Web site identifies real (and not so real) defraggers

One of the developments in the wonderful world of rogue security products last year was the appearance of rogues imitating utility software such as defraggers.

Rogues had impersonated anti-virus products for many years. That was confusing enough for inexperienced Internet users. There were, however, several sites where lists of legitimate AV software were available (ICSA Labs, VirusTotal and Virus Bulletin are three).

Finding a list of “defragmentation” utilities, or defraggers, was tough, though.

Donn Edwards, a database programmer who has a software company in Johannesburg, South Africa, named Black and White Inc., contacted us over the holidays to point out that he is maintaining a page on his Fact-Reviews.com site to do just that. His site, which appears to have gone up last June, presents his independent reviews.

Fact-Reviews.com lists real defrag utilities…

and it also lists fakes

 

Nice work Don.

Tom Kelchner

Microsoft blog lists public issues


Outstanding chart lists outstanding security problems and workarounds

Microsoft’s Web site, which is full of great information, is an unusually large fire hose to drink from. However, today Dr. Johannes Ullrich at SANS pointed out one great, tightly focused piece on Microsoft’s “Security Research & Defense” TechNet blog: a chart breaking down the top outstanding security issues with Microsoft’s products. It also lists workarounds:

Issues addressed are:
— Internet Explorer 6/7/8 vulnerability in recursive style sheet importing. (CVE-2010-3971)

— Windows graphics rendering engine vulnerability in parsing BMP thumbnails embedded within an OLESS document container. (CVE-2010-3970)

— IIS 7.0 and 7.5 FTP service vulnerability in encoding Telnet IAC (Interpret As Command) characters in the FTP response.

— Internet Explorer fuzzer released publicly that is capable of triggering Internet Explorer crashes.

— WMI Administrative Tools ActiveX control vulnerability.

Thank you Jonathan Ness of MSRC Engineering for being so concise.

Tom Kelchner

“Watch movies online” link spammed on Twitter

We’re seeing a link doing the rounds on Twitter that you may want to avoid. I was a bit surprised to see the following pop up on the feed of artist Dean Trippe:

movies!

According to the Bit.ly statistics for that link, so far it’s gone out around 198 times since the middle of December. Having said that, the stats might need updating because here’s a live view of the link being sent to all and sundry. Screenshot for posterity:

spam galore

It takes you to hdrollyvideo(dot)co(dot)cc/9/ which forwards the user to rolly(dot)com, a website asking for subscription fees in order to watch movies online.

films galore

The site says you can get a month long subscription for $39.90 USD and access a database packed with 10,000 movies (including many which are only just popping up in movie theaters….hmmm), but let’s take a look at some feedback before getting our wallets out:

Web of Trust: Some terrible feedback here, everything from “hacked Twitter accounts used for spam” to someone who apparently paid only to get “five pages of html” back in return.

Complaints galore: people who signed up and are looking for refunds but can’t get hold of anybody, cards charged before the “trial period” expires, movies downloaded in English but playing in Spanish…oh boy.

Webutation: More mentions of “hacked twitter accounts” and problems trying to cancel.

Granny gets charged for a trial: Ouch. Not only that, but she seems to be having problems stopping them from taking repeat payments.

You know what? Just go to the cinema and give this one a miss. Given the complaints seen so far, your wallet will thank you for it…

Christopher Boyd

New Year, new “Pay for Skype” websites

Just a heads up that one of those “Pay for Skype (addons)” sites is doing the rounds, with a vaguely predictable URL:

2011-skype-upgrades(dot)net

As you may recall, these sites try to make end-users pay to download…well, we’re not sure, to be honest. It could be addons, or “upgrades”, or Skype itself…these sites aren’t particularly clear where this is concerned. All that really matters is if you see a site looking like this:

Voipforfree1

You need to put your card back in your wallet and go somewhere else. Like the official Skype download site, for example. Want addons? No worries, here’s a bunch of those too.

I think that has you covered…

Christopher Boyd

DHS is going after money mules

Vietnamese college students in Minnesota are subjects in $1.25 million online scams

The Minneapolis Star Tribune is reporting that a U.S. Department of Homeland Security investigation of money mules (Operation eMule) has led to two Vietnamese students at Winona State University. Investigators said the pair had used stolen identities to set up 180 eBay and 360 PayPal accounts that were allegedly used to defraud merchants out of more than $1.25 million.

The two, Tram Vo and Khoi Van, are in the U.S. on F1 visas, according to a request for a search warrant filed by DHS investigators Dec. 29 in federal court in St. Paul. Neither man has been charged with a crime.

Companies that were victims of the thefts included eBay, PayPal, Amazon, Apple, Dell and Verizon Wireless, investigators said.

According to the papers filed in the case, investigators from the National Cyber Crimes Center (part of U.S. Immigration and Customs Enforcement) and the Department of Homeland Security Investigations are working on the case. They said in the court papers that the money was wired to accounts in Canada and Vietnam.

It has been no surprise to me that it has taken most of a decade for law enforcement agencies to get up to speed in their Internet crime investigations. If you’ve ever sat through a trial in which a chain of evidence was presented by the prosecution and cross examined by defense you can appreciate the enormity of the learning curve that law enforcement has faced.

In these cyber-crime investigations, the chain isn’t a matter of defendants’ links to physical items, but rather a trail of recorded computer connections and money transfers. Thieves’ use of proxy servers makes those trails pretty faint.

Tom Kelchner

Rogues in 2010: number of variants stable, new “utility” look appears


GFI Labs documented 167 rogue security products in 2010 – exactly the same number as 2009.


Number of rogues by year

Year    Total
2005    26
2006    44
2007    95
2008    162
2009    167
2010    167

Total   661

According to GFI Labs statistics, the number of rogue security products appearing annually has been stable for the last three years. After increasing from 26 in 2005 to 162 in 2008, we’ve seen about the same number of variants each year since: 167 in both 2009 and 2010.

New “utility” look appears in 2010

Late in 2010, researchers at GFI Labs noticed that at least one group of rogue writers had started a new deceptive tactic: creating graphic interfaces that impersonated utility software — such as hard drive defragmentation applications — instead of anti-virus products.

UltraDefragger — the new “utility” look



The UltraDefragger rogue appeared mid-November and was quickly followed by a number of clones.

FakeAV-Defrag family history:

11/15/2010        Ultra Defragger
11/16/2010        ScanDisk-Defragger
11/30/2010        WinHDD
12/9/2010          HDDPlus
12/12/2010        HDDRescue
12/12/2010        HDDRepair
12/13/2010        HDDDiagnostic

We blogged about the new look about the middle of December.

From 2005 to 2007, the rogue creators had static web sites to distribute their clones. Internet enforcement wasn’t up to speed, so the rogue sites were taken down less frequently than they are today. The rogue distributors weren’t pushed to create as many clones.

The number of rogues increased in 2008 largely because the rogue creators needed to evade stepped-up detection by anti-virus companies, according to researcher Patrick Jordan.

In 2009 the pace continued. In that year, the FakeSmoke family of rogues saw a new clone distributed almost every 24 hours, Jordan said. The FakeSmoke family of rogues began in October 2008 with WiniGuard.



SpySheriff: longest surviving rogue

Rogue distributors usually create their malicious software and server infrastructure, then clone their malcode frequently in order to escape detection by legitimate anti-virus products. They count on making money in the days (or hours) that the new rogue clones go undetected.

The longest-surviving rogue was SpySheriff. It lasted from July 2005 until its site was finally suspended in August 2008. SpySheriff and its 31 clones included:

7/6/2005    SpySheriff
8/6/2005    SpyTrooper
1/30/2006    PestTrap
8/16/2006    DiaRemover
10/3/2006    PestCapture
12/18/2006    MalwareAlarm
12/18/2006    MrAntiSpy
12/18/2006    SpyMarshal
5/22/2007    DrAntispy
7/16/2007    MagicAntiSpy
7/16/2007    SpyShredder
9/12/2007    SpywareNo
3/16/2006    BraveSentry
8/13/2007    LiveProtect
11/30/2007    DrProtection
11/30/2007    GuardCenter
11/30/2007    LiveAntiSpy
11/30/2007    OnlineGuard
12/6/2007    LiveProtection
12/21/2007    Immunizr
11/28/2008    Extra Antivir

Second generation

6/3/2008    System AntiVirus 2008 (Sav)
6/3/2008    Vista AntiVirus 2008 (Vav)
6/3/2008    Windows AntiVirus 2008 (Wav)
6/9/2008    Ultimate AntiVirus 2008 (Uav)
6/18/2008    Advanced Antivirus 2008 (AAV)
7/30/2008    Antivirus Master (AVM)
8/22/2008    Power Antivirus(PWA)
8/26/2008    Spyware Preventer (SPP)
9/11/2008    Micro Antivirus 2009 (MicroAV)
10/28/2008    AntiVirus Sentry (AVS)
11/3/2008    Ultra Antivirus 2009(UltraAV)

Thanks Patrick

Tom Kelchner

Free Microsoft points on Facebook, honest


Here we have what appears to be a scam on Facebook.

It’s a popular one too, with 70,706 people smacking the “Like” button as if their lives (and free points) depended on it.

Of course, popularity doesn’t mean it works. Here are some satisfied customers, and by “satisfied” I mean “absolutely furious”:

Whoops.

Shall we take a look? The site where all the action takes place is xbox360pointsonline(dot)blogspot(dot)com.


Yes, “follow the steps” and get your 4,000 XBox Live points. You can probably guess where this one is going.


As you can see from the happy customers above, nobody actually seems to be getting their free points. Meanwhile lots of profiles start to fill up with this as the Like / Share rampage continues:

Given that the average price of 4,000 Microsoft points is about £35, it’s unlikely that Random Survey Man is going to be making enough money to scatter those points around like confetti.

Do yourself a favour and pass this one by.

Christopher Boyd

GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the GFI Labs YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI Labs Blog, the GFI Rogue Blog and anything else we find that might be of interest.

This week we blogged about the next version of the Storm Worm, fake YouTube ads for the movie Tron, a golden oldie Nigerian 419 scam and two rogues, ProtectShield and Spyware Protection.

Tom Kelchner

419 advance fee fraud golden oldie still making the rounds

A number of us here at GFI received a Nigerian 419 scam email over the weekend. A little investigation shows these fraudulent spam emails alleged to be from Maryam Abacha have been circulating at least since 2005.

From: Maryam Abacha [mailto:maria_abach@_____.com]
Sent: Sunday, January 02, 2011 7:38 PM
Subject: Very Urgent Reply.

Hi,

My name is Maryam Abacha the widow of Sani Abacha, de facto President of Nigeria from 1993 to 1998.

Following the sudden death of my husband I have been thrown into a state of utter confusion, frustration and hopelessness by the present civilian administration.

I have been subjected to physical and psychological torture by the security agents in the country.

You must have heard over the media reports on the recovery of various huge sums of money deposited by my husband in different security firms abroad.

I am looking for a reliable and trustworthy individual that would receive the sum of $15.5 Million Dollars which I have secretly deposited with a security company abroad.

I will give you 20% of the total sum and how to receive the funds on my behalf as soon as I hear from you.

I got your contact through my personal research, and out of desperation decided to reach you through this medium.

Best Regards

Mariam Abacha.

The Freeman Institute seems to have taken a special interest in the 419 scams that use the Abacha story.

Thanks Patrick

Tom Kelchner

TRON and gone: fakeouts galore

It’s a bit depressing to hear anyone in their twenties or younger say “What’s a Tron”, although the recent film may help out a bit where that’s concerned. Regardless, hunting for some TRON action on the internet may end in frustration, surveys and installs aplenty.

For example, hd-movies(dot)biz gives us a fairly standard “Fake advert on Youtube / hit you with a survey” scam:


What an awesome set of questions. Anyway, next up we have freemoviehub(dot)net imploring us to “get our Gucci on”:


It’d be nice if someone made a New Year’s resolution to never, ever pop a survey for anything for the rest of eternity, but somehow I can’t see that happening. Perhaps your choice of beverage isn’t the newfangled TRON film with light cycles that trace a curved path, a bland lead actor or Olivia Wilde sporting the best Ladytron haircut ever. Maybe you’re one of these young’ns who stumbled across TRON Guy and wondered where he got his inspiration from.

You might not want to bother.

Moviepoint(dot)org/tron:


Clicking the player underneath the banner splash takes you to browserdl(dot)com/xvid_dl/ which wants you to install a program before savouring the delights of hearing someone say “Greetings, program”:


Needless to say, there isn’t any TRON action going down once the end-user has installed ClickPotato, ShopperReports, QuestBrowser and blinkx Beat. I’m now going to cross my fingers and hope end-users won’t fall for movie fakeouts like the above as we stumble into 2011, while also wondering why a Daft Punk music video looks more like TRON than the actual sequel.

End of line…

Christopher Boyd

GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the GFI Sunbelt Software YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI Labs Blog, the GFI Rogue Blog and anything else we find that might be of interest.

This holiday season the operators who distribute rogue security products were busy. We found ProtectShield2010, SpywareProtection, Personal Internet Security 2011, HDDLow, Scanner and DiskRepair. Those are in the FakeSmoke, FakeRean, FakeVimes and FakeSysDef families.

Alex Eckelberry blogged about a spam email that appeared to be phishing for iTunes store passwords, but actually downloaded malicious scripts. Chris Boyd, our man in the UK, wrapped up the year with a review of the high, or low, spots of malicious gaming schemes in 2010.

Tom Kelchner

A year in security: the 2010 edition

Hey look, it’s a “this is what happened this year” post. Don’t worry, I won’t be making any security predictions (because unless I’m Nostradamus I can’t tell you what’s going to happen next week, never mind in six months time) and there won’t be any flying car jokes either.

With that out of the way, let’s see some of the antics that took place and caught my eye in 2010…

January: Getting the year off to a flying start, the ukfi.gov.uk website was defaced by an Albanian hacking crew who rather enjoyed making your browser fly across the desktop while pumping out bad rap music from your speakers. .gov websites are always a prime target for individuals looking to make a statement about something, even if said statement is just usually “lol haxed”.


It’s quite a stylish defacement, I suppose.

February: The Register explored the weird and wonderful world of XBox hacking, something I’ve spent a fair amount of time poking with a stick (don’t worry, I have three lives and a continue left). We also had scareware scammers taking advantage of killer whale attacks and the trusted name of VirusTotal with various fake websites and dodgy forum posts galore. There was also a fake FBI fingerprint scanner which was designed to infect the curious. As I said at the time, question the legitimacy of any fingerprint scanner that accepts pictures of dancing bananas.

Elsewhere, the UK Conservative Party suffered a number of defacements encouraging people to vote for the Labour Party. World of Warcraft authenticators also came under attack, placing budding Leeroy Jenkins fans everywhere at risk.

At least he has chicken.

March: Continuing the whole “gamers in peril” theme, phony Playstation emulators popped up on a couple of websites that infected your computer with Trojans.


Some infected users reported Fake AV popping up after install, which doesn’t surprise me too much. I also rang the bell and yelled “Unclean! Unclean!” in an SC Magazine interview dealing with celebrity deaths and Internet shenanigans.

We also had Toolbars doing their best impression of the Elvis 68 comeback special and reminding us they can still give us a run for their money with built in phish pages.

phish warning

Mock toolbars at your peril, or something. Phishers also compromised the website of The Big Issue, directing users to fake Paypal pages. There’s low, and then there’s “more low”.

April: Oh look, iPad spam on Twitter. We’d see sporadic outbreaks of “pimping stuff” on Twitter throughout the year, and the iPad was always going to be an attractive target for both scammers and victims alike. We also had Zango installers lurking on Download.com, a website belonging to a Matrix actor hacked (he was one of the shouty guys, in case you were wondering) and a big defacement on The Telegraph website which was caused by comments made on the popular TV show Top Gear. There was also a phishing education test which was, er, blocked for phishing. As good a way as any to wrap up April, methinks.

May: Everything went a little crazy in May when I uncovered a simple (yet effective) DIY Botnet creation kit for Twitter.

bot builder

Told you it was simple. As with any Twitter based Botnet, the commands have to come from a public account which means it’s relatively easy to detect accounts sending commands to Bots. As a sidenote, I did find it rather humorous when a random pr firm working for a security company I’d never heard of sent me a press release proclaiming that “A DIY Twitter Botnet creation kit has been discovered”.

Thanks for the heads up! I guess…

We also saw that Facebook users will happily cut and paste Javascript code into their browsers (no really) if asked to do so by dodgy looking websites. The old “cut and paste” method remains a constant thorn in the side of Facebook, and I doubt it’ll be going away anytime soon. Scribd put in an appearance due to over 4,500 logins being posted to a document on the site.

Scribd ru domain logins

June: Doctor Who became a target not once but twice in the month of June, due to a combination of the series ending and the new Doctor Who game being launched. TV shows in general are great low hanging fruit for scammers, who throw together websites promising online episodes before dumping you on surveys, more surveys and…er…surveys.

the big bang

fill this in to see....nothing

The game thing was interesting – people in the UK pay a licence fee to get some BBC related action, but with the game being a Worldwide release anyone outside of the UK had to pay a small fee to obtain the game. Of course, people weren’t too happy about this and before long cracked versions started popping up online. Some of them contained nasty surprises.

There was even a version of the game uploaded to a site that required users in the UK to pay £10 plus network rates to download what would have been free for those users anyway.

Whoops.

Videogamers became targets yet again, as Fake AV peddlers poisoned search results related to treasure maps in Red Dead Redemption.

Red Dead Malware

Taking a peek into Facebook land, we had fake “your account has been deactivated” emails doing the rounds which took users to phish pages and denied them access to games about cows. Bit of an odd month, really.

July: Special Zynga gifts ahoy! Also: here comes a phish. Elsewhere, we had some Justin Bieber chaos with Youtube being affected by an XSS flaw leading to overlays, scrolling text, porn redirects and – of course – a bunch of stupid surveys.

Everyone hates surveys, right? They were particularly popular when Toy Story 3 launched, with scammers setting up – what else? – fake “watch the movie” websites that pop surveys asking for personal info galore.

Toy Story

Selecting a kids movie then plastering it with popups asking for info that someone aged 18+ would normally be required to fill in seems all kinds of wrong, but there you go.

September: I love an oddball story, and this one was right up at the top of the oddball pile. A Greasemonkey script claiming to let users “bypass surveys” sounded fine and dandy, until you tried to download it. In order to grab it, you had to fill in a survey which is a vaguely spectacular way to go about things.


There were also websites claiming to offer a “Skype upgrade”, which of course would cost the user money to obtain. As someone in the comments notes, there are a lot of similar sites offering “updates” for Adobe products too. Steer clear of the lot of them. Games testers were promised all sorts of money, and shady websites popped up asking for lots of personal information for fake “tax rebates”. We also came across a haul of around 2,500+ logins dumped on a public facing website which appeared to be for Facebook.

stolen logins

Back in videogame land, the launch of Halo Reach brought a collection of horrible scams along for the ride. Flaming helmet codes, fake programs and surveys were the order of the day.

October: things seemed to be a little quiet in October, although there was a fake Twitter login page promising “new features” and pictures of semi-naked ladies all over the place. It was actually a kit designed to convince end-users to run fake Java updates and install some malware on their PCs.

Fake content ahoy

Yeah, don’t go installing those things. We also had a truly awesome example of domain name confusion.

Oh, I also gave a bunch of talks (some planned, some along the lines of “Oi, get in here and join in”) at the truly excellent HacKid conference in Boston. Designed to teach kids about the joys of computers, technology and security stuff it was a rip-roaring success and I hope to see more of these next year.

Look! A flying drone thing!

November: The Bayrob Trojan rose from the grave to try and infect people with fake Kodak galleries. Bayrob is a clever EBay scam, which directs infected users to fake auctions in an attempt to take their money and run. Nasty stuff.

Gallery Downloads

We also had fake Trojan removal kits that – oh no! – installed Trojans, Facebook death videos and the excellent IRISSCON, which I was lucky enough to take part in. No, I didn’t buy an Alan Wake coat. It just looks like one.

December: things tend to go a little quiet in December, because all the scammers are too busy having parties in castles and building gold plated yachts to spend time ripping us all off but a couple of interesting bits and pieces popped up regardless.

First off, some SEO poisoning courtesy of the findings at Mono Lake. There were also some of those Adobe scam sites, iTunes emails serving up exploits and a fake Amazon receipt generator designed to fool unwary sellers into sending out items to scammers.

generator

this is a fake...

The gag here was in trying to convince a seller to take their “refunds” outside of the safety net that is the Amazon payment system, or just simply get them to send the scammer lots of free stuff. While I’d like to think people wouldn’t fall for this, there are plenty of horror stories in search engines related to sellers going outside the system and being burnt horribly.

Buyer beware! Uh, I mean seller.

Anyway, that just about wraps up this gigantic slab of War and Peace. Assuming anyone out there is still conscious I’d like to thank you for listening to me ramble on (and on) and for reading all of the blog posts / research put together by everybody on a daily basis.

Have a great (and safe) 2011, and I shall see you on the other side…

Christopher Boyd

Fake iTunes email isn’t a phish, it’s a ‘sploit

An email making the rounds makes the innocent claim that “it is possible that your account password has been stolen”.


Expecting a phish? 


Actually, no. The site serves a malicious script. However, the exploits served are six to eight months old — CVE-2010-0886 (a Java exploit) and CVE-2010-1885 (a cross-site scripting method that exploits a vulnerability in Windows Help). Downloading the latest version of Java and ensuring you’re up-to-date on Windows patches will protect against any attack.

Alex Eckelberry

 

Creeper Tracker Pro creeps around on Facebook

Is it time to examine another Facebook scam?

Why yes, it is.

Located at…deep breath…99percentofgirlswouldkilltheirboyfriends(dot)info, this website takes the form of the familiar “find out who is watching you” wheeze so beloved by scammers everywhere.

Creeptrack

Something to note: although it claims “1,601,636 people like this”, that’s just part of the background graphic (in other words, it’s completely fake). Checking out the application page tied to this one tells us they have “15,034 monthly users” which doesn’t really tally with over a million Likes, does it?

app page

Anyway, hitting the Login button and filling in your details will prompt you to give the “application” access to your profile:

access

It’ll also pop one of these, which is the main reason for the elaborate trip into Shenanigan City:

survey

Yep, it’s survey time.

Do yourself a favour, and steer clear of this one – there are quite a few comments posted to the “VIP Access” page stating that it doesn’t work.

Can’t say I’m surprised…

Christopher Boyd

U.S. outlaws “negative option” deceptive online selling

The U.S. Federal Trade Commission has issued a press release detailing the consumer protections in the Restore Online Shoppers Confidence Act just passed by Congress.

“Congress has passed the ‘Restore Online Shoppers’ Confidence Act’ to combat deceptive online sales tactics that keep charging consumers for goods and services until they cancel their membership.  In so-called “negative option” plans, the seller interprets the consumer’s silence or failure to reject goods or services, or to cancel the sales agreement, as acceptance of the offer,” the release said.

The act, which was originally the Senate bill S 3386, spells out three protections for online consumers. It makes it illegal:

— for post-transaction third-party sellers to charge customers unless they spell out the terms of the transaction and get consent to charge their credit cards or bank accounts.

— for online sellers to transfer a consumer’s financial account number to a third party seller.

— for a seller to charge a consumer for goods or services using a negative option feature in an online transaction without disclosure, without the consumer’s consent and without providing a simple way to stop the charges.

This will give the FTC a law to use to stop the sleazy operators behind those mysterious charges that appear like magic on your credit card statement in the wake of some online purchases.

Tom Kelchner

What’s really in the drugs you buy over the Internet?

The  “alarming variety” of chemicals includes rat poison (the blood thinner warfarin)

The U.S. Food and Drug Administration has sent a letter to manufacturers and trade groups seeking their help in preventing distribution of tainted drugs in the U.S.

Although the letter does not mention Internet sources, it’s clear that the concerns in the letter can be extended to penis pill, diet pill and “Canadian pharmacy” (which are really not in Canada) web sites.

The letter lists adulterants that should be enough to scare any sensible human from EVER considering buying the stuff advertised in that flood of spam email that seems to wash over all of us:

“FDA laboratory tests have revealed an alarming variety of undeclared active ingredients in products marketed as dietary supplements, including anticoagulants (e.g., warfarin), anticonvulsants (e.g., phenytoin), HMG-CoA reductase inhibitors (e.g., lovastatin), phosphodiesterase type 5 inhibitors (e.g., sildenafil), nonsteroidal anti-inflammatory drugs (NSAIDs) (e.g., indomethacin), and beta blockers (e.g., propranolol). FDA has also identified products marketed as dietary supplements that contain active pharmaceutical ingredients removed from the market for safety reasons (e.g., fenfluramine), as well as new chemical ingredients of unknown safety. Some products marketed as dietary supplements have been found to contain controlled substances (e.g., benzodiazepines and anabolic steroids).”

According to the letter, the FDA investigations have also resulted in criminal prosecutions and nearly 200 recalls:

“Where FDA investigations have discovered products marketed as dietary supplements that contain the same active ingredients as in FDA-approved drug products, analogs of such drug ingredients, or other compounds of concern, such as novel synthetic steroids, FDA has issued warning letters and conducted seizures and criminal prosecutions. FDA has also worked with industry on the recall of numerous products with such potentially harmful ingredients, including more than 70 products marketed for sexual enhancement, more than 40 products marketed for weight loss, and more than 80 products marketed for body building. The Agency has also issued consumer alerts and press announcements to warn consumers about such products.”

Tom Kelchner

GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the GFI-Sunbelt Software YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI-Labs Blog, the GFI-Rogue Blog and anything else we think might be of interest.

This week we covered a new look in rogue security products on the GFI Labs Blog (they’re now impersonating hard drive utilities rather than anti-virus products), and a warning about giving scammers permission to access your Facebook account.

Tom Kelchner

Rogues now imitate utilities rather than anti-malcode apps

New trend in rogue security products

Since last week the rogue security products (also called scareware) that we’ve posted on the GFI-Sunbelt Rogue Blog have had a new look. Instead of impersonating anti-virus products, these new ones are claiming to be applications that fix disk errors on a victim’s machine: HDDDiagnostic, HDDRepair, HDDRescue and HDDPlus. They’re basically clones and together they are members of a new family of rogues: FakeAV-Defrag.

Of course, they actually do nothing except throw up phony warnings and demand that the victim purchase them before they “fix” the fictional problems they warn about.

FakeAV-Defrag rogues: (four screenshots)

Since rogues began to circulate seven or so years ago, they’ve always pretended to be anti-spyware or anti-virus products, imitating the look of many legitimate anti-virus products and even the structure of their product names. In the last two months, however, it has become clear that the rogue writers are trying something new to confuse potential victims.

Earlier in December we had: PCoptomizer, PCprotection Center and Privacy Corrector. These were intended to look like some kind of generic security product – not anti-virus lookalikes.

Rogues that imitate generic security utilities: (three screenshots)

First of the “defraggers”

Last month we started seeing “defragger” clones that claimed to be disk utilities: UltraDefragger, ScanDisk and WinHDD. These pretended to find “HDD read/write errors.”

Defrag is a Windows utility that, at one time, substantially sped up a PC's performance by moving the scattered pieces of files into contiguous sections of the hard drive. Files ended up in pieces because applications opened and added to them over time, and the operating system wrote each new piece wherever there happened to be free space on the drive. The defrag utility "defragmented" the entire disk, reassembling each file into one contiguous run of blocks, so the operating system no longer had to seek across the platter to gather a file's pieces every time it read the file.
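As an added illustration (this is not part of the original post and models no real file system), here is a toy Python model of the behaviour just described: a disk is a list of block owners, new data goes into the first free blocks found, two files that grow in turn end up interleaved, a deleted file leaves holes that a later file is split across, and a defragmenter rebuilds the layout so every file is one contiguous run. File names and block counts are made up for the demonstration.

```python
# Added example, not code from the original post: a toy block-level model of
# file fragmentation and defragmentation. The disk is a list whose entries are
# the owning file name, or None for a free block. (Assumed, simplified model.)
from typing import Dict, List, Optional

FREE: Optional[str] = None


def first_fit_append(disk: List[Optional[str]], name: str, nblocks: int) -> None:
    """Give file `name` `nblocks` more blocks, taking the first free blocks found.

    This is the allocation behaviour the post describes: a growing file gets its
    new pieces wherever there happens to be space, not next to its old pieces.
    """
    placed = 0
    for i, owner in enumerate(disk):
        if owner is FREE:
            disk[i] = name
            placed += 1
            if placed == nblocks:
                return
    raise RuntimeError("disk full")


def free_file(disk: List[Optional[str]], name: str) -> None:
    """Delete a file: its blocks become holes that later writes will reuse."""
    for i, owner in enumerate(disk):
        if owner == name:
            disk[i] = FREE


def fragments(disk: List[Optional[str]], name: str) -> int:
    """Count contiguous runs of blocks owned by `name`; 1 means unfragmented.

    Reading the whole file costs roughly (fragments - 1) extra head seeks on a
    spinning disk, which is the slowdown defragmenting removes.
    """
    runs = 0
    prev: Optional[str] = None
    for owner in disk:
        if owner == name and prev != name:
            runs += 1
        prev = owner
    return runs


def defragment(disk: List[Optional[str]]) -> List[Optional[str]]:
    """Return a new layout: each file contiguous (first-seen order), free space at the end."""
    counts: Dict[str, int] = {}          # dict preserves first-seen order
    for owner in disk:
        if owner is not FREE:
            counts[owner] = counts.get(owner, 0) + 1
    new: List[Optional[str]] = []
    for name, n in counts.items():
        new.extend([name] * n)
    new.extend([FREE] * (len(disk) - len(new)))
    return new


def render(disk: List[Optional[str]]) -> str:
    """One character per block: first letter of the owner, '.' for free."""
    return "".join("." if owner is FREE else owner[0] for owner in disk)


def simulate(disk_blocks: int = 20) -> Dict[str, Dict[str, int]]:
    """Grow two files in turn, delete one, write a third into the holes, then defragment."""
    disk: List[Optional[str]] = [FREE] * disk_blocks
    for _ in range(2):                       # log.txt and doc.txt each grow by 2 blocks, alternately
        first_fit_append(disk, "log.txt", 2)
        first_fit_append(disk, "doc.txt", 2)
    first_fit_append(disk, "log.txt", 2)     # layout is now LLDDLLDDLL..........
    free_file(disk, "doc.txt")               # holes at blocks 2-3 and 6-7
    first_fit_append(disk, "cache.bin", 5)   # new file is split across the holes and the tail
    before = {n: fragments(disk, n) for n in ("log.txt", "cache.bin")}
    after_disk = defragment(disk)
    after = {n: fragments(after_disk, n) for n in ("log.txt", "cache.bin")}
    return {"before": before, "after": after}
    # -> {'before': {'log.txt': 3, 'cache.bin': 3}, 'after': {'log.txt': 1, 'cache.bin': 1}}


if __name__ == "__main__":
    print(simulate())
```

Run it and `simulate()` reports three runs apiece for log.txt and cache.bin before defragmenting and one run each afterwards; `render()` lets you print the before and after layouts to see the interleaving directly.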

Defragmenting hasn't been as much of an issue since PCs got faster, hard drives with much larger capacities became common and newer versions of Windows (with better file handling) replaced older versions. Many home PC users have nevertheless heard of the defrag utility, which is exactly the familiarity the rogue writers are trading on.

Rogues that impersonate defrag or disk utilities: (three screenshots)


FakeAV-Defrag family history (date first seen):

11/15/2010    Ultra Defragger
11/16/2010    ScanDisk-Defragger
11/30/2010    WinHDD
12/9/2010     HDDPlus
12/12/2010    HDDRescue
12/12/2010    HDDRepair
12/13/2010    HDDDiagnostic

The Internet criminals who make money distributing these fakes are always changing their creations to evade antivirus scanners (at least for a few hours or days) and confuse their potential victims.

Unfortunately, since they've made the change from impersonating anti-malcode products to imitating disk utilities, they've taken away one source of help that Internet users could rely on: sites that list LEGITIMATE anti-malware products, such as:

Virus-Total (click on the "credit" tab)
ICSA Labs

Most legitimate anti-malcode products should show up on one of those lists.

To avoid being scammed by rogues with the “new look” Internet users should be suspicious of any application that:
— is advertised by spam email
— pops up dire warnings that your machine is affected by numerous problems (especially immediately after you click on a web page video to view it)
— tells you that you need to update your browser (often listing a version earlier than the one you’re running.)
— demands that you make a purchase before it will clean or fix problems in your machine

Like many things, if you investigate with a web search engine you will probably find some kind of discussion of the merits (or maliciousness) of the application in front of you.

Your anti-virus application should prevent rogues from downloading and installing. However, the rogue writers change their creations frequently, so a new variant can avoid detection for at least a few hours or days before the AV companies get it into their signature updates. Of course, they also snag Internet users who don't use on-access protection or who do not update their scanners.

You also can search for information on rogues by typing the application name in the search box on the upper left corner of the GFI-Sunbelt Rogue Blog.

(Big thanks to Patrick Jordan)

Tom Kelchner