July 2008 Archives

Yep, here's another one of these things.

This time round, the site is called

whosthatt(dot)com

and it popped up a message to one of my testing accounts a little earlier on. So far, there's nothing about it in Google save for this one entry. Remember, kids - just say no...

Myspace Drive By

Spotted in the wild (like they're spotted anywhere else!)

Apparently the following happened while someone tried to view a blog post:

msdb1.jpg

A fake "your system may be infected" popup. Note the site it launches from is one of the more aggressive types (it shrinks your browser down into the bottom corner, and won't let you do anything other than cycle in an endless loop of popups until you agree to download the file being pushed).

These kinds of attacks occur because rogue adverts are pushed into legitimate advertising space, which is likely what happened here. If you are unfortunate enough to be trapped by an attack like this, don't panic, and don't click anything inside the popup (the "close" and "cancel" buttons are frequently part of the advert itself) - just bring up Task Manager with CTRL+ALT+DEL and end the browser process...

Easy Google Income

Here's an interesting piece of spam trying to cash in on the Google name that could wind up being quite costly for anyone willing to take a chance and see what it's all about. This was sent to one of my friends:

goffer0.jpg

Is it a good thing or a bad thing that the office is based in the West Indies and to unsubscribe your email goes to Romania? At any rate, they don't seem to want my patronage - unfortunately, I'm not particularly interested in free iPods or a Nintendo Wii so a few clicks later and I'm where I should be:

goffer2.jpg

At the bottom of the page, it says "Google does not sponsor, endorse, and is no way affiliated with Easy Net Income or this promotion."

Well, they could have fooled me what with all the Google material they've splashed across the site. The quote in the box is interesting, too: "Riches range from a few hundred dollars a month to $50,000 or more a year".

Go hunting on USA Today though, and the quote doesn't have anything to do with something called "Easy Google Income" - it's to do with Adsense. Bits missing have been reinserted and bolded:

"Tales of AdSense riches range from a few hundred dollars a month to $50,000 or more a year, though high-dollar paydays are rare. They require a Web site with tons of traffic and the ability to put in 18-hour days working the system."

I think the missing parts are kind of important, don't you? Of course, the CD title clearly makes you think you're going to get some mysterious money magnet, but stops short of telling you whether it would be a program, ebook or magical leprechaun.

In fact, what happens is that you apparently sign up for the CD at the cost of subscribing yourself to some kind of "free trial" - at the end of which, you have to pay $39.90 a month for access to training courses from "Internet Wealth University" (I swear I'm not making this up). There's also an "activation fee" charged immediately to the card you subscribe with, though I'm guessing you only enter your card details once you've entered your name / address and moved on to the second page (which I'm not about to do, in case you were wondering).

Internet Wealth University must have an awful lot of poor students, going by the problems people are having unsubscribing.

"When you try to call the company, you get an automated answering system that tells you all representatives are busy and then puts you on hold-forever, or they disconnect you after 5 minutes!"

Indeed, there are quite a lot of people wondering what this is all about, including the inevitable concerns over billing issues.

Our advice? Steer well clear. There is a lot of money up for grabs here, but it's all being netted by the people running these websites. Their customers don't appear to be so lucky...

This is pretty interesting.

"The result was a 416-page novel about two parents who reluctantly install spyware on their 16-year-old son's computer in an an attempt to determine why he has become moody, withdrawn and hostile."

Anybody read this?
4chan, the popular imageboard website, is currently under heavy DDoS attack (as you might have guessed from the title!). From their status page:

The site is still down due to an ongoing DDoS attack.

Remember kids: DDoS is cruise control for cool.

UPDATE: Well, we're still down. Unfortunately, there is very little (read: nothing) that can be done about a 3-5Gbit DDoS attack.


No word yet on who is behind it, but will post updates if more information comes to light.
In the last few days, we've discovered a program that attempts to get around certain privacy related features on Myspace groups (which are effectively mini-forums run by Myspace users). Note that the program doesn't attempt to do anything to individual end-users like infect their PC - and as long as you're not posting up personal / private information to Myspace groups that you don't want to risk being grabbed by nefarious individuals, you have nothing to worry about. (As a general rule of thumb, you shouldn't post sensitive information to any third-party website in any case, but that's another story).

We're not posting up any additional information at this time, because we don't want to cause a mass stampede by people to grab the files in question and start using them left, right and center until Myspace has had a chance to tackle the problem.

For now, we've passed on everything to Myspace and hopefully they'll be able to resolve this speedily.

Smash and Grab

Ever wondered how much damage can be caused with what is likely a few well-placed keyloggers and trojans?

Well, this is probably a good (bad?) place to start.

"Also while that was happening the person who stole my GoDaddy account also stole our paypal accounts and charged several thousand dollars to us. PayPal is working to get that money back, so far about 600.00 was retrieved but we are still waiting for news on the other funds."

Ouch....


Homer's Odyssey

Well, it's been a pretty busy week here as Homer Simpson + Malware = quite the commotion.

It started off with USA Today, VNUNet and CNET, then appeared on Slashdot over the weekend. After that, the sheer joy at being able to use Homer Simpson pictures in tech-related writeups was evident. Who would have thought it would finish off with Matt Selman himself (the Simpsons scriptwriter responsible for the whole "Chunkylover53" phenomenon) writing about the situation?

Pretty nuts. Heck, I even got to do a four minute Podcast that (from what I've been told) goes out to around 100 radio stations in the States. I think the closest I got to crossing security with popular culture previously was ye olde net-war (that revolved around a "stolen" picture of Lindsay Lohan - long story), but this one has Homer Simpson in it so clearly it wins by default.

However, what a lot of people might have missed - in fact, I nearly missed it myself - was something that appeared shortly before the plug appeared to be pulled on poor old Homer. Here's a screenshot of his previous message history - you can see how many times it was constantly changing:

hmess1.gif

Here's the final message I saw before the lights seemingly went out on Homer:


krhomer.jpg

That message is particularly interesting, because it refers to a group of individuals who were involved in this Comcast hack not so long ago. Were they involved here? Or are the real culprits simply blaming someone else?
Television often relies on fake codes, phone numbers and addresses to make up part of its fictional worlds. Sometimes, it can go slightly wrong - how many people tried to call Doctor Who last week?

D'oh.

Actually, "D'oh" is rather appropriate here. In an old episode of The Simpsons, it was revealed that Chunkylover53@aol.com was Homer's email address. Of course, Simpsons fans galore with net access immediately added "Chunkylover53" to their AIM contact lists. As this article points out....

Homer's e-mail address chunkylover53@aol.com, as seen on EABF03, was registered by writer-producer Matt Selman, who also replied to e-mails from fans testing it. "He logged in the night that the episode aired and it was immediately filled with the maximum number of responses. He's tried to answer every one of them and then as soon as he answers a hundred, a hundred more pop in," Al Jean told the New York Post in January 2003.

What's interesting here is that as far as I'm aware (and please, correct me if I'm wrong), the AIM screen-name "Chunkylover53" is not necessarily connected to the "official" chunkylover53@aol.com email address - anyone could have set up that AIM screen-name, using whatever email address they feel like. However, people will naturally add "Chunkylover53" to their AIM contacts thinking it will be the "real" Homer. This is where the problems set in.

The "Chunkylover53" AIM screen-name hasn't logged in for quite some time, apparently. Imagine the puzzled expressions worn by Simpsons fans when, all of a sudden, the account came back to life in the last few days with this in their "Away" message....

kimya0.gif

...yes, "Homer" has seemingly returned, and he comes bearing infection files!

Of course, the "exclusive Simpsons episode" is nothing of the kind - what you actually download is a file called "Kimya.exe", about 150kb in size, and it looks like this:

kimya1.jpg


Run the file, and you won't see a new Simpsons episode - you're actually more likely to see this:

kimya2.jpg


....a strange error message that mentions "photos" (probably fake), followed by lots of real error messages as most of your desktop fails, leaving you with an entirely blank screen:

kimya3.jpg


kimya4.jpg

Click to Enlarge (if you really must!)

From this point onwards, the PC will likely need a reboot and will be sluggish until cleaned up, constantly throwing out error messages, crashing when attempting to open Windows Explorer etc.

Now, given that the infection links are being passed around via IM Away messages, there was always going to be the possibility of an Instant Messaging worm attack. However, a lot of testing has taken place and so far, we haven't seen any malicious messages or URLs sent via AIM or MSN Messenger.

That's no reason to get complacent though, because what we have seen taking place is possibly quite a bit worse. First of all, a number of hidden files are dropped onto the PC, including Rootkit technology (which the bad guys have helpfully pointed out in the code):

rootkitkim.jpg


Worse, your PC is deposited into a Botnet of Turkish origin - here's the giveaway traffic stream via an Ethereal log:

kimyabots.gif


....awaiting further instructions from the Botnet C&C server. This particular Botnet has been around since March of this year. The Turkish connection is interesting, because I haven't seen too many Turkish Botnets - and there's been quite a surge in hacking activity from Turkey recently (most notably the DNS attacks on Photobucket and ICANN by NeTDevilz).
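A host-side counterpart to the traffic capture above, added here as an example (it is not code from the original post or from FSL): instead of waiting for a packet capture, list the established outbound TCP connections on a suspect Windows box and flag the ones owned by a process whose binary is unsigned or runs from outside the Windows and Program Files directories. It assumes a Windows 8 / Server 2012 or newer host (for Get-NetTCPConnection) and an elevated session so process paths are readable; the trusted-directory list is an assumption, not anything the post specifies.

```powershell
# Added example, not from the original post. Triage established outbound TCP
# connections and flag those owned by unsigned binaries or binaries that live
# outside the Windows / Program Files trees. Requires Get-NetTCPConnection
# (Windows 8 / Server 2012+) and an elevated session.

function Get-SuspiciousOutboundConnection {
    [CmdletBinding()]
    param(
        # Directories we consider "normal" homes for networked software.
        # Assumption for this example; tune per environment.
        [string[]]$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )

    # Index processes by PID once instead of calling Get-Process per connection.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
        ForEach-Object {
            $conn = $_
            $proc = $procs[[int]$conn.OwningProcess]
            $path = if ($proc) { $proc.Path } else { $null }   # null for protected processes

            # Is the binary under one of the trusted roots?
            $inTrusted = $false
            if ($path) {
                foreach ($root in $TrustedRoots) {
                    if ($root -and $path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                        $inTrusted = $true
                    }
                }
            }

            # Authenticode status of the owning binary ('Valid' is the only good answer).
            $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }

            [pscustomobject]@{
                Process    = if ($proc) { $proc.ProcessName } else { "pid $($conn.OwningProcess)" }
                Path       = $path
                Remote     = "$($conn.RemoteAddress):$($conn.RemotePort)"
                Signature  = $sig
                Suspicious = (-not $inTrusted) -or ($sig -ne 'Valid')
            }
        } |
        Where-Object { $_.Suspicious }
}

Get-SuspiciousOutboundConnection | Format-Table -AutoSize
```

A drone waiting on its C&C typically shows up as a long-lived connection from an unsigned binary in a temp or application-data folder, often to a port nothing legitimate on the box uses. Signed malware and legitimately unsigned software both exist, so treat the output as a triage list to check against the Ethereal capture, not as a verdict.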

Finally, the infection drops a number of other files onto the PC besides the Rootkit, which are seemingly related to a new variant of this Chinese infection.

It's worth noting that there may only be Instant Messaging infection links sent out if the person running the Botnet Command Center decides to issue all the drones with such a command - so while we haven't seen any IM infection activity, it would be wise not to rule it out completely. We recommend infected users keep an eye on all Instant Messaging activity until they can clean the infection from their computer, just in case.

Whoever is responsible for these messages has changed them a couple of times already - last night, the download link had been updated to look like this:

kimya66.gif


...and it currently advertises a link for a dating website:

chunkyaway.jpg


We've reported all links related to this attack, and at least two of the files claiming to be "exclusive Simpsons episodes" are currently offline, though there's bound to be more out there. For now, this is a good reminder to be cautious when randomly adding cool things seen on TV and film to your online applications - you can't always assume the person at the other end is entirely in control, or indeed, related to what you're looking for in the first place.

We detect this infection as Kimya.

Additional Research: Chris Mannon, FSL Senior Threat Researcher
Deepak Setty, FSL Senior Threat Research Engineer

Twitter Spam

The plan - to grab as many followers as possible:

tspam1.jpg


...then when you think you have enough of them (admittedly, our spammer here is settling for a less-than-grand total of 56), send them....

tspam2.jpg


.....some spam. In this case, the spam is for a website showing you how to "run your car on water". Well, it's better than viagra ads I guess. Here's a good article which covers some more Twitter spam.

This is a particularly strange hijack that typically begins with the following file opened up from the web:

sys0.jpg


If the file is allowed to execute on the PC, you may well see the dreaded Blue Screen Of Death (or BSOD to its friends).

However, all is not what it seems. While the end-user is faced with the horrors of the BSOD, behind the scenes malware is installing by the bucketload. How is this possible, I hear you cry? Surely if the PC has crashed, nothing can be installing?

Not in this case, because the blue screen of death is fake - to be more accurate, the bad guys have taken Sysinternals' BlueScreen screensaver (a legitimate tool that merely imitates a crash) and bundled it in with the hijack files. This is what the .scr file looks like on the PC:

sys1.jpg


And this is what you see if you explore the code:

sys2.jpg


It seems the bad guys are not without a sense of humour. Hiding a blizzard of infection file installs behind a legitimate screensaver created by a security expert is pretty bizarre. Here is the registry entry created:

sys6.jpg

Meanwhile, here are just some of the files installed onto the PC during the download:

sys5.jpg

The PC pretty much grinds to a halt while all of this is taking place:

sys7.jpg


When the computer finally comes back under your control, you can expect to see numerous warnings related to fake antispyware programs appearing all over the desktop:

sys8.jpg

sys9.jpg

sys10.jpg


Collectively, we detect the various bundles on offer here as Fake.AV and Smiddy.

Discovery and Research: Chris Mannon, FSL Senior Threat Researcher
A fresh wave of spam messages related to the website covered here have started popping up on MSN Messenger clients. Avoid the following domains:

get-that-stuff.info
imagefrosty.info
hostapic.info
I've often highlighted the utterly worthless spam messages that seem to endlessly circulate on Facebook, usually warning not to add (insert random name here) because they're an evil hacker and will destroy your PC, kill your family and so on.

Well, today I came across another such message:

norris1.jpg


.....insert gag about them being related to Chuck here....but underneath that message was something far more interesting:

norris2.gif


Sounds serious, right? It also seems personal, because it's their friend who is missing, which adds a little more urgency - they provide a contact email address to notify them on, and the message cites a real-world example of someone who went missing and was found via the Internet.

However.

Dig into this a little, and it quickly becomes clear that something isn't quite right here. For starters, search for the missing person's name and there is no mention of him ever "going missing". Nothing on websites, news pages... it's like the whole thing is a work of fiction. In fact, buried in unrelated entries is the following snippet from a page on myyearbook.com:

norris3.jpg

Check out the name of the "hacker" you shouldn't add. It seems someone has simply swiped the name and started pasting it into spam messages. A quick search of Facebook confirms the name and face go together.

A quick search for the email address listed as a contact brings up more interesting posts, this time posted to a personal blog:

norris5.gif

Same text....same reference to "real world" example....same email address. This person sure does get through a lot of missing friends! Note that this "missing person" chain letter has now stepped outside of Facebook and into other websites and networks.

At this point, you're probably wondering about the validity of the "real world" example, aren't you? Well, that would be a good idea! Notice they don't give any detail - it simply says "That is how the girl from Stevens Point was found by circulation of her picture on TV", and expect you to accept it as is. If you go searching for that phrase, it doesn't take long to find a page on Snopes.com regarding a missing girl hoax that stretches back some years:

"Please look at the picture, read what her father says, then forward his message on. Maybe if everyone passes this on, someone will see this child. That is how the girl from Stevens Point was found by circulation of her picture on tv..."

An email hoax, wrapped up and repackaged for the Facebook generation.


I've had a few people mention "odd things" happening when trying to install an application on Facebook called "Gridview". Well, I decided to try it out. On the install screen, you see this:

gview7.jpg

Makes sense so far. Here's the install screen where you agree to let the application loose on your profile:

gview8.jpg

Once done, you see the following screen and this is where it all starts to go a bit wrong:

gview6.gif

Note that the application is ALREADY installed by this point, because the Gridview icon is on your list of current applications (highlighted by the red box on the left).

However, top right (also highlighted) is a box made to look like a standard Facebook "continue" button. When installing the application for the first time, this caught me out too - I didn't notice the app was already installed and (naturally enough) clicked the "continue" button, thinking there was something else I needed to do to complete the installation.

Imagine my confusion, then, when I was suddenly presented with this:

gview2.jpg

A page asking me to download "Mothers Day E-cards", via IAC (creators of Smiley Central, amongst other things). By this point, you've left the Facebook network completely and are sitting on a page served up by an advertising network - go back to the Facebook screenshot above and check out the URL at the bottom of the browser. That's the actual destination of the "Continue" button.

That's a pretty sneaky tactic, if you ask me.

What needs to be established is, who is responsible for the placement of the fake "Continue" button? Is it the creator of the application, or is it legitimate advertising space on Facebook being subverted in a rather creative fashion by an advertising agency promoting IAC products?

I've tried reinstalling the application a few times, and the graphic displayed sometimes changes to more overt "this is an advert" style banners leading to other sites offering similar downloads / offers. Other applications installed don't seem to display sneaky adverts like that in the same location, but every application install is somewhat different so that's not really a conclusive answer.

At any rate, be wary of what you click on when installing Facebook applications...
I saw an interesting post over at Anti-Virus-Rants today, where Kurt Wismer linked to an article regarding content scraping. In essence, the site doing the scraping (Security Ratty) ended up with "Security Ratty is a slimy, content stealing thief" on the front page. I find this interesting, because not so long ago I'd considered doing something similar with one of those fake security spam blog things that lift the content and splatter a ton of adverts on their site, while removing correct attribution.

Instead, I decided to do a little digging and quickly traced it back to a guy running a whole network of various sites, blogs and other networks. However - something didn't seem quite right. For all intents and purposes, he seemed like a normal, legit guy. He had pictures of himself on various portals. He openly advertised his main line of business, which (I think) was something to do with accountancy. There was a personal blog about pet dogs.

Holding fire on the "Here's a post specifically for your scraper site poking fun at you, aren't I clever" post, we found out that the guy had purchased a bunch of ready-to-roll blogs in good faith and had no idea the sites were removing correct attribution (and replacing it with fake names), amongst various other things. Realistically, I didn't expect him to know the ins and outs of all the little details that turned reproduction in good faith into something that just about started to cross the line. A few helpful emails back and forth, and everything was fixed at their end and it didn't snowball into some big stupid argument over nothing.

Coming from an arts background, I'm realistic enough to know that if you put something out there, it's going to get copied and / or republished without your permission (or worse) down the line. That's the risk of publishing material online, and to a large degree, there is absolutely nothing you can do about it. The way I see it, you spend the rest of your days on a futile hunt to shut down all the content scrapers, or accept that (at the very least) the information you hope may be of use to somebody will reach and help them in some way.

If it doesn't have my name attached to it, I can live with that - but I'd rather invest my energies in research and writing than a few hours brief "victory" via a slow procession down an RSS feed. I'm not familiar with the ins and outs of the particular case linked to, but for all I know, the scraper site in question is entirely automated and devoid of any real life person manning the controls. If that's the case, the "victory" is rendered almost entirely pointless save for a cool-for-a-while screenshot.

Is that really a good use of time and effort? Personally, I'm more pleased with our behind-the-scenes EMail resolution but different strokes, different folks and all that...


A handful of scam mails currently in circulation, including one mention of "groundnut oil" that seems so bizarre I had to highlight it in bold text. All this and more, after the jump...
Interesting article over at PCWorld:

One of the first social networking upstarts, MySpace, is facing continuing security problems that threaten to spoil many of the innovative features that make the site useful.

Hackers, spammers and Internet malcontents have turned many of the "group" sites, which are dedicated to interests such as home beer brewing, animal welfare and gay rights issues, into cyber-graffiti walls, filled with offensive comments and photographs.


Link here.


Here's a spamming program that targets Xfire users, with a particularly distasteful name. If you're under 16, you'll probably find the name incredibly lulzy (or whatever it is that kids under 16 are saying at the moment). Open up the zip the program comes in, and you'll see that it's called...er...


rpe2.jpg


...yeah, charming. Note that it also comes bundled with a solitary MP3, presumably to rock out to over and over again while you get your fill of spamming chatboxes for a small portion of eternity.

Here's the application in action - there seems to be an abundance of angry, red shouty faces with this one, doesn't there?

rpe3.jpg

Hit the "Bomb Em" button, and the program rather helpfully asks you how many times you want to nuke your victim. For no real reason, I went for a comic reference and selected 52:

rpe4.jpg

But wait! One more charming popup box awaits:

rpe5.jpg

.....anyone think the creator needs anger management classes yet?

Fast Track to Botnet Central

It's true, you too can finally get into the botnet you always wanted. Finally, the ability to be a zombie computer under some loser's control is yours!

Seriously though, becoming a victim of a hacker's botnet is incredibly easy. These attacks are unlike other forms of destruction found on the internet: their true intent is usually to remain hidden from view until called upon. In the case of FastTrackBot, however, there is a new objective. FastTrackBot downloads several executable files that keep your computer clicking on the attacker's affiliate links. These executables keep the web pages open in hidden iexplore.exe windows in order to hide the activity from suspicious eyes. If you're using X-Cleaner, I suggest you take a look at the Expert tab - the Show All Hidden Windows function is great for showing you exactly what is open at the time.


replace ad.png

FastTrackBot phones home to several of these sites in order to keep generating clicks through affiliate links.

Aside from creating invisible windows to hog your bandwidth, it also attempts to install a rogue anti-spyware application. This is a popular technique for defrauding the victim: the credit card details they enter while trying to purchase the fake product are leaked to the attacker. FastTrackBot inserts a fake Security Center that appears identical to the one found in Windows XP.

securitycenter.png

As you can see in the address bar, this is not the actual Security Center - it's a web page. Clicking anywhere on this window means almost certain doom in the worst way possible... a never-ending stream of fake "YOU ARE INFECTED!!!!" alerts.

infect.png

In order to kill the actual application, you have to remove it from memory first (end the process), then remove its autostart entry, which is found in 5 different locations - or simply remove it with our free Microscanner.
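Two checks a practitioner would run against the hijacks described above, added here as an example (not code from the original posts or from FSL): one dumps the common Windows autostart locations and flags entries that launch a .scr file (the fake-BSOD screensaver trick) or anything from a temp or application-data folder, the other lists iexplore.exe processes that have no visible window, which is the state of FastTrackBot's hidden affiliate clickers. The five registry keys below are the usual suspects and are an assumption on my part; the post does not say which five locations FastTrackBot uses.

```powershell
# Added example, not from the original posts. Autostart review plus hidden
# iexplore.exe detection. Run from an elevated session so HKLM is readable.

function Get-AutostartEntry {
    # Common autostart locations (assumption: the post does not name the five
    # FastTrackBot uses). Winlogon is included because Shell / Userinit are
    # popular places to append a launcher.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    # Properties PowerShell adds to every Get-ItemProperty result; not real values.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }
            $value = [string]$prop.Value
            # Flag .scr launchers and anything started from a user-writable
            # temp / profile data directory (XP and Vista+ names).
            $flag = ($value -match '(?i)\.scr(\s|$|")') -or
                    ($value -match '(?i)\\(Temp|AppData|Local Settings|Application Data)\\')
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $value
                Flagged = $flag
            }
        }
    }
}

function Get-HiddenIexplore {
    # .NET reports MainWindowHandle = 0 for a process with no visible top-level
    # window, exactly the condition of the hidden iexplore.exe clickers.
    Get-Process -Name iexplore -ErrorAction SilentlyContinue |
        Where-Object { $_.MainWindowHandle -eq 0 } |
        Select-Object Id, StartTime, Path
}

Get-AutostartEntry | Where-Object { $_.Flagged } | Format-Table -AutoSize
Get-HiddenIexplore | Format-Table -AutoSize
```

Run the autostart review before and after cleanup: if a flagged entry comes back after you delete it, the process that re-creates it is still in memory, which is why the post says to kill the application first and only then remove its autostart. Browsers launched by legitimate software can briefly have no main window too, so check the Path and parent of any hidden iexplore.exe before killing it.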

About this Archive

This page is an archive of entries from July 2008 listed from newest to oldest.
