Burn hazard: Sony recalls VAIO F11 and CW2 Series

Firmware update fixes the problem

[Image: Sony Vaio]

Sony has issued a recall for its F11 and CW2 series notebook PCs and is offering a firmware update to fix an overheating problem.

According to the company’s notice today: “In rare instances, these notebook computers may overheat due to a potential malfunction of the internal temperature management system, resulting in deformation of the product’s keyboard or external casing, and a potential burn hazard to consumers.”

The FAQ in the notification said: “Certain units within the VPCF11 and VPCCW2 notebook series are affected by this potential overheating issue. Sony recommends that all units in the VPCF11 and VPCCW2 series be updated with the firmware download.”

Notification here: “Important Notification for the Sony VAIO® F11 and CW2 Series”

Tom Kelchner

More Orkut fun with Javascript recharge pages

Here’s another one of those “paste Javascript into your browser” scams that wants to make significant changes to the appearance of your Orkut account. The site in question here is 500-rs-recharge(dot)minhahomepage(dot)com.

[Image: charge my phone]

It’s just out of shot, but there’s a little “How many people are on this site” doodah (technical term) at the bottom of the page which veered between around 35 and 60 visitors while I was there.

Will we get some more Javascript code to paste into the browser? Yep.

[Image: javascript charging]

This one gives you the usual popup about the fact that your “recharge” is on the way, while making some updates to your Orkut page.

[Image: charger popup]

“You’ll have your free recharge in 24 hours”. Funnily enough, it’s been 24 hours since the first attempt at running Javascript from the original page and I don’t have any recharging action taking place! Anyway, you’re taken to this URL:

500-rs-recharge(dot)minhapagina(dot)info

The website refuses to load for me at the moment, but it has been submitted to PhishTank by somebody so we’ll have to wait and see if it turns out to be a Phish. I certainly wouldn’t advise logging in on there given what we’ve seen so far, though.

If we take a look at the test profile, there are now a whole bunch of random people staring out at me from the “Friends” section:

[Image: charging my friends]

Even better, take a look at my “About” section:

[Image: about me?]

“Free recharge version of Orkut, this version was introduced to all Orkut users as a gift from Google services”.

Uh…call me suspicious, but I’m going to chalk this one up as a “not buy”.

Christopher Boyd

Orkut users asked to recharge phones with the power of Javascript

Here’s a curious scam putting users of Google’s Orkut in the crosshairs. There are a number of sites out there claiming a “free recharge code” (presumably they mean call credits) will be posted to your Orkut scrapbook, but only if you take some random Javascript code – oh dear – and paste it into your browser.

We’ve seen that particular wheeze before, but let’s see what they’re doing with it here. This is one of the sites in question:

[Image: Recharge your phone, honest]

Shall we take a look at the Javascript?

[Image: lots of code]

You may be able to see the URL already. Let’s clean it up a little bit:

[Image: yet more code]

Can you see it yet? “Snurl(dot)com/fr33ee”.

That triggers a big page of javascript code located at orkutaddict(dot)net/freerecharge/dpd(dot)js. At this point, the path branches off depending on whether you’re logged into Orkut or not. If you’re not, you’ll see this popup:

[Image: orkut popup]

“We are done now, login to Orkut and you’ll have your free recharge in just 24 hours”.

You’re then dumped at the following page, located at freerecharge(dot)orkutaddict(dot)net:

[Image: orkut login, honest]

“Sign in to OrkutPorn with your Google Account”.

Yeah, right.

Now we’ll see what happens if the victim pastes the javascript into their browser while logged into Orkut. First you’re asked for your mobile number:

[Image: mobile, please]

Then you’re given a collection of popup boxes promising you wonderful “recharge codes”.

[Image: wait 5 minutes]

[Image: here it comes]

After all of that, you’re dumped at a site flagged as a Phish:

[Image: phishy phishy]

Worse, your Orkut account has started to spam out messages galore:

[Image: spam]

Here’s another one:

[Image: code]

Even better(!), they’ve automatically signed you up to a collection of groups.

[Image: orkut groups]

While Orkut Codes and Orkut Tools look legit, the middle group with 1,811 “members” is clearly related to this particular shenanigan. As you’ve probably guessed, all of the spamlinks on the profiles and in the group take you to more sites asking victims to cut and paste Javascript into their browser – many of which give you rather cheeky popups like this one begging for free advert clicks:

[Image: click my ads!]

In conclusion, then, we have a whole bunch of dodgy Javascript, phish pages, advert clicking, spammed messages on profiles and popup boxes asking for mobile phone numbers.

Is this the concluding part of the writeup where I advise you to avoid the above at all costs?

You better believe it.

Christopher Boyd

Save the last dance…for Adware

Not so long ago, I wrote about something called the Tango Toolbar. While digging around for more information, I actually came across another toolbar called “Tango” which is entirely unrelated (this one is about the dance, not…er…whatever the other one was about) yet also manages to raise some red flags:

[Image: another tango]

Turns out it was a file on Download.com, and this is what happened when I tried to grab it:

[Image: Danger, Will Robinson]

Whoops.

This is what the description page looks like minus the “Blocked” alert box:

[Image: Tango toolbar]

As you can see, it’s been available since 2006. Here’s a VirusTotal report from the 18th of June, with 21/41 vendors flagging it. Here’s an updated report from the 20th, and now 34 vendors are saying “Boom, headshot”. If you want to get into the technical side of things, a ThreatExpert summary from the 6th can be found here.

The main issues seem to be adware.component.toolbars and adware.eztracks, neither of which are mentioned in the (very short) EULA viewed when installing. Here it is:

[Image: tango toolbar EULA]

Not the greatest EULA I’ve ever seen in my life, but there you go. Below is what you’re supposed to see on install:

[Image: Tango toolbar]

However, the homepage wasn’t even online during testing so the “after install” page looked like this instead:

[Image: page MIA]

Not exactly dazzling, I’m sure you’ll agree. Hardly a severe threat (and it’s certainly no Apheve), but a valuable reminder that sometimes things do slip through the cracks even on reputable download services.

I reported this on the 20th, and they took it offline the next day while mentioning their Product Management Team would “temporarily remove the product from our library and notify the publisher of the problem”. My support ticket is now flagged as “Solved” and the download is still MIA, so I’m guessing that’s the last dance for the Tango Toolbar.

Christopher Boyd

U.S. FTC goes after $10 M micropayment scam

READ your credit card statements – really

The U.S. Federal Trade Commission has said it brought an action in U.S. Federal court that shuts down an identity theft scheme that stole more than $10 million from victims’ credit card accounts in small amounts and sent the money out of the country.

The scammers recruited 14 money mules to set up dummy corporations and open bank accounts to receive payments of $10 or less from victims’ credit card accounts. Each account was charged only once. The FTC said it did not know how the scammers obtained the victims’ credit card information.

The money mules, recruited via spam email, sent the stolen funds to bank accounts in Bulgaria, Cyprus, Estonia, Latvia, Lithuania, and Kyrgyzstan.

The dummy corporations charged with credit card fraud were:
— API Trade LLC,
— ARA Auto Parts Trading LLC,
— Bend Transfer Services LLC,
— B-Texas European LLC,
— CBTC LLC,
— CMG Global LLC,
— Confident Incorporation,
— HDPL Trade LLC,
— Hometown Homebuyers LLC,
— IAS Group LLC,
— IHC Trade LLC,
— MZ Services LLC,
— New World Enterprizes LLC,
— Parts Imports LLC,
— SMI Imports LLC,
— SVT Services LLC

The action was brought in the U.S. District Court for the Northern District of Illinois, Eastern Division.
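The scheme above works because a single charge of $10 or less is easy to overlook on a statement, while the same merchant hitting thousands of cards exactly once each is a very visible pattern to the issuer. The following is an added example (my own code, not anything from the FTC or Sunbelt) that shows both views: a cardholder-side scan that flags small one-off charges from unfamiliar merchants, and an issuer-side scan that flags a merchant billing many distinct cards exactly once under the ceiling. All transaction records are constructed; the merchant strings reuse names from the list above but the amounts, dates and card ids are invented.

```python
"""Two views of the one-small-charge-per-card pattern the FTC describes.

Cardholder view: flag charges <= $10 (the ceiling quoted in the notice)
from a merchant that appears only once on the statement and is not a
merchant the cardholder recognises.
Issuer view: flag a merchant that bills many distinct cards exactly once
each, always under that ceiling.

All transaction data below is constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from decimal import Decimal

MAX_AMOUNT = Decimal("10.00")  # "payments of $10 or less" per the FTC notice


@dataclass(frozen=True)
class Txn:
    date: str
    merchant: str
    amount: Decimal


# Constructed single-cardholder statement.
STATEMENT = [
    Txn("2010-05-02", "GROCERY MART #114", Decimal("54.10")),
    Txn("2010-05-04", "COFFEE CORNER", Decimal("3.75")),
    Txn("2010-05-09", "COFFEE CORNER", Decimal("4.10")),
    Txn("2010-05-11", "API TRADE LLC", Decimal("9.00")),
    Txn("2010-05-15", "GROCERY MART #114", Decimal("61.33")),
    Txn("2010-05-16", "COFFEE CORNER", Decimal("3.75")),
    Txn("2010-05-20", "SVT SERVICES LLC", Decimal("7.55")),
    Txn("2010-05-25", "ELECTRIC UTILITY CO", Decimal("120.00")),
]

# Merchants the cardholder already recognises (recurring billers and so on).
KNOWN_MERCHANTS = frozenset({"ELECTRIC UTILITY CO"})


def flag_micro_charges(txns, known=frozenset(), max_amount=MAX_AMOUNT):
    """Charges <= max_amount from merchants seen exactly once and not in `known`."""
    seen = Counter(t.merchant for t in txns)
    return [
        t for t in txns
        if t.amount <= max_amount and seen[t.merchant] == 1 and t.merchant not in known
    ]


# Constructed issuer-side feed: (card_id, merchant, amount).
ISSUER_FEED = [
    ("card-1", "API TRADE LLC", Decimal("9.00")),
    ("card-2", "API TRADE LLC", Decimal("8.50")),
    ("card-3", "API TRADE LLC", Decimal("9.95")),
    ("card-4", "API TRADE LLC", Decimal("7.20")),
    ("card-5", "API TRADE LLC", Decimal("9.00")),
    ("card-6", "API TRADE LLC", Decimal("6.80")),
    ("card-1", "COFFEE CORNER", Decimal("3.75")),
    ("card-1", "COFFEE CORNER", Decimal("4.10")),
    ("card-2", "COFFEE CORNER", Decimal("3.75")),
    ("card-3", "COFFEE CORNER", Decimal("2.90")),
    ("card-4", "COFFEE CORNER", Decimal("3.75")),
    ("card-5", "COFFEE CORNER", Decimal("3.75")),
    ("card-1", "GROCERY MART #114", Decimal("54.10")),
    ("card-2", "GROCERY MART #114", Decimal("61.33")),
]


def one_hit_merchants(records, max_amount=MAX_AMOUNT, min_cards=5):
    """Merchants billing >= min_cards distinct cards, each exactly once, all <= max_amount.

    Returns {merchant: number_of_distinct_cards}. A coffee shop also bills many
    cards for small amounts, but repeat customers break the "exactly once" rule.
    """
    by_merchant = defaultdict(list)
    for card, merchant, amount in records:
        by_merchant[merchant].append((card, amount))
    flagged = {}
    for merchant, hits in by_merchant.items():
        per_card = Counter(card for card, _ in hits)
        if (
            len(per_card) >= min_cards
            and all(n == 1 for n in per_card.values())
            and all(amount <= max_amount for _, amount in hits)
        ):
            flagged[merchant] = len(per_card)
    return flagged


if __name__ == "__main__":
    for t in flag_micro_charges(STATEMENT, KNOWN_MERCHANTS):
        print(f"query with issuer: {t.date} {t.merchant} ${t.amount}")
    print("one-hit merchants:", one_hit_merchants(ISSUER_FEED))
```

The cardholder rule is deliberately noisy (any first visit to a cheap shop trips it) because the cost of a false positive is a minute spent checking; the issuer rule is the one with real signal, since a legitimate low-value merchant accumulates repeat customers and a mule-front company does not.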

FTC release here: “FTC Obtains Court Order Halting International Scheme Responsible For More Than $10 Million In Unauthorized Charges On Consumers’ Credit and Debit Cards”

Tom Kelchner

The “Buy Twitter followers” lottery

This is wonderfully cheeky – a website popping up in a lot of Twitter spam called increasethefollowers(dot)info, that wants you to hand over lots of money with no real explanation as to how they’re going to make it worth your while. Example spam post:

[Image: click here for lots of followers]

This is the site itself:

[Image: so many to choose from]

Prices start at $5 for 100 followers, right up to a huge total of 10,000 followers if you pay the highest price.

The more people you want them to add to your feed, the more time it takes. Anything up to 3,000 followers ($150) will take a maximum of 60 days. Beyond that, 4,000 followers ($200) is 40 to 80 days, 5,000 ($250) is “60+ days” and 10,000 Twitter followers (for $450) will take “90+ days approx”.

Their website says this:

“Refund guarantee: You can request a full refund on your Paypal account in 60 days”.

60 days is the maximum length of time the seller has to send the buyer their refund via the Refund tab inside Paypal. After that, it’s no longer available as an option for the seller and I believe they have to process the refund as a kind of “standalone” payment. Given that the only information on the site is a link to a form that says “Click here to find out more”, would you want to risk giving $450 to a total stranger (with no indication of how they’re going to work their magic), sweating it out for 90 days or more just to bump up your follower count with….real people? Bots? No idea.

Don’t think I’d advise giving this one a try, though.

Christopher Boyd

A little free (bad)vertising goes a long way

Today I saw a Youtube account with an array of random World Cup moments cobbled together. Nothing particularly unusual about that, but what did leap out at me was the likely reason the account exists at all – the World Cup stuff looks like a lure to get viewers to watch this:

[Image: Facebook account hacker video]

“Facebook account hacker / Hack any Facebook”, it says. As you can see, the video has been removed – and quickly (after something like nine hours, which is remarkably fast for a Youtube script kiddie video). We’ll find out why the video was removed so quickly a little later on, but for now let’s take a look at what we’d have grabbed if the video was still there.

[Image: google win]

A blogspot spamblog seems to be the final destination…

[Image: spamblog]

142 visitors in a few hours for a spamblog with no content on it other than these “instructions” which point to a download link? The mystery deepens. Here’s what you see on the download page:

[Image: our survey says...]

Yes, it’s one of those surveys where you sign up to nonsense in return for something that probably wasn’t worth the time you put into it. More often than not, you’ll find you’ve signed your life away to marketers and also downloaded an infection file (you don’t honestly think the “Hack any Facebook account” program is going to do what it says on the tin, do you?).

As for why the video was pulled (and also how the spamblog has had so many hits in a few short hours), we need to take a quick jump over to the website of UK newspaper The Daily Mail. In their coverage of the England Vs Germany match, they’ve seemingly grabbed the first random Youtube clip they could get their hands on. Unfortunately for them, it was this one:

[Image: Probably a bad idea to embed this one]

“Want to know how to hack Facebook accounts? Click here!”

Whoops. That would explain the traffic spike for the spamblog, and also why Youtube have pulled it – looking at the comments from the article, it seems many readers with Youtube accounts have reported the video.

At time of writing, the video is still embedded – it’s pretty harmless now, but I must admit to being baffled how someone could miss the large red box with the “Hack Facebook accounts” text in it. And don’t get me started on the football match, either…

Christopher Boyd

Magazine review of Hotspot Shield misses the fact that it’s adware

[Image: HotSpot Logo]

The July print edition of PCWorld carried an (otherwise great) article “How to Stay Safe on Public Wi-Fi” (p. 94) that recommended Hotspot Shield VPN software. Unfortunately the magazine neglected to tell its readers that Hotspot Shield has some serious issues and Sunbelt’s VIPRE detects it as adware. We can’t really tell if the magazine is ignoring the issue or just didn’t notice.

Hotspot Shield “Software License and Terms of Service” states:

“9.1 Advertisements.  AnchorFree may deliver third-party advertisements (‘Advertisements’) within the content of any web page accessed. Advertisements may be injected into the top of the page, inserted directly into the page content, or even displayed to overlay the page.”

Some VIPRE users asked us recently about Hotspot Shield and we outlined the problem in the Sunbelt Blog. The company responded and we carried its comments as well. Our conclusion (written by Sunbelt Spyware Research Manager Eric Howes):

“The key test or question in this case is a simple one. AnchorFree promotes Hotspot Shield as means for ‘protecting your privacy, security, and anonymity on the web.’ What would users think if they knew that the very first thing AnchorFree does after users start a ‘private browsing session’ is hand them over to invasive advertising networks? I think they would be appalled.”

VIPRE detects it as Adware.Win32.HotspotShield.

Sunbelt Blog pieces about Hotspot Shield:

“What part of “no adware” don’t you understand?”

“AnchorFree Responds on Hotspot Shield, our response”

Tom Kelchner

 

XXX top level domain approved

Like it or hate it, ICANN approves domain for porn

PC World is reporting that the board of directors of the Internet Corporation for Assigned Names and Numbers (ICANN) today approved a dot-XXX top level domain for “adult” web sites. The decision comes after a decade of controversy over the issue.

The domain was proposed by the company ICM Registry.

PC World said, “The proposal was made under ICANN’s rules for ‘sponsored’ TLDs, through which domains have been created by interest groups including the aeronautical industry (dot-aero) and the cooperative movement (dot-coop).”

Story here: “ICANN Board Approves Dot-XXX Top-level Domain for Porn”

IBTimes said “Figures collated by Internet Pornography Statistics suggest more than $3,000 is spent on Internet pornography every second, with ‘sex’ the number one search term in the world, accounting for 25 percent of all Internet searches.

“With an estimated 370 million pornographic websites on the Internet, .xxx could become one of the largest domain name repositories, as big if not bigger than .com.

“But some members of the adult entertainment industry oppose .xxx, saying it will invite censorship and harm their business. Members of the American religious right also oppose its creation on moral grounds.”

Story here: “Internet bosses set to approve .xxx for porn sites”

This has been one of the biggest controversies connected with Internet management in the last decade because of the touchy moral issue of pornography. Anyone who has ever been connected to the Internet, however, knows that the number of porn sites out there is enormous.

It’s a good thing for everyone involved. Internet censors can filter adult sites now whether they’re government officials trying to block their entire citizenry from seeing porn or just parents trying to keep their kids from viewing it.

And anyone who thinks that URLs with a .xxx top level domain will lure the innocent into temptation has never looked in his spam bucket or done a search for the word “sex” (803 million hits — this morning.)

[Image: Word search]

Tom Kelchner

Doctor Who: Attack of the Fake Episode Websites

If you like Doctor Who, you’re probably rather excited at the prospect of the upcoming season finale. You’ve chewed over the spoilers for the penultimate episode and you really, really want to see what happens.

I bet someone on the internet has the final episode early – right?

[Image: the big bang]

Well, what do you know. Somebody does! Of course, it’s all nonsense – clicking the link takes you to that most common of cookie cutter content, the “fill in the quiz to see the episode” gag (which involves you sending lots of personal information to marketers and random internet people).

[Image: fill this in to see....nothing]

I’m almost certain Alientube(dot)net does NOT have the World exclusive on the final episode of the season – sorry to disappoint! In fact, fakeout “uploads” of Doctor Who are rather common.

[Image: Doctor Who Galore]

As you’ve probably guessed, all of the above take you to sites that want you to sign your life away in return for very little. Another interesting phenomenon is the Doctor Who spamblog; they all pretty much look the same and do the same thing – ask you to “Download Now!”:

[Image: Doctor Who blog]

All of these spamblogs take you to sites like the one below, which claim to offer lots of “movies and TV shows, all of which are free and legal”.

[Image: free?]

Before you can get your fix of Doctor Who, you’ll need to sign up (obviously). Here are the charges:

[Image: money money money]

Unlimited membership is $34.95, 2 years is $32.88 and 1 year is $29.88. There’s also a preticked box for “hi-speed performance”, “download protection” and the ability to “copy your downloads” for $14.95.

Sign me up!

Or, to be more accurate…don’t. Information with regard to what you’re actually getting for your money is thin on the ground, but a quick check of the help section clears things up a little:

[Image: I'm paying for what now?]

“State of the art software will download your file from multiple users simultaneously…”

[Image: No seriously, I'm paying for what now?]

“With more than 30 million users sharing more than 800 million files…”

Is it just me, or is the magical service they’re trying to get you to pay $35+ for nothing more than a P2P program? Sure seems like it, and that wheeze has been around for quite some time. Don’t confuse any of these sites with the official BBC iPlayer, and don’t fall for any of these offers – whether they take the form of survey spam or websites that want you to cough up for some P2P action, you’ll only regret it in the end.

Christopher Boyd

China will ban minors from virtual-currency trading sites

Bloomberg news is reporting that the government of China on August 1 will make it illegal for companies that operate Web sites that deal in virtual currency to allow minors access. The ban will not affect the way virtual currency is used to buy items within online games, the Chinese Ministry of Culture said.

Business analysts say the ban won’t affect the gaming operators, but could have an effect on sites that provide traders with a place to exchange the virtual currency for real money.

Story here: “China Government Bans Online Virtual-Currency Dealing Platforms for Minors”

This is possibly about two things.

— The Chinese government wants to control (and tax) the huge shadow economy that results from exchange of virtual gold
— and possibly control an industry that could be using child labor.

We blogged about “gold farming” in January: “Gaming Trojans: ‘because that’s where the money is.’”

Gold farming has grown incredibly in recent years and become a source of employment in China and other parts of Asia. An estimated 400,000 people work for gold farming companies, spending as much as 12 hours per day playing online games in order to accumulate virtual goods which can be sold to some of the 50 million online game players worldwide for real cash. There’s a pretty good chance that some of those gold farmers are minors.

It is hard to imagine many kids who would complain about playing video games all day for pay, although it could be so attractive they’d be inclined to skip school to “work.”

Tom Kelchner

The joys of file sharing: malware sharing

MyWebSearch, the old familiar toolbar, is still around

The team came across these yesterday on a file-sharing network in a file “Power DVD 8 Cracked.rar.”

It installs, without proper notice, MyWebSearch, FLV Direct Player and other garbage. Adam Thomas found a similar surreptitious install of FLV in April – clearly that was part of an affiliate program scheme in which someone was getting paid each time FLV got installed.

See Sunbelt Blog: “Bot installs adware along with video player”

The MyWebSearch Toolbar is a customizable Internet Explorer search toolbar which installs other tools, including pop-up blockers, screensavers, and cursors. Searches entered into the toolbar search field are directed to MyWebSearch.com. MyWebSearch has been around for five years.

[Image: Webfetti]

[Image: Fetti]

[Image: Fun_stall]

[Image: Fun_tool]

It does have the URL of an end-user license agreement buried in its code, http://www.stasga.com/view-eula.php, which pretty much describes what it’s going to do:

“7. By pressing ‘Accept’ you agree to the terms of the following: You allow us to modify your HTTP packets in your packet filters. This will allow us to modify your URL in your browser. “

For some strange reason, the EULA has no section six.

Thanks Adam,

Tom Kelchner

Shakira’s World Cup song used to push FLVPro.exe

It seems the last week or so has been a fun time to promote not only the World Cup, but also various bits of software you might not want on your PC. Here’s a collection of Shakira uploads on Youtube, all related to her “Waka Waka” song created for the World Cup:

[Images: waka waka (three Youtube search listings)]

As you can see, there’s everything from the official video to ripped copies of her performing live. There are many more of these videos floating around Youtube, but all of them point to flvpro(dot)com and ask you to download “free movies and TV shows” with the aid of their “direct downloader”.

What happens when you try to download the executable from that site?

[Image: flv]

Oh dear – bit of an own goal, there.

It wasn’t so long ago that there was a “hilarious video” scam on Facebook – recognise the filename?

Be careful when rummaging around sites such as Youtube for World Cup related songs, replays and things of a similar nature. You won’t have any problems as long as you stay on the site playing the video, but wandering off into the wide blue yonder could mean an early substitution and a PC full of junk.

Nobody wants that, do they?

Christopher Boyd

U.S. Govt. plans crackdown on online pirated goods

The U.S. Intellectual Property Enforcement Coordinator Victoria Espinel (AKA “copyright czar”) has made public an ambitious new federal government strategy to combat online piracy and the sale of counterfeit products.

Espinel said the plan will improve government efforts at prevention and detection as well as the prosecution of intellectual property thieves. It takes aim at the foreign websites that violate U.S. intellectual property laws.

The plan lays out responsibilities of federal government agencies including the Food and Drug Administration, the FBI and the Department of Justice. The agencies will get added manpower and other resources to detect intellectual property theft and prosecute the thieves, Espinel said.

Story here.

I would like to think that this initiative, coupled with added vigilance by domain registrars, will go a long way toward cleaning up the illegal pharma and product knock-off sites that are so extensively advertised by spam email. Hopefully, the KnujOn report we blogged about yesterday will bring pressure on Domain Registrars to shut down the ISPs that protect criminal Internet operators.

Tom Kelchner

419 spam: scenario moves to Hong Kong

Carries return email address on Belarus server with blocked Whois

It seems that Mr. Liu Yan of the Bank of China Ltd. in Hong Kong has sent me an email message (from dogyoungshop.com – which is in Taiwan, oddly enough) to inform me that the estate of the late General Mohammed Jassim Ali is up for grabs and I just might be able to become the beneficiary.

It seems that General Ali was with the Iraqi forces and he and his family died in the war, leaving a fortune secretly deposited in the Bank of China… oh, you know the shtick.

Business Notification !!! (3.6.10)
From:”Liu” < Yan@Dogyoungshop.com>

[Image: Dogyoungshop]

FROM: Liu Yan
Bank of China Ltd.
13/F. Bank of China Tower
1 Garden Road
Hong Kong,

I sincerely ask for forgiveness for I know this may seem like a complete
intrusion to your privacy but right about now this is my best option of
communication. . . .

Best Regards

Liu Yan

Please reply to this email: liuyanch@tut.by

[Image: Tut_by whois]
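The tell in this message is not the story but the plumbing: it arrives from a domain in Taiwan, claims to be from a bank in Hong Kong, and asks for replies at a free-mail address in Belarus. Below is an added example (my own code, not a Sunbelt tool) that turns that observation into a check: it parses a message with Python's standard email module, compares the From: domain with the Reply-To: header and with any "reply to ..." address planted in the body, and flags the message when they diverge. The sample message is constructed from the headers and text quoted above with the body trimmed; the benign comparison message and all example.com/example.org addresses are likewise constructed.

```python
"""Flag 419-style mail whose reply path diverges from the sender.

Heuristic (an added example, not a Sunbelt detection): compare the From:
domain with the Reply-To: header and with any "reply to ..." instruction
embedded in the body. Mail from a real organisation keeps these on one
domain; advance-fee scams send from a throwaway or compromised domain and
steer replies to a free-mail account somewhere else entirely.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample modelled on the message quoted above; body text trimmed.
SAMPLE_419 = """\
From: "Liu" <Yan@Dogyoungshop.com>
To: recipient@example.org
Subject: Business Notification !!!

FROM: Liu Yan
Bank of China Ltd.
Hong Kong

I sincerely ask for forgiveness for I know this may seem like a complete
intrusion to your privacy but right about now this is my best option of
communication.

Please reply to this email: liuyanch@tut.by
"""

# Constructed benign message for comparison: reply path stays on one domain.
SAMPLE_CLEAN = """\
From: "Alice" <alice@example.com>
Reply-To: helpdesk@example.com
To: bob@example.org
Subject: Invoice 1042

Please reply to helpdesk@example.com with any questions.
"""


def domain_of(address):
    """Lower-cased domain part of an address."""
    return address.rsplit("@", 1)[-1].lower()


def reply_addresses(msg):
    """Every address the recipient is steered towards: Reply-To plus body instructions."""
    found = set()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to:
        found.add(reply_to.lower())
    # Only plain single-part bodies are scanned here; multipart mail would need a walk().
    body = "" if msg.is_multipart() else msg.get_payload()
    for line in body.splitlines():
        if "reply" in line.lower():
            found.update(a.lower() for a in ADDR_RE.findall(line))
    return found


def analyse(raw_message):
    """Return a verdict dict; `suspicious` is True when any reply address is off-domain."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = domain_of(sender)
    replies = reply_addresses(msg)
    mismatched = sorted(a for a in replies if domain_of(a) != sender_domain)
    return {
        "sender": sender,
        "sender_domain": sender_domain,
        "reply_addresses": sorted(replies),
        "mismatched": mismatched,
        "suspicious": bool(mismatched),
    }


if __name__ == "__main__":
    for name, raw in (("419 sample", SAMPLE_419), ("clean sample", SAMPLE_CLEAN)):
        print(name, analyse(raw))
```

A mismatch on its own is not proof (mailing-list software and ticketing systems legitimately set a different Reply-To), so in practice this score is combined with others; it is, however, a cheap first filter that the message above fails outright.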

Tom Kelchner

TwitterBot lets victims roll their own dice

Not so long ago, I wrote about a Botnet creation tool that allowed you to insert your Twitter username into your bots and control the infected computers via commands posted to Twitter feeds. This time around, we have something a little different:

[Image: Give me a command, already]

Isn’t it cute? This program places the tools of destruction into the hands of the victims, which is never a good thing.

It’s distributed as a kind of “free for all” kit on hacking forums, where individuals are encouraged to take the code, files and graphics then improve upon the basic package:

[Image: files for all]

Here’s what some of the code from one of the many files included looks like:

[Image: Change this, but don't change that]

Note the “edit this / don’t edit that” lines in the code, and also that there is a Twitter account listed. This is the account of the creator, so at a minimum the bare bones package will always follow orders assuming that account isn’t deleted. Of course, the real fun begins when users add in their own Twitter account(s), and also add new commands to the program.

Here’s a very basic example of what the program can do: once I’ve added my own Twitter account to the code in the executable, I start posting commands to my Twitter feed.

[Image: a commanding performance]

At that point, all I need to do is send the nice looking TwitterBot file to the victim and convince them to run it. When that happens, the “Message box” command will pop this on their desktop:

[Image: Chess, anyone?]

Pulling a message from Twitter and opening it on the desktop is fun, but we’ve already seen versions out there with more malicious uses for Twitter commands like downloading rogue executables, opening up files on the C drive and a particular favourite…hunting for login credentials:

[Image: Looking for logins]

To coin a phrase…”Whoops”.

Of course, much like the Twitternet creator program this suffers from a few drawbacks of using Twitter to “do bad things”(TM). If the account named in the code goes AWOL, then the program is a dead duck (or in this case, a dead friendly looking blue bird). It also won’t obey commands from a private Twitter account so for the moment, hiding in plain view isn’t really an option and users will have to accept their shenanigans could well be monitored and shut down accordingly.

Still, there are enough people out there who will unfortunately run any random file sent to them that the threat from those lurking Twitter commands is quite real. We detect this as Backdoor.Win32.Vortwix.A.
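The weakness the post describes cuts both ways for a defender: because the bot can only take orders from a public account, every infected machine has to keep fetching that account's page, and a loop with a fixed sleep leaves a very regular trace in the web proxy log. The following is an added example (my own code, not Sunbelt's detection and nothing from the kit) that groups proxy records by client and URL, keeps only requests to a watch-list of hosts, and flags a series whose inter-request gaps are almost constant. The log format, the client addresses, the user-agent strings and the account name "example_c2_account" are all constructed placeholders.

```python
"""Spot a client polling one Twitter page on a fixed timer in proxy logs.

A bot that takes orders from a public Twitter feed must fetch that feed
over and over, normally from a loop with a constant sleep. A person reading
Twitter produces bursty, irregular requests across many URLs. This added
example groups proxy records by (client, URL), restricts them to a
watch-list of hosts, and flags a series whose gaps barely vary.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed log format: epoch client method url status "user-agent".
LOG_RE = re.compile(
    r'^(?P<ts>\d+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample: 10.0.0.5 polls one account page every 60 s;
# 10.0.0.9 is a person browsing. The account name is a placeholder.
SAMPLE_LOG = """\
1277900000 10.0.0.5 GET http://twitter.com/example_c2_account 200 "Mozilla/4.0 (compatible; MSIE 7.0)"
1277900010 10.0.0.9 GET http://twitter.com/home 200 "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6"
1277900013 10.0.0.9 GET http://twitter.com/some_friend 200 "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6"
1277900060 10.0.0.5 GET http://twitter.com/example_c2_account 200 "Mozilla/4.0 (compatible; MSIE 7.0)"
1277900120 10.0.0.5 GET http://twitter.com/example_c2_account 200 "Mozilla/4.0 (compatible; MSIE 7.0)"
1277900180 10.0.0.5 GET http://twitter.com/example_c2_account 200 "Mozilla/4.0 (compatible; MSIE 7.0)"
1277900240 10.0.0.5 GET http://twitter.com/example_c2_account 200 "Mozilla/4.0 (compatible; MSIE 7.0)"
1277900300 10.0.0.5 GET http://twitter.com/example_c2_account 200 "Mozilla/4.0 (compatible; MSIE 7.0)"
1277900400 10.0.0.9 GET http://twitter.com/home 200 "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6"
1277900405 10.0.0.9 GET http://www.example.com/news 200 "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6"
1277903400 10.0.0.9 GET http://twitter.com/home 200 "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6"
1277903405 10.0.0.9 GET http://twitter.com/home 200 "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6"
"""

WATCH_HOSTS = frozenset({"twitter.com", "www.twitter.com"})


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_beacons(log_text, watch_hosts=WATCH_HOSTS, min_hits=4, max_cv=0.1):
    """Return periodic (client, URL) series against watched hosts.

    A series qualifies when it has at least min_hits requests and the
    coefficient of variation (stdev / mean) of the gaps is <= max_cv;
    0.0 means every gap is identical.
    """
    series = defaultdict(list)
    agents = {}
    for rec in parse_log(log_text):
        if urlsplit(rec["url"]).hostname not in watch_hosts:
            continue
        key = (rec["ip"], rec["url"])
        series[key].append(int(rec["ts"]))
        agents[key] = rec["ua"]
    beacons = []
    for (ip, url), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({
                "client": ip, "url": url, "hits": len(stamps),
                "mean_gap_s": avg, "cv": round(cv, 3), "user_agent": agents[(ip, url)],
            })
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"{b['client']} polls {b['url']} every ~{b['mean_gap_s']}s ({b['hits']} hits, cv={b['cv']})")
```

Two things to tune in real use: kits that add random jitter push the coefficient of variation up, so the threshold is a trade-off against false positives from legitimate auto-refreshing pages, and the watch-list should cover whatever public services your environment sees used as a command channel, not just the one named here.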

Thanks to Adam Thomas from Sunbelt’s Malware Research Team for additional research.

Christopher Boyd

Report IDs domain name registrars who sponsor illegal activity

Anti-spam group KnujOn (“NoJunk” backwards), a member of the Internet Corporation for Assigned Names and Numbers (ICANN), has issued a nearly 100-page report detailing how some domain name registrars are actively shielding pharma and other illegal groups by protecting their web sites from takedown. The report names names.

ICANN is responsible for managing the assignment of domain names and IP addresses on behalf of the U.S. government.

KnujOn’s report quotes John Horton, President of LegitScript.com: “The Internet rule is straightforward. Domain name registrars are required by ICANN to prohibit domain owners from using their domains for unlawful purposes. Without exception, this rule is also reflected in each registrar’s terms and conditions, thus formalizing and protecting the company’s contractual right to suspend domain names for unlawful activity. Once a registrar becomes aware that a website is engaged in criminal activity, the company has the legal authority and technical ability to suspend the domain name, rendering the illegal and fraudulent content inaccessible. This self-policing is meant to balance freedom of speech with safety and legitimacy as the Internet continues to evolve. But all too often, registrars simply turn a blind eye to criminal activity.”

The third section of the KnujOn report describes “…how the Domain Name System is being manipulated on a massive scale to support illicit drug traffic and details conditions that allow this threat to exist at the expense of the consumer and legitimate business.”

The report says the illicit product traffic gives registrars the opportunity to make money selling illegal domain registrations and domain product service related to them.

The report says: “There is no question that underground pharmaceutical traffic is illegal and kills people. The traffickers may paint themselves as virtual Robin Hoods who defy the greedy hands of government and “big pharma”, but in reality they deliver tainted products and cruelly prey on the sick, elderly, and addicted. In contrast with the popular perception, the underground pharmacy market is far beyond lifestyle drugs like Viagra and Cialis. Tainted and completely fake drugs sold on the Internet include heart, blood-pressure, cancer, diabetes, and AIDS medications. There are multiple documented cases of chalk pressed into painted pills, HIV test kits that give false negatives, “anti-aging” cocktails, and an array of other “snake oils” that give false hope and make the sick sicker.”

Tom Kelchner

The Mysterious Tango Toolbar

For a month or so now, support sites and Question / Answer services such as social.answers.microsoft and Yahoo Questions have been looking like this:

[Image: social answers tango bar]

[Image: Tango Bar on Yahoo]

Two common themes: nobody seems to know where they get it from, and nobody can uninstall it. Out of all the threads posted, there seems to be only one that potentially gives some specifics with regard to a possible source. If you don’t want to read his long ramble, here is his post in a nutshell:

“Went looking for Limewire, downloaded a version and now I have Tango Toolbar”.

So either he grabbed a cracked version which comes with the toolbar, or he downloaded something from P2P land which came with a few surprises. Regardless of infection route, it took a while to find the file in question because “It’s called Tango Toolbar and there’s a picture of a red hat on it” doesn’t really help much. The search was made more annoying by virtue of there being lots and lots of programs, skins and other things called Tango (or Tango Toolbar) that had nothing to do with this.

Things picked up a bit with this HijackThis log, listing a URL in the file which allowed me to grab a report from Threat Expert stuffed with the technical data I needed to pull the file from our database and have a play.

Shall we take a look? Presenting: The Tango Toolbar installer splash.

Tango Bar splash page

I know what you’re thinking. However, despite the strangely similar name, this doesn’t have anything to do with Zango. The splash claims it has a popup blocker, a built-in search and offers “related keywords” when browsing. I particularly like the popup blocker, which notifies you of every popup blocked with the aid of a popup.

Blocking popups with popups

I’m also a fan of the “Do not notify me again” checkbox, which works about as well as you’d expect. Three seconds later, and:

More popups

Whoops.

The search results come from bar(dot)adbsearch(dot)com, and all seem to be sponsored. I didn’t see any inline adverts, but where this gets really interesting is when you try to uninstall. The “About” box makes it clear this toolbar has a EULA:

Tango Toolbar About Box

Clicking the link takes you to a site called gettango(dot)com:

Tango Toolbar Eula

There is no EULA there, but the reason for this might be a little strange. See, gettango(dot)com is a site owned by a company called Brand Tango, who seem to be a marketing company dealing with timeshare/real-estate/hospitality. Can you see any connection between that and a random toolbar? Even stranger, if you go to Add / Remove Programs and attempt to uninstall, this is what you’ll see:

Tango Toolbar uninstall

A popup box with nothing other than a message served up from remove(dot)gettango(dot)com.

“Hello, If you were sent to this page then it is likely that you have downloaded some sort of adware or malware. We have recently begun to receive reports from individuals who have installed a toolbar that includes the name ‘tango’ and tells them to go here to remove it. Our company, Brand Tango, has no association with this software and we do not create any software for individual use. The reported toolbar is attempting to mislead people by sending them to a domain that they don’t own and that can’t help them. We recommend that you ensure your internet security software (anti-virus, firewall, malware/adware protection, etc…) is up to date and then contact their technical support for help removing the toolbar. For your convenience, links to some of the more popular internet security companies are listed below.

Sincerely,
Brand Tango”

It then goes on to list Kaspersky, Symantec and McAfee as methods to remove the Toolbar. The Gettango domain and what appears to be their main website brand-tango(dot)com share similar domain registration data, and everything appears to be on the level. Is someone deliberately trying to mess with the reputation of Brand Tango by pointing a toolbar at their domains?

The secondary search feature accessed by clicking the Tango logo also points traffic to the gettango domain:

Click a link, any link

more broken searches

Interestingly, tangosearch(dot)com (from the HijackThis logs) also has a message on their site:

Another Tango message

That site has different Whois data, showing as being “up for sale” and registered to hugedomains(dot)com.

It seems nobody wants anything to do with this toolbar, but it keeps crashing the party regardless. What we can say is that the toolbar is ultimately a problem for Mirar to resolve, even if registered through Domains By Proxy:

Tango Bar homepage

This particular toolbar is a mess of broken uninstallers, disclaimers warding off associations with the product and endless people on support forums wondering how it ended up on their computers in the first place. In a situation such as this, there’s really only one course of action to take:

Tango down

TANGO DOWN.

Christopher Boyd

(Thanks to Adam Thomas for additional research).

You (better) do the math

As we were trolling the ugly underbelly of the Web for the latest in malicious gimmickry we couldn’t help but notice the “membership plan” shell game played on a site devoted to helping men find “lonely housewives” to apparently add joy to their empty lives.

The plan prices didn’t seem to add up.

Under each per-month price is a grayed out line that says “Billed at____ USD”

$5.99 x 12 = $71.88 not $107.82

$9.99 x 3 = $29.97, not $39.96

BUT $18.99 x 1 DOES INDEED EQUAL $18.99

Watch Payment2

Multiplication shouldn’t be beyond the ability of the average guy looking for lonely housewives to fulfill.

In rural areas, sensible drivers are especially alert in deer rutting season (November and December). At that time of year bucks insanely dash across the highway (and into vehicles) in pursuit of the deer equivalent of lonely housewives. They don’t think, they just go! The folks running this site apparently are banking on the same hormone-driven behavior in their human visitors.

It’s apparently nothing new. The site has been around for four years.

Tom Kelchner