The cake is a lie.

Delicious cake – for years, the symbol of a reward never to materialise.

This sad trend continues with the upcoming release of Portal 2, which – as you would expect – is prompting a rash of utterly fictitious cake designed to lure the unwary into mind-bending puzzles of a three-dimensional nature, or at least some surveys and a slice of malware.

Over the last few days, Twitter users have reported a huge wave of Portal spam, and this will no doubt continue to be an annoyance as excitement builds over the release. Much of the spam makes no sense, or mashes up random Portal-related comments and lines.

See if you can spot the cake mention in the screenshot of the spam tweets (yes, this cake was a lie too).

A lot of these spambots were directing users to a “Portal 2 Loader” (hat tip to MrTom), which has been downloaded more than 4,000 times and appears to be a Portal 2 crack.


We’re still taking a look at this one, but personally I’d steer clear.

Elsewhere, we have dubious search results. Simply looking for “Portal 2 Still Alive” (you know, the catchy ditty sung by the smiley death robot at the start of the writeup) will bring you a liberal scattering of dubious results.

Many of the sites are currently down, but there are a lot of dubious results in there, so be careful (you can also bring up a bunch of them by searching for the songwriter, the awesome Jonathan Coulton). In a nutshell, any search involving songs and a state of being alive may serve up some bad vibes in your general direction.

Are those “this site may harm your computer” warnings useful or what?

Anyway, we also have the usual YouTube suspects in the form of endless “Portal 2 keygen / crack” videos.

Without fail, they’ll all dump you on cookie-cutter blogs and file upload sites that want some surveys filling in.

Needless to say, filling in these surveys won’t give you a working crack – it’ll be a non-functional dummy file or an infection.

I can tell you this much for certain: there definitely won’t be any cake.

There never is.

Christopher Boyd

TDL rootkit vulnerability fix in Patch Tuesday

In the blizzard of patches, which has been well covered elsewhere, it’s worth noting one extra thing.

Last November, we blogged about how the TDL4 rootkit gets around driver signing:

The TDL4 rootkit bypasses driver signing policy on 64-bit machines by changing the boot options of Microsoft boot programs that will allow an unsigned driver to load.

The boot option is changed in memory by the code executed from the infected MBR. It sets the value of a configuration setting named ‘LoadIntegrityCheckPolicy’, which determines the level of validation applied to boot programs. The rootkit changes this value to a low level of validation that effectively allows an unsigned, malicious rootkit DLL to load. The rootkit DLL is kdcom.dll, an infected version of the normal kdcom.dll that ships with Windows.

The rootkit also disables debuggers by NOP’ing the debugger activation functions, as described below. This makes reverse engineering this rootkit very difficult! The KdDebuggerInitialize1 function (see below) in the infected kdcom.dll, which is called during normal execution of the system, installs the rootkit; the rootkit then hooks the IRP dispatch functions of the miniport driver below the disk driver to hide its malicious MBR.
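A defender-side check for the specific abuse described above, added here as an example; it is not code from the original post or from any vendor tool. It assumes PowerShell 4 or later (for Get-FileHash), a trusted reference copy of System32 at the path given by -ReferenceDir, and English-locale bcdedit output.

```powershell
# Added example, not from the original post. The infected kdcom.dll has to be
# unsigned (that is why the rootkit lowers the integrity-check policy), so we
# verify the Authenticode signature of the kernel-debugger transport DLLs and,
# as a second opinion, compare their hashes with copies from a trusted
# reference install. We also look for persistent integrity-check overrides in
# the BCD store. Caveat from the write-up: the rootkit hides its disk changes
# by hooking the miniport driver below the disk driver, so run this from WinRE
# or against an offline image (-SystemRoot pointing at the mounted volume).
param(
    [string]$SystemRoot   = $env:SystemRoot,
    [string]$ReferenceDir = 'D:\clean\Windows\System32'   # assumption: known-good copy
)

$debugDlls = @('kdcom.dll', 'kd1394.dll', 'kdusb.dll')   # all loaded the same way as kdcom.dll
$findings  = @()

foreach ($name in $debugDlls) {
    $path = Join-Path (Join-Path $SystemRoot 'System32') $name
    if (-not (Test-Path $path)) { continue }

    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    # Windows system files are usually catalog-signed; older PowerShell builds
    # report those as NotSigned, so treat a non-Valid status as "check the hash"
    # rather than as proof of tampering on its own.
    if ($sig.Status -eq 'Valid' -and $signer -like '*Microsoft*') {
        $findings += [pscustomobject]@{ File = $name; Result = 'OK (signed by Microsoft)' }
        continue
    }

    $ref = Join-Path $ReferenceDir $name
    if (Test-Path $ref) {
        $a = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        $b = (Get-FileHash -Algorithm SHA256 -Path $ref).Hash
        $verdict = if ($a -eq $b) { 'OK (matches reference copy)' }
                   else           { 'SUSPECT: differs from reference copy' }
    } else {
        $verdict = "INCONCLUSIVE: signature status $($sig.Status), no reference copy"
    }
    $findings += [pscustomobject]@{ File = $name; Result = $verdict }
}

# BCD switches that would persist a lowered integrity policy. TDL4 patches the
# value in memory instead, so a clean BCD does not clear the machine; a dirty
# one on a production box is still worth explaining.
$bcd = bcdedit /enum '{current}' 2>$null
foreach ($opt in 'nointegritychecks', 'testsigning') {
    # English-locale output; other locales print the value differently
    if ($bcd -match "^\s*$opt\s+Yes") {
        $findings += [pscustomobject]@{ File = 'BCD'; Result = "SUSPECT: $opt is enabled" }
    }
}

$findings | Format-Table -AutoSize
```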

It appears that at least part of this vulnerability has been patched. From the Technet blog:

The second advisory, KB 2506014, hardens Windows against kernel-mode rootkits. This specifically breaks the hiding mechanism used by the current Alureon/TDL4 rootkit family. It is an update available on WU and WSUS, pushed out automatically to customers who have opted in to Automatic Updates.

Alex Eckelberry
(Thanks Chandra)

Poisoned image search results for Yuri Gagarin

Yuri Gagarin: pretty awesome.

Yuri Gagarin poisoned search results: not so awesome.

The number one image search result in Google for Yuri is currently using the lure of a rather nice image hosted on Imagebucket to bounce visitors from thetouristsguide(dot)com to various rogue antivirus websites.

Yesterday, the site involved was protecttunexpscanvirus(dot)com – they’re now using copyprotectwinxpscan(dot)com and htmlprotectwinxpscan(dot)com, and this is likely to change again. The file they’re serving up is AntiSpy 2011 – here’s a sample report from VirusTotal (18/40). It’s worth noting that the VirusTotal results will keep changing as they keep uploading new versions of these scareware files.

Constant battle and all that.

There are a number of other URLs from the same campaign to keep an eye on, or simply fire into the heart of the Sun.

Yesterday the server of choice was having a nice old time of it in Trinidad and Tobago, but just like the URLs you can bet they’ll keep chopping and changing the servers too. Be warned: there are a number of other rogue AV redirects in those search results, so you might just want to read about how awesome Yuri was instead of hunting for pictures. His 50th anniversary ensures scammers will be filling up his results with garbage for a few weeks to come…

Christopher Boyd (Thanks to an anonymous tipster for sending this through).

How to phish like a champ


1) Make a Paypal phish and host it on a free blog called “My free porn collection”.

2) Leave comments enabled.

3) Watch the money roll in and buy a gold plated yacht. Or not.

On the off chance you know anybody who is still likely to fall for this, steer them clear of segregetionl(dot)blogspot(dot)com/2011/03/dear-valued-paypal-customer(dot)html. In fact, they should probably steer clear of the entire site as it seems to be serving as a dumping ground for dubious links, spam, 419 scam offers and who knows what else.

Christopher Boyd

Facebook rollercoaster scam “now in amazing 3D”

Wow, let’s check out a rollercoaster crash because it happens to be in sick 3D!

Or, you know, it isn’t.

Here we have yet another website asking the end-user to paste some JavaScript into their browser, using the lure of a completely fictitious video (this time around the site is funtricks-a(dot)info, another variation on the Rollercoaster spam campaign). Hit the button and Facebook will appear in a new window – if you’re logged in, you’ll start spamming the lure message to people who probably aren’t going to like you very much.

Yeah, you’ll be blocked in minutes. Sorry about that.

Amazingly enough, the user has to jump through a few more hoops – I love this one:

“Please verify that you are – helping to protect your identity and personal information”.

Oh ho ho etc.

Hitting the continue button will display a dazzling lack of originality and pop a survey.

It almost makes you wish for the days of dancing purple gorillas on your desktop, doesn’t it?

Christopher Boyd

Welcome to Sofia, and compromised websites

We saw this on a (now expired) Pastebin page while looking for something else, and thought it was worth noting.

Sofia is home to numerous museums, an extensive night life and also a hacked website. The official website of the Sofia Municipality is located at sofia(dot)bg.

Meanwhile, tucked away on the same site is another page that we think probably isn’t supposed to be there.

Whoops. There doesn’t appear to be any malware on offer, but there’s always a chance that situation could change so it might be worth treating the site with caution until they’ve cleaned things up. They have of course been notified.

Christopher Boyd

Twitter spam and Viagra galore

Spam mails claiming to be from Twitter that send you to pharmacy sites are a popular wheeze for spammers, and here we go again.

It seems I have “two PR messages from Twitter”. If that wasn’t enough to get me clicking (it isn’t), I can also join in on sports conversations, argue with bloggers and tell the world when I stumble into some form of natural disaster.

Hammering one of the many links will actually take me to 219(dot)84(dot)119(dot)56/afternoon(dot)html, which will send me to pharmacydrugstorehealthprofessionals(dot)net.

All the Cialis you can eat!

That might not be a good idea though.

Bear in mind that spam blasts like the one above can sometimes lead to malware most horrid, so – as always – stay safe (and don’t go messing with random pills bought on the internet, either).

Christopher Boyd

Japanese Tsunami survivors take refuge in Spain, want your money

There’s desperate, and then there’s this:

From: Shinto Yabamoto
Date: April 8, 2011 2:27:41 PM EDT
To:
Subject: Assistance for Tsunami Japan 2011 Victims.

Dear Sir/Madam,

I am Shinto Yabamoto resident in Spain. We have other japanese families living as a community here in Spain. Our family members were severely affected by the recent Tsunami earthquake that happened in the pacific ocean that devasted Tokyo and led to the lost over 13,000 lives and properties worth billions of Dollars.

We implore to help the earthquake victims that lack food and shelter. We have established a distribtion channel to these victims. You can send your gifts and aids as cash by western union money transfer system to our division responsible for the distribution of food, shelter and medical assistance using the information stated below:

FIRST NAME: SHIZUKA
LAST NAME:TADASHI
ADDRESS: CALLE VELAZQUEZ 8
28010 MADRID.

After making the payment send the payment details to the Assistance Distribution Section as stated below:

SENDER’S DETAILS:
FIRST NAME:
LAST NAME:
MONEY TRANSFER CONTROL NUMBERS. (MTCN)
COUNTRY:
ADDRESS:
Email: shinto_yabamoto@yahoo(dot)co(dot)jp

Thanks for your assistance to the need of humanity of the Japanese people. May God richly blessed and also expand your territory in any field of your endeavour.

Yours truly,
Shinto Yabamoto

Thanks for that, Shinto, if that is your real name – which it isn’t.

Another one for the “fire into the heart of the Sun” pile.

Christopher Boyd (Thanks to CSO Andy for that one)

We will rock you… with Fake AV


I just thought this was funny.

The URL in the screenshot, which was apparently serving up fake AV, is scannerqueenantivxp(dot)com. Initially I would have seen the “Queen” part and thought it was a vaguely lame attempt at jumping on the upcoming Royal Wedding bandwagon, had I not looked elsewhere and stumbled across another music legend from the Eighties making a comeback.

That is pretty awesome. Stand and Deliver, your money or your Fake AV…

Christopher Boyd

Fake AV served up by phony NACHA emails


A little while ago, phishing mails claiming to be from NACHA were in circulation – it seems the phishers have had enough of that, deciding to send out malicious files instead.

The mail claims an attempted bank transfer has gone horribly wrong, and you should open up the file listed as .pdf.exe – whoops – to see what all the commotion is about.

Hitting the link takes you through a couple of URLs – freenacha-s(dot)info and fasdfq(dot)co(dot)cc/forum(dot)php?tp=27f57d3dcb81f8c0 – to a fake 404 error page which serves up a rogue anyway (a member of the FakeSysDef family).

reportAB8839.exe will give you an unwanted visitor, in the shape of Trojan.Win32.FakeAv.awrp (v). The VirusTotal report currently gives a total of 7/40 detections. At time of writing, both the Freenacha and fasdfq URLs actually do appear to be offline, but the download location for the executable (nacha-report-download(dot)com) is still alive and kicking. No doubt it’ll appear in a few more emails before the site goes offline for good.

Christopher Boyd (thanks to Bharath and Joseph).