Pop-up probs

I have two levels of pop-up protection.

First off, I have (from of old) PopUpCop, which does a really fine job of pop-up filtering, particularly of different types and different technologies; it has a good control interface, too.

And I have the pop-up protections of SlimBrowser, which cover what PopUpCop doesn’t.

I have to be careful, though. If I tell PopUpCop to turn off scripts, then I can use the little B/I/U editing buttons in my blog (and others), since they use onclick scripts. And if I tell SB to block pop-ups based on appearance, then it treats those same onclick commands as something dangerous, and shuts down legitimate (whitelisted) pop-up windows (like, say, MT comment windows, for those who use that interface).

Annoying. Because, of course, when I let that stuff through, other crap gets through, too.

A constant struggle, I tell you. Rat bastard pop-up vendors …

Pony Express

The Pony Express was an amazing logistical feat, allowing messages to be transported from St Joseph, Missouri, to Sacramento, California, in as little as a week.

What most folks don’t realize is that it also only ran from April 1860 to October 1861. The service was halted upon the completion of telegraph lines to the West Coast.

Pony Express, meet MT-Blacklist.

I don’t know how much I am supposed to say at this point, but I have been using an alpha version of MT 3.0 for over three weeks and now that the beta testing has begun, I think it’s time for me to tell you the good and bad news.
MT-Blacklist’s time is coming to an end.
With the TypeKey authentication services and other great features of MT 3.0, it looks like there will no longer be a need for MT-Blacklist’s continued development. This is only bad news in the sense that I never was able to reach my goals with the program with regard to P2P connectivity between blacklists. In general, however, this is fabulous news for the community because the biggest negative aspect of a blacklist is that it requires maintenance. MT 3.0’s new features do not.
When I saw the original feature list, I was highly skeptical that this release would solve the problem. However, SixApart did such a fantastic and elegant job of looking at the problem from a wider perspective that I was instantly won over. This new version completely solves the problem of control over outside submission to one’s blog in such an elegant and powerful way that I myself was astounded.
I will talk about all of this more when the time is right, but I wanted to let you know that the solution is on the fast-approaching horizon.

Wow. If the creator of MT-Blacklist is that enthused, it’s difficult not to join him in that enthusiasm.

UPDATE: And a FAQ on TypeKey

Slapping myself on the wrist

From: staff@hill-kleerup.org
To: dave@hill-kleerup.org
Subject: Email account utilization warning

Um … I’ll just consider myself chided by myself (since I run hill-kleerup.org), rather than open up a copy of what I’m pretty certain is the Beagle virus.

Still, I thought it was amusing …

Name! That! Virus!

Fascinating look behind the scenes of who gets to name computer viruses — and why every virus seems to have multiple names. The answer is pretty straightforward — everybody in the anti-virus world slaps their own name on things. But the race to be the first to report often results in confusion for security experts, not to mention end-users.

Schmugar at Network Associates said he has named about 200 viruses and worms, though not all have stuck. He tries to pick a name that refers to something unique or memorable about a virus’s coding or behavior. In the recent case, he noticed the words “my domain” in the computer worm’s programming. The words stuck in his mind, probably because they were related to the worm’s advanced address-building capability. He shortened the reference to “mydom.” Then he stuck in an extra “o,” making “doom” part of the name.
[…] That afternoon, Network Associates started warning its corporate customers about the “MyDoom” computer worm. (Its full name, “W32/Mydoom@MM” also contains information recognized by computer security workers about what operating systems the worm hits and how it replicates itself.) Customers of Symantec Corp., meanwhile, got warnings about a worm called “Novarg.” Trend Micro warned customers about a worm it called “Mimail.r.”
Symantec derived its name from another, encrypted line of coding in the same worm; Trend Micro first thought the worm was a variant of a bug called “Mimail” because the two had some traits in common, and identified it as a sequel of that worm.
There is a simple rule for which company gets naming rights: The person or company that finds and posts information about a virus first gets to name it. But that’s a rule that is often dropped in the heat of the moment. It’s not clear whether Network Associates actually named the worm first or not — but “MyDoom” is the name that caught on.
[…] “By the time we realized what was happening,” said Shipp at MessageLabs, “Network Associates had already attached the name ‘MyDoom’ and we thought that was pretty good. . . . ‘Novarg’ didn’t really trip off the tongue, but ‘MyDoom’ just seemed to be the name that everyone was going to go for.”

The only rule that everyone seems to follow is to avoid naming it after the virus writer (however identified in the code) or with the name the writer intended.

Interesting stuff.

The Beagle has landed

And this week’s entry into Increasingly Nasty Worms and Virii goes to W32.Beagle.J@mm (and similar names), which is busy spreading joy across the Internet.

The worm arrives as an e-mail from “administrator” or “support” or some other official-sounding type from your own domain. It tells you in reasonable English about a problem with your e-mail account, and conveniently includes a Zip file for you to open, along with its password.

Needless to say, once opened and executed, it does all sorts of nasty things.

And, needless to say, you should:

  1. Have a good anti-virus program and a current subscription to its updates protecting your system at all times.
  2. Not open e-mail attachments unless it’s someone you know and an attachment you’re expecting. If you get something that looks official, go to your ISP or host’s (or the company that it claims to be from’s) web page and look for a mention of it there.
  3. See #1.

Etc., etc., etc.

All this should go without saying, but apparently cannot be.

(via Les and others)

No worries

Doyce noted with some worry yesterday that computers are on the verge of being smarter than humans when it comes to chess. On the other hand, it may be a good thing that computers (or, more properly, software programs) are beginning to be more accurate than humans when it comes to spam.

The authors of two spam filters, CRM114 and DSPAM, announced recently that their filters have achieved accuracy rates ten times better than a human is capable of. Based on a study by Bill Yerazunis of CRM114, the average human is only 99.84% accurate. Both filters are reporting to have reached accuracy levels between 99.983% and 99.984% (1 misclassification in 6250 messages) using completely different approaches (CRM114 touts Markovian, while DSPAM implements a Dolby-type noise reduction algorithm called Dobly).

I’ll note that my own lowly Bayesian filter, POPfile, is currently running around 98.24% accurate (including its training period). I’m almost worried about getting a higher accuracy rate — much better, and I’d slack off in checking to see if there were any false positives, which might not be a good thing.

(via BoingBoing)

Moving right along …

Is it my imagination, or has blog comment spam dropped way off?

I certainly haven’t received any at my sites for a couple of weeks.

Weeellll … now that I look at my Activity Log, I can see two or three hits a day that ran up against MT-Blacklist. So maybe the answer is that my blacklist is pretty effective right now. Huzzah!

Phases

I always find it interesting how spam comes in subject waves. I don’t know if it’s separate scam artists moving along in a pack from one rip-off to another, or if it’s a sign of a single scammer using multiple spam routes to get his/her message out.

Anyway, I suddenly have a ton of messages from different sources offering me Tylenol 3 with Codeine (or “Codeine Tylenol3,” as they all say, increasing the likelihood of it being the second alternative above). It’s enough to give me a head-ache, I’ll tell you …

Our company finally put in a new spam filter, CipherTrust’s IronMail. It’s cut the first-thing-in-the-morning spam count from 80 to about 10, so that’s good.

A sign things aren’t quite right

When I have a message in my inbox from “anna” at hill-kleerup.org, sent to “ted” at hill-kleerup.org … and I’m pretty darned certain there aren’t any folk here by either name.

In the Blacklist

As inspired by ScriptyGoddess (who gets lots of comment spam), I’m offering access to my own blacklist that I use with MT-Blacklist; it includes both the canonical list, ones I’ve added (I always report to the official list, but I don’t track which ones are accepted in), and ScriptyGoddess’s as well.

I’ve also put a link in the sidebar, up toward the top.

Have fun.

Infectious

In case you’ve been under a rock, there’s a new computer virus in town, the MyDoom or Novarg virus.

The virus–known as MyDoom, Novarg and as a variant of the Mimail virus by different antivirus companies–arrives in an in-box with one of several different random subject lines, such as “Mail Delivery System,” “Test” or “Mail Transaction Failed.” The body of the e-mail contains an executable file and a statement such as: “The message contains Unicode characters and has been sent as a binary attachment.”
“It’s huge,” said Vincent Gullotto, vice president of security software maker Network Associates’ antivirus emergency response team. “We have it as a high-risk outbreak.”
In one hour, Network Associates itself received 19,500 e-mails bearing the virus from 3,400 unique Internet addresses, Gullotto said. One large telecommunications company has already shut down its e-mail gateway to stop the virus.
Once the virus infects a Windows-running PC, it installs a program that allows the computer to be controlled remotely. The program primes the PC to send data to the SCO Group’s Web server, starting Feb. 1, a virus researcher said on the condition of anonymity.

As always, update your AV software; if it hasn’t been automatically updated yet, then manually go out and grab the current signature file and engine. Etc.

UPDATE: The following is from the NAI AV site:

This is a mass-mailing and peer-to-peer file-sharing worm that arrives in an email message as follows:
From: (spoofed email sender)
Subject: (Varies, such as)
– The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
– The message contains Unicode characters and has been sent as a binary attachment.
– Mail transaction failed. Partial message is available.
– Error
– Status
– Server Report
– Mail Transaction Failed
– Mail Delivery System
– hello
– hi

More info is also available at Symantec’s site.

Brothers under the sig line

I’d like you to meet my sons, Andrew. Oh, and Matt, too. Matt, say hi to the folks. Ah, and there’s Steve and George, playing backgammon in the corner. Cool. Good to see you guys, are your rooms cleaned up?

At least, I assume they’re my sons, since they’re using the hill-kleerup.org domain for their e-mail addresses. At least that’s what some spammers think, based on what’s showing up in my in-box, i.e., mail to andrew, matt, steve, and george at hill-kleerup.org.

Heh.

Moo

Given that I walked in the door this morning and found I had 360-odd spams in my in-box, this looks increasingly probable.

UPDATE: Hey, maybe if I put in the link to the cartoon page, not the banner ad thereon, people would actually think it’s funny! (Thanks, Julia.)

Spam strategies

I’ve been having pretty good success with MT-Blacklist in blocking (or removing) comment spam.

The approach it takes is interesting. Rather than trying to track IP addresses (which can be spoofed) or e-mail addresses (which can be spoofed even more easily), it looks at URLs, links in the comment. If they are on the blacklist, it gets blocked.

(You can also use that to block certain text, but that’s not the way it’s designed to work.)

So, why not take that approach with e-mail spam? Aside from viruses and Trojan Horses and the like, what really sets e-mail spam apart is the links to the commercial sites. The verbiage it’s all wrapped up in makes no difference to a large degree (as seen in some recent efforts to spoof Bayesian filters). If the link isn’t usable and visible, the e-mail has done no good. And since URLs must be established to do any good, and that costs money and takes effort, it seems like a better way to strike back at spammers.

Are there any mail spam products that focus just on URLs? It really seems to me that would be a superior approach. Unless I’m missing something.

Usenet Thread of the Beast

Fascinating November Usenet (alt.internet.search-engines) discussion thread here on blog comment spam — from the perspective of the spammers.

What’s more your sexy lingerie site would be a pr8 right now if you also did guestbook, memberlist, and blog posts instead of dropping to a pr6 as it has. (it was a pr7 last month). You’re becoming too ethical and that is stopping you from doing better than you can.

Well, we can’t have that, now, can we? The other person responds, no doubt with accuracy:

You assume too much, when it comes to making money I lower my ethics considerably.

All sorts of fun (as in “like watching bugs under a lifted rock”) discussion of guest books, pageranks, dummy websites, and other ways to game Google for fun and profit.

(via Les)

Petard

You don’t mean to tell me that companies that pander to spammers — most of whom redolent frauds — might themselves be frauds? Say it ain’t so, Joe!

This site purchased a couple of those CDs you get spam for, the ones that say they have zillions of legit e-mail addresses that you can then use for your own spamming operation. The result of the analysis:

  • Over half the addresses are duplicates (triplicates, or more, up to 14x).
  • A large number of spam abuse addresses for various ISPs and organizations show up. Yeah, that’ll sell those enlargers all right.
  • A large number of invalid addresses (like “wu.html” as a domain).
  • Lots of other useful addresses for hawking viagra, like embassies, airports, and other spammers.

You get what you pay for. Or what you deserve, in this case.

(via BoingBoing)

What have you got in your in-box?

An Open Letter to Businesses Sending Out E-Mail, Capital One in Particular:

Given the wide array of Internet e-mail scams and spoofs and phishing expeditions, if you send out an e-mail suggesting people go to a web site, or call a phone number, to update their account information, I strongly suggest:

1. You make sure the website links in the e-mail are on your primary domain.

2. You make mention of the e-mailing or initiative that prompted it somewhere prominently on your main page.

and/or

3. You make sure the phone number you suggest people call is prominently displayed on your website, perhaps in conjunction with #2.

Otherwise, you’ll have irritating people like me sending you annoying e-mail messages asking if this is a hoax or not, then, when informed it is not, writing snarky blog entries about how you should go about doing such mailings.

Thanks. And Happy Holidays.

*** Dave

Tricksy little devils

My old Thursday Thumb-Twiddler meme blog is being left up as something of a honey-pot for comment bloggers. I get a number of posts each day left there, most of which are of the standard type (laundry lists of pr0n sites).

Over the past few days, I’ve noticed something a bit sneakier — site names that look normal, but which are, in fact, self-forwarding sites or gateways to pr0n sites of various sorts. If I didn’t know that the posts going there are likely spam, if they weren’t clustered together, and I didn’t actually check some of them out, I might pass them by. Especially since they are embedding the URL in the URL field, and posting with an innocuous “Mine are up!” body.

As it is, they get sighted, reported, and zapped. Huzzah!

Zapped

MT-Blacklist and comment spam on my blogs.

Twenty-two automatically blocked since 12/1.

Another two-three dozen semi-automatically removed (and reported to the central blacklist).

Sweet.

Zap

Two instances of comment spam this morning, and a couple of others over the past few days. These tend to be of two types:

1. Gosh! I love your page. Here’s a long list of links to various pr0n and gambling sites you may enjoy.

These are easy to spot. They may not even include the “Gosh! I love your page” part.

2. Good insight. Here’s what I got on the test. Interesting article.

These are a lot less easy to spot, on the surface. I get a number of relatively innocuous postings like this, too. They don’t have long lists of links — but they do include a link to a commercial site in the poster’s URL. They may not be pr0n sites; they could be hosting sites, or book sites, or others; I’ve seen several instances of this.

That means they get through the initial MT-Blacklist screen — but are still visible to Google (hence their worth to the spammer) and to me (hence my ability to quickly swat them before they give a Google boost).

And I do spot them, folks. I read pretty much every comment that goes up here (the number is not that staggering, and a list is kept up at the top of the blog — you may have noticed it). And I get mail copies of all blog comments, too, which makes such sins even easier to spot.

(I could, I suppose, mask the URL of commenters just as I do the e-mail. But I find it a useful identifier. So I won’t.)

In any case … just don’t try it. Okay? Because I spot them, and yank them, and screen against them in the future. And because I report these things to the MT-Blacklist clearinghouse, too, and they put them on the master list of Nasty URLs, and that means even folks who aren’t as diligent about screening their blog comments will be protected.

Beware of Dog. Keep Out. No Soliciting. Trespassers Will Be Prosecuted.

UPDATE: Note that this applies to (a) unsought solicitations and (b) hijacking my blog to boost the Google ranking of your commercial site, legit or not. It does not apply to people posting inane or contrary or dissenting or goofy comments. Those I leave, unless they are simply a personal insult. Even then I’m likely to leave them as examples of the idiocy of the commentator, since they are almost inevitably riddled with errors grammatical, orthographical, semantic, and logical.
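The URL-based screening described in the “Spam strategies”, “Tricksy little devils” and “Zap” posts above, as an added example (not MT-Blacklist’s own code): it checks links in the comment body and in the commenter’s URL field against a domain blacklist, and shows why an unlisted commercial URL passes the first screen until someone reports it. The blacklist entries, sample comments and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed blacklist entries (placeholder domains, not from any real list).
BLACKLIST = {"spam-pills.example", "casino-links.example"}

# Rough matcher for links pasted into free text.
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def extract_hosts(comment):
    """Return lowercase hostnames from the comment body and the author URL field."""
    candidates = URL_RE.findall(comment.get("body", ""))
    author_url = comment.get("url", "").strip()
    if author_url:
        # People type "example.com" into the URL field without a scheme.
        if "://" not in author_url:
            author_url = "http://" + author_url
        candidates.append(author_url)
    hosts = set()
    for url in candidates:
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed netloc, e.g. an unclosed IPv6 bracket
            continue
        if host:
            # Drop sentence punctuation that got glued onto the link.
            hosts.add(host.strip(".,;:)").lower())
    return hosts


def blacklisted_hosts(comment, blacklist=BLACKLIST):
    """Hosts that equal a blacklist entry or are a subdomain of one."""
    hits = set()
    for host in extract_hosts(comment):
        labels = host.split(".")
        # Check the host and each parent domain, but never a bare TLD.
        for i in range(len(labels) - 1):
            if ".".join(labels[i:]) in blacklist:
                hits.add(host)
                break
    return hits


def screen(comment, blacklist=BLACKLIST):
    """Return ("block", [hosts]) or ("allow", [])."""
    hits = blacklisted_hosts(comment, blacklist)
    return ("block", sorted(hits)) if hits else ("allow", [])


# Constructed sample comments mirroring the types described in the posts.
LAUNDRY_LIST = {"body": "Gosh! I love your page. http://www.casino-links.example/win "
                        "http://harmless.example/page", "url": ""}
SNEAKY = {"body": "Mine are up!", "url": "HTTP://Cheap.Spam-Pills.example/"}
INNOCUOUS = {"body": "Good insight. Interesting article.", "url": "book-deals.example"}
LEGIT = {"body": "I disagree with this post entirely.", "url": ""}

if __name__ == "__main__":
    for name, c in [("laundry list", LAUNDRY_LIST), ("sneaky", SNEAKY),
                    ("innocuous", INNOCUOUS), ("legit", LEGIT)]:
        print(name, screen(c))
    # Once the unlisted domain is reported and added, the same comment is blocked.
    print("after report", screen(INNOCUOUS, BLACKLIST | {"book-deals.example"}))
```

The third sample is the maintenance cost the posts mention: the filter only knows the domains that have already been reported.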