FakeRean Comes of Age, Turns Hard-core

Avid readers of this blog can attest that we’ve been writing about FakeRean for, oh, quite a number of months now. In case you missed out on those posts or you no longer remember them, I have for you here a short list of what we’ve written about this rogue AV family so far:

FakeRean was initially discovered by Microsoft a couple of years ago. Like all rogue AV families, it displays fake scan results to users in an effort to dupe them into coughing up cash to register the software and supposedly clean their systems. This family also alters the infected system’s registry quite extensively and drops lots of component and shortcut files, among other things. What sets FakeRean apart from the usual rogues is its ability to hijack the file association for executable (.EXE) files, which lets it relaunch every time an application is run; a victim who tries to start a legitimate scanner or cleaner by double-clicking it may simply be launching the rogue again.
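The .EXE association hijack lives in the registry, so it can be audited without running any executable. The PowerShell below is an added example for this post, not FakeRean’s code and not anything from the original article: it walks the chain Windows actually consults (the ProgID that `.exe` maps to, then that ProgID’s `shell\open\command`) in both the per-user and machine hives and flags anything that differs from the Windows defaults (`exefile` and `"%1" %*`). The defaults are real; the “per-user override is suspicious” heuristic is our assumption.

```powershell
# Added example (not FakeRean's code, not from the original post): audit the
# .exe file-association chain that FakeRean-style rogues hijack.
# Expected clean values are the Windows defaults; anything else is reported.

$ExpectedProgId  = 'exefile'
$ExpectedCommand = '"%1" %*'

function Get-RegDefault {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # '(default)' is how PowerShell exposes a key's unnamed value
    return (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
}

function Test-ExeAssociation {
    $findings = @()

    foreach ($hive in 'HKCU', 'HKLM') {
        # Which ProgID does ".exe" map to? A per-user (HKCU) class wins over
        # HKLM, so a HKCU\Software\Classes\.exe key is worth a look on its own
        # (assumption: on a normal workstation this key does not exist).
        $extKey = "${hive}:\Software\Classes\.exe"
        $progId = Get-RegDefault $extKey
        if ($hive -eq 'HKCU' -and $null -ne $progId) {
            $findings += "per-user .exe override present: $extKey -> $progId"
        }
        if ($null -ne $progId -and $progId -ne $ExpectedProgId) {
            $findings += "unexpected ProgID for .exe in $extKey : $progId"
        }

        # Whatever ProgID is in use, its open command must be the default
        # '"%1" %*' (run the file itself, pass the arguments through).
        $ids = @($ExpectedProgId)
        if ($progId -and $progId -ne $ExpectedProgId) { $ids += $progId }
        foreach ($id in $ids) {
            $cmdKey = "${hive}:\Software\Classes\$id\shell\open\command"
            $cmd = Get-RegDefault $cmdKey
            if ($null -ne $cmd -and $cmd -ne $ExpectedCommand) {
                $findings += "hijacked open command in $cmdKey : $cmd"
            }
        }
    }
    return $findings
}

$result = @(Test-ExeAssociation)
if ($result.Count -eq 0) {
    Write-Output '.exe association looks clean'
} else {
    $result | ForEach-Object { Write-Output "SUSPICIOUS: $_" }
}
```

Run it from a console you already have open (or from Safe Mode): the hijack only fires when the shell launches a file through the association, so a script already running is unaffected, but double-clicking a fresh copy of any .exe on a hijacked machine hands control straight back to the rogue. If the command value points at a file under a user profile or temp directory, that path is the dropper to collect.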

Our intrepid rogue AV hunter, Patrick Jordan, spotted new ways in which FakeRean is currently being distributed online, and by the looks of things, the bad guys behind it have not only cast a wider net but also gone, erm, hard-core. Case in point:


The above page is found on SourceForge.net, a prominent repository of open-source software, as a user profile page. Of course, it doesn’t matter whether you’re 18 or not: you still get a free but malicious piece of software to download and run on your system once you click any of the buttons there. That software is a PDF exploit which, once opened in a vulnerable reader, drops and installs FakeRean. We detect the exploit as Exploit.PDF-JS.Gen (v).


A simple search yields results showing that this is a widespread problem across the domain, not a single rogue profile.


This SourceForge profile URL, along with some 100+ other Web page URLs, is listed on imonline(dot)nl(slash)ukabefijac.


Some of Jordan’s finds involve Web pages hosted on prominent domains, including (but not limited to) the following:

  • Twitter
  • Flickr
  • Yahoo!
  • Scribd
  • TED
  • Formspring
  • Posterous
  • Box.Net


All of these URLs redirect via seoholding(dot)com. Fortunately, VIPRE users are already protected from this domain should they be diverted to it.
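Confirming that a batch of profile pages all bounce through the same relay domain is easier when the client does not silently follow redirects. The PowerShell below is an added example written for this post (not the campaign’s code and not from the original article): it fetches one hop at a time with auto-redirect disabled and records every `Location` header, so a seoholding-style intermediate shows up in the output instead of being hidden by the browser. The starting URL is a placeholder; substitute the page under analysis, and run this only from an isolated analysis machine with network access, since the final hop may serve the exploit.

```powershell
# Added example (not from the original post, not the campaign's code): walk an
# HTTP redirect chain one hop at a time so intermediate relay domains are visible.
# The URL passed at the bottom is a placeholder (example.invalid), not a real target.

function Trace-RedirectChain {
    param(
        [Parameter(Mandatory)][string]$Url,
        [int]$MaxHops = 10                   # stop runaway redirect loops
    )
    $hops = @()
    $current = $Url
    for ($i = 0; $i -lt $MaxHops; $i++) {
        $req = [System.Net.HttpWebRequest]::Create($current)
        $req.AllowAutoRedirect = $false      # we want to see each 3xx ourselves
        $req.Method    = 'GET'
        $req.UserAgent = 'Mozilla/5.0'       # some relays only redirect "browsers"
        $req.Timeout   = 10000
        try {
            $resp = $req.GetResponse()
        } catch [System.Net.WebException] {
            # .NET throws for 4xx/5xx, but the response object is still attached
            $resp = $_.Exception.Response
            if ($null -eq $resp) {
                $hops += [pscustomobject]@{ Url = $current; Status = 'error'; Location = $_.Exception.Message }
                break
            }
        }
        $status   = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
        $resp.Close()
        $hops += [pscustomobject]@{ Url = $current; Status = $status; Location = $location }

        # Not a redirect, or a redirect with no target: chain ends here
        if ($status -lt 300 -or $status -ge 400 -or -not $location) { break }

        # Location may be relative; resolve it against the URL we just fetched
        $current = (New-Object System.Uri -ArgumentList ([System.Uri]$current), $location).AbsoluteUri
    }
    return $hops
}

Trace-RedirectChain -Url 'http://example.invalid/landing-page' | Format-Table -AutoSize
```

Only HTTP-level redirects are captured; a relay that bounces visitors with a `<meta http-equiv="refresh">` tag or a line of JavaScript will appear as a 200 with the redirect hidden in the body, so pair this with a look at the final response body before declaring a chain complete.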


We advise Internet users to be careful when clicking image and text links online. Be extra careful with, if not steer clear of altogether, online profiles that look suspicious, whichever site happens to host them.

Jovi Umawing (Thanks to Patrick for finding this and Chris for the assist)

ISSA Ireland 2011 Part 1

I recently talked about passwords at the ISSA 2011 Conference in Dublin. I had hoped to get this post online sooner, but it seems there’s a bit of a delay with regard to the various conference presentations going online.

With that in mind, here are some random pictures from the event until I can do a roundup of the talks and rip some (hopefully) handy tips from my own presentation.

Let’s get the ball rolling with an event poster:


Presumably they’re watching Superman fly past as he rounds up the stragglers to get inside and listen to the talks asap. Good move for all concerned, really.

Below, you can see the greatest conference slide of the day / week / year.


I mean, look at it.

This is a system called Pico which is a sort of “work in progress” aimed at replacing the current system of passwords that we’ve all come to know and hate. You know how George Lucas ruined Star Wars with those midichlorians (actually he just ruined Star Wars full stop, but whatever)? Well, replace “Star Wars” with “old guy smoking a pipe” and “midichlorians” with “specific items you use daily that sync up with your Pico password device” and you have a really interesting setup for password shenanigans. You need a certain number of these items on your person for the Pico device to work, so if your shoe falls off or your wig blows away in a strong gust of wind? Yeah, you won’t be logging into anything soon.

Actually, I lie – this isn’t the best slide. The best slide was a pictorial representation of the possibility of someone kidnapping and torturing you for your Pico login credentials. And I’m not even making this up (although sadly, my only photograph of this slide is a blurry mess).

Here’s another one for good measure that doesn’t feature torture but does feature a waving PC.


Whoever drew these things deserves a raise.

Anyway, it’s a pretty interesting device and certainly something to keep an eye on.


Another interesting talk was on the subject of all those data sharing / syncing websites with funny names, and how there were various pros and cons to using them in the workplace.


Apologies for taking the most boring photo in the history of conference photography. Allow me to make it up to you with a picture of the hotel dining area.


See the bar down below? The hotel guy made the fatal mistake of sitting me at a table next to this balcony, and while trying to grab my fork I accidentally sent it flying through the gap and into the void below. Half a second and a faint “...aaaargh” later, I made my excuses and left.

Quickest checkout ever.

Thankfully nobody turned up at the conference with a fork sticking out of their head so I think I got away with it. I won’t horrify you any further with my terrible photography, but with any luck Part 2 will include links to most (if not all) of the presentations and also some of the content from my own ramble.

Thanks to everyone at ISSA for having us, it was a lot of fun to do. Next time I’ll even try to avoid head-planting a fork, although I’m not making any promises….

Christopher Boyd

Doctor Who Finale Scam Bandwagon Extravaganza of Doom

The mid-series finale for Doctor Who (“A Good Man Goes to War”, fact fans) is rapidly approaching, and big plot twists mean lots of sites trying to take advantage of early spoilers. Oh, and making some spare change at your expense too.

Behold the wonders of YouTube:



If I were a betting man, I’d be putting lots of money on none of the above sites actually containing “A Good Man Goes to War”; instead they pop survey questions followed by random link dumps. Like this, for example:



Yeah, you have to watch out for videos having “lenght” problems. Visit the site, and you can expect a content gateway and a collection of surveys to pick and choose from:



All you’ll get for your trouble is a lack of good men going to war, and a drastic increase in sites that look like this:



Whoops.

This isn’t the first time Doctor Who has been a magnet for scams – the same thing happened when the last series finale was due to air. There was also a bit of an issue with various Doctor Who games doing the rounds, too. As always: avoid. Everything we’ve seen so far is the usual fake video / survey nonsense, but there could well be malware in the offing between now and Saturday. As the Doctor himself would say

Christopher Boyd

Nyan Cat likes your desktop, fills it with rainbows

If you wanted to see a file that hijacks your desktop with a flying cat shooting rainbows out of his backside then you’ve come to the right place. Based on the popular meme Nyan Cat, Nyancat.exe looks like a perfectly normal 35MB (yes, I know) file.

Until you run it.

Then this happens:



Rainbow propelled cat jacking your desktop ahoy!

The music from the Nyancat website plays in the background too (you know, just in case you still thought the above was a normal feature of Windows. It wouldn’t surprise me though).

Getting rid of it involves not panicking (always a good first step) and opening up Task Manager:

As you can see, Nyancat.exe has a habit of punching your memory usage in the face with a brick, so you may well find the PC gasping and rolling around on the floor a little as you kill the process off. While this one is more annoying than malicious, it’s worth noting that a quick scan of search engines reveals people writing Nyan Cat-themed batch viruses, and some other nasties floating around under the pretence of “strange yet friendly rainbow cat”.

Stay safe, meme fans…

Christopher Boyd