Month: September 2011

One of our researchers noticed that searches in Yahoo! for popular programs will result in Yahoo! placing their own link as the first result, effectively bumping the official program links down into second place.

Click to Enlarge

Clicking the first link takes you to the Yahoo! Downloads portal instead of the official Teamviewer site which is sitting down in the number two spot.

Click to Enlarge

It’s the same deal for various other downloads such as Skype:

Click to Enlarge

The downloads come with additional extras that you wouldn’t see if you’d grabbed them from the official developer site. Cue GFI Researcher Matthew, who first noticed this:

“If the user runs the download from this page, they will be presented with an offer for the Yahoo toolbar and then either Shop to Win or Social Ribbons add-on. After the user accepts or declines these offers, the installer then downloads the actual Teamviewer installer from Tucows to the user’s desktop and and prompts the user to run it.”

Click to Enlarge

The SocialRibbons install is interesting – if you’re not familiar with it, it’s a browser plugin that inserts their affiliate code into the URLs of merchants’ sites you happen shop at, then picks up the the affiliate commission when you make purchases at those sites. The idea is that an end-user would install it because Social Ribbons pledges to donate a percentage of that affiliate commission to charities.

However, the exact percentage of the affiliate commission that is donated to charity is not specified. Just one month ago they claimed that $18,000 had been donated based on 250,000 users – which works out to 8 cents per user. The whole point of this type of program is to drive shoppers to participating merchants’ sites, yet no list of participating merchants is available on the Social Ribbons site. In other words, users don’t even know where to go to make their shopping dollars count for charities.

Furthermore, the charities themselves are not specified – there is an example of the below installer mentioning  the “Susan G. Kohen Foundation” – did they mean the Susan G. Komen Foundation?

Click to Enlarge

They collect basic demographic information and claim to monitor web surfing behavior for the purposes of targeted advertising, though this is never mentioned in a clear and conspicuous fashion outside of the EULA/Privacy Policy (Section 2, “Use of individual information”).

All in all, there’s a fair amount of additional content you’re installing via these promoted search links that you wouldn’t receive if installing from the sites of the program creators. It would perhaps be worth pointing out to relatives unfamiliar with promoted search engine results that you don’t always get the “official” site as the first clickable link at the top of the pile – especially when the search engine you’re using is placing links it has a connection with above the rest.

Christopher Boyd (Thanks to Matthew and Eric for additional information)

Here’s a curious bit of spam mail involving the well worn subject of Green Card Lotteries:

Did you know the “Department of State” send out random emails from a free MSN address? No, neither did I. This multicoloured monstrosity claims you’ve won a US green card, then goes on to say you need to stump up $400 to seal the deal anyway.

Yeah, brilliant. They also claim you’ll get a “free airline ticket to the US”, use a lesser known .hm domain as their contact email address and their website contains the following disclaimer:

“USGreenCardLottery(dot)org is a division of ‘US IMMIGRATION CENTER’, a private entity not affiliated with the U.S. Government.”

What a great name for a private entity, and not at all confusing. The best is saved for last, which would be the location of the lady who supposedly sent you this ticket to a new way of life in the first place:

Poor old Ken.

Christopher Boyd (Thanks Alex)

Bad adverts in Bing leading end-users to Malware downloads first popped up on our radar on the 16th of September, and we covered them again on the 19th. Well, they’re back again – this time promoting fake Firefox downloads whose ads are displayed when searching for….wait for it….”Firefox download”:

You’ll notice they missed a trick there, advertising Firefox 6 instead of the freshly minted Firefox 7. The URLs involved are hotelcrystalpark(dot)com/firefox_1 and firefox(dot)dl-labs(dot)com, with the rogue downloads being hosted at the dl-labs URL. VirusTotal score currently gives us 6/43, with VIPRE detecting this as Trojan.Win32.Kryptik.cqw (v).

Christopher Boyd (Thanks to Matthew for finding this one).

Desperate to purloin money out of stupid and desparate people, 419 scammers are now trying Google Calendar invites.

The pain of it is that if you’re using Outlook, the calendar invite is automatically accepted and you get a reminder popping up. 

This has to be the rudest, nastiest spam I’ve seen in a long time.

Alex Eckelberry

It seems scammers have a bit of thing for spoofing BBC websites at the moment. Yesterday it was work from home scams, and last month it was a Facebook wheeze which (in a nutshell) went like this: “Lady Gaga is dead and here’s a BBC video to prove it, also click here.”

Maybe the (unrelated) work from home fakeout has inspired scammers into a fresh round of BBC shenanigans, because the phony BBC video rides again on Facebook. As usual, it’s surveytacular and is geared around fake Facebook messages promoting the completely fake BBC page:

The site in question is sqvw(dot)myfannso(dot)in/e/, and is still currently live at time of writing. This is one news report you can afford to miss.

Christopher Boyd (Thanks to Matthew for finding this one).

Just a quick heads up that there’s a Twitter spamrun targeting mentions of the videogame Bioshock Infinite.

The promise: “My friend got Bioshock Infinite free”.

The reality:

A woman doing aeroplane impressions. Of course, people getting free copies of Bioshock Infinite would be quite a feat in itself, given the thing won’t be released until 2012.

[Update 1] It seems numerous games are having the same spammy treatment – we’re informed that poor old Batman is having similar problems with spam such as this:

“This is amazing! Get a FREE copy of the new Batman: Arkham City. Get one here”
“I love batman, I play the video game look at this”

As before, the URLs lead to linkdumps, spam offers and other assorted junk. Thanks to Pete for the heads up.

Christopher Boyd

We’re seeing some more bad adverts popping up in Bing – just like the original attack, these results are served with very basic search terms so it’s pretty easy to stumble into one of the bad URLs. The results below appear when searching for “Flash player download”:

In the below example, the end-user arrives at malaysiaaktif(dot)com/flash and the fake Flash Player file is served up from dl-softonic(dot)net (a slight change from the original URL used to push the files which flatlined a few days ago):

As before, these are not particularly sites you want to be wandering into so please be careful when searching for basic tools, programs and files in Bing until these rogue adverts have a healthy dose of “put in jail and throw away the key” applied to them.

Christopher Boyd (Thanks Matthew)

In-game advertising has been around for a long time (specifically since 1978, when the Scott Adams game ‘Adventureland’ placed a promotional message in the game for his next release ‘Pirate Adventure‘, which involved crackers, a parrot and dying a lot).

There are three main types: Static (which as you probably guessed don’t do much other than sit there advertising things. They don’t change and can’t interact with the outside world), Dynamic (which are adverts effectively injected into the game world on the fly, meaning your futuristic shooter can have up to the minute posters on the wall for Pepsi or Alienware or whatever. These can also track gamers with regards successful advertising – for example, length of time spent staring at it when you should have been shooting at other gamers). The final type is ‘Advergaming” which would take way too much time to explain, so here’s the Wiki page. Go nuts.

Attempts at ingame advertising can be successful (Keanu billboards in The Matrix Online? Meta), somewhat innovative or run into teething troubles – more often than not on consoles where EULAs and other agreements may involve some hoop jumping to read.

You can see why gamers tend to be irked by advertising in their gaming, and a case in point would be a furore surrounding a recent patch applied to Deus Ex: Human Revolution (which is apparently not the cause of said advertising furore, it’s just some unfortunate timing.) Gamers are complaining about a somewhat noticeable addition to loading screens: see if you can spot it.

I’m not sure if it’s up there with the Vader “NOOOOOOOOOO”, but it certainly gives Midichlorians a run for their money. A rather bright and unavoidable Star Wars advert sits in the bottom right corner of the screen, pleading with you to use the Force and buy the boxset. A few more examples can be seen here and here.

As you may have guessed, people aren’t best pleased and the inevitable result is users attempting to game the system – you can see what I did there – and kill the ads off. Some are tweaking their Hosts file:

Others are downloading random patches and mods from the internet:

While there aren’t any reports of malicious patches compromising systems (though the above popular ad killer currently hits a 1/44 detection in VirusTotal which appears to be a “Wisdom of the Crowds” thing), I can’t say it’s a great idea to be downloading files and hoping they don’t blow your PC sky high. Another issue is that the game developers (or whoever is providing you the platform to play your PC game on, such as Steam) may not take kindly to tampering, and could theoretically ban your account / access / some other thing you can’t really go without.

This would not be a good thing.

Of course, “patches” and cracks are appearing on Youtube and similar sites, all of which result in survey popups and fakeout websites galore – this probably won’t matter one jot to anybody really desperate to hose that Star Wars promo and a clicking they will go:

…and so on. For me, the most interesting thing about this one is that the adverts have gone live a little while after the game has already sold a stack of copies – I’m struggling to think of ingame adverts that weren’t live from the moment the title was released, and this has contributed toward the negative reaction for what is a small (if distracting) advertisement. At any rate, it’s definitely created an opportunity for people with malicious intent to snag some victims, either by survey affiliate moneymaking or the ever present threat of infection files.

It may well be worth waiting to see if the adverts are pulled due to the negative reaction before deciding to download File X from Site Y while crossing your fingers.

And Han shot first.

Christopher Boyd

Overnight we saw a number of adverts being displayed in Bing that were directing end-users to malicious content. These adverts were promoting all manner of downloads including Firefox, Skype and uTorrent.

Some of the search terms used:

“FireFox Download”
“Download Skype”
“Download Adobe Player”

As you can see, they’re not particularly complicated or unusual searches so you probably wouldn’t be jumping through hoops to reach these things.

Clicking the adverts takes end-users to sites such as river-park(dot)net, and they do a pretty good job of convincing visitors that these sites are the real deal (incidentally, you’ll notice that some of the ads display the “real” URL of the program mentioned, but take you to a rogue site such as the “Download uTorrent Free” advert above which actually takes you to aciclistaciempozuelos(dot)es/torrent).

All of the malicious downloads are coming from en-softonic(dot)net, and here’s their open directory with various files waiting to be launched on unsuspecting end-users:

As an example, the fake Firefox file installs a rootkit, runs IE silently in the background attempting clickfraud and also performs Google redirects. Current VirusTotal score for that one is 16/44, and we detect it as Win32.Malware!Drop. These adverts were also appearing in Yahoo search – we notified both Yahoo and Microsoft, and both companies are in the process of killing these things off.

It’s entirely possible these sites will show up somewhere else, so be careful when downloading programs and make sure you’re on the official site before grabbing anything. These are definitely not the kind of files you want on your system.

Christopher Boyd (Thanks to Matthew for finding this one).

I keep getting asked for comments on McAfee/Intel’s new Deepsafe. So what the heck, here goes.

This is a great marketing pitch.  But remember that the platform that the technology is based upon, Intel VTx, is an open archictecture that any antivirus company can use.  McAfee is innovating but I truly doubt it’s because of any proprietary relationship with Intel. 

I just don’t think there is any secret sauce here.  This stuff is available to us all, and if it makes sense to use it, we will.

Alex Eckelberry

Hands up: who wants a cheap HP Touchpad complete with charging dock and bluetooth keyboard?

Yep, you all do. However, not only does this prospect look a little unlikely due to the ultra scarce stock, you may well find you end up with a little more than you bargained for while searching for one of the few remaining deals knocking around the web.

Should you visit the rather long web address listed below (which may or may not completely ruin my formatting, cross your fingers), you’ll be enticed by the rather awesome offer that includes all of the above for the low, low price of $159.99.

tigger(dot)horizon-host(dot)com/123/td/applications/SearchTools/touchpad(dot)html

It sounds like a great deal. However, hit the “Buy” button and this website – which was pulling genuine content from a Tiger Direct page – would use some handy Javascript to load up a Survey box populated with data from fileice(dot)net.

I must admit, seeing a survey in this instance is somewhat bizarre as typical survey scams involve the affiliate offering freebies in return for a completed survey. I guess they’re banking on the lure of the cheap touchpad being too much for end-users to resist. An example offer:

Just a quick heads up that a gaming website is offering up what appears to be a version of FileZilla, but is actually throwing the Jeefo Virus into the mix.

The site in question is someofcs(dot)com, and (as far as we can tell) it looks as though you may have to be a member of the site to download the file in question. The VirusTotal result right now is sitting at 38/44, so at least there’s decent coverage of this one.

Christopher Boyd (Thanks to Patrick Jordan for sending this over).

After (well, during):

I think something in the region of 200(ish) people turned up to listen to talks on a wide variety of subjects. Ye Olde Cyberterror kept popping up throughout the event, as it’s clearly a bit of a hot topic although there were plenty of other things to get your teeth into if you never wanted to hear the word “cyber” attached to anything ever again.

For the duration of the event, there were fairly spectacular gaming rigs available for people to hop on:

When the PC above is turned on it seems to glow brighter than the Sun:

Of course, this being a hacker con there were various wargames / capture the flag type events taking place too. While it’s entirely possible I captured someone below simply wiping their face, I like to imagine the pwnage before her is so amazing that she is straight up shrieking into a napkin.

Probably not though.

Anyway, there was also an obligatory tshirt booth and everybody had a badge complete with a QC code or two to crack.

So there we go. As for the talks, they came thick and fast over the two day event. No prizes for guessing that I talked about videogame / PC game hacking and threats, but in addition to that there was a great ZEUS talk by Trend Micro:

Another presentation given by a chap well known for being involved in the legal side of things discussed the topic of whether the Philippines was ready for “cyber terrorism”. I must admit, I was curious when I heard that “Cyberterrorism” was a “convergence of cybernetics and terrorism“. I always thought that was something to do with scary robots, but feel free to plough through this lot and make sense of it for me.

There was also a fairly exciting kerfuffle between him and researchers from a company who gave a talk prior to this then found themselves referenced incorrectly in his own. I missed most of it, but below is some of the drama captured for posterity:

Yeah, that was pretty awesome.

Something else that was awesome was the TDL 4 talk by my colleague Berman Enconado, which explored the history of TDL 4, what it does and the damage it can cause.

Now it’s time to break for cakes because, well, look at them.

Hacker cons tend to have some sort of lockpicking shenanigans taking place in the form of a village, but Rootcon had a one man lockpick village in the form of Jolly Mongrel who went through the various types of lock you could pick, examined a famous bank heist from yesteryear that involved lockpicking galore and also had some fun with handcuffs:

I also thought his tshirt said “I love Batman”, which would have been amazing.

A quick prize draw at the GFI booth later (with a handily swiped fishbowl which I’m sure the fish didn’t miss) and it was time for the panel talk including speakers from IBM, Trend Micro, GFI Software, that legal guy and a chap called Sven Herpig who is as awesome as his name suggests. It was about – you’ve guessed it – cyberterror, along with a bunch of random security questions including ethical vulnerability reporting, Wikileaks and, er, setting up an overseas anonymous security company that quickly wandered into a discussion about tax evasion.

Also someone said something pretty funny here, but I have no idea what it was.

All in all, this was an excellent event – especially as this was the first “official” security conference in the Philippines (despite there being four Rootcons prior to this, which were much smaller in scale). This had numerous speakers (both local and international), talks on a wide range of subjects, PC gaming, hacking events and booths stuffed with products and freebies.

Plans are already underway for Rootcon 6, so it would probably be wise to pencil in a visit to Cebu sometime next year. Thanks to everyone who organised the event and thanks also to everyone who visited the booth / listened to the talks, we had a great time!

Christopher Boyd

Our research team have discovered a rather nasty SEO poisoning scam over the last few days, targeting 9/11 related search terms (along with anything else they can get their hands on) to attempt the infection of vulnerable PCs. They use a combination of the Black Hole Exploit Kit (Correction: Phoenix Exploit Kit) and an interesting “on the fly” SEO poisoning tactic to try and drop infections onto the target PC.

Shangpalace(dot)com(dot)vn was the initial URL our research team discovered, although there are quite a few others out there right now. It goes without saying that all of these domains should be considered hostile and visited only in a dedicated testing machine.

authorizationlettersample(dot)org
chiefpricingofficer(dot)com
craftyk9(dot)com
decaci(dot)mmister(dot)com
e-gizmo(dot)com
geekvenues(dot)com
glorioleedu(dot)com
gospeloftruth(dot)net
hotelcatedralvallarta(dot)com
jetpackdreamsthebook(dot)com
maresmortgage(dot)com
marianaemslie(dot)com
megadeth(dot)megawan(dot)com(dot)ar
moorethoughts(dot)com
plusidol(dot)com
rayoverde(dot)com(dot)ar
referencelettersample(dot)org
ritasresources(dot)com
saponifier(dot)com
saprivateschools(dot)co(dot)za
schorrsolutions(dot)com
secondmilecenter(dot)com|
sellbeads(dot)com
studio-r(dot)in
tisztaszenzor(dot)hu
trainerskills(dot)com
winbeforetrial(dot)com
bridging-the-gap(dot)com
ishmaelkhaldi(dot)com
joshtickell(dot)com
sofresh(dot)ro
themetalden(dot)com

Some example search terms:

If you’re unfortunate enough to visit one of these rogue links, then you can look forward to attacks on your PC. Here’s what GFI Software Malware Research Supervisor Adam Thomas had to say about it:

“The server will return a script pointing to a malicious server which is running Phoenix exploit kit…the referral string used when visiting the compromised site must be an approved referral string (e.g. search.google.com). If not, the server will simply re-direct you to anon-malicious page.”

Click to Enlarge

He continues: “The malicious domain ‘nvwjefrzacronyms(dot)info’ appears to be hosted on a server in Germany. Passive DNS data reveals several other likely malicious servers hosted at the same IP address.”

serveruzgdf(dot)info A 109.230.217.113
acronymsoflh(dot)info A 109.230.217.113
zqqhfowhserver(dot)info A 109.230.217.113
cronymsu(dot)info A 109.230.217.113
aasfhcxserver(dot)info A 109.230.217.113
bpxtecdacronyms(dot)info A 109.230.217.113
nvwjefrzacronyms(dot)info A 109.230.217.113
acronymstxey(dot)info A 109.230.217.113

Adam tells me the site is “attempting to load as many exploits as possible in order to drop the payload”. This is typically what the user will see while the exploits and files are busy behind the scenes:

Click to Enlarge

Here’s an example VirusTotallink to one of the pieces of Malware being used – as you can see, 21/44 currently detect it. As with most attacks of this nature, you can expect to see multiple domains, files and search terms used to lure potential victims. Speaking of search terms, the people behind this are doing some interesting things with their poisoned search results. Adam again:

“The content for SEO poisioning can be generated ‘on-the-fly’. To explain further, the owner of this SEO poisoning system can utilize their network of hacked domains to quickly generate any content desired. By simply passing a search criteria to the url ‘shangpalace(dot)com(dot)vn/<search-term>’, the ‘SEO pack’ generates relevant content based on the search term.”

As an example, he passed a random search term to the server to see what would happen – “purple-golden-retriever”, in thiscase. Sure enough…”Within 2-3 seconds a page complete with keywords, related search phrases and even relevant working images is returned from theserver.”

Click to Enlarge

Pretty slick. Keeping your system patched and your security software up to date is a good place to start with regards to avoiding these kinds of attacks, in addition to running a Limited User Account and (perhaps) some browser based script blocking tools such as NoScript. There’s bound to be more domains out there playing host to the kind of badness seen above, and I’m pretty sure you don’t want to be caught out by this one.

Christopher Boyd (Thanks Adam)

Another day, another random website offering up freebies that you’d be better off without. This time around, the site in question is located at freeamazingsoftwares(dot)blogspot(dot)com. The free programs include – stop me if you’ve heard this one – RuneScape gold generators, iTunes giftcard generators, Amazon Giftcard generators and XBox Live points generators.

Of course, it doesn’t matter which program you want to download – your final destination will be this:

“Are you dumb? Find out now!” Never a truer word spoken, courtesy of ye olde survey popup. Assuming the user fills in one of the above quizzes / signs up to a ringtone service, they’ll be free to download one of the above programs.

Will they work as advertised? Given that I’ve yet to see a working Microsoft points generator – and I’ve seen a lot of points generators – my answer would be “nope”. Could you take that “nope” and apply it to all the other programs too?

“Yep”. As with so many of these types of website, at best you’ll get a non functional dummy download. At worst, you could end up with anything from a phishing tool to a piece of data theft malware. Worth the risk? I think we’re back to “nope” again…

Christopher Boyd

This year, Cebu Island is playing host to the fifth Rootcon security conference, which takes place on the 9th and 10th of September. GFI Software has two standalone talks at this one – “Introducing TDL4, a Sophisticated Fraudster’s Rootkit” by Berman Enconado and “Console (In)Security: The Oncoming Storm” by my good self. Additionally, we’re on a panel discussing the threat of “Cyberterrorism” alongside Paul Sabanal (IBM Security Systems) and a chap named Sven Herpig who is both a professor and a PhD student specialising in Cyberwarfare.

There’s a whole bunch of other talks taking place too, on everything from VoIP security and IPv6 to lockpicking, penetration testing and reversing Android applications. If the talks aren’t your thing, the event also doubles as a job fair and we will be on the lookout for both fresh and experienced talent.

 If you’d like to listen to me complain endlessly about everything that’s gone wrong since I arrived – and who wouldn’t – you can do so here on my personal blog thing. Otherwise, we’ll be posting various updates from now until the weekend so roll on Rootcon!

Christopher Boyd

Here’s a phishing scam that lures users with the promise of getting their “old Facebook profile” back. What that means is up for debate – maybe the scammer is harking back to a land of slightly less privacy options, or maybe he just wants you to look like a Geocities page from 1996. Either way, here it is: