pest-patrol.com is not the real PestPatrol - part II

The fake pest-patrol.com site we mentioned a few days ago has fixed its download problem and has given us a sample. Like many of these fake anti-malware sites, the executable morphs continually to avoid protection.

Detection rates are not good (VirusTotal results), and the real PestPatrol / eTrust product doesn't pick it up yet.

I strongly suspect that there's nothing good in the 85.255.112.0 - 85.255.127.255 range at all, and it is probably a good idea to block access to that entire IP block.

Antivirus;Version;Last Update;Result
AhnLab-V3;2008.5.22.1;2008.05.27;-
AntiVir;7.8.0.19;2008.05.27;SPR/Dldr.PestPatr.A
Authentium;5.1.0.4;2008.05.26;-
Avast;4.8.1195.0;2008.05.27;-
AVG;7.5.0.516;2008.05.26;-
BitDefender;7.2;2008.05.27;-
CAT-QuickHeal;9.50;2008.05.26;-
ClamAV;0.92.1;2008.05.27;-
DrWeb;4.44.0.09170;2008.05.27;-
eSafe;7.0.15.0;2008.05.26;-
eTrust-Vet;31.4.5826;2008.05.27;-
Ewido;4.0;2008.05.26;-
F-Prot;4.4.4.56;2008.05.26;-
F-Secure;6.70.13260.0;2008.05.27;-
Fortinet;3.14.0.0;2008.05.27;-
GData;2.0.7306.1023;2008.05.27;-
Ikarus;T3.1.1.26.0;2008.05.27;-
Kaspersky;7.0.0.125;2008.05.27;not-a-virus:Downloader.Win32.FraudLoad.bz
McAfee;5303;2008.05.26;-
Microsoft;1.3520;2008.05.27;-
NOD32v2;3134;2008.05.27;-
Norman;5.80.02;2008.05.26;-
Panda;9.0.0.4;2008.05.27;-
Prevx1;V2;2008.05.27;-
Rising;20.46.12.00;2008.05.27;-
Sophos;4.29.0;2008.05.27;-
Sunbelt;3.0.1123.1;2008.05.17;-
Symantec;10;2008.05.27;-
TheHacker;6.2.92.320;2008.05.26;-
VBA32;3.12.6.6;2008.05.27;-
VirusBuster;4.3.26:9;2008.05.26;-
Webwasher-Gateway;6.6.2;2008.05.27;Riskware.Dldr.PestPatr.A

pest-patrol.com is not the real PestPatrol

Thanks to Dancho Danchev for pointing out pest-patrol.com, yet another dodgy looking scareware site. Of course, the real PestPatrol is a pretty well known and legitimate anti-spyware product from CA, the one with the hyphen in the middle is definitely trying to pass itself off as the real thing. (Click the thumbnail for a larger picture).



The fake pest-patrol.com is hosted on 85.255.121.181 in the Ukraine, a range of network addresses that features on the Spamhaus DROP list, and has domain registration service from Estdomains which always seems to be a popular choice with dodgy web sites.

The bottom of the page has a copyright notice claiming that it was created by "Pest Patrol, Inc.", but that is likely to be fake. A large amount of text has been copied and pasted directly from the real CA site. The "PestPatrol" name is pretty widely registered as a trademark, so apart from anything else, this fake pest-patrol.com site is clearly violating CA's trademark rights.

What's interesting about this is just how the pest-patrol.com domain ended up in the hands of a bunch of guys in Eastern Europe. Although the "PestPatrol" name is trademarked, that only applies to computer software. As is turns out, the original pest-patrol.com controlled pests of the creepy crawly variety. CA (or SaferSite Inc as it was before CA took over) would have had no claim over the domain name as it wasn't violating any trademark or causing confusion. But eventually the name expired and after being dropped a couple of times it ended up with someone who clearly is using it to violate a trademark.

The lesson for businesses is perhaps that they need to keep an eye on domains that could potentially violate a trademark or be confusing and secure them if they expire, several registrars can back order domain names. In the long run, that's probably easier than trying to track down an anonymous registrant from the former Soviet Union.

The download option on pest-patrol.com doesn't work at present, but it could be similar to this one (VirusTotal scan results) which appears on a sister site. Unfortunately, CA's genuine product doesn't seem to detect it..

CA PestPatrol false positive - NeoSpy / rarsfx0 directory / WinRAR

Another false positive doing the rounds, this time in CA's PestPatrol software which is incorrectly identifying %profile%\local settings\temp\rarsfx0 as being part of part of the rogue NeoSpy package (see here for CA's description).

In fact, the rarsfx0 directory is just a temporary folder created by RARLAB's WinRAR application - that's a harmless commercial file packager. This folder looks to have been included accidentally in a PestPatrol signature released on 9th January.

Note that if you have PestPatrol installed with the faulty signature, then WinRAR archives may not unpack properly.

eTrust ITM 8.1 fails to update

I've been grappling with a strange problem with eTrust ITM 8.1 for a couple of weeks - the software installs just fine, but the signature updates never apply. The problem occurs on a whole batch of machines that aren't exactly related, but which were all bought in early 2005.

The eTrust Distribution log shows the following:

Completed Time Type Code Description
09-Jan-2008 08:46:11 Information 0 1) Selected component "eTrust Antivirus Arclib Archive Libra...
09-Jan-2008 08:46:11 Information 0 2) Selected component "eTrust Antivirus Base"
09-Jan-2008 08:46:11 Information 0 3) Selected component "eTrust Antivirus Realtime Drivers"
09-Jan-2008 08:46:11 Information 0 4) Selected component "iGateway"
09-Jan-2008 08:46:11 Information 0 5) Selected component "eTrust ITM Common"
09-Jan-2008 08:46:11 Information 0 6) Selected component "eTrust ITM Agent GUI"
09-Jan-2008 08:46:11 Information 0 7) Selected component "CAUpdate"
09-Jan-2008 08:46:11 Information 0 8) Selected component "eTrust PestPatrol Base"
09-Jan-2008 08:46:11 Information 0 9) Selected component "eTrust PestPatrol Clean"
09-Jan-2008 08:46:11 Information 0 10) Selected component "eTrust PestPatrol Engine"
09-Jan-2008 08:46:11 Information 0 11) Selected component "eTrust PestPatrol Realtime"
09-Jan-2008 08:46:11 Information 0 12) Selected component "eTrust PestPatrol Signatures"
09-Jan-2008 08:46:11 Information 0 13) Selected component "eTrust Vet Engine"
09-Jan-2008 08:46:11 Information 0 Checking updates for "eTrust Antivirus Arclib Archive Librar...
09-Jan-2008 08:46:11 Information 0 Downloading from "SERVERNAME:42511"
09-Jan-2008 08:46:09 Information 0 The distribution program started the download process.
Show 10 Show 25 Show 50 Show All Page 1 « ‹ 1-16 of 16 › »

Note that there are always 16 lines in the log.. the update process starts but never completes, and there's no error message.

After working with our reseller we discovered the problem - it's not a problem with eTrust, but instead a very strange permissions issue that has happened with those PCs. What has happened is that the computer's SYSTEM account (which the eTrust services run under) doesn't have access to write to that part of the disk, despite having permissions explicitly set.

In the case of eTrust, the fix is to open up the Services control panel (Start.. Run.. services.msc), and then.

• Double-click on the eTrust ITM Job Service
  
• Click the Log On tab
• Change the credentials from the "Local System account" to the local Administrator account on the PC (i.e. username Administrator, password to whatever you set it to).
• Restart the service
• Either reboot the machine, or terminate the ITMDist service
• Tell the machine to download updates again.

In the cases I have seen, the update works correctly after the Administrator account has been specified. There does seem to be some problem with the SYSTEM service not working properly.

Of course, you can also do this all remotely with the Computer Management tool and something like PSKILL (from PSTools), so you don't have to be sitting at the machine to do it.

As I said, I don't believe that this is an eTrust problem, it looks as though Windows is borked somehow, possibly an issue with SIDs or something. I have a feeling that other software misbehaves, possibly including Active Directory policies. I have no solution other than a complete rebuild, but if you're struggling to get eTrust updating properly, then I would definitely look at the user rights for the service.

CA.com compromised / Zero-day RealPlayer flaw

The ISC reports that several websites have been compromised by a zero-day vulnerability in RealPlayer. The halware is hosted or routed via uc8010.com (currently down).

Surprisingly, one of the compromised web sites (since cleaned up) is ca.com (Computer Associates), who make the eTrust anti-virus product.

A Google search for uc8010.+com site:ca.com comes up with several dozen hacked pages, mostly press releases.



A look at a cached copy of the code shows a link to n.uc8010.com/0.js (don't visit this url) which then loads the exploit.



Note that everything here is a .gif to stop virus scanners freaking out.

To be fair, a lot of sites are compromised including government bodies and large corporations. It just goes to show that there's no such thing as a "safe site" any more.