Results matching “A Better Internet” from SpywareGuide Greynets Blog

I'm amazed by this - my good friend LoLo (who was writing about & shutting down Myspace scams when I was knee high to a grasshopper or something) has been sent a frankly ludicrous scaremail by EBay / Paypal, in relation to a screenshot of a phishing mail in a phish dissection post.

Seriously.

Dear ISPrime, Inc.,

We have just learned that your service is being used to violate PayPal trademarks and/or copyrights. Specifically, it appears that an ISPrime, Inc. user is hosting a page at 64.111.214.22 - http://www.ghettowebmaster.com/images/paypal-phishing-email.gif which uses our trademarks inappropriately.

While we believe that the above information gives your company more than a sufficient basis for disabling the page immediately, out of caution we note that your user's unauthorized reproduction of PayPal trademark and copyrighted materials violates federal law, and places an independent legal obligation on your company to remove the offending page(s) immediately upon receiving notice from PayPal an eBay, Inc. company, the owner of the copyrighted materials. Accordingly, the information below serves as PayPal's notice of infringement pursuant to the Digital Millennium Copyright Act, 17 U.S.C. Section 512 (c)(3)(A):

It gets better - or should that be worse:

Finally, please be advised that we have referred this issue to the Federal Bureau of Investigation for their investigation. The F.B.I. has requested that we convey to you in this message their request that you preserve for 90 days all records relating to this web site, including all associated accounts, computer logs, files, IP addresses, telephone numbers, subscriber and user records, communications, and all programs and files on storage media in regard to all Internet connection information, pursuant to 18 U.S.C. § 2703(f). While we do not act as an agent of the FBI in conveying this request, we do intend to fully cooperate with their investigation, and encourage you to do so as well.

eBay/PayPal Inc.
Audit and Investigations
securityalerts@ebay.com

Jaw dropping. Did the person who initiated this fiasco not bother to check the original post? Because if you're going to dissect a phishing mail while warning people about it, it tends to help if you put a screenshot or two up. However, rather than go after the phisher, they tried to swing the banhammer at the good guy. Generally, you'd think people who are doing your brand a favour by alerting the general public to scams regarding your website are NOT the people you should be aggravating, because good will and a general desire to help quickly evaporates when faced with stupidity such as this.

If you run a security blog and happen to get one of these wonderful missives sent to your ISP (or even better, through the post) then please, let us know. As for EBay / Paypal - taking ten seconds to digest the content of a blog post works wonders...

Pastebin Botnets?

I've always been interested in Botnet research, and a piece of code in circulation on forums at the moment seemed interesting enough to write about. The subject is "Pastebin Botnets", but first we'd better talk a little bit about Pastebins...

Pastebins - what are they?

From Wikipedia:

A pastebin, also known as a nopaste, is a web application which allows its users to upload snippets of text, usually samples of source code, for public viewing. It is very popular in IRC channels where pasting large amounts of text is considered bad etiquette. A vast number of pastebins exist on the Internet, suiting a number of different needs and provided features tailored towards the crowd they focus on most.

Pastebins have become very popular in certain hacking communities, where quick and easy sharing of a target's personal information ("Dox") is perfectly at home in the world of pastebins.

pbinbot1.jpg

That's for another writeup, but at least we now have a decent idea of Pastebins and how easy they make things where rapid sharing / storage of data is concerned.

What does this have to do with Botnets? Well, over the past week or two I've seen a piece of code floating around on various forums that (according to the author) has the potential to be used in conjunction with a Pastebin to issue commands to a Botnet. I'm not aware of pastebins being used for issuing Botnet commands (though of course that doesn't necessarily mean it's a new technique) and was curious to see if this is indeed something relatively new or a method that's been around for a while.

Why is a Pastebin Botnet a good idea for a Botnet owner?

In a nutshell, the Botnet owner can post Botnet drone commands quickly and without fuss to a Pastebin page (your "Botnet Hub"), and the drones will carry out those commands.

Web based Botnets have been all the rage for some time, as they're usually harder to detect than the rather obvious IRC traffic of old. There are some other advantages, too - Pastebins are plentiful and the main sites (such as Pastebin.com) are rarely offline.

In addition to this, you don't have to waste time setting up webpages & hosting accounts while hoping your host doesn't shut you down - it's simply a case of cutting and pasting text onto a Pastebin. If your page dies, it takes seconds to start again (as a sidenote, there's an interesting recent post here regarding the use of RSS feeds in conjunction with Pastebins to issue commands to Botnets from changing locations which is pretty smart).

As you can see then, Pastebins appear to be a bit of a hot topic for people discussing Botnets at the moment and a clever spin on web based Botnets in general. So how does it work?

Ye Olde Disclaimer

Although the idea behind it is sound, it seems the code doing the rounds on various forums (written in Perl) is "proof of concept" and would need some work doing to it to unleash a fully formed Botnet. Despite this, according to the creator it can already read pastebin posts for text (which are then used to issue commands to the Bots), post in the previously mentioned "Botnet hub", post in its own individual private pastebin, and get the latest post by the botnet owner.

Here's a few screenshots of said code:

pbbnet2.jpg


pbbnet3.jpg

The idea of using Pastebins in this way is a clever one - I've seen people post Bot drone code (which needs compiling in an external application) to Pastebin pages for "storage" many times (in much the same way people post "dox" to pages for safe keeping), but this is the first time I can remember seeing someone thinking about using a Pastebin itself to act as a kind of Command & Control center for a Botnet.
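The flip side of "harder to detect than IRC" is that a drone taking orders from a "Botnet hub" paste has to keep fetching that paste, and a polling loop leaves a very regular footprint in web proxy logs that human browsing does not. The script below is an added example (it is not code from the original post, nor the Perl proof of concept it describes) that groups requests to paste sites by client and URL and flags series that are both frequent and evenly spaced. The log format, the PASTE_HOSTS list, the thresholds and the sample log lines are all constructed for the example.

```python
"""
Added example: spot hosts that poll a paste site on a fixed schedule, the footprint
a drone reading commands from a "Botnet hub" paste would leave in proxy logs.
Assumed (not from the post): the "timestamp client method url status" log format,
the PASTE_HOSTS list, the thresholds and the constructed SAMPLE_LOG.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Paste services to scope the check to (assumed list; extend for your environment).
PASTE_HOSTS = {"pastebin.com", "pastie.org", "paste.ubuntu.com"}

# One record per line: ISO timestamp, client IP, method, URL, status (assumed format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")

# Constructed sample log. 10.0.0.7 fetches the same raw paste roughly once a minute;
# 10.0.0.8 browses a paste site a couple of times; 10.0.0.9 polls a non-paste URL.
SAMPLE_LOG = """\
2009-05-12T10:00:00 10.0.0.7 GET http://pastebin.com/raw.php?i=7Gh2kQ 200
2009-05-12T10:00:14 10.0.0.9 GET http://www.example.com/update.xml 200
2009-05-12T10:00:35 10.0.0.8 GET http://pastebin.com/ 200
2009-05-12T10:01:01 10.0.0.7 GET http://pastebin.com/raw.php?i=7Gh2kQ 200
2009-05-12T10:01:14 10.0.0.9 GET http://www.example.com/update.xml 200
2009-05-12T10:02:00 10.0.0.7 GET http://pastebin.com/raw.php?i=7Gh2kQ 200
2009-05-12T10:02:14 10.0.0.9 GET http://www.example.com/update.xml 200
2009-05-12T10:02:59 10.0.0.7 GET http://pastebin.com/raw.php?i=7Gh2kQ 200
2009-05-12T10:03:14 10.0.0.9 GET http://www.example.com/update.xml 200
2009-05-12T10:04:02 10.0.0.7 GET http://pastebin.com/raw.php?i=7Gh2kQ 200
2009-05-12T10:04:14 10.0.0.9 GET http://www.example.com/update.xml 200
2009-05-12T10:05:00 10.0.0.7 GET http://pastebin.com/raw.php?i=7Gh2kQ 200
2009-05-12T10:05:14 10.0.0.9 GET http://www.example.com/update.xml 200
2009-05-12T11:12:45 10.0.0.8 GET http://pastebin.com/raw.php?i=7Gh2kQ 200
"""


def parse_log(text):
    """Yield one dict per well-formed line; lines that do not match the format are skipped."""
    for raw in text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        yield rec


def find_paste_beacons(text, min_hits=5, max_cv=0.15):
    """
    Group paste-site requests by (client, url) and flag series that are frequent
    (>= min_hits) and regular: coefficient of variation of the gaps between requests
    <= max_cv. Human browsing is bursty; a polling loop is not.
    """
    series = defaultdict(list)
    for rec in parse_log(text):
        host = (urlsplit(rec["url"]).hostname or "").lower()
        if host in PASTE_HOSTS:
            series[(rec["client"], rec["url"])].append(rec["ts"])

    findings = []
    for (client, url), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"client": client, "url": url, "hits": len(times),
                             "mean_interval_s": avg, "cv": cv})
    return findings


if __name__ == "__main__":
    for f in find_paste_beacons(SAMPLE_LOG):
        print(f"{f['client']} polls {f['url']} every ~{f['mean_interval_s']:.0f}s "
              f"({f['hits']} hits, cv={f['cv']:.3f})")
```

On the sample, only 10.0.0.7 is reported: six fetches of one raw paste with gaps of 58 to 63 seconds. The client polling www.example.com just as regularly is deliberately out of scope here, but dropping the PASTE_HOSTS filter turns this into a general beaconing check, at the cost of having to triage legitimate update pollers.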

If you've seen this technique before, feel free to share your thoughts in the comments - it's certainly one of the more interesting Botnet ideas I've seen in a while.

Here's a website called GamingHarbor.com, which is a site claiming to offer "free games" in return for installing a Toolbar. The site is owned by a company based in Cheung Sha Wan, Hong Kong.

Aside from the rather suspect "Limited Time" notice on the splash page (does anyone actually believe claims like that?) and the fact that certain links taking you to the page will display "for your region only" messages despite the fact that anyone can clearly download it from anywhere, the biggest bit of truth stretching is reserved for the large image splash guaranteed to get any gamer salivating:

Oblivion! Dead Rising! Fable 2! Grand Theft Auto 4! You're not actually going to get any of these games, but who cares - if they convinced a passing user to download and install this Toolbar on the strength of that graphic then "Dubious Marketing 101" has done its job.

The program itself comes from desktopsmiley.com, and continues to put the idea into the mind of the downloader that there'll be some sort of console related "bonus" at the end of all this by making the Executable look like the buttons on a Playstation 2 joypad:

gharbor2.jpg

The installer splash screen continues this trend - not content with riffing off the back of what might be the most famous joypad related button icons in memory, they then throw in what's clearly designed to be an XBox 360 joypad graphic too:

ghrbz100.jpg

The Playstation button icons floating off directly above it is a nice touch, I guess. Anyway, we're only moments away from what must be some amazing console type deal and then...

gharbor3.jpg

....horror of horrors! For some reason, they don't want this to be installed on a virtual PC! Could this be because they really don't want people like myself testing it then telling the World how bad a deal it is?

Oh well, time to break out a real PC then. You'd think people would learn by now that if someone wants to test something, then they're going to test it. Anyway...

gharbor4.jpg

...wait. Internet optimizers, cashback assistants and media access startup? What are those? Why do I want them? Who knows, but wading through the EULA that's practically biblical in length doesn't really help. Onwards and upwards, we agree to the install and then...


Oh good. Bingo.

...we find the Toolbar is indeed installed, and our browser is taking us to a website about bingo. The fact that there's no visible sign anywhere on the desktop in relation to optimizers or cashback assistants doesn't trouble our gamer - he just wants to go PEW PEW a lot. With that in mind, he jumps over to the other side of the Toolbar and clicks what must be the answer to his prayers:

gharbor6.jpg

Call it a hunch, or some magical form of intuition - but despite another image of an XBox controller, I suspect this is going to end badly. Sure enough:

Wait, this isn't GTA4!

...our confused gamer is taken to myfreegamespage.com, which (it's fair to say) probably isn't the magical console games factory he was expecting.

What we're left with is a collection of mind blowingly awful games that in no way, shape or form represent the titles splashed all over the main GamingHarbor website. Some require you to download gaming clients then hose 150MB of your bandwidth to play things that are probably bested by free flash games; others will probably make our Toolbar toting gamer rip his hair out as he's installed a Toolbar to "play free games", only to find...

gharbor8.jpg

...he has to either play "free" for an hour, or BUY the "unlimited version" for $6.99.

You couldn't make it up. But then you don't have to, as the face punching reality of lame advertising that promises much and delivers little is already with us.

Avoid this harbour like the plague - the real thing is much better, and you don't have to worry about Internet Saving Optimizers, either...

Pharming has been around for a few years now, and most (if not all) pharming attacks I've read about usually involve techniques far beyond your average script kiddie. From Wikipedia:

Pharming (pronounced farming) is a hacker's attack aiming to redirect a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software. DNS servers are computers responsible for resolving Internet names into their real addresses -- they are the "signposts" of the Internet. Compromised DNS servers are sometimes referred to as "poisoned".

Curiously, one individual seems to be whipping up a frenzy on numerous hacking / cracking boards recently, claiming to have invented a "new, revolutionary form of phishing". It's actually "just" Pharming by another name - "Phisher Arms" (a Phisher Arm being the executable used to alter a computer's hosts file) - but while being entirely ignorant of Pharming, he's also promoting a broadening and deepening of the number of script kiddies happy to adopt such tactics. While there's a certain comedy value to him reinventing the wheel, mass adoption by wannabe pharmers is not a good thing, and there's never been a better time not to click on unknown attachments or run strange files...

In the beginning

On the 30th of April 2009, a new video appeared on exploit database Milw0rm, rather breathlessly called "Desktop Phishing: The New Art of Phishing". Along with the video came lots of graphics:

dtph1.jpg

dtph3.png

...and a soon to be released E-Book(!), along with an audacious bid for fame in the form of a Wikipedia page which was (unsurprisingly enough) hit with the Banhammer.

In a nutshell, it works like this:

1) Have a random executable file to hand. It can be anything, though obviously you want it to appeal to the victim you intend to send it to.

2) Bind it with a modified hosts file in such a way that it replaces the victim's original hosts file when the executable runs.

3) Insert sites such as Paypal, banking sites, Ebay, whatever....into your modified hosts file, and have each of them point to the external IP address of your own computer. I bet you can see where this is going...

4) On your own computer, you host the phishing page using server software such as wampserver.

5) When the victim tries to reach Paypal or a similar site from their computer, they are of course taken to the phish page running on the attacker's PC, which will still say "Paypal.com" in the address bar (the hosts file only hijacks name resolution, so a plain http:// page looks perfect, while an https:// visit would trip a certificate warning the attacker can't avoid - the trick relies on victims typing the bare domain or clicking through). When the victim enters their details, they're actually sending them directly to the attacker's computer - note the URL at the top:

phisherarms.jpg

Whoops.
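The defensive side of the procedure above is dull but effective: a hosts file is a short text file, and a pharming entry stands out because a well-known name points somewhere other than loopback or the local network. The following script is an added example (not the "Phisher Arms" tool, nor code from the original post) that parses a hosts file, skips the 127.0.0.1 / 0.0.0.0 entries that ad and malware blocklists legitimately add, and flags watchlisted names pointed anywhere else as well as any name pinned to a non-local address. The WATCHLIST, the LOCAL_NETS table and the sample hosts file are constructed for the example; the TEST-NET addresses in the sample stand in for an attacker's public IP.

```python
"""
Added example: audit a hosts file for pharming entries, where high-value names are
pinned to an address the attacker controls. Assumed (not from the post): WATCHLIST,
LOCAL_NETS and the constructed SAMPLE_HOSTS.
"""
import ipaddress
import os
import sys

# Names the post says the attacker targets; extend with your own bank's domains.
WATCHLIST = {"paypal.com", "ebay.com"}

# Address space where a hosts entry is usually legitimate: RFC 1918 and link-local
# (intranet names). Loopback/unspecified is handled separately as "blocking".
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]

SAMPLE_HOSTS = """\
# Constructed sample hosts file (not taken from the original post).
127.0.0.1       localhost
::1             localhost
192.168.1.20    fileserver.corp.example     # ordinary intranet entry
0.0.0.0         ads.tracker.invalid         # blocklist-style entry, benign
203.0.113.45    paypal.com www.paypal.com   # hijacked; TEST-NET-3 stands in for the attacker's IP
203.0.113.45    signin.ebay.com
198.51.100.7    mybank.example              # not watchlisted, but pinned to a non-local address
"""


def parse_hosts(text):
    """Return (ip, hostname, line_number) tuples; handles comments and several names per line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address; the resolver would ignore it too
        for name in fields[1:]:
            entries.append((ip, name.lower().rstrip("."), lineno))
    return entries


def _is_local(ip):
    # Version mismatch (v6 address vs v4 network) simply tests False.
    return any(ip in net for net in LOCAL_NETS)


def _watchlisted(name):
    return any(name == w or name.endswith("." + w) for w in WATCHLIST)


def find_pharming_entries(text):
    """Flag watchlisted names pointed anywhere but loopback, plus any name pinned to a non-local IP."""
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 entries block a site rather than redirect it
        if _watchlisted(name):
            reason = "watchlisted name redirected"
        elif not _is_local(ip):
            reason = "name pinned to a non-local address"
        else:
            continue
        findings.append({"line": lineno, "host": name, "ip": str(ip), "reason": reason})
    return findings


def default_hosts_path():
    """Usual location on Windows and Unix-like systems."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else default_hosts_path()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS  # fall back to the constructed sample
    for f in find_pharming_entries(text):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['reason']})")
```

Run with no arguments it reads the local hosts file (falling back to the sample if that fails); pass a path to check a file pulled from another machine. On the sample it reports the two PayPal names and the eBay name on lines 6 and 7, and mybank.example on line 8, while leaving the intranet and blocklist entries alone.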

To be fair to our wheel inventing pharmer, it's an interesting technique and will no doubt be adopted en masse by the rank and file of "this is way too hard for me" wannabes out there. His video has already been viewed over 12,000 times - by comparison, most other entries on the Milw0rm frontpage are in the low thousands:

dtph2.gif

Google "Phisher Arms" or "Desktop Phishing" and you'll already find a lot of hacking forums promoting this as the best thing ever - and they're just the ones publicly viewable.

Whatever you want to call them, there's probably quite a few of these "Phisher Arms" in circulation at the moment given that his video hit a good few weeks ago. As always, be careful what files you download...

Runescape. I've never played it, but thanks to the handy Wikipedia article I can tell you that:

"RuneScape is a Java-based Massively Multiplayer Online Role-Playing Game operated by Jagex Ltd. Recognised by Guinness World Records as the world's most popular free MMORPG, RuneScape has approximately fifteen million active free accounts and is a graphical browser-based game with a large degree of 3D rendering."

The Runescape creators don't like Bots very much. In fact, a thriving underworld of botting, cheating and leet haxing exists with a wealth of program sharing and information sharing taking place. Along with Habbo Hotel, it's where a lot of wannabe Phishers cut their teeth. With that in mind, I thought we should take a look at the following website:

rzhx0.jpg

Here's a sample screenshot. Funky advert for powerlevelling aside, check out the text beneath it:

nexz1.jpg

"iBot Lite is the BEST Free RuneScape Bot around. We offer it for free, or you can subscribe to the paid version (which has more features). However, if you just would like to automine, autofight, etc. on RuneScape, then you can try out the FREE iBot Lite Version. If you want more features, and want to run more bots, and make MORE money, then please consider purchasing iBot Pro. This is the BEST RuneScape Bot EVER released for FREE! As well as the best PAID RuneScape Bot EVER!"


That sounds like all sorts of wrongness. Sure enough, visit the forum and you're presented with a wide array of downloads. One in particular, for a program called iBot / neXus, caught my eye.

nexz2.jpg

Note that they claim more than eighteen thousand downloads - this will be important in a few moments.

What happened next is a bit of a first for me - a Zango installer prompt, launched from a forum instead of a regular website. Even better (or worse), check out the text on the Zango popup:

nexz3.jpg

I'm pretty sure it can't be a good thing to have "Click start to download your Runescape hack" and "& see our new glitch to get past 3k limit" on one of your installers.

The site has been around since 2006, but because Internet Archive hasn't saved any of the installer pages there's no way to know how many of those 18,000+ downloaders installed Zango to get their hands on the missing Bot program, though we do know the Zango prompts have been on there since at least February of this year.

Wait, did I just say "missing"? Yep, because in a humorous twist, it seems the site owners want you to download Zango and then give you a missing download.

nexz4.jpg


Really guys, how are these sites getting through quality control?

Your 419 EMail Roundup

For your entertainment and amusement (along with a valuable helping of "what not to reply to"), here is another selection of recent 419 mails currently in circulation. Lots of winning lottery tickets, missing gold bullion, unclaimed African thrones and other random nonsense after the jump...

Last week I spoke at RSA 2008 on the subject of "Echo Boom Hackers". Long story short, "Echo Boom" kids are supposed to be that generation which has never been without an online world to live and play in, and so their take on the nature of privacy, anonymity and that interface between your public and private worlds doesn't quite work in the same way as (say) mine does. Yes, I grew up without the Internet. Sue me already. We also talked about how researchers and law enforcement could use their different attitude to our advantage when attempting to shut them down.

In between emergency landings, awards ceremonies and book signings to attend, I got the feeling this year's RSA wasn't quite as interesting as last year's event. The common complaints seemed to be "Too many sessions", "not enough interesting booths" and a general sense of "can't be bothered".


I agree. I don't recall anywhere near the same amount of talks going on last year, and the inevitable result is half empty rooms and speakers wondering where all the people went. I only go to these events to speak or listen to others, and the majority of the talks I went to all suffered from a distinct lack of attendance. I was lucky - speaking with Robert Vamosi of CNet, we were doing our presentation in the Keynote Room 103 (complete with its own videocameras and producer), and so even though we talked on the last day, we still pulled in a good hundred or so people which is pretty decent. I'd have liked more, but then I'm just greedy.


Anyway, if any organisers of RSA just happen to be passing by - because I'm sure they stop by here all the time - then please, REDUCE THE AMOUNT OF SESSIONS. I was informed while there that everyone would have access to the talks they missed, yet I've returned home to see that you now apparently have to have a full session pass to see the recorded highlights / listen to audio / whatever. This is a really bad idea, and simply makes a niche event even less accessible to those that can't attend (and don't want to pay the insane prices to do so).

Rant over.

Robert and I were in town to talk about a subject that probably doesn't get brought up much at RSA (in fact, it doesn't seem to pop up much anywhere) - the new breed of wannabe hackers, the lengths they go to with regard to fitting in, the dangers and problems facing both their victims and themselves, and how those dangers can quickly (and irreversibly) bleed into the real world. That all sounds faintly scary, so here's Robert and I looking all smiley at the FaceTime booth.


Phew. Here's a couple of photographs from the talk itself:




The talk was divided into three main sections - a general overview of what I've seen out there over the last 12 months+, tips and tricks for catching hackers on social networking sites, Youtube and various other places using everything from Skype to advertising networks, and (finally) the dangers that these activities produce day in and day out. It was a tricky subject to approach - the idea was to ramp up the punch of the presentation towards the end, but too general an introduction might have resulted in people getting bored and walking out. There wasn't really any way round this, but thankfully people stuck around (I think one guy left halfway through, but that was because his phone was ringing so we'll let him off the hook).

Of course, there was also the added danger that people would be expecting a high level technical presentation - this is RSA, after all - and be baffled at the sight of 70 minutes of anecdotes.

Still, I love a challenge and the presentation seemed to go down really well with the audience. There's been a fair amount of coverage already (links at the end), and a number of people asked me to get involved with a few initiatives aimed at both keeping kids safe online and also trying to steer them away from hacking and cracking which was pretty interesting. I'm just glad people found us at all, because I'm sure we were originally scheduled for the "Hackers & Threats" Track but somehow ended up on the "Industry Experts" sessions. Not really helpful when you're running round half an hour before your presentation starts wondering why nobody knows where your room is!

Just like last year, you can click here and check out some 300+ pictures from my trip, starting with the emergency landing my plane made and finishing off with - er - more aeroplane woes. So many people had issues with aircraft at this conference, maybe that could be next year's theme.

As for additional reading, well, there's a fair amount of it and will probably give you a better overview of what went on than I ever could. Eventually RSA are supposedly going to stream the talk we gave in full, but that might take a week or two - as soon as it's online, I'll post a link to it.

Further Reading:

Robert Vamosi: Meet the Echo Boom Hackers
Robert Vamosi: Echo Boom Hackers - A Dangerous Game
Robert Vamosi: Echo Boom Hackers - Shame

Matt Hines: Taking Down Teen Hackers

Tech Talk Radio: RSA 2008. (The Podcast itself is floating round on the main site somewhere, but I couldn't actually find it. If anyone locates it, feel free to pass me the link!)

Consumer Reports: Kids Turned Cybercriminals

"I wonder what will happen when every rabid Dreamcast community, every "blog" on the internet, and every message board, realizes that someone has set up the above domain name in an effort to scam the Dreamcast fanbase for google ad hits and affiliate points at play-asia." - An Angry Gamer, on the Internet

It seems like the recent Dreamcast Phish story flew right by a lot of people, but if you had any love for Sega's ill-fated console - and screenshots of my still-working console running Shenmue 2 will tell you that I did and still do:

dc1.gif
dc2.gif

.....then you can't help but have been swept up in the wave of nostalgia that hit last week.

Why?

Well, it's coming up to the tenth anniversary of Sega's masterpiece, and naturally, there's a HUGE fanbase out there expecting everything from a small celebration to the announcement of a new Dreamcast console. In fact, it wasn't too long ago that Sega making some changes to the logo caused near pandemonium amongst gamers.

I swear, they're just doing it to mess with our minds.

Anyway.

It seems the Sega owned domain "Dreamcast.com" had long since been abandoned by them (though the Whois details have seemingly never been altered from the original Sega specific contact information), so with the Tenth Anniversary coming up, what better time for some unscrupulous scammer to get in on the act with some Phishing antics? Sure enough, anyone visiting the Dreamcast site a week or so ago would have seen something like this:

dreamphish.JPG

That would have been enough to send hordes of over-excited gamers into a frenzy. Seriously. It would be like aliens suddenly deciding to send us a "hey, we're out here" message, or the crew of the Marie Celeste turning up on your doorstep wondering what all the fuss was about. Maybe I'm over exaggerating a bit, but wow - I nearly fell off my chair when I heard that the Dreamcast site had suddenly been updated after years of nothing. For the real hardcore gaming fans out there, a similar effect could probably only be achieved by news of the Gaming Intelligence Agency suddenly being resurrected.

Yes, I'm sure half of you don't remember that site but never mind.

Luring you in with the promise of an official @dreamcast.com Email address, they asked for your serial number, desired username, password and a current Email address. Once registered, you would end up with a seemingly valid yourserialnumber@user.dreamcast.com address.

The only problem, of course, was that it wasn't SEGA sending out your details, it was the scammer who had grabbed the domain name. The theory is that people would likely use the same password for their desired Dreamcast address as the alternate Email address they provided when signing up to the "service". Thus, you would have spam lists and hijacked email addresses galore.

It didn't take long before SEGA denounced the site, and it was pulled offline shortly after. In retrospect, a dead giveaway should have been the fact that the site had Google Ads and a few other things on it (check out the rather small screenshot) that probably wouldn't have been there if SEGA had actually been in charge. SEGA almost certainly wouldn't have had a Play-Asia affiliate code embedded in the page, for that matter:

affcodedc.gif

...argh.

If you weren't there at the time - if you didn't take to this console the way so many gamers did (and still do, even today) - you probably wouldn't have the same nagging feeling as I do, that someone, somewhere, just kicked your puppy into outer space.

Yes, I am pretty annoyed by this.

You can bet a legion of gamers are, too. As one gaming website put it:

"Gaming Target will fill you in on the identities of the scammers if their names (and hopefully addresses) are published."

When you annoy even the mainstream gaming media websites to the point that they're hoping to hand out names and addresses for some vigilante justice, you know you've screwed up royally. I'm not claiming to have waited more than a week before publishing this article simply to see if I could post some triumphant pictures of the culprits being hauled off for ten rounds with Sonic the Hedgehog in a really horrible jail somewhere, but, well, you know.

Annoyed and all that.

Interestingly, this isn't the first time a SEGA domain has been obtained and used for strange and / or dubious purposes. For whatever reason, they don't seem to want anything hanging around that reminds them of the Dreamcast, and a while back something similar happened with the official Shenmue domain. It really baffles me why they would be interested in keeping the Trademark for the dreamcast up to date, while letting the domains slip away from them to be used for things like this. Here's what happened, courtesy of some random guy on the Internet:

"Sega couldn't care less about Shenmue or Dreamcast right now, so they let most Dreamcast-related domains expire. More than a year ago (can't remember the exact date) the shenmue.com domain expired. Someone registered the domain and uploaded a mirror of the then defunct Shenmue site. Since Shenmue Passport also connects to a shenmue.com subdomain, he managed to get Shenmue Passport partially working (all the download functions which had been previously mirrored by the community worked). He posted a message on Shenmue Dojo saying something like "hey guys, look at this, Sega is bringing Shenmue Passport back online". The user would then check he could indeed log in successfully to Shenmue Passport, and be greeted with a "We're bringing back Shenmue Passport, stay tuned" message.

Now, if he had been a serious person, he would have told people "I just registered the shenmue.com domain and I think I can bring Shenmue Passport online, even though it's totally unofficial, but this is as good as it gets". Instead, he pretended to be Sega.

He registered the shenmue.com domain using his very own name (in case anyone is curious, he's from Colombia). He later changed it to make it look more legit. And I'm almost sure I saw him doing the very same thing with the dreamcast.com domain (first using his name, then changing it to someone from Sega).

It's the second time something like this happens to the Dreamcast community and it sucks."

You said it man, you said it.

Maybe we should have a whip-round and buy them the domains back as a tenth anniversary present.

Now if you'll excuse me, I have to go get my hopes up some more for the sure-to-come announcement of a Dreamcast 2...

The Right Way, The Wrong Way


Generally, if you employ an outside agency to advertise / promote / generally do things with your site in relation to potential visitors, you need to have a good idea of the methods employed by that company. I've had quite a few emails through from people who received something similar to the following:

"Subject: Advertising Inquiry
From: advertising@polimedia.us

We have reviewed your blogger.com blog on behalf of one of our
clients that would be interested in placing advertising with you.

Client profile :
DoingFine (http://doingfine.org)
New project (<1 month old). Theme: A forum dedicated to those things that came out right and worked out fine.

We'd like either a 150x150 button, 160x600 skyscraper or 468x60 full banner (or footer). Alternatively, we may be interested in text-only advertising.

This would be a weekly, monthly or yearly arrangement. In either case we will require a one time, one day (24 hours) free placement in order to test the quality and quantity of traffic your website can actually provide*. Within this interval, we will make a final determination, based on the traffic volume, quality, and your asking price. Should we find your terms acceptable, this trial day will count towards the agreed interval.

Kindly let us know if you would be interested, which arrangement best suits your editorial needs, and what rates you would like to charge. We prefer using PayPal but may be able to accommodate alternative payment methods.

Thank you.

*Please note that we employ software that reliably detects autoclick and autosurf bots, pay per click and paid to surf type traffic, and other such non-human traffic. This may be a concern for you, especially if you are buying "bulk traffic", or employing the services of dubious "SEO experts""

The site in question, doingfine.org, seems to be harmless enough - a forum where people can, quite literally, tell the world that they are indeed "doing fine". However, the methods being used by the company promoting the site are veering on the side of "not doing very fine at all" and appear to be somewhat random and scattershot in their approach to web marketing. The obvious danger here is that people will simply come to associate Doingfine.org with spam-like tactics, strange emails and immediate associations with 419 scams.

For starters, the people behind the campaign are clearly sending these mails out quite randomly. Why? Well, here's someone with a Flickr account who was sent the same email. Anyone who took five minutes to check would realise that Flickr is for hosting photographs - you can't manipulate your pages to insert adverts, banners or buttons.

A quick Google reveals many more people feeling confused and puzzled by these emails - this is NOT a good feeling to generate amongst people online, as word of mouth spreads extremely quickly and these kinds of tactics are usually frowned upon.

Take a quick look at the site doing the promoting, and things don't improve:

http://blog.spywareguide.com/upload/2008/02/polimedia-thumb.gif

...wha? At first glance I thought it was a site related to videogames involving armies and aeroplanes or something. The English version of the site isn't any more enlightening (with phrases such as "There is nobody else", "If you want something done, we'll have to do it ourselves" and "Squeaky wheels? We've got grease" all over the place). Again, all of these factors (no real substance to the information provided, bizarre phrases and a general sense of oddness) are seen in common webscams, and naturally give people pause for thought.

Of course, the negative feedback created by the approach of Polimedia has now started to flow back to Doingfine.org, with threads such as this. There are two key things said by the site owner. One is in response to a post in a thread by a Google Blogger.com employee:

"The notion that "third parties can easily install badware into your computer by asking you to put code into your template" is the sort of nonsense that appeals to otherwise uninformed people. Coming from someone who almost certainly knows better. Not to mention SOMETHING GOOGLE SHOULD BE FIXING, should it actually be true."

This makes no sense to me. There are all sorts of dubious scams out there that involve convincing people to paste code onto their website. It only takes a little bit of malicious code to launch an IFRAME, or run some Javascript, or any number of other things and then you've got a problem on your hands. As for Google somehow being responsible for "fixing" the way in which nefarious people online can use rogue code to push exploits - huh?

The second thing of note that the site owner says is this:

"For the past week or so, we've been employing this Polimedia company to handle our marketing and advertising. So far it is working really GREAT, as far as I understand these things (which admittedly isn't very far)."

This rings warning bells, for me - the site owner seemingly claims he doesn't understand "these things" very well, which presumably means the workings of having someone else handle your marketing and advertising. First of all, if I were him, I'd certainly want to know exactly what a third party was wanting to place on other people's websites in my name before committing to such a deal. Secondly, all is not quite as it seems here. Why? Well, here is the owner of Doingfine.org posting to a webmaster forum.

For some bizarre reason, he is posting under the username of Polimedia - more confusion. Why post under the name of the third party company you've hired to promote your site? At any rate, the post reads:

"1000$ in this thread. This is a themed pay by post job. Here's the specs :

VERY IMPORTANT : The theme for this project is "doing just fine". Please stick to it. A story about how you are happy with your computer set-up, how your dog learned a new trick, how you baked a pie and it came out just right are welcome. PRODUCT ENDORSEMENTS ARE NOT, unless the product is really mainstream. Story about how you enjoyed a drink of Coca Cola is fine. Story about some internet-based crapola will get you insta-banned.

You will be paid $10 for every 100 posts you make to my forum at http://doingfine.org. In order for you to collect, you must :

Make 100 posts, not less, using AT LEAST 15 different registered user names, starting AT LEAST 10 new threads.

All new thread posts must be AT LEAST 12 lines, 120 words, 600 characters. These length requirements are CUMULATIVE, meaning you must satisfy ALL.

All reply posts must be AT LEAST 2 lines, 20 words, 100 characters. These length requirements are CUMULATIVE, meaning you must satisfy ALL.

You may not copy/paste strings longer than 35 characters or 7 words from ANYWHERE. I actually use scripts to check this.

You may add AT MOST one link per post, provided it's either a completely FREE (no ads, no sales pitch, no revenue method whatsoever) website or an image link. You may NOT add more than 30 links TOTAL.

Your post must be relevant and adequate to the available themes. The forum has a broad "doing just fine" theme. Thus, please contribute posts that describe either a personal experience, or a world event/news item about something THAT'S JUST FINE. Personal experiences are preferred, and probably easier to write.

Your posts must be INTELLIGIBLE, written in ENGLISH. You MUST make sense. Random gibberish will not count. I prefer you use standard spelling and punctuation. If you don't, all the differently named registered users you create that make recognizably the same spelling mistakes WILL be counted as one.

You MUST use the same IP address for all your posts, this is how I will count them.

You must send me (user : Mr. M) one private message when you start posting, stating that you intend to start posting. Mention this board and optionally your user name here.

You must send me (user : Mr. M) one private message when you are done posting 100 posts. It MUST contain your paypal address (you will be paid $10 within the same day) and specify if you intend to start another 100 posts block. If you do, please wait for my ok. That means I will tell you whether I'm happy with your work and you should bother doing another 100.

All people satisfying the above conditions will be paid the above sum. No exceptions.
All people FAILING to satisfy the above conditions will NOT be paid the above sum. No exceptions.

I will respond to any disputes here, should one arise (not sure why it would tho).

My budget for paying posters is 1,000$ (it actually is, yes), so post away and take my money. Good luck."

So, despite the fact that the domain was apparently only registered on the 7th February, the forum itself could appear to be extremely active because a large number of people are being paid to post under 15 different registered usernames, with 100 posts each.

This is a fairly clever idea in terms of making a forum come to life quickly - does the earlier statement regarding not understanding the workings of having a third party handle your advertising still ring true? If you're smart enough to do something like the above, why would you even bother to use Polimedia to send out these random mailshots?

Who knows. What I do know is, their tactics need a serious rethink and fast. Though the buttons and code they're placing on websites appear to be harmless, the techniques they're using to promote the site most definitely aren't - at least with regard to the reputation of Doingfine.org.

Presenting IKatzu, the browser helper object that supposedly pops adverts but doesn't actually seem to do anything. Not at the moment, anyway - but that doesn't mean we can't investigate. Shall we dig around behind the scenes and see where this comes from? Let's kick things off by looking at some of the files that get dumped into your System32 folder when the initial executable is activated by the user:

ikatzu6.jpg

The purpose of this bundle of joy is to show you adverts - as you might have expected. However, what's far more interesting than the actual application is the tangled web behind the software. A quick Google for the program seems to hint at a page promising terms and conditions, from a site called Artella.biz. However, at present the "page is not available". Thanks to good old Google cache, I was able to retrieve the T&Cs - because I'm sure Artella don't want those going missing, right? - and ran them through the Eula Analyzer. A brief look at the page made my teeth grind and probably clench a few fists, because it is so reminiscent of the "Olde Worlde" Adware bundle license agreements from 2005 / 06, where six hundred odd applications are listed along with links to other website EULAs, many of which would lead you to 404 errors or worse. I was hoping this kind of license had gone out with the Ark, but apparently not. In this case, things aren't much better - for the sake of an application that's supposed to show you some adverts, on a regular 17 Inch monitor (at least, I think that's what I'm using, don't blame me if I'm wrong), the whole thing took SEVENTEEN PAGES OF INDIVIDUAL TEXT to scroll through.

That's a lot of text.

There are also a few links off site to other pages of information, and references to companies that might be included "if applicable". All in all, not the best start. However, it gets worse - the entire EULA can be read here, and these are the results:

Number of characters: 55671
Number of words: 9399
Number of sentences: 357
Average words per sentence: 26.33
Flesch Score: 23.5
Flesch Grade: 17 : Beyond Twelfth Grade reading level
Automated Readability Index: 20 : Beyond Twelfth Grade reading level
Coleman-Liau Index: 21 : Beyond Twelfth Grade reading level
Gunning-Fog Index: 42 : Beyond Twelfth Grade reading level

...that's a pretty crazy EULA someone expects you to wade through. 9,399 words? 300+ sentences? All to see some ads? No thanks.

There's a fair amount of talk regarding removal of the advertising software in conjunction with something called "Upads.biz", so off we go to have a look:

http://blog.spywareguide.com/upload/2007/10/ikatzu1-thumb.jpg

...is it just me, or does the picture of the laughing dude creep you out too? Ick. Anyway, a Whois search is predictably fruitless:

http://blog.spywareguide.com/upload/2007/10/ikatzu2-thumb.jpg

Any and all useful information is hidden by "Moniker Privacy Services". That seems to be true for most (if not all) sites involved in this distribution network. We're left with Artella, so let's go check them out:

http://blog.spywareguide.com/upload/2007/10/ikatzu3-thumb.jpg

The interesting thing here is that although this site also has its contact details hidden via Moniker Privacy Services, they sort of made that pointless by placing an address on the front page of their website - 48 Bella Vista, Edificio No. 27, Local No. 2, Ciudad de Panama, Rep. De Panama.

Bit weird?

Anyway, we finally have an address so we're vaguely better off than we were previously. However - things are about to get even weirder. Let's take a quick jump over to their Uninstall Page where they come down hard on anyone wanting to remove their application from a PC:

http://blog.spywareguide.com/upload/2007/10/ikatzu4-thumb.jpg

"Please be aware that many so called "ad ware removers" and "spy ware removers" can cause damage to your computer and may alter your computer in such a way that our automated removal application will not function. At the present time, there is no third party software which is capable of removing Artella applications. If you have purchased an application which claims to remove Artella, we encourage you to contact your credit card company and request an immediate reversal with the reason of "Product Not As Described" and/or contact the Better Business Bureau."

.....ouch! And "no third party which is capable of removing Artella applications"? I guess this was just a dream, then. I went and tried their Uninstaller:

ikatzu88.jpg

Imagine my dismay, then, when after hitting the YOU REMOVE NOW button the entry from Add / Remove programs just....vanished. No confirmation, no box appearing to say job well done....nothing. The entry from "Manage Add Ons" in IE had vanished, and a few files had disappeared from the System32 Folder, but that was about it - a bunch of files were still sitting there with no real indication that anything much had changed.

So I restarted my machine, hoping to see a lean, clean machine - but, lo and behold....

ikatzu9.jpg

...the same files, still sitting there! Are they active? Are they dead? And aren't I supposed to report those pesky removal tools to the Better Business Bureau? Who knows, is what the response of the average (and probably not so average) Internet user is going to be. Even better, running a quick HijackThis scan shows the following:

ikatzu200.jpg

...ads_cpd.exe is still listed as a service! (It's still sitting in the System32 Folder, too). Considering they spent so much time complaining about third party removal tools, you'd have thought they'd have done a better job of it with their own uninstaller but oh well.

We're not done yet with this page, either. Remember "48 Bella Vista", listed as their "main headquarters" on the frontpage of their website? Well on the Uninstall Page, their "main headquarters" are listed as "Avenida Winston Churchill, Edificio Vista Del Mar, No. 43 Ciudad de Panamá, Rep. De Panamá."

....is it just me, or do they have two different main headquarters?

Let's finish this one off with a familiar face - going back to the huge EULA page, who should be listed but....

http://blog.spywareguide.com/upload/2007/10/ikatzu500-thumb.jpg

...Mirar! Yep, just when you thought things couldn't get any more convoluted, along comes yet another element into an already crowded and confusing mix.

....what was I writing about again? Oh yeah, IKatzu. Sorry. Given the seemingly endless EULA pages, the amount of secrecy with regard to who a lot of these associated sites are registered to, the multiple "main headquarters" addresses, T&C pages that seemingly no longer exist and an uninstaller that doesn't really instill faith into the end-user, I don't recommend installing this application.

......be honest, did you think I was going to say anything else?

http://blog.spywareguide.com/upload/2007/09/skinner1-thumb.jpg

Upon hearing bad reports about a product called "Messenger Skinner", we decided to investigate. The program (whose target audience must strongly favour kids by virtue of the fact that the most entertaining thing it gives you is dancing bananas) has a number of issues that make it something I'd rather not recommend. Note:

"Messenger Skinner is free of any kind of spyware or trojan".

Interesting statement. Let's continue.

skinner3.jpg

...looks innocent enough so far, but things are about to get messy.

http://blog.spywareguide.com/upload/2007/09/skinner5-thumb.jpg

Presented with a "real" installer. That's good.

The text box is stupidly small. That's bad.

The "no" button is pre-checked and you have to physically select yes. That's good.

I don't like the colour scheme. That's bad.

The EULA is certainly comprehensive. That's good.

But that's only because there's apparently two of them.

That's bad.

See, during install, the EULA you see is NOT the EULA you see by clicking "Terms and Conditions" from the program entry on your Start list. Indeed, once installed, all you really get is a very general ramble about liability, licensing and intellectual property. Right at the end, under "Uninstall", you get the briefest of mentions for this:

"UNINSTALL
This software is completely free as it is subsidized by the Favorit contextual advertising component."

....ooh. In fact, we need to hope that anyone installing the program not only took great note of the EULA during install, but copied and pasted it onto their system to get a better idea of what's likely to be going on in their system.

Namely:

1. USE OF THE SOFTWARE

1.1. MessengerSkinner, a Freeware application, offers a button which allows you to add funny emoticons and other things to MSN Messenger (R) 7.0, 7.5 and Windows Live Messenger (R).

1.2. The Software includes a component which will remain active at all times with the objective of verifying and ensuring the correct functioning of the Software, and offering other advantages ("Component"). When the User is connected to the Internet the Component will make periodic connections to the Provider's servers in order to check that there are no problems in the access network or the User's Computer. If any error which prevents the normal use of the Software is detected in the User's Computer, the Component will seek to identify and solve it. Any changes that the Component makes to the User's Computer will be to clearly non-essential parts thereof and for the purposes referred to in these Conditions. THE USER REQUESTS AND AUTHORIZES THE INSTALLATION AND UPDATING OF THIS COMPONENT TOGETHER WITH THE SOFTWARE IN ACCORDANCE WITH THE TERMS SET OUT IN THESE CONDITIONS. The Component will carry out the tasks described in these Conditions only when the User is connected to the Internet, whether using the Software or the User's regular Internet connection. In any case, the User can easily uninstall the Software or the Component by selecting "Access Connection" and "Component Add-On" respectively in the appropriate section of the operating system control panel. Users should be aware that upon such uninstallation, the advertising messages might be sent during a period of three months after said uninstallation, the benefits provided by the Component will not be available and in certain cases the Software (if retained) or the Provider's services may not function correctly.

Adverts for three months after uninstalling? Nice! As you'll see later, the hoops you need to jump through to uninstall hark back to the "good old days" of Direct Revenue making you download additional software to uninstall the first unwanted program. Tonight we're gonna' party like it's 2004! Yay!

1.4. In order to carry out the operations referred to in the paragraphs above, the Component will send certain data from the User's Computer to, and will receive information and requests for these purposes from, the Provider's servers. The data sent to the Provider's servers by the Component will be limited to technical and connection information such as: operating system user name, name of the computer in the operating system, IP address of the LAN of the computer, country of connection, browser default country, operating system version, operating system or browser service packs installed, ID of the most recent browser update, vertical and horizontal resolution of the monitor screen, IP address of the most recent internet connection, maximum and average response times, percentage losses, name of the last RAS connection and others relevant for the purposes indicated. The User authorizes such exchanges of information with the Provider's servers in accordance with these Conditions. At no time will any information regarding Internet sites visited or other activities of the User be sent to the Provider's servers; this information will be processed within the User's Computer in order to anonymously select advertising or other messages to be shown to the User. In no case will the Provider be able to identify the User nor will any profile of the User be created.

...."limited to"? What else is there left to grab, shoe size?

For the sake of this:

http://blog.spywareguide.com/upload/2007/09/skinner12-thumb.jpg

....I'm starting to feel pretty uncomfortable about installing this program. Oh, note that I had to blank a few smileys out because they were, er, sort of rude. Enjoy, kids!

Anyway, now we come to the meaty part. If you installed this program and happened to run, oh, I don't know....a bunch of Rootkit Scanners...you'd probably see something a little like this:

http://blog.spywareguide.com/upload/2007/09/skinnerend-thumb.jpg

.....and, from another testbox, something like this:

skinner14.jpg

skinner15.jpg

....hidden, randomly named executables? Oh, awesome. That's just what the world needs more of. I guess that's why Symantec say the following on this writeup, then:

"# Hides the following files by using rootkit technology:

* %System%\[RANDOM].exe
* %System%\[RANDOM].dat"

......to coin a phrase, whoops.

At this point, I bet you're dying to see the program in action, right? Exactly how does Messenger Skinner operate in the context of the MSN Chat system? Well, the answer is faintly interesting:

http://blog.spywareguide.com/upload/2007/09/skinner11-thumb.jpg

.....check it out, it almost totally hides the adverts served up by MSN! I wonder if they'd be happy knowing this product did that? I guess we'd better move onto the uninstaller that time forgot. In the rather general "terms and conditions" available from accessing the program via the Start menu, right at the bottom, is this:

"UNINSTALL
This software is completely free as it is subsidized by the Favorit contextual advertising component.

The end user can uninstall our component by filling the following form:
http://www.pc-on-internet.com/uninstall
"

.....oh dear. I'm sort of surprised anyone still releases applications like this - especially as it all smacks of hoop jumping and a faint impression that they don't actually want you to uninstall any of these things. For a perfect example of what I mean, check out this writeup from 2005 where I battled with the Uninstaller for Direct Revenues Aurora.

Let's all pause while you read that and say a few brief words for Aurora.

What's that? Nobody got anything good to say about it? Nah, didn't think so. Anyway....let's go over how I think uninstalling a program should go.

1) Decide to uninstall.
2) Run uninstaller.
3) The end.

Now let's see how it goes down in Messenger Skinner Land, or as I like to call it, "Hoop Jump City Central" (like Nutbush City Limits, but with a better beat).

The Main Uninstall Page:

http://blog.spywareguide.com/upload/2007/09/skinner7-thumb.jpg

The Terms and Conditions Page:

http://blog.spywareguide.com/upload/2007/09/skinner8-thumb.jpg

The Privacy Policy Page:

http://blog.spywareguide.com/upload/2007/09/skinner9-thumb.jpg

....WHAAAAAAAAAAAAAAA?

That's right, to uninstall the program, they insist that you open up THREE DIFFERENT PAGES and read through endless reams of text - just to uninstall something!

Not only that, but then you have to hand over your Email address to contact them, tell them why you don't want it on your system anymore and (finally) "wait for someone to look into it" and then, finally, presumably, hopefully, send you the link to the uninstaller.

http://blog.spywareguide.com/upload/2007/09/skinner17-thumb.jpg

But wait, it gets BETTER. Can you believe it? Look what awaits you in the mailbox:

skinner18.jpg

Absolutely incredible. You're stuck with a 24 hour limit to obtain the uninstall program. If your Internet connection breaks, or you weren't planning on sitting in front of your PC all day waiting for their all important Email - too bad! Furthermore, they have such iron clad faith in their uninstaller program that if you run it more than three times, you see this:

http://blog.spywareguide.com/upload/2007/09/promo_expired-thumb.JPG

Even better, both Panda and Prevx flag the uninstaller as suspicious:

skinner19.jpg

And even better than that, there are some people out there complaining that the uninstaller doesn't actually seem to be very good at, er, uninstalling things.

Ladies and Gentlemen, I give you the epitome of "complete disaster". Without a doubt, this is one of the worst uninstall routines I've seen in years, and you can put that on a wall and frame it.

Finally, there are a bunch of domains on the server hosting Messenger Skinner that are related to the parent company. Of particular interest is one called crazygirls-world.com (registered to the same guy as Messenger Skinner), which leads you to....

http://blog.spywareguide.com/upload/2007/09/skinner20-thumb.jpg

.....Dialer related porn on a site called "gad-network.com". Of course, it's no surprise that we see Gad-Network leads us back to the Favorit Network site.

.....wait, didn't I get a really amazing uninstaller from there once?

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Additional Research: Peter Jayaraj, FSL Senior Threat Researcher

The other day, I was unceremoniously dumped from a website I'd chosen to visit, being told to clear off because I happened to be using FireFox. Some more information has come to light courtesy of a thread here, and I can't say I'm impressed. If you happen to visit any websites running a particular set of code while using FireFox, you'll see this instead of your chosen website:

http://blog.spywareguide.com/upload/2007/08/ff_blocked_expl-thumb.jpg

The code used to do this is available in various cut and paste formats:

http://blog.spywareguide.com/upload/2007/08/ff_blocked-thumb.jpg

The reason for this boils down to supposed revenue being lost because people use Ad Blocking tools in conjunction with FireFox. References are made to "demographics" stating that FireFox users only represent a "small percentage of online spending" (without citing the source of these demographics), hilariously OTT statements claim Mozilla are "empowering internet theft" and they effectively accuse FireFox users with adverts blocked of both infringing copyright ("to the letter of the law") and being common thieves ("Accessing the content while blocking the ads, therefore would be no less than stealing").

That's a little strong, isn't it? The site I was booted from was running ads that needed to be clicked to generate revenue, simply viewing them wasn't enough to make money. That being the case, how am I "stealing" from a site when they're making the presumption I'm going to want to click their advert to make them their money in the first place? Sure, if there's no advert there at all due to a blocker then nothing is going to be clicked anyway. But the reasoning behind this is pushing a line of ADVERT ON SITE = INSTANT MONEY, which just isn't the case.

Yes, we have a right to say what we do and don't want on our PC. And yes, the guy behind this idea does have a right to block you from his website if you don't want to see his adverts.

But wow, it's still stupid and decreasing your web traffic for the sake of a few clicks on random adverts. This says to me that the only thing on the site the creator thinks is worthwhile are the adverts themselves. If they'd rather keep you away from their actual content to keep their precious adverts intact, what does that say about the worth of the material on their homepage in any case?

You're probably better off without them.

Mind you, this does have obvious bad-guy potential. How long will it be before we see someone create a bunch of exploit sites, slap their "no FireFox" code on it and instruct you to come back with a Browser they know they can hijack using x, y or z exploits?

Here's an interesting one from the database - a colleague of mine came across this a few weeks ago and now here we are, about to plunge into the depths of some more Chinese-related Malware. This time round, there's a little twist thrown in for good measure - East meets West, if you will.

We begin our journey with a Trojan called Symfly - from this file, another payload (sna.exe) was installed and during this process, something called Install7.exe was eventually brought kicking and screaming into the world. Already, we're dealing with a file three notches down a daisy-chain, which will likely give you an idea of the complexity behind this particular hijack. From close examination of the inner workings of the files involved, we can eventually determine that a site called Renwu is at the heart of the action - to the casual observer, you'd think there was nothing to see. However, the login prompt is a sure sign there's something going on. After the Install7 file has executed, a file called Demnsvr.exe is dumped into your Windows directory. Sometimes the install fails at this point - if it works, you'll know for sure because (along with some .dll files, a service and a BHO for Internet Explorer) it deposits a log file on your desktop which is kind of a giveaway:

install7exe2.jpg

At this point, an "updater" section on the Renwu site creates Adcheat and Historyclear on the infected PC. I couldn't decide if history clear was protecting my privacy or offering me a bite to eat, and Adcheat (seemingly) wants to make a call to Australia:

install7exe15.jpg

..however, this is actually a server in China, and has apparently been flagged for matters relating to Spam in the past. Of course, it comes as no shock to discover the Renwu site is tied to this server; less so, the other domains listed on it. Bill Gates is a Registrar for this website? Wow! Even better, check out this guy - Mr Drgd Drgdrgr!

With a background like that, no wonder those spam databases have issues with this box!

Eventually, we come to the next oddity of this install.....the Alexa Toolbar, installed without consent via FTP:

http://blog.spywareguide.com/upload/2007/03/install7exe5-thumb.jpg

Note the popup asking you to install a Chinese Language Pack.

What happened to the installer prompt / EULA, I hear you cry? Well, a box appears all-too-briefly in the middle of the screen - not exactly brimming with content, but then considering it's only on your screen for about half a second I can't say I'm too surprised. It took me long enough getting that screenshot. At time of writing, the Alexa Toolbar is no longer installing, but as you can see here, the file is still on the server and could easily be re-activated (it's been up and down a few times so far already). It's worth noting that when this file is installed, the desktop has a tendency to become unusable and only a reboot will cure it.

I've mentioned in the past that attempting to tackle Adware and Spyware from China is a whole new world of exploration, because of the difficulties involved in ascertaining the who, what, when, where and why of a case. Here again, we have the same difficulty. Seemingly random websites are called out to - why? Who runs them? Are they legit? Who do you contact? Could they be innocent parties, hosting backdoored files? Or are they just sites the Malware creator likes to visit in his spare time? Here's a sample selection of some of the sites called out to when the initial infection file runs and begins the process of calling down the individual files. Note - none of the below sites actually carry any of the payloads...

http://blog.spywareguide.com/upload/2007/03/install7exe6-thumb.jpg
http://blog.spywareguide.com/upload/2007/03/install7exe7-thumb.jpg
http://blog.spywareguide.com/upload/2007/03/install7exe9-thumb.jpg

....at this point, we need to tie it all together. Let's examine the Alexa Toolbar for a moment. It's Wikipedia time:

"The Alexa Toolbar, an application produced by Alexa Internet, is a Browser Helper Object for Internet Explorer on Microsoft Windows that is used by Alexa to measure website statistics."

...in other words, the Alexa figures for website rankings are based on the statistics generated by users who surf with the Alexa Toolbar installed.

Remember the Adcheat file I mentioned earlier? Well, after Adcheat has phoned home and HistoryClear.exe has wiped your cookie cache, the Alexa Toolbar is installed and a call is made to this site (note the two domains listed on the page). From there, a call is made to the below site (note the Alexa sub-domain Renwu.info is touting):

http://blog.spywareguide.com/upload/2007/03/hotrockrenwu-thumb.jpg

This is apparently a redirect to a site called Hotrock.cn.

The question is, is this an incredibly over-elaborate attempt to artificially inflate the Alexa ranking of one (or more) of the sites listed above? If so, they're not having much luck with it. All three sites - Renwu, Hotrock and Aqclub - are outside the top 100,000. An interesting tactic would have been to try and generate income via sponsored Amazon links - this is something we're still currently investigating, though it would make sense with regard to installing the Alexa Toolbar in the first place. What is interesting is this graph comparing the traffic to the previously mentioned websites:

http://blog.spywareguide.com/upload/2007/03/3sites-thumb.jpg

From about halfway through January (when these files first started showing up) up to the present day, both Hotrock and Aqclub have amazingly similar traffic patterns, right down to the way it rises and falls at certain points on the graph. Remember, both of these sites are mentioned on the Renwu page that's called once the Alexa Toolbar is force-installed.

Coincidence?

It'd have to be a pretty large one...
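The "amazingly similar traffic patterns" observation above can be put on a numerical footing by correlating the day-over-day changes in each site's traffic rather than the raw volumes, so two sites that rise and fall together score high even if one is much larger. This is an added example, not code or data from the original post: the daily visit counts are constructed for illustration and are not Alexa figures.

```python
"""Correlate the shape (rises and falls) of daily traffic series to spot sites
that move in lockstep, as the post's graph suggests for Hotrock and Aqclub.
Added example; visit counts below are constructed, not Alexa data."""
from math import sqrt

# Constructed daily visit counts for the three sites named in the post.
TRAFFIC = {
    "hotrock": [120, 135, 150, 148, 170, 165, 190, 210, 205, 230, 228, 250],
    "aqclub":  [80, 96, 110, 107, 131, 124, 152, 171, 164, 191, 187, 211],
    "renwu":   [300, 280, 310, 270, 320, 290, 285, 330, 300, 295, 325, 280],
}


def diffs(series):
    """Day-over-day changes: compares shape, not absolute volume."""
    return [b - a for a, b in zip(series, series[1:])]


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    if sx == 0 or sy == 0:        # a flat series carries no shape to compare
        return 0.0
    return cov / (sx * sy)


def correlated_pairs(traffic, threshold=0.9):
    """Return (site_a, site_b, r) for every pair whose change-series correlate
    at or above `threshold`; sites fed by one traffic source cluster here."""
    names = sorted(traffic)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            r = pearson(diffs(traffic[a]), diffs(traffic[b]))
            if r >= threshold:
                pairs.append((a, b, round(r, 3)))
    return pairs


if __name__ == "__main__":
    for a, b, r in correlated_pairs(TRAFFIC):
        print(f"{a} and {b} move together (r={r})")
```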

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

The issue of Blogspot URLs being redirected and used for exploits has been noted before. In this particular case we follow the evolution of sophisticated mass spamming of Google's Blogspot service URLs, coupled with other search engine spam techniques and trace the cascade of events that follow.

Overview: The "Simple Scenario"

1) Party unknown figures out how to optimize Blogspot pages to achieve high rankings in MSN portal Search Engine Results Pages (SERPS) for popular terms known as keywords, in particular keywords around World Cup coverage.

2) This person uses Google's Blogspot hosting. It has been noted before that Blogspot hosting allows users to insert JavaScript into the head of the HTML page, creating a vulnerable environment.

3) Party unknown implements a complex server-side, auto-rotation system on a domain hosted elsewhere.

4) Party unknown accomplishes "cloaking" the Blogspot URLs, hiding the auto-rotation system. The pages rank high in many MSN search results for targeted keywords.

5) Users conducting queries on MSN or users who arrive on the tainted blogspot URLs are redirected to various pages. In this particular example some sites display explicit pornographic content in addition to offering software downloads with a documented history of security risk.

The World Cup

This investigation over distribution and deception was kicked off by one of the world's biggest sporting events- the World Cup. We all have our favorite teams, and at FaceTime we want people to be able to follow their favorite teams and sports safely! The goal of our research was to investigate a popular sporting event and probe the Internet for attacks, social engineering, or any other malicious or deceptive activity centered around this event.

Flow Chart Sample of Events

To better understand the event flow, click the thumbnail image below to enlarge. This will open to a new window.

http://blog.spywareguide.com/upload/2006/07/flowchart-thumb.JPG

Deceptive Mass Spamming Distribution

Basic search engine analysis shows the "party unknown" appears to be using automated techniques to spam guest books and other web pages in order to create links to the domain. Because of the auto-rotation system the domain's homepage changes frequently and apparently randomly. For example, it often defaults to Google's own portal for India.

Search System Pollution

As we will show, the techniques used to taint MSN search rankings are based on an understanding of the MSN search algorithm. However, the primary deceptive tactics are carried out through obfuscated JavaScript injected into Google's Blogspot page headers. This is significant because this particular problem has been publicly noted before by researcher Ben Edelman.


WARNING TO USERS: DO NOT go searching for these sites unless you are a trained security researcher. There is a dynamic component to this operation which could lead to a hostile environment or unwanted content. In short: what you see is not what you may get.

Research: How Did This Happen?

While searching for the keyword "World Cup 2006" in the MSN search engine, our researcher clicked the first natural result, the result below the sponsored ads. This result appeared to be an innocent-looking Blogspot URL, as the screenshot will demonstrate.


Note on Search Engine Results:

Search engines use their own systems to determine the relevancy of a page for a keyword entered in the Search Box. Based on the search engine's algorithms the pages will be ranked and appear in the results. These results are often called SERPS or Search Engine Result Pages.

In crude theory the first result should be more relevant to the keyword, the second result a somewhat less relevant page, etc. Numerous factors affect relevancy beyond the scope of this write-up. It is reasonable to expect people to believe they will find the most relevant pages on the first pages of the results. For this reason, in this study, we have placed emphasis on studying the first results returned in the SERPS.

http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFAWorldCupSearchResult-thumb.JPG


How Did this Page Get to the Top?

In simple terms, by using "spam techniques." With the browser's JavaScript turned off, the user would see a page like this:

Click To View Page with JavaScript Off


Redirection and Misdirection Over Time

Upon some of the first checks of these URLs our researcher noted redirects to the following Russian web-site. By.ru is a common hosting company, and "tkgroup" appears to be a student class blog.

http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFARussianWebSite-thumb.JPG

At first glance it might seem this could be a student prank merely playing search engine tricks. However, after several days the same result redirected our researcher to a different website, the "Adult DVD Download Network" IcooNet. The context and tone have now changed considerably: the tone is now commercial in intent but also pornographic. Users would have no way of knowing the site they were trying to reach would serve pornographic content if they relied on the title, text description and link displayed in the SERP.

http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFAIcoonet-thumb.JPG

In this example our search term was FIFA, so it would seem unreasonable to be offered an adult downloader. This is deceptive, and many users may find it offensive, especially since it is reasonable to expect young football fans would be searching for similar terms and will be guided by the domain name, title and description.

From a legal context this is significant: US CODE: Title 18,2252B. Misleading domain names on the Internet, from law.cornell.edu.

In a final example, the redirection goes to a website which features pornographic galleries offering a program that is cited as a variant of Zlob.Media-Codec. It may go under different names. A EULA is presented if the user wants to access the deceptively advertised pornography. We have not placed a screenshot here because the images are simply too offensive for our blog standards, but we have retained screen capture documentation and video of the site.

The different variants of these programs have to be downloaded in order to play any of the movies on the web-site.

Note this particular search query was conducted from one of our labs in India, so other users and countries will likely get different results. In addition search results change frequently. For purposes of documentation, we have included packet logs from query to destination as well as install of software.

Query Sample 1: Term FIFA+World+Cup+2006 .txt file

Query Sample 2: Term FIFA+World+Cup+2006 .txt file


We Just Wanted the World Cup

In the sample query illustrated by the packet logs above our researcher, searching for "FIFA World Cup 2006", finds a tainted Blogspot site and clicks through. The log documents the various redirects, which end with the researcher arriving on a pornographic website where he was offered, and accepted, programs with well-documented problematic behavior.

The initial MSN results showed 3 out of 10 results from Blogspot which display the obfuscated JavaScript and re-direction system. Users rely on search engines to deliver them high quality and relevant results. Since the domain names contain football (soccer to U.S. readers) related terms, titles and descriptions it is reasonable the user will feel confident to click-thru.

In a system such as this any number of attacks could be launched, and depending on the degree of sophistication of the attack or skill in social engineering, the results could be quite harmful. The screenshot below shows the tainted Blogspot URLs at MSN in the top ten results.

http://blog.spywareguide.com/upload/2006/07/3of10BlogSpotURLsinFirstpageoftheMSNResult-thumb.JPG


Past History of Problems

It should be noted that while we were unable to document any exploit behavior from the software offered on the pornographic site, that software has a well-documented history of problematic behavior from numerous third-party sources. It is usually classified as a "trojan". Reference: Sunbelt on Zlob.Media-Codec and Super AdBlocker on xpassman-v3, for example.

EULA Red Flags

In this particular case EULAs were presented with the software product(s) needed to access the content deceptively advertised by the unknown party. EULA analysis shows that additional security software will be added, updates can be made, and the home page will be changed, among other items.

See one EULA Analysis Sample

By accepting it the user grants the software rights to install additional components on the machine. These components or updates may not have cleared appropriate security hygiene processes. In addition no warranty on performance of the software is given.

Also notable: our automated readability analysis of the EULAs displayed shows that reading skills above twelfth-grade level are needed to understand the document, according to several readability batteries.

Flesch Grade: Beyond Twelfth Grade reading level
Automated Readability Index: Beyond Twelfth Grade reading level
Coleman-Liau Index: Beyond Twelfth Grade reading level
Gunning-Fog Index: Beyond Twelfth Grade reading level

Technical Background: How Did Blogspot Do This?

The attack is quite subtle. Put simply it uses obfuscated or "garbled" JavaScript.

Inspecting the source code of the blog entry, we noted JavaScript calling a function named decode(). No simple redirection code was visible in the page source at first glance; we noted only what appeared to be random numbers stored as a string. The function name itself, decode, was the hint to decode the whole function. Let us take a look at the original source code:

http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFAJavaScript-thumb.JPG


Now let us examine the screenshot of the "decoded" code:

http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFAJavaScriptDecoded-thumb.JPG


Explanation of Code:
The code says if the blog is referred by any of the following major search engines:

Google
MSN
Yahoo
AOL
Ask
Altavista

Then it will open the URL http://www.toptravel10.com/search.php?aid=<*****>&q=World+Cup, which calls into action the redirection system. Therefore, the writer of this code is actively looking to intercept search traffic and move it somewhere else and the code writer is doing this with obvious intent.

However, if the Blogspot address is only pasted or typed into the address bar of the IE browser, it will redirect to the MSN search results for the keyword "World Cup 2006". As we know from the above search result screen capture, 3 out of the first 10 MSN natural search results could most likely be the same kind of tainted Blogspot entries. Clicking any of the entries will again redirect to the same system. This puts the user into a dangerous cycle. We qualify "most likely" because top ten entries can and do change dynamically beyond the control of users.

Controlling the Deceit

In this case there is no need to change the source code of the page, because the operator of the toptravel10 domain has set up a complex server-side, auto-rotation system of unknown make-up. The tainted Blogspot URLs used the URL http://www.toptravel10.com/search.php?aid=56340&q=World+Cup as a mediator. The Blogspot URLs open this page when called. At this point the toptravel10 domain's system decides where the user is redirected. The mediator remains constant and links to different URLs over a given period of time. In this case the researcher was referred first to a Russian web-site, second to ICOONet (Adult DVD Downloader), and now the mediator links to VideoGalleries, which in turn offers adult-oriented software.

It is also notable the ownership information for the toptravel10.com domain is cloaked through a proxy registration service.
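Because the decoded script sends search-engine visitors to the mediator and everyone else back to an MSN results page, a page like this can be identified by fetching it under several Referer values and comparing where each visit ends up. The following is an added example, not code from the original post: the referrer URLs and the MSN destination are constructed stand-ins, the fetch function is injected so the check runs offline against a simulated page, and only the toptravel10 mediator path comes from the post.

```python
"""Detect referrer-gated ("cloaked") redirects by probing one URL under several
Referer headers.  Added example, not the post's code; the simulated page below
reproduces the behaviour the decoded script is described as having."""
import urllib.request
from urllib.parse import urlsplit

# Referrer values to try (constructed examples, not real result-page URLs).
# "blog" is a control: a non-search referrer should look like a direct visit.
PROBE_REFERRERS = {
    "google": "http://www.google.com/", "msn": "http://search.msn.com/",
    "yahoo": "http://search.yahoo.com/", "aol": "http://search.aol.com/",
    "ask": "http://www.ask.com/", "altavista": "http://www.altavista.com/",
    "blog": "http://example.com/some-blog/",
}


def http_fetch(url, referer, timeout=10):
    """Real fetcher: follow redirects (urlopen does) and return the final URL.
    Meta-refresh and JavaScript redirects are not followed; extend as needed."""
    headers = {"Referer": referer} if referer else {}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl()


def simulated_fetch(url, referer):
    """Constructed stand-in mimicking the decoded script: search-engine referrers
    land on the mediator, anything else bounces to an MSN search (placeholder URL)."""
    engines = ("google", "msn", "yahoo", "aol", "ask", "altavista")
    if referer and any(e in urlsplit(referer).netloc for e in engines):
        return "http://www.toptravel10.com/search.php?aid=<aid>&q=World+Cup"
    return "http://search.msn.com/?q=World+Cup+2006"


def probe(url, fetch, referrers=PROBE_REFERRERS):
    """Final destination for a direct visit ("none") and for each referrer."""
    results = {"none": fetch(url, None)}
    for label, ref in referrers.items():
        results[label] = fetch(url, ref)
    return results


def cloaking_verdict(results):
    """Cloaked when the destination host depends on the Referer header."""
    hosts = {label: urlsplit(final).netloc for label, final in results.items()}
    gated = sorted({h for label, h in hosts.items() if h != hosts["none"]})
    return {"cloaked": bool(gated),
            "direct_destination": hosts["none"],
            "referrer_gated_destinations": gated}


if __name__ == "__main__":
    page = "http://worldcup2006z.blogspot.com/"   # tainted URL listed in the post
    print(cloaking_verdict(probe(page, simulated_fetch)))
```

Swap `simulated_fetch` for `http_fetch` to probe a live page; a destination that changes with the Referer but not with the URL is the signature to look for.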


Why Use Blogspot?

Blogspot has been the target for similar attacks in the past. Researcher Ben Edelman's concern about Blogspot will help us understand why this case is important. From his article:

"...Numerous blogs hosted at Google's Blogspot service contain JavaScript that tries to trick users into installing unneeded software..."

In this instance the obfuscated JavaScript not only impacts the quality of search engine results it also acts as a more complex line of redirects to distance the designer from the scene.


Why MSN Search?

As researchers, we might ask: "Why would someone target the MSN search system?"

The logical reasons would probably be that most Windows-based operating systems default to MSN Search, and/or that the orchestrator had some mastery at gaming the Microsoft ranking algorithm.

Examples of tainted URLs are:

http://worldcup2006z.blogspot.com
http://footballwordcup2006.blogspot.com
http://fifaworldcup2006-.blogspot.com
http://-fifaworldcup2006.blogspot.com

(Note: after contacting Google last week, these are now offline!)

Are There More?

Yes. One such instance was found for the keyword "AIRLINE TICKETS".

These blog URLs may also be redirected to the same pornographic galleries, again depending on the system of rotation.

Blog URLs found for the keyword "AIRLINE TICKETS":

http://airlineticketsz.blogspot.com
http://cheapairlineticketsz.blogspot.com

Conclusion and Final Notes:

A solution was already offered by Ben Edelman:

"...What should Google do? Google already disallows JavaScript within Blogspot.com posts. Apparently Google considers embedded JavaScript too risky -- too likely to trick, deceive, or otherwise take advantage of users. But Google oddly allows JavaScript to be added to Blogspot headers and navigation bars. This decision should be reversed..."

In terms of football (soccer) this is the equivalent of a "Yellow Card".

We must add the following caution and warning on the tactical approach.

In this particular case the unknown party used some technological sophistication coupled with knowledge of world events, search engine algorithms and planning. However, the party used poor targeting.

Let us explore a "what if" scenario...

What if the same system, using football (soccer) keywords, were used to trick a user into opening a page that asked them to view 'World Cup Bloopers' or 'World Cup Highlights', or lured users with a fake video of a 'disputed call' or 'insider interview' cobbled together from pirated video footage? The user, now contextually targeted, would probably click, and any number of hostile scenarios could be played out. The attack would be limited only by the creativity and motivation of the operator.

To use our football analogy again- this is a "Red Card".

LATE ADDITION: We have contacted Google about our concerns pointing out the problem around the World Cup spam and they reacted rapidly. Initial research seems to show they scoured Blogspot and removed the tainted URLs so World Cup fans wouldn't fall into this trap during the championship weekend. However, the root of the problem still remains. What to do about the JavaScript? Ultimately that is a problem Google will have to solve.

The problem has been pointed out before- history should be the teacher.


Blog Summary Write-Up: Wayne Porter, Sr. Dir. Greynets Research
Technical Research: Peter Jayaraj, FSL Threat Researcher

Chris Boyd and I talked about the possibility of this happening back in March during our Podcast with Jeff Molander. In this instance I will quote myself:


Porter says, "Once you've compromised a PC you own it... it's yours you can do with it what you want and you can emulate that activity. Because that net is spread out... you can execute any type of activity and get away with it -from sending spam to recommending certain Web sites to infecting them with more adware to emulating surfing activity and possibly emulating click activity... yes... definitely for sure."

It appears our unfortunate prophecy has become "documented reality" as a botnet owner took aim at Adsense with a small herd of bots designed to click on Adsense ads, as noted by the SANS Institute's Internet Storm Center...


Bottom line is that the advertiser pays in exchange for a bot visiting him.

It seems some bot operator left a website with both the bot's *.exe and the web based control panels wide open. An anonymous source sent us the URL.

The critical part to note about this activity documented by SANS is this:


It is interesting to note that the botnet was 115 bots in size at the early time of the day I was looking at it and most were under 15 clicks each.

Note the small size of the botnet: without an anonymous tip and some lack of planning by the botnet owner, it might have flown under the radar for a long time. This means it was either immature in size or the owner knew to keep the size of the herd under the radar. This is, unfortunately, what we thought we would see, and The Register noted it.


Generating traffic from a small number of machines (numbered in the hundreds) makes the traffic generated from compromised machines look innocuous. In return for helping click fraud scammers keep a low profile, botnet owners rake in a percentage from the scam.

No doubt we will see more of this in the future. Whether this is contained or not will depend much on how savvy Google is in detecting and shutting down this activity, as well as how well users guard their machines.

I wish I could say the prognosis was better...

Many others have picked up on this activity and that's good. The more people know about it, the better it can be defended against.
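A herd of this shape (115 bots, most under 15 clicks each) is built to stay under any per-IP threshold, so a defender has to look at the aggregate per publisher: how many distinct IPs, how few clicks each, and how tightly they cluster in time. The following is an added example, not code from the original post, SANS or The Register; the log lines are constructed with a fixed seed, the field layout `ts ip= pub= ad=` is hypothetical, and the thresholds are illustrative.

```python
"""Flag low-and-slow click-fraud herds in publisher click logs: many distinct
IPs, each under a per-IP cap, concentrated on one publisher in a short window.
Added example; log lines are constructed, not real ad-network data."""
import random
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_FORMAT = "{ts} ip={ip} pub={pub} ad={ad}"   # hypothetical log layout


def build_sample_log(seed=7):
    """Constructed log: a 115-bot herd (the size SANS reported) clicking pub-bot
    2-12 times each inside two hours, plus organic clicks on pub-ok over 12 hours."""
    rng = random.Random(seed)
    base = datetime(2006, 5, 15, 9, 0, 0)
    lines = []
    for i in range(115):
        ip = f"10.{rng.randint(0, 255)}.{rng.randint(0, 255)}.{i + 1}"
        for _ in range(rng.randint(2, 12)):
            ts = base + timedelta(seconds=rng.randint(0, 7200))
            lines.append(LOG_FORMAT.format(ts=ts.isoformat(), ip=ip, pub="pub-bot", ad="ad-1"))
    for i in range(40):
        ip = f"192.0.2.{i + 1}"
        for _ in range(rng.randint(1, 3)):
            ts = base + timedelta(seconds=rng.randint(0, 12 * 3600))
            lines.append(LOG_FORMAT.format(ts=ts.isoformat(), ip=ip, pub="pub-ok", ad="ad-2"))
    return sorted(lines)


def parse(line):
    """Return (timestamp, ip, publisher) from one log line."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["ip"], kv["pub"]


def herd_report(lines, min_ips=50, per_ip_cap=15,
                window=timedelta(hours=2), burst_share=0.8):
    """Per publisher: distinct IPs, max clicks from one IP, and the share of
    clicks falling inside the busiest `window`.  A per-IP rate limit alone sees
    nothing here because every IP stays under per_ip_cap; the herd only shows
    in the aggregate (many IPs, few clicks each, tightly clustered in time)."""
    clicks, per_ip = defaultdict(list), defaultdict(Counter)
    for line in lines:
        ts, ip, pub = parse(line)
        clicks[pub].append(ts)
        per_ip[pub][ip] += 1
    report = {}
    for pub, times in clicks.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):          # sliding window over sorted times
            while times[j] < t - window:
                j += 1
            best = max(best, i - j + 1)
        share = best / len(times)
        n_ips, worst_ip = len(per_ip[pub]), max(per_ip[pub].values())
        suspicious = n_ips >= min_ips and worst_ip <= per_ip_cap and share >= burst_share
        report[pub] = {"clicks": len(times), "ips": n_ips, "max_per_ip": worst_ip,
                       "burst_share": round(share, 2), "suspicious": suspicious}
    return report


if __name__ == "__main__":
    for pub, stats in herd_report(build_sample_log()).items():
        print(pub, stats)
```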

I am really ready to start tackling EULAs, so to kick things off I am revisiting a piece I did on the TinkoPal EULA months ago. Take a close look as I highlight some of the language and conditions you would accept in this EULA. For added value my comments will be in bold text surrounded by parentheses and are not a part of the EULA.

TinkoPal EULA Page: http://www.tinkopal.com/terms.html
Note: The original EULA is no longer valid at this URL.

....kind of. There's something of a storm brewing, and it all centers on this writeup by Ben Edelman, and his refusal to hand over the rogue affiliate details to 180 Solutions.

On the one hand, 180 are claiming that their security procedures are fine...on the other, they are essentially making the security researchers a part of their seemingly broken loop. I'm reminded of that old line about not having your cake and eating it, but oh well. You can try, I guess...

As Wayne Porter says on his Revenews Weblog:

Many researchers have done this to help educate the public, law enforcement and the legal eagles, and it has had some effect. However the routine grows stale when Company X utilizes said research to clean up their network and then claim how great they are at making the Internet a better place and being proactive. (These are my words not those of any company I work for.)

Can you almost feel the inflection point shimmering before you in the battlefield air? Can you see the line in the sand being drawn? I can. I think in the future the anti-spyware minutemen will continue to fire volley after volley only instead of giving out the full dose of lead they are going to release only what needs to be released to call attention to the bad behavior and leave the rest in reserve as ammo for the real guns that are slowly pivoting into the battlefield.

Yep. I can see the line in the sand.

When Computers Get Snatched...


...you'd better invest in a bigger set of padlocks. Take this case for instance:


In the six hours between crashing into bed and rolling out of it, the 21-year-old hacker has broken into nearly 2,000 personal computers around the globe. He slept while software he wrote scoured the Internet for vulnerable computers and infected them with viruses that turned them into slaves.

Now, with the smoke of his day's first Marlboro curling across the living room of his parents' brick rambler, the hacker known online as "0x80" (pronounced X-eighty) plops his wiry frame into a tan, weathered couch, sets his new laptop on the coffee table and punches in a series of commands. At his behest, the commandeered PCs will begin downloading and installing software that will bombard their users with advertisements for pornographic Web sites. After the installation, 0x80 orders the machines to search the Internet for other potential victims.

Brian Krebs has a stunning writeup over at Security Fix. A must read.