Zeus Linkedin mails still out for delivery

Since Monday there has been a bit of a deluge of Linkedin scam mails that redirect the end-user to Zeus data theft malware. It’s worth pointing out that these emails are still doing the rounds:

Zeus mail

In addition to drive-by exploits attempting to install Zeus without permission, some of the sites are using the old “Upgrade your Flash player to continue” trick, which will no doubt snare a few more victims. If you absolutely cannot live without using LinkedIn via emails, it might be worth forcing yourself to switch to site-based communication only for the time being. Failing that, at least grab NoScript and make your browsing a lot safer.

Christopher Boyd

October is National Cyber Security Awareness Month 2010

National Cyber Security Awareness Month — held every October since 2004 — is a “national public awareness campaign to encourage everyone to protect their computers and our nation’s critical cyber infrastructure,” according to the organizers.

It’s a cooperative venture of:
— Department of Homeland Security (DHS)
— National Cyber Security Alliance (NCSA)
— Multi-State Information Sharing and Analysis Center (MS-ISAC)

The focus is promoting safe computing practices for home users, schools, businesses and governments to help them protect their computers, children and data.

 

More information on the Stay Safe Online site here.

Stay Safe Online has a very comprehensive page of security resources here.

Tom Kelchner

The GFI Sunbelt Software Malware Minute video

GFI Sunbelt Software weekly video feature

The GFI Sunbelt Software Malware Minute video is available for your viewing pleasure on the SunbeltSoftware YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that will provide a weekly roundup of top stories from the GFI Sunbelt Software Blog, the GFI Sunbelt Rogue Blog and anything else we think might be of interest.

Tom Kelchner

Sale of virtual goods will hit $2 B next year

Not-so-virtual theft will probably increase

Miguel Helft in his “Bits” column in the New York Times today reported that researchers expect the sale of virtual goods to hit $2.1 billion next year.

Media research firm Inside Network estimated that the sale of virtual goods — such as items in the Zynga Facebook games, mobile games and virtual worlds — will hit $1.6 billion this year and $2.1 billion in 2011.

With such growth I don’t think it’s much of a stretch to predict that the Internet underworld will be intensifying its efforts to tap some of that “value,” whether it’s hard cash or Facebook credits. These scams aren’t new – there’s a whole third-world “gold farming” industry — but with that kind of money out there I’m sure we’re going to see more hacking, social engineering and probably malcode taking aim at the “revenue streams.”

Bits blog here: Virtual Goods Expected to Grow by 40 Percent Next Year, Study Says

Tom Kelchner

Microsoft out-of-band patch today

Microsoft has posted advance notification that it will post an out-of-band security bulletin for Windows later today. US-CERT is quoting the Microsoft SharePoint Team as saying the bulletin will fix a recently reported vulnerability in ASP.NET that could allow an attacker to access sensitive information (CVE-2010-3332).

Microsoft’s Sept 17 advisory “Vulnerability in ASP.NET Could Allow Information Disclosure” is here.

 The fix affects nearly all releases of Microsoft Windows:
— Windows XP Service Pack 3
— Windows XP Professional x64 Edition Service Pack 2
— Windows Server 2003 Service Pack 2
— Windows Server 2003 x64 Edition Service Pack 2
— Windows Server 2003 with SP2 for Itanium-based Systems
— Windows Vista Service Pack 1 and 2
— Windows Vista x64 Edition Service Pack 1 and 2
— Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
— Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
— Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
— Windows 7 for 32- and x64-based Systems
— Windows Server 2008 R2 for x64-based Systems and Itanium-based Systems

Update:

Microsoft Security Bulletin MS10-070 – Important
Vulnerability in ASP.NET Could Allow Information Disclosure (2418042) here.

Tom Kelchner

Malware authors zero in on multiple sclerosis sufferers

Today we found some poisoned search results on Google that were aimed at people searching for information about the new drug Gilenya, which is used to treat multiple sclerosis.

This would be a good term to use in an SEO poisoning attack since it had been in the news. Earlier this week it was announced that the drug company Novartis AG had won approval from the U.S. Food and Drug Administration to sell it. (News story here.)

So, basically, the sick fools who try to make a buck with malicious code are targeting people suffering from MS or their caregivers.

The poisoned search results appeared when someone misspelled Gilenya as “Gilenia”; the linked pages were set up to download a Trojan horse program that (conjecturing here) would in turn download a rogue security product or worse.

 

By the time we got to check out the second site, its owners apparently had removed the malcode. The Google search spider on its last sweep, however, had found that the page had the same text as the first poisoned page.


That’s FraudTool.Win32.FakeVimes!VB (v)

The poisoned site has been taken down.

Thanks StopBadware.

Tom Kelchner

Halo Reach: Scams Galore

Halo scams

Halo Reach has been doing rather well since the game was launched last week. Of course, this means scammers have marked it as a target for shenanigans. I thought it would be a good idea to have a quick look at some of the most common pitfalls to avoid. I haven’t touched phishing, as Bungie (the Halo developers) have covered that one nicely here so we’ll leave it at that. Here comes the list of woe:

1) Free generators. It doesn’t matter whether they’re offering up free armour downloads, extra weaponry or, er, “flaming helmets” – you can bet hard cash that whatever they’re pimping will not work. Many of these sites lurk on free blog hosting, advertised via YouTube:

Halo tube vids

Regardless of how convincing the site looks, or whether the YouTube clip has lots of comments saying “Thanks” for the download (those comments are fake), all you’ll get for the time wasted on sites such as these will be a fake application that doesn’t do anything and lots of surveys to fill in.

Halo generator

Fake Halo site

Fake application

Surveys!

2) Something else gamers should be wary of is stumbling onto infected sites that, through accident or design (in the form of blackhat SEO), are touting all manner of malware. Below is a search for a game-changing Halo Skull that has been mistyped (it should actually be “IWHBYD”). One little letter missing, and the end-user would be stumbling onto a URL flagged with the “This site may harm your computer” warning from Google Search.

Halo search results

The last time the above site was doing strange things was on the 23rd of this month – the infection domains serving the malware are all giving 404 errors at the moment. Gamers should always be careful when searching for hints and tips on games – they’re quite a popular target for SEO poisoning.

3) Modding / hacking Xbox accounts for cash, buying high-level profiles, giving control of your account to strangers to let them increase your score.

All of the above are bad ideas – modding accounts can easily be detected, and the banhammer is probably going to fall on your head shortly afterwards. Here’s someone selling a “high level account” on Ebay whose main selling point is “a Legit account that has 294,624 gamerscore. Offline, it is a Lt in Halo Reach, with everything unlocked, and with 2 million credits.”

Selling some accounts

Purchasing random accounts on Ebay? Bad idea. Many scammers phish accounts, mod them to artificially increase the Gamerscore then sell them on. If your new account gets busted, too bad – both your cash and your account are gone.

You’ll probably want to avoid deals such as the below on Ebay too:

Gamerscore mods

Finally, it goes without saying that you should never hand over login details to “helpful” gamers who want to increase your score – things will go wrong in a hurry.

There will probably be many more scams related to Halo Reach over the coming months, but the above list hopefully gives you an idea of what the most common ones will be.

Also, the last level of Halo 3 was terrible.

Christopher Boyd

Indian jiggle dance video leads to malcode



It all started with a troll on Facebook. “SIngh Boobshow Dance” on YouTube. With a URL tacked on. Checking the connections to this site demonstrates an interesting “ephemeral” sort of advertising of a site that has malicious content available (whether intentionally or as a result of a hacked server.)

But hey, who can pass up a video with a name like that:

Good grief, in three months it’s gotten nearly 20,000 views, according to YouTube.


And we have the MyHotSite.net URL advertised on top of the video of the jiggle dance show.


And advertised, and advertised and advertised…


So we finally take the hint and go to the site.

Oh, I need an additional plugin for Firefox? Funny, that’s a .pdf file the site seems to want to download.


VIPRE thought it was funny too. Now it is possible that the file was uploaded to the MyHotSite.net server by a malicious operator.


VIPRE says it’s a downloader: “Exploit.PDF-JS.Gen (v) is a detection for threats that exploit a security flaw in PDF files with embedded JavaScript that often installs downloaders that retrieve further malware from remote Web sites.”

What did it want to download? You can be sure it wasn’t good, but the site (or code placed on it) clearly had measures set up to offer the malcode only on a visitor’s first visit, so an analyst couldn’t go any further.

The video that was the original lure in all of this might have been swiped from an Indian news site, IndiaInteracts.com, since its URL appears amid the dancing girls.

But back to the original source of the URL.

Taqi Quresshi doesn’t exist on Facebook.

How about a search for Web pages that link to MyHotSite.net? Only one page links to it in the whole wide world – a Facebook page according to Google:

Asep Tian, whose page no longer exists anywhere except Google’s cache, had text in Indonesian and, of course, a link to MyHotSite.net.

Bottom line: beware of URLs that show up in social media and in videos. When they appear in graphics, such as videos, they can’t be found by search engines looking for links to malicious sites.

Tom Kelchner

Browser cookies are becoming an issue



The New York Times is reporting a rising number of lawsuits against some major players because of their use of persistent web tracking:
— Fox Entertainment Group
— NBC Universal
— Specific Media
— Quantcast

The Times said the suits are claiming that the companies used Flash cookies to collect data on browsing activities in spite of the fact that users had privacy settings on to block them.

Those Local Shared Objects (LSOs) are persistent cookies that are stored in several ways and in some cases will restore themselves when deleted. One is available, with a detailed description here.

There are really mixed reviews on cookies. They range from the paranoid take of the tinfoil hat crowd (“it’s the government! Remember Roswell?”) to the mindset of marketing folks who find targeted advertising a very handy tool. And, hey, advertising does pay the bills.

Everyone agrees that, yes, it is possible for the marketeers to amass a lot of data about individuals by using cookies to monitor browsing activity. The question that probably will be decided in court is: “how much monitoring should be allowed?”

Cookie countermeasures

On the New York Times site, someone who called him or herself “Blue Sun” from Stockton, NJ, left a long and detailed comment describing an entire set of anti-tracking practices, including the names of several Firefox add-ons: “Retargeting Ads Follow Surfers to Other Sites”

Blue Sun recommends using Firefox because it has lots of add-ons and lists a number that are useful:

— Ghostery, blocks invisible trackers such as web ‘bugs’, pixels and beacons used by behavioral data providers and ad networks.

— BetterPrivacy, identifies and enables you to delete locally shared objects (described above).

— Click&Clean

— Eraser

— Privacy Plus

Cookie removal

You can remove the advertising cookies (not the LSOs) on your machine whenever you want:

In the Firefox menu: Tools | Privacy | Remove Individual Cookies

It’s impressive just to look in there and see the number of cookies that you’ve accumulated. If you “remove all cookies” keep in mind that you’re going to be required to use your log-in name and password on those pages on which you’ve “saved passwords” in the past.

The Firefox add-on Adblock Plus is another little helper that will simply stop ads from appearing when you visit pages that contain them. (Tools | Add-ons | Get Add-ons).


Those who would like a strong dose of Web security can also disable JavaScript. Unfortunately that kills a lot of very useful functionality on web pages, including logins and shopping.


Macromedia’s help page that describes how to use Flash Player security settings is here.


Tom Kelchner

Update 09/23:

The Firefox add-on NoScript is also an excellent option for controlling JavaScript running in your browser. It gives you the option of letting it run or not. That’s a much more graceful way of doing it than simply shutting it off in the Firefox options.


With credit to “IT” in the comments.

It’s a review, honest

Spammers don’t generally tend to hide themselves very well – if your mailbox isn’t heaving with Viagra and Rolex spam, then your forums are probably stuffed to bursting point with imitation Gucci bags and MMORPG gold farmers.

They do come up with clever little scams every now and again, though. Check out this guy:

FB spam

While the above isn’t particularly fantastic, he’s certainly up to some sneaky spamming elsewhere. A well known videogame website allows users to write reviews about the games they’ve played on a specific section of the main portal. Instead of forum spamming or sending junk by direct messaging, he’s using the reviews to promote downloads and moneymaking affiliate schemes instead:

review

CoD website

just a few questions...

That’s a pretty smart way to try and evade the moderators – it’s certainly a lot less obvious than six thousand “buy these handbags” messages splattered across a forum…

Christopher Boyd

Malware Minute video debuts

New GFI Sunbelt Software weekly video feature

The new GFI Sunbelt Software Malware Minute video is available for your viewing pleasure on the SunbeltSoftware YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that will provide a weekly roundup of top stories from the GFI Sunbelt Software Blog, the GFI Sunbelt Rogue Blog and anything else we think might be of interest.

By the looks of our YouTube statistics, several dozen regular viewers of the Sunbelt YouTube channel already noticed the trial run of the Malware Minute last week.

We think we got all the kinks out.

Tom Kelchner

Twitter XSS vulnerability fixed


Twitterers are still clogging the micro-blogging service with little messages about the cross-site-scripting problem earlier today. Twitter has announced that the problem has been fixed.

A cross-site scripting vulnerability using “onmouseover” was being widely exploited to spread worms and redirect viewers to malicious sites.

Story here from The Register.
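The kind of bug behind an “onmouseover” worm is a user-supplied value landing inside an HTML attribute unescaped, so a quote character closes the attribute and the rest of the value becomes new attributes of the tag. The following is an added example, not Twitter’s code: a constructed link-rendering function in its vulnerable and hardened forms, plus a small checker that lists the attributes a browser would see, so a reviewer or a log check can spot an unexpected handler.

```javascript
// Added example, not Twitter's code. A constructed stand-in for any feature
// that turns user-posted URLs into <a> tags by string concatenation.
const URL_RE = /https?:\/\/\S+/g;

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the raw URL is pasted straight into the href attribute. A double
// quote inside it ends the attribute, and whatever follows is parsed as further
// attributes of the <a> tag, including on* event handlers.
function linkifyNaive(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened: every fragment is escaped for the context it lands in. A quote in
// the URL becomes &quot;, which cannot terminate the attribute.
function linkifySafe(text) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = escapeHtml(m[0]);
    out += `<a href="${url}">${url}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Checker: the attribute names a browser would see on the first <a> tag of a
// rendered fragment. Any name starting with "on" means input escaped its attribute.
function anchorAttributeNames(html) {
  const tag = html.match(/<a\s([^>]*)>/i);
  if (!tag) return [];
  return [...tag[1].matchAll(/([a-z-]+)\s*=\s*"[^"]*"/gi)].map((m) => m[1].toLowerCase());
}

function hasEventHandler(html) {
  return anchorAttributeNames(html).some((n) => n.startsWith("on"));
}

// Constructed sample post: a URL carrying a quote followed by a handler attribute.
const SAMPLE_POST = 'see http://example.com/"onmouseover="doSomething()" now';

console.log("naive:", hasEventHandler(linkifyNaive(SAMPLE_POST))); // true
console.log("safe :", hasEventHandler(linkifySafe(SAMPLE_POST)));  // false
```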

Tom Kelchner

Bing advert peddles Firefox with Hotbar adware

Firefox: how much freer can it get?

Alert Sunbelt Blog reader Jesse C alerted us to this one. We’ll just quote his email to describe what’s going on:

“After a fresh install of Windows, I pulled up IE and did a Bing search for ‘firefox.’ The *sponsored* result at the very top of the list is from ‘fire10fox.com’, which seems to want to install something called ‘hotbar’ along with a cluster of other seedy looking things, all to get something that’s already free!”

Yep, it was still there this morning:

VIPRE detects it as Trojan.HTML.FakeAlert.e (v)


Thanks, Jesse C.

Tom Kelchner

Update 4:30 p.m. (Eastern):

The Bing folks appear to have fixed the problem. We had reports of a fix as early as 2:30 p.m.

View more pix? Not exactly…

The website viewmorepix(dot)com is currently being spammed out on services such as Twitter, and I thought it was worth poking with a stick.

view lots of pics, honest

Yes, this website claims it will let you view all sorts of hidden content – pictures on Facebook, protected Tweets and private profiles on Myspace to name but a few.

Who wants to bet on it working? Oh right, nobody. Well let’s get this train wreck moving with the hilariously poor Disclaimer:

oh dear

Get this – you build a website specifically designed to convince people you can view hidden and private content. You claim to have all sorts of funky tools that can bypass the services mentioned. You post lots of Youtube videos that no longer exist due to terms of use violation. Then you say “You agree not to use this site for purposes such as gaining access to profiles which you do not own, respect the privacy of others and access only the profiles and images you have rights to”.

I don’t know about you, but that kind of makes the concept of “View More Pix” somewhat redundant.

Every example of profile / content grabbing is amazingly poorly done. This is what happens when you try to look at protected content on Twitter:

Grab the account

this looks legit

“Show tweets”? This is going to be a gigantic flop, isn’t it?

Our survey says...

Ah well. You do get to see those awesome protected tweets after filling in one of the surveys though.

whoops

The only slight drawback is that they’re written in invisible ink.

Next up, their dire “method” for viewing private Myspace profiles. The number of Facebook “Likes” the below page has had is rather depressing, so try to focus on the various steps they give you instead:

Myspace

What comes next is genius, sort of:

cache links

You get a small box with a Google Cache link to the profile in question, in the vague hope they might have had their profile public beforehand.

The Facebook one just shows you a picture of the Facebook logo.

facebook logo

They do suggest being logged in when you try this, but it doesn’t seem to make any difference. There’s a surprise.

All in all, I can’t say you’re going to get very far indulging furtive needs on this particular website. Maybe you should just send a follow request or ask if you can look at their pictures instead…

Christopher Boyd

Scammers set their sights on Resident Evil: Afterlife

Resident Evil. Man, those films are terrible.

Frankly, I’m happy to end the writeup right there, but if I did you’d miss out on all the fun.

Resident Evil Afterlife is now in cinemas (unfortunately) and scammers are all too happy to cash in.

watchresidentevil4(dot)com is our port of call today:

Resident Fakeout

Try to watch the film, and you’re prompted to install ClickPotato (from Pinball Corp).

Installer

There are also four other items pre-ticked, which is nice of them.

Installing that lot gives you a prompt to “see premium content”.

Oh dear

You know where this is going, and it isn’t anywhere other than “the bottom of a ditch”.

I got:

Sign up on the what now

Some sort of sign up to view content website!

All gone

A copyright infringement warning!

Well hello there

About six thousand adverts for Russian dating / bride-to-be services!

What I absolutely did not get was any form of Resident Evil action. Depending on how you feel about such things, that might not be such a bad outcome. You still have all of that stuff installed on your PC, though…

Christopher Boyd

Shocking Girlfriend on Facebook is rather predictable

Another day, another scampage lurking on Facebook. Let’s kick things off with a look at shockingirlfriend(dot)com:

shock horror

Do you really think some guy went “a little too far with his revenge”? No, me neither. They do seem awfully keen for you to click “Like” then “Share”, though.

Do it. Right now.

add this, please

This is what the Facebook Walls belonging to your friends will look like should you hit “Publish”:

Spam galore

Messages galore, courtesy of “g1rlfriendsh0ck”. Let’s take a look at that page, which is a Facebook application page (minus any application) located at apps(dot)facebook(dot)com/shawkgrlfriend:

Shocking...

As you can see, all they’re doing is loading the content from shockinggirlfriend(dot)com into the app page. What do you think happens if you’ve Liked and Shared?

oh dear

That’s right, a useless survey trying to get you to sign up for various offers you can probably do without. We’ve reported the App page to Facebook and hopefully it won’t be around for much longer.

According to the Facebook Stats there are 9,629 people who have Liked / Shared this page so far. I imagine the owner of said scam (who is hiding behind a Domains By Proxy registration) is making a tidy packet from this one.

Shocking…

Christopher Boyd

Letting the Texas Hold’em chips fall where they may

Not in your pocket

This surfaced today:


It’s another Facebook scam, this time trading off game maker Zynga’s name:


The page prompts you to “like” and “share” its advertisement. It looks like about 6,500 people did at this point. We checked later and Facebook users were “liking” it at the rate of 800 “likes” per hour.


If you click through without sharing or posting the notice, you still get the offer — some adware-infected games and job search help. Obviously somebody is hoping to make some money as an affiliate, passing along “customers” to a variety of sites:


Bubble Boomers – great game.


About three weeks ago GFI Sunbelt blogger Chris Boyd wrote about a similar scam. Obviously, the stakes are going up, since that offer was only ONE million chips.

He concluded:

“I doubt we’ve seen the last of this one…”

He was right.

Tom Kelchner

Large collection of stolen logins go public

Below is a rather bland FarmVille phish that was brought to my attention by a friend who had it posted to their Facebook account. The entire page is blank save for the fake login:

phishy antics

Nothing spectacular, I’m sure you’ll agree. However, we did a little digging around on the same URL and came across a large collection of what the site claims are stolen Facebook logins, dating from July right up to today:

stolen logins

While we can’t confirm these logins were obtained via the FarmVille phish (that seems a little too crude to be grabbing this many username / password combinations), there’s a good chance that many of the users on the list use the same passwords for their email accounts as their Facebook login. We have everything from Yahoo and GMail to Hotmail and AIM on there – not great in terms of the amount of personal data that might be accessible.

As far as numbers go (and accounting for the fact that there are some duplicates / clearly fake entries on there) this is what you get when you paste the accounts line for line into Word:

word count

2,859 lines of text sitting in the table of data, each with a login ready and waiting to be plundered. The site appeared to be rather popular before we notified Facebook to have it taken down:

popularity contest

If you compare the above stats to those in the first screenshot, the pageviews have gone up by just under 300 since yesterday.

It’s entirely possible there are more of these account dumps out there, seeing as this one was numbered – worse, we’ve since found another dump which has some (but not all) of the same data posted to it along with logins not present in the first batch. The second site is registered to a Chinese email address, and doesn’t seem to be related to the “Facebook” logins so there may be numerous individuals having some fun here.

As always, be careful what you’re clicking on.

Christopher Boyd

September Patch Tuesday

Microsoft has issued nine security bulletins patching vulnerabilities in Microsoft Windows and Office. Four were rated “critical” and five “important.”

MS10-061 — (Windows) Vulnerability in Print Spooler Service Could Allow Remote Code Execution
Critical

MS10-062 — (Windows) Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution
Critical

MS10-063 — (Windows and Office) Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution
Critical

MS10-064 — (Office) Vulnerability in Microsoft Outlook Could Allow Remote Code Execution
Critical

MS10-065 — (Windows) Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution
Important

MS10-066 — (Windows) Vulnerability in Remote Procedure Call Could Allow Remote Code Execution
Important

MS10-067 — (Windows) Vulnerability in WordPad Text Converters Could Allow Remote Code Execution
Important

MS10-068 — (Windows) Vulnerability in Local Security Authority Subsystem Service Could Allow Elevation of Privilege
Important

MS10-069 — (Windows) Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege
Important

Security bulletin summary here.

Tom Kelchner