Battle.net password troll campaign (in Engrish)

Scammers who don’t appear to be native speakers of English are trolling for Battle.net passwords with a spam campaign. The spam emails contain messages that appear to be invitations to an “event.”

Battle.net is Blizzard Entertainment’s online service on which vast numbers of members play Starcraft and World of Warcraft. These are games in which characters have teeth like 400-pound Shih Tzus, VERY improbable hair styles and weapons that make top-level Pentagon officials salivate. Blizzard has been saying World of Warcraft has “more than 11 million” monthly subscribers for about two years now.

BraittleNet spam

“Blizzard billing Cataclysm will support in the near future, thanks for users of Blizzard, we have an event as long as you participate in the opportunity to participate in the Cataclysm CDKEY use Activation, you use the following link to obtain the user login…”

Ok. Well, that isn’t the way you use commas in real English (or words either), but we’ll follow the link anyway. (Kids, don’t try this at home.)

Braittle_net

Ah yes, just a few letters off from the real thing:

Battle_net

And the phony Battle.net site domain was set up when? Oh! Today!

Whois Record

Registrant Contact:
Ji XiaoWei
xiaowei ji
+86.5787245132 fax: +86.5787245132
LiShui Dengtalu 25
LiShui Zhejiang 323700
cn
. . .
DNS:
ns1.4everdns.com
ns2.4everdns.com
Created: 2010-08-11
Expires: 2011-08-11

A spam troll using a similar site, “battrlie.net,” was blacklisted several days ago.

Domain name: battrlie.net

Registrant Contact:
Ji XiaoWei
xiaowei ji
+86.5787245132 fax: +86.5787245132
LiShui Dengtalu 25
LiShui Zhejiang 323700
cn

. . .

DNS:
ns1.4everdns.com
ns2.4everdns.com

Created: 2010-08-06
Expires: 2011-08-06

And if you don’t have a real Battle.net account, the “create account” button on the phony site takes you to the REAL Battle.net site so you can set up a REAL account and THEN the scammers can steal it.
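The two WHOIS records above share a registrant name, the same pair of name servers and creation dates only days old, and both domains are a couple of letters away from battle.net. The following Python triage is an added example, not code from the original post: it scores a domain on edit distance to a short list of protected brand domains and on registration age parsed from the WHOIS “Created:” line, and it pulls out the registrant and name-server fields that let you pivot from one record to the other. The WHOIS snippets inside it are constructed to mirror the records quoted above; the spelling “braittle.net” for the first domain is taken from the screenshot captions, and the observation date (2010-08-11, the day the post says the domain was created) is an assumption.

```python
"""Lookalike-domain triage on the signals visible in the WHOIS records above:
edit distance to a protected brand domain, registration age, and shared
registrant / name-server infrastructure.

Added example, not code from the original post. The WHOIS text below is
constructed to mirror the quoted records; SEEN (the date the spam was
observed) is an assumption."""
from datetime import date

PROTECTED = ("battle.net", "blizzard.com")
SEEN = date(2010, 8, 11)  # assumption: the day the spam arrived

# WHOIS excerpts, constructed to match the records quoted in the post.
WHOIS_BRAITTLE = """Domain name: braittle.net
Registrant Contact:
Ji XiaoWei
DNS:
ns1.4everdns.com
ns2.4everdns.com
Created: 2010-08-11
Expires: 2011-08-11
"""
WHOIS_BATTRLIE = """Domain name: battrlie.net
Registrant Contact:
Ji XiaoWei
DNS:
ns1.4everdns.com
ns2.4everdns.com
Created: 2010-08-06
Expires: 2011-08-06
"""


def levenshtein(a, b):
    """Classic edit distance: insert, delete or substitute one character, cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def whois_field(text, name):
    """Value of the first 'name: value' line in a WHOIS dump, or None."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def pivot_keys(text):
    """Registrant name and name servers: the fields that tie the two records above together."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    keys = set()
    for i, l in enumerate(lines):
        if l.lower() == "registrant contact:" and i + 1 < len(lines):
            keys.add(("registrant", lines[i + 1].lower()))
        if l.lower().startswith("ns") and "." in l and ":" not in l:
            keys.add(("ns", l.lower()))
    return keys


def triage(domain, whois_text, observed, max_dist=3, young_days=30):
    """Flag a domain that is a near-miss of a protected brand and/or was
    registered within young_days of the date it was observed in spam."""
    dom = domain.lower().strip(".")
    closest = min(PROTECTED, key=lambda p: levenshtein(dom, p))
    dist = levenshtein(dom, closest)
    created = whois_field(whois_text, "Created")
    age = (observed - date.fromisoformat(created)).days if created else None
    reasons = []
    if 0 < dist <= max_dist:
        reasons.append(f"{dist} edit(s) away from {closest}")
    if age is not None and age <= young_days:
        reasons.append(f"registered {age} day(s) before it was seen")
    return {"domain": dom, "closest": closest, "distance": dist,
            "age_days": age, "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    for dom, rec in (("braittle.net", WHOIS_BRAITTLE), ("battrlie.net", WHOIS_BATTRLIE)):
        print(triage(dom, rec, SEEN))
    print("shared infrastructure:", pivot_keys(WHOIS_BRAITTLE) & pivot_keys(WHOIS_BATTRLIE))
```

Edit distance alone would also flag legitimate near-neighbours, so the registration age and the shared registrant/name-server pivot are what turn a hunch into a blocklist entry; a real deployment would feed the pivot keys back into WHOIS lookups to find the next domain the same registrant stands up.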

Thanks Douglas. Thanks Wendy.

Tom Kelchner

August Patch Tuesday

Microsoft has issued the following bulletins:

MS10-046 — Microsoft Windows (Critical)
Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)

MS10-047 — Microsoft Windows (Important)
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)

MS10-048 — Microsoft Windows (Important)
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)

MS10-049 — Microsoft Windows (Critical)
Vulnerabilities in SChannel Could Allow Remote Code Execution (980436)

MS10-050 — Microsoft Windows (Important)
Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997)

MS10-051 — Microsoft Windows (Critical)
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403)

MS10-052 — Microsoft Windows (Critical)
Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)

MS10-053 — Microsoft Windows, Internet Explorer (Critical)
Cumulative Security Update for Internet Explorer (2183461)

MS10-054 — Microsoft Windows (Critical)
Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214)

MS10-055 — Microsoft Windows (Critical)
Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665)

MS10-056 — Microsoft Office (Critical)
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)

MS10-057 — Microsoft Office (Important)
Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (2269707)

MS10-058 — Microsoft Windows (Important)
Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)

MS10-059 — Microsoft Windows (Important)
Vulnerabilities in the Tracing Feature for Services Could Allow an Elevation of Privilege (982799)

MS10-060 — Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight (Critical)
Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)

Microsoft’s August bulletin here.

Tom Kelchner

U.S. FTC stops Canadian domain name registration scammers

Four Canadian residents have settled charges brought in 2008 by the U.S. Federal Trade Commission, which accused them of scamming small business owners by sending phony bills for Internet services. Other victims were billed by the company, Internet Listing Service, for bogus “Search Optimization” services that were supposed to drive traffic to their web sites.

A default judgment order was entered against Steven E. Dale, ordering him to return $4,261,876 to victims. Under the settlement order, the other defendants, Isaac Benlolo, Kirk Mulveney, Pearl Keslassy and 1646153 Ontario Inc., agreed to pay $10,000.

In 2008, at the FTC’s request, a federal district court judge in Chicago ordered the group’s business, Internet Listing Service of Toronto, to stop making the deceptive claims and froze its assets pending trial. The settlement and default judgment orders announced today bring the litigation to a close.

FTC story here: FTC Halts Cross Border Domain Name Registration Scam

Tom Kelchner

Oh yea, right! A rogue named “Wireshark”

Those unpleasant folks who bring you those unpleasant rogue security products are continuing their recent trend of naming their malicious creations after legitimate security products. The advantage (to them) is that a potential victim, wondering if he should install one of these money-sucking creations, might do a web search to see if the thing in front of him is a legitimate product. Seeing a site pop up with a similar name might give the victim assurance that he was looking at a legitimate security product and cause him to install the rogue.

We blogged about a rogue named VirusTotal 2010 a few days ago. It’s obviously intended to suck some of the legitimacy out of the high-profile Virus Total malware analysis site.

Francis Montesino, the manager of Malware Processing in Sunbelt’s Clearwater office, noticed this one after it went into VIPRE definitions recently: a rogue named “Wireshark Antivirus,” which obviously is trying to borrow the reputation of the very popular (very real and very legitimate) Wireshark network analyzer.

Wireshark_2

It does all the usual stupid rogue stuff: pretends to scan your computer, finds alleged malicious code then refuses to leave until you purchase it.

Wireshark_payment

VIPRE detects it generically as the ever-popular Trojan.Win32.Generic!BT.

The Wireshark Antivirus graphics bear a striking resemblance to a rogue named “SysInternals Antivirus” that Microsoft found in June. Microsoft’s Sysinternals troubleshooting utility suite is a very old and respected collection of tools used by the folks who maintain networks.

SysInternals
(photo credit: Microsoft)

Thanks Francis.

Tom Kelchner

Patch Tuesday this month: 14 bulletins

Microsoft has issued advance notification for its patch Tuesday next week. The Windows-using population of planet Earth can expect 14 bulletins, eight of them rated “critical.”

Patches will be posted for Internet Explorer, Office, Silverlight and Windows. Silverlight is Microsoft’s browser plug-in platform for building interactive web applications.

More info here: Microsoft Security Bulletin Advance Notification for August 2010

Tom Kelchner

Is the economy hurting “work-at-home” scammers?

Spam-advertised training drops from $197 to $ 59.90

Elizabeth Jackson, “America’s Top Work At Home Consultant,” spammed me again. I can’t understand why her generous offers (making $75 per hour!) keep going into that pesky spam folder.

HEA spam

It might be a time warp thing, since her email was dated 14 years in the future. Of course you might expect ripples in the space-time continuum from a domain named “contrastivecontortion.com.” Whois says it’s registered in Romania and has a tech contact with an email address at jokernethosting.com.

Spam ISP

We blogged about Elizabeth and “Work at Home Position Placement” July 7. This month she appears to be working for Home Employment Agency.

Home Employment Agency

Her new “Work-At-Home” web site is just as verbose as the last one – a pitch that runs to about 7,000 words. Near the end she finally mentions the price. It’s considerably lower than the $197 last month:

Hea_cost

I’m sure I’ll be hearing from Elizabeth again, although the “INCOME CLAIM WARNING” on the web page hints that Elizabeth doesn’t really exist. It also hints that if you sign up for the program, you might not make any money at all and that the people giving testimonials were paid to do so and the pictures of them are really of somebody else.

But then, the date on the email was in the year 2024.
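A Date: header 14 years ahead of the time the mail arrived is itself a usable spam signal; filters such as SpamAssassin score large future or past skews for exactly this reason. The following Python check is an added example, not code from the original post: it parses the Date: header of a raw message and compares it with the time the message was received. The sample messages are constructed to mimic the one described (a 2024 date seen in August 2010); the addresses in them are placeholders at example.com, not the real sender, and the receive time is an assumption.

```python
"""Flag mail whose Date: header is far from the time it was received.

Added example, not from the original post. The messages below are
constructed; addresses are placeholders and RECEIVED is an assumption."""
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed to mimic the spam described above: received in Aug 2010, dated 2024.
SPAM = """From: Elizabeth Jackson <elizabeth@example.com>
To: victim@example.com
Subject: Make $75 per hour working at home
Date: Tue, 13 Aug 2024 09:15:00 +0000

America's Top Work At Home Consultant has an offer for you...
"""
# A normally dated message for comparison (same headers, sane date).
NORMAL = SPAM.replace("Date: Tue, 13 Aug 2024 09:15:00 +0000",
                      "Date: Tue, 10 Aug 2010 08:55:00 -0400")
# Assumption: when the MTA handed us the message.
RECEIVED = datetime(2010, 8, 10, 13, 0, tzinfo=timezone.utc)


def date_skew(raw, received_at):
    """Signed difference (Date: header minus receive time), or None when the
    header is missing or unparseable, which is a red flag in its own right."""
    hdr = message_from_string(raw).get("Date")
    if hdr is None:
        return None
    try:
        sent = parsedate_to_datetime(hdr)
    except (TypeError, ValueError):      # malformed header (exception type varies by Python version)
        return None
    if sent.tzinfo is None:              # RFC 5322 "-0000": no usable zone, treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return sent - received_at


def classify(raw, received_at, future=timedelta(hours=96), past=timedelta(days=7)):
    """'future' / 'past' for skew beyond the tolerances, 'bad-date' for a
    missing or unparseable header, otherwise 'ok'. The tolerances are loose on
    purpose: clock drift and delayed delivery are normal, 14 years are not."""
    skew = date_skew(raw, received_at)
    if skew is None:
        return "bad-date"
    if skew > future:
        return "future"
    if skew < -past:
        return "past"
    return "ok"


if __name__ == "__main__":
    for label, msg in (("spam", SPAM), ("normal", NORMAL)):
        print(label, classify(msg, RECEIVED), date_skew(msg, RECEIVED))
```

The receive time should come from your own MTA (the topmost Received: header or the delivery timestamp), never from anything the sender controls; the Date: header is the only sender-supplied value in the comparison.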

Tom Kelchner

Living with the iPhone .pdf vulnerability

Workaround: use Opera browser (and be careful opening .pdfs in mail)

Apple is working on a fix for the much-publicized .pdf vulnerability in the iPhone – and might be putting the finishing touches on one – but it looks like it might be a while before it is available.

This isn’t a small problem. There could be nearly 100 million vulnerable iPhones and iPod Touches out there at this point. In the spring, Steve Jobs said that more than 50 million iPhones and 35 million iPod touches had been sold. According to the Wall Street Journal’s “Market Beat” blog, the company is projecting sales of 12 million of the new iPhones by the end of the third quarter (Sept. 30.)

It also isn’t an insignificant problem, since it is very convenient to do one’s banking in the phone’s browser.

There are actually two vulnerabilities in the phone that were made public over the weekend. The first is in the Apple operating system code that parses fonts embedded in PDF files: a crafted PDF can get an attacker’s code running in the phone’s PDF viewer, whether the file arrives through the browser or as a mail attachment.

The second vulnerability allows an application to operate outside of the phone’s security sandbox and gain root access.

Using an alternate browser such as Opera might be a good workaround until the problem is resolved. Opera will ask for confirmation before it opens a PDF file and then renders it inside Apple’s PDF viewer. Note that the rendering still happens in Apple’s vulnerable viewer; the prompt only gives you the chance to decline a PDF you weren’t expecting.

Here is a screen shot of the Opera browser asking for permission to open a .pdf file:

iPhone exploit

The Opera browser is available in Apple App Store (http://itunes.apple.com/app/opera-mini-web-browser/id363729560).

It’s ALSO important that users exercise caution opening PDF attachments from unknown sources inside of the Apple Mail application.

Thanks Adam.

Tom Kelchner

Tales from the epicenter: lightning-induced power surges and computers

Network equipment is at risk too.

It’s the season for lightning storms in much of the northern hemisphere.

Here in Clearwater, Fla., we’re really aware of the risk of damaging surges since some pretty intense storms come through almost every afternoon and evening.

Uninterruptible power supplies (UPSs) and surge protectors are standard countermeasures, although a poor man’s risk management strategy is simply to unplug electronics when the storms come through. Putting equipment on power strips and turning those off makes it a bit more convenient. Working on your laptop on battery power (with no wired network connection) during storms is a pretty good idea too if you just CAN’T get off the computer (guilty here.)

Johannes Ullrich at SANS in Jacksonville, Fla., posted a great diary entry about his experience with equipment damage from lightning-induced surges. Apparently lightning does strike the same place twice, since he describes two experiences:

“The damage I had, in particular in the last storm, affected exclusively network equipment and networking interfaces. I assume that the surge entered the network. I lost two switches and the wired network interfaces in two PCs. Otherwise, the PCs work fine. So far I had not used any network surge protectors, but now started to use the surge protectors provided by the UPS. This appears to work fine, but in some cases, the network now works as “half duplex” and no longer in “duplex” mode. I looked into stand alone network surge protectors for some devices, and it turned out to be a bit hard to find one that supports gigabit ethernet. But they are available. The UPS network surge protection is only supposed to work up to 100 Base-T but synced fine at Gigabit (no duplex).

“A thunderstorm a couple months ago caused some “interesting” damage to my cable modem. I was only able to upload 1MByte in a single connection. This was very weird as it also applied to connections inside VPN tunnels, the cable modem shouldn’t really ‘see’ what was happening. But sure enough, swapping the modem fixed the problem. I added a surge protector for the cable line as well…”

“Couple other hints:

– do not plug surge protectors into a UPS. If the UPS runs on batteries it will usually generate a steep sine wave which may destroy surge protectors (in particular tricky to find power strips without surge protector)
– do not plug a UPS into a UPS (same reason as above)

– lightning damage can be subtle. None of my equipment has any visible damage

– proper grounding of all lines entering the house is important (around here, I find that utility companies are pretty good about that)

– once the power is out, turn off the main fuse to the house. But be aware the main fuse can be hard to “flip”. Depending on the nature of the outage you may have some surges and unstable power until the damage is repaired (if you want to know when power comes back, just flip all the individual fuses other than one or two that only power lights)”

SANS Diary entry here.

Tom Kelchner

What’s in a (rogue) name? VirusTotal 2010

There is a well-respected and very useful site that everyone in the anti-virus industry uses – sometimes several times a day: Virus Total. You can upload suspicious files or their checksums to Virus Total to see if a file is malicious. The makers of a new rogue have picked up on the Virus Total name in an effort to make their malicious creation look like something legitimate:

Virus_total detection

What it tries to download is detected as FraudTool.Win32.FakeRean (fs).

Here’s what the real Virus Total site looks like. It runs your sample or checksum against 41 anti-virus engines and displays the resulting detections.

Real Virus Total

We’ve entered the MD5 checksum of the VIPRE detection (above) and copied here a portion of the Virus Total page (32 detections cut out) with the Sunbelt detection highlighted:

Virus total working

Nice work Bharath.

Tom Kelchner

Malicious warez site offers Firefox 4.0 beta download scam

How much freer can it get?

Like a lot of seedy stuff, this started with a Twitter post:

Firefox crack_twitter

The current release of Mozilla’s Firefox browser is 3.6.8. Version 4 is in beta testing. You get both FREE from Mozilla.

Real Firefox

Why would you need a crack (a program patched to bypass its licensing checks) or a keygen (a program that generates serial numbers or license keys for a paid program) for something that is FREE?

Well, there’s a sucker born every minute and the folks at this warez (pirated software) site are betting there are a lot of them using Twitter.

Anybody who was unwise enough to bite on this, (if they were running VIPRE) would see this when they hit the download button for the crack or the keygen:

FF Crack

The crack and keygen were infected with a Trojan downloader VirTool.Win32.Obfuscator.hg!b (v). That’s the Sunbelt detection for an old standard commonly known as “2GCash-FakeCrackSerial.”

Clicking the button to download Firefox 4.0 takes the potential victim to another site:

FF 4_0 download

That one offers a whole nest of things to download that are infected with:

FraudTool.Win32.FakeVimes
Trojan-Downloader.Win32.CodecPack.2GCash.Gen
Trojan.DNSChanger.Gen
Virus.Win32.Parite
TrojanDownloader-Win32/FakeRean

Thanks Patrick

Tom Kelchner

DC Universe Online targeted by fake Beta key scammers

DC Universe Online is an upcoming MMORPG for PlayStation 3 and PC that lets you punish evildoers alongside Batman, Superman and a large collection of other DC Comics superheroes. As you might imagine, interest levels are high, and this is turning into an attractive piece of bait for scammers everywhere.

I mean, one look at the fancypants cinematic trailer and you can see why people are getting excited over it:

As a result, numerous YouTube videos (what else!) and blogs are popping up promising entry to the Beta test. Here are just a few from the last day or so; there are many more:

scams galore

Almost all of the videos point to the same spamblog, although we’re now seeing the contents of said blog being lifted and used by other scammers (which link to their own downloads, naturally). Here’s a screenshot of a typical video:

DC scam

I did consider embedding one of the videos, but as most of them autoplay bad 90s techno or feature some rapper guy singing about his 40 ounce and his bling bling hubcaps I thought the screenshot was the safer option. Anyway, the main spamblog here is dcuniverseonlinebeta(dot)blogspot(dot)com which looks like this:

DC spamblog

Due to increased promotion, the site has had 52 visits today with a total of 357 visitors since the site launched – I imagine that number will continue to rise. What they want you to do is download a “DC Universe Online Beta Registration” program, which generates a code to give access to the Beta testing.

If you want to place your bets that this is a fakeout, now is the time to do it.

Hitting the download link takes you to that favourite of scammers everywhere, the multiple survey popup:

scam popups

Hand over your personal information to a random third party, and you’ll be able to download this executable:

it really works, honest

Oh, the excitement. Fire it up and you’re presented with this admittedly slick looking interface:

beta generator

Hitting “Generate Code” gives you a Beta key that is absolutely the most useless Beta key in the history of anything. All the program does is display the same short list of non-random codes over and over again, every time you fire it up. Predictably, this doesn’t help very much when trying to join the Beta.

Cue a lot of soon to be dashed hopes and signing up on the DC Universe Online website:

DC Beta signup

“Redeem your code”. Well, if we had a code that actually worked we might get somewhere. As it is, prepare to wave goodbye to your dreams of punching Lex Luthor in the face:

Code fail

ADVANTAGE: EVIL.

Anything that takes place after you’ve filled in the survey is just filler: the story ends once you’ve filled in a survey and the scammer has generated affiliate cash. All you’re left with is a (non-infectious) fake application, a bunch of non-working Beta keys and a grumpy Activation Code page telling you off for repeatedly entering fake codes.

You have to admire the chutzpah of one particular scammer who claims to have 10 whole sets of codes for you to download and use. Amazingly (or not) each and every one is protected by a survey.

you want how many surveys filling in?

Gee, I wonder if those codes are fake too.

You don’t have to be Batman to work out that random promises of Beta keys involving dubious spamblogs and executables are not going to deliver. Other downloads further down the line could easily be infected files instead of fake code generators, and at the very least you’re giving undeserved cash to people who by rights should be tasting the business end of Superman’s fist.

Up, up and run away…

Christopher Boyd