Month: November 2007
USAID site hacked, serving porn
Example Google search:
(Thumbnailed due to graphic content)
The links point to a fake codec page which attempts to get the user to install a Zlob Trojan:
Patrick Jordan
Sunbelt Malware Research Team
Dwindling Spiral: The increasingly degraded practices of Adult Friend Finder
As a follow-up to my recent post about AFF, we now see them using video hard core porn to lure more subscribers.
While AFF has allegedly used fake pictures of porn stars in the past to promote their site, this is a video clip of hard core porn that plays as an ad — something that is new.
And AFF is getting aggressive on subscriber acquisition, which they’ve made clear to their affiliates:
Reminder: Medley is giving an extra $20,000 to the affiliates with the biggest signup increase for the last two weeks of November (Nov 18 – Dec 1) vs the first two weeks (Nov 4 – Nov 17th). All FriendFinder affiliates with accounts older than one month are eligible. Signup increases will be measured by combined signups on Adult FriendFinder, Cams.com, ALT.com, OutPersonals.com, FriendFinder.com, and our newest hit: MillionaireMate.com. The top increasing affiliate will receive $10k, the 2nd place affiliate $2k, and the next 8 affiliates will each receive $1k.
But we’re not done yet. We are running a 10% bonus for November. To qualify, all you need to do is earn more in November than you did in September and October (whichever had the highest daily average earnings) and we’ll add 10% to your November earnings.*
I hope the alleged buyer of AFF knows what they’re getting into….
Alex Eckelberry
(Thanks, Patrick Jordan)
Insurance companies just take the fun out of everything
Four new rogue antispyware programs
4 new rogues of the SpywareNo/Spysheriff/MalwareAlarm Family
1. Site: dr-protection(dot)com
Listed in the CounterSpy database as DrProtection
2. Site: guard-center(dot)com
Listed in the CounterSpy database as GuardCenter
3. Site: liveantispy(dot)com
Listed in the CounterSpy database as LiveAntiSpy
4. Site: online-guard(dot)net
Listed in the CounterSpy database as OnlineGuard
Patrick Jordan
Sunbelt Software Malware Research
Another reason why Firefox really is safer than IE
Not the first time I’ve noticed this — IE 7 is really behind on tagging phish. It’s a real shame, too — I know people on the IE team, and I know they mean well and work hard. But something’s not working right in the system. And IE 7 certainly needs the protection with the amount of users running it.
Same phish, at the same time:
And in IE 7, if you want to report a web forgery, you have to go through a two-step process and an incredibly painful CAPTCHA (which even I stumble over when trying to enter):
I know why Microsoft is slower than Firefox in tagging websites — with the market share they have, they have to be more careful about showing a site as bad. But I believe that a few false positives are well worth the benefit of saving people from phishing and fraudulent websites.
Microsoft — Go for it. Be aggressive.
(And yes, I know this is a completely unscientific observation.)
Alex Eckelberry
Porn back on ca.gov site? Oh, this is not good
Update 11/29: As of this evening, the links are gone. All clear… that was fast.
Update 12/1: As of the morning of 12/1, the porn links are back.
Update 12/1: As of 4 pm EDT, the porn links are gone. I’m getting tired of checking this.
Remember that incident a while back where we discovered massive amounts of porn hosted by the Transportation Authority of Marin? It resulted in a federal shutdown of the entire state’s Internet and email service.
Incredibly, it’s back. Same site, same everything. Take a look at this Google search result (thumbnailed due to offensive content):
Clicking those links lands you on a page which pushes a fake codec (malware):
So, does this mean that the feds will shutdown teh internets again?
Alex Eckelberry
(thanks Patrick Jordan)
new fake codec: vplprocedure
We’re probably a little late on this, but we’ve been a wee bit busy. Anyway, the site is vplprocedure(dot)com. Sample binary vplprocedure(dot)com/download.php?id=1058. And please — don’t touch this Trojan unless you know what you’re doing.
Alex Eckelberry
(Thanks Patrick Jordan)
HEADS UP: More Google poisoning on the way?
Google has removed the sites responsible for the recent massive Google poisoning attack.
However, we’re seeing indications that another attack may be on the way. We have seen another spate of freshly registered websites, using similar .cn domains. There seem to be two different groups here.
As an example, a simple search of “funny drunk quote site:cn” pulls up the following results:
Notice the pattern? Large amount of fresh .cn domains, with numbered html pages.
However, there are apparently two different groups at work here. One we’ll call Type 1 — which appears to be the same group involved in the prior poisoning. And the other, we’ll call Type 2 (sorry, not very original, but we’re working fast here).
Type 1 shows this style of page, and it looks like it’s coming from the same group that was involved in the recent Google poisoning:
On exiting the page, you get pushed to install Spy-shredder, a rogue antispyware program.
Even if “cancel” is pressed, you still get a fake scanning page.
Nothing unusual there.
(You can see an example page source of Type 1 by looking at this dump.)
Type 2 is different, and simply shows users a site which is trying to generate traffic (for the purposes of getting affiliate commissions):
Again, freshly registered stuff. You can see an example page source of Type 2 by looking at this dump.
Right now, we’re not seeing either site serve exploits, as we saw in the last attack. However, this could change.
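The pattern called out above (a cluster of freshly registered .cn domains serving numbered .html pages) can be turned into a simple triage check. The following Python is an added example, not code from the original post or from Sunbelt: it takes a list of search-result URLs together with a domain age in days (in practice that would come from a WHOIS lookup; here the ages are constructed so the script runs offline), flags results matching the pattern, and reports TLDs where several distinct fresh domains cluster together. The sample domains and ages are made up for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: (result URL, days since the domain was registered).
# The .cn hosts are placeholders, not the domains from the attack.
SAMPLE_RESULTS = [
    ("http://aaaaaaaa.cn/12.html", 3),
    ("http://bbbbbbbb.cn/769.html", 2),
    ("http://cccccccc.cn/1058.html", 5),
    ("http://dddddddd.cn/33.html", 4),
    ("http://example.cn/about.html", 900),                  # old domain, descriptive path
    ("http://forum.example.org/threads/drunk-quotes-12.html", 2000),
    ("http://example.com/jokes/", 3000),
]

# Path made only of digits plus .htm/.html, e.g. /769.html
NUMBERED_PAGE = re.compile(r"^/\d+\.html?$")


def is_suspicious(url, age_days, tlds=(".cn",), max_age_days=30):
    """True when a result matches the pattern described in the post:
    a recently registered domain in a watched TLD serving a numbered page."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    return (host.endswith(tlds)
            and age_days <= max_age_days
            and NUMBERED_PAGE.match(parts.path) is not None)


def flag_results(results, min_cluster=3, **kwargs):
    """Return (flagged URLs, {tld: sorted fresh hosts}) for TLDs where at
    least min_cluster distinct suspicious domains appear in one result set."""
    hits = [url for url, age in results if is_suspicious(url, age, **kwargs)]
    hosts_by_tld = defaultdict(set)
    for url in hits:
        host = urlparse(url).hostname.lower()
        hosts_by_tld[host[host.rfind("."):]].add(host)
    campaigns = {tld: sorted(hosts) for tld, hosts in hosts_by_tld.items()
                 if len(hosts) >= min_cluster}
    return hits, campaigns


if __name__ == "__main__":
    flagged, clusters = flag_results(SAMPLE_RESULTS)
    for url in flagged:
        print("suspicious:", url)
    for tld, hosts in clusters.items():
        print(f"cluster in {tld}: {len(hosts)} fresh domains with numbered pages")
```

The age threshold and TLD list are deliberately parameters: the same check applies to any TLD a campaign happens to favour, and the cluster size is what separates a campaign from a single odd result.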
Alex Eckelberry and Adam Thomas
New fake codec — Windows and Mac — codechq
A new fake codec: codechq(dot)net.
Pushes both Windows and Mac TrojanDNSChanger. Sample binaries: Mac: codechq(dot)net/download/codechq(dot)dmg; Windows: codechq(dot)net/download/codechq(dot)exe. If you are hunting for Mac fake codecs, remember to change your user agent to a Mac. And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.
Alex Eckelberry
(Thanks Bharath)
More on the massive SEO poisoning — it was targeted at Google. And it was more crafty than we thought.
As a follow-up to our recent posts, here’s some additional information.
First, we can ring the all-clear bell. Google took action on these domains and you won’t find them anymore in Google.
However, check out this javascript:
(source: cxsjrkelgvjs(dot)cn/gopnikovnet(dot)js << malware site)
So, if you use search terms like “inurl” and “site”, you won’t see these malware pages in your results. Clever, since that’s one way for malware researchers to find stuff (I recently wrote an article on this subject for VirusBulletin). And it only cares if you’re coming from Google.
Quite interesting.
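The behaviour described above, a script that keys off the Google referrer and stays quiet when researcher-style search operators appear in it, leaves recognisable traces in page source. The Python below is an added example, not the script from the malware site or Sunbelt code: it scans a page’s JavaScript for the combination of indicators that characterises this kind of referrer cloaking (reading document.referrer, testing it for a search engine and for search operators, then redirecting). The two embedded scripts are constructed to model the described behaviour and a benign referrer tracker; the redirect target is a placeholder.

```python
import re

# Constructed sample modelled on the behaviour the post describes: redirect only
# when the visitor came from Google and the query contains no research operators.
# Not the original script; the destination is a placeholder.
SAMPLE_CLOAKING_JS = """
var r = document.referrer.toLowerCase();
if (r.indexOf('google.') != -1 && r.indexOf('inurl') == -1 && r.indexOf('site%3a') == -1) {
    window.location = 'http://EXAMPLE-REDIRECT.invalid/go.php';
}
"""

# Constructed benign script: reads the referrer for analytics, never redirects.
SAMPLE_BENIGN_JS = """
if (document.referrer) { trackReferrer(document.referrer); }
"""

INDICATORS = {
    # Script looks at where the visitor came from.
    "reads_referrer": re.compile(r"document\.referrer", re.I),
    # ...and checks for a search engine in that referrer.
    "checks_search_engine": re.compile(r"google\.|yahoo\.|live\.com|msn\.", re.I),
    # ...and for operators researchers use (site: may arrive URL-encoded as site%3a).
    "checks_search_operators": re.compile(
        r"inurl|intitle|intext|filetype|site(?::|%3a)", re.I),
    # ...and can send the browser elsewhere.
    "redirects": re.compile(
        r"(?:window\.|document\.|top\.)?location(?:\.href|\.replace)?\s*(?:=|\()", re.I),
}

# Referrer use plus operator filtering plus a redirect is the cloaking signature;
# the search-engine check is reported but not required.
REQUIRED = {"reads_referrer", "checks_search_operators", "redirects"}


def cloaking_indicators(js_text):
    """Return the set of indicator names present in a script body."""
    return {name for name, rx in INDICATORS.items() if rx.search(js_text)}


def looks_like_cloaking(js_text):
    """True when every required cloaking indicator is present."""
    return REQUIRED <= cloaking_indicators(js_text)


if __name__ == "__main__":
    for label, js in (("sample", SAMPLE_CLOAKING_JS), ("benign", SAMPLE_BENIGN_JS)):
        print(label, sorted(cloaking_indicators(js)), "cloaking" if looks_like_cloaking(js) else "ok")
```

This is a heuristic, so it is meant to prioritise pages for a human look rather than to block on its own; obfuscated scripts would need to be decoded first, and the operator list should track whatever operators your own research queries use.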
Alex Eckelberry
(Thanks to Sunbelt researchers Adam Thomas and Francesco Benedini)
New trend? Gromozon being installed as a rogue security app
Here’s a first — the Italian Gromozon, one of the nastiest pieces of malware in creation, being pushed in disguised form as a rogue antispyware security app.
(This same page also installs Malwarealarm, but through a different file.)
Incidentally, it’s also the first time we’ve seen Gromozon delivered not through an exploit but through social engineering.
VirusTotal results here.
Alex Eckelberry
(Credit to Sunbelt researcher Francesco Benedini)
Malware redirects: The aftermath
Hi all, Adam Thomas here from the Malware Research Team. I just wanted to post a follow up to our blog post yesterday regarding malware redirects from search engine results.
Sunbelt Software has uncovered tens of thousands of individual pages that have been meticulously created with the goal of obtaining high search engine ranking. Just about any search term you can think of can be found in these pages.
For example, the image below shows one page that focuses heavily on searches including the word “infinity”.
This example shows hundreds of search terms for “hospice”. Pretty sick.
For months now, our Research Team has monitored a network of bots whose sole purpose is to post spam links and relevant keywords into online forms (typically comment forms and bulletin board forums). This network, combined with thousands of pages such as the two seen above, has given the attackers very good (if not top) search engine position for various search terms.
In our previous post, we mentioned that the malicious pages also contained an IFRAME link which would attempt to exploit vulnerable systems. If you were unlucky enough to run across one of these links while surfing with a vulnerable system, you would become infected with a family of malware that we call Scam.Iwin. With Scam.Iwin, the victim’s computer is used to generate income for the attacker in a pay-per-click affiliate program by transmitting false clicks to the attacker’s URLs without the user’s knowledge. The infected Scam.Iwin files are not ordinarily visible to the user. The files are executed and run silently in the background when the user starts the computer and/or connects to the internet.
Scam.Iwin is also used to load malware for other groups. In this case, one of those malware groups is known to have been associated with the infamous RBN (Russian Business Network).
Links loaded by Scam.Iwin:
So far we have observed the following malware being installed:
Trojan.Crypt.XPACK.Gen
Trojan-Downloader.Small.AAGX
Trojan-Downloader.Win32.Agent.ev
Trojan-Downloader.Win32.Agent.bnm
Trojan-Downloader.Win32.Agent.eus
Trojan-Downloader.Gen
Trojan-Downloader.Win32.Obfuscated.n
Trojan-Downloader.Win32.Small.ddx
Trojan-Downloader.Win32.Small.cib
Trojan-Proxy.Win32.Xorpix.Fam
Trojan.DNSChanger.Gen
Trojan.Win32.Patched.q
Trojan.Rawlam.C
Trojan.FakeAlert
Trojan.SpamThru (Spam-Bot)
Trojan.Netview (Information Stealer)
Trojan-Downloader.Win32.BHO.bt
Trojan.Win32.Pakes.bqt
Scam.Iwin
Dialer.Win32.GBDialer.i (v)
Backdoor.Rustock (spam-bot)
Trojan.Srizbi
Trojan-PWS.Win32.Bzub.gen (Information stealer)
Backdoor.Win32.Small.lu (Information Stealer)
Awola (Rogue Security Program)
Ultimate SecuritySuite (Rogue Security Program)
If your system was not vulnerable (i.e. your system is fully up-to-date with the latest patches), and you were duped into installing the “ActiveX Upgrade”, then you might simply be left with a toolbar installed into Internet Explorer as well as some pesky pop-up advertising for Rogue Security Software.
Of course, the team over at Google has been notified of this. Other search engine companies are welcome to contact us for more information.
Oh, what a tangled web we do weave . . .
Adam
BREAKING: Massive amounts of malware redirects in searches
We’re seeing a large amount of seeded search results which lead to malware sites.
These are using common, innocent terms — one researcher landed on a malware site through searching for alternate firmware for a router.
For example, this search for “netgear ProSafe DD-WRT” yields these results:
That site, luewusxrijke(dot)cn/769(dot)html, redirects to another site which pushes a fake codec (malware) and attempts to exploit vulnerable systems:
This IFRAME leads to additional malware installs:
These malware distributors are using keywords to lure people into their sites (some example search terms here — PDF).
Some more examples, on innocent search terms.
Clicking on these links will expose the user to exploits which will infect a vulnerable system (in other words, a system that is not fully up-to-date with the latest patches).
Alex Eckelberry
(Thanks Adam Thomas)
Another new fake codec — Windows and Mac
A new fake codec: codecvip(dot)com.
Pushes both Windows and Mac TrojanDNSChanger.
Sample binaries: Mac: codecvip(dot)com/download/codecvip(dot)dmg; Windows: codecvip(dot)com/download/codecvip(dot)exe. If you are hunting for Mac fake codecs, remember to change your user agent to a Mac. And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.
Alex Eckelberry
(Thanks Bharath)
A clarification
Paul Andreason made a comment about Adult Friend Finder (AFF) that has been misconstrued by a large number of folks, resulting in some hate mail. This was exacerbated by a subsequent blog post I made about AFF, where I pointed out comment spam (not his). In the screen shot (since changed), Paul’s comment was next to the comment spammers — possibly leading people to believe he was on the side of AFF.
Paul does not support AFF in any way. As he puts it, “I was trying to point out that money was the reason they did that, and that morals and money don’t coexist in today’s world.”
Hopefully that sorts things out and he stops getting hate mail 😉
Alex Eckelberry
Here’s a turkey for you: Another fake codec site
Pushes both Windows and Mac TrojanDNSChanger.
Sample binaries: Mac: ultrahqcodec(dot)com/download/playcodec1123(dot)dmg; Windows: ultrahqcodec(dot)com/download/playcodec1123(dot)exe. If you are hunting for Mac fake codecs, remember to change your user agent to a Mac. And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.
Alex Eckelberry
(Thanks Adam Thomas)
Irony: Truly, they have no shame
My recent blog post on Adult Friend Finder, critical of the company’s spamming methods, attracted some attention: Of a comment spammer.
Apparently from an affiliate, the Adult Friend Finder link points to medimenia.com and the homepage link points to ourfriendfinder.com. I’ve edited the links so that they are no longer live — why help these slimeballs?
Alex Eckelberry
Why I need to up my life insurance plan
Sandy, in our sales department, is pursuing his dream of becoming a helicopter pilot.
Unfortunately for us, he has taken to buzzing the Sunbelt building during his training sessions. Waving happily as he goes by, we all sit mute in terror as this neophyte pilot flies by.
Dan, our webmaster, took a shot of Sandy doing a fly-by.
Pray for us.
Alex Eckelberry
Example of a money transfer scam site: usps-mailcorp
Other sites on the same IP one might consider avoiding are:
Cigs4you.info
D101b.com
Estrel-logistics.com
Fethard-best.com
Fresh-film.net
Gp-eurocapital.com
Hack-off.info
Ihos.info
Intway587.com
Lskdfjlerjvm.com
Media-content.biz
Online-traffeng.com
Pin-l-games.com
Piterseo.com
Prestra.com
Prestra.net
Qadro.net
Qwert285.com
Referatoff.info
Serbitoname.info
Serd158.com
Trafagon.net
Unistream-shipping.com
Usps-mailcorp.com
Vermont-trust.com
Xolodilnikov.net
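Lists like the one above, and the defanged names used throughout these posts (vplprocedure(dot)com, codechq(dot)net), only become useful once they are normalised into a form a filter can match. The Python below is an added example, not Sunbelt code: it refangs the common defanging conventions ((dot), [dot], [.], hxxp://), reduces each indicator to a lowercase registrable hostname, and checks whether a URL’s host or any parent domain appears on the resulting blocklist. The indicator list is constructed from names that appear in the posts plus one placeholder path; the matching logic is the example’s own.

```python
import re
from urllib.parse import urlparse

# Constructed indicator list in the defanged style the posts use. The names are
# taken from the posts above; the download path is the one quoted for vplprocedure.
RAW_INDICATORS = [
    "vplprocedure(dot)com/download.php?id=1058",
    "codechq(dot)net",
    "hxxp://usps-mailcorp[.]com/",
    "Unistream-shipping.com",
    "Xolodilnikov.net.",          # trailing dot, as sometimes seen in DNS logs
]

# Tokens that stand in for "." in defanged text.
DOT_TOKENS = re.compile(r"\(dot\)|\[dot\]|\{dot\}|\[\.\]|\(\.\)", re.I)


def refang(text):
    """Turn a defanged indicator back into a literal hostname or URL string."""
    s = DOT_TOKENS.sub(".", text.strip())
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)


def host_of(indicator):
    """Extract the lowercase hostname from a (possibly defanged) URL or bare host."""
    s = refang(indicator)
    if "://" not in s:
        s = "http://" + s          # let urlparse split host from path/query
    host = urlparse(s).hostname or ""
    return host.rstrip(".").lower()


def build_blocklist(indicators):
    """Set of normalised hostnames from a list of raw indicators."""
    return {host_of(i) for i in indicators if host_of(i)}


def is_blocked(url, blocklist):
    """True if the URL's host, or any parent domain of it, is on the blocklist,
    so www.codechq.net is caught by a codechq.net entry."""
    labels = host_of(url).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


if __name__ == "__main__":
    blocklist = build_blocklist(RAW_INDICATORS)
    print(sorted(blocklist))
    for u in ("http://www.codechq.net/download/codechq.dmg", "https://example.org/"):
        print(u, "BLOCKED" if is_blocked(u, blocklist) else "ok")
```

Parent-domain matching is the right default for a blocklist built from hostnames, but it also means an entry should never be a bare TLD or a shared hosting domain, or everything under it gets blocked.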
Patrick Jordan