November 2009 Archives

Fake Program Is Fake...

Throw another fake program that claims to "hack" XBox Live accounts on the pile:

[Screenshot: fakebawkz1.gif]

If you ever run anything like the above on your PC, the only thing you'll hack is yourself.

Don't do it, kids!

You know how the nice man on the internet offers you free stuff and you download the free stuff and run the free stuff?

Yeah, you don't want to be doing that. With the launch of Modern Warfare 2 and Left 4 Dead 2 on PC in recent weeks, it's only natural that people would quickly jump on the shenanigan bandwagon.

Case in point:

[Screenshot: mwl4d21.jpg]

Numerous forums, chatrooms and Youtube videos abound with plentiful Left 4 Dead and Modern Warfare Keygens that really, really work (honest) and most definitely aren't infection files in the slightest.

No sir. Would we put something like this in a video comment if it was an infection file?

[Screenshot: mwl4d22.jpg]

...uh...don't answer that.

Anyway, they look nice:

[Screenshot: mwl4d23.jpg]

[Screenshot: mwl4d24.jpg]

[Screenshot: mwl4d25.jpg]

...but they all come with horrible stings in the tail. Some are designed to be bound with whatever infection the attacker wants to bop you over the head with; others come pre-rolled with a malicious file onboard like the one below that's currently being promoted on various Youtube videos:

[Image: Modern Warfare / L4D2 Keygen Worm, originally uploaded by Paperghost.]

Allow the randomly named file to open fire on your PC, and you'll see many entries like this filling up a HJT log:

[Screenshot: mwl4d27.png]

That particular file is a worm, and not a particularly nice one at that. Make no mistake, any and all "keygen creators" you'll see over the coming weeks in relation to the above PC games should be avoided like the plague... or a zombie... or a heavily armed soldier that keeps respawning from the same hut even though you shot him dead ten times already.

Stupid respawns...

Testimonial Fail

[Screenshot: testmonfail.gif]

Whoops.

Ever wondered exactly how people who enjoy putting malicious files into the wide blue yonder ensure their bundles of joy are as attractive as possible to those who would happily download them?

Well, I came across this program today and thought it was worth looking into. It dips into what's hot and current in the world of free downloads then uses that to ensnare as many potential victims as possible.

How do they do it?

[Screenshot: iwrz01.png]

The above program helps, for starters. Fire it up and you see this:

[Screenshot: iwrz02.png]

As you can see, there are a number of "Top 100" options for music, videos, software and a download button. What are we downloading, and from where? The answer to the first question is quickly revealed when you see a number of text files deposited in one of the application folders:

[Screenshot: iwrz03.png]

Open up the "Musik" file, and you're presented with a long list of rather current albums:

[Screenshot: iwrz04.png]

A quick check of network traffic and the source of the lists is clear:

[Screenshot: iwrz07.png]

Compare the list of albums above with the below screenshot of the Top Album Torrents on The Pirate Bay, organised by number of Seeders:

[Image: Popular Pirate Bay Downloads, originally uploaded by Paperghost.]

In a simple (yet rather clever) move, the program sorts the various types of file by the number of seeders they have on The Pirate Bay, then rips the names of each file (be it music, video or something else altogether) and arranges them in lists on your PC. From there, it is child's play to apply those names to your infections (the tool also allows you to change file sizes, icons and remove version data to make your infection look more like the real thing), then offer them as downloads on forums, free file hosting and anywhere else the attacker can think of.

By using this tool, someone with a penchant for rogue file distribution is always going to have an easy to use list of the freebies most in demand by the downloaders, and (unfortunately for us) it all makes pimping their infections that little bit easier.

Talk about harnessing people power...

"Block Checkers" are those wonderful scam sites that claim to be able to show you who has you down as "blocked" on your favourite IM application. They've been around for a while, but always take the form of a website that you enter your details on. Once you've entered your login, you can expect to see your IM account sending lots of spam for viagra (along with adverts for the block checker site you used) to all of your contacts.

It's a rather spectacular way to lose all your friends on Instant Messaging (and it quickly answers the question "Who is blocking you?" Answer: everybody).

Well, some wily individual has taken inspiration from the static webpages and come up with a Block Checker in the form of an executable file. However, this one has somewhat more sinister intentions than spamming links to a useless block check website with the occasional advert for a genuine rolex watch.

Shall we take a look?

[Screenshot: mobbkck1.jpg]

"MSN Block Checker", from Microsoft Corp. A quick check - aha - will reveal a different story:

[Screenshot: mobbkck2.jpg]

"MsnFake"? Oh dear. Here's what the program looks like when fired up:

[Screenshot: mobbkck3.png]

Do you want to see the obligatory fake error message that appears when you enter your Windows LIVE ID and hit "Sign in"? Of course you do.

[Screenshot: mobbkck4.png]

Faintly humorous that they left "MsnFake" in the popup box. Examining the code of the program rather gives the game away:

[Screenshot: mobbkck5.png]

Yes, your LIVE ID login will be mailed back to base. Given that your Windows LIVE ID could be associated with your IM account, your EMail, XBox Live and a bunch of other stuff this could be a Very Bad Thing(TM).

One bright spot here is that the program is being distributed in pieces - that is, as a collection of files and images that need to be compiled once you've entered the EMail address you want the stolen logins sent to. Here's what the typical wannabe user will see immediately after downloading it:

[Screenshot: mobbkck6.png]

Hopefully this will result in lots of people creating absolutely unusable infection files, but it pays to be on your guard. NEVER, EVER run a "Block Checker" program because generally speaking a scam based on a scam is not a good thing to get tangled up in.

We detect this file as Mob.Blockcheck.

You might want to keep an eye on your honesty levels over the next few weeks where Facebook is concerned - sometimes trying to find out more than you're entitled to will bite you on the backside, as we're about to see.

You may or may not be familiar with the "Honesty Box" application on Facebook - like similar features on Myspace etc, it allows people to leave entirely anonymous messages on your Facebook page to the tune of "I love you" or "You're a big stinky head" leading to hours of fun for all the family.

It seems a group of individuals are spamming a fake program to the walls of unsuspecting Facebook users, promising to "reveal all" with regards who called them an idiot at 2 in the morning:

[Screenshot: honbox2.jpg]

The program claims it will strip out the hidden data from your honesty box, then convert it into a name so you know who left the message. Of course, it's all nonsense; the program is bound with a random Keylogger / Trojan / Virus of the attacker's choosing, which means your day could take a very random and unfortunate turn depending on what they have in store for you.

[Image: Fakey fakey, originally uploaded by Paperghost.]

This could be a perfect setup for scammers to phish accounts, then use those compromised accounts to spam the application onto more Facebook walls, where new victims can be attracted by the lure of "really secret stuff".

Avoid!

[Image: Fake Keygen, originally uploaded by Paperghost.]

If you have an annoying relative who can't help themselves when it comes to grabbing "free stuff" online which turns out to be "horrible stuff" once they run the file, you may want to direct them to this blog entry with vague finger wagging and maybe the occasional grimace.

A fake program designed to be bound with whatever infection file the attacker decides upon is currently doing the rounds on forums and the odd video sharing website comment.

As you can see from the above screenshot, it's a fake Kaspersky Keygen and once you run the file you'll activate whatever nasty it's been bundled with. You can see a rather funky animated version of the above here, as it pretends to generate serials while dropping some Leet Hax-Fu on your system in the background.

Of course, the solution here is not to run Keygens and to buy the product legitimately, but failing that, show your wayward relative this post then confine them to the attic with a bucket of fish heads...

Not so long ago, I wrote about "Google are hiring" spammers on Twitter, and how they were apparently using "Twitter like" bird images as their avatar - one would think to make themselves look a little more "official" than someone with a "buy stuff now" image, which would be a clear clue to a spammer.

I said "There's a lot of these profiles around at the moment - ignore / block the lot of them and hope Twitter gets a grip on this fresh wave of spammers..."

At the time, I thought it was obvious that I was referring to blocking them based on their message content (as opposed to the images they used, however funky or generic they may be), but it seems I should have been clearer and now someone is a little grumpy about it.

It was later pointed out that the images were the new default images for Twitter profiles without an avatar - due to an error with the comments moderation, the two comments posted to that (along with a bunch of others) were lost to the void and only recently reclaimed.

No problem, article updated.

However, there's this blog entry still to address (written six days after a comment was made from a poster whose submission went AWOL) and I don't think she's very happy with me:

"I have friends with these new bird avatars and I can attest to the fact that they are not spammers. They do not deserve to be blocked and treated as if they are. They have done nothing wrong."

The image change was something I noted about the spam accounts; however, I thought the rather large clue as to who to block was in the screenshot and article title: namely, accounts spamming "Google are hiring".

[Screenshot: googzhrz101.jpg]

After all, why would you block a friend if they weren't physically sending "Google are hiring" spam given that was what the spam accounts were sending? It seems faintly ludicrous to think someone would mentally disassociate the content from the ultimate decision to block communications based purely on me mentioning the image changes, but there you go. I'll try to be clearer next time, and I guess I'll place the award on the mantelpiece...

About this Archive

This page is an archive of entries from November 2009 listed from newest to oldest.
