The Wall Street Journal this week ran an excellent series on government surveillance tools in the digital age. One story looked at FinFisher, a remote spying Trojan that was marketed to the governments of Egypt, Germany and other nations to permit surreptitious PC and mobile phone surveillance by law enforcement officials. The piece noted that FinFisher’s creators advertised the ability to deploy the Trojan disguised as an update for Apple’s iTunes media player, and that Apple last month fixed the vulnerability that the Trojan leveraged.

Image: spiegel.de

But the WSJ series and other media coverage of the story have overlooked one small but crucial detail: A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet the company waited more than 1,200 days to fix the flaw.

The disclosure raises questions about whether and when Apple knew about the Trojan offering, and its timing in choosing to sew up the security hole in this ubiquitous software title: According to Apple, as of June 2011, there were approximately a quarter billion installations of iTunes worldwide.

Apple did not respond to requests for comment. An email sent Wednesday morning to its press team produced an auto-response stating that employees were already on leave for the Thanksgiving holiday in the United States.

I first wrote about this vulnerability for The Washington Post in July 2008, after interviewing Argentinian security researcher Francisco Amato about “Evilgrade,” a devious new penetration testing tool he had developed. The toolkit was designed to let anyone send out bogus automatic update alerts to users of software titles that don’t sign their updates. I described the threat from this toolkit in greater detail:

Why is this a big deal? Imagine that you’re at an airport lounge, waiting to board your flight, and you pop open your laptop to see if you can hop on an open wireless network. Bear in mind that there are plenty of tools available that let miscreants create fake wireless access points for the purposes of routing your connection through their computer. You connect to that fake network, thinking you can check your favorite team’s sports scores. A few seconds later, some application on your system says there’s a software update available. You approve the update.

You’re hosed.

Or maybe you don’t approve the update. But that may not matter, because in some cases, auto-update features embedded in certain software titles will go ahead and download the update at that point, and keep nagging you until you agree to install it at a later date.

Evilgrade leveraged a flaw in the updater mechanism for iTunes that could be exploited on Windows systems. Amato described the vulnerability:

“The iTunes program checks that the binary is signed by Apple but we can inject content into the description as it opens a browser, with a malicious binary so that the user thinks its from Apple,” Amato said of his attack tool.

Emails shared with KrebsOnSecurity show that Amato contacted Apple’s security team on July 11, 2008, to warn them that the iTunes update functionality could be abused to push out malicious software. According to Amato, Apple acknowledged receipt of the report shortly thereafter, but it did not contact him about his findings until Oct. 28, 2011, when it sent an email to confirm his name and title for the purposes of crediting him with reporting the flaw in its iTunes 10.5.1 patch release details. Interestingly, Apple chose to continue to ignore the vulnerability even after Amato shipped a significant feature upgrade to Evilgrade in Oct. 2010.

The length of time Apple took to patch this significant security flaw is notable. In May 2006, I undertook a longitudinal study of how long it took Apple to ship security updates for its products. In that analysis, I looked at two years’ worth of patches issued to fix serious security bugs in Apple’s Mac OS X operating system, as well as other Apple software applications like iTunes. I found that on average, 91 days elapsed between the date that a security researcher alerted Apple to an unpatched flaw and the date Apple shipped a patch to fix the problem. In that study, I examined patch times for four dozen flaws, and the lengthiest patch time in that period was 245 days.

Amato said he’s not sure why Apple took so long to fix his bug, which he said should have been trivial to correct.

“Maybe they forgot about it, or it was just on the bottom of their to-do list,” he said.

Public attention to digital surveillance tools being marketed to law enforcement agencies worldwide is spurring discussion about whether antivirus companies are doing all they can to unmask these intruders. Mikko Hypponen, chief research officer for Finnish security firm F-Secure, first blogged about FinFisher in March 2011, when protesters in Egypt took over the headquarters of the Egyptian State Security and gained access to loads of confidential state documents, including those that appear to show the government purchased licenses for the program.

Hypponen said F-Secure has stated unequivocally that it will detect any malware that it knows about, regardless of whether the malware is being actively used by government authorities for surveillance. But he said not all antivirus companies have made similar public commitments.

“There is no real discussion or industry-wide agreement on it,” Hypponen said. “The way it goes down is that [antivirus] companies have no idea which Trojans they get are governmental Trojans or just the usual stuff. There must be many more governmental Trojans that we and others detect but don’t know are being used for government surveillance.”

As for the years that Apple took to patch the iTunes update flaw, Hypponen said he’s stumped, but inclined to give the company the benefit of the doubt.

“It is an unusually long time to patch anything, so it doesn’t make much sense,” he said.

For more details on FinFisher, see Der Spiegel’s fascinating coverage of how this surveillance Trojan was marketed.

One note of caution about upgrading your software that I hope is clear from this post: Staying up-to-date with the latest security patches is one of the surest ways to keep your system secure from malware and intruders. But whenever possible, try to do your updating from a network that you trust and control. Otherwise, you may be placing far too much trust in the security of the update mechanisms built into the software you use.

Update, 3:11 p.m. ET: An earlier version of this story incorrectly stated that Amato was able to exploit the iTunes update flaw on OS X systems. While Apple’s advisory states that this flaw is present on OS X systems that lack the iTunes 10.5.1 patch, Amato said he was unable to replicate the problem on OS X systems during his research.

Mac malware is back in the  news again. Last week, security firm F-Secure warned that it had discovered a Trojan built for OS X that was disguised as a PDF document. It’s not clear whether this malware is a present threat — it was apparently created earlier this year — but the mechanics of how it works are worth a closer look because it challenges a widely-held belief among Mac users that malicious software cannot install without explicit user permission.

Image courtesy F-Secure.

F-Secure said the Mac malware, Trojan-Dropper: OSX/Revir.A, may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a “.pdf.exe” extension and an accompanying PDF icon. F-Secure was careful to note that the payload installed by the dropper, Backdoor:OSX/Imuler.A, phones home to a placeholder page on the Web that does not appear to be capable of communicating back to the Trojan at the moment.

I wanted to understand a bit more about how this Trojan does its dirty work, so I contacted Broderick Aquilino, the F-Secure researcher who analyzed it. Aquilino said the sample is a plain Mach-O binary — which we’ll call “Binary 1″, that contains PDF file and another Mach-O binary (Binary2). Mach-O, short for Mach object, is a file format for executable files on OS X.

According to Aquilino, when you run Binary1, it will extract the PDF file from its body, drop it in the Mac’s temporary or “tmp” directory, and then open it. This is merely a decoy, as Binary1 continues to extract Binary2 from itself — also into the “tmp” directory — and then runs the file.

Upon execution, Binary2 downloads another binary from [omitted malware download site] and saves it as /tmp/updtdata. For the sake of continuity, we’ll call this latest file “Binary3.” Binary2 then executes and downloads the third binary, which opens up a backdoor on the OS X host designed to allow attackers to administer the machine from afar.

“All of this happens without the user needing to input their password,” Aquilino said.

Aquilino believes the Trojan drops its files into the “tmp” directory because the malware is not meant to be permanent.

“Another reason could be that the Trojan is avoiding the need for users running under a Standard account to be authenticated with an Admin account just to be able to infect the system,” he said. “Standard accounts only have access to their home directory and those such as /tmp. However the account created by OS X setup is an Admin account. Therefore, I believe most will be running under it. Given that assumption, other malwares can choose to run in directory such as /Application just like the case of the Fake MacDefender rogue. Take note though unlike in earlier Windows versions, Admin accounts in OS X are still required to input their password if a malware choose to put its files in system directory such as /System/Library. I don’t see the need for a malware to do that though.”

Aquilino said the malware nevertheless has the potential to be very persistent.

“Upon execution, the downloaded copy of the backdoor (/tmp/updtdata) will create a copy called /users/%user%/library/LaunchAgents/checkvir. It will also create a corresponding launch point in /users/%user%/library/LaunchAgents/checkvir.plist to make sure it still runs after the user rebooted the system. Take note of the casing in ‘library’ instead of ‘Library.’ This maybe the reason why the sample didn’t work on some test machines. Again, no password is needed since the backdoor install its files in the user’s home directory (%user%).”

Aquilino observed that the backdoor will only run when the infected account logs in, but he said this doesn’t mean that other accounts on the infected machine are safe.

“The risk is the same if these accounts save their files in shared volumes where the infected account has permission to,” he said.

Image courtesy Intego.

In other Mac malware news, Mac security vendor Intego is warning about an OS X Trojan called “Flashback” that disguises itself as a Flash update.

It’s worth noting that these threats, like most of those facing Windows users today, rely on social engineering — tricking the user into clicking an attachment or link. Regardless of which operating system you use, it’s a good idea to develop a healthy sense of skepticism and paranoia about any unexpected documents that arrive via e-mail, or random prompts to “update” software. Rule #1 from my 3 Basic Rules for Online Safety applies just as well to Mac users as it does folks using Windows: “If you didn’t go looking for it, don’t install it!”

I still don’t believe it’s necessary for Mac users to install anti-virus software, but for those who disagree there are certainly a number of free and affordable options for anti-malware protection on OS X. Sophos offers a free anti-virus product for the Mac, as does ClamXav and PCTools. There are also several non-free options.

One of the more interesting developments over the past week has been the debut of jailbreakme.com, a Web site that allows Apple customers to jailbreak their devices merely by visiting the site with their iPhone, iPad or iTouch. Researchers soon learned that the page leverages two previously unknown security vulnerabilities in the PDF reader functionality built into Apple’s iOS4.

Adobe was quick to issue a statement saying that the flaws were in Apple’s software and did not exist in its products. Interestingly, though, this same attack does appear to affect Foxit Reader, a free PDF reader that I often recommend as an alternative to Adobe.

According to an advisory Foxit issued last week, Foxit Reader version 4.1.1.0805 “fixes the crash issue caused by the new iPhone/iPad jailbreak program which can be exploited to inject arbitrary code into a system and execute it there.” If you use Foxit, you grab the update from within the application (“Help,” then “Check for Updates Now”) or from this link.

Obviously, from a security perspective the intriguing aspect of a drive-by type jailbreak is that such an attack could easily be used for more nefarious purposes, such as seeding your iPhone with unwanted software. To be clear, nobody has yet seen any attacks like this, but it’s certainly an area to watch closely. F-Secure has a nice Q&A about the pair of PDF reader flaws that allow this attack, and what they might mean going forward. Apple says it plans to release an update to quash the bugs.

I’m left wondering what to call these sorts of vulnerabilities that quite obviously give users the freedom that jailbreaking their device(s) allows (the ability to run applications that are not approved and vetted by Apple) but that necessarily direct the attention of attackers to very potent vulnerabilities that can be used to target jailbreakers and regular users alike. It’s not quite a “featureability,” which describes an intentional software component that opens up customers to attack even as the vendor insists the feature is a useful, by-design ability rather than a liability.

I came up with a few ideas.

- “Apptack”

- “Jailbait” (I know, I know, but it’s catchy)

- “Freedoom”

Maybe KrebsOnSecurity readers can devise a better term? Sound off in the comments below if you come up with any good ones.

Finally, I should note that while Adobe’s products may not be affected by the above-mentioned flaws, the company said last week that it expects to ship an emergency update on Tuesday to fix at least one critical security hole present in the latest version of Adobe Reader for Windows, Mac and Linux systems.

Adobe said the update will fix a flaw that researcher Charlie Miller revealed (PDF!) at last month’s Black Hat security conference in Las Vegas, but it hinted that the update may also include fixes for other flaws. I’ll have more on those updates when they’re released, which should coincide with one of the largest Microsoft Patch Tuesdays ever: Redmond said last week that it expects to issue at least 14 updates on Tuesday. Update, Aug. 10, 5:06 p.m. ET:Adobe won’t be releasing the Reader update until the week of Aug. 16.

I recently highlighted a study which showed that most of the top software applications failed to take advantage of two major lines of defense built into Microsoft Windows that can help block attacks from hackers and viruses. As it turns out, a majority of anti-virus and security products made for Windows users also forgo these useful security protections.

As I wrote last month:

Attackers usually craft software exploits so that they write data or programs to very specific, static sections in the operating system’s memory. To counter this, Microsoft introduced with Windows Vista (and Windows 7) a feature called address space layout randomization or ASLR, which constantly moves these memory points to different positions. Another defensive feature called data execution prevention (DEP) — first introduced with Windows XP Service Pack 2 back in 2004 — attempts to make it so that even if an attacker succeeds in guessing the location of the memory point they’re seeking, the code placed there will not execute or run.

These protections are available to any applications built to run on top of the operating system, and they’re designed to make it difficult for attackers to develop reliable exploits for vulnerabilities in Windows applications. As we saw last month, few top apps invoke the protections, but many readers may be surprised to learn that few anti-virus products have adopted these technologies.

I installed the trial versions of a dozen top anti-virus and security suites on a virtual machine running Windows Vista, and then checked each product’s executable files using Microsoft’s excellent Process Explorer tool, which provides a mass of information about processes running on your Windows system, including whether or not those processes invoke DEP and/or ASLR.

Among the anti-virus products that used neither ASLR nor DEP were AVAST Home Edition, AVG Internet Security 9.0, BitDefender Internet Security 2010, ESET Smart Security, F-Secure Internet Security, Norton Internet Security 2010, Panda Internet Security 2010 and Trend Micro Internet Security 2010.

Microsoft Security Essentials was the only product that used both ASLR and DEP consistently on Windows Vista (although interestingly it does not invoke DEP on Windows XP). Other anti-virus suites I tested used either ASLR or DEP (or both), but only in some applications that make up the suite. For example, McAfee Internet Security’s “mcagent.exe” program runs both ASLR and DEP, while four other executable processes spawned by the program ran DEP but not ASLR (since these tests were run, McAfee has changed the trial version of MIS available on its site, and the company sent me a screen shot that shows DEP and ASLR on all running processes in that version).

Similarly, I found that the anti-virus suite from Avira ran its main avguard.exe program in ASLR mode but did not use DEP. The rest of the program files that ship with this product run neither ASLR nor DEP. Kaspersky Internet Security had DEP enabled on just one process (the browser plug-in), and did not invoke ASLR with any program components.

To be sure, DEP and ASLR are not panaceas: Security researchers have come up with a number of clever ways to bypass these protection mechanisms. Still, it’s interesting to note the lack of these features in anti-virus products for two reasons: First, even researchers who have developed exploits to work around these protections say the two technologies raise the bar significantly for malicious coders. Second, anti-virus products are not immune to introducing their own exploitable software flaws.

I sought comment from all of the anti-virus vendors whose products I examined (except for Microsoft) and received a few responses. Most either downplayed the usefulness of the two technologies in combating today’s threats, or said that they planned to implement the protections in upcoming releases.

Mikko Hypponen from F-Secure said that “adding support for DEP and ASLR in our products is on our roadmap, but has not been implemented yet. This is because we’ve focused our development efforts lately to focus on performance. Once we have this feature ready, it will be available to all of our customers through our update channel.”

Pedro Bustamante, a senior research adviser at Panda Security, said Panda decided not to use either ASLR or DEP in favor of their own technology “to provide protection not only for the single AV processes but also for other types of operations. For example our products include a Shield component which already takes care of the protection as offered by ASLR and DEP, in addition to other types of self-protections such as preventing a process from injecting a thread into a separate process, preventing certain applications from executing dangerous operations on the system (such as Adobe Acrobat dropping an executable in the system and running it), protection of the AV files in the installation directories, etc.”

Bustamante continued: “These Microsoft technologies might be a good solution for certain types of more basic applications, but from our point of view are insufficient for an anti-malware product trying to get a more defense-in-depth approach to securing the whole OS and third party applications.”

Bitdefender said it plans to incorporate DEP and ASLR in its 2011 suite of products.

Symantec’s director of product management, Dan Nadir, said Norton Internet Security 2010 does in fact include support for DEP (although my experiments with Process Explorer showed it was not enabled) and that the company is “evaluating possible support of ASLR in future versions of our products.”

The research team from ESET responded: “Based upon the types of attacks we see against security software, and the likely attack scenarios, ASLR and DEP do not provide any significant defense. [While] enabling ASLR and DEP is quite trivial, the complexity come in assuring the proper test matrix has been implemented. Without proper testing ASLR can be weaponized…We will consider adding the features in the future, but not without extremely rigorous testing.”

Adobe Systems Inc. said today the next release of its free PDF Reader application will include new “sandbox” technology aimed at blocking the exploitation of previously unidentified security holes in its software.

Sandboxing is an established security mechanism that runs the targeted application in a confined environment that blocks specific actions by that app, such as installing or deleting files, or modifying system information. Adobe said that in developing the sandbox technology, it relied on experts from Microsoft and Google (the latter already has incorporated sandboxing into its Chrome Web browser).

“The idea is to run Reader in a lower-privilege mode so that even if an attacker finds an exploit or vulnerability in Reader, it runs in lower rights mode, which should block the installation of [malware], deleting things on the system, or tampering with the [Windows] registry,” said Brad Arkin, director of product security and privacy at Adobe.

Even if only somewhat effective, the new protections would be a major advancement for one of the computing world’s most ubiquitous and oft-targeted software applications. The company is constantly shipping updates to block new attacks: Less than a month ago, Adobe rushed out a patch to plug vulnerabilities that hackers were using to break into vulnerable machines. Security vendor McAfee found that roughly 28 percent of all known software exploits in the first quarter of 2010 targeted Adobe Reader vulnerabilities. According to anti-virus maker F-Secure, Reader is now the most-exploited application for Windows.

Reader still has to legitimately touch the underlying filesystem in order to save PDF files, but it will be configured to work through a separate Adobe “broker process,” such that any attempts by Reader to communicate directly with the operating system will fail, Arkin said.

“Under such a system, not only would the attacker have to find a vulnerability in Reader, but they’d also have to carry out a second-stage attack from the Reader process to the broker process,” he said. “We have put in a place a very small set of policies to make sure that any action the broker process takes on behalf of Reader is absolutely necessary for operation.”

The initial release will not sandbox “read-only” activities in Reader, such as accessing content on the user’s system, but that functionality may be incorporated into versions down the road.

Arkin said the new feature will be on by default, and will not affect the performance or speed of the application.

“The vast majority of users will never know it’s there,” Arkin said. “It doesn’t increase the number of dialogue boxes or choices, and users should be able to continue to interact with Reader the same way they always have.”

Didier Stevens, a Belgian security researcher who has discovered and reported a number of security vulnerabilities in Reader, said Adobe’s planned protections should indeed block most known PDF-based malware.

“When I read ‘sandboxing of all write calls’ I said to myself: ‘That’s easy to bypass, for example by injecting code into another process (e.g. Windows Explorer) and let it write to disk’,” Stevens wrote in an e-mail to KrebsOnSecurity.com. “But then I read that registry and process calls are also sandboxed, so injecting code inside another process would be blocked.”

Stevens said the broker process could end up being the weakest link of Adobe’s sandbox approach.

“If you can mislead the broker process, you can still get access,” Stevens said. “If similar bugs exist in the broker process, then researchers will soon find them. And I hope this mechanism fails gracefully: if the broker process breaks down, then every action should be denied.”

Adobe isn’t willing to set a date certain for the release of the new sandboxed Reader, but said it should ship in the next version, due out before the end of the year. Arkin said the sandboxing feature will initially be available only for the Windows version of Reader.

“Our primary goal was to protect the largest number of users the fastest,” Arkin said. “In the lab it’s certainly possible to take one of those [vulnerabilities] and export it onto a different platform, but in the real world, every single attack we’ve heard about has been on a Windows platform.”

One of the more common questions I hear from readers with computer virus infections is, “How do I get rid of a virus if I can’t even boot up into Windows to run an anti-virus scan?” Fortunately, there are a number of free, relatively easy-to-use tools that can help on this front.

The tools in this review are known as a “rescue CDs.” These are all free, Linux-based operating systems that one can download and burn to a CD-Rom. Once you’ve configured your PC to boot from the CD you’ve just burned, you can use the CD to scan your hard drive, and — depending on the type of rescue CD you choose — even copy files to a removable drive.

I have recommended more full-fledged versions of these rescue CDs (also known as “Live CDs) as a way for small businesses to protect their online banking sessions from malicious software, the lion’s share of which simply fail to run on non-Windows-based operating systems. But several anti-virus companies also offer slimmed-down Linux-based rescue CDs that can be extremely handy in getting rid of a persistent malware infection, or just for getting a second opinion (or third or fourth) about the state of your system.

Before I go any further, let me just state for the record that I don’t believe there is any substitute for having known good, solid backups of your data and your entire hard drive to restore to in case things go south. I also urge users to segment their systems so that important data files are on a separate chunk of hard drive space than the Windows operating system, which tends to make restoring backups a far simpler affair. I’ll post a separate tutorial on setting up a good backup plan soon. For now, though, I want to introduce readers to these simple tools.

Just one housekeeping note before I get started: If you want to run a rescue CD on a laptop, you’ll need to plug the notebook into a router or other Internet connection via a networking cable. The reason is that the first thing you’ll need to do when you boot into the rescue CD is update the program’s anti-virus definitions, and that requires a working Internet connection. I don’t believe any of these tools support wireless networking, but in any case setting that up is far beyond the scope and ambition of this brief how-to.

Grab the CD image

Several anti-virus vendors offer burnable rescue CDs that are based on Linux, including:

AVG Rescue

Avira Rescue

BitDefender Rescue

Dr. Web Rescue

F-Secure Rescue

Kaspersky Rescue

Panda Rescue

Burn the image to a CD or DVD

After you’ve download the file, burn the image to CD-Rom or DVD. If you don’t know how to burn an image file to CD or don’t know whether you have a program to do so, download something like Ashampoo Burning Studio Free. Once you’ve installed it, start the program and select “create/burn disc images,” and then “burn ISO.” Locate the .iso file you just downloaded, and follow the prompts to burn the image to the disc.

Incidentally, if your computer is a netbook and doesn’t have a CD-Rom drive — or if you’d just prefer to boot the rescue disc from a USB drive — you can create a bootable USB/flash drive using the same .iso image by downloading and running this free tool here.

Set your PC to boot from the CD

When the burn is complete, just keep the disc in the drive. We next need to make sure that the computer knows to look to the CD drive first for a bootable operating system before it checks the hard drive, otherwise this rescue will never be recognized by the computer. When you start up your PC, take note of the text that flashes on the screen, and look for something that says “Press [some key] to enter setup” or “Press [some key] to enter startup.” Usually, the key you want will be F2, or the Delete or Escape (Esc) key.

When you figure out what key you need to press, press it repeatedly until the system BIOS screen is displayed. Your mouse will not work here, so you’ll need to rely on your keyboard. Look at the menu options at the top of the screen, and you should notice a menu named “Boot”. Hit the “right arrow” key until you’ve reached that screen listing your bootable devices. What you want to do here is move the CD-Rom/DVD Drive to the top of the list. Do this by selecting the down-arrow key until the CD-Rom option is highlighted, and the press the “+” key on your keyboard until the CD-Rom option is at the top. Then hit the F10 key, and confirm “yes” when asked if you want to save changes and exit, and the computer should reboot. If you’d done this step correctly, the computer should detect the CD image you just burned as a bootable operating system. [Unless you know what you're doing here, it's important not to make any other changes in the BIOS settings. If you accidentally do make a change that you want to undo, hit F10, and select the option "Exit without saving changes." The computer will reboot, and you can try this step again.]

Note that if you chose above to create a bootable USB drive instead of a rescue CD, you will need to tell your BIOS to select the USB drive as the primary startup target.

Scan and remove any found malware

Some of the free rescue CDs above are more intuitive and user-friendly than others. Of them all, I thought Kaspersky and BitDefender offered the easiest to use and probably the most newbie-friendly interfaces. Both boot into a desktop-like environment that may be more familiar to Windows users. In addition, they each offer an Explorer-like window that allows users to examine files on the Windows hard disk. BitDefender’s rescue CD was the only one I tried that had a copy of the Firefox Web browser built into it. It also includes a point-and-click program that checks for common rootkits, tools often planted on hacked machines to hide the presence of malicious software.

If you have a secondary USB drive connected to the machine, you may even be able to use either the Kaspersky or BitDefender rescue CDs to copy files over to the external drive, although moving files from a damaged hard drive to a backup drive is probably best accomplished with an all-purpose type of Live CD, such as Ubuntu or Knoppix, which generally have better support for removable drives.

It is safe to power off the PC when you’re done with these rescue CDs. Just make sure to remove the CD before you try to boot up again into Windows, otherwise the computer will boot back into the rescue CD.

It is said that you can judge the mettle of a man by the quality of his enemies. So I guess it should be flattering when a group of individuals who appear dedicated to making misery for countless Internet users express glee at what they perceive as my misfortune.

Since my final posting on The Washington Post‘s Security Fix blog last year, I’ve been made aware of several discussions among different shadowy online groups who were apparently celebrating the end of that blog.

Some of those conversations I am not at liberty to point to here, but at least one of them is public: A thread on crutop.nu, a 8,000 member Russian language forum dedicated to Webmasters who specialize in high-risk Web sites, including rogue anti-virus software sales, pharmacy sites, and all manner of extreme porn (including beastiality and rape).

The last time I got this much attention from crutop.nu was last summer, when I published the results of a lengthy investigation that traced a huge number of rogue anti-virus Web site payment processing pages back to Crutop and to Chronopay, a Russian payment processing company that also specializes in high-risk sites. Indeed, that post concluded that the same individual was responsible for running both entities, (Chronopay founder Pavel Vrublevsky, a.k.a. “Redeye” on Crutop).

In this discussion on Crutop, members can be seen celebrating the demise of the Security Fix blog and my employment at The Washington Post, essentially saying that Santa Claus had answered their letters. Members then go on to discuss how I should be shot (among other indignities), as well as various search engine gaming schemes that might bury the rankings of my new blog at krebsonsecurity.com.

The entire thread (or least up until today) can be read by expanding the images below, in order, and viewing a rough translation. For whatever reason, the default view when you see the full sized image may start at the center of the page. If this happens, just scroll up and start from the top. Caution: Some of the language displayed in these posts may be offensive to some readers, and certain thumbnail images may not be appropriate for viewing at work.

PAGE 1

PAGE 2

PAGE 3