Pirate Bay enthusiasts deface MPAA site

DNS cache poisoning SQL injection

Pirate Bay enthusiasts have defaced the web page of Copyprotected.com – a site owned by the Motion Picture Association of America that is dedicated to reporting violations of copy protection on DVDs and Blu-ray discs.

Defaced page:



Normal page contents (thanks Google cache):


The defacement includes a long dissertation that includes such nuggets as: “…this new ‘anarchy’ of freedom to share…” and “… autocratic rulers seek to crush this freedom.”

Thanks Wendy. Thanks Joel.

Tom Kelchner

Update: Oct. 16

We were wrong. It was an SQL injection attack

Since our original post was made, it has come to our attention that there is in fact a connection between WareNet and the MPAA.  By examining out-dated DNS assignments to 216.20.162.14, the IP address owned by WareNet and assigned to copyprotected.com the morning of the attack, it can be seen that several other domain names associated with the MPAA were at one point assigned to this address (along with a rather disparate collection of other potentially unrelated domain names).

The view that it was a DNS cache poisoning attack was based on the presumption of no connection between WareNet and the MPAA.  As it is now clear that a connection did exist and 216.20.162.14 was the original DNS assignment to copyprotected.com, DNS cache poisoning obviously was not the attack vector used.  Most likely, it was just a simple SQL injection attack on the WareNet server hosting copyprotected.com.

Fake Flash Player Fun

Infection files pretending to be Flash Player downloads aren’t particularly original, but hey – it works.

Steer clear of Portuguese language websites waving Flash files at you. Like this one:

Fake Flash website

The site in question is birimdik(dot)kg/adobeflashplayer(dot)htm. If you download and run the file, you’ve just opened yourself up to a banking Trojan. It attempts to send your data to an email address with “31337” in it, which is surely double the indignity.

We detect this one as Trojan-Spy.Win32.Delf.ho, and the VirusTotal figures currently weigh in at a 22/43 detection rate.

Christopher Boyd

Antivirus Action “Standart” rogue

This wouldn’t be a rogue security product from somewhere in the east would it?

The Antivirus Action sales site:

 


We currently detect it as “Trojan.Win32.Generic.pak!cobra”

That spelling would be a less-than-optimal translation into English of стандарт – the word for “standard” in many of the Slavic languages. In Bulgaria there is a newspaper by that name:

 
http://paper.standartnews.com/en/

Thanks Adam

Tom Kelchner

What’s in a name?

“That which we call a rose by any other name would smell as sweet” (until you throw in a different top level domain)

The UK National Schools Film Week web site url NSFW.org, is uncomfortably close to a… ah, film site that… ah… well… ah… you probably wouldn’t want kids looking at.

 That site, NSFW.com (Not Safe for Work) has a lot of films available too, however — how does one put this — does the slang term “pr0n” have any meaning for you?

The National Schools Film Week (NSFW) site (that’s dot-ORG) “provides teachers and their students the opportunity to see a wide range of films at local cinemas entirely free-of-charge.

“The Festival’s goal is to support classroom teaching by providing schools with a powerful experience for their students that links directly to elements of the curriculum, supported by an on-line library of resources related to individual films and more generic topics, essentially an extension of the classroom.”

Now NSFW-dot-COM provides a “powerful experience” and “online library” as well.

 

Clearly, with the gift of hindsight, we can say that when you choose a name for your web site, check for similar acronyms, similar names in different domains and check for sites that are just one typo away.

Actually, we just did a check. http://www.nsfw.biz/ is a penis pill site:

 

Thanks steeleweed

Tom Kelchner

Creative Commons offers “Public Domain Mark” logo

The non-profit group Creative Commons is offering a Public Domain Mark (see above) for use on documents and files to declare them copyright-free.

Creative Commons’ description: “Using the Public Domain Mark, you can mark a work that is free of known copyright restrictions and clearly convey that status. When applied properly, the PDM allows the work to be easily discovered, and provides valuable information about the work.”

Creative Commons is a nonprofit corporation “dedicated to making it easier for people to share and build upon the work of others, consistent with the rules of copyright.”

Tom Kelchner

Popular gaming scams you should warn your kids about

I thought it might be useful to rip a little bit out of my HacKid presentation and post it here. The section in question deals with the most popular scams that are floating around in gaming land. If your kids avoid these, they have a very good chance of hanging on to their accounts, money and other assorted spangly things.

1) Phishing. Yes, I’m walking into Captain Obvious territory here but hey – it works. A typical collection of twenty seven pages worth of stolen logins will drink to that, and there’s plenty of room at the bar.

stolen logins

There’s a fair amount of national / public holidays coming up in many countries, and it’s worth noting that there will be holiday themed phishes out there too. Microsoft do tend to get involved in regional deals during holiday seasons, so a carefully crafted fake email combined with a site such as the one below will work wonders:

fake site

2) Used console sales. When people do naughty things with their games consoles, Microsoft hits them with the banhammer. Their expensive console is no longer able to play online, and is about as much use as a toaster. A lot of the various types of cheating means the scammer has to change parts inside the console, which of course breaks the warranty sticker in half.

What do they do? They jump onto EBay, and buy a bunch of warranty stickers “for their collection”.

warranty stickers

I guess these replaced Pokemon cards. Anyway, they put the sticker on and take it back to the place they purchased it from – the shop may well put it back on the shelves, at which point some random person ends up buying a banned console.

more stickers

Selling banned consoles is also a popular pastime on EBay, so buyer beware – especially if the seller is called something like “Leetxboxhax0r” or whatever.

3) Fake programs. The staple diet of Youtube video watchers everywhere, fake programs have been around forever but seem to be particularly attractive to young gamers. I mean, they do look nice:

Fake programs

At best, your kid will fill in a survey (handing over a bunch of personal information to marketers) in return for a non functional program. Worst case scenario? The program will steal their login information, or dump infection files onto your PC and start trying to steal a whole lot more.

The other kind of fake program is the kind the scammer will tell you about, but not physically show you. They ask your child to send them information, or logins, or points that they’ve purchased legitimately so they can “double” them via some magical method only they know about.

Send us your points, kids

Emailing a scammer

If you bought your child 2,000 Microsoft points and they then send the scammer the redemption code, they won’t double anything – they simply enter the code themselves and keep the points.

Whenever you see a site claiming to have found a “glitch” in Microsoft servers, or a group of ex-Microsoft coders have come together to give you a bunch of freebies you can bet it is one huge scam. Example:

Lies galore

4) Big name, big target. You can set your watch to the fact that the moment a big name title is on the way, scammers will be all over it. Fake programs offering extra items, surveys to grant access to fictional Beta tests, phish mails that also promise Beta access…all of these scams will hit the ground running, usually driven by phony Youtube video campaigns (complete with the usual fake “This worked, yay” comments from Youtube users that are actually friends with the scammer).

Halo fake site

Knowing that some users will be suspicious of freshly registered Youtube accounts singing their praises, the scammers will first steal a bunch of Youtube logins – the older the account, the better – which will look a lot more convincing to a younger user.

Fake comments

Additionally, we see Rogue SEO scammers pushing fake antivirus products focusing on searches related to specific elements of games (usually the most difficult ones). At that point, you could end up with programs on the PC you’d rather not want so extra caution is advised.

There are other ways of acting maliciously, of course – but the above examples are the ones I tend to see recycled over and over again. Feel free to throw in any examples you’ve seen doing the rounds.

Christopher Boyd

GFI Sunbelt Software weekly video feature

The GFI Sunbelt Software Malware Minute video is available for your viewing pleasure on the Sunbelt Software YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that will provide a weekly roundup of top stories from the GFI Sunbelt Software Blog, the GFI Sunbelt Rogue Blog and anything else we think might be of interest.

Tom Kelchner

HacKid – An Amazing Conference

I’ve just returned home from Boston, having taken part in one of the most interesting, original and awesome conferences I’ve ever seen.


Step up HacKid, a conference geared towards “providing an interactive, hands-on experience for kids and their parents which includes things like staying safe online, how the internet works, manipulating hardware / software for fun, meeting law enforcement, low impact martial arts, podcast creation, Makerbot building” and an awful lot more to boot.

Busy Schedule

I’ll be honest, I wasn’t sure if it would go without a hitch or end up like a scene from 28 Days Later. However, I’ve seen adult conferences that haven’t run as smoothly as this one. Turns out you CAN fill a Microsoft Research Center with small children and watch them learn about security basics, technology, programming languages like KODU, building things and the many, many definitions of what a “hacker” can be and what those same hackers can do in a positive manner.

Plus, we had a Hoverdrone that you could control with an iPhone.

My talk was a shorter, retooled and updated version of the gaming security preso I wheeled out at SecTor. Of particular note to the parents was the “Five top scams to avoid”, which seemed to cause a few “Oh, so THAT’S what it was” type glances around the room. Besides the parents, there were kids of all ages present (from about five up into the teens range) and I was surprised to see most young children were quite happy to sit and listen about security stuff, although I made sure my ramblings were restricted to about 30 minutes tops with time for questions if needed. My only suggestion here would be to maybe have a dedicated “Teens” track session – while the parents of the younger children present are now swimming in “things to avoid”, I’m not 100% certain the very young kids can handle a 30+ minute talk.

There were also security presentations from Microsoft themselves courtesy of Jeff Williams, and a number of other security themed chats throughout both days.

Additionally, you could feast your eyes upon robots that make stuff:

Makerbots are pretty amazing bits of kit – the one below was given away in a raffle on the second day:

Signed, sealed, delivered

That’s a “before” shot, by the way. It looked more like this by Day 2:

The Break-R-Bot

I also helped to plug three wires in, and it didn’t explode or anything so that’s a bonus.

Lockpick village:

He has amazing Star Wars tattoos on every square inch of his arms, by the way.

I particularly liked the “anything goes” atmosphere – I found myself getting involved in a talk regarding the many meanings of the word “Hacker” in popular culture across both days.

What particularly blew me away was on Day 2, we all had to wear protective eye goggles.

The reason? A row of kids at the front were shooting us in the face with DIY marshmallow guns.

Marshmallow gun

I tell you what, I never got shot in the face at RSA or InfoSec Europe. Tough crowd!

Now the event is over and people have hopefully arrived home in one piece, I’m starting to see some blog posts go up. I’ll add more as I see them, and you can see my photos here. HacKid was a definite success, and with any luck you’ll be seeing more HacKid events popping up both in America and elsewhere – I believe there’s an upcoming event scheduled for DC to kick things off, and we’ll see how it goes.

Kudos to Microsoft for hosting the event, all of the sponsors and everyone that took part. I had an excellent time, parents and their children picked up lots of useful skills & information and the organisers should be very proud of their efforts.

More please!

Christopher Boyd

New fake codec scam impersonates Firefox VLC video plug in

This turned up today: new fake codec scam masquerading as a VLC video player plugin error message. In reality, clicking on the “install” button will result in a download of the Security Essentials rogue security product.



In the event you stumble across it and just must watch 10,000 adult movies (or whatever), go to the real VideoLAN plug-in download site here: http://www.videolan.org/


If you are “unwise” enough to fall for the scam, you’ll get this: the Security Essentials rogue (GFI Sunbelt Rogue Blog here: http://rogueantispyware.blogspot.com/2010/02/security-essentials-2010.html)



Thanks Patrick. Thanks Adam.

Tom Kelchner

WOW MMORPG > 12 M

World of Warcraft hits 12 million subscribers world wide

Blizzard Entertainment has issued a news release saying that the number of subscribers to World of Warcraft has hit 12 million worldwide.

“This milestone was reached in the wake of the mainland Chinese launch of World of Warcraft’s second expansion, Wrath of the Lich King, and also as global anticipation continues to mount for the December 7 release of the game’s third expansion, Cataclysm,” they said.

WOW, which is played by people speaking eight languages, began in North America, Australia and New Zealand in 2004, the company said. It is now the most popular massive multiplayer online role-playing game (MMORPG) and is keeping people up waaaay too late at night in North America, Europe, mainland China, Korea, Australia, New Zealand, Singapore, Thailand, Malaysia, Indonesia, the Philippines, Chile, Argentina and the regions of Taiwan, Hong Kong, and Macau.

The security picture

Online games, unfortunately, are no longer just fun and games. With the vast, vast audience they have, games are a serious part of the computer security landscape. Players who subscribe at a cost of $13-15 US per month are often the targets of password snatching phishing attempts. We’ve documented some of these and written about the gold-farming – largely in third-world countries – that takes an industrial approach to accessing online game accounts to steal virtual goods and turn them into real money.

Our man in the UK, Chris Boyd, has become a specialist in spotting the hacks, social engineering and scams in the gaming world and blogging about them here on the GFI Sunbelt Blog. It looks like he’s going to have work for some time into the future.

Blizzard Entertainment news release here.

Tom Kelchner

SecurityTool rogue begins using fake codec scam

Our rogue specialist Patrick Jordan has found a new delivery mechanism for the rogue security product SecurityTool. It’s a fake Adobe Flash Player update (fake codec) on malicious web sites.

Specifically, you might find this if you go looking for naked lady pictures in the .pl (Poland) top level domain.


Thanks Patrick.

Tom Kelchner

All in the (rogue) family

Why go to the trouble of writing new code if you can “borrow” it from somewhere else? Our rogue researcher (in more ways than one) Patrick Jordan has pointed out the similarities in design elements in Web pages used by online scanner scams for the Trojan DNSChanger and four recent rogues.

The “System Folders” portion of the graphic is used in three of them. The “Your computer is infected!” graphic twice. “System scan progress” is used twice. The fake “Windows Security Alert” box three times.

1. “Online Protection:” Trojan DNSChanger

 

2. “Windows Security:” The FakeAlert for the Security Essentials rogue
On Rogue Blog: Security Essentials

 

3. “Wait a minute!” SecurityTool rogue
On Rogue Blog: SecurityTool 


4. “Security Analysis:” FakeVimes family of rogues (most current is SmartSecurity.FakeVimes)

On Rogue Blog: SmartSecurity.FakeVimes

 

5. “Warning!” Antivirus Plus rogue
On Rogue Blog: Antivirus Plus

 

Thanks Patrick

Tom Kelchner

Microsoft Security Bulletin Advance Notification

Microsoft has issued its advance notification for October’s Patch Tuesday. The company said it will release 16 security bulletins next week.

Microsoft Office
Two for Microsoft Office marked “important” will patch remote code execution vulnerabilities.

Microsoft Server Software
One for Microsoft Server Software marked “important” will fix information disclosure vulnerabilities.

Windows and IE
One for Microsoft Windows and Internet Explorer marked “critical” will fix remote code execution vulnerabilities.
   
Windows
Three for Microsoft Windows marked “critical” will patch remote code execution vulnerabilities.
   
Two for Microsoft Windows marked “important” will patch elevation of privilege vulnerabilities.

Three for Microsoft Windows marked “important” will patch remote code execution vulnerabilities.

One for Microsoft Windows marked “important” will patch elevation of privilege vulnerabilities.

One for Microsoft Windows marked “important” will patch denial of service vulnerabilities.

One for Microsoft Windows marked “moderate” will patch remote code execution vulnerabilities.

One for Microsoft Windows marked “moderate” will patch tampering vulnerabilities.

Microsoft Security Bulletin Advance Notification for October 2010 here.

Tom Kelchner

“This offer is available TODAY only!!!”

Hmmm. That’s not what the source code says

We started out the day fat fingering the spelling of “youtube.com” and ended up at the typo squatting site behind the URL “youube.com.” youube.com redirects you to http://youtube.com-prizes.com – obviously a URL intended to make you think it’s really YouTube.
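The two tricks seen here (a hostname one typo away from the real one, and the real name glued onto the front of someone else's domain), plus the different-TLD problem from the NSFW.org post, can be checked for mechanically when triaging proxy or DNS logs. The following is an added example, not code from the original posts; the `PROTECTED` list, the function names and the simple "last two labels" rule for the registered domain are assumptions.

```python
# Added example: triage observed hostnames against brand domains you care about.
# Assumption: brands are plain "name.tld" and the registered domain of a host is
# its last two labels (no public-suffix list, so "co.uk"-style zones are not handled).

PROTECTED = ["youtube.com", "nsfw.org"]  # the two legitimate sites named in the posts


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # adjacent transposition, e.g. "yuotube" for "youtube"
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]


def classify(host, protected=PROTECTED):
    """Return (verdict, brand) for one hostname."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return ("unrelated", None)
    sld, tld = labels[-2], labels[-1]
    registered = sld + "." + tld

    # Pass 1: anything that really lives under a protected domain is fine.
    for brand in protected:
        if registered == brand:
            return ("legitimate", brand)

    # Pass 2: lookalike checks.
    for brand in protected:
        b_sld, b_tld = brand.rsplit(".", 1)
        # Brand used as leading text or as a subdomain of another registered
        # domain, e.g. "youtube.com-prizes.com" is really "com-prizes.com".
        if host.startswith(brand) or ("." + brand) in host:
            return ("brand-embedded", brand)
        # Same name under a different top level domain (.org vs .com vs .biz).
        if sld == b_sld:
            return ("tld-variant", brand)
        # One keystroke away under the same TLD, e.g. "youube.com".
        if tld == b_tld and osa_distance(sld, b_sld) == 1:
            return ("typosquat", brand)
    return ("unrelated", None)


if __name__ == "__main__":
    # Hostnames taken from the posts, plus one unrelated constructed name.
    for h in ["www.youtube.com", "youube.com", "youtube.com-prizes.com",
              "nsfw.com", "nsfw.biz", "example.net"]:
        print(h, classify(h))
```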

 


 Like so many of these “survey” scam web sites, the offer was available “today only: Thursday, October 7, 2010.” Obviously, this is to add a little bit of sales pressure to make a visitor go for the prize ASAP, or at least before midnight.

Looking for the deeper meaning of life (or at least this site), we checked the page source code. The text “today only: Thursday, October 7, 2010” isn’t in there. There is, however, JavaScript to pull whatever day the page is viewed and put it in the viewer’s browser.



Well, there’s nothing illegal about that. But it’s a little html code giveaway that the folks running this thing aren’t exactly the most morally upright people who ever created a Web site, not that the typo squatting didn’t give that away already.
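The same source-code check can be automated: look for an urgency claim whose date never appears in the static HTML but is written into the page by script at view time. This is an added example, not the code of the site described; the two sample pages are constructed, and the phrase and pattern lists are assumptions that would need tuning against real pages.

```python
# Added example: flag "today only" offers whose date is generated in the browser.
import re
from html.parser import HTMLParser

URGENCY = re.compile(r"today\s+only|available\s+today|expires\s+today", re.I)
DATE_CTOR = re.compile(r"new\s+Date\s*\(\s*\)")  # current date/time in JavaScript
DOM_WRITE = re.compile(r"document\.write(ln)?\s*\(|\.innerHTML\s*=|\.textContent\s*=")
STATIC_DATE = re.compile(
    r"(January|February|March|April|May|June|July|August|September|October|"
    r"November|December)\s+\d{1,2},\s+\d{4}", re.I)


class _Splitter(HTMLParser):
    """Separate inline script bodies from the text a visitor would read."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data
        else:
            self.text.append(data)


def audit_offer_page(html):
    """Report whether a deadline on the page is fixed or re-computed per visit."""
    parser = _Splitter()
    parser.feed(html)
    parser.close()
    static_text = " ".join(parser.text)
    urgency = bool(URGENCY.search(static_text)) or any(
        URGENCY.search(s) for s in parser.scripts)
    static_date = bool(STATIC_DATE.search(static_text))
    dynamic = [s for s in parser.scripts
               if DATE_CTOR.search(s) and DOM_WRITE.search(s)]
    return {
        "urgency_claim": urgency,
        "date_in_static_source": static_date,
        "date_generated_in_browser": bool(dynamic),
        # The giveaway: a deadline that is always "today", whenever you look.
        "rolling_deadline": urgency and bool(dynamic) and not static_date,
    }


# Constructed sample: the date is produced by script each time the page loads.
SCAM_LIKE_PAGE = """<html><body>
<p>This offer is available today only:
<script type="text/javascript">
var d = new Date();
document.write(d.toDateString());
</script></p>
</body></html>"""

# Constructed sample: the deadline is a fixed date in the markup.
HONEST_PAGE = """<html><body>
<p>Offer available today only: Thursday, October 7, 2010.</p>
</body></html>"""

if __name__ == "__main__":
    print(audit_offer_page(SCAM_LIKE_PAGE))
    print(audit_offer_page(HONEST_PAGE))
```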

We took the survey of trivial questions and selected our prize: an Apple iPad and iPhone 4. That’s a retail value of $700-$1,130 (depending on options) from a leading on-line retailer. Now that’s not too good to be true or anything – YouTube gives away gear worth nearly a thousand dollars after you answer some inconsequential questions on a survey?

  

But of course you then head into the old survey loop:

“Compete to win $50,000!” — $9.99 to $19.99 per month (billed to your cell phone)


“Connect with Singles Anytime Anywhere!” — $6.99 to $19.99 per month (billed to your cell phone)



“Get the Best Horoscopes Sent Right to your Cell Phone!” $9.99 per month (billed to your cell phone)



“HOTTEST” flirting tips sent right to your mobile phone!” $9.99 per month (billed to your cell phone)



Somehow there’s no mention of the iPhone and iPad that were “available TODAY only.”

BUT WAIT! THERE’S MORE!

If you try to navigate away from the page of course, as we’ve come to expect in these sorts of things, we see this:

 

Tom Kelchner

Twitter password phishing

Our man in the UK Chris Boyd got this via a contact. It was from a Twitterer who obviously had his Twitter login stolen:

 

(Twitter apparently is filtering this URL at this point.)

The link led to a phishing page that used the deceptive tactic of showing an error message: “Wrong Username/Email and password combination.” You log in, it steals your Twitter password, sends the above Tweet to all your contacts and continues rounding up passwords.

 

If you’re “ill-informed” enough to log in to the phishing page, it snatches whatever username and password you’ve entered and passes you along to the Twitter log-in page. We made up a username and password and it took them. The real Twitter log-in page would have given you an error notification.

 There are two pieces of evidence here that you’ve been phished: Firefox asks if you want it to remember the password which you just gave to my3gb.com – obviously the phishing site (up since July 12). And there’s the Twitter “sign in” button on the page. That wouldn’t be there if you had really logged in.

 

This is phishing. The safe practice in this situation is: don’t log into pages that you get as links in emails. Go to the site yourself: type in the URL or use your bookmark.

Thanks “Just_this_time”

Tom Kelchner

Facebook spammer fined $1 billion CDN

How does one say in French: “We’re gonna make an example out of you, boy”

The Toronto Sun is reporting that convicted spammer Adam Guerbuez of Montreal has been ordered to pay $1 billion to Facebook by Quebec Superior Court. The court was upholding a U.S. Federal court fine that resulted from a wave of four million spam ads sent to Facebook users in 2008.

Guerbuez did not contest the Sept. 28 Quebec Superior Court ruling.

The Sun wrote: “According to Facebook, Guerbuez fooled its users into providing him with their usernames and passwords. One method was the use of fake websites that posed as legitimate destinations.

“After Guerbuez gained access to user’s personal profiles, he used computer programs to send out millions of messages promoting a variety of products, including marijuana and penis-enlargement products, Facebook said.

“(Superior Court judge) Fournier wrote that Guerbuez has earned ‘very significant revenues’ from his online business.”

Guerbuez appears to have maintained a very high public presence on his Web site adamguerbuez.com since 2008 and even scheduled a news conference today.

The site includes photos of the very substantial Guerbuez in casinos as well as shots of plates of food in what appears to be a very nice Montreal restaurant.

His first 2008 blog posts were to deny reports that police had raided his home and that he had an extensive criminal record.

Tom Kelchner

Update 10/08:

We fixed the title. The $1 billion was Canadian dollars. That’s US$873 million.

How not to get recruited as a money mule

Money mules are an essential cog in the machinery of international Internet theft. Commonly they are recruited through an Internet job site or via spam email by off-shore thieves.

The thieves use spear phishing or other means to get the banking credentials of businesses, government bodies or non-profit groups. They transfer money from their victim’s banks to their money mules’ bank accounts. The mules are told to wire the cash to the thieves via untraceable international transfer services minus a 10 percent commission.

Here is a recruiting spam email. The attachment “Position offer!” is a text file. That’s to avoid email filtering.



Your first line of defense is: DON’T OPEN SPAM ATTACHMENTS!

But, let’s assume you’re desperate for a job and bite at this.

If you do read something like this, look for bad English grammar and non-standard capitalization, punctuation and spelling.

(Below we’ve cut just the important parts out of a monster 920-word document.)

The pitch:

Dear Sir/Ma,

    Would you like to work online from Home/Temporarily and get paid weekly? We are glad to offer you for a job position at our company, Tangram Interior We need someone to work for the company as a Representative/Bookkeeper in the USA. This is in view of our not having an office presently in the USA.

The bait (which is always WAAAY too good to be true):

* The average monthly income is about 4000.00 USD.
* No form of investments from you.
* This job takes only 1-3 hours per day
 

The setup:

Your tasks are;
1. Receive payment from Customers
2. Cash Payment at your Bank
3. Deduct 10% which will be your percentage/pay on Payment processed
4. Forward balance after deduction of percentage/pay to any of the offices you will be contacted to send payment to. (Payment is to be forwarded by Western Union Money Transfer).

Who to contact to hook yourself:
A swift acknowledgment of the receipt of this email will be appreciated.

Thanks For Your Total Understanding.
Harry Jones,
Staffing and Recruiting Dept,
Regional Manager,
Tangram Interior.
jones.harry98@mail.com

The defense: do some research:

A Web search for “Tangram Interior” turned up the company’s web site. Checking out their location(s) revealed this:

 
A vast, sprawling corporate headquarters in Santa Fe Springs, Calif., as well as huge locations in Santa Ana, Woodland Hills and Riverside, Calif.

Does that seem like a company that has no accounts-receivable staff in the U.S.?

Do you think it’s going to be offering jobs using a non-company email account? (jones.harry98@mail.com).

And, a check of Tangram’s “employment” page turns up this:

“Important public notice.
“Our Company is a victim of an Internet scam.  Unscrupulous individual(s) are using our Company name and our website to perpetrate a fraud.  If you receive an email regarding a job opening that invites you to work from home and process payments (money orders or money drafts) please do not respond.”
. . .
That’s a whole lot of clues.

Tom Kelchner

Web advertisers will provide tracking opt-out button

Advertising Option Icon

 A coalition of media and marketing associations announced today that they are encouraging their members to begin using an Advertising Option Icon to allow Web users to opt out of online behavioral tracking.

The program encourages companies to:

— Inform consumers about their data practices through clear, meaningful and prominent notices.

— Display the Advertising Option Icon so that consumers can easily find out about online behavioral advertising, learn about the data practices associated with advertisements they receive, and opt-out if they choose.

— Register to receive information about how to be listed on the Consumer Opt-Out Page, where consumers will be able to easily opt-out of receiving online behavioral advertising from some or all participating companies.

They encourage consumers to:

— Learn about Online Behavioral Advertising: If you’re an online user, you can find out more about online behavioral advertising and how it helps provide you with more relevant advertising on the websites you visit. You’ll learn how online advertising supports the free content, products and services you use online; what choices you have; and how to use browser controls to enhance your privacy.

— Exercise Your Choice: This fall, consumers will have an opportunity to conveniently opt-out from online behavioral ads served by some or all participating companies, if they choose.

Participating Associations

— American Association of Advertising Agencies
— American Advertising Federation
— Association of National Advertisers
— Better Business Bureau
— Direct Marketing Association
— Interactive Advertising Bureau
— Network Advertising Initiative

Program Website here.

Tom Kelchner

Update:

Last week the story was making the rounds that a committee in the U.S. Senate is working on legislation for the next session of Congress that would include a do-not-track list for Web advertisers.

Senate Commerce Consumer Protection Subcommittee Chairman Mark Pryor, D-Ark., said his objective is to give consumers more control over how much tracking they want to allow.

Privacy advocates and Federal Trade Commission Chairman Jon Leibowitz have said they favor creation of a do-not-track list.

Story here: Measure Would Give Consumers More Control Over Web Tracking