August 2007 Archives

Recently, I was in Singapore to give a number of talks on Spyware and Adware attacks. Interestingly, a number of people in the area Emailed me to let me know about something infecting their friends via MSN Messenger. As we investigated further, it did indeed seem to be based around the Singapore area (with a few mentions of it on Chinese forums, too). Here's a screenshot from a popular Singapore community forum:

...and here's a screenshot from a Chinese forum:

...note the Flag of Hong Kong in the bottom left hand corner. All the cases we've seen of this so far have been limited to the Singapore region, with a couple of individuals mentioning it on Hong Kong-centric forums. Of course, this doesn't mean there aren't other victims out there but the spread so far seems to be quite limited.

Check out this map -


There are many, many domains hosting the main Executable (dubbed "Singworm") pushed by the Instant Messaging infection link, the majority of which are hosted in Hong Kong and Taiwan. Yet another file (Winsys.exe) is downloaded from a number of different servers, one of which is apparently running out of Israel.


Variants of Winsys.exe have been known to be involved in various types of data theft, including login details, banking information and personal data.

The worm itself is mostly built for Spamming, with elements of the Stration Worm and other pieces of Malware thrown in for good measure.

It starts, as it always does, with the downloading and execution of a single file - in this case, rather oddly called "":

As soon as you run the file, the system attempts to start sending spam via the collection of files already deposited on the PC. At certain points in time, the amount of Spam the system was trying to send was so much that the testbox slowed down to a crawl and a reboot was needed. Here are a few of the files dropped into the System32 Folder:

At this point, if you have MSN Messenger the inevitable infection link will appear in the chat window of your contacts, which says "here are new smiles for MSN, they are incredible!":

....and of course, you'll send your infection link again.....and again.....and again.....

At this point, detection for most of the files involved in this one is sketchy at best. We've notified MSN of this threat - in the meantime, if you're in the Singapore and Hong Kong regions, be aware of any strange links coming through from your colleagues...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Technical Research: CC, FSL Senior Threat Researcher
Technical Research: Peter Jayaraj, FSL Senior Threat Researcher

Time to do some last minute checks with regards conference details and generally hang out at one of the many local stalls...

Behind The Scenes


You know, a lot of work goes into pulling angry faces like this:

...yeah, I know it looks like I'm about to say something sweary, but honestly I'm not. I just rage and roll, apparently.

With that in mind, here's a couple of pics from a sort of "mini-event" that doubled as a prep session for the main talks...

Welcome to Singapore


A few weeks ago, I was honoured to be asked to go and speak at a number of events taking place in....well, you probably guessed from the title. For some reason, I was unable to post to Spywareguide from Singapore so you probably caught me rambling on about all sorts of random lunacy on instead.

Well, now I'm back and can finally post things and stuff about....things and stuff. If you see what I mean....

Ingreslock Exploit: Alive and Well


There has been a large steady stream of new Trojans coming out of China lately. Now it seems like it's starting to look more drastic than that. It all begins with Downloader-Arun. Like most other downloaders, its purpose is to download as many Trojans as possible. This is just how bad it can get:

Breakdown of what Downloader-Arun installs on the victim PC.

While Downloader-Arun is installing, it contacts another Chinese site to download sercer.exe onto the victim's PC. Sercer.exe is immediately run and moved to C:\Program Files\Internet Explorer as SPLOAE.exe.
Sercer.exe has the same file size and MD5 hash as C:\Program Files\Internet Explorer\SPLOAE.exe.

Once SPLOAE.exe is running, it gets information that is stored in SPLOAE.dat.
This is the same information that is stored in SPLOAE.dat.

Since the infection is in the Internet Explorer directory, it's probably a good idea to check out what kinds of connections are taking place. Looking closer at the connection you'll see that someone is attempting to exploit your computer! You may recognize this type of attack if you were a playboy customer in '98.
A connection has been made at port 1524. Foul play is sure to follow.

Now would be a good time to check and see what kinds of connections are currently active on the infected PC.
You can tell if there is a connection to your computer by using the netstat -a -n command.

There is a connection established to the same IP address that was seen during the installation. Taking a closer look at the domain brings you to *dramatic pause* his blog!
The established connection redirects to a blog of questionable safety.

Fortunately for the victim, there is a very easy way to tell if you are being exploited by this threat. If you are infected by this particular threat, there will be an autostarter value called "MrXiaokan".
This threat auto starts using the value "Mrxiaokan"
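The netstat check above, as an added example that is not code from the original post: it parses the text layout of "netstat -a -n" (the sample below is constructed, not a capture from the infected box) and flags any socket on port 1524, the ingreslock port, plus the remote peers of established connections so they can be compared against the address seen during installation.

```python
# Constructed sample of "netstat -a -n" output in the Windows layout the post
# describes. Addresses are documentation ranges, not the real attacker's.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1524      0.0.0.0:0              LISTENING
  TCP    192.168.1.20:3289      192.0.2.10:80          ESTABLISHED
  TCP    192.168.1.20:1524      198.51.100.7:2188      ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""

INGRESLOCK_PORT = 1524  # the port the post shows the connection on


def split_endpoint(endpoint):
    """Return (host, port) from 'host:port'; handles '[::]:0' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat text into rows; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        rows.append({
            "proto": parts[0],
            "local": split_endpoint(parts[1]),
            "remote": split_endpoint(parts[2]),
            "state": parts[3] if len(parts) > 3 else "",  # UDP has no state
        })
    return rows


def find_ingreslock(text, port=INGRESLOCK_PORT):
    """Rows where either end uses the ingreslock port (listener or session)."""
    return [r for r in parse_netstat(text) if port in (r["local"][1], r["remote"][1])]


def remote_peers(text, state="ESTABLISHED"):
    """Remote hosts of live sessions, to match against the install-time IP."""
    return {r["remote"][0] for r in parse_netstat(text) if r["state"] == state}


if __name__ == "__main__":
    for hit in find_ingreslock(SAMPLE_NETSTAT):
        print(hit["proto"], hit["local"], hit["remote"], hit["state"] or "-")
    print("established peers:", sorted(remote_peers(SAMPLE_NETSTAT)))
```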

This was just one of the files that was installed from the original Trojan Downloader-Arun. Other threats are out there just waiting to be clicked. My advice to you is this: Mind your clicks.

Yep, more fake profile Friend requests. These ones are a little more interesting than usual, though.

First of all, this thing popped into my Inbox:


It's pretty obvious that this profile screams out "fake", so off we go to take a look and....

....we see a big banner claiming "Need cash fast use easy Paypal system" with a blog entry proclaiming "$400 to Paypal". If you click the banner, you're taken to a site called "":

I'd love to be able to tell you what the software on this site does that will generate you so much money, but to find out you have to send ?19.99, apparently without any idea as to what you're going to purchase.

Interestingly, if you Google, the top result (sitting above a number of pages on Myspace that have had this banner posted to them) is rather strange:

"Myspace Hacking / Welcome Welcome to myspacehacking we are the leading email account & myspace password recovery websites on the internet today."

....guess we'll go pay it a visit then.

Apparently, you can pay between $60 and $75 to recover a lost password for a variety of Email systems, and the site also offers a number of downloads of the Password crack / recovery variety. Some are free, but the one listed in orange needs to be paid for - no idea what it does though:

If you click around on the front page for a while, you'll see this message appear at the top of the screen (viewable in the main shot of the site above):


I'm guessing this was only supposed to be viewable if you were rummaging round their HTML source, but oh well. Some more exploring on Myspace follows, and it seems a wave of spam profiles have been set up with the express intention of pimping the Vid-share URL:

This one is extremely interesting, as (aside from the Vid-Share spam) it also has this in one of the blog entries:

"Do you need a Myspace password

Get your passwords here"

Sadly, there doesn't seem to be any cached version of the (currently down) site, so there's no way to check it out and compare it against the sites already mentioned. However, we DO seem to have an overabundance of spam profiles:

....aren't we the lucky ones?

Bored Spammers


You know, if you're a spammer then sure - you can be fancy and innovative and send your PDFs and your FDFs. But sometimes, it all gets too much. What do you do? Easy, take your foot off the gas and simply send me a URL which leads to....

....a page on Yahoo Finance. Guys, please - you're just not trying hard enough this week...!

Is Purityscan D.O.A?


Here's the Database entry for Purityscan.

Here's their website:


.....things that make you go "Hmmm".

The other day, I was unceremoniously dumped from a website I'd chosen to visit, being told to clear off because I happened to be using FireFox. Some more information has come to light courtesy of a thread here, and I can't say I'm impressed. If you happen to visit any websites running a particular set of code while using FireFox, you'll see this instead of your chosen website:

The code used to do this is available in various cut and paste formats:

The reason for this boils down to supposed revenue being lost because people use Ad Blocking tools in conjunction with FireFox. References are made to "demographics" stating that FireFox users only represent a "small percentage of online spending" (without citing the source of these demographics), hilariously OTT statements claim Mozilla are "empowering internet theft" and they effectively accuse FireFox users with adverts blocked of both infringing copyright ("to the letter of the law") and being common thieves ("Accessing the content while blocking the ads, therefore would be no less than stealing").

That's a little strong, isn't it? The site I was booted from was running ads that needed to be clicked to generate revenue, simply viewing them wasn't enough to make money. That being the case, how am I "stealing" from a site when they're making the presumption I'm going to want to click their advert to make them their money in the first place? Sure, if there's no advert there at all due to a blocker then nothing is going to be clicked anyway. But the reasoning behind this is pushing a line of ADVERT ON SITE = INSTANT MONEY, which just isn't the case.

Yes, we have a right to say what we do and don't want on our PC. And yes, the guy behind this idea does have a right to block you from his website if you don't want to see his adverts.

But wow, it's still stupid and decreasing your web traffic for the sake of a few clicks on random adverts. This says to me that the only thing on the site the creator thinks is worthwhile are the adverts themselves. If they'd rather keep you away from their actual content to keep their precious adverts intact, what does that say about the worth of the material on their homepage in any case?

You're probably better off without them.

Mind you, this does have obvious bad-guy potential. How long will it be before we see someone create a bunch of exploit sites, slap their "no FireFox" code on it and instruct you to come back with a Browser they know they can hijack using x, y or z exploits? "read the fine print". So it was sort of humorous to see this - nothing to do with Adware, but a good metaphor for all the double-talking, nonsensical EULAs I've had to endure over the years.

It's always good when someone gets busted for online stupidity. Click here and feel good about things for a random amount of time.

I just saw this in the Database and had an overwhelming urge to run it.

...the lesson to be learned here is that if I'm ever in need of a date, this thing will fix me up. I think.

I think this EMail has some identity issues it needs to resolve. The top of the mail is designed to look like it's from EBay:

....though the pills (instead of TVs and MP3 Players) sort of give it away.

However, scroll down and just under the plethora of pills, we have...

.....a collection of entirely genuine links to EBay, which will teach you all about "protecting yourself from spoof (fake) EMails".

There's humour in there somewhere.

I recently had an interview with - here's the full piece, which focuses on the ever present danger from social networking and the new phenomenon of 419 Scammers targeting property websites.

It seems like EMail spammers have tried every attachment under the sun lately, but here's something I got this morning - an .FDF file bundled in with Spam mail:

An .FDF file is a text file format used for data exported from .PDF form fields. They're usually smaller than PDF files, because they only contain form field data, not the entire form. The content in the attachment was just the usual garbage relating to the "latest hot stock picks".
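The FDF format described above, as an added example that is not from the original post: a small triage parser for the kind of attachment the mail carried. The sample file is constructed (not the spammer's attachment); it reads the %FDF header, the /F entry naming the PDF form the data belongs to, and the /T (name) / /V (value) pairs in /Fields, so the text a spam filter should look at can be pulled out without opening the file in a PDF reader.

```python
import re

# Constructed FDF sample, the same shape as a form-field export: a header, one
# object holding the FDF dictionary, and a /Fields array of /T and /V pairs.
SAMPLE_FDF = b"""%FDF-1.2
1 0 obj
<< /FDF << /F (report.pdf)
/Fields [ << /T (subject) /V (Latest hot stock picks!!!) >>
          << /T (body) /V (Buy XYZQ before it explodes, up 300% this week) >> ] >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Literal-string fields only: hex strings <...> and nested parentheses are not
# handled, so a file using them simply yields fewer fields here.
FIELD_RE = re.compile(rb"<<\s*/T\s*\((?P<name>[^)]*)\)\s*/V\s*\((?P<value>[^)]*)\)\s*>>")
FILE_RE = re.compile(rb"/F\s*\(([^)]*)\)")


def is_fdf(data):
    """An FDF starts with a %FDF-x.y header, the way a PDF starts with %PDF-."""
    return data.startswith(b"%FDF-")


def fdf_fields(data):
    """Return {field name: value} for the literal-string fields in the file."""
    return {m.group("name").decode("latin-1"): m.group("value").decode("latin-1")
            for m in FIELD_RE.finditer(data)}


def fdf_target_form(data):
    """Return the /F entry (the PDF form this data is meant for), or None."""
    m = FILE_RE.search(data)
    return m.group(1).decode("latin-1") if m else None


def looks_like_stock_spam(data, keywords=("stock", "pick")):
    """Triage heuristic: do the field values carry the stock-spam wording?"""
    text = " ".join(fdf_fields(data).values()).lower()
    return any(k in text for k in keywords)


if __name__ == "__main__":
    print("fdf:", is_fdf(SAMPLE_FDF), "form:", fdf_target_form(SAMPLE_FDF))
    for name, value in fdf_fields(SAMPLE_FDF).items():
        print(f"  {name}: {value}")
    print("stock spam:", looks_like_stock_spam(SAMPLE_FDF))
```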


About this Archive

This page is an archive of entries from August 2007 listed from newest to oldest.
