Christopher Boyd: February 2009 Archives

There's been quite a bit of action on Facebook the last couple of days, and none of it good from the looks of things:

err1.jpg
err2.jpg
err3.jpg

As you can see, there's been an application doing the rounds called "Error Check System" causing problems for lots of people.

A quick observation before going on - the name sounds an awful lot like the names given to rogue security programs, doesn't it? When I heard about this, I was convinced it'd pop open a rogue antispyware cleaner once installed as an application. Anyway... on your notification panel, you'd see this:

err4.jpg

A message that one of your friends "faced some errors" checking your profile. If you clicked "View the Errors", you'd be taken to an application installer page.

err5.jpg

Once installed, the application bombarded your friends with invites to use it.

Over....and over......and over again.

It seems Facebook has since killed the application off - it no longer exists (for the moment!) to install on your profile. Interestingly, the creators kept putting it back online under different Facebook application URLs until Facebook killed it off completely.

Beyond the incredibly annoying spam and a couple of dubious behaviours (many people report the app not showing up on the page where you'd remove applications, and others claim it installed without their ever hitting "Activate"), it doesn't appear to have done anything too malicious.

However, Josh Lim covered this on his blog and I can't help but notice.....again.....well, check out this portion of his screenshot:


err0.jpg

Ignoring the "Fake!" he pasted over the logo, how similar to rogue antispyware tool stock graphics is that? I'm pretty sure I've seen that exact graphic used on a rogue tool / advert before, but of course there's so many of them around it would take a little while to confirm. If anybody wants to play "match the graphic to the rogue" in the meantime, be my guest!

Even more curious, someone (as if by magic) has poisoned the search results so that anyone searching for "Error Check System" in Google will see this as the top entry:

err00.jpg

Click it, and you're taken to an extremely aggressive set of rogue antivirus download pages.

errrr.jpg

So even though the "threat" of Error Check System on Facebook has fallen by the wayside (until they come back, of course), you'll need to be careful if you go looking for more information on this particular incident over the coming weeks...

Let's take a look at

Mygamesfile.com

....a website that promises much, and delivers little.

You may have seen these adverts in circulation on ad networks recently:

hl2.jpg


fall3.jpg

Snap5.jpg

In each case, the advert promotes a popular videogame - most notably Half Life 2 and Fallout 3 in the above examples. The adverts are pretty clear - a picture of said game, and "Free, Legal". It seems reasonable to expect a deal has been made to allow you to obtain the advertised titles for free, legally.

Of course, it's all about to go horribly wrong.

Visit the site, and you quickly notice a few things - many 404 errors, pages that loop back on themselves and a lot of this:

lorem.jpg

...hmmm. Moving swiftly on, we can see elements of the site are starting to slip from "reasonable" to "slimy". Namely, this:

Snap1.jpg

"Download Half Life 2" sits proudly at the top of the page - at this point, you'd expect the full game, wouldn't you? Especially as beneath the Download button sits a number of green bars with "Server Load" written on them - each showing a different percentage. You would think this is further evidence of the site pushing out large sized downloads of the full game - imagine your dismay, then, when you shortly discover the "Server Load" graphics are entirely fake and don't represent anything at all.

Hit the Download button, and you'll see this:

Snap22.jpg

An install prompt for Zango, pre-ticked (of course) and also giving you the option to have "free ShopperReports", whatever that is. Without installing this, you have no way to access the wonderful free game download waiting for you on the other side.

So you accept the prompt, and install Zango & company on your PC in return for the promise of a "free game".

What do you get?

Snap4.jpg

A CNET download page offering up the Half Life 2 demo of ONE LEVEL is what you get. You can't even play it unless you install Steam and create an account.

Yes, you've just been taken for a ride.

Even better than that, the site owner (who registered the URL anonymously, of course) can't even be bothered to offer up the correct downloads. The second advert in this article clearly shows Fallout 3, and the Fallout 3 "download page" says this:

Fallout 3 is the third game in the great Fallout Series. It is a single player RPG action game that takes place in Washington DC, following a nuclear war. 200 years after the war, survivors live safely in a fallout shelter named Vault 101. When you find that your father has inexplicably left Vault 101, you follow him to the outside world. A world filled with Super Mutants, Giant Insects, Raiders, and Slavers.

Fallout 3 allows you to explore the entire former city of Washington with near limitless freedom. The game can be played from either 1st person, or 3rd person perspective, and the course you take throughout is entirely up to you.

On top of all this, Fallout 3 renders its environment in eye popping graphics. Every explosion, every character, and every piece of scenery is displayed in full HD, creating a really powerful experience. This is definitely a game that must be played.

Download Fallout 3 now! Just click start on the next page.


Sounds awesome, doesn't it? Imagine the look on your face, then, when you've installed Zango, been taken to the download page and....

fall4.jpg

...you're offered a PROTOTYPE from 2003 that doesn't even resemble the game eventually released last year. It's so far removed from the promised game it's not even funny:

"While playable, Van Buren is a pre-alpha tech demo, never intended for public consumption. Many features, including combat, aren't fully implemented, the graphics are very basic, and it is extremely buggy. It also has no connection whatsoever to the Fallout 3 project currently being developed by Bethesda."

What's particularly humorous here is that their adverts say "MyGamesFile does not host or link to illegal software". However, if you read how this "not for public consumption" demo was made available in the first place....

"Oddly enough, one day after putting a tooth I lost during a biking accident under my pillow, I woke up and found a CD under my pillow. Putting it in my computer, I found out it contained something called "demo.rar". Unzipping it, guess what I found. So thank you, tooth fairy"

Whoops. The demo seems to be "on general release" nowadays, but its origins seem somewhat "under the counter", to say the least. In case you were in any doubt just how different these two are, this is Van Buren:

vb1.jpg

...and this is Fallout 3:

fo3.jpg

The prosecution rests, your Honour.

Just when you think it can't get any stinkier, you scroll right down to the bottom of the page.

Do my eyes see something there? Why yes, they do.....sort of.

fakeout.jpg

Oh my, dark grey text on a slightly lighter grey background. I wonder why they did that? Well, probably because it says this:

"MyGamesFile does not host or link to illegal software. All links are to legal, demonstration versions."

After all, nobody would install Zango (making the site owner money) if they were fully aware going into this "deal" that they could get these same demos elsewhere with no need to install anything, am I right? And if they furtively admit to doing nothing more than linking to demos elsewhere, what's with all the fake "server load" graphics all over the place?

This site fails.

It reminds me a little of the fake Batman MMORPG website from a few months ago - more importantly, it highlights how Zango continue to let bottom of the pile, cookie cutter sites like this through their QA process.

I'm willing to bet there's more of these out there. For now, the easiest way to make sure you don't get fooled by "offers" such as this is to switch off JavaScript, then hit the "Download" button. If you're taken straight to something like Fileplanet or a Download.com demo page, you know to back out slowly, not making any sudden movements...

This screenshot was emailed to us anonymously - it seems this scam program (which claims to give you free gold in Runescape) isn't even available to download yet (I love the "Beta tests" these things go through), but it's due to arrive "soon".

How soon? No idea. But if you know anybody that plays Runescape and they have this program on their PC, there's a very good chance their login details have been stolen.

rgd1.png

FBI Spoof Email

This is currently in circulation. See if you can spot the bit where they're hoping to relieve you of your cash.

ANTI-TERRORIST AND MONITORY CRIMES DIVISION
FBI HEADQUARTERS IN WASHINGTON,
D.C.FEDERAL BUREAU OF INVESTIGATION
J. EDGAR HOOVER BUILDING935 PENNSYLVANIA AVENUE,
NW WASHINGTON, D.C. 20535-0001
 
DATE: 02/02/2009
 
REMEDY FOR UNSOLICITED EMAILS.
 
Greetings from the Federal Bureau of Investigations (FBI).
 
Our Home Office has been prompted to write you an email regarding the presence of unsolicited emails traced to your email account which was reported to our agency from Google search and has been filed for record purposes.
 
This is to re-inform you that we have been receiving various complaints from victims of scam hunts and would go any extent to address this issue.
 
The FBI is not saying that you are involved in any form of illegal online activity but advice that you reduce the presence of your email profile to the public in the future.
 
We apologize for any inconveniences you must have encountered in the past and expect you to send us a copy of such scam emails sent to you. Immediately this is ascertained, we would refer to our compensation act with the view of compensating you promptly.
 
This Email is a copyright of the Federal Bureau of Investigations (FBI) and has not been sent in to you in error. Please delete if you are not affected in the stance. Do refer to our website for further information or call me directly.
 
Do respond to this mail within the next 72 hours.
 
Agent (387.828.28928)mueller
 
FBI Special Agent in Charge
Investigations Department
Phone: (44) 703 593 2165
Fax:   (44) 703 593 2160


The phone number given is a UK 070 number, premium-rate to call, which will of course cost the unwary caller quite a bit of money. That is where the "compensation" goes. Avoid...

Playfire Controversy

This is pretty bizarre. Here, we have a social networking site asking for pretty much every type of login you can imagine and getting a fair amount of criticism for it in the process. The way they go about it is somewhat peculiar, and though I don't think it was malicious on their part, it illustrates how what somebody thinks is a good idea can go horribly wrong very quickly.

The site in question is Playfire.com, a social networking site for people interested in videogames.

What were they doing? Well, it seemed messages were being sent to people on your Xbox Live friends list, "reserving" a Playfire page for each of those usernames and then presenting that individual with the page below:

pfire4.jpg

Note that it asks for your XBox Live login. At that point, according to numerous complaints on forums, those friends would then receive a message on XBox Live that appeared to have come from you, recommending Playfire.

A Playfire employee has been busy posting to this blog post, and also this forum thread on the subject. From the last link:

"It looks like Microsoft's legal team has triumphed. According to Large Jaguar, Xbox.com Development Manager, "PlayFire is no longer collecting WLID credentials for people's Xbox LIVE accounts."

Again, I don't think there's anything malicious going on here - but it's a good example of how a few poorly chosen "features" can seriously damage your reputation.

When you're a new site, that's really the last thing you need...

filter.jpg

It's not often I pimp products - actually, I don't think I ever do it - but let's give it a try.

FaceTime are currently offering a deal where you get year-on-year URL filtering for free when you pick up a USG box. I know a lot of companies charge each year for that feature, so if filtering is your bag, feel free to check it out.

Kudos to whoever did the graphic too, I like the fadeout effect thing it has going on. And when a guy with an Arts degree likes your pictures, that has to be a good thing, right?

Nothing particularly jaw-dropping, but I thought it was worth mentioning. There are quite a lot of fake Rapidshare phishing pages in circulation at present - they all look like this:

rs1.jpg

...and they want you to enter your login details to "activate premium membership immediately".

What really grabbed my attention was the URL. All of these pages specifically place certain products into the web address - no random hacker usernames or swear words in these babies. Case in point:

rs2.jpg

You can see what they did there.

At any rate, avoid any so-called "Rapidshare" page seemingly promoting albums, movies or videogames. They're not what they seem...

This arrived in my mailbox a few days ago:

par1.jpg

The EMail reads:

"This is a message from add me on msn, paris84fun@hotmail.com:
 
 add me on msn, xxx@xxxxxxxx.com thought you might enjoy checking out this blog on MySpace.com! You don't have to join MySpace.com to view the blog. Just use the link below.

[url removed]

Interesting - we have people setting up fake accounts on Myspace, sending out "check out my blog" messages to spam lists and then....

par2.jpg

par3.jpg

Pimping their spambots via phoney blog entries.

Shall we see what happens next?

janeh1.gif

As you can see, it's a standard bot script that's been around since time began.

Almost had me fooled for a moment there, too...

I spent some time recently talking to Erik Larkin regarding fake infection messages from programs that really want to have some of your money.

Interview here.

It's been brought to my attention that over the last couple of days, people have been posting malicious links to entice gamers into running keyloggers - all of which seem to revolve around one particular game. These keyloggers will steal your Steam login and hand your account to someone else, which as you might have guessed, isn't a good thing to have happen.

One such poster (now banned from the official Steam forums) has been promoting lots of links to videogame modding tools, all focused around the game Left 4 Dead. As an example:

lfd0.jpg

As you can see, "Xpro132" claims the mod does all sorts of cool things, but anyone downloading this file is in for a surprise. As one person put it,

"I downloaded the rar file,extracted the downloader exe,clicked exe and BOOM nothing... did I do something wrong?"

Unfortunately, you did :(

The file claims to be a "Web Downloader" for Left 4 Dead, giving you access to interesting features that the regular game doesn't have. The person responsible for the file has uploaded it to numerous free file hosting services:

hllfd4.gif

....which makes the "Downloaded: 3 times" message far too reassuring. From the looks of it, quite a few more people than that have been affected by this so far. This is what it looks like on the desktop:

hllfd5.gif

...and this is what ends up in your System32 Folder should you run the file:

hllfd6.gif

The second Win32 EXE is particularly difficult to shut down. From this point onwards, your Steam login (and potentially any other login you type on that PC) is exposed.

Interestingly, this same person is linking to many other files, some of which are hosted on reputable game modding websites. Here's another one:

hllfd1.gif

This is yet another Left 4 Dead related program - this one is a "especial edition" (as the creator calls it) that allows you to play custom .WAV files ingame.

hllfd3.gif

There are people complaining about it here, and the file itself is flagged by two security products on Virustotal.

Seeing as the other files this person has uploaded don't seem to be very good for your PCs health, it's advisable to give the Half-Life Sound L4d Especial Edition a wide berth too. We'll try and collect as many files related to this in the meantime, but for now, steer clear of anything posted to forums and game mod websites by the person above.

We detect the files as (amazingly enough) L4D Logger and L4D Keylogger.

Additional Research:

Chris Mannon, Senior Threat Researcher
Peter Jayaraj, Senior Threat Researcher

It seems a lot of people are jumping on the same sort of bandwagon that spawned the "Obama Stimulus Program" website from a few weeks ago. Namely:

1) Create a website telling everyone they can get thousands of dollars in Government grants
2) Show lots of happy people waving their cheques around
3) Tell the end-user they can have this too, if only they send a few dollars to cover postage and packaging. Presumably in return they get sent a list of Government grants that you could have gotten for free by just, you know, ringing up your local office.
4) The website owner makes so much money they most certainly don't need Government assistance.

Here's another one, sent to me by a good friend of mine. "Jeff Gets Grants":

jeff1.gif

jeffgetsgrants.com

It's the same deal as the Obama site - pay up for shipping and handling, and then roll around in pools of money beyond your wildest dreams.

That's the theory, anyway. Let's find out a little bit about Jeff:

"Right now I am a proud firefighter and family man, born and raised in Austin, Texas. But it wasn't always this way. Year after year more and more money kept coming out from my bank account than I deposited from my salary."

....is it just me, or does all of that sound extremely fake? Well, hold that thought.

Jeff? Say hello to Kevin.

jeff2.gif

It seems Jeff had a bang on the head, woke up as Kevin (laid off as an account rep, but married for 3 years to "Audrey") who now makes thousands of dollars "posting links on Google". The URL here is

kevingotcash.com

Talk about a split personality!

I particularly like the fake blog comments at the bottom of each website. Here's one from Kevi - wait, I mean Jeff. Or do I? Man, this is confusing.

jeff3.gif

....a "few months back"? I guess Jeff / Kevin / Mr Fake Person can travel through time too, because the site was only created on the 3rd of January 2009.

Doh.

Anyway, you might want to avoid all of these sites like the plague. None of them seem to be particularly legitimate, and I sincerely doubt you'll suddenly get "$80,000 to pay off my mortgage" like StephJ988 did. Assuming she's real.

Which she isn't.

She did come in handy, however, for finding more of these ludicrous websites. If ever you wanted to play the "how many times can one man be called so many different names" game, then here comes Christmas. As for poor old "Audrey", wife of Kevin (and Brian....and Steve....and John......and David...), I suspect she'll probably have the police after her due to the fact she's apparently married to twelve different men at the same time.

Cut and paste templates - an endless source of amusement.

wealthresource.org
briangetsmoney.com
roymadecash.com
johngetsrich.com
justingetsmoney.com
what-is-my-iq.org
coreyhasmoney.com
nickgetsgreen.com
scotts-online-money.com
journey-to-riches.com
davidscreditstory.com
johngotrich.com
kennygetsgreen.com
bradgetsgreen.com
ryansincomestory.info
danielgetspaid.com
joshmadecash.com
amysincome.com
kevinsgrantstory.com
stevesmoneystory.com
edwhitley.com/20
jamesgoesgreen.com
kegangrantsmoney.com
kylesgotcash.com
kellygetsgreen.com
mikessuccessstory.com/getgreen.html
tomsjournal.com/index2.html
jeremymadecash.com

xboxlv5.gif

In the past few weeks, we've noticed a steady increase in posts like this and this. Everywhere you look, people are suddenly curious as to how you "boot" someone from online videogames. They're not entering this rather famous joypad combination to do it - rather, they're dabbling in somewhat more sinister methods of tampering with gamers playing on XBox Live.

Namely - Botnets. In a big way too, from the looks of things.

What is XBox Live?


Xbox Live is an online multiplayer gaming and digital media delivery service created and operated by Microsoft Corporation. Pay for a Live account, and you can shoot other gamers online all day long on Halo 3, or maybe download some premium content such as movies, trailers etc.

Live has long been a target for social engineers and hackers - fooling people into handing over their logins, and building fake Points generators stuffed with Trojans and keyloggers to steal login info, has been going on seemingly forever. There is another area of Live abuse that's not been looked into much - that of "booting" other players from games via external means.

How is this done?

Well, typically someone will connect their Xbox to their PC via a crossover cable (or via their wireless connection), join a multiplayer game and then sniff the traffic (you can see a tiny example of that in the first screenshot at the top of the article). Since match traffic flows directly between the consoles in a session, the other players' IP addresses show up in the capture. They might use this method to grab IP addresses (though it can be a little over-complicated for the wannabe hacker), or they might resort to social engineering tactics away from the gaming environment. However they go about it, they need an IP address if they intend to boom, headshot their victim.

In this case, we have something rather interesting that's quickly becoming mainstream after spending a long time in the underground - combining custom made tools to create Botnet drones, specifically created to knock XBox Live gamers out of whatever game they happen to be playing at the time.

The bundle currently doing the rounds is pretty slick, and combines two tools distributed in a single all-in-one (AIO) package - it actually sits in the system tray (first icon on the left) until you feel like exploring it further.

xboxlv7.gif

Here's the two applications that work the "Magic" in this particular package, when you get tired of looking at the nice icon in your system tray:

xboxlv6.gif

xboxlv8.gif

Both of these programs pretty much do the same thing - give the user a way to DDoS other players off the Xbox Live network (note the default port for both programs is 3074, the port Xbox Live requires to be open, so the flood is aimed squarely at the console's game traffic).

How do they do it?

Well, the bundle comes with two "vanilla" Bots:

xboxb2.png

...although really, the Bots can be anything you like. You don't have to use the supplied files, though of course this is designed to be a DIY-in-minutes kit (humorously, both files point to a pre-existing Botnet so anyone foolish enough to run these EXEs while trying to create their Botnet empire is going to find themselves a drone for the original creator).

After creating a hostname with a dynamic DNS service such as no-ip.info that points to your own IP address, you insert that hostname into the ready-to-roll code in the Bot file (so the drones can find your machine even when your IP changes). At that point, all you need to do is send your victims the EXE, convince them to run it on their PC and they'll start reporting back to your Booter program as willing DDoS drones. Here's a (somewhat blurry) screenshot lifted from a popular Youtube video currently in circulation of an attack in progress on an Xbox gamer:

xbotrunning.jpg

As you can see, the attacker "only" has four bots, but the instructions that come with the programs tend to advise "between forty and sixty". This is now, as you might imagine, all the rage.
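The pattern described above - a handful of drones all hammering UDP port 3074 on one console's address at the same time - is easy to spot in flow data if you know what to look for. Here is an added example (my own code, not the post's and not anything from the booter kit) of a detector for it. The flow-record format, the thresholds and the sample flows are all constructed for illustration; a normal session is a few peers at modest packet rates, while a drone herd is many distinct sources at a rate no game needs.

```python
"""Flag XBox Live "booter" floods: many sources, UDP/3074, high aggregate rate.

Added example; the Flow format, the thresholds and SAMPLE_FLOWS are constructed
assumptions, not anything from the original post or the kit it describes.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

XBOX_LIVE_PORT = 3074  # the port both booter tools default to, per the post


@dataclass(frozen=True)
class Flow:
    ts: float      # start time in seconds (constructed data uses small values)
    src: str
    dst: str
    dport: int
    proto: str     # "udp" or "tcp"
    packets: int   # packets seen in this flow


@dataclass
class Bucket:
    packets: int = 0
    sources: Set[str] = field(default_factory=set)


def detect_booter_flood(flows: Iterable[Flow], window: float = 10.0,
                        min_sources: int = 3, min_pps: float = 500.0) -> List[dict]:
    """Return one alert per (destination, window) that looks like a drone herd.

    Flows to UDP/3074 are bucketed into fixed windows of `window` seconds per
    destination. A bucket is flagged when it has at least `min_sources`
    distinct senders AND an aggregate rate of at least `min_pps` packets/s.
    A single very chatty peer is deliberately not flagged here: that is a
    different pattern and belongs in a per-source rule.
    """
    buckets: Dict[Tuple[str, int], Bucket] = defaultdict(Bucket)
    for f in flows:
        if f.proto != "udp" or f.dport != XBOX_LIVE_PORT:
            continue  # web, DNS and so on are out of scope for this rule
        b = buckets[(f.dst, int(f.ts // window))]
        b.packets += f.packets
        b.sources.add(f.src)

    alerts = []
    for (dst, idx), b in sorted(buckets.items()):
        pps = b.packets / window
        if len(b.sources) >= min_sources and pps >= min_pps:
            alerts.append({"dst": dst, "window_start": idx * window,
                           "sources": len(b.sources), "pps": pps})
    return alerts


# Constructed sample: RFC 5737 documentation addresses, not real hosts.
SAMPLE_FLOWS = [
    # t=0..9: a normal session, four peers at a few packets per second
    Flow(1.0, "203.0.113.5", "192.0.2.10", 3074, "udp", 30),
    Flow(1.2, "203.0.113.6", "192.0.2.10", 3074, "udp", 30),
    Flow(1.5, "203.0.113.7", "192.0.2.10", 3074, "udp", 30),
    Flow(1.7, "203.0.113.8", "192.0.2.10", 3074, "udp", 30),
    # unrelated web traffic inside the attack window: ignored by the rule
    Flow(22.0, "198.51.100.9", "192.0.2.10", 80, "tcp", 5000),
    # t=20..29: four drones blasting UDP/3074 (the "only four bots" case)
    Flow(20.0, "198.51.100.1", "192.0.2.10", 3074, "udp", 2000),
    Flow(20.1, "198.51.100.2", "192.0.2.10", 3074, "udp", 2000),
    Flow(20.3, "198.51.100.3", "192.0.2.10", 3074, "udp", 2000),
    Flow(21.0, "198.51.100.4", "192.0.2.10", 3074, "udp", 2000),
    # t=35: one source at a high rate; not the herd pattern, so not flagged
    Flow(35.0, "203.0.113.9", "192.0.2.10", 3074, "udp", 6000),
]

if __name__ == "__main__":
    for alert in detect_booter_flood(SAMPLE_FLOWS):
        print(alert)  # one alert: 192.0.2.10, window 20.0, 4 sources, 800 pps
```

Run against the sample, only the 20-second window trips the rule: four sources and 800 packets/s, while the legitimate session (12 packets/s) and the lone chatty peer both pass. Lowering `min_sources` to 1 turns the single-source burst into an alert too, which is the trade-off to think about before deploying something like this on a home router's flow export.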

The big incentive here, of course, is money. There seems to be quite a lucrative market for angry gamers looking to get revenge on whoever happened to headshot them the day before - we have some screenshots of sites where these "XBox DDoS Botnets" can be created from scratch for paying customers, along with a nifty price list to get things moving.

As I said earlier, some of these tactics and techniques have been around for some time - but you only need to take a quick look around hacking forums and sites such as Youtube & Yahoo Answers to see this is rapidly becoming more and more interesting to angry 14 year olds with too much time on their hands.

What can you do about it? Well, sadly for now the answer is "not a lot". Short of keeping your IP address away from strangers (and never running an EXE a fellow player sends you, since that's how the drones are recruited), you can never be sure when playing online just who has their finger on the trigger ready to nuke you from orbit with a Botnet DDoS. The problem will only get worse as money keeps changing hands and suddenly every rage-fuelled gamer who dreamed of really getting even has the power to do so even after the "Game Over" screen has flashed up.

Perhaps the best solution is just to let that annoying fourteen year old claim his headshot and go back to playing chess...

Writeup: Chris Boyd, Director of Malware Research
Additional Research: Chris Mannon, Sr. Threat Engineer

About this Archive

This page is an archive of recent entries written by Christopher Boyd in February 2009.

Christopher Boyd: January 2009 is the previous archive.

Christopher Boyd: March 2009 is the next archive.

Find recent content on the main index or look in the archives to find all content.