Results matching “Gator” from SpywareGuide Greynets Blog

Block Checker Download - Avoid!

"Block Checkers" are those wonderful scam sites that claim to be able to show you who has you down as "blocked" on your favourite IM application. They've been around for a while, but always take the form of a website that you enter your details on. Once you've entered your login, you can expect to see your IM account sending lots of spam for viagra (along with adverts for the block checker site you used) to all of your contacts.

It's a rather spectacular way to lose all your friends on Instant Messaging (and it quickly answers the question "Who is blocking you?". Answer: everybody).

Well, some wily individual has taken inspiration from the static webpages and come up with a Block Checker in the form of an executable file. However, this one has somewhat more sinister intentions than spamming links to a useless block check website with the occasional advert for a genuine rolex watch.

Shall we take a look?

[Image: mobbkck1.jpg]

"MSN Block Checker", from Microsoft Corp. A quick check - aha - will reveal a different story:

[Image: mobbkck2.jpg]

"MsnFake"? Oh dear. Here's what the program looks like when fired up:

[Image: mobbkck3.png]

Do you want to see the obligatory fake error message that appears when you enter your Windows LIVE ID and hit "Sign in"? Of course you do.

[Image: mobbkck4.png]

Faintly humorous that they left "MsnFake" in the popup box. Examining the code of the program rather gives the game away:

[Image: mobbkck5.png]

Yes, your LIVE ID login will be mailed back to base. Given that your Windows LIVE ID could be associated with your IM account, your EMail, XBox Live and a bunch of other stuff this could be a Very Bad Thing(TM).

One bright spot here is that the program is being distributed in pieces - that is, as a collection of files and images that need to be compiled once you've entered the EMail address you want the stolen logins sent to. Here's what the typical wannabe user will see immediately after downloading it:

[Image: mobbkck6.png]

Hopefully this will result in lots of people creating absolutely unusable infection files, but it pays to be on your guard. NEVER, EVER run a "Block Checker" program because generally speaking a scam based on a scam is not a good thing to get tangled up in.

We detect this file as Mob.Blockcheck.

Pay Per Click Autoclickers

There are quite a few autoclickers around at the moment (programs that will attempt to cheat pay per click networks); thankfully the majority seem to be fairly unreliable. Like this one:

[Image: buxhck1.gif]

A custom built web browser designed with the affiliate clickfrauder in mind, it gives everything the budding cheat could want.

Apart from a working program, that is. But hey, error messages can be fun too!

This next one is a little slicker, however, and doesn't seem to crash and burn once you fire it up.

[Image: buxhck2.gif]

You want options? You got options! Select who you'd like to defraud today:

[Image: buxhck3.gif]

Decide which "clicking model" to roll with:

[Image: buxhck4.gif]

Is it proxy time yet? It is? Oh dear.

[Image: buxhck5.gif]

You know, I'd be willing to bet money this thing has the ability to fake browsers to go with your phoney clicks...

[Image: buxhck6.gif]

...sigh. And let's not forget the obligatory "About" ramble, which seems rather down where the whole "use of this program by PTC owners" idea is concerned.

[Image: buxhck7.gif]

I wonder why...

There are a couple of Steam account stealers currently in circulation. How do I know they're account stealers? Well, a couple of clues coming up - but first, the obligatory "picture of the file on the desktop", because I know you love them as much as I do.

[Image: steamhax1.jpg]

Wow.

Anyway, fire the program up and you'll see this:

[Image: steamhax4.jpg]

Seems great, doesn't it? Simply enter your Steam ID and Password, and you can choose to have either Counter Strike or "All Games" for free. I'm not sure why people would choose Counter Strike when they could get it with all the others via the first option, but then logic never plays into it where these kinds of programs are concerned.

Bonus points for the creator though, because they made a slightly snazzier version of the original program:

[Image: steamhax5.jpg]

This one lets you pick from a wide variety of individual programs, just to give things a little more credibility.

Unfortunately that credibility is about to fly out the window. Shall we take a look inside the code?

[Image: steamhax2.jpg]

Whoops. I wonder why EMail addresses are in there. Could it be your logins are sent back to base when you hit the "Get free games" button?

You bet. I wonder if this guy left his name in the code, too....

[Image: steamhax3.jpg]

Marias Aas of Norway, I have a hunch you're about to become extremely popular. Looking at his Youtube profile, I'd be surprised if he wasn't already...

[Image: steamhax6.jpg]
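What "examining the code" turns up in the two cases above (e-mail addresses, an SMTP host, a leftover name like "MsnFake") can usually be pulled out of a binary without a decompiler. The following is an added example written for this page, not code from the original post or from either program: a strings extractor that handles both ASCII and UTF-16LE (the encoding Windows and .NET binaries mostly use, which `strings` misses by default) and flags e-mail addresses and suspicious words with their file offsets. The blob it runs on is a constructed stand-in with placeholder addresses and hosts, not either stealer.

```python
import re

# Printable ASCII runs and UTF-16LE runs (every other byte NUL), 6+ chars.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
# Words worth a second look in a "free stuff" tool; extend to taste.
KEYWORDS = ("smtp", "mail", "password", "passwd", "login", "fake", "steal")


def extract_strings(blob: bytes):
    """Return (offset, encoding, text) for every printable run in blob, in file order."""
    runs = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ASCII_RUN.finditer(blob)]
    runs += [(m.start(), "utf16", m.group().decode("utf-16-le"))
             for m in UTF16_RUN.finditer(blob)]
    return sorted(runs)


def triage(blob: bytes):
    """Flag e-mail addresses and suspicious keywords among the strings."""
    emails, suspicious = [], []
    for off, enc, text in extract_strings(blob):
        for addr in EMAIL.findall(text):
            emails.append((off, enc, addr))
        lowered = text.lower()
        if any(k in lowered for k in KEYWORDS):
            suspicious.append((off, enc, text))
    return {"emails": emails, "suspicious": suspicious}


def _utf16(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed stand-in for an unpacked stealer: DOS stub, padding, ASCII and
# UTF-16LE strings, then junk bytes. Addresses and hosts are placeholders.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + bytes(32)
    + b"This program cannot be run in DOS mode.\r\n$" + bytes(16)
    + _utf16("MsnFake") + bytes(8)
    + _utf16("Sign in") + bytes(4)
    + b"smtp.example.net\x00" + bytes(12)
    + _utf16("drop-box@example.com") + bytes(8)
    + _utf16("Login failed. Please try again later.") + bytes(6)
    + bytes((i * 73 + 41) % 256 for i in range(64))  # junk, no long printable runs
)

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_BINARY).items():
        print(kind)
        for off, enc, text in hits:
            print(f"  0x{off:06x} {enc:5} {text}")
```

Point it at a real sample by reading the file into `triage()`; packed or obfuscated binaries need unpacking first, since the strings only exist in memory once the program has decoded them.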

Here's a fairly typical website (giveawaycafe.co.uk) designed to give you "free" vouchers worth 250 GBP, in return for signing up to a number of offers. Typically, these offers could range from taking out a trial with EMusic to signing up to a bookclub for a year. So far, so good, nothing particularly sinister. Look, there's a smiling woman on it and everything:

[Image: gwc2.gif.jpg]

However, I must admit I was rather surprised when I checked out the Terms and Conditions after a friend mentioned the site to me. From the T&Cs, under the heading "Marketing Partners":

If you have indicated your consent to receive marketing messages, we may share, license or sell your information to third parties for various marketing purposes, including their online (e.g., e-mail marketing) and offline (e.g., telemarketing, cell phone text messaging, skip tracing (emphasis mine), and direct mail) marketing programs. If you would like to be removed from these programs at any time, click here and follow the opt-out instructions.

Note that they don't mention who these marketing partners would actually be, but enough about that. What is skip tracing? From Wikipedia:

Skiptracing (also skip tracing) is a colloquial term used to describe the process of locating a person's whereabouts for any number of purposes. A skiptracer is someone who performs this task, which may be the person's primary occupation. The term comes from the word "skip" being used to describe the person being searched for, and comes from the idiomatic expression "to skip town," meaning to depart, perhaps in a rush, and leaving minimal clues behind for someone to "trace" the "skip" to a new location.

Skip tracing tactics may be employed by debt collectors, bail bond enforcers (bounty hunting), private investigators, attorneys, police detectives, journalists or as a part of any investigation that entails locating a subject whose contact information is not immediately known.

Effectively, social engineering tactics in the real world used by people who hunt potential criminals down for a living. Here, people are giving permission for nameless third parties to leave that same option open, in return for some gift vouchers.

Records that "skiptracers" use may include phone number databases, credit reports (including information provided on a loan application, credit card application, and in other debt collector databases), job application information, criminal background checks, utility bills (electricity, gas, water, sewage, phone, internet, and cable), social security, disability, and public tax information. These methods don't break any law because the information is freely available due to the nature of the business, whether it be debt collectors, bounty hunters, or other "skiptracers".

Anyone else think this is hugely OTT? When did advertisers decide to start policing / tracking their customers in such a potentially heavy-handed manner?

Couldn't we just go back to the occasional mailshot instead?

Hot on the heels of this writeup comes another example of a particular technique favoured by 419 Scammers at the moment. It follows a familiar pattern - someone has their EMail account hijacked, and then all of their contacts will find this in their Inbox shortly afterwards:

Hello,
I am sorry I didn't inform you about my traveling to Africa for a program called Empowering Youth to Fight Racism,HIV/AIDS,and Lack of Education,the program is taking place in three major countries in Africa which are Ghana,Togoland and Nigeria,I am presently in Lagos Nigeria.
 
I misplaced my wallet on my way to the hotel where i lodged my wallet which contains my money,and other valuable things were kept.I will like you to assist me with a soft loan urgently with the sum of $3,400 US Dollars to sort-out my hotel bills and get myself back home.
 
I will appreciate whatever you can afford, i 'll pay you back as soon as i return.
Kindly look for any western union and use this informations below to send me whatever you can afford.

Name : <Redacted>
Address : <Redacted>
Zip code: <Redacted>
State :Lagos
Country :Nigeria
Test Question :To who?
Answer :
Amount send $:?

Once you have it sent, please send me the money transfer control number,with details used in sending it. I await to read from you.


The EMail content is practically identical to the last one with only a few minor alterations. The recipient was naturally suspicious (especially over the fact that their skills with the English language had suddenly taken a turn for the worse) and asked if it was really their contact sending them this mail. The reply was as follows:

Thanks for geting back to me i really appreciate your mail this massage is from me.what i need you to do for me is that just lend me some money when i get back i will pay you back and explain everythings to you ok

Perhaps given the concern over their contact losing all grasp of their native tongue, sending back a missive lacking in spelling, punctuation and basic sentence structure wasn't the smartest of moves.

Happily, our intrepid investigator was able to confirm with the victim that yes, they had been hacked, and as far as I'm aware nobody lost any money to these scammers. Thanks to Jeanette at Mother Hen Productions for sending this over!

A friend of mine happens to get about six million 419 EMails every week, so I thought it might be useful to post some up as examples of what's currently doing the rounds in the world of online scamming. There's a fair amount of text, so for your sanity, the email content is posted after the jump....

I recently spoke at the ASC Conference in DC:

[Image: http://blog.spywareguide.com/upload/2008/02/asc081-thumb.jpg]

...and a lot of interesting issues were laid out for discussion (I should point out we didn't speak in the Capitol Building, I just like that photograph. Plus, it looks a bit more impressive than a picture of a hotel). Shall we have an obligatory shot of a board with a lot of companies listed on it? Sure:

[Image: http://blog.spywareguide.com/upload/2008/02/asc083-thumb.jpg]

That's a whole lot of companies right there! Anyway, the Conference had a lot of FTC people in attendance, and kicking things off were Ari Schwartz and FTC Commissioner Jonathan Leibowitz:

[Image: http://blog.spywareguide.com/upload/2008/02/asc085-thumb.jpg]

A repeated theme (that may or may not have been intentional) was that, to some degree, the "battle is won" - at least as far as trying to get "legit" Adware vendors to toe the line goes. Of course, there's still plenty of badness out there to contend with. The evidence from security forums and people fighting these infections on the frontline would seem to suggest PC hijacking is as rampant as ever, if not more so.

Shall we lighten the mood with some cameo shots of the antispyware big-hitters? (Click to enlarge each image)

[Image: http://blog.spywareguide.com/upload/2008/02/asc086-thumb.jpg] Alex Eckelberry!
[Image: http://blog.spywareguide.com/upload/2008/02/asc087-thumb.jpg] Bill Pytlovany!
[Image: http://blog.spywareguide.com/upload/2008/02/asc0810-thumb.jpg] John Levine!
[Image: http://blog.spywareguide.com/upload/2008/02/asc089-thumb.jpg] Lance James! (Long story..)

Stefan Savage gave a great presentation, where he looked at various elements of the underground economy of hackers - namely, what carders and data theft scammers get up to in IRC channels.

[Image: http://blog.spywareguide.com/upload/2008/02/asc0811-thumb.jpg]

My own panel featured Alex, Lance, Cindy Southworth of the awesome NNEDV and Luke Erickson of the FTC. We talked about some pretty heavy duty stuff, including how the increasing frequency of illegal pornography is actually causing some people in security to drop out of the business (because, understandably enough, they don't want that kind of material on their PCs lest the police come calling), how kids as young as twelve are happily trading credit cards and the kind of information Phishers and data stealers are collecting (the slides provided by Lance were an extremely interesting extension of what Stefan had been saying earlier on).

[Image: http://blog.spywareguide.com/upload/2008/02/asc2008128888-thumb.jpg] (Thanks to Bill P for the image!)

A lot of food for thought, and I'm hopeful the presentation I gave regarding the kids getting involved in hacking and cracking hit home with the FTC people in attendance.

At this point, I want to give a mention to NNEDV - I spent a lot of time talking with Erica Olsen of the National Network to End Domestic Violence, and it was frankly mind boggling how many anecdotal tales ended with "Yeah, she died / was killed / beaten to a pulp" etc. It seems depressingly likely that we've just scraped the tip of domestic abuse going hand in hand with monitoring software / keyloggers / all those other wonderful products sold as "surveillance tools" to "keep Junior safe online", which are in fact almost immediately used for much darker purposes.

Truth be told, the entire conference was a strange mixture of conflicting views - on the one hand, we were being told "we've won", but on the other hand, people like myself and NNEDV were showing how a lot of individuals were ending up as losers, with no hope of fixing whatever tech-related problem they happened to be in...from the comical to the life threatening.

I guess the Internet really is serious business.

Listen to the full conference (and check out the slides) here, and make your own mind up. Adware was, is, and will continue to be a problem for the foreseeable future - but beyond all the types of "ware" out there that we need to start concentrating on, we need to remember that every single time something bad gets onto a PC, a life can potentially be destroyed forever.

Now, more than ever, we need to keep fighting.

There's a long line of browsers that have completely failed to enhance end-users' security and peace of mind on the web: Yapbrowser, which redirected you to illegal porn with the click of a button; the "Safety Browser", which was anything but safe and arrived in the form of an Instant Messaging hijack; Browsezilla, which allegedly increased the hitcount for various adult websites; and now, fresh out of the blocks, NetBrowserPro.

For some reason, the majority of these browsers want to convince you of their focus on security. Look at Yapbrowser's resurrection, where they laid claim to a 100% "guarantee" that no malicious code would enter your system while using the browser. Or Safety Browser, which had popups enabled by default and hijacked your IE Start Page.

NetBrowserPro (whose website actually shares the same IP address as Browsezilla - 216.255.178.220) follows this noble tradition, with the bold claim that:

"NetBrowserPro is the internet browser which aimed to the one thing - help you to watch porn.
Secure, confidential, quick and free.

Secure? Sure it is! About half of all "free porn sites" tries to install trojan or adware program to your computer in some way. According to the researches Internet Explorer was vulnerable to intrusions during 284 days of the last year!. You could always use other browser, like, for instance, Firefox, but it was vulnerable as well, however, during less than 56 days. Some people use antiviruses, but in practice antiviruses databases are being updated less frequently than the virus-makers release new viruses. However, all vulnerabilities are quite similar and do have similar methods of penetration. These methods use browsers' built-in features. In common life you do need such features to visit simple online shops, banks and other sites, but you don't need these features when you surf porn. NetBrowserPro uses only features, which are necessary to surf porn, it switch everything except this off. So there is absolutely no gap for the virus."

Well, there's probably no "gap for the virus" because according to Rootkit Revealer it comes with its very own rootkit!

[Image: http://blog.spywareguide.com/upload/2007/03/netbpro1-thumb.jpg]

How does this all begin? With a download of something called "121.exe" from the NetBrowserPro website, assuming you liked the sound of the product enough to download it in the first place:

[Image: http://blog.spywareguide.com/upload/2007/03/netbpro2-thumb.jpg]

Once downloaded, if the user runs the file they'll be faced with the following box containing the kind of EULA that I refer to as a "free for all" - because they effectively want you to agree to them updating pretty much whatever they want, whenever they want without having to notify you. Again, note the reference to "security":

[Image: http://blog.spywareguide.com/upload/2007/03/netbpro3-thumb.jpg]

It seems "security" is equated with the removal of choice and forcing you to accept their definition of what security might entail: take it or leave it, effectively. But how do we know they've made the right choices with regard to their "browser security"? Of course, the answer is we don't.

Once you click through, a site called Codecaddon.com ("Codec Add-on") is contacted, and you are shown a EULA for something called MovieCommander:

[Image: http://blog.spywareguide.com/upload/2007/03/netbpro4-thumb.jpg]

Wondering what it is? Well, the Codecaddon.com website is a big clue. Look at the graphics and site layout below:

[Image: http://blog.spywareguide.com/upload/2007/03/netbpro9-thumb.jpg]

....and compare and contrast with the second site listed on this writeup from Sunbelt Software. As you can see, the site is a carbon copy of TVCodec.com. These are known as "fake codecs", and installing them is a very bad idea. Interestingly, many of the sites on the same IP address as both NetBrowserPro and Browsezilla are porn galleries that prompt you to install fake codecs to view their content.

Once everything is installed, the browser will autostart on your desktop. Before we get to the browser itself, look at the logo:

[Image: netbpro6.jpg]

...seem familiar? It should, because it's almost identical to the Netscape Navigator logo. Indeed, the font used for the N appears to be identical to the Netscape one. We've seen "alternative" browsers use logos that are similar to more familiar browsers before (the Safety Browser did a poor imitation of the Internet Explorer logo, for example). The reason for this similarity can be anything from a lack of creativity on the part of the graphic designer to (in more malign cases) a desire to fool the user that it's somehow related to the more mainstream brand.

Of course, it could just be one huge coincidence.

At this point, we can finally take a look at the browser:

[Image: http://blog.spywareguide.com/upload/2007/03/netbpro5-thumb.jpg]

Note the (limited) options at the top include the ability to turn images on and off, add links and "boss", which presumably is a panic button for when you're in the workplace. I'm not entirely sure who would be using this in any sort of workplace, but at any rate, that's about all you can do with this thing. With regard to your saved bookmarks, the NetBrowserPro website states:

"Moreover, all bookmarks are being kept on the remote server, which excludes the opportunity of viewing them, even with the full access to the computer."

We have absolutely no information about their "remote server", its security, what they do with the stored information or anything else. Does this sound "secure" to you? However, worse is to come.

NetBrowserPro lets you click into apparently random galleries of porn that are hosted elsewhere. Sadly, many of the links clicked take the user to the kind of redirect sites that contain nothing but hundreds of images of all sorts of random pornography. Anyone that's been caught in a porn trap will know the kind of pages I'm describing. Well, though most of these redirects serve up "regular" porn, one or two took me to sites that contained what I can only describe as a couple of "dubious looking" models. While they may well be of legal age, the fact that an initial reaction to these images was "how old?" is never a particularly good indicator of the overall content of those sites, or indeed what they link to.

As the sites served up by the browser seem to be randomly selected each time you fire it up, there's no real way to know what you're going to get, and that's a surefire way to have your product dropped off a cliff in a hurry. Can the people behind NetBrowserPro absolutely guarantee that none of the redirects will take you to something you'd rather not see? That all of the people serving up the content they link to are 100% legitimate? I don't see how that's physically possible, and because of this random element of chance, of having to put blind faith in a product that apparently uses rootkit / fake codec technology... I'd advise end-users not to install and run this program.

Sadly, yet another browser joins Yap, Safety and BrowseZilla in the naughty corner...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

In Internet News Week, our V.P. of Marketing Frank Cabri makes a notable quote in the style of our usual rapier-wit-wielding MVP, Chris Boyd (e.g. describing IM safety as that "Ben Stiller and Circle of Trust Kind of Thing").

"Some organizations' ears are ringing from this consumerization of an IT trend and the fact that employees are bringing in unsanctioned applications through the back door," Cabri said. "Organizations are hearing about it from us, from some of the industry analysts, and in many cases, seeing it first hand on their networks."

And yet there are still many that aren't aware of the issue, and usage continues to grow. The recent Mark Foley case in the U.S. Congress, in which Instant Messaging was used to send inappropriate messages to a teenage congressional page, is a case in point.

"Sometimes it takes a Mark Foley-like situation to happen in your own organization to raise awareness of the risk and the impact," Cabri noted. "Obviously, our goal is to help customers before this happens."

"Lets face it, no business wants to get 'Foley'ed' on a national level -- the business consequences of this could be extremely negative."

Ouch. "Foley'ed": apt coinage indeed. Frank is, of course, referring to the recent Mark Foley scandal that emerged over IM.

Learn More: See a brief video of Kailash Ambwani, our CEO at Facetime Communications, as he covers why words like "guarantee" and "rumor", incidents like the Mark Foley scandal, and failing to monitor IM (or other greynets) can lead to big problems, especially if you are a big company.

This cascade of events is one of the drivers that is forcing big companies to take a hard look at their corporate policies, especially with regulatory challenges like:

- Gramm-Leach-Bliley Financial Modernization Act (GLBA)

- Sarbanes-Oxley Act of 2002 (SOX)

- Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Will the Foley Force raise awareness of the issues? Good question, and more pertinent than ever now that December 1st approaches. What is the big deal about December 1st? It is "E-discovery Day", when things could get more tedious and potentially more costly for the Enterprise if they are not prepared.

E-discovery refers to finding and producing documents stored in electronic form in response to litigation or regulatory requirements. Civil litigants, regulators and criminal prosecutors as a matter of course now ask for copies of selected e-mail communications or make broad requests for all electronic records. After Dec. 1, changes to the Federal Rules of Civil Procedure are set to take effect that make e-discovery a standard part of federal proceedings.

So where can you start if you are a large enterprise? First, figure out how much instant messaging traffic is going on in your network: you might be surprised not only by the traffic, but by the other insidious malware that rides along. Facetime has a free tool called RTMonitor that can help with this, or you can contact them for a demo.

Best Practices for Emerging Compliance Challenges: Electronic Messaging and Communications (ReymannGroup):

Download: IM Compliance and Regulations Document [PDF]. This paper is a great primer on what you need to know.

Some might be wondering... just what is Instant Messaging (IM)? We use it every day, it has been around for a decade, but because of its ephemeral nature we tend to treat it differently. I consulted Archive.org for some background...

Instant Messaging (IM) is an electronic messaging service that allows users to determine whether a certain party is connected to the messaging system at the same time. IM allows them to exchange text messages with connected parties in real time.

To use the service, users must have IM client software installed on their workstations. While there are many types of IM clients, they all tend to function in a similar manner. Client software may either be part of an agency's IT network and available to only registered users, or be public and available to anyone on the Internet. The client software logs into a central server to create connections with other clients logged in at that same time. Users create and exchange messages through their local client application.

Other important points:

* In addition to sending messages, users may have the ability to attach and exchange electronic files such as images, audio, video, and textual documents. This capability depends on the configuration of the individual client software as well as on protocols established at the client server.

* Depending on the software, users who are online may have the ability to respond to messages.

* Users may also block other users with whom they do not want to exchange messages.

* Users may only communicate with others using the same or a compatible client software.

How does IM differ from email?

Fundamentally, the difference between IM and email is the notion of presence. This means that users of the IM system are aware that other users have logged in and are willing to accept messages. Unlike email, IM content can only be sent to users who are logged in to the system and accepting messages. If users are not logged in, others do not have the ability to send them messages.

Because IM is not predicated upon an open standard, there is no uniformity regarding message transmission and structure.

Remember that Instant Messaging will be treated like e-mail: IM, despite its ephemeral or fleeting nature, is a document, one that should be factored into your archive equation if you want to cover the bases soundly and not get "Foley'ed".... Let's go back to Archive.org...

Does IM content qualify as a Federal Record?

The statutory definition of records (44 U.S.C. 3301) [Google Government Research Query on 44 U.S.C. 3301] includes all machine readable materials made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business. Agencies that allow IM traffic on their networks must recognize that such content may be a Federal record under that definition and must manage the records accordingly. The ephemeral nature of IM heightens the need for users to be aware that they may be creating records using this application, and to properly manage and preserve record content. Agency records management staff determine the record status of the IM content based on the overall records management policies and practices of their agency.

I think in light of the recent scandal (and how many don't we know about...) we probably will see agencies taking a new look at their IM practices: it is potentially too costly to ignore. This isn't the only scandal either; there are others, but they tend to focus around e-mail. Again, don't discount the ephemeral nature of IM, as in the "Boy's Club Case" reported by Baselinemag.com.

Peratis wanted WestLB to search for e-mail and Bloomberg messages from mailboxes of 19 current and former equities executives, human-resources representatives, bank managers and others, using more than 170 terms. These ranged from Quinby's name and initials, to employment-related words like "fire" and "bonus," to derogatory sexual slang...

In this case I don't know if IM was enabled or factored into discovery. However, according to our recent studies it often is enabled, whether or not IT is really aware of it. Odds are that after the Foley case, e-mail will not be the only prime target for discovery, and discovery can be quite expensive to dig up if an Enterprise is not prepared.

Question from a Reader: "Can people hide messages in pictures? Is this for real?"

Yes, this is for real! It is not limited to just pictures, although that is one of the common uses; messages can be embedded in any number of digital media types. They can even be embedded in sound files.

This practice is called steganography, or stego for short. Steganography is the science of writing hidden messages in such a way that no one except the intended recipient knows the message exists.

Usually a steganographic message will appear to be something else: a picture, an article, a shopping list, or some other message. This is referred to as the covertext or, in the case of a digital file, the carrier.

Steganography is different from cryptography. With cryptography, encryption is the process of obscuring information to make it unreadable without special knowledge. In that case the message is not concealed, just scrambled or obscured.

The obvious advantage of steganography over cryptography is that messages do not attract any attention. A coded message that is unhidden, no matter how strong the encryption, will arouse suspicion and may in itself be problematic. For example, in some countries encryption is illegal. The flip side is that steganography on its own offers no protection once the hiding place is found, which is why serious tools encrypt the payload before embedding it.

A common form of steganography is the use of jpeg files (a computer image) to hide the message. Research is already underway to create systems that can detect secret files or messages hiding within digital images.


Electronic images, such as jpeg files, provide the perfect "cover" because they're very common: a single computer can contain thousands of jpeg images and they can be posted on Web sites or e-mailed anywhere. Steganographic, or stego, techniques allow users to embed a secret file, or payload, by shifting the color values just slightly to account for the "bits" of data being hidden. The payload files can be almost anything from illegal financial transactions and the proverbial off-shore account information to sleeper cell communications or child pornography.

"We're taking very simple stego techniques and trying to find statistical measures that we can use to distinguish an innocent image from one that has hidden data," said Clifford Bergman, ISU math professor and researcher on the project. "One of the reasons we're focusing on images is there's lots of 'room' within a digital image to hide data. You can fiddle with them quite a bit and visually a person can't see the difference."

"At the simplest level, consider a black and white photo: each pixel has a grayscale value between zero (black) and 255 (white)," said Jennifer Davidson, ISU math professor and the other investigator on the project. "So the data file for that photo is one long string of those grayscale numbers that represent each pixel."

You can read more on the Ames Laboratory research here.
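The mechanics described above, as an added example written for this page (not code from the page, from the ISU project or from any of the products listed below): a least-significant-bit embedder and extractor for an 8-bit grayscale image, with a keyword-seeded pixel order standing in for the "keyword" such tools ask for, plus the chi-square pair test, one of the simple statistical measures a detector can use. The carrier is a constructed list of pixel values rather than a real photo, so it runs without an imaging library; the keyword-ordering scheme and the even/odd bias of the constructed cover are assumptions made for the illustration.

```python
import random


def _bits(data: bytes):
    """Most-significant-bit-first bit stream of data."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def _visit_order(n_pixels: int, key: str):
    """Pixel order derived from the keyword, so the extractor needs the same key.
    (Assumed scheme for illustration; real tools each have their own.)"""
    order = list(range(n_pixels))
    random.Random(key).shuffle(order)
    return order


def embed_lsb(pixels, payload: bytes, key: str):
    """Return a copy of pixels carrying a 32-bit length header plus payload in
    the least-significant bits. Each touched pixel changes by at most 1."""
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) * 8 > len(pixels):
        raise ValueError(f"carrier too small: need {len(data) * 8} pixels")
    out = list(pixels)
    for pos, bit in zip(_visit_order(len(pixels), key), _bits(data)):
        out[pos] = (out[pos] & 0xFE) | bit
    return out


def extract_lsb(pixels, key: str) -> bytes:
    """Inverse of embed_lsb; a wrong key yields garbage or a ValueError."""
    order = _visit_order(len(pixels), key)

    def read(offset_bits: int, n_bytes: int) -> bytes:
        out = bytearray()
        for b in range(n_bytes):
            value = 0
            for k in range(8):
                value = (value << 1) | (pixels[order[offset_bits + b * 8 + k]] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read(0, 4), "big")
    if 32 + length * 8 > len(pixels):
        raise ValueError("no valid payload under this key")
    return read(32, length)


def chi_square_lsb(pixels) -> float:
    """Chi-square statistic over the value pairs (2k, 2k+1). Overwriting LSBs
    with random-looking bits drives each pair towards equal counts, so a much
    lower value than an untouched image of the same kind suggests embedding.
    Lower means more suspicious."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            stat += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
    return stat


def make_cover(n_pixels: int, seed: int = 1):
    """Constructed stand-in for a grayscale photo (not a real image): even
    values slightly more common than odd, as quantisation often leaves them."""
    rng = random.Random(seed)
    return [2 * rng.randrange(128) + (1 if rng.random() < 0.3 else 0)
            for _ in range(n_pixels)]


def random_payload(n_bytes: int, seed: int = 7) -> bytes:
    """Uniformly random bytes: what an encrypted payload looks like."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n_bytes))


if __name__ == "__main__":
    cover = make_cover(64 * 64)
    stego = embed_lsb(cover, b"meet at the usual place", "correct horse")
    print(extract_lsb(stego, "correct horse"))
    full = embed_lsb(cover, random_payload((len(cover) - 32) // 8), "k")
    print(f"chi-square cover={chi_square_lsb(cover):.0f} "
          f"small payload={chi_square_lsb(stego):.0f} "
          f"carrier filled={chi_square_lsb(full):.0f}")
```

The last line printed is the point of the detector: a short message barely moves the statistic, while a payload that fills the carrier with random-looking bits collapses it, because every (2k, 2k+1) pair ends up nearly balanced. Encrypting the payload first keeps a found message unreadable but produces exactly this uniform-bit signature, so hiding and encrypting are complementary, not interchangeable.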

Curious users can also try stego software, but use it at your own risk. You should be sure it is legal to use in your country; in some countries this type of software is illegal and carries stiff penalties for use.

Dound's Steganography Freeware. This software allows users to encode and decode messages of their choice with a keyword. The message is coded into a picture, which can be sent via e-mail, uploaded, and so on, and then decoded by the recipient with the keyword that it was encoded with. It's easy to use and you can't tell the difference between the original and the encoded pictures. It comes with a test picture, too.

Steganography Trialware. This application enables you to use digital data hiding techniques to hide as well as encrypt files within other files such as picture or sound files. This allows you to encrypt sensitive information, while at the same time hiding it in a file that will not look suspicious, so nobody even knows that there is encrypted information.

Steganos Security Suite: Trialware. $69 to Buy. Offers a complete encryption software package, which provides protection for users of PCs and laptops. The software features 256-bit AES encryption of an unlimited amount of data; e-mail encryption; the ability to use USB sticks as rewriteable mobile safes; the potential to track down a lost or stolen laptop; track shredding; a password manager; password quality control; file shredding; and steganographic capabilities.

While Googling to download HijackThis, I spotted a link from Google's AdSense program. Check out the following screenshot:


[Screenshot: Google results page with the AdSense link]

(Note that the red X is part of the SiteAdvisor program, which can help users spot sites that use deceptive practices, and is only displayed if you are using the program.)

In the above screenshot, clicking the link "HijackThis Free download" opens the site http://hijack-this.net/. Naturally, curiosity compelled me to dig deeper into this site, and I also wanted to know what Merijn, the original creator of HJT, had to say about it. It appears it struck his radar a long time ago, and he was not pleased that the name of his product was being used to push other commercial products.

He states at http://www.merijn.org/:

" April 22, 2005:
Just a short note on the domain HIJACK-THIS.NET: this is not mine! It has been registered by an affiliate of XoftSpy (who are also on the Rogue Antispyware List on SpywareWarrior.com) and they are luring people into downloading their software believing it is HijackThis. Also, they have registered a few AdWords at Google leading to the same result. We'll see where this goes. In the meantime, if you want to download any of my programs, the official domain is and always will be www.merijn.org."

UPDATE: April 29, 2005:
I just received word from Paretologic (the owners of XoftSpy) that the affiliate responsible for the page has been terminated and the site will be taken down. That's one down, one to go. :) "

Let's dig into this mystery...