped with a CD-R drive, Microsoft’s Windows XP SP 2 CD-ROM and Nero CD burning software. Step by step instructions for creating the disc are included.

Users must also reformat and repartition their Intel Mac’s hard disk drive to include a separate partition where Windows XP can be installed, then go through a multistep process to make sure the software is installed properly and the Mac can recognize it.

Once that’s done, users will be able to switch between Mac OS X and Windows after rebooting the Mac.

Nederkoorn notes that with this process in place, all three current Intel-based Mac models can run Windows with the exception of the 20-inch iMac, but he suggests that a fix will be ready by the time a download is available. He also offers a variety of caveats. Native graphics drivers aren’t in place yet, for example, so video performance is limited–a blow to Mac gamers who had hoped for a solution that would let them play Windows games on their new Mac hardware.

“There is no chance you could play a game using this solution, aside from Minesweeper,” says Nederkoorn. “It looks like a fix for this may be a ways off yet.”

The Apple Remote and the iSight Webcam don’t seem to work yet, either.

Windows XP already can function on Intel Macs, but only through the use of machine emulators, which work more slowly than many users would like. The most popular emulator, Microsoft’s Virtual PC, does not yet support Intel-based Mac hardware, and Microsoft has not yet indicated if or when an Intel version might be released.

Hope that Macs might support Windows out of the box dwindled last week during the Intel Developers Forum, when a Microsoft rep told attendees that Windows Vista will not support EFI, the boot technology Macs use, at least until a server version is ready in 2007. And even then, Microsoft said the support will be restricted to machines that use 64-bit processors. Apple’s current crop of Intel Macs use 32-bit processors.

To claim the contest prize, the winners had to avoid using emulation. They also had to avoid using virtualization software such as VMware, which allows multiple operating systems to run on a single computer simultaneously.

http://www.pcworld.com/news/article/0,aid,125111,tk,dn031606X,00.asp

Cryzip Trojan Encrypts Files, Demands Ransom

March 8, 2008 – 6:20 PM

Virus hunters have discovered a new Trojan that encrypts files on an infected computer and then demands $300 in ransom for a decryption password. The Trojan, identified as Cryzip, uses a commercial zip library to store the victim’s documents inside a password-protected zip file and leaves step-by-step instructions on how to pay the ransom to retrieve the files.

It is not yet clear how the Trojan is being distributed, but security researchers say it was part of a small e-mail spam run that successfully evaded anti-virus scanners by staying below the radar.

While this type of attack, known as “ransomware,” is not entirely new, it points to an increasing level of sophistication among online thieves who use social engineering tactics to trick victims into installing malware, said Shane Coursen, senior technical consultant at Moscow-based anti-virus vendor Kaspersky Lab.

The LURHQ Threat Intelligence Group, based in Chicago, was able to crack the encryption code used in the Cryzip Trojan and determine how the files are encrypted and the payment mechanism that has been set up to collect the $300 ransom.

According to a LURHQ advisory, Cryzip searches an infected hard drive for a wide range of widely used file types, including Word, Excel, PDF and JPG images.

Once commandeered, the files are zipped and the originals overwritten with the text: “Erased by Zippo! GO OUT!!!”

The Trojan then deletes all the files, leaving only the encrypted file with the original file name, followed by the “_CRYPT.ZIP” extension.

A new directory named “AUTO_ZIP_REPORT.TXT” is created with specific instructions on how to use the E-Gold online currency and payment system to send ransom payments.
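The aftermath described above leaves three host-level artifacts an incident responder can look for: archives named after the original file plus `_CRYPT.ZIP`, originals overwritten with the “Erased by Zippo! GO OUT!!!” marker (if the deletion has not yet completed), and the `AUTO_ZIP_REPORT.TXT` ransom note. The following is an added triage script, not LURHQ's tool or anything from the advisory. It builds a throwaway directory tree in a temporary folder (constructed stand-ins, not real infected data) and scans it for those indicators; since the article calls the note a “directory”, the check matches either a file or a directory by that name.

```python
"""Filesystem triage for the Cryzip indicators described above.

Added example, not LURHQ's or any vendor's code. It walks a directory
tree and reports: data files renamed to <name>_CRYPT.ZIP, files whose
contents begin with the overwrite marker, and the AUTO_ZIP_REPORT.TXT
note (file or directory). The sample tree is constructed locally.
"""
import os
import tempfile
import zipfile

CRYPT_SUFFIX = "_CRYPT.ZIP"
NOTE_NAME = "AUTO_ZIP_REPORT.TXT"
ERASE_MARKER = b"Erased by Zippo! GO OUT!!!"


def scan_tree(root):
    """Return {'encrypted': [...], 'notes': [...], 'erased': [...]} for `root`."""
    encrypted, notes, erased = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        # The note may be a file or a directory; match both
        for name in dirnames + filenames:
            if name.upper() == NOTE_NAME:
                notes.append(os.path.join(dirpath, name))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.upper().endswith(CRYPT_SUFFIX):
                encrypted.append(full)
                continue
            try:
                with open(full, "rb") as fh:
                    if fh.read(len(ERASE_MARKER)) == ERASE_MARKER:
                        erased.append(full)
            except OSError:
                pass  # unreadable file: skip rather than abort the sweep
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "erased": sorted(erased)}


def assess(findings):
    """Verdict: note plus at least one renamed archive is a strong match."""
    if findings["notes"] and findings["encrypted"]:
        return "likely_cryzip"
    if findings["encrypted"] or findings["erased"] or findings["notes"]:
        return "suspicious"
    return "clean"


def build_sample_tree():
    """Construct a throwaway tree mimicking the described aftermath (constructed data)."""
    root = tempfile.mkdtemp(prefix="cryzip_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    # The Trojan leaves a password-protected archive; the stdlib cannot write
    # encrypted entries, so a plain zip stands in for it here
    with zipfile.ZipFile(os.path.join(docs, "budget.xls_CRYPT.ZIP"), "w") as zf:
        zf.writestr("budget.xls", b"placeholder spreadsheet bytes")
    with open(os.path.join(docs, "report.doc"), "wb") as fh:
        fh.write(ERASE_MARKER)  # overwritten original not yet deleted
    with open(os.path.join(root, NOTE_NAME), "w") as fh:
        fh.write("constructed stand-in for the ransom note\n")
    with open(os.path.join(docs, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff untouched")  # a file the Trojan did not reach
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    result = scan_tree(sample_root)
    for kind, paths in result.items():
        for p in paths:
            print(f"{kind:10} {p}")
    print("verdict:", assess(result))
```

Matching on the overwrite marker catches the window between overwrite and deletion; on a machine where the Trojan has finished, only the renamed archives and the note remain, which is why the verdict needs both of those rather than the marker.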

The instructions, which are marked by misspellings and poor grammar, contain the following text: “Your computer catched our software while browsing illigal porn pages, all your documents, text files, databases was archived with long enought password. You can not guess the password for your archived files – password lenght is more then 10 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations).”

The owner of the infected machine is warned not to search for the program that encrypted the data, claiming that it simply doesn’t exist on the hard drive.

“If you really care about documents and information in encrypted files you can pay using electonic currency $300,” the note says. “Reporting to police about a case will not help you, they do not know password. Reporting somewhere about our E-Gold account will not help you to restore files. This is your only way to get yours files back.”

The Trojan author uses scores of E-Gold accounts simultaneously to get around potential shutdowns, according to LURHQ, which published the complete list of E-Gold accounts in the advisory.

Officials from E-Gold, which operates out of the Caribbean island of Nevis, were not available for comment.

“Infection reports are not widespread, so it is not believed this is a mass threat by any means,” LURHQ said. However, the company said social engineering malware is typically more successful when it is delivered in low volume to get around anti-virus detections.

“[M]ore attention means the likely closing of the accounts used for the anonymous money transfer,” LURHQ said.


http://www.eweek.com/article2/0,1759,1937408,00.asp

How Much Does Google Know About You?

March 8, 2008 – 6:20 PM

Want to know what’s going on in someone’s mind? Look at the words they enter in their favorite search engine. Fortunately, that information is private, right? Maybe not.

If you use Google, for instance, and are not blocking cookies, the search engine likely has placed a cookie on your system that won’t expire until 2038. That cookie lets Google track what you searched for, when you conducted the search, and which results you clicked. The cookie doesn’t identify you by name, but it does identify you by your system’s information and IP address.
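The 2038 expiry mentioned above is what makes the cookie a long-term identifier rather than a session token. The following is an added example, not Google's or PC World's code: it parses `Set-Cookie` header values (the `Expires` and `Max-Age` attributes) and flags any cookie whose lifetime exceeds a policy threshold, the check a privacy-conscious proxy or browser extension would apply. The header values, domain and cookie name are constructed samples, and the reference date is assumed to be the article's own period.

```python
"""Flag long-lived tracking cookies such as the one described above.

Added example (not Google's code). Parses Set-Cookie header values,
computes each cookie's lifetime from Max-Age (which takes precedence
under RFC 6265) or Expires, and reports those living longer than a
threshold. Sample headers and the reference date are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed samples; the first mimics a cookie set to expire in 2038
SAMPLE_HEADERS = [
    "PREF=ID=a1b2c3d4e5f60718:TM=1141850400:LM=1141850400:S=x; "
    "expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.example-search.test",
    "session=abc123; path=/; HttpOnly",
    "consent=yes; Max-Age=2592000; path=/",
]

# Reference "now": the article's period (assumed), as an aware UTC datetime
REFERENCE_NOW = datetime(2006, 3, 8, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Return (name, value, {attribute_lower: value}) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, value, attrs


def lifetime_days(attrs, now=REFERENCE_NOW):
    """Cookie lifetime in days relative to `now`; None for a session cookie."""
    if "max-age" in attrs:                       # RFC 6265: Max-Age wins over Expires
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        exp = parsedate_to_datetime(attrs["expires"])
        if exp.tzinfo is None:                   # treat a bare timestamp as UTC
            exp = exp.replace(tzinfo=timezone.utc)
        return (exp - now).total_seconds() / 86400
    return None


def audit(headers, now=REFERENCE_NOW, max_days=365):
    """Return [(cookie_name, lifetime_days)] for cookies outliving `max_days`."""
    flagged = []
    for h in headers:
        name, _, attrs = parse_set_cookie(h)
        days = lifetime_days(attrs, now)
        if days is not None and days > max_days:
            flagged.append((name, days))
    return flagged


if __name__ == "__main__":
    for name, days in audit(SAMPLE_HEADERS):
        print(f"{name}: lives ~{days / 365.25:.1f} years, exceeds policy")
```

The one-year threshold is a policy choice; what the script makes visible is the gap between a cookie that ends with the browser session and one that persists for three decades of searches.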

This is what the U.S. government was after when it subpoenaed Google for search records of millions of random users to establish the need for a federal online pornography law. The company was fighting the subpoena as this article went to press, but AOL, MSN, and Yahoo have already given the government at least some of the kinds of data it wants.

The case highlights the sensitivity of search records in general, and Google’s in particular. The company’s position at the top of the search engine food chain means that its archives could contain years of detailed logs on what millions of users search for and where they surf. (Google has not said how long it keeps such records and didn’t respond to our requests for information on the subject.)

Fortunately, there are well-established ways to rid your PC of tracking cookies, either using your browser or one of many third-party antispyware and system cleanup utilities. For detailed instructions on cleansing private information from your browser, see this month’s Internet Tips.

But ending the privacy threat that cookies pose requires action by Web sites as well as by individuals. As storage gets cheaper, system administrators at commercial sites tend to log everything and keep the data as long as possible, broadening the window for misuse. At last December’s Usenix Large Installation System Administration conference, an Electronic Frontier Foundation attorney recommended that administrators keep only the logs they need, and destroy the rest.

If Google truly wishes to live up to its corporate motto–“Don’t Be Evil”–the company should be selective about the logs that it keeps, and should chuck everything else.

http://www.pcworld.com/howto/article/0,aid,124775,tk,spxhow,00.asp

How To Build The Ultimate Network

March 8, 2008 – 6:19 PM

What organizations would want their networks to be, if only they had all the money, time and expertise in the world, is hardly a mystery. Indeed, in a way, the ultimate network is really about nothing more than the Olympics’ motto “citius, altius, fortius” rephrased as “faster, more efficient, more reliable.” Just how you go about building this network, however, is another thing entirely. “It exists in utopia,” says Info-Tech Research analyst Carmi Levy. “In reality, there’s no such thing as the ‘ultimate’ anything. The only way to achieve it is in the lab, and even then, that’s probably not even realistic.”

Although the ultimate network exists only in theory, what is realistic is to make it a target, Levy says. The best thing any organization can do is to take a tip from Friedrich Nietzsche’s superman, whose “reach forever exceeds his grasp.”

That’s good advice, perhaps, but it begs the question of how you actually go about planning for the ultimate network, even if it’s a goal you can approach without ever actually achieving it. Is it a question of spending bundles of money — just like in the days before the dot-com bubble burst — on the hottest equipment, infrastructure and software?

http://www.networkingpipeline.com/181500227