August 2008 Archives

......courtesy of a humorous missive here.

Don't Panic

Sometimes it's easy to believe that every last thing online is going to eat into your PC, burn your house down, kill your cat and so on. The last few days I'd been hearing rumblings about some "Youtube rap video" and a file that would start hijacking your PC - well, thanks to a tipoff from a forum-goer at Spywarewarrior, I can hopefully put this one to rest.

In short, a video promoting a rap mix-tape supposedly took you to a file that "hijacked your PC with Spywarestop". In actual fact, there's no file to hijack you. Let's take a look - here's the Youtube page in question:

mixtape1.gif

As you can see, there's the mix-tape being advertised and a link to Mediafire, where the mix-tape is hosted. Click the Mediafire link, and all that happens is you'll see an advert for various antispyware tools - some of them on the Rogue Antispyware list, some of them not on the list but known to be of little worth to the end-user.


mixtape2.gif

In this particular case, it's an advert for Adware Alert. It's not hijacking you, or breaking things or making your browser fly around the screen, nor is it a "virus". It's just an (admittedly loud) advert. If you're running a browser compatible with Adblock Plus, all you'll see beneath the Mediafire logo is a blank space. Even if you're vaguely alarmed by the advert, all you have to do is click the "Continue to Mediafire.com" message at the top right of the screen (missing from the above screenshot as I cropped the image too small - whoops) and you'll be taken to the file you requested.

Like the title says - don't panic. This really isn't something to worry about too much. Even the most obnoxious rogue antispyware advert (the ones that do resize your browser, throw up endless popups and make annoying "Woop woop" noises) can usually be escaped by simply hitting CTRL+ALT+DEL and using Task Manager to close your browser session.

Recently my pal Bill Pytlovany (of WinPatrol fame) wrote an article on his blog asking "What's Wrong With Toolbars"?

I wrote something along similar lines way back in 2005, and it's vaguely depressing to see how little has apparently changed. I'm not going to quote myself, but rather compare and contrast Bill's experiences (and those of his commenters) with the person who posted a comment to my entry, which I quote below in full:

"Unfortunately, the few 'honest' toolbars have indeed taken the wrath of users as a result of the spyware, parasite, adware and other creepy applications of an otherwise good technology.

What's interesting is that, as far as my own toolbar system goes, I've had offers from clients all over the world to develop different kinds of toolbars -- and without fail -- it is the US-based companies that seem most willing to cross the line and request applications that I simply refuse to develop.

We're talking about features like:

- Forced Install
- Hidden Install
- Report all URLs back
- Report all searches back
- Forcibly and hidden set home page
- Forcibly and hidden set default search engine
- Forcibly generate un-blockable pop-ups
- Install and run hidden executables
- Bypass all security and anti-virus tools
- The list goes on...

What's sad is that I'm able to generate the most powerful and incredibly useful toolbars imaginable. Ones that can save countless hours of time and effort. Ones that can be customized on a per-user basis to make the Internet and use of one's own computer a pleasure.

However, there will always be people around whose sole motivation is the almighty dollar -- and who will do ANYTHING to get it.

These people don't care about you, your wants, your needs, your security or safety -- as long as they can line their pockets with your money, or by taking advantage of actions you perform (even one lousy click!).

They'll infect your machine, using whatever means necessary, and they won't stop -- EVER."

The "industry" has certainly cleaned up since then, but the insistence on wanting to cram a toolbar on every PC, ever, remains. I must admit to being kind of disturbed that none of these companies seemingly want to take "No" for an answer - instead of leaving alone, they keep coming back every month or so. Of course, given the potential for mass moneymaking that's on offer I can't say I'm entirely surprised...


Batman is still in full swing at the box office - I'm sure me seeing it seven times probably didn't hurt - so with that in mind (and thoughts of the Zango / Dark Knight issue still rattling around my brain) I thought it would be fun to see exactly how quickly it can all go wrong when looking for Dark Knight material online.

The answer is: extremely quickly.

There are a lot of sites out there claiming to carry "full versions" of The Dark Knight, and although they don't offer Zango, they do offer fake media codecs (which usually do all sorts of horrible things to a computer). Let's pull one of these sites apart as an example of how the scam fits together.

Here's a typical site pushing what they claim to be The Dark Knight:

dbman000.jpg

Dijgg(dot)com, an obvious Digg.com knockoff apparently hosting a large streaming window - the movie quality will be awesome, won't it? Well, actually, no it won't.

In the middle of the video window is a popup:

dbman0.jpg


Install the "codec", and this won't end well. The EXE comes from a site called Favoritetube(dot)com:

dbman1.jpg


A quick check for the safety ratings of that website should be enough to tell you this is a scam. Indeed, there isn't even a movie being streamed here (despite it saying "Connecting" at the bottom of the movie player) - because if you right click on the player itself:

dbman0000.jpg


You can see the "player" is actually just a static image (because I'm given the option to "Copy Image Location"). The image is hosted at Favoritetube, just like the "codecs":

dbman2.jpg

There are quite a lot of these sites floating around out there at present:

dbman3.jpg

dbman4.jpg

dbman100.jpg

At this point, it's a given that I'm going to show you what happens if you install one of the files typically pushed from the above sites, right? Well, wait no longer - this....

dbman7.jpg


...will deposit a rogue antispyware tool on your desktop (one of the more obnoxious ones that refuses to leave you alone):

antispycheck1.jpg

Strange and annoying icons will start to creep across your desktop:

dbman8.jpg


....and you'll have more fake system alerts than you can shake a very large stick at:

antispycheck22.jpg


This concludes my public safety announcement. I'm off to see Dark Knight again...

ASCII Art Spam

I recently had a chat with Stephen Shankland over at CNET regarding the weird and wacky world of ASCII Art Spam. It's been around for some time now, and every now and again there's a little surge (currently most of it seems to be coming out of Korea & China) before dying down again.

Of course, it has an element of visual appeal to it in some cases:


A bowl of spammy noodles, originally uploaded by pragmatic_pete.

They're pretty cool noodles, however you look at it. The biggest problem (for the spammers, anyway) continues to be the fact that, for the most part, the spam is largely unintelligible.


ASCII Art Spam, originally uploaded by schoschie.

.....wha? Sexy....grrmfs? Girls? Gorillas? Who knows. The problem with mangled text also extends (somewhat more crucially) to the URLs they happen to be pimping:


Spam, originally uploaded by cablejimmy.

They're not doing too badly there until they reach the web address, at which point it might as well say

www. absolutelynoideawhatthatsays .com

Of course, the last thing I'm suggesting is that I long for the day when the spammers get it right, but at least they can provide us with some cheap laughs regarding how hopeless their spam is in the meantime.

A "Myspace Cracking tool" has recently come to light, though if you're considering attempting to crack some Myspace accounts with this:

mscrkff1.jpg


....then you might want to think again, on account of it not being quite what it seems. This "cracking tool" is only after one person's details: yours. Run it, and you'll see the following (somewhat bizarre) message, which should be your first clue that all is not quite right here:

mscrkff2.jpg


At this point, your CD tray may well pop open - perhaps in tribute to the Trojans of old that did pretty much the same thing. At any rate, you're certainly not cracking any Myspace accounts, and after a faint grinding from your PC you're left to sit and stare at your desktop, wondering what went wrong. Here's a clue - have a poke around inside the EXE, and some lines of code will likely start to give the game away:

mscrkff3.jpg


..."Firefox password grabber"? Oh dear.

The observant end-user will notice a .txt file appears on their C drive, and it contains all the stored passwords saved via Firefox on their computer:

mscrkff5.jpg

As you can see, the bad guys here seem to be exploiting a well known password recovery tool for nefarious purposes - in this case, Firepassword. You're probably wondering what happens with the stored login details at this point - well, do some more digging in the code and you'll see this:

stolen.jpg

The stolen Firefox passwords are sent to an FTP drop set up by the hacker, and every login you had stored in Firefox at that point is immediately at risk. Of course, if you're foolish enough to play around with hacking tools then there's a good chance you're going to get burned sooner or later...

We detect this as FoxPass.

A colleague of mine had a private message sent to them on Facebook yesterday from the account of a friend. The message is related (of course) to the recent Facebook worm:

fbspam1.jpg


Click the link, and you'll see something like this:

fbspam2.jpg

Yes, it's Ye Olde Fake Codec installer, hosted on what appears to be a hacked website. As always, pay close attention to what you're being sent from your friends. If it doesn't seem like something they'd send you, that's probably because they didn't...

Pass It On!

Another day, another useless message being kicked around Facebook:

fbspam000.jpg


If you see this, please - ignore it and tell your friends off for sending it to others in the first place ;)

One of the few things that - perhaps - alerts users that they've been phished is when (after entering perfectly valid login details) they see something like this:

hablog6.jpg

...or like this:

hablog7.jpg


Generally, when net-savvy users get phished, they're alert enough to know that messages such as the ones above are a clue that they might have stumbled onto a Phishing page (assuming they're 100% sure they entered their details correctly, of course). This "break" in the login cycle has always been a weakness of a phish page, and the typical flow of events is as follows:

1. Visit Phish page
2. Enter details
3. You are told "your login cannot be processed at this time", and your information is stolen

What if the process could go like this:

1. Visit Phish page
2. Enter details
3. Phish page steals your information, but logs you into the target site

You'd miss that vital clue - the failed login - and assume everything was okay.

Well, a Phish for the popular Habbo Hotel caught my eye today because it does just that - seamlessly logging you into Habbo Hotel once your details have been stolen. Here is the Phish page in question:

hablog111.jpg

Here I am, entering my login details into the page:

hablog2.jpg


At this point, a regular Phish page risks giving the game away because of the familiar variations on "Your login could not be processed" that appear at this point in the procedure.

However, this Phish page takes you to a page hosting a base64-encoded script, inside which the hidden code goes about its business of logging you into the site for real. (No, we're not going to make it easier for wannabe Phishers and show everyone how it's done.)

From there, the user is deposited onto the Habbo Hotel website, fully logged in - no "Your login could not be processed" messages here!

hablog41.jpg

Meanwhile, my login has been stolen (it's the one in red) and placed in the ever growing pile collected by the Phisher:

hablog5.jpg

From the point where I decided to log in to Habbo Hotel, to the point where I'm actually logged into the site, there is no break in the usual procedure and I have absolutely no indication I've just been phished. If this kind of devious tactic is employed for banking phishes, it'll make it all the more crucial that end-users start to think about running Anti-Phishing programs and browsers that have built-in Phish Detectors, because the stakes seem to have been raised once again.

I'm on holiday this week, but thought I'd better give this a mention anyway (plus, when did being on holiday ever stop me from posting stuff on blogs, right?)

I was surprised to see this posted to the comments section of the Sunbelt Blog:

spgspam1.gif

I was about as surprised as The Dean was!

To quote a further post from The Dean:

"Well, that's weird. Isn't spywareguide Paperghost's blog? I know he wouldn't spam here. And, the link on the first comment goes to a 404 page."

So, we have someone spamming with broken English, dropping links to 404 pages on Spywareguide. Curious.

Now, I did have some suspicions on this - for starters, the recent blogs regarding the pirate movie websites that pop Zango installers just hit a few news websites. As this article mentions, a lot of the sites involved in this are from Asian regions - China, Indonesia etc. I couldn't help but notice the name of the poster was "Tam" - a common name in certain parts of Asia.

Coincidence? Or a possible affiliate not too happy about this being highlighted? Well, a quick email later and the results for the spammer are in:

spgspam2.gif

A potentially forged Reverse DNS aside, it's a strange thing indeed that they just happen to resolve to Vietnam given that a good portion of these sites are in Asia, isn't it?

I think I'll see if any are owned by someone called "Tam".

When I return from my holiday, of course....

This is pretty interesting. After a week or two of seeing CNN spam, then MSNBC spam (both of which allude to "breaking news stories" in order to get people's attention), it seems the people behind those attacks are now sending out plain emails (with none of the allusions to being from major news networks) that simply say "BREAKING news" in the title field:

breakingnews.jpg

If you visit the link in the email, you'll see this:

breakingnews2.jpg

I don't believe I've seen the length, rating and viewcount under the video before so that's likely a new tactic they've employed. Looks like they need to hire a spellchecker though...

Lost.....and Found

The practice of affiliates signing up with Zango then hiding pirated movies behind their installer prompt ([1], [2]) takes another twist, as we go hunting for TV episodes instead of movies and find....

zan1.gif

zan2.gif

zan3.gif

zan4.gif

......TV shows (streamed from Chinese Youtube-style websites for the most part, though a lot of the clips have been pulled for breaking ToS on the sites in question), hidden behind Zango installer prompts. Many of the episodes are uploaded by individuals who link back to Warez sites (such as the Xinoa.net site in one uploader's profile), so these are clearly not all legitimate uploads. Some of the videos linked to may be legitimate, but for the most part the videos across the sites are branded with Chinese BitTorrent websites or video rip portals (with the name of the site branded onto the clip), or have been deleted for being an unauthorised upload, and so on.

Obviously, this is something of a mini industry we have here but I'm faintly alarmed that so many of these affiliates are happily churning out these kinds of sites. I'm also pretty sure Zango doesn't want people seeing what effectively says "Free ripped off movies online sponsored by Zango" on their installer prompts, either.

As a side note, it's not just Zango affiliates doing this - here's another example, this time for something called "Cpalead.com" that wants you to fill in a survey in return for seeing "free" episodes of Lost:

cpal1.gif

In case you were wondering, my monitor isn't broken, they just grey out the page when the popup appears. The Lost episodes appear to be ripped by end-users and uploaded to Megavideo.com.

The sites above are

lost-stream(dot)com
ietv(dot)co.uk/category/watch-lost-online
watchprisonbreakonlinefree(dot)com
watch-lost-online(dot)info
www.heroesstreaming(dot)com

I guess I ended up with a trilogy after all.

A few days ago, I wrote about a site asking you to install Zango before you could view the site content (which happens to be pirated movies). Well, another site has come to light doing a similar thing - I'm starting to wonder how many of these are actually out there. It's also served to highlight what I feel is a particularly confusing popup box, but we'll get to that later. First off, here's the website in question:

bc0.jpg

Bestcinemaonline(dot)com. As you can see, the site is similar to the last one (except that site is registered anonymously to an individual in China, whereas this one is registered to someone in Indonesia). Also, the format is different - the last site was more of a "movie repository", whereas this one takes the shape and style of a blog with each individual entry pointing to a film. And what films they are!

bc5.jpg
Batman!

bc6.jpg
X-Files!

bc2.jpg

Hellboy! (Is that even out yet?)

As you might have expected, a lot of the movies end up looking like this when attempting to watch them:

bc3.jpg

.....whoops.

I must also give a special mention to one of the most confusing popup warnings I've ever seen - it really threw me, and I admit I nearly installed Zango accidentally after seeing it. If (when prompted with the Zango installer box) you click "Cancel", this appears in the middle of your screen:

bc1.jpg

"Click OK to Cancel or Click "Cancel" to continue the installation".

.....Whaaaaaa? That's a bit of a brain bender, right there. I hope this set of writeups doesn't become a Trilogy...


Here's a site - movietvonline(dot)com - that requires you to install Zango in order to view the content.

joker1.jpg

Nothing unusual there, though I did think the owners of the website were pushing things a little, perhaps, to ask you to install something to view content you could view for free on the official website.

Anyway.

Turns out I was somewhat wrong, because they're not asking you to download Zango in order to watch trailers:

joker2.jpg

They want you to agree to install Zango in order to view whole movies, some streamed on the movietvonline website from other sources, others in the form of broken up downloads hosted on file-downloading sites.

Here's a shot of what appears to be a badly made camcorder (complete with people talking and scrunching up paper in the background) streamed on the website:

joker3.jpg

Clearly, the Joker isn't asking Batman "Why so serious" - he's asking him why the camcorder rip is so seriously bad. In fact, the whole site appears to be nothing more than a mass repository of dubiously acquired movie copies:

joker4.jpg

...Holy Pirated Content, Batman!

Someone really has to rein me in with these titles. Anyway, you may or may not have heard that the CNN spam mails have now morphed into mails that appear to come from Msnbc.com instead. The titles of the emails are still as insane as ever:

msb1.jpg


......uh, wow. The email will take you to a fake Flash download, just like the previous efforts:

msb2.jpg

Obviously, they haven't gotten around to making fake Msnbc pages so for now we're still stuck with the fake CNN pages.

An odd side-effect of these emails is that they're likely lowering subscriber numbers for CNN and Msnbc, because the emails contain genuine unsubscribe links at the bottom:

msb3.jpg


I doubt the creators of these scam mails intended that - they just want to make the mails look realistic - but I could imagine disgruntled subscribers wondering why CNN and Msnbc keep sending them these things, then reaching for the "no more, please!" link...

Trust No One?

Sorry to go all X-Files on you, but I received an EMail earlier today that really drives home how paranoid we probably all are about Phishing nowadays.

Entitled "Chris Boyd, would you be able to spot a fake email?", it was apparently from Paypal:

fakeornot1.jpg

"Protect yourself from phishing: Paypal is working with Gmail and Yahoo! to block fake Paypal emails from your inbox. Learn how".

As it turns out, the email was real - but as soon as I hear someone asking me "Can you spot a fake Email", my brain is sadly conditioned to assume the mail asking me that question is fake anyway.

Kind of depressing, isn't it? At any rate, it's interesting how certain words / phrases in mails will automatically set alarm bells ringing. If I'd received this email, I'd have deleted it as soon as I saw the phrase "Your download to win contest has arrived".

Download to Win Contest?? That sounds so very, very wrong, doesn't it?

Nothing earth-shattering, but worth a mention anyway. I've noticed a couple of blogs pushing security blog feeds are also hawking pretend Youtube vids:

sblog1.jpg

When the videos are clicked, you'll find your browser vanishes down onto the taskbar, replaced by this sitting in the middle of the screen:

sblog2.jpg

Once you click the popup box away, you're confronted with this:

sblog3.jpg

...a randomly selected rogue antivirus product. From here on in, any and all attempts to get rid of this page result in an endless barrage of popups, scare tactics and hilariously lame warning messages (note the first one is called a "Security Update"):

sblog4.jpg


sblog5.jpg


sblog6.jpg


sblog7.jpg

Wow, they just get more and more hysterical, don't they?

The site to block that's pimping the fake videos is

thoughtcrime(dot)blogtodo(dot)com

The Facebook News Feed is something that tells everyone on your friend list what you (and everyone on your friend list) are doing, and it's the first thing you see when you log in:


feed0.jpg

Effectively, it takes bits and pieces of all the smaller feeds and rolls them into one. However, imagine instead of the above in your feed, you see something like this:

feed1.jpg

Those are customised messages inserted into your feed - and there's a good chance everyone on your Friends list will see it on their own feed when they login to Facebook.

This would happen because someone has made a Bot for Facebook that allows you to insert your own custom message / image / clickable link into your Facebook feed. I've no idea if this is against the Facebook Terms of Service or not, but I can only imagine the chaos that would ensue if someone purchases this application then decides to use it for nefarious purposes. It's being promoted as a sales / marketing tool, but from a security standpoint it seems potentially disastrous.

If a bad actor buys their own Bot, imagine the Myspace-style spam campaigns that could take place...everything from malicious URLs to obnoxious flashing banners could be the order of the day. At the very least, one would hope the makers of this Bot have some quality control going on with regard to Bot owners. More here.

/ Hat-tip to LoLo

In general, my anti-spam filters and tools are pretty effective. So when I start to see something like this....

cn1.jpg


cn2.jpg

....it's obvious that a huge spam wave is underway. These are, of course, related to the fake CNN Spam from a few days ago. Here, the emails take the form of "custom alerts":


cn3.jpg

I've seen two types of this mail - one links to a genuine CNN article from the headline text (with the smaller link underneath leading to an infection site), the other simply links to the infection site from both clickable links. As before, deleting these Emails is the best course of action. Interestingly, the format of these mails might not be working to the spammers advantage. Lots of people I've talked to who had one of these mails sent through simply deleted them without a second thought, thinking it was merely something on the real CNN they thought they'd signed up to and didn't actually want.


There's been a fair amount of Twitter coverage recently, but it's worth noting that other countries have their own versions of Twittering, and some of them seem to be a little easier to use in conjunction with Instant Messaging. Twitter, by contrast, still seems to need third-party services, add-ins and other tools to get the job done if the IM service used is something other than Google Talk, Livejournal Chat or Jabber (if it's now more straightforward for other clients too, please let me know!)

Either way, the below illustrates why adding Instant Messaging features to services such as Twitter can cause problems in the long run and needs to be considered carefully.

We were alerted to the fact that a large amount of Spam seemed to be coming out of China in the last day or two (indeed, one contact mentioned to me that this particular message had been sent to their Honeypot around 29,000+ times, which is a lot of spamming for one URL however you look at it). The spam in question seemed to have been sent via a Spambot, and the only mentions of this URL so far in search engines seems to be related to China - shall we take a look?

The URL in question (with part of it redacted) is

http: //5834******/ ;)

You'll notice the spam is short, snappy and also includes a little smiley-face thing at the end. In fact, it looks a little bit like the kind of link people send to their contacts on Twitter, doesn't it?

Well, let's see - a quick search and we find this:

fanf1.jpg

A page from Fanfou.com, which I believe is a Chinese site "inspired" by Twitter with much of the same features and functionality. In fact, it has one feature working straight off the bat that Twitter users previously had to rely on plugins for - the ability to send messages to their page via MSN Messenger updates.

http: //5834****** doesn't actually resolve anywhere - however, a quick Ping to that address and we have an IP:

fanf3.jpg

Type the IP address into the browser, and via some geolocational technology, you'll see a region specific version of the following dating website:

fanf4.jpg

Go back to the page on Fanfou.com, scroll down and select any of the clickable links and surprise - the same page appears. This particular account on Fanfou has something like 30+ pages devoted to endless Spim links via MSN. They link to placeholder pages, sites that look as though they've been suspended and / or deleted with no way to determine what content was there previously - all interspersed with "Twitter" style messages throughout such as this:

fanf5.jpg

Again, note everything is coming via MSN. By this point, you're probably wondering exactly how they allow you to send messages to their Twitter-style pages. Well, the solution is quite clever - check out the IM page. You enter your MSN address, and when you login to your MSN account, you'll suddenly find you have a new IM buddy who wants to be a contact:

fanf6.jpg

Add it, and whenever you want to put a message on your page, send it an instant message and, lo and behold, your Tweet-style message has appeared on your page:

fanf8.jpg

In conclusion, the steps here appear to be

1) Create a Spambot that infects users via MSN Messenger
2) Tailor the messages it sends to be short and sweet, just like a Twitter-style message
3) Set up an account on a service such as Fanfou.com that makes it easy to send messages to your page via MSN Messenger (or other IM services affected by your bot)
4) Infect the PC running your MSN Messenger account then watch as it spams the userpage with whatever messages you want it to send.

Of course, the links can be anything from dating sites and ringtone adverts to infection files and exploits - all made so much easier (and far less time consuming than manually typing URLs into your userpage) by the functionality built into the site you happen to be using. It's also worth noting that the accounts sending the Spim don't have to be set up by the spammer - they could be compromised accounts that were hijacked when the owner clicked a rogue IM link, which is a great way of filling out the spamming ranks very quickly.

This is definitely something Twitter - and any other site out there involved in microblogging - needs to keep an eye out for, and consider carefully when thinking of adding integration with popular Instant Messaging clients.

We detect the file sending the weblinks via MSN as Foubot.

Research and Writeup: Christopher Boyd, Director of Malware Research
Additional Research: Chris Mannon, Senior Threat Researcher

Strange Russian Spam

Vaguely weird piece of EMail spam seen appearing in mailboxes:

russspam1.jpg

A bunch of regular text (in Russian, obviously) with an image overlaid on top of it. Putting the text in an image has been around for a long time, but I haven't seen it pasted over the top of normal text content before.

Humorously, the link in the email takes you to....

russspam2.jpg

....The Hobo E-Shop. No word yet if you get free bourbon bottles wrapped in brown paper bags and a barrel filled with flammable oil, but we're looking into it.

There seem to be quite a few of these in circulation over the past day or so:

Download the latest version! <URL Removed>

About this mailing:
You are receiving this e-mail because you subscribed to
MSN Featured Offers. Microsoft respects your privacy.
If you do not wish to receive this MSN Featured Offers e-mail,
please click the "Unsubscribe" link below. This will not
unsubscribe you from e-mail communications from third-party
advertisers that may appear in MSN Feature Offers.
This shall not constitute an offer by MSN. MSN shall
not be responsible or liable for the advertisers' content
nor any of the goods or service advertised. Prices and item
availability subject to change without notice.

2008 Microsoft | Unsubscribe <http://www.msn.com>  |
More Newsletters <http://www.msn.com>  |
Privacy <http://www.msn.com>

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052


As you might have guessed, it's fake. Microsoft don't send out EMails asking you to download files from random, non-Microsoft websites. This:

ie71.jpg

....is not what it appears to be. Run the file, and instead of IE7, you're actually more likely to see a fake antivirus program appear on your desktop:

top106.jpg

By the time you see this, it's probably too late. This threat is also known to send the user fake infection alerts to provoke the victim into buying the product. It also utilizes the Sysinternals fake Blue Screen of Death screen saver to scare the victim. As you can see below, several options have been taken out of the desktop properties window to hinder users from restoring the default settings.

background.png

This particular product is detected by us as Fake.AV, and is also being pushed quite heavily via the recent CNN videos scam. You can see another example of these emails here. There is more than one URL being used for this attack, so be alert!

Additional Research: Chris Mannon, Senior Threat Researcher
I saw this in the security section earlier today:

diggspam1.jpg


Each one links to a page on a website called Tubeteases(dot)com, and each page streams a Youtube video - usually females bouncing around in various states of undress.

diggspam2.jpg


Usually with spam like this, there's a financial incentive - however, I'm having a hard time working out what the motive is here. There are no clickable ads to make money from on the site - it's just page after page of miniaturised Youtube clips.

diggspam3.jpg


No popups, no flashing banners, no mousetraps.....nothing.

I thought I'd worked it out when I scrolled down the page and saw a large advert for a webcam site. Aha! Obviously the gimmick is luring you to the above video site and then getting you to pay up for webcam access, right?

Well, not exactly...

diggspam4.jpg


...."Free"? Oh dear, this isn't going well. They don't even have the advert for the webcam site at the top of the page, it's stuffed down at the bottom somewhere so I can't even claim "in-your-face" advertising.

At the very bottom, I saw a set of weblinks to other sites - surely this is the gimmick then? Entice potential webmasters to pay up for links placed on-site? Well, as it turns out, no. Clicking the "free slots available" link simply takes you to a page offering a free link placement script.

Normally spam = profit. Here though, I can't see that this follows the usual pattern. Perhaps someone woke up feeling philanthropic and randomly decided the best course of action for Digg.com users was watching hundreds of postage-stamp sized clips of semi-naked females.

We can tell them off for spamming Digg though, so we've got them there...
One of my musician colleagues received the following email:

------Original Message------
From: smith douglas
Subject: lovely song
Sent: Aug 5, 2008 5:50 PM

Hello Lovely vocalist
 
I am Olatunji Hassan a music lover and I must say I listened to
your song via the internet and was moved.I lived in the United
States all my life and now I am back in my father land(AFRICA)
I must also lay my emphasis on the fact that I still travel to
 us when the country is pretty hot.
I am the C.E.O of Douglas compensations
The compensation company is a company which has gotten the
approval of the Government to dispatch lost funds and recovered
theft funds to individuals who seems to need the funds.
I am using the power bestowed on me by my Government to approve
the sum of 100,000 United states Dollars for you.
your urgent reply is needed in regards to this development.
Olantunji Hassan.


Of course, it's a scam. There are plenty of musicians promoting their music on their websites, blogs, fan sites and forums - which presents scammers with a huge selection of targets to choose from. Be on your guard...

Like me, you've probably had quite a few "CNN Top 10" emails through over the last day or so. Here are just two of the many, many mails I've had through to various mailboxes:

top101.jpg


If you opened up any of the mails, you'd have seen this:

top102.jpg


The first clue that something might have been amiss is the strangeness of some of the titles ("Michael Jackson sued by his own dog" isn't something I'd expect to see on CNN, at least not yet). Of course, the giveaway is that regardless of what link you click on, each one takes you to a website that isn't CNN.com - in fact, they all point to the same "video".
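Both lures on this page share the same tell: a mail that claims to come from one brand (MSN in the IE7 mail above, CNN here) but whose links all go somewhere else, and in the CNN case every differently worded headline goes to the same "video". The check below, written here as an added example (not the blog's own code; the brand-to-domain mapping and the sample mail body are constructed), pulls the links out of an HTML mail body and flags both conditions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed mapping: the brand a lure claims and the registered domains that brand really links to.
BRAND_DOMAINS = {
    "cnn": {"cnn.com"},
    "msn": {"msn.com", "microsoft.com"},
}

class LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    # Crude: last two labels. Fine for the .com brands here; a public-suffix list does it properly.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def analyse_mail(html, claimed_brand):
    """Return the reasons the mail looks like a lure (empty list means nothing was found)."""
    collector = LinkCollector()
    collector.feed(html)
    allowed = BRAND_DOMAINS[claimed_brand]
    reasons, targets = [], set()
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        targets.add(href)
        if registered_domain(host) not in allowed:
            reasons.append(f"link '{text}' goes to {host}, not a {claimed_brand} domain")
    # The CNN Top 10 tell: many headlines, one destination.
    if len(collector.links) > 1 and len(targets) == 1:
        reasons.append(f"{len(collector.links)} differently worded links all point to the same URL")
    return reasons
```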

top103.jpg


If you download and install the file offered up, horrible things will start happening to your PC. Let's put it this way - anyone expecting to see Michael Jackson's dog in a courtroom is going to be severely disappointed.

Before long, your desktop will look like this:

top105.jpg


You'll have warnings like these:

top107.jpg



And a rogue antivirus product will magically appear on your desktop:

top106.jpg


Worst of all, look at the name of one of the fake infections they try to scare the user with.

There's subtlety, then there's this:

top108.jpg

....if you want to avoid your computer contributing to the "terrorist threat", don't open up any emails claiming to contain CNN videos.

Even if it's Michael Jackson and his dog.



There's a porn spammer about, in this case sending Skype users links to an adult dating website with a propensity for showing lots of naked flesh on the frontpage.

annaunreal.gif

Take my advice and block "annafleshy5" - you really don't want her sending you anything. Incidentally, I have a feeling there'll be an "annafleshy6, 7 and 8" on the way shortly if they're not already out there pushing their wares...

An "Aw3s0me" Offer?

Yes, it's time for our regular "sites to avoid" update with regard to URLs related to this ring of sites asking for MSN login details. Yesterday evening, I received this via MSN:


awesomeoffer1.jpg

Interestingly, this is the first site I've seen promoted on MSN related to this where the site being pushed isn't asking for your login details. Instead, it cycles through a bunch of adverts & promotions. Rather worryingly, the domain has been flagged for phishing.

awesomeoffer2.jpg


In what might be a departure for these websites, there appears to be "real" Whois data listed for the URL, as opposed to the "privacy protected" details I seem to remember being used for all the others.

Registrant Contact:
   TST Management, Inc
   Jeff Fisher
  
   Edificio Magna Corp. 5th Floor, Office 511
   Ave. Manuel Maria Icaza y Calle 51
   Panama City, Panama 0000
   PA

I'm sure there'll be another chapter in this ongoing saga soon.

You may or may not have come across these before, but there seems to be a fresh set of phish messages (most likely from compromised accounts) being fired around XBox Live using the lure of free Microsoft points as bait (gamers can use these points to buy games, amongst other things).

Consequently, if you happen to be sent something like this by one of your contacts:

xbox.jpg

...then run away very quickly. In this case, the website was made to look like a genuine login page - of course, when you entered your details you had been phished and would be returned to the real XBox page as if nothing untoward had happened.

The phishing page above is currently offline, but may well return (and obviously it's the easiest thing in the world for the scammer behind this to simply change the URL being sent out by hijacked accounts).
Looks like this will be the final piece of the Wall-E puzzle that took shape over the weekend. Both Norton and AVAST have stopped flagging the game demo as a problematic file.

What's faintly worrying here is that everyone bar the most important link in the chain - THQ - replied to emails about this. Even Pixar apparently got back to someone (even if it was in the shape of an automail!)

Really, the one part in all of this who you'd hope would come back with a speedy response would be the game developers, but sadly their reply seems to have been lost to the void...

Wall-E Update

This morning, I emailed THQ in an effort to see where they're up to with regard to their demo of a Wall-E game being flagged as an infection by both Norton 360 and a number of people running AVAST. So far, my own testing has revealed nothing further, but I currently have two issues:

1) I haven't run the file through every piece of security software known to man, and I haven't had a chance to run it through dedicated keylogger scanners yet either.

2) I'm currently having to do my testing on a virtual machine, and if the thing causing the issue requires a "real" PC before something starts to go horribly wrong, I'm obviously going to miss it completely.

At any rate, it's curious that two separate scanners are flagging this. If THQ get back to me, I'll post another update...
I woke this morning to find an interesting set of blog entries regarding the Wall-E demo game from THQ - someone downloaded the demo and found their AV scanner flagging it as potentially dangerous.

A quick roundup of posts:

1) Security researcher Timeless Prototype downloads the Wall-E demo, only to find his antivirus software going crazy. It has detected Spyware.Ardakey.

2) Over at Spyware Sucks, Sandi Hardmeier decides to try downloading versions of the game from different regions, only to find the French, German, Danish and Italian versions are all 177MB in size, whereas the US version is "only" 133MB. Furthermore, the 177MB versions all have different filenames. Note that (so far) it's the UK version (clocking in at 177MB) that has been snagged by an antivirus program. As Sandi notes, there is no way an extra 40-odd MB are needed for a keylogger, so why the extra filesize?

3) Wayne Porter contacted Cachefly (who manage the servers the game is downloading from), and they said this:

"I can confirm that our servers were not compromised, beyond that I can't offer much else.

Obviously we'd like to be as helpful as possible, but since it's related to customer data we're rather limited in what we can discuss. I've opened a ticket to make THQ aware of this, and we can/will work them on tracking stuff down if we need to (we do have a history of all versions of a file w/ filesizes/md5 checksums, and the dates/times/src ip of all revisions)."


The 177MB file is still available to download, I grabbed it a little earlier on today:

walle3.jpg

What we really need to know is whether this is anything to be worried about or not. I would have contacted THQ UK directly, but they don't seem to be available on a Sunday. Until this is resolved one way or another, I'd have to advise people not to download this demo as a precaution until THQ (or Norton, whose AV program flagged the file) have clarified exactly what is going on here. We're currently running some more antivirus / antispyware scans against the download in question, but as you can imagine, this takes some time. A particular problem here is that there are issues submitting a file like this to sites such as Virustotal.com, because of their 10MB file size limit.

Sorting this one out might take a while...

/ Update - some people are saying AVAST flags the file, too.

About this Archive

This page is an archive of entries from August 2008 listed from newest to oldest.
