September 2008 Archives

Oh dear.

Here we have a phish page for the Bank of India:

[Screenshot: fishphish0.jpg]

The hacked site hosting the Phish?

[Screenshot: fishphish22.jpg]

Wildlife-fishing.net.

I'm sure it's entirely coincidental, but groan-worthy all the same.

This site:

Mexsexporno.com

...is being spammed quite heavily on forums and blogs. Visit the site, and you are (of course) asked to install a fake media codec in order to view the non-existent movies on offer.

[Screenshot: sexmex.jpg]

[Screenshot: sexmex1.jpg]

That's a first for me: being presented with a "Licence Agreement" for an Antivirus 2008 hijack (normally this thing just appears on the desktop without warning). Mind you, it could use a little work. I notice an "Agree and Install" button, but they seem to have forgotten the one that says "No Thanks".

Strange, that...

419 Scammer Via Skype

Well that's typical, I go on holiday and the moment I switch a PC on to check something, this appears in Skype:

stephanie kidkhyan says: how are u i hope good, my name is stephanie napapon am from thailand but live london i contant u for my late fahter consingment in afirca pls if u can help me u will take 30% of the money pls the money in the box is 5.2mioll euro.i have all the document and my passport pls i need u help ok this is my email addr stephanienapapon@yahoo.com

This person then tried their hardest to get me to ring a UK-based mobile phone number. Let's think about that for a second: someone in Thailand, a father with a "consignment" in Africa, and a phone number located on an entirely different continent.

Yeah, doesn't sound too convincing does it? Do yourself a favour and block this Skype address:

napapon4love

In the meantime, we've reported the Username involved.

If you have an Xbox Live account, be on the lookout for this.

In every case I've ever seen, when someone offers you "free" goodies related to Xbox Live you should give it a very wide berth unless it's something official from Microsoft. I personally don't even bother with official third-party offers; I go straight to Microsoft for anything, and if they don't have the particular amazing offer I happen to see available directly from them, well, too bad for me.

Here's an example of something you should avoid entirely unless you want your account details stolen.

Called the "Microsoft Point Generator", it fools the end-user into thinking they can create their own Microsoft Points simply by entering their Windows Live ID and password into the boxes provided:

[Screenshot: xbox1.jpg]

Hit "Generator Points" (I'm assuming they meant "Generate"...) and your details are sent by email to those responsible for the scam:

[Screenshot: xbox2.jpg]

That's the email address and password of the victim at the bottom, there.

We detect this as PWS.XBpoint.

Additional Research: Chris Mannon, Senior Threat Researcher

Earlier today, we noticed it was possible for malicious users to abuse Imageshack by obtaining the IP address of anyone who had uploaded an image to the site (considering they handle 2+ million uploads a day, that's an awful lot of people to choose from). The first step was a simple alteration to the file extension on a "direct link" URL for any Imageshack picture.

Once done, a file would be presented for download.

[Screenshot: imshck1.jpg]


Upon opening the file, you would be presented with the IP address of the uploader:

[Screenshot: imshck2.jpg]


This presents an obvious security risk, and could be used for everything from freaking people out on forums by "magically" revealing someone's IP address, to more devious activities like building up a posting history for particular IP addresses, or simply trying to run exploits against the end-user in question. End-users might also be caught out if they've been uploading images on company time (the snooper could match an IP to a company and go to them with an easily identifiable person in a photograph, for example). It may sound a touch OTT, but never underestimate someone's capacity to cause trouble over the silliest things.

We notified Imageshack at 7:59 PM GMT / 11:59 AM PT. Imageshack responded at 9:03 PM GMT / 1:03 PM PT, letting us know that the issue reported had been addressed and that they were confident "this security gap no longer exists". After some testing, that appears to be the case. If you try the same technique now, you'll see this:

[Screenshot: forbidden1.jpg]

We don't know how long this has been in circulation, but I'll stick my neck out and guess (hope!) that it's a recent thing. Kudos to Imageshack for acting so quickly; I can't remember the last time we found something that was patched at such speed, and full credit to them. The last time an issue like this existed was (I believe) back in 2006, which was also apparently fixed rapidly.

A shame it doesn't always happen like that...


Chinese malware attacks WoW community


I realize this might not be new to the WoW community, but there are obvious threats out there that need some attention. Recently the team here at Facetime Security Labs has seen one threat in particular that we feel is especially evil. The story begins like most of these stories begin: with someone downloading something without scanning it for viruses first.

There are about 10 million players on World of Warcraft, most of them in China. The amount of malware coming out of China in the last several years has been staggering, so it's no surprise really that World of Warcraft players would become a target.

The first thing this trojan does is watch for the user to log in to their WoW account and store the credentials to be sent to the attacker.


[Screenshot: login.png]

The trojan also creates numerous entries under the Image File Execution Options (IFEO) registry key to stop the victim removing it. Windows consults that key every time a process is started, and a "Debugger" value under a program's name makes Windows launch the named "debugger" instead of the program, so the security tool simply never runs. The victim is forced into removing the application manually, or biting the bullet and reformatting. (The key is matched on the image file name alone, so a renamed copy of one of the blocked tools will usually still start.)

The list below is all the programs that are rendered useless by this trojan:

regtool.exe
KPPMain.exe
egui.exe
kpfw32.exe
kwatch.exe
kpfwsvc.exe
kavstart.exe
kaccore.exe
kissvc.exe
kmailmon.exe
esafe.exe
ravtool.exe
ravtask.exe
ravstub.exe
UpLive.exe
UmxPol.exe
UmxFwHlp.exe
UmxCfg.exe
UmxAttachment.exe
UmxAgent.exe
UIHost.exe
TrojDie.kxp
Trojanwall.exe
TrojanDetector.exe
SysSafe.exe
symlcsvc.exe
SREng.EXE
SmartUp.exe
shcfg32.exe
scan32.exe
safelive.exe
Rsaupd.exe
RegClean.exe
QHSET.exe
PFWLiveUpdate.exe
KAV32.exe
mmqczj.exe
mcconsol.exe
MagicSet.exe
KWatchX.exe
KWatch9x.exe
kvupload.exe
KVStub.kxp
KVSrvXP.exe
KVScan.kxp
KvReport.kxp
kvolself.exe
kvol.exe
KVMonXP_1.kxp
KvfwMcl.exe
KvDetect.exe
KVCenter.kxp
KsLoader.exe
KRepair.com
KRegEx.exe
KMFilter.exe
KMailMon.exe
KISLnchr.exe
KAVStart.exe
KAVSetup.exe
KAVPFW.exe
KAVDX.exe
KASTask.exe
KASMain.exe
KaScrScn.SCR
kabaload.exe
isPwdSvc.exe
HijackThis.exe
FTCleanerShell.exe
FileDsty.exe
ccSvcHst.exe
CCenter.exe
AvMonitor.exe
avgrssvc.exe
autoruns.exe
AppSvc32.exe
AgentSvr.exe
IceSword.exe
adam.exe
WoptiClean.exe
nod32krn.exe
mmsk.exe
Ras.exe
vsstat.exe
NPFMntor.exe
webscanx.exe
avconsol.exe
Navapsvc.exe
KPFW32.exe
KAVPF.exe
procexp.exe
safebank.exe
rfwproxy.exe
FYFireWall.exe
avp.com
rfwsrv.exe
rfwmain.exe
rfwstub.exe
idag.exe
WinDbg.exe
OllyICE.EXE
OllyDBG.EXE
360safe.exe
qqkav.exe
qqdoctor.exe
safeboxtray.exe
360rpt.exe
360safebox.exe
360tray.exe
qqsc.exe
ati2evxx.exe
Iparmor.exe
PFW.exe
navapsvc.exe
Navapw32.exe
KVwsc.exe
KVsrvXP.exe
KVFW.EXE
rav.exe
ravtimer.exe
RAVmon.exe
RAVmonD.exe
rising.exe
KAVsvcUI.exe
kavsvc.exe
avp.exe
runiep.exe


X-Cleaner.exe isn't on there?! I'm insulted. As you can see, this threat cripples several mainstream anti-virus and anti-malware products, rootkit detectors and process explorers, as well as the debuggers (OllyDbg, WinDbg, IDA) an analyst would use to pull it apart.
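As an added example (not code from the original post or from Facetime), here is a small Python script that parses a .reg export of the IFEO key and flags every image name that carries a Debugger value, treating any target that is not a known debugger as a likely hijack. The sample export is constructed for the example: the image names are two from the list above, but the svhost.exe path they point at is hypothetical and not the real payload, and the parser only handles the subset of .reg syntax needed here.

```python
import re
from typing import Dict, List

IFEO_PREFIX = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    "\\Image File Execution Options\\"
)

# Debugger images a developer might legitimately register as a JIT debugger.
# Anything else pointed at by a Debugger value is treated as a hijack.
KNOWN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe"}

# Constructed sample of a `reg export` of the IFEO key. The image names are two
# from the list above; the svhost.exe path is hypothetical, not the real payload.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\svhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\svhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\windbg.exe\" -p"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers and "name"="string" values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = re.match(r'^"([^"]+)"=(.*)$', line)
        if match and current is not None:
            name, value = match.group(1), match.group(2)
            if value.startswith('"') and value.endswith('"'):
                # .reg string data escapes embedded quotes and backslashes.
                value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def debugger_image(debugger: str) -> str:
    """Return the lower-cased file name of the executable a Debugger value launches."""
    exe = debugger.strip()
    if exe.startswith('"'):
        exe = exe[1 : exe.find('"', 1)]  # quoted path, possibly followed by arguments
    else:
        exe = exe.split()[0]  # unquoted path: the first token is the image
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_ifeo_hijacks(reg_text: str) -> List[dict]:
    """List every IFEO image entry carrying a Debugger value and say whether it looks hostile."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.startswith(IFEO_PREFIX):
            continue
        image = key[len(IFEO_PREFIX):]
        if "\\" in image:  # deeper subkeys such as PerfOptions are not image entries
            continue
        debugger = values.get("Debugger")
        if debugger is None:
            continue
        findings.append({
            "image": image,
            "debugger": debugger,
            "suspicious": debugger_image(debugger) not in KNOWN_DEBUGGERS,
        })
    return findings


def hijacks_by_target(findings: List[dict]) -> Dict[str, List[str]]:
    """Group suspicious entries by the program they redirect to: many images pointing
    at one unknown target is the signature of this kind of trojan."""
    grouped: Dict[str, List[str]] = {}
    for finding in findings:
        if finding["suspicious"]:
            grouped.setdefault(debugger_image(finding["debugger"]), []).append(finding["image"])
    return grouped


if __name__ == "__main__":
    results = find_ifeo_hijacks(SAMPLE_REG)
    for entry in results:
        flag = "HIJACK " if entry["suspicious"] else "ok     "
        print(f"{flag}{entry['image']:<20} -> {entry['debugger']}")
    print(hijacks_by_target(results))
```

On a live machine the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` (the file is written as UTF-16, so open it with `encoding="utf-16"`), and the same check should be repeated for the Wow6432Node copy of the key on 64-bit Windows. Autoruns would show these entries too, but as the list above shows, autoruns.exe is itself one of the blocked images, so run it from a renamed copy.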

After the trojan blocks access to your security applications, it sits and listens for any Warcraft traffic it might be able to steal. The attacker can then ping the infected PC whenever they like and take information as needed.

[Screenshot: wireshark.png]

We currently detect this threat as PWS.Game.rnq.  Mind your clicks.


Fake Paypal Bruteforcer

I see a lot of programs designed to hack the wannabe hacker. It's been a trend for some time now for professional phishers to offer up trojaned phishing kits to newbies (so they can watch the newcomer do all the hard work, then snatch the booty at the last second), and the practice of hackers placing bait for wannabes like this has probably been going on a lot longer.

In that tradition, then, I have for your entertainment today a fake Paypal brute forcer, which is actually nothing more than a fake front-end designed to be bound to a real payload that hijacks the wannabe Paypal cracker. Of course, that payload can be anything the creator desires. Here's what it looks like:

[Screenshot: pp1.jpg]


Note the "Dictionary.com" message, obviously designed to make the wannabe hacker think there's a monstrous word-list accompanying this "bruteforcer". The somewhat arty graphic of what I presume is a credit card is a nice touch, though perhaps I'm moving somewhat off topic at this point. The moment the wannabe hacker hits the "Brute Force" button, whatever payload has been bound to the front-end is activated, and the wannabe just got owned:

[Screenshot: pp2.jpg]


Our hapless wannabe will be waiting a long time...

Dreamcast Hoaxes

I've always been fascinated by how many net hoaxes and scams have revolved around the Dreamcast console and related games (in particular, Shenmue). I thought it might be interesting to have a look at some of the most memorable ones, though this list is by no means exhaustive so please feel free to add to the list if I've missed any.

Fake Shenmue Passport, February 2006: Back in 2006, gamers were amazed to find the Shenmue Passport spring back to life. For those of you who don't know what the Shenmue Passport is, click here. Everyone else can just skip to the "good stuff", which would be seeing this appear on your TV if you'd had the brainwave to go online with your long-dead Dreamcast in February 2006:

[Screenshot: ppupdate.jpg]

A message proclaiming that downloadable content for Shenmue was back online, and that more would be "coming soon". Forums everywhere started to look like this. All of a sudden, downloads were available from the seemingly official (and freshly reborn) website and messages saying "We'll be back soon" were plentiful, sparking rumours of a Shenmue 3 announcement (or even something related to the limbo-ridden Shenmue Online).

However, something didn't seem quite right about all this and the truth eventually came out thanks to a fantastic bit of detective work here. Someone had bought the domain once it had expired, and decided to "give fans hope" with a bunch of uploads and fake messages. As you might expect, this did not go down very well (in fact, you can see the process of SEGA reclaiming the domain from the culprit here thanks to someone who was copied in on the EMail conversations).

Shenmue 3 Youtube Trailer, January 2007: This is a fairly crummy hoax, but did seem to sucker a lot of people. Take some CGI footage from the canceled "Shenmue Online" game, stick "Shenmue 3" over the top of it:

[Screenshot: shentrailer.jpg]

Place the whole mess onto Youtube then sit back and laugh. Even though the video was placed online in 2007, it's still fooling people a year on.

Dreamcast Phish, March 2008: This one was particularly nasty, and was similar in execution to the way the Shenmue.com domain was swiped for the above scam. Someone grabbed the Dreamcast.com domain, then used it to phish for email logins and caused an awful lot of LET'S KILL THE PERSON RESPONSIBLE IMMEDIATELY type comments across the Net. This is what the previously dormant website suddenly looked like after being offline for all those years:

[Screenshot: dreamphish.JPG]


Seeing that sent quite a few Dreamcast fans insane (myself included) which made it all the more horrible when it was revealed to be nothing more than yet-another-Dreamcast-hoax.

Luring you in with the promise of an official @dreamcast.com Email address, they asked for your serial number, desired username, password and a current Email address. Once registered, you would end up with a seemingly valid yourserialnumber@user.dreamcast.com address.

The only problem, of course, was that it wasn't SEGA sending out your details, it was the scammer who had grabbed the domain name. The theory is that people would likely use the same password for their desired Dreamcast address as the alternate Email address they provided when signing up to the "service". Thus, you would have spam lists and hijacked email addresses galore.

It didn't take long before SEGA denounced the site, and it was pulled offline shortly after. In retrospect, a dead giveaway should have been the fact that the site had Google Ads and a few other things on it (check out the rather small screenshot) that probably wouldn't have been there if SEGA had actually been in charge. SEGA almost certainly wouldn't have had a Play-Asia affiliate code embedded in the page, for that matter:

[Screenshot: affcodedc.gif]


Messing around with one particular videogame is one thing, but whipping fans of the Dreamcast console into a frenzy with the promise of an out-of-the-blue Dreamcast revival was never going to end well. Sadly, the culprit was never found but hopefully they'll drop a really heavy plantpot stuffed with bricks on their foot at some point in the near future.

Shenmue "Believe" Advert, July 2008: Oh dear. EDGE magazine usually post up a cryptic, arty image as a substitute for a regular "Next Month" page. For the September issue, someone started a thread on the NEOGAF forum previewing said issue. In this case, the Next Month page looked like a notepad - and one of the more iconic images of Shenmue was the Notepad the main character used to store notes, items and the like.

A quick photo manipulation later and...

[Screenshot: notepad1.jpg]

If you can't see it, in the middle of the pad the original poster has placed "Shenmue 3: Believe" in very faint text.

This spread across the net like wildfire for a few days, until of course people started to get their hands on the issue in question and realised the whole thing was....yet again.....a hoax. I believe the EDGE preview turned out to be for an article about videogame instruction manuals.

Shenmue 3 Disc Hoax, August 2008: Sometimes innocent bloggers (who really should check the source material...) are sent images and post them up. Bad idea. Not so long ago, SEGA unveiled a room containing every single game they'd ever made. One of the images contained a pile of GD-Rom discs which SEGA used to store prototypes and early build versions of Dreamcast games on. Despite the blogger in question actually linking to the original, they were suckered in by a photoshop alteration where someone had placed "Shenmue 3" over the top:

[Screenshot: shenmuegdr.jpg]

As SEGA themselves said,

"Ha, that's too funny, they've totally photoshopped the image. I wonder how long it is before we see this getting picked up as fact."

As it turns out, it wasn't too long - I did see this pop up on a couple of forums, but this one was caught pretty early. It's still surprising that the blogger didn't just check the original image more closely though.

This ends our tragic roundup of scams related to the Dreamcast console. I have a feeling we'll be seeing more soon enough...

It seems these cookie-cutter sites offering Zango in return for things that can easily be obtained elsewhere are never going to dry up. Case in point: here's an advert I saw a little earlier today on a gaming site:

[Screenshot: pokead.gif]

This advert takes you to the following colourful website:


[Screenshot: pokez1.jpg]

The domain in question here is

pppokemon.com

On offer is a "free" Pokemon online game, assuming you agree to install Zango to play it:

[Screenshot: pokez2.jpg]

Of course, we know how this is going to turn out. Install Zango, download the zipfile, install the "game" and....

[Screenshot: pokez5.jpg]

....what you actually end up with is a client for something called "Pokemon World Online". The only problem is, you can download this minus the adware from their official website. Interestingly, they actually flagged this in one of their news articles and mention a second website:

[Screenshot: pokez7.jpg]

The second site listed is

onlinepokemongame.info

Both domains are registered anonymously. Colour me surprised...

There's been a recent surge in interest regarding the fake Batman MMORPG game from a few weeks ago; meanwhile, the digging has continued and some interesting bits and pieces have come to light.

If you examine the Whois details for some of the sites on the server related to this lot, you quickly find something strange. Despite all of the domains looking and acting the same, some of them are registered anonymously, while the majority have full contact details. As an example, let's take

adventure-quest-hacks.info

Here are the Whois details for this site. As you can see, this webpage (like a good portion of those on the server) is registered to a named individual in Canada, as opposed to an anonymous registrant like the original Batman MMORPG website. There is a Google Ad at the bottom; however, the publisher ID is different from the one used to roll out the fake Batman game advert, so that doesn't help lead us to the potential identity of the site owner.

The only real thing of note with regards this person in Google is this post, where he's looking for someone to work with him on a "Browser Based RPG Game" so that's not much use either.

Of course, there's no way to know for sure who the fake Batman game website was / is registered to. However, I am curious why there appear to be a number of near-identical sites (in terms of content, the way they've been put together and general all-round execution) on the same server registered to this individual. Almost every site on that server has been made in the same way, with a single intention - convince the end-user to install Zango in return for everything ranging from empty lies to near-worthless content that could have been obtained elsewhere.

Is that name there as a placeholder for someone else? Does he own the server but not the sites (and if so, shouldn't the site owners actually be listed in the Whois details)? Could there be a group of individuals all running a couple of sites each and taking their own split of the profits (which would explain why some sites are tied to names and others are anonymous)?

More importantly, shouldn't Zango be taking a closer look at the sites listed here and here and (perhaps) canceling those affiliate accounts too?
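One way to do the cross-site pivot used here (comparing Google Ad publisher IDs between sites) and in the Dreamcast.com write-up above (the Play-Asia affiliate code embedded in the page) is to pull such identifiers out of each page and group the domains that share one. This is an added example, not the post's own tooling: the domains, publisher IDs and affiliate codes in it are constructed, and the affiliate URL parameter names it looks for are an assumption, since the post does not say what form the Play-Asia code took.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# An AdSense publisher ID as it appears in the ad script on a page.
AD_CLIENT_RE = re.compile(r'google_ad_client\s*=\s*"(pub-\d+)"')
# Affiliate tags in outbound links. The parameter names are an assumption;
# adjust them to whatever the affiliate programme in question actually uses.
AFFILIATE_RE = re.compile(r"[?&](?:ref|aff|affiliate)=([A-Za-z0-9]+)", re.I)

# Constructed sample pages: hypothetical domains and identifiers, not the real ones.
SAMPLE_PAGES: Dict[str, str] = {
    "batman-game.example": (
        '<script type="text/javascript">google_ad_client = "pub-1111111111111111";</script>'
    ),
    "watch-dbz.example": (
        '<script>google_ad_client = "pub-1111111111111111";</script>\n'
        '<a href="http://shop.example/?ref=AFF42">Buy the DVDs</a>'
    ),
    "hacks-site.example": '<script>google_ad_client = "pub-2222222222222222";</script>',
    "dreamcast-console.example": (
        '<a href="http://shop.example/item?affiliate=AFF42">Order a Dreamcast</a>'
    ),
}


def extract_identifiers(html: str) -> Dict[str, Set[str]]:
    """Pull every tracked identifier out of one page, keyed by identifier type."""
    return {
        "adsense": set(AD_CLIENT_RE.findall(html)),
        "affiliate": {tag.lower() for tag in AFFILIATE_RE.findall(html)},
    }


def pivot(pages: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each identifier to the domains carrying it, keeping only those shared by 2+ sites.

    A shared publisher ID or affiliate tag means one account is being paid for
    both sites, which is much stronger evidence of common ownership than a
    similar page template or a shared server alone.
    """
    owners: Dict[str, Set[str]] = defaultdict(set)
    for domain, html in pages.items():
        for kind, ids in extract_identifiers(html).items():
            for ident in ids:
                owners[f"{kind}:{ident}"].add(domain)
    return {key: sorted(domains) for key, domains in owners.items() if len(domains) > 1}


if __name__ == "__main__":
    for key, domains in pivot(SAMPLE_PAGES).items():
        print(key, "->", ", ".join(domains))
```

The identifiers are only as good as the fetch: a site that rotates ad units per visitor, or serves different pages to different user agents, needs to be fetched several times before concluding that it shares nothing with its neighbours.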

Hmm, something doesn't look right about this person on a random friend list I came across today:

[Screenshot: fred1.jpg]


Why hello there, "Freddy". Should you visit the profile, Freddy seemingly has a rapid identity change:

[Screenshot: fred2.jpg]

This is (of course) a fake graphic placed on top of a real profile (in this case, a "Comedy" profile). Note that they haven't aligned it very well, though they do score bonus points for ensuring that both "Angelina" and every single fake person in their contact list are showing as "Online now". Click the image, and you're taken to (surprise, surprise) a dating website:

[Screenshot: fred3.jpg]

There was a time when I would stumble across these overlaid profiles every other day (not to mention the endless friend requests from Bots promoting similar websites), but the friend requests have long since dried up and I hardly ever see these kinds of profiles anymore.

That's not to say they're not out there anymore, but it would be nice to think Myspace have cracked down on these in recent months...

Some Skype Spam..

A short and sweet entry, this one. Ignore any messages you see like the below:

Hey [name goes here], this Nixie. Now I am looking for new friends. U can look my photo here:

elliser.com/girls/keengirl


The above URL redirects you to

xxxblackbook.com

...which is an adult dating website. Of course, Skype users should be suspicious when any unsolicited message comes through - even when from a supposedly "hot and horny female", or however it is that they tend to describe themselves...

Twitter Spamrun

I saw a message on Twitter here from one of my contacts, and decided to go check it out. What I found was an unhealthy dose of spam profiles all pushing the same collection of products (most of which seem to be purchase only).

The product being promoted here is something called "Twitter Friend Adder" which costs $50 to buy. Here's the profile in question:

[Screenshot: tfa2.jpg]

In addition to the profile site_test3, there's the original site_test profile and numbers 2, 4 and 5. In addition to those, there are what look like more placeholder profiles that haven't been made live yet numbered 6, 7, 9, 10, 11, 12, 13, and 14.

[Screenshot: tfa3.jpg]

Reminds me of the way people create sock-puppet accounts on Myspace...

There's been quite a lot of action going on around here recently, with a fair amount of coverage of some of the things written about. It's also interesting to note that there's been something of a resurgence in dubious Adware affiliate activity lately - companies such as Zango (who I've written very little about over the past few months) have suddenly come to the fore with what seems like an endless procession of really bizarre behaviour.

That seems as good a place as any to start, so get your bookmarking fingers at the ready and you may find a few articles to pass the time on your lunchbreak with.

August 2008: Adware on Pirate Movie Sites: [1],[2],[3],[4]

This is (of course) related to the large network of websites pushing pirated movie files in return for Zango installs. These sites are still being mapped out, with fresh discoveries all the time. The utterly fake claims about what a piece of adware can do for you are one of the remnants of the old "Adware wars" that I can't say I'm happy to see making a comeback.

August 2008: Precocious Phishers Target Teen World: [1]

Logging you into the target site once you've been phished is a nifty idea, and from what I've seen the person who came up with the idea was a teen himself. There's a surprise...

August 2008: ASCII Art Spam [1],[2]

Every now and again, peculiar spam tactics emerge and (truth be told) can be fun to work out. The above two links are related to a particular run of ASCII art spam that made a little comeback recently.

September 2008: Webcam hackers shock victims with gay porn [1]

I've always had an interest in Memes, but using shock memes to screenshot the victims reaction via webcam is quite the "humorous" tactic. I still love that one guy simply sat there picking his nose while watching one of the shock sites involved though.

September 2008: Fake Batman MMORPG leads to Adware install [1],[2],[3],[4],[5]

This one was particularly fun to pull apart, as I got to combine two of my favourite things - Batman and videogames. An amazingly brash scam, and you can see more related sites here and here. Curiously, the story had a second wind breathed into it this week, with more coverage on Techdirt and WebProNews. The only conclusion I can draw from this is that Batman is indeed awesome.

September 2008: Fake Twitter Profile Punts Orkut Attack: [1],[2]

There seems to be a little confusion over this, though I'm not entirely sure why - the blog entry clearly references the Malware attack using twitter to promote infection links from a few weeks ago, and this is not the same attack - this one specifically focuses on Orkut users.

Here ends your Link-O-Rama edition of Spywareguide.


Ka-Ching

I've written about cunningly placed adverts on Facebook application installer pages before, but this is getting to be a little.....excessive.

Here's what I saw when installing an image viewer, from the point where I started to install the app, during and once I'd finally made the application live on my page:


[Screenshot: kac1.jpg]

[Screenshot: kac2.jpg]

[Screenshot: kac3.jpg]

As I said....excessive. Anyone thinking these boxes are part of the application installer will be taken to a familiar face:

[Screenshot: kac4.jpg]

Yes, it's this thing again.

Facebook should really have strict policies on the kind of adverts allowed on installer pages (as a matter of fact, I don't think there should be any adverts allowed on these pages in the first place). It's way too easy to fool people.

I've written previously about websites offering up pirate movie content in exchange for Zango installs. Well, here's an interesting spin on that idea, courtesy of Ben Edelman, who came across this a day or two ago.

It's your typical example of the above - this one is called prisonbreakstreaming(dot)com.

I've highlighted the interesting part in red:

[Screenshot: zangobuffer.jpg]

"we know there are plenty of people rushing over to watch Prison Break episode 3 now, we recommend downloading zango to help speed up buffering and to watch the videos streaming."

As far as I'm aware, Zango does nothing to "speed up buffering" or improve streaming. This reminds me of the adware installs from a couple of years ago, where website owners would claim absolutely anything just to get you to install something.

Happy days are here again?


Twitter responded quickly regarding the profile pushing Orkut-themed links on their site.

The profile in question currently looks like this:

[Screenshot: deadork.jpg]

We're keeping a close eye on the other profiles - if they should suddenly spring into life and start to distribute infection links, they'll be on the receiving end of similar treatment...

Orkut has long been a popular target for hackers, and we've come across evidence of Orkut users being targeted via Twitter profiles carrying infection links. Here is the page in question: the profile carries three links that have been sent out to the 17 people following it (and also fired into the "all-users" timeline):

[Screenshot: orktwit1.jpg]

As you can see, we've already clicked one of the links, which requests one of the three executables linked to from the page (the messages themselves say things like "To download the album with photos from the profile directly from orkut click on the link below" and "Take a look at the pictures" in Portuguese, according to Google Translate!)

The pages linked to either try and get you to download an infection file straight away, or pretend you're installing a Flash update:

[Screenshot: orktwit2.jpg]
[Screenshot: orktwit3.jpg]

Once the files are run on the end-user's PC, a variety of malicious files are installed and various types of data theft may be attempted. For example, one of the EXEs pops open the Orkut website in what is obviously an attempt to get you to fill in your login details:

[Screenshot: orktwit5.jpg]

Of course, you need to sign into Orkut with your Google Account, so if you happen to see the Orkut website magically appear on your desktop prompting you to log in, think twice about entering your credentials until you can ensure your PC is free of infection. "Luckily", you'll have a very large clue in the form of the following error messages constantly cycling on your desktop:

[Screenshot: orktwit6.jpg]

Similarly, run one of the other files and you'll end up with this rather happy looking person appearing in your web browser:

[Screenshot: orktwit4.jpg]

Apparently "Malandro" means "trickster" in Portuguese. I don't know about you, but I would tend to suspect all is not well with my PC when something like that shows up unannounced! As with many Orkut-themed / targeted attacks, the files being used are a collection of older attacks, with some pieces clearly being reused from this infection.

What's particularly interesting to me is the use of Twitter to push these Orkut attacks, and also the fact that the attackers have seemingly created the majority of the profiles 17 followers - presumably to make the infection link carrying profile seem more legitimate and part of a small group or community of friends.

[Screenshot: orktwit7.jpg]

Most of them have no user image, random-sounding names and (the dead giveaway) most of them are following each other, despite none of them seemingly sending out any messages since joining that would make people want to follow them in the first place. The small number of messages sent from the profile would tend to suggest a trial run, perhaps; or maybe they have many accounts and are sending out only a few tweets at a time from each one to keep themselves under the radar.

In some ways, then, this is a refinement of the attack noted by Kaspersky here, because they're targeting a specific group of users instead of taking the "Come and get it, everybody" approach. Obviously, just because you don't use Orkut doesn't mean you're safe from this; the URLs are entirely indiscriminate about who clicks them and becomes infected, so if you see any profiles on Twitter that mention Orkut with hyperlinks referencing "photo albums" or "galleries" (the oldest Orkut-targeted infection tactic in the book), steer well clear. For now, we've notified Twitter of this particular profile.

We detect this as Orkontron.

(Thanks to Senior Threat Researcher Chris Mannon for additional research).

There are at least 100 people running round with the tool below at their disposal (at least, according to the download figures on the main free file-hosting page; this obviously doesn't include random forum downloads).

Anyone with the following EXE on their desktop:

[Screenshot: fspam11.jpg]


has access to a program designed to spam vBulletin boards (as you probably gathered from the title!):

[Screenshot: spammer000.jpg]

Results seem to be impressive.

[Screenshot: spam1111.jpg]

Be on your guard for a random script-kiddie driveby...

Good Value Proposition?

There's been some extensive examination of the server that hosted the (now deceased) Batman Online game website. I already highlighted two of the other dubious "MMORPG websites" designed to get the end-user to jump through hoops for very little (if anything) in return.

Now I'm going to show you what else is lurking on the same box. As you might have expected, most of the other sites follow the same pattern - entice you into installing Adware, and giving you little to nothing in return.

Family Guy Video site:

[Screenshot: final1.jpg]

Install Zango to "see Family Guy". Except once you've installed it, you're taken to a page of Youtube links.

Watch Avatar Online:

[Screenshot: final3.jpg]

Install Zango to see the episodes. Once installed, you're taken, predictably, to another page of links. Even better, all of the links take you to some 18-year-old guy's video page, which only seems to have a grand total of three videos online. They don't exactly look official, either.

Copy DS games:

[Screenshot: final5.jpg]

Install Zango to "find out" how to copy DS games. Once done, you get a page of info that could have been found in Google in about five seconds flat.

Download Hip-hop beats:

[Screenshot: final7.jpg]

This one is particularly humorous. The site has four songs available to download, with a "Full Beat Download List" also available. To hear any of the four songs, you have to install Zango.

Once you've done that, you finally have access to the download list. Imagine your dismay, then, when you find the list is six songs long. They also say

"Please note that any beat you download is of respect to its rightful artist or dj. We do not enourage stealing of music as your own. Please keep whatever you download only to yourself."


...mmm.

As you might have guessed, the rest of the sites are like this - everything is either a blatant lie like the Batman site, a wonderfully creative bending of the truth (like the Dragonball Z MMORPG webpage) or underperforming nonsense like the "Hip Hop Beats" URL.

Here's a list of the sites on this box that act in a similar manner to the above:

adventure-quest-hacks.info
ant-young-herma.info
aqhacks.com
avataronline.info
batmangame.info
bed-political-belle.info
bleachonline.info
conquerhacks.info
copypspgame.com
copypspgames.info
dbzonline.info
downloadhiphopbeats.info
dragon-fable-hacks.info
freedsgames.info
freexbox360games.info
funnyfamilyguy.info
habbohacks.info
harrypottergame.info
inuyashaonline.info
laced-responsible-yum.info
maplestorya.info
maplestoryhax.net
narutoonline.info
neopets-hacks.info
onlinedbzgame.info
pokemonepisodes.info
pspgamecentral.info
pspgames4free.info
rakionhacks.info
rune-scape-hacks.info
runehacks.info
runehackz.net
runescape-hacks.info
southparkepisodes.info
trainyourpet.info
watchavatarepisodes.info
watchben10.info
watchbleach.info
watchdbz.info
watchdeathnote.info
watchdigimon.info
watchfma.info
watchinuyasha.info
watchlovehina.info
watchnarutoonline.info
watchpbonline.info
watchpokemon.info
watchsailormoon.info
watchygo.info
watchyugioh.info
yuyuhakusho.info

There might be one or two that I missed, so feel free to add them.
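If you do want to drop these into a blocklist, the one thing worth getting right is matching: the list above is written in mixed case, real traffic arrives as subdomains (www.batmangame.info) and sometimes with a trailing dot, and a look-alike such as batmangame.info.example.org must not be caught by the batmangame.info entry. The following is an added example, not code from the original post: it normalises a subset of the list above (copied in the mixed case it appears in) and checks constructed hostnames against it, walking up the parent domains but never comparing a bare TLD.

```python
# Added example (not part of the original post): a small blocklist matcher
# for the domains listed above. BLOCKLIST_TEXT is a subset of that list,
# copied in the mixed case it appears in; SAMPLE_HOSTS are constructed
# test input, not hostnames observed in the wild.

BLOCKLIST_TEXT = """
# fake MMORPG / "install Zango" sites (subset of the list above)
Adventure-quest-hacks.info
Aqhacks.com
batmangame.info
Harrypottergame.info
onlinedbzgame.info
Runehackz.net
Watchpokemon.info
"""


def normalise(host):
    """Canonical form for comparison: trimmed, lower-case, no trailing dot."""
    return host.strip().rstrip(".").lower()


def load_blocklist(text):
    """Parse one domain per line, ignoring blank lines and '#' comments."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.add(normalise(line))
    return frozenset(entries)


def is_blocked(host, blocklist):
    """True if host, or any parent domain of host, is a blocklist entry.

    Walks from the full name up to the registrable domain, so that
    'www.batmangame.info' is caught by the entry 'batmangame.info'. The bare
    TLD is never compared: an entry of just 'info' would be a mistake and
    must not block the whole TLD.
    """
    labels = normalise(host).split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def blocked_hosts(hosts, blocklist):
    """Filter a list of hostnames down to the ones the blocklist catches."""
    return [h for h in hosts if is_blocked(h, blocklist)]


def hosts_file_lines(blocklist):
    """Render the blocklist as sinkhole entries for a hosts file."""
    return ["0.0.0.0 " + d for d in sorted(blocklist)]


BLOCKLIST = load_blocklist(BLOCKLIST_TEXT)

# Constructed hostnames: an exact match, a subdomain in odd case, a
# trailing-dot form, a look-alike that must NOT match, and an unrelated site.
SAMPLE_HOSTS = [
    "batmangame.info",
    "WWW.HarryPotterGame.info",
    "aqhacks.com.",
    "batmangame.info.example.org",
    "newsarama.com",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:32} blocked={is_blocked(h, BLOCKLIST)}")
    print("\n".join(hosts_file_lines(BLOCKLIST)))
```

The hosts-file output is the crudest form of blocking (it only covers the exact names listed, not subdomains), which is why the matcher rather than the hosts file is the thing to reuse in a proxy or DNS filter.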

More MMORPG Fakeouts

Here's a few more sites presumably created by the maker of the fake Batman Online game.

Step up, Dragonball Z:

dbz1.gif
Click to Enlarge

To "download" this Dragonball Z MMORPG, you have to fill out a survey:

dbz2.gif
Click to Enlarge

Once done, you'll be amazed(!) to find you're taken to....shockingly....the official Dragonball Z MMORPG game.

The only problem? The website is in Japanese and the game hasn't been released yet.

dbz3.gif
Click to Enlarge

Forgive me for thinking this isn't the greatest deal I've ever been sold.

Now it's Harry Potter's turn:

hp1.jpg
Click to Enlarge

Like the Batman site, you need to install Zango. Do so, and.....you're taken to the popular Hogwarts Live, which you could have easily found and played yourself without installing Adware. As you probably guessed, the screenshot from the title graphic on the site is not part of the game you'll eventually play.

The sites involved are

onlinedbzgame.info

and

harrypottergame.info

in case you want to add them to your blocklists.

Hunt The Dark Knight

After writing about this website yesterday (and alerting those I know involved in comics, comic forums and news portals), I woke up to see this...

deadbat.gif
Click to Enlarge

Of course, it's too early to tell if the site has been pulled permanently - but it looks like someone realised there's no point trying to scam a community when they're already waiting for it with a baseball bat.

Thanks to all who put the word around - your honorary vigilante badges are in the post...
This is Newsarama, a site (mostly) geared around comics and other related media:

batzang1.jpg
Click to Enlarge

You'll notice Batman, over on the right there. Let's take a closer look:

batzang2.gif


"Free Online Batman Game"? Well, that's curious, because I follow comics pretty closely and I'd be the first to know if an "Online Batman Game" had been in the works (this advert has been doing the rounds on numerous comic-related websites). Visit the URL in the ad - Batmangame.info - and you'll see this...

batzang3.gif
Click to Enlarge

There it is again - "Online Batman Game". Furthermore, the text goes on to say:

"Batman Online lets you do anything and every little thing you'd like in a Batman game. From leveling up your character to destroying villans, it has it all. Download and play this amazing game now, all for free! I'm sure you'll be playing for hours on end, it's that much fun.

    Level Up Your Character
    Explore a Huge Vast World
    Play Online With Your Friends
    Hundreds of Quests To Finish
    Perfect Battle System

So start your Batman adventure today! Download the  full game below and fight them all!"


Note that they specifically call it "Batman Online", and the blurb reads exactly like the text you'd expect to see alongside an MMORPG. However, something isn't quite right here.

1) The only DC licensed MMORPG anybody knows of is this, and it isn't due out until 2009. It's not Batman-centric, either.

2) The screenshots are lifted from the Batman Begins videogame, which came out in 2005. If you were offering a "Batman Online Game", wouldn't you use screenshots from that instead of an unrelated title?

3) Absolutely no licensing, copyright or legal mumbo-jumbo on the page anywhere. DC and Warner Bros don't roll like that.

4) The website - Batmangame.info - is registered anonymously. Not exactly something you see everyday for websites related to licensed DC franchises such as Batman videogames.

5) "To download and play the Batman Online Game you must download and install Zango as well. It is free, very easy to install and will give you access to the full game."

Shall we continue?

batzang4.gif
Click to Enlarge

A Zango installer prompt, complete with picture of Batman at the top. Click "Start" and you'll get the usual collection of Zango installer screens, including one that rather humorously has a guy in a superhero costume.

Once everything is installed, you're taken to another page. Up to this point you've been promised an "Online Batman Game", the description of which is clearly intended to evoke images of a MMORPG. However....

batveng.jpg
Click to Enlarge

All of a sudden, you're being told you're downloading "Batman: Vengeance" on a cheap-looking splash page and shown what looks like an unofficially ripped Batman: Vengeance trailer on Youtube.

In case you're unaware, Batman: Vengeance is a videogame first launched way back in 2001 for consoles (followed shortly after by a PC version). What does this have to do with an "Online Batman Game"? Well, nothing, actually. Aside from the fact you were presented with one thing and are now handed another, things get even stranger when you see the download location:

batzang00.gif
Click to Enlarge

Have you ever heard of an officially licensed game being offered via Rapidshare downloads? It's possible, I guess, but it seems a little odd. However, the real oddness is reserved for the "Online Batman game" itself.

Remember, we've been promised "Hundreds of quests", "A huge vast world", the ability to "level up your character" and "play online with your friends".

batinstall.gif
Click to Enlarge

Imagine your dismay, then, when you've installed Zango, downloaded the game from Rapidshare using up around 140MB of bandwidth, installed it and....

batdemo.gif

Oh dear.

Not only are you given a totally different game than what was advertised, you're given a DEMO VERSION of that game with four short sample levels present, no online functionality and quite a few fewer quests than the "hundreds" advertised.

Hilariously, you can download a 100% legit copy of this demo here at Fileplanet, sans Adware. Setting aside the issue of whether this file is actually sitting on Rapidshare with either Ubisoft or DC / Warner Bros permission (and if it IS okay to be there, I'm pretty sure it's NOT okay to falsely advertise it as some kind of MMORPG) there are some questions that need to be raised.

When this guy approached them with his website, did nobody stop to think that this game did not actually match up with the "Online Batman" game it was touted as? Didn't someone at Zango Quality Control actually download the game and see the big "This is a demo" wording as soon as it starts up? Or question why the screenshots on the website don't look like the graphics for Batman: Vengeance in the slightest?

However you look at it, this is a scam, pure and simple. Whoever came up with the idea of an "Online Batman Game" is lying through their teeth. Of course, because their website is registered anonymously we have no idea who the culprit is, unless of course Zango want to deposit them on the steps of Gotham City and let me dispense some Batman-style justice to their posterior.

However, based on the way these things tend to go - God forbid anyone ever offer up the identity of someone happily scamming the public at large, even when that person is dragging the name of the company associated with them through the mud by their antics - I think I might be waiting some time for the Bat Signal...

A Costly Crush

I've seen a few blog posts over the last couple of days, with people complaining about an application on Facebook charging them crazy amounts of money. Certainly, there's a lot of angry Facebook users out there:


crushtracker0.gif
Click to Enlarge

Some more complaints? Sure, I can do that:

hugecrush1.gif


There are many, many more like the above comments out there. One slight problem with all of this is that the complaints are scattered across a whole range of different Crush application forums - in short, they're all being blamed, but they can't all be doing this, can they? What's the alternative, though?

A short while ago, I wrote about deceptive advert placements with regard to another Facebook application. It seems we have a similar situation here, where an "enterprising" ad network is placing Facebook-style buttons onto installer pages and hoping people will be fooled. As it turns out, it seems to be working. While attempting to install one randomly selected Crush application, I noticed the following advert at the top of the installer splash (highlighted in red):

hugecrush3.gif
Click to Enlarge

It's easy to imagine a regular Facebook user thinking this is part of the application install and clicking "Ok". Do that, and you're taken to a site called Amazingchat(dot)net that throws up a fake message regarding you having "7 New Crush Messages" (and uses geolocational technology to point a targeted message your way). If you look like you're in the UK, you'll see this:

hugecrush4.gif
Click to Enlarge

Wow, FOUR of my (fake and non-existent) messages are from Sheffield! How about if I look like I'm in the States? You've guessed it....

hugecrush5.gif


Windy City, here I come!

Not. It's looking promising so far, though. If we can just go to the next screen and see something utterly useless advertised in exchange for lots of money....

hugecrush666.gif
Click to Enlarge

Horoscopes for only £9 / $15 a week? WOW!

Also, there go your savings.

Could this be the site at the heart of so many complaints? Well, let's quickly check who runs it...

hugecrush7.gif

"Sms-helpdesk", eh? I do believe I've seen a long thread concerning people having issues with large bills for phone messages. Indeed, a rep from sms-helpdesk actually appears to be posting there:

hugecrush8.gif


Shame it seems some people can't even get through to the supposed helpline. Perhaps "Denise" would be better off tackling the deceptive placement of adverts made to look like installer buttons, not to mention non-existent crush messages based around geolocational targeting?

Just a thought...
Over the last few days I've seen a scan doing the rounds on a couple of adult webmaster sites & forums, like here (Warning: there may be NSFW content on that forum). There's another link here regarding some follow up information which seems to be safe for work, but the forum it links to most definitely isn't. Just a heads up.

Anyway, the source of all the commotion is this scan, the contents of which read:

Epic Cash Files Lawsuit Against Zango and Adult Friend Finder

On August 26, 2008, Epic Cash LLC filed suit against Zango, Inc. and the owners of AdultFriendFinder.com for Unfair Business Practices, Unfair Competition, Tortious Interference with Prospective Economic Advantage, Unjust Enrichment, and Conversion.

Check the scan for full details - the root of the problem seems to be Epic Cash claiming Zango Adware diverted traffic away from Epic Cash websites and "converted Epic Cash's business to their benefit".  This could prove to be interesting...
It's nothing new that many hackers use programs that allow them to "spy" on their victims once they've compromised the PC (as long as the victim has a webcam switched on, of course). Similarly, hacking culture has always had a fascination with memes, incorporating them into the design of their latest DDoS tools.

However, the strange obsession with shock memes has now spilled into a "fun" game currently doing the rounds on various hacking sites and forums.

What this involves is hackers compromising a PC (using whatever tool they like that lets them connect to a victim's computer; there is no specific executable used for this), ensuring the victim has a webcam switched on, then opening up shock meme websites at the most inopportune moment and recording the moment of impact with the webcam feed. Or, as one guy put it:

spinny1.jpg


If you don't know what Meatspin is, you can probably count yourself lucky. If you still want to know, click here (for an explanation. Not Meatspin itself, though the explanation might be classed NSFW anyway).

Here's a real life example of one such incident, taken from a message board:

spinny2.gif
Click to Enlarge

Typically, the shock meme website is opened up at full blast, which startles the victim (most sites of this nature loop a piece of music in the background while the, er, action takes place on screen). The bigger the shock, the better. Here's one guy who sounds like he shot about six feet in the air when the meme site fired up in his browser:


spinny3.jpg
Click to Enlarge

This might all sound like fun and games - sort of - but note that the above individual did try to grab the victim's credit card details.

Generally, the attacker doesn't interact with the victim (because they want friends, relatives or others to think the victim actually brought the site up themselves) but here's a little trash talk anyway:

spinny4.jpg


At this point, the attacker may or may not grab a screenshot for posterity. I've seen quite a few galleries on sites comprised of people looking shocked at Tubgirl, or being spun round baby right round by Meatspin, and there's no doubt countless others out there floating around. Of course, not everybody is shocked (or indeed impressed) by a shockmeme site popping up on their computer. As an example of that, take this guy:

spinny5.jpg


Full credit to anyone that counters a shockmeme site appearing on their desktop by picking their nose for five minutes. At any rate, the golden rule with this is that the hackers only bother doing this when a webcam is present and left switched on. If there's no webcam, there's no point trying to elicit a response (because for all they know they're popping open 2 Girls and 1 Cup to an empty server room).

Webcams can be a fun tool, but remember to switch them off every now and again or they could come back to haunt you. Of course, depending on the shock meme site deployed (and who happens to be in the room with you at the time), that could be the least of your worries...


securetags.jpg
Click to Enlarge

...courtesy of Secureonlinetags(dot)com, seemingly associated with popups from rogue antispyware hijacks. The feedback isn't particularly positive on Siteadvisor either, so you might want to block this domain.

About this Archive

This page is an archive of entries from September 2008 listed from newest to oldest.

August 2008 is the previous archive.

October 2008 is the next archive.

Find recent content on the main index or look in the archives to find all content.