
The SpywareGuide Greynets Blog

July 31, 2007

  • Blog Hijackings Lead to Zlob, Rape Porn and Rogue Antispyware

Not too long ago, a number of blogs were apparently compromised and redirects were put in place to lead you to a rogue antispyware application called Malware Alarm. Well, it looks like whoever was behind it decided to ditch the idea of compromising blogs, settling instead for setting up hundreds of Spam Blogs, pasting in some Javascript and watching all Hell break loose.

All of the spam profiles seem to have been created in July, here's a short sample:

http://blog.spywareguide.com/upload/2007/07/splog1-thumb.jpg
http://blog.spywareguide.com/upload/2007/07/splog2-thumb.jpg
http://blog.spywareguide.com/upload/2007/07/splog3-thumb.jpg

If you visit one of the infected sites, you'll see the "real" blog page appear for a second or two:

http://blog.spywareguide.com/upload/2007/07/splogcontent-thumb.jpg

...and then you'll be redirected to content that could be classed as "undesirable", and that's being incredibly generous.

By searching on the code / URLs used in the hijack (and there are at least two sites performing redirects in combination with the Javascript employed by the bad guys), we can see that the grand total of Blogs carrying this hijack so far is...

numberofsites1.jpg

...ouch. So far, around 1694 Blogs are carrying this redirect, and there could well be other blogs out there not accounted for yet. At this point, you're probably wondering what kind of content you're redirected to, right? Well, the answer is not particularly pleasant for any number of reasons. Some of the Blogs will send you here:

http://blog.spywareguide.com/upload/2007/07/assault-thumb.jpg

"Teenage Assault", a hardcore rape site so extreme in its content that the only thing we can show you in the screenshot is the title on the main page. Presumably anyone crazy enough to sign up to the site and pay the joining fee will earn whoever is behind this some affiliate related cash.

The second stop is....

http://blog.spywareguide.com/upload/2007/07/zlob-thumb.jpg

Another spectacularly graphic page, this time a landing site for the ever-popular Zlob Trojans (which pose as Codecs needed to play pornographic content). There are many variations on these landing pages and the content is always a non-joy to behold.

Our final destination makes up the bulk of the redirects, and (as you might have guessed already) our finishing point is...

http://blog.spywareguide.com/upload/2007/07/malarm1-thumb.jpg

....Malware Alarm! If you fall for the fake YOUR PC IS DOOMED advertising, then you'll see the below scanner doing its job (telling you your PC is still doomed, unless you pay them money to "unlock" the scanner and remove all those horrible infections it claims you have):

http://blog.spywareguide.com/upload/2007/07/malarm2-thumb.jpg

Of course, if you don't pay up, then you can expect endless nag screens appearing in the middle of your screen like this:

http://blog.spywareguide.com/upload/2007/07/malarm3-thumb.jpg

For now, the easiest way to avoid this is to disable Javascript. We've notified Google, and as far as we can tell, they've already nuked every single example given above. As I mentioned earlier, there could well be other domains out there performing these redirects so a little vigilance may be called for over the next few weeks. Either way:

http://blog.spywareguide.com/upload/2007/08/blog404-thumb.jpg

....that's the best thing I've seen all day.
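The symptom described above (the real blog renders for a moment, then script sends the visitor off-site, with at least two third-party hosts involved in the redirect) can be checked for mechanically. The following Python scanner is an added example, not code from the post or from FaceTime: it parses a fetched page for inline location assignments, meta refreshes and externally sourced scripts, and reports any whose host differs from the blog's own. The sample page and all hostnames are constructed, and the list of redirect idioms is an assumption, since the post does not reproduce the injected Javascript.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-script idioms that send the browser somewhere else. Hypothetical list,
# not taken from the post: it covers the common location assignments only.
REDIRECT_PATTERNS = [
    re.compile(r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I),
    re.compile(r"location\.(?:replace|assign)\s*\(\s*['\"]([^'\"]+)['\"]", re.I),
]


class RedirectFinder(HTMLParser):
    """Collect external script sources, inline script bodies and meta-refresh targets."""

    def __init__(self):
        super().__init__()
        self.external_scripts = []
        self.inline_scripts = []
        self.meta_refresh = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._buf = []
            if a.get("src"):
                self.external_scripts.append(a["src"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content") or "", re.I)
            if m:
                self.meta_refresh.append(m.group(1).strip())

    def handle_data(self, data):
        # Script bodies arrive here while the parser is in CDATA mode.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline_scripts.append("".join(self._buf))


def find_offsite_references(html, page_url):
    """Return (kind, target) pairs for redirects and script loads whose host differs
    from the blog's own host. Relative and same-host targets are ignored."""
    page_host = (urlparse(page_url).hostname or "").lower()
    parser = RedirectFinder()
    parser.feed(html)
    parser.close()

    candidates = []
    for body in parser.inline_scripts:
        for pattern in REDIRECT_PATTERNS:
            candidates.extend(("script", m.group(1)) for m in pattern.finditer(body))
    candidates.extend(("meta-refresh", t) for t in parser.meta_refresh)
    candidates.extend(("external-script", s) for s in parser.external_scripts)

    findings = []
    for kind, target in candidates:
        host = urlparse(target).hostname
        if host and host.lower() != page_host:
            findings.append((kind, target))
    return findings


# Constructed splog page (not a sample from the post): the real content shows
# briefly, then a timer sends the visitor to an off-site landing page.
SAMPLE_SPLOG = """<html><head><title>My Totally Real Blog</title>
<script src="http://redirector.example.net/r.js"></script>
<script type="text/javascript">
setTimeout(function () { window.location.href = "http://landing.example.com/codec.php"; }, 2000);
</script>
</head><body><p>Welcome to my blog about knitting.</p></body></html>"""

if __name__ == "__main__":
    for kind, target in find_offsite_references(SAMPLE_SPLOG, "http://knitting.example.org/"):
        print(f"{kind:16} -> {target}")
```

Same-host and relative targets are skipped on purpose so that a blog's own navigation does not fire; a hit on an external script host is worth a look even when no inline redirect is found, because the redirect logic can live entirely in the remote file.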

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, FSL Threat Researcher

July 20, 2007

  • Security Attacks On The Rise in IM and P2P Channels

Based on recent research, FaceTime has found that security incidents targeting public IM and P2P channels increased by 5 percent in Q2 2007 compared with Q1 2007. In contrast, last year we saw a 35 percent decline over the same period, from Q1 to Q2 2006. We didn't cover this report on the blog when it came out, as the GTA story was rolling out full steam, but it is worth the time to read the analysis.

Some Highlights

A total of 317 incidents were reported during Q2 2007, bringing the total since Jan. 1, 2007, to 618 incidents. Ongoing research reaffirms a cyclical nature to malware threats with peaks in each year, typically in the spring and fall, followed by lulls in the summer and winter. In 2007, security incidents declined somewhat during the first quarter from a high in January. In the second quarter, security threats climbed again, but appear to have peaked in June. If previous patterns hold, we can expect a decline in the summer, followed by an upswing in the early fall.

From Q1 to Q2 2007, attacks spread via the mainstream networks (Yahoo, MSN and AOL) dropped from 74 total incidents in the first period to 64 in the second quarter. Attacks spread via AOL dropped by more than half (from 28 incidents to 13). Overall, the MSN network accounted for 50 percent of the attacks on the major networks, followed by Yahoo at 30 percent and AOL with 20 percent.

Some Key Findings

-- Increase in IRC attacks

As we predicted earlier this year, attacks spread via Internet Relay Chat (IRC) continue to account for a growing percentage of all attacks. In fact, the percentage of attacks that are IRC-based has risen in each of the last six quarters, rising from a 59 percent share in Q1 2006 to 72 percent in the current quarter.

-- Single channel attacks vs. multichannel

Similarly, single channel attacks—security incidents that propagate via only one vector, such as AOL, Yahoo or IRC—now account for almost three-fourths of all attacks. The percentage of attacks that are single-channel has also risen in each of the last six quarters, growing from a 46 percent share in the first quarter of 2006 to 71 percent in Q2 of 2007.

View the full report here, along with past reports. It is important to note that, with the rise of unified communications and Web 2.0, we can expect attacks along social vectors to become more subtle, creative and far more sophisticated.

While single channel attacks continue to dominate, in May we covered this example of an attack through Skype (the ultimate payload being the Stration Worm) with the built-in intelligence to go after other IM services. I feel this is a good example of what we can expect long-term.

Research and Summary Write-Up: Wayne Porter, Senior Director of Special Research

July 12, 2007

  • RSA 2007 - Botnet Live: A Visual Depiction

You listened to it, or you were there in person. But did you see everything going on behind the scenes?

Well, no. But now you can, with a full-on walkthrough of the entire event - however, we're not talking about pictures of booths or people waving free pens. No, we're talking about 141 photographs that chart my journey to California, the inevitable goofing around and the build up to what remains the biggest conference event I've been fortunate enough to take part in.

Click here to see the Flickr gallery...

July 11, 2007

  • This Will End In Disaster

A Zlob Trojan guy has posted on a Security Forum, wondering why nobody likes his infection files.

Watch things explode here. Thanks to Suzi for the tip!

July 09, 2007

  • Anti-Spyware Coalition 2007: Harvard University, Cambridge

Yes, it's been a week or two since the event took place but a combination of factors (investigating this virus, a problem with uploading pictures via my camera and the slightly ropey RealPlayer stream for the conference footage) all caused numerous issues that made me want to cry, or at least complain a bit.

Still, here we are and now everything is working again - sort of - so let's get right down to business.

First of all, we had a Keynote from GRC supremo Steve Gibson who didn't really tell us anything new, but then that wasn't the point of his talk anyway. He gave us a brief rundown of how he got into this industry and the quality of his anecdotes was more important than him jumping up and dazzling us all with some new exploit or something. For your viewing pleasure, might I present a slightly blurry photograph of the man himself:

http://blog.spywareguide.com/upload/2007/07/stegibson-thumb.jpg

...yeah, about those photos. See, the lighting in the room where the conference took place was dreadful, at least as far as grabbing decent photographs went. As you'll see later, I was sitting about five feet away from Alex Eckelberry (President of Sunbelt Software) and the pictures STILL came out blurry. So apologies in advance for any conference related pictures that sort of suck.

If I remember correctly - and I probably don't - Steve put up an image of a desktop overwhelmed by what looked like hundreds of items in the taskbar, reaching up past the halfway point on the screen. I can't recall if he mentioned in his talk that he asked users on his GRC site to assist with creating the image, but they did. I thought it was real, so that was sort of disappointing. Bah.

The first talk of the Conference was "Technical Discussion of Spyware", but if I'm being honest, I sort of lost interest in this one when they started going on about servers and databases and stuff. A number of panelists got shuffled round due to last minute cancellations, and I think this was one of the ones affected so that probably didn't help much, but thankfully here's a writeup covering what went down so that's okay.

A quick break, and it was time to get onstage for my contribution to "Internationalisation of Spyware". I found it sort of humorous that a panel dealing with "international" spyware spelt "Internationalisation" with a "z", but then silly things like that amuse me. I must admit, this panel seemed to go a lot better than the one I spoke at for the first ASC Conference in 2006. After I did my introductory ramble, the rest of the event seemed to consist of people from the FTC debating US-centric policies and laws which were completely irrelevant to the subject at hand.

This time round, the whole thing rocked and we really did talk about the subject at hand.

cboyd_talk1.jpg

That's me, that is. And I'm showing the audience a shot of what I like to call our map thingy, which lists Adware vendors plugged into our database. I talked about how a lot of the new US-based laws are coming in to specifically tackle these guys, even though the Adware boat in America has (for the most part) sailed stuffed with lots of money and it's not coming back. Put simply, I don't think those guys are the ones we have to worry about much anymore. The real danger comes from those wonderful entities lurking overseas who think nothing of handing you a web browser that serves go-to-jail inducing pornography:

cboyd_talk2.jpg

...or installing their own web browser without permission via an Instant Messaging Hijack:

cboyd_talk3.jpg

....and (just to prove I fling my arms around while talking) here's me showing the crowd a fairly large install of numerous pieces of Ad/Spy/Mal-ware from a Chinese hijack (roughly a Gig of software installed):

cboyd_talk4.jpg

Okay, so my arm isn't waving around as much as I thought but whatever.

Here's a flurry of notes on the Stop Badware Blog related to our talk. I'd say these were my key points:

Chris - A lot of stuff is quite generic (the code itself, old stuff that's been around). Chinese hijacks aren't just whackamole games with password stealers. A lot of the code is old, but what they do with it is new. Middle East, quite sophisticated root kits.

Chris - UK High Tech division crime squad. Impossible to get a hold of people. Tracking down law enforcement is useless. Accessibility of law enforcement would help.

Chris - Ministry of Media Affairs have created software (malware), that installed from various Chinese websites. You can support your government by hijacking PCs. Folks are trying to sue the government with spectacularly bad results. A lot of this stuff comes from Chinese domains where the url is random letters and numbers. But some of them are legitimate in China. There's no way to contact these domain owners. Is it malicious or has the site been hijacked?

I've talked about this kind of thing at length elsewhere, so I won't go into it here. But seeing as I'm on the subject, read this.

The third talk was Public Policy and Legislation, and this one stumped me for two reasons.

1) I missed the first 20 minutes due to having to cool down - standing around for an hour dressed head to toe in black on one of the hottest days anywhere, ever, was sort of a pain.

2) This was (for obvious reasons) very US-centric and so a lot of the points raised meant pretty much nothing to me. All I can say is, watch the recording and make your own mind up (yes, we'll get to those links shortly).

The final talk was New Market Trends in Responding to Spyware, and the sparks flew as numerous disagreements spilled out into the car park. Not really, but one or two people got faintly grumpy which is always enjoyable at an event like this.

Eventually, things rumbled to a close and so ended the Third ASC Conference. A lot of people met up afterwards - specifically, those involved in the Julie Amero case:

http://blog.spywareguide.com/upload/2007/07/juliegroup_small-745089-thumb.jpg

Here's the obligatory rollcall - the people in this picture are (left to right) standing:

Chad Loeven of Sunbelt, me, Joe Scalia, Ari Schwartz (CDT), Eric Howes of Sunbelt, Alissa Cooper (CDT), and Eric Davis of Google. Seated: Herb Horner, Alex Eckelberry, Julie Amero, Wes Volle, and Judy and Chip Neville.

With the meal done and dusted, I waved farewell to the Sunbelt crew and flew back home the day after. At this point, I guess you want to see the already mentioned RealPlayer footage of the conference, right? Well, all of the links can be found below:

Part 1
Part 2
Part 3

You'll need Real 10 Player to play the recordings (free download available here). I'd much prefer a regular movie file, but oh well. My talk is on Part 1, in case you were wondering. I'd like to tell you when it kicks in, but it kept crashing on me so much I'm lucky I even got to see it once.

If so inclined, you can see a large collection of photographs from the trip here. That's pretty much everything from me with regard to the conference, so I'll leave you with the following thought - who stole my underwear?

July 02, 2007

  • GTA: Hoodlife - Virus Attack is a Public Enemy

Recently, there have been a number of weblogs, forums and chatrooms where spam messages advertising a videogame similar to the below have been posted:

http://blog.spywareguide.com/upload/2007/07/tellmehowisit-thumb.jpg

If you go to the YouTube video in question, you'll see the enticing prospect of what appears to be a "Grand Theft Auto game" (touted on the Modding sections of a number of GTA forums), though the modern day graphics seem to have taken a step back in time....to 1986.

http://blog.spywareguide.com/upload/2007/07/ytgtaclip1-thumb.jpg
http://blog.spywareguide.com/upload/2007/07/ytgtaclip2-thumb.jpg
http://blog.spywareguide.com/upload/2007/07/ytgtaclip3-thumb.jpg
http://blog.spywareguide.com/upload/2007/07/ytgtaclip4-thumb.jpg


As there have been a number of security stories related to YouTube in the media lately, let me say this right now: There is NO danger posed to your system through direct contact with the movie clips contained on the YouTube site itself...the "GTA Hood Life" clip is perfectly safe to play and watch. The bad guys are simply using movie files to advertise the bait (in the form of the game), at which point you go to an external website provided in the clip description text.

http://blog.spywareguide.com/upload/2007/07/gtadownloads-thumb.jpg

As you can see, 54 people have downloaded the file so far. I love it when virus writers use free hosting services that give you a general idea of how much damage they're likely to have done (though of course the file could quite easily be hosted elsewhere, too).

Anyone in the group of 54 unfortunate enough to have executed the installer will see what appears to be a legitimate installer procedure:

http://blog.spywareguide.com/upload/2007/07/gtainstaller-thumb.jpg

So far, so good. The installer completes, you run the game and once it finishes loading, you'll be doing drive-bys and coming straight outta Compton in no time at all, yes?

Er....

gtaloading.jpg

.....nothing to worry about, I'm sure. The Loader just seems to be a little slow, that's all....

gtafailed.jpg

Whoops. Looks like a hard knock life will have to wait (along with oversize novelty clocks) while we tackle the more immediate concern that not everything appears to be quite right with this PC. Yo.

Switching off the PC pretty much spells doom, gloom and other things ending in "oom" because once the desktop reappears, you'll discover that the only drive-by performed today was on your computer.

http://blog.spywareguide.com/upload/2007/07/gtahahaha-thumb.jpg

As you might have guessed from the screenshot, your PC will shut down (thanks to a pair of batch files) and you won't be able to do much with it unless you know about booting into Safe Mode to avoid the endless automated shutdowns. For what it's worth, the batch files are supposed to display the following, but the PC shuts off before it can trigger - thanks to some technical hoodoo voodoo, we can show the popup:

gtahaha.JPG

....yeah, awesome. Thanks.
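Once you are in Safe Mode, the question is which autostart entry keeps pulling the trigger. The Python routine below is an added example, not code from the post or from FaceTime: given a list of (name, command line) autostart entries of the kind you would collect from the Run keys and the Startup folder, it picks out the ones that launch a .bat or .cmd file, follows each batch file (and any batch file it calls in turn) and reports whether the chain issues a forced shutdown or restart. The entries, file paths and batch contents are constructed so that it runs offline; on a real machine you would feed it the live entries and a reader that opens the files. The pattern it matches is the XP-era `shutdown -s` / `-r` syntax, which is an assumption about what such a script would contain.

```python
import re

# A shutdown or restart request, as opposed to "shutdown -a", which cancels one.
SHUTDOWN_RE = re.compile(r"\bshutdown(?:\.exe)?\s+[^\r\n&|]*[-/](?:s|r|p)\b", re.I)


def batch_targets(command):
    """Return every .bat/.cmd path referenced on a command line, quoted or not."""
    quoted = re.findall(r'"([^"]+\.(?:bat|cmd))"', command, re.I)
    unquoted = re.findall(r'(?<!")\b[A-Za-z]:\\[^\s"]+\.(?:bat|cmd)\b', command, re.I)
    return quoted + [u for u in unquoted if u not in quoted]


def forces_shutdown(batch_text, read_file, depth=0):
    """True when the script, or a batch file it launches (up to three levels deep),
    issues a shutdown/restart. Comment lines are skipped."""
    for raw in batch_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("rem") or line.startswith("::"):
            continue
        if SHUTDOWN_RE.search(line):
            return True
        if depth < 3:
            for child in batch_targets(line):
                child_text = read_file(child)
                if child_text is not None and forces_shutdown(child_text, read_file, depth + 1):
                    return True
    return False


def triage_autoruns(entries, read_file):
    """Flag autostart entries that run a batch file. read_file(path) returns the
    file's text, or None if it cannot be read."""
    findings = []
    for name, command in entries:
        for path in batch_targets(command):
            text = read_file(path)
            if text is None:
                findings.append((name, path, "batch file missing or unreadable"))
            elif forces_shutdown(text, read_file):
                findings.append((name, path, "forces shutdown at logon"))
            else:
                findings.append((name, path, "batch file at logon, review manually"))
    return findings


# Constructed autostart entries (name, command line); not taken from the post.
SAMPLE_AUTORUNS = [
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("GTA Hoodlife", r'"C:\Program Files\GTA Hoodlife\loader.bat"'),
    ("SoundMan", r"SOUNDMAN.EXE"),
    ("Updater", r"cmd.exe /c C:\DOCUME~1\USER\LOCALS~1\Temp\upd.cmd"),
]

# Constructed batch file contents keyed by path, standing in for the filesystem.
# loader.bat hands off to a second script, which is the one that pulls the plug.
SAMPLE_FILES = {
    r"C:\Program Files\GTA Hoodlife\loader.bat":
        '@echo off\nstart "" C:\\PROGRA~1\\GTAHOO~1\\hahaha.bat\necho Loading the hood...\n',
    r"C:\PROGRA~1\GTAHOO~1\hahaha.bat":
        "@echo off\nshutdown -s -t 0\n",
    r"C:\DOCUME~1\USER\LOCALS~1\Temp\upd.cmd":
        "@echo off\nxcopy /y %0 %windir%\\\n",
}

if __name__ == "__main__":
    for name, path, verdict in triage_autoruns(SAMPLE_AUTORUNS, SAMPLE_FILES.get):
        print(f"{name:14} {verdict:40} {path}")
```

If the machine is already counting down when you get to it, `shutdown -a` at a command prompt cancels the pending shutdown on XP and buys time to run the triage; the entries flagged as forcing a shutdown are the ones to remove from the autostart locations before rebooting normally.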

Anyway, exploring the video files uploaded by the YouTube user is pretty interesting - here's a shot of a clip where they tell us about an infection they had on their PC:

http://blog.spywareguide.com/upload/2007/07/pcvirusinfection-thumb.jpg

.....and here's a shot of a clip where they show us how to "make a fatal virus":

http://blog.spywareguide.com/upload/2007/07/victems-thumb.jpg

It's somewhat strange that they're offering help with some videos and directing people to files that cripple your PC's ability to start up with others, but maybe that's the way it is when you're West Side for Life.

And yes, I am profusely sorry for all the lame Gangsta jokes.

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, FSL Threat Researcher
Technical Research: Chris Mannon, FSL Senior Threat Researcher

© Copyright 2006, FaceTime Communications, Inc. All rights reserved.