The SpywareGuide Greynets Blog

There are several ways modern spyware is infecting unsuspecting systems these days. The most common is still the method of bundling malware into trojans so that the user has as little to do with the installation process as possible. Downloader-ADV is a very large series of Trojan downloaders designed to cripple a machine with adware, password crackers, spyware, and other malware. One instance of Downloader-ADV, innocently named loader.exe, drops a pornography media player under the guise of a perfectly legitimate Windows codec. The name of this player is appropriately named, Pornoplayer.

Upon installing loader.exe, it will phone home to kozirodstwo.com. You may recognize this site for such infamous hits as PWS-Pinch and Agent-ECM. You are then directed to a pornography site called porn-party.net.

This site pushes on the user a seemingly legitimate codec from Microsoft.

This is actually an installer for Pornoplayer!

Other files are also installed along with the Downloader-ADV/Pornoplayer combo. Research also points to pornstar-photos.com installing another part of the Trojan downloader as well as being redirected to rones.porn-host.org. This site is a warehouse for pornography that installs ICOO products.

Posted by Chris Mannon at 11:18 AM | Permalink | Comments (0) | TrackBacks (1)

Over the weekend there was apparently an issue with the registration of Live ID accounts, which could allow nefarious characters to indulge in a spot of phishing. More here at CIO.com.

Posted by Paperghost at 08:45 AM | Permalink | Comments (0) | TrackBacks (0)

I'll be speaking on "The Internationalization of Spyware" at the upcoming ASC Conference in June. Agenda and speakers can be found here.

Posted by Paperghost at 07:16 AM | Permalink | Comments (0) | TrackBacks (0)

If you happened to open up certain profiles on Myspace these past few days, you'd have the misfortune of seeing the following appear in the middle of your screen:

Click to Enlarge

That's a vaguely scary thing to have appear on a Myspace profile, because you just know it's going to be pressed a ridiculous amount of times. Upon downloading the file, if the user runs it, when using Internet Explorer they'll see some of the below sights:

Click to Enlarge Click to Enlarge

Of course, no hijack like this would be complete without some fake Taskbar warnings, right?

If you click on either the popups or the hijacked IE banner you're taken to a site called Antispysolutions.com:

Click to Enlarge

Time for a quick detour. Here's some coverage of one of the programs, Spy Away, from March of this year. Have a look at the fake "detection" in the detections box - note that it simply says "Sistray.exe". Apparently the application and / or site vanished for a while. Well, fast forward to the present day and if you download and run the executable, you'll see a very interesting difference:

Click to Enlarge

...the application claims to "detect" 180 Solutions (Zango), along with a few other items. This is done by downloading some "dummy" files that the scanner then magically finds. The files themselves don't do anything as far as we can tell apart from sit there and feed the results of the scanner - of course, they aren't legitimate Zango executables. Here's a screenshot of some of the files deposited onto the PC:

Click to Enlarge

Myspace users would do well to give these so-called security applications a miss. This particular install works best on Windows 2000 - if the user is on XP, there's a good chance nothing will happen. Thanks to LoLo for the tipoff.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, FSL Threat Researcher

Posted by Paperghost at 01:49 PM | Permalink | Comments (0) | TrackBacks (0)