May 2006 Archives

In a surprising twist, the YapBrowser project is back online and loose on the Internet, or at least the site is back online.

yap-browser-may-screen-shot.gif

This time the website claims:

"YapBrowser is a browser which will make searching for any information online much simpler. Download YapBrowser for free and forget about getting to sites containing harmful exploits. Your computer will be free from viruses breeding online. Attention! You can download a 100% free adult version of YapBrowser. Using it you will be able to search for and browse adult content for free. There is a 100% guarantee no system infection will occur when using our software. YapBrowser is the only browser which gives you safe search and browsing capabilities. Now you can download it for no cost at all."

So it is an adult version this time around, the user is getting a warning up front and, you guessed it, it's free, now backed by a 100% guarantee you won't experience a "system infection".

For those who are new to the saga you can check out the interview with the creators behind the software as well as some general advice. It is a lengthy read.

YapBrowser: The Interview
YapBrowser Questions and E-mail Interview
Yapbrowser...Not Something You'd Want to Plugin To!

Naturally we do not recommend the software given the highly debatable history behind it.

Thus far our tests indicate:

1. YapBrowser is up for download.
2. The MD5 of the main executable is the same as that of the earlier file.
3. No third-party downloads were seen, nor were any third-party DNS queries made during the download.
4. Currently the software is not working properly (404 error pages are received for every URL entered).
5. Currently Yupsearch.com is redirected to yapbrowser.com.
6. The Adult Browser download link is not active.
7. No phone-home activity seen.

We'll be watching, but I suggest users steer clear.

Hot on the heels of the Botnet caught bundling Zango a few days ago, here's an interesting one I found while lurking in the outermost regions of IRC yesterday...

First off, check out this IRC server. It's fair to say it has a large userbase (at least 16,000 channels!):

http://blog.spywareguide.com/upload/2006/05/btchans1-thumb.jpg

...and with that many users, it's a prime target for Botnet pimping. So with that in mind, let's pick up that Pimp Goblet and get things moving!

Assume...just assume...that IRC is, in fact, full of spammers, viruses, Trojans, haxx0rs and Malware. Then...assume that lots of infected users fire spam messages at you to try and infect you with more garbage, making you a part of that particular Botnet.

Then...assume I had a Spam message fired at me myself, and decided to have a play with the files....

...and sure enough, that's what happened! At this point, I'd usually show you a screenshot of the infection taking hold of the PC, but the thing about "straight" Botnet installers (ie: minus Adware) is that they aren't much use if they put a big, flashing "Botnet Alert!!!!112" message in the middle of your screen. But what I can show you, is a walkthrough of what this particular nasty actually does.

Suffice to say, this install takes place in two parts, and is run via two different Botnets - the Spam installers come from one source, and the Scanner installers come from another. This is merely a safety precaution - if you lose all your Spam-bots due to being shut down, you still have your "Scanner Bots" (which hunt for exploitable machines), and vice versa. No point rebuilding an Empire from scratch, right?

Now let's examine the state of the Server itself - the view is not pretty. The Admins of the IRC server clearly know about the Bot problems - because I've never seen so many Bot kickers, drone watchers and channels full of infected users being dumped out of channels in my life:

http://blog.spywareguide.com/upload/2006/05/btbanned1-thumb.jpg

As you can see, my IP has been banned from that channel due to the fact it was used when I tested this infection previously - hence, I'm kicked out by a Channel Operator. In addition, I'm not even allowed to enter the other channel (blanked out) - such is the hatred here for Bots. Well, it's understandable.

At this point, I enter one of the (semi-random) channels I know this Bot tries to slip you into from my clean PC...and I wait for my infected test-box to show up. See, this thing works like this: user gets infected, infected PC enters and exits a number of IRC channels and has a particular phrase set as the "away" message. At this point, the away message is Spammed to lots of different users, or is viewable when they look up the infected user's contact info. While I'm waiting for my infected machine to show up, I'm bombarded with what looks like different Bot-spam from anything up to 12 different users within the first 10 seconds of entering the channel. Eventually, my infected PC turns up, and I know for sure that this Botnet is up and running correctly. Of course, all the infected PCs are called things like HOTGURL4YOU, to encourage foolish men to start messaging the Bot like crazy. Which they do....and they then see the away message:

http://blog.spywareguide.com/upload/2006/05/btwhois1-thumb.jpg

Ooh, yes please!! Want to make a guess how many people will fall for this simple bit of social engineering? Sure enough, anyone foolish enough to click the link and execute the - er - executable...will find themselves upgraded to a higher realm of Botnets!

The "higher realm" here means a Botnet that scans networks for specific vulnerabilities to spread itself still further. I know what you're thinking at this point - the story wouldn't be complete without a screenshot of the master infection channel, right? Well, have no fear, because the Ghostman has already predicted your need to see a payoff shot and here it is:

http://blog.spywareguide.com/upload/2006/05/btmaster1-thumb.jpg

Nice!

As a sideline, I should add that I don't just find Botnets and take a bunch of pretty pictures, before leaving them to go look for new ones - appropriate steps are taken to get them shut down where possible. I've since found out this one is also being investigated by another group, and I'll be forwarding the information I've collected here to see if it can be put to good use.

In the meantime, if you insist on navigating the dangerous currents of IRC, think twice before checking out SUPAHOTTIEGURL's latest batch of home-grown pictures, or you may find yourself appearing in my next collection of screenshots!

A Tiny Botnet...


...with the potential to turn into a raging beast, or something. Check this out, it's what you might call a "holiday snap" from inside a real-live Botnet, minus the fake tan and short-shorts:

http://blog.spywareguide.com/upload/2006/05/tinynet1-thumb.jpg

The most users this channel has ever had in it at one time is 18. However, the channel had a fair amount of activity in it while I was there...infected users kept dropping in and out at regular intervals. Could be one to keep an eye on.

Of course, what's even more fun than keeping an eye on a Botnet, is trying to get it shut down. Yes, it'll probably just re-emerge somewhere else, but you have to keep these guys on their toes. It's the only way to go...

...or should that be Smileys?

Check out the below site:

http://blog.spywareguide.com/upload/2006/05/dbrdl3-thumb.jpg

Looks nice and innocent, right? Mr Smiley of Smiley Central looking all happy and, er, smiley on a website that basically fires you off to various top 100 lists and other "get this now" kinds of places.

Sadly, this website has something nasty lurking in the background - because if you know where to look, the startled expression on Mr Smiley's face is given a whole new meaning. Enter the URL for the super-secret hidden Executable (instead of randomly clicking any of the links displayed onscreen), and...:

http://blog.spywareguide.com/upload/2006/05/dbrdl1-thumb.jpg

Is this an executable I see before me? Looks like it! Run the thing, and before you know it, your desktop is covered with all manner of popups and icons and who-knows-what else:

http://blog.spywareguide.com/upload/2006/05/dbrdl2-thumb.jpg

The startled look on Mr Smiley's visage is looking more and more like a horrified grimace, isn't it?

Interestingly, the payload is incredibly similar to the one covered here, minus the Zango installer (though a call is made to Zangocash.com).

Once again, we see friendly smileys subverted and used for the purpose of evil, instead of good.

Whoops.

For the enterprise, downloading and using free consumer IM clients and P2P file-sharing applications can invite viruses, worms and other security risks. Businesses must understand the challenges to their organization and whether they are at risk of non-compliance with policies or regulations, intellectual property loss or worse.

Thankfully you don't have to give up IM to protect your enterprise. In this eSeminar learn how Microsoft Office Live Communications Server 2005 enables real-time communications. With proper management, it improves business efficiencies and increases productivity. Many leading organizations are already benefiting from this flexible enterprise IM solution.

Find out how companies are maximizing the value of their Live Communications Server investments with FaceTime Enterprise Edition. With FaceTime, you can stop rogue public IM use, detect and block applications like Skype 2.0 and ensure full compliance with state and federal regulations.

Join Marc Sanders from Microsoft and Eric Young from FaceTime as they explore:

- Pros and cons of enterprise-grade vs. free IM
- Transitioning from multiple public IM clients and P2P applications to a safe, secure, collaboration environment
- An example of how two companies have fully leveraged IM with FaceTime and Live Communications Server

The eSeminar is free; click here to register.

Implementing Safe, Secure Enterprise-Grade IM
June 1, 2006 @ 12:30 p.m. Eastern/9:30 a.m. Pacific
Duration: 45 minutes

Ever wondered if music should be assigned an "annoyance level" in the Spywareguide.com database? Probably not, but after seeing this latest hijack you might think twice. Throw in a browser which installs itself without your permission and you have one of the craziest hijacks I've seen this year: say hello to yhoo32.explr, courtesy of FaceTime Security Labs.

Sitting comfortably?

Then let's begin...

Blue Security just threw in the towel. Regardless of what you think of them or their methods, let's ponder the implications for the Internet thus far.

Chris Boyd and I talked about the possibility of this happening back in March during our Podcast with Jeff Molander. In this instance I will quote myself:


Porter says, "Once you've compromised a PC you own it... it's yours you can do with it what you want and you can emulate that activity. Because that net is spread out... you can execute any type of activity and get away with it -from sending spam to recommending certain Web sites to infecting them with more adware to emulating surfing activity and possibly emulating click activity... yes... definitely for sure."

It appears our unfortunate prophecy has become "documented reality" as a botnet owner took aim at AdSense with a small herd of bots designed to click on AdSense ads, as noted by the SANS Institute's Internet Storm Center...


Bottom line is that the advertiser pays in exchange for a bot visiting him.

It seems some bot operator left a website with both the bot's *.exe and the web based control panels wide open. An anonymous source sent us the URL.

The critical part to note about this activity documented by SANS is this:


It is interesting to note that the botnet was 115 bots in size at the early time of the day I was looking at it and most were under 15 clicks each.

Note the small size of the Botnet: without an anonymous tip and some lack of planning by the botnet owner, it might have kept running for a long time. This means it was either immature in size or the owner knew to keep the size of the herd under the radar. This is, unfortunately, what we thought we would see, and The Register noted it.


Generating traffic from a small number of machines (numbered in the hundreds) makes the traffic generated from compromised machines look innocuous. In return for helping click fraud scammers keep a low profile, botnet owners rake in a percentage from the scam.

No doubt we will see more of this in the future. Whether this is contained or not will depend much on how savvy Google is in detecting and shutting down this activity, as well as how well users guard their machines.

I wish I could say the prognosis was better...

Many others have picked up on this activity and that's good. The more people know about it, the better it can be defended against.

Want to see an example of the PM floating around Myspace as blogged by Brian Krebs that eventually leads to a Zango install? Because we've been looking at these bad boys for the last few days too. Good old multi-blog action - nothing finer!

Here you go:

http://blog.spywareguide.com/upload/2006/05/myspzango1-thumb.jpg

The War is Not Lost


Lots of people have been pointing me to this writeup, entitled "Have we lost the war" (as you might have gathered!)

There's a lot of talk about what some products do (and don't) do, but the two main extracts are below. From the article:

"Have we really got to a point where users have to admit that they cannot get rid of the spyware infesting their PCs? Why else would we need to create a 'safe' connection before accessing an online bank?"

Well, why not create a safe connection? Isn't that what you're doing when you install Antivirus, Antispyware and a Firewall? Making things inherently safer? So how is applying tighter security some kind of "admission" that we've lost a so-called war?

"Instead of killing off spyware we are learning how to live with it, which makes me think that this battle is almost over."

Again, this is nothing new. We've been "living with Spyware" since forever, so either nothing has changed or the "battle" has been lost from day one. It all sounds a touch self-pitying to me. Either you do something about it or you shut up shop. And if you shut up shop, you can't expect any mercy from the bad guys. Take Blue Security: they were recently smashed into the ground by angry Spammers. Well, they waved the white flag and "gave up", because they didn't want any more fallout hitting innocent websites. The thing that Blue Security missed is that the Spammers don't care and have continued to blast them into little pieces (and the innocent bystanders, too).

I'm reminded of the Stones song, "All or Nothing". I'm also reminded of "Street Fighting Man", but mostly because I like the version by Rage Against the Machine. Which is also strangely fitting, come to think of it.

Well, not exactly. We don't have any balloons or men in funny hats - however, you may find this article interesting - it deals with the "local traits" of the US, Europe, China, Russia and more, "local traits" meaning "ability to do nasty things to your PC". According to the writeup, Europe is both attacker and victim, America needs to get a firm handle on where the danger is coming from before it's too late and China's ability to man the walls is severely lacking.

Is it just me, or did they base their study on World War 2?

Joking aside, there's some interesting information presented here:

"...the US does certainly harbour some of the most prolific spammers in the world, as well as the world's three worst ISPs for relaying spam, says Spamhaus."

The depth of Spam coming out of the States is not widely known by Joe Public, and it always seems to come as something of a surprise to them. In addition:

"The most recent figures from MessageLabs suggest almost one-fifth (18.1 per cent) of all compromised machines are located in the US - and it's a fair bet, based on recent police investigations, that many of those doing the infecting are also US-based."

Whoops.

China leads the way in attack volume, with the others playing catchup. Meanwhile, Russia slides down the table with less than 2% of attacks last year and the Middle East is mentioned in connection with Spyware. I have some personal experience of this, and I have to say - those guys are a tough nut to crack.

All in all, a good writeup; however, I'd like to have seen more detail. Some specific examples of what each region gets up to, maybe, or how about some anecdotal evidence. I'd also love to know what kind of activities are going on in Korea, but that's a whole other ball game...!

1) Open Internet Explorer
2) Click Tools
3) Click the Security Tab
4) Click Custom Levels

5) In the window that opens look for the entry: ActiveX Controls and Plug-ins.

6) You want to disable "Download Unsigned ActiveX controls".

7) You want to prompt "Download signed ActiveX Controls".

This will allow you to see an ActiveX control and who it's from before it's installed. Please make sure to do a bit of research before you allow the application to install. Never blindly trust an ActiveX control just because it's signed or looks trustworthy.

Anyone can get a signed ActiveX control; just because it is signed does not mean it is a safe control.

Windows XP Service Pack 2 now addresses some of the issues with ActiveX controls.
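An added check, not from the original post: this PowerShell snippet reads the Internet zone's ActiveX download settings from the current user's registry and reports whether they match the recommendation above (signed controls: Prompt, unsigned controls: Disable). The value names 1001 and 1004 and the data meanings 0/1/3 follow Microsoft's documented Internet Explorer zone registry layout; the function and variable names are mine.

```powershell
# Added audit helper, not from the original post. It reads the Internet zone's
# ActiveX download settings for the current user and compares them with the
# settings recommended above. Value names and data meanings follow Microsoft's
# documented Internet Explorer security-zone registry layout:
#   1001 = Download signed ActiveX controls
#   1004 = Download unsigned ActiveX controls
#   data 0 = Enable, 1 = Prompt, 3 = Disable
# Caveat: when a machine-wide policy is in force (the HKLM copy of this key, or
# the Security_HKLM_only setting), it overrides what the user's HKCU key says.

$InternetZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # zone 3 = Internet

$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# What the post recommends: prompt for signed controls, disable unsigned ones.
$Wanted = [ordered]@{
    '1001' = @{ Setting = 'Download signed ActiveX controls';   Expected = 1 }
    '1004' = @{ Setting = 'Download unsigned ActiveX controls'; Expected = 3 }
}

function Get-ActiveXDownloadPolicy {
    param([string]$ZonePath = $InternetZonePath)

    foreach ($valueName in $Wanted.Keys) {
        $entry   = $Wanted[$valueName]
        # Missing value -> $null (the zone's built-in default then applies).
        $current = (Get-ItemProperty -Path $ZonePath -Name $valueName -ErrorAction SilentlyContinue).$valueName

        if ($null -eq $current) {
            $currentLabel = 'not set (zone default applies)'
        } elseif ($Labels.ContainsKey([int]$current)) {
            $currentLabel = $Labels[[int]$current]
        } else {
            $currentLabel = "unknown ($current)"
        }

        [pscustomobject]@{
            Setting  = $entry.Setting
            Value    = $valueName
            Current  = $currentLabel
            Expected = $Labels[$entry.Expected]
            Matches  = ($null -ne $current) -and ([int]$current -eq $entry.Expected)
        }
    }
}

# Run the audit and print one row per setting; a $false in Matches is the
# cue to revisit the Custom Level dialog described above.
Get-ActiveXDownloadPolicy | Format-Table -AutoSize
```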

The Peer to Peer (P2P) client eMule, quite popular for file sharing and, I'm sure, illegal downloads (although I would never do that!), has kicked back with a fun, new P2P bot running around on its network. Normally I wouldn't get that interested in a boring old SPIM bot, but this one had an interesting twist that grabbed my interest and forced me to crack open the toolbox. As I was minding my own business one day, merrily downloading a set of unnamed files on eMule, I couldn't help but notice I had two new messages.

http://blog.spywareguide.com/upload/2006/05/ScreenHunter_1-thumb.jpg


Normally this would not be interesting. However, eMule supposedly has URL filtering for comments in the form of a handy-dandy pattern matcher.

http://blog.spywareguide.com/upload/2006/05/eMuleURLFilter-thumb.jpg


So as you can see, this would normally filter out all http, https and www; but lo and behold, in this case it isn't using any of these. This particular little bot is sending across FTP, and it is showing up clear as day in my eMule client. Now they have my attention, and no, it's not from the catchy phrase "women in your town, blah blah". So obviously I fire up the trusty ole' copy of Ethereal and start sniffin'! Let's take a look at what we get.

http://blog.spywareguide.com/upload/2006/05/ftp_net_trace-thumb.jpg

There's our nice little FTP stream, and as we can see from the trace we end up with the file list.html. Looks harmless enough, but what is actually in this list.html, and what happens when the browser decides to render this little goodie?

http://blog.spywareguide.com/upload/2006/05/list-thumb.jpg

Hey! Surprisingly, it looks like valid HTML and, wouldn't you know, it is! For the added "lemon twist" it uses a fun little META tag to refresh that page and send you off to have fun tonight, and maybe even wang chung tonight if you're really lucky.

So what does all this mean to the everyday user?

Don't click on links; these guys are tricky little devils, but really not that tricky if you are alert.

That is a lot of work for a simple little redirect, just because eMule tries to filter comments that contain URLs.

Let's recap.....

1) They've written their eMule bot
2) Set up an FTP server
3) Written their crafty little HTML pages, and probably collected not more than a few cents with adult content.

Well worth wasting a fine Saturday afternoon for- not!
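As an added example (not code from the post, and not eMule's own filter), here is the gap described above in working form: a URL filter that only keys on http, https and www misses an ftp:// link, a scheme-agnostic matcher catches it, and a small parser pulls the redirect target out of a META refresh tag of the kind list.html used. All messages, hosts and the HTML are constructed stand-ins.

```python
import re
from html.parser import HTMLParser

# Constructed messages in the style of the SPIM described in the post.
# Hosts are placeholders (example.invalid), not anything seen in the wild.
CONSTRUCTED_MESSAGES = [
    "hey check my pics http://example.invalid/pics",
    "women in your town, see www.example.invalid/list.html",
    "women in your town, see ftp://example.invalid/list.html",
]

# A filter that only knows the http, https and www prefixes. This is an assumed
# stand-in for the kind of pattern the post's eMule screenshot shows; it is
# not eMule's own code.
NARROW_URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)

# A scheme-agnostic filter: any URI scheme (RFC 3986 syntax) followed by "://",
# plus the common bare-host prefixes. This is what closes the ftp:// gap.
BROAD_URL_RE = re.compile(r"(?:[a-z][a-z0-9+.\-]*://|www\.|ftp\.)\S+", re.IGNORECASE)


def find_urls(text, pattern=BROAD_URL_RE):
    """Return every URL-like token that `pattern` finds in a message."""
    return pattern.findall(text)


def slips_past_narrow_filter(text):
    """True when the message carries a link the narrow filter would not catch."""
    return bool(find_urls(text, BROAD_URL_RE)) and not find_urls(text, NARROW_URL_RE)


class MetaRefreshFinder(HTMLParser):
    """Collect the target URL of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":                       # HTMLParser lower-cases tag names
            return
        a = {k: (v or "") for k, v in attrs}    # attribute names are lower-cased too
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "0; url=ftp://host/path"; quoting and case vary
        m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.IGNORECASE)
        if m:
            self.targets.append(m.group(1))


def meta_refresh_targets(html):
    """Return the list of redirect targets declared via META refresh."""
    parser = MetaRefreshFinder()
    parser.feed(html)
    parser.close()
    return parser.targets


# Constructed stand-in for the list.html the post describes: valid HTML whose
# only job is to bounce the browser somewhere else.
CONSTRUCTED_LIST_HTML = """<html><head>
<title>list</title>
<meta http-equiv="Refresh" content="0; URL=http://example.invalid/landing">
</head><body>list</body></html>"""


def triage(messages=CONSTRUCTED_MESSAGES):
    """Report, per message, which filter would have caught it."""
    return [
        {
            "message": m,
            "narrow_hits": find_urls(m, NARROW_URL_RE),
            "broad_hits": find_urls(m, BROAD_URL_RE),
            "bypasses_narrow": slips_past_narrow_filter(m),
        }
        for m in messages
    ]


if __name__ == "__main__":
    for row in triage():
        print(row)
    print("META refresh sends the browser to:", meta_refresh_targets(CONSTRUCTED_LIST_HTML))
```

The third constructed message is the ftp:// case from the post: the narrow pattern reports nothing for it, the broad one flags it.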

Chris Boyd checked in from the "It's too insane not to be true" department, and now we have another piece of ripped-up reality that makes you wonder what rock ad agencies hide under, or perhaps who dinged them in the head with a rock?

According to Media Post, 180Solutions and Warner Brothers are working in tandem.

Several bloggers have picked up on this connection; my favorite was from Chris Kramer of Netexponent, who said:


According to today's Media Post online, media giant Warner Brothers has been working with controversial adware company 180 Solutions to distribute their online soap opera "Deception". Can anyone think of a more appropriate title for 180 to be featuring?

(Random and Pointless Trivia: Blogger Chris Kramer is vegetarian and once accidentally ate a scallop mistaking it for a tater tot. This is true.)

Kramer's take is appropriate indeed.

Is this why 180Solutions has been so silent about the UA Porn distribution fiasco, complete with an interview that details their "harsh" testing process? The fiasco is spelled out in big glowing letters during this interview I conducted, in both Russian and English, and taken apart by PaperGhost over at VitalSecurity.

So let's rewind and back-up and look at what was going on while Warner Brothers and 180 were making web content...

Andrew Clover checks in with some candid evidence on one distributor. It comes complete with a video of pornography: not your run-of-the-mill porn, but what appears to be child porn. Link to Video: illegal images have been obscured. (Note: a special codec may be required to view it.)

Chris Boyd provides more technicolor here. Sunbelt Software gives us the possible Russian background connection, and finally TechDirt asks some more questions....

Suzi Turner of ZDNET's Spyware Confidential asks the ultimate question: "What legitimate company would want to be affiliated with 180solutions after learning of 180's apparent liaison with child porn and CoolWebSearch?"

Well now I have the answer for you Suzi- Warner Brothers!

I got this lovely missive in my mailbox a few days ago:

Tired of being scammed?
Tired of servers downtime?
Tired of high latency?
Being Blocked or Blacklisted too fast?

FORGET ABOUT THAT!
Get rid of Asian datacenters and choose a better Spam friendly solution with us. We have the latest development in Bulletproof Webservers that will handle your high complaint loads.

Contact us for pricing!
-----------------------------
ICQ #:
MSN Messenger:
AIM:
yahoo:

Botnet Hosting Servers
-------------------------------
5 IPs that change every 10 minutes (with different ISP)
Excellent ping and uptime.
100 percent uptime guarantee. Easy Control Panel to add or delete your domains thru webinterface.
Redhat / Debian LINUX OS.
SSH Root Access.
FTP Access.
APACHE2 PHP CURL ZEND MYSQL FTP SSH.

We have Direct Sending Servers, and we also do Email Lists Mailings.

Spam friendly and Botnet hosting? Oh, dream come true! With that in mind, I decided to check out their website. Not a good start: it was offline and the email address kept bouncing. Three of the four IM addresses didn't seem to work and we nearly had no writeup, but with the last address I tried...

No, not Teri Hatcher firing out hundreds of emails about the latest crazy goings-on in her street, but rather an individual by the name of "Gena Elmore" trying to scare people and failing miserably. As you can see here, the bad guys are becoming increasingly rattled by the steps taken to shut them down, drown them out and make them play fair. I'm not sure if anyone fell for their bullish tactics...have a look and see what you think.

By the way, I'd point you to the Blue Security blog, but it's currently down because of DoS attacks...!

PREFACE

I have now received the responses from Yap Browser. Special thanks to Anna of Sunbelt and Joeseph of Facetime for taking out time to provide translation services. The controversy all started when some researchers downloaded the Yap Browser, which was bundled with 180 Solutions' Zango product, and the browser was serving up what appeared to be UA Porn (Under Age Porn).

For our Russian speaking readers I have uploaded the interview questions and answers in Russian.

Porter's Interview Questions in Russian

"John Sandy": YapBrowser's Response to Interview in Russian

Per the rules of engagement I will refrain from comments here. However, trackbacks are on; if your trackback does not show up, please e-mail me and I will put up a summary. On to the interview...

Wayne Porter's E-mail Interview: Questions to Yap Browser:

Porter: So that it is clear, what is the name of the entity or company that develops and operates YapBrowser?

Yap's Response: Enigma Global Inc.

Porter: Are YapBrowser and YapSearch.com controlled and / or operated by the same entity or otherwise related?

Yap's Response: Yapbrowser.com is a website of our program called yapbrowser, where users can download our program and read its description. Yapsearch.com is a website that is supposed to be reflected within the yapbrowser.com. Also, yapsearch.com is a search engine (but at this moment not functioning, since we have not selected a non-free search system, which feed could have been used to do searches. At that moment there was only a design form/template on the website.)

Porter: For the purpose of general information background and mutual understanding, can you describe the business that you conduct on the Internet?

Yap's Response: We were planning to open a partner program [[translation: partnering meaning bundling here]] and pay our partners for installations of our yapbrower. The installation of the program was supposed to be sponsored by zango. That is, every partner could register into our bundle and create a link to our program at their website. Before that, we would have to check the website content ( if it breaks any rules i.e. is not illegal) and then allow them to proceed.

Porter: How long has YapBrowser been available for end-users to download from the Internet?

Yap's Response: We came up with the idea of Yapbrowser about half a year ago. Before that, we were trying to come up with what would be the best to be downloaded by users, and chose yapbrowser. Yapbrowser was never made available for end-user. Only some people knew about our program (programmers, designers, zango etc.) At the time when the problem was discovered, our program was still in development, and wasn't launched yet. There was no traffic on the websites.

Porter: Aside from working with 180solutions can you cite, as trade references, any other businesses or advertisers that you work with, have worked with in the past or those who have expressed interest in working with you in the future?

Yap's Response: We haven't even had a chance to buy advertisement spots for our project, let alone launching it for testing. Therefore, we didn't have any partners. At that time we collaborated only with zango. After the testing we would have started with advertisement on internet forums. Later the new partner would be appearing.

Porter: How long has YapBrowser bundled the 180solutions product, Zango?

Yap's Response: We bundled our programs recently. Since zango was going through certification (or something of that kind) we had to wait for quite some time. I think the bundling happened about a month or two ago.

Porter: How were you not aware over that period of time that your application / sites were redirecting to the offensive material?

Yap's Response: First of all, I wasn't paying much attention to yapsearch.com website. To test it, I simply installed the design template with non-working hyperlinks and a search line field. I had no idea that on a non-existing page there might be such content with offensive material. When I was shown an article about our website I was shocked. And, naturally, I realized what happened.

Porter: How rigorous was 180Solutions / Zango in terms of checking your application before they agreed to have their software bundled with the YapBrowser application?

Yap's Response: The testing process was very harsh. First, our program is included into zango installer. We supply some design elements for the program installation, EULA text. The program installation is done with the confirmation of two agreements. Zango's approach to this issue is very serious; therefore, I do see that they are dependable, and choose them as partners. In this situation there is no zango's fault. Most likely it is my program's fault that such mistake was made. And, of course, the real offender is the host company.


Porter: Did 180solutions test the software prior to your agreement to bundle Zango? If so, can you describe the process that was involved?

Yap's Response: Yes, testing was done a couple of times. I sent the program to zango to be tested. They replied to me with the changes that I had to make in the program. That happened a couple of times before we finally had desired results. (But I would like to repeat, that the programs were not launched, the partner-program was still in development)

Porter: Did they test your application after it launched with the Zango product bundled?

Yap's Response: Yes, the testing was done. Maybe, at that time 404 page wasn't showing any illegal content. I cannot say for sure since I did not check.


Porter: Have you received payment from 180Solutions for the Zango downloads you delivered?

Yap's Response: By that time, no more than 5 downloads of my program were made. What payments can we talk about?

Porter: Your sites were hosted on a server that also hosted known hijack sites and sites related to other allegedly illegal practices. Specific examples would include instme. biz and nstallme. info.

At the time of my testing there were only six other sites residing on this server besides yours, and approximately 60+ sites on a related IP address. Again, many of these were highly dubious and well known to the security community.

Given the current state of Russian webmaster forums, where whole sections are devoted to "rogue" sites and installers, as well as the widespread coverage of these groups by Western security companies, how is it that you were not aware of the practices of your neighbours on this server?

Yap's Response: I hadn't even thought that these people could have done this to me. First of all, they were not my permanent web host company. The sites were kept there temporarily, before the launching of the program for the testing purposes by my employees. If I would have launched the program, I would have bought my own server.

At that time it was not worth to maintain an expensive server because this project was taking too much money, which I am very limited with. The websites were kept at that server for free. The person who supplied me with that was contacting with me via icq. Do you need his number?

Of course, after he realized what happened, he disappeared. He was also registering domain yapcash in his name. And at this time I do not have access to that domain. My thoughts on that, is that these people wanted to use the traffic from my yapbrowser somehow. They probably were somehow related to such hacker sites like instme. biz and nstallme. info. I do not possess that information.


Porter: How is it that you were not aware your chosen server host was well known and documented for hosting such sites and material?

Yap's Response: This was not my permanent webhost. It was used only for tests (I repeat). I did not plan to send there traffic from my partner websites (but I think that's what the webhost expected, since he let me keep my sites there for free).

Porter: To quote from your exchange with Paperghost at VitalSecurity.org:

VitalSecurity.org

Paperghost: The same details are used for a group of sites at Eltel, a Russian ISP, including one site that redirects the user to browser exploits at paradise-dialer.com, which load trojans, spyware and dialers. Paradise-dialer's whois places it as part of the CWS group known as Dimpy, aka BigBuks. Since the BigBuks whois is also given by mix-click, referred to by the yapbrowser/yapsearch whois, and the aforementioned servers at Pilosoft and Eltel (as well as the paradise-dialer server also at Pilosoft just a few IP addresses away) run many other sites that link back to browser exploits and child porn promotions run by BigBuks, it seems reasonable to assume that they are the same group of people.

So, is this you or not? And if not, how come the contact details are the same?

YapBrowser: We now try to find people who are involved in an illegal site. They had some attitude to domain names, but not to our activity. Similar these people are engaged in distributing illegal content and in parallel contain a server for this purpose. We have chosen an unsuccessful place of accommodation of the projects in a network.

Porter: Given your statements and acknowledgement of illegal content distribution, presumably you have accurate details of who you did business with for hosting. This would include business names, individual names, addresses, phone numbers, etc. You appear to claim to have been victimized by a supposedly legitimate business entity; are you willing to serve the public interest by making this information available in this interview?

If so, please provide details. If not, why not?

Yap's Response: I do not have any names, phone numbers, addresses etc. :) I did not work together with them at that level. I have ICQ number 278-690-157 and nick Androgen, which has been offline for a long time now. You know the IP addresses of the server. My sites were kept on his webhost. You say that the IP addresses match, and that is understandable because my sites were on the same server as the illegal sites, and I did not know about it. FTP access has not been working either for a long time now. In the first couple of days I was trying to do something, but then the websites just stopped working. I moved to another webhost. I was defamed on various forums and the webhost just deleted my sites.

Porter: It has been brought to my attention that:

A representative of YapBrowser is John Helbert, as seen here:

http://sunbeltblog.blogspot.com/2006/04/yapbrowser-getting-yelled-at.html

A connection has been made between this person and an individual called "Klass", a member of a "Lolita / CP" board called "Dark Master" (matching ICQ numbers, etc.). More on this connection can be seen here:

Sunbelt Haloscan comments

What is your response to this connection between YapBrowser and the "Dark Master" forums?

Yap's Response: I am not part of the group "Lolita / CP" under the "Dark Master" name. :) Dark Master is an old forum, which was closed. Anybody who wanted could register there, and I do not belong to those people who do illegal projects. Yapbrowser has nothing to do with that forum. There is no factual proof of the relation.

Porter: Ben Edelman provides video evidence of the dubious activities of an outfit called HighConvert working with a number of adware companies. See video: http://www.benedelman.org/scripts/video/?v=highconvert-081505. This operation appears to be related to a document uncovered and transcribed from Russian into English by Sunbelt Software in early April. The YapSearch domain is cited in this document. Reference English translation of document here: Sunbelt Translation Document.

The document outlines plans for "invisible clickers", lowering of the browser's security settings, utilizing the "Blue Screen of Death" for trick ads, and the changing of 404 error pages, among other dubious practices. How do you explain this reference to YapSearch?

Yap's Response: Probably, this document was written by a person who communicated with me at some point, but I do not know who that person is, maybe a programmer. There is an example of the feed design of yapsearch.com in this document. I think that it was written by someone who was in touch with me earlier, because there is a program mentioned there that is similar to mine, but that one is included in an illegal project. Yapbrowser does not belong to that project (described in the document). And it couldn't belong because all changes we make in the program, we have to show to zango to be checked.

Porter: Did YapSearch or YapBrowser ever deploy any of the tactics outlined in this document?

Yap's Response: Of course not. Why are you asking that? Have the program checked by knowledgeable programmers to assure that there are no such functions in my program.

Porter: Given the current state of affairs, what is the future for YapBrowser? Do you still intend to distribute this application?

Yap's Response: At this moment, the development of the program is completely suspended. Bad things are written about us on many websites. I had no idea that I could encounter this problem in the project, and I understand my mistakes. To show my goodwill, I am ready to donate money for children. All details about the donation you will be able to see on my website yapsearch.com

Closing Comments from Yap Browser's, "John Sandy"

I hope now things will turn around, and you will finally understand that my project is not involved in any illegal activity. Please try to distribute this article among all forums and blogs.

Thank you for the interview, hope that you will help me to solve this problem.

End of Interview

Sanford Wallace is the guy responsible for plastering alarming messages across end-users' desktops, related to a hijack called Spy Wiper and Spy Deleter. As you might have guessed, he's now in a whole world of trouble with the FTC. For more information on Sanford (and his, er, lovely nickname) click here. For the full list of "really bad things" (TM) done in the name of mass emailing and Spyware pushing, check out the page on the FTC website. Notable quotables...

"A default judgment against Wallace and Smartbot.Net orders them to give up $4,089,500 in ill-gotten gains. "

"Lansky, an ad broker who disseminated ads containing Wallace's spyware, will give up $227,000 in ill-gotten gains."

...ouch...

For more coverage on this issue check out Steve Shubitz at Stopscum.com. He even has some of Sanford's most treasured posts.

...security, according to this article. Well, no surprise there - but with that in mind, perhaps you'd like to check out the all new Jobs Section?

You'd think I'd be pleased about software telling you what it's going to do. However, sometimes there's a little too much information for the end-user to digest. Imagine my surprise at the following install, then, where the end-user has to sit through four EULAs, including two Zango agreements which could potentially conflict with one another! Sitting comfortably? Then let's begin...


"Rubberfaces" is an application which takes pictures of celebrities and fires them around the screen, distorting their features in a humorous fashion. However, the real action takes place when you're attempting to install the thing. Firing up the executable presents you with the above EULA. Clicking "Next" brings you to a "MySearch" EULA box:


As I blogged earlier in the entry, in a clean VM SpyOnThis detected 13 different threats, all of which are false positives (FPs). Most of them were cookies.

Let us dig into each key flagged as spyware by SpyOnThis and see why they are false positives.

Object: ClearSearch
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_CURRENT_USER:SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CTLS
RiskLevel: 4

ClearSearch object found!!!
Object: ClearSearch
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_CURRENT_USER:SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CRLS
RiskLevel: 4

Claria object found!!!
Object: Claria
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_USERS:.default\software\microsoft\systemcertificates\trustedpublisher\crls
RiskLevel: 3

Look at the original keys in the registry which are flagged as spyware:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs]

Windows Registry Editor Version 5.00
[HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs]

Note: there were no values associated with these keys when they were detected as spyware.

In order to make a full analysis we need to know some basic things here:

CA - Certification Authority
An entity entrusted to issue certificates that assert that the recipient individual, computer, or organization requesting the certificate fulfills the conditions of an established policy.

CRL - Certificate Revocation List
A document maintained and published by a certification authority (CA) that lists certificates issued by the CA that are no longer valid.

CTL - Certificate Trust List
A predefined list of items that have been signed by a trusted entity. A CTL can be anything, such as a list of hashes of certificates, or a list of file names. All the items in the list are authenticated (approved) by the signing entity.

The keys I mentioned are default keys used by the Windows operating system to handle trusted publisher certificates when IE makes a secure (SSL) connection. SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely.

A CA releases CRLs regularly to make sure the user or enterprise knows about certificates that are no longer valid. This registry key is modified when we import CRLs from a CA.

None of the above keys are related to either Claria or ClearSearch.
Thus classifying these keys as spyware is erroneous.
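As an added triage example (not code from the original post, and not SpyOnThis's own logic), the snippet below parses report blocks in the format quoted above and marks any REGKEY finding that sits inside one of Windows' own certificate-store locations (SystemCertificates\<store>\Certificates, CRLs or CTLs, under either the Software\Microsoft or the Software\Policies\Microsoft root) as a probable false positive. The sample report and the "ExampleVendor" key are constructed for the demonstration.

```python
import re
# Constructed sample in the SpyOnThis report shape quoted above (not real scanner output).
SAMPLE_REPORT = r"""
Claria object found!!!
Object: Claria
Class: REGKEY
FoundIn: HKEY_USERS:.default\software\microsoft\systemcertificates\trustedpublisher\crls
RiskLevel: 3

ExampleVendor object found!!!
Object: ExampleVendor
Class: REGKEY
FoundIn: HKEY_CURRENT_USER:SOFTWARE\EXAMPLEVENDOR\TOOLBAR
RiskLevel: 4
"""

# Registry roots of Windows' own certificate stores, relative to the hive.
CERT_STORE_ROOTS = (r"software\microsoft\systemcertificates",
                    r"software\policies\microsoft\systemcertificates")
CERT_STORE_LEAVES = {"certificates", "crls", "ctls"}

def normalise_path(found_in):
    """Split 'HIVE:path' into (HIVE, lower-cased path); HKEY_USERS paths drop the leading SID."""
    hive, _, path = found_in.partition(":")
    parts = [p for p in path.lower().split("\\") if p]
    if hive.upper() == "HKEY_USERS" and parts:
        parts = parts[1:]  # '.default' or an S-1-5-... SID comes first under HKEY_USERS
    return hive.upper(), "\\".join(parts)

def is_windows_cert_store_key(found_in):
    """True for <root>\<store>\<Certificates|CRLs|CTLs>, the layout of a Windows cert store."""
    _, path = normalise_path(found_in)
    for root in CERT_STORE_ROOTS:
        if path.startswith(root + "\\"):
            rest = path[len(root) + 1:].split("\\")
            return len(rest) == 2 and rest[1] in CERT_STORE_LEAVES
    return False

def parse_report(text):  # one dict of 'Field: value' pairs per REGKEY block
    blocks = re.split(r"\n\s*\n", text.strip())
    fields = [dict(re.findall(r"^(\w+):\s*(.+)$", b, re.M)) for b in blocks]
    return [f for f in fields if f.get("Class") == "REGKEY"]

def triage(text):
    """(Object, FoundIn, verdict) per finding; cert-store keys are probable false positives."""
    return [(f["Object"], f["FoundIn"],
             "probable false positive: Windows certificate store key"
             if is_windows_cert_store_key(f["FoundIn"]) else "needs review")
            for f in parse_report(text)]
```

A key flagged this way still deserves a glance at its values (the post notes these were empty), but a vendor name attached to a built-in store path is a classification error, not evidence of the vendor.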

Let us check other keys also in detail.

Let's Dive Right Into It...

Recently, like my colleague Chris Boyd, I received the Microsoft MVP Award. I thought I might get a raise; instead I received the honor of leading the Greynets Blog! What a task it has been. Imagine having a team of extremely smart and busy analysts, researchers, and engineers from all around the world, many from different cultures, and getting them to settle down to write about their experiences and document some of their findings. Piece of cake, right?

Who is This Blog For...

Good question, and I have a good answer. The Greynets Blog carries a wide range of information to fit every type of person: the casual PC user, the new PC user, the hard-core technical user, the Enterprise manager, and intermediate users too. We even use it ourselves!

Rather than try to create a blog that is nothing but complete technical jargon, or a blog that caters only to beginners, we try to produce a good mix of novice and intermediate material. However, we know there are some hard-core programmers, spyware warriors and analysts out there who enjoy a thrill ride all the way into the Matrix and back. Don't worry, we won't leave you out, because we like to visit the Matrix too. And if you are a beginner or an intermediate user you can always shoot us a question and we can try to answer it here. That is one of our aims: to educate and help people from all backgrounds understand the impact of the technology and software they use.

Think of the Greynets Blog as a salad bar...you can pick and choose exactly what you want and we never charge for seconds, as a matter of fact we encourage them and you can leave out the bean sprouts if you don't like them.

Haven't I Seen Some of You Guys Before?

Maybe... Perhaps in the press, or some of you may know me from my Revenews Blog where I bust up the financials on seedy outfits. You may know the infamous Chris Boyd, a.k.a. Paperghost, from VitalSecurity.org, where he kicks up the action on malware and spyware writers "kung-fu" style and is a recognized CNET Top 100 Blogger as well as a MSFT Security MVP x2! You will soon meet a new legion of bloggers from various disciplines and cultures from across our company: Manoj, Deepak, Peter, Charles, Chris, Tyler, Jan (who we call Obijan, which is another story from another galaxy).

I promise more individuals will follow as we cover topics from P2P file sharing to securing IM networks and, of course, the ever-present threat of spyware, malware and adware and what it means to you. Our goal is to share our experiences deep in the cyber-trenches, to educate both Enterprise users and the home PC user, and to do this through opinions backed up by facts and evidence, and hopefully entertain you occasionally. We also intend to drag in some other notables in the security industry, many our colleagues, and get their take on things, and who knows, maybe we can drag in an executive or two to get the 10,000 mile (or meter, if you're not from the U.S.; assume nothing) view on the future of security.

So What Is It?

Like many blogs, also known as weblogs, it contains documented experiences from the trenches, often where the real battles happen, and we show it to you one bullet at a time, slow-motion style, so that, like Neo, you can avoid the bullets but watch the ripples as they tear up the air.

Some of the experiences are quite comical, some quite sad, but they all carry the message that Internet Security is no longer simply black and white; it comes in various shades of grey. Ultimately it is up to you, the Systems Administrator or the Home PC User, to make decisions on what you want or do not want on your machine or network. After all, you have that right; it's your property!

About this Archive

This page is an archive of entries from May 2006 listed from newest to oldest.

April 2006 is the previous archive.

June 2006 is the next archive.
