July 2006 Archives

The question on everybody's lips right now (well, probably not, as it happened over the weekend, but still...) is:

How much impact did this have on Zango pulling out of their Warner Brothers deal?

Digg.com is a well known source of breaking news stories, and thanks to its rapid spread and rather large reach, a story there often springs into life, runs its course and comes round again well before many journalists are even aware of it. A story was recently submitted to Digg with a rather spectacular title:

"Warner Bros website distributing Zango Spyware + Kiddy porn browser".

As someone who follows Zango extremely closely, I nearly fell off the chair when I saw this hit the frontpage of Digg. Could something have gone so amazingly wrong with Zango's distribution chain that someone had gamed the system (once again) and started serving up illegal pornography from the Warner Brothers site courtesy of Zango?

The answer is no. The story submitted to Digg takes the user to a Blog entry dated Thursday, 11th May 2006. Contained within are a number of factual errors, where various Zango related stories have meshed into one, messy whole - however, when the story was re-submitted to Digg last weekend (after being submitted for the first time a few months back and getting nowhere), the submitter added the rather inflammatory title into the mix and people went crazy voting for the thing. End result, a factually incorrect story slamming onto the frontpage of Digg and causing major, major ripples in the Adware space into the bargain.

We think.

Because in all honesty, there's no real way to tell exactly how much impact this submission had on Zango pulling out of the Warner Brothers deal. The first inkling that something was afoot was an article that hit the Washington Post, courtesy of Brian Krebs. This appeared the day after the Digg article went boom, and inside sources tell me that something was definitely going on in that timespan. The question...is what. In reality, we have no way of knowing who reads Digg, but as someone who has been Dugg a lot of times, I have a good feel for the way it works with regards to the way a story leaks into the media. I've had at least one story "break" from Digg - as an example...

BitTorrent Installed without Permission, Downloads Movie Files

The above story was part of a larger investigation. We didn't put out a press release about it, but we did fire it up as a Blog Article and let it loose. Now, that story was picked up by mainstream press and exploded - a clear indicator of the power of Digg. So, it is not impossible that such a massively dugg story such as the Zango / Warner Bros story could end up hitting in the right places. Especially as many, many people who voted for the piece also submitted their feelings about this to Warner Brothers directly.

At this point, I imagine they saw the title involving illegal pornography, maybe did a little Googling about Zango and got just as confused as some of the facts involved here. It doesn't help that findings about Zango and Myspace hit at roughly the same time as this story (well, the whole of July, actually); in fact, I had a Digg going on at the same time as the Warner Bros story. Someone then suggested people Digg my story from the Warner Bros Digg too, leading to the strange sight of two Zango related stories hitting first and second place in the Digg Security Section:

[Screenshot]

In fact, I actually saw a few pieces covering the story that mixed up the details from both the Zango on Myspace story and the Zango / Warner Bros article. As the Zango / WB story on Digg is now flagged as "inaccurate", many of you have asked me to straighten things out with regard to the facts surrounding this whole mess, which is mainly the reason I've written this up in the first place. Though I'm no expert on the Zango / Warner Bros situation, I do know my stuff where the "illegal content" comes into play in all of this. With that in mind, here's my attempt to ease your mind...

1) "Warner Bros website distributing Zango Spyware + Kiddy porn browser"

This is entirely incorrect. The Warner Bros website was distributing Zango Adware (not "spyware"), and at no point in time did it distribute a "kiddy porn browser". The writer has confused a number of pieces of information - in this case, the "kiddy porn browser" is something called Yapbrowser.

Yapbrowser was a web browser that (for a short period of time) was distributed with Zango Adware. When you used the browser, it redirected you to a 404 error page that contained hardcore child pornography. The Zango Adware itself did not have any connection with the child pornography, other than that their software was bundled with the web browser. Once the browser's "hidden feature" was brought to light, Zango removed themselves from distribution with Yapbrowser. Zango's main failing here is that they clearly did not test the Yapbrowser application enough, because they would have realised that one click of the browser's "go" button was enough to send you to the illegal content. This doesn't say a great deal about the policing of their affiliates, but they were not responsible for serving up the offending content in any way.

Simply because Zango Adware was launched from the Warner Bros site does not mean visitors were at risk from anything "illegal" appearing on their desktop.

2) "They are also the people behind this alleged child porn browser. They are also the people who still silently install their software on your pcs".

This is taken from the Blog entry that caused all the commotion. Again, this is incorrect. Zango were not responsible for the browser - indeed, the article the Do Not Reply blog links to actually states as much:

"So who is this "Enigma Global Inc" that the YapBrowser installer claims is responsible for the program?"

These are the two main points that people asked me to address, because after seeing the Digg story and knowing that their kids visit the Warner Bros website, they were suddenly panicking like nothing else at the thought they might have illegal pornography on their desktops.

I'm all for taking a company apart in public when needed, but in my opinion this was entirely the wrong way to go about it. It freaked out too many people for no real reason other than inaccuracy, and I know one person actually scrubbed their hard drive because they thought the police were going to "kick the door in" or something. However you angle it, that's not a particularly pleasant situation for people to be in. The original Yapbrowser story was bad enough (in fact, it's probably the nastiest investigation I've ever been a part of), but dragging it up from the depths to cause needless panic was rather unnecessary. "The end justifying the means" is always a tough one to call, but in this case, it's way too close to the line for my liking.

Would I feel different if I hadn't been involved in the Yapbrowser shambles?


All I can say on this occasion is - this is one of the few times a story about Zango did not get a vote from me. Still, who knows what the future holds...!

Yesterday I wrote about fake Myspace profiles leading to pornographic webcam sites; today, we're looking at a variation on the theme. However, the end result this time is not naked ladies, but gambling software. The profile uses the same bait as the webcam profiles: an attractive female and a long "about me" section designed to convince you that the person in the profile is indeed "real":

[Screenshot]

There's also one final lure that the webcam profiles did not have:

"The first night I used a poker bot I won $3,000".

The irony here is that an online gambling website is being pushed by a profile promoting illegal bots - exactly the kind of program that the gambling site would not want being used on their system. Talk about conflict of interest! Of course, if you click the link to "Red Casino", you won't see any Bots - just a website asking you to install the gambling software:

[Screenshot]

From there, gambling fun is just a step away...

[Screenshot]

It goes without saying, but never download any programs you happen to find floating around Myspace, especially when they sound too good to be true. In this case, you're "only" downloading a piece of online gambling software, but there are far greater risks out there in Myspace land, as we've already seen...!

Myspace has had a mighty beating lately due to people exploiting the network for their own ends - we've had Adware, Flash hacks, infections via banner adverts and now here's the next problem marching across Tom's lawn with big, muddy boots and trampling all the flowers. It's time to take a look at the seedier side of what goes on in Myspace - you've probably heard about "Myspace Bots", but not seen one in action. Well, today's your lucky day.

There are currently lots of near-identical profiles being created on Myspace, for some reason all called "Monica". No idea why; I guess they just like the name. At least they're not going to forget who's who. This is of some benefit to us, however, because it makes it easier to steer clear of fake-profile related trouble. It goes without saying that, for the time being, you should double check any Myspace user you encounter called "Monica" before adding them to your MSN Messenger, especially if the text in the "about me" section of the profile is all about being "different" and "individual". Here's a screenshot of one of these profiles (note that the picture will change with each profile, but the "about me" text will remain (mostly) the same):

[Screenshot]

Once added, talking to "Monica" will result in a bunch of Bot-style replies that all try to get you to pay for access to hardcore pornography webcams. The interesting part was trying to work out how much was automated, and how much was human-controlled. The first chat I had veered away from the "4 random replies and set to Away status" pattern that all the subsequent sessions with Monica had. After all, when you're telling someone to "do a barrel roll" and asking them if they "like potatoes", yet all you get for your troubles is "check out my webcam!", it's the signal for a (not very advanced) Bot. It's entirely possible that the first chat was human controlled, but they had to stick to a script and not deviate too much. Ultimately it's all about the money, not random chat with some guy they're trying to extract payment from. Worth noting that if someone was talking to me the first time, they were quite happy to encourage me to join up, even though I mentioned I was twelve years old!

[Screenshot]

You can see the results of some of these chats here - always good to see just how intelligent these things are (whether human or Bot!) As you'll see, the first chat definitely suggests some form of personality behind the screen - however, the rest are all 100% guaranteed conversations with automated scripts. Doh!

I can only imagine the money being brought in by a scam like this. Fake profiles on Myspace have been around for some time, but a quick check of the message boards and forums suggests that this particular issue is taking off in a fairly major (and concentrated) way. It's the easiest thing in the world to create a bunch of fake profiles on Myspace, though to be fair, at time of writing Myspace have deleted a whole bunch of these accounts, so proactive steps are being taken.

It's just a shame that they seemed to have missed one in the process! As I mentioned in this BBC article on the problems facing Myspace at the moment:

"Any site has an increased risk of attack where a lot of customisation is possible," said Mr Boyd. "This level of customisation is what both attracts people to use the service, and what causes the most security issues."

The problem faced by Myspace is that if you start locking down all the things the users like about the service in the first place, they'll simply move elsewhere - quite the dilemma! However, somehow they need to educate their users to see that, sometimes, restrictions can be a good thing. The good news is, there are plenty of tech support and Spyware help groups on Myspace and they're doing an extremely good job of educating the everyday users there. We need to see much, much more of this kind of activity if Myspace is to begin clawing back the security of both its own service and that of its userbase.

Of course, if any of you Myspace users ever see anything you think is dubious going on - be it Adware, fake profiles or anything else - feel free to drop us a line here. We'll happily go check it out and see if we can get something done about it.

Stay tuned to Spywareguide, because we'll be looking at more common (and not so common!) scams and other such shenanigans going on in Myspace land - tomorrow, we'll be looking at a nice (!) example of Gambling software being pushed with (clearly fake) user profiles.

Looks like someone's number is up...

There have been plenty of issues for Zango to consider these past few weeks; in particular, their unexpected appearance on Myspace is a good example. Well, we have a rather interesting case here: a website enticing an end-user to install something they think they need, only to pull the rug out from under them and reveal that (in actual fact) it was this program over here that they needed all along!

[Screenshot]

As you can see, the site above is a typical free movies / webcam website. This site displays numerous videos for you to watch, with the words "live now" next to a play button. Pressing the button does not launch a video (as one would reasonably assume!), but actually opens up a download prompt:

[Screenshot]

The name of the executable continues the baiting strategy - "open for instant access". At this stage, the end-user still reasonably believes running this software is essential to viewing the videos on the frontpage. You can see the icon on the desktop and a EULA (feel free to try our Beta EULA Analyzer) presented below:

[Screenshot]

However, when you install it, IE opens automatically and you see this:

[Screenshot]

...a page of Zango videos, where you have to install various pieces of Adware from Zango in order to acquire the License to watch the video. However, these are not the "videos" mentioned on the frontpage; in fact, they don't seem to exist. And as far as "watching the videos on the frontpage" goes, installing Smart Browser serves no purpose whatsoever. Our research database records the following:

The SmartBrowser is controlled by smart-browser.com. In our studies it changes the default home page. It opens pop-up pornographic advertising. Examples included extremelybabes.com and extremelyamateurs.com, and redirects attempted access of other pornographic sites to these sites instead. (Caution: these sites may attempt to load premium-rate dialers.)

EULA Analysis demonstrates some notable and alarming security risks:





What we have here is a clear example of Bait and Switch: luring you in with one offer, then denying you the desired item and presenting a "substitute" at the last moment. The difference here is that the webmaster also gets to install Smart Browser onto the PC in the process; I suppose you could call it a two for the price of one deal or a "bonus". Even if the end-user doesn't choose to download any Zango videos, they'll still be receiving pop-ups (and possibly premium rate dialers) via Smart Browser.

As I am (increasingly) fond of saying: if it looks too good to be true... it probably is.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research and Discovery: Chris Mannon, FSL Senior Threat Researcher
EULA Analysis: Wayne Porter, Senior Director of Greynets Research

You can read the full article here - a good summary of some of the problems faced by Social Networking sites as hackers and confidence tricksters move in on previously unsoiled ground. From the article:

Chris Boyd, director of Malware research at Facetime Security Labs, said sites such as MySpace and Orkut often felt like "gated communities" and made people feel more secure than they should.

"They might click something that outside of that community they would usually think twice about," he added.

It's good to note that sites such as Orkut and Myspace are reacting quickly to these issues - the question is, can they keep up with the bad guys?

More Myspace Misery


Check out this illuminating post by Brian Krebs on how anything up to a million Myspace users were exposed to Spyware. Myspace is having a pretty rough time of it lately, with Zango Adware, Flash-based redirects and XSS (cross site scripting) attacks running riot. I don't think anyone could have predicted this current explosion of attacks on Myspace, but this probably won't be the last time you see Myspace mentioned here. The hackers have picked up the scent of blood in the air...

Ben Edelman has some new spyware research about Vonage and some of the unsavory things going on. It is a long and technical read, but I recommend it (see the link to the video at the end, and the late entry on Vonage's behind-the-scenes action).

He covered several examples, but the one that caught my eye and I wanted to talk about was the use of ad injection.

Examples he covered in the article (the ad injection examples were set in bold in the original):

Spyware-Delivered Pop-Up Ads
Direct Revenue
Targetsaver - covering AOL
Targetsaver - covering a sexually-explicit site

Banner Injection Into Others' Properties
Fullcontext - ad injected into Google.com
Searchingbooth - ad injected into True.com
Searchingbooth - ad injected into eBay
DollarRevenue - replacing an ad within Boston.com

Spyware Delivered Banner Farms
Hula's Global-Store

Spyware Lead Acquisition
Direct Revenue - Vendare's Myphonebillsavings
Direct Revenue - NextClick's Phonebillsolution

It is worth noting that in the first three examples (Google, eBay, and True.com) the ads are injected above a site. DollarRevenue, however, injects its ads into a site, covering a banner placed by the site. For a site this means the person who bought the media might not be getting their fair share and the site owner is not getting paid.

But what does this mean for people, the netizens?

I was intrigued by this question and by what seems to be a relatively dead tactic coming back to life in the field. So I queried Ben for a discussion. In short, he wondered aloud whether banner injection might be "the next big thing." He told me that until this past month, he had only seen one spyware program injecting banner ads into others' sites: DeskWizz's SearchingBooth. But then this past month he found two more -- FullContext and DollarRevenue. That's a startling and rapid growth -- suggesting there may be more to come.

Ben also pointed out that these ad injectors benefit from the lack of transparency in banner ad syndication. At least affiliate merchants generally get to approve their partners one by one. (Most sophisticated merchants have long since disabled auto-approve.) But when advertisers buy banner ads, especially run-of-network / remnant / untargeted ads, they get very little visibility into where those ads appear. This is practically an invitation for placements in spyware injections and other unseemly locations.

In the past many users suspected they had spyware from all the annoying pop-ups, but like the Borg the dark forces adapt and change tactics (smaller footprints, random file names and MD5s, using rootkits), so I am not surprised if this new tactic enters the fray. I can envision it popping up on social networks like MySpace or non-hierarchical news sites like Digg.

Ad injection is very subtle, so people may not know it is going on, let alone that a program is doing it.

Take for instance an "anti-fraud screen" I found while tracing the money trails of a mass spam attack (still looking into that one) that was delivering malware and porn through deceptive SEO and encoded JavaScript injection. In this case, as I understand it so far, a company from Russia runs a private pay-per-click engine and, I believe, offers XML feeds and search results powered by syndicated results from various pay-per-click search engines. They dole out up to 75% or more to webmasters and pocket the rest.


[Screenshot]

While it is good that 7Search is periodically checking for problem syndication, I have to ask: why do you need the end user to police it? I would prefer them to keep the problems out at the gate.

What topic did you click? Straightforward, if you can remember. Why not log the topic?

Are you infected with spyware? How would they really know? That is how it got the moniker "spyware" in the first place. People didn't know how it got there, or someone else installed it, or any number of other situations.

Are you a part of a pay-to-surf program? Name them? Ouch. Not as if people getting paid are going to out anyone, or would they? Doesn't add up to me. Not to mention that incentivized search historically gives low yields for advertisers.

In closing, pay close attention to this video from Ben's research on the DollarRevenue ad injection. The easy-to-catch warning signs of spyware infection may indeed fade, meaning people will have to be all the more careful.

Watch a full video of what an ad injection looks like: Edelman's Video on Ad Injection. (Opens in a new window)

LATE ENTRY: Using the ever-so-handy insider status in the ad world, I have learned from more than one anonymous source that Vonage is putting on hold a number of their advertising deals. I am not sure if it is just with the companies Edelman cited in his research or how far this reaches yet. At any rate Vonage is reacting and getting serious in their response. This could be a pivotal moment in the spyware wars. You kill the spies by cutting out the well-funded brands sponsoring their existence.

Doing research is often a mind-wracking excursion, but it is great to learn the hard work pays off.

Our RTGuardian is designed for Enterprise protection, and Network Testing Labs calls the RTGuardian 'A World Class Internet Gateway'. The RTG specifically attacks the growing IM and P2P problem and can attack the spyware problem too. Thumbs up!

From the release:

RTG Detects 100 Percent of IM Protocols, 99 Percent of P2P Protocols and 96 Percent of Malware, Spyware and Adware, and Effectively Detects and Controls Skype

FOSTER CITY, Calif., July 18 /PRNewswire/ -- FaceTime Communications, the leading provider of solutions for securing and managing greynets, today announced that Network Testing Labs (Mobile, Ala.), the world's foremost independent security testing facility, has recognized the RTGuardian 500 with an "excellent" rating based on five key criteria: identifying and thwarting malware, ease of use, reports, installation and documentation.

Now back to more research...

If you use Myspace, you need to be extremely careful at the moment.

First we had Zango Adware being pushed from profiles encouraging other users to spread the same content.

Then, we had a "Myspace Toolbar".

Now, there is talk of an exploit that relies on redirects via Flash, meaning the hacker has complete control over your profile. You can see the ripples being made here on Digg - should be interesting to see if Myspace put out some kind of "official response" to this one as it's really caught fire. Of course, there have been exploits floating round Myspace for a long time...but as always, don't let familiarity breed contempt - here's a nasty example of what can go wrong for the non-cautious individual!

The issue of Blogspot URLs being redirected and used for exploits has been noted before. In this particular case we follow the evolution of sophisticated mass spamming of Google's Blogspot service URLs, coupled with other search engine spam techniques and trace the cascade of events that follow.

Overview: The "Simple Scenario"

1) Party unknown figures out how to optimize Blogspot pages to achieve high rankings in MSN portal Search Engine Results Pages (SERPS) for popular terms known as keywords, in particular keywords around World Cup coverage.

2) This person uses Google's Blogspot hosting. It has been noted before that Blogspot hosting allows users to insert JavaScript into the head of the HTML page, creating a vulnerable environment.

3) Party unknown implements a complex server-side, auto-rotation system on a domain hosted elsewhere.

4) Party unknown accomplishes "cloaking" the Blogspot URLs, hiding the auto-rotation system. The pages rank high in many MSN search results for targeted keywords.

5) Users conducting queries on MSN or users who arrive on the tainted blogspot URLs are redirected to various pages. In this particular example some sites display explicit pornographic content in addition to offering software downloads with a documented history of security risk.

The World Cup

This investigation into distribution and deception was kicked off by one of the world's biggest sporting events: the World Cup. We all have our favorite teams, and at FaceTime we want people to be able to follow their favorite teams and sports safely! The goal of our research was to investigate a popular sporting event and probe the Internet for attacks, social engineering, or any other malicious or deceptive activity centered around this event.

Flow Chart Sample of Events

[Flow chart image]
Deceptive Mass Spamming Distribution

Basic search engine analysis shows the "party unknown" appears to be using automated techniques to spam guest books and other web pages in order to create links to the domain. Because of the auto-rotation system the domain's homepage changes frequently and apparently randomly. For example, it often defaults to Google's own portal for India.

Search System Pollution

As we will show, the techniques used to taint MSN search rankings are based on an understanding of the MSN search algorithm. However, the primary deceptive tactics are carried out through obfuscated JavaScript injected into Google's Blogspot page headers. This is significant because this particular problem has been publicly noted before by researcher Ben Edelman.

WARNING TO USERS: DO NOT go searching for these sites unless you are a trained security researcher. There is a dynamic component to this operation which could lead to a hostile environment or unwanted content. In short: what you see is not what you may get.

Research: How Did This Happen?

While searching for the keyword "World Cup 2006" in the MSN search engine, our researcher clicked the first natural result, the result below the sponsored ads. This result appeared to be an innocent looking Blogspot URL, as the screenshot demonstrates.

Note on Search Engine Results:

Search engines use their own systems to determine the relevancy of a page for a keyword entered in the Search Box. Based on the search engine's algorithms the pages will be ranked and appear in the results. These results are often called SERPS or Search Engine Result Pages.

In crude theory the first result should be the most relevant to the keyword, the second result a somewhat less relevant page, etc. Numerous factors affect relevancy beyond the scope of this write-up. It is reasonable to expect people to believe they will find the most relevant pages on the first pages of the results. For this reason, in this study, we have placed emphasis on studying the first results returned in the SERPS.

[Screenshot]

How Did this Page Get to the Top?

In simple terms, by using "spam techniques." With JavaScript turned off in the browser the user would see a page like this:

[Screenshot: page viewed with JavaScript off]

Redirection and Misdirection Over Time

Upon some of the first checks of these URLs our researcher noted redirects to the following Russian web-site. By.ru is a common hosting company, and the "tkgroup" appears to be a student class blog.

[Screenshot]

At first glance it might seem this could be a student prank merely playing search engine tricks. However, after several days the same result redirected our researcher to a different website, which is now the "Adult DVD Download Network" IcooNet. The context and tone have now changed considerably. The tone is now commercial in intent but also pornographic. Users would have no way of knowing the site they were trying to reach would serve pornographic content if they relied on the title, text description and link displayed in the SERP.

[Screenshot]

In this example our search term was FIFA-related, so it would seem unreasonable to be offered an adult downloader. This is deceptive, and many users may find it offensive, especially since it is reasonable to expect young football fans would be searching for similar terms and will be guided by the domain name, title and description.

From a legal context this is significant: US CODE: Title 18, 2252B. Misleading domain names on the Internet, from law.cornell.edu.

In a final example, the redirection goes to a website which features pornographic galleries offering a program that is cited as a variant of Zlob.Media-Codec. It may go under different names. A EULA is presented if the user wants to access the deceptively advertised pornography. We have not placed a screenshot here because the images are simply too offensive for our blog standards, but we have retained screen capture documentation and video of the site.

The different variants of these programs have to be downloaded in order to play any of the movies on the web-site.

Note this particular search query was conducted from one of our labs in India, so other users and countries will likely get different results. In addition search results change frequently. For purposes of documentation, we have included packet logs from query to destination as well as install of software.

Query Sample 1: Term FIFA+World+Cup+2006 .txt file

Query Sample 2: Term FIFA+World+Cup+2006 .txt file

We Just Wanted the World Cup

In the sample query illustrated by the packet logs above our researcher, searching for "FIFA World Cup 2006", finds a tainted Blogspot site and clicks through. The log documents the various redirects, which end with the researcher arriving on a pornographic website where he was offered, and accepted, programs with well documented problematic behavior.

The initial MSN results showed 3 out of 10 results from Blogspot which display the obfuscated JavaScript and re-direction system. Users rely on search engines to deliver them high quality and relevant results. Since the domain names contain football (soccer to U.S. readers) related terms, titles and descriptions it is reasonable the user will feel confident to click-thru.

In a system such as this any number of attacks could be launched, and depending on the degree of sophistication of the attack or skill in social engineering, the results could be quite harmful. The screenshot below shows the tainted Blogspot URLs at MSN in the top ten results.

[Screenshot]

Past History of Problems

It should be noted that while we were unable to document any exploit behavior with the software from the pornographic content page, it has a well documented history of problematic behavior from numerous third party sources. It is usually classified as a "trojan". Reference: Sunbelt on Zlob.Media-Codec, and Super AdBlocker on xpassman-v3, for example.

EULA Red Flags

In this particular case EULAs were presented with the software product(s) needed to access the content deceptively advertised by the unknown party. EULA analysis shows that additional security software will be added, updates can be made, and the home page will be changed, among other items.

See one EULA Analysis Sample

By accepting it the user grants the software rights to install additional components on the machine. These components or updates may not have cleared appropriate security hygiene processes. In addition no warranty on performance of the software is given.

Also notable: our automated readability analysis of the EULAs displayed shows that reading skills above the twelfth-grade level are needed to understand the document, based on several readability batteries.

Flesch Grade: Beyond Twelfth Grade reading level
Automated Readability Index: Beyond Twelfth Grade reading level
Coleman-Liau Index: Beyond Twelfth Grade reading level
Gunning-Fog Index: Beyond Twelfth Grade reading level
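As an added illustration of what the readability batteries listed above compute (this is not the authors' automated tool), the following Python applies the published Flesch-Kincaid grade, Automated Readability Index, Coleman-Liau and Gunning Fog formulas to a constructed EULA-style clause and, for contrast, a plain passage. The syllable counter is a simple vowel-group heuristic, so its grades are approximate; the sample sentences are made up for the example and are not taken from any real EULA.

```python
import re

VOWEL_GROUP_RE = re.compile(r"[aeiouy]+")
WORD_RE = re.compile(r"[A-Za-z0-9']+")
SENTENCE_SPLIT_RE = re.compile(r"[.!?]+")

# Constructed samples (not real EULA text): one dense licence-style clause and
# one plain passage so the two ends of the scale can be compared.
EULA_SAMPLE = ("By accepting this agreement the licensee authorizes the licensor to install "
               "additional components and periodic updates without further notification and "
               "acknowledges that the software is provided without warranty of performance or "
               "merchantability.")
SIMPLE_SAMPLE = "The game is on. We won the cup. Fans sang all night."


def count_syllables(word):
    """Heuristic: count vowel groups, drop a trailing silent 'e' (but keep '-le'/'-ee'), minimum 1."""
    w = word.lower()
    groups = len(VOWEL_GROUP_RE.findall(w))
    if w.endswith("e") and not w.endswith(("le", "ee")) and groups > 1:
        groups -= 1
    return max(groups, 1)


def text_stats(text):
    """Raw counts the four formulas are built from."""
    words = WORD_RE.findall(text)
    sentences = [s for s in SENTENCE_SPLIT_RE.split(text) if s.strip()]
    syllables = [count_syllables(w) for w in words]
    return {
        "words": len(words),
        "sentences": len(sentences),
        "syllables": sum(syllables),
        "complex_words": sum(1 for n in syllables if n >= 3),  # Gunning Fog's "hard" words
        "letters": sum(ch.isalpha() for ch in text),            # Coleman-Liau counts letters only
        "characters": sum(ch.isalnum() for ch in text),         # ARI counts letters and digits
    }


def readability(text):
    """Grade-level estimates from the published formulas; empty dict if there is nothing to score."""
    st = text_stats(text)
    W, S = st["words"], st["sentences"]
    if W == 0 or S == 0:
        return {}
    wps = W / S  # words per sentence
    return {
        "flesch_kincaid_grade": 0.39 * wps + 11.8 * st["syllables"] / W - 15.59,
        "automated_readability_index": 4.71 * st["characters"] / W + 0.5 * wps - 21.43,
        "coleman_liau_index": 0.0588 * (100 * st["letters"] / W) - 0.296 * (100 * S / W) - 15.8,
        "gunning_fog_index": 0.4 * (wps + 100 * st["complex_words"] / W),
    }


def beyond_twelfth_grade(text):
    """True when every battery puts the text above a twelfth-grade reading level."""
    scores = readability(text)
    return bool(scores) and all(grade > 12 for grade in scores.values())


if __name__ == "__main__":
    for label, sample in (("EULA clause", EULA_SAMPLE), ("plain passage", SIMPLE_SAMPLE)):
        print(label, {k: round(v, 1) for k, v in readability(sample).items()},
              "beyond 12th grade:", beyond_twelfth_grade(sample))
```

Long single-sentence clauses packed with polysyllabic words drive all four indices up, which is exactly the shape of the EULAs described above; a one-line heuristic like this is enough to flag a licence for closer reading, though not to judge it precisely.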

Technical Background: How Did Blogspot Do This?

The attack is quite subtle. Put simply it uses obfuscated or "garbled" JavaScript.

Inspecting the source code of the blog entry, we noted a script calling a function named decode(). There was no simple redirection code visible in the page source at first glance; all we saw was what looked like random numbers stored as a string. The function name itself, decode, was the hint to decode the whole function. Let us take a look at the original source code:

[Screenshot: original page source]

Now let us examine the screenshot of the "decoded" code:

[Screenshot: the decoded JavaScript]

Explanation of Code:
The code says if the blog is referred by any of the following major search engines:


Then it will open the URL http://www.toptravel10.com/search.php?aid=<*****>&q=World+Cup, which calls the redirection system into action. Therefore, the writer of this code is actively looking to intercept search traffic and move it somewhere else, and is doing so with obvious intent.

However, if the Blogspot address is simply pasted or typed into the address bar of the IE browser, it redirects to the MSN search results for the keyword "World Cup 2006". As we know from the search result screen capture above, 3 out of the first 10 MSN natural search results could most likely be the same kind of tainted Blogspot entries. Clicking any of those entries will again redirect to the same system. This puts the user into a dangerous cycle. We qualify "most likely" because the top ten entries can and do change dynamically, beyond the control of users.
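To show what a defender can do with the pattern just described, here is an added example (our own illustration, not the researchers' tooling and not code from the tainted pages): a small static scanner that pulls long numeric strings out of script blocks, decodes them as character codes, and flags the combination of a document.referrer check, search engine names and a redirect. The character-code encoding is an assumption, since the write-up only says the numbers were stored as a string; the sample page, the search engine list and the mediator.example / search.example hosts are constructed placeholders.

```python
import re
import string

# Constructed sample modelled on the tainted Blogspot pages described above: the
# real logic is stored as comma-separated decimal character codes, and decode()
# turns it back into JavaScript. Hosts are placeholders, not the real mediator.
HIDDEN_JS = (
    'if(/google|msn|yahoo/i.test(document.referrer)){'
    'location.href="http://mediator.example/search.php?aid=PLACEHOLDER&q=World+Cup";'
    '}else{location.href="http://search.example/results.aspx?q=World+Cup+2006";}'
)
ENCODED = ",".join(str(ord(ch)) for ch in HIDDEN_JS)

TAINTED_PAGE = """<html><head><title>World Cup 2006 Football</title>
<script type="text/javascript">
var s="@@CODES@@";
function decode(x){var o="",a=x.split(",");for(var i=0;i<a.length;i++){o+=String.fromCharCode(a[i]);}return o;}
eval(decode(s));
</script></head><body><p>World Cup 2006 fixtures and results</p></body></html>
""".replace("@@CODES@@", ENCODED)

# Constructed benign page with an ordinary script, for comparison.
CLEAN_PAGE = """<html><head><title>World Cup 2006 Football</title>
<script type="text/javascript">var year=2006;document.title="World Cup "+year;</script>
</head><body><p>World Cup 2006 fixtures and results</p></body></html>
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# A quoted string that is nothing but digits and separators, long enough to hide code.
NUMERIC_STRING_RE = re.compile(r"""["']([0-9][0-9,;\s|]{40,})["']""")
REFERRER_RE = re.compile(r"document\.referrer", re.I)
REDIRECT_RE = re.compile(r"(?:location\.(?:href|replace|assign)|window\.open|document\.location)", re.I)
# Assumed engine names; the write-up does not reproduce the list the script checked.
SEARCH_ENGINES = ("google", "msn", "yahoo", "live.com", "ask.com")


def decode_candidates(digits):
    """Possible plaintexts for a digit string: delimiter-separated codes first,
    then fixed-width 2- and 3-digit runs when no delimiters are present."""
    out = []
    tokens = re.findall(r"\d+", digits)
    if len(tokens) > 1:
        out.append("".join(chr(int(t)) for t in tokens if int(t) < 0x110000))
    else:
        raw = tokens[0] if tokens else ""
        for width in (2, 3):
            chunks = [raw[i:i + width] for i in range(0, len(raw) - len(raw) % width, width)]
            out.append("".join(chr(int(c)) for c in chunks))
    printable = set(string.printable)  # keep only candidates that look like text
    return [c for c in out if c and sum(ch in printable for ch in c) / len(c) > 0.95]


def analyze_page(html):
    """Static check for referrer cloaking: hidden code that inspects the referrer
    for search engine names and then redirects. Returns the evidence found."""
    findings = {"decoded_payloads": [], "referrer_check": False,
                "redirect": False, "search_engine_terms": []}
    for script in SCRIPT_RE.findall(html):
        texts = [script]
        for digits in NUMERIC_STRING_RE.findall(script):
            decoded = decode_candidates(digits)
            findings["decoded_payloads"].extend(decoded)
            texts.extend(decoded)
        for text in texts:
            if REFERRER_RE.search(text):
                findings["referrer_check"] = True
            if REDIRECT_RE.search(text):
                findings["redirect"] = True
            low = text.lower()
            for engine in SEARCH_ENGINES:
                if engine in low and engine not in findings["search_engine_terms"]:
                    findings["search_engine_terms"].append(engine)
    if findings["referrer_check"] and findings["redirect"] and findings["search_engine_terms"]:
        findings["verdict"] = "search-referrer cloaking"
    elif findings["decoded_payloads"]:
        findings["verdict"] = "obfuscated script, review manually"
    else:
        findings["verdict"] = "no cloaking indicators"
    return findings


if __name__ == "__main__":
    for label, page in (("tainted", TAINTED_PAGE), ("clean", CLEAN_PAGE)):
        print(label, analyze_page(page)["verdict"])
```

The point of decoding rather than just flagging the numeric string is that the verdict rests on what the script does (referrer test plus redirect) and not merely on how it looks; a page that only obfuscates is reported for manual review instead of being called cloaking outright.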

Controlling the Deceit

In this case there is no need to change the source code of the page, because the operator of the toptravel10 domain has set up a complex server-side auto-rotation system of unknown make-up. The tainted Blogspot URLs use the URL http://www.toptravel10.com/search.php?aid=56340&q=World+Cup as a mediator. The Blogspot URLs open this page when called. At this point the toptravel10 domain's system decides where the user is redirected. The mediator remains constant but links to different URLs over a given period of time. In this entry the researcher was first referred to a Russian website, then to ICOONet (Adult DVD Downloader), and now the mediator links to VideoGalleries, which in turn offers adult-oriented software.

It is also notable the ownership information for the toptravel10.com domain is cloaked through a proxy registration service.

Why Use Blogspot?

Blogspot has been the target for similar attacks in the past. Researcher Ben Edelman's concern about Blogspot will help us understand why this case is important. From his article:

"...Numerous blogs hosted at Google's Blogspot service contain JavaScript that tries to trick users into installing unneeded software..."

In this instance the obfuscated JavaScript not only impacts the quality of search engine results it also acts as a more complex line of redirects to distance the designer from the scene.

Why MSN Search?

As researchers, we might ask: "Why would someone target the MSN search system?"

The logical reasons would probably be that most Windows-based operating systems redirect to MSN Search by default, and/or that the orchestrator had some mastery at gaming the Microsoft ranking algorithm.

Examples of tainted URLs are:


(Note: After contacting Google last week- these are now offline!)

Are There More?

Yes. One such instance was found for the keyword "AIRLINE TICKETS".

These blog URLs may also be redirected to the same pornographic galleries, again depending on the system of rotation.

The following blog URLs were found for the keyword "AIRLINE TICKETS":


Conclusion and Final Notes:

A solution was already offered by Ben Edelman:

"...What should Google do? Google already disallows JavaScript within Blogspot.com posts. Apparently Google considers embedded JavaScript too risky -- too likely to trick, deceive, or otherwise take advantage of users. But Google oddly allows JavaScript to be added to Blogspot headers and navigation bars. This decision should be reversed..."

In terms of football (soccer) this is the equivalent of a "Yellow Card".

We must add the following caution and warning on the tactical approach.

In this particular case the unknown party used some technological sophistication coupled with knowledge of world events, search engine algorithms and planning. However, the party used poor targeting.

Let us explore a "what if" scenario...

What if the same system, using football (soccer) keywords, were used to trick a user into opening a page that asked them to view 'World Cup Bloopers' or 'World Cup Highlights', or lured users with a fake video of a 'disputed call' or 'insider interview' cobbled together from pirated footage? The user, now contextually targeted, would probably click, and any number of hostile scenarios could be played out. The attack would be limited only by the creativity and motivation of the operator.

To use our football analogy again- this is a "Red Card".

LATE ADDITION: We have contacted Google about our concerns pointing out the problem around the World Cup spam and they reacted rapidly. Initial research seems to show they scoured Blogspot and removed the tainted URLs so World Cup fans wouldn't fall into this trap during the championship weekend. However, the root of the problem still remains. What to do about the JavaScript? Ultimately that is a problem Google will have to solve.

The problem has been pointed out before- history should be the teacher.

Blog Summary Write-Up: Wayne Porter, Sr. Dir. Greynets Research
Technical Research: Peter Jayaraj, FSL Threat Researcher

Yep, it's Yap time again. The Yap (of course) being Yapbrowser - a free web-browser that served up a whole lot more than end-users were probably bargaining for. Just when you think there's nothing more to write about, something else pops up and gets the whole story moving again. In this case, a tip from RinCe illustrates that there are some people who will still take a gamble on one of the strangest browser stories in years. Step up to the plate, Searchwebme (you'll need to scroll down to the entry dated Tuesday, 12th June):

"More recently the browser itself has been in trouble. We are well aware of Yapbrowser's application history but this is all in the past, this is why we're pleased YapBrowser has decided to partner with us, SearchWebMe. We can assure you that the new YapBrowser download does not contain any hidden software, spy-ware, ad-ware or any harmful applications. We will be regularly checking the software and updating."

They link to both Wayne Porter's Interview with a Yapbrowser Representative, and a post from the Sunbelt Blog. Searchwebme appear to be a new(ish) Search Engine, with various portals and services on offer for both the casual surfer and the aspiring webmaster. It will be interesting to see how this particular partnership develops over the coming months. They appear to have been live for a few weeks now and there have been no reports of anything going wrong - we received this tip-off a few weeks ago, but didn't want them to feel like "Big Brother" was watching over them!

Could this finally be the end of what the Yapbrowser people would definitely consider their "bad luck run"?

Phishing is a form of criminal activity using social engineering or trickster techniques to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords. Some phishing has become so sophisticated that it no longer needs to steal information via the web, IM or e-mail, but instead lures users onto phone connections and captures the information there. (You call a number, they ask you to enter your account number and PIN, and voila: they capture the "tones" made by your telephone keypad input and your account is wide open to the scammer.)

We talked a while ago about the global phishing termination operation launched by CastleCops and Sunbelt Software. The volunteer PIRT Squad is comprised of folks who report phish, investigate phish, and actively work on phish takedown and termination (original concept by Robin Laudanski). PIRT is funded by CastleCops.

Our own Microsoft Security MVP, Chris Boyd, has been participating on the PIRT Squad over at CastleCops and some of the first results are in. CastleCops' operators, Robin and Paul Laudanski, have compiled the list of the top phished brands in May. Here the all-volunteer group of phishing terminators is having a real impact on phishing. Our own research team follows up on many of these phish sites and notes that many are offline quickly! That is good news...but the battle is far from over. (Other "things" may lurk at the end of these phish attempts, but that is for another entry.)

So without further ado, the top brands phished in May. Pay special attention to how "pure Internet play" brands like PayPal and eBay are the most common targets.

May 2006 confirmed phish (brand plus total count for May):

PayPal - 520
eBay - 309
Bank of America - 37
Barclays - 36
Wells Fargo - 36
Chase - 33
WAMU - 28
HSBC - 20
MasterCard - 18
e-gold - 17
Nationwide - 17
Citi - 16
BancorpSouth - 14
Postbank.de - 12
Halifax - 11
NetBank - 11
Laredo Nat'l Bank - 10
Nat'l Australia Bank - 10
Western Union - 10
National Credit Union - 9

With this early report in mind we have to take into account that Google is now throwing their hat into the e-commerce ring with a service called "Google Checkout". The business implications of this move are very, very complicated and beyond the scope of this entry- although they are important to security researchers too. However, in terms of pure security research the proverbial writing is on the wall...Google and e-commerce will only attract scammers like bears to honey. How successful they will be will depend much on how Google implements the process, their anti-fraud features, and how educated people are on phishing in general.

I admit, especially in my talks and speeches with youngsters, I am quite dismayed at the lack of awareness on Internet safety. That is one area I, and our team, have been pondering.

One of the best forms of defense is very simply- "street smarts". For example, we teach children not to go into dark alleys late at night, actually most parents wouldn't let their children out in a city at night! Yet our digital highways can be dangerous too- often the mediums are treated differently. I plan more on this in the future.

For now, let us get back to Google Checkout.

Some of the features of Google Checkout include:

1) Google will store your complete shopping history. This is convenient of course, but remember if you lose access to that account- that history goes with you. This is no different than losing access via a hack to any e-mail account.

2) Google won't share your full credit card number, even with the merchants you buy from. This makes sense, since Google is doing the transaction on behalf of the merchant.

3) Google won't share your email address with merchants if you don't want them to. This is nice- you don't have to worry about getting lots of promotions via e-mail if you don't want.

4) Google will not spam you. Google pledges they will not spam you- great. They never have and I believe that is not in their plans.

5) You can store as many credit cards in Google Checkout as you want! That is where it starts to get a little bit risky.

Now, again, I am not being anti-Google, I am only being a realist. You have a pure play Internet brand, new to offering payment transaction processing to the public at large, prepared to do business en masse. If we look at recent history, like the PIRT report, it only stands to reason that Google, other privacy concerns aside, will experience their fair share of phishing attempts.

For now- use "street smarts". Be wary and be careful.

NOTE: If you are technically adept at handling phishing attempts and want to help by joining the PIRT Squad you can join the team here, if you simply want to report a phishing attempt you can do so by clicking here.
