Scam alert: “Celebrity Sexy Teeth”

Normally, I write about malware scams.  However, I have been seeing quite a few ads recently along the lines of “Teeth Whiteners Exposed”.  Curious, my scam radar started going off.  I know a fair amount about internet marketing and affiliate channels, and started digging a bit.

“Celebrity Sexy Teeth” purports to provide amazing benefits in whitening teeth (as it “works with both the inner and outer enamel” and the weird statement that a “combination of key ingredients are amazingly effective at drawing hydrogen peroxide in to the tiny pores of your teeth to whiten both the outer layer of enamel for immediately noticeable whiter teeth, and the inner layers of enamel for long lasting results”).

Pushed through affiliate sites such as best-teeth-whitening.com (these fake review sites easily fool people), running ads promising to show “Teeth Whiteners Exposed”, the company is making money off of a product that is quite likely… snake oil.

A search on the product’s name reveals significant dissatisfaction, such as “It doesn’t work and when I opened it the stuff came bubbling out making a mess and wasting a lot of it.”, “I’ve been using it for more than two weeks, haven’t noticed any difference at all. I’m going to try to send it back, hopefully they’ll uphold their guarantee.”, “I tried it exactly as directed. Completely useless, no result whatsoever”, “This product is a scam, total ripoff. I paid $50.00 for this crap and I couldn’t see any difference after using.” and so on (although I did find one positive review, against an overwhelming negative stream of user comments).

A dental group on Google Groups discusses the product with skepticism, as one reader even notes that the first ingredient listed is Propylene Glycol (antifreeze).

A site with real user reviews shows similar issues.  Of course, blogs that likely make affiliate commissions tout the product’s benefits.

So what does the BBB say? Errr… Nothing good.  The company behind this product is Ionoline, which the BBB gives fails here (for Celebrity Sexy Lips) and here (for some other service called “GetWired”).  They also have launched a new product, Celebrity Sexy Body (the female fat burner!). 

There are plenty of solutions if you’re looking for such a product, including the cheapest — Hydrogen Peroxide. 

But certainly, I would stay clear of this one. 

Alex Eckelberry

Case study on keyloggers and drop zones

Thorsten Holz, one of our partners in our Sunbelt CWSandbox, has published a good paper on the underground economy.

We study an active underground economy that trades stolen digital credentials. We present a method with which it is possible to directly analyze the amount of data harvested through these types of attacks in a highly automated fashion. We exemplify this method by applying it to keylogger-based stealing of credentials via dropzones, anonymous collection points of illicitly collected data. Based on the collected data from more than 70 dropzones, we present the first empirical study of this phenomenon, giving many first-hand details about the attacks that were observed during a seven-month period between April and October 2008. This helps us better understand the nature and size of these quickly emerging underground marketplaces.

You can read the paper here.  Heise has also done a writeup on this paper (here). 
 
Alex Eckelberry

What makes Rustock tick?

Chandra Prakesh, our Antivirus Lab Manager, presented a paper at AVAR this year on Rustock.  PDF here, Powerpoint here.

From a research perspective, Rustock is quite interesting, as it is a complex backdoor trojan that turns a compromised system into a covert proxy, using highly sophisticated methods of evasion.

Chandra is a bit of an expert on Rustock.  He’s also written papers on other subjects that I’ve referenced on the blog here and here.

Alex Eckelberry

2008 Scareware perspective

Rogue security products, often referred to as “scareware”, are a form of malware that uses scare tactics to make people falsely believe their systems are infected with malware, in exchange for payment. 

It’s a form of extortion that we’ve routinely blogged about.

Sunbelt’s Patrick Jordan keeps track of a lot of them, and has put together a boatload of screen shots of these rogues from 2008.

I’ve posted them to my Flickr account, here (faithful blog readers will recall I did something similar back in 2006).

Alex Eckelberry

New rogue scareware program: Antivirus 360

I’m a bit late on blogging this, but there’s a new rogue, Antivirus 360, which replaces Antivirus 2009.  

[Screenshots: Antivirus 360 online scanner scam, install box, and GUI]

The scam scan is at:

antivirus-rapid-scanner  com/360/1/en/_freescan.php?sid=880751

Also, an exe is downloaded from
lead-protection com/download/av_360glof.exe 

The free trial of VIPRE will clean this.

Alex Eckelberry
(thanks, Patrick Jordan)

The Innovative Marketing saga continues

Fascinating reading here from the FTC complaint.

Highlights:

  • Over 1 million PC users have been scammed by Innovative and its affiliates. At $40 a pop, that’s $40 million in ill-gotten revenue.
  • Forget refunds. According to the FTC, “although some consumers later realize they have been defrauded… and attempt to seek refunds, Defendants routinely delay, obstruct and refuse to honor such requests.”
  • Innovative bought ads generating over 680 million impressions on MyGeek alone (an advertising network, now AdOn.)
  • When faced with complaints from MyGeek about adware vendors not wanting an advertisement to run on their sites, Innovative offered to not display these adware programs as a threat found.
  • MyGeek finally shut down the relationship over complaints. Not able to continue with MyGeek, Innovative created fake ad agencies purporting to represent legitimate companies, and then placed malvertisements (legitimate Flash-based ads that have been compromised to redirect to malware websites, as Sandi Hardmeier has been routinely documenting). This method is what got their ads on mlb.com, nhl.com (remember?), zillow.com, realtor.com and other popular sites.
  • No honor among thieves? Innovative, ironically, is suing father and son Maurice D’Souza and Marc D’Souza over embezzling millions while they worked for Innovative.

Some of the players: Sam Jain, a man with a past, running the show. Daniel Sundin, apparently Jain’s second in command. James Reno, of ByteHosting (check this search also), helping out on the technical aspects. Maurice D’Souza and Marc D’Souza, helping Innovative find credit card processors (difficult, because there were so many chargebacks and complaints). Kristy Ross, who placed the fraudulent ads.

I don’t feel ill will to many people. But with this crew, I hope they rot in prison.

Alex Eckelberry
(Thanks Suzi)

FTC goes after Winfixer

Major news: The FTC is going after Innovative Marketing, which has marketed products like WinFixer and other rogue antispyware programs.  These deliberate scams and frauds have been a plague on the internet now for several years.

At the request of the Federal Trade Commission, a U.S. district court has issued a temporary halt to a massive “scareware” scheme, which falsely claimed that scans had detected viruses, spyware, and illegal pornography on consumers’ computers. According to the FTC, the scheme has tricked more than one million consumers into buying computer security products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus. The court also froze the assets of those responsible for the scheme, to preserve the possibility of providing consumers with monetary redress.

According to the FTC’s complaint, the defendants used an elaborate ruse that duped Internet advertising networks and popular Web sites into carrying their advertisements. The defendants falsely claimed that they were placing Internet advertisements on behalf of legitimate companies and organizations. But due to hidden programming code that the defendants inserted into the advertisements, consumers who visited Web sites where these ads were placed did not receive them. Instead, consumers received exploitive advertisements that took them to one of the defendants’ Web sites. These sites would then claim to scan the consumers’ computers for security and privacy issues. The “scans” would find a host of purported problems with the consumers’ computers and urge them to buy the defendants’ computer security products for $39.95 or more. However, the scans were entirely false.

According to the complaint, the two companies charged in the case – Innovative Marketing, Inc. and ByteHosting Internet Services, LLC – operate using a variety of aliases and maintain offices in various countries. Innovative Marketing is a company incorporated in Belize that maintains offices in Kiev, Ukraine. ByteHosting Internet Services is based in Cincinnati, Ohio.

We have a long history of tracking Innovative Marketing’s sleazy deals.  They are pure, unadulterated slime, a statement I can back up with extensive in-house research.

This is really good news.  Really.

Press release here, complaint here.

Alex Eckelberry

Learning and classification of malware

Thorsten Holz and Carsten Willems, our partners in Sunbelt CWSandbox, have collaborated with Konrad Rieck, Patrick Dussel and Pavel Laskov on a paper, “Learning and Classification of Malware Behavior”.

The abstract explains it well:

Malicious software in form of Internet worms, computer viruses, and Trojan horses poses a major threat to the security of networked systems. The diversity and amount of its variants severely undermine the effectiveness of classical signature-based detection.

Yet variants of malware families share typical behavioral patterns reflecting its origin and purpose. We aim to exploit these shared patterns for classification of malware and propose a method for learning and discrimination of malware behavior.

Our method proceeds in three stages: (a) behavior of collected malware is monitored in a sandbox environment, (b) based on a corpus of malware labeled by an anti-virus scanner a malware behavior classifier is trained using learning techniques and (c) discriminative features of the behavior models are ranked for explanation of classification decisions. Experiments with different heterogeneous test data collected over several months using honeypots demonstrate the effectiveness of our method, especially in detecting novel instances of malware families previously not recognized by commercial anti-virus software.

PDF link here (alternate).

Alex Eckelberry
(And forgive me, if you’re not a malware wonk, this will not be interesting.)