July 2007 Archives

Not too long ago, a number of blogs were apparently compromised and redirects were put in place to lead you to a rogue antispyware application called Malware Alarm. Well, it looks like whoever was behind it decided to ditch the idea of compromising blogs, settling instead for setting up hundreds of Spam Blogs, pasting in some Javascript and watching all Hell break loose.

All of the spam profiles seem to have been created in July, here's a short sample:

Click to Enlarge Click to Enlarge Click to Enlarge

If you visit one of the infected sites, you'll see the "real" blog page appear for a second or two:

Click to Enlarge

...and then you'll be redirected to content that could be classed as "undesirable", and that's being incredibly generous.

By searching on code / URLs used in the hijack (and there are at least two sites perfoming redirects in combination with the Javascript employed by the bad guys), we can see that the grand total of Blogs carrying this hijack so far is...

...ouch. So far, around 1694 Blogs are carrying this redirect, and there could well be other blogs out there not accounted for yet. At this point, you're probably wondering what kind of content you're redirected to, right? Well, the answer is not particularly pleasant for any number of reasons. Some of the Blogs will send you here:

Click to Enlarge

"Teenage Assault", a hardcore rape site so extreme in its content that the only thing we can show you in the screenshot is the title on the main page. Presumably anyone crazy enough to sign up to the site and pay the joining fee will earn whoever is behind this some affiliate related cash.

The second stop is....

Click to Enlarge

Another spectacularly graphic page, this time a landing site for the ever-popular Zlob Trojans (which pose as Codecs needed to play pornographic content). There are many variations on these landing pages and the content is always a non-joy to behold.

Our final destination makes up the bulk of the redirects, and (as you might have guessed already) our finishing point is...

Click to Enlarge

....Malware Alarm! If you fall for the fake YOUR PC IS DOOMED advertising, then you'll see the below scanner doing its job (telling you your PC is still doomed, unless you pay them money to "unlock" the scanner and remove all those horrible infections it claims you have):

Click to Enlarge

Of course, if you don't pay up, then you can expect endless nag screens appearing in the middle of your screen like this:

Click to Enlarge

For now, the easiest way to avoid this is to disable Javascript. We've notified Google, and as far as we can tell, they've already nuked every single example given above. As I mentioned earlier, there could well be other domains out there performing these redirects so a little vigilance may be called for over the next few weeks. Either way:

Click to Enlarge

....that's the best thing I've seen all day.

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, FSL Threat Researcher

Based on recent research Facetime has found security incidents targeting public IM and P2P channels increased by 5 percent in Q2 2007 compared with Q1 2007. In contrast, last year we saw a 35 percent decline over the same period, from Q1 to Q2 2006. We didn't cover this report recently on the blog, as the GTA story was rolling out full steam, but it is worth the time to read the analysis.

Some Highlights

A total of 317 incidents were reported during Q2 2007, bringing the total since Jan. 1, 2007, to 618 incidents. Ongoing research reaffirms a cyclical nature to malware threats with peaks in each year, typically in the spring and fall, followed by lulls in the summer and winter. In 2007, security incidents declined somewhat during the first quarter from a high in January. In the second quarter, security threats climbed again, but appear to have peaked in June. If previous patterns hold, we can expect a decline in the summer, followed by an upswing in the early fall.

From Q1 to Q2 2007, attacks spread via the mainstream networks (Yahoo, MSN and AOL) dropped from 74 total incidents in the first period to 64 in the second quarter. Attacks spread via AOL dropped by more than half (from 28 incidents to 13). Overall, the MSN network accounted for 50 percent of the attacks on the major networks, followed by Yahoo at 30 percent and AOL with 20 percent.

Some Key Findings

-- Increase in IRC attacks

As we predicted earlier this year, attacks spread via Internet Relay Chat (IRC) continue to account for a growing percentage of all attacks. In fact, the percentage of attacks that are IRC-based has risen in each of the last six quarters, rising from a 59 percent share in Q1 2006 to 72 percent in the current quarter.

-- Single channel attacks vs. multichannel

Similarly, single channel attacks?security incidents that propagate via only one vector, such as AOL, Yahoo or IRC?now account for almost three-fourths of all attacks. The percentage of attacks that are single-channel has also risen in each of the last six quarters, growing from a 46 percent share in the first quarter of 2006 to 71 percent in Q2 of 2007.

View the full report here along with past reports. It is important to note with the rise of unified communications and Web 2.0 we can expect attacks along social vectors to become more subtle, creative and far more sophisticated.

While single channel attacks continue to dominate, in May we covered this example of an attack through Skype (the ultimate payload being the Stration Worm) with the built-in intelligence to go after other IM services. I feel this is a good example of what we can expect long-term.

Research and Summary Write-Up: Wayne Porter, Senior Director of Special Research

You listened to it, or you were there in person. But did you see everything going on behind the scenes?

Well, no. But now you can, with a full-on walkthrough of the entire event - however, we're not talking about pictures of booths or people waving free pens. No, we're talking about 141 photographs that chart my journey to California, the inevitable goofing around and the build up to what remains the biggest conference event I've been fortunate enough to take part in.

Click here to see the Flickr gallery...

A Zlob Trojan guy has posted on a Security Forum, wondering why nobody likes his infection files.

Watch things explode here. Thanks to Suzi for the tip!

Recently, there have been a number of weblogs, forums and chatrooms where spam messages advertising a videogame similar to the below have been posted:

Click to Enlarge

If you go to the YouTube video in question, you'll see the enticing prospect of what appears to be a "Grand Theft Auto game" (touted on the Modding sections of a number of GTA forums), though the modern day graphics seem to have taken a step back in time....to 1986.

Click to Enlarge

Click to Enlarge

Click to Enlarge

Click to Enlarge

As there have been a number of security stories related to YouTube in the media lately, let me say this right now: There is NO danger posed to your system through direct contact with the movie clips contained on the YouTube site itself...the "GTA Hood Life" clip is perfectly safe to play and watch. The bad guys are simply using movie files to advertise the bait (in the form of the game), at which point you go to an external website provided in the clip description text.

Click to Enlarge

As you can see, 54 people have downloaded the file so far. I love it when virus writers use free hosting services that give you a general idea of how much damage they're likely to have done (though of course the file could quite easily be hosted elsewhere, too).

Anyone in the group of 54 unfortunate enough to have executed the installer will see what appears to be a legitimate installer procedure:

Click to Enlarge

So far, so good. The installer completes, you run the game and once it finishes loading, you'll be doing drive-bys and coming straight outta Compton in no time at all, yes?

Er....

.....nothing to worry about, I'm sure. The Loader just seems to be a little slow, that's all....

Whoops. Looks like a hard knock life will have to wait (along with oversize novelty clocks) while we tackle the more immediate concern that not everything appears to be quite right with this PC. Yo.

Switching off the PC pretty much spells doom, gloom and other things ending in "oom" because once the desktop reappears, you'll discover that the only drive-by performed today was on your computer.

Click to Enlarge

As you might have guessed from the screenshot, your PC will shutdown (thanks to a pair of batch files) and you won't be able to do much with it unless you know about booting up in safe mode to avoid endless automated shutdowns. For what it's worth, the batch files are supposed to display the following, but it shuts off the PC before it can trigger - thanks to some technical hoodoo voodoo, we can show the popup:

....yeah, awesome. Thanks.

Anyway, exploring the video files uploaded by the YouTube user is pretty interesting - here's a shot of a clip where they tell us about an infection they had on their PC:

Click to Enlarge

.....and here's a shot of a clip where they show us how to "make a fatal virus":

Click to Enlarge

It's somewhat strange that they're offering help with some videos and directing people to files that cripple your PCs ability to start up with others, but maybe that's the way it is when you're West Side for Life.

And yes, I am profusely sorry for all the lame Gangsta jokes.

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, FSL Threat Researcher
Technical Research: Chris Mannon, FSL Senior Threat Researcher