Surveys: here to stay

You can guarantee that every time a new product comes out, someone will be offering a “free” version of it in return for filling in a survey.

Yes, we’re all thoroughly sick of surveys. What caught my eye more than the entirely predictable “cracks” for Call of Duty Black Ops was a link sitting in most of the videos I saw:

[Image: fake cracks]

“How to download”. Clicking that took me to scdownloads(dot)za(dot)pl, which actually gives the end-user step by step instructions on how to access files stored on “fill in a survey to download” sites such as Sharecash. Multiple languages, too!

[Image: how to download]

[Image: fill these in...]

I’ve no idea who created that website, but obviously individuals are so worried end-users won’t generate money for them that they’re resorting to giving us “The idiot’s guide” treatment. And that particular website isn’t limited to promotion in random fake crack videos, either – you’ll find it being linked to from all manner of offers, “freebies” and pilfered content:

[Image: links galore]

Windows 7 mobile downloads, PS3 jailbreaks, MTV videos, shop hacks, Sony Vegas movie studio keygens…you name it, someone is doing their level best to have you fill in a survey with as little confusion as possible. I’m not entirely sure how “fill this in” could be confusing, but to give you an idea of the way that site is being linked to (and how popular links to surveys are on video sharing portals):

[Image: how many?]

YouTube is telling me it has 15,000+ links to the tutorial page, and there are fifty pages of links from the last day.

[Image: fifty pages of junk]

That’s fifty pages of links to surveys, garbage downloads and – of course – a wonderful tutorial ensuring end-users make the most out of getting nothing in return for signing personal information away.

Surveys: most definitely here to stay.

Christopher Boyd

GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the Sunbelt Software YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI Sunbelt Software Blog, the GFI Sunbelt Rogue Blog and anything else we think might be of interest.

Topics this week: FakeVimes rogue showing up in various places, Internet gaming scams, a loaded rogue download site and Hotmail phishing.

Tom Kelchner

Win two free tickets to American Football’s Big Game

GFI Software is holding a sweepstakes to give away two free tickets to American Football’s Big Game Feb. 6, 2011, in Arlington, TX.

To enter

The free trial and sweepstakes are open until December 31, 2010 to verifiable IT purchasing influencers 21 years or older who work in a business that employs 25 or more employees within the 48 contiguous United States and the District of Columbia. After downloading VIPRE Antivirus Business and completing a short survey, users will be entered for a chance to win the two tickets. To download VIPRE and enter the sweepstakes and for full rules and restrictions, please visit www.VipreTestDrive.com and follow these easy steps:

•    Download VIPRE Antivirus Business by December 31 and test drive it for free
•    Complete a quick survey
•    Be entered for a chance to win two tickets to the Big Game

VIPRE Antivirus Business combines high-performance antivirus and antispyware into a single agent to provide comprehensive endpoint malware protection with low system resource usage. This combination of technologies brings high-performance endpoint protection with anti-malware software that doesn’t slow down users’ PCs, is low on system resources, and makes it easy to protect enterprise networks. For more information about VIPRE, visit: http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/

GFI news release here.

Site is loaded with scam AV product pages

Last week we blogged about a site that was advertised in spam email and appeared to be either selling rogue security products or selling AVG’s FREE antivirus product (“AV scam: is it a rogue or is it AVG’s free edition for sale?”).
A friend at AVG investigated just a bit more and responded:

“LOL look at this:
 
“http://officialversion.ru/antivirus/1/
http://officialversion.ru/antivirus/2/
http://officialversion.ru/antivirus/3/
http://officialversion.ru/antivirus/4/
http://officialversion.ru/antivirus/5/
http://officialversion.ru/antivirus/6/
http://officialversion.ru/antivirus/7/
http://officialversion.ru/antivirus/8/”

The eight professional-looking pages (three are nearly identical) on the site all have generic names with all the design elements that are associated with the advertising of real security products: Symantec’s distinctive yellow colors, the shields and the use of the year in the name. They’re probably landing pages for a spam email campaign.

As we said in last week’s blog piece, we didn’t put in a real credit card number to see what a purchase actually got you. Given what we’ve seen, you really don’t want to go any further.

Thanks Bruce.

Tom Kelchner

Patch Tuesday next week

Microsoft has issued a Security Bulletin Advance Notification for the November Patch Tuesday next week.

Three bulletins will be issued, fixing two remote code execution vulnerabilities in Microsoft Office and one fixing an elevation of privilege issue in Microsoft Forefront Unified Access Gateway.

Microsoft Security Bulletin Advance Notification for November 2010 here.

Tom Kelchner

Banload Trojans pose as .txt files

It seems there are a couple of trojans doing the rounds that are using a (semi) cunning disguise:

[Image: Cunning disguise]

isn’t going to be new to you but I guarantee you’ll have a relative who hasn’t heard of that one before. It’s always worth a mention to a less computer savvy individual! This is (of course) a case where the executable has been renamed to look like it’s a .txt file, when in reality the file is play.txt.exe. Should the end-user download and double click one of the infection files, they’ll have infected themselves.

told a number of websites hosting these files have been taken down in the last hour or two, but I imagine they’ll be back soon enough.

Better go warn granny…

Christopher Boyd

/ Update – to be clear, these files are executables using the double extension trick, where an attacker renames an executable like so:  filename.txt.exe. The file is still an executable, however the creator is hoping the end-user will only see the .txt extension. I’m also having some problems updating this post – as you can see, half the text is missing and refuses to go back in. I haven’t had a Blogger.com glitch for some time, but they come for everyone eventually…
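Checking what a download really is, as an added example that is not part of the original post: the Python below splits a file name into every extension it carries, reports the one the operating system will actually act on, and flags the exact combination the update describes, a document-type decoy sitting in front of an executable extension. The sample listing is constructed (play.txt.exe is the name from the post, the rest are made up), and shown_name() assumes a file browser that hides the final extension, which is the display behaviour the attacker is counting on.

```python
"""Spot the double-extension trick (play.txt.exe) described in the post above."""
import os

# Extensions Windows will execute or hand to a script host when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".wsh", ".msi", ".hta", ".lnk"}
# Extensions attackers use as a decoy because they look like harmless documents or media.
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".jpg", ".jpeg",
              ".png", ".gif", ".bmp", ".mp3", ".mp4", ".avi", ".wmv", ".htm", ".html"}


def split_extensions(name):
    """'play.txt.exe' -> ('play', ['.txt', '.exe']); extensions lower-cased for comparison."""
    base = os.path.basename(name)
    parts = base.split(".")
    return parts[0], ["." + p.lower() for p in parts[1:]]


def classify(name):
    """Return one of: no_extension, not_executable, executable, double_extension."""
    _, exts = split_extensions(name)
    if not exts:
        return "no_extension"
    if exts[-1] not in EXECUTABLE_EXTS:      # only the LAST extension decides what runs
        return "not_executable"
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return "double_extension"            # executable wearing a document costume
    return "executable"


def shown_name(name, hide_last_ext=True):
    """What the user sees when the file browser hides the final extension (assumption:
    this is the display behaviour the attacker relies on). 'play.txt.exe' shows as 'play.txt'."""
    base = os.path.basename(name)
    if not hide_last_ext or "." not in base:
        return base
    return base.rsplit(".", 1)[0]


# Constructed sample listing: play.txt.exe is from the post, the others are made up.
SAMPLE_FILES = [
    "play.txt.exe",
    "readme.txt",
    "setup.exe",
    "Holiday Photos.JPG.scr",
    "invoice.pdf.pif",
    "archive.tar.gz",
]


def report(names):
    """Map each file name to (what the user sees, verdict)."""
    return {n: (shown_name(n), classify(n)) for n in names}


if __name__ == "__main__":
    for name, (shown, verdict) in report(SAMPLE_FILES).items():
        print(f"{shown:24} -> {name:28} {verdict}")
```

Note that the decoy check runs only after the real extension has been confirmed executable; archive.tar.gz has two extensions too, but nothing about it is dangerous, so it must not be flagged.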

AV scam: is it a rogue or is it AVG’s free edition for sale?

Alert reader Laurie (my boss actually) forwarded a copy of an email she received from a friend. It said the sender was “…pleased to announce the newest version of Antivirus 2010 for Windows.”

There was a link to click, of course.


Something called “Antivirus 2010” for sale in November is very odd for three reasons:

1) It’s nearly 2011 and legitimate AV companies are putting out their 2011 versions.
2) There was a rogue security product last year called “Antivirus 2010.”  (VIPRE detection: FraudTool.Win32.Antivirus2010 (v))
3) Although a lot of companies make a product named Anti-Virus 2010, they usually put their name in front of it, such as “Kaspersky Anti-Virus 2010” or “Norton AntiVirus 2010.”

The Antivirus 2010 rogue graphic interface from 2009:


We checked out the URL (officialversion.ru) in the email, putting in our name and a “promotion code” (actually any number will do), went past the “member login page” that made some mentions of the very legitimate AVG anti-virus company, and went on to a credit card payment page. The REAL AVG company (fourth largest AV vendor in the world) offers “AVG Anti-Virus Free Edition 2011” in addition to security software that users purchase.

We noticed the logo on the page mimicked the colors of the AVG logo:

The prices:
— $2.49 per month.
— A two-year “Full Access & Support” choice for $17.49 per month
— Three year “VIP” access for $11.67 per year.
— (optional add on) Firewall for $14.88 – marked down from $39.95
— (optional) Antivirus Pro Version Updates for $8.95.


We didn’t make a purchase, so we don’t really know what’s behind the “pay now” button; however, you can be sure it isn’t anything good.

We can pretty well conclude that the scam email is offering:

— A rogue security product
— AVG’s Anti-Virus Free Edition, except they charge you before they redirect your browser to AVG’s site for download.
— Something else called “Antivirus 2010” that has no visible presence on the Web.

AVG’s real page is here: http://free.avg.com/us-en/homepage

Thanks Laurie. Thanks Doug. Thanks Patrick.

Tom Kelchner

Flexing your DDoS muscles

[Image: DDoS Calc]

Ever wondered how much of a smackdown your Botnet is dishing out? This program lets the budding script kiddie enter some basic information about their Botnet, then hit the calculate button to see how they’re doing.

[Image: DDoS options]

[Image: How does it work?]

“…takes the number of bytes in a typical packet, divides it then multiplies that number against how many victims you have & number of sockets you’re using. This program is considered accurate”.


What it certainly does not do is take into account lost packets, or the connection speed of the infected machines: a dial-up PC isn’t going to be as handy in a fight as a dedicated T1 line, for example. One of the stranger things we’ve seen pop up this week.

Christopher Boyd

FakeVimes rogue is lurking behind that Facebook message

“This is video ffrom yourd alst party”


Alert reader Wendy received a dangerous-looking video link through her Facebook private messages; it turned out to be malicious. Her Facebook friend, however, hadn’t been suspicious enough.


Clicking on the icon to run the video presented a download – an executable file. It just doesn’t get any more suspicious than that.

It was one of the rogues from the FakeVimes family. To see descriptions of the latest in that family, check out the GFI Rogue Blog here.

Thanks Wendy. Thanks Matthew.

Tom Kelchner

Fallout: Scam Vegas

The Fallout series of games have always been a particular favourite of mine, and numerous scams have popped up in relation to them through the years. For example, here’s one that promised you Fallout 3 in return for a Zango install.

The promise:
[Image: Fallout 3]

The reality:
[Image]

Not so much “Amazing game set in a 3D world” as it is “dodgy copy of a half finished tech demo that was never released. Also, a bit rubbish”.

Anyway. Fallout: New Vegas has arrived, and our old friend “Cut and paste Blogspot site promises game crack in return for filling in a survey” has risen from the grave once more. Following the same pattern as the Halo Reach and DC Universe Online scams, you get a website claiming to be “Official” enticing the end-user with a completely useless crack program.

[Image: Scam Vegas]

You know the drill: click the “download” button, and fill in one of these wonderful surveys:

[Image: Vegas questions]

After many warnings that I need to enter valid details or be banned forever (oh, the humanity) I decided to check out one of the links. The Bieber link seemed like the one a child would probably click on – this is what I got:

[Image: Vegas bieber]

A bunch of questions, complete with timer counting down. I’m always suspicious of timers on offers, because they’re often used as a hook to get the end-user to do something (“Fill this in quick, we only have six billion of product X left!”) This one is slightly different, because once the timer hits zero this pops up:

[Image: Vegas bieber]

It’s almost like the survey questions are utterly irrelevant, isn’t it, kids. By the way, it’s £4.50 a week. Enjoy!

The domain being used for this is falloutnewvegasgame(dot)blogspot.com. We’ve reported it to Google, and hopefully it’ll be sitting in a post apocalyptic landfill shortly.

As the rather appropriate tagline from Fallout goes, “War. War never changes”.

Neither do scammers…

Christopher Boyd

Holiday rogues available in searches for “free cards to print”

SEO poisoning leaves FakeVimes online scanner scam in your stocking

Holiday shoppers searching for free greeting cards to print might discover that the rogue security software distributors have already begun using search engine optimization poisoning for terms with seasonal themes:

To avoid poisoned links in a search engine you should beware of:

— sites that appear a number of times in the list of search engine hits, all showing the same phrases
— URLs that are made up of random, meaningless alphanumeric characters. An example would be: /2LitmlZM/

The “free cards to print” hits redirect to the FakeVimes Online Scanner Scam. Here they use a threat name, “Troajn.awF”, that was an actual threat name at one time, although they misspelled it.

Thanks Patrick.

Tom Kelchner

GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the Sunbelt Software YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI Sunbelt Software Blog, the GFI Sunbelt Rogue Blog and anything else we think might be of interest.

Topics this week: The new Antivirus Solution 2010 rogue, SEO poisoning of searches for “pumpkin” or “Jack-O-Lantern stencils,” SEO poisoning of searches for “Vanessa Hudgens No Clothes,” a functional menu in the ThinkPoint rogue and MobileMe phishing.

Tom Kelchner

“My name is FBI Brad…”

Every now and again, a 419 scam mail comes through that fairly boggles the mind.

This is one such mail.

This is to let you know about scam If you know you have  been scam before, this is an help agent to you. This is to let you know that all of you who had lost money to scammers in Africa and USA, i want to let you know that there is a quick opportunity for you all. Mostly lottery. my name is FBI brad I assure you that i will do all i can to get it back to you in 3 days okay About your lost money…. an opportunity to get your money back to you.

Wait – the gimmick here is that I’ve already been scammed by a 419 mail, but with the aid of “FBI Brad” I can reclaim my money with the aid of some random lottery?

Oh, sign me up.

I believe you know what scam means. We are  global scam fighter in CA 93535. we have all the global scam computer to trace all scammer name and location okay to cut this short..if you had sent money to africa you have a chance to take 1 of them to court because 1 of them had been caught. if you lost money or win deaf lottery contact us quick reply back to this email on [removed].


I’m sure we all wish we had a “global scam computer” to hunt down the bad guys, but in this case all we need is a little common sense. Although a ludicrous attempt at web shenanigans, it still leaves a nasty taste in the mouth due to the fact it plays on the fears of victims who have already lost money to scammers. Unfortunately, it’s a very real possibility that someone desperate enough could stand to lose out twice over.

Don’t let this happen to you!

Christopher Boyd

Pumpkin/jack-o-lantern stencils online SEO poisoning

A seasonal SEO poisoning theme leads to FakeVimes scanner scam


Over the weekend our analyst Adam Thomas found poisoned search engine links aimed at Web users searching for printable Jack-O-Lantern stencils. By this morning, many of the links had been blacklisted.

The poisoned links included:

1. knockouts.net/djs4ajfd6/
“A guide to finding free printable Jack-O-Lantern carving patterns online to create … There is no pay for lack of pumpkin carving . Jack-o-Lantern primary. …”

2. v-twinmotorinn.com/cfn19leh/
“Free Printable Pumpkin Carving Patterns – Online Services is a personally written site at . A selection of traditional jack-o-lantern patterns are also …”

3. baseballstadiumreviews.com/pKlhoG1H/
“A guide to finding free printable Jack-O-Lantern carving patterns online to create a Halloween Jack-o-Lantern with your favorite animal pumpkin carving …”

4. tripledays.com/cNeARpIYH/
“Men’s Crochet Vest Pattern Use these free scary pumpkin stencils to carve creepy jack-o-lantern faces. Find printable Halloween templates online or create …”

They all lead to the FakeVimes online scanner scam.
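Turning the two warning signs from the “free cards to print” post into a check that runs over the four poisoned hits listed here, as an added example that is not part of the original post: the Python below flags path segments that look machine-generated (digits mixed into letters anywhere but at the end, or several capitals inside an otherwise lower-case token) and groups hits whose snippet text repeats across different domains. The first four hits reuse the URLs and snippet text quoted above; the two example.org/example.net hits are constructed as benign contrast. The thresholds are assumptions tuned to fit these samples, not a published rule, and heuristics like this will produce false positives on some legitimate short codes, so treat a flag as a reason to look, not a verdict.

```python
"""Heuristics for spotting SEO-poisoned search hits: random-looking paths and repeated snippets."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed result list. The first four (url, snippet) pairs are the ones quoted in the
# post; the last two are made-up benign hits so the heuristics have something to pass.
SAMPLE_HITS = [
    ("http://knockouts.net/djs4ajfd6/",
     "A guide to finding free printable Jack-O-Lantern carving patterns online to create ... "
     "There is no pay for lack of pumpkin carving . Jack-o-Lantern primary."),
    ("http://v-twinmotorinn.com/cfn19leh/",
     "Free Printable Pumpkin Carving Patterns - Online Services is a personally written site at . "
     "A selection of traditional jack-o-lantern patterns are also ..."),
    ("http://baseballstadiumreviews.com/pKlhoG1H/",
     "A guide to finding free printable Jack-O-Lantern carving patterns online to create a "
     "Halloween Jack-o-Lantern with your favorite animal pumpkin carving ..."),
    ("http://tripledays.com/cNeARpIYH/",
     "Men's Crochet Vest Pattern Use these free scary pumpkin stencils to carve creepy "
     "jack-o-lantern faces. Find printable Halloween templates online or create ..."),
    ("http://example.org/halloween/pumpkin-carving-patterns/",
     "Print our free pumpkin carving patterns and stencils for Halloween 2010."),
    ("http://example.net/blog/2010/10/jack-o-lantern-ideas",
     "Ten jack-o-lantern ideas for this year, with printable templates."),
]


def token_looks_random(tok):
    """True for tokens like 2LitmlZM, djs4ajfd6, cNeARpIYH; False for words and windows7."""
    if len(tok) < 6 or not tok.isalnum():          # thresholds are assumptions fitted to the samples
        return False
    has_alpha = any(c.isalpha() for c in tok)
    has_digit = any(c.isdigit() for c in tok)
    if has_alpha and has_digit:
        # letters followed by a trailing digit run (windows7, h264) is normal naming;
        # digits anywhere else inside a word are not.
        if not re.fullmatch(r"[A-Za-z]+\d+", tok):
            return True
    # Mixed case beyond a leading capital or one CamelCase bump (iPhone, MySpace).
    upper_inside = sum(1 for c in tok[1:] if c.isupper())
    has_lower = any(c.islower() for c in tok)
    return has_lower and upper_inside >= 2


def random_path_segments(url):
    """Return the path segments of url that contain a random-looking token."""
    flagged = []
    for seg in urlparse(url).path.split("/"):
        tokens = [t for t in re.split(r"[-_.]", seg) if t]
        if any(token_looks_random(t) for t in tokens):
            flagged.append(seg)
    return flagged


def _fingerprint(snippet, words=8):
    """Normalise a result snippet to its first N words so near-identical copies collide."""
    return " ".join(re.findall(r"[a-z0-9]+", snippet.lower())[:words])


def duplicate_snippet_domains(hits):
    """fingerprint -> set of hostnames showing it, for fingerprints seen on more than one domain."""
    seen = defaultdict(set)
    for url, snippet in hits:
        seen[_fingerprint(snippet)].add(urlparse(url).hostname)
    return {fp: hosts for fp, hosts in seen.items() if len(hosts) > 1}


def suspicious_hits(hits):
    """url -> list of reasons, for every hit that trips at least one heuristic."""
    dupes = duplicate_snippet_domains(hits)
    out = {}
    for url, snippet in hits:
        reasons = []
        segs = random_path_segments(url)
        if segs:
            reasons.append("random-looking path segment: " + ", ".join(segs))
        if _fingerprint(snippet) in dupes:
            reasons.append("snippet text repeated on other domains")
        if reasons:
            out[url] = reasons
    return out


if __name__ == "__main__":
    for url, reasons in suspicious_hits(SAMPLE_HITS).items():
        print(url, "->", "; ".join(reasons))
```

The two signals are deliberately independent: the tripledays.com hit has a unique snippet and is caught only by its path, while the knockouts.net and baseballstadiumreviews.com hits are caught by both, which is the pattern the post describes, one piece of scraped text replicated across many compromised sites.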

Thanks Adam. Thanks Patrick.

Tom Kelchner

PDF exploit in action

Naked ladies as bait, one more time

One of the much-discussed PDF file exploits is circulating in SEO poisoned links. We found it by following links that popped up from a search for “Vanessa Hudgens No Clothes.”

The malcode takes advantage of a vulnerability in an out-of-date version of Adobe Reader (version 6.0), and it prompts the victim to download Java if it doesn’t find it on the machine. Adobe Reader 9.4, the current version, isn’t vulnerable.

Clicking on the “Available Updates” pop-up window runs the exploit, which then installs a downloader that can infect the victim with any one of a rogue’s gallery of malicious code.

VIPRE detects it as Exploit.PDF-JS.Gen (v).
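A first-pass triage for the ingredients a drive-by PDF like this needs, as an added example that is not part of the original post and says nothing about how VIPRE arrives at its Exploit.PDF-JS.Gen detection: the Python below tokenises the PDF name objects in a file, decodes the #xx hex escapes that are used to hide names like /JavaScript from naive string matching, and counts the names that matter (script, auto-run actions, launch and embedded-file hooks). SAMPLE_PDF and BENIGN_PDF are constructed in-line. It does not inflate compressed streams or unpack object streams, so a zero count is not a clean bill of health; a non-zero script count alongside /OpenAction or /AA is the cue to pull the file apart properly.

```python
"""Triage a PDF for script and auto-run names, decoding #xx-escaped names first."""
import re

# Constructed sample: a document-level /OpenAction pointing at a JavaScript action whose
# /JavaScript name is partly hex-escaped (/J#61vaScript) to defeat plain substring searches.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert(1);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton with no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Names worth counting: script bodies, things that fire without a click, and payload carriers.
RISKY_NAMES = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/RichMedia", "/AcroForm")

# A PDF name runs from '/' up to whitespace or a delimiter; '#' is allowed inside it.
_NAME_RE = re.compile(rb"/[^\s/<>\[\]()]+")


def _unescape_name(raw):
    """Decode #xx sequences inside a name: b'/J#61vaScript' -> b'/JavaScript'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def count_risky_names(pdf_bytes):
    """Return {name: occurrences} for every entry of RISKY_NAMES, after unescaping."""
    counts = {n: 0 for n in RISKY_NAMES}
    for m in _NAME_RE.finditer(pdf_bytes):
        name = _unescape_name(m.group(0)).decode("latin-1")
        if name in counts:
            counts[name] += 1
    return counts


def has_autorun_script(pdf_bytes):
    """True when the file carries JavaScript AND a hook that runs it without a click."""
    c = count_risky_names(pdf_bytes)
    script = c["/JS"] or c["/JavaScript"]
    autorun = c["/OpenAction"] or c["/AA"]
    return bool(script and autorun)


if __name__ == "__main__":
    for label, data in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        hits = {k: v for k, v in count_risky_names(data).items() if v}
        print(label, hits, "autorun script:", has_autorun_script(data))
```

Run on the constructed sample it reports /JS, /JavaScript and /OpenAction once each and an autorun verdict of True; the benign skeleton reports nothing. Because the tokenizer works on raw bytes, a dropper that wraps its action dictionary in a FlateDecode stream will sail past it, which is why this is triage and not detection.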

Thanks Patrick

Tom Kelchner

Adobe will fix Shockwave Player today

Adobe has announced that today it will fix the critical vulnerability in the Windows and Macintosh versions of Adobe Shockwave Player 11.5.8.612 (and earlier). The company said it has received reports of active exploitation.

The vulnerability (CVE-2010-3653) can crash the application and allow an intruder to take control of the system.

Security bulletin here: http://www.adobe.com/support/security/advisories/apsa10-04.html

If you use Shockwave Player, it would be a good idea to watch for the update.

Tom Kelchner

ThinkPoint rogue has functioning menu

(Which you can use to get rid of it)

When you fall victim to the ThinkPoint rogue security application, the downloader reboots your machine and then presents its own scanning screen on what appears to be a Windows blue screen.


Once the machine is rebooted, the rogue takes over the machine by preventing Explorer.exe from loading (which means the desktop will not load, either). If you click on the X in the upper right corner to close out of ThinkPoint, you are then presented with the “unprotected startup” screen.

A victim can’t get around the ThinkPoint screen because “current settings don’t allow unprotected startup.”

However, ThinkPoint actually has an operating “settings” selection with a drop-down box that includes a checkbox “Allow unprotected startup.” You can close the ThinkPoint window and load your desktop once that has been checked. From there, you can use Windows Task Manager to stop hotfix.exe — the rogue’s main file.

Alternatively, you can install and run VIPRE, which will remove the rogue, too.

We described ThinkPoint on the GFI-Sunbelt Rogue Blog Friday here.

Thanks Dodi.

Tom Kelchner