Posted on July 7, 2008 at 5:43:17 PM
This new version has been in development and beta testing for quite some time, and is probably one of the most solid releases of this product ever, going back to its beginning as the Kerio Personal Firewall.
The biggest addition is support for Vista 32 bit (with 64 bit native support on the roadmap).
However, there's been a lot of under-the-hood improvements in many areas. These include:
• Significant improvement in network performance
• Significant improvement in packet filtering
• Enhanced process injection prevention, blocking code injection attempts into Windows system DLLs.
• Numerous stability issues corrected in the firewall service.
• Significant improvement in overall product stability.
• Updated Intrusion Detection rules
• Updated translation files for multiple languages
The new version can be downloaded here, and it will also be available through the "Update" function inside SPF toward the end of the week.
The completion of this major development exercise lays the foundation for SPF's inclusion into a future release of VIPRE, our upcoming antivirus+antispyware product.
Alex Eckelberry
Posted on June 27, 2008 at 4:28:10 PM
Something cute that we saw with an Antivirus XP 2008 install (to clarify, this is a fake error page generated through a running process from the Antivirus XP 2008 Trojan).
When I get some time, I hope to get a video of something else that is similar.

Alex Eckelberry
(Thanks, Adam Thomas)
Posted on June 27, 2008 at 12:41:36 PM
This ad, which is nearly impossible to read (white text on a black background being one of the Bad Things in advertising), is a sarcastic, poking-fun kind of ad selling HP notebooks with an AT&T broadband wireless card.
But if you can actually read it (doubtful), you might find some oddness in it, like this:
"Of course, we don't recommend this, but you could drive through residential neighborhoods to look for homes with Wi-Fi that isn't encrypted. Tip: sometimes the password is "password". Be sure to have all your important files on your hard drive. Don't count on somebody to send you files."
I get the point, but...

Alex Eckelberry
(Thanks to Adam Thomas)
Posted on June 24, 2008 at 8:54:52 PM
These are good folks and I'm happy we're working together. They are using our Linux-based CounterSpy SDK (soon evolving to a Linux-based VIPRE SDK).
Clearswift today announced a new partnership with Sunbelt Software to further enhance its powerful MIMEsweeper Web Appliance, the most sophisticated web browsing security engine on the market today. Sunbelt Software's award-winning CounterSpy technology has been integrated within the MIMEsweeper Web Appliance to provide superior anti-spyware security and detection.
As one of the layered security defences within the MIMEsweeper Web Appliance, CounterSpy's highly-tuned gateway anti-spyware solution is specifically designed to stop all known and suspected spyware before it penetrates a network and infects users' machines. CounterSpy works in concert with Clearswift's URL filter, anti-virus/malware and Web 2.0 content filtering engine to ensure maximum protection.
Link here.
Alex Eckelberry
(And yes, blogging has been light as I've been busier than a one-legged Riverdancer. I hope to catch my breath soon and get back to writing again.)
Posted on June 24, 2008 at 12:09:38 PM
Today, I'm really pleased to announce that Michael St. Neitzel, one of the industry's leading antimalware researchers, has joined Sunbelt Software in the newly created position of vice president, threat research.
Mike is widely regarded as one of the foremost experts on malware and its malicious mechanisms, and has authored a number of technical papers and publications, as well as being a noted speaker at industry conferences.
Mike comes to us from FRISK Software, makers of F-Prot Antivirus, where he was a senior antivirus architect and spokesperson on behalf of the company. Prior to FRISK Software, he was a senior virus researcher with ESET s.r.o., where he worked on the Nod32 antivirus product. Previously, he was with Comodo Security, where he managed the team responsible for the Comodo firewall and antivirus products as executive director in Chennai, India.
Michael will be working on our upcoming VIPRE antivirus+antispyware product, where his work will be essential in developing proprietary heuristics and behavioral detection that is so critical in today's complex malware environment.
Welcome, Michael. We're thrilled to have you as part of the Sunbelt team.
Alex Eckelberry
Posted on June 24, 2008 at 9:47:46 AM
There is a phishing attempt going on against Facebook. Recipients may see something like the following:

If you look in the source of the email, you see that the actual link address is different:

Upon clicking the link, the user is directed to a site, ostensibly allowing the user to log in to Texas Holdem.

Once the user enters their account information, they are then redirected to the real Facebook site.

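The tell-tale of this phish is that the link text shown to the recipient names Facebook while the href in the message source points somewhere else. The following is an added example (not part of the original post) that pulls every anchor out of an HTML message and flags the ones whose visible text claims one site but whose href resolves to another; the sample message and its hostnames are constructed for illustration.

```python
"""Flag anchors in an HTML e-mail whose visible text names one site but whose
href points to a different one. Added example; the message below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: reads like a Facebook notification, but the first link
# leads to an unrelated host (example.net is a placeholder, not a real phish site).
SAMPLE_EMAIL = """
<html><body>
<p>You have a new friend request on Facebook.</p>
<p><a href="http://login-facebook.example.net/holdem/index.php">http://www.facebook.com/n/?reqs.php</a></p>
<p><a href="http://www.facebook.com/help">Help Center</a></p>
<p><a href="http://www.example.org/unsubscribe">www.example.org/unsubscribe</a></p>
</body></html>
"""


def registrable_domain(host: str) -> str:
    """Crude approximation: the last two labels of the hostname.
    Assumption: no multi-part public suffixes such as co.uk are involved."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text: str):
    """Return the hostname if the anchor text looks like a URL or a bare
    'www.host/path' string, otherwise None (plain words claim no destination)."""
    candidate = text.strip()
    if not re.match(r"^(https?://|www\.)", candidate, re.IGNORECASE):
        return None
    if not candidate.lower().startswith("http"):
        candidate = "http://" + candidate
    return urlparse(candidate).hostname


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html: str):
    """Return (visible_text, href) pairs where the displayed site differs from the real one."""
    parser = AnchorCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.anchors:
        shown_host = host_of(text)
        if shown_host is None:
            continue  # "Help Center" and similar labels make no claim about the target
        real_host = urlparse(href).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(real_host):
            suspicious.append((text, href))
    return suspicious


if __name__ == "__main__":
    for shown, target in find_mismatched_links(SAMPLE_EMAIL):
        print(f"displayed {shown!r} but actually points to {target}")
```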
Alex Eckelberry
Posted on June 18, 2008 at 9:20:52 PM
You may have seen a wave of fake job offers disguised as coming through CareerBuilder. The recipient is asked to contact the employer through an email address. Email addresses we have observed so far are:
ejobrt @gmail.com
rsmbcompany @gmail.com
homdepmb @gmail.com
Samples:




Sadly, if you're hoping you're going to get a job out of this, it's a scam.
But the good news is that we're hiring.
Alex Eckelberry
Posted on June 18, 2008 at 9:12:22 PM
"It could be a long time before Omar Khan goes to college: as long as 38 years, according to Orange County prosecutors, who have arrested and charged the 18-year-old student with breaking into his prestigious high school and hacking into computers to change his test grades from Fs to As."
Link here.
Alex Eckelberry
Posted on June 17, 2008 at 7:12:55 PM
What we reported yesterday about Zango having laid off employees is now officially reported through news channels.
From John Cook over at the Seattle PI:
Sources say that two executives have also departed, including Executive Vice President of Corporate Development York Baur and Chief Technology Officer Ken Smith. Smith, who co-founded the company in 1999, is the brother of Chief Executive Keith Smith. A Zango spokesman declined to comment on the departures.
Ken Smith also talks a bit about his departure here.
The stated reason for the layoffs is the company's focus on its new Platrium product, a so-called casual gaming experience. One commenter isn't that excited, referring to it as a "generic search bar with games thrown in."
In fact, it looks awfully familiar to Zango, just without pop-up ads. Here's what it says when it's installing (EULA here):
Platrium is your access key to premium content. It is FREE, paid for by advertising. While online & using keywords sent to Platrium from your Internet browsing, Platrium software (with Weather forecast) will show targeted ads in a temporary Slider; relevant search suggestions in the Playbar; & comparison shopping offers in a Sidebar browser pane. The Playbar provides easy access to 1000s of emoticons, avatars, games & more, when online. Platrium runs continuously & updates automatically, ensuring access to the freshest content. Uninstallation is easy via Add/Remove Programs.
In other words, it has a search function which redirects searches to sponsored results on "Shopbrite", it hijacks error pages and sends them to Shopbrite, it changes your home page to the Platrium home page, and your screen may end up by looking like the following:

You do get access to games, though (I don't know if they're good, mediocre or bad).
Alex Eckelberry
Posted on June 17, 2008 at 10:01:06 AM
It’s been a while since we all saw a big stock spam push.
Well, recently our honeypots saw a wave of a new style of stock spam pushing Angstrom Microsystems stock. According to the folks at Spam-List, their quick analysis shows that it started on Sunday. Zero revenue, but the promise of future revenue. The Pink Sheets has put this on their Caveat Emptor list (it would be great if Yahoo and Google started doing the same thing for these types of stocks).




It hasn’t helped the price much, but volume sure has benefited.

You may see a wave of this spam as antispam engines adjust.
Alex Eckelberry
Posted on June 16, 2008 at 6:25:13 PM
Zango tells employees they're good to go: We received a report that Zango laid off 70 people today.
And in other news, blog reader Andrew was kind enough to send me a link to a website (watchsouthparkonlineepisodes com) pushing Zango, under the auspices of being able to watch South Park episodes for free (this looks to be a Zango affiliate, not Zango itself, nor South Park).


It's worth noting that South Park episodes are freely available at the South Park website, http://www.southparkstudios.com/, with no adware.
Alex Eckelberry
Posted on June 16, 2008 at 6:14:32 PM
Tech journalists Kelly Jackson Higgins at Dark Reading (link), John Leyden at the Register (link) and Robert McMillan at IDG (link) cover the story.
Robert McMillan also has the link to the forensic examination here.
Alex Eckelberry
Posted on June 16, 2008 at 9:33:37 AM
How horrible. Brings forward memories of Julie Amero (who is still awaiting a new trial):
A child porn possession charge lodged against a Department of Industrial Accidents investigator fired for having smut on his state-issued laptop has been dismissed because experts concluded he was unwittingly spammed.
"The overall forensics of the laptop suggest that it had been compromised by a virus," said Jake Wark, spokesman for Suffolk District Attorney Daniel Conley.
Nationally recognized computer forensic analyst Tami Loehrs told the Herald Michael Fiola's ordeal was "one of the most horrific cases I've seen."
"As soon as you mention child pornography, everybody's senses go out the window," she said.
Loehrs, who spent a month dissecting the computer for the defense, explained in a 30-page report that the laptop was running corrupted virus-protection software, and Fiola was hit by spammers and crackers bombarding its memory with images of incest and pre-teen porn not visible to the naked eye.
Two forensic examinations conducted by the state Attorney General's Office for the prosecution concurred with that conclusion, Wark said.
More here.
Alex Eckelberry
(thanks, Richard)
Posted on June 14, 2008 at 1:39:59 PM
I was intrigued by a post this morning by my brother, Marc Eckelberry (a futures trader) on his blog. He believes that the dollar may soon exit its six-year decline.
Is the dollar six year decline coming to an end? The monthly chart shows a descending wedge which could soon give ammunition to dollar bulls. We will need two important confirmations. The first would be a monthly close above the 10 month moving average, presently at 74.73. The second and most important test will be a close above the confluence of two major trendline resistances between 76 and 76.90. An all clear would be a close above the 2004 low of 80.39.
If true, this would impact the price of oil, something I've commented on previously on this blog.
Alex Eckelberry
Posted on June 13, 2008 at 2:46:53 PM
“A Federal judge has dismissed a lawsuit by a man who was barred from the New London police force because he scored too high on an intelligence test.”
Link here.
(Longtime readers of this blog may see an oblique reference in this.)
Alex Eckelberry
Posted on June 13, 2008 at 2:40:19 PM

It starts with “Hello” in Korean. Then an attractive graphical rendition of the word Viagra (an attempt at concrete poetry, perhaps?). Then a quotation from the Mahabharata Vana Parva, one of the great late-Vedic Sanskrit masterpieces.
But wait… there’s also secretly more when the text is highlighted… is this some type of user-selectable ambigram?

Perfect.
Alex Eckelberry
Posted on June 13, 2008 at 2:17:05 PM
As an active user of technology, I hate bad support and poor customer service. Just last week, I had to get support from a major vendor. It was easy to get a salesperson, but harder to get a support person, something which always baffles me (what, I'm not as important after I've bought the product than I was before?).
If I walk into a business and see some sign which says "Lack of planning on your part does not constitute an emergency on ours", or a "suggestion box" shaped like a grenade, I walk right out, and you should too.
We hate bad support. We refuse to install those wretched IVR systems (we use these antiquated things called "people" to pick up the phone); we refuse to outsource our support overseas; and our entire senior management team (including me) is available directly to interact with customers. I also don't hire MBAs for management positions, unless they had a very poor GPA in school (ok, that's a joke... well, mostly).
Surprisingly, it's not as expensive to give great support as one might think, and from a bottom-line standpoint, good support helps the P&L through the tough times (by keeping customers loyal) and makes the better times better (by getting you more customers). Support is something that can be quantified, and made into pigeonholes, and therein lies the problem: It's easy to sort support metrics into various chunks that can be easily outsourced, thus "saving" money for the company (reference above statement about MBAs).
Having worked in the industry for many years, I've been in those senior level discussions about "the cost of support". There seems to be some idea that "support costs need to be controlled". It's an easy department to pick on, because the effects of bad support aren't necessarily felt by senior management (unlike the effects of a bad sales department).
True, cost control is key in any company, but being a CEO is kind of like being a symphony conductor - you have many different components, and all need to work together efficiently and correctly to make, well, a decent sound.
Support is part of the broad holistic system, a gestalt, that makes up a company. Sometimes it's hard to explain to senior managers, because it's obvious that great support alone doesn't guarantee success (look at Wordperfect, a company with some of the greatest support ever, and now practically in the grave). But if you want the whole machine to work right, you have to have great support, you have to have great products, you have to have a great sales team, a great marketing team... you get the picture.
Some starry-eyed managers pump their fists about "great support". Well, that's good, but it's a bit more than that. Good support has to be part of the fabric of a company. It's something that has to be lived and breathed.
It also helps if you only hire good, decent, nice people. That sounds a bit like a Hallmark card, but it's kind of a basic thing in a business. Nothing is ever perfect in any company - people make mistakes, things break, someone trips over a power cord and takes down the server room, etc. - but good, decent, nice people are the glue that will keep it all going in the right direction.
In the end, here's a simple answer to the problem: Vote with your pocketbook. That goes for all the companies out there, mine included. We all should have our feet to the fire to do the right thing.
Alex Eckelberry
Posted on June 13, 2008 at 2:09:29 PM
Roger Grimes' scathing editorial on companies treating customers badly today is spot on. He's focused on security, but his words apply to our whole industry.
At first I thought it was solely due to my crackerjack customer service, but then I realized that the other common thread was that they were mad at a computer security vendor whom they previously loved or passionately wanted to buy from. It was only because of boneheaded, strategic decisions made by the company that their customers were looking to competitors.
There's a common theme involved. Each of the vendors started with a good product that solidly filled a particular niche, gained market share and industry accolades, and then made inopportune decisions that riled their existing, or new, customers to a point that the customer gave up trying to give them their business. I'm convinced that the vendor's CEOs are oblivious to how much discontent their company is causing with the very people they should be striving to satisfy. Instead of letting the vendors suffer lower market share without understanding why, I've decided to share some representative stories in this blog column.
Right on.
Alex Eckelberry
Posted on June 12, 2008 at 5:02:08 PM
We’re at Tech.Ed this week. Robert LaFollette, our creative director, took some pictures and I’ve uploaded them to Flickr, here.
A lot of people are coming to the booth. Then again, we’re giving away a lot of remote control helicopters…

Alex Eckelberry
Posted on June 11, 2008 at 6:11:47 PM
Brian Krebs reports on a new trojan that changes router settings.
A new Trojan horse masquerading as a video "codec" required to view content on certain Web sites tries to change key settings on the victim's Internet router so that all of the victim's Web traffic is routed through servers controlled by the attackers.
According to researchers contacted by Security Fix, recent versions of the ubiquitous "Zlob" Trojan (also known as DNSChanger) will check to see if the victim uses a wireless or wired hardware router. If so, it tries to guess the password needed to administer the router by consulting a built-in list of default router username/password combinations. If successful, the malware alters the victim's domain name system (DNS) records so that all future traffic passes through the attacker's network first. DNS can be thought of as the Internet's phone book, translating human-friendly names like example.com into numeric addresses that are easier for networking
More here.
Alex Eckelberry
Posted on June 10, 2008 at 7:39:48 PM
Many of us are at Tech.Ed this week. If you’re there, drop by and say hello.
Alex Eckelberry
Posted on June 10, 2008 at 7:39:09 PM
Fresh-it.blogspot, a blog whose entire mission in life is to steal the content of others for the purpose of generating Adwords revenue, posts this delightful (stolen) story today:

Alex Eckelberry
Posted on June 9, 2008 at 5:55:12 PM
TSA's latest pronunciamento on showing ID at the airport has logical gaps that are beyond reason.
According to the TSA, if you refuse to show ID, you'll be refused entry to the boarding area, but if you say that your ID card was lost, you'll be allowed.
Apparently, they are operating on the theory that "terrorists don't lie".
This is like the old joke:
"I got my car for $50 from a guy on the street!"
"Really? That price is way too low - it must have been stolen."
"Nah, I asked the seller if it was stolen, he said no."
This is so bizarre my mind is reeling.
Alex Eckelberry
(hat tip)
Posted on June 9, 2008 at 11:22:35 AM
(The Wildlist is the basis of in-the-wild virus testing and certification by VirusBulletin, ICSA, and West Coast Labs.)
Larry Seltzer's pejorative post last week about the Wildlist started a few strong discussions going in the industry (with arguments on both sides). And there's been more since the article (related or not).
The shocker was last Thursday, when it was reported that Trend Micro (following Panda's lead) has decided to "boycott" the Wildlist.
I am of the belief that the Wildlist is an outdated method of determining the efficacy of an antivirus product. Oddly, let me make it clear that it's to my benefit to say just the opposite: to promote the Wildlist as effective, since it's a fairly small list of malware to worry about. Once one is "certified" for the Wildlist, one could then be considered a "real" antivirus product. Nothing is further from the truth, and therein lies the problem: It's an implicit (and unintentional) form of fraud.
Andreas Marx echoes a fair amount of this sentiment, in an email he circulated among some researchers last week:
...there is nothing wrong with the actual testing performed by Virus Bulletin, the problem is related to the samples from the WildList. Indeed, as Larry Seltzer pointed out, there is something seriously wrong with WildList-based testing and certification.
At the Virus Bulletin Conference in 2007, Frank Dessmann and I gave a presentation, "The WildList is Dead, Long Live the WildList!". What we found (proven with facts and figures), pointed to the actual problem of the WildList: We are mainly speaking about a "list of a small number of irrelevant random malware samples".
And here we go for the facts (updated to include the most current WildList from April 2008):
1. The threat landscape has changed dramatically, just a few years back, we had to deal with 10 to 20 virus samples per day, now we are up to 21,000 unique new samples per day, but the current April WildList only includes 678 samples -- that's the number of samples we are getting on an average day in under an hour! Besides this, the WildList only covers self-replicating malware such as viruses, but not today's most common threats, like Trojan Horses or rootkits. By ignoring today's reality, the list MISSES the really HOT samples and the numbers of samples on the WildList is TOO SMALL.
2. While the WildList shows that currently 86 reporters (mainly working for AV companies) are submitting samples to the organization, most of them are inactive, so that a WildList is usually created by 8 to 10 active reporters -- and these 8 to 10 people can "decide" which malware is the most active one world-wide? Therefore, the list is a RANDOM selection of samples.
3. The WildList is usually outdated when published: The April WildList was released on June 1, 2008, so the entire May (or at least 640,000 new malware samples we're seeing per month) have passed by before the WildList was finally published... so the list contains only OLD malware, not really new samples.
The problems are not new -- I've written about them one year ago, but (almost) nothing has changed. :-(
Another source of some contention on the Wildlist issue is the venerable Randy Abrams of ESET. In his words, "Agreement was virtually unanimous that the WildList is no longer useful as a metric of the ability of a product to protect users".
Mary Landesman, on the other hand, wrote last year that "As much fun as it is to take cheap potshots and sling similes, the fact is the WildList is more pertinent than ever - particularly given today's threat landscape. By setting a standard, definable bar, the WildList has consistently improved detection across the board. Reputable anti-virus vendors must work (hard) to gain credibility, participating fully in order to engage in the sample sharing necessary to build the library of threats required to score well on the tests. But what WildList testing really offers today is a measure of trust." Checking back with Mary recently, she still believes the Wildlist is valid, but expanded on her viewpoint:
...I still think the WildList provides a resource to the average user to distinguish between *real* scanners and rogue (or just plain lousy) scanners. It also establishes some consistency between testing organizations so it helps set a minimum bar for the testers as well. Keep in mind, I've never believed (even in the mid-90s) that WildList testing alone was a good enough measure of a products overall protection capability. I just believe in the value of having a minimum bar and for that purpose it does well. This doesn't mean it's not in need of an overhaul. As an example, I'd love to see some minimum standard measure of behavioral analysis. And it needs a name change because it certainly isn't reflective of what's in the wild (indeed, nothing could be and still be manageable!) So when I say I think the WildList is still pertinent, I am referring to the value of setting those minimum bars, not necessarily about the WildList as it exists per se.
Fair enough.
So let's shift gears. I'll pose the problem as a question: What would you consider the gauge of effectiveness of an antivirus product? (I use the term "antivirus product" to denote the current mode of protecting against malware in general - viruses, spyware, etc.)
If I'm guessing right, your answer would probably be something like:
"A good antivirus program should block the broadest amount of malware possible, including new malware as it comes out, and should be able to clean infected systems with a high degree of effectiveness."
The Wildlist only has about 700 samples in the list. Well, there's lots and lots of malware out there. We recently ran scans on over 10 million pieces of malware, and found hundreds of thousands of variants. Are they all in the wild? Not necessarily. But you get the picture. There's a lot of stuff out there, and the Wildlist itself is not "the test".
And really, I don't think anyone really disagrees with that.
The Wildlist itself is peachy, and I think it's just fine as a test of file-infecting viruses, etc. It's not an easy test to pass, and I think it should continue to be there. But it's misleading if consumers rely on the Wildlist (through VB 100 certification or another certification) to make a determination as to the validity of a virus product. Perhaps there should be a "Basic" certification, and then there should be a "Premium" Wildlist certification.
As the final word on this issue, I hope this will elucidate the problem graphically. Here, again from Andreas, are collection statistics on malware (these are newly added/discovered samples per month, with a total of about 11.45 million samples right now).

QED.
Alex Eckelberry
Posted on June 9, 2008 at 10:48:55 AM

Of the SpywareNo family.
Patrick Jordan