Some new fake codec sites

Hot and fresh, serving Zlob trojans:

ebwmanufacture(dot)com
dmqfirm(dot)com
ictprivate(dot)com

Even though these sites usually show a 403 error, they are serving Zlobs (this is now fairly standard practice for Zlob sites: show a 403 on the main page, but serve malware from a subdirectory). For example, one link that actually downloads malware would be something like ebwmanufacture(dot)com/download(dot)php?id=4082.

Obviously, don’t go to these sites unless you want to infect yourself with malware.

Alex Eckelberry
(Thanks to Sunbelt researcher Patrick Jordan)

So what’s the motivation behind Zango’s acquisition of SmartShopper?


Earlier today, Zango announced the purchase of SmartShopper.

Why?

Our research leads us to believe that one major reason may be as a way for Zango to get an imprimatur of credibility. SmartShopper is in the TRUSTe Trusted Download Program, a fact that the SmartShopper folks are quite proud of, showcasing it prominently on their website. (Incidentally, and of some concern — SmartShopper is not listed on TRUSTe’s main list of trusted applications, but is, in fact, in the Trusted Download program. This is the second occurrence we’ve observed of “quiet” listings in TRUSTe. Correction — faulty memory on my part — this is the only one, which we did write about earlier. )

It’s also no secret that Zango is trying hard to get a Trusted Download certificate for itself. However, will it make any difference, especially in light of the huge sums of money a vendor must pay (reported to be in the hundreds of thousands, or millions of dollars)? Probably not. I doubt any advertisers will care. We’ve found that advertisers are quite leery of Zango in general. I doubt Trusted Download will help them.

However, having SmartShopper in their portfolio of applications will allow Zango to point proudly at a product they own in the Trusted Download program. And it’s even in the realm of possibility that by having a Trusted Download like SmartShopper, they could use this as a future way to get Zango on more desktops (by bundling with SmartShopper or by offering SmartShopper users a download of Zango).

It’s worth noting that Zango is primarily gaining new users through Seekmo, its porn branch. In other words, new user acquisition occurs from users downloading porn in exchange for free ads, not for funny videos of a cat jumping up and down. They need everything they can to gain legitimacy.

Alex Eckelberry

Jane is contrite… Now we’re trying to help Gary

Faithful blog readers will recall “Jane”, who sent us an apoplectic, foul-mouthed rant, mistaking us for the makers of WinFixer WinAntivirusPro.

The letter was entertaining in its creative use of epithets.

However, I had sent her an email explaining that we weren’t related to the WinAntivirusPro band of miscreants, and her reply was significantly more civil, albeit still entertaining:

Dear Mr. Eckelberry;

Thank you for your courteous and helpful response to my potty-mouth- rant. And my apologies to you and other staff at Sunbelt.

This elusive WinAntivirus thing has really been a bother; I use my computer for research and writing. Recently, when I submit a query to Google, I get the nasty WinAntivirus screen that will not go away. It’s to a point where I really don’t know who to trust. I am aware that there are several available programs that represent that they will remove that WinAntivirus stuff, at a price. Then, my own internal computer tells me that the reptiles responsible for the WinAntivirus may be profiting from the sale of the removal programs. It’s all very confusing.

I want to find these WinAntivirus folks quite soon, and I hope they have a 1-800 number.

I work at an inpatient psychiatric facility, where even the most deranged and psychotic patients are entitled to unrestricted access to a telephone. Some of these poor souls are just lonely, and looking for a kind voice to listen to their rantings. Such as the folks that answer the phone at WinAntivirus. Do you, by chance have that number? That would make me feel a whole lot better.

Thanks, Jane

I have advised her that there really is no way to contact these WinAntivirus folks… Although, the idea of using psychiatric patients en masse to harass a vendor is a curious and novel approach to lodging complaints.

Lest you think it’s all over, however, “Gary” sent an email yesterday through our Media Relations link which is a wee bit confused:

Conversation: Media Inquiry – Sunbelt Software Research Center
Subject: Media Inquiry – Sunbelt Software Research Center

Jason, I don’t know what connection you may have with “pointroll cookie”.

This complaint is not directed at you personally, BUT I DO NOT WANT AND I RESENT WITH FIRE IN MY EYE THE INTRUSION AND INVASION OF MY COMPUTER BY “POINTROLL COOKIE”!!
PLEASE!! IF YOU CAN, R E M O V E ALL DATA PRETAINING TO “POINTROLL COOKIE” FROM MY COMPUTER NOW AND FOREVER!! I CAN NOT MAKE IT MORE PLAIN. YOU WILL NOTICE THAT I AM USING CAPS. POINTROLL COOKIE, GET OUT AND STAY OUT OF MY LIFE FOREVERRRRRRRRR!

SINCERELY, GARY (removed)

Of course, we have no association with the Pointroll cookie and we’re still scratching our heads over exactly what Gary means. We’ve sent an email trying to get more clarity.

Clarity, of course, is sometimes a rare commodity in this business.

Alex Eckelberry

Trojan.Netview: A dangerous trojan

With all the hoopla these days surrounding the “Storm Worm”, our Research Team feels that there are some EXTREMELY DANGEROUS threats out there that are being overlooked. One such threat is Trojan.Netview. You may recall that it was observed being installed during the Bank of India hack.

One variant that we have recently found being distributed is actually detected quite well. Some appear to be general heuristic detections, but the malware itself is over one month old, so most antivirus companies should be detecting it by now. It is interesting, however, that no attempts have been made to change its signature in order to defeat security software.

[Image: antivirus detection results for the Trojan.Netview sample]

While detection by major antivirus companies is good, there are still several factors that make this Trojan extremely dangerous.

1. It uses Net View to find vulnerable network shares to steal data from

The name “Trojan.Netview” was devised by the simple fact that this malware uses the net view command. According to Microsoft:

Net view displays a list of domains, computers, or resources that are being shared by the specified computer. Used without parameters, net view displays a list of computers in your current domain.

You can try this yourself by typing the command “net view” inside of a command prompt.

By using this command, the Trojan is able to search for vulnerable network shares to steal information from. A server or workstation containing accounting databases, credit card information, bank account information, system backups, company trade secrets or any other sensitive data does not need to be infected itself for the data to be stolen. A single infected user on the network who has access to network shares containing this data is enough to put their company or business at serious risk.

Once the Trojan has identified these vulnerable systems, the data is copied from them and uploaded to an FTP server located in Russia.

2. It is highly distributed

For over a month now, the MD5 hash of the Trojan has not changed. This fact may itself be an indicator that the malware is having success. Typically, malware authors re-compile their code quite often in order to defeat security software (as an example, the “Storm Worm” typically changes every sixty (60) seconds).

In addition, Trojan.Netview is usually bundled with massive malware infestations that usually contain software which disables security software.

These days, it seems that we cannot get away without mentioning the Storm Worm, but there happens to be a relationship between Storm and Trojan.Netview. On 10/11/2007, the Storm Worm code changed a little bit. One of these changes was the ability for it to make multiple copies of itself on the infected system with the name “_install.exe”. Another change in the Storm code is the ability to inject malicious IFRAMES into HTML documents (htm, php, asp, xml, etc). This means that any webmaster who is infected with Storm and makes modifications to a webpage is aiding in the propagation of additional malicious code. With the sheer volume of infected Storm hosts, there is no doubt that some websites are going to be automatically defaced by this added functionality.

One recent webpage analyzed by our research team containing the injected code, is responsible for the installation of Trojan.Netview, as well as several other pieces of malware:

[Image: the injected IFRAME code on the analyzed webpage]

Unfortunately, this hotel PMS (Property Management System) appears to be yet another victim of the Storm. Notice that a copy of Storm, “_install.exe”, which we mentioned earlier, is located on this remote server:

[Image: directory listing of the hotel server showing _install.exe]

It is unknown what other data may have been stolen from this hotel.

3. It does a decent job of hiding itself

Trojan.Netview typically copies itself to your root directory as “wsusupd.exe”, with the hidden and system file attributes set. While this may seem a bit archaic compared to more sophisticated malware that uses rootkit technology to hide, it does not mean that this stealthing technique is ineffective. Out of the box, Windows is not configured to show hidden system files, and most end users do not bother to set the option to view them.

4. Specific targets?

Trojan.Netview appears to search for specific data to collect, exhibiting a particular interest in transaction systems, database backups, and even antivirus quarantine folders (which we observed earlier during the Bank of India hack). For obvious reasons, there are pictures that we can’t share, but here are some that we can.

This appears to be a phisher who had his/her information stolen:

[Image: stolen data belonging to a phisher]

This Giftshop’s data is now in the hands of the bad guys:

[Image: stolen gift shop reports]

Pictured here is a dump of credit card transactions. The logs have since been removed from the server:

[Image: dump of credit card transaction logs]

This appears to be a 911 emergency center system. While we are not 100% certain, “STATION1” could be one indicator:

[Image: data apparently taken from a 911 emergency center system, showing “STATION1”]

So what can be done to protect yourself or your organization from this threat? As we have preached many times before: keep your systems patched and use up-to-date antivirus software or other security software. Of course, a full scan with CounterSpy or CounterSpy Enterprise will remove all variants of this Trojan that we know about.

To see if you are currently infected, it might be a good idea to monitor your network for traffic to the IP address 82.146.43.55. And while you are at it, be sure to deny all access to this address on your firewall.
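As an added example (not code from the original post), here is one way to do the monitoring and blocking just described: it parses Windows Firewall log records for any local host that tried to reach 82.146.43.55, checks the root of a drive for the hidden+system “wsusupd.exe” dropper, and prints the netsh rule that denies outbound traffic to that address. The log lines are constructed for this example, and the netsh rule assumes Windows Firewall with Advanced Security.

```python
"""Spot hosts contacting the Trojan.Netview upload server in Windows Firewall logs."""
import ipaddress
import os
import stat
from collections import defaultdict

# Address named in the post as the Trojan's FTP upload destination.
NETVIEW_C2 = ipaddress.ip_address("82.146.43.55")

# Constructed sample in the pfirewall.log (W3C) layout; not a real capture.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-10-15 09:12:01 ALLOW TCP 192.168.1.23 82.146.43.55 1045 21 0 - 0 0 0 - - - SEND
2007-10-15 09:12:03 ALLOW TCP 192.168.1.23 82.146.43.55 1046 20 0 - 0 0 0 - - - SEND
2007-10-15 09:13:44 ALLOW TCP 192.168.1.40 64.233.167.99 1101 80 0 - 0 0 0 - - - SEND
2007-10-15 09:14:10 DROP TCP 192.168.1.77 82.146.43.55 1200 21 0 - 0 0 0 - - - SEND
2007-10-15 09:15:00 ALLOW UDP 192.168.1.23 192.168.1.1 1050 53 0 - - - - - - - SEND
"""


def parse_pfirewall(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        values += ["-"] * (len(fields) - len(values))  # pad short records
        yield dict(zip(fields, values))


def find_c2_contacts(text, c2=NETVIEW_C2):
    """Map each source IP to its (action, protocol, dst-port) attempts toward c2.
    DROP entries count too: a blocked upload still means the host is infected."""
    hits = defaultdict(list)
    for rec in parse_pfirewall(text):
        try:
            dst = ipaddress.ip_address(rec["dst-ip"])
        except ValueError:
            continue  # malformed record, skip it
        if dst == c2:
            hits[rec["src-ip"]].append((rec["action"], rec["protocol"], rec["dst-port"]))
    return dict(hits)


def hidden_dropper_present(root="C:\\", name="wsusupd.exe"):
    """True if root\\name exists with both Hidden and System attributes set.
    None when the file is absent or the OS does not expose st_file_attributes."""
    path = os.path.join(root, name)
    if not os.path.isfile(path):
        return None
    attrs = getattr(os.stat(path), "st_file_attributes", None)  # Windows only
    if attrs is None:
        return None
    wanted = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
    return attrs & wanted == wanted


def block_rule_command(c2=NETVIEW_C2):
    """Windows Firewall (netsh advfirewall) rule denying outbound traffic to c2."""
    return ('netsh advfirewall firewall add rule name="Block Trojan.Netview upload" '
            f"dir=out action=block remoteip={c2}")


if __name__ == "__main__":
    for host, conns in find_c2_contacts(SAMPLE_LOG).items():
        allowed = sum(1 for action, _, _ in conns if action == "ALLOW")
        print(f"{host}: {len(conns)} attempt(s) to {NETVIEW_C2}, {allowed} allowed -> scan it")
    print("dropper present:", hidden_dropper_present())
    print(block_rule_command())
```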

Adam Thomas

Security conference attendees fall victim to man-in-the-middle hack


Just got this by email from Didier Stevens:

I witnessed a man-in-the-middle attack on the TLS at hack.lu (a hacker/security conference held in Luxembourg) this weekend. Thomas Roessler, who was also in the room, managed to capture a lot more than a screenshot and posted his fact-findings here.

So, what happened? As I said in a spontaneous lightning talk after that session, my diagnosis was that somebody was running a man-in-the-middle attack on a room full of security people. The tool they were using rewrote the TLS certificates that were shown by servers, but tried to keep the human-readable information in the certificate intact. (As Benny K notes in a comment, “the certificate seemed fine”.)

What fascinates me most about this incident is that several security professionals in the room still accepted the forged certificate while they knew they were connected to a hostile wireless network.

You can see the image at Didier’s blog here.

Alex Eckelberry

Vive la France: AOL France does its layoffs in style

For your weekend viewing pleasure: AOL France did an amazing video of the End of AOL France.

Must watch.

The password is “aollover”.

(Via Silicon Valley Insider.)

And it’s all done in one shot.

On seeing the video, ex-AOLer Peter Shankman (who got laid off from AOL in 1996), said “say what you want, but working at America Online was still, to this day, the best thing that ever happened to me in my life. The second best thing was being laid off.” (And he loves the French video — “when we got laid off in 1996, all we did was drive home and drink beer.”)

Alex Eckelberry
(Thanks Skip)

Flame mail of the year

One of the hazards of blogging and writing about malware is that occasionally, users will Google a piece of malware, find some posting on our website or blog about it, and incorrectly assume that we’re the makers of it.

In this case, a user, Jane, apparently googled WinAntivirusPro, thought that we are the ones who make it and sent us a scathing letter recently. It’s high on profanity, so I have not posted it directly in this blog — instead, it’s linked here. It just goes to show the absolute rage that a piece of malware can create in a user.

Unfortunately, our attempts to convince users that we’re not the developers of this type software often fall on deaf ears.

Ah well.

Alex Eckelberry

Some new fake codec sites for blocking


DNS changer fake codecs.

Alex Eckelberry

Heroin, RPGs and gay slaves: Strangest spam ever

You can’t make this stuff up. We just received this sick spam from a user in the field:

[Image: the first spam message]

Then, followed by this one:

[Image: the second spam message]

The contact email address appears to be an email address of a legitimate (err, normal) person, so it’s likely an attempt to wreak havoc on some poor sod’s life (a Joe Job). We continue to research this.

Alex Eckelberry

Update: Brian Krebs let me know that this isn’t new. I’m surprised I’ve never seen it before.

Some light reading for you

Joe St Sauver, Ph.D. at the University of Oregon gave a rather grim presentation at the Internet2 Member Meeting last week.

He points out the potentially serious issue of electromagnetic pulse (EMP) and pandemic flu as threats. While some might feel this is a good opportunity to bring out the Good Old Aluminum Foil, it is interesting stuff, possibly serious, and having a basic understanding of these types of threats is worthwhile.

Today we’re going to talk about two unusual threats: high altitude electromagnetic pulse (EMP) effects and pandemic flu.

Those may seem like a couple of odd topics. After all, aren’t system and network security guys supposed to worry about stuff like network firewalls, hacked systems, denial of service attacks, computer viruses, patching, and when you last changed your password? Sure. No question about it, those are all important system- and network-related security topics, and those are all topics which have been covered repeatedly in a variety of fora.

Given all those sort of mundane threats, it can be hard to think about “throw it long”/less-talked-about threats — after all, there are just too many high profile day-to-day operational IT security threats which we have to worry about instead, right? No – emphatically no! You need to worry about both the day-to-day stuff, and the really bad (but thankfully less common) stuff, too.

Check it out here (pdf)

Alex Eckelberry
(with thanks to Paul Ferguson for the link.)

Call for beta testers: Sunbelt Network Security Inspector


I’m putting a call out for beta testers for the new version of our network security tool, Sunbelt Network Security Inspector (this is a tool for network security analysis, not for home/consumer use — think of tools like Nessus, etc.).

If you’re involved in network security, I invite you to beta test this new release. Simply send an email to beta(at)sunbelt-software.com, with the subject “SNSI 2.0 BETA”.

Alex Eckelberry

Preview of the new book, Zero Day Threat

From Byron Acohido (of USA Today):

As many of you know, I have been working with Jon Swartz on a non-fiction techno thriller about Internet security and cyber crime. We’re in the home stretch, with publication set for April 2008.

Here’s a preview from their website:

On a frigid afternoon in December 2004, veteran Edmonton Police Detectives Al Vonkeman and Bob Gauthier hustled to the Beverly Motel, a dingy, cinder-block establishment, where rooms rent by the hour. They were chasing down a tip that someone in Room 24 was using the phone to access a dial-up Internet account linked to an email folder brimming with stolen identity data.

As Vonkeman and Gauthier prepared to burst in, the door to Room 24 opened and out strolled Biggie, a garrulous methamphetamine addict and trafficker they’d arrested numerous times, followed closely by Socrates, a gaunt 20-year-old computer nerd. Both were sky high on ice—crystal methamphetamine—but gave the officers no trouble. Inside Room 24 the detectives found meth pipes, stolen credit cards, notebooks with handwritten notations about fraudulent transactions, and print-outs of stolen identity data. The distinctive sickly aroma of recently-smoked ice pervaded the air.

“They were just starting to set-up,” recalls Vonkeman.

Biggie and Socrates were preparing to play bit parts in an international money laundering scam made possible by the financial services industry stampede to exploit the Internet’s convenience and global reach. The little operation in the motel room may have looked like small potatoes. But Vonkeman and Gauthier would later discover that the pair worked in concert with a loose confederation of hackers and scammers based in the U.S., Quebec, Romania and Bulgaria. The Edmonton addicts, in fact, comprised a prototypical cell of street operatives helping to carry out the final, riskiest step of online scams—extracting cash from hijacked accounts.

The set-up in Room 24 was not an isolated example. The Internet is rife with chat rooms where drug addicts and street toughs forge partnerships with Third World hackers and fraudsters. This teeming, mostly unseen, world of Internet crime points up a cataclysmic shift all too quietly reverberating through Western society. Here’s the dirty little secret about the digital age we live in: no one is safe from data theft and online financial fraud.

Link here.

Alex Eckelberry

User friendly: Unbricking the iPhone

Following on my previous rant, iPhone Elite (a development group that’s spun off of the unofficial “iPhone Dev Team”) has posted instructions on how to unbrick an iPhone (via InfiniteLoop).

While it’s certainly doable for anyone with a modicum of technical expertise (and written for that audience), one can only wonder about average users (for whom it could be argued that Jean François Champollion had an easier time deciphering Egyptian hieroglyphics).

Example:

6. Complete the baseband downgrade by jailbreaking/activating, installing SSH on to the iPhone etc. There are tons of wiki’s about that so I won’t repeat. (Probably also true for step 4 and 5.)

7. Extract the baseband firmware and EEPROM files of 3.14 from the ramdisk of firmware 1.0.2. The files are named ICE03.14.08_G.eep and ICE03.14.08_G.fls and are located under /usr/local/standalone/firmware.

8. Get the secpack of baseband firmware 4.0 (some people have that, I have no idea how they got it but its needed). Name it “secpack”. (maybe http://**********.com/files/61914114/secpack40113.bin will help)

9. Download iEraser2 here or from Geohot’s blog.

10. Install all the tools onto the iPhone (I use the location /usr/local/bin.) You need to have SSH access to the 1.0.2 firmware iPhone and upload iEraser2, the secpack, ICE03.14.08_G.eep, ICE03.14.08_G.fls and anySIM 1.0.2

This is ludicrous. Apple, please figure out a way, tacitly or explicitly, to unlock the damned phone so people can get on with things — and please stop bricking phones. Your contract with AT&T is not nearly as important as your goodwill and market opportunity.

Alex Eckelberry

Must read: The Russian Business Network

For some time, malware researchers around the globe have been tracking the shady work of the Russian Business Network (RBN).

If you wanted to point a finger at one group responsible for a lot of pain on the Internet these days, it’s this outfit.


Brian Krebs at the Washington Post has written a good overview of the RBN.

Article here, with further posts on Brian’s blog here and here.

Alex Eckelberry
(Hat tip to Ferg)

Hoax? Is Alexey Tolstokozhev, spammer, dead?

Who is Alexey Tolstokozhev? According to a post on a website run by “Alex Loonov”, he’s a really bad spammer and he’s been shot.

Wow, just saw this on TV, so I decided to translate this story into English so my readers will be first to learn this. Sorry for mistakes in my English, I’m doing this in a hurry 🙂

Alexey Tolstokozhev (btw, in Russian his name means ‘Thick Skin’), a Russian spammer, found murdered in his luxury house near Moscow. He has been shot several times with one bullet stuck in his head. According to authorities, this last head shot is a clear mark of russian hit men (known as “killers” in Russia).

This is starting to circulate around the net rapidly.

Except I’m not sure it’s true.

Alexey Tolstokozhev doesn’t show up on ROKSO. He doesn’t show up on any web searches. And no one I know in the security industry has ever heard of this guy.

And who is Alex Loonov? Well, his website shows all kinds of archives and looks like it has a lot of material.

Except it was only registered today, at, of all places, the infamous EST Domains.

I smell a hoax.

Alex Eckelberry
(Hat tip to Jose Nazario)

Update: Yup, it’s certainly a hoax.

Update 2:
I wouldn’t encourage visits to this hoax site. There’s no malware on it and you’re not going to get infected. But given where this thing is hosted (and the fact that it is tracking visits), why bother? (If you’re seriously paranoid, you might even go so far as to use TOR to anonymize yourself.)

At any rate, here’s the link to the hoax website: loonov(dot)com/russian-viagra-and-penis-enlargement-spammer-murdered(dot)htm

New Scam: Web Spy Shield

This is a new scam, which does a fake scan of your PC off of a web page. Pretty cool to watch — it just makes stuff up.

As Sunbelter Patrick Jordan says:

It installs a toolbar and an exe in a webspyshield folder; however, it is a fake web based scam. You have to be connected for it to run and I would hate to think what anyone may pay for to register it as it is no real software but only a new form of their online scanner scams.

The HijackThis log shows it even hijacks the home page.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webspyshield(dot)com/scan.html
O2 - BHO: WebSpyShieldToolBarShower - {DC87418B-0B2C-424E-900D-54F2ECE15B6B} - C:\Program Files\WebSpyShield\WebSpyShield.dll
O3 - Toolbar: WebSpyShield - {E4988DE7-C5DB-4173-96F9-AAC426AF7BCE} - C:\Program Files\WebSpyShield\WebSpyShield.dll
O4 - HKCU\..\Run: [WebSpyShield] C:\Program Files\WebSpyShield\WebSpyShield.exe

[Image: the Web Spy Shield fake scan page]

Alex Eckelberry
(Credit to Bharath)