Black Friday special, VIPRE for $10

On Black Friday this year, GFI Software will offer a single one-year subscription license to VIPRE for $9.95, 70 percent off the normal ($29.95) retail price. VIPRE Premium will be available for $19.95, 50 percent off the normal retail price.

This Black Friday special pricing is only available for purchase on Friday, November 26, 2010 until 11:59 pm EST. Please visit our Black Friday page for more information. Also, see our latest news release on the risks of cybercrime during the holiday season.

Tom Kelchner

An FTC warning about Internet romance

Love and money

The U.S. Federal Trade Commission has posted some advice for those seeking love in all the wrong places (like on the Internet).

In a sentence: “don’t send cash.”

“… scammers sometimes use online dating and social networking sites to try to convince people to send money in the name of love. In a typical scenario, the scam artist creates a fake profile, gains the trust of an online love interest, and then asks that person to wire money—usually to a location outside the United States,” the agency said.

Here is the FTC list of warning signs that your online paramour might have more of a financial than emotional interest in you:

— Wanting to leave the dating site immediately and use personal e-mail or IM accounts.
— Claiming instant feelings of love.
— Claiming to be from the United States but currently overseas.
— Planning to visit, but being unable to do so because of a tragic event.
— Asking for money to pay for travel, visas or other travel documents, medication, a child or other relative’s hospital bills, recovery from a temporary financial setback, or expenses while a big business deal comes through.
— Making multiple requests for more money.

“FTC Warns Consumers About Online Dating Scams” here.

Ya know, I’ve been wondering why that woman with a really stunning Facebook picture and about 150 affluent-looking European men as “friends” contacted me out of the blue and wanted to be buddies.

I somehow suspected she wasn’t a pen pal type.

Tom Kelchner

GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the GFI-Sunbelt Software YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI-Sunbelt Software Blog, the GFI-Sunbelt Rogue Blog and anything else we think might be of interest.

This week’s video is the first to include our very state-of-the-art video intro and outro (if that’s a word) provided by our designers here at GFI. Nice work folks!

This week we have another Green Card Lottery scam, fake antivirus sites, Chris Boyd’s coverage of IRISSCON in Dublin, scam giveaway sites and a fake proxy service that claims to help kids evade parental controls and school Internet filters.

 

Tom Kelchner

A new lure: proxy service for avoiding school and parental controls

I can remember the delicious feeling of being completely free of adult supervision on rare afternoons when I was an adolescent. My friend David and I would sit by a cedar tree in a cemetery on sunny Sundays and smoke cigars.

I date myself.

Obviously it was a long-ago time when a 14-year-old could walk into a drug store and BUY a cigar.

A web site (myfatherisonline.com) that promises just such tasty independence for kids is being advertised via Facebook posts: it claims to be a proxy service that can get around school and parental controls.


The bad English in the initial advertisement alone is a hazard to children:

 


We counted 248 posts advertising the URL in a 45-minute sampling of Facebook posts. Many were from the same accounts, so this is probably being spammed from “owned” accounts as well as being circulated by Facebook users who took the bait. It’s hard to say whether it’s going viral or is just the subject of a major spam run.

Not good, especially for kids

It didn’t even appear to be a proxy. It just pasted an iframe with advertising over the page content from the URL you typed in the box. It was an affiliate site loaded with malcode, links to cell phone subscription scams and other malicious or seedy stuff.

 

“Pac-Man play the original” took you to a RetroGamer site and an installation of MyWebSearch.

 

Then there’s an IQ test scam that will cost you $9.99 per month on your cell phone bill if you want to see your results.



“You have (1) message !” leads to a “Free 3G iPhone” site:



There’s an opportunity to sign up for spam:



And behind our browser window were three more with ads including “Get a $250 Amazon Gift Card FREE,” the “Womens (sic) Forum” and a site that promises “My magic lamp can grant your wishes.”



Although the Aladdin site promised some great magic lamp action on our behalf (“Health, Love, Money”), it turned out to be a horoscope subscription service billed to your cell phone for the usual $9.99 per month.

 


What are they going to do next to lure kids: let them buy cigars in drug stores?

Tom Kelchner

Always look a gift horse in the mouth

Roll up, roll up for lots of freebies. That’s what the creators of the following sites are hoping you’ll do, anyway.

Com-prizes(dot)com seems to host numerous offers and deals which do their best to get the attention of Twitter / Myspace users.

For example, twiter(dot)com-prizes(dot)com (yes, they did spell “Twitter” like that).

prizes for all, possibly

The end-user is asked to fill in a few generic questions about social networking, then “receive up to $2,741.88 in cash”. The next screen – located at 5staroutlet(dot)com – contains a “sort of” attempt at a cheque image, along with various items of merchandise listed under the cash amount. It’s worth noting that above the section where you fill in your card details is a sentence that reads: “To receive my items, I only pay a modest release fee of just US $31.95”.

Fill this in, please

A quick check of the T&C’s is interesting:

terms

“All items listed are not prizes or gifts as it is part of an intentional publicity program and therefore it is a merchandise offering and not a sweepstakes, prize draw or contest.”

Bold added by me. Also, this:

Hmm...

Strange things are afoot at the Circle-K, methinks. They even call the items they send out “Awards” on the payment screen (look at the text in the circle, next to the VISA logo).

A similar page exists for Myspace users located at myspace(dot)com-prizes(dot)com, which also throws some random social networking questions at you before whipping out a “Free iPad” offer:

Freebies galore

This one operates almost identically to the landing page written about by Tom back in October, and of course “free” actually means “sign up for lots of different offers before you get anything”.

Do eight of these...

Sign me up. Or not, as the case may be.

Further reading here, there and everywhere.

Christopher Boyd

IRISSCON 2010

Yesterday I gave a talk at IRISSCON 2010 about how naughty internet people can do horrible things to your brand, and some of the stranger ways things can go spectacularly wrong for your company. A big “well done” to the organisers – I heard nothing but good things all day long in relation to how good the event was.

Typically, the sessions had so many people stuffed into the room they had to open the doors and bring in extra chairs:

Pretty awesome, eh?

I’m told this was the second IRISSCON, and there must have been around 130+ people listening to what the speakers had to say. Talks covered everything from social engineering & blagging your way past security (Peter Wood) to a look at the rather complicated rogue security software money trail courtesy of Robert McArdle.

There was also an address given by Howard Schmidt, albeit through the medium of “large talking head on a screen”.

Howard Schmidt

I must admit, I had flashbacks to this advert (there was no hammer throwing and he was very nice so that evens things out). Interestingly, Amazon were there and recruiting security people – engineers and database types, from the sound of it. So if you’re looking for work and available in either Seattle or Dublin you might want to drop them a line on their careers page. They also had this awesome cardboard robot on the stand which just sweetens the deal:

Amazon robot of doom.

You know you want one.

I know the conference organisers will be uploading pictures / video / presentations from the conference very soon, and I’ll link to said material when it arrives. I’ll also be posting up some handy hints and tips ripped from my own presentation. For now, here’s some badly taken photographs.

Christopher Boyd

Let the (AV) buyer beware

A blog piece in which we discuss one Web site selling subscriptions to information about non-existent security products and a number of others that use the names of legitimate AV products as lures of which the gentle reader might beware.

There have probably been as many scams involving sales of anti-virus security products on the World Wide Web as there have been sales of “prime” real estate (that turn out to be under two feet of swamp water) in Florida.

Alert reader Bharath drew our attention to these.

The site Anti-Virus Review, “The No.1 Anti-Virus Internet Network” claims that it has reviewed anti-virus products and presents its “gold”, “silver” and “bronze” award winners: ViraFix, Antivirus Download and Antivirus-Solution respectively.

These aren’t rogue products. These are AV products that apparently DO NOT EXIST.



So what are they charging you money for?

Anti-Virus Review explains:

“This website has no affiliation whatsoever with the owner of this software program and does not re-sell or license software. Membership is for unlimited access to our site’s resources. We provide an organized website with freeware, links, software, technical support, tutorials and step by step guides. New computer users should find our services valuable and time saving. If you are an advanced computer user, you probably don’t need our services.”

So they’re saying: “if you don’t know anything about this stuff, this is the site for you, SUCKAH!”

The main page and pages devoted to the non-existent products are professionally laid out, complete with tables, graphs and the seals of certification agencies such as Virus Bulletin (These guys are NOT listed on the VB site: http://www.virusbtn.com/vb100/archive/results?display=vendors).

ViraFix page



Antivirus Download claims to have VB100 and other certifications

 

Antivirus & Security package design has a striking resemblance to Kaspersky’s.

 

One especially meaningless graphic shows up on the ViraFix site. We’re not even going to conjecture what this table is supposed to mean other than “we – good, they – not good.”

 

Another little bit of insanity/inanity lies in the FAQ. The writer uses the name “Antivirus 2010” (we blogged about a rogue by that name in October). This leads one to conjecture that maybe this is material borrowed from another site out there.

So, to make this long story a bit shorter, these sites all lead to payment pages that look quite similar: “Membership Options and Features.”



The site hasn’t been around long either, only since the end of September.

Registrant:
   Domains by Proxy, Inc.
   DomainsByProxy.com
   15111 N. Hayden Rd., Ste 160, PMB 353
   Scottsdale, Arizona 85260
   United States

   Domain Name: ONLINE-ANTIVIRUS-PROTECTION-REVIEWS.COM
      Created on: 29-Sep-10
      Expires on: 29-Sep-11
      Last Updated on: 29-Sep-10

Other sites with a twist: free legitimate AV products (and one not-so-effective one) used as lures

Our friend Bharath did more digging and found that this group, judging by similarities in page design, also have a load of sites that use the names of legitimate anti-malware products from big-name vendors as lures:

Avast
download-antivirus-now.com
antivirus-download-pro.com
antivirus-prodownload.com

Avira
antivirus-pro-suite.com

Kaspersky
full-antivirus-solution.com

Malwarebytes Anti-Malware
antimalware-protect.com

SpyBot (not considered an effective product. VIPRE detects as: Backdoor.Spybot)
search-destroy-protection.com
searchdestroy-scan.com

Ad-Aware
aware-download.com

AVG
antivirus-2010pro.com
antiviruspro-download.com
free-anti-virus-software.com

So, if you’re fixed up with an antivirus solution now, maybe you’ll be interested in some land that’s for sale in a little development we know about over by Okeechobee. This one is going to be hot! These babies are selling like hotcakes! You can flip these and double your money FAST!

Thanks Bharath

Tom Kelchner

Green card lotteries still going strong

Did they get the idea for that graphic from the GFI blog?

We’re wondering if the actors behind this one got the idea for the graphic on their email from the title of our November blog piece “In America the streets are lined with gold”

We have blogged about green card lottery scams before. The scammers sell something that is free from the U.S. State Department. Basically, they are businesses that advertise a U.S. government lottery in which the “winners” get visas to live and work in the U.S.

The real U.S. State Department Diversity Immigrant Visa Program (page here)

“. . .makes available 50,000 diversity visas (DV) annually, drawn from random selection among all entries to persons who meet strict eligibility requirements from countries with low rates of immigration to the United States.”

That page contains a fraud warning about green card lottery scammers.

Citizens from countries with low levels of immigration to the U.S. are eligible. The Philippines is NOT one of those, in spite of the email we received:


Countries that are ineligible are listed here: http://travel.state.gov/pdf/1318-DV2012Instructions-ENGL.pdf


See our October blog piece for the rates these guys charge: “Phony green card lottery sites abound”

Tom Kelchner

GFI Malware Minute weekly video feature

The GFI Malware Minute video is available for your viewing pleasure on the Sunbelt Software YouTube channel (and below).  

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI Sunbelt Software Blog, the GFI Sunbelt Rogue Blog and anything else we think might be of interest.

This week we have TDL4 rootkit analysis; four new rogues: ScanDisk, Internet Security Suite, Security Inspector 2010 and Ultra Defragger; phony game cracks, keygens and video tutorials; and a “see who has deleted you on Facebook” app scam.

Tom Kelchner

A royal engagement announced! SEO poisoning arrives quickly

The British royal family announced today that Prince William will marry his long-time girlfriend Kate Middleton next year. Every news source on the planet is gushing and the dark side of the Internet is taking advantage of the news coverage. Surf with care.

A Google search for “Kate Middleton” results in a poisoned link on the second photo under “Images for Kate Middleton.”



It leads to a photo, but that page then redirects to friefox.ddns.pl, where a Trojan is forced on to end users:



VIPRE detects the download as: Trojan.Win32.Generic.pak!cobra

It helps to know the version of the browser you’re using. In this case, Firefox 3.6.12 IS the latest version.

If you’re in doubt about the latest version available, check getfirefox.com which shows this:

Thanks Adam.

Tom Kelchner

Rogue downloads look real: read the fine print


Our intrepid rogue investigator Patrick Jordan was checking the latest evolution of the ThinkPoint FakeRean rogue and passed this along.

The fake “you need to install flash player in order to watch movie” gimmick obviously is still out there. The malicious folks behind ThinkPoint.FakeRean are using it to trick victims into downloading their rogue.

 “They are making them look real, but if the URL doesn’t show adobe.com then it is a fake,” Patrick pointed out.

Just because the “name” is flash_player_installer.exe, that doesn’t mean it’s genuine. This lure is especially suspicious because the pop-up window shows that it is going to download from the site pics24.video.servepics.com and not Adobe.



Here is the real Adobe page to download Flash Player: http://www.adobe.com/products/flashplayer/

Rogue Blog entry for ThinkPoint.FakeRean: http://rogueantispyware.blogspot.com/2010/10/thinkpoint.html

Thanks Patrick

Tom Kelchner

How the TDL4 rootkit gets around driver signing policy on a 64-bit machine

(Analysis by Chandra Prakash, Technical Fellow, GFI Labs )

On a 64-bit machine, Microsoft’s Windows operating system provides enhanced security by requiring that system and low-level drivers be signed. This policy, called the kernel-mode code signing policy, prevents any unauthorized or malicious driver from being loaded. [1.]

The TDL4 rootkit bypasses the driver signing policy on 64-bit machines by changing the boot options of the Microsoft boot programs so that an unsigned driver is allowed to load.

Here’s how it’s done:

The boot option is changed in memory by code executed from the infected MBR. The boot option sets the value of a configuration setting named ‘LoadIntegrityCheckPolicy’, which determines the level of validation applied to boot programs. The rootkit changes this setting to a low level of validation that effectively allows an unsigned malicious rootkit DLL to load. The rootkit DLL is kdcom.dll, an infected version of the normal kdcom.dll that ships with Windows.

The rootkit also disables debuggers by NOP’ing the debugger activation functions, as described below. This makes reverse engineering this rootkit very difficult! The KdDebuggerInitialize1 function (see below) in the infected kdcom.dll, which is called during normal execution of the system, installs the rootkit. The rootkit then hooks the IRP dispatch functions of the miniport driver below the disk to hide its malicious MBR.

On a normal machine an unsigned driver will show this message:

*** Windows is unable to verify the signature of
    the file \Windows\system32\kdcom.dll.

 By changing the boot option, display of the above message is also suppressed.

(This was researched on a 64-bit machine with Windows 7 installed)

 Infected Kdcom.dll with debugger functions NOP’ed out

.text: public KdDebuggerInitialize0
.text: mov cs:byte_1800019EC, 3
.text: xor eax, eax
.text: retn <– Debugger function NOP’ed out that prevents debugger attachment

.text: public KdSendPacket
.text: mov     cs:byte_1800019EC, 6
.text: retn <– Debugger function NOP’ed out

.text: KdDebuggerInitialize1
.text: lea     rcx, sub_18000190C <– This function installs the rootkit
.text: jmp     cs:PsSetLoadImageNotifyRoutine
.text: public KdDebuggerInitialize1 endp

Corresponding functions of clean Kdcom.dll

.text: public KdDebuggerInitialize0
.text: mov     [rsp+arg_0], rbx
.text: mov     [rsp+arg_8], rsi
.text: push    rdi
.text: sub     rsp, 20h

(snip)

.text: public KdDebuggerInitialize1
.text: sub     rsp, 28h
.text: cmp     cs:KdComAddressID, 0
.text: jnz     short loc_7FF7045112A

(snip)

.text: public KdSendPacket
.text: mov     [rsp+arg_0], rbx
.text: mov     [rsp+arg_8], rbp
.text: mov     [rsp+arg_10], rsi
.text: push    rdi
.text: push    r12

(snip)
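The difference between the two listings can be turned into a triage check, shown here as an added example that is not part of the original analysis or GFI's tooling: it walks the first instructions at an export's entry point and flags the export if it returns or tail-jumps before any stack frame is built. The byte strings are constructed from the mnemonics above with zero placeholder displacements, and the function names and the 32-byte window are assumptions.

```python
# Added example: triage heuristic for kdcom.dll export entry points.
# Byte strings are CONSTRUCTED from the mnemonics in the listings above;
# displacement bytes are zero placeholders, not taken from a real sample.

MODRM_ONLY = {0x31, 0x33, 0x89, 0x8B, 0x8D}   # xor, mov, lea: ModRM, no immediate
MODRM_IMM8 = {0x80, 0x83, 0xC6}               # group 1 / mov r/m8: ModRM + imm8
MODRM_IMM32 = {0x81}                          # group 1: ModRM + imm32


def modrm_len(code, off):
    """Bytes used by ModRM, optional SIB and displacement at code[off]."""
    mod, rm = code[off] >> 6, code[off] & 7
    n = 1
    if mod != 3 and rm == 4:                  # SIB byte follows
        n += 1
        if mod == 0 and (code[off + 1] & 7) == 5:
            n += 4                            # SIB form with disp32 and no base
    if mod == 1:
        n += 1                                # disp8
    elif mod == 2 or (mod == 0 and rm == 5):
        n += 4                                # disp32 (RIP-relative when mod == 0)
    return n


def classify_prologue(code, window=32):
    """Return 'stub', 'normal' or 'unknown' for the bytes at an entry point."""
    off = 0
    try:
        while off < min(len(code), window):
            if 0x40 <= code[off] <= 0x4F:     # REX prefix
                off += 1
            op, off = code[off], off + 1
            if 0x50 <= op <= 0x57:            # push reg: a frame is being built
                return "normal"
            if op == 0xC3:                    # ret before any frame setup
                return "stub"
            if op == 0xFF:
                if ((code[off] >> 3) & 7) in (4, 5):   # jmp r/m: tail jump
                    return "stub"
                off += modrm_len(code, off)
            elif op in MODRM_ONLY:
                off += modrm_len(code, off)
            elif op in MODRM_IMM8 or op in MODRM_IMM32:
                # sub rsp, imm (ModRM 0xEC after 0x81/0x83) allocates the frame
                if op in (0x81, 0x83) and code[off] == 0xEC:
                    return "normal"
                off += modrm_len(code, off) + (1 if op in MODRM_IMM8 else 4)
            else:
                return "unknown"              # opcode outside this small table
    except IndexError:
        return "unknown"                      # truncated instruction
    return "unknown"


def flag_stubbed_exports(entry_bytes):
    """Names of exports whose code ends before a stack frame is set up."""
    return sorted(name for name, code in entry_bytes.items()
                  if classify_prologue(code) == "stub")


INFECTED = {  # constructed from the infected listing
    "KdDebuggerInitialize0": bytes.fromhex("c605 00000000 03 33c0 c3"),
    "KdSendPacket": bytes.fromhex("c605 00000000 06 c3"),
    "KdDebuggerInitialize1": bytes.fromhex("488d0d 00000000 ff25 00000000"),
}
CLEAN = {     # constructed from the clean listing (up to each "snip")
    "KdDebuggerInitialize0": bytes.fromhex("48895c2408 4889742410 57 4883ec20"),
    "KdDebuggerInitialize1": bytes.fromhex("4883ec28 833d 00000000 00 7500"),
    "KdSendPacket": bytes.fromhex("48895c2408 48896c2410 4889742418 57 4154"),
}

if __name__ == "__main__":
    print("infected copy:", flag_stubbed_exports(INFECTED))
    print("clean copy:   ", flag_stubbed_exports(CLEAN))
```

A "stub" verdict is a triage signal only, since small legitimate leaf functions also return without a frame; confirm by comparing the file against a known-good copy of kdcom.dll for the same Windows build.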

[REFERENCES]

[1.] Kernel-Mode Code Signing Policy (Windows Vista and Later),  http://msdn.microsoft.com/en-us/library/ff548231%28VS.85%29.aspx

Thanks Chandra.

Tom Kelchner

Adobe: out-of-band patches for Reader and Acrobat tomorrow

 Adobe has announced that tomorrow it will release out-of-band patches for Reader 9.4 (and earlier 9.x versions) for Windows, Mac and UNIX, and Acrobat 9.4 (and earlier 9.x versions) for Windows and Mac to fix critical security issues.

The patch will fix the vulnerabilities CVE-2010-3654 and CVE-2010-4091.

Adobe issued a notification Oct. 28 that CVE-2010-3654 could cause Reader and Acrobat to crash and allow an intruder to take control of the affected system. Adobe said the flaw was being actively exploited. (Advisory here.)

The company said Nov. 4 that there had been public discussion of the CVE-2010-4091 vulnerability, which could cause a denial of service. (Advisory here.)

An update for UNIX is expected Nov. 30, 2010.

The next scheduled quarterly security updates for Reader and Acrobat are February 8, 2011.

Tom Kelchner

Fake journalist account asks for flood donations on Twitter

Scammers are attempting to cash in on a recent flood in Cagayan. Bernadette Sembrano, a well known journalist in the Philippines, is being impersonated by individuals looking to make a little money out of the misfortune of others.

The fake:
give me money

The real thing:
the real thing
Interestingly, this isn’t the first time the fake account (located at @bsembrano) has asked for money. A quick snap from Google cache confirms this:

more money please

While the above smart money account could be theoretically genuine, there’s no information to confirm this from the Twitter page and one wonders why such an account is pretending to be a well known journalist in the first place. It goes without saying, but always check the legitimacy of an account randomly asking for money. The account has 191 followers, which is potentially a lot of victims eager to hand over their money. We’ve notified Twitter of the rogue account and hopefully they’ll look into it shortly.

Christopher Boyd

Check if a friend has deleted you on Facebook (sure)

Insecurity sells


 Internet scams seem to aim at our most primordial instincts. Some of the noteworthy lures have been:

— Sex. How many “sex videos” can all the celebrities in the world really make?
— Fear of losing one’s health: thus there are thousands of “Canadian” pharmacy sites (in China) pushing all kinds of questionable medications.
— Making fast wealth: which brought us those 419 scams that seem to contribute significantly to Nigeria’s annual gross domestic product.

And now there’s a new one: the fear that one of your friends on Facebook no longer likes you.

Above is the Facebook post that will take you to this app:



[Side note (see red box in graphic): How insecure do you have to be to sign up for Facebook just to find out if a friend has deleted you? If you don’t have a Facebook account you don’t HAVE any Facebook friends yet! OR, who besides Bernard Madoff is so unpopular that people unfriend them on Facebook before they set up an account?]

Unless you’ve been living deep in the forest with only a dial-up Internet connection for the last five years, you’ve probably seen this before. The app must “protect” its content, so it requires you to play a game or “Save $$$ on Auto Insurance.” That isn’t exactly a computer security authentication scheme that’s on the test for Certified Information Systems Security Professionals.

 

To make this short: they collect your name, email address and cell-phone number, then try to sell you a subscription to get a quiz and two clues for $9.99 (billed to your cell phone) each month.

So if you’re really insecure about your Facebook friends, it’s going to cost you. And even if you don’t subscribe, just going this far results in your Facebook account being used to spread ads to all your friends about this loony service.

 

Which will give them more than ample grounds to unfriend you.

Tom Kelchner

Kirstie Allsopp’s Twitter account compromised, attacks Sir Alan Sugar

There were some very peculiar goings on in Twitter land today, as the account of Kirstie Allsopp seemed to be taking potshots at Sir Alan Sugar:

whoops

The only problem? She didn’t post that message, despite a bit of confusion and the fact that the pair of them had a very public argument recently.

not me

It seems like it might be an easy thing to work out: so far, the compromiser is apparently making all of their posts from an iPhone.

not again

Not so long ago, her account was hijacked and started sending out iPad spam. Methinks this time around she’ll be lucky not to get a “You’re fired” from Sir Alan…

Christopher Boyd

It’s time to get very serious about Java updates

“…an unprecedented wave of Java exploitation” – Holly Stewart, Microsoft.

Bottom line: many Java exploits go after vulnerabilities that have been patched. Since Java runs on a wide variety of platforms, this makes it a very serious vector. You should stay alert for the automatic Java updates. You also can check the Java site (see link below.)

 

The background hum of news about the increase in malware that uses Java vulnerabilities has now increased to a roar.

Today Daniel Wesemann wrote a very readable blog post on the SANS site about Java weaknesses.

Wesemann pointed to an October piece on Microsoft’s Malware Protection Center by Holly Stewart in which she writes: “What I discovered was that some of our exploit ‘malware’ families were telling a scary story – an unprecedented wave of Java exploitation.”

Wesemann described the method used by the recent “bpac” family of exploits. The Java vulnerability that it uses was patched in July, he points out.

The infection usually happens as follows:

“(1) User surfs to website that has been injected with the exploit
(2) Exploit pack triggers – it comes as an obfuscated JavaScript that downloads an (Java) Applet and a PDF
(3) The applet contains an exploit, here for CVE-2010-0840
(4) The applet is invoked with a parameter that tells it where to find the EXE
(5) If the exploit is successful, the EXE is downloaded and run”

And what is downloaded can be anything, like a back door that can steal your bank login information or turn your machine into a spam-pumping bot.
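Steps (2) to (5) of that chain leave a recognisable trace in web proxy logs: an applet download followed shortly by an executable fetched by the Java runtime rather than by the browser. The following detection sketch is an added example, not code from this post or from Wesemann's; the pipe-delimited log format, the hostnames, the sample lines and the 120-second window are all constructed assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

WINDOW = timedelta(seconds=120)        # assumed correlation window

# CONSTRUCTED proxy log, oldest first: time|client|url|content-type|user-agent
SAMPLE_LOG = """\
2010-11-15T10:00:01|10.0.0.5|http://news.example/index.html|text/html|Mozilla/5.0 (Windows; U) Firefox/3.6.12
2010-11-15T10:00:03|10.0.0.5|http://pack.example/a.jar|application/java-archive|Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_20
2010-11-15T10:00:03|10.0.0.5|http://pack.example/b.pdf|application/pdf|Mozilla/5.0 (Windows; U) Firefox/3.6.12
2010-11-15T10:00:06|10.0.0.5|http://pack.example/load.exe|application/octet-stream|Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_20
2010-11-15T10:05:00|10.0.0.9|http://vendor.example/setup.exe|application/x-msdownload|Mozilla/5.0 (Windows; U) Firefox/3.6.12
2010-11-15T10:06:00|10.0.0.7|http://intranet.example/app.jar|application/java-archive|Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_22
"""


def parse(line):
    """Split one constructed log line into typed fields."""
    ts, client, url, ctype, agent = line.split("|", 4)
    return datetime.fromisoformat(ts), client, url, ctype, agent


def find_applet_exe_chains(log_text, window=WINDOW):
    """Return (client, exe_url, jar_url) for each EXE that a Java runtime
    fetched within `window` of the same client downloading an applet."""
    last_jar = {}                      # client -> (time, url) of latest applet fetch
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url, ctype, agent = parse(line)
        path = urlparse(url).path.lower()
        if path.endswith((".jar", ".class")) or ctype == "application/java-archive":
            last_jar[client] = (ts, url)
        elif path.endswith(".exe") and "Java/" in agent:
            # Step (5): the download is made by the JVM, so the request
            # carries the Java runtime's User-Agent, not the browser's.
            seen = last_jar.get(client)
            if seen and ts - seen[0] <= window:
                alerts.append((client, url, seen[1]))
    return alerts


if __name__ == "__main__":
    for client, exe_url, jar_url in find_applet_exe_chains(SAMPLE_LOG):
        print(f"{client}: Java runtime fetched {exe_url} after applet {jar_url}")
```

Matching on the `.exe` extension keeps the example short; a production rule would also inspect the response body, since the payload does not have to carry that extension.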

For beginners: Java is a compiled programming language created by Sun Microsystems (now owned by Oracle) that can be used to create applications that will run on a virtual operating system or in your browser. You may have heard of JavaScript. That is different. That is a scripting language that is put in the HTML code of web pages to run in your browser.

Here is Oracle’s description of the two:

What is JavaScript and how is it different from Java Technology?

The JavaScript programming language, developed by Netscape, Inc., is not part of the Java platform.

JavaScript, does not create applets or standalone applications. In its most common form today, JavaScript resides inside HTML documents, and can provide levels of interactivity to web pages that are not achievable with simple HTML.

Listed are key differences between the Java and JavaScript.

    * Java is an object oriented programming (OOP) language while Java Script is an OOP scripting language.
    * Java creates applications that run in a virtual machine or browser while JavaScript code is run on a browser only.
    * Java code needs to be compiled while JavaScript code is all in text.
    * They require different plug-ins.

How to check to see if your machine needs updates

To test your machine to see if the latest version of Java is installed, go to this test link with your browser: http://www.java.com/en/download/help/testvm.xml

If your Java installation is out of date, you will see something like this:

 

If you have the current version, you will see something like this:

Tom Kelchner

Patch Tuesday

On Patch Tuesday this month, Microsoft released three security bulletins:

MS10-087 — Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (critical — remote code execution)

MS10-088 — Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (important — remote code execution)

MS10-089 — Vulnerabilities in Forefront Unified Access Gateway Could Allow Elevation of Privilege (important — elevation of privilege)
   
Bulletins here.

Tom Kelchner

Modern crime: teen burglar left machine logged into Myspace

Break in, smoke some pot, play on Myspace

The South Florida Sun Sentinel (Miami and Dade County) is reporting that sheriffs in the Florida Keys arrested an 18-year-old man after they were called to the scene of a break-in and found a computer logged into the suspect’s Myspace account.

The Monroe County Sheriffs office said deputies arrested Robert Rupp, 18, of Big Coppitt Key, near the scene of the break-in and charged him with burglary, possession of burglary tools and theft.

The deputies said they were summoned by a caretaker who noticed someone inside the house on Sugarloaf key. They found an open window, empty food and beverage containers, marijuana and a bedroom computer turned on and logged into Rupp’s Myspace account.

Story here.

Tom Kelchner

Surveys: here to stay

You can guarantee that every time a new product comes out, someone will be offering a “free” version of it in return for filling in a survey.

Yes, we’re all thoroughly sick of surveys. What caught my eye more than the entirely predictable “cracks” for Call of Duty Black Ops was a link sitting in most of the videos I saw:

fake cracks

“How to download”. Clicking that took me to scdownloads(dot)za(dot)pl, which actually gives the end-user step by step instructions on how to access files stored on “fill in a survey to download” sites such as Sharecash. Multiple languages, too!

how to download

fill these in...

I’ve no idea who created that website, but obviously individuals are so worried end-users won’t generate money for them that they’re resorting to giving us “The idiot’s guide” treatment. And that particular website isn’t limited to promotion in random fake crack videos, either – you’ll find it being linked to from all manner of offers, “freebies” and pilfered content:

links galore

Windows 7 mobile downloads, PS3 jailbreaks, MTV videos, shop hacks, Sony Vegas movie studio keygens…you name it, someone is doing their level best to have you fill in a survey with as little confusion as possible. I’m not entirely sure how “fill this in” could be confusing, but to give you an idea of the way that site is being linked to (and how popular links to surveys are on video sharing portals):

how many?

YouTube is telling me it has about 15,000+ links to the tutorial page, and there are fifty pages of links from the last day.

fifty pages of junk

That’s fifty pages of links to surveys, garbage downloads and – of course – a wonderful tutorial ensuring end-users make the most out of getting nothing in return for signing personal information away.

Surveys: most definitely here to stay.

Christopher Boyd