Antivirus: August 2007 Archives
There are several lessons to be learned from the recent penetration of monster.com and the subsequent phishing attempts. In this attack, recruiter accounts were compromised and used to download around a million Monster user records. These records were used to create targeted phishing attacks purporting to be from interested employers.
The first thing I'm wondering is how these recruiter accounts were compromised. Was the account brute-forced? If so, why did Monster allow the use of weak passwords? Why didn't Monster lock the account after numerous bad password attempts? I sure hope the people whose accounts were compromised didn't use that password anywhere else, or, if they did, they should be frantically changing them.
Even if the account(s) were compromised through the use of a keystroke logger on the recruiter's system, why were they able to download so many records? Shouldn't that raise some sort of red flag?
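The two controls the questions above are asking for, a lockout after repeated bad passwords and an alarm on abnormally large record exports, as an added Python example (not code from the original post or from Monster). The thresholds, window sizes, account names and the login and export event streams are assumptions constructed for illustration.

```python
"""Added example, not from the original post: a lockout counter for failed
logins and a rolling-window alarm on bulk record exports.  Every threshold,
account name and event below is an assumption constructed for illustration."""
from collections import defaultdict, deque

MAX_FAILURES = 5            # assumed: bad passwords inside the window before lockout
FAILURE_WINDOW_S = 900      # assumed: failures are counted within 15 minutes
LOCKOUT_S = 1800            # assumed: account stays locked for 30 minutes
EXPORT_THRESHOLD = 500      # assumed: more records per hour than a legitimate recruiter pulls


class LoginGuard:
    """Refuses logins, even with the right password, while an account is locked out."""

    def __init__(self):
        self._failures = defaultdict(deque)  # account -> timestamps of recent bad passwords
        self._locked_until = {}              # account -> time the lockout expires

    def attempt(self, account, ts, password_ok):
        """Return 'locked', 'ok' or 'failed' for one login attempt at time ts (seconds)."""
        if self._locked_until.get(account, 0) > ts:
            return "locked"
        if password_ok:
            self._failures.pop(account, None)    # a success resets the failure count
            return "ok"
        recent = self._failures[account]
        recent.append(ts)
        while recent and ts - recent[0] > FAILURE_WINDOW_S:
            recent.popleft()                     # drop failures older than the window
        if len(recent) >= MAX_FAILURES:
            self._locked_until[account] = ts + LOCKOUT_S
            recent.clear()
            return "locked"
        return "failed"


def flag_bulk_exports(events, threshold=EXPORT_THRESHOLD, window_s=3600):
    """events: (ts, account, records_exported) tuples.  Returns {account: (ts, total)}
    for every account whose exports inside a rolling window exceed the threshold,
    recorded at the first moment the threshold is crossed."""
    window = defaultdict(deque)
    running = defaultdict(int)
    flagged = {}
    for ts, account, count in sorted(events):
        q = window[account]
        q.append((ts, count))
        running[account] += count
        while q and ts - q[0][0] > window_s:
            _, old = q.popleft()                 # age out exports older than the window
            running[account] -= old
        if running[account] > threshold and account not in flagged:
            flagged[account] = (ts, running[account])
    return flagged


def demo():
    """Constructed scenarios: one brute-forced account, one slow guesser, two exporters."""
    guard = LoginGuard()
    burst = [guard.attempt("recruiter.a", 100 + i, False) for i in range(5)]
    after_lock = guard.attempt("recruiter.a", 110, True)      # right password, still locked
    after_expiry = guard.attempt("recruiter.a", 2000, True)   # lockout has lapsed
    slow = [guard.attempt("recruiter.b", i * 1000, False) for i in range(5)]  # never 5 in 15 min
    exports = [
        (0, "recruiter.a", 50), (600, "recruiter.a", 50), (1200, "recruiter.a", 50),  # normal use
        (0, "recruiter.x", 300), (300, "recruiter.x", 300),                          # bulk pull
    ]
    return burst, after_lock, after_expiry, slow, flag_bulk_exports(exports)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The slow guesser shows the limit of a pure lockout: five failures spread over an hour never trip it, which is why the export-volume alarm is the second control rather than a replacement for the first.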
In the case of the phishing, users need to be aware that requests for their personal, bank and credit information need to be treated with suspicion. Beware what information you make available on such a site in the first place.
As I wrote about this morning, I've had some issues with SAV 10.1.6.6010 and ccapp.exe.
The first issue, with ccapp and vptray not loading, was traced to bad permissions on the files msvcp71.dll and msvcr71.dll. The logged-on user didn't have rights to the files, which are needed for ccapp.exe and vptray.exe to run. That problem is solved. Let's hear it for Process Monitor from Microsoft.
I called Symantec about the SMTP issues. They suggest that I remove the internet email scanner where it is a problem. Seems odd after all these versions that I'd suddenly have a problem with it. I checked with my fellow Symantec Admins over at myitforum but no one else has had this happen. Looks like I'll be deploying without the Internet email plugin.
I had one other problem, on one computer: ccapp.exe - Application Error. The instruction at "0x010e1fe0" referenced memory at "0x010e1fe0". The memory could not be read.
After uninstalling the internet email scanner the problem did not return in our brief testing. I'll have to keep an eye on that.
I'm trying to upgrade my Symantec Antivirus CE to 10.1.6.6010. In the small test group I've got going right now, I've got two issues.
1. The error "The application failed to initialize properly 0xc0000022." for both ccapp.exe and vptray.exe occurs when the guest account logs in. (I need to do some checking to see what happens when I log in as a regular user.)
Investigation with Sysinternals Process Monitor shows that it checks for msvcp71.dll in c:\program files\common files\symantec shared\. Not finding it there, it finds the DLL in system32. After opening it, it then tries to write to it. Of course, regular users cannot write to DLLs in system32. Actually, on my computer, it looks like the user who did the installation gets full control and no one else gets any access.
Another user reports that ccapp crashes at logout and the account never successfully logs out.
2. I'm also having reports of trouble sending email, but I haven't checked into that yet.
I'll either update this post when I get to a solution, or create a new post with a trackback to here.
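An added Python example, not code from the post or from Symantec, that does offline what the Process Monitor investigation above did by hand: it filters a Procmon CSV export for ACCESS DENIED results on DLLs by ccapp.exe and vptray.exe, and lists every location a process tried for a given DLL and what happened at each. The header row is Process Monitor's default CSV export; the rows themselves are constructed to mirror the post, not a real capture.

```python
"""Added example, not from the original post: filter a Process Monitor CSV export
for the DLL access pattern described above.  The column headers are Procmon's
default CSV export; the rows are constructed to mirror the post, not a real capture."""
import csv
import io
import re

# Constructed sample (assumption): what a Procmon export of the failing logon might contain.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:01:12.0012345 AM","ccapp.exe","1234","CreateFile","C:\Program Files\Common Files\Symantec Shared\msvcp71.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"8:01:12.0023456 AM","ccapp.exe","1234","CreateFile","C:\WINDOWS\system32\msvcp71.dll","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"8:01:12.0034567 AM","ccapp.exe","1234","CreateFile","C:\WINDOWS\system32\msvcp71.dll","ACCESS DENIED","Desired Access: Generic Write, Disposition: Open"
"8:01:12.0045678 AM","vptray.exe","1240","CreateFile","C:\WINDOWS\system32\msvcr71.dll","ACCESS DENIED","Desired Access: Generic Read/Write, Disposition: Open"
"8:01:13.0000000 AM","explorer.exe","800","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Type: REG_SZ, Length: 44"
'''

SYMANTEC_PROCESSES = ("ccapp.exe", "vptray.exe")
_ACCESS_RE = re.compile(r"Desired Access:\s*([^,]+)")


def load_events(csv_text):
    """Parse Procmon CSV text into a list of dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_denied_dll_access(csv_text, processes=SYMANTEC_PROCESSES):
    """Return (process, path, desired access) for every ACCESS DENIED on a .dll by the
    given processes: the rows that explain 0xc0000022 (STATUS_ACCESS_DENIED) at startup."""
    hits = []
    for ev in load_events(csv_text):
        if (ev["Process Name"].lower() in processes
                and ev["Result"] == "ACCESS DENIED"
                and ev["Path"].lower().endswith(".dll")):
            m = _ACCESS_RE.search(ev["Detail"])
            hits.append((ev["Process Name"], ev["Path"], m.group(1).strip() if m else ""))
    return hits


def search_order(csv_text, dll_name):
    """Return (path, result) for every CreateFile on dll_name, in capture order, which
    shows where the process looked for the DLL and what happened at each location."""
    return [(ev["Path"], ev["Result"])
            for ev in load_events(csv_text)
            if ev["Operation"] == "CreateFile"
            and ev["Path"].lower().endswith("\\" + dll_name.lower())]


if __name__ == "__main__":
    for hit in find_denied_dll_access(SAMPLE_CSV):
        print("DENIED", *hit)
    for step in search_order(SAMPLE_CSV, "msvcp71.dll"):
        print("LOOKUP", *step)
```

On a real capture, export from Procmon with File > Save as CSV and pass the file's text to these functions; the "Desired Access" field in the ACCESS DENIED row is what distinguishes a read the ACL should allow from a write that no standard user should ever be granted on a system32 DLL.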
Over at BroadbandReports, I ran across a thread linking a wilderssecurity thread with screenshots to just about every antivirus product. One of the posters noted that some of these antivirus products allow you to "skin" them.
Call me an old fuddy-duddy, but skins have no place on antivirus products. I seem to recall both Winamp and RealPlayer having security vulnerabilities due to their skins. That may be acceptable for media players, which need to be hip. I just expect my antivirus to work. I don't want to know it's there.
We had a couple of viruses get past MessageLabs last night. That is not something I normally see. Both files were named lgame.zip and contained a single file, lgame.exe. The subject of the message was "Hot Pictures." Sunbelt Software's analysis of this file is really good. You can view that online here.
The email messages were detected as a virus by the scanner on the mail server. It was detected as Mal/Dropper-L.
I plan to report this false negative to MessageLabs, but their support has been very unresponsive to similar incidents. Their script requires me to save the infected message in .msg format, zip it and mail it to them. Because my mail server antivirus quarantined the attachment, it would be very difficult to reconstruct the original message.
I submitted the file to VirusTotal. Here are their results (this is 7 hours after the files were originally sent).
File lgame.exe received on 08.13.2007 15:00:28 (CET)

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.8.9.2 | 2007.08.13 | - |
| AntiVir | 7.4.0.60 | 2007.08.13 | Worm/Ntech.D |
| Authentium | 4.93.8 | 2007.08.11 | - |
| Avast | 4.7.1029.0 | 2007.08.13 | Win32:Agent-JYG |
| AVG | 7.5.0.476 | 2007.08.13 | - |
| BitDefender | 7.2 | 2007.08.13 | DeepScan:Generic.PWS.Games.4.2D9F7732 |
| CAT-QuickHeal | 9.00 | 2007.08.13 | - |
| ClamAV | 0.91 | 2007.08.13 | Trojan.Dropper-2099 |
| DrWeb | 4.33 | 2007.08.13 | BackDoor.Bulknet |
| eSafe | 7.0.15.0 | 2007.08.10 | - |
| eTrust-Vet | 31.1.5055 | 2007.08.13 | Win32/Cutwail!generic |
| Ewido | 4.0 | 2007.08.13 | - |
| FileAdvisor | 1 | 2007.08.13 | - |
| Fortinet | 2.91.0.0 | 2007.08.13 | - |
| F-Prot | 4.3.2.48 | 2007.08.10 | - |
| F-Secure | 6.70.13030.0 | 2007.08.13 | Trojan-Downloader:W32/Agent.BRK |
| Ikarus | T3.1.1.12 | 2007.08.13 | Trojan-Downloader.Win32.Agent.brk |
| Kaspersky | 4.0.2.24 | 2007.08.13 | Trojan-Downloader.Win32.Agent.brk |
| McAfee | 5095 | 2007.08.10 | - |
| Microsoft | 1.2704 | 2007.08.13 | - |
| NOD32v2 | 2455 | 2007.08.13 | a variant of Win32/TrojanDownloader.Agent.BRK |
| Norman | 5.80.02 | 2007.08.13 | - |
| Panda | 9.0.0.4 | 2007.08.12 | - |
| Prevx1 | V2 | 2007.08.13 | - |
| Rising | 19.36.02.00 | 2007.08.13 | - |
| Sophos | 4.20.0 | 2007.08.12 | Mal/Dropper-L |
| Sunbelt | 2.2.907.0 | 2007.08.11 | - |
| Symantec | 10 | 2007.08.13 | Trojan.Pandex |
| TheHacker | 6.1.8.167 | 2007.08.13 | - |
| VBA32 | 3.12.2.2 | 2007.08.11 | - |
| VirusBuster | 4.3.26:9 | 2007.08.12 | - |
| Webwasher-Gateway | 6.0.1 | 2007.08.13 | Worm.Ntech.D |

Additional information
File size: 20992 bytes
MD5: dfade0d9b21be4fd57dd6975d9fe7ccd
SHA1: 31786e2b62ce7b79c9bed6bd0cfd9c01b3ef67e6
Update: MessageLabs did realize they had let this through and sent us a list of messages to delete. Unfortunately, they sent it to the lead contact (who was on vacation) rather than to all of us. Fortunately, we'd already caught those messages.



