Malware removal alliance begins organizing effort

We just got an email from Dave Mook who is part of an effort to organize the Alliance of Qualified Malware Removal Boards (AQMRB).

Alliance membership will be free. Members will be reviewed every six months.

Boards in the alliance will have the right to display an official AQMRB badge:

Aqmrb_member

Groups seeking membership must:

– Have been in existence for at least two years.
– Have an acceptable use policy and/or terms of use agreement.
– Be on a paid hosting account.
– Have a fully equipped, dedicated malware removal help and support section readable by all users and guests.
– Have malware removal staff who are trained by or have graduated from an acknowledged malware removal school or university.
– Offer malware removal help free of charge for non-commercial users.
– Provide assistance to customers within 24 hours of their post for help.
– Display no web links to illegal or copyright-protected software.
– Host no ads which will lead to malicious content.
– Not serve pop-ups or pop-under ads.
– Fill out an application and include a complete list of malware removal staff, including a list of the schools or universities where the staff received training.

Requests for alliance membership may be directed to the secretary of the alliance here: applications <at> aqmrb <dot> com.

Tom Kelchner

Imageshack spam leads to Zbot infection

Over the weekend, spam started appearing in mailboxes that claimed to be an Imageshack registration notification.

fake imageshack mail

That’s great, but I hadn’t registered – and certainly not with that username / password combination. A quick Google for the Forsight domain (pre-compromise) reveals it to be an art gallery, so it is unfortunate that, either by accident or design, the bottom of the spam mail says the following:

spam mail

Visiting the link in the mail would bring end-users to the following fake “install to continue” message:

please update...

Installing the file would land the unsuspecting victim with a Zbot infection, not the best way to spend your weekend. Detections for this particular file are good (39/42 on VirusTotal) – the site owners have apparently removed the executable, but there’s still some iframe activity taking place so it’s probably best to avoid the URL for the time being.

One final thing to note – the “Please update your flash player” graphic the attackers are using? They’re serving up an image from the Coca Cola website.

update your player image

The text in the box seems to match the overall stylings of the Coca Cola website – it’s unlikely they’ve been compromised and had this graphic placed there, but we’ve reached out for clarification anyway and will update should we hear anything back.

We detect this file as Trojan.Win32.Generic!BT. While coverage is good for that particular file across most AV products, there’s a good chance we’ll see updated “Imageshack” mails going out with fresh links, files and exploits so please: if you don’t remember signing up to something, don’t let curiosity get the better of you and simply delete the email.

Christopher Boyd

Some tragic news

(Picture credit – AP)

Readers of this blog may recall Julie Amero, the substitute teacher who narrowly escaped four felony charges.

Now, things have certainly taken a turn for the worse. Her husband, Wes (pictured above), has been diagnosed with terminal lung cancer. Wes is a really good man — one of the many quiet, caring men that shoulder the burdens of this world with stoic and sometimes tragic courage. He has stood by Julie through thick and thin and it’s just horrible to see this happening.

A recent benefit netted some cash, which is helpful. But it’s cancer, and it’s pretty devastating on the finances…

He recently sent me this email and gave me permission to post it:
I wish I could be sending this e-mail on a cheerier subject, but that isn’t the case. It’s always harder to tell bad news to the ones you love the most. As you have heard, I have terminal cancer with an original life expectancy of about one more week (at best). But following true to course, I never listen to anyone or anything when it comes to something that I don’t want to hear. I’ve never backed down from a good fight in my life and I’m not about to start now. I am going to beat this horrible disease.

I’m feeling like I’ve been run over by a bus, but hey, even some of them survive. The doctors and some good friends are making me comfortable with lots of drugs, but sometimes I feel like Alice in Wonderland, you know the song – (one pill makes you larger and one makes you small, but the ones that mother gives you don’t do anything at all). I’m down to fighting weight now (195 lbs), I’ve lost almost 50 lbs and everyone says I look good, and I figure that they are saying that in the context for a guy that’s supposed to be dead now. Their words of encouragement help me through some of the really tough times because I need to stay alive for Julie, I don’t think she will last long when I’m gone even though she seems to listen to me when I tell her that she must continue to live on in the aftermath of my death. She is handling this like a trooper, but there is only so much she can handle. She can never work again, and we are in the final stage of appealing her social security case, but that will only go so far when and if she gets it. Her spirits are middling and the benefit that Herb is putting on will help ease her mind about being left behind with a ton of hospital and doctor bills.
I haven’t posted a new blog or opened up a new PayPal account, they just have not been on the top of my list of things that HAVE to be done. Herb has worked very hard on putting this benefit together and I might add ALL on his own. The money he will raise will most certainly help out with the bills, but I doubt very much that a meal at $10.00 dollars a head will generate the kind of funds that are needed to settle these hospital and doctor bills. I talked with him last night and again this morning. He said that you are doing something on your end, but that you needed a PayPal account and a blog. The only PayPal account we have is Julie’s, and there is still an icon on her blog page about half way down that works. The link is below, and any and all contributions would be graciously accepted and appreciated, and after all, the money will be spent to keep her solvent and not end up having to sell the house just to pay off my bills. I have saved enough money to pay off the house when I die, but I didn’t see this cancer thing coming.

Alex, I feel terrible about having to ask for money. I wasn’t raised that way, but I wasn’t raised to think about dying of cancer either. So if you have contacts that are still willing to contribute to Julie, please do what you can to help her out (again).
If you can contribute, please do. The original PayPal account for Julie’s defense fund is still active, and donations can be made here.

Alex Eckelberry

OMG Facebook spam becoming a genre

July 16 we blogged about Facebook spam that offers some amazing photo or video but instead lures you into some goofy “survey” that is aimed at collecting your cell phone number. Bottom line is a $9.99 charge on your phone bill for something you didn’t want. (Sunbelt blog piece: “OMG OMG don’t fall for Facebook spam” here.)

And, of course, every time someone falls for one of these and “likes” it, he posts it to Facebook, so the spam spreads:

OMG_2

Simple rule for Facebook: if your friend’s wall posting contains “OMG” and a URL, avoid it. If it wants you to “like” it, REALLY avoid it.

“OMG” Facebook spam has become a new genre.

Today’s load:

[Seven screenshots of “OMG” wall posts: OMG_2, OMG_4, OMG_5, OMG_7, OMG_8, OMG_9, OMG_10]

Tom Kelchner

Dell replacement server motherboards found with malicious code

Boards on new PowerEdge equipment and non-Windows systems not affected.

According to a note on Dell’s company support forum, a small number of PowerEdge R410 replacement motherboards have been found infected with spyware. The company is notifying customers who have purchased the equipment.

http://en.community.dell.com/support-forums/servers/f/956/t/19339458.aspx

Someone from the company posting under the name “Matt M” wrote in response to a question on the board: “As part of Dell’s quality process, we have identified a potential issue with our service mother board stock, like the one you received for your PowerEdge R410, and are taking preventative action with our customers accordingly.  The potential issue involves a small number of PowerEdge server motherboards sent out through service dispatches that may contain malware.  This malware code has been detected on the embedded server management firmware as you indicated.”

“To date we have received no customer reports related to data security. Systems running non-Windows operating systems are not vulnerable to this malware and this issue is not present on motherboards shipped new with PowerEdge systems.”

The company describes its Dell PowerEdge R410 as “a powerful and ultra-dense 2-socket 1U server that offers the performance of Intel Xeon processor 5500 and 5600 series, DDR3 memory, the availability of up to four hard drives (3.5” or 2.5”)…”

Tom Kelchner

Boring theoretical anarchist hacks Facebook

Use a strong FB password or “Laughing Man” will post drivel on your wall.

Someone (or some hacker group) has discovered the joy of posting material on the Facebook accounts of people who apparently use weak passwords.

Laughing man2

A search on Facebook for the string “This is a video that’s been appearing on hacked Facebook profiles” shows a load of accounts carrying it. Some Facebook users also appear to be voluntarily posting the link to the YouTube video as well.

The video features a man’s torso with face overlaid with various still photos. The sound track is a droning lecture about the evils of authority. The eight-minute video concludes with a scroll of meandering quotes from Immanuel Kant and the 19th century French anti-statist writer Frederic Bastiat. There’s also an audio conclusion that’s a bit less than a call to action: “I can’t tell you what to do.”

A manifesto it ain’t.

Thanks Wendy.

Tom Kelchner

Zbot/Zeus botnets aren’t going away

Sunbelt malware specialist Adam Thomas located a server being used as a drop for a Zbot/Zeus botnet. It contained over a gigabyte of text files of stolen information.

Yes, it is just another Zeus botnet and a relatively small one by comparison – 5,100 unique infected hosts – but the list of affected organizations is a bit disconcerting.

Zbot_screen2

(1.1 gigabytes of recovered data in text format)

Most of the infected hosts appeared to be home users, he said, but there were a large number of infected hosts inside of state and federal government agencies; Fortune 500 and 100 companies; drug companies and even banks.

He said: “It has been almost four years since Zbot/Zeus reared its ugly head and unfortunately it is still going strong, holding a high position on our top-10 detected threats list – http://sunbeltsecurity.com/.

“Back in the early days, the bad guys were sloppy with their server configurations and security researchers were able to find and recover the data that had been pilfered by Zbot trojans. The criminals eventually caught on and actually began taking measures to protect the data that they were stealing.

“Every once in a while, however, we stumble on server misconfigurations where the miscreant has (apparently) accidentally allowed access to the collected stolen data. During the past few days, our research team has been monitoring just that.

“Of course, we’ve alerted law enforcement and are working to notify those who have been affected,” he said.

In November, police in England arrested a couple in Manchester in connection with a Zbot network. Zbot enables malicious operators to steal data, including bank passwords, credit card data, personal information and social networking site logins.

Sunbelt’s detection name for this trojan is “Trojan-Spy.Win32.Zbot.gen.” In June it was the second most common detection in the Sunbelt ThreatNet system. ThreatNet consists of tens of thousands of VIPRE and CounterSpy users who have banded together to form an early warning system when a new malware outbreak is noticed.

The trojan isn’t hard to detect and Sunbelt Software offers a free removal tool here.
http://go.sunbeltsoftware.com/?linkid=1211

Thanks Adam.

Tom Kelchner

Toy Story 3: Woody’s Roundup of Scams and Fakeouts

Toy Story 3 is romping across cinemas worldwide, and rightly so – it’s the best of the series by far. I thought it might be worth pointing out that being a product aimed at children doesn’t exclude it from internet shenanigans.

If you have young children online who are partial to searching for Toy Story material, you might want to warn them about some of the below scams. One of the most popular tactics is advertising the “full movie” on Youtube, but directing the end-user to a bunch of surveys instead:

toy story

Toy Story

Toy Story

Most of the surveys we see tend to ask a lot of questions that reveal plenty of information about the individual filling them in, and you probably don’t want your kids giving some random third party lots of information about Dad or whatever.

The Toy Story 3 game is also a juicy target for these scams:

Toy Story game

I’m almost certain your child does not want to dine with Gordon Ramsay at Claridges, but what do I know.

Many of the sites promoting these online versions of the film seem to use advertising networks that are a little more adult than most. Let’s break it down:

1) Child goes looking for Toy Story 3.
2) Child finds site promoting Toy Story 3.
3) Child finds their eyeballs melting into the ground and people yell “Think of the children” while all of this pops up:

Toy Story advert fail

Toy Story movie sites popups

The above funfest all launched from the same site – wegotbest(dot)com – with popups contained inside the Flash player, gambling adverts popping out of the website itself and eventually throwing up a survey after the site had been inactive for ten minutes.

Amazingly, the survey didn’t contain any nudity. So there’s that.

We’ll round things off with websites asking you to install programs. Thankfully it seems the scammers out there aren’t pimping infectious “Buzz Lightyear.exe” files just yet, but they’ll still try and make some installation affiliate cash regardless.

This site is another one offering up the Toy Story 3 game:

Toy Story 3 game

What’s the gag here? Well, hit the download link and you end up with the below folder on your PC:

Toy Story files

That’s right – you have to install a toolbar from their frontpage, and after installation a magical message will appear and the fifth word will be the password to open up the zipfiles.

In practice, all I got was the below translation software and not a magic password in sight.

Toy Story install toolbar

Don’t you just hate it when that happens?

Anyway, those appear to be the most common scams where Toy Story 3 is concerned right now. Sites asking to install programs in return for the Toy Story game or movie should be avoided, along with any promises that sound too good to be true on Youtube. Ensure your children stick to those rules and your PC, personal information and sanity will hopefully remain intact.

Christopher Boyd

Comment (libel) spam

Cio-Cio San (Madama Butterfly) getting back at Pinkerton?

Someone using the handle “strelaoz” (do a web search for it), claiming to be an ex-lover, has been leaving comment spam on hundreds of web sites “exposing” details of a romantic relationship with, and jilting by, an exec at Symantec. The comments usually accompany news pieces about the company.

While comment spam is usually a nuisance, this defamation campaign takes the art form to a higher level than one usually sees. It is possible that the details are fiction and the campaign is simply an attempt to damage the executive named in the posts (Freer) and/or Symantec. It represents an Internet threat that could be very difficult to defend against.

In one post there also seems to be a Chinese connection: there are Chinese characters in the text:

Butterfly

If one reads the details, the back story appears to be vaguely similar to the plot of the Puccini opera “Madama Butterfly” (well, ok, it isn’t Japan and there’s no baby.)

Update: July 20:

Whoever is behind this appears to be using a Yahoo account under the name of Jennifer Yin:

http://pulse.yahoo.com/_J4EQHO7G3XRGON4P3Q33FVCJ2Q

Nice work Mike.

Tom Kelchner

OMG! OMG! DON’T FALL FOR FACEBOOK SPAM!!

It can cost you $9.99 per month on your phone bill

There seems to be an increasing amount of Facebook spam that spreads by social engineering, which is tough to stop since it’s Facebook users themselves who are being tricked into “liking” the site (and, if they follow the instructions, reposting the spam to five friends).

We’ve found a lot of them. This one’s typical. The whole point of the exercise is to trick you into giving away your phone number so it can be billed something like $9.99 per month, and to send five of your friends to the same site to do the same. Oh, and to show all your Facebook friends that you “like” a spam site.

First you get a message from a friend that looks something like this:

Facebook Spam_1

The link takes you here:

Facebook Spam_2

Note that somebody got paid (per click) for sucking in over 16,000 people on this one.

The gig is that you’re supposed to “like” this then share the text they give you.

Facebook Spam_3

After you fall for that you “click here” to see who viewed your profile.

Facebook Spam_4

Then the “verification” launches you into one of those endless surveys (you get a choice of six) the point of which is to collect your cell phone number so you can be billed $9.99 per month.

Facebook Spam_8

And, if you’re running Firefox’s Adblock add-on to protect you from such crap, these folks will even help you disable it!!

Facebook Spam_7

And after all that, here is your prize. Everybody seems to get the same one:

Facebook Spam_6

Thanks Wendy and Matthew.

Tom Kelchner

View private Twitter accounts? Not exactly…

There’s a website called “Tweet Unlock” located at tweetunlock(dot)com, which claims to be able to show you hidden content on Twitter. All you have to do is enter the Username of the target account and hit the button.

Twitunlock

Of course, it doesn’t work – and they want you to sign up to auto insurance quotes and a random offer served up by “Step 2”. Regardless of what you type into the box, you’ll be taken to a page not found message:

404

If you have a private Twitter account, don’t panic – complete strangers won’t be digging through your messages for the time being.

Christopher Boyd

Fake hacking programs jump on the survey bandwagon

Regular readers of this blog will be familiar with those wonderful CPA Lead popups, which typically hide content until you fill in a survey. Well, here we have an interesting development in fake hacking program land. Shall we take a look?

fake programs website

Above, you can see a huge dumping ground of files, directories and executables. It’s a bit of a maze, but generally speaking anything listed as a .htm page will contain an embedded Youtube video and an attempted download of an executable related to the Youtube content (in this case, “credit card generators”) from bestlinkfree(dot)com.

youtube vid

All of the Youtube videos appear to come from one account that currently has 141 hacking programs advertised:

fakes galore

Let’s fire up one of the many programs on offer and see what they do.

fake twitter hack

This one claims to be able to hack any Twitter account. As you fire it up, a browser window opens up telling you to “connect to your victim account from here”. Enter a Twitter name into the box of the main application, hit the “Crack pass and email” button and your traffic will suddenly look like this:

traffic

popups here we come

Fake hacking programs that pop a CPA Lead survey for you to fill in before the “hack” completes? Oh my.

All of these programs do exactly the same thing – reach the halfway point of a non-existent hack, then pop a survey or tell you to do one to get your hands on a database:

fill this in, please

I’d imagine building these survey popups into the fake applications would fool quite a few people.

fake visa creator

visa app popups

Of course, it’s a touch surreal if anyone actually believes a “VISA card software verification” requires you to fill in a survey but stranger things have happened.

In total, we collected fifteen of these files and they claim to hack everything from Twitter and Myspace to Facebook and online poker games:

exes galore

It’s a huge scam, so of course we detect them all – however, things are a little lonely in detections land right now. VirusTotal is a little overloaded this morning, but currently the highest detection rate I can find is 3/42 for one of the Myspace programs. Hopefully those numbers will continue to rise – for now, it’s best to avoid all of the above files.

Christopher Boyd

I-DOSING: KIDS ARE GETTING HIGH ON MUSIC!!!

Psychology Today: “… money-grabbing pseudoscience.”

Parts of this country seriously need more science education.

There are stories running today about “I-dosing” — kids inducing a state of ecstasy by listening to special MP3s.

The sources for the story include the Oklahoma Bureau of Narcotics and Dangerous Drugs, News 9 and the Mustang Public School District, the last two attributed variously to Kansas or Oklahoma (some people are just scraping news stories and aren’t checking sources).

Wired is carrying the story “Report: Teens Using Digital Drugs to Get High”

To their credit, they categorize it as “ridiculous.”

Idosing

The Psychology Today blog “You 2.0” by Ron Doy has some interesting insight:

“But really, Idozer (or I-doser as it is also known) is an extremely old drug in a new package. And breathe easy my fellow parents—because it’s not really a drug—it’s binaural beat therapy.

“In 1839, Heinrich Wilhelm Dove discovered that two constant tones, played at slightly different frequencies in each ear, cause the listener to perceive the sound of a fast-paced beat. Calling this phenomenon ‘binaural beats,’ Dove helped launch two centuries of legitimate research and, as is almost always followed by exciting empirical study, money-grabbing pseudoscience.

“First, the facts: Binaural beat therapy has been used in clinical settings to research hearing and sleep cycles, to induce various brain wave states, and treat anxiety.

“But there are more controversial (dare I say dubious?) claims associated with binaural beats: Increased dopamine and beta-endorphin production, faster learning rates, improved sleep cycles, and yes, if you dig around less scientific communities like, oh, MySpace, you’ll find kids telling each other that ‘dude, those beats get you like totally high.’”

Blog here.

And some reports from ACTUAL USERS!!!

“Well. I certainly wouldn’t call my self “high” at the moment, but it certainly does something to say the least. Maybe the onset of a migraine.. fun. Oh, and now my hearing is all f****ed.”

— “Largely a droning noise”

Vuvuzela

— “searched for gates of hades n youtube…turned it off after about 5 seconds.”

— “Yah. It feels kind of like I took a hit off of a roach that had been sitting in someone’s ashtray for a half a year. Not high, just kind of sick and headachey. Lame.”

— “ya, I tried it to. Kind of disorienting hearing 2 different things going on in either ear, and when it got intense enough did distort my vision, but…I definitely wouldn’t call it ‘high’ :”

Thanks Wendy (God! Where do you find this stuff!)

Tom Kelchner

Panic on Facebook: AVG HTML/Framer false positive

You CAN go to South Africa in Mafia Wars

A notice of a possible infection in Zynga’s Mafia Wars game on Facebook, which is really a false positive in AVG’s AV scanner, has not only raised concern, it’s gone viral:

AVG iframe FP

http://www.areapal.com/social/news/United%20States/html%20framer%20virus

AVG’s answer:

ondraploteny wrote
Hi,

This looks like I have noted:
Please keep in mind that this false positive detection HTML/Framer is currently related only with mentioned files (
www.google.com/recaptcha/api/js/recaptcha_ajax.js, BrowserCompAp.js), there still exists other websites (files), which really contain this type of infection.

Thank you
***************AVG Team

http://forums.avg.com/us-en/avg-free-forum?sec=thread&act=show&id=98485#post_98485

Thanks Wendy

Tom Kelchner

FLVDirect affiliates hacking government servers

We’re not in Kansas anymore, Toto

An affiliate (or affiliates) of FLVDirect has apparently hijacked a domain name server and appropriated the name of a Kansas municipal government web site to redirect to the FLVDirect page.

And it is not just Kansas. There are several others, including:

tubes-1111.yanceycountync.gov/1136.html
tubes-0611.uppersiouxcommunity-nsn.gov/1244.html
tubes-0511.woodfin-nc.gov/163.html
tubes-1011.dumontnj.gov/898.html

It also appears as though they, or someone else, have appropriated names of .gov sites to redirect to an adult dating site, XXXBlackBook.com.

Our first example is emporia-kansas.gov:

Gov_zoo_porn_6_Yahoo results

It redirects to the notorious FLVDirect adware site. VIPRE detects FLVDirect as Win32.FLVDirectPlayer.

Gov_zoo_porn_4_flvdirect

Gov_zoo_porn_7_xxxblackbox

It looks like their DNS has been hijacked and those subdomains point to servers that are not under their control:

PING tubes-1911.emporia-kansas.gov (66.49.238.80)

whois 66.49.238.80

OrgName: Canaca-com Inc.
OrgID: CANAC
Address: 1650 Dundas St East Unit 203
City: Mississauga
StateProv: ON
PostalCode: L4X-2Z3
Country: CA
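A check for this kind of hijack, as an added example that is not code from the original post: given the A records gathered for an organization’s hostnames and the netblocks the organization actually uses, flag any name that resolves outside those netblocks or that carries the tubes-NNNN label seen above, then group the flagged names by the address they land on so a shared attacker server stands out. The only real data point is the tubes-1911.emporia-kansas.gov / 66.49.238.80 pair quoted in the post; every other hostname-to-address pairing and all the “expected” netblocks are constructed for the example.

```python
import ipaddress
import re

# Constructed sample input. The emporia-kansas.gov hostname and its 66.49.238.80
# address are the pair quoted in the post; every other pairing here is made up.
OBSERVED_A_RECORDS = {
    "www.emporia-kansas.gov": "198.51.100.10",
    "tubes-1911.emporia-kansas.gov": "66.49.238.80",
    "www.yanceycountync.gov": "203.0.113.20",
    "tubes-1111.yanceycountync.gov": "66.49.238.80",
    "mail.dumontnj.gov": "192.0.2.25",
    "tubes-1011.dumontnj.gov": "66.49.238.90",
    "intranet.dumontnj.gov": "10.0.5.5",
}

# Address space each zone's owner is known to use (constructed for the example;
# in practice this comes from the organization's IP inventory or registry data).
EXPECTED_NETBLOCKS = {
    "emporia-kansas.gov": ["198.51.100.0/24"],
    "yanceycountync.gov": ["203.0.113.0/24"],
    "dumontnj.gov": ["192.0.2.0/24", "10.0.0.0/8"],
}

# Leftmost-label pattern seen on the hijacked names: "tubes-" plus four digits.
ROGUE_LABEL = re.compile(r"^tubes-\d{4}$")


def zone_for(hostname, zones):
    """Return the longest known zone that hostname sits under, or None."""
    best = None
    for zone in zones:
        if hostname == zone or hostname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def audit_records(records, expected, rogue_label=ROGUE_LABEL):
    """Flag hostnames whose A record falls outside the zone owner's netblocks
    or whose leftmost label matches the rogue pattern.

    Returns {hostname: [reason, ...]} containing only the flagged hosts.
    """
    findings = {}
    for host, ip in records.items():
        zone = zone_for(host, expected)
        if zone is None:
            continue  # not a zone we have an inventory for
        addr = ipaddress.ip_address(ip)
        reasons = []
        if not any(addr in ipaddress.ip_network(block) for block in expected[zone]):
            reasons.append(f"resolves to {ip}, outside the netblocks listed for {zone}")
        label = host[: -(len(zone) + 1)] if host != zone else ""
        if rogue_label.match(label):
            reasons.append(f"label {label!r} matches the tubes-NNNN pattern")
        if reasons:
            findings[host] = reasons
    return findings


def landing_hosts(records, findings):
    """Group flagged hostnames by the address they resolve to, so one attacker
    server serving several hijacked zones shows up as a single entry."""
    by_ip = {}
    for host in findings:
        by_ip.setdefault(records[host], []).append(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


if __name__ == "__main__":
    found = audit_records(OBSERVED_A_RECORDS, EXPECTED_NETBLOCKS)
    for host, reasons in sorted(found.items()):
        print(host)
        for reason in reasons:
            print("   -", reason)
    print("\nShared landing addresses:")
    for ip, hosts in sorted(landing_hosts(OBSERVED_A_RECORDS, found).items()):
        print(f"  {ip}: {', '.join(hosts)}")
```

The netblock test is the one that matters: the tubes-NNNN label is only a fingerprint of this particular campaign, whereas a name in your zone resolving to space you do not own is the general symptom of a hijacked or stale record, whoever is behind it.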

We found a number of other similar sites with .gov domains out there as well, all leading to XXXBlackBook.com or FLVDirect.com.

Gov_zoo_porn

Adam Thomas and Tom Kelchner