Christopher Boyd: May 2009 Archives

I must admit, the first thing I thought of when I heard about this was the security implications. As it turns out, it's not just me pondering these issues. More from Graham Cluley here.

PS3 fake virus warning, originally uploaded by Paperghost.

Today I had a guest column published over at TechRadar. The subject? Fake virus warnings on the Playstation 3 console. A very bizarre example of how PC related shenanigans can easily cross over into areas that really have no business being deluged with fake virus warnings...
Schadenfreude: "largely unanticipated delight in the suffering of another which is cognized as trivial and/or appropriate."

As you might have already guessed, here comes some largely unanticipated delight. Suffering is optional, yet highly probable.

There's a rather meaty virus creation program currently doing the rounds that offers pretty much every kind of "let's break stuff" option you could think of. To the uninitiated, it looks like the world's greatest virus creation tool.

virctz1, originally uploaded by Paperghost.

Antivirus slaughter, Delete My Documents, Send Victim Info, Turn monitor off every 2 minutes and my personal favourite, "Super Spazz". It's all there, and it's all hardcore.

Unfortunately, it's all about to go horribly wrong for our wannabe script kiddie.

Click a button - any button - and this appears on the desktop:


Whoops. As it turns out, hal.dll is somewhat important:

"Hal.dll is the core of Windows' Hardware Abstraction Layer, which allows applications to access devices in the system without knowledge of the specific protocol used by any one device."

At that point, the penny drops - this isn't the world's greatest virus creation tool. Rather, it's the world's greatest "blow up your own computer while pretending to be a virus creation program" tool.

Add keyboard.sys and mouse.drv to the list of files nuked from orbit, and it's no surprise that when our wannabe script kiddie reboots his PC, he sees this:


...good luck explaining that one to dad when he gets home, kids.
Despite going boom, there are still plenty of Zango installs out there. I've no idea if they're still actually paying affiliates or what, but let's take a look at a recent site that's come to light anyway.

The site in question here is a typical "make money from ripped videos" effort, called

I've never heard of the program in question, but it looks like a hideous 80s restyling of Saved By the Bell or something. Seriously, my eyes:

Click to Enlarge

It's been an interesting day or so where leaked pictures on the web is concerned - stories abound regarding the leak of what are allegedly naked Rihanna shots (link is safe for work, obviously). Indeed, leaks of naked people plastered all over the web are becoming more and more common.

With that in mind, I thought we'd take a look at something I found at the weekend - a malicious program specifically designed to get onto your PC, scour the hard drive and send all the pictures it finds back to the hacker.

In time honoured tradition, here are the files as they appear on the desktop:


Aw look at the little hand, waving at you. Or, to be more accurate, look at the creepy set of fingers about to go pawing through your pictures.

As soon as you fire up Picture Hunter, you know the creator is fully aware of his rather ill-advised shenanigans:


It never fails to amaze me how many people create programs like this yet are never responsible for anything, ever. Oh well. The program springs into life with a number of basic options for our wannabe image pilferer:


As you can see, you enter your FTP account login details and FTP address into the required fields, then hit "Build". What you end up with is a customised version of the "Stub" file that contains your FTP data. Check out the file size, it's tiny:


Approximately 24.5kb of file rummaging activity is on the way - amazing to think how much damage such a small file could cause, as we'll see. It's worth noting that there are multiple versions of this in the wild - although some don't grab JPEG files, others not only grab JPEGs but also Zips, Docs and PDFs as an added bonus.

On my testbox, I've placed a number of images - each one a different type of file.

If I was tricked via Social Engineering into running the Server file (and of course, the attacker will likely rename it and probably give it a pretty icon to make it more appealing to the target) then the file will immediately start digging through the PC, digging out image files and then sending them to the attackers FTP account where he can browse the pictures at leisure.

Here's my FTP account a few minutes after the infection file has been executed on the target PC:


A .bmp, a .GIF and a .PNG have already appeared in the FTP directory. Shall we take a closer look at one of the files?



These are harmless images, but the potential for damage to a reputation (or just general embarassment) is huge - how many people store monster nudie pictures of themselves on their home computer, for example? The program attempts to minimise the amount of non essential images collected by filtering out certain areas of the PC - so temporary internet files, program files and images under 1kb in size are ignored.

Interestingly, the attacker could put themselves at risk due to the program simply scooping up whatever it finds - what if the infected PC has illegal pornography on it? All of a sudden, they've just uploaded a bunch of child pornography pictures to a third party FTP service - who probably aren't going to be very pleased, to put it mildly.

Of course, if the attacker is greedy enough to create a file like this in the first place, that's a risk they'll just have to take. For the rest of us, let this be a timely warning - the best place to store your image files (especially ones that involve you running around with a whip and a gimpsuit) is on an external hard drive that you can hide under the bed, in a locked case, surrounded by high explosives and tripwires.

Don't say we didn't warn you :)

Not so long ago, I wrote about XBox Live Chain Letter Spam, and how it suddenly seemed to be the cool thing to do. Well, here's an interesting example of how unfounded rumours + pretty pictures = hours of wasted fun for all the family.

Halo 3 is one of the biggest titles on the XBox console - if you've never heard of the game, click here while the rest of us wait for you.

All done? Good.

One of the most intriguing features of the game is the ability to save screenshots & videofiles to allocated storage space provided by the game maker, then share those files with other gamers. It didn't take long before people started to abuse this system through a combination of believing anything they were told and the desperation produced by wanting something (almost) nobody else has.

The rare item in question here would be Halo 3's mythical "Recon Armor" - an insanely rare item given only to Bungee employees and people who perform near miraculous (or just stupidly impressive) feats ingame. To give you an idea of how coveted this ingame item is, here's a 583 page thread (!) dedicated to finding out how to get your hands on it.


It didn't take long before some jokers decided to make this armor the "feature" of endless chain letter spam taking advantage of the file sharing functionality.

Your XBox Live account can send and receive messages to other users, much like the PM system of a forum. Quite a lot of people - those who play Halo 3 all the time and those who have never touched it in their lives - will have been sent a message like this over the past couple of months, entirely out of the blue:


...enigmatic, right? It becomes even more curious when after trying to read this message, you see the following:


It's a good job I have Halo 3, or this would be a rather short writeup.

After digging out the disc, inserting it into the console and firing the game up I eventually worked out how the file share system works. Here's the body of the message I was sent (excuse the quality of the next few images, they're photographs of my TV screen):

halrec3, originally uploaded by Paperghost.

Note at the bottom it says "Check out this film clip". If you hit the "Go to" link, you'd sit through thirty seconds of pointlessness and wonder why you'd bothered, or (if the link was for an image) you'd be left with a pretty (but pointless) picture.

What were the film clips? Well, I can't show you those but I *can* show you the image spam, and once you see them this will all make sense:

halrec4, originally uploaded by Paperghost.

"If you recommend this to 50 people, you get Recon Armor".

As you probably already guessed, spamming these images to 50 people does NOT get you recon armor. It does, however, make you remarkably unpopular. There are a lot of variations on these image spam messages, here's another one:

halrec5, originally uploaded by Paperghost.

"Recommend this to 100 people to get Crystal Armor". long as it's crystal..... pretty bad, especially when talking about inflating malicious files.

Here's a curious program called "Byte Adder", which is used to make files look bigger than they actually are.


Why would you do this? Well, it's a lot more credible to potential victims if you're trying to persuade them that your HORRIBLE_FILE.EXE is actually the same size as "Lovely fluffy bunnies.exe" (or whatever it is you're trying to convince them to download and run).

You simply tell it what size you want your infection file to come out the other side as, and it calculates how many Bytes to add in. I have to say, it's pretty slick and yet another tool in the armoury of script kiddies everywhere.

At InfoSec Europe 2009, I gave a talk about the problems companies will face as they move to services of a 2.0 nature. What follows are my Top Five Tips for tackling some of these issues - they seemed to go down quite well, so hopefully there's something in there you can make use of too.

TOP TIP ONE: Put someone in charge of Social Networking in the workplace.

I noticed as I was talking about sites such as Twitter, Yammer, etc that nobody in the room of about 130 people had used (or in most cases even heard of) any of these websites.

My concern with this is that I can guarantee there's some degree of what I like to call Intellectual Property Spillage going on. In other words, random employees and marketing bods see these new sites, think it's a good idea to be on them and then before you know it, there are unofficial presences all over the place and it becomes difficult to control exactly what's going on.

When I spoke about this issue recently, a chap in the talk went off and came back to me half an hour later. He told me he was amazed to find something like five groups set up by staff on Facebook, a Youtube page and a Yammer account - all out there online, doing their own things.

I was pleased to see a rep from a major music company approached me after the InfoSec talk and told me his company specifically employs someone to go around all the 2.0 sites registering "official" presences on these sites and keeping an eye on the oddball accounts.

Works for them...

TOP TIP TWO: Enforce a set of rules with regards what NOT to put on sites like Yammer

Yammer is basically Twitter for business users. Anyone from a company can set up a "private" Yammer account for the group, and then invite other employees to start posting about what they're working on.

The problem here is that many companies rush to join services like Yammer, post up a whole bunch of information that could be somewhat sensitive and then abandon the account. The following screenshot says it all:

Click to Enlarge

As you can see, the last post was four months ago, with all that company specific information just sitting around, doing nothing. In addition, Yammer profiles want users to fill in a ludicrous amount of personal information. Full name, title, start date, significant other, kids names, birthday, interests, work / mobile phone, previous employers & start dates...and that's only a portion of the data requested. It's a social engineers dream, assuming they can trick a Yammer user to hand over their login OR pull off a successful phish attack.

Even better, you can view the company user list and see who has the most followers - assuming the most followed people are likely to be the most relevant / important people there, you're painting a huge bullseye on the "Staff who most need to be stalked".

My advice? If you have someone keeping an eye out for 2.0 sites / groups related to your company, ensure services such as Yammer are top of the list...and think carefully about posting sensitive company information. It'll only take one solitary phish to cause a lot of problems.

TOP TIP THREE: Keep real world friends & work associates OUT of your top 10 friends on Myspace

Yeah, Myspace is somewhat looked down upon by all the cool kids but whatever. There's still a lot of early adopters out there who use it successfully for networking, and it's still a powerful marketing tool for certain types of product / company / dreadful Emo bands.

Myspace is also notorious for troll groups and general idiocy. A typical past-time for trolls is to find out personal information, then cause trouble in the real world. Hassling people at their place of work is always great fun for them, or if that should fail, causing trouble for friends / work colleagues.

They do this by seeing who sits in your "Top five / ten / whatever" list of friends, on the basis that most people will (naturally enough) place their real world friends / workmates in that top position.

You know what I'm going to suggest, don't you? Take all your real world contacts and place them OUTSIDE the Top Ten Friends list. Put all those random people you accumulate - the bands, random additions, people you talk to on a forum once every blue moon - in the top spot. When the bad guys go trawling for information they can use against you, they're not going to get very far when they're wasting all their time conversing with German rock guitarists and spambots.

TOP TIP FOUR: Avoid the "Life story on Linkedin" approach

Yes, Linkedin is a useful way to make business contacts, see who is going to relevant events and so on. However - when I was at InfoSec, I was taken by how many people basically treat it as a posh version of Facebook and competing with people they know to see who can get the most "friends".

This is a TERRIBLE idea. Consider this - Linkedin works by constantly, endlessly nagging you to fill things in, complete this, flesh that out to hit utterly meaningless "targets".


Think about the amount of personal and business related information you're adding to your Linkedin page. Consider it's likely to be similar to the kind of data you're putting onto the more private Yammer account that only your workmates can see, only HERE you're making it viewable to all those random additions to your contact list.

Is that really a good idea? It's not hard for a social engineer to create a fake profile on Linkedin and go roaming - especially while people seem to be treating it as a popularity contest...

TOP TIP FIVE: Delete old Twitter messages (the "five a day" rule)

If you want to build up a picture of a potential target, Twitter is the place to hang out. It's random, it's stream of consciousness and no matter how hard the person posting tries, even a person who carefully considers what they post is going to leak some personal data about themselves that they'd rather not share.

It doesn't have to be anything spectacular; it's just an endless series of useful nuggets that someone, somewhere can use to build up a picture of you and do bad things. It's surprisingly easy to work out where someone lives (for example) when they're doing something as basic as posting region specific pictures of buses in their area on twitpic, for example.

To some people this isn't a big deal; to others who want to keep their location more anonymous than most, they probably didn't stop to think something as basic as posting up a picture of a bus could reveal their location.

In the same way, now so many people use Twitter for business related things it's easy to imagine that over time someone might have posted things that could be used to flesh out a target. Want to go dumpster diving? Well, what time does the only guy in his office go on his coffee break at? Oh look, according to Twitter he goes every day at 10:30AM, and we know he's the only person in there because he says he locks up...

Anyway, my advice is this - if your business world crosses over into your Twitter posts in some prominent way, you might want to consider deleting all but your five most recent Twitter posts. Do you really need them all lying around, waiting to potentially cause problems further down the line?

That concludes my "Top Five Tips". You might not agree with all of them (and feel free to share your own!), but hopefully there's enough in there to give some pause for thought the next time a 2.0 site is begging you to fill it up with an endless stream of information.
I recently attended InfoSec, and have already posted up a bunch of entries about the show:

* InfoSec Europe 2009: An Introduction
* Booth Girls: THIS is how you do it
* Best. Video. Ever.
* Some Observations

You can also see the image gallery for the trip here, and I have one more post to make...
Lance James posted up an extremely interesting account of his experience at the recent RSA conference.

"We were flagged in the computer. That's how it all started. Well, first all SSC registered personnel were suddenly blocked online access. Then at the registration booth we were asked to "step aside". It's not that being held up or detained is new to us... only usually the holdover is at the airport on account of trying to get the six laptops, four phones and assorted recording devices through to carry-on. After a brief wait, the general manager and regional vice president of the conference arrived and quickly got down to the business of a perceived "breach" in responsible reporting."

More on disclosure, responsibility and the familiar issue of "the blame game" here.

About this Archive

This page is a archive of recent entries written by Christopher Boyd in May 2009.

Christopher Boyd: April 2009 is the previous archive.

Christopher Boyd: June 2009 is the next archive.

Find recent content on the main index or look in the archives to find all content.