Subdomains defaced on The Telegraph website

The Telegraph, one of the biggest newspapers in the UK, hasn’t had a good time of it lately where their website is concerned. Vulnerabilities were found back in March 09 involving database access, and it seems a hacking group has gone in and defaced two subdomains.

These are the two subdomains in question:

shortbreaks(dot)telegraph.co.uk
wine-and-dine(dot)telegraph.co.uk/site/index.php

They appear to have been compromised by “R.N.S. – Romanian National Security”. Here’s a screenshot (both defacements are identical):


Both pages play some music – “The Lonely Shepherd” – loaded from a .ru domain (you’ll also notice a link to a Top Gear clip hosted on YouTube; it seems this is in relation to comments made about Romania in an episode of Top Gear). Running the defacement text through Google Translate gives a somewhat garbled result, but a post in the comments has since supplied a translation that makes sense of it:

“We are sick and tired of seeing how some “garbage” like you try to mock our country. [And try] to create [for us] a completely different picture compared to the real one, and calling us “romanian gypsies” [,] broadcast s****y tv programs like TopGear.

“If you had the nerve to angry an entire country, know that we will not stop here! Romania

“Guess What, Gypsies aren’t Romanians, morons.”

We’ve notified The Telegraph, and hopefully the pages will be back to normal soon.

Christopher Boyd

Branson, MO chamber of commerce hacked, serving exploits


Along the same lines of the Northwestern Bank compromise last week, the Branson Lakes Area Chamber of Commerce is also compromised, serving exploits.

Bransonchamber

(Do not visit the exploit sites below unless you know what you’re doing.)

GET-hxxp://www.bransonchamber. com
GET-hxxp://mumukafes.net/trf/index. php
GET-hxxp://333.gosdfsdjas.com/index. php
GET-hxxp://333.gosdfsdjas.com/l. php?i=1

|
|
V

Zbot config and drop:
GET-hxxp://agreement52.com/cnf/shopinf. jpg
POST-hxxp://agreement52.com/shopinf/gate. php

Also, checks into server “67.231.246.218” on port 553

Serves a Zbot trojan.

Alex Eckelberry
(Thanks Adam and Francesco)

Update 4/15/2010: The situation is now resolved. The site is no longer serving exploits.

Faceparty password sites really want you to click on things

“Faceparty is a UK based social networking site allowing users to create online profiles and interact with each other using forums and messaging facilities similar to email” (Wikipedia)

Faceparty does things a little differently to other social networking sites, however. Unlike most places where you register a username and password then start telling people how your farm is doing, to join Faceparty you need to send a text message to the tune of £25 / $38(!) and then enter your one time use password onto this page (warning: quite a few swearwords, because the site is indeed down with the kids).

As you can imagine, obtaining these passwords has become a bit of an obsession for some people. Scroll down on that link, and you’ll see the following:

“facepartypassword(dot)com, got mine free today woohoo!” posted by “Chelsea Davies”, who somewhat suspiciously lists their own URL as the very same domain.

Shall we take a look?

Faceparty password

Yes, despite the passwords costing £25, this random website will “create a profile 100% free” – and all you have to do is fill in the desired username, password and email address.

This is what you see next:

faceparty password adverts

Yes, it all goes wrong very quickly. You have to click your way through no fewer than five advert banners, each of which will take you to websites sporting people who seem to have forgotten to put some clothes on. Remember – “If you don’t click all the banners, you WILL NOT be sent the password!”

I don’t know about you, but I’m not entirely convinced here. Once you hit the Next button (just out of shot), this appears:

more password fun

As you can see, they really want you to keep clicking that Fling banner advert. And wait, only a page earlier they were saying you didn’t have to join – now you do?

Someone is probably raking in a fortune in affiliate signups / clickthroughs here. Can you guess what happens when you hit the “Get Faceparty Password” button?

Sure you can. It doesn’t involve passwords, I can tell you that much – instead, you’re redirected to a specific profile on a site called Adultwork(dot)com, which advertises the services of more people who like to take their clothes off.

A few days later, and (amazingly enough) the email address I used to jump through hoops on the Facepartypassword(dot)com site still hasn’t had a password sent through to it. When I revisited today a new page was appearing at the start of the “signup process”, too:

text passwords

Yes, a £3.00 / $4.60 text message will get you your “Keycode”, or you can join Fling.

Again.

The thing that particularly caught my eye was that for a split second when visiting the site, a page will flash up before you’re taken to the first form to fill in. If we get all technical (and by technical, I mean reload the page then hit the Stop button on your browser as fast as you can) you’ll see this graphic, with two links at the bottom of the page that will send email to the site owners:

Faceparty password splash page

“Share the password”? “Sell your profile”?

Oh boy.

Christopher Boyd

VB’s RAP on VIPRE

Virus Bulletin Reactive and Proactive (RAP) testing

[Graphic: Virus Bulletin RAP detection results]

Sunbelt Software’s VIPRE engine was among the top AV products for reactive and proactive detection in April in Virus Bulletin testing.

Virus Bulletin’s RAP Testing measures products’ reactive and proactive detection abilities against the most recent malware that has emerged around the world.

The test measures products’ detection rates across four distinct sets of malware samples. The first three test sets comprise malware first seen in each of the three weeks prior to product submission. These measure how quickly product developers and labs react to the steady flood of new malware emerging every day across the world. A fourth test set consists of malware samples first seen in the week after product submission. This test set is used to gauge products’ ability to detect new and unknown samples proactively, using heuristic and generic techniques.

Thanks to Virus Bulletin for permission to use the graphic.

Tom Kelchner

Twitter Spammers get creative with rearranged spelling

It seems spammers on Twitter are using some curious methods to get their message across (thanks to David Cawley for pointing me in the right direction).

Check this out:

Mixed up spam

Yes, that is vaguely peculiar. Here’s another one:

Mixedupspam3

The spammers are using a system of writing that involves jumbling up the middle letters in the words, which means they’re still readable. There’s some confusion as to whether or not this “system” was developed through research at Cambridge University – this person says “yes”, while this person says “no”.

I have no idea either way, but to be honest I’m more curious as to why the spammers are doing it. I know Twitter keeps an eye out for malicious URLs and the like, but I don’t believe they determine if an account belongs to a spammer based purely on the words they use. This could be a monumental waste of time on the part of the spammers, although if nothing else it did make me sit up and take notice.

If that was the purpose of the switcharound, they’ve failed there too – rather than clicking on the XXX dating site link they’re promoting, I’ll be reporting them to the spam department. Not sure they’ll get much satisfaction from rearranging the word “Banned”…
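To show how a filter could still catch the trick described above, here is an added example (my own code, not from the post or from Twitter): each word is reduced to a signature that survives shuffling of its middle letters, and that signature is matched against a constructed watch-list of spam words. The watch-list, threshold and sample tweets are all constructed for the example.

```python
"""
Detecting "middle-letters-jumbled" spam words, e.g. "Bnaned" for "Banned".

Added example for this post (not code from the original blog or from
Twitter). The watch-list, threshold and sample tweets are constructed.
"""
import re

# Constructed watch-list of words a spam filter might look for. A scrambled
# variant keeps the first and last letter and shuffles only the middle, so
# we index each keyword by a signature that ignores the middle order.
WATCH_WORDS = ["banned", "dating", "adult", "singles", "viagra", "free"]


def signature(word):
    """First letter + sorted middle letters + last letter, lower-cased.
    Words of three letters or fewer have no middle to shuffle and are
    returned unchanged (lower-cased)."""
    w = word.lower()
    if len(w) <= 3:
        return w
    return w[0] + "".join(sorted(w[1:-1])) + w[-1]


WATCH_INDEX = {signature(w): w for w in WATCH_WORDS}


def find_scrambled_words(text):
    """Return (token, matched_keyword) pairs for every token in text that is
    either a watch-list word or a middle-letter scramble of one."""
    hits = []
    for token in re.findall(r"[A-Za-z]+", text):
        keyword = WATCH_INDEX.get(signature(token))
        if keyword is not None:
            hits.append((token, keyword))
    return hits


def is_suspicious(text, threshold=2):
    """Flag a tweet that contains at least `threshold` watch-list words,
    scrambled or not. The threshold is a constructed tuning value."""
    return len(find_scrambled_words(text)) >= threshold


# Constructed tweets, modelled on the screenshots in the post.
SAMPLE_TWEETS = [
    "Lnoley snlgies in yuor area! Aldut dtaing, 100% fere http://example.invalid/x",
    "Had a great weekend hiking, photos soon",
    "My account got bnaned again, wtf",
]
```

Because the signature is an anagram class, unrelated words can collide with a keyword, so treat a hit as one signal to combine with others (links, account age) rather than a verdict on its own.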

Christopher Boyd

Sex and the (not so) Great Firewall of China

Scale the wall, comrade. View the peaks of Japan

Sometimes the collective behavior of a lot of people discloses information that isn’t apparent any other way. There’s a big word for it in the social sciences, but I haven’t been able to remember it for about five years.

Chinese net users last weekend apparently discovered the Twitter handle of Japanese adult film actress Aoi Sola (@Aoi_Sola) and the information went viral. A lot of Chinese fans (15,000) signed up to follow her. Aoi Sola is very attractive and best known for her “expansive” treatment of bikini tops.

There’s nothing unusual in that in this day and age.

However…

Twitter is blocked by the Great Firewall of China. A lot of the tweets were written in simplified Chinese which, according to the Dongguan Times, indicated they came from mainland China. That meant a LOT of people had figured out how to defeat Internet filtering by the Chinese government.

Here’s the account from Danwei.org, a site devoted to “Chinese media, advertising, and urban life.”

“From the Dongguan Times:

“Many netizens are suspicious of the identity of Aoi Sola’s fans, because on the Chinese mainland, many netizens cannot use Twitter. ‘You can’t get on Twitter on the Chinese mainland, did your followers come from Hong Kong or China Taiwan?’

“Because Aoi Sola works in the AV industry, which is adult entertainment, it could cause harm to youngsters’ mental and physical well-being. Therefore, whether it’s Twitter or news about Aoi Sola, all information is forbidden. In order to become a follower of Aoi Sola’s Twitter from the mainland, the fan must use software for ‘scaling the wall.’

“However, for the netizens who left a message on Aoi Sola’s Twitter, many of those used simplified Chinese, [so] most of them were from the Chinese mainland. After Aoi Sola’s Twitter account was ‘discovered,’ netizens claims that many Chinese people are learning to use software to ‘scale the wall.’”

Aoi Sola’s response to all the attention:

“Aoi Sola: I’m surprised. Receive many follow messages & RT from China now. aaaaaaaaahhh, I don’t know, anyway THANK YOU!!”

Danwei.org story here: “AV actress entices Chinese netizens to go on Twitter”

And, check out Google Images: “Aoi Sola” (CAUTION: the People’s Republic of China believes these photos “could cause harm to youngsters’ mental and physical well-being”, although the first 700 or so that we looked at showed nothing you can’t see on Clearwater Beach on a warm day.)

Tom Kelchner

Twitter will advertise. Will mal-tweets follow?

Twitter cofounder Biz Stone has announced on the Twitter blog that the microblogging service will begin tweeting advertising.

“We are launching the first phase of our Promoted Tweets platform with a handful of innovative advertising partners that include Best Buy, Bravo, Red Bull, Sony Pictures, Starbucks, and Virgin America — with more to come. Promoted Tweets are ordinary Tweets that businesses and organizations want to highlight to a wider group of users,” he wrote.

Twitter is going to need a source of income to survive, and it certainly comes as no surprise that the organization is moving into something that will “monetize” its traffic and its popularity.

We’re wondering how long it will be before the online pharmacies, botnet operators and rogue security product pushers decide to mimic Twitter’s ads for their own nefarious purposes. Like the search engine optimization techniques that have taken advantage of the big search services, there will be attempts to use the promoted tweets. And there will be countermeasures by Twitter and the rest of us in the anti-malcode world.

So when this starts, use common sense and keep alert for tricky new malicious techniques that will fit into 140 characters. Since Twitter mentioned Best Buy, Bravo, etc. in the blog, those names probably will be some of the first ones (mis)used in mal-tweets. We would expect tweets with links (probably shortened) that lead or redirect to sites selling questionable wares or downloading Trojans or other malware.

Twitter blog here.

Update:

News stories are appearing about Twitter’s move to tweet ads. One statistic that stands out is “$160 million.” That’s the amount of venture capital that Twitter has taken in the last three years.

ZDNet story here.

Tom Kelchner

WordPress blog pages redirected to rogue site

Brian Krebs, in his “Krebs on Security” blog, is reporting that a large number of WordPress blog pages have been hacked to redirect visitors to networkads.net, which downloads rogue security applications onto their machines. The owners of the blogs are also locked out of access.

“It’s not clear yet whether the point of compromise is a WordPress vulnerability (users of the latest, patched version appear to be most affected), a malicious WordPress plugin, or if a common service provider may be the culprit. However, nearly every site owner affected so far reports that Network Solutions is their current Web hosting provider,” Krebs wrote.

He also said that a script that downloads from the networkads.net site attempts to install a malicious ActiveX browser plugin which runs in Internet Explorer. VIPRE detects it as Trojan.Win32.Generic!BT.

A spokesperson for Network Solutions said an investigation is underway and the hack may be related to a malicious WordPress plugin.

Krebs blog here.

Update: unsecured passwords caused WordPress blog takeovers

Network Solutions has found the vulnerability – passwords stored in plain text – that caused the issue and secured it.

Shashi Bellamkonda said on the company blog:

“As part of the resolution, we have had to change database passwords for WordPress. Normally, this does not impact functioning of the blog, but in some cases if you have custom code with manually-embedded database passwords (in files other than wp-config), this will require changes.

“As a precaution, we’re also recommending that all customers using WordPress should log into their account to change their administrative passwords. Also review all the administrative access accounts and delete those that you do not recognize. If you feel you are still experiencing issues and need help please contact us at Listen NetworkSolutions.com.”

Blog post here.

Expanded story at the Register: “Network Solutions mops up after mass WordPress breach”

Tom Kelchner

Malware humor

Every once in a while, you find some odd piece of text in a piece of malware.

Debugging the TDL 3 rootkit yields some interesting results. Here are messages that dump in the debug window at various times:

Fri Apr 9 09:02:37.495 2010 (GMT-4): You people voted for Hubert Humphrey, and you killed Jesus
Fri Apr 9 09:03:01.900 2010 (GMT-4): Ah Lou, come on man, we really like this place
Fri Apr 9 11:53:08.715 2010 (GMT-4): Dude, meet me in Montana XX00, Jesus (H. Christ)
Fri Apr 9 12:18:27.522 2010 (GMT-4): I felt like putting a bullet between the eyes of every panda that wouldn’t screw to save it’s species. I wanted to open the dump valves on oil tankers and smother all those french beaches I’d never see. I wanted to breathe smoke

If you’re a movie or TV buff, you might recognize these:

Fear and Loathing in Las Vegas: You people voted for Hubert Humphrey, and you killed Jesus

Fight Club: Ah Lou, come on man, we really like this place and I felt like putting a bullet between the eyes of every panda that wouldn’t screw to save it’s species. I wanted to open the dump valves on oil tankers and smother all those french beaches I’d never see. I wanted to breathe smoke.

Brake my wife, please: Dude, meet me in Montana XX00, Jesus (H. Christ)

Alex Eckelberry
(Thanks, Chandra)

Twitter: 60 percent growth outside U.S.

Aiming for one billion Twitterers by 2013?

Twitter’s International Team Lead Engineer Matt Sanford has blogged on the company’s site that Twitter is seeing growth of over 60 percent in registrations outside the U.S.

After setting up a Spanish language capability in November, the microblogging service saw a huge surge in registrations in Latin America, Sanford said. Sign-ups in India also spiked early in the year after several politicians and Bollywood movie stars began Tweeting.

The service was thought to have 75 million users at the end of January (“New Data on Twitter’s Users and Engagement” ) and documents obtained from Twitter by a hacker and published in 2009 showed that the company had plans to sign up one billion users by the end of 2013.

Several sources have estimated that at the end of 2009 1.7 billion people were using the Internet.

Twitter Blog: “Growing around the world”

Tom Kelchner

Adobe Patch Tuesday news: auto updater coming

Adobe has announced that it will release an updater along with Adobe Reader and Acrobat versions 9.3.2 and 8.2.2 on patch Tuesday next week.

On the Adobe blog, Steve Gottwals wrote: “…we have been testing a new updater technology with select beta customers since our October 13, 2009 quarterly update. The purpose of the new updater is to keep end-users up-to-date in a much more streamlined and automated way.

“During our quarterly update on January 12, 2010, and then again for an out-of-cycle update on February 16, 2010, we exercised the new updater with our beta testers. This allowed us to test a variety of network configurations encountered on the Internet in order to ensure a robust update experience. That beta process has been a successful one, and we’ve incorporated several positive changes to the end-user experience and system operation. Now, we’re ready for the next phase of deployment.”

Users can set an “Automatically install updates” control or not, as they wish.

Blog entry here.

Given the attention that malcode creators have lavished on Adobe products recently, an updater to go along with regular “patch Tuesday” updates will certainly help us all have a good “end-user experience.”

Tom Kelchner

Iowa bank compromised, serving exploits

Northwestern Bank Online – Orange City is compromised and should not be visited until it’s clean.

[Screenshot: Northwestern Bank Online – Orange City website]

Embedded in the site is a malicious iframe, as you can see in this screen shot:

[Screenshot: page source showing the injected iframe]

(Testing the site with Wepawet doesn’t work, since it chokes on the JavaScript emulation. However, the iframe is malicious.)
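As an added example (not the blog’s code and not Wepawet’s), here is a small static check for the kind of injected iframe described above. It goes a little beyond the post by flagging three common tells at once: an off-site src, a near-zero size, and hiding by style. The site name and the sample page are constructed, and evil.invalid is a placeholder host, not a real indicator.

```python
"""
Flag iframes that look injected, of the kind described in the post.

Added example (not code from the blog or from Wepawet). SAMPLE_PAGE and the
site name are constructed; "evil.invalid" is a placeholder host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _tiny(value, limit=2):
    """True for a width/height attribute of `limit` pixels or less."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= limit


class IframeAuditor(HTMLParser):
    """Collect every <iframe> together with the reasons it looks injected:
    off-site src, near-zero size, or hidden via inline style."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # HTMLParser already lower-cases tag names
            return
        a = {name: (value or "") for name, value in attrs}
        reasons = []
        src = a.get("src", "")
        host = urlparse(src).hostname or ""   # "" for relative URLs
        if host and host.lower() != self.site_host:
            reasons.append("off-site src")
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("near-zero size")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        self.findings.append({"src": src, "reasons": reasons})


def suspicious_iframes(html, site_host):
    """Return only the iframes that carry at least one red flag."""
    auditor = IframeAuditor(site_host)
    auditor.feed(html)
    return [f for f in auditor.findings if f["reasons"]]


# Constructed page: one legitimate embed and one injected, hidden iframe.
SAMPLE_PAGE = """
<html><body>
<h1>Online Banking</h1>
<iframe src="https://www.bank.example/login" width="600" height="400"></iframe>
<iframe src="http://evil.invalid/in.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>
"""
```

Run `suspicious_iframes(SAMPLE_PAGE, "www.bank.example")` to see only the injected frame reported; obfuscated JavaScript that writes the iframe at runtime will not appear in static source, which is the case where a tool like Wepawet is needed.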

Alex Eckelberry
(thanks Francesco)


Update 4/10: The site appears clean now.

Election results? Our survey says…

…”click here to view”.

Yes, it seems almost anything is a target for money generating survey spam.

In this case, we start with a Youtube video:

election spam

And we finish with this:

election spam

Even better, these “fill in a survey to see the content” websites now pop up an additional message as you try to leave the page:

election spam

“Help keep this content free. Please take one minute to complete a SPAM-free market research survey to gain access to this special content.”

Free? They’re preventing the end-user from reading the content unless they sign away their personal information to third party advertisers, while generating affiliate revenue for the owner of the webpage.

I suppose we should be thankful the Youtube link just took us to a spam site, instead of some sort of Malware install…

Christopher Boyd

Denial of availability and UK anti-piracy law

There could be a denial-of-availability risk to the enterprise in the new anti-piracy law passed by the British Parliament yesterday. Employees using company machines to swap pirated files could trigger a suspension of Internet service.

The law is aimed at repeat offenders; however, employee misuse of company resources, or botnet takeovers of machines for use as file-trading servers, are a significant threat. At minimum, unintentional offenders will have some paperwork to deal with when their ISP lets them know they’re in violation.

Recent measures to cut down on piracy have been horrendously controversial – to the point that a Pirate Party has begun a (disorganized) organizing effort in several countries. Somehow the argument that “all information wants to be free” doesn’t answer the question: “who’s going to pay for the creation of all that music, video and software?” And “oh, they charge too much anyway,” isn’t really a recognized legal concept.

The Indian film industry, usually known as Bollywood, has been making a lot more films than its U.S. counterpart for decades but only makes a tiny fraction of the profit in large part because of world-wide piracy that began in the VCR days (You know, those pirated DVDs in every flea market and ethnic convenience store everywhere on Earth.)

In light of the new UK law, it might be a good idea for those in the jurisdiction to revisit company acceptable use policy, maintain good anti-malware and check logs of outbound traffic for uncharacteristically high volumes.

Details of the legislation and its passage here: “U.K. Approves Crackdown on Internet Pirates”

Tom Kelchner

Patch Tuesday next week

Microsoft has put the PC-using world on notice that next Tuesday there will be 11 bulletins released addressing 25 vulnerabilities in Windows, Exchange and Office.

Jerry Bryant, Group Manager of Microsoft’s Response Communications, said: “I also want to point out to customers that we will be closing the following open Security Advisories with next week’s updates:

— Microsoft Security Advisory 981169 – Vulnerability in VBScript could allow remote code execution.

— Microsoft Security Advisory 977544 – Vulnerability in SMB could allow denial of service”

Advance notice here.

Tom Kelchner

Chinese censorship: herding cats on the Internet

Search terms that are censored in China:

“Tibet”
“Tiananmen Square protests”

“Carrot”

Apparently “carrot” has a Chinese character that is the same as the surname of President Hu Jintao.

The New York Times has run a great story by Shiho Fukada about Internet censorship in China, where the effort to control the content seen by 384 million Internet users who have 181 million blogs is like “herding cats.”

“This is China’s censorship machine, part George Orwell, part Rube Goldberg: an information sieve of staggering breadth and fineness, yet full of holes; run by banks of advanced computers, but also by thousands of Communist Party drudges; highly sophisticated in some ways, remarkably crude in others,” Fukada wrote.

Apparently there is some push back by Chinese citizens.

Interesting read.

“China’s Censors Tackle and Trip Over the Internet”

Tom Kelchner

Fake Java Application websites target XBox Gamers

If you like downloading or installing programs on your PC related to XBox gaming, you might want to take note of this writeup. There’s a DIY kit in circulation that allows an attacker to create a website claiming to be an XBox Live application for your computer. We’ve grabbed the kit and had a poke around inside to see how this operates – all it takes is two pages of HTML, a fake graphic and a Java archive to set this one in motion. This is the kit in question:

Upon visiting any site related to this scam, the end-user will see a blank webpage with nothing other than a Java notice and a fake Softpedia award at the bottom of the screen:

fake xbox applet website

After a second or two, things become a little more lively with a splash page claiming “the application is loading”:

loading the fake xbox application

At this stage, the end-user will be presented with the following Java Application Digital Signature Permission Screen:

xbox java app popup

Note that they list the publisher as “Microsoft”, which is always going to make potential victims a little bit easier to trick into hitting the Run button. As a counterbalance, notice also the message in large text that reads “The application’s digital signature cannot be verified. Do you want to run the application?”

The smart answer, of course, is “no”.

If the end-user hits “Run”, the applet will download whatever file it’s configured to grab then execute it. At this point, things have gone horribly wrong for all concerned (apart from the creator of the fake application page).

If we download the file offered up by the above prompt separately, we can see that the end-user installs a file that looks a little bit like an art program.

[Screenshot: the file offered up by the applet]

It isn’t an art program.

After running the above file, the end-user will find “Crypted.exe” in their Temp folder. This is actually something called Trojan-PWS.Win32.Fignotok.A, a password stealing program that targets applications such as Firefox, Steam, DynDNS and various IM clients.

It’s worth remembering that the DIY kit allows the attacker to change the infection file offered up by the applet to be anything they desire. Talking about unsigned applets and hijack files is making me feel a little bit 2005, but I guess what goes around comes around.

* ALWAYS be cautious when presented with an unknown application. Don’t just run it; go Google it first and see if anyone else even mentions it.

* In the same spirit, be very wary of unsigned applications on random websites you’ve never heard of.

* Anyone can grab an award badge from a website and claim they’re the “Best thing ever”.

We detect the executable launched by the applet as Trojan.Win32.Generic!BT. Thanks to Adam Thomas from Sunbelt’s Malware Research Team for additional testing.

Christopher Boyd

Number of infected computers spikes in Korea

Hong Kong-based security firm Network Box reported that Korea was the country of origin for 31.1 percent of the malware on the Internet in March. In February the country only pumped out 8.9 percent, leading researchers to theorize that there has been a huge increase in infected machines there pushing out phishing spam.

Network Box includes phishing in its calculations of monthly malware statistics. They also include North and South Korea as one country in their categories, but say the lack of public computers in the North means that South Korea is the country of origin for the bulk of the statistic.

The US was second on the list at 9.34 percent.

See InfoSecurity story here: “Korea reigns as king of malware threats”

Tom Kelchner

Hacking the Matrix

I could talk about how The Matrix was a pretty big deal for me back in the day, or how The Matrix Online is (to date) the only MMORPG I ever liked enough to pay a monthly subscription for, or how I think people doing Kung Fu in bullet time is still the best thing ever.

Mostly, I’ll just show you this:

Matrix hack

And this:

hacked site

Is there a glitch in the Matrix? You bet. Unfortunately it seems the website of one of the actors from Reloaded / Revolutions (Harry Lennix, who played Commander Lock) has been hacked and is now, bizarrely, the scene of some Cyber Kung-Fu gone wrong as two warring factions go to, er, war.

First the site was compromised by the initial defacer seen in the Google search result. Fast forward a few days and now it’s been “Rehacked” (though not Reloaded) by another individual. Clearly, something is going on here. But what?

Well, it turns out the middle act of the story is where all the action is. For a short period of time, the site said:

snazzy, you are NOT skiddie.. you are FAKE ******g kiddie!
now go to your mom and get the money for this login and give it to me.

Yes, it appears Defacer A didn’t deface anything – merely purchased (or attempted to purchase) the already compromised site from Defacer B, then went on to brag about how they’d hijacked a “famous actor”. Cue Defacer B reclaiming their territory and making sure everybody knew about it at the same time.

Whoops.

The host has been notified, but for now we’ll just have to ponder the irony of a defacement involving an actor whose character never believed in the ability of a man who could hack reality.

Christopher Boyd