
The SpywareGuide Greynets Blog


October 30, 2007

  • YHGames - No Fun, No Games

Do you think the following website is all sweetness and light?


.....well, now that you mention it....


....whoops. Still, it's worth noting that, as with so many of these infection files, you DO sometimes get a few chances to redeem yourself before everything goes pear shaped:


Mind you, this would be a pretty boring blog entry if we did the sensible thing and failed to run the executable, right? Run it, run it, I hear you cry.

Well, okay then, just for you I'll run it...this is what ends up in your System32 Folder:


One of the files made reference to IFRAMES inside the code - never a good sign:


The page mentioned wasn't available during testing, so it could have been trying to load pretty much anything at all, from dubious advert to rogue executable. Who knows. What we do know, is that when everything is done and dusted, you're left with references to Browser Helper Objects:


...Winsock Layer hijacks...


...and a rogue service:


....that's a lot of hoop jumping to monitor what websites you're visiting, but oh well.

YHGames - no fun, no games.

October 25, 2007

  • IKatzu - EULA Fun and Tangled Trails

Presenting IKatzu, the browser helper object that supposedly pops adverts but doesn't actually seem to do anything. Not at the moment, anyway - but that doesn't mean we can't investigate. Shall we dig around behind the scenes and see where this comes from? Let's kick things off by looking at some of the files that get dumped into your System32 folder when the initial executable is activated by the user:


The purpose of this bundle of joy is to show you adverts - as you might have expected. However, what's far more interesting than the actual application is the tangled web behind the software. A quick Google for the program seems to hint at a page promising terms and conditions, from a site called Artella.biz. However, at present the "page is not available". Thanks to good old Google cache, I was able to retrieve the T&Cs - because I'm sure Artella don't want those going missing, right? - and ran them through the EULA Analyzer. A brief look at the page made my teeth grind and probably clenched a few fists, because it is so reminiscent of the "Olde Worlde" Adware bundle license agreements from 2005 / 06, where six hundred odd applications are listed along with links to other website EULAs, many of which would lead you to 404 errors or worse. I was hoping this kind of license had gone out with the Ark, but apparently not. In this case, things aren't much better - for the sake of an application that's supposed to show you some adverts, on a regular 17 Inch monitor (at least, I think that's what I'm using, don't blame me if I'm wrong), the whole thing took SEVENTEEN PAGES OF INDIVIDUAL TEXT to scroll through.

That's a lot of text.

There are also a few links off site to other pages of information, and references to companies that might be included "if applicable". All in all, not the best start. However, it gets worse - the entire EULA can be read here, and these are the results:

Number of characters: 55671
Number of words: 9399
Number of sentences: 357
Average words per sentence: 26.33
Flesch Score: 23.5
Flesch Grade: 17 : Beyond Twelfth Grade reading level
Automated Readability Index: 20 : Beyond Twelfth Grade reading level
Coleman-Liau Index: 21 : Beyond Twelfth Grade reading level
Gunning-Fog Index: 42 : Beyond Twelfth Grade reading level

...that's a pretty crazy EULA someone expects you to wade through. 9,399 words? 300+ sentences? All to see some ads? No thanks.
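The figures above come from FaceTime's EULA Analyzer. As an added example (not the tool's own code, and not from this blog), the script below computes the same readability measures, Flesch Reading Ease, Flesch-Kincaid grade, Automated Readability Index, Coleman-Liau Index and Gunning Fog, from their published formulas over a constructed three-sentence licence snippet. It assumes a simple vowel-group syllable heuristic, so the syllable-dependent scores approximate rather than reproduce the tool's output; the "Beyond Twelfth Grade" label mirrors the one the tool reports.

```python
import re
from typing import Dict

# Constructed sample licence text for this example (not from the IKatzu EULA).
SAMPLE_TEXT = ("This software is free. It is subsidized by an advertising component. "
               "Uninstallation requires a form.")

WORD_RE = re.compile(r"[A-Za-z']+")
SENTENCE_END_RE = re.compile(r"[.!?]+(?:\s|$)")
VOWEL_GROUP_RE = re.compile(r"[aeiouy]+")
# Common silent endings (-es after a consonant, -ed, -e after a consonant).
SILENT_ENDING_RE = re.compile(r"(?:[^laeiouy]es|ed|[^laeiouy]e)$")


def count_syllables(word: str) -> int:
    """Heuristic syllable count (an assumption of this example): strip a silent
    ending, then count runs of vowels. Dictionary-based tools differ on some words."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    if len(w) <= 3:
        return 1
    w = SILENT_ENDING_RE.sub("", w)
    w = re.sub(r"^y", "", w)          # leading y is a consonant sound
    return max(1, len(VOWEL_GROUP_RE.findall(w)))


def analyze(text: str) -> Dict[str, float]:
    """Return the raw counts and the five readability scores for `text`."""
    words = WORD_RE.findall(text)
    n_words = len(words)
    if n_words == 0:
        return {"characters": len(text), "words": 0, "sentences": 0}
    n_sentences = max(1, len(SENTENCE_END_RE.findall(text)))
    n_letters = sum(c.isalnum() for c in text)       # letters and digits (ARI, Coleman-Liau)
    syllables = [count_syllables(w) for w in words]
    n_syllables = sum(syllables)
    n_complex = sum(1 for s in syllables if s >= 3)  # Gunning Fog's "complex" words

    wps = n_words / n_sentences                      # words per sentence
    spw = n_syllables / n_words                      # syllables per word
    lpw = n_letters / n_words                        # letters per word
    return {
        "characters": len(text),
        "letters": n_letters,
        "words": n_words,
        "sentences": n_sentences,
        "syllables": n_syllables,
        "complex_words": n_complex,
        "words_per_sentence": wps,
        "flesch_reading_ease": 206.835 - 1.015 * wps - 84.6 * spw,
        "flesch_kincaid_grade": 0.39 * wps + 11.8 * spw - 15.59,
        "ari": 4.71 * lpw + 0.5 * wps - 21.43,
        # Coleman-Liau uses letters and sentences per 100 words.
        "coleman_liau": 0.0588 * (lpw * 100) - 0.296 * (n_sentences / n_words * 100) - 15.8,
        "gunning_fog": 0.4 * (wps + 100 * n_complex / n_words),
    }


def grade_label(grade: float) -> str:
    """Mimic the 'Beyond Twelfth Grade reading level' wording seen in the post."""
    if grade > 12:
        return "Beyond Twelfth Grade reading level"
    return f"Grade {max(1, round(grade))} reading level"


def report(text: str) -> str:
    """Format the analysis the way the EULA Analyzer output above is laid out."""
    m = analyze(text)
    lines = [
        f"Number of characters: {m['characters']}",
        f"Number of words: {m['words']}",
        f"Number of sentences: {m['sentences']}",
        f"Average words per sentence: {m['words_per_sentence']:.2f}",
        f"Flesch Score: {m['flesch_reading_ease']:.1f}",
        f"Flesch Grade: {m['flesch_kincaid_grade']:.0f} : {grade_label(m['flesch_kincaid_grade'])}",
        f"Automated Readability Index: {m['ari']:.0f} : {grade_label(m['ari'])}",
        f"Coleman-Liau Index: {m['coleman_liau']:.0f} : {grade_label(m['coleman_liau'])}",
        f"Gunning-Fog Index: {m['gunning_fog']:.0f} : {grade_label(m['gunning_fog'])}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_TEXT))
```

Feed it a real EULA (read from a file) and the grade labels tell you at a glance whether an "agreement" is something an ordinary user could plausibly have read before clicking Accept.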

There's a fair amount of talk regarding removal of the advertising software in conjunction with something called "Upads.biz", so off we go to have a look:


...is it just me, or does the picture of the laughing dude creep you out too? Ick. Anyway, a Whois search is predictably fruitless:


Any and all useful information is hidden by "Moniker Privacy Services". That seems to be true for most (if not all) sites involved in this distribution network. We're left with Artella, so let's go check them out:


The interesting thing here is that although this site also has its contact details hidden via Moniker Privacy Services, they sort of made that pointless by placing an address on the front page of their website - 48 Bella Vista, Edificio No. 27, Local No. 2, Ciudad de Panama, Rep. De Panama.

Bit weird?

Anyway, we finally have an address so we're vaguely better off than we were previously. However - things are about to get even weirder. Let's take a quick jump over to their Uninstall Page where they come down hard on anyone wanting to remove their application from a PC:


"Please be aware that many so called "ad ware removers" and "spy ware removers" can cause damage to your computer and may alter your computer in such a way that our automated removal application will not function. At the present time, there is no third party software which is capable of removing Artella applications. If you have purchased an application which claims to remove Artella, we encourage you to contact your credit card company and request an immediate reversal with the reason of "Product Not As Described" and/or contact the Better Business Bureau."

.....ouch! And "no third party which is capable of removing Artella applications"? I guess this was just a dream, then. I went and tried their Uninstaller:


Imagine my dismay, then, when after hitting the YOU REMOVE NOW button the entry from Add / Remove programs just....vanished. No confirmation, no box appearing to say job well done....nothing. The entry from "Manage Add Ons" in IE had vanished, and a few files had disappeared from the System32 Folder, but that was about it - a bunch of files were still sitting there with no real indication that anything much had changed.

So I restarted my machine, hoping to see a lean, clean machine - but, lo and behold....


...the same files, still sitting there! Are they active? Are they dead? And aren't I supposed to report those pesky removal tools to the Better Business Bureau? "Who knows" is what the response of the average (and probably not so average) Internet user is going to be. Even better, running a quick HijackThis scan shows the following:


...ads_cpd.exe is still listed as a service! (It's still sitting in the System32 Folder, too). Considering they spent so much time complaining about third party removal tools, you'd have thought they'd have done a better job of it with their own uninstaller but oh well.
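The Browser Helper Object, Winsock layer and rogue service leftovers described for YHGames above, and the ads_cpd.exe service HijackThis still lists here, are exactly the O2, O10 and O23 entries a responder triages by hand. The script below is an added example, not code from this blog, FaceTime Security Labs or HijackThis: it parses a few log lines written in HijackThis's format (constructed for the example; only the ads_cpd.exe service line is modelled on the entry described here, and every other name, CLSID and path is made up) and flags the entries these posts describe as hijacks: nameless BHOs loaded from System32, unknown LSP files, and services with no identified owner. The remediation hints are the standard ones for each category; the `netsh winsock reset` command assumes Windows XP SP2 or later.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the format HijackThis writes its log. Only the
# ads_cpd.exe service line is modelled on the entry described in the post;
# the other names, CLSIDs and paths are made up for this example.
SAMPLE_LOG = r"""
O2 - BHO: Example Toolbar Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\exhelper.dll
O2 - BHO: (no name) - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\WINDOWS\system32\ikz_bho.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ylsp32.dll
O23 - Service: Example Updater (ExUpdate) - Example Corp - C:\Program Files\Example\updater.exe
O23 - Service: ads_cpd (ads_cpd) - Unknown owner - C:\WINDOWS\system32\ads_cpd.exe
"""

# HijackThis section codes: O2 = Browser Helper Objects, O10 = Winsock LSP
# hijacks, O23 = NT services.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$", re.IGNORECASE)
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<service>[^)]+)\) - (?P<owner>.*?) - (?P<path>.+)$")

REMEDIATION = {
    "O2": "Remove the CLSID under HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects, then delete the DLL.",
    "O10": "Remove the LSP entry and repair the catalog (netsh winsock reset on XP SP2+), or the machine may lose network access.",
    "O23": "Stop and delete the service (sc stop / sc delete <name>), then remove the executable.",
}


@dataclass
class Finding:
    code: str    # HijackThis section code
    item: str    # BHO name / service name / "Winsock LSP"
    path: str    # file the entry points at
    reason: str  # why it was flagged


def in_system32(path: str) -> bool:
    """True when the file lives in the System32 folder (case-insensitive)."""
    return "\\system32\\" in path.lower()


def triage(log_text: str) -> List[Finding]:
    """Flag the suspicious O2 / O10 / O23 entries in a HijackThis-style log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            reasons = []
            if m["name"] == "(no name)":
                reasons.append("BHO registered without a name")
            if in_system32(m["path"]):
                reasons.append("BHO DLL loaded from System32")
            if reasons:
                findings.append(Finding("O2", m["name"], m["path"], "; ".join(reasons)))
            continue
        m = O10_RE.match(line)
        if m:  # any unknown LSP file is worth a look: it sees all socket traffic
            findings.append(Finding("O10", "Winsock LSP", m["path"],
                                    "unknown file inserted into the Winsock LSP chain"))
            continue
        m = O23_RE.match(line)
        if m and m["owner"].strip().lower() == "unknown owner":
            # A missing vendor is a triage signal, not a verdict: confirm before acting.
            findings.append(Finding("O23", m["service"], m["path"],
                                    "service has no identified owner"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per HijackThis section code."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


def report(findings: List[Finding]) -> str:
    """Human-readable triage report with the remediation hint for each category."""
    lines = [f"{f.code} {f.item}: {f.path}\n    why: {f.reason}\n    fix: {REMEDIATION[f.code]}"
             for f in findings]
    return "\n".join(lines) if lines else "nothing flagged"


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

The heuristics are deliberately narrow (nameless BHOs, System32 DLLs, unknown LSP files, ownerless services) so that a clean log produces nothing; widen them only once you know what your own baseline looks like.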

We're not done yet with this page, either. Remember "48 Bella Vista", listed as their "main headquarters" on the frontpage of their website? Well on the Uninstall Page, their "main headquarters" are listed as "Avenida Winston Churchill, Edificio Vista Del Mar, No. 43 Ciudad de Panamá, Rep. De Panamá."

....is it just me, or do they have two different main headquarters?

Let's finish this one off with a familiar face - going back to the huge EULA page, who should be listed but....


...Mirar! Yep, just when you thought things couldn't get any more convoluted, along comes yet another element into an already crowded and confusing mix.

....what was I writing about again? Oh yeah, IKatzu. Sorry. Given the seemingly endless EULA pages, the amount of secrecy with regard to who a lot of these associated sites are registered to, the multiple "main headquarters" addresses, T&C pages that seemingly no longer exist and an uninstaller that doesn't really instill faith in the end-user, I don't recommend installing this application.

......be honest, did you think I was going to say anything else?

October 23, 2007

  • Q Nyx - Popup Heaven

Here's an interesting one from China... "Q Nyx". No idea what that means, but it isn't good if you get it on your PC. Your computer won't go into meltdown or anything, but you will see a lot of popups. It's a fairly standard hijack, with a whole bunch of files dumped into your System32 Folder:


From there, generic popup windows and slightly porntacular images are the order of the day:


A number of security programs are mentioned in the code of one of the executables, which would seem to indicate it's going to try and tamper with them:


....never a good thing, really, is it?

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research and Discovery: Chris Mannon, FSL Senior Threat Researcher

October 18, 2007

  • DSData - There's A Storm Brewing

My colleague Chris Mannon recently came across a file that contains all sorts of Botnet fun and games, along with a fair amount of spam related action into the bargain....and a final tie-in to a familiar face. Shall we take a look?

Of course.

I always like to get a look at the file sitting all harmless and stuff on the desktop - don't you? I hope so, because here it is:


...yeah, it's not doing much yet but it does get more interesting. If the end user is duped into running the executable, it vanishes and deposits two files into the System32 Directory:


It should come as no surprise that both files are "in use" by another application and you can't delete them via normal methods.

That's not all - I mentioned Spam, right? Well, while running, it has the ability to manipulate mail in Outlook (spam, spam, spam, spam) and specifically looks for Opera Mail usernames and passwords.

Can you guess what kind of Spam it sends?


....yep, it's related to our "good friend" The Storm Worm, because "Get Krackin" is the latest scam to come out of the Storm Stable.

We detect this bundle of joy as DSData.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research and Discovery: Chris Mannon, FSL Senior Threat Researcher

October 17, 2007

  • SkypeDefender Doesn't Defend

Skype were good enough to notify us about something they recently came across, and the results are pretty interesting. To kick things off, here's a victim complaining about the infection on the Skype forum.

....read that? Okay, cool. Then let's begin:


As you might have guessed, that's the executable sitting on your desktop. Run it, and you'll see the following:


...oooh, the promise of plug-in excitement! However, what you see next should give the game away. Note the amazingly out of place login button on the fake Skype application:


If you enter your login details, you'll be handed a "Your details aren't valid" message:


....at which point, your login credentials have been sent back to base. We detect this as Skype Defender - do yourself a favour, and ONLY download applications related to Skype from the official Skype website.

September 06, 2007

  • The Twisting Tale of Messenger Skinner

Upon hearing bad reports about a product called "Messenger Skinner", we decided to investigate. The program (whose target audience must strongly favour kids by virtue of the fact that the most entertaining thing it gives you is dancing bananas) has a number of issues that make it something I'd rather not recommend. Note:

"Messenger Skinner is free of any kind of spyware or trojan".

Interesting statement. Let's continue.


...looks innocent enough so far, but things are about to get messy.


Presented with a "real" installer. That's good.

The text box is stupidly small. That's bad.

The "no" button is pre-checked and you have to physically select yes. That's good.

I don't like the colour scheme. That's bad.

The EULA is certainly comprehensive. That's good.

But that's only because there's apparently two of them.

That's bad.

See, during install, the EULA you see is NOT the EULA you see by clicking "Terms and Conditions" from the program entry on your Start list. Indeed, once installed, all you really get is a very general ramble about liability, licensing and intellectual property. Right at the end, under "Uninstall", you get the briefest of mentions for this:

"This software is completely free as it is subsidized by the Favorit contextual advertising component."

....ooh. In fact, we need to hope that anyone installing the program not only took great note of the EULA during install, but copied and pasted it onto their system to get a better idea of what's likely to be going on in their system.



1.1.MessengerSkinner, a Freeware application, offers a button which allow you to add funny emoticons and other things to MSN Messenger (R) 7.0, 7.5 and Windows Live Messenger (R).

1.2. The Software includes a component which will remain active at all times with the objective of verifying and ensuring the correct functioning of the Software, and offering other advantages (“Component”). When the User is connected to the Internet the Component will make periodic connections to the Provider’s servers in order to check that there are no problems in the access network or the User’s Computer. If any error which prevents the normal use of the Software is detected in the User’s Computer, the Component will seek to identify and solve it. Any changes that the Component makes to the User’s Computer will be to clearly non-essential parts thereof and for the purposes referred to in these Conditions. THE USER REQUESTS AND AUTHORIZES THE INSTALLATION AND UPDATING OF THIS COMPONENT TOGETHER WITH THE SOFTWARE IN ACCORDANCE WITH THE TERMS SET OUT IN THESE CONDITIONS. The Component will carry out the tasks described in these Conditions only when the User is connected to the Internet, whether using the Software or the User’s regular Internet connection. In any case, the User can easily uninstall the Software or the Component by selecting “Access Connection” and “Component Add-On” respectively in the appropriate section of the operating system control panel. Users should be aware that upon such uninstallation, the advertising messages might be sent during a period of three months after said uninstallation, the benefits provided by the Component will not be available and in certain cases the Software (if retained) or the Provider’s services may not function correctly.

Adverts for three months after uninstalling? Nice! As you'll see later, the hoops you need to jump through to uninstall hark back to the "good old days" of Direct Revenue making you download additional software to uninstall the first unwanted program. Tonight we're gonna' party like it's 2004! Yay!

1.4. In order to carry out the operations referred to in the paragraphs above, the Component will send certain data from the User’s Computer to, and will receive information and requests for these purposes from, the Provider’s servers. The data sent to the Provider’s servers by the Component will be limited to technical and connection information such as: operating system user name, name of the computer in the operating system, IP address of the LAN of the computer, country of connection, browser default country, operating system version, operating system or browser service packs installed, ID of the most recent browser update, vertical and horizontal resolution of the monitor screen, IP address of the most recent internet connection, maximum and average response times, percentage losses, name of the last RAS connection and others relevant for the purposes indicated. The User authorizes such exchanges of information with the Provider’s servers in accordance with these Conditions. At no time will any information regarding Internet sites visited or other activities of the User be sent to the Provider’s servers; this information will be processed within the User’s Computer in order to anonymously select advertising or other messages to be shown to the User. In no case will the Provider be able to identify the User nor will any profile of the User be created.

...."limited to"? What else is there left to grab, shoe size?

For the sake of this:


....I'm starting to feel pretty uncomfortable about installing this program. Oh, note that I had to blank a few smileys out because they were, er, sort of rude. Enjoy, kids!

Anyway, now we come to the meaty part. If you installed this program and happened to run, oh, I don't know....a bunch of Rootkit Scanners...you'd probably see something a little like this:


.....and, from another testbox, something like this:



....hidden, randomly named executables? Oh, awesome. That's just what the world needs more of. I guess that's why Symantec say the following on this writeup, then:

"# Hides the following files by using rootkit technology:

* %System%\[RANDOM].exe
* %System%\[RANDOM].dat"

......to coin a phrase, whoops.

At this point, I bet you're dying to see the program in action, right? Exactly how does Messenger Skinner operate in the context of the MSN Chat system? Well, the answer is faintly interesting:


.....check it out, it almost totally hides the adverts served up by MSN! I wonder if they'd be happy knowing this product did that? I guess we'd better move onto the uninstaller that time forgot. In the rather general "terms and conditions" available from accessing the program via the Start menu, right at the bottom, is this:

This software is completely free as it is subsidized by the Favorit contextual advertising component.

The end user can uninstall our component by filling the following form:

.....oh dear. I'm sort of surprised anyone still releases applications like this - especially as it all smacks of hoop jumping and a faint impression that they don't actually want you to uninstall any of these things. For a perfect example of what I mean, check out this writeup from 2005 where I battled with the Uninstaller for Direct Revenue's Aurora.

Let's all pause while you read that and say a few brief words for Aurora.

What's that? Nobody got anything good to say about it? Nah, didn't think so. Anyway....let's go over how I think uninstalling a program should go.

1) Decide to uninstall.
2) Run uninstaller.
3) The end.

Now let's see how it goes down in Messenger Skinner Land, or as I like to call it, "Hoop Jump City Central" (like Nutbush City Limits, but with a better beat).

The Main Uninstall Page:


The Terms and Conditions Page:


The Privacy Policy Page:



That's right, to uninstall the program, they insist that you open up THREE DIFFERENT PAGES and read through endless reams of text - just to uninstall something!

Not only that, but then you have to hand over your Email address to contact them, tell them why you don't want it on your system anymore and (finally) "wait for someone to look into it" and then, finally, presumably, hopefully, send you the link to the uninstaller.


But wait, it gets BETTER. Can you believe it? Look what awaits you in the mailbox:


Absolutely incredible. You're stuck with a 24 hour limit to obtain the uninstall program. If your Internet connection breaks, or you weren't planning on sitting in front of your PC all day waiting for their all important Email - too bad! Furthermore, they have such iron clad faith in their uninstaller program that if you run it more than three times, you see this:


Even better, both Panda and Prevx flag the uninstaller as suspicious:


And even better than that, there are some people out there complaining that the uninstaller doesn't actually seem to be very good at, er, uninstalling things.

Ladies and Gentlemen, I give you the epitome of "complete disaster". Without a doubt, this is one of the worst uninstall routines I've seen in years, and you can put that on a wall and frame it.

Finally, there are a bunch of domains on the server hosting Messenger Skinner that are related to the parent company. Of particular interest is one called crazygirls-world.com (registered to the same guy as Messenger Skinner), which leads you to....


.....Dialer related porn on a site called "gad-network.com". Of course, it's no surprise that we see Gad-Network leads us back to the Favorit Network site.

.....wait, didn't I get a really amazing uninstaller from there once?

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Additional Research: Peter Jayaraj, FSL Senior Threat Researcher

September 03, 2007

  • Compromised Emails Lead To IE Exploiter Tool

Sometimes, it's impossible to know where an investigation will take you. And though your initial focus might change somewhat, every now and again the focus will change so dramatically that what you end up with is nothing like what you were expecting.

This is one of those occasions.

A few days back, someone posted a link on the Spywarewarrior.com forum, asking if it was a "list of hijacked Emails". It definitely looked suspicious, so with that, off I went to have a look around.


....okay, hundreds of Email addresses with names and no other information provided. Not a lot to go on. However, a quick Directory jump back and....


Eight sets of files containing thousands upon thousands of Email Addresses.

Not just Email addresses, either. Depending on the document opened, you might find yourself looking at a collection of Email addresses, full name, postal address, IP address and time / date they submitted their form / mail to whatever website they happened to be on at the time (yes, the websites were listed too). Though we've blanked a lot out, the following screenshot will still give you an idea of how much data is up for grabs (note the scrollbar at the side of the screen is only halfway through this particular page):



The majority of the websites listed are down, but you can probably guess the content - possible prizes in exchange for your Mail Address (and possibly other information) being used in opt-in databases for "promotional purposes", anyone? Yeah, I'd think that was a good bet. There's nothing wrong with genuine opt-in....but something has gone seriously wrong here, and the potential for things to get out of hand very quickly will soon be seen.

Googling one of the domains flagged up an interesting thread on a popular Adult Webmaster forum, gfy.com:


Quote time:

"What I am offering is 150-200k Daily Emails - 4-6 Mil Unique Monthly Emails
Full Data Included. name,email,address,ip,time,date,source etc

Price is 2.5k Monthly and we also accept Weekly payments as well"

Now, at this point, everything is likely to be legit; everyone has opted in; the data is only going to be sold to "a maximum of three people".

The problem is, once you submit your details to anything online, it doesn't take long for that information to wind up in all sorts of strange places you couldn't possibly have imagined (the seller probably didn't see this coming, either). Over the course of a year or two....wow. As proof of this "wow", check out the below shot taken from another directory of the website we were looking at earlier:


....."hacked pages"? "IP Scan"? "IE Exploit"? I'd hate to be the Master of the Obvious and claim my Spidey Sense is tingling, but let's have a look at some of the items in the folders. Kicking things off with "Hacked pages", we immediately discover some cool and funky things about our targets:


Ah! Viva la Group Louz O MNIN Ndouz Room Pal! (Or was it "Le"? I never was fantastic with French). I guess at this point you'll be wanting to see an example of their handiwork, right? Oh, okay then. Here's a hacked page of theirs from sometime around July:


....yeah, that's not the most dazzling hacked page ever, is it? Kids just don't put the effort in these days. However, things are about to get a little more interesting (because one solitary page hacked does not a leet hax0r make). Let's take a look at the "IE Exploiter", because this is the unexpected gold that sends this entire investigation somewhere else entirely:



Running the tool creates a page of HTML and deposits it on your desktop. That HTML mentions a file called "Bl4ck". Haven't I seen that somewhere before?

Yep, right here in August 2006.


Put simply, you run the tool, generate your HTML and edit it (and your EXE as appropriate, or stick with the "Bl4ck" file, and keep the optional .WAV file too!) - the core of this attack appears to be this exploit. For those interested, the default hacked page will look like this:


...plain, but it gets the job done I suppose. Because you can use whatever EXE you want with this thing, there's plenty of potential for Internet badness. Here's a forum post complaining of the same exploit in October 2006 - it seems the file in that instance tries to send Spam mail. Now we can see why the guy with the Email lists would want to keep hold of a tool like that. Here's another example of a banking trojan being dropped in the same way.

But wait, we're not done yet. I recognise some of those usernames listed on the IE Exploiter tool. A few of them tied in directly with the investigations into the Q8 Army hacks from 2005/06. IM Rootkits, fake BitTorrent clients and Mr Bean videos being pushed via the BitTorrent installs (no, we never found out what the deal was with Mr Bean).

Focus on Sniper_SA, mentioned in the "Greetz" section of the program. He's responsible for the hack above featuring The Terminator (in that case, pushing the default "Bl4ck" file) but a lot more website hacks besides. Check these out:


A lot of digging around later, and I finally stumble across this website (note the fake MSN Chatbox window in the bottom left hand corner - top tip, never click these):


From there, it's only a quick jump over to Sniper's forum:


On the main page, there's a huge list of members - many of whom are either well known for their hacking exploits or (again) had their usernames come up repeatedly during the Q8 Army investigation. Here's a small selection:


....that's a pretty big collection of leet hax0rs. After wading through those for a while, I eventually came across someone posting on a number of forums who would post up hacks, cracks, virus writing techniques and more besides....the majority of the posts always giving the Email address of the IE Exploiter tool creator in his examples. It's a fairly safe bet they're one and the same person, but what really broke my brain was his avatar:


....Please, tell me you see it too.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Peter Jayaraj, FSL Threat Researcher

August 20, 2007

  • Is Purityscan D.O.A?

Here's the Database entry for Purityscan.

Here's their website:



.....things that make you go "Hmmm".

July 31, 2007

  • Blog Hijackings Lead to Zlob, Rape Porn and Rogue Antispyware

Not too long ago, a number of blogs were apparently compromised and redirects were put in place to lead you to a rogue antispyware application called Malware Alarm. Well, it looks like whoever was behind it decided to ditch the idea of compromising blogs, settling instead for setting up hundreds of Spam Blogs, pasting in some Javascript and watching all Hell break loose.

All of the spam profiles seem to have been created in July, here's a short sample:


If you visit one of the infected sites, you'll see the "real" blog page appear for a second or two:


...and then you'll be redirected to content that could be classed as "undesirable", and that's being incredibly generous.

By searching on code / URLs used in the hijack (and there are at least two sites performing redirects in combination with the Javascript employed by the bad guys), we can see that the grand total of Blogs carrying this hijack so far is...


...ouch. So far, around 1694 Blogs are carrying this redirect, and there could well be other blogs out there not accounted for yet. At this point, you're probably wondering what kind of content you're redirected to, right? Well, the answer is not particularly pleasant for any number of reasons. Some of the Blogs will send you here:


"Teenage Assault", a hardcore rape site so extreme in its content that the only thing we can show you in the screenshot is the title on the main page. Presumably anyone crazy enough to sign up to the site and pay the joining fee will earn whoever is behind this some affiliate related cash.

The second stop is....


Another spectacularly graphic page, this time a landing site for the ever-popular Zlob Trojans (which pose as Codecs needed to play pornographic content). There are many variations on these landing pages and the content is always a non-joy to behold.

Our final destination makes up the bulk of the redirects, and (as you might have guessed already) our finishing point is...


....Malware Alarm! If you fall for the fake YOUR PC IS DOOMED advertising, then you'll see the below scanner doing its job (telling you your PC is still doomed, unless you pay them money to "unlock" the scanner and remove all those horrible infections it claims you have):


Of course, if you don't pay up, then you can expect endless nag screens appearing in the middle of your screen like this:


For now, the easiest way to avoid this is to disable Javascript. We've notified Google, and as far as we can tell, they've already nuked every single example given above. As I mentioned earlier, there could well be other domains out there performing these redirects so a little vigilance may be called for over the next few weeks. Either way:


....that's the best thing I've seen all day.

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, FSL Threat Researcher

July 11, 2007

  • This Will End In Disaster

A Zlob Trojan guy has posted on a Security Forum, wondering why nobody likes his infection files.

Watch things explode here. Thanks to Suzi for the tip!

July 02, 2007

  • GTA: Hoodlife - Virus Attack is a Public Enemy

Recently, there have been a number of weblogs, forums and chatrooms where spam messages advertising a videogame similar to the below have been posted:


If you go to the YouTube video in question, you'll see the enticing prospect of what appears to be a "Grand Theft Auto game" (touted on the Modding sections of a number of GTA forums), though the modern day graphics seem to have taken a step back in time....to 1986.


As there have been a number of security stories related to YouTube in the media lately, let me say this right now: There is NO danger posed to your system through direct contact with the movie clips contained on the YouTube site itself...the "GTA Hood Life" clip is perfectly safe to play and watch. The bad guys are simply using movie files to advertise the bait (in the form of the game), at which point you go to an external website provided in the clip description text.


As you can see, 54 people have downloaded the file so far. I love it when virus writers use free hosting services that give you a general idea of how much damage they're likely to have done (though of course the file could quite easily be hosted elsewhere, too).

Anyone in the group of 54 unfortunate enough to have executed the installer will see what appears to be a legitimate installer procedure:


So far, so good. The installer completes, you run the game and once it finishes loading, you'll be doing drive-bys and coming straight outta Compton in no time at all, yes?



.....nothing to worry about, I'm sure. The Loader just seems to be a little slow, that's all....


Whoops. Looks like a hard knock life will have to wait (along with oversize novelty clocks) while we tackle the more immediate concern that not everything appears to be quite right with this PC. Yo.

Switching off the PC pretty much spells doom, gloom and other things ending in "oom" because once the desktop reappears, you'll discover that the only drive-by performed today was on your computer.


As you might have guessed from the screenshot, your PC will shut down (thanks to a pair of batch files) and you won't be able to do much with it unless you know how to boot into Safe Mode to avoid the endless automated shutdowns. For what it's worth, the batch files are supposed to display the following, but the PC shuts off before it can trigger - thanks to some technical hoodoo voodoo, we can show the popup:


....yeah, awesome. Thanks.

Anyway, exploring the video files uploaded by the YouTube user is pretty interesting - here's a shot of a clip where they tell us about an infection they had on their PC:


.....and here's a shot of a clip where they show us how to "make a fatal virus":


It's somewhat strange that they're offering help with some videos and directing people to files that cripple your PC's ability to start up with others, but maybe that's the way it is when you're West Side for Life.

And yes, I am profusely sorry for all the lame Gangsta jokes.

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, FSL Threat Researcher
Technical Research: Chris Mannon, FSL Senior Threat Researcher

June 22, 2007

  • Pornoplayer installed from fake Windows Codec

There are several ways modern spyware is infecting unsuspecting systems these days. The most common is still the method of bundling malware into trojans so that the user has as little to do with the installation process as possible. Downloader-ADV is a very large series of Trojan downloaders designed to cripple a machine with adware, password crackers, spyware, and other malware. One instance of Downloader-ADV, innocently named loader.exe, drops a pornography media player under the guise of a perfectly legitimate Windows codec. The name of this player is appropriately named, Pornoplayer.

Upon installing loader.exe, it will phone home to kozirodstwo.com. You may recognize this site for such infamous hits as PWS-Pinch and Agent-ECM. You are then directed to a pornography site called porn-party.net.


This site pushes on the user a seemingly legitimate codec from Microsoft.


This is actually an installer for Pornoplayer!


Other files are also installed along with the Downloader-ADV/Pornoplayer combo. Research also points to pornstar-photos.com installing another part of the Trojan downloader as well as being redirected to rones.porn-host.org. This site is a warehouse for pornography that installs ICOO products.

May 23, 2007

  • Skype Worm Variant Targets Other Instant Messaging Clients

Background: In recent months, there have been a number of so-called "Skype Worms" that have spread in a similar fashion to an Instant Messaging infection - the user is sent a malicious link, clicks it and becomes infected, assuming they run the executable file waiting for them. Here's one - here's another.

Yesterday, I discovered what appears to be a new collection of "Skype Worm" infection binaries in circulation - it uses the tried and tested methods employed by similar infections over the past few months, with the ultimate payload being the Stration Worm. Aside from that, there's another little surprise waiting but we'll get to that shortly...


...the above is a .pif file, pretending to be "photos". Yes, there are many people who will fall for this. If you were sent there via a malicious link in your Skype client (from an infected friend, say) and then decided to run the file, you'll shortly have numerous files clogging up both your System32 and your Windows folders.

At this point, you may be notified by the Skype client that something is not quite right:


Allow the file to "access Skype", and your contacts will see the below:


...with the infection message leading to more rogue files. Remember the "little surprise" I mentioned earlier? Well, it looks like the makers of this bundle wanted to hedge their bets, so with that in mind, one of the files deposited onto the target PC checks to see if a number of different Instant Messaging programs are installed. After a little while testing some of the applications mentioned, we eventually saw the below pop up on a test machine, courtesy of one of the additional files downloaded to the PC:


...and here it is sending an infection message via MSN Messenger:


The infection checks the registry for evidence of programs like AIM, Trillian, Yahoo Messenger, Miranda and (of course) ICQ - however, so far we've only seen it fire a message to an ICQ and an MSN Messenger client. The main target appears to be Skype as the delivery mechanism for the messages sent, but the potential for the infection to leap across various networks is obviously there. The domains the files are hosted on have been flagged for spam-related practices (Viagra pills, mostly) and the whole operation is very similar to previous outbreaks of these Skype worms. In all likelihood, it's the same people behind this wave of attacks, too.

As always, be careful what you click on...

Write up, Research: Chris Boyd, Director of Malware Research
Research: Ramesh Kumarasamy, Threat Research Engineer

May 16, 2007

  • Ben Edelman On InfoWorld

Two excellent articles you really should read:

"Scammers gaming YouTube ratings for profit"

You'll never look at a can of Irn-Bru in the same way again...

"Spyware hunter probes larger market flaws"

A nice insight into the world of Ben Edelman (check out the pictures to see his triple-monitor-of-doom!)

May 11, 2007

  • USB Worm Targets Firefox, Orkut and YouTube

You might have seen a recent flurry of USB Worms in the news - well, one of our researchers found what appears to be a variant targeting (as you might have guessed from the title) Firefox, Orkut and YouTube.

How does this happen? For starters, if you have the infection file on your computer (before activation) it'll probably look something like this:


Not too bad yet, right? Well, if you're unfortunate enough to double-click the thing and run it (of course, in a non-testing environment this would spread automatically via USB shares) your day will take a turn for the worse. Attempt to use Firefox, and you'll see this (along with an MP3 of someone laughing at you playing in the background):


"Use Internet Explorer you dope - I don't hate Mozilla but use IE or else"

At this point, you can't use the browser and it closes automatically on you.

Jumping over to IE, if you attempt to get to the Orkut website....



The "fun" doesn't end here, however - because whoever made this apparently isn't too keen on you visiting the YouTube website either:


Of course, the people behind the infection files can deny an infected user access to whatever sites they feel like - in that sense, it's not that different from putting a website into your HOSTS file. For whatever reason, this individual felt the need to vent their spleen at YouTube and Orkut and blocked them via the infection file. Needless to say, this spreads the same way the first wave of USB infections did (an Autorun.inf file):


Finally, it's worth noting that some of these files are designed so that the .EXE looks like a folder on your desktop:


You'd be surprised how many people fall for that. I've also written about this elsewhere, and if you'd like to see the hijack in action (and hear the wonderful laughter that plays when you try to use Firefox, Orkut or YouTube) then click here.
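The two tricks the post describes (an Autorun.inf that launches an executable when the stick is inserted, and an .EXE dressed up to look like a folder) can both be checked for offline. The following is an added example, not code from the post or from the worm itself; the Autorun.inf body and the file listing are constructed, and the folder-lookalike heuristic (an .exe named after a sibling directory, or carrying a double extension) is an assumption of this example rather than something the post states.

```python
"""Scanner for USB-worm tell-tales: an Autorun.inf that executes something,
and executables posing as folders. Added example, not from the original post."""
import configparser
import re

# [autorun] keys whose value Windows AutoRun / AutoPlay executes directly
EXEC_KEYS = {"open", "shellexecute"}
# Custom context-menu verbs, e.g. shell\open\command or shell\explore\command,
# which worms use so that "Open" / "Explore" on the drive also runs the payload
VERB_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js")


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys.

    interpolation=None keeps values such as %SystemRoot% intact, strict=False
    tolerates duplicate keys, and delimiters=("=",) stops ':' in paths being
    treated as a key/value separator.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text.lstrip("\ufeff"))  # drop a UTF-8 BOM if present
    if not cp.has_section("autorun"):
        return {}
    return {k.lower(): v.strip() for k, v in cp.items("autorun")}


def _command_target(value):
    """First token of a command line, with surrounding quotes removed."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def autorun_findings(text):
    """Human-readable findings for every directive that launches an executable."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key in EXEC_KEYS or VERB_COMMAND.match(key):
            target = _command_target(value)
            if target.lower().endswith(EXEC_EXTS):
                findings.append(f"{key} launches {target}")
    return findings


def folder_lookalikes(listing):
    """Heuristic (assumption of this example): an executable whose name matches
    a sibling directory, or which has a double extension such as photos.jpg.exe,
    is probably imitating a folder or a document.

    listing is a sequence of (name, is_dir) pairs for one directory.
    """
    dirs = {name.lower() for name, is_dir in listing if is_dir}
    suspects = []
    for name, is_dir in listing:
        low = name.lower()
        if is_dir or not low.endswith(EXEC_EXTS):
            continue
        stem = low.rsplit(".", 1)[0]
        if stem in dirs or "." in stem:
            suspects.append(name)
    return suspects


# Constructed sample Autorun.inf in the style the post describes (not the real one)
SAMPLE_AUTORUN = """[autorun]
open=Photos.exe
shell\\open\\command=Photos.exe
shell\\explore\\command="Photos.exe" /silent
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# Constructed directory listing of a drive root: (name, is_dir)
SAMPLE_LISTING = [
    ("Photos", True),
    ("Photos.exe", False),
    ("holiday.jpg.exe", False),
    ("readme.txt", False),
    ("Autorun.inf", False),
]

if __name__ == "__main__":
    for line in autorun_findings(SAMPLE_AUTORUN):
        print("autorun:", line)
    for name in folder_lookalikes(SAMPLE_LISTING):
        print("lookalike:", name)
```

On a real machine you would feed `autorun_findings` the contents of `Autorun.inf` from each removable drive root and `folder_lookalikes` the listing of that root and of the desktop.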

Write up: Christopher Boyd, Director of Malware Research
Research and Discovery: Manoj V, Malware Threat Researcher

May 03, 2007

  • Images Speak Louder Than Words

We recently came across two Chinese hijacks (one weighing in at around 30MB, the other at 15MB) that can completely destroy your PC. The files that arrive seem to be a little bit random, but a good number of them have the potential to send your CPU usage through the roof and keep it there until your PC keels over. With a whole bunch of them installing at the same time, blue screens and repeated crashes are the order of the day. I briefly mentioned this thing here - well, consider this writeup a sample of the kind of things you can expect if you're unfortunate enough to be hit by this thing. It goes without saying that there's spyware, adware, malware, rootkits and pretty much everything else you can think of in this payload - in fact, feast your eyes on a sample of some of the files installed:


I'm sure you'll agree, that's one seriously big pile of stuff.

Normally, I'd walk you through an install step-by-step, but in this case there's not much point. When the install starts, your desktop pretty much freezes and the only way to see what's on there is reboot, hope it doesn't crash and start digging (with the CPU at 100% all the way, of course). Doesn't sound pleasant, and it most certainly isn't. With that in mind, here's a more-random-than-usual selection of screenshots from both hijacks...


This isn't going to be good, is it? Here's another random error from the pile:


There were quite a lot of errors generated, as it turned out. When I wasn't looking at error screens, I was beaten down with prompts to install all kinds of things. The below installer prompt wants to install a Toolbar onto the computer:


...and for completeness, here's the inevitable shot of the Toolbar:


I'm guessing you want to see a shot of the Task Manager at this point, yes?


You can see the PC is already at 100% CPU usage, and half the things on there are already "not responding".


You can see a nice selection of browser windows open here, stuffed with rotating adverts (both Firefox and Internet Explorer).


Nope, I have absolutely no idea what I'm being asked either.

Most of the files don't produce any visuals - only a few pop adverts, the rest run silently and kill your machine. However, the other hijack installer (that eventually sucks down roughly 15MB or so of files) was calling a lot of the same stuff and popping the same adverts. For starters, that Toolbar appeared in both bundles. Well, we ran that one (thinking a game of compare and contrast would be fun) and sure enough....


More popups! More silent files that flood your Task Manager and kill off your PC!


The above is an installer prompt for a program we've covered before. Don't worry, you'll see what it is in the next screenshot...


Here, you can see something called "Disk Free" - I'd like to tell you if it's any good or not, but...you know....blue screens etc. Note the bottom right hand corner - that's our old pal Coopen, the desktop-picture changing marvel (come on, you don't think I selected that picture myself, do you?)

While we're on the subject of old friends, remember the CNNIC? Sure you do. I didn't know they had some kind of Messenger program, though:


I found that image along with a bunch of files, though the Messenger itself didn't appear to want to work. Shame.

As I've already mentioned, this second install is a little lighter on the CPU than the first, so it was possible to follow (most) of the install in one go. Imagine my surprise, then, when the following made itself known....


Kubao is some sort of IM / P2P Messaging system, and (as far as I can tell) works a little like Skype...




You wouldn't believe how long it took me to create an account and log into the thing, but there's a screenshot of it in action anyway.


...oh, and here's some weirdo Anime RPG game apparently populated with volleyball players or something.

As you may have noticed, neither of these hijacks is something you'd want to have on your computer. There seems to be a vague hint of moneymaking involved, but whoever put these things together wasn't thinking straight when they decided how many individual files to install onto the PC. There's an art to concocting a hijack that doesn't kill the PC, and these guys were presumably absent from Hijacker School that day. In terms of bandwidth used to perform these installs, the particularly brutal way your PC is taken over and the complete disregard as to whether or not the thing actually functions properly afterwards, I'd have to rate these as two of the worst computer beatdowns I've yet encountered.

The "brave new world" of Chinese Malware hijacks is truly upon us. I'm just not quite sure we're ready for it...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: FSL Threat Research Team, WV

April 19, 2007

  • Beware: Phishing Attack Exploits Virginia Tech Tragedy

This was sadly inevitable, but you can see what to avoid here, courtesy of Sophos. The file itself seems to be a commonplace Banking Trojan popular in Brazil - a variant of which was used in the Orkut Worm attack last year. I expect we'll see many more variations on this in the weeks to come - indeed, there are already fake "donation websites" popping up online so be careful what you click on...

April 13, 2007

  • Chinese VM Detection, With a Splash of Adware

Here's a nice find - a file that searches for a Virtual PC by means of a Registry check. If the Virtual Machine is detected, the install comes to a halt. If you're on a real computer, however, you'll find numerous files downloaded and installed onto your PC. Along with the usual Trojans, there's something called CPush:


This is a Browser Helper Object related to Sogou, also from China:


There are numerous other websites mentioned in files, install logs and executables - as usual, they vary from blank pages to game websites:


Finally, some of the files make reference to a well known IRC Server used for Botnet activity - though we didn't see any live Botnet action while testing the files, there's nothing to say they couldn't install additional Bot components sometime after the initial hijack. We did find a Login page on one of the related sites, but that proves nothing - it could just as easily be an Admin Panel as it could a Command and Control Center:


What's interesting here is that it seems to share some similarities with this Worm. They both seem to have emerged at the same time - I'd love to know which one came first, though I'd prefer it if they hadn't emerged at all...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: FSL Threat Research Team, WV

April 04, 2007

  • China Internet Network Information Center: On Your PC Whether You Want Them or Not

Today, we'll see that even the simplest of hijacks can result in one seriously broken PC, and install what are apparently files related to a "non-profit" group taking orders from the Chinese Government's "Ministry of Information Industry" in the process. After observing a file in the database flagged by one of our researchers, I decided to take it for a test drive and see what happened. In theory, it should have been a straightforward search hijack. In practice, if this had been my "real" PC instead of a test box, I'd now be calling in the world's biggest platoon of priests and holy water.

Let's begin, shall we?

The product we'll be looking at is this thing. Starting off the action with the oldest file in the Database:


....it didn't take long before my PC started acting strangely. And by "strangely", I do of course mean, hijacked with a whole bunch of random bits and pieces of awfulness:


The above is what had been dumped into my System32 Folder. Not a lot to go on at this point, and things are about to get worse. Before my computer-based Apocalypse takes place though, let's have a look inside one of the files and see what's lurking:


...hmm. Randomly named file handed the task of calling down lots of executables? Usually not a good sign - especially as some of the files mentioned weren't actually showing up on the PC at this point. Hidden downloaders? Looks that way, doesn't it. However, before we can pursue this line of enquiry, all the tech forensics go out of the window when....


...Internet Explorer pops open, complete with new Toolbar related addition! Is this a good time to see if anything has been deposited into the Program Files directory? You bet:


....hooray! Randomly named folders and files mixed in with the Toolbar folder and something called CNNIC. Remember this, because we'll be coming back to it. For now, we'll quickly examine the Add-ons in Internet Explorer and see how many new additions there have been. The short answer is "lots":


As I'm sure you'll agree, there's a fair number of Browser Helper Objects in there! At this point, I decided to give the Toolbar a go and see if it worked or not. After entering a search for "Paperghost", this is what I got:


The results returned are given via the Baidu Search Engine. However, check out the bottom right hand corner - when the Toolbar was activated, a "fake warning" appeared telling me my PC had been infected and I needed to run a scan. Coincidence? Possibly. Either way, before I could click the warning and see which wonderful rogue product was about to greet me, the whole system collapsed and died in a horrible, horrible mess.

From this point onwards, the test PC would not function unless run in Safe Mode, and even then, only for a limited amount of time before rebooting itself. After a couple of attempts, I finally managed to get into the desktop and saw some new icons had appeared in Internet Explorer:


The yellow money-bag thing is for the Sofa Toolbar - however, the toolbar would no longer work, and it was impossible to reinstall it. Remember CNNIC? Well, clicking the blue icon on the left takes you to....


...the China Internet Network Information Center!

From Wikipedia:

China Internet Network Information Center: founded as a non-profit organization on June 3, 1997, is the administrative agency responsible for Internet affairs under the Ministry of Information Industry of the People's Republic of China.

.....uh, okay, Government related webpages appearing in a hijack....new one on me. But wait, there's more:

Software produced by CNNIC

* Official version of Chinese url software, which is Malware. It installs in the user's system secretly and compulsorily, and will be automatically re-installed after you uninstall or delete it.

I had to do a little more digging than usual to find out more information on this one, because I couldn't actually get the thing to work, but one Antispyware team alleges the CNNIC software is used to hijack search results, and "also hijacks 404 pages to a controlling web server in China". In addition, you can see complaints regarding CNNIC software here and here.

Closing down Internet Explorer, I jumped over to the System32 Folder to see if anything new had been added. The answer was a resounding "yes":


No wonder the PC kept keeling over, because the System32 Folder had been completely overrun by a huge amount of files (the full list of things dumped into that folder would probably have required 3 or 4 full screenshots stitched together to give you an accurate idea of what was going on in there). A few more reboots, and eventually the fake popup from earlier on returned:


I was able to grab one final screenshot before the PC went into a sort of Permadeath, and we were finally able to see what rogue application had been installed:


....BraveSentry! After that, the test box was officially DOA. The total time taken to install all of these components was roughly ten minutes - from a seemingly harmless executable that promised maybe a Toolbar or something at best, and a few runs of your favourite Antispyware scanner at worst. If you value your PC, your sanity and your rapidly dwindling supplies of Internet Holy Water, steer well clear of this one...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
File Discovery, Research: Chris Mannon, FSL Senior Threat Researcher

March 28, 2007

  • NetBrowserPro: The Porn Browser

There's a long line of browsers that have completely failed to enhance end-users security and peace of mind on the web. Yapbrowser, which redirected you to illegal porn with the click of a button; The "Safety Browser", which was anything but safe and arrived in the form of an Instant Messaging hijack; Browsezilla, which allegedly increased the hitcount for various adult websites; and now, fresh out of the blocks, NetBrowserPro.

For some reason, the majority of these browsers want to convince you of their focus on security. Look at Yapbrowser's resurrection, where they laid claim to a 100% "guarantee" that no malicious code would enter your system while using the browser. Or Safety Browser, which had popups enabled by default and hijacked your IE Start Page.

NetBrowserPro (whose website actually shares the same IP address as Browsezilla) follows this noble tradition, with the bold claim that:

"NetBrowserPro is the internet browser which aimed to the one thing - help you to watch porn.
Secure, confidential, quick and free.

Secure? Sure it is! About half of all "free porn sites" tries to install trojan or adware program to your computer in some way. According to the researches Internet Explorer was vulnerable to intrusions during 284 days of the last year!. You could always use other browser, like, for instance, Firefox, but it was vulnerable as well, however, during less than 56 days. Some people use antiviruses, but in practice antiviruses databases are being updated less frequently than the virus-makers release new viruses. However, all vulnerabilities are quite similar and do have similar methods of penetration. These methods use browsers' built-in features. In common life you do need such features to visit simple online shops, banks and other sites, but you don't need these features when you surf porn. NetBrowserPro uses only features, which are necessary to surf porn, it switch everything except this off. So there is absolutely no gap for the virus."

Well, there's probably no "gap for the virus" because according to Rootkit Revealer it comes with its very own rootkit!


How does this all begin? With a download of something called "121.exe" from the NetBrowserPro website, assuming you liked the sound of the product enough to download it in the first place:


Once downloaded, if the user runs the file they'll be faced with the following box containing the kind of EULA that I refer to as a "free for all" - because they effectively want you to agree to them updating pretty much whatever they want, whenever they want without having to notify you. Again, note the reference to "security":


It seems "security" is equated with the removal of choice and forcing you to accept their definition of what security might entail - take it or leave it, effectively. But how do we know they've made the right choices with regard to their "browser security"? Of course, the answer is we don't.

Once you click through, a site called Codecaddon.com ("Codec Add-on") is contacted, and you are shown a EULA for something called MovieCommander:


Wondering what it is? Well, the Codecaddon.com website is a big clue. Look at the graphics and site layout below:


....and compare and contrast with the second site listed on this writeup from Sunbelt Software. As you can see, the site is a carbon copy of TVCodec.com. These are known as "fake codecs", and installing them is a very bad idea. Interestingly, many of the sites on the same IP address as both NetBrowserPro and Browsezilla are porn galleries that prompt you to install fake codecs to view their content.

Once everything is installed, the browser will autostart on your desktop. Before we get to the browser itself, look at the logo:


...seem familiar? It should, because it's almost identical to the Netscape Navigator logo. Indeed, the font used for the N appears to be identical to the Netscape one. We've seen "alternative" browsers use logos that are similar to more familiar browsers before (the Safety Browser did a poor imitation of the Internet Explorer logo, for example). The reason for this similarity can be anything from a lack of creativity on the part of the graphic designer to (in more malign cases) a desire to fool the user that it's somehow related to the more mainstream brand.

Of course, it could just be one huge coincidence.

At this point, we can finally take a look at the browser:


Note the (limited) options at the top include the ability to turn images on and off, add links and "boss", which presumably is a panic button for when you're in the workplace. I'm not entirely sure who would be using this in any sort of workplace, but at any rate, that's about all you can do with this thing. With regard to your saved bookmarks, the NetBrowserPro website states:

"Moreover, all bookmarks are being kept on the remote server, which excludes the opportunity of viewing them, even with the full access to the computer."

We have absolutely no information about their "remote server", its security, what they do with the stored information or anything else. Does this sound "secure" to you? However, worse is to come. NetBrowserPro lets you click into apparently random galleries of porn that are hosted elsewhere. Sadly, many of the links clicked take the user to the kind of redirect sites that contain nothing but hundreds of images of all sorts of random pornography. Anyone that's been caught in a porn trap will know the kind of pages I'm describing. Well, though most of these redirects serve up "regular" porn, one or two took me to sites that contained what I can only describe as a couple of "dubious looking" models. While they may well be of legal age, the fact that an initial reaction to these images was "how old?" is never a particularly good indicator of the overall content of those sites, or indeed what they link to. As the sites served up by the browser seem to be randomly selected each time you fire it up, there's no real way to know what you're going to get, and that's a surefire way to have your product dropped off a cliff in a hurry. Can the people behind NetBrowserPro absolutely guarantee that none of the redirects will take you to something you'd rather not see? That all of the people serving up the content they link to are 100% legitimate? I don't see how that's physically possible and because of this random element of chance, of having to put blind faith in a product that apparently uses rootkit / fake codec technology....I'd advise end-users not to install and run this program.

Sadly, yet another browser joins Yap, Safety and BrowseZilla in the naughty corner...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

March 25, 2007

  • StatCounter Say No...

A long time ago, I signed up to the StatCounter service, though I don't think I ever used it. Well, sometimes I still get email based newsletters and this particular one happened to catch my eye....


A few months back, StatCounter was approached by an advertiser, offered lots of $$$, and asked to include a spyware cookie on all of our member sites…we refused on the spot.

You install StatCounter to track visitors to your site NOT to open yourself and your visitors up to being spied upon by phantom advertising corporations.

It appears, however, that other players in the world of webstats were happy to take up this offer...

Full text can be seen on their blog entry here. However, what really caught my eye was this entry in the comments:

Psst, I know the counter that took the cookie offer and big thumbs down. I visit a site that has it and has the upgraded version which costs them over $20 a month and to add insult to injury they now have the cookie which also tries to redirect them to a strange website - that is when the website LOADS. It gets worse because their site is tied in to a web designer who now charges them to remove the counter code which holds the cookie.

That doesn't sound particularly appealing, does it?

March 12, 2007

  • Kailash Ambwani Talks on Greynets and Perils of Web 2.0

Our CEO, Kailash Ambwani, talks on the greynets concept and how the majority of internet traffic has evolved from http to communicative application traffic. Ambwani discussed how enterprises are adopting greynets, how this increases security liabilities, and how FaceTime security products enable and secure greynets. Remember, FaceTime is about enablement and controlling these innovations inside of the Enterprise. Why? Because customers are demanding to communicate this way, and often an organization's most sophisticated users - the forward thinkers and innovators - will bring them into the network because they realize their value, but sometimes forget about the security and regulatory risks involved.

Here is part one and I would note to pay particular attention to how anonymizers, like Rodi and / or Tor, can be used to bypass typical forms of defense. Naturally, and Kailash acknowledges this, products like Tor (designed by the EFF), can be used as anti-censorship tools, especially in countries where this is a problem.

However, they can be a disaster, a potential legal nightmare for large enterprises and I.T. administrators to manage. Kailash goes on to note how malware is now profit driven...in his limited time he didn't get to explore the use of widgets (often thin Ajax clients) or the stripping of content using browser-powered tools allowing the propagation of content like video across the Enterprise. This can also be problematic given attacks like Windows Meta Frame exploits or exposure to inappropriate content.

In part two Kailash goes on to discuss how Facetime addresses the issues. Once again the focus is on enablement and control. The Internet is changing and we all must change with it.


March 07, 2007

  • Chinese Website Serves Up Alexa Toolbar

Here's an interesting one from the database - a colleague of mine came across this a few weeks ago and now here we are, about to plunge into the depths of some more Chinese-related Malware. This time round, there's a little twist thrown in for good measure - East meets West, if you will.

We begin our journey with a Trojan called Symfly - from this file, another payload (sna.exe) was installed and during this process, something called Install7.exe was eventually brought kicking and screaming into the world. Already, we're dealing with a file three notches down a daisy-chain, which will likely give you an idea of the complexity behind this particular hijack. From close examination of the inner workings of the files involved, we can eventually determine that a site called Renwu is at the heart of the action - to the casual observer, you'd think there was nothing to see. However, the login prompt is a sure sign there's something going on. After the Install7 file has executed, a file called Demnsvr.exe is dumped into your Windows directory. Sometimes the install fails at this point - if it works, you'll know for sure because (along with some .dll files, a service and a BHO for Internet Explorer) it deposits a log file on your desktop which is kind of a giveaway:


At this point, an "updater" section on the Renwu site creates Adcheat and Historyclear on the infected PC. I couldn't decide if history clear was protecting my privacy or offering me a bite to eat, and Adcheat (seemingly) wants to make a call to Australia:


...however, this is actually a server in China, and has apparently been flagged for matters relating to Spam in the past. Of course, it comes as no shock to discover the Renwu site is tied to this server; less so, the other domains listed on it. Bill Gates is a Registrar for this website? Wow! Even better, check out this guy - Mr Drgd Drgdrgr!

With a background like that, no wonder those spam databases have issues with this box!

Eventually, we come to the next oddity of this install.....the Alexa Toolbar, installed without consent via FTP:


Note the popup asking you to install a Chinese Language Pack.

What happened to the installer prompt / EULA, I hear you cry? Well, a box appears all-too-briefly in the middle of the screen - not exactly brimming with content, but then considering it's only on your screen for about half a second I can't say I'm too surprised. It took me long enough getting that screenshot. At time of writing, the Alexa Toolbar is no longer installing, but as you can see here, the file is still on the server and could easily be re-activated (it's been up and down a few times so far already). It's worth noting that when this file is installed, the desktop has a tendency to become unusable and only a reboot will cure it.

I've mentioned in the past that attempting to tackle Adware and Spyware from China is a whole new world of exploration, because of the difficulties involved in ascertaining the who, what, when, where and why of a case. Here again, we have the same difficulty. Seemingly random websites are called out to - why? Who runs them? Are they legit? Who do you contact? Could they be innocent parties, hosting backdoored files? Or are they just sites the Malware creator likes to visit in his spare time? Here's a sample selection of some of the sites called out to when the initial infection file runs and begins the process of calling down the individual files. Note - none of the below sites actually carry any of the payloads...


....at this point, we need to tie it all together. Let's examine the Alexa Toolbar for a moment. It's Wikipedia time:

"The Alexa Toolbar, an application produced by Alexa Internet, is a Browser Helper Object for Internet Explorer on Microsoft Windows that is used by Alexa to measure website statistics."

...in other words, the Alexa figures for website rankings are based on the statistics generated by users who surf with the Alexa Toolbar installed.

Remember the Adcheat file I mentioned earlier? Well, after Adcheat has phoned home and HistoryClear.exe has wiped your cookie cache, the Alexa Toolbar is installed and a call is made to this site (note the two domains listed on the page). From there, a call is made to the below site (note the Alexa sub-domain Renwu.info is touting):


This is apparently a redirect to a site called Hotrock.cn.

The question is, is this an incredibly over-elaborate attempt to artificially inflate the Alexa ranking of one (or more) of the sites listed above? If so, they're not having much luck with it. All three sites - Renwu, Hotrock and Aqclub - are outside the top 100,000. An interesting tactic would have been to try and generate income via sponsored Amazon links - this is something we're still currently investigating, though it would make sense with regard to installing the Alexa Toolbar in the first place. What is interesting is this graph comparing the traffic to the previously mentioned websites:


From about halfway through January (when these files first started showing up) up to the present day, both Hotrock and Aqclub have amazingly similar traffic patterns, right down to the way it rises and falls at certain points on the graph. Remember, both of these sites are mentioned on the Renwu page that's called once the Alexa Toolbar is force-installed.


It'd have to be a pretty large one...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

March 02, 2007

  • The Real World Impact of Virus Attacks

Continuing the current theme of virtual programs creating real-world issues, here's a newspaper having its distribution severely affected because of an infection crippling production equipment.

Must have been one heck of a virus...

March 01, 2007

  • A New Rating System Required?

Check out Marketscore and New.net. Not a spectacular score, threat wise - there's plenty of things out there with a bigger, badder bite. Yet in some strange way, both of these two have been tangled up in the Julie Amero case (according to the details filtering out from the ongoing case, they were both present on the infected PC spawning the popups) and she faces anything up to forty years in jail because of some fairly generic, otherwise harmless porn adverts.

My question is, do we need to start applying a "real world" danger ranking to Adware and Spyware? And if so, what other possible score could we give than the equivalent of "10 - Extremely Dangerous"? If any and all Adware can now be used to lever a situation where someone could face jail time, what other response could we have?

February 23, 2007

  • A Balanced View of the Julie Amero Case

You've probably seen a number of articles regarding the case of Julie Amero, a substitute teacher caught in a storm of porn popups and faced with anything up to 40 years in jail. Well, here's an excellent piece of work that details exactly WHY Julie Amero is the victim of a witch-hunt. Never again will you stumble for an answer to the question "why didn't she just turn it off?"...

February 20, 2007

  • Winfixer Adverts Served by MSN Messenger

Microsoft have had their hands full these past few days, trying to eradicate rogue adverts appearing on banner ads served up via MSN Messenger. Here's the original writeup on this, and here's some coverage in the news with a line or two from yours truly...

  • FTC: Pop-up Ads, Failure to Disclose Rootkits Are Bad Business

An interesting interview with FTC Chairman Deborah Platt Majoras. However, compare and contrast with the reaction to Direct Revenue being fined just $1.5 million Dollars:

FTC Commissioner Jon Leibowitz, the sole vote against the settlement, said the $1.5 million fine "is a disappointment because it apparently leaves Direct Revenue's owners lining their pockets with more than $20 million from a business model based on deceit."

...is it just me, or should more people be thinking the same thing as this guy?

February 15, 2007

  • Chinese Adware: Coopen

Here's an interesting one - apparently from a Chinese Trojan bundle, "Coopen" places a media tool on your desktop, which rotates between desktop backgrounds and screensavers. At least your desktop hijack will be a visually striking multimedia experience!


That's not all, however - the Coopen media player is really only the introductory salvo. From the same bundle, your desktop will end up with a non-closable box on it, which you can only kill off using Task Manager:


The box itself mostly serves up an endless stream of high bandwidth adverts that seem to do nothing other than promote short movie clips and streamed video:


There also seems to be a lot of popups from what appears to be some sort of social networking / blogging site:


You can read more about Coopen here. Although Coopen itself is not particularly high risk - it's a media program rotating screensavers - it does illustrate how complicated things will be for researchers in the West as more of these programs start to appear, such as here where the researcher might not even know if the popup box is related to Coopen, or a different part of the same Trojan hijack. Is it Adware? Spyware? Malware? All one program, or different components doing different things (as is the case here). Is the intent behind it malicious, or is it supposed to serve some useful purpose? How do we track the money streams? Will we be able to penetrate the networks behind the scenes and work out who the key players are? Most importantly, what do we do when faced with a EULA containing six million Chinese characters?

Tough questions, and no easy answers in sight...

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: CC, and Chris Mannon, FSL Senior Threat Researchers

January 29, 2007

  • Adware Makes Advertisers Feel the Burn

In a novel ruling, it's not the Adware guys made to pay the price but the advertisers:

Priceline.com, Travelocity.com and Cingular Wireless have settled over charges that they used secret adware Internet software programs as marketing tools, New York Attorney General Andrew Cuomo said on Monday.

This is the first time marketers have been held responsible for ads displayed through adware, the software that automatically displays promotional material, Cuomo's office said in a statement.

More on this here at CNET. Going after the advertisers is a pretty interesting tactic, but it seems to be having an impact. How much, we'll have to wait and see...

December 16, 2006

  • European Mailer Society (FEDMA) Warns Against Spyware Use

Another attempt at self-regulation...this time in Europe, no less, from "a common-interest and self-regulatory body for junk mailers, cold callers and senders of unsolicited bulk email", which has warned its members off using spyware or deceptive software....interesting to say the least.

The Federation of European Direct and Interactive Marketing (FEDMA), a common-interest and self-regulatory body for junk mailers, cold callers and senders of unsolicited bulk email, has issued an anti-spyware code warning its members off using intrusive or deceptive technology.

FEDMA represents the direct marketing industry, covering email, post, telephone and 'direct response' marketing, and its members include marketing associations from Australia, Canada and the United States as well as countries across Europe. The new charter aims to discourage members from using spyware as part of their information-gathering and advertising campaigns.

Spyware tactics defined in the document include deceptive software installation, taking control of computers to send spam and malware, modifying browser and other settings, and hiding or otherwise becoming difficult to remove. Members offering marketing software are advised to ensure it uses proper identification and disclosure of the source of software and advertising, access to privacy policies and full opt-out or uninstallation facilities.

The text of the charter can be found (in PDF format) - see what you think...

December 01, 2006

  • Myspace Phish Attack Leads Users to Zango Content

A while ago on the Spywareguide Blog, I covered a technique being used in Peer to Peer land involving URLs being embedded in Quicktime movies, which would then pop open a website. This has now been taken to the next level, with an intensive and seemingly never ending Phish attack, the sole aim of which seems to be directing end-users to a collection of Zango movies on a pornographic website. The Phish pages are hosted on compromised servers - presumably the people doing the hacking aren't particularly brilliant at it, because they keep getting found out (an example of them being caught in the act can be seen here).

How does this attack work?


November 27, 2006

  • The Free Myspace Viewer - Beware!

It's been an interesting few weeks for Myspace - there's been a number of scams and dubious programs making their way across countless user profiles. The "fun" clearly isn't over yet, because check out the latest piece of scammery doing the rounds on everybody's favourite social networking site...


November 06, 2006

  • The Zango Double-dip ?

There have been a lot of articles and posts about Zango.  Most of them focus on the installation practices, lack of user notification and even how the company recently received a fine by the FTC.

This piece is not one of those.  Instead of talking about the Zango software, I would like to have a brief look together at the theoretical business model that drives Zango. 

Some relevant snippets from the Zango site:

Web publishers, content creators and providers aren't able to earn a living from their products. <Snip> online consumers have proven reluctant to pay a monthly subscription fee for access to online content and entertainment. <Snip> Zango has developed a unique solution to this economic dilemma. <Snip> With the Content Economy model, consumers are able to access and enjoy web content and entertainment for free, because when they search or browse online for products and services, they see ads from Zango advertisers. <Snip> Web publishers and content providers get paid by Zango for distributing their creative assets. Zango earns revenue from online advertisers, and thus, keeps this new Content Economy alive and thriving.

I see!  Visitors will never pay to see online content, so the content creators will never get to see a dime from their work.

So Zango's self-proclaimed raison d'etre is to provide these starving "long tail" creators/artists with some income so they can keep producing the content that everybody likes, instead of needing to beg for spare change at a mall entrance.

Surely, that's a noble cause, no?  Let's see...


September 12, 2006

  • Trojan Downloads Illegal Content?

Here's a particularly nasty tale - a man has been charged with numerous counts of possessing illegal material. The interesting thing here is that he claims a hacker put that material there in the first place. As we've seen, this is not beyond the realms of possibility - Yapbrowser is now an oft-cited case where the end-user had no idea using that application would open up illegal material on their PC. I imagine there's quite a lot of people out there who may well end up in situations like the above through no fault of their own, but of course we need to be careful that this doesn't become an "easy way out" excuse for people actively looking for this kind of dreadful content.

This Spyware thing's never straightforward, is it?

August 29, 2006

  • Bl4ck: Coming Soon to a Hacked Page Near You

Quite often, you'll come across a website that's been hacked and admire the no doubt humorous picture, comical text and "advice" given to the site Admin as little more than a harmless prank and something to be filed away on a hacked site archive. Well, beware, because many of those "hacked site" archives don't clean up the pages beforehand - you'll likely be hit with something nasty if the hacker decided to put something evil there. And wouldn't you know it, we have one such example for you coming up.

An individual under the alias of SnIpEr_SA is currently making his way through as many domains as he can handle (currently up to 25+ in the last ten days, which isn't very prolific, thankfully) and leaving a little "present" for anyone unlucky enough to view his pages while using IE:


August 28, 2006

  • WhenU "Partner" Pushes "Myspace" Videos in P2P Land

It's not often you find an affiliate of WhenU doing something that could be viewed as out-and-out deceptive, so this is a very interesting find indeed. Especially considering they do not have affiliates, at least not affiliates in the "traditional sense", according to our Sr. Director of Greynets Research, Wayne Porter, who specializes in online economic models. His answer upon a quick analysis of the initial research:

"It is a given WhenU has made a number of improvements from their past practices, and that is critical for setting an example. However, we take history into account and also look at what we see today. You will note they proclaim quite clearly, "No affiliate distribution, because it's impossible to police." This is wise. WhenU understands unchecked partner models lead to dangerous relationship sprawl and in the end you tar and feather your own brand and hurt people.
What is strange is the next bullet point "All distribution partners are monitored and must adhere to our strict guidelines; zero tolerance for infractions." (Porter notes this link here.) I would have to ask, from a commerce perspective- how do they monitor them, how do they vet them, what metrics are used to determine inappropriate and appropriate behavior and what is the difference between affiliate and partner? This case seems to be confusing to the end user- is this acceptable? Is this the experience they demand of their partners?
In this case the distribution partner does not appear to be an affiliate per the classic definition. I think it is a good question and would welcome dialogue from Bill Day on how they differentiate between an affiliate and a distribution partner. Clearly the program is being distributed via third parties and one would reasonably assume on cost-per-action or a split revenue basis, or a hybrid deal- that part remains unclear- but the revenue model drives behavior- we know that from field research. If Bill Day is willing to participate I am willing to prepare some questions for him if he would like to go on record about the policies and the reality of how they are put into action. The usual rules of engagement for dialogue of course."

Back to the case at hand...

During research my colleague Peter was probing for Myspace themed files in P2P land, and while using Bearshare, he came across a file called "Myspace". A movie file, no less. Would it contain Emo kids singing in a garage? Thirty-somethings complaining because none of their friends use Myspace to network?

Nope. In fact, the answer is a little stranger than that. First of all, check out the nice popup you see when firing up the movie for the first time:


...wait, DRM*? Isn't that what we kept hearing about during the Zango / Myspace fiasco? Could this mean some type of "software" is on the way? It sure could...


At this point, I'm sure of two things:

1) The Adware involved in this case is WhenU
2) I have absolutely no idea what "ETE" is, nor why I would want it.

Still, the file is called "Myspace" and we all know Myspace is cool, right? So a Myspace moviefile is going to be even cooler. Isn't it?

Well, no.

This is where things get really confusing for the end-user, because so far they have:

* Gone onto a file sharing network and downloaded a movie file called "Myspace"
* Been presented with a DRM popup relating to WhenU Adware, and told this is needed to install "ETE" despite not being informed of what ETE actually is. Note the popup mentions the install is from a website, when it's clearly from P2P.

At this point, pressing the Continue button will prompt the end-user to download an executable file:


Eventually (after a period of complete inactivity on the desktop), you see this:


...and we finally discover what ETE is - some kind of free entertainment center. Great, except it doesn't even appear to be on the system. Maybe it's one of those new invisible models I've heard so much about? Perhaps they have Romulan cloaking technology or something.

Anyway - after giving up looking for the mystical "ETE", the confused end-user will run the moviefile. They're presented with....the adultfriendfinder website and, er, some dancing bacon. Seriously:


Why? No idea. Anyone see what this has to do with Myspace yet?

Our motto at the FaceTime lab is to try not to leave any stone unturned, so I wasn't prepared to let this mystery go. After some digging, it turns out that ETE is not a standalone application - it's actually a website:


This site lets you download applications from another site, called Binartisan.com. According to a Whois lookup, both sites are registered to someone in Taiwan. The download section of the Binartisan site contains many, many installers for games, screensavers and other programs:


Most of these are WhenU installers - it doesn't take a great leap of the imagination to realise that the affiliate, or partner (depending on nomenclature) here is likely the same person distributing these files in P2P land under the name "Myspace". Of course, naming them after the number one Social Networking site on the web (when the files themselves have absolutely nothing to do with Myspace) is altogether more problematic. Some might even call it deceptive.

I think I'll suggest Wayne add that to his question list.

*Notes on DRM: Any technology used to protect the interests of owners of content and services (such as copyright owners). Typically, authorized recipients or users must acquire a license in order to consume the protected material—files, music, movies—according to the rights or business rules set by the content owner.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
File Discovery: Peter Jayaraj, FSL Threat Researcher
E-commerce Policy Research Evaluation: Wayne Porter, Senior Director Greynets Research.

August 24, 2006

  • Gromozon: Rootkits, Adware and More...

A passing bird tells me we should all read this PDF Document - inside, you'll find details on a rather nasty threat which leaps into action from a domain called - you guessed it - Gromozon. Inside the document, you'll see descriptions of how the threat works in relation to different browsers, what you can expect if you get infected and some information on how to attempt removal.

A great piece of work - make sure you check it out.

August 18, 2006

  • VirusRescue: Keeping Up a Noble Tradition

...that is, a noble tradition of products you'd probably rather not have on your PC! Building on the success of various other supposed "security products" that arrive on the back of a hijack, VirusRescue is causing something of a stir at the moment across the various security blogs out there.

My take on this here - you can see posts from Security Cadets here and here (particularly entertaining as a rep from VirusRescue posted there) and what is possibly the first mention of this new "product" here (courtesy of Security Ticker). It'll be interesting to see if their spokesperson makes any more appearances...

August 17, 2006

  • Latest Briefing from the Center for Democracy and Technology

Yesterday, the CDT published an interesting summary of their opinion on the war against Spyware. Particularly good reading if you couldn't work your way through their last "Following the Money Trail" PDF!

The message is clear (and it's one we hear all the time, so I won't bother repeating it word for word) - we're making some good progress, but there's a long way to go until we have a firm handle on this particular problem...

August 15, 2006

  • Another Dubious Affiliate for Zango?

Zango haven't been out of the news recently - we've seen Myspace, Warner Brothers and the CDT (Center for Democracy and Technology) all added to the mix and the end-result is probably as fatiguing for the reader as it is for the people writing about it!

However, yet another tale has come to light, and it's not a particularly pleasant one. A pornographic website promoting videos provided by Zango (a pornographic website which, it should be noted, appears in many PC hijacks as you can see here) seems to be attracting visitors by means of a dubious keywords scam.

What's happened is that numerous websites have been set up, stuffed with keywords of an incredibly disgusting nature, that redirect you to the Zango content. A list of keywords has been collected in PDF format by Sunbelt Software. Be warned - it is not pleasant.

You can see thoughts on this from Suzi Turner, Sunbelt and myself.

I'm sure more will be adding their thoughts on this in due course...

August 09, 2006

  • CDT Releases Following The Money Trail Part Two

The Center for Democracy and Technology has released their latest report on advertising intermediaries, which include ad networks, affiliate networks, and cpa networks. The document might be confusing if you are not practiced in the world of online advertising but the CDT does a pretty good job of making a complex economy simple.

The takeaway is that advertisers and advertising intermediaries need to practice more due diligence in their business practices.

Find below the download links for the Following the Money Trail Series Part I and the latest Part II. If you want to understand how malware and money are the new fuel for Internet mayhem this is a good place to start.

To give you an idea how complex some of the relationships become while we track the money trail on cases take a look at this sample screenshot from the report. Rest assured we have seen cases far more tangled than this cloud.


"Companies need to take responsibility when their advertising dollars go to support companies that prey on unsuspecting consumers," said CDT Policy Analyst Alissa Cooper, who co-authored the report. "Whether placed directly or through intermediaries, these ads diminish the Internet experience for millions of people. Advertisers that work with these distributors are running out of excuses, and must either start policing their advertising spending, or answering to their customers who have been harmed by adware."

Indeed! We could not agree more.

Take the time to get educated with these great reports from the CDT and pass them along to your friends. Have an advertising question? Drop us a comment and I will be happy to answer it for you or find someone who can.

Part 1 of the CDT Report [PDF]

Part 2 of the CDT Report [PDF]

Report Write-Up: Wayne Porter, Sr. Dir. Greynets Research

August 08, 2006

  • The AIM Screen Name Hacker - Beware or Be Snared!

Our team has discovered a rather nasty little program currently in circulation relying on trickery and the desire to obtain "secret" information to get itself installed. Once onboard the machine, it has the potential to steal banking information, drop you into a Botnet and generally give you a very bad day as your computer becomes a drone controlled by an unknown botmaster.

The vector of attack appears to be focused in the chat realm - across AIM Chat, IRC Chat and regular web-based chat. The link usually looks like this:

Hi, have you ever wanted to sign on your buddies AOL Instant Messenger screen name, but never had the password? Well there has been a new break in the AIM servers that is allowing this vital information to be revealed. check the pro for more info!

Clicking the link takes you to the below website:


The download link to the infection file has now changed (though the application "homepage" is still the same), but a quick check of where the file was being called from would hopefully have set some alarm bells ringing:


As you can see, the attackers are hosting numerous dubious sounding files, including a jpeg.exe and "Windows.exe" - otherwise known as the Feldor Trojan.

After installing the program, it reboots your computer and, as you can imagine, deposits a number of files you would rather not have on your system. However, the average end-user probably wouldn't think to check what's been placed in their System32 Folder. They'll enter the desired AIM Contact Details, run the tool and...


...they'll be told that AIM has "fixed the vulnerability" in their software. Sounds convenient. Sadly, uninformed users will probably shrug and forget about the program altogether. This would be a mistake. Let's take a quick jump over to the System32 Folder...


You can see Windowsxp.exe - a banking Trojan, and the previously mentioned Windows.exe process. In case you're wondering, the AIM Screen Name Hacker's uninstaller does actually work, but (thoughtfully) leaves the infection files behind.

As a parting thought, it's worth noting that depending on which version you happen to download and install, you may well find your PC turned into a Botnet drone. As always with a program like this, it's worth remembering...if it looks too good to be true, it probably is.

Remember that chat programs can harbor threats just as dangerous as, or more so than, what you see on the Web. Keep your guard up and don't click on links in chat programs or chat rooms or run programs of a dubious nature - especially if you don't know the buddy you are chatting with. Even if you do know them, that doesn't make it 100% safe either, as many programs rely on the "circle of trust" dynamic to do their dirty work and spread their mayhem.

Key Terms To Learn: Botnet- Drone- Chat Rooms- Trojan

Research and Blog Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, FSL Threat Researcher
Secondary Research: Wayne Porter, Senior Director Greynets Research

August 03, 2006

  • Using Quicktime to Spam in P2P Land

Quicktime's "HREFtracks" feature (a method used to embed URLs into movie files so that they open at a specific point in time) is being used by an enterprising individual to pop open adverts for adult dating services from movie files obtained via P2P Networks. The HREFtrack feature contains URL information that can be opened interactively or automatically, and in this case, files found on the Gnutella network are using this functionality (here's an example of someone getting hit while using Limewire). From the Quicktime site:

An HREF track is a special type of text track that adds interactivity to a QuickTime movie. HREF tracks contain URLs that can specify movies that replace the current movie, load another frame, or that load QuickTime Player. They can also specify JavaScript functions or Web pages that load a specific browser frame or window.

In the example we have below, the movie file is called "Sex Monica Bellucci Malena". Of course, opening the movie up reveals something entirely different - what appears to be someone dancing to music:


About three quarters of the way through the clip (once it hits the "trigger"), an affiliate link for Adultfriendfinder.com pops open via your browser (in this case, Firefox):


The observant people out there will have noticed the videoclip in the above screenshot is still at the start - that's simply because by the end of the clip, most of her clothes have fallen off. If you wind the videoclip back and forth with your mouse, you'll continue to repeatedly pop open the same advert manually as you scroll. Of course, the HREFtrack feature is simply doing what it's supposed to do - the interesting thing here is the possibility for someone to use it in a more malicious way. You could pop open a link to a drive-by website that tries to install software without the end-user's permission, or how about a fake "promotional video" for a bank that pops open a "security check" Phishing page? There's a lot of possibilities with this one, and we should probably be thankful that people are currently only using this to spam affiliate links. It probably won't be long until someone pushes the leet hax0r button and things start to go pear-shaped...
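As an added, defender-side example (not code from the original post, from FaceTime or from Apple), here is a Python scanner that walks a .mov's atom tree, finds text tracks via their hdlr atom, resolves their samples through the stsz/stsc/stco tables, and flags any "A<url>" sample that would open a browser automatically when its trigger time is reached. The HREF sample syntax is as I understand Apple's HREF track documentation, and the minimal movie built by build_sample_movie() (with example.invalid URLs) is constructed test data, not a file from the case above; it is only complete enough for the scanner, not playable.

```python
"""Scan a QuickTime .mov for HREF-track URLs, flagging ones that open automatically."""
import re
import struct
from typing import Iterator, List, NamedTuple, Optional, Tuple

# HREF text sample syntax (assumed from Apple's HREF track docs): "<url>" opens on click,
# "A<url>" opens automatically when the sample's time is reached, optional "T<frame>" target.
HREF_RE = re.compile(r"^\s*(A)?<([^<>]*)>(?:\s*T<([^<>]*)>)?")


class Finding(NamedTuple):
    url: str
    automatic: bool  # True: fires with no user interaction (the abuse described on this page)
    target: Optional[str]


def iter_atoms(data: bytes, start: int = 0, end: Optional[int] = None) -> Iterator[Tuple[bytes, int, int]]:
    """Yield (type, payload_start, payload_end) for each atom inside data[start:end]."""
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, atype = struct.unpack(">I4s", data[pos:pos + 8])
        header = 8
        if size == 1:  # 64-bit extended size follows the 8-byte header
            if pos + 16 > end:
                break
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:  # atom extends to the end of its container
            size = end - pos
        if size < header or pos + size > end:
            break  # malformed or truncated: stop rather than loop or over-read
        yield atype, pos + header, pos + size
        pos += size


def child(data: bytes, start: int, end: int, wanted: bytes) -> Optional[Tuple[int, int]]:
    """Payload bounds of the first child atom of the given type, if present."""
    return next(((s, e) for t, s, e in iter_atoms(data, start, end) if t == wanted), None)


def sample_locations(data: bytes, stbl: Tuple[int, int]) -> List[Tuple[int, int]]:
    """Resolve (absolute_offset, size) of every sample from the stsz/stsc/stco tables."""
    tables = {t: data[s:e] for t, s, e in iter_atoms(data, *stbl)}
    if not all(k in tables for k in (b"stsz", b"stsc", b"stco")):
        return []
    stsz, stsc, stco = tables[b"stsz"], tables[b"stsc"], tables[b"stco"]
    fixed, count = struct.unpack(">II", stsz[4:12])  # version/flags, fixed size, count
    sizes = [fixed] * count if fixed else list(struct.unpack(f">{count}I", stsz[12:12 + 4 * count]))
    n = struct.unpack(">I", stco[4:8])[0]
    chunks = struct.unpack(f">{n}I", stco[8:8 + 4 * n])
    n = struct.unpack(">I", stsc[4:8])[0]
    runs = [struct.unpack(">III", stsc[8 + 12 * i:20 + 12 * i]) for i in range(n)]
    locs: List[Tuple[int, int]] = []
    si = 0
    for i, (first_chunk, per_chunk, _desc) in enumerate(runs):
        last_chunk = runs[i + 1][0] - 1 if i + 1 < len(runs) else len(chunks)
        for c in range(first_chunk - 1, last_chunk):  # stsc chunk numbers are 1-based
            off = chunks[c]
            for _ in range(per_chunk):
                if si >= len(sizes):
                    return locs
                locs.append((off, sizes[si]))
                off += sizes[si]
                si += 1
    return locs


def parse_href(text: str) -> Optional[Finding]:
    m = HREF_RE.match(text)
    return Finding(m.group(2), m.group(1) == "A", m.group(3)) if m else None


def scan_movie(data: bytes) -> List[Finding]:
    """Walk moov -> trak -> mdia; for each 'text' handler track decode its samples as HREF text."""
    findings: List[Finding] = []
    moov = child(data, 0, len(data), b"moov")
    if moov is None:
        return findings
    for t, s, e in iter_atoms(data, *moov):
        if t != b"trak":
            continue
        mdia = child(data, s, e, b"mdia")
        if mdia is None:
            continue
        hdlr = child(data, mdia[0], mdia[1], b"hdlr")
        # hdlr payload: version/flags(4), component type(4), component subtype(4), ...
        if hdlr is None or data[hdlr[0] + 8:hdlr[0] + 12] != b"text":
            continue
        minf = child(data, mdia[0], mdia[1], b"minf")
        stbl = child(data, minf[0], minf[1], b"stbl") if minf else None
        if stbl is None:
            continue
        for off, size in sample_locations(data, stbl):
            sample = data[off:off + size]
            if len(sample) < 2:
                continue
            n = struct.unpack(">H", sample[:2])[0]  # text sample = 16-bit length + text
            found = parse_href(sample[2:2 + n].decode("latin-1", "replace"))
            if found:
                findings.append(found)
    return findings


def atom(atype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I4s", 8 + len(payload), atype) + payload


def build_sample_movie() -> bytes:
    """Constructed minimal .mov (not playable) with one video track and one HREF text track."""
    texts = [b"A<http://ads.example.invalid/affiliate?id=1234> T<_blank>",  # fires automatically
             b"<http://example.invalid/info> T<_self>",  # only on click
             b"plain caption, no link"]
    samples = [struct.pack(">H", len(t)) + t for t in texts]
    video_blob = b"\x00\x00\x01\xb3" * 8  # stand-in for real frame data
    ftyp = atom(b"ftyp", b"qt  \x00\x00\x00\x00qt  ")
    mdat = atom(b"mdat", video_blob + b"".join(samples))
    text_off = len(ftyp) + 8 + len(video_blob)  # absolute offset of the first text sample
    stsz = atom(b"stsz", struct.pack(">III", 0, 0, len(samples)) + b"".join(struct.pack(">I", len(s)) for s in samples))
    stsc = atom(b"stsc", struct.pack(">IIIII", 0, 1, 1, len(samples), 1))
    stco = atom(b"stco", struct.pack(">III", 0, 1, text_off))

    def hdlr(subtype: bytes) -> bytes:  # version/flags, 'mhlr', subtype, 12 reserved bytes, empty name
        return atom(b"hdlr", b"\x00" * 4 + b"mhlr" + subtype + b"\x00" * 12 + b"\x00")

    video_trak = atom(b"trak", atom(b"mdia", hdlr(b"vide")))
    text_trak = atom(b"trak", atom(b"mdia", hdlr(b"text") + atom(b"minf", atom(b"stbl", stsz + stsc + stco))))
    return ftyp + mdat + atom(b"moov", video_trak + text_trak)


if __name__ == "__main__":
    import sys
    movie = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_movie()
    for f in scan_movie(movie):
        print(("AUTO " if f.automatic else "click") + f"  {f.url}  target={f.target}")
```

Run it against a downloaded .mov to list its HREF URLs; an "AUTO" line is the pattern described above, a URL the player will open on its own once playback reaches the trigger.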

Blog Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Vinayak Palankar, Software Engineer

July 31, 2006

  • Did Digg cause the Zango / Warner Brothers Rift?

The question on everybody's lips right now (well probably not, as it happened over the weekend but still..) is:

How much impact did this have on Zango pulling out of their Warner Brothers deal?

Digg.com is a well known source of breaking news stories, and often those stories spring into life well before many journalists are aware that the tale has come, gone and been again due to its rapid spread and rather large reach. A story was recently submitted to Digg with a rather spectacular title:

"Warner Bros website distributing Zango Spyware + Kiddy porn browser".

As someone who follows Zango extremely closely, I nearly fell off the chair when I saw this hit the frontpage of Digg. Could something have gone so amazingly wrong with Zango's distribution chain that someone had gamed the system (once again) and started serving up illegal pornography from the Warner Brothers site courtesy of Zango?

The answer is no. The story submitted to Digg takes the user to a Blog entry dated Thursday, 11th May 2006. Contained within are a number of factual errors, where various Zango related stories have meshed into one, messy whole - however, when the story was re-submitted to Digg last weekend (after being submitted for the first time a few months back and getting nowhere), the submitter added the rather inflammatory title into the mix and people went crazy voting for the thing. End result, a factually incorrect story slamming onto the frontpage of Digg and causing major, major ripples in the Adware space into the bargain.

We think.

Because in all honesty, there's no real way to tell exactly how much impact this submission had on Zango pulling out of the Warner Brothers deal. The first inkling that something was afoot was an article that hit the Washington Post, courtesy of Brian Krebs. This appeared the day after the Digg article went boom, and inside sources tell me that something was definitely going on in that timespan. The question...is what. In reality, we have no way of knowing who reads Digg, but as someone who has been Dugg a lot of times, I have a good feel for the way it works with regards to the way a story leaks into the media. I've had at least one story "break" from Digg - as an example...

BitTorrent Installed without Permission, Downloads Movie Files

The above story was part of a larger investigation. We didn't put out a press release about it, but we did fire it up as a Blog Article and let it loose. Now, that story was picked up by mainstream press and exploded - a clear indicator of the power of Digg. So, it is not impossible that such a massively dugg story such as the Zango / Warner Bros story could end up hitting in the right places. Especially as many, many people who voted for the piece also submitted their feelings about this to Warner Brothers directly.

At this point, I imagine they saw the title involving illegal pornography, maybe did a little Googling about Zango and got just as confused as some of the facts involved here. It doesn't help that findings about Zango and Myspace hit at roughly the same time as this story (well, the whole of July, actually) - in fact, I had a Digg going on at the same time as the Warner Bros story. Someone even suggested people Digg my story from the Warner Bros Digg too - leading to the strange sight of two Zango related stories hitting first and second place in the Digg Security Section:

Click to enlarge

In fact, I actually saw a few pieces covering the story that mixed up the details from both the Zango on Myspace story and the Zango / Warner Bros article. As the Zango / WB story on Digg is now flagged as "inaccurate", many of you have asked me to straighten things out with regard to the facts surrounding this whole mess - which is mainly the reason I've written this up in the first place. Though I'm no expert on the Zango / Warner Bros situation, I do know my stuff where the "illegal content" comes into play in all of this. With that in mind, here's my attempt to ease your mind...

1) "Warner Bros website distributing Zango Spyware + Kiddy porn browser"

This is entirely incorrect. The Warner Bros website was distributing Zango Adware (not "spyware"), and at no point in time did it distribute a "kiddy porn browser". The writer has confused a number of pieces of information - in this case, the "kiddy porn browser" is something called Yapbrowser.

Yapbrowser was a web-browser that (for a short period of time) was distributed with Zango Adware. When you used the browser, it redirected you to a 404 error page that contained hardcore child pornography. The Zango Adware itself did not have any connection with the child pornography, other than their software was bundled with the web browser. Once the revelation of the browser's "hidden feature" was brought to light, Zango removed themselves from distribution with Yapbrowser. Zango's main failing here is that they clearly did not test the Yapbrowser application enough, because they would have realised one click of the browser's "go" button was enough to send you to the illegal content. This doesn't say a great deal about the policing of their affiliates, but they were not responsible for serving up the offending content in any way.

Simply because Zango Adware was launched from the Warner Bros site does not mean visitors were at risk from anything "illegal" appearing on their desktop.

2) "They are also the people behind this alleged child porn browser. They are also the people who still silently install their software on your pcs".

This is taken from the Blog entry that caused all the commotion. Again, this is incorrect. Zango were not responsible for the browser - indeed, the article the Do Not Reply blog links to actually states as much:

"So who is this "Enigma Global Inc" that the YapBrowser installer claims is responsible for the program?"

These are the two main points that people asked me to address, because after seeing the Digg story and knowing that their kids visit the Warner Bros website, they were suddenly panicking like nothing else at the thought they might have illegal pornography on their desktops.

I'm all for taking a company apart in public when needed - but in my opinion, this was entirely the wrong way to go about it. It freaked out too many people through no real reason other than inaccuracy, and I know one person actually scrubbed their hard drive because they thought the police were going to "kick the door in" or something. However you angle it, that's not a particularly pleasant situation for people to be in. The original Yapbrowser story was bad enough - in fact, it's probably the nastiest investigation I've ever been a part of - but dragging it up from the depths to cause needless panic was rather unnecessary. "The end justifying the means" is always a tough one to call, but in this case, it's way too close to the line for my liking.

Would I feel different if I hadn't been involved in the Yapbrowser shambles?


All I can say on this occasion is - this is one of the few times a story about Zango did not get a vote from me. Still, who knows what the future holds...!

July 26, 2006

  • Gambling Site Promoted by...Gambling Bots!

Yesterday I wrote about fake Myspace profiles leading to pornographic webcam sites - today, we're looking at a variation on the theme. However, the end result this time is not naked ladies, but gambling software. The profile uses the same bait as the webcam profiles - an attractive female and a long "about me" section designed to convince you that the person in the profile is indeed "real":

Click to enlarge

There's also one final lure that the webcam profiles did not have:

"The first night I used a poker bot I won $3,000".

The irony here is that an online gambling website is being pushed by a profile promoting illegal bots - exactly the kind of program that the gambling site would not want being used on their system. Talk about conflict of interest! Of course, if you click the link to "Red Casino", you won't see any Bots - just a website asking you to install the gambling software:

Click to enlarge

From there, gambling fun is just a step away...

Click to enlarge

It goes without saying, but never download any programs you happen to find floating around Myspace - especially when it sounds too good to be true. In this case, you're "only" downloading a piece of online gambling software - but there are far greater risks out there in Myspace land as we've already seen...!

July 25, 2006

  • Webcam Bots Invade Myspace

Myspace has had a mighty beating lately due to people exploiting the network for their own ends - we've had Adware, Flash hacks, infections via banner adverts and now here's the next problem marching across Tom's lawn with big, muddy boots and trampling all the flowers. It's time to take a look at the seedier side of what goes on in Myspace - you've probably heard about "Myspace Bots", but not seen one in action. Well, today's your lucky day.

There are currently lots of near-identical profiles being created on Myspace, for some reason all called "Monica". No idea why, I guess they just like the name - at least they're not going to forget who's who. This is of some benefit to us, however, because it makes it easier to steer clear of fake-profile related trouble. It goes without saying to double check any Myspace users you encounter called "Monica" for the time being, especially if the text on the "about me" section of these profiles is all about being "different" and "individual" - and before adding them to your MSN Messenger. Here's a screenshot of one of these profiles (note that the picture will change with each profile, but the "about me" text will remain mostly the same):

Click to enlarge

Once added, talking to "Monica" will result in a bunch of Bot-style replies that all try to get you to pay for access to hardcore pornography webcams. The interesting part was trying to work out how much was automated, and how much was human-controlled. The first chat I had veered away from the "4 random replies and set to Away status" pattern that all the subsequent sessions with Monica had - after all, when you're telling someone to "do a barrel roll" and asking them if they "like potatoes", yet all you get for your troubles is "check out my webcam!", it's the signal for a (not very advanced) Bot. It's entirely possible that the first chat was human controlled, but they had to stick to a script and not deviate too much. Ultimately it's all about the money, not random chat with some guy they're trying to extract payment from. Worth noting that if someone was talking to me the first time, they were quite happy to encourage me to join up, even though I mentioned I was twelve years old!

Click to enlarge

You can see the results of some of these chats here - always good to see just how intelligent these things are (whether human or Bot!) As you'll see, the first chat definitely suggests some form of personality behind the screen - however, the rest are all 100% guaranteed conversations with automated scripts. Doh!

I can only imagine the money being brought in by a scam like this - fake profiles on Myspace have been around for some time, but a quick check of the message boards and forums suggests that this particular issue is taking off in a fairly major (and concentrated) way. It's the easiest thing in the World to create a bunch of fake profiles on Myspace, though to be fair, at time of writing Myspace have deleted a whole bunch of these accounts so proactive steps are being taken.

It's just a shame that they seem to have missed one in the process! As I mentioned in this BBC article on the problems facing Myspace at the moment:

"Any site has an increased risk of attack where a lot of customisation is possible," said Mr Boyd. "This level of customisation is what both attracts people to use the service, and what causes the most security issues."

The problem faced by Myspace is that if you start locking down all the things the users like about the service in the first place, they'll simply move elsewhere - quite the dilemma! However, somehow they need to educate their users to see that, sometimes, restrictions can be a good thing. The good news is, there are plenty of tech support and Spyware help groups on Myspace and they're doing an extremely good job of educating the everyday users there. We need to see much, much more of this kind of activity if Myspace is to begin clawing back the security of both its own service and that of its userbase.

Of course, if any of you Myspace users ever see anything you think is dubious going on - be it Adware, fake profiles or anything else - feel free to drop us a line here. We'll happily go check it out and see if we can get something done about it.

Stay tuned to Spywareguide, because we'll be looking at more common (and not so common!) scams and other such shenanigans going on in Myspace land - tomorrow, we'll be looking at a nice (!) example of Gambling software being pushed with (clearly fake) user profiles.

Looks like someone's number is up...

July 21, 2006

  • The SmartBrowser Bait and Switch

There have been plenty of issues for Zango to consider these past few weeks - in particular, their unexpected appearance on Myspace is a good example. Well, we have a rather interesting case here - a website enticing an end-user to install something they think they need, only to pull the rug out from under them and reveal that (in actual fact), it was this program over here that they needed all along!

Click to Enlarge

As you can see, the site above is a typical free movies / webcam website. This site displays numerous videos for you to watch, with the words "live now" next to a play button. Pressing the button does not launch a video (as one would reasonably assume!), but actually opens up a download prompt:

Click to Enlarge

The name of the executable continues the baiting strategy - "open for instant access". At this stage, the end-user still reasonably believes running this software is essential to viewing the videos on the frontpage. You can see the icon on the desktop and a EULA (feel free to try our Beta EULA Analyzer) presented below:

Click to Enlarge

However, when you install it, IE opens automatically and you see this:

Click to Enlarge

...a page of Zango videos, where you have to install various pieces of Adware from Zango in order to acquire the License to watch the video. However, these are not the "videos" mentioned on the frontpage - in fact, they don't seem to exist. And as far as "watching the videos on the frontpage" goes, installing Smart Browser serves no purpose whatsoever. Research from our database reflects:

The SmartBrowser is controlled by smart-browser.com. In our studies it changes the default home page. It opens pop-up pornographic advertising. Examples included extremelybabes.com and extremelyamateurs.com, and redirects attempted access of other pornographic sites to these sites instead. (Caution: these sites may attempt to load premium-rate dialers.)

EULA Analysis demonstrates some notable and alarming security risks:





What we have here is a clear example of Bait and Switch - luring you in with one offer, only to be denied the desired item, but presented with a "substitute" at the last moment. The difference here, is that the webmaster also gets to install Smart Browser onto the PC in the process - I suppose you could call it a two for the price of one deal or a "bonus". Even if the end-user doesn't choose to download any Zango videos, they'll still be receiving pop-ups (and possibly premium rate dialers) via Smart Browser.

As I am (increasingly) fond of saying - if it looks too good to be true....it probably is.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research and Discovery: Chris Mannon, FSL Senior Threat Researcher
EULA Analysis: Wayne Porter, Senior Director of Greynets Research

  • BBC Coverage of Myspace Problems

You can read the full article here - a good summary of some of the problems faced by Social Networking sites as hackers and confidence tricksters move in on previously unsoiled ground. From the article:

Chris Boyd, director of Malware research at Facetime Security Labs, said sites such as MySpace and Orkut often felt like "gated communities" and made people feel more secure than they should.

"They might click something that outside of that community they would usually think twice about," he added.

It's good to note that sites such as Orkut and Myspace are reacting quickly to these issues - the question is, can they keep up with the bad guys?

July 20, 2006

  • More Myspace Misery

Check out this illuminating post by Brian Krebs on how anything up to a million Myspace users were exposed to Spyware. Myspace is having a pretty rough time of it lately, with Zango Adware, Flash-based redirects and XSS (cross site scripting) attacks running riot. I don't think anyone could have predicted this current explosion of attacks on Myspace, but this probably won't be the last time you see Myspace mentioned here. The hackers have picked up the scent of blood in the air...

July 17, 2006

  • Myspace Under Flash Fire

If you use Myspace, you need to be extremely careful at the moment.

First we had Zango Adware being pushed from profiles encouraging other users to spread the same content.

Then, we had a "Myspace Toolbar".

Now, there is talk of an exploit that relies on redirects via Flash, meaning the hacker has complete control over your profile. You can see the ripples being made here on Digg - should be interesting to see if Myspace put out some kind of "official response" to this one as it's really caught fire. Of course, there have been exploits floating round Myspace for a long time...but as always, don't let familiarity breed contempt - here's a nasty example of what can go wrong for the non-cautious individual!

July 06, 2006

  • Yapbrowser acquired by Searchwebme

Yep, it's Yap time again. The Yap (of course) being Yapbrowser - a free web-browser that served up a whole lot more than end-users were probably bargaining for. Just when you think there's nothing more to write about, something else pops up and gets the whole story moving again. In this case, a tip from RinCe illustrates that there are some people who will still take a gamble on one of the strangest browser stories in years. Step up to the plate, Searchwebme (you'll need to scroll down to the entry dated Tuesday, 12th June):

"More recently the browser itself has been in trouble. We are well aware of Yapbrowser's application history but this is all in the past, this is why we're pleased YapBrowser has decided to partner with us, SearchWebMe. We can assure you that the new YapBrowser download does not contain any hidden software, spy-ware, ad-ware or any harmful applications. We will be regularly checking the software and updating."

They link to both Wayne Porter's Interview with a Yapbrowser Representative, and a post from the Sunbelt Blog. Searchwebme appear to be a new(ish) Search Engine, with various portals and services on offer for both the casual surfer and the aspiring webmaster. It will be interesting to see how this particular partnership develops over the coming months. They appear to have been live for a few weeks now and there have been no reports of anything going wrong - we received this tip-off a few weeks ago, but didn't want them to feel like "Big Brother" was watching over them!

Could this finally be the end of what the Yapbrowser people would definitely consider their "bad luck run"?

June 08, 2006

  • YapBrowser- The Story Gets Stranger and Stranger

Internet security...sometimes it isn't all dry analysis and wading through rogue code and links...sometimes the stories get- strange.

First we thought the YapBrowser was dead and buried. After being exposed for serving up UA Porn by a number of security experts 180Solutions (now Zango after the Hotbar merger) stopped sponsoring the product. A product, I might add, that should have never gotten through any good quality assurance department in the first place.

Then I conducted an e-mail interview with "John Sandy" to try to get to the bottom of the fiasco. The answers were evasive and to date no one can seem to take responsibility for the situation - it has all been pass the buck. Then, mysteriously and quietly, the YapBrowser comes back online promising an adult browser that in their own words: "There is a 100% guarantee no system infection will occur when using our software. YapBrowser is the only browser which gives you safe search and browsing capabilities." We find that promise hard to believe.

We thought that might be the end of it, but now a mini-soap opera is playing out as the people behind the project have launched a discussion forum. What is intriguing about this forum is that a number of the names are the same as or similar to well known security professionals and analysts and people in stories we have covered before. They have registered as users and they are actively carrying on conversations. Some examples include:

Chris Boyd, our own PaperGhost, well known and accomplished malware researcher who went back and forth with the YapBrowser crew across a number of blogs including his own at VitalSecurity.org. It is notable the real Chris Boyd did not sign up at the forum. (He has now as Paper-Ghost to monitor the events.)

Susie, who we assume could be an impersonation of Suzi Turner, the well known anti-malware activist who runs SpywareWarrior.com and blogs at ZDNET Spyware Confidential, who covered the story and had harsh words for the Yap people. In the forum she states her favorite blog is "Sunbelt Software", run by Alex Eckelberry, who was also instrumental in the crack down on YapBrowser, our own Greynets Blog, and a large business blog I contribute to at Revenews (neutral ground where the first interview took place). Susie goes on to make some jabs at VitalSecurity and the Washington Post's Security Blog, written by Brian Krebs. It is notable that the real Suzi does consult for Sunbelt Software and she doesn't speak Russian either. Then again, maybe it isn't *that* Suzi, just a vague "coincidence".

RinCe- An individual who assisted our team with a tip-off while investigating a rogue botnet involved in a massive credit card theft scheme whose owners later wound up in serious legal hotwater after the story broke. RinCe doesn't speak Russian to our knowledge. (More on that story later.)

Ozzy, who we assume could be the top gun hacker buster of BlueMicro. We really don't know if it is actually Ozzy having a go at them, or an Ozzy impersonator, but given the circumstances we simply have to wonder. You see how confusing it all gets.

To top it off they link to my interview with the alleged "John Sandy" as if the interview vindicates their activities. Folks- it doesn't. My role was merely to facilitate the conversation and work with the translators to try to get some answers to how a situation could go so horribly wrong.

So why this apparent complex game of charades? We really don't know. That is what we mean by the story getting stranger and stranger. We will continue to monitor, but that won't distract us from the really interesting stories on the horizon. Stay tuned for more mayhem from the digital trenches.

ADDENDUM: Within a few minutes of posting this blog, the Chris Boyd page at Wikipedia was defaced. Fortunately, Wikipedia records the IP address of individuals who deface the popular wiki.

June 07, 2006

  • Official: 180Solutions and Hotbar Merge Become Zango

Yesterday we reported on speculation of a marriage between Hotbar and 180Solutions. Today it was announced that 180Solutions had merged with Hotbar. The new name for the company will be Zango, and it would probably be correct to assume they are now the largest adware maker on the Internet.

According to the Seattle Times:

Bellevue-based 180solutions, which makes software commonly known as adware, has acquired Hotbar of New York for an undisclosed amount of money. As part of the announcement, 180solutions will be renamed after its consumer brand: Zango.

Adware is an application that users download to their computer to get free content. The application monitors what they are doing online to deliver relevant advertising. In the past, Zango and other companies have been lumped together with spyware, which works similarly, but is typically installed on a computer without permission.

June 06, 2006

  • More Speculation Hotbar & 180Solutions in Talks at 52 Million

For several weeks speculation has been moving fast and furious inside security research circles that "adware" maker 180Solutions Inc. has been courting Hotbar, another company that traffics in adware. Naturally this deal would catch the eyes and probing minds of security researchers given 180Solutions' checkered past, and Hotbar has had its own fair share of controversy - most notably when Symantec sued Hotbar for the right to classify Hotbar's products as adware. (The suit was settled out of court.)

Now there are articles hitting mainstream press covering the proposed deal, and we can point readers to a rough translation of an article that Google News snagged out of Israel: Hotbar in talks for sale to 180Solutions at Globes.co.il

The article says :

Israeli dot.com company Hotbar Inc. is negotiating its sale at a company value of $52 million. The probable buyer is Internet company 180Solutions Inc. Sources inform ''Globes'' that Hotbar is also negotiating with other companies, including ICQ. Hotbar develops software that sits on the browser, enabling users to change their toolbar to include links to services the company offers. Founded in 1999 by CEO Oren Dobronsky and president Gabriella Karni, the company has raised $15 million to date. Its last financing round was held in 2001. Investors include Eurofund, Tamar Technology Ventures, Technorov Holdings, CE Unterberg Towbin, and Deutsche Bank subsidiary ABS Ventures. According to IVC Online, the company had $35 million in sales in 2004.

180Solutions develops software solutions for on-line advertising. The company develops adware, otherwise known as spyware, activities hated by surfers and users of computers. Coincidentally or not, this activity is connected to a lawsuit anti-virus developer Symantec Corp. (Nasdaq:SYMC) filed a year ago against Hotbar, in which Symantec demanded that some of Hotbar's activities be classified as adware. The case was settled out of court a few months ago.

Some of this article seems completely off base and some of the connections are a pretty far stretch. For example, it is hard to discern how the Symantec suit had anything to do with a deal like this being brokered- although the article does reference it as a possible "coincidence".

Furthermore, it would be surprising if ICQ were a buyer - ICQ is merely an instant messaging service. Mirabilis was the name of the Israeli company that produced ICQ. Mirabilis was formed in 1996 by four Israelis, Arik Vardi, Yair Goldfinger, Sefi Vigiser and Amnon Amir, and was purchased by AOL in 1998 for over 200 million U.S. dollars. (Note our recent walk down IM memory lane with ICQ.)

In 2001, a new company called AOL Time Warner was created when AOL purchased Time Warner, forming the world's largest media company. The deal, announced in 2000, employed an atypical merger structure in which each original company merged into a newly created entity. We have documented Time Warner engaged in distribution deals with 180Solutions for some of their online soap operas. A distribution deal that was ill-timed given the highly problematic YapBrowser fiasco, where the browser product, sponsored by Zango (the same adware product sponsoring Time Warner's content), displayed UA pornography after making it through 180Solutions' "stringent" approval process. [Reference background on YapBrowser and links to our interview.] 180Solutions did end the relationship after the activities came to public light.

At this stage it all remains speculative, however information from many credible sources has been flowing into researchers for weeks now and coupled with coverage in Israel- Hotbar's hometown- this researcher is inclined to believe the deal is more than likely going down.

The looming question will be if 180Solutions will continue with what many call irresponsible and poorly controlled distribution practices. A good researcher relies on intuition and what he/she sees in the field. At the same time a good researcher doesn't ignore history and its lessons either.

June 03, 2006

  • IST Adware Via WMV Files

Are you interested in downloadable movie clips? Many people are, so be alert!

During the course of research, while googling for some popular video albums, I came across a forum that holds many articles and download links based on the users' interests. More than ten thousand members are sharing their articles and download links in this forum. Many of these are what you might call spicy material. I suddenly paused when I found a fellow who was posting many adult video clips. Most of the download links are from Rapidshare.

Rapidshare is a file-hosting domain where people can upload and download files of up to 45 GigaBytes.

I picked up one of the threads which appeared on May 22, 2006.


Jimpolk, the user name of the person who posted the thread, did not give any personal information and is not a member of any public group in the pakkadesi forum, so I can deduce this might be a marketing attempt.


I received two download links, which hold the same video clip, and I selected the Rapidshare link.

I downloaded the clip and played it using Windows Media Player. It suddenly began acquiring a license rather than opening the media.


I used Netpeeker to track what was happening with my Media Player, and the report showed Windows Media Player making contact with ysbweb.com to install IST Adware products.


All becomes apparent when an ActiveX Control pops up. The ActiveX control is signed by Integrated Search Technologies. (Note: a signature does not mean a control is safe - only that it is signed.)


They did not allow me to view the video without installing the IST adware.


The EULA was last updated on May 4, 2006 (incidentally the very same date on which Jimpolk registered in the pakkadesi forum), which is a very recent move by Integrated Search Technologies to distribute their Advertisements. People can also check out EULA Analyzer Beta to help analyze agreements.

Users will need to agree to a license that enables the installation of several applications. These include ISTbar, SlotchBar, YourSitebar and Xxxtoolbar. This is just to view one movie!

They may also install third-party adware products like Internet Optimizer and SurfAccuracy.

I picked up the network traffic, which helped me determine that IST might be affiliated with some of the people who are distributing the WMV files - the affiliate_id parameter in the requests below identifies who gets credit for the install. Of course, it could also be an account set up for internal analysis.

POST /v7.aspx?id=65181&filename=Desi_bhabhi_******.wmv&affiliate_id=1000656:1913 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: SendHTTP
Host: drm.ysbweb.com

GET /ist/scripts/license.php?key_id=&filename=Desi_bhabhi_******.wmv&affiliate_id=1000656%3a1913 HTTP/1.1
User-Agent: SendHTTP
Host: www.ysbweb.com
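To show how an analyst can pull the tell-tale fields out of a capture like the one above, here is an added example (not part of the original post, and not IST's or Netpeeker's code). It re-types the two requests shown above as constructed sample input, splits each into method, path, query string and headers, and reports any request whose Host falls under a watchlisted domain together with the media filename and affiliate_id it carries. The watchlist contents and the field names are assumptions for the demonstration.

```python
"""Extract DRM-licence request indicators from captured HTTP requests (added example)."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the two requests from the capture above, filename redacted as on the page.
CAPTURED_REQUESTS = """\
POST /v7.aspx?id=65181&filename=Desi_bhabhi_******.wmv&affiliate_id=1000656:1913 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: SendHTTP
Host: drm.ysbweb.com

GET /ist/scripts/license.php?key_id=&filename=Desi_bhabhi_******.wmv&affiliate_id=1000656%3a1913 HTTP/1.1
User-Agent: SendHTTP
Host: www.ysbweb.com
"""

# Assumed watchlist: registrable domains the analyst has tied to the adware licence server.
WATCHLIST_DOMAINS = {"ysbweb.com"}


def split_requests(capture: str) -> list:
    """Requests in the capture are separated by a blank line."""
    return [block for block in capture.split("\n\n") if block.strip()]


def parse_request(raw: str) -> dict:
    """Split one HTTP request (request line plus headers) into its parts."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    # parse_qs percent-decodes values (so %3a becomes ':') and keeps empty ones like key_id=.
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"method": method, "path": parts.path, "query": query, "headers": headers}


def registrable_domain(host: str) -> str:
    """Reduce 'drm.ysbweb.com' to 'ysbweb.com' (naive last-two-labels rule, enough for this sample)."""
    return ".".join(host.lower().split(".")[-2:])


def licence_indicators(capture: str) -> list:
    """One finding per request aimed at a watchlisted host, with the filename and affiliate id."""
    findings = []
    for block in split_requests(capture):
        req = parse_request(block)
        host = req["headers"].get("host", "")
        if registrable_domain(host) not in WATCHLIST_DOMAINS:
            continue
        q = req["query"]
        findings.append({
            "method": req["method"],
            "host": host,
            "path": req["path"],
            "filename": q.get("filename"),
            "affiliate_id": q.get("affiliate_id"),
            "user_agent": req["headers"].get("user-agent"),
            # A media "licence" fetch that names an affiliate is the pattern described in the post.
            "affiliate_tagged": bool(q.get("affiliate_id")),
        })
    return findings


if __name__ == "__main__":
    for f in licence_indicators(CAPTURED_REQUESTS):
        print(f"{f['method']} {f['host']}{f['path']} affiliate={f['affiliate_id']} file={f['filename']}")
```

Both requests decode to the same affiliate_id once the percent-encoded colon is unescaped, which is what lets the two hosts be tied to one distribution account; requests to hosts outside the watchlist are dropped silently.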

Since there is large demand for adult entertainment online it comes as no surprise, companies are distributing their products through pornographic video clips. Likewise it is not surprising people are trying to earn money by becoming an affiliate for adware companies like IST. (In this case, by uploading their movies in sites like rapidshare.) The user, JimPolk, may be one among them who gets their pocket money just by distributing adware through the video clips.

The lesson here is that free often carries a steeper price tag than you might think - the trade-offs are often hidden. Think before you click and ask yourself: is downloading several applications that will throw pop-up ads, trade away your privacy, and slow down your computer worth the video you are about to download? Also consider that you will have to endure this software long after the video is gone.

May 31, 2006

  • Return of The Yap Browser

In a surprising twist the YapBrowser project is back online and loose on the Internet or at least the site is back online.


This time the website claims:

"YapBrowser is a browser which will make searching for any information online much simpler. Download YapBrowser for free and forget about getting to sites containing harmful exploits. Your computer will be free from viruses breeding online. Attention! You can download a 100% free adult version of YapBrowser. Using it you will be able to search for and browse adult content for free. There is a 100% guarantee no system infection will occur when using our software. YapBrowser is the only browser which gives you safe search and browsing capabilities. Now you can download it for no cost at all."

So it is an adult version this time around, the user is getting a warning upfront, and, you guessed it, it's free and now backed by a 100% guarantee that you won't experience a "system infection".

For those who are new to the saga you can check out the interview with the creators behind the software as well as some general advice. It is a lengthy read.

YapBrowser: The Interview
YapBrowser Questions and E-mail Interview
Yapbrowser...Not Something You'd Want to Plugin To!

Naturally we do not recommend the software given the highly debatable history behind it.

Thus far our tests indicate:

1. Yapbrowser is up for download
2. The MD5 of the main executable is the same as that of the earlier file.
3. No third-party downloads were seen, nor were any third-party DNS queries made during the download.
4. Currently the software is not working properly (404 error pages are received for every URL entered).
5. Currently Yupsearch.com is redirected to yapbrowser.com.
6. Adult Browser download link is not active.
7. No Phone Home activity seen.

We'll be watching, but I suggest users steer clear.

May 26, 2006

  • A Hijack that's All Smiles...

...or should that be Smileys?

Check out the below site:

Click to enlarge

Looks nice and innocent, right? Mr Smiley of Smiley Central looking all happy and, er, smiley on a website that basically fires you off to various top 100 lists and other "get this now" kinds of places.

Sadly, this website has something nasty lurking in the background - because if you know where to look, the startled expression on Mr Smiley's face is given a whole new meaning. Enter the URL for the super-secret hidden Executable (instead of randomly clicking any of the links displayed onscreen), and...:


Is this an executable I see before me? Looks like it! Run the thing, and before you know it, your desktop is covered with all manner of popups and icons and who-knows-what else:

Click to enlarge

The startled look on Mr Smiley's visage is looking more and more like a horrified grimace, isn't it?

Interestingly, the payload is incredibly similar to the one covered here, minus the Zango installer (though a call is made to Zangocash.com).

Once again, we see friendly smileys subverted and used for the purpose of evil, instead of good.


May 19, 2006

  • The (un)Safety Browser: Latest IM Hijack

Ever wondered if music should be assigned an "annoyance level" in the Spywareguide.com database? Probably not, but after seeing this latest hijack you might think twice. Throw in a browser which installs itself without your permission and you have one of the craziest hijacks I've seen this year: say hello to yhoo32.explr, courtesy of FaceTime Security Labs.

Sitting comfortably?

Then let's begin...

Continue reading "The (un)Safety Browser: Latest IM Hijack" »

  • The Hidden Implications of the Blue Security Takedown.

Blue Security just threw in the towel. Regardless of what you think of them or their methods, let's ponder the implications for the Internet thus far.

Continue reading "The Hidden Implications of the Blue Security Takedown." »

  • Self Fulfilling Prophecy? Botnets and Adsense

Chris Boyd and I talked about the possibility of this happening back in March during our Podcast with Jeff Molander. In this instance I will quote myself:

Porter says, "Once you've compromised a PC you own it... it's yours you can do with it what you want and you can emulate that activity. Because that net is spread out... you can execute any type of activity and get away with it -from sending spam to recommending certain Web sites to infecting them with more adware to emulating surfing activity and possibly emulating click activity... yes... definitely for sure."

It appears our unfortunate prophecy has become "documented reality", as a botnet owner took aim at Adsense with a small herd of bots designed to click on Adsense ads, as noted by the SANS Institute's Internet Storm Center...

Bottom line is that the advertiser pays in exchange for a bot visiting him.

It seems some bot operator left a website with both the bot's *.exe and the web based control panels wide open. An anonymous source sent us the URL.

The critical part to note about this activity documented by SANS is this:

It is interesting to note that the botnet was 115 bots in size at the early time of the day I was looking at it and most were under 15 clicks each.

Note the small size of the botnet: without an anonymous tip and some lack of planning by the botnet owner, it might have kept flying for a long time. This means it was either immature in size or the owner knew to keep the size of the herd under the radar. This is, unfortunately, what we thought we would see, and The Register noted it.

Generating traffic from a small number of machines (numbered in the hundreds) makes the traffic generated from compromised machines look innocuous. In return for helping click fraud scammers keep a low profile, botnet owners rake in a percentage from the scam.

No doubt we will see more of this in the future. Whether this is contained or not will depend much on how savvy Google is in detecting and shutting down this activity, as well as how well users guard their machines.

I wish I could say the prognosis was better...

Many others have picked up on this activity and that's good. The more people know about it, the better it can be defended against.

May 18, 2006

  • Zango on Myspace

Want to see an example of the PM floating around Myspace as blogged by Brian Krebs that eventually leads to a Zango install? Because we've been looking at these bad boys for the last few days too. Good old multi-blog action - nothing finer!

Here you go:

Click image to enlarge

Continue reading "Zango on Myspace" »

  • The War is Not Lost

Lots of people have been pointing me to this writeup, entitled "Have we lost the war" (as you might have gathered!)

There's a lot of talk about what some products do (and don't) do, but the two main extracts are below. From the article:

"Have we really got to a point where users have to admit that they cannot get rid of the spyware infesting their PCs? Why else would we need to create a 'safe' connection before accessing an online bank?"

Well, why not create a safe connection? Isn't that what you're doing when you install Antivirus, Antispyware and a Firewall? Making things inherently safer? So how is applying tighter security some kind of "admission" that we've lost a so-called war?

"Instead of killing off spyware we are learning how to live with it, which makes me think that this battle is almost over."

Again, this is nothing new. We've been "living with Spyware" since forever, so either nothing has changed or the "battle" has been lost from day one. It all sounds a touch self-pitying to me. Either you do something about it or you shut up shop. And if you shut up shop, you can't expect any mercy from the bad guys. Take Blue Security: they were recently smashed into the ground by angry spammers. Well, they waved the white flag and "gave up" because they didn't want any more fallout hitting innocent websites. The thing that Blue Security missed is that the spammers don't care and have continued to blast them into little pieces (and the innocent bystanders, too).

I'm reminded of the Stones song, "All or Nothing". I'm also reminded of "Street Fighting Man", but mostly because I like the version by Rage Against the Machine. Which is also strangely fitting, come to think of it.

May 16, 2006

  • Around the World in Eighty Infections

Well, not exactly. We don't have any balloons or men in funny hats - however, you may find this article interesting - it deals with the "local traits" of the US, Europe, China, Russia and more, "local traits" meaning "ability to do nasty things to your PC". According to the writeup, Europe is both attacker and victim, America needs to get a firm handle on where the danger is coming from before it's too late and China's ability to man the walls is severely lacking.

Is it just me, or did they base their study on World War 2?

Joking aside, there's some interesting information presented here:

"...the US does certainly harbour some of the most prolific spammers in the world, as well as the world's three worst ISPs for relaying spam, says Spamhaus."

The depth of Spam coming out of the States is not widely known by Joe Public, and it always seems to come as something of a surprise to them. In addition:

"The most recent figures from MessageLabs suggest almost one-fifth (18.1 per cent) of all compromised machines are located in the US - and it's a fair bet, based on recent police investigations, that many of those doing the infecting are also US-based."


China leads the way in attack volume, with the others playing catchup. Meanwhile, Russia slides down the table with less than 2% of attacks last year and the Middle East is mentioned in connection with Spyware. I have some personal experience of this, and I have to say - those guys are a tough nut to crack.

All in all, a good writeup; however, I'd like to have seen more detail. Some specific examples of what each region gets up to, maybe, or how about some anecdotal evidence? I'd also love to know what kind of activities are going on in Korea, but that's a whole other ball game...!

May 10, 2006

  • Warner Brothers and 180Solutions Equals Zango for Soap.

Chris Boyd checked in from the "it's too insane not to be true" department, and now we have another piece of ripped-up reality that makes you wonder what rock ad agencies hide under, or perhaps who dinged them in the head with a rock.

According to Media Post 180Solutions and Warner Brothers are working in tandem.

Several bloggers have picked up on this connection; my favorite was from Chris Kramer of Netexponent, who said:

According to today's Media Post online, media giant Warner Brothers has been working with controversial adware company 180 Solutions to distribute their online soap opera "Deception". Can anyone think of a more appropriate title for 180 to be featuring?

(Random and Pointless Trivia: Blogger Chris Kramer is vegetarian and once accidentally ate a scallop mistaking it for a tater tot. This is true.)

Kramer's take is appropriate indeed.

Is this why 180Solutions has been so silent about the UA Porn distribution fiasco, complete with an interview that details their "harsh" testing process? The fiasco is spelled out in big glowing letters in this interview I conducted, both in Russian and English, and taken apart by PaperGhost over at VitalSecurity.

So let's rewind and back-up and look at what was going on while Warner Brothers and 180 were making web content...

Andrew Clover checks in with some candid evidence on one distributor. It comes complete with a video of pornography: not your run-of-the-mill porn but what appears to be child porn. Link to Video (illegal images have been obscured; note that a special codec may be required to view it).

Chris Boyd provides more technicolor here. Sunbelt Software gives us the possible Russian background connection, and finally TechDirt asks some more questions....

Suzi Turner of ZDNET's Spyware Confidential asks the ultimate question: "What legitimate company would want to be affiliated with 180solutions after learning of 180's apparent liaison with child porn and CoolWebSearch?"

Well now I have the answer for you Suzi- Warner Brothers!

May 09, 2006

  • Interview with a Botnet Host

I got this lovely missive in my mailbox a few days ago:

Tired of being scammed?
Tired of servers downtime?
Tired of high latency?
Being Blocked or Blacklisted too fast?

Get rid of asian datacenters and choose a better Spam friendly solution with us. We have the latest development in Bulletproof Webservers that will handle your high complaint loads.

Contact us for pricing!
ICQ #:
MSN Messenger:

Botnet Hosting Servers
5 IPs that change every 10 minutes (with different ISPs)
Excellent ping and uptime.
100 percent uptime guarantee. Easy Control Panel to add or delete your domains thru webinterface.
Redhat / Debian LINUX OS.
SSH Root Access.
FTP Access.

We have Direct Sending Servers, and we also do Email Lists Mailings.

Spam friendly and Botnet hosting? Oh, dream come true! With that in mind, I decided to check out their website - not a good start, it was offline and the email address kept bouncing. Three of the four IM addresses didn't seem to work and we nearly had no writeup, but with the last address I tried...

Continue reading "Interview with a Botnet Host" »

May 05, 2006

  • YapBrowser- The Interview


I have now received the responses from Yap Browser. Special thanks to Anna of Sunbelt and Joseph of Facetime for taking the time to provide translation services. The controversy all started when some researchers downloaded the Yap Browser, which was bundled with 180 Solutions' Zango product, and the browser was serving up what appeared to be UA Porn (Under Age Porn).

For our Russian speaking readers I have uploaded the interview questions and answers in Russian.

Porter's Interview Questions in Russian

"John Sandy": YapBrowser's Response to Interview in Russian

Per the rules of engagement I will refrain from comments here. However, trackbacks are on; if your trackback does not show up, please e-mail me and I will put up a summary. On to the interview...

Wayne Porter's E-mail Interview: Questions to Yap Browser:

Porter: So that it is clear, what is the name of the entity or company that develops and operates YapBrowser?

Yap's Response: Enigma Global Inc.

Porter: Are YapBrowser and YapSearch.com controlled and / or operated by the same entity or otherwise related?

Yap's Response: Yapbrowser.com is a website of our program called yapbrowser, where users can download our program and read its description. Yapsearch.com is a website that is supposed to be reflected within the yapbrowser.com. Also, yapsearch.com is a search engine (but at this moment not functioning, since we have not selected a non-free search system whose feed could have been used to do searches. At that moment there was only a design form/template on the website.)

Porter: For the purpose of general information background and mutual understanding, can you describe the business that you conduct on the Internet?

Yap's Response: We were planning to open a partner program [[translation: partnering meaning bundling here]] and pay our partners for installations of our yapbrower. The installation of the program was supposed to be sponsored by zango. That is, every partner could register into our bundle and create a link to our program at their website. Before that, we would have to check the website content ( if it breaks any rules i.e. is not illegal) and then allow them to proceed.

Porter: How long has YapBrowser been available for end-users to download from the Internet?

Yap's Response: We came up with the idea of Yapbrowser about half a year ago. Before that, we were trying to come up with what would be the best to be downloaded by users, and chose yapbrowser. Yapbrowser was never made available for end-users. Only some people knew about our program (programmers, designers, zango etc.) At the time when the problem was discovered, our program was still in development, and wasn't launched yet. There was no traffic on the websites.

Porter: Aside from working with 180solutions can you cite, as trade references, any other businesses or advertisers that you work with, have worked with in the past or those who have expressed interest in working with you in the future?

Yap's Response: We haven’t even had a chance to buy advertisement spots for our project, let alone launching it for testing. Therefore, we didn’t have any partners. At that time we collaborated only with zango. After the testing we would have started with advertisement on internet forums. Later the new partner would be appearing.

Porter: How long has YapBrowser bundled the 180solutions product- Zango?

Yap's Response: We bundled our programs recently. Since zango was going through certification (or something of that kind) we had to wait for quite some time. I think the bundling happened about a month or two ago.

Porter: How were you not aware over that period of time that your application / sites were redirecting to the offensive material?

Yap's Response: First of all, I wasn’t paying much attention to yapsearch.com website. To test it, I simply installed the design template with non-working hyperlinks and a search line field. I have no idea that on a non-existing page there might be such content with offensive material. When I was shown an article about our website I was shocked. And, naturally, I realized what happened.

Porter: How rigorous was 180Solutions / Zango in terms of checking your application before they agreed to have their software bundled with the YapBrowser application?

Yap's Response: The testing process was very harsh. First, our program is included into zango installer. We supply some design elements for the program installation, EULA text. The program installation is done with the confirmation of two agreements. Zango's approach to this issue is very serious; therefore, I do see that they are dependable, and choose them as partners. In this situation there is no zango's fault. Most likely it is my program's fault that such a mistake was made. And, of course, the real offender is the host company.

Porter: Did 180solutions test the software prior to your agreement to bundle Zango?

If so, can you describe the process that was involved?

Yap's Response: Yes, testing was done a couple of times. I sent the program to zango to be tested. They replied to me with the changes that I had to make in the program. That happened a couple of times before we finally had the desired results. (But I would like to repeat that the programs were not launched; the partner-program was still in development.)

Porter: Did they test your application after it launched with the Zango product bundled?

Yap's Response: Yes, the testing was done. Maybe, at that time 404 page wasn’t showing any illegal content. I cannot say for sure since I did not check.

Porter: Have you received payment from 180Solutions for the Zango downloads you delivered?

Yap's Response: By that time, no more than 5 downloads of my program were made. What payments can we talk about?

Porter: Your sites were hosted on a server that also hosted known hijack sites and sites related to other allegedly illegal practices. Specific examples would include instme. biz and nstallme. info.

At the time of my testing there were only six other sites residing on this server besides yours, and approximately 60+ sites on a related IP address. Again, many of these were highly dubious and well known to the security community.

Given the current state of Russian webmaster forums, where whole sections are devoted to "rogue" sites and installers, as well as the widespread coverage of these groups by Western security companies, how is it that you were not aware of the practices of your neighbours on this server?

Yap's Response: I had’t even thought that these people could have done this to me. First of all, they were not my permanent web host company. The sites were kept there temporarily, before the launching of the program for the testing purposes by my employees. If I would have launched the program, I would have bought my own server.

At that time it was not worth to maintain an expensive server because this project was taking too much money, which I am very limited with. The websites were kept at that server for free. The person who supplied me with that was contacting with me via icq. Do you need his number?

Of course, after he realized what happened, he disappeared. He was also registering the domain yapcash in his name. And at this time I do not have access to that domain. My thoughts on that are that these people wanted to use the traffic from my yapbrowser somehow. They probably were somehow related to such hacker sites as instme. biz and nstallme. info. I do not possess that information.

Porter: How is it that you were not aware your chosen server host were well known and documented for hosting such sites and material?

Yap's Response: This was not my permanent webhost. It was used only for tests (I repeat). I did not plan to send traffic there from my partner websites (but I think that's what the webhost expected, since he let me keep my sites there for free).

Porter: To quote from your exchange with Paperghost at VitalSecurity.org:


Paperghost: The same details are used for a group of sites at Eltel, a Russian ISP, including one site that redirects the user to browser exploits at paradise-dialer.com, which load trojans, spyware and dialers. Paradise-dialer's whois places it as part of the CWS group known as Dimpy, aka BigBuks. Since the BigBuks whois is also given by mix-click, referred to by the yapbrowser/yapsearch whois, and the aforementioned servers at Pilosoft and Eltel (as well as the paradise-dialer server also at Pilosoft just a few IP addresses away) run many other sites that link back to browser exploits and child porn promotions run by BigBuks, it seems reasonable to assume that they are the same group of people.

So, is this you or not? And if not, how come the contact details are the same?

YapBrowser: We now try to find people which are involved in an illegal site. They had some attitude to domain names, but not to our activity. Similar these people are engaged in distribution illegal content and in parallel contain a server for this purpose. We have chosen an unsuccessful place of accommodation of the projects in a network.

Given your statements and acknowledgement of illegal content distribution, presumably you have accurate details of who you did business with for hosting. This would include business names, individual names, addresses, phone numbers, etc. You appear to claim to have been victimized by a supposedly legitimate business entity; are you willing to serve the public interest by making this information available in this interview?

If so, please provide details. If not, why not?

Yap's Response: I do not have any names, phone numbers, addresses etc. :) I did not work together with them at that level. I have the icq number 278-690-157 and nick Androgen, which has been offline for a long time now. You know the IP addresses of the server. My sites were kept on his webhost. You say that the IP addresses match, and that is understandable because my sites were on the same server as the illegal sites, and I did not know about it. FTP access has not been working either for a long time now. In the first couple of days I was trying to do something, but then the websites just stopped working. I moved to another webhost. I was defamed on various forums and the webhost just deleted my sites.

Porter: It has been brought to my attention that:

A representative of YapBrowser is John Helbert, as seen here:


A connection has been made between this person and an individual called “Klass” a member of a “Lolita / CP” board called “Dark Master”. (Matching ICQ numbers, etc). More on this connection can be seen here:

Sunbelt Haloscan comments

What is your response to this connection between YapBrowser and the “Dark Master” forums?

Yap's Response: I am not part of the group "Lolita / CP" under the "Dark Master" name :) Dark Master is an old forum, which was closed. Anybody who wanted could register there, and I do not belong to those people who do illegal projects. Yapbrowser has nothing to do with that forum. There is no factual proof of the relation.

Porter: Ben Edelman provides video evidence of the dubious activities of an outfit called HighConvert working with a number of adware companies. See video: http://www.benedelman.org/scripts/video/?v=highconvert-081505
This operation appears to be related to a document uncovered and transcribed from Russian into English by Sunbelt Software in early April. The YapSearch domain is cited in this document. Reference English translation of the document here: Sunbelt Translation Document.

The document outlines plans for “invisible clickers”, lowering of browser’s security settings, utilizing “Blue Screen of Death” for trick ads, and the changing of 404 error pages among other dubious practices. How do you explain this reference to YapSearch?

Yap's Response: Probably, this document was written by a person, who communicated with me at some point, but I do not know who that person is, maybe a programmer. There is an example of the feed design of yapsearch.com in this document. I think that it was written by someone who was in touch with me earlier, because there is a program mentioned there, that is similar to mine, but that one is included in an illegal project. Yapbrowser does not belong to that project (described in the document). And it couldn’t belong because all changes we make in the program, we have to show to zango to be checked.

Porter: Did YapSearch or YapBrowser ever deploy any of the tactics outlined in this document?

Yap's Response: Of course not. Why are you asking that? Have the program checked by knowledgeable programmers to assure that there are no such functions in my program.

Porter: Given the current state of affairs what is the future for YapBrowser-do you still intend to distribute this application?

Yap's Response: At this moment, the development of the program is completely suspended. Bad things are written about us on many websites. I had no idea that I could encounter this problem in the project, and I understand my mistakes. To show my goodwill, I am ready to donate money for children. All details about the donation you will be able to see on my website yapsearch.com

Closing Comments from Yap Browser's, "John Sandy"

I hope, now things will turn around, and you will finally understand that my project is not involved into any illegal activity. Please, try to distribute this article among all forums and blogs.

Thank you for the interview, hope that you will help me to solve this problem.

End of Interview

  • FTC Gets Heavy with Sanford Wallace...

Sanford Wallace is the guy responsible for plastering alarming messages across end-users' desktops, related to a hijack called Spy Wiper and Spy Deleter. As you might have guessed, he's now in a whole world of trouble with the FTC. For more information on Sanford (and his, er, lovely nickname) click here. For the full list of "really bad things" (TM) done in the name of mass emailing and Spyware pushing, check out the page on the FTC website. Notable quotables?...

"A default judgment against Wallace and Smartbot.Net orders them to give up $4,089,500 in ill-gotten gains. "

"Lansky, an ad broker who disseminated ads containing Wallace's spyware, will give up $227,000 in ill-gotten gains."


For more coverage on this issue check out Steve Shubitz at Stopscum.com. He even has some of Sanford's most treasured posts.

May 04, 2006

  • The Number One Job is...

...security, according to this article. Well, no surprise there - but with that in mind, perhaps you'd like to check out the all new Jobs Section?

May 03, 2006

  • How Much is Too Much?

You'd think I'd be pleased about software telling you what it's going to do. However, sometimes there's a little too much information for the end-user to digest. Imagine my surprise at the following install, then, where the end-user has to sit through four EULAs, including two Zango agreements which could potentially conflict with one another! Sitting comfortably? Then let's begin...

Click image to enlarge

"Rubberfaces" is an application which takes pictures of celebrities and fires them around the screen, distorting their features in a humorous fashion. However, the real action takes place when you're attempting to install the thing. Firing up the executable presents you with the above EULA. Clicking "Next" brings you to a "MySearch" EULA box:

Click image to enlarge

Continue reading "How Much is Too Much?" »

April 30, 2006

  • YAPBrowser- Questions & E-mail Interview

I received confirmation from the "Yap Browser" people, who stated they would work on answering the questions next week. The questions for YapBrowser were written in English and then translated into Russian (thanks Anna and thanks Joe!), and they were urged to reply in Russian, their native language. As soon as I have their answers I will have them translated, once again, by two different teams and post the Russian answer document as well. All will be followed per the rules of engagement.

Wayne Porter's E-mail Interview: Questions to Yap Browser:

1. So that it is clear, what is the name of the entity or company that develops and operates YapBrowser?

2. Are YapBrowser and YapSearch.com controlled and / or operated by the same entity or otherwise related?

3. For the purpose of general information background and mutual understanding, can you describe the business that you conduct on the Internet?

4. How long has YapBrowser been available for end-users to download from the Internet?

5. Aside from working with 180solutions can you cite, as trade references, any other businesses or advertisers that you work with, have worked with in the past or those who have expressed interest in working with you in the future?

6. How long has YapBrowser bundled the 180solutions product- Zango?

7. How were you not aware over that period of time that your application / sites were redirecting to the offensive material?

8. How rigorous was 180Solutions / Zango in terms of checking your application before they agreed to have their software bundled with the YapBrowser application?

9. Did 180solutions test the software prior to your agreement to bundle Zango?

If so, can you describe the process that was involved?

10. Did they test your application after it launched with the Zango product bundled?

11. Have you received payment from 180Solutions for the Zango downloads you delivered?

12. Your sites were hosted on a server that also hosted known hijack sites and sites related to other allegedly illegal practices. Specific examples would include instme. biz and nstallme. info.

At the time of my testing there were only six other sites residing on this server besides yours, and approximately 60+ sites on a related IP address. Again, many of these were highly dubious and well known to the security community.

Given the current state of Russian webmaster forums, where whole sections are devoted to "rogue" sites and installers, as well as the widespread coverage of these groups by Western security companies, how is it that you were not aware of the practices of your neighbours on this server?

13. How is it that you were not aware your chosen server host were well known and documented for hosting such sites and material?

14. To quote from your exchange with Paperghost at VitalSecurity.org:


Paperghost: The same details are used for a group of sites at Eltel, a Russian ISP, including one site that redirects the user to browser exploits at paradise-dialer.com, which load trojans, spyware and dialers. Paradise-dialer's whois places it as part of the CWS group known as Dimpy, aka BigBuks. Since the BigBuks whois is also given by mix-click, referred to by the yapbrowser/yapsearch whois, and the aforementioned servers at Pilosoft and Eltel (as well as the paradise-dialer server also at Pilosoft just a few IP addresses away) run many other sites that link back to browser exploits and child porn promotions run by BigBuks, it seems reasonable to assume that they are the same group of people.

So, is this you or not? And if not, how come the contact details are the same?

YapBrowser: We now try to find people which are involved in an illegal site. They had some attitude to domain names, but not to our activity. Similar these people are engaged in distribution illegal content and in parallel contain a server for this purpose. We have chosen an unsuccessful place of accommodation of the projects in a network.

Given your statements and acknowledgement of illegal content distribution, presumably you have accurate details of who you did business with for hosting. This would include business names, individual names, addresses, phone numbers, etc. You appear to claim to have been victimized by a supposedly legitimate business entity; are you willing to serve the public interest by making this information available in this interview?

If so, please provide details. If not, why not?

15. It has been brought to my attention that:

A representative of YapBrowser is John Helbert, as seen here:


A connection has been made between this person and an individual called “Klass”, a member of a “Lolita / CP” board called “Dark Master” (matching ICQ numbers, etc.). More on this connection can be seen here:

Sunbelt Haloscan comments

What is your response to this connection between YapBrowser and the “Dark Master” forums?

16. Ben Edelman provides video evidence of the dubious activities of an outfit
called HighConvert working with a number of adware companies. See video: http://www.benedelman.org/scripts/video/?v=highconvert-081505
This operation appears to be related to a document uncovered and transcribed from Russian
into English by Sunbelt Software in early April. The YapSearch domain is cited in this document.
Reference English translation of the document here: Sunbelt Translation Document.

The document outlines plans for “invisible clickers”, lowering of browser’s security settings,
utilizing “Blue Screen of Death” for trick ads, and the changing of 404 error pages among
other dubious practices. How do you explain this reference to YapSearch?

17. Did YapSearch or YapBrowser ever deploy any of the
tactics outlined in this document?

18. Given the current state of affairs, what is the future for YapBrowser -
do you still intend to distribute this application?

April 24, 2006

  • Deception, Deceit and Dollars- Spotting Red Flags

While Googling to download HijackThis, I spotted a link from Google's AdSense program. Check out the following screenshot:


(Note: the red X is part of the SiteAdvisor program, which can help users spot sites that use deceptive practices, and is only displayed if you are using the program.)

In the above screenshot, clicking the link “HijackThis Free download” opens the site http://hijack-this.net/. Naturally, curiosity compelled me to dig deeper into this site, and I also wanted to know what Merijn, the original creator of HJT, had to say about it. It appears it hit his radar a long time ago, and he was not pleased that the name of his product was being used to push other commercial products.

He states on http://www.merijn.org/:

"April 22, 2005:
Just a short note on the domain HIJACK-THIS.NET: this is not mine! It has been registered by an affiliate of XoftSpy (who are also on the Rogue Antispyware List on SpywareWarrior.com) and they are luring people into downloading their software believing it is HijackThis. Also, they have registered a few AdWords at Google leading to the same result. We'll see where this goes. In the meantime, if you want to download any of my programs, the official domain is and always will be www.merijn.org.

UPDATE: April 29, 2005:
I just received word from Paretologic (the owners of XoftSpy) that the affiliate responsible for the page has been terminated and the site will be taken down. That's one down, one to go. :)"

Let's dig into this mystery...


April 16, 2006

  • Yapbrowser...Not Something You'd Want to Plugin To!

This one has crept across the security pros and analysis can now be found here and here.

For those not in the know, Yapbrowser is a browser "search tool" - unfortunately, none of the paid-for links work (returning a blank page) and anything entered into the browser redirects to...illegal pornography. What makes this even more interesting is that you need to install Zango (from 180 Solutions) to run the application.

The response, or perhaps lack of one, from 180 should be interesting, to say the least...I wonder how it will differ from the interview Wayne Porter did with them a year ago.

They said...

First, 180solutions cares a tremendous amount about what users think about our software from how it is distributed to how it works on a user's machine. As our company has grown, our company has and will continue to invest heavily in user-focused initiatives. Going forward, through the use of additional staff and innovative technology, we will dramatically increase control over how our partners operate. We understand and accept the responsibility to monitor and police our partners.

Historically, 180solutions has not installed software; we relied on a network of partners to distribute our applications. Over the last year, 180solutions has placed greater emphasis on managing distribution partners as well as moving to maintain more control over how our software is installed on users' machines. In response to public and our own concerns, we carefully monitor our channels for conduct we find inappropriate. 180solutions has a stringent distributor code of conduct in place and frequently audits distribution partners.


Porter's Preface to 180 Solutions Response & Some Software Philosophy.

Official Response from 180solutions to Porter's Questions

March 31, 2006

  • When the Closet Opens...There is More Than 180 Inside

Sometimes, things will crawl out of the closet whether you want them to or not. In this case, the closet-dweller happened to be an ex-employee of 180 Solutions. Make sure you check the interview between the ex-180 guy and Jimmy Daniels over at ReveNews. It's one of the best chinwags regarding the inner-workings of an Adware company I've ever seen. In fact, it was so cool I managed to get it on Slashdot.

March 23, 2006

  • A Small, Happy Moment In Australian IRC Land

Why?....because it's always good to see a bad guy taken down, right?

A VICTORIAN has been charged over a series of high-profile international internet hacking attacks.

The 22-year-old man was arrested in Melbourne early yesterday after a joint state and federal investigation into the sophisticated attacks on internet relay chat servers in Australia last year, the federal police said.
Belgium's federal computer crime unit tipped off Australian authorities about the attacks, which used remotely controlled computer networks known as botnets.

The US, Singapore and Austria were also affected by the hacking attacks on Australian IRC servers.

More here.

March 18, 2006

  • More On The Botnet Bust...

Check out my interview with Internetnews.com. From the article:

"We had a tip-off from an individual known as RinCe," Chris Boyd, security research manager at FaceTime, told internetnews.com. "With his assistance, we were able to map the activities of these groups in great detail. From there, it was a case of analyzing all the files, making the right connections, finding compromised servers and gathering more data."

...and how sweet it is.

When you're done there, we have more coverage on Techweb:

"They're using the kitchen sink approach times one hundred," said Boyd.

As far as notable quotables go, that's a cliche-laden screamer, wouldn't you say? On the other hand, it's a more than accurate description of the scam at hand. Stay frosty...

March 08, 2006

  • Viewpoint in Spyware Brawl

This looks like a slam-bang fist fight is developing out in the wild wild, wikki-wikki wild-wild-web (you can slap me for the poor gag later. I just really liked the Will Smith cowboy film. I'm sorry).

Viewpoint is taking something of a beating by this chap - some mails have gone back and forth, and what will happen now is either:

1) Absolutely nothing at all, as it fizzles out into nothingness

2) It all kicks off with fireworks, explosions and probably some very happy lawyers.

Either way, Viewpoint interestingly reference some wrangling they are having with Paretologic - it could end up a two-on-one tag-team effort if Pareto aren't too happy with Viewpoint dragging them into this thing.

/ Steps back to a safe distance and watches...

February 21, 2006

  • This Story Made Me Spill My Noodles

As on any regular day, this evening after work I settled with a snack (today: Cup-o-noodles) behind the computer for some "light reading" of industry blogs and their related links. This was a safe activity until tonight, when I came across this 180solutions press release, which made my noodles fly all over the place.

Let's for a moment sidestep the disregard for the great research work my colleagues at FaceTime did, and focus on this quote:

However, according to McGraw, the company took the extra measure of requiring each user to re-opt in to the installation a second time, even though proper consent was obtained at the time of first install. "In this case, the re opt in opportunity wasn't required, because the few users who did install our software as delivered in this exploit did so with knowledge and consent," McGraw said. "But it was the right thing to do given the unorthodox and unapproved nature of the installation interface those users encountered."

Now let's read that again.


February 20, 2006

  • Security Measures Broken In Half...

....kind of. There's something of a storm brewing, and it all centers on this writeup by Ben Edelman, and his refusal to hand over the rogue affiliate details to 180 Solutions.

On the one hand, 180 are claiming that their security procedures are fine...on the other, they are essentially making the security researchers a part of their seemingly broken loop. I'm reminded of that old line about not having your cake and eating it, but oh well. You can try, I guess...

As Wayne Porter says on his Revenews Weblog:

Many researchers have done this to help educate the public, law enforcement and the legal eagles, and it has had some effect. However the routine grows stale when Company X utilizes said research to clean up their network and then claim how great they are at making the Internet a better place and being proactive. (These are my words not those of any company I work for.)

Can you almost feel the inflection point shimmering before you in the battlefield air? Can you see the line in the sand being drawn? I can. I think in the future the anti-spyware minutemen will continue to fire volley after volley only instead of giving out the full dose of lead they are going to release only what needs to be released to call attention to the bad behavior and leave the rest in reserve as ammo for the real guns that are slowly pivoting into the battlefield.

Yep. I can see the line in the sand.

February 19, 2006

  • Another Small Piece of the Puzzle- Agree Speed

This vitalsecurity entry took me to an interview the Washington Post did with a botnet herder. It is indeed a bit of a long read, but proved to be worthwhile.

As a spyware researcher, I was always wondering how the botnet operators are able to install all the different pieces of adware onto the victims' PCs without the users being any the wiser. Many of these programs now have "confirmation boxes" which show a EULA that needs to be "agreed to" before installing. For the sake of clarity I will keep the discussion on whether these EULAs actually fulfill their purpose for another place and time. We observed the end-user not seeing anything at all.

My first assumption was that the botnet operators distributed "hacked"/modified versions of the adware package, with that particular screen removed.

I was wrong. Seems like I was applying Occam's Razor at the dull end.

This "pseudo-technical" quote tipped me off that something else was going on:

Once they invade a computer and add it to their botnet, they use automated keystroke codes to order the enslaved machine to click "OK" on installation agreements.

If you are any kind of developer, this should ring a bell. It seems they are using the good old "SendKeys" command, which has been around for years.

In terms of efficiency this sleight of hand makes sense. Instead of having to mess with a resource editor, repackaging and hosting their own modified versions, they merely use the original installer package from the official adware location, launch it, do a "FindWindow" and a SendKeys of a few "OK" clicks. This can be implemented in less than a dozen lines of VBScript.

So it turns out the user gets to "see" the confirmation dialog after all, but only for the time it takes the Windows API to process the requests. On an average computer, that will be less time than it takes to blink an eye. On a slower system, that will be about a quarter of a second, still in the "subliminal message" range. All of this is of course assuming that the user is actually staring at the screen at the exact moment of installation. This could be fairly unlikely, since most of these installations are scheduled to happen unattended in the wee hours of the night.

The adware vendors will, as per standard protocol, claim that there is nothing they can do about this practice.

With that I offer some free consulting advice for those vendors who are actually interested in weeding out the bad affiliates (anybody still listening?). It's easily implemented by a junior developer in a few hours and will earn back its costs many times over in a few days.

Given that your application is already reporting back installations, along with a computer identifier and an affiliate ID (otherwise you would not be able to cut cheques for your affiliates, which is exactly the root of the problem):

- In the confirmation dialogs, note the time when the window opened. Note the time when the "I agree" button was clicked.

- Subtract these measurements, so you end up with a number of elapsed seconds.

- Report this "agree speed" along with the other installation information back to your central server.

- Release this as a new minor version of your application. Don't alert affiliates, just put the package in place of the existing one.

- Run some simple statistics on this speed. If a user agrees to the license agreement in under half a second, he is either a Vulcan on steroids or a bot. Report the affiliate for fraud or the user to SETI. (If the records show that the elapsed time to read and agree to the 3000+ word EULA was still less than 3 seconds, you might still make some cash by reporting the user here or here. But I promised to have that discussion another time.)
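The vendor-side "agree speed" check laid out in the steps above, as an added example in Python (not code from the original post or from any adware vendor); the record layout, the affiliate names, the flagging thresholds beyond the half-second cut-off, and the sample records are all constructed here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Threshold from the post: agreeing in under half a second means a bot, not a reader.
BOT_THRESHOLD_SECONDS = 0.5


def agree_speed(opened_at, agreed_at):
    """Steps 1-2: seconds between the EULA dialog opening and 'I agree' being clicked."""
    return (agreed_at - opened_at).total_seconds()


def make_record(computer_id, affiliate_id, opened_at, agreed_at):
    """Step 3: the install report, extended with the 'agree speed' field."""
    return {"computer_id": computer_id, "affiliate_id": affiliate_id,
            "agree_speed": agree_speed(opened_at, agreed_at)}


def affiliate_stats(records):
    """Step 5: per-affiliate install count and count of sub-threshold agreements."""
    stats = defaultdict(lambda: {"installs": 0, "bot_like": 0})
    for rec in records:
        entry = stats[rec["affiliate_id"]]
        entry["installs"] += 1
        if rec["agree_speed"] < BOT_THRESHOLD_SECONDS:
            entry["bot_like"] += 1
    return dict(stats)


def flagged_affiliates(records, min_installs=3, max_bot_fraction=0.25):
    """Affiliates with enough installs whose share of bot-like agreements is too high
    to be a fluke (these two thresholds are hypothetical; tune them on real data)."""
    flagged = []
    for affiliate, entry in sorted(affiliate_stats(records).items()):
        if entry["installs"] < min_installs:
            continue
        if entry["bot_like"] / entry["installs"] > max_bot_fraction:
            flagged.append(affiliate)
    return flagged


# Constructed sample data: one affiliate whose users take seconds to agree, one whose
# "users" agree in tens of milliseconds, i.e. a scripted click rather than a person.
T0 = datetime(2006, 2, 19, 3, 0, 0)
SAMPLE = []
for i, secs in enumerate([4.2, 9.7, 15.3, 6.1]):
    SAMPLE.append(make_record(f"pc-{i}", "AFF-human", T0, T0 + timedelta(seconds=secs)))
for i, secs in enumerate([0.03, 0.05, 0.04, 2.9]):
    SAMPLE.append(make_record(f"pc-{10 + i}", "AFF-bot", T0, T0 + timedelta(seconds=secs)))

if __name__ == "__main__":
    for affiliate, entry in affiliate_stats(SAMPLE).items():
        print(affiliate, entry)
    print("report for fraud:", flagged_affiliates(SAMPLE))
```

Measuring from dialog open to click keeps the check independent of how the installer was launched, so it catches automated clicks without needing to know which automation tool was used.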

So there, Mr. Adware Vendor, you have it. Using this free advice, you cannot lose. You make money in all cases and you have users who actually want your product.

I am not naive enough to think that this would actually make the vendors refuse the installation - adware is an industry driven by greed. But it will give them a good reason not to pay out the affiliate for the fraudulent installation. Which translates to less money and hence less motivation for the fraudsters.

February 18, 2006

  • When Computers Get Snatched...

...you'd better invest in a bigger set of padlocks. Take this case for instance:

In the six hours between crashing into bed and rolling out of it, the 21-year-old hacker has broken into nearly 2,000 personal computers around the globe. He slept while software he wrote scoured the Internet for vulnerable computers and infected them with viruses that turned them into slaves.

Now, with the smoke of his day's first Marlboro curling across the living room of his parents' brick rambler, the hacker known online as "0x80" (pronounced X-eighty) plops his wiry frame into a tan, weathered couch, sets his new laptop on the coffee table and punches in a series of commands. At his behest, the commandeered PCs will begin downloading and installing software that will bombard their users with advertisements for pornographic Web sites. After the installation, 0x80 orders the machines to search the Internet for other potential victims.

Brian Krebs has a stunning writeup over at Security Fix. A must read.


© Copyright 2006, FaceTime Communications, Inc. All rights reserved.