Cavalcade of malware hosted right here in the U S of A

Contrary to popular belief, not all malware is hosted in Eastern Europe or China.

In fact, there’s a whole bucketload of malware hosted in Scranton, PA.

Here are malware domains associated with IP 64.191.92.197 (defanged: the dot before the TLD has been replaced with spaces so the names don’t turn into live links):

1-againstspy  net
1-agentprotect  net
1-antispystore  com
1-antspy2008  com
1-mas2009  com
1-myantispy  net
1-myspyguard  com
1-spguard2008  com
1-webspyguard  com
2-againstspy  net
2-agentprotect  net
againstspy  net
agentprotect  net
antispysoft4u  com
antispystore  com
antspy2008  com
anush  biz
bestcontraadwarelive  com
bestcontraadwareonline  com
bestcontraadwarestore  com
bestmachinedefenderonline  com
bestmachinedefenderpro  com
bestmachinedefenderstore  com
bestopposingadwarelive  com
bestopposingadwareonline  com
bestopposingadwarepro  com
bestopposingadwarestore  com
bestserverdefenderlive  com
bestserverdefenderonline  com
bestserverdefenderpro  com
bestserverdefenderstore  com
chaepantispyforpc  com
codei  net
computeralt  net
easycontraadwarelive  com
easycontraadwareonline  com
easycontraadwarestore  com
easymachinedefenderonline  com
easymachinedefenderpro  com
easymachinedefenderstore  com
easyopposingadwarelive  com
easyopposingadwareonline  com
easyopposingadwarepro  com
easyopposingadwarestore  com
easyremoveviruspro  com
easyserverdefenderlive  com
easyserverdefenderonline  com
easyserverdefenderpro  com
easyserverdefenderstore  com
easyversusadwarestore  com
expertalt  com
freeofviruspc  com
is-antispy  com
lava-antispy  com
mas2009  com
medkeep  net
metricshop  net
ms-antispy  com
msantispyware2009  com
myantispy  net
mycontraadwareonline  com
mymachinedefenderpro  com
mymachinedefenderstore  com
mymedstore  net
myopposingadwareonline  com
myopposingadwarestore  com
myprosoftware  net
myserverdefenderlive  com
myserverdefenderonline  com
myserverdefenderstore  com
myspyguard  com
neosoftware  net
neosoftwareonline  net
novirusonpc  com
pc-cleaner2009  com
removevirusonline  com
softwaresky  net
softwarestrike  com
softwaretwo  com
softwareunity  net
spguard2008  com
spyfighterantivir  com
spywaredeletehere  net
spyware-out  com
spywareout2009  com
stopadvaresoft  com
systemstock  net
uploadantispy  com
virusprotectionsoft  com
virussoftwareremoval  com
virustreatmentforpc  com
webmedstore  net
websoftwarecloud  com
webspyguard  com
winspycleaner  com
winsyscleaner  com
yourcontraadwarelive  com
yourcontraadwareonline  com
yourcontraadwarestore  com
yourmachinedefenderpro  com
yourmachinedefenderstore  com
youropposingadwarelive  com
youropposingadwareonline  com
youropposingadwarepro  com
youropposingadwarestore  com
yourserverdefenderlive  com
yourserverdefenderonline  com
yourserverdefenderpro  com
yourserverdefenderstore  com

Quite a list, eh?

[Obviously, please don’t visit these unless you’re some kind of masochist —  or a security researcher (there is little difference between the two, incidentally).]

Alex Eckelberry
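As an added example (not part of the original post, and not Sunbelt code), here is a small Python script that refangs a list in the format above and checks hostnames from a DNS query log against it. It matches subdomains of each listed name (www.antispystore.com hits antispystore.com) but not look-alikes that merely end in the same string (notantispystore.com does not). The log format and the log lines are constructed for the example; the five domains are copied from the list above.

```python
import re

# Five entries copied from the list above, in the page's defanged "name  tld" form.
DEFANGED_DOMAINS = """\
1-againstspy  net
antispystore  com
bestcontraadwarelive  com
mas2009  com
pc-cleaner2009  com
"""

# Constructed DNS query log (not a real log): timestamp, client IP, "query", record type, name.
SAMPLE_DNS_LOG = """\
2009-06-10T12:00:01 10.0.0.5 query A www.antispystore.com
2009-06-10T12:00:02 10.0.0.7 query A mail.example.com
2009-06-10T12:00:03 10.0.0.9 query A notantispystore.com
2009-06-10T12:00:04 10.0.0.5 query A MAS2009.COM.
2009-06-10T12:00:05 10.0.0.8 query AAAA download.1-againstspy.net
garbage line that should be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def refang(line):
    """'antispystore  com' -> 'antispystore.com'. Returns None for blank or malformed lines."""
    labels = line.split()
    if len(labels) < 2:
        return None
    return ".".join(labels).lower()


def load_blocklist(text):
    """Parse a defanged list into a set of lower-case domain names."""
    return {d for d in (refang(line) for line in text.splitlines()) if d}


def match_blocklist(hostname, blocklist):
    """Return the blocklisted domain that hostname equals or sits under, else None.

    Matching is label-aware: www.antispystore.com matches antispystore.com,
    notantispystore.com does not. The bare TLD is never tested.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_dns_log(log_text, blocklist):
    """Return a list of (client, queried name, matched domain) for every blocklist hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash
        matched = match_blocklist(m["qname"], blocklist)
        if matched:
            hits.append((m["client"], m["qname"], matched))
    return hits


if __name__ == "__main__":
    for client, qname, domain in scan_dns_log(SAMPLE_DNS_LOG, load_blocklist(DEFANGED_DOMAINS)):
        print(f"{client} queried {qname} -> blocklisted {domain}")
```

Trailing dots and mixed case in the query name are normalised before matching, since both show up in real resolver logs; a client that queries several of these names in a short window is a much stronger signal than a single lookup.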

Dueling DDoS?

News sites on the Web today seem to have just discovered a story from last Thursday’s Guardian newspaper in the UK that said government agencies in the U.S. and U.K. are preparing to go after the servers of the criminal gangs and government-sponsored hackers in Russia, China and North Korea. The measures could range from covert installation of spyware to identify the miscreants all the way up to denial-of-service attacks.

The Guardian quotes unnamed sources saying that the UK’s Serious Organised Crime Agency and the Metropolitan police e-crime unit have already begun operations.

It also said a recent federal government review of cyber security in the U.S. stated that the president has the legal authority under the Communications Act of 1934 to carry out such attacks in defense of national security.

This isn’t the first time this has been discussed. While the recent increase in hacking and malware must be dealt with, a lot of observers conclude that there could be serious collateral damage if government agencies and the dark side begin exchanging attacks. The main “business model” of Internet crime is to organize other people’s computers into botnets that serve as command and control, launch the denial-of-service attacks, store the porn and do the drive-by downloads, so a counterattack on the criminals’ infrastructure lands on those hijacked machines and their owners. This could get really ugly.

Better update the emergency phone numbers for your up-stream provider and dust off the ol’ disaster recovery plan.

Story here.

Tom Kelchner

Rogue AV spoofs Microsoft Malicious Software Removal Tool

Malware authors continue to capitalize on the chattiness and marketing webiness in Windows.  A prime example is a new fake antivirus program masquerading as the Windows Malicious Software Removal Tool. 

CA has done the work on this one so I don’t have to — along with some good screenshots.  Link here.

Alex Eckelberry

zbot wave in effect

Earlier today, I blogged about a new zbot campaign that pushes a program to “reconfigure Outlook Express”. Well, it seems to be working, because the volume of spam with this type of message has gone up.

And — they’ve targeted TheBat! (ah, memories for some of you…), but the bot seems to be a bit confused, mixing in TheBat! with Outlook and Outlook Express.

[Screenshots: spam samples targeting TheBat!, Outlook and Outlook Express, and, of course, the obligatory fake greeting card.]

Sample strings used:

TheBat Setup Notification

You have (1) message from Microsoft Outlook.

Please re-configure your Microsoft Outlook again. Download attached setup file and install.

—————————————————————————————

Outlook Express Setup Notification

You have (8) message from Outlook Express.

Please re-configure your TheBat again.

Download attached setup file and install.

(If you’re curious as to what this thing does, you can view the Sunbelt Sandbox report here.)

Alex Eckelberry

Hotfix 5 released for VIPRE and CounterSpy

VIPRE and CounterSpy HotFix 5 will be released today at 6 pm EDT, providing a number of improvements in stability and overall effectiveness. Most importantly for enterprise customers, it solves issues experienced when running VIPRE and the ShadowProtect backup program at the same time on a server.

Users will be prompted to update through the user interfaces of both the consumer and enterprise versions of VIPRE and CounterSpy.

Version numbers for Hotfix 5:

CounterSpy (enterprise agent and consumer): 3.1.2774
VIPRE (enterprise agent and consumer version): 3.1.2775

Along with the agent, enterprise customers are encouraged to update their console version. The console build number for both CounterSpy and VIPRE is 3.1.3121.

Alex Eckelberry

New zbot twist

New spam message pushes zbot:

You have (1) message from Microsoft Outlook.

Please re-configure your Outlook Express again.

Download attached setup file and install.

The zip file attached gives you a happy dose of zbot love.

Admins — I know some of you don’t like to do this, but really — please, block all incoming zip files.

Alex Eckelberry
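The lure strings quoted in this post and in “zbot wave in effect” above are easy to turn into a mail-gateway check. The following is an added Python example (not Sunbelt code and not from the original posts): it parses a message with the standard library, flags the lure phrases, notes when one message names more than one mail client (the Outlook/Outlook Express/TheBat! mix-up), and detects ZIP attachments by the PK magic bytes rather than trusting the filename or declared content type. The sample messages are constructed inline from the quoted text; the ZIP attachment is just a header, not a real archive.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Lure phrases taken from the spam samples quoted in this post and in "zbot wave in effect".
LURE_PATTERNS = [
    re.compile(r"you have \(\d+\) message", re.I),
    re.compile(r"re-?configure your .*?(outlook|thebat)", re.I),
    re.compile(r"setup notification", re.I),
    re.compile(r"download attached setup file", re.I),
]
MAIL_CLIENTS = ("microsoft outlook", "outlook express", "thebat")
ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a ZIP archive


def is_zip(part):
    """True if the attachment is a ZIP by name or, more reliably, by its magic bytes."""
    name = (part.get_filename() or "").lower()
    payload = part.get_payload(decode=True) or b""
    return name.endswith(".zip") or payload.startswith(ZIP_MAGIC)


def analyze(raw_message):
    """Classify one RFC 822 message (bytes) as pass / quarantine / block."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    text = str(msg["Subject"] or "")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text += "\n" + body.get_content()
    lure_hits = [p.pattern for p in LURE_PATTERNS if p.search(text)]
    clients = sorted(c for c in MAIL_CLIENTS if c in text.lower())
    zips = [p.get_filename() or "<unnamed>" for p in msg.iter_attachments() if is_zip(p)]
    if zips:
        verdict = "block"        # the admin advice above: no inbound ZIPs, full stop
    elif lure_hits or len(clients) > 1:
        verdict = "quarantine"   # lure text, or one message naming several mail clients
    else:
        verdict = "pass"
    return {"lure_hits": lure_hits, "clients": clients,
            "zip_attachments": zips, "verdict": verdict}


def build_sample():
    """Constructed message reproducing the quoted lure; attachment is a bare ZIP header."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Outlook Express Setup Notification"
    msg.set_content(
        "You have (8) message from Outlook Express.\n"
        "Please re-configure your TheBat again.\n"
        "Download attached setup file and install.\n"
    )
    msg.add_attachment(ZIP_MAGIC + b"\x00" * 26, maintype="application",
                       subtype="octet-stream", filename="setup.zip")
    return msg.as_bytes()


def build_benign_sample():
    """Constructed ordinary message with no attachment, for comparison."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Lunch on Thursday?"
    msg.set_content("Same place as last time, 12:30?\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample(), build_benign_sample()):
        print(analyze(raw))
```

The filename check alone is not enough: a gateway that keys on `.zip` misses an archive renamed to `.dat` or sent with a misleading Content-Type, which is why the magic bytes are tested as well. Nested archives and password-protected ZIPs need further handling that this example does not attempt.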

Life continues to suck for Sam Jain and his merry bunch of (alleged) fraudsters

FTC denies challenges by Innovative Marketing.

This Court conducted a hearing yesterday on almost all outstanding motions in this case and rendered the following rulings for the reasons stated on the record:

  • Sam Jain’s Motion to Stay (Paper No. 45) is DENIED;
  • Kristy Ross’s Motion to Temporary Stay (Paper No. 48) is DENIED;
  • FTC’s Motion for Order Holding Sam Jain and Kristy Ross in Contempt of Court and Requiring the Repatriation of their Assets (Paper No. 49) is DENIED;
  • Kristy Ross’s Motion to Strike or in the Alternative Motion for an Extension of Time (Paper No. 51) is MOOT;
  • Sam Jain’s Motion to Strike or in the Alternative Motion for an Extension of Time (Paper No. 52) is MOOT;
  • Sam Jain’s Motion to Modify Preliminary Injunction (Paper No. 58) is DENIED IN PART, with the Court withholding a ruling on the requested modification of the asset freeze;
  • Sam Jain’s Motion to Dismiss under Rule 12(b)(7) and 19 (Paper No. 60) is DENIED;
  • Kristy Ross’s Motion to Dismiss under Rule 12(b)(7) and 19 (Paper No. 61) is DENIED;
  • Marc D’Souza’s Motion to Dismiss under Rule 12(b)(7) and 19 (Paper No. 70) is DENIED; and
  • Marc D’Souza’s Motion for Temporary Stay and Modification of Preliminary Injunction (Paper No. 71) is DENIED IN PART, with the Court withholding a ruling on the requested modification of the asset freeze.

More over at Sandi’s blog.

Alex Eckelberry

An “Inconvenient” Zbot lure

Sunbelt Software researchers turned up an interesting (infected) Web site that has been taken over and used as a redirect to install Zbot on the machines of web users looking for Al Gore’s “An Inconvenient Truth” site. Search engines are beginning to find it too.

The real site they’re looking for is at http://www.climatecrisis.net/.

The infected site, hxxp://an-inconvenient-truth.com (DO NOT GO THERE!), has been registered since 2006, so it’s probably a legitimate site that’s been taken over.

Obfuscated JavaScript at the bottom of the page points to hxxp://bl4ckst4r.cn/blog/go.php?sid=17 (DO NOT GO THERE!), which delivers Zbot, a Trojan that plants spyware on victims’ machines to steal banking log-in information.

Tom Kelchner

READ the EULA!

Sears Holding Corporation, which owns Sears, Roebuck and Kmart, has signed an agreement with the U.S. Federal Trade Commission and will destroy the information it harvested using ComScore (spyware) software last year.

It’s shocking that such a big and reputable company would get involved in something that invites Web users to an “exciting online community,” then installs spyware on their computers that monitors their online banking details, texts of secure pages they visit, online drug prescription records and email as well as the relatively mundane information about the web sites they visit.

To its credit, the company stopped the spying after public concern was raised. And they didn’t fight the FTC action.

For Web users, one big lesson here is that you must read those miserable, huge End User License Agreements (EULAs). All the spying was described in the EULA that Sears presented. Of course, it was on page 10 of a gargantuan 54-page privacy statement. Harvard University professor and spyware researcher Ben Edelman said the document failed to meet FTC standards set out during actions against spyware companies Direct Revenue and Zango.

News story here.

FTC news release here.

Tom Kelchner

T-Mobile pwnage

Well, this is not good.

The U.S. T-Mobile network predominately uses the GSM/GPRS/EDGE 1900 MHz frequency-band, making it the largest 1900 MHz network in the United States. Service is available in 98 of the 100 largest markets and 268 million potential customers.

Like Checkpoint, Tmobile has been owned for some time. We have everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009.

We already contacted their competitors and they didn’t show interest in buying their data -probably because the mails got to the wrong people- so now we are offering them for the highest bidder.

Please only serious offers, don’t waste our time.

Contact: pwnmobile_at_safe-mail.net

Alex Eckelberry
(Via Securiteam)

The Internet is a safer place (well, slightly) as FTC shuts down crime-hosting N. Calif. ISP

We REALLY hope this is the beginning of a trend.

The U.S. Federal Trade Commission has taken down Northern California Internet Service Provider Pricewert LLC (also doing business as 3FN and APS Telecom) that has hosted alleged criminal sites engaged in the distribution of spam, child pornography, spyware and malware as well as the operation of botnet command and control servers.

According to some reports, as many as 15,000 sites used for criminal purposes were shut down by the action.

Sunbelt Software researchers say they have been tracking Pricewert servers hosting alleged exploits and porn dialers since 2004. Also, IP addresses registered to them were known to be hosting exploits and malware, including rogues, since that year.

The FTC said in their complaint, filed in U.S. District Court for the Northern District of California, San Jose Division, that Pricewert advertised to a criminal clientele, then shielded their customers’ activities by ignoring take-down requests from the online security community or shifting the malicious sites to other IP addresses to help customers continue their activities.

The FTC filing is based on the commission’s belief that criminal activities have taken place and that the public interest would be served. A court must determine if any laws have been broken.

According to the FTC news release: “The court issued a temporary restraining order to prohibit Pricewert’s illegal activities and require its upstream Internet providers and data centers to cease providing services to Pricewert. The order also freezes Pricewert’s assets. The court will hold a preliminary injunction hearing on June 15, 2009.”

Mark your calendars!

FTC news release here.

Tom Kelchner

Guidelines for antivirus exclusions for MS programs repost

Earlier in the week, I posted a good set of guidelines for enterprise administrators from Microsoft for antivirus exclusions. Unfortunately, the page that I linked to got pulled. However, Rod Trent was kind enough to share the document with me, and you can download it here (MS Word).

Alex Eckelberry

An excellent domain typo generator

If you’re trying to protect your brand, this is a great tool from DomainTools:

There are a number of typo generators out there, but DomainTools’ is the only one that makes it easy to find out who is typosquatting on your domain name. It also lets you know if someone previously typosquatted or tasted a typo of your domain.

To use the typo generator, go to domaintools.com/domain-typo and enter the domain name. Then choose your options including views:

Registrant View – see typos of your domain and the registrant’s name. Great for seeing if one person is aggressively typosquatting you.

DNS View – typos include nameservers and IP addresses. Great for seeing if typos of your domain are parked.

More here.

Alex Eckelberry
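DomainTools’ generator is a web service; as an added example (not DomainTools’ code and not from the original post), here is a Python function that produces the same classes of typo candidates locally, so they can be fed to whois or DNS lookups for a brand you are monitoring: character omission, transposition, repetition, adjacent-key replacement and insertion on a US QWERTY layout, and hyphen omission. It assumes the brand is the first label of the domain (example.com, example.co.uk); the domain names used to exercise it are made up.

```python
import re

# Adjacent keys on a US QWERTY layout; used for replacement and insertion typos.
QWERTY_NEIGHBORS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
    "1": "2q", "2": "13qw", "3": "24we", "4": "35er", "5": "46rt", "6": "57ty",
    "7": "68yu", "8": "79ui", "9": "80io", "0": "9op",
}

# A DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
VALID_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def typo_candidates(domain):
    """Return {typo_domain: technique}. Assumes the first label is the brand name."""
    name, _, suffix = domain.lower().partition(".")
    out = {}

    def add(candidate, technique):
        # Keep only well-formed labels; the first technique to produce a candidate names it.
        if candidate != name and VALID_LABEL.match(candidate) and candidate not in out:
            out[candidate] = technique

    for i, ch in enumerate(name):
        add(name[:i] + name[i + 1:], "omission")             # sunbelt -> sunbel
        add(name[:i] + ch + name[i:], "repetition")          # sunbelt -> sunbeelt
        for k in QWERTY_NEIGHBORS.get(ch, ""):
            add(name[:i] + k + name[i + 1:], "replacement")  # sunbelt -> sunbwlt
            add(name[:i] + k + name[i:], "insertion")        # sunbelt -> sunbwelt
    for i in range(len(name) - 1):
        if name[i] != name[i + 1]:
            add(name[:i] + name[i + 1] + name[i] + name[i + 2:], "transposition")  # sunblet
    if "-" in name:
        add(name.replace("-", ""), "hyphen omission")        # pc-cleaner -> pccleaner
    return {f"{label}.{suffix}": technique for label, technique in out.items()}


def count_by_technique(candidates):
    """Summarise a candidate dict as {technique: count}."""
    counts = {}
    for technique in candidates.values():
        counts[technique] = counts.get(technique, 0) + 1
    return counts


if __name__ == "__main__":
    cands = typo_candidates("sunbelt.com")   # sample brand, constructed for the example
    print(len(cands), "candidates:", count_by_technique(cands))
    for d in sorted(cands)[:10]:
        print(d, cands[d])
```

Each candidate is still only a string; whether it is registered, parked or pointing at something nasty is the lookup step the post is about. Homoglyph and bit-squatting variants are deliberately left out of this generator.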

Hackers for hire

Hackers usually offer their services in the underground market, chatting in private forums, hidden behind various enigmatic aliases. However, a more enterprising bunch offers their services publicly, offering to hack into email accounts, Facebook, MySpace, ICQ or even Facebook’s popular Russian clone, Vkontakte.

However, you’d be an idiot if you actually used them. Doing business with black hats isn’t always the brightest thing to do — you might very well find yourself getting the bad end of the bargain.

Some recent research into one site dedicated to hacking Facebook revealed a number of dodgy sites all under the same IP (in the Cayman Islands, not surprisingly, and with a history). Let’s take a visual tour.

First, a more “general” site on hacking; then sites offering to hack Vkontakte and ICQ, MySpace and, of course, Facebook:

[Screenshots of the hacking-for-hire sites.]

(“vzlom” in Russian means “to break in” — of course, my Russian readers are sure to correct me.)

But this IP has a number of other questionable domains, such as a site seen in the past delivering malware, and one which looks suspiciously like a phishing site. I can only speculate at this point on the other sites listed in the IP range (“escrow services”, etc.).

The whole damned lot should be taken down.

Incidentally, if you use Facebook, MySpace, ICQ or Vkontakte, please do the obvious and use complex passwords, changing them regularly.

Alex Eckelberry
(Hat tip to Patrick)

Growth of malware: Update

Over a year ago, I published a rather stunning graph showing the growth of malware.

It needs updating. I asked Andreas Marx at AV-Test for some new data, and he’s been kind enough to share it with me.

First, the size of Andreas’ collection, then the monthly malware collection growth:

[Charts: size of the AV-Test malware collection, and monthly collection growth.]

(Excel spreadsheet here.)

Andreas tells me an updated chart will be available in a few weeks, and I expect to post that as well.

Alex Eckelberry