My final blog post: Moving on

After 9 years of building Sunbelt Software, and then working for GFI, I have decided to move on.

It’s been a great adventure.  I joined Stu Sjouwerman, who had built a distribution company, to start the “Software” part of Sunbelt Software.  We started in 2002 with an antispam product, iHateSpam, for desktops.  Then the same technology for Exchange.  Along the way, we released other products, but the big change came in 2004, when we released CounterSpy.

I started the blog with my first post, “Why Adware Works” (it seems so innocent now…).  We got a reputation for publishing our responses to cease and desist letters (as an example, our Hotbar C&D and our response).   Along the way, we did fun things like give away motorcycles  (a chopper and a Ducati), an inspired employee tattooed himself with VIPRE, and much more.   It wasn’t all about Sunbelt.  We worked on PIRT with Paul and Robin Laudanski (they did all the work, actually). A group of dedicated security researchers and I helped a very nice lady get out of real trouble, and then we started a group to help other people in trouble.  We broke the news on some pretty nasty stuff, like the infamous WMF exploit.  Sometimes I would get bored and write about something else.  People were nice and gave us all kinds of awards.  And so on.

Going through the archives of this blog is a virtual history of the industry during one of its more interesting times.

In 2005, we started working on a new technology, VIPRE, based on a new philosophy for antimalware products. In 2008, we released VIPRE and the rest is history.

But with everything in life, there is a start, a middle and an end.   I’ve turned the reins over to some incredibly capable people here at GFI.  Eric Sites, the original Sunbelt Software CTO, is still here as Chief Scientist.  Mark Patton, Sunbelt’s VP of R&D, is now running global R&D for GFI.  The threat team has been getting some great people, and the original team (which we started with Eric Howes, Patrick Jordan, Adam Thomas and a small number of others) has now grown to a large and impressive group.  Jovi Umawing and Chris Boyd are now writing the posts for the blog, and doing a great job.

I’m very proud of the team we built here, and I will certainly miss all the great people I worked with over the past many years. We made great products together and built a wonderful culture.

Finally, I have to thank you.  As a member of this community, you were a key part of this extraordinary experience and I thoroughly enjoyed the interactions I had with many of you.

Now, I am going to take a bit of time with my family, and discover my next great adventure.  Feel free to reach out.

So long for now,

Alex Eckelberry
www.eckelberry.com

Latest Generation of TDSS Rootkit Gets a Serious “Upgrade”

GFI Software made it in the books of Philippine cybersecurity history by taking part in RootCon, the first official security conference in the Philippines, which was held in Cebu City last month. Two of ours—Berman Enconado (Senior Malware Analyst at the Manila Labs) and Christopher Boyd (Batman)—had given talks during this two-day event. One of the topics we discussed was about TDL4, the fourth generation TDSS rootkit that made waves in June of this year because of its ability to propagate via removable drives / LAN and infect the Master Boot Record (MBR), allowing it to load on infected systems before the OS does.

Our friends at ESET have in-depth analyses of this TDSS rootkit, and from what they have observed as of late, this nasty malware has evolved again; however, it’s not the kind of evolution anyone might have expected:

“Based on the analysis of its components we can say that some of those components have been rewritten from scratch (kernel-mode driver, user-mode payload) while some (specifically, some bootkit components) remain the same as in the previous versions. These changes might suggest one of the following: either the team developing the botnet has been changed, or TDL4 developers have started selling a bootkit builder to other cybercrime groups.”

You can read more about it here on their official blog. By the looks of this, this TDSS is becoming more and more sophisticated the longer its developers continue to improve on it.

Jovi Umawing

Twitter phish DMs still very much alive and kicking

Just a heads up that a popular Twitter phish is still doing the rounds:


“Found a funny picture of you! mugweb(dot)ru”

Clicking the link takes you to twittelr(dot)com/verify-/session/login-/

If you enter your details at this point, you’ve been phished and can expect to see your own account spamming junk at some point in the near future.
Christopher Boyd

RSA Europe 2011

I’ll admit, it’s the first time I’ve stayed in a hotel room where they managed to nail four copies of the same picture to the wall horizontally instead of vertically. Here’s one:


The others were just as spectacular. Anyway, RSA Europe took place in London last week and there were a lot of talks to get your teeth into.

Speaking of getting your teeth into, dinner was served in the form of packed lunches.


The question I left Tim Berners-Lee was “How do I shot web?”


I’m almost certain he’ll get back to me on it eventually. Here I am talking about threats to workplace security in the form of videogame consoles:


The talk itself seemed to go well, although there were a number of teething troubles and then some prior to actually getting up and rambling for half an hour. What’s most interesting to me is that this is the first time I’ve submitted a videogaming threat talk to a more corporate event and had it accepted – maybe all those videogame company hacks over the past year have made people think a little more about the possibility of things going horribly wrong in this particular area of (in)security. At any rate, all of the conference presentation material is available to look at.

Next up is a VB2011 post, as most (if not all) of the conference content is now online…

Christopher Boyd

Another Bing advert to steer clear of…

Here’s an advert in Bing which wants you to install some adware located at chrome(dot)freewarecentral(dot)net – it was coming up in results when searching for “Chrome download”.


As with most of these downloads, the site is reasonably convincing:


Hit the install button, and you’ll be faced with the following Pinball Corp installer:


After you’ve installed the adware, you’ll be taken to

chrome(dot)freewarecentral(dot)net/download/?m1vcjhbpqo

which actually does give you the real Chrome. However, you could just go here and download it without all the additional installs. Microsoft have been notified.

Christopher Boyd (Thanks Matthew)

Hot Diamond Organization 419 scam

Here’s a 419 scam with a little of everything, including a wonderful fake website. First, the email:

In case you don’t want to read it – goodness knows, I tried – the “Hot Diamond Organization” have taken time out from selling diamonds and necklaces to give away one million dollars to “help individuals from countries facing terrorist attack and flood”. No, none of this makes any sense. Below, you can see the Hot Diamond website located at hdiamond(dot)page(dot)tl which pops adverts asking you to install things. The ads we’ve seen contain Pinball network installers, which would give the user Real Player, XVID and Blinkx. Here’s an example of what happens should you hit the “Install Xvid” prompt:


If the end user ignores the advert popups, they still have the Hot Diamond website itself to contend with – a classy, sophisticated piece of social engineering that is absolutely not stuffed full of awful logic, stolen screenshots and spinning globes.


Or, you know, maybe it is. Anyone with better observation skills than a pet rock will quickly realise that their “Lottery winner pictures” are just hotlinked files for everything from the Euro Lottery to, er, some other lotteries.


By the time you get to their CEO / Board of Directors list, you get the distinct impression they’re not trying very hard. Case in point, say hello to Mr. James Moore:


Let’s not forget Mrs Caroline and Mrs Mary, either. Finally, we have their “Send me all your money” form, which wants all sorts of personal information including banking details.


I’m not sure this website hits the heady heights of this fakeout in terms of sheer dreadfulness, but it certainly comes close. You can happily ignore everything these scammers send to your mailbox.

Christopher Boyd

(Thanks to Robert and Wendy for finding this one.)

GMail Hacker: D’oh!

One of our researchers has come across a supposed hacking tool—GMail Hacker Pro—that claims it can compromise GMail accounts. This tool comes with a fairly slick looking website (complete with live chat support) located at gmailhackerpro(dot)com.


During installation, it shows users a EULA. Let us just quickly point out that a portion of it states that a search bar will be installed with the program. During our tests, however, no search bar is installed.


Once fully installed, this tool displays a graphical user interface (GUI) and allows the user to enter a GMail email address in a text box. It then claims to “process” the account.

Once the progress bar reaches 100%, the user is told the “Password file has been located”, but viewing the recovered passwords will require a product key.

In order to retrieve a product key, users have to pay 29.99 USD. If they agree, they are then directed to a ClickBank website where they can make the purchase.


Clearly, this is designed to extract a tidy sum of money from unwitting users, and we’d like to save you, Dear Reader, the trouble of wanting to try it out. We categorize GMail Hacker Pro as a Trojan under the detection name GmailHackerPro.pj!.1a. VirusTotal scores currently sit at 16/43.

If you happen to lose or forget your GMail password, have GMail reset the password for you so you can access it again and assign a new password for it. Doing so won’t cost you anything. That said, steer clear from this one, please.

Jovi Umawing (Thanks to Patrick for catching this one)

McDonald’s Facebook scam: Happy Birthday to…Donald?

I’m sure a McDonald’s themed Facebook scam seemed like a good idea to somebody at the time, but wow is this one all over the place. It’s your typical “Click here to Like”, “Post a spam comment saying how good this is” then “do one of these offers” affair. However, there are many things about it that don’t make any sense starting with the URL: macdonalds(dot)in.

Presumably they were thinking of the guy with the farm? Oh well, it’s as close to typosquatting as makes no difference I suppose. Let’s take a look:


“Happy 44th birthday to Donald”, they say. Except his name is Ronald and he was created in 1963, which means he’s actually 48. However, things quickly become confusing at this point. This scam targets Facebook users in India, yet as far as I can tell he’s called Ronald there. In fact, he’s only called Donald McDonald in Japan and I have no idea how old that guy is.

This one claims you can pick up money or coupons (500 rupees or $12 coupons), and all you have to do is jump through some hoops. So far, just under 900 people have hit the “Like” button. The moment you hit it, this will be posted to your Facebook wall:

Facebook users are then asked to wish Ronald – sorry, Donald – a “Happy Birthday”. Kudos to the chap at the top of the comments box who most definitely is not loving it:


The page says “You will be redirected to the next step”, and the next step would be trying to leave the page but being redirected to the following wonderful offer:


Hey look, it’s an Unhappy Meal containing one browser hogging spam offer and a distinct lack of plastic toys that you already have six of anyway. All the usual nonsense is onscreen, including the “Do you really want to leave?” popup box and the ludicrous countdown timer.

No, you do not want to fill any of this in. If you see any other websites out there asking you to fill in offers in return for free money to spend in McDonald’s (or even Macdonalds) keep in mind that the site could be stretching the truth a little bit.

In fact…you might even say…it’s a bit of a whopper.

Christopher Boyd

NoScript for mobile devices

There’s now a mobile device version of NoScript available for, er, mobile devices. If you’re not familiar with NoScript, then take it away Wikipedia:

NoScript is a free and open-source extension for Mozilla Firefox, SeaMonkey, and other Mozilla-based web browsers…NoScript allows executable web content such as JavaScript, Java, Flash, Silverlight, and other plugins only if the site hosting it is considered trusted by its user and has been previously added to a whitelist.

It won’t solve all of your problems, but it’s most definitely better than nothing and a long time favourite of mine.

Christopher Boyd

You lost your Facebook messages!

Or, to put it another way, you didn’t.

However, spam mail doing the rounds wants you to think otherwise.


“You have three lost messages on Facebook, to recover the messages please follow the link below.”

The links just go to the usual advert / viagra junk. What’s kind of funny here is that an older version of this campaign claimed you were missing one message. Obviously the spammers decided to up the ante so now you have a whole three messages lost to the void.

If you were really that worried about losing your Facebook messages, I suppose you could just have copies of them all sent to your mailbox. At the very least, hover over the links included in these emails – you’ll see that they take you to places that most definitely are not the official Facebook website.

Coming soon: “You have six lost messages on Facebook…”

Christopher Boyd
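The hover-over check from the post above, written out as an added example (not the post’s or GFI’s own code): it collects every link in a constructed sample mail, compares each link’s real domain with the domain of the brand the mail claims to be from, and flags near-miss lookalikes such as the twittelr(dot)com domain from the Twitter phish post. The brand-to-domain table and the sample HTML are my assumptions, not captured data.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed legitimate domains for the brands these spam mails impersonate.
BRAND_DOMAINS = {"facebook": "facebook.com", "twitter": "twitter.com"}


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs: the href is what hovering reveals."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def refang(indicator):
    """Turn the blog's defanged notation, e.g. twittelr(dot)com, back into a hostname."""
    return indicator.replace("(dot)", ".").replace("[.]", ".")


def registrable(host):
    """Last two labels of a hostname; sufficient for the .com/.ru names seen here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot one-letter-off lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href, claimed_brand):
    """Return 'ok', 'lookalike' or 'mismatch' for one link against the claimed brand."""
    legit = BRAND_DOMAINS[claimed_brand]
    target = registrable(urlparse(refang(href)).hostname or "")
    if target == legit:
        return "ok"
    if edit_distance(target, legit) <= 2:  # twittelr.com is one edit from twitter.com
        return "lookalike"
    return "mismatch"


def check_mail(html, claimed_brand):
    """Classify every link in an HTML mail body that claims to come from claimed_brand."""
    parser = AnchorCollector()
    parser.feed(html)
    return [(href, classify_link(href, claimed_brand)) for href, _text in parser.links]


# Constructed sample modelled on the "three lost messages" spam; not a real capture.
SAMPLE_MAIL = (
    '<p>You have three lost messages on Facebook, to recover the messages '
    'please follow the <a href="http://cheap-pills(dot)example/fb">link below</a>.</p>'
)
```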

Everyone loves VIPRE, even those you wouldn’t expect…

We know people love VIPRE. But sometimes, we’re surprised that our own competitors love it too!

Symantec loves VIPRE so much, they’ve used the VIPRE snake!

Webroot loves VIPRE so much, they are giving out a VIPER scooter.


We like ours better. Here’s our VIPRE Ducati:


(And for a bit of nostalgia, here’s the CounterSpy motorcycle we gave out back in 2005):


Alex Eckelberry
(Thanks Brian)

The continuation of dangerous rogue ads on Bing (and Yahoo)

We’ve noted this before, but Microsoft needs to get a handle on ad placements on Bing. Ok, so Bing isn’t the most widely used search engine, but remember that Yahoo plays a part here as well.

In this case, we’re talking Sirefef (ZeroAccess aka Max++), probably the nastiest piece of malware circulating on the ‘net right now. Sirefef kills any attempt to remove it, and is nearly impossible to clean (short of booting onto a rescue disk and performing cleanup actions, or reformatting).

So just search for “adobe flash”, and you might see this ad:

(That same search term will look identical on Yahoo, since Yahoo displays Bing ads and search results.)
Which leads to an innocent-looking “download flash” page:

Note that the page isn’t actually “GetAdobeFlash.com”. Instead, it redirects to a directory on a compromised trucking site (arulbrothers.com), downloading a file from torreandaluz (dot) com/flash/Flash Player 10 Setup.exe

So let’s download that Flash Player and run it through VirusTotal, and no surprise: It’s Sirefef.

Alex Eckelberry
(Thanks to Matthew)

Microsoft Released Volume 11 of SIR

It was early this week when Microsoft released its latest volume of the Security Intelligence Report, or SIR. This report, Microsoft noted, “exposes the threat landscape of exploits, vulnerabilities, and malware”, aiming to “help you protect your organization, software, and people.”

SIR volume 11 has a lot more findings, insights, and observations from the first half of 2011. Below are just some facts and figures from the report that are worth noting for future reference and study:

  • More than 1/3 of malware detected (ab)uses the AutoRun feature in Windows. This malware spreads via removable drives and network drives.
  • Exploits that take advantage of flaws in Java, the OS itself, and HTML/JScript were most prevalent from Q3 of 2010 to Q2 of 2011. The volume of exploits targeting Adobe Flash increased by more than 40 times compared to the volume seen in Q2 of this year.
  • Adobe Reader and Acrobat are the most affected software for document format exploits. No surprise here.
  • Windows XP SP3 (client) and Windows Server 2003 SP2 (server) are the OSs with the highest infection rates.
  • Adware, software deemed potentially unsafe, and Trojans are the most prevalent threats that were detected on systems. An example of this threat is FakeRean.
  • There was a 71.97 percent decrease in spam volume from July 2010 to June 2011 due to the takedowns of the Pushdo/Cutwail and Rustock botnets.
  • Phishers are now targeting social networks more than financial institutions.

The .PDF copy of SIR is available and can be downloaded here. If you’re interested in backtracking previous volumes, Microsoft has made them available in their library page.

Stay informed, everyone!

Jovi Umawing

Orkut phish serves up adult content warning

Here’s an example of the “Content suitable for adults” verification scam seen over on Tumblr popping up in the world of Orkut. Clicking through teases the end-user with semi naked body bits flopping about all over the screen, followed by a rather nice looking fake login.

Google killed the site quickly, but these things tend to be a little cut and paste (I’ve seen the above collection of photographs used on many phishing pages, for example). Always use common sense when asked to verify, revalidate or do something else with the letter “v” in it.
Christopher Boyd

Phish falls at last hurdle

This is a reasonably convincing “give us your personal details” phish until the last moment when it all goes horribly wrong. The site in the first two screenshots is dead, but the form is still live and hosted at palimpalem(dot)com/4/tarjetasprepagas/index(dot)html

“VISA and your mobile phone provider gives you spectacular prizes.”

Reasonably convincing:


Reasonably convincing:


Full screen scrolling Matrix code background sitting behind a form asking for card details and PIN numbers:


….I’ve seen better.

Christopher Boyd

Another day, another XBox code generator

An “XBox code generator” site has been popping up on video sharing websites and elsewhere recently, even though a lot of the content promoting it hawked “Runescape moneymaking”. The site is dead now, but the executable it promoted is still doing the rounds so let’s take a look.

First, the sales pitch – “How to make money with Runescape”:


Visiting the site would bounce you around a number of different redirects, all of which wanted you to download a program. The example below had some awesome pseudo tech babble:


“This is a fully employed xbox whippy maker. It cannot move your xbox untaped account – it gives you a cypher”.

Well, as long as it gives you a cypher. Anyway, hitting the “Generate code” button takes you to a download located on a free file hosting website. Like many programs of this nature, it cycles through a collection of (completely useless) fake codes each time you hit the Generate button. Most programs like this would have dropped something nasty on the PC by this point, or have asked for login credentials to email to the attacker behind the scenes. This one tries something a little different.


You’ll notice some text at the bottom of the program. It says:

“This version uses an outdated formula. The keys generated may not produce correct codes. Upgrade to 1.17”

I guess their cypher was faulty. Anyway, hitting the “upgrade button” – which I can’t say I’ve ever seen in one of these things – takes you to a suspiciously named (dot)tk URL: xbox360generator(dot)tk.


Strangely, it was pointing to a football website – I say “was”, because it now leads nowhere. In this case, the scammer was probably worried they’d be shut down and attempted to point the site to somewhere less suspicious (didn’t work).

Given the name of the .tk URL, it’s possible that the scammer was attempting to first gain the trust of the user with the program, then direct them to a web-based equivalent that asked for login credentials. Maybe they just dumped you onto a survey scam instead. There’s no real way to know now as all of the sites involved appear to be offline, but we can confirm this program does not generate anything remotely useful.

Including cyphers.

Christopher Boyd (Thanks to Alden Baleva for additional research)