Christopher Boyd: February 2007 Archives

"These Web sites are just bottomless pits of useful information" for phishers, identity thieves and others, said Chris Boyd, security research manager at FaceTime Communications, an Internet security firm. Raiding them, he said, is the equivalent of "Dumpster diving." Link

A good article regarding the perils of Myspace - some interesting facts and figures, along with this (vaguely worrying) quote:

"MySpace now is trying to hire attorneys and additional security experts to make improvements, Nigam said."

...considering the scope of Myspace, shouldn't this sort of setup already be in place?

You've probably seen a number of articles regarding the case of Julie Amero, a substitute teacher caught in a storm of porn popups and faced with anything up to 40 years in jail. Well, here's an excellent piece of work that details exactly WHY Julie Amero is the victim of a witch-hunt. Never again will you stumble for an answer to the question "why didn't she just turn it off?"...

YouTube is probably the hottest of the so-called "Web 2.0" commodities out there right now - and their recent acquisition by Google won't have done any harm to that way of thinking. Of course, the fact that YouTube allows you to share its content raises the possibility that those files might appear in all manner of strange places.

Well, here's a perfect example of people jumping on the Web 2.0 bandwagon, offering up a (frankly bizarre) "media player" that

a) doesn't actually offer up much media and
b) doesn't play them half the time, either.

A group of files have been seen floating around the eDonkey network, and they offer up some surprising results.

http://blog.spywareguide.com/upload/2007/02/ytplayer5-thumb.jpg

No EULA is displayed - depending on which of the two installers you execute, the program will simply run on the desktop or give you a bare bones installation. You'll then see this:

http://blog.spywareguide.com/upload/2007/02/ytplayer10-thumb.jpg

...the introductory splash page might look interesting, but you'll notice that there are very few buttons on the player, and half of what's there isn't actually clickable. When we continually hear a lot about the "value proposition" of installing X in return for Y, this doesn't bode well, does it? Pressing the "click here to continue" message brings up a "Locating Videos" message, and you'll note the first advert served up inside the player...in this case, an advert that was apparently for the Wall Street Journal but was eventually revealed to be for GoToMyPC (what you see in the screenshot is all we saw before the YouTube clips started to play. Thanks to a reader for the heads up). I don't personally have (much of) an issue with adverts served to me inside an application (as opposed to firing all around the outside of it), but some people might take issue with this, especially as there was no EULA and no indication that there would be adverts at all.

Are these targeted ads? Adverts served up based on browsing history? Region specific? Who knows, as nobody told you. At any rate, the supposed "media content" loads up, and you might be surprised to find....

http://blog.spywareguide.com/upload/2007/02/ytplayer6-thumb.jpg

.....YouTube movies!

Completely bizarre YouTube movies, at that - this example is a strange Lute playing session; another notable clip we saw was a 20 second clip of some guy telling us about his new book:

http://blog.spywareguide.com/upload/2007/02/ytplayer4-thumb.jpg

....though the clip is in Italian, the translated version is that he's talking about his new work, "Experiments in Temporary Happiness", a "passionate romantic novel" apparently. There's no indication that either of these two has any involvement with the player - it seems these are just two random movie files that happened to play more than most - but you can learn more about the book-writing guy's work here.

Putting aside our foray into the world of romantic literature, you might find yourself disappointed if you're expecting a constant stream of YouTube clips. Apart from the fact that an avid YouTube fan would simply....go to YouTube to watch them in the first place, this program only ever seemed to serve up one of the two clips mentioned above. Sometimes we'd get a flurry of other clips before it died out, but half the time, our research team couldn't even get the movies to play. Geographical targeting, perhaps?

Underneath the movie panel, you'll note three icons - one takes you to an online backgammon site, one takes you to a scratch card game and the other provides you with the option of logging into the Skype website. Why? No idea. That's just the way this thing rolls!

Beside the icons, a banner says "powered by Hobby-Tent.com". However, the truth is a little stranger than that. A site called Zapu.com provides "net acceleration" services, and also offers a toolbar that does much the same thing.

Why is Zapu relevant?

Because they're hosting the text served up by the media player:

http://blog.spywareguide.com/upload/2007/02/ytplayer1-thumb.jpg

In addition, Zapu also hosts some of the smaller image files such as the "powered by hobby-tent" banner.

Exploring Hobby-Tent

This is where it gets really interesting. Hobby-Tent is a site that links to a bunch of YouTube movies - aside from that, it's stuffed full of adverts designed to generate income.

http://blog.spywareguide.com/upload/2007/02/ytplayer7-thumb.jpg

The site is currently down, but for some strange reason, there IS one directory still available:

ytplayer8.jpg

..."Papa Player"? What on Earth could that be? Oh well, let's download it and take a look....

http://blog.spywareguide.com/upload/2007/02/ytplayer9-thumb.jpg

Still no product specific EULA, but this time we do have an agreement for WhenU. Ironically, the version of this media player NOT circulating in P2P networks doesn't actually work, as you can see from the below screenshot. Note the "page not found" message, as the program attempts to pull up the "Thank you for using our hottest web videos personal player" text and fails miserably - again, from Zapu.com:

http://blog.spywareguide.com/upload/2007/02/ytplayer12-thumb.jpg

So far, then, we have THREE different versions of a "media player", THREE websites involved in distribution and / or hosting the various pieces that make up the whole (we cover the final site below), TWO YouTube movies that made no sense whatsoever (though they made a lasting impression!) and ONE adware vendor caught in the middle of it all.

There's still one piece of the puzzle left....

DV-Networks.com

Remember the three clickable links in the media player that took you to scratch card games, Skype and backgammon? Well, clicking those links would redirect you to your destination via a site called DV-Networks.com. Visiting the site gives you a holding page, claiming it will redirect you to a site called "Iportent.com", though this never actually happens.

However, some quick digging later and you'll find the below - a bunch of icons, possibly related to some other program, that take you to sites related to "free international calls" and "PC Tune ups". It's the final image that interests me, though:

http://blog.spywareguide.com/upload/2007/02/ytplayer13-thumb.jpg

...note the link to Zapu.com from the final icon, and the alt text..."Hottest Web Videos", which is the name of the media player. Clicking that link takes you to this page, which seems to be a holding area for numerous streamed movie clips from sites similar to YouTube:

http://blog.spywareguide.com/upload/2007/02/ytplayer14-thumb.jpg

...are these clips supposed to stream via the Media Player too? It's hard to say, though for now it looks like YouTube is the primary focus.

Why is DV-Networks.com particularly interesting? Well, a quick Google didn't reveal much about the site....however, this link is particularly interesting. It's a forum post on SpamCop relating to an application that caused some consternation amongst the users:

3. There are discrepancies regarding the name of the person behind this software. On the referenced website, his name is given as "Barak Abutbul" and yet in the domain name registration, it appears as "Barak Avitbul." My knowledge of Hebrew is limited, but I don't think that sort of discrepancy is due to transliteration issues...he gave the name differently in different situations. For example, he posted information about another of the "MinuteGroup" programs (VCatch) at Winsite, using the "Avitbul" version of his name:

http://www.winsite.com/bin/Info?4754

4. The two partners listed on the "minutegroup" site apparently have had some other joint projects. Here's a mockup of their "DV Networks" site I found on the site of the company that designed the "minutegroup" site:

http://www.121webdesign.com/customers/dvnetworking/

However, when you go to:

http://www.dv-networks.com/

you'll see that this operation is no longer active at that URL, in that it displays a logo for "IPortent" and says "Formely [sic] DVNetworks."

Now, if you check out the About Us page on the Zapu site, one of the founders is named as...Barak Abutbul. The forum post continues:

"5. If you Google "Barak Abutbul," you'll find some rather disturbing references to this man as being part of a group of hackers (or crackers?) who were charged with breaking into computers at the "Pentagon, US Navy, NASA, MIT, Harvard, Yale, Cornell, Stanford, the Israeli Parliament. Hacked two Israeli ISPs obtaining names and passwords of subscribers." The news articles say that Abutbul reached a plea agreement in exchange for testifying against the others."

...is this the same individual? Certainly, Googling the name does indeed return some incredibly troublesome results. Check out the data from a packet capture as the player installed and phoned home:

http://blog.spywareguide.com/upload/2007/02/ytplayer15-thumb.jpg

...note the name "baraka" highlighted in red.

If it's not the same person, it's certainly a strange collection of chance happenings and coincidences. At any rate, I'd be very wary about using this media player - especially as quite a few other vendors detect this particular file:

http://blog.spywareguide.com/upload/2007/02/ytplayer24-thumb.jpg

"Experiments in Temporary Happiness"? In this case, I'd say that's an entirely appropriate description...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Technical Research: Peter Jayaraj, FSL Threat Researcher
Supplemental / E-Commerce Research: Wayne Porter, Senior Director Special Research

Microsoft have had their hands full these past few days, trying to eradicate rogue adverts appearing on banner ads served up via MSN Messenger. Here's the original writeup on this, and here's some coverage in the news with a line or two from yours truly...

An interesting interview with FTC Chairman Deborah Platt Majoras. However, compare and contrast with the reaction to Direct Revenue being fined just $1.5 million:

FTC Commissioner Jon Leibowitz, the sole vote against the settlement, said the $1.5 million fine "is a disappointment because it apparently leaves Direct Revenue's owners lining their pockets with more than $20 million from a business model based on deceit."

...is it just me, or should more people be thinking the same thing as this guy?

Chinese Adware: Coopen

Here's an interesting one - apparently from a Chinese Trojan bundle, "Coopen" places a media tool on your desktop, which rotates between desktop backgrounds and screensavers. At least your desktop hijack will be a visually striking multimedia experience!

http://blog.spywareguide.com/upload/2007/02/coopn5-thumb.jpg

That's not all, however - the Coopen media player is really only the introductory salvo. From the same bundle, your desktop will end up with a non-closable box on it, which you can only kill off using Task Manager:

http://blog.spywareguide.com/upload/2007/02/coopn1-thumb.jpg

The box itself mostly serves up an endless stream of high bandwidth adverts that seem to do nothing other than promote short movie clips and streamed video:

http://blog.spywareguide.com/upload/2007/02/coopn2-thumb.jpg

There also seem to be a lot of popups from what appears to be some sort of social networking / blogging site:

http://blog.spywareguide.com/upload/2007/02/coopn3-thumb.jpg

You can read more about Coopen here. Although Coopen itself is not particularly high risk - it's a media program rotating screensavers - it does illustrate how complicated things will be for researchers in the West as more of these programs start to appear. In a case like this one, the researcher might not even know if the popup box is related to Coopen or to a different part of the same Trojan hijack. Is it adware? Spyware? Malware? All one program, or different components doing different things (as is the case here)? Is the intent behind it malicious, or is it supposed to serve some useful purpose? How do we track the money streams? Will we be able to penetrate the networks behind the scenes and work out who the key players are? Most importantly, what do we do when faced with a EULA containing six million Chinese characters?

Tough questions, and no easy answers in sight...

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: CC, and Chris Mannon, FSL Senior Threat Researchers

While recently in Spain (doing a sort of QA session on the latest spyware threats), I was surprised to find they wanted a short video session too, so here it is. Nothing technical - just an entry level ramble about basic protection, the risks of unsafe Instant Messaging and a bunch of other stuff.

Botnet Basics

Just in case you're not too familiar with the basics of what a Botnet actually is, you might want to check out this video over at EWeek. It's about five minutes long, and a nice introduction to all things Botnet.

RSA 2007: Botnet Live

The dust has settled from RSA 2007, and it was standing room only as Wayne Porter and I explored the methods of shutting down botnets by dealing with details outside of the botnet itself - in other words, tackling the human angle as opposed to server details, to have a bigger impact on the bad guys.

Crowd at Botnet Live with Wayne Porter and Chris Boyd at RSA

I believe the total audience was around four hundred people - thanks to all that came along, and also many thanks to the FaceTime research team who do an awful lot of work behind the scenes.

We provided a brief overview of the current Botnet hunting landscape, some top tips for getting stuff shut down when it's located in some far flung corner overseas and (most importantly), two case studies that illustrate the ways in which we use social media and storytelling to further the reach of our security tales, and spread the word on anything bad that happens to be going down at the time.

Wayne Porter handles this heavy quote - where you probably can't get a tee-shirt.

Featured heavily were the Carder Botnet, and the Q8 Army Botnet.

In both cases, the Botnet itself was only the skeleton upon which we built an intricate weave of research and storytelling. We used all the borderline elements around the outskirts of each Botnet to build up an (almost) complete picture of the people behind it, and get something done about it. We also explored the idea that without even knowing it, one investigation can cause quite the fallout in completely unrelated areas and take down whole groups of people quite unintentionally.

There was a whole bunch of material here that wasn't published first time round - there were numerous reasons for this, but going into them would probably mean some guy would try and kill me with cheesewire, and it'd all go a bit Jason Bourne on you.

Of particular note was the custom built Q8 Army mIRC Tool. It had all sorts of crazy options built into it, and by and large they all did vaguely nasty things. We were also able to (finally) show many of the Q8 Army sites that we came across during the course of the original investigation. Many of these sites popped up on (or around) September 11th, 2001 - and yes, you can probably guess the kind of things they contained.

Dangerous botnet tools

In addition, we tracked these guys back to 2001 (or thereabouts), where they were apparently stealing credit card information to purchase things like satellite equipment, radio / telecommunications gear and second hand PCs. What they intended to do with all that stuff, we can only speculate - but the implications are pretty disturbing, aren't they?

Once again, thanks to everyone who turned up, those who threw in some questions at the end and anyone who came up and said hello.

Wayne Porter and Chris Boyd aka Paperghost

We had a blast and hopefully we'll be let loose on you all over again.

For further coverage, check out EWeek - Botnet Stalkers Share Takedown Tactics, Affiliate Fair Play, RealTechNews and MCWResearch (from Finland), with more to come.

With only hours to go until our presentation on all things Botnet, we present a small collection of images from our time in and around the conference area...

http://blog.spywareguide.com/upload/2007/02/PIC_0101-thumb.jpg

....well, it's traditional to grab a snap of the entrance or something, right? Only problem is, I think this might actually be the back door. What can I say, my map was upside-down...

http://blog.spywareguide.com/upload/2007/02/PIC_0102-thumb.jpg

One vendor had an artist fully decked out in Renaissance clothing, and he was pretty good with a pencil too. I know these things, I have an Art degree.

http://blog.spywareguide.com/upload/2007/02/IMG_7063-thumb.jpg

This is Bong Su, location for a FaceTime sponsored event handily located right by the Conference building....

http://blog.spywareguide.com/upload/2007/02/IMG_7076-thumb.jpg

......and the carnage within!

About this Archive

This page is an archive of recent entries written by Christopher Boyd in February 2007.