Here’s a great way to while away your New Years Day — watch uber-guru Mark Russinovich’s video on malware detection and cleaning!
Month: December 2006
BoingBoing’s site stats
BoingBoing has its web stats available for public viewing. Some mildly interesting information, including the fact that Firefox readers account for over 50% of their readership (my blog, on the other hand, has about 35% of its readers using Firefox).
BoingBoing is a publication catering to a demographic that biases toward urban zeitgeist/web 2.0 technically literate, more liberal readers, so their stats are not representative of the broad population. However, the stat pages themselves are interesting to browse through as a picture of what a major site experiences.
You can see keyword stats here, other stats here.
Alex Eckelberry
Antispyware domain sells for $550k
Got this tidbit from Larry Seltzer: SpywareBot just bought the domain “antispyware.com” for $550,000.
According to a post today in DomainNameWire:
Afternic has sold AntiSpyware.com for $550,000, making it one of the biggest domain name sales of 2006. The seller of the domain was SpyForce.com, LLC out of Connecticut. The domain’s whois record is now protected by a privacy service so the buyer of the domain is not clear. The domain name is currently resolving to a page offering spyware and adware software.
Link here.
Wow.
Incidentally, while SpywareBot (also marketed under the name AdwareAlert) is not a rogue scam program or trojan in the class of SpySheriff, etc., it is listed on the SpywareWarrior Rogue/Suspect antispyware applications page.
Alex Eckelberry
RSS madness?
Apparently my move to the new blogger may have caused a number of old and new posts to get pushed out. So ignore these if you get them. Sorry for the hassles!
This Blogger upgrade hasn’t been the best experience. Biggest problem is that my favorite blogging program, BlogJet, doesn’t support the new Blogger APIs… so I can’t post from it.
Frustrating.
Alex
Two new rogue antispyware apps
Two new ones…
Spyware Knight
spywareknight(dot)com
SpySoldier
spysoldier(dot)com
Both domains registered through EST Domains.
Complaint about aggressive, deceptive pop-up advertising for both programs here.
Web page advertising both here.
Both have been entered into the CounterSpy database, and both are now listed on the SpywareWarrior Rogue/Suspect Anti-Spyware page here.
These seem related to another rogue, SpywareSheriff— and even the testimonial pages are ripped-off from download.com:
You can see more screenshots of both programs here.
Obviously, please stay clear of these rogue sites and the malware they spawn. If you are infected, the free trial versions of CounterSpy (or the CounterSpy 2.0 beta) should remove them just fine.
Alex Eckelberry
(Credit to Sunbelters Eric Howes and Adam Thomas)
Blogger upgraded
I’ve upgraded to the new Blogger platform. It only took about 8 hours!
Feeds seemed to get a bit funky: I noticed a feed from a year ago got blasted out (why, I have no idea). No, I did not blog about the antispyware coalition today — that was a long time ago.
Now I have to figure out a way to get rid of the Blogger Navbar at the top, which just got dumped in with the upgrade.
Pardon the dust…
Alex Eckelberry
New scam sites
New sites that use fake codecs; the “codecs” they push are DNSChanger trojans.
DNSChanger Codec Sites
216.255.181.155 dvds-access(dot)com
216.255.181.155 site-ticket(dot)net
216.255.186.5 siteticket(dot)net
The following porn sites are foisting off these fake codecs.
Obviously, stay clear of these rogue sites and the malware they spawn. If you are infected, the latest version of CounterSpy (or the CounterSpy 2.0 beta) should remove them just fine.
Patrick Jordan and Alex Eckelberry
Vista cost analysis
Well, quite a read here by Peter Gutmann:
As a user, there is simply no escape. Whether you use Windows Vista, Windows XP, Windows 95, Linux, FreeBSD, OS X, Solaris (on x86), or almost any other OS, Windows content protection will make your hardware more expensive, less reliable, more difficult to program for, more difficult to support, more vulnerable to hostile code, and with more compatibility problems. Because Windows dominates the market and device vendors are unlikely to design and manufacture two different versions of their products, non-Windows users will be paying for Windows Vista content-protection measures in products even if they never run Windows on them.
Link here. Schneier also weighs in.
Alex Eckelberry
(Thanks Francesco)
Scam sites update 12/26/06
Zlob trojans (fake codecs) install a program called pmsngr.exe, which is a fake alert generator.
protectgates(dot)com
protectgates(dot)com/gatevc.php?id=dw04 Opens to virusblast(dot)com/?aid=7
protectgates(dot)com/gatevc.php?id=dw03 Opens to antivirusgolden(dot)com/?aid=1338
protectgates(dot)com/gatevc.php?id=dw02 Opens to malwarewiped(dot)com/?aid=247
protectgates(dot)com/gatevc.php?id=dw01 Opens to pestcapture(dot)com/?advid=177
protectgates(dot)com/gatevc.php Opens to checkssecurity(dot)com/soft/
acegates(dot)com
acegates(dot)com/gatevc.php?pn=srch0p23total7s2 Opens to allsecuritylinks(dot)com/vc/as/sec1-adls/
acegates(dot)com/gatevc.php?pn=srch0p22total7s2 Opens to popup ads errorsafe(dot)com
acegates(dot)com/gatevc.php?pn=srch0p21total7s2 Opens to winantivirus(dot)com
acegates(dot)com/gatevc.php?pn=srch0p20total7s2 Opens to drivecleaner(dot)com
acegates(dot)com/gatevc.php Opens to allsecuritylinks(dot)com/vc/as/sec-14jdklss/
So here’s an updated list of scam sites.
Security scammers:
IP: 85.255.116.214
protectionssoft(dot)com
IP: 85.255.116.214
asafetypage(dot)com
IP: 85.255.116.211
iesecuritytool(dot)com
IP: 85.255.118.212
acegates(dot)com
IP: 85.255.118.212
protectgates(dot)com
Zlob fake codec site:
IP: 85.255.116.251
mediaactivexpage(dot)com
Patrick Jordan and Alex Eckelberry
Hacked version of Dr. Web antivirus used in spam bots… developing…
Not too long ago, we saw a pirated version of Kaspersky Anti-virus being downloaded onto infected machines and used in conjunction with what became known to some as “SpamThru”.
Joe Stewart published a great analysis on this operation:
Anti-Virus Scanning
Like many viruses and trojans, SpamThru attempts to prevent installed anti-virus software from downloading updates by adding entries into the %sysdir%\drivers\etc\hosts file pointing the AV update sites to the localhost address. In the past, we’ve also seen malware which tries to uproot other competing malware on an infected system by killing its processes, removing its registry keys, or setting up mutexes which fool the other malware into thinking it is already running and then exiting at start.

SpamThru takes the game to a new level, actually using an antivirus engine against potential rivals. At startup, SpamThru requests and loads a DLL from the control server. This DLL in turn downloads a pirated copy of Kaspersky AntiVirus for WinGate from the control server into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL in order to avoid having Kaspersky refuse to run due to an invalid or expired license. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation. Any other malware found on the system is then set up to be deleted by Windows at the next reboot.
In other words:
1. The machine is infected with the SpamThru trojan.
2. Antivirus programs are disabled from downloading updates.
3. The SpamThru trojan runs a hacked version of Kaspersky AV to kill off any competitive malware (while making sure that Kaspersky’s product leaves SpamThru alone).
4. SpamThru has a field day using the infected machine to send out spam.
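Step 2 above leaves a trace a defender can check directly: static hosts-file entries for security-vendor update servers, typically pointed at loopback or 0.0.0.0. The following is an added example, not code from this post or from Joe Stewart’s analysis; the protected hostnames and the sample hosts-file contents are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample of a Windows hosts file after the kind of tampering
# described above: AV update hosts pinned to localhost / 0.0.0.0.
# Hostnames are placeholders, not real vendor update servers.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example-av.test
0.0.0.0         liveupdate.example-av.test   # added by malware
192.0.2.10      intranet.corp.test
::1             localhost
"""

# Update servers of the installed security products. Constructed placeholders;
# a real deployment would fill this from the vendor's documentation.
PROTECTED_HOSTS = {
    "update.example-av.test",
    "liveupdate.example-av.test",
    "downloads.example-av.test",
}

def is_sinkhole(addr):
    """True if addr is loopback (127/8, ::1) or the 0.0.0.0 null route,
    i.e. update traffic sent there never leaves the machine."""
    if addr == "0.0.0.0":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def parse_hosts(text):
    """Yield (ip, hostname) pairs; '#' comments and blank lines are skipped,
    and a line with several names yields one pair per name."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        for name in parts[1:]:
            yield parts[0], name.lower()

def find_hijacked(text, protected=PROTECTED_HOSTS):
    """Return {hostname: reason} for protected hosts the file overrides.

    The hosts file should not mention update servers at all, so any entry
    is suspicious; loopback/null-route targets are the classic
    update-blocking pattern and are reported as 'sinkhole', anything else
    as 'redirect:<ip>'.
    """
    findings = {}
    for ip, name in parse_hosts(text):
        if name in protected:
            findings[name] = "sinkhole" if is_sinkhole(ip) else "redirect:" + ip
    return findings

if __name__ == "__main__":
    for host, why in sorted(find_hijacked(SAMPLE_HOSTS).items()):
        print(f"{host}: {why}")
```

On a live Windows host the text would come from %SystemRoot%\System32\drivers\etc\hosts; reading it requires no special privileges, so the check fits in a scheduled script.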
Now, it might appear that a rival group to SpamThru is striking back (we have no proof of that claim, but we are not seeing SpamThru associated with this new piece of malware). Only these guys are using Dr. Web antivirus instead of Kaspersky.
Some pictures . . . Scanner working:
Key File. Registered to Pupkin Petr?
Rar.exe unpacking the av.rar archive
Scanner in action . . . In “real life”, it runs silently in the background:
Adam Thomas and Alex Eckelberry
Not-so-funny “Funny Christmas Video” spam
One of our malware researchers, Francesco, just wrote about a spam email requesting a download of a nasty fake codec.
A new “Italian only” targeted attack targets users, posing as new codecs. These were spammed via e-mail as “funny Christmas videos” that required the user to download a fake codec.
Once downloaded and installed, it displays a popup saying “sorry, compatible only with Windows Vista”, but unfortunately the trojan is installed already. Propagation is automatic, meaning an infected person automatically sends the same spam to the people in his contacts list (who might in turn think it’s authentic since a “friend” sent it).
While the scripted pages prevent being reached outside Italy (displaying a custom 500 internal server error), the files can be downloaded for analysis.
hxxp://www.newcodecscentral(dot)biz/codec_install.exe
hxxp://www.videocardcodecs(dot)biz/install.exe
hxxp://www.videocodecs(dot)biz/codec_installer.exe
Obviously, stay clear of these dangerous trojans.
Antivirus coverage is very weak on this new trojan, as can be seen here, here and here.
Alex Eckelberry
Aviv responds
Aviv Raff and I have been going back and forth a bit on my blog post on the “non-exploit exploit”. You’ll recall I was skeptical about his post about a new Internet Explorer “exploit”, feeling that it really wasn’t a major issue. He’s a good guy and I respect him and I’m going to try and give him a fair shake here.
His response, with my comments:
1) Nowhere in my post do I write that this vulnerability alone may allow a full remote code execution with no user interaction (like the WMF vuln).
That’s true, but you did start all this off with an alarming post entitled “Internet Explorer 7 – Still Spyware Writers Heaven”.
2) The post headline is just the name of the vulnerability with a mention that I’m going to provide a proof-of-concept exploit. Nothing scary in that 🙂
Ok, Aviv, you have a point. I didn’t make it clear in my first blog post (since corrected) that my comment about your “scaring people” had to do with the naming of your first post (see above).
3) There are some ways of a file to get on the user’s system which will not require full write access. For example: http://www.symantec.com/avcenter/attack_sigs/s21235.html . Now, save this file on the user’s desktop as one of the DLL files, and you have made a remote code execution.
I would argue that this is more of a social engineering issue than an exploit. It’s a design bug, but still requires user interaction.
Aviv made a valid follow-up comment — “I think we have a semantic problem here. You refer to “exploit” as any “remote code execution without user interaction exploit”. What I refer to as an “exploit” is (according to Wikipedia): ‘In computer security, an exploit is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability’. I agree that this vulnerability is not critical, but the code I published is still an exploit.”
Yes, I agree with that definition, but it’s all about context here. So he continues to say “Microsoft usually refers to vulnerabilities as critical only if they may allow remote code execution. I still think this is critical enough for them to fix this issue on the Windows XP version.”
Right, I agree with Microsoft in this case — a critical vulnerability is one which allows remote code execution.
In other words, something like WMF, SetSlice and the daxctle exploit — all of which we have seen as ways for crackers to gain access to a system without any user acceptance, are critical exploits. The “exploit” that Aviv writes about requires a user to proactively acknowledge and accept (and run) a download. It may be bad, but it’s not nearly as critical as one might be led to believe.
4) Many spywares are using the startup folders/reg keys as a way of loading themselves again when the victim restarts the machine. Security products (like yours) look for changes in those folders/reg keys. This vulnerability is another way for an attacker to load his malicious code and bypass this detection.
Not entirely: if there is a signature generated for the rogue DLL (just like any other piece of malware), we’ll catch it, as will many other security products, regardless of where it loads. Aviv responds by saying “I agree, but then why do you have a generic startup folder/reg key changes detection mechanism? All I’m saying is that if this issue is not going to be fixed in XP by Microsoft, the security vendors should consider adding a detection for this kind of threat.” He went on to add that “AV signatures are used to detect known threats. Behavioral heuristic engines (e.g. startup folders/reg keys changes detection) are usually used to detect unknown threats.”
He also points out that Microsoft has said they’ll fix this on future OS releases, and that he’s tested IE7 on Windows Vista RTM, and it does not have this vulnerability.
I think Aviv was right to write about this issue and it should be fixed. My problem has been with attaching any sense of alarmism to something which is really not a major issue — there are other bigger fish to fry out there. It goes back to the fundamental illogic: In order for this vulnerability to be exploited, the remote attacker will have to get something (by permission) on a person’s machine in the first place. Apparently, I’m not the only one who has this opinion.
Alex Eckelberry
A plethora of porn — and fake codecs
Our good friend Chris Boyd (aka Paperghost) found a site with massive amounts of porn videos, foisting off fake codecs which are actually zlob trojans coming from objectactivex(dot)com. It also tries to make itself look like YouTube, calling itself AdultTuba.
Check out the screenshots that Chris was kind enough to share with us (with the nasty stuff blacked-out):
So just what is this site? It’s called dreamsexy(dot)info.
As Patrick discovered after a little digging around, these guys have been spamming forums with bestpornvideosonline(dot)info, which redirects to dreamsexy(dot)info. You can see this from this Google search (don’t click on the links inside the search, please).
It goes without saying that you should stay clear of this site and the malware it spawns.
And mad props to PaperGhost.
Alex Eckelberry and Patrick Jordan
New security scam site — securityplugins
RSS readers: SunbeltBlog on Feedburner
If you’re reading this blog through the atom.xml link, do me a favor and move to our Feedburner link, which is http://feeds.feedburner.com/SunbeltBlog.
I’ve had it up on Feedburner for a while, and I’m comfortable enough now to try and migrate as many readers over to this platform.
Thanks,
Alex Eckelberry
The non-exploit exploit
Aviv Raff is a smart guy and I respect his work. But he does seem to be making a mountain out of a wee molehill.
Back in November, he wrote an alarming blog post entitled “Internet Explorer 7 – Still Spyware Writers Heaven”, which made the argument that there’s an “exploit” in IE 7 because when IE loads DLLs, it does not provide the full path to some. When IE can’t find the DLL, Windows will search for a DLL with the same name. Hence, a malware author could replace a legitimate DLL with a naughty DLL.
His blog post elicited some light discussion on various security lists, but that was about all I saw about it. However, today he came out again on this subject, with proof of concept code for this “exploit”.
Now, I wouldn’t have paid much attention to this, except that in his original post, Aviv used a really scary headline, which I really don’t think was warranted. I’ve seen my fair share of crap-in-your-pants exploits. This is not one of them.
Remember that in order for a rogue DLL to get on a system, the malware author would need to have full write access to the system. It’s also not trivial to write such a DLL.
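One defender-side check for the search-order behaviour described above, added here as an example (not code from this post, from Aviv Raff, or from Microsoft): given the DLL names an application requests by bare name, walk the documented Windows search order and report any that resolve from a user-writable directory or that resolve nowhere. The directory layout and DLL names are constructed placeholders built in a temporary directory so the script runs anywhere.

```python
import os
import tempfile

def resolve_dll(name, search_path):
    """Return the first directory in `search_path` that holds `name`
    (Windows file names are case-insensitive), or None if none does."""
    for directory in search_path:
        if not os.path.isdir(directory):
            continue
        for entry in os.listdir(directory):
            if entry.lower() == name.lower():
                return directory
    return None

def audit_unqualified_loads(dll_names, search_path, writable_dirs):
    """Classify each DLL an application loads by bare name.

    'trusted' - resolves from a directory ordinary users cannot write to
    'planted' - resolves from a user-writable directory on the search path
    'missing' - resolves nowhere; this is the case the post describes,
                where a same-named file in a writable directory would load
    Returns {dll_name: (status, directory_or_None)}.
    """
    writable = {os.path.normcase(d) for d in writable_dirs}
    report = {}
    for name in dll_names:
        where = resolve_dll(name, search_path)
        if where is None:
            report[name] = ("missing", None)
        elif os.path.normcase(where) in writable:
            report[name] = ("planted", where)
        else:
            report[name] = ("trusted", where)
    return report

def build_demo_layout(root):
    """Constructed stand-in for a Windows host. The list order follows the
    documented search order with SafeDllSearchMode on (abbreviated):
    application directory, System32, current directory, then PATH entries."""
    app_dir = os.path.join(root, "Program Files", "App")
    sys_dir = os.path.join(root, "Windows", "System32")
    desktop = os.path.join(root, "Users", "me", "Desktop")   # current directory
    path_dir = os.path.join(root, "Users", "me", "bin")      # user-controlled PATH entry
    for d in (app_dir, sys_dir, desktop, path_dir):
        os.makedirs(d)
    open(os.path.join(sys_dir, "shipped.dll"), "w").close()
    open(os.path.join(desktop, "Shipped.dll"), "w").close()   # harmless: System32 copy wins
    open(os.path.join(path_dir, "optional.dll"), "w").close() # not in System32: this one loads
    return [app_dir, sys_dir, desktop, path_dir], [desktop, path_dir]

def demo():
    """Run the audit against the constructed layout."""
    with tempfile.TemporaryDirectory() as root:
        search_path, writable = build_demo_layout(root)
        return audit_unqualified_loads(
            ["shipped.dll", "optional.dll", "never_installed.dll"],
            search_path, writable)

if __name__ == "__main__":
    for dll, (status, where) in demo().items():
        print(f"{dll}: {status} {where or ''}")
```

On a real host the list of bare-name loads comes from a tool such as Process Monitor, and the writable set is whatever directories the logged-on user can write to.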
Now, the following argument could be made: “Alex, you moron: a trojan could get installed on a person’s machine, which would have as its payload this rogue DLL”. Yes, that’s true. But how is that different than any other malware? How the hell did the trojan get on the person’s machine in the first place? The user had to allow it to get in. Heck, if the malware author can get a trojan on a machine, why not have that be the nasty bugger which ruins your life? Do you see the illogic here?
In other words, this is not like the infamous WMF exploit, which blasted a hole right into a user’s system by simply visiting a website.
I’ve been exchanging emails with Rob Franco (a good guy btw) on the IE team, who said “the reason that this behavior isn’t a “security vulnerability”, is that Aviv [Raff] needs to already have write access to your system to get his code to run the way that he describes…I doubt that this will ever become a spyware writer’s “weapon of choice” because frankly, coding a rogue system DLL from scratch is probably one of the harder ways I can imagine for a bad guy to get their code running.”
Rob agrees with Raff that security vendors need to keep a lookout for these types of threats, adding that “at the same time, spyware-scanners should probably keep a lookout for suspicious DLLs as there’s no end to the creativity of attackers.”
I’m sure this minor bug will be fixed in an update in the near future. In the meantime, as always, continue to practice good basic security habits.
Alex Eckelberry
I hate bullies
Keep in mind that the RIAA is still up to its jackboot bullying tactics. Here’s the story: A mother of 5 pushes back against the RIAA, so they drop the suit, only to turn around and go after the kids.
The five companies suing Santangelo, of Wappingers Falls, filed a motion Tuesday in federal court in White Plains asking Judge Colleen McMahon to dismiss the case. Their lead counsel, Richard Gabriel, wrote in court papers that the record companies still believe they could win damages against Santangelo but their preference was to “pursue defendant’s children.”
Santangelo’s lawyer, Jordan Glass, said the dismissal bid “shows defendants can stand up to powerful plaintiffs.” He noted, however, that the companies were seeking a dismissal “without prejudice,” meaning they could bring the action again, “so I’m not sure what that’s worth.”
Link here (via boingboing).
I’m all for protecting IP (heck, I make my living off of IP), but can’t the RIAA figure out how this stupid and vicious campaign is hurting them? What a PR fiasco. And what a bunch of idiots.
Alex Eckelberry
More scam sites — 12/20/2006
New Zlob trojan fake codec sites
IP: 85.255.116.254
objectactivex(dot)com
IP: 85.255.116.253
imagemediaobject(dot)com
IP: 69.50.188.105
activexsource(dot)com
Bonus! Another sleazy security scammer:
IP: 85.255.116.212
topsecuritypage(dot)com
Obviously, please stay clear of these rogue sites and the malware they spawn. If you are infected, the latest version of CounterSpy (or the CounterSpy 2.0 beta) should remove them just fine.
Patrick Jordan and Alex Eckelberry
A techie Charlie Brown Christmas tree
Here’s what to get your boss for Christmas: A Charlie Brown Christmas Tree. In this case, a techie Charlie Brown Christmas Tree. A gift to one of our VPs from some folks in his department.
Yes, we have entirely too much fun here.
Alex Eckelberry
* A “Charlie Brown Christmas Tree” is a reference to the pathetic tree that Charlie Brown had in the old TV show back in the 60s.
Big happy scam party
More fun scam sites touting fake codecs and the like.
New Zlob trojan fake codec sites
IP: 217.107.218.241
vaxcodec(dot)com
IP: 85.255.116.252
mediaobjectguide(dot)com
IP: 85.255.118.212
allsecuritylinks(dot)com
IP: 85.255.118.212
alltruesoftware(dot)com
New Trojan.DNSChanger (rootkit) sites:
As you can see from our “chiclets” style graphics layout below, a number of these sites are virtually identical, except for a different name.
Obviously, please stay clear of these rogue sites and the malware they spawn. If you are infected, the latest version of CounterSpy (or the CounterSpy 2.0 beta) should remove them just fine.
Patrick Jordan and Alex Eckelberry
(With an additional hat tip to Suzi Turner)