Taco tries, fails to give your PC food poisoning

Today, it’s all about the taco.

Not those nice things wrapped in tortilla – another kind of taco, served up from an evil fast food joint of doom.

And by “evil fast food joint”, I mean “slightly rubbish website asking you to install things”.

Taco site of doom

It is, of course, one of those fake Java install websites that pop up from time to time – complete with (fake) Softpedia 100% clean notice. I think the last time I saw one of these was back in April of last year.

This one does exactly the same thing – pops up a prompt asking the user to hit “Run” on a Java notification. When that happens, a rather generic Trojan named after one of my favourite nibbles swings into action.

Say hello to the Taco:

It's taco time

Insanely high detection levels ensure this particular Taco won’t be causing any PC indigestion. However, good advice never goes out of fashion:

This looks slightly suspicious

Hey look, it’s being served up from Fileave.com, a host for random files that anybody can upload. Looking legit so far. I particularly like the “NOT VERIFIED” next to Microsoft. Hitting the “More information” box should set those final alarm bells ringing:

Caught, can I get a witness

Yeah…you know what? I think I’ll skip the taco and buy some oranges instead.

I’ll finish this one off with some cut and paste action from an earlier writeup:

* ALWAYS be cautious when presented with an unknown application. Don’t just run it; go Google it first and see if anyone else even mentions it.

* In the same spirit, be very wary of unsigned applications on random websites you’ve never heard of.

* Anyone can grab an award badge from a website and claim they’re the “Best thing ever”.

Don’t eat out tonight.

Christopher Boyd

Experiment over: Egypt is back on line

A number of Internet monitoring systems have detected that Internet traffic is again flowing in Egypt:

The folks at Opera reported this morning that their Opera Mini servers were again seeing traffic from Egypt.

Google’s transparency report shows traffic back up.

And James Cowie reported on the renesys.com blog that “All major Egyptian ISPs appear to have readvertised routes to their domestic customer networks in the global routing table…” He said major sites were again reachable there, with the exception of some universities. Renesys.com was one of the first sources to report the initial outage.

Some issues this outage has raised:
— What kind of planning can individuals and enterprises do to be ready for similar outages in the future?

— Is there a net neutrality issue here that has some practical solution?

— Is the dial-up modem going to have a second life?

We can be sure that the effects of this five-day, countrywide outage are going to be seriously studied. Question number one: what was the economic loss?

Tom Kelchner

GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the GFI-Labs YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI Labs Blog, the GFI Rogue Blog and anything else we think might be of interest.

This week: Christopher Boyd turned up a phishing scheme aimed at customers of British Telecommunications (BT) and scams that use the new Black Ops map pack as bait. Patrick Jordan analyzed the new Antivirus.Net rogue security product.

Tom Kelchner

BT phish wants a peek at your bank details

I’ve heard reports of various bt(dot)com phishes doing the rounds over the last couple of weeks, but arrived at the scene of the crime too late to grab some screenshots and ring the “unclean, unclean” bell.

Thankfully Christmas has come (very) early, as here we have one such phishy character to poke with a stick. I imagine this is being promoted via emails, but I don’t have one of those to hand so we’ll have to make do with a website example for the time being.

phishy

As you can see, the site looks pretty convincing and asks the user to “Log in to the personal area”. Phishes tend to say “thanks for coming along, now get out” once you’ve entered your login details – however, this one has bigger things on the horizon.

Like a gold plated yacht.

card dets, please

Credit card / bank account information is the name of the game, along with some other bits and pieces including mother’s maiden name and date of birth. Clicking through takes the user to the following screen:

scammed


I don’t know about you, but I tend to think the “billing department” mentioned above will probably be sailing around the Atlantic in their aforementioned gold plated yachts instead of confirming the information sent their way.

We’ve had the above phish taken down, but I doubt we’ve seen the last of this one. Please be wary of emails / websites claiming to be from BT that ask you to fill in all of your payment details – nothing good will come of it (unless you’re the one in the yacht).

Christopher Boyd

Black Ops Map Pack Scam

Bits and pieces of popular culture will always be a target for scams, and we’ve already seen more than our fair share of Black Ops shenanigans; fake keygens / cracks back in November, and a curious tale from January of how gamers broke into a radiology server to play some rounds while apparently failing to touch the mass of personal info sitting on the compromised box.

February is almost upon us, and that means a new target enters the crosshairs – the Black Ops map pack downloadable content is available for all ($15 / £10 to you, guv’nor, with a nifty YouTube preview to make you wave your wallet) and this means scammers are out in force.

fake programs ahoy

more fake programs

Amazingly, this is also a fake program

There's a theme developing here...

As with almost every scam these days, they just want to pop a survey and make some affiliate cash. At best, a dummy file is hiding behind the survey; at worst, you’ll end up with a nasty infection stomping up and down on your hard drive.

Survey time. Hooray.

Survey popping scams seem to be as popular as ever, which probably means a good chunk of people are still filling the things in then wondering why “dubiouswormthing.exe” causes their hard drive to melt.

Don’t be one of those melty hard drive people.

Christopher Boyd

FTC nails 2008 “scareware” distributors for $8 mill


The companies: Innovative Marketing, Inc. and ByteHosting Internet Services

The rogues: Winfixer, Drive Cleaner and Antivirus XP

Two men will pay $8.2 million to settle a U.S. Federal Trade Commission action that charged them with using deceptive advertising to sell consumers rogue security products in 2008. The money will be used to reimburse customers who were defrauded, the FTC said.

Marc D’Souza and his father, Maurice D’Souza, are among seven people connected with Innovative Marketing, Inc. and ByteHosting Internet Services, LLC, which operated out of offices in a number of countries under a variety of aliases.

The FTC said in a news release: “In December 2008, at the request of the FTC, a U.S. district court ordered a halt to the massive scheme. According to the FTC’s complaint, the defendants falsely claimed that scans had detected viruses, spyware, and illegal pornography on consumers’ computers. The FTC alleged that the defendants conned more than one million consumers into buying their software products such as Winfixer, Drive Cleaner and Antivirus XP to remove the malware the bogus scans had supposedly detected.”

Eric Howes, GFI Labs Spyware Research Manager said: “The FTC is to be applauded for taking down what was one of the more prolific and abusive ‘scareware’ operations of the past few years. Although the $8.2 million settlement is likely the best the FTC could have gotten under the circumstances, one has to wonder how it compares with what the defendants actually made from their deceptive practices and products. And, sadly, most of the same deceptive tactics employed by Innovative Marketing and its partners are still being used by others to push worthless rogue security products on frightened and confused internet users.”

Antivirus 2008 was another rogue gem from Innovative Marketing (thanks, Patrick Jordan).

Antivirus 2008 graphic interface


Tom Kelchner

Egypt’s government turns off Internet

An experiment in non-communication?

In what some observers are calling a first, the government of Egypt has shut down the country’s four Internet service providers, blacking out nearly all net access in the country in the face of widespread protests.

According to the Aljazeera news organization, which specializes in news of the Arabic world, protesters have been mobbing city streets and throwing rocks and some gasoline bombs in Alexandria and Cairo for four days. The crowds of mostly young people have been calling for an end to the rule of Hosni Mubarak, who has been in power for 30 years. Protests also have been reported in the cities of Suez, Mansoura and Sharqiya.

James Cowie on the renesys.com blog asked the central question: “What happens when you disconnect a modern economy and 80,000,000 people from the Internet? What will happen tomorrow, on the streets and in the credit markets? This has never happened before, and the unknowns are piling up.”

He said that exceptions to the Internet blackout were the 83 routes of the Noor Group which allows inbound traffic from Telecom Italia. That allows access to the Egyptian stock exchange (www.egyptse.com).

Cowie said that Tunisia blocked certain Internet routes and Iran limited traffic to slow communication when those two countries were faced with large scale protests recently. Neither imposed a complete blackout, however.

Tom Kelchner

Update from Twitter, 4 p.m. (EST):

I’m not sure what to think about this but it sounds serious:

Rogue presents browser hijacking


Sure, I’ll buy Antivirus.Net.FakeSpyPro rogue.

Yesterday on the GFI Rogue Blog we reported finding the Antivirus.Net rogue security product (FakeSpyPro family).



Today, researcher Patrick Jordan came across the browser hijacking mechanism that the rogue installs to trick a victim into making a purchase. After the “scan” is performed, this is the only page that a browser user will see:


The fractured English – “There might be an active spyware running on your computer” is one giveaway that this isn’t genuine.

Thanks Patrick.

Tom K

Year-end malware stats from AV-Test

Andreas Marx at AV-Test has shared some more information which highlights the significance of the malware problem.

The numbers are staggering — AV-Test processed an average of 54k samples per day in 2010, up from an average of 33k in 2009 — and up from 426 samples per day just a decade ago.

Stats below, source data here (xls), all courtesy of AV-Test.


Alex Eckelberry

Data Privacy Day 2011

“… an international celebration of the dignity of the individual expressed through personal information.”

Data Privacy Day will be marked Friday in the U.S. and 27 countries in Europe. It’s a day for education and awareness events “… to promote understanding of privacy best practices and rights. Educational events focus on informing teens about the importance of protecting the privacy of their personal information online, on social network sites and other internet activities.”

It’s a division of The Privacy Projects, which is described on the web site as “a nonprofit think tank and research organization dedicated to facilitating the role of consumer privacy and data protection in regulatory controls, technological innovation and consumer protection…”

$10 off VIPRE Home and Premium: $19.95.

In an effort to raise awareness of the increased dangers online and to help consumers protect themselves from digital identity risks, GFI is offering limited-time pricing incentives on its high-performance VIPRE Antivirus Home product line to those seeking to safeguard their personal information and protect their PCs.

On January 28, 2011 – Data Privacy Day, GFI Software will offer a $10 discount on VIPRE Antivirus Home and VIPRE Antivirus Premium, bringing the entry level price point to $19.95. Visit: http://virpreantivirus.com to take advantage of this special pricing, which is only available on Friday, January 28, 2011 until 11:59pm EST.

Tom Kelchner

Looking for cell phone tones (or porn)? Beware.

Our researcher Patrick Jordan has found a group of web sites that use an ever-changing array of redirects to deliver a .pdf exploit. VIPRE detects it as Exploit.PDF-JS.Gen (v), which is ranked 19 in our VIPRE ThreatNet detections at the moment.

One of the main links in the group of malicious PPCSearch sites, celltonesfinder.com, presents visitors with a link to toshtube.net, which is used to redirect them to a (changing) group of sites that offer the malcode.


The malicious .pdf file has been in VIPRE detections for some time:



The PPCSearch sites include:


Today’s sites used to distribute the PDF exploit:

nijade.info/shop/jmclhpgmcmjn.pdf
bestefa.info
gogrefa.info
zealhu.info

Thanks Patrick.

Tom Kelchner

GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the GFI-Labs YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI Labs Blog, the GFI Rogue Blog and anything else we think might be of interest.

This week we blogged about a phony offer on Facebook that led to a Trojan disguised as a photo; the FBI’s Internet Crime Complaint Center notice about criminals using job applications for spear phishing; Twitter “free iPhone” spam, possibly from hacked accounts, that led to “sweepstakes” and “survey” sites; and two rogues: WindowsUtilityTool and WindowsScan.

Tom Kelchner

Phony Facebook Photos lead to malware

This latest Facebook scam seems to have been rattling around for a few weeks now, directing you to malware from hacked websites hosting the rogue files. There also appear to be various Facebook application pages offering up the same dubious content.

Typically, the scam involves sending messages to Facebook users from compromised accounts similar to this one:

rogue app link
For those of you with images switched off (and that probably isn’t good where my writeups are concerned, as I tend to stuff each one with a million of the things), the message reads: “Foto 😀 apps(dot)facebook(dot)com/photobf/index(dot)php”.

Not a lot of sophistication there, but it doesn’t really take much to get people clicking. Downloading the file and running it will result in you sending your friends more “Foto” related spam and the whole process begins again.

Some users report the messages appearing on their walls, while others have screenshots of messages popping up in their chat applications. Either way, regardless of how the link is delivered the end-user will find themselves on a page containing nothing but a tantalising message regarding their photo hunt.

Click here to download nasty things

Yes, unfortunately the photo the end-user is trying to view “has been moved”. Never fear, clicking the “View Photo” button will reveal a photograph. Right?

Actually, no. The end-user is asked to download a file claiming to be an image.

Uh oh...

Well, that seems suspicious. I wonder what happens if we ask Windows to stop hiding default file extensions…

Don't hide those extensions

Spot the difference

You know, I think we rumbled their cunning plan. Infections spamming out malicious links isn’t anything new (in fact, the filename used here pops up at least as far back as 2009!) but people will still fall for it so it pays to be on your guard.

So far, postings on the web indicate the following app pages were involved (all of which are now deactivated):

apps(dot)facebook(dot)com/bestfunnypicever
apps(dot)facebook(dot)com/costumphotos
apps(dot)facebook(dot)com/photobf
apps(dot)facebook(dot)com/hahahahahahh

The good news is that many of the compromised websites hosting the infection file are being taken offline, Facebook are shutting down rogue application pages quickly and the VirusTotal score is coming along nicely with a 32/43 detection rate – we detect this one as Trojan.Win32.Generic.pak!cobra.

Let’s hope decent detection rates along with a growing awareness that random photo viewing requests may not be what they seem will put this one out to pasture for good.

Christopher Boyd

Facebook scam: Free cellphone recharge

This seems to be circulating through the Facebook pages of people with Indian names. Clicking on the numerous Facebook “like” mechanisms would of course spread this thing pretty quickly.

The whois information for the connected web site shows it was set up last week with a service provider in Delhi.



Sharing it and “liking” all the buttons on the page results in lots of stuff being sent to your friends such as:

Which, of course, they can share (spam) with their friends:

 


The collection includes one of those “whose spying on you?” scams.



And a great tool bar for “Bible enthusiasts” which is installed by a Trojan:

Tom Kelchner

Feel free to nominate VIPRE or VIPRE Enterprise


If you are enthusiastic about VIPRE, you might consider nominating it in About.com’s 2011 Readers’ Choice Awards.


The awards will highlight the best products, features and services in categories including technology, hobbies and parenting. About.com will accept nominations from Jan. 13 to Feb. 4 at 11:59 p.m. (Eastern). Nominees will be named Feb. 11 and winners will be announced March 15.

About.com gives no prizes, “…just the bragging rights that come with getting recognized by the readers of one of the biggest networks on the web,” they said.

Tom Kelchner

Potty humor: Google TISP service (beta)


Our rogue researcher (and that’s “rogue” in all senses of the word) Patrick Jordan found this over the weekend. We’re not sure how.

Somebody — hopefully with legitimate site access — appears to be having some fun with some potty humor:



It has a discussion forum too:
 

Thanks Patrick

Tom Kelchner

Update:

We just discovered that this was a Google April Fools Day joke some years ago. They apparently have a history of jokes like this.

Malware being sent in job applications

Spear phishing aimed at HR

The Internet Crime Complaint Center (IC3) is reporting that businesses have received Bredolab variants in email attachments masquerading as job applications.

“Recent FBI analysis reveals that cyber criminals engaging in ACH/wire transfer fraud have targeted businesses by responding via e-mail to employment opportunities posted online,” IC3 said in a news release.

They also said: “The FBI recommends that potential employers remain vigilant in opening the e-mails of prospective employees. Running a virus scan prior to opening any e-mail attachments may provide an added layer of security against this type of attack. The FBI also recommends that businesses use separate computer systems to conduct financial transactions.”

It’s called “spear phishing” – malicious code sent specifically to someone in a company who would be expecting that type of email (job applications in attachments, in this case).

One giveaway that you received something like this would be an email attachment with an “.exe” extension when you would be expecting something in a document format.
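The “.exe where a document should be” giveaway above, and the hidden-extension trick in the “Foto” Facebook post (where a “photo” turns out to be an executable once Windows stops hiding known extensions), can both be checked mechanically. The Python below is an added example, not code from any of these posts: the extension sets, function names and sample filenames are all my own constructed assumptions.

```python
"""Flag attachment names that masquerade as documents or images.

Added example (not from the GFI Labs posts above). It models the trick
where Windows' default "hide extensions for known file types" setting
makes "foto.jpg.exe" appear as "foto.jpg", and the plainer case of an
executable arriving where a document (a CV, a photo) was expected.
All filenames used here are constructed samples.
"""
import os

# Extensions Windows will execute directly on double-click (assumed set).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# What an HR inbox or a "view photo" link would normally deliver (assumed set).
BENIGN_LOOKING_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}


def displayed_name(filename: str) -> str:
    """Return the name as Explorer shows it with known extensions hidden:
    the final extension is dropped, so 'foto.jpg.exe' -> 'foto.jpg'."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTS | BENIGN_LOOKING_EXTS:
        return stem
    return filename


def classify(filename: str) -> str:
    """'masquerade' : executable whose displayed name looks like a doc/image
       'executable' : plain executable attachment (e.g. resume.exe)
       'ok'         : anything else"""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTS:
        return "ok"
    # Second-to-last extension is what the victim sees once the last one is hidden.
    inner_ext = os.path.splitext(stem)[1].lower()
    if inner_ext in BENIGN_LOOKING_EXTS:
        return "masquerade"
    return "executable"


def triage(filenames):
    """Return {filename: (name as displayed, verdict)} for a batch of attachments."""
    return {f: (displayed_name(f), classify(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample attachment names, mixing benign and suspicious cases.
    SAMPLES = ["foto.jpg.exe", "resume.exe", "cv_2011.pdf", "holiday.JPG.ScR", "report.docx"]
    for name, (shown, verdict) in triage(SAMPLES).items():
        print(f"{name:18} shown as {shown:14} -> {verdict}")
```

Case is ignored deliberately, since Windows treats `.ScR` and `.scr` the same way, and the check looks only at names, so it complements rather than replaces the virus scan the IC3 notice recommends.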

Tom Kelchner

Bit.ly is filtering “free iPhone” Twitter spam URLs

URL-shortening site Bit.ly appears to be effectively filtering the links in what remains of the “free iPhone” spam surge on Twitter. Also, the number of spammed Tweets is far lower today than yesterday when we found a rate of over 1,300 per hour.

It is not known why the thousands of Twitter accounts are sending out the spam, but we found at least one Twitter user yesterday complaining about his account or machine being hacked.

 


Those who received the Tweets and followed the links were taken to pages on Adserve (dot) rewards-confirmation (dot) com or progressiveemail (dot) com that offered a “Free Apple iPhone 4G.” However, “testing & participation required.”

 
And then they were required to take a survey.

And then go through 20 screens of offers for subscription services.

And then see more screens of offers.

Subscribing to the required nine of them would probably cost you much more than an iPhone.



Although there was no evidence of malware on the vast number of pages, the process does require you to enter your name, address and phone numbers.

Tom Kelchner

Tsunami of “free iPhone” Tweets continues

A wave of Twitter posts advertising a “free iPhone” continues today at the rate of about 1,300 Tweets per hour. They lead to sites that require visitors to purchase any of a variety of subscription services in order to get the “gift.”

At least one Twitter user seemed to believe that his account had been hacked.

The vast spam run pumps out Tweets with URLs shortened by the Bit.ly shortening site that lead to sites including:

— Sweepstakes (dot) com
— BiggestGiftRewards (dot) com
— Rewards-Confirmation (dot) com
— FreeBrandProducts (dot) com



Trying to navigate away from the pages results in a pop-up window asking if you are “sure” you want to move away from the page. Clicking “OK” merely takes you to another page (Sweepstakes, above).



The rules of the game also include:

“By clicking Continue, I have read and agree to Sweepstakes.com’s Official Rules, Privacy Policy and Terms & Conditions which includes providing my signature expressly requesting a return phone call from Sweepstakes.com and SMS texts (std msg rates may apply).”

The huge spam run could be the work of affiliates. Clicks on the sites are being monitored:



A check of the Twitter accounts some of the spam was sent from shows that some appear to have been used only to send spam (including some in December). Other accounts appear to have sent normal chatter with the “free iPhone” spam sent as well.

At least one Twitter user appeared to know that his account had been hacked:


Tom Kelchner