Update to Schemes, Scams, Spams, and Pyramid Plans: Trojan.StartPage.SSSPP

After working with the folks at Highprofits.com and Fliqz.com we’ve sorted out the trail left by scammers behind Trojan.StartPage.SSSPP.

Basically, it was a two-step click-fraud operation that centered on changing (victim) Web users’ home pages to redirect to Highprofits.com sites (including fliqz.com). Those visitors who (unwillingly) went to Highprofits.com sites as a result made money for the iframedollars/virut gang.

Step 1 — The gang offered a Trojan downloader (Trojan.StartPage.SSSPP) on a crack site that redirected victims’ home pages to various Highprofits.com sites.

Step 2 — The gang had become an advertising affiliate of Highprofits.com, and the visitors that were sent to the Highprofits.com sites as a result of the Trojan carried the gang’s affiliate ID (in URLs). So the gang was getting paid for all the visits.

We said Friday that the Highprofits.com sites were infected with Trojan.StartPage.SSSPP. As a result, their site was blacklisted. As it turned out, at no time were Highprofits.com sites or Fliqz.com ever infected or hosting any malware to infect visitors.

Based on Sunbelt research, Highprofits.com was able to identify the affiliate ID that belonged to the gang and ban it as an affiliate.

Glad Sunbelt could help. Sorry about the blacklist thing.

Tom Kelchner

(Patrick and Alex too)

Fighting malicious web sites through domain registration

Computer security blogger Dave Piscitello of Hilton Head Island, S.C. (“The Security Skeptic”) ran an interesting piece: “Nine ways to mitigate malicious domains.” It’s a list of proposals that ICANN has collected from the security community that it will consider for new rules for top level domain applicants. It’s an effort to help prevent the establishment of malicious web sites.

ICANN is taking public comments at: http://www.icann.org/en/public-comment/

Dave said the suggestions under consideration are:

— Vetting registry operators to filter out criminal organizations. (Recommended by the Anti-Phishing Working Group and others.)

— Demonstrated plan for the deployment of Domain Name System Security Extensions. This would require written plans for signing zone files and delegations (domain names registered in its top level domain).

— Prohibition of redirection by top level domains. (ICANN’s SSAC, the ICANN Board of Directors) “…applicants must return negative responses when a DNS query is made to a non-existent domain and must not synthesize (redirect) queries for error resolution or advertising purposes.”

— Removal of orphan glue records. “Orphaned glue records frequently point to name servers that host malicious domains. This measure requires applicants to explain the policy they will enforce to ensure that a name server record in a delegation will not persist in the TLD zone file when the parent domain name is deleted from the zone.”

— A requirement for detailed Whois records.

— Centralization of zone file access. Presently, anyone seeking zone file access must contract with each top level domain registry separately to get FTP access to its zone files.

— Documented registry level abuse contacts and procedures.

— Participation in the Expedited Registry Security Request process to help ICANN and registries to maintain security during an incident.

— Establishment of High Security Zones Verification.
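The orphan glue item above is the most concrete of the nine, so here is an added illustration (my own code, not ICANN’s or Dave’s): a small Python check over a constructed TLD zone fragment that flags glue address records whose parent delegation is no longer in the zone, and shows how deleting a delegation without its glue creates exactly that orphan. The zone contents and the `tld.` origin are made up for the example.

```python
from collections import defaultdict

# Constructed sample TLD zone (not a real zone file). NS records below the apex are
# delegations; A/AAAA records underneath a delegated name are its glue.
ZONE = """
$ORIGIN tld.
tld.                 IN SOA  ns0.tld. hostmaster.tld. 1 3600 900 604800 86400
tld.                 IN NS   ns0.tld.
ns0.tld.             IN A    192.0.2.1
shop.tld.            IN NS   ns1.shop.tld.
ns1.shop.tld.        IN A    192.0.2.10
bank.tld.            IN NS   ns1.bank.tld.
bank.tld.            IN NS   ns2.bank.tld.
ns1.bank.tld.        IN A    192.0.2.20
ns2.bank.tld.        IN A    192.0.2.21
; gone.tld was deleted from the registry, but its glue was left behind
ns1.gone.tld.        IN A    198.51.100.5
"""

def labels_below(name, origin):
    """Labels of name that sit below the zone origin, e.g. ns1.gone.tld. -> ['ns1', 'gone']."""
    if name == origin or not name.endswith("." + origin):
        return []
    return name[:-(len(origin) + 1)].split(".")

def parse_zone(text, origin="tld."):
    """Return ({delegated name: set of NS names}, {host: set of addresses})."""
    delegations, glue = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        fields = line.split(";")[0].split(None, 3)
        if len(fields) < 4 or fields[0].startswith("$"):
            continue
        owner, _cls, rtype, rdata = fields[0].lower(), fields[1], fields[2], fields[3]
        if rtype == "NS" and owner != origin:      # apex NS is not a delegation
            delegations[owner].add(rdata.lower())
        elif rtype in ("A", "AAAA"):
            glue[owner].add(rdata)
    return delegations, glue

def orphan_glue(text, origin="tld."):
    """Glue hosts that no remaining delegation covers (the zone's own ns0.tld. is exempt)."""
    delegations, glue = parse_zone(text, origin)
    return [host for host in glue
            if len(labels_below(host, origin)) >= 2
            and not any(host.endswith("." + d) for d in delegations)]

def delete_delegation(text, name, with_glue=True):
    """Drop a delegation; with_glue=False mimics the sloppy deletion that leaves orphans."""
    kept = []
    for line in text.splitlines():
        fields = line.split(";")[0].split()
        if len(fields) >= 3 and fields[0].lower() == name and fields[2] == "NS":
            continue
        if with_glue and len(fields) >= 3 and fields[0].lower().endswith("." + name) \
                and fields[2] in ("A", "AAAA"):
            continue
        kept.append(line)
    return "\n".join(kept)
```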

See Dave’s blog piece here.

Thanks Dave

Tom Kelchner

Big changes at Intel, Motorola and HP are news

It’s a whopping day for news about Intel, Motorola and HP:

— Intel is going to settle its legal differences with A.M.D. for $1.25 billion.

— There are significant rumors that Motorola wants to split into three companies to pay down debt.

— It’s been announced that Hewlett-Packard will acquire network equipment maker 3Com for $2.7 billion. HP thinks the move will help it compete against Cisco and with customers in China.

“Intel Pays A.M.D. $1.25 Billion to Settle Legal Disputes”

“Motorola Said to Explore Dividing Into 3 Companies”

“Hewlett-Packard to Acquire 3Com”

Tom Kelchner

The Internet: nobody goes there any more. It’s too crowded

Palo Alto Networks of Sunnyvale, Calif., issued its Fall 2009 Application Usage and Risk Report (“An Analysis of End User Application Trends in the Enterprise”), analyzing traffic patterns on more than 200 worldwide networks. The Palo Alto researchers document massive growth in social networking and collaborative applications for business since their last report in April.

The use of blogs and wikis increased 39 times with total bandwidth use for those two activities increasing 48 times.

The report said there was a 192 percent increase in Facebook use. Facebook Chat, which began in April 2008, was the fourth most commonly detected IM application. It beat out AIM, IM and Yahoo!

The use of SharePoint, especially SharePoint documents, increased 17 times since April.

Palo Alto found a 252 percent increase in Twitter sessions since its spring Risk Report.

Report here.

Apple MobileMe credit card phish

Red phish, blue phish, this is a new phish:

From: Mobile IDisk [noreply01@me.com] [mailto:noreply01@me.com]
Date: November 8, 2009 5:25:10 PM CST

To: [*****]

Subject: Your subscription expires tomorrow…

Welcome,

Just a reminder to renew your MobileMe subscription by November 08, 2009 PDT to avoid interruption of service.

To renew your service, log in to MobileMe, select Account, and click Account Options. Then click the Login box for your subscription. When you’re done, click Billing Info and make sure your credit card information is up to date. It takes only a few minutes, and your credit card won’t be charged until the day before your renewal date.

Thanks for being a MobileMe subscriber. We’re looking forward to another great year.

[The phishing site has been taken down]

Copyright 2009 Apple Inc. All rights reserved.

Thanks Laura

Tom Kelchner

There might be more to Farmville than just finding a lost cow

Techcrunch has done an interesting story about the businesses that came up with the big popular social games: things like Farmville, Pet Society and Mobsters.

The three companies behind these and other social games — Zynga, Playfish and Playdom — have about 100 million subscribers and are making $300 million per year just from the sale of virtual goods. Making money is great, but some of the referral offers they run can get you hooked into services that will cost more than $100 per year. So you’d better read the fine print.

See story: “Social Games: How The Big Three Make Millions” here.

And for a slightly darker view: “Zynga CEO Admits to Being a Scammer” here.

And for a REALLY dark view: “Scamville: The Social Gaming Ecosystem Of Hell” here.

Tom Kelchner

3,100 vulnerabilities connected with Web software

If anyone ever needed a great example for the lectures they give friends, relatives or employees about the importance of installing software updates, here it is.

Security firm Cenzic ( http://www.cenzic.com/company/ ) has made public a report documenting 3,100 vulnerabilities that affect the software used on web sites and in browsers! The report included patched and unpatched vulnerabilities.

Cenzic, which provides software as a service, said in its report “Web Application Security Trends Report Q1-Q2, 2009” that Cross Site Scripting and SQL Injection vulnerabilities were a factor in half of all web attacks.

They said 87 percent of web applications their researchers looked at “had serious vulnerabilities that could potentially lead to the exposure of sensitive or confidential user information during transactions.”

On the server side, they said Apache, Citrix, F5 Networks, IBM, PHP, SAP, Sun and Symantec all ran software with vulnerabilities.

On the browser side, they said Firefox (44 percent of the vulnerabilities) and Safari (35 percent) had the most flaws. Internet Explorer had 15 percent and Opera six percent, they said. They apparently didn’t review Google’s Chrome. They added that Firefox vulnerabilities were patched much more quickly than Internet Explorer’s.

Story here.

Tom Kelchner

Major net advertiser site is spreading little-detected malware to visitors

Web security firm Websense is reporting that the servers of web advertiser media-servers.net have been compromised and are serving visitors malcode that exploits Microsoft and Adobe vulnerabilities. Thousands of sites have been compromised over several months, with the result that visitors get served an auto-loading script, the Websense researchers said.

Patches have been available for the vulnerabilities involved, so only unpatched machines visiting the site will be compromised.

Websense researchers also said that the malware involved is only detected by two of the 40 anti-virus companies: F-Secure (Suspicious:W32/Malware!Gemini) and Sunbelt (Trojan.Win32.Bredolab.Gen.1 (v)). The detection is based on behavioral analysis by F-Secure’s DeepGuard, and Sunbelt’s VIPRE technology.

Story here.

Tom Kelchner

Univ. of Tampa student starts non-profit to investigate wrongful convictions

University of Tampa senior Gretchen Cothron has launched a nonprofit organization called “Screaming for Sunshine” to help investigate wrongful convictions.

Cothron is an honors student, with a major in criminology and minor in law and justice.

Last year, she completed a project to demonstrate the necessity of recording interrogations during investigation, which isn’t required in Hillsborough County. Last month she presented her findings at the National Collegiate Honors in Washington, D.C.

After her work last year, she moved into an honors fellowship “…researching a statistical formula to see how eyewitness testimony, faulty forensic science and false confessions contribute to wrongful convictions,” according to the University of Tampa web site.

“Cothron has presented her preliminary findings at the Southern Criminal Justice Association’s annual conference and is presenting an extension of the same project at the American Society of Criminology’s annual meeting in November,” the UT site said.

“Cothron hopes to practice criminal appellate law after law school to help fund her real passion, a nonprofit she has formed called Screaming for Sunshine to assist with investigations of wrongful convictions.

“Florida leads the nation in the number of death-row exonerations,” Cothron said, “and there has to be countless others.”

Cothron’s nonprofit site here.

Story here.

For the tip on this, thanks to Glenn S. Dardick, Ph.D., Associate Prof. of Information Systems at Longwood Univ. in Farmville, Va. He’s also the Director of the Association for Digital Forensics, Security and Law and editor of the Journal of Digital Forensics, Security and Law.

Conficker and Taterf will be with us for a while

USA Today’s Byron Acohido is reporting that the Conficker and Taterf worms continue to spread.

Conficker is building a botnet, propagating through network shares and devices that use USB ports.

Taterf, the product of a malware tool kit, is aimed at stealing log-in information from on-line games. The malicious operators sell the log-in information to others who steal compromised gamers’ accounts for virtual goods which can be sold to other gamers.

Standard precautions can prevent the two from infecting machines: running a good anti-malware application and keeping current with updates and patches. Turning off the “autorun” feature in Windows also can stop the propagation through USB ports.

USA Today quoted Sunbelt Chief Technology Officer Eric Sites in the story. He told them “The sad fact is worms and viruses would be wiped out if everyone used best security practices.”

Story here.

Tom Kelchner

New Trojan uses CloneCashSystem site

Patrick came across a new Trojan today that uses the CloneCashSystem site (WHOIS registration date Oct. 2).

Trojan StartPage CloneCashSystem

Patrick’s note:

“My iframedollars downloaded a Trojan from a VX Catus site dl.guarddog2009.com/bookmark.exe.

“The 3 kb Trojan’s only function is to change the user’s start page to: join. clonecashsystem com/track/NjU1ODMuMjYuMzEuMzUuMC4wLjAuMC4w, which is one of those free report sites. It tries to get you to buy a get-rich-quick scheme.

“The start page is similar to the old CWS hijacking start page Trojans. I have named it Trojan.StartPage.CloneCashSystem.”

[NOTE: only go to the URLs mentioned here with caution.]

Thanks Patrick

Tom Kelchner

Update 11/9: We changed the description of CloneCash in the blog post since it is merely a site pointed to by iframedollars/virut. Patrick wrote the following after further investigating:

“The CloneCashSystem is really only free videos of how to make money on the Internet and not a scam, however, its URL is used in a TrojanStartPage with the file coming from a malicious site.

“The bookmark.exe has changed now to using join.123cashsurveys.com as the StartPage Hijacking.

“Due to the change and as I now have over 100 sites that could end up being used and may come under 3 business aliases, I have changed the threat from Trojan.StartPage.CloneCashSystem to Trojan.StartPage.SSSPP.

“For eternal use the SSSPP will stand for Schemes, Scams, Spams, and Pyramid Plans.”

Click fraud Trojan uses Internet security company site

Our researcher Patrick Jordan ran one of the installers from seriall.com, which is an old fake serial crack site where one can get infected waaaaay too easily. It created a run32.dll which functions as a redirector. When a victim of this searches for the string “remove spyware,” his infected computer redirects to the web page of security firm Webroot. Clicking on the “Business” tab will take the browser to a redirect site.

ClickFraud_SearchEngineResultsHijacking

On the left is the Webroot page redirect from an infected box and the right is the same action from a clean box.

The sites that it redirects to are typical info-stealing sites with cheap pay-per-click search pages.

Sunbelt already detects the installer and dll as Trojan.Win32.Generic!BT.

Just to clarify: this is not a Webroot issue, the Trojan simply redirects a victim’s browser to the Webroot page to give an appearance of authenticity before redirecting it on to a malicious site.

Thanks Patrick

Tom Kelchner

Man-in-the-middle attack uses SSL renegotiation

Researcher Ben Laurie has posted a note on his blog “Links — Ben Laurie blathering” alerting the world to a man-in-the-middle attack against Secure Sockets Layer.

“In short, a man-in-the-middle can use SSL renegotiation to inject an arbitrary prefix into any SSL session, undetected by either end,” he wrote.

Laurie said he and fellow researchers have a patch to SSL that bans renegotiation.

Blog post here.

Patch here.

Tom Kelchner

Update

“It’s a protocol-level flaw,” Chris Paget, chief technology officer at H4rdw4r

Computer World story “Scramble on to fix flaw in SSL security protocol” here.

Update 2

It never rains but it pours. Transport Layer Security has the problem too:

“Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle (MITM) attacks related to renegotiation. In general, these problems allow an MITM to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream, leading to a variety of abuse possibilities.”

This was blogged by security researchers Marsh Ray and Steve Dispensa today. They work for PhoneFactor, a two-factor authentication company.

TLS and SSL are widely used by online retailers and banks for secure web transactions.

Ray and Dispensa’s findings here.

Cross-domain flaw in Facebook, Myspace patched

A web developer from Amsterdam, who goes by the name Yvo, discovered a way a user could get access to other domains when logged into Facebook or Myspace. After he notified the two sites, the holes were patched.

Here’s Yvo’s description:

“…Adobe (Flash’s developers) introduced a ‘crossdomain.xml’ file which could allow certain domains to access another domain, leading to cross-domain access by certain or all domains. While indeed Facebook locked the front door from any non-Facebook domain access via Flash, a simple subdomain change allowed any flash application (domain=”*”) to access its domain data.”

His blog post here.

Yvo, we’re glad you found it before anyone else did.
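The crossdomain.xml point Yvo makes is easy to audit, so here is an added example (my own code, not Yvo’s, Facebook’s or Myspace’s): a Python check that parses a Flash cross-domain policy and flags the settings that hand a site’s authenticated data to other origins, with a constructed weak policy beside a tightened one. The policies and the example.com host names are made up; the attribute names are the ones Adobe’s policy-file format defines.

```python
import xml.etree.ElementTree as ET

# Constructed weak policy: trusts every origin, every subdomain, and plain-HTTP SWFs,
# and lets any directory on the host publish its own policy file.
WEAK_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
  <allow-access-from domain="*.example.com" secure="false"/>
</cross-domain-policy>"""

# Constructed tightened policy: only the master file counts, only named hosts are
# trusted, and only when the SWF itself was loaded over HTTPS.
FIXED_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
  <allow-access-from domain="static.example.com" secure="true"/>
</cross-domain-policy>"""

def audit_crossdomain(xml_text):
    """Return (code, value) findings for a crossdomain.xml body; an empty list means no issues."""
    root = ET.fromstring(xml_text)
    findings = []
    site_control = root.find("site-control")   # Element is falsy when empty: test with 'is not None'
    if site_control is not None and \
            site_control.get("permitted-cross-domain-policies", "").lower() == "all":
        # "all" lets a policy file anywhere on the host (e.g. an upload directory) grant access
        findings.append(("META_ALL", "site-control"))
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            # any SWF on any origin may read responses sent with the victim's cookies
            findings.append(("ANY_DOMAIN", domain))
        elif domain.startswith("*."):
            # every subdomain is trusted, including ones that host user-supplied content
            findings.append(("ANY_SUBDOMAIN", domain))
        if rule.get("secure", "true").lower() == "false":
            # a SWF loaded over plain HTTP may read HTTPS responses
            findings.append(("INSECURE", domain))
    return findings

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, audit_crossdomain(policy))
```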

Tom Kelchner