May 2008 Archives

I was wondering where I'd seen the website my colleague wrote about last week - turns out one of my fellow security researchers had posted a link (in a hidden forum) to a series of Youtube videos where the website was being promoted. Of course, you can't make videos clickable on Youtube, so an interesting tactic currently employed is to do this with your video instead:



Nothing says "Download me now" like a great big arrow pointing to the download link in the description. Interesting use of visual cues, there. It didn't save our enterprising file pusher though, because Google quickly whacked his account and removed his videos.

Content Match OVERLOAD

You've seen it a thousand times before in malware infections.  A Trojan Downloader that installs another Trojan Downloader which installs blah blah blah until you have a Russian Doll scenario.  By the time you notice you're being attacked, it's probably already too late.  The trojan in question here is called Trojan.Bind.

And that's just what was installed before my PC started giving me "Virtual Memory Low" messages.  The threats installed here range from a harmless hijacked start page to a new BHO in your browser to a rootkit that's designed to sniff around the network of the infected PC. Just to name a few, known threats installed by Trojan.Bind are:

IE Invoker

Most of the infections installed by this trojan are known, but there is really no perfect solution for prevention.   The best way you can prevent this from happening to you is to MIND YOUR CLICKS.  Don't click anything unless you're sure you know what it is.  Most malware these days comes from China.  So if you look down at the bottom of the browser and see "http://www.blahblah.CN" (emphasis on the .cn part) then be cautious.

The next thing you should do is make sure you have the latest definitions from your anti-virus or anti-malware application.  It is a CONTINUOUS struggle to fight all the baddies that are after your computer.  Whether it's for theft or just plain destruction, one click can lead to a disaster for you and your computer.  We currently detect and remove all the threats installed by this trojan.

INTERESTING SIDE NOTE:  While testing this trojan, the fan on my PC starting making awful noises, then subsequently passed away.  Coincidence?

There's a group of individuals firing out emails at the moment that bear all the classic hallmarks of a typical "Money Mule" scam. For those who don't know what a Money Mule scam is, the following extract from this page will be useful:

As most of the fraudsters behind these scams are located overseas and it is not possible to make cross-border transfers out of UK online bank accounts overseas, a "money mule" or "money transfer agent" is required to launder the funds obtained as a result of phishing and Trojan scams. After being recruited by the fraudsters, money mules receive funds into their accounts and they then withdraw the money and send it overseas using a wire transfer service, minus a certain commission payment.

What is the scam in question, I hear you ask? Well, it seems someone is currently targeting restaurant owners - first, making a general enquiry with regard to the price for a large party to come and have a meal. Once they have the confidence of the victim (and offering to pay in advance with a card that is likely stolen), they then mention that there is a problem with the travel agent they're using to fly out. Typically, the payment system is "broken" and so the only way they can still make it over is if the helpful restaurant owner handles the travel payment themselves (with the tempting offer of a cut of the cash).

You know it's all going to end in tears if you get sent an email with the following:

However, the prepaid agent has just informed us that their credit card merchant/terminal is faulty and is currently undergoing online upgrading and therefore cannot charge credit cards. So, we kindly solicit that once you are in receipt of my credit card details.

You are required to charge € 7000.00 in your account, then deduct € 2000.00 as initial deposit, And the transfer € 5000.00 to the prepaid flight/travel consultant, whose information I will forward to you once this is confirmed

Sounds too good to be true, and of course, it is. What will happen here is that the police (and bank) will investigate the transactions made on the stolen card, only to find 2,000 Euros sitting in the bank account of the restaurant owner, a further 5,000 Euros that have been forwarded on to a third party (posing as a "Travel Consultant") by the restaurant owner (which isn't going to go down too well with the police) and a fake reservation that they cannot fulfill (though that'll be the least of their worries at this point).

Read on after the jump to see the dialogue that took place between the scammers and the person who forwarded warning of this scam onto me...

A warning for those rummaging around on EBay looking for retro videogame bargains. I happened to see this up for sale:



A rare limited edition Dreamcast console called the R7. Time for a little history lesson? You bet.

"This version of the console was previously used as a network console in pachinko parlors in Japan. "R7" stands for "Regulation #7" (2nd provision, 1st section, number seven in the Japanese Penal Code), which regulates businesses that are deemed to affect public morals.

Originally the Black R7 Dreamcasts were Ltd Edition Japanese Dreamcasts that were used as prizes in pachinko parlors in Japan, and were previously only available through pachinko parlors. The R7 relates to the ruling in Japanese law (regulation 7) of no legal gambling! Hence they are rare to find even in Japan".

As a collector of hard to find Dreamcast consoles, I found this listing particularly interesting as it shows Belgium as the location of the item (usually, these machines don't pop up in Europe too often) and the price was extremely cheap (though the shipping cost was unusually high, which was my first clue something wasn't quite right here). I wonder how many others would have immediately gone racing for the "Buy it now" button, without bothering to notice that the seller is listed as a seller "since 28-Dec-03 in Japan".

Huh? But it gets worse. Wade through the listing and eventually you see this:

" Sega - Japanese Dreamcast Console Regulation 7 - BLACK

The box includes the Sega console, 1 controller, and the cables.

Very good overall condition and complete.

Collector's item.

EMS shipping from Japan: 55,00€"

That last part? EMS shipping from Japan. The item location is listed as Belgium, but the item itself is actually located in Japan. In all likelihood, the seller lives in Belgium but is currently staying in Asia - I actually contacted the seller about this, and amazingly they were quite happy to admit that the item is NOT in Belgium but didn't bother to update any details.

Currently this individual is selling 72 items - how many people in Europe will buy these items not expecting horrendous amounts of Import Tax and handling fees added on to their purchases? I doubt the seller would take any responsibility for paying the fees - if the buyer refuses to pay up, they're then liable for the cost of shipping the item back to Japan.

I myself have bought many items from Japan via people who live elsewhere but ship the items over - in those cases, the listings are correct and you know you're going to pay import fees. This, however, seems faintly deceptive - especially as the seller has been alerted to this problem. I can't help but think they're going to start getting an awful lot of bad feedback about this...

Misleading Download seen on TV


So I was wandering around siteadvisor and came across this site.

Orly?  What channel?  These guys have been pushing their application as a download accelerator for torrent clients like uTorrent.  According to the description seen above, it also does everything but get you a cup of coffee.  If you actually download and run the file "setupclickhere.exe" then you'll soon discover you've been had.  Instead of defying the internet and downloading at 100Mb, you'll be given a FREE hidden application that surfs to affiliate links of the designers choosing.

As you can see, the attacker has chosen these 5 links to legit sites through an affiliate network.  How are these links chosen, you ask?  Well, upon running the threat, it goes to another website where it's just a simple matter of changing the text on an HTML file (http://www.{BLOCKED}).  This allows the attacker to change which affiliate links he wants his victims to surf to in order to give the most profit.

Of course the victim is hardly aware of the attack since the pages are surfed through hidden Internet Explorer pages.  Don't panic though!  If you think you've been infected by this program you can run our extremely nifty online scanner!  We detect this threat as HighSpeedTorrent.



The owners of this site about hacking must have some confidence in their hosts if they're under a DDoS attack but are still allowing their registered users on the forum. Perhaps they should consider sending out "BRB DDoS Attack" messages via Twitter to all their members...
A new one to watch out for - a random friend request which turns out to be a page littered with horrendous spelling mistakes and the promise of getting rich quick:



Some of the better ones include "Ah Now Dont Give Me that Griny Smile huh ..!", "I was Enving him" and my personal favourite, "Look Here i am sharing this with all Myspacian's".

..........oh-kay. Clicking the link takes you to a paid survey site, which throws up a popup saying "I will NEVER share your information with ANYONE! I hate spam as much as you do."

Someone should tell that to whoever signed up to their affiliate program...
How many times have you seen that message appear in your life? If I had a nickel for every time I saw this message I would not be writing this blog. I would be playing golf in Florida or I could afford a full tank of gas instead of just getting a quarter tank.

It may be easy for some of us to see an infection and remove it ourselves but the vast majority do not understand what is happening when they see a message saying "You're infected!" They think they are truly infected and that this message is a savior, a digital deity, if you click here and scan, everything will be made right in the world again. The "digital deity," of course, needs money first, ranging from $29.99 - $79.99. This money will invoke the powers of his binary goodness and he will cleanse your pc from all wrong.

Not hardly! This kingly donation should never take place. You should close that web browser. Do not place your mouse on the browser to close it. Use the ALT + F4 method, which will generally close any active window or program. You can ALT + TAB between active running programs. Some of the messages do not arrive via your browser, but rather from your pc itself. You may get a message from your system tray.

Some of my favorites are:

Warning! Spyware detected on your computer.
Click here to remove all Spyware and viruses immediately.

Protect your system today.

Warning: Your security and privacy are at risk!
Message:  Spyware has been detected on your computer.
Click here to run a full system scan to protect your PC.

By the time you see these messages, you are already infected. The message should read "Got Trojan?"

Do not panic, but it is time for action. There are still good programs in this world! Users can purchase reliable Anti-Spyware programs. There are also great sites on the internet for you to take advantage of at no cost to you.

The sites listed above are just two examples. There are many sites dedicated to help rid us of the "Digital Deity." Remember, do not give in to the temptation of clicking on a "Click here to run a full system scan to protect your PC" message. That temptation could lead to someone asking for a donation. And right now, gas prices are just too high for good working folks to donate :)

All Change Continued

The search functionality and commenting is now back up and running. As Mr. Boyd has mentioned before, due to the major site change please let us know if something is not working as expected. 
"He claimed to *work* for a charity that runs homeless hostels. It turned out he was a 'guest' there and was thus breaking the hostel's rules by trading from his accommodation.

The charity have been helpful and rung me several times to resolve the issue and have issued him with a warning.

I don't want him made homeless over this, though. I just want my money back and steps made by eBay to ensure that no one else has to go through the same hassle."

Strap yourselves in and take some time to read all 19 pages(!) of what has to be one of the worst EBay experiences I have ever seen. Just when you think it can't get any worse for the buyer - it does. Spectacularly. As a starting point, you may want to digest this blog entry to get a general overview of what caused this mess. It should be said, the EBay "Customer Service" on display here is absolutely dreadful - I hope it's not like this every time something goes wrong with a purchase...
Comic writer and commentator Kevin Church notes a particular kind of spam attack over at a well known comics blog. Hadn't actually seen this in action before...

MSNAgent attempts to hide from security analysts


Recently I came across a threat facing MSN messenger users that employs extremely devious means of infection.  The actual executable for this MSN worm is hidden in a .jpg file.



The reason there is no preview available is that this isn't a picture, but executable code in the guise of a picture file.


The thing that makes this so interesting is the lengths to which the attacker is willing to go in order to hide from detection by commonly used security applications.  Only by using certain tools can you see the threat running behind the scenes.  Here you can see an ominously almost-legitimate-looking application running called "MSNAgent".



MSN Agent starts up when the computer boots up.


MSNAgent has the ability to connect to a remote server for the purposes of stealing your MSN username and password.  The file "gf1008.exe" is originally saved in the Temporary Internet Files to avoid too much suspicion.  It's on the Desktop in this example for the purposes of testing.



This is shown to the user whenever the computer is restarted.


Taking a closer look at gf1008.exe shows you the following:


You can see here that this file is directly related to the autostart value "MSNAgent".  It also shows us that it's trying to make a connection to a remote server as well as get the user to change their password, presumably for the purpose of phishing the user.



Attempting to find this threat running with other free security apps might be a problem.








MSNAgent can't be found in the registry through traditional means either.


Hijackthis is one of the common security applications used to verify if there is an infection when users try to get help from other users on a forum.  Most of the time, Hijackthis is the first step when trying to find the threat.


Never fear though.  We detect this threat as MSNAgent.  Using our Microscanner should reveal if you are currently under surveillance.

All Change Part Deux

As Mr. Boyd has previously noted, we are going through an overhaul on the site. As of right now the searching and commenting sections are not functioning properly and we apologize for the inconvenience.

All Change

As you might have noticed, the SpywareGuide Blog has had a facelift - we're still tweaking a few things so please let us know if you see anything weird happening!

The fake Windows Update popup has been doing the rounds on Myspace for a long time (we're talking at least June 2007). Every now and again it returns, usually varying the payload. Well, here we have an example where Phishing is involved and a sneaky imitation of a well known security program is thrown in for good measure. Find out more after the jump...

OKOK.exe is not okay - okay?


The biggest threat companies are facing today is corporate espionage. Even the most secure networks aren't 100% safe, but there are ways network administrators can spot a worm or attacker before the damage is done. Recently I came across a worm that has the potential to send the internal infrastructure of a network to the attacker by using a service related to Backdoor.CVM.
The infection begins like it usually does. Someone clicks something they shouldn't. Regardless of how it happens, the results are the same.
You can expect to see this many added/modified files across your network if this worm has its way.

The worm's first order of business is to contact the site hosting the malicious content. This particular variant of this threat phoned home to http:// Once there it downloads 34 executable files, the last of which being okok.exe. Once okok.exe is saved to the infected machine as C:\Windows\System32\Microsoft\svchost.exe it sends out an ARP broadcast to map the network.
Svchost.exe (okok.exe) sends out an ARP broadcast across the network.

After that it's only a matter of time until more and more computers on the network start displaying similar network activity. We detect this threat as OkOk.
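The two behaviours described above (a svchost.exe dropped outside System32, and one host ARP-sweeping the subnet) can both be checked from the defender's side. This is an added example, not code from the original post or from the SpywareGuide team; the process paths and the tcpdump-style ARP log lines are constructed samples, and that log layout is an assumption.

```python
"""Flag a svchost.exe running from a non-standard directory and a single host
sending ARP requests for an unusual number of distinct addresses."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The genuine Windows svchost.exe lives directly in System32 (or SysWOW64 on
# 64-bit systems). Anything else using that name deserves a closer look.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def suspicious_svchost(process_paths):
    """Return the image paths named svchost.exe that sit outside System32."""
    flagged = []
    for path in process_paths:
        norm = path.lower().replace("/", "\\")
        directory, _, name = norm.rpartition("\\")
        if name == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
            flagged.append(path)
    return flagged


# Assumed log line layout (tcpdump-like, constructed for this example):
#   2008-05-20 10:00:01 ARP, Request who-has 192.168.1.3 tell 192.168.1.50
ARP_LOG_RE = re.compile(r"^(\S+ \S+) ARP, Request who-has (\S+) tell (\S+)$")


def parse_arp_line(line):
    """Return (timestamp, sender, target) for an ARP request line, else None."""
    m = ARP_LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(3), m.group(2)


def arp_scanners(lines, window=timedelta(seconds=10), threshold=20):
    """Map sender -> max number of distinct targets it asked about inside any
    sliding time window, keeping only senders at or above the threshold.
    A normal host resolves a handful of peers; a host walking the whole
    subnet in seconds is mapping the network."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_arp_line(line)
        if rec:
            ts, sender, target = rec
            events[sender].append((ts, target))
    result = {}
    for sender, recs in events.items():
        recs.sort()
        best, start = 0, 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            best = max(best, len({t for _, t in recs[start:end + 1]}))
        if best >= threshold:
            result[sender] = best
    return result


def build_sample_log():
    """Constructed sample: one infected host sweeps .1-.40 in a few seconds,
    one normal host resolves two peers half a minute apart."""
    base = datetime(2008, 5, 20, 10, 0, 0)
    lines = []
    for i in range(1, 41):
        t = base + timedelta(milliseconds=100 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} ARP, Request who-has 192.168.1.{i} tell 192.168.1.50")
    lines.append(f"{base:%Y-%m-%d %H:%M:%S} ARP, Request who-has 192.168.1.1 tell 192.168.1.7")
    later = base + timedelta(seconds=30)
    lines.append(f"{later:%Y-%m-%d %H:%M:%S} ARP, Request who-has 192.168.1.20 tell 192.168.1.7")
    return lines


if __name__ == "__main__":
    # Constructed process list: the dropped copy uses the path named in the post.
    procs = [r"C:\Windows\System32\svchost.exe",
             r"C:\Windows\System32\Microsoft\svchost.exe"]
    print("svchost outside System32:", suspicious_svchost(procs))
    print("ARP scanners:", arp_scanners(build_sample_log()))
```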

Scare Tactics


Here's a curious file that relies on the power of a shock to the system for anyone wanting to indulge in some hacking and cracking action. Namely: stealing MSN Messenger passwords.

Upon firing up the "program" (which is actually a batch file, giving some hint as to the actual nature of the payload), the user sees this:


Seems too good to be true, doesn't it? Sure enough, a few seconds later and...


At this point, the end-user silly enough to run this file is probably thinking their PC is going to go up in flames - however, nothing actually happens and your PC will continue to function as normal. Has someone created this to deter wannabe hackers from jumping on the "steal everything" bandwagon? Or is this just a gag by hackers at the expense of noobish newcomers?

(Additional Research: Deepak Setty, FSL Senior Threat Research Engineer)

If you got this in your mail, would you be curious?

Subject: UN Diplomatic Passport & Swiss Private Bank Accounts

Union Privacy Ltd

Union Privacy group is the world's largest provider and expeditor of global travel documents and passports. We service people, companies of all sizes, from small neighborhood businesses, to large tour and cruise ship operators, to most of the FORTUNE 500. Union Privacy has the unique advantage of offering clients the best of all worlds - highly trained visa and passport professionals combined with attention to flexible, responsive service.

We offer Comprehensive guide to obtaining second passports and citizenships, camouflage passports, new identities, legal residency and more.

Through our long time reliable and trusted contacts at governmental level, we are finally able to offer a genuine United Nations Diplomatic appointment and passport from a respected UN member country. Also you can take part in our Passport Programs for your Second Passport (even with New Identity).

I certainly was. Find out what happened after the jump...

As you might imagine, I'm registered on a lot of social networking sites - a lot of the time, just to see what's coming through in terms of hijacks, adverts, scams etc. I've been registered on for a long time, but never seen anything strange come through. Until this morning, that is, when I found out I had a message waiting from Janet Jackson.

As you do.


Something tells me this isn't Janet inviting me to sing with her at the next Superbowl...

....whoops. I doubt this is the start of an endless barrage of ringtone spam and free iPods, but it'll be interesting to see if I get anything else like this. Have spammers worked out a way to game Wayn? Have I just been lucky so far? Or have they only just started targeting the site? No idea. I'm still up for singing at the Superbowl though...

Here's another fake Instant Messaging application from the creator of the fake Google Talk program currently in circulation. This time round, the victim is MSN Messenger:

Clicking the "Sign In" button opens up a smaller popup - asking you to fill in your .NET Passport details. Of course, filling in your details will result in a fake "Service could not be found" message. Once you leave the PC, the attacker happily wanders over, browses to the C Directory and steals your login details.

These programs seem to be flavour of the month at the moment...

We're still trying to pin down exactly how new this is, but it seems someone has released a fake Google Talk application into the wild.

Compare the fake application on the left with the real thing on the right, and note the differences:


Immediately, we can see that the real thing has a rounded curve at the top - the fake is blocky, and looks like a regular Windows application box. There's an "Inbox" link at the top when you start up the fake application - there isn't a link like that when firing up Google Talk for the first time. The Username / Password box is much lower down on the fake application, and (again) the real "Sign In" button is curved on the real application. Finally, you'll see "Forgot your account / Don't have an account" on the genuine Google Talk program - not so on the fake.

How does this work?

Well, the program doesn't connect to the Internet - for this attack to be successful, the hacker needs physical access to a PC that lots of people use. Could be a workplace PC, could be in a school, library, Net Cafe - anywhere where it's possible to run an executable file then retreat to a safe distance while the potential victim sits down and thinks "Just need to check something on IM..."

Assuming the victim enters their login details into the fake application, they will immediately see a fake error message, and probably think no more of it:


Once they've finished whatever they were doing and left the PC, the attacker only has to sit down and browse to the C Drive where they'll see this:


As you probably guessed, any and all login details typed into the fake application will be stored in this text file:


We detect this application as Fake Googletalk.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Chris Mannon, FSL Senior Threat Researcher

We did fix it - but something went horribly, horribly wrong somewhere and the comments broke again.


Anyway, the fresh deluge of Viagra spam in my mailbox tells me the comments are now 100% up and running once more. I'm now going to sit in the corner and cross my fingers...



Hackers are not only harnessing the power of memes in a big way, they are (in some cases) having their creations dictated to them by whatever the passing fad happens to be at the time. A pretty strange turnaround, but it's all down to the popularity of various warring factions on the web that are increasingly attracting a hacking community. Witness the rise of Anonymous, Project Chanology and a host of others, many of whom "borrow" Memes from sites such as 4Chan, then argue over who created what meme first.

Well, read on to see an example of a DDoS tool riddled with memes just so it'll gain acceptance from the target audience (complete with built in radio and chat functionality, just to keep the "Partyvan" mentality going a little longer) after the jump. By the way, there's no getting around this - many Internet memes are (by their very nature) cruel, vile and offensive. This makes the nature of explaining some of these memes slightly tricky, and (as this is a safe for work blog) kind of makes it difficult to link to source material without making you go blind. As such, anything that might cause your boss to yell at you has been labeled not safe for work. And with that out of the way....

It's A Trap!


I had this waiting for me in my Myspace friend request box today:


...uh. I had pegged this as a standard fake profile, but the addition of the personalised "Why, hello there" message wasn't something I'd seen before with one of these fake profile requests. A look at the profile, and...

.....strange - not the usual fake profile hurling adverts for ringtones, Adware and who-knows-what at me. It's a bit arty, a bit daring - certainly in your face, but for once, it's not adverts and scams in your face, and that's a refreshing change. Could it all go wrong with the "About Me" text though?


Apparently not. There's no mention of the latest Viagra pills or even a webcam. This is weird. It's almost too good to be true.


Click anywhere on the page, and (courtesy of an invisible overlay)....

Doh! And we were doing so well for a while there...

There seems to be an odd case of dubious phonecalls taking place in the UK at the moment, but nobody can quite work out if the calls are coming from a legitimate company in need of some customer service training or a scam outfit who simply want to match your details to those on a list before selling it on to the highest bidder.

Alternately claiming to be a representative of Halifax Bank (or First Assist, an accident insurance company), they cold call their "target" and immediately start quizzing them for personal details, apparently without prompting.

There's three whole pages of puzzled individuals here, and another extremely interesting writeup about it here.

A new hacking program is in circulation that lets hackers create executable files easily and with no fuss. When the victim is tricked into running the infection file, a connection is made to the attacker's PC and they can steal any MSN login details stored on the PC. Here's what the attacker sees in his newly created directory after installing the infection creation tool:


Note the selection of text files that accompany the program. We've seen a growing trend for hackers to leave copyright warnings on their programs, and messages of a similar nature elsewhere. Well, the all-out branding assault continues here:


....Belgium Power? Once they're done impressing you with the technical specs of the program's creation, they continue to hit you around the head with more information:


Once you fire up the Client, you can't help but be impressed by the clean, logical layout (very reminiscent of a spreadsheet, actually):

Even better, the desire for being properly credited for their work runs wild here:

According to that screenshot, they consider their Crew name to be a Trademark, and the program itself seems to be Copyrighted (All Rights Reserved). Creating the infection file is as simple as hitting the "Build It" button - when you see this, you're ready to start pushing your infection file to the masses.

Once the attacker has sent the infection file to the victim and convinced them to execute it on their PC, the attacker will be notified like so:


At that point, the attacker simply opens up the "spreadsheet" page and sees this:


The message says "Ready for action" - so very, very true. At this point, the attacker simply opens the "Passwords" tab, hits the "Get MSN Passwords" button and is presented with all the login details stored on the PC:


We detect this as PassHax.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Chris Mannon, FSL Senior Threat Researcher

There have been a few discussions on security lists and forums regarding a wave of spam comments on Facebook that (for the most part) mention a site called There were some theories that this might be some kind of worm attack - however, one of my researchers told me last night that a relative was apparently phished and (not long after) comments such as these started appearing from the relatives account:


As the title states, no need to panic - it's highly unlikely this is anything other than somebody harvesting accounts the old fashioned way then promoting an endless deluge of pill websites. Yes, Phishing sucks - but for now, it doesn't look like is the Herald of the End of Days or anything equally dramatic..

In January, everything went a little crazy because of a Facebook application that (if you believed the hype) force installed Zango, hijacked your PC, set fire to your house, killed your pets.....well, you get the idea. In actual fact, the truth of the matter was a little more convoluted. All I could see was that this application opened up a popup, which (every now and again) would just happen to be an advert for Zango. Hardly Earth shattering, but of course it did switch people on to the fact that they needed to be careful which applications they gave permission to access their data while on Facebook.

Well, a few months on and it looks like the BBC had a coder create an application (in three hours or less) that could swipe a whole pile of data on both you and your friends, before mailing it back home to base. I can't stress enough - when it comes to social networking sites, NEVER post anything you wouldn't feel comfortable posting on an otherwise open and accessible site such as your blog, personal website, whatever. I have pages on Myspace, Facebook, Orkut and a whole bunch of others - and there is NOTHING on them that you couldn't find elsewhere. There is no hidden treasure trove of data to mine, and so I don't care what happens to it because it's all out there in the public domain anyway. This is what I've been telling people for the longest time, and it works.

A few days ago, I talked about the oddly intrusive chat attack I experienced, and how FaceTime products can control / lock down / fire into orbit Facebook applications where necessary. To date, there haven't been any applications out there that have gone in and done all sorts of horrible and malicious things to end-users on Facebook. Personally, I've been more concerned about applications that allow people to post a seemingly endless and imaginative array of body parts in various comical situations. Nobody really wants that all over their desktop in a regular workplace environment, right? However, this seems to me to be a warning shot of sorts - a warning that we not only need to consider locking down applications that cause annoyance and embarrassment, but also to keep an ear to the ground as we await the inevitable arrival of the "I BREAK STUFF" application.

Coming soon to a Web 2.0 site near you...

Today I received an interesting phish that only caught my eye purely because of a chance circumstance involving my credit card. What I ended up with was three websites (at least one of which has likely been hacked), two phishes and a collection of screenshots for you to look at after the jump...

About this Archive

This page is an archive of entries from May 2008 listed from newest to oldest.
