Polar opposites in U.S. Senate co-sponsor cybercrime bill

In spite of the polarized, poisonous atmosphere in Washington, D.C., generated by President Barack Obama’s health care reform campaign, two Senators from very opposite ends of the political spectrum are co-sponsoring a bill to fight international cybercrime.

U.S. Senators Kirsten Gillibrand (D-NY) and Orrin Hatch (R-UT) have cosponsored a bill aimed at fighting international cyber crime: the International Cybercrime Reporting and Cooperation Act.

If enacted into law, the bill would give the U.S. government the power to help countries that need assistance in their fight against cyber crime. It also gives the U.S. government the power to cut off financial assistance to countries that don’t crack down on net criminals.

A wide variety of Internet criminals currently rely on bullet-proof servers in countries where their crimes are tolerated. It is believed that in some countries cyber crime is protected by corrupt governments or seen as a source of income for the country as long as the victims are all foreigners.

U.S. criminal investigators and those of other countries who have evidence to shut down criminal operations often get no cooperation from law enforcement groups in countries where the crime is tolerated. Russia, many eastern European countries, Nigeria and China traditionally have topped the list of non-cooperating countries.

In their news releases on the introduction of the bill, the two senators said:

“Earlier this year, hackers in China launched a large, sophisticated attack on Google and other American businesses. A conservative estimate from the Government Accountability Office (GAO) estimates that in 2005 U.S. businesses lost $67.2 billion as a result of cyberattacks. Since then, attacks have dramatically increased. The global economy overall lost over $1 trillion in 2008 as a result of cyber attacks, according to studies by McAfee, Inc.”

The bill would:

— Establish an annual presidential report in which the President would assess the extent of cybercrime in each country as well as the country’s efforts to fight it and protect consumers and online commerce. It also would report on multilateral efforts against cybercrime.

— Prioritize programs designed to combat cybercrime to help countries with little information and communications technology in order to stop them from becoming cybercrime havens.

— Provide assistance to improve finance or telecommunications infrastructure in countries that need it in order to combat cybercrime.

— Identify countries of cyber concern: those with a pattern of cybercrime against the U.S.

— Identify the countries that don’t deal with cybercrime “through investigations, prosecutions, bilateral or international cooperation, or appropriate legislation.”

— Establish an action plan to help governments of high cyber-crime countries fight it.

— Penalize countries that fail to meet benchmarks in their action plans by cutting off financing, preferential trade programs, or new foreign assistance, as long as the penalties don’t limit projects to fight cybercrime.

— Have the Secretary of State designate a senior official to coordinate the international fight against cybercrime and appoint employees at key embassies to focus on cybercrime policy.

We wish the Gentleman from Utah and the Lady from New York success.

Sen. Gillibrand news release here.

Sen. Hatch news release here.

Tom Kelchner

New social media? Pay to play online games with women?

“Dirty” or “Flirty”

Ok.

It’s an old formula for a successful business: pay girls to have fun with you.

This time the schtick is getting on-line gamers to pay $8.25 (US) to play an online game with a female for 10 minutes. The women get to keep 40 percent.

The site is GameCrush. It just opened last night and it seems to be a success (screen shots below.)

“GameCrush is being touted as the first social site for adult gamers with the women online able to set their gaming mood to either ‘flirt’ or ‘dirt’, IGN reports.

“The men online are known as Players and the women as PlayDates and Players pay to play while PlayDates get paid to play.

“Players browse PlayDate profiles — of which there are currently 1200 — view photos and even chat with girls for free.”

“At the moment it only supports Xbox 360 and some games on the GameCrush website. GameCrush plans to support PlayStation 3, Wii and World of Warcraft.”

Story here: “GameCrush lets gamers pay to play with girls”

And here.

Given that there might be 400,000 gamers (gold farmers) in third world countries making great money (for them) by playing 12 hours a day, I predict GameCrush is going to be a GREAT opportunity for female gamers from third-world countries (and everywhere else for that matter.)

GameCrush might be on to something: http://prdtest.gamecrush.com/

Yesterday afternoon:

Game_crush

This morning:

Game_crush 2

Tom Kelchner

Paper Ghost: “I can’t say I’m massively impressed with this one.

“It’s embarrassing when you walk into a game store and some box art has a ludicrously underdressed woman who’s supposed to be in the middle of a war zone. It’s embarrassing when the cover of video game magazines resemble something you’d normally find on the top shelf. And it’s embarrassing to see people happy to pay for something like this. There are actually plenty of females on gaming services who will happily talk to you for free, and they’ll shoot you AND they won’t charge money for it.

“They might upload your horrible deaths to YouTube, though.”

Update 03/25:

Launch day + 1 — servers still down.

Google-in-China saga: another hack, move to HK

There is a risk to computer security from governments. Regulatory changes, even if they are very positive measures, can impose huge demands on an enterprise (e.g. HIPAA, Sarbanes-Oxley, California’s law requiring notification of customers whose personal information is hacked on company sites).

The “government” risk can get no bigger than the clash of Google and the government of China over the censorship issue. The world suspects that the Chinese government or its proxies were behind a campaign of hacking against Google and other major U.S. companies several months ago. Google reacted to the hacks by saying in January that it would stop censoring search results for web users in China. Monday it said it would move to Hong Kong.

The government of China, which gave the search giant the choice of censoring Internet content or leaving the country, accuses Google of being a pawn of the U.S. military establishment, hell-bent on subverting Chinese order – the ability of the government to protect its citizens from “harmful” Internet content.

The latest hack

Reporter Mercedes Bunz of the UK’s Guardian is reporting today that a Google web page that lists corporate executives appears to have been hacked and has been redirected to a site in China. The Guardian reported the hacks to Google staff who said they were investigating.

Story here.

(Note: see update 03/25 below)

Analysis from both sides – playing it down in China

A large volume of news analysis today quotes observers with opinions that vary from “what were they thinking, going up against the government of China?” (NYT) to “China defended itself in an ideological battle” (People’s Daily Online).

China Daily reported that Chinese Foreign Ministry spokesman Qin Gang said: “The Chinese government encouraged and pushed for the openness of Internet and its management according to its laws and regulations, which was common practice in all countries.”

Story here: “Google case will not affect China-US relations”

What was Google thinking?

The New York Times quoted J. Stapleton Roy, director of the Kissinger Institute on China and the United States at the Woodrow Wilson International Center for Scholars. “I don’t understand their calculation, I do not see how Google could have concluded that they could have faced down the Chinese on a domestic censorship issue.”

Roy is a former U.S. ambassador to China.

How much is Google giving up in revenue?

The Times said some analysts estimate that Google’s annual revenue in China was only $300 to $600 million out of $24 billion in annual sales, but investors were expecting a bright future in that country, which has 350 million web users. Google’s stock has dropped because of the shoving match with the Chinese government.

Story here: “Google Faces Fallout as China Reacts to Site Shift”

Is there a risk for China’s government?

Some have said that Google’s move to stop the censorship puts the authorities in China in a difficult spot. The government would be reluctant to anger Google users in China who are usually highly educated and who do complain, the Times said.

The paper quoted Bill Bishop, a Beijing Internet entrepreneur who writes the tech blog Digicha, “The Chinese are very serious about pushing their soft-power agenda, Google just put a big hole in that sales pitch, and I think they know that.”

In an analysis piece in the Times, Michael Wines wrote:

“But China also does not acknowledge to its own people that it censors the Internet to exclude a wide range of political and social topics that its leaders believe could lead to instability. It does not release information on the number of censors it employs or the technology it uses for the world’s most sophisticated Internet firewall. Its 350 million Internet users, many with fast broadband connections, are assured they have the same effectively limitless access to information and communications that the rest of the world enjoys.”

Will forcing Google out stop innovation in China?

Wines and the reporters in Shanghai and Beijing who contributed to the analysis also wrote:

“The cost, at least with some influential sectors of its own society, could be steep. In the technology sector, Google is viewed as an innovator that has spurred rapid development of the Chinese Web. Its departure will leave some Chinese companies with greater influence, but could also stifle competition, some fear.

“‘Google is good at innovation, and when it leaves, the rest of the companies in China will lack motivation. Without its countervailing power, the industry won’t be as healthy,’ said Zhang Yunquan, a professor at the Institute of Software at the Chinese Academy of Sciences.

“Fang Xingdong, chief executive of Chinalabs.com, said the vast majority of Chinese Internet companies invested little in research and ‘simply copy each other’s technology.’ With Google’s departure, their profits may rise, but China’s Web space will begin to stagnate, he predicted.

Story here. “Stance by China to Limit Google Is Risk by Beijing”

What nastiness is in it for the rest of us?

It’s a clash of the Titans and there could be continuing fallout for everyone else. Although the wrestling match with Google didn’t start the hacking and intellectual property theft via the Internet out of China, it could focus the attention of nationalistic and quite independent Chinese hackers. We won’t even go into the issue of possible government- and military-sponsored hacks.

Enterprises should redouble user education about phishing, and everybody had better keep operating systems and anti-malware updated.

And, if you live outside China – enjoy the luxury of an uncensored web.

Tom Kelchner

Update 03/25:

Bulgarian city official loses committee post because of Farmville addiction

Computer security category of risk: human factors?

The Sofia, Bulgaria, news site novinite.com is reporting that a city councilor in Bulgaria’s second largest city of Plovdiv was voted out of a city council committee because he wouldn’t stop playing Farmville during meetings.

The Plovdiv city hall recently got wireless Internet and city councilors got laptop computers. Two weeks ago council chairman Ilko Iliev started to get irritated by council members playing Farmville during budget hearings.

“However, the real scandal erupted during Thursday’s meeting of the City Council when the most persistent Farmville enthusiast, Dimitar Kerin from the nationalist party Ataka, was voted out of the committee he was part of because of his Facebook addiction,” novinite.com reported.

“The proposal to remove Kerin from his respective municipal committee came from Todor Hristov, a former member of Kerin’s party, who has argued that Kerin ‘needs more time for his virtual farm.’”

In his own defense, Kerin pointed out that he had reached only level 40 in Farmville, but a councilor from the Democrats for Strong Bulgaria party (rightist) had made it to level 46.

Novinite.com story here.

Tom Kelchner

Neopets Paintbrush Generators lead to infections

Writing about the Neopets phish yesterday made me wonder if there are other scams out there targeting Neopets users (it wouldn’t be the first time). Sure enough, a quick scout around sites such as YouTube and…

Neopets Fake Generator

Oh dear. A number of files are being promoted on forums and video sharing sites just like the one above (which was uploaded only two days ago), all of which are claiming to be the above “Paintbrush Generator”.

In Neopets, magic paintbrushes are incredibly rare items that can change the colour of your Neopet. These items can sell for absolutely insane amounts of Neopoints (the official ingame currency), and children will happily run a program such as the one above in order to get their hands on said paintbrush.

The problem is that none of these programs is real; all of them contain an infection file designed to target the parent whose PC the child happens to be using. Keyloggers, rootkits and Trojans are the order of the day. As you’ve probably guessed, this isn’t real:

Fake Neopets installer

Let’s assume our victim fires up the program and see how quickly something can go wrong:

Crypted Neopets

An .exe called “Crypted” appearing in the Temp Folder? I think we can safely say things have gone wrong very quickly. Having a look through the file throws up some interesting finds:

Stringsneopts

The above text has appeared in the strings of many infection files, such as this one. Additionally, the code is packed with references to passwords and one or two GUIDs related to passwords too. If you happen to be running VIPRE then you’ll be protected:

VIPRE detects this

Detections are good across the board for this particular infection file (36/42 detection rate on VirusTotal), but I imagine there will be a lot of variations on this over the next week or so until the people making these get bored and move onto something else.

In the meantime, if your children play Neopets you might want to sit them down, show them the screenshot of the “Paintbrush Generator” and advise them that these programs never, ever work and should be avoided at all costs. Additionally, directing them to the Neopets Security Page is probably also a good idea.

Christopher Boyd

Firefox 3.6.2 early edition

Firefox early

The Mozilla Foundation has released version 3.6.2 of its Firefox browser a week early. The group had said the update would be available March 30.

The update fixes a widely reported vulnerability (CVE-2010-1028) that prompted Germany’s CERT to advise Web users to switch to another browser until a fix was made. (Sunbelt blog “Germany’s CERT warns against Firefox use” )

Intevydis researcher Evgeny Legerov had found that the Web Open Font Format (WOFF) decoder in Firefox had an integer overflow in its font decompression mechanism. The flaw involved a memory buffer that was too small to handle a downloadable font. Legerov had found that exploiting the vulnerability could crash a victim’s browser and make it possible to run arbitrary code on the system.

Firefox 2

If you use Firefox, update here.

Security advisories for Firefox 3.6 here.

Tom Kelchner


Using Windows “hosts” file to cut off the help line

Our analyst Eric Kumar found this interesting and malicious little mechanism.

The hosts file on a machine under investigation was modified to redirect the victim’s browser to a well known legitimate site (in this case google.com) whenever he attempted to contact a list of nearly 400 sites. The list was a “Who’s Who” of the anti-malware world – most places where someone with an infected machine would go to get help.

Hosts file3

The altered hosts file he found contained many lines beginning with ‘#’ followed by gibberish. These would be seen as comments by any browser and ignored. Concealed among the commented lines are lines containing the domain name redirections. When the commented lines are stripped, we find all the listed security-related websites being redirected to “209.85.129.99”, which is the IP address for google.com.

Some of the sites were:

209.85.129.99 lexikon.ikarus.at
209.85.129.99 www.virusdoctor.jp
209.85.129.99 www.spybotupdates.com
209.85.129.99 securityresponse.symantec.com
209.85.129.99 www.mcafee.com
209.85.129.99 es.trendmicro-europe.com
209.85.129.99 www.quickheal.co.in
209.85.129.99 www.offensivecomputing.net

Sunbelt URLs figure prominently in the list as well:

209.85.129.99 research.sunbelt-software.com
209.85.129.99 www.sunbeltsoftware.com
209.85.129.99 www.sunbeltsecurity.com
209.85.129.99 www.cwsandbox.org

The “hosts” file is in the \Windows\system32\drivers\etc directory in Win XP, Win7 and Win08 Server – and probably all incarnations of Windows, since browsers are going to look there.
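As an added illustration (not code from the post or from Sunbelt), here is a small Python checker that reads a hosts file the way the resolver does, discards the ‘#’ comment lines that hid the redirections in the sample above, and reports any security-vendor domains that have been pinned to an address, grouped by that address. The vendor keyword list and the embedded sample hosts text are constructed for the example.

```python
"""Find hosts-file entries that pin anti-malware sites to one address."""
import ipaddress
import sys
from collections import defaultdict

# Constructed sample in the style of the altered file described in the post:
# junk '#' comment lines interleaved with real redirections.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
# xk3jd92 aslkdj 0x1f qq
209.85.129.99 www.mcafee.com
#qwe rty uiop zzz
209.85.129.99 securityresponse.symantec.com
209.85.129.99 research.sunbelt-software.com   # trailing comment
::1 localhost
209.85.129.99 www.cwsandbox.org
"""

# Hypothetical keyword list marking a hostname as security/anti-malware related.
# Extend it with the vendors you care about.
SECURITY_KEYWORDS = (
    "virus", "malware", "security", "symantec", "mcafee", "sunbelt",
    "trendmicro", "spybot", "sandbox", "kaspersky", "sophos", "ikarus",
    "quickheal", "offensivecomputing",
)


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Blank lines and anything after '#' are dropped, as the resolver does,
    so the gibberish comment lines used as camouflage disappear here.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; the resolver ignores it too
        for host in parts[1:]:
            entries.append((str(ip), host.lower()))
    return entries


def is_security_domain(host):
    """True if the hostname looks like an anti-malware / vendor site."""
    return any(keyword in host for keyword in SECURITY_KEYWORDS)


def find_hijacked(text):
    """Map each address to the sorted list of security domains pinned to it.

    Any explicit mapping of a vendor site is suspicious: a legitimate hosts
    file does not normally mention them at all, whether the target is a
    third-party address (as in the post) or a loopback sinkhole.
    """
    by_ip = defaultdict(list)
    for ip, host in parse_hosts(text):
        if is_security_domain(host):
            by_ip[ip].append(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


def main(argv):
    # Read a real file if a path is given; otherwise scan the embedded sample.
    # On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    hijacked = find_hijacked(text)
    if not hijacked:
        print("no security-vendor domains pinned in hosts file")
    for ip, hosts in hijacked.items():
        kind = "loopback" if ipaddress.ip_address(ip).is_loopback else "remote"
        print(f"{ip} ({kind}) pins {len(hosts)} security domain(s):")
        for host in hosts:
            print(f"  {host}")


if __name__ == "__main__":
    main(sys.argv)
```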

Hosts file

Nice work Eric.

Thanks for the help Henry.

Tom Kelchner

The Facebook Dislike Button Likes Hotbar

Not so long ago, examples of fake Firefox websites / downloads were in the news with the sites involved serving Hotbar installs.

It seems the tactic of offering up Firefox (but giving you something else entirely) is going to be around for a little while. Below is a site promoting a Firefox .xpi called “The Dislike Button”, designed to let you add an “I dislike this” note to Facebook posts:

Dislikebuttonsite

The domain is dislikes(dot)info. Note the “Get Firefox” button at the top. What do you think happens if you click it?

Hotbar download

That’s right, you’re given the option of downloading a setup file from Hotbar…not exactly the Firefox download you were expecting. Should the end-user install it thinking this will give them Firefox, they’re very much mistaken.

Zangboo21

What they actually get is the option to download Hotbar (and no Firefox), complete with a pre-ticked ShopperReports checkbox. While I can understand having to download Firefox to use a Firefox .xpi, the need for installing the above escapes me.

Additionally, there’s a text link further down the page asking you to “Get Firefox now” which also directs you to the Hotbar install.

Install Firefox now

What’s particularly curious here is that if you visit the “Facebook Fan Page” linked to by the main site, you’ll see the following post:

fan page post

They’re not happy about people forcing surveys on end-users to obtain the Dislike button (fair enough), yet the main site asks you to “get Firefox” but gives you Hotbar.

I think….I dislike this.

Christopher Boyd

Germany’s CERT warns against Firefox use

BürgerCERT, Germany’s government information security organization, is recommending that Web users NOT use the Firefox browser until Mozilla fixes a vulnerability in it March 30. No malicious use has been found yet; however, a researcher posted proof-of-concept code for exploiting the previously unknown vulnerability. A malicious operator could use the vulnerability to run arbitrary code. Mozilla is expected to post Firefox version 3.6.2 to fix the problem.

In January, the governments of France and Germany urged users to stop using Microsoft’s Internet Explorer browser until the company fixed the vulnerability that was blamed, at least in part, for the attacks from China on Google and more than two dozen other companies. (Sunbelt Blog post here.)

Web users who continue to use Firefox have been warned to avoid dodgy web sites that could use the vulnerability to compromise their machines.

BürgerCERT warning here.

Machine translation: “Due to one the Mozilla Foundation confidentially announced security hole recommends the citizen CERT the use of alternative browsers, until the Mozilla Firefox version 3.6.2 is published. The current publication plan of Firefox 3.6.2 sees a supply on Tuesday, 30. March 2010 before.”

Well, you kind of get the picture.

Register news story here.

Tom Kelchner

A Fishy Defacement

Generally speaking, most website defacements I see tend to look the same with political activist Y decrying political activist Z, or leet hax0rs posting up a mile-long shoutout list to their crew.

This one is, er, a little different – a defacement of what appears to have been a site involved in fish logistics and / or preservation, fish2see(dot)dk. I can only imagine the horror on the face of the site admin who woke up this morning to be confronted by this:

Deadfishhack
…oh dear.

The Admin has been notified, but the site is still currently defaced – I wouldn’t advise going there, as the attacker could decide to come back and put something a little more malicious online.

Christopher Boyd

Phishers cast their nets at Neopets Users

If you have children that play Neopets, you might want to warn them about this website or insert it into a blocklist of your choosing. The site is Neopoints(dot)tk, and promises lots of free Neopoints related items, with the help of a cute mascot called “Tuma the Draik”. I think there was a Norwegian prog rock group from the 70s called that, but I could be wrong.

Neopoints1

Of particular note here is the fact the site claims to offer “free magic paintbrushes”. These items are incredibly rare in Neopets land, and an excited child could easily wander into this particular trap as a result.

Neopoints2

You’re no doubt waiting for the sting in the tail – well, here it comes:

Neopoints3

The child is asked to fill in their Account name, Password, Security PIN and Email address before hitting “Done”. I don’t know about you, but I’m going to bet on “total and utter fake”.

The .tk URL currently points to

neopoints(dot)yolasite(dot)com

This will probably change as the free webhost for the phish terminates the account, but I don’t think the .tk URL will start pointing to anything legitimate in the near future so it’s probably one to keep an eye on.

Christopher Boyd

Google’s Pacific submarine cable “Unity” nearly complete

— 7.68 Terabits/s for growing Asian market
— $300 million cost (from consortium of six companies)
— 10,000 km length (Chikura in Japan to Los Angeles)
— Increases capacity across Pacific by 20 percent
— Dense Wavelength Division Multiplexing technology (960Gbps per fibre-optic pair with a maximum of eight fiber pairs)
— construction time: two years

Story here.

Tom Kelchner

20 undocumented holes in OS X?

Charlie Miller, Principal Analyst at Baltimore, Md.-based security firm ISE, has made news in the last two days saying that he found 20 previously unknown security vulnerabilities in Apple’s OS X operating system. News stories seem to anticipate that he will reveal them at the CanSecWest conference next week in his talk “Babysitting an Army of Monkeys: An Analysis of Fuzzing 4 Products with 5 Lines of Python.”

However, Miller tweeted: “To be clear, I’m not revealing 20 apple bugs at #cansec, I’m revealing how I found 20 apple bugs.”

According to reports, Miller found the vulnerabilities by flooding operating system and application inputs with massive amounts of corrupted data — a process called fuzzing.

Apple has said they are not aware of the vulnerabilities.

Story from Heise Security here.

It seems to be a good discussion of what Miller is up to.

It’s just plain weird how stories of potential OS X weaknesses make some people foam at the mouth, so, it’s a little difficult to find any discussion of OS X security without a load of “does too – does not” prose. Heise is staying neutral and we’re going to try to stay that way too.

Tom Kelchner

Phishing increased 62 percent in ’09

The DarkReading site is carrying a story about brand-protection firm MarkMonitor’s finding that phishing increased 62 percent in 2009 with 565,502 attacks in the year. MarkMonitor is based in San Francisco.

Other conclusions in MarkMonitor’s 2009 BrandJacking Index report:

— The huge increase can probably be attributed to the use of botnets and the large amount of personal information that can be scraped from social network sources.
— 2009 saw the all-time high average of 600 phishing attacks per organization.
— Only 33 percent of victims were first-time targets.
— Social networks suffered 11,240 attacks – two percent of the year’s total.
— The U.S. hosted 44.7 percent of phishing attacks, up from 36.5 in 2008.

DarkReading story here.

Tom Kelchner

Faking a fake

We’re all familiar with Rogue Antivirus products – but it seems script kiddies on numerous sites out there are starting to crank out their own phony security programs, many of which are confusingly based on the designs of – if you’ll pardon the expression – “genuine” fake AV programs.

Shall we take a look at their handiwork?

Skidav1

Note the shields, the yellow warning triangles, the fake scan results – these guys have clearly seen a lot of fake AV out in the wild! Unfortunately for the creator, it’s a little too OTT and might give the end-user pause for thought if they had to physically click something before becoming infected.

This next one (designed to be entirely harmless, instead asking the user to voluntarily download a malicious file from a URL) almost gets away with being convincing, but ruins it all by including what appears to be a poorly ripped Rapidshare download button:

Skidav2

Running with the idea that a huge green shield with a tick on it is always a good thing to throw into your design, “Eternity Virus Killer” takes the approach that you’re going to be infected the moment you run the file, so adding in lots of fake warnings, flashing lights and useless slider bars is a complete waste of time.

Skidav3a

My last example of a program imitating a genuine fake AV (“Genuine fake AV”. I think I have a new favourite phrase) is something that would actually pass for the real deal. Check it out:

Skidav4

For starters, whoever created this has called it “SecureME 2010” which is clearly playing on the good name of a real program called SecureMe used for mobile phone data theft protection. It’s not overloaded like the French app, and not shattering illusions like the other program did with the ludicrous Rapidshare image rip either.

Furthermore, it really looks the part. The creator obviously spent some time looking at rogues – here’s a REAL rogue AV program called “User Protection”:

Userprotection

Can you spot the difference? Much as I hate to admit it, that’s a really well done piece of design work.

Of course, ultimately this is all academic as the end-user probably doesn’t care too much if the file on their PC came from:

a) A shady set of individuals dropping fake antivirus onto their PC with the intention of having them sign away their credit card details or
b) Some script kiddy playing with his “My first Visual Basic” kit.

However, it’s interesting to see how people on forums, sick of making endless “Free XBox Generator points” programs, are now moving into emulating the kinds of Rogue Antispyware that have been around for years. Will having two entirely different and unrelated kinds of fake AV confuse security companies with regard to dividing these programs up into their respective families? No idea, but it could lead to some unexpected situations. Having said that, nobody in their right mind will hopefully be downloading programs such as the above when the fake box design ends up looking like this:

Skidav5

Whoops. Something tells me I could be wrong, however…

Paper Ghost

Can spam get worse?

Or is it at the saturation point?

The SANS Institute (acronym = SysAdmin, Audit, Network, Security) web site carried a blog piece that gives a good snapshot of the horrible ongoing plague of spam email that IT folks all over the globe must deal with. The writer, Deborah Hale, said the ISP in the Midwest where she works received almost 20 million pieces of email for more than 9,000 accounts since the beginning of March. Only 713,222 (3.6 percent) were NOT spam.

The comments that follow her blog piece also give other readers’ on-the-ground experiences with spam filtering.

SANS is a “cooperative research and education organization” which has been around since 1989. It’s a great resource.

Deborah Hale blog piece here.

The European Network and Information Security Agency (ENISA) 2009 spam survey (published in January) found 95 percent of traffic was spam and the situation hadn’t changed much in the year.

Message Labs has estimated that the top 10 botnets are responsible for over 90 percent of spam.

Tom Kelchner

A malware booty call

We hear so much about stealth tactics, data theft and covert ops where malware is concerned these days that we often forget about the time when it was more about how many popup windows the attacker could throw onto the screen along with a couple of dancing monkeys and a spangly toolbar.

Here, then, is something a little retro that takes a form of infection more known for stealth (parite) and turns it into an overt rip roaring rampage of revenge, but mostly broken computers.

Promoted as a music player based around popular cartoon Aqua Teen Hunger Force, the following file (Win32.booty.exe) should be avoided at all costs:

Aqtnbooty1

Shortly after running the executable, hidden files and folders start to scatter themselves liberally across the PC in both the System32 Folder and the Temp Directory – in this case, 10.tmp containing a file called but!.exe, thrown together with the aid of what was probably the HotFusion file binder:

Aqtnbooty2

From there, another folder then appears (called 12.tmp) which contains the main payload files:

Worm.exe, Zombie.bat and chimes.wav.

Aqtnbooty3

So far, this is reasonably similar to a regular Parite infection (two folders in the temp directory, the promise of wormy action to come) but at this point we start to move away from the notion of Parite stealth to…well….take a look for yourselves.

Let’s check out Zombie.bat:

Aqtnbooty4

As you can see, the commands tell Worm.exe to spring into action and the .wav file (“Chimes”) starts to play.

What happens now?

Well, we prepared a little video demonstration for you (there’s sound, so you might want to put on some headphones):

http://sunbeltblog.eckelberry.com/wp-content/ihs/alex/paritebooty/

….yes, it made no sense to us either. The Task Bar vanishes and the victim loses the ability to open up Task Manager to kill the rogue processes. Any programs opened up once the infection takes hold will generally auto close seconds after opening.

Meanwhile, a file called BoOtY_Call starts spreading itself into every folder it can find, with the intention of jamming up the machine until it collapses in a crying, blubbering heap – with a song blasting out the joys of “booty” through your speakers, naturally.

Aqtnbooty5

If the victim manages to open up a folder and go on a deletion rampage, it doesn’t matter…BoOtY_Call keeps respawning and eventually triumphs in a blaze of malware glory.

This is pretty malicious stuff and throwing in a song about loving booty while a similarly named file proceeds to drive a wrecking ball through your hard drive is a surreal and comical contrast to the otherwise ruthless beating the PC is taking.

Given my earlier ramble, you may not be surprised to find we detect this as a variant of Parite (an infection that traditionally tries to infect EXEs and SCR files on PCs in a very quiet fashion, losing you hard drive space in the process), which is an interesting twist given how, er, loud this is. Probably not what the creators of Parite had in mind when they came up with it, but hey – that’s evolution, baby.

Sort of…

Chris Boyd

iRogue?

Are Mac OS X rogues an emerging threat?

For many years discussions of the potential for malware on Macs have ended with the conclusion: “there isn’t much yet, but as soon as Mac gets a big market share the dark side is going to start writing the code.” There are indications that the bad guys are working on it.

There have been some blog posts suggesting that the dark side is working hard to create a Mac OS X compatible rogue. SCMagazine is carrying a piece quoting a spokesman for researchers at Intego. Apparently Intego researchers got proof-of-concept code for an OS X rogue from underground sources and determined that it didn’t quite work. However, they concluded that some sophisticated coding was going on:

SCMagazine wrote: “The PoC was actually created with code that was provided by Apple as part of its developer software, (Peter) James (of Intego) said. Apple includes an API in its developer technology that can be used to create a tool called a “kiosk,” which locks a user into an application or disables certain operating system functionality. The PoC does not encrypt files, but launches an application that implements the kiosk tool and locks the user’s computer.”

Rogue anti-malware products — and VIPRE has 1965 detections for them — are one of the fastest growing types of malware out there and are huge money makers for the nasty folks behind them.

So, Mac users, be careful what you click on and if you get a pop-up window screaming that your machine is “infected” and offering to sell you a virus protection product to take care of the problem – you know the “day” has arrived.

“Ransomware not considered threat for Mac OS X”

Dancho Danchev on ZDNet: “Mac OS X SMS ransomware – hype or real threat?”

“Mac OS X Ransomware”

Tom Kelchner

Update, 3:10 p.m.:

Such a coincidence – Caris & Company, analyst Robert Cihra: “But believe it or not, we estimate Apple’s iMac accounting for a full one fourth of ALL desktop market growth in calendar year 2010.”

Apple Insider piece: “Apple’s iMac to account for 25% of global desktop growth in 2010”

Twitter launches shortening service

Twt_tl

Del Harvey, Director of Twitter’s Trust and Safety team, announced on Twitter’s blog that the micro-blogging service has begun using its own shortening service to stop malicious operators from sending tweets with links to their dodgy sites disguised through shortening.

He wrote: “By routing all links submitted to Twitter through this new service, we can detect, intercept, and prevent the spread of bad links across all of Twitter. Even if a bad link is already sent out in an email notification and somebody clicks on it, we’ll be able to keep that user safe.”

Twitter “Trust and Safety” blog piece here.

The problem with shortened links has been that the tweet-ee can’t really see from the shortened URL what exactly he is clicking on. The LongURL site http://longurl.org/ provides a service to expand shortened URLs so tweet-ees can see if their tweet-er has sent a link to http://www.mAlIcIoUs.PhIsHiNg.DoWnLoAd.Site.com and not the Pottery Barn.

The site bit.ly, which Twitter had been using, was one of the most popular shortening sites last year. The creators thought the name would be cool, which is why they registered the domain in Libya in order to get the “.ly” country domain. It has been pointed out that there is a risk in that (in addition to a huge negative public relations exposure) since Libya has Internet law in place that prohibits traffic related to sex, gambling, the lottery industry or anything insulting to Islam. If Libya suddenly decided to filter traffic, that could be a huge headache.

Story here.

Choosing a domain registered in East Timor (.tl) seems a bit safer, but, what’s with the AK-47 on the country’s coat of arms?

East_Timor

Tom Kelchner