Archive for the ‘Spyware’ Category.
August 18, 2008, 7:08 pm
We all know that malicious ads can be hosted by legit sites. Generally being fully patched (including third party apps) is a good protection against most attacks other than social engineering.
Ryan Naraine of The Zero Day Blog over at ZDNet reports that malicious Adobe Flash ads are being used to hijack the clipboard until the browser is closed.
I kind of expected to be protected against this because I set IE to prompt before allowing programmatic access to the clipboard. A proof of concept quickly disproved that theory.
Further searching the feeds I read regularly finds mention of this a week ago in the Spywaresucks blog.
Then this guy says he’s seen it back in July.
The domain injected into the clipboard is for rogue software antivirus 2008 xp. The domain has been used for bad going back to at least April 2008.
April 14, 2008, 2:35 pm
The SANS ISC Diary has a good write up of the Subpoena in a Civil Case malicious email. Wish I had seen that before investigating the copy our CEO received.
The message is from subpoena@uscourts.com with a display From of United States District Court. It says:
YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury of the United States District Court at the place, date, and time specified below.
It has a link to download a document on the matter. The website prompts to install a malicious ActiveX control.
The malware we received doesn’t seem to be the same file the ISC is reporting.
March 31, 2007, 7:48 pm
Webroot has posted the Q107 State of Internet Security.
March 24, 2007, 12:59 pm
http://www.networkworld.com/columnists/2007/032607edit.html
In a recent study about spyware by Nemertes Research, Senior Vice President Andreas Antonopoulos was surprised to find that 16% of the companies examined were not concerned about the threat.
The article notes that the reason for this isn’t lack of computer security spending at the companies in question. Nor is it because the companies are small. Frustratingly, the article doesn’t explore further why this is the case. Perhaps it’s in the study, but since that study is cited but not linked we are left to speculate.
Perhaps the companies are not concerned because they’ve solved the problem.
Eugene Kaspersky believes that spyware should be addressed by antivirus vendors, not a separate product. Perhaps these companies feel their antivirus is good enough.
Perhaps they use HIPS and feel that prevents the spyware from being installed in the first place.
Perhaps users aren’t given local administrator rights.
Perhaps they just have bigger concerns.
At our company we’ve used an anti-spyware product ever since enterprise ready anti-spyware became available.
January 25, 2007, 8:11 pm
I was a fan of Gerhard Eschelbeck when he was with Qualys. He’s been pretty much off my radar since he took the CTO position at Webroot. Today he comes out swinging against Windows Defender as reported in Information Week.
“If you look at the [Defender] data points, they speak for themselves,” says Eschelbeck. “Defender didn’t block 84% of the tested malware. That’s not the kind of performance users are hoping for.” Eschelbeck says that his firm’s research team tested Defender against a suite of Trojan horses, adware, key loggers, system monitors, and other unwanted programs, all of which were gathered from in-the-wild threats. Webroot’s own Spy Sweeper blocked 100% of the threats.
Hmm, so in tests where they gathered the malware, their own antispyware program detected everything and the competitors didn’t do so well. That’s quite a shock.
Take a look at Sunbelt Software’s response when Webroot and Veritest released results last spring.
Eschelbeck also slammed Windows Defender, and by connection, Vista’s security, for infrequent updates. Microsoft currently issues spyware definition updates every seven to 10 days, he says. Webroot, meanwhile, identifies approximately 3,000 new traces of spyware every month. “Users can’t wait for a week or so to have their anti-spyware signatures updated,” says Eschelbeck.
So Eschelbeck is comparing frequency of updates to number of detections added. Apples/Oranges anyone? Hopefully that is the writer’s mistake.
I know nothing about Windows Defender frequency of updates. I do like that it uses an established update channel like Windows Update. However, I prefer my anti-malware apps on the desktop to check for updates hourly.
November 9, 2006, 11:18 am
Getting hit with some spyware laden links here at work. Our blocker got it no problem. But for everyone without IM protection watch out for
hxxp://nsl-school.org/?id=18388
hxxp://nsl-school.org/?id=winning_list
hxxp://mytermex.com/?news_id=18388
hxxp://mytermex.com/?id=virus_shield
hxxp://nsl-school.org/?id=news X-(
http changed to hxxp to avoid anyone accidentally infecting themselves. If you go to the sites, you’re on your own.
October 18, 2006, 10:49 pm
In other news the sky is blue. Porn sites are sleazy. And everything isn’t as it seems on myspace.
http://sourcewire.com/releases/rel_display.php?relid=27686&hilite=
A survey of over 600 UK respondents showed that young men are significantly more likely to be infected with spyware than their female counterparts. The likelihood of infection was increased by the risky online behaviour of young males, such as opening instant messages (66%), downloading files (65%) and visiting adult entertainment sites (56%).
“The chances of becoming infected with spyware rapidly increase when performing certain online behaviour, such as visiting adult entertainment sites or social networking sites such as MySpace.com,” said David Moll, CEO of Webroot. “These sites have become a breeding ground for spyware.”
September 19, 2006, 9:56 am
Suzi Turner asks, “should antispyware products detect cookies” in her latest blog entry at ZDNet.
Here are some test results from Ben Edelman on how various antispyware programs treat cookies.
I’m coming at this from the perspective of a corporate information security guy. Several years ago, I started an initiative to purchase enterprise ready antispyware. It was readily apparent that spyware was a problem. Users were installing unlicensed copies of software like adaware and spybot s&d. After reviewing the “free” license, it was apparent that the company could be liable to software piracy charges, particularly since the corporate helpdesk was often the party installing this software. We purchased Webroot Spysweeper Enterprise to resolve this issue.
When we rolled out Webroot, one of the common complaints I heard was that it wasn’t detecting as much. The “free” antispyware products were deleting all the cookies and including that in the detected spyware count. I find that disingenuous.
I debated turning on the cookie detection in Webroot, but it seemed like I was losing cookies that were remembering my login information on various sites. My Techtarget cookie was a regular target.
I continued the rollout without enabling cookie detection. There have been many versions of Webroot Spysweeper since then. I wonder if it’s time to take another look at detecting cookies.
July 17, 2006, 11:14 pm
I added two Websense RSS feeds into my RSS Reader today. One feed is for alerts. It contains alerts about new phishing attacks or interesting dangerous sites. The other feed is their blog.
http://www.websense.com/securitylabs/RSSFeed.php