Russian and Romanian Cybercrime

“…In the 1970s, communist dictator Nicolae Ceausescu ordered the nation’s universities to make sure young Romanians learned about computers. As freedom came, many well-trained young programmers moved to other parts of Europe and to America to escape the dismal economy at home. But many stayed.

It was much the same in the former Soviet Union. The education system cranked out scientists and computer programmers, but the economy staggered. Graduates of schools there had computer skills that rivaled any in America, but most of them couldn’t afford computers…” From today’s Rocky Mountain News via SpywareInfo.


Alex Eckelberry


Nasty host file hijack

Check out this host file hijack found on this website.  The hijacker methodically pointed a large list of bank hostnames (apparently mostly UK banks) in the user’s host file at the hacker’s IP address.  (For the newbies: your host file is like an address book for your internet connections.  Click here for an easy writeup on host files or here for a more technical writeup.)

In other words, you merrily go to Barclays bank and get redirected to the hacker’s website.  The sad thing is it’s such a stupidly simple hack.

This is just another reason why it’s a good idea to lock down your host file.  Wayne Cunningham explains how to do that here.  But remember that nothing is foolproof, as nasty spyware programs like CoolWebSearch are masters of altering read-only hosts files.

<snip snip>
O1 – Hosts: 141.225.152.142 onlineaccounts2.abbeynational.co.uk
O1 – Hosts: 141.225.152.142 www3.aibgbonline.co.uk
O1 – Hosts: 141.225.152.142 www.bank.alliance-leicester.co.uk
O1 – Hosts: 141.225.152.142 login.iblogin.com
O1 – Hosts: 141.225.152.142 ww2.bankofscotlandhalifax-online.co.uk
O1 – Hosts: 141.225.152.142 inet.barclays.co.uk
O1 – Hosts: 141.225.152.142 iibank.barclays.co.uk
O1 – Hosts: 141.225.152.142 iibank.cahoot.com
O1 – Hosts: 141.225.152.142 www3.coventrybuildingsociety.co.uk
O1 – Hosts: 141.225.152.142 ww.hsbc.co.uk
O1 – Hosts: 141.225.152.142 login.ebank.offshore.hsbc.co.je
O1 – Hosts: 141.225.152.142 ww3.online-offshore.lloydstsb.com
O1 – Hosts: 141.225.152.142 ww3.online-business.lloydstsb.co.uk
O1 – Hosts: 141.225.152.142 ww3.online.lloydstsb.co.uk
O1 – Hosts: 141.225.152.142 ww3.online.lloydstsb.co.uk
<snip snip>
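The pattern in the log above (many bank hostnames funnelled to one public address) is easy to check for mechanically. The following is an added example, not code from the original post: it parses HijackThis "O1 - Hosts:" lines and flags any routable address that several names point at. The sample log is constructed here in the shape of the lines above, using the one IP the post quotes.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the HijackThis "O1 - Hosts:" lines
# above: two ordinary loopback entries and four bank names funnelled to
# the single public address quoted on the page.
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 ads.example-tracker.test
O1 - Hosts: 141.225.152.142 inet.barclays.co.uk
O1 - Hosts: 141.225.152.142 iibank.barclays.co.uk
O1 - Hosts: 141.225.152.142 ww3.online.lloydstsb.co.uk
O1 - Hosts: 141.225.152.142 ww.hsbc.co.uk
"""

# Accept either a plain hyphen or the en dash HijackThis output often shows.
O1_RE = re.compile(r"^O1\s*[-\u2013]\s*Hosts:\s*(\S+)\s+(\S+)", re.IGNORECASE)

def parse_o1_lines(text):
    """Return (ip, hostname) pairs from HijackThis O1 lines; other lines are ignored."""
    pairs = []
    for line in text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs

def find_hijacks(pairs, min_hosts=3):
    """Group hostnames by the address they map to and flag any public
    (non-loopback, non-private) address that min_hosts or more names point at.
    Legitimate hosts-file use almost always maps names to 127.0.0.1/0.0.0.0
    (ad blocking) or to LAN addresses, so many names funnelled to one
    routable IP is the signature of the bank-redirect hijack shown above."""
    by_ip = defaultdict(list)
    for ip, host in pairs:
        by_ip[ip].append(host)
    flagged = {}
    for ip, hosts in by_ip.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged[ip] = sorted(hosts)  # unparsable target: always worth a look
            continue
        if addr.is_loopback or addr.is_private or addr.is_unspecified:
            continue
        if len(hosts) >= min_hosts:
            flagged[ip] = sorted(hosts)
    return flagged
```

Running it over a real HijackThis log only needs the file contents passed to parse_o1_lines; lower min_hosts to 1 if you want every public-address mapping listed.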


Alex Eckelberry

Direct Revenue talks to Newsweek

Oh man, I wish I had time to really blog on this.  But for now, read the article.

One priceless comment: “I agree there is some frustration around Aurora. However, with our improved branding and disclosure, users should feel free to uninstall our ad client.  It seems to me there are still some people who for some reason do not trust our uninstall process, who try to remove it by their own means.”

Dude, a user has to go to a friggin website to uninstall your product.  And howls of user agony over your product can’t just be blamed on distribution channels.

Alex
(Tip o’ the hat to Suzi)

Test your phishing knowledge

Sascha over at Paretologic posted some tips on Phishing.  Good stuff.

It reminded me, however, of a test that MailFrontier (a competitor of ours) did a while back. So I’m posting it for all the world to see.

You’re going to be surprised by this one.  I did this quite a while back and it was not a cakewalk. Some of these are hard.

So take this test from MailFrontier and see if you can guess which emails are legitimate or not.

Feel free to comment your results 😉

And for a good (and free) anti-phishing toolbar, download Cloudmark’s.

Alex Eckelberry

Wireless security, the year of living dangerously

The National Association of State CIOs has issued a report on wireless security, entitled “The Year of Working Dangerously”. Link to the report here.

While serious in nature, they paint a somewhat humorous analogy of past technology vs. current:

“Jim, a state employee, checks the radio of his brand new 1985 Buick Riviera for a morning traffic report—everything’s normal so far. Miles down the road, however, Jim realizes that he forgot his favorite BBQ chips. Hurriedly, he spins by the grocery store only to find an empty shelf where the BBQ chips should be. Making the best of it, Jim places a refill order on an existing prescription at the grocery’s pharmacy counter. Back on the road, Jim finds a long line at the toll road because of drivers with incorrect change. Frustrated, he turns on the radio, dialing past the music of Bruce Springsteen and John (still Cougar back then) Mellencamp, only to miss important detour information. What Jim also does not know is that a very time-sensitive message is waiting for him on his desk. Once at work, Jim scrambles between meetings with colleagues and accessing and reviewing files on his new desktop computer with a massive 20 MB hard drive.

Fast forward twenty years. Again taking off without his BBQ chips, Jim’s wife alerts him via his smart phone. This time, he finds his BBQ chips in plentiful supply. Radio Frequency Identification (RFID) tracking at the pallet level helps the grocery store stay well-stocked and also ensures that Jim’s prescription does not contain counterfeit substances. Jim checks out quickly by waving his RFID payment key fob at the cashier counter. At a stoplight, Jim reads an urgent email on his smart phone. He then breezes past the toll booth in his silver Nissan 350Z Coupe without stopping. The toll booth’s RFID reader automatically scans an RFID-tagged sticker on Jim’s car and deducts the toll from his pre-paid account. Listening to Coldplay’s new single, Jim receives a traffic advisory from his on-board telematics system. On time to work because his on-board navigation system guided him through a detour, Jim powers up his wireless laptop with the needed files and conducts a meeting in a colleague’s office. Jim’s use of a smart phone, wireless network and laptop do not compromise sensitive state information because of good security and privacy protection measures and training the state provided to Jim and his colleagues about the responsible use of wireless technologies.”

Kids hack computers, go to jail?

This is nuts.  A dozen kids at Kutztown Area High School “hacked” into the school’s network.  OK, it’s very wrong, but the clueless luddites at the high school are pressing felony charges.

From an editorial in the local newspaper:

“…Nobody is accused of altering grades or stealing personal information. The school district likens the tampering to vandalism of school property, saying it had to spend time and money for its technicians (who seem to have been outwitted by the savvier students at every turn) to restore the altered software to its original state….Felony charges against the students also fail to reflect the school district’s culpability here. The district inadvertently gave out its password to students by taping it to the back of the laptops. No computer system is invulnerable, but the district’s firewalls have looked more like speedbumps.”

What these kids did is completely wrong and should be punished.  However, I think most techies can see themselves as bright, bored (and usually nerdy) teenagers having maybe done the same thing.

What happened to the normal disciplinary actions like suspension, detention or, God forbid, being forced to do extra PE?

I know what I might do as principal: have the kids make up for the damage by working as sysadmins for the school.

But felony charges? Give me a break.

Feel free to comment.

Alex Eckelberry

Grokster madness continues!

After my last blog entry on Grokster, I got some interesting new things to look at.

Eric Howes emailed me with this snippet: “Just tested the Grokster install on a Win2K machine: this thing drops the .NET install bomb on computers without .NET already (which may be why you didn’t see this). No surprise, really, given that it installs BroadcastPC.tv, which was the culprit in the previous rounds. As with those previous installs, there is no notice whatsoever that .NET would be installed.”

So Grokster is installing a BIG FAT .NET PAYLOAD!!!  Sounds familiar…

Then Alex Morganis blogs that Grokster is installing a trojan.    Interestingly, he got the same results I did, but F-Secure is tagging one of the files as a trojan. It’s this nasty KVM thing, whose entire purpose in life is to bring down other adware (Eric’s seen it on other sites as well, such as 4w-wrestling(dot)com).

And now, for the final blow, Grokster hoodwinked someone at Download.com, who despite their laudable “Zero Tolerance No Adware” policy, has allowed Grokster to be downloaded again.

The download.com version is different from the one on the Grokster site but pretty darned close.  It still installs Cydoor, which displays ads (within the Grokster app). It still pops you to http://client(dot)grokster(dot)com/us/start/?c=as&ver=265, which provides friendly adware installs.  And then on reboot it prompts the user to install BlueTide Software (Surf Sidekick), which displays pop-up ads on the user’s desktop in response to user web browsing.

This Grokster install at Download.com is the second piece of adware we’ve seen back on the download.com site. The other is Warez p2p, which does contextual advertising as well as installing new.net.

One of our researchers reports that after allowing this Grokster installation to fester for a while, the installed software downloaded a raft of other software, including ABI/Aurora.

Madness.

Alex Eckelberry


Zotob? Relax, take the blue pill

Another example of how Microsoft can just make a blogger’s day.

Microsoft issued a statement on Zotob last night.

“There are currently a number of press reports regarding an Internet worm called Zotob. News reports had indicated that there was potentially a new worm. We are not aware at this time of a new attack; instead our analysis has revealed that the reported worms are different variations of the existing attack called Zotob. Microsoft has reviewed the situation and continues to rate the issue as a low threat for customers…Zotob has thus far had a low rate of infection. Zotob only targets Windows 2000. Customers running other versions such as Windows XP, or customers who have applied the MS05-039 update to Windows 2000 are not impacted by this attack.”

Windows uber-guru Paul Thurrott at Windows IT Pro lashes out: “This statement bears little comfort for companies such as ABC, Caterpillar Company, CNN, Daimler Chrysler, “The Financial Times,”  Kraft Foods, “The New York Times,” San Francisco International Airport, SBC Communications, United Parcel Service (UPS), and The Walt Disney Company, all of which suffered computer crashes, downtime, and repeated reboots because of the worm attacks. According to reports, at least six separate worms have exploited Microsoft’s recently revealed flaws.”

He goes on to make this point: “…Only Win2K, eh? According to AssetMatrix, Win2K is the most-often used Windows version in medium- and large-sized corporations, edging out XP 48 percent to 37 percent. Put another way, roughly half of all Windows installations in corporations are Win2K”

Zotob is not light stuff.  It is hitting companies.  While someone could say that system administrators out there should have taken steps to patch their systems earlier, many of these IT professionals are harried souls dealing with meager budgets and a lack of resources.

I respect Microsoft for having patched this thing, but judging from the current emotional level on the ‘net, the PR team at Wagged might put in a dash more compassion in Microsoft’s statements on Zotob.

Alex Eckelberry


Grokster is back with their ad-supported version

Grokster had pulled their advertising-supported (adware) version, offering only a paid-for version.  Now the ad-supported version is back, offering loads of fun for all users.

I thought maybe Grokster got religion.  After all, they lost with the Supreme Court.  People have been upset about adware in Grokster for quite some time.

Wrong.

First, the text on the free download page is totally confusing.  It says: “In order to download the free version of Grokster, you must agree to install all of the adware listed below during the Grokster install” (it also classifies this adware as “valuable downloadable software”).

However, you can un-check the boxes, which gives you the impression that you can take these little adware components off.

[screenshot: Grokclick]

Well, uncheck away, because it doesn’t seem to matter.  There’s this little thing at the end of the page:

[screenshot: Grok4]


Now, here’s what’s odd.  It doesn’t seem to actually install these components, even though it tells you it will. You get other stuff though (like WinFixer), but not nearly as much as you see above.

Maybe they want to leave that as an option in the future.

At any rate, after the install you get presented with some pop-up about installing Crystal Palace. You also get directed to a start page (http://client(dot)grokster(dot)com/us/start/?c=af&ver=265), which instantly pops up an installer for another piece of adware.

[screenshot: Kvm123]

Going back to that same page, you get an ActiveX prompt (which looks like this under XP SP2):

[screenshot: Grok2]

Clearly, they have a bit of a ways to go…A lot of the problem seems to revolve around the client.grokster site.

Maybe it doesn’t matter, because the prominent images linking to Music pages go to Mediafeast, which is, well, out of business.

Alex

HTTP request smuggling

“HTTP Request Smuggling works by taking advantage of the discrepancies in parsing when one or more HTTP devices/entities (e.g. cache server, proxy server, web application firewall, etc.) are in the data flow between the user and the web server. HTTP Request Smuggling enables various attacks – web cache poisoning, session hijacking, cross-site scripting and most importantly, the ability to bypass web application firewall protection.”

Link.
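The quoted description hinges on two parsers framing the same request differently. As an added example (not from the original post or the linked paper), the function below is the kind of first-hop check a proxy or WAF can apply: it returns every reason a request head is ambiguously framed under the HTTP/1.1 rules, so that such a request is rejected rather than forwarded. The sample requests are constructed.

```python
def check_request_framing(raw):
    """Return the reasons an HTTP/1.1 request head is ambiguously framed,
    or an empty list if it is not. The point of the check is the one the
    quote above makes: a request that two parsers may frame differently
    should be rejected at the first hop rather than passed downstream."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    problems = []
    cl_values = []
    te_present = False
    for line in head.split(b"\r\n")[1:]:   # skip the request line
        if not line:
            continue
        if b":" not in line:
            problems.append("malformed header line")
            continue
        name, value = line.split(b":", 1)
        if name != name.strip():
            # Leading or trailing whitespace in a field name (obsolete line
            # folding and the like) is exactly what parsers disagree on.
            problems.append("whitespace around header name")
        key = name.strip().lower()
        value = value.strip()
        if key == b"content-length":
            if not value.isdigit():
                problems.append("non-numeric Content-Length")
            cl_values.append(value)
        elif key == b"transfer-encoding":
            te_present = True
            if value.lower() != b"chunked":
                problems.append("unrecognised Transfer-Encoding")
    # RFC 7230 section 3.3.3: a message with both framing headers, or with
    # more than one Content-Length, may be refused outright.
    if te_present and cl_values:
        problems.append("both Transfer-Encoding and Content-Length present")
    if len(cl_values) > 1:
        problems.append("more than one Content-Length header")
    return problems

# Constructed sample requests: one cleanly framed, one carrying both
# framing headers, one with two Content-Length values.
GOOD = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
BOTH = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
       b"Content-Length: 6\r\n\r\nhello!")
```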


Ma, I’m not playing GTA, I’m playing Solitaire!

Off topic: A “PSP hacker by the name of Matan phoned in to let us know he ported Bochs (an open-source x86 emulator) to the PSP…” Link (thanks to BoingBoing and Wonderland)

So now you can run Windows 95 and Linux on your PSP!


Thankfully, there isn’t a whole lot of spyware that runs on Windows 95.

Alex Eckelberry

UK users apathetic about ID theft

Unisys UK proclaims that UK users are apathetic about ID theft.

To our neighbors (and erstwhile masters) across the pond, I’m happy to show you some examples of some UK people who got nabbed in the recently discovered ID theft ring.

I don’t know if Unisys overstated the problem, but here is what they found:

  • 11% of UK consumers have been the victims of identity theft and fraud
  • 58% have no desire to be educated about fraud
  • 61% have no concerns about the safety of bank or building society accounts
    (only 9% worry a lot compared to almost twice that for U.S. consumers)
  • 73% of consumers have never been contacted by their banks to discuss potential fraud
  • 50% would not switch banks or building societies if offered better security protection

Unisys thinks it’s costing businesses 1.3 billion pounds a year.


Alex Eckelberry


Vigilante group shuts down 15 banks

The LazyGenius writes about an article originally posted on CastleCops, on how Artists Against 419 have successfully shut down 15 banks through their vigilante activities.

[image: Artists]

As you may know, the infamous “Nigerian” scams (also called 411 or 419 scams, after the section of the Nigerian penal code that deals with this type of fraud scheme) are those weird emails you get asking you to help some poor Nigerian diplomat get money out of his country.  There are many variations of these scams, as we’ve blogged on before.

Artists Against 419 is a group of people who try to exhaust the bandwidth of scammer banks by linking to images on the fake banks’ websites.


Alex Eckelberry