Seen in the wild: New ClickFraud Trojan

Searchadv.com is a part of the umaxsearch.com pay-per-click affiliate search program and is known for working with home page hijackers. Searchadv.com has now started using a new type of scam: A fraudulent pay-per-click scheme that Sunbelt calls Misc.Iwin.Scam. In short, it’s a trojan that generates fake clicks.  These clicks earn money.

Searchadv.com is running this fraudulent scheme through at least two methods at present:  

The first involves the use of the WMF exploit served from the web site loomcompany.com (which Searchadv.com owns) that drops a payload file on PCs of victims who visit compromised web sites.

The second known method involves links to RAR compressed files that are disguised as “adult games” at the web site pornocollection.net (also controlled by Searchadv.com). Users are effectively tricked into un-zipping these RAR files and then running the executables inside, which are not “adult games” at all but instead payload files.

Once their PCs are infected, either through the WMF exploit or the fake RAR porn game files, users see nothing to indicate their PCs have been compromised. Unbeknownst to users, the payload files dropped by these installation schemes are transmitting fake clicks in the background to Searchadv.com, which in turn passes those fraudulently generated clicks to its own search feed partners.

Each time an infected computer restarts and re-connects to the Internet, the transmissions and fraudulent clicks resume.

Some of these advertising partners include:

c.enhance.com
tripreservations.com
c.goclick.com
oemji.com
rx-select.com
dealtime.com
shopzilla.com
looksmart.com
goclick.com
ads.ask.com
freegiftworld.com
freepayingsurveys.com

The list goes on . . .

One thing that makes this scheme especially dangerous is that victims are being lured to the WMF exploit pages through web pages designed to turn up in Google searches on completely legitimate, innocent terms. For example, the web page for cobrahealthinsurance.loomcompany.com turns up in a Google search for “Cobra Health Insurance.”

Users who click through to the web site, which is a sub-domain of loomcompany.com, could become infected with the Misc.Iwin.Scam Fraud Trojan if their PCs are not updated with the fix for the WMF vulnerability from Microsoft.
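The background click traffic described above has a shape a proxy log can reveal: one host sending click requests to the affiliate feed with no browser Referer and at a near-constant interval. The following is an added example, not code from the original post or from Sunbelt; it assumes a constructed whitespace-separated log format (timestamp, client IP, method, URL, Referer or "-") and uses constructed sample lines, not real traffic.

```python
"""Spot machine-generated 'clicks' to a pay-per-click feed in a proxy log.

Added example (not from the original post). Assumes a simple constructed
log format: timestamp, client IP, method, URL, Referer-or-'-'.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Affiliate click feed named in the post; a real deployment would load a list.
FEED_DOMAINS = {"searchadv.com"}

# Constructed sample log (not real traffic). 10.1.1.7 behaves like the
# trojan: six clicks, exactly 30 s apart, no Referer. 10.1.1.9 is a person:
# a few clicks, irregular timing, each arriving from a search results page.
SAMPLE_LOG = """\
2006-02-01T10:00:00 10.1.1.7 GET http://searchadv.com/click?id=101 -
2006-02-01T10:00:30 10.1.1.7 GET http://searchadv.com/click?id=102 -
2006-02-01T10:01:00 10.1.1.7 GET http://searchadv.com/click?id=103 -
2006-02-01T10:01:30 10.1.1.7 GET http://searchadv.com/click?id=104 -
2006-02-01T10:02:00 10.1.1.7 GET http://searchadv.com/click?id=105 -
2006-02-01T10:02:30 10.1.1.7 GET http://searchadv.com/click?id=106 -
2006-02-01T10:00:05 10.1.1.9 GET http://www.google.com/search?q=cobra+health+insurance -
2006-02-01T10:00:41 10.1.1.9 GET http://searchadv.com/click?id=201 http://www.google.com/search?q=cobra+health+insurance
2006-02-01T10:03:12 10.1.1.9 GET http://searchadv.com/click?id=202 http://www.google.com/search?q=cobra+health+insurance
2006-02-01T10:07:58 10.1.1.9 GET http://searchadv.com/click?id=203 http://www.google.com/search?q=cobra+health+insurance
2006-02-01T10:09:03 10.1.1.9 GET http://searchadv.com/click?id=204 http://www.google.com/search?q=cobra+health+insurance
2006-02-01T10:15:44 10.1.1.9 GET http://searchadv.com/click?id=205 http://www.google.com/search?q=cobra+health+insurance
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, referer = m.groups()
        yield {
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "url": url,
            "referer": None if referer == "-" else referer,
        }


def is_feed_click(url):
    """True when the URL's host is, or is under, one of the feed domains."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in FEED_DOMAINS)


def suspicious_clients(text, min_clicks=5, max_jitter_s=5.0):
    """Return {client_ip: summary} for clients whose feed clicks look scripted.

    A client is flagged when it has at least `min_clicks` clicks to the feed,
    none of them carries a Referer, and the gaps between clicks are nearly
    constant (population std-dev <= max_jitter_s seconds).
    """
    clicks = defaultdict(list)
    for rec in parse_log(text):
        if is_feed_click(rec["url"]):
            clicks[rec["client"]].append(rec)

    flagged = {}
    for client, recs in clicks.items():
        if len(recs) < min_clicks:
            continue
        recs.sort(key=lambda r: r["ts"])
        if any(r["referer"] for r in recs):
            continue  # a browser following a link normally sends a Referer
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        jitter = statistics.pstdev(gaps)
        if jitter <= max_jitter_s:
            flagged[client] = (
                f"{len(recs)} feed clicks, no Referer, "
                f"every ~{statistics.mean(gaps):.0f}s (jitter {jitter:.1f}s)"
            )
    return flagged


if __name__ == "__main__":
    for ip, why in suspicious_clients(SAMPLE_LOG).items():
        print(ip, "->", why)
```

Only 10.1.1.7 is reported; the human browsing from a search results page has irregular gaps and a Referer on every click. Because the post notes that the clicks resume after every reboot, running this over a day's log rather than a few minutes gives the clearest signal.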

Patrick Jordan
Senior Spyware Researcher

Congressional hearing scheduled over how US internet companies are operating in China

Congressman Chris Smith will be holding a hearing in D.C. on February 16th that will “examine the operating procedures of US internet companies in China”.

From his website:

Rep. Smith has invited various US companies to testify at the hearing, including: Google, Yahoo, Microsoft and Cisco.  Also scheduled to testify are: State Department Senior Advisor for China and Mongolia James Keefe, State Department Deputy Assistant Secretary for International Communications and Information Policy David Gross, Julien Pain from Reporters Without Borders and Harry Wu from the LaoGai Research Foundation.

Link here.  Related FT article here.

 

Alex Eckelberry

Privacy advocates fight back against UK government

Over 33,000 people have been stopped and searched under the UK’s new anti-terror laws.

Some people are fighting back.

Charles Clarke, the Home Secretary, is facing an onslaught over the Government’s anti-terror laws after figures showed nearly 36,000 people were stopped and searched under the emergency powers last year. The number of people stopped and searched each year has soared since the Act came into force in 2001, when 10,200 people were stopped. It rose to 33,800 in 2003-04.

Campaigners will mount a legal challenge in the House of Lords today, as they attempt to limit the laws giving police sweeping powers to stop people even if they have no grounds to suspect them of a crime.

More here.

 

Alex Eckelberry 

Ok, back to reality

Follow-up to my previous blog posting on the high rate of Blackworm infections, Gadi Evron at Securiteam updates us with (relatively) good news:

After investigation with the ISP and various people from our task force (special thanks to Joe Stewart and all the SANS ISC handlers) it appears that someone (probably the worm author) was trying to be funny and DDoS the counter.

Looking only at unique IP addresses and removing the ones from the DDoS, we end up with only about 300K users whose world is going to crumble on February 3rd.

Good.  Because I just checked the counter and it’s up to over 3 million. 

The insanely high kama sutra worm count

Still, as Gadi points out, there’s an estimate of possibly 300,000 users who are going to have a potentially serious data loss on the 3rd.
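Gadi's correction above rests on two steps: collapse raw hits to unique IP addresses, then throw out the sources that were flooding the counter. The following is an added example, not code from the original post or from the task force; it assumes the counter's raw log is available as (timestamp, source IP) pairs, and the log it builds is constructed, not the real counter data.

```python
"""Turn a hit counter into an infection estimate: raw hits -> unique IPs ->
unique IPs minus flood sources.

Added example (not from the original post). Assumes the counter log is
available as (timestamp, source_ip) pairs; the sample data is constructed.
"""
from collections import Counter
from datetime import datetime, timedelta


def build_sample_hits():
    """Constructed counter log: 20 infected hosts (4 of them reboot and report
    again) plus two sources hammering the counter 500 times each."""
    base = datetime(2006, 1, 31, 12, 0, 0)
    hits = []
    for i in range(20):
        ip = f"192.0.2.{i + 1}"
        hits.append((base + timedelta(minutes=i), ip))
        if i % 5 == 0:  # a reboot makes the worm report again
            hits.append((base + timedelta(hours=1, minutes=i), ip))
    for j in range(500):
        for flooder in ("198.51.100.1", "198.51.100.2"):
            hits.append((base + timedelta(seconds=j), flooder))
    return hits


def flood_sources(hits, max_hits_per_source):
    """IPs that hit the counter more often than an infected host plausibly
    would (the worm reports once per boot, not hundreds of times)."""
    per_ip = Counter(ip for _, ip in hits)
    return {ip for ip, n in per_ip.items() if n > max_hits_per_source}


def estimate_infections(hits, max_hits_per_source=10):
    """Return raw hits, unique sources, flood sources and the corrected estimate."""
    flooders = flood_sources(hits, max_hits_per_source)
    unique = {ip for _, ip in hits}
    return {
        "raw_hits": len(hits),
        "unique_ips": len(unique),
        "flood_sources": len(flooders),
        "estimated_infected": len(unique - flooders),
    }


if __name__ == "__main__":
    print(estimate_infections(build_sample_hits()))
```

On the constructed data the counter reads 1024, the unique-IP view says 22, and removing the two flood sources leaves 20, which is the kind of drop the post describes (millions on the counter, roughly 300K real). The threshold is a judgment call: set it above the number of reboots a machine might see in the window, but well below what a flood produces.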

Alex Eckelberry

 

Blackworm worm over 1.8 million infestations and climbing

As a follow-up to my previous blog posting, we’re now seeing infestations for the Blackworm worm (aka KamaSutra) getting close to 2 million.

[Image: screenshot of the worm's infection counter]

(This worm actually reports back to a server that is keeping track of the number of infections.) 

Yesterday it was at close to 700k.

Of course, it’s possible that this URL has gotten out to the public, which would increase the count (simply hitting the website increments the count by one).  However, to my knowledge, this URL is only known in the security community.

Remember that this worm has a very destructive payload.  Even if you discount the number here, you’re still looking at a significant number of people who will suffer potentially devastating data loss.

 

Alex Eckelberry

Update/Clarification:  As Jamie points out, the site is recording hits, not unique IPs.  Expect the real number of infestations to be probably half the number on the counter.  See Securiteam link here.

Update:  It’s not a real number, it’s a DDoS attack on the counter (probably by the worm author). Actual infestation rates probably closer to 300k.  More here.

Google helps to fund an antispyware site

According to an article by Ryan Naraine in eWeek, “Web search powerhouse Google has joined with Sun Microsystems to fund a new anti-spyware coalition that is on tap to launch on Jan. 24…”.  It will be operated by the Berkman Center at Harvard and the Oxford Internet Institute at Oxford University.

Apparently, the site is going to be an information clearinghouse and help center for consumers.  In an article in the Christian Science Monitor, the group’s co-director was quoted as saying “the coalition will act like a “neighborhood watch” for the Internet, relying on citizens to report problems.”

The new site, “StopBadware.org”, will be up tomorrow.  The domain is owned by Google.

Very surprisingly, Harvard Ph.D. candidate and antispyware superstar Ben Edelman is unfortunately not involved.

Update:  Eric Howes, our director of malware research, has signed on to be part of the working group. We’ll see how this plays out.

Alex Eckelberry

February 3rd is possibly a D-Day

The Kama Sutra worm (now being referred to by some experts as BlackWorm) has a number of people in the security community concerned.

I blogged a few days back about its rate of infestation.  Last Saturday, the number of infected machines was at about 500k.

Today, that number is getting close to 700k (we know that because this worm actually reports back to a server that is keeping track of the number of infections).

[Image: screenshot of the infection counter]

Why the worry?

On the 3rd of every month, it does some rather nasty things.  From our friends at F-Secure:

The worm has a dangerous payload. If the date is equal to 3 (3rd of February, 3rd of March, etc) and the worm’s UPDATE.EXE file is run, it destroys files with those extensions on all available drives:

*.doc
*.xls
*.mdb
*.mde
*.ppt
*.pps
*.zip
*.rar
*.pdf
*.psd
*.dmp

Well, that’s not very friendly, is it? More here.

Security expert Gadi Evron has written the following:

This is an urgent alert released by the cooperative efforts of the MWP/DA groups that also worked on the hurricane Rita scams. This task force is now known as the TISF BlackWorm task force.

This task force involves many in the security (anti spam, CERTs, antivirus, academia, ISPs, etc.) community and industry, working together to combat threats to the security of the Internet in cooperation with law enforcement globally.

Anti-virus companies each have a chosen name for this, but for operational reasons as well as simplicity we choose BlackWorm. This is what we submit for CME. A CME entry should hopefully be created shortly.

Bottom line:
1. Update anti-virus software urgently.
2. See Snort signatures below.

More, with Snort sigs, here.

There’s no great panic if you’re running a decent antivirus program with the latest signatures.  The people getting infected are probably getting so because they’re not running AV programs and are making the mistake of opening infected emails…

Oh, and confused about all of its names?  Andreas Marx at AV-Test.org gives us this list:

AntiVir Worm/KillAV.GR
Avast! Win32:VB-CD [Wrm]
AVG Worm/Generic.FX
BitDefender Win32.Worm.P2P.ABM
ClamAV Worm.VB-8
Command W32/Kapser.A@mm (exact)
Dr Web Win32.HLLM.Generic.391
eSafe Win32.VB.bi
eTrust-INO Win32/Blackmal.F!Worm
eTrust-VET Win32/Blackmal.F
Ewido Worm.VB.bi
F-Prot W32/Kapser.A@mm (exact)
F-Secure Email-Worm.Win32.Nyxem.e
Fortinet W32/Grew.A!wm
Ikarus Email-Worm.Win32.VB.BI
Kaspersky Email-Worm.Win32.Nyxem.e
McAfee W32/MyWife.d@MM
Nod32 Win32/VB.NEI worm
Norman W32/Small.KI
Panda W32/Tearec.A.worm
QuickHeal I-Worm.Nyxem.e
Sophos W32/Nyxem-D
Symantec W32.Blackmal.E@mm
Trend Micro WORM_GREW.A
VBA32 Email-Worm.Win32.VB.bi
VirusBuster Worm.P2P.VB.CIL

Alex Eckelberry

Update:  The counter has been running high due to a DDoS attack.  See here.

Poorly secured sites being used for phishing scams

I get a wee bit tired of seeing stuff like this.  Sloppy security practices lead to compromises and people get hurt. 

Phishers commonly compromise legitimate sites to hoist their scams from.  These are both examples that are live right now. 

Here’s one.

[Image: screenshot of the phishing page on the Thai site]

The IP number, 202.29.41.99, is for the UniNet Office of Information Technology Administration in Thailand (Whois).

Going up, we see it’s a simple webmail interface

[Image: screenshot of the webmail interface one level up]

All right, no big deal, right?  After all, it’s just a webmail interface, right? (Never mind the irony that it’s the Office of Information Technology Administration). 

Well, let’s move on to Hanvision, a Korean video camera company.  This company, through its sloppy security practices, has allowed a PayPal phishing site free rein on its site.

Main page:

[Image: Hanvision main page]

Phishing site:

[Image: PayPal phishing page hosted on the Hanvision site]

This is absolutely no news to anyone in the security space.  But hopefully, it’s a reminder on basic web server security. Because if your website is insecure, you’re not only putting your company at risk, you’re putting others at risk as well.

 

Alex Eckelberry

What file extensions are naughty or nice?

Interesting stuff from Websense.  They did a study of file extensions typically used in malware installs.

While we are in no way recommending adding filters to blanket-block HTTP traffic by file extension, we thought it would be interesting to share January 2006 numbers to date on what extensions are the most popular for malicious websites. Note: this does not include phishing or spyware related websites but mostly sites that are being used to download Trojan horse download code, keyloggers, and backdoors.

Interesting stuff, actually.


(Image from WebSense)

Link here.

 

Alex Eckelberry

 

Broadside against adware: CDT files two complaints against 180Solutions

[Image]

“180solutions and its affiliates have caused immeasurable harm, not just to individual Internet users, but to the Internet itself.” — Ari Schwartz, deputy director, CDT

This is big news, people: The Center for Democracy and Technology (CDT) has filed two complaints with the FTC against 180solutions.

According to their press release:

The Center for Democracy &Technology (CDT) today asked the Federal Trade Commission (FTC) to put an end to the illegal and deceptive practices of 180solutions Inc., one of the world’s largest developers of Internet advertising software. In a detailed complaint, CDT outlines a pattern whereby 180Solutions, through a complicated web of affiliate relationships, deliberately and repeatedly attempted to dupe Internet users into downloading intrusive advertising software. The complaint illustrates how 180solutions continued this pattern of practice even after being warned by technology experts, privacy advocates and its own auditors that its practices were unethical, and in several cases, illegal.

The first is a general complaint, backed up by extensive research and investigation, which alleges:

After substantial investigation, it is clear to CDT that, 180solutions’ core business model depends on third-party affiliates committing unfair and deceptive practices on the company’s behalf. Therefore, CDT urges the Commission to bring a complaint against 180solutions, not on the grounds of an individual case, but rather in response to a pattern of practice that continues to encourage violations of the Title 5 of the FTC Act.

That’s the first complaint.

The second complaint is against 180Solutions and CJB.Net.  You may remember my blog post back in November about a 2nd grade class site hosted on CJB, where 180solutions software was offered on the site.  CJB has been naughty — you set up a free website on CJB, and then they would offer 180solutions adware to people who go to your free site (I tried this last night, though, and it appears they may have stopped this practice).

So, this second complaint alleges:

…CDT discovered through its investigations that 180solutions is engaging in a number of deceptive and unfair practices to distribute its software through its affiliate, CJB.NET.

…Users who sign up for free Web sites hosted by CJB.NET are not told in a clear and conspicuous manner that visitors to their site will be prompted to download software. This constitutes an unfair practice. CJB.NET also uses a deceptive security warning (ActiveX) prompt to dupe people into installing 180solutions’ software, instead of offering users the opportunity to give informed consent. Following the ActiveX prompt, the automatically triggered Web browser windows (pop-ups) soliciting user consent suggest that the site is “supported by advertising.” While most consumers understand a site “supported by advertising” to mean a Web site that contains banner ads delivered by the page, the “advertising” on a CJB.NET Web site actually involves a program that runs continuously and tracks everything that the user does online. As we document in this complaint, the discrepancy between what users expect a Web site that is “supported by advertising” to do and what CJB.NET-hosted sites actually do is the root cause of several types of unfair and deceptive trade practices. CDT urges the Commission to bring a complaint against 180solutions and CJB.NET for unfair and deceptive practices in the installation of advertising software, in violation of section 5 of the Federal Trade Commission Act (FTC Act).

In the complaints, the CDT referenced research from a number of antispyware superstars, including Chris Boyd, Ben Edelman, Suzi Turner and Sunbelt’s own director of malware research, Eric Howes.

These complaints make for good reading.  180Solutions complaint here (15MB).  180Solutions/CJB.Net complaint here.

In response to my request for comment on this blog posting, Sean Sundwall (180solutions PR guy) emailed me this morning with the following:

We have not yet reviewed the letter filed with the FTC by the CDT, but 180solutions and the CDT share the same vision of protecting the rights and privacy of consumers on the Internet. This shared vision has resulted in a healthy working relationship that has seen great progress in the fight against spyware and benefited consumers around the world. We have made voluntary improvements to address every reasonable concern that the CDT has made us aware of. We hope to continue the productive dialog with the CDT for years to come.

 Alex Eckelberry

The UK is heading toward a police state

British author and former journalist Henry Porter writes on privacy in the Observer.

He’s spot on about the incredibly rapid deterioration of civil liberties in the UK.

The argument for social control goes like this: if you’ve done nothing wrong, you have nothing to fear from a national data bank of identity/the terrorism act/the tapping of MPs’ phones/the use of the public-order act to control protest and limit free expression/the new powers of arrest/the retention of DNA samples taken from innocent juveniles.

…Make no mistake – we are wiring up for the police state.

Link here via Catherine.

As I continue to repeat, the fear of real or perceived threats has historically been the justification for the biggest assaults on civil liberties.

Furthermore, I’m truly shocked and concerned by what has been happening over in the UK. It’s not only the privacy issues. For example, just glance through the UK section of overlawyered.com. There’s just an extraordinary encroachment of government into people’s lives, under the guise of “safety” and “security” and political correctness — everything from nursery children being made to stay inside, to cutting down fruit trees (so people won’t slip on falling fruit), to having novelty calendars banned. The list is long. Trust me.

Ironically, I’d be scared to live over there. Really. I’d probably be arrested for blogging something in violation of some ridiculous rule.

How’s that for feeling “safe” and “secure”?

Alex Eckelberry

7 day support

We’ve taken the plunge and are now offering 7-day support for our consumer products (toll-free Monday through Friday, and email support on the weekends).  Our tech team did the analysis and came to the conclusion that we can afford to make this move.  And actually, it helps, because our techs were spending a good part of Monday catching up on work from over the weekend.  Now, the work is more spread out.

A few more notes on our support philosophy: All of our US support is here in the US, right here in Tampa Bay at our headquarters (depending on the circumstances, overseas support is done through in-country distributors or by our European sister company).  We also won’t do IVR (interactive voice response) type support.  I despise pushing buttons on a phone as a consumer, and so do the rest of our techs.  We get around it by having call screeners answer the phone so a user will always get a live person who can route them correctly.

I’m not sure how we’re able to do this quality of support with the prices we charge, but it is working so I’m not going to mess with it.

 

Alex Eckelberry

Kama Sutra worm

You may have heard of the so-called Kama Sutra worm (actually, it goes by a number of different names, but it’s being loosely referred to as “Kama Sutra” because one of the email subject lines it uses includes the words “Kama Sutra pics”).

From Sophos:

The W32/Nyxem-D worm (also known as Email-Worm.Win32.VB.bi or W32.Blackmal.E@mm) can spread via email using a variety of pornographic disguises, in an attempt to disable security software. If launched it tries to disable a number of anti-virus and firewall products, and attempts to harvest other email addresses from the infected computer, in an effort to spread itself further.

Anyway, like any good web “marketing” effort, this worm actually reports back to a server that is keeping track of the number of infections.  We did a quick informal check this morning.

At about 12:00 pm EDT, the counter was at 508,728.

[Image: counter screenshot showing 508,728]

At about 12:15 pm EDT, the counter was at 509,532.

[Image: counter screenshot showing 509,532]

804 infections in 15 minutes.

 

Alex Eckelberry
(Thanks Adam Thomas)

Raze Spyware installs fake keylogger

For the past week, our Spyware Research team has been observing Raze Spyware being silently installed without user consent through various exploits. Raze Spyware is already a long-time member of Eric Howes’ Rogue Anti-Spyware products list. Dubious installation methods are a common practice for these rogue anti-spyware applications. To make matters worse, we have also found a fake keylogger being installed alongside Raze Spyware! The program then alerts the user that they are infected with the “keylogger”. Even more compelling was a transmission from the infected machine to Pills-Catalog.net that revealed a botnet controller.

The WHOIS information for pills-catalog.net shows details very similar to those for razespyware.net:

RAZESPYWARE.NET
Registrant: painter co painter (Whois Privacy and Spam Prevention by Whois Source)
255 West 36 Street New York , NY 10018-7555
New York null,23878 US Tel. +212.3002000

PILLS-CATALOG.NET
Registrant: Pant Co Pant (Whois Privacy and Spam Prevention by Whois Source)
Colonnel By Hall A510
New York null,11201 US Tel. +91.2263475146

Shown below is the botnet controller in action, where you can upload or edit files (amongst other activities). Conveniently enough, we see keylogger32.exe, which is the file that magically ends up in the WINDOWS\system32 directory.

[Image: screenshot of the botnet controller’s file upload page listing keylogger32.exe]

 

I think RazeSpyware has some explaining to do.

 

Adam Thomas
Spyware Research

On the heels of da gubmint subpoenaing the search engines

You’ve invariably heard the latest buzz on the ‘net — Google and other search engines being subpoenaed for searches.

Well I say let’s be overt about the whole thing.  Seize my searches! 

That’s why I’ve set my home page to Patriot Search!

 

Alex Eckelberry
(Hat tip to John Murrell)

Humor: How to be hired as a penetration tester

(A pen-tester is hacker lexicon for “penetration tester” — a “white hat” hacker.)

The SecuriTeam blog has a very funny satire on “how to be hired as a pen tester”:

Rule 1 – You can’t run Windows. Seriously, don’t even consider showing up to a Con|interview|class|etc with Windows. Even if you have to run a CD distro, or OpenBSD at runlevel 3, you must do it. You will be scoffed at and not taken seriously with a Windows machine. For bonus points, put con stickers or anti-microsoft stickers on the laptop. You get extra bonus points if you’re running a MAC. Just pull up Safari and browse over to slashdot. Yeah, you’re rolling hardcore now.

Rule 2 – You must have complete and utter disdain for any authority figure. You’re the rebel – the misunderstood creative genius. Act the part.

More here.

 

Alex Eckelberry
(Hat tip to Gadi Evron)