Christopher Boyd: August 2006 Archives

Quite often, you'll come across a website that's been hacked and admire the no doubt humorous picture, comical text and "advice" given to the site Admin as little more than a harmless prank and something to be filed away on a hacked site archive. Well, beware, because many of those "hacked site" archives don't clean up the pages beforehand - you'll likely be hit with something nasty if the hacker decided to put something evil there. And wouldn't you know it, we have one such example for you coming up.

An individual under the alias of SnIpEr_SA is currently making his way through as many domains as he can handle (currently up to 25+ in the last ten days, which thankfully isn't very prolific) and leaving a little "present" for anyone unlucky enough to view his pages while using IE:
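The warning above about defacement archives that re-host a hacked page without cleaning it applies to anyone who mirrors captured HTML for later viewing. As an added example (not code from the original post or from FaceTime), here is the kind of stripping such an archive should do before serving a captured page: script, iframe, object and style bodies are removed, inline event handlers and javascript:/vbscript:/data: URLs are dropped, and an audit trail records what was taken out. The sample defacement page at the bottom is constructed for the demo and its domains are placeholders.

```python
import html
import re
from html.parser import HTMLParser

# Elements whose whole body is active content: dropped together with everything
# up to their closing tag.
CONTAINER_TAGS = {"script", "iframe", "object", "applet", "style", "frameset"}
# Void-style elements that load or reconfigure content: the tag itself is dropped.
VOID_TAGS = {"embed", "frame", "meta", "link", "base"}
# Attributes that carry a URL and so can smuggle a script: or data: scheme.
URL_ATTRS = {"href", "src", "action", "background", "data", "formaction", "poster"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:")


def _has_bad_scheme(value: str) -> bool:
    # Strip whitespace/control characters so "java\tscript:" is still caught.
    compact = re.sub(r"[\s\x00-\x1f]", "", value.lower())
    return compact.startswith(BAD_SCHEMES)


class DefacementSanitizer(HTMLParser):
    """Rewrites a captured page so it can be displayed without running it."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.skip_depth = 0   # >0 while inside a dropped container element
        self.removed = []     # audit trail of what was stripped

    def _emit_tag(self, tag, attrs, self_closing):
        if tag in CONTAINER_TAGS:
            if not self_closing:
                self.skip_depth += 1
            self.removed.append(tag)
            return
        if tag in VOID_TAGS:
            self.removed.append(tag)
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):            # onload=, onerror=, ...
                self.removed.append(f"{tag}@{lname}")
                continue
            if lname in URL_ATTRS and value and _has_bad_scheme(value):
                self.removed.append(f"{tag}@{lname}")
                continue
            if value is None:
                kept.append(lname)
            else:
                kept.append(f'{lname}="{html.escape(value, quote=True)}"')
        attr_text = (" " + " ".join(kept)) if kept else ""
        self.out.append(f"<{tag}{attr_text}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag in CONTAINER_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        # Dropped entirely: IE conditional comments can carry script.
        self.removed.append("comment")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def sanitize(page_html: str):
    """Return (cleaned_html, list_of_removed_items)."""
    parser = DefacementSanitizer()
    parser.feed(page_html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample of a defaced page: the visible taunt plus hidden payload
# carriers of the kind the post warns about (placeholder domains, dummy code).
SAMPLE_DEFACEMENT = (
    "<html><body><h1>Hacked by example_crew</h1>"
    "<img src=\"owned.gif\" onerror=\"alert(1)\">"
    "<iframe src=\"http://payload.example/x.html\" width=0 height=0></iframe>"
    "<a href=\"java\tscript:void(0)\">admin, fix your site</a>"
    "<script>document.write('<img src=http://payload.example/c.gif>')</script>"
    "</body></html>"
)

if __name__ == "__main__":
    cleaned, removed = sanitize(SAMPLE_DEFACEMENT)
    print(cleaned)
    print("stripped:", removed)
```

The sanitizer fails closed: an unclosed `<iframe>` or `<object>` swallows the rest of the page rather than letting any of it through, which is the right trade-off for an archive whose only job is to show the taunt text and picture.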

It's not often you find an affiliate of WhenU doing something that could be viewed as out-and-out deceptive, so this is a very interesting find indeed, especially considering that, according to our Sr. Director of Greynets Research, Wayne Porter (who specializes in online economic models), they do not have affiliates, at least not in the "traditional sense". His answer upon a quick analysis of the initial research:

"It is a given WhenU has made a number of improvements from their past practices, and that is critical for setting an example. However, we take history into account and also look at what we see today. You will note they proclaim quite clearly, "No affiliate distribution, because it's impossible to police." This is wise. WhenU understands unchecked partner models lead to dangerous relationship sprawl and in the end you tar and feather your own brand and hurt people.
What is strange is the next bullet point: "All distribution partners are monitored and must adhere to our strict guidelines; zero tolerance for infractions." (Porter notes this link here.) I would have to ask, from a commerce perspective - how do they monitor them, how do they vet them, what metrics are used to determine inappropriate and appropriate behavior and what is the difference between affiliate and partner? This case seems to be confusing to the end user - is this acceptable? Is this the experience they demand of their partners?
In this case the distribution partner does not appear to be an affiliate per the classic definition. I think it is a good question and would welcome dialogue from Bill Day on how they differentiate between an affiliate and a distribution partner. Clearly the program is being distributed via third parties and one would reasonably assume on cost-per-action or a split revenue basis, or a hybrid deal - that part remains unclear - but the revenue model drives behavior - we know that from field research. If Bill Day is willing to participate I am willing to prepare some questions for him if he would like to go on record about the policies and the reality of how they are put into action. The usual rules of engagement for dialogue of course."

Back to the case at hand...

During research my colleague Peter was probing for Myspace-themed files in P2P land, and while using Bearshare, he came across a file called "Myspace". A movie file, no less. Would it contain Emo kids singing in a garage? Thirty-somethings complaining because none of their friends use Myspace to network?

Nope. In fact, the answer is a little stranger than that. First of all, check out the nice popup you see when firing up the movie for the first time:

...wait, DRM*? Isn't that what we kept hearing about during the Zango / Myspace fiasco? Could this mean some type of "software" is on the way? It sure could...

At this point, I'm sure of two things:

1) The Adware involved in this case is WhenU
2) I have absolutely no idea what "ETE" is, nor why I would want it.

Still, the file is called "Myspace" and we all know Myspace is cool, right? So a Myspace moviefile is going to be even cooler. Isn't it?

Well, no.

This is where things get really confusing for the end-user, because so far they have:

* Gone onto a file sharing network and downloaded a movie file called "Myspace"
* Been presented with a DRM popup relating to WhenU Adware, and told this is needed to install "ETE" despite not being informed of what ETE actually is. Note the popup mentions the install is from a website, when it's clearly from P2P.

At this point, pressing the Continue button will prompt the end-user to download an executable file:

Eventually (after a period of complete inactivity on the desktop), you see this:

...and we finally discover what ETE is - some kind of free entertainment center. Great, except it doesn't even appear to be on the system. Maybe it's one of those new invisible models I've heard so much about? Perhaps they have Romulan cloaking technology or something.

Anyway - after giving up looking for the mystical "ETE", the confused end-user will run the moviefile. They're presented with....the adultfriendfinder website and, er, some dancing bacon. Seriously:

Why? No idea. Anyone see what this has to do with Myspace yet?

Our motto at the FaceTime lab is to try not to leave any stone unturned, so I wasn't prepared to let this mystery go. After some digging, it turns out that ETE is not a standalone application - it's actually a website:

This site lets you download applications from another site (Binartisan). According to a Whois lookup, both sites are registered to someone in Taiwan. The download section of the Binartisan site contains many, many installers for games, screensavers and other programs:


Most of these are WhenU installers - it doesn't take a great leap of the imagination to realise that the affiliate, or partner (depending on nomenclature) here is likely the same person distributing these files in P2P land under the name "Myspace". Of course, naming them after the number one Social Networking site on the web (when the files themselves have absolutely nothing to do with Myspace) is altogether more problematic. Some might even call it deceptive.

I think I'll suggest Wayne add that to his question list.

*Notes on DRM: Any technology used to protect the interests of owners of content and services (such as copyright owners). Typically, authorized recipients or users must acquire a license in order to consume the protected material (files, music, movies) according to the rights or business rules set by the content owner.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
File Discovery: Peter Jayaraj, FSL Threat Researcher
E-commerce Policy Research Evaluation: Wayne Porter, Senior Director Greynets Research.

A passing bird tells me we should all read this PDF Document - inside, you'll find details on a rather nasty threat which leaps into action from a domain called - you guessed it - Gromozon. Inside the document, you'll see descriptions of how the threat works in relation to different browsers, what you can expect if you get infected and some information on how to attempt removal.

A great piece of work - make sure you check it out.

Kevin Mitnick Hacked

Well, not Kevin himself, but his website. Pakistani hackers took it upon themselves to have a bit of fun at his expense and defaced his homepage. Kevin (who shot to "fame" for rather dubious reasons... see here) has been hacked before, and I'm guessing this won't be the last time. After all, it's an easy way to bump up your bragging rights...

...that is, a noble tradition of products you'd probably rather not have on your PC! Building on the success of various other supposed "security products" that arrive on the back of a hijack, VirusRescue is causing something of a stir at the moment across the various security blogs out there.

My take on this here - you can see posts from Security Cadets here and here (particularly entertaining as a rep from VirusRescue posted there) and what is possibly the first mention of this new "product" here (courtesy of Security Ticker). It'll be interesting to see if their spokesperson makes any more appearances...

Yesterday, the CDT published an interesting summary of their opinion on the war against Spyware. Particularly good reading if you couldn't work your way through their last "Following the Money Trail" PDF!

The message is clear (and it's one we hear all the time, so I won't bother repeating it word for word) - we're making some good progress, but there's a long way to go until we have a firm handle on this particular problem...

Zango haven't been out of the news recently - we've seen Myspace, Warner Brothers and the CDT (Center for Democracy and Technology) all added to the mix and the end-result is probably as fatiguing for the reader as it is for the people writing about it!

However, yet another tale has come to light, and it's not a particularly pleasant one. A pornographic website promoting videos provided by Zango (a pornographic website which, it should be noted, appears in many PC hijacks as you can see here) seems to be attracting visitors by means of a dubious keywords scam.

What's happened is that numerous websites have been set up, stuffed with keywords of an incredibly disgusting nature, that redirect you to the Zango content. A list of keywords has been collected in PDF format by Sunbelt Software. Be warned - it is not pleasant.

You can see thoughts on this from Suzi Turner, Sunbelt and myself.

I'm sure more will be adding their thoughts on this in due course...

Our team has discovered a rather nasty little program currently in circulation relying on trickery and the desire to obtain "secret" information to get itself installed. Once onboard the machine, it has the potential to steal banking information, drop you into a Botnet and generally give you a very bad day as your computer becomes a drone controlled by an unknown botmaster.

The vector of attack appears to be focused in the chat realm - across AIM Chat, IRC Chat and regular web-based chat. The link usually looks like this:

Hi, have you ever wanted to sign on your buddies AOL Instant Messenger screen name, but never had the password? Well there has been a new break in the AIM servers that is allowing this vital information to be revealed. check the pro for more info!

Clicking the link takes you to the below website:

The download link to the infection file has now changed (though the application "homepage" is still the same), but a quick check of where the file was being called from would hopefully have set some alarm bells ringing:

As you can see, the attackers are hosting numerous dubious sounding files, including a jpeg.exe and "Windows.exe" - otherwise known as the Feldor Trojan.

After installing the program, it reboots your computer and, as you can imagine, deposits a number of files you would rather not want on your system. However, the average end-user probably wouldn't think to check what's been placed in their System32 Folder. They'll enter the desired AIM Contact Details, run the tool and...

...they'll be told that AIM has "fixed the vulnerability" in their software. Sounds convenient. Sadly, uninformed users will probably shrug and forget about the program altogether. This would be a mistake. Let's take a quick jump over to the System32 Folder...


You can see Windowsxp.exe - a banking Trojan, and the previously mentioned Windows.exe process. In case you're wondering, the AIM Screen Name Hacker's uninstaller does actually work, but (thoughtfully) leaves the infection files behind.

As a parting thought, it's worth noting that depending on which version you happen to download and install, you may well find your PC turned into a Botnet drone. As always with a program like this, it's worth remembering...if it looks too good to be true, it probably is.

Remember chat programs can harbor threats just as dangerous or more so than what you see on the Web. Keep your guard up and don't click on links in chat programs or chat rooms or run programs of a dubious nature- especially if you don't know the buddy you are chatting with. Even if you do know them that doesn't make it 100% safe either, as many programs rely on the "circle of trust" dynamic to do their dirty work and spread their mayhem.

Key Terms To Learn: Botnet, Drone, Chat Rooms, Trojan

Research and Blog Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, FSL Threat Researcher
Secondary Research: Wayne Porter, Senior Director Greynets Research
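The post above makes the point that the dropped files sit in the System32 folder, where an ordinary user never looks, and that the "uninstaller" leaves them behind. The check a practitioner would want is a baseline of that folder taken before running anything untrusted, compared against a second snapshot afterwards. The following is an added example, not code from the original post or from FaceTime: a hash-based snapshot/diff that works on any directory. The demo runs in a temporary folder standing in for System32 with dummy files; the names "Windows.exe" and "Windowsxp.exe" are taken from the post, their contents are constructed placeholders, not real samples.

```python
import hashlib
import os
import sys
import tempfile


def snapshot(root: str) -> dict:
    """Map each file under root (path relative to root) to its SHA-256 hex digest."""
    seen = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            seen[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return seen


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify what changed between two snapshots of the same directory."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def demo() -> dict:
    """Constructed walkthrough in a temp dir standing in for System32."""
    with tempfile.TemporaryDirectory() as root:
        # Baseline: a couple of files that belong there (dummy contents).
        for name in ("kernel32.dll", "notepad.exe"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"placeholder legitimate binary " + name.encode())
        baseline = snapshot(root)

        # Simulated infection: the two dropper names from the post, plus one
        # existing file that has been tampered with. All contents are dummy bytes.
        for name in ("Windows.exe", "Windowsxp.exe"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"constructed dummy payload " + name.encode())
        with open(os.path.join(root, "notepad.exe"), "ab") as fh:
            fh.write(b" patched")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Real use: compare a saved baseline directory listing against the live one.
        # Here both arguments are directories; persisting the baseline hashes to a
        # file between runs is left as the obvious next step.
        print(diff_snapshots(snapshot(sys.argv[1]), snapshot(sys.argv[2])))
    else:
        print(demo())
```

The point of hashing rather than comparing names or timestamps is that an overwritten system file shows up under "modified" even when its name and size are unchanged, which is exactly what a name-squatting dropper relies on going unnoticed.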

Quicktime's "HREFtracks" feature (a method used to embed URL links into moviefiles that will open at a specific point in time) is being used by an enterprising individual to pop open adverts for adult dating services from movie files obtained via P2P Networks. The HREFtrack feature contains URL information that can be opened interactively or automatically, and in this case, files found on the Gnutella network are using this functionality (here's an example of someone getting hit while using Limewire). From the Quicktime site:

An HREF track is a special type of text track that adds interactivity to a QuickTime movie. HREF tracks contain URLs that can specify movies that replace the current movie, load another frame, or that load QuickTime Player. They can also specify JavaScript functions or Web pages that load a specific browser frame or window.

In the example we have below, the movie file is called "Sex Monica Bellucci Malena". Of course, opening the movie up reveals something entirely different - what appears to be someone dancing to music:

About three quarters of the way through the clip (once it hits the "trigger"), an affiliate link for pops open via your browser (in this case, Firefox):

The observant people out there will have noticed the videoclip in the above screenshot is still at the start - that's simply because by the end of the clip, most of her clothes have fallen off. If you wind the videoclip back and forth with your mouse, you'll continue to repeatedly pop open the same advert manually as you scroll. Of course, the HREFtrack feature is simply doing what it's supposed to do - the interesting thing here is the possibility for someone to use it in a more malicious way. You could pop open a link to a drive-by website that tries to install software without the end-user's permission, or how about a fake "promotional video" for a bank that pops open a "security check" Phishing page? There's a lot of possibilities with this one, and we should probably be thankful that people are currently only using this to spam affiliate links. It probably won't be long until someone pushes the leet hax0r button and things start to go pear-shaped...

Blog Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Vinayak Palankar, Software Engineer
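Since the HREF track is doing exactly what it was designed to do, the defensive question is how to tell, before a clip is opened, whether it carries auto-opening links at all. The following is an added example, not code from the original post or from FaceTime: a small scanner that walks the QuickTime atom tree, notes any text track (handler subtype 'text') and any track named "HREFTrack", and pulls URL links out of the media data, distinguishing the "A<url>" form that opens automatically from the plain "<url>" form that only opens on a click. The atom layout, the hdlr field offsets and the angle-bracket/"A" prefix syntax follow my reading of Apple's QuickTime file format and HREF track documentation and are assumptions here; the movie at the bottom is constructed to stand in for the P2P clip, and its domains are placeholders.

```python
import re
import struct

CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta"}
# HREF track syntax (assumed from Apple's docs): a URL in angle brackets, an
# optional leading "A" meaning "open automatically when this sample is reached",
# and an optional T<target> naming the browser frame or window.
HREF_RE = re.compile(rb"(A?)<([a-zA-Z][a-zA-Z0-9+.-]*://[^<>\s]+)>(?:\s*T<([^<>]*)>)?")


def atom(kind: bytes, payload: bytes) -> bytes:
    """Serialize one atom: 4-byte big-endian size (header included) + type + payload."""
    return struct.pack(">I", 8 + len(payload)) + kind + payload


def iter_atoms(data: bytes, offset: int = 0, end=None):
    """Yield (type, payload) for the atoms in data[offset:end]; fails closed on bad sizes."""
    end = len(data) if end is None else end
    while offset + 8 <= end:
        size, kind = struct.unpack_from(">I4s", data, offset)
        if size == 0:                      # atom extends to end of the data
            size = end - offset
        if size < 8 or offset + size > end:
            raise ValueError(f"bad atom size {size} at offset {offset}")
        yield kind, data[offset + 8: offset + size]
        offset += size


def walk(data: bytes, path=()):
    """Depth-first traversal yielding (path, type, payload) for every atom."""
    for kind, payload in iter_atoms(data):
        here = path + (kind,)
        yield here, kind, payload
        if kind in CONTAINER_ATOMS:
            yield from walk(payload, here)


def scan_movie(data: bytes) -> dict:
    """Report text tracks, an HREFTrack name, and every URL found in media data."""
    report = {"text_tracks": 0, "href_track_named": False, "links": []}
    for path, kind, payload in walk(data):
        if kind == b"hdlr" and path[-3:] == (b"trak", b"mdia", b"hdlr"):
            subtype = payload[8:12]        # version/flags, component type, then subtype
            if subtype == b"text":
                report["text_tracks"] += 1
        elif kind == b"name" and path[-3:] == (b"trak", b"udta", b"name"):
            if payload.strip(b"\x00") == b"HREFTrack":
                report["href_track_named"] = True
        elif kind == b"mdat":
            for auto, url, target in HREF_RE.findall(payload):
                report["links"].append({
                    "url": url.decode("ascii", "replace"),
                    "auto_open": auto == b"A",
                    "target": target.decode("ascii", "replace") if target else None,
                })
    # A link that opens by itself part-way through the clip is the behaviour
    # described in the post; flag the file on that alone.
    report["suspicious"] = any(link["auto_open"] for link in report["links"])
    return report


def text_sample(text: bytes) -> bytes:
    """QuickTime text sample: 16-bit big-endian length followed by the text."""
    return struct.pack(">H", len(text)) + text


def build_sample_movie() -> bytes:
    """Constructed stand-in for the P2P clip: a text track named HREFTrack whose
    third sample auto-opens an affiliate URL (placeholder domain)."""
    hdlr = atom(b"hdlr", b"\x00\x00\x00\x00" + b"mhlr" + b"text" + b"\x00" * 12 + b"\x00")
    trak = atom(b"trak", atom(b"mdia", hdlr) + atom(b"udta", atom(b"name", b"HREFTrack")))
    mdat = atom(b"mdat",
                text_sample(b"") +
                text_sample(b"") +
                text_sample(b"A<http://dating-affiliate.example/?aff=1234> T<_blank>") +
                text_sample(b"<http://www.example.org/credits>"))
    return atom(b"ftyp", b"qt  \x00\x00\x00\x00qt  ") + atom(b"moov", trak) + mdat


if __name__ == "__main__":
    print(scan_movie(build_sample_movie()))
```

The scanner deliberately reads the whole mdat rather than following the sample tables, so it will also catch a link in a track whose table entries have been mangled; the price is that it cannot say at what time offset the link fires, only that an auto-opening link is present.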

About this Archive

This page is an archive of recent entries written by Christopher Boyd in August 2006.
