The Facebook Dislike Button Likes Hotbar

Not so long ago, examples of fake Firefox websites / downloads were in the news with the sites involved serving Hotbar installs.

It seems the tactic of offering up Firefox (but giving you something else entirely) is going to be around for a little while. Below is a site promoting a Firefox .xpi called “The Dislike Button”, designed to let you add an “I dislike this” note to Facebook posts:

Dislikebuttonsite

The domain is dislikes(dot)info. Note the “Get Firefox” button at the top. What do you think happens if you click it?

Hotbar download

That’s right, you’re given the option of downloading a setup file from Hotbar…not exactly the Firefox download you were expecting. Should the end-user install it thinking this will give them Firefox, they’re very much mistaken.

Zangboo21

What they actually get is the option to download Hotbar (and no Firefox), complete with a preticked ShopperReports checkbox. While I can understand having to download Firefox to use a Firefox .xpi, the need for installing the above escapes me.

Additionally, there’s a text link further down the page asking you to “Get Firefox now” which also directs you to the Hotbar install.

Install Firefox now

What’s particularly curious here is that if you visit the “Facebook Fan Page” linked to by the main site, you’ll see the following post:

fan page post

They’re not happy about people forcing surveys on end-users to obtain the Dislike button (fair enough), yet the main site asks you to “get Firefox” but gives you Hotbar.

I think….I dislike this.

Christopher Boyd

Germany’s CERT warns against Firefox use

BürgerCERT, Germany’s government information security organization, is recommending that Web users NOT use the Firefox browser until Mozilla fixes a vulnerability in it, which is expected March 30. No malicious use has been found yet; however, a researcher posted proof-of-concept code for exploiting the previously unknown vulnerability, which a malicious operator could use to run arbitrary code. Mozilla is expected to release Firefox 3.6.2 to fix the problem.

In January, the governments of France and Germany urged users to stop using Microsoft’s Internet Explorer browser until the company fixed the vulnerability that was blamed, at least in part, for the attacks from China on Google and more than two dozen other companies. (Sunbelt Blog post here. )

Web users who continue to use Firefox have been warned to avoid dodgy web sites that could use the vulnerability to compromise their machines.

BürgerCERT warning here.

Machine translation: “Due to one the Mozilla Foundation confidentially announced security hole recommends the citizen CERT the use of alternative browsers, until the Mozilla Firefox version 3.6.2 is published. The current publication plan of Firefox 3.6.2 sees a supply on Tuesday, 30. March 2010 before.”

Well, you kind of get the picture.

Register news story here.

Tom Kelchner

A Fishy Defacement

Generally speaking, most website defacements I see tend to look the same with political activist Y decrying political activist Z, or leet hax0rs posting up a mile-long shoutout list to their crew.

This one is, er, a little different – a defacement of what appears to have been a site involved in fish logistics and / or preservation, fish2see(dot)dk. I can only imagine the horror on the face of the site admin who woke up this morning to be confronted by this:

Deadfishhack
…oh dear.

The Admin has been notified, but the site is still currently defaced – I wouldn’t advise going there, as the attacker could decide to come back and put something a little more malicious online.

Christopher Boyd

Phishers cast their nets at Neopets Users

If you have children that play Neopets, you might want to warn them about this website or insert it into a blocklist of your choosing. The site is Neopoints(dot)tk, and promises lots of free Neopoints related items, with the help of a cute mascot called “Tuma the Draik”. I think there was a Norwegian prog rock group from the 70s called that, but I could be wrong.

Neopoints1

Of particular note here is the fact the site claims to offer “free magic paintbrushes”. These items are incredibly rare in Neopets land, and an excited child could easily wander into this particular trap as a result.

Neopoints2

You’re no doubt waiting for the sting in the tail – well, here it comes:

Neopoints3

The child is asked to fill in their Account name, Password, Security PIN and Email address before hitting “Done”. I don’t know about you, but I’m going to bet on “total and utter fake”.

The .tk URL currently points to

neopoints(dot)yolasite(dot)com

This will probably change as the free webhost for the phish terminates the account, but I don’t think the .tk URL will start pointing to anything legitimate in the near future so it’s probably one to keep an eye on.

Christopher Boyd

Google’s Pacific submarine cable “Unity” nearly complete

— 7.68 Terabits/s for growing Asian market
— $300 million cost (from consortium of six companies)
— 10,000 km length (Chikura in Japan to Los Angeles)
— Increases capacity across Pacific by 20 percent
— Dense Wavelength Division Multiplexing technology (960Gbps per fibre-optic pair with a maximum of eight fiber pairs)
— construction time: two years

Story here.

Tom Kelchner

20 undocumented holes in OS X?

Charlie Miller, Principal Analyst at Baltimore, Md.-based security firm ISE, has made news in the last two days saying that he found 20 previously unknown security vulnerabilities in Apple’s OS X operating system. News stories seem to anticipate that he will reveal them at the CanSecWest conference next week in his talk “Babysitting an Army of Monkeys: An Analysis of Fuzzing 4 Products with 5 Lines of Python.”

However, Miller tweeted: “To be clear, I’m not revealing 20 apple bugs at #cansec, I’m revealing how I found 20 apple bugs.”

According to reports, Miller found the vulnerabilities by feeding operating system and application inputs massive amounts of malformed data, a process called fuzzing.

Apple has said they are not aware of the vulnerabilities.

Story from Heise Security here.

It seems to be a good discussion of what Miller is up to.

It’s just plain weird how stories of potential OS X weaknesses make some people foam at the mouth, so, it’s a little difficult to find any discussion of OS X security without a load of “does too – does not” prose. Heise is staying neutral and we’re going to try to stay that way too.

Tom Kelchner

Phishing increased 62 percent in ’09

The DarkReading site is carrying a story about brand-protection firm MarkMonitor’s finding that phishing increased 62 percent in 2009 with 565,502 attacks in the year. MarkMonitor is based in San Francisco.

Other conclusions in MarkMonitor’s 2009 BrandJacking Index report:

— The huge increase can probably be attributed to the use of botnets and the large amount of personal information that can be scraped from social network sources.
— 2009 saw the all-time high average of 600 phishing attacks per organization
— only 33 percent of victims were first-time targets.
— Social networks suffered 11,240 attacks – two percent of the year’s total.
— The U.S. hosted 44.7 percent of phishing attacks, up from 36.5 in 2008.

DarkReading story here.

Tom Kelchner

Faking a fake

We’re all familiar with Rogue Antivirus products – but it seems script kiddies on numerous sites out there are starting to crank out their own phony security programs, many of which are confusingly based on the designs of – if you’ll pardon the expression – “genuine” fake AV programs.

Shall we take a look at their handiwork?

Skidav1

Note the shields, the yellow warning triangles, the fake scan results – these guys have clearly seen a lot of fake AV out in the wild! Unfortunately for the creator, it’s a little too OTT and might give the end-user pause for thought if they had to physically click something before becoming infected.

This next one (harmless in itself, since it merely asks the user to voluntarily download a malicious file from a URL) almost gets away with being convincing, but ruins it all by including what appears to be a poorly ripped Rapidshare download button:

Skidav2

Running with the idea that a huge green shield with a tick on it is always a good thing to throw into your design, “Eternity Virus Killer” takes the approach that you’re going to be infected the moment you run the file, so adding in lots of fake warnings, flashing lights and useless slider bars is a complete waste of time.

Skidav3a

My last example of a program imitating a genuine fake AV (“Genuine fake AV”. I think I have a new favourite phrase) is something that would actually pass for the real deal. Check it out:

Skidav4

For starters, whoever created this has called it “SecureME 2010” which is clearly playing on the good name of a real program called SecureMe used for mobile phone data theft protection. It’s not overloaded like the French app, and not shattering illusions like the other program did with the ludicrous Rapidshare image rip either.

Furthermore, it really looks the part. The creator obviously spent some time looking at rogues – here’s a REAL rogue AV program called “User Protection”:

Userprotection

Can you spot the difference? Much as I hate to admit it, that’s a really well done piece of design work.

Of course, ultimately this is all academic as the end-user probably doesn’t care too much if the file on their PC came from:

a) A shady set of individuals dropping fake antivirus onto their PC with the intention of having them sign away their credit card details or
b) Some script kiddy playing with his “My first Visual Basic” kit.

However, it’s interesting to see how people on forums, sick of making endless “Free XBox Generator points” programs, are now moving into emulating the kinds of Rogue Antispyware that have been around for years. Will having two entirely different and unrelated kinds of fake AV confuse security companies with regard to dividing these programs up into their respective families? No idea, but it could lead to some unexpected situations. Having said that, nobody in their right mind will hopefully be downloading programs such as the above when the fake box design ends up looking like this:

Skidav5

Whoops. Something tells me I could be wrong, however…

Paper Ghost

Can spam get worse?

Or is it at the saturation point?

The SANS Institute (acronym = SysAdmin, Audit, Network, Security) web site carried a blog piece that gives a good snapshot of the horrible ongoing plague of spam email that IT folks all over the globe must deal with. The writer, Deborah Hale, said the ISP in the Midwest where she works received almost 20 million pieces of email for more than 9,000 accounts since the beginning of March. Only 713,222 (3.6 percent) were NOT spam.

The comments that follow her blog piece also give other readers’ on-the-ground experiences with spam filtering.

SANS is a “cooperative research and education organization” which has been around since 1989. It’s a great resource.

Deborah Hale blog piece here.

The European Network and Information Security Agency (ENISA) 2009 spam survey (published in January) found 95 percent of traffic was spam and the situation hadn’t changed much in the year.

Message Labs has estimated that the top 10 botnets are responsible for over 90 percent of spam.

Tom Kelchner

A malware booty call

We hear so much about stealth tactics, data theft and covert ops where malware is concerned these days that we often forget about the time when it was more about how many popup windows the attacker could throw onto the screen along with a couple of dancing monkeys and a spangly toolbar.

Here, then, is something a little retro that takes a form of infection more known for stealth (parite) and turns it into an overt rip roaring rampage of revenge, but mostly broken computers.

Promoted as a music player based around the popular cartoon Aqua Teen Hunger Force, the following file (Win32.booty.exe) should be avoided at all costs:

Aqtnbooty1

Shortly after running the executable, hidden files and folders start to scatter themselves liberally across the PC in both the System32 Folder and the Temp Directory – in this case, 10.tmp containing a file called but!.exe, thrown together with the aid of what was probably the HotFusion file binder:

Aqtnbooty2

From there, another folder then appears (called 12.tmp) which contains the main payload files:

Worm.exe, Zombie.bat and chimes.wav.

Aqtnbooty3

So far, this is reasonably similar to a regular Parite infection (two folders in the temp directory, the promise of wormy action to come) but at this point we start to move away from the notion of Parite stealth to…well….take a look for yourselves.

Let’s check out Zombie.bat:

Aqtnbooty4

As you can see, the commands tell Worm.exe to spring into action and the .wav file (“Chimes”) starts to play.

What happens now?

Well, we prepared a little video demonstration for you (there’s sound, so you might want to put on some headphones):

http://sunbeltblog.eckelberry.com/wp-content/ihs/alex/paritebooty/

….yes, it made no sense to us either. The Task Bar vanishes and the victim loses the ability to open up Task Manager to kill the rogue processes. Any programs opened up once the infection takes hold will generally auto close seconds after opening.

Meanwhile, a file called BoOtY_Call starts spreading itself into every folder it can find, with the intention of jamming up the machine until it collapses in a crying, blubbering heap – with a song blasting out the joys of “booty” through your speakers, naturally.

Aqtnbooty5

If the victim manages to open up a folder and go on a deletion rampage, it doesn’t matter…BoOtY_Call keeps respawning and eventually triumphs in a blaze of malware glory.

This is pretty malicious stuff and throwing in a song about loving booty while a similarly named file proceeds to drive a wrecking ball through your hard drive is a surreal and comical contrast to the otherwise ruthless beating the PC is taking.

Given my earlier ramble, you may not be surprised to find we detect this as a variant of Parite (an infection that traditionally tries to infect EXEs and SCR files on PCs in a very quiet fashion, losing you hard drive space in the process), which is an interesting twist given how, er, loud this is. Probably not what the creators of Parite had in mind when they came up with it, but hey – that’s evolution, baby.

Sort of…

Chris Boyd

iRogue?

Are Mac OS X rogues an emerging threat?

For many years discussions of the potential for malware on Macs have ended with the conclusion: “there isn’t much yet, but as soon as Mac gets a big market share the dark side is going to start writing the code.” There are indications that the bad guys are working on it.

There have been some blog posts suggesting that the dark side is working hard to create a Mac OS X compatible rogue. SCMagazine is carrying a piece quoting a spokesman for researchers at Intego. Apparently Intego researchers got proof-of-concept code for an OS X rogue from underground sources and determined that it didn’t quite work. However, they concluded that some sophisticated coding was going on:

SCMagazine wrote: “The PoC was actually created with code that was provided by Apple as part of its developer software, (Peter) James (of Intego) said. Apple includes an API in its developer technology that can be used to create a tool called a “kiosk,” which locks a user into an application or disables certain operating system functionality. The PoC does not encrypt files, but launches an application that implements the kiosk tool and locks the user’s computer.”

Rogue anti-malware products — and VIPRE has 1965 detections for them — are one of the fastest growing types of malware out there and are huge money makers for the nasty folks behind them.

So, Mac users, be careful what you click on and if you get a pop-up window screaming that your machine is “infected” and offering to sell you a virus protection product to take care of the problem – you know the “day” has arrived.

“Ransomware not considered threat for Mac OS X”

Dancho Danchev on ZDNet: “Mac OS X SMS ransomware – hype or real threat?”

“Mac OS X Ransomware”

Tom Kelchner

Update, 3:10 p.m.:

Such a coincidence – Caris & Company, analyst Robert Cihra: “But believe it or not, we estimate Apple’s iMac accounting for a full one fourth of ALL desktop market growth in calendar year 2010.”

Apple Insider piece: “Apple’s iMac to account for 25% of global desktop growth in 2010”

Twitter launches shortening service

Twt_tl

Del Harvey, Director of Twitter’s Trust and Safety team, announced on Twitter’s blog that the micro-blogging service has begun using its own shortening service to stop malicious operators from sending tweets with links to their dodgy sites disguised through shortening.

Harvey wrote: “By routing all links submitted to Twitter through this new service, we can detect, intercept, and prevent the spread of bad links across all of Twitter. Even if a bad link is already sent out in an email notification and somebody clicks on it, we’ll be able to keep that user safe.”

Twitter “Trust and Safety” blog piece here.

The problem with shortened links has been that the tweet-ee can’t really see from the shortened URL what exactly he is clicking on. The LongURL site http://longurl.org/ provides a service to expand shortened URLs so tweet-ees can see if their tweet-er has sent a link to http://www.mAlIcIoUs.PhIsHiNg.DoWnLoAd.Site.com and not the Pottery Barn.
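The two mechanisms described in this post, a wrapping shortener that re-checks links at click time and an expander that reveals where a short link lands, can be modelled in a few dozen lines. The following is an added example written for this page; it is not Twitter’s or LongURL’s code. The twt.tl base, the .example hostnames and the redirect chain are constructed for the demo, and the fetch function is a stand-in for a HEAD request issued with redirects disabled.

```python
"""Click-time link filtering and shortened-URL expansion (added example).

Not Twitter's or LongURL's code. LinkWrapper stores long URLs behind short
tokens and checks each one against a blocklist when it is *clicked*, so a
link that already went out in an email can still be stopped. expand()
follows Location headers one hop at a time so the real destination is
visible without loading the final page. Hostnames below are constructed.
"""
from __future__ import annotations

import hashlib
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 10

# fetch(url) -> (status, headers). It must NOT follow redirects itself;
# in production this is a HEAD request with redirects disabled.
Fetch = Callable[[str], Tuple[int, Dict[str, str]]]


def normalize_host(url: str) -> str:
    """Lower-case hostname without port or trailing dot; '' if unparseable."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return host.lower().rstrip(".")


def host_matches(host: str, blocked: str) -> bool:
    """True when host is the blocked domain or any subdomain of it."""
    return host == blocked or host.endswith("." + blocked)


class LinkWrapper:
    """Minimal shortener that re-checks the stored URL on every resolve."""

    def __init__(self, base: str = "https://twt.tl/") -> None:
        self.base = base
        self._links: Dict[str, str] = {}
        self.blocklist: Set[str] = set()

    def wrap(self, url: str) -> str:
        """Issue a short URL; the check happens at resolve time, not here."""
        token = hashlib.sha256(url.encode("utf-8")).hexdigest()[:8]
        self._links[token] = url
        return self.base + token

    def block(self, domain: str) -> None:
        self.blocklist.add(domain.lower().rstrip("."))

    def resolve(self, short_url: str) -> Tuple[str, Optional[str]]:
        """Return ('redirect', url), ('blocked', url) or ('unknown', None)."""
        url = self._links.get(short_url.rsplit("/", 1)[-1])
        if url is None:
            return "unknown", None
        host = normalize_host(url)
        if any(host_matches(host, b) for b in self.blocklist):
            return "blocked", url
        return "redirect", url


def expand(url: str, fetch: Fetch, max_hops: int = MAX_HOPS) -> Tuple[str, List[str]]:
    """Follow redirects hop by hop; return (final_url, chain).

    Stops at the first non-redirect response. Raises ValueError on a
    redirect loop or when max_hops is exhausted instead of following forever.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, headers = fetch(url)
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if status not in REDIRECT_STATUSES or not location:
            return url, chain
        url = urljoin(url, location)  # Location may be relative
        chain.append(url)
        if url in seen:
            raise ValueError("redirect loop: " + " -> ".join(chain))
        seen.add(url)
    raise ValueError("gave up after %d redirects: %s" % (max_hops, " -> ".join(chain)))


def make_fake_fetch(redirects: Dict[str, str]) -> Fetch:
    """Constructed stand-in for HEAD requests: maps URL -> Location header."""
    def fetch(url: str) -> Tuple[int, Dict[str, str]]:
        if url in redirects:
            return 302, {"Location": redirects[url]}
        return 200, {"Content-Type": "text/html"}
    return fetch


# Constructed chain: shortener hop, tracker hop (relative Location), phish page.
CONSTRUCTED_CHAIN = {
    "http://short.example/abc": "http://click.tracker.example/go?id=1",
    "http://click.tracker.example/go?id=1": "/login.html",
    "http://click.tracker.example/login.html": "http://login.neopoints.example/",
}


def demo() -> Dict[str, object]:
    """Run both mechanisms on the constructed data."""
    wrapper = LinkWrapper()
    good = wrapper.wrap("http://news.example/story")
    bad = wrapper.wrap("http://login.neopoints.example/verify")
    before = wrapper.resolve(bad)[0]      # link sent before the domain was known bad
    wrapper.block("neopoints.example")     # blocklist updated afterwards
    after = wrapper.resolve(bad)[0]        # the already-sent link is now stopped
    final, chain = expand("http://short.example/abc", make_fake_fetch(CONSTRUCTED_CHAIN))
    return {"good": wrapper.resolve(good)[0], "before": before, "after": after,
            "final": final, "hops": len(chain) - 1}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The blocklist match is on the normalized host with subdomain matching, so `login.neopoints.example` is caught by an entry for `neopoints.example`; the expander bounds the hop count and detects loops because a tracker chain that redirects to itself is a cheap way to hang a naive resolver.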

The site bit.ly, which Twitter had been using, was one of the most popular shortening sites last year. The creators thought the name would be cool, which is why they registered the domain in Libya in order to get the “.ly” country domain. It has been pointed out that there is a risk in that (in addition to a huge negative public relations exposure) since Libya has Internet law in place that prohibits traffic related to sex, gambling, the lottery industry or anything insulting to Islam. If Libya suddenly decided to filter traffic, that could be a huge headache.

Story here.

Choosing a domain registered in East Timor (.tl) seems a bit safer, but, what’s with the AK-47 on the country’s coat of arms?

East_Timor

Tom Kelchner

March Madness madness

The March Madness that has become the description of the National Collegiate Athletic Association (NCAA) basketball tournament in the U.S. begins March 18. In recent years it’s turned into something of a national event with office pools, Americans glued to any source of information about the college games and, unfortunately, a spike in malware targeting corporate networks. Since most of the early NCAA games in the tournament take place during business hours, cyber criminals work hard to infiltrate corporate networks by tricking workers who are surfing the web looking for scores, live updates and streaming tournament coverage.

In 2007, research firm Challenger, Gray and Christmas of Chicago estimated that more than 22 million workers followed the tournament by checking scores online during work hours. Although live streaming is available on legitimate sites, some fans will undoubtedly become impatient while searching the web for instant updates and will be directed to a host of malicious websites through poisoned Google search results. These sites will look legitimate and some may even provide updated game results, but the threat is that they will also expose work-based computers to viruses, phishing attacks and other malware embedded in web pages, banner ads and fake video streaming downloads.

Sunbelt’s anti-malware researchers offer the following “5 Tips for Responsible Web Surfing” in order to limit the risk of falling prey to malware attacks:

— Make sure your antivirus and Web filtering programs and Windows patches are up to date
— Do not click on links on untrusted sites or email offers – rather, enter URLs directly into your browser
— Do not download any application or program from an untrusted source in order to view video feeds
— Do not provide passwords or other personally identifiable account data from your other Web-based accounts for any reason when attempting to watch games – legitimate sites should not require this
— Be cautious when you follow search engine results for top news stories or score updates

Tom Kelchner

U.S. cyber crime loss spiked in ’09 to $560 M

Here’s an ugly trend.

The U.S. Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) has reported that complaints of cyber crime losses in the U.S. more than doubled from $265 million in 2008 to $560 million in 2009.

The increase was much higher than previous year-over-year figures. The Center’s web site carried the following annual numbers:

IC3

The IC3 annual report said that the group received 336,655 complaints in 2009, an increase of 22.3 percent over 2008.

Types of complaints included:
— Thieves pretending to represent the FBI: 16 percent
— Non-delivery of merchandise: 11.9 percent
— Advance fee fraud scams (also called 419 scams): 9.8 percent

IC3 said 146,663 complaints were referred to local, state or federal agencies:
— Non-delivery of merchandise or payments: 19.9 percent
— Identity theft: 14.1 percent
— Credit card fraud: 10.4 percent
— Auction fraud: 10.3 percent
— Computer fraud or hacking: 7.9 percent

IC3 report here.

News story in Register here.

Tom Kelchner

Big Safari fix

Apple yesterday released a huge Safari update that fixes 16 vulnerabilities – six for Windows versions and ten for Mac OS X and Windows. The update, Safari 4.0.5, makes fixes in Tiger, Leopard, Snow Leopard and Windows versions.

This is probably pretty significant. In November, TheInquirer.net of the UK carried a piece about browser vulnerabilities that rated Firefox and Safari as the ones with the most vulnerabilities:
— Firefox 44 percent of total browser vulnerabilities
— Safari 35 percent
— Internet Explorer 15 percent
— Opera six percent

Story here: “Most web apps are broken.”

The 4.0.5 update fixes problems in ColorSync, ImageIO, PubSub, Safari and Web Kit, many of which could allow the execution of malicious code.

The last major Snow Leopard update (Mac OS X 10.6.2) came out in November. Apple distributed a beta version of Mac OS X 10.6.3 to its development community last week.

Vulnerabilities fixed included:

ColorSync (CVE-2010-0040)
ImageIO (CVE-2009-2285, CVE-2010-0041, CVE-2010-0042 and CVE-2010-0043)
PubSub (CVE-2010-0044)
Safari (CVE-2010-0045)
WebKit (CVE-2010-0046, CVE-2010-0047, CVE-2010-0048, CVE-2010-0049, CVE-2010-0050, CVE-2010-0051, CVE-2010-0052, CVE-2010-0053 and CVE-2010-0054)

Apple Support statement here.

Tom Kelchner

Many Zeus botnet C&C servers taken down

Swiss security blog Abuse.ch has reported that the upstream provider for the six worst Zeus botnet hosting ISPs was cut off from the Internet yesterday, dropping the number of active Zeus C&C servers from 249 to 181.

Abuse.ch wrote: “As you can see in the chart above, on March 9th 2010, the number of active ZeuS C&C servers dropped from 249 to 181! The first thing I thought was: There has to be some problem with the ZeuS Tracker cron script. I checked the script – everything looked ok. So the massive drop of ZeuS C&C server is fact. I noticed that six of the worst ZeuS hosting ISP suddenly disappeared from the ZeuS Tracker.

“I verified the subnets of the affected ISP and came to the conclusion that Troyak-as (AS50215), the upstream provider for the six worst ZeuS hosting ISPs, was cut from the internet on 2010-03-09. “

“Massive Drop in Number of Active Zeus C&C Servers” here.
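The check the Abuse.ch author describes above (first suspect the tracker’s own cron script, then notice that the vanished servers all sat behind one upstream) is worth automating. What follows is an added example written for this page, not abuse.ch’s ZeuS Tracker code: it compares two daily snapshots of active C&C hosts, measures the drop, and attributes the hosts that disappeared to their hosting AS and upstream AS so that a single provider being cut stands out from a collection bug or ordinary churn. The hosts, AS numbers and snapshots are constructed (documentation and private-use ASNs).

```python
"""Sanity-checking a sudden drop in a C&C tracker (added example).

Not abuse.ch's code. Given two daily sets of active C&C hosts plus each
host's hosting AS and upstream transit AS, measure the drop and say
whether one AS accounts for most of the vanished servers. All data below
is constructed.
"""
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Set


class CCRecord(NamedTuple):
    host: str      # C&C hostname or IP as tracked
    asn: int       # AS of the hosting ISP
    upstream: int  # transit AS the hosting ISP depends on


def drop_ratio(before: Set[str], after: Set[str]) -> float:
    """Fraction of yesterday's active C&Cs that are gone today."""
    if not before:
        return 0.0
    return (len(before) - len(after)) / len(before)


def attribute(records: Iterable[CCRecord], gone: Set[str]) -> Dict[str, Counter]:
    """Count vanished hosts per hosting AS and per upstream AS."""
    by_asn: Counter = Counter()
    by_upstream: Counter = Counter()
    for rec in records:
        if rec.host in gone:
            by_asn[rec.asn] += 1
            by_upstream[rec.upstream] += 1
    return {"asn": by_asn, "upstream": by_upstream}


def explain_drop(records: List[CCRecord], before: Set[str], after: Set[str],
                 alert_ratio: float = 0.2, concentration: float = 0.8) -> Dict[str, object]:
    """Flag a large drop and say whether one AS accounts for most of it."""
    gone = before - after
    ratio = drop_ratio(before, after)
    result: Dict[str, object] = {
        "before": len(before), "after": len(after), "gone": len(gone),
        "ratio": round(ratio, 3), "alert": ratio >= alert_ratio,
        "likely_cause": "none",
    }
    if not gone:
        return result
    attr = attribute(records, gone)
    if not attr["upstream"]:
        result["likely_cause"] = "vanished hosts have no AS data; check the collector"
        return result
    top_up, n_up = attr["upstream"].most_common(1)[0]
    top_asn, n_asn = attr["asn"].most_common(1)[0]
    if n_up / len(gone) >= concentration:
        result["likely_cause"] = "upstream AS%d (%d/%d vanished C&Cs route via it)" % (
            top_up, n_up, len(gone))
        result["hosting_asns_affected"] = sorted(
            {r.asn for r in records if r.host in gone and r.upstream == top_up})
    elif n_asn / len(gone) >= concentration:
        result["likely_cause"] = "hosting AS%d (%d/%d vanished C&Cs)" % (top_asn, n_asn, len(gone))
    else:
        result["likely_cause"] = "diffuse; verify the collection script before trusting the numbers"
    return result


# Constructed tracker data: six C&Cs at three small ISPs behind upstream
# AS64510, the remaining six behind unrelated upstreams.
RECORDS = [
    CCRecord("h01.example", 64501, 64510), CCRecord("h02.example", 64501, 64510),
    CCRecord("h03.example", 64501, 64510), CCRecord("h04.example", 64502, 64510),
    CCRecord("h05.example", 64502, 64510), CCRecord("h06.example", 64503, 64510),
    CCRecord("h07.example", 64504, 64520), CCRecord("h08.example", 64504, 64520),
    CCRecord("h09.example", 64504, 64520), CCRecord("h10.example", 64505, 64530),
    CCRecord("h11.example", 64505, 64530), CCRecord("h12.example", 64505, 64530),
]
DAY1 = {r.host for r in RECORDS}
# Day 2: AS64510 is cut from the net, plus one unrelated C&C goes quiet.
DAY2 = DAY1 - {"h01.example", "h02.example", "h03.example", "h04.example",
               "h05.example", "h06.example", "h10.example"}


if __name__ == "__main__":
    for key, value in explain_drop(RECORDS, DAY1, DAY2).items():
        print(key, "=", value)
```

The concentration threshold is what separates the three outcomes: most of the vanished hosts behind one upstream points at a transit cut like the one described above, most of them in one hosting AS points at a single ISP, and an even spread across unrelated ASes is the case where the collection script deserves suspicion first.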

Tom Kelchner

You don’t want to go looking for Corey Haim videos

Hollywood celebrity Corey Haim has died in typical tabloid fashion: “under investigation.” And we all know that celebrity death equals Internet scams by the boatload.

There are a number of spam runs currently circulating on video sharing sites such as Youtube, ready to catch out the curious and the unwary. Shall we take a look?

Haim1

“Suicide or killed! Watch Corey Haim first found dead”

Classy. Visiting mycelebzone(dot)com will pop open a Hotbar prompt, which you need to install to “see the content”:

Haim3

Instead of ghoulish pictures of a deceased celebrity, the end-user will find himself looking at a ghoulish spamblog full of fake links to ripped movies.

Oh, they’ll have Hotbar, ShopperReports and BarDiscover onboard too. What a value add!

Elsewhere, sites claiming to have horrible images such as Celebrity-autopsies(dot)com will drop you onto surveys and quizzes to be filled in, courtesy of a dancing Michael Jackson:

Haim6

To see the content, all you have to do is sign up to a ringtone service that charges the low price of £9.00 / $15.00 per week – I know a bargain when I see one, and this probably isn’t it.

There are various other links floating around on video sharing sites, all of which should be avoided like the plague. There probably isn’t much on them that would be of use to you, unless you enjoy the sensation of gaining nothing while lining the pockets of spamblog merchants.

Paper Ghost

Rogue security products are the new black

Well, it looks like rogues are going to be in style this season.

Our good friends at McAfee AV have predicted that the 400 percent increase in rogues (also called “scareware”) they saw in 2009 will continue this year. The loss to victims will be on the order of $300 million they also estimated.

Here at Sunbelt, we’re seeing a huge increase in rogue detections as well – nearly 30 percent in just the last three months. We list 1,965 rogues in our VIPRE detections and we’re detecting a constantly increasing number of them. VIPRE and CounterSpy installations report these detections to the Sunbelt ThreatNet. Just pulling some fast numbers out of ThreatNet, I found a 29 percent increase in VIPRE and CounterSpy detections when comparing the daily average for February against that of December.

In the event you’ve been living in a cave (with no Internet service) for the last two years, rogues are thieving malicious programs that pretend to be legitimate anti-malcode products. They are real money makers for organized and disorganized criminals who work through the Internet.

Sadly, security people have been working for the better part of 20 years to raise the public consciousness about malicious code and the need to run anti-malcode protection. About the time the message really began to sink in, the slimeballs of the world started distributing fake security programs that impersonate the graphic interfaces of legitimate products and use names that have a legitimate look to them.

The scammers behind the rogues often distribute them by using botnets to send vast amounts of spam, advertising a variety of products. When a victim clicks on a link in the spam message, he’s taken to a malicious web site that pops up a window in his browser telling him in the most frightening terms possible that his machine is infected. The pop-up window also conveniently offers to download a product to clean his infected machine for a variety of prices, some as high as $99.99. If the victim bites on the offer, he purchases a piece of useless software that does nothing. Obviously, if you run across one, don’t buy it.

Rogues also are being peddled through search engine optimization scams. The rogue distributors use botnets to game search engines like Google into presenting their malicious sites in the top search results for the most popular, up-to-the-minute search terms. When victims click on the links that show up in search results, they’re taken to the malicious sites that pop up the alarming warnings.

If you run into an application that you think might be a rogue, you can check its name against the Sunbelt Rogue Blog: http://rogueantispyware.blogspot.com/

Here’s a link to one of our blog entries from last month about one such SEO poisoning:
“SEO poisoning not in well, but it’s aiming for the water heater”

Tom Kelchner

Twitter starts Direct Message phishing filtering

Twust and Safetwy

Del Harvey who leads Twitter’s Trust and Safety team blogged yesterday that the social networking/micro-blogging service has begun filtering all links in Twitter Direct Messages to stop phishing:

“Since these attacks occur primarily on Direct Messages and email notifications about Direct Messages, this is where we have focused our initial efforts. For the most part, you will not notice this feature because it works behind the scenes but you may notice links shortened to twt.tl in Direct Messages and email notifications.”

Twitter blog piece here.

Tom Kelchner