New Facebook lure: death videos

Nobody said Facebook app advertising had to be in good taste.

In the pantheon of fabled people whose stories are used to attract Facebook users to survey/contest/quiz apps ($9.99 billed to your cell phone), the guy who “killed his roommate aftre (sic) Playing Black Ops games in New York” has just joined the various women who killed themselves after their father/boyfriend/whoever posted something about them on FB.

We counted 55 of these in a 10 minute span, so, it’s in circulation.

Lovely.


Of course you have to log in to Facebook.


And at this point you can see where this is going:

It uses your Facebook account to spam itself out to all your friends. At this point you are a vector.

Then it presents some lurid warnings:

And, bingo: “quiz” authentication:

And the sales pitch: one quiz, two clues a week for $9.99.

 

I’m not sure that anyone falling for this COULD buy a clue.

Tom Kelchner

GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the GFI-Sunbelt Software YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI-Sunbelt Software Blog, the GFI-Sunbelt Rogue Blog and anything else we think might be of interest.

This week we have a fake Trojan removal kit that installs the ThinkPoint rogue, a fake Kodak Galleries site that served up the Bayrob Trojan and a great royal wedding social engineering spoof by the group Scam Detectives intended to raise awareness about online shopping security.

Tom Kelchner

Fake Kodak Galleries serve up Bayrob Trojan

If you or your relatives wander onto a site claiming to be a genuine Kodak website, you might want to think twice before downloading any executables.

Here’s an example of a site located at kodak-webgallery(dot)com, which is currently offline:

Gallery Downloads

The message at the top reads: “New shared photos! You have received some new pictures, to view them simply click the button below”. Hitting the button launches a “Slideshow”, which is actually an executable file that the end-user is asked to download and run.

Doing so opens up a set of photographs taken of a rather large truck from different angles:

Vroom.

After executing the file, the folder WINDOWS\system32\69821772 was created containing various configuration files. Additionally, sijgzxel.exe and fvwtmkry.exe were copied to the System32 folder itself.

Config files

The final piece of the puzzle is a set of references to an email address, eBay, eBay Motors and various other eBay domains (along with the non-eBay Escrow.com) in the process dumps we generated while testing.

It looks like a blast from the past called Trojan.Bayrob has risen from the grave to cause problems for big moneyspenders on eBay. It seems to come around every so often – here’s an attack from 2007 and here’s one from 2008 – and now someone has decided to spam it out from a fake Kodak domain registered via a privacy service.

Bayrob is a nasty little thing, spoofing pages from eBay and other sites to fool the end-user into handing over bundles of cash. Motor buyers are a popular target, hence the reason why many of these attacks tend to involve car photo slideshows. The Trojan can have a devastating impact – here’s a victim who was fleeced out of $8,600 by scammers.

To coin a phrase: whoops.

We detect this one as Win32.Malware!Drop. Detection rates are very low, currently clocking in at 5/43 so be careful out there and don’t be fooled by random photograph galleries. There’s no way to tell if these fake Kodak sites are currently being pimped by automated spam programs, random chatroom links, infected PCs or strange flashing lights in the sky so always check with a known contact if they suddenly want you to check out their new car pictures.

It might cost you a bit more than a tyre change and a new air freshener…

Christopher Boyd (Thanks to Adam Thomas for additional research).

Fake Trojan Removal Kit serves up ThinkPoint Rogue

You might want to steer clear of the following fake security program, being promoted as a “Windows Trojan Removal Kit” but actually hijacking your PC in the form of the ThinkPoint rogue with a mixed (24/43) detection rate.

Fake security program

The file is currently being offered up by your typical “fake security scan” pages, such as microsoftwindowssecurity152(dot)com. Those familiar with this particular rogue will be aware that it tends to stick with domains similar to the one above.

Fake scans

Installing the executable can potentially give you a bit of a headache, with what would appear to the average user to be fake “Blue Screens of Death” and payment nag screens. See here for details on how to get around the supposedly locked up desktop, and check here for some of the many variations on this theme. We catch this one as Trojan.Win32.Generic.pak!cobra.

Christopher Boyd

Fake scam: royal wedding tickets NOT for sale

Just testing

The Register is reporting a social engineering spoof by the group Scam Detectives who offered fake “Golden Tickets” to the royal wedding next April for £250 ($388 USD). There were 160 site visitors on the spoof site in 12 hours willing to buy the fakes.


 

“Scam Detectives used a free online website building package to set up a spoof site – http://www.royalwedding.weebly.com – only minutes after the announcement of the royal wedding. The site was promoted using social networks, adverts on classified advertising websites and spam posts on popular forums,” Register writer John Leyden wrote.

Scam Detectives, set up about a year ago, said its goal is “To reduce the number of people taken in by online scams every year and stop YOU from losing your hard earned money.”

The stunt is a great awareness raiser, and presents the problem that Internet shoppers always face: how do you spot a fake site?

Scam Detectives’ web site provides some approaches in the details of its investigation of another ticket-selling scam:

— On the site purchase page, try inputting fake data, such as all zeros for a credit card number. If the site accepts a random number and gives a notice that your purchase is on the way, it’s a site set up to steal credit card numbers. A legitimate site will tell you the number is bad.

— Look for contact information on the web site. If there is very limited information or no way of contacting the site owners about problems, something is fishy. A site might list contact email addresses, but if they are fake, you don’t want to do business there. Scam Detectives mentioned that there is a web site set up to check the veracity of email addresses: http://www.verify-email.org (Though for some reason it lists valid Yahoo addresses as bad.)

— Check the “whois” listing for the date the site was set up and contact information. If the site claims to have been in business for years but the whois date shows a registration in the previous few days or weeks, it’s probably a scam. New businesses go online all the time; however, a recent registration date should make you check further.

— Do a search engine check for the site (or company) and see if anyone else has discussed it as a scam or as a site with irregularities.

From our experience, we would suggest that shoppers be especially careful of any web site that is advertised by spam email.

Register story: Monarchist marks fall for faux royal wedding ticket site

Tom Kelchner

Navy Memorial site compromised

Unfortunately it seems that the official site of the US Navy Memorial was recently compromised, with the addition of a particularly wordy message for the admins hidden away in a subdirectory, rather than the more obvious target of the frontpage which was left untouched:

Defaced

As you can see from the Google listing above, the defacement takes the form of a rather foul mouthed rant on an otherwise empty page:

Hack text

We’ve notified the admins, and the page in question is currently blank with the site running normally so hopefully they now have things under control. There doesn’t seem to be any intention of placing malicious files there, but it might be worth being careful if visiting navymemorial(dot)org for a few days until it has a 100% clean bill of health.

Christopher Boyd

Protecting your brand from web shenanigans

When it comes to Two Point D’oh, do you want to be like this guy:

The right way

Or do you want to be like this guy:

The wrong way

I think we can all agree that approach number one is the place to be. With that in mind, I recently gave some hints and tips at IRISSCON 2010 in relation to protecting your brand / company / employees from shenanigans. We have lots of business-centric sites such as Linkedin, Yammer, Present.ly, companies flocking to Facebook and employees doing their thing on Twitter. While you may not agree with all of the sentiments expressed here, I have to say that in my experience companies tend to focus on complaints, compliments and competitors in the 2.0 space while forgetting about our old pal “security”.

Here come the tips, feel free to add your own but I’ve found the below to be quite helpful in recent years…

What are we most worried about? For me, it’s malicious pages / profiles pushing badware in your name, unofficial pages from fans & well meaning employees, dodgy data gathering and compromised accounts. Additionally, geolocation services mean that it isn’t just employees throwing up a page connected to you being a problem anymore; depending on the service, any random individual can happily come along and stick you on a map, or a location service, or a ratings portal.

1) Think Facebook Places, Foursquare – do you have an official page there? Is there a page “in your honour” with comments filling it up?

Here’s one with people not only complaining about the quality of coffee on offer, but also slating rival firms. We all know how grumpy companies can be where random accusations of awfulness are concerned; better to engage, hit that “Do you manage this venue? Claim here” button and talk to people.

Location, location...

Similarly, you should go check out Facebook and create a brand presence there before some scallywag starts pimping viagra and fake handbags from “Your Company INC”. Hit the “Create a page for my business” button at the bottom left side of any Facebook page, then start filling in the blanks.

Fill this lot in, quick

Additionally, claiming your spot on Facebook places is easy – if you’re in the US, follow this handy guide. If you’re in the UK, I believe it is much the same procedure except they phone you up and you give them a PIN number along with the usual paperwork. Apart from the more obvious sites, be aware that plenty of other services exist and even Yelp is getting in on the act. Finally, here’s some advice in relation to setting up on Foursquare.

2) A common problem: how do you dig through all of those sites to see if anyone is up to Internet shenanigans with your good name? Easy, you load up this collection of websites and start digging:

Sites galore

Two things to note: many “social discussion / conversation tracker” sites will claim to pull up results from across the web, but in my experience only ever give you pages of results from Twitter. Your mileage may vary with those, but the ones listed seemed to serve up information from a variety of sources. The forum trackers are particularly useful if you suspect individuals of performing random drive-by spam on sites with your name plastered all over them. I know one person whose company was targeted by such a campaign and the forum search portals were great for getting Admins to hose the spam quickly.

Knowem.com is a favourite of mine, as they allow you to search for your name / brand on lots of social networking sites for free, which is extremely useful from a security perspective (they will also register you on those sites for a fee).

3) If your company has a Yammer account, put someone in charge of making sure the account isn’t left lying around with lots of data posted to it:

Four months ago...

“Last post: four months ago”? Whoops. There’s always the danger that we might sign up to a hot new service only to get bored and abandon it completely a few months later. But what about the data posted – is someone ready to go in and hose the lot?

While you’re at it, consider coming up with a few basic policies in relation to how much personal info you really need in your account:

Nope...

Just think: if “Employee A” falls for a phish mail like the one below, the phisher has access to all of the information posted to your internal wall AND any information posted about themselves in the profile. A lot of said information could easily be password reset clues to other services they’re registered with, which makes things worse.

Phish

Finally, you should ensure ex-employees can no longer access your Yammer portal, especially if they’re one of those angry disgruntled chaps determined to grab a bunch of “secret” information six months down the line and paste it all over the internet.

4) If you’re hip and trendy – and we know you are – you might be tempted to stick a videogames console in the office recreation room along with the pool table nobody uses and the broken basketball hoop in the corner. We gave a survey to 200 senior IT decision makers in both public and private sector organisations around the globe. The results? 4 in 10 had no idea of the problems posed by consoles, 8 in 10 kept no record of who was using said consoles and 49% of them had a console in the workplace (with 44% of them connected to the net).

Just think, you’ve locked down your social networks in the workplace. You have granular controls to allow or deny individual applications on Facebook. You have an elegant compliance solution in place to ensure nobody is posting sensitive work information to Twitter.

Then I stick my console on with a bunch of Twitter / Facebook / Last.fm apps built in and OH NO IT’S ALL GONE WRONG SOMEHOW.

xbox dashboard

XBox Twitter

Hear that? It’s the sound of your carefully thought out network controls flying out the window. While links aren’t clickable on an XBox so there’s no danger of infections via Twitter, it’s worth noting that you may well find your boss walking in and wondering why the Last.fm application has a picture of a popstar with their “modesty” shaking all over the screen via a user uploaded photograph.

Do you have an XBox Live account bearing the company name? Keep in mind people record game sessions and upload them to Youtube – you might find your employee swearing loudly at the 14 year old Halo master that spent the last half hour shooting him in the face. Bit embarrassing, that one.

This is also a good reason why you should keep track of who is using the console, in preparation for “Sweargate” or other similar gaming kerfuffles. In fact, given the wide range of ways people want to mess with you in console land you might not want to put the thing online in the first place. As strange as it sounds, the many parental controls available on consoles may well be useful in terms of locking things down a bit. For example, if you want to be really watertight on the “Who used it?” issue, enable the XBox Live Passcode and change it after every use.

One final thought – the Playstation 3 has a built in web browser, which takes a decent stab at rendering websites. An interesting side issue? A Fake AV site which looks like this on your PC:

Fake AV

…will look something like this on your Playstation:

PS3 Fake AV

Note the “virus warning” down the right hand side. Yes, I know it says “computer remains infected” and not “games console”. But given that so many people don’t really think about these problems where consoles are concerned, it’s not surprising that I know of at least one case where a similar “warning” ensured an IT guy spent about three days messing around looking for a non existent network infection.

What’s written above certainly isn’t everything I covered at IRISSCON, but hopefully there’s a few things in there to get you thinking about some areas of day to day networking that need to be considered.

Christopher Boyd

Black Friday special, VIPRE for $10

On Black Friday this year, GFI Software will offer a single one-year subscription license to VIPRE for $9.95, 70 percent off the normal ($29.95) retail price. VIPRE Premium will be available for $19.95, 50 percent off the normal retail price.

This Black Friday special pricing is only available for purchase on Friday, November 26, 2010 until 11:59 pm EST. Please visit our Black Friday page for more information. Also, see our latest news release on the risks of cybercrime during the holiday season.

Tom Kelchner

An FTC warning about Internet romance

Love and money

The U.S. Federal Trade Commission has posted some advice for those seeking love in all the wrong places (like on the Internet).

In a sentence: “don’t send cash.”

“… scammers sometimes use online dating and social networking sites to try to convince people to send money in the name of love. In a typical scenario, the scam artist creates a fake profile, gains the trust of an online love interest, and then asks that person to wire money—usually to a location outside the United States,” the agency said.

Here is the FTC list of warning signs that your online paramour might have more of a financial than an emotional interest in you:

— Wanting to leave the dating site immediately and use personal e-mail or IM accounts.
— Claiming instant feelings of love.
— Claiming to be from the United States but currently overseas.
— Planning to visit, but being unable to do so because of a tragic event.
— Asking for money to pay for travel, visas or other travel documents, medication, a child or other relative’s hospital bills, recovery from a temporary financial setback, or expenses while a big business deal comes through.
— Making multiple requests for more money.

“FTC Warns Consumers About Online Dating Scams” here.

Ya know, I’ve been wondering why that woman with a really stunning Facebook picture and about 150 affluent-looking European men as “friends” contacted me out of the blue and wanted to be buddies.

I somehow suspected she wasn’t a pen pal type.

Tom Kelchner

GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the GFI-Sunbelt Software YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI-Sunbelt Software Blog, the GFI-Sunbelt Rogue Blog and anything else we think might be of interest.

This week’s video is the first to include our very state-of-the-art video intro and outro (if that’s a word) provided by our designers here at GFI. Nice work folks!

This week we have another Green Card Lottery scam, fake antivirus sites, Chris Boyd’s coverage of IRISSCON in Dublin, scam giveaway sites and a fake proxy service that claims to help kids evade parental controls and school Internet filters.

 

Tom Kelchner

A new lure: proxy service for avoiding school and parental controls

I can remember the delicious feeling of being completely free of adult supervision on rare afternoons when I was an adolescent. My friend David and I would sit by a cedar tree in a cemetery on sunny Sundays and smoke cigars.

I date myself.

Obviously it was a long-ago time when a 14-year-old could walk into a drug store and BUY a cigar.

A web site (myfatherisonline.com) that promises just such tasty independence for kids is being advertised via Facebook posts: it claims to be a proxy service that can get around school and parental controls.


The bad English in the initial advertisement alone is a hazard to children:

 


We counted 248 posts advertising the URL in a 45 minute sampling of Facebook posts. Many were from the same accounts, so, this is probably being spammed from “owned” accounts as well as being circulated by Facebook users who took the bait. So, it’s hard to say if it’s going viral or just the subject of a major spam run.

Not good, especially for kids

It didn’t even appear to be a proxy: it just pasted an iframe full of advertising over the page content from whatever URL you typed in the box. It was an affiliate site loaded with malcode, links to cell phone subscription scams and other malicious or seedy stuff.

 

“Pac-Man play the original” took you to a RetroGamer site and an installation of MyWebSearch.

 

Then there’s an IQ test scam that will cost you $9.99 per month on your cell phone bill if you want to see your results.



“You have (1) message !” leads to a “Free 3G iPhone” site:



There’s an opportunity to sign up for spam:



And behind our browser window were three more with ads including “Get a $250 Amazon Gift Card FREE,” the “Womens (sic) Forum” and a site that promises “My magic lamp can grant your wishes.”



Although the Aladdin site promised some great magic lamp action on our behalf (“Health, Love, Money”), it turned out to be a horoscope subscription service billed to your cell phone for the usual $9.99 per month.

 




What are they going to do next to lure kids: let them buy cigars in drug stores?

Tom Kelchner

Always look a gift horse in the mouth

Roll up, roll up for lots of freebies. That’s what the creators of the following sites are hoping you’ll do, anyway.

Com-prizes(dot)com seems to host numerous offers and deals which do their best to get the attention of Twitter / Myspace users.

For example, twiter(dot)com-prizes(dot)com (yes, they did spell “Twitter” like that).

prizes for all, possibly

The end-user is asked to fill in a few generic questions about social networking, then “receive up to $2,741.88 in cash”. The next screen – located at 5staroutlet(dot)com – contains a “sort of” attempt at a cheque image, along with various items of merchandise listed under the cash amount. It’s worth noting that above the section where you fill in your card details is a sentence that reads: “To receive my items, I only pay a modest release fee of just US $31.95”.

Fill this in, please

A quick check of the T&Cs is interesting:

terms

“All items listed are not prizes or gifts as it is part of an intentional publicity program and therefore it is a merchandise offering and not a sweepstakes, prize draw or contest.”

Bold added by me. Also, this:

Hmm...

Strange things are afoot at the Circle-K, methinks. They even call the items they send out “Awards” on the payment screen (look at the text in the circle, next to the VISA logo).

A similar page exists for Myspace users located at myspace(dot)com-prizes(dot)com, which also throws some random social networking questions at you before whipping out a “Free iPad” offer:

Freebies galore

This one operates almost identically to the landing page written about by Tom back in October, and of course “free” actually means “sign up for lots of different offers before you get anything”.

Do eight of these...

Sign me up. Or not, as the case may be.

Further reading here, there and everywhere.

Christopher Boyd

IRISSCON 2010

Yesterday I gave a talk at IRISSCON 2010 about how naughty internet people can do horrible things to your brand, and some of the stranger ways things can go spectacularly wrong for your company. A big “well done” to the organisers – I heard nothing but good things all day long in relation to how good the event was.

Typically, the sessions had so many people stuffed into the room they had to open the doors and bring in extra chairs:

Pretty awesome, eh?

I’m told this was the second IRISSCON, and there must have been around 130+ people listening to what the speakers had to say. Talks covered everything from social engineering & blagging your way past security (Peter Wood) to a look at the rather complicated rogue security software money trail courtesy of Robert McArdle.

There was also an address given by Howard Schmidt, albeit through the medium of “large talking head on a screen”.

Howard Schmidt

I must admit, I had flashbacks to this advert (there was no hammer throwing and he was very nice so that evens things out). Interestingly, Amazon were there and recruiting security people – engineers and database types, from the sound of it. So if you’re looking for work and available in either Seattle or Dublin you might want to drop them a line on their careers page. They also had this awesome cardboard robot on the stand which just sweetens the deal:

Amazon robot of doom.

You know you want one.

I know the conference organisers will be uploading pictures / video / presentations from the conference very soon, and I’ll link to said material when it arrives. I’ll also be posting up some handy hints and tips ripped from my own presentation. For now, here’s some badly taken photographs.

Christopher Boyd

Let the (AV) buyer beware

A blog piece in which we discuss one Web site selling subscriptions to information about non-existent security products and a number of others that use the names of legitimate AV products as lures of which the gentle reader might beware.

There have probably been as many scams involving sales of anti-virus security products on the World Wide Web as there have been sales of “prime” real estate (that turn out to be under two feet of swamp water) in Florida.

Alert reader Bharath drew our attention to these.

The site Anti-Virus Review, “The No.1 Anti-Virus Internet Network” claims that it has reviewed anti-virus products and presents its “gold”, “silver” and “bronze” award winners: ViraFix, Antivirus Download and Antivirus-Solution respectively.

These aren’t rogue products. These are AV products that apparently DO NOT EXIST.



So what are they charging you money for?

Anti-Virus Review explains:

“This website has no affiliation whatsoever with the owner of this software program and does not re-sell or license software. Membership is for unlimited access to our site’s resources. We provide an organized website with freeware, links, software, technical support, tutorials and step by step guides. New computer users should find our services valuable and time saving. If you are an advanced computer user, you probably don’t need our services.”

So they’re saying: “if you don’t know anything about this stuff, this is the site for you, SUCKAH!”

The main page and pages devoted to the non-existent products are professionally laid out, complete with tables, graphs and the seals of certification agencies such as Virus Bulletin (These guys are NOT listed on the VB site: http://www.virusbtn.com/vb100/archive/results?display=vendors).

ViraFix page



Antivirus Download claims to have VB100 and other certifications

 

Antivirus & Security package design has a striking resemblance to Kaspersky’s.

 

One especially meaningless graphic shows up on the ViraFix site. We’re not even going to conjecture what this table is supposed to mean other than “we – good, they – not good.”

 

Another little bit of insanity/inanity lies in the FAQ. The writer uses the name “Antivirus 2010” (we blogged about a rogue by that name in October). This leads one to conjecture that maybe this is material borrowed from another site out there.

So, to make this long story a bit shorter, these sites all lead to payment pages that look quite similar: “Membership Options and Features.”



The site hasn’t been around long either, only since the end of September.

Registrant:
   Domains by Proxy, Inc.
   DomainsByProxy.com
   15111 N. Hayden Rd., Ste 160, PMB 353
   Scottsdale, Arizona 85260
   United States

   Domain Name: ONLINE-ANTIVIRUS-PROTECTION-REVIEWS.COM
      Created on: 29-Sep-10
      Expires on: 29-Sep-11
      Last Updated on: 29-Sep-10
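As an added example (not part of the original post or GFI’s own tooling), here is a small Python check that applies the Scam Detectives “whois” tip from the royal wedding piece above to a record shaped like the one just shown: parse the creation date, compare it with the number of years the site claims to have been trading, and flag the mismatch. The 90-day threshold, the accepted field names and date layouts, the handling of a privacy-proxy registrant as a note rather than a verdict, and the “today” date used in the demo are all assumptions; the domain and dates in the sample are the ones the post prints.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the whois excerpt quoted in the post above;
# the domain and dates are the ones the post shows.
SAMPLE_WHOIS = """\
Registrant:
   Domains by Proxy, Inc.
   DomainsByProxy.com

   Domain Name: ONLINE-ANTIVIRUS-PROTECTION-REVIEWS.COM
      Created on: 29-Sep-10
      Expires on: 29-Sep-11
      Last Updated on: 29-Sep-10
"""

# Field names and date layouts seen in common registrar whois output (assumption).
CREATION_FIELDS = ("Created on", "Creation Date", "Registered on")
DATE_FORMATS = ("%d-%b-%y", "%d-%b-%Y", "%Y-%m-%d")

# Threshold is an assumption: the post only says "previous few days or weeks".
RECENT_DAYS = 90


def parse_creation_date(whois_text):
    """Return the registration date found in raw whois text, or None."""
    for field in CREATION_FIELDS:
        match = re.search(rf"{field}:\s*(\S+)", whois_text, re.IGNORECASE)
        if not match:
            continue
        raw = match.group(1).split("T")[0]  # drop a time part such as T00:00:00Z
        for fmt in DATE_FORMATS:
            try:
                return datetime.strptime(raw, fmt).date()
            except ValueError:
                pass
    return None


def assess_domain(whois_text, claimed_years_in_business, today_iso):
    """Compare the whois creation date with what the site claims about its age."""
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()
    created = parse_creation_date(whois_text)
    if created is None:
        return {"created": None, "age_days": None, "verdict": "unknown",
                "privacy_registrant": False}
    age_days = (today - created).days
    # Assumption: a privacy-proxy registrant alone proves nothing; it is only noted.
    privacy = "domains by proxy" in whois_text.lower()
    if age_days < RECENT_DAYS and claimed_years_in_business >= 1:
        verdict = "likely scam"        # claims years of trading, registered weeks ago
    elif age_days < RECENT_DAYS:
        verdict = "check further"      # new, but new businesses go online all the time
    else:
        verdict = "no whois red flag"
    return {"created": created.isoformat(), "age_days": age_days,
            "verdict": verdict, "privacy_registrant": privacy}


if __name__ == "__main__":
    # "Today" is assumed to be around the time the post was written.
    print(assess_domain(SAMPLE_WHOIS, claimed_years_in_business=3,
                        today_iso="2010-11-20"))
```

Run against the record above with a claim of three years in business and a date of 20 November 2010, the domain comes out 52 days old and is flagged “likely scam”; with no age claim the same record only earns “check further”, which is exactly the distinction the tip draws.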

Other sites with a twist: free legitimate AV products (and one not-so-effective one) used as lures

Our friend Bharath did more digging and found that this group, judging by similarities in page design, also have a load of sites that use the names of legitimate anti-malware products from big-name vendors as lures:

Avast
download-antivirus-now.com
antivirus-download-pro.com
antivirus-prodownload.com

Avira
antivirus-pro-suite.com

 Kaspersky
full-antivirus-solution.com

Malwarebytes Anti-Malware
antimalware-protect.com

SpyBot (not considered an effective product. VIPRE detects as: Backdoor.Spybot)
search-destroy-protection.com
searchdestroy-scan.com

Ad-Aware
aware-download.com

AVG
antivirus-2010pro.com
antiviruspro-download.com
free-anti-virus-software.com

So, if you’re fixed up with an antivirus solution now, maybe you’ll be interested in some land that’s for sale in a little development we know about over by Okeechobee. This one is going to be hot! These babies are selling like hotcakes! You can flip these and double your money FAST!

Thanks Bharath

Tom Kelchner

Green card lotteries still going strong

Did they get the idea for that graphic from the GFI blog?

We’re wondering if the actors behind this one got the idea for the graphic on their email from the title of our November blog piece “In America the streets are lined with gold”

We blogged about green card lottery scams before. The scammers sell something that is free from the U.S. State Department. Basically, they are businesses that advertise a U.S. government lottery in which the “winners” get visas to live and work in the U.S.

The real U.S. State Department Diversity Immigrant Visa Program (page here):

“. . .makes available 50,000 diversity visas (DV) annually, drawn from random selection among all entries to persons who meet strict eligibility requirements from countries with low rates of immigration to the United States.”

That page contains a fraud warning about green card lottery scammers.

Citizens from countries with low levels of immigration to the U.S. are eligible. The Philippines is NOT one of those, in spite of the email we received:


Countries that are ineligible are listed here: http://travel.state.gov/pdf/1318-DV2012Instructions-ENGL.pdf


See our October blog piece for the rates these guys charge: “Phony green card lottery sites abound”

Tom Kelchner

GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the Sunbelt Software YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI Sunbelt Software Blog, the GFI Sunbelt Rogue Blog and anything else we think might be of interest.

This week we have TDL4 rootkit analysis; four new rogues: ScanDisk, Internet Security Suite, Security Inspector 2010 and Ultra Defragger; phony game cracks, keygens and video tutorials; and a “see who has deleted you on Facebook” app scam.

Tom Kelchner

A royal engagement announced! SEO poisoning arrives quickly

The British royal family announced today that Prince William will marry his long-time girlfriend Kate Middleton next year. Every news source on the planet is gushing and the dark side of the Internet is taking advantage of the news coverage. Surf with care.

A Google search for “Kate Middleton” results in a poisoned link on the second photo under “Images for Kate Middleton.”


(click on graphic to enlarge)

It leads to a photo, but that page then redirects to friefox.ddns.pl, where a Trojan is forced onto end users:


(click on graphic to enlarge)

VIPRE detects the download as: Trojan.Win32.Generic.pak!cobra

It helps to know the version of the browser you’re using. In this case, Firefox 3.6.12 IS the latest version.

If you’re in doubt about the latest version available, check getfirefox.com which shows this:

Thanks Adam.

Tom Kelchner

Rogue downloads look real: read the fine print


Our intrepid rogue investigator Patrick Jordan was checking the latest evolution of the ThinkPoint FakeRean rogue and passed this along.

The fake “you need to install flash player in order to watch movie” gimmick obviously is still out there. The malicious folks behind ThinkPoint.FakeRean are using it to trick victims into downloading their rogue.

“They are making them look real, but if the URL doesn’t show adobe.com then it is a fake,” Patrick pointed out.

Just because the “name” is flash_player_installer.exe, that doesn’t mean it’s genuine. This lure is especially suspicious because the pop-up window shows that it is going to download from the site pics24.video.servepics.com and not Adobe.


(click on graphic to enlarge)

Here is the real Adobe page to download Flash Player: http://www.adobe.com/products/flashplayer/

Rogue Blog entry for ThinkPoint.FakeRean: http://rogueantispyware.blogspot.com/2010/10/thinkpoint.html

Thanks Patrick.

Tom Kelchner

How the TDL4 rootkit gets around driver signing policy on a 64-bit machine

(Analysis by Chandra Prakash, Technical Fellow, GFI Labs )

Microsoft’s Windows operating system, running on a 64-bit machine, provides enhanced security by requiring system and low-level drivers to be signed. This policy, called the kernel-mode code signing policy, prevents any unauthorized or malicious driver from being loaded. [1.]

The TDL4 rootkit bypasses the driver signing policy on 64-bit machines by changing the boot options of Microsoft’s boot programs so that an unsigned driver is allowed to load.

Here’s how it’s done:

The boot option is changed in memory by the code executed from the infected MBR. That option sets the value of a configuration setting named ‘LoadIntegrityCheckPolicy’, which determines the level of validation applied to boot programs. The rootkit changes this setting to a low level of validation, which effectively allows an unsigned malicious rootkit DLL to load. The rootkit DLL is kdcom.dll, an infected version of the normal kdcom.dll that ships with Windows.

The rootkit also disables debuggers by NOP’ing out the debugger activation functions, as shown below. This makes reverse engineering this rootkit very difficult! The KdDebuggerInitialize1 function (see below) in the infected kdcom.dll, which is called during normal startup of the system, installs the rootkit; the rootkit then hooks the IRP dispatch functions of the miniport driver below the disk driver to hide its malicious MBR.

On a normal machine an unsigned driver will show this message:

*** Windows is unable to verify the signature of
    the file \Windows\system32\kdcom.dll.

By changing the boot option, display of the above message is also suppressed.

(This was researched on a 64-bit machine with Windows 7 installed)

Infected Kdcom.dll with debugger functions NOP’ed out

.text: public KdDebuggerInitialize0
.text: mov cs:byte_1800019EC, 3
.text: xor eax, eax
.text: retn <– Debugger function NOP’ed out that prevents debugger attachment

.text: public KdSendPacket
.text: mov     cs:byte_1800019EC, 6
.text: retn <– Debugger function NOP’ed out

.text: KdDebuggerInitialize1
.text: lea     rcx, sub_18000190C <– This function installs the rootkit
.text: jmp     cs:PsSetLoadImageNotifyRoutine
.text: public KdDebuggerInitialize1 endp

Corresponding functions of clean Kdcom.dll

.text: public KdDebuggerInitialize0
.text: mov     [rsp+arg_0], rbx
.text: mov     [rsp+arg_8], rsi
.text: push    rdi
.text: sub     rsp, 20h

(snip)

.text: public KdDebuggerInitialize1
.text: sub     rsp, 28h
.text: cmp     cs:KdComAddressID, 0
.text: jnz     short loc_7FF7045112A

(snip)

.text: public KdSendPacket
.text: mov     [rsp+arg_0], rbx
.text: mov     [rsp+arg_8], rbp
.text: mov     [rsp+arg_10], rsi
.text: push    rdi
.text: push    r12

(snip)
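As an added example (not part of Chandra’s analysis or any GFI tool), here is a small Python heuristic that tells the stubbed-out exports in the infected listing from the real prologues in the clean one. The byte strings are constructed from the listings above, and the rip-relative displacements are a placeholder rather than the real values; on a real image you would feed it the first bytes of each export read from the PE.

```python
# Added example, not code from the GFI post: flags exported debugger functions
# that have been "NOP'ed out" (return almost at once). Byte strings below are
# constructed from the listings above; rip-relative disp32 is a placeholder.
DISP = b"\x00\x00\x00\x00"  # hypothetical disp32 placeholder


def decode_one(b):
    """One x86-64 insn at b[0] -> (mnemonic, length); only listing forms known."""
    if b[:1] == b"\xc3":                                   # retn
        return "ret", 1
    if 0x50 <= b[0] <= 0x57:                               # push rax..rdi
        return "push", 1
    if b[:2] in (b"\x31\xc0", b"\x33\xc0"):                # xor eax, eax
        return "xor", 2
    if b[:2] == b"\xc6\x05" and len(b) >= 7:               # mov byte [rip+d32], imm8
        return "mov_imm", 7
    if b[:3] == b"\x48\x83\xec" and len(b) >= 4:           # sub rsp, imm8
        return "sub_rsp", 4
    if b[:2] == b"\x48\x89" and len(b) >= 5 and (b[2] & 0xC7) == 0x44 and b[3] == 0x24:
        return "mov_stack", 5                              # mov [rsp+disp8], r64
    if b[:2] == b"\x48\x8d" and len(b) >= 7 and (b[2] & 0xC7) == 0x05:
        return "lea_rip", 7                                # lea r64, [rip+d32]
    if b[:2] == b"\xff\x25" and len(b) >= 6:               # jmp qword [rip+d32]
        return "jmp_rip", 6
    return "unknown", 0


def disassemble(code, max_insns=8):
    """Linear sweep; stops at ret, at a tail jmp, or at bytes we cannot decode."""
    out, off = [], 0
    while off < len(code) and len(out) < max_insns:
        mnem, length = decode_one(code[off:])
        out.append(mnem)
        if length == 0 or mnem in ("ret", "jmp_rip"):
            break
        off += length
    return out


def is_stubbed(code, max_insns=4):
    """ret reached within max_insns insns that only write a flag byte or zero eax."""
    insns = disassemble(code, max_insns)
    return "ret" in insns and all(m in ("mov_imm", "xor", "ret") for m in insns)


SAMPLES = {  # constructed from the listings above
    "KdDebuggerInitialize0 (infected)": b"\xc6\x05" + DISP + b"\x03\x33\xc0\xc3",
    "KdSendPacket (infected)": b"\xc6\x05" + DISP + b"\x06\xc3",
    "KdDebuggerInitialize1 (infected)": b"\x48\x8d\x0d" + DISP + b"\xff\x25" + DISP,
    "KdDebuggerInitialize0 (clean)": b"\x48\x89\x5c\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xec\x20",
}


def scan(samples=SAMPLES):
    """Map each export name to 'stubbed' (NOP'ed out) or 'normal'."""
    return {n: "stubbed" if is_stubbed(c) else "normal" for n, c in samples.items()}
```

The infected KdDebuggerInitialize1 is not a stub but a tail jump into PsSetLoadImageNotifyRoutine, so it shows up as ‘normal’ here and needs a separate check on where that jump lands.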

[REFERENCES]

[1.] Kernel-Mode Code Signing Policy (Windows Vista and Later),  http://msdn.microsoft.com/en-us/library/ff548231%28VS.85%29.aspx

Thanks Chandra.

Tom Kelchner

Adobe: out-of-band patches for Reader and Acrobat tomorrow

Adobe has announced that tomorrow it will release out-of-band patches for Reader 9.4 (and earlier 9.x versions) for Windows, Mac and UNIX, and Acrobat 9.4 (and earlier 9.x versions) for Windows and Mac to fix critical security issues.

The patch will fix the vulnerabilities CVE-2010-3654 and CVE-2010-4091.

Adobe issued a notification Oct. 28 that CVE-2010-3654 could cause Reader and Acrobat to crash and allow an intruder to take control of the affected system. Adobe said the flaw was being actively exploited. (Advisory here.)

The company said Nov. 4 that there had been public discussion of the CVE-2010-4091 vulnerability, which could cause a denial of service. (Advisory here.)

An update for UNIX is expected Nov. 30, 2010.

The next scheduled quarterly security updates for Reader and Acrobat are February 8, 2011.

Tom Kelchner