An example of a hacked site

We’re working on getting this taken down. However, it’s something that may be of interest.

Offenbachers.com is hacked — badly. The webserver only issues a 302 redirect when the request arrives with a referrer, so to see the hack the site has to see you coming from a referrer (in this case Google) rather than as a direct visitor.
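Because the redirect only fires for visitors carrying a referrer, a plain visit or a crawler with no Referer header sees a clean page. The following is an added example (not code from the original post) of the check a site owner would run: request the same URL with no referrer and with a few search-engine referrers, without following redirects, and report any response that differs from the baseline. The offline run below uses a constructed fake transport that reproduces the behaviour described above; `fetch_live` is the real transport, and the redirect target `redirect.example` is a placeholder, not the host from the post.

```python
"""Detect a Referer-keyed conditional redirect.

Added example, not from the original post. `fetch_live` performs real
requests (for a host you are responsible for); the two fake_fetch_* functions
are constructed stand-ins so the script runs offline.
"""
import urllib.request
from urllib.error import HTTPError
from typing import Callable, Dict, Optional, Tuple

# A response is (HTTP status, value of the Location header or None).
Response = Tuple[int, Optional[str]]
Fetcher = Callable[[str, Optional[str]], Response]

# The hack in the post fired for visitors arriving from Google; the other
# search engines are probed as well for coverage.
PROBE_REFERERS = [
    "https://www.google.com/search?q=example",
    "https://www.bing.com/search?q=example",
    "https://search.yahoo.com/search?p=example",
]


def fetch_live(url: str, referer: Optional[str]) -> Response:
    """Real transport: fetch `url` with an optional Referer, never follow 3xx."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib raise HTTPError instead

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.getcode(), resp.headers.get("Location")
    except HTTPError as err:  # the unfollowed 302 lands here
        return err.code, err.headers.get("Location")


def detect_referer_cloaking(url: str, fetch: Fetcher) -> Dict[str, Response]:
    """Return {referer: response} for every probe that differs from the
    no-referer baseline. An empty dict means the site behaved consistently."""
    baseline = fetch(url, None)
    findings: Dict[str, Response] = {}
    for referer in PROBE_REFERERS:
        resp = fetch(url, referer)
        if resp != baseline:
            findings[referer] = resp
    return findings


# --- constructed fake transports --------------------------------------
def fake_fetch_compromised(url: str, referer: Optional[str]) -> Response:
    # Constructed: direct visits get the real page (200); anyone arriving
    # from Google is bounced to a third-party host (placeholder name).
    if referer and "google." in referer:
        return 302, "http://redirect.example/landing"
    return 200, None


def fake_fetch_clean(url: str, referer: Optional[str]) -> Response:
    # Constructed: a site that answers the same way regardless of referrer.
    return 200, None


if __name__ == "__main__":
    print(detect_referer_cloaking("http://www.example.com/", fake_fetch_compromised))
    print(detect_referer_cloaking("http://www.example.com/", fake_fetch_clean))
```

The redirect handler deliberately refuses to follow the 302 so that the status and Location header are the evidence; following it would just show the landing page and lose the comparison.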

Going to the site normally yields this:

(screenshot of the site on a direct visit)

However, when you visit the site from Google you get this:

(screenshot of the redirect when arriving from Google)

And this:

(screenshot)

I made a really quick little video here (it’s not elegant but I’m tight on time).

Alex Eckelberry
(Thanks to Sunbelt’s Francesco for the help, and thanks to John for reporting the site)

Update: As of 1/9/2009, site appears clean.

Math and computer geeks have more fun

(Stock photo)

Finally, the proof you’ve been waiting for. Jobsrated.com has analyzed 200 jobs, and rates math at the top. Software developers have a good showing as well.

Here’s the top 12 (I went to 12 because I rather liked the idea of a philosopher being on the list):

1. Mathematician
2. Actuary
3. Statistician
4. Biologist
5. Software Engineer
6. Computer Systems Analyst
7. Historian
8. Sociologist
9. Industrial Designer
10. Accountant
11. Economist
12. Philosopher

And not to worry: for those not inclined to the hard sciences, the soft ones have a showing as well.

Link here (via beSpacific).

Alex Eckelberry

Philly to get UK-style cameras

(Stock photo)

As you can imagine, I really, really don’t like this.

On orders from the federal government, Philadelphia is replacing all its electromechanical signal boxes with a digital system that will eventually host the guts for a citywide network of surveillance cameras. While the old signal boxes were small enough to be strapped to the poles of traffic lights, the new digital, camera-ready signals require a lot more space – freestanding cabinets 67 inches tall.

Link here (hattip).

Alex Eckelberry

Skanks in more ways than one

Liskula Cohen is suing Google to reveal the source of some nasty comments on a Blogger blog, called Skanks in NYC (the blog itself is here).

Since Liskula has now created a Streisand Effect, many people will assuredly be searching for this blog.

Unfortunately, the bad guys have poisoned Google with the term “skanks in nyc”, with links that push Antivirus 2009.

(screenshot of the poisoned search results)

We have a video that shows what happens here.

Alex Eckelberry

New Rogue: Total Protect 2009

We are a bit late on blogging this but Patrick Jordan found out something really interesting about this rogue.

This rogue is unique: uninstaller.exe and the installer totalprotect2009_setup.exe have the same MD5/CRC8, yet one installs while the other uninstalls.
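When two samples report the same MD5, the first thing an analyst wants to know is whether they are byte-identical (in which case the differing behaviour must come from something outside the file, such as the name it is run under) or whether MD5 is hiding a difference that a second digest would expose. The following is an added example, not the rogue's code or anything from the original post; the two sample buffers are constructed.

```python
"""Compare two binaries with more than one digest.

Added example, not from the original post. Classifies a pair of files as
byte-identical, MD5-colliding, or simply different.
"""
import hashlib
import zlib
from typing import Dict


def digests(data: bytes) -> Dict[str, str]:
    """MD5, SHA-256, CRC32 and size for one buffer."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "size": str(len(data)),
    }


def compare(a: bytes, b: bytes) -> str:
    """Relationship between two files:
    'identical'     every byte matches; any behavioural difference is
                    external (file name, arguments, environment)
    'md5-collision' MD5 agrees but the bytes differ; treat as hostile
    'different'     MD5 differs
    """
    if digests(a)["md5"] != digests(b)["md5"]:
        return "different"
    if a == b:
        return "identical"
    return "md5-collision"


def digest_file(path: str) -> Dict[str, str]:
    """Convenience wrapper for on-disk samples."""
    with open(path, "rb") as fh:
        return digests(fh.read())


# Constructed sample buffers (not the rogue's binaries).
INSTALLER = b"MZ\x90\x00" + b"A" * 64
UNINSTALLER_SAME_BYTES = bytes(INSTALLER)
OTHER_BINARY = b"MZ\x90\x00" + b"B" * 64

if __name__ == "__main__":
    print(compare(INSTALLER, UNINSTALLER_SAME_BYTES))  # identical
    print(compare(INSTALLER, OTHER_BINARY))            # different
    print(digests(INSTALLER))
```

If the verdict is `identical`, the hash alone cannot explain an installer/uninstaller split; record the file name and invocation alongside the digest when cataloguing the sample, since a binary can branch on its own name.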

(screenshot: Total Protect 2009 GUI)

Sites associated:

94.247.3.60 Totalprotect2009 com
94.247.3.61 Securitysolutionsnetworks com

Bharath M N

New rogue security products

A few rogue security applications seen in the last week of December.

Astrum Antivirus Pro
(screenshot)

Sites Associated
74.50.119.187 Astrumavr com
74.50.119.187 Astrumavrpro com

iSafe AntiVirus
(screenshot)

Sites Associated
94.247.3.240 Isafeantiviruspro com
94.247.3.240 Isafeantivir com
94.247.3.240 Isafe-antivirus com
94.247.3.240 Isaferantivirus com
94.247.3.240 Isafeantivirus com
94.247.3.240 Isafeantvirus com

Express Antivirus 2009
(screenshot)

Site Associated
217.20.112.98 Expressantivirus2009 com

Bharath M N

Scam alert: “Celebrity Sexy Teeth”

Normally, I write about malware scams. However, I have been seeing quite a few ads recently along the lines of “Teeth Whiteners Exposed”, and my scam radar started going off. I know a fair amount about internet marketing and affiliate channels, so I started digging a bit.

“Celebrity Sexy Teeth” purports to provide amazing benefits in whitening teeth (as it “works with both the inner and outer enamel” and the weird statement that a “combination of key ingredients are amazingly effective at drawing hydrogen peroxide in to the tiny pores of your teeth to whiten both the outer layer of enamel for immediately noticeable whiter teeth, and the inner layers of enamel for long lasting results”).

(screenshot of the ad)

Pushed through affiliate sites such as best-teeth-whitening.com (these fake review sites easily fool people), running ads promising to show “Teeth Whiteners Exposed”, the company is making money off a product that is quite likely… snake oil.

A search on the product’s name reveals significant dissatisfaction, such as “It doesn’t work and when I opened it the stuff came bubbling out making a mess and wasting a lot of it.”, “I’ve been using it for more than two weeks, haven’t noticed any difference at all. I’m going to try to send it back, hopefully they’ll uphold their guarantee.”, “I tried it exactly as directed. Completely useless, no result whatsoever.”, “This product is a scam, total ripoff. I paid $50.00 for this crap and I couldn’t see any difference after using.” and so on (although I did find one positive review, against an overwhelming negative stream of user comments).

A dental group on Google Groups discusses the product with skepticism, and one reader even notes that the first ingredient listed is Propylene Glycol (antifreeze).

A site with real user reviews shows similar issues. Of course, blogs that likely make affiliate commissions tout the product’s benefits.

So what does the BBB say? Errr… Nothing good. The company behind this product is Ionoline, which the BBB gives failing grades here (for Celebrity Sexy Lips) and here (for some other service called “GetWired”). They have also launched a new product, Celebrity Sexy Body (the female fat burner!).

There are plenty of solutions if you’re looking for such a product, including the cheapest — hydrogen peroxide.

But certainly, I would steer clear of this one.

Alex Eckelberry

Case study on keyloggers and drop zones

Thorsten Holz, one of our partners on the Sunbelt CWSandbox, has published a good paper on the underground economy.

We study an active underground economy that trades stolen digital credentials. We present a method with which it is possible to directly analyze the amount of data harvested through these types of attacks in a highly automated fashion. We exemplify this method by applying it to keylogger-based stealing of credentials via dropzones, anonymous collection points of illicitly collected data. Based on the collected data from more than 70 dropzones, we present the first empirical study of this phenomenon, giving many first-hand details about the attacks that were observed during a seven-month period between April and October 2008. This helps us better understand the nature and size of these quickly emerging underground marketplaces.

You can read the paper here. Heise has also done a writeup on this paper (here).

Alex Eckelberry

What makes Rustock tick?

Chandra Prakesh, our Antivirus Lab Manager, presented a paper at AVAR this year on Rustock. PDF here, PowerPoint here.

From a research perspective, Rustock is quite interesting, as it is a complex backdoor trojan that turns a compromised system into a covert proxy, using highly sophisticated methods of evasion.

Chandra is a bit of an expert on Rustock. He’s also written papers on other subjects that I’ve referenced on the blog here and here.

Alex Eckelberry

2008 Scareware perspective

Rogue security products, often referred to as “scareware”, are a form of malware that uses scare tactics to make people falsely believe their systems are infected with malware, and then demands payment to remove the supposed infection.

It’s a form of extortion that we’ve routinely blogged about.

Sunbelt’s Patrick Jordan keeps track of a lot of them, and has put together a boatload of screen shots of these rogues from 2008.

I’ve posted them to my Flickr account, here (faithful blog readers will recall I did something similar back in 2006).

Alex Eckelberry

New rogue scareware program: Antivirus 360

I’m a bit late on blogging this, but there’s a new rogue, Antivirus 360, which replaces Antivirus 2009.

(screenshots: the fake online scanner, the install box, and the Antivirus 360 GUI)

The scam scan is at:

antivirus-rapid-scanner  com/360/1/en/_freescan.php?sid=880751

Also, an exe is downloaded from:

lead-protection com/download/av_360glof.exe
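The indicator lists in these rogue posts (Total Protect 2009, Astrum, iSafe, Express Antivirus, and the Antivirus 360 URLs above) are all defanged the same way: the host's final dot is replaced by a space, optionally preceded by the IP it resolves to and optionally followed by a path. The following is an added example, not code from the original posts, of a parser that turns such lines back into usable indicators for a blocklist and groups domains by hosting IP. It assumes at most one IPv4 address per line and a lowercase TLD of two to six letters (that rule is what keeps prose such as "Sites Associated" from being read as an indicator); the sample text is copied from the lists on this page.

```python
"""Re-fang the "host tld" indicator lines used in these write-ups.

Added example, not from the original posts. Lines that do not match the
defanging pattern are skipped rather than guessed at.
"""
import re
from typing import Dict, List, NamedTuple, Optional

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
LINE_RE = re.compile(
    rf"^\s*(?:(?P<ip>{IPV4})\s+)?"                   # optional resolving IP
    r"(?P<host>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)"   # host with last dot removed
    r"\s+(?P<tld>[a-z]{2,6})"                        # the defanged TLD (assumption)
    r"(?P<path>/\S*)?\s*$"                           # optional path / query
)


class Indicator(NamedTuple):
    ip: Optional[str]
    domain: str
    path: Optional[str]


def parse_defanged(text: str) -> List[Indicator]:
    """Return every indicator found in `text`, in order of appearance."""
    found: List[Indicator] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        domain = f"{m['host']}.{m['tld']}".lower()
        found.append(Indicator(m["ip"], domain, m["path"]))
    return found


def domains(indicators: List[Indicator]) -> List[str]:
    """Sorted, de-duplicated domain list, e.g. for a DNS sinkhole."""
    return sorted({i.domain for i in indicators})


def group_by_ip(indicators: List[Indicator]) -> Dict[str, List[str]]:
    """Domains per hosting IP; one IP serving several rogue names is a pivot."""
    groups: Dict[str, List[str]] = {}
    for i in indicators:
        if i.ip:
            groups.setdefault(i.ip, []).append(i.domain)
    return groups


# Sample text copied from the indicator lists in these posts.
SAMPLE = """\
Sites associated:

94.247.3.60 Totalprotect2009 com
94.247.3.61 Securitysolutionsnetworks com

Sites Associated
74.50.119.187 Astrumavr com
74.50.119.187 Astrumavrpro com

The scam scan is at:
antivirus-rapid-scanner  com/360/1/en/_freescan.php?sid=880751
lead-protection com/download/av_360glof.exe
"""

if __name__ == "__main__":
    parsed = parse_defanged(SAMPLE)
    for ind in parsed:
        print(ind)
    print(domains(parsed))
    print(group_by_ip(parsed))
```

The IP is kept as part of each indicator because, as the lists above show, one address (94.247.3.240, 74.50.119.187) often fronts several rogue brands; blocking on the IP catches renamed products that a domain-only list would miss.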

The free trial of VIPRE will clean this.

Alex Eckelberry
(thanks, Patrick Jordan)

The Innovative Marketing saga continues

Fascinating reading here from the FTC complaint.

Highlights:

  • Over 1 million PC users have been scammed by Innovative and its affiliates. At $40 a pop, that’s $40 million in ill-gotten revenue.
  • Forget refunds. According to the FTC, “although some consumers later realize they have been defrauded… and attempt to seek refunds, Defendants routinely delay, obstruct and refuse to honor such requests.”
  • Innovative bought ads generating over 680 million impressions on MyGeek alone (an advertising network, now AdOn.)
  • When faced with complaints from MyGeek about adware vendors not wanting an advertisement to run on their sites, Innovative offered to not display these adware programs as a threat found.
  • MyGeek finally shut down the relationship over complaints. Unable to continue with MyGeek, Innovative created fake ad agencies purporting to represent legitimate companies, and then placed malvertisements (legitimate Flash-based ads that have been compromised to redirect to malware websites, as Sandi Hardmeier has been routinely documenting). This method is what got their ads on mlb.com, nhl.com (remember?), zillow.com, realtor.com and other popular sites.
  • No honor among thieves? Innovative, ironically, is suing father and son Maurice D’Souza and Marc D’Souza over embezzling millions while they worked for Innovative.

Some of the players: Sam Jain, a man with a past, running the show. Daniel Sundin, apparently Jain’s second in command. James Reno, of ByteHosting (check this search also), helping out on the technical aspects. Maurice D’Souza and Marc D’Souza, helping Innovative find credit card processors (difficult, because there were so many chargebacks and complaints). Kristy Ross, who placed the fraudulent ads.

I don’t feel ill will to many people. But with this crew, I hope they rot in prison.

Alex Eckelberry
(Thanks Suzi)