Internet Threats, IM, Malware, P2P, Spyware - Software in a World of Grey.
- Fake Windows Update Popup: It's Back (Again)
The fake Windows Update popup has been doing the rounds on Myspace for a long time (we're talking at least June 2007). Every now and again it returns, usually varying the payload. Well, here we have an example where Phishing is involved and a sneaky imitation of a well known security program is thrown in for good measure. Find out more after the jump...
Deepak, one of our researchers came across this today:

It is, of course, Ye Olde Fake Microsoft popup, complete with installer that typically tries to scare the user into purchasing rogue antispyware products.
However, this one leads back to an FTP Directory with a bunch of new files that have apparently been sitting there since the 11th of May:

Even more interesting, check out the HTML file sitting in the directory:
We have a definite tie between one of these fake popups and an honest-to-goodness Phishing page sitting on the same URL. Shall we look at one of the popups? You might find this strangely familiar, because the bad guys are imitating a well known security product:

Compare and contrast with the real thing - an alert from reputable security program NOD32 Antivirus.
Pretty devious.
Discovery and Research: Deepak Setty, FSL Senior Threat Research Engineer
- OKOK.exe is not okay - okay?
Corporate espionage is one of the biggest threats companies face today. Even the most secure networks aren't 100% safe, but there are ways network administrators can spot a worm or attacker before the damage is done. Recently I came across a worm that can map a network's internal layout and send it back to the attacker, using a service related to Backdoor.CVM.
The infection begins like it usually does. Someone clicks something they shouldn't. Regardless of how it happens, the results are the same.

You can expect to see this many added/modified files across your network if this worm has its way.
The worm's first order of business is to contact the site hosting the malicious content. This particular variant phoned home to http:// 513389.cn/kk.txt. From there it downloads 34 executable files, the last of which is okok.exe. Once okok.exe is saved to the infected machine as C:\Windows\System32\Microsoft\svchost.exe (note the extra "Microsoft" subfolder - the genuine svchost.exe lives directly in System32), it sends out ARP requests across the local subnet to map the network.

Svchost.exe (okok.exe) sends out an ARP broadcast across the network.
After that it's only a matter of time until more and more computers on the network start displaying similar network activity. We detect this threat as OkOk.
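The two indicators above (a single host suddenly ARP-requesting every address on the subnet, and an svchost.exe sitting one directory too deep) are both cheap to check for. The script below is an added example written for this post, not code from the original write-up or from the worm; the ARP records and file paths it works on are constructed sample data, and the 50-targets-in-5-seconds threshold is an assumption you would tune to your own network.

```python
# Added example, not code from the original post: detection logic for the two
# indicators described above. Sample ARP records and paths are constructed.
from collections import defaultdict
from ntpath import basename, dirname  # ntpath so Windows paths parse on any OS

# Constructed ARP "who-has" log: (timestamp_seconds, sender_ip, target_ip).
# In practice these come from a packet capture or a switch mirror port.
SAMPLE_ARP = [
    (0.0, "10.0.0.5", "10.0.0.1"),   # normal: a host resolving its gateway
    (1.0, "10.0.0.7", "10.0.0.1"),
] + [(2.0 + i * 0.01, "10.0.0.23", f"10.0.0.{i}") for i in range(1, 255)]


def arp_sweepers(records, window=5.0, threshold=50):
    """Return {sender_ip: distinct_targets} for every sender that asked for more
    than `threshold` distinct IPs inside any `window`-second span.
    A normal host resolves a handful of neighbours; a mapper asks for all of them."""
    by_sender = defaultdict(list)
    for ts, sender, target in sorted(records):
        by_sender[sender].append((ts, target))
    hits = {}
    for sender, events in by_sender.items():
        start = 0
        in_window = defaultdict(int)  # target -> requests inside the sliding window
        for ts, target in events:
            in_window[target] += 1
            while events[start][0] < ts - window:  # drop events older than the window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > threshold:
                hits[sender] = max(hits.get(sender, 0), len(in_window))
    return hits


# The only directories Windows loads the real svchost.exe from.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_masquerading_svchost(path):
    """True for a file called svchost.exe living anywhere other than the real
    service-host directories, as with the sample's extra 'Microsoft' subfolder."""
    p = path.lower()
    return basename(p) == "svchost.exe" and dirname(p) not in LEGIT_SVCHOST_DIRS


if __name__ == "__main__":
    print(arp_sweepers(SAMPLE_ARP))  # {'10.0.0.23': 254}
    print(is_masquerading_svchost(r"C:\Windows\System32\Microsoft\svchost.exe"))  # True
```

The sliding window matters: a host that resolves 254 neighbours over a working day is normal, one that does it in a few seconds is scanning. The path check is deliberately strict; any svchost.exe outside the two real directories is worth a look, whatever its other properties.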
Here's a curious file that relies on the power of a shock to the system for anyone wanting to indulge in some hacking and cracking action. Namely: stealing MSN Messenger passwords.
Upon firing up the "program" (which is actually a batch file, giving some hint as to the actual nature of the payload), the user sees this:

Seems too good to be true, doesn't it? Sure enough, a few seconds later and...

At this point, the end-user silly enough to run this file is probably thinking their PC is going to go up in flames - however, nothing actually happens and your PC will continue to function as normal. Has someone created this to deter wannabe hackers from jumping on the "steal everything" bandwagon? Or is this just a gag by hackers at the expense of noobish newcomers?
(Additional Research: Deepak Setty, FSL Senior Threat Research Engineer)
- Roll Up, Roll Up, Get Your Passports Here
If you got this in your mail, would you be curious?
Subject: UN Diplomatic Passport & Swiss Private Bank Accounts
Union Privacy Ltd
Union Privacy group is the world's largest provider and expeditor of global travel documents and passports. We service people, companies of all sizes, from small neighborhood businesses, to large tour and cruise ship operators, to most of the FORTUNE 500. Union Privacy has the unique advantage of offering clients the best of all worlds - highly trained visa and passport professionals combined with attention to flexible, responsive service.
We offer Comprehensive guide to obtaining second passports and citizenships, camouflage passports, new identities, legal residency and more.
Through our long time reliable and trusted contacts at governmental level, we are finally able to offer a genuine United Nations Diplomatic appointment and passport from a respected UN member country. Also you can take part in our Passport Programs for your Second Passport (even with New Identity).
I certainly was. Find out what happened after the jump...
My, where to begin? Exploring the website the email originated from makes me a little wary - for starters it mentions "Camouflage Passports". Traditionally, these kinds of documents do not have a very good reputation:
"The passports' manufacturers claim that the camouflage passports cannot be regarded as counterfeit passports because they are not purporting to be documents that are internationally recognized. This is however highly questionable as the passports pose as documents of former (but real) countries, and in some cases documents issued by these countries before their dissolution are still valid. Furthermore, the majority of the countries did not simply vanish. Instead they have transformed into different legal units or entities who have taken over their administrative authorities, including passport issuance.
...whether a simple possession of a camouflage passport is illegal in countries other than those listed above depends on the legal specifics of the individual country, it is however likely that authorities in any country will not look too kindly on a discovery of fake identification documents."
That alone is enough to make me wonder what on Earth I've just been sent. However, things take on a stranger appearance at this point. With regard to obtaining my "UN Diplomatic Passport":

Yes, the first thing you see is text informing you that the only appointment available is "In Southern Africa". Furthermore, you have to fly out to the host country to meet the "Head of State". Additionally, you need $45,000 lying around AND you have to pay a "referral fee" upfront before they'll actually do anything. Oh, and you have to send them proof of funds, too. Once you've done all of that, you also need to send:
If (paying) via Credit Card : please attach the following scanned copies and send us via e-mail :
a. A scanned copy of your passport (photograph and signature must be visible)
b. A scanned copy of another Photo ID (Driving License, Military ID, State Issued ID) (photograph and signature must be visible)
c. A scanned copy of Bank Statement or if you place an order with credit card , a scanned credit card billing statement is required.
d. If you place an order with Credit Card, a scanned copy of your credit card (both sides)
I think I'll pass on the offer, thanks anyway.
- First Time For Everything
As you might imagine, I'm registered on a lot of social networking sites - a lot of the time, just to see what's coming through in terms of hijacks, adverts, scams etc. I've been registered on Wayn.com for a long time, but never seen anything strange come through. Until this morning, that is, when I found out I had a message waiting from Janet Jackson.
As you do.

Something tells me this isn't Janet inviting me to sing with her at the next Superbowl...
....whoops. I doubt this is the start of an endless barrage of ringtone spam and free iPods, but it'll be interesting to see if I get anything else like this. Have spammers worked out a way to game Wayn? Have I just been lucky so far? Or have they only just started targeting the site? No idea. I'm still up for singing at the Superbowl though...
- More Fake Instant Messaging Scams
Here's another fake Instant Messaging application from the creator of the fake Google Talk program currently in circulation. This time round, the victim is MSN Messenger:
Clicking the "Sign In" button opens up a smaller popup asking you to fill in your .NET Passport details. Of course, filling in your details will result in a fake "Service could not be found" message. Once you leave the PC, the attacker happily wanders over, browses to the C: drive and steals your login details.
These programs seem to be flavour of the month at the moment...
- Fake GoogleTalk Application In The Wild
We're still trying to pin down exactly how new this is, but it seems someone has released a fake Google Talk application into the wild.
Compare the fake application on the left with the real thing on the right, and note the differences:

Immediately, we can see that the real thing has a rounded curve at the top - the fake is blocky, and looks like a regular Windows application box. There's an "Inbox" link at the top when you start up the fake application - there isn't a link like that when firing up Google Talk for the first time. The Username / Password box is much lower down on the fake application, and the "Sign In" button is curved on the real application but not on the fake. Finally, you'll see "Forgot your account / Don't have an account" on the genuine Google Talk program - not so on the fake.
How does this work?
Well, the program doesn't connect to the Internet - for this attack to be successful, the hacker needs physical access to a PC that lots of people use. Could be a workplace PC, could be in a school, library, Net Cafe - anywhere where it's possible to run an executable file then retreat to a safe distance while the potential victim sits down and thinks "Just need to check something on IM..."
Assuming the victim enters their login details into the fake application, they will immediately see a fake error message, and probably think no more of it:

Once they've finished whatever they were doing and left the PC, the attacker only has to sit down and browse to the C Drive where they'll see this:

As you probably guessed, any and all login details typed into the fake application will be stored in this text file:

We detect this application as Fake Googletalk.
Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Chris Mannon, FSL Senior Threat Researcher
- Random Skype Conversations With A Bulgarian...Sort Of
Here's an extract from an odd chat I had today with someone claiming to be a "hot chick from Bulgaria". There's a fair amount of text, so read on if you fancy hearing about how I spent the afternoon being bombarded with pornography and something that reeked of "infection file"....
[13:43:42] CaMu says: hi hi hi
[13:44:41] Paperghost says: hello
[13:44:52] CaMu says: :))))
[13:45:28] CaMu says: How are you What is your name
[13:46:07] Paperghost says: Chris, and you?
[13:48:22] CaMu says: SAmi
[13:48:23] CaMu says: :)
[13:48:31] CaMu says: pic ?
[13:48:58] Paperghost says: dont have one here, sorry. where are you from
[13:49:34] CaMu says: BUlgaria
[13:49:37] CaMu says: :P
[13:49:48] CaMu says: you
[13:49:50] CaMu says: ?
[13:49:59] Paperghost says: england
[13:50:10] CaMu says: WOW
[13:50:13] CaMu says: :)
...yes, "wow". I have a feeling this is going to end up with a request to check out a webcam or something...
[13:50:17] CaMu says: qko bace
[13:50:42] CaMu says: sorry this is not english
[13:52:57] Paperghost says: no problem
[13:55:57] CaMu says: oks
[13:56:05] Paperghost says: do you have a picture?
[13:56:51] CaMu says: yes
[14:09:35] Paperghost says: cool, is that you? do you have a website?
See how I'm cutting to the chase here? I should get bonus points for dispensing with the pleasantries and getting right to the "Show me your webcam site" part.
[14:12:54] CaMu says: Did it right see . . . after all me now I am bulgarian All bulgarians are beautiful . . . It is not i that have website.. sorry
...huh, okay. They don't have a website? But how are they going to bill me $19.99 a month? And then...all of a sudden....
[14:13:09] CaMu sends the files "pic254663.jpg", "ΦΦΦΦΦ.jpg" to the chat participants.
[14:13:24] CaMu sends the file "Image16.jpg" to the chat participants.
....they start sending me pictures. Pictures of naked amateurs, at least one of whom is a recognisable American porn star. I wonder if they'll claim they're all of her?
[14:19:54] Paperghost says: good pics!
[14:21:33] CaMu says: ;)
....in hindsight, not the smartest thing to say because I'm suddenly drowning in a sea of Bulgarian porn. And although it probably isn't displaying correctly, a lot of the text is in Russian...
[14:22:43] CaMu sends the files "thumb_37763.jpg", "9236.jpg", "9237.jpg", "148859.jpg", "155788.jpg", "160643.jpg", "original_77701.jpg", "original_91707.jpg", "original_201502.jpg", "original_274304.jpg" to the chat participants.
[14:24:17] CaMu says: Do they fancy those You. . ? ? ? We are for my girlfriends in them and the all are bulgarians
That's a whole lot of fake Bulgarian porn, right there. And oh my, she DID claim the pictures are of her (well, some of them anyway). Is this actually going somewhere, though?
You bet....
[14:26:24] CaMu says: The pornography-movie wants that I to mail Li out. . I Be
[14:27:52] CaMu sends the file "BG sex - Minet4iika Ot Stara Zagora Dyha I Gulta Spermata (XXX PORNO).avi" to the chat participants.
[14:41:57] Paperghost says: oh dear you went offline
...yes, "oh dear". The person at the other end attempted to send me a movie file of some description, and then suddenly vanished. Obviously this means I never received the "movie file", but I'm willing to bet that the file in question probably contained a nasty surprise.
Interestingly, I found a similar experience here - same pattern, same gimmick ("Bulgarians" using lots of Russian text) and the conversation even ended with a random insult. Bonus!
If you think this is the part where I get all preachy and advise never to accept random image / movie files from strangers, you'd be right. If anyone else out there has had a similar experience, please feel free to share your tales of pornography bombardments and random insults...
- Comments Working (Again!)
We did fix it - but something went horribly, horribly wrong somewhere and the comments broke again.
*cough*
Anyway, the fresh deluge of Viagra spam in my mailbox tells me the comments are now 100% up and running once more. I'm now going to sit in the corner and cross my fingers...
Hackers are not only harnessing the power of memes in a big way, they are (in some cases) having their creations dictated to them by whatever the passing fad happens to be at the time. A pretty strange turnaround, but it's all down to the popularity of various warring factions on the web that are increasingly attracting a hacking community. Witness the rise of Anonymous, Project Chanology and a host of others, many of whom "borrow" Memes from sites such as 4Chan, then argue over who created what meme first.
Well, read on to see an example of a DDoS tool riddled with memes just so it'll gain acceptance from the target audience (complete with built in radio and chat functionality, just to keep the "Partyvan" mentality going a little longer) after the jump. By the way, there's no getting around this - many Internet memes are (by their very nature) cruel, vile and offensive. This makes the nature of explaining some of these memes slightly tricky, and (as this is a safe for work blog) kind of makes it difficult to link to source material without making you go blind. As such, anything that might cause your boss to yell at you has been labeled not safe for work. And with that out of the way....
Above is a perfect example of the way in which very specific demands are now being placed on the creators of hacking / cracking tools. If you want to be accepted, you have to stuff your program full of Memes. Otherwise, nobody wants it and you have a large plate of Epic Fail on your hands.
...as you might have guessed, we're looking at a Beta release here! Fire the program up, and you're presented with the following:
Even before you see the program, you're deluged with a mashup of Memes - namely Mudkips (WARNING - probably not safe for work), and Laz0rs. Then the program kicks into life, and the meme-fest continues:
Packets sent are pre-filled as Loldongs (click here for the origin - again, possibly not work safe) and there's some text that says "Mudkips I choose you". Interestingly, clicking the text causes this error - perhaps the creator intended a Mudkip to appear on your desktop or something and never got round to finishing it off.
Things get even weirder at this point - remember, this is supposed to be a DDoS tool. And yet it not only has a proxy built in, but also has a radio AND chatroom functionality:
Communal DDoS attacks, gotta' love it. Sort of.
What caused the creation of this particular tool though? Well, let's leave it to the creator to explain...
....and, now that it makes no sense whatsoever, allow me to fill in the gaps.
This is Longcat. This is Longcat doing battle with Tacgnol. Longcat is looooooooong. Longcat is an extremely well known and popular meme, and certain segments of Anonymous seemingly get a little annoyed when people start using him for their own ends. From the Partyvan Wiki:
"Meme theft is the only way to successfully troll Anonymous. One of the most typical types of meme theft is when a meme (especially a well-known meme) is made into an item that is sold for money, virtual or actual. The response of Anonymous to meme theft are raids that are godly and usually result in the destruction of the website."
One site, Subeta.org, found this out the hard way when they offered up Longcat as a "virtual item" on their website. You can read about what happened here - once again, not safe for work.
Well, it appears another website, GaiaOnline, is offering up Lolcat scarves to their users. This has now set in motion the Second Longcat Crusade, and also caused a wave of hack tool creators to offer up their DDoS tools to "aid the cause". Ironically, none of these tools will likely be used as Anonymous members have already realised that attempting to DDoS GaiaOnline will not work. As one person put it:
"DDoS attacks don't work on Gaia, due to the fact that they have over 20 dedicated servers that host their forums. If we want to do any serious damage to this site, we're gonna have to come up with a new method of attack. Subeta was only defeated when we achieved Keith Kurson's credit card numbers and ordered thousands upon thousands of Fresh Prince of Bel-Air boxed sets with them. Let's try doing something like that."
The Internet, Kids. It's Serious Business. For more on the Second Longcat Crusade, click here. It's possibly not safe for work either, but then that's no real surprise anyway, right?
I had this waiting for me in my Myspace friend request box today:
...uh. I had pegged this as a standard fake profile, but the addition of the personalised "Why, hello there" message wasn't something I'd seen before with one of these fake profile requests. A look at the profile, and...
.....strange - not the usual fake profile hurling adverts for ringtones, Adware and who-knows-what at me. It's a bit arty, a bit daring - certainly in your face, but for once, it's not adverts and scams in your face, and that's a refreshing change. Could it all go wrong with the "About Me" text though?
Apparently not. There's no mention of the latest Viagra pills or even a webcam. This is weird. It's almost too good to be true.
Almost.
Click anywhere on the page, and (courtesy of an invisible overlay sitting on top of the whole profile, so that every click lands on it rather than on whatever you thought you were clicking)....
Doh! And we were doing so well for a while there...
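The trick on that profile is a transparent element stretched over the whole page with a high z-index, so a click meant for the photo or the "About Me" text actually hits a hidden link. The scanner below is an added example written for this post (it is not the author's code and not the profile's own markup): it walks a page's inline styles looking for exactly that combination. The profile HTML is constructed for the demo, and the ad URL in it is a placeholder, not the real destination from the screenshot.

```python
# Added example, not code from the original post: a heuristic scan of a page's
# inline styles for an invisible, page-sized, clickable overlay. The profile
# markup below is constructed for the demo; the ad URL is a placeholder.
import re
from html.parser import HTMLParser

SAMPLE_PAGE = """
<html><body>
<h1>some arty profile</h1>
<p>About me: nothing to see here.</p>
<a href="http://www.example.invalid/gallery" style="color:#f0f">my pictures</a>
<a href="http://ads.example.invalid/landing"
   style="position:absolute; top:0; left:0; width:100%; height:100%;
          opacity:0; filter:alpha(opacity=0); z-index:9999"></a>
</body></html>
"""

_IE_ALPHA_ZERO = re.compile(r"alpha\(opacity=0+\)")


def _style_props(style):
    """'a: b; c: d' -> {'a': 'b', 'c': 'd'}, lower-cased with spaces removed."""
    props = {}
    for part in style.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            props[key.strip().lower()] = value.strip().lower().replace(" ", "")
    return props


def _is_transparent(p):
    """opacity:0, or the old Mozilla / Internet Explorer spellings of it."""
    for key in ("opacity", "-moz-opacity"):
        try:
            if key in p and float(p[key]) == 0:
                return True
        except ValueError:
            pass
    return bool(_IE_ALPHA_ZERO.search(p.get("filter", "")))


def _page_sized(value):
    """100% / 100vw / 100vh, or a pixel size larger than any normal viewport."""
    m = re.match(r"([\d.]+)(%|px|vw|vh)$", value or "")
    if not m:
        return False
    num, unit = float(m.group(1)), m.group(2)
    return num >= 100 if unit != "px" else num >= 1500


class OverlayFinder(HTMLParser):
    """Record elements that are positioned out of flow, page-sized, transparent
    and clickable: the combination that steals every click on the page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        p = _style_props(a.get("style") or "")
        positioned = p.get("position") in ("absolute", "fixed")
        covers = _page_sized(p.get("width")) and _page_sized(p.get("height"))
        clickable = (tag == "a" and "href" in a) or "onclick" in a
        if positioned and covers and clickable and _is_transparent(p):
            self.findings.append({
                "tag": tag,
                "target": a.get("href") or a.get("onclick"),
                "z-index": p.get("z-index"),
                "line": self.getpos()[0],
            })


def find_invisible_overlays(html):
    """Return one dict per suspicious overlay found in the inline styles of `html`."""
    finder = OverlayFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for hit in find_invisible_overlays(SAMPLE_PAGE):
        print(hit)
```

This only reads inline `style` attributes; an overlay styled from a stylesheet or positioned by script after load needs a rendered DOM (a headless browser) rather than a parser. The heuristic is also deliberately tight on all four conditions, because a positioned, transparent element on its own is common in perfectly innocent page layouts.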
- I Just Called, To Say.......Nothing, Actually
There seems to be an odd case of dubious phonecalls taking place in the UK at the moment, but nobody can quite work out if the calls are coming from a legitimate company in need of some customer service training or a scam outfit who simply want to match your details to those on a list before selling it on to the highest bidder.
Alternatively claiming to be a representative of Halifax Bank (or First Assist, an accident insurance company), they cold call their "target" and immediately start quizzing them for personal details, apparently without prompting.
There's three whole pages of puzzled individuals here, and another extremely interesting writeup about it here.
- Beware: New MSN Messenger Password Stealing Program In The Wild
A new password-stealing kit is in circulation that lets an attacker build an infection executable with a couple of clicks. When the victim is tricked into running it, it connects back to the attacker's PC, and the attacker can then pull any MSN login details stored on the victim's machine. Here's what the attacker sees in his newly created directory after installing the infection creation tool:
Note the selection of text files that accompany the program. We've seen a growing trend for hackers to leave copyright warnings on their programs, and messages of a similar nature elsewhere. Well, the all-out branding assault continues here:
....Belgium Power? Once they're done impressing you with the technical specs of the program's creation, they continue to hit you around the head with more information:
Once you fire up the Client, you can't help but be impressed by the clean, logical layout (very reminiscent of a spreadsheet, actually):
Even better, the desire for being properly credited for their work runs wild here:
According to that screenshot, they consider their Crew name to be a Trademark, and the program itself seems to be Copyrighted (All Rights Reserved). Creating the infection file is as simple as hitting the "Build It" button - when you see this, you're ready to start pushing your infection file to the masses.
Once the attacker has sent the infection file to the victim and convinced them to execute it on their PC, the attacker will be notified like so:
At that point, the attacker simply opens up the "spreadsheet" page and sees this:

The message says "Ready for action" - so very, very true. At this point, the attacker simply opens the "Passwords" tab, hits the "Get MSN Passwords" button and is presented with all the login details stored on the PC:

We detect this as PassHax.
Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Chris Mannon, FSL Senior Threat Researcher
- Pinont.com - No Need To Panic
There have been a few discussions on security lists and forums regarding a wave of spam comments on Facebook that (for the most part) mention a site called Pinont.com. There were some theories that this might be some kind of worm attack - however, one of my researchers told me last night that a relative was apparently phished and (not long after) comments such as these started appearing from the relative's account:
As the title states, no need to panic - it's highly unlikely this is anything other than somebody harvesting accounts the old fashioned way then promoting an endless deluge of pill websites. Yes, Phishing sucks - but for now, it doesn't look like Pinont.com is the Herald of the End of Days or anything equally dramatic..
- The Spectre Of Rogue Facebook Applications, Back Once More
In January, everything went a little crazy because of a Facebook application that (if you believed the hype) force installed Zango, hijacked your PC, set fire to your house, killed your pets.....well, you get the idea. In actual fact, the truth of the matter was a little more convoluted. All I could see was that this application opened up a popup, which (every now and again) would just happen to be an advert for Zango. Hardly Earth shattering, but of course it did switch people on to the fact that they needed to be careful which applications they gave permission to access their data while on Facebook.
Well, a few months on and it looks like the BBC had a coder create an application (in three hours or less) that could swipe a whole pile of data on both you and your friends, before mailing it back home to base. I can't stress enough - when it comes to social networking sites, NEVER post anything you wouldn't feel comfortable posting on an otherwise open and accessible site such as your blog, personal website, whatever. I have pages on Myspace, Facebook, Orkut and a whole bunch of others - and there is NOTHING on them that you couldn't find elsewhere. There is no hidden treasure trove of data to mine, and so I don't care what happens to it because it's all out there in the public domain anyway. This is what I've been telling people for the longest time, and it works.
A few days ago, I talked about the oddly intrusive chat attack I experienced, and how FaceTime products can control / lock down / fire into orbit Facebook applications where necessary. To date, there haven't been any applications out there that have gone in and done all sorts of horrible and malicious things to end-users on Facebook. Personally, I've been more concerned about applications that allow people to post a seemingly endless and imaginative array of body parts in various comical situations. Nobody really wants that all over their desktop in a regular workplace environment, right? However, this seems to me to be a warning shot of sorts - a warning that we not only need to consider locking down applications that cause annoyance and embarrassment, but also to keep an ear to the ground as we await the inevitable arrival of the "I BREAK STUFF" application.
Coming soon to a Web 2.0 site near you...
- Credit Card Up For Renewal? Then Beware This Phish...
Today I received an interesting phish that only caught my eye purely because of a chance circumstance involving my credit card. What I ended up with was three websites (at least one of which has likely been hacked), two phishes and a collection of screenshots for you to look at after the jump...
Normally I ignore emails from Paypal, but because my credit card is due to expire, this one caught my eye:
"Your credit card information has been changed!
On Apr. 28, 2008, your credit card was removed from your PayPal account.
You are receiving this email notification because this email address is listed as the administrative contact email for your PayPal account. If you believe this is an error, for assistance click the link below, log in to your PayPal account and follow the instructions.
https://www.paypal.com/us/cgi-bin/helpweb?cmd=_help
Please do not reply to this email. This mailbox is not monitored and you will not receive a response.
Sincerely,
PayPal"
If I wasn't aware of phish attacks, I might have thought Paypal had a feature where credit cards that have just expired are automatically removed from their system, and logged into the fake site thinking I was about to update my details. I wonder how many people have been caught out by this? Of course, hovering over the supposed Paypal URL reveals a somewhat different final destination:
A main site (in the URL above) redirects you to a fake Paypal website at a second domain, which would be this:
The site hosting the Paypal phish has possibly been hacked, and all content has been removed save for the Paypal page:
Shall we check out what lies on the first domain performing the redirects?
That doesn't look like a scammers website. In fact, it's an Indian company that (according to one of their other websites) "is India's leading manufacturer of oleochemicals and makes more than a hundred chemicals for use in over two dozen industries."
Whoops.
Checking out the directory we're looking for gives us this:
Now, we've already seen that Redir1.html takes us to the above Paypal phish. Where does "Redir.html" take us?
Well would you look at that, another Phish page. Like the other site hosting the Paypal phish, this one seems to have been gutted too and no other content remains. The slow process of getting all these sites cleaned up now begins...
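The whole phish hinges on the gap between what the link says and where it goes: the visible text is a paypal.com URL, the href is a redirect page on somebody else's hacked site. Hovering over the link is the manual check; the script below is the same check in code. It is an added example written for this post, not the author's tooling and not anything taken from the phishing kit. The mail it parses is constructed from the quoted text above, and the redirect host in it is a placeholder rather than the real compromised site.

```python
# Added example, not code from the original post: the programmatic form of
# "hover over the link and read the status bar". It pulls every <a> out of an
# HTML mail and flags those whose visible text claims one site while the href
# goes somewhere else. The mail below is constructed; the redirect host is a
# placeholder, not the real compromised site.
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_MAIL = """
<p>Your credit card information has been changed!</p>
<p>On Apr. 28, 2008, your credit card was removed from your PayPal account.
If you believe this is an error, for assistance click the link below.</p>
<p><a href="http://compromised-site.invalid/Redir1.html">https://www.paypal.com/us/cgi-bin/helpweb?cmd=_help</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
"""


def host_of(url):
    """Lower-cased hostname of a URL ('' if it has none); bare 'www.x.y' text is accepted."""
    url = url.strip()
    if "://" not in url:
        if ":" in url.split("/")[0]:   # mailto:, javascript: and friends carry no host
            return ""
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def same_site(a, b):
    """Crude registrable-domain match: www.paypal.com and paypal.com agree.
    (Does not understand multi-label suffixes such as co.uk.)"""
    return bool(a) and a.split(".")[-2:] == b.split(".")[-2:]


class LinkCollector(HTMLParser):
    """Gather (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html, brands=("paypal",)):
    """Return (visible_text, href, real_host) for each link that lies about its
    destination: text that is itself a URL on another site, or text that names a
    brand whose domain is not where the href goes."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    bad = []
    for href, text in collector.links:
        real = host_of(href)
        if not real:                     # '#', mailto: etc.: nothing to compare against
            continue
        shown = text.lower()
        if "://" in shown or shown.startswith("www."):
            if not same_site(host_of(shown), real):
                bad.append((text, href, real))
        else:
            for brand in brands:
                if brand in shown and brand not in real.split(".")[-2:]:
                    bad.append((text, href, real))
                    break
    return bad


if __name__ == "__main__":
    for text, href, real in deceptive_links(SAMPLE_MAIL):
        print(f"shown: {text}\n  goes to: {href} (host {real})")
```

The brand check is what catches the sneakier variant where the link text is just "PayPal" but the href is something like paypal.com.somewhere-else: only the last two labels of the real host count, so a brand name buried in a subdomain does not pass. Neither check follows the redirect chain; it flags the first hop, which is all a mail filter needs.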