A Year In Security

2009 has seen some incredibly diverse and creative attacks - shall we take one last look at the scams, hijacks and infections that particularly caught our eye?

January: If someone told you people will pay good money to have a third party create a Botnet designed to DDoS gamers out of Xbox console sessions, you might have wondered what exactly they were talking about. However, this technique (which has remained off radar for quite some time) finally went mainstream with every second script kiddy trying to work out how to do it via endless Youtube tutorials and "What am I doing wrong" posts on hacking forums.

Attacks on games and gamers have been a constant thread in research this year, as scammers realise there's a fair amount of money invested in gaming profiles - and those profiles can be bought and sold, just like any other stolen account. Attacks on consoles provide a bit of a headache for office network admins, who may well be jumping on the "put a net connected console in the office rec room and leave it to its own devices" bandwagon. Not a good idea...

February: Taking the idea of valued gaming accounts one step further, Erik Larkin of PC World explored the attacks on Steam account holders via phishing techniques. Steam accounts can have hundreds (or in some cases thousands) of dollars invested in them, and regular seasonal sales tend to send profits through the roof. Indeed, there's a heavy collection of "ten free games in exchange for your login" phish pages in circulation at the moment. Don't be fooled!

April: You can never be too careful with downloads, as this story readily illustrated. An instant messaging password stealer (that could disguise itself as Yahoo Messenger, Live Messenger or Skype) turned up on Download.com, a trusted source of legit downloads. Rogue elements will sadly always slip through somewhere, but full credit to CNET for removing the offending program quickly.

June: A program surfaced claiming to be a mail bombing extravaganza that would smite all of your enemies. The catch? You had to give them your own email address to use it.

We've seen many, many programs that attempt to punk out people in the hacking / cracking communities, and while the majority of those files tend to stay on hacking forums, some do occasionally creep outside into the daylight.

July: Oh dear. Targeting twelve year old kids? There's lame - then there's this. Popular social networking / gaming site Neopets came under attack from individuals who decided to offer kids "magical paintbrushes" for their Neopet in return for running an executable file. Of course, those files would be Trojans, password stealers and various other nasties in disguise. Taking advantage of a young child's desire to obtain rare ingame items - then break their computer - is one of the lowest attempts at being "a hacker" we can think of.

There was also a look at Xbox Gamerscore hacking - a technique used by people who want to artificially inflate statistics related to a gaming account then sell it on.

Did we mention the Megan Fox fake sex tape yet? No? Well, here it is (an article about it, anyway). Celebrities will always be used as low hanging fruit as a means for people to infect themselves or fill in surveys and Megan is no exception where that is concerned.

August: Here we arrived at what seems to have been a phishing page linked to from a legit Facebook application URL. There was also this infection, designed to overwrite all the images on your PC with the word "Hacked". The Facebook attack was fairly inventive, though we haven't seen a repeat performance so that's good news.

September: Twilight fever. This was always going to be sucked into various scams and sure enough, just before New Moon came out in cinemas, sites such as Youtube had videos on them promoting "online versions" of the film. In reality, all you got for your trouble was Zango installers and empty pages.

Can't have an end of year summary without a mention of Zango!

October: This particular file hit the streets a little while after Google Wave invites were no longer the hot topic of debate, which probably helped to lessen the impact. A fake Google Wave invite generator most certainly did not generate invites of any kind, but did seem to be a likely candidate for harvesting email passwords. Clever.

We also talked about Gamers Under Fire at SecTor 2009, a security conference held in Canada. You can take in all the conference presentations here - they're well worth checking out.

November: Ah, Facebook applications. Sometimes you get rogue ones - other times, you get scams like this where no applications exist. Someone had the idea of putting together a fake program that claimed to exploit a genuine application by revealing who-said-what about you. Of course, this was all nonsense and the program infected your PC with a horrible file of the attacker's choosing. A simple but effective attack technique.

December: We'd been writing about various fake "work from home with Google" scams all year long, and it was nice to see some of them finally being tickled with the legal stick. Long may it continue.

We wound up the year with ZBot, in the form of a fake "Your VISA account has been compromised, download this file to see what's been going on" alert.

A wide-ranging set of attacks then, and a good indication (as if any were needed) that social networks, popular culture, videogames and the lives of celebrities will be targets for Botnets, exploits, scams, get rich quick schemes and every fake program you can think of well into 2010. It will be interesting to see how many 2.0 sites maintain a robust privacy policy (if such a thing is even possible) in the face of potential earnings from ad revenue, and how easy (or difficult) those policies will make it for those who want to use that data for nefarious purposes.

This is a rather interesting little tool. People have been making Youtube video rating tools (and spam commenters) for a while now, but with varying degrees of success.

This one combines the two, and also attempts to randomise the Bot comments to some degree, meaning Youtube may well miss a chunk of the fake ratings / messages attached to each video.

Shall we take a look?

This is the rating / comment bot in question, taking the form of an application wrapped around IE:

Youtube Comment Bot, originally uploaded by Paperghost.

In an attempt to win a game of "miss the Bot", the program preloads 50 accounts and numerous comments, and divides the accounts across five "wave" buttons, each containing 10 Youtube accounts. When a user runs the program, the following file is dropped into the Win32 Folder:


It doesn't appear to do anything harmful to the target PC - it simply acts as the source for the account logins and comments.
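The post notes earlier that the bot randomises its comments a little so that identical-text filters miss some of the wave. The added example below (my own code, not the bot, not Youtube's and not from the original post) shows the defender's counterpart: normalise each comment into word-bigram shingles, group near-duplicates by Jaccard similarity, and flag any group that is both large and spread across several accounts, which is exactly the shape a 50-account "wave" produces. The comment and account names are constructed sample data.

```python
import re
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed sample of (account, comment) pairs, standing in for comments
# scraped from one video. Comments 0-2 are one template with the small edits a
# comment bot makes; 3 and 4 are genuine, unrelated comments.
SAMPLE_COMMENTS: List[Tuple[str, str]] = [
    ("acct_wave1_03", "Great video! Get free gamer points at the link in my profile"),
    ("acct_wave2_07", "great video!!! get free gamer points at the link in my profile :)"),
    ("acct_wave3_01", "Awesome video, get free gamer points at the link in my profile!"),
    ("regular_viewer", "This video is great, thanks for uploading"),
    ("another_viewer", "lol the guy at 2:15"),
]


def shingles(text: str, n: int = 2) -> Set[Tuple[str, ...]]:
    """Normalise a comment (lowercase, alphanumeric tokens) and return its word n-grams."""
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def jaccard(a: Set, b: Set) -> float:
    """Set overlap in [0, 1]; punctuation and emoticon changes barely move it."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_comments(comments: List[Tuple[str, str]], threshold: float = 0.5) -> List[List[int]]:
    """Union-find over comment indices whose shingle sets are near-duplicates."""
    parent = list(range(len(comments)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    sets = [shingles(text) for _, text in comments]
    for i, j in combinations(range(len(comments)), 2):
        if jaccard(sets[i], sets[j]) >= threshold:
            parent[find(i)] = find(j)
    groups: Dict[int, List[int]] = {}
    for i in range(len(comments)):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())


def flag_templated_spam(comments: List[Tuple[str, str]], min_size: int = 3,
                        min_accounts: int = 2, threshold: float = 0.5) -> List[List[int]]:
    """Return clusters big enough, and spread over enough accounts, to look like a bot wave."""
    flagged = []
    for group in cluster_comments(comments, threshold):
        accounts = {comments[i][0] for i in group}
        if len(group) >= min_size and len(accounts) >= min_accounts:
            flagged.append(group)
    return flagged


if __name__ == "__main__":
    for group in flag_templated_spam(SAMPLE_COMMENTS):
        print("templated cluster from accounts:", [SAMPLE_COMMENTS[i][0] for i in group])
```

Shingling rather than exact matching is the point: the three templated comments differ in punctuation, case and one leading word, yet two of them are identical after normalisation and the third still shares 10 of 12 bigrams with the others, so all three land in one cluster while the two genuine comments do not.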

Anyway, depending on which wave you select, a randomly selected account from each group of ten tries to log in to Youtube and rate / comment on a video of your choosing. Some of the accounts have already been flagged by Youtube, so they're not doing quite as well as they'd hoped:

Account Disabled, originally uploaded by Paperghost.

It's easy enough to find some of their success stories, however.

Here's one:

Youtube Comment Bot Spam, originally uploaded by Paperghost.

Here's another, it's Banhammer time:


As you might have guessed, this program has been in circulation on numerous hacking forums for a couple of weeks now and in general, the comments are being posted to videos promoting fake programs that are actually infection files.

Not that you should ever take notice of Youtube comments anyway, of course...

The VGA awards took place yesterday, and in the mad dash to see the trailers from the show online, spam bait such as this is appearing on sites such as Youtube:


From there, you're taken through a long chain of sites asking for a "Minute of your time" to select and fill in one of a wide range of offers involving sites such as


An "end game" set of selections are all lumped together on this splash page:


with all of the landing pages hosted at


Quite a lot of hard work for some advert spam, and at every landing page you're told the "free videos" are one step away (even though they all turn out to be adverts and offers). There are $1000 gas cards, Mc Donalds VS Burger King and "Soda survey" (exciting!) to choose from, along with lots of other offers I couldn't possibly recommend filling in. Of particular note is the "favourite twitter celeb":

twitter celeb, originally uploaded by Paperghost.

What's slightly more worrying is the above offers are geographically targeted - if you're outside the States, you're dropped onto this URL:


If you're in Europe, the page is blank. But if you go back with a US IP address, you may be served up with an embedded Facebook login page to access an application called "Loot" or an application called "Fish Isle":

Facebook Ad, originally uploaded by Paperghost.

While this appears to be a legit ad and not a phish, served up from


...the practice of popping login prompts from random redirection scripts is not a good one, and not something end users should be trained to accept. That could just as easily have been something more malicious, and (funnily enough) it only makes me somewhat suspicious of the applications being advertised.

Marketing fail?

If you receive an EMail claiming to show an "online statement" from VISA, beware - you'll be walking into a trap of the "horrible infection file" variety.

A website (with a .co.uk domain but hosted in India) is playing host to the following fake setup, asking you to download an "electronic report" of your card transactions in relation to fraudulent transactions:

ZBot Visa EXE, originally uploaded by Paperghost

Of course, the "statement" is in the form of an executable related to our old friend Zbot, which has been spammed out in every form of scam possible, from fake Windows and Outlook updates to phish attacks and server updates.

Should you download and run it, your PC will immediately start making calls to the following domain:


That particular URL has been linked to Zeus Botnet C&C and other dubious practices - currently, it appears to be offline. The infected PC will have a file called SDRA64.exe running in the System32 Folder, which is a rather nasty little thing associated with everything from banking data theft to keylogging and IRC. The good news is, that particular file has been around for a while so detection levels across the board should be pretty good at this point (I'd double check with VirusTotal, but I'm not alone in having some issues with that site at present).
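The two host indicators this post gives (SDRA64.exe running from System32, and the Cardstatement.exe dropper) are the kind of thing you sweep a suspect machine for. The added example below is mine, not from the post and not a vendor tool: it reads a process snapshot in a simple `name,pid,path` CSV shape (the snapshot itself is constructed sample data; how you export it from a real host is up to you) and reports any image matching an indicator, noting whether it runs from the System32 location the post describes. The C&C domain is not included because the post elides it.

```python
import csv
import io
import ntpath
from typing import Dict, List

# Host indicators taken from this post (lowercased for comparison).
# Role labels are my own: the statement "file" is the dropper, SDRA64.exe the
# component left running afterwards.
INDICATOR_FILES: Dict[str, str] = {
    "cardstatement.exe": "dropper (fake VISA statement)",
    "sdra64.exe": "ZBot component resident in System32",
}
EXPECTED_DIR = r"c:\windows\system32"

# Constructed process snapshot: name,pid,path. Two rows are infected-host
# artefacts, the rest are ordinary Windows processes for contrast.
SNAPSHOT_CSV = r"""name,pid,path
explorer.exe,1204,C:\Windows\explorer.exe
svchost.exe,888,C:\Windows\System32\svchost.exe
SDRA64.EXE,2316,C:\Windows\System32\SDRA64.EXE
cardstatement.exe,2400,C:\Users\victim\Downloads\cardstatement.exe
notepad.exe,3120,C:\Windows\System32\notepad.exe
"""


def triage_processes(snapshot_csv: str) -> List[Dict[str, object]]:
    """Return every process whose image file name matches a known indicator.

    Matching is case-insensitive on the basename of the full path (not the
    reported process name, which a dropper can spoof), and each hit records
    whether it runs from the System32 location the post associates with SDRA64.exe.
    """
    hits: List[Dict[str, object]] = []
    for row in csv.DictReader(io.StringIO(snapshot_csv)):
        image = ntpath.basename(row["path"]).lower()
        role = INDICATOR_FILES.get(image)
        if role is None:
            continue
        hits.append({
            "pid": row["pid"],
            "path": row["path"],
            "role": role,
            "in_system32": ntpath.dirname(row["path"]).lower() == EXPECTED_DIR,
        })
    return hits


if __name__ == "__main__":
    for hit in triage_processes(SNAPSHOT_CSV):
        where = "System32" if hit["in_system32"] else "elsewhere"
        print(f"pid {hit['pid']}: {hit['path']} -> {hit['role']} ({where})")
```

The check keys on the basename of the on-disk path rather than the process name so that a renamed or spoofed name column does not hide a hit; `ntpath` is used so the Windows path logic runs the same on any triage workstation.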

Never, ever download an executable file mentioned in an EMail claiming to be from your bank - you'll end up in a world of hurt.

We detect the file as Cardstatement.exe. A huge thank you to Senior Threat Researcher Peter Jayaraj for his late night assistance with this one!

Since the highly publicised wave of console bans for anybody found pirating XBox games (and, to a lesser extent, cheating on the XBox Live network), there seems to be a rather popular item appearing all the time on sites such as EBay.

Shall we see what it is?

Let's fire up EBay, and see how early a suggestion appears for the item we're looking for:


...oh dear. Why would people buy a warranty sticker for a games console? Simple:


Nobody is going to take your console as a "broken" return from the place you bought it when the warranty is screaming "leet hax", right? Warranty sticker sale waves seem to come and go on trading / selling sites, but they seem to be coming back into fashion at the moment. Here's a few samples:


As you can see, a reasonable moneymaker for the seller. I particularly like the text on this one:

That's right, a sticker for your COLLECTION! I guess these are the new Pokemon cards.

Here's one final batch - apparently these are the newer type of warranty sticker, which greatly increases your chances of getting a new console out of the store you bought it from (instead of them hitting you with the "cheater" stick and chasing you out of the building).


I'll stick with Pokemon, I think...

Spot The Hack

Sometimes, I see strange things.

This is one of those moments. Can you see where the defacer has worked their "magic" on the below website called foremostbeverage.com?

Could it be here, right at the top of the page?

spot the hack 1, originally uploaded by Paperghost.


Perhaps they did their damage on the sidebar, or posted malicious URLs where the Social Networking sites should be?

spot the hack 2, originally uploaded by Paperghost.


Ah, they probably tampered with the fancy ad rollover and redirect you to some horrible .ru domain stuffed with Adware and Spyware and...

spot the hack 3, originally uploaded by Paperghost.

Nope. Hang on, what is that?

spot the hack 4, originally uploaded by Paperghost.

There. Right there. Allow me to use a large red arrow, drawn in MS Paint:

spot the hack 5, originally uploaded by Paperghost

It appears to be moving. What on Earth could it possib -


...oh. Well, that's different.

We have of course notified the site owners (and don't think we didn't spot the hidden text message on the website, either). Now if you'll excuse me, I have a serious case of banana related eye strain...

The Futility Of EULAs

Here we have a typical IM toolbar (SweetIM), which has a rather curious EULA.

Sweet? Nope..., originally uploaded by Paperghost

Yes, they really want you to download this program. What particularly caught my eye was the age requirements on the EULA:

Please note: (1) you MUST be 13 years or older to install or to use the SweetIM Software. If you are not yet 13, do not download SweetIM Software

Thirteen? I must admit, I don't see many applications with an age requirement as low as that.

Okay, fine. You want to allow 13 year old kids to download this thing, fair enough; they're not stupid. However, if you're going to aim your app at kids that young, you probably shouldn't include a EULA that takes about six weeks to read.

Seriously, check it out.

Ten points to anybody who can explain how a reasonably intelligent adult could plough through that lot, let alone a kid. The default narrow web browser it opens in (see the above screenshot) makes it appear to be even longer than it actually is. I dusted off our EULA Analyzer to see what it thought of it all; the results are pretty much as you'd expect. That is to say, completely ludicrous:


According to the above, an application that they want thirteen year olds to use has a EULA that's BEYOND twelfth grade reading level. For those of you not in the States, a twelfth grader is usually seventeen or eighteen.


170 sentences, 5,000+ words, 34-odd words per sentence... enjoy, kids!
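The post doesn't say which formula the EULA Analyzer applies to get its "beyond twelfth grade" verdict, so the added example below (my own code, not the analyzer and not from the post) uses the standard Flesch-Kincaid grade level, which is driven by exactly the two quantities the post quotes: words per sentence and syllables per word. The licence excerpt is a constructed sample in EULA style, not SweetIM's text, and the syllable counter is a vowel-group heuristic rather than a dictionary.

```python
import re
from typing import Dict, List

# Constructed excerpt in the style of a software licence, used only to show the
# arithmetic; it is not SweetIM's EULA.
SAMPLE_EULA = (
    "By installing the Software you agree to be bound by these terms. "
    "The Licensor grants you a limited, non-exclusive, non-transferable "
    "licence to use the Software. You must be 13 years or older to install "
    "or use the Software."
)


def split_sentences(text: str) -> List[str]:
    """Split on sentence-ending punctuation followed by whitespace."""
    return [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]


def words(text: str) -> List[str]:
    """Tokens of letters, digits, apostrophes and hyphens ("non-exclusive" is one word)."""
    return re.findall(r"[A-Za-z0-9'-]+", text)


def count_syllables(word: str) -> int:
    """Vowel-group heuristic: count vowel runs, drop a silent trailing 'e', never below 1."""
    w = re.sub(r"[^a-z]", "", word.lower())
    n = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith("le") and n > 1:
        n -= 1
    return max(n, 1)


def readability(text: str) -> Dict[str, float]:
    """Sentence/word/syllable counts plus the Flesch-Kincaid grade level."""
    sentences = split_sentences(text)
    ws = words(text)
    syllables = sum(count_syllables(w) for w in ws)
    words_per_sentence = len(ws) / len(sentences)
    syllables_per_word = syllables / len(ws)
    # Flesch-Kincaid grade = 0.39 * (words/sentence) + 11.8 * (syllables/word) - 15.59
    grade = 0.39 * words_per_sentence + 11.8 * syllables_per_word - 15.59
    return {
        "sentences": len(sentences),
        "words": len(ws),
        "syllables": syllables,
        "words_per_sentence": round(words_per_sentence, 2),
        "fk_grade": round(grade, 2),
    }


if __name__ == "__main__":
    for key, value in readability(SAMPLE_EULA).items():
        print(f"{key}: {value}")
```

Even this short, plainly written excerpt lands around grade 7; the 0.39 weight on sentence length is what makes a 34-word average sentence, as quoted in the post, push a real EULA past twelfth grade before vocabulary is even considered.
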

Proving conclusively that there is no honour among thieves (as if you needed proof), here's a website that goes hunting for so-called "big fish" - namely, phishers with a plentiful collection of logins stored on their phishing pages.

The website itself is free of content, save for one small search bar at the top of the screen.


As you've probably guessed, the wannabe Whaler (traditionally a hunter of high level executives and CEOs, now turning their target on, um, random phishers) enters the URL of a confirmed phishing site into the box and hits "Submit".

At this point, the site checks a large list of common (and not so common) filenames that are likely to contain lots of logins gathered up by the original phisher.

If the Whaler is successful, they'll see something like this:


From there, it's simply a case of the Whaler collecting the logins, changing all the passwords and bumping up their tally of stolen details with a minimum of effort. If you're one of the phishing victims whose login details are now changing hands from phisher to whaler, you have my apologies - it can't be nice to see your already stolen account become that little bit dirtier.

While the above site will no doubt be crashing and burning sometime in the near future (especially as the free hosting it sits on can't seem to cope with the strain of becoming the most popular site on the web for script kiddies and account stealers in general), you can bet there will be endless copycats to take its place.

Can't wait to see what "Version 2" brings...

Hm - not so much a "porn success" as a "porn fail".

I find it rather interesting that, in the wake of the recent hunt for individuals caught sharing pornography via P2P applications, many programs such as these are suddenly appearing on forum links, downloads and chat rooms:


"Porn Downloader", which for all the world is made to look like some kind of primitive P2P application, even though the program is designed to let you select a file for download from a website and then manually grab it - so not quite the same thing.

The similarity is still striking, especially as the above fake application would be 100% pointless if it were real - why would you use a program like that to download something when you would (logically enough) simply right click and save as? It goes without saying that the program is a fake, designed to be wrapped up with whatever virus, worm or trojan the attacker feels like.

Here's another one, this time claiming to grab you lots and lots of free passwords from paid-for porn sites:


Despite the password / login box, you can enter anything you like - or nothing at all - and be taken straight to the application proper.


"If no accounts show up please try again later" - well, you'll probably be too busy trying to remove whatever infection file has been bound to the fake application to care (not that the program gives you any logins - it doesn't).

As usual, steer clear and think twice before grabbing programs such as the above. If the legal letter slingers don't get you, the infection files will...

I've talked about Botnets used to kick gamers out of sessions before, but I thought it might be interesting to check out some of the current pricing, along with a few other things.

Botnets and Gaming - wha?

People have been using various means to lag people out of games for many years, but it had always been a PC thing. The moment online console gaming took off, somebody realised most console gaming sessions were peer to peer (which meant IP addresses were easy to grab), combined Botnets with moneymaking and rolled out an unstoppable army of teabagging and headshottery.


It all depends on the game. Most online console games offer up rewards for progressing through the ranks, be it additional items, weapons, outfits and / or levels.

Stolen high level accounts in games such as Halo fetch a tidy sum on the black market in their own right (would anybody have seriously thought a stolen gaming account could pull in as much as $25 a few years ago?), but the art of "host booting" has turned into a bit of a money spinner.

There are three main ways of lagging a game out, and depending on how the game works, the various types will be deployed or blended to ensure the attacker wins the game and levels up.

1) Lag switching. A lag switch can be picked up for around $20, and if you've ever been in a game that appears to be frozen while the other team happily runs around shooting you this is likely the culprit. Quite common, unfortunately.

2) Host forcing. More often than not, many games come down to who happens to be hosting. To ensure the hosting advantage (which may or may not be debated endlessly by those who dispute being pwned by something as basic as "my connection wasn't as good"), the art of "host forcing" was born. Typically, a combination of programs is used, such as Zone Alarm, Commview and custom-built programs such as this one:


...to discover the IP addresses of the players and start throwing them into various "Trusted zones" (which then leads to the not-entirely-sophisticated process of, er, waggling sliders up and down rapidly in Zone Alarm. Nobody ever said this was an elegant solution). That "ION" program has been around since the days of Halo 2, by the way.

Once you have the host, the theory is that you have a slight advantage over the other players because you have no lag. However, this isn't enough for the cheaters, so what they do is hit the "standby" button on their router; when the game comes back (after lagging all over the place), everybody bar the host is still lagging. This results in lots and lots of headshots, with a fair amount of swearing from the others in the session.

Worse, in addition to single players doing this, whole teams can bridge their connections and attempt a "team standby", where one team is fine but the other is doomed.

Not very nice, but there you go.

3) DDoS Host Booters. These are probably the worst of the three tactics on offer, and involve custom made programs that target specific players, then knock them offline via a dedicated Botnet. This is no different to someone aiming a regular Botnet at your home connection.

host booter, originally uploaded by Paperghost.

As already mentioned, most console games are peer to peer and because you can use Internet Connection Sharing with an XBox console, it's the easiest thing in the world to grab some IP addresses and have some "fun". Because the attacks target the player rather than XBox Live itself (which would likely be a futile effort) it's quite difficult to do anything about it.

Many saw an opening for money making with this technique, because there are no end of technologically clueless (but very angry) gamers out there who want to get even.

Want to DDoS someone, win that online session and move up a rank or three? No problem, pay us and we'll create a custom built DDoS Low Orbital Cannon to clear out the noobs. Some games punish players / teams that leave a session early, removing experience points and / or awarding the win to the other team which makes this technique rather appealing.

Although getting on a bit, the below pricing structure is pretty much what it is now:


$5 for a Bot, with nothing else. This is the option for those who already know what they're doing and have a Booting program ready to roll.

$10 for a Bot AND a Booter, for those who have no idea which Booter to pick. You're not going to kick many people out of Halo 3 with one Bot, however, so from there it's $2 per additional infected computer added to your Botnet of Doom.

$5 extra is needed if you want them to go dabble with your network / Firewall, and it's $20 if you want them to remote into your PC and set EVERYTHING up for you. Also note that they'll put a fake icon onto the infection file they're trying to nail people with on your behalf - I suppose paying up is in your best interest if you want them to infect as many people as possible.

Some charge per game and / or rank in a particular game, rather than per Bot, because hey - they're just that nice, and (more importantly) they figure once you've set up a Botnet for someone you probably can't get any more money out of them. Keep control of the Botnet, however, and you'll have money rolling in for as long as the buyer wants to DDoS gamers.


Dedicated Host Booting sites that contain both Booting programs and tutorials are a relatively new addition to the ranks, but they're definitely growing in number. Here's a membership sample from one of the more recent portals:

host booter community (screenshot)

Worryingly, there are rewards for promoting those communities:


Free Bots? Yep. I've seen one or two sites offering up to as many as 30 or 40 free Bots in return for spreading the word. It's interesting how console gaming is becoming a bit of a driving force for individuals racing out to infect computers, and I don't think the situation will improve anytime soon...