Seen in the wild: Fake error message pushes, of all things, Google Pack

Google Pack — completely legitimate.

Unfortunately, one naughty group is trying to get affiliate commissions from Google by referring customers to download the Google Pack — all to watch a porn movie (I hope that convoluted sentence makes sense).


In this case, one can assume it pays as well as, or better than, pushing malware to push this legitimate application (I’m sure these folks would be pushing malware if the money was there, as it’s all about money). Intriguing that Google’s high affiliate commissions are in competition with malware.

If there’s any silver lining, it’s that the customer will install a reasonably good bundle of tools in order to watch their porn.

I suppose it’s better than getting a malware install.

(Google has been contacted about this rogue affiliate and I expect the affiliate will be down very rapidly — Google’s responses on these matters are very rapid.)

Alex Eckelberry
(Credit to Sunbelt researcher Patrick Jordan)

A little bit of de-fudding on the DNS changing Trojan

We’ve seen quite a bit of FUD out there about the Trojan DNSChanger (both Windows and Mac versions) hijacking your DNS settings and then redirecting you to malicious websites, stealing personal identities, killing your dog and even crank-calling your grandmother with naughty messages.

Actually, it’s quite a bit more pedestrian than that, and we thought we’d set the record straight.

This Trojan is all about generating affiliate commissions by redirecting search results. So if you google “Spyware”, you’ll get search results they want you to see.

Capiche?

Here’s a video that I did with Adam a few months back that shows the Windows Trojan DNSChanger in action:

It explains it all.

Alex Eckelberry

Another fake codec — Windows and Mac


Typical Trojan DNS Changer, located at xerocodec(dot)net.

As is the pattern of these sites, the binaries are found through /download/(sitename).extension. So the Windows binary is xerocodec(dot)net/download/xerocodec(dot)exe and the Mac binary is xerocodec(dot)net/download/xerocodec(dot)dmg (there are more downloads in the same directory as well). And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.

Alex Eckelberry
(Thanks Patrick)

Mac trojan: This guy gets it

I’m surprised I didn’t catch this earlier. Craig Schmugar at McAfee gets it in his blog post:

Having said all this, these points are not what make this threat significant. What sets this threat apart from other proof-of-concept Mac threats and low-scale attacks is the entity behind it. Puper (a.k.a. Zlob) is one of the most widely reported pieces of malware for Windows. McAfee VirusScan Online users reported more than 4 million detections during the past two years. Microsoft’s latest security threat report states Zlob was the most frequently disinfected piece of malware. Unlike earlier Windows malware, this Mac Trojan is authored by professionals who likely pull in thousands of dollars a month through click fraud, hijacked affiliate sales, and other illegal activity.

Link here.

Alex Eckelberry
(thanks Francesco)

Another Mac security update

F-Secure writes:

“Looks like the Mac Trojan we posted about last week was not an isolated incident. The gang behind it seems serious about targeting Mac users as well as Windows users. And they keep putting out slightly modified versions of the trojan for the Mac too.”

Yeah.

Also, malware researchers: You may be able to find the DNS Changer Trojan by going to a DNS changer codec site, and using “.dmg” as your file extension instead of “.exe”. As an example, vivacodec(dot)net/download/vivacodec1000.exe downloads the Windows trojan. But going to vivacodec(dot)net/download/vivacodec1000.dmg brings down the Mac binary. Remember to set your user agent to look like a Mac. (Obviously, don’t download these binaries unless you know what you’re doing.)
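The /download/(sitename).extension layout described in this post and in the xerocodec post above can be turned into a proxy-log check that flags both the Windows and the Mac payload fetches. This is an added example, not code from the blog; the log format is an assumption and all hosts other than xerocodec.net and vivacodec.net (which the posts name) are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines: "client method url user-agent" (format is an assumption).
# xerocodec.net and vivacodec.net are the sites named in the posts; *.example.test is made up.
SAMPLE_LOG = """\
10.0.0.5 GET http://xerocodec.net/download/xerocodec.exe Mozilla/4.0 (Windows)
10.0.0.7 GET http://xerocodec.net/download/xerocodec.dmg Mozilla/5.0 (Macintosh)
10.0.0.8 GET http://vivacodec.net/download/vivacodec1000.dmg Mozilla/5.0 (Macintosh)
10.0.0.9 GET http://updates.example.test/download/setup.exe Mozilla/5.0 (Windows)
10.0.0.3 GET http://www.example.test/index.html Mozilla/5.0 (Windows)
"""

LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<ua>.*)$")
PAYLOAD_EXT = {"exe", "dmg"}

def is_fake_codec_download(url: str) -> bool:
    """True when the URL follows the fake-codec pattern /download/<sitename>[digits].<exe|dmg>,
    where <sitename> is the host's registrable label (xerocodec for xerocodec.net)."""
    parts = urlsplit(url)
    labels = parts.hostname.lower().split(".") if parts.hostname else []
    if len(labels) < 2:
        return False
    sitename = labels[-2]
    m = re.fullmatch(r"/download/([A-Za-z0-9-]+)\.([A-Za-z0-9]+)", parts.path)
    if not m:
        return False
    stem, ext = m.group(1).lower(), m.group(2).lower()
    # vivacodec1000.exe still belongs to vivacodec.net, so match on prefix, not equality.
    return stem.startswith(sitename) and ext in PAYLOAD_EXT

def flag_downloads(log_text: str) -> list[dict]:
    """One record per log line whose URL matches the pattern, tagged by target platform."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_fake_codec_download(m["url"]):
            platform = "mac" if m["url"].lower().endswith(".dmg") else "windows"
            hits.append({"client": m["client"], "url": m["url"], "platform": platform})
    return hits

if __name__ == "__main__":
    for hit in flag_downloads(SAMPLE_LOG):
        print(f"{hit['client']} fetched {hit['platform']} payload {hit['url']}")
```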

Alex Eckelberry
(Hat tip to Bharath)

The confusing saga of Roberto Preatoni

Roberto Preatoni is the founder of Zone-H as well as WabiSabiLabi. He’s well respected in security circles and has even been a professor at the University of Urbino. This is not some malicious hacker. He’s a security professional. He’s also been a staunch advocate of civil liberties in the post 9/11 world.

Yesterday, he was arrested in Italy, on charges that are more than confusing (particularly since the news is mostly in Italian). There are even hints at charges of conspiracy to commit murder — which is utter nonsense.

ComputerWorld has a writeup which is the most lucid, and so we can put together the following fact pattern:

  • Preatoni was hired by Telecom Italia to perform pen testing — a completely legitimate, white-hat activity. He was hired as part of a group dubbed the “Tiger Team”.
  • However, a number of members of this team were charged earlier this year with spying on the CEO of Brasil Telecom and others — and this has been big news in Italy for months now.
  • Preatoni seems to have been caught up in this mess and has found himself charged with spying as well.

I find Preatoni’s alleged guilt quite hard to believe. Preatoni might have been controversial at times, but I find it more than highly unlikely that he would have used his skills to hack illegally.

The problem is that there is not an abundance of technology know-how in jurisprudence, and one can only hope that he gets treated fairly. The Italian press is probably going to sensationalize this story, which certainly isn’t going to help matters. As one of our researchers, who is Italian, put it to me, “…who knows. The press in Italy is so bad, they make stuff up all the time.”

More information is coming out later today, and we should be able to post some updates.

Alex Eckelberry

Mac security counterpoints

A couple of articles have come out that provide some counterpoint on the “Is the Mac no longer secure because of this new Trojan, bla bla?” question.

Mac apologist Carl Howe writes a slightly misinformed article on Mac security, where he (sort of) confuses vulnerabilities with this new Trojan and generally bashes Windows.

Ok, just to make it clear: This Trojan is not a vulnerability in OS X, does not use a vulnerability in OS X, is not an exploit and I wish it would stop being referred to in these wildly incorrect terms.

David Harley writes a more reasoned essay, where he points out the Big Critical Piece of Information that Some People Aren’t Getting: the majority of malware attacks are done through social engineering, this Trojan is installed through social engineering, and this piece of malware comes from the same group that’s making a lot of money off of Windows users.

This Trojan is quite widespread on Windows (fake codecs are always at the top on our threat center, which tracks in real-time what is actually being removed by CounterSpy users). It requires user confirmation to run, so what makes Mac users think that they are immune to this type of social engineering?

There was even one respected security researcher who implied that Mac users were generally smarter than Windows users and thus weren’t as likely to install the Trojan. Well, this comment on my blog should answer that question:

I am new to the mac life! I just bought a video camera and hooked it up to my new macbook and the video didn’t work so I downloaded whatever popped up!!! I had no idea why my video didn’t work and i figured that mac’s are suppose to be soooooo user friendly that I needed to download it. NOW WHAT DO I DO? HOW DO I KNOW IF I GOT THIS DARN TROJAN OR NOT???? EEK please help?

QED.

Mac users are human beings, like all the rest of us, and can be fooled like all the rest of us. This Trojan is very deceiving, and its existence is simply a wake-up call that the professional, for-profit malware authors have moved into the Mac world, and now Mac users simply need to be more vigilant.

Alex Eckelberry

Ingenious new method used by spammers

I love doing Google hacks, so this caught my eye: Our friends over at Symantec wrote up an interesting report on a new method spammers are using to bypass filters. Many filters look at the URLs inside a spam to determine the spamminess of an email.

In this case, a spammer used a Google search link instead of a URL.

Here’s what the spammer did to pull off this little magic trick:
1. The spammer devised a query string which yielded only his or her URL as result of an advanced Google search.
2. The spammer then simulated the click of the “I’m Feeling Lucky” button (notice the ‘&btnl=’ at the end of the above URL) that will take you to the URL of the first result that comes up for the entered search query.
3. Lastly, the spammer packed this URL into a regular email and sent it out to evade spam filters.
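A filter that only checks the host of a link would wave this one through, since the host is google.com; unwrapping the search URL and looking at the query itself is what a defender wants. This is an added example, not Symantec’s or the blog’s code: the sample message and the spam-example.test domain are constructed, and the parameter is matched case-insensitively because the post prints it as ‘btnl’ while Google’s “I’m Feeling Lucky” parameter is btnI.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed spam body (not from the report). The first link carries a btnI parameter,
# so Google would redirect straight to the top hit for the query; the second is a plain search.
SAMPLE_MAIL = """\
Great deals this week! Click here:
http://www.google.com/search?q=site%3Aspam-example.test+cheap+pills&btnI=
Or visit http://www.google.com/search?q=python+tutorial for reference.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Search operators that pin the result set to one site, which is how the spammer
# guarantees that the "first result" is his or her own page.
OPERATOR_RE = re.compile(r"\b(site|inurl|intitle|allinurl):([^\s+]+)", re.I)

def lucky_redirects(text: str) -> list[dict]:
    """Return every Google search link in `text` that auto-redirects to its first result,
    together with the decoded query and any site-pinning operators it uses."""
    findings = []
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not (host == "google.com" or host.endswith(".google.com")):
            continue
        if parts.path != "/search":
            continue
        # keep_blank_values: the parameter often appears as a bare "&btnI=" at the end.
        params = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
        if "btni" not in params:
            continue
        query = params.get("q", [""])[0]
        operators = {op.lower(): val for op, val in OPERATOR_RE.findall(query)}
        findings.append({"url": url, "query": query, "operators": operators})
    return findings

if __name__ == "__main__":
    for f in lucky_redirects(SAMPLE_MAIL):
        print(f"lucky redirect -> query {f['query']!r}, pinned to {f['operators']}")
```

A real filter would then score the operator value (spam-example.test here) the same way it scores a bare URL.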

Very cute. More here (via the Register).

Alex Eckelberry

A rather heated debate with a rogue antispyware maker

There’s a thread over at CastleCops (thanks PG), where the security folks are arguing with the people from IEDefender as to whether or not the program is malware.

It starts friendly enough, with IEdefender using the standard “it’s not my fault, it’s these terrible affiliates”:

iedefender: Hello, we’re developers of IEDefender, our software is clean and is real antispyware. As we can see, people from your site send our exe to different antivirus and antispyware companies, trying to black PR our company. They’ve got answers, that our soft is clean, because IT IS CLEAN! We contacted Kaspersky, they also confirmed, there are no problems with our software, you can check our .exe with any popular antiviruses, there no problems! Stop sending your detractive mails and messages, in other case we would be forced to send all information to our lawyers and meet your representative in the court, where it would be very hard for you to prove, that our software is not real, because IT’S REAL ANTISPYWARE!

@ iedefender

Answer this directly .

If you are legit then why does malware advertise your software ?

iedefender:Yes, we know about this problem, we have a partnership for our distributors to advertise our program, we pay them a percent of registration fee. Some of them use illegal methods, that we not accept, our customers send us abuses about it and we closed some of our affiliates accounts without paying them. We are watching on it but there are problems with them sometimes. We’re working on this problem and it’s very sad for us. But just think if somebody would advertise any famous antiviruses this way would you add them to malware too?

Then as things progress, it starts to get uglier and uglier:

MANY well known companies have been ripped to shreds for the same thing ……. but in your case, not only are you spamvertized via malware, a part of your own software is also detected as malware

iedefender: Oh, really? Who detects it? You? Any proves? Tell us, what part of our software is malware? I see only bullshit from you, no proves and nothing else. All new messages without proves from you would be ignored, I want to talk with smart people not ones, who just want to spit here.

and

idefender: 2paperghost
Man??? With whom you r talking?

IE Defender Members – People who paid for our software, and they can register on our forum. You r stupid? This is so simple… lol.

2All WE WILL ANSWER YOU QUESTIONS SOON. NO MORE BULSHIT FLOOD HERE.

Well, it’s not the first time forum members have had to battle one of these folks. Won’t be the last.

Alex Eckelberry

Some new fake codecs

Reboot and here’s what your desktop looks like after installing one of these.

zsvcompany(dot)com
bcnproduction(dot)com
mojtechnology(dot)com
vaulimited(dot)com

All trojans — fake zlob media codecs.

The main page will show an error; as is standard practice these days, the binaries are actually downloaded from a subdirectory (usually something like /download(dot)php?id=4082).

Detection by all engines is very poor on these (Sunbelt Sandbox report on zsvcompany here, VT results here). We will have detections out shortly.

Alex Eckelberry
(thanks Bharath)

Can a spam filter play chess?

Interesting stuff.

Many people these days depend on Bayesian filters to protect them from the ever present email scourge that is spam. Unlike older technologies, these programs’ claim to fame is that they learn the spam patterns automatically, and more importantly, learn personalized spam (bad) and ham (good) email patterns.

Like many others, I wrote a Bayesian filter to protect me from unwanted email, which I called dbacl. My implementation functions as a Unix command line text classifier, with special email support, and can be used with procmail.

People are often astonished at how well statistical mail filtering works after they first try it, and it’s tempting to imagine that such programs actually understand the emails being delivered, rather than merely matching patterns.

Now chess has always been a popular gauge of intelligence that everyone can understand, so if we put all these ideas together, then the question “Can a Bayesian spam filter play chess?” seems like a fun experiment with a lot of appeal.

Link here.

Alex Eckelberry
(thanks Greg)

Buy weed online? I don’t think so…

A spam is making the rounds, attempting to lure people to a site which sells “legal buds” (F-Secure did a bit of analysis on one variant of this spam back on the 26th).


The website was registered on November 1st and is basically a landing page for another website, thebudshop(dot)net — registered on the 30th of October.



Obviously, to those who are misguided enough to believe that one is able to buy marijuana online, I have some news for you: You’ll likely get nothing if you try, or if you do, it’s going to be a bag of oregano or something else equally innocuous.

Pot is an illegal substance that cannot be purchased in any way in this country (with the obvious exceptions). And who knows, you might even get a rather rude knock on the door from your local authorities if you try…

Alex Eckelberry

Random: Dumbest predictions on Apple

Wired has a story today on the “The 15 Dumbest Apple Predictions Of All Time”.

Side note: of interest to me was this one:

Sony To Buy Apple
“Within the next two months, Sony will acquire Apple. … Sony will be the white knight who will step into the picture.” — former Apple VP Gaston Bastiaens, in January 1996.

I was working for Gaston at that time and remember him saying something to this effect. I treated his belief with a mixture of respect (given Gaston’s background) and some disbelief (“why the heck would Sony buy Apple?”). Whatever.

Alex Eckelberry
(Thanks Greg)

Bundle of mayhem: mmcodecs

We infected a system with mmcodecs (a relatively new fake codec variant) and have some screenshots to share with you.

You can see mmcodecs in this Google search result here (obviously, don’t go and install it):

[Screenshot: Google listing for mmcodecs.com]

So we install it and get a merry bunch of mayhem, with home page hijacking, desktop hijacking, a rootkit and more.

[Screenshot: kdboo.exe rootkit]

We get a rootkit — a DNS changer, no less!

[Screenshot: Safe-Strip desktop hijacking]

It wants to sell us Safe-Strip (a rogue antispyware program). It really wants to sell us this program!

[Screenshot: SystemErrorFixer scam]

And it wants to sell us SystemErrorFixer (courtesy of Innovative Marketing). It really wants to sell us this program too!

Well, enough of that fun.

Sunbelt Sandbox results here, VirusTotal results here (pdf).

Alex Eckelberry and Patrick Jordan