Generating false hope with fake generators

Another day, another random website offering up freebies that you’d be better off without. This time around, the site in question is located at freeamazingsoftwares(dot)blogspot(dot)com. The free programs include – stop me if you’ve heard this one – RuneScape gold generators, iTunes giftcard generators, Amazon Giftcard generators and XBox Live points generators.

Of course, it doesn’t matter which program you want to download – your final destination will be this:

“Are you dumb? Find out now!” Never a truer word spoken, courtesy of ye olde survey popup. Assuming the user fills in one of the above quizzes / signs up to a ringtone service, they’ll be free to download one of the above programs.

Will they work as advertised? Given that I’ve yet to see a working Microsoft points generator – and I’ve seen a lot of points generators – my answer would be “nope”. Could you take that “nope” and apply it to all the other programs too?

“Yep”. As with so many of these types of website, at best you’ll get a non-functional dummy download. At worst, you could end up with anything from a phishing tool to a piece of data-theft malware. Worth the risk? I think we’re back to “nope” again…

Christopher Boyd

Rootcon 5: Greetings from Cebu!

This year, Cebu Island is playing host to the fifth Rootcon security conference, which takes place on the 9th and 10th of September. GFI Software has two standalone talks at this one – “Introducing TDL4, a Sophisticated Fraudster’s Rootkit” by Berman Enconado and “Console (In)Security: The Oncoming Storm” by my good self. Additionally, we’re on a panel discussing the threat of “Cyberterrorism” alongside Paul Sabanal (IBM Security Systems) and a chap named Sven Herpig who is both a professor and a PhD student specialising in Cyberwarfare.

There’s a whole bunch of other talks taking place too, on everything from VoIP security and IPv6 to lockpicking, penetration testing and reversing Android applications. If the talks aren’t your thing, the event also doubles as a job fair and we will be on the lookout for both fresh and experienced talent.

 If you’d like to listen to me complain endlessly about everything that’s gone wrong since I arrived – and who wouldn’t – you can do so here on my personal blog thing. Otherwise, we’ll be posting various updates from now until the weekend so roll on Rootcon!

Christopher Boyd

Facebook Profile Rollback Phish

Here’s a phishing scam that lures users with the promise of getting their “old Facebook profile” back. What that means is up for debate – maybe the scammer is harking back to a land of slightly less privacy options, or maybe he just wants you to look like a Geocities page from 1996. Either way, here it is:

You too can convert your new Facebook profile into an old one for the low, low cost of your login details.

Here is the “Need Old Profile Back” Facebook page:

As you can see, it’s a fairly typical “Click this…then that…then all of those” page, begging for Likes, Suggests and Invitations from other Facebook users. You don’t have to do this to see the “Profile Converter”, but lots of users will jump through the hoops anyway. Here comes the phish itself, in the form of a Google Docs Spreadsheet:

They claim that entering your Facebook login along with your name will mean your profile is converted to “an older version” in 46 hours. Why 46? Why not 48? That’s the kind of thing you could distract yourself with for at least, oh, thirty seconds before going back to complaining about things on the Internet.

It’s all academic anyway at this point, because those nice people at Google killed it shortly after we reported it to them. Sorry guys, but the changes Facebook have made aren’t going away anytime soon, so you’d better get used to it and steer clear of scams like this one (a scam which, basic as it was, still picked up just over 2,000 clicks since January).

Hopefully only a small portion of those 2,000 fell for it, but you know how appealing those spinning Geocities gifs can be…

Christopher Boyd

Northumbria Police Authority website defaced, serving Phish for breakfast

It seems the Northumbria Police Authority website (northumbriapoliceauthority(dot)org(dot)uk) was compromised recently to push a “fight the power” message, and it looks like the defacement is the least of their worries as you’ll see shortly.

What is the Northumbria Police Authority?

We could use my wonderful description (“An Authority for the Northumbria Police”), but I think an official source would likely be more informative. According to that handy link, they appoint chief constables, make sure the Police are doing their job and listen to locals complaining, which is definitely something I can get behind.

Unfortunately, this is how the Northumbria Police Authority were rolling earlier today in Google Search:

“The Northumbria Police Authority website was hacked by lamine Foued ( Dr.F0u3D). F*ck You admin. Freedom For T.H.T Anonymous Tunisia :D.”

This isn’t quite a 187 on an undercover cop – in fact, it’s nothing like that – but they’ve still done a number on the website. At time of writing, the hack has been removed though you can still see it basking in, er, glory through the wonders of Google Cache:

Well, the defacement may have been cleaned up, but the Northumbria Police Authority have another problem at the scene of the crime. And by “problem”, I mean “Paypal phish making a gang sign from the comfort of the Northumbria Police Authority website”.

Call for backup! Anyway, we’ve reported the phish and hopefully it’ll be offline soon enough.

Christopher Boyd

WARNING: Incoming Hurricane Irene Scams Ahead!

As much as we dread hearing about disasters, the natural ones most especially, happening in the parts of the globe where many of our families and friends are, we still keep an eye out for what’s happening. And as much as we dread remembering that there are people out there who actually bank on news about such natural disasters to scam others, we continue to remind you about them. If you’re someone who wants to give financial aid to those who need it during these trying times, this reminder is for you.

A few days back, the FBI issued a warning to netizens to “beware of fraudulent e-mails and websites claiming to conduct charitable relief efforts”. The warning also pointed readers to the IC3 government Web page, where they can read tips on how to avoid getting entangled in this kind of fiasco. I suggest you visit that page. Also, please tell your friends and family about scams popping up not just in their email inboxes but possibly in their social networking streams, too.

For reference, here is a short list of some of the “natural disaster” scams that have been seen in the wild:

Stay safe!

Jovi Umawing

The Longstanding KVGB Compromise

Our friends at Zscaler blogged last February about a website compromise involving Karnataka Vikas Grameena Bank (KVGB), a prominent regional rural bank in India. At the time, the site housed malicious JavaScript (JS) code that redirected visitors to another domain which was believed to be malicious at one point. The code was found to be “multilevel obfuscated”. According to the same entry, they informed the bank about the code injected into its website.

As of 11:05 PM (GMT-4:00) on August 25, six months after that post was published, GFI Senior Exploit Analyst Francesco Benedini was alerted that KVGB was still hosting obfuscated JS code. Below is a screenshot of the code found on the site:

After deobfuscating it, Benedini determined that the supposedly malicious domain is inactive and thus poses no threat to visitors of the bank’s site. The script itself, however, still works. We detect the malicious code as Trojan-Downloader.JS.Twettir.a (v), and VirusTotal shows a 24/43 detection ratio across AV vendors.

Our experts have also pointed out that the attack is related to the MBR rootkit (Trojan-Spy.Madlo) we generally know as Sinowal / Mebroot. This is because (1) the obfuscation technique used in this attack is reminiscent of the technique used by Sinowal, and (2) the structure of the inactive URL follows the one seen in Sinowal infection campaigns.
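
An injected loader of this kind tends to give itself away by shape before anyone deobfuscates it: a decoder call such as unescape() or eval() fed a long run of %XX or \xXX escapes, packed onto one unbroken line. The scanner below is an added example, not GFI’s or Zscaler’s tooling and not the KVGB script itself; SAMPLE_HTML is constructed, with one ordinary UI script and one harmless stand-in shaped like the escaped-string-into-eval pattern described above, and the scoring thresholds are assumptions chosen to separate those two.

```python
"""Heuristic scan for injected, obfuscated inline <script> blocks in a web page.

Added example, not GFI's or Zscaler's tooling. SAMPLE_HTML is constructed: the
second script is a harmless stand-in shaped like the escaped-string-fed-to-eval
pattern described in the post, not the real KVGB injection.
"""
import re
from html.parser import HTMLParser

# Decoder/writer calls that ordinary page scripts rarely need but obfuscated loaders lean on.
DECODER_CALLS = ("eval(", "unescape(", "String.fromCharCode(", "document.write(")
# %XX, \xXX and \uXXXX escapes: the raw material of multilevel string obfuscation.
ESCAPE_RE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")


class ScriptCollector(HTMLParser):
    """Collect the body of every inline <script> element, in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inside = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._inside = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._inside = False

    def handle_data(self, data):
        if self._inside:
            self.scripts[-1] += data


def score_script(src):
    """Return (score, reasons) for one script body; higher means more suspicious."""
    score, reasons = 0, []
    for call in DECODER_CALLS:
        if call in src:
            score += 1
            reasons.append("calls " + call[:-1])
    n_escapes = len(ESCAPE_RE.findall(src))
    if n_escapes >= 20:  # assumed threshold: a handful of escapes is normal, dozens are not
        score += 2
        reasons.append(f"{n_escapes} escaped characters")
    longest = max((len(tok) for tok in src.split()), default=0)
    if longest >= 200:  # assumed threshold: packed loaders arrive as one long token
        score += 1
        reasons.append(f"{longest}-char unbroken token (packed code)")
    return score, reasons


def scan_html(html):
    """Return [(script_index, score, reasons)] for every inline script on the page."""
    collector = ScriptCollector()
    collector.feed(html)
    return [(i, *score_script(s)) for i, s in enumerate(collector.scripts)]


def flagged(html, threshold=3):
    """Indices of inline scripts whose score reaches the (assumed) review threshold."""
    return [i for i, score, _ in scan_html(html) if score >= threshold]


def _percent_encode(text):
    return "".join("%%%02X" % b for b in text.encode())


# Constructed sample page: one ordinary UI script, then an obfuscated hidden-iframe loader.
_HIDDEN = "document.write('<iframe src=\"http://redirect.invalid/\" width=0 height=0></iframe>')"
SAMPLE_HTML = (
    "<html><head><script>function toggle(id){var e=document.getElementById(id);"
    "e.style.display=e.style.display=='none'?'':'none';}</script></head>"
    "<body><h1>Bank home page</h1>"
    '<script>var k=unescape("' + _percent_encode(_HIDDEN) + '");eval(k);</script>'
    "</body></html>"
)

if __name__ == "__main__":
    for index, score, reasons in scan_html(SAMPLE_HTML):
        print(f"script #{index}: score {score} {reasons}")
```

Run against a saved copy of a page, the first script scores 0 and the loader scores 5 (two decoder calls, dozens of escapes, one packed token), so only the loader is flagged for review. A scanner like this is a triage aid rather than a detection: it points an analyst at the block worth deobfuscating, which is the step that, in this case, showed the destination domain was already dead.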

GFI is currently attempting to reach KVGB in order to help them clean up their website.

Jovi Umawing (Thanks to Adam Thomas for additional information)

Facebook Makes a Move Toward Security

Facebook recently published a guide for its users on how to secure their online accounts against the things that threaten one’s Facebook security. Among those covered are Wall, Chat and Comment spam, weak passwords, fake applications and account hacking. Personally, I’m quite happy that Facebook is actually doing something about user security, even if it is rather late, come to think of it. Still, better to have something than nothing.

The guide contains practical tips and cases that illustrate how serious each attack can be if ignored. It also makes some great, agreeable points that make it a good reference anyone can recommend to friends and family who are on Facebook. Feel free to download it here and distribute it.

Jovi Umawing

Of Spam and Speeding

Our engineers over at the AV Labs have recently spotted a deluge of spam about a “traffic ticket” that purports to come from a state department in New York. The spam carries a compressed file attachment that, once extracted, contains a file bearing the icon of a normal Adobe .PDF file. Mimicking file icons is, of course, a common tactic criminals use to allay any doubts or worries recipients may have about such emails, which are in fact malicious.

“The malware appears to be sent from a botnet of unknown origin.” says GFI Spyware Researcher Adam Thomas.

When this supposed .PDF file is “opened,” it connects to sfkdhjnsfjg(dot)ru (a server in Ukraine) to download and execute the file, pusk3.exe. This .EXE file, detected as Trojan.Win32.Generic.pak!cobra, is a dropper/downloader. As of this writing, it drops/downloads a rogue AV and TDL rootkit variants.

CNN has written an article about this ticket spam early last month. Seeing that it’s still getting attention, we can surmise that it still is very much at large.

VIPRE users are already protected from ever accessing and downloading the interesting “goodies” on the .RU site. And you can protect yourself from nasty attachments pretending to be something else by making Windows show the file extensions of all files on your system. It’s a simple thing to do, yet it can save you from a computer security disaster.
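
The icon trick works because, with extensions hidden, a file named Traffic_Ticket.pdf.exe shows up as “Traffic_Ticket.pdf” with a PDF icon. The triage script below is an added example, not GFI’s or VIPRE’s code: it opens a zip attachment and flags members whose name claims a document while a double extension or the file’s first bytes say “executable”. The zip is constructed in memory, the “ticket” inside it is a byte stub that merely starts with the MZ header a .EXE carries, and the extension lists are assumptions chosen for illustration.

```python
"""Triage of a compressed mail attachment for executables disguised as documents.

Added example, not GFI's or VIPRE's code. The zip is constructed in memory; the
'ticket' member is a byte stub starting with the 'MZ' header that Windows
executables carry, not a real program.
"""
import io
import zipfile

# File signatures ("magic bytes") an extension is expected to carry (assumed short list).
MAGIC = {".pdf": b"%PDF", ".exe": b"MZ", ".scr": b"MZ"}
# Extensions Windows will run directly, and ones a lure tends to imitate (assumed lists).
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png"}


def split_extensions(name):
    """All extensions of a filename, lowercase: 'a/b.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.rsplit("/", 1)[-1].split(".")
    return ["." + p.lower() for p in parts[1:]]


def triage_member(name, head):
    """Reasons (possibly none) why a member with this name and leading bytes looks disguised."""
    reasons = []
    exts = split_extensions(name)
    last = exts[-1] if exts else ""
    # 1. Document-looking name ending in an executable extension (hidden when extensions are off).
    if last in EXECUTABLE_EXT and any(e in DOCUMENT_EXT for e in exts[:-1]):
        reasons.append(f"double extension {''.join(exts)} hides an executable")
    # 2. Content is a Windows executable but the extension does not say so.
    if head.startswith(b"MZ") and last not in EXECUTABLE_EXT:
        reasons.append(f"PE header but extension {last or '(none)'}")
    # 3. Extension has a known signature and the content does not match it.
    expected = MAGIC.get(last)
    if expected and not head.startswith(expected):
        reasons.append(f"content does not match the {last} signature")
    return reasons


def triage_zip(data):
    """Map member name -> reasons for every archive member with a finding."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the signature is needed; never execute the member
            reasons = triage_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample attachment: a PE stub under a .pdf.exe name, a note, and a PE under .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Traffic_Ticket.pdf.exe", b"MZ" + b"\x00" * 62)  # PE-like stub, not a program
        zf.writestr("notice.txt", b"Please find your citation attached.")
        zf.writestr("photo.pdf", b"MZ\x90\x00stub")  # PE content behind a document extension
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in triage_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(why))
```

On the sample archive the script reports the double-extension “ticket” and the PE content hiding behind photo.pdf, and says nothing about notice.txt. Checking the first bytes rather than trusting the icon or the name is the same idea as turning extensions on, done at the mail gateway instead of on the desktop.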

Jovi Umawing (Thanks to Adam Thomas for the analysis)

Phony Mc Bling Sting

CCleaner (formerly Crap Cleaner, which is a glorious name) is a handy program used to remove unwanted files, fix borked registry entries and more besides.

There’s a website located at myccleaner(dot)ru which claims to be offering up multiple versions / builds of CCleaner:

It’s also offering you the chance to part with your money in various spectacular ways. At time of writing, none of the download links work save for one: “ccsetup303.exe”. Unfortunately for us, this is what’s known in the business as “a very bad thing”. Check it out:

Things look reasonably normal at this point, but then it all goes horribly wrong:

It’s not quite all the tea in China, but it is every payment method under the Sun. SMS, paid call, credit card, terminals, Paypal, webmoney and so on. Click some of the links, and they show you all the fun ways you can cough up some dough to (theoretically) get your hands on the program up for grabs. Here’s an example:

Most of the payment methods seem to clock in at around $5 USD. Not sure I’d chance it personally – you’d be much better off going to the official site and grabbing it there instead. As for ccsetup303.exe, it has a 29/43 score on VirusTotal and we detect it as Hoax.Win32.ArchSMS. You also score one whole cool point if you got the Simpsons reference in the title.

Christopher Boyd

Here’s another thing that’s scary about Shady RAT

A lot of chatter and breathless reporting about Shady RAT.  All the makings of an epically awesome story — the US is being taken down by Chinese interlopers to the nastiest degree, installing keyloggers and other badness on US government computers. 

Whatever.  Who the heck knows how bad this thing really is (and I am not the only skeptic).

But here’s what’s of concern to a lot of security researchers I deal with:  It was known by McAfee (and certainly others) but no one apparently ever did anything to take the C&C down, even after knowing about it for months.

Let’s take a look at this paragraph from the hyperbolic Vanity Fair article (italics are mine):

“Alperovitch first picked up the trail of Shady rat in early 2009, when a McAfee client, a U.S. defense contractor, identified suspicious programs running on its network. Forensic investigation revealed that the defense contractor had been hit by a species of malware that had never been seen before: a spear-phishing e-mail containing a link to a Web page that, when clicked, automatically loaded a malicious program—a remote-access tool, or rat—onto the victim’s computer. The rat opened the door for a live intruder to get on the network, escalate user privileges, and begin exfiltrating data. After identifying the command-and-control server, located in a Western country, that operated this piece of malware, McAfee blocked its own clients from connecting to that server. Only this March, however, did Alperovitch finally discover the logs stored on the attackers’ servers. This allowed McAfee to identify the victims by name (using their Internet Protocol [I.P.] addresses) and to track the pattern of infections in detail.”

So McAfee blocked the IPs for its own customers. In March the C&C was discovered. It’s not clear if it’s still up or finally down (or if it was down by June).

I never saw one mention of this C&C on any of the closed and vetted security lists I’m on. A simple “takedown please” would have generated all the help necessary. This is how a lot of bad stuff gets handled, and the vast majority of internet users are none the wiser that there is a large group of very dedicated researchers who are making their lives safer every day. All of the data on the C&C can be put away nicely for post-takedown analysis.

I’m quite certain that McAfee wasn’t the only organization that knew about this, so it’s not only McAfee who shares the blame here. Furthermore, I am not singling out McAfee (we work with them on other areas and there are many very decent people there). Furthermore, McAfee is being clear that this issue is “old news”, and McAfee’s Dmitri Alperovitch is not acting the role of the self-aggrandizer, but rather as a researcher sharing some pretty interesting and educational insights.  Furthermore, McAfee did reach out to infected victims. 

However, there are many groups or organizations, upon having proof of this C&C, that would have been all over shutting the thing down as fast as possible in coordination with other security organizations.

The bigger point is this:  If you, as a security researcher, discover Really Bad Stuff, you should do everything in your power to get that Really Bad Stuff shut down.  The next time you see a killer presentation at Blackhat or RSA, ask “what have you done to solve the problem?”.

Perhaps we need a voluntary code of ethics for the security industry. It can start with some pretty simple things, like “If I see really bad stuff happening, I will work with others to fix it”. Enlightened self-interest and all that.

Screw NDAs, the fear of competition getting a heads-up on your research, losing a scoopable news story, etc.

This is not about McAfee.  This is about the industry.  There are researchers out there who aren’t in a position to share data with competitors due to corporate reasons.  They shouldn’t be in that position.  

Alex Eckelberry

Pottermore: Expecto Riddikulus!

Now that I have Harry Potter fans foaming at the mouth for randomly mashing up two unrelated spells to express the intent of this blog entry, I’ll continue.

Pottermore is – help me out here, Wikipedia – a site that will sell eBooks of the Harry Potter novels, provide over 18,000 words of additional content including background details and settings and “experience” the events of the books first hand. All I know is, lots of Harry Potter fans are excited.

Access is currently limited for the Beta, and of course this means ole’ lightning forehead has become a prime target for scams and people wanting to turn a quick profit. Things you should be keeping an eye out for, and running away from:

1) The Official Blog has listed some things you probably shouldn’t be getting involved in. Individuals offering to “register on your behalf, with your details” should be avoided. Buying and / or selling accounts on places such as eBay? Don’t go there, Hermione. Not only are you “depriving genuine fans”, you’re also giving money to random people and hoping they give you access to the accounts they claim they’ve set up. You have some protection in place should you start dabbling in eBay auctions (though not from the price – $100 for a “Buy it now”? Oh dear):

Go throwing your cash around on “myfakewebsite(dot)whatever” and you may be in a little more trouble.

2) Videos on Youtube. I guess if someone is willing to pay up to $100 for Beta access that may not even exist, they’d certainly be willing to walk right into this “Old as the hills” favourite:

“Beta access” available for “Download”. At the risk of making like Nostradamus, I wonder if we’ll see a survey?

A big hand for the most tiresome scam in history, everybody!

The individual who sent you there will (of course) make some affiliate money should you fill in a survey or enter a competition – meanwhile, after handing over your data to some random marketers you’ll be “blessed” with a download which typically turns out to be A) Nothing, or B) Malware.

3) Malware and poisoned search results. Another obvious one, but even so, here’s a random example found after a few minutes of digging around:

The Malware diagnosis for that one can be seen here. It seems to be clean at time of writing, but six exploits, five Trojans and two scripting exploits would have been more than enough to give you a bad hair day. You can expect more hacked sites serving Malware alongside poisoned search engine results – both text and image. If your kids are happily babbling on about the joys of Pottermore, it may well be worth sitting down with them and pointing out the types of shenanigans they need to avoid.

Muggles, eh? Can’t turn your back on them for more than five minutes…

Christopher Boyd

Department of Defense 419 Mail…

I’m almost certain pretending to be the Department of Defense is not a good idea, but then it’s not like a 419 scammer has that many of those in the first place. In fact, they can’t even format an email properly so here’s my best attempt at getting as much of it into the screenshot as I could:

You’re not missing much after the cutoff, really – just a Mr Allen Bickford asking you to send over your name, address, sex, age, occupation, country, mobile number, landline number and a scan of your ID card.

You know, like you’d do for any random email sent your way. This one does promise you $750,000 in unclaimed funds though. So there’s that.

If you see a “Remittance of Unclaimed Funds” mail arrive in your mailbox from the “Defense Finance and Accounting Services”, with one “Mrs. Patricia Smith” acting as your legal representative then you should safely file it under “Fire into the heart of the Sun”. In fact, you should do that with any random email promising you untold riches.

Christopher Boyd (Thanks Wendy)

Grinding your (Top) Gears

Here’s a site called watchtopgear(dot)info that lets you – amazingly enough – watch Top Gear.

Sort of.

Series 16 / 17 are yours for the taking. Sounds awesome if you’re a Top Gear fan, but of course you need to install something – specifically, one of those FREEzefrog bundles we’ve mentioned previously:

Everything seems to be coming up Milhouse for a change, as once the install is complete the website presents you with Top Gear content (instead of the more usual “nothing at all” for a site of this nature). Feelings of vehicular joy are short lived, however, as the long list of content listed is a little bit inaccurate. And by “little bit”, I mean “six videos work and everything else is a hilarious joke at your expense”.

Click the first six links, and you’ll see some Top Gear episodes that have been ripped and placed on random streaming services.

Click any of the other links, and you’ll see the Top Gear team showing off a variety of overly tight jeans and not much else:

Yes, all of the content is missing. Yes, you just installed a bundle of stuff to watch six videos.

No, that was not a good idea.

Christopher Boyd (Hat tip to Steven Burn).

Flickr continues to be a haven for porn/malware redirects

A few weeks ago, I blogged about porn/malware redirects being hosted on Flickr.  After a brief respite, it’s back and strong.

Just a quick and trivial search shows hundreds of porn redirect links, pushing “lolita porn” and redirecting to porn and malware sites.

And again, a list of bad sites is here.

Alex Eckelberry

“Activate Skype”. Or not…

Here’s something that looks like Skype, may or may not give you Skype but certainly wants something in return for it first.

So far, so good I guess. It’s all in Russian of course, but it looks like it is actually installing Skype.

Then this happens.

As you can see, it’s now asking for something – that something presumably being an SMS unlock code, which would likely cost money to obtain (in testing, the dropdown box wasn’t available – either because the required site content isn’t live at the moment or they’re not interested in my IP address). In case you’re wondering, the text in the greyed out box says (according to Google Translate): “Loading Countries”. The other pieces of text say things like “Attention, the program requires activation” and “select your country of residence to receive instructions on how to activate”.

Thanks, but no thanks. Also, here’s a 27/43 VirusTotal score.

The file above (SkypeSetup.exe) comes from a website that doesn’t appear to have any frontend to it – d2xx(dot)ru. There are no fancy graphics, no text, nothing. Just the download. The email address used to register the domain is used elsewhere, however – skype4free(dot)ru. This one has a little more going on:

My handy Google Translator picked up the word “Free” quite a lot – “also, something about having to activate your copy”, not so much. You probably shouldn’t bother with any of the above when you can go here and obtain Skype for free, right now.

Christopher Boyd

FakeVimes Infection Offers Up “Home Codec” Packs

I don’t want your heads to explode with the force of a thousand Suns, but I think we may be looking at a new Rogue AV gimmick – specifically in the area of Codecs. I know, I know. Breathe deeply and take a seat.

Researcher Adam Thomas was investigating some FakeVimes Rogues, installing one of the fake products from the usual “Your PC has been infected” website:

He then got ready to take in the sights when this happened: nothing.

No fake security tool asking for payment or telling you the PC has about a million fictitious infections on it, no flashing lights, nothing at all. He rebooted the test machine – still nothing (sometimes a rogue won’t rise from the depths until you restart the machine. Surprise!)

This is a typical FakeVimes GUI:

This is not a typical FakeVimes GUI:

You can see what I did there. Anyway, this is a sample of some of the files found on the infected machine:

c:\Documents and Settings\All Users\Application Data\7f0924VD7f0_2326.exe
c:\Documents and Settings\All Users\Application Data\ipe.exe
c:\Documents and Settings\All Users\Application Data\ipFRed32.dll
c:\Documents and Settings\All Users\Application Data\ipinstr.ini
c:\Documents and Settings\All Users\Application Data\ipSmartGeare.exe
c:\Documents and Settings\All Users\Application Data\ipspoof.avi
c:\WINDOWS\system32\c_726535.nls

Adam went off to the main folder where all the nasty things reside, and found something interesting lurking:

“Spoof.avi”? Well, hello there. Let’s see what you get up to in your spare time:

A “Your Codec version is too old” message, complete with a popup in the bottom right hand corner telling you to “Update your Codec”.

Is this FakeVimes variant designed to prevent you watching movies while making the creator some cash into the bargain? Let’s take a look. Opening up a random website to view some files gave some interesting results.

This is what happened when Adam downloaded a video and tried to play it:

“Windows Media Player cannot find the selected file”.

Not to be beaten, he tried to stream the file instead. Then they schooled us with science. And a large popup.

“Your player cannot display this video file. Click here to update the Codec”.

At this point, you might be expecting infection files, but you’re already infected. So what are they going to do?

This:

“Home Codec pack and video converter suite: This version contains a full package of codecs enabling you to watch video in the best quality possible”.

Yes, and my name is Elvis. Hitting the (extremely large) Purchase buttons will give you this “Show me the money” payment screen, asking you for up to $35.95 for the “Home” version, plus an optional $9.95 to “Protect your purchase” with an extended download service:

Call it a hunch, but I think the best optional extra here is to run in the opposite direction from this particular fiasco. Of course, it makes sense for the people behind these attacks to start mixing things up a little – FakeVimes has been all over the news recently, and not in a “We love you, FakeVimes” kind of fashion. More like a “FakeVimes, we hate you and we want you to die” fashion as Google took the unprecedented step of warning millions of infected users about it last week. From the Google help page on this one:

A warning appears at the top of the search results page when we believe that the computer you’re using is infected with malicious software, also known as “malware.” Malware can be used to intercept your computer’s connection to Google and other sites. When Google’s system detects that a connection has been intercepted, it’s likely that the computer was previously infected with malicious software.

With the heat coming around the corner, the FakeVimes people have decided to diversify into a sort of “Rogue Codec” market instead, and it looks like things could be interesting in Rogue AV land for a while as their otherwise glacier-like tactics (“You’re infected, have some Rogue AV, thanks for the money”) begin to change.

We detect this one as VirTool.Win32.Obfuscator.hg!b (v).

Christopher Boyd (Thanks to Adam Thomas for finding this one)

Correct Version Aversion

Here’s a site located at buburuzka(dot)com/xhupt/71093(dot)php offering up some fake Flash. Humorously, they don’t seem to have taken much notice of the latest Flash Player version – compare and contrast:

As you can see, a bit of a difference there. Of course, they’re hoping the victims they attract to a scam like this won’t pay much attention to what they’re clicking on, never mind confirm that the Flash numbering offered matches up with reality.

We detect this as VirTool.Win32.Obfuscator.hg!b1 (v), another 2GCash clickfraud Trojan, and the VirusTotal score is currently at 5/43.

Christopher Boyd (Thanks to Patrick Jordan for finding this one)

.gov.np Site Serves Up Banking Phish

This is the National Development Volunteer Service of Nepal, located at ndvs(dot)gov(dot)np/_vti_cnf/customer(dot)ibc(dot)htm:

This is an unwelcome addition to the website in the form of a Lloyd’s TSB Phish.

It’s still live at time of writing, but it’s been reported so let’s hope it’s taken down and the site is cleaned up soon.

Christopher Boyd

We’re (Auto)whalers on the Moon

I don’t know what it is about this one that sets the Spidey Sense tingling.

Maybe it’s the fact it promises to make things all too easy – Vader reference there for anyone keeping score – for the lazy crook.

Maybe it’s the fact the little picture thing for it is a balaclava sporting terrorist guy.

Maybe it could even be the fact that the filename has “666” in the title, which is generally a reasonable indicator of fiery flames and pointy pitchforks. Who knows.

What I do know, is that this thing is an Autowhaler and promises an easy haul of plundered bounty on the high seas. For those of you who have no idea what I’m talking about – it’s okay, you don’t have to spare my feelings – I’ll now explain.

Autowhalers: What they are, and how they came to be

Autowhalers come in two flavours (no, not vanilla and chocolate) – websites, and programs. You can see an example of a website Autowhaler here. Imagine you’re a Phisher. You have an awesome collection of stolen logins and you can’t wait to crank out some viagra spam.

Now imagine I’m the laziest phisher who has ever lived.

I’d like a collection just like yours, but there’s no way I’m going to put any effort into obtaining such a stash because I have people from overseas to scream at on XBox Live. No, I’ll just fire up an Autowhaler which checks known Phish URLs for common places where a productive Phisher would keep their logins (/passwords(dot)html or /logins(dot)html, for example).

Then I steal all your things, and do whatever I want with them – which probably doesn’t include leaving them on free webhosting for all and sundry to plunder.

At this point, the “666 Auto Whaler” comes back into play and our would-be Phishing King thinks, well, it looks legitimate and it even comes with a handy .txt file pointing out common places Phishers would attempt to hide their wares. What’s the worst that could happen?

Well, a 29/43 VirusTotal report for starters. But wait – that’s not the worst. That’s not even close to being the worst. No, the worst is right over here in your Temp Folder:

Hello there, Cryptedfile.exe – if that is your real name.

Which it isn’t. Step up to the plate, Trojan-PWS.Win32.Fignotok.A (v) – a known password stealer that generally likes to dabble in everything from gaming account logins to Instant Messaging and more besides.

36/43 VirusTotal score, Ladies and Gentlemen.

Now, there may well be a legitimate version of this tool floating around out there. It may even look like this:

However, this thing that I have before me? I believe the phrase I’m looking for is “Lol, nope”. If you see a younger relative about to fire up what seems like a “cool hax0r program” on the household PC, you may want to have a word in their ear then double check exactly what it is sitting in the Download folder.

Password stealer creators targeting Whalers going after Phishers may sound like a humorously confusing mess of bad people hitting each other in the face with bricks – and don’t think I haven’t thought about it – but the gag quickly evaporates once Little Jimmy loses five sets of credit card details to the void.

Remember kids – they’re all out to get you, and then some. Stick to ranting on Halo, it’s a lot safer.

Christopher Boyd