Firefox 4 with AV updates? Yep, that’ll cost you

Here’s a curious one to start the week with a bang, or at least a flurry of SMS messages.

There are a number of websites currently doing the rounds promising the latest versions of web browsers in return for payment via SMS.

fastupp(dot)info, ffup(dot)ru and operaupdates(dot)info are some of the most notable ones that have been pinging around chatrooms, security lists and PhishTank (although they aren’t actually phish pages, but never mind).

Typically the sites give you a choice of “browser update” (or, in one case, Flash Player):

(Screenshot: Choose your browser)

Regardless of selection, you’re taken to a page asking for an SMS in return for your update of choice.

(Screenshot: Money time please)

The SMS costs around 170 rubles, which would be about £3.50 / $5.60. “Why would someone bother paying SMS fees for updates to software which should come for free?”, I hear you cry.

Suffice it to say, I have no idea either. But I guess it works, because otherwise they wouldn’t bother putting these sites together. The ffup(dot)ru site is particularly interesting, because it claims to offer numerous versions of Firefox 4, including one with an “AV update”.

(Screenshot: FF4 with AV)

Here comes a (quite possibly terrible) translation:

The new browser version will reliably protect your computer from various Internet threats and make your job more secure, thanks to a new plugin that will block unwanted pop-up ads.

FireFox 4 Build 7 + Antivirus Update (Recommended upgrade)

Well, as long as it’s recommended.

At this point I was shown a fake scan, and for a moment thought a rogue AV download was coming next.

(Screenshot: fake scan)

When the scan finished, however, I was presented with an SMS payment box.

(Screenshot: show me the money)

If you want the Firefox 4 beta, grab it from Mozilla for free. I can’t see any mention of “AV updates” in the feature list, though. Everybody else should think twice – and then a third time – before coughing up money for “software updates” that your programs should be grabbing for free by default.

Christopher Boyd

Have you seen Dancho Danchev?

ZDNet reports on a troubling situation involving a security researcher who has been a favourite of mine for a long time, Dancho Danchev:

Zero Day blogger and malware researcher Dancho Danchev (right) has gone missing since August last year and we have some troubling information that suggests he may have been harmed in his native Bulgaria…Last month, we finally got a mysterious message from a local source in Bulgaria that “Dancho’s alive but he’s in a lot of trouble.”

Yikes. Let’s hope he turns up safe and well – I noticed he hadn’t blogged for a while, but this isn’t exactly the reason I had in mind…

Christopher Boyd

Two infections for the price of one


2GCash and Windows System Optimizator rogue from one fake codec scam

Today we came across a fake codec scam that delivers two pieces of malware to those unfortunate enough to stumble across it. The malicious site offers Megan Fox and Carmen Electra sex videos (among other things).


After installing a fake video viewer, it throws up fake Microsoft Security Essentials alerts and installs the Windows System Optimizator rogue.


1. 2GCash (VIPRE detection: VirTool.Win32.Obfuscator.hg!b1)

2GCash has been one of the major downloader families, used by thousands of affiliate sites since 2008. Its purpose is profit: click-fraud traffic sent from infected computers and hijacked search engine results.

VIPRE detects the 2GCash malware as VirTool.Win32.Obfuscator.hg!b1 (v). Kaspersky detects it as *.codecpack, Sophos as FakeAV-CX and Microsoft as Renos.

It is distributed through online scanner scams, third-party bundled downloads, fake codec sites and fake crack/serial sites.

The file video_part_##.exe is detected as Trojan.Win32.Generic.pak!cobra

2. Windows System Optimizator rogue

Windows System Optimizator is a rogue that uses a fake Microsoft Security Essentials alert. VIPRE detects it as Trojan.Win32.Generic.pak!cobra.

It’s a rebranding of the Windows Optimization Center rogue.

2GCash

2GCash is the name we gave the detection when the group behind it began an affiliate program with a site named go-go-cash.com in December of 2008.

The page for affiliates was titled “Go Go Cash.”


Thanks to Patrick Jordan for the analysis.

Tom Kelchner

A guide to picking guides

“I went and checked out your old website at Analyzeguide”

“That’s not my old website”

“…”

A genuine conversation, ladies and gentlemen – and one that resulted in some rogue program shenanigans.

As you’ll have guessed from the above conversation, you’ll be wanting to steer clear of analyzeguide(dot)com/text/[various redacted .php extensions go here]

Running the executable served up (and some of the many others on offer) will give you a phony disk clean up / defrag tool, along the lines of this horrible thing.

In case you were wondering, my old stomping ground was Spywareguide, NOT “Analyzeguide”, so please don’t go guessing and wandering into a big pile of fake file action.

VirusTotal results are currently at 13/43, and we detect this as FraudTool.Win32.FakeAV.hdd (v).

Christopher Boyd

Is Firefox 4.0 coming soon?


Mozilla’s Director of Platform Engineering Damon Sicore has posted to the Usenet group mozilla.dev.planning saying that only about 160 hard-blocker bugs remain to be fixed before the Firefox development team has a release candidate of Firefox 4.0.

He wrote: “Over the past several days, component leads have again reduced their blockers by identifying hard blockers and those we can live without. We’ve around 160 hard blockers remaining, and historically it has taken us six weeks to reach RC once we have 100 blockers left.”

He also said there could be one or two more beta versions.

And why does this matter?

Reason # 1: cool new features

Reason # 2: elimination of security vulnerabilities present in the current version, 3.6.

Update Jan. 14:

In the interest of fairness (and to satisfy my curiosity) I looked around to see if there was a release date for the next version of Internet Explorer (which will be v. 9).

At least one source — Softpedia — speculates that IE 9 will be released at the end of this month.

You can download the Internet Explorer 9 beta here.

A description of the new features is available here.

Tom Kelchner

FDIC warns of phishing scam claiming “Patriot Act” violations

The U.S. Federal Deposit Insurance Corp. and at least one bank are warning of an email phishing campaign in which potential victims are told that their bank accounts have been suspended because of violations of the Patriot Act, and are asked for their identity and account information.

The special alert from the Division of Supervision and Consumer Protection said:

“The Federal Deposit Insurance Corporation (FDIC) has received numerous reports from consumers who received an e-mail that has the appearance of being sent from the FDIC. The e-mail informs the recipient that ‘in cooperation with the Department of Homeland Security, federal, state and local governments…’ the FDIC has withdrawn deposit insurance from the recipient’s account ‘due to account activity that violates the Patriot Act.’ It further states deposit insurance will remain suspended until identity and account information can be verified using a system called ‘IDVerify.’ If consumers go to the link provided in the e-mail, it is suspected they will be asked for personal or confidential information, or malicious software may be loaded onto the recipient’s computer.”

Tom Kelchner

Gamers compromise radiology office server for multiplayer action

I guess sometimes dedicated servers aren’t enough, because an enterprising group of gamers decided to compromise a server to get their Black Ops multiplayer kicks.

Unfortunately, said server belonged to a radiology practice and apparently held the details of up to about 231,400 patients – names, diagnosis codes, phone numbers and other information. It seems our server-jacking chancers were more interested in shooting each other in the face than in grabbing the information on the network – and on the bright side (if there is one) no payment details were stored there, so at least they couldn’t go off and rent about six hundred dedicated servers.

This one gets my nomination for Strangest Story of the Day…

Christopher Boyd

Antex Vlad peddling the Bamital file-infecting virus

“Middleman” rogue distributor switched to a file infector

OK, if your browser sometimes strays into the corner of the World Wide Web where there are lots of pictures and videos of naked ladies, this is for you.

Antex Vlad goes back to 2004 when he was an affiliate of Coolwebsearch.com and involved with CoolWebSearch home page hijackings.

In 2009 he began redirecting to the SecurityTool rogue and, as of Monday, is distributing the Bamital file-infecting Trojans. Bamital takes over your browser and redirects search results.

The URL porno-video-hunt (dot) co (dot) cc/movies/get (dot) php?name=Skvirting_Movie_36 (dot) mpeg re-directs to his new fake-codec scam on porntubehunt (dot) com/w/video/

It is from here you can get hit, not with a rogue but with the Bamital file-infecting virus. porntubehunt (dot) com/w/video/player_update (dot) exe

Once your machine is infected, clicking on the images re-directs to the legitimate Pornhub.com

You first get to a page to click for free cracks


You then get a page that mimics pornhub (dot) com and clicking on an image generates the Fake Play button


Next you get what appears to be a movie to download and run; however, this one infects explorer.exe and winlogon.exe.


Our new VIPRE detection, Trojan.Win32.Bamital.i (v), covers the downloader, so VIPRE blocks the Trojan before it runs. VIPRE has also blocked Antex Vlad’s sites for a long time now.
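A file infector that patches explorer.exe and winlogon.exe changes their hashes and, almost always, their size. The Python script below is an added example, not part of the original post and not VIPRE code: it records a SHA-256 baseline for a list of files and later reports which of them have changed, which is the check an incident responder runs against a baseline taken from a known-clean system. The file names, the temporary directory and the appended 512 bytes are constructed for the demonstration; on a real Windows host the paths would be the system binaries under C:\Windows, and the baseline has to be refreshed after every Windows Update that replaces them.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(paths):
    """Record hash and size for each path; run this on a known-clean system."""
    return {p: {"sha256": sha256_file(p), "size": os.path.getsize(p)} for p in paths}


def verify_baseline(baseline):
    """Compare the files on disk against the baseline.

    Returns {path: {"status": "ok" | "missing" | "modified", "size_delta": int}}.
    A positive size_delta on a modified file is the classic sign of an
    appended infector section.
    """
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = {"status": "missing", "size_delta": -expected["size"]}
            continue
        delta = os.path.getsize(path) - expected["size"]
        status = "ok" if sha256_file(path) == expected["sha256"] else "modified"
        report[path] = {"status": status, "size_delta": delta}
    return report


def demo():
    """Constructed scenario: two stand-in binaries in a temp directory, one of
    which has 512 bytes appended after the baseline was taken."""
    workdir = tempfile.mkdtemp(prefix="baseline-demo-")
    targets = []
    for name in ("explorer.exe", "winlogon.exe"):   # stand-ins, not real binaries
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(b"MZ" + os.urandom(4096))
        targets.append(path)

    baseline = build_baseline(targets)

    with open(targets[0], "ab") as fh:               # simulate an appended code section
        fh.write(b"\x90" * 512)

    report = verify_baseline(baseline)
    return {os.path.basename(p): r for p, r in report.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-14s %-9s size delta %+d" % (name, result["status"], result["size_delta"]))
```

The baseline only proves anything if it was taken before the infection and stored off the box; an infected host can lie about its own files. On Windows, checking the Authenticode signature of the same binaries (for example with Sysinternals sigcheck) is the complementary check, since an appended section invalidates the signature.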


Best of all, users of VIPRE Web Filtering or Clear Cloud have these sites blocked at the URL level, so the download never reaches them.

Thanks to Patrick Jordan for the great analysis.

Tom Kelchner

Find your “First Status” on Facebook

Whatever that means

Alert reader Wendy noticed that her Facebook account was pumping out this spam. We found a flow of more than 100 similar Facebook posts per minute. That would be 6,000 per hour if it continued for any length of time.


And, of course, it wants full control of your Facebook account:

It’s a “survey” Facebook app selling subscription quiz services (billed to your cell phone) and other crap:

Needless to say, use caution when granting any app access to your Facebook account.

First Status?

OK, think about it. What was your “first status?”

“In utero” is all I can think of, unless “glint in your parents’ eyes” counts.

Tom Kelchner

Spam “mind quiz” question slaughters history


Wha? I didn’t get the $1,000 Wal-Mart gift card?

It’s interesting to investigate spam email offers. The ones that seem too good to be true are prime candidates if you’re looking for something malicious, fraudulent, sleazy or just plain dumb.

Today we checked out this one:


There was nothing new. It led you through a “survey”, then about a dozen offers to buy various services chosen on the basis of your survey answers. Of course, if you buy nothing, you don’t get the $1,000 Wal-Mart gift card.

On the last page, however, we found a “mind quiz” question that had history screwed up pretty well: “What U.S. president was shot while walking to California Governor Jerry Brown’s office.” The choices were Jimmy Carter, Gerald Ford or Richard Nixon.

None of them were. In 1975, however, Charles Manson follower Lynette “Squeaky” Fromme waved a gun at President Gerald Ford but didn’t shoot: there was no round in the weapon’s chamber, although there were four in its magazine. She spent a long time in federal prisons (and, apparently because of anger issues, in their medical facilities).

Her other contact with a U.S. president was when she performed at the White House as a member of a square dance troupe in 1959, Wikipedia also said.

Some stuff is so weird that you couldn’t possibly make it up.

Tom Kelchner

“Skype newsletters” in your mailbox

Hot on the heels of those peculiar “Skype websites” come emails asking you to visit said websites, forwarded to me by the awesome Kevin Church.

The email reads as follows:

———- Forwarded message ———-
From: Skype newsletter@2011-skype-releases(dot)net
Date: Tue, Jan 11, 2011 at 10:03 PM
Subject: Skype Releases : Upgrade New Skype 2011 For PC And MAC
To:

NEW SKYPE 2011 RELEASES

This is to notify that new updates have been released for Skype. Following are major new features:

– Talk more for free via Voice Over IP (VoIP)
– Lower cost when connecting to landlines (much cheaper than Calling Card)
– Record your conversation (better than telephone quality)
– Instant messaging & file-sharing, video calls
– Now available on PSP!

2011-skype-releases(dot)net

To check and upgrade, go to Skype Updates Center or copy this link to your web browser:

2011-skype-releases(dot)net

Skype has changed the way we think of telecommunications.

Thank you for choosing us.

With best regards,
Skype Support


Copy rights Skype 2011 – All Rights Reserved
Website: 2011-skype-releases(dot)net

Some things to note:

1) The email claims to be from “Skype”, instead of “some guys with a website or whatever”.

2) “New feature: now available on PSP”. I’ve had it on a PSP for a long time, actually. Yeah, this isn’t really relevant but I’m a pedant.

3) “Skype has changed the way…” [blah blah blah] …”thank you for choosing us”, again reinforcing the notion that these people might actually be Skype themselves.

4) “Skype updates center”. Official sounding, isn’t it?

5) Signing off as “Skype Support”? Oh boy.

Not something I’ll be signing up for anytime soon…
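The five points above, and the FDIC “Patriot Act” alert earlier on this page, are the same three signals a mail filter can score mechanically: a brand named in the From display name or subject that does not match the sending domain, links to a domain that merely contains the brand name, and account-pressure language (“suspended”, “verify”, “upgrade”). The Python below is an added example, not part of the original posts and not a product’s code. It parses a raw message with the standard library and scores it. The brand allowlist, the pressure-word list, the crude two-label domain reduction and the `.example` domains in the FDIC-shaped message are all constructed assumptions; the Skype sample is the text of the mail above trimmed to ASCII.

```python
import email
import re
from email.utils import parseaddr

# Constructed allowlist: brands this example knows and the domains genuine mail
# from them comes from. Assumption: a real deployment maintains this itself.
BRAND_DOMAINS = {"skype": {"skype.com"}, "fdic": {"fdic.gov"}}

# Phrases that push the reader to act on an account. Constructed list.
PRESSURE_WORDS = ("suspended", "withdrawn", "verify", "upgrade",
                  "account information", "confidential")

# Bare hostnames in the body; these mails print the domain without http://.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def registrable(host):
    """Crude eTLD+1 (last two labels). Assumption: no multi-label public
    suffixes such as co.uk in the input; a real tool would use a PSL library."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def analyze(raw):
    """Score one RFC 822 message for brand-impersonation signals."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", "replace") if payload else ""

    sender_domain = registrable(addr.split("@")[-1]) if "@" in addr else ""
    header_text = " ".join((display, addr, subject)).lower()
    brand = next((b for b in BRAND_DOMAINS if b in header_text), None)
    allowed = BRAND_DOMAINS.get(brand, set())
    findings, score = [], 0

    # Signal 1: a brand is named, but the sender is not one of its domains.
    if brand and sender_domain not in allowed:
        findings.append("claims to be %s but sent from %s" % (brand, sender_domain))
        score += 2

    # Signal 2: where the links go. A domain that merely contains the brand
    # name (2011-skype-releases.net) is the look-alike pattern.
    link_domains = []
    for host in HOST_RE.findall(body):
        domain = registrable(host)
        if domain not in link_domains:
            link_domains.append(domain)
    for domain in link_domains:
        if domain in allowed:
            continue
        lookalike = bool(brand and brand in domain)
        findings.append("link to %s domain %s" % ("look-alike" if lookalike else "third-party", domain))
        score += 2 if lookalike else 1

    # Signal 3: urgency and credential-harvesting language.
    text = (subject + " " + body).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
        score += len(hits)

    return {"brand": brand, "sender_domain": sender_domain, "link_domains": link_domains,
            "findings": findings, "score": score, "suspicious": score >= 3}


# The "Skype newsletter" from the post, trimmed to ASCII.
SKYPE_SAMPLE = """\
From: Skype <newsletter@2011-skype-releases.net>
Subject: Skype Releases : Upgrade New Skype 2011 For PC And MAC

NEW SKYPE 2011 RELEASES

To check and upgrade, go to Skype Updates Center or copy this link to your web browser:

2011-skype-releases.net

Thank you for choosing us.
Skype Support
Website: 2011-skype-releases.net
"""

# Constructed message in the shape the FDIC alert describes; sender and link
# domains are invented (.example is reserved for documentation).
FDIC_SAMPLE = """\
From: FDIC Consumer Alerts <alerts@fdic-idverify.example>
Subject: Notice: deposit insurance suspended

In cooperation with the Department of Homeland Security, federal, state and
local governments, the FDIC has withdrawn deposit insurance from your account
due to account activity that violates the Patriot Act. Insurance will remain
suspended until identity and account information can be verified using
IDVerify at idverify-fdic.example/verify
"""

# Constructed control: a plain notice from the brand's real domain.
LEGIT_SAMPLE = """\
From: Skype <noreply@skype.com>
Subject: Your monthly statement

Your statement is ready. Sign in at skype.com to view it.
"""

if __name__ == "__main__":
    for name, sample in (("skype", SKYPE_SAMPLE), ("fdic", FDIC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        result = analyze(sample)
        print(name, result["score"], result["findings"])
```

The Skype mail scores on all three signals and the FDIC-shaped one scores higher still, while the control from skype.com scores zero; the threshold of 3 is a constructed choice and in practice would be tuned against real mail volume.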

Christopher Boyd

GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the GFI-Labs YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI-Labs Blog, the GFI Rogue Blog and anything else we think might be of interest.

This week we blogged about the year-end statistics for rogue security products, the new “utility” look in rogues, Twitter spam from hacked Twitter accounts, another “Pay for Skype” scam and three new rogues: DiskOK, Memory Fixer and Palladium.

Tom Kelchner

January Patch Tuesday: two security bulletins

Microsoft has posted two security bulletins for the month:

MS11-001 fixes a vulnerability in Windows Backup Manager that could allow remote code execution. It’s rated Important.

MS11-002 fixes vulnerabilities in Microsoft Data Access Components in Windows that could allow remote code execution. It’s rated Critical.

Tom Kelchner

Twitter movie spam related to Gawker hack?

We had an interesting theory put forward in the comments section in relation to the mass of “watch movies online” spam on Twitter. How did someone grab all of those logins? Well…

“I wonder if it had to do with the Gizmodo hack, since I was using the same password there and hadn’t remembered to update my Twitter one.”

Of course, this refers to the Gawker hack that took place not so long ago. Stuffing the leaked login details into spam tools was always going to turn up some accounts that neither third-party sites nor the account owners had reset, hence the insane blast of movie spam yesterday.

At the time of writing the spamming is still continuing, though the messages posted seem to have changed somewhat. Although none of the links appear to be carrying any malicious content, it’s still a good idea not to go signing up to movie sites promising content galore. None of the sites I’ve seen give any kind of free preview, and you’re effectively handing money over to The Wallet Inspector and crossing your fingers that he isn’t going to jump on the next bus out of town.

Funnily enough, I can hear an engine revving…
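The mechanism in the comment above is password reuse: a credential pair that worked on Gawker also works on Twitter until somebody resets it. The script below is an added example, not part of the original post, of what a site can do on its own side when a third-party dump appears. It assumes the leaked passwords are available in plaintext (as most of the Gawker set eventually was) and that the site stores its own passwords as salted PBKDF2 hashes; given those two inputs it sorts matching accounts into “reset now” (the leaked password still works here) and “notify” (same e-mail, different password). The user records and breach rows are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000   # PBKDF2 work factor; kept modest so the demo runs quickly


def hash_password(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user(email_addr, password):
    """Our side of the picture: a salted PBKDF2 record, never the plaintext."""
    salt = os.urandom(16)
    return {"email": email_addr.lower(), "salt": salt, "hash": hash_password(password, salt)}


def password_matches(user, candidate):
    return hmac.compare_digest(user["hash"], hash_password(candidate, user["salt"]))


def triage_breach(breach, users):
    """Sort accounts that appear in a third-party dump into two buckets.

    breach: list of (email, leaked_plaintext) pairs from the other site's dump.
    users:  our own account records.
    Returns (reset_now, notify): reset_now holds our users whose current
    password is the leaked one (the credential-stuffing hit); notify holds
    users whose e-mail is in the dump but whose password here differs.
    """
    by_email = {u["email"]: u for u in users}
    reset_now, notify = [], []
    for email_addr, leaked in breach:
        user = by_email.get(email_addr.lower())
        if user is None:
            continue                      # not our customer; nothing to do
        if password_matches(user, leaked):
            reset_now.append(user["email"])
        else:
            notify.append(user["email"])
    return reset_now, notify


# Constructed sample data; no real accounts or breach records.
USERS = [
    make_user("alice@example.org", "hunter2"),
    make_user("bob@example.org", "correct horse battery staple"),
    make_user("carol@example.org", "c4r0l!"),
]
BREACH = [
    ("alice@example.org", "hunter2"),     # same password on both sites
    ("Bob@example.org", "bobs-old-pw"),   # same e-mail, different password
    ("dave@example.net", "letmein"),      # not one of our users
]


def demo():
    return triage_breach(BREACH, USERS)


if __name__ == "__main__":
    reset_now, notify = demo()
    print("force password reset:", reset_now)
    print("warn about reuse:    ", notify)
```

Checking the leaked plaintext against your own hash is the only way to know reuse has actually happened; matching on e-mail alone gives you the notify list, which is still worth acting on because the account holder is now a known credential-stuffing target.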

Christopher Boyd

Web site identifies real (and not so real) defraggers

One of the developments in the wonderful world of rogue security products last year was the appearance of rogues imitating utility software such as defraggers.

Rogues have impersonated anti-virus products for many years. That was confusing enough for inexperienced Internet users, but there were at least several sites where lists of legitimate AV software were available (ICSA Labs, VirusTotal and Virus Bulletin are three).

Finding a list of “defragmentation” utilities, or defraggers, was tough, though.

Donn Edwards, a database programmer who has a software company in Johannesburg, South Africa, named Black and White Inc., contacted us over the holidays to point out that he is maintaining a page on his Fact-Reviews.com site to do just that. His site, which appears to have gone up last June, presents his independent reviews.

Fact-Reviews.com lists real defrag utilities…

and it also lists fakes


Nice work, Donn.

Tom Kelchner

Microsoft blog lists public issues


Outstanding chart lists outstanding security problems and workarounds

Microsoft’s Web site, which is full of great information, is an unusually large fire hose to drink from. However, today Dr. Johannes Ullrich at SANS pointed out one great, tightly focused piece on Microsoft’s “Security Research & Defense” TechNet blog: a chart breaking down the top outstanding security issues with Microsoft’s products. It also lists workarounds:

Issues addressed are:

– Internet Explorer 6/7/8 vulnerability in recursive style sheet importing (CVE-2010-3971).

– Windows graphics rendering engine vulnerability in parsing BMP thumbnails embedded within an OLESS document container (CVE-2010-3970).

– IIS 7.0 and 7.5 FTP service vulnerability in encoding Telnet IAC (Interpret As Command) characters in the FTP response.

– A publicly released Internet Explorer fuzzer capable of triggering Internet Explorer crashes.

– WMI Administrative Tools ActiveX control vulnerability.

Thank you Jonathan Ness of MSRC Engineering for being so concise.

Tom Kelchner

“Watch movies online” link spammed on Twitter

We’re seeing a link doing the rounds on Twitter that you may want to avoid. I was a bit surprised to see the following pop up on the feed of artist Dean Trippe:

(Screenshot: movies!)

According to the Bit.ly statistics for that link, it has been clicked around 198 times since the middle of December. Having said that, the stats might need updating, because here’s a live view of the link being sent to all and sundry. Screenshot for posterity:

(Screenshot: spam galore)

It takes you to hdrollyvideo(dot)co(dot)cc/9/ which forwards the user to rolly(dot)com, a website asking for subscription fees in order to watch movies online.

(Screenshot: films galore)

The site says you can get a month-long subscription for $39.90 USD and access a database packed with 10,000 movies (including many which are only just popping up in movie theaters… hmmm), but let’s take a look at some feedback before getting our wallets out:

Web of Trust: Some terrible feedback here, everything from “hacked Twitter accounts used for spam” to someone who apparently paid only to get “five pages of html” back in return.

Complaints galore: people who signed up and are looking for refunds but can’t get hold of anybody, cards charged before the “trial period” expires, movies downloaded in English but playing in Spanish…oh boy.

Webutation: More mentions of “hacked twitter accounts” and problems trying to cancel.

Granny gets charged for a trial: Ouch. Not only that, but she seems to be having problems stopping them from taking repeat payments.

You know what? Just go to the cinema and give this one a miss. Given the complaints seen so far, your wallet will thank you for it…

Christopher Boyd

New Year, new “Pay for Skype” websites

Just a heads up that one of those “Pay for Skype (addons)” sites is doing the rounds, with a vaguely predictable URL:

2011-skype-upgrades(dot)net

As you may recall, these sites try to make end-users pay to download… well, we’re not sure, to be honest. It could be addons, or “upgrades”, or Skype itself; these sites aren’t particularly clear on that point. All that really matters is that if you see a site looking like this:

(Screenshot: Voipforfree1)

You need to put your card back in your wallet and go somewhere else. Like the official Skype download site, for example. Want addons? No worries, here’s a bunch of those too.

I think that has you covered…

Christopher Boyd