GFI Labs Blog changes its look

We’ve begun to change the look of the GFI Labs (formerly Sunbelt) blog and we thought we’d give our alert readers some idea of what to expect.

Last June Sunbelt Software was purchased by GFI Software and today we changed the logo on top of the blog to reflect that:

Over the next few months there will be more changes too.

Dr. Newton here will be part of the new “labs” look. He was brought to life by the creative team in the GFI marketing group in our sunny Mediterranean island headquarters on Malta.

Stephen Chetcuti Bonavita, GFI director of marketing said: “Apart from the current tweaks to this site, we are planning new GFI LABS designs, sections and features in the months to come, focusing on continually improving our offering – so watch this space!”

Tom Kelchner

Patch Tuesday coming next week

Microsoft has given advance notification that Patch Tuesday this month will bring 17 security bulletins. The company said there will be fixes for Windows (12), Internet Explorer and Windows (1), Office (2), SharePoint (1) and Exchange (1).

Two of the bulletins are considered “critical”, 14 are “important” and one is “moderate.”

Update:

Holly Stewart wrote on the Microsoft Malware Protection Center blog that the vulnerability in Internet Explorer that was publicized in November (CVE-2010-3962) will be patched on Tuesday.

Public exploit code became available and attacks, largely on weekends, have been reported worldwide, though mostly in China and Korea.

Tom Kelchner

GFI donates software tool to Quebec’s Concordia University

GFI Sandbox will help train future security professionals

Chad Loeven, vice president of GFI’s Advanced Technology Group, this week presented an installation of the GFI Sandbox tool to the Department of Electrical and Computer Engineering at Concordia University in Quebec, Canada.

Concordia University slide show of the event

The $56,000 gift will help support graduate students conducting research in the security cluster. It will allow students to reverse engineer and safely test malware in a secure environment so they can see malicious software in action while having the reassurance that it is contained.

Loeven, who helps manage global business development and strategic direction for GFI’s partner alliances, is an alumnus of the university.

Concordia’s news release about the event: “GFI Advanced Technology Group makes major software donation to Concordia”

Tom Kelchner

Facebook: be wary of those “requests for permission”

Auto insurance site affiliate scam targets your Facebook friends

In Facebook, it is important to think about who you give access to. If you give permission to scammers, your account then becomes their spam tool. To illustrate, we followed one of those tiresome posts:


Following the link required you to give an account named “world-news” permission to:
— post messages to your Facebook wall
— access all Facebook account data
— log in AS the Facebook account owner.


Had you followed this (see below), here’s what would have appeared on your Facebook wall and on friends’ walls overnight: a post that appeared to be from your account “The earth is a spaceship” with a shortened link.

And when friends wonder why you think the “earth is a spaceship” they see the following:

And clicking on them leads to auto insurance quote sites:


But, alas, you get no information about the girl who “took her life” and your friends never find out why the Earth is a spaceship. But then the initial verification page was named “prank of the week.”

Although this is just a tired scam by somebody hoping that you’ll do business with an auto insurance site and they’ll get some commission as an affiliate, the same mechanism is available for much worse — posts containing links to sites that download some serious malcode to name one.

Thanks Matthew.

Tom Kelchner

GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the GFI-Sunbelt Software YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI-Sunbelt Software Blog, the GFI-Sunbelt Rogue Blog and anything else we think might be of interest.

This week we found a fraudulent receipt generator for Amazon purchases, a Facebook phishing scheme that uses a video as a lure and a “membership” site scam that uses Adobe updates as a lure.

Tom Kelchner

Taking a look at fake Amazon receipt generators

It's just...

Above, you can see a vaguely optimistic VirusTotal user summary in relation to a file that’s been doing the rounds for about a month or two. Here is the file in question:

Generator

A “receipt generator”, I hear you ask – what do people want with one of those?

The answer, of course, is rather straightforward:

Youtube comments...

This is a particularly interesting scam, as it doesn’t target regular PC users – it targets the people who sell you things, such as the merchants on the Amazon marketplace. This is what the would-be social engineer sees when they fire up the program:

generator

They can fill in a variety of information, including item name, price and the date the order was taken. Additionally, it allows them to choose between the .com, .co.uk, .fr and .ca Amazon portals. When they hit “Generate”, an HTML file is created in the program folder which looks like this:

this is a fake...

It’s a pretty good facsimile of a genuine Amazon receipt – I just logged into my Amazon account, hit the “Printable Order Summary” button on an old order and it’s identical to the above. Note the small details, such as “Total before tax”, “Sales tax” and other touches that make it as convincing as possible.

What happens once our scammer is armed with his fake receipt? Well, many sellers on Amazon will ask you to send them a copy of your receipt should you run into trouble, have orders go missing, lose your license key for a piece of software and so on. The gag here is that the scammer is relying on the seller not checking the details and accepting the printout at face value. After all, how many sellers would be aware somebody went to the trouble of creating a fake receipt generator in the first place?

Some things to note for the wary seller: not only will you not have a record of these people buying your products, you should be able to confirm with Amazon that no purchase was ever made. Check the orange order number at the top, because those are randomly selected from a set of looping numbers every time the scammer clicks on the “Order Number” button – again, something either the seller or Amazon should be able to check. Finally, the program seems to add some random digits on the “Visa: payment method” section in payment information.

As you can see, the careful seller has little to worry about – many of the items in the fake printout are convincing as a whole, but once you start digging into the details a little bit it quickly falls apart. However, it seems this program has started a little wave of imitations, as evidenced by this screenshot lifted from a (now defunct) downloads portal:

Fake out

Oh dear.

Anyway, it’s clear that sellers will need to keep their wits about them over the coming festive season as I can see this being a particularly popular scam for the time being. If a “customer” seems a little peculiar, ensure you take a good look at their receipt – you probably don’t want to have a Homer Simpson moment after you’ve sent three Playstations to their dropoff address.

We’ve passed the files onto Amazon, and the VirusTotal detection rate is currently 1/42 – we detect this as Hacktool.Win32.Amagen.A.

Christopher Boyd (Thanks to Adam Thomas for additional research).

SEO poisoning in searches for “Mono Lake”


Search engine results have been poisoned for those looking for information about Mono Lake, the California lake where NASA researchers have found a form of bacteria that uses arsenic in its DNA in place of phosphorus when it is in the arsenic-rich environment of the lake bottom.


After a few seconds, this page redirects to this:


Which tries to download 2Gcash. Another link presented by the SEO poisoning, however, leads to a site that tries to download the SecurityTool rogue.

Thanks Adam.

Tom Kelchner

This isn’t a video, it’s a phish

You might be seeing something on your Facebook wall today:


Sadly, it’s not a fun video. It’s just a phish.

The link goes to apps. facebook.com/ lookatuhah, which then redirects to a phishing site:


In other words, if you’re absent-minded enough to enter your credentials again, they will be used to send more of these stupid fake video posts to others — or to do any of a number of other rather nefarious things.

Alex Eckelberry


Russian spam king facing charges in U.S. Federal Court


Operator of the (former) 10-billion-spam-per-day MegaD botnet charged with CAN-SPAM violation


Oleg Nikolaenko, 23, of Moscow, Russia, was due to face arraignment in U.S. Federal Court in Milwaukee today in the wake of his Nov. 16 indictment for violating the CAN-SPAM Act.

According to the complaint in the case filed by the FBI, Nikolaenko made hundreds of thousands of dollars by sending billions of spam emails advertising counterfeit Rolex watches, herbal remedies and counterfeit prescription medications.

The FBI said in the affidavit filed with the criminal complaint that they and investigators from the FTC were led to Nikolaenko as a result of investigations and arrests of U.S. resident Jody M. Smith and Australian resident Lance Atkinson for trafficking in the counterfeit watches and prescription medications. The investigation, in the U.S., Australia and New Zealand led to the MegaD botnet and Nikolaenko.

The botnet was taken down in November 2009.

The Milwaukee Journal Sentinel carried a good story about the investigation and court action to date.

The details in the criminal complaint of the international investigation behind the charges are, oddly, a good read. They show the international nature of big Internet crime and what it’s going to take to bring down the organized groups and powerful individuals that have been evading the law and clogging our spam buckets for so long.

It’s taken law enforcement a long time to develop the investigative capability to handle such borderless high-tech crimes, but it looks like they’ve hit their stride.

Thanks to Brian Krebs of the Krebs on Security blog for posting the criminal complaint.

Tom Kelchner

Your daily dose of “fake program”

Hey, kids: every single game for free on Steam!

youtube fakeout

Or, to be more accurate: a free Trojan for anyone grabbing hackncrack.exe then running it on their system.

Caught you!

VirusTotal scores are a halfway house, with 22/43 currently detecting it. Might want to warn your kids in relation to avoiding this one, as unlike most “Steam cracks” I see floating around on YouTube, this isn’t hidden behind CPA Lead surveys that need to be filled in before downloading – it’s freely available from Rapidshare, Megaupload and others. As for the Trojan itself, it seems to be a fairly typical downloader which requires large amounts of “avoiding completely”…

Christopher Boyd

Search engine algorithms: when is bad “bad”?

Google has altered its ranking algorithm in an effort to keep the web sites of bad businesses from achieving high search rankings because of widespread discussion of their offenses, according to a Google blog piece, “Being bad to your customers is bad for business.”

“Bad” in this case means those online merchants who “…, provide an extremely poor user experience.”

This is significant since there is a growing industry and body of practice built around gaming search engine results to achieve the best ranking when web users search for anything vaguely related to your business. It’s called “search engine optimization.”

Google didn’t give details of the exact tweak that it made, but the blog piece, written by Google Fellow Amit Singhal, carries a great discussion of how difficult the process is.

— Blocking an individual site is easy enough to do, but doesn’t solve the larger issue.

— Google rankings for an individual site are based, in large part, on the number of other sites that link to it. Customer complaint sites include “rel=nofollow” attributes in their page code so search engines don’t mistake the links on their pages for recommendations. Also, the stories on news sites about offensive or criminal sites contain neutral language, so extensive discussion of a bad site could actually boost its rankings.

— Google has something called “Large-Scale Sentiment Analysis for News and Blogs,” but it has limits. Singhal wrote: “…if we demoted web pages that have negative comments against them, you might not be able to find information about many elected officials, not to mention a lot of important but controversial concepts.”

— Apparently Google has considered posting user reviews and ratings next to search results. “Though still on the table, this would not demote poor quality merchants in our results and could still lead users to their websites,” Singhal wrote.

The New York Times ran a story detailing one merchant who appeared to benefit in the rankings by outrageous behavior (as well as other black-hat SEO techniques): “Google Acts to Demote Distasteful Web Sellers”

Tom Kelchner

Adobe update spam scam

Another site selling “memberships” for something that’s free

Here’s the latest twist in the “membership” site scam: spam emails that tell potential victims to update their Adobe Reader include links to a web site intended to look like something related to Adobe products, but is selling “memberships.”

The REAL way to update your Adobe software is on the help menu: help | check for updates (see the end of this blog piece for details).

The spam email:


Notice that the graphic on the web page says “PDF Reader/Writer” and doesn’t mention Adobe, as the email (and the URL it contained) did:


The default selections on the “choose your plan” page include:

— three years of “unlimited VIP access and support” ($12.97)
— one year of “full protection against intrusion with ETD scanner” ($1.49 per month – payable up front, so that’s $17.88)
— “award-winning download accelerator” for $9.95.

That’s a total of $40.80.


A web search for “ETD scanner” is interesting too. Its home page says it has been parked by GoDaddy.

In material that comes with it, it’s described as: “… an anti-spyware/malware/trojan, privacy protector, system performance enhancer and popup blocker software all-in-one!” In its “system requirements” the latest version of Windows listed is 2003.

The scanner is for sale on a site called “BrotherSoft” for $29.95, although only 135 people have purchased it in a year and a half.

A 60-day trial version that we downloaded installed successfully and wasn’t detected as malicious code by VIPRE or other AV sources, but it didn’t download any signature updates, so apparently the only detections it was capable of were those from 2004 (if it’s functional at all).


How to REALLY update Adobe products (IT’S FREE!)

Now back in the REAL world, if you want to update one of your Adobe products, you open it, then select the help menu, then “check for updates.” They’re free.


Thanks Adam.

Tom Kelchner

Proxy services take novel approach to privacy

You’ve locked down your computer. Nothing is going to bypass your privacy shielding programs. AdBlock is fully loaded, NoScript is ready to roll and RefControl is sending “Party on, Wayne” as your custom referrer to all and sundry.

However, you really want to hide your IP address too and decide to load up one of the many web-based proxy services available.

Something humorous I’ve noticed across many web-based proxies recently is that they’re jumping on a marketing strategy that might be slightly at odds with their attempts at privacy for the end-user. In order to keep your private details private, you have to fill in a survey and hand over a bunch of information to third party marketers.

Type in a URL, hit the “Go” button on the proxy and you’ll see one of these:

question time!

fill this lot in, please

One of the stranger marketing tactics I’ve seen…

Christopher Boyd

FTC is considering “do not track” mechanism for web users

The U.S. Federal Trade Commission (FTC) has accepted a preliminary staff report that lays out a framework for Internet privacy and suggests a “do not track” mechanism – possibly a persistent cookie installed on browsers.

The agency was careful to point out that the commissioners see privacy measures as a balancing act. The news release quotes FTC chairman Jon Leibowitz:

“Technological and business ingenuity have spawned a whole new online culture and vocabulary – email, IMs, apps and blogs – that consumers have come to expect and enjoy. The FTC wants to help ensure that the growing, changing, thriving information marketplace is built on a framework that promotes privacy, transparency, business innovation and consumer choice. We believe that’s what most Americans want as well.”

The report also said industry efforts to guard users’ privacy through self-regulation have been too slow and haven’t provided adequate and meaningful protection.

“Although many companies use privacy policies to explain their information practices, the policies have become long, legalistic disclosures that consumers usually don’t read and don’t understand if they do. Current privacy policies force consumers to bear too much burden in protecting their privacy.”

The FTC report recommended that companies should have a “privacy by design” approach and build privacy protections into everyday business practices including:
— reasonable security for consumer data
— limited data collection and retention
— reasonable procedures to promote data accuracy

“Companies also should implement and enforce procedurally sound privacy practices throughout their organizations, including assigning personnel to oversee privacy issues, training employees, and conducting privacy reviews for new products and services,” they said.

“… consumers should be presented with choice about collection and sharing of their data at the time and in the context in which they are making decisions – not after having to read long, complicated disclosures that they often cannot find.”

The commissioners approved the preliminary staff report by a vote of 5-0.

FTC Staff Issues Privacy Report Offers Framework for Consumers, Businesses, and Policymakers

Tom Kelchner

New Facebook lure: death videos

Nobody said Facebook app advertising had to be in good taste.

In the pantheon of fabled people whose stories are used to attract Facebook users to survey/contest/quiz apps ($9.99 billed to your cell phone), the guy who “killed his roommate aftre (sic) Playing Black Ops games in New York” has just joined the various women who killed themselves after their father/boyfriend/whoever posted something about them on FB.

We counted 55 of these in a 10 minute span, so, it’s in circulation.

Lovely.


Of course you have to log in to Facebook.


And at this point you can see where this is going:

It uses your Facebook account to spam itself out to all your friends. At this point you are a vector.

Then it presents some lurid warnings:

And, bingo: “quiz” authentication:

And the sales pitch: one quiz, two clues a week for $9.99.


I’m not sure that anyone falling for this COULD buy a clue.

Tom Kelchner

GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the GFI-Sunbelt Software YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI-Sunbelt Software Blog, the GFI-Sunbelt Rogue Blog and anything else we think might be of interest.

This week we have a fake Trojan removal kit that installs the ThinkPoint rogue, a fake Kodak Galleries site that served up the Bayrob Trojan and a great royal wedding social engineering spoof by the group Scam Detectives intended to raise awareness about online shopping security.

Tom Kelchner

Fake Kodak Galleries serve up Bayrob Trojan

If you or your relatives wander onto a site claiming to be a genuine Kodak website, you might want to think twice before downloading any executables.

Here’s an example of a site located at kodak-webgallery(dot)com, which is currently offline:

Gallery Downloads

The message at the top reads: “New shared photos! You have received some new pictures, to view them simply click the button below”. Hitting the button launches a “Slideshow”, which is actually an executable file that the end-user is asked to download and run.

Doing so opens up a set of photographs taken of a rather large truck from different angles:

Vroom.

After executing the file, the folder WINDOWS\system32\69821772 was created containing various configuration files. Additionally, sijgzxel.exe and fvwtmkry.exe were copied to the System32 folder itself.

Config files

The final piece of the puzzle is a set of references to an email address, eBay, eBay Motors and various other eBay domains (along with the non-eBay Escrow.com) in the process dumps we generated while testing.

It looks like a blast from the past called Trojan.Bayrob has risen from the grave to cause problems for big moneyspenders on eBay. It seems to come around every so often – here’s an attack from 2007 and here’s one from 2008 – and now someone has decided to spam it out from a fake Kodak domain registered via a privacy service.

Bayrob is a nasty little thing, spoofing pages from eBay and other sites to fool the end-user into handing over bundles of cash. Motor buyers are a popular target, hence the reason why many of these attacks tend to involve car photo slideshows. The Trojan can have a devastating impact – here’s a victim who was fleeced out of $8,600 by scammers.

To coin a phrase: whoops.

We detect this one as Win32.Malware!Drop. Detection rates are very low, currently clocking in at 5/43 so be careful out there and don’t be fooled by random photograph galleries. There’s no way to tell if these fake Kodak sites are currently being pimped by automated spam programs, random chatroom links, infected PCs or strange flashing lights in the sky so always check with a known contact if they suddenly want you to check out their new car pictures.

It might cost you a bit more than a tyre change and a new air freshener…

Christopher Boyd (Thanks to Adam Thomas for additional research).

Fake Trojan Removal Kit serves up ThinkPoint Rogue

You might want to steer clear of the following fake security program, being promoted as a “Windows Trojan Removal Kit” but actually hijacking your PC in the form of the ThinkPoint rogue with a mixed (24/43) detection rate.

Fake security program

The file is currently being offered up by your typical “fake security scan” pages, such as microsoftwindowssecurity152(dot)com. Those familiar with this particular rogue will be aware that it tends to stick with domains similar to the one above.

Fake scans

Installing the executable can potentially give you a bit of a headache, with what would appear to the average user to be fake “Blue Screens of Death” and payment nag screens. See here for details on how to get around the supposedly locked up desktop, and check here for some of the many variations on this theme. We catch this one as Trojan.Win32.Generic.pak!cobra.

Christopher Boyd

Fake scam: royal wedding tickets NOT for sale

Just testing

The Register is reporting a social engineering spoof by the group Scam Detectives who offered fake “Golden Tickets” to the royal wedding next April for £250 ($388 USD). There were 160 site visitors on the spoof site in 12 hours willing to buy the fakes.


“Scam Detectives used a free online website building package to set up a spoof site – http://www.royalwedding.weebly.com – only minutes after the announcement of the royal wedding. The site was promoted using social networks, adverts on classified advertising websites and spam posts on popular forums,” Register writer John Leyden wrote.

Scam Detectives, set up about a year ago, said its goal is “To reduce the number of people taken in by online scams every year and stop YOU from losing your hard earned money.”

The stunt is a great awareness raiser, and presents the problem that Internet shoppers always face: how do you spot a fake site?

Scam Detectives’ web site provides some approaches in the details of its investigation of another ticket-selling scam:

— On the site purchase page, try inputting fake data, such as all zeros for a credit card number. If the site accepts a random number and gives a notice that your purchase is on the way, it’s a site set up to steal credit card numbers. A legitimate site will tell you the number is bad.

— Look for contact information on the web site. If there is very limited information or no way of contacting the site owners about problems, something is fishy. A site might list contact email addresses, but if they are fake, you don’t want to do business there. Scam Detectives mentioned that there is a web site set up to check the veracity of email addresses: http://www.verify-email.org (Though for some reason it lists valid Yahoo addresses as bad.)

— Check the “whois” listing for the date the site was set up and contact information. If the site claims to have been in business for years but the whois date shows a registration in the previous few days or weeks, it’s probably a scam. New businesses go online all the time; however, a recent registration date should make you check further.

— Do a search engine check for the site (or company) and see if anyone else has discussed it as a scam or as a site with irregularities.

From our experience, we would suggest that shoppers be especially careful of any web site that is advertised by spam email.
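The whois check from the list above, and the privacy-service registration noted in the fake Kodak gallery post, as a small POSIX shell script (an added example, not from the original post or from Scam Detectives): it pulls the creation date out of whois output, works out the domain’s age without depending on a particular date(1) implementation, and flags registrant fields that point to a privacy or proxy service. The whois text and the .example domain are constructed for illustration; in practice you would pipe `whois <domain>` into the functions.

```shell
#!/bin/sh
# Added example (not part of the original post): whois age and privacy-service
# checks for a shop you have not dealt with before. The whois text below is
# constructed; a real check pipes `whois <domain>` into the functions instead.

SAMPLE_WHOIS='Domain Name: ROYALWEDDING-TICKETS.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2010-11-17T15:02:10Z
Updated Date: 2010-11-17T15:02:10Z
Registrant Name: Privacy Protection Service
Registrant Email: contact@privacy-service.example'

# Print the creation date (YYYY-MM-DD) from whois output on stdin.
# Registrars label the field differently, so several spellings are matched.
creation_date() {
    grep -iE '^[[:space:]]*(Creation Date|Registered on|Registration Date|Created):' \
        | head -n 1 \
        | grep -oE '[0-9]{4}-[0-9]{2}-[0-9]{2}' \
        | head -n 1
}

# Convert YYYY-MM-DD to a Julian day number with integer arithmetic, so that
# date differences do not depend on GNU or BSD date(1) flags.
julian_day() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}          # drop one leading zero (avoids octal parsing)
    a=$(( (14 - m) / 12 ))
    yy=$(( y + 4800 - a ))
    mm=$(( m + 12 * a - 3 ))
    echo $(( d + (153 * mm + 2) / 5 + 365 * yy + yy / 4 - yy / 100 + yy / 400 - 32045 ))
}

# Print the domain's age in days as of $1 (YYYY-MM-DD); whois text on stdin.
# Prints nothing and returns 1 when no creation date can be found.
domain_age_days() {
    created=$(creation_date)
    [ -n "$created" ] || return 1
    echo $(( $(julian_day "$1") - $(julian_day "$created") ))
}

# Print RECENT if the domain is younger than $2 days as of $1, else ESTABLISHED;
# UNKNOWN when whois carries no creation date at all (also worth a closer look).
registration_verdict() {
    age=$(domain_age_days "$1") || { echo UNKNOWN; return 0; }
    if [ "$age" -lt "$2" ]; then echo RECENT; else echo ESTABLISHED; fi
}

# Print YES if the registrant fields point to a privacy/proxy service, else NO.
# Not proof of anything by itself, but a shop claiming years of trading while
# hiding its contact details deserves the further checks listed above.
privacy_registrant() {
    if grep -iE '^[[:space:]]*Registrant.*(privacy|proxy|protect)' >/dev/null; then
        echo YES
    else
        echo NO
    fi
}

# Stand-alone run against the constructed sample, as of 6 December 2010.
printf '%s\n' "$SAMPLE_WHOIS" | registration_verdict 2010-12-06 90
printf '%s\n' "$SAMPLE_WHOIS" | privacy_registrant
```

Run as `whois shop.example | sh -c '. ./check.sh; registration_verdict "$(date +%Y-%m-%d)" 90'` or simply paste the functions into an interactive shell; the 90-day threshold is an assumption and can be tightened.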

Register story: Monarchist marks fall for faux royal wedding ticket site

Tom Kelchner

Navy Memorial site compromised

Unfortunately it seems that the official site of the US Navy Memorial was recently compromised, with the addition of a particularly wordy message for the admins hidden away in a subdirectory, rather than the more obvious target of the frontpage which was left untouched:

Defaced

As you can see from the Google listing above, the defacement takes the form of a rather foul mouthed rant on an otherwise empty page:

Hack text

We’ve notified the admins, and the page in question is currently blank with the site running normally so hopefully they now have things under control. There doesn’t seem to be any intention of placing malicious files there, but it might be worth being careful if visiting navymemorial(dot)org for a few days until it has a 100% clean bill of health.

Christopher Boyd