Some new twists in the Storm worm

Our friends over at Secureworks, who have done some great research on Storm, recently pointed out some very interesting information to us. The spam template (which typically includes data such as a peer list, addresses to spam, spam message content and some other data) was updated to include a list of over 1,000 Geocities domains.

These domains include a small piece of JavaScript code that redirects to a malicious web server.

The page you land on informs you that it is necessary to download and install a plug-in in order to view the content.

In reality, the “plug-in” is a variant of the dangerous information-stealing malware called Backdoor.Win32.Small.lu, which was first found back in late 2006. Many variants have spawned from it, including Infostealer.Monstres, Infostealer.Banker.C, NTOS, PRG and GPCode/Glamour (which included a file-encrypting ransomware function).

Stolen data from this Trojan is actively being uploaded to a server located in Turkey.

This particular attack appears to target only Dutch/German users and doesn’t appear to be widespread. However, it is not typical for the Storm botnet to be used to spread other malware in this manner, and this could indicate that the Storm herders are making the power of their massive botnet available to other malware groups.

Adam Thomas
Malware research

Rogue ads pushing malware — how it works

On Monday, eWeek wrote an article about DoubleClick displaying ads that promoted rogue antispyware. The article quoted our work.

To clarify — it wasn’t DoubleClick that was spawning the ads (well, it was, but it wasn’t). DoubleClick sells a system called DART, which websites (called “publishers” in the world of advertising) use to manage their advertising. So if you’re looking at the URL in a packet capture, it looks like it’s coming from DoubleClick. You can see this in a video that Roger Thompson made:

There will be more on this story later today, but quickly, here’s what’s been going on:

  • The slimeballs at Adtraff have gone out and registered buckets of sites.
  • They contact ad sales people at various websites (like the Economist, mlb.com, etc.) and buy advertising — always using wire transfer or credit cards. They play tricks, like buying ad space at the end of the month, when ad sales people are hungry for deals.
  • After the ad space is booked, they send the creative, which is always a .swf (Flash) file. It’s innocuous. In the case of the stuff that happened over the weekend, it was some ad for eMusic.

    (There’s a live sample still up — curious researchers can download it here: m1(dot)2mdn.net/1622576/199485_1194389307_numbers-count-728×90.swf.)

  • The SWF files vary: Sandi Hardmeier observed one recently for an airline auction site.
  • Inside that Flash file are encrypted redirects to whatever site that Adtraff is pushing (like this malware ad that is in Roger’s video above).
  • The redirect data in the Flash file does not show itself when the creative people at the website upload it. The redirects are triggered by times, geo location, etc.
  • In the case of DoubleClick, many publishers use DoubleClick’s DART system, which allows them to manage the ads. The ads are uploaded into the DART system, which hosts ads on DoubleClick’s servers. Then, websites can track how many people view the ad, generate reports, etc.

    So in the case of what we saw over the weekend, it looked to researchers like the ads were coming from DoubleClick — and they were — sort of. But it was the websites themselves that were uploading the ads onto the DoubleClick system. (DoubleClick is no longer in the ad network business — meaning, they are no longer in the business of placing ads on websites, with the exception of their Performics subsidiary).

  • DoubleClick itself is trying to filter these malicious ads, and is working on improved filters to better detect them.

This is not a trivial problem. The most important thing for publishers to do is to be extremely careful when accepting new advertisers (and be wary of the tricks these people use, like giving fake references), and then keep a close eye on the advertising as it’s running (and hopefully some good tools can be developed that let publishers check the content of ads for malicious redirects before posting).
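As an added example (not from the original post, and not DoubleClick’s or DART’s code), here is the kind of pre-publication check the paragraph above asks for: a small Python scanner that unwraps an uploaded SWF creative and lists every plaintext URL inside it that points outside the advertiser’s declared domains. The sample SWF and the domain names in it are constructed for the example.

```python
import re
import struct
import zlib
from urllib.parse import urlparse

# Matches absolute http(s) URLs embedded as plain strings in the SWF tag stream.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-_~:/?#@!$&'()*+,;=%]+")


def swf_body(data: bytes) -> bytes:
    """Strip the 8-byte SWF header and return the (decompressed) tag stream.

    Header layout: 3-byte signature ("FWS" = plain, "CWS" = zlib-compressed),
    1-byte version, 4-byte little-endian length of the whole uncompressed file.
    """
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    signature = data[:3]
    declared_len = struct.unpack("<I", data[4:8])[0]
    if signature == b"FWS":
        body = data[8:]
    elif signature == b"CWS":
        body = zlib.decompress(data[8:])
    else:
        raise ValueError("not a SWF, signature %r" % signature)
    if len(body) + 8 != declared_len:
        raise ValueError("length field does not match body; truncated or tampered file")
    return body


def find_urls(body: bytes) -> list:
    """All distinct plaintext URLs in the tag stream, sorted for stable output."""
    return sorted({m.decode("ascii", "replace") for m in URL_RE.findall(body)})


def foreign_urls(urls: list, allowed_domains: list) -> list:
    """URLs whose host is neither an allowed domain nor a subdomain of one."""
    allowed = [d.lower() for d in allowed_domains]
    out = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in allowed):
            out.append(url)
    return out


def scan_creative(data: bytes, allowed_domains: list) -> dict:
    """Every URL found, plus the subset that points outside the advertiser's domains."""
    urls = find_urls(swf_body(data))
    return {"urls": urls, "foreign": foreign_urls(urls, allowed_domains)}


def build_sample_swf(payload: bytes) -> bytes:
    """Constructed CWS file for offline testing: header + zlib-compressed filler and payload."""
    body = b"\x00" * 16 + payload + b"\x00" * 4
    header = b"CWS" + bytes([9]) + struct.pack("<I", 8 + len(body))
    return header + zlib.compress(body)


# Constructed sample: a music-store creative that also carries a hidden third-party redirect.
SAMPLE_SWF = build_sample_swf(
    b"http://www.emusic.example/landing\x00http://redirect.third-party.example/go?geo=nl\x00"
)

if __name__ == "__main__":
    print(scan_creative(SAMPLE_SWF, ["emusic.example"]))
```

A creative whose redirect is encrypted or built up in ActionScript, as the post describes, shows no plaintext URL at all, so an empty result is a reason to look deeper rather than a clean bill of health.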

Alex Eckelberry

New fake codec site: zangcodec

Pushes both the Windows and Mac versions of Trojan DNSChanger.

Sample binaries: Mac: zangcodec(dot)net/download/zangcodec4327(dot)dmg; Windows: zangcodec(dot)net/download/zangcodec4327(dot)exe. If you are hunting for Mac fake codecs, remember to change your user agent to a Mac. And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.

Alex Eckelberry

DNS hacks the norm

For search engine optimization and increased distribution, pornography and malware distributors commonly hack websites (interestingly, Google’s work in marking sites as “unsafe” in search results may be contributing to this trend, as it is driving malware and porn distributors to rely increasingly on hacking good sites to perform redirections to their own bad sites).

It’s rampant. And it’s most troubling because a lot of these are happening on .edu and .gov sites. Finding these hacked sites is trivial. Simply search for terms like “sex”, “porn”, “free ringtones”, “free”, “casino”, “sesso”, “gratuito”, “porno”, “fottilo”, etc., combined with the operator site:edu or site:gov (if you’re going to do this, be very careful with these links — they often push malware). Some of the stuff is just comment spam. But plenty is real live redirects.

What we’re also seeing is a lot of DNS hacks. For example, take the site of the City of Plainville, Kansas (warning: graphic content).

God what a mess. These people are so hosed it’s beyond belief. And those links push malware.

Now, let’s take a closer look. If we do a simple DNS lookup on cityofplainville-ks.gov, we get the IP 72.22.69.138. However, if we do a DNS lookup on, for example, 2.z.cityofplainville-ks.gov, we get an IP of 89.28.13.214. This same pattern shows itself on a number of other sites. And it is always the fault of the web hosting provider.
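As an added example (not part of the original post), this Python check turns the comparison above into a test a site owner can run against their own zone: resolve the apex and www, then resolve a few random labels that nobody would ever publish, and flag the zone if those labels answer with an address the real site never uses. The constructed_resolver replays the two answers quoted above instead of querying the live zone; system_resolve does the real lookup.

```python
import secrets
import socket
from typing import Callable, Dict, Optional

# A resolver maps a hostname to an IPv4 address, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def system_resolve(name: str) -> Optional[str]:
    """Live lookup through the host's configured resolver."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_wildcard_hijack(domain: str, resolve: Resolver = system_resolve, probes: int = 3) -> Dict:
    """Compare the zone's real hosts with answers for labels nobody would publish.

    A clean zone answers NXDOMAIN for made-up names, or, if it has a wildcard record,
    points them at the same address as the site. When random labels resolve to an address
    the real site does not use, a wildcard has been planted that sends visitors of any
    made-up subdomain somewhere else, which is the pattern described in the post.
    """
    legit = {ip for ip in (resolve(domain), resolve("www." + domain)) if ip}
    probe_answers = {}
    for _ in range(probes):
        # Two random labels, mirroring the "2.z.<domain>" shape seen above.
        name = "%s.%s.%s" % (secrets.token_hex(4), secrets.token_hex(2), domain)
        probe_answers[name] = resolve(name)
    wildcard = {ip for ip in probe_answers.values() if ip}
    return {
        "domain": domain,
        "legit_addresses": sorted(legit),
        "wildcard_addresses": sorted(wildcard),
        "suspicious": bool(wildcard) and not wildcard <= legit,
    }


def constructed_resolver(name: str) -> Optional[str]:
    """Offline stand-in replaying the two lookups quoted in the post (not a live query)."""
    zone = "cityofplainville-ks.gov"
    if name in (zone, "www." + zone):
        return "72.22.69.138"
    if name.endswith("." + zone):
        return "89.28.13.214"
    return None


def healthy_resolver(name: str) -> Optional[str]:
    """Offline stand-in for a zone with no wildcard: only the real hosts exist."""
    return "192.0.2.10" if name in ("example.org", "www.example.org") else None


if __name__ == "__main__":
    print(check_wildcard_hijack("cityofplainville-ks.gov", constructed_resolver))
    print(check_wildcard_hijack("example.org", healthy_resolver))
```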

Fair warning.

Alex Eckelberry
(thanks Francesco)

Webinar on email archiving this Thursday

Greg and I are holding another webinar on archiving for Exchange, featuring our upcoming product, Sunbelt Exchange Archiver.

From our propaganda department:

Join us for a look at Sunbelt Software’s new Exchange email archiving and compliance solution, Sunbelt Exchange Archiver.

If you need a powerful, easy to use, enterprise-class email archiving tool that automatically enables you to comply with all requirements, and allows you or your end-users to transparently retrieve any archived email, then don’t miss this webinar!

The webinar will be hosted by Alex Eckelberry, CEO, and Greg Kras, VP of Product Management for Sunbelt Software, on Thursday, November 15th at 2:00pm EST, and will explain the features and benefits of implementing a powerful email archiving solution on your Exchange Server at an affordable price.

Learn how Sunbelt Exchange Archiver can help you:

  • Improve Exchange performance
  • Eliminate PST headaches
  • Dramatically reduce backup times
  • Use up to an 80% smaller message store
  • Meet compliance requirements
  • And more

When: Thursday, November 15th, 2007 2:00 PM EST

To register for this event, click here.

Alex Eckelberry

eEye comment spam

This is kind of a bummer: A really good, very reputable security vendor is doing comment spamming. I did contact them the last time I saw this, thinking it might be a Joe job. Unfortunately, I didn’t get a clear answer. In fact, I got a response which indicated an affirmation of sorts.

The tech guys at eEye couldn’t possibly condone this type of activity. I know marketing departments (even mine) are sometimes not completely aligned with the mission of the company, and let’s hope this is only temporary.

Alex Eckelberry

Some more fake codec sites

gneprogram(dot)com
ndcperformance(dot)com
mzdsoftware(dot)com
pkbsolution(dot)com
zerocodec(dot)com

As is the case with fake codecs these days, the binaries are hidden, and getting them depends on where the developer has put them. With certain sites, you can often get a sample through /download/(sitename).exe (there are always more binaries in the same directory as well, each numbered for affiliates). For other codec sites, /download.php?id=4082 will get a binary (that number is just an affiliate ID — other numbers work as well). If you are hunting for Mac fake codecs, remember to change your user agent to a Mac. And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.

Alex Eckelberry
(Thanks Bharath)

A culture of fear: Japanese traveler removed from train for taking pictures

Our post-9/11 culture of fear is not having the best effects on our economy. And this depressing story, of a foreign traveler removed from a train for taking pictures, is just another sad highlight as to why:

The police speak through the interpreter, with the impatience of authority. “The conductor asked this man three times to discontinue. We must remove him from the train.” The traveler hears the translation, is befuddled. Hidden beneath the commotion is a cross-cultural drama. With the appearance of police officers, this quiet visitor is embarrassed to find he is the center of attention. The officers explain, “After we remove him from the train, when we are through our investigation, we will put him on the next train.” The woman translates. The passenger replies, “I’m meeting relatives in Boston. They cannot be reached by phone. They expect me and will be worried when I do not arrive on schedule.” “Our task,” the police repeat, “is to remove you from this train. If necessary, we will do so by force. After we have finished the investigation, we’ll put you on another train.” The woman translates. The traveler gathers his belongings and departs.

Link here (via Schneier).

Alex Eckelberry

Seen in the wild: Fake error message pushes, of all things, Google Pack

Google Pack — completely legitimate.

Unfortunately, one naughty group is trying to get affiliate commissions from Google by referring customers to download the Google Pack — all to watch a porn movie (I hope that convoluted sentence makes sense).

In this case, one can assume it pays as well as or better than pushing malware to push this legitimate application (I’m sure that these folks would be pushing malware if the money was there, as it’s all about money). Intriguing that Google’s high affiliate commissions are in competition with malware.

If there’s any silver lining, it’s that the customer will install a reasonably good bundle of tools in order to watch their porn.

I suppose it’s better than getting a malware install.

(Google has been contacted about this rogue affiliate and I expect the affiliate will be down very rapidly — Google’s responses on these matters are very rapid.)

Alex Eckelberry
(Credit to Sunbelt researcher Patrick Jordan)

A little bit of de-fudding on the DNS changing Trojan

We’ve seen quite a bit of FUD out there about the Trojan DNSChanger (both Windows and Mac versions) hijacking your DNS settings and then redirecting you to malicious websites, stealing personal identities, killing your dog and even crank-calling your grandmother with naughty messages.

Actually, it’s quite a bit more pedestrian than that, and we thought we’d set the record straight.

This Trojan is all about generating affiliate commissions by redirecting search results. So if you google “Spyware”, you’ll get search results they want you to see.

Capiche?

Here’s a video that I did with Adam a few months back that shows a Windows TrojanDnschanger in action:

It explains it all.

Alex Eckelberry

Another fake codec — Windows and Mac

Typical Trojan DNS Changer, located at xerocodec(dot)net.

As is the pattern of these sites, the binaries are found through /download/(sitename).extension. So the Windows binary is xerocodec(dot)net/download/xerocodec(dot)exe and the Mac binary is xerocodec(dot)net/download/xerocodec(dot)dmg (there are more downloads in the same directory as well). And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.

Alex Eckelberry
(Thanks Patrick)

Mac trojan: This guy gets it

I’m surprised I didn’t catch this earlier. Craig Schmugar at McAfee gets it in his blog post:

Having said all this, these points are not what make this threat significant. What sets this threat apart from other proof-of-concept Mac threats and low-scale attacks is the entity behind it. Puper (a.k.a. Zlob) is one of the most widely reported pieces of malware for Windows. McAfee VirusScan Online users reported more than 4 million detections during the past two years. Microsoft’s latest security threat report states Zlob was the most frequently disinfected piece of malware. Unlike earlier Windows malware, this Mac Trojan is authored by professionals who likely pull in thousands of dollars a month through click fraud, hijacked affiliate sales, and other illegal activity.

Link here.

Alex Eckelberry
(thanks Francesco)

Another Mac security update

F-Secure writes:

“Looks like the Mac Trojan we posted about last week was not an isolated incident. The gang behind it seems serious about targeting Mac users as well as Windows users. And they keep putting out slightly modified versions of the trojan for the Mac too.”

Yeah.

Also, malware researchers: You may be able to find the DNS Changer Trojan by going to a DNS changer codec site, and using “.dmg” as your file extension instead of “.exe”. As an example, vivacodec(dot)net/download/vivacodec1000.exe downloads the Windows trojan. But going to vivacodec(dot)net/download/vivacodec1000.dmg brings down the Mac binary. Remember to set your user agent to look like a Mac. (Obviously, don’t download these binaries unless you know what you’re doing.)

Alex Eckelberry
(Hat tip to Bharath)

The confusing saga of Roberto Preatoni

Roberto Preatoni is the founder of Zone-H as well as WabiSabiLabi. He’s well respected in security circles and has even been a professor at the University of Urbino. This is not some malicious hacker. He’s a security professional. He’s also been a staunch advocate of civil liberties in the post 9/11 world.

Yesterday, he was arrested in Italy, on charges that are more than confusing (particularly since the news is mostly in Italian). There are even hints at charges of conspiracy to commit murder — which is utter nonsense.

ComputerWorld has a writeup which is the most lucid, and so we can put together the following fact pattern:

  • Preatoni was hired by Telecom Italia to perform pen testing — a completely legitimate, white-hat activity. He was hired as part of a group dubbed the “Tiger Team”.
  • However, a number of members of this team were charged earlier this year with spying on the CEO of Brasil Telecom and others — and this has been big news in Italy for months now.
  • Preatoni seems to have been caught up in this mess and has found himself charged with spying as well.

I find Preatoni’s alleged guilt quite hard to believe. Preatoni might have been controversial at times, but I find it more than highly unlikely that he would have used his skills to hack illegally.

The problem is that there is not an abundance of technology know-how in jurisprudence, and one can only hope that he gets treated fairly. The Italian press is probably going to sensationalize this story, which certainly isn’t going to help matters. As one of our researchers, who is Italian, put it to me, “…who knows. The press in Italy is so bad, they make stuff up all the time.”

More information is coming out later today, and we should be able to post some updates.

Alex Eckelberry

Mac security counterpoints

A couple of articles have come out that provide some counterpoint on the “Is the Mac no longer secure because of this new Trojan, bla bla?” question.

Mac apologist Carl Howe writes a slightly misinformed article on Mac security, where he (sort of) confuses vulnerabilities with this new Trojan and generally bashes Windows.

Ok, just to make it clear: This Trojan is not a vulnerability in OS X, does not use a vulnerability in OS X, is not an exploit and I wish it would stop being referred to in these wildly incorrect terms.

David Harley writes a more reasoned essay, where he points out the Big Critical Piece of Information that Some People Aren’t Getting: The majority of malware attacks are done through social engineering, and this Trojan is installed through social engineering, and that this piece of malware comes from the same group that’s making a lot of money off of Windows users.

This Trojan is quite widespread on Windows (fake codecs are always at the top on our threat center, which tracks in real-time what is actually being removed by CounterSpy users). It requires user confirmation to run, so what makes Mac users think that they are immune to this type of social engineering?

There was even one respected security researcher who implied that Mac users were generally smarter than Windows users and thus weren’t as likely to install the Trojan. Well, this comment on my blog should answer that question:

I am new to the mac life! I just bought a video camera and hooked it up to my new macbook and the video didn’t work so I downloaded whatever popped up!!! I had no idea why my video didn’t work and i figured that mac’s are suppose to be soooooo user friendly that I needed to download it. NOW WHAT DO I DO? HOW DO I KNOW IF I GOT THIS DARN TROJAN OR NOT???? EEK please help?

QED.

Mac users are human beings, like all the rest of us, and can be fooled like all the rest of us. This Trojan is very deceiving, and its existence is simply a wake-up call that the professional, for-profit malware authors have moved into the Mac world, and now Mac users simply need to be more vigilant.

Alex Eckelberry

Ingenious new method used by spammers

I love doing Google hacks, so this caught my eye: Our friends over at Symantec wrote up an interesting report on a new method spammers are using to bypass filters. Many filters look at the URLs inside a spam to determine the spamminess of an email.

In this case, a spammer used a Google search link instead of a URL.

Here’s what the spammer did to pull off this little magic trick:
1. The spammer devised a query string which yielded only his or her URL as result of an advanced Google search.
2. The spammer then simulated the click of the “I’m Feeling Lucky” button (notice the ‘&btnl=’ at the end of the above URL) that will take you to the URL of the first result that comes up for the entered search query.
3. Lastly, the spammer packed this URL into a regular email and sent it out to evade spam filters.

Very cute. More here (via the Register).
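As an added example, not from Symantec’s report or the original post, here is a Python filter rule for the trick: it picks out Google search links that carry the “I’m Feeling Lucky” parameter (the form field is btnI with a capital I, which the “btnl” above is a rendering of) and pulls the spammer’s real domain out of the query’s site: operator, so the URL reputation check can run against that domain instead of against google.com. The sample message and its domains are constructed.

```python
import re
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_google_search_host(host: str) -> bool:
    """google.<tld> or www.google.<tld>, whatever the country suffix."""
    labels = host.lower().split(".")
    return labels[0] == "google" or labels[:2] == ["www", "google"]


def analyze_link(url: str) -> dict:
    """Classify one URL; a Feeling Lucky search link is flagged and its query extracted.

    The btnI field may be sent with an empty value (as in the spam described above),
    so blank values must be kept when parsing or the parameter silently disappears.
    """
    parts = urlparse(url)
    host = parts.hostname or ""
    query = parse_qs(parts.query, keep_blank_values=True)
    lucky = is_google_search_host(host) and parts.path == "/search" and "btnI" in query
    q = query.get("q", [""])[0]
    # A site: operator in the query names the spammer's own domain; that is what the
    # reputation check should score, since the visible host is just google.com.
    site = re.search(r"site:(\S+)", q)
    return {
        "url": url,
        "feeling_lucky": lucky,
        "search_query": q if lucky else "",
        "target_domain": site.group(1).lower() if (lucky and site) else "",
    }


def scan_message(body: str) -> list:
    """Return the analysis of every link in a message that is a Feeling Lucky redirect."""
    hits = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:)>")  # trailing punctuation belongs to the sentence, not the URL
        result = analyze_link(url)
        if result["feeling_lucky"]:
            hits.append(result)
    return hits


# Constructed sample message (not a real spam run): one Lucky redirect, one ordinary link.
SAMPLE_BODY = """Great prices this week, see
http://www.google.com/search?q=zxq-pharma-deals+site%3Apharma-spam.example&btnI= now.
Unsubscribe: http://www.example.org/unsub"""

if __name__ == "__main__":
    for hit in scan_message(SAMPLE_BODY):
        print(hit)
```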

Alex Eckelberry

A rather heated debate with a rogue antispyware maker

There’s a thread over at CastleCops (thanks PG), where the security folks are arguing with the people from IEDefender as to whether or not the program is malware.

It starts friendly enough, with IEdefender using the standard “it’s not my fault, it’s these terrible affiliates”:

iedefender: Hello, we’re developers of IEDefender, our software is clean and is real antispyware. As we can see, people from your site send our exe to different antivirus and antispyware companies, trying to black PR our company. They’ve got answers, that our soft is clean, because IT IS CLEAN! We contacted Kaspersky, they also confirmed, there are no problems with our software, you can check our .exe with any popular antiviruses, there no problems! Stop sending your detractive mails and messages, in other case we would be forced to send all information to our lawyers and meet your representative in the court, where it would be very hard for you to prove, that our software is not real, because IT’S REAL ANTISPYWARE!

@ iedefender

Answer this directly .

If you are legit then why does malware advertise your software ?

iedefender: Yes, we know about this problem, we have a partnership for our distributors to advertise our program, we pay them a percent of registration fee. Some of them use illegal methods, that we not accept, our customers send us abuses about it and we closed some of our affiliates accounts without paying them. We are watching on it but there are problems with them sometimes. We’re working on this problem and it’s very sad for us. But just think if somebody would advertise any famous antiviruses this way would you add them to malware too?

Then as things progress, it starts to get uglier and uglier:

MANY well known companies have been ripped to shreds for the same thing ……. but in your case, not only are you spamvertized via malware, a part of your own software is also detected as malware

iedefender: Oh, really? Who detects it? You? Any proves? Tell us, what part of our software is malware? I see only bullshit from you, no proves and nothing else. All new messages without proves from you would be ignored, I want to talk with smart people not ones, who just want to spit here.

and

iedefender: 2paperghost
Man??? With whom you r talking?

IE Defender Members – People who paid for our software, and they can register on our forum. You r stupid? This is so simple… lol.

2All WE WILL ANSWER YOU QUESTIONS SOON. NO MORE BULSHIT FLOOD HERE.

Well, it’s not the first time forum members have had to battle one of these folks. Won’t be the last.

Alex Eckelberry