PDF exploit in action

Naked ladies as bait, one more time

One of the much-discussed PDF file exploits is circulating in SEO poisoned links. We found it by following links that popped up from a search for “Vanessa Hudgens No Clothes.”


The malcode takes advantage of a vulnerability in an out-of-date version of Adobe Reader (version 6.0), and it prompts the victim to download Java if Java isn’t already installed on the machine. Adobe Reader 9.4, the current version, isn’t vulnerable.


Clicking on the “Available Updates” pop-up window runs the exploit, which then installs a downloader that can infect the victim with any one of a rogue’s gallery of malicious code.


VIPRE detects it as Exploit.PDF-JS.Gen (v).

Thanks Patrick

Tom Kelchner

Adobe will fix Shockwave Player today

Adobe has announced that today it will fix the critical vulnerability in the Windows and Macintosh versions of Adobe Shockwave Player 11.5.8.612 (and earlier). The company said it has received reports of active exploitation.

The vulnerability (CVE-2010-3653) can crash the application and allow an intruder to take control of the system.

Security bulletin here: http://www.adobe.com/support/security/advisories/apsa10-04.html

If you use Shockwave Player, it would be a good idea to watch for the update.

Tom Kelchner

ThinkPoint rogue has functioning menu

(Which you can use to get rid of it)

When you fall victim to the ThinkPoint rogue security application, the downloader reboots the machine and then presents the victim with its own scanning screen on what appears to be a Windows blue screen.

 
Once the machine is rebooted, the rogue takes over the machine by preventing Explorer.exe from loading (which means the desktop will not load either). If you click on the X in the upper right corner to close out of ThinkPoint, you are then presented with the “unprotected startup” screen.

A victim can’t get around the ThinkPoint screen because “current settings don’t allow unprotected startup.”


However, ThinkPoint actually has an operating “settings” selection with a drop-down box that includes a checkbox “Allow unprotected startup.” You can close the ThinkPoint window and load your desktop once that has been checked. From there, you can use Windows Task Manager to stop hotfix.exe — the rogue’s main file.

Alternatively, you can install and run VIPRE, which will remove the rogue, too.

 
We described ThinkPoint on the GFI-Sunbelt Rogue Blog Friday here.

Thanks Dodi.

Tom Kelchner

The Dutch take down Bredolab botnet

The High Tech Crime Team of the Dutch National Crime Squad has seized 143 Bredolab command and control servers and effectively shut down the botnet that controlled 30 million computers, according to the country’s public prosecutor’s web site.

The takedown was a cooperative venture that also involved a Dutch hosting provider, the Dutch Forensic Institute, Internet security company Fox IT and GOVCERT.NL (the Dutch computer emergency response team).

According to the account on the web site of the Public Prosecutor (Openbaar Ministerie): “The botnet network used servers hired in the Netherlands from a reseller of LeaseWeb, which is the largest hosting provider in the Netherlands, and one of the largest hosts in Europe. LeaseWeb fully cooperated in eradicating the issue from its network, as part of its Community Outreach program. The Dutch High Tech Crime Team discovered this botnet system in the late summer. During its investigation, the Team determined that the network was capable of infecting 3 million computers a month. At the end of 2009 it was estimated that 3.6 billion emails with Bredolab virus payloads were sent daily to unsuspecting computer users.”

Public Prosecutor release here: “Dutch National Crime Squad announces takedown of dangerous botnet”

Thanks Nicholas

Tom Kelchner

GFI Sunbelt Software weekly video feature

The GFI Sunbelt Software Malware Minute video is available for your viewing pleasure on the Sunbelt Software YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI Sunbelt Software Blog, the GFI Sunbelt Rogue Blog and anything else we think might be of interest.

Topics this week: Chile mine rescue story SEO poisoning, Twitter phishing, U.S. government advisories on money mule recruitment and bank-account takeovers, and best books for malcode analysis and reverse engineering.

Tom Kelchner

Feds warn of money mule and takeover scams

The U.S. Secret Service, the FBI, the Internet Crime Complaint Center and the Financial Services Information Sharing and Analysis Center have issued a pair of advisories detailing the threat to job seekers from money mule scams and to small and medium-sized businesses from the bank-account takeovers that use the mules.

In the work-from-home-scam alert they said:

“In February 2010, the U.S. Federal Trade Commission (FTC) coordinated with state law enforcement officials and other federal agencies to announce a sweeping crack down on job and work-from-home fraud schemes fueled by the economic downturn. Individuals who are knowing or unknowing participants in this type of scheme could be prosecuted.”

The advisory also lists tips for avoiding the scams and web sites for more detailed information and help spotting job offers from the scammers:

— PhishBucket.org
— OnGuardOnline.org
— Better Business Bureau

In the corporate account takeover advisory they say:

“First identified in 2006, this fraud, known as “corporate account take over,” has morphed in terms of the types of companies targeted and the technologies and techniques employed by cyber criminals. Where cyber criminals once attacked mostly large corporations, they have now begun to target municipalities, smaller businesses, and non-profit organizations. Thousands of businesses, small and large, have reportedly fallen victim to this type of fraud. Educating all stakeholders (financial institutions, businesses and consumers) on how to identify and protect themselves against this activity is the first step to combating cyber criminal activity.”

For further assistance they provide links to:

— Federal Trade Commission
— Internet Crime Complaint Center
— Department of Homeland Security Cyber Report
— National Cyber Security Alliance Stay Safe Online
— Better Business Bureau’s “Data Security Made Simple”
— U.S. Chamber of Commerce’s “Internet Security Essentials for Small Business”

Work-at-home scam advisory here.

Corporate account takeover scam advisory here.

The scams could cost U.S. companies $1 billion in losses this year, according to estimates by the Anti-Phishing Working Group. (Story here.)

Tom Kelchner

Web filtering: are employees offended?

Stop malware, cut cyber slacking, reduce bandwidth use and block pr0n


Paul Mah, on the ITBusiness Edge blog, reported on GFI’s September survey of web filtering practices in small and medium businesses and got some interesting feedback from readers.

Web filtering is put in place primarily to improve network security, but another big reason is to stop the loss of productivity, he said. Employees, however, can be offended by the implied lack of trust.

One of Mah’s readers said he dutifully “practices self-censorship to enhance personal productivity.” Another, however, asked: “What makes you think your employees are productive now? A slacker will always find a way to slack around.”

GFI’s survey last year found that 47 percent of U.S. SMEs had the means to monitor or filter HTTP traffic. The GFI survey released in September (631 respondents) showed an increase in the number monitoring or filtering HTTP traffic (69.9 percent).

From the report:

“When asked why they had invested in a web filtering and web security solution, 9 in 10 SMEs said they did so to block inappropriate content, to prevent malware infections from downloaded files and to prevent malware attacks via drive-by downloads. More than half said they wanted to reduce cyber slacking, to control what sites employees can or cannot visit and to reduce bandwidth costs associated with unnecessary browsing/streaming.”

Paul Mah story here: Survey Finds SMBs are Implementing Web Filtering

GFI-Sunbelt report here.

Tom Kelchner

So, ya want to read up on malware analysis?

There was an email thread circulating here at GFI Sunbelt Labs listing good books about malware analysis. Someone said: “we should blog this.”

Here is a list of everybody’s picks:

“Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code,” by Steven Adair, Blake Hartstein, Michael Ligh and Matthew Richard (2010) http://www.amazon.com/gp/product/0470613033/

“Malware Forensics: Investigating and Analyzing Malicious Code,” by James M. Aquilina, Eoghan Casey and Cameron H. Malin (2008) http://www.amazon.com/Malware-Forensics-Investigating-Analyzing-Malicious/dp/159749268X

In-depth reads on malcode analysis and disassembling techniques:

“Reversing: Secrets of Reverse Engineering,” by Eldad Eilam (2005)
http://www.amazon.com/Reversing-Secrets-Engineering-Eldad-Eilam/dp/0764574817

“The IDA Pro Book: The Unofficial Guide to the World’s Most Popular Disassembler,” by Chris Eagle (2008)
http://www.amazon.com/IDA-Pro-Book-Unofficial-Disassembler/dp/1593271786

“Disassembling Code: IDA Pro and SoftICE,” by Vlad Pirogov (2005)
http://www.amazon.com/Disassembling-Code-IDA-Pro-SoftICE/dp/1931769516

“Rootkits: Subverting the Windows Kernel,” by Jamie Butler and Greg Hoglund (2005)
http://www.amazon.com/Rootkits-Subverting-Windows-Greg-Hoglund/dp/0321294319

The classics:

“The Art of Computer Virus Research and Defense,” by Peter Szor (2005)
http://www.amazon.com/Art-Computer-Virus-Research-Defense/dp/0321304543

(Although this is five years old, it’s something of a classic. It’s a nice history of malicious code, detection techniques and just a really good all-around read.)

“Malware: Fighting Malicious Code,” by Ed Skoudis and Lenny Zeltser (2003)
http://www.amazon.com/Malware-Fighting-Malicious-Ed-Skoudis/dp/0131014056

Zeltser also has a web site with great information:

http://zeltser.com/reverse-malware-paper/ (2001)

http://zeltser.com/combating-malicious-software/ (updated)

Thanks Alex and Eric

Tom Kelchner

Twitter phish aims for the big players

Over the weekend we saw a link being pinged around in various chatrooms, which was directing users to a “mobile” version of Twitter. The page was a phish located on a free webhost:

(Screenshot: fake mobile Twitter page)

What particularly caught my eye was when I dug around on Twitter itself for the URL. Check out these posts from 2009:

(Screenshot: phishing for logins)

We have a Twitter account with “Facebook” in the name (a dirty big clue that something isn’t right here), sending out links to a “lighter version of Facebook”…which takes you to the fake Twitter page.

I’m sure it made sense to the creator at the time, but anyway. This was a clear attempt to grab some high profile accounts and use them for shenanigans:

Warren Sapp, retired American Football player.

Alison Sudol, singer / songwriter with a rather large follow count.

Pete Wentz from the band Fall Out Boy, with an even bigger collection of followers.

It doesn’t look like any of them ever sent out spam, infection or phish links so hopefully they didn’t take the bait – there could have been a bit of a Fall Out (oh ho ho) from that eventuality. The phish URL had quite a bit of action going on:

(Screenshot: fake logins galore)

Fake Facebook and Twitter pages, along with a stolen password page for each. Luckily neither password dump appeared to have any valid accounts in them – everything we saw was either random garbage or humorous and entertaining messages left for the phisher, usually with a record number of swearwords thrown in for good measure.

Of course, we’ve reported all of the above and while the rogue Twitter account is still live (though probably not for long), the URL it happens to be pointing to looks like this:

(Screenshot: 404 page)

“The site in question was violating our ToS and was removed”.

No kidding.

Christopher Boyd

Zynga sued in privacy breach controversy

218 million “class members” probably won’t settle for Farmville dollar

A suit has been filed in U.S. District Court in San Francisco on behalf of a Minnesota woman charging game maker Zynga with leaking the personal information of 218 million Facebook members in violation of federal law. The suit seeks class action status. (Story in The Register of the UK here.)

The action follows by three days an investigative story by The Wall Street Journal that found a large number of Facebook apps – including Zynga games such as Farmville and Mafia Wars – leaked the user IDs of Facebook players and their friends to outside companies. (Story here.)

Users’ privacy on the Internet has been a dicey proposition (some say non-existent) for most of the net’s history. Social engineering techniques early on became about as refined as cryptographic algorithms.

The compromise of personal information from breached company, university and government systems made high-profile headlines. That resulted in security standards and laws that required notification of those whose information was compromised (California’s breach notification law, HIPAA, etc.).

The rise of spyware took the issue to entirely new levels and created a whole anti-spyware component of the anti-virus industry.

The most recent controversy over social media exposures (especially by young people) and persistent tracking cookies just refined the concern.

The central question in all of this for the Internet user should be: “will there be some new technology in the future that will circumvent all existing safeguards and compromise my personal information yet one more time?”

If Internet history is any guide, the answer is “yes.” There has been a long chain of innovative methods for extracting personal data from any place it is stored, and it appears that will never end.

Hackers and virus writers solved the problem years ago. They use pseudonyms (and more than one in known cases). We haven’t heard of any widespread use of pseudonyms by the average user on social media sites, but we predict it isn’t far off. And it’s not like we’re suggesting it, but changing accounts every few months on things like web email and social media sites and using false personal data like dates of birth would sure play havoc with tracking systems. It will probably give you a whole new selection of spam too.

Hey, on the Internet no one has to know you’re a dog (or your real DOB.)

Tom Kelchner

Update 10/22:

I stand corrected.

I’ve been told The Register has a sizable staff in the U.S. and half its 5.5 million unique readers are in the U.S. So when I wrote “The Register of the UK” that wasn’t really accurate.

Update on the Dr. Kent case

Last year, I wrote briefly about the Dr. Kent case.

I made the point that this statement was absolutely false:

Under questioning by Kent’s attorney, D. James O’Neil, Investigator Barry Friedman said he had found evidence of some viruses, so-called “trojans” and other unwanted software on Kent’s computer when he analyzed its hard drive at the state police Forensic Investigation Center in Albany. The placement of a “trojan” on a computer makes it easier for other kinds of potentially harmful viruses to find ways to attach themselves to a computer, Friedman explained.

Under questioning by Senior Assistant District Attorney Marjorie Smith, however, Friedman said none of the viruses or “trojans” he found on Kent’s computer would have enabled someone to download, sort or file the more than 60,000 images of children in provocative poses discovered on the computer.

“No known virus is capable of doing those things,” Friedman testified. [emphasis mine]

I just got this update from his brother-in-law:

As a post-script, Dr. Kent was convicted, and just last week his appeal was denied. The appeal included what NY Law Journal characterizes as “first impression” that images from a browser cache may be used as evidence of child pornography. (The article is behind a paywall, here.)

Although the article gets a number of things factually incorrect (and warps many others…), it does correctly express that Dr. Kent declined to pursue a research project involving child pornography several years ago – and attempted to remove illegal items from his hard drive. It does correctly express that the forensic evidence was obtained from a copy-forward image from a previous hard drive, and that none of the items in question were ‘in current use’.

The full text of the appeals decision is (freely) available here.

For other background, please see: http://www.justice4jimkent.com/ (and accounts of his life in prison here).

Alex Eckelberry

Site is loaded for SEO bear

Be careful if you’re looking for live coverage of the Chile mine rescue

Alert reader Marco tipped us off about this one: a web site loaded with 10 landing pages used to poison search results for the Chile mine rescue story. The real agenda was to scam you into installing a rogue security product. Any of the links will redirect your browser to a download site in the familiar co.cc domain.

These are the URLs. Notice the variations on the theme of “Chile”, “mine” and “rescue.”


Clicking on any of the above results in a Firefox browser gets you this:

It’s the “update-your-Firefox-browser” scam, although the page didn’t wait for you to click any buttons; the download started by itself.

That’s detected as VirTool.Win32.Obfuscator.hg!b1 (v) which is commonly used to download other malcode (like maybe a rogue — see below).

As a side note, we were running the latest version of Firefox, just released today: version 3.6.11.

And for Internet Explorer users

There was no sign of the glitch we blogged about earlier this week, when IE users were told their Firefox browser needed to be updated.

But, without AV protection, clicking through will get you this:

It’s the SecurityTool rogue (see GFI Sunbelt Rogue Blog entry here).

Thanks Marco.

Tom Kelchner

GFI Sunbelt Software weekly video feature

The GFI Sunbelt Software Malware Minute video is available for your viewing pleasure on the Sunbelt Software YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI Sunbelt Software Blog, the GFI Sunbelt Rogue Blog and anything else we think might be of interest.

This week: two funny screw ups on rogue download pages for Unvirex and Security Tool, a software kit to make Fake Twitter look-alike homepages and Chris Boyd on gaming scams.

Tom Kelchner

Rogue downloader overlooks IE users

Why would I update Firefox? I’m using Internet Explorer.

It’s easy to think of the Internet bad guys out there as all-knowing, all-seeing monsters. They aren’t. They screw up too. Here’s a good one. This is something you might get from a link that appears in search engine results as a result of search engine optimization poisoning. If you go to the malicious site with the Firefox browser you’ll see this:

 
But, if you’re using Internet Explorer, you see the same thing!

 
VIPRE tells you that the site is trying to download Exploit.PDF-JS.Gen (v). We’ve been detecting it for a while now.

 
Ultimately, it’s trying to download the SecurityTool rogue or other types of malware!

Thanks Patrick.

Tom Kelchner

Name changing program is a Windows LIVE ID stealer

Microsoft has a strict policy on rude names for their XBox Gamertags. If you call yourself Spanky McBumpants (you might want to jazz that up in your head a little), they’ll force you to change it to something a little more sensible. As a result, a kind of urban myth persists that if you want to change your name without paying for it (yes, they make you pay to change your gamertag under normal circumstances), you simply have all your friends report your non-offensive name as something spectacularly foul.

Ka-ching: free name change. Unfortunately for them, Microsoft are aware of this and they check first to see if you’re trying to scam the system.

What do you think some enterprising young chap has created to cash in on this – some sort of fake Gamertag Changer, perhaps?

Oh look:

(Screenshot: the complaint program)

This doesn’t work, obviously – all they want is the Windows LIVE ID and associated password. While the program is keeping you busy with gibberish such as this…

The program has sent numerous complaints, please keep this application open for at least 2 minutes to allow it to register. The next time you login to xbox live it should ask you to change your gamertag :]

…the program is busy sending emails stuffed with juicy login details to the creator.

(Screenshot: the program emailing the victim’s login)

At this point, the only offensive thing about the victim will be the large and varied collection of swear words they fire out once they realise they’ve been had. Considering all the things you can use a Windows LIVE ID for, it isn’t really something you want to be handing over to Little Jimmy Hackpants.

VirusTotal scores are extremely low at this point – just 2/43. We detect this as Trojan-PWS.GamertagStealer.

Christopher Boyd

Phony green card lottery sites abound

The real name is “Diversity Visa Lottery Program”

We were trolling for seedy stuff today and found a URL in a Twitter post that looked promising:

A Russian porn download site. OK, we’ll give it a try:

The site opened a second browser window with this: “U.S. Program of Green Card Lottery – Year 2010.”


Green card scams have been around for a while. They charge hopeful immigrants to fill out applications that are free from the actual U.S. State Department site (link below).

We dug around a bit further and found their prices, which are pretty stiff for something that is free from the U.S. Department of State:


The real U.S. State Department Diversity Lottery page is here.

It contains the following:

“Fraud Warning

“Please Note: There have been instances of fraudulent websites posing as official U.S. Government sites. Some companies posing as the U.S. Government have sought money in order to “complete” lottery entry forms. There is no charge to download and complete the Electronic Diversity Visa Entry Form. The Department of State notifies successful Diversity Visa applicants by letter, and NOT by e-mail. To learn more see the Department of State Warning and the Federal Trade Commission Warning.”

A Google search for “green card lottery” turned up hits for a load of them.

We blogged about green card lottery phishing spam last month.

Tom Kelchner

Fake Twitter homepage kit serves up naked ladies and infection files

You might be wondering why the frontpage of Twitter has a big “Edit” line running through it in the screenshot below:

(Screenshot: fake Twitter page)

The answer, of course, is that this is not the real Twitter page at all. It’s part of an increasingly popular kit used for shenanigans:

(Screenshot: the fake Twitter kit download)

The scammer downloads the zip, edits the links in the .htm file and places something likely to catch the attention of an end-user underneath the “Edit” line. The fact that the fake content is sitting directly underneath the “New Twitter” promotional text is not a coincidence.

(Screenshot: fake content ahoy)

“Hey look, semi-naked ladies are part of the new Twitter experience! Yay! Oh wait, I have to run some sort of Sun Java update…and now my computer is sending Viagra spam to my mother.”

Top tip: if you happen to see semi-naked ladies posing under the yellow “Sign up” button on the Twitter homepage, you’re on a scam site. If the Twitter homepage starts popping boxes asking you to install Java security updates, or grab Adobe Flash executables, or files with “pwned” in the title – you’re on a scam site.

The “new Twitter experience” may be full of shiny, blinky things but infection files aren’t supposed to be part of the deal. On the bright side, all the fake pages we’ve seen so far make no attempt to disguise the fact they’re sitting on free hosting services. This obviously means that they don’t look a bit like the genuine Twitter.com URL. I’m sure it won’t stay like that forever though, so be wary of potential typosquatting because this technique combined with an “almost but not quite” domain name could reel in quite a few victims…

Christopher Boyd

HTML paper tiger

One really dumb fake scan.

The “businessmen” behind the AntivirusStudio2010 rogue security product have a web site that runs a fake scan of a visitor’s machine, tells him it’s infected, then tries to sell him their product. If you look behind the scenes though, the scan is really dumb and sort of funny.

When you go to the site, the page automatically begins a “quick scan”:


And, of course it finds malicious code on your machine.


In the grayed-out page behind the “Scan Results” box, it lists the malware it allegedly found.


If you look at the page source code, you’ll notice that the “scan” information is hard coded right in the HTML! So, every visitor has the same result! Wow, if only detecting malcode was that easy!


Now here is the result of a REAL AV scan – VIPRE identifying the Unvirex download as LooksLike.Win32.malwareD (v).


Thanks Patrick.

Tom Kelchner