YapBrowser has returned

Yesterday I gave a talk at VB 2011 on the history of rogue web browsers – browsers that have been built from the ground up to cause end-users trouble. They often imitate the real thing, use similar logos to legit browsers, claim to be incredibly secure and offer lots of features and functionality. Typically it’s all lies, and they’re dropping rootkits, hijacking your desktop or clicking invisible links out of view from the person using it.

In my humble opinion, the worst of these browsers was something called Yapbrowser. This was a browser from 2006 that you could download, install and run just like any regular browser. Although it bundled with Zango adware, no hijacks were involved and you had the option to back out. Running the browser didn’t raise any alarm bells – until you typed in a web address….any web address….and found yourself redirected to places you’d rather not go.


Redirecting users to content that could send them to jail wasn’t the best way to promote their browser, and it was quickly pulled. Shortly after the browser vanished, it reappeared for a few more weeks claiming “full protection from virus attacks” – that didn’t last long, and Yapbrowser was finally buried in 2006 after being acquired by a company called SearchWebMe – the browser was gone forever, and the site was basically DOA.

Well.

While giving my slide deck a final runthrough, I noticed a screenshot I was using from the Internet Archive wasn’t displaying correctly so I went there to get an image that worked. I’m not sure what happened next – I thought I was looking at the Yapbrowser pages from 2006. Then I saw this:


“July 2011”? Uh oh. Sure enough, visiting the Yapbrowser website right now gives us this:


Not only is there a “2011” notice at the bottom, there’s a link to the Yapbrowser executable. The file appears to be the original from 2006, the EULA looks identical (to the extent it lists “yapbrowserATyapsearchDOTcom” as a contact, despite the fact that domain is long dead) and when fired up on a testbox it currently takes the end-user to Yapsearch, which is parked:


Not only does it appear to be the same old file, the website blurb also makes the same ludicrous promises of security which are optimistic by any stretch of the imagination:

“Your computer will be free from viruses breeding online…There is a 100% guarantee no system infection will occur when using our software.”

When did the site and browser decide to rise from the grave? It’s hard to tell, but here’s the last Archive snapshot of the Yapbrowser(dot)com site from 2009:


As you can see, it’s still dead. Archive.org don’t crawl the site during 2010, but they do revisit in 2011 and at this point (February 9th at the earliest) the site has returned, complete with old page layout, text and file download. One new change is the location of the download – whether clicking the “regular” download or the “adult” version, you’re served the EXE from filesurfing(dot)com, which is a site used for “file searching” from download sites such as Rapidshare and Mediafire.


Currently, Yapbrowser is registered to what looks like a company registered in the UK. The name of the URL listed as the contact email address differs from SearchWebMe who originally bought the site / program back in 2006, but it’s possible they’re one and the same.

Seeing this site lurch back into life, looking identical to how it did back in 2006 and with the browser download following close behind is quite a shock. I imagine anyone else who researched this one will be feeling much the same, and given the history of this program coupled with the (still) nonsensical claims of security and virus evasion it would be quite the leap of faith to want to download and use this program.

We’ll be keeping a close eye on this one, and if the program starts to do anything beyond point at the parked domain we’ll publish an update. For now? Our advice would be to stick with another browser. Like their highly appropriate slogan says: “Don’t waste your time”.

Christopher Boyd (Thanks to Matthew and Patrick for additional information)

Security Tools and Android Markets: Still Safe

Seven months ago, Google officially released its Android app, the Android Market Security Tool, in response to an outbreak of malicious apps being served then on the Android Market website. Just a few days after, a trojanized version of the said app had been spotted, baiting users into downloading and installing it on their smartphones. This was served on third-party download sites. AV companies already detect the trojanized app.

If your antivirus software detects the Android Market Security Tool retrieved from the Android Market as malicious, even up to this point in time, let us reassure you that this app is clean. If you found yours elsewhere, however, more than likely your app is a fake one. It’s best to remove it from your phone (or PC if you have a copy of it in there, too) and get the legitimate copy from the Market.

Jovi Umawing (Thanks to Dean Bueno)

Thank you, Steve Jobs

I can’t speak on behalf of all the folks on this side of the globe who love technology, specifically from Apple. Who knows how these nifty gadgets have impacted their business and personal lives, but surely, the impact is hugely positive and lasting.

Thank you, Steve Jobs. You have made an indelible impression not just in the technology sector but also in the hearts and minds of people.

Jovi Umawing

Scammers Bank on Free Flights Before the Holidays

Matthew, one of our researchers at the AV Labs, flagged us regarding a Facebook scam he spotted late last weekend. And his timing could not have been more impeccable. The scam is about Southwest Airlines giving away free tickets. Now, as a practical rule of thumb, if something free is given by (a) a non-friend, (b) a non-relative, and (c) a random someone / bot who / that found their way on your social networking feed, you better start thinking twice before clicking that link to accept the freebie. If they’re from people you actually know? Double the amount of thinking. Trust me.


What made this particular scam interesting is that the scammers had used and abused a Facebook token generator to spread it. A token is basically an electronic key that is used to access something one does not readily have access to. In this case, a token is used to gain rights to post on Facebook walls. Once users click the link of the scam post, they are directed to www(dot)southwestisbest(dot)com where an entry box pops up, asking users to “access the offer” by entering a validation code. You can’t get around this one, since users are given no option to decline.


“Click Here to Generate Your Validation Code” – and a small browser window, with the URL m(dot)facebook(dot)com/ajax/dtsg(dot)php, opens to display the code.


Hitting the Submit button enables the app to post on the user’s Facebook wall. “But wait!” It doesn’t end there though. Users, clearly unaware of the posting done on their walls, are then redirected to a page asking for their email addresses. After this, they will be asked to complete a survey.


Our experts had already reported this to Facebook and the sites had been taken down shortly after, in turn also terminating the issuance of tokens.

There are other Southwest Airlines scams that have been making the rounds on Facebook. One such scam was found by our friends at Sophos (do check out that post, too). So far, however, this is the only one we’ve seen that uses tokens.

As the Christmas season draws near, criminals are taking advantage of consumers wanting to grab the cheapest flights towards their destinations. And they have been for the longest time we can all remember. Be prudent and smart when it comes to gimmicks you see online, never click on links that offer things that sound too good to be true, and never give away any information until you know what these companies are going to do with them.

Jovi Umawing (Thanks to Matthew for spotting this)

Google Anniversary scam mail gets it horribly wrong

It seems scammers need to play a little catch up, or at least read the odd news site occasionally. Here’s an email going around trying out the well worn theme of “Google Anniversary” 419 scam mails:


“We are pleased to inform you that your email address has won you an Award in the Google 11th Anniversary Awards as organized by the Anniversary Centre of Google Inc. held on September 28th 2011 in London, United Kingdom.”

Humorously, the scammers are sending out 11th anniversary mails when that actually took place in 2009 – we recently hit number 13. They don’t need your financial details, they need a calendar.

Christopher Boyd (Thanks to Wendy for sending this one over)