June 2006 Archives

Sometimes, I'm amazed at the ease with which it's possible to create a Botnet Empire. Don't believe me? Well, check out the screenshot below, obtained by a colleague of mine in a random IRC Chatroom:

[Screenshot]

Now, you would hope people wouldn't fall for this.

I am afraid you would be totally, utterly wrong. Check this out: it's the page hosting the infection file. The novel aspect here is that it's a web hosting page that shows how many times the file has been downloaded. Now, it's reasonable to assume that almost all the people who were naive enough to download the file would also be naive enough to run the thing. Screenshot time:

[Screenshots]

Downloaded 375 times in 2 days.

Downloaded 380 times in 10 days.

...amazing. That's 375 brand new drones for some random Botnet owner, in only two days.

The download rates drop sharply after the first few days. Why is this? Well, they don't need to keep injecting the link into chatrooms to infect new boxes; they can simply use the drones they already have to scan for vulnerable machines instead.

You probably noticed that on the hosting page, they even tell you what the file is likely to do:


EXE (short for 'executable') and COM are the common filename extensions for denoting an executable file (a program) in the MS-DOS, Microsoft Windows, and OS/2 operating systems. Generally, "exe" may be used as a noun to refer to such a file.

...and yet, people will still run it. Whoops.

As for the Botnet itself, I imagine you probably want to see it, yes? Well, today is your lucky day. We skipped the boring part where I download and run the file, as that's not particularly interesting to watch. What is interesting is seeing how these guys use some common tricks of the trade to convince the infected user that there's "nothing to see here".

At this point, I've run the executable and a new folder has "mysteriously" appeared in the System32 folder.

It's movie time...

[Video clip: 7.00 MB Flash file]


00:00 to 00:08 seconds: We're looking at the folder dumped onto the system shortly after the Alexander file is let loose on the PC. Check out those file names...svchost.exe? With a mIRC icon? Sorry, that's just too suspicious! Ignoring the other files (which point to the relevant servers hosting the Botnet channel, pre-determined user nicknames and the like), I click the file to open it up. Whoops - it doesn't like that, as you can see. A small, minimised box appears in the extreme top-right-hand corner of the screen, before vanishing (blink and you'll miss it!).

Again, I try - doh! We could be at this for a while.

00:10 to 00:12 seconds: Thankfully, this isn't a particularly difficult problem to resolve. See that file, "close.dll"? Think the name is a bit of a major clue? Well, you'd be right. Deleting the file means you can click on svchost.exe and it'll stay open. Open it up, and...

00:13 to 00:18 seconds: Ah, a minimised IRC Channel! Shall we open it up? Yeah, let's do this thing. In Mystery Box Number 1, we have...

00:19 to 00:28 seconds: Botnet Central! I love the message:

"Please part because this is a private channel"

...no kidding! Perhaps you shouldn't be dumping people into a Botnet then?

In any case, you can see the channel is packed with people - sorry, drones - and from there, the aspiring Bot Master can do a wide variety of not so lovely things to pretty much anyone he pleases. Remember, once they control the computer, what they can do is limited only by their imagination. We are actively working on getting this Botnet shut down...with any luck, it'll be out of the picture within a few days at most. Fingers crossed...
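The one thing worth taking away from the walkthrough above is the masquerade: a renamed IRC client called svchost.exe, sitting in a freshly created folder under System32 instead of in System32 itself. As an added example (my own code, not part of the original post and not a tool the lab used), here is the check a responder would run over a file listing: any file carrying the name of a core Windows binary, but living somewhere other than that binary's one legitimate directory, gets flagged. The listing and the folder name "msdrv" are constructed for the walkthrough; the real sample's folder name is not given on the page.

```python
import ntpath

# Where each core Windows binary lives, relative to the system root
# (Windows XP-era layout, matching the era of the screenshots; an assumption).
EXPECTED_SUBDIR = {
    "svchost.exe": "system32",
    "lsass.exe": "system32",
    "csrss.exe": "system32",
    "services.exe": "system32",
    "winlogon.exe": "system32",
    "explorer.exe": "",
}


def flag_masquerades(paths, system_root=r"C:\WINDOWS"):
    """Return every path whose file name is a core Windows binary name but
    whose directory is not the one that binary belongs in.

    Paths are normalised first (slashes, '..' segments) and compared
    case-insensitively, so system32\\x\\..\\svchost.exe resolves to the real
    binary and is left alone, while system32\\x\\svchost.exe is flagged.
    """
    findings = []
    for path in paths:
        directory, name = ntpath.split(ntpath.normpath(path))
        subdir = EXPECTED_SUBDIR.get(name.lower())
        if subdir is None:
            continue  # not a name on the impersonation list
        expected = ntpath.normpath(ntpath.join(system_root, subdir))
        if directory.lower() != expected.lower():
            findings.append(path)
    return findings


# Constructed file listing for the walkthrough; "msdrv" is a placeholder
# folder name, not the folder the blog's sample actually created.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\svchost.exe",               # the real one
    r"C:\WINDOWS\system32\msdrv\svchost.exe",         # renamed IRC client
    r"C:\WINDOWS\system32\msdrv\close.dll",           # not a system name
    r"C:\WINDOWS\system32\msdrv\..\svchost.exe",      # resolves to the real one
    r"C:/WINDOWS/explorer.exe",                       # forward slashes, legit
    r"C:\Documents and Settings\user\Local Settings\Temp\lsass.exe",
]

if __name__ == "__main__":
    for hit in flag_masquerades(SAMPLE_PATHS):
        print("suspicious:", hit)
```

Two caveats for real use: Windows File Protection keeps legitimate copies of these binaries under system32\dllcache (and later versions under WinSxS), so those directories need whitelisting, and a name check is only a triage filter; the bot here would also have stood out by its mIRC icon and by its configuration files sitting next to it.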

On a side note, my colleague Wayne Porter and I have been working on some new "top secret" methods with which to identify and knock out these rogues (that's why we are a lab, remember?). It has extended into a far deeper and more complex research project than we imagined, but it may produce some startling new ways to combat the menace at large...

IMPORTANT UPDATE: Google has reacted very quickly to our concerns, and we have been in discussions with their top engineers. As netizens we are encouraged by their quick reaction to our concerns, and willingness to listen thoughtfully to our feedback. Successful companies like Google understand that one must be a part of the conversation, not stand outside the conversation or try to obscure it. Our hats are off!
Stay tuned for more news...(See Addendum At Bottom)

-Wayne Porter
Sr. Dir. Greynets Research, FaceTime Communications

Back to the entry and analysis from Paperghost....

The idea of problems behind "gated" communities is a pretty interesting one, even more so when the idea regularly rolls around that segregating various parts of the Internet to "keep the bad guys out" would be a great idea. But what happens when those bad-guys are already inside the gates?

From Wikipedia:

(Orkut is) run by Google and named after its creator, Google employee Orkut Buyukkokten. It claims to be designed to help users meet new friends and maintain existing relationships. Similar to Friendster and MySpace, orkut goes a step further by permitting "communities" of users. It is also invitation-only: users must be invited to join the community by someone already there.

So, an interesting concept. But as we saw with MySpace not so long ago, people can (and will) game the system. In this case, the targets are (primarily) Brazilian users of Orkut, because for some reason something like 70% of all users are from Brazil, and Portuguese is the language of choice right now. Of course, Orkut is not to blame here, nor are social networking sites in general. The sad fact is that a large concentration of end-users in a confined space is like the world's biggest honeypot to a social engineer.

It figures, then, that this particular infection (a variant of an older password stealer, which we dubbed Orc.Malware) should carry a message in Portuguese. Following up a hot tip from FallenHawk (an extremely resourceful security researcher), I was able to get a look at something rather nasty. Something that has apparently been nailing Orkut users for at least a month or so, but (until now) has been ultra-elusive when it came to pinning it down. The early variants (one or two of which I've since obtained) didn't do very much, and there was no direct tie to Orkut other than that this was where the bad guys were pushing it. Now, however, the infection pops up a message telling you your data is being mailed off someplace, before sending you to the Orkut site (as you'll see from the video later on. Bring some popcorn).

The source of the problem is these two nasties (disguised as images), created in the System32 folder by a rogue executable file:


Let's have a look at how these things get on board in the first place. We'll start off with the method of delivery...the infection message. The most common one we've seen so far is this:

"Oi... tudo bom? Como o orkut limita a quantidade de fotos que podem ser publicadas na minha conta, eu criei um slide com algumas fotos minhas, pra ver e so clicar clicar no link!!! [link removed] - Sei que vai gostar"

Translation: "Hi... how's it going? Since Orkut limits the number of photos that can be published on my account, I made a slideshow with some photos of mine; to see it, just click the link!!! [link removed] - I know you'll like it"

This message is deposited in an Orkut user's "Scrapbook" (similar to a guestbook), and as the Scrapbooks are public, anyone visiting can see the link and click it. As you probably guessed, that's a real bad idea in this case.

The end-user is presented with what looks like an image file - open it up, and covert ops of the nastiest kind are instigated against the PC. Two more files are installed.

They don't look like much, but they're busy trying to drain your pockets of cash and anything else they can get their hands on. One of the files contains references to a pile of specific login pages for Brazilian banks, as well as a whole section devoted to Orkut and its Friends and Scrapbook pages. On the Orkut help site, they mention that automated scrap sending isn't allowed:

"If you use other sites to log into orkut or send your friends scraps, you will likely be blocked from performing any actions on orkut.com for about 15 minutes and you'll see the message "We're sorry...but your query looks similar to automated requests."

However, there are many examples of people abusing the system: Orkut has had lots of problems previously with people creating spam scripts. And this particular infection does seem to have at least a (very) basic automated functionality. I first tested this on the eighth of June, and was more interested in the data-theft aspect at that point. I didn't see anything particularly unusual going on (beyond the keylogging, of course!), and yet when I logged in a few days later, I saw this:

[Screenshot]

...and this:

[Screenshot]

During testing, I had two contacts in my "Friends" network. To my surprise, both of those users now had the infection message sitting in their scrapbooks. As you can see, the time / date of both messages is identical: 09:54 AM, 08/06/2006.

Now that's pretty freaky.

Worse still, this infection seems to be amazingly random. During one round of testing, it even deposited me into an XDCC Botnet:

[Screenshot]

Yay, I'm file-sharing pirated content!

As for how the data is actually sent back to the hacker guy, you'll probably want to check this short movie clip out:

[Video clip: 2.90 MB]

00:00 to 00:09 seconds: End-user is going about their daily business, logging into Orkut. Note that you could be performing any web-based activity here; it's just a little thing I like to call context. Plus, I don't actually have any Brazilian bank accounts so you'll just have to make do with Orkut.

00:10 to 00:14 seconds: The end-user clicks into "My Computer". Oh dear - an "error message", warning that you have insufficient virtual memory and the application will now close (or words to that effect. I never was very good with Babelfish).

00:17 to 00:27: At this point, the end-user is probably wondering what on Earth is going on, as they see a message telling them their "form has been submitted", and that they will be redirected somewhere in 5 seconds. Can you guess where?

00:28 to 00:34: That's right, Orkut! I mean, he stole all your bank details and website logins, but at least he gives you a chance to get back into Orkut and change your password before he steals that too!

[Screenshot]

Make no mistake about it - this infection is a real nasty one. And worse still, it looks like the tip of a very ugly iceberg. I'd insert a really rubbish comment at this point about "how I hope we're not too late to avoid a Spyware-Titanic", but you'd probably hate me for it. Even if it was a nice tie in to the whole iceberg thing. So I'll just leave you with the advice that randomly clicking links to check out pictures, especially when those pictures are from some magical party you've never heard of, is probably not a very good idea.

Many thanks to Peter in our Bangalore office for his incredible sleuth work and the entire team for assisting in pulling this complex case to pieces. Special thanks to Wayne Porter for all night monitoring and revisions.

ADDENDUM: A startling event was discovered during extended testing on an infected machine, which was infected in a lab setting on the 13th of June. The link to the dangerous payload was propagated on the 16th; however, the infection message is timestamped as having been sent on the 14th of June:

[Screenshot]

[Screenshot]

ADDENDUM Saturday, 17 June 2006: Happy Endings for Orkut

From CNET:

Google confirmed the worm. "We are aware of this issue and will have a temporary fix in place within the hour," a company representative said in an e-mailed statement. "We are working on a more permanent solution for users to guard against these malicious efforts."

For their protection, Orkut users, just as users of all online services and applications, should always be careful when opening or clicking on anything suspicious, the Google representative said.

-Wayne Porter
Sr. Dir. Greynets Research, FaceTime Communications

Security is always full of twists and surprises. To borrow from the spirit of Forrest Gump: "Security is like a box of hand grenades; you never know when you're gonna get a live one."

Much to the chagrin of some Yahoo Mail users, the JS/Yamanner worm played havoc through a vulnerability in the Yahoo Mail service. Now for the bizarro twist: the alleged worm writer was simply looking for a job. He concocted the worm to show off his "elite skills".

From Silicon Valley Sleuth Blog.

Subject: I have written JS/Yamanner@MM Worm

I have written JS/Yamanner@MM Worm that has been discovered 12 June 2006. I found that in Yahoo! mail and use it to execute scripts (collecting yahoo addresses from someone mail, sending this email using Ajax technology to them and then redirecting them into a sample site).

Finally I should mention that I don't like to disturb anyone. Since I live in Iran and taking a job in good computer companies is very hard (because getting a Visa is very hard from US) I just want to prove that I have some abilities in web programming. And I like to work with professional team like you if there is any way to do that.

Perhaps they should have named the worm JS/BadManners?

The bottom line is that security companies don't hire digital criminals. The actions don't say much for this misguided individual. As Silicon Valley Sleuth notes, he could simply have written a proof of concept instead of steamrolling innocents via e-mail. Security ethics are cemented around integrity. Some of the finest malware fighters I know are truly great people, who care not only about our technological ecosphere but simply want to make it safer.

On that note, stay tuned to this bat channel: PaperGhost has been leading a mad hunt, guns blazing, with the team into the murky depths of, let's say, the "Lords of The Underworld". That's your hint. The days get stranger...

I also promise you won't want to hire this guy either...not even to stock your grocery shelves or to mow your lawn.

I recently came across an installer file being pushed in a Botnet - nothing new there, but it serves up an interesting take on how Adware companies need to make sure that it's not just their software springing up in hijacks - it's their websites, too.

In this case, the Zango.com website is popped open on the user's desktop (ignore the box mentioning Poker, that's from a different popup):

[Screenshot]

...this is what's known in the trade as "strangeness incarnate". Usually someone will try and install something, so they can make money. Simply popping open the Zango.com website doesn't seem to point to any financial gain, unless the person behind it gets a cut of the profits from the clips on that page. But that would also be stupid, as it wouldn't be too hard for the Zango people to then find out who stuck what movie files where on their website. Plus, I'm under the impression that Zango themselves are responsible for placing the videoclips on Zango.com anyway.

I ran the infection again, and who should pop up in the next barrage of adverts but Bestoffers Network (another name for Direct Revenue):

[Screenshot]

....whoops. As for what's installed, it's the usual (rather popular) mish-mash of files from WebHancer, Dollar Revenue, SurfSidekick and Toolbar888, which is apparently a Maxifiles variant. I've spoken about Maxifiles in relation to Direct Revenue many times. At any rate, here's a screenshot:

[Screenshot]

Nice collection!

Of course, it goes without saying that the PC is hosed shortly after the install:

[Screenshot]

...ouch. Still, at least the hijacked end-user will have no shortage of Smileys to play with, pills to take and celebrity videos to watch while smoke starts to pour out the back of their monitor. All in all, I'd say that's a pretty good tradeoff...!

Question from a Reader: "Can people hide messages in pictures? Is this for real?"

Yes, this is for real. It is not limited to pictures, although that is one of the common uses: messages can be embedded in any number of digital media types, including sound files.

This practice is called steganography, or stego for short. Steganography is the science of writing hidden messages in such a way that no one except the intended recipient even knows the message exists.

Usually a steganographic message will appear to be something else: a picture, an article, a shopping list, or some other message. This is referred to as the covertext or, in the case of a digital file, the carrier.

Steganography is different from cryptography. With cryptography, encryption is the process of scrambling information so that it is unreadable without special knowledge (the key); the message is not concealed, just obscured. The two are usually combined rather than chosen between: the payload is encrypted first and then hidden, as the tools listed below do, so that it reads as noise even if it is found.

The obvious advantage of steganography over cryptography is that the message does not attract any attention. An unhidden coded message, no matter how strong the encryption, will arouse suspicion and may in itself be problematic; in some countries, for example, encryption is illegal. The flip side is that steganography gives no protection once the hidden data is spotted, which is why the detection research described below matters.

A common form of steganography is the use of JPEG files (computer images) to hide the message. Research is already underway to create systems that can detect secret files or messages hiding within digital images. From the Ames Laboratory write-up on one such project:

Electronic images, such as jpeg files, provide the perfect "cover" because they're very common: a single computer can contain thousands of jpeg images and they can be posted on Web sites or e-mailed anywhere. Steganographic, or stego, techniques allow users to embed a secret file, or payload, by shifting the color values just slightly to account for the "bits" of data being hidden. The payload files can be almost anything from illegal financial transactions and the proverbial off-shore account information to sleeper cell communications or child pornography.

"We're taking very simple stego techniques and trying to find statistical measures that we can use to distinguish an innocent image from one that has hidden data," said Clifford Bergman, ISU math professor and researcher on the project. "One of the reasons we're focusing on images is there's lots of 'room' within a digital image to hide data. You can fiddle with them quite a bit and visually a person can't see the difference."

"At the simplest level, consider a black and white photo: each pixel has a grayscale value between zero (black) and 255 (white)," said Jennifer Davidson, ISU math professor and the other investigator on the project. "So the data file for that photo is one long string of those grayscale numbers that represent each pixel."

You can read more on the Ames Laboratory research here.
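As an added example (my own code, not the Ames Laboratory tooling and not anything from the original post), here is the simplest image stego scheme the quotes above describe, rewriting the least significant bit of each grayscale pixel, alongside the kind of statistic the researchers allude to: a chi-square-style measure over the histogram pairs (2k, 2k+1), which LSB embedding of random-looking bits pushes toward equality. The 64x64 carrier and the payload are constructed inside the script so it runs offline; a real photo would be loaded as a flat list of 0..255 values in the same way.

```python
import random

WIDTH, HEIGHT = 64, 64  # constructed 8-bit grayscale carrier (assumption)


def make_cover(seed=1):
    """Build a constructed grayscale image as a flat list of 0..255 values.

    Real photos have LSBs that are far from uniformly random; we imitate that
    skew by clearing the LSB of most pixels so even values dominate.
    """
    rng = random.Random(seed)
    pixels = []
    for _ in range(WIDTH * HEIGHT):
        value = rng.randrange(256)
        if rng.random() < 0.7:
            value &= 0xFE
        pixels.append(value)
    return pixels


def embed_lsb(pixels, payload):
    """Hide payload (4-byte length prefix, then data) in the LSB of each pixel."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload too large for this carrier")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # each pixel moves by at most one level
    return stego


def extract_lsb(pixels):
    """Recover the payload written by embed_lsb."""
    def read_bytes(count, offset):
        out = bytearray()
        for k in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (pixels[offset + k * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(4, 0), "big")
    return read_bytes(length, 32)


def lsb_pair_stat(pixels):
    """Chi-square-style statistic over the value pairs (2k, 2k+1).

    Writing random-looking bits into the LSBs drives h[2k] and h[2k+1]
    toward each other, so the statistic collapses on a stego image.
    """
    hist = [0] * 256
    for value in pixels:
        hist[value] += 1
    stat = 0.0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        if a + b:
            stat += (a - b) ** 2 / (a + b)
    return stat


def demo(seed=1):
    """Embed a constructed payload, extract it, and compare the statistics."""
    cover = make_cover(seed)
    rng = random.Random(seed + 1)
    payload = bytes(rng.randrange(256) for _ in range(480))  # random-looking, like ciphertext
    stego = embed_lsb(cover, payload)
    used = (4 + len(payload)) * 8  # only the pixels that carry bits are analysed
    return {
        "recovered": extract_lsb(stego) == payload,
        "max_pixel_delta": max(abs(a - b) for a, b in zip(cover, stego)),
        "cover_stat": lsb_pair_stat(cover[:used]),
        "stego_stat": lsb_pair_stat(stego[:used]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

No pixel changes by more than one gray level, which is why the eye sees nothing, yet on the embedded region the pair statistic drops by roughly an order of magnitude. Two practical points follow: the payload only looks random because it is encrypted or compressed first (plain text has its own bit bias), and computing the statistic over the whole image dilutes it when only a prefix of the pixels carries data, which is why real steganalysis scans the image in windows.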

Curious users can also try stego software, but use it at your own risk, and be sure it is legal to use in your country: in some countries this type of software is illegal and carries stiff penalties.

Dound's Steganography: Freeware. This software allows users to encode and decode messages of their choice with a keyword. The message is coded into a picture, which can be sent via e-mail, uploaded, and so on, and then decoded by the recipient with the keyword it was encoded with. It's easy to use, and to the eye there is no difference between the original and the encoded pictures. It comes with a test picture, too.

Steganography Trialware. This application enables you to use digital data hiding techniques to hide as well as encrypt files within other files such as picture or sound files. This allows you to encrypt sensitive information, while at the same time hiding it in a file that will not look suspicious, so nobody even knows that there is encrypted information.

Steganos Security Suite: Trialware, $69 to buy. Offers a complete encryption software package, which provides protection for users of PCs and laptops. The software features 256-bit AES encryption of an unlimited amount of data; e-mail encryption; the ability to use USB sticks as rewriteable mobile safes; the potential to track down a lost or stolen laptop; track shredding; a password manager; password quality control; file shredding; and steganographic capabilities.

Internet security...sometimes it isn't all dry analysis and wading through rogue code and links...sometimes the stories get- strange.

First we thought the YapBrowser was dead and buried. After a number of security experts exposed it for serving up underage (UA) porn, 180Solutions (now Zango, after the Hotbar merger) stopped sponsoring the product. A product, I might add, that should never have gotten through any good quality assurance department in the first place.

Then I conducted an e-mail interview with "John Sandy" to try to get to the bottom of the fiasco. The answers were evasive, and to date no one seems able to take responsibility for the situation; it has all been pass-the-buck. Then, mysteriously and quietly, the YapBrowser came back online, promising an adult browser that, in their own words, offers this: "There is a 100% guarantee no system infection will occur when using our software. YapBrowser is the only browser which gives you safe search and browsing capabilities." We find that promise hard to believe.

We thought that might be the end of it, but now a mini-soap opera is playing out as the people behind the project have launched a discussion forum. What is intriguing about this forum is that a number of the user names are the same as, or similar to, those of well-known security professionals and analysts, and of people in stories we have covered before. They have registered as users and are actively carrying on conversations. Some examples include:

Chris Boyd, our own PaperGhost, a well-known and accomplished malware researcher who went back and forth with the YapBrowser crew across a number of blogs, including his own at VitalSecurity.org. It is notable that the real Chris Boyd did not sign up at the forum (he has since registered as Paper-Ghost to monitor events).

Susie, who we assume could be an impersonation of Suzi Turner, the well-known anti-malware activist who runs SpywareWarrior.com and blogs at ZDNet's Spyware Confidential, and who covered the story and had harsh words for the Yap people. In the forum, "she" lists her favorite blogs as "Sunbelt Software" (run by Alex Eckelberry, who was also instrumental in the crackdown on YapBrowser), our own Greynets Blog, and Revenews, a large business blog I contribute to (and the neutral ground where the first interview took place). "Susie" goes on to make some jabs at VitalSecurity and the Washington Post's security blog, written by Brian Krebs. It is notable that the real Suzi does consult for Sunbelt Software, and that she doesn't speak Russian either. Then again, maybe it isn't *that* Suzi, just a vague "coincidence".

RinCe: an individual who assisted our team with a tip-off while we were investigating a rogue botnet involved in a massive credit card theft scheme, whose owners later wound up in serious legal hot water after the story broke. To our knowledge, RinCe doesn't speak Russian either. (More on that story later.)

Ozzy, who we assume could be the top-gun hacker buster of BlueMicro. We really don't know if it is actually Ozzy having a go at them, or an Ozzy impersonator, but given the circumstances we simply have to wonder. You see how confusing it all gets.

To top it off, they link to my interview with the alleged "John Sandy" as if the interview vindicates their activities. Folks, it doesn't. My role was merely to facilitate the conversation and work with the translators to try to get some answers as to how a situation could go so horribly wrong.

So why this apparently complex game of charades? We really don't know. That is what we mean by the story getting stranger and stranger. We will continue to monitor, but that won't distract us from the really interesting stories on the horizon. Stay tuned for more mayhem from the digital trenches.

ADDENDUM: Within a few minutes of posting this blog, the Chris Boyd page at Wikipedia was defaced. Fortunately, Wikipedia records the IP address of the anonymous editors who deface the popular wiki.

Yesterday we reported on speculation of a marriage between Hotbar and 180Solutions. Today it was announced that 180Solutions has merged with Hotbar. The new name for the company will be Zango, and it would probably be correct to assume they are now the largest adware maker on the Internet.

According to the Seattle Times:

Bellevue-based 180solutions, which makes software commonly known as adware, has acquired Hotbar of New York for an undisclosed amount of money. As part of the announcement, 180solutions will be renamed after its consumer brand: Zango.

Adware is an application that users download to their computer to get free content. The application monitors what they are doing online to deliver relevant advertising. In the past, Zango and other companies have been lumped together with spyware, which works similarly, but is typically installed on a computer without permission.

For several weeks, speculation has been moving fast and furious inside security research circles that "adware" maker 180Solutions Inc. has been courting Hotbar, another company that traffics in adware. Naturally this deal would catch the eyes and probing minds of security researchers, given 180Solutions' checkered past; Hotbar has had its own fair share of controversy, most notably when Symantec sued Hotbar for the right to classify Hotbar's products as adware. (The suit was settled out of court.)

Now there are articles hitting mainstream press covering the proposed deal, and we can point readers to a rough translation of an article that Google News snagged out of Israel: Hotbar in talks for sale to 180Solutions at Globes.co.il

The article says:

Israeli dot.com company Hotbar Inc. is negotiating its sale at a company value of $52 million. The probable buyer is Internet company 180Solutions Inc. Sources inform ''Globes'' that Hotbar is also negotiating with other companies, including ICQ. Hotbar develops software that sits on the browser, enabling users to change their toolbar to include links to services the company offers. Founded in 1999 by CEO Oren Dobronsky and president Gabriella Karni, the company has raised $15 million to date. Its last financing round was held in 2001. Investors include Eurofund, Tamar Technology Ventures, Technorov Holdings, CE Unterberg Towbin, and Deutsche Bank subsidiary ABS Ventures. According to IVC Online, the company had $35 million in sales in 2004.

180Solutions develops software solutions for on-line advertising. The company develops adware, otherwise known as spyware, activities hated by surfers and users of computers. Coincidently or not, this activity is connected to a lawsuit anti-virus developer Symantec Corp. (Nasdaq:SYMC) filed a year ago against Hotbar, in which Symantec demanded that some of Hotbar's activities be classified as adware. The case was settled out of court a few months ago.

Some of this article seems completely off base and some of the connections are a pretty far stretch. For example, it is hard to discern how the Symantec suit had anything to do with a deal like this being brokered- although the article does reference it as a possible "coincidence".

Furthermore, it would be surprising if ICQ were a buyer: ICQ is merely an instant messaging service. Mirabilis was the name of the Israeli company that produced ICQ. Mirabilis was formed in 1996 by four Israelis, Arik Vardi, Yair Goldfinger, Sefi Vigiser and Amnon Amir, and was purchased by AOL in 1998 for over $200 million US. (Note our recent walk down IM memory lane with ICQ.)

In 2001, a new company called AOL Time Warner was created when AOL purchased Time Warner, forming the world's largest media company. The deal, announced in 2000, employed an atypical merger structure in which each original company merged into a newly created entity. We have documented Time Warner engaging in distribution deals with 180Solutions for some of its online soap operas, a distribution deal that was ill-timed given the highly problematic YapBrowser fiasco, where the browser product, sponsored by Zango (the same adware product sponsoring Time Warner's content), displayed UA pornography after making it through 180Solutions' "stringent" approval process. [Reference background on YapBrowser and links to our interview.] 180Solutions did end the relationship after the activities came to public light.

At this stage it all remains speculative; however, information from many credible sources has been flowing in to researchers for weeks now, and, coupled with coverage in Israel (Hotbar's hometown), this researcher is inclined to believe the deal is more than likely going down.

The looming question will be if 180Solutions will continue with what many call irresponsible and poorly controlled distribution practices. A good researcher relies on intuition and what he/she sees in the field. At the same time a good researcher doesn't ignore history and its lessons either.

Skype continues to bring new firsts to everyone's Internet social and work experience, myself included. First there was a strange SPIM ambush, and now something more interesting.

Before I get into the experience, and in order to fully understand and appreciate why I find this experience so progressive, I need to back up a decade to the launch of a company called Mirabilis. Mirabilis made the ICQ product. ICQ, short for "I Seek You", was launched over a decade ago by four enterprising Israeli entrepreneurs. ICQ drove online communications out of message boards and forums and into real-time text chat. Back in 1997, ICQ really changed how I and many others operated online. Instead of waiting for e-mails to bounce back and forth, you could message in real time. Before that time, the closest I had come to chat was on dial-up Bulletin Board Systems that had multi-node chat and three inbound phone lines. With IM, development, feedback and collaboration suddenly became easier and faster; it cut down geographical barriers and fused the world together at incredible speed. It was life- and business-changing for many people, and a very exciting time to experience.

Naturally, it was first adopted by technical users, who immediately grasped the concept. It also became essential for online team gaming like Quake, where you had to organize players before a match of TCP/IP-based gunslinging action. Families and friends began to use it to communicate, form relationships and stay up to date, and it also gave small businesses and virtual workers a whole new way to interact. Because of the social nature of instant messaging, it propagated like wildfire, passing by word of mouth, e-mail and community.

While I still retain my original ICQ number (the digits are so low I simply can't let it go), I have forsaken ICQ and even AOL IM for the most part and moved on to Skype. Skype offers voice chat, webcam support, conferencing and file transfers, among other options.

Skype is free, easy to use and of fairly good quality for voice calls; plus, you can dial land lines or get a SkypeIn number. I keep it open most of my work day, unless I don't want an interruption. With Skype on the desktop I am able to work and communicate with people around the world at the click of a button; it is absolutely critical for global research work. If you stop and think about it, that is extremely powerful. This is the next wave for the enterprise too, as customers will demand to interact with businesses in the format they choose.

One look at Google Trends for Google Chat and AIM versus Skype shows just how quickly and how massively Skype use has taken off. So, on with my experience...

Recently Chris Boyd and I had a conversation with a reporter from a very high profile magazine. That isn't news of course. We do that all the time. What was novel is that we did it via Skype. That may not seem like a big deal, but this reporter didn't flinch when it was suggested we utilize Skype to connect everyone- no problem at all!

I simply cannot imagine that happening two years ago. Having a Skype call with a technically savvy reporter is progressive and underscores how businesses are adopting this communication tool for their work. Skype is becoming as ubiquitous as Google if you think about terms like "Skype Me" or "Google It".

Naturally all of this free communication without the barriers doesn't come without some risk. IM networks can be attack vectors for worms, as we detailed in a recent threat, and as with any virtual communication you don't know for sure that the person you are talking with is really who they claim to be. In many cases threats from unknown people with unknown agendas can be risky too.

Instant Messaging is a rich petri dish for social engineering and it is also laced with fast-circulating rumors. Going back to ICQ again, one of the old and long-standing ICQ rumors was that Mirabilis was going to charge for the service. It never happened, and AOL bought ICQ a few years ago, but that didn't stop the rumors from flying all across the Web, fueled by the IM medium. Judging by the outcry on the Web, many people believed them.

In terms of businesses, many are starting to embrace IM and VoIP, partly powered by the incredibly lush features and partly because employees themselves are introducing the tools into the Enterprise on their own. Soon businesses will not be able to afford not to embrace it, because their customers will be demanding it in tandem. Enterprise IM applications are great if you want to communicate inside the Enterprise only, but all businesses have customers, and these customers will set the tone for how they want to communicate with the business.

Will Skype supplant land lines? Probably not anytime soon, but lots of home users and business users are embracing it at a rate that is astounding. Voice 2.0 is upon us and it is an exciting time to be on the Internet.

IST Adware Via WMV Files


Are you interested in downloadable movie clips? Many people are, so be alert!

During the course of research, while googling for some popular video albums, I came across a forum that holds many articles and download links based on the users' interests. More than ten thousand members share their articles and download links in this forum. Many of these are what you might call spicy material. I paused when I found a fellow who was posting many adult video clips. Most of the download links are from Rapidshare.

Rapidshare is a site where people can upload and download files of up to 45 gigabytes.

I picked up one of the threads which appeared on May 22, 2006.


Jimpolk, the user who posted the thread, did not give any personal information and is not a member of any public group in the pakkadesi forum, so I can deduce this might be a marketing attempt.


The thread offered two download links to the same video clip; I selected the Rapidshare link.

I downloaded the clip and played it using Windows Media Player. Rather than opening the media, it suddenly began acquiring a license.


I used Netpeeker to track what was happening with Media Player, and the report showed Windows Media Player contacting ysbweb.com to install IST Adware products.


All becomes apparent when an ActiveX control pops up. The ActiveX control is signed by Integrated Search Technologies. (Note: this does not mean a control is safe, only that it is signed.)


They did not allow me to view the video without installing the IST adware.


The EULA was last updated on May 4, 2006 (incidentally, the very same date on which Jimpolk registered in the pakkadesi forum), which is a very recent move by Integrated Search Technologies to distribute their advertisements. People can also check out EULA Analyzer Beta to help analyze agreements.

Users will need to agree to a license that enables the installation of several applications. These include ISTbar, SlotchBar, YourSitebar and Xxxtoolbar. This is just to view one movie!

They may also install third-party adware products like Internet Optimizer and SurfAccuracy.

I captured the network traffic, which helped me determine that IST might be affiliated with some of the people who are distributing the WMV files: the affiliate ID below is carried on both the DRM request and the license request. Of course, it could also be an account set up for internal analysis.

POST /v7.aspx?id=65181&filename=Desi_bhabhi_******.wmv&affiliate_id=1000656:1913 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: SendHTTP
Host: drm.ysbweb.com

GET /ist/scripts/license.php?key_id=&filename=Desi_bhabhi_******.wmv&affiliate_id=1000656%3a1913 HTTP/1.1
User-Agent: SendHTTP
Host: www.ysbweb.com
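To show how an analyst can spot this pattern in captured traffic, here is an added example (not part of the original post): it parses raw HTTP request headers, decodes the query string (including the %3a in affiliate_id), flags requests to the license hosts seen above, and collects the affiliate IDs they carry. The sample input is constructed from the two requests on this page plus one benign request for contrast; the host list is an assumption taken from those requests.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts that served the IST "license" requests in the capture above
# (assumption: taken from the two requests shown on this page).
LICENSE_HOSTS = {"drm.ysbweb.com", "www.ysbweb.com"}

# Constructed sample: the two captured requests plus one benign request.
SAMPLE_REQUESTS = """\
POST /v7.aspx?id=65181&filename=Desi_bhabhi_******.wmv&affiliate_id=1000656:1913 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: SendHTTP
Host: drm.ysbweb.com

GET /ist/scripts/license.php?key_id=&filename=Desi_bhabhi_******.wmv&affiliate_id=1000656%3a1913 HTTP/1.1
User-Agent: SendHTTP
Host: www.ysbweb.com

GET /index.html HTTP/1.1
User-Agent: Mozilla/4.0
Host: www.example.com
"""

def parse_requests(text):
    """Split blank-line separated HTTP request headers into dicts holding
    the method, path, decoded query parameters and lower-cased headers."""
    requests = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        method, target, _version = lines[0].split()
        parts = urlsplit(target)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        # parse_qs percent-decodes values, so 1000656%3a1913 -> 1000656:1913;
        # keep_blank_values keeps the empty key_id= seen in the license GET.
        query = {k: v[0] for k, v in
                 parse_qs(parts.query, keep_blank_values=True).items()}
        requests.append({"method": method, "path": parts.path,
                         "query": query, "headers": headers})
    return requests

def find_license_hits(text):
    """Return (host, filename, affiliate_id) for every request that asks a
    known license host for a media 'license' on behalf of an affiliate."""
    hits = []
    for req in parse_requests(text):
        host = req["headers"].get("host", "")
        q = req["query"]
        if host in LICENSE_HOSTS and "affiliate_id" in q:
            hits.append((host, q.get("filename", ""), q["affiliate_id"]))
    return hits

def affiliates_seen(text):
    """Distinct affiliate IDs across all hits; a single ID on both the DRM
    POST and the license GET ties the clip to one distributing affiliate."""
    return {aff for _, _, aff in find_license_hits(text)}
```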

Since there is a large demand for adult entertainment online, it comes as no surprise that companies are distributing their products through pornographic video clips. Likewise, it is not surprising that people are trying to earn money by becoming affiliates for adware companies like IST (in this case, by uploading their movies to sites like Rapidshare). The user, JimPolk, may be one among them, earning pocket money just by distributing adware through the video clips.

The lesson here is that free often carries a steeper price tag than you might think- the trade-offs are often hidden. Think before you click and ask yourself: is downloading several applications that will throw pop-up ads, trade away your privacy and slow down your computer worth the video you are about to download? Also consider that you will have to endure this software long after the video is gone.

Every now and again, I see people firing URLs into chat-rooms - and this particular link (from an anonymous tipoff) would lead me to a rather unusual destination. It's one of the oddest Botnet escapades I've seen in a while.

Our tale begins with me downloading and running an executable I'd been informed about. In case you're wondering (and you probably are), they've cunningly disguised it as a movie file:


...clever, eh? Well, not really. But you'd be amazed how many people will fall for something like this. And seeing how Botnets are flavour of the month around here at the moment, I thought I'd have a poke around this little operation and see what I could find. You'll never guess where this one ends up though...

Click image to enlarge

...and we're in! Small to average sized net, as you can see from the numbers in the picture. Checking out the first channel didn't really bring up anything interesting - just the usual Botnet channel scanning for vulnerabilities:

Click image to enlarge

Nothing to see here then, right?

Wrong. Because we still have one channel left, and it's the channel that's going to confirm the relation between the random URL link from my tipoff and this particular Botnet:

Click image to enlarge

Now, deciding to investigate further, I went and checked out the site that this thing came from. Usually it's an otherwise empty "holding page", or a site advertising pills of some description - imagine my surprise, then, when I saw the site hosting this thing was...

Click image to enlarge

Yep, a popular forum (3,500 or so users!) about Christianity.

Of course, it's entirely possible that the site could have been hacked and a single file has been dumped there, randomly. It happens all the time. However - go back a step and check out the directory that the executable is sitting in:

Click image to enlarge

Oh noes!

A whole pile of extremely nasty files. In addition, this directory has nothing to do with the Forum, so someone has some pretty high level access going on there.

Worse still, the first file appeared on the 26th December 05...and we know what day comes before the 26th, right? And the files have kept on accumulating up until the 25th May 06.

So, we have a pile of nasty files, all sitting in a directory hidden behind a religious interest forum, with some of the files being used in a mini-Botnet Empire.

Did I mention the files were nasty?

Oh, yes indeed.

Some kick IRC into life in a vaguely obvious "you've been jacked" kind of fashion:

Click to enlarge

One of the files completely kills your ability to browse the web - IE? Firefox? Opera? Doesn't matter, it'll break them all. Another slaps you down with a lovely slice of virus pie, and if you're insane enough to run everything there just for laughs, well, don't be surprised when your PC slows to a crawl and demands to be put out of its misery.

As of this moment in time, Wayne Porter has attempted to contact the site owners via Email (it bounced due to the mailbox being full) and via their DNS information - so far, no reply. We'll keep you updated on how this one goes...

About this Archive

This page is an archive of entries from June 2006 listed from newest to oldest.
