Adult Friend Finder settles

Today, the FTC announced a settlement with Adult Friend Finder:

The settlement bars the defendant from displaying sexually explicit ads to consumers unless the consumers are actively seeking out sexually explicit content or unless the consumers have consented to viewing sexually explicit content. It requires the defendant to take steps to ensure that its affiliates comply with the restriction, and end its relationship with any affiliates who do not comply. It also requires the defendant to establish an Internet-based mechanism for consumers to submit complaints. Finally, the settlement contains bookkeeping and record-keeping requirements to allow the Commission to monitor compliance.

(Note that it was just a few days ago that we documented a very graphic AFF video.)

Some comments: A major reason for AFF’s problem with this type of advertising is its extremely aggressive affiliate programs, providing high payouts to affiliates who recruit subscribers to AFF — or even simply refer people to AFF (pay-per-click programs). While AFF may no longer provide materials to their affiliates which are sexually explicit, this company will need to pay particular attention to its affiliate channels. There’s just too much money there.

And any malware researcher has also seen AFF ads in spyware. Whether this is through affiliates or not, it is still the responsibility of the company to advertise through legitimate channels — not through malware.

Their advertisements have also been seen extensively in fake pages on social networking sites (MySpace, Tagworld, etc.), and there’s been plenty of fake “Friend” invites through these networks — which are only designed to feed the site with more subscribers. Again, this may or may not be done directly by AFF, but it’s still their responsibility.

Another problem with AFF is the fact that the company’s service itself is sold in a highly misleading fashion:

  • The advertisements feature actresses or porn stars, who are not necessarily indicative of the women actually on the site.
  • A Volicitypress study showed that the male-to-female ratio is 10:1, with only about half of the women actually interested in a relationship with a man.

In short, it is highly unlikely that a man who signs up for the site will actually be able to “hook-up” with a woman, either one represented by the misleading advertisements, or any woman at all.

It’s good to see the FTC has taken some action here on the most egregious problem. But there are still other issues with this company.

Alex Eckelberry

Some additional commentary about the Antimalware Testing Group

You may have seen the recent articles on a new antimalware testing effort being launched. We’re part of this effort and very glad to see that it’s happening. New and standardized testing methodologies in this day and age are vital.

Andreas Marx, who is spearheading the new testing group, emailed some excellent remarks on the effort, and with his permission, I’m posting some of his comments:

As you know, the number of new (unique) malware files per day is increasing in high numbers — so far, we’re getting something around 2,000 to 2,500 samples per hour from various sources. The average lifespan of a malware file (used with criminal intent) is, however, only seven hours, according to Symantec.

Current AV software tests are still focusing mainly on some kind of “detection scores”, but testing the software against millions of inactive, outdated and thus “dead” files can’t be seen as useful anymore and the results of such tests are not only less meaningful, but they mislead the average user a lot.

Most of the currently used tests were developed 15 to 20 years ago, but the attack vectors and the offered protection have changed a lot.

Take the example of cars: we no longer only have safety belts as protection, but also different kinds of airbags, ABS, car stabilization features, crumple zones and so on.

Nobody would think that a review which is only focused on safety belts would give a reader an idea of how well the protection of a car is working. In the case of anti-malware products, the situation is very similar. Therefore, it’s not only important but essential that all parts of the products are tested in a proper way. A single safety belt check… erm, test for detection scores only is not enough.

This includes but is not limited to the testing of the behavior-based detection mechanisms (also called “Dynamic Detection”) which are now used in more and more products. Proper detection and removal of actively running rootkits as well as of other malware and ad-/spyware are also points to consider. Testing the “real world” experience would be the way to go. But how to do this?

During the International Antivirus Testing Workshop in Reykjavik (Iceland) the industry started to discuss the idea of how anti-malware products could be tested in a better way than it’s done today. At the end of the workshop, representatives from Symantec, Kaspersky, F-Secure and Panda, together with AV-Test.org, formed a plan to create a working group. This entity should not only publish guidelines and papers on a regular basis on the topic of AV testing but also educate the users and other testers. Therefore the tests, and thus finally the protection products, can be improved. When tests are focused only on “outdated” aspects, developers would need to focus on the “wrong” points of their products, instead of improving the really important parts. Consequently, users would buy products which are well-tuned for tests but which are not offering adequate protection in the “real world”.

During the Virus Bulletin 2007 Conference in Vienna (Austria), we set up another meeting (which was focusing on the “Dynamic Testing” aspects) where representatives of Avira, PC Tools and Trend Micro joined the initiative. The first publication on the topic “Analysts Work on Improved Antivirus Software Test” can be found here.

Last week, AV-Test.org’s Maik Morgenstern and Andreas Marx attended the AVAR 2007 Conference. We spoke about the topic “Dynamic Testing” — a paper which was a joint effort of AV and AS companies’ team members, from Sunbelt, Kaspersky, Eset, Webroot, IBM ISS, PC Tools, Symantec, Sana Security, F-Secure, Panda, Trend Micro, Sophos et al., as well as the testing organizations Virus Bulletin and AV-Test.org, of course. (The paper and the PPT will be available on our webpage by next week.)

As the project related to the behavioral testing paper worked very well, members of this team had the idea to found an “Anti-Malware Testing Working Group” by the beginning of next year, to work on future projects and similar topics related to testing, and to create new standards which reflect the capabilities of the security products in a better way.

Alex Eckelberry

State of South Carolina lovin’ porn

[screenshot]

The sc.gov website is hosting porn pages which redirect to malware.

(Image thumbnailed due to graphic content.)

[screenshot]

Example 1:

[screenshot]

Example 2:

[screenshot]

You get the picture (no pun intended).

On a quick look, it looks like a DNS hack:

Host Name: sc.gov
IP Address: 167.7.41.120

Host Name: beready.sc.gov
IP Address: 66.235.210.100

Maybe James Taylor didn’t have this in mind when he wrote the song.

Alex Eckelberry
(Thanks Patrick Jordan)

New fake codec trojan variant — Windows and Mac — codecmega

A new fake codec: codecmega(dot)net

Pushes both Windows and Mac TrojanDNSChanger. Sample binaries: Mac: codecmega(dot)net/download/codecmega(dot)dmg; Windows: codecmega(dot)net/download/codecmega(dot)exe. If you are hunting for Mac fake codecs, remember to change your user agent to a Mac. And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.

Alex Eckelberry
(Thanks Patrick Jordan)

So… what happened to the blog

The past few days have been a bit of hell. Apparently, this blog (and others) was automatically migrated (by Blogger) to XHTML last Friday, something which has been going on for a while. Unfortunately, there were a couple of problems:

1. No one told us this was going to happen.

2. The migration wiped out our blog template.

Unfortunately, all efforts to restore our blog template failed. Even if we put up a new default Blogger template, it would only stick for a couple of hours, and then *poof*, it would be replaced by a different default Blogger template (unfortunately, usually one with polkadots). And when we reverted to the classic template (which gets rid of the XHTML stuff), we still had this problem. However, Robert LaFollette, our creative director, fiddled with it and finally found a way to make the classic template stick.

And now I think we have this problem nailed.

Alex Eckelberry

Malware Exploiting Death of Zoey Zane

From the sicko department . . . We have received multiple public reports of attackers using the recent murder of 18-year-old college student Emily Sander (AKA “Zoey Zane” in the adult film industry world) as a lure to install malware.

From about.com:

Dental records have confirmed that a body found near a Kansas highway is missing community college student and Internet porn star Emily Sander, authorities said. An autopsy has been completed, but the results have been sealed and are not available to the media . . . After Sander disappeared, it was discovered that the 18-year-old college student led a double life as “Zoey Zane,” a character she played on Internet porn sites.

Attackers have obtained very good search engine position when looking for information about “Zoey Zane”, and users may be lured into installing an “ActiveX upgrade” or “Flash Player” upgrade in order to view a video.

[screenshot]

[screenshot]

In actuality, this “ActiveX video decoder” or “Flash Player Upgrade” is a Trojan that installs a Browser Helper Object (BHO) which produces fake pop-up messages and modifies search engine results in an attempt to install the rogue software IE Defender.

[screenshot]

[screenshot]

Adam Thomas

This blog is hurting…

For some baffling reason, the template for this blog has been deleted and replaced with an ugly Blogger template — and it keeps happening. This started happening around 5 pm yesterday.

I’m not the only one — Dancho Danchev’s blog has had this happening as well. And I’m sure there’s many others.

So hang tight, we’ll get the old template back and hopefully it will stick.

But for now, a lot is broken, including Haloscan commenting.

Alex Eckelberry

New fake codec trojan variant — Windows and Mac — codectime

A new fake codec: codectime(dot)com

Pushes both Windows and Mac TrojanDNSChanger. Sample binaries: Mac: codectime(dot)com(dot)/download/codectime(dot)dmg; Windows: codectime(dot)com(dot)/download/codectime(dot)exe. If you are hunting for Mac fake codecs, remember to change your user agent to a Mac. And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.

Alex Eckelberry
(Thanks Adam Thomas)

Dwindling Spiral: The increasingly degraded practices of Adult Friend Finder

As a follow-up to my recent post about AFF, we now see them using video hard core porn to lure more subscribers.

[screenshot]

While AFF has allegedly used fake pictures of porn stars in the past to promote their site, this is a video clip of hard core porn that plays as an ad — something that is new.

And AFF is getting aggressive on subscriber acquisition, which they’ve made clear to their affiliates:

Reminder: Medley is giving an extra $20,000 to the affiliates with the biggest signup increase for the last two weeks of November (Nov 18 – Dec 1) vs the first two weeks (Nov 4 – Nov 17th). All FriendFinder affiliates with accounts older than one month are eligible. Signup increases will be measured by combined signups on Adult FriendFinder, Cams.com, ALT.com, OutPersonals.com, FriendFinder.com, and our newest hit: MillionaireMate.com. The top increasing affiliate will receive $10k, the 2nd place affiliate $2k, and the next 8 affiliates will each receive $1k.

But we’re not done yet. We are running a 10% bonus for November. To qualify, all you need to do is earn more in November than you did in September and October (whichever had the highest daily average earnings) and we’ll add 10% to your November earnings.*

I hope the alleged buyer of AFF knows what they’re getting into….

Alex Eckelberry
(Thanks, Patrick Jordan)

Four new rogue antispyware programs

4 new rogues of the SpywareNo/Spysheriff/MalwareAlarm Family

1. Site:dr-protection(dot)com
Listed in the CounterSpy database as DrProtection

2. Site: guard-center(dot)com
Listed in the CounterSpy database as GuardCenter

3. Site: liveantispy(dot)com
Listed in the CounterSpy database as LiveAntiSpy

4. Site: online-guard(dot)net
Listed in the CounterSpy database as OnlineGuard

Patrick Jordan
Sunbelt Software Malware Research

Another reason why Firefox really is safer than IE

Not the first time I’ve noticed this — IE 7 is really behind on tagging phish. It’s a real shame, too — I know people on the IE team, and I know they mean well and work hard. But something’s not working right in the system. And IE 7 certainly needs the protection with the amount of users running it.

Same phish, at the same time:

[screenshot: IE 7]

[screenshot: Firefox]

And in IE 7, if you want to report a web forgery, you have to go through a two-step process and an incredibly painful CAPTCHA (which even I stumble over when trying to enter):

[screenshot]

I know why Microsoft is slower than Firefox in tagging websites — they have to be more careful about showing a site as bad with the market share they have. But I believe that a few false positives are well worth the benefit of saving people from phishing and fraudulent websites.

Microsoft — Go for it. Be aggressive.

(And yes, I know this is a completely unscientific observation.)

Alex Eckelberry

Porn back on ca.gov site? Oh, this is not good

Update 11/29: As of this evening, the links are gone. All clear… that was fast.

Update 12/1: As of the morning of 12/1, the porn links are back.

Update 12/1: As of 4 pm EDT, the porn links are gone. I’m getting tired of checking this.

Remember that incident a while back where we discovered massive amounts of porn hosted by the Transportation Authority of Marin? It resulted in a federal shutdown of the entire state’s Internet and email service.

Incredibly, it’s back. Same site, same everything. Take a look at this Google search result (thumbnailed due to offensive content):

[screenshot]

Clicking those links lands you on a page which pushes a fake codec (malware):

[screenshot]

So, does this mean that the feds will shutdown teh internets again?

Alex Eckelberry
(thanks Patrick Jordan)

HEADS UP: More Google poisoning on the way?

Google has removed the sites responsible for the recent massive Google poisoning attack.

However, we’re seeing indications that another attack may be on the way. We have seen another spate of freshly registered websites using similar .cn domains. There seem to be two different groups here.

As an example, a simple search of “funny drunk quote site:cn” pulls up the following results:

[screenshot]

Notice the pattern? A large number of fresh .cn domains, each with numbered HTML pages.
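That pattern (throwaway .cn domains, numbered .html pages, fresh registrations) is easy to score mechanically when triaging search results or proxy logs. The following is an added example, not code from the original post; the URLs, domain ages and scoring weights are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed search-result URLs standing in for a "site:cn" result set;
# the domains are invented and are not the ones seen in the attack.
SAMPLE_RESULTS = [
    "http://qjxkwe.cn/17.html",
    "http://zrtyui.cn/402.html",
    "http://hbvcxz.cn/9.html",
    "http://mplokn.cn/1183.html",
    "http://www.example-jokes.cn/funny/drunk-quotes",
    "http://jokes.example.com/drunk.html",
]
# Constructed registration ages (days), as a WHOIS lookup would return them.
SAMPLE_AGES = {"qjxkwe.cn": 3, "zrtyui.cn": 2, "hbvcxz.cn": 5,
               "mplokn.cn": 1, "example-jokes.cn": 900}

_NUMBERED_PAGE = re.compile(r"^/\d+\.html?$", re.I)
_THROWAWAY_LABEL = re.compile(r"^[a-z0-9]{5,12}$")   # one short opaque label, no words/dashes

def poisoning_score(url, ages=None, fresh_days=30):
    """One point per trait of the poisoning template: .cn TLD, a single
    opaque label directly under .cn, a numbered .html page, and a domain
    registered within the last fresh_days (if an age is known)."""
    p = urlparse(url)
    labels = (p.hostname or "").split(".")
    registrable = ".".join(labels[-2:])
    score = 0
    if labels[-1] == "cn":
        score += 1
        if len(labels) == 2 and _THROWAWAY_LABEL.match(labels[0]):
            score += 1
    if _NUMBERED_PAGE.match(p.path):
        score += 1
    if ages and ages.get(registrable, fresh_days) < fresh_days:
        score += 1
    return score

def flag_poisoned(urls, ages=None, threshold=3):
    """URLs at or above the threshold; tune the threshold against known-good traffic."""
    return [u for u in urls if poisoning_score(u, ages) >= threshold]

def campaign_summary(urls, ages=None):
    """(distinct flagged domains, flagged URLs): many fresh domains each serving
    numbered pages is the campaign-level signature, a single hit is just noise."""
    domains = Counter(urlparse(u).hostname for u in flag_poisoned(urls, ages))
    return len(domains), sum(domains.values())
```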

However, there are apparently two different groups at work here. One we’ll call Type 1 — which appears to be the same group involved in the prior poisoning. And the other, we’ll call Type 2 (sorry, not very original, but we’re working fast here).

[screenshot]

Type 1 shows this style of page, and it looks like it’s coming from the same group that was involved in the recent Google poisoning:

[screenshot]

On exiting the page, you get pushed to install Spy-shredder, a rogue antispyware program.

[screenshot]

Even if “cancel” is pressed, you still get a fake scanning page.

Nothing unusual there.

[screenshot]

(You can see an example page source of Type 1 by looking at this dump.)

Type 2 is different, and simply shows users a site which is trying to generate traffic (for the purposes of getting affiliate commissions):

[screenshot]

Again, freshly registered stuff. You can see an example page source of Type 2 by looking at this dump.

Right now, we’re not seeing either site serve exploits, as we saw in the last attack. However, this could change.

Alex Eckelberry and Adam Thomas

New fake codec — Windows and Mac — codechq

A new fake codec: codechq(dot)net.

Pushes both Windows and Mac TrojanDNSChanger. Sample binaries: Mac: codechq(dot)net/download/codechq(dot)dmg; Windows: codechq(dot)net/download/codechq(dot)exe. If you are hunting for Mac fake codecs, remember to change your user agent to a Mac. And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.
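The codecmega, codectime and codechq posts above all drop TrojanDNSChanger, whose footprint on a victim is a rewritten resolver list. An added example (not code from the original posts) that parses resolv.conf-style and Windows "ipconfig /all"-style output and flags resolvers outside a trusted set; the trusted networks and the sample outputs are constructed.

```python
import ipaddress
import re

# Constructed: where this host's resolvers are expected to live (LAN ranges plus
# a documentation prefix standing in for the ISP's resolvers).
TRUSTED_RESOLVERS = [ipaddress.ip_network(n) for n in
                     ("192.168.0.0/16", "10.0.0.0/8", "203.0.113.0/24")]

# "nameserver 1.2.3.4" lines (Unix/macOS resolv.conf) and the Windows
# "DNS Servers . . . : 1.2.3.4" line with its IP-only continuation lines.
_UNIX_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.M)
_WIN_RE = re.compile(r"DNS Servers[ .]*:\s*(\S+)((?:\r?\n[ \t]+\d[\d.]+)*)")

def extract_resolvers(text):
    """Every resolver address found in either format, in file order."""
    found = _UNIX_RE.findall(text)
    for first, continuation in _WIN_RE.findall(text):
        found.append(first)
        found.extend(continuation.split())
    return found

def rogue_resolvers(text, trusted=TRUSTED_RESOLVERS):
    """Resolvers outside the trusted networks; any hit is worth an incident,
    since a silently changed resolver is exactly what DNSChanger leaves behind."""
    rogue = []
    for addr in extract_resolvers(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            rogue.append(addr)          # unparsable entry: treat as suspicious
            continue
        if not any(ip in net for net in trusted):
            rogue.append(addr)
    return rogue

# Constructed sample: a Mac whose resolver list was rewritten; only the
# second entry is the legitimate ISP resolver.
SAMPLE_MAC = """# resolver configuration
nameserver 198.51.100.23
nameserver 203.0.113.5
"""
# Constructed sample: Windows adapter settings after the same kind of change.
SAMPLE_WIN = """   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.23
                                       198.51.100.24
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
```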

Alex Eckelberry
(Thanks Bharath)