Be wary of Steam password stealers

There are a couple of programs in circulation at the moment designed to steal Steam account login credentials. People can have a lot of money invested in Steam purchases (if you purchase PC games online Steam is probably the best digital delivery service around), and it isn’t really the greatest thing in the world to have one stolen.

Steam is a popular thing to have in webcafes, and the company behind it actually supports this in a very big way. These particular infection files would cause the most trouble on the networks of netcafes with minimal security in place, allowing chancers to install files from a USB stick, let the stealer grab account logins, then come back later to collect the passwords.

This is what the first one looks like:

Fake Steam Login

There are a number of clues that the above is 100% fake – for starters, it’s based on the old-style Steam login, which may tip off a clued-up gamer. Secondly, the spelling is all over the place: “Please re-login with you’r correct login informations for being safe from hackers”.

Oh dear. “Copyrighted” doesn’t do them any favours, either.

I suppose the creator knew he wouldn’t get very far with the above, because there’s a second version and it’s a lot more impressive, sadly:

Fake Steam

Looking absolutely identical to the real thing, only a clued-up webcafe Admin type guy would save the day at this point, either by having the network locked down or by running security software that detects the threat. Once the account details are entered, they appear in a .txt file wherever the logger happens to be running on the PC at the time:

stolen login

Poor old Fakey Mc Fakename can wave goodbye to his account.

We detect both of these as Trojan-PSW.Win32.Steam.z – you can see the most recent count on VirusTotal here.

Christopher Boyd

Australian Internet censorship row warms up

There seems to be an established procedure used by government officials who want to censor Internet traffic: begin by requiring Google and ISPs to filter pornography, then sneak in filtering of the politically sensitive material of your choice.

Maybe we should give this a name: how about “porn filter law bait and switch?”

In China’s Green Dam fiasco last summer, the web filter that was required on new machines (before the whole idea broke down) was supposed to protect good Chinese Internet users from sex and violence. When various researchers took apart the Green Dam files, however, they found that 1) it ripped off a lot of code from a U.S. company and 2) two thirds of the strings it was set up to filter were politically sensitive words, not sex and violence issues at all.

Australian Communications Minister Stephen Conroy is taking the same tack: He’s furious that Google is opposed to the Internet filtering scheme he’s proposing. It starts with sexually related web sites (which present photos of flat-chested women allegedly preferred by pedophiles), but his blacklist also includes material that would screen discussions of sexual health matters and EUTHANASIA. Conroy is a strong opponent of euthanasia.

Inquirer story here: “Australia attacks Google”

Tom Kelchner

Facebook “Antivirus” nuisance tags friends in photos

Facebook is working on filtering a piece of nuisance malware that poses as a “Facebook antivirus” application that — when it’s installed — puts several dozen photos on a victim’s Facebook wall and tags their friends in them. Once their friends click on the “tagged” photo, they are offered the fake anti-virus.

Spellings include: “F’acebook Antivirus,” “Facebook Antivirus” and “Antivirus in Focebook”

Facebook Insider said Facebook is filtering the fake tags and gives instructions for removing tags of oneself from friends’ photos.

Story here: “Warning: Facebook Antivirus Will Virally Spam Your Friends”

Tom Kelchner

EXEs in word docs

Today, our friends at Trend Micro blogged about a new attack vector using Microsoft Word documents. We saw this as well last week, and have written a detection for the dropped trojan.

It’s not just a “lawsuit” that’s being spammed; we also picked up another form of this attack in our honeypots over the weekend:

Wordvector182312388

When you open the Word document, you see a “PDF”, but it’s actually not. It’s a JPG, which links to an executable.

Document12381231231238

In Word 2007, it’s kind of like the Amish virus: The user has to really want to get infected.

Openpackage12388

Latest VirusTotal detection here.
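As an added example (not code from the post or from Sunbelt), here is a small Python scanner that opens a Word 2007 package the way the screenshot above shows it opened and flags entries that carry executable content rather than the decoy image. The sample document, its entry names and the magic-byte checks are constructed here for illustration.

```python
import io
import sys
import zipfile
from typing import List, Tuple

# Magic bytes: Windows PE/DOS executables start with "MZ"; OLE compound files
# (the wrapper Word uses for embedded "Package" objects) start with D0 CF 11 E0.
MZ_MAGIC = b"MZ"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll")


def build_sample_docx(with_payload: bool = True) -> bytes:
    """Constructed stand-in for the attack document: an OOXML package (a .docx is
    a zip) holding a JPEG that poses as a PDF icon and, optionally, embedded
    objects. Entry names are illustrative, not taken from the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF")
        if with_payload:
            # A bare executable dropped straight into the embeddings folder...
            z.writestr("word/embeddings/oleObject1.bin", MZ_MAGIC + b"\x90\x00" * 32)
            # ...and an OLE container, the normal wrapper for a packaged file.
            z.writestr("word/embeddings/oleObject2.bin", CFB_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def scan_package(docx_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, reason) for every package entry that may be executable.

    Only the first 8 bytes of each entry are read, so large documents stay cheap.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            if name.endswith("/"):
                continue  # directory entry, nothing to inspect
            with z.open(info) as fh:
                head = fh.read(8)
            lname = name.lower()
            if head.startswith(MZ_MAGIC):
                findings.append((name, "PE/DOS 'MZ' header"))
            elif lname.endswith(EXECUTABLE_SUFFIXES):
                findings.append((name, "executable file extension"))
            elif lname.startswith("word/embeddings/") and head.startswith(CFB_MAGIC):
                findings.append((name, "embedded OLE object; inspect for a packaged file"))
    return findings


if __name__ == "__main__":
    # Scan documents given on the command line, or the constructed sample if none.
    targets = sys.argv[1:]
    samples = [(p, open(p, "rb").read()) for p in targets] or [("<sample>", build_sample_docx())]
    for label, data in samples:
        for entry, reason in scan_package(data) or [(None, "no executable content found")]:
            print(f"{label}: {entry or '-'}: {reason}")
```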

Alex Eckelberry

Microsoft out-of-band patch tomorrow

Microsoft said today it will issue an out-of-band patch tomorrow for a vulnerability in Internet Explorer 6 and 7 that is being actively exploited.

“The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution,” Microsoft said in its Security Advisory 981374 earlier this month.

“In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability,” they said.

The vulnerability is tracked as CVE-2010-0806.

Advisory here.

Tom Kelchner

XBox Live Director’s Account Compromised

It seems Larry Hryb, Director of XBox Live Programming, had his account taken over at the weekend. However, there are a number of faintly hysterical headlines claiming he was “hacked” along with “are you next?” taglines (such as this one), and I thought it might be useful to look at the methods the team behind the attack might have used and how you can lessen the chance of something similar happening to you.

First of all – let’s see what happened to “Major Nelson” (as he’s better known). His Live account was hijacked, and numerous offensive messages were posted to the Biography section. Here’s a screenshot:

Nelson Compromised

As you can see, “Code of Conduct” is in his speech balloon and Name / Location are, er, somewhat colourful. At one point it also said “Any account $100 PayPal!!!!!!!!”

Where this tale becomes interesting is the fact that the attacker has put an endless stream of information about himself onto the Net. The homepage of his crew hosts a video that reveals his Skype address, AIM account and – more seriously for him – a name and address that the URL is registered to (his Facebook page is supposedly all over forums, and he seems to have a history of console scamming dating back to at least 2008). While the information could be false, everything about this so far screams “script kiddies” and generally speaking they don’t tend to think about faking Whois data.

Nelsn2

Script kiddies or not, they still managed to compromise the account of a Microsoft Exec. How did they do this? Well, I talked about some of the methods used in relation to grabbing XBox Live accounts in Canada last year – while there’s no way to know how they did this yet, we can explore a few of the possibilities available to the account compromisers out there:

1) Phishing. This is usually the number one method for grabbing XBox Live accounts – fake XBox Live logins are a dime a dozen, and they also tie into fake XBox Live Generator programs (that claim to give you “free money” but actually steal your account details). Sometimes people will send phish links or requests for logins from compromised accounts, too:

phish message

Now, I can’t imagine Major Nelson running a fake generator and I don’t think he’d fall for a random phish. What IS interesting here is that Stephen Toulouse (the Director of Policy Enforcement) said the following on Twitter:

“Looks like this was very specific and very targeted to Major. I’ll look into the details and report back later.”

Could it have been a spear phish? It seems doubtful, given the way the individuals behind the attack have placed all sorts of personal data online for investigators to follow. Stranger things have happened, however.

2) Social Engineering. There are a number of options available here, but more often than not an attacker won’t try to Social Engineer the victim; they try to fool the support staff on the other end of the helplines. Of course, this is the one place where the victim is somewhat helpless – if the support staff falls for an individual calling up pretending to be you, there’s not a lot you can do about it.

Having said that, individuals that attempt these kinds of calls usually run into a brick wall if you take some precautions. Entering some false information into the personal info boxes for the questions attackers are most likely to know the answers to works wonders (though it goes without saying you need to remember what information you’ve put into the account!):

Nelsn4

If you’re curious about the EMail address having underscores in it, there is a theory that support staff the world over will see an EMail address show up on their system with what appear to be letters “missing” and think it’s protected by some fancy pants security system. Of course, it isn’t – but if the attacker is trying to squeeze your EMail address out of the support staff and they can’t even read it back to them properly then great.

3) Live Account Password Reset. The other method is the old classic – guess the secret answer to the Live account password reset question. A good tactic here is to have a totally nonsensical (but memorable!) answer to one of the common questions. As you can see, my mother has an interesting birthplace:

fake answers

I also appear to live in Rwanda, which is probably going to confuse the attackers a little bit more. It’ll be interesting to see if Microsoft release any additional information on this high-profile compromise, although you probably don’t need to start worrying just yet about the safety of your XBox Live details. As long as you steer clear of phishes, strange programs advertised on YouTube and messages from people you don’t know, and apply a little common sense to the information you enter on contact forms, you’ll probably be fine.

Christopher Boyd

Help The Homeless, Feed the Phishers?

Well, this is unfortunate. In the UK, we have something called “The Big Issue”, which is a magazine designed to help the homeless get back into society via a legitimate income. It sells around 300,000 copies a week and is listed as the third-favourite newspaper of young British people aged 15 to 24, according to Wikipedia.

At this moment in time, The Big Issue website is playing host to a French Paypal Phish – they have a zipped copy of the Phish uploaded to the server, and a live Phish directory too:

Hacked

Here’s the live Phish:

Big Issue Phish

Should the end-user enter their Paypal login, the next screen they see asks them to “Update their Paypal account” with valid card details:

Bigssuehck4

Checking out the Fiddler log reveals something interesting:

Bigssuehck3

Googling for that particular name reveals it has appeared in a couple of Paypal related Phishes previously, all at the tail end of 2009.

We’ve notified the host, and hopefully the Phish will be offline soon. Making ill-gotten gains through the website of a magazine designed to help generate income for the homeless is in pretty poor taste, even for a scammer.

Christopher Boyd

Site carries uncensored Chinese opinion on Google

Cracks in the Great Firewall of China

Slashdot.org had a brief story this morning about pro-Google comments of Chinese Web users that were carried on the ChinaSMACK web site.

ChinaSmack_logo

ChinaSMACK was registered in June 2008 by a California-based proxy service and it has a lot of friends:

ChinaSmack friends

It hosts a lot of pro-Chinese government comments, but a few interesting critical ones as well. Some shed a little light on Chinese government censorship methods:

— “I just know that on this piece of land that is the mainland, any media company, whether internet or newspaper, cannot be independent, because the Party manages the media.”

— “Many Chinese netizen comments have been deleted or hidden and most comments that remain visible clearly support the government or are critical of Google. You can see this in the translated comments from NetEase above.”

“On KDS, a popular Shanghai BBS discussion forum, I was able to find some comments in support of Google or critical of the government before they were deleted. KDS moderators first deleted posts with many replies before deleting the smaller posts with fewer replies. Many posts were deleted while I was still collecting comments from them.”

— “First, I don’t believe what the ZF (government) says, and this has nothing to do with whether or not I like Google, it only relates the ZF’s behavior. Next, I like Google, because the value of their first page of information [search results] is higher than Baidu. I am a consumer, don’t care about whatever dog fart politics, nor would I think of everything from a political perspective, but from a consumer’s perspective, I like Google, and no longer having Google I think is really regrettable.”

— “There are only two types of people who will be happy: 1, wumao, 2, Baidu.” (ed. note: “wumao” are government employees who are paid a small sum for each pro-government comment they post online. Baidu is China’s biggest search site.)

— “Wumao wishes Google would make a row every month.

1. Always material to write about.
2. “Fees” have caps and are disbursed monthly, benefits can be maximized.
3. If a LAN is really established, then many people will probably lose this job.”

There is a rather interesting (and very scatological) cartoon on the site as well that comments (and we’re really generalizing here) on the fact that Google could no longer accept the humiliation of Chinese censorship and “left the table,” but other search sites “stayed at the table.”

ChinaSMACK site.

Slashdot story here.

Tom Kelchner

Fake updates install backdoors

Our good friends at Bkis, a security firm based in Hanoi, Vietnam, have written about an interesting malcode lure: Trojans masquerading as updates for popular applications such as Adobe, Java or Windows.

The fake updates are distributed with icons of the application they’re impersonating.

Analyst Nguyen Cong Cuong wrote: “In addition, on being executed, they immediately turn on the following services: DHCP client, DNS client, Network share and open port to receive hacker’s commands.”

As a countermeasure, it would be a good idea to ignore any email you receive with a link or attachment that claims to be an update. Use the “updater” or “check for updates” menu choice on the application or Windows implementation that’s installed on your machine.

Bkis blog piece here.

Tom Kelchner

Social media is exposure for password guessing

The Inquirer security news site is reporting that the 25-year-old arrested by French police for hacking a Twitter database and accessing U.S. President Barack Obama’s account guessed the admin’s password.

The unemployed man, who went by the handle “Hacker Croll,” is not a genius, the news site concluded.

“Apparently it was a doddle to do. He simply guessed people’s passwords by working them out from information on their blogs or online pages they had created about themselves,” it said.

So, if you have a web site with pictures of cat “Fluffy” all over it, and you Tweet about Fluffy until your friends start dropping hints about getting a life, it wouldn’t be unreasonable to think that the password you use on your MySpace page, Twitter account and bank web site is something like “fluffy1.”
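An added example (not from the post): a Python check that asks whether a password is built from words the account owner has published about themselves, the “fluffy1” pattern just described. The profile text, stopword list and substitution table are constructed assumptions.

```python
import re
from typing import Iterable, Optional, Set

# Common single-character substitutions used to dress up a dictionary word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Words too common to count as personal information (constructed, deliberately short).
STOPWORDS = {"that", "this", "with", "from", "have", "about", "today", "just",
             "your", "until", "loves", "turned"}

# Constructed profile text of the kind the post describes: a blog and tweets about the cat.
SAMPLE_PROFILE = [
    "My cat Fluffy turned 3 today! Fluffy loves tuna.",
    "Fluffy asleep on the keyboard again. Greetings from Leeds.",
]


def profile_tokens(texts: Iterable[str], min_len: int = 4) -> Set[str]:
    """Pull candidate personal words (pet names, home town, ...) out of public text."""
    tokens = set()
    for text in texts:
        for word in re.findall(r"[A-Za-z]{%d,}" % min_len, text):
            w = word.lower()
            if w not in STOPWORDS:
                tokens.add(w)
    return tokens


def password_stems(password: str) -> Set[str]:
    """Undo the usual decorations: surrounding digits/punctuation, leetspeak, reversal."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    if not core:
        return set()  # all-digit or all-symbol passwords carry no word to compare
    stems = {core, core.translate(LEET)}
    stems |= {s[::-1] for s in list(stems)}
    return stems


def derived_from_profile(password: str, texts: Iterable[str]) -> Optional[str]:
    """Return the profile word the password is built on, or None if no link is found."""
    tokens = profile_tokens(texts)
    for stem in sorted(password_stems(password)):
        for tok in sorted(tokens):
            # Exact match, or a longer personal word embedded in the password ("ilovefluffy").
            if stem == tok or (len(tok) >= 5 and tok in stem):
                return tok
    return None


if __name__ == "__main__":
    for candidate in ["fluffy1", "F1uffy!", "Leeds2010", "ilovefluffy", "Tr0ub4dor&3"]:
        print(f"{candidate:14s} -> {derived_from_profile(candidate, SAMPLE_PROFILE)}")
```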

Story here.

Not fluffy

Not Fluffy


Tom Kelchner

Firefox, IE8 and Safari hacked at CanSecWest

Fast action at Pwn2Own

In the Pwn2Own hacking contest at the CanSecWest security conference in Vancouver, Canada, security researchers and hackers quickly hacked three of the major browsers to take control of the underlying operating systems.

— A German hacker who goes by the handle “Nils” used a previously unknown vulnerability in Mozilla’s Firefox to gain control of a 64-bit Windows 7 machine.

— Peter Vreugdenhil, an independent researcher from the Netherlands, used several vulnerabilities in Internet Explorer to take control of a machine running a patched 64-bit Windows 7 implementation.

— Researcher Charlie Miller used a vulnerability in the Safari browser to take control of a MacBook.

The winners of the contest get cash prizes and get to keep the machines they hack.

TippingPoint’s Zero Day Initiative, which sponsored the contest, owns the rights to the hacks and will present the details to Mozilla, Microsoft and Apple so those companies can issue patches before details are made public.

TippingPoint has put up $100,000 in prizes for the contest. This is its fourth year.

PCWorld story here.

More details in Computerworld story here.

This is a very high-profile event that helps focus the world’s attention on security vulnerabilities without anyone losing their banking logins, credit card numbers or account balance. The big lesson this year is that all browsers have vulnerabilities that can be exploited by malicious web sites and are often the way in to an operating system. Web users would be well advised to keep alert for updates no matter which one they use.

Various commentators are foaming at the mouth about Windows 7 weaknesses (“a FULLY PATCHED 64 bit Windows 7 installation!”), a Mac being hacked (“see, enterprises shouldn’t rely on the security of OS X!”) and the fact that Ubuntu Linux was NOT hacked (“aw, they just didn’t give them enough time!”)

It’s a passion thing: love me, love my OS.

Tom Kelchner

Google, China trade shots

Google and the Chinese government are continuing to trade shots in the PR battle over net censorship. Earlier in the week, Google moved its Chinese search facility to Hong Kong where it claims it is legal under Chinese law to provide searches without censoring results.

In China:

The Chinese government slammed Google in an op-ed piece in China Daily. The op-ed, under the name of Ding Yifan, included the assertion:

“Google’s withdrawal is not a purely commercial act. The incident has from the beginning been implicated in Washington’s political games with China.”

China Daily op-ed here: “Google’s exit a deliberate plot”

In Washington:

Google’s Director of Public Policy, Alan Davidson, testified before the U.S. Congressional-Executive Commission on China yesterday. His remarks stressed the free trade and rule-of-law implications of China’s actions and asked the U.S. government to consider diplomatic and other actions against the dozens of countries in the world that restrict Internet access.

“We should continue to look for effective ways to address unfair foreign trade barriers in the online world: to use trade agreements, trade tools, and trade diplomacy to promote the free flow of information on the Internet,” he said.

Transcript of testimony here.

Google has nothing (else) to lose in all of this. The Chinese government made the search giant’s position in China untenable with the (assumed) hacking of dissidents’ Gmail accounts and intransigence on net censorship.

China’s human rights record is bad enough that it isn’t going to lose much face on that front. A huge number of businesses that want to get into the vast Chinese market probably don’t care about that anyway. Google, however, can paint China as business-hostile by making an issue of the country’s lack of rule of law, (alleged) government-sponsored hacking to steal proprietary information and arbitrary regulations.

Tom Kelchner

Rogue Toolbars Serve Up Facebook Phishing Pages

There are a number of Toolbars out there in the wild with a nasty sting in the tail for anybody using them to log in to Facebook. We’ve seen two of these so far; it’s possible there are more.

Promoted as toolbars that allow you to cheat at popular Zynga games such as Mafia Wars, they appear to be normal at first glance with a collection of links to various websites and other features common to this type of program.

toolbar install page

Should the end-user hit the “Facebook” button, however, things start to go wrong very quickly. In testing, what opened up for us wasn’t the real Facebook login screen – it was a verified Facebook Phish.

phish warning

The button took us to apps-facebook-inthemafia(dot)tk, and only the anti-phish protection in both IE and Firefox would likely have saved the end-user from entering their details into the fake page. mafiamafiamafiamafia(dot)t35(dot)com was also flagged on Phishtank, and it looks like we arrived just in time to catch the suspicious activity taking place, because the t35 URL was deactivated shortly after.

The story doesn’t end there, however – once the above domain went down at around 5:20 GMT, it took 90 minutes or less for the toolbars to start pointing to a fresh URL!

A fresh phish

As you can see from the above screenshot, the toolbars now took end-users to apps-inthemafias-facebook(dot)tk, which was a cover for another t35 URL: mafiawars200uk(dot)t35(dot)com. Again, it wasn’t too long before the domain looked like this:

taken offline

Currently, the toolbars we have point to the real Facebook URL – the obvious danger is that they could suddenly switch to another fake site and continue harvesting Facebook logins. I’ve reported both Toolbars (which can be created by anyone through this Community Toolbar form) to Conduit, and hopefully action will be taken shortly. If we see any new phish pages linked to, I’ll update this entry.

For now, some handy tips:

1) If you install a toolbar from the ourtoolbar(dot)com domain, pay attention to what kind of toolbar it is. Does it promise “cheats” for Zynga games? If so, you might want to avoid logging into Facebook by clicking buttons on the toolbar itself.

2) If you do click a Facebook button on one of these toolbars, are you taken to a .tk domain? If so, check at the bottom of the page – the phish page creators are a little lazy, and have left a rather large clue that you’re not on the real Facebook site:

Fbpshtad

Adverts and a T35 hosting notice – probably a bit of a giveaway (you can also View Source in your browser and confirm you’re on a T35 domain and not Facebook).
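As an added example (not from the post or from Sunbelt), the two tips above turned into a Python check: given the URL a toolbar’s “Facebook” button opened and the page source, it reports the clues the post lists (brand name in a lookalike host, a .tk domain, a T35 hosting notice) plus where the login form actually submits credentials. The sample page and the allowlisting of facebook.com as the only legitimate host are constructed assumptions.

```python
import re
from typing import List
from urllib.parse import urljoin, urlsplit

# Signals taken from the post: cover domains on the free .tk TLD, real hosting on
# t35, and a T35 advert/hosting notice visible at the bottom of the page source.
FREE_TLDS = (".tk",)
HOSTING_MARKERS = ("t35",)


def is_facebook_host(url: str) -> bool:
    """True only when the registrable domain is facebook.com, not merely when the word appears."""
    host = (urlsplit(url).hostname or "").lower()
    return host == "facebook.com" or host.endswith(".facebook.com")


def form_targets(page_url: str, html: str) -> List[str]:
    """Absolute URLs that the page's <form> elements submit to (relative actions resolved)."""
    actions = re.findall(r"<form\b[^>]*\baction\s*=\s*[\"']?([^\"'\s>]+)", html, flags=re.I)
    return [urljoin(page_url, a) for a in actions]


def check_login_page(page_url: str, html: str) -> List[str]:
    """Return the reasons a 'Facebook' login page looks fake; an empty list means no flags."""
    targets = form_targets(page_url, html)
    if is_facebook_host(page_url) and all(is_facebook_host(t) for t in targets):
        return []
    host = (urlsplit(page_url).hostname or "").lower()
    reasons = []
    if "facebook" in host and not is_facebook_host(page_url):
        reasons.append(f"brand name inside lookalike hostname {host}")
    if host.endswith(FREE_TLDS):
        reasons.append(f"free-registration TLD {host.rsplit('.', 1)[-1]}")
    if any(m in html.lower() for m in HOSTING_MARKERS):
        reasons.append("page source mentions free hosting (the View Source clue)")
    for target in targets:
        if not is_facebook_host(target):
            reasons.append(f"login form submits credentials to {urlsplit(target).hostname}")
    return reasons


# Constructed stand-in for the phish page, modelled on the clues described in the post.
SAMPLE_PHISH_URL = "http://apps-facebook-inthemafia.tk/"
SAMPLE_PHISH_HTML = """<html><body>
<form method="post" action="login.php">
  <input name="email"><input name="pass" type="password"><input type="submit" value="Login">
</form>
<div class="ad">Advertisement</div>
<p>Free web hosting provided by T35</p>
</body></html>"""

if __name__ == "__main__":
    for reason in check_login_page(SAMPLE_PHISH_URL, SAMPLE_PHISH_HTML) or ["no flags"]:
        print(reason)
```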

We detect this as Trojan.Fbphishbar. Thanks to Adam Thomas from Sunbelt’s Malware Research Team for additional testing.

Christopher Boyd

Polar opposites in U.S. Senate co-sponsor cybercrime bill

In spite of the polarized, poisonous atmosphere in Washington, D.C., generated by President Barack Obama’s health care reform campaign, two Senators from very opposite ends of the political spectrum are co-sponsoring a bill to fight international cybercrime.

U.S. Senators Kirsten Gillibrand (D-NY) and Orrin Hatch (R-UT) have cosponsored a bill aimed at fighting international cyber crime: the International Cybercrime Reporting and Cooperation Act.

If enacted into law, the bill would give the U.S. government the power to help countries that need assistance in their fight against cyber crime. It also gives the U.S. government the power to cut off financial assistance to countries that don’t crack down on net criminals.

A wide variety of Internet criminals currently rely on bullet-proof servers in countries where their crimes are tolerated. It is believed that in some countries cyber crime is protected by corrupt governments or seen as a source of income for the country as long as the victims are all foreigners.

U.S. criminal investigators and those of other countries who have evidence to shut down criminal operations often get no cooperation from law enforcement groups in countries where the crime is tolerated. Russia, many eastern European countries, Nigeria and China traditionally have topped the list of non-cooperating countries.

In their news releases on the introduction of the bill, the two senators said:

“Earlier this year, hackers in China launched a large, sophisticated attack on Google and other American businesses. A conservative estimate from the Government Accountability Office (GAO) estimates that in 2005 U.S. businesses lost $67.2 billion as a result of cyberattacks. Since then, attacks have dramatically increased. The global economy overall lost over $1 trillion in 2008 as a result of cyber attacks, according to studies by McAfee, Inc.”

The bill would:

— Establish an annual presidential report in which the President would assess the extent of cybercrime in each country as well as the country’s efforts to fight it and protect consumers and online commerce. It also would report on multilateral efforts against cybercrime.

— Prioritize programs designed to combat cybercrime to help countries with little information and communications technology in order to stop them from becoming cybercrime havens.

— Provide assistance to improve finance or telecommunications infrastructure in countries that need it in order to combat cybercrime.

— Identify countries of cyber concern: those with a pattern of cybercrime against the U.S.

— Identify the countries that don’t deal with cybercrime “through investigations, prosecutions, bilateral or international cooperation, or appropriate legislation.”

— Establish an action plan to help governments of high cyber-crime countries fight it.

— Penalize countries that fail to meet benchmarks in their action plans by cutting off financing, preferential trade programs, or new foreign assistance, as long as the penalties don’t limit projects to fight cybercrime.

— Have the Secretary of State designate a senior official to coordinate the international fight against cybercrime and appoint employees at key embassies to focus on cybercrime policy.

We wish the Gentleman from Utah and the Lady from New York success.

Sen. Gillibrand news release here.

Sen. Hatch news release here.

Tom Kelchner

New social media? Pay to play online games with women?

“Dirty” or “Flirty”

Ok.

It’s an old formula for a successful business: pay girls to have fun with you.

This time the schtick is getting on-line gamers to pay $8.25 (US) to play an online game with a female for 10 minutes. The women get to keep 40 percent.

The site is GameCrush. It just opened last night and it seems to be a success (screen shots below.)

“GameCrush is being touted as the first social site for adult gamers with the women online able to set their gaming mood to either ‘flirt’ or ‘dirt’, IGN reports.

“The men online are known as Players and the women as PlayDates and Players pay to play while PlayDates get paid to play.

“Players browse PlayDate profiles — of which there are currently 1200 — view photos and even chat with girls for free.”

“At the moment it only supports Xbox 360 and some games on the GameCrush website. GameCrush plans to support PlayStation 3, Wii and World of Warcraft.”

Story here: “GameCrush lets gamers pay to play with girls”

And here.

Given that there might be 400,000 gamers (gold farmers) in third world countries making great money (for them) by playing 12 hours a day, I predict GameCrush is going to be a GREAT opportunity for female gamers from third-world countries (and everywhere else for that matter.)

GameCrush might be on to something: http://prdtest.gamecrush.com/

Yesterday afternoon:

Game_crush

This morning:

Game_crush 2

Tom Kelchner

Paper Ghost: “I can’t say I’m massively impressed with this one.

“It’s embarrassing when you walk into a game store and some box art has a ludicrously underdressed woman who’s supposed to be in the middle of a war zone. It’s embarrassing when the cover of video game magazines resemble something you’d normally find on the top shelf. And it’s embarrassing to see people happy to pay for something like this. There are actually plenty of females on gaming services who will happily talk to you for free, and they’ll shoot you AND they won’t charge money for it.

“They might upload your horrible deaths to YouTube, though.”

Update 03/25:

Launch day + 1 — servers still down.

Google-in-China saga: another hack, move to HK



There is a risk to computer security from governments. Regulatory changes, even if they are very positive measures, can impose huge demands on an enterprise (e.g. HIPAA, Sarbanes-Oxley, California’s law requiring notification of customers whose personal information is hacked on company sites.)

The “government” risk can get no bigger than the clash of Google and the government of China over the censorship issue. The world suspects that the Chinese government or its proxies were behind a campaign of hacking against Google and other major U.S. companies several months ago. Google reacted to the hacks by saying in January that it would stop censoring search results for web users in China. Monday it said it would move to Hong Kong.

The government of China, which gave the search giant the choice of censoring Internet content or leaving the country, accuses Google of being a pawn of the U.S. military establishment, hell bent on subverting Chinese order – the ability of the government to protect its citizens from “harmful” Internet content.

The latest hack

Reporter Mercedes Bunz of the UK’s Guardian is reporting today that a Google web page that lists corporate executives appears to have been hacked and has been redirected to a site in China. The Guardian reported the hacks to Google staff who said they were investigating.

Story here.

(Note: see update 03/25 below)

Analysis from both sides – playing it down in China

A large volume of news analysis today quotes observers with opinions that vary from “what were they thinking, going up against the government of China?” (NYT) to “China defended itself in an ideological battle” (People’s Daily Online).

China Daily reported that Chinese Foreign Ministry spokesman Qin Gang said: “The Chinese government encouraged and pushed for the openness of Internet and its management according to its laws and regulations, which was common practice in all countries.”

Story here: “Google case will not affect China-US relations”

What was Google thinking?

The New York Times quoted J. Stapleton Roy, director of the Kissinger Institute on China and the United States at the Woodrow Wilson International Center for Scholars. “I don’t understand their calculation, I do not see how Google could have concluded that they could have faced down the Chinese on a domestic censorship issue.”

Roy is a former U. S. ambassador to China.

How much is Google giving up in revenue?

The Times said some analysts estimate that Google’s annual revenue in China was only $300 to $600 million out of $24 billion in annual sales, but investors were expecting a bright future in that country, which has 350 million web users. Google’s stock has dropped because of the shoving match with the Chinese government.

Story here: “Google Faces Fallout as China Reacts to Site Shift”

Is there a risk for China’s government?

Some have said that Google’s move to stop the censorship puts the authorities in China in a difficult spot. The government would be reluctant to anger Google users in China who are usually highly educated and who do complain, the Times said.

The paper quoted Bill Bishop, a Beijing Internet entrepreneur who writes the tech blog Digicha, “The Chinese are very serious about pushing their soft-power agenda, Google just put a big hole in that sales pitch, and I think they know that.”

In an analysis piece in the Times, Michael Wines wrote:

“But China also does not acknowledge to its own people that it censors the Internet to exclude a wide range of political and social topics that its leaders believe could lead to instability. It does not release information on the number of censors it employs or the technology it uses for the world’s most sophisticated Internet firewall. Its 350 million Internet users, many with fast broadband connections, are assured they have the same effectively limitless access to information and communications that the rest of the world enjoys.”

Will forcing Google out stop innovation in China?

Wines and the reporters in Shanghai and Beijing who contributed to the analysis also wrote:

“The cost, at least with some influential sectors of its own society, could be steep. In the technology sector, Google is viewed as an innovator that has spurred rapid development of the Chinese Web. Its departure will leave some Chinese companies with greater influence, but could also stifle competition, some fear.

“‘Google is good at innovation, and when it leaves, the rest of the companies in China will lack motivation. Without its countervailing power, the industry won’t be as healthy,’ said Zhang Yunquan, a professor at the Institute of Software at the Chinese Academy of Sciences.

“Fang Xingdong, chief executive of Chinalabs.com, said the vast majority of Chinese Internet companies invested little in research and ‘simply copy each other’s technology.’ With Google’s departure, their profits may rise, but China’s Web space will begin to stagnate, he predicted.”

Story here: “Stance by China to Limit Google Is Risk by Beijing”

What nastiness is in it for the rest of us?

It’s a clash of the Titans, and there could be continuing fallout for everyone else. Although the wrestling match with Google didn’t start the hacking and intellectual property theft via the Internet out of China, it could focus the attention of nationalistic and quite independent Chinese hackers. We won’t even go into the issue of possible government- and military-sponsored hacks.

Enterprises should redouble user education about phishing, and everybody had better keep operating systems and anti-malware updated.

And, if you live outside China – enjoy the luxury of an uncensored web.

Tom Kelchner

Update 03/25:

Bulgarian city official loses committee post because of Farmville addiction

Computer security category of risk: human factors?

The Sofia, Bulgaria, news site novinite.com is reporting that a city councilor in Bulgaria’s second-largest city, Plovdiv, was voted out of a city council committee because he wouldn’t stop playing Farmville during meetings.

The Plovdiv city hall recently got wireless Internet and city councilors got laptop computers. Two weeks ago council chairman Ilko Iliev started to get irritated by council members playing Farmville during budget hearings.

“However, the real scandal erupted during Thursday’s meeting of the City Council when the most persistent Farmville enthusiast, Dimitar Kerin from the nationalist party Ataka, was voted out of the committee he was part of because of his Facebook addiction,” novinite.com reported.

“The proposal to remove Kerin from his respective municipal committee came from Todor Hristov, a former member of Kerin’s party, who has argued that Kerin ‘needs more time for his virtual farm.’”

In his own defense, Kerin pointed out that he had reached only level 40 in Farmville, but a councilor from the Democrats for Strong Bulgaria party (rightist) had made it to level 46.

Novinite.com story here.

Tom Kelchner

Neopets Paintbrush Generators lead to infections

Writing about the Neopets phish yesterday made me wonder if there are other scams out there targeting Neopets users (it wouldn’t be the first time). Sure enough, a quick scout around sites such as Youtube and…

Neopets Fake Generator

Oh dear. A number of files are being promoted on forums and video sharing sites just like the one above (which was uploaded only two days ago), all of which are claiming to be the above “Paintbrush Generator”.

In Neopets, magic paintbrushes are incredibly rare items that can change the colour of your Neopet. These items can sell for absolutely insane amounts of Neopoints (the official in-game currency), and children will happily run a program such as the one above in order to get their hands on said paintbrush.

The problem is that none of these programs are real, and all of them contain an infection file designed to target the parent whose PC the child happens to be using. Keyloggers, rootkits and Trojans are the order of the day. As you’ve probably guessed, this isn’t real:

Fake Neopets installer

Let’s assume our victim fires up the program and see how quickly something can go wrong:

Crypted Neopets

An .exe called “Crypted” appearing in the Temp Folder? I think we can safely say things have gone wrong very quickly. Having a look through the file throws up some interesting finds:

Stringsneopts

The above text has appeared in the strings of many infection files, such as this one. Additionally, the code is packed with references to passwords and one or two GUIDs related to passwords too. If you happen to be running VIPRE then you’ll be protected:

VIPRE detects this

Detections are good across the board for this particular infection file (36/42 detection rate on VirusTotal), but I imagine there will be a lot of variations on this over the next week or so until the people making these get bored and move onto something else.

In the meantime, if your children play Neopets you might want to sit them down, show them the screenshot of the “Paintbrush Generator” and advise them that these programs never, ever work and should be avoided at all costs. Additionally, directing them to the Neopets Security Page is probably also a good idea.

Christopher Boyd

Firefox 3.6.2 early edition

Firefox early

Mozilla Foundation has released version 3.6.2 of its Firefox browser a week early. The group had said the update would be available March 30.

The update fixes a widely reported vulnerability (CVE-2010-1028) that prompted Germany’s CERT to advise Web users to switch to another browser until a fix was made. (Sunbelt blog “Germany’s CERT warns against Firefox use” )

Intevydis researcher Evgeny Legerov had found that the Wide Open Font Format decoder in Firefox had an integer overflow in its font decompression mechanism. The flaw involved a memory buffer that was too small to handle a downloadable font. Legerov had found that exploiting the vulnerability could crash a victim’s browser, making it possible to run arbitrary code on the system.

Firefox 2

If you use Firefox, update here.

Security advisories for Firefox 3.6 here.

Tom Kelchner


Using Windows “hosts” file to cut off the help line

Our analyst Eric Kumar found this interesting and malicious little mechanism.

The hosts file on a machine under investigation was modified to redirect the victim’s browser to a well known legitimate site (in this case google.com) whenever he attempted to contact a list of nearly 400 sites. The list was a “Who’s Who” of the anti-malware world – most places where someone with an infected machine would go to get help.

Hosts file3

The altered hosts file he found contained many lines beginning with ‘#’ followed by gibberish. These would be seen as comments by any browser and ignored. Concealed among the commented lines are lines containing the domain name redirections. When the commented lines are stripped, we find all the listed security related websites being redirected to “209.85.129.99” which is the IP address for google.com.

Some of the sites were:

209.85.129.99 lexikon.ikarus.at
209.85.129.99 www.virusdoctor.jp
209.85.129.99 www.spybotupdates.com
209.85.129.99 securityresponse.symantec.com
209.85.129.99 www.mcafee.com
209.85.129.99 es.trendmicro-europe.com
209.85.129.99 www.quickheal.co.in
209.85.129.99 www.offensivecomputing.net

Sunbelt URLs figure prominently in the list as well:

209.85.129.99 research.sunbelt-software.com
209.85.129.99 www.sunbeltsoftware.com
209.85.129.99 www.sunbeltsecurity.com
209.85.129.99 www.cwsandbox.org

The “hosts” file is in the Windows\system32\drivers\etc directory in Win XP, Win7 and Win08 Server – and probably all incarnations of Windows, since browsers are going to look there.
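As an added illustration (not code from the Sunbelt post), here is a small Python check a defender could run over a hosts file: it strips the comment lines the malware hides behind, parses what is left the way the resolver would, and flags any watch-listed security site mapped to something other than loopback or 0.0.0.0. The vendor list and the sample hosts content are constructed for the example.

```python
# Added example, not from the Sunbelt post: flag hosts-file entries that
# redirect anti-malware help sites, ignoring the gibberish comment lines
# the malware uses as cover. Sample text and vendor list are constructed.
import ipaddress
from typing import List, Tuple
# Constructed watch-list: a few of the help sites named in the post.
SECURITY_DOMAINS = {
    "www.mcafee.com",
    "securityresponse.symantec.com",
    "research.sunbelt-software.com",
    "www.cwsandbox.org",
}
# Constructed sample in the style the post describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
# dj3kf9 sdf8 2lkj sdfsd 9s8df
209.85.129.99 www.mcafee.com
# x9v8 cv7 qwe rrrr 2kk
# 10.0.0.1 www.mcafee.com
209.85.129.99 research.sunbelt-software.com
\t209.85.129.99   www.cwsandbox.org   # trailing comment
0.0.0.0 ads.example.invalid
"""

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; '#' starts a comment anywhere on a
    line, exactly as the resolver treats it."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address
        entries.extend((ip, name.lower()) for name in fields[1:])
    return entries

def find_hijacked(text: str) -> List[Tuple[str, str]]:
    """Flag watch-listed domains mapped anywhere except loopback or
    0.0.0.0; a clean hosts file never points a vendor at another IP."""
    hits = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if name in SECURITY_DOMAINS and not (addr.is_loopback or addr.is_unspecified):
            hits.append((ip, name))
    return hits
```

Running `find_hijacked(SAMPLE_HOSTS)` returns the three vendor sites pointed at 209.85.129.99 and ignores both the commented-out line and the 0.0.0.0 ad-blocking entry.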

Hosts file

Nice work Eric.

Thanks for the help Henry.

Tom Kelchner