March 2007 Archives

Thanks to Greg D. Feezel, CISSP, Founder and Steering Committee Member of the Northeast Ohio Information Security Forum for sending this in.

A new vulnerability affecting animated cursor and icons in Windows that has been announced. No patch
exists for the vulnerability
and exploit code has been released and there are reports of some malware exploiting this problem. Furthermore, Microsoft has acknowledged the issue raising the potential for an increase in exploitation.

According to McAfee, IE version 6 and version 7 running on fully patched versions of Windows XP SP2 are vulnerable. Windows version 2000 SP4 and Server 2003 (non & SP1) are also reportedly vulnerable. Vista is also
reported to be vulnerable but only witnessed as a denial-of-service at this point.

Computers can be infected by simply visiting a website containing a malicious .ANI file or HTML email message with one placed on it. In the past, malicious websites have used this type of vulnerability to silently install malware onto an unsuspecting visitor. These are also known as "drive-by" installs.

Suggested Actions:

Enable a firewall
Keep receiving software updates from Microsoft
Install anti-virus and anti-spyware software- ensure they are updated.
Use extreme caution when you accept file transfers from both known and unknown sources.

For More Reading:

See Microsoft Advisory

Avert Labs Blog
Avert Labs Blog

There's a long line of browsers that have completely failed to enhance end-users security and peace of mind on the web. Yapbrowser, which redirected you to illegal porn with the click of a button; The "Safety Browser", which was anything but safe and arrived in the form of an Instant Messaging hijack; Browsezilla, which allegedly increased the hitcount for various adult websites; and now, fresh out of the blocks, NetBrowserPro.

For some reason, the majority of these browsers want to convince you of their focus on security. Look at Yapbrowsers resurrection, where they laid claim to a 100% "guarantee" that no malicious code would enter your system while using the browser. Or Safety Browser, which had popups enabled by default and hijacked your IE Start Page.

NetBrowserPro (whose website actually shares the same IP address as Browsezilla - 216.255.178.220) follows this noble tradition, with the bold claim that:

"NetBrowserPro is the internet browser which aimed to the one thing - help you to watch porn.
Secure, confidential, quick and free.

Secure? Sure it is! About half of all "free porn sites" tries to install trojan or adware program to your computer in some way. According to the researches Internet Explorer was vulnerable to intrusions during 284 days of the last year!. You could always use other browser, like, for instance, Firefox, but it was vulnerable as well, however, during less than 56 days. Some people use antiviruses, but in practice antiviruses databases are being updated less frequently than the virus-makers release new viruses. However, all vulnerabilities are quite similar and do have similar methods of penetration. These methods use browsers' built-in features. In common life you do need such features to visit simple online shops, banks and other sites, but you don't need these features when you surf porn. NetBrowserPro uses only features, which are necessary to surf porn, it switch everything except this off. So there is absolutely no gap for the virus."

Well, there's probably no "gap for the virus" because according to Rootkit Revealer it comes with its very own rootkit!

http://blog.spywareguide.com/upload/2007/03/netbpro1-thumb.jpg
Click to Enlarge

How does this all begin? With a download of something called "121.exe" from the NetBrowserPro website, assuming you liked the sound of the product enough to download it in the first place:

http://blog.spywareguide.com/upload/2007/03/netbpro2-thumb.jpg
Click to Enlarge

Once downloaded, if the user runs the file they'll be faced with the following box containing the kind of EULA that I refer to as a "free for all" - because they effectively want you to agree to them updating pretty much whatever they want, whenever they want without having to notify you. Again, note the reference to "security":

http://blog.spywareguide.com/upload/2007/03/netbpro3-thumb.jpg
Click to Enlarge

It seems "security" is equated with the removal of choice and forcing you to accept their definition of what security might entail - take it or leave it, effectively. But how do we know they've made the right choices with regards their "browser security"? Of course, the answer is we don't.

Once you click through, a site called Codecaddon.com ("Codec Add-on") is contacted, and you are shown a EULA for something called MovieCommander:

http://blog.spywareguide.com/upload/2007/03/netbpro4-thumb.jpg
Click to Enlarge

Wondering what it is? Well, the Codecaddon.com website is a big clue. Look at the graphics and site layout below:

http://blog.spywareguide.com/upload/2007/03/netbpro9-thumb.jpg
Click to Enlarge

....and compare and contrast with the second site listed on this writeup from Sunbelt Software. As you can see, the site is a carbon copy of TVCodec.com. These are known as "fake codecs", and installing them is a very bad idea. Interestingly, many of the sites on the same IP address as both NetBrowserPro and Browsezilla are porn galleries that prompt you to install fake codecs to view their content.

Once everything is installed, the browser will autostart on your desktop. Before we get to the browser itself, look at the logo:

netbpro6.jpg

...seem familiar? It should, because it's almost identical to the Netscape Navigator logo. Indeed, the font used for the N appears to be identical to the Netscape one. We've seen "alternative" browsers use logos that are similar to more familiar browsers before (the Safety Browser did a poor imitation of the Internet Explorer logo, for example). The reason for this similarity can be anything from a lack of creativity on the part of the graphic designer to (in more malign cases) a desire to fool the user that it's somehow related to the more mainstream brand.

Of course, it could just be one huge coincidence.

At this point, we can finally take a look at the browser:

http://blog.spywareguide.com/upload/2007/03/netbpro5-thumb.jpg
Click to Enlarge

Note the (limited) options at the top include the ability to turn images on and off, add links and "boss", which presumably is a panic button for when you're in the workplace. I'm not entirely sure who would be using this in any sort of workplace, but at any rate, that's about all you can do with this thing. With regards your saved bookmarks, the NetBrowserPro website states:

"Moreover, all bookmarks are being kept on the remote server, which excludes the opportunity of viewing them, even with the full access to the computer."

We have absolutely no information about their "remote server", its security, what they do with the stored information or anything else. Does this sound "secure" to you? However, worse is to come. NetBrowserPro lets you click into apparently random galleries of porn that are hosted elsewhere. Sadly, many of the links clicked take the user to the kind of redirect sites that contain nothing but hundreds of images of all sorts of random pornography. Anyone that's been caught in a porn trap will know the kind of pages I'm describing. Well, though most of these redirects serve up "regular" porn, one or two took me to sites that contained what I can only describe as a couple of "dubious looking" models. While they may well be of legal age, the fact that an initial reaction to these images was "how old?" is never a particularly good indicator of the overall content of those sites, or indeed what they link to. As the sites served up by the browser seem to be randomly selected each time you fire it up, there's no real way to know what you're going to get, and that's a surefire way to have your product dropped off a cliff in a hurry. Can the people behind NetBrowserPro absolutely guarantee that none of the redirects won't take you to something you'd rather not see? That all of the people serving up the content they link to are 100% legitimate? I don't see how that's physically possible and because of this random element of chance, of having to put blind faith in a product that apparently uses rootkit / fake codec technology....I'd advise end-users not to install and run this program.

Sadly, yet another browser joins Yap, Safety and BrowseZilla in the naughty corner...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

StatCounter Say No...

| | Comments (1)

A long time ago, I signed up to the StatCounter service, though I don't think I ever used it. Well, sometimes I still get email based newsletters and this particular one happened to catch my eye....

Folks,

A few months back, StatCounter was approached by an advertiser, offered lots of $$$, and asked to include a spyware cookie on all of our member sites?we refused on the spot.

You install StatCounter to track visitors to your site NOT to open yourself and your visitors up to being spied upon by phantom advertising corporations.

It appears, however, that other players in the world of webstats were happy to take up this offer...

Full text can be seen on their blog entry here. However, what really caught my eye was this entry in the comments:

Psst, I know the counter that took the cookie offer and big thumbs down. I visit a site that has it and has the upgraded version which costs them over $20 a month and to add insult to injury they now have the cookie which also tries to redirect them to a strange website - that is when the website LOADS. It gets worse because their site is tied in to a web designer who now charges them to remove the counter code which holds the cookie.

That doesn't sound particularly appealing, does it?

The 59 Top Influencers in IT Security

We had the great fortune of having two members of Facetime's research team named on ITSecurity.com's Top Influencers in IT Security list. It is truly a highpoint to be recognized on the same page as security influentials like Amrit Williams, Alan Shimel, Richard Stiennon, Dr. Anton Chuvakin, and Bruce Schneier to name only a few.


The 59 Top Influencers in IT Security
Our list of the most influential security experts of 2007 - from corporate tech officers and government security types, to white hat hackers and bloggers.


You can see the full list here.

The Legendary Paperghost

Our own Chris Boyd, director of malware research, who also pens the "kung-fu style"- VitalSecurity.org is certainly deserving of this honor. Chris contributes not only here, but indy style at VitalSecurity.org- putting in countless hours to track down the story, frame it so that others can understand the nature of the threat and to make security interesting for everyone in a flair that is completely unique. That was one of the goals we set when we started blogging many, many months ago. To help communicate the story about online security and greynets in a human fashion- in a "real" fashion that we hoped would resonate, educate and interest people from all walks of life.

Team Honor

I was placed on the list for this blog by name, and being a blog veteran of several years, I help lead up the efforts. However, it must be clarified this is a team blog- an ongoing work of collaboration. You may often see my name heading entries or included in research and more frequently see Mr. Boyd's moniker (Paperghost), but there are many others that contribute in many different ways- often quietly and behind the scenes.

We try to recognize individuals in entries when they wish to be recognized (some actually do not) because it takes the hard work of a concerted team, working in unison, to go traveling to some of the places we must go and to face off with some of the situations we encounter. Often these people behind the scenes don't receive the public accolades they deserve or broad recognition. These are people who often pursue a lead on their own, run an ethereal trace, help gather the pieces of a complex puzzle, run extra forensics, or simply ask the right questions.

Sometimes just asking the right questions can lead to big breakthroughs.

With that in mind I am happy The Greynets Blog is recognized as an influential force in IT Security. I am happy we have had the support of our executive staff who believed the effort was worthwhile, and granted us the freedom and trust to message in our own voice and style and from where we chose. It has been exciting, tiring and much like a rollercoaster at times. However, one could not ask for a more dedicated team of individuals and diverse voices. Most importantly thanks to the readers, volunteers and colleagues who work with us day-in-day-out, to put the heat on the streets and get the message out...

Be vigilant, be smart, and travel with care.

http://blog.spywareguide.com/upload/2007/03/spamlol1-thumb.jpg
Click Image to Enlarge

....any takers? I think someone needs to hire a proof reader...

This coverage from colleague, Anne. P. Mitchess, Esq., President of the Institute for Spam and Internet Public Policy (ISIPP) on the Melanie McGuire and Google search case caught my eye. It was a matter of time before search histories come back to haunt...and this leaves me further worried about the insecure state of PCs and malware's ability to upload "at-will" into infected PCs. Think "extortionware"- we covered the concept at RSA Conference 2007.

Anne writes...


Melanie McGuire is currently on trial for the murder of her husband, William McGuire. And while many people now know that your Google and other search engine searches can be discovered, apparently back in 2004, Melanie McGuire did not. For among the searches that the prosecution has found on her computers - searches which she conducted on the days leading up to the murder - were searches for "instant poisons", "undetectable poisons", and "fatal digoxin doses." And while those alone don't necessarily prove intent, another search, "how to commit murder" is pretty unambiguous.

But the crown search in the state?s case against Melanie McGuire may be that Melanie also performed searches about gun laws in New Jersey and Pennsylvania. William McGuire was indeed murdered with a gun which, the state claims, Melanie purchased in Pennsylvania.

O.K. so far it doesn't look good for Melanie McGuire. We talk about "greynets" and how different tools, even a simple web browser, carry different degrees of risk based on their use, the user's purpose and intent, and the environment in which the software is deployed and even the security of the hardware and facility too. This case involves Google search queries to help build a case.

It gets more interesting...


Also relevant is the fact that the day before the murder, the state says, Melanie?s computer shows that she searched for a Walgreens pharmacy near to her. A pharmacist at that Walgreens has testified that on the day before the murder she filled a prescription for an as yet unidentified woman with a prescription written for ?Tiffany Bain?, for a rarely ordered but known narcotic. The prescription, for chloral hydrate, was written by Doctor Bradley Miller - a doctor at the office where Melanie McGuire worked at the time. Dr. Bradley Miller, the doctor with whom Melanie was having an affair at the time that William McGuire was murdered

That is true, chloral hydrate (a Class IV hypnotic) is rarely used these days, but still not unheard of during my days in medicine a few years ago. At any rate the circumstantial evidence is starting to pile up. You can read more at The Internet Patrol... but of particular interest was a comment by a reader- Jack Stock who pens:

As a writer, I can see myself asking these same questions of Google?how to commit a murder, the most efficient poisons, etc. And that doesn?t mean that I was planning a murder?except in a fictional story. Murder, he wrote.

There a number of factors to consider here- let's us start with just four questions for starters:

- Who physically had access to the computer?

- What other data was found on the PC?

- Was the PC compromised in any way?

- Is there any other evidence beyond stored search queries?

No matter how obvious or open-shut a case it seems, faulty computer forensic assumptions are dangerous. We certainly don't want to see something like the Julie Amero case happen. You can read a summary and full transcripts here and decide for yourself.

We are in a new era, where your digital footprints, whether you made them out of innocent research, or even if someone else made them for you- can and probably will be used against you.

Check out this piece over at ITWeek. I offer up a few thoughts on the current craze for Chinese Adware and Malware - more and more, this stuff is starting to spread outside the confines of China itself and out into the West. There's a near limitless supply of these infections at the moment, and while a lot of it is throwaway rubbish (or older, rehashed files) some of the more advanced specimens are doing pretty clever things and proving extremely hard to remove in the process....

Our CEO, Kailash Ambwani talks on the greynets concept and how the majority of internet traffic has evolved from http to communicative application traffic. Ambwani discussed how enterprises are adopting greynets, how this increases security liabilities, and how FaceTime security products enable and secure greynets. Remember, Facetime is about enablement and controlling these innovations inside of the Enteprise. Why? Because customers are demanding to communicate this way, and often an organization's most sophisticated users- the forward thinkers and innovators willl bring them into the network because they realize their value, but sometimes forget about the security and regulatory risks involved.

Here is part one and I would note to pay particular attention to how anonymizers, like Rodi and / or Tor, can be used to bypass typical forms of defense. Naturally, and Kailash acknowledges this, products like Tor (designed by the EFF), can be used as anti-censorship tools, especially in countries where this is a problem.

However they can be a disaster, a potential legal nightmare for large enterprises and I.T. administrators to manage. Kailash goes on to note how malware is now profit driven...in his limited time he didn't get to explore the use of widgets, (often thin-Ajax clients) or the stripping of content using browser-powered tools allowing the the propagation of content like video across the Enteprise. This can also be problematic given attacks like Windows Meta Frame exploits or exposure to inappropriate content.

In part two Kailash goes on to discuss how Facetime addresses the issues. Once again the focus is on enablement and control. The Internet is changing and we all must change with it.

Del.icio.us Tags: , , , , , , , , , , , , , , , , , , , , ,

Technorati Tags: , , , , , , , , , , , , , , , , , , , , ,

Here's an interesting one from the database - a colleague of mine came across this a few weeks ago and now here we are, about to plunge into the depths of some more Chinese-related Malware. This time round, there's a little twist thrown in for good measure - East meets West, if you will.

We begin our journey with a Trojan called Symfly - from this file, another payload (sna.exe) was installed and during this process, something called Install7.exe was eventually brought kicking and screaming into the world. Already, we're dealing with a file three notches down a daisy-chain, which will likely give you an idea of the complexity behind this particular hijack. From close examination of the inner workings of the files involved, we can eventually determine that a site called Renwu is at the heart of the action - to the casual observer, you'd think there was nothing to see. However, the login prompt is a sure sign there's something going on. After the Install7 file has executed, a file called Demnsvr.exe is dumped into your Windows directory. Sometimes the install fails at this point - if it works, you'll know for sure because (along with some .dll files, a service and a BHO for Internet Explorer) it deposits a log file on your desktop which is kind of a giveaway:

install7exe2.jpg

At this point, an "updater" section on the Renwu site creates Adcheat and Historyclear on the infected PC. I couldn't decide if history clear was protecting my privacy or offering me a bite to eat, and Adcheat (seemingly) wants to make a call to Australia:

install7exe15.jpg

..however, this is actually a server in China, and has apparently been flagged for matters relating to Spam in the past. Of course, it comes as no shock to discover the Renwu site is tied to this server; less so, the other domains listed on it. Bill Gates is a Registrar for this website? Wow! Even better, check out this guy - Mr Drgd Drgdrgr!

With a background like that, no wonder those spam databases have issues with this box!

Eventually, we come to the next oddity of this install.....the Alexa Toolbar, installed without consent via FTP:

http://blog.spywareguide.com/upload/2007/03/install7exe5-thumb.jpg
Click Image to Enlarge

Note the popup asking you to install a Chinese Language Pack.

What happened to the installer prompt / EULA, I hear you cry? Well, a box appears all-too-briefly in the middle of the screen - not exactly brimming with content, but then considering it's only on your screen for about half a second I can't say I'm too surprised. It took me long enough getting that screenshot. At time of writing, the Alexa Toolbar is no longer installing, but as you can see here, the file is still on the server and could easily be re-activated (it's been up and down a few time so far already). It's worth noting that when this file is installed, the desktop has a tendency to become unusable and only a reboot will cure it.

I've mentioned in the past that attempting to tackle Adware and Spyware from China is a whole new world of exploration, because of the difficulties involved in ascertaining the who, what, when, where and why of a case. Here again, we have the same difficulty. Seemingly random websites are called out to - why? Who runs them? Are they legit? Who do you contact? Could they be innocent parties, hosting backdoored files? Or are they just sites the Malware creator likes to visit in his spare time? Here's a sample selection of some of the sites called out to when the initial infection file runs and begins the process of calling down the individual files. Note - none of the below sites actually carry any of the payloads...

http://blog.spywareguide.com/upload/2007/03/install7exe6-thumb.jpg
Click Image to Enlarge
http://blog.spywareguide.com/upload/2007/03/install7exe7-thumb.jpg
Click Image to Enlarge
http://blog.spywareguide.com/upload/2007/03/install7exe9-thumb.jpg
Click Image to Enlarge

....at this point, we need to tie it all together. Let's examine the Alexa Toolbar for a moment. It's Wikipedia time:

"The Alexa Toolbar, an application produced by Alexa Internet, is a Browser Helper Object for Internet Explorer on Microsoft Windows that is used by Alexa to measure website statistics."

...in other words, the Alexa figures for website rankings are based on the statistics generated by users who surf with the Alexa Toolbar installed.

Remember the Adcheat file I mentioned earlier? Well, after Adcheat has phoned home and HistoryClear.exe has wiped your cookie cache, the Alexa Toolbar is installed and a call is made to this site (note the two domains listed on the page). From there, a call is made to the below site (note the Alexa sub-domain Renwu.info is touting):

http://blog.spywareguide.com/upload/2007/03/hotrockrenwu-thumb.jpg
Click to Enlarge

This is apparently a redirect to a site called Hotrock.cn.

The question is, is this an incredibly over-elaborate attempt to artificially inflate the Alexa ranking of one (or more) of the sites listed above? If so, they're not having much luck with it. All three sites - Renwu, Hotrock and Aqclub are outside the top 100,000. An interesting tactic would have been to try and generate income via sponsored Amazon links - this is something we're still currently investigating, though it would make sense with regards installing the Alexa Toolbar in the first place. What is interesting is this graph comparing the traffic to the previously mentioned websites:

http://blog.spywareguide.com/upload/2007/03/3sites-thumb.jpg
Click to Enlarge

From about halfway through January (when these files first started showing up) up to the present day, both Hotrock and Aqclub have amazingly similar traffic patterns, right down to the way it rises and falls at certain points on the graph. Remember, both of these sites are mentioned on the Renwu page that's called once the Alexa Toolbar is force-installed.

Coincidence?

It'd have to be a pretty large one...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

If you use Wordpress for Blogging fun and games, make sure you pay attention to this notice. Quote time:

"Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately."

Continuing the current theme of virtual programs creating real-world issues, here's a newspaper having its distribution severely affected because of an infection crippling production equipment.

Must have been one heck of a virus...

Check out Marketscore and New.net. Not a spectacular score, threat wise - there's plenty of things out there with a bigger, badder bite. Yet in some strange way, both of these two have been tangled up in the Julie Amero case (according to the details filtering out from the ongoing case, they were both present on the infected PC spawning the popups) and she faces anything up to forty years in jail because of some fairly generic, otherwise harmless porn adverts.

My question is, do we need to start applying a "real world" danger ranking to Adware and Spyware? And if so, what other possible score could we give than the equivalent of "10 - Extremely Dangerous"? If any and all Adware can now be used to lever a situation where someone could face jail time, what other response could we have?

About this Archive

This page is an archive of entries from March 2007 listed from newest to oldest.

February 2007 is the previous archive.

April 2007 is the next archive.

Find recent content on the main index or look in the archives to find all content.