The Source of the Malware Scourge

Despite appearances, the U.S. is still the most popular place for the bad guys to place their malware code.

StopBadware.org has listed those Internet Service Providers that wittingly or unwittingly host “badware” — an umbrella term for any kind of software that insidiously installs itself on your computer. What’s interesting is that while there is one Chinese company on the list, by far the biggest culprit is one iPowerWeb Inc, based in Phoenix, Arizona, which has more than 10,000 infected sites on its servers. (By comparison, the next biggest culprit has a quarter of that.)

Badware is usually installed on a site without the owner’s knowledge, either by exploiting holes in the software that delivers content to the site, or by hacking into the site by guessing the owner’s password or making use of a hole in the server software. Victims unwittingly download the badware either by visiting the website in question or by being directed there from other websites which have been infected. Here’s a case of a fake MySpace page which lures victims to an iPowerWeb-hosted site where users give up their MySpace password. Interesting detail on how these work is here.

iPowerWeb appear to have a long history of attracting accusations that it doesn’t take this kind of thing seriously. Examples are here, here and here (from two years ago). So far there’s no press statement from iPowerWeb on its website; I’ve requested comment.

The sad thing here is that when Google and organisations like StopBadware find these hacked sites the sites are flagged and removed from Google searches, or else prefaced by a warning page. While this makes sense, it causes mayhem for the owners of these sites who are either not technically savvy enough to resolve the problem, or find themselves in limbo while their site is removed from the list after they’ve cleaned it up. A recent discussion of the problem on the stopbadware Google Group is here. (StopBadware says it will respond to appeals within 10 days and says the time is closer to two.)

One can only imagine the scale of the mess caused by all this. Hosting companies need to be smarter about monitoring this problem, or they’ll face declining custom or lawsuits.

The Lego Scam

A man after my own heart: AP reports that a man has been arrested, accused of stealing a truck full of Lego:

A 40-year-old man is behind bars, accused of stealing hundreds of thousands of dollars of a toy geared toward the 6-and-up crowd: Legos. To haul away the evidence, agents working for the U.S. Postal Inspector said they had to back a 20-foot truck to William Swanberg’s house in Reno, Nev., carting away mountains of the multicolored bricks.

Swanberg was indicted Wednesday by a grand jury in Hillsboro, a Portland suburb, which charged him with stealing Legos from Target stores in Oregon. Target estimates Swanberg stole and resold on the Internet up to $200,000 of the brick sets pilfered from their stores in Oregon as well as Utah, Arizona, Nevada and California.

When no one was looking, Swanberg switched the bar codes on Lego boxes, replacing an expensive one with a cheaper label, said Detective Troy Dolyniuk, a member of the Washington County fraud and identity theft enforcement team.

Target officials contacted police after noticing the same pattern at their stores in the five western states. A Target security guard stopped Swanberg at a Portland-area store on Nov. 17, after he bought 10 boxes of the Star Wars Millennium Falcon set. In his parked car, detectives found 56 of the Star Wars set, valued at $99 each, as well as 27 other Lego sets. In a laptop found inside Swanberg’s car, investigators also found the addresses of numerous Target stores in the Portland area, their locations carefully plotted on a mapping software.

Records of the Lego collector’s Web site, Bricklink.Com, show that Swanberg has sold nearly $600,000 worth of Legos since 2002, said Dolyniuk.

Interestingly, folk seem to have been quite happy to deal with Swanberg on Bricklink.com. He’s been registered on the site since 2002, earning praise from more than 6,000 users and getting complaints from only 11. He was still shipping up until the last minute: eight folk posted praise about dealing with him on the day he was indicted or after. Only one person seemed to harbour doubts: that person wrote on November 19, four days before Swanberg was indicted: “Wish I knew where these came from…”

Actually, this kind of scam is well documented, and this may be a copycat theft. Eagle-eyed readers may recall a piece I wrote a few months back about Douglas Havard, a phisher who was jailed in June for conspiracy to defraud and launder money. According to an earlier piece in the Dallas Observer, Havard used to steal expensive Lego sets by switching price tags on Lego boxes. The only difference was that Havard was printing his own price stickers.

What is it with Lego that turns people into criminals?

Storage Online: The Options

A reader reminded me I promised a column on how to back up files well. I’m still working on that, but here’s a good article from Marilyn Sweet, writing in the Denver Business Journal’s Bizwomen section. Her recommendations for online storage:

The company I use and depend upon is Go Daddy at www.godaddy.com. Go Daddy will rent you one gigabyte of file storage for $9.95 a year. That’s right. It’s only $10 a year to protect all your digital photos of Uncle Harry playing the accordion at your wedding and your business mailing list. Need more space? Up to 10 gigabytes of space can be rented. Look under the “Business” tab at Go Daddy’s site for online file storage. Go Daddy has 24/7 telephone support and outstanding customer service. Priceless.

A question you might ask is, “What if Go Daddy’s servers are destroyed at the same time?” I don’t want to think about what would be happening in the world if your computer and Go Daddy’s servers in Scottsdale, Ariz., were simultaneously destroyed. I suspect that worrying about my computer files would be the least of my concerns.

Some other options: www.xdrive.com, five gigabytes for $10 a month; www.box.net, one gigabyte for $2.99 a month and five gigabytes for $8.99 a month; and www.streamload.com (thanks, Mike), 10 gigabytes for $9.95 a month.

Anyone have any other ideas?

Podcast: Bacteria at Your Fingertips

Here’s another podcast from the BBC’s World Business Report: this one is on how to prevent the gunk in keyboards from killing you, and it derives from a Loose Wire piece I did for WSJ.com and The WSJ Asia on September 30. (Subscription only, I’m afraid.) Here’s a snippet:

The gunk in your keyboard could kill you. Really.

An exhaustive poll of my friends reveals that all sorts of stuff is being spilled over the average keyboard: biscuit crumbs, mango, fizzy beverage, the odd stray cornflake, nail varnish, rice, soy sauce, coffee, wine (red and white), hand cream. Under your keys lie a faithful record of every snack, lunch and beverage break you’ve had at your desk since you joined the company. It’s like typing on a pile of week-old dirty dishes.

This isn’t only somewhat gross (and likely to lead to the keyboard’s demise at some point) but it also makes your main data input device a Petri dish of bacteria and other microorganisms that could kill you before the job does. A study conducted by Charles Gerba, a professor of environmental microbiology at the University of Arizona, concluded that the computer keyboard was the fifth most germ-contaminated spot in an office. (Topped only by your phone, your desktop — home to an impressive 10 million bacteria — and the handles on the office water fountain and microwave door.) Out of 12 surfaces studied the toilet seat came in cleanest, in case you’re wondering where to have your next lunch break.

Download keyboards.mp3

Yahoo! Goes Outside For Searches

Maybe it’s just Yahoo! trying out the competition, but a press release from Tucson, AZ-based Webglimpse.net, maintainers of the Glimpse search engine, says that Yahoo! has “purchased several licenses” of its software for internal use. Glimpse is a C program for fast searching of large numbers of text files on Unix systems. It is at the core of Webglimpse, a website search engine.

WebGlimpse’s Golda Velez says: “As I understand it this will be used by Yahoo! and Overture developers as a tool to search local datasets, possibly a large code base.” Why isn’t Yahoo using its own software for this kind of thing?

Wi-Fi for the Masses Back On The Air

Lee Thorn, the former bomb-loader I wrote about a few months back (“Wi-Fi is Aiming for the Masses”, subscription required), who has been trying to help Laotians hook up to the Internet, and to each other, using Wi-Fi, tells me that he’s back in action again in Laos on a different site after some earlier problems with the military.

He also says he’s working on a similar project in South Africa, and, possibly, one on the Navajo reservation in Arizona.

Will Inspector Brown Save Us From The Phishers?

Combatting phishing ain’t easy. So how does a new weapon, Inspector Brown, mentioned in a comment to an earlier posting here on phishing, shape up?

Inspector Brown is a program that sits between you and your browser (IE only, I think, but the documentation is minimalist, to put it mildly) and warns you if a site you are visiting is a suspected phishing site: “The page you tried to access is a potential dangerous and fraudulent website,” you will be told. “You may be at risk for identity theft and financial loss if you continue with this website.” You can then choose to proceed or not.

Not a bad idea, but of course it relies entirely on the software knowing which sites are fraudulent, and this is where the system fails. The software checks a library of ‘known’ fraudulent websites updated by Inspector Brown, much as anti-virus software checks an internal library of known virus patterns. Unfortunately there are several problems with this:

  • The list depends on users submitting fraudulent websites, raising the question: Why would a user who is smart enough to recognise a fraudulent website need Inspector Brown?
  • Phishing sites are notoriously short term. Some are up only for a few hours before they are taken down, often after already doing serious damage. In this sense combatting phishing by a library of known phishing sites is as flawed as anti-virus software maintaining libraries of viruses. Unless the libraries move very quickly to not only update themselves, but update users, such tools arrive too late to help users. Indeed, phishing is even less suited to this approach, because phishing sites are no longer active after a few hours, whereas old viruses may still be floating around the Internet months, even years, after their creation.
  • The list itself is short and suspect: It includes, for example, legitimate commercial websites like Vsong.com, a Shenzhen-based manufacturer of computer and mobile phone accessories, and zapthedingbat.com, the home of celebrated anti-phisher Sam Greenhalgh. I’m sure he would be amused to find he is, according to Inspector Brown, ‘a Known Fraud’. Other peculiarities in the list are Visualsoft-tech.com, the website of VisualSoft Technologies, ‘a leading software solutions and product development company catering to diverse industry segments’ based in Hyderabad. InspectorBrown’s library calls it a ‘Bad Company’. Lawsuits, anyone?

Lastly, we just don’t know enough about Inspector Brown and how it appraises websites to trust its judgement. In this regard the company has got to be more open about what it’s doing and how it does it. All we know from the website is that the program is the work of Inspector Brown Software, based in Scottsdale, Arizona. There’s no registry data to work with. No support pages or help pages. That’s about it. Of course, they could argue it’s early days, but as it stands I think Inspector Brown, with its poor documentation, eccentric library of fraudulent sites and quirky interface, only adds to the noise instead of reducing it.
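To make the timing argument above concrete, here is an added example (not code from the original post, nor from Inspector Brown) that models how much of a fraudulent site’s lifetime a library-based warning actually covers, given a delay before some user reports the site and an interval at which the library is pushed to desktops. All site lifetimes, delays and push intervals are constructed assumptions.

```python
"""Model of the blocklist timing problem: a user is only warned about a
phishing site for the part of the site's lifetime that falls after the
list entry has reached that user's local library copy.

Added example; all figures below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    lifetime_h: float        # hours from first victim until the site is taken down
    report_delay_h: float    # hours until a user notices it and submits it


def protected_fraction(site: Site, push_interval_h: float) -> float:
    """Fraction of the site's active life during which a user whose local
    library is refreshed every `push_interval_h` hours sees a warning.

    Assumes the vendor publishes an entry as soon as it is submitted and
    users pull on a fixed schedule, so on average an entry lands on the
    desktop half a push interval after publication.
    """
    if site.lifetime_h <= 0:
        raise ValueError("lifetime must be positive")
    arrival_h = site.report_delay_h + push_interval_h / 2
    covered_h = max(0.0, site.lifetime_h - arrival_h)
    return covered_h / site.lifetime_h


def average_protection(sites, push_interval_h: float) -> float:
    """Mean protected fraction over a mix of sites."""
    return sum(protected_fraction(s, push_interval_h) for s in sites) / len(sites)


# Constructed sample: three short-lived phishing sites versus one
# long-lived site still serving an old virus months after its release.
PHISH_SITES = [Site(lifetime_h=4, report_delay_h=1),
               Site(lifetime_h=8, report_delay_h=2),
               Site(lifetime_h=24, report_delay_h=3)]
OLD_VIRUS_SITE = [Site(lifetime_h=24 * 180, report_delay_h=48)]

if __name__ == "__main__":
    for interval in (1, 24):
        print(f"library pushed every {interval:>2}h: "
              f"phishing {average_protection(PHISH_SITES, interval):.0%} protected, "
              f"old virus {average_protection(OLD_VIRUS_SITE, interval):.0%} protected")
```

With a daily push the constructed phishing sites are covered for about 12% of their lifetime while the old virus site is covered for over 98%, which is the asymmetry the post describes.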

Now, The MyDoom Backslapping

Cue trumpets. The security software folk have started congratulating themselves for saving us from MyDoom.

Here’s DeepNines Technologies, “the only company to offer a security platform that includes firewall, intrusion prevention and gateway anti-virus functionality in front of the router”, which says: “Companies that have Sleuth9 deployed in front of the router, are finding that approximately 1.5 out of every 10 emails are infected and they are successfully blocking those emails at the perimeter, thus preventing MyDoom from impacting the network.”

Here’s CrystalTech Web Hosting Inc, “a Microsoft Windows-based web host located in Phoenix, Arizona”, which says it “has effectively eliminated the threat of the MyDoom virus for over 1.2 million mail accounts and over 38,000 domains that are hosted on their network”. Customers, the company is not shy in pointing out, were impressed: “The speed and efficiency with which CrystalTech acted did not go unnoticed by their customers. Several noted on the CrystalTech message board that they were seeing few, if any, infected messages in their inboxes. The majority stated that they were seeing more in their outside accounts, with one customer stating that their free email account was full with infected messages within a day, whereas his CrystalTech account had a single infected message.”

In fact, reading this stuff you’d think the virus had only hit folk in outer space. BorderWare Technologies Inc., “The Security Appliances Company(TM)”, says “no MXtreme Mail Firewall customers have been affected by the MyDoom outbreak or any of its variants and mutations”.

And, then of course, there’s the intoxicating smell of free publicity: 0Spam.Net, “the most accurate Anti-Spam solution in the world for eliminating Spam, Pornography, Phishing (Identity Theft Fraud) and Viruses from email”, is offering “free protection against email delivery of the MyDoom virus and any variants that might appear over the next 30 days” to ISPs, companies, governmental or non-profit organizations, and extends to individuals and families as well. It’s not clear whether this offer was already in place before MyDoom hit. Now that really would have helped.

Then there are the individual heroics. My favourite is from San Diego, where, hours before the world realized what was happening, a certified Juvio computer technician, assisting a customer with a troubled computer, detected the MyDoom virus. “With no known protection codes available, the Juvio technician immediately set about to write script to defeat this destructive new virus. In a matter of minutes, the victimized customer ceased to be attacked by this malicious virus thanks to the expertise and quick skill of the attending Juvio technician. The technician immediately alerted fellow Juvio technicians to the situation and provided them with a repair solution, effectively assisting several global customers who found themselves to be in need of emergency help.” I’m not complaining, by the way: this is an uplifting tale and much more fun to read than most press releases.

The serious point in all this, I guess, is that the flood of press releases that tracked MyDoom’s progress (including interactive maps and charts), and now this self-congratulatory fluff, brings home how much money is to be made from selling stuff to protect people.

News: Yes! Another Spam Solution

I feel this blog is becoming a spamblog. Really. I plough through dozens of press releases every day just to find something good for you guys, and it’s all about spam. Here’s another one (and it’s just the headline): MailFrontier Matador(TM) 3.0 Learns and Adapts to Offer Consistent Maximum Spam Protection Over Time Also Protects Mobile Devices from the Increasing Spam Deluge. Excellent. That at least is interesting, although they’ll be really upset when they realise most screens will only show the first half, which will be MailFrontier Matador(TM) 3.0 Learns and Adapts to Offer Consistent Maximum Spam. Anyway, I digress.

MailFrontier’s new release is “the world’s smartest desktop anti-spam solution”. It even wheels in a Senator, Arizona’s Scott Bundgaard, to confirm it, although he does sound a bit like a guy trying out different brands of mouthwash. “I tried other products on the market, but only with MailFrontier Matador was I able to receive my important email and get rid of spam. Now I can avoid unwanted ads for ink cartridges or home mortgages and can focus on emails that are significant to me,” said Bundgaard.
 
Anyway, on to the product. MailFrontier Matador 3.0, it turns out, “monitors incoming email, analyzing each message to learn more about specific patterns and vocabulary that define good email and bad email for each individual. The software creates an eProfile — a custom rule set — for each individual user, which adapts over time.” Matador also, interestingly, will “filter incoming email before it gets downloaded to a wireless device” which does sound useful.
 
MailFrontier Matador is a desktop application that sells for $29.95. This includes spam signature file updates, product upgrades, and email support for one year at no additional charge. MailFrontier Matador is available for users of Microsoft(R) Outlook(R) (2000 and 2002) and users of Outlook Express(R) (5.0/5.5/6.0), and Hotmail, MSN, and IMAP, when used through Outlook Express. To download a free trial please go to http://www.mailfrontier.com/.