Lavasoft News - May 2007


The Ad-Aware 2007 beta testing phase is winding down with the final beta scheduled for May 7th. That means we are gearing up for the product's worldwide commercial release in June – yes, June!

This launch is laying the groundwork for Lavasoft's future efforts against the next generation of malware and other cyber threats, an industry showing no signs of slowing down.

This issue of Lavasoft News focuses on crime and punishment. Read about the organizations trying to catch the bad guys behind online fraud. And just who are the “bad guys”? We fill you in on how cyber crime works. We also have a follow-up on the much-talked-about privacy and anti-spyware legislation.

Read a few of last month's Letters to the Editor on anti-spyware legislation. Write to with comments on what you see in this issue and what you would like to see in future issues of LN.

News from Lavasoft

Ad-Aware 2007 Launch in June
The beta testing process of Ad-Aware 2007 has entered its final stage, and now our Ad-Aware users are only a month away from getting their hands on the final product. That's right - the commercial release of Ad-Aware 2007 is scheduled for June.


Investigating Cyber Crime - Those Doing the Chasing
Hackers, phishers, spammers and scammers - rounding up these outlaws in cyberspace is just an ordinary day on the job for cyber investigators.


Creating Cyber Crime - Those Doing the Running
Haven't we all heard the saying “Crime doesn't pay”? In cyberspace it does, and the people behind the cyber attacks are no hacks. As you will read, cyber crime is more sophisticated and organized than ever.


Legislating Online Fraud - An Update
In last month's LN, we brought you the scoop on two anti-spyware bills that have been moving through the U.S. legislative process. As cyber crime escalates and droves of sensitive personal data are available online through public records and data breaches, federal agencies, technology companies, and privacy advocates have joined in the push for U.S. legislation to keep up with threat concerns.


Top 10 Most Famous Hackers of All Time - IT Security
Get the inside scoop from IT Security on the cyber generation's most notorious computer criminals.


Security Shorts
Lavasoft News has compiled a list of "security shorts" - summaries of other online security stories making news around the world this past month.


Spyware Newsbits

New Targets in Detection (April 2007)
Protect your privacy with a complete list of new targets for April 2007.


Lavasoft Blog
If you want to go behind the walls of Lavasoft, hear what we are up to, what we are thinking and what is happening in the industry, the Lavasoft Company Blog is the place to go for regular, up-to-date information.



Ad-Aware 2007 To Hit the Shelves in June

With the help of feedback from our Ad-Aware 2007 beta testers, the final betas are being tested, tweaked, and refined. At the time of our Beta Six release on April 20, over 200,000 people were actively working with the beta, providing key feedback to our development team. The final beta release, followed by a two-week testing process, is scheduled for May 7.

Our loyal community has been spreading the word on our upcoming new product, which is already garnering a positive response within the security industry.

"The Ad-Aware 2007 Beta features improved detection of adware and hidden malware, a scanning engine that goes easy on your PC's system resources, and a snazzy new interface," according to one journalist at PC World.

Our beta testers and Ad-Aware SE users alike have been eagerly anticipating the final product. As many of you who have test-driven the Ad-Aware 2007 Beta have seen, Ad-Aware 2007 is a fully redesigned product, giving you the tools necessary to combat today's constantly changing threat landscape.

"They can be assured that Ad-Aware 2007 is not just an improved version of Ad-Aware SE. Ad-Aware 2007 is a completely rebuilt product that will allow us to form a base for future detection of replicating and polymorphic threats. In addition to that, incremental Definitions File updates allow us to be more aggressive in detecting threats, moving towards our goal of zero-day updates," Lavasoft's Security Center Director, Christopher Allansson, says.

Among the host of new features of Ad-Aware 2007 are a fully redesigned engine, advanced Code Sequence Identification Technology, enhanced Detection Database with incremental and automatic Definitions File updates, new graphical user interface, automatic scans and Web updates with the all-new scheduler, Ad-Watch TrackSweep, Hosts File Editor, a system restore point, and multiple browser support.

We have had many questions coming in from our Ad-Aware SE users about Ad-Aware 2007's compatibility with Microsoft Vista. While we have had every intention of launching Ad-Aware 2007 as Vista compatible software, product development has recently discovered a technical glitch that must be resolved for Ad-Aware 2007 to fully operate with Vista. In order to meet the launch date that we committed to for our worldwide customers and to completely comply with Microsoft's requirements for the Vista program, the product will not be Vista compatible immediately when launched in June.

Lavasoft developers are determined to resolve the issue, and to promptly deliver a Vista compatible version. The new Ad-Aware 2007 product has been built with the capability to immediately distribute version updates and patches (something that was not possible with the SE versions) and all Ad-Aware users with a valid license will immediately receive the Vista compatible update as soon as the issues are resolved.

"We know that Vista compatibility is an important issue for our Ad-Aware users, and it is a priority for the Lavasoft development team. We are doing everything we can to address the issue as quickly as possible, so that we can release a Vista compatible version of Ad-Aware 2007 this fall," says Lavasoft's Chief Technical Officer, Adelmo Pozzi.

Investigating Cyber Crime – Those Doing the Chasing

Cyber crime is no flash in the pan. Unfortunately, it's here to stay. As it spirals out of control, the investigators assigned to catch the bad guys are overwhelmed and understaffed.

It must feel like one step forward, two steps back.

Thankfully, there are organizations out there helping regular law enforcement with the onslaught of cyber crime: organizations like the Computer Crime & Intellectual Property Section (CCIPS) of the U.S. Department of Justice, and the Department of Defense's Cyber Crime Center, both of which work with other government agencies, the private sector, academic institutions, and foreign governments to prevent, investigate and prosecute cyber crimes.

Perhaps the most well-known law enforcement agency in a full-fledged battle to take down cyber crooks is the FBI (the Federal Bureau of Investigation).

According to the Bureau's website, its cyber mission is first and foremost, "to stop those behind the most serious computer intrusions and the spread of malicious code."

The FBI has several cyber operations, including a Cyber Division at FBI headquarters, specially trained Cyber Squads at 56 field offices across the United States, Cyber Action Teams that travel the world to assist in computer intrusion cases, and 93 Computer Crimes Task Forces around the country. Six years ago, the FBI also established the Internet Crime Complaint Center (IC3), a joint effort with the National White Collar Crime Center.

Unfortunately, prosecutions in a lot of cyber crime cases remain relatively few, as the nature and scale of the problem continue to grow.

One of the top problems for investigators today: Botnet controllers. In addition to being tech savvy, they move quickly and are well-practiced in evading the law.

"It's not impossible to track these guys down, but it's technical," Joe Stewart, a senior researcher with the SecureWorks security agency, told CBC News Online. "It takes people that really understand the guts of these things, and unfortunately there are not enough of these people in law enforcement."

The Department of Justice is doing its best to assist local and state law enforcement in the fight against e-crime as these agencies often do not have computer experts on the payroll. The department recently released a manual providing details on how to investigate everything from cyber-stalking to spam and illegal hacking.

With no end in sight for cyber crime, several post-secondary institutions across the States have made it their mission to educate a new generation of e-crime fighters.

The University of Texas at San Antonio recently announced it will open a cyber security research center in June that will train students to become "cyber warriors."

The University of North Carolina, with its Cyber Defender Program, is one of only 22 universities in the U.S. with a program specifically designed to combat online hackers.

"We're very unique in combining the technical know-how and also the criminology aspect," said program chief Dr. Bill Chu.

Students major in Criminal Justice with a minor in Software and Information Systems, or vice versa. According to Chu, many students who graduated with the combination major/minor have gone on to work for agencies such as the FBI.

If you think you or someone you know has been victimized by a cyber thief, the Internet Crime Complaint Center (IC3) is one of the places to turn. There is a complaint form available online.

Creating Cyber Crime – Those Doing the Running

We know that cyber crime is flourishing and we know that investigators are struggling to keep up. But just who are the perpetrators of these attacks?

In the early days of online fraud, it was young, computer-savvy whiz-kids hacking into government systems for fun and for the prestige. Today's attacks are carried out by a wide variety of cyber criminals from all walks of life.

According to ThinkQuest online library's Cyber Crime section, there are certain characteristics that define each and every cyber criminal: a substantial amount of technical knowledge; contempt for the law or feeling above the law; a manipulative and risk-taking nature; and an active imagination.

Criminals the world over have jumped on the cyber crime bandwagon, seeing the Internet as an opportunity to score: it is not a system owned by one individual, company or government; and there is almost unlimited access to a wealth of information of all kinds. These days it is our personal information cyber crooks seem to be most interested in, because that is where the money is. Getting the goods requires an entire network of people.

"This is... a community of criminals that is changing and adapting over time. It's a guy in his twenties in a rundown apartment in Ukraine or somewhere else in Eastern Europe who has a network of computers on which they're communicating with thousands of other people who he has never met in person, and who could be in any country around the globe. And these people are involved in a web of criminal activity," said Craig Morford, a leading authority on IT-related prosecution.

It is a tangled web they weave.

Just as in traditional organized crime, the anatomy of a cyber scam, like phishing, includes several levels of organization – a hacker, a spammer, a data broker, documents and merchandise, a cashier and a money launderer.

According to Guillaume Lovet, the author of "Dirty Money on the Wires: The Business Models of Cyber Criminals", there are four groups involved in cyber crime:

Coders – these are the veterans of the hacking community. They have contacts, experience and produce ready-to-use tools like Trojans and bots for the so-called labor force – the 'kids'. According to Lovet, coders can earn a few hundred dollars for each illegal activity.

Kids – these are the newbies, generally teenagers - hence the name. They buy, trade and resell things like spam lists, php mailers, proxies, and credit card numbers. The money reportedly isn't as good for 'kids'. They generally take in less than $100 a month.

Drops – these are the people who convert the virtual money stolen in cyber crime into real cash. They are usually situated in nations lacking decent e-crime laws. Lovet claims Bolivia, Indonesia and Malaysia are currently popular. The 'drops' provide so-called safe addresses and legitimate bank accounts for goods and money to be sent to.

Mobs – professional criminal organizations that use coders, kids and drops. Organized crime makes good use of 'safe drops', and often recruits coders onto their payrolls.

Organized crime mobs from Eastern Europe, most often Russia, Ukraine and Romania, have joined forces with hackers in recent years, a cooperation resulting in a slew of online attacks ranging from simple to sophisticated.

"Because organized crime is so well-entrenched there, and tolerated by authorities to some extent, they're the ones who are moving into it most aggressively," James Lewis, a senior fellow at the Center for Strategic and International Studies, told Wired.

In these countries, where corruption runs deep, economies are less than booming, and young techies lack opportunity, cyber crime has become too appealing to pass up.

For a more in-depth look at the inner workings of cyber crime, read Guillaume Lovet's full article "How cybercrime operations work – and why they make money" at

Crime and Punishment – A Legislation Follow-Up

Anti-spyware bills that would provide a national standard to regulate the spyware industry in the United States are still working their way through the legislative process, while pressure is mounting for uniform anti-spyware and consumer privacy regulations.

At the end of April, a House subcommittee made another step forward by approving the Spy Act (Securely Protect Yourself Against Cyber Trespass), which will next move to the full committee for consideration. The legislation would impose strict regulations on the types of actions software is allowed to perform, and allow the U.S. Federal Trade Commission to seek fines up to $3 million U.S. from spyware creators.

The U.S. Congress has attempted for years to pass spyware and adware legislation that would override the web of existing state legislation. While some critics maintain that a sweeping bill could have unintended consequences within the security industry, others are asking for greater authority to penalize spyware vendors.

FTC Commissioner William Kovacic called for increased punishment for spyware purveyors in the form of imprisonment, in answer to a question on whether or not the FTC is sufficiently equipped to combat the spyware threats PC users face, posed at a Senate Commerce Committee hearing.

"Many of the most serious wrongdoers we observed in this area, I believe, are only going to be deterred if their freedom is withdrawn," Kovacic said at the hearing in mid-April to discuss the Federal Trade Commission's 2008 budget request.

Part of the FTC's requested budget increase of $17 million U.S. would, according to testimony, provide new employees for the consumer protection mission's Privacy and Identity Protection Program, with $100,000 U.S. being used specifically to increase enforcement efforts to combat spyware.

Security breaches and data leaks have brought up another area of contention with members of the security industry, including major technology companies, vocalizing the need for uniform data security legislation to be passed in the U.S.

Microsoft Chairman Bill Gates called on Congress to pass an "all-inclusive" consumer privacy and security law by the end of the year in a recent speech to an audience of FTC officials, state attorneys general, and congressional representatives.

Gates addressed the need for federal laws to require transparency on data collection, grant users access to their own data and provide clear procedures for companies to follow when data breaches occur.

Senator Patrick Leahy followed up on Gates' speech with his own plan to move forward this year with his Personal Data Privacy Act, a broad bill that would impose fines and prison time on those who intentionally conceal information related to security breaches that cause economic damage.

"Americans live in a world where their most sensitive personal information can be accessed and sold to the highest bidder, with just a few keystrokes on a computer, yet our privacy laws haven't kept pace," Leahy said in a statement.

Privacy advocates are also at the forefront of bringing about change for consumers' online privacy. American Betty Ostergren is taking matters into her own hands to enact change in personal data protection measures at the state and local level. Ostergren's mission is to stop county and state government officials around the U.S. from posting personal public data on public records online, a practice which she says fuels identity theft and cyber crime.

Some states have responded to concerns by setting deadlines for removing certain private information from public records, while others have passed laws allowing citizens to send in written requests to remove their private data from online records. The state of California announced earlier this spring that, due to identity theft worries, it shut down online access to public records with sensitive data.

Identity theft concerns are also on the mind of a federally convened task force, which on April 23rd urged Congress to pass a new national strategy for punishing identity fraud.

Although identity fraud is already illegal in the U.S., the new plan calls for rewriting existing laws to punish the use of malicious spyware, increasing prison sentences for particular electronic data theft, and allowing victims of ID theft to receive monetary compensation for both direct financial losses and lost time when recovering from the crime. The panel also recommended creating a National Identity Theft Law Enforcement Center, enabling regulatory agencies, law enforcement, and the private sector to pool their information resources.

Security Shorts

Government Agencies Score Poorly in Cybersecurity Survey
Funding issues are being blamed for the less-than-stellar grades given to the U.S. government in an IT security survey. The overall grade for the 24 agencies included in the FISMA (Federal Information Security Management Act) report was C-, but eight agencies failed, including the departments of Defense, State, the Interior and the Treasury.


Public Exploit of Windows DNS Server Bug
In April, Microsoft acknowledged a zero-day bug in the Domain Name System (DNS) Server Service in Windows 2000 Server (SP4) and Windows Server 2003 (SP1 and SP2). The company admits the beta of the next-generation server software, called Longhorn, is also affected. Some experts say the area of greatest risk resides within intranets, but if a Trojan horse succeeded in getting onto a client, the botnet controller could gain control of the entire network. Microsoft was working on a patch at the time of publication.


Skype Worm on the Loose
An instant-messaging worm that slithers its way through Skype's VOIP (Voice over Internet Protocol) has been spreading links to malware through people's contact lists. The link leads to a file that downloads a Trojan horse capable of downloading other malware. This worm sets Skype to "do not disturb" status, which blocks incoming calls and other notifications; it also prevents a user from responding to an IM.


Keyloggers Used to Hack WoW Accounts
As we told you in the February issue of Lavasoft News, cyber criminals have taken to hacking accounts in online role-playing games. World of Warcraft is the latest game to be targeted. Hackers have been installing keylogging software on players' Windows PCs for months, hijacking accounts and selling their in-game assets. Experts see no end in sight for the problem.


iPod Virus Discovered
Researchers have found a virus that can infect Apple's hugely popular media player, the iPod. However, users do not have to worry just yet. The virus, dubbed Podloso, only affects iPods that run Linux and not the native operating system. Kaspersky Lab says even though the virus may not present a real threat now, it does show malware can be created for platforms like the iPod.


These days, computer security threats are coming from all directions. Here are the top five worries keeping entrepreneurs up at night, according to a March survey by the research firm Forrester.

Viruses and worms: 73%
Spyware: 66%
Spam: 64%
Outside hackers: 57%
Identity theft: 55%

Term of the Month
A dialer is any program that utilizes a computer's modem to make calls or access services. Users may want to remove those that dial without the user's active involvement, resulting in unexpected telephone charges and/or causing access to unintended and unwanted content. They have the ability to run in the background, hiding their presence.

Tech Tips
You are a potential target for an auto-dialer if you use a phone line to connect to the Internet or leave a telephone line connected to your PC even after switching to DSL or cable Internet service. Some tips:
  • If you don't need a dial-up connection, unplug your phone from the computer.
  • Disable dial-up connections. If you're using Windows, for instance, click on "Start," "Settings," "Control Panel" and then "Internet Options." Open the "Connections" tab, and make sure "Never dial a connection" is checked.
  • Update your Ad-Aware SE anti-spyware and run a full sweep of your computer.

Helpful Homepage
If you suspect your personal information has been stolen, one website will give you the answer - Just input your social security or credit card number on the main page to search more than 2.3 million compromised numbers...for free.
Lavasoft AB
Lilla Bommen 1
411 04 Gothenburg