Results matching “007 Spy Software” from FaceForward

When one of our lead researchers, Chris Boyd, started looking into MySpace hacks and scams over a year ago, some of us at FaceTime questioned whether that was the best place for him to spend his time. Was it relevant to the business IT market that we serve?

Absolutely. The ability to control how employees use social networking on work computers is one of the key topics of conversation we have with new customers. We've heard from customers that they can't block MySpace and Facebook because their HR departments use the sites to do background checks on potential employees. Many organizations are also setting up company-oriented communities on Facebook. We've spoken with companies who have lost new employee candidates because of their policies against use of Web 2.0 including social networking and instant messaging - these companies are perceived as legacy and uninteresting places to work.

MySpace and other social networking sites have entered the enterprise, and business leaders together with IT have to figure out how to turn it into an advantage for the company. It's a much larger issue than simply making a binary decision to block or allow it.  Do you block it all, or do you allow some users or some aspects of it?  What are the cultural and employee morale issues if you shut down access? 

I have a good friend who works at a satellite office for a Fortune 100 company. His Internet is locked down beyond belief. Yet, the posters on the wall from the corporate office highlight value statements about "innovation" and other rhetoric that seems to me at odds with their Internet policy. I'm told that the morale there is a mess. Is there a relationship?

FaceTime is not in the business of establishing the Internet access policy for our customers. We are in the business of enabling them to enforce their desired policy for Web access, including control of MySpace and other social networking sites. But my contention is that it's not solely a matter of whether or not MySpace, Facebook etc. have a business purpose. The real point is that employees feel they have a right to use whatever applications or online sites they like on their work computers, and IT has to maintain the integrity of the network despite this trend. Bringing these two perspectives together for the benefit of the business is where the challenge lies.

Results matching “007 Spy Software” from SpywareGuide Greynets Blog

I recently spoke at the ASC Conference in DC:

http://blog.spywareguide.com/upload/2008/02/asc081-thumb.jpg

...and a lot of interesting issues were laid out for discussion (I should point out we didn't speak in the Capitol Building, I just like that photograph. Plus, it looks a bit more impressive than a picture of a hotel). Shall we have an obligatory shot of a board with a lot of companies listed on it? Sure:

http://blog.spywareguide.com/upload/2008/02/asc083-thumb.jpg

That's a whole lot of companies right there! Anyway, the Conference had a lot of FTC people in attendance, and kicking things off was Ari Schwartz and FTC Commissioner Jonathan Leibowitz:

http://blog.spywareguide.com/upload/2008/02/asc085-thumb.jpg

A repeated theme (that may or may not have been intentional) was that, to some degree, the "battle is won" - at least as far as trying to get "legit" Adware vendors to toe the line goes. Of course, there's still plenty of badness out there to contend with. The evidence from security forums and people fighting these infections on the frontline would seem to suggest PC hijacking is as rampant as ever, if not more so.

Shall we lighten the mood with some cameo shots of the antispyware big-hitters?

http://blog.spywareguide.com/upload/2008/02/asc086-thumb.jpg
Alex Eckelberry!
http://blog.spywareguide.com/upload/2008/02/asc087-thumb.jpg
Bill Pytlovany!
http://blog.spywareguide.com/upload/2008/02/asc0810-thumb.jpg
John Levine!
http://blog.spywareguide.com/upload/2008/02/asc089-thumb.jpg
Lance James! (Long story..)

Stefan Savage gave a great presentation, where he looked at various elements of the underground economy of hackers - namely, what carders and data theft scammers get up to in IRC channels.

http://blog.spywareguide.com/upload/2008/02/asc0811-thumb.jpg

My own panel featured Alex, Lance, Cindy Southworth of the awesome NNEDV and Luke Erickson of the FTC. We talked about some pretty heavy duty stuff, including how the increasing frequency of illegal pornography is actually causing some people in security to drop out of the business (because, understandably enough, they don't want that kind of material on their PCs lest the police come calling), how kids as young as twelve are happily trading credit cards, and the kind of information phishers and data stealers are collecting (the slides provided by Lance were an extremely interesting extension of what Stefan had been saying earlier on).

http://blog.spywareguide.com/upload/2008/02/asc2008128888-thumb.jpg
(Thanks to Bill P for the image!)

A lot of food for thought, and I'm hopeful the presentation I gave regarding the kids getting involved in hacking and cracking hit home with the FTC people in attendance.

At this point, I want to give a mention to NNEDV - I spent a lot of time talking with Erica Olsen of the National Network to End Domestic Violence, and it was frankly mind boggling how many anecdotal tales ended with "Yeah, she died / was killed / beaten to a pulp" etc. It seems depressingly likely that we've just scraped the tip of domestic abuse going hand in hand with monitoring software / keyloggers / all those other wonderful products sold as "surveillance tools" to "keep Junior safe online", which are in fact almost immediately used for much darker purposes.

Truth be told, the entire conference was a strange mixture of conflicting views - on the one hand, we were being told "we've won", but on the other hand, people like myself and NNEDV were showing how a lot of individuals were ending up as losers, with no hope of fixing whatever tech-related problem they happened to be in...from the comical to the life threatening.

I guess the Internet really is serious business.

Listen to the full conference (and check out the slides) here, and make your own mind up. Adware was, is, and will continue to be a problem for the foreseeable future - but beyond all the types of "ware" out there that we need to start concentrating on, we need to remember that every single time something bad gets onto a PC, a life can potentially be destroyed forever.

Now, more than ever, we need to keep fighting.

Stock Trading Spam Hits Flickr

Here's an interesting spam gimmick - do a search for something in Google / Yahoo / whatever:

http://blog.spywareguide.com/upload/2007/12/flickr_stock_spam_search-thumb.jpg

.....meanwhile, the bad guy has stuffed a bunch of keywords into a Flickr screenshot page, then inserted one of those wonderful stock trading spam messages into the screenshot area. When people arrive at his Flickr page, they see this:

http://blog.spywareguide.com/upload/2007/12/stock_spam_flickr70-thumb.jpg

....awesome. In fact, this particular profile is stuffed to bursting point with keywords galore leading to yet more trading spam...

http://blog.spywareguide.com/upload/2007/12/stock_spam_flickr_two-thumb.jpg

......and a pile of Viagra / cheap software garbage, too:

http://blog.spywareguide.com/upload/2007/12/final_flickr-thumb.jpg

What site will the spammers ruin next?

You probably saw some of the coverage of the recent hijacking of musician pages on Myspace. What you probably didn't see was evidence of the end-users who were unfortunate enough to have their systems taken over as a result of the hacked band pages. Certainly, a few reports claimed that something like "40,000" people were infected as a result of viewing the Alicia Keys Myspace page at the time that it was hacked. The only problem is, nobody seemed to be able to produce one of these individuals. While I don't believe that many users became infected purely from the Alicia Keys page, it's obvious that there would be people out there with a story to tell.

Well, a few days ago, one of the end-users who clicked the overlay on a hijacked page (which would redirect you to malware and fake codecs) got in touch, and agreed to let me use the following extract to serve as a warning to anyone clicking on a Myspace page. Obviously, names and personally identifiable information have been removed.....

"To Chris Boyd:

I believe I was a victim of the recent software attacks on MySpace. I have read that you first blogged about it, but haven't heard of any solutions as to what can be done to online visitors who have visited the site, and whose computers have been compromised. I had ********** Cable install high-speed internet, and got online the same day. I did get on the Alicia Keys website, along with other websites, and the following day, my computer is showing me a red screen telling me that my "privacy is in danger." A pop-up window appears from time to time. It says...WINDOWS SECURITY ALERT...Someone is trying to hack into your system....download such and such now, etc. Downloading more stuff is actually something that I don't want to do.

I have contacted the company, and all they told me was to go to a computer technician and clean my software. I should mention that I had McAfee and Norton Antivirus, but both expired in May 2007. I had dial-up before and never had this problem, even with the virus protection programs expired. I guess the only solution now is to get my computer cleaned up, and buy software that will protect me from future problems. Hope Best Buy has the right stuff! Since it's high-speed, does that mean we're open to hackers? Do you know how online visitors can be compensated for the recent attacks on the website?"

Well, for what it's worth, you'd have had the same problem if you'd visited the page and been hijacked regardless of whether you were on dial-up or high speed broadband. As to whether or not you're "open to hackers", it depends what was installed during the hijack. Though there were some reports of rootkits flying around the press when this story was in the news, all we saw installed was the fake codec (which is usually responsible for downloading and installing the rogue antispyware cleaner currently giving you all those "alerts"). However, the payload was known to change from time to time, so without seeing the individual PC it's hard to say. The good news is, most reputable security cleaning tools remove many, many variants of these fake codecs, and also the rogue antispyware tools they push onto hijacked PCs. The method used to hijack the computers in this attack was much more interesting and up to date than the actual malware being foisted onto the target PC, which (when compared to some of the hijacks out there) was fairly middle-of-the-road and not a huge threat.

As for being "compensated", sadly I don't think you'll get very far. Your best bet is to keep your security tools updated, try running in Limited User Mode if you're just doing general web browsing and keep Windows patched as much as possible.

Meanwhile, hacked pages are still out there and still redirect to the hijack sites at the heart of this attack, so anybody visiting a music page on Myspace needs to ensure everything they click on is legitimate. On a related note, I'd love to hear from anyone else out there that's been hijacked by the above scam...

Presenting IKatzu, the browser helper object that supposedly pops adverts but doesn't actually seem to do anything. Not at the moment, anyway - but that doesn't mean we can't investigate. Shall we dig around behind the scenes and see where this comes from? Let's kick things off by looking at some of the files that get dumped into your System32 folder when the initial executable is activated by the user:

ikatzu6.jpg

The purpose of this bundle of joy is to show you adverts - as you might have expected. However, what's far more interesting than the actual application is the tangled web behind the software. A quick Google for the program seems to hint at a page promising terms and conditions, from a site called Artella.biz. However, at present the "page is not available". Thanks to good old Google cache, I was able to retrieve the T&Cs - because I'm sure Artella don't want those going missing, right? - and ran them through the Eula Analyzer. A brief look at the page made me grind my teeth and probably clench a few fists, because it is so reminiscent of the "Olde Worlde" Adware bundle license agreements from 2005 / 06, where six hundred odd applications are listed along with links to other website EULAs, many of which would lead you to 404 errors or worse. I was hoping this kind of license had gone out with the Ark, but apparently not. In this case, things aren't much better - for the sake of an application that's supposed to show you some adverts, on a regular 17-inch monitor (at least, I think that's what I'm using, don't blame me if I'm wrong), the whole thing took SEVENTEEN PAGES OF INDIVIDUAL TEXT to scroll through.

That's a lot of text.

There are also a few links off site to other pages of information, and references to companies that might be included "if applicable". All in all, not the best start. However, it gets worse - the entire EULA can be read here, and these are the results:

Number of characters: 55671
Number of words: 9399
Number of sentences: 357
Average words per sentence: 26.33
Flesch Score: 23.5
Flesch Grade: 17 : Beyond Twelfth Grade reading level
Automated Readability Index: 20 : Beyond Twelfth Grade reading level
Coleman-Liau Index: 21 : Beyond Twelfth Grade reading level
Gunning-Fog Index: 42 : Beyond Twelfth Grade reading level

...that's a pretty crazy EULA someone expects you to wade through. 9,399 words? 300+ sentences? All to see some ads? No thanks.
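The numbers above come from the Eula Analyzer. The script below is an added example, not the blog's or FaceTime's code: it computes the same family of statistics (Flesch, Flesch-Kincaid, ARI, Coleman-Liau, Gunning Fog) with a heuristic vowel-group syllable counter, and runs them over two short constructed texts so you can see how a single long legalese sentence drives the grade level up.

```python
import re

# Vowel runs approximate syllable nuclei; this is the usual heuristic, not a dictionary lookup.
_VOWEL_GROUPS = re.compile(r"[aeiouy]+")


def count_syllables(word: str) -> int:
    """Heuristic syllable count: vowel groups, minus one for a trailing silent 'e'."""
    w = word.lower().strip("'")
    if not w:
        return 0
    groups = len(_VOWEL_GROUPS.findall(w))
    if w.endswith("e") and not w.endswith(("le", "ee")) and groups > 1:
        groups -= 1
    return max(groups, 1)


def grade_label(grade: float) -> str:
    """Label a grade level the way the analyzer output above presents it."""
    if grade > 12:
        return "Beyond Twelfth Grade reading level"
    return f"Grade {round(grade)} reading level"


def analyze(text: str) -> dict:
    """Compute the readability statistics quoted for the IKatzu EULA."""
    sentences = [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]
    words = re.findall(r"[A-Za-z']+", text)
    n_sent, n_words = len(sentences), len(words)
    if n_sent == 0 or n_words == 0:
        return {"characters": len(text), "words": 0, "sentences": 0}
    letters = sum(1 for c in text if c.isalnum())
    syllables = sum(count_syllables(w) for w in words)
    complex_words = sum(1 for w in words if count_syllables(w) >= 3)
    wps = n_words / n_sent        # average words per sentence
    spw = syllables / n_words     # average syllables per word
    flesch = 206.835 - 1.015 * wps - 84.6 * spw
    fk_grade = 0.39 * wps + 11.8 * spw - 15.59
    ari = 4.71 * (letters / n_words) + 0.5 * wps - 21.43
    coleman_liau = 0.0588 * (100 * letters / n_words) - 0.296 * (100 * n_sent / n_words) - 15.8
    gunning_fog = 0.4 * (wps + 100 * complex_words / n_words)
    return {
        "characters": len(text),
        "words": n_words,
        "sentences": n_sent,
        "syllables": syllables,
        "avg_words_per_sentence": round(wps, 2),
        "flesch": round(flesch, 1),
        "flesch_kincaid_grade": round(fk_grade, 1),
        "ari": round(ari, 1),
        "coleman_liau": round(coleman_liau, 1),
        "gunning_fog": round(gunning_fog, 1),
    }


# Constructed sample texts; neither is taken from the EULA discussed above.
SIMPLE_TEXT = "The app shows ads. You can remove it. It is free."
LEGALESE_TEXT = (
    "The Software includes a component which will remain active at all times with the "
    "objective of verifying and ensuring the correct functioning of the Software, and the "
    "User requests and authorizes the installation and updating of this component together "
    "with the Software in accordance with the terms set out in these Conditions."
)

if __name__ == "__main__":
    for name, text in (("simple", SIMPLE_TEXT), ("legalese", LEGALESE_TEXT)):
        stats = analyze(text)
        print(name, stats, grade_label(stats["gunning_fog"]))
```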

There's a fair amount of talk regarding removal of the advertising software in conjunction with something called "Upads.biz", so off we go to have a look:

http://blog.spywareguide.com/upload/2007/10/ikatzu1-thumb.jpg

...is it just me, or does the picture of the laughing dude creep you out too? Ick. Anyway, a Whois search is predictably fruitless:

http://blog.spywareguide.com/upload/2007/10/ikatzu2-thumb.jpg

Any and all useful information is hidden by "Moniker Privacy Services". That seems to be true for most (if not all) sites involved in this distribution network. We're left with Artella, so let's go check them out:

http://blog.spywareguide.com/upload/2007/10/ikatzu3-thumb.jpg

The interesting thing here is that although this site also has its contact details hidden via Moniker Privacy Services, they sort of made that pointless by placing an address on the front page of their website - 48 Bella Vista, Edificio No. 27, Local No. 2, Ciudad de Panama, Rep. De Panama.

Bit weird?

Anyway, we finally have an address so we're vaguely better off than we were previously. However - things are about to get even weirder. Let's take a quick jump over to their Uninstall Page where they come down hard on anyone wanting to remove their application from a PC:

http://blog.spywareguide.com/upload/2007/10/ikatzu4-thumb.jpg

"Please be aware that many so called "ad ware removers" and "spy ware removers" can cause damage to your computer and may alter your computer in such a way that our automated removal application will not function. At the present time, there is no third party software which is capable of removing Artella applications. If you have purchased an application which claims to remove Artella, we encourage you to contact your credit card company and request an immediate reversal with the reason of "Product Not As Described" and/or contact the Better Business Bureau."

.....ouch! And "no third party which is capable of removing Artella applications"? I guess this was just a dream, then. I went and tried their Uninstaller:

ikatzu88.jpg

Imagine my dismay, then, when after hitting the YOU REMOVE NOW button the entry from Add / Remove programs just....vanished. No confirmation, no box appearing to say job well done....nothing. The entry from "Manage Add Ons" in IE had vanished, and a few files had disappeared from the System32 Folder, but that was about it - a bunch of files were still sitting there with no real indication that anything much had changed.

So I restarted my machine, hoping to see a lean, clean machine - but, lo and behold....

ikatzu9.jpg

...the same files, still sitting there! Are they active? Are they dead? And aren't I supposed to report those pesky removal tools to the Better Business Bureau? "Who knows" is what the response of the average (and probably not so average) Internet user is going to be. Even better, running a quick HijackThis scan shows the following:

ikatzu200.jpg

...ads_cpd.exe is still listed as a service! (It's still sitting in the System32 Folder, too). Considering they spent so much time complaining about third party removal tools, you'd have thought they'd have done a better job of it with their own uninstaller but oh well.
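The before/after comparison described in this write-up can be done systematically. The script below is an added example, not FSL's own tooling: it diffs three constructed snapshots (clean machine, after install, after the vendor's uninstaller) across the places checked above (System32, services, IE add-ons, Add/Remove Programs) and, for each leftover file, answers the "active or dead?" question by checking whether a surviving service still points at it. Only ads_cpd.exe is a name from the write-up; every other IKatzu-related name is a made-up placeholder.

```python
from dataclasses import dataclass, field

# Categories compared between snapshots; each is a set of names.
CATEGORIES = ("files", "services", "run_keys", "browser_addons", "arp_entries")
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")


@dataclass
class Snapshot:
    """What a researcher records at each stage (constructed here, not captured from a PC)."""
    files: set            # file names seen in %System% (System32)
    services: set         # service names from the service control manager
    run_keys: set         # values under the Run registry keys
    browser_addons: set   # IE "Manage Add-ons" entries
    arp_entries: set      # Add/Remove Programs entries
    service_binaries: dict = field(default_factory=dict)  # service name -> image file


def audit(before: Snapshot, after_install: Snapshot, after_uninstall: Snapshot) -> dict:
    """Report what the install added that the vendor's uninstaller left behind."""
    report = {}
    for cat in CATEGORIES:
        added = getattr(after_install, cat) - getattr(before, cat)
        leftover = added & getattr(after_uninstall, cat)
        report[cat] = sorted(leftover)

    # A leftover file is only "dead" if nothing still launches it.
    live_images = {after_uninstall.service_binaries.get(s) for s in report["services"]}
    classification = {}
    for name in report["files"]:
        if name in live_images:
            classification[name] = "active: still registered as a service"
        elif name.lower().endswith(EXECUTABLE_SUFFIXES):
            classification[name] = "dormant executable: no launch point found"
        else:
            classification[name] = "inert data file"
    report["file_classification"] = classification
    report["clean"] = not any(report[cat] for cat in CATEGORIES)
    return report


def format_report(report: dict) -> str:
    """Human-readable summary of the audit result."""
    lines = ["Uninstall verdict: " + ("clean" if report["clean"] else "residue found")]
    for cat in CATEGORIES:
        for name in report[cat]:
            note = report["file_classification"].get(name, "")
            lines.append(f"  {cat}: {name}" + (f" ({note})" if note else ""))
    return "\n".join(lines)


# Constructed snapshots. ads_cpd.exe is the service named in the write-up; the
# other IKatzu-related names are placeholders.
BASE_FILES = {"kernel32.dll", "ntdll.dll", "user32.dll"}
BASE_SERVICES = {"Dhcp", "Dnscache"}
BASE_BINARIES = {"Dhcp": "svchost.exe", "Dnscache": "svchost.exe"}

BEFORE = Snapshot(files=set(BASE_FILES), services=set(BASE_SERVICES), run_keys=set(),
                  browser_addons=set(), arp_entries=set(),
                  service_binaries=dict(BASE_BINARIES))

AFTER_INSTALL = Snapshot(
    files=BASE_FILES | {"ads_cpd.exe", "ikatzu_bho_example.dll", "ikatzu_example.dat"},
    services=BASE_SERVICES | {"ads_cpd"},
    run_keys=set(),
    browser_addons={"IKatzu BHO (example)"},
    arp_entries={"IKatzu"},
    service_binaries={**BASE_BINARIES, "ads_cpd": "ads_cpd.exe"},
)

# The vendor uninstaller removed the ARP entry, the IE add-on and one DLL, nothing else.
AFTER_UNINSTALL = Snapshot(
    files=BASE_FILES | {"ads_cpd.exe", "ikatzu_example.dat"},
    services=BASE_SERVICES | {"ads_cpd"},
    run_keys=set(),
    browser_addons=set(),
    arp_entries=set(),
    service_binaries=dict(AFTER_INSTALL.service_binaries),
)

if __name__ == "__main__":
    print(format_report(audit(BEFORE, AFTER_INSTALL, AFTER_UNINSTALL)))
```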

We're not done yet with this page, either. Remember "48 Bella Vista", listed as their "main headquarters" on the frontpage of their website? Well on the Uninstall Page, their "main headquarters" are listed as "Avenida Winston Churchill, Edificio Vista Del Mar, No. 43 Ciudad de Panamá, Rep. De Panamá."

....is it just me, or do they have two different main headquarters?

Let's finish this one off with a familiar face - going back to the huge EULA page, who should be listed but....

http://blog.spywareguide.com/upload/2007/10/ikatzu500-thumb.jpg

...Mirar! Yep, just when you thought things couldn't get any more convoluted, along comes yet another element into an already crowded and confusing mix.

....what was I writing about again? Oh yeah, IKatzu. Sorry. Given the seemingly endless EULA pages, the amount of secrecy with regard to who a lot of these associated sites are registered to, the multiple "main headquarters" addresses, T&C pages that seemingly no longer exist and an uninstaller that doesn't really instill faith in the end-user, I don't recommend installing this application.

......be honest, did you think I was going to say anything else?

There's an interesting bit of activity taking place on the Skype network lately. In fact, it seems to have been around for a couple of months in various guises, but things really seem to have taken off recently for this particular scam if the amount of complaints on forums and blogs is anything to go by.

Want to take a look?

Sure you do. If you happen to go searching on the Skype userlist, you might happen to come across something similar to this:

http://blog.spywareguide.com/upload/2007/09/secmon0-thumb.jpg

That's an awful lot of people with the same username - if you happen to be using Skype and minding your own business, you might be surprised to find that the following text message is sent to you:

http://blog.spywareguide.com/upload/2007/09/secmon1-thumb.jpg

As you can see, the message reads:

"WINDOWS REQUIRES IMMEDIATE ATTENTION
============================

ATTENTION ! Security Center has detected malware on your computer !

Affected Software:

Microsoft Windows NT Workstation
Microsoft Windows NT Server 4.0
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Win98
Microsoft Windows Server 2003

Impact of Vulnerability: Remote Code Execution / Virus Infection /
Unexpected shutdowns

Your system IS affected, download the patch from the address below NOW!"

Anyone clicking the link in the screenshot will actually be taken to a "patch" that (mysteriously) neither looks like a patch nor comes for free.

http://blog.spywareguide.com/upload/2007/09/secmon2-thumb.jpg

....oh dear, that doesn't look good...

http://blog.spywareguide.com/upload/2007/09/secmon3-thumb.jpg

That's even worse - because I have three entirely non-existent threats on my PC. However, if I decide to "remove" them....

http://blog.spywareguide.com/upload/2007/09/secmon5-thumb.jpg

....my "patch" suddenly costs $19.95. "Scan & Repair Utilities" is on the Spywarewarrior Rogue Antispyware List. Steer clear of these messages and never download anything sent to you by random contacts, whether on Skype or anything else.

http://blog.spywareguide.com/upload/2007/09/skinner1-thumb.jpg

Upon hearing bad reports about a product called "Messenger Skinner", we decided to investigate. The program (whose target audience must strongly favour kids by virtue of the fact that the most entertaining thing it gives you is dancing bananas) has a number of issues that make it something I'd rather not recommend. Note:

"Messenger Skinner is free of any kind of spyware or trojan".

Interesting statement. Let's continue.

skinner3.jpg

...looks innocent enough so far, but things are about to get messy.

http://blog.spywareguide.com/upload/2007/09/skinner5-thumb.jpg

Presented with a "real" installer. That's good.

The text box is stupidly small. That's bad.

The "no" button is pre-checked and you have to physically select yes. That's good.

I don't like the colour scheme. That's bad.

The EULA is certainly comprehensive. That's good.

But that's only because there's apparently two of them.

That's bad.

See, during install, the EULA you see is NOT the EULA you see by clicking "Terms and Conditions" from the program entry on your Start list. Indeed, once installed, all you really get is a very general ramble about liability, licensing and intellectual property. Right at the end, under "Uninstall", you get the briefest of mentions for this:

"UNINSTALL
This software is completely free as it is subsidized by the Favorit contextual advertising component."

....ooh. In fact, we need to hope that anyone installing the program not only took great note of the EULA during install, but copied and pasted it onto their system to get a better idea of what's likely to be going on in their system.

Namely:

1. USE OF THE SOFTWARE

1.1. MessengerSkinner, a Freeware application, offers a button which allows you to add funny emoticons and other things to MSN Messenger (R) 7.0, 7.5 and Windows Live Messenger (R).

1.2. The Software includes a component which will remain active at all times with the objective of verifying and ensuring the correct functioning of the Software, and offering other advantages ("Component"). When the User is connected to the Internet the Component will make periodic connections to the Provider's servers in order to check that there are no problems in the access network or the User's Computer. If any error which prevents the normal use of the Software is detected in the User's Computer, the Component will seek to identify and solve it. Any changes that the Component makes to the User's Computer will be to clearly non-essential parts thereof and for the purposes referred to in these Conditions. THE USER REQUESTS AND AUTHORIZES THE INSTALLATION AND UPDATING OF THIS COMPONENT TOGETHER WITH THE SOFTWARE IN ACCORDANCE WITH THE TERMS SET OUT IN THESE CONDITIONS. The Component will carry out the tasks described in these Conditions only when the User is connected to the Internet, whether using the Software or the User's regular Internet connection. In any case, the User can easily uninstall the Software or the Component by selecting "Access Connection" and "Component Add-On" respectively in the appropriate section of the operating system control panel. Users should be aware that upon such uninstallation, the advertising messages might be sent during a period of three months after said uninstallation, the benefits provided by the Component will not be available and in certain cases the Software (if retained) or the Provider's services may not function correctly.

Adverts for three months after uninstalling? Nice! As you'll see later, the hoops you need to jump through to uninstall hark back to the "good old days" of Direct Revenue making you download additional software to uninstall the first unwanted program. Tonight we're gonna' party like it's 2004! Yay!

1.4. In order to carry out the operations referred to in the paragraphs above, the Component will send certain data from the User's Computer to, and will receive information and requests for these purposes from, the Provider's servers. The data sent to the Provider's servers by the Component will be limited to technical and connection information such as: operating system user name, name of the computer in the operating system, IP address of the LAN of the computer, country of connection, browser default country, operating system version, operating system or browser service packs installed, ID of the most recent browser update, vertical and horizontal resolution of the monitor screen, IP address of the most recent internet connection, maximum and average response times, percentage losses, name of the last RAS connection and others relevant for the purposes indicated. The User authorizes such exchanges of information with the Provider's servers in accordance with these Conditions. At no time will any information regarding Internet sites visited or other activities of the User be sent to the Provider's servers; this information will be processed within the User's Computer in order to anonymously select advertising or other messages to be shown to the User. In no case will the Provider be able to identify the User nor will any profile of the User be created.

...."limited to"? What else is there left to grab, shoe size?

For the sake of this:

http://blog.spywareguide.com/upload/2007/09/skinner12-thumb.jpg

....I'm starting to feel pretty uncomfortable about installing this program. Oh, note that I had to blank a few smileys out because they were, er, sort of rude. Enjoy, kids!

Anyway, now we come to the meaty part. If you installed this program and happened to run, oh, I don't know....a bunch of Rootkit Scanners...you'd probably see something a little like this:

http://blog.spywareguide.com/upload/2007/09/skinnerend-thumb.jpg

.....and, from another testbox, something like this:

skinner14.jpg

skinner15.jpg

....hidden, randomly named executables? Oh, awesome. That's just what the world needs more of. I guess that's why Symantec say the following on this writeup, then:

"# Hides the following files by using rootkit technology:

* %System%\[RANDOM].exe
* %System%\[RANDOM].dat"

......to coin a phrase, whoops.

At this point, I bet you're dying to see the program in action, right? Exactly how does Messenger Skinner operate in the context of the MSN Chat system? Well, the answer is faintly interesting:

http://blog.spywareguide.com/upload/2007/09/skinner11-thumb.jpg

.....check it out, it almost totally hides the adverts served up by MSN! I wonder if they'd be happy knowing this product did that? I guess we'd better move onto the uninstaller that time forgot. In the rather general "terms and conditions" available from accessing the program via the Start menu, right at the bottom, is this:

"UNINSTALL
This software is completely free as it is subsidized by the Favorit contextual advertising component.

The end user can uninstall our component by filling the following form:
http://www.pc-on-internet.com/uninstall
"

.....oh dear. I'm sort of surprised anyone still releases applications like this - especially as it all smacks of hoop jumping and a faint impression that they don't actually want you to uninstall any of these things. For a perfect example of what I mean, check out this writeup from 2005 where I battled with the Uninstaller for Direct Revenue's Aurora.

Let's all pause while you read that and say a few brief words for Aurora.

What's that? Nobody got anything good to say about it? Nah, didn't think so. Anyway....let's go over how I think uninstalling a program should go.

1) Decide to uninstall.
2) Run uninstaller.
3) The end.

Now let's see how it goes down in Messenger Skinner Land, or as I like to call it, "Hoop Jump City Central" (like Nutbush City Limits, but with a better beat).

The Main Uninstall Page:

http://blog.spywareguide.com/upload/2007/09/skinner7-thumb.jpg

The Terms and Conditions Page:

http://blog.spywareguide.com/upload/2007/09/skinner8-thumb.jpg

The Privacy Policy Page:

http://blog.spywareguide.com/upload/2007/09/skinner9-thumb.jpg

....WHAAAAAAAAAAAAAAA?

That's right, to uninstall the program, they insist that you open up THREE DIFFERENT PAGES and read through endless reams of text - just to uninstall something!

Not only that, but then you have to hand over your Email address to contact them, tell them why you don't want it on your system anymore and (finally) "wait for someone to look into it" and then, finally, presumably, hopefully, send you the link to the uninstaller.

http://blog.spywareguide.com/upload/2007/09/skinner17-thumb.jpg

But wait, it gets BETTER. Can you believe it? Look what awaits you in the mailbox:

skinner18.jpg

Absolutely incredible. You're stuck with a 24 hour limit to obtain the uninstall program. If your Internet connection breaks, or you weren't planning on sitting in front of your PC all day waiting for their all important Email - too bad! Furthermore, they have such ironclad faith in their uninstaller program that if you run it more than three times, you see this:

http://blog.spywareguide.com/upload/2007/09/promo_expired-thumb.JPG

Even better, both Panda and Prevx flag the uninstaller as suspicious:

skinner19.jpg

And even better than that, there are some people out there complaining that the uninstaller doesn't actually seem to be very good at, er, uninstalling things.

Ladies and Gentlemen, I give you the epitome of "complete disaster". Without a doubt, this is one of the worst uninstall routines I've seen in years, and you can put that on a wall and frame it.

Finally, there are a bunch of domains on the server hosting Messenger Skinner that are related to the parent company. Of particular interest is one called crazygirls-world.com (registered to the same guy as Messenger Skinner), which leads you to....

http://blog.spywareguide.com/upload/2007/09/skinner20-thumb.jpg

.....Dialer related porn on a site called "gad-network.com". Of course, it's no surprise that we see Gad-Network leads us back to the Favorit Network site.

.....wait, didn't I get a really amazing uninstaller from there once?

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Additional Research: Peter Jayaraj, FSL Senior Threat Researcher

This Week On Myspace....

Yep, more fake profile Friend requests. These ones are a little more interesting than usual, though.

First of all, this thing popped into my Inbox:

camw1.jpg

It's pretty obvious that this profile screams out "fake", so off we go to take a look and....

http://blog.spywareguide.com/upload/2007/08/camw2-thumb.jpg

....we see a big banner claiming "Need cash fast use easy Paypal system" with a blog entry proclaiming "$400 to Paypal". If you click the banner, you're taken to a site called "Vid-Share.com":

http://blog.spywareguide.com/upload/2007/08/camw3-thumb.jpg

I'd love to be able to tell you what the software on this site does that will generate you so much money, but to find out you have to send ?19.99, apparently without any idea as to what you're going to purchase.

Interestingly, if you Google Vid-Share.com, the top result (sitting above a number of pages on Myspace that have had this banner posted to them) is rather strange:

http://blog.spywareguide.com/upload/2007/08/camw4-thumb.jpg
Click to Enlarge

"Myspace Hacking / Welcome Welcome to myspacehacking we are the leading email account & myspace password recovery websites on the internet today."

....guess we'll go pay it a visit then.

http://blog.spywareguide.com/upload/2007/08/camw5-thumb.jpg
Click to Enlarge

Apparently, you can pay between $60 and $75 to recover a lost password for a variety of email systems, and the site also offers a number of downloads of the password crack / recovery variety. Some are free, but the one listed in orange needs to be paid for; no idea what it does, though:

http://blog.spywareguide.com/upload/2007/08/camwadd-thumb.jpg
Click to Enlarge

If you click around on the front page for a while, you'll see this message appear at the top of the screen (viewable in the main shot of the site above):

"<%'YOUR NOT SUPPOSED TO BE LOOKING THROUGH THIS INFORMATION IT WILL GET YOU NOWHERE!!%>"

I'm guessing this was only supposed to be visible if you were rummaging around in their HTML source (the <%' ... %> wrapper is classic ASP comment syntax, so presumably the page was served as plain text rather than processed server-side), but oh well. Some more exploring on Myspace follows, and it seems a wave of spam profiles have been set up with the express intention of pimping the Vid-share URL:

http://blog.spywareguide.com/upload/2007/08/camw6-thumb.jpg
Click to Enlarge

This one is extremely interesting, as (aside from the Vid-Share spam) it also has this in one of the blog entries:

http://blog.spywareguide.com/upload/2007/08/camw7-thumb.jpg
Click to Enlarge



"Do you need a Myspace password

Get your passwords here Myspacerecovery.com"

Sadly, there doesn't seem to be any cached version of the (currently down) site, so there's no way to check it out and compare it against the sites already mentioned. However, we DO seem to have an overabundance of spam profiles:

http://blog.spywareguide.com/upload/2007/08/camw8-thumb.jpg
Click to Enlarge

....aren't we the lucky ones?

Not too long ago, a number of blogs were apparently compromised and redirects were put in place to lead you to a rogue antispyware application called Malware Alarm. Well, it looks like whoever was behind it decided to ditch the idea of compromising blogs, settling instead for setting up hundreds of Spam Blogs, pasting in some Javascript and watching all Hell break loose.

All of the spam blogs seem to have been created in July; here's a short sample:

http://blog.spywareguide.com/upload/2007/07/splog1-thumb.jpg
Click to Enlarge
http://blog.spywareguide.com/upload/2007/07/splog2-thumb.jpg
Click to Enlarge
http://blog.spywareguide.com/upload/2007/07/splog3-thumb.jpg
Click to Enlarge

If you visit one of the infected sites, you'll see the "real" blog page appear for a second or two:

http://blog.spywareguide.com/upload/2007/07/splogcontent-thumb.jpg
Click to Enlarge

...and then you'll be redirected to content that could be classed as "undesirable", and that's being incredibly generous.

By searching on the code and URLs used in the hijack (there are at least two sites performing redirects in combination with the JavaScript employed by the bad guys), we can see that the grand total of blogs carrying this hijack so far is...

numberofsites1.jpg

...ouch. So far, around 1,694 blogs are carrying this redirect, and there could well be other blogs out there not accounted for yet. At this point, you're probably wondering what kind of content you're redirected to, right? Well, the answer is not particularly pleasant for any number of reasons. Some of the blogs will send you here:
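The "search on code / URLs used in the hijack" step is easy to automate. The Python below is an added example, not code from the original write-up: it pulls the three redirect hooks a splog like this relies on out of each page (a meta refresh, an inline location assignment, including the setTimeout form that lets the real page show for a second or two first, and a script tag pointing at a known redirector) and then groups the pages by the host they bounce to, which is how a redirector domain you haven't seen yet shows up. The sample pages and the redirector host names are constructed for the example.

```python
"""Pull redirect hooks out of spam-blog pages and group the pages by where they send you."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# JavaScript idioms that bounce the visitor elsewhere. The first form also catches the
# delayed variant setTimeout("window.location='...'", ms) that lets the real page show first.
_JS_REDIRECT = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=(?!=)\s*(['\"])(.+?)\1"
    r"|location\.replace\s*\(\s*(['\"])(.+?)\3"
)


class _PageCollector(HTMLParser):
    """Collects meta-refresh targets, external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.meta_refresh, self.script_srcs, self.inline_js = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(.+)", a.get("content", ""), re.I)
            if m:
                self.meta_refresh.append(m.group(1).strip().strip("'\""))
        elif tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_js.append(data)


def find_redirects(html, hijack_hosts=frozenset()):
    """Return (kind, target) pairs for every redirect hook found in one page.
    External scripts are only reported when they come from a known redirector host,
    because a blog legitimately loads scripts from elsewhere."""
    c = _PageCollector()
    c.feed(html)
    c.close()
    findings = [("meta-refresh", url) for url in c.meta_refresh]
    for js in c.inline_js:
        for m in _JS_REDIRECT.finditer(js):
            findings.append(("js-location", m.group(2) or m.group(4)))
    for src in c.script_srcs:
        if (urlparse(src).hostname or "").lower() in hijack_hosts:
            findings.append(("remote-script", src))
    return findings


def group_by_target_host(pages, hijack_hosts=frozenset()):
    """Map each redirect target host to the sorted list of pages pointing at it.
    A host that has never appeared in this map before is a new redirector to chase."""
    by_host = {}
    for name, html in pages.items():
        for _kind, target in find_redirects(html, hijack_hosts):
            host = (urlparse(target).hostname or "").lower()
            by_host.setdefault(host, set()).add(name)
    return {host: sorted(names) for host, names in by_host.items()}


# Constructed sample data: the redirector hosts and blog pages below are made up for this example.
HIJACK_HOSTS = frozenset({"redirector-one.example", "redirector-two.example"})
SAMPLE_PAGES = {
    "splog-a": """<html><head><title>Cheap Stuff</title>
<script type="text/javascript">
setTimeout("window.location='http://redirector-one.example/go.php?id=77'", 2000);
</script></head><body><p>Filler post text...</p></body></html>""",
    "splog-b": """<html><head><meta http-equiv="refresh" content="3;url=http://redirector-two.example/in.cgi?4">
</head><body><p>More filler.</p></body></html>""",
    "splog-c": """<html><head><script src="http://redirector-one.example/r.js"></script></head>
<body><p>Yet more filler.</p></body></html>""",
    "clean-blog": """<html><head><title>Real blog</title><script>var hits = 0; hits == 1;</script></head>
<body><p>A real post with no redirect.</p></body></html>""",
}

if __name__ == "__main__":
    for host, names in group_by_target_host(SAMPLE_PAGES, HIJACK_HOSTS).items():
        print(f"{host}: {len(names)} page(s) -> {', '.join(names)}")
```

Run against a crawl of suspect blogs, the grouping is the interesting output: pages that share a target host are one campaign, and a target host you have not seen before is the "other domains out there" the write-up warns about.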

http://blog.spywareguide.com/upload/2007/07/assault-thumb.jpg
Click to Enlarge

"Teenage Assault", a hardcore rape site so extreme in its content that the only thing we can show you in the screenshot is the title on the main page. Presumably anyone crazy enough to sign up to the site and pay the joining fee will earn whoever is behind this some affiliate related cash.

The second stop is....

http://blog.spywareguide.com/upload/2007/07/zlob-thumb.jpg
Click to Enlarge

Another spectacularly graphic page, this time a landing site for the ever-popular Zlob Trojans (which pose as Codecs needed to play pornographic content). There are many variations on these landing pages and the content is always a non-joy to behold.

Our final destination makes up the bulk of the redirects, and (as you might have guessed already) our finishing point is...

http://blog.spywareguide.com/upload/2007/07/malarm1-thumb.jpg
Click to Enlarge

....Malware Alarm! If you fall for the fake YOUR PC IS DOOMED advertising, then you'll see the below scanner doing its job (telling you your PC is still doomed, unless you pay them money to "unlock" the scanner and remove all those horrible infections it claims you have):

http://blog.spywareguide.com/upload/2007/07/malarm2-thumb.jpg
Click to Enlarge

Of course, if you don't pay up, then you can expect endless nag screens appearing in the middle of your screen like this:

http://blog.spywareguide.com/upload/2007/07/malarm3-thumb.jpg
Click to Enlarge

For now, the easiest way to avoid this is to disable JavaScript (that only stops the script-based hop, mind; a redirect done with a meta refresh or on the server side would still go through). We've notified Google, and as far as we can tell, they've already nuked every single example given above. As I mentioned earlier, there could well be other domains out there performing these redirects, so a little vigilance may be called for over the next few weeks. Either way:

http://blog.spywareguide.com/upload/2007/08/blog404-thumb.jpg
Click to Enlarge

....that's the best thing I've seen all day.

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, FSL Threat Researcher

Today, we'll see that even the simplest of hijacks can result in one seriously broken PC, and install what are apparently files related to a "non-profit" group taking orders from the Chinese Government's "Ministry of Information Industry" in the process. After observing a file in the database flagged by one of our researchers, I decided to take it for a test drive and see what happened. In theory, it should have been a straightforward search hijack. In practice, if this had been my "real" PC instead of a test box, I'd now be calling in the world's biggest platoon of priests and holy water.

Let's begin, shall we?

The product we'll be looking at is this thing. Starting off the action with the oldest file in the Database:

ssearch1.jpg

....it didn't take long before my PC started acting strangely. And by "strangely", I do of course mean, hijacked with a whole bunch of random bits and pieces of awfulness:

ssearch2.jpg

The above is what had been dumped into my System32 Folder. Not a lot to go on at this point, and things are about to get worse. Before my computer-based Apocalypse takes place though, let's have a look inside one of the files and see what's lurking:

ssearch3.jpg

...hmm. Randomly named file handed the task of calling down lots of executables? Usually not a good sign - especially as some of the files mentioned weren't actually showing up on the PC at this point. Hidden downloaders? Looks that way, doesn't it. However, before we can pursue this line of enquiry, all the tech forensics go out of the window when....

http://blog.spywareguide.com/upload/2007/04/ssearch5-thumb.jpg
Click to Enlarge

...Internet Explorer pops open, complete with new Toolbar related addition! Is this a good time to see if anything has been deposited into the Program Files directory? You bet:

ssearch6.jpg

....hooray! Randomly named folders and files mixed in with the Toolbar folder and something called CNNIC. Remember this, because we'll be coming back to it. For now, we'll quickly examine the Add-ons in Internet Explorer and see how many new additions there have been. The short answer is "lots":

http://blog.spywareguide.com/upload/2007/04/ssearch7-thumb.jpg
Click to Enlarge
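A screenshot of the Add-ons dialog is one thing; what IE actually loads is the list under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, with each CLSID resolving to its DLL through HKCR\CLSID\{clsid}\InprocServer32. The Python below is an added example, not code from the original write-up or from any of the products discussed: it parses a .reg export of those keys and flags the entries a researcher would look at first, namely DLLs dropped into System32 under random-looking names, entries with no friendly name, and BHO registrations with no CLSID record at all. The embedded export is constructed (made-up CLSIDs, names and paths), and the "random-looking" test is a rough heuristic, not a detection signature.

```python
"""Enumerate Internet Explorer Browser Helper Objects from a .reg export and flag the odd ones."""
import re

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# Constructed .reg export: the CLSIDs, names and paths are made up for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-AAAA-BBBB-CCCC-000000000001}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-AAAA-BBBB-CCCC-000000000002}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{33333333-AAAA-BBBB-CCCC-000000000003}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-AAAA-BBBB-CCCC-000000000001}]
@="Example Toolbar Helper"

[HKEY_CLASSES_ROOT\CLSID\{11111111-AAAA-BBBB-CCCC-000000000001}\InprocServer32]
@="C:\\Program Files\\Example Toolbar\\exbho.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{22222222-AAAA-BBBB-CCCC-000000000002}\InprocServer32]
@="C:\\WINDOWS\\system32\\kxq81wd.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg(text):
    """Parse the subset of .reg syntax needed here: [keys], "name"="string" and @="string"."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            # .reg files escape backslashes and quotes inside REG_SZ values
            value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = value
    return keys


def _random_looking(dll):
    """Heuristic (an assumption, not a signature): short lowercase letter/digit soup like kxq81wd."""
    stem = re.sub(r"\.dll$", "", dll.rsplit("\\", 1)[-1].lower())
    return (bool(re.fullmatch(r"[a-z0-9]{5,12}", stem))
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def assess(name, dll):
    """Return the list of reasons this BHO deserves a closer look (empty means nothing odd)."""
    if dll is None:
        return ["no-clsid-record"]
    flags = []
    if not name:
        flags.append("unnamed")
    if "\\system32\\" in dll.lower():
        flags.append("system32-dll")
    if _random_looking(dll):
        flags.append("random-looking-name")
    return flags


def list_bhos(reg):
    """Resolve every registered BHO CLSID to its friendly name and DLL path, in registry order."""
    lookup = {k.lower(): v for k, v in reg.items()}   # registry key names are case-insensitive
    prefix = BHO_KEY.lower() + "\\"
    bhos = []
    for key in reg:
        if key.lower().startswith(prefix):
            clsid = key[len(prefix):]
            base = "hkey_classes_root\\clsid\\" + clsid.lower()
            name = lookup.get(base, {}).get("(default)")
            dll = lookup.get(base + "\\inprocserver32", {}).get("(default)")
            bhos.append({"clsid": clsid, "name": name, "dll": dll, "flags": assess(name, dll)})
    return bhos


if __name__ == "__main__":
    for b in list_bhos(parse_reg(SAMPLE_REG)):
        print(b["clsid"], b["name"] or "<no name>", b["dll"] or "<no CLSID record>",
              ",".join(b["flags"]) or "ok")
```

On a real box you would feed it the output of `reg export` for the two hives rather than the embedded sample; the flagged DLLs are the ones to hash and pull off the machine before it keels over, as the one in the write-up did.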

As I'm sure you'll agree, there's a fair number of Browser Helper Objects in there! At this point, I decided to give the Toolbar a go and see whether it worked or not. After entering a search for "Paperghost", this is what I got:

http://blog.spywareguide.com/upload/2007/04/ssearch9-thumb.jpg
Click to Enlarge

The results are served by the Baidu search engine. However, check out the bottom right-hand corner: when the Toolbar was activated, a "fake warning" appeared telling me my PC had been infected and I needed to run a scan. Coincidence? Possibly. Either way, before I could click the warning and see which wonderful rogue product was about to greet me, the whole system collapsed and died in a horrible, horrible mess.

From this point onwards, the test PC would not function unless run in Safe Mode, and even then, only for a limited amount of time before rebooting itself. After a couple of attempts, I finally managed to get into the desktop and saw some new icons had appeared in Internet Explorer:

ssearch10.jpg

The yellow money-bag thing is for the Sofa Toolbar - however, the toolbar would no longer work, and it was impossible to reinstall it. Remember CNNIC? Well, clicking the blue icon on the left takes you to....

http://blog.spywareguide.com/upload/2007/04/ssearch11-thumb.jpg
Click to Enlarge

...the China Internet Network Information Center!

From Wikipedia:

China Internet Network Information Center: founded as a non-profit organization on June 3, 1997, is the administrative agency responsible for Internet affairs under the Ministry of Information Industry of the People's Republic of China.

.....uh, okay, Government related webpages appearing in a hijack....new one on me. But wait, there's more:

Software produced by CNNIC

* Official version of Chinese url software, which is Malware. It installs in the user's system secretly and compulsorily, and will be automatically re-installed after you uninstall or delete it.

I had to do a little more digging than usual to find out more information on this one, because I couldn't actually get the thing to work, but one Antispyware team alleges the CNNIC software is used to hijack search results, and "also hijacks 404 pages to a controlling web server in China". In addition, you can see complaints regarding CNNIC software here and here.

Closing down Internet Explorer, I jumped over to the System32 Folder to see if anything new had been added. The answer was a resounding "yes":

http://blog.spywareguide.com/upload/2007/04/ssearch12-thumb.jpg
Click to Enlarge

No wonder the PC kept keeling over, because the System32 Folder had been completely overrun by a huge amount of files (the full list of things dumped into that folder would probably have required 3 or 4 full screenshots stitched together to give you an accurate idea of what was going on in there). A few more reboots, and eventually the fake popup from earlier on returned:

ssearch13.jpg

I was able to grab one final screenshot before the PC went into a sort of Permadeath, and we were finally able to see what rogue application had been installed:

http://blog.spywareguide.com/upload/2007/04/ssearch15-thumb.jpg
Click to Enlarge

....BraveSentry! After that, the test box was officially DOA. The total time taken to install all of these components was roughly ten minutes - from a seemingly harmless executable that promised maybe a Toolbar or something at best, and a few runs of your favourite Antispyware scanner at worst. If you value your PC, your sanity and your rapidly dwindling supplies of Internet Holy Water, steer well clear of this one...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
File Discovery, Research: Chris Mannon, FSL Senior Threat Researcher

There's a long line of browsers that have completely failed to enhance end users' security and peace of mind on the web: Yapbrowser, which redirected you to illegal porn with the click of a button; the "Safety Browser", which was anything but safe and arrived in the form of an Instant Messaging hijack; Browsezilla, which allegedly increased the hit count for various adult websites; and now, fresh out of the blocks, NetBrowserPro.

For some reason, the majority of these browsers want to convince you of their focus on security. Look at Yapbrowser's resurrection, where they laid claim to a 100% "guarantee" that no malicious code would enter your system while using the browser. Or Safety Browser, which had popups enabled by default and hijacked your IE start page.

NetBrowserPro (whose website actually shares the same IP address as Browsezilla - 216.255.178.220) follows this noble tradition, with the bold claim that:

"NetBrowserPro is the internet browser which aimed to the one thing - help you to watch porn.
Secure, confidential, quick and free.

Secure? Sure it is! About half of all "free porn sites" tries to install trojan or adware program to your computer in some way. According to the researches Internet Explorer was vulnerable to intrusions during 284 days of the last year!. You could always use other browser, like, for instance, Firefox, but it was vulnerable as well, however, during less than 56 days. Some people use antiviruses, but in practice antiviruses databases are being updated less frequently than the virus-makers release new viruses. However, all vulnerabilities are quite similar and do have similar methods of penetration. These methods use browsers' built-in features. In common life you do need such features to visit simple online shops, banks and other sites, but you don't need these features when you surf porn. NetBrowserPro uses only features, which are necessary to surf porn, it switch everything except this off. So there is absolutely no gap for the virus."

Well, there's probably no "gap for the virus" because, according to Rootkit Revealer, it comes with its very own rootkit! (RootkitRevealer works by comparing what the Windows API reports with a raw read of the file system and registry; a discrepancy like the one below means something is hiding files or keys from the normal view.)

http://blog.spywareguide.com/upload/2007/03/netbpro1-thumb.jpg
Click to Enlarge

How does this all begin? With a download of something called "121.exe" from the NetBrowserPro website, assuming you liked the sound of the product enough to download it in the first place:

http://blog.spywareguide.com/upload/2007/03/netbpro2-thumb.jpg
Click to Enlarge

Once downloaded, if the user runs the file they'll be faced with the following box containing the kind of EULA that I refer to as a "free for all" - because they effectively want you to agree to them updating pretty much whatever they want, whenever they want without having to notify you. Again, note the reference to "security":

http://blog.spywareguide.com/upload/2007/03/netbpro3-thumb.jpg
Click to Enlarge

It seems "security" is equated with the removal of choice and forcing you to accept their definition of what security might entail: take it or leave it, effectively. But how do we know they've made the right choices with regard to their "browser security"? Of course, the answer is we don't.

Once you click through, a site called Codecaddon.com ("Codec Add-on") is contacted, and you are shown a EULA for something called MovieCommander:

http://blog.spywareguide.com/upload/2007/03/netbpro4-thumb.jpg
Click to Enlarge

Wondering what it is? Well, the Codecaddon.com website is a big clue. Look at the graphics and site layout below:

http://blog.spywareguide.com/upload/2007/03/netbpro9-thumb.jpg
Click to Enlarge

....and compare and contrast with the second site listed on this writeup from Sunbelt Software. As you can see, the site is a carbon copy of TVCodec.com. These are known as "fake codecs", and installing them is a very bad idea. Interestingly, many of the sites on the same IP address as both NetBrowserPro and Browsezilla are porn galleries that prompt you to install fake codecs to view their content.

Once everything is installed, the browser will autostart on your desktop. Before we get to the browser itself, look at the logo:

netbpro6.jpg

...seem familiar? It should, because it's almost identical to the Netscape Navigator logo. Indeed, the font used for the N appears to be identical to the Netscape one. We've seen "alternative" browsers use logos that are similar to more familiar browsers before (the Safety Browser did a poor imitation of the Internet Explorer logo, for example). The reason for this similarity can be anything from a lack of creativity on the part of the graphic designer to (in more malign cases) a desire to fool the user that it's somehow related to the more mainstream brand.

Of course, it could just be one huge coincidence.

At this point, we can finally take a look at the browser:

http://blog.spywareguide.com/upload/2007/03/netbpro5-thumb.jpg
Click to Enlarge

Note that the (limited) options at the top include the ability to turn images on and off, add links, and "boss", which presumably is a panic button for when you're in the workplace. I'm not entirely sure who would be using this in any sort of workplace, but at any rate, that's about all you can do with this thing. As for your saved bookmarks, the NetBrowserPro website states:

"Moreover, all bookmarks are being kept on the remote server, which excludes the opportunity of viewing them, even with the full access to the computer."

We have absolutely no information about their "remote server", its security, what they do with the stored information or anything else. Does this sound "secure" to you? However, worse is to come. NetBrowserPro lets you click into apparently random galleries of porn hosted elsewhere. Sadly, many of the links take the user to the kind of redirect sites that contain nothing but hundreds of images of all sorts of random pornography; anyone who has been caught in a porn trap will know the kind of pages I'm describing. While most of these redirects serve up "regular" porn, one or two took me to sites containing what I can only describe as a couple of "dubious looking" models. They may well be of legal age, but when the initial reaction to an image is "how old?", that is never a good indicator of the overall content of those sites, or of what they link to. As the sites served up by the browser seem to be randomly selected each time you fire it up, there's no real way to know what you're going to get, and that's a surefire way to have your product dropped off a cliff in a hurry. Can the people behind NetBrowserPro absolutely guarantee that none of the redirects will take you to something you'd rather not see? That all of the people serving up the content they link to are 100% legitimate? I don't see how that's physically possible, and because of this random element of chance, of having to put blind faith in a product that apparently uses rootkit / fake codec technology, I'd advise end users not to install and run this program.

Sadly, yet another browser joins Yap, Safety and BrowseZilla in the naughty corner...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

YouTube is probably the hottest of the so-called "Web 2.0" commodities out there right now, and its recent acquisition by Google won't have done any harm to that way of thinking. Of course, the fact that YouTube allows you to share its content raises the possibility that those files might appear in all manner of strange places.

Well, here's a perfect example of people jumping on the Web 2.0 bandwagon, offering up a (frankly bizarre) "media player" that

a) doesn't actually offer up much media and
b) doesn't play them half the time, either.

A group of files have been seen floating around the eDonkey network, and they offer up some surprising results.

http://blog.spywareguide.com/upload/2007/02/ytplayer5-thumb.jpg
Click to Enlarge

No EULA is displayed - depending on which of the two installers you execute, the program will simply run on the desktop or give you a bare bones installation. You'll then see this:

http://blog.spywareguide.com/upload/2007/02/ytplayer10-thumb.jpg
Click to Enlarge

...the introductory splash page might look interesting, but you'll notice that there are very few buttons on the player, and half of what's there isn't actually clickable. When we continually hear a lot about the "value proposition" of installing X in return for Y, this doesn't bode well does it? Pressing the "click here to continue" message brings up a "Locating Videos" message, and you'll note the first advert served up inside the player...in this case, an advert that was apparently for the Wall Street Journal but was eventually revealed to be for GoToMyPc (what you see in the screenshot is all we saw before the YouTube clips started to play. Thanks to a reader for the heads up). I don't personally have (much of) an issue with Adverts served to me inside an application (as opposed to firing all around the outside of it), but some people might take issue with this, especially as there was no EULA and no indication that there would be adverts at all.

Are these targeted ads? Adverts served up based on browsing history? Region specific? Who knows, as nobody told you. At any rate, the supposed "media content" loads up, and you might be surprised to find....

http://blog.spywareguide.com/upload/2007/02/ytplayer6-thumb.jpg
Click to Enlarge

.....YouTube movies!

Completely bizarre YouTube movies, at that - this example is a strange Lute playing session; another notable clip we saw was a 20 second clip of some guy telling us about his new book:

http://blog.spywareguide.com/upload/2007/02/ytplayer4-thumb.jpg
Click to Enlarge


....though the clip is in Italian, the translation is that he's talking about his new work, "Experiments in Temporary Happiness", a "passionate romantic novel" apparently. There's no indication that either of these two clips has any involvement with the player; they seem to be two random movie files that happened to play more than most. You can learn more about the author's work here.

Putting aside our foray into the world of romantic literature, you might find yourself disappointed if you're expecting a constant stream of YouTube clips. Apart from the fact that an avid Youtube fan would simply....go to YouTube to watch them in the first place, this program only ever seemed to serve up one of the two clips mentioned above. Sometimes we'd get a flurry of other clips before it died out, but half the time, our research team couldn't even get the movies to play. Geographical targeting, perhaps?

Underneath the movie panel, you'll note three icons - one takes you to an online backgammon site, one takes you to a scratch card game and the other provides you with the option of logging into the Skype website. Why? No idea. That's just the way this thing rolls!

Beside the icons, a banner says "powered by Hobby-Tent.com". However, the truth is a little stranger than that. A site called Zapu.com provides "net acceleration" services, and also offers a toolbar that does much the same thing.

Why is Zapu relevant?

Because they're hosting the text served up by the media player:

http://blog.spywareguide.com/upload/2007/02/ytplayer1-thumb.jpg
Click to Enlarge

In addition, Zapu also hosts some of the smaller image files such as the "powered by hobby-tent" banner.

Exploring Hobby-Tent

This is where it gets really interesting. Hobby-tent is a site that links to a bunch of Youtube movies - aside from that, it's stuffed full of adverts designed to generate income.

http://blog.spywareguide.com/upload/2007/02/ytplayer7-thumb.jpg
Click to Enlarge

The site is currently down, but for some strange reason, there IS one directory still available:

ytplayer8.jpg

..."Papa Player"? What on Earth could that be? Oh well, let's download it and take a look....

http://blog.spywareguide.com/upload/2007/02/ytplayer9-thumb.jpg
Click to Enlarge

Still no product specific EULA, but this time we do have an agreement for WhenU. Ironically, the version of this media player NOT circulating in P2P networks doesn't actually work, as you can see from the below screenshot. Note the "page not found" message, as the program attempts to pull up the "Thank you for using our hottest web videos personal player" text and fails miserably - again, from Zapu.com:

http://blog.spywareguide.com/upload/2007/02/ytplayer12-thumb.jpg
Click to Enlarge

So far, then, we have THREE different versions of a "media player", THREE websites involved in distribution and / or hosting various pieces that make up the whole (we cover the final site below), TWO YouTube movies that made no sense whatsoever (though they made a lasting impression!) and ONE Adware vendor caught in the middle of it all.

There's still one piece of the puzzle left....

DV-Networks.com

Remember the three clickable links in the Media Player that took you to scratchcard games, Skype and backgammon? Well, clicking those links would redirect you to your destination from a site called DV-Networks.com. Visiting the site gives you a holding page, claiming it will redirect you to a site called "Iportent.com", though this never actually happens.

However, some quick digging later and you'll find the below - a bunch of icons, possibly related to some other program, that take you to sites related to "free international calls" and "PC Tune ups". It's the final image that interests me, though:

http://blog.spywareguide.com/upload/2007/02/ytplayer13-thumb.jpg
Click to Enlarge

...note the link to Zapu.com from the final icon, and the Alt text..."Hottest Web Videos", which is the name of the media player. Clicking that link takes you to this page, which seems to be a holding area for numerous streamed movie clips from sites similar to Youtube:

http://blog.spywareguide.com/upload/2007/02/ytplayer14-thumb.jpg
Click to Enlarge

...are these clips supposed to stream via the Media Player too? It's hard to say, though for now it looks like YouTube is the primary focus.

Why is DV-Networks.com particularly interesting? Well, a quick Google didn't reveal much about the site....however, this link is particularly interesting. It's a forum post on Spamcop relating to some application that caused some consternation amongst the users:

3. There are discrepancies regarding the name of the person behind this software. On the referenced website, his name is given as "Barak Abutbul" and yet in the domain name registration, it appears as "Barak Avitbul." My knowledge of Hebrew is limited, but I don't think that sort of discrepancy is due to transliteration issues...he gave the name differently in different situations. For example, he posted information about another of the "MinuteGroup" programs (VCatch) at Winsite, using the "Avitbul" version of his name:

http://www.winsite.com/bin/Info?4754

4. The two partners listed on the "minutegroup" site apparently have had some other joint projects. Here's a mockup of their "DV Networks" site I found on the site of the company that designed the "minutegroup" site:

http://www.121webdesign.com/customers/dvnetworking/

However, when you go to:

http://www.dv-networks.com/

you'll see that this operation is no longer active at that URL, in that it displays a logo for "IPortent" and says "Formely [sic] DVNetworks."

Now, if you check out the About Us page on the Zapu site, one of the founders is named as...Barak Abutbul. The forum post continues:

"5. If you Google "Barak Abutbul," you'll find some rather disturbing references to this man as being part of a group of hackers (or crackers?) who were charged with breaking into computers at the "Pentagon, US Navy, NASA, MIT, Harvard, Yale, Cornell, Stanford, the Israeli Parliament. Hacked two Israeli ISPs obtaining names and passwords of subscribers." The news articles say that Abutbul reached a plea agreement in exchange for testifying against the others."

...is this the same individual? Certainly, Googling the name does indeed return some incredibly troublesome results. Check out the data from a packet capture as the player installed and phoned home:

http://blog.spywareguide.com/upload/2007/02/ytplayer15-thumb.jpg
Click to Enlarge

...note the name "baraka" highlighted in red.

If it's not the same person, it's certainly a strange collection of chance happenings and coincidences. At any rate, I'd be very wary about using this media player - especially as quite a few other Vendors detect this particular file:

http://blog.spywareguide.com/upload/2007/02/ytplayer24-thumb.jpg
Click to Enlarge

"Experiments in Temporary Happiness"? In this case, I'd say that's an entirely appropriate description...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Technical Research: Peter Jayaraj, FSL Threat Researcher
Supplemental / E-Commerce Research: Wayne Porter, Senior Director Special Research

Noted blogger John Battelle reports in his blog, drawing on a couple of pieces, on who Google (NASDAQ:GOOG) is working with these days.

One example from HomeLandStupidity.us he references:

IT contractors and intelligence officials familiar with the arrangement confirmed to HSToday.us that Google had been providing assistance to the intelligence community, but would not say under what authority that assistance had been requested or provided.

The intelligence community appears to be interested in data mining Google's vast store of information on each user who uses Google's services. Google collects data on each user's search queries, which web sites users visited after making a query, and through its Google Analytics service, can also track users on cooperating web sites. It's not clear what level of access to or how much of this information has been made available to intelligence agencies.

John goes on to note:

This might be filed in the Tin Foil Hat category, or it might be something we look back on and wonder how we ever missed it. I don't have any idea which. That alone sort of scares me.

The story says that Google is working with the Govt. in the war on terror. It depends a lot on ex CIA agent Robert Steele, who may or may not be a trustworthy source.

I've seen this story all over the place this weekend, and it strikes me as possibly accurate on at least one level: If the CIA/Dept. of Homeland Security was NOT trying to secretly work with Google, it's even lamer than we might imagine. After all, the company has just about the best infrastructure in the world to help them do their job. Is it legal? Moral? Right? Another question entirely....

This is ironic for two reasons:

1) Chris Boyd (Microsoft Security MVP and head of our Malware Research Labs, currently on hiatus preparing for our talk at the RSA show and something he wants to talk about called The Fourth Wall) and yours truly, Wayne Porter (also a Microsoft Security MVP, Director of Special Research, currently working on e-commerce analysis), were recently, along with the FaceTime Communications team and our Security Labs team, noted publicly on Google's security thank-you page:

Google Thanks You: People and organizations with an interest in security issues have made a tremendous contribution to the quality of the online experience. We are grateful for the responsible disclosure of security vulnerabilities in our software. On behalf of our millions of users, we would like to thank the following individuals and organizations for going out of their way to improve the Google experience for everyone:

* Alex Shipp, Messagelabs
* Bryan Jeffries
* Castlecops
* H D Moore
* Jeremiah Grossman
* Johannes Fahrenkrug
* Martin Straka
* Team Cymru
* Yahoo! Paranoids
* Wayne Porter & Chris Boyd, FaceTime Communications
* Alex Eckelberry, Sunbelt Software
* Richard Forand

I add as an odd aside that after I commented on an article at ThoughtShapers about Google's move into podcasting/AdSense and how it is tearing up top-down media, all kinds of people pinged me to ask whether I was one of the "trusted sources" who leaked this to Jeff Molander. The answer is no. I made that clear on my personal blog, notably here (The Google Rumor Mill Redux - Getting Details Straight) and as an aside here: Leaked Papers and Google Adsense.

Going back to John's observations, though, I have no idea how, or in what capacity, Google is working with Homeland Security; I am just a cog. With their processing and information-gathering power, I would be hard pressed to say it wouldn't make sense for DHS and/or the CIA to want to do so.

Remember that GUID I talked about at Revenews? (Note: GUID is a Globally Unique Identifier. A GUID is often a pseudo-random number used in software applications. Each generated GUID is "statistically guaranteed" to be unique.)

For example, the concept of a GUID, or simply the longer someone uses a service (even anonymously and in aggregate), makes it easier to determine who they are. Granted, Google may not have any nefarious purposes for this, but what happens when other agencies do? You might be "anonymous" to Google, but when another agency plays connect-the-dots after obtaining access to your machine and subpoenas activity around a GUID, you aren't so anonymous anymore. In reality, you become an online novel: I can perhaps establish your character by your queries. Of course, this risk exists with any tracking mechanism, but a service as ubiquitous as Google, especially one that looks at queries, is all the more potent.
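To make the linkage point concrete, here is an added example (not code from the original post or from Google) that groups a constructed query log by a persistent GUID, then by a hypothetical rotating pseudonym that a service could use instead. The log lines, the GUID and the server secret are all constructed here.

```python
import hmac
import hashlib
import uuid
from collections import defaultdict

# Constructed sample log: one client whose persistent GUID is sent with
# every query over three days (the GUID value itself is generated here).
CLIENT_GUID = str(uuid.uuid4())
LOG = [
    ("2006-05-12", CLIENT_GUID, "tax software"),
    ("2006-05-12", CLIENT_GUID, "nearest pharmacy"),
    ("2006-05-13", CLIENT_GUID, "nsa wiretapping"),
    ("2006-05-14", CLIENT_GUID, "job openings"),
]


def link_by_guid(log):
    """Group queries by the raw GUID: every line for one client joins up,
    so whoever holds the log can read the whole sequence as one profile."""
    profiles = defaultdict(list)
    for _day, guid, query in log:
        profiles[guid].append(query)
    return dict(profiles)


def daily_pseudonym(guid, day, secret):
    """Hypothetical mitigation: a keyed hash (HMAC) of GUID and date. The same
    client gets a fresh pseudonym each day, and without the secret a third
    party holding the log cannot recompute the link back to the GUID."""
    mac = hmac.new(secret, f"{day}|{guid}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def link_by_pseudonym(log, secret):
    """Same grouping, but on the rotating pseudonym: cross-day linkage is gone."""
    profiles = defaultdict(list)
    for day, guid, query in log:
        profiles[daily_pseudonym(guid, day, secret)].append(query)
    return dict(profiles)


if __name__ == "__main__":
    print(link_by_guid(LOG))                          # one key, four queries
    print(link_by_pseudonym(LOG, b"server-secret"))   # three keys, at most two each
```

Rotating the pseudonym limits how much of the "novel" can be read from the log alone; it does not help once the GUID itself is recovered from the client machine, which is the scenario the paragraph above describes.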

2) I do know that Homeland Security does pay attention to cyberthreats, as they should. I was surprised to find some of our research in their daily briefing reports, specifically around some notable worms. These reports, a.k.a. the DHS Daily Open Source Infrastructure Report (Daily Report), are a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. They divide it up by the critical infrastructure sectors and key assets defined in the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets.

An example: this one was over the KMeth worm, which I find interesting.

  • Kmeth Worm noted by DHS [PDF Document]
  • Most of these Daily Briefings, which are free and unclassified, appear on the DHS.gov site, although to search them you need to use the FEMA.gov site...

Tin foil hats? I don't know. Safety, privacy and security are all different but related, and require a delicate balance. Then you have to think back to the NSA wiretapping scandal. Did people really notice? Did they really care?

Take a look at Google Trends (given the question, is this a good place to validate it?). Google Trends is a fairly good indicator of search activity. It is an indirect reflection of what is going on online.

Here we see the terms: wiretapping, NSA scandal, wiretapping scandal, wire tapping

[Chart: Google Trends for the terms above]

Interesting... there is some movement there.

Now: NSA scandal, wiretapping scandal, ATT scandal, NSA wiretapping, phone tapping

[Chart: Google Trends for the terms above]

Nada, zilch. Not even if you analyze U.S. queries only, despite major press coverage. Try your own strings and see what turns up.

Of course, per Google: "Google Trends aims to provide insights into broad search patterns. As a Google Labs product, it is still in the early stages of development. Also, it is based upon just a portion of our searches, and several approximations are used when computing your results. Please keep this in mind when using it."